On the (Im)possibility of Blind Message Authentication Codes
Gregory Neven (Katholieke Universiteit Leuven, Belgium)
Joint work with: Michel Abdalla (Ecole Normale Supérieure, France)
Chanathip Namprempre (Thammasat University, Thailand)
The concept
Blind signature scheme:
  Kg(1^k) → (pk, sk)
  User(pk, M) ↔ Sign(sk)
    ↓
  s / reject
  Verify(pk, M, s) → 0/1
Blind MAC scheme:
  Kg(1^k) → K
  User(M) ↔ Tag(K)
    ↓
  t / reject
  Verify(K, M, t) → 0/1
Security:
  One-more unforgeability [PS96]
    no PTA can output n+1 valid message-signature (message-tag) pairs after n interactions with signing (tagging) oracle
  Blindness [JLO97]
    no PTA can tell which of two messages was signed (tagged) during which session, even after seeing signatures (tags)
Motivation
As for standard signatures vs. MACs: efficiency
Applicable when signer = verifier, e.g.:
  Fairness in two-party computation [Pin03]
    = first (and only) mention of blind MACs
  Online digital cash [Cha82]
    bank tags and verifies coins using same key K
  Voting schemes [FOO92]
    registered voters get committed vote tagged under key K by the administrator
    administrator reveals K after voting phase
Results
Blind MACs do not exist
  Unforgeability and blindness are contradictory
  Intuition: users have no way to check whether tagger is using same key in both sessions
Blind MACs do exist if users have shared state
  OK for [Pin03], probably not for ecash and voting
  Construction based on (slight variant of) Chaum’s blind signature scheme, letting
    K = pk || sk
    Tag(K): send pk to user, then execute Sign(sk)
    User(M): compare received pk to pk’ in shared state
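
Added example (not from the slides or the paper): a toy run of the shared-state construction above, using the textbook RSA form of Chaum's blind signature rather than the talk's unspecified variant, and showing the user rejecting a tagger that switches keys between sessions. The Mersenne-prime moduli, the SHA-256 hash, all class and function names, and the pre-loaded shared_pk are assumptions made for illustration.

```python
import hashlib, secrets
from math import gcd

def keygen(p, q, e=65537):
    """Return K = (pk, sk) with pk = (N, e), sk = d. Toy primes, constructed."""
    return (p * q, e), pow(e, -1, (p - 1) * (q - 1))

def h(msg, n):
    # Assumed hash into Z_N; the slides do not specify one.
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

class Tagger:
    def __init__(self, key):
        self.pk, self.d = key
    def send_pk(self):                 # Tag(K), step 1: send pk to user
        return self.pk
    def sign(self, blinded):           # Tag(K), step 2: execute Sign(sk)
        return pow(blinded, self.d, self.pk[0])
    def verify(self, msg, t):          # Verify(K, M, t) -> 0/1
        n, e = self.pk
        return pow(t, e, n) == h(msg, n)

def user(msg, tagger, shared_pk):
    """User(M): return tag t, or None for reject."""
    pk = tagger.send_pk()
    if pk != shared_pk:                # compare received pk to pk' in shared state
        return None
    n, e = pk
    r = 0
    while gcd(r, n) != 1:              # blinding factor must be invertible mod N
        r = secrets.randbelow(n - 2) + 2
    blinded = h(msg, n) * pow(r, e, n) % n   # tagger sees only this value
    t = tagger.sign(blinded) * pow(r, -1, n) % n
    return t if pow(t, e, n) == h(msg, n) else None

def demo():
    k1 = keygen(2**127 - 1, 2**89 - 1)     # constructed toy keys, insecure sizes
    k2 = keygen(2**107 - 1, 2**61 - 1)
    session1, session2 = Tagger(k1), Tagger(k2)  # same tagger, key switched
    shared_pk = k1[0]                      # assumed already in users' shared state
    t = user(b"coin-1", session1, shared_pk)
    return session1.verify(b"coin-1", t), user(b"coin-2", session2, shared_pk)

if __name__ == "__main__":
    print(demo())
```

Without the pk comparison, the second session would complete and its tag would verify only under the second key, which is the key-switching gap the impossibility intuition points at.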
Open problems
Blind MAC schemes using only symmetric primitives (in state-sharing users setting)
… or impossibility thereof by showing that (state-sharing) blind MACs imply blind signatures
obvious construction (pk = shared state, sk = K) doesn’t work: how to verify?