1. On the (Im)possibility of Blind Message Authentication Codes
Gregory Neven (Katholieke Universiteit Leuven & Ecole Normale Supérieure) joint work with Michel Abdalla (Ecole Normale Supérieure) Chanathip Namprempre (Thammasat University)

2. Authentication primitives
Asymmetric: digital signatures
Symmetric: message authentication codes (MACs)
advantage: about 100 times faster sk pk
M, s
s = Sign(sk, M)
Verify(pk, M, s) = 1 ? K K
M, t
t = Tag(K, M)
Verify(K, M, t) = 1 ?

3. Blind signatures Asymmetric: blind signatures
Anonymity-providing ingredient in various crypto protocols, e.g. digital cash, electronic voting,… pk sk
pk, M
M, s
Sign(sk)
s = User(pk, M)
Verify(pk, M, s) = 1 ?

4. Blind signatures Asymmetric: blind signatures
Anonymity-providing ingredient in various crypto protocols, e.g. digital cash, electronic voting,…
Symmetric: blind MACs? pk sk
pk, M
M, s
Sign(sk)
s = User(pk, M)
Verify(pk, M, s) = 1 ? K M K
M, t
Tag(K)
t = User(M)
Verify(K, M, t) = 1 ?

5. Applications of blind MACs: digital cash
Main motivation: efficiency
Example 1: online digital cash [Chaum 82] sk
pk,$
Sign(sk)
User(pk, $)
Verify(pk, $, s) = 1 ? $ already spent? $ $
ok/nok
Verify(pk, $, s) = 1 ?

6. Applications of blind MACs: digital cash
Main motivation: efficiency
Example 1: online digital cash [Chaum 82] sk K
pk,$
Sign(sk) Tag(K)
User(pk, $) K
Verify(pk, $, t) = 1 ? $ already spent? $ $
ok/nok
Verify(pk, $, s) = 1 ?

7. Applications of blind MACs: electronic voting
Example 2: electronic voting [FOO 92]
1. Administrator blindly signs commitments to votes 2. Voters anonymously post signed vote commitments 3. Voters anonymously open votes 4. Public counting and verification

8. Applications of blind MACs: electronic voting
Example 2: electronic voting [FOO 92]
1. Administrator blindly signs tags commitments to votes 2. Voters anonymously post signed tagged vote commitments 3. Administrator publishes MAC key 4. Voters anonymously open votes 5. Public counting and verification

9. Applications of blind MACs: electronic voting
Example 2: electronic voting [FOO 92]
1. Administrator blindly signs tags commitments to votes 2. Voters anonymously post signed tagged vote commitments 3. Administrator publishes MAC key 4. Voters anonymously open votes 5. Public counting and verification
Example 3: fair secure two-party computation [Pinkas 03]
circuit constructor blindly signs bit commitments provided by evaluator, and later verifies own signature on actual outputs

10. Our contributions Main result: blind MACs do not exist
formal syntax and security definitions
proof that unforgeability and blindness cannot be simultaneously satisfied
Blind MACs do exist if users can share state
example scheme based on blind signatures (so no performance benefits!)
stronger, more natural blindness definition for blind signatures + proof for modified Chaum blind signatures

11. Syntax and security of blind signatures1k Kg
pk,sk sk
Sign
User
pk,M
pk,M,s
Verify
0/1
s /
One-more unforgeability [PS 96]
Blindness [JLO 97] pk
pk,sk
M0, M1
b R {0,1} F A
User(pk,Mb)
Sign(sk)
User(pk,M1-b)
User(pk,M1-b)
(n times)
s0, s1
(M1,s1),…,(Mn+1,sn+1) b’
A wins iff Verify(pk,Mi,si)=1 for i=1..n+1
A wins iff b’=b

12. Syntax and security of blind MACs1k Kg
pk,sk K
sk K
Sign
User
pk,M 1k
pk,M,t K
Verify
0/1
Tag
t /
One-more unforgeability
Blindness
pk 1k
pk,sk K
M0, M1
b R {0,1} F A
User(pk,Mb) 1k
Sign(sk)
Tag(K)
User(pk,M1-b)
User(pk,M1-b) 1k
(n times)
t0, t1
(M1,t1),…,(Mn+1,tn+1) b’
A wins iff Verify(pk,Mi,ti)=1 for i=1..n+1
A wins iff b’=b K

13. Advblind(k) + Advomu(k) = 1
Impossibility proof
Intuition: user does not have a public key so cannot check whether resulting tag is valid or whether tagger used same key in both sessions K 1k A
M0, M1
b R {0,1} F
K0 R Kg(1k) K1 R Kg(1k)
User(1k,Mb)
Tag(K0)
User(1k,M1-b)
Tag(K1)
So all is lost? Not entirely, maybe weaker blindness notions are achievable. For example…
t0, t1
K’ R Kg(1k)
t Tag(K’,M)
If Verify(K0,M0,t0) = 1
then b’=0 else b’=1 b’
(M,t)
Advblind(k) + Advomu(k) = 1
A F

14. Picking up the pieces: state-sharing users
Attack does not go through when users have common state
Reasonable? Provably secure constructions? K A
M0, M1
b R {0,1}
K0 R Kg(1k) K1 R Kg(1k)
User(1k,Mb)
State
e.g. if K0 ≠ K1
Tag(K0)
User(1k,M1-b)
Tag(K1)
t0, t1
If Verify(K0,M0,t0) = 1
then b’=0 else b’=1 b’

15. Possibility of blind MACs for state-sharing users
Reasonable?
probably not for digital cash, electronic voting perfectly reasonable for fair two-party computation [Pinkas 03]
Theoretical construction proving existence:
given BSig = (KgS, SignS, UserS, VerifyS) construct BMAC = (KgM, TagM, UserM, VerifyM) by letting K = (pk,sk) and storing pk in shared state:
KgM(1k): Run (pk,sk) R KgS(1k) and return K = (pk,sk) TagM(K): Parse K as (pk,sk), send pk to user, run SignS(sk) UserM(1k,M): Reject if received pk different from pk’ in shared state Run UserS(pk,M) until outputs s, return t = s VerifyM(K,M,t): Parse K as (pk,sk), return VerifyS(pk,M,t)

16. Dishonest-key blindness
Need stronger/more natural blindness notion for blind signatures:
Satisfied by Chaum’s blind signatures if e prime and e > N
[CPP04]: any e coprime with φ(N)
pk,sk 1k
M0, M1, pk
b R {0,1} A
User(pk,Mb)
User(pk,M1-b)
User(pk,M1-b)
s0, s1 b’

17. Conclusions and open problems
Main results:
impossibility of blind MACs in most general/useful setting
possibility of blind MACs when users can share state
Ongoing work:
relation between honest-key and dishonest-key blindness
Open problems:
efficient blind MACs for state-sharing users (or impossibility thereof: blind MACs blind signatures?)
possibility of blind MACs in other models