## CryptoDB

### Paper: Further Discussions on the Security of a Nominative Signature Scheme

Authors: Lifeng Guo Guilin Wang Duncan S. Wong URL: http://eprint.iacr.org/2006/007 Search ePrint Search Google A nominative signature scheme allows a nominator (or signer) and a nominee (or verifier) to jointly generate and publish a signature in such a way that \emph{only} the nominee can verify the signature and if necessary, \emph{only} the nominee can prove to a third party that the signature is valid. In a recent work, Huang and Wang proposed a new nominative signature scheme which, in addition to the above properties, \emph{only} allows the nominee to convert a nominative signature to a publicly verifiable one. In ACISP 2005, Susilo and Mu presented several algorithms and claimed that these algorithms can be used by the nominator to verify the validity of a published nominative signature, show to a third party that the signature is valid, and also convert the signature to a publicly verifiable one, all \emph{without} any help from the nominee. In this paper, we point out that Susilo and Mu's attacks are actually \emph{incomplete} and {\it inaccurate}. In particular, we show that there exists no efficient algorithm for a nominator to check the validity of a signature if this signature is generated by the nominator and the nominee {\it honestly} and the Decisional Diffie-Hellman Problem is hard. On the other hand, we point out that the Huang-Wang scheme is indeed {\it insecure}, since there is an attack that allows the nominator to generate valid nominative signatures alone and prove the validity of such signatures to a third party.
##### BibTeX
@misc{eprint-2006-21501,
title={Further Discussions on the Security of a Nominative Signature Scheme},
booktitle={IACR Eprint archive},
keywords={public-key cryptography / Digital Signature, Nominative Signature},
url={http://eprint.iacr.org/2006/007},
note={ lfguo@amss.ac.cn 13154 received 5 Jan 2006},
author={Lifeng Guo and Guilin Wang and Duncan S. Wong},
year=2006
}