Blind Schnorr Signatures
Interactive Demo

Disguise a Nostr event, ask the server to blindly sign, then unblind & post!

Schnorr signatures let a signer prove they signed a message using their secret key. Blind signatures take this a step further -- you can sign a message without ever knowing the contents of what you are signing.

A user disguises their message, has the server sign the disguised message, then unblinds the result -- producing a valid signature that the server can't link back to the message it signed.

This is powerful for privacy: a server can act as an authority while remaining blind to the contents of the data it is authorising. See this article by Nadav @ suredbits for more on the math.

Follow steps 1–7

SERVER

7. Verify signature

Once the user shares the signature-nonce pair \((s', R')\), anyone can verify it solves the schnorr verification equation \(s' * G = R' + c*X\) for challenge \(c\) belonging to message \(m\).

Most importantly, the server has no way of correlating this signature-nonce pair with the challenge and nonce they signed with earlier.

Publickey

Message

Signature:

Blinded nonce

Valid?:

USER

Broadcast Nostr event

<Signed Nostr Event>

Schnorr Verification Equation

Show \((s', R')\) solves the schnorr verification equation \((s' * G = R' + c*X)\) for challenge \(c\) under public key \(X\):

Hint: Expand \(s'\) from definitions (plug and chug the algebra)

Reveal proof

Starting with the blinded signature: $$\begin{aligned} s' &= s + \alpha \\ &= (k + c'*x) + \alpha \\ &= k + (c+\beta)*x + \alpha \\ &= (k + \alpha + \beta*x) + c*x \end{aligned}$$ so $$\begin{aligned} s'*G &= ((k + \alpha + \beta*x) + c*x)*G \\ &= (k + \alpha + \beta*x)*G + c*(x*G) \\ &= k*G + \alpha*G + \beta*(x*G) + c*(x*G) \\ &= (R + \alpha*G + \beta*X) + c*X \\ &= R' + c*X \end{aligned}$$

Thanks for trying!

Code: check out the blind schnorr signature PR to secp256kfun!

Why? Blind signatures enable powerful privacy patterns: a server can authenticate or authorize user actions without learning what those actions are. Think anonymous credentials, private voting, or unlinkable access tokens. An authority can verify you're allowed to do something without ever seeing what you did.

My nonce expired! Currently the server only allows one signing session at a time, to prevent Wagner attacks (concurrent sessions can allow forgery).

Donate

made with love by utxo.club