### What are
Special Signature Schemes?

Since the time Diffie and Hellman
introduced the concept of digital signatures (see Question 3), many signature schemes have been proposed in
cryptographic literature. These schemes can be categorized as
either conventional digital signature schemes (e.g., RSA,
DSA) or special signature schemes depending on their security
features.

In a conventional signature scheme (the
original model defined by Diffie and Hellman), we generally
assume the following situation:

- The signer knows the contents of
the message that he has signed.
- Anyone who knows the public key of
the signer can verify the correctness of the
signature at any time without any consent or input
from the signer. (Digital signature schemes with this
property are called self-authenticating signature
schemes.)
- The security of the signature
schemes (i.e., hard to forge, non-repudiation, see Question 3) is based on certain
complexity-theoretic assumptions.

In some situations, it may be better to
relax some of these assumptions, and/or add certain special
security features. For example, when Alice asks Bob to sign a
certain message, she may not want him to know the contents of
the message. In the past decade, a variety of special
signature schemes have been developed to fit security needs
in different applications. More examples of such special
schemes are given in Question 39
through Question
44 in alphabetic order.