Are Blind Signatures Fundamentally Different From Signatures of Hashed Values?

Question

I've been reading up on blind signatures and am trying to wrap my head around the concept - specifically in the context of anonymous blockchain transactions using vouchers. One particular issue I'm having with this is understanding what precisely a blind signature consists of. Do these differ from signatures of hashed values?

Would the following qualify as a blind signature:

1. Someone (A) hashes some data and signs it.

2. Hash sent to another party (B) who also signs it.

3. Data and hash and signatures are sent to yet another party (C) who can verify it all.

Or are they meant to mean that A creates data and blinds it, B signs the blinded data saying A created it and/or was authorized to do so, C receives blind signature and data without being able to relate it back to A - but by way of B can tell the data was created in a valid manner?

Is the objective just for C to never know who A is, but confirm that it was created in a valid manner via B?

Answer 1

The idea behind a blind signature is that party $\mathcal{A}$ has a message $m$ that they want party $\mathcal{B}$ to sign, but they do not want party $\mathcal{B}$ to learn the value of $m$. Using RSA, where $(e, N)$ is $\mathcal{B}$'s public key and $d$ is it's private key, this may look like:

1. $\mathcal{A}$ computes $x = m*r^e \mod N$, where $r$ is a randomly sampled value.
2. $\mathcal{B}$ signs $x$ i.e. $y = x^d \mod N$ and sends the signature to $\mathcal{A}$.
3. $\mathcal{A}$ computes $s \equiv y * r^{-1} \equiv (m * r^e)^d * r^{-1} \equiv m^d * r * r^{-1} \equiv m^d \mod N$, which is $\mathcal{B}$'s signature of $m$.

Note that $\mathcal{A}$ now has a signature from $\mathcal{B}$ on $m$, and $\mathcal{B}$ has no knowledge of $m$ since they cannot recover $m$ from $x$. _[1] Anyone can verify this signature using $\mathcal{B}$'s public key.

---

Note that this does not work with hashing, because hashing is one-way. If we say $x = H(m)$ then in step 3. we have no way of recovering the signature for the original value $m$.

_{[1]: as poncho points out, blind signatures have a stronger property than this, namely that if $\mathcal{B}$ signs messages for both $\mathcal{A}$ and $\mathcal{C}$, then given an unblinded message and signature pair $\mathcal{B}$ cannot determine who the signature was for}