David Chaum's 1983 invention that made anonymous digital cash possible. Here's how it actually works — from the envelope metaphor down to the maths.
Before diving into the maths, let's understand the physical-world analogy that Chaum himself used.
Imagine you write a cheque for $100 on a piece of paper. You place this cheque inside a special envelope lined with carbon paper. You seal the envelope and bring it to your bank. The bank — without opening the envelope — signs on the outside, pressing through the carbon paper. When you open the envelope, you find the bank's signature is now on your cheque. The bank has certified the cheque without ever seeing its content.
A mathematical "blinding factor" that hides your message. Cheap to apply and remove.
RSA digital signature that proves the cheque is certified — without knowing what it says.
After removing the envelope, you hold a valid signed coin that the bank cannot link to you.
#7294 and wraps it in a blinding factor. m = 7294 and a random blinding factor r. She computes blinded = m · r^e mod n, where (e, n) is the bank's public key.
Blind signatures use RSA (or a similar scheme). You don't need to master RSA — just grasp how the blinding trick works. Here are the three key formulas.
Alice multiplies her coin serial m by a random blinding factor r raised to the bank's public exponent e. This hides m completely.
The bank signs the blinded value using its private key d. It never sees the original m. Standard RSA signing.
Alice divides out her blinding factor r. What remains is the bank's valid RSA signature on the original coin m. Magic? No — modular arithmetic.
Because (m · r^e)^d = m^d · r^(ed) = m^d · r (since r^(ed) mod n = r by RSA). So dividing by r gives m^d — which is exactly the bank's signature on m. The blinding factor cancels out perfectly.
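The blind, sign and unblind steps above carried through with the page's coin serial m = 7294, as an added example that is not part of the original page. The primes, exponent and all function names are constructed for illustration, and this is unpadded textbook RSA at toy key size, chosen only so the algebra is visible.

```python
import math
import secrets

# Constructed toy key (assumption): deployed RSA keys use far larger primes.
P, Q = 10007, 10009
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # bank's private exponent d

def random_blinding_factor(n):
    """Pick r in [2, n-1] that is invertible mod n, so it can be divided out."""
    while True:
        r = secrets.randbelow(n - 2) + 2
        if math.gcd(r, n) == 1:
            return r

def blind(m, r, e, n):
    """Alice: blinded = m * r^e mod n."""
    return (m * pow(r, e, n)) % n

def bank_sign(blinded, d, n):
    """Bank: ordinary RSA signing of whatever value it is handed."""
    return pow(blinded, d, n)

def unblind(blind_sig, r, n):
    """Alice: 'dividing by r' means multiplying by r^-1 mod n, leaving m^d."""
    return (blind_sig * pow(r, -1, n)) % n

def verify(m, sig, e, n):
    """Anyone holding the public key: sig^e mod n must equal m."""
    return pow(sig, e, n) == m % n

def withdraw(m, r=None):
    """One withdrawal; returns (value the bank saw, Alice's unblinded signature)."""
    r = r or random_blinding_factor(N)
    blinded = blind(m, r, E, N)
    return blinded, unblind(bank_sign(blinded, D, N), r, N)

if __name__ == "__main__":
    seen_by_bank, coin_sig = withdraw(7294)
    print("bank saw:", seen_by_bank, "| coin signature:", coin_sig)
    print("verifies under (e, n):", verify(7294, coin_sig, E, N))
    print("equals a direct signature on m:", coin_sig == pow(7294, D, N))
```

Calling `withdraw` twice with different values of r gives the bank two unrelated blinded values but yields the same final signature, which is why the deposit cannot be matched to the withdrawal.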
Blind signatures provide three cryptographic guarantees that make anonymous digital cash possible.
Great question. If the bank signs without seeing the content, what stops Alice from slipping in a $1,000,000 coin when she only deposited $1? Chaum designed two safeguards:
So the bank is blindfolded about which coin it's signing — but it always knows how much it's worth and has already been paid for it. Blindness protects Alice's privacy without creating any risk for the bank.
The signer (bank) cannot see the message it is signing. It is computationally infeasible to determine m from the blinded value.
When the signed coin is later deposited, the bank cannot link it to the withdrawal. Alice's identity is cryptographically severed from the coin.
Only the bank can produce valid signatures. Even though Alice manipulated the message, the resulting signature is indistinguishable from a normally-signed coin.
The bank records each serial number when deposited. If the same serial appears twice, the bank knows someone double-spent — and Chaum's protocol reveals their identity.
Chaum proved that mathematical privacy in digital payments was possible. Before 1983, most cryptographers assumed digital money would always be traceable because it requires third-party validation.
Blind signatures inspired every subsequent privacy-preserving protocol — from zero-knowledge proofs in Zcash, to ring signatures in Monero, to the Pedersen commitments in Confidential Transactions.
Blind signatures solved privacy but not decentralisation. The bank is still the single point of failure. Satoshi's breakthrough was combining this kind of cryptographic cleverness with a fully distributed consensus mechanism — removing the bank entirely.