Title: On the (Im)possibility of Blind Message Authentication Codes
1. On the (Im)possibility of Blind Message Authentication Codes
- Gregory Neven (Katholieke Universiteit Leuven, Ecole Normale Supérieure)
- joint work with Michel Abdalla (Ecole Normale Supérieure) and Chanathip Namprempre (Thammasat University)
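2. Authentication primitives
- Asymmetric: digital signatures
- Symmetric: message authentication codes (MACs)
  - advantage: about 100 times faster
- Diagram (signatures): signer holds sk, verifier holds pk; s ← Sign(sk, M); (M, s) is sent; verifier checks Verify(pk, M, s) = 1 ?
- Diagram (MACs): both parties hold K; t ← Tag(K, M); (M, t) is sent; verifier checks Verify(K, M, t) = 1 ?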
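3. Blind signatures
- Asymmetric: blind signatures
- Anonymity-providing ingredient in various crypto protocols, e.g. digital cash, electronic voting, ...
- Diagram: signer holds sk and runs Sign(sk); user holds pk, M and obtains s ← User(pk, M); (M, s) goes to a verifier holding pk, who checks Verify(pk, M, s) = 1 ?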
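4. Blind signatures
- Asymmetric: blind signatures
- Anonymity-providing ingredient in various crypto protocols, e.g. digital cash, electronic voting, ...
- Diagram: signer holds sk and runs Sign(sk); user holds pk, M and obtains s ← User(pk, M); (M, s) goes to a verifier holding pk, who checks Verify(pk, M, s) = 1 ?
- Symmetric: blind MACs?
- Diagram: tagger holds K and runs Tag(K); user holds M and obtains t ← User(M); (M, t) goes to a verifier holding K, who checks Verify(K, M, t) = 1 ?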
5. Applications of blind MACs: digital cash
- Main motivation: efficiency
- Example 1: online digital cash [Chaum 82]
- Diagram labels: sk; pk, ; User(pk, ) interacting with Sign(sk); Verify(pk, , s) = 1 ? already spent?, answered ok/nok; Verify(pk, , s) = 1 ?
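6. Applications of blind MACs: digital cash
- Main motivation: efficiency
- Example 1: online digital cash [Chaum 82]
- Diagram labels (signature diagram with MAC labels overlaid): sk; pk, ; K; User(pk, ) interacting with Sign(sk), replaced by Tag(K); K; Verify(pk, , t) = 1 ? already spent?, answered ok/nok; Verify(pk, , s) = 1 ?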
7. Applications of blind MACs: electronic voting
- Example 2: electronic voting [FOO 92]
  1. Administrator blindly signs commitments to votes
  2. Voters anonymously post signed vote commitments
  3. Voters anonymously open votes
  4. Public counting and verification
8. Applications of blind MACs: electronic voting
- Example 2: electronic voting [FOO 92]
  1. Administrator blindly tags (in place of: signs) commitments to votes
  2. Voters anonymously post tagged (in place of: signed) vote commitments
  3. Administrator publishes MAC key
  4. Voters anonymously open votes
  5. Public counting and verification
9. Applications of blind MACs: electronic voting
- Example 2: electronic voting [FOO 92]
  1. Administrator blindly tags (in place of: signs) commitments to votes
  2. Voters anonymously post tagged (in place of: signed) vote commitments
  3. Administrator publishes MAC key
  4. Voters anonymously open votes
  5. Public counting and verification
- Example 3: fair secure two-party computation [Pinkas 03]
  - circuit constructor blindly signs bit commitments provided by evaluator, and later verifies own signature on actual outputs
10. Our contributions
- Main result: blind MACs do not exist
  - formal syntax and security definitions
  - proof that unforgeability and blindness cannot be simultaneously satisfied
- Blind MACs do exist if users can share state
  - example scheme based on blind signatures (so no performance benefits!)
  - stronger, more natural blindness definition for blind signatures; proof for modified Chaum blind signatures
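11. Syntax and security of blind signatures
- Syntax: Kg(1^k) → (pk, sk); Sign(sk) interacts with User(pk, M), which outputs s / ⊥; Verify(pk, M, s) → 0/1
- One-more unforgeability [PS 96]
  - F is given pk and interacts with Sign(sk) (n times)
  - F outputs (M_1, s_1), ..., (M_{n+1}, s_{n+1})
  - A wins iff Verify(pk, M_i, s_i) = 1 for i = 1..n+1
- Blindness [JLO 97]
  - A is given pk, sk and outputs M_0, M_1; b is chosen at random from {0,1}
  - A interacts with User(pk, M_b) and User(pk, M_{1-b})
  - A is given s_0, s_1 and outputs b'
  - A wins iff b' = b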
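12. Syntax and security of blind MACs
- Same diagrams as on the previous slide, with the signature labels struck out and replaced: (pk, sk) by K, sk by K, the user's pk by 1^k, Sign by Tag, s by t
- Syntax: Kg(1^k) → K; Tag(K) interacts with User(1^k, M), which outputs t / ⊥; Verify(K, M, t) → 0/1
- One-more unforgeability
  - F is given 1^k and interacts with Tag(K) (n times)
  - F outputs (M_1, t_1), ..., (M_{n+1}, t_{n+1})
  - A wins iff Verify(K, M_i, t_i) = 1 for i = 1..n+1
- Blindness
  - A is given K and outputs M_0, M_1; b is chosen at random from {0,1}
  - A interacts with User(1^k, M_b) and User(1^k, M_{1-b})
  - A is given t_0, t_1 and outputs b'
  - A wins iff b' = b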
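13. Impossibility proof
- Intuition: user does not have a public key, so cannot check whether resulting tag is valid or whether tagger used same key in both sessions
- Blindness adversary A
  - outputs M_0, M_1; b is chosen at random from {0,1}
  - K_0 ←R Kg(1^k); K_1 ←R Kg(1^k)
  - runs Tag(K_0) with User(1^k, M_b) and Tag(K_1) with User(1^k, M_{1-b})
  - receives t_0, t_1
  - If Verify(K_0, M_0, t_0) = 1 then b' ← 0 else b' ← 1; outputs b'
- Forger F
  - on input 1^k: K ←R Kg(1^k); t ← Tag(K, M); outputs (M, t)
- Adv^blind_A(k) + Adv^omu_F(k) ≥ 1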
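14. Picking up the pieces: state-sharing users
- Attack does not go through when users have common state
- Reasonable? Provably secure constructions?
- Diagram (adversary A from the impossibility proof): A outputs M_0, M_1; b is chosen at random from {0,1}; K_0 ←R Kg(1^k), K_1 ←R Kg(1^k); Tag(K_0) runs with User(1^k, M_b) and Tag(K_1) with User(1^k, M_{1-b}); A receives t_0, t_1; if Verify(K_0, M_0, t_0) = 1 then b' ← 0 else b' ← 1; A outputs b'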
15. Possibility of blind MACs for state-sharing users
- Reasonable?
  - probably not for digital cash, electronic voting
  - perfectly reasonable for fair two-party computation [Pinkas 03]
- Theoretical construction proving existence
  - given BSig = (KgS, SignS, UserS, VerifyS), construct BMAC = (KgM, TagM, UserM, VerifyM) by letting K = (pk, sk) and storing pk in shared state
  - KgM(1^k): Run (pk, sk) ←R KgS(1^k) and return K = (pk, sk)
  - TagM(K): Parse K as (pk, sk), send pk to user, run SignS(sk)
  - UserM(1^k, M): Reject if received pk different from pk in shared state. Run UserS(pk, M) until it outputs s, return t ← s
  - VerifyM(K, M, t): Parse K as (pk, sk), return VerifyS(pk, M, t)
16. Dishonest-key blindness
- Need stronger/more natural blindness notion for blind signatures
- Satisfied by Chaum's blind signatures if e prime and e > N
  - [CPP04]: any e coprime with φ(N)
- Diagram: A is given 1^k (in place of pk, sk) and outputs M_0, M_1, pk; b is chosen at random from {0,1}; A interacts with User(pk, M_b) and User(pk, M_{1-b}); A is given s_0, s_1 and outputs b'
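Added example (not from the slides or the authors' paper): the slide-15 construction, with textbook Chaum RSA blinding standing in for BSig, run against the split-key adversary A of slide 13 with and without shared user state. The small Mersenne-prime keys, the SHA-256 hash, the fixed exponent E used for the slide-16 condition, and storing pk on first use are assumptions made here.

```python
import hashlib, secrets
from math import gcd

E = 2**107 - 1  # fixed prime exponent (slide 16: e prime and e > N)

def H(M, N):  # hash into Z_N; SHA-256 is an assumption, the slides name no hash
    return int.from_bytes(hashlib.sha256(M).digest(), "big") % N

def KgM(p, q):  # KgS on constructed toy primes; returns K = (pk, sk)
    return ((p * q, E), pow(E, -1, (p - 1) * (q - 1)))

class Tagger:  # TagM(K): send pk to the user, then run SignS(sk)
    def __init__(self, K):
        self.pk, self.sk = K
    def send_pk(self):
        return self.pk
    def sign(self, x):
        return pow(x, self.sk, self.pk[0])

def UserM(shared, tagger, M):
    pk = tagger.send_pk()
    # Reject if pk differs from pk in shared state; assumption: first user stores it.
    if shared.setdefault("pk", pk) != pk:
        return None
    N, e = pk
    if e != E or e <= N:  # refuse keys outside the slide-16 condition
        return None
    r = secrets.randbelow(N - 2) + 2
    while gcd(r, N) != 1:
        r = secrets.randbelow(N - 2) + 2
    # UserS: blind H(M), get it signed, unblind, check the result under pk.
    s = tagger.sign(H(M, N) * pow(r, e, N) % N) * pow(r, -1, N) % N
    return s if pow(s, e, N) == H(M, N) else None

def VerifyM(K, M, t):
    (N, e), _ = K
    return pow(t, e, N) == H(M, N)

def split_key_attack(b, share_state):
    """Slide 13 adversary A: Tag(K0) serves M_b, Tag(K1) serves M_{1-b}."""
    K0, K1 = KgM(2**31 - 1, 2**61 - 1), KgM(2**19 - 1, 2**61 - 1)
    Ms, state = [b"M0", b"M1"], {}
    first = UserM(state, Tagger(K0), Ms[b])
    second = UserM(state if share_state else {}, Tagger(K1), Ms[1 - b])
    if second is None:  # state-sharing user caught the key switch
        return (False, None)
    t0 = first if b == 0 else second  # A receives (t0, t1) ordered by message
    return (True, 0 if VerifyM(K0, b"M0", t0) else 1)
```

Without shared state A recovers b in every run; with shared state the second user rejects the mismatched pk and A receives no tags to test.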
17. Conclusions and open problems
- Main results
  - impossibility of blind MACs in most general/useful setting
  - possibility of blind MACs when users can share state
- Ongoing work
  - relation between honest-key and dishonest-key blindness
- Open problems
  - efficient blind MACs for state-sharing users (or impossibility thereof: blind MACs ⇒ blind signatures?)
  - possibility of blind MACs in other models