Blinding ECDSA

Like it or not, ECDSA is the King of the Hill when it comes to Bitcoin and Ethereum, and is the core of its trust infrastructure. While it is not quite as scalable as methods such as EdDSA, it is possible to implement a range of privacy-preserving methods with a little bit of modification in the creation of the signature. Before we start, let’s have a quick look at how ECDSA works.

Basics of ECDSA

Overall, with an ECDSA signature, Alice signs the hash of a message (h(M)) with her private key (sk), and Bob checks it with her public key (Pk). With ECDA, Alice produces a private key (sk) and a public key (Pk):

We then take a hash of a message:

Alice then creates a random value of k, and produces:

and where r is the x coordinate value of k.G (mod n). The s value is then:

When Bob checks the signature, he computes:

and:

Bob then computes a point at:

If the value of x co-ordinate of Z is equal to r, the signature checks out. In this case, n is the order of the curve.

Blinded ECDSA

With a blinded signature, Bob can sign for a message, without knowing what the message is. In this case, Alice will create a blinded ECDSA signature, and where Bob can then…