Definition
A blinded (or blind) signature is a cryptographic construction, introduced by David Chaum in 1982, in which a signer authenticates a message whose contents have been disguised, or "blinded," by the requester. The signer applies their secret key without ever seeing the underlying data; the requester then removes the blinding to obtain a valid signature on the original message. Crucially, the signer cannot later connect that finished signature to the specific request that produced it. This simple property — authentication without knowledge — is the foundation of private digital cash.
Blind, sign, unblind
The classic flow has three steps. First, the requester combines the message with a secret random "blinding factor" and sends the disguised result to the signer. Second, the signer signs the blinded value with their private key and returns it, learning nothing about the message underneath. Third, the requester strips out the blinding factor, leaving an ordinary signature that verifies against the signer's public key exactly as if it had been produced normally. Chaum's original scheme used the mathematical structure of RSA, where blinding is a multiplication the signer cannot detect and unblinding is the corresponding division. The same idea has since been carried to elliptic-curve settings: modern ecash implementations use a blind Diffie-Hellman key exchange, where the mint signs a blinded curve point rather than an RSA value.
The envelope analogy
The standard mental model is a carbon-paper envelope. You seal your message inside an envelope lined with carbon paper and hand it to a notary. The notary signs the outside of the envelope; the carbon paper transfers the signature onto the message within. When you open the envelope, you hold a genuinely signed document — yet the notary never read a word of it, and if shown the document later, cannot say which envelope it came from among all the ones they signed that day.
Why it matters for Bitcoin
Blinded signatures are the engine of Chaumian ecash. A mint signs token secrets blindly, guaranteeing two properties at once: unforgeability, because only the mint holds the signing key and can mint valid tokens, and untraceability, because the mint cannot tell which token it signed or who holds it now. When a token is later redeemed, the mint can verify its own signature and check the token has not been double-spent — but it cannot link the redemption back to the original issuance. Even if a mint and a merchant collude, they cannot reconstruct who spent a given note. This is a fundamentally stronger privacy guarantee than pseudonymity: the linkage never exists, so there is nothing to subpoena, leak, or analyze.
Where you meet it in the sovereign stack
It is worth placing blinded signatures within Bitcoin's broader privacy toolkit. On-chain techniques such as CoinJoin obscure linkages between transactions that are all publicly visible; blinded signatures instead prevent the linkage from ever being recorded, but only within a custodial mint. The two operate at different layers with different trust assumptions, and serious privacy practice composes them: on-chain hygiene for the coins you hold, ecash for the sats you spend in small amounts. Neither replaces the other, and understanding the blind-signature primitive is what lets you evaluate exactly which promises each layer can and cannot keep.
This primitive underpins both single-operator Cashu mints and federated Fedimint guardians, the two leading ecash systems in the Bitcoin ecosystem. Both are custodial — the mint holds the bitcoin backing the tokens — but blinded signatures ensure the custodian is blind to your balance and your spending graph. For a Bitcoiner practicing self-custody for savings, ecash offers a complementary tool for small, private, instant payments, with the blind signature doing the privacy work. The trade-off is trust in the mint's solvency, never in its discretion: the mathematics guarantees the mint cannot spy on you even if it wants to. That separation of powers — custody without surveillance — is what makes Chaum's 1982 idea foundational reading for anyone studying private digital money.
In Simple Terms
A blinded (or blind) signature is a cryptographic construction, introduced by David Chaum in 1982, in which a signer authenticates a message whose contents have…
