On the Security of Nominative Signatures
Nominative signatures are the dual scheme of undeniable signatures, where only the nominee can verify the nominator (signer)’s signature and if necessary, only the nominee can prove to the third party that the signature issued to him (her) is valid. The first construction was proposed by Kim, Park and Won  and it was shown in the recent work of Huang and Wang in ACISP 2004  that Kim-Park-Won’s scheme does not satisfy the goal of nominative signatures. Moreover, Huang and Wang suggested a new nominative signature scheme in the same paper. They claimed that the new scheme satisfies all requirements of nominative signatures. In this paper, we show that Huang and Wang’s scheme does not satisfy one important property of nominative signatures, namely the nominator (signer) can also verify the validity of the published signature. Moreover, we will show that the nominator can always show to anyone that the signature is indeed a valid signature without any cooperation from the nominee. Hence, the scheme is not nominative, since it does not satisfy the requirements of nominative signatures. Finally, we also discuss the security assumption that needs to be satisfied to obtain secure and efficient nominative signatures.
KeywordsCryptography Digital Signatures Nominative Signatures Convertible Untransferable
Unable to display preview. Download preview PDF.
- 1.Camenisch, J.: Efficient and generalized group signatures. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 465–479. Springer, Heidelberg (1997)Google Scholar
- 2.Camenisch, J.: Group signature schemes and payment systems based on the discrete logarithm problem. PhD thesis, ETH Zürich (1998)Google Scholar
- 3.Chaum, D.: Zero-knowledge undeniable signatures. In: Damgård, I.B. (ed.) EUROCRYPT 1990. LNCS, vol. 473, pp. 458–464. Springer, Heidelberg (1991)Google Scholar
- 6.Jakobsson, M., Sako, K., Impagliazzo, R.: Designated Verifier Proofs and Their Applications. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 143–154. Springer, Heidelberg (1996)Google Scholar
- 7.Kim, S.J., Park, S.J., Won, D.H.: Zero-Knowledge Nominative Signatures. In: Proceedings of PragoCrypt 1996, International Conference on the Theory and Applications of Cryptology, pp. 380 – 392 (1996)Google Scholar
- 8.Michels, M., Stadler, M.: Efficient Convertible Undeniable Signature Schemes. In: Proc. of 4th Annual Workshop on Selected Areas in Cryptography (SAC 1997), pp. 231–244. Springer, Berlin (1997)Google Scholar