In many applications involving anonymity, it is desirable to allow a participant to sign a message without knowing what the message is. This is called a blind signature.
Blind signatures
Suppose
Charlie wants Dianne to sign a message m, but does not want Dianne to
know the contents of the message. This might seem like a strange thing
 why would Diane sign something without knowing what it is? But the
concept
has useful applications in situations involving anonymity, such as
digital cash and electronic voting. The arrangement works like this:
 Charlie "blinds" the message m, with some random number b (the blinding factor). This results in blind(m,b).
 Dianne signs this message, resulting in sign(blind(m,b),d), where d is Dianne's private key.
 Charlie then unblinds the message using b, resulting in unblind(sign(blind(m,b),d),b). The functions are designed so that this reduces to sign(m,d), i.e. Dianne's signature on m.
The concept of blind signatures (and their implementation in RSA) was invented by David Chaum in 1982.
Implementation in RSA
Recap on plain
RSA signatures
Euler's totient. Two numbers
are "relative primes" if their only common factor is 1. The Euler's
totient of a number n, written phi(n), is the number of relative primes
to n which are less than
n. If
n=57, all 56 of the numbers less than n are relatively prime to n,
because n is prime. So phi(57)=56. Fact
1:
if n is the composite pq, where p and q are prime, then phi(n) =
(p1)(q1). For example, suppose n=35. We can work out
manually
that there are 24 primes relative to 35 which are below 35, namely
{1,2,3,4,6,8,9,11,12,13,16,17,18,19,22,23,24,26,27,29,31,32,33,34}. We
can use the fact mentioned to calculate this more directly. Since 35
= 5*7, and 5 and 7 are primes,
phi(35)=4*6=24, as expected.Modulo arithmetic. In "mod n" arithmetic, all numbers are reduced to their remainder on division by n. For example, we are used to working in "mod 256", where (for example) 250 + 10 = 4 (mod 256), and 100 * 4 = 144 (mod 256), and 100^{2} = 16, 100^{3}=64, 100^{4}=0 (mod 256). Fact 2: a^{phi(n)} = 1 (mod n).
Generating the public and private keys.
Exercise. Which of the
following key pairs are valid?
Pick two large prime numbers, p and q. Let n=pq. Typically, n is a 1024
bit number. Pick e relatively
prime
to (p1)(q1). Now find d such that ed=1 mod (p1)(q1). You can use
Euclid's
algorithm to find this d. The pair of numbers (e, n) is
the public key. The pair of numbers (d, n) is the private key. The
two primes p,q are no longer needed, and can be discarded, but should
never be revealed. K=(3,99), K^{1}=(27,99)
 K=(7,187), K^{1}=(23,187)
 K=(23,187), K^{1}=(7,187)
 K=(7,143), K^{1}=(23,143)
Message format. Divide the message into blocks, each block corresponding to a number less than n. For example, for binary data, the blocks will be (log_{2} n) bits.
Signing. The signature of message m is s = m^{d} mod n.
Signature verification. To recover the message from the signature s, put m' = s^{e} mod n.
Why it works.
m' 
= 
s^{e} 
(mod n) 

by definition of sig verification 
= 
m^{de} 
(mod n)  by definition of signature 

= 
m^{k(p1)(q1) + 1} 
(mod n)  since de = k(p1)(q1) + 1, some k  
= 
m^{k phi(n) + 1} 
(mod n)  Fact 1 

= 
(m^{phi(n) })^{k }m^{ }  (mod n)  elementary equivalences 

= 
m 
(mod n)  Fact 2 
Exercise. Sign the message
88 with the key (7,187). (Details of similar calculation
[1],p.468, [2],p.271.)
Blind signatures
Suppose C wants D to sign the message m blindly. Suppose D's public key is (e,n) and her private key is (d,n).C first blinds the message m, by multiplying it by k^{e} mod n, where k is a randomly chosen number called the blinding factor. C sends the blinded message m . k^{e} mod n to D.
Next, D signs the blinded message, resulting in ( m . k^{e} )^{d} mod n, and sends the signed blinded message back to C.
Finally, C unblinds the message by dividing by k mod n, resulting in ( m . k^{e} )^{d} / k mod n.
( m . k^{e}
)^{d} / k mod n 
= 
m^{d} . k^{ed} ^{} / k mod n  (mod n) 

elementary equivalence 
= 
m^{d} . k / k mod n  (mod n)  by the reasoning given above 

= 
m^{d} mod n  (mod n)  which is the D's signature on m 
Implementation in other cryptographic schemes
Many other crypto schemes besides RSA also support blind signatures.
References
[1] Bruce Schneier, Applied Cryptography. Second Edition, J. Wiley and Sons, 1996.
[2] William Stallings, Cryptography and Network Security, Principles and Practice, Prentice Hall, 1999.
[3] Nigel Smart, Cryptography. McGraw Hill, 2003.