In order to sign a

Blind signatures allow for a user (you!) to disguise a message challenge and then request a server to sign your disguised challenge. The user can then take this signature and unblind it. Resulting in a signature that is valid for the original challenge they disguised, while looking completely different to the challenge which the server was asked to sign.

See this fantastic article by Nadav @ suredbits for an intro on blind signatures and some motivations for the mathematics.

We can then unblind this signature, revealing a completely separate signature that is not only valid but also looks completely unrelated to what we asked of the server.

In order to get a better idea for how blind schnorr signatures work, interaction with the

The server has some private key \(x\) and public key \(X = x*G\).

(\(G\) is the generator point of an elliptic curve - basically
all you need to know is that it is impossible to find the secret
\(x\) from knowing \(X\)).

Server generates a new random secret \(k\) and uses it to create a public nonce \(R=k*G\), and saves them.

Choose a message for the server to blindly sign \(m\),

**Message \(m\)**:

Generate two random scalar values \(\alpha\) and \(\beta\).

These scalars will used to blind (disguise) what we request the
server to sign.

**Blinding values:**

Request the server to produce a signature for the challenge using
the nonce secret \(k\) and private key \(x\)

\(s = k + c'*x\).

**Signature \(s\)**:

Blind the nonce \(R' = R + \alpha*G + \beta*X\).

For a message \(m\) create a challenge \(c = H(X, R', m)\) using a hash function \(H\), then blind it \(c' = c + \beta\).

🦀 Use WASM to locally blind the nonce and create a challenge. 📝Use the blinding values to get the tweaked signature \(s' = s + \alpha\).

🦀 Locally unblind the signature!
**Unblinded signature \(s'\)**:

Once the user shares this signature-nonce pair \((s', R)\), anyone
can verify it solves the schnorr verification equation \(s' * G =
R' + c*X'\) for some challenge \(c\) belonging to message \(m\).

Most importantly,
**the server has no way of correlating** this signature-nonce
pair with the challenge and nonce they signed with earlier.

**Valid?**:

Math: show \((s', R')\) solves the schnorr verification equation \((s' * G = R' + c*X)\) for challenge \(c\) under public key \(X\):

Hint: Expand \(s'\) from definitions (plug and chug the algebra)Starting with the blinded signature:
$$\begin{aligned} s' &= s + \alpha
\\ &= (k + c'*x) + \alpha
\\ &= k + (c+\beta)*x + \alpha
\\ &= (k + \alpha + \beta*x) + c*x
\end{aligned}$$
so
$$\begin{aligned} s'*G &= ((k + \alpha + \beta*x) + c*x)*G
\\ &= (k + \alpha + \beta*x)*G + c*(x*G)
\\ &= k*G + \alpha*G + \beta*(x*G) + c*(x*G)
\\ &= (R + \alpha*G + \beta*X) + c*X
\\ &= R' + c*X
\end{aligned}$$