Fairly exchanging digital information is an everyday problem. We focus on the specific scenario of a sale where a seller holds a digital secret x (e.g., medical data or a machine learning model) and a buyer wants to compute a function f on the seller’s secret in exchange for payment. Fairness in this context means that the buyer receives the desired information if and only if the seller is paid. Additionally, privacy is crucial — the buyer should learn nothing beyond f(x). In trustless digital environments like blockchain-based Web3 systems, existing solutions typically fall into two categories: (1) Smart contract-based approaches, which ensure atomic transactions where the buyer receives f(x) (but not x) upon payment. However, these methods are often inefficient, costly, and are incompatible with legacy blockchains like Bitcoin. (2) Cryptographic approaches using adaptor signatures, which address these inefficiencies but enforce an “all-or-nothing” trade-off, allowing the buyer to extract x entirely rather than just f(x).

We bridge this gap through functional adaptor signatures (FAS), a novel extension of cryptographic digital signatures that enables fair functional sales with improved efficiency, privacy, and blockchain compatibility. With FAS, the seller commits to x, the buyer pre-signs a payment transaction tied to f, and the seller transforms the pre-signature into a valid signature to receive payment. The buyer then extracts f(x), completing the exchange.

In this talk, I will introduce functional adaptor signatures and present constructions for different functions, enabling pay-per-query style services for applications such as large-scale data analytics, and common machine learning tasks such as model fine-tuning and inference. In particular, our constructions follow from two general design frameworks: one based on functional encryption and other based on homomorphic encryption, each offering a different tradeoff in seller/buyer computation and the underlying function class. Our FAS constructions are extensions of Schnorr signatures, ensuring Bitcoin compatibility. Along the way, we also introduce new algebraic zero-knowledge proof systems to prove plaintext equality across ciphertexts of different encryption schemes.

This is based on joint works with Nikhil Vanjani (CMU), Aravind Thyagarajan (U Sydney), and Garrett Greiner (U Utah).