Implementing blind signature on ed25519

Blind signature is a cryptographic scheme, which allows for a signature creation on an encrypted message that is also valid on the decrypted message. This powerful scheme enables many anonymous schemes to exist. The process of a blind signature can be visualized as follows:

  1. Alice prepares a letter.
  2. Alice place it into an envelope along with carbon paper.
  3. Bob signs the envelope.
  4. Alice takes out the signed letter from the envelope.

As a result, Bob learns nothing about the content of the letter, while Alice ends up with the letter signed by Bob.

Bob signs the letter without knowing its content

Bob signs the letter without knowing its content

Although this schema is widely known for RSA 1, it is hard to find it for other algorithms like EdDSA. In this post, we will look at how to implement blind signature on ed25519.

Before we jump to equations, let’s recall some facts about elliptic-curve cryptography:

Let’s assume a voting process where Alice is a voter and Bob is an authorization unit who signs ballot papers making them valid votes. Since Alice doesn’t want to disclose her vote option to Bob, they proceed with the blind signature protocol.


The process of signing blindly is interactive and consists of four steps, starting from Bob:

  1. Bob generates random number (nonce) $k$ in range $(1, L-1)$, computes point $$R=k \times G$$ and sends $R$ to Alice.

  2. Alice picks two random numbers $a$ and $b$ in the range $(1, L-1)$, use them to compute challenge number $e$, $$\begin{aligned} R’ &= R + (a \times G) + (b \times P) \\ e’ &= H(R’|| P || M) \\ e &= e\prime + b \pmod{L} \end{aligned}$$ and sends number $e$ to Bob.

  3. Bob calculates a signature $$s = e \times x + k \pmod{L}$$ and sends $s$ to Alice.

  4. Alice calculate $$s’ = s + a \pmod{L}$$

The pair \((R’, s’)\) is a valid signature on transaction $M$.

In the first step, point $R$ is Bob’s public commitment to his secret $k$. In other words, value $R$ guarantees that Bob has not changed the nonce $k$ between steps 1 and 3 without revealing $k$ to Alice.

The number $k$ must be used only once (nonce—number once)—it must not be re-used between signatures.

However, there is no loss of signature blindness even if the value $k$ gets revealed—malicious Bob can not influence Alice’s anonymity.

You can find the experimental implementation in TypeScript here.

Read the discussion on stackoverflow.