Security reconsideration of the Huang–Wang nominative signature

To prevent potential misuse and to enhance privacy, signatures with restricted verifiability have been recently extensively discussed in the literature. Unlike undeniable signatures and designated verifier signatures, nominative signatures restrict the ability of signature verification and confirmation to a designated verifier only. In this paper, security issues of a nominative signature scheme proposed by Huang and Wang are reconsidered. The first result obtained is that the cryptanalysis reported recently by Susilo and Mu is shown to be incompletely correct; namely, the nominator in fact cannot verify but can only screen signatures, and therefore any third party should not be convinced by the confirmation done by the nominator. The second observation is that the scheme proposed by Huang and Wang may not be as strong as originally claimed. Nevertheless, the overall result is optimistic that the security properties provided by the Huang–Wang nominative signature scheme are sufficient for most applications.