signSchnorrTx method

List<int> signSchnorrTx(
  1. List<int> digest, {
  2. List<int>? tweak,
  3. List<int>? auxRand,
})

Signs a given Schnorr-based transaction digest using the Schnorr signature scheme.

Implementation

List<int> signSchnorrTx(List<int> digest,
    {List<int>? tweak, List<int>? auxRand}) {
  if (digest.length != 32) {
    throw const CryptoSignException("The message must be a 32-byte array.");
  }
  if (tweak != null && tweak.length != 32) {
    throw const CryptoSignException("The message must be a 32-byte array.");
  }
  List<int> byteKey = <int>[];
  if (tweak != null) {
    byteKey = BitcoinSignerUtils.calculatePrivateTweek(
        signingKey.privateKey.toBytes(), tweak);
  } else {
    byteKey = signingKey.privateKey.toBytes();
  }
  final List<int> aux =
      auxRand ?? QuickCrypto.sha256Hash(<int>[...digest, ...byteKey]);
  final d0 = BigintUtils.fromBytes(byteKey);

  if (!(BigInt.one <= d0 && d0 <= BitcoinSignerUtils.order - BigInt.one)) {
    throw const CryptoSignException(
        "The secret key must be an integer in the range 1..n-1.");
  }
  final P = Curves.generatorSecp256k1 * d0;
  BigInt d = d0;
  if (P.y.isOdd) {
    d = BitcoinSignerUtils.order - d;
  }

  final t = BytesUtils.xor(
      BigintUtils.toBytes(d, length: BitcoinSignerUtils.baselen),
      P2TRUtils.taggedHash("BIP0340/aux", aux));

  final kHash = P2TRUtils.taggedHash(
    "BIP0340/nonce",
    <int>[
      ...t,
      ...BigintUtils.toBytes(P.x, length: BitcoinSignerUtils.baselen),
      ...digest
    ],
  );
  final k0 = BigintUtils.fromBytes(kHash) % BitcoinSignerUtils.order;

  if (k0 == BigInt.zero) {
    throw const CryptoSignException(
        'Failure. This happens only with negligible probability.');
  }
  final R = (Curves.generatorSecp256k1 * k0);
  BigInt k = k0;
  if (R.y.isOdd) {
    k = BitcoinSignerUtils.order - k;
  }

  final eHash = P2TRUtils.taggedHash(
    "BIP0340/challenge",
    List<int>.from([
      ...BigintUtils.toBytes(R.x, length: BitcoinSignerUtils.baselen),
      ...BigintUtils.toBytes(P.x, length: BitcoinSignerUtils.baselen),
      ...digest
    ]),
  );

  final e = BigintUtils.fromBytes(eHash) % BitcoinSignerUtils.order;

  final eKey = (k + e * d) % BitcoinSignerUtils.order;
  final sig = List<int>.from([
    ...BigintUtils.toBytes(R.x, length: BitcoinSignerUtils.baselen),
    ...BigintUtils.toBytes(eKey, length: BitcoinSignerUtils.baselen)
  ]);
  final verify = verifyKey.verifySchnorrSig(digest, sig, tweak: tweak);
  if (!verify) {
    throw const CryptoSignException(
        'The created signature does not pass verification.');
  }
  return sig;
}