Understanding Blind Signatures by Ethan Heilman


Blind Signatures are a signature scheme which allows one party to sign a message without learning the message they signed.

History – Invented by David Chaum in 1982 for an early centralized digital currency called anonymous ecash.

This was an anonymous ecash that enabled a trusted party (like a bank) to issue and redeem coins without learning to whom these coins were spent.

How Non-Anonymous Ecash Works

How non-anonymous ecash works

How Anonymous Ecash Works

  1. Alice chooses a random serial number SN
  2. Alice blinds SN with a random number r (*)
    bSN = Blind(r, SN)
  3. Signer signs bSN to generate a blind signaure
    bσ = sign(SK, bSN)
  4. Alice unblinds the blind signature to a signature on SN
    σ = unblind(r, bσ)
how blind signature work in ecash
anonymous ecash example with bank, ecash, etc.

Blind Signatures – Unlinkability

Unlinkability – Any bSN (blinded serial number) can be unblinded to any other SN (serial number). Thus a bSN can not be linked to any SN.

This is only a description of RSA blind signatures, however there are many more blind signature schemes.

RSA Signatures

PK = (e,N)
SK = (d,N)
RSA(PK, x) = x^e(mod N)
RSA-1(SK, y) = y^d(mod N)

RSA-1 and RSA are inverses of each other:

RSA-1(SK, RSA(PK, x)) = ((x^e)^d) (mod N) = x


RSA-1(SK, Hash(m)) = Hash(m)^d (mod N) = σ


RSA(PK, σ) = σ^e (mod N) = (Hash(m)^d)^e (mod N) = Hash(m) (mod N)

Hidden RSA Signature

I’m so tired of typing these equations. Here’s a screenshot.

RSA blind signatures