TYPE 0x0003 · SIGNATURE FAMILY

ADAPTOR_SIG

Adaptor signature verification. Verifies a Schnorr signature that has been "adapted" off-chain by combining a presig with an adaptor secret t (where T = t·G). On-chain the block sees a single signing key + the completed signature; the adaptor point T and secret t are off-chain machinery. Enables scriptless-script atomic protocols without hash locks.

Signature Non-Invertible

Ladder Diagram

Fields

Field	Data Type	Size	Side	Description
signing_key	PUBKEY	32-33 B	Witness	Signing public key (x-only 32B or compressed 33B). The adaptor point is NOT revealed in the witness — the adaptor secret is applied off-chain to produce the adapted signature.
signature	SIGNATURE	64-65 B	Witness	Adapted Schnorr signature (the completed adaptor signature)

Single signing pubkey folded into Merkle leaf via merkle_pub_key (PubkeyCountForBlock = 1). v0.7 dropped the second "adaptor point" slot — T = t·G is needed only for off-chain witness extraction, not for on-chain consensus, since the adapted sig verifies as a normal Schnorr against the signing key. No key fields in conditions.

F26: the conditions field count is exactly zero. Any spurious conditions field on an ADAPTOR_SIG block is rejected at fund time by createrungtx and at consensus by the wire-format deserialiser.

Wire Format Breakdown

Conditions side (no implicit fields — ADAPTOR_SIG conditions carry no per-block bytes; the signing pubkey is folded into the rung leaf via merkle_pub_key):

0x0003 = block header only

Witness side (in input witness):

0x0003 PUBKEY · 32-33B SIGNATURE · 64-65B

Witness reveals only the signing pubkey + the adapted Schnorr signature; no adaptor point. The adapted sig is a regular Schnorr signature verified against the signing pubkey.

Evaluation Logic

0. Pre-eval (MLSC proof): the signing pubkey is bound to the rung leaf via merkle_pub_key. A mismatched pubkey produces a different leaf and the proof rejects before EvalAdaptorSigBlock runs.

1. ResolvePubkeyCommitments must return exactly 1 pubkey. FindField(SIGNATURE) must succeed. If either fails → ERROR

2. SIGNATURE size must be 64 or 65 bytes (Schnorr only; ECDSA not supported). Size outside that range → ERROR

3. VerifySigWithScheme dispatches to Schnorr verify. The adapted signature, having been completed off-chain by adding the adaptor secret, verifies as an ordinary Schnorr signature against the signing pubkey. Verification fails → UNSATISFIED

4. Adapted signature valid → SATISFIED

Return Values

Condition	Result
Witness pubkey count != 1, or SIGNATURE missing	ERROR
SIGNATURE size outside 64-65 bytes (Schnorr only)	ERROR
Schnorr verification of adapted signature fails	UNSATISFIED
Adapted signature valid	SATISFIED

JSON Wire Format

Conditions (committed in the rung leaf)

{
  "type": "ADAPTOR_SIG",
  "inverted": false,
  "fields": [
  ]
}

Witness (input)

{
  "type": "ADAPTOR_SIG",
  "inverted": false,
  "fields": [
    { "type": "PUBKEY", "hex": "02abc1...33 bytes (signing key)" },
    { "type": "SIGNATURE", "hex": "e5f71b...64 bytes (adapted)" }
  ]
}

Use Cases

DLC Oracle Contracts

Discreet Log Contracts use adaptor signatures to bind payouts to oracle attestations. The oracle's adaptor point commits to a future event outcome. When the oracle signs the outcome, the adapted signature becomes completable, enabling trustless settlement.

Scriptless Scripts

Adaptor signatures enable conditional payments without revealing any script on-chain. The spending transaction looks like a normal single-sig spend, but the act of completing the adaptor reveals a secret scalar to the counterparty.

Atomic Swaps Without Hash Locks

Cross-chain atomic swaps using adaptor signatures instead of HTLCs. Both parties create adaptor signatures with the same adaptor point. Completing one swap leg reveals the adaptor secret, enabling the other leg. More private than hash-lock swaps.

← MULTISIG MUSIG_THRESHOLD →