Description
Dear Blockstream Team,
I propose a privacy enhancement for Green’s 2-of-2 and 2-of-3 multisig wallets to ensure Blockstream’s servers never hold the wallet descriptor in plaintext and can sign transactions blindly, without knowing the transaction details or balances.
Current Issue: In 2-of-2 and 2-of-3 setups, Blockstream’s servers receive the wallet descriptor (xpubs) to sign transactions, allowing visibility into addresses and balances. Even with Tor or personal nodes, cosigning exposes sensitive data.
Proposed Solution:
• Encrypt the wallet descriptor with a key derived from the user’s xpub and store only the encrypted version on Blockstream’s servers.
• Implement blind signing, where Blockstream’s servers sign transactions without decrypting the descriptor or seeing transaction details (e.g., amounts, addresses).
Benefits:
• Blockstream never sees descriptors, balances, or transaction details, even during signing.
• Aligns with privacy demands in the Bitcoin community.
Request: Please consider developing blind signing with encrypted descriptors to make Green a top choice for private multisig wallets. This could leverage existing node and hardware wallet support.
Happy to provide feedback!
Thanks!