Skip to content

Blind Signature

Table of contents

Open Table of contents

What it is

Sometimes it’s necessary to get data signed by a third party so that the signed data can be used in another context.

The simplest way to achieve this is to send over the data to the third party such that it gets signed. This however breaks privacy as the signer has access to the plaintext message.

Is there a way to mask the data so that it can still be signed by a third party without it knowing what gets signed?

As it turns out, this is possible via a primitive called “Blind Signature”.

How it works

The following Blind Signature is based on BLS Signatures. It’s therefore useful to have a basic understanding of Elliptic Curve Pairings and BLS Signatures before reading on.

We’ll be working with an Elliptic Curve EE that is of order qq and has a generator GG. All calculations are done mod q\bmod\ q if not stated otherwise.

There’s also a hash function HH as well as an Elliptic Curve Pairing:

e:E1×E2Fe: E_1 \times E_2 \rightarrow \mathbb{F}

Here, ee is the pairing that maps two Elliptic Curve points E1E_1 and E2E_2 to an element in a finite field F\mathbb{F}.

As a quick reminder, a BLS Signature is created by hashing the message mm and interpreting the result as a point on the Elliptic Curve. Once done, the signature σ\sigma is created by multiplying the hashed message with the private key xx:

σ=xH(m)\sigma = xH(m)

In the following example Alice wants to get a signature on her message mm from Bob without Bob knowing what the content of her message is.

The first step is for Bob to generate his private key xx that will later be used by him to generate a signature for Alice’s masked messaged. The private key is chosen by sampling a random value from Zq\mathbb{Z}_q:

x$Zqx \overset{{\scriptscriptstyle\$}}{\leftarrow} \mathbb{Z}_q

Bob then derives his public key XX by multiplying the private key xx with the generator GG:

X=xGX = xG

The public key can then be shared with Alice.

Next up, Alice generates a “nonce” (number used once) rr by randomly sampling an element from Zq\mathbb{Z}_q:

r$Zqr \overset{{\scriptscriptstyle\$}}{\leftarrow} \mathbb{Z}_q

She’ll then derive the nonce’s public key RR by multiplying rr with the generator GG:

R=rGR = rG

The tuple (r,R)(r, R) can be interpreted as an ephemeral key pair.

Once done, she hashes the message mm she wants to get signed by Bob using the hash function HH. She also adds RR to the hashed value which results in the masked message mm':

m=H(m)+Rm' = H(m) + R

The masked message mm' is sent to Bob for signing.

Bob creates an “almost signature” σ\sigma' by multiplying mm' with his private key xx which he then sends back to Alice.

Alice can recover the real signature by computing:

σ=σrX\sigma = \sigma' - rX

This signature σ\sigma can be verified using the BLS Signature verification check:

e(H(m),X)=?e(σ,G)e(H(m), X) \overset{?}{=} e(\sigma, G)

Blind Signature

Why it works

Evaluating the expression we can see that the result is a valid BLS Signature:

σ=σrX=xmR=xH(m)+RR=xH(m)+RR=xH(m)\begin{aligned} \sigma &= \sigma' - rX \\ &= xm' - R \\ &= xH(m) + R - R \\ &= xH(m) + \cancel{R} - \cancel{R} \\ &= xH(m) \end{aligned}

Furthermore, thanks to the nonce rr Alice is using to mask the message mm and the fact that rr is sampled randomly, Bob can’t distinguish the masked message mm' from random noise which protects the original message mm from being seen in the clear.