Implementing blind signature on ed25519

Blind-signature is a cryptographic scheme that allows creating signature on a encrypted message that is also valid on the decrypted message. This powerful scheme enables many anonimization systems to exists. To build the intuition, the process of blind-signature can be visualized as follows:

  1. Alice prepares a letter.
  2. Place it into an envelope along with a carbon paper.
  3. Bob signs the envelope.
  4. Alice takes out the signed letter from the envelope.

As a result, Bob learns nothing about the content of the letter, while Alice ends up with the letter signed by Bob.

Bob signs the letter without knowing its content

Bob signs the letter without knowing its content

Although this schema is widely known for RSA 1, it is hard to find it for other algorithms like EdDSA. In this post we will look at how to implement blind signature on ed25519.

Before we jump to equations, let’s recall some facts about elliptic-curves cryptography:

Let’s assume a voting process where Alice is a voter, and Bob is an authorization person who signs ballot-papers and hence, authorizing them. Since Alice doesn’t want to disclose her vote option to Bob, they proceed with blind signature protocol.


The process of signing blindly is interactive and consist of four steps, starting from Bob:

  1. Bob generates random number (nonce) $k$ in range $(1, q-1)$, computes $$r=k \times G (mod\ p)$$ and sends $r$ to Alice.

  2. Alice picks two random numbers $a$ and $b$ in the range $(1, q-1)$, use them to compute challenge number $e$, $$\begin{aligned} R’ &= r \times (a \times G) \times (b \times P) \pmod{p} \\ e’ &= H(R’|| P || M) \\ e &= e\prime + b \pmod{q} \end{aligned}$$ and sends $e$ to Bob .

  3. Bob performs a signature $$s = e \times x + k \pmod{q}$$ and sends $s$ to Alice

  4. Alice computes $$s’ = s + a \pmod{q}$$

The pair \((R’, s’)\) is a valid signature on transaction $M$.

You can find the experimental implementation in TypeScript here.

To be continued.