 So thanks, Rio, for the introduction. So I'll be presenting on watermarking public key cryptographic primitives. And this is joint work with Richo, Goyle, Sam Kim, Brent Waters, and David Wu. So we heard this in the previous talk, but just to quickly recap. When we think about watermarking programs, there are two basic algorithms. There's a mark algorithm, which takes his input, a program models a circuit, and some tag tau, or mark, and outputs a circuit C prime that indicates the mark circuit. And then there's an extract algorithm that takes his input, some circuit C prime, and output to either a tag or bot. So the tag would indicate that the program was marked with the tag tau or bot would indicate that the program was unmarked. Okay, and the way I've defined these algorithms, they're in the fully public setting, meaning that the mark and extract algorithms aren't taking any secrets, but you can also consider secret marking and extraction settings where these algorithms require secrets that are held by some trusted watermarking authority. And there are two main properties that we want out of a watermarking scheme. The first is functionality preserving, which is basically saying that the mark circuit should preserve the functionality of the unmarked circuit. And the second is unremovability, which basically says that given a marked circuit, it should be difficult for an adversary to create another circuit that preserves the functionality of the circuit yet removes the mark. And so what is known so far, well, in the work of Cohen et al, they gave the first positive results for watermarking, assuming indistinguishability obfuscation. And since then, the focus has been on watermarking pseudo-random functions from standard assumptions. And they've been a series of works by Kim and Wu, Quash, Wix, and Zardellis, and then Kim and Wu again, the previous talk. And basically, the focus so far has been on watermarking secret key primitives. And basically secret key primitives were already quite challenging to watermark. And since they have less structure or less complex than public key primitives, it was just assumed that public key primitives would be much more or more challenging to watermark in secret key primitives. And this hasn't been adequately studied. So in this work, we ask, can we watermark public key primitives? And in particular, the public key primitives we watermark in this work are digital signatures, in particular the signing functionality of a digital signature scheme, and public key attribute-based or predicate encryption, in particular the decryption functionality. Okay, so what was known prior to our work? Well, in the work of Coen and All, they did show, assuming indistinguishability obfuscation, how to build watermarkable signatures and public key encryption. So a natural question for our work is can we watermark these public key primitives from standard assumptions? And in this work, we show the answer as yes, and in fact, we can do this surprisingly simply. So our main contributions are watermarking constructions. We give watermarkable signatures and watermarkable attribute-based and predicate encryption. But our other contribution comes on the definitional side. Basically, the existing definitions in the literature had some insufficiencies and issues, which we address in this work and give what we believe are appropriate definitions for watermarking these primitives. And just to quickly state what some of these issues are, as defined in the literature, the KeyGen and Mark algorithms were paired, collusion resistance was not handled, and the unremovable notion ruled out valid attacks. This is the most devastating of the issues with the definitions currently in the literature. And now I'm just gonna go into a little bit more detail about the definitional issues. So for right now, I'm just gonna focus on the signatures aspect of the definitions. So as defined in Coen et al, there was a MarkGen algorithm, so the KeyGen and Mark algorithms were paired. So there was a MarkGen algorithm that took as input a tag tau and now put it a verification key, signing key tuple, where the signing key is marked with a tag tau. And the issue with this definition is, first of all, there's no notion of an unmarked signing key, right? The signing key is generated when this algorithm is given a tag tau, so in this diagram, there's only a marked signing key. And the other issue with this is that collusion resistance is not defined, right? Because the signing key is only generated when given a tag, it isn't possible to generate many marked versions of the same signing key with different tags. Okay, so this is not that big an issue, it's not very difficult to fix. We simply separate these algorithms, right? So we have a separate KeyGen algorithm and a Mark algorithm. So our KeyGen algorithm is first gonna generate a verification signing key pair, and then the Mark algorithm will take as input the signing key and a tag tau, and output a Mark circuit C sub tau that inputs this Mark signing key functionality. I mean, this new formulation of the definition, as you can see, there's an unmarked signing key now, right, the initial signing key output by the KeyGen algorithm. And also, it is easy to generate many marked versions of the same signing key, right? Because you can simply run the Mark algorithm with the same signing key and many different tags. Okay, now I'm gonna go into the issue with the unremovability definition. And so to do this, I have to describe the game in a little bit of detail. So the way the unremovability game is captioned and watermarking is there's a game between an adversary and a challenger. And what happens is the adversary picks some tag tau and sends it to the challenger, and is given back a circuit that implements a Mark signing key that is marked with this tag. And then the adversary's goal is to output some circuit C star. And what are the conditions required by the adversary? Well, so we're required that the adversary's circuit agrees with the Mark circuit on an epsilon fraction of inputs. Just think of epsilon as some, one by poly more than one half. So just like some majority fraction of inputs. And the other property or the adversary wins the game, basically, if the circuit output of the adversary is not considered to be marked with the tag tau. So the adversary has succeeded in removing the Mark, but has preserved the functionality on some fraction of inputs. And at first glance, this definition seems completely reasonable. And this is the definition given in Cohen at all. But there are some issues with this definition. And to illustrate this, just to give a quick example. So just suppose the Mark circuit was on the following form. Suppose C sub tau of X, simply outputted the tag tau in the clear, and then outputted a signature on X. And the tag tau and the signature are completely independent. So from a watermarking perspective, this thing should be considered completely broken. Okay, why is that? Well, there's a trivial adversarial unmovable strategy, which is to simply take this Mark circuit and restrict it to only output the second tuple. So it only outputs the signature now, and the tag is nowhere to be found. And this can easily be done. And now the adversary has succeeded in removing the tag, but the functionality has been completely preserved. This adversary's unmarked circuit outputs signatures everywhere. Okay, now what is the problem with the unremovability definition? Well, observe as stated, the adversary is required to output a circuit that agrees with the Mark circuit exactly, and the input output behavior must be preserved exactly on a majority of inputs. And in particular, that rules out this attack strategy, right, because this unmarked circuit, this attack, this unmarked circuit stated down there does not output the tag on any input. So this attack would not be admissible in the security game, and therefore under the security definition, this broken scheme would be considered provably secure under this unremovability notion. So how do we fix this issue? Well, the offending line is basically the fact that the functionality must be preserved exactly, the exact input output behavior. But what is the functionality of a signature scheme really? It's not necessarily the input output behavior is exactly preserved, rather the adversary circuit is useful if it can output a signature that verifies. So in our definition, we change the condition on the adversary to simply say that the adversary circuit outputs signatures that verify on say a majority of inputs. And the adversary's wind condition remains the same. Okay, so now I've put our definition on the left. Now let's see why is this fixed the problem? Well, in this example before, the adversary's unmarked circuit still outputs signatures. So the adversary's circuit will still verify everywhere with respect to the verification algorithm, yet the tag is nowhere to be found and the circuit will be considered unmarked. Okay, so now that I've dealt with, yeah, so now the broken scheme is considered to be broken properly under this definition. So furthermore, we can handle unruly also with this notion of collusion resistance where the adversary is now allowed to make an unbounded polynomial number of queries to a marking oracle and receive back the same mark signing key marked with many different tags. And the adversary's wind condition is now just modified to say the adversary wins if the extract algorithm doesn't output any of the tags for which it has been given a mark signing key. Okay, so now that I've talked about one of the main properties, let's talk about the other one, functionality preserving. So a natural definition for functionality preserving would basically be that the marked circuit should equal the unmarked signing algorithm almost everywhere. The input output behavior should be exactly preserved. But that leads us to the natural question, like what is functionality preserving for signatures? Is it really that the input output behavior is exactly preserved or is it the signature actually verifies? To try to illustrate this, suppose you have some official document that you wanna get approved, all you care about is that this document has been approved, right? You don't care exactly what the approval stamp on the document looks like. And so in this spirit in this work, our functionality preserving definition says that the marked circuit is only required to output signatures that verify with respect to the verification algorithm everywhere. It doesn't have to preserve the input output behavior exactly and output the same string. Okay, so now I've described how we defined watermarking signatures in this work. I'm gonna go into the construction. So what do we achieve? We achieve a watermarkable signature scheme that is from minimal assumptions, just the existence of signatures. And it is a fully public scheme. There's no reliance on any trusted watermarking authority. And all the prior work and the PRF constructions all required a trusted watermarking authority for either secret marking and or extraction. So the first fully public scheme. Moreover, we obtain full collusion resistance, meaning that in the security gain, the adversary can see the signing key marked with as many different tags of its choice. And all the previous constructions, we're not at all collusion resistant. All the PRF constructions and the IO constructions, meaning that even if the adversary saw the same signing key marked with two different tags, the scheme would be broken. So we've gone from basically no collusion resistance to full collusion resistance here. Okay, so how do we actually construct this? The construction is surprisingly simple and follows from standard signature techniques. So the unmarked circuit is just a simple signing algorithm. On a message M, it just simply outputs a signature. Okay, now, how does the mark algorithm work? Well, to mark with a tag tau, what first happens is you generate a new verification key signing key pair. And once that's done, the mark key is this new verification signing key pair along with the tag and the certificate signature under the original signing key of this verification key tag pair. Okay, now, how do you sign with this marked key? Well, you output this new verification key and the tag and the clear along with the certificate signature and then you sign the message M with the new signing key escape prime. Okay, now, why does this work? So how do you verify? To verify signatures from the unmarked signing key, you simply run the verification algorithm. And to verify signatures signed by the marked key, you do a two-step verification process where you first verify that the certificate signature is indeed a valid signature on this new verification key and the tag tau. And then once that's done, you also check that this signature on the message M verifies with respect to the new signing key escape prime. And if both checks pass, you say that the signature verifies. Okay, now, how would you extract, or, oh, sorry, observe here that the marked circuit outputs different signatures, clearly different signatures, than the unmarked circuit here, but both verify with respect to the verification procedure. Okay, so now, how would you extract? Well, the extraction procedure is very simple. You can simply just find tau in a valid signature. That is, you sample random messages, see what the circuit outputs and if a signature verifies in a marked circuit, the signature will be of the signatures of the form of a marked signature and you can just take tau straight from the signature. Okay, and why does unremovability follow? Well, if you look at the marked key, there's no information about the signing key in there except a signature on this verification key tag pair. So in particular, for an adversary to produce a signature by the unmarked algorithm, it would have to produce a forgery or to produce a signature by the marked algorithm. It would also have to produce a forgery on a different certificate of VK prime and tau, which it can't do. So in particular, the only kind of signatures you can output are signatures in a marked form where the tag tau is in the clear and it can be extracted. Okay. And just note that the extract algorithm in our construction does need to know the verification key in order to extract. However, this is assumed to be public, so this is not that big of a deal. Okay, and I don't have a lot of time to talk about our second construction, but just briefly, I'm just gonna say, so the other construction is on watermarking the decryption functionality of a public key predicate or attribute-based encryption scheme. And so what are our main results here? Well, we obtain secret marking and extraction fully collusion resistant watermarkable attribute-based encryption. And we obtain fully public bounded collusion resistant watermarkable predicate encryption. And the way we do this is using techniques that's conceptually similar to the notion of attribute-based trader tracing. And another property of this construction is we achieve stronger unroovability guarantees. In particular, our unroovability guarantees of a distinguished instead of a decryption flavor, like in trader tracing. And what I mean by that is that the adversary, even an adversary that outputs a circuit that is only good at decrypting two different messages encrypted under the same attribute, it can only distinguish between two types of ciphertexts against an adversary that outputs a circuit that's only good at distinguishing between two different types of encryptions, we can still recover the tag. So it doesn't need to be a good decryptor for basically almost anything, it just has to be able to get a good distinguisher between two types of encryptions and we can still recover the tag. Okay, and just to go in a little more detail on our construction of collusion resistant watermarkable AVE. So to just provide some intuition, we observed some parallels between trader tracing and watermarkable encryption. So for those not familiar, a trader tracing scheme is basically some public key encryption scheme where you can give out different secret keys to different users with the property that if some subset of users collude and create some like pirate decryption algorithm together, there exists some trace algorithm that can recover from this pirate decryptor one of the users that colluded to construct it. And this should intuitively seem similar to this notion of watermarkable encryption in the sense that like these mark keys kind of are like user decryption keys, right? Because the adversary is seeing many marked keys and then combines all these marked keys to try to come up with some like pirate circuit, some circuit where the mark has been removed, right? And an extraction should be sort of thought of as tracing, even given this pirate decoder or given this circuit that has been constructed by the adversary, you should still be able to extract or trace to recover the mark or like one of the users in the colluding set. So there's hopefully just some intuition as to how we might be able to achieve this using techniques from trader tracing. And basically we were able to do this using tools recently developed in the trader tracing literature, in particular the notion of mixed functional encryption introduced by Goyal, Coppola and Waters. And of course we needed attribute based encryption. Okay, so what are the main takeaways from our work? Well, we gave simple constructions of watermarking for public key primitives, right? We showed from one way functions or signatures how to get watermarkable signatures and we showed using mixed functional encryption and attribute based encryption how to get watermarkable AB or predicate encryption. And the other takeaway is that we strengthened definitions of watermarking and gave what we believe are appropriate definitions for watermarking these primitives, okay? And so this work leads to some natural open questions. Are there other ways to watermark other different cryptographic primitives simply from standard assumptions, right? In this work we showed that even public, even though public key primitives are more complex, seem more complex than secret key primitives, they can actually be watermarked quite simply. And maybe this holds for other cryptographic primitives for which watermarking has not been studied. Another natural open question is, can we obtain fully collusion resistant, fully public watermarkable AB? Recall in order to get this full collusion resistance we required a secret marking and an extraction. And the final open question I have is are there better or new definitions for watermarking, right? Because what our work shows sort of is that getting definitions for watermarking can be quite tricky and it's often tailored to the exact functionality that you want to watermark. So this is definitely a direction for future study. Thank you. If you have a question, please come to the microphone. I have two questions. Okay. One is, is there any particular applications of the collusion resistant watermarkable signatures? I mean, so for watermarked public inclusion is almost the same as trader tracing, right? Right, it's conceptually related to trader tracing, yes. So for signature case, is there any application of collusion resistant watermarkable signature? That's a good question. I mean, you might want to like, right, you might want to watermark your signature with different tags and be able to give them out to different users, right? Be able to put in names to different users and then have the property that these users cannot, right? Like this seems like a reasonable thing you might want to do, right? This seems related to group signatures or something. Okay. Yeah. So the second one is, so you said achieved collusion resistant watermarkable AB, right? So collusion resistant means, I think there are two aspects. I mean, collusion resistant AB or collusion resistant watermarking, which one do you refer? Yeah, so we get collusion resistant watermarking. Okay. The watermark is able to get the encryption circuit marked with unbounding polynomial number of tags. So it means as an ABE, it's not free collusion resistant or free collusion resistant. No, no, we've noted from collusion resistant ABE but bounding collusion resistant makes that be. Okay. Yes. More questions? Okay. So it's because again.