Blinded 2P-ECDSA signing #400

@tomt1664

The signing protocol for a fully blinded server:

(P1 = server, P2 = client).

P1 chooses a random ephemeral key share k1 <- Zq and computes R1 = k1.G and sends to P2
P2 chooses a random ephemeral key share x2 <- Zq and computes R = k2.R1
P2 then determines r (the x component of R mod q).
P2 generates a random blinding key b <- Zq
P2 chooses m and computes c1 = Enc_pk(k2^-1.H(m) mod q) and v = k2^-1.rx2 mod q using the Paillier public key pk from P1.
P2 then performs a homomorphic scalar multiplication of v by ck to obtain c2 = Enc_pk(k2^-1.rx2x1 mod q), and then Paillier homomorphic addition of c1 and c2 to obtain c3 = Enc_pk(k2^-1.H(x) + k2^-1.rx2x1 mod q).
P2 then performs a homomorphic scalar multiplication of c3 by b to obtain c4 = Enc_pk(k2^-1.H(x).b + k2^-1.rx2x1.b mod q) and sends to P1.
P1 decrypts c4 using their Paillier secret key sk to give t = Dec_sk(c4) = k2^-1.H(x).b + k2^-1.rx2x1.b mod q.
P1 multiplies t by the inverse of their ephemeral key share k1^-1 to compute the blinded s value: s_b = k^-1.H(x).b + k^-1.rx.b mod q and sends to P2.
P2 then unblinds s_b to obtain the final signature s = s_b.b^-1
P2 verifies (r,s) against the message m and the shared public key Q.
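
The steps above run end to end on secp256k1, as an added example that is not code from this issue or from the project. It assumes ck is P1's Paillier encryption of its key share x1 (held by P2 from key generation), that Q = x1.x2.G, and that "x2" in step 2 and "H(x)" are read as k2 and H(m); the Paillier key is a constructed, insecure toy key and all function names are hypothetical.

```python
import hashlib, secrets

# secp256k1: field prime Pf, group order q, generator G
Pf = 2**256 - 2**32 - 977
q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
# Constructed toy Paillier key from two Mersenne primes: NOT secure, demo only.
N = (2**521 - 1) * (2**607 - 1)   # N > q^3, so plaintexts never wrap mod N
N2, phi = N * N, (2**521 - 2) * (2**607 - 2)

def add(a, b):  # affine point addition; None is the point at infinity
    if a is None or b is None: return a or b
    if a[0] == b[0] and (a[1] + b[1]) % Pf == 0: return None
    l = (3 * a[0] ** 2 * pow(2 * a[1], -1, Pf) if a == b
         else (b[1] - a[1]) * pow((b[0] - a[0]) % Pf, -1, Pf))
    x = (l * l - a[0] - b[0]) % Pf
    return x, (l * (a[0] - x) - a[1]) % Pf

def mul(k, pt):  # double-and-add scalar multiplication
    acc = None
    while k:
        if k & 1: acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def enc(m): return (1 + m * N) * pow(secrets.randbelow(N - 1) + 1, N, N2) % N2
def dec(c): return (pow(c, phi, N2) - 1) // N * pow(phi, -1, N) % N
def H(m): return int.from_bytes(hashlib.sha256(m).digest(), "big") % q
def rnd(): return secrets.randbelow(q - 1) + 1

def blind_sign(msg, x1, x2):
    ck = enc(x1)                            # assumed: P2 got Enc_pk(x1) at keygen
    k1 = rnd(); R1 = mul(k1, G)             # P1 -> P2: R1 = k1.G
    k2 = rnd(); r = mul(k2, R1)[0] % q      # P2: R = k2.R1, r = R.x mod q
    b, k2i = rnd(), pow(k2, -1, q)          # P2: blinding key b, k2^-1
    c1 = enc(k2i * H(msg) % q)              # P2: Enc(k2^-1.H(m))
    v = k2i * r * x2 % q                    # P2: v = k2^-1.r.x2
    c3 = c1 * pow(ck, v, N2) % N2           # c2 = v (*) ck, c3 = c1 (+) c2
    c4 = pow(c3, b, N2)                     # P2 -> P1: c4 = b (*) c3
    t = dec(c4)                             # P1 sees only the b-blinded value
    s_b = pow(k1, -1, q) * t % q            # P1 -> P2: blinded s
    return r, s_b * pow(b, -1, q) % q       # P2 unblinds: s = s_b.b^-1

def verify(msg, sig, Qpub):  # standard ECDSA verification against Q
    (r, s), h = sig, H(msg)
    X = add(mul(h * pow(s, -1, q) % q, G), mul(r * pow(s, -1, q) % q, Qpub))
    return X is not None and X[0] % q == r
```

P1 only ever handles R1, c4, t and s_b, none of which reveal m or the final (r, s) without b and k2.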
