This PR adds the ability to do private atomic swap transactions between BTC and DCR using adaptor signatures. With the original atomic swap technique, coins are unlocked by revealing the preimage of a hash, so the same hash and preimage appear on both blockchains and anyone can link the two transactions. With adaptor signatures no shared value is published on either chain, which removes this linkability. The cost is some additional off-chain communication between the parties.

Here is some background information on Decred's Schnorr signature implementation: https://github.com/decred/dcrd/blob/master/dcrec/secp256k1/schnorr/README.md

Reading this article will help you get familiar with adaptor signatures (specifically read section 3-1, "Single signer schnorr Adaptor signature"): https://medium.com/crypto-garage/adaptor-signature-schnorr-signature-and-ecdsa-da0663c2adc4
Decred's Schnorr signature algorithm is currently not secure for multi-signer adaptor signatures, so on each chain the spending condition for the atomic swap contract is a 2-of-2 multisig, where each party holds one of the two private keys. It may be possible to combine a more private MuSig contract on Bitcoin with a 2-of-2 multisig on Decred, but this is left for future work. If that is done, not only will it be impossible to link the two transactions, but on Bitcoin the atomic swap will be indistinguishable from a P2PK transaction.
The sequence of actions to perform a private atomic swap is the following:

1. Both parties lock their coins in an atomic swap contract.
2. Party A picks a hidden tweak value, and sends a private-key-tweaked adaptor signature to party B for the signature party B requires to unlock the coins locked by party A.
3. Based on this, party B constructs a public-key-tweaked adaptor signature for the signature required by party A.
4. Since party A knows the hidden tweak, they are able to decrypt party B's adaptor signature and redeem their coins.
5. After seeing the redemption transaction on chain, party B can recover the tweak, decrypt the original adaptor signature party A sent, and redeem their coins.
A contract output on Decred is a P2SH output with the following script:
On Bitcoin, the contract output is a P2TR output with two possible script paths and a provably unspendable internal key. One of the script paths is a normal redeem script, and the other is a refund script. Since only the script path actually taken is revealed when a taproot output is spent, third parties can only see that a 2-of-2 multisig was spent. If in future work this is improved to use a MuSig internal key, it will look as if just a P2PK transaction was done. Decred will need an upgrade to its Schnorr signature scheme and to implement taproot before this is possible.

The following is Bitcoin's redeem script:

And the refund script:
Below are the steps required to perform a private atomic swap. Party A is trading their 2 DCR for Party B's 1 BTC.
First, party B gets a fresh address from their dcrwallet and sends it to Party A. Party A then uses the lockfunds command to create a private atomic swap contract on Decred:
Party A sends the contract and the lock transaction to party B. Party A also uses the getpubkey command in btcatomicswap to get a valid public key and sends it to party B. Schnorr signatures require that a public key with an even Y is used, which is why there is a special command to get a public key. Party B then does lockfunds with btcatomicswap:
After receiving all the information about each other's lock transactions, both parties run auditprivatecontract to confirm that the other party created the contract that was agreed, and then run unsignedredemption to create an unsigned redemption transaction that the other party can use to create an adaptor signature.

Party A:

Party B:
Now, Party A is ready to create an adaptor signature with initiatadaptor. Only the adaptor sig is sent to Party B; if the tweak itself were sent to party B, they could take all the funds.
Party B then verifies the adaptor sig using verifyadaptor, and if it is valid, creates their own adaptor sig using participateadaptor and sends it to Party A.
```
% dcratomicswap verifyadaptor 6376a914dbc112eaae46fd0af651f672398be60a147487b48852bf6704462e6465b1756876a91471d5f7433ef0303d1228a7a3df06afcedff62b188852be e7d4dba1d6f3bb191d834a8ad1a32a97be6db59259954401d15be887ad4f4c0fe726cf4a0b819053e1928403498da5ff0d8a8ef244e642dce5f6a76591012e8e95000ab94a0d2fb50abd2618175c55d16cc5a3336cd06a91debff07148e7dfbf8a02aebcb905797123be610796eeb5f435a033c80cc57c8f99b72f9d06c131cd00 022833ace8bcc0ba5a05af105a4f8cc8eba53b30fc1d55b948c4cf3b976be203e6 01000000018e8087b2c83db290247b25e7c15ddda19d367bbf2d9417a1d16ae8f02658c8d00100000000ffffffff01842feb0b0000000000001976a9147a1b7d541ca7805c92b7a2274d008b9280da0fe088ac000000000000000001000000000000000000000000ffffffff00
Adaptor sig is valid!
```
Now, Party A, with their tweak is able to decrypt Party B's adaptor signature and redeem the atomic swap using privateredeem:
```
% btcatomicswap privateredeem 208a52c8d8513bc7bf46af22a334325a5748761488dc19716f94afdd17ffd80733ad20ec94690892d20b170bdf55ee6a00d4cedb1dd3083c4a4e19e90a1950406786ccac 04dedc6265b175208a52c8d8513bc7bf46af22a334325a5748761488dc19716f94afdd17ffd80733ac bb8c111c3cb53e3fa0852b4fde18213d7545cdfc36f604e87586622c5e1a1e97 ... 38df09c58cb6fe0a37525fdf82a05cb1fe81d9d228dcf08eae5bd57cf34eda7a0cec5418dd2bbc35db24191b4b8e83c3b0fcd5abfbb2dbbf21fef83fe5645ccb95000ab94a0d2fb50abd2618175c55d16cc5a3336cd06a91debff07148e7dfbf8a02aebcb905797123be610796eeb5f435a033c80cc57c8f99b72f9d06c131cd01 02000000017d04847b498b82271848ed9e48aaf3fdc44429d2680c582b1616909269c145fd0000000000ffffffff0167e0f50500000000160014afcba2357512ba071417945119d96a815dc699a000000000 6b0440650a81638e3359e61b8062148b0f9550e7ebedda68a38fd8a73c255c50
Publish redeem transaction? [y/N] y
Published redeem transaction (d0388cb031f1497afc09ceb0cb3d5d010aeb09a21535144bb9fe18c4ce043ecf)
```
Party B checks the block explorer, and when they see that Party A has done their redemption, Party B uses Party A's redemption transaction and the adaptor signature they created to extract the tweak. This is done with the extracttweak command. Then, with knowledge of the tweak, they can redeem the atomic swap.
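The five-step sequence above and the initiatadaptor / verifyadaptor / participateadaptor / privateredeem / extracttweak walkthrough, as an added toy model that is not code from this PR or from dcratomicswap / btcatomicswap. It implements the single-signer Schnorr adaptor signature of the linked article (section 3-1) over secp256k1 with hand-rolled curve arithmetic. Assumptions: the challenge is a plain SHA-256 over full (x, y) point encodings rather than Decred's or BIP340's exact hashing (so the even-Y rule does not arise here), the same pre-signature form is used on both sides instead of the PR's private-key- vs public-key-tweaked variants, and the two "messages" are constructed byte strings standing in for the sighashes of the unsigned redemption transactions.

```python
# Added example, not the project's code. Toy single-signer Schnorr adaptor
# signatures over secp256k1; challenge hashing is simplified (assumption).
import hashlib
import secrets

# secp256k1 domain parameters
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def _add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def _mul(k, pt=G):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1:
            acc = _add(acc, pt)
        pt = _add(pt, pt)
        k >>= 1
    return acc


def _challenge(r_point, pub, msg):
    """e = H(R || P || m); both coordinates are hashed, so no even-Y rule."""
    enc = b"".join(c.to_bytes(32, "big") for c in (*r_point, *pub))
    return int.from_bytes(hashlib.sha256(enc + msg).digest(), "big") % N


def keygen():
    x = secrets.randbelow(N - 1) + 1
    return x, _mul(x)


def adaptor_sign(x, pub, msg, T):
    """Pre-signature (R, s'): e commits to R + T, so s' only becomes a valid
    signature once the tweak t behind T = t*G is added to it."""
    k = secrets.randbelow(N - 1) + 1
    R = _mul(k)
    e = _challenge(_add(R, T), pub, msg)
    return R, (k + e * x) % N


def verify_adaptor(pub, msg, T, adaptor):
    """What verifyadaptor checks: s'*G == R + e*P with e bound to R + T."""
    R, s_adapt = adaptor
    e = _challenge(_add(R, T), pub, msg)
    return _mul(s_adapt) == _add(R, _mul(e, pub))


def adapt(adaptor, T, t):
    """Decrypt with the tweak: the final signature is (R + T, s' + t)."""
    R, s_adapt = adaptor
    return _add(R, T), (s_adapt + t) % N


def verify(pub, msg, sig):
    """Ordinary Schnorr verification of a completed signature."""
    r_point, s = sig
    return _mul(s) == _add(r_point, _mul(_challenge(r_point, pub, msg), pub))


def extract_tweak(adaptor, sig):
    """What extracttweak does: on-chain s minus the pre-signature s' is t."""
    return (sig[1] - adaptor[1]) % N


def private_swap(msg_b_redeems_dcr, msg_a_redeems_btc):
    """Run the five steps; each msg stands in for a redemption tx sighash."""
    xa, Pa = keygen()                     # A's key in the DCR 2-of-2
    xb, Pb = keygen()                     # B's key in the BTC 2-of-2
    t = secrets.randbelow(N - 1) + 1      # A's hidden tweak
    T = _mul(t)                           # sent alongside the adaptor sig; t never is
    adaptor_a = adaptor_sign(xa, Pa, msg_b_redeems_dcr, T)   # initiatadaptor
    adaptor_b = adaptor_sign(xb, Pb, msg_a_redeems_btc, T)   # participateadaptor
    checks = {
        "a_adaptor_valid": verify_adaptor(Pa, msg_b_redeems_dcr, T, adaptor_a),
        "b_adaptor_valid": verify_adaptor(Pb, msg_a_redeems_btc, T, adaptor_b),
        # a pre-signature cannot spend by itself, with or without T folded in
        "adaptor_alone_spends": verify(Pa, msg_b_redeems_dcr, adaptor_a)
        or verify(Pa, msg_b_redeems_dcr, (_add(adaptor_a[0], T), adaptor_a[1])),
        # had A leaked t, B could finish A's signature before signing anything
        "leaked_tweak_spends": verify(Pa, msg_b_redeems_dcr, adapt(adaptor_a, T, t)),
    }
    sig_b = adapt(adaptor_b, T, t)                  # privateredeem on BTC
    t_recovered = extract_tweak(adaptor_b, sig_b)   # B reads sig_b from the chain
    sig_a = adapt(adaptor_a, T, t_recovered)        # B now redeems the DCR side
    checks["a_redeems_btc"] = verify(Pb, msg_a_redeems_btc, sig_b)
    checks["b_recovers_tweak"] = t_recovered == t
    checks["b_redeems_dcr"] = verify(Pa, msg_b_redeems_dcr, sig_a)
    return checks
```

Calling `private_swap(b"dcr redeem tx by B", b"btc redeem tx by A")` (constructed stand-ins for the two unsigned redemption transactions) should report both adaptor sigs valid, `adaptor_alone_spends` False, `leaked_tweak_spends` True, and the three final checks True. The `leaked_tweak_spends` entry is the reason only the adaptor sig, never the tweak, is sent in the initiatadaptor step; the `extract_tweak` arithmetic is why publishing the BTC redemption is enough for party B to finish on Decred.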