CryptoDB
Further Discussions on the Security of a Nominative Signature Scheme
Authors: | |
---|---|
Download: | |
Abstract: | A nominative signature scheme allows a nominator (or signer) and a nominee (or verifier) to jointly generate and publish a signature in such a way that \emph{only} the nominee can verify the signature and if necessary, \emph{only} the nominee can prove to a third party that the signature is valid. In a recent work, Huang and Wang proposed a new nominative signature scheme which, in addition to the above properties, \emph{only} allows the nominee to convert a nominative signature to a publicly verifiable one. In ACISP 2005, Susilo and Mu presented several algorithms and claimed that these algorithms can be used by the nominator to verify the validity of a published nominative signature, show to a third party that the signature is valid, and also convert the signature to a publicly verifiable one, all \emph{without} any help from the nominee. In this paper, we point out that Susilo and Mu's attacks are actually \emph{incomplete} and {\it inaccurate}. In particular, we show that there exists no efficient algorithm for a nominator to check the validity of a signature if this signature is generated by the nominator and the nominee {\it honestly} and the Decisional Diffie-Hellman Problem is hard. On the other hand, we point out that the Huang-Wang scheme is indeed {\it insecure}, since there is an attack that allows the nominator to generate valid nominative signatures alone and prove the validity of such signatures to a third party. |
BibTeX
@misc{eprint-2006-21501, title={Further Discussions on the Security of a Nominative Signature Scheme}, booktitle={IACR Eprint archive}, keywords={public-key cryptography / Digital Signature, Nominative Signature}, url={http://eprint.iacr.org/2006/007}, note={ lfguo@amss.ac.cn 13154 received 5 Jan 2006}, author={Lifeng Guo and Guilin Wang and Duncan S. Wong}, year=2006 }