Functional Adaptor Signatures: Beyond All-or-Nothing Blockchain-based Payments

In scenarios where a seller holds sensitive data $x$, like patient records, and a buyer seeks to obtain an evaluation of a function $f$ on $x$, solutions in trustless environments like blockchain fall into two categories: (1) Smart contract-powered solutions and (2) cryptographic solutions using tools such as adaptor signatures. The former offers atomic transactions where the buyer learns $f(x)$ upon payment. However, this approach is inefficient, costly, lacks privacy for the seller's data, and is incompatible with blockchains such as bitcoin. In contrast, the adaptor signature-based approach addresses all of the above issues but comes with an "all-or-nothing" guarantee, where the buyer fully extracts $x$ and does not support extracting $f(x)$. In this work, we bridge the gap between these approaches, developing a solution that enables fair functional sales while offering all the above properties like adaptor signatures. Towards this, we propose functional adaptor signatures (FAS), a novel cryptographic primitive and show how it can be used to enable functional sales. We formalize the security properties of FAS, among which is a new notion called witness privacy to capture seller's privacy, which ensures the buyer does not learn anything beyond $f(x)$. We present multiple variants of witness privacy, namely, witness hiding, witness indistinguishability, and zero-knowledge. We introduce two efficient constructions of FAS supporting linear functions based on groups of prime-order and lattices, that satisfy the strongest notion of witness privacy. A central conceptual contribution of our work lies in revealing a surprising connection between functional encryption and adaptor signatures. We implement our FAS construction for Schnorr signatures and show that for reasonably sized seller witnesses, all operations are quite efficient even for commodity hardware.