Improved convertible authenticated encryption scheme with provable security

Convertible authenticated encryption (CAE) schemes allow a signer to produce an authenticated ciphertext such that only a designated recipient can decrypt it and verify the recovered signature. The conversion property further enables the designated recipient to reveal an ordinary signature for dealing with a later dispute over repudiation. Based on the ElGamal cryptosystem, in 2009, Lee et al. proposed a CAE scheme with only heuristic security analyses. In this paper, we will demonstrate that their scheme is vulnerable to the chosen-plaintext attack and then further propose an improved variant. Additionally, in the random oracle model, we prove that the improved scheme achieves confidentiality against indistinguishability under adaptive chosen-ciphertext attacks (IND-CCA2) and unforgeability against existential forgery under adaptive chosen-message attacks (EF-CMA).

► We demonstrated that Lee et al.ʼs scheme is vulnerable to the chosen-plaintext attack.
► We proposed an improved variant to withstand our proposed attack.
► The proposed scheme achieves confidentiality under IND-CCA2.
► The proposed scheme achieves unforgeability under EF-CMA.