 Alright, so hello everyone, I'm Wu Pengyang and today I'm going to talk about how to construct or publicate what Macro PR is for. This is based on joint work with Zuo Xiaoyu, Ma Hoa, and Wili Sosilo. So a watermarking scheme can embed some information into a digital object without changing it too much. And it will be hard to remove the embedded information without destroying the watermarked object. In this talk, we consider watermarking schemes for programs, that is, the watermarked object is a program. Formally, it consists of three algorithms, namely, the characterization algorithm, which produces a pair of marked key and the stretching key, the marking algorithm, which embeds a message into a program with a marking key, and the correction algorithm, which extracts a message and embeds it in a watermarked circuit with an extraction key. Its correctness requires that the watermarked circuit should roughly preserve the functionality of the original program, and that the extraction algorithm can extract the correct message and embed it in a, yeah, honestly, watermarked circuit. Its mis-corrected requirement is unremovability, which requires that it will be computationally difficult for L03 to remove or modify the message and embed it in a watermarked circuit without changing it too much. So let me hope to have watermarking schemes for general functionalities. However, as shown by Covey and Holmes 2016, it is impossible to watermark a learnable functionality. A natural class of non-learnable functionalities are cryptographic ones, such as the decryption algorithm, the PR evaluation algorithm, and so on. So in the study, we mainly focused on watermarking schemes for cryptographic programs. And in this work, we also followed this and particularly focused on the evaluation algorithm of the PRF. So next, we give a more formal definition of the security of the watermarking scheme for PRF. There are two parties involved in the security definition, the challenger and L03. The challenger will first generate a pair of mark key and a traction key, and it also samples a PRF key. Then the L03 sends a message to the challenger, and the challenger will embed the message into the PRF key with a marker key. It then sends the results secured C star to the L03, and the L03 will create a secured C tilde. And it wins if the C tilde is close to the original watermarked C star, and the traction algorithm fails to attract the original message from C tilde. In this definition, we do not allow the L03 to learn either the marking key or the traction key. So we denote it as a secret key security here. We can also consider a strong L03 that can learn the mark key of the watermarking scheme, and this is called a permanent marking security. Alternatively, we can consider a L03 that learns a traction key but not a mark key, and this is denoted as a public traction security. And finally, we can consider public key security, whereas the L03 learns both the mark key and the traction key. So in real-world applications, if we use a watermarking scheme with the first three security guarantees, then we have to set up a watermarking authority to hold either the marking key or the traction key or both. Such authority is usually a single point of failure, because if a L03 crops the watermarking authority and gets the key holds there, then it is able to remove all messages embedded in all watermarked security. That is a serious security threat to the scheme. And if we use a watermarking scheme with public security, then we do not need such authority, and the problem can be resolved. So in practice, it is preferable to use a watermarking scheme with public key security. Unfortunately, also we have very elegant constructions of watermarking schemes that satisfy the first three security requirements. We do not know how to construct a public key with markable PIF. The goal of this work is therefore to construct the public key with markable PIF. So next we will see how to construct a public key with markable PIF. Our standpoint is a watermarker PIF with public traction and secure mark key. In this scheme, the PRK pay should be kept through it. And to embed a message into the PRK, the marking algorithm will use a secret mark key. And to extract a message from a watermark circuit, the collection algorithm will use a public traction key. So with this scheme, to construct a public key with markable PIF, our initial idea is to generate a fresh mark key and traction key for each PRK. That is, the new PRK PIF now includes the original PRK key, a fresh mark key, and a fresh traction key. In this way, there is no global marking key that should be kept through it. So the scheme should have public key security. After this modification, the marking algorithm can still work because it can use the mark key included in the PRK. But the collection algorithm doesn't work now because it needs to use the traction key. But the traction key is included in the PRK and can't be accessed by the traction algorithm. To solve this problem, we need a mechanism to send a key to the traction algorithm. It seems that the only way to do this is to put a key to the PRF output. And of course, we can't append it to the PRF output directly because it may ruin the determinist of the PRF. We solve this problem by using a PD scheme with pseudoram self-tapped. So let PK and SK be the public key pair of the PK scheme and put them into the public parameter of the Wattmark scheme. We also modify the PRF evaluation algorithm and append an encryption of the traction key to the original PRF output. Here the run list for the encryption is determined by the input X. To Wattmark PRK, the marking algorithm also unbind the message into the first part of the PRF evaluation algorithm. And then it keeps the second part of the evaluation unchanged. And to extract a message from the Wattmarked circuit, the encryption algorithm will first get EK from the second part of the secure port by decrypting it. Then it uses the recovered extraction key to extract the message from the first part of the security. So as the dosary is only allowed to modify the Wattmarked circuit on the spot version of the inputs, the encryption algorithms are likely to get the correct extraction key by decrypting the secure port or random input. And then by the security of the online publicly tractable Wattmarked PRF, the encryption algorithm can finally get the correct message. So the security follows. Also, we need to examine if the scheme has a secure run list. At first glance, the answer should be yes, because the PRF output now includes two parts. The first part is the output of a not-PRF, and the second part is the self-attacks over a Piki scheme with a super-random self-text. However, the self-attacks super-run list only holds against the other three without a secure key. And now as a secure key is put into the parameter, the dosary can learn it and then it can decrease the second part of the PRF output and see if they are all decrypted to the same volume. So it is very easy to distinguish it from the output of a random function. To solve this problem, we use a robust fast-kidbox PRF instead of the Piki scheme. In a nutshell, the robust of a fast-kidbox PRF is the PRF family, where the PRF key is associated with a secure S. A student still requires that given only a request to the PRF algorithm, no one could distinguish it from a random function. But it now additionally requires that it is easy to get a secure S and bind it in the PRF key. Given a secure S that implants the PRF algorithm. And based on this, we also need it to have robust vulnerability, which requires that the secure can be recovered from a secure S that is close to the PRF algorithm. Okay, so now with a robust on-off fast-kidbox PRF, we modify the construction as follows. First, we will include the PRF key of the underlying robust on-off fast-kidbox PRF into the PRF key of the constructed watermarking scheme. And the security embedded there is the creation key for the PRF key. We also replace the subtext in the PRF output with the output of the on-off fast-kidbox PRF. The marking algorithm still works as before. That is, it embeds the message into the first part of the PRF evaluation algorithm and remains a second part on change. And the creation algorithm now gets decayed from the second part of the given circuit. And then it uses the recovery key to get the to track the message from the first part of the security. This works because due to the vulnerability of fast-kidbox PRF, the creation algorithm can get the correct decay from the second part. Also, the robust vulnerability further guarantees that the creation algorithm can get a correct decay from the second part of the watermark circuit, even if it is modified by the A3. And then by security of the underlying publicly credible watermarker PRF, the creation algorithm can get the correct message from the watermark circuit that has been changed by the A3 slightly. So, the security follows now. Also, the pseudonist of the new construction comes from the pseudonist of the publicly credible watermarker PRF and that of the robust on-off fast-kidbox PRF and also the pseudonist holds. So, we have shown how to construct a publicly watermarker PRF from a watermarker PRF with production and a robust on-off fast-kidbox PRF. The first building block can be constructed from indistinability of fast-kidbox PRF as shown by Kohei et al. in 2016. And in this work, we give constructions of robust on-off fast-kidbox PRF from either watermark function or FHE with different trade-offs in their parameters. So, before continuing our discussion, we recall our first attempt again. The attempt fails because the creation algorithm can't get the creation key to perform the creation procedure. So, we note that if we consider a weak notion of watermarking, where the creation algorithm is allowed to use a hint about the PRF key, then this problem can be solved very easily by setting the hint to be the creation key. So, we call this a hinking watermarker PRF. And by using this new notion, we can divide our construction just mentioned into two parts. In the first part, we get a public hinking watermarker PRF from a watermarker PRF with publication. And in the second part, we upgrade the public hinking watermarker PRF to be a standard public watermarker PRF using a robust on-off fast-kidbox PRF. Okay, so next we will see how to get public watermarker PRF from simpler assumptions. Thanks to our general framework, it is sufficient to show how to construct public hinking watermarker PRF from simpler assumptions. So, the construction is built on a puncture PRF. Roughly speaking, a puncture PRF allows one to puncture a PRF key on an input at start. The puncture key functions identically as the original key on all other inputs. And it will hide the real output, a real PRF output on the puncture point x star. So, now with puncture PRF, we construct the public hinking watermarker PRF as follows. The new PRF key, capital K, includes the PRF key of the puncture PRF and the random input x star. We also compute the PRF output y star of x star and compute this star as g of y star, where g is an injective one-way function. The hint is the hint that includes x star as this star. To watermark the PRF evaluation algorithm, the marking algorithm just punctures the PRF key on x star, and the circuit will evaluate with the punctured key. Also, to test if the circuit is work marked, the expression algorithm will test if the circuit is punctured on x star. That is, if the circuit error is cx star is not equal to y star. Since g is an injective function, it is equivalent to test if g of c of x star is not equal to this star. This can be finished by using only the information from the hint and the given circuit. Also, the security of the injective one-way function and the security of the puncture PRF guarantees that the adversary is not able to learn y star from the hint and the watermarked circuit, so it is not able to generate a circuit that outputs y star on input x star. And thus, it can't make a watermarked circuit unmarked, and the security follows. Okay, so by putting the bow construction into our blueprint, we get a public key watermarked PRF from either one-way function or one-way function plus FHE, with different trade-offs in the parameters. The construction has a restriction that it only supports marked binding, that is, the circuit is either marked or unmarked, and unlike the construction from RO, which has message unbending, we also give a construction of a message unbending public key watermarked PRF purely from standard lattice functions by using a pointed FHE scheme. Please see our full paper for the construction. To conclude, in this work, we give a general framework that constructs public key watermarked PRF from a public hinting watermarked PRF, and a robust FASCULAR PRF. We also insetiate boost primitive from different assumptions with different trade-offs. The main trade-offs we consider in this work include whether the scheme supports message binding and how large the parameter amp-snow is. The parameter amp-snow denotes the version or inputs of C star that can be modified by the industry. And if you observe our results, you will see if you hope to have message unbending, and if you don't want to use RO, then you will have a very, very small amp-snow, which is a concrete, exponentially small volume. Also, if you hope to have constant amp-snow, then you have to use FHE, even if you have used RO. And finally, now our constructions can choose an optional amp-snow, which is roughly one or two. So it is an interesting open problem to construct public key watermarked PRF without the restrictions. So now to conclude, in this work, we initiate the study of public key watermarked PRF, and that is just a start. There are many, many interesting open problems in this area. Okay, so that's all. Thanks for attention, and I'm happy to answer your questions.