On the (Im)possibility of Blind Message Authentication Codes

Gregory Neven (Katholieke Universiteit Leuven, Belgium)

Joint work with:Michel Abdalla (Ecole Normale Supérieure, France)

Chanathip Namprempre (Thammasat University, Thailand)

2

The concept

Blind signature scheme: Kg(1k) → (pk, sk) User(pk, M) ↔ Sign(sk)

↓ s / reject

Verify(pk, M, s) → 0/1

Blind MAC scheme: Kg(1k) → K User(M) ↔ Tag(K)

↓ t / reject

Verify(K, M, t) → 0/1

Security: One-more unforgeability [PS96]

no PTA can output n+1 valid message-signature (message-tag) pairs after n interactions with signing (tagging) oracle

Blindness [JLO97]no PTA can tell which of two messages was signed (tagged) during which session, even after seeing signatures (tags)

3

Motivation

As for standard signatures vs. MACs: efficiency

Applicable when signer = verifier, e.g.: Fairness in two-party computation [Pin03]

= first (and only) mention of blind MACs

Online digital cash [Cha82]bank tags and verifies coins using same key K

Voting schemes [FOO92]registered voters get committed vote tagged under key K

by the administrator

administrator reveals K after voting phase

4

Results

Blind MACs do not exist Unforgeability and blindness are contradictory Intuition: users have no way to check whether tagger is

using same key in both sessions

Blind MACs do exist if users have shared stateOK for [Pin03], probably not for ecash and voting

Construction based on (slight variant of) Chaum’s blind signature scheme, letting

K = pk || sk Tag(K) send pk to user, then execute Sign(sk) User(M) compare received pk to pk’ in shared state

5

Open problems

Blind MAC schemes using only symmetric primitives (in state-sharing users setting)

… or impossibility thereof by showing that (state-sharing) blind MACs imply blind signatures

obvious construction (pk = shared state, sk = K) doesn’t work: how to verify?