In this section, we introduce the notion of a private programmable PRF, which can be viewed as an extension of a private puncturable PRF where the holder of the master secret key can additionally specify the value of the PRF at the punctured point. We show how private programmable PRFs can be used to construct a watermarkable family of PRFs in Section 6.1. We now describe the syntax of a programmable PRF, and give the security notions. We define a programmable PRF as a tuple of algorithms $\Pi = (\mathsf{pPRF.Setup}, \mathsf{pPRF.Program}, \mathsf{pPRF.ProgramEval}, \mathsf{pPRF.Eval})$, over a key space $\mathcal{K}$, input space $\{0,1\}^n$, and output space $\{0,1\}^m$. The syntax for a programmable PRF is essentially identical to the syntax of a constrained PRF, except that the algorithms cPRF.Constrain and cPRF.ConstrainEval are replaced by pPRF.Program and pPRF.ProgramEval.
• $\mathsf{pPRF.Setup}(1^\lambda) \to \mathsf{msk}$. On input the security parameter $\lambda$, the setup algorithm pPRF.Setup outputs the master secret key $\mathsf{msk}$.
• $\mathsf{pPRF.Program}(\mathsf{msk}, x, y) \to \mathsf{sk}$. On input the master secret key $\mathsf{msk}$, an input $x \in \{0,1\}^n$ and an output $y \in \{0,1\}^m$, the program algorithm pPRF.Program outputs a secret key $\mathsf{sk}$.
• $\mathsf{pPRF.ProgramEval}(\mathsf{sk}, x) \to y$. On input a secret key $\mathsf{sk}$, and an input $x \in \{0,1\}^n$, the programmed evaluation algorithm pPRF.ProgramEval outputs an element $y \in \{0,1\}^m$.
• $\mathsf{pPRF.Eval}(\mathsf{msk}, x) \to y$. On input the master secret key $\mathsf{msk}$ and an input $x \in \{0,1\}^n$, the evaluation algorithm pPRF.Eval outputs an element $y \in \{0,1\}^m$.
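Correctness. A programmable PRF is correct if for $\mathsf{msk} \leftarrow \mathsf{pPRF.Setup}(1^\lambda)$, all inputs $x \in \{0,1\}^n$, setting $\mathsf{sk} = \mathsf{pPRF.Program}(\mathsf{msk}, x^*, y^*)$, it is the case that
$$\mathsf{pPRF.ProgramEval}(\mathsf{sk}, x) = \begin{cases} y^*, & \text{if } x = x^* \\ \mathsf{pPRF.Eval}(\mathsf{msk}, x), & \text{otherwise.} \end{cases}$$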
Security. The security definition for the privacy of a programmable PRF is mostly identical to that of a private constrained PRF, except for a few syntactical differences which we explain below.
Definition C.1 (Experiment $\mathsf{Expt}^{\mathsf{pPRF}}_b$). For the security parameter $\lambda \in \mathbb{N}$, integers $n, m > 0$, and a bit $b \in \{0,1\}$, we define the experiment $\mathsf{Expt}^{\mathsf{pPRF}}_b$ between a challenger and an adversary $\mathcal{A}$, which can make oracle queries of the following types: program, evaluation, and challenge. First, the challenger obtains $\mathsf{msk} \leftarrow \mathsf{pPRF.Setup}(1^\lambda)$. The challenger also draws a function $f \xleftarrow{r} \mathsf{Funs}(\{0,1\}^n, \{0,1\}^m)$ uniformly at random. For $b \in \{0,1\}$, the challenger responds to each oracle query type made by $\mathcal{A}$ in the following manner.
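• Program oracle. On input an $x \in \{0,1\}^n$ and $y \in \{0,1\}^m$, the challenger returns $\mathsf{sk} \leftarrow \mathsf{pPRF.Program}(\mathsf{msk}, x, y)$ to $\mathcal{A}$.
• Evaluation oracle. On input $x \in \{0,1\}^n$, the challenger returns $y \leftarrow \mathsf{pPRF.Eval}(\mathsf{msk}, x)$.
• Challenge oracle. On input $x \in \{0,1\}^n$, the challenger returns $y \leftarrow \mathsf{pPRF.Eval}(\mathsf{msk}, x)$ to
Eventually, $\mathcal{A}$ outputs a bit $b' \in \{0,1\}$, which is also output by $\mathsf{Expt}^{\mathsf{pPRF}}_b$. Let $\Pr[\mathsf{Expt}^{\mathsf{pPRF}}_b(\mathcal{A}) = 1]$ denote the probability that $\mathsf{Expt}^{\mathsf{pPRF}}_b$ outputs 1 with $\mathcal{A}$.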
Definition C.2 (Admissible Programming). An adversary is admissible if it makes at most one query $x \in \{0,1\}^n$ to the challenge oracle, and moreover, for all points $x'_i \in \{0,1\}^n$ it submits to the program oracle, $x'_i = x$.
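Definition C.3 (Programming Security). A programmable PRF $\Pi$ is secure if for all efficient and admissible adversaries $\mathcal{A}$, the following quantity is negligible:
$$\mathsf{Adv}^{\mathsf{pPRF}}[\Pi, \mathcal{A}] \stackrel{\text{def}}{=} \Pr[\mathsf{Expt}^{\mathsf{pPRF}}_0(\mathcal{A}) = 1] - \Pr[\mathsf{Expt}^{\mathsf{pPRF}}_1(\mathcal{A}) = 1].$$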
Definition C.4 (Experiment $\mathsf{Expt}^{\mathsf{ppriv}}_b$). For the security parameter $\lambda \in \mathbb{N}$, integers $n, d \in \mathbb{N}$ and a bit $b \in \{0,1\}$, we define the experiment $\mathsf{Expt}^{\mathsf{ppriv}}_b$ between a challenger and an adversary $\mathcal{A}$, which can make evaluation and challenge queries. First, the challenger obtains $\mathsf{msk} \leftarrow \mathsf{pPRF.Setup}(1^\lambda)$, and samples $y^* \leftarrow \{0,1\}^m$ uniformly at random. For $b \in \{0,1\}$, the challenger responds to each oracle query type made by $\mathcal{A}$ in the following manner.
• Evaluation oracle. On input $x \in \{0,1\}^n$, the challenger returns $y \leftarrow \mathsf{pPRF.Eval}(\mathsf{msk}, x)$.
• Challenge oracle. For a pair of inputs $x_0, x_1 \in \{0,1\}^n$, the challenger returns $\mathsf{sk} \leftarrow \mathsf{pPRF.Program}(\mathsf{msk}, x_b, y^*)$.
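Eventually, $\mathcal{A}$ outputs a bit $b' \in \{0,1\}$, which is also output by $\mathsf{Expt}^{\mathsf{ppriv}}_b$. Let $\Pr[\mathsf{Expt}^{\mathsf{ppriv}}_b(\mathcal{A}) = 1]$ denote the probability that $\mathsf{Expt}^{\mathsf{ppriv}}_b$ outputs 1.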
Definition C.5 (Admissible Privacy). An adversary is admissible if it makes at most one challenge oracle query, and it does not query the evaluation oracle on any point that also appears in a challenge oracle query.
Definition C.6 (Privacy). A programmable PRF $\Pi$ is private if for all efficient and admissible adversaries $\mathcal{A}$ the following quantity is negligible:
$$\mathsf{Adv}^{\mathsf{ppriv}}[\Pi, \mathcal{A}] \stackrel{\text{def}}{=} \Pr[\mathsf{Expt}^{\mathsf{ppriv}}_0(\mathcal{A}) = 1] - \Pr[\mathsf{Expt}^{\mathsf{ppriv}}_1(\mathcal{A}) = 1].$$
Note that in our game-based definition of privacy for programmable PRFs (Definition C.4), the adversary does not specify the value at the punctured point. Instead, the challenger samples the value uniformly at random from the range of the PRF. This restriction is essential for ensuring an achievable notion of privacy. Indeed, if the adversary were able to specify (or guess) the value at the programmed point, then it could trivially distinguish $\mathsf{Expt}^{\mathsf{ppriv}}_0$ from $\mathsf{Expt}^{\mathsf{ppriv}}_1$ by simply evaluating the programmed key at the two points $x_0, x_1$ it submitted to the challenge oracle. Thus, hiding the reprogrammed point is only possible if the reprogrammed value is unknown to the adversary. While this seems like a very limiting restriction, we show in Section 6.1 that a private programmable PRF satisfying Definitions C.3 and C.6 is sufficient for constructing a watermarkable family of PRFs.
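
The observation above can be checked empirically. The following is an added example, not code from the paper: it runs the game of Definition C.4 next to a modified game in which the adversary supplies y* itself, against a toy programmable PRF that satisfies the syntax and correctness condition only. Assumptions: HMAC-SHA256 stands in for the PRF, the toy key stores (x*, y*) in the clear and is therefore not private, and all function names are hypothetical.

```python
import hashlib
import hmac
import secrets

N_BYTES = M_BYTES = 16  # toy parameters: n = m = 128 bits

def setup():
    """pPRF.Setup: sample a master secret key."""
    return secrets.token_bytes(32)

def prf_eval(msk, x):
    """pPRF.Eval: HMAC-SHA256 truncated to m bits stands in for the PRF."""
    return hmac.new(msk, x, hashlib.sha256).digest()[:M_BYTES]

def program(msk, x_star, y_star):
    """pPRF.Program: toy key that stores (x*, y*) in the clear (NOT private)."""
    return (msk, x_star, y_star)

def program_eval(sk, x):
    """pPRF.ProgramEval: y* at the programmed point, pPRF.Eval elsewhere."""
    msk, x_star, y_star = sk
    return y_star if x == x_star else prf_eval(msk, x)

def adversary(key_oracle, x0, y_guess):
    """Black-box distinguisher: output b' = 0 iff the key maps x0 to y_guess."""
    return 0 if key_oracle(x0) == y_guess else 1

def privacy_experiment(b, adversary_picks_y):
    """Expt^ppriv_b, or the modified game in which A supplies y* itself."""
    msk = setup()
    x0, x1 = secrets.token_bytes(N_BYTES), secrets.token_bytes(N_BYTES)
    y_guess = secrets.token_bytes(M_BYTES)  # value chosen by the adversary
    y_star = y_guess if adversary_picks_y else secrets.token_bytes(M_BYTES)
    sk = program(msk, (x0, x1)[b], y_star)
    return adversary(lambda x: program_eval(sk, x), x0, y_guess)

def gap(adversary_picks_y, trials=100):
    """Magnitude of Pr[Expt_0 = 1] - Pr[Expt_1 = 1], estimated empirically."""
    p = [sum(privacy_experiment(b, adversary_picks_y) for _ in range(trials)) / trials
         for b in (0, 1)]
    return abs(p[0] - p[1])

if __name__ == "__main__":
    print("A picks y*:         ", gap(True))   # distinguisher always wins
    print("challenger picks y*:", gap(False))  # this distinguisher learns nothing
```

The distinguisher only calls ProgramEval as a black box, so it applies to any correct programmable PRF once y* is known to the adversary; with a challenger-sampled y* the same strategy has no measurable gap.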