The adaptor signature s' is the real signature s, minus a secret tweak t: s'=s-t
The adaptor signature is published together with the elliptic curve points R for the nonce and T for the tweak, which belong to their corresponding secrets r and t.
The Verifier can now do the verification and check that everything is valid. After this the Verifier has to wait for the real signature s to appear on-chain to calculate t: t=s-s'.
But in the case of block-wide signature aggregation, the real signature s never appears on-chain because it gets "lost" inside the aggregate signature. The aggregate signature s_agg is a sum of all the other signatures; in the case of Signature Half Aggregation it's a sum of all signatures, each multiplied by an unpredictable value z_i:
s_agg is the only value to appear on-chain and it's useless for calculating t.
More in-depth info can be found here: https://www.gijsvandam.nl/post/why-does-signature-half-aggregation-break-adaptor-signatures/
You can get bonuses upto $100 FREE BONUS when you:
π° Install these recommended apps:
π² SocialGood - 100% Crypto Back on Everyday Shopping
π² xPortal - The DeFi For The Next Billion
π² CryptoTab Browser - Lightweight, fast, and ready to mine!
π° Register on these recommended exchanges:
π‘ Binanceπ‘ Bitfinexπ‘ Bitmartπ‘ Bittrexπ‘ Bitget
π‘ CoinExπ‘ Crypto.comπ‘ Gate.ioπ‘ Huobiπ‘ Kucoin.
Comments