103-microsecond 2048-bit verification on a Pentium-133

1997-11-25 14:06:31
I have a variant of the Rabin-Williams signature system that speeds up
verification by an order of magnitude with no effect on security. This
might be useful for web pages or USENET postings.

People have been scared away from Rabin encryption because it has a
chosen-ciphertext attack that reveals the key.

Rabin's signature system, as published in 1979, uses a one-way hash
function and is invulnerable to chosen-message attacks.

(The original RSA signature system was vulnerable, as were various
oversimplified versions of Rabin's system.)
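To make the two points above concrete (the message goes through a one-way hash before any root is taken, and verification is a single modular squaring), here is an added example that is not from the original post and does not describe the author's variant; it is a textbook Rabin-Williams signature with the usual e in {1,-1}, f in {1,2} tweaks, a toy key (p = 2^32 - 5, q = 2^31 - 1, both chosen for their residues mod 8) and a demo-only message encoding that reduces SHA-256 mod n.

```python
import hashlib

# Added example, not from the original post: textbook Rabin-Williams
# signatures with the tweaks e in {1,-1}, f in {1,2}.  The key is a toy:
# p = 2^32 - 5 (3 mod 8) and q = 2^31 - 1 (7 mod 8); the post's timing is
# for a 2048-bit modulus.
P, Q = 4294967291, 2147483647
N = P * Q

def hash_to_int(msg, n):
    # Demo-only message encoding: reduce SHA-256 of the message mod n.
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def is_square_mod(t, prime):
    # Euler's criterion: t is a nonzero square mod prime iff this is 1.
    return pow(t % prime, (prime - 1) // 2, prime) == 1

def sign(msg, p=P, q=Q):
    n = p * q
    h = hash_to_int(msg, n)
    # Because p % 8 == 3 and q % 8 == 7, exactly one of h, -h, 2h, -2h
    # is a square modulo both primes whenever gcd(h, n) == 1.
    for e, f in ((1, 1), (-1, 1), (1, 2), (-1, 2)):
        t = e * f * h % n
        if is_square_mod(t, p) and is_square_mod(t, q):
            break
    else:
        raise ValueError("hash shares a factor with n (negligible for real keys)")
    # Square roots modulo p and q (both are 3 mod 4), combined by CRT.
    rp = pow(t, (p + 1) // 4, p)
    rq = pow(t, (q + 1) // 4, q)
    s = (rp * q * pow(q, -1, p) + rq * p * pow(p, -1, q)) % n
    return e, f, s

def verify(msg, sig, n=N):
    e, f, s = sig
    if e not in (1, -1) or f not in (1, 2) or not 0 < s < n:
        return False
    # One modular squaring plus a comparison.  RSA with e = 65537 needs
    # 16 squarings and a multiplication, hence the order-of-magnitude gap.
    return s * s % n == e * f * hash_to_int(msg, n) % n
```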

The only reason to use RSA signatures instead of Rabin signatures is to
line RSADSI's pockets.
