// PartialSign is the generalized and exported version of
// schnorrPartialSign.
func PartialSign(curve *secp256k1.KoblitzCurve, msg []byte,
priv *secp256k1.PrivateKey, privNonce *secp256k1.PrivateKey,
pubSum *secp256k1.PublicKey) (*Signature, error) {
privBytes := priv.Serialize()
defer zeroSlice(privBytes)
privNonceBytes := privNonce.Serialize()
defer zeroSlice(privNonceBytes)
return schnorrPartialSign(curve, msg, privBytes, privNonceBytes, pubSum,
chainhash.HashFuncB)
}
// GenerateNoncePair is the generalized and exported version of generateNoncePair.
func GenerateNoncePair(curve *secp256k1.KoblitzCurve, msg []byte,
privkey *secp256k1.PrivateKey, extra []byte,
version []byte) (*secp256k1.PrivateKey, *secp256k1.PublicKey, error) {
priv, pubNonce, err := generateNoncePair(curve, msg, privkey.Serialize(),
nonceRFC6979, extra, version)
if err != nil {
return nil, nil, err
}
privNonce := secp256k1.NewPrivateKey(curve,
EncodedBytesToBigInt(copyBytes(priv)))
return privNonce, pubNonce, nil
}
// Sign is the exported version of sign. It uses RFC6979 and Blake256 to
// produce a Schnorr signature.
func Sign(curve *secp256k1.KoblitzCurve, priv *secp256k1.PrivateKey,
hash []byte) (r, s *big.Int, err error) {
// Convert the private scalar to a 32 byte big endian number.
pA := BigIntToEncodedBytes(priv.GetD())
defer zeroArray(pA)
// Generate a 32-byte scalar to use as a nonce. Try RFC6979
// first.
kB := nonceRFC6979(priv.Serialize(), hash, nil, nil)
for {
sig, err := schnorrSign(curve, hash, pA[:], kB, nil, nil,
chainhash.HashFuncB)
if err == nil {
r = sig.GetR()
s = sig.GetS()
break
}
errTyped, ok := err.(SchnorrError)
if !ok {
return nil, nil, fmt.Errorf("unknown error type")
}
if errTyped.GetCode() != ErrSchnorrHashValue {
return nil, nil, err
}
// We need to compute a new nonce, because the one we used
// didn't work. Compute a random nonce.
_, err = rand.Read(kB)
if err != nil {
return nil, nil, err
}
}
return r, s, nil
}