A suggestion for partially-blind signatures

[nimia]

Have you maybe considered using a hash of the URL for e, the RSA public exponent?

Like, if we want to sign the equivalent of "this blinded nonce touched me, on the way to URL" we could do: e = 1 | hash(URL) | 1 # we concatenate a 1 bit at the start to make sure all exponents are of equal length, and at the end to make sure the exponent is odd d = e^-1 % phi(N) signature = (nonce^d % N, URL)

Obviously I don't have a security proof, but it "seems" secure, right? Hope this helps :-)