Blind Signatures for Untraceable Payments

Blind Signatures for Untraceable Payments is David Chaum’s CRYPTO ‘82 paper introducing blind signatures for privacy-preserving electronic payments.

The Payment Privacy Problem

Chaum starts from the coming automation of payment systems. Electronic banking can improve convenience and control, but if every transaction reveals payer, payee, amount, time, and place to a third party, the payment system becomes a record of a person’s movements, associations, reading, religion, politics, health, and habits.

The paper’s goal is to avoid a false choice between traceable electronic banking and insecure anonymous cash. Chaum wants a system that protects privacy while retaining proof of payment, exceptional auditability, and theft controls.

Blind Signature Protocol

The paper explains blind signatures through the carbon-lined-envelope analogy. A voter or payer seals a message inside an envelope; the signer marks the outside; the carbon transfers the signature to the hidden slip; and the signed slip can later be shown without revealing which envelope it came from.

Cryptographically, the provider chooses a random token, blinds it with a commuting function, and sends the blinded token to the signer. The signer applies its private signing function and returns the signed blinded token. The provider removes the blinding factor and obtains a valid signature on the original token. Anyone can verify the signature with the public verification function, but the signer cannot link the unblinded token to the blinded item it signed.

Bank, Payer, and Payee

In the payment example, the payer creates a random note and blinds it. The bank signs the blinded note and debits the payer’s account. The payer unblinds the signed note, checks the bank’s signature, and later gives the note to a payee. The payee verifies the signature and deposits the note with the bank.

The bank can reject double-spent notes by maintaining a list of cleared notes. It can also know that the note is valid because it carries the bank’s signature. What it cannot know, if the protocol is used correctly, is which payer’s withdrawal produced that deposited note.

Lineage

This paper is the technical root of Chaumian e-cash and DigiCash. It also marks an important difference between banked digital cash and Bitcoin. Chaumian systems preserve privacy through a signing institution that cannot link withdrawals and deposits; Bitcoin removes the mint but exposes a public ledger with pseudonymous keys.

The paper belongs beside New Directions in Cryptography because it turns digital signatures into a privacy primitive. It belongs beside Security Without Identification because the later paper expands blind signatures into a full transaction-systems program.

See Also

Sources