On the (Im)possibility of Blind Message Authentication Codes

Learn more at: http://www.neven.org

1
On the (Im)possibility of Blind Message Authentication Codes
  • Gregory Neven (Katholieke Universiteit Leuven & Ecole Normale Supérieure)
  • joint work with Michel Abdalla (Ecole Normale Supérieure) and Chanathip Namprempre (Thammasat University)

2
Authentication primitives
  • Asymmetric: digital signatures
  • Symmetric: message authentication codes (MACs)
  • advantage: about 100 times faster

[Diagram labels, signatures: sk; pk; M, s; s ← Sign(sk, M); Verify(pk, M, s) = 1 ?]
[Diagram labels, MACs: K; K; M, t; t ← Tag(K, M); Verify(K, M, t) = 1 ?]
3
Blind signatures
  • Asymmetric: blind signatures
  • Anonymity-providing ingredient in various crypto protocols, e.g. digital cash, electronic voting

[Diagram labels: pk; sk; pk, M; M, s; Verify(pk, M, s) = 1 ?; Sign(sk); s ← User(pk, M)]
4
Blind signatures
  • Asymmetric: blind signatures
  • Anonymity-providing ingredient in various crypto protocols, e.g. digital cash, electronic voting
  • Symmetric: blind MACs?

[Diagram labels, blind signatures: pk; sk; pk, M; M, s; Verify(pk, M, s) = 1 ?; Sign(sk); s ← User(pk, M)]
[Diagram labels, blind MACs: K; M; K; M, t; Tag(K); t ← User(M); Verify(K, M, t) = 1 ?]
5
Applications of blind MACs: digital cash
  • Main motivation: efficiency
  • Example 1: online digital cash [Chaum 82]

[Diagram labels: sk; pk, ; User(pk, ); Sign(sk); Verify(pk, , s) = 1 ? already spent?; ok/nok; Verify(pk, , s) = 1 ?]
6
Applications of blind MACs: digital cash
  • Main motivation: efficiency
  • Example 1: online digital cash [Chaum 82]

[Diagram labels: sk; pk, ; K; User(pk, ); Tag(K) (replacing Sign(sk)); K; Verify(pk, , t) = 1 ? already spent?; ok/nok; Verify(pk, , s) = 1 ?]
7
Applications of blind MACs: electronic voting
  • Example 2: electronic voting [FOO 92]
    1. Administrator blindly signs commitments to votes
    2. Voters anonymously post signed vote commitments
    3. Voters anonymously open votes
    4. Public counting and verification

8
Applications of blind MACs: electronic voting
  • Example 2: electronic voting [FOO 92]
    1. Administrator blindly tags (was: signs) commitments to votes
    2. Voters anonymously post tagged (was: signed) vote commitments
    3. Administrator publishes MAC key
    4. Voters anonymously open votes
    5. Public counting and verification

9
Applications of blind MACs: electronic voting
  • Example 2: electronic voting [FOO 92]
    1. Administrator blindly tags (was: signs) commitments to votes
    2. Voters anonymously post tagged (was: signed) vote commitments
    3. Administrator publishes MAC key
    4. Voters anonymously open votes
    5. Public counting and verification
  • Example 3: fair secure two-party computation [Pinkas 03]
  • circuit constructor blindly signs bit commitments provided by evaluator, and later verifies own signature on actual outputs

10
Our contributions
  • Main result: blind MACs do not exist
  • formal syntax and security definitions
  • proof that unforgeability and blindness cannot be simultaneously satisfied
  • Blind MACs do exist if users can share state
  • example scheme based on blind signatures (so no performance benefits!)
  • stronger, more natural blindness definition for blind signatures; proof for modified Chaum blind signatures

11
Syntax and security of blind signatures
[Diagram labels, syntax: Kg; Sign; User; Verify; 1^k; pk,sk; sk; pk,M; pk,M,s; 0/1; s /]
One-more unforgeability [PS 96]
[Diagram labels: pk; F; Sign(sk) (n times); (M_1,s_1),…,(M_{n+1},s_{n+1}); A wins iff Verify(pk,M_i,s_i) = 1 for i = 1..n+1]
Blindness [JLO 97]
[Diagram labels: pk,sk; A; M_0, M_1; b ←R {0,1}; User(pk,M_b); User(pk,M_{1-b}); s_0, s_1; b'; A wins iff b' = b]
12
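Syntax and security of blind MACs
[Diagram labels, syntax, with the blind-signature notation replaced by its MAC counterpart: Kg; Tag (replacing Sign); User; Verify; 1^k; K (replacing pk,sk); 1^k,M (replacing pk,M); K,M,t (replacing pk,M,s); 0/1; t /]
One-more unforgeability
[Diagram labels: 1^k (replacing pk); F; Tag(K) (replacing Sign(sk)) (n times); (M_1,t_1),…,(M_{n+1},t_{n+1}); A wins iff Verify(K,M_i,t_i) = 1 for i = 1..n+1]
Blindness
[Diagram labels: K (replacing pk,sk); A; M_0, M_1; b ←R {0,1}; User(1^k,M_b); User(1^k,M_{1-b}); t_0, t_1; b'; A wins iff b' = b]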
13
Impossibility proof
  • Intuition: user does not have a public key, so cannot check whether resulting tag is valid or whether tagger used same key in both sessions

[Diagram labels, blindness adversary A: K; M_0, M_1; b ←R {0,1}; K_0 ←R Kg(1^k), K_1 ←R Kg(1^k); User(1^k,M_b) with Tag(K_0); User(1^k,M_{1-b}) with Tag(K_1); t_0, t_1; If Verify(K_0,M_0,t_0) = 1 then b' ← 0 else b' ← 1; b']
[Diagram labels, forger F: 1^k; K ←R Kg(1^k), t ← Tag(K,M); (M,t)]
Adv^blind_A(k) Adv^omu_F(k) 1
14
Picking up the pieces: state-sharing users
  • Attack does not go through when users have common state
  • Reasonable? Provably secure constructions?

[Diagram labels: K; M_0, M_1; b ←R {0,1}; A; K_0 ←R Kg(1^k), K_1 ←R Kg(1^k); User(1^k,M_b) with Tag(K_0); User(1^k,M_{1-b}) with Tag(K_1); t_0, t_1; If Verify(K_0,M_0,t_0) = 1 then b' ← 0 else b' ← 1; b']
15
Possibility of blind MACs for state-sharing users
  • Reasonable?
  • probably not for digital cash, electronic voting
  • perfectly reasonable for fair two-party computation [Pinkas 03]
  • Theoretical construction proving existence
  • given BSig = (KgS, SignS, UserS, VerifyS), construct BMAC = (KgM, TagM, UserM, VerifyM) by letting K = (pk,sk) and storing pk in shared state
  • KgM(1^k): Run (pk,sk) ←R KgS(1^k) and return K = (pk,sk)
  • TagM(K): Parse K as (pk,sk), send pk to user, run SignS(sk)
  • UserM(1^k,M): Reject if received pk different from pk in shared state. Run UserS(pk,M) until outputs s, return t ← s
  • VerifyM(K,M,t): Parse K as (pk,sk), return VerifyS(pk,M,t)
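
The slide-13 attack run against the slide-15 construction, as an added example that is not part of the original slides: the tagger uses K0 in one session and K1 in the other and recovers b, while a user holding pk in shared state rejects the second session. Assumptions: BSig is instantiated with textbook Chaum RSA blind signatures over fixed Mersenne primes (constructed toy parameters, not secure), and `kg`, `session`, `adversary_guess` and `shared_pk` are hypothetical names.

```python
import hashlib
import secrets

E = 65537

def kg(p, q):
    """KgM: K = (pk, sk) = ((N, e), d). Textbook RSA, toy parameters (assumption)."""
    n = p * q
    return (n, E, pow(E, -1, (p - 1) * (q - 1)))

# Constructed keys from fixed Mersenne primes; the malicious tagger holds both.
K0 = kg(2**61 - 1, 2**89 - 1)
K1 = kg(2**107 - 1, 2**127 - 1)

def h(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def verify(key, msg, tag):
    """VerifyM(K, M, t): parse K as (pk, sk), return VerifyS(pk, M, t)."""
    n, e, _ = key
    return pow(tag, e, n) == h(msg, n)

def session(key, msg, shared_pk=None):
    """One TagM(K) <-> UserM(1^k, M) run; returns the tag, or None on reject."""
    n, e, d = key                               # tagger -> user: pk = (N, e)
    if shared_pk is not None and shared_pk != (n, e):
        return None                             # pk differs from shared state
    r = secrets.randbelow(n - 2) + 2            # user's blinding factor
    blinded = h(msg, n) * pow(r, e, n) % n      # user -> tagger
    signed = pow(blinded, d, n)                 # tagger -> user
    return signed * pow(r, -1, n) % n           # unblinded tag t = H(M)^d mod N

def adversary_guess(b, shared_pk=None):
    """Slide-13 adversary A: Tag(K0) in session 1, Tag(K1) in session 2."""
    m = [b"M0", b"M1"]
    first = session(K0, m[b], shared_pk)        # User(1^k, M_b)
    second = session(K1, m[1 - b], shared_pk)   # User(1^k, M_{1-b})
    if first is None or second is None:
        return None                             # a user rejected: no tags to test
    t0 = first if b == 0 else second            # A receives t0 on M0, t1 on M1
    return 0 if verify(K0, m[0], t0) else 1     # b' <- 0 if Verify(K0, M0, t0) = 1

if __name__ == "__main__":
    for b in (0, 1):
        print(b, adversary_guess(b), adversary_guess(b, shared_pk=K0[:2]))
```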

16
Dishonest-key blindness
  • Need stronger/more natural blindness notion for blind signatures
  • Satisfied by Chaum's blind signatures if e prime and e > N
  • [CPP04]: any e coprime with φ(N)

[Diagram labels: 1^k (replacing pk,sk); A; M_0, M_1, pk; b ←R {0,1}; User(pk,M_b); User(pk,M_{1-b}); s_0, s_1; b']
17
Conclusions and open problems
  • Main results
  • impossibility of blind MACs in most general/useful setting
  • possibility of blind MACs when users can share state
  • Ongoing work
  • relation between honest-key and dishonest-key blindness
  • Open problems
  • efficient blind MACs for state-sharing users (or impossibility thereof blind MACs blind signatures?)
  • possibility of blind MACs in other models