Watermarking PRFs against Quantum Adversaries

Fuyuki Kitagawa ¹ and Ryo Nishimaki ¹

Abstract

We initiate the study of software watermarking against quantum adversaries. A quantum adversary generates a quantum state as a pirate software that potentially removes an embedded message from a classical marked software. Extracting an embedded message from quantum pirate software is difficult since measurement could irreversibly alter the quantum state. In software watermarking against classical adversaries, a message extraction algorithm crucially uses the (input-output) behavior of a classical pirate software to extract an embedded message. Even if we instantiate existing watermarking PRFs with quantum-safe building blocks, it is not clear whether they are secure against quantum adversaries due to the quantum-specific property above. Thus, we need entirely new techniques to achieve software watermarking against quantum adversaries.

In this work, we define secure watermarking PRFs for quantum adversaries (unremovability against quantum adversaries). We also present two watermarking PRFs as follows.

•

We construct a privately extractable watermarking PRF against quantum adversaries from the quantum hardness of the learning with errors (LWE) problem. The marking and extraction algorithms use a public parameter and a private extraction key, respectively. The watermarking PRF is unremovable even if adversaries have (the public parameter and) access to the extraction oracle, which returns a result of extraction for a queried quantum circuit.
•

We construct a publicly extractable watermarking PRF against quantum adversaries from indistinguishability obfuscation (IO) and the quantum hardness of the LWE problem. The marking and extraction algorithms use a public parameter and a public extraction key, respectively. The watermarking PRF is unremovable even if adversaries have the extraction key (and the public parameter).

We develop a quantum extraction technique to extract information (a classical string) from a quantum state without destroying the state too much. We also introduce the notion of extraction-less watermarking PRFs as a crucial building block to achieve the results above by combining the tool with our quantum extraction technique.

Keywords: watermarking, pseudorandom function, post-quantum cryptography

¹ NTT Corporation, Tokyo, Japan

{fuyuki.kitagawa.yh,ryo.nishimaki.zk}@hco.ntt.co.jp

\textblockorigin

0.50.9

{textblock}

1[0.5,0](0,.25)

1 Introduction

1.1 Background

Software watermarking is a cryptographic primitive that achieves a digital analog of watermarking. A marking algorithm of software watermarking can embed an arbitrary message (bit string) into a computer software modeled as a circuit. A marked software almost preserves the functionality of the original software. An extraction algorithm of software watermarking can extract the embedded message from a marked software. Secure software watermarking should guarantee that no adversary can remove the embedded message without significantly destroying the functionality of the original software (called unremovability).

Barak, Goldreich, Impagliazzo, Rudich, Sahai, Vadhan, and Yang [BGI⁺12] initiate the study of software watermarking and present the first definition of cryptographically secure software watermarking. Hopper, Molnar, and Wagner [HMW07] also study the definition of cryptographically secure watermarking for perceptual objects. However, both works do not present a secure concrete scheme. A few works study secure constructions of watermarking for cryptographic primitives [NSS99, YF11, Nis13, Nis19], but they consider only restricted removal strategies. Cohen, Holmgren, Nishimaki, Wichs, and Vaikuntanathan [CHN⁺18] present stronger definitions for software watermarking and the first secure watermarking schemes for cryptographic primitives against arbitrary removal strategies. After the celebrated work, watermarking for cryptographic primitives have been extensively studied [BLW17, KW21, QWZ18, KW19, YAL⁺19, GKM⁺19, YAYX20, Nis20].

Primary applications of watermarking are identifying ownership of objects and tracing users that distribute illegal copies. Watermarking for cryptographic primitives also has another exciting application. Aaronson, Liu, Liu, Zhandry, and Zhang [ALL⁺21] and Kitagawa, Nishimaki, and Yamakawa [KNY21] concurrently and independently find that we can construct secure software leasing schemes by combining watermarking with quantum cryptography.¹¹1Precisely speaking, Aaronson et al. achieve copy-detection schemes [ALL⁺21], which are essentially the same as secure software leasing schemes. Secure software leasing [AL21] is a quantum cryptographic primitive that prevents users from generating authenticated pirated copies of leased software.²²2Leased software must be a quantum state since classical bit strings can be easily copied. Since watermarking has such an exciting application in quantum cryptography and quantum computers might be an imminent threat to cryptography due to rapid progress in research on quantum computing, it is natural and fascinating to study secure software watermarking in the quantum setting.

In quantum cryptography, building blocks must be quantum-safe such as lattice-based cryptography [Reg09]. However, even if we replace building blocks of existing cryptographic primitives/protocols with quantum-safe ones, we do not necessarily obtain quantum-safe cryptographic primitives/protocols [BDF⁺11, ARU14]. We sometimes need new proof techniques which are different from classical ones due to quantum specific properties such as no-cloning and superposition access [Wat09, Zha12b, Zha12a, Unr12, Zha19, CMSZ21]. Even worse, we must consider entirely different security models in some settings. Zhandry [Zha20] studies traitor tracing [CFN94] in the quantum setting as such an example. In quantum traitor tracing, an adversary can output a quantum state as a pirate decoder. Zhandry shows that we need new techniques for achieving quantum traitor tracing because running a quantum pirate decoder to extract information may irreversibly alter the state due to measurement.

Zhandry [Zha20] refers to software watermarking as a cryptographic primitive that has a similar issue to quantum traitor tracing. However, his work focuses only on traitor tracing and does not study software watermarking against quantum adversaries. If we use software watermarking in the quantum setting, an adversary can output a quantum state as a pirate circuit where an embedded message might be removed. However, previous works consider a setting where an adversary outputs a classical pirate circuit. It is not clear whether watermarking schemes based on quantum-safe cryptography are secure against quantum adversaries because we need an entirely new extraction algorithm to extract an embedded message from a quantum pirate circuit. Thus, the main question in this study is:

Can we achieve secure watermarking for cryptographic primitives against quantum adversaries?

We affirmatively answer this question in this work.

1.2 Our Result

Our main contributions are two-fold. One is the definitional work. We define watermarking for pseudorandom functions (PRFs) against quantum adversaries, where adversaries output a quantum state as a pirate circuit that distinguishes a PRF from a random function.³³3This definitional choice comes from the definition of traceable PRFs [GKWW21]. See Sections 1.3 and 1.4 for the detail. The other one is constructing the first secure watermarking PRFs against quantum adversaries. We present two watermarking PRFs as follows.

•

We construct a privately extractable watermarking PRF against quantum adversaries from the quantum hardness of the learning with errors (LWE) problem. This watermarking PRF is secure in the presence of the extraction oracle and supports public marking. That is, the marking and extraction algorithms use a public parameter and secret extraction key, respectively. The watermarking PRF is unremovable even if adversaries have access to the extraction oracle, which returns a result of extraction for a queried quantum circuit.
•

We construct a publicly extractable watermarking PRF against quantum adversaries from indistinguishability obfuscation (IO) and the quantum hardness of the LWE problem. This watermarking PRF also supports public marking. That is, the marking and extraction algorithms use a public parameter and a public extraction key, respectively. The watermarking PRF is unremovable (we do not need to consider the mark and extraction oracles since it supports public marking and public extraction).

The former and latter PRFs satisfy weak pseudorandomness and standard (strong) pseudorandomness even against a watermarking authority, respectively.

We develop a quantum extraction algorithm to achieve the results above. Zhandry [Zha20] presents a useful technique for extracting information from quantum states without destroying them too much. However, we cannot simply apply his technique to the watermarking setting. Embedded information (arbitrary string) is chosen from an exponentially large set in the watermarking setting. On the other hand, in the traitor tracing setting, we embed a user index, which could be chosen from a polynomially large set, in a decryption key. Zhandry’s technique is tailored to traitor tracing based on private linear broadcast encryption (PLBE) [BSW06] where user information is chosen from a polynomially large set with linear structure. Thus, we extend Zhandry’s technique [Zha20] to extract information chosen from an exponentially large set. We also introduce the notion of extraction-less watermarking as a crucial tool to achieve watermarking against quantum adversaries. This tool is a suitable building block for our quantum extraction technique in our watermarking extraction algorithm. These are our technical contributions. See Section 1.3 for the detail.

Although this paper focuses on watermarking PRFs against quantum adversaries, it is easy to extend our definitions to watermarking public-key encryption (PKE) against quantum adversaries. In particular, our construction technique easily yields watermarking PKE (where a decryption circuit is marked) schemes. We will provide the detail of them in a future version.

We also focus on watermarking PRFs with public marking in this paper. However, we can easily convert our PRFs into ones with private marking. See Remark 3.4 for the detail.

1.3 Technical Overview

Syntax of watermarking PRF.

We first review the syntax of watermarking PRF used in this work. A watermarking PRF scheme consists of five algorithms $(\mathsf{Setup},\mathsf{Gen},\mathsf{Eval},\mathsf{Mark},\mathpzc{Extract})$ .⁴⁴4In this paper, standard math font stands for classical algorithms, and calligraphic font stands for quantum algorithms. $\mathsf{Setup}$ outputs a public parameter $\mathsf{pp}$ and an extraction key $\mathsf{xk}$ . $\mathsf{Gen}$ is given $\mathsf{pp}$ and outputs a PRF key $\mathsf{prfk}$ and a public tag $\tau$ . $\mathsf{Eval}$ is the PRF evaluation algorithm that takes as an input $\mathsf{prfk}$ and $x$ in the domain and outputs $y$ . By using $\mathsf{Mark}$ , we can generate a marked evaluation circuit that has embedded message $\mathsf{m}\in\{0,1\}^{{\ell_{\mathsf{m}}}}$ and can be used to evaluate $\mathsf{Eval}(\mathsf{prfk},x^{\prime})$ for almost all $x^{\prime}$ . Finally, $\mathpzc{Extract}$ is the extraction algorithm supposed to extract the embedded message from a pirated quantum evaluation circuit generated from the marked evaluation circuit. By default, in this work, we consider the public marking setting, where anyone can execute $\mathsf{Mark}$ . Thus, $\mathsf{Mark}$ takes $\mathsf{pp}$ as an input. On the other hand, we consider both the private extraction and the public extraction settings. Thus, the extraction key $\mathsf{xk}$ used by $\mathpzc{Extract}$ is kept secret by an authority in the private extraction setting and made public in the public extraction setting.

In this work, we allow $\mathpzc{Extract}$ to take the public tag $\tau$ generated with the original PRF key corresponding to the pirate circuit. In reality, we execute $\mathpzc{Extract}$ for a software when a user claims that the software is illegally generated by using her/his PRF key. Thus, it is natural to expect we can use a user’s public tag for extraction. Moreover, pirate circuits are distinguishers, not predictors in this work. As discussed by Goyal et al. [GKWW21], security against pirate distinguishers is much preferable compared to security against pirate predictors considered in many previous works on watermarking. In this case, it seems that such additional information fed to $\mathpzc{Extract}$ is unavoidable. For a more detailed discussion on the syntax, see the discussion in Section 3.1.

It is also natural to focus on distinguishers breaking weak pseudorandomness of PRFs when we consider pirate distinguishers instead of pirate predictors. Goyal et al. [GKWW21] already discussed this point. Thus, we focus on watermarking weak PRF in this work.

Definition of unremovability against quantum adversaries.

We say that a watermarking PRF scheme satisfies unremovability if given a marked evaluation circuit $\widetilde{C}$ that has an embedded message $\mathsf{m}$ , any adversary cannot generate a circuit such that it is a “good enough circuit”, but the extraction algorithm fails to output $\mathsf{m}$ . In this work, we basically follow the notion of “good enough circuit” defined by Goyal et al. [GKWW21] as stated above. Let $D$ be the following distribution for a PRF $\mathsf{Eval}(\mathsf{prfk},\cdot):\mathsf{Dom}\rightarrow\mathsf{Ran}$ .

$D$ :: Generate $b\leftarrow\{0,1\}$ , $x\leftarrow\mathsf{Dom}$ , and $y_{0}\leftarrow\mathsf{Ran}$ . Compute $y_{1}\leftarrow\mathsf{Eval}(\mathsf{prfk},x)$ . Output $(b,x,y_{b})$ .

A circuit is defined as good enough circuit with respect to $\mathsf{Eval}(\mathsf{prfk},\cdot)$ if given $(x,y_{b})$ output by $D$ , it can correctly guess $b$ with probability significantly greater than $1/2$ . In other words, a circuit is defined as good enough if the circuit breaks weak PRF security.

Below, for a distribution $D^{\prime}$ whose output is of the form $(b,x,y)$ , let $\mathcal{M}_{D^{\prime}}=(\boldsymbol{M}_{D^{\prime},0},\boldsymbol{M}_{D^{\prime},1})$ be binary positive operator valued measures (POVMs) that represents generating random $(b,x,y)$ from $D^{\prime}$ and testing if a quantum circuit can guess $b$ from $(x,y)$ . Then, for a quantum state $\ket{\psi}$ , the overall distinguishing advantage of it for the above distribution $D$ is $\bra{\psi}\boldsymbol{M}_{D,0}\ket{\psi}$ . Thus, a natural adaptation of the above notion of goodness for quantum circuits might be to define a quantum state $\ket{\psi}$ as good if $\bra{\psi}\boldsymbol{M}_{D,0}\ket{\psi}$ is significantly greater than $1/2$ . However, this notion of goodness for quantum circuits is not really meaningful. The biggest issue is that it does not consider the stateful nature of quantum programs.

This issue was previously addressed by Zhandry [Zha20] in the context of traitor tracing against quantum adversaries. In the context of classical traitor tracing or watermarking, we can assume that a pirate circuit is stateless, or can be rewound to its original state. This assumption is reasonable. If we have the software description of the pirate circuit, such a rewinding is trivial. Even if we have a hardware box in which a pirate circuit is built, it seems that such a rewinding is possible by hard reboot or cutting power. On the other hand, in the context of quantum watermarking, we have to consider that a pirate circuit is inherently stateful since it is described as a quantum state. Operations to a quantum state can alter the state, and in general, it is impossible to rewind the state into its original state. Regarding the definition of good quantum circuits above, if we can somehow compute the average success probability $\bra{\psi}\boldsymbol{M}_{D,0}\ket{\psi}$ of the quantum state $\ket{\psi}$ , the process can change or destroy the quantum state $\ket{\psi}$ . Namely, even if we once confirm that the quantum state $\ket{\psi}$ is good by computing $\bra{\psi}\boldsymbol{M}_{D,0}\ket{\psi}$ , we cannot know the success probability of the quantum state even right after the computation. Clearly, the above notion of goodness is not the right notion, and we need one that captures the stateful nature of quantum programs.

In the work on traitor tracing against quantum adversaries, Zhandry [Zha20] proposed a notion of goodness for quantum programs that solves the above issue. We adopt it. For the above POVMs $\mathcal{M}_{D}$ , let $\mathcal{M}_{D}^{\prime}$ be the projective measurement $\{P_{p}\}_{p\in[0,1]}$ that projects a state onto the eigenspaces of $\boldsymbol{M}_{D,0}$ , where each $p$ is an eigenvalue of $\boldsymbol{M}_{D,0}$ . $\mathcal{M}_{D}^{\prime}$ is called projective implementation of $\mathcal{M}_{D}$ and denoted as $\mathsf{ProjImp}(\mathcal{M}_{D})$ . Zhandry showed that the following process has the same output distribution as $\mathcal{M}_{D}$ :

1.

Apply the projective measurement $\mathcal{M}_{D}^{\prime}=\mathsf{ProjImp}(\mathcal{M}_{D})$ and obtain $p$ .
2.

Output $0$ with probability $p$ and output $1$ with probability $1-p$ .

Intuitively, $\mathcal{M}_{D}^{\prime}$ project a state to an eigenvector of $\boldsymbol{M}_{D,0}$ with eigenvalue $p$ , which can be seen as a quantum state with success probability $p$ . Using $\mathcal{M}_{D}^{\prime}$ , Zhandry defined that a quantum circuit is $\mathsf{Live}$ if the outcome of the measurement $\mathcal{M}_{D}^{\prime}$ is significantly greater than $1/2$ . The notion of $\mathsf{Live}$ is a natural extension of the classical goodness since it collapses to the classical goodness for a classical decoder. Moreover, we can ensure that a quantum state that is tested as $\mathsf{Live}$ still has a high success probability. On the other hand, the above notion of goodness cannot say anything about the post-tested quantum state’s success probability even if the test is passed. In this work, we use the notion of $\mathsf{Live}$ quantum circuits as the notion of good quantum circuits.

Difficulty of quantum watermarking PRF.

From the above discussion, our goal is to construct a watermarking PRF scheme that guarantees that we can extract the embedded message correctly if a pirated quantum circuit is $\mathsf{Live}$ . In watermarking PRF schemes, we usually extract an embedded message by applying several tests on success probability to a pirate circuit. When a pirate circuit is a quantum state, the set of tests that we can apply is highly limited compared to a classical circuit due to the stateful nature of quantum states.

One set of tests we can apply without destroying the quantum state is $\mathsf{ProjImp}(\mathcal{M}_{D^{\prime}})$ for distributions $D^{\prime}$ that are indistinguishable from $D$ from the view of the pirate circuit.⁵⁵5In the actual extraction process, we use an approximation of projective implementation introduced by Zhandry [Zha20] since applying a projective implementation is inefficient. In this overview, we ignore this issue for simplicity. We denote this set as $\{\mathsf{ProjImp}(\mathcal{M}_{D^{\prime}})\mid D^{\prime}\stackrel{{\scriptstyle\mathsf{c}}}{{\approx}}D\}$ . Zhandry showed that if distributions $D_{1}$ and $D_{2}$ are indistinguishable, the outcome of $\mathsf{ProjImp}(\mathcal{M}_{D_{1}})$ is close to that of $\mathsf{ProjImp}(\mathcal{M}_{D_{2}})$ . By combining this property with the projective property of projective implementations, as long as the initial quantum state is $\mathsf{Live}$ and we apply only tests contained in $\{\mathsf{ProjImp}(\mathcal{M}_{D^{\prime}})\mid D^{\prime}\stackrel{{\scriptstyle\mathsf{c}}}{{\approx}}D\}$ , the quantum state remains $\mathsf{Live}$ . On the other hand, if we apply a test outside of $\{\mathsf{ProjImp}(\mathcal{M}_{D^{\prime}})\mid D^{\prime}\stackrel{{\scriptstyle\mathsf{c}}}{{\approx}}D\}$ , the quantum state might be irreversibly altered. This fact is a problem since the set $\{\mathsf{ProjImp}(\mathcal{M}_{D^{\prime}})\mid D^{\prime}\stackrel{{\scriptstyle\mathsf{c}}}{{\approx}}D\}$ only is not sufficient to implement the existing widely used construction method for watermarking PRF schemes.

To see this, we briefly review the method. In watermarking PRF schemes, the number of possible embedded messages is super-polynomial, and thus we basically need to extract an embedded message in a bit-by-bit manner. In the method, such a bit-by-bit extraction is done as follows. For every $i\in[{\ell_{\mathsf{m}}}]$ , we define two distributions $S_{i,0}$ and $S_{i,1}$ whose output is of the form $(b,x,y)$ as $D$ above. Then, we design a marked circuit with embedded message $\mathsf{m}\in\{0,1\}^{{\ell_{\mathsf{m}}}}$ so that it can be used to guess $b$ from $(x,y)$ with probability significantly greater than $1/2$ only for $S_{i,0}$ (resp. $S_{i,1}$ ) if $\mathsf{m}[i]=0$ (resp. $\mathsf{m}[i]=1$ ). The extraction algorithm can extract $i$ -th bit of the message $\mathsf{m}[i]$ by checking for which distributions of $S_{i,0}$ and $S_{i,1}$ a pirate circuit has a high distinguishing advantage.

As stated above, we cannot use this standard method to extract a message from quantum pirate circuits. The reason is that $S_{i,0}$ and $S_{i,1}$ are typically distinguishable. This implies that at least either one of $\mathsf{ProjImp}(\mathcal{M}_{S_{i,0}})$ or $\mathsf{ProjImp}(\mathcal{M}_{S_{i,1}})$ is not contained in $\{\mathsf{ProjImp}(\mathcal{M}_{D^{\prime}})\mid D^{\prime}\stackrel{{\scriptstyle\mathsf{c}}}{{\approx}}D\}$ . Since the test outside of $\{\mathsf{ProjImp}(\mathcal{M}_{D^{\prime}})\mid D^{\prime}\stackrel{{\scriptstyle\mathsf{c}}}{{\approx}}D\}$ might destroy the quantum state, we might not be able to perform the process for all $i$ , and fail to extract the entire bits of the embedded message.

It seems that to perform the bit-by-bit extraction for a quantum state, we need to extend the set of applicable tests and come up with a new extraction method.

Our solution: Use of reverse projective property.

We find that as another applicable set of tests, we have $\mathsf{ProjImp}(\mathcal{M}_{D^{\prime}})$ for distributions $D^{\prime}$ that are indistinguishable from $D^{\mathtt{rev}}$ , where $D^{\mathtt{rev}}$ is the following distribution.

$D^{\mathtt{rev}}$ :: Generate $b\leftarrow\{0,1\}$ , $x\leftarrow\mathsf{Dom}$ , and $y_{0}\leftarrow\mathsf{Ran}$ . Compute $y_{1}\leftarrow\mathsf{Eval}(\mathsf{prfk},x)$ . Output $(1\oplus b,x,y_{b})$ .

We denote the set as $\{\mathsf{ProjImp}(\mathcal{M}_{D^{\prime}})\mid D^{\prime}\stackrel{{\scriptstyle\mathsf{c}}}{{\approx}}D^{\mathtt{rev}}\}$ . $D^{\mathtt{rev}}$ is the distribution the first bit of whose output is flipped from that of $D$ . Then, $\mathcal{M}_{D^{\mathtt{rev}}}$ can be seen as POVMs that represents generating random $(b,x,y_{b})$ from $D$ and testing if a quantum circuit cannot guess $b$ from $(x,y_{b})$ . Thus, we see that $\mathcal{M}_{D^{\mathtt{rev}}}=(\boldsymbol{M}_{D,1},\boldsymbol{M}_{D,0})$ . Recall that $\mathcal{M}_{D}=(\boldsymbol{M}_{D,0},\boldsymbol{M}_{D,1})$ .

Let $D_{1}\in\{\mathsf{ProjImp}(\mathcal{M}_{D^{\prime}})\mid D^{\prime}\stackrel{{\scriptstyle\mathsf{c}}}{{\approx}}D\}$ and $D^{\mathtt{rev}}_{1}$ be the distribution that generates $(b,x,y)\leftarrow D_{1}$ and outputs $(1\oplus b,x,y)$ . $D^{\mathtt{rev}}_{1}$ is a distribution contained in $\{\mathsf{ProjImp}(\mathcal{M}_{D^{\prime}})\mid D^{\prime}\stackrel{{\scriptstyle\mathsf{c}}}{{\approx}}D^{\mathtt{rev}}\}$ . Similarly to the relation between $D$ and $D^{\mathtt{rev}}$ , if $\mathcal{M}_{D_{1}}=(\boldsymbol{M}_{D_{1},0},\boldsymbol{M}_{D_{1},1})$ , we have $\mathcal{M}_{D^{\mathtt{rev}}_{1}}=(\boldsymbol{M}_{D^{\mathtt{rev}}_{1},1},\boldsymbol{M}_{D^{\mathtt{rev}}_{1},0})$ . Since $\boldsymbol{M}_{D_{1},0}+\boldsymbol{M}_{D_{1},1}=\boldsymbol{I}$ , $\boldsymbol{M}_{D_{1},0}$ and $\boldsymbol{M}_{D_{1},1}$ share the same set of eigenvectors, and if a vector is an eigenvector of $\boldsymbol{M}_{D_{1},0}$ with eigenvalue $p$ , then it is also an eigenvector of $\boldsymbol{M}_{D_{1},1}$ with eigenvalue $1-p$ . Thus, if apply $\mathsf{ProjImp}(\mathcal{M}_{D_{1}})$ and $\mathsf{ProjImp}(\mathcal{M}_{D^{\mathtt{rev}}_{1}})$ successively to a quantum state and obtain the outcomes $\widetilde{p}_{1}$ and $\widetilde{p}_{1}^{\prime}$ , it holds that $\widetilde{p}_{1}^{\prime}=1-\widetilde{p}_{1}$ . We call this property the reverse projective property of the projective implementation.

Combining projective and reverse projective properties and the outcome closeness for indistinguishable distributions of the projective implementation, we see that the following key fact holds.

Key fact:: As long as the initial quantum state is $\mathsf{Live}$ and we apply tests contained in $\{\mathsf{ProjImp}(\mathcal{M}_{D^{\prime}})\mid D^{\prime}\stackrel{{\scriptstyle\mathsf{c}}}{{\approx}}D\}$ or $\{\mathsf{ProjImp}(\mathcal{M}_{D^{\prime}})|D^{\prime}\stackrel{{\scriptstyle\mathsf{c}}}{{\approx}}D^{\mathtt{rev}}\}$ , the quantum state remains $\mathsf{Live}$ . Moreover, if the outcome of applying $\mathsf{ProjImp}(\mathcal{M}_{D})$ to the initial state is $p$ , we get the outcome close to $p$ every time we apply a test in $\{\mathsf{ProjImp}(\mathcal{M}_{D^{\prime}})\mid D^{\prime}\stackrel{{\scriptstyle\mathsf{c}}}{{\approx}}D\}$ , and we get the outcome close to $1-p$ every time we apply a test in $\{\mathsf{ProjImp}(\mathcal{M}_{D^{\prime}})\mid D^{\prime}\stackrel{{\scriptstyle\mathsf{c}}}{{\approx}}D^{\mathtt{rev}}\}$ .

In this work, we perform bit-by-bit extraction of embedded messages by using the above key fact of the projective implementation. To this end, we introduce the new notion of extraction-less watermarking PRF as an intermediate primitive.

Via extraction-less watermarking PRF.

An extraction-less watermarking PRF scheme has almost the same syntax as a watermarking PRF scheme, except that it does not have an extraction algorithm $\mathpzc{Extract}$ and instead has a simulation algorithm $\mathsf{Sim}$ . $\mathsf{Sim}$ is given the extraction key $\mathsf{xk}$ , the public tag $\tau$ , and an index $i\in[{\ell_{\mathsf{m}}}]$ , and outputs a tuple of the form $(\gamma,x,y)$ . $\mathsf{Sim}$ simulates outputs of $D$ or $D^{\mathtt{rev}}$ for a pirate circuit depending on the message embedded to the marked circuit corresponding to the pirate circuit. More concretely, we require that from the view of the pirate circuit generated from a marked circuit with embedded message $\mathsf{m}\in\{0,1\}^{{\ell_{\mathsf{m}}}}$ , outputs of $\mathsf{Sim}$ are indistinguishable from those of $D$ if $\mathsf{m}[i]=0$ and are indistinguishable from those of $D^{\mathtt{rev}}$ if $\mathsf{m}[i]=1$ for every $i\in[{\ell_{\mathsf{m}}}]$ . We call this security notion simulatability for mark-dependent distributions (SIM-MDD security).

By using an extraction-less watermarking PRF scheme $\mathsf{ELWMPRF}$ , we construct a watermarking PRF scheme $\mathsf{WMPRF}$ against quantum adversaries as follows. We use $\mathsf{Setup},\mathsf{Gen},\mathsf{Eval},\mathsf{Mark}$ of $\mathsf{ELWMPRF}$ as $\mathsf{Setup},\mathsf{Gen},\mathsf{Eval},\mathsf{Mark}$ of $\mathsf{WMPRF}$ , respectively. We explain how to construct the extraction algorithm $\mathpzc{Extract}$ of $\mathsf{WMPRF}$ using $\mathsf{Sim}$ of $\mathsf{ELWMPRF}$ . For every $i\in[{\ell_{\mathsf{m}}}]$ , we define $D_{\tau,i}$ as the distribution that outputs randomly generated $(\gamma,x,y)\leftarrow\mathsf{Sim}(\mathsf{xk},\tau,i)$ . Given $\mathsf{xk}$ , $\tau$ , and a quantum state $\ket{\psi}$ , $\mathpzc{Extract}$ extracts the embedded message in the bit-by-bit manner by repeating the following process for every $i\in[{\ell_{\mathsf{m}}}]$ .

•

Apply $\mathsf{ProjImp}(\mathcal{M}_{D_{\tau,i}})$ to $\ket{\psi_{i-1}}$ and obtain the outcome $\widetilde{p}_{i}$ , where $\ket{\psi_{0}}=\ket{\psi}$ and $\ket{\psi_{i-1}}$ is the state after the $(i-1)$ -th loop for every $i\in[{\ell_{\mathsf{m}}}]$ .
•

Set $\mathsf{m}^{\prime}_{i}=0$ if $\widetilde{p}_{i}>1/2$ and otherwise $\mathsf{m}^{\prime}_{i}=1$ .

The extracted message is set to $\mathsf{m}^{\prime}_{1}\|\cdots\|\mathsf{m}^{\prime}_{\ell_{\mathsf{m}}}$ .

We show that the above construction satisfies unremovability. Suppose an adversary is given marked circuit $\widetilde{C}\leftarrow\mathsf{Mark}(\mathsf{pp},\mathsf{prfk},\mathsf{m})$ and generates a quantum state $\ket{\psi}$ , where $(\mathsf{pp},\mathsf{xk})\leftarrow\mathsf{Setup}(1^{\lambda})$ and $(\mathsf{prfk},\tau)\leftarrow\mathsf{Gen}(\mathsf{pp})$ . Suppose also that $\ket{\psi}$ is $\mathsf{Live}$ . This assumption means that the outcome $p$ of applying $\mathsf{ProjImp}(\mathcal{M}_{D})$ to $\ket{\psi}$ is $1/2+\epsilon$ , where $\epsilon$ is an inverse polynomial. For every $i\in[{\ell_{\mathsf{m}}}]$ , from the SIM-MDD security of $\mathsf{ELWMPRF}$ , $D_{\tau,i}$ is indistinguishable from $D$ if $\mathsf{m}[i]=0$ and is indistinguishable from $D^{\mathtt{rev}}$ if $\mathsf{m}[i]=1$ . This means that $D_{\tau,i}\in\{\mathsf{ProjImp}(\mathcal{M}_{D^{\prime}})\mid D^{\prime}\stackrel{{\scriptstyle\mathsf{c}}}{{\approx}}D\}$ if $\mathsf{m}[i]=0$ and $D_{\tau,i}\in\{\mathsf{ProjImp}(\mathcal{M}_{D^{\prime}})\mid D^{\prime}\stackrel{{\scriptstyle\mathsf{c}}}{{\approx}}D^{\mathtt{rev}}\}$ if $\mathsf{m}[i]=1$ . Then, from the above key fact of the projective implementation, it holds that $\widetilde{p}_{i}$ is close to $1/2+\epsilon>1/2$ if $\mathsf{m}[i]=0$ and is close to $1/2-\epsilon<1/2$ if $\mathsf{m}[i]=1$ . Therefore, we see that $\mathpzc{Extract}$ correctly extract $\mathsf{m}$ from $\ket{\psi}$ . This means that $\mathsf{WMPRF}$ satisfies unremovability.

The above definition, construction, and security analysis are simplified and ignore many subtleties. The most significant point is that we use approximated projective implementations introduced by Zhandry [Zha20] instead of projective implementations in the actual construction since applying a projective implementation is an inefficient process. Moreover, though the outcomes of (approximate) projective implementations for indistinguishable distributions are close, in the actual analysis, we have to take into account that the outcomes gradually change every time we apply an (approximate) projective implementation. These issues can be solved by doing careful parameter settings.

Comparison with the work by Zhandry [Zha20].

Some readers familiar with Zhandry’s work [Zha20] might think that our technique contradicts the lesson from Zhandry’s work since it essentially says that once we find a large gap in success probabilities, the tested quantum pirate circuit might self-destruct. However, this is not the case. What Zhandry’s work really showed is the following. Once a quantum pirate circuit itself detects that there is a large gap in success probabilities, it might self-destruct. Even if an extractor finds a large gap in success probabilities, if the tested quantum pirate circuit itself cannot detect the large gap, the pirate circuit cannot self-destruct. In Zhandry’s work, whenever an extractor finds a large gap, the tested pirate circuit also detects the large gap. In our work, the tested pirate circuit cannot detect a large gap throughout the extraction process while an extractor can find it.

The reason why a pirate circuit cannot detect a large gap in our scheme even if an extractor can find it is as follows. Recall that in the above extraction process of our scheme based on an extraction-less watermarking PRF scheme, we apply $\mathsf{ProjImp}(\mathcal{M}_{D_{\tau,i}})$ to the tested pirate circuit for every $i\in[{\ell_{\mathsf{m}}}]$ . Each $D_{\tau,i}$ outputs a tuple of the form $(b,x,y)$ and is indistinguishable from $D$ or $D^{\mathtt{rev}}$ depending on the embedded message. In the process, we apply $\mathsf{ProjImp}(\mathcal{M}_{D_{\tau,i}})$ for every $i\in[{\ell_{\mathsf{m}}}]$ , and we get the success probability $p$ if $D_{\tau,i}$ is indistinguishable from $D$ and we get $1-p$ if $D_{\tau,i}$ is indistinguishable from $D^{\mathtt{rev}}$ . The tested pirate circuit needs to know which of $D$ or $D^{\mathtt{rev}}$ is indistinguishable from the distribution $D_{\tau,i}$ behind the projective implementation to know which of $p$ or $1-p$ is the result of an application of a projective implementation. However, this is impossible. The tested pirate circuit receives only $(x,y)$ part of $D_{\tau,i}$ ’s output and not $b$ part. (Recall that the task of the pirate circuit is to guess $b$ from $(x,y)$ .) The only difference between $D$ and $D^{\mathtt{rev}}$ is that the first-bit $b$ is flipped. Thus, if the $b$ part is dropped, $D_{\tau,i}$ is, in fact, indistinguishable from both $D$ and $D^{\mathtt{rev}}$ . As a result, the pirate program cannot know which of $p$ or $1-p$ is the result of an application of a projective implementation. In other words, the pirate circuit cannot detect a large gap in our extraction process.

Instantiating extraction-less watermarking PRF.

In the rest of this overview, we will explain how to realize extraction-less watermarking PRF.

We consider the following two settings similar to the ordinary watermarking PRF. Recall that we consider the public marking setting by default.

Private-simulatable:: In this setting, the extraction key $\mathsf{xk}$ fed into $\mathsf{Sim}$ is kept secret. We require that SIM-MDD security hold under the existence of the simulation oracle that is given a public tag $\tau^{\prime}$ and an index $i^{\prime}\in[{\ell_{\mathsf{m}}}]$ and returns $\mathsf{Sim}(\mathsf{xk},\tau^{\prime},i^{\prime})$ . An extraction-less watermarking PRF scheme in this setting yields a watermarking PRF scheme against quantum adversaries in private-extractable setting where unremovability holds for adversaries who can access the extraction oracle.
Public-simulatable:: In this setting, the extraction key $\mathsf{xk}$ is publicly available. An extraction-less watermarking PRF scheme in this setting yields a watermarking PRF scheme against quantum adversaries in the public-extractable setting.

We provide a construction in the first setting using private constrained PRF based on the hardness of the LWE assumption. Also, we provide a construction in the second setting based on IO and the hardness of the LWE assumption.

To give a high-level idea behind the above constructions, in this overview, we show how to construct a public-simulatable extraction-less watermarking PRF in the token-based setting [CHN⁺18]. In the token-based setting, we treat a marked circuit $\widetilde{C}\leftarrow\mathsf{Mark}(\mathsf{pp},\mathsf{prfk},\mathsf{m})$ as a tamper-proof hardware token that an adversary can only access in a black-box way.

Before showing the actual construction, we explain the high-level idea. Recall that SIM-MDD security requires that an adversary $\mathpzc{A}$ who is given $\widetilde{C}\leftarrow\mathsf{Mark}(\mathsf{pp},\mathsf{prfk},\mathsf{m})$ cannot distinguish $(\gamma^{\ast},x^{\ast},y^{\ast})\leftarrow\mathsf{Sim}(\mathsf{xk},\tau,i^{\ast})$ from an output of $D$ if $\mathsf{m}[i^{\ast}]=0$ and from that of $D^{\mathtt{rev}}$ if $\mathsf{m}[i^{\ast}]=1$ . This is the same as requiring that $\mathpzc{A}$ cannot distinguish $(\gamma^{\ast},x^{\ast},y^{\ast})\leftarrow\mathsf{Sim}(\mathsf{xk},\tau,i^{\ast})$ from that of the following distribution $D_{\mathtt{real},i^{\ast}}$ . We can check that $D_{\mathtt{real},i^{\ast}}$ is identical with $D$ if $\mathsf{m}[i^{\ast}]=0$ and with $D^{\mathtt{rev}}$ if $\mathsf{m}[i^{\ast}]=1$ .

$D_{\mathtt{real},i^{\ast}}$ :: Generate $\gamma\leftarrow\{0,1\}$ and $x\leftarrow\mathsf{Dom}$ . Then, if $\gamma=\mathsf{m}[i^{\ast}]$ , generate $y\leftarrow\mathsf{Ran}$ , and otherwise, compute $y\leftarrow\mathsf{Eval}(\mathsf{prfk},x)$ . Output $(\gamma,x,y)$ .

Essentially, the only attack that $\mathpzc{A}$ can perform is to feed $x^{\ast}$ contained in the given tuple $(\gamma^{\ast},x^{\ast},y^{\ast})$ to $\widetilde{C}$ and compares the result $\widetilde{C}(x^{\ast})$ with $y^{\ast}$ , if we ensure that $\gamma^{\ast}$ , $x^{\ast}$ are pseudorandom. In order to make the construction immune to this attack, letting $\widetilde{C}\leftarrow\mathsf{Mark}(\mathsf{pp},\mathsf{prfk},\mathsf{m})$ and $(\gamma^{\ast},x^{\ast},y^{\ast})\leftarrow\mathsf{Sim}(\mathsf{xk},\tau,i^{\ast})$ , we have to design $\mathsf{Sim}$ and $\widetilde{C}$ so that

•

If $\gamma=\mathsf{m}[i^{\ast}]$ , $\widetilde{C}(x^{\ast})$ outputs a value different from $y^{\ast}$ .
•

If $\gamma\neq\mathsf{m}[i^{\ast}]$ , $\widetilde{C}(x^{\ast})$ outputs $y^{\ast}$ .

We achieve these conditions as follows. First, we set $(\gamma^{\ast},x^{\ast},y^{\ast})$ output by $\mathsf{Sim}(\mathsf{xk},\tau,i^{\ast})$ so that $\gamma^{\ast}$ and $y^{\ast}$ is random values and $x^{\ast}$ is an encryption of $y^{\ast}\|i^{\ast}\|\gamma^{\ast}$ by a public-key encryption scheme with pseudorandom ciphertext property, where the encryption key $\mathsf{pk}$ is included in $\tau$ . Then, we set $\widetilde{C}$ as a token such that it has the message $\mathsf{m}$ and the decryption key $\mathsf{sk}$ corresponding to $\mathsf{pk}$ hardwired, and it outputs $y^{\ast}$ if the input is decryptable and $\gamma^{\ast}\neq\mathsf{m}[i^{\ast}]$ holds for the decrypted $y^{\ast}\|i^{\ast}\|\gamma^{\ast}$ , and otherwise behaves as $\mathsf{Eval}(\mathsf{prfk},\cdot)$ . The actual construction is as follows.

Let $\mathsf{PRF}$ be a PRF family consisting of functions $\{\mathsf{F}_{\mathsf{prfk}}(\cdot):\{0,1\}^{n}\rightarrow\{0,1\}^{\lambda}|\mathsf{prfk}\}$ , where $\lambda$ is the security parameter and $n$ is sufficiently large. Let $\mathsf{PKE}=(\mathsf{KG},\mathsf{E},\mathsf{D})$ be a CCA secure public-key encryption scheme satisfying pseudorandom ciphertext property. Using these ingredients, We construct an extraction-less watermarking PRF scheme $\mathsf{ELWMPRF}=(\mathsf{Setup},\mathsf{Gen},\mathsf{Eval},\mathsf{Mark},\mathsf{Sim})$ as follows.

$\mathsf{Setup}(1^{\lambda})$ :: In this construction, $\mathsf{pp}:=\bot$ and $\mathsf{xk}:=\bot$ .
$\mathsf{Gen}(\mathsf{pp})$ :: It generates a fresh PRF key $\mathsf{prfk}$ of $\mathsf{PRF}$ and a key pair $(\mathsf{pk},\mathsf{sk})\leftarrow\mathsf{KG}(1^{\lambda})$ . The PRF key is $(\mathsf{prfk},\mathsf{sk})$ and the corresponding public tag is $\mathsf{pk}$ .
$\mathsf{Eval}((\mathsf{prfk},\mathsf{sk}),x)$ :: It simply outputs $\mathsf{F}_{\mathsf{prfk}}(x)$ .
$\mathsf{Mark}(\mathsf{pp},(\mathsf{prfk},\mathsf{sk}),\mathsf{m})$ :: It generates the following taken $\widetilde{C}[\mathsf{prfk},\mathsf{sk},\mathsf{m}]$ .

Hard-Coded Constants: $\mathsf{prfk},\mathsf{sk},\mathsf{m}$ . Input: $x\in\{0,1\}^{n}$ . 1. Try to decrypt $y\|i\|\gamma\leftarrow\mathsf{D}(\mathsf{sk},x)$ with $y\in\{0,1\}^{\lambda}$ , $i\in[{\ell_{\mathsf{m}}}]$ , and $\gamma\in\{0,1\}$ . 2. If decryption succeeds, output $y$ if $\gamma\neq\mathsf{m}[i]$ and $\mathsf{F}_{\mathsf{prfk}}(x)$ otherwise. 3. Otherwise, output $\mathsf{F}_{\mathsf{prfk}}(x)$ .
$\mathsf{Sim}(\mathsf{xk},\tau,i)$ :: It first generates $\gamma\leftarrow\{0,1\}$ and $y\leftarrow\{0,1\}^{\lambda}$ . Then, it parses $\tau:=\mathsf{pk}$ and generates $x\leftarrow\mathsf{E}(\mathsf{pk},y\|i\|\gamma)$ . Finally, it outputs $(\gamma,x,y)$ .

We check that $\mathsf{ELWMPRF}$ satisfies SIM-MDD security. For simplicity, we fix the message $\mathsf{m}\in[{\ell_{\mathsf{m}}}]$ embedded into the challenge PRF key. Then, for any adversary $\mathpzc{A}$ and $i^{\ast}\in[{\ell_{\mathsf{m}}}]$ , SIM-MDD security requires that given $\widetilde{C}[\mathsf{prfk},\mathsf{sk},\mathsf{m}]\leftarrow\mathsf{Mark}(\mathsf{mk},\mathsf{prfk},\mathsf{m})$ and $\tau=\mathsf{pk}$ , $\mathpzc{A}$ cannot distinguish $(\gamma^{\ast},x^{\ast}=\mathsf{E}(\mathsf{pk},y^{\ast}\|i^{\ast}\|\gamma^{\ast}),y^{\ast})\leftarrow\mathsf{Sim}(\mathsf{xk},\tau,i^{\ast})$ from an output of $D$ if $\mathsf{m}[i^{\ast}]=0$ and is indistinguishable from $D^{\mathtt{rev}}$ if $\mathsf{m}[i^{\ast}]=1$ .

We consider the case of $\mathsf{m}[i^{\ast}]=0$ . We can finish the security analysis by considering the following sequence of mutually indistinguishable hybrid games, where $\mathpzc{A}$ is given $(\gamma^{\ast},x^{\ast}=\mathsf{E}(\mathsf{pk},y^{\ast}\|i^{\ast}\|\gamma^{\ast}),y^{\ast})\leftarrow\mathsf{Sim}(\mathsf{xk},\tau,i^{\ast})$ in the first game, and on the other hand, is given $(\gamma^{\ast},x^{\ast},y^{\ast})\leftarrow D$ in the last game. We first change the game so that $x^{\ast}$ is generated as a uniformly random value instead of $x^{\ast}\leftarrow\mathsf{E}(\mathsf{pk},y^{\ast}\|i^{\ast}\|\gamma^{\ast})$ by using the pseudorandom ciphertext property under CCA of $\mathsf{PKE}$ . This is possible since the CCA oracle can simulate access to the marked token $\widetilde{C}[\mathsf{prfk},\mathsf{sk},\mathsf{m}]$ by $\mathpzc{A}$ . Then, we further change the security game so that if $\gamma^{\ast}=1$ , $y^{\ast}$ is generated as $\mathsf{F}_{\mathsf{prfk}}(x^{\ast})$ instead of a uniformly random value by using the pseudorandomness of $\mathsf{PRF}$ . Note that if $\gamma^{\ast}=0$ , $y^{\ast}$ remains uniformly at random. We see that if $\gamma^{\ast}=1$ , the token $\widetilde{C}[\mathsf{prfk},\mathsf{sk},\mathsf{m}]$ never evaluate $\mathsf{F}_{\mathsf{prfk}}(x^{\ast})$ since $\mathsf{m}[i^{\ast}]\neq\gamma^{\ast}$ . Thus, this change is possible. We see that now the distribution of $(\gamma^{\ast},x^{\ast},y^{\ast})$ is exactly the same as that output by $D$ . Similarly, in the case of $\mathsf{m}[i^{\ast}]=1$ , we can show that an output of $\mathsf{Sim}(\mathsf{xk},\tau,i^{\ast})$ is indistinguishable from that output by $D^{\mathtt{rev}}$ . The only difference is that in the final step, we change the security game so that $y^{\ast}$ is generated as $\mathsf{F}_{\mathsf{prfk}}(x^{\ast})$ if $\gamma^{\ast}=0$ .

In the actual public-simulatable construction, we implement this idea using iO and puncturable encryption [CHN⁺18] instead of token and CCA secure public-key encryption. Also, in the actual secret-simulatable construction, we basically follow the same idea using private constrained PRF and secret-key encryption.

1.4 More on Related Work

Watermarking against classical adversaries.

Cohen et al. [CHN⁺18] present a publicly extractable watermarking PRF from IO and injective OWFs. It is unremovable against adversaries who can access the mark oracle only before a target marked circuit is given. The mark oracle returns a marked circuit for a queried arbitrary polynomial-size circuit. Suppose we additionally assume the hardness of the decisional Diffie-Hellman or LWE problem. In that case, their watermarking PRF is unremovable against adversaries that can access the mark oracle before and after a target marked circuit is given. However, adversaries can query a valid PRF key to the mark oracle in that case. They also present definitions and constructions of watermarking for public-key cryptographic primitives.

Boneh, Lewi, and Wu [BLW17] present a privately extractable watermarking PRF from privately programmable PRFs, which are variants of private constrained PRFs [BLW17, CC17]. It is unremovable in the presence of the mark oracle. However, it is not secure in the presence of the extraction oracle and does not support public marking. They instantiate a privately programmable PRF with IO and OWFs, but later, Peikert and Shiehian [PS18] instantiate it with the LWE assumption.

Kim and Wu [KW21] (KW17), Quach, Wichs, and Zirdelis [QWZ18] (QWZ), and Kim and Wu [KW19] (KW19) present privately extractable watermarking PRFs from the LWE assumption. They are secure in the presence of the mark oracle. KW17 construction is not secure in the presence of the extraction oracle and does not support public marking. QWZ construction is unremovable in the presence of the extraction oracle and supports public marking. However, it does not have pseudorandomness against an authority that generates a marking and extraction key. KW19 construction is unremovable in the presence of the extraction oracle and has some restricted pseudorandomness against an authority (see the reference [KW19] for the detail). However, it does not support public marking.⁶⁶6Their construction supports public marking in the random oracle model.

Yang et al. [YAL⁺19] present a collusion-resistant watermarking PRF from IO and the LWE assumption. Collusion-resistant watermarking means unremovability holds even if adversaries receive multiple marked circuits with different embedded messages generated from one target circuit.

Goyal, Kim, Manohar, Waters, and Wu [GKM⁺19] improve the definitions of watermarking for public-key cryptographic primitives and present constructions. In particular, they introduce collusion-resistant watermarking and more realistic attack strategies for public-key cryptographic primitives. Nishimaki [Nis20] present a general method for equipping many existing public-key cryptographic schemes with the watermarking functionality.

Goyal, Kim, Waters, and Wu [GKWW21] introduce the notion of traceable PRFs, where we can identify a user that creates a pirate copy of her/his authenticated PRF. The difference between traceable PRF and (collusion-resistant) watermarking PRF is that there is only one target original PRF and multiple authenticated copies of it with different identities in traceable PRF. In (collusion-resistant) watermarking PRF, we consider many different PRF keys. In addition, Goyal et al. introduce a refined attack model. Adversaries in previous watermarking PRF definitions output a pirate PRF circuit that correctly computes the original PRF values for $1/2+\epsilon$ fraction of inputs. However, adversaries in traceable PRFs output a pirate circuit that distinguishes whether an input pair consists of a random input and a real PRF value or a random input and output value. This definition captures wide range of attacks. For example, it captures adversaries who create a pirate PRF circuit that can compute the first quarter bits of the original PRF output. Such an attack is not considered in previous watermarking PRFs. We adopt the refined attack model in our definitions.

Learning information from adversarial entities in the quantum setting.

Zhandry [Zha20] introduces the definition of secure traitor tracing against quantum adversaries. In traitor tracing, each legitimate user receives a secret key that can decrypt broadcasted ciphertexts and where identity information is embedded. An adversary outputs a pirate decoder that can distinguish whether an input is a ciphertext of $m_{0}$ or $m_{1}$ where $m_{0}$ and $m_{1}$ are adversarially chosen plaintexts. A tracing algorithm must identify a malicious user’s identity such that its secret decryption key is embedded in the pirate decoder. Thus, we need to extract information from adversarially generated objects. Such a situation also appears in security proofs of interactive proof systems [Wat09, Unr12, ARU14, CMSZ21] (but not in real cryptographic algorithms) since we rewind a verifier.

Zhandry presents how to estimate the success decryption probability of a quantum pirate decoder without destroying the decoding (distinguishing) capability. He achieves a quantum tracing algorithm that extracts a malicious user identity by combining the probability approximation technique above with PLBE [BSW06]. However, his technique is limited to the setting where user identity spaces are only polynomially large while there are several traitor tracing schemes with exponentially large identity spaces [NWZ16, GKW19]. As observed in previous works [GKM⁺19, Nis20, GKWW21], traitor tracing and watermarking have similarities since an adversary outputs a pirate circuit in the watermarking setting and an extraction algorithm tries to retrieve information from it. However, a notable difference is that we must consider exponentially large message spaces by default in the (message-embedding) watermarking setting.

Application of (classical) watermarking.

As we explained above, Aaronson et al. [ALL⁺21], and Kitagawa et al. [KNY21] achieve secure software leasing schemes by using watermarking. A leased software consists of a quantum state and watermarked circuit. Although they use watermarking schemes in the quantum setting, it is sufficient for their purpose to use secure watermarking against adversaries that output a classical pirate circuit. This is because a returned software is verified by a checking algorithm and must have a specific format in secure software leasing.⁷⁷7A valid software must run on a legitimate platform. For example, a video game title of Xbox must run on Xbox. That is, a returned software is rejected if it does not have a classical circuit part that can be tested by an extraction algorithm of the building block watermarking.

2 Preliminaries

Notations and conventions.

In this paper, standard math or sans serif font stands for classical algorithms (e.g., $C$ or $\mathsf{Gen}$ ) and classical variables (e.g., $x$ or $\mathsf{pk}$ ). Calligraphic font stands for quantum algorithms (e.g., $\mathpzc{Gen}$ ) and calligraphic font and/or the bracket notation for (mixed) quantum states (e.g., $\mathpzc{q}$ or $\ket{\psi}$ ). For strings $x$ and $y$ , $x\|y$ denotes the concatenation of $x$ and $y$ . Let $[\ell]$ denote the set of integers $\{1,\cdots,\ell\}$ , $\lambda$ denote a security parameter, and $y\coloneqq z$ denote that $y$ is set, defined, or substituted by $z$ .

In this paper, for a finite set $X$ and a distribution $D$ , $x\leftarrow X$ denotes selecting an element from $X$ uniformly at random, $x\leftarrow D$ denotes sampling an element $x$ according to $D$ . Let $y\leftarrow\mathsf{A}(x)$ and $y\leftarrow\mathpzc{A}(\mathpzc{x})$ denote assigning to $y$ the output of a probabilistic or deterministic algorithm $\mathsf{A}$ and a quantum algorithm $\mathpzc{A}$ on an input $x$ and $\mathpzc{x}$ , respectively. When we explicitly show that $\mathsf{A}$ uses randomness $r$ , we write $y\leftarrow\mathsf{A}(x;r)$ . PPT and QPT algorithms stand for probabilistic polynomial time algorithms and polynomial time quantum algorithms, respectively. Let ${\mathsf{negl}}$ denote a negligible function.

2.1 Quantum Information

Let $\mathcal{H}$ be a finite-dimensional complex Hilbert space. A (pure) quantum state is a vector $\ket{\psi}\in\mathcal{H}$ . Let $\mathcal{S}(\mathcal{H})$ be the space of Hermitian operators on $\mathcal{H}$ . A density matrix is a Hermitian operator $\mathpzc{X}\in\mathcal{S}(\mathcal{H})$ with $\Tr(\mathpzc{X})=1$ , which is a probabilistic mixture of pure states. A quantum state over $\mathcal{H}=\mathbb{C}^{2}$ is called qubit, which can be represented by the linear combination of the standard basis $\{\ket{0},\ket{1}\}$ . More generally, a quantum system over $(\mathbb{C}^{2})^{\otimes n}$ is called an $n$ -qubit quantum system for $n\in\mathbb{N}\setminus\{0\}$ .

A Hilbert space is divided into registers $\mathcal{H}=\mathcal{H}^{{\color[rgb]{.5,.5,.5}\definecolor[named]{pgfstrokecolor}{rgb}{.5,.5,.5}\pgfsys@color@gray@stroke{.5}\pgfsys@color@gray@fill{.5}{\mathsf{R}}}_{1}}\otimes\mathcal{H}^{{\color[rgb]{.5,.5,.5}\definecolor[named]{pgfstrokecolor}{rgb}{.5,.5,.5}\pgfsys@color@gray@stroke{.5}\pgfsys@color@gray@fill{.5}{\mathsf{R}}}_{2}}\otimes\cdots\otimes\mathcal{H}^{{\color[rgb]{.5,.5,.5}\definecolor[named]{pgfstrokecolor}{rgb}{.5,.5,.5}\pgfsys@color@gray@stroke{.5}\pgfsys@color@gray@fill{.5}{\mathsf{R}}}_{n}}$ . We sometimes write $\mathpzc{X}^{{\color[rgb]{.5,.5,.5}\definecolor[named]{pgfstrokecolor}{rgb}{.5,.5,.5}\pgfsys@color@gray@stroke{.5}\pgfsys@color@gray@fill{.5}{\mathsf{R}}}_{i}}$ to emphasize that the operator $\mathpzc{X}$ acts on register $\mathcal{H}^{{\color[rgb]{.5,.5,.5}\definecolor[named]{pgfstrokecolor}{rgb}{.5,.5,.5}\pgfsys@color@gray@stroke{.5}\pgfsys@color@gray@fill{.5}{\mathsf{R}}}_{i}}$ .⁸⁸8The superscript parts are gray colored. When we apply $\mathpzc{X}^{{\color[rgb]{.5,.5,.5}\definecolor[named]{pgfstrokecolor}{rgb}{.5,.5,.5}\pgfsys@color@gray@stroke{.5}\pgfsys@color@gray@fill{.5}{\mathsf{R}}}_{1}}$ to registers $\mathcal{H}^{{\color[rgb]{.5,.5,.5}\definecolor[named]{pgfstrokecolor}{rgb}{.5,.5,.5}\pgfsys@color@gray@stroke{.5}\pgfsys@color@gray@fill{.5}{\mathsf{R}}}_{1}}$ and $\mathcal{H}^{{\color[rgb]{.5,.5,.5}\definecolor[named]{pgfstrokecolor}{rgb}{.5,.5,.5}\pgfsys@color@gray@stroke{.5}\pgfsys@color@gray@fill{.5}{\mathsf{R}}}_{2}}$ , $\mathpzc{X}^{{\color[rgb]{.5,.5,.5}\definecolor[named]{pgfstrokecolor}{rgb}{.5,.5,.5}\pgfsys@color@gray@stroke{.5}\pgfsys@color@gray@fill{.5}{\mathsf{R}}}_{1}}$ is identified with $\mathpzc{X}^{{\color[rgb]{.5,.5,.5}\definecolor[named]{pgfstrokecolor}{rgb}{.5,.5,.5}\pgfsys@color@gray@stroke{.5}\pgfsys@color@gray@fill{.5}{\mathsf{R}}}_{1}}\otimes\boldsymbol{I}^{{\color[rgb]{.5,.5,.5}\definecolor[named]{pgfstrokecolor}{rgb}{.5,.5,.5}\pgfsys@color@gray@stroke{.5}\pgfsys@color@gray@fill{.5}{\mathsf{R}}}_{2}}$ .

A unitary operation is represented by a complex matrix $\boldsymbol{U}$ such that $\boldsymbol{U}\boldsymbol{U}^{\dagger}=\boldsymbol{I}$ . The operation $\boldsymbol{U}$ transforms $\ket{\psi}$ and $\mathpzc{X}$ into $\boldsymbol{U}\ket{\psi}$ and $\boldsymbol{U}\mathpzc{X}\boldsymbol{U}^{\dagger}$ , respectively. A projector $\boldsymbol{P}$ is a Hermitian operator ( $\boldsymbol{P}^{\dagger}=\boldsymbol{P}$ ) such that $\boldsymbol{P}^{2}=\boldsymbol{P}$ .

For a quantum state $\mathpzc{X}$ over two registers $\mathcal{H}^{{\color[rgb]{.5,.5,.5}\definecolor[named]{pgfstrokecolor}{rgb}{.5,.5,.5}\pgfsys@color@gray@stroke{.5}\pgfsys@color@gray@fill{.5}{\mathsf{R}}}_{1}}$ and $\mathcal{H}^{{\color[rgb]{.5,.5,.5}\definecolor[named]{pgfstrokecolor}{rgb}{.5,.5,.5}\pgfsys@color@gray@stroke{.5}\pgfsys@color@gray@fill{.5}{\mathsf{R}}}_{2}}$ , we denote the state in $\mathcal{H}^{{\color[rgb]{.5,.5,.5}\definecolor[named]{pgfstrokecolor}{rgb}{.5,.5,.5}\pgfsys@color@gray@stroke{.5}\pgfsys@color@gray@fill{.5}{\mathsf{R}}}_{1}}$ as $\mathpzc{X}[{\color[rgb]{.5,.5,.5}\definecolor[named]{pgfstrokecolor}{rgb}{.5,.5,.5}\pgfsys@color@gray@stroke{.5}\pgfsys@color@gray@fill{.5}{\mathsf{R}}}_{1}]$ , where $\mathpzc{X}[{\color[rgb]{.5,.5,.5}\definecolor[named]{pgfstrokecolor}{rgb}{.5,.5,.5}\pgfsys@color@gray@stroke{.5}\pgfsys@color@gray@fill{.5}{\mathsf{R}}}_{1}]=\Tr_{2}[\mathpzc{X}]$ is a partial trace of $\mathpzc{X}$ (trace out ${\color[rgb]{.5,.5,.5}\definecolor[named]{pgfstrokecolor}{rgb}{.5,.5,.5}\pgfsys@color@gray@stroke{.5}\pgfsys@color@gray@fill{.5}{\mathsf{R}}}_{2}$ ).

Given a function $F:X\rightarrow Y$ , a quantum-accessible oracle $O$ of $F$ is modeled by a unitary transformation $\boldsymbol{U}_{F}$ operating on two registers $\mathcal{H}^{{\color[rgb]{.5,.5,.5}\definecolor[named]{pgfstrokecolor}{rgb}{.5,.5,.5}\pgfsys@color@gray@stroke{.5}\pgfsys@color@gray@fill{.5}{\mathsf{in}}}}$ and $\mathcal{H}^{{\color[rgb]{.5,.5,.5}\definecolor[named]{pgfstrokecolor}{rgb}{.5,.5,.5}\pgfsys@color@gray@stroke{.5}\pgfsys@color@gray@fill{.5}{\mathsf{out}}}}$ , in which $\ket{x}\ket{y}$ is mapped to $\ket{x}\ket{y\oplus F(x)}$ , where $\oplus$ denotes XOR group operation on $Y$ . We write $\mathpzc{A}^{\ket{O}}$ to denote that the algorithm $\mathpzc{A}$ ’s oracle $O$ is a quantum-accessible oracle.

Definition 2.1 (Quantum Program with Classical Inputs and Outputs [ALL⁺21]).

A quantum program with classical inputs is a pair of quantum state $\mathpzc{q}$ and unitaries $\{\boldsymbol{U}_{x}\}_{x\in[N]}$ where $[N]$ is the domain, such that the state of the program evaluated on input $x$ is equal to $\boldsymbol{U}_{x}\mathpzc{q}\boldsymbol{U}_{x}^{\dagger}$ . We measure the first register of $\boldsymbol{U}_{x}\mathpzc{q}\boldsymbol{U}_{x}^{\dagger}$ to obtain an output. We say that $\{\boldsymbol{U}_{x}\}_{x\in[N]}$ has a compact classical description $\boldsymbol{U}$ when applying $\boldsymbol{U}_{x}$ can be efficiently computed given $\boldsymbol{U}$ and $x$ .

Definition 2.2 (Positive Operator-Valued Measure).

Let $\mathcal{I}$ be a finite index set. A positive operator valued measure (POVM) $\mathcal{M}$ is a collection $\{\boldsymbol{M}_{i}\}_{i\in\mathcal{I}}$ of Hermitian positive semi-define matrices $\boldsymbol{M}_{i}$ such that $\sum_{i\in\mathcal{I}}\boldsymbol{M}_{i}=\boldsymbol{I}$ . When we apply POVM $\mathcal{M}$ to a quantum state $\mathpzc{X}$ , the measurement outcome is $i$ with probability $p_{i}=\Tr(\mathpzc{X}\boldsymbol{M}_{i})$ . We denote by $\mathcal{M}(\ket{\psi})$ the distribution obtained by applying $\mathcal{M}$ to $\ket{\psi}$ .

Definition 2.3 (Quantum Measurement).

A quantum measurement $\mathcal{E}$ is a collection $\{\boldsymbol{E}_{i}\}_{i\in\mathcal{I}}$ of matrices $\boldsymbol{E}_{i}$ such that $\sum_{i\in\mathcal{I}}\boldsymbol{E}_{i}^{\dagger}\boldsymbol{E}_{i}=\boldsymbol{I}$ . When we apply $\mathcal{E}$ to a quantum state $\mathpzc{X}$ , the measurement outcome is $i$ with probability $p_{i}=\Tr(\mathpzc{X}\boldsymbol{E}_{i}^{\dagger}\boldsymbol{E}_{i})$ . Conditioned on the outcome being $i$ , the post-measurement state is $\boldsymbol{E}_{i}\mathpzc{X}\boldsymbol{E}_{i}^{\dagger}/p_{i}$ .

We can construct a POVM $\mathcal{M}$ from any quantum measurement $\mathcal{E}$ by setting $\boldsymbol{M}_{i}\coloneqq\boldsymbol{E}_{i}^{\dagger}\boldsymbol{E}_{i}$ . We say that $\mathcal{E}$ is an implementation of $\mathcal{M}$ . The implementation of a POVM may not be unique.

Definition 2.4 (Projective Measurement/POVM).

A quantum measurement $\mathcal{E}=\{\boldsymbol{E}_{i}\}_{i\in\mathcal{I}}$ is projective if for all $i\in\mathcal{I}$ , $\boldsymbol{E}_{i}$ is a projector. This implies that $\boldsymbol{E}_{i}\boldsymbol{E}_{j}=\boldsymbol{0}$ for distinct $i,j\in\mathcal{I}$ . In particular, two-outcome projective measurement is called a binary projective measurement, and is written as $\mathcal{E}=(\boldsymbol{P},\boldsymbol{I}-\boldsymbol{P})$ , where $\boldsymbol{P}$ is associated with the outcome $1$ , and $\boldsymbol{I}-\boldsymbol{P}$ with the outcome $0$ . Similarly, a POVM $\mathcal{M}$ is projective if for all $i\in\mathcal{I}$ , $\boldsymbol{M}_{i}$ is a projector. This also implies that $\boldsymbol{M}_{i}\boldsymbol{M}_{j}=\boldsymbol{0}$ for distinct $i,j\in\mathcal{I}$ .

Definition 2.5 (Controlled Projection).

Let $\mathcal{P}=\{\mathcal{M}_{i}\}_{i\in\mathcal{I}}$ be a collection of projective measurement over a Hilbert space $\mathcal{H}$ , where $\mathcal{M}_{i}=(\Pi_{i},\boldsymbol{I}-\Pi_{i})$ for $i\in\mathcal{I}$ . Let $D$ be a distribution whose randomness space is $\mathcal{R}$ . The controlled projection $\mathsf{CProj}_{\mathcal{P},D}=(\mathsf{CProj}_{\mathcal{P},D}^{1},\mathsf{CProj}_{\mathcal{P},D}^{0})$ is defined as follows.⁹⁹9We use superscript $b$ to denote that it is associated with the outcome $b$ here.

\displaystyle\mathsf{CProj}_{\mathcal{P},D}^{1}

\displaystyle\coloneqq\sum_{r\in\mathcal{R}}\ket{r}\bra{r}\otimes\Pi_{D(r)},

\displaystyle\mathsf{CProj}_{\mathcal{P},D}^{0}\coloneqq\sum_{r\in\mathcal{R}}\ket{r}\bra{r}\otimes(\boldsymbol{I}-\Pi_{D(r)})

(1)

2.2 Measurement Implementation

Definition 2.6 (Projective Implementation).

Let:

•

$\mathcal{P}=(\boldsymbol{P},\boldsymbol{I}-\boldsymbol{P})$ be a binary outcome POVM
•

$D$ be a finite set of distributions over outcomes $\{0,1\}$
•

$\mathcal{E}=\{\boldsymbol{E}_{D}\}_{D\in\mathcal{D}}$ be a projective measurement with index set $\mathcal{D}$ .

We define the following measurement.

1.

Measure under the projective measurement $\mathcal{E}$ and obtain a distribution $D$ over $\{0,1\}$ .
2.

Output a bit sampled from the distribution $D$ .

We say this measurement is a projective implementation of $\mathcal{P}$ , denoted by $\mathsf{ProjImp}(\mathcal{P})$ if it is equivalent to $\mathcal{P}$ .

Theorem 2.7 ([Zha20, Lemma 1]).

Any binary outcome POVM $\mathcal{P}=(\boldsymbol{P},\boldsymbol{I}-\boldsymbol{P})$ has a projective implementation $\mathsf{ProjImp}(\mathcal{P})$ .

Definition 2.8 (Shift Distance).

For two distributions $D_{0},D_{1}$ , the shift distance with parameter $\epsilon$ , denoted by $\Delta_{\mathsf{Shift}}^{\epsilon}(D_{0},D_{1})$ , is the smallest quantity $\delta$ such that for all $x\in\mathbb{R}$ :

	$\displaystyle\Pr[D_{0}\leq x]$	$\displaystyle\leq\Pr[D_{1}\leq x+\epsilon]+\delta,$	$\displaystyle\Pr[D_{0}\geq x]\leq\Pr[D_{1}\geq x-\epsilon]+\delta,$		(2)
	$\displaystyle\Pr[D_{1}\leq x]$	$\displaystyle\leq\Pr[D_{0}\leq x+\epsilon]+\delta,$	$\displaystyle\Pr[D_{1}\geq x]\leq\Pr[D_{0}\geq x-\epsilon]+\delta.$		(3)

For two real-valued measurements $\mathcal{M}$ and $\mathcal{N}$ over the same quantum system, the shift distance between $\mathcal{M}$ and $\mathcal{N}$ with parameter $\epsilon$ is

\Delta_{\mathsf{Shift}}^{\epsilon}(\mathcal{M},\mathcal{N})\coloneqq\sup_{\ket{\psi}}\Delta_{\mathsf{Shift}}^{\epsilon}(\mathcal{M}(\ket{\psi}),\mathcal{N}(\ket{\psi})).

Definition 2.9 ( $(\epsilon,\delta)$ -Almost Projective [Zha20]).

A real-valued quantum measurement $\mathcal{M}=\{\boldsymbol{M}_{i}\}_{i\in\mathcal{I}}$ is $(\epsilon,\delta)$ -almost projective if the following holds. For any quantum state $\ket{\psi}$ , we apply $\mathcal{M}$ twice in a row to $\ket{\psi}$ and obtain measurement outcomes $x$ and $y$ , respectively. Then, $\Pr[\absolutevalue{x-y}\leq\epsilon]\geq 1-\delta$ .

Theorem 2.10 ([Zha20, Theorem 2]).

Let $D$ be any probability distribution and $\mathcal{P}$ be a collection of projective measurements. For any $0<\epsilon,\delta<1$ , there exists an algorithm of measurement $\mathpzc{API}_{\mathcal{P},\mathcal{D}}^{\epsilon,\delta}$ that satisfies the following.

•

$\Delta_{\mathsf{Shift}}^{\epsilon}(\mathpzc{API}_{\mathcal{P},D}^{\epsilon,\delta},\mathsf{ProjImp}(\mathcal{P}_{D}))\leq\delta$ .
•

$\mathpzc{API}_{\mathcal{P},D}^{\epsilon,\delta}$ is $(\epsilon,\delta)$ -almost projective.
•

The expected running time of $\mathpzc{API}_{\mathcal{P},D}^{\epsilon,\delta}$ is $T_{\mathcal{P},D}\cdot{\mathrm{poly}}(1/\epsilon,\log(1/\delta))$ where $T_{\mathcal{P},D}$ is the combined running time of $D$ , the procedure mapping $i\rightarrow(\boldsymbol{P}_{i},\boldsymbol{I}-\boldsymbol{P}_{i})$ , and the running time of measurement $(\boldsymbol{P}_{i},\boldsymbol{I}-\boldsymbol{P}_{i})$ .

Theorem 2.11 ([Zha20, Corollary 1]).

Let $\mathpzc{q}$ be an efficiently constructible, potentially mixed state, and $D_{0},D_{1}$ efficiently sampleable distributions. If $D_{0}$ and $D_{1}$ are computationally indistinguishable, for any inverse polynomial $\epsilon$ and any function $\delta$ , we have $\Delta_{\mathsf{Shift}}^{3\epsilon}(\mathpzc{API}_{\mathcal{P},D_{0}}^{\epsilon,\delta},\mathpzc{API}_{\mathcal{P},D_{1}}^{\epsilon,\delta})\leq 2\delta+{\mathsf{negl}}(\lambda)$ .

Note that the indistinguishability of $D_{0}$ and $D_{1}$ needs to hold against distinguishers who can construct $\mathpzc{q}$ in the theorem above. However, this fact is not explicitly stated in [Zha20]. We need to care about this condition if we need secret information to construct $\mathpzc{q}$ , and the secret information is also needed to sample an output from $D_{0}$ or $D_{1}$ . We handle such a situation when analyzing the unremovability of our privately extractable watermarking PRF. In that situation, we need a secret extraction key to construct $\mathpzc{q}$ and sample an output from $D_{0}$ and $D_{1}$ .

We also define the notion of the reverse almost projective property of API.

Definition 2.12 ( $(\epsilon,\delta)$ -Reverse Almost Projective).

Let $\mathcal{P}=\{(\Pi_{i},\boldsymbol{I}-\Pi_{i})\}_{i}$ be a collection of binary outcome projective measurements. Let $D$ be a distribution. We also let $\mathcal{P}^{\mathtt{rev}}=\{(\boldsymbol{I}-\Pi_{i},\Pi_{i})\}_{i}$ . We say $\mathpzc{API}$ is $(\epsilon,\delta)$ -reverse almost projective if the following holds. For any quantum state $\ket{\psi}$ , we apply $\mathpzc{API}_{\mathcal{P},D}^{\epsilon,\delta}$ and $\mathpzc{API}_{\mathcal{P}^{\mathtt{rev}},D}^{\epsilon,\delta}$ in a row to $\ket{\psi}$ and obtain measurement outcomes $x$ and $y$ , respectively. Then, $\Pr[\absolutevalue{(1-x)-y}\leq\epsilon]\geq 1-\delta$ .

We show that the measurement algorithm $\mathpzc{API}_{\mathcal{P},D}^{\epsilon,\delta}$ in Theorem 2.10 also satisfies Definition 2.12. First, we describe the detail of $\mathpzc{API}_{\mathcal{P},D}^{\epsilon,\delta}$ in Figure 1. $\mathpzc{API}$ uses an ancilla register $\mathcal{H}^{{\color[rgb]{.5,.5,.5}\definecolor[named]{pgfstrokecolor}{rgb}{.5,.5,.5}\pgfsys@color@gray@stroke{.5}\pgfsys@color@gray@fill{.5}{\mathsf{R}}}}$ besides the original Hilbert space $\mathcal{H}^{{\color[rgb]{.5,.5,.5}\definecolor[named]{pgfstrokecolor}{rgb}{.5,.5,.5}\pgfsys@color@gray@stroke{.5}\pgfsys@color@gray@fill{.5}{\mathsf{H}}}}$ . Let $\mathcal{R}$ be the randomness space of distribution $D$ . We define $\mathsf{IsU_{\mathcal{R}}}\coloneqq(\ket{\mathds{1}_{\mathcal{R}}}\bra{\mathds{1}_{\mathcal{R}}},\boldsymbol{I}-\ket{\mathds{1}_{\mathcal{R}}}\bra{\mathds{1}_{\mathcal{R}}})$ where

\ket{\mathds{1}_{\mathcal{R}}}\coloneqq\frac{1}{\sqrt{\absolutevalue{\mathcal{R}}}}\sum_{r\in\mathcal{R}}\ket{r}.

Algorithm $\mathpzc{API}_{\mathcal{P},D}^{\epsilon,\delta}$ Parameter: Collection of projective measurement $\mathcal{P}$ , distribution $D$ , real values $\epsilon,\delta$ . Input: A quantum state $\ket{\psi}$ . 1. Initialize a state $\ket{\mathds{1}_{\mathcal{R}}}\ket{\psi}$ . 2. Initialize a classical list $L\coloneqq(1)$ . 3. Repeat the following $T\coloneqq\left\lceil{\frac{\ln{4/\delta}}{\epsilon^{2}}}\right\rceil$ . (a) Apply $\mathsf{CProj}_{\mathcal{P},D}$ to register $\mathcal{H}^{{\color[rgb]{.5,.5,.5}\definecolor[named]{pgfstrokecolor}{rgb}{.5,.5,.5}\pgfsys@color@gray@stroke{.5}\pgfsys@color@gray@fill{.5}{\mathsf{R}}}}\otimes\mathcal{H}^{{\color[rgb]{.5,.5,.5}\definecolor[named]{pgfstrokecolor}{rgb}{.5,.5,.5}\pgfsys@color@gray@stroke{.5}\pgfsys@color@gray@fill{.5}{\mathsf{H}}}}$ . Let $b_{2i-1}$ be the measurement outcome and set $L\coloneqq(L,b_{2i-1})$ . (b) Apply $\mathsf{IsU_{\mathcal{R}}}$ to register $\mathcal{H}^{{\color[rgb]{.5,.5,.5}\definecolor[named]{pgfstrokecolor}{rgb}{.5,.5,.5}\pgfsys@color@gray@stroke{.5}\pgfsys@color@gray@fill{.5}{\mathsf{R}}}}$ . Let $b_{2i}$ be the measurement outcome and set $L\coloneqq(L,b_{2i})$ . 4. Let $t$ be the number of index $i$ such that $b_{i-1}=b_{i}$ in the list $L=(0,b_{1},\ldots,b_{2T})$ , and $\widetilde{p}\coloneqq t/2T$ . 5. If $b_{2T}=0$ , repeat the loop again until $b_{2i}=1$ . 6. Discard $\mathcal{H}^{{\color[rgb]{.5,.5,.5}\definecolor[named]{pgfstrokecolor}{rgb}{.5,.5,.5}\pgfsys@color@gray@stroke{.5}\pgfsys@color@gray@fill{.5}{\mathsf{R}}}}$ register, and output $\widetilde{p}$ .

Figure 1: The description of

\mathpzc{API}

We use the following lemma to analyze $\mathpzc{API}_{\mathcal{P},D}^{\epsilon,\delta}$ .

Lemma 2.13 ([Jor75]).

For any two Hermitian projectors $\Pi_{v}$ and $\Pi_{w}$ on a Hilbelt space $\mathcal{H}$ , there exists an orthogonal decomposition of $\mathcal{H}$ into one-dimensional and two-dimensional subspaces (the Jordan subspaces) that are invariant under both $\Pi_{v}$ and $\Pi_{w}$ . Moreover:

•

in each one-dimensional space, $\Pi_{v}$ and $\Pi_{w}$ act as identity or rank-zero projectors; and
•

in each two-dimensional subspace $S_{j}$ , $\Pi_{v}$ and $\Pi_{w}$ are rank-one projectors: there exists $\ket{v_{j}},\ket{w_{j}}\in S_{j}$ such that $\Pi_{v}$ projects onto $\ket{v_{j}}$ and $\Pi_{w}$ projects onto $\ket{w_{j}}$ .

For each two-dimensional subspace $S_{j}$ , we call $p_{j}\coloneqq\absolutevalue{\bra{v_{j}}\ket{w_{j}}}^{2}$ the eigenvalue of the $j$ -th subspace. It is easy to see that $\ket{v_{j}}$ is an eigenvector of the Hermitian matrix $\Pi_{v}\Pi_{w}\Pi_{v}$ with eigenvalue $p_{j}$ .

As previous works observed [MW05, Reg, CMSZ21], we obtain the following by Lemma 2.13. There exists orthogonal vectors $\ket{v_{j}},\ket{v_{j}^{\perp}}$ that span $S_{j}$ , such that $\Pi_{v}\ket{v_{j}}=\ket{v_{j}}$ and $\Pi_{v}\ket{v_{j}^{\perp}}=0$ . Similarly, $\Pi_{w}\ket{w_{j}}=\ket{w_{j}}$ and $\Pi_{w}\ket{w_{j}^{\perp}}=0$ . By setting appropriate phases, we have

	$\displaystyle\ket{w_{j}}$	$\displaystyle=\sqrt{p_{j}}\ket{v_{j}}+\sqrt{1-p_{j}}\ket{v_{j}^{\perp}},$	$\displaystyle\ket{w_{j}^{\perp}}$	$\displaystyle=\sqrt{1-p_{j}}\ket{v_{j}}-\sqrt{p_{j}}\ket{v_{j}^{\perp}},$		(4)
	$\displaystyle\ket{v_{j}}$	$\displaystyle=\sqrt{p_{j}}\ket{w_{j}}+\sqrt{1-p_{j}}\ket{w_{j}^{\perp}},$	$\displaystyle\ket{v_{j}^{\perp}}$	$\displaystyle=\sqrt{1-p_{j}}\ket{w_{j}}-\sqrt{p_{j}}\ket{w_{j}^{\perp}},$		(5)

where $\ket{v_{j}^{\perp}},\ket{w_{j}^{\perp}}\in S_{j}$ such that $\bra{v_{j}}\ket{v_{j}^{\perp}}=\bra{w_{j}}\ket{w_{j}^{\perp}}=0$ . We also have

\displaystyle\Pi_{v}\ket{w_{j}}

\displaystyle=\sqrt{p_{j}}\ket{v_{j}},

\displaystyle\Pi_{w}\ket{v_{j}}=\sqrt{p_{j}}\ket{w_{j}}.

(6)

Figure 2: Solid lines denote that the measurement outcome is

1

. Dashed line denote that the measurement outcome is

0

. Double lines denote we apply

\mathsf{CProj}_{\mathcal{P},D}=(\mathsf{CProj}_{\mathcal{P},D}^{1},\mathsf{CProj}_{\mathcal{P},D}^{0})

. Single lines denote we apply

\mathsf{IsU_{\mathcal{R}}}=(\ket{\mathds{1}_{\mathcal{R}}}\bra{\mathds{1}_{\mathcal{R}}},\boldsymbol{I}-\ket{\mathds{1}_{\mathcal{R}}}\bra{\mathds{1}_{\mathcal{R}}})

Figure 3: Solid lines denote that the measurement outcome is

1

. Dashed line denote that the measurement outcome is

0

. Double lines denote we apply

\mathsf{CProj}_{\mathcal{P},D}^{\mathtt{rev}}=(\mathsf{CProj}_{\mathcal{P}^{\mathtt{rev}},D}^{1},\mathsf{CProj}_{\mathcal{P}^{\mathtt{rev}},D}^{0})=(\mathsf{CProj}_{\mathcal{P},D}^{0},\mathsf{CProj}_{\mathcal{P},D}^{1})

. Single lines denote we apply

\mathsf{IsU_{\mathcal{R}}}=(\ket{\mathds{1}_{\mathcal{R}}}\bra{\mathds{1}_{\mathcal{R}}},\boldsymbol{I}-\ket{\mathds{1}_{\mathcal{R}}}\bra{\mathds{1}_{\mathcal{R}}})

Theorem 2.14.

$\mathpzc{API}_{\mathcal{P},D}^{\epsilon,\delta}$ in Figure 1 is $(\epsilon,\delta)$ -reverse almost projective.

Proof of Theorem 2.14.

To analyze $\mathpzc{API}_{\mathcal{P},D}^{\epsilon,\delta}$ , we set $\Pi_{w}\coloneqq\mathsf{CProj}_{\mathcal{P},D}^{1}$ , $\Pi_{v}\coloneqq\ket{\mathds{1}_{\mathcal{R}}}\bra{\mathds{1}_{\mathcal{R}}}\otimes\boldsymbol{I}$ , and apply Lemma 2.13. Then, we have the following relationships:

$\displaystyle\mathsf{CProj}_{\mathcal{P},D}^{1}\ket{v_{j}}$	$\displaystyle=\sqrt{p_{j}}\ket{w_{j}},$	$\displaystyle(\ket{\mathds{1}_{\mathcal{R}}}\bra{\mathds{1}_{\mathcal{R}}})\ket{w_{j}}$	$\displaystyle=\sqrt{p_{j}}\ket{v_{j}}$		(7)
$\displaystyle\mathsf{CProj}_{\mathcal{P},D}^{0}\ket{v_{j}}$	$\displaystyle=\sqrt{1-p_{j}}\ket{w_{j}^{\perp}},$	$\displaystyle(\boldsymbol{I}-\ket{\mathds{1}_{\mathcal{R}}}\bra{\mathds{1}_{\mathcal{R}}})\ket{w_{j}}$	$\displaystyle=\sqrt{1-p_{j}}\ket{v_{j}^{\perp}}$		(8)
$\displaystyle\mathsf{CProj}_{\mathcal{P},D}^{1}\ket{v_{j}^{\perp}}$	$\displaystyle=\sqrt{1-p_{j}}\ket{w_{j}},$	$\displaystyle(\ket{\mathds{1}_{\mathcal{R}}}\bra{\mathds{1}_{\mathcal{R}}})\ket{w_{j}^{\perp}}$	$\displaystyle=\sqrt{1-p_{j}}\ket{v_{j}}$		(9)
$\displaystyle\mathsf{CProj}_{\mathcal{P},D}^{0}\ket{v_{j}^{\perp}}$	$\displaystyle=-\sqrt{p_{j}}\ket{w_{j}^{\perp}},$	$\displaystyle(\boldsymbol{I}-\ket{\mathds{1}_{\mathcal{R}}}\bra{\mathds{1}_{\mathcal{R}}})\ket{w_{j}^{\perp}}$	$\displaystyle=-\sqrt{p_{j}}\ket{v_{j}^{\perp}}$	,	(10)

where $\ket{w_{j}}$ and $\ket{v_{j}}$ are decompositions of $\Pi_{w}$ and $\Pi_{v}$ , and $p_{j}=\absolutevalue{\bra{v_{j}}\ket{w_{j}}}^{2}$ .

Suppose we apply $\mathpzc{API}_{\mathcal{P},D}^{\epsilon,\delta}$ to a $\ket{\psi}$ on $\mathcal{H}^{{\color[rgb]{.5,.5,.5}\definecolor[named]{pgfstrokecolor}{rgb}{.5,.5,.5}\pgfsys@color@gray@stroke{.5}\pgfsys@color@gray@fill{.5}{\mathsf{H}}}}$ . We can write the initial state in Figure 1 as $\ket{\mathds{1}_{\mathcal{R}}}\ket{\psi}=\sum_{j}\alpha_{j}\ket{v_{j}}+\alpha_{j}^{\perp}\ket{v_{j}^{\perp}}$ since $\{\ket{v_{j}},\ket{v_{j}^{\perp}}\}_{j}$ is a basis. We also have that $\ket{\mathds{1}_{\mathcal{R}}}\bra{\mathds{1}_{\mathcal{R}}}^{{\color[rgb]{.5,.5,.5}\definecolor[named]{pgfstrokecolor}{rgb}{.5,.5,.5}\pgfsys@color@gray@stroke{.5}\pgfsys@color@gray@fill{.5}{\mathsf{R}}}}\otimes\boldsymbol{I}=\sum_{j}\ket{v_{j}}\bra{v_{j}}$ since $\Pi_{v}$ projects onto $\ket{v_{j}}$ in each decomposed subspace $S_{j}$ . It is easy to see that $(\ket{\mathds{1}_{\mathcal{R}}}\bra{\mathds{1}_{\mathcal{R}}}\otimes\boldsymbol{I})\ket{\mathds{1}_{\mathcal{R}}}\ket{\psi}=\ket{\mathds{1}_{\mathcal{R}}}\ket{\psi}$ . Thus, for all $j$ , $\alpha_{j}^{\perp}=0$ . Therefore, for any $\ket{\psi}$ , we can write $\ket{\mathds{1}_{\mathcal{R}}}\ket{\psi}=\sum_{j}\alpha_{j}\ket{v_{j}}$ . As we see in Figure 1, when we run $\mathpzc{API}_{\mathcal{P},D}^{\epsilon,\delta}(\ket{\psi})$ , the initial state is $\ket{\mathds{1}_{\mathcal{R}}}\ket{\psi}=\sum_{j}\alpha_{j}\ket{v_{j}}$ and we apply $\mathsf{CProj}_{\mathcal{P},D}$ and $\mathsf{IsU_{\mathcal{R}}}$ alternately. Therefore, the quantum state $\ket{v_{j}}$ in each decomposed subspace $S_{j}$ changes as in Figure 2 when we run $\mathpzc{API}_{\mathcal{P},D}^{\epsilon,\delta}(\ket{\psi})$ .

Next, suppose we apply $\mathpzc{API}_{\mathcal{P}^{\mathtt{rev}},D}^{\epsilon,\delta}$ to the quantum state immediately after applying $\mathpzc{API}_{\mathcal{P},D}^{\epsilon,\delta}$ to $\ket{\psi}$ . $\mathpzc{API}_{\mathcal{P},D}^{\epsilon,\delta}$ ensures that the final measurement is $\mathsf{IsU_{\mathcal{R}}}$ and its result is $1$ . This means that the state going into the main loop of $\mathpzc{API}_{\mathcal{P}^{\mathtt{rev}},D}^{\epsilon,\delta}$ (the third item in Figure 1) is identical to the state before $\mathcal{H}^{{\color[rgb]{.5,.5,.5}\definecolor[named]{pgfstrokecolor}{rgb}{.5,.5,.5}\pgfsys@color@gray@stroke{.5}\pgfsys@color@gray@fill{.5}{\mathsf{R}}}}$ is discarded at the application of $\mathpzc{API}_{\mathcal{P},D}^{\epsilon,\delta}$ to $\ket{\psi}$ . By the definition of $\mathcal{P}^{\mathtt{rev}}$ , we have $\mathsf{CProj}_{\mathcal{P},D}^{b}=\mathsf{CProj}_{\mathcal{P}^{\mathtt{rev}},D}^{1-b}$ for $b\in\{0,1\}$ . Thus, the quantum state $\ket{v_{j}}$ in each decomposed subspace $S_{j}$ changes as in Figure 3 when we apply $\mathpzc{API}_{\mathcal{P}^{\mathtt{rev}},D}^{\epsilon,\delta}$ .

From the above discussions, we can view a successive execution of $\mathpzc{API}_{\mathcal{P},D}^{\epsilon,\delta}$ and $\mathpzc{API}_{\mathcal{P}^{\mathtt{rev}},D}^{\epsilon,\delta}$ to $\ket{\psi}$ as the following single experiment.

•

Sample $p_{j}$ from $\{p_{j}\}_{j}$ with the probability $\alpha_{j}^{2}$ .
•

Flip $2T$ biased random coins whose probability of outputting $1$ is $p_{j}$ .
•

Flip an even number of additional random coins until $0$ is found.
•

Flip $2T$ biased random coins whose probability of outputting $1$ is $1-p_{j}$ .
•

Let $K$ be the overall list of coin flips.

Let $\widetilde{p}_{x}$ and $\widetilde{p}_{y}$ be the outcome of $\mathpzc{API}_{\mathcal{P},D}^{\epsilon,\delta}$ and $\mathpzc{API}_{\mathcal{P}^{\mathtt{rev}},D}^{\epsilon,\delta}$ , respectively. $\widetilde{p}_{x}$ is the fraction of $1$ ’s in the first $2T$ bits of $K$ . Also, $\widetilde{p}_{y}$ is the fraction of $1$ ’s in the last $2T$ bits of $K$ . Then, we have

	$\displaystyle\Pr[\absolutevalue{\widetilde{p}_{x}-p_{j}}\geq\epsilon/2]$	$\displaystyle\leq\delta/2$		(11)
	$\displaystyle\Pr[\absolutevalue{\widetilde{p}_{y}-(1-p_{j})}\geq\epsilon/2]$	$\displaystyle\leq\delta/2.$		(12)

It is easy to see that Equation 12 is equivalent to $\Pr[\absolutevalue{(1-\widetilde{p}_{y})-p_{j}}\geq\epsilon/2]\leq\delta/2$ due to $\absolutevalue{a}=\absolutevalue{-a}$ . Therefore, by combining it with Equation 11, we obtain

\displaystyle\Pr[\absolutevalue{\widetilde{p}_{x}-(1-\widetilde{p}_{y})}\geq\epsilon]

\displaystyle\leq\delta.

(13)

This completes the proof.

2.3 Cryptographic Tools

Definition 2.15 (Learning with Errors).

Let $n,m,q\in\mathbb{N}$ be integer functions of the security parameter $\lambda$ . Let $\chi=\chi(\lambda)$ be an error distribution over $\mathbb{Z}$ . The LWE problem $\textrm{LWE}_{n,m,q,\chi}$ is to distinguish the following two distributions.

D_{0}\coloneqq\{(\boldsymbol{A},\boldsymbol{s}^{\intercal}\boldsymbol{A}+\boldsymbol{e})\mid\boldsymbol{A}\leftarrow\mathbb{Z}_{q}^{n\times m},\boldsymbol{s}\leftarrow\mathbb{Z}_{q}^{n},\boldsymbol{e}\leftarrow\chi^{m}\}\text{ and }D_{1}\coloneqq\{(\boldsymbol{A},\boldsymbol{u})\mid\boldsymbol{A}\leftarrow\mathbb{Z}_{q}^{n\times m},\boldsymbol{u}\leftarrow\mathbb{Z}_{q}^{m}\}.

When we say we assume the quantum hardness of the LWE problem or the QLWE assumption holds, we assume that for any QPT adversary $\mathpzc{A}$ , it holds that

\absolutevalue{\Pr[\mathpzc{A}(D_{0})=1]-\Pr[\mathpzc{A}(D_{1})=1]}\leq{\mathsf{negl}}(\lambda).

Definition 2.16 (Pseudorandom Generator).

A pseudorandom generator (PRG) $\mathsf{PRG}:\{0,1\}^{\lambda}\rightarrow\{0,1\}^{\lambda+\ell(\lambda)}$ with stretch $\ell(\lambda)$ ( $\ell$ is some polynomial function) is a polynomial-time computable function that satisfies the following. For any QPT adversary $\mathpzc{A}$ , it holds that

\absolutevalue{\Pr[\mathpzc{A}(\mathsf{PRG}(s))=1\mid s\leftarrow\mathcal{U}_{\lambda}]-\Pr[\mathpzc{A}(r)\mid r\leftarrow\mathcal{U}_{\lambda+\ell(\lambda)}]}\leq{\mathsf{negl}}(\lambda),

where $\mathcal{U}_{m}$ denotes the uniform distribution over $\{0,1\}^{m}$ .

Theorem 2.17 ([HILL99]).

If there exists a OWF, there exists a PRG.

Definition 2.18 (Quantum-Accessible Pseudo-Random Function).

Let $\{\mathsf{PRF}_{K}:\{0,1\}^{\ell_{1}}\rightarrow\allowbreak\{0,1\}^{\ell_{2}}\mid K\in\{0,1\}^{\lambda}\}$ be a family of polynomially computable functions, where $\ell_{1}$ and $\ell_{2}$ are some polynomials of $\lambda$ . We say that $\mathsf{PRF}$ is a quantum-accessible pseudo-random function (QPRF) family if for any QPT adversary $\mathpzc{A}$ , it holds that

\displaystyle\mathsf{Adv}_{\mathpzc{A}}^{\mathsf{prf}}(\lambda)=\absolutevalue{\Pr[\mathpzc{A}^{\ket{\mathsf{PRF}_{K}(\cdot)}}(1^{\lambda})=1\mid K\leftarrow\{0,1\}^{\lambda}]-\Pr[\mathpzc{A}^{\ket{\mathsf{R}(\cdot)}}(1^{\lambda})=1\mid\mathsf{R}\leftarrow\mathcal{U}]}\leq{\mathsf{negl}}(\lambda),

(14)

where $\mathcal{U}$ is the set of all functions from $\{0,1\}^{\ell_{1}}$ to $\{0,1\}^{\ell_{2}}$ .

Theorem 2.19 ([Zha12a]).

If there exists a OWF, there exists a QPRF.

Definition 2.20 (Puncturable PRF).

A puncturable PRF (PPRF) is a tuple of algorithms $\mathsf{PPRF}=(\mathsf{PRF}.\mathsf{Gen},\mathsf{F},\mathsf{Puncture})$ where $\{\mathsf{F}_{K}:\{0,1\}^{\ell_{1}}\rightarrow\{0,1\}^{\ell_{2}}\mid K\in\{0,1\}^{\lambda}\}$ is a PRF family and satisfies the following two conditions. Note that $\ell_{1}$ and $\ell_{2}$ are polynomials of $\lambda$ .

Punctured correctness:

For any polynomial-size set $S\subseteq\{0,1\}^{\ell_{1}}$ and any $x\in\{0,1\}^{\ell_{1}}\setminus S$ , it holds that

\displaystyle\Pr[\mathsf{F}_{K}(x)=\mathsf{F}_{K_{\notin S}}(x)\mid K\leftarrow\mathsf{PRF}.\mathsf{Gen}(1^{\lambda}),K_{\notin S}\leftarrow\mathsf{Puncture}(K,S)]=1.

(15)

Pseudorandom at punctured point:

For any polynomial-size set $S\subseteq\{0,1\}^{\ell_{1}}$ and any QPT distinguisher $\mathpzc{A}$ , it holds that

\displaystyle|\Pr[\mathpzc{A}(\mathsf{F}_{K_{\notin S}},\{\mathsf{F}_{K}(x_{i})\}_{x_{i}\in S})=1]-\Pr[\mathpzc{A}(\mathsf{F}_{K_{\notin S}},(\mathcal{U}_{\ell_{2}})^{\absolutevalue{S}})=1]|\leq{\mathsf{negl}}(\lambda),

(16)

where $K\leftarrow\mathsf{PRF}.\mathsf{Gen}(1^{\lambda})$ , $K_{\notin S}\leftarrow\mathsf{Puncture}(K,S)$ and $\mathcal{U}_{\ell_{2}}$ denotes the uniform distribution over $\{0,1\}^{\ell_{2}}$ .

If $S=\{x^{\ast}\}$ (i.e., puncturing a single point), we simply write $\mathsf{F}_{\neq x^{\ast}}(\cdot)$ instead of $\mathsf{F}_{K_{\notin S}}(\cdot)$ .

It is easy to see that the Goldwasser-Goldreich-Micali tree-based construction of PRFs (GGM PRF) [GGM86] from one-way function yield puncturable PRFs where the size of the punctured key grows polynomially with the size of the set $S$ being punctured [BW13, BGI14, KPTZ13]. Thus, we have:

Theorem 2.21 ([GGM86, BW13, BGI14, KPTZ13]).

If OWFs exist, then for any polynomials $\ell_{1}(\lambda)$ and $\ell_{2}(\lambda)$ , there exists a PPRF that maps $\ell_{1}$ -bits to $\ell_{2}$ -bits.

Definition 2.22 (SKE).

An SKE scheme with plaintext space $\mathcal{P}=\{\mathcal{P}_{\lambda}\}_{\lambda\in\mathbb{N}}$ and ciphertext space $\mathcal{C}=\{\mathcal{C}_{\lambda}\}_{\lambda\in\mathbb{N}}$ , where $\mathcal{C}_{\lambda}\subseteq\{0,1\}^{{\ell_{\mathsf{ct}}}}$ for some ${\ell_{\mathsf{ct}}}={\ell_{\mathsf{ct}}}(\lambda)$ , is a tuple of three algorithms.

$\mathsf{Gen}(1^{\lambda})\rightarrow k$ :

The key generation algorithm takes as input the security parameter $\lambda$ , and outputs an encryption key $k$ .

$\mathsf{Enc}(k,m)\rightarrow\mathsf{ct}$ :

The encryption algorithm takes as input $k$ and a plaintext $m\in\mathcal{P}_{\lambda}$ , and outputs a ciphertext $\mathsf{ct}\in\mathcal{C}_{\lambda}$ .

$\mathsf{Dec}(k,\mathsf{ct})\rightarrow m^{\prime}$ :

The decryption algorithm takes as input $k$ and $\mathsf{ct}\in\mathcal{C}_{\lambda}$ , and outputs a plaintext $m^{\prime}\in\mathcal{P}_{\lambda}\cup\{\bot\}$ .

Correctness:

An SKE scheme is correct if for all $\lambda\in\mathbb{N}$ and $m\in\mathcal{P}_{\lambda}$ ,

\Pr[\mathsf{Dec}(k,\mathsf{ct})=m\mid k\leftarrow\mathsf{Gen}(1^{\lambda},1^{\kappa}),\mathsf{ct}\leftarrow\mathsf{Enc}(k,m)]=1.

Sparseness:

In this work, we also require that most strings are not valid ciphertexts under a randomly generated key of an SKE scheme:

\displaystyle\Pr\left[\mathsf{Dec}(k,c)\neq\bot~{}\left|~{}k\leftarrow\mathsf{Gen}(1^{\lambda}),c\leftarrow\{0,1\}^{{\ell_{\mathsf{ct}}}}\right.\right]\leq{\mathsf{negl}}(\lambda).

(17)

Definition 2.23 (Ciphertext Pseudorandomness for SKE).

An SKE scheme satisfies ciphertext pseudorandomness if for any (stateful) QPT $\mathpzc{A}$ , it holds that

2\absolutevalue{\Pr\left[\mathpzc{A}^{\mathsf{Enc}(k,\cdot)}(\mathsf{ct}_{b})=b\ \middle|\begin{array}[]{rl}&1^{\kappa}\leftarrow\mathpzc{A}(1^{\lambda}),k\leftarrow\mathsf{Gen}(1^{\lambda},1^{\kappa}),\\ &m\leftarrow\mathpzc{A}^{\mathsf{Enc}(k,\cdot)},b\leftarrow\{0,1\},\\ &\mathsf{ct}_{0}\leftarrow\mathsf{Enc}(k,m),\mathsf{ct}_{1}\leftarrow\{0,1\}^{{\ell_{\mathsf{ct}}}}\end{array}\right]-\frac{1}{2}}\leq{\mathsf{negl}}(\lambda).

Theorem 2.24.

If OWFs exist, there exists an SKE scheme with sparseness and ciphertext pseudorandomness.

The well-known PRF-based SKE satisfies ciphertext pseudorandomness. However, we need padding for sparseness. That is, a ciphertext is $(r,\mathsf{PRF}_{k}(r)\oplus 0^{\ell-\ell_{\mu}}\|m)$ where $r\in\{0,1\}^{n}$ is randomness of encryption, $k$ is a PRF key, $\mathsf{PRF}:\{0,1\}^{n}\rightarrow\{0,1\}^{\ell}$ is a PRF, and $\absolutevalue{m}=\ell_{\mu}$ . We check that the first $\ell-\ell_{\mu}$ bits of $m^{\prime}=\mathsf{Dec}(k,(c_{1},c_{2}))$ equals to $0^{\ell-\ell_{\mu}}$ . If $\ell$ is sufficiently long, the scheme has sparseness.

Definition 2.25 (Constrained PRF (Syntax)).

A constrained PRF (CPRF) with domain $\mathsf{Dom}$ , range $\mathsf{Ran}$ , and constraint family $\mathcal{F}=\{\mathcal{F}_{\lambda,\kappa}\}_{\lambda,\kappa\in\mathbb{N}}$ where $\mathcal{F}_{\lambda,\kappa}=\{f\colon\mathsf{Dom}\rightarrow\{0,1\}\}$ is a tuple of four algorithms.

$\mathsf{Setup}(1^{\lambda},1^{\kappa})\rightarrow\mathsf{msk}$ :: The setup algorithm takes as input the security parameter $\lambda$ and a constraint-family parameter $\kappa$ , and outputs a master PRF key $\mathsf{msk}$ .
$\mathsf{Constrain}(\mathsf{msk},f)\rightarrow\mathsf{sk}_{f}$ :: The constrain algorithm takes as input $\lambda$ and a constraint $f\in\mathcal{F}_{\lambda,\kappa}$ , and outputs a constrained key $\mathsf{sk}_{f}$ .
$\mathsf{Eval}(\mathsf{msk},x)\rightarrow y$ :: The evaluation algorithm takes as input $\mathsf{msk}$ and an input $x\in\mathsf{Dom}$ , and outputs a value $y\in\mathsf{Ran}$ .
$\mathsf{CEval}(\mathsf{sk}_{f},x)\rightarrow y$ :: The constrained evaluation algorithm takes as input $\mathsf{sk}_{f}$ and $x\in\mathsf{Dom}$ , and outputs a value $y\in\mathsf{Ran}$ .

Definition 2.26 (Security for CPRF).

A private CPRF should satisfy correctness, pseudorandomness, and privacy.

Correctness:

A CPRF is correct if for any (stateful) QPT adversary $\mathpzc{A}$ , it holds that

\Pr\left[\begin{array}[]{rl}&\mathsf{Eval}(\mathsf{msk},x)\neq\mathsf{CEval}(\mathsf{sk}_{f},x)\\ &\land\ x\in\mathsf{Dom}\land f(x)=0\end{array}\ \middle|\begin{array}[]{rl}&(1^{\kappa},f)\leftarrow\mathpzc{A}(1^{\lambda}),\\ &\mathsf{msk}\leftarrow\mathsf{Setup}(1^{\lambda},1^{\kappa}),\\ &\mathsf{sk}_{f}\leftarrow\mathsf{Constrain}(\mathsf{msk},f),\\ &x\leftarrow\mathpzc{A}^{\mathsf{Eval}(\mathsf{msk},\cdot)}(\mathsf{sk}_{f})\end{array}\right]\leq{\mathsf{negl}}(\lambda).

Selective single-key pseudorandomness:

A CPRF is selectively single-key pseudorandom if for any (stateful) QPT adversary $\mathpzc{A}$ , it hods that

2\absolutevalue{\Pr\left[\begin{array}[]{rl}&\mathpzc{A}^{\mathsf{Eval}(\mathsf{msk},\cdot)}(y_{b})=b\\ &\land\ x\notin\mathcal{Q}_{e}\\ &\land f(x)\neq 0\end{array}\ \middle|\begin{array}[]{rl}&(1^{\kappa},f)\leftarrow\mathpzc{A}(1^{\lambda}),\\ &\mathsf{msk}\leftarrow\mathsf{Setup}(1^{\lambda},1^{\kappa}),\\ &sk_{f}\leftarrow\mathsf{Constrain}(\mathsf{msk},f)\\ &x\leftarrow\mathpzc{A}^{\mathsf{Eval}(\mathsf{msk},\cdot)}(\mathsf{sk}_{f})\\ &y_{0}\coloneqq\mathsf{Eval}(\mathsf{msk},x),y_{1}\leftarrow\mathsf{Ran},\\ &b\leftarrow\{0,1\}\end{array}\right]-\frac{1}{2}}\leq{\mathsf{negl}}(\lambda),

where $\mathcal{Q}_{e}$ is the sets of queries to $\mathsf{Eval}(\mathsf{msk},\cdot)$ .

Selective single-key privacy:

A CPRF is selectively single-key private if for any (stateful) QPT adversary $\mathpzc{A}$ , there exists a stateful PPT simulator $\mathsf{Sim}=(\mathsf{Sim}_{1},\mathsf{Sim}_{2})$ that satisfying that

2\absolutevalue{\Pr\left[\mathpzc{A}^{\mathcal{O}_{b}(\cdot)}(\mathsf{sk}_{b})=b\ \middle|\begin{array}[]{rl}&(1^{\kappa},f)\leftarrow\mathpzc{A}(1^{\lambda}),\\ &\mathsf{msk}\leftarrow\mathsf{Setup}(1^{\lambda},1^{\kappa}),b\leftarrow\{0,1\},\\ &\mathsf{sk}_{0}\leftarrow\mathsf{Constrain}(\mathsf{msk},f),\\ &(\mathsf{st}_{\mathsf{Sim}},\mathsf{sk}_{1})\leftarrow\mathsf{Sim}_{1}(1^{\kappa},1^{\lambda})\end{array}\right]-\frac{1}{2}}\leq{\mathsf{negl}}(\lambda),

where $\mathcal{O}_{0}(\cdot)\coloneqq\mathsf{Eval}(\mathsf{msk},\cdot)$ and $\mathcal{O}_{1}(\cdot)\coloneqq\mathsf{Sim}_{2}(\mathsf{st}_{\mathsf{Sim}},\cdot,f(\cdot))$ .

We say that a CPRF is a selectively single-key private CPRF if it satisfies correctness, selective single-key pseudorandomness, and selective single-key privacy.

Theorem 2.27 ([BTVW17, PS18]).

If the QLWE assumption holds, there exists a selectively signle-key private CPRF for polynomial-size classical circuits.

Definition 2.28 (PKE).

A PKE with plaintext space $\mathcal{P}=\{\mathcal{P}_{\lambda}\}_{\lambda\in\mathbb{N}}$ , ciphertext space $\mathcal{C}=\{\mathcal{C}_{\lambda}\}_{\lambda\in\mathbb{N}}$ is a tuple of three algorithms.

$\mathsf{Gen}(1^{\lambda})\rightarrow(\mathsf{pk},\mathsf{sk})$ :

The key generation algorithm takes as input the security parameter $\lambda$ and outputs a key pair $(\mathsf{pk},\mathsf{sk})$ .

$\mathsf{Enc}(\mathsf{pk},m)\rightarrow\mathsf{ct}$ :

The encryption algorithm takes as input $\mathsf{pk}$ , a plaintext $m\in\mathcal{P}$ , and outputs a ciphertext $\mathsf{ct}\in\mathcal{C}$ .

$\mathsf{Dec}(\mathsf{sk},\mathsf{ct})\rightarrow m^{\prime}/\bot$ :

The decryption algorithm takes as input $\mathsf{sk}$ and $\mathsf{ct}\in\mathcal{C}$ , and outputs a plaintext $m^{\prime}\in\mathcal{P}$ or $\bot$ .

Correctness:

A PKE scheme is correct if for all $\lambda\in\mathbb{N}$ and $m\in\mathcal{P}_{\lambda}$ , it holds that

\Pr[\mathsf{Dec}(\mathsf{sk},\mathsf{ct})=m\mid(\mathsf{pk},\mathsf{sk})\leftarrow\mathsf{Gen}(1^{\lambda}),\mathsf{ct}\leftarrow\mathsf{Enc}(\mathsf{pk},m)]=1.

Definition 2.29 (CCA Security for PKE).

A PKE scheme is CCA secure if for any (stateful) QPT adversary $\mathpzc{A}$ , it holds that

2\absolutevalue{\Pr\left[\begin{array}[]{rl}&b^{\ast}=b\\ \land&\mathsf{ct}_{b}\notin\mathcal{Q}\end{array}\ \middle|\begin{array}[]{rl}&(\mathsf{pk},\mathsf{sk})\leftarrow\mathsf{Gen}(1^{\lambda}),\\ &(m_{0},m_{1})\leftarrow\mathpzc{A}^{\mathsf{Dec}(\mathsf{sk},\cdot)}(1^{\lambda},\mathsf{pk}),\\ &b\leftarrow\{0,1\},\mathsf{ct}_{b}\leftarrow\mathsf{Enc}(\mathsf{pk},m_{b}),\\ &b^{\prime}\leftarrow\mathpzc{A}^{\mathsf{Dec}(\mathsf{sk},\cdot)}(1^{\lambda},\mathsf{ct}_{b})\end{array}\right]-\frac{1}{2}}\leq{\mathsf{negl}}(\lambda),

where $\mathcal{Q}$ is the set of queries to $\mathsf{Dec}(\mathsf{sk},\cdot)$ after $\mathpzc{A}$ is given $\mathsf{ct}_{b}$ .

Theorem 2.30 ([Pei09]).

If the QLWE assumption holds, there exists a PKE scheme that satisfies CCA security.

Definition 2.31 (Indistinguishability Obfuscator [BGI⁺12]).

A PPT algorithm $i\mathcal{O}$ is a secure IO for a classical circuit class $\{\mathcal{C}_{\lambda}\}_{\lambda\in\mathbb{N}}$ if it satisfies the following two conditions.

Functionality:

For any security parameter $\lambda\in\mathbb{N}$ , circuit $C\in\mathcal{C}_{\lambda}$ , and input $x$ , we have that

\displaystyle\Pr[C^{\prime}(x)=C(x)\mid C^{\prime}\leftarrow i\mathcal{O}(C)]=1\enspace.

(18)

Indistinguishability:

For any PPT $\mathsf{Samp}$ and QPT distinguisher $\mathpzc{D}$ , the following holds:

If $\Pr[\forall x,\ C_{0}(x)=C_{1}(x)\mid(C_{0},C_{1},\mathsf{aux})\leftarrow\mathsf{Samp}(1^{\lambda})]>1-{\mathsf{negl}}(\lambda)$ , then we have

	$\displaystyle\mathsf{Adv}_{i\mathcal{O},\mathpzc{D}}^{\mathsf{io}}(\lambda)$	$\displaystyle\coloneqq\left\|\Pr\left[\mathpzc{D}(i\mathcal{O}(C_{0}),\mathsf{aux})=1\mid(C_{0},C_{1},\mathsf{aux})\leftarrow\mathsf{Samp}(1^{\lambda})\right]\right.$		(19)
		$\displaystyle~{}~{}~{}~{}~{}~{}~{}\left.-\Pr\left[\mathpzc{D}(i\mathcal{O}(C_{1}),\mathsf{aux})=1\mid(C_{0},C_{1},\mathsf{aux})\leftarrow\mathsf{Samp}(1^{\lambda})\right]\right\|\leq{\mathsf{negl}}(\lambda).$		(20)

There are a few candidates of secure IO for polynomial-size classical circuits against quantum adversaries [BGMZ18, CHVW19, AP20, DQV⁺21]. In some candidates [WW21, GP21], the assumptions behind the constructions were found to be false [HJL21].

3 Definition of Quantum Watermarking

We introduce definitions for watermarking PRFs against quantum adversaries in this section.

3.1 Syntax and Pseudorandomness

Definition 3.1 (Watermarking PRF).

A watermarking PRF $\mathsf{WMPRF}$ for the message space $\mathcal{M}\coloneqq\{0,1\}^{{\ell_{\mathsf{m}}}}$ with domain $\mathsf{Dom}$ and range $\mathsf{Ran}$ is a tuple of five algorithms $(\mathsf{Setup},\mathsf{Gen},\mathsf{Eval},\mathsf{Mark},\mathpzc{Extract})$ .

$\mathsf{Setup}(1^{\lambda})\rightarrow(\mathsf{pp},\mathsf{xk})$ :: The setup algorithm takes as input the security parameter and outputs a public parameter $\mathsf{pp}$ and an extraction key $\mathsf{xk}$ .
$\mathsf{Gen}(\mathsf{pp})\rightarrow(\mathsf{prfk},\tau)$ :: The key generation algorithm takes as input the public parameter $\mathsf{pp}$ and outputs a PRF key $\mathsf{prfk}$ and a public tag $\tau$ .
$\mathsf{Eval}(\mathsf{prfk},x)\rightarrow y$ :: The evaluation algorithm takes as input a PRF key $\mathsf{prfk}$ and an input $x\in\mathsf{Dom}$ and outputs $y\in\mathsf{Ran}$ .
$\mathsf{Mark}(\mathsf{pp},\mathsf{prfk},\mathsf{m})\rightarrow\widetilde{C}$ :: The mark algorithm takes as input the public parameter $\mathsf{pp}$ , a PRF key $\mathsf{prfk}$ , and a message $\mathsf{m}\in\{0,1\}^{\ell_{\mathsf{m}}}$ , and outputs a marked evaluation circuit $\widetilde{C}$ .
$\mathpzc{Extract}(\mathsf{xk},\tau,\mathpzc{C}^{\prime},\epsilon)\rightarrow\mathsf{m}^{\prime}$ :: The extraction algorithm takes as input an extraction key $\mathsf{xk}$ , a tag $\tau$ , a quantum circuit with classical inputs and outputs $\mathpzc{C}^{\prime}=(\mathpzc{q},\boldsymbol{U})$ , and a parameter $\epsilon$ , and outputs $\mathsf{m}^{\prime}$ where $\mathsf{m}^{\prime}\in\{0,1\}^{\ell_{\mathsf{m}}}\cup\{\mathsf{unmarked}\}$ .

Evaluation Correctness:

For any message $\mathsf{m}\in\{0,1\}^{\ell_{\mathsf{m}}}$ , it holds that

\Pr\left[\widetilde{C}(x)=\mathsf{Eval}(\mathsf{prfk},x)~{}\left|~{}\begin{array}[]{c}(\mathsf{pp},\mathsf{xk})\leftarrow\mathsf{Setup}(1^{\lambda})\\ (\mathsf{prfk},\tau)\leftarrow\mathsf{Gen}(\mathsf{pp})\\ \widetilde{C}\leftarrow\mathsf{Mark}(\mathsf{pp},\mathsf{prfk},\mathsf{m})\\ x\leftarrow\mathsf{Dom}\end{array}\right.\right]\geq 1-{\mathsf{negl}}(\lambda).

Remark 3.2 (On extraction correctness).

Usually, a watermarking PRF scheme is required to satisfy extraction correctness that ensures that we can correctly extract the embedded mark from an honestly marked circuit. However, as observed by Quach et al. [QWZ18], if we require the extraction correctness to hold for a randomly chosen PRF key, it is implied by unremovability defined below. Note that the unremovability defined below considers a distinguisher as a pirate circuit. However, it implies the extraction correctness since we can easily transform an honestly marked circuit into a successful distinguisher. Thus, we do not explicitly require a watermarking PRF scheme to satisfy extraction correctness in this work.

Remark 3.3 (On public marking).

We consider only watermarking PRFs with public marking as in Definition 3.1 since we can achieve public marking by default. The reason is as follows. Suppose that we generate $\mathsf{pp}$ , $\mathsf{xk}$ , and a marking key $\mathsf{mk}$ at the setup. When we generate a PRF key and a public tag at $\mathsf{Gen}$ , we can first generate $(\mathsf{pp}^{\prime},\mathsf{xk}^{\prime},\mathsf{mk}^{\prime})\leftarrow\mathsf{Setup}(1^{\lambda})$ from scratch (ignoring the original $(\mathsf{pp},\mathsf{xk},\mathsf{mk})$ ) and set a PRF key $\widehat{\mathsf{prfk}}\coloneqq(\mathsf{prfk}^{\prime},\mathsf{mk}^{\prime})$ and a public tag $\widehat{\tau}\coloneqq(\mathsf{pp}^{\prime},\mathsf{xk}^{\prime},\tau^{\prime})$ where $(\mathsf{prfk}^{\prime},\tau^{\prime})\leftarrow\mathsf{Gen}(\mathsf{pp}^{\prime})$ . That is, anyone can generate a marked circuit from $\widehat{\mathsf{prfk}}=(\mathsf{prfk}^{\prime},\mathsf{mk}^{\prime})$ by $\mathsf{Mark}(\mathsf{mk}^{\prime},\mathsf{prfk}^{\prime},\mathsf{m})$ . Therefore, we consider public marking by default in our model.

Remark 3.4 (On private marking).

We might prefer private marking in some settings since we might want to prevent adversaries from forging a watermarked PRF. We can convert watermarking PRFs in Definition 3.1 into ones with private marking by using signatures. Below, we assume that a PRF key $\mathsf{prfk}$ includes its public tag $\tau$ since it does not harm security. At the setup phase, we also generate a signature key pair $(\mathsf{vk},\mathsf{sk})\leftarrow\mathsf{SIG}.\mathsf{Gen}(1^{\lambda})$ and set a mark key $\mathsf{mk}^{\prime}\coloneqq(\mathsf{vk},\mathsf{sk})$ and an extraction key $\mathsf{xk}^{\prime}\coloneqq(\mathsf{xk},\mathsf{vk})$ . To embed a message $\mathsf{m}$ into $\mathsf{prfk}$ , we generate a signature $\sigma\leftarrow\mathsf{SIG}.\mathsf{Sign}(\mathsf{sk},\tau\|\mathsf{m})$ and generate $\widetilde{C}\leftarrow\mathsf{Mark}(\mathsf{pp},\mathsf{prfk},\mathsf{m}\|\sigma)$ . To extract a message, we run $\mathsf{m}^{\prime}\leftarrow\mathpzc{Extract}(\mathsf{xk},\tau,\mathpzc{C}^{\prime},\epsilon)$ , parse $\mathsf{m}^{\prime}=\mathsf{m}\|\sigma$ , and run $\mathsf{SIG}.\mathsf{Vrfy}(\mathsf{vk},\tau\|\mathsf{m},\sigma)$ . If the verification result is $\top$ , we output $\mathsf{m}$ . This conversion is the same as what Goyal et al. [GKM⁺19] proposed. Adversaries cannot forge a signature for $\tau^{\ast}\|\mathsf{m}^{\ast}\neq\tau\|\mathsf{m}$ by the unforgeability of $\mathsf{SIG}$ . Intuitively, if an adversary can forge a watermarked PRF whose functionality is different from those of watermarked PRFs given from a mark oracle, $\tau^{\ast}\neq\tau$ should hold since public tags are related to PRF keys. This breaks the unforgeability of $\mathsf{SIG}$ . Thus, we expect that adversaries cannot break the unforgeability of watermarking. However, we do not formally define watermarking unforgeability against quantum adversaries since it is not a scope of this work. We leave it as future work.

Discussion on syntax.

Definition 3.1 is a natural quantum variant of classical watermarking PRFs except that the key generation algorithm outputs a public tag $\tau$ , and the extraction algorithm uses it. Such a public tag is not used in previous works on watermarking PRFs [CHN⁺18, KW21, QWZ18, KW19, YAL⁺19]. A public tag should not harm watermarking PRF security. We justify using $\tau$ as follows.

First, we need to obtain many pairs of input and output to extract an embedded message from a marked PRF in almost all known (classical) watermarking constructions [CHN⁺18, BLW17, KW21, QWZ18, KW19, YAL⁺19, GKM⁺19, Nis20]. This is because we must check whether a tested PRF circuit outputs particular values for particular inputs which depends on the target PRF (such particular inputs are known as marked points). Suppose marked points are fixed and do not depend on a PRF that will be marked. In that case, an adversary can easily remove an embedded message by destroying functionalities at the fixed marked points that could be revealed via a (non-target) marked PRF that an adversary generated. Recall that we consider the public marking setting. The attack was already observed by Cohen et al. [CHN⁺18].

Second, we consider a stronger adversary model than that in most previous works as the definition of traceable PRFs by Goyal et al. [GKWW21]. An adversary outputs a distinguisher-based pirate circuit in our security definition rather than a pirate circuit that computes an entire output of a PRF. This is a refined and realistic model, as Goyal et al. [GKWW21] argued (and we explain in Section 1.4). In this model, we cannot obtain a valid input-output pair from a pirate circuit anymore. Such a pair is typical information related to a target PRF. Goyal et al. resolve this issue by introducing a tracing key that is generated from a target PRF. Note that parameters of watermarking ( $\mathsf{pp}$ and $\mathsf{xk}$ ) should not be generated from a PRF since we consider many different PRF keys in the watermarking PRF setting.

Thus, if we would like to achieve an extraction algorithm and the stronger security notion simultaneously, an extraction algorithm should somehow take information related to a target PRF as input to correctly extract an embedded message. In the weaker adversary model, an extraction algorithm can easily obtain many valid input and output pairs by running a tested circuit many times. However, in the stronger distinguisher-based pirate circuit model, a pirate circuit outputs a single decision bit.

To resolve this issue, we introduce public tags. We think it is natural to have information related to the original PRF key in an extraction algorithm. In reality, we check a circuit when a user claims that her/his PRF key (PRF evaluation circuit) is illegally used. Thus, it is natural to expect we can use a user’s public tag for extraction. This setting resembles watermarking for public-key cryptographic primitives, where a user public key is available in an extraction algorithm. In addition, public tags do not harm PRF security in our constructions. It is unclear whether we can achieve unremovability in the stronger distinguisher-based model without any syntax change (even in the classical setting). ¹⁰¹⁰10Even if we consider the weaker adversary model, the same issue appears in the quantum setting in the end. If we run a quantum circuit for an input and measure the output, the measurement could irreversibly alter the quantum state and we lost the functionality of the original quantum state. That is, there is no guarantee that we can correctly check whether a tested quantum circuit is marked or not after we obtain a single valid pair of input and output by running the circuit. However, as we explained above, we want to obtain information related to a target PRF for extraction. Thus, we need a public tag in the syntax in either case.

Extended pseudorandomness.

We consider extended weak pseudorandomness, where weak pseudorandomness holds even if the adversary generates $\mathsf{pp}$ . This notion is the counterpart of extended pseudorandomness by Quach et al. [QWZ18], where pseudorandomness holds in the presence of the extraction oracle. However, our pseudorandomness holds even against an authority unlike extended pseudorandomness by Quach et al. since we allow adversaries to generate a public parameter.

Definition 3.5 (Extended Weak Pseudorandomness against Authority).

To define extended weak pseudorandomness for watermarking PRFs, we define the game $\mathsf{Exp}_{\mathpzc{A},\mathsf{WMPRF}}^{\mathsf{ext}\mbox{-}\mathsf{wprf}}(\lambda)$ as follows.

1.

$\mathpzc{A}$ first sends $\mathsf{pp}$ to the challenger.
2.

The challenger generates $(\mathsf{prfk},\tau)\leftarrow\mathsf{Gen}(\mathsf{pp})$ and sends $\tau$ to $\mathpzc{A}$ .
3.
The challenger chooses $\mathsf{coin}\leftarrow\{0,1\}$ . $\mathpzc{A}$ can access to the following oracles.
$O_{\mathtt{wprf}}$ :

When this is invoked (no input), it returns $(a,b)$ where $a\leftarrow\mathsf{Dom}$ and $b\coloneqq\mathsf{Eval}(\mathsf{prfk},a)$ .

$O_{\mathtt{chall}}$ :
When this is invoked (no input), it returns:

•

$(a,b)$ where $a\leftarrow\mathsf{Dom}$ and $b\coloneqq\mathsf{Eval}(\mathsf{prfk},a)$ if $\mathsf{coin}=0$ ,

•

$(a,b)$ where $a\leftarrow\mathsf{Dom}$ and $b\leftarrow\mathsf{Ran}$ if $\mathsf{coin}=1$ .

This oracle is invoked only once.
4.

When $\mathpzc{A}$ terminates with output $\mathsf{coin}^{\prime}$ , the challenger outputs $1$ if $\mathsf{coin}=\mathsf{coin}^{\prime}$ and $0$ otherwise.

We say that $\mathsf{WMPRF}$ is extended weak pseudorandom if for every QPT $\mathpzc{A}$ , we have

\displaystyle\mathsf{Adv}_{\mathpzc{A},\mathsf{WMPRF}}^{\mathsf{ext}\mbox{-}\mathsf{wprf}}(\lambda)=2\absolutevalue{\Pr[\mathsf{Exp}_{\mathpzc{A},\mathsf{WMPRF}}^{\mathsf{ext}\mbox{-}\mathsf{wprf}}(\lambda)=1]-\frac{1}{2}}={\mathsf{negl}}(\lambda).

(21)

3.2 Unremovability against Quantum Adversaries

We define unremovability for watermarking PRFs against quantum adversaries.

Definition 3.6 (Unremovability for private extraction).

We consider the public marking and secret extraction setting here. Let $\epsilon\geq 0$ . We define the game $\mathsf{Expt}_{\mathpzc{A},\mathsf{WMPRF}}^{\mathsf{nrmv}}(\lambda,\epsilon)$ as follows.

1.

The challenger generates $(\mathsf{pp},\mathsf{xk})\leftarrow\mathsf{Setup}(1^{\lambda})$ and gives $\mathsf{pp}$ to the adversary $\mathpzc{A}$ . $\mathpzc{A}$ send $\mathsf{m}\in\{0,1\}^{\ell_{\mathsf{m}}}$ to the challenger. The challenger generates $(\mathsf{prfk},\tau)\leftarrow\mathsf{Gen}(\mathsf{pp})$ , computes $\widetilde{C}\leftarrow\mathsf{Mark}(\mathsf{pp},\mathsf{prfk},\mathsf{m})$ , and sends $\tau$ and $\widetilde{C}$ to $\mathpzc{A}$ .
2.

$\mathpzc{A}$ can access to the following oracle.

$O_{\mathtt{ext}}$ :

On input $\tau^{\prime}$ and a quantum circuit $\mathpzc{C}$ , it returns $\mathpzc{Extract}(\mathsf{xk},\mathpzc{C},\tau^{\prime},\epsilon)$ .
3.

Finally, the adversary outputs a “pirate” quantum circuit $\mathpzc{C}_{\text{\char 65\relax}}=(\mathpzc{q},\boldsymbol{U})$ , where $\mathpzc{C}_{\text{\char 65\relax}}$ is a quantum program with classical inputs and outputs whose first register (i.e., output register) is $\mathbb{C}^{2}$ and $\boldsymbol{U}$ is a compact classical description of $\{\boldsymbol{U}_{x,y}\}_{x\in\mathsf{Dom},y\in\mathsf{Ran}}$ .

Let $D$ be the following distribution.

$D$ :: Generate $b\leftarrow\{0,1\}$ , $x\leftarrow\mathsf{Dom}$ , and $y_{0}\leftarrow\mathsf{Ran}$ . Compute $y_{1}\leftarrow\mathsf{Eval}(\mathsf{prfk},x)$ . Output $(b,x,y_{b})$ .

We also let $\mathcal{P}=(\boldsymbol{P}_{b,x,y},\boldsymbol{Q}_{b,x,y})_{b,x,y}$ be a collection of binary outcome projective measurements, where

\displaystyle\boldsymbol{P}_{b,x,y}=\boldsymbol{U}_{x,y}^{\dagger}\ket{b}\bra{b}\boldsymbol{U}_{x,y}\textrm{~{}~{}~{}~{}and~{}~{}~{}~{}}\boldsymbol{Q}_{b,x,y}=\boldsymbol{I}-\boldsymbol{P}_{b,x,y}.

(22)

Moreover, we let $\mathcal{M}_{D}=(\boldsymbol{P}_{D},\boldsymbol{Q}_{D})$ be binary outcome POVMs, where

\displaystyle\boldsymbol{P}_{D}=\sum_{r\in\mathcal{R}}\frac{1}{\absolutevalue{\mathcal{R}}}\boldsymbol{P}_{D(r)}\textrm{~{}~{}~{}~{}and~{}~{}~{}~{}}\boldsymbol{Q}_{D}=\boldsymbol{I}-\boldsymbol{P}_{D}.

(23)

$\mathsf{Live}$ :: When applying the measurement $\mathsf{ProjImp}(\mathcal{M}_{D})$ to $\mathpzc{q}$ , we obtain a value $p$ such that $p\geq\frac{1}{2}+\epsilon$ .
$\mathsf{GoodExt}$ :: When Computing $\mathsf{m}^{\prime}\leftarrow\mathpzc{Extract}(\mathsf{xk},\mathpzc{C}_{\text{\char 65\relax}},\tau,\epsilon)$ , it holds that $\mathsf{m}^{\prime}\neq\mathsf{unmarked}$ .
$\mathsf{BadExt}$ :: When Computing $\mathsf{m}^{\prime}\leftarrow\mathpzc{Extract}(\mathsf{xk},\mathpzc{C}_{\text{\char 65\relax}},\tau,\epsilon)$ , it holds that $\mathsf{m}^{\prime}\notin\{\mathsf{m},\mathsf{unmarked}\}$ .

We say that $\mathsf{WMPRF}$ satisfies unremovability if for every $\epsilon>0$ and QPT $\mathpzc{A}$ , we have

\displaystyle\Pr[\mathsf{BadExt}]\leq{\mathsf{negl}}(\lambda)\textrm{~{}~{}~{}~{}and~{}~{}~{}~{}}\Pr[\mathsf{GoodExt}]\geq\Pr[\mathsf{Live}]-{\mathsf{negl}}(\lambda).

(24)

Intuitively, $(\boldsymbol{P}_{b,x,y},\boldsymbol{Q}_{b,x,y})$ is a projective measurement that feeds $(x,y)$ to $\mathpzc{C}_{\text{\char 65\relax}}$ and checks whether the outcome is $b$ or not (and then uncomputes). Then, $\mathcal{M}_{D}$ can be seen as POVMs that results in $0$ with the probability that $\mathpzc{C}_{\text{\char 65\relax}}$ can correctly guess $b$ from $(x,y_{b})$ for $(b,x,y_{b})$ generated randomly from $D$ .

Remark 3.7 (On attack model).

We check whether $\mathpzc{C}_{\text{\char 65\relax}}$ correctly distinguishes a real PRF value from a random value or not by applying $\mathsf{ProjImp}(\mathcal{M}_{D})$ to $\mathpzc{q}$ . This attack model follows the refined and more realistic attack model by Goyal et al. [GKWW21]. The adversary outputs a pirate circuit that computes an entire PRF value in all previous works except their work.

The distinguisher-based pirate circuit model is compatible with the (quantum) pirate decoder model of traitor tracing. Thus, our attack model also follows the attack model of quantum traitor tracing (the black box projection model) by Zhandry [Zha20, Section 4.2].¹¹¹¹11In the watermarking setting, an extraction algorithm can take the description of a pirate circuit as input (corresponding to the software decoder model [Zha20, Section 4.2]), unlike the black-box tracing model of traitor tracing. However, we use a pirate circuit in the black box way for our extraction algorithms. Thus, we follow the black box projection model by Zhandry [Zha20].

As in the traitor tracing setting [Zha20], $\mathsf{ProjImp}(\mathcal{M}_{D})$ is inefficient in general. We can handle this issue as Zhandry did. We will use an approximate version of $\mathsf{ProjImp}(\mathcal{M}_{D})$ to achieve an efficient reduction. In addition, we cannot apply both $\mathsf{ProjImp}(\mathcal{M}_{D})$ and $\mathpzc{Extract}$ to $\mathpzc{C}_{\text{\char 65\relax}}$ simultaneously. However, the condition $\Pr[\mathsf{GoodExt}]\geq\Pr[\mathsf{Live}]-{\mathsf{negl}}(\lambda)$ claims that an embedded mark cannot be removed as long as the pirate circuit is alive. This fits the spirit of watermarking. See Zhandry’s paper [Zha20, Section 4] for more discussion on the models.

Remark 3.8 (On selective message).

As we see in Definition 3.6, we consider the selective setting for private extraction case, where $\mathpzc{A}$ must send the target message $\mathsf{m}$ to the challenger before $\mathpzc{A}$ accesses to the oracle $O_{\mathtt{ext}}$ and after $\mathsf{pp}$ is given. This is the same setting as that by Quach et al. [QWZ18]. We can consider the fully adaptive setting, where $\mathpzc{A}$ can send the target message $\mathsf{m}$ after it accesses to the oracle $O_{\mathtt{ext}}$ , as Kim and Wu [KW19]. However, our privately extractable watermarking PRF satisfies only selective security. Thus, we write only the selective variant for the private extraction case.

Definition 3.9 (Unremovability for Public Extraction).

This is the same as Definition 3.6 except we use the game $\mathsf{Exp}_{\mathpzc{A},\mathsf{WMPRF}}^{\mathsf{pub}\mbox{-}\mathsf{ext}\mbox{-}\mathsf{nrmv}}(\lambda,\epsilon)$ defined in the same way as $\mathsf{Expt}_{\mathpzc{A},\mathsf{WMPRF}}^{\mathsf{nrmv}}(\lambda,\epsilon)$ except the following differences.

•

In item 1, $\mathpzc{A}$ is given $\mathsf{xk}$ together with $\mathsf{pp}$ .
•

Item 2 is removed.

4 Definition of Extraction-Less Watermarking

We introduce the notion of extraction-less watermarking PRF as an intermediate primitive towards watermarking PRFs secure against quantum adversaries.

4.1 Syntax and Pseudorandomness

Definition 4.1 (Extraction-Less Watermarking PRF).

An extraction-less watermarking PRF $\mathsf{WMPRF}$ for the message space $\{0,1\}^{\ell_{\mathsf{m}}}$ with domain $\mathsf{Dom}$ and range $\mathsf{Ran}$ is a tuple of five algorithms $(\mathsf{Setup},\mathsf{Gen},\mathsf{Eval},\mathsf{Mark},\mathsf{Sim})$ , where the first four algorithms have the same input/output behavior as those defined in Definition 3.1 and $\mathsf{Sim}$ has the following input/output behavior.

$\mathsf{Sim}(\mathsf{xk},\tau,i)\rightarrow(\gamma,x,y)$ :: The simulation algorithm $\mathsf{Sim}$ takes as input the extraction key $\mathsf{xk}$ , a tag $\tau$ , and an index $i$ , and outputs a tuple $(\gamma,x,y)$ .

Evaluation Correctness:: It is defined in exactly the same way as the evaluation correctness for watermarking PRF defined in Definition 3.1.

Extended pseudorandomness.

Extended pseudorandomness for extraction-less watermarking PRF is defined in exactly the same way as that for watermarking PRF, that is Definition 3.5.

4.2 Simulatability for Mark-Dependent Distributions (SIM-MDD Security)

We introduce the security notion for extraction-less watermarking PRF that we call simulatability for mark-dependent distributions. Let $D$ and $D^{\mathtt{rev}}$ be the following distributions.

$D$ :: Generate $b\leftarrow\{0,1\}$ , $x\leftarrow\mathsf{Dom}$ , and $y_{0}\leftarrow\mathsf{Ran}$ . Compute $y_{1}\leftarrow\mathsf{Eval}(\mathsf{prfk},x)$ . Output $(b,x,y_{b})$ .
$D^{\mathtt{rev}}$ :: Generate $(b,x,y)\leftarrow D$ . Output $(1\oplus b,x,y)$ .

Namely, $D$ is the distribution that outputs a random value if the first bit $b=0$ and a PRF evaluation if the first bit $b=1$ , and $D^{\mathtt{rev}}$ is its opposite (i.e., a PRF evaluation if $b=0$ and a random value if $b=1$ ). SIM-MDD security is a security notion that guarantees that an adversary given $\widetilde{C}\leftarrow\mathsf{Mark}(\mathsf{mk},\mathsf{prfk},\mathsf{m})$ cannot distinguish an output of $\mathsf{Sim}(\mathsf{xk},\tau,i)$ from that of $D$ if $\mathsf{m}[i]=0$ and from that of $D^{\mathtt{rev}}$ if $\mathsf{m}[i]=1$ .

Definition 4.2 (SIM-MDD Security with Private Simulation).

To define SIM-MDD security with private simulation, we define the game $\mathsf{Expt}_{i^{\ast},\mathpzc{A},\mathsf{WMPRF}}^{\mathsf{sim\textrm{-}mdd}}(\lambda)$ as follows, where $i^{\ast}\in[{\ell_{\mathsf{m}}}]$ .

1.

The challenger generates $(\mathsf{pp},\mathsf{xk})\leftarrow\mathsf{Setup}(1^{\lambda})$ and sends $\mathsf{pp}$ to $\mathpzc{A}$ . $\mathpzc{A}$ sends $\mathsf{m}\in\{0,1\}^{\ell_{\mathsf{m}}}$ to the challenger. The challenger generates $(\mathsf{prfk},\tau)\leftarrow\mathsf{Gen}(\mathsf{pp})$ and computes $\widetilde{C}\leftarrow\mathsf{Mark}(\mathsf{mk},\mathsf{prfk},\mathsf{m})$ . The challenger sends $\tau$ and $\widetilde{C}$ to $\mathpzc{A}$ .
2.

$\mathpzc{A}$ can access to the following oracle.

$O_{\mathtt{sim}}$ :

On input $\tau^{\prime}$ and $i^{\prime}\in[{\ell_{\mathsf{m}}}]$ , it returns $\mathsf{Sim}(\mathsf{xk},\tau^{\prime},i^{\prime})$ .
3.

Let $D_{\mathtt{real},i^{\ast}}$ be the following distribution. Note that $D_{\mathtt{real},i^{\ast}}$ is identical with $D$ if $\mathsf{m}[i^{\ast}]=0$ and with $D^{\mathtt{rev}}$ if $\mathsf{m}[i^{\ast}]=1$ .

$D_{\mathtt{real},i^{\ast}}$ :

Generate $\gamma\leftarrow\{0,1\}$ and $x\leftarrow\mathsf{Dom}$ . Then, if $\gamma=\mathsf{m}[i^{\ast}]$ , generate $y\leftarrow\mathsf{Ran}$ , and otherwise, compute $y\leftarrow\mathsf{Eval}(\mathsf{prfk},x)$ . Output $(\gamma,x,y)$ .

The challenger generates $\mathsf{coin}\leftarrow\{0,1\}$ . If $\mathsf{coin}=0$ , the challenger samples $(\gamma,x,y)\leftarrow D_{\mathtt{real},i^{\ast}}$ . If $\mathsf{coin}=1$ , the challenger generates $(\gamma,x,y)\leftarrow\mathsf{Sim}(\mathsf{xk},\tau,i^{\ast})$ . The challenger sends $(\gamma,x,y)$ to $\mathpzc{A}$ .
4.

When $\mathpzc{A}$ terminates with output $\mathsf{coin}^{\prime}$ , the challenger outputs $1$ if $\mathsf{coin}=\mathsf{coin}^{\prime}$ and $0$ otherwise.

Note that $\mathpzc{A}$ is not allowed to access to $O_{\mathtt{sim}}$ after $\mathpzc{A}$ is given $(\gamma,x,y)$ .

We say that $\mathsf{WMPRF}$ is SIM-MDD secure if for every $i^{\ast}\in[{\ell_{\mathsf{m}}}]$ and QPT $\mathpzc{A}$ , we have

\displaystyle\mathsf{Adv}_{i^{\ast},\mathpzc{A},\mathsf{WMPRF}}^{\mathsf{sim\textrm{-}mdd}}(\lambda)=2\absolutevalue{\Pr[\mathsf{Expt}_{i^{\ast},\mathpzc{A},\mathsf{WMPRF}}^{\mathsf{sim\textrm{-}mdd}}(\lambda)=1]-\frac{1}{2}}={\mathsf{negl}}(\lambda).

(25)

We consider the selective setting above as unremovability for private extraction in Definition 3.6 since we use SIM-MDD security with private simulation to achieve unremovability for private simulation.

Remark 4.3 (On multi challenge security).

We can prove that the above definition implies the multi-challenge variant where polynomially many outputs of $\mathsf{Sim}(\mathsf{xk},\tau,i^{\ast})$ are required to be indistinguishable from those of $D_{\mathtt{real},i^{\ast}}$ . This is done by hybrid arguments where outputs of $\mathsf{Sim}(\mathsf{xk},\tau,i^{\ast})$ are simulated using $O_{\mathtt{sim}}$ and those of $D_{\mathtt{real},i^{\ast}}$ are simulated using $\widetilde{C}$ . To apply Theorem 2.11, we need the multi challenge variant. However, we consider the single challenge variant due to the implication above. A similar remark is applied to the variants of SIM-MDD security introduced below.

SIM-MDD security with private simulation under the $\mathpzc{API}$ oracle.

Let the $\mathpzc{API}$ oracle be an oracle that is given $(\epsilon,\delta,\tau^{\prime},i^{\prime})$ and a quantum state $\mathpzc{q}$ , and returns the result of $\mathpzc{API}^{\epsilon,\delta}_{\mathcal{P},\mathsf{D}_{\tau^{\prime},i^{\prime}}}(\mathpzc{q})$ and the post measurement state, where $\mathcal{P}$ is defined in the same way as that in Definition 3.6 and $\mathsf{D}_{\tau^{\prime},i^{\prime}}$ be the distribution that outputs randomly generated $(\gamma,x,y)\leftarrow\mathsf{Sim}(\mathsf{xk},\tau^{\prime},i^{\prime})$ . The $\mathpzc{API}$ oracle cannot be simulated using the simulation oracle $O_{\mathtt{sim}}$ since we need superposition of outputs of $\mathsf{Sim}$ to compute $\mathpzc{API}^{\epsilon,\delta}_{\mathcal{P},\mathsf{D}_{\tau^{\prime},i^{\prime}}}(\mathpzc{q})$ . When constructing watermarking PRFs with private simulation from extraction-less watermarking PRFs, the underlying extraction-less watermarking PRF scheme needs to satisfy SIM-MDD security with private simulation under the $\mathpzc{API}$ oracle that we call QSIM-MDD security with private simulation. The reason is as follows. In the security analysis of the construction, the indistinguishability guarantee provided by SIM-MDD security needs to hold for an adversary against the resulting watermarking scheme who can access the extraction oracle. This means that it also needs to hold for an adversary who can access the $\mathpzc{API}$ oracle since $\mathpzc{API}$ is repeatedly invoked in the extraction algorithm of the resulting scheme.

Fortunately, as we will see, we can generically convert an extraction-less watermarking PRF scheme satisfying SIM-MDD security with private simulation into one satisfying QSIM-MDD security with private simulation, using QPRFs. Thus, when realizing an extraction-less watermarking PRF scheme as an intermediate step towards privately extractable watermarking PRFs, we can concentrate on realizing one satisfying SIM-MDD security with private simulation.

Remark 4.4.

There is a similar issue in the traitor tracing setting. If PLBE is a secret-key based one, we need a counterpart of QSIM-MDD in secret-key based PLBE to achieve traitor tracing with a secret tracing algorithm against quantum adversaries by using Zhandry’s framework [Zha20]. Note that Zhandry focuses on public-key based PLBE in his work [Zha20].

Definition 4.5 (QSIM-MDD Security with Private Simulation).

Let $\mathsf{D}_{\tau,i}$ be a distribution defined as follows.

$\mathsf{D}_{\tau,i}$ :: Output $(\gamma,x,y)\leftarrow\mathsf{Sim}(\mathsf{xk},\tau,i)$ .

Then, we define the game $\mathsf{Exp}_{i^{\ast},\mathpzc{A},\mathsf{WMPRF}}^{\mathsf{q}\mbox{-}\mathsf{sim}\mbox{-}\mathsf{mdd}}(\lambda)$ in the same way as $\mathsf{Exp}_{i^{\ast},\mathpzc{A},\mathsf{WMPRF}}^{\mathsf{sim}\mbox{-}\mathsf{mdd}}(\lambda)$ except that in addition to $O_{\mathtt{sim}}$ , $\mathpzc{A}$ can access to the following oracle in the step 2.

$O_{\mathtt{api}}$ :: On input $(\epsilon,\delta,\tau^{\prime},i^{\prime})$ and a quantum state $\mathpzc{q}$ , it returns the result of $\mathpzc{API}^{\epsilon,\delta}_{\mathcal{P},\mathsf{D}_{\tau^{\prime},i^{\prime}}}(\mathpzc{q})$ and the post measurement state, where $\mathcal{P}$ is defined in the same way as that in Definition 3.6.

We say that $\mathsf{WMPRF}$ is QSIM-MDD secure with private simulation if for every $i^{\ast}\in[{\ell_{\mathsf{m}}}]$ and QPT $\mathpzc{A}$ , we have

\displaystyle\mathsf{Adv}_{i^{\ast},\mathpzc{A},\mathsf{WMPRF}}^{\mathsf{q}\mbox{-}\mathsf{sim}\mbox{-}\mathsf{mdd}}(\lambda)=2\absolutevalue{\Pr[\mathsf{Exp}_{i^{\ast},\mathpzc{A},\mathsf{WMPRF}}^{\mathsf{q}\mbox{-}\mathsf{sim}\mbox{-}\mathsf{mdd}}(\lambda)=1]-\frac{1}{2}}={\mathsf{negl}}(\lambda).

(26)

We have the following theorem.

Theorem 4.6.

Assume there exists an extraction-less watermarking PRF scheme satisfying SIM-MDD security with private simulation and a QPRF. Then, there exists an extraction-less watermarking PRF scheme satisfying QSIM-MDD security with private simulation.

We prove this theorem in Appendix A.

Definition 4.7 (SIM-MDD Security with Public Simulation).

We define the game $\mathsf{Exp}_{i^{\ast},\mathpzc{A},\mathsf{WMPRF}}^{\mathsf{sim}\mbox{-}\mathsf{mdd}\mbox{-}\mathsf{pub}}(\lambda)$ in the same way as $\mathsf{Expt}_{i^{\ast},\mathpzc{A},\mathsf{WMPRF}}^{\mathsf{sim\textrm{-}mdd}}(\lambda)$ except the following differences, where $i^{\ast}\in[{\ell_{\mathsf{m}}}]$ .

•

In item 1, $\mathpzc{A}$ is given $\mathsf{xk}$ together with $\mathsf{pp}$ .
•

Item 2 is removed.

We say that $\mathsf{WMPRF}$ satisfies SIM-MDD security with public simulation if for every $i^{\ast}\in[{\ell_{\mathsf{m}}}]$ and QPT $\mathpzc{A}$ , we have

\displaystyle\mathsf{Adv}_{i^{\ast},\mathpzc{A},\mathsf{WMPRF}}^{\mathsf{sim}\mbox{-}\mathsf{mdd}\mbox{-}\mathsf{pub}}(\lambda)=2\absolutevalue{\Pr[\mathsf{Exp}_{i^{\ast},\mathpzc{A},\mathsf{WMPRF}}^{\mathsf{sim}\mbox{-}\mathsf{mdd}\mbox{-}\mathsf{pub}}(\lambda)=1]-\frac{1}{2}}={\mathsf{negl}}(\lambda).

(27)

5 Watermarking PRF from Extraction-Less Watermarking PRF

We show how to construct watermarking PRF secure against quantum adversaries from extraction-less watermarking PRF.

Let $\mathsf{ELWMPRF}=(\mathsf{Setup},\mathsf{Gen},\mathsf{Eval},\mathsf{Mark},\mathsf{Sim})$ be an extraction-less watermarking PRF scheme whose message space is $\{0,1\}^{{\ell_{\mathsf{m}}}+1}$ . We construct a watermarking PRF scheme $\mathsf{WMPRF}=(\mathsf{WM}.\mathsf{Setup},\allowbreak\mathsf{WM}.\mathsf{Gen},\mathsf{WM}.\mathsf{Eval},\mathsf{WM}.\mathsf{Mark},\mathpzc{Extract})$ whose message space is $\{0,1\}^{{\ell_{\mathsf{m}}}}$ as follows. We use $\mathsf{Setup}$ , $\mathsf{Gen}$ , and $\mathsf{Eval}$ as $\mathsf{WM}.\mathsf{Setup}$ , $\mathsf{WM}.\mathsf{Gen}$ , and $\mathsf{WM}.\mathsf{Eval}$ , respectively. Thus, the domain and range of $\mathsf{WMPRF}$ are the same as those of $\mathsf{ELWMPRF}$ . Also, we construct $\mathsf{WM}.\mathsf{Mark}$ and $\mathpzc{Extract}$ as follows.

$\mathsf{WM}.\mathsf{Mark}(\mathsf{pp},\mathsf{prfk},\mathsf{m})$ :

•

Output $\widetilde{C}\leftarrow\mathsf{Mark}(\mathsf{pp},\mathsf{prfk},\mathsf{m}\|0)$ .

$\mathpzc{Extract}(\mathsf{xk},\mathpzc{C},\tau,\epsilon)$ :

•

Let $\epsilon^{\prime}=\epsilon/4({\ell_{\mathsf{m}}}+1)$ and $\delta^{\prime}=2^{-\lambda}$ .
•

Parse $(\mathpzc{q},\boldsymbol{U})\leftarrow\mathpzc{C}$ .
•

Let $\mathcal{P}$ be defined in the same way as that in Definition 3.6 and $D_{\tau,i}$ be the following distribution for every $i\in[{\ell_{\mathsf{m}}}+1]$ .

$D_{\tau,i}$ :

Output $(\gamma,x,y)\leftarrow\mathsf{Sim}(\mathsf{xk},\tau,i)$ .
•

Compute $\widetilde{p}_{{\ell_{\mathsf{m}}}+1}\leftarrow\mathpzc{API}_{\mathcal{P},D_{\tau,{\ell_{\mathsf{m}}}+1}}^{\epsilon^{\prime},\delta^{\prime}}(\mathpzc{q})$ . If $\widetilde{p}_{{\ell_{\mathsf{m}}}+1}<\frac{1}{2}+\epsilon-4\epsilon^{\prime}$ , return $\mathsf{unmarked}$ . Otherwise, letting $\mathpzc{q}_{0}$ be the post-measurement state, go to the next step.
•
For all $i\in[{\ell_{\mathsf{m}}}]$ , do the following.
1. 1.
  
  Compute $\widetilde{p}_{i}\leftarrow\mathpzc{API}_{\mathcal{P},D_{\tau,i}}^{\epsilon^{\prime},\delta^{\prime}}(\mathpzc{q}_{i-1})$ . Let $\mathpzc{q}_{i}$ be the post-measurement state.
2. 2.
  
  If $\widetilde{p}_{i}>\frac{1}{2}+\epsilon-4(i+1)\epsilon^{\prime}$ , set $\mathsf{m}^{\prime}_{i}=0$ . If $\widetilde{p}_{i}<\frac{1}{2}-\epsilon+4(i+1)\epsilon^{\prime}$ , set $\mathsf{m}^{\prime}_{i}=1$ . Otherwise, exit the loop and output $\mathsf{m}^{\prime}=0^{{\ell_{\mathsf{m}}}}$ .
•

Output $\mathsf{m}^{\prime}=\mathsf{m}^{\prime}_{1}\|\cdots\|\mathsf{m}^{\prime}_{{\ell_{\mathsf{m}}}}$ .

We have the following theorems.

Theorem 5.1.

If $\mathsf{ELWMPRF}$ satisfies extended weak pseudorandomness against authority, then so does $\mathsf{WMPRF}$ .

Theorem 5.2.

If $\mathsf{ELWMPRF}$ is an extraction-less watermarking PRF that satisfies QSIM-MDD security, $\mathsf{WMPRF}$ is a privately extractable watermarking PRF.

Theorem 5.3.

If $\mathsf{ELWMPRF}$ is an extraction-less watermarking PRF that satisfies SIM-MDD security with public simulation, $\mathsf{WMPRF}$ is a publicly extractable watermarking PRF.

It is clear that Theorem 5.1 holds since the evaluation algorithm of $\mathsf{WMPRF}$ is the same as that of $\mathsf{ELWMPRF}$ and extended weak pseudorandomness is insensitive to how the marking and extraction algorithms are defined. Thus, we omit a formal proof.

The proofs of Theorems 5.2 and 5.3 are almost the same. Thus, we only provide the proof for the former, and omit the proof for the latter.

Proof of Theorem 5.2.

Let $\epsilon>0$ . Let $\mathpzc{A}$ be a QPT adversary attacking the unremovability of $\mathsf{WMPRF}$ . The description of $\mathsf{Expt}_{\mathpzc{A},\mathsf{WMPRF}}^{\mathsf{nrmv}}(\lambda,\epsilon)$ is as follows.

1.

The challenger generates $(\mathsf{pp},\mathsf{xk})\leftarrow\mathsf{Setup}(1^{\lambda})$ and gives $\mathsf{pp}$ to the adversary $\mathpzc{A}$ . $\mathpzc{A}$ sends $\mathsf{m}\in\{0,1\}^{\ell_{\mathsf{m}}}$ to the challenger. The challenger generates $(\mathsf{prfk},\tau)\leftarrow\mathsf{Gen}(\mathsf{pp})$ , computes $\widetilde{C}\leftarrow\mathsf{Mark}(\mathsf{pp},\mathsf{prfk},\mathsf{m}\|0)$ , and sends $\widetilde{C}$ to $\mathpzc{A}$ .
2.

$\mathpzc{A}$ can access to the following oracle.

$O_{\mathtt{ext}}$ :

On input $\tau^{\prime}$ and a quantum circuit $\mathpzc{C}$ , it returns $\mathpzc{Extract}(\mathsf{xk},\mathpzc{C},\tau^{\prime},\epsilon)$ .
3.

Finally, the adversary outputs a quantum circuit $\mathpzc{C}_{\text{\char 65\relax}}=(\mathpzc{q},\boldsymbol{U})$ .

We define $D$ , $\mathcal{P}$ , $\mathcal{M}_{D}$ , and the three events $\mathsf{Live}$ , $\mathsf{GoodExt}$ , and $\mathsf{BadExt}$ in the same way as Definition 3.6.

The proof of $\Pr[\mathsf{GoodExt}]\geq\Pr[\mathsf{Live}]-{\mathsf{negl}}(\lambda)$ .

$\mathpzc{Extract}$ outputs $\mathsf{unmarked}$ if and only if $\widetilde{p}_{\ell+1}<\frac{1}{2}+\epsilon-4\epsilon^{\prime}$ , that is we have $\Pr[\mathsf{GoodExt}]=\Pr[\widetilde{p}_{\ell+1}\geq\frac{1}{2}+\epsilon-4\epsilon^{\prime}]$ . Let $p$ the probability obtained by applying $\mathsf{ProjImp}(\mathcal{M}_{D})$ to $\mathpzc{q}$ . Then, we have $\Pr[\mathsf{Live}]=\Pr[p\geq\frac{1}{2}+\epsilon]$ . Let $\widetilde{p}$ be the outcome obtained if we apply $\mathpzc{API}_{\mathcal{P},D}^{\epsilon^{\prime},\delta^{\prime}}$ to $\mathpzc{q}$ . From the property of $\mathpzc{API}$ , we have

\displaystyle\Pr[\mathsf{Live}]=\Pr[p\geq\frac{1}{2}+\epsilon]\leq\Pr[\widetilde{p}\geq\frac{1}{2}+\epsilon-\epsilon^{\prime}]+{\mathsf{negl}}(\lambda).

(28)

$D$ and $D_{\tau,{\ell_{\mathsf{m}}}+1}$ are computationally indistinguishable from the QSIM-MDD security of $\mathsf{ELWMPRF}$ since outputs of $\mathsf{Sim}(\mathsf{xk},\tau,i)$ is indistinguishable from those of $D$ if $\mathsf{m}[i]=0$ . This indistinguishability holds even under the existence of $O_{\mathtt{api}}$ . Then, from Theorem 2.11, we have

\displaystyle\Pr[\widetilde{p}\geq\frac{1}{2}+\epsilon-\epsilon^{\prime}]\leq\Pr[\widetilde{p}_{\ell+1}\geq\frac{1}{2}+\epsilon-4\epsilon^{\prime}]+{\mathsf{negl}}(\lambda)=\Pr[\mathsf{GoodExt}]+{\mathsf{negl}}(\lambda).

(29)

By combining the above two equations, we obtain $\Pr[\mathsf{GoodExt}]\geq\Pr[\mathsf{Live}]-{\mathsf{negl}}(\lambda)$ .

The reason $D$ and $D_{\tau,\ell+1}$ need to be computationally indistinguishable under the existence of $O_{\mathtt{api}}$ to apply Theorem 2.11 is as follows. In this application of Theorem 2.11, the quantum state appeared in the statement of it is set as $\mathpzc{q}$ contained in the quantum circuit $\mathpzc{C}$ output by $\mathpzc{A}$ . Then, Theorem 2.11 (implicitly) requires that $D$ and $D_{\tau,\ell+1}$ be indistinguishable for distinguishers who can construct $\mathpzc{q}$ . To construct $\mathpzc{q}$ , we need to execute $\mathpzc{A}$ who can access to $O_{\mathtt{ext}}$ in which $\mathpzc{API}$ is repeatedly executed. This is the reason $D$ and $D_{\tau,\ell+1}$ need to be indistinguishable under the existence of $O_{\mathtt{api}}$ .

The proof of $\Pr[\mathsf{BadExt}]\leq{\mathsf{negl}}(\lambda)$ .

We define the event $\mathsf{BadExt}_{i}$ as follows for every $i\in[{\ell_{\mathsf{m}}}]$ .

$\mathsf{BadExt}_{i}$ :

When Running $\mathpzc{Extract}(\mathsf{xk},\mathpzc{C}_{\text{\char 65\relax}},\tau^{*},\epsilon)$ , the following conditions hold.

•

$\widetilde{p}_{\ell+1}\geq\frac{1}{2}+\epsilon-4\epsilon^{\prime}$ holds.
•

$\mathsf{m}^{\prime}_{j}=\mathsf{m}_{j}$ holds for every $j\in[i-1]$ .
•

$\mathpzc{Extract}$ exits the $i$ -th loop or $\mathsf{m}^{\prime}_{i}\neq\mathsf{m}_{i}$ holds.

Then, we have $\Pr[\mathsf{BadExt}]\leq\sum_{i\in[\ell]}\Pr[\mathsf{BadExt}_{i}]$ . Below, we estimate $\Pr[\mathsf{BadExt}_{i}]$ .

We first consider the case of $\mathsf{m}_{i-1}=0$ and $\mathsf{m}_{i}=0$ . Assume $\mathsf{m}^{\prime}_{i-1}=\mathsf{m}_{i-1}=0$ holds. Then, we have $\widetilde{p}_{i-1}>\frac{1}{2}+\epsilon-4i\epsilon^{\prime}$ . Let $\widetilde{p}^{\prime}_{i-1}\leftarrow\mathpzc{API}_{\mathcal{P},D_{\tau,i-1}}^{\epsilon^{\prime},\delta^{\prime}}(\mathpzc{q}_{i-1})$ . From, the almost-projective property of $\mathpzc{API}$ , we have

\displaystyle\Pr[\widetilde{p}^{\prime}_{i-1}>\frac{1}{2}+\epsilon-4i\epsilon^{\prime}-\epsilon^{\prime}]\geq 1-\delta^{\prime}.

(30)

When $\mathsf{m}_{i-1}=0$ and $\mathsf{m}_{i}=0$ , $D_{\tau,i-1}$ and $D_{\tau,i}$ are computationally indistinguishable since both of them are computationally indistinguishable from $D$ by the QSIM-MDD security of $\mathsf{ELWMPRF}$ . This indistinguishability holds under the existence of $O_{\mathtt{api}}$ . Thus, from Theorem 2.11, we have

\displaystyle 1-\delta^{\prime}\leq\Pr[\widetilde{p}^{\prime}_{i-1}>\frac{1}{2}+\epsilon-(4i+1)\epsilon^{\prime}]\leq\Pr[\widetilde{p}_{i}>\frac{1}{2}+\epsilon-4(i+1)\epsilon^{\prime}]+{\mathsf{negl}}(\lambda).

(31)

This means that $\Pr[\mathsf{BadExt}_{i}]={\mathsf{negl}}(\lambda)$ in this case. Note that the reason the indistinguishability of $D_{\tau,i-1}$ and $D_{\tau,i}$ needs to hold under $O_{\mathtt{api}}$ is that Theorem 2.11 requires it hold for distinguishers who can construct $\mathpzc{q}_{i-1}$ .

Next, we consider the case of $\mathsf{m}_{i-1}=0$ and $\mathsf{m}_{i}=1$ . Assume $\mathsf{m}^{\prime}_{i-1}=\mathsf{m}_{i-1}=0$ holds. Then, we have $\widetilde{p}_{i-1}>\frac{1}{2}+\epsilon-4i\epsilon^{\prime}$ . We then define an additional distribution $D^{\mathtt{rev}}_{\tau,i}$ as follows.

$D^{\mathtt{rev}}_{\tau,i}$ :: Generate $(\gamma,x,y)\leftarrow\mathsf{Sim}(\mathsf{xk},\tau,i)$ . Output $(1\oplus\gamma,x,y)$ .

That is, the first bit of the output is flipped from $\mathsf{D}_{\tau,i}$ . Then, for any random coin $r$ , we have $(\boldsymbol{P}_{D^{\mathtt{rev}}_{\tau,i}(r)},\boldsymbol{Q}_{D^{\mathtt{rev}}_{\tau,i}(r)})=(\boldsymbol{Q}_{\mathsf{D}_{\tau,i}(r)},\boldsymbol{P}_{\mathsf{D}_{\tau,i}(r)})$ . This is because we have $\boldsymbol{Q}_{b,x,y}=\boldsymbol{I}-\boldsymbol{P}_{b,x,y}=\boldsymbol{P}_{1\oplus b,x,y}$ for any tuple $(b,x,y)$ . Therefore, $\mathpzc{API}_{\mathcal{P},D^{\mathtt{rev}}_{\tau,i-1}}^{\epsilon^{\prime},\delta^{\prime}}$ is exactly the same process as $\mathpzc{API}_{\mathcal{P}^{\mathtt{rev}},\mathsf{D}_{\tau,i-1}}^{\epsilon^{\prime},\delta^{\prime}}$ . Let $\widetilde{p}^{\prime}_{i-1}\leftarrow\mathpzc{API}_{\mathcal{P},D^{\mathtt{rev}}_{\tau,i-1}}^{\epsilon^{\prime},\delta^{\prime}}(\mathpzc{q}_{i-1})$ . From, the reverse-almost-projective property of $\mathpzc{API}$ , we have

\displaystyle\Pr[\widetilde{p}^{\prime}_{i-1}<\frac{1}{2}-\epsilon+4i\epsilon^{\prime}+\epsilon^{\prime}]\geq 1-\delta^{\prime}.

(32)

When $\mathsf{m}_{i-1}=0$ and $\mathsf{m}_{i}=1$ , $D^{\mathtt{rev}}_{\tau,i-1}$ and $D_{\tau,i}$ are computationally indistinguishable since both of them are computationally indistinguishable from the following distribution $D^{\mathtt{rev}}$ by the QSIM-MDD security of $\mathsf{ELWMPRF}$ .

$D^{\mathtt{rev}}$ :: Generate $(\gamma,x,y)\leftarrow D$ . Output $(1\oplus\gamma,x,y)$ .

This indistinguishability holds under the existence of $O_{\mathtt{api}}$ . Thus, from Theorem 2.11, we have

\displaystyle 1-\delta^{\prime}\leq\Pr[\widetilde{p}^{\prime}_{i-1}<\frac{1}{2}-\epsilon+(4i+1)\epsilon^{\prime}]\leq\Pr[\widetilde{p}_{i}<\frac{1}{2}-\epsilon+4(i+1)\epsilon^{\prime}]+{\mathsf{negl}}(\lambda).

(33)

This means that $\Pr[\mathsf{BadExt}_{i}]={\mathsf{negl}}(\lambda)$ also in this case. Note that the reason the indistinguishability of $D^{\mathtt{rev}}_{\tau,i-1}$ and $D_{\tau,i}$ needs to hold under $O_{\mathtt{api}}$ is that Theorem 2.11 requires it hold for distinguishers who can construct $\mathpzc{q}_{i-1}$ .

Similarly, we can prove that $\Pr[\mathsf{BadExt}_{i}]={\mathsf{negl}}(\lambda)$ holds in the case of $(\mathsf{m}_{i-1},\mathsf{m}_{i})=(1,0)$ and $(\mathsf{m}_{i-1},\mathsf{m}_{i})=(1,1)$ .

Overall, we see that $\Pr[\mathsf{BadExt}]={\mathsf{negl}}(\lambda)$ holds in all cases.

6 Extraction-Less Watermarking PRF from LWE

We present an extraction-less watermarking PRF, denoted by $\mathsf{PRF}_{\mathsf{cprf}}$ , whose message space is $\{0,1\}^{{\ell_{\mathsf{m}}}}$ with domain $\{0,1\}^{n}$ and range $\{0,1\}^{m}$ . We use the following tools, which can be instantiated with the QLWE assumption (See Theorems 2.30, 2.27 and 2.24):

•

Private CPRF $\mathsf{CPRF}=(\mathsf{CPRF}.\mathsf{Setup},\mathsf{CPRF}.\mathsf{Eval},\mathsf{CPRF}.\mathsf{Constrain},\mathsf{CPRF}.\mathsf{CEval})$ . For ease of notation, we denote CPRF evaluation circuit $\mathsf{CPRF}.\mathsf{Eval}(\mathsf{msk},\cdot)$ and constrained evaluation circuits $\mathsf{CPRF}.\mathsf{CEval}(\mathsf{sk}_{f},\cdot)$ by $\mathsf{G}:\{0,1\}^{n}\rightarrow\{0,1\}^{m}$ and $\mathsf{G}_{\notin\mathcal{V}}:\{0,1\}^{n}\rightarrow\{0,1\}^{m}$ , respectively, where $x\in\mathcal{V}$ iff $f(x)=1$ .
•

SKE scheme $\mathsf{SKE}=(\mathsf{SKE}.\mathsf{Gen},\mathsf{SKE}.\mathsf{Enc},\mathsf{SKE}.\mathsf{Dec})$ . The plaintext space and ciphertext space of $\mathsf{SKE}$ are $\{0,1\}^{\ell_{\mathsf{ske}}}$ and $\{0,1\}^{n}$ , respectively, where $\ell_{\mathsf{ske}}=\log{{\ell_{\mathsf{m}}}}+1$ .
•

PKE scheme $\mathsf{PKE}=(\mathsf{Gen},\mathsf{Enc},\mathsf{Dec})$ . The plaintext space of PKE is $\{0,1\}^{2\lambda}$ .

Construction overview.

We already explained the high-level idea for how to realize extraction-less watermarking PRFs in Section 1.3. However, the construction of $\mathsf{PRF}_{\mathsf{cprf}}$ requires some additional efforts. Thus, before providing the actual construction, we provide a high-level overview of $\mathsf{PRF}_{\mathsf{cprf}}$ .

Recall that letting $\widetilde{C}\leftarrow\mathsf{Mark}(\mathsf{pp},\mathsf{prfk},\mathsf{m})$ and $(\gamma^{\ast},x^{\ast},y^{\ast})\leftarrow\mathsf{Sim}(\mathsf{xk},\tau,i^{\ast})$ , we have to design $\mathsf{Sim}$ and $\widetilde{C}$ so that

•

If $\gamma=\mathsf{m}[i^{\ast}]$ , $\widetilde{C}(x^{\ast})$ outputs a value different from $y^{\ast}$ .
•

If $\gamma\neq\mathsf{m}[i^{\ast}]$ , $\widetilde{C}(x^{\ast})$ outputs $y^{\ast}$ .

In the token-based construction idea, we achieve these conditions by setting $x^{\ast}$ as an encryption of $y^{\ast}\|i^{\ast}\|\gamma^{\ast}$ and designing $\widetilde{C}$ as a token such that it outputs $y^{\ast}$ if the input is decryptable and $\gamma^{\ast}\neq\mathsf{m}[i^{\ast}]$ holds for the decrypted value $y^{\ast}\|i^{\ast}\|\gamma^{\ast}$ , and otherwise behaves as the original evaluation circuit. However, in $\mathsf{PRF}_{\mathsf{cprf}}$ , we use a constrained evaluation circuit of $\mathsf{CPRF}$ as $\widetilde{C}$ , and thus we cannot program output values for specific inputs. Intuitively, it seems that $\mathsf{Sim}$ needs to use the original PRF key $\mathsf{prfk}$ to achieve the above two conditions.

To solve the issue, we adopt the idea used by Quach et al. [QWZ18]. In $\mathsf{PRF}_{\mathsf{cprf}}$ , the setup algorithm $\mathsf{Setup}$ generates $(\mathsf{pk},\mathsf{sk})\leftarrow\mathsf{Gen}(1^{\lambda})$ of $\mathsf{PKE}$ , and sets $\mathsf{pp}=\mathsf{pk}$ and $\mathsf{xk}=\mathsf{sk}$ . Then, the PRF key generation algorithm is given $\mathsf{pk}$ , generates $\mathsf{G}\leftarrow\mathsf{CPRF}.\mathsf{Setup}(1^{\lambda},1^{\kappa})$ along with $\mathsf{ske}.\mathsf{k}\leftarrow\mathsf{SKE}.\mathsf{Gen}(1^{\lambda})$ , and sets the public tag $\tau$ as an encryption of $(\mathsf{G},\mathsf{ske}.\mathsf{k})$ under $\mathsf{pk}$ . The evaluation algorithm of $\mathsf{PRF}_{\mathsf{cprf}}$ is simply that of $\mathsf{CPRF}$ .

Now, we explain how to design $\mathsf{Sim}$ and $\widetilde{C}\leftarrow\mathsf{Mark}(\mathsf{pp},\mathsf{prfk},\mathsf{m})$ to satisfy the above two conditions. Given $\mathsf{xk}=\mathsf{sk}$ , $\tau=\mathsf{Enc}(\mathsf{pk},\mathsf{prfk})$ and $i$ , $\mathsf{Sim}$ is able to extract $\mathsf{prfk}=(\mathsf{G},\mathsf{ske}.\mathsf{k})$ . Then, $\mathsf{Sim}$ generates $\gamma\leftarrow\{0,1\}$ and sets $x\leftarrow\mathsf{SKE}.\mathsf{Enc}(\mathsf{ske}.\mathsf{k},i\|\gamma)$ and $y\leftarrow\mathsf{G}(x)$ . We set $\widetilde{C}$ as a constrained version of $\mathsf{G}$ for a circuit $D$ that outputs $1$ if the input $x$ is decryptable by $\mathsf{ske}.\mathsf{k}$ and $\gamma=\mathsf{m}[i]$ holds for decrypted value $i\|\gamma$ , and otherwise outputs $0$ . For an input $x$ , the constrained version of $\mathsf{G}$ outputs the correct output $\mathsf{G}(x)$ if and only if $D(x)=0$ . We can check that $\mathsf{PRF}_{\mathsf{cprf}}$ satisfies the above two conditions.

The above construction does not satisfy extended weak pseudorandomness against authority since the authority can extract the original CPRF key $\mathsf{G}$ by $\mathsf{xk}=\mathsf{sk}$ . However, this problem can be fixed by constraining $\mathsf{G}$ . We see that $\mathsf{Sim}$ needs to evaluate $\mathsf{G}$ for valid ciphertexts of $\mathsf{SKE}$ . Thus, to implement the above mechanism, it is sufficient to set the public tag $\tau$ as an encryption of $\mathsf{ske}.\mathsf{k}$ and a constrained version of $\mathsf{G}$ for a circuit $D_{\mathtt{auth}}$ that output $0$ if and only if the input is decryptable by $\mathsf{ske}.\mathsf{k}$ . Then, the authority can only extract such a constrained key. By requiring sparseness for $\mathsf{SKE}$ , the constrained key cannot be used to break the pseudorandomness of $\mathsf{PRF}_{\mathsf{cprf}}$ for random inputs. This means that $\mathsf{PRF}_{\mathsf{cprf}}$ satisfies extended weak pseudorandomness against an authority. Note that we only need a single-key CPRF for $\mathsf{PRF}_{\mathsf{cprf}}$ since either a user or the authority (not both) is a malicious entity in security games.

The description of $\mathsf{PRF}_{\mathsf{cprf}}$ is as follows.

$\mathsf{Setup}(1^{\lambda})$ :

•

Generate $(\mathsf{pk},\mathsf{sk})\leftarrow\mathsf{Gen}(1^{\lambda})$ .
•

Output $(\mathsf{pp},\mathsf{xk})\coloneqq(\mathsf{pk},\mathsf{sk})$ .

$\mathsf{Gen}(\mathsf{pp})$ :

•

Parse $\mathsf{pp}=\mathsf{pk}$ .
•

Generate $\mathsf{G}\leftarrow\mathsf{CPRF}.\mathsf{Setup}(1^{\lambda},1^{\kappa})$ . In our construction, $\kappa$ is the size of circuit $D[\mathsf{ske}.\mathsf{k},\mathsf{m}]$ described in Figure 5, which depends on ${\ell_{\mathsf{m}}}$ (and $\lambda$ ).
•

Generate $\mathsf{ske}.\mathsf{k}\leftarrow\mathsf{SKE}.\mathsf{Gen}(1^{\lambda})$ .
•

Construct a circuit $D_{\mathtt{auth}}[\mathsf{ske}.\mathsf{k}]$ described in Figure 4.
•

Compute $\mathsf{G}_{\notin\mathcal{V}_{\mathtt{auth}}}\coloneqq\mathsf{CPRF}.\mathsf{Constrain}(\mathsf{G},D_{\mathtt{auth}}[\mathsf{ske}.\mathsf{k}])$ , where $\mathcal{V}_{\mathtt{auth}}\subset\{0,1\}^{n}$ is a set such that $x\in\mathcal{V}_{\mathtt{auth}}$ iff $D_{\mathtt{auth}}[\mathsf{ske}.\mathsf{k}](x)=1$ .
•

Output $\mathsf{prfk}\coloneqq(\mathsf{G},\mathsf{ske}.\mathsf{k})$ and $\tau\leftarrow\mathsf{Enc}(\mathsf{pk},(\mathsf{G}_{\notin\mathcal{V}_{\mathtt{auth}}},\mathsf{ske}.\mathsf{k}))$ .

$\mathsf{Eval}(\mathsf{prfk},x\in\{0,1\}^{n})$ :

Recall that $\mathsf{G}$ is a keyed CPRF evaluation circuit.

•

Parse $\mathsf{prfk}=(\mathsf{G},\mathsf{ske}.\mathsf{k})$ .
•

Output $y\coloneqq\mathsf{G}(x)$ .

$\mathsf{Mark}(\mathsf{pp},\mathsf{prfk},\mathsf{m})$ :

•

Parse $\mathsf{pp}=\mathsf{pk}$ and $\mathsf{prfk}=(\mathsf{G},\mathsf{ske}.\mathsf{k})$ .
•

Construct a circuit $D[\mathsf{ske}.\mathsf{k},\mathsf{m}]$ described in Figure 5.
•

Compute $\mathsf{G}_{\notin\mathcal{V}}\leftarrow\mathsf{CPRF}.\mathsf{Constrain}(\mathsf{G},D[\mathsf{ske}.\mathsf{k},\mathsf{m}])$ , where $\mathcal{V}\subset\{0,1\}^{n}$ is a set such that $x\in\mathcal{V}$ iff $D[\mathsf{ske}.\mathsf{k},\mathsf{m}](x)=1$ .
•

Output $\widetilde{C}=\mathsf{G}_{\notin\mathcal{V}}$ .

$\mathsf{Sim}(\mathsf{xk},\tau,i)$ :

•

Parse $\mathsf{xk}=\mathsf{sk}$ .
•

Compute $(\mathsf{G}_{\notin\mathcal{V}_{\mathtt{auth}}},\mathsf{ske}.\mathsf{k})\leftarrow\mathsf{Dec}(\mathsf{sk},\tau)$ .
•

Choose $\gamma\leftarrow\{0,1\}$ .
•

Compute $x\leftarrow\mathsf{SKE}.\mathsf{Enc}(\mathsf{ske}.\mathsf{k},i\|\gamma)$ and $y\leftarrow\mathsf{G}_{\notin\mathcal{V}_{\mathtt{auth}}}(x)$ .
•

Output $(\gamma,x,y)$ .

Circuit $D_{\mathtt{auth}}[\mathsf{ske}.\mathsf{k}]$ Constants: An SKE key $\mathsf{ske}.\mathsf{k}$ , and a message $\mathsf{m}$ . Input: A string $x\in\{0,1\}^{n}$ . 1. Compute $d\leftarrow\mathsf{SKE}.\mathsf{Dec}(\mathsf{ske}.\mathsf{k},x)$ . 2. Output $0$ if $d\neq\bot$ and $1$ otherwise.

Figure 4: The description of

D_{\mathtt{auth}}

Circuit $D[\mathsf{ske}.\mathsf{k},\mathsf{m}]$ Constants: An SKE key $\mathsf{ske}.\mathsf{k}$ , and a message $\mathsf{m}$ . Input: A string $x\in\{0,1\}^{n}$ . 1. Compute $d\leftarrow\mathsf{SKE}.\mathsf{Dec}(\mathsf{ske}.\mathsf{k},x)$ . 2. If $d\neq\bot$ , do the following (a) Parse $d=i\|\gamma$ , where $i\in[{\ell_{\mathsf{m}}}]$ and $\gamma\in\{0,1\}$ . (b) If $\gamma=\mathsf{m}[i]$ , output $1$ . Otherwise, output $0$ . 3. Otherwise output $0$ .

Figure 5: The description of

D

The evaluation correctness of $\mathsf{PRF}_{\mathsf{cprf}}$ follows from the sparseness of $\mathsf{SKE}$ and the correctness of $\mathsf{CPRF}$ . For the security of $\mathsf{PRF}_{\mathsf{cprf}}$ , we have the following theorems.

Theorem 6.1.

$\mathsf{SKE}$ is a secure SKE scheme with pseudorandom ciphertext, $\mathsf{CPRF}$ is a selectively single-key private CPRF, $\mathsf{PKE}$ is a CCA secure PKE scheme, then $\mathsf{PRF}_{\mathsf{cprf}}$ is an extraction-less watermarking PRF satisfying SIM-MDD security.

Theorem 6.2.

If $\mathsf{CPRF}$ is a selective single-key private CPRF, $\mathsf{PRF}_{\mathsf{cprf}}$ satisfies extended weak pseudorandomness.

SIM-MDD security.

First, we prove the SIM-MDD security of $\mathsf{PRF}_{\mathsf{cprf}}$ .

Proof of Theorem 6.1.

We define a sequence of hybrid games to prove the theorem.

$\mathsf{Hyb}_{0}$ :: This is the same as the case $\mathsf{coin}=1$ in $\mathsf{Exp}_{i^{\ast},\mathpzc{A},\mathsf{PRF}_{\mathsf{cprf}}}^{\mathsf{sim}\mbox{-}\mathsf{mdd}}(\lambda)$ . In this game, $\mathpzc{A}$ is given $\tau\leftarrow\mathsf{Enc}(\mathsf{pk},(\mathsf{G}_{\notin\mathcal{V}_{\mathtt{auth}}},\mathsf{ske}.\mathsf{k}))$ and $\mathsf{G}_{\notin\mathcal{V}}\leftarrow\mathsf{CPRF}.\mathsf{Constrain}(\mathsf{G},D[\mathsf{ske}.\mathsf{k},\mathsf{m}])$ as a public tag and a marked circuit. After $\tau$ and $\mathsf{G}_{\notin\mathcal{V}}$ are given, $\mathpzc{A}$ can access to $O_{\mathtt{sim}}$ . Finally, after finishing the access to $O_{\mathtt{sim}}$ , $\mathpzc{A}$ is given $(\gamma^{\ast},x^{\ast},y^{\ast}))$ as the challenge tuple and outputs $\mathsf{coin}^{\prime}\in\{0,1\}$ , where $\gamma^{\ast}\leftarrow\{0,1\}$ , $x^{\ast}\leftarrow\mathsf{SKE}.\mathsf{Enc}(\mathsf{ske}.\mathsf{k},i^{\ast}\|\gamma^{\ast})$ , and $y^{\ast}\leftarrow\mathsf{G}_{\notin\mathcal{V}_{\mathtt{auth}}}(x^{\ast})$ .
$\mathsf{Hyb}_{1}$ :: This is the same as $\mathsf{Hyb}_{0}$ except for the following two changes. First, $\mathsf{G}$ is used instead of $\mathsf{G}_{\notin\mathcal{V}_{\mathtt{auth}}}$ when generating the challenge tuple $(\gamma^{\ast},x^{\ast},y^{\ast})$ . Second, we change the behavior of $O_{\mathtt{sim}}$ as follows. When $\mathpzc{A}$ sends $\tau^{\prime}$ and $i^{\prime}$ to $O_{\mathtt{sim}}$ , if $\tau^{\prime}=\tau$ , $O_{\mathtt{sim}}$ performs the remaining procedures by using $(G,\mathsf{ske}.\mathsf{k})$ (without decrypting $\tau^{\prime}=\tau$ ).
$\mathsf{Hyb}_{2}$ :: This is the same as $\mathsf{Hyb}_{1}$ except that we use $\tau\leftarrow\mathsf{Enc}(\mathsf{pk},0^{2\lambda})$ instead of $\tau\leftarrow\mathsf{Enc}(\mathsf{pk},(\mathsf{G}_{\notin\mathcal{V}_{\mathtt{auth}}},\mathsf{ske}.\mathsf{k}))$ .
$\mathsf{Hyb}_{3}$ :: This is the same as $\mathsf{Hyb}_{2}$ except that if $\mathsf{m}[i^{\ast}]=\gamma^{\ast}$ , we use $y^{\ast}\leftarrow\{0,1\}^{m}$ instead of $y^{\ast}\leftarrow\mathsf{G}(x^{\ast})$ .
$\mathsf{Hyb}_{4}$ :: This is the same as $\mathsf{Hyb}_{3}$ except that we use a simulated $(\mathsf{st}_{\mathsf{Sim}},\widehat{\mathsf{G}})\leftarrow\mathsf{CPRF}.\mathsf{Sim}_{1}(1^{\kappa},1^{\lambda})$ instead of $\mathsf{G}_{\notin\mathcal{V}}\leftarrow\mathsf{CPRF}.\mathsf{Constrain}(\mathsf{G},D[\mathsf{ske}.\mathsf{k},\mathsf{m}])$ for the challenge marked circuit. Also, if $\mathsf{m}[i^{\ast}]\neq\gamma^{\ast}$ , the challenger computes $y^{\ast}\leftarrow\mathsf{Sim}_{2}(\mathsf{st}_{\mathsf{Sim}},x^{\ast},0)$ . In addition, we also change the behavior of $O_{\mathtt{sim}}$ as follows. Given $\tau^{\prime}$ and $i^{\prime}$ , if $\tau^{\prime}\neq\tau$ , $O_{\mathtt{sim}}$ answers in the same way as $\mathsf{Hyb}_{3}$ . Otherwise, it returns $(\gamma,x,y)$ , where $\gamma\leftarrow\{0,1\}$ , $x\leftarrow\mathsf{SKE}.\mathsf{Enc}(\mathsf{ske}.\mathsf{k},i^{\prime}\|\gamma)$ , and $y\leftarrow\mathsf{Sim}_{2}(\mathsf{st}_{\mathsf{Sim}},x,1)$ if $\mathsf{m}[i^{\prime}]=\gamma$ and $y\leftarrow\mathsf{Sim}_{2}(\mathsf{st}_{\mathsf{Sim}},x,0)$ otherwise.
$\mathsf{Hyb}_{5}$ :: This is the same as $\mathsf{Hyb}_{4}$ except that we use $x^{\ast}\leftarrow\{0,1\}^{n}$ instead of $x^{\ast}\leftarrow\mathsf{SKE}.\mathsf{Enc}(\mathsf{ske}.\mathsf{k},i^{\ast}\|\gamma^{\ast})$ .
$\mathsf{Hyb}_{6}$ :: We undo the change at $\mathsf{Hyb}_{4}$ .
$\mathsf{Hyb}_{7}$ :: We undo the change at $\mathsf{Hyb}_{2}$ .
$\mathsf{Hyb}_{8}$ :: We undo the change at $\mathsf{Hyb}_{1}$ . This is the same as the case $\mathsf{coin}=0$ in $\mathsf{Exp}_{i^{\ast},\mathpzc{A},\mathsf{PRF}_{\mathsf{cprf}}}^{\mathsf{sim}\mbox{-}\mathsf{mdd}}(\lambda)$ .

Proposition 6.3.

If $\mathsf{CPRF}$ , $\mathsf{SKE}$ , and $\mathsf{PKE}$ are correct, it holds that $\absolutevalue{\Pr[\mathsf{Hyb}_{0}=1]-\Pr[\mathsf{Hyb}_{1}=1]}\leq{\mathsf{negl}}(\lambda)$ .

Proof of Proposition 6.3.

For the first change, $x^{\ast}\notin\mathcal{V}_{\mathtt{auth}}$ holds since $\bot\neq\mathsf{SKE}.\mathsf{Dec}(\mathsf{ske}.\mathsf{k},x^{\ast})$ from the correctness of $\mathsf{SKE}$ . Then, from the correctness of $\mathsf{CPRF}$ , we have $\mathsf{G}_{\notin\mathcal{V}_{\mathtt{auth}}}(x^{\ast})=\mathsf{G}(x^{\ast})$ , and thus the first change does not affect the view of $\mathpzc{A}$ . For the second change, from the correctness of $\mathsf{PKE}$ , $(\mathsf{G}_{\notin\mathcal{V}_{\mathtt{auth}}},\mathsf{ske}.\mathsf{k})\leftarrow\mathsf{Dec}(\mathsf{sk},\tau^{\prime})$ if $\tau^{\prime}=\tau$ . Then, similarly to the first change, we can see that the second change does not affect the view of $\mathpzc{A}$ .

Proposition 6.4.

If $\mathsf{PKE}$ is CCA secure, it holds that $\absolutevalue{\Pr[\mathsf{Hyb}_{1}=1]-\Pr[\mathsf{Hyb}_{2}=1]}\leq{\mathsf{negl}}(\lambda)$ .

Proof of Proposition 6.4.

We construct an algorithm $\mathpzc{B}$ that breaks CCA security of $\mathsf{PKE}$ by using $\mathpzc{A}$ .

$\mathpzc{B}$ :

$\mathpzc{B}$ is given $\mathsf{pk}$ from the challenger. $\mathpzc{B}$ generates $\mathsf{ske}.\mathsf{k}\leftarrow\mathsf{SKE}.\mathsf{Gen}(1^{\lambda})$ , and $\mathsf{G}\leftarrow\mathsf{CPRF}.\mathsf{Setup}(1^{\lambda})$ , and sets $\mathsf{pp}\coloneqq\mathsf{pk}$ . $\mathpzc{B}$ sends $\mathsf{pp}$ to $\mathpzc{A}$ and obtain $\mathsf{m}$ from $\mathpzc{A}$ . $\mathpzc{B}$ then generate $\mathsf{G}_{\notin\mathcal{V}_{\mathtt{auth}}}\coloneqq\mathsf{CPRF}.\mathsf{Constrain}(\mathsf{G},D_{\mathtt{auth}}[\mathsf{ske}.\mathsf{k}])$ , sets $(m_{0},m_{1})\coloneqq((\mathsf{G}_{\notin\mathcal{V}_{\mathtt{auth}}},\mathsf{ske}.\mathsf{k}),0^{2\lambda})$ as the challenge plaintext of the CCA game and receives $\tau$ from its challenger. $\mathpzc{B}$ also constructs $D[\mathsf{ske}.\mathsf{k},\mathsf{m}]$ , generates $\mathsf{G}_{\notin\mathcal{V}}\leftarrow\mathsf{CPRF}.\mathsf{Constrain}(\mathsf{G},D[\mathsf{ske}.\mathsf{k},\mathsf{m}])$ , and sends $\tau$ and $\mathsf{G}_{\notin\mathcal{V}}$ to $\mathpzc{A}$ as the challenge public tag and marked circuit.

$O_{\mathtt{sim}}$ :: When $\mathpzc{A}$ sends $\tau^{\prime}$ and $i^{\prime}$ to $O_{\mathtt{sim}}$ , $\mathpzc{B}$ simulates the answer by using $\mathsf{G}$ , $\mathsf{ske}.\mathsf{k}$ , and the decryption oracle $\mathsf{Dec}(\mathsf{sk},\cdot)$ .

After finishing $\mathpzc{A}$ ’s oracle access to $O_{\mathtt{sim}}$ , $\mathpzc{B}$ chooses $\gamma^{\ast}\leftarrow\{0,1\}$ , generates $x^{\ast}\leftarrow\mathsf{SKE}.\mathsf{Enc}(\mathsf{ske}.\mathsf{k},i^{\ast}\|\gamma^{\ast})$ and $y^{\ast}\leftarrow\mathsf{G}_{\notin\mathcal{V}_{\mathtt{auth}}}(x^{\ast})=\mathsf{G}(x^{\ast})$ , and sends $(\gamma^{\ast},x^{\ast},y^{\ast})$ to $\mathpzc{A}$ . Note that $\mathsf{G}_{\notin\mathcal{V}_{\mathtt{auth}}}(x^{\ast})=\mathsf{G}(x^{\ast})$ holds since $\bot\neq\mathsf{SKE}.\mathsf{Dec}(\mathsf{ske}.\mathsf{k},x^{\ast})$ and thus $x^{\ast}\notin\mathcal{V}_{\mathtt{auth}}$ .

Finally, when $\mathpzc{A}$ terminates with output $\mathsf{coin}^{\prime}$ , $\mathpzc{B}$ outputs $\mathsf{coin}^{\prime}$ and terminates.

$\mathpzc{B}$ perfectly simulates if $\mathsf{Hyb}_{1}$ if $\tau\leftarrow\mathsf{Enc}(\mathsf{pk},(\mathsf{G}_{\notin\mathcal{V}_{\mathtt{auth}}},\mathsf{ske}.\mathsf{k}))$ , and $\mathsf{Hyb}_{2}$ if $\tau\leftarrow\mathsf{Enc}(\mathsf{pk},0^{2\lambda})$ . This completes the proof.

Proposition 6.5.

If $\mathsf{CPRF}$ satisfies selective pseudorandomness, it holds that

\absolutevalue{\Pr[\mathsf{Hyb}_{2}=1]-\Pr[\mathsf{Hyb}_{3}=1]}\leq{\mathsf{negl}}(\lambda).

Proof of Proposition 6.5.

We use selective single-key pseudorandomness of $\mathsf{G}$ . We construct an algorithm $\mathpzc{B}$ that breaks the selective single-key pseudorandomness of $\mathsf{G}$ by using $\mathpzc{A}$ .

$\mathpzc{B}$ :

$\mathpzc{B}$ generates $(\mathsf{pk},\mathsf{sk})\leftarrow\mathsf{Gen}(1^{\lambda})$ , $\mathsf{ske}.\mathsf{k}\leftarrow\mathsf{SKE}.\mathsf{Gen}(1^{\lambda})$ , and $\tau\leftarrow\mathsf{Enc}(\mathsf{pk},0^{2\lambda})$ , sets and sends $\mathsf{pp}\coloneqq\mathsf{pk}$ to $\mathpzc{A}$ , and obtains $\mathsf{m}$ from $\mathpzc{A}$ . $\mathpzc{B}$ constructs $D[\mathsf{ske}.\mathsf{k},\mathsf{m}]$ , sends $D[\mathsf{ske}.\mathsf{k},\mathsf{m}]$ to its challenger, and receives $\mathsf{G}_{\notin\mathcal{V}}$ . $\mathpzc{B}$ sends $\tau$ and $\mathsf{G}_{\notin\mathcal{V}}$ to $\mathpzc{A}$ as the challenge public tag and marked circuit.

$O_{\mathtt{sim}}$ :: When $\mathpzc{A}$ sends $\tau^{\prime}$ and $i^{\prime}\in[{\ell_{\mathsf{m}}}]$ to $O_{\mathtt{sim}}$ , if $\tau^{\prime}\neq\tau$ , $\mathpzc{B}$ computes $(\mathsf{G}^{\prime},\mathsf{ske}.\mathsf{k}^{\prime})\leftarrow\mathsf{Dec}(\mathsf{sk},\tau^{\prime})$ , and computes and returns the answer $(\gamma,x,y)$ by using $(\mathsf{G}^{\prime},\mathsf{ske}.\mathsf{k}^{\prime})$ . If $\tau^{\prime}=\tau$ , $\mathpzc{B}$ returns $(\gamma,x,y)$ computed as follows. $\mathpzc{B}$ chooses $\gamma\leftarrow\{0,1\}$ , and generates $x\leftarrow\mathsf{SKE}.\mathsf{Enc}(\mathsf{ske}.\mathsf{k},i^{\prime}\|\gamma)$ . $\mathpzc{B}$ finally sends $x$ to its PRF evaluation oracle and receives $y\leftarrow\mathsf{G}(x)$ .

After finishing $\mathpzc{A}$ ’s oracle access to $O_{\mathtt{sim}}$ , $\mathpzc{B}$ sends $(\gamma^{\ast},x^{\ast},y^{\ast})$ computed as follows to $\mathpzc{A}$ . $\mathpzc{B}$ first chooses $\gamma^{\ast}\leftarrow\{0,1\}$ and generates $x^{\ast}\leftarrow\mathsf{SKE}.\mathsf{Enc}(\mathsf{ske}.\mathsf{k},i^{\ast}\|\gamma^{\ast})$ . If $\mathsf{m}[i^{\ast}]=\gamma^{\ast}$ , $\mathpzc{B}$ sends $x^{\ast}$ to its challenge oracle and receives $y^{\ast}$ . If $\mathsf{m}[i^{\ast}]\neq\gamma^{\ast}$ , $\mathpzc{B}$ sends $x^{\ast}$ to its PRF evaluation oracle and receives $y^{\ast}$ .

Finally, when $\mathpzc{A}$ terminates with output $\mathsf{coin}^{\prime}$ , $\mathpzc{B}$ outputs $\mathsf{coin}^{\prime}$ and terminates.

$\mathpzc{B}$ perfectly simulates $\mathsf{Hyb}_{2}$ if the challenge oracle returns $y^{\ast}=\mathsf{G}(x^{\ast})$ , and $\mathsf{Hyb}_{3}$ if it returns $y^{\ast}\leftarrow\{0,1\}^{m}$ . Note that in these games, $x^{\ast}\leftarrow\mathsf{SKE}.\mathsf{Enc}(\mathsf{ske}.\mathsf{k},i^{\ast}\|\gamma^{\ast})$ , and thus if $\mathsf{m}[i^{\ast}]=\gamma^{\ast}$ , we have $x^{\ast}\in\mathcal{V}$ ( $D[\mathsf{ske}.\mathsf{k},\mathsf{m}](x^{\ast})=1$ ). This completes the proof.

Proposition 6.6.

If $\mathsf{CPRF}$ satisfies selective single-key privacy, it holds that

\absolutevalue{\Pr[\mathsf{Hyb}_{3}=1]-\Pr[\mathsf{Hyb}_{4}=1]}\leq{\mathsf{negl}}(\lambda).

Proof of Proposition 6.6.

We use selective single-key privacy of $\mathsf{G}$ . We construct an algorithm $\mathpzc{B}$ that breaks the selective privacy of $\mathsf{G}$ by using $\mathpzc{A}$ .

$\mathpzc{B}$ :

$\mathpzc{B}$ generates $(\mathsf{pk},\mathsf{sk})\leftarrow\mathsf{Gen}(1^{\lambda})$ , $\mathsf{ske}.\mathsf{k}\leftarrow\mathsf{SKE}.\mathsf{Gen}(1^{\lambda})$ , and $\tau\leftarrow\mathsf{Enc}(\mathsf{pk},0^{2\lambda})$ , sends $\mathsf{pp}\coloneqq\mathsf{pk}$ to $\mathpzc{A}$ , and obtains $\mathsf{m}$ from $\mathpzc{A}$ . $\mathpzc{B}$ constructs $D[\mathsf{ske}.\mathsf{k},\mathsf{m}]$ , sends $D[\mathsf{ske}.\mathsf{k},\mathsf{m}]$ to its challenger, and receives $\mathsf{G}^{\ast}$ . $\mathpzc{B}$ sends $\tau$ and $\mathsf{G}^{\ast}$ to $\mathpzc{A}$ as the challenge public tag and marked circuit.

$O_{\mathtt{sim}}$ :: When $\mathpzc{A}$ sends $\tau^{\prime}$ and $i^{\prime}\in[{\ell_{\mathsf{m}}}]$ to $O_{\mathtt{sim}}$ , if $\tau^{\prime}\neq\tau$ , $\mathpzc{B}$ computes $(\mathsf{G}^{\prime},\mathsf{ske}.\mathsf{k}^{\prime})\leftarrow\mathsf{Dec}(\mathsf{sk},\tau^{\prime})$ and returns the answer $(\gamma,x,y)$ computed by using $(\mathsf{G}^{\prime},\mathsf{ske}.\mathsf{k}^{\prime})$ . If $\tau^{\prime}=\tau$ , $\mathpzc{B}$ returns the answer $(\gamma,x,y)$ computed as follows. $\mathpzc{B}$ chooses $\gamma\leftarrow\{0,1\}$ , and generates $x\leftarrow\mathsf{SKE}.\mathsf{Enc}(\mathsf{ske}.\mathsf{k},i^{\prime}\|\gamma)$ . $\mathpzc{B}$ sends $x$ to its oracle and receives $y$ .

After finishing $\mathpzc{A}$ ’s oracle access to $O_{\mathtt{sim}}$ , $\mathpzc{B}$ sends $(\gamma^{\ast},x^{\ast},y^{\ast})$ computed as follows to $\mathpzc{A}$ . $\mathpzc{B}$ chooses $\gamma^{\ast}\leftarrow\{0,1\}$ and generates $x^{\ast}\leftarrow\mathsf{SKE}.\mathsf{Enc}(\mathsf{ske}.\mathsf{k},i^{\ast}\|\gamma^{\ast})$ . If $\mathsf{m}[i^{\ast}]=\gamma^{\ast}$ , $\mathpzc{B}$ chooses $y^{\ast}\leftarrow\{0,1\}^{m}$ . If $\mathsf{m}[i^{\ast}]\neq\gamma^{\ast}$ , $\mathpzc{B}$ sends $x^{\ast}$ to its oracle and receives $y^{\ast}$ .

Finally, when $\mathpzc{A}$ terminates with output $\mathsf{coin}^{\prime}$ , $\mathpzc{B}$ outputs $\mathsf{coin}^{\prime}$ and terminates.

$\mathpzc{B}$ perfectly simulates $\mathsf{Hyb}_{3}$ if $\mathsf{G}^{\ast}=\mathsf{CPRF}.\mathsf{Constrain}(\mathsf{G},D[\mathsf{ske}.\mathsf{k},\mathsf{m}])$ and $\mathpzc{B}$ has access to $\mathsf{G}(\cdot)$ , and $\mathsf{Hyb}_{4}$ if $\mathsf{G}^{\ast}=\mathsf{Sim}_{1}(1^{\kappa},1^{\lambda})$ and $\mathpzc{B}$ has access to $\mathsf{Sim}_{2}(\mathsf{st}_{\mathsf{Sim}},\cdot,D[\mathsf{ske}.\mathsf{k},\mathsf{m}](\cdot))$ . This completes the proof.

Proposition 6.7.

If $\mathsf{SKE}$ satisfies ciphertext pseudorandomness, it holds that

\absolutevalue{\Pr[\mathsf{Hyb}_{4}=1]-\Pr[\mathsf{Hyb}_{5}=1]}\leq{\mathsf{negl}}(\lambda).

Proof of Proposition 6.7.

We construct an algorithm $\mathpzc{B}$ that breaks the ciphertext pseudorandomness of $\mathsf{SKE}$ by using $\mathpzc{A}$ .

$\mathpzc{B}$ :: $\mathpzc{B}$ generates $(\mathsf{pk},\mathsf{sk})\leftarrow\mathsf{Gen}(1^{\lambda})$ and sends $\mathsf{pp}\coloneqq\mathsf{pk}$ to $\mathpzc{A}$ , and obtains $\mathsf{m}$ from $\mathpzc{A}$ . $\mathpzc{B}$ then generates $\tau\leftarrow\mathsf{Enc}(\mathsf{pk},0^{2\lambda})$ and $(\mathsf{st}_{\mathsf{Sim}},\widehat{\mathsf{G}})\leftarrow\mathsf{Sim}_{1}(1^{\kappa},1^{\lambda})$ , and sends $\tau$ and $\widehat{\mathsf{G}}$ to $\mathpzc{A}$ as the challenge public tag and marked circuit.
$O_{\mathtt{sim}}$ :: When $\mathpzc{A}$ sends $\tau^{\prime}$ and $i^{\prime}\in[{\ell_{\mathsf{m}}}]$ to $O_{\mathtt{sim}}$ , if $\tau^{\prime}\neq\tau$ , $\mathpzc{B}$ computes $(\mathsf{G}^{\prime},\mathsf{ske}.\mathsf{k}^{\prime})\leftarrow\mathsf{Dec}(\mathsf{sk},\tau)$ and returns the answer $(\gamma,x,y)$ computed by using $(\mathsf{G}^{\prime},\mathsf{ske}.\mathsf{k}^{\prime})$ . If $\tau^{\prime}=\tau$ , $\mathpzc{B}$ returns the answer $(\gamma,x,y)$ computed as follows. $\mathpzc{B}$ chooses $\gamma\leftarrow\{0,1\}$ , sends $i^{\prime}\|\gamma$ to its encryption oracle, and receives $x\leftarrow\mathsf{SKE}.\mathsf{Enc}(\mathsf{ske}.\mathsf{k},i^{\prime}\|\gamma)$ . $\mathpzc{B}$ computes $y\leftarrow\mathsf{Sim}_{2}(\mathsf{st}_{\mathsf{Sim}},x,1)$ if $\gamma=\mathsf{m}[i^{\prime}]$ and $y\leftarrow\mathsf{Sim}_{2}(\mathsf{st}_{\mathsf{Sim}},x,0)$ otherwise.

After finishing $\mathpzc{A}$ ’s oracle access to $O_{\mathtt{sim}}$ , $\mathpzc{B}$ sends $(\gamma^{\ast},x^{\ast},y^{\ast})$ computed as follows to $\mathpzc{A}$ . $\mathpzc{B}$ chooses $\gamma^{\ast}\leftarrow\{0,1\}$ , sends $i^{\ast}\|\gamma^{\ast}$ to its challenger as the challenge plaintext, and receives $x^{\ast}$ . $\mathpzc{B}$ generates $y^{\ast}\leftarrow\{0,1\}^{m}$ if $\mathsf{m}[i^{\ast}]=\gamma^{\ast}$ and $y^{\ast}\leftarrow\mathsf{Sim}_{2}(\mathsf{st}_{\mathsf{Sim}},x,0)$ otherwise.

Finally, when $\mathpzc{A}$ terminates with output $\mathsf{coin}^{\prime}$ , $\mathpzc{B}$ outputs $\mathsf{coin}^{\prime}$ and terminates.

$\mathpzc{B}$ perfectly simulates $\mathsf{Hyb}_{4}$ if $x^{\ast}\leftarrow\mathsf{SKE}.\mathsf{Enc}(\mathsf{ske}.\mathsf{k},i^{\ast}\|\gamma^{\ast})$ , and $\mathsf{Hyb}_{5}$ if $x^{\ast}\leftarrow\{0,1\}^{n}$ . This completes the proof.

Proposition 6.8.

If $\mathsf{CPRF}$ satisfies selective single-key privacy, it holds that

\absolutevalue{\Pr[\mathsf{Hyb}_{5}=1]-\Pr[\mathsf{Hyb}_{6}=1]}\leq{\mathsf{negl}}(\lambda).

Proof of Proposition 6.8.

This proof is almost the same as that of Proposition 6.6.

Proposition 6.9.

If $\mathsf{PKE}$ is CCA secure, it holds that $\absolutevalue{\Pr[\mathsf{Hyb}_{6}=1]-\Pr[\mathsf{Hyb}_{7}=1]}\leq{\mathsf{negl}}(\lambda)$ .

Proof of Proposition 6.9.

This proof is almost the same as that of Proposition 6.4.

Proposition 6.10.

If $\mathsf{CPRF}$ , $\mathsf{SKE}$ , and $\mathsf{PKE}$ are correct, it holds that $\absolutevalue{\Pr[\mathsf{Hyb}_{7}=1]-\Pr[\mathsf{Hyb}_{8}=1]}\leq{\mathsf{negl}}(\lambda)$ .

Proof of Proposition 6.10.

This proof is almost the same as that of Proposition 6.3.

By Propositions 6.3, 6.4, 6.5, 6.6, 6.7, 6.8, 6.9 and 6.10, we complete the proof of Theorem 6.1.

Extended weak pseudorandomness.

Next, we prove the extended pseudorandomness of $\mathsf{PRF}_{\mathsf{cprf}}$ .

Proof of Theorem 6.2.

Let $\mathpzc{A}$ be an adversary attacking the extended weak pseudorandomness of $\mathsf{PRF}_{\mathsf{cprf}}$ . We construct $\mathpzc{B}$ that attacks the selective single-key pseudorandomness of $\mathsf{CPRF}$ .

$\mathpzc{B}$ :

Given $\mathsf{pp}$ from $\mathpzc{A}$ , $\mathpzc{B}$ first generates $\mathsf{ske}.\mathsf{k}\leftarrow\mathsf{SKE}.\mathsf{Gen}(1^{\lambda})$ , sends $D_{\mathtt{auth}}[\mathsf{ske}.\mathsf{k}]$ to its challenger, and obtains $\mathsf{G}^{\ast}$ . $\mathpzc{B}$ sets $\mathsf{pp}:=\mathsf{pk}$ , generates $\tau\leftarrow\mathsf{Enc}(\mathsf{pk},(\mathsf{G}^{\ast},\mathsf{ske}.\mathsf{k}))$ , and sends it to $\mathpzc{A}$ . $\mathpzc{B}$ answers $\mathpzc{A}$ ’s queries as follows.

$O_{\mathtt{wprf}}$ :: When this is invoked (no input), $\mathpzc{B}$ generates $a\leftarrow\{0,1\}^{n}$ , sends it to its evaluation oracle, and obtains $b$ . Then, $\mathpzc{B}$ returns $(a,b)$ to $\mathpzc{A}$ .
$O_{\mathtt{chall}}$ :: When this is invoked (no input), $\mathpzc{B}$ generates $a^{\ast}\leftarrow\{0,1\}^{n}$ , outputs $a^{\ast}$ as its challenge input, and obtains $b^{\ast}$ . $\mathpzc{B}$ returns $(a^{\ast},b^{\ast})$ to $\mathpzc{A}$ . Note that this oracle is invoked only once.

When $\mathpzc{A}$ terminates with output $b^{\prime}$ , $\mathpzc{B}$ outputs $b^{\prime}$ and terminates.

Due to the sparseness of $\mathsf{SKE}$ , without negligible probability, we have $\mathsf{SKE}.\mathsf{Dec}(\mathsf{ske}.\mathsf{k},a^{\ast})=\bot$ thus $D_{\mathtt{auth}}[\mathsf{ske}.\mathsf{k}](a^{\ast})=1$ , and $a$ generated when answering to a query to $O_{\mathtt{wprf}}$ is different from $a^{\ast}$ . Therefore, without negligible probability, $\mathpzc{B}$ is a valid adversary against the selective single-key pseudorandomness of $\mathsf{CPRF}$ . When $\mathpzc{B}$ is valid, we see that the advantage of $\mathpzc{B}$ is the same as that of $\mathpzc{A}$ . This completes the proof.

7 Extraction-Less Watermarking PRF with Public Simulation from IO

We construct an extraction-less watermarking PRF satisfying SIM-MDD security with public simulation. We first introduce a tool.

7.1 Puncturable Encryption, Revisited

Cohen et al. [CHN⁺18] introduced the notion of puncturable encryption (PE). They used a PE scheme as a crucial building block to construct a publicly extractable watermarking PRF against classical adversaries. We also use a PE scheme to construct an extraction-less watermarking PRF with public simulation (against quantum adversaries). However, we find that the original PE definition is not sufficient for proving unremovability (and our purpose) since there is a subtle issue in the security proof by Cohen et al. [CHN⁺18]. However, we can fix the issue since their PE scheme satisfies a stronger security notion than what they proved. Thus, we introduce a stronger security notion for PE in this section.

The syntax of PE is almost the same as that of the original PE.

Definition 7.1 (Puncturable Encryption (Syntax)).

A puncturable encryption (PE) scheme $\mathsf{PE}$ for a plaintext space $\mathcal{P}=\{0,1\}^{{\ell_{\mathsf{p}}}}$ is a triple of PPT algorithms $(\mathsf{Gen},\mathsf{Puncture},\mathsf{Enc})$ and a deterministic algorithm $\mathsf{Dec}$ . The ciphertext space will be $\{0,1\}^{{\ell_{\mathsf{ct}}}}$ where ${\ell_{\mathsf{ct}}}={\mathrm{poly}}(\lambda,{\ell_{\mathsf{p}}})$ .

$\mathsf{Gen}(1^{\lambda})\rightarrow(\mathsf{ek},\mathsf{dk})$ :: The key generation algorithm takes as input the security parameter $1^{\lambda}$ and outputs an encryption key $\mathsf{ek}$ and a decryption key $\mathsf{dk}$ .
$\mathsf{Puncture}(\mathsf{dk},\{c^{\ast}\})\rightarrow\mathsf{dk}_{\neq c^{\ast}}$ :: The puncturing algorithm takes as input $\mathsf{dk}$ and a string $c^{\ast}\in\{0,1\}^{{\ell_{\mathsf{ct}}}}$ , and outputs a “punctured” decryption key $\mathsf{dk}_{\neq c^{\ast}}$ .
$\mathsf{Enc}(\mathsf{ek},m)\rightarrow c$ :: The encryption algorithm takes as input $\mathsf{ek}$ and a plaintext $m\in\{0,1\}^{{\ell_{\mathsf{p}}}}$ , and outputs a ciphertext $c$ in $\{0,1\}^{{\ell_{\mathsf{ct}}}}$ .
$\mathsf{Dec}(\mathsf{dk}^{\prime},c^{\prime})\rightarrow m^{\prime}\text{ or }\bot$ :: The decryption algorithm takes a possibly punctured decryption key $\mathsf{dk}^{\prime}$ and a string $c^{\prime}\in\{0,1\}^{{\ell_{\mathsf{ct}}}}$ . It outputs a plaintext $m^{\prime}$ or the special symbol $\bot$ .

There are four security requirements on PE. Three of those are the same as those in the original PE security. The difference is ciphertext pseudorandomness.

Definition 7.2 (Puncturable Encryption Security).

A PE scheme $\mathsf{PE}=(\mathsf{Gen},\mathsf{Puncture},\mathsf{Enc},\mathsf{Dec})$ with plaintext space $\mathcal{P}=\{0,1\}^{{\ell_{\mathsf{p}}}}$ and ciphertext space $\mathcal{C}=\{0,1\}^{{\ell_{\mathsf{ct}}}}$ is required to satisfy the following properties.

Correctness:

We require that for all plaintext $m\in\mathcal{P}$ and $(\mathsf{ek},\mathsf{dk})\leftarrow\mathsf{Gen}(1^{\lambda})$ , it holds that $\mathsf{Dec}(\mathsf{dk},\mathsf{Enc}(\mathsf{ek},m))=m$ .

Punctured Correctness:

We require the same to hold for punctured keys. For all possible keys $(\mathsf{ek},\mathsf{dk})\leftarrow\mathsf{Gen}(1^{\lambda})$ , all string $c^{\ast}\in\mathcal{C}$ , all punctured keys $\mathsf{dk}_{\neq c^{\ast}}\leftarrow\mathsf{Puncture}(\mathsf{dk},\{c^{\ast}\})$ , and all potential ciphertexts $c\in\mathcal{C}\setminus\{c^{\ast}\}$ :

\mathsf{Dec}(\mathsf{dk},c)=\mathsf{Dec}(\mathsf{dk}_{\neq c^{\ast}},c).

Sparseness:

We also require that most strings are not valid ciphertexts:

\displaystyle\Pr\left[\mathsf{Dec}(\mathsf{dk},c)\neq\bot~{}\left|~{}(\mathsf{ek},\mathsf{dk})\leftarrow\mathsf{Gen}(1^{\lambda}),c\leftarrow\{0,1\}^{{\ell_{\mathsf{ct}}}}\right.\right]\leq{\mathsf{negl}}(\lambda).

(34)

Ciphertext Pseudorandomness:

We require that PE has strong ciphertext pseudorandomness defined in Definition 7.3.

Definition 7.3 (Strong Ciphertext Pseudorandomness).

We define the following experiment $\mathsf{Exp}_{\mathpzc{A}}^{\mathsf{s}\mbox{-}\mathsf{cpr}}(\lambda)$ .

1.

$\mathpzc{A}$ sends a message $m^{*}\in\mathcal{P}=\{0,1\}^{{\ell_{\mathsf{p}}}}$ to the challenger.
2.

The challenger does the following:
- •
  
  Generate $(\mathsf{ek},\mathsf{dk})\leftarrow\mathsf{Gen}(1^{\lambda})$
- •
  
  Compute a ciphertext $c^{*}\leftarrow\mathsf{Enc}(\mathsf{ek},m^{*})$ .
- •
  
  Choose $r^{*}\leftarrow\mathcal{C}=\{0,1\}^{{\ell_{\mathsf{ct}}}}$ .
- •
  
  Choose $\mathsf{coin}\leftarrow\{0,1\}$ and set $x_{0}\coloneqq c^{\ast}$ and $x_{1}\coloneqq r^{\ast}$ .
- •
  
  Generate a punctured key $\mathsf{dk}_{\neq x_{\mathsf{coin}}}\leftarrow\mathsf{Puncture}(\mathsf{dk},\{x_{\mathsf{coin}}\})$
- •
  
  Send $(x_{\mathsf{coin}},\mathsf{ek},\mathsf{dk}_{\neq x_{\mathsf{coin}}})$ to $\mathpzc{A}$ :
3.

$\mathpzc{A}$ outputs $\mathsf{coin}^{\ast}$ and the experiment outputs $1$ if $\mathsf{coin}=\mathsf{coin}^{\ast}$ ; otherwise $0$ .

We say that $\mathsf{PE}$ has strong ciphertext pseudorandomness if for every QPT adversary $\mathpzc{A}$ , it holds that

\mathsf{Adv}_{\mathpzc{A}}^{\mathsf{s}\mbox{-}\mathsf{cpr}}(\lambda)\coloneqq 2\absolutevalue{\Pr[\mathsf{Exp}_{\mathcal{A}}^{\mathsf{s}\mbox{-}\mathsf{cpr}}(\lambda)=1]-\frac{1}{2}}\leq{\mathsf{negl}}(\lambda).

Remark 7.4 (Difference from the original PE).

In the original PE definition, $\mathsf{Puncture}$ takes two strings $\{c_{0},c_{1}\}\subset\{0,1\}^{{\ell_{\mathsf{ct}}}}$ and outputs a punctured decryption key $\mathsf{dk}_{\notin\{c_{0},c_{1}\}}$ and punctured correctness is accordingly defined.

In the original ciphertext pseudorandomness (described in Section B.4), a punctured decryption key is punctured at both $c^{\ast}$ and $r^{\ast}$ . That is, the information about $m^{\ast}$ remains in $\mathsf{dk}_{\notin\{c^{\ast},r^{\ast}\}}$ for $\mathsf{coin}\in\{0,1\}$ . This is an issue for our purpose (and the proof by Cohen et al. [CHN⁺18]). Thus, we introduce the strong ciphertext pseudorandomness, where the information about $m^{\ast}$ disappears in the case $\mathsf{coin}=1$ since the punctured decryption key is $\mathsf{dk}_{\neq r^{\ast}}$ when $\mathsf{coin}=1$ .

In fact, the PE scheme $\mathsf{PE}$ by Cohen et al. [CHN⁺18] satisfies strong ciphertext pseudorandomness (and thus, we can also fix the issue in the proof by Cohen et al.¹²¹²12See Section B.4 for the detail of the issue.).

Theorem 7.5.

If there exists secure IO for circuits and the QLWE assumption holds, there exists secure PE that satisfies strong ciphertext pseudorandomness.

We prove this theorem in Appendix B.

7.2 Construction of Extraction-less Watermarking PRF with Public Simulation

We describe our extraction-less watermarking PRF $\mathsf{PRF}_{\mathsf{io}}$ for message space $\{0,1\}^{{\ell_{\mathsf{m}}}}$ with domain $\{0,1\}^{\ell_{\mathsf{in}}}$ and range $\{0,1\}^{\ell_{\mathsf{out}}}$ below. We use the following tools:

•

PPRF $\mathsf{PRF}=\mathsf{PRF}.(\mathsf{Gen},\mathsf{Eval},\mathsf{Puncture})$ . We denote a PRF evaluation circuit $\mathsf{PRF}.\mathsf{Eval}_{\mathsf{prfk}}(\cdot)$ by $\mathsf{F}:\{0,1\}^{\ell_{\mathsf{in}}}\rightarrow\{0,1\}^{\ell_{\mathsf{out}}}$ , a PRF evaluation circuit with punctured key $\mathsf{PRF}.\mathsf{Eval}_{\mathsf{prfk}_{\neq x}}(\cdot)$ by $\mathsf{F}_{\neq x}$ (that is, we omit $\mathsf{prfk}$ and simply write $\mathsf{F}(\cdot)$ instead of $\mathsf{F}_{\mathsf{prfk}}(\cdot)$ ) for ease of notations.
•

PE scheme $\mathsf{PE}=\mathsf{PE}.(\mathsf{Gen},\mathsf{Puncture},\mathsf{Enc},\mathsf{Dec})$ . The plaintext and ciphertext space of PE are $\{0,1\}^{{\ell_{\mathsf{pt}}}}$ and $\{0,1\}^{{\ell_{\mathsf{ct}}}}$ , respectively, where ${\ell_{\mathsf{pt}}}=\ell+\log{{\ell_{\mathsf{m}}}}+1$ and $\ell_{\mathsf{in}}\coloneqq{\ell_{\mathsf{ct}}}$ ( ${\ell_{\mathsf{ct}}}={\mathrm{poly}}(\ell,\log{{\ell_{\mathsf{m}}}})$ ).
•

Indistinguishability obfuscator $i\mathcal{O}$ .
•

PRG $\mathsf{PRG}:\{0,1\}^{\ell}\rightarrow\{0,1\}^{\ell_{\mathsf{out}}}$ .

$\mathsf{Setup}(1^{\lambda})$ :

•

Output $(\mathsf{pp},\mathsf{xk})\coloneqq(\bot,\bot)$ .

$\mathsf{Gen}(\mathsf{pp})$ :

•

Parse $\mathsf{pp}=\bot$ .
•

Compute $\mathsf{F}\leftarrow\mathsf{PRF}.\mathsf{Gen}(1^{\lambda})$ .
•

Generate $(\mathsf{pe.ek},\mathsf{pe.dk})\leftarrow\mathsf{PE}.\mathsf{Gen}(1^{\lambda})$ .
•

Output $\mathsf{prfk}\coloneqq(\mathsf{F},\mathsf{pe.dk})$ and $\tau\coloneqq\mathsf{pe.ek}$ .

$\mathsf{Eval}(\mathsf{prfk},x\in\{0,1\}^{\ell_{\mathsf{in}}})$ :

•

Parse $\mathsf{prfk}=(\mathsf{F},\mathsf{pe.dk})$ .
•

Compute and output $y\leftarrow\mathsf{F}(x)$ .

$\mathsf{Mark}(\mathsf{pp},\mathsf{prfk},\mathsf{m}\in\{0,1\}^{{\ell_{\mathsf{m}}}})$ :

•

Parse $\mathsf{pp}=\bot$ and $\mathsf{prfk}=(\mathsf{F},\mathsf{pe.dk})$ .
•

Construct a circuit $D[\mathsf{F},\mathsf{pe.dk},\mathsf{m}]$ described in Figure 6.
•

Compute and output $\widetilde{C}\coloneqq i\mathcal{O}(D[\mathsf{F},\mathsf{pe.dk},\mathsf{m}])$ .

$\mathsf{Sim}(\mathsf{xk},\tau,i)$ :

•

Parse $\mathsf{xk}=\bot$ and $\tau=\mathsf{pe.ek}$ .
•

Choose $\gamma\leftarrow\{0,1\}$ and $s\leftarrow\{0,1\}^{\ell}$ .
•

Compute $y\coloneqq\mathsf{PRG}(s)$ .
•

Compute $x\leftarrow\mathsf{PE}.\mathsf{Enc}(\mathsf{pe.ek},s\|i\|\gamma)$ .
•

Output $(\gamma,x,y)$

The size of the circuit $D$ is appropriately padded to be the maximum size of all modified circuits, which will appear in the security proof.

Circuit $D[\mathsf{F},\mathsf{pe.dk},\mathsf{m}]$ Constants: A PRF $\mathsf{F}$ , a PE decryption key $\mathsf{pe.dk}$ , and a message $\mathsf{m}$ . Input: A string $x\in\{0,1\}^{\ell_{\mathsf{in}}}$ . 1. Compute $d\leftarrow\mathsf{PE}.\mathsf{Dec}(\mathsf{pe.dk},x)$ . 2. If $d\neq\bot$ , do the following (a) Parse $d=s\|i\|\gamma$ , where $s\in\{0,1\}^{\ell}$ , $i\in[{\ell_{\mathsf{m}}}]$ , and $\gamma\in\{0,1\}$ . (b) If $\mathsf{m}[i]\neq\gamma$ , output $\mathsf{PRG}(s)$ . Otherwise, output $\mathsf{F}(x)$ . 3. Otherwise, output $\mathsf{F}(x)$ .

Figure 6: The description of

D

The evaluation correctness of $\mathsf{PRF}_{\mathsf{io}}$ immediately follows from the sparseness of $\mathsf{PE}$ and the functionality of $i\mathcal{O}$ .¹³¹³13In fact, $\mathsf{PRF}_{\mathsf{io}}$ satisfies a stronger evaluation correctness than one written in Definition 4.1. The evaluation correctness holds even for any PRF key $\mathsf{prfk}$ and input $x\in\mathsf{Dom}$ like the statistical correctness by Cohen et al. [CHN⁺18]. $\mathsf{PRF}_{\mathsf{io}}$ trivially satisfies pseudorandomness (against an authority) since $\mathsf{Setup}$ outputs nothing, $\tau$ is a public key $\mathsf{pe.ek}$ , and $\mathsf{Eval}$ is independent of $(\mathsf{pe.ek},\mathsf{pe.dk})$ ( $\mathsf{pe.dk}$ is not used in $\mathsf{Eval}$ ). Moreover, we have the following theorem.

Theorem 7.6.

If $\mathsf{PRF}$ is a secure PPRF, $\mathsf{PRG}$ is a secure PRG, $\mathsf{PE}$ is a secure PE with strong ciphertext pseudorandomness, and $i\mathcal{O}$ is a secure IO, then $\mathsf{PRF}_{\mathsf{io}}$ is an extraction-less watermarking PRF satisfying SIM-MDD security with public simulation.

Proof of Theorem 7.6.

We define a sequence of hybrid games. We sometimes omit hard-coded values when we write some circuits. For example, we simply write $D$ instead of $D[\mathsf{F},\mathsf{pe.dk},\mathsf{m}]$ when hard-coded values $(\mathsf{F},\mathsf{pe.dk},\mathsf{m})$ are not important in arguments or clear from the context.

$\mathsf{Hyb}_{0}$ :

This is the same as the case $b=1$ in $\mathsf{Exp}_{i^{\ast},\mathpzc{A},\mathsf{PRF}_{\mathsf{io}}}^{\mathsf{pub}\mbox{-}\mathsf{sim}\mbox{-}\mathsf{mdd}}(\lambda)$ . In this game, $\mathpzc{A}$ is given $\tau=\mathsf{pe.ek}$ and $\widetilde{C}=i\mathcal{O}(D[\mathsf{F},\mathsf{pe.dk},\mathsf{m}])$ as a public tag and a marked circuit, where $(\mathsf{pe.ek},\mathsf{pe.dk})\leftarrow\mathsf{PE}.\mathsf{Gen}(1^{\lambda})$ , $(\mathsf{F},\mathsf{pe.dk})$ is the target PRF key, and $\mathsf{m}$ is the target message from $\mathpzc{A}$ . Also, $\mathpzc{A}$ is given $(\gamma^{\ast},x^{\ast},y^{\ast})=(\gamma_{1},x_{1},y_{1})$ as the challenge tuple, where $\gamma_{1}\leftarrow\{0,1\}$ , $x_{1}\leftarrow\mathsf{PE}.\mathsf{Enc}(\mathsf{pe.ek},s^{\ast}\|i^{\ast}\|\gamma_{1})$ , $y_{1}\coloneqq\mathsf{PRG}(s^{\ast})$ , and $s^{\ast}\leftarrow\{0,1\}^{\ell}$ .

Case $\gamma^{\ast}=\mathsf{m}[i^{\ast}]$ :

We consider two cases separately hereafter. First, we consider the case where $\gamma^{\ast}=\mathsf{m}[i^{\ast}]$ . We denote these hybrid games by $\mathsf{Hyb}_{k}^{=}$ . Note that we can choose $\gamma^{\ast}$ at any time and hard-code it into $\widetilde{D}$ in the proof since it is a uniformly random bit in all hybrid games.

$\mathsf{Hyb}_{1}^{=}$ :

This is the same as $\mathsf{Hyb}_{0}$ except that if $\gamma_{1}=\mathsf{m}[i^{\ast}]$ , we use $\widetilde{D}\leftarrow i\mathcal{O}(D_{\neq x_{1}}^{\$}[\mathsf{F},\mathsf{pe.dk}_{\neq x_{1}},\mathsf{m},\gamma_{1},x_{1},\overline{y}])$ , where $D_{\neq x^{\ast}}^{\$}$ is described in Figure 7 and $\overline{y}\coloneqq\mathsf{F}(x_{1})$ . We use a punctured decryption key $\mathsf{pe.dk}_{\neq x_{1}}$ instead of $\mathsf{pe.dk}$ . However, we do not use a punctured key for $\mathsf{F}$ .

Circuit $D_{\neq x^{\ast}}^{\$}[\mathsf{F},\mathsf{pe.dk}^{\prime},\mathsf{m},\gamma^{\ast},x^{\ast},\overline{y}]$ Constants: A PRF key $\mathsf{F}$ , a (possibly punctured) PE decryption key $\mathsf{pe.dk}^{\prime}$ , a message $\mathsf{m}$ , a bit $\gamma^{\ast}$ , and strings $x^{\ast}\in\{0,1\}^{\ell_{\mathsf{in}}},\overline{y}\in\{0,1\}^{\ell_{\mathsf{out}}}$ . Input: A string $x\in\{0,1\}^{\ell_{\mathsf{in}}}$ . 1. If $x=x^{\ast}$ , output $\overline{y}$ . 2. Compute $d\leftarrow\mathsf{PE}.\mathsf{Dec}({\color[rgb]{1,0,0}\definecolor[named]{pgfstrokecolor}{rgb}{1,0,0}\underline{{\color[rgb]{0,0,0}\definecolor[named]{pgfstrokecolor}{rgb}{0,0,0}\pgfsys@color@gray@stroke{0}\pgfsys@color@gray@fill{0}\mathsf{pe.dk}^{\prime}}}},x)$ . 3. If $d\neq\bot$ , do the following (a) Parse $d=s\|i\|\gamma$ , where $s\in\{0,1\}^{\ell}$ , $i\in[{\ell_{\mathsf{m}}}]$ , and $\gamma\in\{0,1\}$ . (b) If $\mathsf{m}[i]\neq\gamma$ , output $\mathsf{PRG}(s)$ . Otherwise, output $\mathsf{F}(x)$ . 4. Otherwise, output $\mathsf{F}(x)$ .

Figure 7: The description of

D_{\neq x^{\ast}}^{\$}

(for

\gamma^{\ast}=\mathsf{m}[i^{\ast}]

)

$\mathsf{Hyb}_{2}^{=}$ :

This is the same as $\mathsf{Hyb}_{1}^{=}$ except that we generate

•

$x_{0}\leftarrow\{0,1\}^{\ell_{\mathsf{in}}}$ ,
•

$\widetilde{D}\leftarrow i\mathcal{O}(D_{\neq x_{0}}^{\$}[\mathsf{F},\mathsf{pe.dk}_{\neq x_{0}},\mathsf{m},\gamma_{1},x_{0},\overline{y}])$ .

That is, we replace $x^{\ast}=x_{1}$ and $\mathsf{pe.dk}^{\prime}=\mathsf{pe.dk}_{\neq x_{1}}$ with $x^{\ast}=x_{0}$ and $\mathsf{pe.dk}^{\prime}=\mathsf{pe.dk}_{\neq x_{0}}$ , respectively.

We also rename $\gamma_{1}\leftarrow\{0,1\}$ into $\gamma_{0}\leftarrow\{0,1\}$ (these distributions are the same).

$\mathsf{Hyb}_{3}^{=}$ :

This is the same as $\mathsf{Hyb}_{2}^{=}$ except that we use $y_{0}\leftarrow\{0,1\}^{\ell_{\mathsf{out}}}$ instead of $y_{1}\coloneqq\mathsf{PRG}(s^{\ast})$ .

We describe the high-level overview of hybrid games for $\gamma^{\ast}=\mathsf{m}[i^{\ast}]$ in Figures 9 and 10.

Case $\gamma^{\ast}\neq\mathsf{m}[i^{\ast}]$ :

Next, we consider the case where $\gamma^{\ast}\neq\mathsf{m}[i^{\ast}]$ . We denote these hybrid games by $\mathsf{Hyb}_{k}^{\neq}$ .

$\mathsf{Hyb}_{1}^{\neq}$ :

This is the same as $\mathsf{Hyb}_{0}$ except that if $\gamma_{1}\neq\mathsf{m}[i^{\ast}]$ , we generate $\widetilde{D}\leftarrow i\mathcal{O}(D_{\neq x_{1}}^{\mathsf{real}}[\mathsf{F},\mathsf{pe.dk}_{\neq x_{1}},\mathsf{m},\gamma_{1},x_{1},y_{1}])$ , where $D_{\neq x^{\ast}}^{\mathsf{real}}$ is described in Figure 8 and $y_{1}\coloneqq\mathsf{PRG}(s^{\ast})$ . We use a punctured decryption key $\mathsf{pe.dk}_{\neq x_{1}}$ instead of $\mathsf{pe.dk}$ . However, we do not use a puncture key for $\mathsf{F}$ at this point.

Circuit $D_{\neq x^{\ast}}^{\mathsf{real}}[\mathsf{F}^{\prime},\mathsf{pe.dk}^{\prime},\mathsf{m},\gamma^{\ast},x^{\ast},y^{\ast}]$ Constants: A (possibly punctured) PRF key $\mathsf{F}^{\prime}$ , a (possibly punctured) PE decryption key $\mathsf{pe.dk}^{\prime}$ , a message $\mathsf{m}$ , a bit $\gamma^{\ast}$ , and strings $x^{\ast}\in\{0,1\}^{\ell_{\mathsf{in}}},y^{\ast}\in\{0,1\}^{\ell_{\mathsf{out}}}$ . Input: A string $x\in\{0,1\}^{\ell_{\mathsf{in}}}$ . 1. If $x=x^{\ast}$ , output $y^{\ast}$ . 2. Compute $d\leftarrow\mathsf{PE}.\mathsf{Dec}({\color[rgb]{1,0,0}\definecolor[named]{pgfstrokecolor}{rgb}{1,0,0}\underline{{\color[rgb]{0,0,0}\definecolor[named]{pgfstrokecolor}{rgb}{0,0,0}\pgfsys@color@gray@stroke{0}\pgfsys@color@gray@fill{0}\mathsf{pe.dk}^{\prime}}}},x)$ . 3. If $d\neq\bot$ , do the following (a) Parse $d=s\|i\|\gamma$ , where $s\in\{0,1\}^{\ell}$ , $i\in[{\ell_{\mathsf{m}}}]$ , and $\gamma\in\{0,1\}$ . (b) If $\mathsf{m}[i]\neq\gamma$ , output $\mathsf{PRG}(s)$ . Otherwise, output $\mathsf{F}^{\prime}(x)$ . 4. Otherwise, output $\mathsf{F}^{\prime}(x)$ .

Figure 8: The description of

D_{\neq x^{\ast}}^{\mathsf{real}}

(for

\gamma^{\ast}=1-\mathsf{m}[i^{\ast}]

)

$\mathsf{Hyb}_{2}^{\neq}$ :

This is the same as $\mathsf{Hyb}_{1}^{\neq}$ except that

•

$x_{0}\leftarrow\{0,1\}^{\ell_{\mathsf{in}}}$ ,
•

$\widetilde{D}\leftarrow i\mathcal{O}(D_{\neq x_{0}}^{\mathsf{real}}[\mathsf{F},\mathsf{pe.dk}_{\neq x_{0}},\mathsf{m},\gamma_{1},x_{0},y_{1}])$ .

That is, we replace $x^{\ast}=x_{1}$ and $\mathsf{pe.dk}^{\prime}=\mathsf{pe.dk}_{\neq x_{1}}$ with $x^{\ast}=x_{0}$ and $\mathsf{pe.dk}^{\prime}=\mathsf{pe.dk}_{\neq x_{0}}$ , respectively. We also rename $\gamma_{1}\leftarrow\{0,1\}$ into $\gamma_{0}\leftarrow\{0,1\}$ (these distributions are the same).

$\mathsf{Hyb}_{3}^{\neq}$ :

This is the same as $\mathsf{Hyb}_{2}^{\neq}$ except that we use $y_{0}\leftarrow\{0,1\}^{\ell_{\mathsf{out}}}$ instead of $y_{1}\coloneqq\mathsf{PRG}(s^{\ast})$ .

$\mathsf{Hyb}_{4}^{\neq}$ :

This is the same as $\mathsf{Hyb}_{3}^{\neq}$ except that we use $\mathsf{F}_{\neq x_{0}}$ instead of $\mathsf{F}$ .

$\mathsf{Hyb}_{5}^{\neq}$ :

This is the same as $\mathsf{Hyb}_{4}^{\neq}$ except that we use $y_{0}\coloneqq\mathsf{F}(x_{0})$ instead of $y_{0}\leftarrow\{0,1\}^{\ell_{\mathsf{out}}}$ .

$\mathsf{Hyb}_{6}^{\neq}$ :

This is the same as $\mathsf{Hyb}_{5}^{\neq}$ except that we use $\mathsf{F}$ instead of $\mathsf{F}_{\neq x_{0}}$ .

We describe the high-level overview of hybrid games for $\gamma^{\ast}\neq\mathsf{m}[i^{\ast}]$ in Figures 9 and 11.

End of case analysis:

The two case analyses end. Remaining transitions are the reverse of transitions from $\mathsf{Hyb}_{0}$ to $\mathsf{Hyb}_{1}^{=}$ or $\mathsf{Hyb}_{1}^{\neq}$ .

$\mathsf{Hyb}_{4}^{=}$ and $\mathsf{Hyb}_{7}^{\neq}$ :

These are the same as $\mathsf{Hyb}_{3}^{=}$ and $\mathsf{Hyb}_{6}^{\neq}$ , respectively except that

•

if $\gamma_{0}=\mathsf{m}[i^{\ast}]$ , we use $\widetilde{D}\leftarrow i\mathcal{O}(D[\mathsf{F},\mathsf{pe.dk},\mathsf{m}])$ instead of $\widetilde{D}\leftarrow i\mathcal{O}(D_{\neq x_{0}}^{\$}[\mathsf{F},\mathsf{pe.dk}_{\neq x_{0}},\mathsf{m},\gamma_{0},x_{0},\overline{y}])$ , where $D_{\neq x^{\ast}}^{\$}$ is described in Figure 7 and $\overline{y}\coloneqq\mathsf{F}(x_{0})$ .
•

if $\gamma_{0}\neq\mathsf{m}[i^{\ast}]$ , we use $\widetilde{D}\leftarrow i\mathcal{O}(D[\mathsf{F},\mathsf{pe.dk},\mathsf{m}])$ instead of $\widetilde{D}\leftarrow i\mathcal{O}(D_{\neq x_{0}}^{\mathsf{real}}[\mathsf{F},\mathsf{pe.dk}_{\neq x_{0}},\mathsf{m},\gamma_{0},x_{0},y_{0}])$ , where $D_{\neq x^{\ast}}^{\mathsf{real}}$ is described in Figure 8 and $y_{0}\coloneqq\mathsf{F}(x_{0})$ .

The each last hybrid is the same as the case $b=0$ in $\mathsf{Exp}_{i^{\ast},\mathpzc{A},\mathsf{PRF}_{\mathsf{io}}}^{\mathsf{pub}\mbox{-}\mathsf{sim}\mbox{-}\mathsf{mdd}}(\lambda)$ . That is, $\mathpzc{A}$ is given $\widetilde{C}=i\mathcal{O}(D[\mathsf{F},\mathsf{pe.dk},\mathsf{m}])$ and $(\gamma_{0},x_{0},y_{0})\leftarrow D_{\mathtt{real},i^{\ast}}$ . Recall that $x_{0}\leftarrow\{0,1\}^{\ell_{\mathsf{in}}}$ and

•

$y_{0}\leftarrow\{0,1\}^{\ell_{\mathsf{out}}}$ if $\gamma_{0}=\mathsf{m}[i^{\ast}]$ (see $\mathsf{Hyb}_{3}^{=}$ ),
•

$y_{0}\coloneqq\mathsf{F}(x_{0})$ if $\gamma_{0}\neq\mathsf{m}[i^{\ast}]$ (see $\mathsf{Hyb}_{5}^{\neq}$ ).

	$\mathsf{prfk}$	$O_{\mathtt{chall}}$		security
		$\gamma_{1}=\mathsf{m}[i^{\ast}]$	$\gamma_{1}\neq\mathsf{m}[i^{\ast}]$
$\mathsf{Hyb}_{0}$	$(\mathsf{F},\mathsf{pe.dk})$	$i\mathcal{O}(D)$	$i\mathcal{O}(D)$
$\mathsf{Hyb}_{1}^{=}$	$(\mathsf{F},{\color[rgb]{1,0,0}\definecolor[named]{pgfstrokecolor}{rgb}{1,0,0}\underline{{\color[rgb]{0,0,0}\definecolor[named]{pgfstrokecolor}{rgb}{0,0,0}\pgfsys@color@gray@stroke{0}\pgfsys@color@gray@fill{0}\mathsf{pe.dk}_{\neq x_{1}}}}})$	$i\mathcal{O}(D_{\neq x_{1}}^{\$})$	N/A	IO & PE p-Cor.
$\mathsf{Hyb}_{1}^{\neq}$	$(\mathsf{F},{\color[rgb]{1,0,0}\definecolor[named]{pgfstrokecolor}{rgb}{1,0,0}\underline{{\color[rgb]{0,0,0}\definecolor[named]{pgfstrokecolor}{rgb}{0,0,0}\pgfsys@color@gray@stroke{0}\pgfsys@color@gray@fill{0}\mathsf{pe.dk}_{\neq x_{1}}}}})$	N/A	$i\mathcal{O}(D_{\neq x_{1}}^{\mathsf{real}})$	IO & PE p-Cor.

Figure 9: High-level overview of hybrid games from

\mathsf{Hyb}_{0}

\mathsf{Hyb}_{1}^{=}

and

\mathsf{Hyb}_{1}^{\neq}

. Note that in these hybrid games,

(\gamma_{1},x_{1},y_{1})\leftarrow\mathsf{Sim}(\mathsf{xk},\tau,i^{\ast})

and

x^{\ast}=x_{1}

. We use

\mathsf{pe.dk}_{\neq x_{1}}

D_{\neq x_{1}}^{\$}

and

D_{\neq x_{1}}^{\mathsf{real}}

, but

\mathsf{F}

is not punctured yet. In “security” column, PE p-Cor. means PE punctured correctness.

	$\gamma^{\ast}=\mathsf{m}[i]$
	$x^{\ast}$ ( $x_{1}$ / $x_{0}$ )	$y^{\ast}$ ( $y_{1}$ / $y_{0}$ )	$\overline{y}$	$O_{\mathtt{chall}}$	$\mathsf{prfk}$	security
$\mathsf{Hyb}_{1}^{=}$	$\mathsf{PE}.\mathsf{Enc}(p_{i^{\ast}})$	$\mathsf{PRG}(s^{\ast})$	$\mathsf{F}(x_{1})$	$i\mathcal{O}(D_{\neq x_{1}}^{\$}[x_{1}\mapsto\bar{y}])$	$(\mathsf{F},\mathsf{pe.dk}_{\neq x_{1}})$
$\mathsf{Hyb}_{2}^{=}$	$x_{0}\leftarrow\$$	$\mathsf{PRG}(s^{\ast})$	$\mathsf{F}(x_{0})$	$i\mathcal{O}(D_{\neq x_{0}}^{\$}[x_{0}\mapsto\bar{y}])$	$(\mathsf{F},\mathsf{pe.dk}_{\neq x_{0}})$	S-CPR
$\mathsf{Hyb}_{3}^{=}$	$\$$	$y_{0}\leftarrow\$$	$\mathsf{F}(x_{0})$	$i\mathcal{O}(D_{\neq x_{0}}^{\$}[x_{0}\mapsto\bar{y}])$	$(\mathsf{F},\mathsf{pe.dk}_{\neq x_{0}})$	PRG
$\mathsf{Hyb}_{4}^{=}$	$\$$	$\$$	$\mathsf{F}(x_{0})$	$i\mathcal{O}(D)$	$(\mathsf{F},{\color[rgb]{1,0,0}\definecolor[named]{pgfstrokecolor}{rgb}{1,0,0}\underline{{\color[rgb]{0,0,0}\definecolor[named]{pgfstrokecolor}{rgb}{0,0,0}\pgfsys@color@gray@stroke{0}\pgfsys@color@gray@fill{0}\mathsf{pe.dk}}}})$	IO & PE p-Cor.

Figure 10: High-level overview of hybrid games from

\mathsf{Hyb}_{1}^{=}

\mathsf{Hyb}_{4}^{=}

. Here,

p_{i^{\ast}}\coloneqq(s^{\ast}\|i^{\ast}\|\gamma_{1})

and

x_{1}\leftarrow\mathsf{PE}.\mathsf{Enc}(\mathsf{pe.ek},p_{i^{\ast}})

. Note that

\overline{y}

is an output of

D_{\neq x^{\ast}}^{\$}

for input

x^{\ast}

for

\gamma_{1}=\mathsf{m}[i^{\ast}]

case.

D_{\neq x^{\ast}}^{\$}[x^{\ast}\mapsto\overline{y}]

means

D_{\neq x^{\ast}}^{\$}(x^{\ast})

outputs the hard-coded value

\overline{y}

. In “security” column, S-CPR means the Strong Ciphertext PseudoRandomness of PE.

	$\gamma^{\ast}\neq\mathsf{m}[i]$
	$x^{\ast}$ ( $x_{1}$ / $x_{0}$ )	$y^{\ast}$ ( $y_{1}$ / $y_{0}$ )	$O_{\mathtt{chall}}$	$\mathsf{prfk}$	security
$\mathsf{Hyb}_{1}^{\neq}$	$\mathsf{PE}.\mathsf{Enc}(p_{i^{\ast}})$	$\mathsf{PRG}(s^{\ast})$	$i\mathcal{O}(D_{\neq x_{1}}^{\mathsf{real}}[x_{1}\mapsto y_{1}])$	$(\mathsf{F},\mathsf{pe.dk}_{\neq x_{1}})$
$\mathsf{Hyb}_{2}^{\neq}$	$x_{0}\leftarrow\$$	$\mathsf{PRG}(s^{\ast})$	$i\mathcal{O}(D_{\neq x_{0}}^{\mathsf{real}}[x_{0}\mapsto y_{1}])$	$(\mathsf{F},\mathsf{pe.dk}_{\neq x_{0}})$	S-CPR
$\mathsf{Hyb}_{3}^{\neq}$	$\$$	$y_{0}\leftarrow\$$	$i\mathcal{O}(D_{\neq x_{0}}^{\mathsf{real}}[x_{0}\mapsto y_{0}])$	$(\mathsf{F},\mathsf{pe.dk}_{\neq x_{0}})$	PRG
$\mathsf{Hyb}_{4}^{\neq}$	$\$$	$\$$	$i\mathcal{O}(D_{\neq x_{0}}^{\mathsf{real}}[x_{0}\mapsto y_{0}])$	$({\color[rgb]{1,0,0}\definecolor[named]{pgfstrokecolor}{rgb}{1,0,0}\underline{{\color[rgb]{0,0,0}\definecolor[named]{pgfstrokecolor}{rgb}{0,0,0}\pgfsys@color@gray@stroke{0}\pgfsys@color@gray@fill{0}\mathsf{F}_{\neq x_{0}}}}},\mathsf{pe.dk}_{\neq x_{0}})$	IO & PPRF p-Cor.
$\mathsf{Hyb}_{5}^{\neq}$	$\$$	$\mathsf{F}(x_{0})$	$i\mathcal{O}(D_{\neq x_{0}}^{\mathsf{real}}[x_{0}\mapsto y_{0}])$	$(\mathsf{F}_{\neq x_{0}},\mathsf{pe.dk}_{\neq x_{0}})$	PPRF
$\mathsf{Hyb}_{6}^{\neq}$	$\$$	$\mathsf{F}(x_{0})$	$i\mathcal{O}(D_{\neq x_{0}}^{\mathsf{real}}[x_{0}\mapsto y_{0}])$	$({\color[rgb]{1,0,0}\definecolor[named]{pgfstrokecolor}{rgb}{1,0,0}\underline{{\color[rgb]{0,0,0}\definecolor[named]{pgfstrokecolor}{rgb}{0,0,0}\pgfsys@color@gray@stroke{0}\pgfsys@color@gray@fill{0}\mathsf{F}}}},\mathsf{pe.dk}_{\neq x_{0}})$	IO & PPRF p-Cor.
$\mathsf{Hyb}_{7}^{\neq}$	$\$$	$\mathsf{F}(x_{0})$	$i\mathcal{O}(D)$	$(\mathsf{F},{\color[rgb]{1,0,0}\definecolor[named]{pgfstrokecolor}{rgb}{1,0,0}\underline{{\color[rgb]{0,0,0}\definecolor[named]{pgfstrokecolor}{rgb}{0,0,0}\pgfsys@color@gray@stroke{0}\pgfsys@color@gray@fill{0}\mathsf{pe.dk}}}})$	IO & PE p-Cor.

Figure 11: High-level overview of hybrid games from

\mathsf{Hyb}_{1}^{\neq}

\mathsf{Hyb}_{7}^{\neq}

. Here,

p_{i^{\ast}}\coloneqq(s^{\ast}\|i^{\ast}\|\gamma_{1})

and

x_{1}\leftarrow\mathsf{PE}.\mathsf{Enc}(\mathsf{pe.ek},p_{i^{\ast}})

D_{\neq x^{\ast}}^{\mathsf{real}}[x^{\ast}\mapsto y^{\ast}]

means

D_{\neq x^{\ast}}^{\mathsf{real}}(x^{\ast})

outputs the hard-coded value

y^{\ast}

. In “security” column, S-CPR and PPRF p-Cor. mean the Strong Ciphertext PseudoRandomness of PE and punctured correctness of PPRF, respectively.

We prove the lemma by proving the following propositions.

The case $\gamma^{\ast}=\mathsf{m}[i]$ .

We first prove propositions for the case $\gamma^{\ast}=\mathsf{m}[i]$ .

Proposition 7.7.

If $i\mathcal{O}$ is a secure IO and $\mathsf{PE}$ satisfies punctured correctness, it holds that

\absolutevalue{\Pr[\mathsf{Hyb}_{0}=1]-\Pr[\mathsf{Hyb}_{1}^{=}=1]}\leq{\mathsf{negl}}(\lambda).

Proof of Proposition 7.7.

The difference between the two games is that $D_{\neq x_{1}}^{\$}[\mathsf{F},\mathsf{pe.dk}_{\neq x_{1}},\mathsf{m},\gamma,x_{1},\overline{y}]$ is used for $O_{\mathtt{chall}}$ instead of $D[\mathsf{F},\mathsf{pe.dk},\mathsf{m}]$ in the case where $\gamma_{1}=\mathsf{m}[i^{\ast}]$ . These two circuits are the same except that

•

for input $x_{1}$ , $D_{\neq x_{1}}^{\$}$ directly outputs $\overline{y}$ ,

due to the punctured correctness of $\mathsf{PE}$ . Thus, if the following hold, $D_{\neq x_{1}}^{\$}$ and $D$ are functionally equivalent:

•

$D(x_{1})$ outputs $\overline{y}=\mathsf{F}(x_{1})$ when $\gamma_{1}=\mathsf{m}[i^{\ast}]$ .

This holds since $x_{1}\leftarrow\mathsf{PE}.\mathsf{Enc}(\mathsf{pe.ek},s^{\ast}\|i^{\ast}\|\gamma_{1})$ and $D(x_{1})$ runs the item (b) in Figure 6, but $\gamma_{1}\neq\mathsf{m}[i^{\ast}]$ does not hold in this case.

Thus, $D_{\neq x_{1}}^{\$}$ and $D$ are functionally equivalent and the proposition holds due to IO security.

Proposition 7.8.

If $\mathsf{PE}$ satisfies strong ciphertext pseudorandomness, it holds that

\absolutevalue{\Pr[\mathsf{Hyb}_{1}^{=}=1]-\Pr[\mathsf{Hyb}_{2}^{=}=1]}\leq{\mathsf{negl}}(\lambda).

Proof of Proposition 7.8.

We construct an algorithm $\mathpzc{B}$ for strong ciphertext pseudorandomness by using $\mathpzc{A}$ . $\mathpzc{B}$ generates $\mathsf{F}\leftarrow\mathsf{PRF}.\mathsf{Gen}(1^{\lambda})$ , and chooses $s^{\ast}\leftarrow\{0,1\}^{\ell}$ and $\gamma_{1}\leftarrow\{0,1\}$ . $\mathpzc{B}$ sends $s^{\ast}\|i^{\ast}\|\gamma_{1}$ to the challenger. The challenger returns $(x^{\ast},\mathsf{pe.ek},\mathsf{pe.dk}_{\neq x^{\ast}})$ to $\mathpzc{B}$ .

Then, $\mathpzc{B}$ passes $\mathsf{pp}\coloneqq\bot$ and $\mathsf{xk}\coloneqq\bot$ to $\mathpzc{A}$ . $\mathpzc{B}$ also computes $\overline{y}\coloneqq\mathsf{F}(x^{\ast})$ .

Challenge:

When $\mathpzc{A}$ sends a challenge query $\mathsf{m}$ , $\mathpzc{B}$ does the following

•

Construct $D_{\neq x^{\ast}}^{\$}[\mathsf{F},\mathsf{pe.dk}_{\neq x^{\ast}},\mathsf{m},\gamma_{1},x^{\ast},\overline{y}]$ as described in Figure 7.
•

Return $\widetilde{C}\coloneqq i\mathcal{O}(D_{\neq x^{\ast}}^{\$}[\mathsf{F},\mathsf{pe.dk}_{\neq x^{\ast}},\mathsf{m},\gamma_{1},x^{\ast},\overline{y}])$ and $\tau\coloneqq\mathsf{pe.ek}$ to $\mathpzc{A}$ .

After finishing $\mathpzc{A}$ ’s challenge query, $\mathpzc{B}$ computes $y^{\ast}\coloneqq\mathsf{PRG}(s^{\ast})$ and sends $(\gamma_{1},x^{\ast},y^{\ast})$ to $\mathpzc{A}$ . Finally, when $\mathpzc{A}$ terminates with output $\mathsf{coin}^{\prime}$ , $\mathpzc{B}$ outputs $\mathsf{coin}^{\prime}$ and terminates. $\mathpzc{B}$ perfectly simulates

•

$\mathsf{Hyb}_{1}^{=}$ if $x^{\ast}\leftarrow\mathsf{PE}.\mathsf{Enc}(\mathsf{pe.ek},s^{\ast}\|i^{\ast}\|\gamma_{1})$ ,
•

$\mathsf{Hyb}_{2}^{=}$ if $x^{\ast}\leftarrow\{0,1\}^{\ell_{\mathsf{in}}}$ .

Thus, we see that the proposition holds.

Proposition 7.9.

If $\mathsf{PRG}$ is a secure PRG, it holds that $\absolutevalue{\Pr[\mathsf{Hyb}_{2}^{=}=1]-\Pr[\mathsf{Hyb}_{3}^{=}=1]}\leq{\mathsf{negl}}(\lambda)$ .

Proof of Proposition 7.9.

The difference between the two games is that $y^{\ast}$ in the target triple $(\gamma_{0},x_{0},y^{\ast})$ is $\mathsf{PRG}(s^{\ast})$ or random in the case where $\gamma_{0}=\mathsf{m}[i]$ . Recall that we rename $\gamma_{1}\leftarrow\{0,1\}$ to $\gamma_{0}\leftarrow\{0,1\}$ . Note that we randomly choose $x_{0}\leftarrow\{0,1\}^{\ell_{\mathsf{in}}}$ and use $\mathsf{F}$ and $\mathsf{pe.dk}_{\neq x_{0}}$ in these games. Thus, we can apply pseudorandomness of $\mathsf{PRG}$ since the value $s^{\ast}$ is never used anywhere else.

The case where $\gamma^{\ast}\neq\mathsf{m}[i]$ .

Next, we prove propositions for the case where $\gamma^{\ast}\neq\mathsf{m}[i]$ .

Proposition 7.10.

If $i\mathcal{O}$ is a secure IO and $\mathsf{PE}$ satisfies punctured correctness, it holds that

\absolutevalue{\Pr[\mathsf{Hyb}_{0}=1]-\Pr[\mathsf{Hyb}_{1}^{\neq}=1]}\leq{\mathsf{negl}}(\lambda).

Proof of Proposition 7.10.

The difference between the two games is that $D_{\neq x_{1}}^{\mathsf{real}}[\mathsf{F},\mathsf{pe.dk}_{\neq x_{1}},\mathsf{m},\gamma,x_{1},y_{1}]$ is used for the challenge query instead of $D[\mathsf{F},\mathsf{pe.dk},\mathsf{m}]$ in the case where $\gamma_{1}\neq\mathsf{m}[i^{\ast}]$ . These two circuits are the same except that

•

for input $x_{1}$ , $D_{\neq x_{1}}^{\mathsf{real}}$ directly outputs the hard-wired value $y_{1}=\mathsf{PRG}(s^{\ast})$ ,

due to the punctured correctness of $\mathsf{PE}$ . Thus, if the following hold, $D_{\neq x_{1}}^{\mathsf{real}}$ and $D$ are functionally equivalent:

•

$D(x_{1})$ outputs $y_{1}=\mathsf{PRG}(s^{\ast})$ when $\gamma_{1}\neq\mathsf{m}[i^{\ast}]$ ,

This holds since $x_{1}\leftarrow\mathsf{PE}.\mathsf{Enc}(\mathsf{pe.ek},s^{\ast}\|i^{\ast}\|\gamma_{1})$ , $D(x_{1})$ runs the item (b) in Figure 6, and $\gamma_{1}\neq\mathsf{m}[i^{\ast}]$ holds in this case. Thus, $D_{\neq x_{1}}^{\mathsf{real}}$ and $D$ are functionally equivalent and the proposition holds due to IO security.

Proposition 7.11.

If $\mathsf{PE}$ satisfies strong pseudorandom ciphertext, it holds that

\absolutevalue{\Pr[\mathsf{Hyb}_{1}^{\neq}=1]-\Pr[\mathsf{Hyb}_{2}^{\neq}=1]}\leq{\mathsf{negl}}(\lambda).

Proof of Proposition 7.11.

We construct an algorithm $\mathpzc{B}$ for strong ciphertext pseudorandomness by using a distinguisher $\mathpzc{A}$ . $\mathpzc{B}$ generates $\mathsf{F}\leftarrow\mathsf{PRF}.\mathsf{Gen}(1^{\lambda})$ and chooses $s^{\ast}\leftarrow\{0,1\}^{\ell}$ and $\gamma_{1}\leftarrow\{0,1\}$ . $\mathpzc{B}$ sends $s^{\ast}\|i^{\ast}\|\gamma_{1}$ to the challenger. The challenger returns $(x^{\ast},\mathsf{pe.ek},\mathsf{pe.dk}_{\neq x^{\ast}})$ to $\mathpzc{B}$ .

Then, $\mathpzc{B}$ passes $\mathsf{pp}\coloneqq\bot$ and $\mathsf{xk}\coloneqq\bot$ to $\mathpzc{A}$ . $\mathpzc{B}$ also computes $y^{\ast}\coloneqq\mathsf{PRG}(s^{\ast})$ .

Challenge:

When $\mathpzc{A}$ sends a challenge query $\mathsf{m}$ , $\mathpzc{B}$ does the following

•

Construct $D_{\neq x^{\ast}}^{\mathsf{real}}[\mathsf{F},\mathsf{pe.dk}_{\neq x^{\ast}},\mathsf{m},\gamma_{1},x^{\ast},y^{\ast}]$ where $y^{\ast}\coloneqq\mathsf{PRG}(s^{\ast})$ as described in Figure 8.
•

Return $\widetilde{C}\coloneqq i\mathcal{O}(D_{\neq x^{\ast}}^{\mathsf{real}})$ and $\tau\coloneqq\mathsf{pe.ek}$ to $\mathpzc{A}$ .

After finishing $\mathpzc{A}$ ’s challenge, $\mathpzc{B}$ sends $(\gamma_{1},x^{\ast},y^{\ast})$ to $\mathpzc{A}$ . Finally, when $\mathpzc{A}$ terminates with output $\mathsf{coin}^{\prime}$ , $\mathpzc{B}$ outputs $\mathsf{coin}^{\prime}$ and terminates.

$\mathpzc{B}$ perfectly simulates

•

$\mathsf{Hyb}_{1}^{\neq}$ if $x^{\ast}\leftarrow\mathsf{PE}.\mathsf{Enc}(\mathsf{pe.ek},s^{\ast}\|i^{\ast}\|\gamma_{1})$ ,
•

$\mathsf{Hyb}_{2}^{\neq}$ if $x^{\ast}\leftarrow\{0,1\}^{\ell_{\mathsf{in}}}$ .

Thus, we see that the proposition holds.

Proposition 7.12.

If $\mathsf{PRG}$ is a secure PRG, it holds that $\absolutevalue{\Pr[\mathsf{Hyb}_{2}^{\neq}=1]-\Pr[\mathsf{Hyb}_{3}^{\neq}=1]}\leq{\mathsf{negl}}(\lambda)$ .

Proof of Proposition 7.12.

The difference between the two games is that $y^{\ast}$ in the target triple $(\gamma_{0},x_{0},y^{\ast})$ is $\mathsf{PRG}(s^{\ast})$ or random in the case where $\gamma_{0}\neq\mathsf{m}[i]$ . Recall that we rename $\gamma_{1}\leftarrow\{0,1\}$ to $\gamma_{0}\leftarrow\{0,1\}$ . Note that we randomly choose $x_{0}\leftarrow\{0,1\}^{\ell_{\mathsf{in}}}$ and use $\mathsf{F}$ and $\mathsf{pe.dk}_{\neq x_{0}}$ in these games. Thus, we can apply pseudorandomness of $\mathsf{PRG}$ since the value $s^{\ast}$ is never used anywhere else.

Proposition 7.13.

If $i\mathcal{O}$ is a secure IO and $\mathsf{F}$ satisfies punctured correctness, it holds that

\absolutevalue{\Pr[\mathsf{Hyb}_{3}^{\neq}=1]-\Pr[\mathsf{Hyb}_{4}^{\neq}=1]}\leq{\mathsf{negl}}(\lambda).

Proof of Proposition 7.13.

The difference between the two games is that $D_{\neq x_{0}}^{\mathsf{real}}[\mathsf{F}_{\neq x_{0}},\mathsf{pe.dk}_{\neq x_{0}},\mathsf{m},\gamma_{0},x_{0},y_{0}]$ is used for the challenge query instead of $D_{\neq x_{0}}^{\mathsf{real}}[\mathsf{F},\mathsf{pe.dk}_{\neq x_{0}},\mathsf{m},\gamma_{0},x_{0},y_{0}]$ in the case where $\gamma_{0}\neq\mathsf{m}[i^{\ast}]$ . These two circuits are the same except that we use $\mathsf{F}_{\neq x_{0}}$ instead of $\mathsf{F}$ . Those two circuits above are functionally equivalent since $\mathsf{F}_{\neq x_{0}}(\cdot)$ is functionally equivalent to $\mathsf{F}$ except for $x_{0}$ and both $D_{\neq x_{0}}^{\mathsf{real}}[\mathsf{F}_{\neq x_{0}},\mathsf{pe.dk}_{\neq x_{0}},\mathsf{m},\gamma_{0},x_{0},y_{0}](x_{0})$ and $D_{\neq x_{0}}^{\mathsf{real}}[\mathsf{F},\mathsf{pe.dk}_{\neq x_{0}},\mathsf{m},\gamma_{0},x_{0},y_{0}](x_{0})$ directly outputs $y_{0}$ by the description of $D_{\neq x_{0}}^{\mathsf{real}}$ . Note that $D_{\neq x_{0}}^{\mathsf{real}}$ does not have any “if branch” condition that uses $\mathsf{F}$ or $\mathsf{F}_{\neq x_{0}}$ .

Thus, the proposition holds due to IO security.

Proposition 7.14.

If $\mathsf{F}$ satisfies punctured pseudorandomness, it holds that

\absolutevalue{\Pr[\mathsf{Hyb}_{4}^{\neq}=1]-\Pr[\mathsf{Hyb}_{5}^{\neq}=1]}\leq{\mathsf{negl}}(\lambda).

Proof of Proposition 7.14.

We construct an algorithm $\mathpzc{B}$ that breaks the pseudorandomness at punctured points of $\mathsf{F}$ by using $\mathpzc{A}$ .

$\mathpzc{B}$ generates $(\mathsf{pe.ek},\mathsf{pe.dk})\leftarrow\mathsf{PE}.\mathsf{Gen}(1^{\lambda})$ , chooses $x_{0}\leftarrow\{0,1\}^{\ell_{\mathsf{in}}}$ and $\gamma_{0}\leftarrow\{0,1\}$ , sends $x_{0}$ as the challenge to its challenger of $\mathsf{F}$ , and receives $\mathsf{F}_{\neq x_{0}}$ and $y^{\ast}$ . Here $x_{0}$ does not rely on $\mathsf{m}$ , so we can generate $x_{0}$ before $\mathsf{m}$ is fixed. $\mathpzc{B}$ sends $\mathsf{pp}\coloneqq\bot$ and $\mathsf{xk}\coloneqq\bot$ to $\mathpzc{A}$ . $\mathpzc{B}$ also computes $\mathsf{pe.dk}_{\neq x_{0}}\leftarrow\mathsf{PE}.\mathsf{Puncture}(\mathsf{pe.dk},x_{0})$ .

Challenge:: For query $\mathsf{m}$ , $\mathpzc{B}$ can simulate the target marked circuit $\widetilde{C}=i\mathcal{O}(D_{\neq x_{0}}^{\mathsf{real}}[\mathsf{F}_{\neq x_{0}},\mathsf{pe.dk}_{\neq x_{0}},\mathsf{m},\gamma_{0},x_{0},y^{\ast}])$ by using $\mathsf{pe.dk}_{\neq x_{0}}$ , $\mathsf{F}_{\neq x_{0}}$ , $y^{\ast}$ , and the public tag $\tau=\mathsf{pe.ek}$ .

After finishing $\mathpzc{A}$ ’s challenge query, $\mathpzc{B}$ sends $(\gamma_{0},x_{0},y^{\ast})$ to $\mathpzc{A}$ . Finally, when $\mathpzc{A}$ terminates with output $\mathsf{coin}^{\prime}$ , $\mathpzc{B}$ outputs $\mathsf{coin}^{\prime}$ and terminates.

$\mathcal{B}$ perfectly simulates

•

$\mathsf{Hyb}_{4}^{\neq}$ if $y^{\ast}\leftarrow\{0,1\}^{\ell_{\mathsf{out}}}$ ,
•

$\mathsf{Hyb}_{5}^{\neq}$ if $y^{\ast}\coloneqq\mathsf{F}(x_{0})$ .

The punctured pseudorandomness of $\mathsf{F}$ immediately implies this proposition.

Proposition 7.15.

If $i\mathcal{O}$ is a secure IO and $\mathsf{F}$ satisfies punctured correctness, it holds that

\absolutevalue{\Pr[\mathsf{Hyb}_{5}^{\neq}=1]-\Pr[\mathsf{Hyb}_{6}^{\neq}=1]}\leq{\mathsf{negl}}(\lambda).

Proof of Proposition 7.15.

The difference between the two games is that $D_{\neq x_{0}}^{\mathsf{real}}[\mathsf{F},\mathsf{pe.dk}_{\neq x_{0}},\mathsf{m},\gamma_{0},x_{0},y_{0}]$ is used for the challegne query instead of $D_{\neq x_{0}}^{\mathsf{real}}[\mathsf{F}_{\neq x_{0}},\mathsf{pe.dk}_{\neq x_{0}},\mathsf{m},\gamma_{0},x_{0},y_{0}]$ in the case where $\gamma_{0}\neq\mathsf{m}[i^{\ast}]$ . These two circuits are the same except that we use $\mathsf{F}$ instead of $\mathsf{F}_{\neq x_{0}}$ . This proof is the same as that of Proposition 7.14 (in a reverse manner). Thus, we omit it.

End of case analyses.

We complete the two case analyses.

Proposition 7.16.

If $i\mathcal{O}$ is a secure IO, $\mathsf{F}$ satisfies punctured correctness, and $\mathsf{PE}$ satisfies punctured correctness, it holds that $\absolutevalue{\Pr[\mathsf{Hyb}_{3}^{=}=1]-\Pr[\mathsf{Hyb}_{4}^{=}=1]}\leq{\mathsf{negl}}(\lambda)$ and $\absolutevalue{\Pr[\mathsf{Hyb}_{6}^{\neq}=1]-\Pr[\mathsf{Hyb}_{7}^{\neq}=1]}\leq{\mathsf{negl}}(\lambda)$ .

Proof.

This proof is the same as that of Proposition 7.7 and Proposition 7.10, respectively (in a reverse manner). Thus, we omit them.

We complete the proof of Theorem 7.6.

8 Putting Pieces Altogether

Privately extractable watermarking PRF.

We summarize how to obtain our privately extractable watermarking PRF.

By Theorems 6.1, 6.2, 2.27, 2.30 and 2.24, we obtain an extraction-less watermarking with private simulation from the QLWE assumption. By combining this with Theorems 4.6 and 5.2, we obtain the following theorem.

Theorem 8.1.

If the QLWE assumption holds, there exists a privately extractable watermarking PRF.

Publicly extractable watermarking PRF.

We summarize how to obtain our publicly extractable watermarking PRF.

By Theorems 7.6, 7.5, 2.21 and 2.17, we obtain an extraction-less watermarking with public simulation from IO and the QLWE assumption since OWFs can be instantiated with the QLWE assumption. By combining this with Theorem 5.3, we obtain a publicly extractable watermarking PRF from IO and the QLWE assumption. Thus, we obtain the following theorem.

Theorem 8.2.

If there exists a secure IO and the QLWE assumption holds, there exists a publicly extractable watermarking PRF.

References

[AHU19] Andris Ambainis, Mike Hamburg, and Dominique Unruh. Quantum security proofs using semi-classical oracles. In Alexandra Boldyreva and Daniele Micciancio, editors, CRYPTO 2019, Part II, volume 11693 of LNCS, pages 269–295. Springer, Heidelberg, August 2019.
[AKPW13] Joël Alwen, Stephan Krenn, Krzysztof Pietrzak, and Daniel Wichs. Learning with rounding, revisited - new reduction, properties and applications. In Ran Canetti and Juan A. Garay, editors, CRYPTO 2013, Part I, volume 8042 of LNCS, pages 57–74. Springer, Heidelberg, August 2013.
[AL21] Prabhanjan Ananth and Rolando L. La Placa. Secure software leasing. In Anne Canteaut and François-Xavier Standaert, editors, EUROCRYPT 2021, Part II, volume 12697 of LNCS, pages 501–530. Springer, Heidelberg, October 2021.
[ALL⁺21] Scott Aaronson, Jiahui Liu, Qipeng Liu, Mark Zhandry, and Ruizhe Zhang. New approaches for quantum copy-protection. In Tal Malkin and Chris Peikert, editors, CRYPTO 2021, Part I, volume 12825 of LNCS, pages 526–555, Virtual Event, August 2021. Springer, Heidelberg.
[AP20] Shweta Agrawal and Alice Pellet-Mary. Indistinguishability obfuscation without maps: Attacks and fixes for noisy linear FE. In Anne Canteaut and Yuval Ishai, editors, EUROCRYPT 2020, Part I, volume 12105 of LNCS, pages 110–140. Springer, Heidelberg, May 2020.
[ARU14] Andris Ambainis, Ansis Rosmanis, and Dominique Unruh. Quantum attacks on classical proof systems: The hardness of quantum rewinding. In 55th FOCS, pages 474–483. IEEE Computer Society Press, October 2014.
[BDF⁺11] Dan Boneh, Özgür Dagdelen, Marc Fischlin, Anja Lehmann, Christian Schaffner, and Mark Zhandry. Random oracles in a quantum world. In Dong Hoon Lee and Xiaoyun Wang, editors, ASIACRYPT 2011, volume 7073 of LNCS, pages 41–69. Springer, Heidelberg, December 2011.
[BGI⁺12] Boaz Barak, Oded Goldreich, Russell Impagliazzo, Steven Rudich, Amit Sahai, Salil P. Vadhan, and Ke Yang. On the (im)possibility of obfuscating programs. Journal of the ACM, 59(2):6:1–6:48, 2012.
[BGI14] Elette Boyle, Shafi Goldwasser, and Ioana Ivan. Functional signatures and pseudorandom functions. In Hugo Krawczyk, editor, PKC 2014, volume 8383 of LNCS, pages 501–519. Springer, Heidelberg, March 2014.
[BGMZ18] James Bartusek, Jiaxin Guan, Fermi Ma, and Mark Zhandry. Return of GGH15: Provable security against zeroizing attacks. In Amos Beimel and Stefan Dziembowski, editors, TCC 2018, Part II, volume 11240 of LNCS, pages 544–574. Springer, Heidelberg, November 2018.
[BHH⁺19] Nina Bindel, Mike Hamburg, Kathrin Hövelmanns, Andreas Hülsing, and Edoardo Persichetti. Tighter proofs of CCA security in the quantum random oracle model. In Dennis Hofheinz and Alon Rosen, editors, TCC 2019, Part II, volume 11892 of LNCS, pages 61–90. Springer, Heidelberg, December 2019.
[BLW17] Dan Boneh, Kevin Lewi, and David J. Wu. Constraining pseudorandom functions privately. In Serge Fehr, editor, PKC 2017, Part II, volume 10175 of LNCS, pages 494–524. Springer, Heidelberg, March 2017.
[BSW06] Dan Boneh, Amit Sahai, and Brent Waters. Fully collusion resistant traitor tracing with short ciphertexts and private keys. In Serge Vaudenay, editor, EUROCRYPT 2006, volume 4004 of LNCS, pages 573–592. Springer, Heidelberg, May / June 2006.
[BTVW17] Zvika Brakerski, Rotem Tsabary, Vinod Vaikuntanathan, and Hoeteck Wee. Private constrained PRFs (and more) from LWE. In Yael Kalai and Leonid Reyzin, editors, TCC 2017, Part I, volume 10677 of LNCS, pages 264–302. Springer, Heidelberg, November 2017.
[BW13] Dan Boneh and Brent Waters. Constrained pseudorandom functions and their applications. In Kazue Sako and Palash Sarkar, editors, ASIACRYPT 2013, Part II, volume 8270 of LNCS, pages 280–300. Springer, Heidelberg, December 2013.
[CC17] Ran Canetti and Yilei Chen. Constraint-hiding constrained PRFs for NC¹ from LWE. In Jean-Sébastien Coron and Jesper Buus Nielsen, editors, EUROCRYPT 2017, Part I, volume 10210 of LNCS, pages 446–476. Springer, Heidelberg, April / May 2017.
[CFN94] Benny Chor, Amos Fiat, and Moni Naor. Tracing traitors. In Yvo Desmedt, editor, CRYPTO’94, volume 839 of LNCS, pages 257–270. Springer, Heidelberg, August 1994.
[CHN⁺18] Aloni Cohen, Justin Holmgren, Ryo Nishimaki, Vinod Vaikuntanathan, and Daniel Wichs. Watermarking cryptographic capabilities. SIAM Journal on Computing, 47(6):2157–2202, 2018.
[CHVW19] Yilei Chen, Minki Hhan, Vinod Vaikuntanathan, and Hoeteck Wee. Matrix PRFs: Constructions, attacks, and applications to obfuscation. In Dennis Hofheinz and Alon Rosen, editors, TCC 2019, Part I, volume 11891 of LNCS, pages 55–80. Springer, Heidelberg, December 2019.
[CMSZ21] Alessandro Chiesa, Fermi Ma, Nicholas Spooner, and Mark Zhandry. Post-quantum succinct arguments: Breaking the quantum rewinding barrier. In Nisheeth Vishnoi, editor, FOCS 2021 (to appear). IEEE, 2021.
[DQV⁺21] Lalita Devadas, Willy Quach, Vinod Vaikuntanathan, Hoeteck Wee, and Daniel Wichs. Succinct lwe sasmpling, random polynomials and obfuscation. In Kobbi Nissim and Brent Waters, editors, TCC 2021, LNCS. Springer, 2021.
[GGM86] Oded Goldreich, Shafi Goldwasser, and Silvio Micali. How to construct random functions. Journal of the ACM, 33(4):792–807, 1986.
[GKM⁺19] Rishab Goyal, Sam Kim, Nathan Manohar, Brent Waters, and David J. Wu. Watermarking public-key cryptographic primitives. In Alexandra Boldyreva and Daniele Micciancio, editors, CRYPTO 2019, Part III, volume 11694 of LNCS, pages 367–398. Springer, Heidelberg, August 2019.
[GKW19] Rishab Goyal, Venkata Koppula, and Brent Waters. New approaches to traitor tracing with embedded identities. In Dennis Hofheinz and Alon Rosen, editors, TCC 2019, Part II, volume 11892 of LNCS, pages 149–179. Springer, Heidelberg, December 2019.
[GKWW21] Rishab Goyal, Sam Kim, Brent Waters, and David J. Wu. Beyond software watermarking: Traitor-tracing for pseudorandom functions. In Mehdi Tibouchi and Huaxiong Wang, editors, Asiacrypt 2021 (to appear), Lecture Notes in Computer Science. Springer, 2021.
[GP21] Romain Gay and Rafael Pass. Indistinguishability obfuscation from circular security. In Samir Khuller and Virginia Vassilevska Williams, editors, STOC ’21: 53rd Annual ACM SIGACT Symposium on Theory of Computing, Virtual Event, Italy, June 21-25, 2021, pages 736–749. ACM, 2021.
[HILL99] Johan Håstad, Russell Impagliazzo, Leonid A. Levin, and Michael Luby. A pseudorandom generator from any one-way function. SIAM Journal on Computing, 28(4):1364–1396, 1999.
[HJL21] Samuel B. Hopkins, Aayush Jain, and Huijia Lin. Counterexamples to new circular security assumptions underlying iO. In Tal Malkin and Chris Peikert, editors, CRYPTO 2021, Part II, volume 12826 of LNCS, pages 673–700, Virtual Event, August 2021. Springer, Heidelberg.
[HMW07] Nicholas Hopper, David Molnar, and David Wagner. From weak to strong watermarking. In Salil P. Vadhan, editor, TCC 2007, volume 4392 of LNCS, pages 362–382. Springer, Heidelberg, February 2007.
[Jor75] Camille Jordan. Essai sur la géométrie à $n$ dimensions. Bulletin de la Société Mathématique de France, 3:103–174, 1875.
[KNY21] Fuyuki Kitagawa, Ryo Nishimaki, and Takashi Yamakawa. Secure software leasing from standard assumptions. In Kobbi Nissim and Brent Waters, editors, TCC 2021, LNCS. Springer, 2021.
[KPTZ13] Aggelos Kiayias, Stavros Papadopoulos, Nikos Triandopoulos, and Thomas Zacharias. Delegatable pseudorandom functions and applications. In Ahmad-Reza Sadeghi, Virgil D. Gligor, and Moti Yung, editors, ACM CCS 2013, pages 669–684. ACM Press, November 2013.
[KW19] Sam Kim and David J. Wu. Watermarking PRFs from lattices: Stronger security via extractable PRFs. In Alexandra Boldyreva and Daniele Micciancio, editors, CRYPTO 2019, Part III, volume 11694 of LNCS, pages 335–366. Springer, Heidelberg, August 2019.
[KW21] Sam Kim and David J. Wu. Watermarking cryptographic functionalities from standard lattice assumptions. J. Cryptol., 34(3):28, 2021.
[MW05] Chris Marriott and John Watrous. Quantum arthur-merlin games. Comput. Complex., 14(2):122–152, 2005.
[Nao91] Moni Naor. Bit commitment using pseudorandomness. Journal of Cryptology, 4(2):151–158, January 1991.
[Nis13] Ryo Nishimaki. How to watermark cryptographic functions. In Thomas Johansson and Phong Q. Nguyen, editors, EUROCRYPT 2013, volume 7881 of LNCS, pages 111–125. Springer, Heidelberg, May 2013.
[Nis19] Ryo Nishimaki. How to watermark cryptographic functions by bilinear maps. IEICE Transactions, 102-A(1):99–113, 2019.
[Nis20] Ryo Nishimaki. Equipping public-key cryptographic primitives with watermarking (or: A hole is to watermark). In Rafael Pass and Krzysztof Pietrzak, editors, TCC 2020, Part I, volume 12550 of LNCS, pages 179–209. Springer, Heidelberg, November 2020.
[NSS99] David Naccache, Adi Shamir, and Julien P. Stern. How to copyright a function? In Hideki Imai and Yuliang Zheng, editors, PKC’99, volume 1560 of LNCS, pages 188–196. Springer, Heidelberg, March 1999.
[NWZ16] Ryo Nishimaki, Daniel Wichs, and Mark Zhandry. Anonymous traitor tracing: How to embed arbitrary information in a key. In Marc Fischlin and Jean-Sébastien Coron, editors, EUROCRYPT 2016, Part II, volume 9666 of LNCS, pages 388–419. Springer, Heidelberg, May 2016.
[Pei09] Chris Peikert. Public-key cryptosystems from the worst-case shortest vector problem: extended abstract. In Michael Mitzenmacher, editor, 41st ACM STOC, pages 333–342. ACM Press, May / June 2009.
[PS18] Chris Peikert and Sina Shiehian. Privately constraining and programming PRFs, the LWE way. In Michel Abdalla and Ricardo Dahab, editors, PKC 2018, Part II, volume 10770 of LNCS, pages 675–701. Springer, Heidelberg, March 2018.
[PW11] Chris Peikert and Brent Waters. Lossy trapdoor functions and their applications. SIAM Journal on Computing, 40(6):1803–1844, 2011.
[QWZ18] Willy Quach, Daniel Wichs, and Giorgos Zirdelis. Watermarking PRFs under standard assumptions: Public marking and security with extraction queries. In Amos Beimel and Stefan Dziembowski, editors, TCC 2018, Part II, volume 11240 of LNCS, pages 669–698. Springer, Heidelberg, November 2018.
[Reg] Oded Regev. Witness-preserveing amplification of qma (lecture notes). https://cims.nyu.edu/~regev/teaching/quantum_fall_2005/ln/qma.pdf.
[Reg09] Oded Regev. On lattices, learning with errors, random linear codes, and cryptography. Journal of the ACM, 56(6):34:1–34:40, 2009.
[SW21] Amit Sahai and Brent Waters. How to use indistinguishability obfuscation: Deniable encryption, and more. SIAM J. Comput., 50(3):857–908, 2021.
[Unr12] Dominique Unruh. Quantum proofs of knowledge. In David Pointcheval and Thomas Johansson, editors, EUROCRYPT 2012, volume 7237 of LNCS, pages 135–152. Springer, Heidelberg, April 2012.
[Wat09] John Watrous. Zero-knowledge against quantum attacks. SIAM J. Comput., 39(1):25–58, 2009.
[WW21] Hoeteck Wee and Daniel Wichs. Candidate obfuscation via oblivious LWE sampling. In Anne Canteaut and François-Xavier Standaert, editors, EUROCRYPT 2021, Part III, volume 12698 of LNCS, pages 127–156. Springer, Heidelberg, October 2021.
[YAL⁺19] Rupeng Yang, Man Ho Au, Junzuo Lai, Qiuliang Xu, and Zuoxia Yu. Collusion resistant watermarking schemes for cryptographic functionalities. In Steven D. Galbraith and Shiho Moriai, editors, ASIACRYPT 2019, Part I, volume 11921 of LNCS, pages 371–398. Springer, Heidelberg, December 2019.
[YAYX20] Rupeng Yang, Man Ho Au, Zuoxia Yu, and Qiuliang Xu. Collusion resistant watermarkable PRFs from standard assumptions. In Daniele Micciancio and Thomas Ristenpart, editors, CRYPTO 2020, Part I, volume 12170 of LNCS, pages 590–620. Springer, Heidelberg, August 2020.
[YF11] Maki Yoshida and Toru Fujiwara. Toward digital watermarking for cryptographic data. IEICE Transactions, 94-A(1):270–272, 2011.
[Zha12a] Mark Zhandry. How to construct quantum random functions. In 53rd FOCS, pages 679–687. IEEE Computer Society Press, October 2012.
[Zha12b] Mark Zhandry. Secure identity-based encryption in the quantum random oracle model. In Reihaneh Safavi-Naini and Ran Canetti, editors, CRYPTO 2012, volume 7417 of LNCS, pages 758–775. Springer, Heidelberg, August 2012.
[Zha19] Mark Zhandry. How to record quantum queries, and applications to quantum indifferentiability. In Alexandra Boldyreva and Daniele Micciancio, editors, CRYPTO 2019, Part II, volume 11693 of LNCS, pages 239–268. Springer, Heidelberg, August 2019.
[Zha20] Mark Zhandry. Schrödinger’s pirate: How to trace a quantum decoder. In Rafael Pass and Krzysztof Pietrzak, editors, TCC 2020, Part III, volume 12552 of LNCS, pages 61–91. Springer, Heidelberg, November 2020.

Appendix A Achieving QSIM-MDD from SIM-MDD

We prove Theorem 4.6, that is, we show that we can transform extraction-less watermarking PRF satisfying SIM-MDD security with private simulation into one satisfying QSIM-MDD security with private simulation, by using a QPRF. Before the proof, we introduce semi-classical one-way to hiding (O2H) lemma.

A.1 Semi-Classical One-Way to Hiding (O2H) Lemma

We recall a few lemmas.

Definition A.1 (Punctured oracle).

Let $F:X\rightarrow Y$ be any function, and $S\subset X$ be a set. The oracle $F\setminus S$ (“ $F$ punctured by $S$ ”) takes as input a value $x\in X$ . It first computes whether $x\in S$ into an auxiliary register and measures it. Then it computes $F(x)$ and returns the result. Let $\mathtt{Find}$ be the event that any of the measurements returns $1$ .

Lemma A.2 (Semi-classical O2H [AHU19, Theorem 1]).

Let $G,H:X\rightarrow Y$ be random functions, $z$ be a random value, and $S\subseteq X$ be a random set such that $G(x)=H(x)$ for every $x\notin S$ . The tuple $(G,H,S,z)$ may have arbitrary joint distribution. Furthermore, let $\mathpzc{A}$ be a quantum oracle algorithm. Let $\mathtt{Ev}$ be any classical event. Then we have

\displaystyle\absolutevalue{\Pr[\mathtt{Ev}:\mathpzc{A}^{\ket{H}}(z)]-\Pr[\mathtt{Ev}:\mathpzc{A}^{\ket{G}}(z)]}\leq 2\sqrt{(q+1)\cdot\Pr[\mathtt{Find}:\mathpzc{A}^{\ket{H\setminus S}}(z)]}\enspace.

(35)

Lemma A.3 (Search in semi-classical oracle [AHU19, Theorem 2]).

Let $H:X\rightarrow Y$ be a random function, let $z$ be a random value, and let $S\subset X$ be a random set. $(H,S,z)$ may have arbitrary joint distribution. Let $\mathpzc{A}$ be a quantum oracle algorithm. If for each $x\in X$ , $\Pr[x\in S]\leq\epsilon$ (conditioned on $H$ and $z$ ), then we have

\displaystyle\Pr[\mathtt{Find}:\mathpzc{A}^{\ket{H\setminus S}}(z)]\leq 4q\epsilon\enspace,

(36)

where $q$ is the number of queries to $H$ by $\mathpzc{A}$ .

Note that the above lemma is originally introduced in [AHU19], but we use a variant that is closer to Lemma 4 in [BHH⁺19].

A.2 Proof

Construction.

We start with the construction. Let $\mathsf{ELWMPRF}=(\mathsf{Setup},\mathsf{Gen},\mathsf{Eval},\mathsf{Mark},\mathsf{Sim})$ be an extraction-less watermarking PRF scheme satisfying SIM-MDD security with private simulation. We also let the message space of $\mathsf{ELWMPRF}$ is $\{0,1\}^{{\ell_{\mathsf{m}}}}$ . Let $\mathsf{PRF}$ be a QPRF with domain $\{0,1\}^{\lambda}$ and range $\mathcal{R}_{\mathsf{Sim}}$ , which is the randomness space of $\mathsf{Sim}$ . We construct an extraction-less watermarking PRF scheme $\mathsf{QELWMPRF}=(\mathsf{QEL}.\mathsf{Setup},\mathsf{QEL}.\mathsf{Gen},\mathsf{QEL}.\mathsf{Eval},\mathsf{QEL}.\mathsf{Mark},\allowbreak\mathsf{QEL}.\mathsf{Sim})$ satisfying QSIM-MDD security with private simulation as follows. We use $\mathsf{Gen}$ , $\mathsf{Eval}$ , and $\mathsf{Mark}$ as $\mathsf{QEL}.\mathsf{Gen}$ , $\mathsf{QEL}.\mathsf{Eval}$ , and $\mathsf{QEL}.\mathsf{Mark}$ , respectively. The domain and range of $\mathsf{QELWMPRF}$ are the same as those of $\mathsf{ELWMPRF}$ . The mark space of $\mathsf{QELWMPRF}$ is $\{0,1\}^{{\ell_{\mathsf{m}}}}$ . Also, we construct $\mathsf{QEL}.\mathsf{Setup}$ and $\mathsf{QEL}.\mathsf{Sim}$ as follows.

$\mathsf{QEL}.\mathsf{Setup}(1^{\lambda})$ :

•

Generate $(\mathsf{pp},\mathsf{xk})\leftarrow\mathsf{Setup}(1^{\lambda})$ .
•

Genrate $K\leftarrow\{0,1\}^{\lambda}$ .
•

Outputs $(\mathsf{pp},\mathsf{qxk}:=(\mathsf{xk},K))$ .

$\mathsf{QEL}.\mathsf{Sim}(\mathsf{qxk},\tau,i;r)$ :

•

Parse $(\mathsf{xk},K)\leftarrow\mathsf{qxk}$ .
•

Output $(\gamma,x,y)\leftarrow\mathsf{Sim}(\mathsf{xk},\tau,i;\mathsf{PRF}_{K}(r))$ .

Security analysis.

Let $i^{\ast}\in[{\ell_{\mathsf{m}}}]$ and $\mathpzc{A}$ be any QPT adversary for QSIM-MDD security with private simulation making total $q$ queries to $O_{\mathtt{sim}}$ and $O_{\mathtt{api}}$ . We prove that for any polynomial $w$ , it holds that $\mathsf{Adv}_{i^{\ast},\mathpzc{A},\mathsf{QELWMPRF}}^{\mathsf{q\textrm{-}sim\textrm{-}mdd}}(\lambda)\leq 1/w$ . We prove it using hybrid games. Let ${\tt SUC}_{X}$ be the event that the final output is $1$ in Game $X$ . We define a distribution $\mathsf{D}_{\tau^{\prime},i^{\prime}}$ as

$D_{\tau^{\prime},i^{\prime}}$ :: Output $(\gamma,x,y)\leftarrow\mathsf{Sim}(\mathsf{xk},\tau^{\prime},i^{\prime})$ .

Game $1$ :

This is $\mathsf{Expt}_{i^{\ast},\mathpzc{A},\mathsf{QELWMPRF}}^{\mathsf{q\textrm{-}sim\textrm{-}mdd}}(\lambda)$ . Thus, $\mathsf{Adv}_{i^{\ast},\mathpzc{A},\mathsf{QELWMPRF}}^{\mathsf{q\textrm{-}sim\textrm{-}mdd}}(\lambda)=2\absolutevalue{\Pr[{\tt SUC}_{1}]-1/2}$ .

1.

The challenger generates $(\mathsf{pp},\mathsf{xk})\leftarrow\mathsf{Setup}(1^{\lambda})$ and $K\leftarrow\{0,1\}^{\lambda}$ , and gives $\mathsf{pp}$ to $\mathpzc{A}$ . $\mathpzc{A}$ send $\mathsf{m}\in\{0,1\}^{{\ell_{\mathsf{m}}}}$ to the challenger. The challenger generates $(\tau,\mathsf{prfk})\leftarrow\mathsf{Gen}(\mathsf{pp})$ , computes $\widetilde{C}\leftarrow\mathsf{Mark}(\mathsf{pp},\mathsf{prfk},\mathsf{m})$ , and sends $\widetilde{C}$ to $\mathpzc{A}$ .
2.

$\mathpzc{A}$ can access to the following oracles.

$O_{\mathtt{sim}}$ :

On input $\tau^{\prime}$ and $i^{\prime}$ , it returns $\mathsf{Sim}(\mathsf{xk},\tau^{\prime},i^{\prime};\mathsf{PRF}_{K}(r))$ , where $r\leftarrow\{0,1\}^{\lambda}$ .

$O_{\mathtt{api}}$ :

On input $(\epsilon,\delta,\tau^{\prime},i^{\prime})$ and a quantum state $\mathpzc{q}$ , it returns the result of $\mathpzc{API}^{\epsilon,\delta}_{\mathcal{P},\mathsf{D}^{\mathsf{PRF}}_{\tau^{\prime},i^{\prime}}}(\mathpzc{q})$ and the post measurement state, where $\mathsf{D}^{\mathsf{PRF}}_{\tau^{\prime},i^{\prime}}=\mathsf{D}_{\tau^{\prime},i^{\prime}}(\mathsf{PRF}_{K}(\cdot))$ .
3.

The challenger generates $\mathsf{coin}\leftarrow\{0,1\}$ . If $\mathsf{coin}=0$ , the challenger samples $(\gamma,x,y)\leftarrow D_{\mathtt{real},i^{\ast}}$ . If $\mathsf{coin}=1$ , the challenger generates $(\gamma,x,y)\leftarrow\mathsf{Sim}(\mathsf{xk},\tau,i^{\ast};\mathsf{PRF}_{K}(r^{*}))$ , where, $r^{*}\leftarrow\{0,1\}^{\lambda}$ . The challenger sends $(\gamma,x,y)$ to $\mathpzc{A}$ .
4.

When $\mathpzc{A}$ terminates with output $\mathsf{coin}^{\prime}$ , the challenger outputs $1$ if $\mathsf{coin}=\mathsf{coin}^{\prime}$ and $0$ otherwise.

Game $2$ :: This game is the same as Game $1$ except that $\mathsf{PRF}_{K}$ is replaced with a quantum-accessible random function $\mathsf{R}$ .

We have $\absolutevalue{\Pr[{\tt SUC}_{1}]-\Pr[{\tt SUC}_{2}]}={\mathsf{negl}}(\lambda)$ from the the security of $\mathsf{PRF}$ .

Game $3$ :

This game is the same as Game $2$ except that $\mathsf{R}$ is replaced with

\displaystyle V(r)=\begin{cases}v^{*}&(\textrm{if~{}~{}}r=r^{*})\\ \mathsf{R}(r)&(\textrm{otherwise}),\end{cases}

(37)

where $v^{*}\leftarrow\mathcal{R}_{\mathsf{Sim}}$ .

We have $\absolutevalue{\Pr[{\tt SUC}_{2}]-\Pr[{\tt SUC}_{3}]}=0$ .

Game $4$ :: This game is the same as Game $3$ except the followings. When $\mathpzc{A}$ makes a query $\tau^{\prime}$ and $i^{\prime}$ to $O_{\mathtt{sim}}$ , $\mathsf{Sim}(\mathsf{xk},\tau^{\prime},i^{\prime};R(r))$ is returned instead of $\mathsf{Sim}(\mathsf{xk},\tau^{\prime},i^{\prime};V(r))$ . Also, when $\mathpzc{A}$ makes a query $(\epsilon,\delta,\tau^{\prime},i^{\prime})$ to $O_{\mathtt{api}}$ , $\mathpzc{API}^{\epsilon,\delta}_{\mathcal{P},D^{\mathsf{R}}_{\tau^{\prime},i^{\prime}}}(\mathpzc{q})$ is performed instead of $\mathpzc{API}^{\epsilon,\delta}_{\mathcal{P},D^{V}_{\tau^{\prime},i^{\prime}}}(\mathpzc{q})$ , where $D^{\mathsf{R}}_{\tau^{\prime},i^{\prime}}=\mathsf{D}_{\tau^{\prime},i^{\prime}}(\mathsf{R}(\cdot))$ and $D^{V}_{\tau^{\prime},i^{\prime}}=\mathsf{D}_{\tau^{\prime},i^{\prime}}(V(\cdot))$ .

By this change, $V$ is now used only for generating the challenge tuple $(\gamma,x,y)\leftarrow\mathsf{Sim}(\mathsf{xk},\tau,i^{\ast};V(r^{*}))=\mathsf{Sim}(\mathsf{xk},\tau,i^{\ast};v^{\ast})$ .

We have $\absolutevalue{\Pr[{\tt SUC}_{3}]-\Pr[{\tt SUC}_{4}]}=O(\sqrt{\frac{q^{2}}{2^{\lambda}}})$ from Lemma A.2 and Lemma A.3.

Game $5$ :: This game is the same as Game $4$ except that $\mathsf{R}$ is replaced with $G\circ F$ , where $F:\{0,1\}^{\lambda}\rightarrow[s]$ and $G:[s]\rightarrow\mathcal{R}_{\mathsf{Sim}}$ are random functions and $s$ is a polynomial of $\lambda$ specified later.

Theorem A.4 (Small Range Distribution [Zha12a]).

For any QPT adversary $\mathpzc{B}$ making $q$ quantum queries to $\mathsf{R}$ or $G\circ F$ , we have $\absolutevalue{\Pr[\mathpzc{B}^{\ket{\mathsf{R}}}(1^{\lambda})=1]-\Pr[\mathpzc{B}^{\ket{G\circ F}}(1^{\lambda})=1]}\leq O(q^{3}/s)$ .

By the above theorem, we have $\absolutevalue{\Pr[{\tt SUC}_{4}]-\Pr[{\tt SUC}_{5}]}=O(q^{3}/s)$ .

We can simulate $F$ using a $2q$ -wise independent function $E$ by the following theorem.

Theorem A.5 ([Zha12b]).

For any QPT adversary $\mathpzc{B}$ making $q$ quantum queries to $F$ or $E$ , we have $\Pr[\mathpzc{B}^{\ket{F}}(1^{\lambda})=1]=\Pr[\mathpzc{B}^{\ket{E}}(1^{\lambda})=1]$ .

We can efficiently simulate $\mathpzc{API}^{\epsilon,\delta}_{\mathcal{P},\mathsf{D}_{\tau^{\prime},i^{\prime}}^{G\circ E}}$ in Game $5$ using $s$ samples from $\mathsf{D}_{\tau^{\prime},i^{\prime}}$ since $\mathsf{D}_{\tau^{\prime},i^{\prime}}(G(\cdot))$ can be interpreted as a mapping for $s$ samples from $\mathsf{D}_{\tau^{\prime},i^{\prime}}$ . Then, from the SIM-MDD security with private simulation of $\mathsf{ELWMPRF}$ , we have $\absolutevalue{\Pr[{\tt SUC}_{5}]-1/2}={\mathsf{negl}}(\lambda)$ . From the above, we also have $\mathsf{Adv}_{i^{\ast},\mathpzc{A},\mathsf{QELWMPRF}}^{\mathsf{q}\mbox{-}\mathsf{sim}\mbox{-}\mathsf{mdd}}(\lambda)\leq O(q^{3}/s)+2\gamma$ for some negligible function $\gamma$ . Thus, by setting $s=O(q^{3}\cdot w^{2})$ , we obtain $\mathsf{Adv}_{i^{\ast},\mathpzc{A},\mathsf{QELWMPRF}}^{\mathsf{q}\mbox{-}\mathsf{sim}\mbox{-}\mathsf{mdd}}(\lambda)\leq 1/w$ .

Since $w$ is any polynomial, this means that $\mathsf{Adv}_{i^{\ast},\mathpzc{A},\mathsf{QELWMPRF}}^{\mathsf{q}\mbox{-}\mathsf{sim}\mbox{-}\mathsf{mdd}}(\lambda)={\mathsf{negl}}(\lambda)$ .

Remark A.6.

It is easy to see that the extended weak pseudorandomness of $\mathsf{ELWMPRF}$ is preserved after we apply the transformation above since the evaluation algorithm is the same as that of $\mathsf{ELWMPRF}$ and extended weak pseudorandomness holds against adversaries that generate $\mathsf{pp}$ . Thus, we omit a formal proof.

Appendix B Puncturable Encryption with Strong Ciphertext Pseudorandomness

We prove Theorem 7.5 in this section.

B.1 Tools for PE

Definition B.1 (Statistically Injective PPRF).

If a PPRF family $\mathcal{F}=\{\mathsf{F}_{K}:\{0,1\}^{\ell_{1}(\lambda)}\rightarrow\{0,1\}^{\ell_{2}(\lambda)}\mid K\in\{0,1\}^{\lambda}\}$ satisfies the following, we call it a statistically injective PPRF family with failure probability $\epsilon(\cdot)$ . With probability $1-\epsilon(\lambda)$ over the random choice of $K\leftarrow\mathsf{PRF}.\mathsf{Gen}(1^{\lambda})$ , for all $x,x^{\prime}\in\{0,1\}^{\ell_{1}(\lambda)}$ , if $x\neq x^{\prime}$ , then $\mathsf{F}_{K}(x)\neq\mathsf{F}_{K}(x^{\prime})$ . If $\epsilon(\cdot)$ is not specified, it is a negligile function.

Sahai and Waters show that we can convert any PPRF into a statistically injective PPRF [SW21].

Theorem B.2 ([SW21]).

If OWFs exist, then for all efficiently computable functions $n(\lambda)$ , $m(\lambda)$ , and $e(\lambda)$ such that $m(\lambda)\geq 2n(\lambda)+e(\lambda)$ , there exists a statistically injective PPRF family with failure probability $2^{-e(\lambda)}$ that maps $n(\lambda)$ bits to $m(\lambda)$ bits.

Definition B.3.

An injective bit-commitment with setup consists of PPT algorithms $(\mathsf{Gen},\mathsf{Com})$ .

$\mathsf{Gen}(1^{\lambda})$ :: The key generation algorithm takes as input the security parameter $1^{\lambda}$ and outputs a commitment key $\mathsf{ck}$ .
$\mathsf{Com}_{\mathsf{ck}}(b)$ :: The commitment algorithm takes as input $\mathsf{ck}$ and a bit $b$ and outputs a commitment $\mathsf{com}$ .

These satisfy the following properties.

Computationally Hiding:

For any QPT $\mathpzc{A}$ , it holds that

\absolutevalue{\Pr[\mathpzc{A}(\mathsf{Com}_{\mathsf{ck}}(0))=1\mid\mathsf{ck}\leftarrow\mathsf{Gen}(1^{\lambda})]-\Pr[\mathpzc{A}(\mathsf{Com}_{\mathsf{ck}}(1))=1\mid\mathsf{ck}\leftarrow\mathsf{Gen}(1^{\lambda})]}\leq{\mathsf{negl}}(\lambda).

Statistically Binding:

It holds that

\displaystyle\Pr\left[\mathsf{com}_{0}=\mathsf{com}_{1}\ \middle|\begin{array}[]{l}\mathsf{ck}\leftarrow\mathsf{Gen}(1^{\lambda})\\ \mathsf{com}_{0}\leftarrow\mathsf{Com}_{\mathsf{ck}}(0)\\ \mathsf{com}_{1}\leftarrow\mathsf{Com}_{\mathsf{ck}}(1)\end{array}\right]\leq{\mathsf{negl}}(\lambda).

(41)

Injective:

For every security parameter $\lambda$ , there is a bound $\ell_{r}$ on the number of random bits used by $\mathsf{Com}$ such that if $\mathsf{ck}\leftarrow\mathsf{Gen}(1^{\lambda})$ , $\mathsf{Com}_{\mathsf{ck}}(\cdot\ ;\cdot)$ is an injective function on $\{0,1\}\times\{0,1\}^{\ell_{r}}$ except negligible probability.

Theorem B.4.

If the QLWE assumption holds, there exists a secure injective bit-commitment with setup.

This theorem follows from the following theorems.

Theorem B.5 ([Nao91]).

If there exists (injective) OWFs, there exists (injective) bit-commitment.

Theorem B.6 ([PW11, AKPW13, Adapted]).

If the QLWE assumption holds, there exists a secure injective OWF with evaluation key generation algorithms.

Remark B.7.

The injective OWFs achieved in Theorem B.6 needs evaluation key generation algorithms unlike the standard definition of OWFs. However, OWFs with evaluation key generation algorithms are sufficient for proving Theorem B.4 by using Theorem B.5 since we use commitment key generation algorithm $\mathsf{Gen}$ (i.e., setup) in Definition B.3. Note that there is no post-quantum secure injective OWF without evaluation key generation algorithm so far.

B.2 PE Scheme Description

We review the puncturable encryption scheme by Cohen et al. [CHN⁺18]. We can see Theorem 7.5 holds by inspecting their PE scheme. The scheme utilizes the following ingredients and the length $n$ of ciphertexts is $12$ times the length $\ell$ of plaintexts:

•

A length-doubling $\mathsf{PRG}:\{0,1\}^{\ell}\rightarrow\{0,1\}^{2\ell}$
•

An injective PPRFs (See Definition B.1) $F:\{0,1\}^{3\ell}\rightarrow\{0,1\}^{9\ell}$ .
•

A PPRF $G:\{0,1\}^{9\ell}\rightarrow\{0,1\}^{\ell}$ .
•

An injective bit-commitment with setup $(\mathsf{Com}.\mathsf{Gen},\mathsf{Com})$ using randomness in $\{0,1\}^{9\ell}$ . We only use this in our security proof.

Scheme.

The scheme $\mathsf{PE}$ by Cohen et al. [CHN⁺18] is as follows.

$\mathsf{Gen}(1^{\lambda}$ ):: Sample functions $F$ and $G$ , generates $\mathsf{pe.ek}$ as the obfuscated circuit $i\mathcal{O}(E)$ where $E$ is described in Figure 12, and returns $(\mathsf{pe.ek},\mathsf{pe.dk})\coloneqq(i\mathcal{O}(E),D)$ , where $\mathsf{pe.dk}$ is the (un-obfuscated) program $D$ in Figure 13.
$\mathsf{Puncture}(\mathsf{pe.dk},c^{\ast})$ :: Output $\mathsf{pe.dk}_{\neq c^{\ast}}$ , where $\mathsf{pe.dk}_{\neq c^{\ast}}$ is the obfuscated circuits $i\mathcal{O}(D_{\neq c^{\ast}})$ where $D_{\neq c^{\ast}}$ is described in Figure 14, that is, $\mathsf{pe.dk}_{\neq c^{\ast}}\coloneqq i\mathcal{O}(D_{\neq c^{\ast}})$ .
$\mathsf{Enc}(\mathsf{pe.ek},m)$ :: Take $m\in\{0,1\}^{\ell}$ , sample $s\leftarrow\{0,1\}^{\ell}$ , and outputs $c\leftarrow\mathsf{pe.ek}(m,s)$ .
$\mathsf{Dec}(\mathsf{pe.dk},c)$ :: Take $c\in\{0,1\}^{12\ell}$ and returns $m\coloneqq\mathsf{pe.dk}(c)$ .

The size of the circuits is appropriately padded to be the maximum size of all modified circuits, which will appear in the security proof.

Circuit $E[F,G]$ Constants : Injective PPRF $F:\{0,1\}^{3\ell}\rightarrow\{0,1\}^{9\ell}$ , PPRF $G:\{0,1\}^{9\ell}\rightarrow\{0,1\}^{\ell}$ Inputs: $m\in\{0,1\}^{\ell},s\in\{0,1\}^{\ell}$ 1. Compute $\alpha=\mathsf{PRG}(s)$ . 2. Compute $\beta=F(\alpha\|m)$ . 3. Compute $\gamma=G(\beta)\oplus m$ . 4. Output $(\alpha,\beta,\gamma)$ .

Figure 12: Description of encryption circuit

E

Circuit $D[F,G]$ Constants : Injective PPRF $F:\{0,1\}^{3\ell}\rightarrow\{0,1\}^{9\ell}$ , PPRF $G:\{0,1\}^{9\ell}\rightarrow\{0,1\}^{\ell}$ Inputs: $c=(\alpha\|\beta\|\gamma)$ , where $\alpha\in\{0,1\}^{2\ell}$ , $\beta\in\{0,1\}^{9\ell}$ , and $\gamma\in\{0,1\}^{\ell}$ . 1. Compute $m=G(\beta)\oplus\gamma$ . 2. If $\beta=F(\alpha\|m)$ , output $m$ . 3. Else output $\bot$ .

Figure 13: Description of decryption circuit

D

Circuit $D_{\neq c^{\ast}}[F,G,c^{\ast}]$ Constants : Point $c^{\ast}\in\{0,1\}^{12\ell}$ , injective PPRF $F:\{0,1\}^{3\ell}\rightarrow\{0,1\}^{9\ell}$ , and PPRF $G:\{0,1\}^{9\ell}\rightarrow\{0,1\}^{\ell}$ Inputs: $c=(\alpha\|\beta\|\gamma)$ , where $\alpha\in\{0,1\}^{2\ell}$ , $\beta\in\{0,1\}^{9\ell}$ , and $\gamma\in\{0,1\}^{\ell}$ . 1. If $c=c^{\ast}$ , output $\bot$ . 2. Compute $m=G(\beta)\oplus\gamma$ . 3. If $\beta=F(\alpha\|m)$ , output $m$ . 4. Else output $\bot$ .

Figure 14: Description of punctured decryption circuit

D_{\neq c^{\ast}}

c^{\ast}

B.3 PE Security Proof

Cohen et al. [CHN⁺18] proved correctness, punctured correctness, and sparseness of $\mathsf{PE}$ above by using secure PRG $\mathsf{PRG}$ , secure injective PPRF $F$ , secure PPRF $G$ , and secure IO $i\mathcal{O}$ . Thus, we complete the proof of Theorem 7.5 by combining Theorems B.2 and B.4, and Theorem B.8 below, which we prove in this section.

Theorem B.8.

If $\mathsf{PRG}$ is a secure PRG, $F$ is a secure injective PPRF, $G$ is a secure PPRF, $\mathsf{Com}$ is a secure injective bit-commitment with setup, and $i\mathcal{O}$ is a secure IO, then $\mathsf{PE}$ is a secure PE that satisifes strong ciphertext pseudorandomness.

Proof of Theorem B.8.

To prove $x_{0}\coloneqq c^{\ast}\leftarrow\mathsf{Enc}(\mathsf{pe.ek},m^{\ast})$ is indistinguishable from $x_{1}\coloneqq r^{\ast}\leftarrow\{0,1\}^{\ell}$ , we define a sequence hybrid games.

$\mathsf{Real}$ :

This is the same as the real game with $b=0$ . That is, for queried $m^{\ast}$ the challenger does the following.

1.

Choose an injective PPRF $F:\{0,1\}^{3\ell}\rightarrow\{0,1\}^{9\ell}$ and PPRF $G:\{0,1\}^{9\ell}\rightarrow\{0,1\}^{\ell}$ .
2.

Choose $s\leftarrow\{0,1\}^{\ell}$ and compute $\alpha_{0}\coloneqq\mathsf{PRG}(s)$ , $\beta_{0}\coloneqq F(\alpha_{0}\|m^{\ast})$ , and $\gamma_{0}\coloneqq G(\beta_{0})\oplus m^{\ast}$ .
3.

Set $x_{0}\coloneqq\alpha_{0}\|\beta_{0}\|\gamma_{0}$ and computes $\mathsf{pe.ek}\coloneqq i\mathcal{O}(E)$ and $\mathsf{pe.dk}_{\neq x_{0}}\coloneqq i\mathcal{O}(D_{\neq x_{0}})$ .
4.

Send $(x_{0},\mathsf{pe.ek},\mathsf{pe.dk}_{\neq x_{0}})$ to the adversary.

$\mathsf{Hyb}_{1}$ :

This is the same as $\mathsf{Hyb}_{0}(0)$ except that $\alpha_{0}$ is uniformly random.

$\mathsf{Hyb}_{2}$ :

This is the same as $\mathsf{Hyb}_{1}$ except that we use punctured $F_{\neq\alpha_{0}\|m^{\ast}}$ and modified circuits $E_{\neq\alpha_{0}\|m^{\ast}}$ and $D_{\neq\alpha_{0}\|m^{\ast}}^{2}$ described in Figures 16 and 17. Intuitively, these modified circuits are punctured at input $\alpha_{0}\|m^{\ast}$ and use exceptional handling for this input.

$\mathsf{Hyb}_{3}$ :

This is the same as $\mathsf{Hyb}_{2}$ except that $\beta_{0}\leftarrow\{0,1\}^{9\ell}$ .

$\mathsf{Hyb}_{4}$ :

This is the same as $\mathsf{Hyb}_{3}$ except that we use punctured $G_{\neq\beta_{0}}$ and modified circuits $E_{\neq\alpha_{0}\|m^{\ast},\neq\beta_{0}}$ and $D_{\neq\alpha_{0}\|m^{\ast},\neq\beta_{0}}^{4}$ described in Figures 18 and 19. Intuitively, these modified circuits are punctured at input $\beta_{0}$ and use $F_{\neq\alpha_{0}\|m^{\ast}}$ and exceptional handling for $\beta_{0}$ .

$\mathsf{Hyb}_{5}=\mathsf{Rand}_{2}$ :

This is the same as $\mathsf{Hyb}_{4}$ except that $\gamma_{0}$ is uniformly random. Now, $\alpha_{0}$ , $\beta_{0}$ , $\gamma_{0}$ are uniformly random and we rewrite them into $\alpha_{1}$ , $\beta_{1}$ , $\gamma_{1}$ , respectively. For ease of notation, we also denote this game by $\mathsf{Rand}_{2}$ .

$\mathsf{Rand}_{1}$ :

This is the same as $\mathsf{Hyb}_{5}=\mathsf{Rand}_{2}$ except that we use un-punctured $G$ , circuit $E_{\neq\alpha_{0}\|m^{\ast},\neq\beta_{0}}$ reverts to $E_{\neq\alpha_{1}\|m^{\ast}}$ described in Figure 16, and we change circuit $D_{\neq\alpha_{1}\|m^{\ast},\neq\beta_{1}}^{4}$ into $D_{\neq\alpha_{1}\|m^{\ast}}^{\mathsf{r}}$ described in Figure 21.

$\mathsf{Rand}$ :

This is the same as the real game with $b=1$ . That is, for queried $m^{\ast}$ the challenger does the following.

1.

Choose an injective PPRF $F:\{0,1\}^{3\ell}\rightarrow\{0,1\}^{9\ell}$ and PPRF $G:\{0,1\}^{9\ell}\rightarrow\{0,1\}^{\ell}$ .
2.

Choose $\alpha_{1}\leftarrow\{0,1\}^{2\ell}$ , $\beta_{1}\leftarrow\{0,1\}^{9\ell}$ , and $\gamma_{1}\leftarrow\{0,1\}^{\ell}$ .
3.

Set $x_{1}\coloneqq\alpha_{1}\|\beta_{1}\|\gamma_{1}$ and computes $\mathsf{pe.ek}\coloneqq i\mathcal{O}(E)$ and $\mathsf{pe.dk}_{\neq x_{1}}\coloneqq i\mathcal{O}(D_{\neq x_{1}})$ .
4.

Send $(x_{1},\mathsf{pe.ek},\mathsf{pe.dk}_{\neq x_{1}})$ to the adversary.

We described the overview of these hybrid games in Figure 15.

	$\alpha^{\ast}$	$\beta^{\ast}$	$\gamma^{\ast}$	$\mathsf{pe.ek}\coloneqq i\mathcal{O}(\cdot)$	$\mathsf{pe.dk}\coloneqq i\mathcal{O}(\cdot)$
$\mathsf{Real}$	$\mathsf{PRG}(s)$	$F(\alpha_{0}\\|m^{\ast})$	$G(\beta_{0})\oplus m^{\ast}$	$E$	$D_{\neq x_{0}}$
$\mathsf{Hyb}_{1}$	$\$$	$F(\alpha_{0}\\|m^{\ast})$	$G(\beta_{0})\oplus m^{\ast}$	$E$	$D_{\neq x_{0}}$
$\mathsf{Hyb}_{2}$	$\$$	$F(\alpha_{0}\\|m^{\ast})$	$G(\beta_{0})\oplus m^{\ast}$	$E_{\neq\alpha_{0}\\|m^{\ast}}$	$D_{\neq\alpha_{0}\\|m^{\ast}}^{2}[F_{\neq\alpha_{0}\\|m^{\ast}}]$
$\mathsf{Hyb}_{3}$	$\$$	$\$$	$G(\beta_{0})\oplus m^{\ast}$	$E_{\neq\alpha_{0}\\|m^{\ast}}$	$D_{\neq\alpha_{0}\\|m^{\ast}}^{2}[F_{\neq\alpha_{0}\\|m^{\ast}}]$
$\mathsf{Hyb}_{4}$	$\$$	$\$$	$G(\beta_{0})\oplus m^{\ast}$	$E_{\neq\alpha_{0}\\|m^{\ast},\neq\beta_{0}}$	$D_{\neq\alpha_{0}\\|m^{\ast},\neq\beta_{0}}^{4}[F_{\neq\alpha_{0}\\|m^{\ast}},G_{\neq\beta_{0}}]$
$\mathsf{Hyb}_{5}$	$\$$	$\$$	$\$$	$E_{\neq\alpha_{1}\\|m^{\ast},\neq\beta_{1}}$	$D_{\neq\alpha_{1}\\|m^{\ast},\neq\beta_{1}}^{4}[F_{\neq\alpha_{1}\\|m^{\ast}},G_{\neq\beta_{1}}]$
$\mathsf{Rand}_{1}$	$\$$	$\$$	$\$$	$E_{\neq\alpha_{1}\\|m^{\ast}}$	$D_{\neq\alpha_{1}\\|m^{\ast}}^{\mathsf{r}}[F_{\neq\alpha_{1}\\|m^{\ast}}]$
$\mathsf{Rand}$	$\$$	$\$$	$\$$	$E$	$D_{\neq x_{1}}$

Figure 15: High-level overview of hybrid games from

\mathsf{Real}

\mathsf{Rand}

. Recall that

\mathsf{Hyb}_{5}=\mathsf{Rand}_{2}

. Transitions from

\mathsf{Rand}_{2}

\mathsf{Rand}

are baiscally the reverse transitions from

\mathsf{Hyb}_{0}

\mathsf{Hyb}_{4}

, but there are subtle differences.

If we prove these hybrid games are indistinguishable, we complete the proof of Theorem B.8.

We prove that those hybrid games in Figure 15 are indistinguishable by Lemmata B.9, B.10, B.14, B.15, B.19, B.20 and B.25.

From $\mathsf{Real}$ to $\mathsf{Hyb}_{5}$ .

We first move from $\mathsf{Real}$ to $\mathsf{Hyb}_{5}$ .

Lemma B.9.

If $\mathsf{PRG}$ is a secure PRG, it holds that $\absolutevalue{\Pr[\mathsf{Hyb}_{0}(0)=1]-\Pr[\mathsf{Hyb}_{1}=1]}\leq{\mathsf{negl}}(\lambda)$ .

Proof of Lemma B.9.

The randomness $s$ for encryption is never used anywhere except $\alpha_{0}\coloneqq\mathsf{PRG}(s)$ . We can apply the PRG security and immediately obtain the lemma.

Lemma B.10.

If $i\mathcal{O}$ is a secure IO and $F$ is a secure injective PPRF, it holds that

\absolutevalue{\Pr[\mathsf{Hyb}_{1}=1]-\Pr[\mathsf{Hyb}_{2}=1]}\leq{\mathsf{negl}}(\lambda).

Proof of Lemma B.10.

We change $E$ and $D_{\neq x_{0}}$ into $E_{\neq\alpha_{0}\|m^{\ast}}$ and $D_{\neq\alpha_{0}\|m^{\ast}}^{2}$ , respectively.

Circuit $E_{\neq\alpha^{\ast}\|m^{\ast}}[F^{\prime},G]$ Constants : Injective PPRF $F^{\prime}$ , PPRF $G$ Inputs: $m\in\{0,1\}^{\ell},s\in\{0,1\}^{\ell}$ 1. Compute $\alpha=\mathsf{PRG}(s)$ . 2. Compute $\beta=F^{\prime}(\alpha\|m)$ . 3. Compute $\gamma=G(\beta)\oplus m$ . 4. Output $(\alpha,\beta,\gamma)$ .

Figure 16: Description of encryption circuit

E_{\neq\alpha^{\ast}\|m^{\ast}}

Circuit $D_{\neq\alpha^{\ast}\|m^{\ast}}^{2}[F^{\prime},G,\alpha^{\ast},\beta^{\ast},\gamma^{\ast},m^{\ast}]$ Constants : Point $x^{\ast}=\alpha^{\ast}\|\beta^{\ast}\|\gamma^{\ast}\in\{0,1\}^{12\ell}$ , injective PPRF $F^{\prime}$ , PPRF $G$ , $m^{\ast}$ . Inputs: $c=(\alpha\|\beta\|\gamma)$ , where $\alpha\in\{0,1\}^{2\ell}$ , $\beta\in\{0,1\}^{9\ell}$ , and $\gamma\in\{0,1\}^{\ell}$ . 1. If $c=x^{\ast}$ , output $\bot$ . 2. Compute $m=G(\beta)\oplus\gamma$ . 3. If $(\alpha,m)=(\alpha^{\ast},m^{\ast})$ , output $\bot$ . 4. If $\beta={\color[rgb]{1,0,0}\definecolor[named]{pgfstrokecolor}{rgb}{1,0,0}\underline{{\color[rgb]{0,0,0}\definecolor[named]{pgfstrokecolor}{rgb}{0,0,0}\pgfsys@color@gray@stroke{0}\pgfsys@color@gray@fill{0}F^{\prime}}}}(\alpha\|m)$ , output $m$ . 5. Else output $\bot$ .

Figure 17: Description of punctured decryption circuit

D_{\neq\alpha^{\ast}\|m^{\ast}}^{2}

We define a sequence of sub-hybrid games.

$\mathsf{Hyb}_{1}^{1}$ :: This is the same as $\mathsf{Hyb}_{1}$ except that we generate $F_{\neq\alpha_{0}\|m^{\ast}}$ and set $F^{\prime}\coloneqq F_{\neq\alpha_{0}\|m^{\ast}}$ and $\mathsf{pe.ek}\coloneqq i\mathcal{O}(E_{\neq\alpha_{0}\|m^{\ast}})$ described in Figure 16.
$\mathsf{Hyb}_{1}^{2}$ :: This is the same as $\mathsf{Hyb}_{1}^{1}$ except that we set $\mathsf{pe.dk}_{\neq x_{0}}\coloneqq i\mathcal{O}(D_{\neq\alpha_{0}\|m^{\ast}}^{2}[F,G,\alpha_{0},\beta_{0},\gamma_{0},m^{\ast}])$ described in Figure 17. That is, we still use $F$ , but modify the circuit.

Proposition B.11.

If $i\mathcal{O}$ is a secure IO, it holds that $\absolutevalue{\Pr[\mathsf{Hyb}_{1}=1]-\Pr[\mathsf{Hyb}_{1}^{1}=1]}\leq{\mathsf{negl}}(\lambda)$ .

Proof of Proposition B.11.

In these games, value $\alpha_{0}\leftarrow\{0,1\}^{2\ell}$ is not in the image of $\mathsf{PRG}$ except with negligible probability. The only difference between the two games is that $F_{\neq\alpha_{0}\|m^{\ast}}$ is used in $\mathsf{Hyb}_{1}^{1}$ . Thus, $E$ and $E_{\neq\alpha_{0}\|m^{\ast}}$ are functionally equivalent except with negligible probability. We can obtain the proposition by applying the IO security.

Proposition B.12.

If $i\mathcal{O}$ is a secure IO and $F$ is injective, it holds that $\absolutevalue{\Pr[\mathsf{Hyb}_{1}^{1}=1]-\Pr[\mathsf{Hyb}_{1}^{2}=1]}\leq{\mathsf{negl}}(\lambda)$ .

Proof of Proposition B.12.

We analyze the case where $(\alpha,m)=(\alpha_{0},m^{\ast})$ since it is the only difference between $D_{\neq x_{0}}$ and $D_{\neq\alpha_{0}\|m^{\ast}}^{2}$ .

•

If $c=x_{0}$ , $D_{\neq\alpha_{0}\|m^{\ast}}^{2}$ outputs $\bot$ by the first line of the description. Thus, the output of $D_{\neq\alpha_{0}\|m^{\ast}}^{2}(x_{0})$ is the same as that of $D_{\neq x_{0}}(x_{0})$ .
•

If $c\neq x_{0}$ , it holds $(\beta_{0},\gamma_{0})\neq(\beta,\gamma)$ in this case. However, it should be $\beta_{0}=\beta$ due to the injectivity of $F$ and $\beta_{0}=F(\alpha_{0}\|m^{\ast})$ . Thus, both $D_{\neq x_{0}}(c)$ and $D_{\neq\alpha_{0}\|m^{\ast}}^{2}(c)$ output $\bot$ in this case ( $D_{\neq x_{0}}(c)$ outputs $\bot$ at the first line).

Therefore, $D_{\neq x_{0}}$ and $D_{\neq\alpha_{0}\|m^{\ast}}^{2}$ are functionally equivalent. We can obtain the proposition by applying the IO security.

Proposition B.13.

If $i\mathcal{O}$ is a secure IO, it holds that $\absolutevalue{\Pr[\mathsf{Hyb}_{1}^{2}=1]-\Pr[\mathsf{Hyb}_{2}=1]}\leq{\mathsf{negl}}(\lambda)$ .

Proof of Proposition B.13.

Due to the exceptional handling in the third item of $D_{\neq\alpha_{0}\|m^{\ast}}^{2}$ , $F(\alpha\|m)$ is never computed for input $(\alpha_{0},m^{\ast})$ . Thus, even if we use $F_{\neq\alpha_{0}\|m^{\ast}}$ instead of $F$ , $D_{\neq\alpha_{0}\|m^{\ast}}^{2}[F]$ and $D_{\neq\alpha_{0}\|m^{\ast}}^{2}[F_{\neq\alpha_{0}\|m^{\ast}}]$ are functionally equivalent. We can obtain the proposition by the IO security.

We complete the proof of Lemma B.10.

Lemma B.14.

If $F$ is a secure injective PPRF, it holds that $\absolutevalue{\Pr[\mathsf{Hyb}_{2}=1]-\Pr[\mathsf{Hyb}_{3}=1]}\leq{\mathsf{negl}}(\lambda)$ .

Proof of Lemma B.14.

The difference between these two games is that $\beta_{0}$ is $F(\alpha_{0}\|m^{\ast})$ or random. We can immediately obtain the lemma by applying punctured pseudorandomness of $F$ since we use $F_{\neq\alpha_{0}\|m^{\ast}}$ in these games.

Lemma B.15.

If $i\mathcal{O}$ is a secure IO and $F$ is a secure injective PPRF, it holds that

\absolutevalue{\Pr[\mathsf{Hyb}_{3}=1]-\Pr[\mathsf{Hyb}_{4}=1]}\leq{\mathsf{negl}}(\lambda).

Proof of Lemma B.15.

We change $E_{\neq\alpha^{\ast}\|m^{\ast}}$ and $D_{\neq\alpha^{\ast}\|m^{\ast}}^{2}$ into $E_{\neq\alpha^{\ast}\|m^{\ast},\neq\beta^{\ast}}$ and $D_{\neq\alpha^{\ast}\|m^{\ast},\neq\beta^{\ast}}^{4}$ , respectively.

Circuit $E_{\neq\alpha^{\ast}\|m^{\ast},\neq\beta^{\ast}}[F^{\prime},G^{\prime}]$ Constants : Injective PPRF $F^{\prime}$ , PPRF $G^{\prime}$ Inputs: $m\in\{0,1\}^{\ell},s\in\{0,1\}^{\ell}$ 1. Compute $\alpha=\mathsf{PRG}(s)$ . 2. Compute $\beta=F^{\prime}(\alpha\|m)$ . 3. Compute $\gamma={\color[rgb]{1,0,0}\definecolor[named]{pgfstrokecolor}{rgb}{1,0,0}\underline{{\color[rgb]{0,0,0}\definecolor[named]{pgfstrokecolor}{rgb}{0,0,0}\pgfsys@color@gray@stroke{0}\pgfsys@color@gray@fill{0}G^{\prime}}}}(\beta)\oplus m$ . 4. Output $(\alpha,\beta,\gamma)$ .

Figure 18: Description of encryption circuit

E_{\neq\alpha^{\ast}\|m^{\ast},\neq\beta^{\ast}}

Circuit $D_{\neq\alpha^{\ast}\|m^{\ast},\neq\beta^{\ast}}^{4}[F^{\prime},G^{\prime},\alpha^{\ast},\beta^{\ast},\gamma^{\ast},m^{\ast}]$ Constants : Point $x^{\ast}\coloneqq\alpha^{\ast}\|\beta^{\ast}\|\gamma^{\ast}\in\{0,1\}^{12\ell}$ , injective PPRF $F^{\prime}$ , PPRF $G^{\prime}$ , $m^{\ast}$ . Inputs: $c=(\alpha\|\beta\|\gamma)$ , where $\alpha\in\{0,1\}^{2\ell}$ , $\beta\in\{0,1\}^{9\ell}$ , and $\gamma\in\{0,1\}^{\ell}$ . 1. If $\beta=\beta^{\ast}$ , output $\bot$ . 2. Compute $m={\color[rgb]{1,0,0}\definecolor[named]{pgfstrokecolor}{rgb}{1,0,0}\underline{{\color[rgb]{0,0,0}\definecolor[named]{pgfstrokecolor}{rgb}{0,0,0}\pgfsys@color@gray@stroke{0}\pgfsys@color@gray@fill{0}G^{\prime}}}}(\beta)\oplus\gamma$ . 3. If $(\alpha,m)=(\alpha^{\ast},m^{\ast})$ , output $\bot$ . 4. If $\beta=F^{\prime}(\alpha\|m)$ , output $m$ . 5. Else output $\bot$ .

Figure 19: Description of punctured decryption circuit

D_{\neq\alpha^{\ast}\|m^{\ast},\neq\beta^{\ast}}^{4}

We define a sequence of sub-hybrid games.

$\mathsf{Hyb}_{3}^{1}$ :: This is the same as $\mathsf{Hyb}_{3}$ except that we use punctured $G_{\neq\beta_{0}}$ and set $\mathsf{pe.ek}\coloneqq i\mathcal{O}(E_{\neq\alpha_{0}\|m^{\ast},\neq\beta_{0}}[F_{\neq\alpha_{0}\|m^{\ast}},G_{\neq\beta_{0}}])$ .
$\mathsf{Hyb}_{3}^{2}$ :: This is the same as $\mathsf{Hyb}_{3}^{1}$ except that we still use $G$ but set $\mathsf{pe.dk}_{\neq c_{0}}\coloneqq i\mathcal{O}(D_{\neq\alpha_{0}\|m^{\ast},\neq\beta_{0}}^{4}[F_{\neq\alpha_{0}\|m^{\ast}},G])$ .

Proposition B.16.

If $i\mathcal{O}$ is a secure IO, it holds that $\absolutevalue{\Pr[\mathsf{Hyb}_{3}=1]-\Pr[\mathsf{Hyb}_{3}^{1}=1]}\leq{\mathsf{negl}}(\lambda)$ .

Proof of Proposition B.16.

In these games $\beta_{0}\leftarrow\{0,1\}^{9\ell}$ is uniformly random. By the sparsity of $F$ , $\beta_{0}$ is not in the image of $F$ except with negligible probability. Thus, $E_{\neq\alpha_{0}\|m^{\ast}}$ and $E_{\neq\alpha_{0}\|m^{\ast},\neq\beta_{0}}$ are functionally equivalent except with negligible probability. We obtain the proposition by the IO security.

Proposition B.17.

If $i\mathcal{O}$ is a secure IO, it holds that $\absolutevalue{\Pr[\mathsf{Hyb}_{3}^{1}=1]-\Pr[\mathsf{Hyb}_{3}^{2}=1]}\leq{\mathsf{negl}}(\lambda)$ .

Proof of Proposition B.17.

The difference between $D_{\neq\alpha_{0}\|m^{\ast}}^{2}$ and $D_{\neq\alpha_{0}\|m^{\ast},\neq\beta_{0}}^{4}$ is that we replace “If $c=x_{0}$ , outputs $\bot$ .” with “If $\beta=\beta_{0}$ , outputs $\bot$ .”. In these games, $\beta_{0}\leftarrow\{0,1\}^{9\ell}$ is not in the image of $F$ except with negligible probability. Recall that $c=x_{0}$ means $c=\alpha_{0}\|\beta_{0}\|\gamma_{0}$ . Thus, those two circuits may differ when $\beta=\beta_{0}$ but $(\alpha,\gamma)\neq(\alpha_{0},\gamma_{0})$ . However, it does not happen $\beta=F^{\prime}(\alpha\|(G(\beta)\oplus\gamma))$ in this case due to the injectivity of $F$ . Thus, $D_{\neq\alpha_{0}\|m^{\ast}}^{2}$ and $D_{\neq\alpha_{0}\|m^{\ast},\neq\beta_{0}}^{4}$ are functionally equivalent and we obtain the proposition by applying the IO security.

Proposition B.18.

If $i\mathcal{O}$ is a secure IO, it holds that $\absolutevalue{\Pr[\mathsf{Hyb}_{3}^{2}=1]-\Pr[\mathsf{Hyb}_{4}=1]}\leq{\mathsf{negl}}(\lambda)$ .

Proof of Proposition B.18.

The difference between these two games that we use $D_{\neq\alpha_{0}\|m^{\ast},\neq\beta_{0}}^{4}[F_{\neq\alpha_{0}\|m^{\ast}},G_{\neq\beta_{0}}]$ instead of $D_{\neq\alpha_{0}\|m^{\ast},\neq\beta_{0}}^{4}[F_{\neq\alpha_{0}\|m^{\ast}},G]$ . However, $G_{\neq\beta_{0}}(\beta_{0})$ is never computed by the first item of $D_{\neq\alpha_{0}\|m^{\ast},\neq\beta_{0}}^{4}$ . We obtain the proposition by the IO security.

We complete the proof of Lemma B.15.

Lemma B.19.

If $G$ is a secure PPRF, it holds that $\absolutevalue{\Pr[\mathsf{Hyb}_{4}=1]-\Pr[\mathsf{Hyb}_{5}=1]}\leq{\mathsf{negl}}(\lambda)$ .

Proof of Lemma B.19.

The difference between these two games is that $\gamma_{0}$ is $G(\beta_{0})$ or random. We can immediately obtain the lemma by applying punctured pseudorandomness of $G$ since we use $G_{\neq\beta_{0}}$ in these games.

In $\mathsf{Hyb}_{5}$ , $\alpha_{0}$ , $\beta_{0}$ , and $\gamma_{0}$ are uniformly random strings as $\alpha_{1}$ , $\beta_{1}$ , and $\gamma_{1}$ .

From $\mathsf{Rand}$ to $\mathsf{Hyb}_{5}$ .

We leap to $\mathsf{Rand}$ and move from $\mathsf{Rand}$ to $\mathsf{Rand}_{2}=\mathsf{Hyb}_{5}$ instead of directly moving from $\mathsf{Hyb}_{5}=\mathsf{Rand}_{2}$ to $\mathsf{Rand}$ since $\mathsf{Real}\approx\mathsf{Hyb}_{5}$ and $\mathsf{Rand}_{2}\approx\mathsf{Rand}$ is almost symmetric (but not perfectly symmetric).

Lemma B.20.

If $i\mathcal{O}$ is a secure IO and $F$ is a secure injective PPRF, it holds that

\absolutevalue{\Pr[\mathsf{Rand}=1]-\Pr[\mathsf{Rand}_{1}=1]}\leq{\mathsf{negl}}(\lambda).

Proof of Lemma B.20.

We change $E$ and $D_{\neq x_{1}}$ into $E_{\neq\alpha_{1}\|m^{\ast}}$ and $D_{\neq\alpha_{1}\|m^{\ast}}^{\mathsf{r}}$ , respectively.

We define a sequence of sub-hybrid games.

$\mathsf{rHyb}^{1}$ :: This is the same as $\mathsf{Rand}$ except that we generate $F_{\neq\alpha_{1}\|m^{\ast}}$ and set $F^{\prime}\coloneqq F_{\neq\alpha_{1}\|m^{\ast}}$ and $\mathsf{pe.ek}\coloneqq i\mathcal{O}(E_{\neq\alpha_{1}\|m^{\ast}})$ described in Figure 16.
$\mathsf{rHyb}^{2}$ :: This is the same as $\mathsf{rHyb}^{1}$ except that we set $\mathsf{pe.dk}_{\neq x_{1}}\coloneqq i\mathcal{O}(D_{\neq\alpha_{1}\|m^{\ast}}^{\mathsf{r}\textrm{-}2}[F,G])$ described in Figure 20. That is, we still use $F$ , but the modified circuit that outputs $m^{\ast}$ for input $\alpha_{1}\|\hat{\beta}\|\hat{\gamma}$ , where $\hat{\beta}\coloneqq F(\alpha_{1}\|m^{\ast})$ and $\hat{\gamma}\coloneqq G(\hat{\beta})\oplus m^{\ast}$ .
$\mathsf{rHyb}^{3}$ :: This is the same as $\mathsf{rHyb}^{2}$ except that we set $\mathsf{pe.dk}_{\neq x_{1}}\coloneqq i\mathcal{O}(D_{\neq\alpha_{1}\|m^{\ast}}^{\mathsf{r}}[F,G])$ described in Figure 21. That is, we still use $F$ , but the modified circuit outputs $\bot$ for an input such that $(\alpha,m)=(\alpha_{1},m^{\ast})$ .

Circuit $D_{\neq\alpha^{\ast}\|m^{\ast}}^{\mathsf{r}\textrm{-}2}[F^{\prime},G,\alpha^{\ast},\beta^{\ast},\gamma^{\ast},\hat{\beta},\hat{\gamma},m^{\ast}]$ Constants : Point $x^{\ast}=\alpha^{\ast}\|\beta^{\ast}\|\gamma^{\ast}\in\{0,1\}^{12\ell}$ , injective PPRF $F^{\prime}$ , PPRF $G$ , $\hat{\beta}$ , $\hat{\gamma}$ , $m^{\ast}$ . Inputs: $c=(\alpha\|\beta\|\gamma)$ , where $\alpha\in\{0,1\}^{2\ell}$ , $\beta\in\{0,1\}^{9\ell}$ , and $\gamma\in\{0,1\}^{\ell}$ . 1. If $\alpha=\alpha^{\ast}$ and $\beta=\hat{\beta}$ and $\gamma=\hat{\gamma}$ , output $m^{\ast}$ . 2. If $c=x^{\ast}$ , output $\bot$ . 3. Compute $m=G(\beta)\oplus\gamma$ . 4. If $\beta={\color[rgb]{1,0,0}\definecolor[named]{pgfstrokecolor}{rgb}{1,0,0}\underline{{\color[rgb]{0,0,0}\definecolor[named]{pgfstrokecolor}{rgb}{0,0,0}\pgfsys@color@gray@stroke{0}\pgfsys@color@gray@fill{0}F^{\prime}}}}(\alpha\|m)$ , output $m$ . 5. Else output $\bot$ .

Figure 20: Description of punctured decryption circuit

D_{\neq\alpha^{\ast}\|m^{\ast}}^{\mathsf{r}\textrm{-}2}

Circuit $D_{\neq\alpha^{\ast}\|m^{\ast}}^{\mathsf{r}}[F^{\prime},G,\alpha^{\ast},\beta^{\ast},\gamma^{\ast},\hat{\beta},\hat{\gamma},m^{\ast}]$ Constants : Point $x^{\ast}=\alpha^{\ast}\|\beta^{\ast}\|\gamma^{\ast}\in\{0,1\}^{12\ell}$ , injective PPRF $F^{\prime}$ , PPRF $G$ , $\hat{\beta}$ , $\hat{\gamma}$ , $m^{\ast}$ . Inputs: $c=(\alpha\|\beta\|\gamma)$ , where $\alpha\in\{0,1\}^{2\ell}$ , $\beta\in\{0,1\}^{9\ell}$ , and $\gamma\in\{0,1\}^{\ell}$ . 1. If $\alpha=\alpha^{\ast}$ and $\beta=\hat{\beta}$ and $\gamma=\hat{\gamma}$ , output $m^{\ast}$ . 2. If $c=x^{\ast}$ , output $\bot$ . 3. Compute $m=G(\beta)\oplus\gamma$ . 4. If $(\alpha,m)=(\alpha^{\ast},m^{\ast})$ , output $\bot$ . 5. If $\beta={\color[rgb]{1,0,0}\definecolor[named]{pgfstrokecolor}{rgb}{1,0,0}\underline{{\color[rgb]{0,0,0}\definecolor[named]{pgfstrokecolor}{rgb}{0,0,0}\pgfsys@color@gray@stroke{0}\pgfsys@color@gray@fill{0}F^{\prime}}}}(\alpha\|m)$ , output $m$ . 6. Else output $\bot$ .

Figure 21: Description of punctured decryption circuit

D_{\neq\alpha^{\ast}\|m^{\ast}}^{\mathsf{r}}

Proposition B.21.

If $i\mathcal{O}$ is a secure IO, it holds that $\absolutevalue{\Pr[\mathsf{Rand}=1]-\Pr[\mathsf{rHyb}^{1}=1]}\leq{\mathsf{negl}}(\lambda)$ .

Proof of Proposition B.21.

In these games, value $\alpha_{1}\leftarrow\{0,1\}^{2\ell}$ is not in the image of $\mathsf{PRG}$ except with negligible probability. Thus, $E$ and $E_{\neq\alpha_{1}\|m^{\ast}}$ are functionally equivalent except with negligible probability. We can obtain the proposition by applying the IO security.

Proposition B.22.

If $i\mathcal{O}$ is a secure IO and $F$ is injective, it holds that $\absolutevalue{\Pr[\mathsf{rHyb}^{1}=1]-\Pr[\mathsf{rHyb}^{2}=1]}\leq{\mathsf{negl}}(\lambda)$ .

Proof of Proposition B.22.

The difference between $D_{\neq x_{1}}$ and $D_{\neq\alpha_{1}\|m^{\ast}}^{\mathsf{r}\textrm{-}2}$ is “If $\alpha=\alpha^{\ast}$ and $\beta=\hat{\beta}$ and $\gamma=\hat{\gamma}$ , output $m^{\ast}$ .”. Although $\alpha_{1}\|\hat{\beta}\|\hat{\gamma}$ is a valid encryption, $\hat{\beta}=F(\alpha_{1}\|m^{\ast})$ is not equal to $\beta_{1}$ except with negligible probability since $\beta_{1}$ is uniformly random. Similarly, $\hat{\gamma}$ is not equal to $\gamma_{1}$ except with negligible probability. Thus, $D_{\neq x_{1}}(\alpha_{1}\|\hat{\beta}\|\hat{\gamma})$ outputs $m^{\ast}$ . That is, $D_{\neq x_{1}}$ and $D_{\neq\alpha_{1}\|m^{\ast}}^{\mathsf{r}\textrm{-}2}$ are functionally equivalent. We can obtain the proposition by applying the IO security.

Proposition B.23.

If $i\mathcal{O}$ is a secure IO and $F$ is injective, it holds that $\absolutevalue{\Pr[\mathsf{rHyb}^{2}=1]-\Pr[\mathsf{rHyb}^{3}=1]}\leq{\mathsf{negl}}(\lambda)$ .

Proof of Proposition B.23.

We analyze the case where $(\alpha,m)=(\alpha_{1},m^{\ast})$ . We can reach the forth line of $D_{\neq\alpha_{1}\|m^{\ast}}^{\mathsf{r}}$ if $c\neq x_{1}$ . If $c\neq x_{1}$ and $(\alpha,m)=(\alpha_{1},m^{\ast})$ , it holds that $(\beta,\gamma)\neq(\beta_{1},\gamma_{1})$ . However, it should be $\beta_{1}=\beta$ in this case due to the injectivity of $F$ . That is, if $D_{\neq\alpha_{1}\|m^{\ast}}^{\mathsf{r}}(c)$ outputs $\bot$ at the fourth line, $D_{\neq\alpha_{1}\|m^{\ast}}^{\mathsf{r}\textrm{-}2}(c)$ also outputs $\bot$ at the second line. Therefore, $D_{\neq\alpha_{1}\|m^{\ast}}^{\mathsf{r}\textrm{-}2}$ and $D_{\neq\alpha_{1}\|m^{\ast}}^{\mathsf{r}}$ are functionally equivalent. We can obtain the proposition by applying the IO security.

Proposition B.24.

If $i\mathcal{O}$ is a secure IO, it holds that $\absolutevalue{\Pr[\mathsf{rHyb}^{3}=1]-\Pr[\mathsf{Rand}_{1}=1]}\leq{\mathsf{negl}}(\lambda)$ .

Proof of Proposition B.24.

Due to the exceptional handling in the fourth line of $D_{\neq\alpha_{1}\|m^{\ast}}^{\mathsf{r}}$ , $F(\alpha\|m)$ is never computed for input $(\alpha_{1},m^{\ast})$ . Thus, even if we use $F_{\neq\alpha_{1}\|m^{\ast}}$ instead of $F$ , $D_{\neq\alpha_{1}\|m^{\ast}}^{\mathsf{r}}[F]$ and $D_{\neq\alpha_{1}\|m^{\ast}}^{\mathsf{r}}[F_{\neq\alpha_{1}\|m^{\ast}}]$ are functionally equivalent. We can obtain the proposition by the IO security.

We complete the proof of Lemma B.20.

Lemma B.25.

If $i\mathcal{O}$ is a secure IO, $F$ is a secure injective PPRF, and $(\mathsf{Com}.\mathsf{Gen},\mathsf{Com})$ is a secure injective bit-commitment with setup, it holds that $\absolutevalue{\Pr[\mathsf{Rand}_{1}=1]-\Pr[\mathsf{Rand}_{2}=1]}\leq{\mathsf{negl}}(\lambda)$ .

Proof of Lemma B.25.

We change $E_{\neq\alpha^{\ast}\|m^{\ast}}$ and $D_{\neq\alpha^{\ast}\|m^{\ast}}^{\mathsf{r}}$ into $E_{\neq\alpha^{\ast}\|m^{\ast},\neq\beta^{\ast}}$ and $D_{\neq\alpha^{\ast}\|m^{\ast},\neq\beta^{\ast}}^{4}$ , respectively.

Circuit $D_{\neq\alpha^{\ast}\|m^{\ast}}^{\mathsf{com}}[F^{\prime},G,\alpha^{\ast},\beta^{\ast},\gamma^{\ast},\hat{z},\mathsf{ck},\hat{\gamma},m^{\ast}]$ Constants : Point $x^{\ast}=\alpha^{\ast}\|\beta^{\ast}\|\gamma^{\ast}\in\{0,1\}^{12\ell}$ , injective PPRF $F^{\prime}$ , PPRF $G$ , $m^{\ast}$ , $\hat{z}$ , $\mathsf{ck}$ , $\hat{\gamma}$ . Inputs: $c=(\alpha\|\beta\|\gamma)$ , where $\alpha\in\{0,1\}^{2\ell}$ , $\beta\in\{0,1\}^{9\ell}$ , and $\gamma\in\{0,1\}^{\ell}$ . 1. If $\alpha=\alpha^{\ast}$ and $\mathsf{Com}_{\mathsf{ck}}(0;\beta)=\hat{z}$ and $\gamma=\hat{\gamma}$ , output $m^{\ast}$ . 2. If $c=x^{\ast}$ , output $\bot$ . 3. Compute $m=G(\beta)\oplus\gamma$ . 4. If $(\alpha,m)=(\alpha^{\ast},m^{\ast})$ , output $\bot$ . 5. If $\beta=F^{\prime}(\alpha\|m)$ , output $m$ . 6. Else output $\bot$ .

Figure 22: Description of punctured decryption circuit

D_{\neq\alpha^{\ast}\|m^{\ast}}^{\mathsf{com}}

Circuit $D_{\neq\alpha^{\ast}\|m^{\ast}}^{\mathsf{F}}[F^{\prime},G,\alpha^{\ast},\beta^{\ast},\gamma^{\ast},m^{\ast},\hat{z},\hat{\gamma}]$ Constants : Point $x^{\ast}=\alpha^{\ast}\|\beta^{\ast}\|\gamma^{\ast}\in\{0,1\}^{12\ell}$ , injective PPRF $F^{\prime}$ , PPRF $G$ , $m^{\ast}$ , $\hat{z}$ , $\hat{\gamma}$ . Inputs: $c=(\alpha\|\beta\|\gamma)$ , where $\alpha\in\{0,1\}^{2\ell}$ , $\beta\in\{0,1\}^{9\ell}$ , and $\gamma\in\{0,1\}^{\ell}$ . 1. If $\alpha=\alpha^{\ast}$ and False and $\gamma=\hat{\gamma}$ , output $m^{\ast}$ . // Never triggered 2. If $c=x^{\ast}$ , output $\bot$ . 3. Compute $m=G(\beta)\oplus\gamma$ . 4. If $(\alpha,m)=(\alpha^{\ast},m^{\ast})$ , output $\bot$ . 5. If $\beta=F^{\prime}(\alpha\|m)$ , output $m$ . 6. Else output $\bot$ .

Figure 23: Description of punctured decryption circuit

D_{\neq\alpha^{\ast}\|m^{\ast}}^{\mathsf{F}}

We define a sequence of sub-hybrid games.

$\mathsf{rHyb}_{1}^{1}$ :: This is the same as $\mathsf{Rand}_{1}$ except that we use $\hat{\beta}\leftarrow\{0,1\}^{9\ell}$ instead of $F(\alpha_{1}\|m^{\ast})$ .
$\mathsf{rHyb}_{1}^{2}$ :: This is the same as $\mathsf{rHyb}_{1}^{1}$ except that we use $D_{\neq\alpha_{1}\|m^{\ast}}^{\mathsf{com}}$ described in Figure 22, where $\mathsf{ck}\leftarrow\mathsf{Com}.\mathsf{Gen}(1^{\lambda})$ and $\hat{z}=\mathsf{Com}_{\mathsf{ck}}(0;\hat{\beta})$ are hardwired, instead of $D_{\neq\alpha_{1}\|m^{\ast}}^{\mathsf{r}}$ .
$\mathsf{rHyb}_{1}^{3}$ :: This is the same as $\mathsf{rHyb}_{1}^{2}$ except that we hard-code $\hat{z}=\mathsf{Com}_{\mathsf{ck}}(1;\hat{\beta})$ into $D_{\neq\alpha_{1}\|m^{\ast}}^{\mathsf{com}}$ instead of $\mathsf{Com}_{\mathsf{ck}}(0;\hat{\beta})$ .
$\mathsf{rHyb}_{1}^{4}$ :: This is the same as $\mathsf{rHyb}_{1}^{3}$ except that we use $D_{\neq\alpha_{1}\|m^{\ast}}^{\mathsf{F}}$ described in Figure 23
$\mathsf{rHyb}_{1}^{5}$ :: This is the same as $\mathsf{rHyb}_{1}^{4}$ except that we use punctured $G_{\neq\beta_{1}}$ and set $\mathsf{pe.ek}\coloneqq i\mathcal{O}(E_{\neq\alpha_{1}\|m^{\ast},\neq\beta_{1}}[F_{\neq\alpha_{1}\|m^{\ast}},G_{\neq\beta_{1}}])$ .
$\mathsf{rHyb}_{1}^{6}$ :: This is the same as $\mathsf{rHyb}_{1}^{5}$ except that we still use $G$ but set $\mathsf{pe.dk}_{\neq c_{1}}\coloneqq i\mathcal{O}(D_{\neq\alpha_{1}\|m^{\ast},\neq\beta_{1}}^{4}[F_{\neq\alpha_{1}\|m^{\ast}},G])$ .

Proposition B.26.

If $F$ is a secure PPRF, it holds that $\absolutevalue{\Pr[\mathsf{Rand}_{1}=1]-\Pr[\mathsf{rHyb}_{1}^{1}=1]}\leq{\mathsf{negl}}(\lambda)$ .

Proof of Proposition B.26.

In these games, we use $F_{\neq\alpha_{1}\|m^{\ast}}$ in $E_{\neq\alpha^{1}\|m^{\ast}}$ and $D_{\neq\alpha_{1}\|m^{\ast}}^{\mathsf{r}}$ . Thus, we can apply the punctured pseudorandomness and immediately obtain the proposition.

Proposition B.27.

If $i\mathcal{O}$ is a secure IO and $\mathsf{Com}_{\mathsf{ck}}$ is injective, it holds that

\absolutevalue{\Pr[\mathsf{rHyb}_{1}^{1}=1]-\Pr[\mathsf{rHyb}_{1}^{2}=1]}\leq{\mathsf{negl}}(\lambda).

Proof of Proposition B.27.

The difference between $D_{\neq\alpha_{1}\|m^{\ast}}^{\mathsf{com}}$ and $D_{\neq\alpha_{1}\|m^{\ast}}^{\mathsf{r}}$ is whether we use “ $\mathsf{Com}_{\mathsf{ck}}(0;\beta)=\hat{z}$ ” or “ $\beta=\hat{\beta}$ ”, where $\hat{z}=\mathsf{Com}_{\mathsf{ck}}(0;\hat{\beta})$ and $\mathsf{ck}\leftarrow\mathsf{Com}.\mathsf{Gen}(1^{\lambda})$ . Since $\mathsf{Com}$ is injective, these two conditions are equivalent. Therefore, those two circuits are functionally equivalent. We obtain the proposition by applying the IO security.

Proposition B.28.

If $(\mathsf{Com}.\mathsf{Gen},\mathsf{Com})$ is computationally hiding, it holds that

\absolutevalue{\Pr[\mathsf{rHyb}_{1}^{2}=1]-\Pr[\mathsf{rHyb}_{1}^{3}=1]}\leq{\mathsf{negl}}(\lambda).

Proof of Proposition B.28.

The only difference between these two games is that $\hat{z}=\mathsf{Com}_{\mathsf{ck}}(0;\hat{\beta})$ or $\hat{z}=\mathsf{Com}_{\mathsf{ck}}(1;\hat{\beta})$ . Note that $\hat{\beta}$ is never used anywhere else. We can obtain the proposition by the hiding property of $\mathsf{Com}$ .

Proposition B.29.

If $i\mathcal{O}$ is a secure IO and $(\mathsf{Com}.\mathsf{Gen},\mathsf{Com})$ is statistically binding, it holds that $\absolutevalue{\Pr[\mathsf{rHyb}_{1}^{3}=1]-\Pr[\mathsf{rHyb}_{1}^{4}=1]}\leq{\mathsf{negl}}(\lambda)$ .

Proof of Proposition B.29.

The difference between $D_{\neq\alpha_{1}\|m^{\ast}}^{\mathsf{F}}$ and $D_{\neq\alpha_{1}\|m^{\ast}}^{\mathsf{com}}$ is that the first line of $D_{\neq\alpha_{1}\|m^{\ast}}^{\mathsf{F}}$ is never executed. However, $\hat{z}=\mathsf{Com}_{\mathsf{ck}}(1;\hat{\beta})$ is hardwired in $D_{\neq\alpha_{1}\|m^{\ast}}^{\mathsf{com}}$ . Thus, the first line of $D_{\neq\alpha_{1}\|m^{\ast}}^{\mathsf{com}}$ , in particular, condition “ $\mathsf{Com}_{\mathsf{ck}}(0;\beta)=\hat{z}=\mathsf{Com}_{\mathsf{ck}}(1;\hat{\beta})$ ” is also never true except negligible probability due to the statistical binding property of $\mathsf{Com}$ . That is, these two circuits are functionally equivalent except negligible probability. We obtain the proposition by applying the IO security.

Proposition B.30.

If $i\mathcal{O}$ is a secure IO, it holds that $\absolutevalue{\Pr[\mathsf{rHyb}_{1}^{4}=1]-\Pr[\mathsf{rHyb}_{1}^{5}=1]}\leq{\mathsf{negl}}(\lambda)$ .

Proof of Proposition B.30.

In these games $\beta_{1}\leftarrow\{0,1\}^{9\ell}$ is uniformly random. By the sparsity of $F$ , $\beta_{1}$ is not in the image of $F$ except with negligible probability. Thus, $E_{\neq\alpha_{1}\|m^{\ast}}$ and $E_{\neq\alpha_{1}\|m^{\ast},\neq\beta_{1}}$ are functionally equivalent except with negligible probability. We obtain the proposition by the IO security.

Proposition B.31.

If $i\mathcal{O}$ is a secure IO, it holds that $\absolutevalue{\Pr[\mathsf{rHyb}_{1}^{5}=1]-\Pr[\mathsf{rHyb}_{1}^{6}=1]}\leq{\mathsf{negl}}(\lambda)$ .

Proof of Proposition B.31.

The difference between $D_{\neq\alpha_{1}\|m^{\ast}}^{\mathsf{F}}$ in Figure 23 and $D_{\neq\alpha_{1}\|m^{\ast},\neq\beta_{1}}^{4}$ in Figure 19 is that we replace “If $c=x_{1}$ , outputs $\bot$ .” with “If $\beta=\beta_{1}$ , outputs $\bot$ .” since the first line of $D_{\neq\alpha_{1}\|m^{\ast}}^{\mathsf{F}}$ is never triggered. In these games, $\beta_{1}\leftarrow\{0,1\}^{9\ell}$ is not in the image of $F$ except with negligible probability. Recall that $c=x_{1}$ means $c=\alpha_{1}\|\beta_{1}\|\gamma_{1}$ . Thus, those two circuits may differ when $\beta=\beta_{1}$ but $(\alpha,\gamma)\neq(\alpha_{1},\gamma_{1})$ . However, it does not happen $\beta=F^{\prime}(\alpha\|(G(\beta)\oplus\gamma))$ in this case due to the injectivity of $F$ . Thus, $D_{\neq\alpha_{1}\|m^{\ast}}^{\mathsf{F}}$ and $D_{\neq\alpha_{1}\|m^{\ast},\neq\beta_{1}}^{4}$ are functionally equivalent and we obtain the proposition by applying the IO security.

Proposition B.32.

If $i\mathcal{O}$ is a secure IO, it holds that $\absolutevalue{\Pr[\mathsf{rHyb}_{1}^{6}=1]-\Pr[\mathsf{Rand}_{2}=1]}\leq{\mathsf{negl}}(\lambda)$ .

Proof of Proposition B.32.

The difference between these two games that we use $D_{\neq\alpha_{1}\|m^{\ast},\neq\beta_{1}}^{4}[F_{\neq\alpha_{1}\|m^{\ast}},G_{\neq\beta_{1}}]$ instead of $D_{\neq\alpha_{1}\|m^{\ast},\neq\beta_{1}}^{4}[F_{\neq\alpha_{1}\|m^{\ast}},G]$ . However, $G_{\neq\beta_{1}}(\beta_{1})$ is never computed by the first line of $D_{\neq\alpha_{1}\|m^{\ast},\neq\beta_{1}}^{4}$ . We obtain the proposition by the IO security.

We complete the proof of Lemma B.25.

B.4 Original Ciphertext Pseudorandomness of PE

We describe the original ciphertext pseudorandomness of PE defined by Cohen et al. [CHN⁺18] in this section for reference.

Definition B.33 (Ciphertext Pseudorandomness).

We define the following experiment $\mathsf{Expt}_{\mathcal{A}}^{\mathsf{cpr}}(\lambda)$ for PE.

1.

$\mathcal{A}$ sends a message $m^{\ast}\in\{0,1\}^{{\ell_{\mathsf{p}}}}$ to the challenger.

The challenger does the following:

•

Generate $(\mathsf{ek},\mathsf{dk})\leftarrow\mathsf{Gen}(1^{\lambda})$
•

Compute encryption $c^{\ast}\leftarrow\mathsf{Enc}(\mathsf{ek},m^{\ast})$ .
•

Choose $r^{\ast}\leftarrow\{0,1\}^{{\ell_{\mathsf{ct}}}}$ .
•

Generate the punctured key $\mathsf{dk}_{\notin\{c^{\ast},r^{\ast}\}}\leftarrow\mathsf{Puncture}(\mathsf{dk},\{c^{\ast},r^{\ast}\})$

•

Choose $\mathsf{coin}\leftarrow\{0,1\}$ and sends the following to $\mathcal{A}$ :

	$\displaystyle(c^{\ast},r^{\ast},\mathsf{ek},\mathsf{dk}_{\notin\{c^{\ast},r^{\ast}\}})$	$\displaystyle\text{ if }\mathsf{coin}=0$		(42)
	$\displaystyle(r^{\ast},c^{\ast},\mathsf{ek},\mathsf{dk}_{\notin\{c^{\ast},r^{\ast}\}})$	$\displaystyle\text{ if }\mathsf{coin}=1$		(43)

3.

$\mathcal{A}$ outputs $\mathsf{coin}^{\ast}$ and the experiment outputs $1$ if $\mathsf{coin}=\mathsf{coin}^{\ast}$ ; otherwise $0$ .

We say that $\mathsf{PE}$ has ciphertext pseudorandomness if for every QPT adversary $\mathcal{A}$ , it holds that

\mathsf{Adv}_{\mathcal{A}}^{\mathsf{cpr}}(\lambda)\coloneqq 2\cdot\Pr[\mathsf{Expt}_{\mathcal{A}}^{\mathsf{cpr}}(\lambda)=1]-1\leq{\mathsf{negl}}(\lambda).

Issue in the proof by Cohen et al.

In the watermarking PRF by Cohen et al. [CHN⁺18], we use $x_{0}\leftarrow\mathsf{PE}.\mathsf{Enc}(\mathsf{pe.ek},a\|b\|c\|i)$ to extract an embedded message. They replace $x_{0}\leftarrow\mathsf{PE}.\mathsf{Enc}(\mathsf{pe.ek},a\|b\|c\|i)$ with $x_{1}\leftarrow\{0,1\}^{{\ell_{\mathsf{ct}}}}$ in their proof of unremovability [CHN⁺18, Lemma 6.7]. Then, they use PRG security [CHN⁺18, Lemma 6.8] to replace $\mathsf{PRG}(c)$ with a uniformly random string since the information about $c$ disappears from the PE ciphertext. However, there is a subtle issue here. The information about $c$ remains in the punctured decryption key $\mathsf{dk}_{\notin\{x_{0},x_{1}\}}\leftarrow\mathsf{Puncture}(\mathsf{pe.dk},\{x_{0},x_{1}\})$ , which is punctured both at $x_{0}$ and $x_{1}$ , since they use ciphertext pseudorandomness in Definition B.33 and need to use the punctured decryption key. Thus, we cannot apply PRG security even after we apply the ciphertext pseudorandomness in Definition B.33. This is the reason why we introduce the strong ciphertext pseudorandomness in Definition 7.3.

Watermarking PRFs against Quantum Adversaries

Abstract

1 Introduction

1.1 Background

1.2 Our Result

1.3 Technical Overview

Syntax of watermarking PRF.

Definition of unremovability against quantum adversaries.

Difficulty of quantum watermarking PRF.

Our solution: Use of reverse projective property.

Via extraction-less watermarking PRF.

Comparison with the work by Zhandry [Zha20].

Instantiating extraction-less watermarking PRF.

1.4 More on Related Work

Watermarking against classical adversaries.

Learning information from adversarial entities in the quantum setting.

Application of (classical) watermarking.

2 Preliminaries

Notations and conventions.

2.1 Quantum Information

Definition 2.1 (Quantum Program with Classical Inputs and Outputs [ALL+21]).

Definition 2.2 (Positive Operator-Valued Measure).

Definition 2.3 (Quantum Measurement).

Definition 2.4 (Projective Measurement/POVM).

Definition 2.5 (Controlled Projection).

2.2 Measurement Implementation

Definition 2.6 (Projective Implementation).

Theorem 2.7 ([Zha20, Lemma 1]).

Definition 2.8 (Shift Distance).

Definition 2.9 ((ϵ,δ)(\epsilon,\delta)-Almost Projective [Zha20]).

Theorem 2.10 ([Zha20, Theorem 2]).

Theorem 2.11 ([Zha20, Corollary 1]).

Definition 2.12 ((ϵ,δ)(\epsilon,\delta)-Reverse Almost Projective).

Lemma 2.13 ([Jor75]).

Theorem 2.14.

Proof of Theorem 2.14.

2.3 Cryptographic Tools

Definition 2.15 (Learning with Errors).

Definition 2.16 (Pseudorandom Generator).

Theorem 2.17 ([HILL99]).

Definition 2.18 (Quantum-Accessible Pseudo-Random Function).

Theorem 2.19 ([Zha12a]).

Definition 2.20 (Puncturable PRF).

Theorem 2.21 ([GGM86, BW13, BGI14, KPTZ13]).

Definition 2.22 (SKE).

Definition 2.23 (Ciphertext Pseudorandomness for SKE).

Theorem 2.24.

Definition 2.25 (Constrained PRF (Syntax)).

Definition 2.26 (Security for CPRF).

Theorem 2.27 ([BTVW17, PS18]).

Definition 2.28 (PKE).

Definition 2.29 (CCA Security for PKE).

Theorem 2.30 ([Pei09]).

Definition 2.31 (Indistinguishability Obfuscator [BGI+12]).

3 Definition of Quantum Watermarking

3.1 Syntax and Pseudorandomness

Definition 3.1 (Watermarking PRF).

Remark 3.2 (On extraction correctness).

Remark 3.3 (On public marking).

Remark 3.4 (On private marking).

Discussion on syntax.

Extended pseudorandomness.

Definition 3.5 (Extended Weak Pseudorandomness against Authority).

3.2 Unremovability against Quantum Adversaries

Definition 3.6 (Unremovability for private extraction).

Remark 3.7 (On attack model).

Remark 3.8 (On selective message).

Definition 3.9 (Unremovability for Public Extraction).

4 Definition of Extraction-Less Watermarking

4.1 Syntax and Pseudorandomness

Definition 4.1 (Extraction-Less Watermarking PRF).

Extended pseudorandomness.

4.2 Simulatability for Mark-Dependent Distributions (SIM-MDD Security)

Definition 4.2 (SIM-MDD Security with Private Simulation).

Remark 4.3 (On multi challenge security).

SIM-MDD security with private simulation under the 𝒜​𝒫​ℐ\mathpzc{API} oracle.

Remark 4.4.

Definition 4.5 (QSIM-MDD Security with Private Simulation).

Theorem 4.6.

Definition 4.7 (SIM-MDD Security with Public Simulation).

Definition 2.1 (Quantum Program with Classical Inputs and Outputs [ALL⁺21]).

Definition 2.9 ( $(\epsilon,\delta)$ -Almost Projective [Zha20]).

Definition 2.12 ( $(\epsilon,\delta)$ -Reverse Almost Projective).

Definition 2.31 (Indistinguishability Obfuscator [BGI⁺12]).

SIM-MDD security with private simulation under the $\mathpzc{API}$ oracle.

The proof of $\Pr[\mathsf{GoodExt}]\geq\Pr[\mathsf{Live}]-{\mathsf{negl}}(\lambda)$ .

The proof of $\Pr[\mathsf{BadExt}]\leq{\mathsf{negl}}(\lambda)$ .

The case $\gamma^{\ast}=\mathsf{m}[i]$ .

The case where $\gamma^{\ast}\neq\mathsf{m}[i]$ .