1-out-of-2 Signature

                           Miroslaw Kutylowski 
                 Wroclaw University of Technology
                                   Jun Shao
                    Zhejiang Gongshang University

We consider a scenario in which Alice entitles Bob to serve as her
proxy with the right to sign one out of two possible documents, say
m_1 and m_2. The protocol guarantees that the data given to Bob
cannot be recognized as signatures of m_1 and m_2, unless Bob
transforms them with his private key. The most important feature is,
however, then if Bob finalizes both signatures (of m_1 and of
m_2) - violating the delegated rights, then Bob's private key will
be revealed to Alice. So we propose an undeniable proof of
misbehavior instead of other means that turn out to be less
effective and more difficult to implement.

The presented solution can be applied for enabling agents or
representatives in negotiations to provide the original signed
documents on behalf of represented parties. The solution can be
immediately extended to a version with any fixed number of
documents, from which only one can be signed finally.

Security of the scheme  can be shown in random oracle model. We also
provide a solution, for which security of the signer is protected
within the fail-stop framework.


ACM ASIA CCS 2011

supported by Foundation for Polish Science, ``Mistrz'' Programme