Okay, good morning everybody, welcome to the session Post-Quantum Cryptography 3. So it's the final day of the conference, so I hope you've been enjoying yourself so far. For those of you who were really awake and keeping an eye on the program, once upon a time this was called Post-Quantum Cryptography 1, because there was post-quantum 1, post-quantum 2, post-quantum 1, post-quantum 2. But now it's post-quantum 3. So we have three talks in this session: the first two will be online and the third one will be live here in person. The first talk is "Watermarking PRFs against Quantum Adversaries" by Fuyuki Kitagawa, and I will let him also announce his co-author. So please go ahead.

Can you see my slides?

Yes.

So thank you for the introduction. I'm Fuyuki from NTT, and this is a joint work with Ryo Nishimaki from NTT. I'm going to talk about watermarking PRFs against quantum adversaries.

So I will start with what software watermarking is. In software watermarking, we can embed a mark into a program in such a way that if the mark is removed, the functionality of the program is also destroyed. The purpose of software watermarking is proving ownership, preventing illegal copies, and so on. In software watermarking we can deal with only unlearnable programs. If a program is learnable, the mark can be easily removed by simply learning the description of the original program. For this reason, many previous works have focused on watermarking cryptographic programs. Especially, most of them studied watermarking PRFs, where we can embed the mark into the evaluation circuit of the PRF. A PRF is one of the simplest crypto primitives, but at the same time it is sufficient for realizing many other crypto programs and crypto primitives. Also, some recent works found an interesting application of watermarking crypto programs to quantum crypto: by combining it with quantum money, we can construct secure software leasing, which is a variant of copy protection. So in this work we study watermarking PRF
against quantum adversaries. More concretely, our goal is to propose a watermarking scheme such that even if a quantum adversary generates a quantum program in order to remove the embedded mark, we can correctly extract the embedded mark.

And this is our result. First, we define watermarking PRFs against quantum adversaries. Especially, we define unremovability, which is the main security notion of watermarking PRFs, against adversaries who output quantum programs. Also, we construct watermarking PRFs against quantum adversaries. Concretely, we propose two constructions. The first one is a secret extractable scheme based on LWE, and the other one is a public extractable scheme based on IO. Here, secret extractable means that we need a secret extraction key in order to extract the embedded mark. On the other hand, public extractable means that we don't need any secret information in order to extract the embedded mark, so anyone can extract the embedded mark. Our construction methodology for achieving these constructions is highly general, so it can be extended to watermarking other primitives such as public key encryption. So this is our result.

And I will talk about the technical overview of this work. The biggest issue we have to deal with is that quantum programs are inherently stateful programs. This problem was pointed out by Zhandry in the context of traitor tracing against quantum adversaries. In classical traitor tracing or classical watermarking, we usually assume that pirate programs are stateless programs. This assumption is reasonable since we can rewind pirate programs into their original state if those pirate programs are classical programs. However, in general, it is impossible to rewind quantum programs into their original state, so we have to deal with quantum programs as stateful programs. So we have to define our unremovability notion, and we have to construct our scheme, by taking this stateful nature of quantum programs into consideration. Fortunately, for the
definitional work we can use Zhandry's technique developed in the context of traitor tracing against quantum adversaries. However, for the construction work we cannot use Zhandry's traitor tracing technique, so we propose a new extraction method.

So hereafter, I will talk about the technical details of our work. I will start with the definition of quantum watermarking against quantum adversaries. The syntax we use in this work is essentially the same as single-key traceable PRF introduced by Goyal et al., and it consists of four algorithms: Gen, Eval, Mark, and Extract. The Gen algorithm and Eval algorithm form a standard PRF, except that the Gen algorithm also outputs an extraction key xk together with the PRF key. The Mark algorithm takes as input a PRF key and a mark m, and outputs a marked evaluation circuit C'. And finally, the extraction algorithm takes as input the extraction key and a quantum program psi, and outputs a mark m. We require functionality preserving for watermarking PRF, which corresponds to the correctness notion of watermarking PRF. Functionality preserving requires that the marked evaluation circuit C' has almost the same functionality as the original evaluation circuit. So this is the syntax and functionality preserving of watermarking PRF against quantum adversaries.

And now I move on to the security and unremovability. So the definition of watermarking PRF is the same as single-key traceable PRF. The definition of unremovability is roughly as follows. We generate a marked evaluation circuit C' from a PRF key and a mark m, and we give it to an adversary, and the adversary generates a quantum program psi. Then unremovability requires that no adversary can generate a quantum program psi such that psi is a good quantum program, in the sense that its functionality is close to the original evaluation circuit, but the extraction algorithm fails to extract m. Of course, to make this definition rigorous, we have to define the notion of a good quantum program more concretely. So
basically, in this work, we define a good quantum program as a program that breaks weak PRF security, as done by Goyal et al. But when we do this, we have to take the stateful nature of quantum programs into consideration. The problem is as follows. To check whether a quantum program is a good quantum program or not, we have to measure the advantage of the quantum program for breaking weak PRF security. However, such a measurement process itself might destroy the quantum program. So even if we once confirmed that a quantum program is a good quantum program, the post-measurement program state might not be a good quantum program anymore. In order to avoid this issue, in this work we use the notion of live quantum programs introduced by Zhandry as the notion of good quantum programs. This notion of live quantum programs is defined by using projective implementation, also introduced by Zhandry. So after talking about some background on quantum programs, I will introduce projective implementation and the notion of live quantum programs.

The success probability of a quantum program for breaking weak PRF security is defined as follows. Let D_wPRF be a distribution that generates random input b, random input x, random output y_0, and the correct output y_1 of the input x, and outputs (b, x, y_b). This distribution D_wPRF roughly corresponds to the security game of weak PRF security. So the success probability of a quantum program for breaking weak PRF security is the probability that, given x and y_b, the quantum program correctly guesses the bit b, where (b, x, y_b) is generated from the distribution D_wPRF. Here, this quantum program psi can be seen as a superposition of many quantum programs with different success probabilities with respect to the distribution D_wPRF. In other words, we can decompose psi with respect to the distribution D_wPRF. More concretely, we can write psi as the summation over p of alpha_p psi_p, where psi_p is a quantum program with success probability p with respect to the
distribution D_wPRF, and the summation over p of alpha_p squared is equal to 1.

So given this background, I will introduce projective implementation and the notion of live quantum programs. As I said, a quantum program can be seen as a superposition of many quantum programs. Then projective implementation is a measurement process that measures the success probability of one of those quantum programs contained in the superposition. Concretely, it is defined as follows. Suppose we have a quantum program psi which can be written as the summation over p of alpha_p psi_p. Then if we apply projective implementation for D_wPRF, we obtain outcome p with probability alpha_p squared. And by applying this projective implementation, the program state psi is collapsed into another quantum program psi_p, which is a quantum program with success probability p. As the name suggests, projective implementation is projective. So if we apply projective implementation for D_wPRF again, we obtain outcome p with probability 1. So this is projective implementation.

And by using this projective implementation, we can define the notion of live quantum programs. A quantum program psi is a live quantum program if the result p of projective implementation for D_wPRF is significantly greater than one half. By defining so, if we once confirmed that a quantum program is a live quantum program, then we can confirm that the post-measurement state surely has high success probability. And also, for classical programs, this notion of live quantum program is the same as a classical notion of good programs, such as the one used by Goyal et al. in the context of traceable PRF.

So by using this notion of live quantum program, we can restate our definition of unremovability as follows. Suppose we generate a marked evaluation circuit C' from a PRF key and a mark m, and we give it to an adversary, and the adversary generates a quantum program psi. Then unremovability guarantees that no adversary can generate a quantum program psi such that psi is a live quantum program but the extraction algorithm fails to extract m. So this is the definition of quantum watermarking, watermarking PRF against quantum adversaries.

So next, given this definition, I will talk about how we realize quantum watermarking PRF against quantum adversaries. Our goal is to realize a watermarking PRF scheme such that even if an adversary generates a quantum program in order to remove our embedded mark, as long as the quantum program is a live quantum program, we can correctly extract the embedded mark m. Usually in watermarking, we extract the embedded mark by applying several tests on success probability and observing the results. However, in the case of quantum watermarking, the set of applicable tests is highly limited compared to classical watermarking. This is because, due to the stateful nature, tests can destroy a quantum program. Concretely, the difficulty we have to deal with is as follows. In watermarking, an embedded mark is chosen from a super-polynomial size set. So in this case, we couldn't extract the embedded mark in one shot; we have to extract the embedded mark in a bit-by-bit manner. And in order to
realize such a bit-by-bit extraction process, we need to realize a test T_i for every i such that each test T_i can be used to extract the i-th bit of the mark and each T_i does not destroy the quantum program. If some test T_i destroys the quantum program, we couldn't extract the rest of the bits of the embedded mark. So the technical challenge in this work is to realize such a test T_i. In the rest of my talk, I will talk about my main technical idea for realizing these tests.

Our main idea is to use what we call the reverse projective property of projective implementation, which can be explained as follows. Let D_fail be the distribution that generates (b, x, y) from the distribution D_wPRF and outputs (1-b, x, y). So recall that D_wPRF is the distribution corresponding to the weak PRF security game. Then projective implementation for this distribution D_fail is a measurement that measures the failure probability of a quantum program. This is roughly because projective implementation for D_fail measures the probability that the outcome of a quantum program is not b given x, y.

Then consider the following situation. Suppose we have a quantum program psi, which can be written as the summation over p of alpha_p psi_p. And also suppose we apply projective implementation for D_wPRF, namely we measure the success probability of the quantum program, and we obtain the outcome p. In this case, the quantum program is collapsed into another quantum program psi_p, which is a quantum program with success probability p. From the projective property of projective implementation, if we apply projective implementation for D_wPRF again to the quantum program, we obtain outcome p with probability 1. Here the reverse projective property says that if we apply projective implementation for D_fail and measure the failure probability of a quantum program after applying projective implementation for D_wPRF, we obtain outcome 1-p with probability 1. And most importantly, this application of projective implementation for D_fail after
projective implementation for D_wPRF does not affect the quantum program. So in other words, the post-measurement state after applying projective implementation for D_fail remains psi_p. So this is the reverse projective property. We can prove this reverse projective property by using the fact that projective implementation for D_wPRF and projective implementation for D_fail consist of exactly the same set of operators, and the only difference between these two measurements is the labels of those operators.

So by combining this reverse projective property with the standard projective property, we can obtain the following key fact. Suppose we have a live quantum program. This means that if we apply projective implementation for D_wPRF and measure the success probability of the quantum program, we obtain outcome one over two plus epsilon for some inverse polynomial epsilon. Then our key fact says that as long as we apply projective implementation for D_wPRF or projective implementation for D_fail, the quantum program remains live. The quantum program is not destroyed. And every time we apply projective implementation for D_wPRF, we obtain outcome one over two plus epsilon. And every time we apply projective implementation for D_fail, we obtain outcome one over two minus epsilon. So in short, this key fact says that as long as we measure only success probability and failure probability, we can measure those two values successfully without destroying the quantum program. So this is our key fact.

And finally, I will talk about how we realize our extraction method by using this key fact. Our extraction method uses a test T_i with the following properties for every i. Suppose we generate a marked evaluation circuit C' from a PRF key and a mark m, and we give it to an adversary, and the adversary generates a live quantum program.
Then this test T_i has the property that if the i-th bit of the embedded mark, m_i, is equal to zero, from the view of the adversary this test T_i looks like projective implementation for D_wPRF, which is a measurement on success probability. And on the other hand, if m_i is equal to one, from the view of the adversary this test T_i looks like projective implementation for D_fail, which is a measurement on failure probability. So if T_i satisfies these properties, from our key fact, the outcome of T_i is one over two plus epsilon if m_i is equal to zero, and the outcome of T_i is one over two minus epsilon if m_i is equal to one. So we can extract m_i by applying this test T_i and observing whether the result is greater than one half or not. And also, from our key fact, T_i does not destroy the quantum program. This is because T_i looks like either one of projective implementation for D_wPRF or projective implementation for D_fail, both of which do not destroy the quantum program. And as a result, we can apply this test T_i for every i, and we can correctly extract every bit of the mark. Due to the time restriction, I couldn't talk about how we actually realized such a test T_i in this work. So if you're interested in this part, please check our paper.

So this is a summary of my talk. In this work, we define watermarking PRF against quantum adversaries. And we also construct quantum watermarking PRF against quantum adversaries. We propose two constructions. The first one is a secret extraction scheme based on the LWE assumption, and the other one is a public extraction scheme based on IO. Our construction methodology is highly general, and it can be extended to watermarking other primitives such as public-key encryption. So this is the end of my talk. Thank you very much.

Okay, thank you. Are there any questions? If people have questions, please come to the microphone. If there are people who have questions on Zulip, I will look at that as well. Any questions so far?
So I do have one question. So you worked on the case where the adversary outputs a quantum program. So if the adversary outputs a classical program, does your notion then collapse to the known classical notion? Or do you still have some differences there?

Yeah, exactly. Our notion is strictly stronger than a classical program. So if we restrict our attention to the adversary that outputs only classical programs, our definition implies classical watermarking PRF.

Right. But is it potentially stronger in the sense that if you have a classical program and you satisfy the old definition, do you then still satisfy your new definition given that it's a classical program?

Yes, exactly.

Okay. Any other questions? Nothing on Zulip. Okay, if not, then let's thank the speaker again.

Thank you very much.