Since the time Diffie and Hellman introduced the concept of digital signatures (see Question2.2.2), many signature schemes have been proposed in cryptographic literature. These schemes can be categorized as either conventional digital signature schemes (for example, RSA and DSA) or special signature schemes depending on their security features. In a conventional signature scheme (the original model defined by Diffie and Hellman), we generally assume the following situation:
- The signer knows the contents of the message that he has signed.
- Anyone who knows the public key of the signer can verify the correctness
of the signature at any time without any consent or input from the signer.
(Digital signature schemes with this property are called self-authenticating
- The security of the signature schemes is based on certain complexity-theoretic assumptions.
In some situations, it may be better to relax some of these assumptions, and/or add certain special security features. For example, when Alice asks Bob to sign a certain message, she may not want him to know the contents of the message. In the past decade, a variety of special signature schemes have been developed to fit other security needs that might be desired in different applications. Questions 7.3 through 7.8 deal with some of these special signature schemes.