## Introduction

Blind Signatures are a signature scheme which allows one party to sign a message without learning the message they signed.

**History** – Invented by David Chaum in 1982 for an early centralized digital currency called *anonymous ecash.*

This was an anonymous ecash that enabled a trusted party (like a bank) to issue and redeem coins without learning to whom these coins were spent.

### How Non-Anonymous Ecash Works

### How Anonymous Ecash Works

- Alice chooses a random serial number
**SN** - Alice blinds
**SN**with a random number**r**(*)**bSN = Blind(r, SN)** - Signer signs
**bSN**to generate a blind signaure**bσ = sign(SK, bSN)** - Alice unblinds the blind signature to a signature on
**SN****σ = unblind(r, bσ)**

## Blind Signatures – Unlinkability

Unlinkability – Any **bSN** (blinded serial number) can be unblinded to any other **SN** (serial number). Thus a **bSN** can not be linked to any **SN**.

This is only a description of RSA blind signatures, however there are many more blind signature schemes.

## RSA Signatures

```
PK = (e,N)
SK = (d,N)
RSA(PK, x) = x^e(mod N)
RSA-1(SK, y) = y^d(mod N)
```

RSA-1 and RSA are inverses of each other:

`RSA-1(SK, RSA(PK, x)) = ((x^e)^d) (mod N) = x`

Signing

`RSA-1(SK, Hash(m)) = Hash(m)^d (mod N) = σ`

Verification

`RSA(PK, σ) = σ^e (mod N) = (Hash(m)^d)^e (mod N) = Hash(m) (mod N)`

### Hidden RSA Signature

I’m so tired of typing these equations. Here’s a screenshot.