How do blind signatures work with RSA, and what is their main application?
Alice "blinds" a message by multiplying it with $r^e$ before Bob signs it. After receiving the blinded signature, Alice removes the blinding factor to obtain a valid signature on the original message — Bob never saw the message.
* Alice hides m behind a random r^e, the bank signs the disguised value, and the r^-1 unblinding leaves a genuine signature on m the bank never saw. *
The protocol:
- Alice chooses message $m$ and random blinding factor $r$
- Alice computes blinded message: $m' \equiv r^e \cdot m \mod N$
- Alice sends $m'$ to Bob (the signer)
- Bob signs: $s' \equiv (m')^d \mod N$
- Bob returns $s'$ to Alice
- Alice removes blinding: $s \equiv s' \cdot r^{-1} \mod N$
- Alice verifies: $m \equiv s^e \mod N$ ✓
Why it works (proof): $$\frac{s'}{r} = \frac{(m')^d}{r} = \frac{(r^e \cdot m)^d}{r} = \frac{r^{ed} \cdot m^d}{r} = \frac{r \cdot m^d}{r} = m^d = s$$
The factor $r^{ed} = r$ collapses because $ed \equiv 1 \bmod \varphi(N)$, so the blinding cancels cleanly and only the genuine signature $m^d$ remains.
Main application: Digital cash (e-cash)
- The message $m$ is a unique serial number for a digital coin
- The bank signs the coin without knowing its serial number → privacy
- The signed coin $(m, s)$ can be verified by anyone using the bank's public key
- When spent, the shop verifies the signature and the bank checks the serial number hasn't been used before (preventing double-spending)
Blind signatures are a classic, widely studied use of RSA's homomorphic property precisely because that one cancellation lets a signer certify content it is not allowed to see.
Go deeper:
Blind signature — the blind-RSA construction and its uses (e-cash, anonymous voting), with a step diagram.