
Blind signature

A blind signature is a digital signature scheme in which a user can obtain a valid signature on a message from a signer without disclosing the message's content to the signer, ensuring the signer cannot link the signature to the specific message or user while maintaining standard signature verifiability on the unblinded original. Introduced by cryptographer David Chaum in 1982, the primitive relies on interactive protocols, typically built on public-key cryptosystems like RSA, where the user "blinds" the message by multiplying it with a random value raised to the signer's public exponent modulo the RSA modulus, submits the blinded version for signing, and then "unblinds" the resulting signature by multiplying it with the random factor's inverse. The core security properties, unforgeability and blindness, enable applications in privacy-focused systems, such as untraceable digital cash (e-cash) where a bank issues signed tokens without tracking spending, and anonymous credentials or voting protocols that prevent linkage of a signature to its holder. Chaum's original motivation was untraceable electronic payments that nonetheless prevent double-spending, influencing systems like DigiCash's eCash, though practical deployments have faced challenges from computational demands and evolving threats like quantum computing, spurring research into lattice-based or threshold variants. Despite these, blind signatures remain foundational for privacy-preserving protocols, with ongoing advancements focusing on efficiency and post-quantum security without compromising the unlinkability that defines the scheme.

History

Invention and early development

Blind signatures were invented by cryptographer David Chaum in 1982 to enable untraceable electronic payments, allowing a signer—such as a bank—to issue valid signatures on blinded messages without gaining knowledge of their content, thereby supporting user anonymity while preventing double-spending through serial number checks on unblinded signatures. Chaum detailed the concept in his paper "Blind Signatures for Untraceable Payments," presented at the CRYPTO '82 conference held August 23–25, 1982, in Santa Barbara, California, with proceedings published in 1983. The scheme adapted the RSA public-key cryptosystem, where a user blinds a message m by computing m' \equiv m \cdot r^e \pmod{N} using a random factor r, obtains the signature s' \equiv (m')^d \pmod{N} from the signer (who knows d but sees only m'), and unblinds by s \equiv s' \cdot r^{-1} \pmod{N} to yield s \equiv m^d \pmod{N}, preserving signature validity without revealing m. Chaum's innovation addressed limitations in prior electronic cash proposals by combining digital signatures with blinding to ensure payments could not be traced or linked by the issuer post-signing, a property formalized as "blindness" alongside completeness and unforgeability under the RSA assumption. He filed a patent application for blind signature systems in 1983, which was granted as U.S. Patent 4,759,063 in 1988, covering methods for generating and verifying such signatures in payment contexts. Early development progressed toward practical deployment when Chaum founded DigiCash Inc. in late 1989 to commercialize blind signature-based electronic cash, marking the transition from theoretical primitive to a system for anonymous micropayments over networks. DigiCash's eCash protocol extended Chaum's 1982 design by incorporating cut-and-choose techniques for observer detection, with initial trials demonstrating small-value transfers by 1994, though widespread adoption faced regulatory and market hurdles.

Adoption in electronic cash systems

Blind signatures enable anonymous electronic cash (e-cash) systems by allowing users to obtain digitally signed "coins" from a bank without revealing their serial numbers or identities, thus preventing transaction tracing while permitting double-spending detection upon deposit. In such protocols, a user generates a blinded message containing a unique coin serial number, which the bank signs without knowledge of its content; the user then unblinds the signature to obtain a valid, untraceable coin for spending with merchants, who verify the signature before accepting it. The bank later checks deposited coins against a database of issued serials to enforce uniqueness, maintaining overall system integrity without compromising payer anonymity. This mechanism, first detailed by David Chaum in 1983, addressed key challenges in digitizing cash-like privacy and unforgeability. The primary commercial adoption occurred through DigiCash, founded by Chaum in 1990, which implemented blind signatures in its eCash protocol, launched for pilot testing in 1994. eCash facilitated small-value anonymous payments via software wallets integrated with partner banks, such as Mark Twain Bank, enabling the first recorded electronic payment on May 27, 1994, between a Dutch customer and a vendor. Despite technical viability—processing millions of low-value transactions in trials across the Netherlands, Sweden, and the U.S.—adoption remained limited due to merchant reluctance, insufficient network effects, and banks' concerns over regulatory compliance and money laundering risks, which undermined the privacy features central to the design. DigiCash's bankruptcy in July 1998 marked the end of significant e-cash efforts reliant on blind signatures, with assets sold amid cash flow shortages and a failure to scale beyond niche applications.
Subsequent research explored variants like group blind signatures for multi-bank e-cash, but no other systems achieved comparable real-world deployment, highlighting barriers such as centralized trust dependencies and competition from traceable alternatives like credit cards. While DigiCash demonstrated the feasibility of blind signature-based anonymity, its commercial shortcomings stemmed more from institutional resistance and market timing than cryptographic flaws.

Formal definition

Protocol overview

A blind signature protocol is an interactive cryptographic procedure between a user (requester) and a signer, enabling the signer to generate a valid digital signature on a user-chosen message without gaining knowledge of the message content. The signer holds a key pair from a secure underlying digital signature scheme, typically resistant to chosen-message attacks, consisting of a public verification key pk and a private signing key sk. The user provides a message m for signing while preserving privacy, which is essential for applications requiring unlinkability between issued signatures and their origins. The protocol proceeds in three main phases: blinding, signing, and unblinding. First, the user selects a random blinding factor r from a set that guarantees invertibility under the scheme's group operations and computes a blinded message m' as a function of m, r, and pk, randomizing m while preserving the structure needed for later reversal. The user transmits m' to the signer, who treats it as an ordinary message and computes the blinded signature s' using sk on m'. The signer returns s' without retaining or linking it to prior interactions. Finally, the user applies an unblinding operation to s' using r, yielding s, a valid signature on the original m verifiable under pk. This construction ensures the signer's output is computationally indistinguishable from signing a random message, providing information-theoretic or computational blindness depending on the scheme. Formally introduced by David Chaum in 1982, the protocol leverages homomorphic properties of the underlying scheme to compose blinding and unblinding as near-inverses around the signing operation, such that Unblind(Sign(Blind(m, r, pk), sk), r) ≡ Sign(m, sk). Completeness guarantees a correct signature if the user follows the protocol faithfully, while security properties like unforgeability limit the user to at most one valid signature per interaction. Implementations must address challenges such as ensuring r's randomness and handling modular inverses to prevent leakage or malleability attacks.

Blinding and unblinding process

In the RSA-based blind signature protocol, the blinding process begins with the user selecting a message m and a random blinding factor r that is coprime to the signer's modulus N. The user computes the blinded message m' as m' \equiv m \cdot r^e \pmod{N}, where e is the signer's public exponent. This operation multiplicatively masks m using the homomorphic properties of RSA modulo N, ensuring the signer cannot discern the original content. The blinded message m' is then submitted to the signer, who applies the standard RSA signing function without knowledge of r or m, producing the blinded signature s' \equiv (m')^d \pmod{N}, where d is the signer's private exponent satisfying e \cdot d \equiv 1 \pmod{\phi(N)}. This step leverages the RSA trapdoor permutation, where the signer effectively raises the input to the power d modulo N. Unblinding occurs when the user recovers the valid signature on m by multiplying the received s' by the modular inverse of r: s \equiv s' \cdot r^{-1} \pmod{N}. Substituting the expressions yields s \equiv (m \cdot r^e)^d \cdot r^{-1} \equiv m^d \cdot r^{ed} \cdot r^{-1} \equiv m^d \pmod{N}, since r^{ed} \equiv r \pmod{N} by Euler's theorem and the relation ed \equiv 1 \pmod{\phi(N)}. This process preserves the correctness of the signature while concealing the message from the signer during issuance. The protocol assumes the user interacts honestly in unblinding and that r is chosen uniformly at random from \{1, \dots, N-1\} excluding multiples of the primes factoring N, to ensure invertibility. In practice, implementations may include additional checks, such as the signer verifying that m' lies in the expected range or subgroup to mitigate certain attacks, though the core blinding-unblinding relies on the algebraic structure of RSA.
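The blinding, signing and unblinding steps above, run end to end in Python as an added example (this code is not from the page, from Chaum's paper, or from any DigiCash implementation). The 61 × 53 key is a constructed toy so that the blindness check can enumerate every unit modulo N; the function names (`choose_blinding_factor`, `blinded_values_cover_all_units`, and so on) are this example's own.

```python
import secrets
from math import gcd

# Toy RSA key pair, constructed for illustration only (61 and 53 are far too small for real use).
P, Q = 61, 53
N = P * Q                     # 3233
PHI = (P - 1) * (Q - 1)       # 3120
E = 17                        # public exponent, coprime to PHI
D = pow(E, -1, PHI)           # private exponent: E * D == 1 (mod PHI)


def choose_blinding_factor(n: int) -> int:
    """User: draw r uniformly from [1, n-1] and retry until gcd(r, n) == 1,
    so that r is invertible modulo n and the blinded signature can be unblinded."""
    while True:
        r = secrets.randbelow(n - 1) + 1
        if gcd(r, n) == 1:
            return r


def blind(m: int, r: int, e: int = E, n: int = N) -> int:
    """User: m' = m * r^e (mod n)."""
    return (m * pow(r, e, n)) % n


def sign_blinded(m_blinded: int, d: int = D, n: int = N) -> int:
    """Signer: s' = (m')^d (mod n). The signer sees neither m nor r."""
    return pow(m_blinded, d, n)


def unblind(s_blinded: int, r: int, n: int = N) -> int:
    """User: s = s' * r^{-1} (mod n)."""
    return (s_blinded * pow(r, -1, n)) % n


def verify(m: int, s: int, e: int = E, n: int = N) -> bool:
    """Anyone: a valid signature satisfies s^e == m (mod n)."""
    return pow(s, e, n) == m % n


def blind_signature_round(m: int) -> tuple:
    """Run one full interaction; return (signature on m, the value the signer actually saw)."""
    r = choose_blinding_factor(N)
    m_blinded = blind(m, r)
    s_blinded = sign_blinded(m_blinded)
    return unblind(s_blinded, r), m_blinded


def blinded_values_cover_all_units(m: int, e: int = E, n: int = N) -> bool:
    """Blindness check on the toy modulus: as r ranges over the units of Z_n, m * r^e ranges
    over every unit exactly once, so one blinded value carries no information about m."""
    units = {x for x in range(1, n) if gcd(x, n) == 1}
    return {blind(m, r, e, n) for r in units} == units


if __name__ == "__main__":
    message = 1234                                  # constructed sample message, 0 < m < N
    sig, seen_by_signer = blind_signature_round(message)
    print("signature", sig, "verifies:", verify(message, sig))
    print("signer saw", seen_by_signer, "instead of", message)
    print("blinding covers all units:", blinded_values_cover_all_units(message))
```

Because r^e is a permutation of the units modulo N, the unblinded signature equals m^d mod N whatever r was chosen, which is why the test below can compare it with a direct RSA signature.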

Security properties

Blindness

Blindness, a core property of blind signature schemes, ensures that the signer obtains no information about the message content during the signing process and cannot link a produced signature to the specific interaction that generated it. This property prevents the signer from tracing or correlating signatures to original messages, which is essential for privacy-preserving applications like untraceable payments. Formally, blindness is captured by an indistinguishability experiment involving a malicious signer adversary. The adversary selects two distinct messages m_0 and m_1 and engages in a signing session with a simulator acting as an honest user; the simulator blinds and presents one of the messages (chosen randomly) to the adversary for signing. After receiving the blinded signature and unblinding it internally, the simulator returns the valid signature on the chosen message to the adversary, who must then guess the bit indicating which message was signed. A scheme is blind if no probabilistic polynomial-time adversary succeeds with advantage greater than negligible over 1/2. In David Chaum's original RSA-based blind signature scheme from 1983, blindness is achieved through multiplicative blinding: the user computes a blinded message m' \equiv m \cdot r^e \pmod{N} for random r, which the signer processes as s' \equiv (m')^d \pmod{N}; unblinding yields s \equiv s' \cdot r^{-1} \pmod{N} \equiv m^d \pmod{N}. Since r^e \pmod{N} is uniformly distributed over the units modulo N for uniformly random invertible r, the signer's view of m' reveals no information about m, providing statistical blindness under the assumption that the RSA modulus N hides the blinding factor effectively. More recent analyses distinguish between "message hiding" (the signer learns nothing of the message) and "unlinkability" (the signer cannot link a signature to a session), noting that standard blindness definitions encompass both, though some schemes may separate them for partially blind variants.
Security proofs for blindness in specific constructions often rely on the underlying hard problem, such as RSA inversion or the discrete logarithm, with reductions showing that breaking blindness implies solving the problem. In practice, implementations must avoid malleability issues or side-channel leaks that could compromise this property, as raw blinding without hashing can enable forgery despite blindness holding.

Unforgeability and completeness

Completeness, or correctness, in a blind signature scheme ensures that if both the user and signer follow the protocol honestly, the user obtains a valid signature on the intended message with overwhelming probability upon successful completion. Formally, for a scheme with key generation G, signing S, user U, and verification V, whenever the signer outputs "success" and the user produces a signature \sigma on message m, the check V(PK, m, \sigma) = 1 holds except with probability negligible in the security parameter \lambda. This property derives from the correctness of the underlying digital signature primitive and the invertibility of the blinding factor, preserving the signature's validity after unblinding. Unforgeability prevents an adversary from generating valid signatures beyond those legitimately obtained via interaction with the signer. In the blind setting, it is defined such that no efficient adversary, after at most k successful interactions yielding k signatures, can produce more than k valid, distinct message-signature pairs that verify under the signer's public key, except with negligible probability. This holds even if the adversary impersonates the user or controls the blinding process. Security relies on the hardness of problems like RSA inversion (in the random oracle model for early schemes) or discrete logarithms in later constructions, where forging would imply solving the underlying assumption.

One-more unforgeability

One-more unforgeability requires that an adversary interacting with a legitimate signer in q blind signing sessions cannot output more than q valid, distinct message-signature pairs verifiable under the signer's public key, where the messages were chosen by the adversary but never revealed to the signer in unblinded form. This notion captures the challenge that the user controls message selection and unblinding, potentially enabling extraction of extra signatures through manipulation, unlike standard existential unforgeability in non-blind schemes. Formally, one-more unforgeability is defined via a game in which the adversary, given the public key, performs q signing queries (possibly adaptively or in parallel), then outputs more than q pairs (m_i, \sigma_i) such that \sigma_i verifies on m_i for all i and the m_i are distinct; no probabilistic polynomial-time adversary succeeds except with negligible probability. The property addresses "one-more" risks, where even a single extra signature could enable attacks on e-cash systems, as each legitimate interaction should yield exactly one usable signature. Proofs of one-more unforgeability typically reduce to hard problems such as one-more RSA inversion, where producing q + 1 inversions from only q oracle queries would break the scheme's underlying assumption. For instance, in RSA-based blind signatures, one-more unforgeability holds in the full-domain hash random oracle model against adaptive adversaries, though early Chaumian schemes faced existential forgeries until refined variants. Violations of one-more unforgeability have been demonstrated in schemes like blind Schnorr or ECDSA adaptations via rogue-key or rewinding attacks, where an adversary reuses signing responses across blinded messages to forge extras, highlighting the need for careful protocol design. Modern constructions, such as those based on discrete logarithms or lattices, aim for polynomial-security variants of one-more unforgeability to mitigate query-scaling advantages in proofs.
This stronger guarantee ensures completeness (honest users obtain valid signatures) while binding output to the interaction count, distinguishing it from weaker notions or completeness alone.

Constructions

RSA-based blind signatures

The RSA-based blind signature scheme utilizes the homomorphic properties of RSA to allow a user to obtain a signature on a message without revealing its content to the signer. Introduced by David Chaum in his 1982 paper presented at CRYPTO '82, the protocol enables applications such as untraceable digital payments by ensuring the signer cannot link the signed output to the original input. The signer first generates an RSA key pair: a modulus N = pq where p and q are distinct large primes, a public exponent e coprime to \phi(N) = (p-1)(q-1), and a private exponent d satisfying ed \equiv 1 \pmod{\phi(N)}. The public key (N, e) is shared, while d remains secret. To obtain a signature on m (with 0 < m < N), the user selects a random blinding factor r such that \gcd(r, N) = 1 and 0 < r < N. The user computes the blinded message m' \equiv m \cdot r^e \pmod{N} and sends m' to the signer. The signer, treating m' as an ordinary message, computes the blinded signature s' \equiv (m')^d \pmod{N} and returns it. The user then unblinds by calculating s \equiv s' \cdot r^{-1} \pmod{N}, where r^{-1} is the modular inverse of r modulo N. This s verifies as a standard RSA signature: s^e \equiv m \pmod{N}. Correctness holds because s' \equiv (m \cdot r^e)^d \equiv m^d \cdot r^{ed} \equiv m^d \cdot r \pmod{N} (since r^{ed} \equiv r \pmod{N} by Euler's theorem, given \gcd(r, N) = 1), so unblinding yields s \equiv m^d \pmod{N}. Blindness arises from the randomness of r^e \pmod{N}, which distributes m' uniformly when r has sufficient entropy, preventing the signer from distinguishing the underlying m. Unforgeability follows from the RSA assumption: forging a valid signature without the private key is as hard as inverting RSA. However, the basic scheme achieves only basic unforgeability; stronger notions like one-more unforgeability (resisting forgery of k signatures after obtaining k-1) require enhancements such as message hashing or salting, or zero-knowledge proofs, to mitigate attacks like those exploiting low-entropy blinding or signer exposure.
The scheme assumes the signer blindly signs without additional checks, which can introduce risks if implemented naively, such as vulnerability to chosen-message attacks without padding. Modern variants, as standardized in RFC 9474 (published October 2023), incorporate probabilistic signing with hash functions for appendix-based security, ensuring the signature verifies only for the original message hash.
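To show why RFC 9474-style variants hash before blinding, the following added example (not code from the page, from RFC 9474, or from any library) puts the textbook scheme beside a hashed one on a constructed toy key and checks the multiplicative relation that the text warns about. The `fdh` function is a stand-in for a full-domain hash and does not reproduce RFC 9474's PSS encoding; all names are this example's own.

```python
import hashlib
import secrets
from math import gcd

# Toy RSA key pair, constructed for this example (real deployments use 2048-bit or larger moduli).
P, Q = 65537, 65539
N = P * Q
E = 17
D = pow(E, -1, (P - 1) * (Q - 1))


def fdh(message: bytes, n: int = N) -> int:
    """Toy full-domain hash: SHA-256 reduced into Z_n. RFC 9474 uses a PSS encoding instead;
    this only stands in for the 'hash before blinding' step."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def random_unit(n: int = N) -> int:
    """Blinding factor r, rejection-sampled until gcd(r, n) == 1."""
    while True:
        r = secrets.randbelow(n - 1) + 1
        if gcd(r, n) == 1:
            return r


def signer(blinded: int, d: int = D, n: int = N) -> int:
    """Signer: reject out-of-range input, then sign the blinded value without seeing the message."""
    if not 0 <= blinded < n:
        raise ValueError("blinded message out of range")
    return pow(blinded, d, n)


def blind_sign_raw(m: int) -> int:
    """Textbook variant: the integer m itself is blinded and signed."""
    r = random_unit()
    return (signer((m * pow(r, E, N)) % N) * pow(r, -1, N)) % N


def blind_sign_hashed(message: bytes) -> int:
    """Hashed variant: H(message) is blinded and signed rather than the message."""
    r = random_unit()
    return (signer((fdh(message) * pow(r, E, N)) % N) * pow(r, -1, N)) % N


def verify_raw(m: int, s: int) -> bool:
    return pow(s, E, N) == m % N


def verify_hashed(message: bytes, s: int) -> bool:
    return pow(s, E, N) == fdh(message)


def raw_signatures_combine(m1: int, m2: int) -> bool:
    """Textbook RSA is multiplicative: s1 * s2 verifies on m1 * m2 (mod N) although the signer was
    never asked to sign that product. This is the malleability the text refers to."""
    s1, s2 = blind_sign_raw(m1), blind_sign_raw(m2)
    return verify_raw((m1 * m2) % N, (s1 * s2) % N)


def hashed_signatures_combine(m1: bytes, m2: bytes) -> bool:
    """With a hash in front, s1 * s2 would only verify on a message whose digest equals
    H(m1) * H(m2) mod N; the obvious candidate m1 || m2 does not satisfy that."""
    s1, s2 = blind_sign_hashed(m1), blind_sign_hashed(m2)
    return verify_hashed(m1 + m2, (s1 * s2) % N)


if __name__ == "__main__":
    coin = b"serial:0001"                       # constructed sample message
    print("hashed variant verifies:", verify_hashed(coin, blind_sign_hashed(coin)))
    print("raw signatures combine:", raw_signatures_combine(12345, 67890))
    print("hashed signatures combine:", hashed_signatures_combine(coin, b"serial:0002"))
```

The hashed variant keeps the blind-signing flow unchanged; only what is blinded differs, which is the design point behind the "signature verifies only for the original message hash" property mentioned above.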

Discrete logarithm-based schemes

Discrete logarithm-based blind signature schemes operate in a cyclic group G of prime order q generated by g, where the hardness of computing discrete logarithms ensures security. The signer's private key is x \in \mathbb{Z}_q, with public key y = g^x. These schemes typically involve the user blinding a message (or its hash) before sending it to the signer, by multiplying it with a random group element or the public key raised to a random exponent, allowing the signer to produce a response on the blinded input without learning the message, followed by the user's unblinding step to recover a valid signature. Security proofs often rely on the one-more discrete logarithm assumption, where an adversary cannot solve multiple DL instances even after receiving solutions to related instances, frequently in the random oracle model. A foundational construction, introduced by Camenisch, Piveteau, and Stadler in 1994, presents two protocols. The first adapts a DSA variant: the user forms a blinded hash commitment r' = (g^k \cdot H(m)^b \mod p) \mod q using random k, b and sends it along with the higher bits; the signer computes s' = k_s^{-1} (H' + x r') \mod q on the blinded r', where k_s is the signer's ephemeral key; the user unblinds s = s' \cdot b^{-1} \mod q and adjusts r = r' \cdot b^{-1} \mod q to obtain (r, s) verifying under DSA rules. The second scheme draws from a DL-based identification protocol akin to Guillou-Quisquater: the user blinds a message identity assertion with a random pad, the signer verifies and responds with a private-key exponentiation in the group, and unblinding extracts the signature via modular inverse of the pad. Both achieve computational blindness under the DL assumption, with the DSA variant susceptible to specific attacks if parameters are weak, as noted in subsequent cryptanalysis. The blind Schnorr scheme, extending the 1988 Schnorr protocol, provides an efficient alternative.
In its interactive form, the signer selects a nonce k \in \mathbb{Z}_q and sends the commitment R = g^k; the user chooses blinding factors \alpha, \beta \in \mathbb{Z}_q, forms the blinded commitment R' = R \cdot g^{\alpha} \cdot y^{\beta}, computes the real challenge c' = H(m \| R'), and sends the blinded challenge c = c' + \beta \bmod q to the signer; the signer answers with the ordinary Schnorr response s = k + c x \bmod q, exactly as it would in an identification run; the user unblinds to s' = s + \alpha \bmod q. The pair (c', s') is a standard Schnorr signature on m, because g^{s'} y^{-c'} = g^{k + cx + \alpha} \cdot y^{-c'} = R \cdot g^{\alpha} \cdot y^{c - c'} = R', so the verifier recomputes R' from (c', s') and checks c' = H(m \| R'). Blindness is perfect because the signer's view (R, c, s) is independent of the message: for any such transcript and any valid signature there is exactly one pair (\alpha, \beta) relating them. Unforgeability holds under the one-more discrete logarithm assumption. Elliptic curve discrete logarithm (ECDLP) variants, such as those proposed in 2013, map the protocols to elliptic curve groups for shorter keys and faster computation while preserving security levels equivalent to DL in finite fields; for example, blinding multiplies points by random scalars, with unblinding via scalar subtraction. Recent constructions enhance these to support concurrency and threshold signing without bilinear pairings, proving security directly from standard DL or computational Diffie-Hellman assumptions; the BZ scheme exemplifies efficiency, issuing signatures via two exponentiations in the group. These schemes enable applications requiring smaller signatures than RSA-based analogs but demand careful parameter selection to resist advances in DL solvers like index calculus.
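The blind Schnorr exchange as an added Python example, not taken from the page or from any of the papers it cites; the group is a constructed toy (a safe prime of about 41 bits found at import time, with g = 4 generating the order-q subgroup), and the helper names (`blind_schnorr_session`, `transcript_explains_signature`) are this example's own. Besides signing and verifying, it checks the perfect-blindness argument directly: a transcript from one session is algebraically consistent with the signature produced in a different session.

```python
import hashlib
import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases, deterministic for n below 3.3e24."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime_above(start: int) -> tuple:
    """Smallest safe prime p = 2q + 1 with prime q >= start; returns (p, q)."""
    q = start | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q


# Toy group, constructed for this example (real deployments use 256-bit curves or 2048-bit+
# MODP groups). g = 4 is a square modulo the safe prime p, so it generates the order-q subgroup.
P, Q = safe_prime_above(1 << 40)
G = 4


def challenge(m: bytes, R: int) -> int:
    """c = H(m || R), reduced into Z_q."""
    data = m + b"|" + R.to_bytes((P.bit_length() + 7) // 8, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def keygen() -> tuple:
    """Signer's key pair (x, y = g^x)."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def verify(y: int, m: bytes, sig: tuple) -> bool:
    """Ordinary Schnorr verification: recompute R' = g^s' * y^(-c') and check c' = H(m || R')."""
    c, s = sig
    R = (pow(G, s, P) * pow(y, (-c) % Q, P)) % P
    return c == challenge(m, R)


def blind_schnorr_session(x: int, y: int, m: bytes) -> tuple:
    """One interaction. Returns ((c', s'), (R, c, s)): the signature on m and the signer's view."""
    k = secrets.randbelow(Q - 1) + 1                            # signer: fresh nonce ...
    R = pow(G, k, P)                                             # ... and commitment, sent to user
    alpha, beta = secrets.randbelow(Q), secrets.randbelow(Q)     # user: blinding factors
    R_prime = (R * pow(G, alpha, P) * pow(y, beta, P)) % P       # user: blinded commitment
    c_prime = challenge(m, R_prime)                              # user: real challenge
    c = (c_prime + beta) % Q                                     # user: blinded challenge, sent to signer
    s = (k + c * x) % Q                                          # signer: response; never sees m, R', c'
    s_prime = (s + alpha) % Q                                    # user: unblinded response
    return (c_prime, s_prime), (R, c, s)


def transcript_explains_signature(y: int, transcript: tuple, sig: tuple) -> bool:
    """Perfect blindness: any valid transcript and any valid signature are linked by exactly one
    blinding pair (alpha, beta) = (s' - s, c - c'), so this returns True even when the signature
    came from a different session than the transcript."""
    R, c, s = transcript
    c_prime, s_prime = sig
    alpha, beta = (s_prime - s) % Q, (c - c_prime) % Q
    R_prime = (pow(G, s_prime, P) * pow(y, (-c_prime) % Q, P)) % P
    return (R * pow(G, alpha, P) * pow(y, beta, P)) % P == R_prime


if __name__ == "__main__":
    x, y = keygen()
    sig_a, view_a = blind_schnorr_session(x, y, b"vote:A")      # constructed sample messages
    sig_b, view_b = blind_schnorr_session(x, y, b"vote:B")
    print("A verifies:", verify(y, b"vote:A", sig_a))
    print("session A explains signature B:", transcript_explains_signature(y, view_a, sig_b))
```

The signer's code path is the plain Schnorr identification response; all blinding happens on the user side, which is what makes the signer's transcript uninformative.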

Post-quantum constructions

Post-quantum blind signatures are cryptographic protocols designed to resist attacks from quantum computers, which can efficiently solve the integer factorization and discrete logarithm problems underlying classical schemes like RSA and its discrete-logarithm-based variants using quantum algorithms. These constructions typically rely on alternative hardness assumptions, such as lattice problems or code-based primitives, presumed secure against both classical and quantum adversaries. Early efforts focused on adapting standard post-quantum digital signatures into blind variants, often in the random oracle model, to achieve properties like blindness and one-more unforgeability. Lattice-based schemes dominate due to their versatility and alignment with NIST's post-quantum efforts. A 2023 construction provides a two-round protocol based on the hardness of the Ring/Module Short Integer Solution (SIS), Learning With Errors (LWE), and related lattice problems, yielding compact signatures suitable for applications with communication costs under 10 KB for 128-bit security. This scheme achieves round-optimality and full blindness without relying on non-standard assumptions, outperforming prior lattice-based blind signatures in efficiency. Extensions include variants for distributed signing, as in a 2025 lattice-based threshold blind signature supporting up to 100 parties while maintaining unforgeability under the SIS assumption. Variants built on signature frameworks like BLISS incorporate bimodal Gaussian sampling for efficiency, ensuring statistical zero-knowledge proofs of blindness with signature sizes around 5-10 KB. These schemes prove secure in the random oracle model against quantum polynomial-time adversaries, though practical implementations face challenges from larger parameter sizes compared to classical counterparts. Code-based constructions offer an alternative, leveraging the hardness of decoding random linear codes or matrix equivalence problems. A 2025 scheme uses the Matrix Equivalence Digital Signature (MEDS) group action to build a blind signature with signatures under 2 KB, proven secure under the quasi-cyclic moderate-density parity-check code assumption in the random oracle model.
This approach avoids lattices' module structure vulnerabilities and supports efficient verification, though key generation remains computationally intensive. Hybrid and compilation techniques further expand options. A compiler from 2025 transforms any post-quantum hash-and-sign signature (e.g., those based on NIST's CRYSTALS-) into a blind scheme via blinding factors and zero-knowledge proofs, ensuring blindness by construction without altering the underlying signature's quantum resistance. Similarly, lattice adaptations yield proxy blind signatures for identity-based settings, using lattice matrix cascades for 256-bit security levels with signing times under 1 second on standard hardware. These methods highlight ongoing progress, but all post-quantum blind signatures incur overheads in size and rounds, limiting deployment in resource-constrained environments until optimized parameters mature.

Applications

Digital cash and micropayments

Blind signatures enable anonymous digital cash systems by allowing users to obtain signatures on payment tokens without revealing their content to the issuer, preserving user privacy while permitting the issuer to verify validity upon redemption. In the protocol introduced by Chaum in 1982, a user generates a random serial number as the coin's identifier, blinds it using a random factor, and submits the blinded message to the bank, which signs it without knowledge of the underlying serial. Upon unblinding, the user receives a valid signature on the original serial, which can be spent with merchants who deposit it back to the bank for verification; the bank checks for double-spending by ensuring the serial has not been previously redeemed, but cannot link the withdrawal to the deposit due to blindness. This mechanism underpinned DigiCash's eCash system, launched commercially in 1994 after Chaum founded the company in 1989, facilitating untraceable online payments through partner financial institutions, which handled about 29,000 transactions before the system's discontinuation. eCash supported denominations from $0.01 to $10, with users withdrawing blinded coins via software on Windows or Mac, spending them anonymously at participating merchants, and relying on the bank's online double-spend database rather than full blockchain verification. The system's failure stemmed from limited merchant adoption, competition from credit cards, and DigiCash's bankruptcy in 1998, despite technical success in delivering anonymity superior to traceable alternatives like credit cards. For micropayments—small-value transactions often infeasible due to processing fees—blind signatures facilitate efficient, private protocols by minimizing on-chain or bank interactions; users can batch multiple blinded micro-coins for signing, reducing overhead while maintaining unlinkability.
Schemes like those extending Chaum's model incorporate one-time pads or chains to further deter double-spending in high-volume scenarios, ensuring merchants receive fair compensation without tracing user spending patterns. Such applications remain relevant in privacy-focused layers atop blockchains, where blind signatures prevent linkage across low-fee transactions, though challenges persist without trusted issuers.

Anonymous voting and authentication

Blind signatures facilitate anonymous voting by allowing a voter to receive a digital signature attesting to their eligibility without disclosing the vote's content to the signing authority. In such protocols, the voter selects a random blinding factor, applies it to a blinded version of their vote or a commitment to it, and submits this to a trusted authority (e.g., a registration authority) for signing. Upon receiving the signed blinded message, the voter removes the blinding factor to obtain a valid signature on the original vote, which can then be verified by a tallying authority to confirm eligibility and prevent double-voting, while the signer's ignorance of the vote preserves ballot secrecy. This approach has been integrated into e-voting systems, such as those using blockchains for tamper-resistant tallying, where blind signatures ensure one valid vote per authenticated participant without linking identities to choices. Practical implementations include Vocdoni's voting protocol, which employs blind signatures alongside a Census to verify voter eligibility in decentralized elections, enabling participants to prove inclusion without revealing their identity. Similarly, pairing-based blind signature schemes have been proposed for e-voting, combining them with additional signatures to achieve verifiability and forgery resistance, as demonstrated in formal models where the scheme resists forgery even under adaptive attacks. These mechanisms address key challenges in remote e-voting, such as ensuring receipt-freeness and security against collusion between authorities, though they require careful parameter selection to mitigate risks like signer compromise. In anonymous authentication, blind signatures enable users to obtain credentials or tokens from an issuer without revealing the underlying attributes or context, supporting privacy-preserving access control. For instance, a user blinds a token encoding their eligibility (e.g., membership) and receives a signature, which, after unblinding, serves as proof to a verifier without linking it back to the issuance process.
This is foundational in protocols like Privacy Pass, where blind signatures allow clients to redeem signed tokens for anonymous website access or CAPTCHA exemptions, preventing issuers from tracking usage patterns across sessions. Threshold variants extend this to distributed settings, distributing signing keys among multiple parties to issue credentials resilient to single-point compromises, as in decentralized anonymous authentication for devices. Such applications maintain unforgeability through cryptographic assumptions like the hardness of RSA inversion or discrete logarithms, but demand concurrent security proofs to counter parallel signing attacks in multi-user scenarios.

Blockchain privacy protocols

Blind signatures enable privacy in blockchain protocols by permitting a signer—such as a mixer operator or credential authority—to authenticate blinded data without revealing its contents, thereby keeping the signed output unlinkable to the user's activity on the public ledger. In coin mixing services, users blind coin ownership proofs or withdrawal requests before submission; the mixer signs the blinded input, and the user unblinds it to receive unmarked output coins, severing traceability between inputs and outputs to enhance privacy against chain analysis. This approach, rooted in Chaum's original design, has been adapted for cryptocurrencies where full zero-knowledge proofs are computationally intensive, though it introduces reliance on the signer's honesty to avoid over-issuance. Threshold variants distribute signing across multiple nodes, reducing trust in any single entity for decentralized mixing. A 2024 Paillier-derived blind signature scheme supports threshold systems by allowing a quorum of signers to collectively sign blinded messages, applicable to privacy-preserving oracles or distributed mixers, with security proven under the composite residuosity assumption. Such protocols mitigate centralization risks while enabling selective unlinkability, as demonstrated in simulations showing resistance to up to t < n/2 corrupted signers, where n is the total number of signers. In commit-chain architectures—off-chain scaling solutions settling periodically on main chains—blind signatures obscure commitment details during interactive phases, preventing eavesdroppers from linking user actions across sessions. A June 2024 proposal integrates blind signatures into commit-chains to counter linkage via timing or value correlations, achieving provable privacy under a formal security model while maintaining chain validity through verifiable unblinding. Lattice-based constructions extend this to post-quantum settings, supporting efficient signing for Bitcoin-compatible mixers with signature sizes under 10 KB and signing times below 1 second on standard hardware, as benchmarked in 2019 implementations.

Limitations and risks

Vulnerabilities in classical schemes

In RSA-based blind signature schemes, a notable weakness occurs when the public exponent e shares common factors with \phi(N), where N is the RSA modulus and \phi is Euler's totient function; this compromises blinding, enabling a malicious signer to deduce message bits from the e-th residue classes of the blinded input. Protocols such as RSA-BSSA address this by requiring zero-knowledge proofs of \gcd(e, \phi(N)) = 1 or incorporating salts to randomize interactions, ensuring statistical blindness even against adaptive adversaries. Without these safeguards, the scheme reduces to a blind token mechanism but fails full blindness, as demonstrated in analyses of Chaum's original full-domain variant. These schemes further depend on the one-more RSA inversion assumption, under which an adversary interacting to obtain q valid signatures cannot produce a verifiable (q+1)-th signature on an arbitrary message; while no polynomial-time classical attacks succeed against padded instances like FDH-RSA or PSS-RSA, unpadded or deterministically signed variants expose malleability, allowing adversaries to multiply blinded message-signature pairs to forge unintended valid outputs due to RSA's homomorphic properties. Security proofs hold in the random oracle model, but deviations—such as short hash outputs or inadequate padding—elevate forgery probabilities to non-negligible levels, bounded by factors like \Theta(t_A^2(k) \cdot 2^{-8hLen}) where t_A(k) denotes adversary queries and hLen the hash length in bytes. Discrete logarithm-based blind signatures, exemplified by Schnorr variants, suffer from subliminal channels in transcripts; malicious signers or intermediary devices can exploit elements like commitments R and challenges c for covert Diffie-Hellman key exchanges, embedding traceable data that links blinded interactions to original messages and erodes unlinkability, even in audited black-box settings.
Concurrent or parallel executions amplify risks, enabling one-more forgeries where adversaries extract extra signatures beyond issued ones via interactive reductions, particularly if the one-more assumption falters in multi-session scenarios without random oracles or setup assumptions. These issues persist across extensions like Tessaro-Zhu schemes, where additional randomness vectors widen channel capacities.

Implementation challenges

Implementations of blind signatures, particularly RSA-based variants, demand rigorous cryptographic practice to mitigate risks inherent in the protocol's interactive nature and its reliance on fresh randomness. A primary challenge is ensuring that the blinding factor r is coprime to the RSA modulus N: a non-coprime r has no inverse, so unblinding fails, and mishandling such values may expose factorization attempts; protocols therefore require rejection sampling to generate uniform r until \gcd(r, N) = 1, adding computational overhead. Cryptographically secure random number generators are essential for r and salts; failures produce predictable blinds that compromise blindness or enable forgery. Blinding must be applied to the hash of the message rather than the raw message to avert existential forgeries and one-more attacks; full-domain hashing (FDH) or probabilistic schemes (e.g., PSS) with secure hashes like SHA-384 are mandated, since insecure hashing lets adversaries forge signatures by manipulating blinded inputs. Low-entropy messages exacerbate inference risks for signers, necessitating randomized message preparation (e.g., salting) that obscures message content without altering verifiability. The protocol's efficiency is strained by repeated large-integer operations: users compute r^e \mod N, signers perform the costly private-key exponentiation (m')^d \mod N (which is exposed to high-volume denial-of-service), and users unblind with a modular inversion. For 3072-bit moduli providing 128-bit security, signatures exceed 384 bytes, dwarfing elliptic curve alternatives and amplifying bandwidth and storage demands in scalable applications. Side-channel attacks pose acute threats during signing, as the blinded exponentiation can leak private-key information through timing, power, or fault behaviour; countermeasures such as blinding, constant-time arithmetic, and signature verification are required, yet add further complexity and performance penalties. Using distinct keys per protocol variant (per FIPS 186-5) prevents cross-protocol key-reuse vulnerabilities but enforces stricter key management than standard signatures.
Overall, these factors leave classical implementations both outside post-quantum security and prone to misconfiguration, underscoring the need for audited libraries over custom code.
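As an added example (not code from this page, RFC 9474 or any cited project), the toy Python below runs Chaum's RSA blind-signature protocol with the checks the two preceding sections call for: the signer refuses a key whose e shares a factor with \phi(N), the user rejection-samples r until \gcd(r, N) = 1, and blinding is applied to a full-domain hash of the message rather than the raw message; it also contrasts the unpadded variant, where a product of two signatures verifies for the product of the two messages, with the hashed variant, where it does not. The Mersenne primes, the SHA-384-based hash and the message strings are constructed here and are far too small for real use.

```python
import hashlib
import math
import secrets

# Constructed toy parameters (Mersenne primes); far too small for real use.
P = 2**61 - 1
Q = 2**89 - 1
E = 65537

def key_is_usable(p: int, q: int, e: int) -> bool:
    """Blindness needs gcd(e, phi(N)) == 1; otherwise e-th residues leak message bits."""
    return math.gcd(e, (p - 1) * (q - 1)) == 1

def keygen(p: int = P, q: int = Q, e: int = E):
    """Return (N, e, d), refusing a key that would break blindness."""
    if not key_is_usable(p, q, e):
        raise ValueError("e must be coprime to phi(N)")
    phi = (p - 1) * (q - 1)
    return p * q, e, pow(e, -1, phi)

def fdh(msg: bytes, n: int) -> int:
    """Simplified full-domain hash: SHA-384 reduced into Z_N (toy, not the RFC 9474 encoding)."""
    return int.from_bytes(hashlib.sha384(msg).digest(), "big") % n

def blinding_factor(n: int) -> int:
    """Rejection-sample r from a CSPRNG until gcd(r, N) == 1, so r^{-1} mod N exists."""
    while True:
        r = secrets.randbelow(n - 2) + 2
        if math.gcd(r, n) == 1:
            return r

def blind(h: int, n: int, e: int):
    """User: m' = H(m) * r^e mod N; returns the blinded value and the secret r."""
    r = blinding_factor(n)
    return (h * pow(r, e, n)) % n, r

def sign_blinded(m_blind: int, n: int, d: int) -> int:
    """Signer: s' = (m')^d mod N, a private-key exponentiation on data it cannot read."""
    return pow(m_blind, d, n)

def unblind(s_blind: int, r: int, n: int) -> int:
    """User: s = s' * r^{-1} mod N."""
    return (s_blind * pow(r, -1, n)) % n

def verify(h: int, s: int, n: int, e: int) -> bool:
    """Anyone: s^e mod N must equal the (hashed) message representative."""
    return pow(s, e, n) == h

def blind_sign_message(msg: bytes, n: int, e: int, d: int) -> int:
    """Full FDH run: blind H(m), obtain the blinded signature, unblind it."""
    h = fdh(msg, n)
    m_blind, r = blind(h, n, e)
    return unblind(sign_blinded(m_blind, n, d), r, n)

def raw_scheme_malleable(m1: int, m2: int, n: int, e: int, d: int) -> bool:
    """Unhashed variant: s1*s2 is a valid signature on m1*m2 (RSA is multiplicative)."""
    s1, s2 = pow(m1, d, n), pow(m2, d, n)
    return verify((m1 * m2) % n, (s1 * s2) % n, n, e)

def fdh_scheme_malleable(msg1: bytes, msg2: bytes, n: int, e: int, d: int) -> bool:
    """Hashed variant: s1*s2 signs H(m1)*H(m2), which matches no chosen message's hash."""
    s1 = blind_sign_message(msg1, n, e, d)
    s2 = blind_sign_message(msg2, n, e, d)
    return verify(fdh(msg1 + msg2, n), (s1 * s2) % n, n, e)

if __name__ == "__main__":
    n, e, d = keygen()
    sig = blind_sign_message(b"coin serial 0001", n, e, d)
    print("FDH blind signature verifies:", verify(fdh(b"coin serial 0001", n), sig, n, e))
    print("raw RSA variant malleable:", raw_scheme_malleable(123456789, 987654321, n, e, d))
    print("FDH variant malleable:", fdh_scheme_malleable(b"coin 1", b"coin 2", n, e, d))
```

The unblinded signature equals pow(H(m), d, N) computed directly, which is the point of the scheme: the signer produced an ordinary RSA signature on H(m) without ever seeing H(m).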

Societal and regulatory concerns

Blind signatures enable cryptographic protocols that preserve user anonymity in applications such as digital cash and private transactions, but this feature has prompted societal concerns over their potential to facilitate illicit activities, including money laundering and terrorism financing, by rendering transactions untraceable to authorities. Empirical evidence from physical cash usage, estimated by the United Nations Office on Drugs and Crime to account for up to 80% of black market transactions in some regions, suggests that scalable digital equivalents could amplify such risks if not counterbalanced by oversight mechanisms. Regulatory scrutiny intensified with early implementations like David Chaum's DigiCash system in the 1990s, which used blind signatures for anonymous e-cash but faced resistance from financial institutions and governments wary of undermining anti-money laundering (AML) frameworks, contributing to its bankruptcy in 1998 amid limited adoption and compliance hurdles. The Financial Action Task Force (FATF), in its 2020 guidance on virtual assets, identifies privacy-enhancing tools, including those achieving anonymity via blinding or mixing techniques, as red flags for money laundering, recommending enhanced due diligence and transaction monitoring to mitigate risks posed by untraceable flows. In modern contexts, protocols incorporating blind signatures for privacy, such as certain confidential transaction schemes, encounter similar pressures; exchanges have delisted privacy-focused assets under FATF's "Travel Rule" requirements, which mandate originator-beneficiary information sharing for transactions exceeding thresholds, reflecting a preference for traceable systems over fully anonymous ones to enable regulatory access. Proponents of "auditable privacy" argue for hybrid designs in which blind signatures include selective disclosure capabilities, as explored in recent pilots, to reconcile individual rights with societal needs for accountability in high-value or suspicious activities.
