Watermarking Cryptographic Functionalities from Standard Lattice Assumptions

Size: px

Start display at page:

Download "Watermarking Cryptographic Functionalities from Standard Lattice Assumptions"

Cassandra Sutton
5 years ago
Views:

1 Watermarking Cryptographic Functionalities from Standard Lattice Assumptions Sam Kim Stanford University Joint work with David J. Wu

2 Digital Watermarking 1

3 Digital Watermarking Content is (mostly) viewable 2

4 Digital Watermarking Content is (mostly) viewable Difficult to remove (without destroying the image) 3

5 Watermarking Programs Watermarking Programs [NSS99, BGIRSVY01, HMW07, YF11, Nis13, CHNVW16, BLW17] 4

6 Watermarking Programs Watermarking Programs [NSS99, BGIRSVY01, HMW07, YF11, Nis13, CHNVW16, BLW17] 5

7 Watermarking Programs Watermarking Programs [NSS99, BGIRSVY01, HMW07, YF11, Nis13, CHNVW16, BLW17] Two main algorithms: Mark(wsk, C) C : Takes circuit C and outputs marked circuit C Verify(wsk, C ) {0, 1}: Tests whether a circuit C is marked or not 6

8 Watermarking Programs Two main algorithms: Mark(wsk, C) C : Takes circuit C and outputs marked circuit C Verify(wsk, C ) {0, 1}: Tests whether a circuit C is marked or not 7

9 Watermarking Programs Two main algorithms: Mark(wsk, C) C : Takes circuit C and outputs marked circuit C Verify(wsk, C ) {0, 1}: Tests whether a circuit C is marked or not Functionality Preserving: On input a circuit C, the Mark algorithm outputs a circuit C where: for all inputs x. C(x) = C (x) 8

10 Watermarking Programs Two main algorithms: Mark(wsk, C) C : Takes circuit C and outputs marked circuit C Verify(wsk, C ) {0, 1}: Tests whether a circuit C is marked or not Functionality Preserving: On input a circuit C, the Mark algorithm outputs a circuit C where: for all inputs x. C(x) = C (x) Too Strong: Perfect functionality preserving is impossible for watermarking assuming indistinguishability obfuscation [BGIRSVY12]. 9

11 Watermarking Programs Two main algorithms: Mark(wsk, C) C : Takes circuit C and outputs marked circuit C Verify(wsk, C ) {0, 1}: Tests whether a circuit C is marked or not Functionality Preserving: On input a circuit C, the Mark algorithm outputs a circuit C where: C(x) = C (x) on all but a negligible fraction of inputs x. 10

12 Watermarking Programs Two main algorithms: Mark(wsk, C) C : Takes circuit C and outputs marked circuit C Verify(wsk, C ) {0, 1}: Tests whether a circuit C is marked or not Unremovability: Given a marked program C, no efficient adversary can construct a circuit C where C(x) = C (x) on all but negligible fraction of inputs x Verify(wsk, C ) = 0 11

13 Watermarking Programs Two main algorithms: Mark(wsk, C) C : Takes circuit C and outputs marked circuit C Verify(wsk, C ) {0, 1}: Tests whether a circuit C is marked or not Unremovability: Given a marked program C, no efficient adversary can construct a circuit C where C(x) = C (x) on all but negligible fraction of inputs x Verify(wsk, C ) = 0 Unforgeability: Given a set of marked programs C 1,..., C l, no efficient adversary can construct a circuit C where for all i: C i (x) C (x) on a noticeable fraction of inputs x Verify(wsk, C ) = 1 12

14 Can we watermark any programs? Watermarking only achievable for functions that are not learnable. 13

15 Can we watermark any programs? Watermarking only achievable for functions that are not learnable. Focus has been on cryptographic functions. 14

16 Can we watermark any programs? Watermarking only achievable for functions that are not learnable. Focus has been on cryptographic functions. This work: Focus on watermarking PRFs [CHNVW16, BLW17]. Enables watermarking of symmetric primitives built from PRFs (e.g., encryption, MACs, etc.) 15

17 Security Definition (Weaker) Adversary wins if PRF k (x) = C (x) on all but negligible fraction of inputs x Verify(wsk, C ) = 0 16

18 Security Definition (Stronger) Adversary wins if PRF k (x) = C (x) on all but negligible fraction of inputs x Verify(wsk, C ) = 0 17

19 Main Results Construct watermarking scheme for PRFs satisfying (weaker) unremovability security definition (and unforgeability) from LWE Previous works: [CHNVW16]: (publicly verifiable) unremovability from io [BLW17]: (weaker) unremovability from io 18

20 Blueprint for Watermarking PRFs [CHNVW16, BLW17] Step 1: Evaluate PRF on test points x 1, x 2, x 3 (part of the watermarking secret key) 19

21 Blueprint for Watermarking PRFs [CHNVW16, BLW17] Step 2: Derive a pair (x, y ) from y 1, y 2, y 3 20

22 Blueprint for Watermarking PRFs [CHNVW16, BLW17] Step 3: Marked key is a circuit that implements the PRF at all points, except at x, the output is changed to y 21

23 Blueprint for Watermarking PRFs [CHNVW16, BLW17] Step 3: Marked key is a circuit that implements the PRF at all points, except at x, the output is changed to y 22

24 Blueprint for Watermarking PRFs [CHNVW16, BLW17] Verification: Evaluate function at x 1, x 2, x 3, derive (x, y ) and check if the value at x matches y. 23

25 Blueprint for Watermarking PRFs [CHNVW16, BLW17] Functionality-preserving: Function differs at a single point Unremovable: As long as adversary cannot tell that (x, y ) is special 24

26 Blueprint for Watermarking PRFs [CHNVW16, BLW17] Prior solutions: Use obfuscation to hide (x, y ) Obfuscated program has PRF embedded inside and outputs PRF(k, x) on all inputs x x and y when x = x Question: How can we implement the blueprint just from LWE? 25

27 Private Puncturable PRFs [BLW17, BKM17, CC17, BTVW17] Watermarked PRF implements PRF at all but a single point Structurally very similar to a puncturable PRF [BW13, BGI13, KPTZ13] Punctured key can be used to evaluate PRF on all points x x 26

28 Private Puncturable PRFs [BLW17, BKM17, CC17, BTVW17] Recall general approach for watermarking: 1. Derive (x, y ) from input/output behavior of PRF 2. Give out a key that agrees with PRF everywhere, except has value y at x = x 27

29 Private Puncturable PRFs [BLW17, BKM17, CC17, BTVW17] Recall general approach for watermarking: 1. Derive (x, y ) from input/output behavior of PRF 2. Give out a key that agrees with PRF everywhere, except has value y at x = x Problem 1: Punctured key does not necessarily hide x, which allows adversary to remove watermark 28

30 Private Puncturable PRFs [BLW17, BKM17, CC17, BTVW17] Recall general approach for watermarking: 1. Derive (x, y ) from input/output behavior of PRF 2. Give out a key that agrees with PRF everywhere, except has value y at x = x Problem 1: Punctured key does not necessarily hide x, which allows adversary to remove watermark Problem 2: Punctured keys typically do not provide flexibility in programming value at punctured point 29

31 Private Puncturable PRFs [BLW17, BKM17, CC17, BTVW17] Problem 1: Punctured key does not necessarily hide x, which allows adversary to remove watermark Use private puncturable PRFs 30

Private Puncturable PRFs [BLW17, BKM17, CC17, BTVW17] Problem 1: Punctured key does not necessarily hide x, which allows adversary to remove watermark Use

32 Private Puncturable PRFs [BLW17, BKM17, CC17, BTVW17] Problem 1: Punctured key does not necessarily hide x, which allows adversary to remove watermark Use private puncturable PRFs Problem 2: Punctured keys typically do not provide flexibility in programming value at punctured point Relax programmability requirement 31

33 Private Translucent PRFs Output of any punctured key on a punctured point lies in a sparse, hidden subspace 32

34 Private Translucent PRFs Output of any punctured key on a punctured point lies in a sparse, hidden subspace 33

35 Private Translucent PRFs Output of any punctured key on a punctured point lies in a sparse, hidden subspace Secret testing key can be used to test for memership in the hidden subspace 34

36 Private Translucent PRFs Sets satisfying such properties are called translucent [CDNO97] Values in special set looks indistinguishable from a random value (without secret testing key) Indistinguishable even through it is easy to sample values from the set 35

37 Private Translucent PRFs Define watermarking secret key (wsk): Test points x 1,..., x d Testing key for private translucent PRF 36

38 Private Translucent PRFs To mark a PRF key k: derive special point x and puncture k at x Watermarked program is a program C that evaluates punctured key 37

39 Private Translucent PRFs To mark a PRF key k: derive special point x and puncture k at x To test a program C : 1. Derive test point x 2. Check whether C (x ) is in the translucent set 38

40 Constructing Private Translucent PRFs from Lattices

41 Road Map 39

42 Learning with Errors [Reg05] Parameters: n, m, q, χ Problem: Distinguish the following distributions (A, s T A + e T ) (A, u T ). for A R Z n m q, s R Z n q, e R χ m, u R Z m q 40

43 Learning with Rounding [BPR12] Parameters: n, m, q, p Problem: Distinguish the following distributions (A, s T A p ) (A, u T p ). for A R Z n m q, s R Z n q, u R Z m q 41

44 Lattice PRFs [BPR12,...] LWE says that s T A p u T p. Randomized PRF(?): For any x X, choose A x R Z n m q and define PRF(k, x) = s T A x p 42

45 Lattice PRFs [BPR12,...] LWE says that s T A p u T p. Randomized PRF(?): For any x X, choose A x R Z n m q and define PRF(k, x) = s T A x p Approach: Fix matrix A 1,..., A l Z n m q and set key k = s Z n q. For x X, derive A 1,..., A l A x and define PRF(k, x) = s T A x p 43

46 Lattice PRFs [BPR12,...] LWE says that s T A p u T p. Randomized PRF(?): For any x X, choose A x R Z n m q and define PRF(k, x) = s T A x p Approach: Fix matrix A 1,..., A l Z n m q and set key k = s Z n q. For x X, derive A 1,..., A l A x and define PRF(k, x) = s T A x p Question: What is a suitable way to derive A x? 44

47 Gadget matrix [MP12] Gadget matrix G Z n m q There is an efficiently computable function G 1 ( ) such that: G 1 : Z n m q for all C Z n m q : {0, 1} m m G G 1 (C) = C Implementation: G 1 is the bit decomposition function G consists of powers-of-2 45

48 Matrix Embeddings [BGGHNSVV14] Encode x {0, 1} with respect to matrix A Z n m q s T (A + x G) + e T 46

49 Matrix Embeddings [BGGHNSVV14] Encode x {0, 1} with respect to matrix A Z n m q s T (A + x G) + e T Addition: To compute x i + x j : [ s T (A i + x i G) + e T i ] + [ s T (A j + x j G) + e T j ] 47

50 Matrix Embeddings [BGGHNSVV14] Encode x {0, 1} with respect to matrix A Z n m q s T (A + x G) + e T Addition: To compute x i + x j : [ s T (A i + x i G) + e T i ] + [ s T (A j + x j G) + e T j ] = s T ((A i + A j ) + (x i + x j ) G) + (e i + e j ) T 48

51 Matrix Embeddings [BGGHNSVV14] Encode x {0, 1} with respect to matrix A Z n m q s T (A + x G) + e T Addition: To compute x i + x j : [ s T (A i + x i G) + e T i ] + [ s T (A j + x j G) + e T j ] = s T (A (+) + (x i + x j ) G) + noise 49

52 Matrix Embeddings [BGGHNSVV14] Encode x {0, 1} with respect to matrix A Z n m q s T (A + x G) + e T Addition: To compute x i + x j : [ s T (A i + x i G) + e T i ] + [ s T (A j + x j G) + e T j ] = s T (A (+) + (x i + x j ) G) + noise Multiplication: To compute x i x j [ s T (A i + x i G) + e T i ] xj [ s T (A j + x j G) + e T j ] 1 G (A i ) 50

53 Matrix Embeddings [BGGHNSVV14] Encode x {0, 1} with respect to matrix A Z n m q s T (A + x G) + e T Addition: To compute x i + x j : [ s T (A i + x i G) + e T i ] + [ s T (A j + x j G) + e T j ] = s T (A (+) + (x i + x j ) G) + noise Multiplication: To compute x i x j [ s T (A i + x i G) + e T i = s T (A ( ) + (x i x j ) G) + noise ] xj [ s T (A j + x j G) + e T j ] 1 G (A i ) 51

54 Matrix Embeddings [BGGHNSVV14] Encode x {0, 1} with respect to matrix A Z n m q s T (A + x G) + e T Addition: To compute x i + x j : [ s T (A i + x i G) + e T i ] + [ s T (A j + x j G) + e T j ] = s T (A (+) + (x i + x j ) G) + noise Multiplication: To compute x i x j [ s T (A i + x i G) + e T i = s T (A ( ) + (x i x j ) G) + noise ] xj [ s T (A j + x j G) + e T j ] 1 G (A i ) Useful: Matrices A (+), A ( ) are independent of x i, x j. 52

55 Matrix Embeddings [BGGHNSVV14] Compute any circuit f : {0, 1} l {0, 1}: s T (A 1 + x 1 G) + e 1. s T (A l + x l G) + e 1 53

56 Matrix Embeddings [BGGHNSVV14] Compute any circuit f : {0, 1} l {0, 1}: s T (A 1 + x 1 G) + e 1. f = s T (A f + f (x) G) + noise s T (A l + x l G) + e 1 54

57 Matrix Embeddings [BGGHNSVV14] Compute any circuit f : {0, 1} l {0, 1}: s T (A 1 + x 1 G) + e 1. f = s T (A f + f (x) G) + noise s T (A l + x l G) + e 1 Useful property: Matrix A f does not depend on encoded values x 1,..., x l Can derive A 1,..., A l A f without knowing x 1,..., x l. 55

58 Puncturable PRF [BV14] Idea: Define PRF with respect to eq x (c) = { PRF(k, x) = s T A eqx p. 1 x = c 0 otherwise : 56

59 Puncturable PRF [BV14] Idea: Define PRF with respect to eq x (c) = Define punctured key sk c : { PRF(k, x) = s T A eqx p. 1 x = c 0 otherwise : s T (A 1 + c 1 G) + e 1. s T (A l + c l G) + e 1 57

60 Puncturable PRF [BV14] Idea: Define PRF with respect to eq x (c) = Define punctured key sk c : { PRF(k, x) = s T A eqx p. 1 x = c 0 otherwise : s T (A 1 + c 1 G) + e 1. eq x = s T (A eqx + eq x (c) G) + noise s T (A l + c l G) + e 1 58

61 Puncturable PRF [BV14] Idea: Define PRF with respect to eq x (c) = Define punctured key sk c : s T (A 1 + c 1 G) + e 1 { PRF(k, x) = s T A eqx p. 1 x = c 0 otherwise :. eq x = s T (A eqx + eq x (c) G) + noise s T (A l + c l G) + e 1 When x c, then eq x (c) = 0: s T A eqx + noise p = s T A eqx p When x = c, s T (A eqx + G) + noise p s T A eqx p 59

62 Private Constrained PRFs [BKM17, BTVW17] Hide punctured point? 60

63 Private Constrained PRFs [BKM17, BTVW17] Hide punctured point? Recall... Addition: To compute c i + c j : [ s T (A i + c i G) + e T i ] + [ s T (A j + c j G) + e T j ] = s T (A (+) + (c i + c j ) G) + noise Multiplication: To compute c i c j [ s T (A i + c i G) + e T i = s T (A ( ) + (c i c j ) G) + noise ] cj [ s T (A j + c j G) + e T j ] 1 G (A i ) 61

64 Private Constrained PRFs [BKM17, BTVW17] Hide punctured point? Recall... Addition: To compute c i + c j : [ s T (A i + c i G) + e T i ] + [ s T (A j + c j G) + e T j ] = s T (A (+) + (c i + c j ) G) + noise Multiplication: To compute c i c j [ s T (A i + c i G) + e T i = s T (A ( ) + (c i c j ) G) + noise ] cj [ s T (A j + c j G) + e T j ] 1 G (A i ) 62

65 Private Puncturable PRFs [BKM17, BTVW17] Hide punctured point? Recall... Addition: To compute c i + c j : [ s T (A i + c i G) + e T i ] + [ s T (A j + c j G) + e T j ] = s T (A (+) + (c i + c j ) G) + noise Multiplication: To compute c i c j [ s T (A i + c i G) + e T i = s T (A ( ) + (c i c j ) G) + noise ] cj [ s T (A j + c j G) + e T j ] 1 G (A i ) Punctured key must include c in order to compute! 63

66 Private Puncturable PRFs [BKM17, BTVW17] Hide punctured point? Recall... Addition: To compute c i + c j : [ s T (A i + c i G) + e T i ] + [ s T (A j + c j G) + e T j ] = s T (A (+) + (c i + c j ) G) + noise Multiplication: To compute c i c j [ s T (A i + c i G) + e T i = s T (A ( ) + (c i c j ) G) + noise ] cj [ s T (A j + c j G) + e T j ] 1 G (A i ) Punctured key must include c in order to compute! Idea: Use FHE to hide encoded values [GVW15] 64

67 Fully Homomorphic Encryption For message x 1,..., x l and circuit f : {0, 1} l {0, 1}, compute only on ciphertext ( ) Enc(x 1 ),..., Enc(x l ), f = Enc(f (x)) 65

68 Fully Homomorphic Encryption For message x 1,..., x l and circuit f : {0, 1} l {0, 1}, compute only on ciphertext ( ) Enc(x 1 ),..., Enc(x l ), f = Enc(f (x)) For LWE-based constructions, Enc(f (x)) Z m q, sk Z m q, and decryption is an inner product Enc(f (x)), sk = q f (x) + noise. 2 66

69 Fully Homomorphic Encryption For message x 1,..., x l and circuit f : {0, 1} l {0, 1}, compute only on ciphertext ( ) Enc(x 1 ),..., Enc(x l ), f = Enc(f (x)) For LWE-based constructions, Enc(f (x)) Z m q, sk Z m q, and decryption is an inner product Enc(f (x)), sk = f (x). (cheating for simplicity) 67

70 Private Puncturable PRF [BKM17, BTVW17] First encrypt ct Enc(c). Then define punctured key sk c : s T (A 1 + ct 1 G) + e 1. s T (A l + ct l G) + e 1 68

71 Private Puncturable PRF [BKM17, BTVW17] First encrypt ct Enc(c). Then define punctured key sk c : s T (A 1 + ct 1 G) + e 1. s T (A l + ct l G) + e 1 s T (A x,1 + ct 1 G) + noise Eval eqx =. s T (A x,l + ct m G) + noise 69

72 Private Puncturable PRF [BKM17, BTVW17] First encrypt ct Enc(c). Then define punctured key sk c : s T (A 1 + ct 1 G) + e 1. s T (A l + ct l G) + e 1 s T (A x,1 + ct 1 G) + noise Eval eqx =. s T (A x,l + ct m G) + noise We have: ct = Enc(eq x (c)) How do we extract this value? 70

73 Private Puncturable PRF [BKM17, BTVW17] First encrypt ct Enc(c). Then define punctured key sk c : s T (A 1 + ct 1 G) + e 1. s T (A l + ct l G) + e 1 s T (A x,1 + ct 1 G) + noise Eval eqx =. s T (A x,l + ct m G) + noise s T (B 1 + sk 1 G) + e 1. s T (B l + sk m G) + e m Give out ct, but not sk 1,..., sk m! 71

74 Private Puncturable PRF [BKM17, BTVW17] First encrypt ct Enc(c). Then define punctured key sk c : s T (A 1 + ct 1 G) + e 1. IP Eval eqx = s T (A x + sk, ct G) + noise s T (A l + ct l G) + e 1 s T (A 1 + sk 1 G) + e 1. s T (A l + sk m G) + e m Give out ct, but not sk 1,..., sk m! 72

75 Private Puncturable PRF [BKM17, BTVW17] First encrypt ct Enc(c). Then define punctured key sk c : s T (A 1 + ct 1 G) + e 1. IP Eval eqx = s T (A x + eq x (c) G) + noise s T (A l + ct l G) + e 1 s T (A 1 + sk 1 G) + e 1. s T (A l + sk m G) + e m Give out ct, but not sk 1,..., sk m! 73

76 Private Puncturable PRF [BKM17, BTVW17] First ct Enc(c). Then punctured key sk c : s T (A 1 + ct 1 G) + e 1. IP Eval eqx = s T (A IP Evaleqx + eq x (c) G) + noise s T (A l + ct l G) + e 1 s T (A 1 + sk 1 G) + e 1. s T (A l + sk m G) + e m Define PRF with respect to IP Eval eqx : PRF(k, x) = s T A IP Evaleqx p 74

77 Programming Encode punctured point c (under FHE) Define PRF with respect to equality circuit: { 1 x = c eq x (c) = 0 otherwise Constrained key evaluation at c: s T (A IP Evaleqx + eq x (c) G) + noise 75

78 Programming Encode punctured point c (under FHE) Define PRF with respect to equality circuit: { 1 x = c eq x (c) = 0 otherwise Constrained key evaluation at c: s T (A IP Evaleqx + G) + noise 76

79 Programming Encode punctured point (c, w) (under FHE) for some w Z q Define PRF with respect to equality circuit: { 1 x = c eq x (c) = 0 otherwise Constrained key evaluation at c: s T (A IP Evaleqx + G) + noise 77

80 Programming Encode punctured point (c, w) (under FHE) for w Z q Define PRF with respect to equality circuit: { w x = c eq x (c, w) = 0 otherwise Constrained key evaluation at c: s T (A IP Evaleqx + G) + noise 78

81 Programming Encode punctured point (c, w) (under FHE) for w Z q Define PRF with respect to equality circuit: { w x = c eq x (c, w) = 0 otherwise Constrained key evaluation at c: s T (A IP Evaleqx + eq x (c, w) G) + noise 79

82 Programming Encode punctured point (c, w) (under FHE) for w Z q Define PRF with respect to equality circuit: { w x = c eq x (c, w) = 0 otherwise Constrained key evaluation at c: s T (A IP Evaleqx + w G) + noise 80

83 Programming Encode punctured point (c, w) (under FHE) for w Z q Define PRF with respect to equality circuit: { w x = c eq x (c, w) = 0 otherwise Constrained key evaluation at c: There is some programmability here! We can choose w at key generation. s T (A IP Evaleqx + w G }{{} ) + noise 81

84 Programming Encode punctured point (c, w) (under FHE) for w i Z q Define PRF with respect to equality circuit: { w x = c eq x (c, w) = 0 otherwise Constrained key evaluation at c: s T (A IP Evaleqx + w G) + noise 82

85 Programming Encode punctured point (c, w 1,..., w N ) (under FHE) for w i Z q Define PRF with respect to equality circuit: { w x = c eq x (c, w) = 0 otherwise Constrained key evaluation at c: s T (A IP Evaleqx + w G) + noise 83

86 Programming Encode punctured point (c, w 1,..., w N ) (under FHE) for w i Z q Define PRF with respect to equality circuit: { w i x = c eq x,i (c, w i ) = 0 otherwise Constrained key evaluation at c: s T (A IP Evaleqx + w G) + noise 84

87 Programming Encode punctured point (c, w 1,..., w N ) (under FHE) for w i Z q Define PRF with respect to equality circuit: { w i x = c eq x,i (c, w i ) = 0 otherwise Constrained key evaluation at c: s T (A IP Evaleqx,1 + w 1 G 1 ) + noise. s T (A IP Evaleqx,N + w N G N ) + noise 85

88 Programming Encode punctured point (c, w 1,..., w N ) (under FHE) for w i Z q Define PRF with respect to equality circuit: { w i x = c eq x,i (c, w i ) = 0 otherwise Constrained key evaluation at c: s T (A IP Evaleqx,1 + w 1 G 1 ) + noise s T (A IP Evaleqx,N. + w N G N ) + noise Choose w 1,..., w N such that D = i [N] A IP Evaleqxi + w i G i i [N] 86

89 s T D p Programming Constrained key evaluation at c: Watermark key includes short vector w such that D w = 0 87

90 To Conclude... Open Problems: Achieve stronger security guarantees? Watermark other primitives? 88

91 To Conclude... Open Problems: Achieve stronger security guarantees? Watermark other primitives? Thanks! 89

from Standard Lattice Assumptions

Watermarking Cryptographic Functionalities from Standard Lattice Assumptions Sam Kim and David J. Wu Stanford University Digital Watermarking CRYPTO CRYPTO CRYPTO Often used to identify owner of content