Convertible authenticated encryption scheme

The digital signature provides the functions of integration, authentication, and non-repudiation for the signing message. In some applications, however, the signature only needs to be verified by some specified recipients while keeping the message secret from the public. The authenticated encryption schemes can be used to achieve this purpose. To protect the recipient's benefit in the case of a later dispute, we should further enable the recipient to convert the signature into an ordinary one that can be verified by anyone. Recently, Araki et al. proposed a convertible limited verifier scheme to resolve the problem. Their scheme equips the recipient with the ability to convert the signature into an ordinary one. However, the conversion requires the cooperation of the signer. In the paper, we proposed a convertible authenticated encryption scheme that can easily produce the ordinary signature without the cooperation of the signer. Further, the proposed scheme is more efficient than Araki et al.'s in terms of the computation complexities and the communication costs. (C) 2001 Elsevier Science Inc. All rights reserved.