Cryptology ePrint Archive: Report 2020/316

Beyond Software Watermarking: Traitor-Tracing for Pseudorandom Functions

Rishab Goyal and Sam Kim and Brent Waters and David J. Wu

Abstract: A software watermarking scheme provides a method to prevent unauthorized distribution of software. Specifically, watermarking schemes allow a user to embed an identifier into a piece of code such that the resulting program is nearly functionally-equivalent to the original program, and yet, it is difficult to remove the identifier without destroying the functionality of the program. Existing constructions of watermarking have focused primarily on watermarking pseudorandom functions (PRFs).

In this work, we revisit the definitional foundations of watermarking, and begin by highlighting a major limitation in the existing security notion. Currently, the security requirement in watermarking schemes only requires that the identifier be successfully extracted from programs that preserve the exact input/output behavior of the original program. In the context of PRFs, this means that an adversary that constructs a program which computes a quarter of the output bits of the PRF or that is able to distinguish the outputs of the PRF from random are considered to be outside the threat model. However, in any application (e.g., watermarking a decryption device or an authentication token) that relies on PRF security, an adversary that manages to predict a quarter of the bits or distinguishes the PRF outputs from random would be considered to have defeated the scheme. Thus, existing watermarking schemes provide very little, if any, security guarantee against realistic adversaries. We emphasize that none of the existing constructions of watermarkable PRFs would be able to extract the identifier from a program that only outputs a quarter of the bits of the PRF or one that perfectly distinguishes.

To address the shortcomings in existing watermarkable PRF definitions, we introduce a new primitive called a traceable PRF. Our definitions are inspired by similar definitions from public-key traitor tracing, and aim to capture a very robust set of adversaries: namely, any adversary that produces a useful distinguisher (i.e., a program that can break PRF security), can be traced to a specific identifier. We provide a general framework for constructing traceable PRFs via an intermediate primitive called private linear constrained PRFs. Finally, we show how to construct traceable PRFs from a similar set of assumptions previously used to realize software watermarking. Namely, we obtain a single-key traceable PRF from standard lattice assumptions and a fully collusion-resistant traceable PRF from indistinguishability obfuscation (together with injective one-way functions).

Category / Keywords: secret-key cryptography / Traitor Tracing, Pseudorandom Functions, Watermarking

Date: received 13 Mar 2020

Contact author: goyal at utexas edu,skim13@cs stanford edu,bwaters@cs utexas edu,dwu4@virginia edu

Available format(s): PDF | BibTeX Citation

Version: 20200315:162614 (All versions of this report)

Short URL: ia.cr/2020/316


[ Cryptology ePrint archive ]