@ Victor

Atomic Signature Swaps (ASS) over Nostr is a protocol for atomically exchanging Schnorr signatures using Nostr events for orchestration. This new primitive enables multiple interesting applications like:

• Getting paid to publish specific Nostr events
• Issuing automatic payment receipts
• Contract signing in exchange for payment
• P2P asset exchanges
• Trading and enforcement of asset option contracts
• Payment in exchange for Nostr-based credentials or access tokens
• Exchanging GMs 🌞

It only requires that (i) the involved signatures be Schnorr signatures using the secp256k1 curve and that (ii) at least one of those signatures be accessible to both parties. These requirements are naturally met by Nostr events (published to relays), Taproot transactions (published to the mempool and later to the blockchain), and Cashu payments (using mints that support NUT-07, allowing any pair of these signatures to be swapped atomically.

How the Cryptographic Magic Works 🪄

This is a Schnorr signature (Zₓ, s):

s = z + H(Zₓ || P || m)⋅k

If you haven't seen it before, don't worry, neither did I until three weeks ago.

The signature scalar s is the the value a signer with private key k (and public key P = k⋅G) must calculate to prove his commitment over the message m given a randomly generated nonce z (Zₓ is just the x-coordinate of the public point Z = z⋅G). H is a hash function (sha256 with the tag "BIP0340/challenge" when dealing with BIP340), || just means to concatenate and G is the generator point of the elliptic curve, used to derive public values from private ones.

Now that you understand what this equation means, let's just rename z = r + t. We can do that, z is just a randomly generated number that can be represented as the sum of two other numbers. It also follows that z⋅G = r⋅G + t⋅G ⇔ Z = R + T. Putting it all back into the definition of a Schnorr signature we get:

s = (r + t) + H((R + T)ₓ || P || m)⋅k

Which is the same as:

s = sₐ + t where sₐ = r + H((R + T)ₓ || P || m)⋅k

sₐ is what we call the adaptor signature scalar) and t is the secret. ((R + T)ₓ, sₐ) is an incomplete signature that just becomes valid by add the secret t to the sₐ:

s = sₐ + t

What is also important for our purposes is that by getting access to the valid signature s, one can also extract t from it by just subtracting sₐ:

t = s - sₐ

The specific value of t depends on our choice of the public point T, since R is just a public point derived from a randomly generated nonce r.

So how do we choose T so that it requires the secret t to be the signature over a specific message m' by an specific public key P'? (without knowing the value of t)

Let's start with the definition of t as a valid Schnorr signature by P' over m':

t = r' + H(R'ₓ || P' || m')⋅k' ⇔ t⋅G = r'⋅G + H(R'ₓ || P' || m')⋅k'⋅G

That is the same as:

T = R' + H(R'ₓ || P' || m')⋅P'

Notice that in order to calculate the appropriate T that requires t to be an specific signature scalar, we only need to know the public nonce R' used to generate that signature.

In summary: in order to atomically swap Schnorr signatures, one party P' must provide a public nonce R', while the other party P must provide an adaptor signature using that nonce:

sₐ = r + H((R + T)ₓ || P || m)⋅k where T = R' + H(R'ₓ || P' || m')⋅P'

P' (the nonce provider) can then add his own signature t to the adaptor signature sₐ in order to get a valid signature by P, i.e. s = sₐ + t. When he publishes this signature (as a Nostr event, Cashu transaction or Taproot transaction), it becomes accessible to P that can now extract the signature t by P' and also make use of it.

Important considerations

A signature may not be useful at the end of the swap if it unlocks funds that have already been spent, or that are vulnerable to fee bidding wars.

When a swap involves a Taproot UTXO, it must always use a 2-of-2 multisig timelock to avoid those issues.

Cashu tokens do not require this measure when its signature is revealed first, because the mint won't reveal the other signature if they can't be successfully claimed, but they also require a 2-of-2 multisig timelock when its signature is only revealed last (what is unavoidable in cashu for cashu swaps).

For Nostr events, whoever receives the signature first needs to publish it to at least one relay that is accessible by the other party. This is a reasonable expectation in most cases, but may be an issue if the event kind involved is meant to be used privately.

How to Orchestrate the Swap over Nostr?

Before going into the specific event kinds, it is important to recognize what are the requirements they must meet and what are the concerns they must address. There are mainly three requirements:

• Both parties must agree on the messages they are going to sign
• One party must provide a public nonce
• The other party must provide an adaptor signature using that nonce

There is also a fundamental asymmetry in the roles of both parties, resulting in the following significant downsides for the party that generates the adaptor signature:

• NIP-07 and remote signers do not currently support the generation of adaptor signatures, so he must either insert his nsec in the client or use a fork of another signer
• There is an overhead of retrieving the completed signature containing the secret, either from the blockchain, mint endpoint or finding the appropriate relay
• There is risk he may not get his side of the deal if the other party only uses his signature privately, as I have already mentioned
• There is risk of losing funds by not extracting or using the signature before its timelock expires. The other party has no risk since his own signature won't be exposed by just not using the signature he received.

The protocol must meet all those requirements, allowing for some kind of role negotiation and while trying to reduce the necessary hops needed to complete the swap.

Swap Proposal Event (kind:455)

This event enables a proposer and his counterparty to agree on the specific messages whose signatures they intend to exchange. The content field is the following stringified JSON:

{     "give": <signature spec (required)>,     "take": <signature spec (required)>,     "exp": <expiration timestamp (optional)>,     "role": "<adaptor | nonce (optional)>",     "description": "<Info about the proposal (optional)>",     "nonce": "<Signature public nonce (optional)>",     "enc_s": "<Encrypted signature scalar (optional)>" }

The field role indicates what the proposer will provide during the swap, either the nonce or the adaptor. When this optional field is not provided, the counterparty may decide whether he will send a nonce back in a Swap Nonce event or a Swap Adaptor event using the nonce (optionally) provided by in the Swap Proposal in order to avoid one hop of interaction.

The enc_s field may be used to store the encrypted scalar of the signature associated with the nonce, since this information is necessary later when completing the adaptor signature received from the other party.

A signature spec specifies the type and all necessary information for producing and verifying a given signature. In the case of signatures for Nostr events, it contain a template with all the fields, except pubkey, id and sig:

{ "type": "nostr", "template": { "kind": "<kind>"        "content": "<content>"        "tags": [ … ],        "created_at": "<created_at>" } }

In the case of Cashu payments, a simplified signature spec just needs to specify the payment amount and an array of mints trusted by the proposer:

{   "type": "cashu",   "amount": "<amount>",   "mint": ["<acceptable mint_url>", …] }

This works when the payer provides the adaptor signature, but it still needs to be extended to also work when the payer is the one receiving the adaptor signature. In the later case, the signature spec must also include a timelock and the derived public keys Y of each Cashu Proof, but for now let's just ignore this situation. It should be mentioned that the mint must be trusted by both parties and also support Token state check (NUT-07) for revealing the completed adaptor signature and P2PK spending conditions (NUT-11) for the cryptographic scheme to work.

The tags are:

• "p", the proposal counterparty's public key (required)
• "a", a kind:30455 Swap Listing event or an application specific version of it (optional)

Forget about this Swap Listing event for now, I will get to it later...

Swap Nonce Event (kind:456) - Optional

This is an optional event for the Swap Proposal receiver to provide the public nonce of his signature when the proposal does not include a nonce or when he does not want to provide the adaptor signature due to the downsides previously mentioned. The content field is the following stringified JSON:

{     "nonce": "<Signature public nonce>",     "enc_s": "<Encrypted signature scalar (optional)>" }

And the tags must contain:

• "e", a kind:455 Swap Proposal Event (required)
• "p", the counterparty's public key (required)

Swap Adaptor Event (kind:457)

The content field is the following stringified JSON:

{ "adaptors": [ {         "sa": "<Adaptor signature scalar>",         "R": "<Signer's public nonce (including parity byte)>",         "T": "<Adaptor point (including parity byte)>",         "Y": "<Cashu proof derived public key (if applicable)>",     }, …],     "cashu": "<Cashu V4 token (if applicable)>" }

And the tags must contain:

• "e", a kind:455 Swap Proposal Event (required)
• "p", the counterparty's public key (required)

Discoverability

The Swap Listing event previously mentioned as an optional tag in the Swap Proposal may be used to find an appropriate counterparty for a swap. It allows a user to announce what he wants to accomplish, what his requirements are and what is still open for negotiation.

Swap Listing Event (kind:30455)

The content field is the following stringified JSON:

{ "description": "<Information about the listing (required)>", "give": <partial signature spec (optional)>, "take": <partial signature spec (optional)>, "examples: [<take signature spec>], // optional "exp": <expiration timestamp (optional)>, "role": "<adaptor | nonce (optional)>" }

The description field describes the restrictions on counterparties and signatures the user is willing to accept.

A partial signature spec is an incomplete signature spec used in Swap Proposal events kind:455 where omitting fields signals that they are still open for negotiation.

The examples field is an array of signature specs the user would be willing to take.

The tags are:

• "d", a unique listing id (required)
• "s", the status of the listing draft | open | closed (required)
• "t", topics related to this listing (optional)
• "p", public keys to notify about the proposal (optional)

Application Specific Swap Listings

Since Swap Listings are still fairly generic, it is expected that specific use cases define new event kinds based on the generic listing. Those application specific swap listing would be easier to filter by clients and may impose restrictions and add new fields and/or tags. The following are some examples under development:

Sponsored Events

This listing is designed for users looking to promote content on the Nostr network, as well as for those who want to monetize their accounts by sharing curated sponsored content with their existing audiences.

It follows the same format as the generic Swap Listing event, but uses the kind:30456 instead.

The following new tags are included:

• "k", event kind being sponsored (required)
• "title", campaign title (optional)

It is required that at least one signature spec (give and/or take) must have "type": "nostr" and also contain the following tag ["sponsor", "<pubkey>", "<attestation>"] with the sponsor's public key and his signature over the signature spec without the sponsor tag as his attestation. This last requirement enables clients to disclose and/or filter sponsored events.

Asset Swaps

This listing is designed for users looking for counterparties to swap different assets that can be transferred using Schnorr signatures, like any unit of Cashu tokens, Bitcoin or other asset IOUs issued using Taproot.

It follows the same format as the generic Swap Listing event, but uses the kind:30457 instead.

It requires the following additional tags:

• "t", asset pair to be swapped (e.g. "btcusd")
• "t", asset being offered (e.g. "btc")
• "t", accepted payment method (e.g. "cashu", "taproot")

Swap Negotiation

From finding an appropriate Swap Listing to publishing a Swap Proposal, there may be some kind of negotiation between the involved parties, e.g. agreeing on the amount to be paid by one of the parties or the exact content of a Nostr event signed by the other party. There are many ways to accomplish that and clients may implement it as they see fit for their specific goals. Some suggestions are:

• Adding kind:1111 Comments to the Swap Listing or an existing Swap Proposal
• Exchanging tentative Swap Proposals back and forth until an agreement is reached
• Simple exchanges of DMs
• Out of band communication (e.g. Signal)

Work to be done

I've been refining this specification as I develop some proof-of-concept clients to experience its flaws and trade-offs in practice. I left the signature spec for Taproot signatures out of the current document as I still have to experiment with it. I will probably find some important orchestration issues related to dealing with 2-of-2 multisig timelocks, which also affects Cashu transactions when spent last, that may require further adjustments to what was presented here.

The main goal of this article is to find other people interested in this concept and willing to provide valuable feedback before a PR is opened in the NIPs repository for broader discussions.

References

• GM Swap- Nostr client for atomically exchanging GM notes. Live demo available here.
• Sig4Sats Script - A Typescript script demonstrating the swap of a Cashu payment for a signed Nostr event.
• Loudr- Nostr client under development for sponsoring the publication of Nostr events. Live demo available at loudr.me.
• Poelstra, A. (2017). Scriptless Scripts. Blockstream Research. https://github.com/BlockstreamResearch/scriptless-scripts