I'm not aware of any cryptographic primitive that has all the properties
you want. However, certificates solve this problem nicely; Alice issues
a certificate to Bob allowing Bob to sign for Alice. This assumes that
the verifier can interpret such certificates, however. (We designed
KeyNote (see www.crypto.com/trustmgt/kn.html) to be especially useful
for such applications).

If I recall correctly, the Mambo, Usada and Okamoto proxy signature scheme
works for specific messages (Alice is part of signature protocol), but
I could be confusing this with their encryption protocol. You might want
to take a look at

  M. Blaze, M. Strauss. Atomic Proxy Cryptography. Eurocrypt '98.
  Full version (PostScript) at www.crypto.com/papers/proxy.ps

Here, Alice and Bob can create a "proxy" key that allows them to
transparently sign for one another (which does not sound like what you
want, but it could be a starting point).

-matt

> Hi...
>
> I'm a research student studying crypto (newbies).
>
> I really need a paper, which I can not get:
> Masahiro Mambo, Usada & Eiji Okamoto "Proxy Signatures" Proceedings of the
> 1995 Symposium
> on Cryptography and Information Security (SCIS 95), Inuyama, Japan, 24-27
> Jan 1995.
>
> I've mailed two of the authors, though.
>
> 1/ Just in case anyone knows where to download or "request" the paper from
> the Internet, pls let me know.
>
> 2/ Does anyone know other "variants of proxy signatures"? Here's a little
> description:
> - While Alice is not around, Bob on behalf of Alice, can sign for Alice (a
> proxy signature). Thus Alice 'delegates' herself to Bob.
> - The signature should be distinguishable from normal signatures
> - Only the original signer and the designated proxy signer can create a
> valid proxy signature (actually, I don't want the original signer to be able to
> create a proxy signature. Anyway it's my problem)
> - A proxy signer (bob) cannot create a valid proxy signature not detected as
> proxy signature
> - Verifier can be convinced of Alice's agreement in the signed message
> - Original signer can determine the proxy signer's identity from a proxy
> signature
> - a proxy signer cannot disavow an accepted proxy signature he created.
>
> BTW, it's not in Schneier's crypto paper links, although it is mentioned in
> his book, ref 1001.
>
> Thanxalot,
>
> -mukti
>
>
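
The certificate approach suggested in the reply, as an added example that is not part of the original thread and is not KeyNote: Alice signs a warrant naming Bob's key and a scope, Bob signs under a proxy-only tag, and the verifier checks both. Ed25519 stands in for whatever signature scheme is in use; the tag strings, the scope-as-message-prefix rule, and all function and type names are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"errors"
	"fmt"
)

// Warrant is Alice's certificate: Proxy may sign for her any message starting with Scope.
type Warrant struct {
	Proxy ed25519.PublicKey // Bob's key; identifies the proxy signer
	Scope string            // assumed restriction format: a required message prefix
	Sig   []byte            // Alice's signature over body()
}

// body is unambiguous to parse: fixed tag, 32-byte key, then the scope.
func (w Warrant) body() []byte { return append(append([]byte("proxy-warrant-v1"), w.Proxy...), w.Scope...) }

// signed ties msg to one warrant (via Alice's 64-byte signature) under a proxy-only tag.
func signed(w Warrant, msg []byte) []byte { return append(append([]byte("proxy-sig-v1"), w.Sig...), msg...) }

func Delegate(alice ed25519.PrivateKey, bob ed25519.PublicKey, scope string) Warrant {
	w := Warrant{Proxy: bob, Scope: scope}
	w.Sig = ed25519.Sign(alice, w.body())
	return w
}

func ProxySign(bob ed25519.PrivateKey, w Warrant, msg []byte) []byte { return ed25519.Sign(bob, signed(w, msg)) }

// Verify checks Alice's consent first, then the scope, then the proxy's own signature.
func Verify(alice ed25519.PublicKey, w Warrant, msg, sig []byte) error {
	switch {
	case len(w.Proxy) != ed25519.PublicKeySize || !ed25519.Verify(alice, w.body(), w.Sig):
		return errors.New("warrant not issued by original signer")
	case !bytes.HasPrefix(msg, []byte(w.Scope)):
		return errors.New("message outside delegated scope")
	case !ed25519.Verify(w.Proxy, signed(w, msg), sig):
		return errors.New("proxy signature invalid")
	}
	return nil
}

func main() {
	apub, apriv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	bpub, bpriv, _ := ed25519.GenerateKey(nil)
	w, msg, other := Delegate(apriv, bpub, "invoice:"), []byte("invoice: pay 10"), []byte("contract: sell")
	fmt.Println(Verify(apub, w, msg, ProxySign(bpriv, w, msg)))     // constructed in-scope message
	fmt.Println(Verify(apub, w, other, ProxySign(bpriv, w, other))) // constructed out-of-scope message
}
```

The warrant here carries no expiry or revocation information; a verifier that must honour either needs those fields inside the signed warrant body.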