## CryptoDB

### Eiichiro Fujisaki

#### Publications

Year
Venue
Title
2018
JOFC
2016
ASIACRYPT
2014
ASIACRYPT
2007
PKC
2007
EPRINT
In a seminal paper of identity based encryption (IBE), Boneh and Franklin [BF01] mentioned an interesting transform from an IBE scheme to a signature scheme, which was observed by Moni Naor. In this paper, we give formal security treatments for this transform and discover several implications and separations among security notions of IBE and transformed signature. For example, we show for such a successful transform, one-wayness of IBE is an essential condition. Additionally, we give a sufficient and necessary condition for converting a semantically secure IBE scheme into an existentially unforgeable signature scheme. Our results help establish strategies on design and automatic security proof of signature schemes from (possibly weak) IBE schemes. We also show some separation results which strongly support that one-wayness, rather than semantic security, of IBE captures an essential condition to achieve secure signature.
2006
EPRINT
The ring signature allows a signer to leak secrets anonymously, without the risk of identity escrow. At the same time, the ring signature provides great flexibility: No group manager, no special setup, and the dynamics of group choice. The ring signature is, however, vulnerable to malicious or irresponsible signers in some applications, because of its anonymity. In this paper, we propose a traceable ring signature scheme. A traceable ring scheme is a ring signature except that it can restrict excessive'' anonymity. The traceable ring signature has a tag that consists of a list of ring members and an issue that refers to, for instance, a social affair or an election. A ring member can make any signed but anonymous opinion regarding the issue, but only once (per tag). If the member submits another signed opinion, possibly pretending to be another person who supports the first opinion, the identity of the member is immediately revealed. If the member submits the same opinion, for instance, voting yes'' regarding the same issue twice, everyone can see that these two are linked. The traceable ring signature can suit to many applications, such as an anonymous voting on a BBS, a dishonest whistle-blower problem, and unclonable group identification. We formalize the security definitions for this primitive and show an efficient and simple construction.
2004
EPRINT
We propose a new security class, called plaintext-simulatability, defined over the public-key encryption schemes. The notion of plaintext simulatability (denoted PS) is similar to the notion of plaintext awareness (denoted PA), but it is, properly'', a weaker security class for public-key encryption. In most cases, PA is unnecessarily'' strong, --- only used to prove that a public-key encryption scheme is CCA2-secure, because it looks much easier than to prove directly'' that the scheme meets IND-CCA2. We show that PS also implies IND-CCA2, while preserving a good view of the security proofs as well as PA. PS looks properly'' stronger than IND-CCA2. So far, however, it is not sure how to prove this, which remains open.
2004
JOFC
2002
ASIACRYPT
2001
CRYPTO
2001
EPRINT
We present a commitment scheme allowing commitment to arbitrary size integers, based on any Abelian group with certain properties, most importantly that it is hard for the committer to compute its order. Potential examples include RSA and class groups. We also give efficient zero-knowledge protocols for proving knowledge of the contents of a commitment and for verifying multiplicative relations over the integers on committed values. This means that our scheme can support, for instance, the efficent interval proofs of Boudot. The scheme can be seen as a modification and a generalization of an earlier scheme of Fujisaki and Okamoto(FO), and in particular our results show that we can use a much larger class of RSA moduli than the safe prime products proposed by FO. Also, we correct some mistakes in the proofs of FO and give what appears to be the first multiplication protocol for a Fujisaki/Okamoto-like scheme with a complete proof of soundness.
2000
EPRINT
Recently Victor Shoup noted that there is a gap in the widely-believed security result of OAEP against adaptive chosen-ciphertext attacks. Moreover, he showed that, presumably, OAEP cannot be proven secure from the {\it one-wayness} of the underlying trapdoor permutation. This paper establishes another result on the security of OAEP. It proves that OAEP offers semantic security against adaptive chosen-ciphertext attacks, in the random oracle model, under the {\it partial-domain} one-wayness of the underlying permutation. Therefore, this uses a formally stronger assumption. Nevertheless, since partial-domain one-wayness of the RSA function is equivalent to its (full-domain) one-wayness, it follows that the security of RSA--OAEP can actually be proven under the sole RSA assumption, although the reduction is not tight.
1999
CRYPTO
1999
PKC
1998
EUROCRYPT
1997
CRYPTO
1996
ASIACRYPT
1992
CRYPTO

Eurocrypt 2008
Eurocrypt 2006
PKC 2004