Jun Furukawa

NEC Corporation, Edo, Tōkyō, Japan


Publications (33)

  • Isamu Teranishi, Jun Furukawa
    ABSTRACT: Anonymous Credential with Attributes Certification after Registration
    IEICE Transactions. 01/2012; 95-A:125-137.
  • Jun Furukawa, Kengo Mori, Kazue Sako
    ABSTRACT: We discuss an implementation of a network voting scheme based on mix-net technology. We employed the scheme presented at Financial Cryptography 2002, but replaced the numeric computations with those on an elliptic curve. As a result, we obtained a three-times speed-up and a shortening of the data length to one third. The system has been employed in a private organization with roughly 20,000 voters since 2004.
    Towards Trustworthy Elections, New Directions in Electronic Voting; 01/2010
  • Frederik Armknecht, Jun Furukawa
    ABSTRACT: Group key exchange protocols (GKE) allow a set of parties to establish a common key over an insecure network. So far the research on GKE has mainly focused on identifying and formalizing appropriate security definitions, which has led to a variety of different security models. Besides reaching a high security level, another important aspect is to reduce the communication effort. In many practical scenarios it is preferable (or possibly even indispensable) to reduce the number of messages to a minimum, e.g., to save time and/or energy. We prove that any n-party GKE that provides forward security (FS) and mutual authentication (MA) against insider attackers needs at least two communication rounds and in that case at least $\frac{1}{2}n^2 + \frac{1}{2}n - 3$ messages. Observe that FS and MA are today accepted as basic security recommendations. Hence these bounds hold automatically as well for more elaborate security definitions. Then, we describe a 2-round GKE that requires n + 1 messages more than the derived lower bound. We prove that the protocol achieves UC-security (in the model by Katz and Shin (CCS’05)) in the common reference string (CRS) model. To the best of our knowledge, this represents the most communication efficient (in terms of number of rounds and messages) UC-secure GKE so far.
    Selected Areas in Cryptography - 17th International Workshop, SAC 2010, Waterloo, Ontario, Canada, August 12-13, 2010, Revised Selected Papers; 01/2010
  • Isamu Teranishi, Jun Furukawa, Kazue Sako
    ABSTRACT: We propose an authentication scheme in which users can be authenticated anonymously so long as the number of times they are authenticated is within an allowable number. The proposed scheme has two features: 1) no one, not even an authority, can identify users who have been authenticated within the allowable number, 2) anyone can trace, without help from the authority, dishonest users who have been authenticated beyond the allowable number by using the records of these authentications. Our scheme can be applied to e-voting, e-cash, electronic coupons, and trial browsing of content. In these applications, our scheme, unlike the previous one, conceals users' participation in protocols and guarantees that they will remain anonymous to everyone.
    IEICE Transactions. 01/2009;
  • Jun Furukawa, Kazue Sako, Satoshi Obana
    ABSTRACT: Today, many users of the network access multiple independent services consecutively or even simultaneously. Single sign-on systems help such users to access services easily with only a single log-in process. Some single sign-on systems, which require users' IC cards to be authenticated directly by services, achieve a high level of security in that they allow no third party to have the power to impersonate users. However, most of these systems are vulnerable when IC cards are analyzed, since the security is solely dependent on the secret information borne inside the card. In this paper, we propose a novel single sign-on system with an IC card that still keeps a certain level of security even when a user's IC card is analyzed. In the system, secret information is kept in a distributed way between the IC card and the portal.
    Proceedings of the 5th Workshop on Digital Identity Management, Chicago, Illinois, USA, November 13, 2009; 01/2009
  • Kaoru Kurosawa, Jun Furukawa
    ABSTRACT: How to define the security of undeniable signature schemes is a challenging task. This paper presents two security definitions of undeniable signature schemes which are more useful or natural than the existing definition. It then proves their equivalence. We first define the UC-security, where UC means universal composability. We next show that there exists a UC-secure undeniable signature scheme which does not satisfy the standard definition of security that has been believed to be adequate so far. More precisely, it does not satisfy the invisibility defined by (10). We then show a more adequate definition of invisibility which captures a wider class of (naturally secure) undeniable signature schemes. We finally prove that the UC-security against non-adaptive adversaries is equivalent to this definition of invisibility and the strong unforgeability in the FZK-hybrid model, where FZK is the ideal ZK functionality. Our result of equivalence implies that all the known proven secure undeniable signature schemes (including Chaum's scheme) are UC-secure if the confirmation/disavowal protocols are both UC zero-knowledge.
    Automata, Languages and Programming, 35th International Colloquium, ICALP 2008, Reykjavik, Iceland, July 7-11, 2008, Proceedings, Part II - Track B: Logic, Semantics, and Theory of Programming & Track C: Security and Cryptography Foundations; 01/2008
  • ABSTRACT: The fuzzy identity-based encryption schemes are attribute-based encryption schemes such that each party with the private key for an attribute set $\mathcal{S}$ is allowed to decrypt ciphertexts encrypted by an attribute set $\mathcal{S}'$, if and only if the two sets $\mathcal{S}$ and $\mathcal{S}'$ are close to each other as measured by the set-overlap-distance metric. That is, there is a threshold t and, if t out of n attributes of $\mathcal{S}$ are also included in $\mathcal{S}'$, the receivers can decrypt the ciphertexts. In previous schemes, this threshold t is fixed when private keys are generated and the length of ciphertexts is linear in n. In this paper, we propose a novel fuzzy identity-based encryption scheme where the threshold t is flexible by nature and the length of ciphertexts is linear in n − t. The latter property makes the scheme short if it allows receivers to decrypt ciphertexts when the error rate n − t, i.e., the distance between the two attribute sets, is low.
    Progress in Cryptology - INDOCRYPT 2008, 9th International Conference on Cryptology in India, Kharagpur, India, December 14-17, 2008. Proceedings; 01/2008
  • ABSTRACT: The universal composability (UC) framework by Canetti [15] is a general-purpose framework for designing secure protocols. It ensures the security of UC-secure protocols under arbitrary compositions. As key exchange protocols (KEs) belong to the most used cryptographic mechanisms, some research has been done on UC-secure 2-party KEs. However, the only result regarding UC-secure group key exchange protocols (GKEs) is a generic method presented by Katz and Shin [35]. It allows one to turn any GKE protocol that fulfills certain security requirements into a UC-secure variant. This yields GKE protocols which require at least five communication rounds in practice when no session identities are provided by external mechanisms. Up to now, no effort has been taken to design dedicated UC-secure GKE protocols with a lower communication complexity. In this paper, we propose a new UC-secure GKE which needs only two rounds. We show that two is the minimum possible number of rounds and that any 2-round UC-secure GKE requires at least as many messages as our protocol. The proof of security relies on a new assumption which is a combination of the decision bilinear Diffie-Hellman assumption and the linear Diffie-Hellman assumption.
    Security and Cryptography for Networks, 6th International Conference, SCN 2008, Amalfi, Italy, September 10-12, 2008. Proceedings; 01/2008
  • Ryuichi Sakai, Jun Furukawa
    ABSTRACT: Broadcast encryption schemes enable senders to efficiently broadcast ciphertexts to a large set of receivers in a way that only non-revoked receivers can decrypt them. Identity-based encryption schemes are public key encryption schemes that can use arbitrary strings as public keys. We propose the first public key broadcast encryption scheme that can use any string as a public key of each receiver. That is, an identity-based broadcast encryption scheme. Our scheme has many desirable properties. The scheme is fully collusion resistant, and the size of ciphertexts and that of private keys are small constants. The size of the public key is proportional to only the maximum number of receiver sets to each of which the ciphertext is sent. Note that its size remains so even though the number of potential receivers is of super-polynomial size. Besides these properties, achieving the first practical identity-based broadcast encryption scheme itself is the most interesting point of this paper. The security of our scheme is proved in the generic bilinear group model.
    IACR Cryptology ePrint Archive. 01/2007; 2007:217.
  • Jun Furukawa, Kazue Sako
    IEICE Transactions. 01/2007; 90-A:113-127.
  • Jun Furukawa, Hideki Imai
    ABSTRACT: In this paper, we propose a novel scheme to prove the correctness of a mix-net that is composed of multiple shufflings, in such a way that the computational complexity of its verifier does not depend on the number of its composite shufflings. We call this scheme an aggregate shuffle argument scheme. Although a similar scheme proposed by Abe in Eurocrypt 1998 exists, our scheme is much more efficient. In fact, the computational cost required for the verifier in our scheme is less than 1/60 of that in Abe’s scheme. This is mainly because our scheme exploits the efficient shuffle arguments proposed by Furukawa et al. in Crypto 2001 while Abe’s scheme exploits the shuffle proof proposed by Sako et al. in Eurocrypt 1995. We also propose a formal model and security requirements of aggregate shuffle argument schemes.
    Financial Cryptography and Data Security, 11th International Conference, FC 2007, and 1st International Workshop on Usable Security, USEC 2007, Scarborough, Trinidad and Tobago, February 12-16, 2007. Revised Selected Papers; 01/2007
  • IEICE Transactions. 01/2007; 90-A:1803-1813.
  • Jun Furukawa, Nuttapong Attrapadung
    ABSTRACT: Broadcast encryption schemes enable senders to efficiently broadcast ciphertexts to a large set of receivers in a way that only non-revoked receivers can decrypt them. Black-box traitor revocable broadcast encryption schemes are broadcast encryption schemes that enable a tracer, who is given a pirate decoder, to identify traitors by black-box accessing the given pirated decoder and to revoke traitors so identified. In this paper, we propose a fully collusion resistant black-box traitor revocable broadcast encryption scheme in which the size of each private key is constant, the size of the public key is proportional to the number of receivers, and the sizes of ciphertexts are sub-linear with respect to the number of receivers. The encryption procedure in our scheme requires only a public key. The tracing procedure in it requires only a public key and black-box access to a resettable pirate decoder. The security of our scheme is proved in the generic bilinear group model if the subgroup decision assumption holds.
    Automata, Languages and Programming, 34th International Colloquium, ICALP 2007, Wroclaw, Poland, July 9-13, 2007, Proceedings; 01/2007
  • ABSTRACT: In a famous paper at Crypto’01, Boneh and Franklin proposed the first fully functional identity-based encryption scheme (IBE), around fifteen years after the concept was introduced by Shamir. Their scheme achieves chosen-ciphertext security (i.e., secure in the sense of IND-ID-CCA); however, the security reduction is far from being tight. In this paper, we present an efficient variant of the Boneh-Franklin scheme that achieves a tight security reduction. Our scheme is basically an IBE scheme under two keys, one of which is randomly chosen and given to the user. It can be viewed as a continuation of an idea introduced by Katz and Wang; however, unlike the Katz-Wang variant, our scheme is quite efficient, as its ciphertext size is roughly comparable to that of the original full Boneh-Franklin scheme. The security of our scheme can be based on either the gap bilinear Diffie-Hellman (GBDH) or the decisional bilinear Diffie-Hellman (DBDH) assumptions.
    11/2006: pages 19-36;
  • Jun Furukawa, Kazue Sako
    ABSTRACT: We propose here the first efficient publicly verifiable hybrid mix-net. Previous publicly verifiable mix-nets were only efficient for short ciphertexts and were not suitable for mixing long messages. Previous hybrid mix-nets can mix long messages but did not have public verifiability. The proposed scheme is efficient enough to treat large scale electronic questionnaires of long messages as well as voting with write-ins, and offers public verifiability of the correctness of the tally. The scheme is provably secure if we assume random oracles, semantic security of a one-time symmetric-key cryptosystem, and intractability of the decision Diffie-Hellman problem. Keywords: hybrid mix, public verifiability, multiple encryption, efficient
    10/2006: pages 111-125;
  • Jun Furukawa, Kaoru Kurosawa, Hideki Imai
    ABSTRACT: Pass showed a 2-move deniable zero-knowledge argument scheme for any $\mathcal{NP}$ language in the random oracle model at Crypto 2003. However, this scheme is very inefficient because it relies on the cut and choose paradigm (via the straight-line witness extractable technique). In this paper, we propose a very efficient compiler that transforms any Σ-protocol to a 2-move deniable zero-knowledge argument scheme in the random oracle model, which is also a resettable zero-knowledge and resettably-sound argument of knowledge. Since there is no essential loss of efficiency in our transform, we can obtain a very efficient undeniable signature scheme and a very efficient deniable authentication scheme. Keywords: deniable, efficient, constant-round, resettable zero-knowledge, the random oracle model, resettably-sound argument of knowledge, Σ-protocol
    06/2006: pages 46-57;
  • Jun Furukawa
    ABSTRACT: Report number: 甲21891; Date of degree conferral: 2006-09-29; Degree type: Doctorate by coursework; Degree: Doctor of Information Science and Technology; Diploma number: 博情第105号. Secure multi-party protocols are cryptographic protocols in which multiple players engage. Many application-specific multi-party protocols have been proposed, which include electronic voting, electronic cash, electronic auction, broadcast encryption, traitor tracing, anonymous authentication, group signature, secret sharing, conference (group) key distribution, group key generation, etc. These multi-party protocols are designed mainly so as to carry out social activities in the network. The technique of general multi-party computation that enables multiple parties to securely compute any efficient function is known. However, its results are mostly far from practical efficiency in the sense of computational, communication, and round complexity. This is the major reason why a large number of specific constructions of multi-party protocols have been proposed. Since a multiple number of players engage in multi-party protocols, they often have complex security requirements. Such circumstances, besides the fact that the number of players itself is large, make it hard to construct efficient multi-party protocols. Thus, efficiency enhancement is the major and crucial interest in the design of multi-party protocols. Among the examples of multi-party protocols presented above, electronic voting, broadcast encryption, and group signature can be listed as the most useful multi-party protocols. This dissertation presents several efficiency enhanced variants of these protocols. They are an efficient publicly verifiable shuffle scheme, an efficient publicly verifiable shuffle and decryption scheme, an efficient publicly verifiable hybrid mixnet scheme, an aggregate shuffle argument scheme, an efficient compiler from Σ-protocol to deniable zero-knowledge argument, a black-box traitor revocable broadcast encryption scheme, a group signature scheme for separate and distributed authorities, and an efficient group signature based on bilinear mappings. These protocols are efficient enough for practical purposes.
    01/2006;
  • Jun Furukawa, Hideki Imai
    ABSTRACT: We propose a new group signature scheme which is secure if we assume the Decision Diffie-Hellman assumption, the q-Strong Diffie-Hellman assumption, and the existence of random oracles. The proposed scheme is the most efficient among all previous group signature schemes in signature length and in computational complexity. This paper is the full version of the extended abstract that appeared in ACISP 2005 [17].
    01/2006;
  • Jun Furukawa, Kazue Sako
    Financial Cryptography and Data Security, 10th International Conference, FC 2006, Anguilla, British West Indies, February 27-March 2, 2006, Revised Selected Papers; 01/2006
  • Jun Furukawa, Kaoru Kurosawa, Hideki Imai
    Automata, Languages and Programming, 33rd International Colloquium, ICALP 2006, Venice, Italy, July 10-14, 2006, Proceedings, Part II; 01/2006