Exploring the World of HTLCs: Challenges and Innovations

A while back, I watched an almost decade-old video produced by the Zcash team. It demonstrated a way to atomically swap Zcash tokens for bitcoins. Despite seeing the problems of that approach in real time, I wondered why these issues weren't eventually resolved and the idea more broadly adopted. Let's just say that you don't see multiple HTLC-based protocol clones across multiple chains. However, there are still a few notable protocols that have recognised the utility of HTLCs as a fundamental component.

These include the Lightning Network, which uses HTLCs for state channel payments, and the Monero-Bitcoin atomic swap, an example of peer-to-peer atomic cross-chain swaps. Additionally, Airswap, an OTC and RFQ-based protocol, employs the HTLC primitive to facilitate non-custodial trading. This selective adoption highlights the specific scenarios where HTLCs are considered beneficial despite their apparent limitations in other contexts.

So What are HTLCs

Hash time locked contracts (HTLCs) are a type of smart contract that creates a time-based escrow, letting users trade tokens in a peer-to-peer fashion: the tokens are unlocked by revealing the secret behind a hash.

Let's break that down a little bit further.

The essence of an HTLC is that a user can trade their tokens with another user in such a way that, if anything goes wrong, there is no risk of losing their assets.

The basic process of an HTLC is as follows:

  1. Aisha chooses a secret \(x\) and produces \(H(x)\), a hash value of \(x\). She then locks her coins with the hash for time \(T\).
  2. Umar locks his coins using the hash value generated by Aisha for time \(T\).
  3. Aisha publishes her secret \(x\) to take Umar's coins before \(T\) expires.
  4. Umar now knows secret \(x\) and can then use that to take Aisha's coins before \(T\) expires.
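The four steps above as a small simulation, added here as an illustration and not taken from any HTLC implementation. The `HTLC` class, the integer clock `now` and the sample secret are assumptions made for the example; it also covers the walk-away case and the shared hash discussed under Problems with HTLCs.

```python
import hashlib
from dataclasses import dataclass

@dataclass
class HTLC:
    """Toy hash time locked escrow; `now` stands in for chain time."""
    sender: str
    recipient: str
    hashlock: bytes          # H(x)
    expiry: int              # T
    state: str = "locked"
    revealed: bytes = b""    # preimage, public once the claim is on chain

    def claim(self, who, x, now):
        ok = (self.state == "locked" and who == self.recipient
              and now < self.expiry
              and hashlib.sha256(x).digest() == self.hashlock)
        if ok:
            self.state, self.revealed = "claimed", x
        return ok

    def refund(self, who, now):
        ok = (self.state == "locked" and who == self.sender
              and now >= self.expiry)
        if ok:
            self.state = "refunded"
        return ok

def happy_path(T=100):
    x = b"constructed secret x"                                   # sample value
    aisha = HTLC("Aisha", "Umar", hashlib.sha256(x).digest(), T)  # step 1
    umar = HTLC("Umar", "Aisha", aisha.hashlock, T)               # step 2
    umar.claim("Aisha", x, now=10)                                # step 3
    aisha.claim("Umar", umar.revealed, now=20)                    # step 4
    # The identical hashlock on both chains is what links the two legs.
    return aisha.state, umar.state, aisha.hashlock == umar.hashlock

def counterparty_walks_away(T=100):
    x = b"constructed secret x"                                   # sample value
    aisha = HTLC("Aisha", "Umar", hashlib.sha256(x).digest(), T)
    # Umar never funds his side: Aisha's coins stay locked until T.
    early = aisha.refund("Aisha", now=50)
    late = aisha.refund("Aisha", now=T)
    return early, late, aisha.state
```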

Problems with HTLCs

HTLCs function similarly to a free American call option, which tends to disadvantage the initiator of the swap. This is because the counterparty has the option to walk away from the transaction at any time, leaving the initiator to wait until the contract expires to reclaim their coins. To counter this, one solution could be to require the counterparty to pay a small, non-refundable fee to the initiator. Alternatively, implementing a dynamic pricing mechanism that increases the transaction cost over time could deter this behaviour.

Scaling HTLCs presents another challenge, as they require a direct counterparty and communication channel for each trade. This setup is not ideal for transactions involving long-tail assets due to the difficulty in finding a willing counterparty. A potential solution to this issue is to establish a batch auction system for HTLCs, allowing the processing of multiple bids and asks within a set timeframe.

Privacy in HTLC-based atomic swaps is also a concern. The two transactions can be easily traced and linked by analysing the hash on both chains, since both contracts lock to the same hash value. Adaptor signatures offer a way to address this privacy issue by preventing the leak of the hash pre-image on the chain.

So this leads to the question: what are adaptor signatures, and are they actually any better?

Adaptor Signatures

Adaptor signatures were first mentioned by Andrew Poelstra in an article titled "Scriptless Scripts: How Bitcoin Can Support Smart Contracts Without Smart Contracts". This article explained how to use adaptor signatures as an alternative to HTLCs to perform atomic swaps that offer greater privacy protections.

An adaptor signature is basically a Schnorr signature with an added piece of hidden information. As a reminder, this is a Schnorr signature:

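\[ s = r + H(P || R || m) p\]

where:

  • \(H\) is the hash function.
  • \(m\) is the message.
  • \(p\) is the signer's private key and \(P = pG\) is the corresponding public key.
  • \(r\) is a random number.
  • \(R = rG\) is the random point (represented by its x-coordinate) and \(G\) is the generator point.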

A great property of the Schnorr signature is that it is made up of purely linear terms, which makes it easy to construct multi-party signatures by just adding them together.

The adaptor signature is created by introducing a secret \(t\) in the signature calculation as:

\[ s' = t + s\]

which breaks down further to

\[ s' = t + r + H(P || R || m) p\]

where:

  • \(t\) is a secret key

Decrypting the signature and finding out the secret requires both the original signature and the adaptor signature:

\[t = s' - s\]

Back to the original example, this time both parties would engage in a trade of 1 BTC for 10 LTC using a cross-chain atomic swap.

  1. Aisha locks 1 BTC in a multi-sig address. Umar locks 10 LTC in another multi-sig address. Both parties create a combined public key that's indistinguishable from any other Schnorr public key (including being the same size).
  2. Aisha creates an adaptor Schnorr signature \(s_{a}^{'}\) by choosing a random number \(t\) and then passes that to Umar along with the public key generated, \((s_{a}^{'}, T)\).
  3. Umar verifies the adaptor Schnorr signature, adds his adaptor signature \(s_{b}\) and passes that to Aisha.

    \[s_{ab}^{'} = s_{a}^{'} + s_{b} = t + r_{a} + r_{b} + H(P || R || m)(p_{a} + p_{b})\]

  4. Aisha verifies the signature from Umar and decrypts the adaptor Schnorr signature using \(t\).
  5. To claim, Aisha completes her signature using her secret \(t\) and her part of the multisig, resulting in \(s_{ab} = s_{ab}^{'} - t\). By broadcasting this transaction she reveals \(t\) to Umar, who can now calculate \(t\) himself by subtracting Aisha's complete signature \(s_{ab}\) from the adaptor signature, \(t = s_{ab}^{'} - s_{ab}\). Using \(t\), Umar completes his signature for the BTC transaction and claims his BTC.
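The swap arithmetic above carried through on secp256k1, as an added example rather than code from the article or from any wallet. It assumes SHA-256 for \(H\), \(T = tG\), a constructed message, and plain addition of keys and nonces; production schemes such as MuSig add key-aggregation coefficients, and this toy scalar multiplication is not constant time.

```python
import hashlib, secrets

P_FIELD = 2**256 - 2**32 - 977   # secp256k1 field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(A, B):
    """Affine point addition; None is the point at infinity."""
    if A is None or B is None:
        return A or B
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % P_FIELD == 0:
        return None
    if A == B:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P_FIELD)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_FIELD)
    x3 = (lam * lam - x1 - x2) % P_FIELD
    return x3, (lam * (x1 - x3) - y1) % P_FIELD

def mul(k, A):
    """Double-and-add scalar multiplication."""
    R = None
    while k:
        if k & 1:
            R = add(R, A)
        A, k = add(A, A), k >> 1
    return R

def challenge(P, R, m):
    """e = H(P || R || m), reduced mod the group order."""
    data = b"".join(c.to_bytes(32, "big") for c in P + R) + m
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def swap_demo(m=b"constructed tx: spend the 10 LTC multisig"):
    p_a, p_b, r_a, r_b, t = (secrets.randbelow(N - 1) + 1 for _ in range(5))
    P = add(mul(p_a, G), mul(p_b, G))         # combined public key
    R = add(mul(r_a, G), mul(r_b, G))         # combined nonce point
    T = mul(t, G)                             # sent alongside s_a'
    e = challenge(P, R, m)
    s_a_adapt = (t + r_a + e * p_a) % N       # Aisha's adaptor share s_a'
    s_b = (r_b + e * p_b) % N                 # Umar's share
    s_ab_adapt = (s_a_adapt + s_b) % N        # s_ab'
    rhs = add(R, mul(e, P))                   # R + eP
    adaptor_ok = mul(s_ab_adapt, G) == add(T, rhs)  # check before completion
    s_ab = (s_ab_adapt - t) % N               # Aisha completes and broadcasts
    final_ok = mul(s_ab, G) == rhs            # ordinary Schnorr check on chain
    t_seen = (s_ab_adapt - s_ab) % N          # Umar recovers t
    return adaptor_ok, final_ok, t_seen == t, mul(t_seen, G) == T
```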

In conclusion, Hash Time Locked Contracts (HTLCs) offer a unique approach to decentralized token trading but face challenges in terms of balance, scalability, and privacy. Innovations like adaptor signatures, incorporating encrypted Schnorr signatures, offer a compelling alternative. They enhance privacy and could revolutionize atomic swaps. The future of blockchain technology hinges on balancing scalability, security, and privacy, with adaptor signatures potentially key to overcoming HTLCs' limitations. Continued research and development will determine their impact on secure, private blockchain transactions, reflecting the dynamic nature of this technological field.
