# Blind Signature

## What it is

Sometimes it’s necessary to get data signed by a third party so that the signed data can be used in another context.

The simplest way to achieve this is to send over the data to the third party such that it gets signed. This however breaks privacy as the signer has access to the plaintext message.

Is there a way to mask the data so that it can still be signed by a third party without it knowing what gets signed?

As it turns out, this is possible via a primitive called “Blind Signature”.

## How it works

The following Blind Signature is based on BLS Signatures. It’s therefore useful to have a basic understanding of Elliptic Curve Pairings and BLS Signatures before reading on.

We’ll be working with an Elliptic Curve $E$ that is of order $q$ and has a generator $G$. All calculations are done $\bmod\ q$ if not stated otherwise.

There’s also a hash function $H$ as well as an Elliptic Curve Pairing:

$e: E_1 \times E_2 \rightarrow \mathbb{F}$

Here, $e$ is the pairing that maps two Elliptic Curve points $E_1$ and $E_2$ to an element in a finite field $\mathbb{F}$.

As a quick reminder, a BLS Signature is created by hashing the message $m$ and interpreting the result as a point on the Elliptic Curve. Once done, the signature $\sigma$ is created by multiplying the hashed message with the private key $x$:

$\sigma = xH(m)$

In the following example Alice wants to get a signature on her message $m$ from Bob without Bob knowing what the content of her message is.

The first step is for Bob to generate his private key $x$ that will later be used by him to generate a signature for Alice’s masked messaged. The private key is chosen by sampling a random value from $\mathbb{Z}_q$:

$x \overset{{\scriptscriptstyle\}}{\leftarrow} \mathbb{Z}_q$

Bob then derives his public key $X$ by multiplying the private key $x$ with the generator $G$:

$X = xG$

The public key can then be shared with Alice.

Next up, Alice generates a “nonce” (number used once) $r$ by randomly sampling an element from $\mathbb{Z}_q$:

$r \overset{{\scriptscriptstyle\}}{\leftarrow} \mathbb{Z}_q$

She’ll then derive the nonce’s public key $R$ by multiplying $r$ with the generator $G$:

$R = rG$

The tuple $(r, R)$ can be interpreted as an ephemeral key pair.

Once done, she hashes the message $m$ she wants to get signed by Bob using the hash function $H$. She also adds $R$ to the hashed value which results in the masked message $m'$:

$m' = H(m) + R$

The masked message $m'$ is sent to Bob for signing.

Bob creates an “almost signature” $\sigma'$ by multiplying $m'$ with his private key $x$ which he then sends back to Alice.

Alice can recover the real signature by computing:

$\sigma = \sigma' - rX$

This signature $\sigma$ can be verified using the BLS Signature verification check:

$e(H(m), X) \overset{?}{=} e(\sigma, G)$

## Why it works

Evaluating the expression we can see that the result is a valid BLS Signature:

\begin{aligned} \sigma &= \sigma' - rX \\ &= xm' - R \\ &= xH(m) + R - R \\ &= xH(m) + \cancel{R} - \cancel{R} \\ &= xH(m) \end{aligned}

Furthermore, thanks to the nonce $r$ Alice is using to mask the message $m$ and the fact that $r$ is sampled randomly, Bob can’t distinguish the masked message $m'$ from random noise which protects the original message $m$ from being seen in the clear.