True or false: "Blind signatures are a purely mathematical concept with no practical application."
False — blind signatures power digital cash (e-cash): a bank can sign a coin without seeing it, giving anonymous yet unforgeable electronic money.
* Withdraw (blind + sign), spend, deposit — and because the bank only ever saw the blinded coin, it can't link a spent coin to its withdrawal. *
The flagship application is digital cash. A customer "blinds" a coin's serial number before sending it to the bank, the bank signs the blinded value, and the customer unblinds to recover the bank's valid signature on the original coin — so the bank certifies a coin it never actually saw. That single trick delivers three of the properties digital money needs at once:
- Unforgeable — only the bank can produce valid signatures, so coins can't be counterfeited.
- Unlinkable (anonymous) — the bank can't connect a spent coin back to the withdrawal it came from.
- No double-spending — when a coin is presented, the bank checks its serial number hasn't been seen before.
A fourth, harder property — transferable, passing a coin between users like physical cash — is desirable but not automatic. This is not just theory: David Chaum's DigiCash implemented it in the 1990s, and modern systems such as GNU Taler use the same blind-signature principle; the idea also underpins anonymous voting and privacy-preserving authentication.
Go deeper:
Ecash — Chaum's DigiCash — how RSA blind signatures gave withdrawal/spend unlinkability in the first real anonymous digital cash.