Question about "the right partial sig" in multi-hop-locks.md

[hieblmi]

Thank you for the thorough description of PTLCs in https://github.com/BlockstreamResearch/scriptless-scripts/blob/master/md/multi-hop-locks.md.

My question is if the multi hop lock scheme would still work as intended if the partial signatures of the right sides psig(j,m,T) wouldn't be tweaked with the adaptor, but if only the left sides' partial signatures would be required to be offset by t to form a valid signature, e.g. sig = psig(i,m,T) + psig(j,m) + t?

[jonasnick]

I'm not sure if I fully understand your problem. psig(j,m) does not look right because j must take T into account when signing.

[hieblmi]

Thanks for your response. Looking at the example txB below I am not clear on why B sends their partial signature with an adaptor like (s_b, R_b+T). Couldn't they omit the adaptor in their signature?
If B sends psig (s_b, R_b) and A responds with psig (s_a, R_a+T) then couldn't B complete the sig for txB upon learning t?
I hope this makes sense and I really appreciate your time.

[jonasnick]

Thanks for the clarification. If I understand correctly, we need to look more in depth into the equations. If B sends (s_b, R_b) and A responds with (s_a, R_a+T), then we have (roughly)

s_aG = R_a + c*X
s_bG = R_b + c'*X
where X = keyagg(A, B)
           c = hash(R_a + R_b + T, ...)
           c' = hash(R_a + R_b, ...)

Hence, c != c' and we can't just add up the s_a, s_b and t to produce a complete Schnorr signature.

I hope that helps.

[hieblmi]

Thank you, that helps with my understanding. I forgot that the adaptor is also part of the hash to be signed, which is I believe to prevent forging signatures for relative private keys...

Last question: That means that if the adaptor wasn't part of the hash then B could only send (s_b, R_b) in order to create a valid sig with (s_a, R_a+T) and t, is that correct?

[jonasnick]

I don't think so.

Let s = s_a + s_b
    R = R_a + R_b

s*G = R + T + hash(R, ...)*X

which means that (s,R) is not a valid Schnorr signature (due to the additional T).

There's a variant of adaptor signatures where the "adaptor is not part of the hash": A sends (s_a' = s_a+t, R_a). Then from a valid signature (s, R_a + R_b) it is possible to compute t.

s*G = (R_a + R_b) + hash(R_a + R_b, ...)X
=>
s_a' + s_b - s = t

I tried this version in an initial writeup of the multi-hop scheme, but switched away from it for reasons I don't remember anymore.

[hieblmi]

I can follow the second example, great!

For my prior example I want to make sure you saw the "and t". In the example I meant that (s_a+s_b+t, R_a+R_b+T) should be a valid sig. Thanks for your effort again!

[jonasnick]

In the example I meant that (s_a+s_b+t, R_a+R_b+T) should be a valid sig.

Yes that'd be a valid sig. But you mentioned that T wouldn't be input to the hash which would then result in the equation I wrote in my reply.

[hieblmi]

Excuse me for being vague and inaccurate, by "T" missing from the hash I actually meant "R and T" missing from the hash. So I was talking about a scenario where only the message m is hashed.

[jonasnick]

If R is missing from the hash it's not a Schnorr signature either. If your public key is Y, I can choose a random s and then set

R = - s*G + hash(m)*Y

which would be a valid signature (if R wasn't hashed).

[hieblmi]

It is all clear now, thank you.