I understand the public key will be available on the blockchain if transactions are already done, but how does the attacker know which transaction?
Maybe, maybe not. But are you willing to risk it? If it's a targeted attack, chances are they know your address. I'm no expert on multisig cryptography, but as far as I know they could just test every multisig public key ever used.
I'm not saying this setup is a good idea, I just want to know the details and make a good decision.
You're basically turning a 1-of-2 multisig into something where you need 2-of-3 locations to recover the funds. Why not use a 2-of-3 multisig the way it's intended, and add all public keys to each share?
Maybe I can add an option: have you seen "split mnemonic cards"? To me this is a lot more intuitive than multisig (although I've never used it in practice).
Example:
Card 1: tiny XXXX fetch dash hint XXXX minute XXXX XXXX XXXX belt ship XXXX XXXX system XXXX globe engine type country chief filter muscle tray
Card 2: tiny knock XXXX dash hint ranch XXXX job inch chief XXXX XXXX manual liar system have XXXX XXXX type country chief XXXX XXXX tray
Card 3: XXXX knock fetch XXXX XXXX ranch minute job inch chief belt ship manual liar XXXX have globe engine XXXX XXXX XXXX filter muscle XXXX
This accomplishes exactly what you want: you need 2-of-3 locations to restore the private key, and I don't think brute-forcing 8 missing words is viable any time soon.
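As an added example (not code from the post), the card scheme above in Python: each word is blanked on exactly one of three cards, so any two cards recover all 24 words while a single card leaves 8 unknown. The 24 words are the post's example; the round-robin blanking pattern, the function names and the checksum remark are my own assumptions, not the post's exact layout.

```python
# Added example: split a 24-word mnemonic into 3 cards, any 2 of which
# reconstruct it, and size the brute-force space a single card leaves.
from itertools import combinations
from typing import List

BLANK = "XXXX"
# The mnemonic from the post (used here only as sample input).
MNEMONIC = ("tiny knock fetch dash hint ranch minute job inch chief belt ship "
            "manual liar system have globe engine type country chief filter "
            "muscle tray").split()


def split_mnemonic(words: List[str], n_cards: int = 3) -> List[List[str]]:
    """Blank word i on card i % n_cards only (constructed round-robin pattern).
    Every position is hidden on exactly one card, so any two cards together
    show all words, while one card alone reveals (n-1)/n of them."""
    return [[BLANK if i % n_cards == c else w for i, w in enumerate(words)]
            for c in range(n_cards)]


def combine_cards(*cards: List[str]) -> List[str]:
    """Merge cards position by position; fail if a word is still unknown
    (e.g. only one card supplied) or if the cards disagree."""
    length = len(cards[0])
    if any(len(c) != length for c in cards):
        raise ValueError("cards must be the same length")
    merged = []
    for i in range(length):
        known = {c[i] for c in cards if c[i] != BLANK}
        if not known:
            raise ValueError(f"word {i + 1} is missing from every supplied card")
        if len(known) > 1:
            raise ValueError(f"cards disagree at word {i + 1}: {sorted(known)}")
        merged.append(known.pop())
    return merged


def missing_words(card: List[str]) -> int:
    return sum(1 for w in card if w == BLANK)


def brute_force_space(missing: int, wordlist_size: int = 2048) -> int:
    """Candidate mnemonics for someone holding one card: 2048^missing.
    The 8-bit BIP39 checksum prunes at most a factor of 256, so 8 missing
    words still leave about 2^80 candidates."""
    return wordlist_size ** missing


def all_pairs_recover(words: List[str], n_cards: int = 3) -> bool:
    """Check that every pair of cards reproduces the original mnemonic."""
    cards = split_mnemonic(words, n_cards)
    return all(combine_cards(a, b) == words for a, b in combinations(cards, 2))


if __name__ == "__main__":
    for k, card in enumerate(split_mnemonic(MNEMONIC), 1):
        print(f"Card {k}: {' '.join(card)}")
    print("any two cards recover:", all_pairs_recover(MNEMONIC))
    print("one card leaves 2^%d candidates" % (brute_force_space(8).bit_length() - 1))
```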