// Sign is the exported version of sign. It uses RFC6979 and Blake256 to
// produce a Schnorr signature.
func Sign(curve *secp256k1.KoblitzCurve, priv *secp256k1.PrivateKey,
hash []byte) (r, s *big.Int, err error) {
// Convert the private scalar to a 32 byte big endian number.
pA := BigIntToEncodedBytes(priv.GetD())
defer zeroArray(pA)
// Generate a 32-byte scalar to use as a nonce. Try RFC6979
// first.
kB := nonceRFC6979(priv.Serialize(), hash, nil, nil)
for {
sig, err := schnorrSign(curve, hash, pA[:], kB, nil, nil,
chainhash.HashFuncB)
if err == nil {
r = sig.GetR()
s = sig.GetS()
break
}
errTyped, ok := err.(SchnorrError)
if !ok {
return nil, nil, fmt.Errorf("unknown error type")
}
if errTyped.GetCode() != ErrSchnorrHashValue {
return nil, nil, err
}
// We need to compute a new nonce, because the one we used
// didn't work. Compute a random nonce.
_, err = rand.Read(kB)
if err != nil {
return nil, nil, err
}
}
return r, s, nil
}
