On the Security of Nominative Signatures

  • Willy Susilo
  • Yi Mu
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3574)


Nominative signatures are the dual scheme of undeniable signatures, where only the nominee can verify the nominator (signer)’s signature and if necessary, only the nominee can prove to the third party that the signature issued to him (her) is valid. The first construction was proposed by Kim, Park and Won [7] and it was shown in the recent work of Huang and Wang in ACISP 2004 [5] that Kim-Park-Won’s scheme does not satisfy the goal of nominative signatures. Moreover, Huang and Wang suggested a new nominative signature scheme in the same paper. They claimed that the new scheme satisfies all requirements of nominative signatures. In this paper, we show that Huang and Wang’s scheme does not satisfy one important property of nominative signatures, namely the nominator (signer) can also verify the validity of the published signature. Moreover, we will show that the nominator can always show to anyone that the signature is indeed a valid signature without any cooperation from the nominee. Hence, the scheme is not nominative, since it does not satisfy the requirements of nominative signatures. Finally, we also discuss the security assumption that needs to be satisfied to obtain secure and efficient nominative signatures.


Cryptography Digital Signatures Nominative Signatures Convertible Untransferable 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Camenisch, J.: Efficient and generalized group signatures. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 465–479. Springer, Heidelberg (1997)Google Scholar
  2. 2.
    Camenisch, J.: Group signature schemes and payment systems based on the discrete logarithm problem. PhD thesis, ETH Zürich (1998)Google Scholar
  3. 3.
    Chaum, D.: Zero-knowledge undeniable signatures. In: Damgård, I.B. (ed.) EUROCRYPT 1990. LNCS, vol. 473, pp. 458–464. Springer, Heidelberg (1991)Google Scholar
  4. 4.
    Diffie, W., Hellman, M.: New directions in cryptography. IEEE IT 22, 644–654 (1976)zbMATHCrossRefMathSciNetGoogle Scholar
  5. 5.
    Huang, Z., Wang, Y.: Convertible Nominative Signatures. In: Wang, H., Pieprzyk, J., Varadharajan, V. (eds.) ACISP 2004. LNCS, vol. 3108, pp. 348–357. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  6. 6.
    Jakobsson, M., Sako, K., Impagliazzo, R.: Designated Verifier Proofs and Their Applications. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 143–154. Springer, Heidelberg (1996)Google Scholar
  7. 7.
    Kim, S.J., Park, S.J., Won, D.H.: Zero-Knowledge Nominative Signatures. In: Proceedings of PragoCrypt 1996, International Conference on the Theory and Applications of Cryptology, pp. 380 – 392 (1996)Google Scholar
  8. 8.
    Michels, M., Stadler, M.: Efficient Convertible Undeniable Signature Schemes. In: Proc. of 4th Annual Workshop on Selected Areas in Cryptography (SAC 1997), pp. 231–244. Springer, Berlin (1997)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Willy Susilo
    • 1
  • Yi Mu
    • 1
  1. 1.Centre for Information Security Research, School of Information Technology and Computer ScienceUniversity of WollongongWollongongAustralia

Personalised recommendations