Paper 2006/007
Further Discussions on the Security of a Nominative Signature Scheme
Lifeng Guo, Guilin Wang, and Duncan S. Wong
Abstract
A nominative signature scheme allows a nominator (or signer) and a nominee (or verifier) to jointly generate and publish a signature in such a way that \emph{only} the nominee can verify the signature and if necessary, \emph{only} the nominee can prove to a third party that the signature is valid. In a recent work, Huang and Wang proposed a new nominative signature scheme which, in addition to the above properties, \emph{only} allows the nominee to convert a nominative signature to a publicly verifiable one. In ACISP 2005, Susilo and Mu presented several algorithms and claimed that these algorithms can be used by the nominator to verify the validity of a published nominative signature, show to a third party that the signature is valid, and also convert the signature to a publicly verifiable one, all \emph{without} any help from the nominee. In this paper, we point out that Susilo and Mu's attacks are actually \emph{incomplete} and {\it inaccurate}. In particular, we show that there exists no efficient algorithm for a nominator to check the validity of a signature if this signature is generated by the nominator and the nominee {\it honestly} and the Decisional Diffie-Hellman Problem is hard. On the other hand, we point out that the Huang-Wang scheme is indeed {\it insecure}, since there is an attack that allows the nominator to generate valid nominative signatures alone and prove the validity of such signatures to a third party.
Metadata
- Available format(s)
- Category
- Public-key cryptography
- Publication info
- Published elsewhere. Unknown where it was published
- Keywords
- Digital SignatureNominative Signature
- Contact author(s)
- lfguo @ amss ac cn
- History
- 2006-01-10: received
- Short URL
- https://ia.cr/2006/007
- License
-
CC BY
BibTeX
@misc{cryptoeprint:2006/007, author = {Lifeng Guo and Guilin Wang and Duncan S. Wong}, title = {Further Discussions on the Security of a Nominative Signature Scheme}, howpublished = {Cryptology {ePrint} Archive, Paper 2006/007}, year = {2006}, url = {https://eprint.iacr.org/2006/007} }