> They might try to match based on timing. If there isn't enough volume of people verifying they might be able to figure something out so care would definitely be needed especially at the start.
The timing attack is worse than that.
Suppose Bob has a pseudonymous account with the service. So he signs into his account, NotBob99, which is not supposed to be associated with Bob. Or even just uses a device with the same cookie or device fingerprint. On a dozen separate occasions.
Is he unmasked the first time? Maybe not, there could have been thousands of people requesting a signature at that time, although you have immediately narrowed it down by 99.999% from hundreds of millions. Is he unmasked the second time? Pretty good chance of that, because you can exclude anyone who didn't request a signature the first time. Even if it isn't fully unique yet, the number of candidates can now be counted on one hand. Has he been unmasked by the twelfth time? Almost certainly.
It's also not clear what the fancy cryptography is supposed to be buying you over the alternative. If you use blinded signatures, you have a timing attack, but Bob can still share the signatures unless the timing attack is being actively exploited, which it obviously isn't supposed to be, as, if it was, it would only prove the signature scheme ineffective.
Now suppose you just have secret "is over 18" and "is over 21" passwords, changed on the same interval as the signatures would expire. The passwords aren't unique, everyone in the eligible age group gets the same one (and services that are 18+ request the 18+ password even from people over 21), so you can't correlate them with an individual and each person only has to request the password once per change interval (e.g. 30 days) rather than once per use. What advantage do blinded signatures have over this?