I am looking for guidance on implementing a protocol where a BLS private key is split into 2 out of 3 shares using Shamir's Secret Sharing, and signatures must be obtained without revealing the original message to the other parties.

Here's my current approach:

Alice has a BLS private key. She splits this private key into 3 shares, $s_a$, $s_b$, and $s_c$, using Shamir's Secret Sharing. Alice then sends Bob the share $s_b$, retaining $s_a$ and $s_c$ herself. Alice can forget the full private key as she can recover it at any time with $s_c$.

When Alice wants to sign a message $m$ under the original full private key, she signs it with her share $s_a$ and gets a partial signature $\text{sig}_a$. Alice needs Bob to sign the same message $m$ with $s_b$ to get another partial signature $\text{sig}_b$, and send it back to her. She then adds $\text{sig}_a$ and $\text{sig}_b$ to get the full signature $\text{sig}$, which is as if it has been signed by the full private key.

However, I am facing a problem. Alice doesn't want Bob to know the message $m$ she wants to sign. If she sends the plain text message $m$ to Bob for signing, Bob will know the content of the message.

I considered using Paillier encryption to encrypt the message $m$ with a public key, sending Bob the encrypted message $\text{enc}_m$. In this scenario, Bob would sign the encrypted message $\text{enc}_m$ with his share $s_b$, sending the partial signature $\text{sig}_{\text{enc}_m}$ back to Alice.

But I see another issue here. As Bob's partial signature $\text{sig}_{\text{enc}_m}$ is signed on the encrypted message, when Alice decrypts Bob's partial signature, she isn't necessarily getting what she expects, i.e., if I understood correctly, she won't get the partial signature of the raw message $m$ signed with Bob’s share $s_b$. Or will she?

How should I implement such a protocol while not revealing the message to Bob? Would this be even feasible to do so?

PS: I've used BLS here only because I'm not sure if ECDSA signature scheme would even be possible as I have read about its non-linear nature. If ECDSA is easier and more feasible, I'm happy to change.