Functional Adaptor Signatures: Beyond All-or-Nothing Blockchain-based Payments

TL;DR

This paper introduces functional adaptor signatures (FAS), a new cryptographic primitive that enables fair, privacy-preserving functional sales on blockchains, bridging the gap between smart contracts and adaptor signatures.

Contribution

It proposes FAS, formalizes its security, introduces multiple witness privacy variants, and provides efficient constructions supporting linear functions based on groups and lattices.

Findings

FAS enables fair functional sales with privacy on blockchains.

Efficient FAS constructions support linear functions using groups and lattices.

FAS reveals a connection between functional encryption and adaptor signatures.

Abstract

In scenarios where a seller holds sensitive data $x$, like patient records, and a buyer seeks to obtain an evaluation of a function $f$ on $x$, solutions in trustless environments like blockchain fall into two categories: (1) Smart contract-powered solutions and (2) cryptographic solutions using tools such as adaptor signatures. The former offers atomic transactions where the buyer learns $f(x)$ upon payment. However, this approach is inefficient, costly, lacks privacy for the seller's data, and is incompatible with blockchains such as bitcoin. In contrast, the adaptor signature-based approach addresses all of the above issues but comes with an "all-or-nothing" guarantee, where the buyer fully extracts $x$ and does not support extracting $f(x)$. In this work, we bridge the gap between these approaches, developing a solution that enables fair functional sales while offering all the above properties like adaptor signatures. Towards this, we propose functional adaptor signatures (FAS), a novel cryptographic primitive and show how it can be used to enable functional sales. We formalize the security properties of FAS, among which is a new notion called witness privacy to capture seller's privacy, which ensures the buyer does not learn anything beyond $f(x)$. We present multiple variants of witness privacy, namely, witness hiding, witness indistinguishability, and zero-knowledge. We introduce two efficient constructions of FAS supporting linear functions based on groups of prime-order and lattices, that satisfy the strongest notion of witness privacy. A central conceptual contribution of our work lies in revealing a surprising connection between functional encryption and adaptor signatures. We implement our FAS construction for Schnorr signatures and show that for reasonably sized seller witnesses, all operations are quite efficient even for commodity hardware.