General Discussion / Re: $1000 BitUSD Bounty - ECC Blinded Signatures
« on: June 30, 2015, 08:27:19 pm »
This approach allows ME to have someone else sign SOMETHING without them being able to prove they were the one who signed it, which could be useful for multi-sig / two-factor on confidential transactions.
Ah, got it. The tricky thing is that the only person who is able to derive this one-time public key is the one who can generate a, b, c, d, P, and Q (Alice in the example). But I would think for private multisig to be useful the sender of the funds needs to be able to independently specify the public key that is allowed to withdraw the funds using only public information about the receiver. So that means unsolicited funds could not be sent to Alice with this kind of blinded withdraw condition. It would require Alice to provide the sender with the one-time public key that Alice generates in order for the sender to send Alice the funds.
As an aside, for this to be really useful, it would be nice if the scheme could be augmented into a blinded threshold signature scheme (to generalize from a blinded 2-of-2 multisig to a blinded M-of-N multisig). In fact, I would be concerned with being dependent on another party to be able to access my funds. But at least that part can be solved through a convention of everyone using a 1-of-2 multisig where the 2 keys are different one-time public keys: one between ME and the regular blinded signer, and one between ME and my cold storage key acting as the blinded signer.