Improved convertible authenticated encryption scheme with provable security

Information Processing Letters (contents lists available at ScienceDirect; www.elsevier.com/locate/ipl)

Han-Yu Lin a, Chien-Lung Hsu a,b,*, Shih-Kun Huang c

a Department of Information Management, Chang Gung University, Tao-Yuan, 333, Taiwan
b Taiwan Information Security Center at NTUST (TWISC@NTUST), Taipei, 106, Taiwan
c Department of Computer Science, National Chiao Tung University, Hsinchu, 300, Taiwan

Article history: Received 26 August 2010; received in revised form 22 November 2010; accepted 25 March 2011; available online 14 April 2011. Communicated by L. Viganò.

Keywords: Cryptography; Convertible; Authenticated encryption; ElGamal system; Provable security; Random oracle model

Abstract

Convertible authenticated encryption (CAE) schemes allow a signer to produce an authenticated ciphertext such that only a designated recipient can decrypt it and verify the recovered signature. The conversion property further enables the designated recipient to reveal an ordinary signature for dealing with a later dispute over repudiation. Based on the ElGamal cryptosystem, in 2009, Lee et al. proposed a CAE scheme with only heuristic security analyses. In this paper, we will demonstrate that their scheme is vulnerable to the chosen-plaintext attack and then further propose an improved variant. Additionally, in the random oracle model, we prove that the improved scheme achieves confidentiality against indistinguishability under adaptive chosen-ciphertext attacks (IND-CCA2) and unforgeability against existential forgery under adaptive chosen-message attacks (EF-CMA).

©2011 Elsevier B.V. All rights reserved.

1. Introduction

In 1994, Horster et al. [4] proposed an authenticated encryption (AE) scheme which simultaneously satisfies the security properties of integrity, confidentiality and authenticity. In an AE scheme, a signer can generate an authenticated ciphertext such that only a designated recipient has the ability to decrypt it and verify the signature. However, since the recovered signature is not publicly verifiable, a later dispute over repudiation might occur.

To deal with the problem, in 1999, Araki et al. [1] proposed a convertible limited verifier signature scheme which provides a conversion mechanism. Yet, their signature conversion mechanism only works on condition that the signer is willing to release an extra parameter. If a dishonest signer refuses to assist, the mechanism is infeasible. Moreover, the conversion process will increase additional communication and computation cost. In 2003, Zhang and Kim [16] also pointed out that Araki et al.’s scheme is vulnerable to the universal forgery attack on an arbitrary chosen message.

* Corresponding author at: Department of Information Management, Chang Gung University, Tao-Yuan, 333, Taiwan. Tel.: +886 3 2118800; fax: +886 3 2118020. E-mail address: [email protected] (C.-L. Hsu).

In 2002, Wu and Hsu [13] proposed a so-called convertible authenticated encryption (CAE) scheme, in which the converted signature is just embedded in the authenticated ciphertext. Consequently, the designated recipient can solely reveal the converted signature to convince anyone of the signer’s dishonesty without extra computational efforts. Based on the Wu–Hsu scheme, in 2003, Huang and Chang [5] proposed another CAE scheme with better efficiency. In 2005, Lv et al. [10] addressed a practical CAE scheme based on the self-certified public key system. In 2009, Wu and Lin [15] proposed a secure CAE scheme based on RSA. Their scheme is provably secure in the random oracle model. So far, lots of related works [2,3,8,9,12,14,17] have been proposed.

Based on the ElGamal cryptosystem, in 2009, Lee et al. [6] proposed a CAE scheme with only heuristic security analyses. In this paper, we will demonstrate that their scheme is insecure in the security notion of chosen-plaintext attacks. Then an improved scheme will be presented. To guarantee its feasibility and give more convincing security, we formally prove that our scheme achieves confidentiality against indistinguishability under adaptive chosen-ciphertext attacks (IND-CCA2) and unforgeability against existential forgery under adaptive chosen-message attacks (EF-CMA) in the random oracle model.

0020-0190/$ – see front matter ©2011 Elsevier B.V. All rights reserved. doi:10.1016/j.ipl.2011.03.021

2. Security vulnerability of Lee et al.’s scheme

In this section, we first briefly review Lee et al.’s scheme [6] and then demonstrate the security weakness of their scheme.

2.1. Brief review of Lee et al.’s scheme

Lee et al.’s scheme can be divided into three phases: the signature generation, the message recovery and the conversion phases. Initially, a system authority first determines two large primes, p and q, satisfying $q \mid (p-1)$. Let g be a generator of order q and $h(\cdot)$ a collision-resistant one-way hash function. Each user $U_i$ chooses his private key $x_i \in_R Z_q$ and computes a corresponding public key $y_i = g^{x_i} \bmod p$. Without loss of generality, let $U_a$ and $U_b$ separately be a signer and a designated recipient.

In the signature generation and the message recovery phases, $U_a$ first selects an integer $k \in_R Z_q$ and computes

$$r = g^k \bmod p, \qquad (1)$$

$$c = M \left(y_b^{(k+x_a)}\right)^{-1} \bmod p, \qquad (2)$$

$$s = k + x_a h(M, r) \bmod q. \qquad (3)$$

Hence, $\delta = (c, r, s)$ is the authenticated ciphertext for $U_b$.

Upon receiving $\delta$, $U_b$ first recovers the message as

$$M = c\,(r y_a)^{x_b} \bmod p, \qquad (4)$$

and then verifies the signature by checking if

$$g^s = r\, y_a^{h(M, r)} \bmod p. \qquad (5)$$

In the conversion phase, $U_b$ can just release the converted signature $(r, s)$ for the message M. Hence, any third party can validate it with Eq. (5).

2.2. Security weakness

In the security notion of chosen-plaintext attacks, given a target authenticated ciphertext $\delta = (c, r, s)$, an adversary cannot even identify the encrypted message from only two candidate messages $(M_0, M_1)$. Nevertheless, in Lee et al.’s scheme, a weakest adversary without any oracle query ability can easily break the indistinguishability by checking whether $g^s = r\, y_a^{h(M_0, r)}$ or $g^s = r\, y_a^{h(M_1, r)}$ holds. Consequently, any adversary without the knowledge of the designated recipient’s private key can still output the correct message.

3. Improved CAE scheme

In this section, we propose an improved CAE scheme. The initial setup is the same as that of Lee et al.’s scheme. Details of each phase are described as follows:

Signature generation. For signing a message M for $U_b$, $U_a$ first chooses $k \in_R Z_q$ and computes

$$r = g^k \bmod p, \qquad (6)$$

$$w = y_b^{(k+x_a)} \bmod p, \qquad (7)$$

$$s = k + x_a h(M, r, w) \bmod q, \qquad (8)$$

$$c = F(r, s, w)^{-1} M \bmod p, \qquad (9)$$

where F is also a one-way hash function. The authenticated ciphertext $\delta = (c, r, s)$ is then sent to $U_b$.

Message recovery. Upon receiving $\delta$, $U_b$ first computes

$$w = (r y_a)^{x_b} \bmod p, \qquad (10)$$

and then recovers the message as

$$M = F(r, s, w)\, c \bmod p. \qquad (11)$$

He further verifies the signature by checking if

$$g^s = r\, y_a^{h(M, r, w)} \bmod p. \qquad (12)$$

If it holds, $U_b$ accepts the signature.

Conversion. When the case of a later dispute over repudiation occurs, $U_b$ can reveal the converted signature $\Omega = (r, s, w)$ for M. Thus, anyone can verify the converted signature with the assistance of Eq. (12).
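Lee et al.’s scheme and the improved scheme side by side, as an added example that is not part of the paper: it uses constructed toy parameters (p = 2039, q = 1019, g = 4) and SHA-256 reduced modulo q or p as a stand-in for the hashes h and F, both assumptions of this example. `lee_distinguish` runs the Section 2.2 check of Eq. (5) over candidate messages with public values only, while the improved scheme’s Eqs. (6)–(12) need $w = (r y_a)^{x_b}$, which only the holder of $x_b$ can derive.

```python
import hashlib

# Constructed toy parameters: q = 1019 and p = 2q + 1 = 2039 are prime, g = 4 has order q.
# Far too small for real use; they only make Eqs. (1)-(12) concrete and runnable.
P, Q, G = 2039, 1019, 4

def H(*parts, mod):
    """Stand-in for the one-way hashes h(.) and F(.): SHA-256 over a canonical encoding,
    reduced into [1, mod-1]. Keeping F(.) nonzero makes it invertible mod p (an
    assumption of this example; the paper only asks for a one-way hash)."""
    data = "|".join(str(x) for x in parts).encode()
    return 1 + int.from_bytes(hashlib.sha256(data).digest(), "big") % (mod - 1)

def keygen(x):
    """User key pair: private x in Z_q, public y = g^x mod p."""
    return x, pow(G, x, P)

# ---- Lee et al.'s scheme (Section 2.1), Eqs. (1)-(5) ----
def lee_sign(M, k, x_a, y_b):
    r = pow(G, k, P)                                              # (1)
    c = M * pow(pow(y_b, k + x_a, P), -1, P) % P                  # (2)
    s = (k + x_a * H(M, r, mod=Q)) % Q                            # (3)
    return (c, r, s)

def lee_recover(delta, x_b, y_a):
    c, r, s = delta
    M = c * pow(r * y_a % P, x_b, P) % P                          # (4): (r y_a)^x_b = y_b^(k+x_a)
    ok = pow(G, s, P) == r * pow(y_a, H(M, r, mod=Q), P) % P      # (5)
    return M if ok else None

def lee_distinguish(delta, y_a, candidates):
    """Section 2.2 weakness: Eq. (5) uses only public values and the message, so an
    outsider without x_b can test each candidate. Returns those that pass (for a
    real-size q, exactly the encrypted message)."""
    _, r, s = delta
    return [M for M in candidates
            if pow(G, s, P) == r * pow(y_a, H(M, r, mod=Q), P) % P]

# ---- Improved scheme (Section 3), Eqs. (6)-(12) ----
def imp_sign(M, k, x_a, y_b):
    r = pow(G, k, P)                                              # (6)
    w = pow(y_b, k + x_a, P)                                      # (7)
    s = (k + x_a * H(M, r, w, mod=Q)) % Q                         # (8): h now binds w
    c = pow(H(r, s, w, mod=P), -1, P) * M % P                     # (9): F(r, s, w)^-1 M
    return (c, r, s)

def imp_recover(delta, x_b, y_a):
    """Recipient side. Only x_b yields w, and without w neither Eq. (11) nor the
    check (12) can be evaluated, which is what removes the outsider's test above."""
    c, r, s = delta
    w = pow(r * y_a % P, x_b, P)                                  # (10)
    M = H(r, s, w, mod=P) * c % P                                 # (11)
    ok = pow(G, s, P) == r * pow(y_a, H(M, r, w, mod=Q), P) % P   # (12)
    return (M, (r, s, w)) if ok else None                         # Omega = (r, s, w)

def imp_verify_converted(M, omega, y_a):
    """Conversion phase: any third party checks Omega = (r, s, w) with Eq. (12)."""
    r, s, w = omega
    return pow(G, s, P) == r * pow(y_a, H(M, r, w, mod=Q), P) % P

def demo():
    x_a, y_a = keygen(77)        # signer U_a (constructed private key)
    x_b, y_b = keygen(123)       # designated recipient U_b (constructed private key)
    M0, M1, k = 1234, 567, 500   # constructed candidate messages (in Z_p*) and nonce k
    lee = lee_sign(M1, k, x_a, y_b)
    imp = imp_sign(M1, k, x_a, y_b)
    M, omega = imp_recover(imp, x_b, y_a)
    return {
        "lee_recipient": lee_recover(lee, x_b, y_a),           # M1
        "lee_outsider": lee_distinguish(lee, y_a, [M0, M1]),   # contains M1, no x_b used
        "imp_recipient": M,                                    # M1
        "imp_converted_ok": imp_verify_converted(M, omega, y_a),
        "w_is_y_b_pow_k_plus_x_a": omega[2] == pow(y_b, k + x_a, P),
    }

if __name__ == "__main__":
    print(demo())
```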

4. Security proof

In this section, we first prove the security of our im-proved scheme in the random oracle model and then make a comparison with related works.

4.1. Security notion and proof

Discrete Logarithm Problem (DLP). Let p and q be two large primes satisfying $q \mid (p-1)$, and g a generator of order q. Given an instance $(y, p, q, g)$, where $y = g^x \bmod p$ for some $x \in Z_q$, it is polynomial-time intractable to derive x.

Computational Diffie–Hellman Problem (CDHP). Let p and q be two large primes satisfying $q \mid (p-1)$, and g a generator of order q. Given an instance $(p, q, g, g^a, g^b)$ for some $a, b \in Z_q$, it is polynomial-time intractable to derive $g^{ab} \bmod p$.

Definition 1 (Confidentiality). A CAE scheme is said to achieve the security requirement of confidentiality against indistinguishability under adaptive chosen-ciphertext attacks (IND-CCA2) if there is no probabilistic polynomial-time adversary $\mathcal{A}$ with a non-negligible advantage in the following game played with a challenger $\mathcal{B}$:

Setup: The challenger $\mathcal{B}$ first sends the system’s public parameters to the adversary $\mathcal{A}$.

Phase 1: The adversary $\mathcal{A}$ can ask several queries adaptively, i.e., each query might be based on the result of previous queries:

– Signature-generation (SG) queries: $\mathcal{A}$ chooses a message M and then gives it to $\mathcal{B}$ who will return a corresponding authenticated ciphertext $\delta$.

– Message-recovery (MR) queries: $\mathcal{A}$ submits an authenticated ciphertext $\delta$ to $\mathcal{B}$. If $\delta$ is valid, $\mathcal{B}$ returns the recovered message M and its converted signature $\Omega$; else, an error symbol ¶ is outputted as a result.

Challenge: The adversary $\mathcal{A}$ produces two messages, $M_0$ and $M_1$, of the same length. The challenger $\mathcal{B}$ flips a coin $\lambda \leftarrow \{0, 1\}$ and generates an authenticated ciphertext $\delta^*$ for $M_\lambda$. The ciphertext $\delta^*$ is then delivered to $\mathcal{A}$ as a target challenge.

Phase 2: The adversary $\mathcal{A}$ can make new queries as those in Phase 1 except the MR query for the target ciphertext.

Guess: At the end of the game, $\mathcal{A}$ outputs a bit $\lambda'$. The adversary $\mathcal{A}$ wins this game if $\lambda' = \lambda$. We define $\mathcal{A}$’s advantage as $\mathrm{Adv}(\mathcal{A}) = \left|\Pr[\lambda' = \lambda] - 1/2\right|$.

Definition 2 (Unforgeability). A CAE scheme is said to achieve the security requirement of unforgeability against existential forgery under adaptive chosen-message attacks (EF-CMA) if there is no probabilistic polynomial-time adversary $\mathcal{A}$ with a non-negligible advantage in the following game played with a challenger $\mathcal{B}$:

Setup: $\mathcal{B}$ first sends the system’s public parameters to the adversary $\mathcal{A}$.

Phase 1: The adversary $\mathcal{A}$ adaptively makes SG queries as those in Phase 1 of Definition 1.

Forgery: Finally, $\mathcal{A}$ produces an authenticated ciphertext $\delta^*$ which is not outputted by the SG query. The adversary $\mathcal{A}$ wins if $\delta^*$ is valid.

Theorem 1 (Proof of confidentiality). The improved CAE scheme is $(t, q_h, q_F, q_{SG}, q_{MR}, \varepsilon)$-secure against indistinguishability under adaptive chosen-ciphertext attacks (IND-CCA2) in the random oracle model if there is no probabilistic polynomial-time adversary that can $(t', \varepsilon')$-break the CDHP, where

$$\varepsilon' \geq \left(2\varepsilon - q_{MR}\,2^{-|p|}\right)/(q_h + q_F), \qquad t' \leq t + (2q_{SG} + 2q_{MR})\,t_\lambda.$$

Here $t_\lambda$ is the time for performing a modular exponentiation over a finite field.

Proof. Fig. 1 depicts the proof structure of this theorem. Suppose that a probabilistic polynomial-time adversary $\mathcal{A}$ can $(t, q_h, q_F, q_{SG}, q_{MR}, \varepsilon)$-break the improved scheme with a non-negligible advantage $\varepsilon$ under the adaptive chosen-ciphertext attack after running in time at most t and asking at most $q_h$ h, $q_F$ F, $q_{SG}$ SG and $q_{MR}$ MR queries. Then we can construct another algorithm $\mathcal{B}$ that $(t', \varepsilon')$-breaks the CDHP by taking $\mathcal{A}$ as a subroutine. Let all involved parties and parameters be defined in the same way as those in Section 3. The objective of $\mathcal{B}$ is to obtain $(g^{x_a x_b} \bmod p)$ by taking $(p, q, g, y_a, y_b)$ as inputs. In this proof, $\mathcal{B}$ simulates a challenger to $\mathcal{A}$ in the following game.

Fig. 1. The proof structure of Theorem 1.

Setup: The challenger $\mathcal{B}$ sends public parameters $\{p, q, g, y_a, y_b\}$ to the adversary $\mathcal{A}$.

Phase 1: $\mathcal{A}$ makes the following queries adaptively:

– h oracle: When $\mathcal{A}$ makes an h oracle query of $h(M, r, w)$, $\mathcal{B}$ first searches the h-list for a matched entry. Otherwise, $\mathcal{B}$ chooses $v_1 \in_R Z_q$ and adds the entry $(M, r, w, v_1)$ into the h-list. Finally, $\mathcal{B}$ returns $v_1$ as a result.

– F oracle: When $\mathcal{A}$ makes an F oracle query of $F(r, s, w)$, $\mathcal{B}$ first searches the F-list for a matched entry. Otherwise, $\mathcal{B}$ chooses $v_2 \in_R Z_p$ and adds the entry $(r, s, w, v_2)$ into the F-list. Finally, $\mathcal{B}$ returns $v_2$ as a result.

– SG query: When $\mathcal{A}$ makes an SG query for some message M, $\mathcal{B}$ first chooses $s, v_1 \in_R Z_q$ and $v_2 \in_R Z_p$. Then he computes $r = g^s y_a^{-v_1} \bmod p$ and $c = v_2^{-1} M \bmod p$. The ciphertext $\delta = (c, r, s)$ is then returned to $\mathcal{A}$.

– MR query: When $\mathcal{A}$ makes an MR query for some authenticated ciphertext $\delta = (c, r, s)$, $\mathcal{B}$ first searches the F-list for an entry $(r', s', w, v_2)$ where $r' = r$ and $s' = s$. Then he computes $M = v_2 \cdot c \bmod p$ and checks if $g^s = r\, y_a^{h(M, r, w)} \bmod p$. If it holds, $\mathcal{B}$ returns M and its converted signature $\Omega = (r, s, w)$; else, an error symbol ¶ is outputted as a result.

Challenge: $\mathcal{A}$ generates two messages, $M_0$ and $M_1$, of the same length. The challenger $\mathcal{B}$ flips a coin $\lambda \leftarrow \{0, 1\}$ and produces an authenticated ciphertext $\delta^* = (c^*, r^*, s^*)$ for $M_\lambda$ where $c^* \in_R Z_p$, $s^* \in_R Z_q$ and $r^* = y_a$.

Phase 2: $\mathcal{A}$ makes new queries as those stated in Phase 1 except the MR query for the target ciphertext $\delta^*$.

Analysis of the game: Consider the simulation of MR queries. It is possible for an MR query to return the error symbol ¶ for some valid $\delta = (c, r, s)$ on condition that $\mathcal{A}$ has not asked the corresponding $F(r, s, w)$ random oracle in advance. Let MR_ERR be the event that an MR query returns ¶ for some valid $\delta$ during the entire game, AC-V the event that an authenticated ciphertext submitted by $\mathcal{A}$ is valid. QF denotes the event that $\mathcal{A}$ has ever asked the $F(r, s, w)$ random oracle beforehand. Then we can express the error probability of any MR query as $\Pr[\text{AC-V} \mid \neg\text{QF}] \leq 2^{-|p|}$. Since $\mathcal{A}$ can ask at most $q_{MR}$ MR queries, we can further express the probability of MR_ERR as

$$\Pr[\text{MR\_ERR}] \leq q_{MR}\,2^{-|p|}. \qquad (13)$$

Fig. 2. The proof structure of confidentiality in Theorem 2.

In the challenge phase, $\mathcal{B}$ has returned a simulated authenticated ciphertext $\delta^* = (c^*, r^*, s^*)$ where $w^*$ is unknown to $\mathcal{B}$. Let GP be the event that the entire simulation game is perfect. Obviously, if the adversary $\mathcal{A}$ never asks $h(\cdot, r^*, w^*)$ or $F(r^*, s^*, w^*)$ in Phase 2, the entire simulation game could be regarded as perfect. We denote the event that $\mathcal{A}$ does make such an oracle query in Phase 2 by QHF*. When the entire simulation game is perfect, it can be seen that $\mathcal{A}$ gains no advantage in guessing $\lambda$ due to the randomness of the output of the random oracle, i.e.,

$$\Pr[\lambda' = \lambda \mid \text{GP}] = 1/2. \qquad (14)$$

Rewriting the expression of $\Pr[\lambda' = \lambda]$, we have

$$\begin{aligned}
\Pr[\lambda' = \lambda] &= \Pr[\lambda' = \lambda \mid \text{GP}]\,\Pr[\text{GP}] + \Pr[\lambda' = \lambda \mid \neg\text{GP}]\,\Pr[\neg\text{GP}] \\
&\leq (1/2)\Pr[\text{GP}] + \Pr[\neg\text{GP}] \quad (\text{by Eq. (14)}) \\
&= (1/2)\left(1 - \Pr[\neg\text{GP}]\right) + \Pr[\neg\text{GP}] \\
&= (1/2) + (1/2)\Pr[\neg\text{GP}]. \qquad (15)
\end{aligned}$$

On the other hand, we can also derive that

$$\begin{aligned}
\Pr[\lambda' = \lambda] &\geq \Pr[\lambda' = \lambda \mid \text{GP}]\,\Pr[\text{GP}] \\
&= (1/2)\left(1 - \Pr[\neg\text{GP}]\right) \\
&= (1/2) - (1/2)\Pr[\neg\text{GP}]. \qquad (16)
\end{aligned}$$

With inequalities (15) and (16), we know that

$$\left|\Pr[\lambda' = \lambda] - 1/2\right| \leq (1/2)\Pr[\neg\text{GP}]. \qquad (17)$$

Recall that in Definition 1, $\mathcal{A}$’s advantage is defined as $\mathrm{Adv}(\mathcal{A}) = \left|\Pr[\lambda' = \lambda] - 1/2\right|$. By assumption, $\mathcal{A}$ has non-negligible probability $\varepsilon$ to break the proposed scheme. We therefore have

$$\begin{aligned}
\varepsilon &= \left|\Pr[\lambda' = \lambda] - 1/2\right| \\
&\leq (1/2)\Pr[\neg\text{GP}] \quad (\text{by Eq. (17)}) \\
&= (1/2)\Pr[\text{QHF}^* \vee \text{MR\_ERR}] \\
&\leq (1/2)\left(\Pr[\text{QHF}^*] + \Pr[\text{MR\_ERR}]\right).
\end{aligned}$$

Combining Eq. (13) and rewriting the above inequality, we get

$$\Pr[\text{QHF}^*] \geq 2\varepsilon - \Pr[\text{MR\_ERR}] \geq 2\varepsilon - q_{MR}\,2^{-|p|}.$$

If the event QHF* happens, we claim that $\mathcal{B}$ has a chance to output $g^{x_a x_b} = (w^*)^{1/2} \bmod p$ from either the h-list or the F-list. Consequently, $\mathcal{B}$ has a non-negligible probability

$$\varepsilon' \geq \left(2\varepsilon - q_{MR}\,2^{-|p|}\right)/(q_h + q_F)$$

to solve the CDHP. The computational time required for $\mathcal{B}$ is $t' \leq t + (2q_{SG} + 2q_{MR})\,t_\lambda$. □

Theorem 2 (Proof of unforgeability). The improved CAE scheme is $(t, q_h, q_F, q_{SG}, \varepsilon)$-secure against existential forgery under adaptive chosen-message attacks (EF-CMA) in the random oracle model if there is no probabilistic polynomial-time adversary that can $(t', \varepsilon')$-break the DLP, where

$$\varepsilon' \geq \left(\varepsilon - 2^{-|q|}\right)/q_h, \qquad t' \leq t + 4q_{SG}\,t_\lambda.$$

Here $t_\lambda$ is the time for performing a modular exponentiation over a finite field.

Proof. Fig. 2 depicts the proof structure of this theorem. Suppose that a probabilistic polynomial-time adversary $\mathcal{A}$ can $(t, q_h, q_F, q_{SG}, \varepsilon)$-break the improved scheme with a non-negligible advantage $\varepsilon$ under the adaptive chosen-message attack after running in time at most t and asking at most $q_h$ h, $q_F$ F and $q_{SG}$ SG queries. Then we can construct another algorithm $\mathcal{B}$ that $(t', \varepsilon')$-breaks the DLP by taking $\mathcal{A}$ as a subroutine. Let all involved parties and notations be defined the same as those in Section 3. The objective of $\mathcal{B}$ is to obtain the private key $x_a$ by taking $(p, q, g, y_a)$ as inputs. We use the Forking lemma introduced by Pointcheval and Stern [11] to prove this theorem. In this proof, $\mathcal{B}$ simulates a challenger to $\mathcal{A}$ in the following game.

Setup: The challenger $\mathcal{B}$ comes up with a random tape composed of a long sequence of random bits. Then $\mathcal{B}$ simulates two runs of the proposed scheme to the adversary $\mathcal{A}$ on input $(p, q, g, y_a, y_b = g^\alpha \bmod p)$ where $\alpha \in_R Z_q$, and the random tape.

Phase 1: $\mathcal{A}$ adaptively asks h and F random oracles and SG queries as those defined in Theorem 1.

Forgery: Assume that $\mathcal{A}$ tries to forge an authenticated ciphertext for the message M. After querying the random oracle $h(M, r, w)$, $\mathcal{A}$ successfully produces a valid forgery $\delta = (c, r, s)$ where

$$s = k + x_a h(M, r, w) \bmod q. \qquad (18)$$

Then $\mathcal{B}$ again runs $\mathcal{A}$ on the same input and random tape. Since $\mathcal{A}$ is running with the same random tape, we know that the i-th query he will ask is always the same as the one during the first running. For all the oracle queries before $h(M, r, w)$, $\mathcal{B}$ returns identical results as those in the first time. When $\mathcal{A}$ asks $h(M, r, w)$ this time, $\mathcal{B}$ directly gives a new answer $v_1^*$. Eventually, $\mathcal{A}$ outputs another forgery $\delta^* = (c^*, r^*, s^*)$ for M.

Analysis of the game: According to the Forking lemma, if $\mathcal{A}$ has a non-negligible advantage $\varepsilon$ to break the improved CAE scheme under the adaptive chosen-message attack, we can obtain that

$$s = k + x_a v_1 \bmod q \quad (\text{by Eq. (18)}),$$

$$s^* = k + x_a v_1^* \bmod q. \qquad (19)$$

Combining Eqs. (18) and (19), we have

$$s - x_a v_1 = s^* - x_a v_1^*, \qquad x_a = (s - s^*)/(v_1 - v_1^*).$$

The probability that $\mathcal{A}$ guesses a correct random value without asking an $h(M, r, w)$ query is not greater than $2^{-|q|}$. Besides, the probability that $\mathcal{A}$ outputs another forgery $\delta^* = (c^*, r^*, s^*)$ with $h(M, r, w) = h(M, r^*, w^*)$ is $q_h^{-1}$. Therefore, we can express the probability that $\mathcal{B}$ solves the DLP in the second simulation as

$$\varepsilon' \geq \left(\varepsilon - 2^{-|q|}\right)/q_h.$$

Moreover, the computational time required for $\mathcal{B}$ during the simulation is $t' \leq t + 4q_{SG}\,t_\lambda$. □

Table 1
Comparisons of the proposed and related schemes.

Item                    LHT      LQ       Ours
IND-CPA secure          ×        √        √
IND-CCA2 secure         ×        ×        √
EF-CMA secure           ×        ×        √
Computational costs*    5E+4M    5E+2M    5E+4M

* The symbols ‘E’ and ‘M’ denote modular exponentiation and multiplication, respectively.

According to Theorem 2, the improved CAE scheme is secure against existential forgery attacks. That is to say, a signer cannot repudiate having generated his authenticated ciphertext. Hence, we obtain the following corollary.

Corollary 1. The improved CAE scheme satisfies the security requirement of non-repudiation.

4.2. Comparisons

We compare our proposed scheme with Lee et al.’s (LHT for short) [6] and the Li–Qin (LQ for short) [7] schemes in terms of provided security level and computational costs. Note that the computational costs are evaluated in number of required modular exponentiation and multiplication. Detailed comparisons are demonstrated in Table 1. From this table, it can be seen that although the computational cost of the Li–Qin scheme is slightly better than that of ours, they fail to provide more convincing security proofs. As a whole, we conclude that the proposed scheme is a better alternative for practical implementation.

5. Conclusions

Convertible authenticated encryption (CAE) schemes have crucial benefits to the confidential applications such as credit card transactions, online auctions and the business contract signing, etc. In this paper, we pointed out that Lee et al.’s scheme is insecure in the security notion of ciphertext indistinguishability under the chosen-plaintext attacks. Concretely speaking, a weakest adversary without any oracle query ability can easily identify the encrypted message from two candidate messages for a given ciphertext. Additionally, an improved CAE scheme is further proposed. In the random oracle model, we formally proved that our scheme achieves both the IND-CCA2 and the EF-CMA security.

Acknowledgements

We would like to thank anonymous referees for their valuable suggestions. This work was supported in part by the Chang Gung University Grant UARPD390111, Chang Gung Memorial Hospital Grant CMRPD390031, and in part by National Science Council under the grant NSC 98-2410-H-182-007-MY2.


References

[1] S. Araki, S. Uehara, K. Imamura, The limited verifier signature and its application, IEICE Transactions on Fundamentals E82-A (1) (1999) 63–68.

[2] T.Y. Chang, A convertible multi-authenticated encryption scheme for group communications, Information Sciences 178 (17) (2008) 3426–3434.

[3] H.Y. Chien, Selectively convertible authenticated encryption in the random oracle model, The Computer Journal 51 (4) (2008) 419–434.

[4] P. Horster, M. Michel, H. Peterson, Authenticated encryption schemes with low communication costs, Electronics Letters 30 (15) (1994) 1212–1213.

[5] H.F. Huang, C.C. Chang, An efficient convertible authenticated encryption scheme and its variant, in: Proceedings of the 5th International Conference on Information and Communications Security (ICICS2003), Springer-Verlag, Berlin, 2003, pp. 382–392.

[6] C.C. Lee, M.S. Hwang, S.F. Tzeng, A new convertible authenticated encryption scheme based on the ElGamal cryptosystem, International Journal of Foundations of Computer Science 20 (2) (2009) 351–359.

[7] F. Li, Z. Qin, Cryptanalysis of a convertible authentication encryption scheme based on the ElGamal cryptosystem, IETE Technical Review 27 (3) (2010) 266–269.

[8] H.Y. Lin, T.S. Wu, Bilinear pairings based convertible authenticated encryption scheme with provable recipient, in: Proceedings of 2008 International Computer Symposium (ICS 2008), Taipei, Taiwan, November 2008.

[9] H.Y. Lin, Y.S. Yeh, A novel (t,n) threshold convertible authenticated encryption scheme, Applied Mathematical Sciences 2 (5) (2008) 249–254.

[10] J. Lv, X. Wang, K. Kim, Practical convertible authenticated encryption schemes using self-certified public keys, Applied Mathematics and Computation 169 (2) (2005) 1285–1297.

[11] D. Pointcheval, J. Stern, Security arguments for digital signatures and blind signatures, Journal of Cryptology 13 (2000) 361–369.

[12] J.L. Tsai, Convertible multi-authenticated encryption scheme with one-way hash function, Computer Communications 32 (5) (2009) 783–786.

[13] T.S. Wu, C.L. Hsu, Convertible authenticated encryption scheme, The Journal of Systems and Software 62 (3) (2002) 205–209.

[14] T.S. Wu, C.L. Hsu, K.Y. Tsai, H.Y. Lin, T.C. Wu, Convertible multi-authenticated encryption scheme, Information Sciences 178 (1) (2008) 256–263.

[15] T.S. Wu, H.Y. Lin, Secure convertible authenticated encryption scheme based on RSA, Informatica 33 (4) (2009) 481–486.

[16] F. Zhang, K. Kim, A universal forgery on Araki et al.’s convertible limited verifier signature scheme, IEICE Transactions on Fundamentals E86-A (2) (2003) 515–516.

[17] W. Zhao, On the security of Yuan et al.’s undeniable signature scheme, International Journal of Network Security 11 (3) (2010) 177–180.
