Perhaps a possible solution is to generate a private key in the browser using an algorithm such as PBKDF2 or bcrypt operating against a public per-user salt and a high-entropy password. The private key is only kept in the client's memory long enough to sign something for the server.
This is not the best possible solution but I can't see how it would be worse than a compromised salt/bcrypt hash.
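A sketch of the scheme described in the comment above, added here as an example and not part of the original comment. It assumes PBKDF2-SHA256 as the stretching function, Ed25519 as the signature scheme, and Node.js's `crypto` module standing in for the browser so it runs offline; the function names, iteration count and sample password are all assumptions.

```javascript
const nodeCrypto = require('node:crypto');

// Assumed work factor; tune it to the slowest client you must support.
const PBKDF2_ITERATIONS = 200000;
// Fixed PKCS#8 header for an Ed25519 private key; the 32-byte seed follows it.
const PKCS8_ED25519_PREFIX = Buffer.from('302e020100300506032b657004220420', 'hex');

// Client side: stretch password + public per-user salt into an Ed25519 key.
function deriveSigningKey(password, salt) {
  const seed = nodeCrypto.pbkdf2Sync(password, salt, PBKDF2_ITERATIONS, 32, 'sha256');
  const der = Buffer.concat([PKCS8_ED25519_PREFIX, seed]);
  return nodeCrypto.createPrivateKey({ key: der, format: 'der', type: 'pkcs8' });
}

// Registration: the server stores only the salt and the public key.
function register(password) {
  const salt = nodeCrypto.randomBytes(16);
  const publicKey = nodeCrypto
    .createPublicKey(deriveSigningKey(password, salt))
    .export({ format: 'der', type: 'spki' });
  return { salt, publicKey };
}

// Client login: re-derive the key, sign the server's nonce, let the key go out of scope.
function signChallenge(password, salt, challenge) {
  return nodeCrypto.sign(null, challenge, deriveSigningKey(password, salt));
}

// Server login: check the signature against the stored public key.
function verifyLogin(record, challenge, signature) {
  const pub = nodeCrypto.createPublicKey({ key: record.publicKey, format: 'der', type: 'spki' });
  return nodeCrypto.verify(null, challenge, pub, signature);
}

function demo() {
  const password = 'correct horse battery staple'; // constructed sample value
  const record = register(password);
  const challenge = nodeCrypto.randomBytes(32); // server nonce, fresh for every login
  const good = signChallenge(password, record.salt, challenge);
  const bad = signChallenge('wrong password', record.salt, challenge);
  return {
    accepted: verifyLogin(record, challenge, good),
    wrongPassword: verifyLogin(record, challenge, bad),
    replayed: verifyLogin(record, nodeCrypto.randomBytes(32), good), // old signature, new nonce
  };
}

console.log(demo());
```

A stolen `{ salt, publicKey }` record still allows offline password guessing at the cost of one PBKDF2 run per guess, which is the same exposure as a leaked salted hash; the fresh nonce is what keeps a captured signature from being replayed.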