On the (Im)possibility of Blind Message Authentication Codes Gregory Neven (Katholieke Universiteit Leuven & Ecole Normale Supérieure) joint work with Michel Abdalla (Ecole Normale Supérieure) Chanathip Namprempre (Thammasat University)

Authentication primitives Asymmetric: digital signatures Symmetric: message authentication codes (MACs) advantage: about 100 times faster sk pk M, s s = Sign(sk, M) Verify(pk, M, s) = 1 ? K K M, t t = Tag(K, M) Verify(K, M, t) = 1 ?

Blind signatures Asymmetric: blind signatures Anonymity-providing ingredient in various crypto protocols, e.g. digital cash, electronic voting,… pk sk pk, M M, s Sign(sk) s = User(pk, M) Verify(pk, M, s) = 1 ?

Blind signatures Asymmetric: blind signatures Anonymity-providing ingredient in various crypto protocols, e.g. digital cash, electronic voting,… Symmetric: blind MACs? pk sk pk, M M, s Sign(sk) s = User(pk, M) Verify(pk, M, s) = 1 ? K M K M, t Tag(K) t = User(M) Verify(K, M, t) = 1 ?

Applications of blind MACs: digital cash Main motivation: efficiency Example 1: online digital cash [Chaum 82] sk pk,$ Sign(sk) User(pk, $) Verify(pk, $, s) = 1 ? $ already spent? $ $ ok/nok Verify(pk, $, s) = 1 ?

Applications of blind MACs: digital cash Main motivation: efficiency Example 1: online digital cash [Chaum 82] sk K pk,$ Sign(sk) Tag(K) User(pk, $) K Verify(pk, $, t) = 1 ? $ already spent? $ $ ok/nok Verify(pk, $, s) = 1 ?

Applications of blind MACs: electronic voting Example 2: electronic voting [FOO 92] 1. Administrator blindly signs commitments to votes 2. Voters anonymously post signed vote commitments 3. Voters anonymously open votes 4. Public counting and verification

Applications of blind MACs: electronic voting Example 2: electronic voting [FOO 92] 1. Administrator blindly signs tags commitments to votes 2. Voters anonymously post signed tagged vote commitments 3. Administrator publishes MAC key 4. Voters anonymously open votes 5. Public counting and verification

Applications of blind MACs: electronic voting Example 2: electronic voting [FOO 92] 1. Administrator blindly signs tags commitments to votes 2. Voters anonymously post signed tagged vote commitments 3. Administrator publishes MAC key 4. Voters anonymously open votes 5. Public counting and verification Example 3: fair secure two-party computation [Pinkas 03] circuit constructor blindly signs bit commitments provided by evaluator, and later verifies own signature on actual outputs

Our contributions Main result: blind MACs do not exist formal syntax and security definitions proof that unforgeability and blindness cannot be simultaneously satisfied Blind MACs do exist if users can share state example scheme based on blind signatures (so no performance benefits!) stronger, more natural blindness definition for blind signatures + proof for modified Chaum blind signatures

Syntax and security of blind signatures 1k Kg pk,sk sk Sign User pk,M pk,M,s Verify 0/1 s / One-more unforgeability [PS 96] Blindness [JLO 97] pk pk,sk M0, M1 b R {0,1} F A User(pk,Mb) Sign(sk) User(pk,M1-b) User(pk,M1-b) (n times) s0, s1 (M1,s1),…,(Mn+1,sn+1) b’ A wins iff Verify(pk,Mi,si)=1 for i=1..n+1 A wins iff b’=b

Syntax and security of blind MACs 1k Kg pk,sk K sk K Sign User pk,M 1k pk,M,t K Verify 0/1 Tag t / One-more unforgeability Blindness pk 1k pk,sk K M0, M1 b R {0,1} F A User(pk,Mb) 1k Sign(sk) Tag(K) User(pk,M1-b) User(pk,M1-b) 1k (n times) t0, t1 (M1,t1),…,(Mn+1,tn+1) b’ A wins iff Verify(pk,Mi,ti)=1 for i=1..n+1 A wins iff b’=b K

Advblind(k) + Advomu(k) = 1 Impossibility proof Intuition: user does not have a public key so cannot check whether resulting tag is valid or whether tagger used same key in both sessions K 1k A M0, M1 b R {0,1} F K0 R Kg(1k) K1 R Kg(1k) User(1k,Mb) Tag(K0) User(1k,M1-b) Tag(K1) So all is lost? Not entirely, maybe weaker blindness notions are achievable. For example… t0, t1 K’ R Kg(1k) t Tag(K’,M) If Verify(K0,M0,t0) = 1 then b’=0 else b’=1 b’ (M,t) Advblind(k) + Advomu(k) = 1 A F

Picking up the pieces: state-sharing users Attack does not go through when users have common state Reasonable? Provably secure constructions? K A M0, M1 b R {0,1} K0 R Kg(1k) K1 R Kg(1k) User(1k,Mb) State e.g. if K0 ≠ K1 Tag(K0) User(1k,M1-b) Tag(K1) t0, t1 If Verify(K0,M0,t0) = 1 then b’=0 else b’=1 b’

Possibility of blind MACs for state-sharing users Reasonable? probably not for digital cash, electronic voting perfectly reasonable for fair two-party computation [Pinkas 03] Theoretical construction proving existence: given BSig = (KgS, SignS, UserS, VerifyS) construct BMAC = (KgM, TagM, UserM, VerifyM) by letting K = (pk,sk) and storing pk in shared state: KgM(1k): Run (pk,sk) R KgS(1k) and return K = (pk,sk) TagM(K): Parse K as (pk,sk), send pk to user, run SignS(sk) UserM(1k,M): Reject if received pk different from pk’ in shared state Run UserS(pk,M) until outputs s, return t = s VerifyM(K,M,t): Parse K as (pk,sk), return VerifyS(pk,M,t)

Dishonest-key blindness Need stronger/more natural blindness notion for blind signatures: Satisfied by Chaum’s blind signatures if e prime and e > N [CPP04]: any e coprime with φ(N) pk,sk 1k M0, M1, pk b R {0,1} A User(pk,Mb) User(pk,M1-b) User(pk,M1-b) s0, s1 b’

Conclusions and open problems Main results: impossibility of blind MACs in most general/useful setting possibility of blind MACs when users can share state Ongoing work: relation between honest-key and dishonest-key blindness Open problems: efficient blind MACs for state-sharing users (or impossibility thereof: blind MACs blind signatures?) possibility of blind MACs in other models