Paper 2006/007

Further Discussions on the Security of a Nominative Signature Scheme

Lifeng Guo, Guilin Wang, and Duncan S. Wong

Abstract

A nominative signature scheme allows a nominator (or signer) and a nominee (or verifier) to jointly generate and publish a signature in such a way that only the nominee can verify the signature and if necessary, only the nominee can prove to a third party that the signature is valid. In a recent work, Huang and Wang proposed a new nominative signature scheme which, in addition to the above properties, only allows the nominee to convert a nominative signature to a publicly verifiable one. In ACISP 2005, Susilo and Mu presented several algorithms and claimed that these algorithms can be used by the nominator to verify the validity of a published nominative signature, show to a third party that the signature is valid, and also convert the signature to a publicly verifiable one, all without any help from the nominee. In this paper, we point out that Susilo and Mu's attacks are actually incomplete and inaccurate. In particular, we show that there exists no efficient algorithm for a nominator to check the validity of a signature if this signature is generated by the nominator and the nominee honestly and the Decisional Diffie-Hellman Problem is hard. On the other hand, we point out that the Huang-Wang scheme is indeed insecure, since there is an attack that allows the nominator to generate valid nominative signatures alone and prove the validity of such signatures to a third party.

Metadata
Available format(s)
PDF
Category
Public-key cryptography
Publication info
Published elsewhere. Unknown where it was published
Keywords
Digital Signature, Nominative Signature
Contact author(s)
lfguo @ amss ac cn
History
2006-01-10: received
Short URL
https://ia.cr/2006/007
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2006/007,
      author = {Lifeng Guo and Guilin Wang and Duncan S.  Wong},
      title = {Further Discussions on the Security of a Nominative Signature Scheme},
      howpublished = {Cryptology ePrint Archive, Paper 2006/007},
      year = {2006},
      note = {\url{https://eprint.iacr.org/2006/007}},
      url = {https://eprint.iacr.org/2006/007}
}