Recently, Ma and Chen proposed a new authenticated encryption scheme with public verifiability. The signer can generate a signature with message recovery for a specified recipient. With a dispute, the recipient has ability to convert the signature into an ordinary one that can be verified by anyone without divulging her/his private key and the message. However, we point out that any adversary can forge a converted signature in this article.

In this paper, we propose an idea of the generalization of threshold signature and authenticated encryption for group communications. The concept of the (t, n) threshold signature with (k, l) shared verification is implemented in group-oriented cryptosystems. In the system, any t members can represent a group to sign a message and any k verifiers can represent another group to authenticate the signature. By integrating the cryptographic techniques of data encryption, digital signature and message recovery, a group-oriented authenticated encryption scheme with (k, l) shared verification is also proposed. The message expansion and communication cost can also be reduced in our schemes.

Nyberg and Rueppel recently proposed a new EIGamal-type digital signature scheme with message recovery feature and its six variants. The advantage of small signed message length is effective especially in some applications like public key certifying protocols or the key exchange. But two forgeries that present a real threat over such applications are pointed out. In certifying public keys or key exchanges, redundancy is not preferable in order to store or transfer small data. Therefore the current systems should be modified in order to integrate the Nyberg-Ruepple's signature into such applications. However, there has not been such a research that prevents the forgeries directly by improving the signature scheme. In this paper, we investigate a condition to avoid the forgeries directly. We also show some new message recovery signatures strong against the forgeries by adding a negligible computation amount to their signatures, while not increasing the signature size. The new scheme can be integrated into the above application without modifying the current systems, while maintaining the security.

In 1990, Menezes, Okamoto and Vanstone proposed a method that reduces EDLP to DLP, which gave an impact on the security of cryptosystems based on EDLP. But this reducing is valid only when Weil pairing can be defined over the m-torsion group which includes the base point of EDLP. If an elliptic curve is ordinary, there exists EDLP to which we cannot apply the reducing. In this paper, we investigate the condition for which this reducing is invalid.