P' = P + H(P||S)G
d' = d + H(P||S)
Examples:
-
Pis a public key,Sis a bitcoin script with a locktime for a different Key(Q).
The owner ofPcan sign forP'and spend the output regularly(by signing withd').
OR the owner ofQcan providePandSand then get evaluated by S as a regular script. (and if the script evaluates to true he can get the money) -
Sis a hash of a document and this is used to timestamp data, not the best way since you need this to be able to sign on the transaction later and this isn't saved anywhere.
R' = R + H(R||c)G
k' = k + H(R||c)
Examples:
- Commit to some data (i.e. timestamps).
- Use this as auxilary data for a sidechain/payment channel(liquid, lightning etc.).
s' = k + ed + t
s'G = R(kG) + eP(dG) + T(tG)
This is only useful in MuSig, otherwise the signer can replace R with whatever he wants, rendering t signature useless.
Examples:
-
Atomic Swaps:
Alice and Bob have a 2-Out-of-2 address on both litecoin and bitcoin. Alice want to sell 10LTC to Bob for 1BTC.
She provides to bob 2 adaptor signatures with the sameT, one for the 10LTC and another for the 1BTC.
Bob in exchange gives her 2 regular schnorr signatures(partial signatures).
Alice creates a full signature for the 1BTC and broadcast it.
Bob sees that signature. subtract from it his signature and the adaptor signature, and from that he gets-t.
Now he get add that to the adaptor signature for the 10LTC, add his signature and get his money. -
Same can be done with lightning channels. of course you'll need a TimeLock option to revert the operation in case of non cooperative party.
Math:
Alice1: sa1 = ka1 + e1da + t
Alice2: sa2 = ka2 + e2da + t
Bob1: sb1 = kb1 + e1db
Bob2: sb2 = kb2 + e2db
Alice1 Sends: s' = sa1 + sb1 - t
Bob calculate: s'- sa1 - sb1 == -t
Bob send: s' = sb2 + sa2 + (-t)