Say we have a message $m$. Signer $S^1$ will sign this message using his digital signature to produce:

$$\operatorname{Sign}_{S^1}(m)$$

Now, say another signer $S^2$ wants to sign the output of the previous stage to generate:

$$\operatorname{Sign}_{S^2}(\operatorname{Sign}_{S^1}(m))$$

Is there a way to verify that $m$ has been signed by either signer without having to remove the signature of signer $S^2$?

Also, can I verify that $m$ was signed by signer $S^1$, even if I am not interested in verifying that it was signed by signer $S^2$?

Maarten Bodewes
user101

1 Answer

Let a signed message consist of a bit string $m$ and a set of signatures $\Sigma$. A ‘signed message’ of a bit string $m$ with no signatures is $(m, \{\})$. When the $i^{\mathit{th}}$ user signs $(m, \Sigma)$, they return $(m, \Sigma \cup \{\sigma\})$ where $\sigma = \operatorname{Sign}_{S^i}(m)$. The verifier confirms that there are signatures by all the signers they care about on the message.

This works with any base signature scheme, like Ed25519. If a signature appendix in the base signature scheme adds $s$ bytes, and there are $n$ signatures, a signature appendix in this composite signature scheme adds $s\cdot n$ bytes, and the cost of verification is at most $s$ times the cost of verification of the base signature scheme.

If this doesn't satisfy your goals, you'll need to be more specific about what they are!

Squeamish Ossifrage
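
The composite scheme described in the answer above, as an added example in Go that is not code from the answer's author: each signer signs $m$ directly with Ed25519 (Go's standard `crypto/ed25519`), and the verifier checks only the signers it requires. The labels `S1` and `S2`, the type and function names, and the sample messages are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// SignedMessage is the pair (m, Σ); map keys are hypothetical signer labels.
type SignedMessage struct {
	M    []byte
	Sigs map[string][]byte
}

// AddSignature returns (m, Σ ∪ {σ}) where σ = Sign(m); no signature wraps another.
func AddSignature(sm SignedMessage, signer string, priv ed25519.PrivateKey) SignedMessage {
	out := SignedMessage{M: sm.M, Sigs: map[string][]byte{}}
	for k, v := range sm.Sigs {
		out.Sigs[k] = v
	}
	out.Sigs[signer] = ed25519.Sign(priv, sm.M)
	return out
}

// VerifyRequired accepts only if every signer the verifier cares about has a
// valid signature on m; signatures by other signers are ignored.
func VerifyRequired(sm SignedMessage, required map[string]ed25519.PublicKey) bool {
	for signer, pub := range required {
		sig, ok := sm.Sigs[signer]
		if !ok || !ed25519.Verify(pub, sm.M, sig) {
			return false
		}
	}
	return true
}

// Demo signs a constructed message as S1, then S2, and runs four checks.
func Demo() (s1Only, both, tampered, missing bool) {
	pub1, priv1, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	pub2, priv2, _ := ed25519.GenerateKey(nil)
	one := AddSignature(SignedMessage{M: []byte("constructed sample message")}, "S1", priv1)
	two := AddSignature(one, "S2", priv2)
	s1Only = VerifyRequired(two, map[string]ed25519.PublicKey{"S1": pub1})
	both = VerifyRequired(two, map[string]ed25519.PublicKey{"S1": pub1, "S2": pub2})
	tampered = VerifyRequired(SignedMessage{M: []byte("altered message"), Sigs: two.Sigs},
		map[string]ed25519.PublicKey{"S1": pub1})
	missing = VerifyRequired(one, map[string]ed25519.PublicKey{"S2": pub2})
	return
}

func main() { fmt.Println(Demo()) }
```

Because the signatures are independent, any party can drop one from the set, so acceptance depends entirely on the verifier's own list of required signers.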