About the man-in-the-middle attack (MITM) in the challenge-response protocol discussed today, I am wondering if the following method works. As Joel also suggested briefly, I am thinking of using an authenticated key agreement protocol (KA) to counter this problem.
Informally, and for the purpose of our discussion, a KA is a public key protocol that establishes a session key between two entities, and each party gets authenticated by the other.
A secure KA (in the Bellare-Rogaway model or the Canetti-Krawczyk model) can withstand MITM. In particular, a user C forwarding a user A's challenge to user B will only result in two different session keys (one between A and C and another between B and C).
So my suggestion is as follows: use such a KA to get a session key (which involves the challenge-response part already), then use the resulting session key to encrypt the signature. If the other side is not the one it purports to be, then he/she cannot decrypt and get the signature. The encryption here is just symmetric encryption, and the computational overhead involved in the KA can be amortized over several invocations (well, there is a security trade-off, e.g. if the session key is later compromised).
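As an added illustration of the relay scenario above (example code, not from the post or from any protocol discussed in the thread): the identity binding that an authenticated KA gives is modelled here simply by hashing both party names into the session key, over a toy Diffie-Hellman group with constructed, insecure parameters; when C forwards A's share to B under C's own name, A and B derive different keys and the encrypted signature cannot be opened with the wrong one.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group, constructed for illustration only (not secure).
P = (1 << 127) - 1
G = 5

def dh_keygen():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def session_key(initiator, responder, priv, peer_pub):
    # Binding both identities into the derivation stands in for the
    # authentication an authenticated KA provides: a share relayed under a
    # different identity pair yields a different session key.
    shared = pow(peer_pub, priv, P).to_bytes(16, "big")
    label = initiator.encode() + b"|" + responder.encode() + b"|"
    return hashlib.sha256(label + shared).digest()

def _keystream(key, length):
    blocks = (hmac.new(key, i.to_bytes(4, "big"), "sha256").digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def encrypt(key, msg):
    # Symmetric encrypt-then-MAC of the signature under the session key.
    ct = bytes(m ^ s for m, s in zip(msg, _keystream(key, len(msg))))
    return ct + hmac.new(key, ct, "sha256").digest()

def decrypt(key, blob):
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, "sha256").digest()):
        return None  # wrong session key: the signature is not recovered
    return bytes(c ^ s for c, s in zip(ct, _keystream(key, len(ct))))

def honest_run(signature):
    a, ga = dh_keygen()
    b, gb = dh_keygen()
    k_a = session_key("A", "B", a, gb)
    k_b = session_key("A", "B", b, ga)
    return decrypt(k_b, encrypt(k_a, signature))

def relay_run(signature):
    # C forwards A's share to B as its own; C knows neither a nor b.
    a, ga = dh_keygen()
    b, gb = dh_keygen()
    k_a = session_key("A", "B", a, gb)  # A believes the peer is B
    k_b = session_key("C", "B", b, ga)  # B believes the initiator is C
    return k_a != k_b, decrypt(k_b, encrypt(k_a, signature))
```
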