# Are (EC) DSA blind signatures possible?

I’ve been searching for a way to create blind ECDSA signatures.
My research and experimentation has led me to believe that this is not possible.

I’ve been attempting to articulate why and I think that it is because it is not possible to apply a transformation to the message in a way which can be reversed whilst retaining a valid signature. The message and signature cannot be transformed as required because the ephemeral key is not known by the recipient, and if the key were known then the long term signing key could be determined. An ECDSA signature only permits validating that the signature was formed from the message and the private key corresponding to the expected public key.

I would like to confirm whether there are any known ECDSA blind signature schemes? I suppose publication bias might prevent this from appearing in the literature.

More generally are there any known ECDSA variants such as proxy signatures? My research has led me to the conclusion that it’s functionality is entirely constrained to yielding a standard signature scheme.

Cryptography Asked on December 27, 2020

A paper(https://eprint.iacr.org/2018/660.pdf) in Asiaccs 2019 seems to have constructed one. But it did not give a security proof. Not sure if it is secure. Hope it can help you.

Answered by user77340 on December 27, 2020

I am not aware of any existing scheme allowing this easily (excepted for PureEdDSA maybe, but I wouldn't classify it as an ECDSA variant).

However I do not believe this is impossible. So let's try to do this for ECDSA:

We have a message $m$ whose hashed value $H(m)$ is converted into an integer $z$ which gets signed into the signature $(r,s)$ by the signer.

Now the verifier will basically rely on begin{aligned} C&=u_1times G+u_2times Q\ &=u_1 times G +u_2d times G\ &=(u_1+u_2 d)times G \ &=(zs^{-1}+rds^{-1})times G \ &=(z+rds)color{red}{s^{-1}}times G \ &=(z+rd)color{red}{(z+rd)^{-1}(k^{-1})^{-1}}times G \ &=ktimes G end{aligned} And will say that it verifies iff $C_x==r$ And as you can see, if you can change $r,s,z$ then you can force a coefficient in the latest line to cancel "almost out", by taking $bs,abr,abz$ instead and would end up with $$(abz+abrd)color{red}{b^{-1}(z+rd)^{-1}(k^{-1})^{-1}}times G \ = aktimes G$$

Now the difficult part is to find out if it is possible to get $a,b,m'$ such that $H(m')$, once converted into $z'$ is such that $z'=abz$ and such that $(aktimes G)_x equiv abrmod n$...

I do not see why this couldn't be possible, being given so much slack on the variables... But since I don't have time right now to actually try it out, I'll try to do it later or another day and will edit this answer accordingly.

Answered by Lery on December 27, 2020

## Related Questions

### A modification of the Blum-Micalli construction

1  Asked on October 24, 2021

### Would Triple DES-X with 7 keys be much slower than standard Triple DES?

1  Asked on October 24, 2021 by abercrombie-dorfen

### Publicly verifiable secret sharing scheme

1  Asked on October 24, 2021 by fiono

### DTLS vs direct use of AES. What are the threats unique for direct use of AES instead of DTLS?

1  Asked on October 24, 2021

### Can someone help me understand this?

1  Asked on October 24, 2021 by user80873

### ZKP for product of two primes

2  Asked on October 24, 2021 by yacovm

### How does second pre-image attack on Merkle Signature Scheme work?

1  Asked on October 24, 2021

### Modulo hashing scheme

0  Asked on October 24, 2021

### How do herding attacks on hash functions work?

1  Asked on October 24, 2021

### Has the ECDH protocol been designed just for key exchange or is it widely used for key exchange?

1  Asked on October 24, 2021 by manish-kaul

### AES/ECB vs AES/CBC for <16 bytes

1  Asked on October 24, 2021 by andriy-gerasika

### How to implement arbitrary s-box in a side-channel-free way in C?

0  Asked on October 24, 2021

### Should I use self generated or predefined RFC 7919 DH groups?

1  Asked on October 24, 2021 by wedi

### What’s the least computationally expensive way to verify a message is from who they say they are?

1  Asked on October 24, 2021 by alexandhisscripts

### AES-256, CBC, plaintext length is multiple of block size: Does PKCS #7 padding weaken the encryption?

1  Asked on October 24, 2021

### Pollard Rho Optimization

0  Asked on October 24, 2021

### How can a collision attack using MD5 be used to break WOTS

1  Asked on October 24, 2021 by evernal

### Is there any examples of information-theoretic secure MPC for dishonest majority against malicious adversary?

1  Asked on October 24, 2021 by shoy700

### Are the asymmetric roles of the two keys in the elliptical curves the same (as for RSA)? Can they be interchanged indifferently?

2  Asked on October 24, 2021 by benoit-leger-derville

### Proof of the Diffie-Hellman Key Exchange

1  Asked on March 7, 2021 by mppub