On the security of nominative signatures

Nominative signatures are the dual scheme of undeniable signatures, where only the nominee can verify the nominator (signer)'s signature and if necessary, only the nominee can prove to the third party that the signature issued to him (her) is valid. The first construction was proposed by Kim, Park and Won [7] and it was shown in the recent work of Huang and Wang in ACISP 2004 [51 that Kim-Park-Won's scheme does not satisfy the goal of nominative signatures. Moreover, Huang and Wang suggested a new nominative signature scheme in the same paper. They claimed that the new scheme satisfies all requirements of nominative signatures. In this paper, we show that Huang and Wang's scheme does not satisfy one important property of nominative signatures, namely the nominator (signer) can also verify the validity of the published signature. Moreover, we will show that the nominator can always show to anyone that the signature is indeed a valid signature without any cooperation from the nominee. Hence, the scheme is not nominative, since it does not satisfy the requirements of nominative signatures. Finally, we also discuss the security assumption that needs to be satisfied to obtain secure and efficient nominative signatures.