Selectively Convertible Authenticated Encryption in the Random Oracle Model

Conventionally, a verified digital signature releases information about both the signing event and the signed content simultaneously, where the signing event proves the truth that someone actually signed something. However, in many cases, the information of the signing event and the signed content have different uses and distinct degrees of importance on various occasions. In such cases, the conventional digital signature, the current authenticated encryption schemes and the current signcryption schemes cannot satisfy the needs of selectively releasing either the information about the signing event or that about the signed content or both depending on the situation. In this paper, we shall propose a selectively convertible authenticated encryption scheme where either the sender or the designated receiver can selectively convert the encryption such that the signing event and that of the signed content can be released adaptively. The security of the scheme is proved in the random oracle model. Applications based on the proposed scheme are also introduced.