Watermarking Cryptographic Functionalities from Standard ...Functionality-preserving: On input a...
Transcript of Watermarking Cryptographic Functionalities from Standard ...Functionality-preserving: On input a...
Watermarking Cryptographic Functionalities from Standard Lattice Assumptions
Sam Kim and David J. Wu
Stanford University
Digital Watermarking
CRYPTO 2017
CRYPTO 2017 CRYPTO 2017
CRYPTO 2017
Often used to identify owner of content and prevent unauthorized distribution
Digital Watermarking
CRYPTO 2017
CRYPTO 2017 CRYPTO 2017
CRYPTO 2017
โข Content is (mostly) viewable
Digital Watermarking
CRYPTO 2017
CRYPTO 2017 CRYPTO 2017
CRYPTO 2017
โข Content is (mostly) viewableโข Watermark difficult to remove (without destroying the image)
Watermarking Programs[NSS99, BGIRSVY01, HMW07, YF11, Nis13, CHNVW16, BLW17]
CRYPTO
Embed a โmarkโ within a program
If mark is removed, then program is destroyed
Two main algorithms:โข Mark wsk, ๐ถ โ ๐ถโฒ: Takes a circuit ๐ถ and outputs a marked circuit ๐ถโฒ
โข Verify wsk, ๐ถโฒ โ 0,1 : Tests whether a circuit ๐ถโฒ is marked or not
Two main algorithms:โข Mark wsk, ๐ถ โ ๐ถโฒ: Takes a circuit ๐ถ and outputs a marked circuit ๐ถโฒ
โข Verify wsk, ๐ถโฒ โ 0,1 : Tests whether a circuit ๐ถโฒ is marked or not
Watermarking Programs[NSS99, BGIRSVY01, HMW07, YF11, Nis13, CHNVW16, BLW17]
CRYPTO
Embed a โmarkโ within a program
If mark is removed, then program is destroyed
Both marking and verification require a secret
watermarking key wsk
Two main algorithms:โข Mark wsk, ๐ถ โ ๐ถโฒ: Takes a circuit ๐ถ and outputs a marked circuit ๐ถโฒ
โข Verify wsk, ๐ถโฒ โ 0,1 : Tests whether a circuit ๐ถโฒ is marked or not
Watermarking Programs[NSS99, BGIRSVY01, HMW07, YF11, Nis13, CHNVW16, BLW17]
CRYPTO
Embed a โmarkโ within a program
If mark is removed, then program is destroyed
Extends to setting where watermark can be an
(arbitrary) string [See paper]
Watermarking Programs[NSS99, BGIRSVY01, HMW07, YF11, Nis13, CHNVW16, BLW17]
CRYPTO
Functionality-preserving: On input a program (modeled as a circuit ๐ถ), the Mark algorithm outputs a circuit ๐ถโฒ where:
๐ถ ๐ฅ = ๐ถโฒ(๐ฅ)on all but a negligible fraction of inputs ๐ฅ
Mark
Watermarking Programs[NSS99, BGIRSVY01, HMW07, YF11, Nis13, CHNVW16, BLW17]
CRYPTO
Functionality-preserving: On input a program (modeled as a circuit ๐ถ), the Mark algorithm outputs a circuit ๐ถโฒ where:
๐ถ ๐ฅ = ๐ถโฒ(๐ฅ)on all but a negligible fraction of inputs ๐ฅ
MarkPerfect functionality-preserving impossible assuming obfuscation [BGIRSVY12]
Watermarking Programs[NSS99, BGIRSVY01, HMW07, YF11, Nis13, CHNVW16, BLW17]
CRYPTO
Unremovability: Given a marked program ๐ถ, no efficient adversary can construct a circuit ๐ถโฒ where
โข ๐ถโฒ ๐ฅ = ๐ถ(๐ฅ) on all but a negligible fraction of inputs ๐ฅโข Verify wsk, ๐ถโฒ = 1
Watermarking Programs[NSS99, BGIRSVY01, HMW07, YF11, Nis13, CHNVW16, BLW17]
CRYPTO
Unremovability: Given a marked program ๐ถ, no efficient adversary can construct a circuit ๐ถโฒ where
โข ๐ถโฒ ๐ฅ = ๐ถ(๐ฅ) on all but a negligible fraction of inputs ๐ฅโข Verify wsk, ๐ถโฒ = 1
Adversary has completeflexibility in crafting ๐ถโฒ
Adversary given access to marking oracle
[Also require unforgeability; see paper for details]
Watermarking Programs[NSS99, BGIRSVY01, HMW07, YF11, Nis13, CHNVW16, BLW17]
CRYPTO
โข Notion only achievable for functions that are not learnableโข Focus has been on cryptographic functions
pseudorandom function
PRF(๐,โ )
pseudorandom function
PRF(๐,โ )
Watermarking Cryptographic Programs[NSS99, BGIRSVY01, HMW07, YF11, Nis13, CHNVW16, BLW17]
CRYPTO
Mark
โข Focus of this work: watermarking PRFs [CHNVW16, BLW17]
โข Enables watermarking of symmetric primitives built from PRFs (e.g., encryption, MACs, etc.)
pseudorandom function
PRF(๐,โ )
pseudorandom function
PRF(๐,โ )
Main Result
CRYPTO
Mark
This work: Under standard lattice assumptions, there exists a (secretly)-verifiable watermarkable family of PRFs.
๐ฆ2๐ฆ1
๐ฆ3
Blueprint for Watermarking PRFs [CHNVW16, BLW17]
๐ฅ1๐ฅ2
๐ฅ3
domain range
PRF key
Step 1: Evaluate PRF on test points ๐ฅ1, ๐ฅ2, ๐ฅ3 (part of the watermarking secret key)
๐ฆ1๐ฆ2
๐ฆ3
Blueprint for Watermarking PRFs [CHNVW16, BLW17]
๐ฅ1๐ฅ2
๐ฅ3
domain range
PRF key
Step 2: Derive a pair (๐ฅโ, ๐ฆโ) from ๐ฆ1, ๐ฆ2, ๐ฆ3
๐ฅโ, ๐ฆโ
๐ฆ1๐ฆ2
๐ฆ3
Blueprint for Watermarking PRFs [CHNVW16, BLW17]
๐ฅ1๐ฅ2
๐ฅ3
domain range
PRF key
Step 2: Derive a pair (๐ฅโ, ๐ฆโ) from ๐ฆ1, ๐ฆ2, ๐ฆ3
๐ฅโ, ๐ฆโ
Need different ๐ฅโ for different programs โ otherwise easy to
remove if adversary sees watermarked keys of its choosing
๐ฅโ
๐ฆ1๐ฆ2
๐ฆ3
PRF ๐, ๐ฅโ
Blueprint for Watermarking PRFs [CHNVW16, BLW17]
๐ฅ1๐ฅ2
๐ฅ3
domain range
PRF key
๐ฅโ, ๐ฆโ
Step 3: โMarked keyโ is a circuit that implements the PRF at all points, except at ๐ฅโ, the output is changed to ๐ฆโ
๐ฆ1๐ฆ2
๐ฆ3๐ฆโ
Blueprint for Watermarking PRFs [CHNVW16, BLW17]
๐ฅ1๐ฅ2
๐ฅ3๐ฅโ
domain range
marked key
Step 3: โMarked keyโ is a circuit that implements the PRF at all points, except at ๐ฅโ, the output is changed to ๐ฆโ
PRF ๐, ๐ฅโ
๐ฆ1๐ฆ2
๐ฆ3๐ฆโ
Blueprint for Watermarking PRFs [CHNVW16, BLW17]
๐ฅ1๐ฅ2
๐ฅ3๐ฅโ
domain range
marked key
Step 3: โMarked keyโ is a circuit that implements the PRF at all points, except at ๐ฅโ, the output is changed to ๐ฆโ
PRF ๐, ๐ฅโ
Defer implementation details for nowโฆ
๐ฆ1๐ฆ2
๐ฆ3๐ฆโ
Blueprint for Watermarking PRFs [CHNVW16, BLW17]
๐ฅ1๐ฅ2
๐ฅ3๐ฅโ
domain range
marked key
Verification: Evaluate function at ๐ฅ1, ๐ฅ2, ๐ฅ3, derive (๐ฅโ, ๐ฆโ) and check if the value at ๐ฅโ matches ๐ฆโ
PRF ๐, ๐ฅโ
Defer implementation details for nowโฆ
๐ฆ1๐ฆ2
๐ฆ3๐ฆโ
Blueprint for Watermarking PRFs [CHNVW16, BLW17]
๐ฅ1๐ฅ2
๐ฅ3๐ฅโ
marked key
Defer implementation details for nowโฆ
Functionality-preserving: function differs at a single pointโ
๐ฆ1๐ฆ2
๐ฆ3๐ฆโ
Blueprint for Watermarking PRFs [CHNVW16, BLW17]
๐ฅ1๐ฅ2
๐ฅ3๐ฅโ
marked key
Unremovable: as long as adversary cannot tell that ๐ฅโ, ๐ฆโ is โspecialโ
Defer implementation details for nowโฆ
Functionality-preserving: function differs at a single pointโ
โ
Blueprint for Watermarking PRFs [CHNVW16, BLW17]
๐ฆโ๐ฅโ
How to implement this functionality?
Prior solutions: use obfuscation to hide ๐ฅโ, ๐ฆโ
Blueprint for Watermarking PRFs [CHNVW16, BLW17]
How to implement this functionality?
Prior solutions: use obfuscation to hide ๐ฅโ, ๐ฆโ
Obfuscated program has PRF key embedded inside and outputs PRF(๐, ๐ฅ) on all inputs ๐ฅ โ ๐ฅโ
and ๐ฆโ when ๐ฅ = ๐ฅโ
๐ ๐ฅโ,๐ฆโ (๐ฅ):
โข if ๐ฅ = ๐ฅโ, output ๐ฆโ
โข else, output PRF(๐, ๐ฅ)
Obfuscated program:
Blueprint for Watermarking PRFs [CHNVW16, BLW17]
How to implement this functionality?
Prior solutions: use obfuscation to hide ๐ฅโ, ๐ฆโ
Obfuscated program has PRF key embedded inside and outputs PRF(๐, ๐ฅ) on all inputs ๐ฅ โ ๐ฅโ
and ๐ฆโ when ๐ฅ = ๐ฅโ
๐ ๐ฅโ,๐ฆโ (๐ฅ):
โข if ๐ฅ = ๐ฅโ, output ๐ฆโ
โข else, output PRF(๐, ๐ฅ)
Obfuscated program:
Essentially relies on secretly re-programming
the value at ๐ฅโ
Blueprint for Watermarking PRFs [CHNVW16, BLW17]
Prior solutions: use obfuscation to hide ๐ฅโ, ๐ฆโ
Obfuscated program has PRF key embedded inside and outputs PRF(๐, ๐ฅ) on all inputs ๐ฅ โ ๐ฅโ
and ๐ฆโ when ๐ฅ = ๐ฅโ
Key technical challenge: How to hide ๐ฅโ, ๐ฆโ within the watermarked key (without obfuscation)?
๐ ๐ฅโ,๐ฆโ (๐ฅ):
โข if ๐ฅ = ๐ฅโ, output ๐ฆโ
โข else, output PRF(๐, ๐ฅ)
Obfuscated program:
Blueprint for Watermarking PRFs [CHNVW16, BLW17]
Prior solutions: use obfuscation to hide ๐ฅโ, ๐ฆโ
Obfuscated program has PRF key embedded inside and outputs PRF(๐, ๐ฅ) on all inputs ๐ฅ โ ๐ฅโ
and ๐ฆโ when ๐ฅ = ๐ฅโ
Key technical challenge: How to hide ๐ฅโ, ๐ฆโ within the watermarked key (without obfuscation)?
๐ ๐ฅโ,๐ฆโ (๐ฅ):
โข if ๐ฅ = ๐ฅโ, output ๐ฆโ
โข else, output PRF(๐, ๐ฅ)
Obfuscated program:
Has an obfuscation flavor: need to embed a secret inside a piece of code that cannot be removed
Blueprint for Watermarking PRFs [CHNVW16, BLW17]
Prior solutions: use obfuscation to hide ๐ฅโ, ๐ฆโ
Obfuscated program has PRF key embedded inside and outputs PRF(๐, ๐ฅ) on all inputs ๐ฅ โ ๐ฅโ
and ๐ฆโ when ๐ฅ = ๐ฅโ
This work: Under standard lattice assumptions, there exists a (secretly)-verifiable watermarkable family of PRFs.
๐ ๐ฅโ,๐ฆโ (๐ฅ):
โข if ๐ฅ = ๐ฅโ, output ๐ฆโ
โข else, output PRF(๐, ๐ฅ)
Obfuscated program:
Starting Point: Private Puncturable PRFs [BLW17, BKM17, CC17]
๐ฆโ๐ฅโ
โข Watermarked PRF implements PRF at all but a single point
โข Structurally very similar to a puncturable PRF [BW13, BGI13, KPTZ13]
Puncturable PRF:
Puncture๐ฅโ
PRF key punctured key
Starting Point: Private Puncturable PRFs [BLW17, BKM17, CC17]
๐ฆโ๐ฅโ
โข Watermarked PRF implements PRF at all but a single point
โข Structurally very similar to a puncturable PRF [BW13, BGI13, KPTZ13]
Puncturable PRF:
Puncture๐ฅโ
Can be used to evaluate the PRF on all points ๐ฅ โ ๐ฅโ
PRF key punctured key
Starting Point: Private Puncturable PRFs [BLW17, BKM17, CC17]
Puncture๐ฅโ
PRF key punctured key
Recall general approach for watermarking:
1. Derive ๐ฅโ, ๐ฆโ from input/output behavior of PRF
2. Give out a key that agrees with PRF everywhere, except has value
๐ฆโ at ๐ฅ = ๐ฅโ PRF key punctured at ๐ฅโ
However, punctured key does not necessarily hide ๐ฅโ, which allows adversary to remove watermark
Starting Point: Private Puncturable PRFs [BLW17, BKM17, CC17]
Puncture๐ฅโ
PRF key punctured key
Recall general approach for watermarking:
1. Derive ๐ฅโ, ๐ฆโ from input/output behavior of PRF
2. Give out a key that agrees with PRF everywhere, except has value
๐ฆโ at ๐ฅ = ๐ฅโ PRF key punctured at ๐ฅโ
Punctured keys typically do not provide flexibility in programming value at
punctured point: difficult to test if a program is watermarked or not
However, punctured key does not necessarily hide ๐ฅโ, which allows adversary to remove watermark
Starting Point: Private Puncturable PRFs [BLW17, BKM17, CC17]
Puncture๐ฅโ
PRF key punctured key
Problem 1: Punctured keys do not hide the punctured point ๐ฅโ
โข Use private puncturable PRFs
Problem 2: Difficult to test whether a value is the result of using a
punctured key to evaluate at the punctured point
Starting Point: Private Puncturable PRFs [BLW17, BKM17, CC17]
Puncture๐ฅโ
PRF key punctured key
Problem 1: Punctured keys do not hide the punctured point ๐ฅโ
โข Use privately puncturable PRFs
Problem 2: Difficult to test whether a value is the result of using a
punctured key to evaluate at the punctured point
In existing lattice-based private puncturable PRF constructions [BKM17, CC17], value of punctured key at punctured point is a deterministic function of
the PRF key
Starting Point: Private Puncturable PRFs [BLW17, BKM17, CC17]
Puncture๐ฅโ
PRF key punctured key
Problem 1: Punctured keys do not hide the punctured point ๐ฅโ
โข Use privately puncturable PRFs
Problem 2: Difficult to test whether a value is the result of using a
punctured key to evaluate at the punctured point
โข Relax programmability requirement
Private Translucent PRFs
๐ฆ2๐ฆ1
๐ฆ3
๐ฅ1๐ฅ2
๐ฅ3
PRF key
๐ฅโ
PRF ๐, ๐ฅโ
Private puncturable PRF family with the property that output of any punctured key on a punctured point lies in a sparse, hidden subspace
Private Translucent PRFs
๐ฆ2๐ฆ1
๐ฆ3
๐ฅ1๐ฅ2
๐ฅ3
punctured key
Private puncturable PRF family with the property that output of any punctured key on a punctured point lies in a sparse, hidden subspace
๐ฅโ๐ฆโ
Private Translucent PRFs
๐ฆ2๐ฆ1
๐ฆ3
๐ฅ1๐ฅ2
๐ฅ3
punctured key
Private puncturable PRF family with the property that output of any punctured key on a punctured point lies in a sparse, hidden subspace
๐ฅโ๐ฆโ
Secret testing key associated with the PRF family can be used to test for membership in the hidden subspace
Private Translucent PRFs
๐ฆ2๐ฆ1
๐ฆ3
๐ฅ1๐ฅ2
๐ฅ3
punctured key
๐ฅโ๐ฆโ
โข Values in special set looks indistinguishable from a random value (without secret testing key)
โข Indistinguishable even though it is easy to sample values from the set
Sets satisfying such properties are called
translucent [CDNO97]
Watermarking from Private Translucent PRFs
๐ฆ2๐ฆ1
๐ฆ3
๐ฅ1๐ฅ2
๐ฅ3
PRF key
๐ฅโ
PRF ๐, ๐ฅโ
Watermarking secret key (wsk): test points ๐ฅ1, โฆ , ๐ฅ๐and testing key for private translucent PRF
Watermarking from Private Translucent PRFs
๐ฆ2๐ฆ1
๐ฆ3
๐ฅ1๐ฅ2
๐ฅ3
๐ฅโ
To mark a PRF key ๐, derive special point ๐ฅโ and puncture ๐ at ๐ฅโ; watermarked key is a program that evaluates using
the punctured key
marked key
๐ฆโ
Watermarking from Private Translucent PRFs
๐ฆ2๐ฆ1
๐ฆ3
๐ฅ1๐ฅ2
๐ฅ3
๐ฅโ
To test whether a program ๐ถโฒ is watermarked, derive test point ๐ฅโ
and check whether ๐ถโฒ ๐ฅโ is in the translucent set (using the testing key for the private translucent PRF)
marked key
๐ฆโ
Constructing Private Translucent PRFs
Learning with Errors (LWE) [Reg05]:
๐จีRโค๐๐ร๐, ๐ี
Rโค๐๐, ๐ี
R๐๐, ๐ี
Rโค๐๐
๐จ, ๐๐๐จ + ๐๐ โ ๐จ, ๐๐
Homomorphic Matrix Encodings [BGGHNSVV14]
A way to encode ๐ฅ โ 0,1 โ as a collection of LWE samplestake LWE matrices ๐จ1, โฆ , ๐จโ โ โค๐
๐ร๐ and a secret ๐ โ โค๐๐:
Homomorphic Matrix Encodings [BGGHNSVV14]
A way to encode ๐ฅ โ 0,1 โ as a collection of LWE samplestake LWE matrices ๐จ1, โฆ , ๐จโ โ โค๐
๐ร๐ and a secret ๐ โ โค๐๐:
๐๐ ๐จ1 + ๐ฅ1 โ ๐ฎ + ๐1encoding of ๐ฅ1 with respect to ๐จ1
๐ฎ denotes a special โgadgetโ matrix
LWE matrix associated with each
input bit
Homomorphic Matrix Encodings [BGGHNSVV14]
A way to encode ๐ฅ โ 0,1 โ as a collection of LWE samplestake LWE matrices ๐จ1, โฆ , ๐จโ โ โค๐
๐ร๐ and a secret ๐ โ โค๐๐:
๐๐ ๐จ1 + ๐ฅ1 โ ๐ฎ + ๐1
๐๐ ๐จโ + ๐ฅโ โ ๐ฎ + ๐โ
โฎ
๐ฎ denotes a special โgadgetโ matrix
LWE matrix associated with each
input bit
encoding of ๐ฅ1 with respect to ๐จ1
Homomorphic Matrix Encodings [BGGHNSVV14]
A way to encode ๐ฅ โ 0,1 โ as a collection of LWE samplestake LWE matrices ๐จ1, โฆ , ๐จโ โ โค๐
๐ร๐ and a secret ๐ โ โค๐๐:
๐๐ ๐จ1 + ๐ฅ1 โ ๐ฎ + ๐1
๐๐ ๐จโ + ๐ฅโ โ ๐ฎ + ๐โ
โฎ ๐๐ ๐จ๐ + ๐ ๐ฅ โ ๐ฎ + noise
Encodings support homomorphic operations
Function of ๐ and ๐จ1, โฆ , ๐จโ
๐ฎ denotes a special โgadgetโ matrix
LWE matrix associated with each
input bit
Puncturable PRFs from LWE [BV15]
๐๐ ๐จ1 + ๐ฅ1 โ ๐ฎ + ๐1
๐๐ ๐จโ + ๐ฅโ โ ๐ฎ + ๐โ
โฎ ๐๐ ๐จ๐ + ๐ ๐ฅ โ ๐ฎ + noise
For any function ๐, two ways to (approximately) compute ๐๐๐จ๐โข Directly given the LWE secret ๐ and public matrices ๐จ1, โฆ , ๐จโโข Homomorphically given encodings ๐๐ ๐จ๐ + ๐ฅ๐ โ ๐ฎ
โข Works as long as ๐ ๐ฅ = 0
Puncturable PRFs from LWE [BV15]
๐๐ ๐จ1 + ๐ฅ1 โ ๐ฎ + ๐1
๐๐ ๐จโ + ๐ฅโ โ ๐ฎ + ๐โ
โฎ ๐๐ ๐จ๐ + ๐ ๐ฅ โ ๐ฎ + noise
For puncturing at ๐ฅโ, let ๐๐ฅ ๐ฅโ = eq ๐ฅ, ๐ฅโ be the equality function
โข PRF evaluation at ๐ฅ with secret key ๐: PRF ๐, ๐ฅ โ เถ เถ๐๐๐จ๐๐ฅ ๐
Puncturable PRFs from LWE [BV15]
๐๐ ๐จ1 + ๐ฅ1 โ ๐ฎ + ๐1
๐๐ ๐จโ + ๐ฅโ โ ๐ฎ + ๐โ
โฎ ๐๐ ๐จ๐ + ๐ ๐ฅ โ ๐ฎ + noise
For puncturing at ๐ฅโ, let ๐๐ฅ ๐ฅโ = eq ๐ฅ, ๐ฅโ be the equality function
โข PRF evaluation at ๐ฅ with secret key ๐: PRF ๐, ๐ฅ โ เถ เถ๐๐๐จ๐๐ฅ ๐
To evaluate at ๐ฅ, homomorphically compute ๐จ๐๐ฅ
Puncturable PRFs from LWE [BV15]
๐๐ ๐จ1 + ๐ฅ1 โ ๐ฎ + ๐1
๐๐ ๐จโ + ๐ฅโ โ ๐ฎ + ๐โ
โฎ ๐๐ ๐จ๐ + ๐ ๐ฅ โ ๐ฎ + noise
For puncturing at ๐ฅโ, let ๐๐ฅ ๐ฅโ = eq ๐ฅ, ๐ฅโ be the equality function
โข PRF evaluation at ๐ฅ with secret key ๐: PRF ๐, ๐ฅ โ เถ เถ๐๐๐จ๐๐ฅ ๐
โข Punctured key consists of encodings of bits of ๐ฅโ
โข Allows computing ๐๐ ๐จ๐๐ฅ + eq ๐ฅ, ๐ฅโ โ ๐ฎ + noise for all ๐ฅ
Puncturable PRFs from LWE [BV15]
๐๐ ๐จ1 + ๐ฅ1 โ ๐ฎ + ๐1
๐๐ ๐จโ + ๐ฅโ โ ๐ฎ + ๐โ
โฎ ๐๐ ๐จ๐ + ๐ ๐ฅ โ ๐ฎ + noise
For puncturing at ๐ฅโ, let ๐๐ฅ ๐ฅโ = eq ๐ฅ, ๐ฅโ be the equality function
โข PRF evaluation at ๐ฅ with secret key ๐: PRF ๐, ๐ฅ โ เถ เถ๐๐๐จ๐๐ฅ ๐
โข Punctured key consists of encodings of bits of ๐ฅโ
โข Allows computing ๐๐ ๐จ๐๐ฅ + eq ๐ฅ, ๐ฅโ โ ๐ฎ + noise for all ๐ฅ
Enables evaluation at all ๐ฅexcept when ๐ฅ = ๐ฅโ
Privately Puncturable PRFs [BKM17]
๐๐ ๐จ1 + ๐ฅ1โ โ ๐ฎ + ๐1
๐๐ ๐จโ + ๐ฅโโ โ ๐ฎ + ๐โ
โฎ
Evaluating PRF using punctured key requires knowledge of ๐ฅโ
Key idea in [BKM17]: encrypt the punctured point using an FHE scheme and homomorphically evaluate the equality function
Evaluating using punctured key outputs
๐๐๐จ๐๐ฅ + ๐๐๐
2โ eq ๐ฅ, ๐ฅโ + ๐ โ ๐ฎ + ๐โฒ
PRF ๐, ๐ฅ โ เถ เถ๐๐๐จ๐๐ฅ ๐
Privately Puncturable PRFs [BKM17]
Evaluating PRF using punctured key requires knowledge of ๐ฅโ
Evaluating using punctured key outputs
๐๐๐จ๐๐ฅ + ๐๐๐
2โ eq ๐ฅ, ๐ฅโ + ๐ โ ๐ฎ + ๐โฒ
PRF ๐, ๐ฅ โ เถ เถ๐๐๐จ๐๐ฅ ๐
Value after FHE evaluation and
decryption
๐๐ ๐จ1 + ๐ฅ1โ โ ๐ฎ + ๐1
๐๐ ๐จโ + ๐ฅโโ โ ๐ฎ + ๐โ
โฎ
Key idea in [BKM17]: encrypt the punctured point using an FHE scheme and homomorphically evaluate the equality function
Privately Puncturable PRFs [BKM17]
Evaluating PRF using punctured key requires knowledge of ๐ฅโ
Evaluating using punctured key outputs
๐๐๐จ๐๐ฅ + ๐๐๐
2โ eq ๐ฅ, ๐ฅโ + ๐ โ ๐ฎ + ๐โฒ
Rounding away the FHE error: small if ๐ is short and we restrict to low-
norm columns of ๐ฎ
PRF ๐, ๐ฅ โ เถ เถ๐๐๐จ๐๐ฅ ๐
๐๐ ๐จ1 + ๐ฅ1โ โ ๐ฎ + ๐1
๐๐ ๐จโ + ๐ฅโโ โ ๐ฎ + ๐โ
โฎ
Key idea in [BKM17]: encrypt the punctured point using an FHE scheme and homomorphically evaluate the equality function
Private Translucent PRFs
Evaluating using a punctured key yields
๐๐ ๐จ๐๐ฅ + ๐ค โ eq ๐ฅ, ๐ฅโ + ๐ โ ๐ฎ ๐ฎโ1 ๐ซ + noise
Change real PRF evaluation: PRF ๐, ๐ฅ โ เถ เถ๐๐๐จ๐๐ฅ๐ฎโ1(๐ซ)
๐
Use a different scaling factor in FHE scheme
(instead of ฮค๐ 2)
Private Translucent PRFs
Evaluating using a punctured key yields
๐๐ ๐จ๐๐ฅ๐ฎโ1 ๐ซ + ๐ค โ eq ๐ฅ, ๐ฅโ + ๐ โ ๐ซ + noise
Change real PRF evaluation: PRF ๐, ๐ฅ โ เถ เถ๐๐๐จ๐๐ฅ๐ฎโ1(๐ซ)
๐
When ๐ฅ = ๐ฅโ, this becomes เถ เถ๐๐ ๐จ๐๐ฅ๐ฎโ1 ๐ซ +๐ค๐ซ
๐
Can choose ๐ค (part of the punctured key) to tweak the
value at punctured point
Private Translucent PRFs
If ๐ฅ = ๐ฅโ, evaluating using the punctured key yields เถ เถ๐๐ ๐จ๐๐ฅ๐ฎโ1 ๐ซ +๐ค๐ซ
๐
Key idea: sum up multiple evaluations with different multiples ๐ค๐ and ๐ซ๐ yields
แจ แง
๐
๐๐ ๐จ๐๐ฅ๐ฎโ1 ๐ซ +๐ค๐๐ซ๐
๐
= เถ เถ๐๐๐พ๐
Output at punctured point is an LWE sample with respect to ๐พ (fixed public
matrix) โ critical for implementing a translucent set
Private Translucent PRFs
If ๐ฅ = ๐ฅโ, evaluating using the punctured key yields เถ เถ๐๐ ๐จ๐๐ฅ๐ฎโ1 ๐ซ +๐ค๐ซ
๐
Key idea: sum up multiple evaluations with different multiples ๐ค๐ and ๐ซ๐ yields
แจ แง
๐
๐๐ ๐จ๐๐ฅ๐ฎโ1 ๐ซ +๐ค๐๐ซ๐
๐
= เถ เถ๐๐๐พ๐
Testing key is a short vector ๐ where ๐พ๐ = 0:
เถ เถ๐๐๐พ๐, ๐ โ เถ เถ๐๐๐พ๐
๐= 0
[See paper for details]
watermarking[CHNVW16, BLW17]
private puncturable PRFs [BKM17, CC17]
Conclusions
lattice-based assumptions
indistinguishability obfuscation
this work
watermarking (via private translucent PRFs)
private puncturable PRFs [BKM17, CC17]
Conclusions
lattice-based assumptions
indistinguishability obfuscation
Open Problems
Publicly-verifiable watermarking without obfuscation?โข Current best construction relies on iO [CHNVW16]
Additional applications of private translucent PRFs?
Thank you!
http://eprint.iacr.org/2017/380