On the (Im)possibility of Blind Message Authentication Codes Gregory Neven (Katholieke Universiteit Leuven, Belgium) Joint work with: Michel Abdalla (Ecole.

Slides:

Advertisements

Similar presentations

Rennes, 24/10/2014 Cristina Onete CIDRE/ INRIA Privacy in signatures. Hiding in rings, hiding in groups.

Advertisements

Off-the-Record Communication, or, Why Not To Use PGP

Spreading Alerts Quietly and the Subgroup Escape Problem Aleksandr Yampolskiy (Yale) Joint work with James Aspnes, Zoë Diamadi, Kristian Gjøsteen, and.

Hash Function. What are hash functions? Just a method of compressing strings – E.g., H : {0,1}*  {0,1} 160 – Input is called “message”, output is “digest”

A Pairing-Based Blind Signature

Rennes, 23/10/2014 Cristina Onete Commitment Schemes and Identification/Authentication.

Hybrid Signcryption with Insider Security Alexander W. Dent.

Anonymous Credentials: How to show credentials without compromising privacy Melissa Chase Microsoft Research.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.

Digital Cash Present By Kevin, Hiren, Amit, Kai. What is Digital Cash?  A payment message bearing a digital signature which functions as a medium of.

Class 12 Anonymous Digital Currency CIS 755: Advanced Computer Security Spring 2014 Eugene Vasserman

Payment Systems 1. Electronic Payment Schemes Schemes for electronic payment are multi-party protocols Payment instrument modeled by electronic coin that.

IAW 2006 Cascaded Authorization with Anonymous- Signer Aggregate Signatures Danfeng Yao Department of Computer Science Brown University Joint work with.

Rennes, 23/10/2014 Cristina Onete Putting it all together: using multiple primitives together.

Feb 18, 2003Mårten Trolin1 Previous lecture Block ciphers Modes of operations First assignment Hash functions.

Leakage-Resilient Signatures Sebastian Faust KU Leuven Joint work with Eike Kiltz CWI Krzysztof Pietrzak CWI Guy Rothblum Princeton TCC 2010, Zurich, Switzerland.

Feb 25, 2003Mårten Trolin1 Previous lecture More on hash functions Digital signatures Message Authentication Codes Padding.

Apr 22, 2003Mårten Trolin1 Agenda Course high-lights – Symmetric and asymmetric cryptography – Digital signatures and MACs – Certificates – Protocols Interactive.

Mar 5, 2002Mårten Trolin1 Previous lecture More on hash functions Digital signatures Message Authentication Codes Padding.

1 Blind Signatures 盲簽章 Chun-I Fan 范俊逸 E-Commerce & Security Engineering Lab. Department of Computer Science and Engineering National Sun Yat-Sen University.

CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 16 Jonathan Katz.

Overview of Cryptography Anupam Datta CMU Fall A: Foundations of Security and Privacy.

Electronic Voting Schemes and Other stuff. Requirements Only eligible voters can vote (once only) No one can tell how voter voted Publish who voted (?)

Security Arguments for Digital Signatures and Blind Signatures Journal of Cryptology, (2000) 13: Authors: D. Pointcheval and J. Stern Presented.

Security Arguments for Digital Signatures and Blind Signatures Journal of Cryptology, (2000) 13: Authors: D. Pointcheval and J. Stern Presented.

Hybrid Signcryption with Outsider Security

Remarks on Voting using Cryptography Ronald L. Rivest MIT Laboratory for Computer Science.

Quantum Public Key Cryptography with Information- Theoretic Security Daniel Gottesman Perimeter Institute.

E- Business Digital Signature Varna Free University Prof. Teodora Bakardjieva.

Introduction to Public Key Cryptography

Chapter 13 Digital Signature

WISA An Efficient On-line Electronic Cash with Unlinkable Exact Payments Toru Nakanishi, Mitsuaki Shiota and Yuji Sugiyama Dept. of Communication.

Rennes, 15/10/2014 Cristina Onete Message authenticity: Digital Signatures.

CS555Topic 211 Cryptography CS 555 Topic 21: Digital Schemes (1)

Digital signature in automatic analyses for confidentiality against active adversaries Ilja Tšahhirov, Peeter Laud.

Andrew Lindell Aladdin Knowledge Systems and Bar-Ilan University 04/09/08 CRYP-202 Legally-Enforceable Fairness in Secure Two-Party Computation.

1 Anonymous Roaming Authentication Protocol with ID-based Signatures Lih-Chyau Wuu Chi-Hsiang Hung Department of Electronic Engineering National Yunlin.

An Efficient and Secure Event Signature (EASES) Protocol for Peer-to-Peer Massively Multiplayer Online Games Mo-Che Chan, Shun-Yun Hu and Jehn-Ruey Jiang.

Authentication and Authorization Authentication is the process of verifying a principal’s identity (but how to define “identity”?) –Who the person is –Or,

Topic 22: Digital Schemes (2)

Threshold PKC Shafi Goldwasser and Ran Canetti. Public Key Encryption [DH] A PKC consists of 3 PPT algorithms (G,E,D) - G(1 k ) outputs public key e,

4 th lecture.  Message to be encrypted: HELLO  Key: XMCKL H E L L O message 7 (H) 4 (E) 11 (L) 11 (L) 14 (O) message + 23 (X) 12 (M) 2 (C) 10 (K) 11.

Cryptography Lecture 9 Stefan Dziembowski

Basic Cryptography 1. What is cryptography? Cryptography is a mathematical method of protecting information –Cryptography is part of, but not equal to,

1 Sequential Aggregate Signatures and Multisignatures Without Random Oracles Steve Lu, Rafail Ostrovsky, Amit Sahai, Hovav Shacham, and Brent Waters.

Blind Signatures: Definitions and Constructions Carmit Hazay Yehuda Lindell Bar-Ilan University Jonathan Katz Chiu-Yuen Koo University of Maryland.

CIST/ETRI/ISIT/KDDI/Kyusyu Univ./NICT Joint Research Workshop on Ubiquitous Network Security 2005 Verifier-Based Password-Authenticated Key Exchange Jeong.

A Quick Tour of Cryptographic Primitives Anupam Datta CMU Fall A: Foundations of Security and Privacy.

1 一個新的代理簽章法 A New Proxy Signature Scheme 作者 : 洪國寶, 許琪慧, 郭淑娟與邱文怡報告者 : 郭淑娟.

Prepared by Dr. Lamiaa Elshenawy

Transitive Signatures based on Factoring and RSA Mihir Bellare (University of California, San Diego, USA) Gregory Neven (Katholieke Universiteit Leuven,

Secure Messenger Protocol using AES (Rijndael) Sang won, Lee

Jonathan Katz University of Maryland Andrew Lindell Aladdin Knowledge Systems and Bar-Ilan University 04/08/08 CRYP-108 Aggregate Message- Authentication.

Ryan Henry I 538 /B 609 : Introduction to Cryptography.

Security Proofs for Identity-Based Identification and Signature Schemes Mihir Bellare University of California at San Diego, USA Chanathip Namprempre Thammasat.

多媒體網路安全實驗室 Private Information Retrieval Scheme Combined with E- Payment in Querying Valuable Information Date： Reporter: Chien-Wen Huang 出處:

Mar 18, 2003Mårten Trolin1 Agenda Parts that need to be secured Card authentication Key management.

Quantum tokens for digital signatures

Proxy Blind Signature Scheme

第四章數位簽章.

第四章數位簽章.

A flexible date-attachment scheme on e-cash

CS/ECE 578 Cyber-Security

Digital signatures.

Topic 11: Authenticated Encryption + CCA-Security

On the (Im)possibility of Blind Message Authentication Codes

Cryptography Lecture 26.

Presentation transcript:

On the (Im)possibility of Blind Message Authentication Codes Gregory Neven (Katholieke Universiteit Leuven, Belgium) Joint work with: Michel Abdalla (Ecole Normale Supérieure, France) Chanathip Namprempre (Thammasat University, Thailand)

2 The concept Blind signature scheme:  Kg(1 k ) → (pk, sk)  User(pk, M) ↔ Sign(sk) ↓ s / reject  Verify(pk, M, s) → 0/1 Blind MAC scheme:  Kg(1 k ) → K  User(M) ↔ Tag(K) ↓ t / reject  Verify(K, M, t) → 0/1 Security:  One-more unforgeability [PS96] no PTA can output n+1 valid message-signature (message-tag) pairs after n interactions with signing (tagging) oracle  Blindness [JLO97] no PTA can tell which of two messages was signed (tagged) during which session, even after seeing signatures (tags)

3 Motivation As for standard signatures vs. MACs: efficiency Applicable when signer = verifier, e.g.:  Fairness in two-party computation [Pin03] = first (and only) mention of blind MACs  Online digital cash [Cha82] bank tags and verifies coins using same key K  Voting schemes [FOO92] registered voters get committed vote tagged under key K by the administrator administrator reveals K after voting phase

4 Results  Blind MACs do not exist  Unforgeability and blindness are contradictory  Intuition: users have no way to check whether tagger is using same key in both sessions  Blind MACs do exist if users have shared state OK for [Pin03], probably not for ecash and voting Construction based on (slight variant of) Chaum’s blind signature scheme, letting  K = pk || sk  Tag(K) send pk to user, then execute Sign(sk)  User(M) compare received pk to pk’ in shared state

5 Open problems  Blind MAC schemes using only symmetric primitives (in state-sharing users setting)  … or impossibility thereof by showing that (state- sharing) blind MACs imply blind signatures obvious construction (pk = shared state, sk = K) doesn’t work: how to verify?