Abstract
A software watermarking scheme embeds a “mark” or a message into a program in a cryptographic way. It is useful in proving ownership (e.g., in applications to digital rights management) and in authenticating software (e.g., for proving the distributor of the software). A qualified software watermarking scheme should satisfy three requirements: (i) the marked program should not differ from the original program significantly; (ii) the embedded “mark” or message should not be removable without destroying the program dramatically; (iii) forging a marked program without a watermarking secret key is difficult. To the best of our knowledge, existing watermarking schemes for PRFs only deal with a single key, and no scheme supports watermarking the same PRF key multiple times, which is useful for hierarchical organizations.
In this paper, we put forward a definition and security requirements for a hierarchical watermarking scheme for PRFs. Under the definition, a hierarchical watermarking scheme for PRFs is constructed to be functionality-preserving, unremovable and unforgeable under standard assumptions, namely, the LWE assumption and the SIS problem. The watermarking scheme is based on a variant of the translucent constrained PRF with the desired security properties.
Notes
1. Note that the function value at a puncture point is incorrect and this incorrectness cannot be tested if the incorrect function value is modified.
2. The program is usually determined by a pseudorandom function secret key, a signing key or a decryption key. In the paper, the program is an implementation of a PRF.
3. Here, L is a constant and I, J, for example, can be polynomial in the security parameter.
4. Recall that the constrained key computes incorrect function values, and these values can be tested to determine whether they were evaluated at points in the puncture set.
5.
6. The variant can generate and output a partial constraint key, while the original one in [18] can only generate and output the whole constraint key. The detailed discussion can be found in the introduction.
7. \(T_{in}\) and \(T_{out}\) indicate the positions in T.
8. \(w_{t}\) is the t-th component of the vector \({\textbf {w}}\in \mathbb {Z}_{q}\).
9. The collection \(\{{\textbf {D}}_{t}\in \{0,1\}^{n\times m}\}_{t\in [N]}\) is a basis for the module \(\mathbb {Z}^{n\times m}_{q}\). Its definition makes it convenient to set a trapdoor in the function values at puncture points. More technical details can be found in [18].
10. Note that \(b^{*}\) takes on either 0 or 1 and \(b^{*}\) is the symbol relative to the puncture point. b is the symbol standing for the bit.
11. In the following equations, the superscript T stands for the transposition.
12. The circuit \(C^{l-1}\) and the ciphertext \(cipher^{l-1}\) are output at the \((l-1)\)-th level.
13. \(T^{m_{l}}_{b}\) is the puncture point set encoding the watermarking messages \(m_{1}, m_{2},\ldots ,m_{l}\).
References
Ajtai, M.: Generating hard instances of the short basis problem. In: Wiedermann, J., van Emde Boas, P., Nielsen, M. (eds.) ICALP 1999. LNCS, vol. 1644, pp. 1–9. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48523-6_1
Alwen, J., Peikert, C.: Generating shorter bases for hard random lattices (2009)
Alwen, J., Peikert, C.: Generating shorter bases for hard random lattices. Theory Comput. Syst. 48(3), 535–553 (2011)
Barak, B., et al.: On the (im)possibility of obfuscating programs. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 1–18. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44647-8_1
Barak, B., et al.: On the (im)possibility of obfuscating programs. J. ACM (JACM) 59(2), 1–48 (2012)
Boneh, D., et al.: Fully key-homomorphic encryption, arithmetic circuit ABE and compact garbled circuits. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 533–556. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-55220-5_30
Boneh, D., Kim, S., Montgomery, H.: Private puncturable PRFs from standard lattice assumptions. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10210, pp. 415–445. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56620-7_15
Boneh, D., Lewi, K., Wu, D.J.: Constraining pseudorandom functions privately. In: Fehr, S. (ed.) PKC 2017. LNCS, vol. 10175, pp. 494–524. Springer, Heidelberg (2017). https://doi.org/10.1007/978-3-662-54388-7_17
Boneh, D., Waters, B.: Constrained pseudorandom functions and their applications. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013. LNCS, vol. 8270, pp. 280–300. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-42045-0_15
Brakerski, Z., Vaikuntanathan, V.: Lattice-based FHE as secure as PKE. In: Proceedings of the 5th Conference on Innovations in Theoretical Computer Science, pp. 1–12. ACM (2014)
Brakerski, Z., Vaikuntanathan, V.: Constrained key-homomorphic PRFs from standard lattice assumptions. In: Dodis, Y., Nielsen, J.B. (eds.) TCC 2015. LNCS, vol. 9015, pp. 1–30. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46497-7_1
Chvátal, V.: The tail of the hypergeometric distribution. Discret. Math. 25(3), 285–287 (1979)
Cohen, A., Holmgren, J., Nishimaki, R., Vaikuntanathan, V., Wichs, D.: Watermarking cryptographic capabilities. SIAM J. Comput. 47(6), 2157–2202 (2018)
Gentry, C., Peikert, C., Vaikuntanathan, V.: Trapdoors for hard lattices and new cryptographic constructions. In: Proceedings of the Fortieth Annual ACM Symposium on Theory of Computing, pp. 197–206. ACM (2008)
Gentry, C., Sahai, A., Waters, B.: Homomorphic encryption from learning with errors: conceptually-simpler, asymptotically-faster, attribute-based. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 75–92. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40041-4_5
Gorbunov, S., Vaikuntanathan, V., Wee, H.: Predicate encryption for circuits from LWE. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9216, pp. 503–523. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48000-7_25
Goyal, R., Kim, S., Manohar, N., Waters, B., Wu, D.J.: Watermarking public-key cryptographic primitives. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11694, pp. 367–398. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26954-8_12
Kim, S., Wu, D.J.: Watermarking cryptographic functionalities from standard lattice assumptions. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10401, pp. 503–536. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63688-7_17
Kim, S., Wu, D.J.: Watermarking PRFs from lattices: stronger security via extractable PRFs. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11694, pp. 335–366. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26954-8_11
Lyubashevsky, V., Wichs, D.: Simple lattice trapdoor sampling from a broad class of distributions. In: Katz, J. (ed.) PKC 2015. LNCS, vol. 9020, pp. 716–730. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46447-2_32
Micciancio, D., Peikert, C.: Trapdoors for lattices: simpler, tighter, faster, smaller. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 700–718. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_41
Naccache, D., Shamir, A., Stern, J.P.: How to copyright a function? In: Imai, H., Zheng, Y. (eds.) PKC 1999. LNCS, vol. 1560, pp. 188–196. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-49162-7_14
Nishimaki, R.: How to watermark cryptographic functions. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 111–125. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38348-9_7
Quach, W., Wichs, D., Zirdelis, G.: Watermarking PRFs under standard assumptions: public marking and security with extraction queries. In: Beimel, A., Dziembowski, S. (eds.) TCC 2018. LNCS, vol. 11240, pp. 669–698. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03810-6_24
Yang, R., Au, M.H., Lai, J., Xu, Q., Yu, Z.: Collusion resistant watermarking schemes for cryptographic functionalities. In: Galbraith, S.D., Moriai, S. (eds.) ASIACRYPT 2019. LNCS, vol. 11921, pp. 371–398. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-34578-5_14
Yang, R., Au, M.H., Yu, Z., Xu, Q.: Collusion resistant watermarkable PRFs from standard assumptions. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020. LNCS, vol. 12170, pp. 590–620. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56784-2_20
Yoshida, M., Fujiwara, T.: Toward digital watermarking for cryptographic data. IEICE Trans. Fundam. Electron. Commun. Comput. Sci. 94(1), 270–272 (2011)
Acknowledgement
The authors are supported by the National Key R&D Program of China (No. 2021YFB3100200), the Theme-Based Research Project (T35-710/20-R), the HKU-SCF FinTech Academy, the Open Research Fund of Key Laboratory of Cryptography of Zhejiang Province (No. ZCL21010), the National Key Research and Development Program of China (No. 2021YFA1000600 and 2018YFA0704702), the National Natural Science Foundation of China (No. 61832012), the National Natural Science Foundation of China (No. 61902283) and 2019 PhD Start-up Fund of Weifang University (No. 2019BS13).
Appendices
A Proof of Theorem 6
Proof
The idea behind the proof is that any two consecutive hybrids differ at one point, and this difference cannot be distinguished with noticeable probability because the adversary is privacy-admissible and the variant of the translucent constrained PRF is secure.
Let \(\{X_{01},X_{02},\ldots , X_{0L}\}\) and \(\{X_{11},X_{12},\ldots , X_{1L}\}\) be the two sets that an adversary sends to the challenger for the selectively consistent privacy experiment. Let \(D_{j}\) be the symmetric difference of sets \(X_{0j}\) and \(X_{1j}\). Then, \(D_{j}= (X_{0j}\vee X_{1j})\setminus (X_{0j}\wedge X_{1j})\) for all \(j\in [L]\) and define \(D=D_{1}\vee D_{2}\ldots \vee D_{L}\).
The hybrids are defined as follows:
-
Hybrid H\(_{0}\): This is exactly the selectively consistent privacy experiment when \(b=0\). An adversary \(\mathcal {A}\) chooses two sets \(\{X_{01},X_{02},\ldots , X_{0L}\}\) and \(\{X_{11},X_{12},\ldots , X_{1L}\}\). Then, \(\mathcal {A}\) sends them to the challenger. The challenger runs \((pp,tk)\leftarrow \textsf {PTP.Setup}(1^{\lambda })\), \(msk\leftarrow \textsf {PTP.SampleKey}(pp)\). Since \(b=0\), the challenger computes \(sk_{X_{0j}}\leftarrow \textsf {PTP.PCst}(pp,msk,X_{0j})\) for all \(j\in [L]\). Define a circuit \(C_{j}(\cdot )=\textsf {PTP.PCstEval}(pp,sk_{X_{0j}},\cdot )\) for all \(j\in [L]\) and the challenger sends all circuits \(\{C_{j}\}_{j\in [L]}\) to the adversary. Besides, the adversary can access the evaluation oracle. Finally, the experiment outputs whatever the adversary outputs.
-
Hybrid H\(_{0,i}\): Arrange all elements in D in lexicographical order and define \(D^{i}\) to be the set of the first i elements. Define \(X^{i}_{bj}=(X_{bj}\vee (D_{j}\wedge D^{i}))\setminus (X_{bj}\wedge (D_{j}\wedge D^{i}))\) for \(b=0,1\), \(j\in [L]\) and set \(\{X^{i}_{01},X^{i}_{02},\ldots , X^{i}_{0L}\}\) and \(\{X^{i}_{11},X^{i}_{12},\ldots , X^{i}_{1L}\}\) as the two puncture sets. The remaining experiment steps are the same as in Hybrid H\(_{0}\).
-
Hybrid H\(_{1}\): This is exactly the selectively consistent privacy experiment when \(b=1\). Same as Hybrid H\(_{0}\) except that the constraint keys are computed as \(sk_{X_{1j}}\leftarrow \textsf {PTP.PCst}(pp,msk,X_{1j})\) for all \(j\in [L]\).
Observe that Hybrid H\(_{0,0}\) is the same as Hybrid H\(_{0}\) and Hybrid H\(_{0,|D|}\) is the same as Hybrid H\(_{1}\). To see this, for any \(j\in [L]\), the following equations hold:
Next, we prove the indistinguishability between Hybrid H\(_{0,i}\) and Hybrid H\(_{0,i+1}\). The difference between them is how the \((i+1)\)-th element denoted by \(d_{i+1}\) in D is computed. Since the adversary \(\mathcal {A}\) is privacy-admissible, \(d_{i+1}\) must be in either \(X_{0j}\wedge D_{j}\) or \(X_{1j}\wedge D_{j}\) for all \(j\in [L]\). In H\(_{0,i}\), according to the correctness of our variant of the translucent constrained PRF,
where \(C^{i}_{j}\) is the j-th circuit that the challenger returns to the adversary as the challenge response in Hybrid H\(_{0,i}\). \(sk_{X^{i}_{0j}}\) is the constraint key for the puncture set \(X^{i}_{0j}\) as defined in Hybrid H\(_{0,i}\).
In H\(_{0,i+1}\), according to the correctness,
Define an intermediate hybrid \({\textbf {InterH}}\) where, for \(y_{1},y_{2}{\mathop {\leftarrow }\limits ^{\$}}\{0,1\}^{m}\),
Since the adversary is privacy-admissible, \(d_{i+1}\) will never be asked. Besides, since the variant of the translucent constrained PRF is constrained pseudorandom and is pseudorandom, Hybrids H\(_{0,i}\) and H\(_{0,i+1}\) are both indistinguishable from the intermediate hybrid.
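The hybrid walk of this proof can be checked on small sets. The following is an added example, not code from the paper: it reads \(\vee \) and \(\wedge \) as set union and intersection, builds \(X^{i}_{0j}\) exactly as defined in Hybrid H\(_{0,i}\), and confirms that the walk starts at the \(b=0\) sets, ends at the \(b=1\) sets, and changes exactly the point \(d_{i+1}\) at each step. The sample sets and all function names are constructed for illustration.

```python
# Added illustration of the hybrid argument; points are n-bit strings so that
# Python's string order is the lexicographical order used in the proof.

# Constructed sample input: L = 3 puncture sets for b = 0 and for b = 1.
X0_SAMPLE = [{"0001", "0110", "1010"}, {"0011", "1100"}, {"0111"}]
X1_SAMPLE = [{"0001", "1010", "1111"}, {"0011", "0101", "1111"}, {"0111"}]


def sym_diff_sets(X0, X1):
    """Return ([D_1..D_L], D): D_j = (X_0j u X_1j) \\ (X_0j n X_1j), D = sorted union."""
    D_j = [(a | b) - (a & b) for a, b in zip(X0, X1)]
    D = sorted(set().union(*D_j))
    return D_j, D


def hybrid(X_b, D_j, D, i):
    """Puncture sets of Hybrid H_{0,i}:
    X^i_bj = (X_bj u (D_j n D^i)) \\ (X_bj n (D_j n D^i)), D^i = first i elements of D."""
    D_i = set(D[:i])
    out = []
    for X, Dj in zip(X_b, D_j):
        flip = Dj & D_i                 # points of D_j already switched over
        out.append((X | flip) - (X & flip))
    return out


def changed_points(h_a, h_b):
    """All points whose membership differs between two hybrids, over every j."""
    out = set()
    for A, B in zip(h_a, h_b):
        out |= A ^ B
    return out


def walk(X0, X1):
    """Return (D, [H_{0,0}, ..., H_{0,|D|}]) starting from the b = 0 sets."""
    D_j, D = sym_diff_sets(X0, X1)
    return D, [hybrid(X0, D_j, D, i) for i in range(len(D) + 1)]


if __name__ == "__main__":
    D, hybrids = walk(X0_SAMPLE, X1_SAMPLE)
    print("D in lexicographical order:", D)
    for i in range(len(D)):
        step = changed_points(hybrids[i], hybrids[i + 1])
        print(f"H_0,{i} -> H_0,{i + 1}: membership changes only at {sorted(step)}")
    print("H_0,0 equals the b=0 sets:", hybrids[0] == X0_SAMPLE)
    print("H_0,|D| equals the b=1 sets:", hybrids[-1] == X1_SAMPLE)
```

In the sample, the point 1111 lies in both \(D_{1}\) and \(D_{2}\), so one step flips it in two of the L sets at once; the step still differs at a single domain point, which is the point a privacy-admissible adversary never queries.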
B Proof of Theorem 7
B.1 Proof of Correctness
Proof
Recall that the hierarchical watermarking scheme runs \(\{msk^{l}\}_{l\in [L]}\leftarrow \textsf {WM.Setup}(1^{\lambda })\) to get the watermarking keys. Then, a PRF key is sampled: \(k\leftarrow \textsf {PTP.SampleKey}(pp)\). To embed a set of messages \(\{m^{l}\}_{l\in [L]}\) into a PRF key k, invoke \(\{C^{l},cipher^{l}\}_{l\in [L]}\leftarrow \textsf {WM.Mark}_{l}\) where \(C^{l}(\cdot )=\textsf {PTP.PCstEval}(pp,sk^{l}_{T},\cdot )\) and \(sk^{l}_{T}\) is the constraint key at the l-th level. \(\{C^{l}\}_{l\in [L]}\) are the watermarked circuits.
By the correctness of the encryption scheme E, the ciphertext at the l-th level can be correctly deciphered at the \((l+1)\)-th level.
-
Functionality-preserving: Let \(S^{l}\) be the set of points x where \(C^{l}(x)\not =\textsf {PTP.Eval}(pp,k,x)\) for all \(l\in [L]\) and \(x\in \mathcal {D}\setminus T^{l}\) where \(\mathcal {D}\) is the domain and \(T^{l}\) is the puncture point set at the l-th level. By the evaluation correctness of \(\varPi _{PTP}\), it holds that \(\frac{|S^{l}|}{2^{n}}\) is negligible for all \(l\in [L]\). Besides, the size of \(T^{l}\) is at most IJL and \(\frac{IJL}{2^{n}}\) is negligible for \(I,J,L=\omega (\log \lambda )\). To sum up, \(C^{l}(\cdot )\) agrees with \(\textsf {PTP.Eval}(pp,k,\cdot )\) on all but a negligible fraction of points.
-
Extraction correctness: Let \(X^{l}\) be the set of puncture points at the l-th level and H be the set of sampled points which is part of the watermarking key used for computing \(X^{l}\). Since \(\varPi _{PRF}\) is secure, points in \(X^{l}\) are pseudorandom. Moreover, points in H are sampled uniformly at random. Hence, \(\textrm{Pr}[x=h]\le 2\cdot \frac{(IJL)\cdot (Ld)}{2^{n}}=\textrm{negl}(\lambda )\) for any \(x\in X^{l}\) and \(h\in H\). By the evaluation correctness, \(C^{l}(h)=\textsf {PTP.Eval}(pp,k,h)\) with high probability for \(h\in H\). Thus, with high probability, the sets of puncture points are identical in the marking and extraction procedures at the same level. By the verification correctness, we get \(ctr^{l}_{0}=ctr^{l}_{1}=\ldots =ctr^{l}_{m^{l}}=J\) and \(ctr^{l}_{m^{l}+1}=\ldots =ctr^{l}_{I+1}=0\) with high probability. To conclude, the marked message can be correctly extracted with high probability.
B.2 Proof of Unremovability
Hybrid H\(_{0}\) is the watermarking experiment.
Hybrid H\(_{1}\): Same as H\(_{0}\), except that the challenger chooses L truly random functions \(\{f_{l}\}_{l\in [L]}\) during the setup phase. Then, during the experiment, the challenger evaluates \(f_{l}(\cdot )\) whenever it has to evaluate \(\textsf {PRF.Eval}(k^{*}_{l},\cdot )\).
Hybrid H\(_{2}\): Same as H\(_{1}\), except that for all \(l\in [L]\), the challenger maintains two tables \(T^{0}_{l},T^{1}_{l}\) at the l-th level. Every table keeps track of a mapping \(\mathcal {K}\rightarrow \{0,1\}^{nIJ}\), where \(\mathcal {K}\) is the PRF key space. The challenger responds to all queries as follows:
-
Marking oracle: Same as H\(_{1}\), except that when the challenger obtains a PRF key \(k\in \mathcal {K}\) either from the adversary or by decrypting a ciphertext, it first searches for k in the tables \(T^{0}_{l},T^{1}_{l}\) where l is the level number from the adversary. If a match is found, then the challenger sets \(X^{0,l}=T^{0}_{l}(k)\) and \(X^{1,l}=T^{1}_{l}(k)\). Otherwise, the challenger uniformly samples \(X^{0,l}, X^{1,l}{\mathop {\leftarrow }\limits ^{\$}} \{0,1\}^{nIJ}\), and adds the mapping \(k\rightarrow X^{0,l}, k\rightarrow X^{1,l}\) to tables \(T^{0}_{l}, T^{1}_{l}\) respectively. The rest proceeds as in H\(_{1}\).
-
Challenge oracle: On input a set of messages \(\{m_{l}\}_{l\in [L]}\) from the adversary, the challenger samples a key \(\hat{k}\leftarrow \textsf {PTP.SampleKey}(pp)\). The puncture point set \((\hat{X}^{0,l},\hat{X}^{1,l})\) is computed as in the marking oracle. The rest proceeds as in H\(_{1}\).
During the extraction phase, the challenger checks whether there exist an l and two different keys from tables \(T^{0}_{l}, T^{1}_{l}\), say, k and \(k'\), such that \(Y^{0,l}=Y^{'0,l}\) or \(Y^{1,l}=Y^{'1,l}\). If yes, then abort the experiment and output \(Bad_{1}\). Otherwise, compute \(\tilde{Y}^{0,l},\tilde{Y}^{1,l}\) for all \(l\in [L]\) as in H\(_{1}\). Next, the challenger checks whether \((\tilde{Y}^{0,l},\tilde{Y}^{1,l})\) equals some \((Y^{0,l},Y^{1,l})\) in the table \(T^{0}_{l},T^{1}_{l}\) for all \(l\in [L]\). If so, then set \((\tilde{X}^{0,l},\tilde{X}^{1,l})\) to be the value \((X^{0,l},X^{1,l})\) corresponding to the \((Y^{0,l},Y^{1,l})\). Otherwise, uniformly sample \(\tilde{X}^{0,l},\tilde{X}^{1,l}{\mathop {\leftarrow }\limits ^{\$}}\{0,1\}^{nIJ}\). The rest of the extraction procedure is the same as H\(_{1}\).
Hybrid H\(_{3}\): Same as H\(_{2}\), except that when answering the challenge oracle, the challenger directly samples \(\{\hat{X}^{0,l},\hat{X}^{1,l}\}_{l\in [L]}{\mathop {\leftarrow }\limits ^{\$}}\{0,1\}^{nIJ}\) without checking whether the PRF key \(\hat{k}\) sampled by the challenger is queried by the adversary before. Besides, the mapping \(\hat{k}\rightarrow \{\hat{X}^{0,l},\hat{X}^{1,l}\}_{l\in [L]}\) is added into the corresponding table \(T^{0}_{l}, T^{1}_{l}\) for \(l\in [L]\) in the extraction phase instead of in the query phase. The rest is the same as H\(_{2}\).
Hybrid H\(_{4}\): Same as H\(_{3}\), except that during the extraction phase, the challenger checks whether \(\hat{C}^{l}(h^{b,itr}_{u})\not =\textsf {PTP.Eval}(pp,\hat{k},h^{b,itr}_{u})\) holds for some \(b^{*}, l^{*}, itr^{*}, u^{*}\) where \(b\in \{0,1\}\), \(l\in [L]\), \(u\in [d]\), \(itr=l,l+1,\ldots ,L\) and \(\hat{C}^{l}\) is the l-th watermarked circuit from the challenger. If there exist such \(b^{*}, l^{*}, itr^{*}, u^{*}\), then the experiment aborts and outputs \(Bad_{2}\). The rest is the same as H\(_{3}\).
Hybrid H\(_{5}\): Same as H\(_{4}\), except that during the extraction phase, the challenger checks whether \(\tilde{C}^{\tilde{l}}(h^{b,itr}_{u})\not =\textsf {PTP.Eval}(pp,\hat{k},h^{b,itr}_{u})\) holds for some \(b^{*}, l^{*}, itr^{*}, u^{*}\) where \(b\in \{0,1\}\), \(u\in [d]\), \(itr=\tilde{l},\tilde{l}+1,\ldots ,L\), \(\tilde{l}\) is the level number and \(\tilde{C}^{\tilde{l}}\) is the \(\tilde{l}\)-th watermarked circuit from the adversary. If there exist such \(b^{*}, l^{*}, itr^{*}, u^{*}\), then abort the experiment and output \(Bad_{3}\). Otherwise, set \(\tilde{X}^{b,itr}=\hat{X}^{b,itr}\) for \(itr=\tilde{l},\tilde{l}+1,\ldots ,L\) and \(b\in \{0,1\}\). The rest is the same as H\(_{4}\).
Hybrid H\(_{6}\): Same as H\(_{5}\), except that during the extraction phase, for the level number \(\tilde{l}\) from the adversary, re-define \(ctr^{\tilde{l}}_{i}=\Vert \{j|\tilde{C}(x^{0,\tilde{l}}_{ij})=\hat{C}^{\tilde{l}-1}(x^{0,\tilde{l}}_{ij})\}\Vert \) for \(i\in [I]\). The rest is the same as H\(_{5}\).
Hybrid H\(_{7}\): Same as H\(_{6}\), except that when the challenger responds to the challenge oracle, it uses different and uniformly sampled \(\{\eta ^{b,l}_{u}\}^{b\in \{0,1\}, l\in [L]}_{u\in [d]}\). The rest is the same as in H\(_{6}\).
Hybrid H\(_{8}\): Same as H\(_{7}\), except that during the extraction phase, the challenger aborts the experiment and outputs \(Bad_{4}\) if there exist \(b\in \{0,1\}\), \(i,i'\in [I],j,j'\in [J],l,l'\in [L]\) such that \((i,j,l)\not =(i',j',l')\) but \(\hat{x}^{b,l}_{ij}=\hat{x}^{b,l'}_{i'j'}\). The rest is the same as H\(_{7}\).
Lemma 1
If \(\varPi _{PRF}\) is secure, then for all efficient adversaries \(\mathcal {A}\),
Proof
Any adversary who can distinguish H\(_{0}\) and H\(_{1}\) with non-negligible advantage can be used to break the security of the PRF.
Lemma 2
If \(\varPi _{PTP}\) is key-injective, then for all efficient adversaries,
Proof
H\(_{1}\) and H\(_{2}\) are identical if H\(_{2}\) does not output \(Bad_{1}\). In the following, we prove that \(Bad_{1}\) happens with a negligible probability. If there exists an \(l\in [L]\), such that \(Y^{0,l}_{k_{1}}=Y^{0,l}_{k_{2}}\) or \(Y^{1,l}_{k_{1}}=Y^{1,l}_{k_{2}}\) for two different keys \(k_{1}\) and \(k_{2}\) queried by the adversary at the l-th level, then \(\textsf {PTP.Eval}(pp,k_{1},h^{b,l}_{u})=\textsf {PTP.Eval}(pp,k_{2},h^{b,l}_{u})\) for all \(u\in [d]\) and some \(b\in \{0,1\}\), which happens with a negligible probability due to the key-injectivity of \(\varPi _{PTP}\).
Lemma 3
If \(\varPi _{PTP}\) satisfies selective constrained pseudorandomness, then for all efficient adversaries \(\mathcal {A}\),
Proof
H\(_{2}\) and H\(_{3}\) are identical if the adversary never makes a query on the key \(\hat{k}\) sampled by the challenger answering the challenge oracle. If there exists an adversary \(\mathcal {A}\) that can distinguish H\(_{2}\) and H\(_{3}\) with a non-negligible advantage \(\epsilon \), then an adversary \(\mathcal {B}\) can be constructed from \(\mathcal {A}\) to break the selective constrained pseudorandomness of \(\varPi _{PTP}\).
-
1.
First, \(\mathcal {B}\) samples \(T=\{x^{l}_{ij}\}^{l\in [L]}_{i\in [I],j\in [J]}\leftarrow \{0,1\}^{n}\) uniformly at random and it sends T to the challenger that simulates the scheme \(\varPi _{PTP}\). Next, the challenger runs \((pp,tk)\leftarrow \textsf {PTP.Setup}(1^{\lambda })\), \(msk\leftarrow \textsf {PTP.SampleKey}(pp)\) and \(sk_{T}\leftarrow \textsf {PTP.PCst}(pp,msk,T)\). Then, \(\mathcal {B}\) receives pp and a circuit \(C(\cdot )=\textsf {PTP.PCstEval}(pp, sk_{T},\cdot )\) from the challenger.
-
2.
\(\mathcal {B}\) simulates H\(_{2}\) and H\(_{3}\) for the adversary \(\mathcal {A}\). It sends pp from the challenger to the adversary \(\mathcal {A}\). The remaining setup is the same as in H\(_{2}\) and H\(_{3}\).
-
3.
During the query phase, \(\mathcal {B}\) answers the marking queries at the first level as in H\(_{2}\) and H\(_{3}\). For marking oracle queries at the l-th level (\(l\not =1\)), since \(\mathcal {B}\) cannot receive the testing key tk from the challenger, it computes \(ctr^{v}_{i}=\Vert \{j|C^{l-1}(x^{0,v}_{ij})=\textsf {PTP.PCstEval}(pp,sk^{l-1},x^{0,v}_{ij})\}\Vert \) for \(v=l,l+1,\ldots ,L\), \(i\in [I]\) and \(j\in [J]\), where \(C^{l-1}(\cdot )\) is the marked circuit from the adversary \(\mathcal {A}\) and \(sk^{l-1}\) is the deciphered constraint key. The rest of the marking procedure remains the same. When \(\mathcal {A}\) accesses the challenge oracle, \(\mathcal {B}\) returns \(\{C^{l}(\cdot )=\textsf {PTP.PCstEval}(pp,sk_{T},\cdot )\}_{l\in [L]}\) to the adversary.
-
4.
Let \(k_{1},k_{2},\ldots ,k_{Q}\in \mathcal {K}\) be the keys queried by \(\mathcal {A}\) and Q be the maximum query number. At the end of the query phase, \(\mathcal {B}\) chooses an index \(i{\mathop {\leftarrow }\limits ^{\$}}[Q]\) uniformly at random and computes \(y=\textsf {PTP.Eval}(pp,k_{i},x^{1}_{11})\) where \(x^{1}_{11} \in T\). Then, it makes a query \(x^{1}_{11}\) to the challenger for the selective constrained pseudorandomness and receives a response \(\hat{y}\). If \(y=\hat{y}\), then \(\mathcal {B}\) outputs 1; otherwise, it outputs 0.
Since \(\mathcal {A}\) can distinguish H\(_{2}\) from H\(_{3}\) with a non-negligible probability \(\epsilon \), with the same probability it submits a PRF key which is exactly the key sampled by the challenger. Now, consider the following two cases:
-
Suppose that for the query \(x^{1}_{11}\), the challenger for the constrained pseudorandomness experiment answers \(\textsf {PTP.Eval}(pp,msk,x^{1}_{11})\). With probability \(\epsilon /Q\), \(k_{i}=msk\) where \(k_{i}\) is the key queried by \(\mathcal {A}\) but chosen by \(\mathcal {B}\). In this case, \(y=\hat{y}\) and \(\mathcal {B}\) outputs 1 with probability at least \(\epsilon /Q\).
-
Suppose the challenger for the constrained pseudorandomness experiment answers a truly random value. Then, \(y=\hat{y}\) with a probability \(\frac{1}{2^{m}}\) which is negligible.
To sum up, \(\mathcal {B}\) can break the constrained pseudorandomness of \(\varPi _{PTP}\) with an advantage \(\epsilon /Q-\frac{1}{2^{m}}\), where \(\epsilon \) is non-negligible, Q is polynomial in \(\lambda \). Thus, H\(_{2}\) and H\(_{3}\) are indistinguishable under the condition that \(\varPi _{PTP}\) is selectively constrained pseudorandom.
Lemma 4
If \(\varPi _{PTP}\) satisfies selective evaluation correctness, then for all adversaries \(\mathcal {A}\),
Proof
Hybrids H\(_{3}\) and H\(_{4}\) are identical only if in H\(_{4}\), the challenger does not output \(Bad_{2}\). For all \(l\in [L]\), \(\hat{C}^{l}(\cdot )=\textsf {PTP.PCstEval}(pp,sk^{l}_{T},\cdot )\). Since all \(\{h^{0,l}_{u},h^{1,l}_{u}\}^{l\in [L]}_{u\in [d]}\) are sampled uniformly at random and independent of other parameters, and \(\varPi _{PTP}\) satisfies selective evaluation correctness, \(\textrm{Pr}[\hat{C}^{l}(h^{b,itr}_{u})\not =\textsf {PTP.Eval}(pp,\hat{k},h^{b,itr}_{u})]=\textrm{negl}(\lambda )\) for \(b\in \{0,1\}\), \(itr=\tilde{l},\tilde{l}+1,\ldots ,L\) and \(u\in [d]\). Since \(L=\omega (\log \lambda )\) and \(d=\textrm{poly}(\lambda )\), \(Bad_{2}\) is output in H\(_{4}\) with negligible probability by a union bound. Thus, Hybrids H\(_{3}\) and H\(_{4}\) are indistinguishable.
Lemma 5
For all unremoving-admissible adversaries \(\mathcal {A}\),
Proof
We prove that the output distributions of H\(_{4}\) and H\(_{5}\) are statistically indistinguishable. In the following, we first prove that \(Bad_{3}\) in H\(_{5}\) is output by the challenger with negligible probability; then, we prove that with high probability, \(\tilde{Y}^{b,itr}=\hat{Y}^{b,itr}\) for \(b\in \{0,1\}\), \(itr=\tilde{l},\tilde{l}+1,\ldots ,L\).
-
Note that \(\{h^{0,l}_{u}, h^{1,l}_{u}\}^{l\in [L]}_{u\in [d]}\) do not relate to the challenger’s behavior and the adversary’s view until the extraction phase. The sampling of \(\{h^{0,l}_{u}, h^{1,l}_{u}\}^{l\in [L]}_{u\in [d]}\) can be deferred to the extraction phase. Since the adversary is unremoving-admissible, \(\tilde{C}\sim _{f}\hat{C}^{\tilde{l}}\) where \(\frac{1}{f}=\textrm{negl}(\lambda )\) and \(\tilde{l}\) is the level number from the adversary at the challenge phase. Since all \(\{h^{0,l}_{u}, h^{1,l}_{u}\}^{l\in [L]}_{u\in [d]}\) are sampled uniformly and independent of \(\tilde{C}\) and \(\hat{C}^{\tilde{l}}\), for \(b\in \{0,1\}\), \(\textrm{Pr}[\tilde{C}(h^{b,l}_{u})\not =\hat{C}^{\tilde{l}}(h^{b,l}_{u})]\le \frac{1}{f}=\textrm{negl}(\lambda )\). Besides, since \(L=\omega (\log \lambda )\) and \(d=\textrm{poly}(\lambda )\), by a union bound, for all \(b\in \{0,1\}, l\in [L],u\in [d]\), \(\textrm{Pr}[\tilde{C}(h^{b,l}_{u})=\hat{C}^{\tilde{l}}(h^{b,l}_{u})]\ge 1-\textrm{negl}(\lambda )\). If \(Bad_{2}\) in H\(_{4}\) is not output, then \(\hat{C}^{\tilde{l}}(h^{b,itr}_{u})=\textsf {PTP.Eval}(pp,\hat{k},h^{b,itr}_{u})\) for \(b\in \{0,1\}, itr=\tilde{l},\tilde{l}+1,\ldots ,L\), \(u=1,2,\ldots ,d\). Hence, \(Bad_{3}\) in H\(_{5}\) is output by the challenger with negligible probability.
-
As discussed above, \(Bad_{3}\) in H\(_{5}\) is output by the challenger with negligible probability. In other words, \(\tilde{y}^{b,itr}_{u}=\tilde{C}(h^{b,itr}_{u})=\textsf {PTP.Eval}(pp,\hat{k},h^{b,itr}_{u})=\hat{y}^{b,itr}_{u}\) with high probability for \(b\in \{0,1\}, itr=\tilde{l},\tilde{l}+1,\ldots ,L\) and \(u\in [d]\). Hence, in both H\(_{4}\) and H\(_{5}\), \(\tilde{X}^{b,itr}=\hat{X}^{b,itr}\) for \(b\in \{0,1\}, itr=\tilde{l},\tilde{l}+1,\ldots ,L\).
Lemma 6
If \(\varPi _{PTP}\) satisfies selective verification correctness, then for all efficient and unremoving-admissible adversaries \(\mathcal {A}\),
Proof
Since \(Bad_{1},Bad_{2},Bad_{3}\) do not happen, \(\tilde{X}^{b,itr}=\hat{X}^{b,itr}\) for \(b\in \{0,1\}, itr=\tilde{l},\tilde{l}+1,\ldots ,L\) where \(\tilde{l}\) is the level number output by the adversary. By unremoving-admissibility of the adversary \(\mathcal {A}\), with high probability \(\tilde{C}(x^{b,itr}_{ij})=\hat{C}^{\tilde{l}}(x^{b,itr}_{ij})\) for \(b\in \{0,1\}, itr=\tilde{l},\tilde{l}+1,\ldots ,L\), \(i\in [I]\) and \(j\in [J]\). Then, by the verification correctness,
Thus, the counters \(ctr^{\tilde{l}}_{i}\) are computed identically in H\(_{5}\) and H\(_{6}\), so H\(_{5}\) and H\(_{6}\) are indistinguishable.
We first prove the indistinguishability between \({\textbf {H}}_{7}\) and \({\textbf {H}}_{8}\). Then, the indistinguishability between \({\textbf {H}}_{6}\) and \({\textbf {H}}_{7}\) is proven.
Lemma 7
For all efficient and unremoving-admissible adversaries \(\mathcal {A}\),
Proof
The difference between Hybrids H\(_{7}\) and H\(_{8}\) is the event \(Bad_{4}\). The probability of \(Bad_{4}\) happening is \(\frac{(IJL)^{2}}{2^{n-1}}\), which is negligible since \(I,J,L=\omega (\log \lambda )\) and \(n=\textrm{poly}(\lambda )\). Hence, Hybrids H\(_{7}\) and H\(_{8}\) are indistinguishable.
Next, we prove that Hybrid H\(_{8}\) outputs \(m^{\tilde{l}}\) with non-negligible probability. First, we prove that with high probability, \(ctr^{\tilde{l}}_{i}=J\) for the adversary’s level number \(\tilde{l}\) and \(i\in [m_{\tilde{l}}]\). Since the adversary \(\mathcal {A}\) is unremoving-admissible, for a negligible function \(\frac{1}{f(n)}\), \(\tilde{C}(\cdot )\sim _{f}\hat{C}^{\tilde{l}}(\cdot )\) where \(\tilde{C}(\cdot )\) is the challenge response circuit from the adversary and \(\hat{C}^{\tilde{l}}(\cdot )\) is the challenge circuit watermarked at the \(\tilde{l}\)-th level. Since \(\{\hat{x}^{b,l}_{ij}\}^{b\in \{0,1\},l\in [L]}_{i\in [I],j\in [J]}\) used for answering the challenge query are sampled uniformly and independent of the adversary’s view, \(\tilde{C}(\hat{x}^{b,l}_{ij})=\hat{C}^{\tilde{l}}(\hat{x}^{b,l}_{ij})\) for \(b\in \{0,1\},l\in [L], i\in [I], j\in [J]\) with high probability.
Then, we prove that for any \(i=m^{\tilde{l}}+1,m^{\tilde{l}}+2,\ldots ,I\), \(\vert ctr^{\tilde{l}}_{i}-ctr^{\tilde{l}}_{i+1}\vert \le \frac{J}{I+1}\). Define \(\overline{X}^{\tilde{l}}=\{x^{0,\tilde{l}}_{ij}\}\) where \(i=m^{\tilde{l}}+1,m^{\tilde{l}}+2,\ldots ,I\) and \(j\in [J]\) and denote the size of \(\overline{X}^{\tilde{l}}\) by g. Define \(X_{and}=\{x|x\in \overline{X}^{\tilde{l}}\wedge \tilde{C}(x)=\hat{C}^{\tilde{l}-1}(x)\}\) and denote the size of \(X_{and}\) by u. Since the exact partition of \(\overline{X}^{\tilde{l}}\) is independent of the view of the adversary \(\mathcal {A}\), the distribution of \(ctr^{\tilde{l}}_{i}\) for \(i=m^{\tilde{l}}+1,m^{\tilde{l}}+2,\ldots ,I\) is the hypergeometric distribution \(\mathcal {H}(u,g,J)\). Therefore,
which are both negligible. By the union bound, the probability that there exists \(i=m^{\tilde{l}}+1,m^{\tilde{l}}+2,\ldots ,I\) such that \(\vert ctr^{\tilde{l}}_{i}-ctr^{\tilde{l}}_{i+1}\vert \ge \frac{J}{I+1}\) is negligible. Thus, the smallest subscript such that \(\vert ctr^{\tilde{l}}_{i}-ctr^{\tilde{l}}_{i+1}\vert \ge \frac{J}{I+1}\) is \(m_{\tilde{l}}\) with high probability.
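The concentration step of this proof can be checked numerically. The following is an added example, not code from the paper: it assumes the standard form of Chvátal's hypergeometric tail bound, \(\textrm{Pr}[ctr\ge (u/g+t)J]\le e^{-2t^{2}J}\), and models only the \(I-m\) counters drawn from the pool \(\overline{X}^{\tilde{l}}\) of size \(g=(I-m)J\) with u hits under a hidden uniform partition. Function names and parameter values are constructed.

```python
import math
import random


def chvatal_tail(J, t):
    """One-sided Chvatal bound for J draws without replacement:
    Pr[ctr >= (u/g + t) * J] <= exp(-2 * t^2 * J), whatever u and g are."""
    return math.exp(-2.0 * t * t * J)


def gap_failure_bound(I, J, groups):
    """Union bound on the event that some counter among `groups` hidden groups
    lies J/(2(I+1)) or more away from its mean u*J/g. Outside that event any
    two consecutive counters differ by less than J/(I+1)."""
    t = 1.0 / (2 * (I + 1))
    return min(1.0, groups * 2.0 * chvatal_tail(J, t))


def simulate_counters(I, J, m, u, rng):
    """Counters ctr_{m+1..I}: u of the g = (I-m)*J pool points are hits, and the
    partition of the pool into groups of J points is uniform and hidden."""
    g = (I - m) * J
    pool = [1] * u + [0] * (g - u)
    rng.shuffle(pool)                      # the tamperer cannot see the grouping
    return [sum(pool[k * J:(k + 1) * J]) for k in range(I - m)]


def max_consecutive_gap(counters):
    """Largest |ctr_i - ctr_{i+1}| over consecutive counters in the pool."""
    return max((abs(a - b) for a, b in zip(counters, counters[1:])), default=0)


def worst_gap(I, J, m, trials=50, seed=1):
    """Largest consecutive gap seen over several hit counts u and many partitions."""
    rng = random.Random(seed)
    g = (I - m) * J
    worst = 0
    for u in (0, g // 4, g // 2, (3 * g) // 4, g):
        for _ in range(trials):
            worst = max(worst, max_consecutive_gap(simulate_counters(I, J, m, u, rng)))
    return worst


if __name__ == "__main__":
    I, m = 8, 3
    for J in (64, 1000, 4000):
        print(f"J={J:5d}  threshold J/(I+1)={J / (I + 1):7.1f}  "
              f"failure bound={gap_failure_bound(I, J, I - m):.3e}  "
              f"worst simulated gap={worst_gap(I, J, m)}")
```

The bound is independent of u, so it holds for any number of modified points; it becomes meaningful only once J is large compared with \((I+1)^{2}\), which the J = 64 row makes visible.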
Lemma 8
If \(\varPi _{PTP}\) satisfies selectively consistent privacy, then for all efficient adversaries \(\mathcal {A}\),
Proof
Suppose that an adversary \(\mathcal {A}\) can distinguish \({\textbf {H}}_{6}\) and \({\textbf {H}}_{7}\) with a non-negligible probability. Then an adversary \(\mathcal {B}\) can be constructed to break the selectively consistent privacy of \(\varPi _{PTP}\). The reduction proceeds as follows:
1. To start, \(\mathcal {B}\) guesses which L messages the adversary \(\mathcal {A}\) intends to embed in the challenge phase. Suppose these L messages are guessed to be \(\{m_{1}, m_{2},\ldots , m_{L}\}\). Next, \(\mathcal {B}\) samples two point sets \(T_{0}\), \(T_{1}\) with a special form uniformly at random. More specifically, if we define \(T^{m_{1}}_{b}=\{x^{bl}_{ij}: x^{bl}_{ij} \xleftarrow {\$}\{0,1\}^{n}, \forall l\in [L], i \in [I], j \in [J] \}\), \(\bar{X}^{m_{l}}_{b}=\{x^{bl}_{ij}\xleftarrow {\$}\{0,1\}^{n}: i \in \{m_{l}+1,m_{l}+2,\ldots ,I-1, I\}, j \in [J] \}\), and \(X^{m_{l}}_{b}=\{x^{bl}_{ij}\in T^{m_{l-1}}_{b}: i \in \{m_{l}+1,m_{l}+2,\ldots ,I-1, I\}, j \in [J] \}\), then for \(l=2,3,\ldots , L\) and \(b\in \{0,1\}\), \(T^{m_{l}}_{b}=(T^{m_{l-1}}_{b}\setminus X^{m_{l}}_{b} )\cup \bar{X}^{m_{l}}_{b}\) (footnote 13). Then, \(T_{0}=\{T^{m_{1}}_{0}, T^{m_{2}}_{0},\ldots , T^{m_{L}}_{0}\}\) and \(T_{1}=\{T^{m_{1}}_{1}, T^{m_{2}}_{1},\ldots , T^{m_{L}}_{1}\}\) are sent to the challenger \(\mathcal {C}\).
2. \(\mathcal {C}\) samples a bit \(\beta \) uniformly at random. Then, \(\mathcal {C}\) runs the setup algorithm of the scheme \(\varPi _{PTP}\) and generates L constraint keys \(\{sk_{l}\}_{l\in [L]}\) punctured at \(T_{\beta }\). Finally, the public parameters pp and L circuits \(\{C_{l}=\textsf {PTP.PCstEval}(pp, sk_{l}, \cdot )\}_{l\in [L]}\) are sent to \(\mathcal {B}\).
3. \(\mathcal {B}\) invokes \(\mathcal {A}\). To simulate the unremovability experiment, \(\mathcal {B}\) performs the setup as in the watermarking scheme. At the end of the setup phase, \(\mathcal {B}\) sends pp to \(\mathcal {A}\).
4. In the query phase, \(\mathcal {B}\) answers the queries as follows:
   - Marking oracle: There is one difference in how \(\mathcal {B}\) answers the marking oracle. Since \(\mathcal {B}\) does not have the testing key, \(\mathcal {B}\) cannot compute the counters as in the third step of \(\textsf {WM.Mark}_{l}(\cdot )\). To overcome this difficulty, \(\mathcal {B}\) computes the counters by \(ctr^{b,itr}_{i}=\sum ^{J}_{j=1}{} {\textbf {1}}_{\not =}(C^{l-1}(x^{b,itr}_{ij})\not =\textsf {PTP.Eval}(pp,k,x^{b,itr}_{ij}))\) for \(itr=l,l+1,\ldots , L\), where \({\textbf {1}}_{\not =}\) is an indicator function, i.e.,
     $$\begin{aligned} {\textbf {1}}_{\not =}(\text {expression})= {\left\{ \begin{array}{ll} 1 &{} \text {if the expression is true}\\ 0 &{} \text {if the expression is false.} \end{array}\right. } \end{aligned}$$
   - Challenge oracle: On input a set of challenge messages \(\{m_{l}\}^{L}_{l=1}\), \(\mathcal {B}\) checks whether it has made a correct guess. If yes, then \(\mathcal {B}\) sends L circuits \(\{C_{l}\}_{l\in [L]}\) to \(\mathcal {A}\) directly. If no, then \(\mathcal {B}\) aborts the experiment and outputs a bit uniformly at random.
5. \(\mathcal {A}\) outputs a circuit \(\tilde{C}^{\tilde{l}}\) and a level number \(\tilde{l}\) when it makes no more queries. Then, \(\mathcal {B}\) extracts the watermarked message from \(\tilde{C}^{\tilde{l}}\). If the extracted message is not \(m^{\tilde{l}}\), then \(\mathcal {B}\) outputs 1; otherwise, it outputs 0.
As in Lemma 7, \({\textbf {H}}_{7}\) and \({\textbf {H}}_{8}\) are indistinguishable and \({\textbf {H}}_{8}\) fails to output \(m^{\tilde{l}}\) only with negligible probability. Thus, \({\textbf {H}}_{7}\) also fails to output \(m^{\tilde{l}}\) only with negligible probability. For contradiction, assume that \({\textbf {H}}_{6}\) fails to output \(m^{\tilde{l}}\) with a noticeable probability \(\epsilon \). In the following, we discuss two cases: \(\beta =0\) and \(\beta =1\).
- \(\beta =0\): \(\mathcal {B}\) simulates \({\textbf {H}}_{6}\) for \(\mathcal {A}\). Under our assumption, \(\mathcal {B}\) outputs 1 with probability \(\frac{1}{2}+\frac{1}{I^{L}}\epsilon \).
- \(\beta =1\): \(\mathcal {B}\) simulates \({\textbf {H}}_{7}\) for \(\mathcal {A}\). Based on our proof, \(\mathcal {B}\) outputs 1 with probability \(\frac{1}{2}\) plus a negligible probability.
In our scheme, L is set to be a constant and I is a polynomial in \(\lambda \). To conclude, \(\mathcal {B}\) breaks the selectively consistent privacy of \(\varPi _{PTP}\) with a non-negligible probability, which is a contradiction.
Combining all these lemmas, unremovability is proven.
B.3 Proof of Unforgeability
Proof
To start with, define the following hybrids:
Hybrid H\(_{i}\) (\(i=0, 1, 2, 3\)): It is almost identical to H\(_{i}\) defined in the proof of unremovability, except that there is no challenge oracle. In addition, in the extraction phase of Hybrid H\(_{3}\), the challenger computes \(\tilde{Y}^{b,l}=(\tilde{C}(h^{b,l}_{1}),\ldots ,\tilde{C}(h^{b,l}_{d}))\) for \(b\in \{0,1\}\) and aborts the experiment if, for some k queried by the adversary in the query phase, \(\tilde{Y}^{b,l}=(\textsf {PTP.Eval}(pp,k,h^{b,l}_{1}),\ldots ,\textsf {PTP.Eval}(pp,k,h^{b,l}_{d}))\) for \(b=0,1\). Otherwise, it proceeds as H\(_{2}\).
Lemma 9
If \(\varPi _{PRF}\) is a secure PRF and \(\varPi _{PTP}\) is key-injective, then for all adversaries,
Proof
The proof follows the same arguments as for Lemmas 1 and 2.
Lemma 10
If \(\varPi _{PTP}\) satisfies evaluation correctness, then for all \(\delta \)-unforging-admissible adversaries \(\mathcal {A}\) where \(\delta =\frac{1}{\textrm{poly}(\lambda )}\),
Proof
If H\(_{3}\) does not abort the experiment, then Hybrids H\(_{2}\) and H\(_{3}\) are statistically indistinguishable. In the following, we prove that H\(_{3}\) aborts with a negligible probability.
For \(l\in [L]\) and \(q_{l}\in [Q_{l}]\), let \(S^{l}_{q_{l}}\) be the set of points at which the circuit \(\tilde{C}\) output by the adversary and the circuit computing \(\textsf {PTP.Eval}(pp,k^{l}_{q_{l}},\cdot )\) disagree. Note that \(\textsf {PTP.Eval}(pp,k^{l}_{q_{l}},\cdot )\) agrees with \(C^{l}_{q_{l}}(\cdot )\) at all but a negligible fraction of the whole domain. Here, \(C^{l}_{q_{l}}\) is the marked circuit for the PRF key \(k^{l}_{q_{l}}\) at the l-th level for the \(q_{l}\)-th query. Due to the \(\delta \)-unforging-admissibility, \(\frac{|S^{l}_{q_{l}}|}{2^{n}}\ge \delta \). Since the marking phase does not depend on \(\{h^{0,l}_{u}, h^{1,l}_{u}\}^{l\in [L]}_{u\in [d]}\), the sampling of \(\{h^{0,l}_{u}, h^{1,l}_{u}\}^{l\in [L]}_{u\in [d]}\) can be deferred until the extraction phase. Since each \(h^{b,l}_{u}\) is sampled uniformly and independently, for \(b\in \{0,1\}\), \(l\in [L]\), \(u\in [d]\) and \(q_{l}\in [Q_{l}]\), we have that \(\textrm{Pr}[h^{b,l}_{u}\in S^{l}_{q_{l}} ]=\frac{|S^{l}_{q_{l}}|}{2^{n}}\ge \delta \). Then, for all \(l\in [L]\) and \(q_{l}\in [Q_{l}]\), \(b\in \{0,1\}\),
where \(d=\lambda /\delta \) and \(\delta =1/\textrm{poly}(\lambda )\). Since we set \(\sum ^{L}_{l=1}q_{l}=\textrm{poly}(\lambda )\), H\(_{3}\) aborts the experiment with negligible probability. Thus, Hybrids H\(_{2}\) and H\(_{3}\) are statistically indistinguishable.
Lemma 11
For all adversaries, \(\textrm{Pr}[{\textbf {H}}_{3}(\mathcal {A})\not =\perp ]=\textrm{negl}(\lambda )\).
Proof
Since H\(_{3}\) does not abort, \(X=\{x^{l}_{ij}\leftarrow \{0,1\}^{n}: \text {for all } l\in [L], i\in [I],j\in [J]\}\).
Since \(\frac{LIJ}{2^{n}}\) is negligible, \(\textrm{Pr}[\textsf {PTP.Test}(pp,tk^{\tilde{l}},\tilde{C}(x^{\tilde{l}}_{ij}))=1]=\frac{LIJ}{2^{n}}=\textrm{negl}(\lambda )\). By a union bound, \(\textrm{Pr}[ctr^{\tilde{l}}_{i}=\sum \limits _{j\in [J]}\textsf {PTP.Test}(pp,tk^{\tilde{l}},\tilde{C}(x^{\tilde{l}}_{ij}))=0]=(1-\frac{LIJ}{2^{n}})^{J}\sim 1-\textrm{negl}(\lambda )\) for all \(i\in [I]\). Thus, with high probability, 0 is extracted from \(\tilde{C}\), which leads the experiment to output \(\perp \).
Combining all these lemmas, the watermarking scheme satisfies unforgeability.
© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG
Zhao, Y., Wang, Y., Yiu, S.M., Liu, Y., Wang, M. (2023). A Hierarchical Watermarking Scheme for PRFs from Standard Lattice Assumptions. In: Lenzini, G., Meng, W. (eds) Security and Trust Management. STM 2022. Lecture Notes in Computer Science, vol 13867. Springer, Cham. https://doi.org/10.1007/978-3-031-29504-1_2
DOI: https://doi.org/10.1007/978-3-031-29504-1_2
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-29503-4
Online ISBN: 978-3-031-29504-1
eBook Packages: Computer Science, Computer Science (R0)