Abstract :
In some situations, a user wants to sign a message in such a way that only a designated verifier is convinced of the validity of the signature, whereas other users cannot distinguish whether the signer has signed this message at all. In some cases, the signer may want to preserve this level of privacy forever, which means that the initial verifier should not be able to convince anyone else of the fact that the signer signed the message. In some other cases, the signer may want to give the initial verifier the possibility to transfer his conviction to someone else (maybe to everybody), when/if desired.
In this paper we review this notion of private signatures, focusing on the level of transferability desired by the signer. We first consider the two extreme cases (non-transferability and complete transferability) which can be generically and efficiently solved by using very basic cryptographic primitives, as we show in this paper. Then we consider a case with partial transferability, for which we propose a generic solution based on the primitive of distributed ring signatures.
