Upload
herbert-craig
View
216
Download
1
Embed Size (px)
Citation preview
On the (Im)possibility of Blind Message Authentication Codes
Gregory Neven (Katholieke Universiteit Leuven, Belgium)
Joint work with:Michel Abdalla (Ecole Normale Supérieure, France)
Chanathip Namprempre (Thammasat University, Thailand)
2
The concept
Blind signature scheme: Kg(1k) → (pk, sk) User(pk, M) ↔ Sign(sk)
↓ s / reject
Verify(pk, M, s) → 0/1
Blind MAC scheme: Kg(1k) → K User(M) ↔ Tag(K)
↓ t / reject
Verify(K, M, t) → 0/1
Security: One-more unforgeability [PS96]
no PTA can output n+1 valid message-signature (message-tag) pairs after n interactions with signing (tagging) oracle
Blindness [JLO97]no PTA can tell which of two messages was signed (tagged) during which session, even after seeing signatures (tags)
3
Motivation
As for standard signatures vs. MACs: efficiency
Applicable when signer = verifier, e.g.: Fairness in two-party computation [Pin03]
= first (and only) mention of blind MACs
Online digital cash [Cha82]bank tags and verifies coins using same key K
Voting schemes [FOO92]registered voters get committed vote tagged under key K
by the administrator
administrator reveals K after voting phase
4
Results
Blind MACs do not exist Unforgeability and blindness are contradictory Intuition: users have no way to check whether tagger is
using same key in both sessions
Blind MACs do exist if users have shared stateOK for [Pin03], probably not for ecash and voting
Construction based on (slight variant of) Chaum’s blind signature scheme, letting
K = pk || sk Tag(K) send pk to user, then execute Sign(sk) User(M) compare received pk to pk’ in shared state
5
Open problems
Blind MAC schemes using only symmetric primitives (in state-sharing users setting)
… or impossibility thereof by showing that (state-sharing) blind MACs imply blind signatures
obvious construction (pk = shared state, sk = K) doesn’t work: how to verify?