International Association
for Cryptologic Research

Domain-Specific Pseudonymous Signature schemes were recently proposed for privacy preserving authentication of digital identity documents by the BSI, German Federal Office for Information Security. The crucial property of domain-specific pseudonymous signatures is that a signer may derive unique pseudonyms within a so called domain. Now, the signer's true identity is hidden behind his domain pseudonyms and this pseudonyms are unlinkable, i.e. it is infeasible to correlate two pseudonyms with a single user. In this paper we take a critical look at the security definitions and constructions of domain-specific pseudonymous signatures proposed by far. We review two articles which propose ``sound and clean'' security definitions and point out some issues present in this models. Some of this issues may have a strong practical impact on constructions provable secure in this models. Additionally, we point out some worrisome facts about the proposed schemes and their security analysis.