● Work on PTLCs for LN using simplified ECDSA adaptor signatures: Point Time Locked Contracts (PTLCs) are an alternative to the Hash Time Locked Contracts (HTLCs) currently used to enable routable payments in LN. A problem with the existing HTLC mechanism is that every hop along a payment path secures its conditional payment with the same hash digest. This means that a user who controls two nodes along the same path knows that any hops between those nodes were not the ultimate spender or receiver of the payment. This not only reduces the privacy provided by LN's onion routing but also allows a malicious user to steal the routing fees paid to the in-between hops: the attacker's downstream node, once it receives the preimage, passes it directly to the attacker's upstream node, which settles with the previous hop while the skipped hops' HTLCs are left to expire unpaid (this is known as the wormhole attack). For example, in the following route, Mallory can steal Bob and Carol's routing fees as well as conclude that neither of them is the spender or receiver of the ultimate payment.

Alice → Mallory → Bob → Carol → Mallory' → Dan

PTLCs make it possible for each hop to use a different identifier for the payment by locking each hop's conditional payment to a point on an elliptic curve (the adaptor point), enforced with an adaptor signature, rather than to a hash digest. Adaptor signatures were originally described for use with the Schnorr signature scheme. It's known to be possible to use them with Bitcoin's current ECDSA signature scheme (see Newsletter #16), but the process relies on two-party ECDSA signing (2pECDSA), which is complex and requires security assumptions beyond those normally required for Bitcoin-style ECDSA signatures. However, more recently, Lloyd Fournier published a paper describing how to securely use adaptor signatures with just regular 2-of-2 Bitcoin multisig (e.g. OP_CHECKMULTISIG) and a simple discrete log equality (DLEQ) proof; this was summarized in a post to the Lightning-Dev mailing list last November.

Last week during the Lightning HackSprint, several developers worked on these 2-of-2 multisig adaptor signatures. The results were an excellent blog post about the subject and proof-of-concept implementations for the C-language libsecp256k1 and Scala bitcoin-s libraries. That code is currently unreviewed and possibly unsafe, but it can help developers begin experimenting with the use of adaptor signatures on mainnet, both for PTLCs in LN and for use in other trustless contract protocols.
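To make the mechanism concrete, the following is an added example written for this newsletter item; it is not code from the page, from Fournier's paper, or from the libsecp256k1 and bitcoin-s proof-of-concept implementations mentioned above. It follows the single-signer ECDSA adaptor structure described in the text: the signer publishes the nonce point R = kG together with the adaptor-encrypted nonce R̂ = kY and a DLEQ proof that both use the same k, and takes the signature's r value from R̂ rather than R. The counterparty can then check the pre-signature before committing funds, complete it once the secret y is known, and, in the other direction, extract y from a completed signature that appears on-chain. The `hop_point`/`hop_secret` helpers show why each hop can present a different point: an additive per-hop tweak turns the downstream point into the upstream one. The hash-to-challenge encoding, the toy pure-Python curve arithmetic and the tweak helpers are assumptions of this example, not part of any of the named implementations.

```python
"""Toy single-signer ECDSA adaptor signature over secp256k1 (pure Python).
Illustration only: variable-time arithmetic, toy encodings. Not for real funds."""
import hashlib, secrets

# secp256k1 domain parameters
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def point_add(p, q):
    """Affine point addition; None is the point at infinity."""
    if p is None or q is None:
        return q if p is None else p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p == q:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def point_mul(k, p):
    r = None                                      # double-and-add, not constant time
    k %= N
    while k:
        if k & 1:
            r = point_add(r, p)
        p, k = point_add(p, p), k >> 1
    return r

def _challenge(*pts):
    """Fiat-Shamir challenge over points (toy encoding assumed here: raw x||y)."""
    h = hashlib.sha256()
    for pt in pts:
        h.update(b"\0" * 64 if pt is None else pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big"))
    return int.from_bytes(h.digest(), "big") % N

def dleq_prove(k, Y, R, R_hat):
    """Chaum-Pedersen proof that R = k*G and R_hat = k*Y share the same k."""
    a = secrets.randbelow(N - 1) + 1
    e = _challenge(Y, R, R_hat, point_mul(a, G), point_mul(a, Y))
    return (e, (a + e * k) % N)

def dleq_verify(Y, R, R_hat, proof):
    e, z = proof
    A1 = point_add(point_mul(z, G), point_mul(N - e, R))      # a*G = z*G - e*R
    A2 = point_add(point_mul(z, Y), point_mul(N - e, R_hat))  # a*Y = z*Y - e*R_hat
    return e == _challenge(Y, R, R_hat, A1, A2)

def adaptor_sign(x, msg_hash, Y):
    """Pre-signature by key x on msg_hash; completable only with y where Y = y*G."""
    m = int.from_bytes(msg_hash, "big") % N
    k = secrets.randbelow(N - 1) + 1
    R, R_hat = point_mul(k, G), point_mul(k, Y)
    r = R_hat[0] % N                              # r is taken from k*Y, not k*G
    s_adapt = pow(k, -1, N) * (m + r * x) % N
    return (R, R_hat, s_adapt, dleq_prove(k, Y, R, R_hat))

def adaptor_verify(X, msg_hash, Y, adaptor_sig):
    """Check, without knowing y, that adapting with y will give a valid signature."""
    R, R_hat, s_adapt, proof = adaptor_sig
    if not dleq_verify(Y, R, R_hat, proof):
        return False
    m = int.from_bytes(msg_hash, "big") % N
    u = pow(s_adapt, -1, N)
    return point_add(point_mul(u * m, G), point_mul(u * (R_hat[0] % N), X)) == R

def adapt(adaptor_sig, y):
    """Complete the pre-signature with secret y; returns an ordinary ECDSA (r, s)."""
    _, R_hat, s_adapt, _ = adaptor_sig
    s = s_adapt * pow(y, -1, N) % N
    if s > N // 2:                                # low-s rule enforced by Bitcoin nodes
        s = N - s
    return (R_hat[0] % N, s)

def ecdsa_verify(X, msg_hash, sig):
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, -1, N)
    m = int.from_bytes(msg_hash, "big") % N
    pt = point_add(point_mul(m * w, G), point_mul(r * w, X))
    return pt is not None and pt[0] % N == r

def recover_secret(adaptor_sig, sig, Y):
    """Extract y from the pre-signature and the full signature seen on-chain."""
    y = adaptor_sig[2] * pow(sig[1], -1, N) % N
    for cand in (y, N - y):                       # low-s flip may have negated s
        if point_mul(cand, G) == Y:
            return cand
    return None

def hop_point(Y_next, t):
    """Lock point a hop presents upstream: downstream point plus its per-hop tweak t."""
    return point_add(Y_next, point_mul(t, G))

def hop_secret(y_next, t):
    """Secret the hop hands upstream once the downstream secret y_next is revealed."""
    return (y_next + t) % N
```

The two checks a practitioner cares about are both here: `adaptor_verify` is what lets a hop accept a pre-signature without yet knowing the secret, and `recover_secret` is how it learns that secret (and so can claim from its own upstream) the moment the downstream party broadcasts the completed signature. Because `hop_point` adds a tweak that only the hop and the payer know, the two nodes Mallory controls in the route above see unrelated points and cannot correlate the payment the way a shared hash would let them.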