
Watermarking Cryptographic Functionalities from Standard Lattice Assumptions

Published in: Journal of Cryptology

Abstract

A software watermarking scheme allows one to embed a “mark” into a program without significantly altering the behavior of the program. Moreover, it should be difficult to remove the watermark without destroying the functionality of the program. Recently, Cohen et al. (STOC 2016) and Boneh et al. (PKC 2017) showed how to watermark cryptographic functions such as pseudorandom functions (PRFs) using indistinguishability obfuscation. Notably, in their constructions, the watermark remains intact even against arbitrary removal strategies. A natural question is whether we can build watermarking schemes from standard assumptions that achieve this strong mark-unremovability property. We give the first construction of a watermarkable family of PRFs that satisfies this strong mark-unremovability property from standard lattice assumptions (namely, the learning with errors (LWE) and the one-dimensional short integer solution (SIS) problems). As part of our construction, we introduce a new cryptographic primitive called a translucent PRF. We then give a concrete construction of a translucent PRF family from standard lattice assumptions, which in turn yields a watermarkable family of PRFs from the same assumptions.


Notes

  1. For notational convenience, we modify the syntax of the constrain algorithm to take in a set \(\mathsf {T} \) of \(t\) punctured points rather than a set of allowed points.

References

  1. S. Agrawal, D. Boneh, X. Boyen, Efficient lattice (H)IBE in the standard model, in EUROCRYPT (2010)

  2. S. Agrawal, S. Bhattacherjee, D.H. Phan, D. Stehlé, S. Yamada, Efficient public trace and revoke from standard assumptions: extended abstract, in ACM CCS (2017)

  3. B. Applebaum, D. Cash, C. Peikert, A. Sahai, Fast cryptographic primitives and circular-secure encryption based on hard learning problems, in CRYPTO (2009)

  4. M. Abdalla, A.W. Dent, J. Malone-Lee, G. Neven, D.H. Phan, N.P. Smart, Identity-based traitor tracing, in PKC (2007)

  5. S. Agrawal, D.M. Freeman, V. Vaikuntanathan, Functional encryption for inner product predicates from learning with errors, in ASIACRYPT (2011)

  6. M. Ajtai, Generating hard instances of lattice problems (extended abstract), in STOC (1996)

  7. M. Ajtai, Generating hard instances of the short basis problem, in ICALP (1999)

  8. J. Alwen, C. Peikert, Generating shorter bases for hard random lattices, in STACS (2009)

  9. J. Alperin-Sheriff, C. Peikert, Faster bootstrapping with polynomial error, in CRYPTO (2014)

  10. D. Boneh, X. Boyen, Efficient selective-id secure identity-based encryption without random oracles, in EUROCRYPT (2004)

  11. Z. Brakerski, D. Cash, R. Tsabary, H. Wee, Targeted homomorphic attribute-based encryption, in TCC (2016)

  12. D. Boneh, M.K. Franklin, An efficient public key traitor tracing scheme, in CRYPTO (1999)

  13. D. Boneh, D.M. Freeman, Homomorphic signatures for polynomial functions, in EUROCRYPT (2011)

  14. A. Banerjee, G. Fuchsbauer, C. Peikert, K. Pietrzak, S. Stevens, Key-homomorphic constrained pseudorandom functions, in TCC (2015)

  15. D. Boneh, C. Gentry, S. Gorbunov, S. Halevi, V. Nikolaenko, G. Segev, V. Vaikuntanathan, D. Vinayagamurthy, Fully key-homomorphic encryption, arithmetic circuit ABE and compact garbled circuits, in EUROCRYPT (2014)

  16. B. Barak, O. Goldreich, R. Impagliazzo, S. Rudich, A. Sahai, S.P. Vadhan, K. Yang, On the (im)possibility of obfuscating programs, in CRYPTO (2001)

  17. B. Barak, O. Goldreich, R. Impagliazzo, S. Rudich, A. Sahai, S.P. Vadhan, K. Yang, On the (im)possibility of obfuscating programs. J. ACM 59(2), 1–48 (2012)


  18. E. Boyle, S. Goldwasser, I. Ivan, Functional signatures and pseudorandom functions, in PKC (2014)

  19. Z. Brakerski, C. Gentry, V. Vaikuntanathan, (Leveled) fully homomorphic encryption without bootstrapping, in ITCS (2012)

  20. D. Boneh, S. Kim, H. Montgomery, Private puncturable PRFs from standard lattice assumptions, in EUROCRYPT (2017)

  21. F. Baldimtsi, A. Kiayias, K. Samari, Watermarking public-key cryptographic functionalities and implementations, in ISC (2017)

  22. D. Boneh, K. Lewi, H.W. Montgomery, A. Raghunathan, Key homomorphic PRFs and their applications, in CRYPTO (2013)

  23. Z. Brakerski, A. Langlois, C. Peikert, O. Regev, D. Stehlé, Classical hardness of learning with errors, in STOC (2013)

  24. D. Boneh, K. Lewi, D.J. Wu, Constraining pseudorandom functions privately, in PKC (2017)

  25. O. Billet, D.H. Phan, Efficient traitor tracing from collusion secure codes, in ICITS (2008)

  26. A. Banerjee, C. Peikert, New and improved key-homomorphic pseudorandom functions, in CRYPTO (2014)

  27. A. Banerjee, C. Peikert, A. Rosen, Pseudorandom functions and lattices, in EUROCRYPT (2012)

  28. Z. Brakerski, Fully homomorphic encryption without modulus switching from classical GapSVP, in CRYPTO (2012)

  29. D. Boneh, A. Sahai, B. Waters, Fully collusion resistant traitor tracing with short ciphertexts and private keys, in EUROCRYPT (2006)

  30. Z. Brakerski, R. Tsabary, V. Vaikuntanathan, H. Wee, Private constrained PRFs (and more) from LWE, in TCC (2017)

  31. Z. Brakerski, V. Vaikuntanathan, Efficient fully homomorphic encryption from (standard) LWE, in FOCS (2011)

  32. Z. Brakerski, V. Vaikuntanathan, Lattice-based FHE as secure as PKE, in ITCS (2014)

  33. Z. Brakerski, V. Vaikuntanathan, Constrained key-homomorphic PRFs from standard lattice assumptions—or: how to secretly embed a circuit in your PRF, in TCC (2015)

  34. Z. Brakerski, V. Vaikuntanathan, Circuit-ABE from LWE: unbounded attributes and semi-adaptive security, in CRYPTO (2016)

  35. D. Boneh, B. Waters, Conjunctive, subset, and range queries on encrypted data, in TCC (2007)

  36. D. Boneh, B. Waters, Constrained pseudorandom functions and their applications, in ASIACRYPT (2013)

  37. R. Canetti, Y. Chen, Constraint-hiding constrained PRFs for NC\({}^{\text{1}}\) from LWE, in EUROCRYPT (2017)

  38. R. Canetti, C. Dwork, M. Naor, R. Ostrovsky, Deniable encryption, in CRYPTO (1997)

  39. B. Chor, A. Fiat, M. Naor, Tracing traitors, in CRYPTO (1994)

  40. B. Chor, A. Fiat, M. Naor, B. Pinkas, Tracing traitors. IEEE Trans. Inf. Theory 46(3), 893–910 (2000)


  41. A. Cohen, J. Holmgren, R. Nishimaki, V. Vaikuntanathan, D. Wichs, Watermarking cryptographic capabilities, in STOC (2016)

  42. A. Cohen, J. Holmgren, V. Vaikuntanathan, Publicly verifiable software watermarking. IACR Cryptol. ePrint Arch. 2015, 1–38 (2015)

  43. M. Clear, C. McGoldrick, Multi-identity and multi-key leveled FHE from learning with errors, in CRYPTO (2015)

  44. I. Cox, M. Miller, J. Bloom, J. Fridrich, T. Kalker, Digital Watermarking and Steganography (Morgan Kaufmann, 2007)

  45. H. Chabanne, D.H. Phan, D. Pointcheval, Public traceability in traitor tracing schemes, in EUROCRYPT (2005)

  46. Y. Chen, V. Vaikuntanathan, B. Waters, H. Wee, D. Wichs, Traitor-tracing from LWE made simple and attribute-based, in TCC (2018)

  47. Y. Chen, V. Vaikuntanathan, H. Wee, GGH15 beyond permutation branching programs: proofs, attacks, and candidates, in CRYPTO (2018)

  48. N. Fazio, A. Nicolosi, D.H. Phan, Traitor tracing with optimal transmission rate, in ISC (2007)

  49. C. Gentry, Fully homomorphic encryption using ideal lattices, in STOC (2009)

  50. S. Garg, C. Gentry, S. Halevi, M. Raykova, A. Sahai, B. Waters, Candidate indistinguishability obfuscation and functional encryption for all circuits, in FOCS (2013)

  51. C. Gentry, S. Gorbunov, S. Halevi, Graph-induced multilinear maps from lattices, in TCC (2015)

  52. O. Goldreich, S. Goldwasser, S. Micali, How to construct random functions, in FOCS (1984)

  53. R. Goyal, S. Kim, N. Manohar, B. Waters, D.J. Wu, Watermarking public-key cryptographic primitives, in CRYPTO (2019)

  54. R. Goyal, V. Koppula, A. Russell, B. Waters, Risky traitor tracing and new differential privacy negative results, in CRYPTO (2018)

  55. R. Goyal, V. Koppula, B. Waters, Collusion resistant traitor tracing from learning with errors, in STOC (2018)

  56. R. Goyal, V. Koppula, B. Waters, New approaches to traitor tracing with embedded identities, in TCC (2019)

  57. R. Goyal, S. Kim, B. Waters, D.J. Wu, Beyond software watermarking: traitor-tracing for pseudorandom functions. IACR Cryptol. ePrint Arch. 2020, 316 (2020)


  58. R. Gay, P. Méaux, H. Wee, Predicate encryption for multi-dimensional range queries from lattices, in PKC (2015)

  59. C. Gentry, C. Peikert, V. Vaikuntanathan, Trapdoors for hard lattices and new cryptographic constructions, in STOC (2008)

  60. R. Goyal, W. Quach, B. Waters, D. Wichs, Broadcast and trace with \(n^\epsilon \) ciphertext size from standard assumptions, in CRYPTO (2019)

  61. C. Gentry, A. Sahai, B. Waters, Homomorphic encryption from learning with errors: conceptually-simpler, asymptotically-faster, attribute-based, in CRYPTO (2013)

  62. S. Gorbunov, D. Vinayagamurthy, Riding on asymmetry: efficient ABE for branching programs, in ASIACRYPT (2015)

  63. S. Gorbunov, V. Vaikuntanathan, H. Wee, Attribute-based encryption for circuits, in STOC (2013)

  64. S. Gorbunov, V. Vaikuntanathan, H. Wee, Predicate encryption for circuits from LWE, in CRYPTO (2015)

  65. N. Hopper, D. Molnar, D. Wagner, From weak to strong watermarking, in TCC (2007)

  66. K. Kurosawa, Y. Desmedt, Optimum traitor tracing and asymmetric schemes, in EUROCRYPT (1998)

  67. A. Kiayias, S. Papadopoulos, N. Triandopoulos, T. Zacharias, Delegatable pseudorandom functions and applications, in CCS (2013)

  68. J. Katz, A. Sahai, B. Waters, Predicate encryption supporting disjunctions, polynomial equations, and inner products, in EUROCRYPT (2008)

  69. A. Kiayias, Q. Tang, How to keep a secret: leakage deterring public-key cryptosystems, in ACM CCS (2013)

  70. A. Kiayias, Q. Tang, Traitor deterring schemes: using Bitcoin as collateral for digital content, in ACM CCS (2015)

  71. S. Kim, D.J. Wu, Watermarking cryptographic functionalities from standard lattice assumptions, in CRYPTO (2017)

  72. S. Kim, D.J. Wu, Collusion resistant trace-and-revoke for arbitrary identities from standard assumptions. IACR Cryptol. ePrint Arch. 2019, 1–49 (2019)

  73. S. Kim, D.J. Wu, Watermarking PRFs from lattices: stronger security via extractable PRFs, in CRYPTO (2019)

  74. A. Kiayias, M. Yung, Traitor tracing with constant transmission rate, in EUROCRYPT (2002)

  75. K. Kurosawa, T. Yoshida, Linear code implies public-key traitor tracing, in PKC (2002)

  76. S. Ling, D.H. Phan, D. Stehlé, R. Steinfeld, Hardness of k-LWE and applications in traitor tracing, in CRYPTO (2014)

  77. V. Lyubashevsky, D. Wichs, Simple lattice trapdoor sampling from a broad class of distributions, in PKC (2015)

  78. D. Micciancio, Almost perfect lattices, the covering radius problem, and applications to Ajtai’s connection factor. SIAM J. Comput. 34(1), 118–169 (2004)


  79. D. Micciancio, P. Mol, Pseudorandom knapsacks and the sample complexity of LWE search-to-decision reductions, in CRYPTO (2011)

  80. D. Micciancio, C. Peikert, Trapdoors for lattices: Simpler, tighter, faster, smaller, in EUROCRYPT (2012)

  81. D. Micciancio, C. Peikert, Hardness of SIS and LWE with small parameters, in CRYPTO (2013)

  82. D. Micciancio, O. Regev, Worst-case to average-case reductions based on Gaussian measures. SIAM J. Comput. 37(1), 267–302 (2007)


  83. P. Mukherjee, D. Wichs, Two round multiparty computation via multi-key FHE, in EUROCRYPT (2016)

  84. R. Nishimaki, How to watermark cryptographic functions, in EUROCRYPT (2013)

  85. D. Naccache, A. Shamir, J.P. Stern, How to copyright a function?, in PKC (1999)

  86. R. Nishimaki, D. Wichs, Watermarking cryptographic programs against arbitrary removal strategies. IACR Cryptol. ePrint Arch. 2015, 344 (2015)


  87. R. Nishimaki, D. Wichs, M. Zhandry, Anonymous traitor tracing: How to embed arbitrary information in a key, in EUROCRYPT (2016)

  88. C. Peikert, Public-key cryptosystems from the worst-case shortest vector problem, in STOC (2009)

  89. C. Peikert, S. Shiehian, Multi-key FHE from LWE, revisited, in TCC (2016)

  90. C. Peikert, S. Shiehian, Privately constraining and programming PRFs, the LWE way, in PKC (2018)

  91. D.H. Phan, R. Safavi-Naini, D. Tonien, Generic construction of hybrid public key traitor tracing with full-public-traceability, in ICALP (2006)

  92. W. Quach, D. Wichs, G. Zirdelis, Watermarking PRFs under standard assumptions: public marking and security with extraction queries, in TCC (2018)

  93. O. Regev, On lattices, learning with errors, random linear codes, and cryptography, in STOC (2005)

  94. J. Staddon, D.R. Stinson, R. Wei, Combinatorial properties of frameproof and traceability codes. IEEE Trans. Inf. Theory 47(3), 1042–1049 (2001)


  95. D.R. Stinson, R. Wei, Combinatorial properties and constructions of traceability schemes and frameproof codes. SIAM J. Discrete Math. 11(1), 41–53 (1998)


  96. A. Sahai, B. Waters, Fuzzy identity-based encryption, in EUROCRYPT (2005)

  97. R. Yang, M.H. Au, J. Lai, Q. Xu, Z. Yu, Collusion resistant watermarking schemes for cryptographic functionalities, in ASIACRYPT (2019)

  98. M. Yoshida, T. Fujiwara, Toward digital watermarking for cryptographic data. IEICE Trans. 94-A(1), 270–272 (2011)



Acknowledgements

We thank Vinod Vaikuntanathan and Daniel Wichs for pointing out the connection between private programmable PRFs and private puncturable PRFs. We thank Yilei Chen for many helpful discussions about watermarking. We thank the anonymous CRYPTO and Journal of Cryptology reviewers for helpful comments on the presentation. S. Kim is supported by NSF, DARPA, a grant from ONR, and the Simons Foundation. D. J. Wu is supported by NSF CNS-1917414 and a University of Virginia SEAS Research Innovation Award. Opinions, findings and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of DARPA.


Corresponding author

Correspondence to David J. Wu.

Additional information

Communicated by Eike Kiltz.

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

An extended abstract of this paper [71] was published in the proceedings of CRYPTO 2017. This is the full version.

D. J. Wu: Part of this work was done at Stanford University.

Appendices

Translucent PRF Correctness and Security Analysis

In this section, we give the formal correctness and security analysis of the private translucent \(t\)-puncturable PRF construction from Sect. 5.1. Our analysis leverages a number of similar components. To streamline the presentation in Appendices A.2 and A.3, we first introduce a set of auxiliary algorithms that we will use throughout the analysis in Appendix A.1. We then give the correctness proof in Appendix A.2 and the security proofs in Appendix A.3.

1.1 Correctness and Security Analysis: Auxiliary Algorithms

In this section, we introduce the auxiliary algorithms that will be used in the correctness and security proofs in the subsequent sections.

  • \(\mathsf {Setup} ^*(1^\lambda , \mathsf {T} ) \rightarrow (\mathsf {pp} ^*, \mathsf {msk} ^*)\): The auxiliary setup algorithm is a modification of the real setup algorithm \(\mathsf {TPRF} .\mathsf {Setup} \). Instead of generating the public matrices uniformly at random as in \(\mathsf {TPRF} .\mathsf {Setup} \), the \(\mathsf {Setup} ^*\) algorithm takes in a set of punctured points as input and generates public matrices that are “pre-punctured” at these points. Generating the public matrices this way provides a way for a reduction algorithm to directly embed LWE instances into the public matrices and the punctured key. To generate these matrices in this specific way, some of the computation in the real \(\mathsf {TPRF} .\mathsf {Constrain} \) algorithm is moved into \(\mathsf {Setup} ^*\). Formally, on input the security parameter \(\lambda \) and the set \(\mathsf {T} = \{ x_i^* \}_{i\in [t]}\) of punctured points, the auxiliary setup algorithm first samples matrices \(\hat{\mathbf {A}}\), \(\{ \mathbf {A}'_b \}_{b \in \{0,1\}}\), \(\{ \mathbf {B}'_{i,j} \}_{i\in [t], j\in [z]}\), and \(\{ \mathbf {C}'_k \}_{k\in [\tau ]}\) uniformly at random from \(\mathbb {Z}_q^{n \times m}\) and samples vectors \(\{ \mathbf {w}_i \}_{i\in [t]}\) uniformly at random from \(\mathbb {Z}_q^n\). Then, it generates an FHE secret key \(\mathsf {HE.sk} \leftarrow \mathsf {HE.KeyGen} (1^\lambda , 1^{d_\mathsf {eq} }, 1^{\rho + N})\), and for all \(i \in [t]\), it constructs ciphertexts \(\mathsf {ct} _i \leftarrow \mathsf {HE.Enc} (\mathsf {HE.sk} ,(x^*_i, \mathbf {w}_i))\). It sets \(\mathsf {ct} = \{ \mathsf {ct} _i \}_{i \in [t]}\). Then, it defines

    $$\begin{aligned} \mathbf {A}_b &= \mathbf {A}'_b - b \cdot \mathbf {G} &&\qquad \forall b \in \{0,1\}\\ \mathbf {B}_{i, j} &= \mathbf {B}'_{i, j} - \mathsf {ct} _{i,j} \cdot \mathbf {G} &&\qquad \forall i\in [t], j\in [z] \\ \mathbf {C}_k &= \mathbf {C}'_k- \mathsf {HE.sk} _k\cdot \mathbf {G} &&\qquad \forall k\in [\tau ]. \end{aligned}$$

    Next, for each \(i,i^* \in [t]\) and \(\ell \in [N]\), the auxiliary setup algorithm computes

    $$\begin{aligned} \widetilde{\mathbf {B}}_{i,{i^*},\ell } \leftarrow \mathsf {Eval} _{\mathsf {pk} }(C_\ell , \mathbf {B}'_{i,1}, \ldots , \mathbf {B}'_{i,z}, \mathbf {A}'_{x_{{i^*},1}^*}, \ldots , \mathbf {A}'_{x_{{i^*},\rho }^*}, \mathbf {C}'_1, \ldots , \mathbf {C}'_\tau ) \end{aligned}$$

    and sets the trapdoor matrices as

    $$\begin{aligned} \mathbf {W}_{i^*}= \hat{\mathbf {A}}+ \sum _{\begin{array}{c} i\in [t] \\ \ell \in [N] \end{array}} \widetilde{\mathbf {B}}_{i,{i^*},\ell } \cdot \mathbf {G}^{-1}(\mathbf {D}_\ell ) + \sum _{\ell \in [N]} w_{{i^*},\ell } \cdot \mathbf {D}_\ell . \end{aligned}$$

    Finally, it samples a secret key \(\mathbf {s}\) from the error distribution \(\mathbf {s}\leftarrow \chi ^n\) and returns

    $$\begin{aligned} \mathsf {pp} ^*= \left( \hat{\mathbf {A}}, \{ \mathbf {A}_b \}_{b \in \{0,1\}}, \{ \mathbf {B}_{i, j} \}_{i\in [t], j\in [z]}, \{ \mathbf {C}_k \}_{k\in [\tau ]}, \{ \mathbf {W}_i \}_{i\in [t]} \right) \\ \mathsf {msk} ^*= (\mathbf {s}, \mathsf {HE.sk} , \mathsf {ct} , \mathsf {T} , \{ \mathbf {w}_i \}_{i\in [t]}) . \end{aligned}$$
  • \(\mathsf {Constrain} ^*_1(\mathsf {pp} ^*, \mathsf {msk} ^*) \rightarrow \mathsf {sk} _\mathsf {T} ^*\): This auxiliary constrain algorithm is a modification of the real constrain algorithm \(\mathsf {TPRF} .\mathsf {Constrain} \). The algorithm is identical to \(\mathsf {TPRF} .\mathsf {Constrain} \) except for the components that have moved to the auxiliary setup algorithm \(\mathsf {Setup} ^*\). Formally, on input the auxiliary public parameters \(\mathsf {pp} ^*\) and an auxiliary PRF key \(\mathsf {msk} ^*= (\mathbf {s}, \mathsf {HE.sk} , \mathsf {ct} , \mathsf {T} , \{ \mathbf {w}_i \}_{i\in [t]})\), the auxiliary constraining algorithm samples error vectors \(\mathbf {e}_0 \leftarrow \chi ^m\), \(\mathbf {e}_{1,b} \leftarrow \chi ^m\) for \(b \in \{0,1\}\), \(\mathbf {e}_{2,i, j} \leftarrow \chi ^m\) for \(i\in [t]\) and \(j\in [z]\), and \(\mathbf {e}_{3,k} \leftarrow \chi ^m\) for \(k\in [\tau ]\) and computes the vectors

    $$\begin{aligned} \hat{\mathbf {a}}^T &= \mathbf {s}^T \hat{\mathbf {A}}+ \mathbf {e}_0^T \\ \mathbf {a}_b^T &= \mathbf {s}^T (\mathbf {A}_b + b \cdot \mathbf {G}) + \mathbf {e}_{1,b}^T &&\qquad \forall b \in \{0,1\}\\ \mathbf {b}_{i, j}^T &= \mathbf {s}^T (\mathbf {B}_j+ \mathsf {ct} _{i,j} \cdot \mathbf {G}) + \mathbf {e}_{2,i, j}^T &&\qquad \forall i\in [t], \forall j\in [z] \\ \mathbf {c}_k^T &= \mathbf {s}^T (\mathbf {C}_k+ \mathsf {HE.sk} _k\cdot \mathbf {G}) + \mathbf {e}_{3,k}^T &&\qquad \forall k\in [\tau ]. \end{aligned}$$

    It sets \(\mathsf {enc} = \left( \hat{\mathbf {a}}, \{ \mathbf {a}_b \}_{b \in \{0,1\}}, \{ \mathbf {b}_{i, j} \}_{i\in [t], j\in [z]}, \{ \mathbf {c}_k \}_{k\in [\tau ]} \right) \) and outputs \(\mathsf {sk} _\mathsf {T} ^*= (\mathsf {enc} , \mathsf {ct} )\).

  • \(\mathsf {Constrain} ^*_2(\mathsf {pp} ^*, \mathsf {msk} ^*) \rightarrow \mathsf {sk} _\mathsf {T} ^*\): This auxiliary constrain algorithm is a modification of the real constrain algorithm \(\mathsf {TPRF} .\mathsf {Constrain} \). The algorithm generates the components that correspond to the matrix embeddings in the constrained key by sampling them uniformly at random. Formally, on input the auxiliary public parameters \(\mathsf {pp} ^*\) and an auxiliary PRF key \(\mathsf {msk} ^*= (\mathbf {s}, \mathsf {HE.sk} , \mathsf {ct} , \mathsf {T} , \{ \mathbf {w}_i \}_{i\in [t]})\), the auxiliary constraining algorithm instantiates the encoding \(\mathsf {enc} = \big ( \hat{\mathbf {a}}, \{ \mathbf {a}_b \}_{b \in \{0,1\}}, \{ \mathbf {b}_{i, j} \}_{i\in [t], j\in [z]}, \{ \mathbf {c}_k \}_{k\in [\tau ]} \big )\) with uniformly random vectors in \(\mathbb {Z}_q^m\) and outputs \(\mathsf {sk} _\mathsf {T} ^*= (\mathsf {enc} , \mathsf {ct} )\).

  • \(\mathsf {Eval} _1^*(\mathsf {pp} ^*, \mathsf {msk} ^*, \mathsf {sk} _\mathsf {T} ^*, x) \rightarrow \tilde{\mathbf {y}}\): This auxiliary evaluation algorithm is a modification of the real evaluation algorithm \(\mathsf {TPRF} .\mathsf {Eval} \). Instead of using the master secret key \(\mathsf {msk} \) to evaluate the PRF, the evaluation algorithm uses the punctured key (along with additional auxiliary information) to evaluate the PRF. Formally, on input the auxiliary public parameters \(\mathsf {pp} ^*\), an auxiliary PRF key \(\mathsf {msk} ^*= (\mathbf {s}, \mathsf {HE.sk} , \mathsf {ct} , \mathsf {T} , \{ \mathbf {w}_i \}_{i\in [t]})\), the auxiliary constrained key \(\mathsf {sk} _\mathsf {T} ^*= (\mathsf {enc} , \mathsf {ct} )\) for some set \(\mathsf {T} = \{ x_i^* \}_{i\in [t]}\), and an evaluation point \(x\in \{0,1\}^\rho \), the auxiliary evaluation algorithm first parses \(\mathsf {enc} = \left( \hat{\mathbf {a}}, \{ \mathbf {a}_b \}_{b \in \{0,1\}}, \{ \mathbf {b}_{i, j} \}_{i\in [t], j\in [z]}, \{ \mathbf {c}_k \}_{k\in [\tau ]} \right) \) and computes the vectors

    $$\begin{aligned} \widetilde{\mathbf {b}}_{i, \ell } \leftarrow \mathsf {Eval} _{\mathsf {ct} }((\mathsf {ct} _i, x), C_{\ell }, \mathbf {b}_{i,1}, \ldots , \mathbf {b}_{i,z}, \mathbf {a}_{x_1}, \ldots , \mathbf {a}_{x_\rho }, \mathbf {c}_1, \ldots , \mathbf {c}_\tau ) \end{aligned}$$

    for \(i\in [t]\) and \(\ell \in [N]\). It then checks if \(x= x^*_{{i^*}}\) for some \({i^*}\in [t]\). If this is not the case, then it returns the value

    $$\begin{aligned} \tilde{\mathbf {y}}= \left\lfloor \hat{\mathbf {a}}+ \sum _{\begin{array}{c} i\in [t] \\ \ell \in [N] \end{array}} \widetilde{\mathbf {b}}_{i,\ell }^T \cdot \mathbf {G}^{-1}(\mathbf {D}_\ell ) \right\rceil _p. \end{aligned}$$

    Otherwise, if there exists an \({i^*}\in [t]\) such that \(x = x^*_{{i^*}}\), it samples an error vector \(\mathbf {e}\leftarrow \chi ^m\) and returns

    $$\begin{aligned} \tilde{\mathbf {y}}= \left\lfloor \hat{\mathbf {a}}+ \sum _{\begin{array}{c} i\in [t] \\ \ell \in [N] \end{array}} \widetilde{\mathbf {b}}_{i,\ell }^T \cdot \mathbf {G}^{-1}(\mathbf {D}_\ell ) - \mathbf {s}^T \sum _{\ell \in [N]} w_{{i^*},\ell } \mathbf {D}_\ell - \mathbf {e}^T \right\rceil _p . \end{aligned}$$
  • \(\mathsf {Eval} _2^*(\mathsf {pp} ^*, \mathsf {msk} ^*, \mathsf {sk} _\mathsf {T} ^*, x) \rightarrow \tilde{\mathbf {y}}\): This auxiliary evaluation algorithm is a modification of the real evaluation algorithm \(\mathsf {TPRF} .\mathsf {Eval} \). Instead of actually evaluating the PRF, the auxiliary evaluation algorithm implements a completely random function on punctured values (and returns \(\bot \) on non-punctured values). Formally, on input the public parameters \(\mathsf {pp} ^*\), the auxiliary PRF key \(\mathsf {msk} ^*= (\mathbf {s}, \mathsf {HE.sk} , \mathsf {ct} , \mathsf {T} , \{ \mathbf {w}_i \}_{i\in [t]})\), the auxiliary constrained key \(\mathsf {sk} _\mathsf {T} ^*\) for some set \(\mathsf {T} = \{ x_i^* \}_{i\in [t]}\), and an evaluation point \(x\in \{0,1\}^\rho \), the auxiliary evaluation algorithm first checks if \(x= x^*_{i^*}\) for some \(i^* \in [t]\). If not, it returns \(\bot \). Otherwise, it samples a uniformly random vector \(\mathbf {d}\overset{\textsc {r}}{\leftarrow }\mathbb {Z}_q^m\) and returns \(\tilde{\mathbf {y}}= \lfloor \mathbf {d} \rceil _p\).

1.2 Correctness Analysis

In this section, we give the formal proof of Theorem 5.1, which states that the translucent \(t\)-puncturable PRF in Sect. 5.1 satisfies both (selective) evaluation correctness and (selective) verification correctness (Definition 4.4). We show the two properties separately in Appendices A.2.1 and A.2.2.

1.2.1 Proof of Selective Evaluation Correctness

In the selective evaluation correctness game, the adversary \(\mathcal {A}\) begins by committing to a set \(\mathsf {T} = \{ x_i^* \}_{i\in [t]}\) of \(t\) distinct points in the domain of \(\Pi _{\mathsf {TPRF} }\). Next, let \((\mathsf {pp} , \mathsf {tk} ) \leftarrow \mathsf {TPRF} .\mathsf {Setup} (1^\lambda )\), \(\mathsf {msk} \leftarrow \mathsf {TPRF} .\mathsf {SampleKey} (\mathsf {pp} )\), and \(\mathsf {sk} _\mathsf {T} \leftarrow \mathsf {TPRF} .\mathsf {Constrain} (\mathsf {msk} , \mathsf {T} )\). Adversary \(\mathcal {A}\) is then given the public parameters \(\mathsf {pp} \) and the constrained key \(\mathsf {sk} _\mathsf {T} \), and outputs an element in the domain \(x\in \{0,1\}^\rho \). Without loss of generality, we can assume that \(x\notin \mathsf {T} \), or equivalently \(x\ne x_i^*\) for all \(i\in [t]\), since otherwise, the adversary’s advantage is 0. We now bound the probability that the value \(\mathbf {y}_x= \mathsf {TPRF} .\mathsf {ConstrainEval} (\mathsf {pp} , \mathsf {sk} _\mathsf {T} , x)\) obtained using the constrained evaluation algorithm at \(x\) differs from the real PRF value \(\mathbf {y}_x' = \mathsf {TPRF} .\mathsf {Eval} (\mathsf {pp} , \mathsf {msk} , x)\) at \(x\). To argue this, we first recall that the key punctured at \(\mathsf {T} = \{ x_i^* \}_{i\in [t]}\) contains the following encodings:

$$\begin{aligned} \hat{\mathbf {a}}^T &= \mathbf {s}^T \hat{\mathbf {A}}+ \mathbf {e}_0^T \\ \mathbf {a}_b^T &= \mathbf {s}^T (\mathbf {A}_b + b \cdot \mathbf {G}) + \mathbf {e}_{1,b}^T &&\qquad \forall b \in \{0,1\}\\ \mathbf {b}_{i, j}^T &= \mathbf {s}^T (\mathbf {B}_j+ \mathsf {ct} _{i,j} \cdot \mathbf {G}) + \mathbf {e}_{2,i, j}^T &&\qquad \forall i\in [t], \forall j\in [z] \\ \mathbf {c}_k^T &= \mathbf {s}^T (\mathbf {C}_k+ \mathsf {HE.sk} _k\cdot \mathbf {G}) + \mathbf {e}_{3,k}^T &&\qquad \forall k\in [\tau ]. \end{aligned}$$

as well as FHE ciphertexts \(\{ \mathsf {ct} _i \}_{i\in [t]}\) where \(\mathsf {ct} _i\) is an FHE encryption of \((x_i^*, \mathbf {w}_i)\). The constrained evaluation algorithm then computes the vectors \(\widetilde{\mathbf {b}}_{i,\ell }\)

$$\begin{aligned} \widetilde{\mathbf {b}}_{i,\ell } \leftarrow \mathsf {Eval} _{\mathsf {ct} }((\mathsf {ct} _i, x), C_{\ell }, \mathbf {b}_{i,1}, \ldots , \mathbf {b}_{i,z}, \mathbf {a}_{x_1}, \ldots , \mathbf {a}_{x_\rho }, \mathbf {c}_1, \ldots , \mathbf {c}_z) \end{aligned}$$

for \(i\in [t]\) and \(\ell \in [N]\) and returns

$$\begin{aligned} \mathbf {y}_x= \left\lfloor \hat{\mathbf {a}}^T + \sum _{\begin{array}{c} i\in [t] \\ \ell \in [N] \end{array}} \widetilde{\mathbf {b}}_{i,\ell }^T \cdot \mathbf {G}^{-1}(\mathbf {D}_\ell ) \right\rceil _p . \end{aligned}$$
(A.1)

Next, by Theorem 3.10, we have that for all \(i\in [t]\) and \(\ell \in [N]\),

$$\begin{aligned} \widetilde{\mathbf {b}}_{i,\ell }^T&= \mathbf {s}^T (\widetilde{\mathbf {B}}_{i,\ell } + \left\langle \mathsf {HE.Eval} (\mathsf {eq} _\ell (x, \cdot ), \mathsf {ct} _i), \mathsf {HE.sk} \right\rangle \cdot \mathbf {G}) + \mathbf {e}_{i, \ell }^T \\&= \mathbf {s}^T (\widetilde{\mathbf {B}}_{i,\ell } + (\mathsf {eq} _\ell (x, (x_i^*, \mathbf {w}_i)) + \epsilon _{i, \ell }) \cdot \mathbf {G}) + \mathbf {e}_{i, \ell }^T \\&= \mathbf {s}^T (\widetilde{\mathbf {B}}_{i, \ell } + \epsilon _{i, \ell } \cdot \mathbf {G}) + \mathbf {e}_{i,\ell }^T, \end{aligned}$$

where

$$\begin{aligned} \widetilde{\mathbf {B}}_{i, \ell } = \mathsf {Eval} _{\mathsf {pk} }\left( C_\ell , \mathbf {B}_{i,1}, \ldots , \mathbf {B}_{i,z}, \mathbf {A}_{x_1}, \ldots , \mathbf {A}_{x_\rho }, \mathbf {C}_1, \ldots , \mathbf {C}_\tau \right) , \end{aligned}$$

and we used Theorem 3.9 in the second equality and the fact that \(\mathsf {eq} _\ell (x, (x_i^*, \mathbf {w}_i)) = 0\) when \(x_i^* \ne x\) in the third equality. Moreover, by Theorem 3.9, \(\left| \epsilon _{i, \ell } \right| \le B \cdot m^{O(d_\mathsf {eq} )}\) and by Theorem 3.10, \(\left\| \mathbf {e}_{i,\ell } \right\| \le B \cdot m^{O(d)}\). Then,

$$\begin{aligned} \hat{\mathbf {a}}^T + \sum _{\begin{array}{c} i\in [t] \\ \ell \in [N] \end{array}} \widetilde{\mathbf {b}}_{i,\ell }^T \cdot \mathbf {G}^{-1}(\mathbf {D}_\ell )&= \left( \mathbf {s}^T \hat{\mathbf {A}}+ \mathbf {e}_0^T \right) + \sum _{\begin{array}{c} i\in [t] \\ \ell \in [N] \end{array}} \left( \mathbf {s}^T (\widetilde{\mathbf {B}}_{i,\ell } + \epsilon _{i,\ell } \cdot \mathbf {G}) + \mathbf {e}_{i,\ell }^T \right) \mathbf {G}^{-1}(\mathbf {D}_\ell ) \nonumber \\&= \underbrace{\mathbf {s}^T \left( \hat{\mathbf {A}}+ \sum _{\begin{array}{c} i\in [t] \\ \ell \in [N] \end{array}} \widetilde{\mathbf {B}}_{i,\ell } \cdot \mathbf {G}^{-1}(\mathbf {D}_\ell ) \right) + {\tilde{\mathbf {e}}}^T}_{\varvec{\xi }_x^T} = \varvec{\xi }_x^T \end{aligned}$$
(A.2)

where

$$\begin{aligned} \left\| \tilde{\mathbf {e}} \right\| = \left\| \mathbf {e}_0^T + \sum _{\begin{array}{c} i\in [t] \\ \ell \in [N] \end{array}} (\mathbf {e}_{i,\ell }^T \cdot \mathbf {G}^{-1}(\mathbf {D}_\ell ) + \epsilon _{i,\ell } \cdot \mathbf {s}^T \cdot \mathbf {D}_\ell ) \right\| \le B \cdot m^{O(d)}, \end{aligned}$$

using the fact that \(B, m, N= \mathsf {poly} (\lambda )\). Thus, combining Eq. (A.1) and (A.2), we have that \(\mathbf {y}_x= \lfloor \varvec{\xi }_x^T \rceil _p\). Next, by definition, the output \(\mathbf {y}'_x= \mathsf {TPRF} .\mathsf {Eval} (\mathsf {pp} , \mathsf {msk} , x)\) of the evaluation algorithm is given by

$$\begin{aligned} \mathbf {y}'_x= \left\lfloor \mathbf {s}^T \left( \hat{\mathbf {A}}+ \sum _{\begin{array}{c} i\in [t] \\ \ell \in [N] \end{array}} \widetilde{\mathbf {B}}_{i,\ell } \cdot \mathbf {G}^{-1}(\mathbf {D}_\ell ) \right) \right\rceil _p = \lfloor \varvec{\xi }_x^T - {\tilde{\mathbf {e}}}^T \rceil _p, \end{aligned}$$
(A.3)

where \(\varvec{\xi }_x\) is the quantity defined in Eq. (A.2). Thus, \(\mathbf {y}_x = \mathbf {y}'_x\) as long as \(\varvec{\xi }_x\) does not contain any “borderline” components that can be rounded in the “wrong direction” due to the additional error \(\widetilde{\mathbf {e}}\). Let \(\mathsf {Borderline} _{x}\) be the event that there exists an index \(\eta \in [m]\) such that \(\varvec{\xi }_x^T \mathbf {u}_\eta \in [-E,E] + (q/p) \cdot (\mathbb {Z}+ 1/2)\), where \(\mathbf {u}_\eta \) is the \(\eta ^{\mathrm {th}}\) basis vector, and \(E = B \cdot m^{O(d)}\) is a bound on \(\left\| {\tilde{\mathbf {e}}} \right\| \). To prove the theorem, it suffices to show that it is computationally hard for an adversary to find a point \(x\) such that \(\mathsf {Borderline} _{x}\) occurs. To do this, we proceed via a hybrid argument. First, we define our sequence of hybrid experiments.
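As an added toy illustration of the rounding argument above (this is not code from the paper): it models \(\lfloor \cdot \rceil _p\) over \(\mathbb {Z}_q\), tests whether a vector \(\varvec{\xi }_x\) triggers \(\mathsf {Borderline} _{x}\), and checks that outside that event the constrained evaluation \(\lfloor \varvec{\xi }_x \rceil _p\) and the real evaluation \(\lfloor \varvec{\xi }_x - \tilde{\mathbf {e}} \rceil _p\) agree. The values of \(q\), \(p\), \(E\), \(m\) and all vectors are constructed toy parameters (the paper's are asymptotic), and rounding half-up is an assumed convention.

```python
# Toy model of the rounding step and the Borderline_x event from the
# evaluation-correctness proof. All parameters and vectors are constructed
# for illustration; they are not the paper's (asymptotic) parameters.
import random


def round_p(v, q, p):
    """Componentwise \\lfloor v \\rceil_p: map each entry of Z_q to the nearest
    element of Z_p (assumed convention: exact ties round up). Requires p | q."""
    assert q % p == 0
    # floor(x * p / q + 1/2) computed in exact integer arithmetic
    return [(((x % q) * p * 2 + q) // (2 * q)) % p for x in v]


def borderline_indices(xi, q, p, E):
    """Indices eta with xi[eta] within distance E of a rounding boundary
    (q/p)(k + 1/2), i.e. xi[eta] in [-E, E] + (q/p)(Z + 1/2).
    Borderline_x occurs exactly when the returned list is non-empty."""
    step = q // p                      # width of one rounding cell
    hits = []
    for eta, x in enumerate(xi):
        # Work in doubled units so half-step boundaries become integers;
        # y == 0 means x sits exactly on a boundary.
        y = (2 * (x % q) - step) % (2 * step)
        dist2 = min(y, 2 * step - y)   # twice the distance to the nearest boundary
        if dist2 <= 2 * E:
            hits.append(eta)
    return hits


def is_borderline(xi, q, p, E):
    return len(borderline_indices(xi, q, p, E)) > 0


def constrained_vs_real(xi, err, q, p):
    """y_x = round(xi) as in Eq. (A.1)/(A.2) versus y'_x = round(xi - err)
    as in Eq. (A.3); err plays the role of the accumulated error \\tilde{e}."""
    y_x = round_p(xi, q, p)
    y_x_prime = round_p([a - b for a, b in zip(xi, err)], q, p)
    return y_x, y_x_prime


def rounding_lemma_holds(q, p, E, m, trials, seed=0):
    """Empirical check of the proof's key step: whenever Borderline_x does not
    occur and ||err||_inf <= E, the two evaluations round to the same value."""
    rng = random.Random(seed)
    for _ in range(trials):
        xi = [rng.randrange(q) for _ in range(m)]          # constructed xi
        err = [rng.randint(-E, E) for _ in range(m)]       # constructed error
        if not is_borderline(xi, q, p, E):
            y, yp = constrained_vs_real(xi, err, q, p)
            if y != yp:
                return False
    return True


def borderline_rate(q, p, E, m, trials, seed=0):
    """Fraction of uniformly random xi in Z_q^m for which Borderline_x occurs.
    A union bound over the m coordinates gives at most m * (2E + 1) * p / q,
    which is why the proof needs q/p to dominate the error bound E."""
    rng = random.Random(seed)
    hits = sum(1 for _ in range(trials)
               if is_borderline([rng.randrange(q) for _ in range(m)], q, p, E))
    return hits / trials


if __name__ == "__main__":
    q, p, E = 64, 4, 2
    xi = [20, 40, 9]                      # 40 is on a boundary, 9 is within E of one
    print("borderline indices:", borderline_indices(xi, q, p, E))
    print("y_x, y'_x with err [2, 1, 2]:", constrained_vs_real(xi, [2, 1, 2], q, p))
    print("lemma holds on random trials:", rounding_lemma_holds(q, p, E, 3, 2000))
    print("borderline rate, q = 1024:", borderline_rate(1024, p, E, 3, 2000))
```

The mismatches in the demo occur only at the borderline coordinates, which is the point of conditioning the correctness argument on the negation of the event.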

  • Hybrid \(\mathsf {H} _0\): This is the real experiment. In particular, the adversary begins by committing to a set \(\mathsf {T} = \{ x_i^* \}_{i\in [t]}\) of punctured points. The challenger then computes \((\mathsf {pp} , \mathsf {tk} ) \leftarrow \mathsf {TPRF} .\mathsf {Setup} (1^\lambda )\), \(\mathsf {msk} \leftarrow \mathsf {TPRF} .\mathsf {SampleKey} (\mathsf {pp} )\), and \(\mathsf {sk} _\mathsf {T} = (\mathsf {enc} , \mathsf {ct} ) \leftarrow \mathsf {TPRF} .\mathsf {Constrain} (\mathsf {pp} , \mathsf {msk} , \mathsf {T} )\). Finally, the challenger gives \((\mathsf {pp} , \mathsf {sk} _\mathsf {T} )\) to the adversary.

  • Hybrid \(\mathsf {H} _{1}\): Same as \(\mathsf {H} _0\), except the challenger generates the public parameters and PRF key using the auxiliary setup algorithm: \((\mathsf {pp} ^*, \mathsf {msk} ^*) \leftarrow \mathsf {Setup} ^*(1^\lambda , \mathsf {T} )\), where \(\mathsf {T} = \{ x_i^* \}_{i\in [t]}\) is the set of punctured points to which the adversary committed. The challenger generates the constrained key as \(\mathsf {sk} _\mathsf {T} ^*\leftarrow \mathsf {Constrain} ^*_1(\mathsf {pp} ^*, \mathsf {msk} ^*)\) and gives \((\mathsf {pp} ^*, \mathsf {sk} _\mathsf {T} ^*)\) to the adversary.

  • Hybrid \(\mathsf {H} _2\): Same as \(\mathsf {H} _1\), except the challenger generates the constrained key \(\mathsf {sk} _\mathsf {T} ^*\leftarrow \mathsf {Constrain} _2^*(\mathsf {pp} ^*, \mathsf {msk} ^*)\) using the second auxiliary constraining algorithm. It gives \((\mathsf {pp} ^*, \mathsf {sk} _\mathsf {T} ^*)\) to the adversary.

For a hybrid experiment \(\mathsf {H} \) and an adversary \(\mathcal {A}\), we write \(\mathsf {H} (\mathcal {A})\) to denote the indicator random variable for whether the event \(\mathsf {Borderline} _{x}\) occurred in \(\mathsf {H} \). We now show that the outputs in each consecutive pair of hybrid experiments are statistically or computationally indistinguishable. This in particular implies that

$$\begin{aligned} \left| \Pr [\mathsf {H} _0(\mathcal {A}) = 1] - \Pr [\mathsf {H} _2(\mathcal {A}) = 1] \right| = \mathsf {negl} (\lambda ). \end{aligned}$$

To finish the proof, we then show that \(\Pr [\mathsf {H} _2(\mathcal {A}) = 1] = \mathsf {negl} (\lambda )\).

Lemma A.1

For all adversaries \(\mathcal {A}\), \(\left| \Pr [\mathsf {H} _0(\mathcal {A}) = 1] - \Pr [\mathsf {H} _1(\mathcal {A}) = 1] \right| = \mathsf {negl} (\lambda )\).

Proof

We first show that the distribution of the public parameters \(\mathsf {pp} \) in \(\mathsf {H} _0\) is statistically indistinguishable from the distribution of the auxiliary public parameters \(\mathsf {pp} ^*\) in \(\mathsf {H} _1\).

  • In hybrid \(\mathsf {H} _0\), the matrices \(\hat{\mathbf {A}}, \{ \mathbf {A}_b \}_{b \in \{0,1\}}\), \(\{ \mathbf {B}_{i, j} \}_{i\in [t], j\in [z]}\), \(\{ \mathbf {C}_k \}_{k\in [\tau ]}\) are uniform and independent over \(\mathbb {Z}_q^{n \times m}\), and the matrices \(\{ \mathbf {W}_i \}_{i\in [t]}\) are independent and statistically close to uniform over \(\mathbb {Z}_q^{n \times m}\) by properties of the trapdoor generation algorithm (Theorem 3.6).

  • In hybrid \(\mathsf {H} _1\), by definition of the auxiliary setup algorithm \(\mathsf {Setup} ^*\), the matrices \(\hat{\mathbf {A}}, \{ \mathbf {A}_b \}_{b \in \{0,1\}}\), \(\{ \mathbf {B}_{i, j} \}_{i\in [t], j\in [z]}\), \(\{ \mathbf {C}_k \}_{k\in [\tau ]}\) are independent and uniform over \(\mathbb {Z}_q^{n \times m}\). We conclude by arguing that the matrices \(\mathbf {W}_i\) for all \(i\in [t]\) are distributed independently and uniformly over \(\mathbb {Z}_q^{n \times m}\). By definition, \(\mathsf {Setup} ^*\) first computes the matrices

    $$\begin{aligned} \widetilde{\mathbf {B}}_{i,{i^*},\ell } \leftarrow \mathsf {Eval} _{\mathsf {pk} }(C_\ell , \mathbf {B}_{i,1}, \ldots , \mathbf {B}_{i,z}, \mathbf {A}_{x_{{i^*},1}^*}, \ldots , \mathbf {A}_{x_{{i^*},\rho }^*}, \mathbf {C}_1, \ldots , \mathbf {C}_\tau ) \end{aligned}$$

    for \(i, {i^*}\in [t], \ell \in [N]\) and defines

    $$\begin{aligned} \mathbf {W}_{i^*}&= \hat{\mathbf {A}}+ \sum _{\begin{array}{c} i\in [t]\\ \ell \in [N] \end{array}} \widetilde{\mathbf {B}}_{i,{i^*},\ell } \cdot \mathbf {G}^{-1}(\mathbf {D}_\ell ) + \underbrace{\sum _{\ell \in [N]} w_{{i^*},\ell } \cdot \mathbf {D}_\ell }_{\widetilde{\mathbf {D}}_{i^*}}, \end{aligned}$$

    where \(\mathbf {w}_{i^*} = (w_{{i^*},1}, \ldots , w_{{i^*},N}) \overset{\textsc {r}}{\leftarrow }\mathbb {Z}_q^N\) for all \({i^*}\in [t]\). Since the matrices \(\mathbf {D}_1, \ldots , \mathbf {D}_N\) form a basis of \(\mathbb {Z}_q^{n \times m}\), each \(\widetilde{\mathbf {D}}_{i^*}\) is a uniformly random linear combination of basis elements and is therefore distributed independently and uniformly over \(\mathbb {Z}_q^{n \times m}\); the same then holds for each \(\mathbf {W}_{i^*}\). We conclude that the distribution of \(\mathsf {pp} \) is statistically indistinguishable from that of \(\mathsf {pp} ^*\).

To complete the proof, we argue that the distribution of the components in the constrained key \(\mathsf {sk} _\mathsf {T} = (\mathsf {enc} , \mathsf {ct} )\) in \(\mathsf {H} _0\) is statistically indistinguishable from \(\mathsf {sk} _\mathsf {T} ^*\) in \(\mathsf {H} _1\). This follows from the fact that the matrices \(\hat{\mathbf {A}}, \{ \mathbf {A}_b \}_{b \in \{0,1\}}\), \(\{ \mathbf {B}_{i, j} \}_{i\in [t], j\in [z]}\), \(\{ \mathbf {C}_k \}_{k\in [\tau ]}\), and \(\{ \mathbf {W}_{i} \}_{i\in [t]}\) are statistically indistinguishable in \(\mathsf {H} _0\) and \(\mathsf {H} _1\). In particular, this means that the coefficients \(\mathbf {w}_i \in \mathbb {Z}_q^N\) in \(\mathsf {H} _0\) and \(\mathsf {H} _1\) are statistically indistinguishable. Since the ciphertexts \(\mathsf {ct} = \{ \mathsf {ct} _i \}_{i\in [t]}\) are generated in the exact same manner in \(\mathsf {H} _0\) and \(\mathsf {H} _1\), we conclude that they are statistically indistinguishable in the two experiments. Finally, since the public matrices, the FHE secret key, and the ciphertexts are either identically distributed or statistically indistinguishable between the two experiments, the encoding \(\mathsf {enc} \) is statistically indistinguishable between the two experiments and we conclude that the distribution of \((\mathsf {pp} , \mathsf {sk} _\mathsf {T} )\) in \(\mathsf {H} _0\) is statistically indistinguishable from the distribution of \((\mathsf {pp} ^*, \mathsf {sk} _\mathsf {T} ^*)\) in \(\mathsf {H} _1\). \(\square \)

Lemma A.2

Under the \(\mathsf {LWE} _{n, m', q, \chi }\) assumption (where \(m' = m (3 + t\cdot z+ \tau )\)), for all efficient adversaries \(\mathcal {A}\), \( \left| \Pr [\mathsf {H} _1(\mathcal {A}) = 1] - \Pr [\mathsf {H} _2(\mathcal {A}) = 1] \right| = \mathsf {negl} (\lambda ) \).

Proof

Suppose there exists an adversary \(\mathcal {A}\) that can distinguish \(\mathsf {H} _1\) from \(\mathsf {H} _2\) with some non-negligible probability \(\varepsilon \). We use \(\mathcal {A}\) to construct an algorithm \(\mathcal {B}\) that breaks the \(\mathsf {LWE} _{n, m', q, \chi }\) assumption, where \(m' = m (3 + t\cdot z+ \tau )\) is the total number of columns in the matrices \(\hat{\mathbf {A}}, \{ \mathbf {A}_b \}_{b \in \{0,1\}}\), \(\{ \mathbf {B}_{i, j} \}_{i\in [t], j\in [z]}\), \(\{ \mathbf {C}_k \}_{k\in [\tau ]}\). Algorithm \(\mathcal {B}\) works as follows:

  1. First, it receives a challenge \((\hat{\mathbf {A}}, \hat{\mathbf {a}})\), \(\{ (\mathbf {A}'_b, \mathbf {a}'_b) \}_{b \in \{0,1\}}\), \(\{ (\mathbf {B}'_{i, j}, \mathbf {b}'_{i, j}) \}_{i\in [t], j\in [z]}\), and \(\{ (\mathbf {C}'_k, \mathbf {c}'_k) \}_{k\in [\tau ]}\) from the LWE challenger.

  2. Algorithm \(\mathcal {B}\) starts running \(\mathcal {A}\). When \(\mathcal {A}\) commits to its set \(\mathsf {T} = \{ x_i^* \}_{i\in [t]}\), algorithm \(\mathcal {B}\) runs the auxiliary setup algorithm \(\mathsf {Setup} ^*\), except it uses the matrices \(\hat{\mathbf {A}}\), \(\{ \mathbf {A}'_b \}_{b \in \{0,1\}}\), \(\{ \mathbf {B}'_{i, j} \}_{i\in [t], j\in [z]}\), and \(\{ \mathbf {C}'_k \}_{k\in [\tau ]}\) from the LWE challenge in place of the corresponding matrices in \(\mathsf {Setup} ^*\). It generates the rest of the public parameters \(\mathsf {pp} ^*\) as described in \(\mathsf {Setup} ^*\).

  3. To simulate the constrained key \(\mathsf {sk} _\mathsf {T} ^*\), algorithm \(\mathcal {B}\) sets \(\mathsf {enc} = \left( \hat{\mathbf {a}}, \{ \mathbf {a}'_b \}_{b \in \{0,1\}}, \{ \mathbf {b}'_{i, j} \}_{i\in [t], j\in [z]}, \{ \mathbf {c}'_k \}_{k\in [\tau ]} \right) \) to be the vectors from the LWE challenge. The ciphertexts \(\mathsf {ct} \) are constructed exactly as in \(\mathsf {H} _1\) and \(\mathsf {H} _2\) (as described in \(\mathsf {Setup} ^*\)). Finally, \(\mathcal {B}\) gives the public parameters \(\mathsf {pp} ^*\) and the constrained key \(\mathsf {sk} _\mathsf {T} ^*= (\mathsf {enc} , \mathsf {ct} )\) to \(\mathcal {A}\).

  4. At the end of the game, \(\mathcal {A}\) outputs a point \(x\). Algorithm \(\mathcal {B}\) computes \(\varvec{\xi }_x\) as defined in Eq. (A.2), and outputs 1 if there exists an index \(\eta \in [m]\) such that \(\varvec{\xi }_x^T \mathbf {u}_\eta \in [-E, E] + (q/p) \cdot (\mathbb {Z}+ 1/2)\), where \(\mathbf {u}_\eta \) is the \(\eta {\mathrm {th}}\) basis vector (that is, if \(\mathsf {Borderline} _{x}\) occurs), and 0 otherwise.

If the challenge consists of valid LWE samples, then \(\mathcal {B}\) has perfectly simulated \(\mathsf {H} _1\), whereas if the challenge consists of uniformly random vectors, then \(\mathcal {B}\) has perfectly simulated \(\mathsf {H} _2\). Moreover, algorithm \(\mathcal {B}\) outputs 1 if and only if the adversary’s output \(x\) triggers the \(\mathsf {Borderline} _{x}\) event. By assumption then, \(\mathcal {B}\) breaks the \(\mathsf {LWE} _{n, m', q, \chi }\) assumption with the same advantage \(\varepsilon \). \(\square \)

Lemma A.3

Under the \(\mathsf {1D\text {-}SIS\text {-}R} _{m',p,q,\beta }\) assumption (where \(m' = m (3 + t\cdot z+ \tau )\) and \(\beta = B \cdot m^{O(d)}\)), for all efficient adversaries, \(\mathcal {A}\), \(\Pr [\mathsf {H} _2(\mathcal {A}) = 1] = \mathsf {negl} (\lambda )\).

Proof

We begin with a high-level overview of the proof. In \(\mathsf {H} _2\), the encoding \(\mathsf {enc} \) in the punctured key is uniformly random, and thus can be viewed as the challenge vector \(\mathbf {v}\) in a 1D-SIS-R instance (Definition 3.5). Next, according to Theorem 3.10, the constrained evaluation algorithm \(\mathsf {TPRF} .\mathsf {ConstrainEval} \) effectively computes a “short” linear combination of the vectors in \(\mathsf {enc} \). Thus, if an adversary is able to find a point \(x\) such that the constrained evaluation algorithm yields a boundary value, then the short coefficient vector of that linear combination is a solution to the 1D-SIS-R instance.

Formally, suppose there exists an adversary \(\mathcal {A}\) that outputs a point \(x\in \{0,1\}^\rho \) such that \(\mathsf {Borderline} _{x}\) occurs with non-negligible probability \(\varepsilon \). We use \(\mathcal {A}\) to construct an algorithm \(\mathcal {B}\) that breaks \(\mathsf {1D\text {-}SIS\text {-}R} _{m', p, q, \beta }\). At the beginning of the game, algorithm \(\mathcal {B}\) is given its 1D-SIS-R challenge vector \(\mathbf {v}\in \mathbb {Z}_q^{m'}\). Then, \(\mathcal {B}\) begins simulating \(\mathsf {H} _2\) for algorithm \(\mathcal {A}\). At the beginning of the game, \(\mathcal {A}\) commits to a set \(\mathsf {T} = \{ x_i^* \}_{i\in [t]}\) of punctured points. Algorithm \(\mathcal {B}\) then runs \(\mathsf {Setup} ^*(1^\lambda , \mathsf {T} )\) to obtain the public parameters \(\mathsf {pp} ^*\). When simulating the \(\mathsf {Constrain} _2^*\) algorithm, algorithm \(\mathcal {B}\) substitutes the challenge vector \(\mathbf {v}\) for \(\mathsf {enc} \) (in particular, \(\mathcal {B}\) treats \(\mathbf {v}\) as the concatenation of the vectors \(\hat{\mathbf {a}}, \{ \mathbf {a}_b \}\), \(\{ \mathbf {b}_{i, j} \}\), \(\{ \mathbf {c}_k \}\)). The other components of the secret key are constructed exactly as in \(\mathsf {H} _2\). It then gives \(\mathsf {pp} ^*\) and \(\mathsf {sk} _\mathsf {T} = (\mathsf {enc} , \mathsf {ct} )\) to the adversary and receives \(\mathcal {A}\)’s guess \(x\). Since \(\mathbf {v}\) is uniformly distributed, algorithm \(\mathcal {B}\) perfectly simulates \(\mathsf {H} _2\) for \(\mathcal {A}\). By assumption then, with probability \(\varepsilon \), \(\mathcal {A}\) outputs a point \(x\) such that \(\mathsf {Borderline} _{x}\) occurs. This means that there exists some \(\eta \in [m]\) such that

$$\begin{aligned} \varvec{\xi }_x^T \mathbf {u}_\eta = \left( \hat{\mathbf {a}}^T + \sum _{\begin{array}{c} i\in [t] \\ \ell \in [N] \end{array}} \widetilde{\mathbf {b}}_{i,\ell }^T \cdot \mathbf {G}^{-1}(\mathbf {D}_\ell ) \right) \mathbf {u}_\eta \in [-E,E] + \frac{q}{p} \cdot (\mathbb {Z}+ 1/2), \end{aligned}$$
(A.4)

where \(E = B \cdot m^{O(d)}\) and \(\mathbf {u}_\eta \in \mathbb {Z}_q^m\) is the \(\eta {\mathrm {th}}\) canonical basis vector. By Theorem 3.10, we have that for all \(i\in [t]\) and \(\ell \in [N]\),

$$\begin{aligned} \widetilde{\mathbf {b}}_{i, \ell }^T = \sum _{b \in \{0,1\}} \mathbf {a}_b^T \mathbf {R}^{(1)}_{b,i,\ell } + \sum _{j\in [z]} \mathbf {b}_{i, j}^T \mathbf {R}^{(2)}_{i, j,\ell } + \sum _{k\in [\tau ]} \mathbf {c}_k^T \mathbf {R}^{(3)}_{k,i,\ell } \end{aligned}$$

for some matrices \(\{ \mathbf {R}^{(1)}_{b,i,\ell } \}_{b \in \{0,1\}}\), \(\{ \mathbf {R}^{(2)}_{i,j,\ell } \}_{j\in [z]}\), \(\{ \mathbf {R}^{(3)}_{k,i,\ell } \}_{k\in [\tau ]}\) where \(\left\| \mathbf {R}^{(1)}_{b,i,\ell } \right\| \), \(\left\| \mathbf {R}^{(2)}_{i,j,\ell } \right\| \), \(\left\| \mathbf {R}^{(3)}_{k,i,\ell } \right\| \le m^{O(d)}\). This means that we can write \(\varvec{\xi }_x\) as

$$\begin{aligned} \varvec{\xi }_x^T = \hat{\mathbf {a}}^T + \sum _{\begin{array}{c} i\in [t] \\ \ell \in [N] \end{array}} \widetilde{\mathbf {b}}_{i,\ell }^T \cdot \mathbf {G}^{-1}(\mathbf {D}_\ell ) = \mathbf {v}^T \mathbf {R}\end{aligned}$$

for some \(\mathbf {R}\in \mathbb {Z}_q^{m' \times m}\) where \(\left\| \mathbf {R} \right\| \le m^{O(d)}\). Substituting into Eq. (A.4), we have that

$$\begin{aligned} \varvec{\xi }_x^T \mathbf {u}_\eta = \mathbf {v}^T \mathbf {R}\cdot \mathbf {u}_\eta = \left\langle \mathbf {v}, \mathbf {R}\cdot \mathbf {u}_\eta \right\rangle \in [-E, E] + \frac{q}{p} \cdot (\mathbb {Z}+ 1/2). \end{aligned}$$

Moreover, \(\left\| \mathbf {R}\cdot \mathbf {u}_\eta \right\| \le \left\| \mathbf {R} \right\| \le m^{O(d)} \le \beta \), and \(\mathbf {R}\cdot \mathbf {u}_\eta \ne \mathbf {0}\) (otherwise the inner product would equal \(0\), which lies outside the set \([-E,E] + (q/p) \cdot (\mathbb {Z}+ 1/2)\) whenever \(E < q/(2p)\)), and so the vector \(\mathbf {R}\cdot \mathbf {u}_\eta \) is a valid solution to the 1D-SIS-R challenge. We conclude that \(\mathcal {B}\) succeeds in breaking the \(\mathsf {1D\text {-}SIS\text {-}R} _{m', p, q, \beta }\) assumption with the same (non-negligible) advantage \(\varepsilon \). \(\square \)

Combining Lemmas A.1 through A.3, we conclude that under the \(\mathsf {LWE} \) and \(\mathsf {1D\text {-}SIS\text {-}R} \) assumptions (for the parameters given in Theorem 5.1), no efficient adversary is able to find an input \(x\notin \mathsf {T} \) such that the \(\mathsf {Borderline} _{x}\) event occurs. Equivalently, no efficient adversary can find an \(x\notin \mathsf {T} \) where \(\mathsf {TPRF} .\mathsf {Eval} (\mathsf {pp} , \mathsf {msk} , x) \ne \mathsf {TPRF} .\mathsf {ConstrainEval} (\mathsf {pp} , \mathsf {sk} _\mathsf {T} , x)\). Thus, \(\Pi _{\mathsf {TPRF} }\) satisfies (selective) evaluation correctness. \(\square \)

1.2.2 Proof of Selective Verification Correctness

In the selective verification correctness game, the adversary \(\mathcal {A}\) first commits to a set \(\mathsf {T} = \{ x_i^* \}_{i\in [t]}\) of punctured points. It is then provided with the public parameters \(\mathsf {pp} \) and the constrained key \(\mathsf {sk} _\mathsf {T} \). Finally, \(\mathcal {A}\) wins the game if at least one of the following conditions is satisfied:

  • Case 1: it outputs a point \(x\in \mathsf {T} \) such that the testing algorithm rejects:

    $$\begin{aligned} \mathsf {TPRF} .\mathsf {Test} (\mathsf {pp} , \mathsf {tk} , \mathsf {TPRF} .\mathsf {ConstrainEval} (\mathsf {pp} , \mathsf {sk} _\mathsf {T} , x)) = 0 . \end{aligned}$$
  • Case 2: it outputs a point \(x\notin \mathsf {T} \) such that the testing algorithm accepts:

    $$\begin{aligned} \mathsf {TPRF} .\mathsf {Test} (\mathsf {pp} , \mathsf {tk} , \mathsf {TPRF} .\mathsf {ConstrainEval} (\mathsf {pp} , \mathsf {sk} _\mathsf {T} , x)) = 1 . \end{aligned}$$

We define \(\mathsf {Bad} _1\) to be the event that an adversary outputs a point \(x\) that satisfies the first case. We define the event \(\mathsf {Bad} _2\) analogously. We now show that for all efficient adversaries \(\mathcal {A}\), the probability of either \(\mathsf {Bad} _1\) or \(\mathsf {Bad} _2\) occurring is negligible.

Lemma A.4

Under the parameter settings given in Theorem 5.1, for all adversaries \(\mathcal {A}\), \(\Pr [\mathsf {Bad} _1] = 0\).

Proof

Let \(x\in \mathcal {X}\) be the output of \(\mathcal {A}\), and suppose \(x\in \mathsf {T} \). Then, there exists an index \({i^*}\in [t]\) such that \(x= x^*_{i^*}\). On input the public parameters \(\mathsf {pp} \), the constrained key \(\mathsf {sk} _\mathsf {T} \), and the point \(x^*_{i^*}\), the constrained evaluation algorithm first computes

$$\begin{aligned} \widetilde{\mathbf {b}}_{i,\ell } \leftarrow \mathsf {Eval} _{\mathsf {ct} }((\mathsf {ct} , x^*_{i^*}), C_{\ell }, \mathbf {b}_{i,1}, \ldots , \mathbf {b}_{i, z}, \mathbf {a}_{x^*_{{i^*},1}}, \ldots , \mathbf {a}_{x^*_{{i^*}, \rho }}, \mathbf {c}_1, \ldots , \mathbf {c}_\tau ) \end{aligned}$$

for \(i\in [t]\) and \(\ell \in [N]\), and then returns the value

$$\begin{aligned} \mathbf {y}_{x^*_{i^*}} = \left\lfloor \hat{\mathbf {a}}^T + \sum _{\begin{array}{c} i\in [t] \\ \ell \in [N] \end{array}} \widetilde{\mathbf {b}}_{i,\ell }^T \cdot \mathbf {G}^{-1}(\mathbf {D}_\ell ) \right\rceil _p. \end{aligned}$$
(A.5)

By Theorems 3.9 and 3.10, the vectors \(\widetilde{\mathbf {b}}_{i,\ell }\) can be written as

$$\begin{aligned} \widetilde{\mathbf {b}}_{i,\ell }^T = \mathbf {s}^T \left( \widetilde{\mathbf {B}}_{i,\ell } + \left( \mathsf {eq} (x^*_{i^*},x^*_i) \cdot w_{i,\ell } + \epsilon _{i,\ell } \right) \cdot \mathbf {G}\right) + \mathbf {e}_{i,\ell }^T, \end{aligned}$$

where

$$\begin{aligned} \widetilde{\mathbf {B}}_{i,\ell } = \mathsf {Eval} _{\mathsf {pk} }(C_\ell , \mathbf {B}_{i,1}, \ldots , \mathbf {B}_{i, z}, \mathbf {A}_{x_{{i^*},1}^*}, \ldots , \mathbf {A}_{x_{{i^*},\rho }^*}, \mathbf {C}_1, \ldots , \mathbf {C}_\tau ), \end{aligned}$$

and \(\left| \epsilon _{i,\ell } \right| \le B \cdot m^{O(d_\mathsf {eq} )}\) and \(\left\| \mathbf {e}_{i,\ell } \right\| \le B \cdot m^{O(d)}\). Substituting into Eq. (A.5), we have

$$\begin{aligned} \mathbf {y}_{x^*_{i^*}}&= \left\lfloor \left( \mathbf {s}^T \hat{\mathbf {A}}+ \mathbf {e}_0^T \right) + \sum _{\begin{array}{c} i\in [t] \\ \ell \in [N] \end{array}} \left( \mathbf {s}^T \left( \widetilde{\mathbf {B}}_{i,\ell } \cdot \mathbf {G}^{-1}(\mathbf {D}_\ell ) \right. \right. \right. \\&\quad \left. \left. \left. \quad + \mathsf {eq} (x^*_{i^*},x^*_i) \cdot w_{i,\ell } \cdot \mathbf {D}_\ell + \epsilon _{i,\ell } \cdot \mathbf {D}_\ell \right) + \mathbf {e}^T_{i,\ell } \cdot \mathbf {G}^{-1}(\mathbf {D}_\ell ) \right) \right\rceil _p \nonumber \\&= \left\lfloor \mathbf {s}^T \left( \hat{\mathbf {A}}+ \sum _{\begin{array}{c} i\in [t] \\ \ell \in [N] \end{array}} \left( \widetilde{\mathbf {B}}_{i,\ell } \cdot \mathbf {G}^{-1}(\mathbf {D}_\ell ) + \mathsf {eq} (x^*_{i^*},x^*_i) \cdot w_{i,\ell } \cdot \mathbf {D}_\ell \right) \right) + \mathbf {e}^T \right\rceil _p \\&= \left\lfloor \mathbf {s}^T \left( \hat{\mathbf {A}}+ \sum _{\begin{array}{c} i\in [t] \\ \ell \in [N] \end{array}} \left( \widetilde{\mathbf {B}}_{i,\ell } \cdot \mathbf {G}^{-1}(\mathbf {D}_\ell ) \right) + \sum _{\ell \in [N]} w_{{i^*},\ell } \cdot \mathbf {D}_\ell \right) + \mathbf {e}^T \right\rceil _p \end{aligned}$$

where

$$\begin{aligned} \mathbf {e}^T = \mathbf {e}_0^T + \sum _{\begin{array}{c} i\in [t] \\ \ell \in [N] \end{array}} \left( \epsilon _{i,\ell } \cdot \mathbf {s}^T \cdot \mathbf {D}_\ell + \mathbf {e}^T_{i,\ell } \cdot \mathbf {G}^{-1}(\mathbf {D}_\ell ) \right) , \end{aligned}$$

and \(\left\| \mathbf {e} \right\| \le B \cdot m^{O(d)}\). Now, by construction of the \(\mathsf {TPRF} .\mathsf {Constrain} \) algorithm, the vector \(\mathbf {w}_{i^*} \in \mathbb {Z}_q^{N}\) is chosen such that

$$\begin{aligned} \mathbf {W}_{i^*} = \hat{\mathbf {A}}+ \sum _{\begin{array}{c} i\in [t] \\ \ell \in [N] \end{array}} \widetilde{\mathbf {B}}_{i,\ell } \cdot \mathbf {G}^{-1}(\mathbf {D}_\ell ) + \sum _{\ell \in [N]} w_{i^*,\ell } \cdot \mathbf {D}_\ell \end{aligned}$$

and so we have

$$\begin{aligned} \mathbf {y}_{x^*_{i^*}} = \left\lfloor \mathbf {s}^T \mathbf {W}_{{i^*}} + \mathbf {e}^T \right\rceil _p . \end{aligned}$$

Next, the testing algorithm \(\mathsf {TPRF} .\mathsf {Test} \) computes the inner product

$$\begin{aligned} \left\langle \mathbf {y}_{x^*_{i^*}}, \mathbf {z}_{i^*} \right\rangle&= \left\lfloor \mathbf {s}^T \mathbf {W}_{i^*}+ \mathbf {e}^T \right\rceil _p \cdot \mathbf {z}_{{i^*}} \\&= \left\lfloor \mathbf {s}^T \mathbf {W}_{{i^*}} \mathbf {z}_{{i^*}} + \mathbf {e}^T \mathbf {z}_{{i^*}} \right\rceil _p + \tilde{e} \\&= \left\lfloor \mathbf {e}^T \mathbf {z}_{{i^*}} \right\rceil _p + \tilde{e} \end{aligned}$$

where \(\left| \tilde{e} \right| \le B \cdot (m + 1) = B_{\mathsf {test} }\) is the accumulated rounding error. Here, we used the fact that \(\mathbf {z}_{i^*}\) is a (short) trapdoor vector for \(\mathbf {W}_{i^*}\), i.e., \(\mathbf {W}_{i^*} \mathbf {z}_{i^*} = \mathbf {0}\) (Theorem 3.6), so that \(\mathbf {s}^T \mathbf {W}_{i^*} \mathbf {z}_{i^*} = 0\), as well as the fact that the rounding operation \(\lfloor \cdot \rceil _p\) is almost additively homomorphic in that for any \(x,y \in \mathbb {Z}_q\), we have that \(\lfloor x+y \rceil _p = \lfloor x \rceil _p+\lfloor y \rceil _p + b\) for some \(b \in \{-1, 0, 1\}\). Since \(\left\| \mathbf {e} \right\| \le B \cdot m^{O(d)}\) and \(\mathbf {z}_{i^*}\) is B-bounded, the parameter settings of Theorem 5.1 ensure that \(\left| \mathbf {e}^T \mathbf {z}_{i^*} \right| < \frac{q}{2p}\), in which case \(\left\lfloor \mathbf {e}^T \mathbf {z}_{{i^*}} \right\rceil _p = 0\). Thus, \(\left\langle \mathbf {y}_{x^*_{i^*}}, \mathbf {z}_{i^*} \right\rangle = {\tilde{e}} \in [-B_{\mathsf {test} }, B_{\mathsf {test} }]\). In this case, \(\mathsf {TPRF} .\mathsf {Test} \) outputs 1 with probability 1, and the claim follows. \(\square \)
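The following Python toy instance (added here as an illustration; it is not the paper's code, and it replaces the trapdoor generator of Theorem 3.6 by a planted short kernel vector) carries out the computation of Lemma A.4 on concrete values: it builds \(\mathbf {W}\) together with a short \(\mathbf {z}\) satisfying \(\mathbf {W}\mathbf {z} = \mathbf {0} \bmod q\), forms \(\mathbf {y} = \lfloor \mathbf {s}^T \mathbf {W} + \mathbf {e}^T \rceil _p\), and checks that \(\langle \mathbf {y}, \mathbf {z} \rangle \bmod p\) lands in \([-B_{\mathsf {test} }, B_{\mathsf {test} }]\). It also estimates how often a uniformly random \(\mathbf {y} \in \mathbb {Z}_p^m\) passes the same test, which is the per-trapdoor acceptance probability bounded in the proof of Lemma A.5 below. The dimensions \(n = 4\), \(m = 8\), the moduli \(q = 2^{24}\), \(p = 2^{12}\) and the bound \(B = 2\) are assumptions for illustration only.

```python
"""Toy instance of the TPRF.Test check (constructed illustration, not the paper's code).

Assumptions: toy dimensions n = 4, m = 8, moduli q = 2^24 and p = 2^12 (p divides q),
and a bound B = 2 on the entries of s, e and the trapdoor vector z. The lattice
trapdoor generator of the construction is replaced by a planted short kernel vector.
"""
import random

N_DIM, M_DIM = 4, 8
Q, P = 1 << 24, 1 << 12
B = 2
B_TEST = B * (M_DIM + 1)  # acceptance threshold used by Test in Lemma A.4


def round_p(v: int) -> int:
    """Rounding Z_q -> Z_p: nearest integer to (p/q) * v (ties up), reduced mod p."""
    return ((2 * (v % Q) * P + Q) // (2 * Q)) % P


def centered(x: int, mod: int) -> int:
    """Representative of x mod `mod` in (-mod/2, mod/2]."""
    x %= mod
    return x - mod if x > mod // 2 else x


def plant_trapdoor(rng: random.Random):
    """Return (W, z): W in Z_q^{n x m} and a short nonzero z with W z = 0 mod q.
    Stand-in for the trapdoor generator: the first m-1 columns are uniform and the
    last column cancels their short combination, so z = (z_short, 1)."""
    z_short = [rng.randint(-B, B) for _ in range(M_DIM - 1)]
    W = [[rng.randrange(Q) for _ in range(M_DIM - 1)] for _ in range(N_DIM)]
    for row in W:
        row.append((-sum(w * zj for w, zj in zip(row, z_short))) % Q)
    return W, z_short + [1]


def eval_at_punctured_point(W, s, e):
    """y = round_p(s^T W + e^T): the form ConstrainEval takes at a punctured point."""
    return [round_p(sum(s[i] * W[i][j] for i in range(N_DIM)) + e[j]) for j in range(M_DIM)]


def tprf_test(y, z) -> bool:
    """TPRF.Test with one trapdoor vector: accept iff <y, z> mod p is B_test-close to 0."""
    return abs(centered(sum(yj * zj for yj, zj in zip(y, z)), P)) <= B_TEST


def uniform_acceptance_rate(z, trials: int, rng: random.Random) -> float:
    """Fraction of uniformly random y in Z_p^m accepted by Test (the event bounded in Lemma A.5)."""
    hits = sum(tprf_test([rng.randrange(P) for _ in range(M_DIM)], z) for _ in range(trials))
    return hits / trials


def demo(seed: int = 1):
    """Return (honest_accepted, uniform_rate) for one constructed instance."""
    rng = random.Random(seed)
    W, z = plant_trapdoor(rng)
    assert all(sum(W[i][j] * z[j] for j in range(M_DIM)) % Q == 0 for i in range(N_DIM))
    s = [rng.randint(-B, B) for _ in range(N_DIM)]
    e = [rng.randint(-B, B) for _ in range(M_DIM)]
    # |e^T z| <= B^2 (m-1) + B = 30 < q/(2p) = 2048, so round_p(e^T z) = 0 and the
    # inner product collapses to the rounding error, exactly as in Lemma A.4.
    honest = tprf_test(eval_at_punctured_point(W, s, e), z)
    return honest, uniform_acceptance_rate(z, 2000, rng)


if __name__ == "__main__":
    accepted, rate = demo()
    print(f"honest output accepted: {accepted}; uniform outputs accepted: {rate:.3%}")
```

With these toy values the honest output is accepted deterministically, while a uniformly random output is accepted with probability close to \((2 B_{\mathsf {test} } + 1)/p \approx 0.9\%\); in the construction \(p\) is exponential in \(\rho \), which is what makes the union bound over all \(2^\rho \) inputs in Lemma A.5 go through.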

Lemma A.5

Under the parameter settings given in Theorem 5.1, and the \(\mathsf {LWE} _{n, m', q, \chi }\) and \(\mathsf {1D\text {-}SIS\text {-}R} _{m', p, q, \beta }\) assumptions (where \(m' = m (3 + t\cdot z+ \tau )\) and \(\beta = B \cdot m^{O(d)}\)), for all efficient adversaries \(\mathcal {A}\), \(\Pr [\mathsf {Bad} _2] = \mathsf {negl} (\lambda )\).

Proof

In the correctness experiment, the challenger samples \((\mathsf {pp} , \mathsf {tk} ) \leftarrow \mathsf {TPRF} .\mathsf {Setup} (1^\lambda )\) and \(\mathsf {msk} \leftarrow \mathsf {TPRF} .\mathsf {SampleKey} (\mathsf {pp} )\). We first show that over the random choices of these algorithms

$$\begin{aligned} \Pr [\exists x\in \{0,1\}^\rho :\mathsf {TPRF} .\mathsf {Test} (\mathsf {pp} , \mathsf {tk} , \mathsf {TPRF} .\mathsf {Eval} (\mathsf {pp} , \mathsf {msk} , x)) = 1] = \mathsf {negl} (\lambda ). \end{aligned}$$
(A.6)

As we subsequently show, the claim then follows by invoking evaluation correctness. To show Eq. (A.6), we union bound over all \(x\in \{0,1\}^\rho \). First, take any \(x\in \{0,1\}^\rho \) and let \(\mathbf {y}_x= \mathsf {TPRF} .\mathsf {Eval} (\mathsf {pp} , \mathsf {msk} , x)\). Consider the probability that \(\mathsf {TPRF} .\mathsf {Test} (\mathsf {pp} , \mathsf {tk} , \mathbf {y}_x) = 1\). By definition,

$$\begin{aligned} \mathbf {y}_{x} = \lfloor \mathbf {s}^T (\hat{\mathbf {A}}+ \mathbf {B}') \rceil _p \text { where } \mathbf {B}' = \sum _{\begin{array}{c} i\in [t] \\ \ell \in [N] \end{array}} \widetilde{\mathbf {B}}_{i,\ell } \cdot \mathbf {G}^{-1}(\mathbf {D}_\ell ). \end{aligned}$$

Now, the matrix \(\hat{\mathbf {A}}\) is sampled uniformly at random over \(\mathbb {Z}_q^{n \times m}\). Since \(\mathbf {s}\) is nonzero with overwhelming probability, there is at least one index \(i \in [n]\) such that \(s_i \ne 0\). Moreover, since \(\mathbf {s}\) is sampled from a B-bounded distribution, \(\left| s_i \right| \le B\). In particular, this means that \(s_i\) is invertible over \(\mathbb {Z}_q\) (since q is a product of primes \(p_j\) where \(p_j > B\)). Since \(\hat{\mathbf {A}}\) is sampled uniformly and independently of \(\mathbf {B}'\), \(\hat{\mathbf {A}}+ \mathbf {B}'\) is also distributed uniformly at random. Since \(s_i\) is invertible over \(\mathbb {Z}_q\) (and independent of \(\hat{\mathbf {A}}+ \mathbf {B}'\)), this implies that the product \(\mathbf {s}^T(\hat{\mathbf {A}}+ \mathbf {B}')\) is a uniformly random vector in \(\mathbb {Z}_q^m\). Finally, since q is a multiple of p, we conclude that \(\mathbf {y}_x= \lfloor \mathbf {s}^T (\hat{\mathbf {A}}+ \mathbf {B}') \rceil _p\) is uniform over \(\mathbb {Z}_p^m\).

Consider now the output \(\mathsf {TPRF} .\mathsf {Test} (\mathsf {pp} , \mathsf {tk} , \mathbf {y}_x)\). Let \(\mathsf {tk} = \{ \mathbf {z}_i \}_{i\in [t]}\). Since \(\mathbf {y}_x\) is distributed uniformly over \(\mathbb {Z}_p^m\) and independent of \(\mathbf {z}_i\) for all \(i\in [t]\), then for any \(i\in [t]\), we have that

$$\begin{aligned} \Pr [ \left\langle \mathbf {y}_x, \mathbf {z}_i \right\rangle \in [-B_{\mathsf {test} }, B_{\mathsf {test} }] ] = \frac{2 B_{\mathsf {test} }+ 1}{p}, \end{aligned}$$

since the interval \([-B_{\mathsf {test} }, B_{\mathsf {test} }]\) contains exactly \(2 B_{\mathsf {test} }+ 1\) of the \(p\) equally likely values of the inner product. Union bounding over all \(i\in [t]\), we have that

$$\begin{aligned}&\Pr [ \mathsf {TPRF} .\mathsf {Test} (\mathsf {pp} , \mathsf {tk} , \mathbf {y}_x) = 1 ] \\&\quad = \Pr [\exists i\in [t] :\left\langle \mathbf {y}_x, \mathbf {z}_i \right\rangle \in [-B_{\mathsf {test} }, B_{\mathsf {test} }] ] \le \frac{(2 B_{\mathsf {test} }+ 1) \cdot t}{p}. \end{aligned}$$

Finally, to show Eq. (A.6), we union bound over all \(x\in \{0,1\}^\rho \) to argue that over the randomness used to sample the public parameters (in particular, the matrix \(\hat{\mathbf {A}}\)),

$$\begin{aligned}&\Pr [ \exists x\in \{0,1\}^\rho :\mathsf {TPRF} .\mathsf {Test} (\mathsf {pp} , \mathsf {tk} , \mathsf {TPRF} .\mathsf {Eval} (\mathsf {pp} , \mathsf {msk} , x)) = 1 ]\\&\quad \le \frac{2^{\rho } \cdot (2 B_{\mathsf {test} }+ 1) \cdot t}{p} = \mathsf {negl} (\lambda ), \end{aligned}$$

since \(p = 2^{(\rho ^{1 + \varepsilon })}\), and \(B_{\mathsf {test} }, t= \mathsf {poly} (\lambda )\). Thus, with overwhelming probability (over the randomness used to sample the public parameters), there is no \(x\in \{0,1\}^\rho \) on which \(\mathsf {TPRF} .\mathsf {Test} \) accepts the honest PRF value \(\mathsf {TPRF} .\mathsf {Eval} (\mathsf {pp} , \mathsf {msk} , x)\). In particular, if the adversary outputs a point \(x\notin \mathsf {T} \) where \(\mathsf {TPRF} .\mathsf {ConstrainEval} (\mathsf {pp} , \mathsf {sk} _\mathsf {T} , x) = \mathsf {TPRF} .\mathsf {Eval} (\mathsf {pp} , \mathsf {msk} , x)\), then

$$\begin{aligned} \Pr [\mathsf {TPRF} .\mathsf {Test} (\mathsf {pp} , \mathsf {tk} , \mathsf {TPRF} .\mathsf {ConstrainEval} (\mathsf {pp} , \mathsf {sk} _\mathsf {T} , x)) = 1] = \mathsf {negl} (\lambda ). \end{aligned}$$

However, by evaluation correctness (shown in Appendix A.2.1), with overwhelming probability, no efficient adversary in the correctness game can find a point \(x\notin \mathsf {T} \) where \(\mathsf {TPRF} .\mathsf {ConstrainEval} (\mathsf {pp} , \mathsf {sk} _\mathsf {T} , x) \ne \mathsf {TPRF} .\mathsf {Eval} (\mathsf {pp} , \mathsf {msk} , x)\). The claim follows. \(\square \)

Combining Lemmas A.4 and A.5 , we have that \(\mathcal {A}\) wins the game with negligible probability. We conclude that \(\Pi _{\mathsf {TPRF} }\) satisfies selective verification correctness. \(\square \)

1.3 Security Analysis

In this section, we give the formal proof of Theorem 5.2. We analyze constrained pseudorandomness (Claim A.6), privacy (Claim A.13), and key-injectivity (Claim A.17) separately.

1.3.1 Constrained Pseudorandomness

In this section, we show that the translucent PRF in Sect. 5.1 satisfies selective single-key constrained pseudorandomness. Specifically, we show the following claim:

Claim A.6

(Constrained Pseudorandomness) Define \(\lambda , n, m, p, q, \chi , t, z, \tau \) as in Theorem 5.2. Under the \(\mathsf {LWE} _{n, m', q, \chi }\) and \(\mathsf {1D\text {-}SIS\text {-}R} _{m'', p, q, \beta }\) assumptions, \(\Pi _{\mathsf {TPRF} }\) satisfies selective single-key constrained pseudorandomness (Definition 4.10).

Proof

Let \(\mathcal {A}\) be an adversary and \(\mathcal {S}^{(t)}\) be the set system corresponding to the family of \(t\)-puncturable constraints (Definition 4.7). We begin by defining a sequence of hybrid experiments:

  • Hybrid \({\mathsf {H} _{0}}\): This is the real experiment \(\mathsf {CExpt} _{\Pi _{\mathsf {TPRF} }, \mathcal {A}, \mathcal {S}^{(t)}}^{(0)}\) (Definition 4.9). Specifically, the adversary \(\mathcal {A}\) begins by committing to a set \(\mathsf {T} = \{ x^*_i \}_{i\in [t]}\) of t distinct points in the domain of \(\Pi _{\mathsf {TPRF} }\). The challenger then samples \((\mathsf {pp} , \mathsf {tk} ) \leftarrow \mathsf {TPRF} .\mathsf {Setup} (1^\lambda )\), \(\mathsf {msk} \leftarrow \mathsf {TPRF} .\mathsf {SampleKey} (\mathsf {pp} )\), and \(\mathsf {sk} _\mathsf {T} \leftarrow \mathsf {TPRF} .\mathsf {Constrain} (\mathsf {pp} , \mathsf {msk} ,\mathsf {T} )\). Then, the adversary is given \(\mathsf {pp} \), \(\mathsf {sk} _\mathsf {T} \), access to an honest evaluation oracle \(\mathsf {TPRF} .\mathsf {Eval} (\mathsf {pp} , \mathsf {msk} , \cdot )\) for points \(x\notin \mathsf {T} \), and access to a challenge evaluation oracle for points \(x\in \mathsf {T} \). In \(\mathsf {CExpt} _{\Pi _{\mathsf {TPRF} }, \mathcal {A}, \mathcal {S}^{(t)}}^{(0)}\), the challenge evaluation oracle outputs the real PRF value \(\mathsf {TPRF} .\mathsf {Eval} (\mathsf {pp} , \mathsf {msk} , x)\).

  • Hybrid \({\mathsf {H} _{1}}\): Same as \({\mathsf {H} _{0}}\), except that the challenger generates the public parameters \(\mathsf {pp} ^*\) and the PRF key \(\mathsf {msk} ^*\) using the auxiliary setup algorithm: \((\mathsf {pp} ^*, \mathsf {msk} ^*) \leftarrow \mathsf {Setup} ^*(1^\lambda , \mathsf {T} )\), where \(\mathsf {T} = \{ x_i^* \}_{i\in [t]}\) is the set of points the adversary commits to at the beginning of the experiment. In addition, the challenger generates the constrained key as \(\mathsf {sk} _\mathsf {T} ^*\leftarrow \mathsf {Constrain} _1^*(\mathsf {pp} ^*, \mathsf {msk} ^*)\) and gives \((\mathsf {pp} ^*, \mathsf {sk} _\mathsf {T} ^*)\) to the adversary. Both the evaluation and challenge queries are handled as in \(\mathsf {H} _0\): on a query \(x\in \mathcal {X}\), the challenger replies with \(\mathsf {TPRF} .\mathsf {Eval} (\mathsf {pp} ^*, \mathsf {msk} ^*, x)\).

  • Hybrid \({\mathsf {H} _{2}}\): Same as \({\mathsf {H} _{1}}\), except that the challenger answers the evaluation and challenge queries using the auxiliary evaluation algorithm \(\mathsf {Eval} _1^*\). Specifically, on an evaluation or a challenge query \(x\in \mathcal {X}\), the challenger replies with \(\mathsf {Eval} _1^*(\mathsf {msk} ^*, \mathsf {sk} _\mathsf {T} ^*, x)\). Note that if the adversary queries for an evaluation of x multiple times, the challenger will always reply with the same value (i.e., the value of \(\mathsf {Eval} _1^*(\mathsf {msk} ^*, \mathsf {sk} _\mathsf {T} ^*, x)\) it used when responding to the first query on input \(x\)).

  • Hybrid \({\mathsf {H} _{3}}\): Same as \({\mathsf {H} _{2}}\), except that the challenger generates the constrained key using the auxiliary constraining algorithm \(\mathsf {Constrain} _2^*\): \(\mathsf {sk} _\mathsf {T} ^*\leftarrow \mathsf {Constrain} _2^*(\mathsf {pp} ^*, \mathsf {msk} ^*)\). Moreover, the challenger answers the challenge queries using the auxiliary evaluation algorithm \(\mathsf {Eval} _2^*\). In particular, on a challenge query \(x\in \mathsf {T} \), the challenger replies with \(\mathsf {Eval} ^*_2(\mathsf {msk} ^*, \mathsf {sk} _\mathsf {T} ^*, x)\). The evaluation queries are handled as in \(\mathsf {H} _2\) (using \(\mathsf {Eval} _1^*\)). Similar to \({\mathsf {H} _{2}}\), if the adversary makes multiple challenge queries on the same input x, the challenger will use a consistent value each time (i.e., reply with the value of \(\mathsf {Eval} _2^*(\mathsf {msk} ^*, \mathsf {sk} _\mathsf {T} ^*, x)\) it used when responding to the first challenge query on input \(x\)).

  • Hybrid \({\mathsf {H} _{4}}\): Same as \({\mathsf {H} _{3}}\), except that the challenger generates the constrained key using the auxiliary constraining algorithm \(\mathsf {Constrain} _1^*\): \(\mathsf {sk} _\mathsf {T} ^*\leftarrow \mathsf {Constrain} _1^*(\mathsf {pp} ^*, \mathsf {msk} ^*)\). Both the evaluation and the challenge oracle queries are handled as in \(\mathsf {H} _3\).

  • Hybrid \({\mathsf {H} _{5}}\): Same as \({\mathsf {H} _{4}}\), except that the challenger answers the evaluation queries using the real evaluation algorithm \(\mathsf {TPRF} .\mathsf {Eval} (\mathsf {pp} ^*, \mathsf {msk} ^*, \cdot )\) (still with the auxiliary parameters and key). The challenge queries are handled as in \(\mathsf {H} _4\) (using \(\mathsf {Eval} _2^*\)).

  • Hybrid \({\mathsf {H} _{6}}\): Same as \({\mathsf {H} _{5}}\), except the challenger generates the public parameters \(\mathsf {pp} \) and the constrained key \(\mathsf {sk} _\mathsf {T} \) honestly using \((\mathsf {pp} , \mathsf {tk} ) \leftarrow \mathsf {TPRF} .\mathsf {Setup} (1^\lambda )\), \(\mathsf {msk} \leftarrow \mathsf {TPRF} .\mathsf {SampleKey} (\mathsf {pp} )\), and \(\mathsf {sk} _\mathsf {T} = (\mathsf {enc} ,\mathsf {ct} ) \leftarrow \mathsf {TPRF} .\mathsf {Constrain} (\mathsf {pp} ,\mathsf {msk} ,\mathsf {T} )\). This is the experiment \(\mathsf {CExpt} _{\Pi _{\mathsf {TPRF} }, \mathcal {A}, \mathcal {S}^{(t)}}^{(1)}\) (Definition 4.9).

For a hybrid experiment \(\mathsf {H} \) and an adversary \(\mathcal {A}\), we write \(\mathsf {H} (\mathcal {A})\) to denote the random variable for the output of \(\mathcal {A}\) in hybrid \(\mathsf {H} \). We now show that the distribution of the adversary’s outputs in each consecutive pair of hybrid experiments is either statistically or computationally indistinguishable.

Lemma A.7

For all adversaries \(\mathcal {A}\), \(\left| \Pr [\mathsf {H} _0(\mathcal {A}) = 1] - \Pr [\mathsf {H} _1(\mathcal {A}) = 1] \right| = \mathsf {negl} (\lambda )\).

Proof

The only difference between \(\mathsf {H} _0\) and \(\mathsf {H} _1\) is that the public parameters and the constrained key are generated according to the auxiliary algorithms \(\mathsf {Setup} ^*\) and \(\mathsf {Constrain} _1^*\) in \(\mathsf {H} _1\), respectively, rather than the real algorithms. By the same argument as in the proof of Lemma A.1 (for evaluation correctness), we have that the distribution of \((\mathsf {pp} , \mathsf {sk} _\mathsf {T} )\) in \(\mathsf {H} _0\) is statistically indistinguishable from the distribution of \((\mathsf {pp} ^*, \mathsf {sk} _\mathsf {T} ^*)\) in \(\mathsf {H} _1\). Finally, since the evaluation oracle queries are handled identically in the two experiments, we conclude that the adversary’s view in \(\mathsf {H} _0\) and \(\mathsf {H} _1\) is statistically indistinguishable. The lemma follows. \(\square \)

Before showing that hybrid \(\mathsf {H} _1\) and \(\mathsf {H} _2\) are computationally indistinguishable (Lemma A.9), we first show that hybrids \(\mathsf {H} _2\) and \(\mathsf {H} _3\) are computationally indistinguishable (Lemma A.8). This will greatly simplify the argument needed to show indistinguishability of hybrids \(\mathsf {H} _1\) and \(\mathsf {H} _2\) in Lemma A.9.

Lemma A.8

Under the \(\mathsf {LWE} _{n, m', q, \chi }\) assumption (where \(m' = m(3 + t(z+ 1) + \tau )\)), for all efficient adversaries \(\mathcal {A}\), \( \left| \Pr [\mathsf {H} _2(\mathcal {A}) = 1] - \Pr [\mathsf {H} _3(\mathcal {A}) = 1] \right| = \mathsf {negl} (\lambda ) \).

Proof

Our argument is very similar to the proof of Lemma A.2, with the exception that we additionally have to reason about the challenge oracle queries in this case. In particular, we show that if there exists an adversary \(\mathcal {A}\) that can distinguish \(\mathsf {H} _2\) from \(\mathsf {H} _3\) with some non-negligible probability, then we can use \(\mathcal {A}\) to construct an algorithm \(\mathcal {B}\) that breaks the \(\mathsf {LWE} _{n, m', q, \chi }\) assumption with the same probability. Algorithm \(\mathcal {B}\) behaves as follows:

  1. First, \(\mathcal {B}\) receives a challenge \((\hat{\mathbf {A}}, \hat{\mathbf {a}})\), \(\{ (\mathbf {A}'_b, \mathbf {a}'_b) \}_{b \in \{0,1\}}\), \(\{ (\mathbf {B}'_{i, j}, \mathbf {b}'_{i, j}) \}_{i\in [t], j\in [z]}\), \(\{ (\mathbf {C}'_k, \mathbf {c}'_k) \}_{k\in [\tau ]}\), and \(\{ (\mathbf {H}'_i, \mathbf {h}'_i) \}_{i\in [t]}\) from the LWE challenger.

  2. Algorithm \(\mathcal {B}\) starts running \(\mathcal {A}\). When \(\mathcal {A}\) commits to its set \(\mathsf {T} = \{ x_i^* \}_{i\in [t]}\), algorithm \(\mathcal {B}\) runs the auxiliary setup algorithm \(\mathsf {Setup} ^*\), except it instantiates \(\mathsf {pp} ^*\) as follows:

    • It uses the matrices \(\hat{\mathbf {A}}\), \(\{ \mathbf {A}'_b \}_{b \in \{0,1\}}\), \(\{ \mathbf {B}'_{i,j} \}_{i\in [t], j\in [z]}\), and \(\{ \mathbf {C}'_k \}_{k\in [\tau ]}\) from the LWE challenge in place of the corresponding matrices in \(\mathsf {Setup} ^*\).

    • It uses the matrices \(\mathbf {H}'_i\) from the LWE challenge to instantiate the vectors \(\{ \mathbf {w}_i \}_{i\in [t]}\). Namely, for each \(i\in [t]\) it sets \(\mathbf {w}_i = (w_{i,1}, \ldots , w_{i,N})\) such that \(\mathbf {H}'_i= \sum _{\ell \in [N]} w_{i,\ell } \mathbf {D}_\ell \).

    Finally, \(\mathcal {B}\) constructs the remaining components of \(\mathsf {pp} ^*\) and \(\mathsf {msk} ^*\) exactly as described in the \(\mathsf {Setup} ^*\) algorithm, with the exception that it does not sample a secret key \(\mathbf {s}\) in \(\mathsf {msk} ^*\).

  3. To simulate the constrained key \(\mathsf {sk} _\mathsf {T} ^*\), algorithm \(\mathcal {B}\) sets \(\mathsf {enc} = \left( \hat{\mathbf {a}}, \{ \mathbf {a}'_b \}_{b \in \{0,1\}}, \{ \mathbf {b}'_{i, j} \}_{i\in [t], j\in [z]}, \{ \mathbf {c}'_k \}_{k\in [\tau ]} \right) \) to be the vectors from the LWE challenge. The ciphertexts \(\mathsf {ct} \) are constructed exactly as described in \(\mathsf {Setup} ^*\). Finally, \(\mathcal {B}\) gives the public parameters \(\mathsf {pp} ^*\) and the constrained key \(\mathsf {sk} _\mathsf {T} ^*= (\mathsf {enc} , \mathsf {ct} )\) to \(\mathcal {A}\).

  4. To simulate the honest evaluation queries for \(x\notin \mathsf {T} \), \(\mathcal {B}\) computes the vectors

    $$\begin{aligned} \widetilde{\mathbf {b}}_{i, \ell } \leftarrow \mathsf {Eval} _{\mathsf {ct} }((\mathsf {ct} _i, x), C_{\ell }, \mathbf {b}_{i,1}, \ldots , \mathbf {b}_{i,z}, \mathbf {a}_{x_1}, \ldots , \mathbf {a}_{x_\rho }, \mathbf {c}_1, \ldots , \mathbf {c}_\tau ) \end{aligned}$$

    for \(i\in [t]\) and \(\ell \in [N]\) and returns the value

    $$\begin{aligned} \tilde{\mathbf {y}}= \left\lfloor \hat{\mathbf {a}}+ \sum _{\begin{array}{c} i\in [t] \\ \ell \in [N] \end{array}} \widetilde{\mathbf {b}}_{i,\ell }^T \cdot \mathbf {G}^{-1}(\mathbf {D}_\ell ) \right\rceil _p. \end{aligned}$$

  5. Whenever \(\mathcal {A}\) makes a challenge oracle query on a point \(x\in \mathsf {T} \) (in particular, this means that \(x= x_{i^*}^*\) for some \({i^*}\in [t]\)), algorithm \(\mathcal {B}\) responds as follows. It first computes the vectors

    $$\begin{aligned} \widetilde{\mathbf {b}}_{i, \ell } \leftarrow \mathsf {Eval} _{\mathsf {ct} }((\mathsf {ct} _i, x), C_{\ell }, \mathbf {b}_{i,1}, \ldots , \mathbf {b}_{i,z}, \mathbf {a}_{x_1}, \ldots , \mathbf {a}_{x_\rho }, \mathbf {c}_1, \ldots , \mathbf {c}_\tau ) \end{aligned}$$

    for \(i\in [t]\) and \(\ell \in [N]\) and returns the value

    $$\begin{aligned} \tilde{\mathbf {y}}= \left\lfloor \hat{\mathbf {a}}+ \sum _{\begin{array}{c} i\in [t] \\ \ell \in [N] \end{array}} \widetilde{\mathbf {b}}_{i,\ell }^T \cdot \mathbf {G}^{-1}(\mathbf {D}_\ell ) - \mathbf {h}'_{{i^*}} \right\rceil _p . \end{aligned}$$

  6. Finally, \(\mathcal {B}\) outputs whatever \(\mathcal {A}\) outputs.

We now argue that the public parameters \(\mathsf {pp} ^*\), the constrained key \(\mathsf {sk} _\mathsf {T} ^*\), the honest evaluation queries, and the challenge oracle queries are correctly simulated.

  • By definition, the matrices \(\hat{\mathbf {A}}\), \(\{ \mathbf {A}'_b \}_{b \in \{0,1\}}\), \(\{ \mathbf {B}'_{i, j} \}_{i\in [t], j\in [z]}\), and \(\{ \mathbf {C}'_k \}_{k\in [\tau ]}\) are distributed uniformly and independently over \(\mathbb {Z}_q^{n \times m}\), exactly as those sampled by \(\mathsf {Setup} ^*\). In addition, since each \(\mathbf {H}_i'\) is also uniformly random over \(\mathbb {Z}_q^{n \times m}\), it follows that each \(\mathbf {w}_i\) is uniform over \(\mathbb {Z}_q^N\) (since the collection \(\{ \mathbf {D}_\ell \}_{\ell \in [N]}\) constitutes a basis for \(\mathbb {Z}_q^{n \times m}\)). Thus, algorithm \(\mathcal {B}\) perfectly simulates the behavior of \(\mathsf {Setup} ^*\) in \(\mathsf {H} _2\) and \(\mathsf {H} _3\) (except it does not explicitly sample a secret vector \(\mathbf {s}\)).

  • Next, if the challenge vectors \(\left( \hat{\mathbf {a}}, \{ \mathbf {a}'_b \}_{b \in \{0,1\}}, \{ \mathbf {b}'_{i, j} \}_{i\in [t], j\in [z]}, \{ \mathbf {c}'_k \}_{k\in [\tau ]} \right) \) are LWE samples, then \(\mathcal {B}\) has correctly simulated the distribution of \(\mathsf {sk} _\mathsf {T} ^*\) in \(\mathsf {H} _2\). If instead they are uniformly random, then \(\mathcal {B}\) has correctly simulated the distribution of \(\mathsf {sk} _\mathsf {T} ^*\) in \(\mathsf {H} _3\).

  • For the honest evaluation queries for \(x\notin \mathsf {T} \), it is easy to see that the simulation is correct since \(\mathcal {B}\) is simply computing the auxiliary evaluation function \(\mathsf {Eval} _1^*\), which is used in both hybrid experiments.

  • For the challenge queries, if \(\{ \mathbf {h}'_i \}_{i\in [t]}\) are LWE samples, then we have for all \({i^*}\in [t]\),

    $$\begin{aligned} \mathbf {h}'_{i^*}= \mathbf {s}^T \mathbf {H}'_{i^*}+ \mathbf {e}_{i^*}^T = \mathbf {s}^T \sum _{\ell \in [N]} w_{{i^*}, \ell } \mathbf {D}_{\ell } + \mathbf {e}_{i^*}^T, \end{aligned}$$

    where \(\mathbf {s}\) is the LWE secret and \(\mathbf {e}_i\) is an error term. Therefore, the value

    $$\begin{aligned} \tilde{\mathbf {y}}= \left\lfloor \hat{\mathbf {a}}+ \sum _{\begin{array}{c} i\in [t] \\ \ell \in [N] \end{array}} \widetilde{\mathbf {b}}_{i,\ell }^T \cdot \mathbf {G}^{-1}(\mathbf {D}_\ell ) - \mathbf {h}'_{{i^*}} \right\rceil _p . \end{aligned}$$

    is a perfect simulation of \(\mathsf {Eval} ^*_1\) in \(\mathsf {H} _2\). Alternatively, if the vectors \(\mathbf {h}'_{i^*}\) are uniformly random, then \(\mathcal {B}\) correctly simulates the challenge oracle responses with \(\mathsf {Eval} ^*_2\) according to \(\mathsf {H} _3\).

We conclude that if algorithm \(\mathcal {B}\) obtains samples from the LWE distribution, then the view it simulates for \(\mathcal {A}\) is identical to the view of \(\mathcal {A}\) in \(\mathsf {H} _2\). Otherwise, if \(\mathcal {B}\) obtains samples from a uniformly random distribution, then the view it simulates for \(\mathcal {A}\) is identical to the view of \(\mathcal {A}\) in \(\mathsf {H} _3\). Thus, we conclude that if \(\mathcal {A}\) is able to distinguish \(\mathsf {H} _2\) from \(\mathsf {H} _3\) with non-negligible probability, \(\mathcal {B}\) can break the \(\mathsf {LWE} _{n, m', q, \chi }\) assumption with the same probability. \(\square \)

Lemma A.9

Under the \(\mathsf {LWE} _{n, m', q, \chi }\) assumption (where \(m' = m(3 + t(z+ 1) + \tau )\)), and \(\mathsf {1D\text {-}SIS\text {-}R} _{m'', p, q, \beta }\) assumptions (where \(m'' = m (3 + t\cdot z+ \tau )\) and \(\beta = B \cdot m^{O(d)}\)) for all efficient adversaries \(\mathcal {A}\), we have that \(\left| \Pr [\mathsf {H} _1(\mathcal {A}) = 1] - \Pr [\mathsf {H} _2(\mathcal {A}) = 1] \right| = \mathsf {negl} (\lambda )\).

Proof

The only difference between hybrids \(\mathsf {H} _1\) and \(\mathsf {H} _2\) is that in \(\mathsf {H} _2\), the honest evaluation and challenge queries are answered using the auxiliary evaluation algorithm \(\mathsf {Eval} _1^*(\mathsf {pp} ^*, \mathsf {msk} ^*, \mathsf {sk} _\mathsf {T} ^*, \cdot )\) rather than the real evaluation algorithm \(\mathsf {TPRF} .\mathsf {Eval} (\mathsf {pp} ^*, \mathsf {msk} ^*, \cdot )\). For clarity of presentation, we consider the evaluation queries and the challenge queries separately.

Evaluation oracle queries By the admissibility condition, the adversary is only allowed to query the evaluation oracle on inputs \(x\notin \mathsf {T} \). In this case, the auxiliary evaluation algorithm \(\mathsf {Eval} _1^*(\mathsf {pp} ^*, \mathsf {msk} ^*, \mathsf {sk} _\mathsf {T} ^*, x)\) simply implements the constrained evaluation algorithm \(\mathsf {TPRF} .\mathsf {ConstrainEval} (\mathsf {pp} ^*, \mathsf {sk} _\mathsf {T} ^*, x)\) using the auxiliary public parameters and constrained key. As long as \(\mathsf {TPRF} .\mathsf {Eval} (\mathsf {pp} ^*, \mathsf {msk} ^*, x) = \mathsf {TPRF} .\mathsf {ConstrainEval} (\mathsf {pp} ^*, \mathsf {sk} _\mathsf {T} ^*, x)\), the distribution of the evaluation query responses in \(\mathsf {H} _1\) and \(\mathsf {H} _2\) is identical. This is precisely the guarantee provided by evaluation correctness (Definition 4.4). More precisely, we can apply the same argument as in the proof of Theorem 5.1 in Appendix A.2.1 (which is where the 1D-SIS-R assumption enters) to show that the constrained evaluation agrees with the true evaluation. Thus, we conclude that the responses to all (admissible) evaluation oracle queries in \(\mathsf {H} _1\) and \(\mathsf {H} _2\) are identical with overwhelming probability.

Challenge oracle queries We now consider the challenge oracle queries. In particular, we argue that the outputs of \(\mathsf {Eval} _1^*(\mathsf {pp} ^*, \mathsf {msk} ^*, \mathsf {sk} _\mathsf {T} ^*, \cdot )\) and \(\mathsf {TPRF} .\mathsf {Eval} (\mathsf {pp} ^*, \mathsf {msk} ^*, \cdot )\) on the challenge queries \(x\in \mathsf {T} \) are computationally indistinguishable. We start by recalling how the challenge queries are handled in the two hybrid experiments:

  • In \(\mathsf {H} _1\), on input a point \(x\), the challenger computes

    $$\begin{aligned} \widetilde{\mathbf {B}}_{i,\ell } \leftarrow \mathsf {Eval} _{\mathsf {pk} }(C_\ell , \mathbf {B}_{i, 1}, \ldots , \mathbf {B}_{i, z}, \mathbf {A}_{x_1}, \ldots , \mathbf {A}_{x_\rho }, \mathbf {C}_1, \ldots , \mathbf {C}_\tau ) \end{aligned}$$

    for \(i\in [t]\), \(\ell \in [N]\) and returns the value

    $$\begin{aligned} \mathbf {y}_x= \left\lfloor \mathbf {s}^T \left( \hat{\mathbf {A}}+ \sum _{\begin{array}{c} i\in [t] \\ \ell \in [N] \end{array}} \widetilde{\mathbf {B}}_{i,\ell } \cdot \mathbf {G}^{-1}(\mathbf {D}_\ell ) \right) \right\rceil _p \end{aligned}$$
  • In \(\mathsf {H} _2\), on input a point \(x= x^*_{{i^*}}\), for some \({i^*}\in [t]\), the challenger computes \(\tilde{\mathbf {y}}= \mathsf {Eval} ^*_1(\mathsf {pp} ^*,\mathsf {msk} ^*,\mathsf {sk} _\mathsf {T} ^*, x)\) by first computing

    $$\begin{aligned} \widetilde{\mathbf {b}}_{i, \ell } \leftarrow \mathsf {Eval} _{\mathsf {ct} }((\mathsf {ct} _i, x), C_{\ell }, \mathbf {b}_{i,1}, \ldots , \mathbf {b}_{i,z}, \mathbf {a}_{x_1}, \ldots , \mathbf {a}_{x_\rho }, \mathbf {c}_1, \ldots , \mathbf {c}_\tau ) \end{aligned}$$

    for \(i\in [t]\) and \(\ell \in [N]\). It then samples an error vector \(\mathbf {e}\leftarrow \chi ^m\) and returns

    $$\begin{aligned} \tilde{\mathbf {y}}= \left\lfloor \hat{\mathbf {a}}+ \sum _{\begin{array}{c} i\in [t] \\ \ell \in [N] \end{array}} \widetilde{\mathbf {b}}_{i,\ell }^T \cdot \mathbf {G}^{-1}(\mathbf {D}_\ell ) - \mathbf {s}^T \sum _{\ell \in [N]} w_{{i^*},\ell } \mathbf {D}_\ell - \mathbf {e}^T \right\rceil _p . \end{aligned}$$

    By Theorems 3.9 and 3.10 and the definition of \(\{ \mathbf {A}_b \}_{b \in \{0,1\}}\), \(\{ \mathbf {B}_{i, j} \}_{i\in [t], j\in [z]}\), and \(\{ \mathbf {C}_{k} \}_{k\in [\tau ]}\) in \(\mathsf {Setup} ^*\), we can write

    $$\begin{aligned} \widetilde{\mathbf {b}}_{i,\ell }^T = \mathbf {s}^T \left( \widetilde{\mathbf {B}}_{i,\ell } + (\mathsf {eq} (x,x^*_i) \cdot w_{i,\ell } + \epsilon _{i,\ell }) \cdot \mathbf {G}\right) + \mathbf {e}^T_{i,\ell } \end{aligned}$$

    for \(\left\| \mathbf {e}_{i,\ell } \right\| \le B \cdot m^{O(d)}\). Since \(\mathsf {eq} (x,x^*_i)=0\) for \(i\ne {i^*}\) and \(\mathsf {eq} (x,x^*_{i^*})=1\), we can rewrite \(\tilde{\mathbf {y}}\) as follows

    $$\begin{aligned} \tilde{\mathbf {y}}&= \left\lfloor \hat{\mathbf {a}}+ \sum _{\begin{array}{c} i\in [t] \\ \ell \in [N] \end{array}} \left[ \mathbf {s}^T \left( \widetilde{\mathbf {B}}_{i, \ell } \cdot \mathbf {G}^{-1}(\mathbf {D}_\ell ) + \epsilon _{i, \ell } \mathbf {D}_\ell \right) + \mathbf {e}_{i, \ell }^T \mathbf {G}^{-1}(\mathbf {D}_\ell ) \right] \right. \\&\quad \left. + \mathbf {s}^T \sum _{\ell \in [N]} \left( w_{{i^*}, \ell }\mathbf {D}_\ell - w_{{i^*}, \ell }\mathbf {D}_\ell \right) - \mathbf {e}^T \right\rceil _p \\&= \left\lfloor \mathbf {s}^T \left( \hat{\mathbf {A}}+ \sum _{\begin{array}{c} i\in [t] \\ \ell \in [N] \end{array}} \widetilde{\mathbf {B}}_{i,\ell } \cdot \mathbf {G}^{-1}(\mathbf {D}_\ell ) \right) + \widetilde{\mathbf {e}}^T \right\rceil _p, \end{aligned}$$

    where \(\widetilde{\mathbf {e}}^T = \sum _{i\in [t], \ell \in [N]} \left( \epsilon _{i, \ell } \cdot \mathbf {s}^T \mathbf {D}_\ell + \mathbf {e}_{i, \ell }^T \mathbf {G}^{-1}(\mathbf {D}_\ell ) \right) - \mathbf {e}^T\). Note that \(\left\| \widetilde{\mathbf {e}} \right\| \le B \cdot m^{O(d)}\).

For notational convenience, define \(\varvec{\xi }_x\in \mathbb {Z}_q^m\) to be the “unrounded” PRF value in \(\mathsf {H} _2\):

$$\begin{aligned} \varvec{\xi }_x^T = \mathbf {s}^T \left( \hat{\mathbf {A}}+ \sum _{\begin{array}{c} i\in [t] \\ \ell \in [N] \end{array}} \widetilde{\mathbf {B}}_{i,\ell } \cdot \mathbf {G}^{-1}(\mathbf {D}_\ell ) \right) + \widetilde{\mathbf {e}}^T . \end{aligned}$$

Then, we can write \({\tilde{\mathbf {y}}}_x= \lfloor \varvec{\xi }_x^T \rceil _p\) and \(\mathbf {y}_x= \lfloor \varvec{\xi }_x^T - \widetilde{\mathbf {e}}^T \rceil _p\). Thus, we see that \(\mathbf {y}_x= \tilde{\mathbf {y}}_x\) as long as the vector \(\varvec{\xi }_x\) does not contain any “borderline” components that can be rounded in the wrong direction due to \(\widetilde{\mathbf {e}}\). Similar to the proof of evaluation correctness in Appendix A.2.1, we define \(\mathsf {Borderline} _{x}\) to be the event that there exists an index \(\eta \in [m]\) such that

$$\begin{aligned} \varvec{\xi }_x^T \mathbf {u}_\eta \in [-E,E] + \frac{q}{p} \cdot (\mathbb {Z}+ 1/2) \end{aligned}$$

where \(E = B \cdot m^{O(d)}\) is the bound on \(\left\| \widetilde{\mathbf {e}} \right\| \) from above and \(\mathbf {u}_\eta \) is the \(\eta {\mathrm {th}}\) basis vector. To conclude the proof, we show that \(\Pr [\mathsf {Borderline} _{x}] = \mathsf {negl} (\lambda )\) in \(\mathsf {H} _2\). Our argument consists of two steps. First, we argue that in \(\mathsf {H} _3\), the “unrounded” PRF evaluation does not contain any borderline components. This in turn implies that in \(\mathsf {H} _2\), the unrounded PRF value \(\varvec{\xi }_x\) does not contain any borderline components—otherwise, algorithm \(\mathcal {B}\) from the proof of Lemma A.8 can be used to distinguish \(\mathsf {H} _2\) from \(\mathsf {H} _3\), in violation of Lemma A.8. We now show this more formally.

  • In hybrid \(\mathsf {H} _3\), on a challenge query \(x= x_{i}^*\), the response is computed by first sampling \(\mathbf {d}\overset{\textsc {r}}{\leftarrow }\mathbb {Z}_q^m\) and then rounding \({\tilde{\mathbf {y}}}_x= \lfloor \mathbf {d} \rceil _p\). Since \(E \cdot p/q = \mathsf {negl} (\lambda )\), we conclude that for each \(\eta \in [m]\),

    $$\begin{aligned} \Pr [ \mathbf {d}^T \mathbf {u}_\eta \in [-E, E] + (q/p) \cdot (\mathbb {Z}+ 1/2) ] = \mathsf {negl} (\lambda ). \end{aligned}$$

    Thus, with overwhelming probability, \(\mathbf {d}\) does not contain any borderline components.

  • Suppose in \(\mathsf {H} _2\) that the vector \(\varvec{\xi }_x\) contains a borderline component with non-negligible probability. But then the algorithm \(\mathcal {B}\) from the proof of Lemma A.8 can be used to distinguish \(\mathsf {H} _2\) from \(\mathsf {H} _3\): the algorithm \(\mathcal {B}\) simply outputs 1 if the unrounded vector contains a borderline component. From our analysis in Lemma A.8, the unrounded vector \(\varvec{\xi }_x\) is distributed exactly as in \(\mathsf {H} _2\) if \(\mathcal {B}\) received samples from the LWE distribution, whereas the unrounded vector \(\varvec{\xi }_x\) is distributed as in \(\mathsf {H} _3\) if \(\mathcal {B}\) received samples from the uniform distribution. Thus, under \(\mathsf {LWE} _{n, m', q, \chi }\), it must be the case that \(\varvec{\xi }_x\) does not contain any borderline components with overwhelming probability.

Under the \(\mathsf {LWE} _{n, m', q, \chi }\) assumption, we have that \(\Pr [ \mathsf {Borderline} _{x} ] = \mathsf {negl} (\lambda )\). In this case, \(\mathbf {y}_x= {\tilde{\mathbf {y}}}_x\). We conclude that the distributions of responses to the challenge queries in \(\mathsf {H} _1\) and \(\mathsf {H} _2\) are computationally indistinguishable. \(\square \)
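The rounding mechanism behind the Borderline argument, as an added toy example that is not part of the paper (pure Python; the function names `round_p`, `is_borderline` and the toy values of \(q, p, E, m\) are constructed for illustration and are not the paper's parameters). It implements \(\lfloor \cdot \rceil _p\) on \(\mathbb {Z}_q\), tests whether a coordinate lies in \([-E,E] + (q/p)(\mathbb {Z}+ 1/2)\), checks that \(\lfloor \varvec{\xi } \rceil _p\) and \(\lfloor \varvec{\xi } - \widetilde{\mathbf {e}} \rceil _p\) agree on every non-borderline coordinate, and compares the empirical borderline rate of a uniform \(\mathbf {d}\in \mathbb {Z}_q^m\) (the \(\mathsf {H} _3\) distribution) with the union bound \(m \cdot p \cdot (2E+1)/q\):

```python
"""Rounding, error tolerance and the Borderline event (added toy example).

Constructed illustration of the step in Lemma A.9: the two hybrids return
round_p(xi) and round_p(xi - e_tilde) for a small error e_tilde.  These
agree on every coordinate that is not "borderline", i.e. not within E of a
rounding boundary (q/p)(k + 1/2).  All parameters here are toy values.
"""
import random


def round_p(v, q, p):
    """The rounding Z_q -> Z_p, v |-> floor(v * p / q + 1/2) mod p, in exact integer arithmetic."""
    return ((2 * (v % q) * p + q) // (2 * q)) % p


def is_borderline(c, q, p, E):
    """True iff c (as an element of Z_q) lies in [-E, E] + (q/p)(Z + 1/2).

    Scaling by 2p: c is within E of (2k+1)q/(2p) for some integer k iff
    2cp is within 2Ep of an odd multiple of q, i.e. of q modulo 2q.
    """
    t = (2 * (c % q) * p - q) % (2 * q)
    return min(t, 2 * q - t) <= 2 * E * p


def borderline_indices(xi, q, p, E):
    """Indices eta whose coordinate is borderline; Borderline_x is 'this list is non-empty'."""
    return [eta for eta, c in enumerate(xi) if is_borderline(c, q, p, E)]


def rounding_agrees_off_borderline(xi, err, q, p, E):
    """Lemma A.9's step: round(xi - err) and round(xi) coincide at every
    non-borderline coordinate whenever ||err||_inf <= E."""
    if max(abs(e) for e in err) > E:
        raise ValueError("error exceeds the bound E")
    border = set(borderline_indices(xi, q, p, E))
    return all(
        round_p(c - e, q, p) == round_p(c, q, p)
        for eta, (c, e) in enumerate(zip(xi, err))
        if eta not in border
    )


def borderline_rate(q, p, E, m, trials, seed=0):
    """Empirical Pr[Borderline] for d uniform over Z_q^m (the H_3 distribution)."""
    rng = random.Random(seed)
    hits = sum(
        1 for _ in range(trials)
        if borderline_indices([rng.randrange(q) for _ in range(m)], q, p, E)
    )
    return hits / trials


def borderline_bound(q, p, E, m):
    """Union bound: each coordinate has p boundaries with at most 2E+1 residues
    within distance E of each, so Pr[Borderline] <= m * p * (2E+1) / q."""
    return m * p * (2 * E + 1) / q


if __name__ == "__main__":
    q, p, E = 1024, 4, 3
    xi, err = [0, 100, 130, 500, 900], [3, -3, 2, 1, -2]   # constructed sample
    print("borderline coordinates:", borderline_indices(xi, q, p, E))
    print("agree off borderline:", rounding_agrees_off_borderline(xi, err, q, p, E))
    print("borderline coord 130 flips under err 3:", round_p(130, q, p), round_p(127, q, p))
    for qq in (1024, 2 ** 20):
        print(qq, "rate", borderline_rate(qq, p, E, 5, 2000), "bound", borderline_bound(qq, p, E, 5))
```

The bound \(m p (2E+1)/q\) is why the proof needs \(E \cdot p/q = \mathsf {negl} (\lambda )\): with \(q = 2^{20}\) the borderline rate is essentially zero, while with \(q = 1024\) it is clearly visible. The coordinate 130 shows that at a borderline position the two hybrids can genuinely round differently, which is exactly why the argument detours through \(\mathsf {H} _3\) instead of comparing \(\mathsf {H} _1\) and \(\mathsf {H} _2\) directly.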

Lemma A.10

Under the \(\mathsf {LWE} _{n, m', q, \chi }\) assumption (where \(m' = m(3 + t(z+ 1) + \tau )\)), for all efficient adversaries \(\mathcal {A}\), \(\left| \Pr [\mathsf {H} _3(\mathcal {A}) = 1] - \Pr [\mathsf {H} _4(\mathcal {A}) = 1] \right| = \mathsf {negl} (\lambda )\).

Proof

Follows from a similar argument as Lemma A.8 (except the behavior of the challenge oracle is identical in the two experiments). \(\square \)

Lemma A.11

Under the \(\mathsf {LWE} _{n, m', q, \chi }\) assumption (where \(m' = m(3 + t(z+ 1) + \tau )\)) and the \(\mathsf {1D\text {-}SIS\text {-}R} _{m'',p,q,\beta }\) assumption (where \(m'' = m(3 + tz+ \tau )\) and \(\beta = B \cdot m^{O(d)}\)), for all efficient adversaries \(\mathcal {A}\), \(\left| \Pr [\mathsf {H} _4(\mathcal {A}) = 1] - \Pr [\mathsf {H} _5(\mathcal {A}) = 1] \right| = \mathsf {negl} (\lambda )\).

Proof

Follows from a similar argument as Lemma A.9, except we only have to reason about how the evaluation oracle queries are handled. The challenge queries are handled identically in the two experiments. \(\square \)

Lemma A.12

For all adversaries \(\mathcal {A}\), \(\left| \Pr [\mathsf {H} _5(\mathcal {A}) = 1] - \Pr [\mathsf {H} _6(\mathcal {A}) = 1] \right| = \mathsf {negl} (\lambda )\).

Proof

Follows from the same argument as Lemma A.7. \(\square \)

Combining Lemmas A.7 to A.12, we conclude that \(\Pi _{\mathsf {TPRF} }\) satisfies selective single-key constrained pseudorandomness. \(\square \)

1.3.2 Privacy

In this section, we show that the translucent PRF in Sect. 5.1 satisfies selective single-key privacy. Specifically, we show the following claim:

Claim A.13

(Privacy) Define \(\lambda , n, m, q, \chi , t, z, \tau \) as in Theorem 5.2. Under the \(\mathsf {LWE} _{n, m', q, \chi }\) assumption and assuming the homomorphic encryption scheme \(\Pi _{\mathsf {HE} }\) is semantically secure, \(\Pi _{\mathsf {TPRF} }\) is selectively single-key private (Definition 4.14).

Proof

Recall first that a constrained key \(\mathsf {sk} _\mathsf {T} = (\mathsf {enc} , \mathsf {ct} )\) for a set \(\mathsf {T} = \{ x_i^* \}_{i\in [t]}\) consists of two components: a set of encodings \(\mathsf {enc} \) and a collection of ciphertexts \(\mathsf {ct} = \{ \mathsf {ct} _i \}_{i\in [t]}\). In our proof of constrained pseudorandomness (Claim A.6), we demonstrated that the set of encodings \(\mathsf {enc} \) in the constrained key is indistinguishable from a collection of random vectors. Together with semantic security of the FHE ciphertexts \(\mathsf {ct} _i\), we have that the constrained key \(\mathsf {sk} _\mathsf {T} \) hides the set \(\mathsf {T} \).

Formally, we proceed with a hybrid argument. Let \(\mathcal {A}\) be an adversary and \(\mathcal {S}^{(t)}\) be the set system corresponding to the family of \(t\)-puncturable constraints (Definition 4.7). In the proof, we show the selective notion of privacy (Remark 4.15) where we assume that the adversary commits to its two challenge sets \(S_0\) and \(S_1\) at the beginning of the experiment. We now introduce our hybrid experiments.

  • Hybrid \(\mathsf {H} _0\): This is the real experiment \(\mathsf {PExpt} _{\Pi _{\mathsf {TPRF} }, \mathcal {A}, \mathcal {S}^{(t)}}^{(0)}\) where the challenger, on input two sets \(S_0, S_1 \in \mathcal {S}^{(t)}\), gives the adversary the constrained key \(\mathsf {sk} _0 = (\mathsf {enc} , \mathsf {ct} ) \leftarrow \mathsf {TPRF} .\mathsf {Constrain} (\mathsf {pp} , \mathsf {msk} , S_0)\), where \(\mathsf {pp} \) and \(\mathsf {msk} \) are sampled exactly as in the real experiment.

  • Hybrid \(\mathsf {H} _1\): Same as \(\mathsf {H} _0\), except the encodings in \(\mathsf {sk} _0\) are replaced by a uniformly random string. More precisely, the challenger first computes \((\mathsf {enc} , \mathsf {ct} ) \leftarrow \mathsf {TPRF} .\mathsf {Constrain} (\mathsf {pp} , \mathsf {msk} , S_0)\). Then, it samples \(\mathbf {r}\overset{\textsc {r}}{\leftarrow }\{0,1\}^{\left| \mathsf {enc} \right| }\) and returns \(\mathsf {sk} _0 = (\mathbf {r}, \mathsf {ct} )\) to the adversary.

  • Hybrid \(\mathsf {H} _2\): Same as \(\mathsf {H} _1\), except that the challenger computes \((\mathsf {enc} , \mathsf {ct} ) \leftarrow \mathsf {TPRF} .\mathsf {Constrain} (\mathsf {pp} , \mathsf {msk} , S_1)\). Then, it samples \(\mathbf {r}\overset{\textsc {r}}{\leftarrow }\{0,1\}^{\left| \mathsf {enc} \right| }\) and returns \(\mathsf {sk} _1 = (\mathbf {r}, \mathsf {ct} )\) to the adversary.

  • Hybrid \(\mathsf {H} _3\): This is the real experiment \(\mathsf {PExpt} _{\Pi _{\mathsf {TPRF} }, \mathcal {A}, \mathcal {S}^{(t)}}^{(1)}\), where the challenger, on input two sets \(S_0, S_1 \in \mathcal {S}^{(t)}\), replies to the adversary with the constrained key \(\mathsf {sk} _1 \leftarrow \mathsf {TPRF} .\mathsf {Constrain} (\mathsf {pp} , \mathsf {msk} , S_1)\).

Lemma A.14

Under the \(\mathsf {LWE} _{n, m', q, \chi }\) assumption (where \(m' = m(3 + t(z+ 1) + \tau )\)), for all efficient adversaries \(\mathcal {A}\), \(\left| \Pr [\mathsf {H} _0(\mathcal {A}) = 1] - \Pr [\mathsf {H} _1(\mathcal {A}) = 1] \right| = \mathsf {negl} (\lambda )\).

Proof

The lemma follows directly from the indistinguishability of hybrid experiments \(\mathsf {H} _0\) and \(\mathsf {H} _3\) in the proof of Claim A.6 (Lemmas A.7 to A.9). In particular, note that the adversary in the (selective) privacy game is strictly weaker than the adversary in the (selective) single-key constrained pseudorandomness game, since it is given access to neither a challenge oracle nor an evaluation oracle. Thus, we can invoke Lemmas A.7 to A.9 from the proof of Claim A.6. Moreover, the 1D-SIS-R assumption needed in Lemma A.9 is not necessary in the case of privacy: in Lemma A.9 it is needed only to argue that the evaluation queries are properly simulated, and here the challenger does not have to simulate any evaluation queries. \(\square \)

Lemma A.15

If \(\Pi _{\mathsf {HE} }\) is semantically secure (Definition 3.8), then for all efficient adversaries \(\mathcal {A}\), it follows that \(\left| \Pr [\mathsf {H} _1(\mathcal {A}) = 1] - \Pr [\mathsf {H} _2(\mathcal {A}) = 1] \right| = \mathsf {negl} (\lambda )\).

Proof

We argue that by semantic security of \(\Pi _{\mathsf {HE} }\), the adversary’s views in \(\mathsf {H} _1\) and \(\mathsf {H} _2\) are computationally indistinguishable. First, the public parameters \(\mathsf {pp} \) are identically distributed in the two experiments. Let \(\mathsf {sk} _0 = (\mathbf {r}_0, \mathsf {ct} _0)\) and \(\mathsf {sk} _1 = (\mathbf {r}_1, \mathsf {ct} _1)\) be the constrained keys the adversary receives in \(\mathsf {H} _1\) and \(\mathsf {H} _2\), respectively. By construction, \(\mathbf {r}_0\) and \(\mathbf {r}_1\) are uniform over \(\{0,1\}^{\left| \mathsf {enc} \right| }\) and independent of all other parameters. Thus, it suffices to argue that the ciphertexts \(\mathsf {ct} _0\) and \(\mathsf {ct} _1\) are computationally indistinguishable. But since \(\mathsf {ct} _0\) and \(\mathsf {ct} _1\) each consist of a (polynomial-sized) collection of ciphertexts encrypted under \(\Pi _{\mathsf {HE} }\) (with a secret key that is unknown to the adversary \(\mathcal {A}\)), semantic security of \(\Pi _{\mathsf {HE} }\) implies that the distribution of \(\mathsf {ct} _0\) is computationally indistinguishable from the distribution of \(\mathsf {ct} _1\). The claim follows. \(\square \)

Lemma A.16

Under the \(\mathsf {LWE} _{n, m', q, \chi }\) assumption (where \(m' = m(3 + t(z+ 1) + \tau )\)), for all efficient adversaries \(\mathcal {A}\), \(\left| \Pr [\mathsf {H} _2(\mathcal {A}) = 1] - \Pr [\mathsf {H} _3(\mathcal {A}) = 1] \right| = \mathsf {negl} (\lambda )\).

Proof

Follows from the same argument as Lemma A.14. \(\square \)

Combining Lemmas A.14 to A.16, we have that experiments \(\mathsf {PExpt} _{\Pi _{\mathsf {TPRF} }, \mathcal {A}, \mathcal {S}^{(t)}}^{(0)}\) and \(\mathsf {PExpt} _{\Pi _{\mathsf {TPRF} }, \mathcal {A}, \mathcal {S}^{(t)}}^{(1)}\) are computationally indistinguishable. Thus, \(\Pi _{\mathsf {TPRF} }\) satisfies selective single-key privacy. \(\square \)

1.3.3 Key-Injectivity

In this section, we show that the translucent PRF in Sect. 5.1 satisfies key-injectivity. Specifically, we show the following claim:

Claim A.17

(Key-Injectivity) Define \(\lambda , n, m, q, \chi , t, z, \tau \) as in Theorem 5.2. Then, the translucent \(t\)-puncturable PRF \(\Pi _{\mathsf {TPRF} }\) satisfies key-injectivity (Definition 4.16).

Proof

Take any \(x\in \{0,1\}^\rho \). Let \((\mathsf {pp} , \mathsf {tk} ) \leftarrow \mathsf {TPRF} .\mathsf {Setup} (1^\lambda )\) and take any \(\mathsf {msk} = \mathbf {s}\in [-B, B]^n\). Then, to compute the PRF value at \(x\), the evaluation algorithm \(\mathsf {TPRF} .\mathsf {Eval} (\mathsf {pp} , \mathsf {msk} ,x)\) first computes the matrices

$$\begin{aligned} \widetilde{\mathbf {B}}_{i,\ell } \leftarrow \mathsf {Eval} _{\mathsf {pk} }(C_\ell , \mathbf {B}_{i, 1}, \ldots , \mathbf {B}_{i, z}, \mathbf {A}_{x_1}, \ldots , \mathbf {A}_{x_\rho }, \mathbf {C}_1, \ldots , \mathbf {C}_\tau ) \end{aligned}$$

for all \(i\in [t]\) and \(\ell \in [N]\). It then outputs the vector

$$\begin{aligned} \mathbf {y}_x= \left\lfloor \mathbf {s}^T \left( \hat{\mathbf {A}}+ \sum _{\begin{array}{c} i\in [t] \\ \ell \in [N] \end{array}} \widetilde{\mathbf {B}}_{i, \ell } \cdot \mathbf {G}^{-1}(\mathbf {D}_\ell ) \right) \right\rceil _p. \end{aligned}$$

To simplify notation, let \(\mathbf {B}' = \sum _{i\in [t], \ell \in [N]} \widetilde{\mathbf {B}}_{i,\ell } \cdot \mathbf {G}^{-1}(\mathbf {D}_\ell )\); note that \(\mathbf {B}'\) depends only on \(\mathsf {pp} \) and \(x\), not on the key. Now, suppose that there are two keys \(\mathsf {msk} _1 = \mathbf {s}_1, \mathsf {msk} _2 = \mathbf {s}_2 \in [-B, B]^n\) where \(\mathsf {TPRF} .\mathsf {Eval} (\mathsf {pp} , \mathsf {msk} _1,x) = \mathsf {TPRF} .\mathsf {Eval} (\mathsf {pp} , \mathsf {msk} _2,x)\) for some \(x\in \{0,1\}^\rho \). Then,

$$\begin{aligned} \left\lfloor \mathbf {s}_1^T \left( \hat{\mathbf {A}}+ \mathbf {B}' \right) \right\rceil _p = \left\lfloor \mathbf {s}_2^T \left( \hat{\mathbf {A}}+ \mathbf {B}' \right) \right\rceil _p. \end{aligned}$$

This means that the vectors \(\mathbf {s}_1^T(\hat{\mathbf {A}}+ \mathbf {B}')\) and \(\mathbf {s}_2^T(\hat{\mathbf {A}}+ \mathbf {B}')\) are “close” or more precisely,

$$\begin{aligned} \mathbf {s}_1^T (\hat{\mathbf {A}}+ \mathbf {B}') - \mathbf {s}_2^T (\hat{\mathbf {A}}+ \mathbf {B}') = (\mathbf {s}_1^T - \mathbf {s}_2^T) (\hat{\mathbf {A}}+ \mathbf {B}') \in [-B', B']^m, \end{aligned}$$

where \(B' = \frac{q}{2p}\). To complete the proof, we show that such a vector \(\hat{\mathbf {s}}= (\mathbf {s}_1 - \mathbf {s}_2)\) exists in \(\mathbb {Z}_q^n\) with only negligible probability over the randomness used to sample the public parameter matrices (specifically, over the choice of the random coins used to sample \(\hat{\mathbf {A}}\)).

Lemma A.18

Fix any matrix \(\mathbf {B}' \in \mathbb {Z}_q^{n \times m}\) where \(m = \omega (n)\). Then, if the bound B on the error distribution \(\chi \) satisfies \(B < {\hat{p}} / 2\), where \({\hat{p}}\) is the smallest prime dividing the modulus q, and \(B' = q/2p\), we have that

$$\begin{aligned} \Pr _{{\hat{\mathbf {A}}} \overset{\textsc {r}}{\leftarrow }\mathbb {Z}_q^{n \times m}}\left[ \exists \, {\hat{\mathbf {s}}} \in [-2B, 2B]^n \setminus \{ \mathbf {0} \} :{\hat{\mathbf {s}}}^T ({\hat{\mathbf {A}}} + \mathbf {B}') \in [-B', B']^m \right] = \mathsf {negl} (\lambda ). \end{aligned}$$

Proof

We bound the probability that there exists a nonzero \({\hat{\mathbf {s}}} \in [-2B, 2B]^n\) such that \({\hat{\mathbf {s}}}^T \hat{\mathbf {A}}= -{\hat{\mathbf {s}}}^T \mathbf {B}' + \mathbf {e}^T\) where \(\mathbf {e}\in [-B', B']^m\). Take any nonzero \({\hat{\mathbf {s}}} \in [-2B, 2B]^n\). Since \({\hat{\mathbf {s}}} \ne \mathbf {0}\), there exists an index \(i \in [n]\) such that \({\hat{s}}_i \ne 0\). Moreover, since \(\left| {\hat{s}}_i \right| \le 2B < {\hat{p}}\), \({\hat{s}}_i\) is invertible over \(\mathbb {Z}_q\). Since \(\hat{\mathbf {A}}\) is sampled uniformly at random, the relation \({\hat{\mathbf {s}}}^T \hat{\mathbf {A}}= -{\hat{\mathbf {s}}}^T \mathbf {B}' + \mathbf {e}^T\) is satisfied for some \(\mathbf {e}\in [-B', B']^m\) with probability at most \((2B' / q)^m = (1/p)^m\). The claim then follows if we take a union bound over the \((4B)^n\) possible vectors \({\hat{\mathbf {s}}} \in [-2B, 2B]^n\). \(\square \)
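Written out, the counting behind the proof above (an added illustration, not part of the original proof; it uses only the lemma's own quantities, with \(\mathbf {a}_k\) and \(\mathbf {b}_k\) denoting the \(k{\mathrm {th}}\) columns of \(\hat{\mathbf {A}}\) and \(\mathbf {B}'\)): for a fixed nonzero \({\hat{\mathbf {s}}}\) with \({\hat{s}}_i\) invertible, coordinate \(k \in [m]\) of \({\hat{\mathbf {s}}}^T \hat{\mathbf {A}}\) equals \({\hat{s}}_i a_{i,k} + \sum _{j \ne i} {\hat{s}}_j a_{j,k}\), which is uniform over \(\mathbb {Z}_q\) because \(a_{i,k}\) is, and the \(m\) coordinates are independent since they depend on disjoint columns of \(\hat{\mathbf {A}}\). Hence

$$\begin{aligned} \Pr \big [ {\hat{\mathbf {s}}}^T (\hat{\mathbf {A}} + \mathbf {B}') \in [-B', B']^m \big ] = \prod _{k \in [m]} \Pr \big [ {\hat{\mathbf {s}}}^T \mathbf {a}_k \in -{\hat{\mathbf {s}}}^T \mathbf {b}_k + [-B', B'] \big ] \le \left( \frac{2B' + 1}{q} \right) ^m , \end{aligned}$$

which, up to the \(+1\) counting the inclusive endpoint, is the \((2B'/q)^m = p^{-m}\) of the proof. The union bound over the \((4B)^n\) candidate vectors then gives

$$\begin{aligned} \Pr _{{\hat{\mathbf {A}}} \overset{\textsc {r}}{\leftarrow }\mathbb {Z}_q^{n \times m}}\left[ \exists \, {\hat{\mathbf {s}}} \in [-2B, 2B]^n \setminus \{ \mathbf {0} \} :{\hat{\mathbf {s}}}^T ({\hat{\mathbf {A}}} + \mathbf {B}') \in [-B', B']^m \right] \le (4B)^n \cdot p^{-m} = 2^{\, n \log _2 (4B) - m \log _2 p}, \end{aligned}$$

whose exponent tends to \(-\infty \) once \(m \log _2 p\) outgrows \(n \log _2 (4B)\); this is what the hypothesis \(m = \omega (n)\) is used for.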

We conclude that for any \(x\), with overwhelming probability over the choice of \({\hat{\mathbf {A}}}\), there does not exist a pair of keys \(\mathbf {s}_1\) and \(\mathbf {s}_2\) such that \(\mathbf {s}_1^T({\hat{\mathbf {A}}} + \mathbf {B}')\) and \(\mathbf {s}_2^T({\hat{\mathbf {A}}} + \mathbf {B}')\) are close. In particular, this means that with overwhelming probability, \(\mathsf {TPRF} .\mathsf {Eval} (\mathsf {msk} _1, x) \ne \mathsf {TPRF} .\mathsf {Eval} (\mathsf {msk} _2, x)\). Thus, \(\Pi _{\mathsf {TPRF} }\) satisfies key-injectivity. \(\square \)

Watermarking Correctness and Security Analysis

In this section, we prove Theorem 6.16. We analyze correctness (Claim B.1), unremovability (Claim B.3), and unforgeability (Claim B.11) separately.

Claim B.1

(Watermarking Correctness) If \(\Pi _{\mathsf {TPRF} }\) is a selectively secure translucent \(t\)-puncturable PRF and \(\Pi _{\mathsf {PRF} }\) is a secure PRF, then the watermarking scheme \(\Pi _{\mathsf {WM} }\) in Construction 6.15 is correct.

Proof

Take any message \(m \in \{0,1\}^t\). Let \(\mathsf {msk} = (\mathsf {pp} , \mathsf {tk} , h_1, \ldots , h_d, \mathsf {k} ^*) \leftarrow \mathsf {WM.Setup} (1^\lambda )\) be the master secret key for the watermarking scheme. Take \(k \leftarrow \mathsf {TPRF} .\mathsf {SampleKey} (\mathsf {pp} )\) and let \(C \leftarrow \mathsf {WM.Mark} (\mathsf {msk} , k, m)\) be the watermarked key. By construction \(C(\cdot ) = \mathsf {TPRF} .\mathsf {ConstrainEval} (\mathsf {pp} , \mathsf {sk} _S, \cdot )\) where \(\mathsf {sk} _S = \mathsf {TPRF} .\mathsf {Constrain} (\mathsf {pp} , k, S)\) and \(S \subseteq \{0,1\}^n\) is a set of \(2^n- t\) points. We now show each of the requirements separately:

  • Functionality-preserving: Let \(T \subseteq S\) be the set of points x where \(C(x) \ne \mathsf {TPRF} .\mathsf {Eval} (\mathsf {pp} , k, x)\). By evaluation correctness of \(\Pi _{\mathsf {TPRF} }\), no efficient adversary is able to find any such \(x \in T\), except with negligible probability. In particular, this means that \(\left| T \right| / 2^n= \mathsf {negl} (\lambda )\). Finally, since \(C(\cdot )\) can differ from \(\mathsf {TPRF} .\mathsf {Eval} (\mathsf {pp} , k, \cdot )\) on at most \(\left| T \right| + t\) points and \(t= \mathsf {poly} (\lambda )\), we conclude that \(C(\cdot )\) agrees with \(\mathsf {TPRF} .\mathsf {Eval} (\mathsf {pp} , k, \cdot )\) on all but a negligible fraction of points. Note that in this case, the set of punctured points S is a function of the output of the PRF, and as such, we require that the underlying PRF satisfy adaptive correctness (for our constraint family, this is implied by selective correctness and complexity leveraging; see Remark 4.5).

  • Extraction correctness: First, define \({\mathbf {x}}= \big (x_1^{(0)}, x_1^{(1)}, \ldots , x_t^{(0)}, x_t^{(1)} \big )\) as in \(\mathsf {WM.Mark} \) (that is, as the output of \(\mathsf {PRF} .\mathsf {Eval} (\mathsf {k} ^*, \cdot )\)). By construction, \(\{0,1\}^n\setminus S \subset \{ x_1^{(0)}, x_1^{(1)}, \ldots , x_t^{(0)}, x_t^{(1)} \}\). Since \(\Pi _{\mathsf {PRF} }\) is secure and \(n = \omega (\log \lambda )\), it follows that \(\Pr [x_i^{(b)} = h_j] = \mathsf {negl} (\lambda )\) for all \(j\in [d]\), \(i\in [t]\), and \(b \in \{0,1\}\). Since \(d, t= \mathsf {poly} (\lambda )\), we conclude via a union bound that with overwhelming probability, \(h_j\ne x_i^{(b)}\) for all \(j\in [d]\), \(i\in [t]\), and \(b \in \{0,1\}\). Equivalently, \(h_1, \ldots , h_d\in S\) with overwhelming probability. Since \(h_1, \ldots , h_d\) are chosen uniformly over \(\{0,1\}^n\) and independently of all other parameters, we invoke evaluation correctness of \(\Pi _{\mathsf {TPRF} }\) and Remark 4.6 to conclude that with overwhelming probability, \(C(h_j) = \mathsf {TPRF} .\mathsf {Eval} (\mathsf {pp} , k, h_j)\) for each \(j\in [d]\). Since \(d = \mathsf {poly} (\lambda )\), we apply a union bound to conclude that with overwhelming probability, the extraction algorithm \(\mathsf {WM.Extract} \) will derive the same tuple \({\mathbf {x}}\) as \(\mathsf {WM.Mark} \). The claim now follows from (adaptive) verification correctness of \(\Pi _{\mathsf {TPRF} }\).

\(\square \)

Unremovability and unforgeability Our unremovability and unforgeability proofs for our watermarking scheme follow a similar structure to the proofs in [24, Appendix I], which constructs a watermarkable family of PRFs from private programmable PRFs. However, we require a more intricate argument to handle adversarial marking oracle queries (where the adversary is allowed to choose the key to be watermarked). Moreover, relying on private translucent \(t\)-puncturable PRFs rather than private programmable PRFs (the former provides a much weaker programmability property) also requires modifying the hybrid structure.

Our security proofs consist of a sequence of hybrid experiments between a challenger and an adversary \(\mathcal {A}\). In each experiment, the adversary \(\mathcal {A}\) is given access to a marking oracle and a challenge oracle. We now define our initial hybrid experiment, denoted \(\mathsf {H} _0\), which is identical to the watermarking experiment \(\mathsf {Expt} _{\Pi _{\mathsf {WM} }, \mathcal {A}}\) (Definition 6.7). Note that we isolate this particular hybrid because it will be useful in both the analysis of unremovability (Claim B.3) as well as unforgeability (Claim B.11). In this section, for a hybrid experiment \(\mathsf {H} \), we write \(\mathsf {H} (\mathcal {A})\) to denote the output distribution of \(\mathsf {H} \) when interacting with an adversary \(\mathcal {A}\).

Definition B.2

(Hybrid \(\mathsf {H} _0\)) Fix a security parameter \(\lambda \). Let \(\Pi _{\mathsf {WM} }= (\mathsf {WM.Setup} , \mathsf {WM.Mark} , \mathsf {WM.Extract} )\) be the watermarking scheme from Construction 6.15, and let \(\mathcal {A}\) be a watermarking adversary. Hybrid \(\mathsf {H} _0(\mathcal {A})\) corresponds to the watermarking experiment \(\mathsf {Expt} _{\Pi _{\mathsf {WM} }, \mathcal {A}}(\lambda )\). For clarity, we describe the experiment with respect to the concrete instantiation described in Construction 6.15.

  1. Setup phase: The challenger begins by sampling \((\mathsf {pp} , \mathsf {tk} ) \leftarrow \mathsf {TPRF} .\mathsf {Setup} (1^\lambda )\), a tuple \((h_1, \ldots , h_d) \overset{\textsc {r}}{\leftarrow }(\{0,1\}^n)^d\) and a PRF key \(\mathsf {k} ^*\leftarrow \mathsf {PRF} .\mathsf {KeyGen} (1^\lambda )\). It sets \(\mathsf {msk} = (\mathsf {pp} , \mathsf {tk} , h_1, \ldots , h_d, \mathsf {k} ^*)\) and gives \(\mathsf {pp} \) to the adversary.

  2. Query phase: The adversary can now make queries to a marking oracle or a challenge oracle. The challenger responds to the oracle queries as follows:

    • Marking oracle: On input a message \(m \in \{0,1\}^t\) and a PRF key \(k \in \mathcal {K}\) to be marked, the challenger computes \(y_j\leftarrow \mathsf {TPRF} .\mathsf {Eval} (\mathsf {pp} , k, h_j)\) for each \(j\in [d]\). Next, it sets \(\mathbf {y}= (y_1, \ldots , y_d)\), and computes \({\mathbf {x}}= \big (x_1^{(0)}, x_1^{(1)}, \ldots , x_t^{(0)}, x_t^{(1)}\big ) \leftarrow \mathsf {PRF} .\mathsf {Eval} (\mathsf {k} ^*, \mathbf {y})\). Then, it constructs the \(t\)-punctured key \(\mathsf {sk} _S \leftarrow \mathsf {TPRF} .\mathsf {Constrain} (\mathsf {pp} , k, S)\) where \(S = \{ x \in \{0,1\}^n:x \ne x_i^{(m_i)} \ \forall i\in [t] \}\). Finally, it replies with the circuit C to the adversary, where \(C(\cdot ) = \mathsf {TPRF} .\mathsf {ConstrainEval} (\mathsf {pp} , \mathsf {sk} _S, \cdot )\).

    • Challenge oracle: On input a message \({\hat{m}} \in \{0,1\}^t\), the challenger samples a key \({\hat{k}} \leftarrow \mathsf {TPRF} .\mathsf {SampleKey} (\mathsf {pp} )\). Next, for each \(j\in [d]\), it computes \({\hat{y}}_j\leftarrow \mathsf {TPRF} .\mathsf {Eval} (\mathsf {pp} , {\hat{k}}, h_j)\), sets \({\hat{\mathbf {y}}} = ({\hat{y}}_1, \ldots , {\hat{y}}_d)\), and computes \({\hat{{\mathbf {x}}}} = \big ({\hat{x}}_1^{(0)}, {\hat{x}}_1^{(1)}, \ldots , {\hat{x}}_t^{(0)}, {\hat{x}}_t^{(1)} \big ) \leftarrow \mathsf {PRF} .\mathsf {Eval} (\mathsf {k} ^*, {\hat{\mathbf {y}}})\). Then, it constructs the \(t\)-punctured key \(\mathsf {sk} _{{\hat{S}}} \leftarrow \mathsf {TPRF} .\mathsf {Constrain} (\mathsf {pp} , {\hat{k}}, {\hat{S}})\) where \({\hat{S}} = \{ x \in \{0,1\}^n:x \ne {\hat{x}}_i^{({\hat{m}}_i)} \ \forall i\in [t] \}\). It replies with \({\hat{C}}\) to the adversary where \({\hat{C}}(\cdot ) = \mathsf {TPRF} .\mathsf {ConstrainEval} (\mathsf {pp} , \mathsf {sk} _{{\hat{S}}}, \cdot )\).

  3. Challenge phase: The adversary outputs a circuit \({\tilde{C}}\).

  4. Extraction phase: The challenger first computes the tuple \({\tilde{\mathbf {y}}} = (\tilde{C}(h_1), \ldots , {\tilde{C}}(h_d))\). Then, it sets \({\tilde{{\mathbf {x}}}} = \big ({\tilde{x}}_1^{(0)}, {\tilde{x}}_1^{(1)}, \ldots , {\tilde{x}}_t^{(0)}, {\tilde{x}}_t^{(1)} \big ) \leftarrow \mathsf {PRF} .\mathsf {Eval} (\mathsf {k} ^*, {\tilde{\mathbf {y}}})\). For each \(i\in [t]\) and \(b \in \{0,1\}\), the challenger computes \({\tilde{z}}_i^{(b)} = \mathsf {TPRF} .\mathsf {Test} \big ( \mathsf {pp} , \mathsf {tk} , {\tilde{C}}({\tilde{x}}_i^{(b)}) \big )\). If there exists some \(i\in [t]\) for which \({\tilde{z}}_i^{(0)} = {\tilde{z}}_i^{(1)}\), the experiment outputs \(\bot \). Otherwise, for each \(i\in [t]\), the challenger sets \({\tilde{m}}_i= 0\) if \({\tilde{z}}_i^{(0)} = 1\), and \({\tilde{m}}_i= 1\) otherwise. Finally, the experiment outputs \({\tilde{m}} \in \{0,1\}^t\).

Claim B.3

(Unremovability) If \(\Pi _{\mathsf {TPRF} }\) is a selectively single-key secure and key-injective translucent \(t\)-puncturable PRF, and \(\Pi _{\mathsf {PRF} }\) is secure, then the watermarking scheme \(\Pi _{\mathsf {WM} }\) in Construction 6.15 is single-key unremovable.

Proof

We begin by defining our sequence of hybrid experiments:

  • Hybrid \(\mathsf {H} _1\): Same as \(\mathsf {H} _0\) (Definition B.2), except the challenger begins by choosing a random function \(f : (\{0,1\}^m)^d \rightarrow (\{0,1\}^n)^{2t}\) during the setup phase. Then, whenever the challenger needs to evaluate \(\mathsf {PRF} .\mathsf {Eval} (\mathsf {k} ^*, \cdot )\) in the remainder of the experiment, it instead evaluates \(f(\cdot )\).

  • Hybrid \(\mathsf {H} _2\): Same as \(\mathsf {H} _1\), except at the beginning of the game, the challenger initializes a table \(T \leftarrow \varnothing \) to maintain mappings of the form \(\mathcal {K}\rightarrow (\{0,1\}^n)^{2 t}\), where \(\mathcal {K}\) is the key-space of the PRF. Then, in the query phase, the challenger responds to the oracle queries as follows:

    • Marking oracle: Same as \(\mathsf {H} _1\), except on input a message \(m \in \{0,1\}^t\) and a PRF key \(k \in \mathcal {K}\), if k is already present in T, then the challenger sets \({\mathbf {x}}= T[k]\) and proceeds as in \(\mathsf {H} _1\). Otherwise, it samples \({\mathbf {x}}\overset{\textsc {r}}{\leftarrow }(\{0,1\}^n)^{2 t}\) and adds the mapping \((k \mapsto {\mathbf {x}})\) to T. The remainder of the query processing is handled as in \(\mathsf {H} _1\).

    • Challenge oracle: On input a message \({\hat{m}} \in \{0,1\}^t\), the challenger first samples a key \({\hat{k}} \leftarrow \mathsf {TPRF} .\mathsf {SampleKey} (\mathsf {pp} )\). It then checks to see if \({\hat{k}}\) is already present in T. If so, the challenger sets \({\hat{{\mathbf {x}}}} = T[{\hat{k}}]\) and proceeds as in \(\mathsf {H} _1\). Otherwise, it samples \({\hat{{\mathbf {x}}}} \overset{\textsc {r}}{\leftarrow }(\{0,1\}^n)^{2 t}\), adds the mapping \(({\hat{k}} \mapsto {\hat{{\mathbf {x}}}})\) to T and continues as in \(\mathsf {H} _1\).

    Let Q be the number of marking and challenge queries the adversary makes, \(\mathbf {y}_1, \ldots , \mathbf {y}_Q\) be the vectors \(\mathbf {y}\) (and \({\hat{\mathbf {y}}}\)) the challenger computes when responding to the marking and challenge oracles during the query phase, and let \(k_1, \ldots , k_Q\) be the keys the adversary provided to the marking oracle (or sampled by the challenge oracle) in those queries. During the extraction phase, if there are distinct indices \(\ell _1, \ell _2 \in [Q]\) such that \(k_{\ell _1} \ne k_{\ell _2}\), but \(\mathbf {y}_{\ell _1} = \mathbf {y}_{\ell _2}\), then the challenger aborts the experiment and outputs \(\mathsf {Bad} _1\). Otherwise, the challenger computes \({\tilde{\mathbf {y}}}\) as in \(\mathsf {H} _1\). Then, if \({\tilde{\mathbf {y}}} = \mathbf {y}_\ell \) for some \(\ell \in [Q]\), the challenger sets \({\tilde{{\mathbf {x}}}} = T[k_\ell ]\). Otherwise, it samples \({\tilde{{\mathbf {x}}}} \overset{\textsc {r}}{\leftarrow }(\{0,1\}^n)^{2 t}\). The rest of the extraction step is unchanged.

  • Hybrid \(\mathsf {H} _3\): Same as \(\mathsf {H} _2\) except when simulating the challenge oracle, the challenger always samples \({\hat{{\mathbf {x}}}} \overset{\textsc {r}}{\leftarrow }(\{0,1\}^n)^{2 t}\). Moreover, the challenger only adds the mapping \(({\hat{k}} \mapsto {\hat{{\mathbf {x}}}})\) to T at the beginning of the extraction phase (rather than the query phase).

  • Hybrid \(\mathsf {H} _4\): Same as \(\mathsf {H} _3\) except during the extraction phase, if there exists some \(j\in [d]\) where \({\hat{C}}(h_j) \ne \mathsf {TPRF} .\mathsf {Eval} (\mathsf {pp} , {\hat{k}}, h_j)\), then the challenger aborts and outputs \(\mathsf {Bad} _2\).

  • Hybrid \(\mathsf {H} _5\): Same as \(\mathsf {H} _4\) except during the extraction phase, the challenger aborts the experiment and outputs \(\mathsf {Bad} _3\) if there exists \(j\in [d]\) where \({\tilde{C}}(h_j) \ne \mathsf {TPRF} .\mathsf {Eval} (\mathsf {pp} , {\hat{k}}, h_j)\). Otherwise, the challenger sets \({\tilde{{\mathbf {x}}}} = {\hat{{\mathbf {x}}}}\) and continues with the extraction phase as in \(\mathsf {H} _4\).

  • Hybrid \(\mathsf {H} _6\): Same as \(\mathsf {H} _5\) except during the extraction phase, the challenger also checks (after checking for \(\mathsf {Bad} _1\), \(\mathsf {Bad} _2\), and \(\mathsf {Bad} _3\)) whether \({\tilde{C}} \big ({\hat{x}}_i^{(b)} \big ) = {\hat{C}} \big ( {\hat{x}}_i^{(b)} \big )\) for all \(i\in [t]\) and \(b \in \{0,1\}\). If the check passes, the challenger aborts and outputs \({\hat{m}}\). Otherwise, it follows the same extraction phase of \(\mathsf {H} _5\).

  • Hybrid \(\mathsf {H} _7\): Same as \(\mathsf {H} _6\) except when the challenger responds to the challenge oracle, it first chooses d distinct random points \(\alpha _1, \ldots , \alpha _d\overset{\textsc {r}}{\leftarrow }\{0,1\}^n\) and then sets \({\hat{S}} = \{ \alpha _1, \ldots , \alpha _d \}\) when generating the constrained key \(\mathsf {sk} _{{\hat{S}}}\).

We now proceed in a sequence of lemmas to show that for each consecutive pair of hybrid experiments \(\mathsf {H} _\ell , \mathsf {H} _{\ell +1}\), \(\left| \Pr [\mathsf {H} _\ell (\mathcal {A}) \ne {\hat{m}}] - \Pr [\mathsf {H} _{\ell +1}(\mathcal {A}) \ne {\hat{m}}] \right| = \mathsf {negl} (\lambda )\), where \(\mathcal {A}\) is an efficient adversary for the unremovability game (Definition 6.8) and \({\hat{m}} \in \{0,1\}^t\) is the message the adversary submits to the challenge oracle. In the final hybrid \(\mathsf {H} _7\), we show that \(\Pr [\mathsf {H} _7(\mathcal {A}) \ne {\hat{m}}] = \mathsf {negl} (\lambda )\), which proves the theorem. Recall that in the unremovability game, the adversary makes exactly one challenge query during the query phase.

Lemma B.4

If \(\Pi _{\mathsf {PRF} }\) is secure, then for all efficient adversaries \(\mathcal {A}\), \(\left| \Pr [\mathsf {H} _0(\mathcal {A}) \ne {\hat{m}}] - \Pr [\mathsf {H} _1(\mathcal {A}) \ne {\hat{m}}] \right| = \mathsf {negl} (\lambda )\).

Proof

The only difference between \(\mathsf {H} _0\) and \(\mathsf {H} _1\) is that invocations of \(\mathsf {PRF} .\mathsf {Eval} (\mathsf {k} ^*, \cdot )\) where \(\mathsf {k} ^*\leftarrow \mathsf {PRF} .\mathsf {KeyGen} (1^\lambda )\) are replaced by invocations of \(f(\cdot )\) where \(f \overset{\textsc {r}}{\leftarrow }\mathrm {Funs}[(\{0,1\}^m)^d, (\{0,1\}^n)^{2t}]\). The claim follows immediately by security of \(\Pi _{\mathsf {PRF} }\). Specifically, any distinguisher for the distributions \(\mathsf {H} _0(\mathcal {A})\) and \(\mathsf {H} _1(\mathcal {A})\) can be used to distinguish the outputs of the PRF from those of a truly random function. \(\square \)

Lemma B.5

If \(\Pi _{\mathsf {TPRF} }\) is key-injective (Definition 4.16), then for all adversaries \(\mathcal {A}\),

$$\begin{aligned} \left| \Pr [\mathsf {H} _1(\mathcal {A}) \ne {\hat{m}}] - \Pr [\mathsf {H} _2(\mathcal {A}) \ne {\hat{m}}] \right| = \mathsf {negl} (\lambda ). \end{aligned}$$

Proof

It is easy to see that as long as the vectors \(\mathbf {y}\) and \(\hat{\mathbf {y}}\) are unique (for distinct keys) in the marking and challenge queries, then \(\mathsf {H} _1\) and \(\mathsf {H} _2\) are identically distributed (in this case, the procedure in \(\mathsf {H} _2\) just corresponds to a lazy sampling of the random function f). To show that the vectors \(\mathbf {y}\) and \({\hat{\mathbf {y}}}\) for different keys are unique with overwhelming probability, we define a sequence of intermediate hybrid experiments:

  • Hybrid \(\mathsf {H} _{1,0}\): Same as \(\mathsf {H} _1\).

  • Hybrid \(\mathsf {H} _{1,\ell }\): Same as \(\mathsf {H} _1\) except at the beginning of the game, the challenger initializes a table \(T \leftarrow \varnothing \) to maintain mappings of the form \(\mathcal {K}\rightarrow (\{0,1\}^n)^{2 t}\). For the first \(\ell \) marking or challenge queries, the challenger responds according to the specification in \(\mathsf {H} _2\) (updating the table T accordingly). Let \(k_1, \ldots , k_\ell \) be the keys appearing in the first \(\ell \) queries, and let \((\mathbf {y}_1, {\mathbf {x}}_1), \ldots , (\mathbf {y}_\ell , {\mathbf {x}}_\ell )\) be the vectors the challenger uses to answer the first \(\ell \) queries. When answering all of the subsequent queries and in the extraction phase, after the challenger computes \(\mathbf {y}\) (analogously, \({\hat{\mathbf {y}}}\) or \({\tilde{\mathbf {y}}}\)), it first checks to see if \(\mathbf {y}= \mathbf {y}_{\ell ^*}\) for some \(\ell ^* \in [\ell ]\) (choosing one arbitrarily if there are multiple). If so, it sets \({\mathbf {x}}= {\mathbf {x}}_{\ell ^*}\) when answering the query. Otherwise, it sets \({\mathbf {x}}= f(\mathbf {y})\) as in \(\mathsf {H} _1\). If there exist distinct \(\ell _1, \ell _2 \in [\ell ]\) where \(k_{\ell _1} \ne k_{\ell _2}\), but \(\mathbf {y}_{\ell _1} = \mathbf {y}_{\ell _2}\), then during the extraction phase, the challenger aborts and outputs \(\mathsf {Bad} _1\).

Let Q be the number of marking or challenge queries the adversary makes. We now show that

$$\begin{aligned} \mathsf {H} _1(\mathcal {A}) \equiv \mathsf {H} _{1,0}(\mathcal {A}) {\mathop {\approx }\limits ^{s}}\mathsf {H} _{1,1}(\mathcal {A}) {\mathop {\approx }\limits ^{s}}\cdots {\mathop {\approx }\limits ^{s}}\mathsf {H} _{1,Q}(\mathcal {A}) \equiv \mathsf {H} _{2}(\mathcal {A}) \end{aligned}$$

By definition, \(\mathsf {H} _1 \equiv \mathsf {H} _{1,0}\) and \(\mathsf {H} _{1,Q} \equiv \mathsf {H} _2\), so it suffices to show that for all \(\ell \in [Q]\), \(\mathsf {H} _{1, \ell -1}(\mathcal {A}) {\mathop {\approx }\limits ^{s}}\mathsf {H} _{1,\ell }(\mathcal {A})\). First, we note that the behavior of \(\mathsf {H} _{1, \ell -1}\) and \(\mathsf {H} _{1, \ell }\) differs only in how the \(\ell {\mathrm {th}}\) query is handled. In both experiments, the adversary’s view after the first \(\ell -1\) queries is independent of the query points \(h_1, \ldots , h_d\) (since the vectors \({\mathbf {x}}\) as well as \({\hat{{\mathbf {x}}}}\) that occur in the first \(\ell -1\) queries are chosen uniformly and independently of \(h_1, \ldots , h_d\)). Thus, in hybrids \(\mathsf {H} _{1, \ell -1}\) and \(\mathsf {H} _{1,\ell }\), the challenger can defer the sampling of \(h_1, \ldots , h_d\) until after the adversary has committed to its \(\ell {\mathrm {th}}\) query. Let \(k_1, \ldots , k_\ell \) be the keys the adversary submits in its first \(\ell \) queries. Since \(h_1, \ldots , h_d\) are sampled after the adversary has chosen \(k_1, \ldots , k_\ell \), we conclude that \(h_1, \ldots , h_d\) are distributed uniformly and independently of \(k_1, \ldots , k_\ell \) (as well as the public parameter \(\mathsf {pp} \)). There are now two possibilities to consider:

  • If \(k_\ell = k_{\ell ^*}\) for some \(\ell ^* < \ell \), then \(\mathbf {y}_{\ell } = \mathbf {y}_{\ell ^*}\). In \(\mathsf {H} _{1, \ell - 1}\), the challenger sets \({\mathbf {x}}= {\mathbf {x}}_{\ell ^*}\) when answering the query. Note that this holds only if there do not exist two indices \(\ell _1, \ell _2 < \ell \) where \(\mathbf {y}_{\ell } = \mathbf {y}_{\ell _1} = \mathbf {y}_{\ell _2}\), but \(k_{\ell _1} \ne k_{\ell _2}\). If this were to happen, then both \(\mathsf {H} _{1, \ell -1}\) and \(\mathsf {H} _{1, \ell }\) output \(\mathsf {Bad} _1\). Otherwise, in hybrid \(\mathsf {H} _{1, \ell }\), since \(k_\ell = k_{\ell ^*}\), the challenger sets \({\mathbf {x}}_\ell = T[k_\ell ] = {\mathbf {x}}_{\ell ^*}\). In either case, the challenger’s response to the \(\ell {\mathrm {th}}\) query is identically distributed in \(\mathsf {H} _{1, \ell - 1}\) and \(\mathsf {H} _{1, \ell }\).

  • If \(k_\ell \ne k_{\ell ^*}\) for all \(\ell ^* < \ell \), then by key injectivity, for all \(\ell ^* < \ell \) and all \(j\in [d]\),

    $$\begin{aligned} \Pr [\mathsf {TPRF} .\mathsf {Eval} (k_\ell , h_j) = \mathsf {TPRF} .\mathsf {Eval} (k_{\ell ^*}, h_j)] = \mathsf {negl} (\lambda ), \end{aligned}$$

    where the probability is taken over the randomness used to sample the parameters in \(\mathsf {WM.Setup} \). We conclude that for all \(\ell ^* < \ell \),

    $$\begin{aligned} \Pr [\forall j\in [d] :\mathsf {TPRF} .\mathsf {Eval} (k_\ell , h_j) = \mathsf {TPRF} .\mathsf {Eval} (k_{\ell ^*}, h_j)] = \mathsf {negl} (\lambda ). \end{aligned}$$

    Union bounding over all \(\ell - 1 \le Q = \mathsf {poly} (\lambda )\) queries, we conclude that with overwhelming probability, \(\mathbf {y}_\ell \ne \mathbf {y}_{\ell ^*}\) for all \(\ell ^* < \ell \). This means that in \(\mathsf {H} _{1, \ell -1}\), the vector \({\mathbf {x}}_\ell \) used to answer the \(\ell {\mathrm {th}}\) query is given by the output of \(f(\mathbf {y}_\ell )\), where f is a truly random function (and independent of the challenger’s responses in all previous queries). Thus, \({\mathbf {x}}_\ell \) in \(\mathsf {H} _{1, \ell -1}\) is independently and uniformly distributed over \((\{0,1\}^n)^{2 t}\), which is precisely the distribution from which it is sampled in \(\mathsf {H} _{1, \ell }\). Thus, the challenger’s responses in the first \(\ell \) queries are identically distributed in \(\mathsf {H} _{1, \ell -1}\) and \(\mathsf {H} _{1, \ell }\).

Finally, we note that the probability that \(\mathsf {H} _{1, \ell }\) outputs \(\mathsf {Bad} _1\) can only be negligibly greater than that in \(\mathsf {H} _{1, \ell - 1}\). To see this, observe that if there exist \(\ell _1, \ell _2 \in [\ell - 1]\) such that \(\mathbf {y}_{\ell _1} = \mathbf {y}_{\ell _2}\), then both \(\mathsf {H} _{1, \ell -1}\) and \(\mathsf {H} _{1, \ell }\) output \(\mathsf {Bad} _1\). The only scenario where \(\mathsf {H} _{1, \ell }\) outputs \(\mathsf {Bad} _1\) (and \(\mathsf {H} _{1, \ell -1}\) does not) is if \(\mathbf {y}_\ell = \mathbf {y}_{\ell ^*}\) and \(k_\ell \ne k_{\ell ^*}\) for some \(\ell ^* < \ell \). But by the key-injectivity argument above, this happens with negligible probability. Conditioned on \(\mathsf {Bad} _1\) not happening, the outputs of experiments \(\mathsf {H} _{1, \ell - 1}\) and \(\mathsf {H} _{1, \ell }\) are identically distributed. We conclude that \(\mathsf {H} _{1, \ell -1}(\mathcal {A}) {\mathop {\approx }\limits ^{s}}\mathsf {H} _{1,\ell }(\mathcal {A})\) for all \(\ell \in [Q]\). This proves the claim. \(\square \)

Lemma B.6

If \(\Pi _{\mathsf {TPRF} }\) satisfies selective single-key constrained pseudorandomness (Definition 4.10), then for all efficient adversaries \(\mathcal {A}\), \(\left| \Pr [\mathsf {H} _2(\mathcal {A}) \ne {\hat{m}}] - \Pr [\mathsf {H} _3(\mathcal {A}) \ne {\hat{m}}] \right| = \mathsf {negl} (\lambda )\).

Proof

By construction, hybrids \(\mathsf {H} _2\) and \(\mathsf {H} _3\) are identical experiments as long as the adversary never queries the marking oracle on the key \({\hat{k}}\) (the key the challenger samples during the challenge phase). Thus, the only possible way the adversary can obtain a nonzero advantage in distinguishing hybrids \(\mathsf {H} _2\) and \(\mathsf {H} _3\) is if it is able to query the marking oracle on \({\hat{k}}\), or equivalently, “guess” the master secret key sampled by the challenger given only the public parameters and the constrained key. Certainly, this completely breaks (selective) constrained pseudorandomness. More formally, let \(\mathcal {A}\) be an efficient adversary that is able to distinguish \(\mathsf {H} _2\) from \(\mathsf {H} _3\) with some non-negligible probability \(\varepsilon \). We use \(\mathcal {A}\) to construct an adversary \(\mathcal {B}\) that breaks the (selective) constrained pseudorandomness of \(\Pi _{\mathsf {TPRF} }\) with advantage \(\varepsilon / Q\) where Q is the number of marking oracle queries \(\mathcal {A}\) makes during the query phase. Algorithm \(\mathcal {B}\) works as follows:

  1. At the beginning of the game, \(\mathcal {B}\) samples \(t\) points \({\hat{x}}_1, \ldots , {\hat{x}}_t\overset{\textsc {r}}{\leftarrow }\{0,1\}^n\). It sends the \(t\)-puncturing set \({\hat{S}} = \{ x \in \{0,1\}^n :x \ne {\hat{x}}_i \ \forall i \in [t] \}\) to the selective constrained pseudorandomness challenger. The constrained pseudorandomness challenger then samples the public parameters \((\mathsf {pp} , \mathsf {tk} ) \leftarrow \mathsf {TPRF} .\mathsf {Setup} (1^\lambda )\) and a secret key \(\mathsf {msk} \leftarrow \mathsf {TPRF} .\mathsf {SampleKey} (\mathsf {pp} )\). It constructs the constrained key \(\mathsf {sk} _{{\hat{S}}} \leftarrow \mathsf {TPRF} .\mathsf {Constrain} (\mathsf {pp} , \mathsf {msk} , {\hat{S}})\). The challenger gives \(\mathsf {pp} \) and \(\mathsf {sk} _{{\hat{S}}}\) to \(\mathcal {B}\).

  2. Algorithm \(\mathcal {B}\) starts running \(\mathcal {A}\) and starts simulating hybrids \(\mathsf {H} _2\) and \(\mathsf {H} _3\) for \(\mathcal {A}\). In the setup phase, \(\mathcal {B}\) gives \(\mathsf {pp} \) to \(\mathcal {A}\). The other components of the setup phase are simulated exactly as described in \(\mathsf {H} _2\) and \(\mathsf {H} _3\). Note that simulating the evaluations of the truly random function f can be done by lazily sampling the outputs of f on an as-needed basis.

  3. During the query phase, whenever \(\mathcal {A}\) makes a marking oracle query, \(\mathcal {B}\) simulates the response exactly as described in \(\mathsf {H} _3\). This is possible because answering the marking queries only requires knowledge of the public parameters \(\mathsf {pp} \). When \(\mathcal {A}\) makes its challenge query, \(\mathcal {B}\) responds with the constrained key \(\mathsf {sk} _{{\hat{S}}}\) it received from the constrained pseudorandomness challenger.

  4. Let \(k_1, \ldots , k_Q \in \mathcal {K}\) be the keys \(\mathcal {A}\) submitted to the marking oracle during the query phase. At the end of the query phase, \(\mathcal {B}\) chooses an index \(i \overset{\textsc {r}}{\leftarrow }[Q]\) and computes \(y = \mathsf {TPRF} .\mathsf {Eval} (\mathsf {pp} , k_i, {\hat{x}}_1)\). In addition, it makes a challenge oracle query to the constrained pseudorandomness challenger at the punctured point \({\hat{x}}_1\). The constrained pseudorandomness challenger responds with a value \({\hat{y}}\). Finally, \(\mathcal {B}\) outputs 1 if \(y = {\hat{y}}\) and 0 otherwise.

By construction, \(\mathcal {B}\) perfectly simulates \(\mathsf {H} _3\) for \(\mathcal {A}\). Here, the key \(\mathsf {msk} \) sampled by the constrained pseudorandomness challenger plays the role of the key sampled by the challenger in response to the challenge oracle in \(\mathsf {H} _3\). Now, as stated above, \(\mathsf {H} _2\) and \(\mathsf {H} _3\) are identical experiments unless the adversary queries the marking oracle on \(\mathsf {msk} \) during the query phase. Since \(\mathcal {A}\) is able to distinguish \(\mathsf {H} _2\) from \(\mathsf {H} _3\) with probability \(\varepsilon \), it must be the case that with probability \(\varepsilon \), on one of its marking oracle queries, it submits \(\mathsf {msk} \). Moreover, up until making this query, \(\mathcal {B}\) perfectly simulates both \(\mathsf {H} _2\) and \(\mathsf {H} _3\) for \(\mathcal {A}\). This means that with probability \(\varepsilon \), one of the keys \(k_1, \ldots , k_Q\) that appears in the marking oracle queries of \(\mathcal {A}\) is actually \(\mathsf {msk} \). We consider two cases, depending on whether the constrained pseudorandomness challenger replies with the real value of the PRF or a random value in response to the challenge query:

  • Suppose the constrained pseudorandomness challenger replies with the value \(\mathsf {TPRF} .\mathsf {Eval} (\mathsf {pp} , \mathsf {msk} , {\hat{x}}_1)\). With probability \(\varepsilon / Q\), we have that \(k_i = \mathsf {msk} \), in which case \(y = {\hat{y}}\), and \(\mathcal {B}\) outputs 1. Thus, in this case, \(\mathcal {B}\) outputs 1 with probability at least \(\varepsilon / Q\).

  • If the constrained pseudorandomness challenger replies with a random value \({\hat{y}} \overset{\textsc {r}}{\leftarrow }\{0,1\}^m\), then \(y = {\hat{y}}\) with probability \(1/2^m = \mathsf {negl} (\lambda )\).

Thus, \(\mathcal {B}\) is able to break constrained pseudorandomness of \(\Pi _{\mathsf {TPRF} }\) with advantage \(\varepsilon / Q - \mathsf {negl} (\lambda )\). Since \(\varepsilon \) is non-negligible and \(Q = \mathsf {poly} (\lambda )\), this is non-negligible. The claim follows. \(\square \)

Lemma B.7

If \(\Pi _{\mathsf {TPRF} }\) satisfies selective evaluation correctness, then for all adversaries \(\mathcal {A}\),

$$\begin{aligned} \left| \Pr [\mathsf {H} _3(\mathcal {A}) \ne {\hat{m}}] - \Pr [\mathsf {H} _4(\mathcal {A}) \ne {\hat{m}}] \right| = \mathsf {negl} (\lambda ). \end{aligned}$$

Proof

We show that for all adversaries \(\mathcal {A}\), \(\mathsf {H} _4(\mathcal {A})\) outputs \(\mathsf {Bad} _2\) with negligible probability. By definition, we have that \({\hat{C}}(\cdot ) = \mathsf {TPRF} .\mathsf {ConstrainEval} (\mathsf {pp} , \mathsf {sk} _{{\hat{S}}}, \cdot )\). In \(\mathsf {H} _3\) and \(\mathsf {H} _4\), the points \(h_1, \ldots , h_d\) are sampled uniformly from the domain \(\{0,1\}^n\) of \(\Pi _{\mathsf {TPRF} }\) and independently of all other parameters. By evaluation correctness of \(\Pi _{\mathsf {TPRF} }\) and Remark 4.6, we conclude that for all \(j\in [d]\), \(\Pr [{\hat{C}}(h_j) \ne \mathsf {TPRF} .\mathsf {Eval} (\mathsf {pp} , {\hat{k}}, h_j)] = \mathsf {negl} (\lambda )\). Since \(d = \mathsf {poly} (\lambda )\), a union bound over \(j\in [d]\) shows that \(\mathsf {H} _4\) outputs \(\mathsf {Bad} _2\) with negligible probability. Since \(\mathsf {H} _3\) and \(\mathsf {H} _4\) are identical experiments except that \(\mathsf {H} _4\) may additionally output \(\mathsf {Bad} _2\), we conclude that the output distributions \(\mathsf {H} _3(\mathcal {A})\) and \(\mathsf {H} _4(\mathcal {A})\) are statistically indistinguishable, and the claim follows. \(\square \)

Lemma B.8

For all single-key unremoving-admissible adversaries \(\mathcal {A}\) (Definition 6.8),

$$\begin{aligned} \left| \Pr [\mathsf {H} _4(\mathcal {A}) \ne {\hat{m}}] - \Pr [\mathsf {H} _5(\mathcal {A}) \ne {\hat{m}}] \right| = \mathsf {negl} (\lambda ). \end{aligned}$$

Proof

We show that the output distributions \(\mathsf {H} _4(\mathcal {A})\) and \(\mathsf {H} _5(\mathcal {A})\) are statistically indistinguishable. Since the conditions for outputting \(\mathsf {Bad} _1\) and \(\mathsf {Bad} _2\) are identical in \(\mathsf {H} _4\) and \(\mathsf {H} _5\), it suffices to only reason about the case where \(\mathsf {Bad} _1\) and \(\mathsf {Bad} _2\) are not set. Our proof consists of two pieces.

  • We first show that \(\mathsf {H} _5\) outputs \(\mathsf {Bad} _3\) with negligible probability assuming \(\mathcal {A}\) is unremoving-admissible. Observe that in \(\mathsf {H} _5\), the challenger’s behavior (and correspondingly, the adversary’s view) during the query phase is independent of \(h_1, \ldots , h_d\). Thus, in \(\mathsf {H} _5\), it is equivalent for the challenger to defer sampling \(h_1, \ldots , h_d\) until the extraction phase, and in particular, after the adversary has output its challenge circuit \({\tilde{C}}\). By unremoving-admissibility, \({\tilde{C}} \sim _f{\hat{C}}\) where \(1/f = \mathsf {negl} (\lambda )\). Since for all \(j\in [d]\), \(h_j\) is sampled uniformly from \(\{0,1\}^n\) and independently of both \({\hat{C}}\) and \({\tilde{C}}\), we have that \(\Pr [{\tilde{C}}(h_j) \ne {\hat{C}}(h_j)] \le 1/f = \mathsf {negl} (\lambda )\). Next, \(d = \mathsf {poly} (\lambda )\), so we conclude via a union bound that, with overwhelming probability, \({\tilde{C}}(h_j) = {\hat{C}}(h_j)\) for all \(j\in [d]\). Finally, since \(\mathsf {Bad} _2\) is not set, we have that \({\hat{C}}(h_j) = \mathsf {TPRF} .\mathsf {Eval} (\mathsf {pp} , {\hat{k}}, h_j)\) for all \(j\in [d]\), and so, \(\mathsf {H} _5\) outputs \(\mathsf {Bad} _3\) with negligible probability.

  • To conclude the proof, we show that the distributions of outputs in the extraction phases of \(\mathsf {H} _4\) and \(\mathsf {H} _5\) are statistically indistinguishable. First, we note that the condition for outputting \(\mathsf {Bad} _3\) depends only on the adversary’s output in the challenge phase. By construction, the adversary’s outputs in the challenge phase of \(\mathsf {H} _4\) and \(\mathsf {H} _5\) are identically distributed. By our previous argument, the condition for outputting \(\mathsf {Bad} _3\) is satisfied with negligible probability in \(\mathsf {H} _5\), and so, the same condition is satisfied with negligible probability in \(\mathsf {H} _4\) (otherwise, the condition associated with \(\mathsf {Bad} _3\) can be used to distinguish the adversary’s output in the challenge phase of \(\mathsf {H} _4\) and \(\mathsf {H} _5\)). Thus, in \(\mathsf {H} _4\), \({\tilde{C}}(h_j) = \mathsf {TPRF} .\mathsf {Eval} (\mathsf {pp} , {\hat{k}}, h_j)\) for all \(j\in [d]\) with overwhelming probability. This means that for all \(j\in [d]\),

    $$\begin{aligned} {\tilde{y}}_j= {\tilde{C}}(h_j) = \mathsf {TPRF} .\mathsf {Eval} (\mathsf {pp} , {\hat{k}}, h_j) = {\hat{y}}_j, \end{aligned}$$

    or equivalently, \({\tilde{\mathbf {y}}} = {\hat{\mathbf {y}}}\). This means that in the extraction step of \(\mathsf {H} _4\), the challenger sets \({\tilde{{\mathbf {x}}}} = {\hat{{\mathbf {x}}}}\) (by assumption, it does not output \(\mathsf {Bad} _1\)) with overwhelming probability. But this is precisely the behavior in \(\mathsf {H} _5\). Since the rest of the extraction step in \(\mathsf {H} _4\) and \(\mathsf {H} _5\) is the same, we conclude that the distribution of outputs in \(\mathsf {H} _4\) is statistically indistinguishable from that in \(\mathsf {H} _5\).

\(\square \)
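The union bound invoked in the first step of the proof above (and again, for the \(2 t\) points \({\hat{x}}_i^{(b)}\), in the proof of Lemma B.10) is written out here explicitly as an added worked step; it is not part of the original proof. Because \({\tilde{C}} \sim _f{\hat{C}}\), the two circuits disagree on at most a \(1/f\) fraction of \(\{0,1\}^n\), so for each \(j\in [d]\), a point \(h_j\) that is uniform over \(\{0,1\}^n\) and independent of \(({\tilde{C}}, {\hat{C}})\) lands in the disagreement set with probability at most \(1/f\). Hence

$$\begin{aligned} \Pr [\exists j\in [d] : {\tilde{C}}(h_j) \ne {\hat{C}}(h_j)] \le \sum _{j\in [d]} \Pr [{\tilde{C}}(h_j) \ne {\hat{C}}(h_j)] \le \frac{d}{f} = \mathsf {negl} (\lambda ), \end{aligned}$$

since \(d = \mathsf {poly} (\lambda )\) and \(1/f = \mathsf {negl} (\lambda )\), and a polynomial times a negligible function is negligible. In Lemma B.10 the same computation with \(2 t\) points in place of \(d\) gives the bound \(2 t / f = \mathsf {negl} (\lambda )\). Note that the bound needs only that each \(h_j\) is individually uniform and independent of the two circuits; independence among the \(h_j\) themselves is not required, which is why it can be applied after deferring the sampling of the \(h_j\) to the extraction phase.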

Lemma B.9

If \(\Pi _{\mathsf {TPRF} }\) satisfies selective verification correctness, then for all adversaries \(\mathcal {A}\),

$$\begin{aligned} \left| \Pr [\mathsf {H} _5(\mathcal {A}) \ne {\hat{m}}] - \Pr [\mathsf {H} _6(\mathcal {A}) \ne {\hat{m}}] \right| = \mathsf {negl} (\lambda ). \end{aligned}$$

Proof

We show that the distributions \(\mathsf {H} _5(\mathcal {A})\) and \(\mathsf {H} _6(\mathcal {A})\) are statistically indistinguishable. Hybrids \(\mathsf {H} _5\) and \(\mathsf {H} _6\) are identical experiments unless \({\tilde{C}}({\hat{x}}_i^{(b)}) = {\hat{C}}({\hat{x}}_i^{(b)})\) for all \(i\in [t]\) and \(b \in \{0,1\}\). We consider the output in \(\mathsf {H} _5\) when this is the case. Without loss of generality, we just consider the case where \(\mathsf {Bad} _3\) does not occur. In this case, the challenger sets \({\tilde{{\mathbf {x}}}} = {\hat{{\mathbf {x}}}}\). It follows that \({\tilde{C}}({\tilde{x}}_i^{(b)}) = {\tilde{C}}({\hat{x}}_i^{(b)}) = {\hat{C}}({\hat{x}}_i^{(b)})\) for all \(i\in [t]\) and \(b \in \{0,1\}\). Then,

$$\begin{aligned} {\tilde{z}}_i^{(b)} = \mathsf {TPRF} .\mathsf {Test} \big ( \mathsf {pp} , \mathsf {tk} , {\tilde{C}}(\tilde{x}_i^{(b)}) \big ) = \mathsf {TPRF} .\mathsf {Test} \big ( \mathsf {pp} , \mathsf {tk} , {\hat{C}}({\hat{x}}_i^{(b)}) \big ). \end{aligned}$$

By definition, \({\hat{C}}({\hat{x}}_i^{(b)}) = \mathsf {TPRF} .\mathsf {ConstrainEval} \big ( \mathsf {pp} , \mathsf {sk} _{{\hat{S}}}, {\hat{x}}_i^{(b)} \big )\). For each \(i\in [t]\), we have that \({\hat{x}}_i^{({\hat{m}}_i)} \in {\hat{S}}\), so by verification correctness of \(\Pi _{\mathsf {TPRF} }\), \(\mathsf {TPRF} .\mathsf {Test} \big ( \mathsf {pp} , \mathsf {tk} , {\tilde{C}}(\tilde{x}_i^{({\hat{m}}_i)}) \big ) = 1\) with overwhelming probability. On the other hand, since \({\hat{x}}_i^{(1 - {\hat{m}}_i)} \notin {\hat{S}}\) (with overwhelming probability), and moreover, \({\hat{x}}_i^{(1 - {\hat{m}}_i)}\) is independently and uniformly random over \(\{0,1\}^n\), with overwhelming probability, \(\mathsf {TPRF} .\mathsf {Test} \big ( \mathsf {pp} , \mathsf {tk} , \tilde{C}({\tilde{x}}_i^{(1 - {\hat{m}}_i)}) \big ) = 0\). Thus, with overwhelming probability, the challenger sets \({\tilde{m}}_i= {\hat{m}}_i\) in \(\mathsf {H} _5\). Since \(t= \mathsf {poly} (\lambda )\), we have that with overwhelming probability \({\tilde{m}} = {\hat{m}}\). We conclude that the output of \(\mathsf {H} _5\) when the condition is satisfied is \({\hat{m}}\) with overwhelming probability. \(\square \)

Lemma B.10

If \(\Pi _{\mathsf {TPRF} }\) satisfies selective single-key privacy (Definition 4.14), then for all efficient single-key unremoving-admissible (Definition 6.8) adversaries \(\mathcal {A}\),

$$\begin{aligned} \left| \Pr [\mathsf {H} _6(\mathcal {A}) \ne {\hat{m}}] - \Pr [\mathsf {H} _7(\mathcal {A}) \ne {\hat{m}}] \right| = \mathsf {negl} (\lambda ). \end{aligned}$$

Moreover, under the same assumptions, \(\Pr [\mathsf {H} _7(\mathcal {A}) \ne {\hat{m}}] = \mathsf {negl} (\lambda )\).

Proof

First, we show that \(\Pr [\mathsf {H} _7(\mathcal {A}) \ne {\hat{m}}] = \mathsf {negl} (\lambda )\). It suffices to consider the case where \(\mathsf {H} _7\) does not output one of the flags \(\mathsf {Bad} _1\), \(\mathsf {Bad} _2\), or \(\mathsf {Bad} _3\), since we previously showed in Lemmas B.5 through B.9 that each hybrid outputs these flags with negligible probability. In \(\mathsf {H} _7\), the setup and query phases are completely independent of the points \({\hat{x}}_i^{(b)}\) for all \(i\in [t]\) and \(b \in \{0,1\}\). Thus, it is equivalent to sample \({\hat{x}}_i^{(b)}\) at the extraction phase, after the adversary has output its challenge circuit \({\tilde{C}}\). Since the \({\hat{x}}_i^{(b)}\) are sampled uniformly from \(\{0,1\}^n\) and independently of \({\tilde{C}}\), by unremoving-admissibility of \(\mathcal {A}\), we have that for all \(i\in [t]\) and \(b \in \{0,1\}\), \(\Pr [{\tilde{C}}({\hat{x}}_i^{(b)}) \ne {\hat{C}}({\hat{x}}_i^{(b)})] \le 1/f = \mathsf {negl} (\lambda )\). Since \(t= \mathsf {poly} (\lambda )\), it follows by a union bound that with overwhelming probability, \({\tilde{C}}({\hat{x}}_i^{(b)}) = {\hat{C}}({\hat{x}}_i^{(b)})\) for all \(i\in [t]\) and \(b \in \{0,1\}\). Thus, with overwhelming probability, \(\mathsf {H} _7\) outputs \({\hat{m}}\).

Now, suppose there exists an efficient adversary \(\mathcal {A}\) such that \(\big |\Pr [\mathsf {H} _6(\mathcal {A}) \ne {\hat{m}}] - \Pr [\mathsf {H} _7(\mathcal {A}) \ne {\hat{m}}]\big |\) is non-negligible. Since \(\Pr [\mathsf {H} _7(\mathcal {A}) \ne {\hat{m}}] = \mathsf {negl} (\lambda )\), this must mean that \(\Pr [\mathsf {H} _6(\mathcal {A}) \ne {\hat{m}}] = \varepsilon \) for some non-negligible \(\varepsilon \). We now use \(\mathcal {A}\) to build an efficient adversary \(\mathcal {B}\) that can break the (selective) privacy of \(\Pi _{\mathsf {TPRF} }\) with the same advantage \(\varepsilon \). Algorithm \(\mathcal {B}\) works as follows:

  1. At the beginning of the game, \(\mathcal {B}\) chooses values \({\hat{x}}_1, \ldots , {\hat{x}}_t\overset{\textsc {r}}{\leftarrow }\{0,1\}^n\) and \(\alpha _1, \ldots , \alpha _t \overset{\textsc {r}}{\leftarrow }\{0,1\}^n\). It then constructs two sets \(S_0 = \{ x \in \{0,1\}^n: x \ne {\hat{x}}_i\ \forall i\in [t] \}\) and \(S_1 = \{ x \in \{0,1\}^n: x \ne \alpha _i\ \forall i\in [t] \}\). Algorithm \(\mathcal {B}\) submits sets \(S_0\) and \(S_1\) to the challenger.

  2. The privacy challenger replies to \(\mathcal {B}\) with the public parameters \(\mathsf {pp} \) for \(\Pi _{\mathsf {TPRF} }\) and a constrained key \(\mathsf {sk} _\beta \) where \(\beta \in \{0,1\}\).

  3. Algorithm \(\mathcal {B}\) starts running \(\mathcal {A}\). In the setup phase, \(\mathcal {B}\) chooses the watermarking secret key components \(h_1, \ldots , h_d\overset{\textsc {r}}{\leftarrow }\{0,1\}^n\) and \(k \overset{\textsc {r}}{\leftarrow }\mathcal {K}\) for itself. It gives \(\mathsf {pp} \) to \(\mathcal {A}\) in the setup phase.

  4. In the query phase, \(\mathcal {B}\) answers the queries as follows:

    • Marking oracle: Algorithm \(\mathcal {B}\) answers these queries exactly as in \(\mathsf {H} _6\) and \(\mathsf {H} _7\). This is possible since none of the queries depend on knowing \(\mathsf {tk} \), and algorithm \(\mathcal {B}\) knows all of the other components of the watermarking secret key \(\mathsf {msk} \).

    • Challenge oracle: On input the challenge message \({\hat{m}} \in \{0,1\}^t\), algorithm \(\mathcal {B}\) sets \({\hat{x}}_i^{({\hat{m}}_i)} = {\hat{x}}_i\) and samples \({\hat{x}}_i^{(1 - {\hat{m}}_i)} \overset{\textsc {r}}{\leftarrow }\{0,1\}^n\). It replies with \({\hat{C}}(\cdot ) = \mathsf {TPRF} .\mathsf {ConstrainEval} (\mathsf {pp} , \mathsf {sk} _\beta , \cdot )\).

  5. After the adversary finishes making its oracle queries, it outputs its challenge circuit \({\tilde{C}}\). Algorithm \(\mathcal {B}\) then simulates the extraction phase as follows. First, it checks whether there exists \(i\in [t]\) and \(b \in \{0,1\}\) such that \(\tilde{C}({\hat{x}}_i^{(b)}) \ne {\hat{C}}({\hat{x}}_i^{(b)})\). If so, \(\mathcal {B}\) halts the experiment and outputs 1. Otherwise, \(\mathcal {B}\) outputs 0.

First, observe that in the reduction, the values \({\hat{x}}_i\) play the role of \({\hat{x}}_i^{({\hat{m}}_i)}\). We now consider the two cases \(\beta = 0\) and \(\beta = 1\).

  • If \(\beta = 0\), then \(\mathcal {B}\) perfectly simulates \(\mathsf {H} _6\) for \(\mathcal {A}\). In \(\mathsf {H} _6\), if \({\tilde{C}}({\hat{x}}_i^{(b)}) = {\hat{C}}({\hat{x}}_i^{(b)})\) for all \(i\in [t]\) and \(b \in \{0,1\}\), then by construction, \(\mathsf {H} _6(\mathcal {A})\) outputs \({\hat{m}}\). Since \(\Pr [\mathsf {H} _6(\mathcal {A}) \ne {\hat{m}}] = \varepsilon \), with probability at least \(\varepsilon \), there exists some \(i\in [t]\) and \(b \in \{0,1\}\) for which \({\tilde{C}}({\hat{x}}_i^{(b)}) \ne {\hat{C}}({\hat{x}}_i^{(b)})\). Thus, with probability \(\varepsilon \), \(\mathcal {B}\) outputs 1.

  • If \(\beta = 1\), then \(\mathcal {B}\) perfectly simulates \(\mathsf {H} _7\) for \(\mathcal {A}\). We previously showed that in hybrid \(\mathsf {H} _7\), \({\tilde{C}}({\hat{x}}_i^{(b)}) = {\hat{C}}({\hat{x}}_i^{(b)})\) for all \(i\in [t]\) and \(b \in \{0,1\}\) with overwhelming probability. Thus, in this case, \(\mathcal {B}\) outputs 1 with negligible probability.

We conclude that \(\mathcal {B}\) is able to win the selective privacy game for \(\Pi _{\mathsf {TPRF} }\) with advantage \(\varepsilon - \mathsf {negl} (\lambda )\), which is non-negligible, as required. \(\square \)

Combining Lemmas B.4 through B.10, we conclude that as long as \(\Pi _{\mathsf {PRF} }\) is secure and \(\Pi _{\mathsf {TPRF} }\) is a selectively-private translucent \(t\)-puncturable PRF that satisfies key injectivity, then the watermarking scheme \(\Pi _{\mathsf {WM} }\) is unremovable. \(\square \)

Claim B.11

(Unforgeability) If \(\Pi _{\mathsf {TPRF} }\) is a selectively single-key secure and key-injective translucent \(t\)-puncturable PRF and \(\Pi _{\mathsf {PRF} }\) is secure, then the watermarking scheme \(\Pi _{\mathsf {WM} }\) in Construction 6.15 is \(\delta \)-unforgeable.

Proof

We begin by defining our sequence of hybrid experiments:

  • Hybrid \(\mathsf {H} _1\): This is the same hybrid as \(\mathsf {H} _1\) from the proof of Claim B.3.

  • Hybrid \(\mathsf {H} _2\): This is the same hybrid as \(\mathsf {H} _2\) from the proof of Claim B.3.

  • Hybrid \(\mathsf {H} _3\): Same as \(\mathsf {H} _2\) except in the extraction step, after computing the tuple \({\tilde{\mathbf {y}}} = ({\tilde{C}}(h_1), \ldots , {\tilde{C}}(h_d))\), the challenger aborts the experiment and outputs \(\mathsf {Bad} _2\) if \({\tilde{\mathbf {y}}} \in \mathcal {Z}\) (where \(\mathcal {Z}\) is the set of tuples \(\mathbf {y}\) that appeared in a marking oracle query). Otherwise, it proceeds as in \(\mathsf {H} _2\).

As in the proof of Claim B.3, we proceed in a sequence of lemmas and show that for each consecutive pair of hybrid experiments \(\mathsf {H} _\ell , \mathsf {H} _{\ell +1}\), it is the case that \(\left| \Pr [\mathsf {H} _\ell (\mathcal {A}) \ne \bot ] - \Pr [\mathsf {H} _{\ell +1}(\mathcal {A}) \ne \bot ] \right| = \mathsf {negl} (\lambda )\), where \(\mathcal {A}\) is an efficient adversary for the \(\delta \)-unforgeability game (Definition 6.11). Finally, for the last hybrid \(\mathsf {H} _3\), we show that \(\Pr [\mathsf {H} _3(\mathcal {A}) \ne \bot ] = \mathsf {negl} (\lambda )\), which proves the claim. Recall that in the \(\delta \)-unforgeability game, the adversary does not make any queries to the challenge oracle.

Lemma B.12

If \(\Pi _{\mathsf {PRF} }\) is a secure PRF, then for all efficient adversaries \(\mathcal {A}\),

$$\begin{aligned} \left| \Pr [\mathsf {H} _0(\mathcal {A}) \ne \bot ] - \Pr [\mathsf {H} _1(\mathcal {A}) \ne \bot ] \right| = \mathsf {negl} (\lambda ). \end{aligned}$$

Proof

Follows by the exact same argument as that given in the proof of Lemma B.4. \(\square \)

Lemma B.13

If \(\Pi _{\mathsf {TPRF} }\) satisfies key injectivity (Definition 4.16), then for all adversaries \(\mathcal {A}\),

$$\begin{aligned} \left| \Pr [\mathsf {H} _1(\mathcal {A}) \ne \bot ] - \Pr [\mathsf {H} _2(\mathcal {A}) \ne \bot ] \right| = \mathsf {negl} (\lambda ). \end{aligned}$$

Proof

Follows by the exact same argument as that given in the proof of Lemma B.5. \(\square \)

Lemma B.14

If \(\Pi _{\mathsf {TPRF} }\) satisfies evaluation correctness, then for all \(\delta \)-unforging-admissible adversaries \(\mathcal {A}\) (Definition 6.11) where \(\delta = 1/\mathsf {poly} (\lambda )\),

$$\begin{aligned} \left| \Pr [\mathsf {H} _2(\mathcal {A}) \ne \bot ] - \Pr [\mathsf {H} _3(\mathcal {A}) \ne \bot ] \right| = \mathsf {negl} (\lambda ). \end{aligned}$$

Proof

We show that the distributions \(\mathsf {H} _2(\mathcal {A})\) and \(\mathsf {H} _3(\mathcal {A})\) are statistically indistinguishable. By construction, the adversary’s view in the setup and query phases of \(\mathsf {H} _2\) and \(\mathsf {H} _3\) is identically distributed. To show the lemma, it suffices to argue that \(\mathsf {H} _3\) outputs \(\mathsf {Bad} _2\) in the extraction phase with negligible probability. Let \(Q = \mathsf {poly} (\lambda )\) be the number of marking queries the adversary made and for \(\ell \in [Q]\), let \(k_\ell \) be the PRF key the adversary submitted to the marking oracle on the \(\ell {\mathrm {th}}\) query. For \(\ell \in [Q]\), let \(T_\ell \) be the set of points on which \({\tilde{C}}(\cdot )\) and \(\mathsf {TPRF} .\mathsf {Eval} (\mathsf {pp} , k_\ell , \cdot )\) differ, where \({\tilde{C}}\) is the circuit output by the adversary at the end of the challenge phase. Since \(\mathcal {A}\) is \(\delta \)-unforging-admissible, we have that \(\left| T_\ell \right| /2^n\ge \delta \). Next, we note that in \(\mathsf {H} _3\), the query phase does not depend on \(h_1, \ldots , h_d\). Thus, we can defer the sampling of \(h_1, \ldots , h_d\) until the extraction phase, after the adversary has output its challenge circuit \(\tilde{C}\). Since each of the \(h_j\) is drawn uniformly and independently from \(\{0,1\}^n\), we have for all \(j\in [d]\) and \(\ell \in [Q]\), \(\Pr [h_j\in T_\ell ] = \left| T_\ell \right| /2^n\ge \delta \). It follows that for all \(\ell \in [Q]\),

$$\begin{aligned} \Pr [\forall j\in [d] : h_j\notin T_\ell ] = \left( 1 - \frac{\left| T_\ell \right| }{2^n} \right) ^d\le (1 - \delta )^{\lambda / \delta } \le e^{-\lambda } = \mathsf {negl} (\lambda ), \end{aligned}$$

where we have used the fact that \(d= \lambda / \delta \) and \(\delta = 1/\mathsf {poly} (\lambda )\). Since this holds for all \(\ell \in [Q]\), we conclude that with overwhelming probability, it is the case that for all \(\ell \in [Q]\), there exists some \(j\in [d]\) such that \(h_j\in T_\ell \), or equivalently, that \({\tilde{C}}(h_j) \ne \mathsf {TPRF} .\mathsf {Eval} (\mathsf {pp} , k_\ell , h_j)\). By construction of the marking algorithm, this means that \({\tilde{\mathbf {y}}} \ne \mathbf {y}_\ell \) for all \(\ell \in [Q]\). We conclude that \(\tilde{\mathbf {y}} \notin \mathcal {Z}\), and so \(\mathsf {H} _3\) outputs \(\mathsf {Bad} _2\) with negligible probability. \(\square \)
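The two inequalities in the display above, and the step from "for each \(\ell \)" to "for all \(\ell \) simultaneously", are spelled out here as an added worked derivation; they are not part of the original proof. The first inequality uses only \(\left| T_\ell \right| /2^n\ge \delta \) and the choice \(d= \lambda / \delta \); the second uses the elementary bound \(1 - \delta \le e^{-\delta }\), valid for every real \(\delta \) because \(e^{x}\) is convex and \(1 + x\) is its tangent line at \(x = 0\):

$$\begin{aligned} \left( 1 - \frac{\left| T_\ell \right| }{2^n} \right) ^d\le (1 - \delta )^{d} = (1 - \delta )^{\lambda / \delta } \le \big ( e^{-\delta } \big )^{\lambda / \delta } = e^{-\lambda }. \end{aligned}$$

Raising to the \(d\)th power is where the independence of the \(h_j\) is used: the events \(h_j\notin T_\ell \) for \(j\in [d]\) are independent, so their joint probability is the product. Applying a union bound over the \(Q\) marking queries then gives

$$\begin{aligned} \Pr [\exists \ell \in [Q] \ \forall j\in [d] : h_j\notin T_\ell ] \le \sum _{\ell \in [Q]} \Pr [\forall j\in [d] : h_j\notin T_\ell ] \le Q \cdot e^{-\lambda } = \mathsf {negl} (\lambda ), \end{aligned}$$

since \(Q = \mathsf {poly} (\lambda )\). The role of the parameter choice \(d= \lambda / \delta \) is visible here: with a constant number of points \(d\), the bound \((1 - \delta )^d\) would be close to \(1 - d \delta \), which is not negligible for \(\delta = 1/\mathsf {poly} (\lambda )\). The number of test points must therefore grow as \(\lambda / \delta \), and the requirement \(\delta = 1/\mathsf {poly} (\lambda )\) is exactly what keeps \(d\), and hence the size of the watermarking key, polynomial.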

Lemma B.15

For all adversaries \(\mathcal {A}\), \(\Pr [\mathsf {H} _3(\mathcal {A}) \ne \bot ] = \mathsf {negl} (\lambda )\).

Proof

It suffices to consider the case where \(\mathsf {H} _3\) outputs neither \(\mathsf {Bad} _1\) nor \(\mathsf {Bad} _2\) (as argued in Lemmas B.13 and B.14, these events occur with negligible probability). Conditioned on \(\mathsf {H} _3\) not outputting \(\mathsf {Bad} _2\), the test vector \({\tilde{{\mathbf {x}}}}\) is sampled uniformly and independently from \((\{0,1\}^n)^{2 t}\) after the adversary has output its challenge circuit \({\tilde{C}}\). Now, for each \(i\in [t]\) and \(b \in \{0,1\}\), the extraction algorithm computes \(\tilde{z}_i^{(b)} = \mathsf {TPRF} .\mathsf {Test} (\mathsf {pp} , \mathsf {tk} , {\tilde{C}}(\tilde{x}_i^{(b)}))\). Since the test points \(\tilde{x}_i^{(0)}\) and \({\tilde{x}}_i^{(1)}\) are chosen uniformly and independently from \(\{0,1\}^n\) after the adversary has committed to \({\tilde{C}}\), we have that \(\Pr [\tilde{z}_i^{(0)} \ne {\tilde{z}}_i^{(1)}] \le 1/2\) for all \(i\in [t]\), irrespective of \({\tilde{C}}\). Since \(t= \omega (\log \lambda )\), with overwhelming probability, there exists some \(i\in [t]\) where \({\tilde{z}}_i^{(0)} = {\tilde{z}}_i^{(1)}\), in which case, the extraction algorithm outputs \(\bot \). \(\square \)
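The bound \(\Pr [\tilde{z}_i^{(0)} \ne {\tilde{z}}_i^{(1)}] \le 1/2\) and the final step of the proof above are worked out here as an added derivation, not part of the original proof. Fix the circuit \({\tilde{C}}\) and the testing key \(\mathsf {tk} \) (both are determined before the test points are sampled), and let \(p_i\) denote the probability, over a uniform \(x \overset{\textsc {r}}{\leftarrow }\{0,1\}^n\), that \(\mathsf {TPRF} .\mathsf {Test} (\mathsf {pp} , \mathsf {tk} , {\tilde{C}}(x)) = 1\). Since \(\tilde{x}_i^{(0)}\) and \({\tilde{x}}_i^{(1)}\) are independent uniform samples, \(\tilde{z}_i^{(0)}\) and \({\tilde{z}}_i^{(1)}\) are independent bits that are each \(1\) with probability \(p_i\), and so

$$\begin{aligned} \Pr [\tilde{z}_i^{(0)} \ne {\tilde{z}}_i^{(1)}] = p_i (1 - p_i) + (1 - p_i) p_i = 2 p_i (1 - p_i) \le \frac{1}{2}, \end{aligned}$$

where the last inequality is \(p (1 - p) \le 1/4\) for all \(p \in [0,1]\), with equality only at \(p_i = 1/2\). No property of \(\mathsf {TPRF} .\mathsf {Test} \) or of \({\tilde{C}}\) beyond determinism on a fixed input is used, which is why the bound holds for an arbitrary, even adversarially chosen, \({\tilde{C}}\). Because \({\tilde{{\mathbf {x}}}}\) is uniform over \((\{0,1\}^n)^{2 t}\), the \(t\) pairs are mutually independent, and the probability that every pair yields a valid (non-\(\bot \)) bit is

$$\begin{aligned} \Pr [\forall i\in [t] : \tilde{z}_i^{(0)} \ne {\tilde{z}}_i^{(1)}] = \prod _{i\in [t]} 2 p_i (1 - p_i) \le 2^{-t} = \mathsf {negl} (\lambda ), \end{aligned}$$

since \(t= \omega (\log \lambda )\) means \(2^{-t} = \lambda ^{-\omega (1)}\). This is the only place the lower bound on the message length \(t\) enters the unforgeability argument: the extractor's refusal to output a mark is driven entirely by the chance that a circuit unrelated to any marked key happens to pass all \(t\) independent coin flips.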

Combining Lemmas B.12 through B.15, we conclude that as long as \(\Pi _{\mathsf {PRF} }\) is secure and \(\Pi _{\mathsf {TPRF} }\) is a translucent \(t\)-puncturable PRF that satisfies key injectivity, the watermarking scheme \(\Pi _{\mathsf {WM} }\) is \(\delta \)-unforgeable. \(\square \)


Kim, S., Wu, D.J. Watermarking Cryptographic Functionalities from Standard Lattice Assumptions. J Cryptol 34, 28 (2021). https://doi.org/10.1007/s00145-021-09391-2
