Convertible multi-authenticated encryption scheme

A convertible authenticated encryption (CAE) scheme allows the signer to generate a valid authenticated ciphertext on his chosen message such that only the designated recipient can retrieve the message. Further, the recipient has the ability to convert the authenticated ciphertext into ordinary signature in case of a dispute or repudiation. The previous proposed CAE schemes can only allow one signer to produce the authenticated ciphertext. It might be inadequate for multiparty environments. In this paper, we elaborate on the merits of CAE and multi-signature schemes to propose a convertible multi-authenticated encryption scheme which has the following advantages: (i) The size of the generated authenticated ciphertext is independent of the number of total participating signers. (ii) Except for the designated recipient, no one can obtain the signed message and verify its corresponding signature. (iii) The signature is cooperatively produced by a group of signers instead of a single signer. (iv) In case of a later dispute on repudiation, the recipient has the ability to convert the authenticated ciphertext into an ordinary one for convincing anyone of the signers' dishonesty. (C) 2007 Elsevier Inc. All rights reserved.