Nominative signature, introduced by Kim, Park and Won, is a useful cryptographic primitive to limit the publicly verifiable property of ordinary digital signature. In a nominative signature scheme, a nominator and a nominee jointly generate a signature in such a way that only the nominee can check the validity of the signature and further convince a third party of the fact. However, Kim et al.'s Schnorr-based nominative signature scheme was found to be insecure. In this paper, we propose a new nominative signature scheme based on Schnorr signature. Formal proofs are provided to show that our scheme is provably secure under some standard complexity assumptions in the random oracle model.
展开▼
