I was searching how to make blind signatures based on standard ECDSA and couldn't find anything useful. I found a 10-year old paper with a proposal, but it proposes a formula incompatible with the standard ECDSA signature that is used in Bitcoin:
http://mshwang.ccs.asia.edu.tw/www/myjournal/P191.pdfMy goal is to lock funds in a usual multisig transaction where private keys belong to N friends. When they sign my transaction, they should not be able to see what is being spent or where it goes from and to. Splitting the key using SSSS ("Shamir's Secret Sharing Scheme") is not the perfect option as the recovered secret must be applied on a single machine that may not be trusted (think regular Win PC). When multisig transaction is being signed by every participant, no machine is able to spend the funds arbitrarily.
My question to experts is whether the following algorithm that uses a simple multiplication factor is workable:
TL;DR:
1. You send money to x*pubkey instead of pubkey. (x is your secret integer - "blinding factor")
2. You ask third party to sign (hash/x) instead of hash of tx itself.
3. You use x*signature to redeem funds.
More specifically:
Part 1. Sending the funds:
1. Trusted party gives you their public key D (D = d*G, d — private key, G — standard generator point).
2. You choose secret random integer x ("blinding factor")
3. Compute public key D2 = x*D
4. Send money to D2 (it could be one of the keys in multisig script).
5. Store in your encrypted wallet info about x, D and the transaction to spend it later.
Part 2. Redeeming funds:
1. Compute the hash h = signatureHash(tx).
2. Compute h2 = (h / x) mod n (n — order of our curve secp256k)
3. Send to the third party h2 to be signed with their private key d.
4. Third party sends back to you a usual ECDSA signature (r,s) where s = (k^-1)(h2 + d*r)
5. You multiply s by x and get s2 = x*s = (k^-1)(x*h2 + x*d*r)
6. This new signature (r,s2) is equivalent to a signature of h signed with a private key x*d.
7. Neither you, nor third party knows x*d (only you know x, only they know d), but you know x*d*G = x*D = D2 — a public key derived from their public key.
8. So the signature (r,s2) is a valid signature of message h verifiable by public key D2=x*D.
9. You publish your transaction with signature (r,s2) and the third party cannot know that it was signed by them.
Is there a fault somewhere? What do you think?
Thanks.
EDIT: This scheme fails. As gmaxwell pointed out below, r is not blinded and will be recognized by the signing party.
