Details about blind signature on ed25519

Note that the article has errors. It says that "We use uppercase letters for points on a curve", yet uses lowercase $r$ instead of $R$ in $r=kG$. It uses the operator symbol ✕ both for scalar multiplication and for point addition, which is confusing. It also contains references to "mod p", which is a remnant of non-EC schemes which should not appear in EC point math.

You are right, after a better look i noticed such errors too. Do you know any better reference for blind signature on ed25519?

Is it essential for your use case that the signer is unable to recognize the signature later? It's easy to ask someone to sign something such that the signer isn't aware of the message. The more difficult part is making it impossible for the signer to recognize their signature later. What is your use case?

well, an anonymous cash system where i cant use zkstuff or rings. I can only verify that a ed25519 signature is valid. My idea is to build a three steps protocol where first users propose a "challenge" to be signed by a validator, the validatore sign every message and then user individually unblind the message to withfraw the funds

So yes, it would be nice to make it impossible to follow for the singer too. If this cant be done, the signer can just mix the signatures before publishjing them (but its not a good approach imo)

I've looked through the scheme in the article, and at first glance it looks good to me. Essentially, the signature challenge scalar is blinded by $b$, and the signer's commitment $R$ is blinded by $aG$. This makes it impossible for the signer to recognize their signature. $R$ should definitely not be re-used between signers. Hopefully someone here will have a reference to a security-audited paper that uses this technique, which is quite simple and elegant.

okay, then, can I make it public? can I prior publish n- r and then user will use such r in order?

$R$ is the public commitment of the signer's secret nonce $k$. Signers can't share the same $R$ value, because that would require them to all know the $k$ value, which is catastrophic. I think you can, however, publish a particular signer's $R$ value.

Im talking about this r=k×G(mod p). Can I precompute n-k and then publish all resulting r publicly for everyone?

I know, I'm calling it $R$ instead of $r$ because it's a point and not a scalar.

Okay so it can be done. then any user will pick his own R in order which has been published and will deploy their own e. So knowing R, e, and S its still impossible to track (R', s') signature to which user belong to

Just to be clear, only signers pick their own secret $k$ values, and therefore only signers publish their commitment values $R=kG$. The $e$ value is a challenge from the person asking the signer to blindly sign, and the signer should not choose it. And yes, if the signer already knows $R,e,s$ and they can't recognize their own signature, then neither can the public.

Let us [continue this discussion in chat](https://chat.stackexchange.com/rooms/140606/discussion-between-user10002393-and-knaccc).

Hey, thanks for pointing out the errors in the article. I've updated it accordingly. @knaccc can you spot any errors?

@StanislawBaranski it looks like you've addressed the issues. Btw, `mod p` still applies for scalar-only arithmetic - I just meant it should not appear on a line which has point operations, since you don't `mod p` a point. One other thing - when dealing with point coordinates, the x and y are mod q, where q is the dimension of the finite field, i.e. 2^255-19. The other number, p, is the group order, and is a different number that scalar-only operations are modded by. Random scalars are less than p, so that part of your article is correct as long as you don't say earlier that p = 2^255-19

@knaccc Thank you! Fixed again :) Added the line "For scalar-only operations, we also use modular arithmetic but over a different prime number (group order)" and the (mod L) for each scalar operation.

@StanislawBaranski one last thing, if you're calling the group order L, then the scalars should be integers less than L. Your article currently still says less than p

@knaccc ah, you're right, updated! Thank you very much :)

I sit in a Tesla and translated this thread with Ai: