For the first version of the standard, we're going to keep this as simple as we possibly can, given that no out-of-the-box solutions seem to exist: a fully-blind RSA signature:
It's kinda neat to realize that the difference between a partially-blind and fully-blind signature scheme is (in this context) just a performance concern. We certainly want to figure out a (elliptical or bilinear or lattice) partially-blind solution, but that won't be included in version-0 of the 402-Receipts standard, and that's fine.
The social network of the future: No ads, no corporate surveillance, ethical design, and decentralization! Own your data with Mastodon!