I don't think the article is wrong. Most likely I'm missing something. Can anyone help with understanding these formulas?
It is possible; I'm not sure that the blog post is actually accurate.
The paper I knew about adaptor signatures is this one:
https://github.com/LLFourn/one-time-VES/blob/master/main.pdf
I haven't gone through it completely so far, but it seems more 'complete' to say the least.
To be honest, now that we do have Schnorr signatures in Bitcoin, spending too much time on ECDSA doesn't make too much sense anyway.
Rene Pickhardt made a pretty good video about Adaptor Signatures in Schnorr:
https://www.youtube.com/watch?v=a8Pdpz_Jzok
I really like how he intuitively explains the concept and proves it in program code afterwards.
There is also a presentation by Conner Fromknecht from Lightning Labs about 'Scriptless 2P-ECDSA', but while he does explain the concept and signature process, he doesn't show the decryption.
Okay, yes, it's all so confusing because of the blog post's notation. Read through page 12 of the above linked paper and it becomes crystal clear. Here is a short explanation (replaced s^ with s').
Blog post says that you sign like this:
s = (H(m) + R*p) * r^{-1}
Paper uses this notation:
s = (H(m) + R_x*x) * r^{-1}
  = (H(m) + f(g^r)*x) * r^{-1}
Blog post says that you tweak like this:
s' = (H(m) + R*p*t) * r^{-1}
Paper says you tweak like this:
s' = (H(m) + R_x*x) * r^{-1}, but with a different R_x (see below).
   = (H(m) + f(g^{y*r})*x) * r^{-1}
Both agree that you just multiply by y^{-1} or t^{-1} to decrypt the signature. However, only in the notation of the paper does it become easy to understand why.
s = s' * y^{-1}
  = (H(m) + f(g^{y*r})*x) * r^{-1} * y^{-1}
  = (H(m) + f(g^{y*r})*x) * (r*y)^{-1}
Basically, s is a signature under the secret key y*r.
So it 100% works if following the paper.
I'm not 100% sure that R*t == f(g^{r*y}), though. I believe that R*t would correspond to f(g^r)*y, which would not be the same thing, right?
For ease of reading:
private key p=x
tweak t=y
x-coordinate of public randomness R = f(g^r)
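
Added example, not part of the thread and not code from the blog post or the paper: the pre-sign and decrypt steps in the paper's notation from the posts above, run on secp256k1 in Python to check that s = s' * y^{-1} verifies as ordinary ECDSA against R_x = f(g^{y*r}), and to compare f(g^r)*y with f(g^{r*y}). The scalars and the message are constructed values, SHA-256 stands in for H, and the code covers only the algebra discussed here (it is not constant-time).

```python
import hashlib

P = 2**256 - 2**32 - 977  # secp256k1 field prime; N is the group order
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(a, b):  # affine point addition, None = point at infinity
    if a is None or b is None:
        return a or b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:
        lam = (b[1] - a[1]) * pow((b[0] - a[0]) % P, -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)

def mul(k, pt):  # double-and-add: k*pt, written g^k in the thread
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def f(pt):  # the paper's f: x-coordinate reduced mod the group order
    return pt[0] % N

def H(m):
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % N

def pre_sign(x, r, Y, m):  # s' = (H(m) + R_x*x) * r^-1, R_x = f(Y^r) = f(g^(y*r))
    Rx = f(mul(r, Y))
    return Rx, (H(m) + Rx * x) * pow(r, -1, N) % N

def decrypt(s_pre, y):  # s = s' * y^-1: plain ECDSA signature with nonce r*y
    return s_pre * pow(y, -1, N) % N

def verify(X, m, Rx, s):  # standard ECDSA verification against R_x
    w = pow(s, -1, N)
    pt = add(mul(H(m) * w % N, G), mul(Rx * w % N, X))
    return pt is not None and f(pt) == Rx

x, y, r = 0x1111, 0x2222, 0x3333  # constructed private key, tweak, nonce
X, Y, m = mul(x, G), mul(y, G), b"constructed message"
Rx, s_pre = pre_sign(x, r, Y, m)
print(verify(X, m, Rx, decrypt(s_pre, y)), f(mul(r, G)) * y % N == Rx)
```
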