Blinded 2P-ECDSA signing

[tomt1664]

The signing protocol for a fully blinded server:

(P1 = server, P2 = client).

P1 chooses a random ephemeral key share k1 <- Zq and computes R1 = k1.G and sends to P2 P2 chooses a random ephemeral key share x2 <- Zq and computes R = k2.R1 P2 then determines r (the x component of R mod q). P2 generate a random blinding key b <- Zq P2 chooses m and computes c1 = Enc_pk(k2^-1.H(m) mod q) and v = k2^-1.rx2 mod q using the Paillier public key pk from P1. P2 then performs a homomorphic scalar multiplication of v by ck to obtain c2 = Enc_pk(k2^-1.rx2x1 mod q), and then Pailier homomorphic addition of c1 and c2 to obtian c3 = Enc_pk(k2^-1.H(x) + k2^-1.rx2x1 mod q). P2 then performs a homomorphic scalar multiplication of c3 by b to obtain c4 = Enc_pk(k2^-1.H(x).b + k2^-1.rx2x1.b mod q) and sends to P1. P1 decrypts c4 using their Pailier secret key sk to give t = Dec_sk(c4) = k2^-1.H(x).b + k2^-1.rx2x1.b mod q. P1 multiplies t by the inverse of their ephemeral key share k1^-1 to compute the blinded s value: s_b = k^-1.H(x).b + k^-1.rx.b mod q and sends to P2. P2 then unblinds s_b to obtain the final signature s = s_b.b^-1 P2 verifies (r,s) against the message m and the shared public key Q.