Cryptography Series Seven: Digital Signatures

1 Overview

1.1 Basic concepts

Digital Signature, also known as electronic signature, refers to a set of specific symbols or codes attached to an electronic document. It uses cryptographic technology to extract relevant information from the electronic document and conduct authentication to form it, which is used to identify the identity of the issuer and the issuer's approval of the electronic document, and can be used by the receiver to verify whether the electronic document has been transmitted during transmission. tampering or forgery.

In order to meet the requirements of identity authentication , data integrity and non-repudiation in the network environment , digital signatures should have the following characteristics:

• Authenticity letter: A signature convinces the recipient of the document that the signer signed the document.
• Non-reusability: Signatures are not reusable, that is, the signatures of the same message at different times are different.
• Immutability: After a file is signed, the file cannot be changed.
• Unforgeability: The signature can prove that the signer and not someone else signed the document, and no one can forge the signature.
• Non-repudiation: When the signer denies his signature, the signature recipient can request a trusted third party to arbitrate.

1.2 Signature principle

1.2.1 Formal definition

The formal definition of digital signature is as follows:

(1) System initialization

The system initializes to generate the basic parameters of the signature scheme $(M,s,K,Sign,Ver)$。

Among them, $M$ is message space,$S$ is the signature space,$K$ is the key space, including private key and public key,$Sign$ is a set of signature algorithms,$Ver$ is a collection of signature verification algorithms.

(2) Signature generation process

对$k=(k_1,k_2)\in K$ , where$k_1$is the public key, $k_2$is the private key, signature algorithm $sig{n}_{k_2}:M\to S,sig{n}_{k_2}\in Sign$。

For any message $m\in M$ , message signature$s=sig{n}_{k_2}(m)$, $s\in S$ , forming the signature message group$(m,s)$ to the signature verifier.

(3) Signature verification process

For $k_1\in K$ , there is a corresponding signature verification algorithm:verk 1 : M × S → { True , F false } ， verk 1 ∈ Ver ver_{k_1}: M \times S \to \{True,False\}， ver_{ k_1}\in Ververk1​​:M×S→{ True,F a l se } ，v e rk1​​∈Ver。

The signature verifier receives $(m,s)$ , calculate$ve{r}_{k_1}(m,s)$,若$ve{r}_{k_1}(m,s)=True$ , the signature is valid, otherwise the signature is invalid:

$$ve{r}_{k_1}(m,s)=\{\begin{array}{ll}True,& ifs=sig{n}_{k_2}(m),\\ False& ifs\ne sig{n}_{k_2}(m)\end{array}$$

For every $k\in K$ , signature function$sig{n}_{k_2}$and signature verification function $ve{r}_{k_1}$is easy to calculate.

In general, $sig{n}_{k_2}$It can be public or not, and the security of the private key is required in the signature algorithm; and the verification function $ve{r}_{k_1}$is public, and also requires any message $m$ , from the setSSCalculatess$in\; S$$s$ such that$ve{r}_{k_1}(m,s)=True$ is very difficult, that is, the attacker's response to the message$m$ produces a valid signature$s$ is impossible.

1.2.2 Signature process

• The sender A uses the Hash algorithm to generate a message digest (Message Digest)
• The sender A encrypts the message digest with its own private key, and the encrypted message digest is the digital signature
• Sender A sends the message and signature to receiver B
• After receiving the message and its name, the receiver B decrypts the signature with the public key of the sender A to obtain the message digest generated by the sender A
• Receiver B uses the Hash algorithm used by sender A to regenerate the digest of the obtained message, and compares the two digests. If they are the same, it means that the signature is a valid signature of sender A for this message, otherwise the signature is invalid.

2 RSA-based signature scheme

2.1 Implementation process

(1) Initialization: Generate a public-private key pair

Choose two large prime numbers $p,q$ (not leakable), calculate$n=pq$ andnnEuler function of$n$$\phi \left(n\right)=(p-1)(q-1)$

Randomly select an integer $e(1<e<\phi (n))$ as the public key, satisfying$gcd(e,\phi (n))=1$，$e$与$\phi \left(n\right)$ mutual prime

Use Euclid's extended algorithm to calculate the private key: $d\equiv e^{-1}\mathrm{mod}\phi \left(n\right)$，即eeinverse of$e$

(2) Signature process

Let the message to be signed be $m\in Z_n$, the signer uses a secure Hash function to generate a message digest $h=H\left(m\right)$ , then compute the signature:$s\equiv h^{d}modn$。

(3) Verification process

The signature receiver receives the message $m$ and signature$s$ , calculate message digest$h=H\left(m\right)$ , then, check the equation$h\mathrm{mod}n\equiv s^{e}modn$ . If established, the signature is valid; otherwise, the signature is invalid.

2.2 Security Analysis

The RSA signature scheme also has the problem of signature reusability, that is, the signature for the same message at different times is the same. This problem can be solved by introducing random numbers in the signature, which is reflected in the digital signature scheme mentioned later.

3 Signature scheme based on discrete logarithm

Signature schemes based on discrete logarithm problems are more commonly used in digital signature schemes, including ElGamal signature schemes, Schnorr signature schemes, and DSA signature schemes.

3.1 ElGamal signature system

In 1985, T.ElGamal proposed the ElGamal cryptosystem which can be used for both encryption and digital signature. The modified form of the ElGamal digital signature scheme has been adopted by the US NIST as a digital signature standard (DSS, Digital Signature Standard) . The ElGamal digital signature scheme is a non-deterministic signature scheme , that is, for a given message, there are different digital signatures due to different random numbers selected, and the verification algorithm can use any of them as a valid signature. accept.

3.1.1 Implementation process

(1) Initialization: Generate a public-private key pair

Randomly choose a large prime number $p$ , and requires$p-1$ has a large prime factor,$g\in {\mathbf{Z}}_p^{\ast }$is a primitive element ( $Z_p$is a $A\; finite\; field\; of\; p$ elements,$Z_p^{\ast }$is $Z_p$The multiplicative group formed by the non-zero elements in

Choose a random number $x{\in }_R{Z}_{p-1}^{\ast }$（$\ast$ means to remove zero elements,$R$ means random selection), calculate$y\equiv g^x\mathrm{mod}p$

Public key: $(p,g,y)$

private key: $x$

(2) Signature process

Let the message to be signed be $m$ , the signer uses a secure Hash function to generate a message digest$h=H\left(m\right)$ , then choose a random number$k{\in }_R{Z}_p^{\ast }$,calculate:

$$\{\begin{array}{l}r\equiv g^k\mathrm{mod}p\\ s\equiv (h-xr)k^{-1}mod(p-1)\end{array}$$

to message $The\; signature\; of\; m$ is$(r,s)$

(3) Verification process

The signature receiver receives the message $m$ and signature$(r,s)$ , calculate the message digest$h=H\left(m\right)$ , then, check the equation$y^r{r}^s\equiv g^h\mathrm{mod}p$ . If established, the signature is valid; otherwise, the signature is invalid.

3.1.2 Security Analysis

random number $Selection\; of\; k$ and storage of private keyxxThe secrecy of$x\; is\; of\; paramount\; importance.$if$If\; the\; k$ value is leaked, it is easy to calculate the private key$x$。

In addition, the random number $k$ cannot be reused, multiple kkselected when signing multiple timesThere should be no correlation between$k$$x$。

random number $The\; use\; of\; k$ also ensures the non-reusability of the signature scheme. Different random numbers are selected at different times. Even if the same message is signed, different results will be produced, which avoids the problem of signature reuse in RSA signatures.

3.2 Schnorr signature system

C.Schnorr proposed the Schnorr signature system in 1989, which has the characteristics of faster signature speed and shorter signature length.

3.2.1 Implementation process

(1) Initialization: Generate a public-private key pair

Randomly select a large prime number $p、q$，$q$ is$p-$Large prime factors of$1$

Select the generator $g\in {\mathbf{Z}}_p^{\ast }$, $g^q\equiv 1\mathrm{mod}p,g\ne 1$

Choose a random number $1<x<q$，计算$y\equiv g^{x}modp$

Public key: $(y,g,p,q)$

private key: $x$

(2) Signature process

Let the message to be signed be $m$ , the signer chooses a random number$1\le k\le q-1$ , calculate:

$$\{\begin{array}{l}r\equiv g^k\mathrm{mod}p\\ h=H(m,r)\\ s\equiv (xh+k)modq\end{array}$$

to message $The\; signature\; of\; m$ is$(h,s)$ , where$H$ is the Hash function

(3) Verification process

The signature receiver receives the message $m$ and signature$(e,s)$ ,Define$r_1\equiv g^s{y}^{-e}\mathrm{mod}p$

Then, check the equation $h=H(m,r_1)$ . If established, the signature is valid; otherwise, the signature is invalid.

3.2.2 Security Analysis

In the ElGamal digital signature scheme, $g$ is$Z_p^{\ast }$generator, and in the Schnorr digital signature scheme by introducing the prime number $q$ , select$g$ is$Z_p^{\ast }$target qqGenerators of subgroups of order$q\; .$

From the perspective of exhaustive search of the signer's private key, the security of ElGamal signature is higher, because the order of its generator is $p-1$ , greater than the order qqof the Schnorr signature generator$q$ . In addition, the security of the Schnorr digital signature scheme is similar to that of the ElGamal digital signature scheme.

3.3 DSA signature system

In December 1994, the National Institute of Standards and Technology (NIST, National Institute of Standard and Technology) officially promulgated the Digital Signature Standard (DSS, Digital Signature Standard) , which was designed on the basis of EIGamal and Schnorr digital signature schemes.

Due to the better compatibility and applicability of DSS, it has been widely used. The algorithm in the digital signature standard DSS is often called DSA (Digital Signature Algorithm).

(1) Initialization: Generate a public-private key pair

Randomly choose a large prime number $p$ (length in$512$~$1024$bit)、$q$($160$bit)，$q$ is$p-$Large prime factors of$1$$p-1$ can be$q$ evenly divisible).

Choose $g\equiv h^{(p-1)/q}\mathrm{mod}p$ , where the integer$h$满足$1<h<p-1$ , and$g>1$。

Choose a random number $1<x<q$，计算$y\equiv g^{x}modp$

Public key: $(p,q,g,y)$

private key: $x$

(2) Signature process

Let the message to be signed be $m$ , the signer chooses a random number$k$ , computed:

$$\{\begin{array}{l}r\equiv g^k\mathrm{mod}p\\ s\equiv [H(m)+xr]k^{-1}modq\end{array}$$

Among them, $H$ is the SHA1 algorithm.

(3) Verification process

The signature recipient receives the message $m$ and signature$(r,s)$后，计算:
$$\{\begin{array}{l}w\equiv s^{-1}\mathrm{mod}q\\ u_1\equiv H(m)wmodq\\ u_2\equiv rwmodq\\ v\equiv (g^{u_1}{y}^{u_2}modp)modq\end{array}$$Then, check the equation $v=r$ . If established, the signature is valid; otherwise, the signature is invalid.

3.4 Discrete logarithm signature system

3.4.1 Comparison of three signature systems

As mentioned earlier, the proposal of the ElGamal signature scheme is the earliest of the three schemes, and it is also the basis of the latter two schemes. The Schnorr signature scheme can be regarded as a variant of the ElGamal signature scheme, which shortens the signature length. The DSA signature scheme is another variant of the EGamal signature scheme, and it also absorbs some design ideas of the Schnorr scheme.

Due to the different signature algorithms adopted, the signature verification equations and processes of the three schemes are also different. According to the calculation amount and signature length, the efficiency of these three schemes is compared and analyzed as follows. Among them, since the time required for modulo addition, modulo subtraction, and inverse operations is far lower than the time required for operations such as exponentiation, product, and Hash evaluation, it can be ignored.

signature system	sign	verify	signature length
ElGamal	$T_e+T_h+2T{\_}_m$	$3T{\_}_e+T_h+T_m$	$|p|+|p-1|$
scrounge	$T_e+T_h+T_m$	$2T{\_}_e+T_h+T_m$	$|q|+|2H(m)|$
DSA	$T_e+T_h+2T{\_}_m$	$2T{\_}_e+T_h+3T{\_}_m$	$2|q|$

Among them, $T_e$: Calculation amount of exponentiation; $T_h$: calculation amount of hash calculation; $T_m$: The calculation amount of the product operation.

It can be seen that the signature process of the Schnorr scheme requires relatively less calculation and is faster, especially some calculations are irrelevant to the message and can be completed in advance, which can also reduce the signature time. The verification process of the Schnorr scheme is relatively less computationally intensive, and the length of the generated signature value is also shorter (depending on $|q|+|2H\left(m\right)|$ ). Therefore, Schnorr is more suitable for applications in environments such as smart cards.

Individual computations in the other two schemes can also be precomputed, whereas the RSA scheme is not precomputable.

3.4.2 General Form of Discrete Logarithm Signature System

The ElGamal, Schnorr, and DSA signature schemes can all be attributed to the special case of the discrete logarithm signature scheme based on finite fields. The general form of the discrete logarithm signature scheme is summarized as follows:

(1) Initialization

Randomly choose a large prime number $p$、$q$，$q$ is$p-$Large prime factors of$1$$p-1$ can be$q$ divisible)

Select the generator $g\in {\mathbf{Z}}_p^{\ast }$, $g^q\equiv 1\mathrm{mod}p,g\ne 1$

Choose a random number $1<x<q$，计算$y\equiv g^x\mathrm{mod}p$

Public key: $(p,q,g,y)$

private key: $x$

(2) Signature process

Let the message to be signed be $m$ , the signer calculates$h=H(m)$，$H$ is a secure Hash function

Choose a random number $k$，满足$1<k<q$ , calculate$r\equiv g^{k}modp$

From the equation $and\equiv b+cx(modq)$ to solve$s$。

to message $The\; signature\; of\; m$ is$(r,s)$

Coefficients a , b , ca , b , c of the equationThere are many different selection methods for$a$$,$$b$$,$$c$$r^{\prime }\equiv r\mathrm{mod}q$。

(3) Verification process

The signature receiver receives the message $m$ and signature$(r,s)$ , verify$r^a\equiv g^b{y}^{c}mod$, if established, the signature is valid; otherwise, the signature is invalid.

Such as a , b , ca,b,c for the first row of the above table$a,b,$The possible signing and verification equations for$c\; (regardless\; of\; sign)\; are\; as\; follows:$

signature equation	Verify the equation
$r^{\prime }k\equiv (s+mx)\mathrm{mod}q$	$r^{r^{\prime }}\equiv g^s{y}^{m}modp$
$r^{\prime }k\equiv (m+sx)modq$	$r^{r^{\prime }}\equiv g^m{y}^{s}modp$
$sk\equiv (r^{\prime }+mx)modq$	$r^s\equiv g^{r^{\prime }}{y}^{m}modp$
$sk\equiv (m+r^{\prime }x)modq$	$r^s\equiv g^m{y}^{r^{\prime }}modp$
$mk\equiv (s+r^{\prime }x)modq$	$r^m\equiv g^s{y}^{r^{\prime }}\mathrm{mod}p$
$mk\equiv (r^{\prime }+sx)modq$	$r^m\equiv g^{r^{\prime }}{y}^{s}modp$

The 6 different signature schemes listed, plus the minus sign, add up to $24$ , using listeda,b,ca,b,cThe other possible values ​​of$a$$,$$b$$,$$c$$120$ .

In addition, rr can also be defined$r$ produces more DSA-like schemes:$r\equiv (g^{k}modp)modq$ , using the same signature equation.

并定义验证等式如下：$$\{\begin{array}{l}{u}_1\equiv a^{-1}b\mathrm{mod}q\\ u_2\equiv a^{-1}cmodq\\ r\equiv (g^{u_1}{y}^{u_2}modp)modq\end{array}$$Something like this can yield up to $From\; 13,000$ variants, all of which have the same security, an easily computed efficient solution can be selected.

4. Elliptic curve-based signature scheme

DSA (Elliptic Curve Distal Signature Algorithm) is an implementation of elliptic curve-based public key cryptosystem in digital signature, that is, the DSA algorithm is implemented on the elliptic curve finite field, and its security depends on the elliptic curve-based finite group. Discrete logarithm puzzle.

Compared with RSA-based digital signatures and finite-field discrete logarithm-based digital signatures, under the same security strength conditions, the ECDSA scheme has short signature length, small storage space, and fast calculation speed, which is especially suitable for limited computing power and storage space. , Bandwidth is limited, and high-speed implementation is required (such as applications in smart cards).

5. Special digital signature

In the practical application of digital signature, some special occasions often have special requirements. For example, in order to protect the privacy of the information owner, a blind signature is generated ; in order to realize the safe transfer of signature rights, a proxy signature is generated ; in order to realize multiple signatures on the same message, multiple signatures are generated .

5.1 Proxy signature

Proxy signature means that the original signer authorizes his signature right to the agent, and the agent exercises his signature right on behalf of the original signer. When the verifier verifies the proxy signature, the verifier can not only verify the validity of the signature, but also be sure that the signature is approved by the original signer.

(1) Proxy signature classification

According to the authorization form of the original signer to the proxy signer, the proxy signature can be divided into

• fully delegated proxy signature
• Partially Authorized Proxy Signatures (Proxy Signatures for Non-Protected Proxies, Proxy Signatures for Protected Proxies)
• Proxy signature with power of attorney

Fully entrusted proxy signature means that the original signer secretly hands over his private key (or the physical device containing the private key) to the proxy signer, who can use this key to sign various messages. The proxy signature generated by the proxy signer is the same as the signature generated by the original signer.

Partially authorized proxy signature means that the original signer uses his private key to calculate a new proxy private key and sends it to the proxy signer through a secure channel. The proxy signer can use this proxy private key to sign messages and generate proxy signatures. The generated proxy signature is different from the signature generated by the original signer using his own private key, and the verifier can distinguish the original signer's signature from the proxy's signature.

Proxy signature with power of attorney refers to a letter of authorization issued by the original signer to the proxy signer. This power of attorney is signed with the private key of the original signer. In addition to including that a proxy signer can act on behalf of the signing power, it also includes some Special information such as proxy duration, types of messages that can be signed, etc. After the proxy signer obtains the authorization letter, he uses his own private key to generate the proxy private key and uses the proxy private key to sign the signed message, and includes the authorization letter in the signature, and the verifier first checks when verifying the proxy signature Its power of attorney, to determine whether the agency authorization is valid. If the check is passed, the validity of the proxy signature itself is further verified. If the verification passes, it is a valid proxy signature, otherwise the proxy signature is invalid.

(2) Proxy signature scheme

In 1997, S.Kim.S.Park and D.Won proposed a proxy signature scheme with power of attorney, referred to as the KPW scheme. The main idea is that the proxy signer uses his private key and the power of attorney signed by the original signer to generate the proxy private key to generate the proxy signature, where the power of attorney $m_w$Refers to a file that includes the original signer's ID, the proxy signer's ID, the validity period of the proxy authority, the scope of the proxy signature information, and other information.

In addition to the KPW proxy signature scheme, discrete logarithm-based proxy signature schemes include the MUO proxy signature scheme proposed by M.Mambo, K.Usuda and E.Okamoto in 1996, and the PH proxy signature scheme proposed by Petersen and Horster in 1997. . Transplanting the idea of ​​proxy signature based on discrete logarithm to elliptic curve cryptosystem can evolve a variety of proxy signature schemes based on elliptic curve.

5.2 Blind signature

Blind signature is a digital signature with special properties first proposed by D.Chaum in 1982. This signature requires the signer to be able to sign the message without knowing the content of the signed file .
Even if the signer sees the signed message and its signature later, the signer cannot tell when and for whom the signature was generated. Intuitively speaking, the generation process of this kind of signature is like signing a message with the signer's eyes closed, so it is vividly called "blind" digital signature.

Because blind signature solves the anonymity problem that people are concerned about, it is widely used in applications such as electronic currency, electronic voting, and electronic auction.

(1) Blind signature classification

According to the degree of "blindness", blind signature schemes are usually divided into strong blind signatures, weak blind signatures, and partial blind signatures.

Let $R\left(m\right)$ is the message$The\; blind\; message\; obtained\; after\; m$ blinding,$Sign\left(R\right(m))$ is the blind message$Signature\; of\; R\left(m\right)$ ,$Sign\left(m\right)$ is the real message mmobtained after deblinding$m$ 's signature.

Strong blind signature means that the signer cannot establish $Sign(R(m))$到$The\; signature\; of\; the\; linkage\; of\; Sign\; (\; m)$ , also known as$a$$fully$$blind$$signature$$.$

Weak blind signature means that the signer only knows $Sign\left(R\right(m))$ without knowing$Sign\left(m\right)$ , but once public$Sign\left(m\right)$ , the signer can establish a connection between the two, that is, the signer can put the blind signature$Behavior\; of\; Sign\left(R\right(m))$ and message$The\; content\; of\; m$ is associated.

The particularity of partially blind signatures is that in addition to the signed message $In\; addition\; to\; m,$ it also contains the message m 1 m_1jointly generated by the message owner and the signer$m_1$(including message $range\; of\; m$ , validity period, etc.), in the process of partial blind signature, message$m_1$It has always been public, that is, the signature after blinding is $Sign(R(m),m_1)$ , the final message owner gets$Sign(m,m_1)$。

(2) Blind signature implementation steps

In the blind signature scheme, the owner of the message, that is, the entity A that needs the blind signature service is called the user, and the entity B that provides the blind signature service is called the signer. When user A needs signer B to sign a message, follow the steps below:

• User A blinds the message to be signed, so that the specific content of the message is garbled for signer B, also known as blind message;
• User A sends a blind message to signer B
• Signer B digitally signs the received blind message
• Signer B hands over the blind message and its signature to User A
• The user receives the signature and performs deblinding processing, that is, the signature of the original message by signer B is obtained and the blind signature can be verified

5.3 Multiple digital signatures

In digital signature applications, sometimes multiple users are required to sign and authenticate the same file. A digital signature scheme that enables multiple users to sign the same file is called a digital multi-signature (Digital Multi-signature) scheme .

According to different signature processes, multiple digital signature schemes can be divided into:

• Sequential Multi-signature Scheme
• Broadcasting Multi-signature Scheme

The Digital Multi-signature scheme includes a message sender (Issuer), a message signer (Signers) and a signature verifier (Verifier). The signature collector (Collector) is also included in the broadcast multi-signature scheme.

In the ordered multiple digital signature scheme , the message sender stipulates the order of message signatures, and then sends the message to the first signer. Except for the first signer, each signer first verifies the previous signature after receiving the signed message If the signature is valid, send the signed message to the next signer to continue signing; if the signature is invalid, refuse to sign the message and terminate the entire signing process. When the signature verifier receives the signed message, it verifies the validity of the signature. A typical scheme is the ElGamal ordered multiple digital signature scheme

In the broadcast multiple digital signature scheme , the message sender sends the message to each message signer at the same time, and the signer sends the message to the signature collector after signing the message, and the collector sorts out the signed message and sends it to the signature verifier , the signature verifier verifies the validity of the multi-signature. Typical scheme is Harn broadcast multiple digital signature scheme

5.4 Group signature

In 1991, Chaum and Heyst proposed the Group Signature ( Group Signature ) scheme for the first time. The group signature scheme allows legitimate users in the group to sign in the name of the user group, and has many characteristics such as the anonymity of the signer, and only the authoritative person can identify the identity of the signer. Generally speaking, the participants of a group signature are composed of group members (signers) , **group administrators (GC, Group Center) and signature acceptors (signature verifiers)**.

Groups are widely used in real life. For example, the board of directors of a company decides to punish an employee and entrusts a director to do so. The director signs on the punishment-related matters on behalf of the board of directors, and a group signature is required. In this way, those who are punished only know that the punishment is a collective decision made by the board of directors, and will not contact the specific directors who handled it through their signatures. If there is a dispute over the punishment, the chairman of the board of directors, as a group administrator, can reveal the identity of the signing director.

5.5 Non-repudiation signature

Ordinary digital signatures can be copied and anyone can verify their validity, which is okay for documents such as publicity, but for some documents such as personal or company letters, especially the signatures of valuable documents, if they can also be freely copied and Verification will cause losses, which requires non-repudiation signatures.

The essence of undeniable signature is that it is impossible to verify the validity of the signature without the cooperation of the signer , so as to prevent the copying or distribution of the document signed by him . This property enables the signer to control the dissemination of the product, and has applications in electronic publishing systems and intellectual property protection.

Non-repudiation signature consists of three parts: signature algorithm, verification protocol and non-repudiation algorithm .

Since this kind of signature needs to be verified with the cooperation of the signer, this will give the signer a "denial" opportunity, that is, the signer refuses to cooperate to deny that he has signed the message when the signer is unfavorable. The non-repudiation algorithm is to prevent the signer from "deny". The signer can also use the non-repudiation algorithm to prove to the court or the public that a signature is indeed not from him. If the signer refuses to participate or does not cooperate with the implementation of the signature verification protocol, it means that the signature was signed by him.

5.6 Other digital signatures

To meet different needs and applications, there are other data signature schemes, such as threshold digital signature (Threshold Digital Signature), failure - stop signature (Fail-Stop Signature), one-time signature, conditional signature, forward security signature, Chameleon Signature, Concurrent Signature.