On the (Im)possibility of Blind Message Authentication Codes

1
On the (Im)possibility of Blind Message Authentication Codes
  • Gregory Neven (Katholieke Universiteit Leuven, Belgium)
  • Joint work with Michel Abdalla (Ecole Normale Supérieure, France) and Chanathip Namprempre (Thammasat University, Thailand)

2
The concept
  • Blind signature scheme
      • Kg(1^k) → (pk, sk)
      • User(pk, M) ↔ Sign(sk) → s / reject
      • Verify(pk, M, s) → 0/1
  • Blind MAC scheme
      • Kg(1^k) → K
      • User(M) ↔ Tag(K) → t / reject
      • Verify(K, M, t) → 0/1
  • Security
      • One-more unforgeability [PS96]
          • no PTA can output n+1 valid message-signature (message-tag) pairs after n interactions with signing (tagging) oracle
      • Blindness [JLO97]
          • no PTA can tell which of two messages was signed (tagged) during which session, even after seeing signatures (tags)

3
Motivation
  • As for standard signatures vs. MACs: efficiency
  • Applicable when signer = verifier, e.g.
      • Fairness in two-party computation [Pin03]
          • first (and only) mention of blind MACs
      • Online digital cash [Cha82]
          • bank tags and verifies coins using same key K
      • Voting schemes [FOO92]
          • registered voters get committed vote tagged under key K by the administrator
          • administrator reveals K after voting phase

4
Results
  • Blind MACs do not exist
      • Unforgeability and blindness are contradictory
      • Intuition: users have no way to check whether tagger is using same key in both sessions
  • Blind MACs do exist if users have shared state
      • OK for [Pin03], probably not for ecash and voting
      • Construction based on (slight variant of) Chaum's blind signature scheme, letting
          • K = (pk, sk)
          • Tag(K): send pk to user, then execute Sign(sk)
          • User(M): compare received pk to pk' in shared state
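
An added sketch (not from the slides or the authors' paper) of the shared-state construction above, using textbook full-domain-hash RSA blind signatures as a stand-in for the "slight variant" of Chaum's scheme; the toy keys, function names and message strings are constructed assumptions. `link_without_shared_state` illustrates the intuition bullet: if users accept whatever pk the tagger sends, a tagger that switches keys between sessions can tell sessions apart by which key the final tag verifies under.

```python
import hashlib, secrets
from math import gcd

def keygen(p, q, e=65537):
    n = p * q
    return {"pk": (n, e), "sk": (n, pow(e, -1, (p - 1) * (q - 1)))}  # K = (pk, sk)

# Constructed toy keys from well-known Mersenne primes: illustration only, not secure.
K1 = keygen(2**61 - 1, 2**89 - 1)
K2 = keygen(2**107 - 1, 2**127 - 1)

def H(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def user_blind(pk_received, pk_shared, msg):
    # Shared-state check: reject a tagger whose pk differs from the users' pk'.
    if pk_received != pk_shared:
        return None
    n, e = pk_shared
    r = secrets.randbelow(n - 2) + 2
    while gcd(r, n) != 1:
        r = secrets.randbelow(n - 2) + 2
    return (H(msg, n) * pow(r, e, n)) % n, r  # blinded message, blinding factor

def tag_sign(K, blinded):
    n, d = K["sk"]
    return pow(blinded, d, n)

def verify(K, msg, t):
    n, e = K["pk"]
    return pow(t, e, n) == H(msg, n)

def run_session(K_tagger, pk_shared, msg):
    """One User <-> Tag session: returns the tag t, or None if the user rejects."""
    out = user_blind(K_tagger["pk"], pk_shared, msg)
    if out is None:
        return None
    blinded, r = out
    n = pk_shared[0]
    return (tag_sign(K_tagger, blinded) * pow(r, -1, n)) % n  # unblind

def link_without_shared_state(Ka, Kb, msgs):
    # No shared state: each user trusts the pk it was sent (Ka in session 0, Kb in 1).
    tags = [run_session(K, K["pk"], m) for K, m in zip((Ka, Kb), msgs)]
    # The tagger checks each final tag under Ka: only session 0's tag verifies.
    return [verify(Ka, m, t) for m, t in zip(msgs, tags)]
```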

5
Open problems
  • Blind MAC schemes using only symmetric primitives (in state-sharing users setting)
      • or impossibility thereof by showing that (state-sharing) blind MACs imply blind signatures
      • obvious construction (pk = shared state, sk = K) doesn't work: how to verify?