 The topic of this talk is traceable PRFs, full collision resistance, and active security. This is joint work with David Wu. The primary goal of traceable cryptography is to prevent unauthorized distribution of software. And this is done by preventing unauthorized redistribution of cryptographic functionalities. Typically, in such a scheme, we want to embed a mark within cryptographic objects. And this can come in various forms, for example, decryption keys in an encryption scheme, signing keys in a signature scheme, and so on and so forth. There is a pirate device which is attempting replication of the underlying functionality. And the security requirement is the following. If such a successful replication is achieved, then we should be also able to successfully trace back to the set of corrupt identities that were used to build this device. The notion of traceable pseudo random functions was introduced by Goyal et al. in a very recent work in 2021. Informally, it says that if there is a program C that can distinguish from a pseudo random function from a random function on randomly sampled inputs, then marked identities used to build the device should be traceable, used to build the pirate device as we just saw. So more formally or more generally, this is the diagram. So suppose an adversary is given the marked version of a PRF, then it outputs a program C, which we call the distinguisher. And it can see arbitrarily many input-output pairs. We say that the distinguisher C is good if given input-output behavior of a pseudo random function and a random function, C should be able to tell these two distributions apart. So in essence, it should be able to break the security of the pseudo random function. However, Goyal et al. discussed in their work that this notion is not in general sufficient. For example, if the distinguisher C has hardwired in it, the tuple x star comma PRF k comma x star, then this notion does not make sense because it can always break the security of the pseudo random function game. So they relax this notion to say that C should be able to differentiate between input-output pairs of those evaluations from a pseudo random function and that from a random function on randomly sampled inputs of the domain, which they called weak pseudo randomness. So the tracing security informally means that the distinguisher C, if can break weak pseudo randomness of the underlying traceable PRF, then the marked identities used to construct the PRF should be traceable. The syntax of a traceable PRF consists of the following four algorithms. First is the setup algorithm, which samples a master secret key and a tracing key. The tracing key can be public or secret. Then comes the key generation algorithm, which embeds an identity into the key. So it takes as input an identity ID and uses the master secret key to come up with this marked key SKID. The eval algorithm plays the evaluation of the PRF, the pseudo random function. And finally, we have the trace algorithm, which is given oracle access to a weak PRF distinguisher. With this access, the trace algorithm should be able to output an identity or a set of identities, T. The requirements for a traceable PRF as introduced in that work also involve the following correctness, which basically catches the essence of functionality preserving. It says that the marked and unmarked keys agree almost everywhere. So the eval MSKX and eval SKID, comma X should indeed match everywhere, almost everywhere. And of course, we need the notion of pseudo randomness, which means that the eval algorithm is actually a pseudo random function. The tracing security, as I already mentioned previously, means that if the adversary is able to produce a useful distinguisher D, which can differentiate between the input-output behavior of the pseudo random function from the truly random function on randomly sampled inputs, that means it can break the security of the weak pseudo randomness. It can break weak pseudo randomness. Then the identities that were used to construct D should be traceable, at least one of them. So here is the game. The adversary queries to the challenger an identity ID to which the challenger responds a marked key. And finally, the adversary returns a distinguisher D, outputs a distinguisher D. And the security property precisely states that if D breaks weak pseudo randomness of the eval algorithm with non-negligible advantage epsilon, then the tracing algorithm should output identity with probability, which is as close as possible to epsilon. This is the single key setup, which means that the adversary is querying to the challenger on only one identity. So natural's next case is what happens if the adversary queries multiple times. That brings us to the idea of collusion resistance. We say that a traceable PRF, or in general any such scheme, is a fully collusion resistant if security holds against adversaries that can obtain any unbounded polynomial number of keys. So the diagram is still the same. The major change is here, the adversary is querying multiple times, and these queries can be adaptive as well. And for every such query, the challenger responds with the corresponding marked key. Finally, the adversary outputs a distinguisher D. If D breaks weak pseudo randomness of eval with advantage non-negligible epsilon, then the tracing algorithm should output at least one of the IDJs. So while it might seem more natural to require that the tracing algorithm should output all the identities which were queried by the adversary, this requirement is in general not possible, because the adversary may choose to construct D depending only on the response to the first query and ignores all the rest of it. So as long as we are able to trace at least one of the identities, the tracing security should be good. This is a reasonable expectation to have. So Coel et al in their work proved the following. Assuming LWE, they proved that there exists a single key traceable PRF. Further, assuming indistinguishability of first-cation and injective one-way function, they showed the existence of a fully collusion resistant traceable PRF. I should mention here that the construction they have from standard lattice assumptions, the single key traceable PRF construction is completely insecure if the adversary obtains even just two marked keys. In fact, what happens is that the adversary can recover the PRF secret key from any two marked keys. Thus, the natural question which motivates this work is, can we obtain a fully collusion resistant traceable PRF without going through obfuscation? Such a construction would have the advantage of being plausibly post-quantum secure and also will provide a more direct instantiation than going through the full power of indistinguishability obfuscation. This led us to our work, as I said, and this is the topic of this talk. We proved this theorem that from LWE, we construct a fully collusion resistant traceable PRF. So we provide an algorithm to how to generically augment a single key traceable PRF to a fully collusion resistant traceable PRF and our identity space is polynomial. As I said, collusion resistance is actually meaningful and non-trivial to achieve even when the identity space is polynomial. Because as I mentioned, the existing construction of a single key traceable PRF is completely insecure even in the presence of two identities queried by the adversary. So polynomial identity space is a reasonable start. And here is a very quick overview. I will elaborate on this very soon. So what we do is we combine a single key traceable PRF with a collusion resistant fingerprinting code. Essentially, single key security of the traceable PRF binds the adversary to strategies that conform to the restrictions of the fingerprinting code model. This, in turn, yields a fully collusion resistant traceable PRF. So before we move on, we need to review what a collusion resistant fingerprinting code is. And that brings us to this slide. So fingerprinting codes are information theoretic objects. The syntax consists of two algorithms. First, the gen algorithm, which samples a codebook gamma and a tracing key tk. The code words in the codebook gamma are l tuples. They belong to 0 comma 1 power l. And this l is called the length of the fingerprinting code or the code length. There is also the trace algorithm, which takes as input the tracing key and the word W star and outputs an S, which should be a subset of the identity space. For the purposes of this work, we can consider this to be our identity space. We also require the notion of feasibility to better understand the security of the fingerprinting code. So it goes as follows. Suppose we are given a subset W of gamma. The gamma is the codebook, remember. So a word W star is feasible for the set W. It is often denoted by the notation F of W, capital F of W. If every bit in W star agrees with the corresponding bit in one of the code words in W, so there should exist at least one code word in W. So that if you look at W star one, one of the code words has the same bit in the first position. So for example, if W is this set, which consists of two elements 0, 0, 0 and 1, 1, 1, then the feasible set consists of 0, 1 power cube. Because if you, if you choose any element from this set, 0, 1 cube, each of the bits can be matched up with one of the bits in these words. Next, we talk about collision resistant codes and the idea is exactly similar to what we have done so far, seen so far, we say a fingerprinting code is fully collision resistant. If tracing security holds against adversaries that can obtain any unbounded polynomial number of code words and the adversary can make adaptive queries. So it's the same diagram as before. The adversary makes queries, identity queries, which can be adaptive to the challenger and the challenger keeps responding with the corresponding code words. This constitutes the set W of code words obtained by the adversary. Finally, the adversary outputs a word W star. And as one can guess, the security requirement should be as follows. If W star is feasible for the set W, which is acquired by the adversary through its queries, then the tracing algorithm should at least output one of the identities, which was squared by the adversary. So this brings us to the construction of the collision resistant traceable PRF. So as I've already mentioned, the primary ingredients are number one, a single key traceable PRF, which is guaranteed by Goyal et al's work. So there were the domain range and identity space are suitably chosen so that we can, the entire construction is compatible with each other. Each of its functioning parts. And the second part is a collision resistant fingerprinting code with N code words, W I and code length L that W I belongs to zero one power L. So the primary idea that we use in this construction is the following. Take L independent copies of the traceable PRF and just X or them. And what do we use? Why do we need these L independent copies? We use each of these copies to embed a single bit of the code word. So if we take the identity map it to its code word, then look at the bits. Then embed that bit using the I it copy of the PRF. And that is how the construction goes and finally X or all of these together. So the evil algorithm goes as follows. I'm sorry, I should not have said X or all of these together. We output all those marquis as a total as we see here. So the construction goes as follows. The evil algorithm is on input X, we just X or PRF Ki comma X. So X source of PRF are secured. It is well known that this is exhaust secure as long as one of the underlying PRF is secure. That is the main idea behind this construction. The marking scheme goes as follows. The first step is we take an identity, you map it to the corresponding code word. Then we look at the bits. Then we use the corresponding PRFs to embed those bits and obtain these marquis. And finally we output SK1 to SKL as a tuple. The tracing algorithm, which one can probably guess by now is that the distinguisher D. If you're given for a distinct for the entire PRF, we construct the utility using that we construct it. Distinguish a DI for each of the components PRF Ki. Then we run the trace algorithm for each of these to obtain these sets Ti. Finally, using this whatever output we have here, we construct the word W star. And feed it to the tracing algorithm of the underlying fingerprinting code. So a limitation of our construction is that the mark keys Ki IDs are long. As you can see the PRF keys. K is a tuple of L independent keys K1 to KL and also the mark keys are SK1 to SKL. So the mark keys are quite long. So this is one of the limitations. So let me briefly talk about why this is secure. Notice that if this W star, which we construct here W bar star, if this is feasible, then we can resort to the security of the underlying fingerprinting code now. So all we need to guarantee is that the underlying word should be feasible. But now note that feasibility here means that if all of the code words corresponding to identities which are requested by the adversary have the same bit in a particular position. Say at I not the position I not all of the bits have the same bit. Then the corresponding bit in this constructed word W bar star must also match. But notice that in this case, because the bits are the same, the adversary actually receives only one marked key. Marked version. So now we can resort to the security of the underlying single key security of the underlying traceable PRF. That is, if there is a key associated with a single value, then single key security guarantees that the adversary cannot change that bit. Thus, we are guaranteed to make that the word W star is feasible. And once we have that collision resistance of the fingerprinting code ensure security for us. So recapping the construction again, the evil algorithm goes as follows, we take L independent copies of the traceable single key traceable PRF, and we XOR them. And the marking algorithm is we take an identity, map it to the code word, look at the corresponding bits, then use each of these PRFs to embed those bits and output the tuple as a whole for the mark key. The tracing algorithm goes as follows, we have a distinguisher D we construct using that we construct a distinguisher DI for each of these components. We run the trace algorithm, get a set DI suitably construct W star and feed it to the tracing algorithm of the underlying fingerprinting code. We should also mention that in the paper we actually provide a statistical test to check whether this is how this distinguisher is the efficient or not we actually provide a statistical test to check the efficacy that is needed in the security to prove also. So we also do this additional work in this paper, we considered the notion of active security. We additionally allow the adversity to make queries to the tracing record. This is an intermediate security notion, I use the word intermediate because it's intermediate between secret tracing and public tracing. And also an intermediate notion was previously also considered in the setting of water markable PRFs. And we were able to show using the same idea that using LWP, there exists a fully collision resistant traceable PRF with active security against adversities making up to queue tracing queries for any a priori bounded polynomial q, which is q of lambda lambda is the parameter here. As I mentioned, the same construction can be used as before the X or in idea the major differences we just have to use a fingerprinting code, which is fully collision resistant against adversities making queue tracing queries. Similarly for us, such codes were shown to exist very recently by Yang et al in their work in 2020, and we leveraged that in this construction to get the notion of active security with fully collision resistance of traceable PRFs. It is well known that PRFs can be used to construct authenticated encryption schemes, example via the encrypt and MAC paradigm. Surprisingly, instantiating the encryption scheme with a traceable PRF and composing with an arbitrary MAC directly is a trader tracing scheme where the underlying encryption scheme is an authenticated encryption, and hence trivially satisfy CCA security. If the underlying traceable PRF is secure against q bounded active adversities, then the resulting trader tracing scheme is also secure against q bounded active adversities. As I said, we just have to instantiate the PRF with a traceable PRF with active security. So this is one of the very important properties of traceable PRF which was also pointed out in the works of Goyal et al. That whenever we have an application which is built from a PRF, we can get a corresponding traceable version of that application by replacing the PRF with a traceable PRF and secret key trader tracing is simply an application of that. So let me summarize whatever we have discussed in this talk so far. We provide the first fully collision resistant traceable PRF from standard lattice assumptions, and we do this through the usage of fully collision resistant fingerprinting codes. We generically, generically augment of such a fully collision resistant traceable PRF using two primary ingredients. One is a single key traceable PRF. And number two is the fully collision resistant fingerprinting codes. We also showed, as we discussed, that tracing security holds even against active adversities that have oracle access to the tracing algorithm. So I would like to end with two questions, one of which I have already mentioned that one of the drawbacks of our construction is that the sizes of the marked keys is long. It's SK1 to SKL where L is the codelin. Can they be decreased efficiently? And number two is the active security result that we had, which dependent on Q. It had a polynomial bound Q on the number of tracing queries. This bound is appearing only because of the corresponding property of the fingerprinting underlying fingerprinting code that is a fingerprinting code has the same bound on the tracing number of tracing queries. If that restriction can be lifted from the fingerprinting code, the same can be done for the traceable PRF as well. So the natural question is, can we construct such codes? Thank you very much.