from Standard Lattice Assumptions

Transcription

1 Watermarking Cryptographic Functionalities from Standard Lattice Assumptions Sam Kim and David J. Wu Stanford University

2 Digital Watermarking CRYPTO CRYPTO CRYPTO Often used to identify owner of content and prevent unauthorized distribution CRYPTO

3 Digital Watermarking CRYPTO CRYPTO CRYPTO CRYPTO Content is (mostly) viewable

4 Digital Watermarking CRYPTO CRYPTO CRYPTO CRYPTO Content is (mostly) viewable Watermark difficult to remove (without destroying the image)

5 Watermarking Programs [NSS99, BGIRSVY01, HMW07, YF11, Nis13, CHNVW16, BLW17] CRYPTO Embed a mark within a program If mark is removed, then program is corrupted Three algorithms: Setup 1 λ wsk: Samples the watermarking secret key wsk Mark wsk, C C : Takes a circuit C and outputs a marked circuit C Verify wsk, C 0,1 : Tests whether a circuit C is marked or not

6 Watermarking Programs [NSS99, BGIRSVY01, HMW07, YF11, Nis13, CHNVW16, BLW17] Extends to setting where watermark can be an (arbitrary) string: CRYPTO Embed a Marking mark within algorithm a takes a message If mark is removed, then program Verification algorithm either outputs a message program or (to is corrupted denote the program is not watermarked) [See paper for full details] Three algorithms: Setup 1 λ wsk: Samples the watermarking secret key wsk Mark wsk, C C : Takes a circuit C and outputs a marked circuit C Verify wsk, C 0,1 : Tests whether a circuit C is marked or not

7 Watermarking Programs [NSS99, BGIRSVY01, HMW07, YF11, Nis13, CHNVW16, BLW17] Mark CRYPTO Functionality-preserving: On input a program (modeled as a Boolean circuit C), the Mark algorithm outputs a circuit C where C x = C (x) on all but a negligible fraction of inputs x

8 Watermarking Programs [NSS99, BGIRSVY01, HMW07, YF11, Nis13, CHNVW16, BLW17] Mark Perfect functionality-preserving impossible assuming program obfuscation [BGIRSVY12] CRYPTO Functionality-preserving: On input a program (modeled as a Boolean circuit C), the Mark algorithm outputs a circuit C where C x = C (x) on all but a negligible fraction of inputs x

9 Watermarking Programs [NSS99, BGIRSVY01, HMW07, YF11, Nis13, CHNVW16, BLW17] Adversary has complete flexibility in crafting C CRYPTO Unremovability: Given a marked circuit C, no efficient adversary can construct a circuit C where C x = C (x) on all but a negligible fraction of inputs x Verify wsk, C = 0

10 Watermarking Programs [NSS99, BGIRSVY01, HMW07, YF11, Nis13, CHNVW16, BLW17] CRYPTO Unremovability: Given a marked circuit C, no efficient adversary can construct a circuit C whereminimally, we require that most programs are C x = C (x) on unmarked; all but a negligible only programs fraction of output inputs by x the marking Verify wsk, C = 0 algorithm should be considered marked [Also require unforgeability; see paper for details]

11 Watermarking Programs [NSS99, BGIRSVY01, HMW07, YF11, Nis13, CHNVW16, BLW17] CRYPTO Notion only achievable for functions that are not learnable Focus has been on cryptographic functions

12 Watermarking Cryptographic Programs [NSS99, BGIRSVY01, HMW07, YF11, Nis13, CHNVW16, BLW17] PRF(k, ) pseudorandom function Mark PRF(k, ) pseudorandom function CRYPTO Focus of this work: watermarking PRFs [CHNVW16, BLW17] A keyed function whose input-output behavior looks indistinguishable from a truly random function

13 Watermarking Cryptographic Programs [NSS99, BGIRSVY01, HMW07, YF11, Nis13, CHNVW16, BLW17] P k x : On input x, output PRF(k, x) Mark P k x : On input x, output PRF(k, x) CRYPTO Focus of this work: watermarking PRFs [CHNVW16, BLW17] Enables watermarking of symmetric primitives built from PRFs (e.g., encryption, MACs, etc.)

14 Main Result P k x : On input x, output PRF(k, x) Mark P k x : On input x, output PRF(k, x) The learning with errors (LWE) and the short integer solutions (SIS) assumptions CRYPTO This work: Under standard lattice assumptions, there exists a secretly-verifiable watermarkable family of PRFs

15 Blueprint for Watermarking PRFs [CHNVW16, BLW17] PRF key x 1 x 2 y 2 y 1 x 3 y 3 domain range Step 1: Evaluate PRF on test points x 1, x 2, x 3 (part of the watermarking secret key)

16 Blueprint for Watermarking PRFs [CHNVW16, BLW17] PRF key x 1 x 2 x 3 y2 y 3 y 1 x, y domain range Step 2: Derive a pair (x, y ) from y 1, y 2, y 3

17 Blueprint for Watermarking PRFs [CHNVW16, BLW17] PRF key x 1 x 2 y2 y 1 x, y x 3 x domain y 3 range PRF k, x Step 3: Marked key is a circuit that implements the PRF at all points, except at x, the output is changed to y

18 Blueprint for Watermarking PRFs [CHNVW16, BLW17] x 1 x 2 marked key Defer implementation details for now y2 y 1 x 3 x domain y y 3 range PRF k, x Step 3: Marked key is a circuit that implements the PRF at all points, except at x, the output is changed to y

19 Blueprint for Watermarking PRFs [CHNVW16, BLW17] x 1 x 2 marked key Defer implementation details for now y2 y 1 x 3 x domain y y 3 range PRF k, x Verification: Evaluate function at x 1, x 2, x 3, derive (x, y ) and check if the value at x matches y

20 Blueprint for Watermarking PRFs [CHNVW16, BLW17] x 1 x 2 marked key Defer implementation details for now y2 y 1 x 3 x y y 3 Functionality-preserving: function differs at a single point

21 Blueprint for Watermarking PRFs [CHNVW16, BLW17] x 1 x 2 marked key Defer implementation details for now y2 y 1 x 3 x y y 3 Functionality-preserving: function differs at a single point Unremovable: as long as adversary cannot tell that x, y is special

22 Blueprint for Watermarking PRFs [CHNVW16, BLW17] Prior solutions: use obfuscation to hide x, y x y How to implement this functionality?

23 Blueprint for Watermarking PRFs [CHNVW16, BLW17] Obfuscated program: P x,y (x): if x = x, output y else, output PRF(k, x) Prior solutions: use obfuscation to hide x, y Obfuscated program has PRF key embedded inside and outputs PRF(k, x) on all inputs x x and y when x = x How to implement this functionality?

24 Blueprint for Watermarking PRFs [CHNVW16, BLW17] Obfuscated program: P x,y (x): if x = x, output y else, output PRF(k, x) Prior solutions: use obfuscation to hide x, y Obfuscated program has PRF key embedded inside and outputs PRF(k, x) on all inputs x x and y when x = x Essentially relies on secretly re-programming the value at x How to implement this functionality?

25 Blueprint for Watermarking PRFs [CHNVW16, BLW17] Obfuscated program: P x,y (x): if x = x, output y else, output PRF(k, x) Prior solutions: use obfuscation to hide x, y Obfuscated program has PRF key embedded inside and outputs PRF(k, x) on all inputs x x and y when x = x Key technical challenge: How to hide x, y within the watermarked key (without obfuscation)?

26 Blueprint for Watermarking PRFs [CHNVW16, BLW17] Obfuscated program: P x,y (x): if x = x, output y else, output PRF(k, x) Prior solutions: use obfuscation to hide x, y Obfuscated program has PRF key Has an embedded obfuscation inside flavor: and need outputs to embed PRF(k, a secret x) on inside all inputs a piece x x of code and that y cannot when x be = removed x Key technical challenge: How to hide x, y within the watermarked key (without obfuscation)?

27 Blueprint for Watermarking PRFs [CHNVW16, BLW17] Obfuscated program: P x,y (x): if x = x, output y else, output PRF(k, x) Prior solutions: use obfuscation to hide x, y Obfuscated program has PRF key embedded inside and outputs PRF(k, x) on all inputs x x Obfuscation and y is when a very x strong = x tool and the security of existing candidates is not well understood Key technical challenge: How to hide x, y within the watermarked key (without obfuscation)?

28 Blueprint for Watermarking PRFs [CHNVW16, BLW17] Obfuscated program: P x,y (x): if x = x, output y else, output PRF(k, x) Prior solutions: use obfuscation to hide x, y Obfuscated program has PRF key embedded inside and outputs PRF(k, x) on all inputs x x and y when x = x This work: Under standard lattice assumptions, there exists a secretly-verifiable watermarkable family of PRFs

29 Starting Point: Private Puncturable PRFs [BLW17, BKM17, CC17] x y Watermarked PRF implements PRF at all but a single point Structurally very similar to a puncturable PRF [BW13, BGI13, KPTZ13] Puncturable PRF: PRF key Puncture x punctured key

30 Starting Point: Private Puncturable PRFs [BLW17, BKM17, CC17] x Puncturable PRF: y Watermarked PRF implements PRF at all but a single point Structurally very similar to a puncturable PRF [BW13, BGI13, KPTZ13] Can be used to evaluate the PRF on all points x x PRF key Puncture x punctured key

31 Starting Point: Private Puncturable PRFs [BLW17, BKM17, CC17] Puncture x PRF key punctured key Recall general approach for watermarking: 1. Derive x, y from input/output behavior of PRF 2. Give out a key that agrees with PRF everywhere, except has value y at x = x PRF key punctured at x However, punctured key does not necessarily hide x, which allows adversary to remove watermark

32 Starting Point: Private Puncturable PRFs [BLW17, BKM17, CC17] Puncture x PRF key punctured key Punctured keys typically do not provide flexibility in programming value at Recall general approach for watermarking: punctured 1. Derive x point:, y difficult to test if a program is watermarked from input/output or not behavior of PRF 2. Give out a key that agrees with PRF everywhere, except has value y at x = x However, punctured key does not PRF key punctured at x necessarily hide x, which allows adversary to remove watermark

33 Starting Point: Private Puncturable PRFs [BLW17, BKM17, CC17] Puncture x PRF key punctured key Problem 1: Punctured keys do not hide the punctured point x Use private puncturable PRFs Problem 2: Difficult to test whether a value is the result of using a punctured key to evaluate at the punctured point

34 Starting Point: Private Puncturable PRFs [BLW17, BKM17, CC17] PRF key Puncture x punctured key In existing lattice-based private puncturable PRF constructions [BKM17, CC17], value of punctured key Problem 1: Punctured at punctured keys do point not is hide a deterministic the punctured function point xof Use privately puncturable PRFs the PRF key Problem 2: Difficult to test whether a value is the result of using a punctured key to evaluate at the punctured point

35 Starting Point: Private Puncturable PRFs [BLW17, BKM17, CC17] Puncture x PRF key punctured key Problem 1: Punctured keys do not hide the punctured point x Use privately puncturable PRFs Problem 2: Difficult to test whether a value is the result of using a punctured key to evaluate at the punctured point Relax programmability requirement

36 Private Translucent PRFs PRF key x 1 x 2 y 2 y 1 x 3 x y 3 PRF k, x Private puncturable PRF family with the property that output of any punctured key on a punctured point lies in a sparse, hidden subspace

37 Private Translucent PRFs punctured key x 1 x 2 y 2 y 1 x 3 x y y 3 Private puncturable PRF family with the property that output of any punctured key on a punctured point lies in a sparse, hidden subspace

38 Private Translucent PRFs punctured key x 1 x 2 x 3 x y 2 y 1 Secret testing key associated with the PRF family can be used to test for Private puncturable PRF family with membership the property in the that hidden output subspace of any punctured key on a punctured point lies in a sparse, hidden subspace y y 3

39 Private Translucent PRFs punctured key x 1 x 2 y 2 y 1 x 3 Sets satisfying such properties are called translucent [CDNO97] x y y 3 Values in special set looks indistinguishable from a random value (without secret testing key) Indistinguishable even though it is easy to sample values from the set

40 Watermarking from Private Translucent PRFs PRF key x 1 x 2 y 2 y 1 x 3 x y 3 PRF k, x Watermarking secret key (wsk): test points x 1,, x d and testing key for private translucent PRF

41 To mark a PRF key k, derive special point x and puncture k at x ; watermarked key is a program that evaluates using the punctured key Watermarking from Private Translucent PRFs marked key x 1 x 2 y 2 y 1 x 3 x y y 3

42 Watermarking from Private Translucent PRFs marked key x 1 x 2 y 2 y 1 x 3 x y y 3 To test whether a program C is watermarked, derive test point x and check whether C x is in the translucent set (using the testing key for the private translucent PRF)

43 Constructing Private Translucent PRFs

44 Blueprint Lattice PRFs Private Translucent PRF Puncturable PRF [BV15] Private Puncturable PRF [BKM17, CC17, BTVW17]

45 Learning with Errors (LWE) [Reg05] A, s T A + e T c A, u T A R Z q n m, s R Z q n, e R χ m, u R Z q m

46 Learning with Rounding (LWR) [BPR12] Replace random errors with deterministic rounding: A, උs T Aඇ A, උ ඇ p c u T p A R Z q n m, s R Z q n, u R Z q m Hardness reducible to LWE (for suitable parameter settings) More suitable starting point for constructing lattice PRFs

47 Lattice PRFs [BPR12, BLMR13, BP14, BV15, BFPPS15, BKM17, BTVW17] Intuition: set s to be the secret key for the PRF and derive A as a function of the input A, උs T Aඇ p c A, උ ඇ u T p

48 Lattice PRFs [BPR12, BLMR13, BP14, BV15, BFPPS15, BKM17, BTVW17] A, උs T Aඇ p c A, උ ඇ u T p Secret key: LWE secret vector s Zn q PRF evaluation: on input x 0,1 l, derive a matrix A x from x PRF s, x උs T A x ඇ p Question: how to derive A x?

49 Homomorphic Matrix Embeddings [BGGHNSVV14] A way to encode x 0,1 l as a collection of LWE samples take LWE matrices A 1,, A l Z q n m and a secret s Z q n : s T A 1 + x 1 G + e 1 encoding of x 1 with respect to A 1

50 LWE matrix associated with each input bit Homomorphic Matrix Embeddings [BGGHNSVV14] A way to encode x G 0,1 Z n m l q as is a fixed collection of LWE samples take LWE matrices A 1,, A l Z n m q and a secret s Z n q : gadget matrix s T A 1 + x 1 G + e 1 encoding of x 1 with respect to A 1 s T A l + x l G + e l

51 Homomorphic Matrix Embeddings [BGGHNSVV14] A way to encode x 0,1 l as a collection of LWE samples take LWE matrices A 1,, A l Z n m q and a secret s Z n q : Function of f and A 1,, A l only: s T A 1 + x 1 G + e 1 s T A l + x l G + e l f, A 1,, A l A f s T A f + f x G + noise Encodings support homomorphic operations Encoding of x Encoding of f(x)

52 Puncturable PRFs from LWE [BV15] PRF evaluation: on input x 0,1 l, derive A x from A 1, A l and output PRF s, x උs T A x ඇ p Question: how to derive A x? Let A 1,, A l be matrices associated with bits of x 0,1 l Define PRF evaluation with respect to equality function eq x x 1, x = x = ቊ 0, x x Let A x be matrix associated with evaluating eq x on A 1,, A l

53 Puncturable PRFs from LWE [BV15] PRF s, x උs T A eqx ඇ p To puncture the key s at a point x, give out encodings of x : s T A 1 + x 1 G + e 1 s T A l + x l G + e l s T A eqx + eq x (x ) G + noise PRF evaluation (at x) using punctured key

54 Puncturable PRFs from LWE [BV15] PRF s, x උs T A eqx ඇ p To puncture the key s at a point x, give out encodings of x : s T A 1 + x 1 G + e 1 s T A l + x l G + e l If x x, eq x x = 0, so s T A eqx + eq x (x ) G + noise PRF evaluation (at x) using punctured key උs T A eqx + noiseඇ = උs T A ඇ p eqx = PRF(s, x) p

55 Puncturable PRFs from LWE [BV15] PRF s, x උs T A eqx ඇ p To puncture the key s at a point x, give out encodings of x : s T A 1 + x 1 G + e 1 s T A l + x l G + e l If x = x, eq x x = 1, so s T A eqx + eq x (x ) G + noise PRF evaluation (at x) using punctured key ቔs T (A eqx + G) + noiseቓ ቔs T A eqx ቓ = PRF(s, x ) p p

56 Puncturable PRFs from LWE [BV15] PRF s, x උs T A eqx ඇ p To puncture the key s at a point x, give out encodings of x : s T A 1 + x 1 G + e 1 s T A l + x l G + e l s T A eqx + eq x (x ) G + noise PRF evaluation (at x) using punctured key This construction gives a puncturable PRF from LWE

57 Puncturable PRFs from LWE [BV15] PRF s, x උs T A eqx ඇ p To puncture the key s at a point x, give out encodings of x : s T A 1 + x 1 G + e 1 s T A l + x l G + e l s T A eqx + eq x (x ) G + noise Combine with FHE to obtain private puncturing [BKM17, BTVW17] PRF evaluation (at x) using punctured key This construction gives a puncturable PRF from LWE

58 Private Translucent PRFs Goal: detect whether a punctured key is used to evaluate at a punctured point (this is essential for embedding the watermark)

59 Private Translucent PRFs Goal: detect whether a punctured key is used Omitting to evaluate several at a technicalities punctured point (this is essential for embedding the watermark) related to FHE evaluation Real PRF evaluation: PRF s, x උs T A eqx ඇ p Punctured PRF evaluation: උs T A eqx + eq x x G ඇ p [See paper for details] Difficulty: no control over value at punctured point

60 Private Translucent PRFs Goal: detect whether a punctured key is used to evaluate at a punctured point (this is essential for embedding the watermark) Real PRF evaluation: PRF s, x උs T A eqx ඇ p Punctured PRF evaluation: උs T A eqx + eq x x G ඇ p Idea: define PRF with respect to scaled equality circuit: eq x x, w = ቊ w, x = x 0, x x

61 Private Translucent PRFs PRF s, x උs T A eqx ඇ p Evaluating the punctured key at the punctured point x yields: s T A eqx + w G + noise Scaling factor w is chosen when key is punctured and can be chosen to adjust the value at the punctured point

62 Private Translucent PRFs Evaluating the punctured key at the punctured point yields: s T A eqx + w G + noise Can now consider many instances of this PRF with many different w i s: s T A eqx,1 + w 1 G 1 + noise s T A eqx,n + w N G N + noise Different gadget matrices G 1,, G N [See paper for construction]

63 Private Translucent PRFs Evaluating the punctured key at the punctured point yields: s T A eqx + w G + noise Can now consider many instances of this PRF with many different w i s: s T A eqx,1 + w 1 G 1 + noise s T A eqx,n + w N G N + noise At puncturing time, choose w 1,, w N such that W = i [N] A eqx,i + i [N] w i G i

64 Private Translucent PRFs Evaluating the punctured key at the punctured point yields: s T A eqx + w G + noise Can now consider many instances of this PRF with many different w i s: W is a fixed public matrix included in the public parameters of the PRF family s T A eqx,1 + w 1 G 1 + noise s T A eqx,n + w N G N + noise At puncturing time, choose w 1,, w N such that W = i [N] A eqx,i + i [N] w i G i

65 Private Translucent PRFs Define real PRF evaluation to be sum of each independent evaluation: PRF s, x ඍ s T i N A eqx,i ඉ p When evaluating at punctured point x : s T A eqx,i + w i G i = s T W i N i N

66 Private Translucent PRFs Define real PRF evaluation to be sum of each independent evaluation: PRF s, x Output ඍ s T at punctured A eqx,iඉ point is an LWE sample with i Nrespect to W (fixed public p matrix) critical for implementing a When evaluating at punctured point x : translucent set s T A eqx,i + w i G i = s T W i N i N

67 Private Translucent PRFs Define real PRF evaluation to be sum of each independent evaluation: PRF s, x ඍ s T A eqx,i Testing key is a short vector z where ඉ Wz = 0: When evaluating at punctured point x : i N උs T Wඇ p, z උs T Wzඇ p = 0 p s T A eqx,i + w i G i = s T W i N i N [See paper for details and security analysis]

68 Conclusions private puncturable PRFs [BKM17, CC17, BTVW17] watermarking [CHNVW16, BLW17] lattice-based assumptions indistinguishability obfuscation

69 Conclusions private puncturable PRFs [BKM17, CC17, BTVW17] watermarking (via private translucent PRFs) this work lattice-based assumptions indistinguishability obfuscation

70 Open Problems Publicly-verifiable watermarking without obfuscation? Current best construction relies on io [CHNVW16] Additional applications of private translucent PRFs? Thank you!