A nominative signature scheme allows a nominator (or signer) and a nominee (or verifier) to jointly generate and publish a signature in such a way that only the nominee can verify the signature and, if necessary, only the nominee can prove to a third party that the signature is valid. In a recent work, Huang and Wang proposed a new nominative signature scheme which, in addition to the above properties, allows only the nominee to convert a nominative signature to a publicly verifiable one. In ACISP 2005, Susilo and Mu presented several algorithms and claimed that these algorithms can be used by the nominator to verify the validity of a published nominative signature, show to a third party that the signature is valid, and also convert the signature to a publicly verifiable one, all without any help from the nominee. In this paper, we point out that Susilo and Mu’s attacks are actually incomplete and inaccurate. In particular, we show that there exists no efficient algorithm for a nom...
Lifeng Guo, Guilin Wang, Duncan S. Wong, Lei Hu