Title: Preventing Witness Leakage in Adaptor Signatures
Author: 左瑞麟
Hsu, Jen-Chieh;Tso, Raylin
Contributor: Department of Computer Science
Keywords: Adaptor signature; fair exchange; key agreement
Date: 2025-10
Upload time: 12-Mar-2026 15:07:49 (UTC+8)
Abstract: Adaptor signature schemes allow two parties to trade fairly. When a valid signature is revealed, the secret witness can also be extracted. This is useful in blockchain settings such as atomic swaps and fair exchange. However, if an adversary obtains both the pre-signature and the full signature, they can extract the witness. To fix this, we introduce a secret value $\textsf{aux}$ into the extract algorithm. Only those who know $\textsf{aux}$ can extract the witness. We also find that the adaptor algorithm must use $\textsf{aux}$ to remain secure. In a fair exchange, the buyer extracts the witness, and the seller runs the adaptor algorithm. Since both parts need $\textsf{aux}$, both parties must share it. The auxiliary secret $\textsf{aux}$ can be shared using various methods such as non-interactive key exchange (NIKE), interactive key exchange (IKE), and key encapsulation mechanism (KEM). We show that our scheme is aEUF-CMA secure, allows witness extraction only with the shared secret $\textsf{aux}$, and introduces a new property called restricted extractability, which ensures the witness remains hidden without $\textsf{aux}$. Our contributions are: 1) We show that adaptor signatures can leak the witness if both the pre-signature and full signature are seen, 2) We fix this by adding a shared secret $\textsf{aux}$ that only the right party knows, 3) We define and prove a new security idea called restricted extractability, and 4) We give an example using Schnorr signatures and show how to share $\textsf{aux}$ using simple methods like NIKE.
Relation: IEEE Access, Vol.13, pp.172584-172597
Type: article
DOI https://doi.org/10.1109/ACCESS.2025.3616813
dc.contributor Department of Computer Science
dc.creator (Author) 左瑞麟
dc.creator (Author) Hsu, Jen-Chieh;Tso, Raylin
dc.date (Date) 2025-10
dc.date.accessioned 12-Mar-2026 15:07:49 (UTC+8)
dc.date.available 12-Mar-2026 15:07:49 (UTC+8)
dc.date.issued (Upload time) 12-Mar-2026 15:07:49 (UTC+8)
dc.identifier.uri (URI) https://nccur.lib.nccu.edu.tw/handle/140.119/162044
dc.format.extent 107 bytes
dc.format.mimetype text/html
dc.relation (Relation) IEEE Access, Vol.13, pp.172584-172597
dc.subject (Keywords) Adaptor signature; fair exchange; key agreement
dc.title (Title) Preventing Witness Leakage in Adaptor Signatures
dc.type (Type) article
dc.identifier.doi (DOI) 10.1109/ACCESS.2025.3616813
dc.doi.uri (DOI) https://doi.org/10.1109/ACCESS.2025.3616813