Two faces of blindness

Blind signatures are a decades-old privacy enhancing technology. It is not always clearly understood that blind signatures actually possess two separate properties: the intuitive understanding that the message to be signed is hidden from the signer, and the fact that the resulting signature is unlinkable (meaning that the signer cannot later tell in which session it created a particular signature). The question is: how exactly should these properties be defined, and can they be defined in a natural way such that they are mutually independent yet together imply blindness? In this paper we study this question, present formal definitions for message indistinguishability and signature unlinkability (and a few more related ones), and study their relationships. We show that these two properties are indeed mutually independent. Unfortunately their union is not equivalent to blindness in what appear to be only pathological cases.


Introduction
David Chaum introduced blind signatures almost four decades ago [6], as the fundamental building block to implement a form of untraceable digital cash. His proposal was to represent each digital coin as a unique serial number blindly signed by the issuing bank. The unique serial number embedded in the coin would prevent double spending, while the blind signature over the coin would guarantee both untraceability (since the bank does not know which coin it signed) and unforgeability (since only the bank can sign coins in the first place). Chaum explained blind signatures intuitively by showing how a blind signature could be implemented in a traditional, non-digital setting using carbon paper inside paper envelopes. To obtain a blind signature on a secret message, a user sends the message inside a sealed envelope to the signer, with the inside of the envelope covered with carbon paper. If the signer signs the envelope from the outside, the carbon paper transfers this signature to the secret message inside the envelope. When the signer returns the still sealed envelope (proving it did not see the message), all the user needs to do is open the envelope to obtain the blindly signed message.
This intuitive explanation clearly shows that the message stays hidden from the signer. But this by itself is not enough to prevent a bank from tracing a digital coin signed this way, even if it prevents the bank from learning its serial number. In fact, if the bank signs each envelope in a slightly different way, and remembers which way of signing it used to sign each envelope, it can link actual signatures on messages to the particular envelope on which it put the exact same signature. In other words, in order to guarantee all the desired security and privacy properties, blind signatures need to guarantee the following two separate properties.
"Hiding the message": the message to be signed is hidden from the signer.
"Signature unlinkability": given a final blind signature on a message, the signer cannot determine when it generated that particular signature.
Perhaps due to Chaum's metaphor, blind signatures have always informally been explained as signatures where the message to be signed is hidden from the signer. But as the above example shows, blind signatures need to guarantee two separate faces of blindness. The question is: how exactly should these properties be defined, and can they be defined in a natural way such that they are mutually independent yet together imply blindness? Although signing messages without knowing their contents is a desirable feature in the particular case of digital coins, in general it is irresponsible: who would sign a contract without knowing its terms? Therefore, in many applications partially blind signatures, where the signer may need to know (at least part of) the message before signing it, do serve an important purpose. Such partially blind signatures were introduced by Abe and Fujisaki [1], and have applications in scenarios where a user wants to prove that a certain condition has been met, without revealing when or where that condition was met. Blind signatures can for example be used to issue a unique and unforgeable token or receipt whenever a user has performed a certain action (like paying a bill, visiting a checkpoint, entering or leaving a certain location, completing some task, or satisfying any other predetermined requirement). This token can later be used to prove that this particular action was performed or requirement was satisfied. This approach has been used, for example, to construct a privacy friendly form of ticketing for public transport [7]. Blind signatures have also been used to implement attribute based credentials [4,5,8].
In this paper we explore the different faces of blindness in depth, in the more general setting of partially blind signatures. We note that our results also apply to normal blind signatures, as such signatures are equivalent to partially blind signatures where the public message equals the empty string. In a way this paper is a dual to the paper of Schröder and Unruh [15] that reexamines the definition of security of blind signature schemes, discovering that the messages and their resulting signatures have some independent influence on the overall security of the scheme. We first define partially blind signatures and their completeness and unforgeability properties in Sect. 2. We then study the two faces of blindness (message indistinguishability and signature unlinkability) and their relationships in Sect. 3. This section also discusses message hiding, and why message indistinguishability is the more appropriate notion to study in this context. We show that message indistinguishability and signature unlinkability are both implied by a partially blind signature scheme, but that they are indeed two separate notions (in the sense that there are signature schemes that satisfy one of the two requirements, but not both). Unfortunately, in pathological cases the union of these two properties does not imply blindness. We summarise and discuss our results in Fig. 1 and Sect. 4. Figure 1 is also useful as a 'cheat-sheet' to keep track of the different properties defined throughout the paper.

Completeness and unforgeability
We start with the basics: the definition of completeness and unforgeability of (partially blind) signatures. We follow the framework for defining blind signatures provided by Juels et al. [10], generalised and refined for partially blind signatures by Abe and Okamoto [2,12,13]. In this setting a (partially blind) signature scheme is defined as follows (where λ is the security parameter of the scheme).
Definition 2.1 A (partially blind) signature scheme consists of four probabilistic polynomial-time algorithms G, S, U, V.
• G takes security parameter 1^λ as input, and returns a secret key sk (to be given to the signer only) and a corresponding public key PK (known to all parties in the system).
• S and U are interactive algorithms. Signer S has private input sk and public input the public message m̄ (with length polynomial in the security parameter λ), while user U has private input the message m (also with length polynomial in the security parameter λ) and public input PK and m̄. S and U interact with each other over a public communication channel. After the interaction, S outputs either success or fail, and U outputs either a signature σ or ⊥. U's output is private; S's output is public.
• V takes as input a public key PK, a public message m̄, a message m and a signature σ, and outputs either accept or reject. This verification can be performed by any party.
We write out_S ← S(sk, m̄) ⇔ U(PK, m̄, m) → out_U for an interaction between a signer and a user with the specified inputs, with out_S the output of the signer and out_U the output of the user. We return to this somewhat peculiar definition of completeness (which subsumes correctness) in the next section. We now define the unforgeability property.
Definition 2.3 (Unforgeability) Consider the following game between an adversarial user U* and the honest signer S.
1. Run G(1^λ) to generate sk and PK. Give sk, PK to S and PK to U*.
2. Let U* engage in polynomially (in λ) many adaptive, parallel and arbitrarily interleaved interactions with polynomially many copies of the signer S (knowing sk). Let j be the number of such interactions that return success for the signer.
Adversary U* wins this game whenever k > j. The signature scheme is unforgeable when every possible adversary U* wins this game with at most negligible probability (i.e., probability 2^{-λ}), where this probability is computed over the private coin-flips of G, U*, V and all signers S.

The two faces of blindness
Given the above definitions of a complete and unforgeable signature scheme, we are now ready to study the two different faces of blindness of such schemes.
We start with the definition of blindness itself. After that we study message indistinguishability in Sect. 3.2. This notion is somewhat stronger than message hiding (discussed in Sect. 3.3). We finish with the definition of signature unlinkability in Sect. 3.4. It turns out that it is more appropriate to focus on message indistinguishability rather than message hiding, because the latter notion is actually implied by signature unlinkability. Throughout this section we establish relationships between the different notions we define.

Blindness
The following definition of partial blindness is due to Abe and Okamoto [2,13]; it extends the original definition of blind signatures from Juels et al. [10] by allowing part of the message to be signed to be public.
Definition 3.1 (Blindness) Consider a signature scheme G, S, U, V and the following game between an adversarial signer S* and two honest users U_0 and U_1, mediated by a challenger.
1. Run G(1^λ) to generate sk and PK. Give sk, PK to S*.
2. Adversary S* outputs PK, two private messages m_0, m_1, and a public message m̄, and gives them to the challenger.
3. The challenger randomly selects b ∈ {0, 1} and sets b̄ = 1 − b. It sets up user U_0 with input (PK, m̄, m_b) and user U_1 with input (PK, m̄, m_b̄).
4. S* is given oracle access to each of these users to engage in the blind signature protocol with each of them, mediated by the challenger.
5. Let σ_b be the result returned by U_0 and σ_b̄ be the result returned by U_1. If both signatures are valid, the challenger gives (σ_0, σ_1) to S*, in that fixed order. Give ⊥ to S* otherwise.
6. S* outputs b' ∈ {0, 1}.
Adversary S* wins this game whenever b' = b. The signature scheme is blind when every possible adversary S* wins this game with at most negligible advantage (i.e., probability 1/2 ± 2^{-λ}), where the probability is computed over the coin-flips of S* and the private coin-flips of U_0 and U_1.
Note that in this definition, as well as the ones that follow, we assume that the adversarial signer knows which of the users (U 0 or U 1 ) it is interacting with during the protocol.
The above definition is taken from [13], which differs in one significant aspect from [12] (the published conference version that precedes the full paper [13]) as follows.
Step 5 in the game above originally read:
5'. Let σ_b be the result returned by U_0 and σ_b̄ be the result returned by U_1. If both signatures are valid, the challenger gives (m̄, m_b, σ_b) and (m̄, m_b̄, σ_b̄) to S* in arbitrary order. If only one of the signatures is valid, the challenger gives that signature and the corresponding message to S*. Give ⊥ to S* otherwise.
In other words: the original game allows that even if only one of the signatures is valid, the challenger gives that signature and the corresponding message to S * . This leaves a blind signature scheme open to the following generic attack.
1. Adversary S* outputs PK and two private messages m_0, m_1, and public message m̄, and gives them to the challenger.
2. The challenger randomly selects b ∈ {0, 1} and sets b̄ = 1 − b. It sets up user U_0 with input (PK, m̄, m_b) and user U_1 with input (PK, m̄, m_b̄).
3. S* engages in the blind signature protocol, but only with U_0. It aborts its interaction with U_1, which therefore returns ⊥. (Note: U_1 could also return a random value, but definitely not a valid signature, as this requires the cooperation of S*, so this is easily detected in the next step.)
4. Let σ_b be the result returned by U_0. As the other signature equals ⊥, the challenger gives (m_b, σ_b) to S* as its challenge.
5. This is no game for S*: using its knowledge of m_0 and m_1 it immediately sees which of the two was given to U_0 to sign. S* outputs b' ∈ {0, 1} and wins.
Clearly this is not desirable, which probably explains why the definition is amended in the full paper.

Message indistinguishability
We now turn our attention to the message indistinguishability property, stating that the adversary cannot distinguish which of two known messages it is actually asked to sign by a user.

Definition 3.2 (Message indistinguishability)
Let G, S, U, V be a signature scheme and consider the following game between an adversarial signer S* and an honest user U, mediated by a challenger.
1. Run G(1^λ) to generate sk and PK. Give sk, PK to S*.
2. Adversary S* outputs PK and two private messages m_0, m_1, and public message m̄, and gives them to the challenger.
3. The challenger randomly selects b ∈ {0, 1}. It sets up user U with input PK, m̄, m_b.
4. S* is given oracle access to the user to engage in the blind signature protocol with it, mediated by the challenger.
5. Let σ be the result returned by U. This is hidden from S*.
6. S* outputs b' ∈ {0, 1}.
Adversary S* wins this game whenever b' = b. The signature scheme is message indistinguishable when every possible adversary S* wins this game with at most negligible advantage (i.e., probability 1/2 ± 2^{-λ}), where the probability is computed over the coin-flips of S* and the private coin-flips of U.
We first offer an example of a signature scheme that is message indistinguishable, as this is useful in the proofs that follow. This signature scheme requires a semantically secure encryption scheme {·}_k that satisfies the following property.

Property 3.1 Given c, m and k such that c = {m}_k, the probability of finding m' ≠ m and a potentially different key k_x such that c = {m'}_{k_x} is negligible.
One might think that an authenticated encryption scheme perhaps fits the bill [3]. Unfortunately this is in general not the case. Luckily, a special mode of authenticated encryption called CCM (which combines CTR encryption with a CBC-MAC using the same key k) satisfies this property. CCM is a stream cipher that roughly works as follows (see [9] for details).
• Let E_k() be a pseudo-random function (it could be a block cipher or a hash function keyed by k).
• Let m be a message whose length is a multiple of the block length of this underlying block cipher, and write m as a sequence of z blocks.
• Compute the tag t = T_k(m) as the CBC-MAC of m under k. Again (for simplicity) tags are assumed to be exactly as long as a single block.
• Compute the key stream blocks A_i by encrypting a counter i with k, i.e., A_i = E_k(i). The ciphertext consists of the message blocks xor-ed with A_0, . . . , A_{z−1}, followed by the tag xor-ed with A_z, which gives the final ciphertext block c_z.
CCM is known to be semantically secure [9]. We show that it also satisfies Property 3.1.

Lemma 3.1
Let {m} k be the CCM authenticated encryption scheme described above. Such a scheme satisfies property 3.1.
Proof If we focus on the tag part, then to break the property we need to find m' ≠ m and k_x such that the encrypted tag block matches, i.e., c_z = T_{k_x}(m') ⊕ E_{k_x}(z). In this equation c_z and z are fixed. The adversary is free to choose k_x, but this fixes m' as well, as it needs to match c when xor-ed with (A_0 . . . A_{z−1}). If we model the pseudo-random function E_k() as a random oracle [11], it is extremely unlikely that these constraints can be met: for every possible choice of k_x there is exactly one value of E_{k_x}(z) that satisfies the equation, which the random oracle returns only with negligible probability.

Construction 3.1 (Message indistinguishable signature scheme) Let G, S, U, V be any ordinary unforgeable and complete signature scheme (where U submits the message m to be signed in plaintext to S; we are abusing notation somewhat). Let {m}_{k_U} be the CCM authenticated encryption scheme discussed above.
Define the message indistinguishable signature scheme
Proof The construction matches the (syntactic) constraints of Definition 2.1, and it is easily seen to be complete as defined in 2.2.
We rely on Property 3.1 to prove unforgeability (Definition 2.3). If the blind signature scheme were forgeable, a user U* would be able to return k signatures σ_1, . . . , σ_k on messages m_i for i ∈ {1, . . . , k}, when given only j < k such message/signature pairs. By definition, the underlying standard signature scheme is not forgeable. By the pigeonhole principle there should then be two signatures σ_i = (σ'_i, k_i) and σ_j = (σ'_j, k_j) such that σ'_i and σ'_j are signatures over the equal strings c_i‖m̄_i and c_j‖m̄_j. Then m_i ≠ m_j while c_i = c_j, which by assumption contradicts Property 3.1.
Because the encryption scheme is semantically secure, this signature scheme is message indistinguishable according to Definition 3.2.
We first show that blindness implies message indistinguishability.
Proof Intuitively the argument runs as follows. Because the signer knows that b selects which message user U_0 will offer for signing, if the signature scheme were not message indistinguishable, the signer could trivially guess b correctly (even when not given m_b). The formal proof requires a bit more work.
Suppose not. So there is an adversarial signer S * for the game defined in Definition 3.2. We turn it into an adversarial signer S * * for the game defined in Definition 3.1 as follows.
1. S** starts S*, which returns PK and two private messages m_0, m_1, and public message m̄.
2. S** forwards these to the challenger from Definition 3.1.
3. Let this challenger randomly select b ∈ {0, 1}, set b̄ = 1 − b, giving user U_0 the input (PK, m̄, m_b) and user U_1 the input (PK, m̄, m_b̄).
4. Set up both users to be ready to engage with S** in the blind signature protocol (according to the game defined in 3.1).
5. S** is merely a mediator now, relaying messages between the users and S*. It actually runs the interactive blind signing protocol only between user U_0 and S*. (It aborts the other instance.) Observe how this corresponds to the challenge that S* is supposed to get according to Definition 3.2.
6. Let σ_b be the result returned by U_0. (The other user returns ⊥.)
7. Because one of the signatures fails to be created, according to the blindness game of Definition 3.1 the challenger gives ⊥ to S**, which simply discards it.
8. S* outputs b' ∈ {0, 1}, which S** forwards as its own output for this challenge.
The output b' of S* corresponds to the challenge (U_0, PK, m̄, m_b). If b' = b, then by construction b' is also the correct response to the challenge given to S**. This shows that the advantage of S** is the same as that of S*, i.e., non-negligible, contradicting the premise of the theorem.
The converse does not hold however: there are message indistinguishable signature schemes that are not blind, as the following theorem demonstrates. This shows that message indistinguishability is a strictly weaker notion.
Proof Consider the signature scheme from Construction 3.1. This is message indistinguishable according to Lemma 3.2.
Clearly this signature scheme is not really blind: a malicious signer can record for each run the signature σ' it generated. It can then always win the game in Definition 3.1: it knows the σ'_b it created while interacting with U_0, which it can match against the pair (σ_0, σ_1) it receives as the challenge. We conclude that message indistinguishability does not imply blindness, and thus the theorem follows.
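As an added example (not code from the paper), the following Python sketch follows the description of CCM given above and the proof text of Construction 3.1: a keyed pseudo-random function E_k (assumed here to be HMAC-SHA256 truncated to one block, standing in for a block cipher), CTR encryption of the message blocks plus the CBC-MAC tag, a user that encrypts m under a fresh k_U and hands the signer only c, a signer that signs c‖m̄ with an ordinary scheme (assumed to be textbook RSA with fixed small primes, a toy), and the final signature (σ', k_U). It then plays the blindness game of Definition 3.1 against a signer that records the σ' it issued, the attack from the proof of Theorem 3.2, and shows that the signer's only view of m, the ciphertext c, does not open under any other key.

```python
import hashlib
import hmac
import os

BLOCK = 16  # block length in bytes; a tag is exactly one block long, as in the text


def prf(key: bytes, block: bytes) -> bytes:
    """E_k(): the keyed pseudo-random function of the text.
    Assumption: HMAC-SHA256 truncated to one block stands in for a block cipher."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def cbc_mac(key: bytes, msg: bytes) -> bytes:
    """T_k(m): CBC-MAC over a block-aligned message, one block of tag."""
    state = bytes(BLOCK)
    for i in range(0, len(msg), BLOCK):
        state = prf(key, xor(state, msg[i:i + BLOCK]))
    return state


def keystream_block(key: bytes, i: int) -> bytes:
    """A_i: the key stream block obtained by encrypting counter i under k."""
    return prf(key, i.to_bytes(BLOCK, "big"))


def ccm_encrypt(key: bytes, msg: bytes) -> bytes:
    """{m}_k: the z message blocks are xor-ed with A_0 .. A_{z-1}, the tag
    T_k(m) with A_z; the encrypted tag is the last ciphertext block c_z."""
    if len(msg) % BLOCK:
        raise ValueError("message length must be a multiple of the block length")
    data = msg + cbc_mac(key, msg)
    return b"".join(xor(data[i:i + BLOCK], keystream_block(key, i // BLOCK))
                    for i in range(0, len(data), BLOCK))


def ccm_decrypt(key: bytes, c: bytes):
    """Inverse of ccm_encrypt: the message, or None when the tag check fails
    (as it does under any key other than the one used for encryption)."""
    data = b"".join(xor(c[i:i + BLOCK], keystream_block(key, i // BLOCK))
                    for i in range(0, len(c), BLOCK))
    msg, tag = data[:-BLOCK], data[-BLOCK:]
    return msg if hmac.compare_digest(tag, cbc_mac(key, msg)) else None


def rsa_keygen():
    """G of the ordinary scheme: textbook RSA with fixed small primes (toy, not secure)."""
    p, q, e = 1000003, 1000033, 65537
    return (p * q, e), pow(e, -1, (p - 1) * (q - 1))


def hash_mod(n: int, data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def rsa_sign(d: int, n: int, data: bytes) -> int:
    return pow(hash_mod(n, data), d, n)


def rsa_verify(pk, data: bytes, sig: int) -> bool:
    n, e = pk
    return pow(sig, e, n) == hash_mod(n, data)


def user_blind(m: bytes):
    """U: choose a fresh k_U and hand the signer only c = {m}_{k_U}."""
    k_u = os.urandom(16)
    return ccm_encrypt(k_u, m), k_u


def signer_sign(d: int, n: int, m_pub: bytes, c: bytes) -> int:
    """S: an ordinary signature sigma' over c || m_pub (the string c_i m_i of the proof)."""
    return rsa_sign(d, n, c + m_pub)


def verify(pk, m_pub: bytes, m: bytes, sigma) -> bool:
    """V: the final signature is (sigma', k_U); recompute c from m and k_U."""
    sig_prime, k_u = sigma
    return rsa_verify(pk, ccm_encrypt(k_u, m) + m_pub, sig_prime)


def run_blindness_game(b: int) -> dict:
    """Definition 3.1 played against a signer that records the sigma' it issued
    in its session with U_0 (the attack of Theorem 3.2)."""
    pk, d = rsa_keygen()
    n = pk[0]
    m_pub = b"public part"
    msgs = [b"coin serial 0001", b"coin serial 0002"]   # constructed 16-byte messages
    final, recorded, seen = {}, {}, {}
    for user, m in ((0, msgs[b]), (1, msgs[1 - b])):   # U_0 signs m_b, U_1 signs m_bbar
        c, k_u = user_blind(m)
        seen[user] = c                                  # all the signer learns about m
        recorded[user] = signer_sign(d, n, m_pub, c)
        final[user] = (recorded[user], k_u)
    pair = [None, None]
    pair[b], pair[1 - b] = final[0], final[1]          # the challenge (sigma_0, sigma_1)
    guess = next(i for i, (s, _) in enumerate(pair) if s == recorded[0])
    return {
        "valid": all(verify(pk, m_pub, msgs[(b + u) % 2], final[u]) for u in (0, 1)),
        "signer_guess": guess,                          # equals b: the scheme is not blind
        "opens_with_wrong_key": ccm_decrypt(bytes(16), seen[0]) is not None,
    }
```

The signer's guess always equals b because the ordinary signature σ' it produced is carried verbatim inside the final signature; the ciphertext it saw, on the other hand, reveals nothing about m without k_U, which is the message indistinguishability the construction was built for.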

Message hiding
Message indistinguishability is a very strong property (it is in fact very similar to semantic security definitions for encryption schemes [11]), but perhaps this property is somewhat counter-intuitive and perhaps even stronger than needed for the typical scenario where blind signatures are used: there we typically want to prevent the signer from learning a random message (think of a random sequence number) someone else submits for signing. This notion is captured in the following definition of message hiding.
Definition 3.3 (Strong message hiding) Consider the following game between an adversarial signer S* and an honest user U, mediated by a challenger.
1. Run G(1^λ) to generate sk and PK. Give sk, PK to S*.
2. Adversary S* outputs PK and public message m̄, and gives them to the challenger.
3. The challenger randomly selects a private message m ∈ {0, 1}^λ, and sets up an instance of a user U with input PK, m̄, m.
4. S* is given oracle access to user U to engage in the blind signature protocol with it, mediated by the challenger.
5. Let σ be the signature returned by U. The challenger gives σ to S*.
6. S* outputs m' ∈ {0, 1}^λ.
Adversary S* wins this game whenever m' = m.
The signature scheme is message hiding when every possible adversary S* wins this game with at most negligible probability (i.e., probability at most 2^{-λ}), where the probability is computed over the coin-flips of S* and the private coin-flips of U.
Blind signature schemes that only offer message hiding are for instance used in the Idemix attribute based credential system to hide the master secret m_1 from the credential issuer [8]. A trivial implementation of such a blind signature scheme in the random oracle model is one where the message m to be signed is first hashed using a cryptographic hash function h, after which the resulting hash h(m) is sent to the signer to be signed with an arbitrary traditional (non-blind) signature scheme. This shows that message hiding is a strictly weaker notion than (general) blindness. But does message indistinguishability imply message hiding, or the other way around? In fact not, when we define message hiding as above.
Proof Consider the basic message hiding signature scheme above. Let h be a hash function modelled as a random oracle. This guarantees that no adversary is able to recover m given h(m).
Let the signer use an ordinary signature scheme with signing key k_S and verification key K_S to compute the signature σ on a string s as [s]_{k_S}. A message hiding signature scheme is one where the user, wishing to obtain a signature on a public message m̄ and a private message m, computes m̄‖h(m) and sends this to the signer to sign. The signature then equals [m̄‖h(m)]_{k_S}. To verify such a signature, the verifier is given m̄ and m, computes m̄‖h(m) and checks the signature σ using the underlying traditional signature verification function.
The construction matches the (syntactic) constraints of Definition 2.1, and it is easily seen to be complete as defined in 2.2.
The construction is also (strongly) message hiding according to Definition 3.3. Suppose the challenger returns a signature σ after the query phase. If the adversary is able to successfully guess m' such that σ = [m̄‖h(m')]_{k_S}, then this essentially means the adversary was able to compute m' = m while observing only the hash h(m) sent during the signing process. This is contrary to the assumption on h.
The thus constructed signature scheme is clearly not message indistinguishable according to

Theorem 3.4 Consider a signature scheme G, S, U, V that is message indistinguishable according to Definition 3.2. This does not imply that it is message hiding according to Definition 3.3.
Proof Consider the message indistinguishable signature scheme from Construction 3.1. Suppose we tweak it a bit such that the signature returned by the user equals σ = (σ', k_U, m̄, m). This tweak does not affect message indistinguishability, for in that game σ is not given to the adversary as part of the challenge. However, in the message hiding game as defined in Definition 3.3 the adversary does get σ, and thus trivially wins that game. The result follows.
So message indistinguishability and strong message hiding are incomparable notions. However, a weaker notion of message hiding (that does not give the adversary access to the generated signatures) does follow from message indistinguishability. For that we have to weaken the definition a bit by not giving the adversarial signer the set of final signatures obtained by the user(s). The formal definition is as follows.

Definition 3.4 (Message hiding)
Let G, S, U, V be a signature scheme and consider the following game between an adversarial signer S* and an honest user U, mediated by a challenger.
1. Run G(1^λ) to generate sk and PK. Give sk, PK to S*.
2. Adversary S* outputs PK and public message m̄, and gives them to the challenger.
3. The challenger randomly selects a private message m ∈ {0, 1}^λ, and sets up an instance of a user U with input PK, m̄, m.
4. S* is given oracle access to user U to engage in the blind signature protocol with it, mediated by the challenger.
5. Let σ be the signature returned by U. σ is hidden from S*.
6. S* outputs m' ∈ {0, 1}^λ.
Adversary S* wins this game whenever m' = m.
The signature scheme is message hiding when every possible adversary S* wins this game with at most negligible probability (i.e., probability at most 2^{-λ}), where the probability is computed over the coin-flips of S* and the private coin-flips of U.
Proof Suppose not. So there is an adversarial signer S* for the game defined in Definition 3.4. We turn it into an adversarial signer S** for the game defined in Definition 3.2 as follows.
1. S** starts S*, which returns PK and m̄.
2. S** essentially operates as the challenger for S*, using whatever it learns in the process to solve its own challenge.
3. S** does the following. It generates two fresh private messages m_0, m_1, and forwards these together with the public message m̄ and the PK it received from S* to its own challenger in Definition 3.2. This challenger sets up a user with input PK, m̄, m_b (depending on its hidden coin flip b), to which S** is given oracle access to engage in the blind signature protocol. S** forwards this oracle access to S*.
4. After S* has finished interacting with its oracles, it outputs a guess m' (to S**). When m' = m_b as in step 3 for some b ∈ {0, 1}, S** returns b; otherwise it returns a random bit.
If S* guesses m correctly, then m' = m_b, the message given to user U as part of S**'s challenge in step 3. The probability that this happens is non-negligible. We conclude that the advantage of S** in guessing b is also non-negligible.

Signature unlinkability
We now turn to the definition of signature unlinkability. The challenge is to define it in such a way that it does not immediately imply the message indistinguishability property (and thus would be almost equivalent to the general blindness property). We solve this by letting the challenger generate the messages to be signed and giving the signer only the resulting signatures in random order.
Definition 3.5 (Signature unlinkability) Consider a signature scheme G, S, U, V and the following game between an adversarial signer S* and two honest users U_0 and U_1.
1. Run G(1^λ) to generate sk and PK. Give sk, PK to S*.
2. Adversary S* outputs PK and a public message m̄, and gives them to the challenger.
3. The challenger generates two messages m_0, m_1 and sets up user U_0 with input (PK, m̄, m_0) and user U_1 with input (PK, m̄, m_1).
4. S* is given oracle access to both users to engage in the blind signature protocol with both of them, mediated by the challenger.
5. Let σ_0 be the result returned by U_0 and σ_1 be the result returned by U_1.
6. If any of the signatures is invalid, the challenger gives ⊥ to S*. Otherwise the challenger randomly selects b ∈ {0, 1} and sets b̄ = 1 − b. The challenger gives σ_b and σ_b̄ to S* in that order.
7. S* outputs b' ∈ {0, 1}.
Adversary S* wins this game whenever b' = b. The signature scheme is signature unlinkable when every possible adversary S* wins this game with at most negligible advantage (i.e., probability 1/2 ± 2^{-λ}), where the probability is computed over the coin-flips of S* and the private coin-flips of U_0 and U_1.
We note that Chaum's untraceable payment scheme [6] uses a blind signature scheme that is strongly message hiding and is signature unlinkable as well.
The following signature unlinkable signature scheme (Construction 3.2, a slight modification of Chaum's blind signature scheme) is useful in the proofs of some of the following theorems. We omit the public message m̄ for simplicity. The careful observer will have noted that this is essentially Chaum's blind signature protocol with the blinding factor r derived from m (making it no longer blind, as we shall see shortly), while m cannot be recovered from the signature because it is hidden using h_2.

Lemma 3.3 The signature scheme from Construction 3.2 is signature unlinkable according to Definition 3.5.
Proof The construction matches the (syntactic) constraints of Definition 2.1 (disregarding the public message m̄), and it is easily seen to be complete as defined in 2.2, using the fact that (r^e)^d mod n = r in RSA, so that the result σ = h_2(m)^d mod n is a traditional RSA signature over h_2(m). This signature scheme is signature unlinkable. As in the game defined in Definition 3.5 the challenger generates m_0 and m_1, the adversarial signer S* does not know them. By playing the game S* learns:
• the blinded message m̄_0 = h_2(m_0) r_0^e mod n (and that it is computed by U_0),
• the blinded message m̄_1 = h_2(m_1) r_1^e mod n (and that it is computed by U_1),
• σ_0 = h_2(m_0)^d mod n and σ_1 = h_2(m_1)^d mod n, given in the order defined by a random bit b.
S * needs to guess b based on this information (and its knowledge of the public key (n, e)).
As h_1 and h_2 are random oracles, the value S* learns for m̄_0 could just as well correspond to h_2(m_1) r_1^e mod n (and vice versa). So the information it relies on to decide on the value of b could equally be used to argue for the opposite value.
We first show that blindness implies signature unlinkability.
Theorem 3.6 Consider a signature scheme G, S, U, V that is blind according to Definition 3.1. Then it is signature unlinkable according to Definition 3.5.
Proof Suppose not. So there is an adversarial signer S * for the game defined in Definition 3.5. We turn it into an adversarial signer S * * for the game defined in Definition 3.1 as follows.
1. S** starts S*, which returns PK and m̄.
2. S** generates two distinct messages m_0, m_1 and sends them to the challenger along with PK and m̄.
3. The challenger randomly selects b ∈ {0, 1} and sets b̄ = 1 − b. It sets up user U_0 with input (PK, m̄, m_b) and user U_1 with input (PK, m̄, m_b̄).
4. S** engages in the blind signature protocol with both users, mediated by the challenger. It does so by relaying all messages to and from S*.
5. Let σ_b be the result returned by U_0 and σ_b̄ be the result returned by U_1. If both signatures are valid, then the challenger gives (σ_0, σ_1) to S** in that order, by definition. Otherwise it returns ⊥ to S**.
6. S** forwards σ_0 and σ_1 in that order to S* as the challenge.
7. S* outputs b' ∈ {0, 1}, which S** forwards as its own output for this challenge.
We observe that if S* outputs b', it believes that the first signature (σ_0, corresponding to m_0) given as a challenge was generated while interacting with user U_{b'}. This is the case if b' equals the b generated by the challenger for the game defined in Definition 3.1. This means that b' is also the correct response to the challenge given to S**. This shows that the advantage of S** is the same as that of S*, i.e., non-negligible, contradicting the premise of the theorem.
The signature scheme from Construction 3.2 allows us to prove that the converse does not hold: there are signature unlinkable signature schemes that are not blind, as the following theorem demonstrates. This shows that signature unlinkability (like message indistinguishability) is also a strictly weaker notion.
Theorem 3.7 Consider a signature scheme G, S, U, V that is signature unlinkable according to Definition 3.5. This does not imply that it is blind according to Definition 3.1.
Proof Consider the signature scheme from Construction 3.2, which is signature unlinkable according to Lemma 3.3. This scheme is clearly not blind: using its knowledge of m_0 (which the adversary chooses according to Definition 3.1), the adversarial signer S* can compute r_0 = h_1(m_0) and hence the blinded message m̄_0 = h_2(m_0) r_0^e mod n that either user U_0 or user U_1 will submit for signing. This allows S* to tell which of the two users was given m_0 as input by the challenger, and therefore allows S* to correctly guess b.
A very similar proof can be used to prove the following theorem.

Theorem 3.8 Consider a signature scheme $(G, S, U, V)$ that is signature unlinkable according to Definition 3.5. This does not imply that it is message indistinguishable according to Definition 3.2.

Proof Again consider the signature scheme from Construction 3.2, which is signature unlinkable according to Lemma 3.3. This signature scheme is, however, not message indistinguishable according to Definition 3.2. In the message indistinguishability game the adversarial signer knows $m_0$ and $m_1$ and can therefore compute, as in the proof of Theorem 3.7, the blinded messages that will be submitted for signing. It can therefore tell which of the two messages the challenger submits for signing and hence can always correctly guess $b$ and win the game.

The reverse is also true. This scheme is, however, not signature unlinkable according to Definition 3.5. Suppose the adversarial signer keeps the intermediate signatures $\sigma_0$ and $\sigma_1$ it generated while interacting with user $U_0$ and user $U_1$ respectively. As in the proof of Theorem 3.2 it can match these with
This shows that message indistinguishability and signature unlinkability are indeed separate notions.
We will now explore the relationship between signature unlinkability and the other notions defined in this paper. For example, what is the relationship between signature unlinkability and message hiding? The blind signature scheme underlying the Idemix attribute based credential scheme [5,8] is in fact only strongly message hiding but not signature unlinkable.¹¹ This proves the following theorem.

Theorem 3.10 Consider a signature scheme $(G, S, U, V)$ that is strongly message hiding according to Definition 3.3. This does not imply that it is signature unlinkable according to Definition 3.5.

¹¹ The CL signature over a message $(m_0, \ldots, m_k)$ equals a tuple $(A, e, v)$ satisfying a verification equation in which $Z$, $R_i$, $S$ and $n$ are part of the public key. $A$ and $e$ are generated by the signer, which makes this scheme trivially signature linkable. When submitting a message for signing, the user submits a commitment $\prod_{i=0}^{k} R_i^{m_i} S^{v}$ to that message to hide it. And to use such a credential in an unlinkable fashion, the main goal of Idemix, the user does not reveal $A$ and $e$ but simply proves their existence to the verifier in zero knowledge.
The other way around, signature unlinkability does imply (weak) message hiding (which explains why we need the slightly stronger notion of message indistinguishability).

Theorem 3.11 Consider a signature scheme $(G, S, U, V)$ that is signature unlinkable according to Definition 3.5. Then it is message hiding according to Definition 3.4.

Proof The proof is very similar to the proof of Theorem 3.5.
Suppose not. Then there is an adversarial signer $S^*$ for the game defined in Definition 3.4. We turn it into an adversarial signer $S^{**}$ for the game defined in Definition 3.5 as follows.
1. $S^{**}$ starts $S^*$, which returns $PK$ and $m$.
2. $S^{**}$ essentially operates as the challenger for $S^*$, using whatever it learns in the process to solve its own challenge.
3. $S^{**}$ forwards $m$ to its own challenger. This challenger generates two messages $m_0$ and $m_1$ and sets up a user $U_0$ with input $(PK, m, m_0)$ and a user $U_1$ with input $(PK, m, m_1)$. $S^{**}$ is given oracle access to both users to engage in the blind signature protocol with both of them, mediated by the challenger. For $U_0$ it forwards oracle access to $S^*$. For $U_1$, $S^{**}$ interacts with this oracle itself. This way $S^*$ is set up exactly as in the definition of the game in Definition 3.4.
4. After $S^*$ has finished interacting with its oracles, it outputs a guess $m'$ (to $S^{**}$).
For the signature unlinkability game $S^{**}$ is playing, $S^{**}$ asks for its challenge. If both signatures ($\sigma_0$ generated by $U_0$ and $\sigma_1$ generated by $U_1$) in step 3 are valid, it receives $\sigma_b$ and $\sigma_{\bar{b}}$ (depending on the private coin flip $b$ of its challenger) in that order. It then checks whether $\sigma_b$ or $\sigma_{\bar{b}}$ is a valid signature over $m'$ (the guess returned by $S^*$). In the first case it returns $b' = 0$, in the second case it returns $b' = 1$. If neither is the case it returns a random bit $b'$.
By assumption, with some non-negligible probability the guess $m'$ returned by $S^*$ corresponds to the oracle set up by $S^{**}$ in step 3. Then $m' = m_0$ (as $S^*$ never interacted with $U_1$). So if $m'$ matches $\sigma_b$ (the first signature in its challenge), $\sigma_b$ must be a signature over $m_0$ and hence $b = 0$. And if it matches $\sigma_{\bar{b}}$, then $b = 1$ instead. We see that in this case $b' = b$ and hence the adversary wins. As we already concluded that this case happens with non-negligible probability, the conclusion follows.
The reverse of this theorem does not hold, by Theorems 3.9 and 3.5.

Message indistinguishability and signature unlinkability
We have so far shown that signature blindness can be separated into two separate properties, message indistinguishability and signature unlinkability, that are indeed independent: one does not imply the other, and neither on its own implies blindness. The natural question to ask is whether message indistinguishability and signature unlinkability together do imply blindness. That would be a nice conclusion, as it would show that the proposed separation is ideal in the sense that both properties together capture all of what makes a signature scheme blind. Unfortunately, this is not the case if we do not rule out pathological cases of misbehaving users, as the following theorem shows.

Proof Let a blind signature scheme according to Definition 3.1 be given. Modify it as follows to create a new signature scheme. Pick a particular message $m$. If $\sigma$ is the signature returned by user $U$ when interacting with $S$, define the modified user to return the tuple $(\sigma, \beta)$ where $\beta$ is a random identity, except when the user wants a signature on message $m$. In that case $\beta$ equals the identity of the user. Clearly, the modified scheme is no longer blind. The adversarial signer can always commit to messages $m_0 = m$ and $m_1$ to the challenger. Depending on its private bit $b$, the challenger gives $m$ to either $U_0$ or $U_1$. Whichever it is, it will return a signature $(\sigma_0, b)$ over $m$, while the other returns $(\sigma_1, \beta)$ over $m_1$ where $\beta$ is random.
When challenged, the adversary receives $(\sigma_0, b), (\sigma_1, \beta)$ in that order. It returns the $b$ it finds in the first signature, which by construction is always equal to the private bit chosen by the challenger. In other words, the adversary wins.
In the message indistinguishability game of Definition 3.2, the adversary doesn't receive the final signatures. Therefore its view when interacting with the modified scheme is exactly the same as when interacting with the original one. We conclude that the modified scheme is also message indistinguishable. In the signature unlinkability game of Definition 3.5, the adversary does not get to pick the messages to be signed; the challenger does. With overwhelming probability, $m$ is not among the messages chosen by the challenger. As a result, the $\beta$ component of both challenge signatures is random and can be ignored, i.e. the advantage of the adversary against the modified scheme is no better than against the original one. We conclude that the modified scheme is signature unlinkable.
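The two separations used in this section, the deterministic blinding factor $r = h_1(m)$ of Construction 3.2 (proof of Theorem 3.8) and the tagged user output of the proof just given, can both be exercised against a toy RSA blind signature. The following Python is an added example written for this page, not the paper's own code or any library's: the tiny modulus, the hash functions standing in for $h_1$ and $h_2$, the fixed message `M_STAR` and all helper names are constructed assumptions.

```python
"""Toy RSA blind signatures for two separations from the text: deterministic
blinding r = h_1(m) (Construction 3.2) versus random blinding in the message
indistinguishability game, and the modified user whose output carries a tag
beta in the blindness game. Added example, not the paper's code; the modulus,
hash functions, messages and helper names are all constructed assumptions."""
import hashlib
import math
import secrets

# Constructed toy RSA key: two primes just above 10**6, far too small for real use.
P, Q = 1000003, 1000033
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))            # private exponent

def hash_to_unit(tag: bytes, m: bytes) -> int:
    """Hash m into Z_n^* (retry with a counter until coprime with n).
    Stands in for h_1 (tag b"h1") and h_2 (tag b"h2") of Construction 3.2."""
    ctr = 0
    while True:
        data = tag + ctr.to_bytes(4, "big") + m
        x = int.from_bytes(hashlib.sha256(data).digest(), "big") % N
        if x > 1 and math.gcd(x, N) == 1:
            return x
        ctr += 1

def h1(m: bytes) -> int:
    return hash_to_unit(b"h1", m)

def h2(m: bytes) -> int:
    return hash_to_unit(b"h2", m)

def random_unit() -> int:
    """Fresh random blinding factor in Z_n^* (the standard choice)."""
    while True:
        r = secrets.randbelow(N)
        if r > 1 and math.gcd(r, N) == 1:
            return r

# Protocol: the user blinds, the signer raises to d, the user unblinds.
def blind(m: bytes, r: int) -> int:
    return (h2(m) * pow(r, E, N)) % N

def sign_blinded(m_prime: int) -> int:         # signer side: sees only m_prime
    return pow(m_prime, D, N)

def unblind(sigma_prime: int, r: int) -> int:
    return (sigma_prime * pow(r, -1, N)) % N

def verify(m: bytes, sigma: int) -> bool:
    return pow(sigma, E, N) == h2(m)

# (1) Message indistinguishability: what the signer sees and what it can infer.
def submit(m: bytes, deterministic: bool) -> int:
    """The blinded message the signer observes. deterministic=True is
    Construction 3.2 (r = h_1(m)); False is ordinary random blinding."""
    r = h1(m) if deterministic else random_unit()
    return blind(m, r)

def signer_identifies(m0: bytes, m1: bytes, m_prime: int):
    """Adversarial signer of Definition 3.2: it knows both candidates, so it
    recomputes the Construction 3.2 blinding of each and compares. Returns the
    index it can pin down, or None when it is reduced to guessing."""
    for i, m in enumerate((m0, m1)):
        if blind(m, h1(m)) == m_prime:
            return i
    return None

# (2) The modified user from the last proof, on top of random blinding.
M_STAR = b"the special message"      # constructed: the fixed message m of the proof

def modified_user(identity: int, m: bytes):
    """Returns (sigma, beta): beta is a coin flip, except for M_STAR where it is
    the user's own identity (0 or 1)."""
    r = random_unit()
    sigma = unblind(sign_blinded(blind(m, r)), r)
    assert verify(m, sigma)
    beta = identity if m == M_STAR else secrets.randbelow(2)
    return sigma, beta

def blindness_game(b: int, m1: bytes = b"other message") -> bool:
    """Definition 3.1 with the adversary committing m_0 = M_STAR. U_0 receives
    m_b and U_1 receives m_{1-b}; the challenge lists the signature over m_0
    first, so its beta is the identity of the user that held m_0, i.e. b."""
    outputs = {0: modified_user(0, [M_STAR, m1][b]),
               1: modified_user(1, [M_STAR, m1][1 - b])}
    sigma_over_m0 = outputs[b]                   # produced by the user that got m_0
    guess = sigma_over_m0[1]                     # the adversary just reads beta
    return guess == b

def unlinkability_challenge(b: int):
    """Definition 3.5: the challenger picks the two messages at random, so with
    overwhelming probability neither is M_STAR and both beta tags are coin flips
    independent of b. Returns (sigma_b, sigma_{1-b}) as the adversary sees them."""
    msgs = [secrets.token_bytes(16), secrets.token_bytes(16)]
    outs = [modified_user(i, msgs[i]) for i in range(2)]
    return outs[b], outs[1 - b]
```

With deterministic blinding, `signer_identifies` always returns the index of the submitted message because the signer can recompute $h_2(m_i)\,h_1(m_i)^e \bmod n$ for both candidates; with a fresh random $r$ the observed value matches neither and the signer is back to a coin flip. `blindness_game` returns `True` for both values of `b`, which is the adversary of the last proof reading $\beta$ off the first challenge signature, while in `unlinkability_challenge` the challenger's random messages never trigger the special case, so the tags carry no information about `b`.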

Conclusions
A summary of our results is presented in Fig. 1. Compiling this figure, we made use of the following transitivity rules governing the relationships among the several notions we defined in this paper.
• $A \rightarrow B$ and $B \rightarrow C$ implies $A \rightarrow C$.
• $A \nrightarrow B$ and $B \rightarrow C$ implies $A \nrightarrow C$.
• $A \rightarrow B$ and $B \nrightarrow C$ implies $A \nrightarrow C$.
As can be seen from the picture, this paper shows that signature blindness can be decomposed into two separate and indeed independent properties: message indistinguishability and signature unlinkability. The more natural notion of message hiding cannot be used for this purpose as it is implied by signature unlinkability.
Unfortunately combining signature unlinkability and message indistinguishability does not give back blindness, although this appears to be the case only in pathological cases. We have so far been unable to prove a restricted version of such a theorem ruling out certain classes of users, and neither did we find a less pathological counterexample. This is left for further research.
I am grateful to the anonymous reviewers for their comments and suggestions that really helped improve the paper.
Data availability Data sharing not applicable to this article as no datasets were generated or analysed during the current study.
Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.