Draft of an upcoming scriptless scripts paper. This was at the beginning of 2017. But now an entire year has gone by.

post-schnorr lightning transactions https://lists.linuxfoundation.org/pipermail/lightning-dev/2018-February/001031.html

Say we're trying to do an atomic swap. I have an adaptor signature where I can put some coins into a multisig. You give me an adaptor signature, which gives me the ability to translate your signature, which you will later reveal to take the coins, into some discrete log challenge. You give me an adaptor signature and some values, and I say yeah as long as this happens hten I will sign. So coins can use one curve, and you can claim curves from the other coin. On the other chain we do the same way, so you give me an adaptor signature with the same t value. I only have the adaptor signatures now. You sign to take your coins, I use your signature to learn the secret key, and then I can use that to take coins on my end. What if this was an ed25519 coin and a secp coin? It's dependent on using the same t on both sides. I want you to give me two t's and one on secp and one on ed25519 and a proof that they are using the same private key. How do you make the key-- how do you limit the... When you make this ring signature thing, you have only so many digits. You divide it up into digits, you add up all the digits. For each digit, you give me a-- you say this is either the secret key of 0 or 1, or 0 or 2, etc. Doesn't have to be 128-bits. These proofs are pretty big. Each ring signature is like... if you do it in binary, 96 bytes per digit, 96 bytes * 128 in this case. This is just p2p. It's like 10-20 kb. It's not very much.

Do people currently have cross-chain atomic swaps for different curves? You could just use hashes, but anyone could see the hashes. They can link them.

The signer could give you a signature and the adaptor signature. There's a challenger-responder protocol in that draft of the scriptless script.

We need a new definition or letter for sG. We use that a lot.