Watermarking public‐key cryptographic functionalities and implementations: The case of encryption and signatures

CODAMODA: ERC; General Secretariat for Research and Innovation, Greece; PRIVILEDGE: EU Project No. 780477

Abstract

A watermarking scheme for a public-key cryptographic functionality enables the embedding of a mark in the instance of the secret-key algorithm such that the functionality of the original scheme is maintained, while it is infeasible for an adversary to remove the mark (unremovability) or to mark a fresh object without the marking key (unforgeability). A number of works have appeared in the literature proposing different definitional frameworks and schemes secure under a wide range of assumptions. In previous work [1, 2], the authors proposed a meaningful relaxation of the watermarking model and gave constructions that allow direct watermarking of popular cryptographic schemes (e.g. ElGamal encryption). Here, a definitional framework for watermarking public-key cryptographic functionalities and implementations is provided which covers both deterministic (e.g. decryption) and probabilistic (e.g. signing) secret-key algorithms. The authors' work unifies the previous results of [1, 2], where deterministic and probabilistic circuits to be watermarked were considered as separate cases. The constructions of [1, 2] were previously presented as extended abstracts lacking rigorous security proofs; the authors prove those constructions secure under their new, unified framework. The authors' schemes provide secret detection of the watermark, and their security is proved under minimal hardness assumptions, namely only the existence of one-way functions.


1 | INTRODUCTION
Watermarking is a powerful tool widely used in practice to protect copyrighted material. Watermarking digital objects like pictures, video or software is usually achieved by embedding a special piece of information, the mark, into the object so that it is difficult for an adversary to remove it without damaging the object itself (unremovability). At the same time, the embedding of the mark should not result in a significantly different object, or in an object with a different functionality. A plethora of watermarking schemes exists in the literature [3][4][5][6] (and references therein), most of them focusing on watermarking 'static' or 'perceptual' objects (e.g. images); formal security definitions for watermarking 'perceptual' objects have been given by Hopper et al. [7].
Besides perceptual objects, there has recently been a focus on software watermarking and, more precisely, on watermarking cryptographic functionalities. Watermarking cryptographic functions has various real-life applications. Consider, for instance, the case of VPN clients. An organization might wish to distribute VPN clients to its employees, where each employee is assigned a public/secret-key pair. Watermarking a VPN client could potentially restrict an employee from sharing her client for the following reason: due to the unremovability and unforgeability properties, if one is given any client, she would be able to detect to whom the client belongs, assuming that the ID of the user is embedded as the watermark. The first rigorous definitions for software watermarking were given by Barak et al. [8,9]. Informally speaking, according to [8,9], a marking algorithm marks a program/circuit C by producing a new, marked circuit which does not alter the functionality of C. Then, a detection algorithm can deduce, for any circuit given as input, whether it is marked or not. The basic security requirement that should be satisfied by a watermarking scheme is fragility/unremovability, which requires that no polynomial time adversary should be able to remove the 'mark' from a marked circuit unless it substantially changes its functionality. Having set their definitional framework, in [8,9] the authors explore the relation of software watermarking with the notion of indistinguishability obfuscation (iO) [8][9][10] and provide an impossibility result. In particular, they show that if a marked circuit has exactly the same functionality as the original circuit C, then under the assumption that iO exists, watermarking is impossible.
Nishimaki [11] (cf. also [12]), inspired by the definitions of watermarking given by Hopper et al. [7], suggests a model for watermarking cryptographic functions (i.e. functions that are characterized by some key) and proposes the first watermarking scheme for lossy trapdoor functions [13]. Apart from the notion of non-removability, and similarly to [7], the notion of unforgeability is introduced for the case of cryptographic functions. Informally, unforgeability captures that no adversary can mark functions on its own without having access to the marking key. In [11], the impossibility result of Barak et al. [8,9] is circumvented by restricting the adversaries in the security games to output functions that preserve a specific format. We note that Naccache et al. [14] considered the problem of 'copyrighting' public-key encryption schemes before [8,9,11]; however, similarly to [11], they also place restrictions on the adversary's outputs.
Cohen et al. [15,16] (a merged result of [17,18]) were the first to consider general adversaries. Motivated by the fact that the impossibility result of [8,9] does not hold if a marked circuit is only approximately close to the original unmarked one, they propose a watermarking scheme for any family of puncturable pseudorandom functions (PRFs) [19][20][21][22]. Their construction satisfies unremovability without placing any restrictions on the adversary's strategy, based on the strong assumption that iO exists. In addition, it supports public detection, which means that any entity can detect whether a circuit is marked, or extract a specific message from a circuit, based only on public information. We note that the notion of unforgeability is not considered in [15]; however, some preliminary results related to this notion appeared in [17]. In particular, the construction of [17] for puncturable PRFs satisfies a weaker notion of unforgeability called relaxed unforgeability. Interestingly, a recent work of Yang et al. [23] shows how to achieve standard unforgeability starting from the construction in [17]. Cohen et al. [15,16] also describe how to construct 'Watermarkable Public-key Encryption' and 'Watermarkable Signatures'. This is accomplished by using the result of Sahai and Waters [19], who construct public-key encryption schemes and digital signature schemes based on iO by setting the decryption and signing algorithms to be essentially just an evaluation of a puncturable PRF.
Boneh et al. [24] construct a watermarkable family of PRFs based on a primitive called private programmable PRFs, which they instantiate by relying on iO. Kim and Wu [25] overcome the burden of relying on a 'heavy' assumption like iO and suggest a watermarking construction for a family of PRFs based on standard lattice assumptions. Quach et al. [26] provided a watermarking construction for a family of PRFs which relies on standard assumptions and supports public marking, a property which allows any entity to mark a function of the family by itself instead of relying on a trusted authority. Additional constructions for watermarking PRFs from standard assumptions were given in [27,28]. Yang et al. [29] introduce the notion of collusion-resistant watermarking, where an adversary is capable of receiving multiple watermarked copies of the same circuit embedded with different messages. The authors provide a watermarking scheme for PRFs and, based on that and the constructions of Sahai and Waters [19], propose constructions for primitives like public-key encryption, digital signatures, symmetric-key encryption and message-authentication codes.
Baldimtsi et al. [1] propose an alternative, more relaxed model for watermarking which is focused on watermarking public-key cryptographic functionalities. Based on the proposed model, they provide watermarking schemes under minimal hardness assumptions. In particular, they provide constructions for public-key encryption with private marking and with both private and public detection, assuming one-way functions and identity-based encryption (IBE) [30], respectively. In a follow-up work, Baldimtsi et al. [2] modify the model of [1] to be suitable for capturing probabilistic circuits, such as probabilistic signing algorithms, and propose a watermarking construction for a class of digital signature schemes.
On the front of watermarking public-key cryptographic primitives, Goyal et al. [31] propose two schemes: (1) a private marking and private detection (with message extraction) watermarking scheme for attribute-based encryption (ABE) from mixed functional encryption (FE) and delegatable ABE, which can be instantiated under the LWE assumption, and (2) a public marking and public extraction scheme for predicate encryption from (bounded collusion-resistant) hierarchical FE, which can be instantiated from any PKE. The constructions of [31] are highly inefficient, as they rely on heavy tools like mixed FE and hierarchical FE. Very recently, Nishimaki [32] presented a framework to equip public-key cryptographic schemes with watermarking functionalities without the need for additional security assumptions beyond the ones assumed by the PK primitive, under the limitation that the underlying public-key primitive needs to have an all-but-one security reduction (as defined in [32]) and only provides selective security (i.e. adversaries must commit to a target attribute at the beginning of the security game).

Related notions to watermarking. Leakage-deterring public-key cryptography, as defined in [33], captures the idea that some personal information is embedded in the public key of a user such that, if she decides to share her secret key (or a partially working implementation of her decryption function), the recipient can extract the private information embedded in the public key. Although related to watermarking, leakage-deterring cryptography focuses on embedding private information in a cryptosystem such that it remains hidden unless the secret key is shared. Privacy is not an issue in watermarking, thus the construction techniques are technically and conceptually different.
Watermarking public-key encryption functionalities is also related to the notion of traitor tracing, which was put forth by Chor et al. [34]. Since then, this primitive has attracted a lot of attention and a multitude of schemes have appeared achieving various properties and secure under different assumptions, for example [35][36][37][38][39]. In traitor tracing, an authority delivers keys to a set of users and encrypts content which is intended to be decrypted by all users, or by a subset of them in cases where the authority is capable of revoking decryption keys (i.e. trace-and-revoke schemes). In the event that a number of users collude by constructing an even partially working implementation of the decryption function, the authority can identify at least one of the colluding users. In our view, the basic difference between the notions of watermarking and traitor tracing is that in traitor tracing schemes users share functionality, as the goal is to decrypt the same ciphertext, while in watermarking users should not be able to decrypt the same ciphertexts. This is a key issue in the design of watermarking schemes.

Our contributions. The main contribution of our work is to revisit the definitional framework for watermarking public-key cryptographic functionalities considered in our previous works [1,2] and to present a unified definitional model that covers the idea of watermarking both deterministic and probabilistic cryptographic circuits. We present the constructions for watermarking public-key encryption schemes and digital signature schemes suggested in [1,2] and provide a complete and detailed security analysis for these watermarking constructions under our new, unified definitional model. A rigorous security analysis was not previously included in [1,2].

Let us recall the watermarking approach of [1]. Motivated by the goal of providing watermarking constructions for public-key cryptographic functionalities (e.g. public-key encryption) without relying on assumptions like iO but only on standard assumptions, Baldimtsi et al. [1] approach cryptographic watermarking by making a relaxation and a refinement to the model considered in previous works (e.g. [15]). First, a small shared state is allowed between the marking and detection algorithms, which is publicly available and can potentially be maintained in a distributed ledger. Second, instead of embedding a message in a specific circuit which is given as input (as in [9,11,15]), the authority itself samples a circuit embedded with a message of the client's choice, or just a marked circuit. Specifically, the watermarking authority embeds a message in the secret-key algorithm of the functionality (e.g. the decryption algorithm) and returns it to the client together with the corresponding public-key algorithms of the functionality (e.g. the encryption algorithm). We note that this formulation is consistent with the specific definitions for 'Watermarkable Public-Key Encryption' and 'Watermarkable Signatures' previously suggested in [15], and we discuss differences with the more generalized framework of [31] in Section 3.4. We argue that the new definitional framework of [1] maintains all the practically relevant features that the previous formulations enjoyed and, moreover, can be very suitable for some real-world scenarios due to its more refined nature. An important observation that motivates our modelling is that limiting the interaction between the marking system and the recipient of the object in the above fashion is unnecessarily restrictive. In many applications of public-key cryptography, the actual details of the decryption or signing program are not relevant to its user; only its functionality is (which encompasses its correctness and security properties). For instance, in the VPN scenario we described above, the organization (i.e. the marking system) is often the one to sample a key $K_U$ for its client and provide it along with the VPN client.
A further refinement of the model of [1] is the distinction between the notions of watermarking cryptographic functionalities and watermarking cryptographic implementations. Intuitively, the former notion captures constructions for public-key cryptographic primitives that satisfy the basic properties of watermarking (i.e. detection correctness, functionality property-preserving, unremovability, unforgeability). The latter notion considers a specific cryptographic implementation as a starting point, for example the ElGamal encryption scheme, and aims to capture what it would mean to watermark it. In practice, watermarking a specific scheme which may be widely used may be more useful, and makes watermarking constructions backwards compatible compared to constructing new watermarkable schemes.
In a follow-up work [2], we observed that a common characteristic of all previous works is that the watermarking constructions concern deterministic circuits. In particular, certain families of PRFs are watermarked in [15,24,25,29], while for other primitives like PKE the decryption circuit is the one which is watermarked [1,15,29]. Even in the constructions for digital signatures in [15,29], the signing circuit is deterministic. In addition, we observed that the closeness and farness relations considered in previous works do not seem suitable for the case of probabilistic circuits, as now the output of a circuit is not a specific value but a random variable. Closeness and farness relations are crucial for defining the unremovability and unforgeability notions, respectively: when defining unremovability we have to make sure that an adversary cannot create a circuit which is 'close' to a marked circuit but is unmarked, while unforgeability requires that it should be difficult for an adversary to come up with a circuit which is 'far' from a marked circuit but remains marked. Thus, novel formulations for closeness and farness relations between probabilistic circuits were introduced in [2] that are suitable for defining watermarking security for cryptographic functionalities.
We unify the models of [1,2] by presenting a framework for watermarking public-key cryptographic functionalities and implementations where the secret-key algorithm, which is the watermarked algorithm, may be either deterministic or probabilistic. Then, we present watermarking constructions that show how to watermark any IND-CPA secure public-key encryption scheme and any EUF-CMA secure digital signature scheme that satisfies an additional property called verification soundness. Intuitively, verification soundness captures that the verification algorithm accepts exactly the outputs of the signing algorithm. Interestingly, this property has been considered before, but in a different context [40,41]. Standard digital signature schemes, such as Schnorr signatures, satisfy this property, and thus this construction is capable of yielding practical watermarked digital signatures. At a high level, the constructions exploit the notion of a PRF to create a compact 'dictionary' of marked circuits that is subsequently scanned and compared with an adversarial circuit. The proposed constructions are simple, use well-known building blocks and are proven to satisfy both unremovability and unforgeability under minimal hardness assumptions. The marking and detection algorithms share a state of logarithmic size and the detection is secret.

2 | PRELIMINARIES
Notation: We first set the notation to be used throughout the paper. By λ ∈ ℕ we denote the security parameter. The left-arrow notation x ←$ X denotes that x is chosen uniformly at random from a space X. By x ← D, we denote that x is chosen from the distribution D. The support set of the distribution D is denoted as [D]. Next, by C we denote an unmarked circuit and by C a watermarked one. By C(m; r) we denote the probabilistic circuit C run on input m and randomness r. By poly(λ) we denote a polynomial in λ. Finally, the abbreviation PPT stands for probabilistic polynomial time.

Definition 1 (EUF-CMA). A signature scheme (SigGen, Sign, Verify) is existentially unforgeable under an adaptive chosen-message attack if for any PPT adversary A it holds that:

where Q is the set of queries of A to the signing oracle $\mathrm{Sign}_{sk}(\cdot)$.
For the security analysis of our watermarking construction (Section 5.2), we require signature schemes to satisfy the property defined below which is called the verification soundness.
Definition 2 (Verification soundness). Let (SigGen, Sign, Verify) be a digital signature scheme with message space M, randomness space R and signature space S. For any pair (vk, sk) output by SigGen($1^\lambda$), we define the relation

$$R_{sk} = \{(vk, (m, \sigma)) \mid m \in M,\ \exists\, r \in R \text{ s.t. } \sigma \leftarrow \mathrm{Sign}_{sk}(m; r)\},$$

where $\mathrm{Sign}_{sk} : M \times R \to S$. We say that a digital signature scheme satisfies verification soundness if for any (vk, sk) ← SigGen($1^\lambda$) and any PPT adversary A it holds that

$$\Pr\big[(m, \sigma) \leftarrow A(vk, sk) : (vk, (m, \sigma)) \notin R_{sk} \wedge \mathrm{Verify}_{vk}(m, \sigma) = 1\big] = \mathrm{negl}(\lambda).$$

Informally, this property forces rejection of a signature that was not generated by the signing algorithm; that is, a PPT adversary given (vk, sk) cannot output (m, σ) that verifies correctly when the signature was not computed using the signing algorithm for this particular message and signing key. This stronger requirement was previously considered in the literature, for example in [40,41], and it also holds for standard signature schemes like Schnorr [42], the case of which we show in the Appendix. We note that verification soundness is incomparable to the EUF-CMA notion for a number of reasons. First, notice that in the verification soundness security game the adversary is also given the secret key as input. Furthermore, according to EUF-CMA security, the adversary wins if it outputs a valid signature pair for a message that was never queried to the signing oracle. However, it is not required that the forged message/signature pair belongs to the relation $R_{sk}$; that is, an EUF-CMA adversary could output a winning forged signature that is not a possible output of the signing algorithm for the chosen message.
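To make Definition 2 concrete, here is an added Python example (not code from the paper or its authors) using a toy Schnorr-style signature over Z_p^* with p = 2^127 − 1 and randomness space Z_{p−1}; the group and sizes are assumptions chosen for readability and give no real security. The function in_relation decides membership in R_sk by recovering the randomness from (sk, σ) and re-running Sign, and a lax verifier that omits the range check on s is contrasted with a strict one that rejects the non-canonical signature the lax verifier accepts.

```python
import hashlib
import secrets

# Toy Schnorr-style signatures over Z_p^*, p = 2^127 - 1 (a Mersenne prime), with
# exponents taken mod Q = p - 1. Illustration only: no real security is claimed.
P = (1 << 127) - 1
G = 3
Q = P - 1                  # randomness space R = Z_Q


def sig_gen():
    """SigGen: returns (vk, sk)."""
    sk = secrets.randbelow(Q - 1) + 1
    return pow(G, sk, P), sk


def challenge(R, m):
    """Fiat-Shamir challenge e = H(R || m) reduced mod Q."""
    h = hashlib.sha256(R.to_bytes(16, "big") + m).digest()
    return int.from_bytes(h, "big") % Q


def sign(sk, m, r=None):
    """Sign_sk(m; r): r is the explicit randomness (uniform in Z_Q when omitted)."""
    if r is None:
        r = secrets.randbelow(Q)
    R = pow(G, r, P)
    s = (r + challenge(R, m) * sk) % Q
    return R, s


def verify_lax(vk, m, sig):
    """Checks only the group equation g^s == R * vk^e; accepts any integer s."""
    R, s = sig
    return pow(G, s, P) == (R * pow(vk, challenge(R, m), P)) % P


def verify_strict(vk, m, sig):
    """Same equation plus a canonical-encoding check: s must lie in the signing range."""
    R, s = sig
    return 0 <= s < Q and verify_lax(vk, m, sig)


def in_relation(sk, m, sig):
    """(vk, (m, sig)) in R_sk  <=>  some r in Z_Q satisfies Sign_sk(m; r) == sig.
    Since s = r + e*sk mod Q, the only candidate randomness is r = s - e*sk mod Q,
    so a single re-run of Sign decides membership."""
    R, s = sig
    r = (s - challenge(R, m) * sk) % Q
    return sign(sk, m, r) == sig


def soundness_check(verify):
    """Plays the Definition 2 game against a constructed adversary who, holding
    (vk, sk), outputs a signature that Sign never produces: the same group element
    g^s written with the non-canonical exponent s + Q. Returns True iff the given
    verifier rejects it (i.e. is sound against this adversary)."""
    vk, sk = sig_gen()
    m = b"constructed message"          # constructed sample input
    R, s = sign(sk, m)
    forged = (R, s + Q)
    assert not in_relation(sk, m, forged)   # outside R_sk by construction
    return not verify(vk, m, forged)
```

Under verify_strict every accepted (R, s) equals Sign_sk(m; s − e·sk), which is the verification soundness property in this toy setting; verify_lax fails it.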

2.1 | Definitions for cryptographic functionalities and implementations
We now define the notions of cryptographic functionalities and implementations. The goal of the cryptographic functionality definition is to capture a cryptographic object, such as an encryption scheme or a PRF, in an abstract, ideal way, thus focusing on the properties it should satisfy. On the other hand, the notion of a cryptographic implementation is used to describe a specific scheme that satisfies the properties of the cryptographic functionality (e.g. the ElGamal encryption scheme [43] is an implementation of the public-key encryption functionality).

Definition 3 (Cryptographic functionality). A cryptographic functionality $C_F$ consisting of m algorithms is defined by a set of n properties and their corresponding probabilities $(G^{prop_i}_A, \pi_i)_{i=1}^{n}$. The first component, $G^{prop_i}_A$, is a security game, which can be seen as a Turing machine, and takes the following inputs: (1) a special input which, among possibly other values, includes the security parameter, (2) the description of a PPT algorithm called the adversary and (3) the description of a tuple of m circuits. The security game $G^{prop_i}_A$ outputs either 0 or 1. We say that an adversary 'breaks' a property or 'wins' a security game if the output of the game is 1. The second component is a value $\pi_i \in [0, 1]$, which is a fixed ideal lower bound under which the property cannot be guaranteed.
Remark 1 In Definition 3, some properties may also hold for super-polynomial or even unbounded adversaries (e.g. correctness-related properties); however, for simplicity we opt to define all properties with respect to PPT adversaries. In the text below, we will make a clear note when a property is also satisfied with respect to super-polynomial adversaries.
Example: Consider the public-key encryption functionality, which can be defined as a triple of algorithms (Gen, Enc, Dec) that should satisfy the properties of correctness and IND-CPA security. Correctness can be defined as a security game, though this is not traditionally the case, where an adversary is challenged to provide an encryption of a message M which is decrypted to a message different from M. In this case, the adversary need not be restricted to run in polynomial time. The IND-CPA security property is defined in the standard way. Corresponding to our definitions, the games receive as input the encryption/decryption algorithms for a specific key pair. Given that the definition of a cryptographic functionality describes an 'ideal' scenario, the adversary in the correctness game would always win with probability 0, while in the IND-CPA property the adversary would have a probability of success of exactly 1/2.

Definition 4 (Cryptographic implementation). Let $C_F$ be a cryptographic functionality with m algorithms and n properties $(G^{prop_i}_A, \pi_i)_{i=1}^{n}$. An implementation of the cryptographic functionality $C_F$ consists of an m-tuple of algorithms $(\mathrm{Gen}, C_1, \ldots, C_{m-1})$ such that, for every security parameter λ, each property $prop_i$ for i ∈ {1, …, n} and any corresponding PPT adversary A, it holds that $\Pr[G^{prop_i}_A(1^\lambda) = 1] = \pi_i + \mathrm{negl}(\lambda)$.

3 | WATERMARKING CRYPTOGRAPHIC FUNCTIONALITIES
In this section, we define the notion of watermarking a cryptographic functionality $C_F$. We start by providing the syntax of a watermarking scheme in Section 3.1, and we proceed by defining the properties of a watermarking scheme. Specifically, since each property will be defined by employing a security game between a challenger and an adversary, as a first step, in Section 3.2, we describe the oracles to which an adversary will be given access. Then, we present the correctness and security properties of a watermarking scheme in Sections 3.3 and 3.4, respectively.

3.1 | Syntax of a watermarking scheme
Let $C_F$ be a cryptographic functionality defined by m algorithms/circuits and n properties $(G^{prop_i}_A, \pi_i)_{i=1}^{n}$, and let $\{E_\lambda\}_{\lambda \in \mathbb{N}}$ be the space of the messages to be embedded in a circuit. The entities that are involved in a watermarking scheme are a set of clients and an entity called the 'Marking Service'.

Definition 5 (Stateful watermarking scheme). A stateful watermarking scheme for a cryptographic functionality $C_F$ consists of three probabilistic polynomial time algorithms (WGen, Mark, Detect) whose input/output behaviour is as follows:

• WGen: On input $1^\lambda$, it outputs public parameters param and a pair of keys (mk, dk), where mk is the marking key and dk is the detection key. It also initializes a public variable state which can be accessed by all parties.

• Mark: On input mk, param, a message msg ∈ $E_\lambda$ (which is sent by a client to the Marking Service) and state, it outputs a tuple of circuits $(C_1, C_2, \ldots, C_m)$ and an efficiently samplable and representable distribution D on the inputs of the circuit $C_1$.

• Detect: On input dk, param, state and a circuit $C'_1$, it outputs a message msg' or unmarked.
Notice that although the Marking Service outputs a tuple of circuits (as many as the algorithms of $C_F$), only one circuit among them is considered marked. By convention, we take this circuit to be the first circuit of the tuple returned by Mark. This definition could easily be extended to capture cases where more than one circuit is considered marked. Second, a stateless watermarking scheme can be described in the same way, either by assuming that the variable state remains constantly the empty string or by modifying Definition 5 so that state does not exist. Third, notice that a new feature of our definition of watermarking is that the Mark algorithm outputs a distribution D on the inputs of the marked circuit. As will be seen in Section 3.4, this distribution is relevant to our definitions of closeness and farness between circuits (cf. Definitions 8 and 9), as it essentially defines on which inputs we expect circuits to be similar or dissimilar.
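As an added illustration of Definition 5 and of the PRF-based 'dictionary' idea sketched in the introduction (this is not code from the paper or its authors), the following Python example instantiates (WGen, Mark, Detect) for the PKE functionality with Dec as the marked circuit $C_1$ and a sampler for D as the extra output of Mark. It assumes a toy ElGamal implementation, HMAC-SHA256 as the PRF, a counter as the shared state, an enumerable message space E and a fixed hit-rate threshold standing in for the closeness parameters; none of these choices are the paper's own construction.

```python
import hashlib
import hmac
import random
import secrets

# Toy ElGamal over Z_p^* with p = 2^127 - 1 (a Mersenne prime). Illustration only:
# these parameters are far too small to be secure.
P = (1 << 127) - 1
G = 3
# Assumed message space E: small enough for Detect to enumerate (an assumption of
# this example, not of the paper).
MESSAGE_SPACE = ("alice", "bob", "carol")


def keygen(rng):
    """ElGamal Gen driven by an explicit PRNG, so a key pair can be re-derived."""
    x = rng.randrange(1, P - 1)
    return pow(G, x, P), x                      # (pk, sk)


def encrypt(pk, m):
    r = secrets.randbelow(P - 2) + 1
    return pow(G, r, P), (m * pow(pk, r, P)) % P


def decrypt(sk, ct):
    c1, c2 = ct
    return (c2 * pow(c1, P - 1 - sk, P)) % P    # c1^(-sk) via Fermat's little theorem


def derive_keypair(prf_key, index, msg):
    """Implicit dictionary entry: (index, msg) -> key pair, with HMAC-SHA256 as PRF.
    Nothing per client is stored; the counter plus the key re-derives every entry."""
    seed = hmac.new(prf_key, f"{index}|{msg}".encode(), hashlib.sha256).digest()
    return keygen(random.Random(seed))


def wgen():
    """WGen: marking key mk, detection key dk (secret detection, so dk = mk),
    and the public state, here just a counter."""
    mk = secrets.token_bytes(32)
    return {"mk": mk, "dk": mk, "state": 0}


def mark(ws, msg):
    """Mark: returns (C_1, C_2, D) = (Dec_sk, Enc_pk, sampler for D).
    Only C_1 is marked; the state advances by one per call."""
    ws["state"] += 1
    pk, sk = derive_keypair(ws["mk"], ws["state"], msg)
    dec_circuit = lambda ct: decrypt(sk, ct)
    enc_circuit = lambda m: encrypt(pk, m)
    sample_input = lambda: encrypt(pk, secrets.randbelow(P - 1) + 1)  # D: fresh ciphertexts
    return dec_circuit, enc_circuit, sample_input


def detect(ws, circuit, trials=40, threshold=0.4):
    """Detect: scan every dictionary entry reachable from the counter and test the
    candidate circuit on inputs drawn from that entry's distribution D. An entry
    whose ciphertexts the candidate decrypts at least `threshold` of the time is
    reported; otherwise the candidate is unmarked."""
    for index in range(1, ws["state"] + 1):
        for msg in MESSAGE_SPACE:
            pk, _sk = derive_keypair(ws["dk"], index, msg)
            hits = 0
            for _ in range(trials):
                m = secrets.randbelow(P - 1) + 1
                try:
                    hits += int(circuit(encrypt(pk, m)) == m)
                except Exception:        # a crashing candidate simply scores no hit
                    pass
            if hits / trials >= threshold:
                return msg
    return "unmarked"


def demo():
    """Constructed scenario: two honestly marked circuits, a degraded copy of the
    first that still decrypts about 80% of ciphertexts (close to it in the sense of
    D), and an unrelated circuit holding a fresh key."""
    ws = wgen()
    dec_alice, _, _ = mark(ws, "alice")
    dec_bob, _, _ = mark(ws, "bob")

    def degraded(ct):                     # lossy but still 'close' to dec_alice
        return dec_alice(ct) if secrets.randbelow(10) < 8 else 0

    _, fresh_sk = keygen(random.Random(secrets.token_bytes(16)))
    fresh = lambda ct: decrypt(fresh_sk, ct)
    return detect(ws, dec_alice), detect(ws, dec_bob), detect(ws, degraded), detect(ws, fresh)


if __name__ == "__main__":
    print(demo())   # expected: ('alice', 'bob', 'alice', 'unmarked')
```

The state never exceeds a counter, which is the logarithmic-size shared state mentioned in the introduction, while detection requires dk and is therefore secret.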

3.2 | Oracles
For our properties, we define the Challenge, Detect and Corrupt oracles in Figure 1. The Challenge oracle, on input msg, calls the Mark algorithm and returns the tuple of circuits output by Mark without its first circuit, that is, without the marked circuit. The tuple is returned to the adversary along with an index i that shows how many times Mark has been invoked so far. The Corrupt oracle, given a specific index i as input, outputs the whole tuple of circuits generated by the Mark algorithm for the index i (including the first circuit), and works only for values of i that were previously returned by the Challenge oracle. Finally, the Detect oracle, given a circuit as input, simply runs the Detect algorithm on it. Note that all oracles have access to the public variable state; however, state can only be modified by the challenger each time Mark is invoked.
Remark 2 Notice that for marked (but not corrupted) tuples the adversary does not have access to the marked circuit $C_1$. This might be restrictive for certain schemes and properties. Consider, for instance, the case of CCA security for a public-key encryption scheme. Then the marked algorithm would be the decryption one. Although the adversary should not receive $\mathrm{Dec}_{sk}$, he should still be able to query it on ciphertexts of his choice. Thus, we could define one more oracle, named QueryOracle, that would take as input an index i and an input x and would return the output on x of the i-th watermarked circuit produced by ChallengeOracle.

3.3 | Correctness properties
The correctness properties of a watermarking scheme are detection correctness and functionality property preserving.
At a high level, detection correctness states that if a circuit is marked with a message msg by running Mark algorithm, then if Detect is invoked on input that circuit, it will return msg with overwhelming probability. Our definition guarantees that any update of the state, after each execution of Mark, does not affect the output of Detect for previously marked circuits.
Definition 6 (Detection correctness). We say that a watermarking scheme satisfies detection correctness if for any PPT adversary A it holds that $\Pr[G^{det\text{-}corr}_A(1^\lambda) = 1] = \mathrm{negl}(\lambda)$, where the corresponding game is defined in Figure 2.
The functionality property-preserving notion captures the natural requirement that a watermarking scheme for a cryptographic functionality should primarily preserve the fundamental properties of the functionality. For example, a watermarking scheme for the PKE functionality should first and foremost be correct and IND-CPA secure. We formalize this notion by defining, for each property $(G^{prop_i}_A, \pi_i)$, the game of Figure 3. In the game of Figure 3, the adversary is allowed to issue a number of queries to the Challenge, Corrupt and Detect oracles and then chooses for which tuple generated by the Challenge oracle he will run the game $G^{prop_i}_A$. One could define functionality property-preserving with respect to specific parameters, as upper bounds on the number of queries that can be issued to the Challenge, Corrupt and Detect oracles. However, we omit referring to such parameters in Definition 7 to simplify the presentation. The same holds for the definitions of detection correctness, unremovability and unforgeability (i.e. Definitions 6, 10 and 11).
Remark 4 The notion of functionality-preserving has been defined in the literature, but with a different meaning than in our setting. In [11], it was used to capture that for any input x the outputs of the unmarked circuit and of the corresponding marked circuit should remain the same. The notion was also used in a similar way in [17].

3.4 | Security properties
The security properties of a watermarking scheme, called unremovability and unforgeability, can be intuitively described as follows. Unremovability requires that one should not be able to create a circuit which is 'close' to a marked circuit but is unmarked. On the other hand, unforgeability puts forth that it should be difficult to come up with a circuit which is 'far' from a marked circuit but remains marked. In other words, unforgeability essentially requires that an adversary should not be able to produce marked circuits on its own without having access to the marking key. These properties will be captured by the unremovability and unforgeability security games. Informally speaking, in both games, as a first step, an adversary A is allowed to obtain a number of marked circuits by making queries to the CorruptOracle. Then, in the unremovability game, A tries to remove a mark while keeping its circuit close to a marked circuit, whereas in the unforgeability game A attempts to produce a circuit C* that remains marked while it 'diverges' from a marked circuit. It becomes clear that a crucial step towards formally defining unremovability and unforgeability is to define proximity relations between circuits. Below, we define 'closeness' and 'farness' relations, which are coupled with the unremovability and unforgeability notions, respectively.
Relations between circuits: For our definitions, we consider probabilistic circuits where the coins of a circuit C are chosen uniformly at random from a space R. Deterministic circuits can be captured by setting R to be a singleton. As a convention, in the case of deterministic circuits we set R = {ε}, where ε is the empty string. For a circuit C, by C(x; r) we denote the output of C on input x with randomness r ∈ R, while by Out{C(x)} we denote the output space of C for the input x, that is, $\mathrm{Out}\{C(x)\} = \{C(x; r)\}_{r \in R}$. Thus, an element y belongs to Out{C(x)}, that is y ∈ Out{C(x)}, if there is $r' \in R$ such that y = C(x; r').
Definition 8 ((ρ, δ)-closeness). Let C_1, C_2 be two probabilistic circuits with input space X and randomness spaces R_1 and R_2. We will say that a circuit C_1 is (ρ, δ)-close to a circuit C_2 with respect to a distribution D, and we will denote it as C_1 ∼_{(ρ,δ),D} C_2, if

Definition 9 ((γ, τ)-farness). Let C_1, C_2 be two probabilistic circuits with input space X and randomness spaces R_1 and R_2. We will say that a circuit C_1 is (γ, τ)-far from a circuit C_2 with respect to a distribution D, and we will denote it as C_1 ≁_{(γ,τ),D} C_2, if

Observe that Definitions 8 and 9 examine how a circuit approximates or diverges from another circuit that can be seen as a reference point (e.g. a marked circuit C), which is consistent with the way unremovability and unforgeability will be defined. We demonstrate the plausibility of Definitions 8 and 9 by providing an example.
Example: Consider a digital signature scheme (SigGen, Sign, Verify) where the signing algorithm is probabilistic with randomness space R. Let Sign_sk be the signing algorithm, and let C* be an adversarially created circuit that works as follows: for a large fraction of inputs x in the message space, C* returns the same output as Sign_sk(x) only with small probability, but C* always returns an output in the image of Sign_sk(x). Intuitively, one would expect that, for a carefully chosen parameter, C* would not be 'close' to Sign_sk. On the other hand, for a large fraction of messages x in the message space, since the signatures returned by C* belong to the image of Sign_sk(x), they are valid signatures for x. Based on that, in our view, C* should be considered 'close' to Sign_sk(x). Definition 8 captures that scenario, as for certain parameters ρ, δ it may require that there is a non-negligible fraction of messages s.t. for each of those messages, denoted as x, there is a non-negligible fraction of randomness values s.t. the output of the circuit on input of the message and the randomness value belongs to the image of Sign_sk(x).
Proposition 1 defines conditions under which a circuit C* cannot be both close to and far from a circuit C at the same time.
Proof: Assume that C_1 is (γ, τ)-far from C_2 and γ > 1 − ρ. Then

Our approach is to provide a combined/unified definitional framework that simultaneously captures both public-key encryption and signatures. In addition, in [31] the unremovability definition applies to so-called 'useful' circuits. A 'useful' signing circuit w.r.t. a specific verification key is one which outputs a valid signature for a non-negligible fraction of messages, while a 'useful' decryption circuit w.r.t. a specific public key is one that correctly decrypts a non-negligible fraction of ciphertexts encrypted under this public key. Then, unremovability requires that an adversary output a 'useful' circuit which is at the same time unmarked or marked with a different original message, rather than requiring that the adversarial circuit agree with a decryption/signing circuit on a fraction of inputs (cf. [15]).
Notice that our model captures the notion of a 'useful' circuit in a different way, by defining the closeness and farness relations w.r.t. a distribution D which defines the inputs on which we aim to compare two circuits. As will become clear in our construction in Section 5.1, for the case of PKE our notions coincide, as the distribution D refers to valid ciphertexts under a specific public key.
[Figure 4: The (ρ, δ)-unremovability game]

[Figure 5: The (γ, τ)-unforgeability game]

Remark 6 In the literature (e.g. [9,11,15,18]), meaningfulness was considered to be a core security property of a watermarking scheme, and it requires that the vast majority of circuits be unmarked. As observed in [17] though, meaningfulness is implied by unforgeability: if an adversary can sample a circuit that is marked with good probability, then it can directly forge a circuit without making any oracle queries.

| WATERMARKING CRYPTOGRAPHIC IMPLEMENTATIONS
A watermarking scheme for a cryptographic functionality as defined in Section 3 refers essentially to a scheme that satisfies the correctness and security properties defined in Sections 3.3 and 3.4. Such a watermarking scheme can potentially be created from scratch, without necessarily having a specific implementation as a starting point. Thus, the notion of watermarking a cryptographic implementation aims to define what it would mean to watermark a specific implementation (e.g. the ElGamal encryption scheme).
Consider a scheme (Gen, C_1, …, C_{m−1}) that implements a functionality C_F defined by m algorithms and n properties (G. First, we note that a watermarking scheme (WGen, Mark, Detect) for (Gen, C_1, …, C_{m−1}) maintains the syntax of Section 3.1. Second, the definitions of the properties of detection correctness, (ρ, δ)-unremovability and (γ, τ)-unforgeability remain the same. What differentiates the notion of 'watermarking a cryptographic implementation' from the notion of 'watermarking a cryptographic functionality' is only the implementation property-preserving notion. Implementation property-preserving not only requires that the watermarking scheme preserves the properties of the functionality, but also that it preserves the properties of the initial scheme except with some small error. Intuitively, by this notion we aim to capture that if there is a PPT adversary which breaks a property of a watermarked implementation, then there will be a PPT adversary which breaks the corresponding property of the initial, non-watermarked implementation. For example, if an adversary manages to break the IND-CPA security of a watermarked ElGamal encryption scheme, then it will break the IND-CPA security of the original ElGamal encryption scheme.
Definition 12 captures the implementation property-preserving notion formally. Since the syntax of a watermarking scheme for cryptographic implementations remains the same as in the case of the functionality, the game G^{wm-prop_j}_S(1^λ) refers to the security game described in Figure 3. The game G^{prop_j}_A(1^λ) refers to the j-th property of the functionality.

Definition 12 (Implementation property-preserving). A watermarking scheme is implementation property-preserving with error ɛ for a cryptographic implementation (Gen, C_1, …, C_{m−1}) if for any property (G^{prop_i}_A, π_j) it holds that: For any PPT adversary S there is a PPT adversary A such that |Pr[G

| WATERMARKING PUBLIC KEY ENCRYPTION AND DIGITAL SIGNATURE IMPLEMENTATIONS
We now present two watermarking constructions, one for public-key encryption and one for digital signature schemes. Our constructions share the same idea and can be viewed as compilers which take as input an existing public-key encryption scheme (or digital signature scheme) and convert it into a watermarked public-key encryption scheme (or digital signature scheme). Our constructions support private-key detection and embed one-bit messages into the decryption/signing circuits, in the sense that the circuits are either marked or unmarked. Before proceeding to a formal description of our constructions, we first provide some intuition by referring to a simpler construction, which supports public-key detection and has a state of size linear in the number of keys generated by the marking service.
Public-key detection via linear-size state versus secret-key detection via logarithmic-size state: Consider a PKE scheme (Gen, Enc, Dec). Given that the shared state can be represented as a public table, a watermarked PKE scheme could work as follows: For any marking request, Mark generates a fresh pair of keys (pk, sk) using Gen, that is the key generation algorithm of the public-key encryption scheme that is being watermarked. Then, it stores the generated public key pk in the state table and returns (Enc_pk, Dec_sk) to the client. Thus, state holds all the public keys generated by Mark up to a certain point in time. Now, how does Detect work given access to the state table? When Detect receives as input a (decryption) circuit C, it checks, for every public key stored in the public table state, whether the circuit correctly decrypts a number of ciphertexts above a certain threshold. Determining the number of ciphertexts to check against this threshold is not trivial and depends on the parameters of the properties of the scheme.
Such a construction could be proven to be a secure watermarking scheme for public-key encryption; however, the use of a state that grows linearly in the number of markings is not very appealing in practice, especially for implementations where the public keys are large. Furthermore, such a construction could be extended to a message-embedding construction, where the message selected by the user is stored in the public table together with the public key. Such a construction would also grow linearly in the size of the message. A similar construction could be used for digital signatures, where the generated verification keys are stored in the state table.
In that case, roughly speaking, when Detect is given as input a (signing) circuit C, it will check whether there is a verification key in the state table that can verify a certain number of signatures generated by C.
We overcome the problem of linear-size state by focusing on watermarking schemes with private-key detection. In Sections 5.1 and 5.2, we suggest watermarking schemes where the state is of logarithmic size (in the number of marked circuits) and private-key detection is supported, with the same key being used by the Mark and Detect algorithms.
Overview of our constructions: In our constructions, the WGen algorithm chooses uniformly at random a key K for a pseudorandom function F. The key K is used both as a marking and a detection key and is kept private by the Marking Service. This algorithm also initializes a public variable state as empty. For the case of a PKE scheme (Gen, Enc, Dec), whenever Mark is run, it sets state = state + 1 and computes a public-secret key pair (pk, sk) by running Gen(1^λ) with randomness F(K, state + 1). Then, it returns (Enc_pk, Dec_sk) to the client. Observe that the state is essentially a counter of the marked circuits issued by Mark. The Detect algorithm identifies whether a decryption circuit C is marked or not by re-generating the public-secret key pairs using the PRF F(K, i), for i ≤ state. For each produced pk_i, it chooses uniformly at random a number of plaintexts, encrypts them under pk_i and checks whether C decrypts a certain fraction of them correctly. If this holds for at least one public key, Detect returns marked, otherwise it returns unmarked. Along the same lines, for a digital signature scheme (SigGen, Sign, Verify), Mark computes a verification-signing key pair (vk, sk) by running SigGen(1^λ) with randomness F(K, state + 1), and Detect proceeds in a similar way. Although the watermarking constructions for PKE schemes and digital signature schemes are very similar, the security analysis for those constructions has some significant differences. First, our security analysis for watermarking PKE schemes as described above holds for any PKE scheme that is correct and IND-CPA secure. On the contrary, the original properties of digital signature schemes do not suffice for proving the security properties of our watermarking scheme. In particular, the underlying digital signature scheme should satisfy a property called verification soundness, which is described in Section 2.
This property is satisfied by standard signature schemes such as Schnorr's scheme and RSA signatures. In the Appendix, we prove that Schnorr's signature scheme satisfies verification soundness.
The constructions and the security analysis are presented in full detail in Sections 5.1 and 5.2.
A note about state: Note that the state information in our construction is public and it should be immutable for the system to work in practice. A potential solution for storing the state would be by using a public bulletin board or a blockchain system. For example, every time the state is updated, the marking service signs it and posts a new transaction in the blockchain with the new state and the signature. Even though storing information in the blockchain is an expensive operation, our scheme, with its logarithmic size state, is suitable for a blockchain deployment. We leave a detailed analysis under a formal blockchain security model for future work.
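The counter-and-PRF construction described above, written out as an added, self-contained Python example. This is illustration code, not the paper's Figure 6 nor any project's implementation, and it makes the following assumptions: the PRF F is instantiated with HMAC-SHA256; the PKE (Gen, Enc, Dec) is textbook ElGamal over a constructed 10-bit group (readable, and far too small for real use); and the i-th key pair is derived from F(K, i) with i the counter value after the increment. Detect re-derives each public key from the counter alone, samples λ/ρ³ random plaintexts, encrypts them and reports marked if at least λ/2ρ of them decrypt correctly.

```python
import hashlib
import hmac
import random

# Toy ElGamal group, constructed for this example and far too small for real use:
# p = 2q + 1 with q prime; g = 4 generates the order-q subgroup of quadratic
# residues, which also serves as the plaintext space M.
P, Q, G = 1019, 509, 4


def prf(key: bytes, counter: int) -> bytes:
    """F(K, i), instantiated here with HMAC-SHA256 (an assumption of this example)."""
    return hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()


def gen(random_tape: bytes):
    """Gen(1^lambda) run on an explicit random tape: sk in [1, q-1], pk = g^sk."""
    sk = 1 + int.from_bytes(random_tape, "big") % (Q - 1)
    return pow(G, sk, P), sk


def enc(pk: int, m: int, rng: random.Random):
    """Enc_pk(m): textbook ElGamal ciphertext (g^r, m * pk^r)."""
    r = rng.randrange(1, Q)
    return pow(G, r, P), (m * pow(pk, r, P)) % P


def dec(sk: int, c) -> int:
    """Dec_sk(c1, c2) = c2 * (c1^sk)^-1."""
    c1, c2 = c
    return (c2 * pow(pow(c1, sk, P), -1, P)) % P


def random_plaintext(rng: random.Random) -> int:
    """Uniform element of M; encrypting it under pk_i samples the distribution D_i."""
    return pow(rng.randrange(1, Q + 1), 2, P)


class MarkingService:
    """WGen picks K; Mark and Detect share K, and the only state is a public counter."""

    def __init__(self, key: bytes):
        self.key = key    # marking/detection key K, kept private by the service
        self.state = 0    # number of circuits marked so far (public, must stay immutable)

    def mark(self):
        """Increment the counter and hand out (pk, Dec_sk) derived from F(K, state)."""
        self.state += 1
        pk, sk = gen(prf(self.key, self.state))
        return pk, (lambda c, _sk=sk: dec(_sk, c))

    def detect(self, circuit, lam: int = 16, rho: float = 0.5, seed=None) -> bool:
        """Marked iff, for some re-derived pk_i, the circuit decrypts at least
        lambda/2rho of lambda/rho^3 fresh test ciphertexts correctly."""
        rng = random.Random(seed)
        samples = int(lam / rho ** 3)   # lambda/rho^3 ciphertexts per candidate key
        threshold = lam / (2 * rho)     # lambda/2rho correct decryptions required
        for i in range(1, self.state + 1):
            pk_i, _ = gen(prf(self.key, i))   # regenerated from K and i, never stored
            correct = 0
            for _ in range(samples):
                m = random_plaintext(rng)
                if circuit(enc(pk_i, m, rng)) == m:
                    correct += 1
            if correct >= threshold:
                return True
        return False


if __name__ == "__main__":
    svc = MarkingService(b"constructed-example-marking-key")
    _, marked_dec = svc.mark()
    print("marked circuit detected:", svc.detect(marked_dec))
    print("useless circuit detected:", svc.detect(lambda c: c[1]))
```

Two points the code makes concrete: the service stores no keys at all, since every pk_i is recomputed from (K, i), which is why the state is just a counter; and Detect only ever sees the candidate circuit as a black box, so a circuit that decrypts correctly on only half of the ciphertexts (a 'close' circuit in the sense of Definition 8) still clears the λ/2ρ threshold, while a circuit that never decrypts correctly is rejected.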

| A watermarking scheme for implementations of PKE
In Figure 6, we present a watermarking scheme (WGen, Mark, Detect) for a PKE scheme (Gen, Enc, Dec). We prove that the scheme of Figure 6 satisfies the properties of a watermarking scheme as defined in Sections 3.3 and 3.4 by proving Theorem 1. We note that in our analysis, we consider the key-generation algorithms which create their random tape by choosing keys uniformly at random. This aligns with the key generation algorithms of all the well-known encryption schemes.

Theorem 1 Let (Gen, Enc, Dec) be an implementation of the public-key encryption functionality that has plaintext space M of exponential size (in the security parameter) and satisfies perfect correctness and IND-CPA security. Let F : K × {0,1}^n → {0,1}^ℓ be a PRF, where K is the key space. Then, the scheme in Figure 6 is a watermarking scheme for the implementation (Gen, Enc, Dec). Namely, it satisfies detection correctness, implementation property-preserving, (ρ, δ)-unremovability and (γ, τ)-unforgeability, where ɛ_prf is the security of the PRF, ρ = δ = 1/poly(λ),

We prove Theorem 1 by proving separately each property of a watermarking scheme in Lemmas 1, 2, 3 and 5. We note that although we assume that (Gen, Enc, Dec) is perfectly correct, our proofs can also be extended to implementations which have a negligible decryption error.

Lemma 1 (Implementation property-preserving). If the public-key encryption scheme (Gen, Enc, Dec) satisfies IND-CPA security, perfect correctness, and F : K × {0,1}^n → {0,1}^ℓ is a PRF, then the watermarking scheme of Figure 6 is implementation property-preserving with negligible error according to Definition 12.

Proof: We prove that the watermarking scheme of (1^λ) (for a fixed S). Then we define G_1 by substituting any call to the PRF F with key K used to generate tuples (Dec_{sk_i}, Enc_{pk_i}) by a call to a random function f : {0,1}^n → {0,1}^ℓ. Owing to the security of the PRF F, we have |Pr[G_0 = 1] − Pr[G_1 = 1]| ≤ negl(λ). If this did not hold, then a PRF distinguisher that makes oracle queries and runs Gen with the output of each oracle query as randomness could distinguish between a PRF and a random function with non-negligible probability.

We now denote G_2 = G^{IND-CPA}_A(1^λ) and we will show that |Pr[G_1 = 1] − Pr[G_2 = 1]| ≤ negl(λ). By assumption, (Gen, Enc, Dec) is IND-CPA secure and thus, for any PPT adversary A, Pr[G_2 = 1] ≤ 1/2 + negl(λ). We will show that Pr[G_1 = 1] ≤ 1/2 + negl(λ) as well. Assume that there is a PPT adversary A breaking G_1 with non-negligible advantage α; then we can construct A' breaking G_2 with probability at least 1/2 + α/n, where n is the number of public keys obtained through oracle queries. A', upon receiving a public key pk from the IND-CPA Challenger of G_2, simulates G_1 by responding honestly to the queries of A and plugging pk into one of the n queries, guessing the 'attacked query position' of A at random.
Proof of Claim 1.2: By assumption, we have that Pr[G^{COR}_A(1^λ) = 1] = 0. If we replace Gen with an algorithm Gen' whose output space is a subset of the output space of Gen, then correctness is preserved with no error. This holds for the Gen' of the watermarking scheme. Hence, Pr[G^{wm-COR}_S(1^λ) = 1] = 0. (End of Claim 1.2) ⊣

Lemma 2 (Detection correctness). The watermarking scheme of Figure 6 satisfies detection correctness under the assumption that the underlying encryption scheme (Gen, Enc, Dec) satisfies perfect correctness.
Proof: Notice that the Detect algorithm of the scheme of Figure 6 reconstructs, one by one, exactly the same circuits already produced by the Mark algorithm. By Lemma 1, our watermarking scheme preserves the perfect correctness of the scheme (Gen, Enc, Dec) with no error. Therefore, there is at least one marked circuit C_j, for j ≤ state, which correctly decrypts all the λ/(ρ²δ) ciphertexts generated by Detect using pk_j. This means that Detect returns marked.

Lemma 3 ((ρ, δ)-unremovability). The scheme of Figure 6 satisfies (ρ, δ)-unremovability, where ρ = δ = 1/poly(λ), under the assumption that the underlying public-key encryption scheme (Gen, Enc, Dec) satisfies perfect correctness.
Proof: We prove this lemma using counting arguments independent of the adversary's strategy. Specifically, we first fix (i, (Dec_{sk_i}, Enc_{pk_i}), D_i) ∈ Marked and assume that C* ∼_{(ρ,δ),D_i} Dec_{sk_i}. Then, we prove that if this holds, Detect returns unmarked only with negligible probability. Let R be the randomness space of the adversarial circuit C*. We define the random variable X_{i,j} as follows:
where (c, r) ∈ [D_i] × R. It holds that
By the assumption regarding C* and Definition 8, we have
We consider the set Good = {c ∈ [D_i] s.t. Pr_{r ←$ R}[C*(c, r) = Dec_{sk_i}(c)] ≥ δ}. Given the above set, by Equation (2), we have
Then, we define the random variable X_i = Σ_{j=1}^{λ/ρ³} X_{i,j}, where the random variables X_{i,j} for j = 1, …, λ/ρ³ are independent. Thus, we have
By Lemma 1, the watermarking scheme preserves the perfect correctness of the encryption scheme (Gen, Enc, Dec) without introducing any decryption error. This means that the random variable X_i counts the number of ciphertexts from D_i (out of k = λ/ρ³) which are correctly decrypted by C*. We will compute an upper bound on Pr[X_i < λ/2ρ] using the following Chernoff bound:
First, by Equation (5), we have that Pr[X_i < λ/2ρ] ≤ Pr[X_i ≤ λ/2ρ] ≤ Pr[X_i ≤ μ/2]. If we set ɛ = 1/2 in Equation (6), we have that
which is negligible in λ. Thus, Pr[X_i ≥ λ/2ρ] ≥ 1 − negl(λ), meaning that C* correctly decrypts at least λ/2ρ out of λ/ρ³ ciphertexts except with negligible probability. Therefore, Detect returns marked except with negligible probability.
To simplify the presentation of our proof of (γ, τ)-unforgeability, we first prove an intermediate lemma, Lemma 4.

Lemma 4 Let (Gen, Enc, Dec) be a public-key encryption scheme that satisfies perfect correctness and IND-CPA security. Let Dec_{sk_i} be a decryption circuit where (pk_i, sk_i) ← Gen(1^λ), and let D_i be the distribution of ciphertexts that correspond to plaintexts chosen uniformly at random from the plaintext space M and encrypted under pk_i. Assume a circuit C* such that C* ≁_{(γ,τ),D_i} Dec_{sk_i}, where γ ≥ 1 − ρδ/3 + τ and τ < ρδ/3, with ρ = δ = 1/poly(λ). Then, C* correctly decrypts at least λ/2ρ out of λ/ρ³ ciphertexts chosen from D_i only with negligible probability.
Proof: Let R be the randomness space of C*. Similarly to the proof of Lemma 3, we define the random variable
where (c, r) ∈ [D_i] × R. It holds that
By the assumption regarding C* and Definition 9, we have that
We consider the set
Given the above set, by Equation (9), we have
Then we define the random variable
Since γ ≥ 1 − ρ²/3 + τ for τ < ρ²/3, we have that μ ≤ λ/3ρ. We utilize the following Chernoff bound
If we set ɛ = 1/2, we have that Pr[X_i ≥ λ/2ρ] ≤ e^{−λ/30ρ}, which is negligible in λ.
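As an added worked step, not part of the original paper, here is how the tail bound e^{−λ/30ρ} above is obtained. It assumes the multiplicative Chernoff bound in the form Pr[X ≥ (1+ε)μ] ≤ exp(−ε²μ/(2+ε)) for a sum X of independent 0/1 random variables with mean μ and ε ∈ (0, 1], and it evaluates the bound at the largest admissible mean μ = λ/3ρ (raising the success probability of any X_{i,j} can only increase Pr[X_i ≥ λ/2ρ], so this is the worst case).

```latex
X_i = \sum_{j=1}^{\lambda/\rho^{3}} X_{i,j}, \qquad
\mu = \mathbb{E}[X_i] \le \frac{\lambda}{3\rho}.

\text{With } \varepsilon = \tfrac{1}{2}: \qquad
(1+\varepsilon)\,\mu = \frac{3}{2}\cdot\frac{\lambda}{3\rho} = \frac{\lambda}{2\rho},

\Pr\!\left[X_i \ge \frac{\lambda}{2\rho}\right]
\;\le\; \exp\!\left(-\frac{\varepsilon^{2}\mu}{2+\varepsilon}\right)
\;=\; \exp\!\left(-\frac{(1/4)\,\mu}{5/2}\right)
\;=\; \exp\!\left(-\frac{\mu}{10}\right)
\;=\; e^{-\lambda/30\rho}.
```

The constant 30 therefore comes from the factor 10 = (2+ε)/ε² at ε = 1/2 multiplied by the 3 in μ = λ/3ρ; the same calculation with the lower-tail form Pr[X ≤ (1−ε)μ] ≤ exp(−ε²μ/2) is what Lemma 3 uses for the opposite direction.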

Lemma 5 ((γ, τ)-unforgeability). If the function F : K × {0,1}^n → {0,1}^ℓ is a PRF and the public-key encryption scheme (Gen, Enc, Dec) satisfies IND-CPA security and perfect correctness, then the scheme of Figure 6 satisfies (γ, τ)

Proof: Let A be a PPT adversary which breaks the (γ, τ)-unforgeability property of the watermarking scheme of Figure 6 with non-negligible probability α. We will construct a PPT adversary B which breaks the IND-CPA security for multiple messages of the underlying encryption scheme (Gen, Enc, Dec) with non-negligible probability β. The algorithm B runs A by playing the role of the Challenger in the (γ, τ)-unforgeability game and takes advantage of A's output C* to break IND-CPA security. By the security of the PRF F, for K ←$ K, B can simulate any query to the ChallengeOracle by running Gen(1^λ) with randomness chosen uniformly at random from {0,1}^ℓ, instead of calling F(K, i) for an index i. The reduction is described in detail in Figure 7. Without loss of generality, we assume that A makes m_1 queries to the ChallengeOracle, m_2 queries to the CorruptOracle and m_3 queries to the DetectOracle.
Remark 7 Notice that in step 5 of the reduction of Figure 7 there is some probability that messages in the same position of the two tuples are equal, that is M_{0,i} = M_{1,i}. In that case the reduction would fail. However, the probability of this event is very small since the plaintext space has exponential size. For simplicity, we ignore this event in the probability analysis below, assuming that all probabilities are also conditioned on the event that the reduction does not fail.
In order to compute the probability that B wins, we have to compute the probabilities Pr[B wins | A wins] and Pr[B wins | ¬A wins]. We start with the case where A wins. If A wins, by the winning conditions of the (γ, τ)-unforgeability game of Figure 5, this means that (a) for all Dec_{sk_j} ∈ Corrupted, it holds that C* ≁_{(γ,τ)} Dec_{sk_j}, and (b) Detect returns marked. In our construction (Figure 6), 'Detect returns marked' translates to the following: there is (at least one) Dec_{sk_{j*}} ∈ Marked, where j* ∈ {1, …, m_1}, such that C* correctly decrypts at least λ/2ρ out of λ/ρ³ ciphertexts generated under the public key pk_{j*}, as described by the Detect algorithm in Figure 6.
First, by Lemma 4, we infer that Dec_{sk_{j*}} ∉ Corrupted, except with negligible probability. This means that we rule out all decryption functions returned by the CorruptOracle upon request. Therefore, if we denote by E_cor the event that Dec_{sk_{j*}} ∈ Corrupted, by Lemma 4 we have that Pr[E_cor | A wins] = negl(λ). Thus, Pr[B wins | A wins] = Pr[B wins ∧ ¬E_cor | A wins] + negl(λ). Given that Dec_{sk_{j*}} ∈ Marked \ Corrupted, we distinguish between two cases. First, B selects j* at Step 2 of the reduction such that the above condition holds. We denote this event as Guess and we have that Pr[Guess] ≥ 1/m_1. In this case, B will win because pk_{j*} is the key given to B by the IND-CPA Challenger. In other words, since the ciphertexts of the challenged tuple (c_{b,1}, …, c_{b,λ/ρ³}) are generated under the key pk_{j*}, C* correctly decrypts λ/2ρ out of λ/ρ³ of them and therefore B will correctly guess the bit b at the end of the game. Based on that, and given that Pr[¬E_cor | A wins] = 1 − negl(λ), Pr[B wins ∧ ¬E_cor ∧ Guess | A wins] = (1 − negl(λ)) Pr[Guess]. Second, B selects j* such that the above condition does not hold. We have that Pr[¬Guess] ≤ 1 − 1/m_1. When A wins, it produces a 'forgery', but for a decryption function which is already known to B. The question here is whether in such a case B could benefit in guessing the correct bit at the end or not. Therefore, we should analyze how C* behaves on input the tuple of ciphertexts (c_{b,1}, …, c_{b,λ/ρ³}) returned by the Challenger. There are two possible cases:
- C* decrypts at least λ/ρ³ − λ/2ρ ciphertexts of the tuple (which are encrypted under pk_{j*}) to messages completely irrelevant to the corresponding plaintexts of both tuples challenged in step 5 (i.e. C*(c_{b,i}) ≠ M_{0,i} and C*(c_{b,i}) ≠ M_{1,i}). Then B outputs a random bit and wins with probability 1/2.
- C* decrypts at least λ/2ρ out of λ/ρ³ ciphertexts to the corresponding plaintexts of the opposite tuple (the one not selected by the Challenger).
To make this clearer, assume that the Challenger chooses b = 0, and therefore encrypts the plaintexts (M_{0,1}, …, M_{0,λ/ρ³}) under pk_{j*}. In this case, C* decrypts c_{0,j} to M_{1,j} (for at least λ/2ρ values of j). We stress that this scenario happens only with negligible probability because the plaintexts in the two tuples are chosen uniformly at random from a plaintext space M of exponential size.

[Figure 7: Unforgeability to IND-CPA reduction]
To sum up, in the case where B does not correctly guess j*, B wins with probability 1/2. Thus, Pr[B wins ∧ ¬E_cor ∧ ¬Guess | A wins] = (1 − negl(λ)) Pr[¬Guess]. Based on the winning probabilities above, we have that Pr[B wins | A wins] ≥ 1/2 + 1/(2m_1) − negl(λ). We now move to the case where A does not win the (γ, τ)-unforgeability game. One possible case is that A makes a CorruptOracle query for the index i*. Since B cannot provide the corresponding secret key, it aborts by returning a random bit. Supposing that B does not abort, two possible scenarios can take place in the (γ, τ)-unforgeability game: (1) either Detect returns unmarked, or (2) there is a decryption function Dec_{sk_i} ∈ Corrupted such that C* is not (γ, τ)-far from Dec_{sk_i}. In the former case, B outputs a random bit. The latter case (2) splits into two subcases: (2a) there is Dec_{sk_i} such that C* is not (γ, τ)-far from Dec_{sk_i} and Detect returns unmarked, and (2b) there is Dec_{sk_i} such that C* is not (γ, τ)-far from Dec_{sk_i} and Detect returns marked. In case (2a), B outputs a random bit. In case (2b), we should examine how C* behaves on input the tuple of ciphertexts (c_{b,1}, …, c_{b,λ/ρ³}) given by the Challenger. Using an analysis similar to the case where A wins and ¬Guess holds, described in the previous paragraph, in case (2b) B wins with probability at least 1/2. By the arguments above, we have Pr[B wins | ¬A wins] ≥ 1/2. We conclude that Pr[B wins] ≥ 1/2 + α/(2m_1) − negl(λ), where α is the probability that A breaks (γ, τ)-unforgeability. Therefore, B breaks IND-CPA security with non-negligible probability.

| A watermarking scheme for digital signature schemes
In this section, in a similar spirit to the watermarking construction of Section 5.1, we present a watermarking construction (WGen, Mark, Detect) for a digital signature scheme (SigGen, Sign, Verify). The detailed construction can be seen in Figure 8. In Theorem 2, we prove that the construction of Figure 8 satisfies the properties of a watermarking scheme. As will become clear below, our security analysis requires that the underlying digital signature scheme satisfies a property called verification soundness (see Definition 2).

Theorem 2 Let (SigGen, Sign, Verify) be a digital signature scheme which satisfies correctness, EUF-CMA security and verification soundness. Let F : K × {0,1}^n → {0,1}^ℓ be a PRF with key space K. Then, the watermarking scheme of Figure 8 satisfies detection correctness, implementation property-preserving with error ɛ_prf, (ρ, δ)-unremovability and (γ, τ)-unforgeability, where ɛ_prf is the security of the PRF, ρ = δ = 1/poly(λ), γ ≥ 1 − ρδ/3 + τ and τ < ρδ/3.
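The signature-side counterpart of the construction, as an added Python example that is not the paper's Figure 8 nor any project's code. It assumes HMAC-SHA256 as the PRF F and a constructed toy Schnorr scheme over a 10-bit group as (SigGen, Sign, Verify) (not a secure size), and derives the i-th key pair from F(K, i) with i the counter value after the increment. The difference from the PKE case is that the marked circuit is probabilistic (it draws its own coins) and Detect cannot compare outputs against a reference signature; instead it re-derives only the verification key vk_i and counts how many of the circuit's signatures on λ/ρ³ random messages pass Verify under vk_i, reporting marked at the λ/2ρ threshold.

```python
import hashlib
import hmac
import random

# Toy Schnorr group, constructed for this example and far too small for real use:
# p = 2q + 1 with q prime; g = 4 has order q.
P, Q, G = 1019, 509, 4


def prf(key: bytes, counter: int) -> bytes:
    """F(K, i), instantiated here with HMAC-SHA256 (an assumption of this example)."""
    return hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()


def sig_gen(random_tape: bytes):
    """SigGen(1^lambda) on an explicit random tape: returns (vk, sk) with vk = g^sk."""
    sk = 1 + int.from_bytes(random_tape, "big") % (Q - 1)
    return pow(G, sk, P), sk


def _challenge(R: int, m: bytes) -> int:
    """Fiat-Shamir challenge e = H(R || m) reduced mod q."""
    return int.from_bytes(hashlib.sha256(R.to_bytes(2, "big") + m).digest(), "big") % Q


def sign(sk: int, m: bytes, r: int):
    """Sign_sk(m; r): Schnorr signature (R, s) with R = g^r, s = r + e*sk mod q."""
    R = pow(G, r, P)
    return R, (r + _challenge(R, m) * sk) % Q


def verify(vk: int, m: bytes, sig) -> bool:
    """Verify_vk(m, (R, s)): accept iff g^s == R * vk^e."""
    R, s = sig
    if not (1 <= R < P and 0 <= s < Q):
        return False
    return pow(G, s, P) == (R * pow(vk, _challenge(R, m), P)) % P


def damaged_circuit(signer):
    """Constructed 'far' circuit: shifts s by one, so nothing it outputs verifies
    under the signer's vk (g^(s+1) != R * vk^e because g != 1)."""
    def circuit(m: bytes):
        R, s = signer(m)
        return R, (s + 1) % Q
    return circuit


class SigMarkingService:
    """Same shape as the PKE service: private key K, public counter as the state."""

    def __init__(self, key: bytes):
        self.key = key
        self.state = 0

    def mark(self):
        """Hand out (vk, Sign_sk) for the key pair derived from F(K, state)."""
        self.state += 1
        vk, sk = sig_gen(prf(self.key, self.state))
        # The signing circuit draws its own coins r, so it is a probabilistic circuit.
        return vk, (lambda m, _sk=sk: sign(_sk, m, random.randrange(1, Q)))

    def detect(self, circuit, lam: int = 16, rho: float = 0.5, seed=None) -> bool:
        """Marked iff for some re-derived vk_i at least lambda/2rho of lambda/rho^3
        signatures produced by the circuit on random messages verify under vk_i."""
        rng = random.Random(seed)
        samples = int(lam / rho ** 3)
        threshold = lam / (2 * rho)
        for i in range(1, self.state + 1):
            vk_i, _ = sig_gen(prf(self.key, i))   # only the public half is needed
            msgs = [rng.getrandbits(64).to_bytes(8, "big") for _ in range(samples)]
            valid = sum(verify(vk_i, m, circuit(m)) for m in msgs)
            if valid >= threshold:
                return True
        return False


if __name__ == "__main__":
    svc = SigMarkingService(b"constructed-example-marking-key")
    vk, marked_sign = svc.mark()
    print("marked signer detected:", svc.detect(marked_sign))
    print("damaged signer detected:", svc.detect(damaged_circuit(marked_sign)))
```

Because detection relies on Verify alone, the counting argument in the proofs below is about message-signature pairs that pass verification under vk_i, which is exactly why verification soundness of the underlying scheme (a signature that verifies must lie in the image of Sign_{sk_i}) enters the analysis for signatures but not for PKE.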
To avoid repetition, given the similarities between the proof of Theorem 2 and the proof of Theorem 1, below we discuss the differences and similarities in the way each property of the watermarking scheme for digital signatures is proven, compared to the corresponding property in Theorem 1.

Lemma 6 If the digital signature scheme (SigGen, Sign, Verify) satisfies EUF-CMA security, perfect correctness and verification soundness, and F : K × {0,1}^n → {0,1}^ℓ is a PRF, then the watermarking scheme of Figure 8 is implementation property-preserving according to Definition 12.

Sketch: The EUF-CMA security of the watermarked scheme relies on the security of the PRF. Given that (SigGen, Sign, Verify) satisfies EUF-CMA, a PRF distinguisher distinguishes a random function from a PRF by emulating the EUF-CMA game for either (SigGen, Sign, Verify) or the watermarked scheme, depending on the oracle function. Correctness and verification soundness are preserved with no error, since they hold for any pair of keys generated by SigGen(1^λ), which implies that they hold for the subset of pairs generated by SigGen(1^λ) using a PRF output as randomness.

Lemma 7 The watermarking scheme of Figure 8 satisfies detection correctness under the assumption that the underlying digital signature scheme (SigGen, Sign, Verify) satisfies perfect correctness.
Sketch: Similar to the proof of Lemma 3, this property is proven using counting arguments independent of the adversary's strategy, relying only on the correctness of the underlying signature scheme. In particular, we fix (i, (Sign_{sk_i}, Verify_{vk_i})) ∈ Marked and we assume that C* is (ρ, δ)-close to Sign_{sk_i}. Then, we define a random variable which counts the number of messages (chosen uniformly at random from M), out of λ/ρ³ in total, for which the signatures output by C* are correctly verified by Verify_{vk_i}. By a Chernoff bound, we show that at least λ/2ρ messages are verified correctly with overwhelming probability, and thus Detect returns unmarked only with negligible probability.

Sketch: We prove (γ, τ)-unforgeability by reducing it to the EUF-CMA security of the watermarked signature scheme. Specifically, we construct a PPT adversary B which breaks EUF-CMA by utilizing a PPT adversary A against a modified unforgeability game where the PRF is substituted by a random function. We assume that A wins with non-negligible probability. The general idea of the reduction is similar to that of Figure 7 in Lemma 5. The adversary B plugs the verification key received from the EUF-CMA Challenger into one of the ChallengeOracle queries of A by randomly guessing the 'attacked query position' of A. When A outputs a circuit C*, B chooses λ/ρ³ messages uniformly at random from the message space and provides them as inputs to C*. Then, it checks if at least one message-signature pair output by C* verifies correctly under the verification key of the EUF-CMA Challenger. If there is such a message-signature pair (m*, σ*), B wins the EUF-CMA security game by returning the pair (m*, σ*) as its 'forgery'. Recall from the definition of (γ, τ)-unforgeability (Definition 11) that A is allowed to obtain a number of signing keys (in the form of signing circuits) by making queries to the CorruptOracle. A wins if C* is (γ, τ)-far from all the signing circuits in the Corrupted set and at the same time Detect returns marked. Similarly to the proof of Lemma 5, we first show that the reason Detect returns marked is that λ/2ρ message-signature pairs have passed the verification test under the verification key of some non-corrupted signing circuit. This is implied by Claim 9.1.

Claim 9.1: Assume that C* is (γ, τ)-far from a signing circuit Sign_{sk_i}, where Sign_{sk_i} ∈ Corrupted, and that we choose λ/ρ³ messages uniformly at random. Then Verify for the corresponding key vk_i returns 1 for more than λ/2ρ of the outputs/signatures of C* only with negligible probability.
Proof of Claim 9.1: Let R_1 be the randomness space of C* and R_2 be the randomness space of Sign_{sk_i}. For (m, r) ∈ M × R_1, we define the random variable X_{i,j}(m, r) = 1 if Verify_{vk_i}(m, C*(m, r))
We have that
By Definition 2 of verification soundness, a relation R_{sk_i} is defined as R_{sk_i} = {(vk_i, (m, σ)) | m ∈ M, ∃ r' ∈ R_2 s.t. σ ← Sign_{sk_i}(m, r')}. By Lemma 6, the watermarking scheme is implementation property-preserving, which means that it satisfies verification soundness. Hence,