I'd like your feedback on a cryptographic idea I have for Cashu. The idea is to allow Alice to blind a message, but where she cannot unblind it. Only the final recipient of the token, Carol, can unblind.

Using the Cashu protocol, where Alice is working with the mint (Bob), to prepare a token (x,C) which she will send to Carol. Let's define Carol's private key as 'f', with her public key as 'F=fG'

In the standard protocol, 'r' is a random integer selected by Alice. I propose instead that Alice selects a random integer r_. Instead of adding 'r*G' to Y in the third step (see the 'blinding' step in screenshot below), I propose that she instead adds 'r_ * F', to get 'B_ = Y + r_ * F'

This is equivalent to 'B_ = Y + r * G', where 'r = r_ * f'. Therefore, Alice has managed to blind it with 'r', but Alice doesn't know what 'r' is. Only Carol knows 'r', as only Carol knows 'f'. Carol is the only person that can compute 'r = r_ * f'

In the standard protocol, Alice unblinds and sends (x,C) to Carol. But here, Alice cannot unblind. Alice sends r_ and C_ to Carol instead. i.e. she sends (x, r_, C_) to Carol.

Carol can then reconstruct C, the 'unblinding' in the screenshot below, as 'C = C_ - r * K' , where 'r = r_ * f'.

Thoughts? While I have a background in maths, I'm very new to elliptic curves, so I'm assuming there's an attack surface that I'm missing.

Motivation: The original motivation is for 'deterministic outputs' in the Spilman channel that I'm working on with the Cashu folks (@calle), but this idea might also be useful in normal Cashu usage where the receiver (Carol) is offline. An offline receiver could publish their public key and the online sender can prepare a suitable 'BlindSignature' from the mint. Carol (and only Carol) is able to unblind and Carol can validate the DLEQ proof (NUT-12) offline