create a bitcoin service that wanted to provide an instant proof to a user of funds under administrator control, the user could send an arbitrary hash value to the server, which could then be signed by all the privkeys corresponding to all publicly controlled pubkeys.
Um? Couldn't an attacker just send a hash of a transaction, and thereby trick the service into signing the transaction so the attacker could steal the bitcoins?
No...the hash must be arbitrarily determined by the user requesting proof, or else an intercepted or purchased sig could be presented as one's own. BTC sigs include all relevant tx components, amount, time, rec add as well as the sha256 tx hash included in a valid msg sig. Attacker would have to derive a hash that produces the same sig as a valid tx w/o the privkey (probably harder than outright key forgery).
More likely someone would figure out a way to increment the arbitrary data in such a way the curve parameters are eventually revealed, which brings us back to the question of whether or not lots of sigs can be used to weaken a privkey's secrecy.
To blunt that possibility:
The server could just rehash the arbitrary user hash w/ random salt and transmit that...user informed of server's salt and algo rounds and thus verifies that response msg was generated by holder of privkeys containing crypto proof that sig incorporates user's challenge hash msg.
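The salted re-hash exchange described in the reply above, written out as an added example (not code from this thread or any service). It assumes Go's standard-library P-256 ECDSA as a stand-in for secp256k1, and the function names, domain tag, salt size and round count are all hypothetical choices; the point it shows is that the value signed is derived by the server and never equals the bytes the requester submitted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Domain tag mixed into every digest, so the signed value can never equal a transaction hash.
const domainTag = "proof-of-control-challenge/v1"
// Proof is the server's reply; Salt and Rounds let the user rebuild the signed digest.
type Proof struct {
	Salt   []byte
	Rounds int
	Sig    []byte // ASN.1 DER ECDSA signature over saltedDigest(challenge, Salt, Rounds)
}
// saltedDigest is what actually gets signed: SHA-256(tag || salt || prev), iterated rounds times.
func saltedDigest(challenge, salt []byte, rounds int) []byte {
	cur := challenge // the raw user-supplied value is never signed directly
	for i := 0; i < rounds; i++ {
		h := sha256.New()
		h.Write([]byte(domainTag))
		h.Write(salt)
		h.Write(cur)
		cur = h.Sum(nil)
	}
	return cur
}
// serverSign is the service side: fresh random salt, re-hash, sign with the control key.
func serverSign(priv *ecdsa.PrivateKey, challenge []byte) (Proof, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return Proof{}, err
	}
	// 64 rounds is an arbitrary constructed choice; it is published in the proof so the user can reproduce it
	sig, err := ecdsa.SignASN1(rand.Reader, priv, saltedDigest(challenge, salt, 64))
	return Proof{Salt: salt, Rounds: 64, Sig: sig}, err
}

// userVerify is the requester side: rebuild the digest, check the signature against the service key.
func userVerify(pub *ecdsa.PublicKey, challenge []byte, p Proof) bool {
	return ecdsa.VerifyASN1(pub, saltedDigest(challenge, p.Salt, p.Rounds), p.Sig)
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // stand-in for the service's key
	challenge := sha256.Sum256([]byte("constructed user challenge"))
	p, err := serverSign(priv, challenge[:])
	fmt.Println("err:", err, "verifies:", userVerify(&priv.PublicKey, challenge[:], p))
}
```

The user's check only passes when the signature covers the salted digest built from the user's own challenge, and the same signature does not verify against the raw challenge bytes.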