1 Introduction

Applying emerging ML algorithms together with cloud computing [38] in practice has already brought large benefits for people [21, 30]. For example, in cloud-assisted eHealth systems [19, 36, 37], a medical institution can use these ML algorithms to train a cloud server (which is subject to a cloud service provider) and deploy ML models on the server. After that, the cloud server is able to provide healthcare services for users (e.g., patients) without requiring the participation of the medical institution. By doing so, the medical institution can outsource the healthcare services to the cloud server and enable the users to leverage the services in an efficient and convenient way.

Despite the conveniences and benefits brought by ML algorithms, serious security and privacy concerns [14, 31] about training the cloud server [33] and requesting services from it have been raised [22]. Specifically, in most ML algorithms, it is inevitable that training data and key information leak to the cloud server while the ML models are being deployed, and the cloud server is able to extract users' private information when it provides services for them. As a consequence, a malicious cloud server (or a malicious insider working at the service provider) can illegally gain profits from the leaked training data and users' privacy, and the security and reliability of the system cannot be guaranteed [16].

To protect the training data and users' privacy [13, 24, 32] against the cloud server, several privacy-preserving ML algorithms [11, 15, 23] have been proposed. Most of them are built on secure multi-party computation (SMC) and homomorphic encryption (HE). However, because SMC and HE are inefficient to perform, both the users (including those who outsource services to the cloud server) and the cloud server, who execute these algorithms, bear high costs in terms of computation and communication.

To improve the efficiency while retaining the functionalities of ML algorithms, emerging cryptographic primitives [17, 18], such as functional encryption (FE) [12, 27, 28] and predicate encryption (PE), are employed. Recent works [8, 34] have shown that utilizing FE and PE greatly improves the efficiency of deploying and executing ML algorithms.

From a technical perspective, a functional encryption scheme for a functionality F defined over a key space \(\mathcal{K}\) and a message space \({\mathcal{M}}\) allows the computation of F(K;M) from the key \(sk_{K}\), associated to a key \(K\in \mathcal {K}\), and a ciphertext \(CT_{M}\) which encrypts the message \(M\in {\mathcal{M}}\). Since the original functional encryption was proposed, a long line of research on it has been spurred. Predicate encryption is a special functional encryption where ciphertexts \(CT_{X,M}\) are associated with a plaintext M and an attribute X, secret keys \(sk_{P}\) are associated with a boolean predicate P, and the decryption of a ciphertext \(CT_{X,M}\) with a private key \(sk_{P}\) recovers the encrypted plaintext M if and only if P(X) = 1. However, existing functional encryption and predicate encryption schemes consider only generic functions and not quadratic functions, which results in lower efficiency.

Our contributions. In this paper, we present a simple transformation from functional encryption that supports generic functions to one that supports quadratic functions (which include the inner product function). In our scheme, ciphertexts \(CT_{(\mathsf {x},\mathsf {y})}\in \mathbb {Z}^{n}_{q}\times \mathbb {Z}^{m}_{q}\) are associated with a pair of vectors \((\mathsf{x},\mathsf{y})\) (when performing encryption, \((\mathsf{x},\mathsf{y})\) can be seen as a string of length \((n+m)\log q\)), private keys \(sk_{\mathsf{F}}\) are associated with a quadratic function F (where \(\mathsf {F}\in \mathbb {Z}^{n\times m}_{q}\) can be seen as the key of F), and the decryption of a ciphertext \(CT_{(\mathsf{x},\mathsf{y})}\) with a private key \(sk_{\mathsf{F}}\) recovers \((\mathsf {x})^{\top }\mathsf {F}\mathsf {y}\in \mathbb {Z}_{q}\), where \(q > 2^{\lambda}\) is a prime number, and n, m are positive natural numbers. The ciphertexts in our schemes have the improved length \(O((n+m)\log q)\) rather than \(O(nm\log q)\), which is the case in [1], where an FE scheme for inner product functions is proposed (our scheme can implement the inner product functionality by taking the key matrix F as the identity matrix I).

In particular, our schemes remove the bilinear maps that are used to implement the quadratic functionality. For the instantiations, if we take the FE schemes proposed by Gorbunov et al. in [10] as the underlying FE schemes, then, beyond the MDDH and GGM assumptions, our schemes also allow for instantiations under other standard assumptions such as the decisional Diffie-Hellman (DDH) [6], RSA [7], learning with errors (LWE) [25], and learning parity with noise (LPN) [35] assumptions. This is because the semantically secure public-key encryption schemes that are used to build their FE schemes can be instantiated under these assumptions. Of course, if we adopt the FE schemes in [29] and [9] as the underlying FE schemes, then we can again obtain instantiations from non-standard assumptions such as indistinguishability obfuscator (IO) [29] and multilinear maps [9].

Overview of Our FE for Quadratic Functions. Our schemes work over prime fields \(\mathbb {Z}_{q}\) such that \(q > 2^{\lambda}\) is a prime number and λ is the security parameter used in our schemes. They are quite efficient in communication size: the public key and private key have flexible lengths that vary with the constructions of the underlying FE schemes for generic functions. The ciphertexts in our schemes have a size comparable to that in [4]. The idea behind the generic transformation is very simple: we only use a sufficiently expressive FE scheme for generic functions, beyond which no additional assumptions are introduced. Both of our schemes (in the public-key and secret-key settings) can be proved adaptively secure, where security is guaranteed even for messages that are adaptively chosen at any point in time, under the same security assumption as the underlying FE schemes. In the following, we highlight some of the core ideas in our schemes.

We first introduce the functionality that our schemes support. Specifically, for an instance expressed as a pair of vectors \((\mathsf {x},\mathsf {y})\in {\mathcal{M}}\) encrypted in a ciphertext \(CT_{(\mathsf{x},\mathsf{y})}\), and a function F presented as a matrix \(\mathsf {F}\in \mathcal {K}\), decrypting the ciphertext \(CT_{(\mathsf{x},\mathsf{y})}\) under the private key \(sk_{\mathsf{F}}\) with which the function F is associated allows one to compute the quadratic function value \((\mathsf {x})^{\top }\mathsf {F}\mathsf {y}\in \mathcal {Y}\), where the function F is defined as \(F:\mathcal {K}\times {\mathcal{M}}\rightarrow {\mathcal {Y}}\).

The first step is to encrypt the pair of vectors \((\mathsf{x},\mathsf{y})\) into a ciphertext \(CT_{(\mathsf{x},\mathsf{y})}\) under the underlying FE scheme FE for generic functions, which are computable by a polynomial-size circuit \(\mathcal {G}\). Toward finding a decryption method, we first observe that, given \(CT_{(\mathsf{x},\mathsf{y})}\) and a private key \(sk_{\mathcal{G}}\) (associated with the circuit class \(\mathcal {G}\)), under the FE scheme FE, we can compute the function value \((\mathsf {x})^{\top }\mathsf {F}\mathsf {y}\in \mathcal {Y}\). However, without any extra processing, this is obviously infeasible. In order to achieve this goal, we embed the computation of \((\mathsf {x})^{\top }\mathsf {F}\mathsf {y}\) in the circuit \(\mathcal {G}[\mathsf {F}]\) with the function F hardwired in. We then take the pair \((\mathsf{x},\mathsf{y})\) as the input of the circuit \(\mathcal {G}\) and give the circuit the functionality of computing \((\mathsf {x})^{\top }\mathsf {F}\mathsf {y}\) from the hardwired function F and the pair \((\mathsf{x},\mathsf{y})\). By running the decryption, we finally get the desired result.

Concurrent and Independent work. In concurrent and independent work, Lin [20], and Ananth and Sahai [3] present constructions of private-key functional encryption schemes for degree-D polynomials based on D-linear maps. If taking D = 2, these schemes support quadratic polynomials from bilinear maps. In 2017, Baltico et al. [4] also propose constructions of functional encryption (both in the private-key and public-key settings) for quadratic functions from the MDDH and GGM assumptions under the existence of bilinear maps. Their GGM-based schemes are proved adaptively secure but their MDDH-based schemes only achieve selective security. In comparison to these works, our schemes have the advantage of working without pairings and can be proved adaptively secure only under the same security of the underlying FE schemes which is easy to achieve, since such security can be obtained by many existing methods.

2 Preliminaries

In this section, we introduce some notations and cryptographic building blocks used in this paper.

2.1 Notations

Throughout the paper, \(\mathbb {N}\) denotes the set of natural numbers and \(\lambda \in \mathbb {N}\) denotes the security parameter. Let \(y\leftarrow {A(x_{1},\cdots ;R)}\) denote the operation of running algorithm A on inputs \(x_{1},\cdots\) and coins R to output y. For simplicity, we write \(y\leftarrow {A(x_{1},\cdots ;R)}\) as \(y\leftarrow _{\$}A(x_{1},\cdots )\) with implied coins. If \(n\in \mathbb {N}\), we let [n] denote the set \(\{1,\cdots ,n\}\). We call a function negl negligible in λ if \(negl(\lambda )\in \lambda ^{-\omega (1)}\) and a function poly a polynomial if \(poly\in \lambda ^{\mathcal {O}(1)}\). If \(\mathsf{x}\) denotes a vector, then \(|\mathsf{x}|\) denotes the number of components in \(\mathsf{x}\) and \(x_{i}\) denotes the i-th component of the vector \(\mathsf{x}\). If P denotes a circuit, then we use the notation P[z](⋅) to emphasize the fact that the value z is hard-coded into P.

In this paper, for security definitions and proofs we use the code-based game playing framework of [5, 26]. A game G has a main procedure, and possibly other procedures. G begins by executing the main procedure, which runs an adversary A after some initialization. A can make oracle calls permitted by G. When A finishes execution, G continues to execute with A's output. By \(G^{A}\Rightarrow y\), we denote the event that G executes with A to output y. Generally, we abbreviate \(G^{A}\Rightarrow \mathsf{true}\) or \(G^{A}\Rightarrow 1\) as G, and boolean flags and sets are initialized to false and respectively.

Furthermore, given a matrix of scalars \(\mathsf {F}= (f_{i,j})\in \mathbb {Z}^{n\times m}_{q}\) and two vectors \(\mathsf {a}\in \mathbb {Z}^{n}_{q}, \mathsf {b}\in \mathbb {Z}^{m}_{q}\), one can efficiently compute

$$\mathsf{a}^{\top}\mathsf{F}\mathsf{b}=\sum\limits_{i\in[n],j\in[m]}f_{i,j} a_{i} b_{j}.$$

2.2 Quadratic function

Let \(n,m\in \mathbb {N}^{+}\) be positive integers and \(q > 2^{\lambda}\) be a prime number. We let the message space \({\mathcal{M}}:=\mathbb {Z}^{n}_{q}\times \mathbb {Z}^{m}_{q}\) consist of pairs of vectors \((\mathsf{x},\mathsf{y})\). The key space consists of matrices, \(\mathcal {K}:=\mathbb {Z}^{n\times m}_{q}\); every key \(K\in \mathcal {K}\) is a matrix \(\mathsf{F} = (f_{i,j})\), and the output space is \(\mathcal {Y}:=\mathbb {Z}_{q}\). The functionality F(K,M) is the one that computes the value \(\mathsf {x}^{\top }\mathsf {F}\mathsf {y}\in \mathbb {Z}_{q}\), where \(K = \mathsf{F}\) and \(M=(\mathsf {x},\mathsf {y})\in {\mathcal{M}}\).

3 Functional encryption

In the following, we review the definition of functional encryption from [4].

Functionality. In our scheme, we will use the class of functionalities \(F:\mathcal {K}\times {\mathcal{M}}\rightarrow {\mathcal {Y}}\), where \(\mathcal {K}\) denotes the key space, \({\mathcal{M}}\) denotes the message space, and \(\mathcal {Y}\) denotes the output space of the function F; these spaces are defined respectively as in Section 3.

Definition 1 (Functional Encryption)

A functional encryption scheme FE for a functionality F in the public-key setting (resp., in the private-key setting which adds the boxed parameter) consists of a tuple of algorithms FE=(FE.Setup, FE.KeyGen, FE.Enc, FE.Dec) that works as follows.

\(\mathsf{FE.Setup}(1^{\lambda},F)\):

On input a security parameter \(1^{\lambda}\) and a functionality F, the algorithm \(\mathsf{FE.Setup}(1^{\lambda},F)\) outputs a master public key mpk and a master secret key msk.

\(\mathsf{FE.KeyGen}(msk,K)\):

On input a master secret key msk and a functionality key \(K\in \mathcal {K}\), the algorithm \(\mathsf {FE.KeyGen}(msk,K\in \mathcal {K})\) outputs a private key \(sk_{K}\).

:

On input a master public key mpk and a message \(M\in {\mathcal{M}}\), the algorithm FE.Enc(mpk,M) outputs a ciphertext CT in the public-key setting. In the private-key setting, the algorithm additionally takes a master secret key msk as input; the same applies hereinafter.

\(\mathsf{FE.Dec}(sk_{K},CT)\):

On input a private key \(sk_{K}\) and a ciphertext CT, the algorithm \(\mathsf{FE.Dec}(sk_{K},CT)\) outputs a \(y\in \mathcal {Y}\cup \{\bot \}\).

Correctness. For correctness, it is required that for all queries \(K\in \mathcal {K}\), and all messages \(M\in {\mathcal{M}}\), if \(sk_{K}\leftarrow \mathsf {FE.KeyGen}(msk,K)\) and , then it holds with overwhelming probability that \(\mathsf{FE.Dec}(sk_{K},CT) = F(K,M)\) when \(F(K,M)\neq \bot\).

Definition 2 (Adaptive Indistinguishable-Based Security)

For the adaptive indistinguishable-based chosen-plaintext (a-IND-CPA) security, we use \(\mathsf {aINDCPA}_{\mathcal {A},F}^{\mathsf {FE},b}(\lambda )\) (see Fig. 1) to denote a-IND-CPA game between a PPT adversary \(\mathcal {A}\) and a challenger \(\mathcal {C}\). We define the advantage of \(\mathcal {A}\) in game \(\mathsf {aINDCPA}_{\mathcal {A},F}^{\mathsf {FE},b}(\lambda )\) as \(\mathsf {Adv}^{\mathsf {aINDCPA}}_{\mathsf {FE},F,\mathcal {A}}(\lambda )=\mathsf {Pr}[\mathsf {aINDCPA}_{\mathcal {A},F}^{\mathsf {FE},0}(\lambda )=1]-\mathsf {Pr}[\mathsf {aINDCPA}_{\mathcal {A},F}^{\mathsf {FE},1}(\lambda )=1]\).

Definition 3 (Selective Indistinguishable-Based Security)

For the selective indistinguishable-based chosen-plaintext (s-IND-CPA) security, where the challenge messages are required to be delivered before the master public key and key queries, we use \(\mathsf {sINDCPA}_{\mathcal {A},F}^{\mathsf {FE},b}(\lambda )\) (see Fig. 2) to denote the s-IND-CPA game between a PPT adversary \(\mathcal {A}\) and a challenger \(\mathcal {C}\). We define the advantage of \(\mathcal {A}\) in game \(\mathsf {sINDCPA}_{\mathcal {A},F}^{\mathsf {FE},b}(\lambda )\) as \(\mathsf {Adv}^{\mathsf {sINDCPA}}_{\mathsf {FE},F,\mathcal {A}}(\lambda )=\mathsf {Pr}[\mathsf {sINDCPA}_{\mathcal {A},F}^{\mathsf {FE},0}(\lambda )=1]-\mathsf {Pr}[\mathsf {sINDCPA}_{\mathcal {A},F}^{\mathsf {FE},1}(\lambda )=1]\).

Fig. 1 Adaptive IND-CPA Experiment for FE

Fig. 2 Selective IND-CPA Experiment for FE

In the above two experiments, we require that for all key queries \(\{K\}\) and message queries \(\{(M_{0},M_{1})\}\) made by the adversary \(\mathcal {A}\), we have \(F(K,M_{0}) = F(K,M_{1})\). Obviously, adaptive security implies selective security.
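The admissibility requirement above, specialised to the quadratic functionality of Section 2.2, can be enforced by a test harness as follows. This is an added example, not code from the paper; the class name `AdmissibilityTracker`, the helper `quad` and the modulus are assumptions chosen for illustration.

```python
from typing import List, Sequence, Tuple

Q = 2**61 - 1  # constructed prime modulus standing in for q

Vec = Sequence[int]
Msg = Tuple[Vec, Vec]          # a message M = (x, y)
Mat = Sequence[Sequence[int]]  # a key K = F, an n x m matrix


def quad(F: Mat, x: Vec, y: Vec, q: int = Q) -> int:
    """F(K, M) = x^T F y mod q, as the double sum over f_ij * x_i * y_j."""
    return sum(F[i][j] * x[i] * y[j]
               for i in range(len(x)) for j in range(len(y))) % q


class AdmissibilityTracker:
    """Bookkeeping a challenger needs to reject inadmissible queries.

    selective=False models Definition 2 (queries in any order);
    selective=True models Definition 3 (challenge before any key query).
    """

    def __init__(self, selective: bool = False) -> None:
        self.selective = selective
        self.keys: List[Mat] = []
        self.challenges: List[Tuple[Msg, Msg]] = []

    @staticmethod
    def _fits(F: Mat, M: Msg) -> bool:
        x, y = M
        return len(F) == len(x) and all(len(row) == len(y) for row in F)

    def _agree(self, F: Mat, M0: Msg, M1: Msg) -> bool:
        # A key that separates M0 from M1 would let decryption reveal b.
        if not (self._fits(F, M0) and self._fits(F, M1)):
            return False
        return quad(F, *M0) == quad(F, *M1)

    def key_query(self, F: Mat) -> bool:
        """Record F only if it agrees on every challenge pair seen so far."""
        if all(self._agree(F, M0, M1) for M0, M1 in self.challenges):
            self.keys.append(F)
            return True
        return False

    def challenge_query(self, M0: Msg, M1: Msg) -> bool:
        """Record (M0, M1) only if every issued key agrees on the pair."""
        if self.selective and self.keys:
            return False  # selective game: challenge must come first
        if all(self._agree(F, M0, M1) for F in self.keys):
            self.challenges.append((M0, M1))
            return True
        return False
```
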

4 Construction of functional encryption for quadratic functions

In this section, we present a functional encryption for quadratic functions (QFE) with (adaptive) IND-CPA security.

4.1 Construction

In the following, we present a generic construction for functional encryption for quadratic functions. Let QFE=(QFE.Setup, QFE.KeyGen, QFE.Enc, QFE.Dec) denote the scheme over the functional space \(F:\mathcal {K}\times {\mathcal{M}}\) \(\rightarrow {\mathcal {Y}}\) (see Section 2.2 for its functionalities) and message space \({\mathcal{M}}=\mathbb {Z}^{n}_{q}\times \mathbb {Z}^{m}_{q}\), where \(\mathcal {K}=\mathbb {Z}^{n\times m}_{q}\) and \(\mathcal {Y}=\mathbb {Z}_{q}\). In particular, our scheme uses the following building block.

  • A functional encryption scheme FE=(FE.Setup, FE.KeyGen, FE.Enc, FE.Dec) for function family \({\mathcal{G}}\).

The construction is described as follows.

\(\mathsf{QFE.Setup}(1^{\lambda},F)\):

On input a security parameter \(1^{\lambda}\) and a function family F, the setup algorithm first samples \((fmk,fsk)\leftarrow {\mathsf {FE.Setup}(1^{\lambda })}\) and then sets the master public key and master secret key as mpk = fmk and msk = fsk. It finally outputs (mpk,msk).

\(\mathsf{QFE.KeyGen}(msk,\mathsf{F})\):

On input a master secret key msk and a function key \(\mathsf {F}\in \mathcal {K}\), the key generation algorithm first parses msk = fsk and then constructs a circuit \(\mathcal {G}[\mathsf {F}]\in {\mathcal{G}}\) with key F hardwired in it (where the construction of \(\mathcal {G}\) is shown in Fig. 3). Then it computes \(sk_{\mathcal {G}}\leftarrow {\mathsf {FE.KeyGen}(fsk,\mathcal {G})}\) and sets \(sk_{\mathsf {F}}=sk_{\mathcal {G}}\). Finally, it outputs the private key \(sk_{\mathsf{F}}\).

:

On input a master public key mpk and a message \((\mathsf{x},\mathsf{y})\), this algorithm first parses mpk = fmk, and then computes \(CT\leftarrow {\mathsf {FE.Enc}(fmk,(\mathsf {x},\mathsf {y}))}\) (note that \((\mathsf{x},\mathsf{y})\) can be seen as a string of length \((n+m)\log q\)). Finally, it outputs the ciphertext CT.

\(\mathsf{QFE.Dec}(sk_{\mathsf{F}},CT)\):

On input a private key \(sk_{\mathsf{F}}\) and a ciphertext CT, the algorithm computes \(y = \mathsf{FE.Dec}(sk_{\mathsf{F}},CT)\) and finally outputs y.

Fig. 3 Circuit \(\mathcal {G}[\mathsf {F}]\)

Correctness. The correctness of the functional encryption scheme for quadratic polynomial follows by the correctness of the functional encryption for general functionalities F. Namely, for all \((mpk,msk)\leftarrow \mathsf {QFE.KeyGen}(msk,\mathsf {F})\), all \((\mathsf {x},\mathsf {y})\in {\mathcal{M}}\), all \(sk_{\mathsf {F}}\leftarrow \mathsf {QFE.KeyGen}(msk,\mathsf {F})\) and \(CT\leftarrow \mathsf {QFE.Enc}(mpk,(\mathsf {x},\mathsf {y}))\), where \(sk_{\mathsf {F}}=sk_{\mathcal {G}}\), if the circuit \(\mathcal {G}[\mathsf {F}]\) satisfies the functionality in Fig. 3, then

$$\mathsf{QFE.Dec}(sk_{\mathsf{F}},CT)=\mathsf{FE.Dec}(sk_{\mathcal{G}[\mathsf{F}]},CT)=\mathsf{x}^{\top}\mathsf{F}\mathsf{y}.$$
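The data flow of the construction in Section 4.1 can be traced with the added sketch below, which is not the paper's code: it shows the \((n+m)\log q\)-bit encoding of \((\mathsf{x},\mathsf{y})\), the circuit \(\mathcal{G}[\mathsf{F}]\) with F hardwired, and the four QFE algorithms as thin wrappers. `IdealFE` is a hypothetical stand-in that only models the input/output behaviour of a generic FE scheme and provides no confidentiality; all names and the modulus are assumptions.

```python
import secrets

Q = 2**61 - 1               # constructed prime modulus standing in for q
ELEM_BITS = Q.bit_length()  # bits per Z_q element, the paper's "log q"


def pack(x, y) -> bytes:
    """Encode (x, y) as one string of (n+m)*log q bits, padded to bytes."""
    acc = 0
    for v in list(x) + list(y):
        if not 0 <= v < Q:
            raise ValueError("component outside Z_q")
        acc = (acc << ELEM_BITS) | v
    nbits = (len(x) + len(y)) * ELEM_BITS
    return acc.to_bytes((nbits + 7) // 8, "big")


def unpack(blob: bytes, n: int, m: int):
    """Inverse of pack; returns None (the symbol ⊥) on malformed input."""
    nbits = (n + m) * ELEM_BITS
    if len(blob) != (nbits + 7) // 8:
        return None
    acc = int.from_bytes(blob, "big")
    if acc >> nbits:  # padding bits must be zero
        return None
    mask = (1 << ELEM_BITS) - 1
    vals = [(acc >> (ELEM_BITS * k)) & mask for k in reversed(range(n + m))]
    if any(v >= Q for v in vals):
        return None
    return vals[:n], vals[n:]


def make_circuit(F):
    """Build G[F]: takes the packed string and returns x^T F y mod q."""
    F = [list(row) for row in F]  # hardwire a private copy of the key
    n, m = len(F), len(F[0])
    if any(len(r) != m for r in F) or any(not 0 <= f < Q for r in F for f in r):
        raise ValueError("F must be an n x m matrix over Z_q")

    def G(blob: bytes):
        parsed = unpack(blob, n, m)
        if parsed is None:
            return None
        x, y = parsed
        return sum(F[i][j] * x[i] * y[j]
                   for i in range(n) for j in range(m)) % Q
    return G


class IdealFE:
    """Hypothetical, INSECURE model of a generic FE scheme: Dec(sk_G, Enc(M))
    returns G(M). A real instantiation replaces this class entirely."""

    def setup(self):
        token = secrets.token_bytes(16)
        return token, token  # (fmk, fsk); one token plays both roles here

    def keygen(self, fsk, circuit):
        return (fsk, circuit)

    def enc(self, fmk, message: bytes):
        return (fmk, message)

    def dec(self, sk, ct):
        (fsk, circuit), (fmk, message) = sk, ct
        return circuit(message) if fsk == fmk else None


def qfe_setup(fe):
    fmk, fsk = fe.setup()
    return fmk, fsk  # mpk = fmk, msk = fsk


def qfe_keygen(fe, msk, F):
    return fe.keygen(msk, make_circuit(F))  # sk_F = sk_{G[F]}


def qfe_enc(fe, mpk, x, y):
    return fe.enc(mpk, pack(x, y))


def qfe_dec(fe, sk_F, ct):
    return fe.dec(sk_F, ct)
```
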

4.2 Security

The security of the scheme QFE is established by the following theorem.

Theorem 1

If the functional encryption scheme FE for function family \({\mathcal{G}}\) is adaptively (resp. selectively) secure (see definitions 2 and 3 for the details), the functional encryption scheme QFE for quadratic function F is also adaptively (resp. selectively) secure.

Proof

Adaptive security. We prove the adaptive security of the scheme QFE via two games below, then go to the details of the proof by proving that the two games are computationally indistinguishable.

\(G_{0}\): This game is the original adaptive security game of the scheme QFE except that the challenge ciphertext encrypts the message \((\mathsf{x}_{0},\mathsf{y}_{0})\).

\(G_{1}\): This game is the same as \(G_{0}\) except that the challenge ciphertext encrypts the message \((\mathsf{x}_{1},\mathsf{y}_{1})\).

If there exists an adversary \(\mathcal {A}_{\mathsf {QFE}}\) that can break the adaptive security of the scheme QFE, then there exists an adversary \(\mathcal {A}_{\mathsf {FE}}\) that can break the adaptive security of the scheme FE. In the following, we use the adversary \(\mathcal {A}_{\mathsf {QFE}}\) to construct the adversary \(\mathcal {A}_{\mathsf {FE}}\). Let \({\mathcal{B}}\) be the challenger of the scheme FE. Assume that before the reduction proceeds, the adversary \(\mathcal {A}_{\mathsf {FE}}\) has received the master public key fpk from its challenger.

Setup phase

In this phase, the adversary \(\mathcal {A}_{\mathsf {FE}}\) first sets the master public key mpk = fpk for the scheme QFE, then it sends mpk to \(\mathcal {A}_{\mathsf {QFE}}\).

Key query phase

When the adversary \(\mathcal {A}_{\mathsf {QFE}}\) makes a key query of the form \(\mathsf {F}\in \mathcal {K}\), the adversary \(\mathcal {A}_{\mathsf {FE}}\) first constructs a circuit \(\mathcal {G}[\mathsf {F}]\in {\mathcal{G}}\) with F hardwired in it. Then it delivers \(\mathcal {G}[\mathsf {F}]\) to its challenger \({\mathcal{B}}\), from which it gets the private key \(sk_{\mathcal {G[\mathsf {F}]}}\). Finally, it sets the private key as \(sk_{\mathsf {F}}=sk_{\mathcal {G[\mathsf {F}]}}\) and sends \(sk_{\mathsf{F}}\) to the adversary \(\mathcal {A}_{\mathsf {QFE}}\).

Challenge phase

When \(\mathcal {A}_{\mathsf {QFE}}\) makes a challenge query \(((\mathsf {x}_{0},\mathsf {y}_{0}),(\mathsf {x}_{1},\mathsf {y}_{1}))\in {\mathcal{M}}\) such that \((\mathsf {x}_{0})^{\top }\mathsf {F}\mathsf {y}_{0}=(\mathsf {x}_{1})^{\top }\mathsf {F}\mathsf {y}_{1}\) for all queries F that the adversary makes in the key query phase before the challenge phase, the adversary \(\mathcal {A}_{\mathsf {FE}}\) delivers the pair \(((\mathsf {x}_{0},\mathsf {y}_{0}),(\mathsf {x}_{1},\mathsf {y}_{1}))\) to its challenger, from which it gets the challenge ciphertext \(CT^{*}\) (which is generated by \(CT^{*}\leftarrow {\mathsf {FE.Enc}(fpk,(\mathsf {x}_{b},\mathsf {y}_{b}))}\), where \(b\in \{0,1\}\) is chosen randomly by the challenger \({\mathcal{B}}\)). Finally, the adversary \(\mathcal {A}_{\mathsf {FE}}\) sends \(CT^{*}\) to \(\mathcal {A}_{\mathsf {QFE}}\).

Key query phase

The adversary \(\mathcal {A}_{\mathsf {QFE}}\) makes more private key queries of the form \(\mathsf {F}\in \mathcal {K}\) as above but with the restriction \((\mathsf {x}_{0})^{\top }\mathsf {F}\mathsf {y}_{0}=(\mathsf {x}_{1})^{\top }\mathsf {F}\mathsf {y}_{1}\) for all \(((\mathsf {x}_{0},\mathsf {y}_{0}),(\mathsf {x}_{1},\mathsf {y}_{1}))\) that \(\mathcal {A}_{\mathsf {QFE}}\) queries in the challenge phase.

Guess phase

\(\mathcal {A}_{\mathsf {QFE}}\) eventually outputs a bit b∈{0,1}, and the experiment outputs the same bit.

For any stateful adversary \(\mathcal {A}_{\mathsf {QFE}}\), if the challenger \({\mathcal{B}}\) encrypts the message \((\mathsf{x}_{0},\mathsf{y}_{0})\), the adversary \(\mathcal {A}_{\mathsf {FE}}\) perfectly simulates the game \(G_{0}\) for \(\mathcal {A}_{\mathsf {QFE}}\); when the challenger \({\mathcal{B}}\) encrypts the message \((\mathsf{x}_{1},\mathsf{y}_{1})\), the adversary \(\mathcal {A}_{\mathsf {FE}}\) perfectly simulates the game \(G_{1}\) for \(\mathcal {A}_{\mathsf {QFE}}\). Therefore, by Definition 2, the advantage with which the adversary \(\mathcal {A}_{\mathsf {QFE}}\) distinguishes games \(G_{0}\) and \(G_{1}\) (i.e., the adversary \(\mathcal {A}_{\mathsf {QFE}}\) breaks the adaptive security of the scheme QFE) is equal to the advantage with which the adversary \(\mathcal {A}_{\mathsf {FE}}\) breaks the adaptive security of the scheme FE. Thus the theorem follows.

Selective security. The proof of the selective security of the scheme QFE is similar to that of the adaptive security but with the difference that the reduction relies on the selective security of the scheme FE where the challenge messages must be decided before the setup and key generation. For simplicity, we omit the details about the proof.

5 Instantiations

In this section, we describe how to instantiate the underlying functional encryption scheme FE for generic functions used to construct our resulting FE schemes for quadratic functions (see Section 4.1).

The underlying FE schemes for generic functions required by our FE schemes for quadratic functions can be built from a wide range of assumptions. For instance, they can be instantiated under standard assumptions such as decisional Diffie-Hellman (DDH) [6], RSA [7], learning with errors (LWE) [25], and learning parity with noise (LPN) [35], and under non-standard assumptions such as intractable problems on composite order multilinear maps [9] and indistinguishability obfuscator (IO) [29]. In particular, the FE schemes instantiable under the standard assumptions can be taken from the general-purpose public-key FE schemes proposed by Gorbunov et al. in [10], as their schemes are based on the existence of semantically-secure public-key encryption (PKE) and pseudorandom generators (PRG). To our knowledge, there are already many PKE schemes proposed based on various standard assumptions (DDH [6], RSA [7], LWE [25], and LPN [35]). Therefore, our resulting schemes can also be instantiated from these assumptions. For the FE schemes under IO and multilinear maps, the constructions can be taken directly from [29] and [9] respectively. In particular, if these underlying FE schemes are selectively secure, we can use the techniques proposed by Ananth et al. in [2] (i.e., generic transformations from selective security to adaptive security for FE) to convert them into adaptive ones. Furthermore, from these constructions, we can see that an underlying FE scheme that supports lightweight circuits suffices (since only the lightweight computation \(\mathsf{x}^{\top}\mathsf{F}\mathsf{y}\) takes place in the circuit \(\mathcal {G}[\mathsf {F}]\)).

6 Comparisons

In this section, we give the performance analysis and comparison between our FE scheme and that of Baltico et al. in [4] in terms of private key size, master public key size, ciphertext size, etc. in Tables 1 and 2. From the two tables, we can see that the sizes of the public key and private key in our schemes (both in the secret-key and public-key settings) have flexible lengths that vary with the constructions of the underlying FEs for generic functions used in our schemes. The ciphertexts in both of our schemes have a size comparable with those in [4]. In particular, in [4] the computation of the quadratic functions must rely on the bilinear map, while in our schemes it does not. Moreover, beyond the MDDH and GGM assumptions, our schemes can also be instantiated from other assumptions such as the DDH, RSA, LWE and LPN assumptions, while Baltico et al.'s schemes [4] can only be instantiated by SXDH and GGM. Furthermore, all our schemes are provably secure against adaptive adversaries, while the schemes of Baltico et al. [4] from the MDDH assumption are only proved selectively secure, and under the same assumption, their encryption scheme in the secret-key setting is a deterministic encryption.

Table 1 Comparisons with [4]
Table 2 Comparisons with [4]

Notations in Tables 1 and 2. \(n,m\in \mathbb {N}^{+}\), \(k\in \mathbb {N}^{*}\); \(\log q\): size of an element in group; “N”: NO; “Y”: YES; “# of SK”: size of private key; “# of PK”: size of master public key; “# of CT”: size of ciphertext; “BP”: the number of bilinear pairings needed in decryption algorithm; “R/D”: deterministic encryption or randomized encryption; “security”: selective security or adaptive security; “|SK| of FE”: size of private key in FE for circuit; “|PK| of FE”: size of master public key in FE for circuit; “|bgp|”: description of bilinear group setting, where \(bgp = (q,G_{1},G_{2},G_{T},e,g_{1},g_{2})\).

7 Conclusions

In this paper, we presented a simple framework that transforms generic functions to quadratic functions for functional encryption and provided a concrete scheme, which can be utilized to construct efficient privacy-preserving machine learning algorithms. The proposed scheme is built on the proposed framework, can be constructed based on standard assumptions (such as DDH, LWE, LPN etc.) and can be proved to achieve adaptive security. Compared with existing schemes, the proposed scheme is more scalable and provides a stronger security guarantee. In future work, we intend to propose functional encryption for randomized functionalities with application to machine learning under standard assumptions.