Implementing blind signature on ed25519
Blindsignature is a cryptographic scheme that allows creating signature on a encrypted message that is also valid on the decrypted message. This powerful scheme enables many anonimization systems to exists. To build the intuition, the process of blindsignature can be visualized as follows:
 Alice prepares a letter.
 Place it into an envelope along with a carbon paper.
 Bob signs the envelope.
 Alice takes out the signed letter from the envelope.
As a result, Bob learns nothing about the content of the letter, while Alice ends up with the letter signed by Bob.
Although this schema is widely known for RSA 1, it is hard to find it for other algorithms like EdDSA. In this post we will look at how to implement blind signature on ed25519.
Before we jump to equations, let’s recall some facts about ellipticcurves cryptography:

Elliptic Curve Cryptography (ECC) is defined over finite prime field, meaning that we are using modular arithmetic, so every time we perform addition or multilipaction we also need to perform $\pmod{p}$ for both x and y coordinates. Particullary, for Curve25519, $p = 2^{255}  19$.

We use uppercase letters for points on a curve, and lowercase for scalars.

G is publicly known point on a curve called generator or base point.

In ECC, private key is defined as scalar number, whereas public key is point on the curve.

Public key $P$ (point on a curve) can be derived from private key $s$ (scalar) by multiplying generator point $G$ by $s$, i.e., $P=G \times s$.

Multipling generator point $G$ by a scalar $n$ is the same as adding point $G$ to itself $n$ times.
Let’s assume a voting process where Alice is a voter, and Bob is an authorization person who signs ballotpapers and hence, authorizing them. Since Alice doesn’t want to disclose her vote option to Bob, they proceed with blind signature protocol.
Let:
 P be a Bob’s public key,
 H be a secure hash function (like, SHA512),
  be a concatendation operator,
 M be a message we want to sign blindly.
The process of signing blindly is interactive and consist of four steps, starting from Bob:

Bob generates random number (nonce) $k$ in range $(1, q1)$, computes $$r=k \times G (mod\ p)$$ and sends $r$ to Alice.

Alice picks two random numbers $a$ and $b$ in the range $(1, q1)$, use them to compute challenge number $e$, $$\begin{aligned} R’ &= r \times (a \times G) \times (b \times P) \pmod{p} \\ e’ &= H(R’ P  M) \\ e &= e\prime + b \pmod{q} \end{aligned}$$ and sends $e$ to Bob .

Bob performs a signature $$s = e \times x + k \pmod{q}$$ and sends $s$ to Alice

Alice computes $$s’ = s + a \pmod{q}$$
The pair \((R’, s’)\) is a valid signature on transaction $M$.
You can find the experimental implementation in TypeScript here.
To be continued.