Sign What You Cannot See: A Field Guide to Blind Signatures

In 1982, David Chaum solved a problem that would take forty years to matter: how do you get someone to sign a document they cannot read? His answer, published as "Blind Signatures for Untraceable Payments" at CRYPTO '82, produced the mathematical foundations beneath every modern privacy-preserving payment system. The blind signature schemes running today in Cashu, Fedimint, Wasabi Wallet, and Signal are direct descendants of that paper, yet each uses different mathematics to achieve the same core property. Understanding why they differ requires understanding what they share.

Every blind signature scheme exploits a single principle: algebraic homomorphism. An operation is homomorphic when you can perform it on disguised inputs and the disguise cancels cleanly from the result. If I scramble your message with a random mask before you sign it, and your signing operation passes through my scramble without breaking it, then I can remove my mask afterward and recover a valid signature on the original message. You signed something you never saw, and you have no way to connect the final signed document to the scrambled version you actually touched. This principle works the same way across every mathematical setting cryptographers have tried, and grasping it once means grasping every blind signature scheme ever constructed.

The Carbon Paper Envelope: Chaum's RSA Scheme (1982)

Chaum himself offered the best intuition. Imagine a voter who places a completed ballot inside an envelope lined with carbon paper, credentials printed on the outside. An election official verifies the credentials and signs the outside with a pen. Carbon paper transfers the signature through to the ballot. Later, the voter removes the signed ballot and drops it in the ballot box inside a fresh unmarked envelope. No one can connect the ballot to the voter who cast it, and when the ballot is counted, the signature proves authorization while revealing nothing about which voter cast it.

RSA makes this carbon paper trick precise. The critical feature is multiplicative homomorphism: if Alice multiplies her message by a random mask before Bob signs it, Bob's signature operation distributes over that multiplication. When Alice divides out her mask afterward, it cancels cleanly and she holds a valid signature on her original message. Bob never saw it. For those who want the notation: Alice computes m' = m * r^e mod N, Bob signs to get s' = (m')^d mod N, Alice unblinds with s = s' / r mod N, and the RSA identity r^(ed) = r guarantees the mask cancels to leave m^d, a standard signature. The unlinkability is information-theoretic: even with infinite computing power, the signer cannot determine which message he signed.
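
The three steps above as an added worked example (not code from the original article), using a toy RSA key with assumed values N = 61 * 53, e = 17, d = 2753; the last function checks the unlinkability claim by showing that any blinded message Bob saw is consistent with any final signature.

```python
import secrets
from math import gcd

# Assumed toy key: N = 61 * 53, e = 17, d = e^-1 mod phi(N). Real keys are thousands of bits.
N, e, d = 3233, 17, 2753

def blind(m):
    """Alice: choose a random mask r coprime to N and send m' = m * r^e mod N."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            return (m * pow(r, e, N)) % N, r

def sign_blinded(m_blinded):
    """Bob: sign whatever arrives without learning m: s' = (m')^d mod N."""
    return pow(m_blinded, d, N)

def unblind(s_blinded, r):
    """Alice: s = s' * r^-1 mod N; because r^(ed) = r, the mask cancels to m^d."""
    return (s_blinded * pow(r, -1, N)) % N

def verify(m, s):
    """Anyone with the public key: the ordinary RSA check s^e == m mod N."""
    return pow(s, e, N) == m % N

def issue(m):
    """Run the whole protocol; returns the final signature and what Bob actually saw."""
    m_blinded, r = blind(m)
    return unblind(sign_blinded(m_blinded), r), m_blinded

def mask_explains(m_blinded, s_blinded, m, s):
    """Bob's view of a session is (m', s'). For ANY valid (m, s) there is a mask
    r = s' / s with m' == m * r^e, so every session is consistent with every
    signature: this is the information-theoretic unlinkability."""
    r = (s_blinded * pow(s, -1, N)) % N
    return m_blinded == (m * pow(r, e, N)) % N

if __name__ == "__main__":
    s, seen = issue(1234)
    print(verify(1234, s), mask_explains(seen, sign_blinded(seen), 1234, s))
```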

Chaum founded DigiCash in Amsterdam in 1989 to commercialize this idea. By 1994, the company had deployed the first electronic cash payment using blind RSA signatures, with Mark Twain Bank in Missouri becoming the only American bank to issue eCash. Deutsche Bank and Credit Suisse followed, along with banks in Scandinavia, Australia, and Finland. The bank signed coins it could not see, and when those coins were deposited, the bank verified the signature without knowing which withdrawal produced them. DigiCash filed for bankruptcy in 1998 with only five thousand customers. The math was correct. The market was not ready.

Blinding Without RSA: Wagner's Elliptic Curve Construction (1996)

On March 31, 1996, David Wagner posted "Chaumian ecash without RSA" to the cypherpunks mailing list. His observation: you can blind a Diffie-Hellman key exchange the same way you blind an RSA signature. RSA was still under patent, and Wagner's construction offered a clean alternative. Where Chaum multiplied a message by a random mask in the world of big integers, Wagner shifted a message by a random offset in the world of elliptic curve points. Different algebra, identical principle: the disguise passes through signing and cancels upon removal.

On an elliptic curve, the mint's private key is a secret number and the public key is a curve point derived from it. Alice converts her secret into a curve point and shifts it by a random offset before sending the shifted point to the mint. The mint multiplies by its private key. Alice removes her offset, and because scalar multiplication distributes over point addition, the offset cancels. What remains is the mint's signature on her original message point, which the mint signed without seeing.

Cashu uses exactly this scheme, adapted to secp256k1 (Bitcoin's curve). Callebtc built the protocol around this construction beginning in 2022, calling it Blind Diffie-Hellman Key Exchange (BDHKE) and defining it in the NUT-00 specification. The user picks a random secret, maps it to a curve point, blinds it with a random shift, receives the mint's blind signature, and removes the shift. The ecash token is the secret paired with its unblinded signature. Redemption: the mint recomputes the signature using its private key and checks whether the result matches.

One subtlety distinguishes this from Chaum's RSA scheme: only the mint can verify, because verification requires the private key. Since ecash redemption always goes through the mint, public verifiability is unnecessary for the basic protocol. For peer-to-peer token verification without contacting the mint, Cashu's NUT-12 adds Discrete Log Equality (DLEQ) proofs: the mint proves that the same private key behind its public key was used to generate the blind signature, enabling offline verification.
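
The BDHKE flow of the two paragraphs above, as an added example that is not Cashu's code: an assumed toy curve (y^2 = x^3 + 2x + 2 over F_17, prime order 19, G = (5, 1)) stands in for secp256k1, hash_to_curve is a constructed stand-in for the NUT-00 procedure, and the NUT-12 DLEQ proof is not modelled.

```python
import hashlib, secrets

# Assumed toy curve standing in for secp256k1: y^2 = x^3 + 2x + 2 over F_17,
# prime order 19, generator G = (5, 1). Far too small for anything but illustration.
P, A, B, ORDER, G = 17, 2, 2, 19, (5, 1)

def add(p1, p2):  # affine point addition; None is the point at infinity
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):  # double-and-add scalar multiplication
    acc = None
    for bit in bin(k % ORDER)[2:]:
        acc = add(acc, acc)
        if bit == "1":
            acc = add(acc, pt)
    return acc

def hash_to_curve(secret):  # toy hash-to-curve, not NUT-00's: step x until it has a y
    x = int.from_bytes(hashlib.sha256(secret).digest(), "big") % P
    while True:
        ys = [y for y in range(P) if y * y % P == (x ** 3 + A * x + B) % P]
        if ys:
            return (x, ys[0])
        x = (x + 1) % P

def blind(secret):
    """User: Y = hash_to_curve(secret), random shift r, send B' = Y + r*G to the mint."""
    r = secrets.randbelow(ORDER - 1) + 1
    return add(hash_to_curve(secret), mul(r, G)), r

def mint_sign(k, B_blinded):  # mint: C' = k*B'; it never sees Y
    return mul(k, B_blinded)

def unblind(C_blinded, r, K):
    """User: C = C' - r*K = k*Y + k*r*G - r*k*G = k*Y, with K = k*G the mint's public key."""
    rK = mul(r, K)
    return add(C_blinded, (rK[0], -rK[1] % P))

def mint_verify(k, secret, C):  # redemption: only the key holder can recompute k*Y
    return mul(k, hash_to_curve(secret)) == C
```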

The Schnorr Temptation and Its Undoing

Schnorr signatures possess a mathematical elegance that makes them appear ideal for blinding. Claus-Peter Schnorr published his scheme in 1989, and its core mechanism is a three-move conversation: the signer commits to a random value, receives a challenge, and responds with a value combining the challenge with the private key. The response equation is linear, a structure that practically begs to be blinded.

Blinding it is as elegant as the signature itself. Upon receiving the signer's commitment, the user shifts it with two random factors, derives the real challenge from the shifted version, sends a modified challenge back to the signer, and adjusts the signer's response. The result is a valid Schnorr signature that the signer cannot link to the signing session: the two random numbers provide a two-dimensional shift that makes the connection impossible.
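
The three-move blinding just described, as an added example that is not from the original article, in the multiplicative group Schnorr originally used, with assumed toy parameters p = 23, q = 11, g = 2; the last function checks blindness by showing that any signing transcript is consistent with any final signature. It runs one session at a time and says nothing about the concurrent setting.

```python
import hashlib, secrets

# Assumed toy Schnorr group (not for real use): q = 11 divides p - 1 = 22 and
# g = 2 has order 11 mod 23. Signer key x, public key X = g^x.
p, q, g = 23, 11, 2

def challenge(R_prime, msg):
    """Fiat-Shamir: c' = H(R' || m) mod q."""
    h = hashlib.sha256(R_prime.to_bytes(4, "big") + msg).digest()
    return int.from_bytes(h, "big") % q

def signer_commit():
    """Move 1: signer picks nonce k and sends the commitment R = g^k."""
    k = secrets.randbelow(q - 1) + 1
    return k, pow(g, k, p)

def user_blind(R, X, msg):
    """Move 2: shift R by two random factors into R' = R * g^alpha * X^beta, derive the
    real challenge c' from R', and send back the modified challenge c = c' + beta."""
    alpha, beta = secrets.randbelow(q), secrets.randbelow(q)
    R_prime = R * pow(g, alpha, p) * pow(X, beta, p) % p
    c_prime = challenge(R_prime, msg)
    return (c_prime + beta) % q, (alpha, R_prime, c_prime)

def signer_respond(k, x, c):  # move 3: the linear response s = k + c*x mod q
    return (k + c * x) % q

def user_unblind(s, state):  # adjust the response: s' = s + alpha
    alpha, R_prime, c_prime = state
    return R_prime, c_prime, (s + alpha) % q

def verify(X, msg, sig):  # ordinary Schnorr verification of (R', c', s')
    R_prime, c_prime, s_prime = sig
    return pow(g, s_prime, p) == R_prime * pow(X, c_prime, p) % p and c_prime == challenge(R_prime, msg)

def blind_sign(x, X, msg):
    """One session; returns the signature and the transcript (R, c, s) the signer saw."""
    k, R = signer_commit()
    c, state = user_blind(R, X, msg)
    s = signer_respond(k, x, c)
    return user_unblind(s, state), (R, c, s)

def transcript_explains(X, transcript, sig):
    """Blindness: for ANY transcript and ANY valid signature, beta = c - c' and
    alpha = s' - s make R' = R * g^alpha * X^beta hold, so the signer cannot link them."""
    R, c, s = transcript
    R_prime, c_prime, s_prime = sig
    alpha, beta = (s_prime - s) % q, (c - c_prime) % q
    return R_prime == R * pow(g, alpha, p) * pow(X, beta, p) % p
```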

The trouble is concurrency. In 2002, David Wagner (the same cryptographer behind the RSA-free blinding scheme) published "A Generalized Birthday Problem" at CRYPTO 2002, showing that an attacker who opens many blind signing sessions simultaneously can combine information across them to forge extra signatures. The linearity of the Schnorr response means that enough parallel sessions give the attacker sufficient algebraic purchase to extract one more valid signature than sessions opened. For a 256-bit curve, the attack requires roughly 2^23 concurrent sessions, trivially achievable on modern hardware. In 2020, Benhamouda, Lepoint, Loss, Orru, and Raykova shattered the underlying hardness assumption (the ROS problem) completely by producing a polynomial-time solver, making the attack fully efficient.

This explains why Wasabi Wallet v1.0 initially chose RSA blind signatures: Schnorr blinding under concurrency was known to be vulnerable since 2002, and RSA had a formal security proof (Bellare et al., 2003). Wasabi v1.1 eventually did adopt Schnorr blind signatures, with a mitigation that neutralized Wagner's attack for the CoinJoin use case. In a CoinJoin round, the coordinator controls participation and limits concurrent sessions. A successful forgery would let an attacker register an extra output without a corresponding input, but because the coordinator verifies that outputs cannot exceed inputs before signing, the forged credential produces a denial of service (the round fails to balance), not a theft. Rate-limiting concurrent registrations makes even disruption impractical.

Academic fixes addressed the general case: Fuchsbauer, Plouviez, Seurin proposed a modified scheme at EUROCRYPT 2020 forcing sequential-like interaction within concurrent sessions, and Abe constructed an alternative achieving provable security for polynomially many sessions back in 2001. Mercury Wallet deployed Schnorr blind signatures for statechain transfers. But the dominant response was more radical: the projects needing the most flexibility abandoned blind signatures altogether.

Pairing the Way: BLS Blind Signatures and Threshold Mints (2001)

In 2001, Boneh, Lynn, and Shacham presented a signature scheme at ASIACRYPT built on bilinear pairings, a mathematical structure unavailable to RSA or Schnorr. A pairing takes two curve points and produces an output in a third group, with the property that you can shuffle secret multipliers between inputs without changing the output. BLS signing is almost absurdly simple: hash the message to a curve point and multiply by the private key. The result, 48 bytes on BLS12-381, is the entire signature.

Blinding is correspondingly simple. Boldyreva showed in 2003 that scaling the message point by a random factor before signing lets the signer's private-key multiplication distribute over the scaling. Divide out the factor afterward and you hold a valid signature the signer never saw. This blinding is multiplicative where Cashu's is additive, but the core principle is the same: the disguise passes through signing and cancels on removal.

What makes BLS uniquely suited to federated systems is that signatures are additive: partial signatures from different signers sum to a valid signature under the combined key. Split the master private key into shares using Shamir's scheme and distribute them across guardians. Each guardian independently produces a partial blind signature on a blinded message. Collect enough partials and combine with interpolation coefficients to produce a complete blind signature under the aggregate key. No interactive protocol between guardians, no multi-round communication. Each one independently multiplies a blinded point by their secret share.

Fedimint implements precisely this. The fedimint-tbs crate (threshold blind signatures over BLS12-381) encodes the full protocol: a user hashes a random nonce to a curve point, scales it by a blinding factor, then submits to the federation. Each guardian computes a partial blind signature. The pairing lets anyone verify each partial against the guardian's public key share, catching malicious guardians before aggregation. Interpolation combines valid shares into a single blinded signature. The user removes the blinding factor and holds ecash verifiable against the federation's aggregate public key.

The trade-off is cost: pairing operations run roughly ten times slower than Cashu's secp256k1 operations. But Fedimint needed threshold signing without interactive protocols, and BLS is the only family where that construction works cleanly. The cryptography followed from the trust model: a single mint can afford cheap curve operations, a federation needs the additive structure only pairings provide.

Beyond Blinding: Keyed-Verification Anonymous Credentials (2014)

Every blind signature scheme discussed so far solves one narrow problem: sign a token the signer cannot see so that redemption is unlinkable to issuance. This works when every token is identical, as in fixed-denomination ecash, but collapses when tokens need to carry attributes. Wasabi Wallet v1 hit this wall: because blind signatures could only certify "this output was registered by a valid participant" without encoding amounts, every CoinJoin output had to use fixed denominations. The wallet decomposed amounts from the bottom up using powers of two starting at 0.1 BTC, one coin per denomination level. A user with 0.37 BTC would get outputs of 0.1 and 0.2 BTC, with 0.07 BTC left as toxic change linked to their input.

In 2014, Chase, Meiklejohn, and Zaverucha published "Algebraic MACs and Keyed-Verification Anonymous Credentials" at ACM CCS, and the key observation was disarmingly simple. Anonymous credential research had spent two decades assuming credentials must be publicly verifiable, forcing expensive constructions using pairings or RSA. IBM built Idemix and Microsoft built U-Prove on these foundations, and neither shipped at consumer scale. But most real-world privacy systems have the issuer and verifier as the same entity: Signal's server issues and verifies group credentials, a CoinJoin coordinator issues and redeems tokens. When the issuer is the verifier, public verifiability is wasted effort. Drop that requirement and you can replace signatures with algebraic message authentication codes (MACs), symmetric-key constructions running at wire speed on standard elliptic curve operations.

The KVAC construction: the issuer computes a MAC tag on the user's attributes, producing curve points that constitute the credential. On presentation, the user randomizes these points with a fresh blinding factor, severing the link to issuance. A zero-knowledge proof convinces the verifier the randomized tag was correctly formed, without revealing the original tag or attributes. The verifier checks using the same secret key that created the credential. Signal deployed this in 2020 for private group membership, running fast enough for every group message check across hundreds of millions of users.

Ficsor, Kogman, Ontivero, and Seres published the WabiSabi paper in 2021, adapting KVACs for CoinJoin with variable amounts. The critical extension builds on the Chase-Perrin-Zaverucha 2019 follow-up (ACM CCS 2020, for Signal's private groups), which allowed credential attributes to be curve points. This enabled Pedersen commitments as attributes: commitments that hide a value behind a random mask while being additively homomorphic (the sum of commitments equals the commitment to the sum of values, without revealing any individual value).

In WabiSabi, a user registering a CoinJoin input receives KVAC credentials where each attribute is a Pedersen commitment to an amount. The coordinator stamps the commitment with a MAC without learning the value. During output registration through a fresh Tor circuit, the user presents randomized credentials and proves in zero-knowledge that committed amounts balance against declared outputs. The coordinator verifies the MAC and balance proof without seeing a number or linking output to input. Users can split and merge credentials through reissuance rounds, converting one credential for 5 BTC into two for 2 and 3 BTC, each reissuance breaking linkability. Toxic change vanishes. Outputs can be any amount.
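
The Pedersen commitment arithmetic behind the balance check above, as an added example that is not WabiSabi's code: an assumed toy group (the order-509 subgroup of Z_1019^*, generators g = 4 and h = 9 treated as having an unknown discrete-log relation), the 5 into 2 and 3 split from the text, and a Schnorr-style proof that the commitments balance; the MAC on the credential is not modelled.

```python
import hashlib, secrets

# Assumed toy group (not for real use): g = 4 and h = 9 generate the order-509
# subgroup of Z_1019^*. In practice h is derived so that nobody knows log_g(h).
p, q, g, h = 1019, 509, 4, 9

def commit(value, r=None):
    """Pedersen commitment C = g^v * h^r mod p; the random r hides v."""
    r = secrets.randbelow(q) if r is None else r
    return pow(g, value, p) * pow(h, r, p) % p, r

def combine(commitments):
    """Additive homomorphism: the product of commitments commits to the sum of values."""
    acc = 1
    for c in commitments:
        acc = acc * c % p
    return acc

def challenge(*parts):  # Fiat-Shamir challenge over the public values
    data = b"".join(x.to_bytes(4, "big") for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % q

def prove_balance(inputs, outputs):
    """User side; inputs/outputs are (value, r) pairs. When the values balance,
    prod(C_in) / prod(C_out) = h^delta with delta = sum(r_in) - sum(r_out), so a
    Schnorr proof of knowledge of delta on base h proves balance without any value."""
    delta = (sum(r for _, r in inputs) - sum(r for _, r in outputs)) % q
    c_in = combine(commit(v, r)[0] for v, r in inputs)
    c_out = combine(commit(v, r)[0] for v, r in outputs)
    t = secrets.randbelow(q)
    T = pow(h, t, p)
    e = challenge(c_in, c_out, T)
    return c_in, c_out, T, (t + e * delta) % q

def verify_balance(c_in, c_out, T, z):
    """Coordinator side: h^z == T * (C_in / C_out)^e holds only if the hidden sums match."""
    D = c_in * pow(c_out, -1, p) % p
    e = challenge(c_in, c_out, T)
    return pow(h, z, p) == T * pow(D, e, p) % p
```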

The Family Tree

Chaum's 1982 RSA scheme was elegant but patent-encumbered, requiring a single trusted signer. Wagner's 1996 variant freed the construction from patents and brought it to elliptic curves, where Cashu deployed it in 2022 for single-mint ecash. Schnorr blind signatures offered the most beautiful algebra but fell to Wagner's own concurrent forgery attack, though Wasabi v1.1 showed that application-specific mitigations could neutralize it in practice. BLS signatures, proven blindable by Boldyreva in 2003, provided the additive structure for threshold signing that Fedimint adopted in 2021. And KVACs, published in 2014 and extended for Signal in 2019, abandoned blind signatures entirely in favor of algebraic MACs with attribute commitments, enabling WabiSabi's variable-amount CoinJoin.

Each transition was forced by a concrete limitation. RSA blinding was slow and patent-restricted. Elliptic curve blinding was fast but limited to single signers. Schnorr blinding was fragile under concurrency. BLS blinding enabled federations but required expensive pairings. And blind signatures of all types could certify membership but not attributes, driving the shift to anonymous credentials. The constructions grew more sophisticated, but the intuition remained constant: find a structure where disguise passes through signing and cancels upon removal. Whether multiplicative masking in RSA, additive shifting on an elliptic curve, scalar scaling in a pairing group, or credential randomization in a KVAC, the underlying principle is Chaum's envelope with carbon paper, refined by four decades of engineering into the tools that protect millions of transactions from surveillance.

What connects every scheme is not the specific algebra but the insight that signing and seeing are separable operations. A signer can authenticate a statement without comprehending it and authorize a payment without tracking it. A verifier can confirm membership without identifying the member. Mathematics enforces this separation in a way that policy never could, because the separation is not a feature of the institution performing the signature but a structural property of the computation itself. The envelope cannot be opened because the envelope is made of mathematics.