 Hi, I'm Ryo Nishimaki. I'm going to talk about equipping public key cryptographic primitives with watermarking, or a whole is to watermark. In this work, we present how to add watermarking functionality to existing public key cryptographic primitives which do not have watermarking functionality. More specifically, we show that if a public key scheme satisfies some conditions, it is watermarkable. The efficiency of the watermarkable schemes is almost the same as that of original schemes. Let's start with what is watermarking? Digital watermarking enables us to embed the message into a digital object, like image. Even if a message is embedded, a watermarked object preserves the original functionality. I inserted my name into this photo to claim that this photo was taken by me. The photo still looks good, even with the watermark. If we remove the watermark, the watermarked object loses its functionality. I removed my name from the photo, then the image is significantly damaged and does not look as the original. In this work, we focus on watermarking public key cryptographic primitives, such as public key encryption. In the PKE case, we watermark decryption functions. In the signature case, we watermark signing functions. In advanced encryption cases, such as identity-based encryption, we watermark decryption functions or key generation functions. More formally, there are two main requirements on watermarking. The first one is functionality preserving. C-childer is a watermarked function with message MSG. For except a negligible fraction of inputs, the output of C-childer is the same as that of C. The other one is unremovability. We cannot remove a mark without destroying the functionality. That is, if the embedded message is changed, the function does not preserve the original functionality. Goya et al. presented general constructions of watermarkable public key cryptographic primitives. These are built from scratch and in efficient. However, many efficient public key cryptographic primitives have been proposed so far. We want to use them if possible. Our question is, can we add watermarking functionality to existing public key cryptographic schemes? We give an affirmative answer to this question in this study. We prove the following theorem. If a public key cryptographic scheme satisfies some conditions, it is watermarkable. More specifically, the condition is that a scheme has a canonical all-but-one reduction, which is formalized in this study. What is an all-but-one reduction? All-but-one reduction is a proof technique for selective security. After Bonnet Boyen used this technique for their IBE scheme, it became a common approach to prove selective security. In the selective security game, the adversary must declare a target attribute at the beginning of the game. There are many public key cryptographic schemes that use all-but-one reduction, Sahai-Votas-Fuzzy-IBE, GPSW attribute-based encryption, Qth-Tag-Based-CCF-PKE, and many more. I explain the selective security game by using the signature case. The adversary declares the target message at the beginning of the game. Then the challenger sends a verification key to the adversary. Next, the adversary sends signing queries to the challenger. When a message is queried, the challenger answers a valid signature for the queried message. At some point, the adversary output a forced signature for the target message. If the forced signature is a valid signature for the target, the adversary wins. I explain a high-level overview of all-but-one reductions by using the Bonnet Boyen signature case. The signature scheme is selectively secure under the computational Defi-Helman assumption. The all-but-one reduction works as follows. First, the reduction is given a problem instance, pi, which consists of G, G2DA, G2DB. When the adversary declares the target message, the reduction simulates a verification key by using the problem instance and the target message. Note that the reduction does not have the secret signing key of the signature scheme. At this point, the message space of the signature scheme has a hole, or it is punctured at the target message. What does the hole mean? The reduction must simulate the signing oracle to run the adversary. To answer the signing queries, the reduction uses the problem instance and the target message. The point is that an all-but-one reduction can answer all queries except the target because it carefully embeds the problem instance and the target message into the verification key. So we say that the message space is punctured at the target message. This is the reason why we call the reduction all-but-one. When the adversary output a forged signature, the reaction extracts a solution to the problem instance by using the forged signature and the randomness used for the simulation. This is an overview of all-but-one reductions. I skipped how to simulate the verification key and the signatures, but they are not essential in this overview. Let's move to how to achieve watermarking functionality by using all-but-one reductions. The hole in the message space works as a watermark. Let's look closer at the oracle simulation part again. The oracle simulation works for all messages except the target. I show this oracle simulation part is a watermarked signing function. Imagine we can describe the oracle simulation part as a stateless, randomized algorithm. This algorithm outputs a valid signature for a message that is different from the target. So this algorithm has the functionality preserving property. How to detect the mark? If a function does not output a valid signature for the target message, it is marked. Next, we consider we give the stateless, randomized algorithm to the adversary. If the adversary output a function that outputs a valid signature for the target message, this means the adversary removed the mark. What does this fact mean? The all-but-one reduction for proving the selective security works even if we replace the signature adversary with the watermarking adversary. The reduction can stimulate the verification key and the watermarked signing function from the programming instance and extract the solution to the programming instance. This means that if the CDH assumption holds the watermark is unremovable. Therefore, the whole works as a watermark. I explained a high-level overview of the idea. There are a few issues in the idea. First, the all-but-one simulation part must be stateless and must not have all-but-one access. We call such all-but-one reduction canonical. If it is not canonical, we cannot give a watermarked function to the adversary. This is the reason why we need canonical all-but-one reduction. Most well-known selectively secure schemes have canonical all-but-one reductions. Next, in security reductions, we have a problem instance. However, in a real scheme, we do not have a problem instance. So the question is, how to construct a watermarked function in a real scheme? In fact, we can observe, we can simulate a problem instance by using a secret key of a scheme. Lastly, the all-but-one simulation part includes randomness for simulating the public verification key. Giving the information to the adversary might cause a problem. However, it doesn't harm the security thanks to randomness in problem instances. We formalized canonical all-but-one reductions in this study. An all-but-one reduction is a security reduction from selective security of a scheme to a problem instance. I list the main properties of all-but-one reductions. The all-but-one all-but-one simulation property was already explained. The all-but-one simulation part is described as a stateless, randomized algorithm. The answer checkability means we can publicly verify an all-but-one answer is valid or not for an honestly generated input. For example, in the CCA security case, we can check a decreed value is a valid plain text or not if we honestly generate a ciphertext. The attack substitution property means if we get the valid answer for the target query, we can extract a solution to a problem instance. What we need in reductions is not the adversary itself, but the valid answer for the target query. So a reduction works even if we replace an adversary for selective security with an adversary for watermarking. The problem instance simulation property was already explained. We can create a valid problem instance from a secret key of the scheme. I skip many decades due to a time limit, but canonical all-but-one reduction is formalized in this study and all issues in the previous slide are overcome in most well-known selectively secure schemes. So far, we saw all but one reductions are watermarked functions. This is public mark and public extract watermarking. However, we can achieve only mark embedding watermarking. That is, we can check a function is marked or unmarked. We want to embed a message. To do this, we generalize all but one reduction to all but n reductions. In a canonical all but n reductions, we can puncture polynomially many points. The question is, existing schemes have all but n reductions or not? The answer is yes, if we slightly modify them. If a scheme is powering based, we can achieve an all but n reduction by using weak programmable hash functions. In the last space cryptography case, we can achieve an all but n reduction by using the fully key homomorphic property. In the Bonne-Boyen IBE or signature case, we can achieve an all but n reduction by using Q-type assumptions. Unfortunately, we do not have a general conversion from all but one to all but n reduction, but we can achieve all but n reductions for most cases of public key encryption, signature and identity-based encryption. Beyond IBE, we do not know how to achieve an all but n reduction. To embed an L-bit message, we prepare two L points. If the ice bit is zero, we puncture the del part of the ice pair. If the ice bit is one, we puncture the one part of the ice pair. This idea seems to work. However, it is easy to destroy the functionality at any point since all points are public. In the example, if we destroy the functionality at point T sub I zero, then the ice bit is set to both since both points do not work. To overcome this attack, we use a pseudo-random function and hide all points. However, if an adversary randomly destroys the functionality at many points, what happens? The adversary might succeed to remove the message by this attack. To prevent this attack, we prepare two L vectors and puncture many points. If all points in the del part are punctured and at least one point in the one part works, the ice bit is set to zero and vice versa. In this construction, we can show if an adversary can destroy the functionality at many points and remove the mark, the functionality is lost. If an adversary can recover the functionality at the punctured point, this contradicts to the all but any reduction property. So this message embedding scheme is secure. Lastly, I briefly compare the water marking scheme with previous constructions. Goya et al. presented general constructions of water markable public cryptographic schemes. They are collision resistant, some of them are adaptively secure. However, their constructions are not efficient and do not achieve CC security for PKE. On the other hand, our schemes are efficient since they are based on existing efficient schemes. In addition, our schemes achieve CC security for PKE. However, our schemes are not collision resistant and achieves only selectivity security. Therefore, their schemes and ours are incomparable. Please see the paper for the detail of the comparison. Let's see the efficiency of our water markable PKE scheme. Our scheme can be instantiated with the standard traditional by linear Deffie-Hellman assumption. The ciphertext consists of only two group elements and randomness for hash function. The scheme achieves CC security. The water marking scheme is secret mark and secret extract since we use a PLF. However, the scheme is secure even if an adversary is given the mark and extract orc. Let me summarize my talk. We presented a general framework to achieve water marking functionalities by using all but one or all but n reductions. We formalized all but one and all but n reductions and showed that such reductions works as water marked functions. That is, we can add water marking functionality to existing public key cryptographic schemes since most existing selectively secure schemes have all but one reductions. This is the first systematic approach that uses security reductions to achieve a new functionality. These are our main contributions. This is the take home message of my talk. A whole is two water mark. Thank you for listening.