Using RSA signatures (see Question 3.1.1), Chaum demonstrated the implementation of this concept as follows: Suppose Alice has a message m that she wishes to have signed by Bob, and she does not want Bob to learn anything about m. Let (n,e) be Bob's public key and (n,d) be his private key. Alice generates a random value r such that gcd(r, n) = 1 and sends x = (re m) mod n to Bob. The value x is ``blinded'' by the random value r; hence Bob can derive no useful information from it. Bob returns the signed value t = xd mod n to Alice. Since
xdº (re m)d º r md mod n,
Alice can obtain the true signature s of m by computing s = r-1 t mod n.
Now Alice's message has a signature she could not have obtained on her own. This signature scheme is secure provided that factoring and root extraction remains difficult. However, regardless of the status of these problems the signature scheme is unconditionally ``blind'' since r is random. The random r does not allow the signer to learn about the message even if the signer can solve the underlying hard problems.
There are potential problems if Alice can give an arbitrary message to be signed, since this effectively enables her to mount a chosen message attack. One way of thwarting this kind of attack is described in [CFN88].
Blind signatures have numerous uses including timestamping (see Question 7.11), anonymous access control, and digital cash (see Question 4.2.1). Thus it is not surprising there are now numerous variations on the blind signature theme. Further work on blind signatures has been carried out in recent years [FY94] [SPC95].