Jun Furukawa

NEC Corporation, Edo, Tokyo, Japan

Publications (36) · 5.14 total impact

  • ABSTRACT: In this letter, we propose a secrecy criterion for outsourcing encrypted databases. In encrypted databases, encryption schemes that reveal some information are often used in order to manipulate encrypted data efficiently. The proposed criterion is based on inference analysis for databases: we simulate an attacker's inference about specified secret information both with and without the information revealed by the encrypted database. When the two inference results are the same, secrecy of the specified information is preserved when the encrypted database is outsourced. We also show that the proposed criterion is decidable under a practical setting.
    Article · Jun 2015 · IEICE Transactions on Information and Systems
  • Kaoru Kurosawa · Jun Furukawa
    ABSTRACT: In this paper, we show three generic constructions of 2-pass key exchange (KE) protocols that satisfy weak perfect forward secrecy (wPFS) under the sole assumption that a CPA-secure KEM exists. Our first construction is CK-secure, the second one is eCK-secure, and the last one is both CK-secure and eCK-secure.
    Article · Feb 2014
  • Isamu Teranishi · Jun Furukawa
    ABSTRACT: An anonymous credential system enables individuals to selectively prove their attributes while all other knowledge remains hidden. We considered the applicability of such a system to large-scale infrastructure systems and found that revocations are still a problem. We then devised a scenario that lessens the number of revocations by using more attributes. In this scenario, each individual needs to handle a huge number of attributes, which is not practical with conventional systems. In particular, each individual needs to prove a small number of attributes out of a huge number of attributes, and the manager of the system needs to periodically certify a huge number of attributes of individuals. These processes consume extremely large resources. This paper proposes an anonymous credential system in which both a user's proof of an attribute set drawn from a huge attribute set and the manager's certification of attributes are very efficient. Our proposal enables an anonymous credential system to be deployed as a large-scale infrastructure system.
    Article · Jan 2012 · IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences
  • Frederik Armknecht · Jun Furukawa
    ABSTRACT: Group key exchange protocols (GKE) allow a set of parties to establish a common key over an insecure network. So far, research on GKE has mainly focused on identifying and formalizing appropriate security definitions, which has led to a variety of different security models. Besides reaching a high security level, another important aspect is reducing the communication effort. In many practical scenarios it is preferable (or possibly even indispensable) to reduce the number of messages to a minimum, e.g., to save time and/or energy. We prove that any n-party GKE that provides forward security (FS) and mutual authentication (MA) against insider attackers needs at least two communication rounds and, in that case, at least \(\frac{1}{2}n^2 + \frac{1}{2}n - 3\) messages. Observe that FS and MA are today accepted as basic security recommendations. Hence these bounds hold automatically for more elaborate security definitions as well. Then, we describe a 2-round GKE that requires n + 1 messages more than the derived lower bound. We prove that the protocol achieves UC-security (in the model by Katz and Shin (CCS'05)) in the common reference string (CRS) model. To the best of our knowledge, this represents the most communication-efficient (in terms of number of rounds and messages) UC-secure GKE so far.
    Conference Paper · Aug 2010
  • Jun Furukawa · Kengo Mori · Kazue Sako
    ABSTRACT: We discuss an implementation of a network voting scheme based on mix-net technology. We employed the scheme presented at Financial Cryptography 2002, but replaced the numeric computations with those on an elliptic curve. As a result, we obtained a threefold speed-up and a reduction of the data length to one third. The system has been employed in a private organization with roughly 20,000 voters since 2004.
    Conference Paper · Jan 2010
  • Isamu Teranishi · Jun Furukawa · Kazue Sako
    ABSTRACT: We propose an authentication scheme in which users can be authenticated anonymously as long as the number of times they are authenticated stays within an allowable number. The proposed scheme has two features: 1) no one, not even an authority, can identify users who have been authenticated within the allowable number; 2) anyone can trace, without help from the authority, dishonest users who have been authenticated beyond the allowable number, by using the records of these authentications. Our scheme can be applied to e-voting, e-cash, electronic coupons, and trial browsing of content. In these applications, our scheme, unlike the previous one, conceals users' participation in the protocols and guarantees that they will remain anonymous to everyone.
    Article · Jan 2009 · IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences
  • Jun Furukawa · Kazue Sako · Satoshi Obana
    ABSTRACT: Today, many network users access multiple independent services consecutively or even simultaneously. Single sign-on systems help such users access services easily with only a single log-in process. Some single sign-on systems that require users' IC cards to be authenticated directly by the services achieve a high level of security in that they allow no third party to have the power to impersonate users. However, most of these systems are vulnerable when IC cards are analyzed, since their security depends solely on the secret information held inside the card. In this paper, we propose a novel single sign-on system with IC cards that still keeps a certain level of security even when a user's IC card is analyzed. In the system, the secret information is kept in a distributed manner between the IC card and the portal.
    Conference Paper · Jan 2009
  • ABSTRACT: Fuzzy identity-based encryption schemes are attribute-based encryption schemes such that each party with the private key for an attribute set \(\mathcal{S}\) is allowed to decrypt ciphertexts encrypted under an attribute set \(\mathcal{S}'\) if and only if the two sets \(\mathcal{S}\) and \(\mathcal{S}'\) are close to each other as measured by the set-overlap-distance metric. That is, there is a threshold t and, if t out of the n attributes of \(\mathcal{S}\) are also included in \(\mathcal{S}'\), the receivers can decrypt the ciphertexts. In previous schemes, this threshold t is fixed when private keys are generated, and the length of ciphertexts is linear in n. In this paper, we propose a novel fuzzy identity-based encryption scheme where the threshold t is flexible by nature and the length of ciphertexts is linear in n − t. The latter property makes the ciphertexts short if the scheme allows receivers to decrypt ciphertexts when the error rate n − t, i.e., the distance between the two attribute sets, is low.
    Conference Paper · Dec 2008
  • Jun Furukawa · Frederik Armknecht · Kaoru Kurosawa
    ABSTRACT: The universal composability (UC) framework by Canetti [15] is a general-purpose framework for designing secure protocols. It ensures the security of UC-secure protocols under arbitrary compositions. As key exchange protocols (KEs) are among the most used cryptographic mechanisms, some research has been done on UC-secure 2-party KEs. However, the only result regarding UC-secure group key exchange protocols (GKEs) is a generic method presented by Katz and Shin [35]. It allows one to turn any GKE protocol that fulfills certain security requirements into a UC-secure variant. This yields GKE protocols which require at least five communication rounds in practice when no session identities are provided by external mechanisms. Up to now, no effort has been taken to design dedicated UC-secure GKE protocols with a lower communication complexity. In this paper, we propose a new UC-secure GKE which needs only two rounds. We show that two is the minimum possible number of rounds and that any 2-round UC-secure GKE requires at least as many messages as our protocol. The proof of security relies on a new assumption which is a combination of the decision bilinear Diffie-Hellman assumption and the linear Diffie-Hellman assumption.
    Conference Paper · Sep 2008
  • Kaoru Kurosawa · Jun Furukawa
    ABSTRACT: How to define the security of undeniable signature schemes is a challenging task. This paper presents two security definitions of undeniable signature schemes which are more useful or natural than the existing definition. It then proves their equivalence. We first define UC-security, where UC means universal composability. We next show that there exists a UC-secure undeniable signature scheme which does not satisfy the standard definition of security that has been believed to be adequate so far. More precisely, it does not satisfy the invisibility defined by [10]. We then show a more adequate definition of invisibility which captures a wider class of (naturally secure) undeniable signature schemes. We finally prove that UC-security against non-adaptive adversaries is equivalent to this definition of invisibility and strong unforgeability in the -hybrid model, where is the ideal ZK functionality. Our equivalence result implies that all the known provably secure undeniable signature schemes (including Chaum's scheme) are UC-secure if the confirmation/disavowal protocols are both UC zero-knowledge.
    Conference Paper · Jul 2008
  • Jun Furukawa · Nuttapong Attrapadung
    ABSTRACT: Broadcast encryption schemes enable senders to efficiently broadcast ciphertexts to a large set of receivers in such a way that only non-revoked receivers can decrypt them. Black-box traitor-revocable broadcast encryption schemes are broadcast encryption schemes that enable a tracer, who is given a pirate decoder, to identify traitors by black-box access to the given pirate decoder and to revoke the traitors so identified. In this paper, we propose a fully collusion-resistant black-box traitor-revocable broadcast encryption scheme in which the size of each private key is constant, the size of the public key is proportional to the number of receivers, and the size of ciphertexts is sub-linear in the number of receivers. The encryption procedure in our scheme requires only a public key. The tracing procedure requires only a public key and black-box access to a resettable pirate decoder. The security of our scheme is proved in the generic bilinear group model under the subgroup decision assumption.
    Conference Paper · Jul 2007
  • Jun Furukawa · Hideki Imai
    ABSTRACT: In this paper, we propose a novel scheme to prove the correctness of a mix-net composed of multiple shufflings, in such a way that the computational complexity of its verifier does not depend on the number of component shufflings. We call this scheme an aggregate shuffle argument scheme. Although a similar scheme proposed by Abe at Eurocrypt 1998 exists, our scheme is much more efficient. In fact, the computational cost required of the verifier in our scheme is less than 1/60 of that in Abe's scheme. This is mainly because our scheme exploits the efficient shuffle arguments proposed by Furukawa et al. at Crypto 2001, while Abe's scheme exploits the shuffle proof proposed by Sako et al. at Eurocrypt 1995. We also propose a formal model and security requirements for aggregate shuffle argument schemes.
    Conference Paper · Feb 2007
  • Jun Furukawa · Kazue Sako
    ABSTRACT: We propose here the first efficient publicly verifiable hybrid mix-net. Previous publicly verifiable mix-nets were only efficient for short ciphertexts and were not suitable for mixing long messages. Previous hybrid mix-nets can mix long messages but do not have public verifiability. The proposed scheme is efficient enough to handle large-scale electronic questionnaires with long messages as well as voting with write-ins, and it offers public verifiability of the correctness of the tally. The scheme is provably secure if we assume random oracles, semantic security of a one-time symmetric-key cryptosystem, and intractability of the decision Diffie-Hellman problem. This paper is the full version of the extended abstract that appeared in FC 2006 [10].
    Article · Jan 2007 · IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences
  • Ryuichi Sakai · Jun Furukawa
    ABSTRACT: Broadcast encryption schemes enable senders to efficiently broadcast ciphertexts to a large set of receivers in such a way that only non-revoked receivers can decrypt them. Identity-based encryption schemes are public key encryption schemes that can use arbitrary strings as public keys. We propose the first public key broadcast encryption scheme that can use any string as the public key of each receiver, that is, an identity-based broadcast encryption scheme. Our scheme has many desirable properties. The scheme is fully collusion resistant, and the size of ciphertexts and that of private keys are small constants. The size of the public key is proportional only to the maximum number of receiver sets to each of which a ciphertext is sent. Note that this size remains so even though the number of potential receivers is super-polynomial. Besides these properties, achieving the first practical identity-based broadcast encryption scheme is itself the most interesting point of this paper. The security of our scheme is proved in the generic bilinear group model.
    Article · Jan 2007
  • Nuttapong Attrapadung · Jun Furukawa · Hideki Imai
    ABSTRACT: We introduce a primitive called Hierarchical Identity-Coupling Broadcast Encryption (HICBE) that can be used for constructing efficient collusion-resistant public-key broadcast encryption schemes with extended properties such as forward security and keyword searchability. Our forward-secure broadcast encryption schemes have small ciphertext and private key sizes, in particular, independent of the number of users in the system. One of our two best constructions achieves ciphertexts of constant size and user private keys of size \(O(\log^2 T)\), where T is the total number of time periods, while another achieves both ciphertexts and user private keys of size \(O(\log T)\). These performances are comparable to those of the currently best single-user forward-secure public-key encryption scheme, while our schemes are designed for broadcasting to arbitrary sets of users. As a side result, we also formalize the notion of searchable broadcast encryption, which is a new generalization of public key encryption with keyword search. We then relate it to anonymous HICBE and present a construction with polylogarithmic performance.
    Conference Paper · Dec 2006
  • ABSTRACT: In a famous paper at Crypto'01, Boneh and Franklin proposed the first fully functional identity-based encryption scheme (IBE), around fifteen years after the concept was introduced by Shamir. Their scheme achieves chosen-ciphertext security (i.e., it is secure in the sense of IND-ID-CCA); however, the security reduction is far from tight. In this paper, we present an efficient variant of the Boneh-Franklin scheme that achieves a tight security reduction. Our scheme is basically an IBE scheme under two keys, one of which is randomly chosen and given to the user. It can be viewed as a continuation of an idea introduced by Katz and Wang; however, unlike the Katz-Wang variant, our scheme is quite efficient, as its ciphertext size is roughly comparable to that of the original full Boneh-Franklin scheme. The security of our scheme can be based on either the gap bilinear Diffie-Hellman (GBDH) or the decisional bilinear Diffie-Hellman (DBDH) assumption.
    Chapter · Nov 2006
  • Jun Furukawa · Kazue Sako
    ABSTRACT: We propose here the first efficient publicly verifiable hybrid mix-net. Previous publicly verifiable mix-nets were only efficient for short ciphertexts and were not suitable for mixing long messages. Previous hybrid mix-nets can mix long messages but do not have public verifiability. The proposed scheme is efficient enough to handle large-scale electronic questionnaires with long messages as well as voting with write-ins, and it offers public verifiability of the correctness of the tally. The scheme is provably secure if we assume random oracles, semantic security of a one-time symmetric-key cryptosystem, and intractability of the decision Diffie-Hellman problem. Keywords: hybrid mix, public verifiability, multiple encryption, efficient
    Chapter · Oct 2006
  • Jun Furukawa · Kaoru Kurosawa · Hideki Imai
    ABSTRACT: Pass showed a 2-move deniable zero-knowledge argument scheme for any \(\mathcal{NP}\) language in the random oracle model at Crypto 2003. However, this scheme is very inefficient because it relies on the cut-and-choose paradigm (via the straight-line witness-extractable technique). In this paper, we propose a very efficient compiler that transforms any Σ-protocol into a 2-move deniable zero-knowledge argument scheme in the random oracle model, which is also a resettable zero-knowledge and resettably-sound argument of knowledge. Since there is no essential loss of efficiency in our transform, we can obtain a very efficient undeniable signature scheme and a very efficient deniable authentication scheme. Keywords: deniable, efficient, constant-round, resettable zero-knowledge, the random oracle model, resettably-sound argument of knowledge, Σ-protocol
    Chapter · Jun 2006
  • ABSTRACT: The first refreshable anonymous token scheme, proposed in [1], enables one to provide services in such a way that each user is allowed to enjoy only a fixed number of services at the same time. In this paper, we show that the scheme in [1] is insecure and propose a provably secure refreshable partial anonymous token scheme which is a generalization of the previous scheme. The new scheme has the additional ability to control the anonymity level of users. We also propose a formal model and security requirements for the new scheme.
    Article · May 2006 · IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences