
I was studying blind Schnorr signatures in this paper (PDF), which says that the signer sends a commitment

$$r=g^{k}\bmod p$$

which the user blinds with 2 random elements $a,b$ to get

$$r'=r\cdot g^{-a}\cdot y^{-b}\bmod p$$

What is the intuition behind this blinding step?

Why can't we use the normal Schnorr signature with Fiat-Shamir heuristic with the user supplying $e=H(m,r)$ to generate the challenge on his message?

pd176

1 Answer


A Schnorr signature is a challenge-response pair $(e, s)$, with the challenge computed as a hash of the message $m$ and the initial commitment $r$; the signature is verified by re-creating that commitment from the challenge and response only.

For a blind Schnorr signature, one keeps the verification equation while randomizing both challenge and response with $\beta, \alpha$ respectively; see page 368. The hash is calculated by the receiver of the signature; the signer computes his response having only the blinded challenge $e = H(m, r') + \beta$, without $\beta$ and $r'$, to enforce the blindness property. That is, having an $(e, r)$ pair verified, the signer cannot recognize it as any of his signatures sent to receivers.

If the receiver sent $e = H(m, r)$ unblinded to the signer, or let the signer calculate the hash himself, the signer would recognize the receiver later.

The only missing part is how to calculate $r'$ such that the verification equation holds for $(e, r)$ after blinding. This is best done yourself as homework.

Blind signatures are here to avoid recognition. That is, to have no algorithm that, having a signature and a database (records of signatures issued), would output who this signature was produced for. To achieve this, two challenge-response pairs were introduced, and the user is actually generating $e = H(m, r)$ himself. The connection between those pairs is the user's secret. If it were revealed, the blindness property would be lost.

Vadym Fedyukovych
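A toy run of the exchange discussed above, added here as an illustration; it is not code from the paper or from either poster. It assumes the key convention $y=g^{-x}$ with verification $r=g^{s}y^{e}$, uses the question's blinding $r'=r\cdot g^{-a}\cdot y^{-b}$, and the tiny group parameters and all function names are constructed for the example.

```python
import hashlib
import secrets

# Toy group constructed for this example (far too small for real use):
# p = 2q + 1, q prime, g = 4 generates the subgroup of prime order q.
P, Q, G = 2039, 1019, 4

def H(m: bytes, r: int) -> int:
    digest = hashlib.sha256(m + r.to_bytes(2, "big")).digest()
    return int.from_bytes(digest, "big") % Q

def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, Q - x, P)               # assumed key convention: y = g^-x

def verify(y, m, sig):
    e, s = sig                               # recreate commitment from (e, s) only
    return e == H(m, pow(G, s, P) * pow(y, e, P) % P)

class Signer:
    def __init__(self, x):
        self.x, self.log = x, []             # log: every (r, e, s) the signer saw
    def commit(self):
        self.k = secrets.randbelow(Q)
        self.r = pow(G, self.k, P)           # r = g^k mod p
        return self.r
    def respond(self, e):
        s = (self.k + self.x * e) % Q
        self.log.append((self.r, e, s))
        return s

def naive_sign(signer, m):
    e = H(m, signer.commit())                # user hashes over the signer's own r
    return e, signer.respond(e)

def blind_sign(signer, y, m):
    r = signer.commit()
    a, b = secrets.randbelow(Q), secrets.randbelow(Q)
    r_blind = r * pow(G, Q - a, P) * pow(y, Q - b, P) % P   # r' = r g^-a y^-b
    e_blind = H(m, r_blind)
    s = signer.respond((e_blind + b) % Q)    # signer sees only e = e' + b
    return e_blind, (s - a) % Q              # s' = s - a

def consistent_sessions(y, log, sig):
    """Log entries for which some (a, b) maps the transcript to the signature."""
    e_sig, s_sig = sig
    hits = []
    for i, (r, e, s) in enumerate(log):
        a, b = (s - s_sig) % Q, (e - e_sig) % Q
        r_blind = r * pow(G, Q - a, P) * pow(y, Q - b, P) % P
        if r_blind == pow(G, s_sig, P) * pow(y, e_sig, P) % P:
            hits.append(i)
    return hits
```

With `naive_sign` the published $(e, s)$ appears verbatim in `signer.log`, so the signer can look it up. With `blind_sign`, `consistent_sessions` returns every logged session for every signature, which is why the log gives the signer nothing to tell them apart.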