1 / 5

On the (Im)possibility of Blind Message Authentication Codes

On the (Im)possibility of Blind Message Authentication Codes. Gregory Neven (Katholieke Universiteit Leuven, Belgium) Joint work with: Michel Abdalla (Ecole Normale Supérieure, France) Chanathip Namprempre (Thammasat University, Thailand). Blind signature scheme: Kg(1 k ) → (pk, sk)

ssettle
Download Presentation

On the (Im)possibility of Blind Message Authentication Codes

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. On the (Im)possibility of Blind Message Authentication Codes Gregory Neven (Katholieke Universiteit Leuven, Belgium) Joint work with:Michel Abdalla (Ecole Normale Supérieure, France)Chanathip Namprempre (Thammasat University, Thailand)

  2. Blind signature scheme: Kg(1k) → (pk, sk) User(pk, M) ↔ Sign(sk) ↓ s / reject Verify(pk, M, s) → 0/1 Blind MAC scheme: Kg(1k) → K User(M) ↔ Tag(K) ↓t / reject Verify(K, M, t) → 0/1 The concept Security: • One-more unforgeability [PS96] no PTA can output n+1 valid message-signature (message-tag) pairs after n interactions with signing (tagging) oracle • Blindness [JLO97] no PTA can tell which of two messages was signed (tagged) during which session, even after seeing signatures (tags)

  3. Motivation As for standard signatures vs. MACs: efficiency Applicable when signer = verifier, e.g.: • Fairness in two-party computation [Pin03] = first (and only) mention of blind MACs • Online digital cash [Cha82] bank tags and verifies coins using same key K • Voting schemes [FOO92] registered voters get committed vote tagged under key K by the administrator administrator reveals K after voting phase

  4. Results • Blind MACs do not exist • Unforgeability and blindness are contradictory • Intuition: users have no way to check whether tagger is using same key in both sessions • Blind MACs do exist if users have shared state OK for [Pin03], probably not for ecash and voting Construction based on (slight variant of) Chaum’s blind signature scheme, letting • K = pk || sk • Tag(K) send pk to user, then execute Sign(sk) • User(M) compare received pk to pk’ in shared state

  5. Open problems • Blind MAC schemes using only symmetric primitives (in state-sharing users setting) • … or impossibility thereof by showing that (state-sharing) blind MACs imply blind signatures obvious construction (pk = shared state, sk = K) doesn’t work: how to verify?

More Related