Blind and Threshold Blind Signatures

A blind signature scheme allows a user to obtain a valid signature on a message while ensuring that the signer learns nothing about the message. The user blinds the message, the signer signs the blinded value, and the user unblinds the response to obtain a valid signature on the original message. Importantly, the signer still retains full control over whether to participate in the protocol, it only gives up visibility into the message being signed.

At first glance, this functionality can seem counterintuitive or even dangerous: why would a signer want to sign a message whose contents it does not know? The key point is that blind signatures are not meant for arbitrary signing, but for settings where the signer wishes to certify properties of an interaction rather than the specific message being signed. Typical examples include digital cash, anonymous credentials, and voting systems, where the signer enforces rules such as rate limits, eligibility, or payment, but should not be able to link signatures to specific messages or users. In these settings, blindness is a feature, not a bug.

For an example of a real-world application of blind signatures, see our post on simple payment systems with unlinkability, where blind signatures are used to mint unlinkable payment tokens.

This post first defines blind signatures and a concrete BLS instantiation, then briefly reviews threshold BLS signatures, and finally shows how the two compose with minimal additional machinery.

Parties

Signer $S$ holds a public verification key $pk$ and a secret signing key $sk$.
User $U$ wishes to obtain a signature on a message $m$ without revealing $m$ to $S$.

Setup

$\mathsf{KeyGen}(1^\lambda)$ outputs a key pair $(pk, sk)$.
The public key $pk$ is available to all users. The secret key $sk$ is known only to the signer.

The blind signing functionality is defined by an interactive two-party protocol.

Formally, we write

\[\langle U(m), S(sk) \rangle \to \sigma,\]

to denote an interactive two-party protocol between a user $U$ with private input $m$ and a signer $S$ with private input $sk$. The execution produces an output $\sigma$ for the user. The signer need not obtain any output beyond its local transcript.

The protocol proceeds as follows.

The user samples randomness $\rho$ and computes a blinded value $C = \mathsf{Blind}(m; \rho)$.
The user sends $C$ to the signer.
The signer computes $R = \mathsf{Sign}(sk, C)$ and returns $R$.
The user computes $\sigma = \mathsf{Unblind}(R; \rho)$.

The functions $\mathsf{Blind}$ and $\mathsf{Unblind}$ are public and deterministic, all randomness comes from the input to $\mathsf{Blind}$.

Verification

$\mathsf{Verify}(pk, m, \sigma) = 1$ if and only if $\sigma$ is a valid signature on $m$ under $pk$.

Security Properties

Correctness ensures that honest executions yield valid signatures. Blindness ensures that the signer learns nothing about the signed message. One more unforgeability ensures that each interaction yields at most one usable signature.

Correctness

For all $(pk, sk)$ generated by $\mathsf{KeyGen}$, all messages $m$, and all randomness $\rho$, honest executions produce $\sigma$ such that $\mathsf{Verify}(pk, m, \sigma) = 1$.

Blindness

The signer cannot distinguish whether it interacted with $U(m_0)$ or $U(m_1)$ for any two messages of equal length, except with negligible advantage.

One More Unforgeability

After at most $q$ blind signing interactions, no probabilistic polynomial time adversary can output more than $q$ valid message signature pairs under the signer’s public key, except with negligible probability.

Let $G_1, G_2$ be groups of prime order $p$ with bilinear pairing $e : G_1 \times G_2 \to G_T$. Let $g \in G_2$ be a generator. Let $H : {0,1}^* \to G_1$ be a hash function modeled as a random oracle.

Key Generation

Sample $x \leftarrow \mathbb{Z}_p$ and set $sk = x$, $pk = g^x$.

Blind Signing

The user samples $r \leftarrow \mathbb{Z}_p$ and computes $C = H(m)^r$.
The signer computes $R = C^x$.
The user computes $\sigma = R^{1/r} = H(m)^x$.

Verification

Accept if $e(\sigma, g) = e(H(m), pk)$.

Correctness follows from bilinearity. Blindness follows since, for any fixed message $m$, the blinded value $C = H(m)^r$ is uniformly distributed over $G_1$ as $r$ ranges uniformly over $\mathbb{Z}_p$. In particular, even given $m$, the signer cannot distinguish $C$ from a random group element or link it to a specific execution.

One more unforgeability holds under the one more Diffie Hellman (OMDH) assumption in the random oracle model. Intuitively, this property says that each successful interaction with the blind signing protocol yields at most one usable signature: even an adversary that can adaptively interact with the signer many times cannot extract additional valid signatures “for free.”

For readers interested in formal definitions and proofs of one more unforgeability for blind and blind BLS signatures, see JN25.

Threshold BLS Signatures

In a threshold BLS signature scheme, the signing key $x$ is shared among $n$ parties using Shamir secret sharing, which uses a random degree $\le t$ polynomial. So the scheme has a reconstruction threshold of $t+1$. Party $i$ holds a share $x_i$ and produces a partial signature $\sigma_i = H(m)^{x_i}$. Any set of $t+1$ partial signatures can be combined using Lagrange interpolation to obtain $H(m)^x$. Security holds as long as at most $t$ signing parties are corrupt.

This construction and its properties are discussed in more detail in earlier posts on secret sharing and threshold cryptography, see the post on Shamir secret sharing and threshold BLS signatures.

Threshold blind BLS signatures combine the blinding mechanism described above with threshold BLS signing.

The user computes $C = H(m)^r$ as in the blind scheme.
Each signer holding $x_i$ returns a partial signature $C^{x_i}$.
From any $t+1$ responses, the user interpolates to obtain $C^x$ and unblinds to recover $H(m)^x$.

Blindness is inherited directly from the single signer blind scheme. Threshold robustness is inherited directly from threshold BLS. One more unforgeability follows by composition, since producing a usable signature still requires consuming a full threshold signing instance.