 Alright, so hello everyone, I'm Lu Pengyang, and today I will talk about how to construct gluing-resistant Wattmark ball-student functions from standard assumptions. This is a joint work with Mahou Ao, Duoxia Yu, and Qiu Liangxu. So a Wattmarking scheme can embed some information into a ditched object without changing it too much. Also, it should be hard to remove the embedded information in a Wattmarked object without damaging it. In this talk, we focus on Wattmarking schemes for programs. Formally, it consists of two algorithms, namely the marking algorithm and the extraction algorithm. The marking algorithm can embed a message into a program with a marking key, and the extraction algorithm can extract the embedded message from a Wattmarked program with an extraction key. Its correctness requires that the marking algorithm can roughly preserve the functionality of the Wattmarked program. Also, it requires that the extraction algorithm can extract the correct message from an honestly Wattmarked program. Its main security requirement is unremovability, which requires that the adversary is not able to remove or modify a message embedded in a Wattmarked program without significantly changing its functionality. Also, in practice, it is usually desired to have unremovability against collusion attacks, that is, the attacker can learn multiple Wattmarked circuits, which are generated by embedding different messages into the same program. So this is the basic notion of Wattmarking schemes. One may hope to have secure Wattmarking schemes for arbitrary programs. However, as shown by Koh-Hai et al. in 2016, no Wattmarking scheme exists for learnable functionalities. So in the study of Wattmarking schemes, we already focus on Wattmarking schemes for chromatographic programs such as the decryption algorithm of an inquiry scheme, the signing algorithm of a signature scheme, and the evaluation algorithm of a signal function. So towards constructing secure Wattmarking schemes for chromatographic programs, we already know how to construct collusion-resistant Wattmarking schemes for public key primitives from simple assumptions, such as the existing one-way function and the standard lattice assumptions. But for Wattmarking schemes for signal functions, the previous constructions from standard assumptions can only achieve a weaker single-challenge unremovability. And the only known collusion-resistant Wattmarking schemes for signal functions are constructed from indistinguishability of the execution. So the question is, can we construct collusion-resistant Wattmarking signal functions from standard assumptions? Before presenting our solution to this question, we first recall how Wattmarking signal functions are constructed from standard assumptions in previous works. This is built on a primitive called constrained signal function. Roughly speaking, a constrained signal function is a pseudo-run function family that allows one to derive a constrained k from a pfk, by puncturing the pfk on the sub-site of the input space. The original k and the constrained k evaluate identically on all inputs outside the puncture site. But for input x in the puncture site, the output of fskx should still be still random even given the constrained k. When constructing Wattmarking schemes, we usually require a privately constrained signal function, which can hide the puncture site from the constrained k. And finally, we say that a constrained signal function is collusion-resistant if its security holds against an adversary that can obtain more than one constrained k of the same pfk. Now with a constrained signal function, we can construct a Wattmarking scheme for it. Here we start with a marked and binding Wattmarking scheme, which only embeds a marked symbol into a pfk. So in this scheme, the marking algorithm first generates a special fake input x star with its binding k. Then it punctures the secured k on x star to get a constrained k. The Wattmarked program is just a circuit that evaluates the signal function with the constrained k. To test if a circuit is Wattmarked, the extraction algorithm also first generates the special fake input x star. Then it tests if the circuit is punctured on x star or not. The test is supported by special properties of the underlying constraint signal function. For example, if the underlying constraint signal function is extractable, then the extraction algorithm can extract the original secret k from the constrained secret k with a trapdoor, and then it can test if the circuit is punctured on x star by testing if the circuit and the original secret k evaluate identically on x star. Security of the Wattmarking scheme comes from the security of the underlying constraint signal function, which prevents the adversary from running the punctured point x star and modifying the output of the circuit on x star. So this is how the marking binding Wattmarking scheme works. And based on this, to embed an input message instead of a marked symbol into the prfk, the marking algorithm will encode bits of the message into different puncture points. In particular, it can first generate mprs of special fake inputs, and then it selects one input from each pair by using each bit of the message. And then it can puncture the prfk on the selected inputs to get the constraint k and the Wattmarked program is a circuit that evaluates the student function with the constraint k. To extract the embed message from a Wattmarked circuit, the extraction algorithm also first generates these mprs of special fake inputs. Then it records the is bit of the message by testing if the circuit is punctured on x star zero star or x star one star. It states mi to be zero if the circuit is punctured on x star zero star. And it states mi to be one if the circuit is punctured on x star one star. Otherwise, it outputs a symbol indicating that the circuit is not Wattmarked. Correctness and the single k unremovability of the message embedding Wattmarking scheme comes from the properties of the underlying constraint student function, just as in the case of Marker-Binding Wattmarked scheme. But the scheme is not clueing resistant. To see this, it records that a clueing attacker for the Wattmarked scheme can obtain multiple Wattmarked circuits, which are generated by embedding different messages into the same prfk. Since the embedding messages are different, the puncture set and the constraint keys are also different. So the adversary can in fact learn multiple constraint keys of the same prfk from the Wattmarked circuit. That is to say to guarantee clueing resistant unremovability of the Wattmarking scheme, we request that the underlying constraint student function should also be clueing resistant. However, in all previous constructions of Wattmarking schemes or Wattmarked constraint functions from standard assumptions, the constraint student function used are not clueing resistant. In words, as shown by Kennedy and Chen in 2017, clueing resistant probability constraint student function implies indistinguishability of fascination. Since probability constraint student function is essential in most constructions of Wattmarked student functions, it seems implausible to construct clueing resistant Wattmarked student functions from standard assumptions. So in this work, we attempt to overcome this barrier in another direction, that is we will try to construct clueing resistant Wattmarked student functions from single key circuit constraint student functions. Okay, so our key idea is to encode bits of the message into different secret keys, instead of including them into different puncture points. So in more detail, our Wattmarked ball student function is a repetition of n constraint student functions. And the secret key of the Wattmarked ball student function consists of n secret keys of the underlying constraint student function. The marking algorithm first generates n pairs of specific inputs. Then it selects one input from each pair using one bit of the message. And then it punctures the i secret key on XR-MS star. The Wattmarked program is a circuit that evaluates with all these n constraint keys. To extract the embedded message from a Wattmarked circuit, the extraction algorithm also first generates these n pairs of specific inputs. Then it requires the i secret of the message by testing if the circuit is if the i's part of the circuit which evaluates with the i's constraint key is punctured on XR-0 star or XR-1 star. It says Mi to be 1 if the circuit is punctured on XR-1 star. And it says Mi to be 0 as well. To see what security can be guaranteed by our first solution, we consider a simplified example that n equals 3 and the order 3 is only able to obtain two Wattmarked circuits which are embedded with messages 101 and 110 respectively. The order 3 is able to learn three pairs of constraint keys from the Wattmarked circuit. And for the first pair of constraint keys, both of them are generated by puncturing SQ1 on XR-1 star. Since the puncture points are the same, the constraint keys are also identical. So the order 3 is only able to obtain one constraint key of SQ1. Then by single case security of the underlying constraint system function, the beta 1 embedded in SQ1 can't be removed or modified by the order 3. However, for SQ2 and SQ3, since they will be punctured on different inputs, so the order 3 can still obtain more than one constraint washes of them. That said, to see the single case security of the underlying constraint system function does not counter restrict the order 3 here. So the order 3 is still able to remove or modify bits embedded in SQ2 and SQ3. So to summarize here, in our first construction, the order 3 is not able to modify bits at a position if all messages agree on this position. But it can still modify bits in other positions. So our first construction can only achieve a weak security guarantee and to upgrade this weak security guarantee to colloid resistance on reliability, we use a fingerprint code. Here we describe the notion of fingerprint code in a slightly different way for ease of explanation. So roughly speaking, a fingerprint code consists of two algorithms, namely the encoding algorithm and the decoding algorithm. The encoding algorithm can encode a message into a code word with a trapped out and the decoding algorithm can decode the code word to recover the original message with the same trapped out. Its security requires that given multiple code words, which are generated by encoding different messages, the order 3 is not able to create a string that decodes to a new message. Of course, we should restrict the order 3's ability in generating the string. So here we require that the order 3 is not allowed to modify bits at a position if all code words agree on this position. For example, if the order 3 can receive two code words 101 and 110, then it is not allowed to submit a string W star such that W star 1 equals 0. This is called the marking assumption. So now with a fingerprint code, we can upgrade our first construction to achieve colluring resistant or reliability. So in our second construction, the marking algorithm first encodes the message into a code word. Then it embeds the code words into NPF keys just using the marking algorithm or our first construction. To extract the embed message from an automatic circuit, the extraction algorithm also first recover the code word from the automatic circuit as before. Then it decodes the code word to obtain the original message. Security of our second construction comes from security of our first construction and security of the fingerprint code. First, security of our first construction can ensure that the order 3 is not able to modify bit at a position if all code words agree on this position. This is exactly the marking assumption. Then by security of the fingerprint code, the decoding algorithm can still require one of the embedded messages. And then the colluring resistant or reliability follows. So this is our second construction and why it is colluring resistant on removal. Note that in the construction and the security proof, we don't rely on concrete properties of the online constraint theorem function. And it is safe to replace it with any single key circuit what mark both theorem function. So our construction in fact provides a compiler that upgrade a single key circuit what mark both theorem function into a colluring resistant one. All right, so this is our basic idea on how to construct colluring resistant what mark both theorem function from standard assumptions. We also attend our basic construction to achieve a strong vulnerability. This is built on several new ideas, including a new construction of fingerprint code, which achieves a stronger security guarantee. Also, we consider another security property called the affordability for what mark scheme. Affortability requires that the adversary is not able to creating new what mark circuit without the marking key. And in this work, we provide a new framework that has strong affordability to what marking schemes without this security property. But I'm losing we are not able to cover all these technical details in this talk and please see our full paper for more details. So now to conclude in this work, we provide a general construct general construction that transform a single key circuit on what marking schemes for theorem functions into a colluring resistant one. But applying our transformation to existing constructions of single key circuit what mark both theorem functions from standard assumptions, we obtain several standard assumption based colluring resistant what mark both theorem functions with various security guarantees. The new schemes can roughly preserve security properties of the original scheme as they can achieve affordability for free. However, the new schemes can only achieve our reliability with bounded extreme queries, even if the original scheme can achieve our reliability with unbounded extreme queries. It is an interesting open problem to see how to remove this restriction in our construction. Another issue of our construction is that it only supports a polynomially large message space and it's an interesting future work to see if we can construct colluring resistant or mark both theorem functions with especially large message space from standard assumptions. So that's all. Thanks for your attention.