This paper presents a generic conversion from weak asymmetric and symmetric encryption schemes to an asymmetric encryption scheme that is chosen-ciphertext secure in the random oracle model. Our conversion is the first generic transformation from an arbitrary one-way asymmetric encryption scheme to a chosen-ciphertext secure asymmetric encryption scheme in the random oracle model.
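The abstract above only states the result; the following block is an added example (not code from the paper) that shows the shape of the hybrid conversion it refers to: a seed sigma is encrypted under the weak asymmetric scheme using coins H(sigma, m), the message is encrypted under the weak symmetric scheme with key G(sigma), and decryption re-encrypts and rejects on any mismatch. Everything concrete here is a constructed assumption: textbook ElGamal over a toy 30-bit prime stands in for the one-way asymmetric scheme, a SHA-256 counter keystream XOR stands in for the symmetric scheme, and the random oracles are domain-separated SHA-256.

```python
"""Toy Fujisaki-Okamoto style hybrid transform (added example, not the paper's code).

Constructed/assumed for illustration only: the asymmetric scheme is textbook
ElGamal over a toy prime P with generator GEN, the symmetric scheme is a
one-time XOR with a SHA-256 counter keystream, and the random oracles H and G
are modelled by domain-separated SHA-256. All sizes are far too small for real
security; the point is the structure of the conversion and the re-encryption
check in decryption.
"""
import hashlib
import secrets

P = 1_000_000_007  # toy prime modulus (assumption: 5 is a primitive root mod P)
GEN = 5


def oracle_h(sigma: int, m: bytes) -> int:
    """H(sigma, m): the coins fed to the asymmetric encryption."""
    d = hashlib.sha256(b"H" + sigma.to_bytes(8, "big") + m).digest()
    return int.from_bytes(d, "big") % (P - 1)


def oracle_g(sigma: int) -> bytes:
    """G(sigma): the one-time symmetric key derived from the seed."""
    return hashlib.sha256(b"G" + sigma.to_bytes(8, "big")).digest()


def sym_xor(key: bytes, data: bytes) -> bytes:
    """One-time XOR cipher with a SHA-256 counter keystream (encrypt == decrypt)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + (i // 32).to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def keygen(x=None):
    """ElGamal key pair; x may be fixed for reproducible runs."""
    x = secrets.randbelow(P - 2) + 1 if x is None else x
    return x, pow(GEN, x, P)


def asym_enc(y: int, sigma: int, r: int):
    """Textbook ElGamal with explicit coins r: one-way, but malleable on its own."""
    return pow(GEN, r, P), (sigma * pow(y, r, P)) % P


def asym_dec(x: int, c1):
    a, b = c1
    return (b * pow(pow(a, x, P), -1, P)) % P


def fo_encrypt(y: int, m: bytes, sigma=None):
    """E(m) = ( E_asym(sigma; H(sigma, m)), E_sym_{G(sigma)}(m) )."""
    sigma = secrets.randbelow(P - 1) + 1 if sigma is None else sigma
    return asym_enc(y, sigma, oracle_h(sigma, m)), sym_xor(oracle_g(sigma), m)


def fo_decrypt(x: int, y: int, ct):
    """Recover sigma and m, then re-encrypt and reject on any mismatch."""
    c1, c2 = ct
    sigma = asym_dec(x, c1)
    m = sym_xor(oracle_g(sigma), c2)
    if asym_enc(y, sigma, oracle_h(sigma, m)) != c1:
        return None  # invalid ciphertext: rejecting here is what blocks malleation
    return m


if __name__ == "__main__":
    x, y = keygen()
    ct = fo_encrypt(y, b"attack at dawn")
    print(fo_decrypt(x, y, ct))
    (a, b), c2 = ct
    print(fo_decrypt(x, y, ((a, b * 2 % P), c2)))  # tampered: rejected
```

The last two lines of the main block show the point of the check: textbook ElGamal on its own lets anyone turn an encryption of sigma into an encryption of 2*sigma, but because the coins are bound to (sigma, m) through H, the modified ciphertext no longer re-encrypts to itself and is rejected instead of yielding a related plaintext.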
Abstract. This paper proposes a bit commitment scheme, BC(·), and efficient statistical zero-knowledge (in short, SZK) protocols in which, for any given multi-variable polynomial f(X_1, ..., X_t) and any given modulus n, prover P gives (I_1, ..., I_t) to verifier V and can convince V that P knows (x_1, ..., x_t) satisfying f(x_1, ..., x_t) ≡ 0 (mod n) and I_i = BC(x_i) (i = 1, ..., t). The proposed protocols are O(|n|) times more efficient than the corresponding previous ones [Dam93, Dam95, Oka95]. The (knowledge) soundness of our protocols holds under a computational assumption, the intractability of a modified RSA problem (see Def.3), while the (statistical) zero-knowledgeness of the protocols needs no computational assumption. The protocols can be employed to construct various practical cryptographic protocols, such as fair exchange, untraceable electronic cash and verifiable secret sharing protocols.
Recently Victor Shoup noted that there is a gap in the widely believed security result of OAEP against adaptive chosen-ciphertext attacks. Moreover, he showed that, presumably, OAEP cannot be proven secure from the one-wayness of the underlying trapdoor permutation. This paper establishes another result on the security of OAEP. It proves that OAEP offers semantic security against adaptive chosen-ciphertext attacks, in the random oracle model, under the partial-domain one-wayness of the underlying permutation. Therefore, this uses a formally stronger assumption. Nevertheless, since partial-domain one-wayness of the RSA function is equivalent to its (full-domain) one-wayness, it follows that the security of RSA-OAEP can actually be proven under the sole RSA assumption, although the reduction is not tight.
Abstract. We present a statistically-hiding commitment scheme allowing commitment to arbitrary size integers, based on any (Abelian) group with certain properties, most importantly, that it is hard for the committer to compute its order. We also give efficient zero-knowledge protocols for proving knowledge of the contents of commitments and for verifying multiplicative relations over the integers on committed values. The scheme can be seen as a generalization, with a slight modification, of the earlier scheme of Fujisaki and Okamoto [14]. The reasons we revisit the earlier scheme and give some modification to it are as follows:
- The earlier scheme [14] has some gaps in the proof of soundness of the associated protocols, one of which presents a non-trivial problem which, to the best of our knowledge, has remained open until now. We fill all the gaps here using additional ideas, including a minor modification of the form of a commitment.
- Although related works such as [8,3,10,4] do not suffer from the main problem we solve here, the reason for this is that they use "commitments" with a single base (i.e., of the form c = g^s mod n). Such commitments, however, cannot satisfy the standard hiding property for commitments, and hence protocols using them cannot in general be (honest-verifier) zero-knowledge nor witness indistinguishable.
- In a computationally convincing proof of knowledge where the prover produces the common input (which is the type of protocol we look at here), one cannot completely exclude the possibility that a prover manages to produce a common input on which he can cheat easily. This means that the standard definition of proofs of knowledge cannot be satisfied. Therefore we introduce a new definition for computationally convincing proofs of knowledge, designed to handle the case where the common input is chosen by the (possibly cheating) prover.
- Our results apply to any group with suitable properties. In particular, they apply to a much larger class of RSA moduli than the safe prime products proposed in [14]. Potential examples include RSA moduli, class groups and, with a slight modification, even non-Abelian groups.
Our scheme can replace the earlier one in various other constructions, such as the efficient interval proofs of Boudot [4] and the efficient proofs for the product of two safe primes proposed by Camenisch and Michels [9].
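The abstract above contrasts single-base "commitments" c = g^s mod n, which cannot be hiding, with the two-base integer commitment c = g^x h^r mod n (the form of the Fujisaki-Okamoto scheme [14] that it generalises, and the kind of BC(·) the earlier abstract on this page uses for its polynomial-relation proofs). The block below is an added example, not code from either paper, that makes both points concrete: a deterministic single-base value can be matched against candidate integers by anyone, while the two-base value is re-randomised by r, and it checks the algebraic identity that the multiplicative-relation proof (c = a·b on committed values) relies on. The modulus, primes and search bound are constructed toy values, and no zero-knowledge protocol is implemented.

```python
"""Toy two-base integer commitment c = g^x h^r mod n (added example, not the paper's code).

Constructed/assumed: the modulus is the product of two small hardcoded safe
primes, so its order is trivially known here and nothing is secure; the
candidate range used in the brute-force search is also illustrative. The
zero-knowledge protocols are not implemented; the block only checks the
algebra that opening and the product-relation proof rely on.
"""
from math import gcd
import secrets

P, Q = 1019, 1187      # toy safe primes: 2*509+1 and 2*593+1 (assumption)
N = P * Q


def setup():
    """h is a random square; g lies in the subgroup generated by h. The
    exponent a = log_h(g) must stay unknown to the committer (binding)."""
    while True:
        t = secrets.randbelow(N - 2) + 2
        h = pow(t, 2, N)
        if h != 1 and gcd(h, N) == 1:
            break
    while True:
        a = secrets.randbelow(N) + 1
        g = pow(h, a, N)
        if g != 1:
            return g, h


def commit(g, h, x, r=None):
    """Commit to the integer x (negative allowed) with randomiser r."""
    if r is None:
        r = secrets.randbelow(N << 80)  # r drawn from far beyond the group order
    return (pow(g, x, N) * pow(h, r, N)) % N, r


def verify_opening(g, h, c, x, r):
    return commit(g, h, x, r)[0] == c


def single_base_commit(g, x):
    """The form c = g^x mod n the abstract warns about: deterministic in x."""
    return pow(g, x, N)


def recover_single_base(g, c, bound):
    """Anyone can test candidate values against a single-base commitment."""
    for x in range(bound):
        if pow(g, x, N) == c:
            return x
    return None


def check_product_relation(g, h, a, ra, b, rb, rc):
    """Identity behind the multiplicative-relation proof: with C_b = g^b h^rb
    and C_c = g^(a*b) h^rc, the prover knows a and rc - a*rb such that
    C_c = C_b^a * h^(rc - a*rb) mod n. (ra is unused here but is part of
    the prover's witness for C_a in the real protocol.)"""
    cb, _ = commit(g, h, b, rb)
    cc, _ = commit(g, h, a * b, rc)
    return (pow(cb, a, N) * pow(h, rc - a * rb, N)) % N == cc


if __name__ == "__main__":
    g, h = setup()
    c, r = commit(g, h, 42)
    print("opens:", verify_opening(g, h, c, 42, r))
    print("single-base leaks x:", recover_single_base(g, single_base_commit(g, 42), 100))
    print("two-base re-randomises:", commit(g, h, 42, 1)[0] != commit(g, h, 42, 2)[0])
    print("product identity:", check_product_relation(g, h, 6, 11, 7, 13, 17))
```

Because g is chosen inside the subgroup generated by h, g^x h^r ranges over that whole subgroup as r varies, whatever x is; that is why the two-base value carries no information about x, while g^x alone pins x down up to the (unknown to the committer, but irrelevant for a guess-and-check attacker) order of g.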