Question 38. What are Special Signature Schemes?

Since the time Diffie and Hellman introduced the concept of digital signatures (see Question 3), many signature schemes have been proposed in cryptographic literature. These schemes can be categorized as either conventional digital signature schemes (e.g., RSA, DSA) or special signature schemes depending on their security features.

In a conventional signature scheme (the original model defined by Diffie and Hellman), we generally assume the following situation:

• The signer knows the contents of the message that he has signed.
• Anyone who knows the public key of the signer can verify the correctness of the signature at any time without any consent or input from the signer. (Digital signature schemes with this property are called self-authenticating signature schemes.)
• The security of the signature schemes (i.e., hard to forge, non-repudiation, see Question 3) is based on certain complexity-theoretic assumptions.

In some situations, it may be better to relax some of these assumptions, and/or add certain special security features. For example, when Alice asks Bob to sign a certain message, she may not want him to know the contents of the message. In the past decade, a variety of special signature schemes have been developed to fit security needs in different applications. More examples of such special schemes are given in Question 39 through Question 44 in alphabetic order.