A nominative signature scheme allows a nominator (i.e. the signer) and a nominee (i.e. a designated verifier) to jointly generate and publish a signature so that only the nominee can check the validity of a nominative signature and further convince a third party to accept this fact. Recently, Huang and Wang proposed a new scheme of this kind at ACISP 2004, and claimed that their scheme is secure under some standard computational assumptions. In this paper, we remark that their scheme is not in fact a nominative signature, since it fails to meet the crucial security requirement: verification untransferability. Specifically, we identify an adaptively chosen-message attack against their scheme such that the nominator can determine the validity of a new message-signature pair with some indirect help from the nominee. Moreover, we point out that, using our attack, the nominator is further able to demonstrate the validity of nominative signatures to a third party. Therefore, the Huang-Wang scheme does not meet confirmation/disavowal untransferability either. © 2007 International Federation for Information Processing.
CITATION STYLE
Wang, G., & Bao, F. (2007). Security remarks on a convertible nominative signature scheme. In IFIP International Federation for Information Processing (Vol. 232, pp. 265–275). https://doi.org/10.1007/978-0-387-72367-9_23