### Question 38. What are Special Signature
Schemes?

Since the time Diffie and Hellman introduced the concept of digital
signatures (see Question 3), many signature schemes
have been proposed in cryptographic literature. These schemes can be categorized
as either conventional digital signature schemes (e.g., RSA, DSA) or special
signature schemes depending on their security features.

In a *conventional signature scheme* (the original model defined
by Diffie and Hellman), we generally assume the following situation:

- The signer knows the contents of the message that he has signed.
- Anyone who knows the public key of the signer can verify the correctness
of the signature at any time without any consent or input from the signer.
(Digital signature schemes with this property are called
*self-authenticating
signature schemes*.)
- The security of the signature schemes (i.e., hard to forge, non-repudiation,
see Question 3) is based on certain complexity-theoretic
assumptions.

In some situations, it may be better to relax some of these assumptions,
and/or add certain special security features. For example, when Alice asks
Bob to sign a certain message, she may not want him to know the contents
of the message. In the past decade, a variety of special signature schemes
have been developed to fit security needs in different applications. More
examples of such special schemes are given in Question
39 through Question 44 in alphabetic order.