
I am working on a project inspired by digital cash where we would like to use partially-blind signatures. This is so that the Bank signs a check with a hidden serial number (S), but a plainly visible denomination value (V). Because we may not wholly trust the signer (the Bank), we'd also like this to be threshold or multisig, so that we can have the independent signature of several signers and make signer corruption more difficult.

We have an onboarding process to enrol and remove signers, so there is a central authority that keeps track of their public keys. I read the analysis of the Bellare-Neven 06 paper on the KOSK vs Plain Public-key model, and it seems to me that with this setup, we can actually use the KOSK setting. NIZK proofs have advanced since the time of the paper and they are not necessarily prohibitive anymore. Furthermore, if what we want to prove is Proof of Knowledge of a DL secret key, that seems to be doable with Sigma-Protocols and not even require SNARKs.

If we can indeed rely on these and use the KOSK model, we can make a simple Multisig by using a linear signature scheme and aggregating signatures and public keys. If I understand correctly, we would not need to worry about distributing shares of randomness during the signing process, as is done in 3-round MuSig.

But I've been doing the research on the existing literature on this topic and I haven't found anything out there that ticks all our boxes. I think I can cobble enough pieces together in an acceptable way, but would appreciate some feedback on it.

Our main goal is security, but we also want performance as good as possible, both in terms of computation (effort to create a signature) and on communication complexity (signature size and verifying key information). For this reason I've been focusing on Schnorr-based schemes, instead of Bilinear-Pairings- (eg Boldyreva 03) or RSA-based schemes.

As for threshold- vs multi-signatures, I'm favouring multisigs at the moment because they seem to be lighter in construction: there is no need to distribute a key or a secret with a secret sharing kind of scheme and my intuition tells me that should make a faster scheme. And although I will have to send some information about the keys that have been aggregated, because we have a registry of signers we only need to send indices to the keys which is much shorter.

I analysed the Blind Signature by Okamoto in the version described in [Pointcheval and Stern 2000] and the Abe-Okamoto Partially Blind Signature.

Now, my problem is which base scheme to use. Ideally, I'd use Abe-Okamoto for its partial blindness. But it takes one extra element than the Schnorr-Okamoto and is more intensive to compute. Moreover, I don't know how paranoid I should be regarding concurrency.

The User will interact with each signer. Each of them will use their own randomness. The user also has to create some randomness, which will never be sent to the signers and is only used for blinding. Does this mean the User can employ the same blinding factors with every signer?

If we can reuse the randomness, then I believe Abe-Okamoto is linear and I could create a Multisig by just adding the shares and letting the verifier check that the aggregated key has been computed from a subset of centrally registered keys.

Do you think this is feasible? Can I use a Multisig Abe-Okamoto in this way? Or is there a better way to get the same behaviour?
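To make the construction sketched in the question concrete, here is an added worked example (not the poster's design, and not an existing library): a KOSK registry that only enrols a key together with a Schnorr proof of knowledge of its discrete log, three independent signers that each keep their own nonce, and a user who coordinates a blind Schnorr signing session across all of them with a single pair of blinding factors (alpha, beta) applied to the aggregate. The group parameters P, Q and G are demonstration-sized and constructed for the example; the message layout and all function names are assumptions. It uses plain blind Schnorr rather than Abe-Okamoto, so the denomination is not bound by the signer as public information; that is exactly the property partial blindness adds and this example does not provide it.

```python
import hashlib
import secrets

# Demonstration-sized group (constructed for this example, far too small to be secure):
# P is a safe prime, Q = (P - 1) / 2 is the prime order of the subgroup, G = 2^2 generates it.
P, Q, G = 1019, 509, 4


def hash_to_zq(*parts):
    """Fiat-Shamir style hash of the given values into Z_Q (encoding chosen for this example)."""
    data = "|".join(str(x) for x in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


# KOSK enrolment: a Sigma-protocol (Schnorr) proof of knowledge of the discrete log of X.
def pok_prove(x, X):
    k = secrets.randbelow(Q - 1) + 1
    K = pow(G, k, P)
    c = hash_to_zq("pok", X, K)
    return K, (k + c * x) % Q


def pok_verify(X, proof):
    K, z = proof
    c = hash_to_zq("pok", X, K)
    return pow(G, z, P) == (K * pow(X, c, P)) % P


class Registry:
    """Central authority that enrols a key only with a valid proof of knowledge."""

    def __init__(self):
        self.keys = []

    def enrol(self, X, proof):
        if not pok_verify(X, proof):
            raise ValueError("enrolment rejected: no proof of knowledge for this key")
        self.keys.append(X)
        return len(self.keys) - 1  # index the user can send instead of the full key

    def aggregate(self, indices):
        X_agg = 1
        for i in indices:
            X_agg = X_agg * self.keys[i] % P  # linear scheme: keys multiply together
        return X_agg


class Signer:
    """One Bank signer: fresh nonce per session, never sees the message."""

    def __init__(self, x):
        self.x, self.r = x, None

    def round1(self):
        self.r = secrets.randbelow(Q - 1) + 1
        return pow(G, self.r, P)

    def round2(self, e):
        s, self.r = (self.r + e * self.x) % Q, None  # nonce is consumed, never reused
        return s


def user_blind_sign(signers, X_agg, msg):
    """User coordinates all signers, reusing one (alpha, beta) for the aggregate."""
    R = 1
    for sg in signers:
        R = R * sg.round1() % P          # aggregate nonce commitment
    alpha, beta = secrets.randbelow(Q), secrets.randbelow(Q)
    R_blind = R * pow(G, alpha, P) * pow(X_agg, beta, P) % P
    e_blind = hash_to_zq("sig", R_blind, X_agg, msg)
    e = (e_blind + beta) % Q             # the same blinded challenge goes to every signer
    s = alpha
    for sg in signers:
        s = (s + sg.round2(e)) % Q       # linear: signature shares simply add up
    return R_blind, s


def verify(X_agg, msg, sig):
    R_blind, s = sig
    e_blind = hash_to_zq("sig", R_blind, X_agg, msg)
    return pow(G, s, P) == R_blind * pow(X_agg, e_blind, P) % P


def demo(n_signers=3):
    """Enrol n signers, have them jointly blind-sign a check, return what the verifier needs."""
    registry, signers = Registry(), []
    for _ in range(n_signers):
        x, X = keygen()
        registry.enrol(X, pok_prove(x, X))
        signers.append(Signer(x))
    X_agg = registry.aggregate(range(n_signers))
    msg = "serial=<hidden from signers>|denomination=10"  # constructed sample check
    sig = user_blind_sign(signers, X_agg, msg)
    return X_agg, msg, sig


if __name__ == "__main__":
    X_agg, msg, sig = demo()
    print("aggregate signature verifies:", verify(X_agg, msg, sig))
```

The algebra that makes the single blinding pair work is the linearity the question relies on: g^s = g^alpha * prod(g^(r_i + e x_i)) = g^alpha * R * X_agg^(e_blind + beta) = R_blind * X_agg^e_blind, regardless of how many signers contributed. Two things this example does not settle: the user still has to collect every R_i before the challenge can be formed (one round trip per signer, but no nonce-share distribution among signers), and it runs sessions strictly one at a time. Schnorr-type blind signatures, Abe-Okamoto included, have published attacks via the ROS problem when many signing sessions run in parallel, so a deployment needs either serialized sessions or a scheme whose proof covers concurrency.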
