Further discussions on the security of a nominative signature scheme

A nominative signature scheme allows a nominator (or signer) and a nominee (or verifier) to jointly generate and publish a signature in such a way that only the nominee can verify the signature and if necessary, only the nominee can prove to a third party that the signature is valid. In a recent work, Huang and Wang proposed a new nominative signature scheme which, in addition to the above properties, only allows the nominee to convert a nominative signature to a publicly verifiable one. In ACISP 2005, Susilo and Mu presented several algorithms and claimed that these algorithms can be used by the nominator to verify the validity of a published nominative signature, show to a third party that the signature is valid, and also convert the signature to a publicly verifiable one, all without any help from the nominee. In this paper, we point out that Sušilo and Mu's attacks are actually incomplete and inaccurate. In particular, we show that there exists no efficient algorithm for a nominator to check the validity of a signature if this signature is generated by the nominator and the nominee honestly and the Decisional Diffie-Hellman Problem is hard. On the other hand, we point out that the Huang-Wang scheme is indeed insecure, since there is an attack that allows the nominator to generate valid nominative signatures alone and prove the validity of such signatures to a third party.