Nominative signature : applications, security models and constructions

Abstract

A signer in a Nominative Signature (NS) scheme can arbitrarily choose a nominee, then jointly generate a signature in such a way that the signature can only be verified with the nominee’s consent and the nominator cannot check or prove to others the validity of the signature. Since its introduction in 1996, there have been only a few constructions proposed and all of them have already been found flawed. In addition, there is no formal security model defined for nominative signature. Even more problematic, there is no convincing application proposed. Due to these problems, the research of nominative signature has almost stalled and it is unknown if a secure nominative signature scheme can be built or there exists an application for it. In this thesis, we investigate these problems and provide positive answers to them. First, we find that nominative signature has more desirable properties for building a user certification system than universal designated-verifier signature which is originally believed to be one of the best implementations of the user certification system. Second, we propose a suite of formal definitions and rigorous security models for nominative signature. Third, we construct four concrete nominative signature schemes. We show that all of our constructions are efficient and suitable for different target applications. In addition, all the constructions are proven secure under the adversarial models we defined.