Assume the client and server have engaged in mutual authentication as per auth0.txt. We also assume that the server has a blind-authentication pubkey that is configured in the client. Something outside the protocol should prevent the server operator from giving a different one to every client.

We can make future authentication for this client private:

  Client generates a random pubkey P.
  Client sends BLINDMINTREQ.
  Server replies with BLINDMINTCHALLENGE [33 byte R value].
  Client sends BLINDMINTREPLY [96 byte blinded signature proposal].
  Server replies with BLINDMINTSIGNATURE [64 byte blinded signature].

The server could reply with all zeros, indicating failure, and the client can retry. (For technical reasons the server should not be permitted to run the mint protocol multiple times in parallel. If a second user makes a request while the first is still too slow to finish, the second should fail and be forced to retry.)

Client unblinds and saves P and the signature of it.

------

Later, when the client connects, instead of AUTHPROPOSE the client sends BLINDAUTH:

  33 byte P,
  64 byte signature of P by the blind-authentication pubkey,
  64 byte signature of session_id by P.

The client is now authenticated without the server knowing which client it is. The client can now perform the BLINDMINTREQ protocol above again, save a new P and destroy the old one. This way P is never reused and all of the client's connections are unlinkable.

A downside is that if a bad client gets access, the only way to kick them out is to change the blind-authentication pubkey, which impacts all blind-auth users. One way to mitigate this would be to make the blind-auth pubkey a hash of many pubkeys, to be used at specific block heights spaced (say) a week apart. The mint procedure can be used to get the current pubkey and its membership proof. Then the user can be required to connect non-anonymously to get an ID under a different key.

Then any blind ID obtained this way can expire after no more than a week, and so an abusive user could only continue being a problem for a week... though their privacy is worse, since any user that doesn't connect during a week couldn't have been any of the connections that week.

This protocol could be enhanced further with the server keeping track of used P values (until they expire), and only granting one new blind value per connection, so that it could check that the same client was not connecting many times in parallel.
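A runnable sketch of the mint round trip and the BLINDAUTH check above, added here as an illustration and not part of the original note: it assumes blind Schnorr signatures over secp256k1 (the note does not name the scheme), uses the note's 33-byte compressed point encoding, keeps signatures as (point, scalar) pairs instead of the 64-byte wire form, passes the blinded challenge as an integer rather than modelling the 96-byte BLINDMINTREPLY, and has the server refuse a second concurrent mint session as the note requires.

```python
import hashlib, secrets

PRIME = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F  # secp256k1 field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141      # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,    # generator
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
def add(a, b):  # affine group law, written for clarity not speed; None is the point at infinity
    if a is None or b is None: return a or b
    if a[0] == b[0] and (a[1] + b[1]) % PRIME == 0: return None
    if a == b: l = 3 * a[0] * a[0] * pow(2 * a[1], -1, PRIME)
    else: l = (b[1] - a[1]) * pow(b[0] - a[0], -1, PRIME)
    x = (l * l - a[0] - b[0]) % PRIME
    return (x, (l * (a[0] - x) - a[1]) % PRIME)
def mul(k, pt):  # left-to-right double-and-add scalar multiplication
    r = None
    for bit in bin(k)[2:]:
        r = add(add(r, r), pt if bit == "1" else None)
    return r
def ser(pt): return bytes([2 + (pt[1] & 1)]) + pt[0].to_bytes(32, "big")  # 33-byte compressed point
def h(*parts): return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big") % N  # challenge
def sign(x, X, msg):  # ordinary Schnorr; the client uses it for the session_id signature
    k = secrets.randbelow(N - 1) + 1; R = mul(k, G)
    return R, (k + h(ser(R), ser(X), msg) * x) % N
def verify(X, msg, sig):  # one check validates both blind-minted tokens and session signatures
    R, s = sig
    return mul(s, G) == add(R, mul(h(ser(R), ser(X), msg), X))

class MintServer:  # holds the blind-authentication key; allows one mint session at a time
    def __init__(self):
        self.x = secrets.randbelow(N - 1) + 1; self.X = mul(self.x, G)
        self.k = None; self.seen = []  # open-session nonce; blinded challenges actually seen
    def challenge(self):  # BLINDMINTCHALLENGE; None stands for the all-zeros "busy, retry" reply
        if self.k is not None: return None
        self.k = secrets.randbelow(N - 1) + 1
        return mul(self.k, G)
    def signature(self, c):  # BLINDMINTSIGNATURE over the blinded challenge c; closes the session
        s, self.k = (self.k + c * self.x) % N, None
        self.seen.append(c)
        return s
def mint(server, P):  # client: BLINDMINTREQ round trip -> unblinded signature on ser(P)
    R = server.challenge()
    if R is None: return None  # server busy; the note has the client retry
    a, b = secrets.randbelow(N), secrets.randbelow(N)
    Rp = add(add(R, mul(a, G)), mul(b, server.X))  # blinded nonce R' = R + aG + bX
    c = h(ser(Rp), ser(server.X), ser(P))          # the challenge any verifier will recompute
    s = server.signature((c + b) % N)              # server sees only c + b, never c or P
    return Rp, (s + a) % N                         # unblind: (R', s + a) verifies under server.X
def blind_auth(server, P, token, session_id, sess_sig):  # server-side BLINDAUTH check
    return verify(server.X, ser(P), token) and verify(P, session_id, sess_sig)
```

The server's `seen` list records every blinded challenge it signed; the real challenge recomputed at BLINDAUTH time never appears in it, which is what keeps the later connection unlinkable to the mint session.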