1. On the (Im)possibility of Blind Message Authentication Codes Gregory Neven (Katholieke Universiteit Leuven, Belgium) Joint work with: Michel Abdalla (Ecole Normale Supérieure, France) Chanathip Namprempre (Thammasat University, Thailand)

2. 2 The concept Blind signature scheme:  Kg(1 k ) → (pk, sk)  User(pk, M) ↔ Sign(sk) ↓ s / reject  Verify(pk, M, s) → 0/1 Blind MAC scheme:  Kg(1 k ) → K  User(M) ↔ Tag(K) ↓ t / reject  Verify(K, M, t) → 0/1 Security:  One-more unforgeability [PS96] no PTA can output n+1 valid message-signature (message-tag) pairs after n interactions with signing (tagging) oracle  Blindness [JLO97] no PTA can tell which of two messages was signed (tagged) during which session, even after seeing signatures (tags)

3. 3 Motivation As for standard signatures vs. MACs: efficiency Applicable when signer = verifier, e.g.:  Fairness in two-party computation [Pin03] = first (and only) mention of blind MACs  Online digital cash [Cha82] bank tags and verifies coins using same key K  Voting schemes [FOO92] registered voters get committed vote tagged under key K by the administrator administrator reveals K after voting phase

4. 4 Results  Blind MACs do not exist  Unforgeability and blindness are contradictory  Intuition: users have no way to check whether tagger is using same key in both sessions  Blind MACs do exist if users have shared state OK for [Pin03], probably not for ecash and voting Construction based on (slight variant of) Chaum’s blind signature scheme, letting  K = pk || sk  Tag(K) send pk to user, then execute Sign(sk)  User(M) compare received pk to pk’ in shared state

5. 5 Open problems  Blind MAC schemes using only symmetric primitives (in state-sharing users setting)  … or impossibility thereof by showing that (state- sharing) blind MACs imply blind signatures obvious construction (pk = shared state, sk = K) doesn’t work: how to verify?