Abstract
Software watermarking enables one to embed some information called “mark” into a program while preserving its functionality, and to read it from the program. As a definition of function preserving, Cohen et al. (STOC 2016) proposed statistical function preserving which requires that the input/output behavior of the marked circuit is identical almost everywhere to that of the original unmarked circuit. They showed how to construct watermarkable cryptographic primitives with statistical function preserving, including pseudorandom functions (PRFs) and public-key encryption from indistinguishability obfuscation. Recently, Goyal et al. (CRYPTO 2019) introduced more relaxed definition of function preserving for watermarkable signature. Watermarkable signature embeds a mark into a signing circuit of digital signature. The relaxed function preserving only requires that the marked signing circuit outputs valid signatures. They provide watermarkable signature with the relaxed function preserving only based on (standard) digital signature.
In this work, we introduce an intermediate notion of function preserving for watermarkable signature, which is called computational function preserving. Then, we examine the relationship among our computational function preserving, relaxed function preserving by Goyal et al., and statistical function preserving by Cohen et al. Furthermore, we propose a generic construction of watermarkable signature scheme satisfying computational function preserving based on public key encryption and (standard) digital signature.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
\(\mathbb {SIG}\) is a signature space for the watermarkable signature scheme.
References
Baldimtsi, F., Kiayias, A., Samari, K.: Watermarking public-key cryptographic functionalities and implementations. In: Nguyen, P., Zhou, J. (eds.) ISC 2017. LNCS, vol. 10599, pp. 173–191. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-69659-1_10
Barak, B., et al.: On the (im)possibility of obfuscating programs. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 1–18. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44647-8_1
Barak, B., et al.: On the (im)possibility of obfuscating programs. J. ACM 59(2), 6:1–6:48 (2012)
Boneh, D., Lewi, K., Wu, D.J.: Constraining pseudorandom functions privately. In: Fehr, S. (ed.) PKC 2017, Part II. LNCS, vol. 10175, pp. 494–524. Springer, Heidelberg (2017). https://doi.org/10.1007/978-3-662-54388-7_17
Chor, B., Fiat, A., Naor, M.: Tracing traitors. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 257–270. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48658-5_25
Cohen, A., Holmgren, J., Nishimaki, R., Vaikuntanathan, V., Wichs, D.: Watermarking cryptographic capabilities. In: ACM, STOC 2016, pp. 1115–1127 (2016)
Cohen, A., Holmgren, J., Vaikuntanathan, V.: Publicly verifiable software watermarking. IACR Cryptology ePrint Archive, 2015:373 (2015)
Goyal, R., Kim, S., Manohar, N., Waters, B., Wu, D.J.: Watermarking public-key cryptographic primitives. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019, Part III. LNCS, vol. 11694, pp. 367–398. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26954-8_12
Hopper, N., Molnar, D., Wagner, D.: From weak to strong watermarking. In: Vadhan, S.P. (ed.) TCC 2007. LNCS, vol. 4392, pp. 362–382. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-70936-7_20
Kim, S., Wu, D.J.: Watermarking cryptographic functionalities from standard lattice assumptions. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017, Part I. LNCS, vol. 10401, pp. 503–536. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63688-7_17
Kim, S., Wu, D.J.: Watermarking PRFs from lattices: stronger security via extractable PRFs. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019, Part III. LNCS, vol. 11694, pp. 335–366. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26954-8_11
Naccache, D., Shamir, A., Stern, J.P.: How to copyright a function? In: Imai, H., Zheng, Y. (eds.) PKC 1999. LNCS, vol. 1560, pp. 188–196. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-49162-7_14
Nishimaki, R.: How to watermark cryptographic functions. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 111–125. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38348-9_7
Nishimaki, R.: How to watermark cryptographic functions by bilinear maps. IEICE Trans. Fundam. Electron. Commun. Comput. Sci. 102–A(1), 99–113 (2019)
Nishimaki, R., Wichs, D.: Watermarking cryptographic programs against arbitrary removal strategies. IACR Cryptology ePrint Archive, 2015:344 (2015)
Quach, W., Wichs, D., Zirdelis, G.: Watermarking PRFs under standard assumptions: public marking and security with extraction queries. In: Beimel, A., Dziembowski, S. (eds.) TCC 2018, Part II. LNCS, vol. 11240, pp. 669–698. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03810-6_24
Yang, R., Au, M.H., Lai, J., Xu, Q., Yu, Z.: Unforgeable watermarking schemes with public extraction. In: Catalano, D., De Prisco, R. (eds.) SCN 2018. LNCS, vol. 11035, pp. 63–80. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-98113-0_4
Yang, R., Au, M.H., Lai, J., Xu, Q., Yu, Z.: Collusion resistant watermarking schemes for cryptographic functionalities. In: Galbraith, S.D., Moriai, S. (eds.) ASIACRYPT 2019, Part I. LNCS, vol. 11921, pp. 371–398. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-34578-5_14
Acknowledgements
A part of this work was supported by NTT Secure Platform Laboratories, JST OPERA JPMJOP1612, JST CREST JPMJCR14D6, JSPS KAKENHI JP16H01705, JP17H01695, JP19J22363, JP20J14338.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Appendices
A Basic Cryptographic Primitives
1.1 A.1 Public Key Encryption
A public key encryption scheme \(\mathsf {PKE}\) with a message space \(\mathcal {M}\) is a tuple of PPT algorithms \((\mathsf {PKE.Gen}, \mathsf {PKE.Enc}, \mathsf {PKE.Dec})\).
-
\(\mathsf {PKE.Gen}(1^{\lambda }) \rightarrow (\mathsf {ek}, \mathsf {dk}) :\) Given a security parameter \(1^{\lambda }\) as input, the key generation algorithm outputs a encryption/decryption key pair \((\mathsf {ek}, \mathsf {dk})\).
-
\(\mathsf {PKE.Enc}(\mathsf {ek}, m) \rightarrow c :\) Given an encryption key \(\mathsf {ek}\) and a plaintext m as input, the encryption algorithm outputs a ciphertext c.
-
\(\mathsf {PKE.Dec}(\mathsf {dk}, c) \rightarrow m/\bot :\) Given a decryption key \(\mathsf {dk}\) and a ciphertext c as input, the decryption algorithm outputs a message m or invalid symbol \(\bot \).
-
Correctness \(\mathsf {PKE}\) satisfies correctness if for all \(m \in \mathcal {M}\), \(\Pr [\mathsf {PKE.Dec}(\mathsf {dk}, c) = m :(\mathsf {ek}, \mathsf {dk}) \leftarrow \mathsf {PKE.Gen}(1^\lambda ), c \leftarrow \mathsf {PKE.Enc}(\mathsf {ek}, m)] = 1\) holds.
-
variant of IND-CPA For any PPT adversary \(\mathcal {A}\),
$$\begin{aligned} \mathsf{Adv}^{\mathsf {ind}\text {-}\mathsf {cpav}}_{\mathsf {PKE}, \mathcal {A}} := \left| \Pr \left[ b=b' : \begin{aligned}&(\mathsf {ek}, \mathsf {dk}) \leftarrow \mathsf {PKE.Gen}(1^\lambda ), (m_0, m_1) \leftarrow \mathcal {A}(\mathsf {ek}),\\&b \leftarrow \{0, 1\}, c_b \leftarrow \mathsf {PKE.Enc}(\mathsf {ek}, m_0),\\&c_b\oplus 1 \leftarrow \mathsf {PKE.Enc}(\mathsf {ek}, m_1), b' \leftarrow \mathcal {A}(c_0, c_1) \end{aligned}\right] - \frac{1}{2} \right| \end{aligned}$$is \(\mathsf {negl}(\lambda )\). This security is equivalent to the general one.
1.2 A.2 Digital Signature
A digital signature scheme \(\mathsf {DS}\) with a message space \(\mathcal {M}\) is a tuple of PPT algorithms \((\mathsf {DS.Gen}, \mathsf {DS.Sign}, \mathsf {DS.Verify})\).
-
\(\mathsf {DS.Gen}(1^{\lambda }) \rightarrow (\mathsf {vk}, \mathsf {sk}) :\) Given a security parameter \(1^{\lambda }\) as input, the key generation algorithm outputs a verification/signing key pair \((\mathsf {vk}, \mathsf {sk})\).
-
\(\mathsf {DS.Sign}(\mathsf {sk}, m) \rightarrow \sigma :\) Given a signing key \(\mathsf {sk}\) and a message m as input, the signing algorithm outputs a signature \(\sigma \).
-
\(\mathsf {DS.Verify}(\mathsf {vk}, m, \sigma ) \rightarrow 0/1: \) Given a verification key \(\mathsf {vk}\), a message m, and a signature \(\sigma \) as input, the verification algorithm outputs 0 or 1.
-
Correctness \(\mathsf {DS}\) satisfies correctness if for all \(m \in \mathcal {M}\), \(\Pr [\mathsf {DS.Verify}(\mathsf {vk}, m, \sigma ) = 1 :(\mathsf {vk}, \mathsf {sk}) \leftarrow \mathsf {DS.Gen}(1^\lambda ), \sigma \leftarrow \mathsf {DS.Sign}(\mathsf {sk}, m) ] = 1\)
-
sEUF-CMA The \(\mathrm {sEUF}\text {-}\mathrm {CMA}\) security for \(\mathsf {DS}\) is defined by the following game between a challenger and a PPT adversary \(\mathcal {A}\).
-
1.
The challenger runs \((\mathsf {vk}, \mathsf {sk}) \leftarrow \mathsf {DS.Gen}(1^{\lambda })\), initializes a list \(Q \leftarrow \{\}\), and gives \(\mathsf {vk}\) to \(\mathcal {A}\).
-
2.
Throughout the entire game, \(\mathcal {A}\) is given access to signing oracle \(\mathsf {DS.Sign}(\mathsf {sk}, \cdot )\). Given an input m, the signing oracle runs \(\sigma \leftarrow \mathsf {DS.Sign}(\mathsf {sk}, m)\), updates \(Q \leftarrow Q \cup \{(m, \sigma )\}\), and returns \(\sigma \) to \(\mathcal {A}\)
-
3.
\(\mathcal {A}\) outputs a forgery \((m^{*}, \sigma ^{*})\).
\(\mathsf {DS}\) satisfies the \(\mathrm {sEUF}\text {-}\mathrm {CMA}\) security if for all PPT adversaries \(\mathcal {A}\), \(\mathsf{Adv}^{\mathsf {unf}}_{\mathsf {DS}, \mathcal {A}} := \Pr [\mathsf {DS.Verify}(\mathsf {vk}, m^{*}, \sigma ^{*})=1 \wedge (m^{*}, \sigma ^{*}) \notin Q] \le \mathsf {negl}(\lambda )\) holds.
-
1.
B Watermarkable Signature in Previous Works
To compare with watermarkable signature in previous works, we describe formal definitions of watermarkable signature proposed by Goyal et al. [8] and Cohen et al. [6].
1.1 B.1 Definition by Goyal et al. [8]
Definition 9 (Watermarkable Signature)
A watermarkable signature scheme with a message space \(\mathcal {M}\) and a mark space \(\mathcal {T}\) is a tuple of PPT algorithms \((\mathsf {WMSetup}, \mathsf {SigSetup}, \mathsf {Sign}, \mathsf {Verify}, \mathsf {Mark}, \mathsf {Extract})\).
Definition 10 (Correctness)
For any \(m \in \mathcal {M}\) and \(\tau \in \mathcal {T}\),
holds.
Definition 11 (Meaningfulness)
Meaningfulness requires the following two properties holds.
-
1.
For all fixed circuits \(C : \mathcal {M} \rightarrow \mathbb {SIG}\)Footnote 1,
$$\begin{aligned} \Pr \left[ \mathsf {Extract}(\mathsf {xk}, \mathsf {vk}, C) \ne \bot : \begin{aligned}&(\mathsf {wpp}, \mathsf {mk}, \mathsf {xk}) \leftarrow \mathsf {WMSetup}(1^\lambda ), \\&(\mathsf {sk}, \mathsf {vk}) \leftarrow \mathsf {SigSetup}(1^{\lambda }, \mathsf {wpp})\end{aligned}\right] \le \mathsf {negl}(\lambda ) \end{aligned}$$ -
2.
$$\begin{aligned} \Pr \left[ \mathsf {Extract}(\mathsf {xk}, \mathsf {vk}, \mathsf {Sign}(\mathsf {sk}, \cdot )) \ne \bot : \begin{aligned}&(\mathsf {wpp}, \mathsf {mk}, \mathsf {xk}) \leftarrow \mathsf {WMSetup}(1^\lambda ), \\&(\mathsf {sk}, \mathsf {vk}) \leftarrow \mathsf {SigSetup}(1^{\lambda }, \mathsf {wpp})\end{aligned}\right] \le \mathsf {negl}(\lambda ) \end{aligned}$$
Definition 12 (Function Preserving)
For any \(m \in \mathcal {M}\) and \(\tau \in \mathcal {T}\),
holds.
Definition 13 (Unforgeability)
For any PPT adversary \(\mathcal {A}\),
holds, where \(\mathcal {Q} \subseteq \mathcal {M}\) is the set of messages \(\mathcal {A}\) submitted to the signing oracle.
Definition 14 (Unremovability)
For any PPT adversary \(\mathcal {A}\),
holds, where \(\mathcal {Q} \subseteq \mathcal {M}\) is the set of messages \(\mathcal {A}\) submitted to the Mark oracle. \(\mathcal {A}\) is said to be \(\epsilon \)-unremovable admissible if the circuit \(C^*\) it outputs is an \(\epsilon \)-good signer for key \(\mathsf {vk}\). Here we say that \(C^*\) is an \(\epsilon \)-good signer circuit for key \(\mathsf {vk}\) if the following \(\Pr \left[ \mathsf {Verify}(\mathsf {vk}, m, C^*(m)) = 1: m \leftarrow \mathcal {M}\right] \ge \epsilon \) holds.
1.2 B.2 Definition by Cohen et al. [6]
Definition 15 (Watermarkable Signature)
A watermarkable signature scheme with a message space \(\mathcal {M}\) and a mark space \(\mathcal {T}\) is tuple of PPT algorithms \((\mathsf {WMSetup},\mathsf {SigSetup}, \mathsf {Sign}, \mathsf {Verify}, \mathsf {Extract})\).
Definition 16 (Correctness)
For any \(\lambda \in \mathbb {N}\), \(m \in \mathcal {M}\), and \(\tau \in \mathcal {T}\),
holds.
Definition 17 ((Selective) Unforgeability)
For any PPT adversary \(\mathcal {A}\),
holds where \(\mathsf {Sign}_{m^*}(\mathsf {sk}, \cdot )\) is an oracle that signs any message except for \(m^*\).
Definition 18 (Unremovability)
For any PPT adversary \(\mathcal {A}\) and for any mark \(\tau \),
holds, where \(C^* \approx _\epsilon \mathsf {Sign}_\mathsf {sk}\) denotes \(C^*\) and \(\mathsf {Sign}_\mathsf {sk}\) agree on \(\epsilon \) fraction of their inputs.
Rights and permissions
Copyright information
© 2020 Springer Nature Switzerland AG
About this paper
Cite this paper
Sudo, K., Tezuka, M., Hara, K., Yoshida, Y., Tanaka, K. (2020). Watermarkable Signature with Computational Function Preserving. In: Nguyen, K., Wu, W., Lam, K.Y., Wang, H. (eds) Provable and Practical Security. ProvSec 2020. Lecture Notes in Computer Science(), vol 12505. Springer, Cham. https://doi.org/10.1007/978-3-030-62576-4_7
Download citation
DOI: https://doi.org/10.1007/978-3-030-62576-4_7
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-62575-7
Online ISBN: 978-3-030-62576-4
eBook Packages: Computer ScienceComputer Science (R0)