> Party 1 never learns the final value of (R,s1+s2) or m.

Actually, it seems like a blinding step is missing. Assume the server (party 1)
received some c during the signature protocol. Can't the server scan the
blockchain for signatures, compute corresponding hashes c' = H(R||X||m) as in
signature verification and then check c == c'? If true, then the server has the
preimage for the c received from the client, including m.