Abstract. Known practical blind signature schemes whose security against adaptive and parallel attacks can be proven in the random oracle model either need five data exchanges between the signer and the user or are limited to issue only logarithmically many signatures in terms of a security parameter. This paper presents an efficient blind signature scheme that allows a polynomial number of signatures to be securely issued while only three data exchanges are needed. Its security is proven in the random oracle model. As an application, a provably secure solution for double-spender-traceable e-cash is presented.