Walk through a concrete example of a blind signature with RSA.
With public key (667, 9) and secret d=137: Alice blinds m=38 with r=63, sends m'=36. Bank signs s'=487. Alice unblinds to get s=283. Verification: $283^9 \equiv 38 \mod 667$ ✓.
Setup: Public key $(N, e) = (667, 9)$, Secret $d = 137$
Step 1 — Alice's message: $m = 38$ (the coin's serial number)
Step 2 — Blind: Choose $r = 63$ $m' \equiv 63^9 \cdot 38 \mod 667 = 36$
Step 3 — Send: Alice sends $m' = 36$ to the bank
Step 4 — Bank signs: $s' = 36^{137} \mod 667 = 487$
Step 5 — Bank returns: $s' = 487$
Step 6 — Alice unblinds: $s \equiv 487 \cdot 63^{-1} \mod 667$ $63^{-1} \equiv 180 \mod 667$ $s = 487 \cdot 180 \equiv 283 \mod 667$
Step 7 — Verify: $283^9 \equiv 38 \mod 667$ ✓
Step 8 — Spend: Alice pays with coin $(38, 283)$. Any shop can verify the bank's signature.
Key insight: The bank signed something (36) that looks nothing like the actual message (38). It has no idea what coin it signed — ensuring Alice's privacy.
Go deeper:
Blind signature — Blind RSA signatures — the same protocol in symbols, to check each step of this worked example against.