All right, thank you very much for the introduction. This session is on cryptographic watermarking. So let's begin by discussing what watermarking actually is. Watermarking generally refers to a way of embedding a mark into some digital content like photos or images. This is often used to identify who the owner of the content is and to prevent unauthorized distribution of that content. You may have seen a version of a photo or an image that has the word "sample" embedded on top of it. This is an example of digital watermarking. If you look at this photo and you really like it, then you can pay the photographer, and the photographer can provide you with the original image that is not watermarked. For these types of scenarios, a watermarking scheme is useful only if it satisfies the following two properties. First, even after you embed a mark into a photo or an image, most of its original content should still be viewable. At the same time, it should be very difficult for anyone to remove this watermark without significantly altering or essentially destroying the original content of the image. Just like we can talk about watermarking for photos or images, we can also talk about watermarking for software. In this scenario, we want a way to embed a mark into some program or piece of code while preserving the functionality of the program. That is, we want the final marked program to still be executable and have the same input/output behavior as the original program. But at the same time, if an adversary gets access to this marked program, it should be very difficult for them to remove the watermark without significantly altering or essentially destroying the original program. So more formally, we define a watermarking scheme with respect to two algorithms, Mark and Verify.
The marking algorithm takes in a marking key and a program, which we model as a circuit, along with a message, and it outputs a circuit C prime that has the message embedded inside it. The verification algorithm takes in a verification key and a circuit C prime, and it either extracts the message that is embedded inside the circuit or outputs bot. This is the syntax of a traditional message-embedding watermarking scheme. For this talk, though, I'll focus on a simpler variant where the message to be embedded is just a single bit, so all circuits are either marked or unmarked. In this case, the verification algorithm takes in a circuit and outputs zero or one, depending on whether the circuit is marked or not. So this is the traditional syntax for a watermarking scheme. What are the properties that these two algorithms should satisfy? The first property is functionality preserving, which says that the marked circuit output by the marking algorithm should behave essentially like the original program. How do we formalize this? We require that the input/output behavior of the marked and unmarked circuits be the same on all but a negligible fraction of the inputs in the domain.
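To make the functionality-preserving condition concrete, here is a small Python sketch (my own illustration, not part of any construction from the talk) that estimates the agreement fraction between two circuits by random sampling:

```python
import random

def agreement(c1, c2, domain_size, samples=1000):
    """Estimate Pr_x[c1(x) == c2(x)] over a uniformly random input x.

    Functionality preserving means this fraction should be ~1 when c1 is
    the original circuit and c2 is its marked version.
    """
    xs = random.choices(range(domain_size), k=samples)
    return sum(c1(x) == c2(x) for x in xs) / samples
```

A marked circuit that differs from the original on only a negligible fraction of the domain will score close to 1 under this test.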
The second property is unremovability, which says that no efficient adversary who is given a marked circuit C prime can produce another circuit, say C tilde, that has almost exactly the same input/output behavior as the marked circuit C prime but that the verification algorithm fails to detect as marked. All right, so these are the formal definitions for a watermarking scheme. Let's see what we currently know about cryptographic watermarking. The first question we should ask is: what types of programs can we actually watermark? Can we construct a watermarking scheme that works over arbitrary programs and still satisfies functionality preserving and unremovability? It turns out that the answer is no. The work of Cohen et al. in 2016 showed that watermarking is actually impossible for a large class of programs, specifically programs that implement learnable functions: functions whose canonical representation can be easily deduced from the input/output behavior of the function. Due to this impossibility, a lot of the research effort in this area has focused on constructing watermarking schemes for programs that implement cryptographic functions, because cryptographic functions represent a large class of unlearnable functions. In this talk we'll also focus on constructing a watermarking scheme for cryptographic functions, and specifically for pseudorandom functions (PRFs). In the next talk you'll hear more about constructing watermarking schemes for other cryptographic primitives like digital signatures or public-key encryption schemes. All right, so what do we currently know about watermarking for PRFs? The first positive result came in 2016 from the work of Cohen et al., who showed that using an indistinguishability obfuscator and one-way functions, we can watermark a large class of PRFs.
A very nice property of their construction was that the resulting watermarking scheme was publicly verifiable. This means that all the users in the system have access to a public verification key and can run the verification algorithm themselves, which is a really nice property to have for most applications of a watermarking scheme. A natural question that followed from their work was whether we can construct a watermarking scheme for PRFs relying only on standard assumptions. In 2017, Kim and Wu showed that this can indeed be done: they constructed a watermarkable family of PRFs relying only on the standard learning with errors (LWE) assumption. In contrast to the Cohen et al. construction, the construction of Kim and Wu was only privately verifiable. Since this distinction will be relevant for explaining our result, let me quickly compare the two settings. In the publicly verifiable setting, all the users in the system have access to a public verification key. So if a user has some circuit C prime and wants to check whether it is marked or unmarked, they can just look up the public verification key and run the verification algorithm themselves. In the privately verifiable setting, the verification key has to be kept private from all the users in the system. So if a user has some circuit and wants to check whether it is marked or unmarked, they have to go to a verifying authority, who runs the verification algorithm for them. The private verifiability setting is weaker than the public verifiability setting, but it is still useful for many applications of watermarking. So this is how the landscape looked in 2017: we had a privately verifiable watermarking scheme from the learning with errors assumption, and we had a publicly verifiable watermarking scheme from obfuscation.
And I guess the big driving question in this area was whether we could go from a privately verifiable watermarking scheme to a publicly verifiable watermarking scheme relying only on standard assumptions. Just last year there was a very nice work due to Quach, Wichs, and Zirdelis, who constructed a privately verifiable watermarking scheme using just a CCA-secure encryption scheme and a privately puncturable PRF. They showed that, relying only on these two ingredients, they can construct a watermarking scheme for PRFs that achieves a much stronger security guarantee than the construction of Kim and Wu. Recall that in the private verifiability setting, all the users in the system have to go to a verifying authority to check whether a circuit is marked or unmarked. In the Kim and Wu construction, if there was a malicious user in the system who had oracle access to the verifying authority, then security was actually compromised. A malicious user can cook up some circuit and send it over to the verifier, and the verifier responds with either marked or unmarked. The user then constructs another circuit, and another, and so on. After some point, the malicious user can gather enough information to remove the mark from any marked circuit. In the setting of proof systems this is sometimes called the verifier rejection problem. For watermarking, this is actually not so much of a problem for applications where verification is done infrequently, like in legal disputes, but it is still not a good property to have for most other applications. The QWZ construction completely removes this verifier rejection problem from the original Kim-Wu construction, which is really nice, and the construction is also quite simple and quite clever.
I encourage everyone to read their paper. The QWZ construction had some caveats of its own, however, and these are related to security against the verifying authority. The PRF family that QWZ construct is a perfectly fine PRF: it is a secure PRF against any user in the system who does not have access to the verification key. But to the verifying authority, who does have the verification key, the PRF family was completely insecure. The verification key that the authority holds basically acts as a trapdoor, or some backdoor information, that totally compromises the security of the PRF family. It's important to understand this point carefully. For marked circuits, satisfying the traditional notion of pseudorandomness against the verifying authority is actually impossible: first, the watermarking authority needs access to the PRF key in order to watermark the circuit, and second, the verification algorithm itself becomes a distinguisher for the marked circuit. However, unmarked circuits should still satisfy some level of pseudorandomness against the verifying authority. If a user in the system generates their own PRF key and uses it for different purposes, but never watermarks this PRF, then it should still be pseudorandom to the authority who has access to the verification key. And in fact, even for marked circuits, security against the authority is well-defined. We can consider a scenario where the marking procedure is done by a secure two-party computation between the authority and the user: the marking authority sends in the marking key, and the user submits the circuit that they want watermarked. In this scenario, the verifying authority never learns the PRF keys of the users in the system.
So security against the authority is actually well-defined for marked circuits, and while strong pseudorandomness against the authority is ruled out by the verification algorithm itself, marked circuits can still be a perfectly fine weak PRF against the authority. And weak PRFs still suffice for a lot of applications in cryptography, like symmetric encryption. All right, so this is where our work comes in. In this work we construct a new privately verifiable watermarking scheme for PRFs from the standard learning with errors assumption. We remove the verifier rejection problem that was present in the Kim-Wu construction, just like the QWZ construction does, and the PRF family that we construct actually has some security against the verifying authority; in particular, it provides weak pseudorandomness against the authority. In fact, the PRF family we construct satisfies a stronger security definition called T-restricted pseudorandomness, but I will not define that in this talk; I refer you to the paper for the specific definition. Another nice property of our construction is that its security relies on a much weaker variant of the LWE assumption compared to previous works. The security of our construction relies on the hardness of approximating worst-case lattice problems to only nearly polynomial approximation factors, while previous works needed sub-exponential approximation factors. Along the way to achieving these results, we define a new abstraction called an extractable PRF, which we think is a very natural notion and which we believe is of independent interest for future work. All right, so in the last few minutes that I have, let me give a quick overview of what we do at a technical level.
As in previous works, we rely on an object called a puncturable PRF, which is just like a standard PRF, but it has a puncturing algorithm that takes in a standard PRF key and punctures it at some specific point, say x star, to derive a new punctured key. This punctured key can be used to evaluate the PRF on all points in the domain except the punctured point. In addition to the traditional requirements of a puncturable PRF, we can define an additional set of properties that is useful for watermarking. First, we can define the notion of private puncturing, which says that the punctured key does not reveal any information about the point that it is punctured at. We can also define the notion of programmability, which says that given some specific output, say y star, the puncturing algorithm can puncture a key such that the PRF evaluation at the punctured point evaluates exactly to y star. If you had a puncturable PRF that satisfies all of these properties, then it's actually relatively straightforward to watermark such a PRF. We can define the marking algorithm to just puncture the PRF key in a specific way: the marking algorithm takes in a PRF key to watermark, derives a special input/output pair x star and y star, and punctures the PRF key such that the PRF evaluation at x star outputs y star. The verification algorithm is quite simple: given some circuit, it derives this specific input/output pair and just tests whether the circuit evaluates to y star on input x star. So if you don't care about the verifier rejection problem, then this is actually a perfectly fine watermarking scheme.
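To make this concrete, here is a toy Python sketch of the puncture-and-program approach. This is my own illustration: HMAC stands in for the lattice-based PRF, and the key derivation of (x star, y star) from the watermarking key is hypothetical. A real scheme uses a privately puncturable PRF, so the marked key itself would hide x star, unlike this transparent closure:

```python
import hashlib
import hmac
import os

def prf(k, x):
    # Toy PRF: HMAC-SHA256 stands in for the real puncturable PRF.
    return hmac.new(k, x, hashlib.sha256).digest()

def special_pair(wk):
    # Derive the special input/output pair (x*, y*) from the
    # watermarking key (hypothetical derivation, for illustration).
    x_star = hmac.new(wk, b"x_star", hashlib.sha256).digest()
    y_star = hmac.new(wk, b"y_star", hashlib.sha256).digest()
    return x_star, y_star

def mark(wk, k):
    # "Puncture and program": the marked circuit outputs y* at x*
    # and agrees with prf(k, .) everywhere else.
    x_star, y_star = special_pair(wk)
    return lambda x: y_star if x == x_star else prf(k, x)

def verify(wk, circuit):
    # Accept iff the circuit evaluates to y* on input x*.
    x_star, y_star = special_pair(wk)
    return circuit(x_star) == y_star
```

Here the marking and verification keys are the same, matching the privately verifiable setting; an unmarked PRF passes verification only with negligible probability, and the marked circuit agrees with the original everywhere except at x star.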
The security relies on the fact that the special point x star remains hidden from the adversary, which is guaranteed by the privately puncturable PRF. However, if the adversary has access to the verification oracle, then even if you use a privately puncturable PRF, the special point x star is completely revealed to the adversary. What the adversary can do is a binary search attack: given some PRF circuit, it changes the outputs on half of the inputs and submits the result to the verifier. Depending on the output of the verification oracle, the adversary can tell whether the special point x star lies in the modified set or the unmodified set. So by making a single call to the verification oracle, the adversary is able to rule out half of the inputs as candidates for x star. The adversary can repeat this procedure over and over, each time ruling out half of the remaining inputs, and eventually it learns the special point x star. So the first question that we ask in this work is: can we force the adversary to rule out only a small fraction of the inputs? Is there a statistical test that the verification algorithm can run to force the adversary to rule out only a very small fraction of the inputs per query, so that an efficient adversary cannot rule out a large enough fraction of the inputs to recover x star? All right, so this is where our new notion of an extractable PRF comes in. Technically, an extractable PRF is an independent notion, separate from puncturable PRFs, but for this talk let me explain it as an additional property that we can add on to a puncturable PRF.
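The binary search attack just described can be sketched as follows (a toy illustration over a small integer domain, where `verify_oracle` plays the role of the verifying authority and the marked circuit maps integers to integers):

```python
def binary_search_attack(marked, verify_oracle, domain_bits):
    """Recover the hidden point x* with about domain_bits oracle queries.

    Each query garbles the outputs on half of the remaining candidate
    interval; the oracle's answer reveals which half contains x*.
    """
    lo, hi = 0, 1 << domain_bits
    while hi - lo > 1:
        mid = (lo + hi) // 2

        def tampered(x, mid=mid, hi=hi):
            # Garble the outputs on the upper half [mid, hi).
            return marked(x) ^ 1 if mid <= x < hi else marked(x)

        if verify_oracle(tampered):
            hi = mid  # mark survived, so x* lies in the untouched lower half
        else:
            lo = mid  # mark was destroyed, so x* lies in the garbled half
    return lo
```

Each oracle call halves the candidate set, so roughly log of the domain size queries suffice to leak x star.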
We say that a puncturable PRF is extractable if there exists a special point z such that if you evaluate the PRF at z, it gives you an encoding of the original PRF key k. So if you know the special point z and you are given a PRF circuit, you can evaluate the circuit at z and get some information about the original PRF key k. This encoding of the PRF key k still looks random to anyone in the system who does not have access to the trapdoor information for the PRF, but with access to the trapdoor associated with the PRF, you can completely recover the original PRF key associated with the extractable PRF. Our plan is to move this special point z and the trapdoor information into the watermarking verification key, so that the verification algorithm for the watermarking scheme can extract the original PRF key and run a statistical test on the adversary's verification queries. So this is our watermarking scheme: given an extractable PRF, we construct a watermarking scheme as follows. The marking algorithm remains the same as before: it derives the special input/output pair x star and y star and programs this pair into the truth table of the PRF. The verification algorithm also starts the same way: it derives the special input/output pair and tests whether the circuit evaluates to y star on input x star. But since we are using an extractable PRF, the verification algorithm now runs an additional statistical test on the queries submitted to the verification oracle. Given a circuit to verify, it first extracts the original PRF key associated with the circuit using the trapdoor information.
Then it runs a statistical test to check whether the circuit given to the verification algorithm and the PRF defined by the extracted key have similar input/output behavior. The verification algorithm accepts the circuit as a marked circuit if and only if both of these conditions are satisfied. Now the adversary cannot run the binary search attack, because if the adversary modifies the outputs on half of the inputs, then either the key extraction will fail, in which case the verification algorithm outputs zero, or the key extraction will succeed and the algorithm will detect that the circuit C differs from the original PRF on a sufficiently large fraction of the inputs. So this is how we achieve unremovability in the presence of the verification oracle. Security against the authority is actually quite simple. If you look at the domain of an extractable PRF, there are only two special points, x star and z. By the correctness and pseudorandomness of the original puncturable PRF, as long as the PRF is not evaluated on these two special points, it is actually pseudorandom. Unfortunately, due to time, I will not be able to cover a lot of the technical details that are in the paper. How do we actually construct this extractable PRF? We do a lot of work in the paper to construct this object using algebraic techniques. Also, the statistical test that is actually run by the verification algorithm is a little more involved than I described, so I will refer everyone to the paper. And defining the right notion of an extractable PRF is actually much more difficult than it seems.
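Putting the pieces together, here is a toy Python sketch of verification with key extraction plus a statistical test. This is my own illustration only: the "encoding" at z is just the key XORed with a trapdoor pad, which is of course not a secure instantiation, and the real statistical test is more involved:

```python
import hashlib
import hmac
import os
import random

DOMAIN_BITS = 16

def prf(k, x):
    # Toy PRF with one-byte outputs; HMAC stands in for the real PRF.
    return hmac.new(k, x.to_bytes(4, "big"), hashlib.sha256).digest()[0]

def make_marked_circuit(k, x_star, y_star, z, pad):
    # Toy extractable PRF: evaluating at z yields an encoding of k
    # (k XOR pad), recoverable only with the trapdoor pad.
    enc = bytes(a ^ b for a, b in zip(k, pad))
    def circuit(x):
        if x == z:
            return enc
        if x == x_star:
            return y_star
        return prf(k, x)
    return circuit

def verify(vk, circuit, samples=64, threshold=0.9):
    x_star, y_star, z, pad = vk
    # Step 1: extract the embedded PRF key via the special point z.
    enc = circuit(z)
    if not isinstance(enc, bytes) or len(enc) != len(pad):
        return 0  # key extraction failed: reject
    k = bytes(a ^ b for a, b in zip(enc, pad))
    # Step 2: statistical test -- the circuit must agree with prf(k, .)
    # on almost all sampled inputs.
    xs = random.sample(range(1 << DOMAIN_BITS), samples)
    agree = sum(circuit(x) == prf(k, x) for x in xs if x not in (x_star, z))
    if agree < threshold * samples:
        return 0  # circuit is too far from the extracted PRF: reject
    # Step 3: the usual mark check at (x*, y*).
    return int(circuit(x_star) == y_star)
```

An adversary who garbles half the outputs now fails the statistical test rather than leaking where x star sits, so each rejected query rules out far less of the domain.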
I will also refer you to the paper for the details of this definition. So let me conclude with some open problems. In the paper we do a lot of work to construct this extractable PRF using algebraic techniques, but there may be generic techniques that also give you an extractable PRF. For instance, can we use a CCA-secure encryption scheme to construct an extractable PRF? I think that may be possible, but right now it's actually not clear. And the big question in this area is still whether we can get from a privately verifiable watermarking scheme to a publicly verifiable watermarking scheme relying only on standard assumptions. So that's basically it. Thank you very much. [Session chair] If you have a question, please come to the microphone. [Question] Do you have any hope of achieving a publicly verifiable watermarking scheme for PRFs from standard assumptions? [Speaker] Well, that's very hard to tell, but if you ask me, I think it's possible; at this point, though, it's not really clear. [Question] Is there some relationship between extractable PRFs and robustly unobfuscatable PRFs? I forget exactly what they're called, the ones that you cannot obfuscate as long as the obfuscation approximates the original. You know what I'm talking about? [Speaker] Oh, okay, yeah, let's bring this up afterwards. [Session chair] Any more questions? Okay, let's thank the speaker again.