Building Intuition for the Cashu Blind Signature Scheme

Original Postby thunderbiscuit

The ecash blind signature scheme, as explained by Ruben Somsen and David Wagner and implemented in [Cashu](, employs cryptographic techniques to create and redeem tokens while preserving user privacy.

The scheme uses elliptic curve Diffie-Hellman points for secure communication between parties, such as Alice and Bob, through private and public keys.

A crucial aspect of the scheme is the ability to demonstrate that one does not know the private key corresponding to a specific point on the curve. This is achieved by deriving the coordinates of the point from the hash of a message, leveraging the hash function's preimage resistance property.

To address privacy concerns in token systems, the concept of blinding and unblinding tokens is introduced. In this system, a mint, referred to as Mike, issues tokens after receiving payment. To maintain anonymity, Alice sends Mike a blinded message containing her public key modified by another random public key. Mike then signs this message blindly, which Alice can later unblind. This technique prevents Mike from tracing the redeemed token back to its issuance, thereby preserving the privacy of transactions.

Furthermore, the system allows Alice to prove possession of a valid token to Mike without disclosing her private key. The underlying mathematical functions ensure that a given point C on the curve represents a Diffie-Hellman exchange between Alice's public key A and Mike's public key K. Verification of the token's legitimacy involves checking that point C has not been previously redeemed. These tokens serve as a private form of payment within the system and are designed to prevent double-spending and unauthorized redemptions. Through this process, Mike cannot determine the involvement of other parties in transactions, such as payments made by Alice to Bob using the token.