Open Access
Preventing Witness Leakage in Adaptor Signatures
Author(s) - Hsu Jen-Chieh, Tso Raylin
Publication year - 2025
Publication title - IEEE Access
Language(s) - English
Resource type - Magazines
SCImago Journal Rank - 0.587
H-Index - 127
eISSN - 2169-3536
DOI - 10.1109/access.2025.3616813
Subject(s) - aerospace, bioengineering, communication, networking and broadcast technologies, components, circuits, devices and systems, computing and processing, engineered materials, dielectrics and plasmas, engineering profession, fields, waves and electromagnetics, general topics for engineers, geoscience, nuclear engineering, photonics and electrooptics, power, energy and industry applications, robotics and control systems, signal processing and analysis, transportation
Adaptor signature schemes allow two parties to trade fairly. When a valid signature is revealed, the secret witness can also be extracted. This is useful in blockchain settings such as atomic swaps and fair exchange. However, if an adversary obtains both the pre-signature and the full signature, they can extract the witness. To fix this, we introduce a secret value aux into the extract algorithm. Only those who know aux can extract the witness. We also find that the adaptor algorithm must use aux to remain secure. In a fair exchange, the buyer extracts the witness, and the seller runs the adaptor algorithm. Since both algorithms need aux, both parties must share it. The auxiliary secret aux can be shared using various methods such as non-interactive key exchange (NIKE), interactive key exchange (IKE), and key encapsulation mechanisms (KEM). We show that our scheme is aEUF-CMA secure, allows witness extraction only with the shared secret aux, and introduces a new property called witness hiding, which ensures the witness remains hidden without aux. Our contributions are: (1) we show that adaptor signatures can leak the witness if both the pre-signature and full signature are seen; (2) we fix this by adding a shared secret aux that only the right party knows; (3) we define and prove a new security notion called witness hiding; and (4) we give an example using Schnorr signatures and show how to share aux using simple methods like NIKE.
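
The leak described in the abstract, shown on a plain Schnorr adaptor signature as an added example (not code from the paper). The toy group, function names and message are constructed for illustration; the aux-based fix is not implemented because the abstract does not give its construction.

```python
import hashlib
import secrets

# Constructed toy Schnorr group: P = 2Q + 1, G has prime order Q.
# Far too small for real use; it only keeps the arithmetic readable.
P, Q, G = 2039, 1019, 4

def H(R, X, msg):
    data = f"{R}|{X}|".encode() + msg
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def keygen():
    sk = secrets.randbelow(Q - 1) + 1
    return sk, pow(G, sk, P)

def pre_sign(x, X, Y, msg):
    # Buyer signs with the nonce shifted by the statement Y = G^y.
    r = secrets.randbelow(Q - 1) + 1
    R = pow(G, r, P) * Y % P
    return R, (r + H(R, X, msg) * x) % Q

def pre_verify(X, Y, msg, pre):
    R, s_pre = pre
    return pow(G, s_pre, P) * Y % P == R * pow(X, H(R, X, msg), P) % P

def adapt(pre, y):
    # Seller completes the signature using the witness y.
    R, s_pre = pre
    return R, (s_pre + y) % Q

def verify(X, msg, sig):
    R, s = sig
    return pow(G, s, P) == R * pow(X, H(R, X, msg), P) % P

def extract(pre, sig):
    # Needs no secret input: any party holding both values can run it.
    return (sig[1] - pre[1]) % Q

def demo():
    x, X = keygen()   # buyer's signing key
    y, Y = keygen()   # seller's witness y and public statement Y
    msg = b"constructed sample transaction"
    pre = pre_sign(x, X, Y, msg)
    sig = adapt(pre, y)
    leaked = extract(pre, sig)  # computed by an observer with neither x nor y
    return pre_verify(X, Y, msg, pre), verify(X, msg, sig), leaked == y
```

Because `extract` takes only public values, anyone who sees the pre-signature and the published signature recovers the witness, which is the gap the paper closes by requiring the shared secret aux.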
