Blind Signatures are a signature scheme which allows one party to sign a message without learning the message they signed.
History – Invented by David Chaum in 1982 for an early centralized digital currency called anonymous ecash.
This was an anonymous ecash that enabled a trusted party (like a bank) to issue and redeem coins without learning to whom these coins were spent.
How Non-Anonymous Ecash Works
How Anonymous Ecash Works
- Alice chooses a random serial number SN
- Alice blinds SN with a random number r (*)
bSN = Blind(r, SN)
- Signer signs bSN to generate a blind signaure
bσ = sign(SK, bSN)
- Alice unblinds the blind signature to a signature on SN
σ = unblind(r, bσ)
Blind Signatures – Unlinkability
Unlinkability – Any bSN (blinded serial number) can be unblinded to any other SN (serial number). Thus a bSN can not be linked to any SN.
This is only a description of RSA blind signatures, however there are many more blind signature schemes.
PK = (e,N) SK = (d,N) RSA(PK, x) = x^e(mod N) RSA-1(SK, y) = y^d(mod N)
RSA-1 and RSA are inverses of each other:
RSA-1(SK, RSA(PK, x)) = ((x^e)^d) (mod N) = x
RSA-1(SK, Hash(m)) = Hash(m)^d (mod N) = σ
RSA(PK, σ) = σ^e (mod N) = (Hash(m)^d)^e (mod N) = Hash(m) (mod N)
Hidden RSA Signature
I’m so tired of typing these equations. Here’s a screenshot.