
A Hierarchical Watermarking Scheme for PRFs from Standard Lattice Assumptions

Conference paper: Security and Trust Management (STM 2022)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 13867)


Abstract

A software watermarking scheme embeds a “mark” or a message into a program in a cryptographic way. It is useful for proving ownership (e.g., in applications to digital rights management) and for authenticating software (e.g., for proving who distributed the software). A qualified software watermarking scheme should satisfy three requirements: (i) the marked program should not differ significantly from the original program; (ii) the embedded “mark” or message should not be removable without dramatically destroying the program; (iii) forging a marked program without the watermarking secret key is difficult. To the best of our knowledge, existing watermarking schemes for PRFs only deal with a single key, and no scheme supports watermarking the same PRF key multiple times, which is useful for hierarchical organizations.

In this paper, we put forward a definition and security requirements for a hierarchical watermarking scheme for PRFs. Under this definition, we construct a hierarchical watermarking scheme for PRFs that is functionality-preserving, unremovable and unforgeable under standard assumptions, namely the LWE assumption and the SIS problem. The watermarking scheme is based on a variant of a translucent constrained PRF with the desired security properties.


Notes

  1. Note that the function value at a puncture point is incorrect, and this incorrectness cannot be tested if the incorrect function value is modified.

  2. The program is usually determined by a pseudorandom function secret key, a signing key or a decryption key. In this paper, the program is an implementation of a PRF.

  3. Here, L is a constant and IJ, for example, can be polynomial in the security parameter.

  4. Recall that the constrained key computes incorrect function values, and these can be tested to determine whether the function values are evaluated at points in the puncture set.

  5. In [7, 11], it is proven that when \(m=O(n\log q)\) and \(p_{1}\ge \beta \cdot \omega (\sqrt{mn\log n})\), the 1D-SIS-R\(_{m,p,q,\beta }\) problem is as hard as approximating certain worst-case lattice problems to within a factor of \(\beta \cdot \tilde{O}(\sqrt{mn})\).

  6. The variant can generate and output a partial constraint key, while the original one in [18] can only generate and output the whole constraint key. A detailed discussion can be found in the introduction.

  7. \(T_{in}\) and \(T_{out}\) indicate the positions in T.

  8. \(w_{t}\) is the t-th component of the vector \({\textbf {w}}\in \mathbb {Z}_{q}\).

  9. The collection \(\{{\textbf {D}}_{t}\in \{0,1\}^{n\times m}\}_{t\in [N]}\) is a basis for the module \(\mathbb {Z}^{n\times m}_{q}\). Its definition makes it convenient to set a trapdoor in the function values at puncture points. More technical details can be found in [18].

  10. Note that \(b^{*}\) takes on either 0 or 1 and is the symbol relative to the puncture point; b is the symbol standing for the bit.

  11. In the following equations, the superscript T stands for transposition.

  12. The circuit \(C^{l-1}\) and the ciphertext \(cipher^{l-1}\) are output at the \((l-1)\)-th level.

  13. \(T^{m_{l}}_{b}\) is the puncture point set encoding the watermarking messages \(m_{1}, m_{2},\ldots ,m_{l}\).

References

  1. Ajtai, M.: Generating hard instances of the short basis problem. In: Wiedermann, J., van Emde Boas, P., Nielsen, M. (eds.) ICALP 1999. LNCS, vol. 1644, pp. 1–9. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48523-6_1

  2. Alwen, J., Peikert, C.: Generating shorter bases for hard random lattices (2009)

  3. Alwen, J., Peikert, C.: Generating shorter bases for hard random lattices. Theory Comput. Syst. 48(3), 535–553 (2011)

  4. Barak, B., et al.: On the (im)possibility of obfuscating programs. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 1–18. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44647-8_1

  5. Barak, B., et al.: On the (im)possibility of obfuscating programs. J. ACM (JACM) 59(2), 1–48 (2012)

  6. Boneh, D., et al.: Fully key-homomorphic encryption, arithmetic circuit ABE and compact garbled circuits. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 533–556. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-55220-5_30

  7. Boneh, D., Kim, S., Montgomery, H.: Private puncturable PRFs from standard lattice assumptions. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10210, pp. 415–445. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56620-7_15

  8. Boneh, D., Lewi, K., Wu, D.J.: Constraining pseudorandom functions privately. In: Fehr, S. (ed.) PKC 2017. LNCS, vol. 10175, pp. 494–524. Springer, Heidelberg (2017). https://doi.org/10.1007/978-3-662-54388-7_17

  9. Boneh, D., Waters, B.: Constrained pseudorandom functions and their applications. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013. LNCS, vol. 8270, pp. 280–300. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-42045-0_15

  10. Brakerski, Z., Vaikuntanathan, V.: Lattice-based FHE as secure as PKE. In: Proceedings of the 5th Conference on Innovations in Theoretical Computer Science, pp. 1–12. ACM (2014)

  11. Brakerski, Z., Vaikuntanathan, V.: Constrained key-homomorphic PRFs from standard lattice assumptions. In: Dodis, Y., Nielsen, J.B. (eds.) TCC 2015. LNCS, vol. 9015, pp. 1–30. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46497-7_1

  12. Chvátal, V.: The tail of the hypergeometric distribution. Discret. Math. 25(3), 285–287 (1979)

  13. Cohen, A., Holmgren, J., Nishimaki, R., Vaikuntanathan, V., Wichs, D.: Watermarking cryptographic capabilities. SIAM J. Comput. 47(6), 2157–2202 (2018)

  14. Gentry, C., Peikert, C., Vaikuntanathan, V.: Trapdoors for hard lattices and new cryptographic constructions. In: Proceedings of the Fortieth Annual ACM Symposium on Theory of Computing, pp. 197–206. ACM (2008)

  15. Gentry, C., Sahai, A., Waters, B.: Homomorphic encryption from learning with errors: conceptually-simpler, asymptotically-faster, attribute-based. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 75–92. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40041-4_5

  16. Gorbunov, S., Vaikuntanathan, V., Wee, H.: Predicate encryption for circuits from LWE. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9216, pp. 503–523. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48000-7_25

  17. Goyal, R., Kim, S., Manohar, N., Waters, B., Wu, D.J.: Watermarking public-key cryptographic primitives. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11694, pp. 367–398. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26954-8_12

  18. Kim, S., Wu, D.J.: Watermarking cryptographic functionalities from standard lattice assumptions. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10401, pp. 503–536. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63688-7_17

  19. Kim, S., Wu, D.J.: Watermarking PRFs from lattices: stronger security via extractable PRFs. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11694, pp. 335–366. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26954-8_11

  20. Lyubashevsky, V., Wichs, D.: Simple lattice trapdoor sampling from a broad class of distributions. In: Katz, J. (ed.) PKC 2015. LNCS, vol. 9020, pp. 716–730. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46447-2_32

  21. Micciancio, D., Peikert, C.: Trapdoors for lattices: simpler, tighter, faster, smaller. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 700–718. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_41

  22. Naccache, D., Shamir, A., Stern, J.P.: How to copyright a function? In: Imai, H., Zheng, Y. (eds.) PKC 1999. LNCS, vol. 1560, pp. 188–196. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-49162-7_14

  23. Nishimaki, R.: How to watermark cryptographic functions. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 111–125. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38348-9_7

  24. Quach, W., Wichs, D., Zirdelis, G.: Watermarking PRFs under standard assumptions: public marking and security with extraction queries. In: Beimel, A., Dziembowski, S. (eds.) TCC 2018. LNCS, vol. 11240, pp. 669–698. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03810-6_24

  25. Yang, R., Au, M.H., Lai, J., Xu, Q., Yu, Z.: Collusion resistant watermarking schemes for cryptographic functionalities. In: Galbraith, S.D., Moriai, S. (eds.) ASIACRYPT 2019. LNCS, vol. 11921, pp. 371–398. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-34578-5_14

  26. Yang, R., Au, M.H., Yu, Z., Xu, Q.: Collusion resistant watermarkable PRFs from standard assumptions. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020. LNCS, vol. 12170, pp. 590–620. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56784-2_20

  27. Yoshida, M., Fujiwara, T.: Toward digital watermarking for cryptographic data. IEICE Trans. Fundam. Electron. Commun. Comput. Sci. 94(1), 270–272 (2011)


Acknowledgement

The authors are supported by the National Key R&D Program of China (No. 2021YFB3100200), the Theme-Based Research Project (T35-710/20-R), the HKU-SCF FinTech Academy, the Open Research Fund of Key Laboratory of Cryptography of Zhejiang Province (No. ZCL21010), the National Key Research and Development Program of China (No. 2021YFA1000600 and 2018YFA0704702), the National Natural Science Foundation of China (No. 61832012), the National Natural Science Foundation of China (No. 61902283) and the 2019 PhD Start-up Fund of Weifang University (No. 2019BS13).

Author information


Corresponding author

Correspondence to Siu Ming Yiu.


Appendices

A Proof of Theorem 6

Proof

The idea behind the proof is that any two consecutive hybrids differ at a single point, and this difference cannot be distinguished with noticeable probability because the adversary is privacy-admissible and because of the security of the variant of the translucent constrained PRF.

Let \(\{X_{01},X_{02},\ldots , X_{0L}\}\) and \(\{X_{11},X_{12},\ldots , X_{1L}\}\) be the two sets that an adversary sends to the challenger in the selectively consistent privacy experiment. Let \(D_{j}\) be the symmetric difference of the sets \(X_{0j}\) and \(X_{1j}\), i.e., \(D_{j}= (X_{0j}\vee X_{1j})\setminus (X_{0j}\wedge X_{1j})\) for all \(j\in [L]\), and define \(D=D_{1}\vee D_{2}\vee \ldots \vee D_{L}\).

The hybrids are defined as follows:

  • Hybrid H\(_{0}\): This is exactly the selectively consistent privacy experiment when \(b=0\). An adversary \(\mathcal {A}\) chooses two sets \(\{X_{01},X_{02},\ldots , X_{0L}\}\) and \(\{X_{11},X_{12},\ldots , X_{1L}\}\). Then, \(\mathcal {A}\) sends them to the challenger. The challenger runs \((pp,tk)\leftarrow \textsf {PTP.Setup}(1^{\lambda })\), \(msk\leftarrow \textsf {PTP.SampleKey}(pp)\). Since \(b=0\), the challenger computes \(sk_{X_{0j}}\leftarrow \textsf {PTP.PCst}(pp,msk,X_{0j})\) for all \(j\in [L]\). Define a circuit \(C_{j}(\cdot )=\textsf {PTP.PCstEval}(pp,sk_{X_{0j}},\cdot )\) for all \(j\in [L]\) and the challenger sends all circuits \(\{C_{j}\}_{j\in [L]}\) to the adversary. Besides, the adversary can access the evaluation oracle. Finally, the experiment outputs whatever the adversary outputs.

  • Hybrid H\(_{0,i}\): Arrange all elements of D in lexicographic order and define \(D^{i}\) to be the set of the first i elements. Define \(X^{i}_{bj}=(X_{bj}\vee (D_{j}\wedge D^{i}))\setminus (X_{bj}\wedge (D_{j}\wedge D^{i}))\) for \(b=0,1\), \(j\in [L]\), and take \(\{X^{i}_{01},X^{i}_{02},\ldots , X^{i}_{0L}\}\) and \(\{X^{i}_{11},X^{i}_{12},\ldots , X^{i}_{1L}\}\) as the two puncture sets. The remaining experiment steps are the same as in Hybrid H\(_{0}\).

  • Hybrid H\(_{1}\): This is exactly the selectively consistent privacy experiment when \(b=1\). Same as Hybrid H\(_{0}\), except that the constraint keys are computed as \(sk_{X_{1j}}\leftarrow \textsf {PTP.PCst}(pp,msk,X_{1j})\) for all \(j\in [L]\).

Observe that Hybrid H\(_{0,0}\) is the same as Hybrid H\(_{0}\) and Hybrid H\(_{0,|D|}\) is the same as Hybrid H\(_{1}\). To see this, for any \(j\in [L]\), the following equations hold:

$$\begin{aligned} {\left\{ \begin{array}{ll} X^{0}_{0j}=(X_{0j}\vee (D_{j}\wedge D^{0}))\setminus (X_{0j}\wedge (D_{j}\wedge D^{0}))=(X_{0j}\vee \emptyset )\setminus (X_{0j}\wedge \emptyset )=X_{0j};\\ X^{|D|}_{0j}=(X_{0j}\vee (D_{j}\wedge D^{|D|}))\setminus (X_{0j}\wedge (D_{j}\wedge D^{|D|}))=(X_{0j}\vee D_{j})\setminus (X_{0j}\wedge D_{j})\\ =X_{1j}. \end{array}\right. } \end{aligned}$$

Next, we prove the indistinguishability of Hybrid H\(_{0,i}\) and Hybrid H\(_{0,i+1}\). The only difference between them is how the function value at the \((i+1)\)-th element of D, denoted \(d_{i+1}\), is computed. Since the adversary \(\mathcal {A}\) is privacy-admissible, \(d_{i+1}\) must lie in either \(X_{0j}\wedge D_{j}\) or \(X_{1j}\wedge D_{j}\) for all \(j\in [L]\). In H\(_{0,i}\), by the correctness of our variant of the translucent constrained PRF,

$$\begin{aligned} C^{i}_{j}(d_{i+1})= {\left\{ \begin{array}{ll} \textsf {PTP.PCstEval}(pp,sk_{X^{i}_{0j}},d_{i+1}) &{} d_{i+1}\in X_{0j}\wedge D_{j}\\ \textsf {PTP.Eval}(pp,msk,d_{i+1}) &{} d_{i+1}\in X_{1j}\wedge D_{j}, \end{array}\right. } \end{aligned}$$

where \(C^{i}_{j}\) is the j-th circuit that the challenger returns to the adversary as the challenge response in Hybrid H\(_{0,i}\). \(sk_{X^{i}_{0j}}\) is the constraint key for the puncture set \(X^{i}_{0j}\) as defined in Hybrid H\(_{0,i}\).

In H\(_{0,i+1}\), according to the correctness,

$$\begin{aligned} C^{i+1}_{j}(d_{i+1})= {\left\{ \begin{array}{ll} \textsf {PTP.Eval}(pp,msk,d_{i+1}) &{} d_{i+1}\in X_{0j}\wedge D_{j}\\ \textsf {PTP.PCstEval}(pp,sk_{X^{i+1}_{0j}},d_{i+1}) &{} d_{i+1}\in X_{1j}\wedge D_{j}. \end{array}\right. } \end{aligned}$$

Define an intermediate hybrid \({\textbf {InterH}}\) where, for \(y_{1},y_{2}{\mathop {\leftarrow }\limits ^{\$}}\{0,1\}^{m}\),

$$\begin{aligned} C^{IH}_{j}(d_{i+1})= {\left\{ \begin{array}{ll} y_{1} &{} d_{i+1}\in X_{0j}\wedge D_{j}\\ y_{2} &{} d_{i+1}\in X_{1j}\wedge D_{j}. \end{array}\right. } \end{aligned}$$

Since the adversary is privacy-admissible, \(d_{i+1}\) is never queried. Moreover, since the variant of the translucent constrained PRF is both constrained pseudorandom and pseudorandom, Hybrids H\(_{0,i}\) and H\(_{0,i+1}\) are each indistinguishable from the intermediate hybrid.
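As an added illustration (not code from the paper), the following Python builds the sets \(D_{j}\), \(D^{i}\) and \(X^{i}_{0j}\) from constructed sample challenge sets and checks the facts the hybrid argument relies on: the chain starts at \(X_{0j}\), ends at \(X_{1j}\), and the puncture sets of consecutive hybrids differ only at \(d_{i+1}\). The helper `never_queries_d` is an added name for the consequence of privacy-admissibility used above (no element of D is sent to the evaluation oracle).

```python
"""Hybrid puncture sets from the proof of Theorem 6 (Appendix A).

Added example, not code from the paper.  The paper writes union as "∨" and
intersection as "∧"; Python set operators are used here.  All sample points
below are constructed, not taken from the paper.
"""
from typing import List, Sequence, Set, Tuple

# A PRF input in {0,1}^n, represented as a tuple of bits so that Python's
# tuple ordering is the lexicographic order the proof uses for D.
Point = Tuple[int, ...]


def symmetric_differences(
    X0: Sequence[Set[Point]], X1: Sequence[Set[Point]]
) -> Tuple[List[Set[Point]], List[Point]]:
    """Return D_j = (X_0j ∪ X_1j) \\ (X_0j ∩ X_1j) for every level j, and
    D = D_1 ∪ ... ∪ D_L as a lexicographically sorted list."""
    if len(X0) != len(X1):
        raise ValueError("both challenge collections must contain L sets")
    D_levels = [(x0 | x1) - (x0 & x1) for x0, x1 in zip(X0, X1)]
    D = sorted(set().union(*D_levels))
    return D_levels, D


def hybrid_sets(
    X0: Sequence[Set[Point]], X1: Sequence[Set[Point]], i: int
) -> List[Set[Point]]:
    """Puncture sets of Hybrid H_{0,i}:
    X^i_0j = (X_0j ∪ (D_j ∩ D^i)) \\ (X_0j ∩ (D_j ∩ D^i)),
    where D^i is the set of the first i elements of D."""
    D_levels, D = symmetric_differences(X0, X1)
    if not 0 <= i <= len(D):
        raise ValueError("hybrid index must lie in 0..|D|")
    Di = set(D[:i])
    return [(x0 | (dj & Di)) - (x0 & (dj & Di)) for x0, dj in zip(X0, D_levels)]


def hybrid_step_changes(
    X0: Sequence[Set[Point]], X1: Sequence[Set[Point]]
) -> List[Set[Point]]:
    """For each i in 0..|D|-1, the points on which the puncture sets of
    H_{0,i} and H_{0,i+1} differ (over all levels).  The proof argues this
    is exactly {d_{i+1}}: one point toggles per hybrid step."""
    _, D = symmetric_differences(X0, X1)
    changes = []
    for i in range(len(D)):
        cur = hybrid_sets(X0, X1, i)
        nxt = hybrid_sets(X0, X1, i + 1)
        changes.append(set().union(*(a ^ b for a, b in zip(cur, nxt))))
    return changes


def never_queries_d(
    X0: Sequence[Set[Point]], X1: Sequence[Set[Point]], queries: Set[Point]
) -> bool:
    """The consequence of privacy-admissibility the proof uses: no element of
    D is ever sent to the evaluation oracle (added helper name)."""
    _, D = symmetric_differences(X0, X1)
    return queries.isdisjoint(D)


# Constructed sample challenge: n = 3, L = 2 levels.
SAMPLE_X0 = [{(0, 0, 1), (0, 1, 0)}, {(1, 0, 0)}]
SAMPLE_X1 = [{(0, 0, 1), (1, 1, 1)}, {(1, 0, 0), (0, 1, 0)}]


if __name__ == "__main__":
    D_levels, D = symmetric_differences(SAMPLE_X0, SAMPLE_X1)
    print("D_j per level:", D_levels)
    print("D (sorted):", D)
    for i in range(len(D) + 1):
        print(f"H_(0,{i}) puncture sets:", hybrid_sets(SAMPLE_X0, SAMPLE_X1, i))
    print("changed per step:", hybrid_step_changes(SAMPLE_X0, SAMPLE_X1))
```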

B Proof of Theorem 7

B.1 Proof of Correctness

Proof

Recall that the hierarchical watermarking scheme runs \(\{msk^{l}\}_{l\in [L]}\leftarrow \textsf {WM.Setup}(1^{\lambda })\) to obtain the watermarking keys. Then, a PRF key is sampled: \(k\leftarrow \textsf {PTP.SampleKey}(pp)\). To embed a set of messages \(\{m^{l}\}_{l\in [L]}\) into a PRF key k, invoke \(\{C^{l},cipher^{l}\}_{l\in [L]}\leftarrow \textsf {WM.Mark}_{l}\), where \(C^{l}(\cdot )=\textsf {PTP.PCstEval}(pp,sk^{l}_{T},\cdot )\) and \(sk^{l}_{T}\) is the constraint key at the l-th level. \(\{C^{l}\}_{l\in [L]}\) are the watermarked circuits.

By the correctness of the encryption scheme E, the ciphertext at the l-th level can be correctly deciphered at the \((l+1)\)-th level.

  • Functionality-preserving: Let \(S^{l}\) be the set of points x where \(C^{l}(x)\not =\textsf {PTP.Eval}(pp,k,x)\) for all \(l\in [L]\) and \(x\in \mathcal {D}\setminus T^{l}\) where \(\mathcal {D}\) is the domain and \(T^{l}\) is the puncture point set at the l-th level. By the evaluation correctness of \(\varPi _{PTP}\), it holds that \(\frac{|S^{l}|}{2^{n}}\) is negligible for all \(l\in [L]\). Besides, the size of \(T^{l}\) is at most IJL and \(\frac{IJL}{2^{n}}\) is negligible for \(I,J,L=\omega (\log \lambda )\). To sum up, \(C^{l}(\cdot )\) agrees with \(\textsf {PTP.Eval}(pp,k,\cdot )\) on all but a negligible fraction of points.

  • Extraction correctness: Let \(X^{l}\) be the set of puncture points at the l-th level and H the set of sampled points, which is part of the watermarking key used for computing \(X^{l}\). Since \(\varPi _{PRF}\) is secure, the points in \(X^{l}\) are pseudorandom. Moreover, the points in H are sampled uniformly at random. Hence, \(\textrm{Pr}[x=h]\le 2\cdot \frac{(IJL)\cdot (Ld)}{2^{n}}=\textrm{negl}(\lambda )\) for any \(x\in X^{l}\) and \(h\in H\). By the evaluation correctness, \(C^{l}(h)=\textsf {PTP.Eval}(pp,k,h)\) with high probability for \(h\in H\). Thus, with high probability, the sets of puncture points are identical in the marking and extraction procedures at the same level. By the verification correctness, we get \(ctr^{l}_{0}=ctr^{l}_{1}=\ldots =ctr^{l}_{m^{l}}=J\) and \(ctr^{l}_{m^{l}+1}=\ldots =ctr^{l}_{I+1}=0\) with high probability. To conclude, the marked message can be correctly extracted with high probability.

B.2 Proof of Unremovability

Hybrid H\(_{0}\) is the watermarking experiment.

Hybrid H\(_{1}\): Same as H\(_{0}\), except that the challenger chooses L truly random functions \(\{f_{l}\}_{l\in [L]}\) during the setup phase. Then, during the experiment, the challenger evaluates \(f_{l}(\cdot )\) whenever it has to evaluate \(\textsf {PRF.Eval}(k^{*}_{l},\cdot )\).

Hybrid H\(_{2}\): Same as H\(_{1}\), except that for all \(l\in [L]\), the challenger maintains two tables \(T^{0}_{l},T^{1}_{l}\) at the l-th level. Every table keeps track of a mapping \(\mathcal {K}\rightarrow \{0,1\}^{nIJ}\), where \(\mathcal {K}\) is the PRF key space. The challenger responds to all queries as follows:

  • Marking oracle: Same as H\(_{1}\), except that when the challenger obtains a PRF key \(k\in \mathcal {K}\), either from the adversary or by decrypting a ciphertext, it first searches for k in the tables \(T^{0}_{l},T^{1}_{l}\), where l is the level number from the adversary. If a match is found, the challenger sets \(X^{0,l}=T^{0}_{l}(k)\) and \(X^{1,l}=T^{1}_{l}(k)\). Otherwise, the challenger uniformly samples \(X^{0,l}, X^{1,l}{\mathop {\leftarrow }\limits ^{\$}} \{0,1\}^{nIJ}\) and adds the mappings \(k\rightarrow X^{0,l}\) and \(k\rightarrow X^{1,l}\) to the tables \(T^{0}_{l}\) and \(T^{1}_{l}\), respectively. The rest proceeds as in H\(_{1}\).

  • Challenge oracle: On input a set of messages \(\{m_{l}\}_{l\in [L]}\) from the adversary, the challenger samples a key \(\hat{k}\leftarrow \textsf {PTP.SampleKey}(pp)\). The puncture point set \((\hat{X}^{0,l},\hat{X}^{1,l})\) is computed as in Marking oracle. The rest proceeds as in H\(_{1}\).

During the extraction phase, the challenger checks whether there exist an l and two different keys k and \(k'\) in the tables \(T^{0}_{l}, T^{1}_{l}\) such that \(Y^{0,l}=Y^{'0,l}\) or \(Y^{1,l}=Y^{'1,l}\). If so, the experiment aborts and outputs \(Bad_{1}\). Otherwise, the challenger computes \(\tilde{Y}^{0,l},\tilde{Y}^{1,l}\) for all \(l\in [L]\) as in H\(_{1}\). Next, the challenger checks whether \((\tilde{Y}^{0,l},\tilde{Y}^{1,l})\) equals some \((Y^{0,l},Y^{1,l})\) in the tables \(T^{0}_{l},T^{1}_{l}\) for all \(l\in [L]\). If so, it sets \((\tilde{X}^{0,l},\tilde{X}^{1,l})\) to the value \((X^{0,l},X^{1,l})\) corresponding to that \((Y^{0,l},Y^{1,l})\). Otherwise, it uniformly samples \(\tilde{X}^{0,l},\tilde{X}^{1,l}{\mathop {\leftarrow }\limits ^{\$}}\{0,1\}^{nIJ}\). The rest of the extraction procedure is the same as in H\(_{1}\).

Hybrid H\(_{3}\): Same as H\(_{2}\), except that when answering the challenge oracle, the challenger directly samples \(\{\hat{X}^{0,l},\hat{X}^{1,l}\}_{l\in [L]}{\mathop {\leftarrow }\limits ^{\$}}\{0,1\}^{nIJ}\) without checking whether the PRF key \(\hat{k}\) sampled by the challenger is queried by the adversary before. Besides, the mapping \(\hat{k}\rightarrow \{\hat{X}^{0,l},\hat{X}^{1,l}\}_{l\in [L]}\) is added into the corresponding table \(T^{0}_{l}, T^{1}_{l}\) for \(l\in [L]\) in the extraction phase instead of in the query phase. The rest is the same as H\(_{2}\).

Hybrid H\(_{4}\): Same as H\(_{3}\), except that during the extraction phase, the challenger checks whether \(\hat{C}^{l}(h^{b,itr}_{u})\not =\textsf {PTP.Eval}(pp,\hat{k},h^{b,itr}_{u})\) holds for some \(b^{*}, l^{*}, itr^{*}, u^{*}\) where \(b\in \{0,1\}\), \(l\in [L]\), \(u\in [d]\), \(itr=l,l+1,\ldots ,L\) and \(\hat{C}^{l}\) is the l-th watermarked circuit from the challenger. If there exist such \(b^{*}, l^{*}, itr^{*}, u^{*}\), then the experiment aborts and outputs \(Bad_{2}\). The rest is the same as H\(_{3}\).

Hybrid H\(_{5}\): Same as H\(_{4}\), except that during the extraction phase, the challenger checks whether \(\tilde{C}^{\tilde{l}}(h^{b,itr}_{u})\not =\textsf {PTP.Eval}(pp,\hat{k},h^{b,itr}_{u})\) holds for some \(b^{*}, l^{*}, itr^{*}, u^{*}\) where \(b\in \{0,1\}\), \(u\in [d]\), \(itr=\tilde{l},\tilde{l}+1,\ldots ,L\), \(\tilde{l}\) is the level number and \(\tilde{C}^{\tilde{l}}\) is the \(\tilde{l}\)-th watermarked circuit from the adversary. If there exist such \(b^{*}, l^{*}, itr^{*}, u^{*}\), then abort the experiment and output \(Bad_{3}\). Otherwise, set \(\tilde{X}^{b,itr}=\hat{X}^{b,itr}\) for \(itr=\tilde{l},\tilde{l}+1,\ldots ,L\) and \(b\in \{0,1\}\). The rest is the same as H\(_{4}\).

Hybrid H\(_{6}\): Same as H\(_{5}\), except that during the extraction phase, for the level number \(\tilde{l}\) from the adversary, re-define \(ctr^{\tilde{l}}_{i}=\Vert \{j|\tilde{C}(x^{0,\tilde{l}}_{ij})=\hat{C}^{\tilde{l}-1}(x^{0,\tilde{l}}_{ij})\}\Vert \) for \(i\in [I]\). The rest is the same as H\(_{5}\).

Hybrid H\(_{7}\): Same as H\(_{6}\), except that when the challenger responds to the challenge oracle, it uses different and uniformly sampled \(\{\eta ^{b,l}_{u}\}^{b\in \{0,1\}, l\in [L]}_{u\in [d]}\). The rest is the same as in H\(_{6}\).

Hybrid H\(_{8}\): Same as H\(_{7}\), except that during the extraction phase, the challenger aborts the experiment and outputs \(Bad_{4}\) if there exist \(b\in \{0,1\}\), \(i,i'\in [I],j,j'\in [J],l,l'\in [L]\) such that \((i,j,l)\not =(i',j',l')\) but \(\hat{x}^{b,l}_{ij}=\hat{x}^{b,l'}_{i'j'}\). The rest is the same as H\(_{7}\).

Lemma 1

If \(\varPi _{PRF}\) is secure, then for all efficient adversaries \(\mathcal {A}\),

$$ \vert \textrm{Pr}[{\textbf {H}}_{0}(\mathcal {A})\not =m^{\tilde{l}}]-\textrm{Pr}[{\textbf {H}}_{1}(\mathcal {A})\not =m^{\tilde{l}}]\vert =\textrm{negl}(\lambda ). $$

Proof

Any adversary who can distinguish H\(_{0}\) and H\(_{1}\) with non-negligible advantage can be used to break the security of the PRF.

Lemma 2

If \(\varPi _{PTP}\) is key-injective, then for all efficient adversaries,

$$ \vert \textrm{Pr}[{\textbf {H}}_{1}(\mathcal {A})\not =m^{\tilde{l}}]-\textrm{Pr}[{\textbf {H}}_{2}(\mathcal {A})\not =m^{\tilde{l}}]\vert =\textrm{negl}(\lambda ). $$

Proof

H\(_{1}\) and H\(_{2}\) are identical if H\(_{2}\) does not output \(Bad_{1}\). In the following, we prove that \(Bad_{1}\) happens with a negligible probability. If there exists an \(l\in [L]\), such that \(Y^{0,l}_{k_{1}}=Y^{0,l}_{k_{2}}\) or \(Y^{1,l}_{k_{1}}=Y^{1,l}_{k_{2}}\) for two different keys \(k_{1}\) and \(k_{2}\) queried by the adversary at the l-th level, then \(\textsf {PTP.Eval}(pp,k_{1},h^{b,l}_{u})=\textsf {PTP.Eval}(pp,k_{2},h^{b,l}_{u})\) for all \(u\in [d]\) and some \(b\in \{0,1\}\), which happens with a negligible probability due to the key-injectivity of \(\varPi _{PTP}\).

Lemma 3

If \(\varPi _{PTP}\) satisfies selective constrained pseudorandomness, then for all efficient adversaries \(\mathcal {A}\),

$$ \vert \textrm{Pr}[{\textbf {H}}_{2}(\mathcal {A})\not =m^{\tilde{l}}]-\textrm{Pr}[{\textbf {H}}_{3}(\mathcal {A})\not =m^{\tilde{l}}]\vert =\textrm{negl}(\lambda ). $$

Proof

H\(_{2}\) and H\(_{3}\) are identical if the adversary never makes a query on the key \(\hat{k}\) sampled by the challenger answering the challenge oracle. If there exists an adversary \(\mathcal {A}\) that can distinguish H\(_{2}\) and H\(_{3}\) with a non-negligible advantage \(\epsilon \), then an adversary \(\mathcal {B}\) can be constructed from \(\mathcal {A}\) to break the selective constrained pseudorandomness of \(\varPi _{PTP}\).

  1. 1.

    First, \(\mathcal {B}\) samples \(T=\{x^{l}_{ij}\}^{l\in [L]}_{i\in [I],j\in [J]}\leftarrow \{0,1\}^{n}\) uniformly at random and sends T to the challenger that simulates the scheme \(\varPi _{PTP}\). Next, the challenger runs \((pp,tk)\leftarrow \textsf {PTP.Setup}(1^{\lambda })\), \(msk\leftarrow \textsf {PTP.SampleKey}(pp)\) and \(sk_{T}\leftarrow \textsf {PTP.PCst}(pp,msk,T)\). Then, \(\mathcal {B}\) receives pp and a circuit \(C(\cdot )=\textsf {PTP.PCstEval}(pp, sk_{T},\cdot )\) from the challenger.

  2. 2.

    \(\mathcal {B}\) simulates H\(_{2}\) and H\(_{3}\) for the adversary \(\mathcal {A}\). It sends pp from the challenger to the adversary \(\mathcal {A}\). The remaining setup is the same as in H\(_{2}\) and H\(_{3}\).

  3. 3.

    During the query phase, \(\mathcal {B}\) answers the marking queries at the first level as in H\(_{2}\) and H\(_{3}\). For marking oracle queries at the l-th level (\(l\not =1\)), since \(\mathcal {B}\) cannot receive the testing key tk from the challenger, it computes \(ctr^{v}_{i}=\Vert \{j|C^{l-1}(x^{0,v}_{ij})=\textsf {PTP.PCstEval}(pp,sk^{l-1},x^{0,v}_{ij})\}\Vert \) for \(v=l,l+1,\ldots ,L\), \(i\in [I]\) and \(j\in [J]\), where \(C^{l-1}(\cdot )\) is the marked circuit from the adversary \(\mathcal {A}\) and \(sk^{l-1}\) is the deciphered constraint key. The rest of the marking procedure remains the same. When \(\mathcal {A}\) accesses the challenge oracle, \(\mathcal {B}\) returns \(\{C^{l}(\cdot )=\textsf {PTP.PCstEval}(pp,sk_{T},\cdot )\}_{l\in [L]}\) to the adversary.

  4. 4.

    Let \(k_{1},k_{2},\ldots ,k_{Q}\in \mathcal {K}\) be the keys queried by \(\mathcal {A}\) and Q be the maximum query number. At the end of the query phase, \(\mathcal {B}\) chooses an index \(i{\mathop {\leftarrow }\limits ^{\$}}[Q]\) uniformly at random and computes \(y=\textsf {PTP.Eval}(pp,k_{i},x^{1}_{11})\) where \(x^{1}_{11} \in T\). Then, it makes a query \(x^{1}_{11}\) to the challenger for the selective constrained pseudorandomness and receives a response \(\hat{y}\). If \(y=\hat{y}\), then \(\mathcal {B}\) outputs 1; otherwise, it outputs 0.

Since \(\mathcal {A}\) distinguishes H\(_{2}\) from H\(_{3}\) with non-negligible probability \(\epsilon \), with the same probability it submits a PRF key that is exactly the key sampled by the challenger. Now, consider the following two cases:

  • Suppose that for the query \(x^{1}_{11}\), the challenger for the constrained pseudorandomness experiment answers \(\textsf {PTP.Eval}(pp,msk,x^{1}_{11})\). With probability \(\epsilon /Q\), \(k_{i}=msk\) where \(k_{i}\) is the key queried by \(\mathcal {A}\) but chosen by \(\mathcal {B}\). In this case, \(y=\hat{y}\) and \(\mathcal {B}\) outputs 1 with probability at least \(\epsilon /Q\).

  • Suppose the challenger for the constrained pseudorandomness experiment answers a truly random value. Then, \(y=\hat{y}\) with a probability \(\frac{1}{2^{m}}\) which is negligible.

To sum up, \(\mathcal {B}\) breaks the constrained pseudorandomness of \(\varPi _{PTP}\) with advantage \(\epsilon /Q-\frac{1}{2^{m}}\), where \(\epsilon \) is non-negligible and Q is polynomial in \(\lambda \). Thus, H\(_{2}\) and H\(_{3}\) are indistinguishable provided that \(\varPi _{PTP}\) is selectively constrained pseudorandom.

Lemma 4

If \(\varPi _{PTP}\) satisfies selective evaluation correctness, then for all adversaries \(\mathcal {A}\),

$$ \vert \textrm{Pr}[{\textbf {H}}_{3}(\mathcal {A})\not =m^{\tilde{l}}]-\textrm{Pr}[{\textbf {H}}_{4}(\mathcal {A})\not =m^{\tilde{l}}]\vert =\textrm{negl}(\lambda ). $$

Proof

Hybrids H\(_{3}\) and H\(_{4}\) are identical provided that the challenger in H\(_{4}\) does not output \(Bad_{2}\). For all \(l\in [L]\), \(\hat{C}^{l}(\cdot )=\textsf {PTP.PCstEval}(pp,sk^{l}_{T},\cdot )\). Since all \(\{h^{0,l}_{u},h^{1,l}_{u}\}^{l\in [L]}_{u\in [d]}\) are sampled uniformly at random and independently of the other parameters, and \(\varPi _{PTP}\) satisfies selective evaluation correctness, \(\textrm{Pr}[\hat{C}^{l}(h^{b,itr}_{u})\not =\textsf {PTP.Eval}(pp,\hat{k},h^{b,itr}_{u})]=\textrm{negl}(\lambda )\) for \(b\in \{0,1\}\), \(itr=\tilde{l},\tilde{l}+1,\ldots ,L\) and \(u\in [d]\). Since \(L=\omega (\log \lambda )\) and \(d=\textrm{poly}(\lambda )\), \(Bad_{2}\) is output in H\(_{4}\) with negligible probability by a union bound. Thus, Hybrids H\(_{3}\) and H\(_{4}\) are indistinguishable.

Lemma 5

For all unremoving-admissible adversaries \(\mathcal {A}\),

$$ \vert \textrm{Pr}[{\textbf {H}}_{4}(\mathcal {A})\not =m^{\tilde{l}}]-\textrm{Pr}[{\textbf {H}}_{5}(\mathcal {A})\not =m^{\tilde{l}}]\vert =\textrm{negl}(\lambda ). $$

Proof

We prove that the output distributions of H\(_{4}\) and H\(_{5}\) are statistically indistinguishable. In the following, we first prove that \(Bad_{3}\) in H\(_{5}\) is output by the challenger with negligible probability; then we prove that, with high probability, \(\tilde{Y}^{b,itr}=\hat{Y}^{b,itr}\) for \(b\in \{0,1\}\), \(itr=\tilde{l},\tilde{l}+1,\ldots ,L\).

  • Note that \(\{h^{0,l}_{u}, h^{1,l}_{u}\}^{l\in [L]}_{u\in [d]}\) are unrelated to the challenger’s behavior and the adversary’s view until the extraction phase, so their sampling can be deferred to the extraction phase. Since the adversary is unremoving-admissible, \(\tilde{C}\sim _{f}\hat{C}^{\tilde{l}}\), where \(\frac{1}{f}=\textrm{negl}(\lambda )\) and \(\tilde{l}\) is the level number from the adversary at the challenge phase. Since all \(\{h^{0,l}_{u}, h^{1,l}_{u}\}^{l\in [L]}_{u\in [d]}\) are sampled uniformly and independently of \(\tilde{C}\) and \(\hat{C}^{\tilde{l}}\), for \(b\in \{0,1\}\), \(\textrm{Pr}[\tilde{C}(h^{b,l}_{u})\not =\hat{C}^{\tilde{l}}(h^{b,l}_{u})]\le \frac{1}{f}=\textrm{negl}(\lambda )\). Moreover, since \(L=\omega (\log \lambda )\) and \(d=\textrm{poly}(\lambda )\), by a union bound, for all \(b\in \{0,1\}, l\in [L],u\in [d]\), \(\textrm{Pr}[\tilde{C}(h^{b,l}_{u})=\hat{C}^{\tilde{l}}(h^{b,l}_{u})]\ge 1-\textrm{negl}(\lambda )\). If \(Bad_{2}\) in H\(_{4}\) is not output, then \(\hat{C}^{\tilde{l}}(h^{b,itr}_{u})=\textsf {PTP.Eval}(pp,\hat{k},h^{b,itr}_{u})\) for \(b\in \{0,1\}, itr=\tilde{l},\tilde{l}+1,\ldots ,L\), \(u=1,2,\ldots ,d\). Hence, \(Bad_{3}\) in H\(_{5}\) is output by the challenger with negligible probability.

  • As discussed above, \(Bad_{3}\) in H\(_{5}\) is output by the challenger with negligible probability. In other words, \(\tilde{y}^{b,itr}_{u}=\tilde{C}(h^{b,itr}_{u})=\textsf {PTP.Eval}(pp,\hat{k},h^{b,itr}_{u})=\hat{y}^{b,itr}_{u}\) with high probability for \(b\in \{0,1\}, itr=\tilde{l},\tilde{l}+1,\ldots ,L\) and \(u\in [d]\). Hence, in both H\(_{4}\) and H\(_{5}\), \(\tilde{X}^{b,itr}=\hat{X}^{b,itr}\) for \(b\in \{0,1\}, itr=\tilde{l},\tilde{l}+1,\ldots ,L\).

Lemma 6

If \(\varPi _{PTP}\) satisfies selective verification correctness, then for all efficient and unremoving-admissible adversaries \(\mathcal {A}\),

$$ \vert \textrm{Pr}[{\textbf {H}}_{5}(\mathcal {A})\not =m^{\tilde{l}}]-\textrm{Pr}[{\textbf {H}}_{6}(\mathcal {A})\not =m^{\tilde{l}}]\vert =\textrm{negl}(\lambda ). $$

Proof

Since \(Bad_{1},Bad_{2},Bad_{3}\) do not happen, \(\tilde{X}^{b,itr}=\hat{X}^{b,itr}\) for \(b\in \{0,1\}, itr=\tilde{l},\tilde{l}+1,\ldots ,L\) where \(\tilde{l}\) is the level number output by the adversary. By unremoving-admissibility of the adversary \(\mathcal {A}\), with high probability \(\tilde{C}(x^{b,itr}_{ij})=\hat{C}^{\tilde{l}}(x^{b,itr}_{ij})\) for \(b\in \{0,1\}, itr=\tilde{l},\tilde{l}+1,\ldots ,L\), \(i\in [I]\) and \(j\in [J]\). Then, by the verification correctness,

$$\begin{aligned} \begin{aligned}&\textsf {PTP.Test}(pp,tk,\tilde{C}(x^{0,itr}_{ij}))\\&=\textsf {PTP.Test}(pp,tk,\hat{C}^{\tilde{l}}(x^{0,itr}_{ij}))= \end{aligned} {\left\{ \begin{array}{ll} 1&{} i=1,2,\ldots ,m^{\tilde{l}}\\ 0&{} i=m^{\tilde{l}}+1,m^{\tilde{l}}+2,\ldots ,L. \end{array}\right. } \end{aligned}$$

Thus, the counters \(ctr^{\tilde{l}}_{i}\) are computed identically in H\(_{5}\) and H\(_{6}\), so H\(_{5}\) and H\(_{6}\) are indistinguishable.

We first prove the indistinguishability between \({\textbf {H}}_{7}\) and \({\textbf {H}}_{8}\). Then, the indistinguishability between \({\textbf {H}}_{6}\) and \({\textbf {H}}_{7}\) is proven.

Lemma 7

For all efficient and unremoving-admissible adversaries \(\mathcal {A}\),

$$ \vert \textrm{Pr}[{\textbf {H}}_{7}(\mathcal {A})\not =m^{\tilde{l}}]-\textrm{Pr}[{\textbf {H}}_{8}(\mathcal {A})\not =m^{\tilde{l}}]\vert =\textrm{negl}(\lambda ). $$

Proof

The only difference between Hybrids H\(_{7}\) and H\(_{8}\) is the event \(Bad_{4}\). The probability that \(Bad_{4}\) happens is \(\frac{(IJL)^{2}}{2^{n-1}}\), which is negligible since \(I,J,L=\omega (\log \lambda )\) and \(n=\textrm{poly}(\lambda )\). Hence, Hybrids H\(_{7}\) and H\(_{8}\) are indistinguishable.

Next, we prove that Hybrid H\(_{8}\) outputs \(m^{\tilde{l}}\) with non-negligible probability. First, we prove that with high probability, \(ctr^{\tilde{l}}_{i}=J\) for the adversary’s level number \(\tilde{l}\) and \(i\in [m_{\tilde{l}}]\). Since the adversary \(\mathcal {A}\) is unremoving-admissible, for a negligible function \(\frac{1}{f(n)}\), \(\tilde{C}(\cdot )\sim _{f}\hat{C}^{\tilde{l}}(\cdot )\), where \(\tilde{C}(\cdot )\) is the challenge-response circuit from the adversary and \(\hat{C}^{\tilde{l}}(\cdot )\) is the challenge circuit watermarked at the \(\tilde{l}\)-th level. Since the points \(\{\hat{x}^{b,l}_{ij}\}^{b\in \{0,1\},l\in [L]}_{i\in [I],j\in [J]}\) used for answering the challenge query are sampled uniformly and independently of the adversary’s view, \(\tilde{C}(\hat{x}^{b,l}_{ij})=\hat{C}^{\tilde{l}}(\hat{x}^{b,l}_{ij})\) for \(b\in \{0,1\},l\in [L], i\in [I], j\in [J]\) with high probability.

Then, we prove that for any \(i=m^{\tilde{l}}+1,m^{\tilde{l}}+2,\ldots ,I\), \(\vert ctr^{\tilde{l}}_{i}-ctr^{\tilde{l}}_{i+1}\vert \le \frac{J}{I+1}\). Define \(\overline{X}^{\tilde{l}}=\{x^{0,\tilde{l}}_{ij}\}\) where \(i=m^{\tilde{l}}+1,m^{\tilde{l}}+2,\ldots ,I\) and \(j\in [J]\), and denote the size of \(\overline{X}^{\tilde{l}}\) by \(g\). Define \(X_{and}=\{x|x\in \overline{X}^{\tilde{l}}\wedge \tilde{C}(x)=\hat{C}^{\tilde{l}-1}(x)\}\) and denote the size of \(X_{and}\) by \(u\). Since the exact partition of \(\overline{X}^{\tilde{l}}\) is independent of the view of the adversary \(\mathcal {A}\), the distribution of \(ctr^{\tilde{l}}_{i}\) for \(i=m^{\tilde{l}}+1,m^{\tilde{l}}+2,\ldots ,I\) is the hypergeometric distribution \(\mathcal {H}(u,g,J)\). Therefore,

$$\begin{aligned} \begin{aligned} \textrm{Pr}[ctr^{\tilde{l}}_{i}\ge (\frac{u}{g}+\frac{1}{2(I+1)})J]\le e^{-\frac{J}{2(I+1)^{2}}}, \ \textrm{Pr}[ctr^{\tilde{l}}_{i+1}\le (\frac{u}{g}-\frac{1}{2(I+1)})J]\le e^{-\frac{J}{2(I+1)^{2}}}, \end{aligned} \end{aligned}$$

which are both negligible. By the union bound, the probability that there exists \(i=m^{\tilde{l}}+1,m^{\tilde{l}}+2,\ldots ,I\) such that \(\vert ctr^{\tilde{l}}_{i}-ctr^{\tilde{l}}_{i+1}\vert \ge \frac{J}{I+1}\) is negligible. Thus, the smallest subscript \(i\) such that \(\vert ctr^{\tilde{l}}_{i}-ctr^{\tilde{l}}_{i+1}\vert \ge \frac{J}{I+1}\) is \(m_{\tilde{l}}\) with high probability.
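The extraction rule and the hypergeometric tail bound used in this proof, as an added Python illustration that is not part of the paper. The adversary model in `simulate_counters` (rows \(i\le m\) agree with the marked circuit exactly, rows \(i>m\) carry a random fraction `frac` of points on which PTP.Test returns 1) is an assumption for the simulation, not the paper's construction; `upper_tail` evaluates the exact hypergeometric tail so it can be compared with the stated bound \(e^{-J/(2(I+1)^{2})}\).

```python
import math
import random


def hypergeom_pmf(k, u, g, J):
    """Pr[X = k] for X ~ H(u, g, J): J draws without replacement from g points, u of them 'good'."""
    return math.comb(u, k) * math.comb(g - u, J - k) / math.comb(g, J)


def upper_tail(u, g, J, I):
    """Exact Pr[ctr >= (u/g + 1/(2(I+1))) J] for ctr ~ H(u, g, J), the left-hand side of the bound."""
    k0 = math.ceil((u / g + 1 / (2 * (I + 1))) * J)
    return sum(hypergeom_pmf(k, u, g, J) for k in range(k0, min(u, J) + 1))


def hoeffding_bound(J, I):
    """The right-hand side e^{-J/(2(I+1)^2)} stated in the proof (Hoeffding for sampling without replacement)."""
    return math.exp(-J / (2 * (I + 1) ** 2))


def extract(ctr, J, I):
    """Extraction rule from the proof: the smallest i with |ctr_i - ctr_{i+1}| >= J/(I+1).

    ctr[0] is the paper's ctr_1.  If no adjacent pair jumps, the extracted value is 0,
    which the unforgeability argument reads as the symbol bottom.
    """
    for i in range(len(ctr) - 1):
        if abs(ctr[i] - ctr[i + 1]) >= J / (I + 1):
            return i + 1
    return 0


def simulate_counters(I, J, m, frac, rng):
    """Assumed model of the adversary's circuit at the marked level (1 <= m < I).

    Rows 1..m: the unremoving-admissible adversary agrees with the marked circuit, so ctr_i = J.
    Rows m+1..I: of the g = (I-m)J points, u = frac*g are test-1 points placed uniformly
    at random, so each ctr_i is marginally H(u, g, J) as in the proof.
    """
    assert 1 <= m < I
    ctr = [J] * m
    g = (I - m) * J
    u = round(frac * g)
    labels = [1] * u + [0] * (g - u)
    rng.shuffle(labels)  # the random partition of the pooled points into rows
    for row in range(I - m):
        ctr.append(sum(labels[row * J:(row + 1) * J]))
    return ctr


def run_extraction_demo(I, J, m, frac, seed):
    """Simulate counters with a fixed seed and return (counters, extracted message)."""
    ctr = simulate_counters(I, J, m, frac, random.Random(seed))
    return ctr, extract(ctr, J, I)
```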

Lemma 8

If \(\varPi _{PTP}\) satisfies selectively consistent privacy, then for all efficient adversaries \(\mathcal {A}\),

$$ \vert \textrm{Pr}[{\textbf {H}}_{6}(\mathcal {A})\not =m^{\tilde{l}}]-\textrm{Pr}[{\textbf {H}}_{7}(\mathcal {A})\not =m^{\tilde{l}}]\vert =\textrm{negl}(\lambda ). $$

Proof

Suppose that an adversary \(\mathcal {A}\) can distinguish \({\textbf {H}}_{6}\) and \({\textbf {H}}_{7}\) with a non-negligible probability, then an adversary \(\mathcal {B}\) can be constructed to break the selectively consistent privacy of the \(\varPi _{PTP}\). The reduction proceeds as follows:

  1. To start, \(\mathcal {B}\) guesses the L messages that the adversary \(\mathcal {A}\) intends to embed in the challenge phase. Suppose these L messages are guessed to be \(\{m_{1}, m_{2},\ldots , m_{L}\}\). Next, \(\mathcal {B}\) samples two point sets \(T_{0}\), \(T_{1}\) of a special form uniformly at random. More specifically, if we define \(T^{m_{1}}_{b}=\{x^{bl}_{ij}: x^{bl}_{ij} \xleftarrow {\$}\{0,1\}^{n}, \forall l\in [L], i \in [I], j \in [J] \}\), \(\bar{X}^{m_{l}}_{b}=\{x^{bl}_{ij}\xleftarrow {\$}\{0,1\}^{n}: i \in \{m_{l}+1,m_{l}+2,\ldots ,I-1, I\}, j \in [J] \}\), and \(X^{m_{l}}_{b}=\{x^{bl}_{ij}\in T^{m_{l-1}}_{b}: i \in \{m_{l}+1,m_{l}+2,\ldots ,I-1, I\}, j \in [J] \}\), then for \(l=2,3,\ldots , L\) and \(b\in \{0,1\}\), \(T^{m_{l}}_{b}=(T^{m_{l-1}}_{b}\setminus X^{m_{l}}_{b} )\cup \bar{X}^{m_{l}}_{b}\). Then, \(T_{0}=\{T^{m_{1}}_{0}, T^{m_{2}}_{0},\ldots , T^{m_{L}}_{0}\}\) and \(T_{1}=\{T^{m_{1}}_{1}, T^{m_{2}}_{1},\ldots , T^{m_{L}}_{1}\}\) are sent to the challenger \(\mathcal {C}\).

  2. \(\mathcal {C}\) samples a bit \(\beta \) uniformly at random. Then, \(\mathcal {C}\) runs the setup algorithm of the scheme \(\varPi _{PTP}\) and generates L constraint keys \(\{sk_{l}\}_{l\in [L]}\) punctured at \(T_{\beta }\). Finally, the public parameters pp and L circuits \(\{C_{l}=\textsf {PTP.PCstEval}(pp,sk_{l},\cdot )\}_{l\in [L]}\) are sent to \(\mathcal {B}\).

  3. \(\mathcal {B}\) invokes \(\mathcal {A}\). To simulate the unremovability experiment, \(\mathcal {B}\) performs the setup as in the watermarking scheme. At the end of the setup phase, \(\mathcal {B}\) sends pp to \(\mathcal {A}\).

  4. In the query phase, \(\mathcal {B}\) answers the queries as follows:

    • Marking oracle: There is one difference in how \(\mathcal {B}\) answers the marking oracle. Since \(\mathcal {B}\) does not have the testing key, \(\mathcal {B}\) cannot compute the counters as in the third step of \(\textsf {WM.Mark}_{l}(\cdot )\). Instead, \(\mathcal {B}\) computes the counters by \(ctr^{b,itr}_{i}=\sum ^{J}_{j=1}{} {\textbf {1}}_{\not =}(C^{l-1}(x^{b,itr}_{ij})\not =\textsf {PTP.Eval}(pp,k,x^{b,itr}_{ij}))\) for \(itr=l,l+1,\ldots , L\), where \({\textbf {1}}_{\not =}\) is the indicator function, i.e.,

      $$\begin{aligned} {\textbf {1}}_{\not =}(expression)= {\left\{ \begin{array}{ll} 1&{} expression\ is\ true\\ 0&{} expression\ is\ false. \end{array}\right. } \end{aligned}$$
    • Challenge oracle: On input a set of challenge messages \(\{m_{l}\}^{L}_{l=1}\), \(\mathcal {B}\) checks whether it has made a correct guess. If yes, then \(\mathcal {B}\) sends L circuits \(\{C_{l}\}_{l\in [L]}\) to \(\mathcal {A}\) directly. If no, then \(\mathcal {B}\) aborts the experiment and outputs a bit uniformly at random.

  5. \(\mathcal {A}\) outputs a circuit \(\tilde{C}^{\tilde{l}}\) and a level number \(\tilde{l}\) when it makes no more queries. Then, \(\mathcal {B}\) extracts the watermarked message from \(\tilde{C}^{\tilde{l}}\). If the extracted message is not \(m^{\tilde{l}}\), then \(\mathcal {B}\) outputs 1; otherwise, it outputs 0.

As shown in Lemma 7, \({\textbf {H}}_{7}\) and \({\textbf {H}}_{8}\) are indistinguishable, and \({\textbf {H}}_{8}\) fails to output \(m^{\tilde{l}}\) only with negligible probability. Thus, \({\textbf {H}}_{7}\) fails to output \(m^{\tilde{l}}\) only with negligible probability. For contradiction, assume that \({\textbf {H}}_{6}\) fails to output \(m^{\tilde{l}}\) with a noticeable probability \(\epsilon \). In the following, we discuss two cases: \(\beta =0\) and \(\beta =1\).

  • \(\beta =0\): \(\mathcal {B}\) simulates \({\textbf {H}}_{6}\) for \(\mathcal {A}\). Under our assumption, \(\mathcal {B}\) outputs 1 with probability \(\frac{1}{2}+\frac{1}{I^{L}}\epsilon \).

  • \(\beta =1\): \(\mathcal {B}\) simulates \({\textbf {H}}_{7}\) for \(\mathcal {A}\). By the argument above, \(\mathcal {B}\) outputs 1 with probability \(\frac{1}{2}\) plus a negligible quantity.

In our scheme, L is set to be a constant and I is a polynomial in \(\lambda \), so \(\frac{1}{I^{L}}\epsilon \) is noticeable. To conclude, \(\mathcal {B}\) breaks the selectively consistent privacy of \(\varPi _{PTP}\) with non-negligible probability, which is a contradiction.

Combining all these lemmas, unremovability is proven.

B.3 Proof of Unforgeability

Proof

To start with, define the following hybrids:

Hybrid H\(_{i}\) ( \(i=0, 1, 2, 3\)): It is almost identical to H\(_{i}\) defined in the proof of unremovability, except that there is no challenge oracle. Besides, in the extraction phase of Hybrid H\(_{3}\), the challenger computes \(\tilde{Y}^{b,l}=(\tilde{C}(h^{b,l}_{1}),\ldots ,\tilde{C}(h^{b,l}_{d}))\) for \(b\in \{0,1\}\) and aborts the experiment if, for some key k queried by the adversary at the query phase, \(\tilde{Y}^{b,l}=(\textsf {PTP.Eval}(pp,k,h^{b,l}_{1}),\ldots ,\textsf {PTP.Eval}(pp,k,h^{b,l}_{d}))\) for \(b=0,1\). Otherwise, it proceeds as H\(_{2}\).

Lemma 9

If \(\varPi _{PRF}\) is a secure PRF and \(\varPi _{PTP}\) is key-injective, then for all adversaries,

$$\begin{aligned} \begin{aligned} \vert \textrm{Pr}[{\textbf {H}}_{i}(\mathcal {A})\not =\perp ]- \textrm{Pr}[{\textbf {H}}_{i+1}(\mathcal {A})\not =\perp ]\vert&=\textrm{negl}(\lambda ), \text {for} \ i=0, 1. \end{aligned} \end{aligned}$$

Proof

The proof follows the same arguments as for Lemmas 1 and 2.

Lemma 10

If \(\varPi _{PTP}\) satisfies evaluation correctness, then for all \(\delta \)-unforging-admissible adversaries \(\mathcal {A}\) where \(\delta =\frac{1}{\textrm{poly}(\lambda )}\),

$$\begin{aligned} \vert \textrm{Pr}[{\textbf {H}}_{2}(\mathcal {A})\not =\perp ]- \textrm{Pr}[{\textbf {H}}_{3}(\mathcal {A})\not =\perp ]\vert =\textrm{negl}(\lambda ). \end{aligned}$$

Proof

If H\(_{3}\) does not abort the experiment, then Hybrids H\(_{2}\) and H\(_{3}\) are statistically indistinguishable. In the following, we prove that H\(_{3}\) aborts with negligible probability.

For \(l\in [L]\) and \(q_{l}\in [Q_{l}]\), let \(S^{l}_{q_{l}}\) be the set of points at which the circuit \(\tilde{C}\) output by the adversary and the circuit computing \(\textsf {PTP.Eval}(pp,k^{l}_{q_{l}},\cdot )\) disagree. Note that \(\textsf {PTP.Eval}(pp,k^{l}_{q_{l}},\cdot )\) agrees with \(C^{l}_{q_{l}}(\cdot )\) on all but a negligible fraction of the domain. Here, \(C^{l}_{q_{l}}\) is the marked circuit for the PRF key \(k^{l}_{q_{l}}\) at the l-th level for the \(q_{l}\)-th query. By \(\delta \)-unforging-admissibility, \(\frac{|S^{l}_{q_{l}}|}{2^{n}}\ge \delta \). Since the marking phase does not depend on \(\{h^{0,l}_{u}, h^{1,l}_{u}\}^{l\in [L]}_{u\in [d]}\), the sampling of \(\{h^{0,l}_{u}, h^{1,l}_{u}\}^{l\in [L]}_{u\in [d]}\) can be deferred until the extraction phase. Since each \(h^{b,l}_{u}\) is sampled uniformly and independently, for \(b\in \{0,1\}\), \(l\in [L]\), \(u\in [d]\) and \(q_{l}\in [Q_{l}]\), we have \(\textrm{Pr}[h^{b,l}_{u}\in S^{l}_{q_{l}} ]=\frac{|S^{l}_{q_{l}}|}{2^{n}}\ge \delta \). Then, for all \(l\in [L]\), \(q_{l}\in [Q_{l}]\) and \(b\in \{0,1\}\),

$$\begin{aligned} \textrm{Pr}[\forall u\in [d]: h^{b,l}_{u}\not \in S^{l}_{q_{l}}]=(1-\frac{|S^{l}_{q_{l}}|}{2^{n}})^{d}\le (1-\delta )^{\lambda /\delta }\le e^{-\lambda }, \end{aligned}$$
(1)

where \(d=\lambda /\delta \) and \(\delta =1/\textrm{poly}(\lambda )\). Since we set \(\sum ^{L}_{l=1}q_{l}=\textrm{poly}(\lambda )\), by a union bound over all queried keys, H\(_{3}\) aborts the experiment with negligible probability. Thus, Hybrids H\(_{2}\) and H\(_{3}\) are statistically indistinguishable.

Lemma 11

For all adversaries, \(\textrm{Pr}[{\textbf {H}}_{3}(\mathcal {A})\not =\perp ]=\textrm{negl}(\lambda )\).

Proof

Since H\(_{3}\) does not abort, \(X=\{x^{l}_{ij}\leftarrow \{0,1\}^{n}: \text {for all } l\in [L], i\in [I],j\in [J]\}\).

Since \(\frac{LIJ}{2^{n}}\) is negligible, \(\textrm{Pr}[\textsf {PTP.Test}(pp,tk^{\tilde{l}},\tilde{C}(x^{\tilde{l}}_{ij}))=1]=\frac{LIJ}{2^{n}}=\textrm{negl}(\lambda )\). By a union bound, \(\textrm{Pr}[ctr^{\tilde{l}}_{i}=\sum \limits _{j\in [J]}\textsf {PTP.Test}(pp,tk^{\tilde{l}},\tilde{C}(x^{\tilde{l}}_{ij}))=0]=(1-\frac{LIJ}{2^{n}})^{J}\sim 1-\textrm{negl}(\lambda )\) for all \(i\in [I]\). Thus, with high probability, 0 is extracted from \(\tilde{C}\), which makes the experiment output \(\perp \).

Combining all these lemmas, the watermarking scheme satisfies unforgeability.

Copyright information

© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG

Cite this paper

Zhao, Y., Wang, Y., Yiu, S.M., Liu, Y., Wang, M. (2023). A Hierarchical Watermarking Scheme for PRFs from Standard Lattice Assumptions. In: Lenzini, G., Meng, W. (eds) Security and Trust Management. STM 2022. Lecture Notes in Computer Science, vol 13867. Springer, Cham. https://doi.org/10.1007/978-3-031-29504-1_2

  • DOI: https://doi.org/10.1007/978-3-031-29504-1_2

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-29503-4

  • Online ISBN: 978-3-031-29504-1
