WO2022087466A1 - Functional encryption for quadratic functions - Google Patents

Functional encryption for quadratic functions Download PDF

Info

Publication number
WO2022087466A1
Authority
WO
WIPO (PCT)
Prior art keywords
scheme
algorithm
secret key
ciphertext
key
Application number
PCT/US2021/056324
Other languages
French (fr)
Inventor
Hoeteck WEE
Original Assignee
Ntt Research, Inc.
Application filed by Ntt Research, Inc.
Priority to JP2023524501A (published as JP2023546668A)
Priority to US18/032,801 (published as US20230396427A1)
Priority to EP21884022.1A (published as EP4233268A4)
Publication of WO2022087466A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/008 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols involving homomorphic encryption
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/088 Usage controlling of secret information, e.g. techniques for restricting cryptographic keys to pre-authorized uses, different access levels, validity of crypto-period, different key- or password length, or different strong and weak cryptographic algorithms
    • H04L9/30 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L9/3006 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy underlying computational problems or public-key parameters
    • H04L9/3013 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy underlying computational problems or public-key parameters involving the discrete logarithm problem, e.g. ElGamal or Diffie-Hellman systems
    • H04L9/3066 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving algebraic varieties, e.g. elliptic or hyper-elliptic curves
    • H04L9/3073 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving algebraic varieties, e.g. elliptic or hyper-elliptic curves involving pairings, e.g. identity based encryption [IBE], bilinear mappings or bilinear pairings, e.g. Weil or Tate pairing
    • H04L9/3093 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving Lattices or polynomial equations, e.g. NTRU scheme

Definitions

  • the electronic message is arranged and stored as a relational database, the database being logically arranged in a data model that is compatible with operations performed by a specified function; the secret key defines a subset of data in the relational database; and the decryption algorithm performs the specified function on the subset of the data.
  • Fig. 1 illustrates an example system architecture for a functional encryption system for quadratic functions.
  • Fig. 2 illustrates an example self-contained description of a functional encryption scheme for quadratic functions.
  • FIG. 3 illustrates an example computer system architecture for implementing the claimed systems and methods.
  • FIG. 4 illustrates further details of an example computer system architecture for implementing the claimed systems and methods.
  • Embodiments of the invention provide functional encryption for quadratic functions.
  • Functional encryption for quadratic functions has a number of applications, including traitor-tracing schemes whose ciphertext size is sublinear in the total number of users; obfuscation from simple assumptions; as well as privacy-preserving machine learning for neural networks with quadratic activation functions.
  • Embodiments include new pairing-based public-key functional encryption schemes for quadratic functions, improving upon the recent constructions.
  • Embodiments include: a
  • (3) corresponds to a linear computation where the input has length O(kn); and the linear function M_f^T can be computed given f and the matrices A_1, A_2 in the public key.
  • a branching program is defined by a directed acyclic graph (V, E), two special vertices and a labeling function φ.
  • An arithmetic branching program (ABP), where p is a prime, computes a function
  • group operations i and the bilinear map e are computable in deterministic polynomial time in be the respective generators.
  • group elements for a matrix M over Zp, we define where exponentiation is carried out component-wise. Also, given We recall the matrix Diffie-Hellman (MDDH) assumption on G t :
  • a partially-hiding functional encryption scheme (PHFE) consists of four algorithms:
  • the setup algorithm gets as input the security parameter 1^λ and function parameters and h: It outputs the master public key mpk and the master secret key msk.
  • the decryption algorithm gets as input along with f and x. It outputs a value in
  • Disclosed herein is the PHFE scheme for the class parameterized by a matrix [M]_2, where encryption gets [z]_1 and the simulator gets In fact, we present a scheme for a more general setting where the matrix [M]_2 is specified by the function corresponding to the secret key (that is, we allow a different [M]_2 for each secret key, rather than the same matrix for all keys). Here, the decryption algorithm only gets [M]_2 and not M. This scheme achieves simulation-based semi-adaptive security under k-Lin.
  • the partial garbling scheme for is a randomized algorithm that on input f outputs an affine function in x, z of the form: where depends only on is the random coin and t consists of the last n' entries in t, such that given while leaking nothing else about z.
  • T refers to the matrix composed of the rightmost n' columns of T. That is,
  • a user (215) allows a remote server (210) to run a specific function F on a ciphertext by issuing a token
  • the server executes F on an available ciphertext C and generates a result RF in an encrypted form.
  • the system can include a trusted authority (TA) (220) that is responsible for constructing a token TF for the requested function.
  • data owner (205) uploads ciphertext C onto the remote server (210).
  • Data user (215) requests TA (220) for a token for a function (F).
  • TA (220) issues token TF to the data user.
  • Data user then sends TF to the server.
  • Server runs F on the encrypted data, and forwards the result RF to the data user.
  • Fig. 2 illustrates an example self-contained description of the functional encryption scheme for quadratic functions specified by
  • FIGs. 3 and 4 depict example computer systems useful for implementing various embodiments described in the present disclosure. Various embodiments may be implemented, for example, using one or more computer systems, such as computer system
  • One or more computer system(s) 500 may be used, for example, to implement any of the embodiments discussed herein, as well as combinations and subcombinations thereof.
  • Computer system 500 may include one or more processors (also called central processing units, processing devices, or CPUs), such as a processor 504.
  • Processor 504 may be connected to a communication infrastructure 506 (e.g., such as a bus).
  • Computer system 500 may also include user input/output device(s) 503, such as monitors, keyboards, pointing devices, etc., which may communicate with communication infrastructure 506 through user input/output interface(s) 502.
  • a GPU may be a processor that is a specialized electronic circuit designed to process mathematically intensive applications.
  • the GPU may have a parallel structure that is efficient for parallel processing of large blocks of data, such as mathematically intensive data common to computer graphics applications, images, videos, etc.
  • Computer system 500 may also include a main memory 508, such as random-access memory (RAM).
  • Main memory 508 may include one or more levels of cache.
  • Computer system 500 may have stored therein control logic (i.e., computer software, instructions, etc.) and/or data.
  • Computer system 500 may also include one or more secondary storage devices or secondary memory 510.
  • Secondary memory 510 may include, for example, a hard disk drive
  • Removable storage drive 514 may interact with a removable storage unit 518.
  • Removable storage unit 518 may include a computer-usable or readable storage device having stored thereon computer software (control logic) and/or data.
  • Removable storage drive 514 may read from and/or write to removable storage unit 518.
  • Secondary memory 510 may include other means, devices, components, instrumentalities, or other approaches for allowing computer programs and/or other instructions and/or data to be accessed by computer system 500.
  • Such means, devices, components, instrumentalities, or other approaches may include, for example, a removable storage unit 522 and an interface 520.
  • Examples of the removable storage unit 522 and the interface 520 may include a program cartridge and cartridge interface, a removable memory chip (such as an EPROM or PROM) and associated socket, a memory stick and USB port, a memory card and associated memory card slot, and/or any other removable storage unit and associated interface.
  • Computer system 500 may further include communications interface 524 (e.g., network interface).
  • Communications interface 524 may enable computer system 500 to communicate and interact with any combination of external devices, external networks, external entities, etc. (individually and collectively referenced as remote device(s), network(s), entity(ies) 528).
  • communications interface 524 may allow computer system 500 to communicate with external or remote device(s), network(s), entity(ies) 528 over communications path 526, which may be wired and/or wireless (or a combination thereof), and which may include any combination of LANs, WANs, the Internet, etc. Control logic and/or data may be transmitted to and from computer system 500 via communications path 526.
  • Computer system 500 may also be any of a personal digital assistant (PDA), desktop workstation, laptop or notebook computer, netbook, tablet, smartphone, smartwatch or other wearable devices, appliance, part of the Internet-of-Things, and/or embedded system, to name a few non-limiting examples, or any combination thereof.
  • Computer system 500 may be a client or server computing device, accessing or hosting any applications and/or data through any delivery paradigm, including but not limited to remote or distributed cloud computing solutions; local or on-premises software ("on-premise" cloud-based solutions); "as a service" models (e.g., content as a service (CaaS), digital content as a service (DCaaS), software as a service (SaaS), managed software as a service (MSaaS), platform as a service (PaaS), desktop as a service (DaaS), framework as a service (FaaS), backend as a service (BaaS), mobile backend as a service (MaaS), infrastructure as a service (IaaS), etc.); and/or a hybrid model including any combination of the foregoing examples or other services or delivery paradigms.
  • Fig. 4 illustrates an example machine of a computer system 900 within which a set of instructions, for causing the machine to perform any one or more of the operations discussed herein, may be executed.
  • the machine may be connected (e.g., networked) to other machines in a LAN, an intranet, an extranet, and/or the Internet.
  • the machine may operate in the capacity of a server or a client machine in a client-server network environment, as a peer machine in a peer-to-peer (or distributed) network environment, or as a server or a client machine in a cloud computing infrastructure or environment.
  • the machine may be a personal computer (PC), a tablet PC, a set-top box (STB), a Personal Digital Assistant (PDA), a cellular telephone, a web appliance, a server, a network router, a switch or bridge, a specialized application or network security appliance or device, or any machine capable of executing a set of instructions (sequential or otherwise) that specify actions to be taken by that machine.
  • machine shall also be taken to include any collection of machines that individually or jointly execute a set (or multiple sets) of instructions to perform any one or more of the methodologies discussed herein.
  • the example computer system 900 includes a processing device 902, a main memory 904 (e.g., read-only memory (ROM), flash memory, dynamic random-access memory (DRAM) such as synchronous DRAM (SDRAM), etc.), a static memory 906 (e.g., flash memory, static random-access memory (SRAM), etc.), and a data storage device 918, which communicate with each other via a bus 930.
  • Processing device 902 represents one or more processing devices such as a microprocessor, a central processing unit, or the like. More particularly, the processing device may be complex instruction set computing (CISC) microprocessor, reduced instruction set computing (RISC) microprocessor, very long instruction word (VLIW) microprocessor, or processor implementing other instruction sets, or processors implementing a combination of instruction sets. Processing device 902 may also be one or more special-purpose processing devices such as an application-specific integrated circuit
  • the processing device 902 is configured to execute instructions 926 for performing the operations and steps discussed herein.
  • the computer system 900 may further include a network interface device 908 to communicate over the network 920.
  • the computer system 900 also may include a video display unit 910, an alphanumeric input device 912 (e.g., a keyboard), a cursor control device 914 (e.g., a mouse), a graphics processing unit 922, a signal generation device 916 (e.g., a speaker), a video processing unit 928, and an audio processing unit 932.
  • the data storage device 918 may include a machine-readable medium 924 (also known as a computer-readable storage medium) on which is stored one or more sets of instructions 926 (e.g., software instructions) embodying any one or more of the operations described herein.
  • the instructions 926 may also reside, completely or at least partially, within the main memory 904 and/or within the processing device 902 during execution thereof by the computer system 900, where the main memory 904 and the processing device 902 also constitute machine-readable storage media.
  • the instructions 926 include instructions to implement operations and functionality corresponding to the disclosed subject matter. While the machine-readable storage medium 924 is shown in an example implementation to be a single medium, the term “machine-readable storage medium” should be taken to include a single medium or multiple media (e.g., a centralized or distributed database, and/or associated caches and servers) that store the one or more sets of instructions 926. The term “machine-readable storage medium” shall also be taken to include any medium that is capable of storing or encoding a set of instructions 926 for execution by the machine and that cause the machine to perform any one or more of the operations of the present disclosure. The term “machine-readable storage medium” shall accordingly be taken to include, but not be limited to, solid-state memories, optical media, and magnetic media.
  • creating or “sending” or the like, refer to the action and processes of a computer system, or similar electronic computing device, that manipulates and transforms data represented as physical (electronic) quantities within the computer system's registers and memories into other data similarly represented as physical quantities within the computer system memories or registers or other such information storage devices.
  • the present disclosure also relates to an apparatus for performing the operations herein.
  • This apparatus may be specially constructed for the intended purposes, or it may comprise a computer selectively activated or reconfigured by a computer program stored in the computer.
  • a computer program may be stored in a computer-readable storage medium, such as but not limited to, any type of disk including floppy disks, optical disks, CD-ROMs and magnetic-optical disks, read-only memories (ROMs), random access memories (RAMs), EPROMs, EEPROMs, magnetic or optical cards, or any type of media suitable for storing electronic instructions, each coupled to a computer system bus.
  • the present disclosure may be provided as a computer program product, or software, that may include a machine-readable medium having stored thereon instructions, which may be used to program a computer system (or other electronic devices) to perform a process according to the present disclosure.
  • a machine-readable medium includes any mechanism for storing information in a form readable by a machine (e.g., a computer).
  • a machine-readable (e.g., computer-readable) medium includes a machine (e.g., a computer) readable storage medium such as read-only memory (“ROM”), random access memory (“RAM”), magnetic disk storage media, optical storage media, flash memory devices, etc.
  • a tangible, non-transitory apparatus or article of manufacture comprising a tangible, non-transitory computer useable or readable medium having control logic (software) stored thereon may also be referred to herein as a computer program product or program storage device.
  • control logic when executed by one or more data processing devices (such as computer system 500), may cause such data processing devices to operate as described herein.
  • references herein to "one embodiment,” “an embodiment,” “an example embodiment,” or similar phrases, indicate that the embodiment described can include a particular feature, structure, or characteristic, but every embodiment may not necessarily include the particular feature, structure, or characteristic. Moreover, such phrases are not necessarily referring to the same embodiment. Further, when a particular feature, structure, or characteristic is described in connection with an embodiment, it would be within the knowledge of persons skilled in the relevant art(s) to incorporate such feature, structure, or characteristic into other embodiments whether or not explicitly mentioned or described herein. Additionally, some embodiments can be described using the expression “coupled” and “connected” along with their derivatives. These terms are not necessarily intended as synonyms for each other.
  • Coupled can also mean that two or more elements are not in direct contact with each other, but yet still co-operate or interact with each other.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Theoretical Computer Science (AREA)
  • Computing Systems (AREA)
  • Physics & Mathematics (AREA)
  • Algebra (AREA)
  • General Physics & Mathematics (AREA)
  • Mathematical Analysis (AREA)
  • Mathematical Optimization (AREA)
  • Mathematical Physics (AREA)
  • Pure & Applied Mathematics (AREA)
  • Storage Device Security (AREA)
  • Complex Calculations (AREA)

Abstract

The invention relates to systems, methods, network devices, and machine-readable media for improved constructions of public-key functional encryption schemes for quadratic functions. In particular, the present disclosure relates to a new functional encryption scheme to compute quadratic functions so that the data owner controls what can be computed but is not involved in the calculation, and generates a decryption key which allows one to learn a quadratic function evaluation of some encrypted data.

Description

Functional Encryption for Quadratic Functions
[1] CROSS-REFERENCE TO RELATED APPLICATIONS
[2] This application claims the benefit of U.S. Provisional Application No. 63/104,787, filed October 23, 2020, the entire contents of which are incorporated herein by reference.
[3] FIELD OF THE INVENTION
[4] The present disclosure relates to improved constructions of public-key functional encryption (FE) schemes for quadratic functions.
[5] BACKGROUND OF THE INVENTION
[6] Functional encryption expands traditional public-key encryption in two different ways: it supports fine-grained access control and it allows learning a function of encrypted data. A decryption key in functional encryption enables a user to learn a specific function of the encrypted data and nothing else. There is a trusted authority that holds a master secret key known only to this authority. When the authority is given the description of some function f as input, it uses its master secret key to generate a derived secret key sk[f] associated with f. Anyone holding sk[f] can compute f(x) from an encryption of any x.
[7] Linear functions have been well studied. Consider an example where Alice holds data a = 3, b = 5. Now, Bob wants to know the value of (a+b), but a and b are encrypted. So, Alice provides access to Bob to compute a function on the encrypted variables a and b. In this way, Bob would get the result of the function in decrypted form without even accessing the decrypted values of the variables. However, the use of quadratic functions is less well studied.
[8] Quadratic functions, as used in functional encryption systems, can have several practical applications. For instance, a quadratic polynomial can express many statistical functions (e.g., (weighted) mean, variance, covariance, root-mean-square), the Euclidean distance between two vectors, and the application of a linear or quadratic classifier (e.g., linear or quadratic regression). However, existing systems can produce very large outputs.
Thus, there is a need for functional encryption systems that can efficiently perform functional encryption with quadratic functions in a size-constrained environment.
[9] BRIEF SUMMARY OF THE INVENTION
[10] Some embodiments of the invention include systems, methods, network devices, and machine-readable media for securing computation for 2nd degree polynomials by functional encryption, the method comprising executing a computerized set-up algorithm that outputs a public key and a master secret key; executing a computerized key generation algorithm that receives the master secret key, a 2nd degree polynomial f, and outputs a secret key; on a first computerized processor, executing an encryption algorithm that receives the public key and an electronic message, the electronic message comprising two vectors zl and z2, both of length n, and outputs a ciphertext; on a second computerized processor at a location remote from the first computerized processor, receiving the ciphertext and the secret key over an electronic communications network, and executing a decryption algorithm based on the ciphertext and the secret key that outputs a decrypted value that is the same value as evaluating the polynomial specified by f on vectors zl, z2; transmitting the decrypted value to the first computerized processor; and wherein any computationally efficient process does not leam anything about zl, z2 beyond polynomial evaluation.
[11] In some further embodiments, the set-up algorithm further comprises executing a set-up algorithm of an EIGamal scheme twice to generate public keys wl and w2 and secret keys ski and sk2; executing a set-up algorithm of a functional encryption scheme for a 1st degree polynomial scheme resulting in a public key wO and master secret key mskO; and generating output wl, w2, wO as the public key and mskO as the master secret key.
[12] In some further embodiments, the encryption algorithm further comprises executing an encryption algorithm of an ElGamal scheme, wherein input to the ElGamal scheme of z1 comprises public key w1 and randomness s1, resulting in a ciphertext y1; executing the encryption algorithm of the ElGamal scheme, where input to the ElGamal scheme comprises public key w2 and randomness s2, resulting in a ciphertext y2; executing an encryption algorithm of a 1st degree polynomial scheme, wherein input to the FE1 scheme comprises public key w0 and a vector, the vector comprising a concatenation of s1 times z2 and y1 times s2, resulting in a ciphertext y0; and generating output y1, y2, y0 as the ciphertext.
[13] In some further embodiments, the key generation algorithm executes the key generation algorithm of a 1st degree polynomial scheme, wherein input to the 1st degree polynomial scheme comprises the master secret key msk0, and a degree 1 polynomial derived from f, w1 and w2, resulting in a secret key sk; and generating output sk as the secret key.
[14] In some further embodiments, the decryption algorithm further comprises receiving the ciphertext; parsing the ciphertext into components designated y1, y2, y0; receiving a secret key sk, wherein the secret key sk is generated by a 1st degree polynomial scheme; computing the 2nd degree polynomial f on components y1 and y2, resulting in a value v1; decrypting y0 with sk using the decryption algorithm of the 1st degree polynomial scheme resulting in a decrypted value v0; and generating output v1 - v0 as the decrypted value.
[15] In some further embodiments, the 2nd degree polynomial f is a privacy-preserving machine learning function executed in a neural network with a quadratic activation function. In some further embodiments, the 2nd degree polynomial f is a quadratic function and is selected from one or more of a statistical function or a correlation function. Some further embodiments include applying polynomials of the 2nd degree polynomial f to projected vectors.
[16] In some further embodiments, the electronic message is arranged and stored as a relational database, the database being logically arranged in a data model that is compatible with operations performed by a specified function; the secret key defines a subset of data in the relational database; and the decryption algorithm performs the specified function on the subset of the data.
[17] BRIEF DESCRIPTION OF THE DRAWINGS
[18] The accompanying drawings, which are included to provide further understanding and are incorporated in and constitute a part of this specification, illustrate disclosed embodiments, and together with the description, serve to explain the principles of the disclosed embodiments. In the drawings:
[19] Fig. 1 illustrates an example system architecture for a functional encryption system for quadratic functions.
[20] Fig. 2 illustrates an example self-contained description of a functional encryption scheme for quadratic functions.
[21] Fig. 3 illustrates an example computer system architecture for implementing the claimed systems and methods.
[22] Fig. 4 illustrates further details of an example computer system architecture for implementing the claimed systems and methods.
[23] DETAILED DESCRIPTION
[24] Disclosed herein is a functional encryption (FE) scheme for quadratic functions with constant-size keys as well as shorter ciphertexts than all prior schemes based on static assumptions. Some embodiments include a public-key partially-hiding FE that supports NC1 computation on public attributes and quadratic computation on the private message, with ciphertext size independent of the length of the public attribute. Both constructions achieve selective, simulation-based security against unbounded collusions, and rely on the (bilateral) k-linear assumption in prime-order bilinear groups. At the core of these constructions is a new reduction from FE for quadratic functions to FE for linear functions.
[25] Embodiments of the invention provide functional encryption for quadratic functions. That is, we would like to encrypt a message z to produce a ciphertext ct, and generate secret keys sk_f for quadratic functions f, so that decrypting ct with sk_f returns f(z) while leaking no additional information about z. In addition, we want (i) short ciphertexts that grow linearly with the length of z, as well as (ii) simulation-based security against collusions, so that an adversary holding ct and secret keys for different functions ... learns nothing about z beyond the outputs of these functions. Functional encryption for quadratic functions has a number of applications, including traitor-tracing schemes whose ciphertext size is sublinear in the total number of users; obfuscation from simple assumptions; as well as privacy-preserving machine learning for neural networks with quadratic activation functions.
[26] Embodiments include new pairing-based public-key functional encryption schemes for quadratic functions, improving upon the recent constructions. Embodiments include: a FE scheme for quadratic functions with constant-size keys, whose ciphertext size is shorter than those of all prior public-key schemes based on static assumptions; moreover, when instantiated over the BLS12-381 curve where |G2| = 2|G1|, the ciphertext size can match that of the most efficient scheme in the generic group model; and a partially-hiding FE that supports NC1 computation on public attributes x and quadratic computation on the private message z; moreover, the ciphertext size grows linearly with z and is independent of x. The previous constructions have ciphertext sizes that grow linearly with both z and x.
[27] Both constructions achieve at least selective, simulation-based security against unbounded collusions, and rely on the bilateral k-linear assumption in prime-order bilinear groups. At the core of these constructions is a new reduction from public-key FE for quadratic functions to that for linear functions. The reduction relies on the (bilateral) k-Lin assumption, and blows up the input size by a factor k. Note that the trivial reduction blows up the input size by |z|. The inventive reduction is simpler and more direct than the previous reductions: (i) it does not require function-hiding FE for linear functions, and (ii) the inventive reduction works directly in the public-key setting. Because of (i), the embodiments disclosed herein can also decrease the secret key size from linear to constant.
[28] An overview of example constructions is disclosed. We rely on an asymmetric bilinear group of prime order p where e We use
Figure imgf000007_0009
Figure imgf000007_0010
to denote component-wise exponentiations in the respective groups G1, G2, GT.
Figure imgf000007_0008
We use boldface lower case to denote row vectors. The k-Lin assumption in Gb asserts that
Figure imgf000007_0001
[29] The bilateral k-Lin assumption is a strengthening of k-Lin, and asserts that
Figure imgf000007_0003
[30] Note that bilateral 1-Lin is false, for the same reason DDH is false in symmetric bilinear groups.
[31] Functional Encryption for Quadratic Functions
[32] Consider the class of quadratic functions over given by
Figure imgf000007_0004
where f ∈ Z_p^{n²} is the coefficient vector. We will first mask z1, z2 in the ciphertext using: where the matrices
Figure imgf000007_0005
are specified in the master public key. Next, observe that cross terms (1)
Figure imgf000007_0006
[33] We will express the cross terms as a linear function evaluated on inputs of length O(kn); the key difference in this work is that the linear function can be derived from the master public key and f.
[34] More precisely, we write
Figure imgf000007_0002
where the second equality uses the mixed-product property of the tensor product, which tells us that ( and || denotes row vector
Figure imgf000007_0007
concatenation. Multiplying both sides on the right by f^T and rearranging the terms yields:
Figure imgf000008_0001
where As we mentioned earlier, the boxed term (= cross terms in
Figure imgf000008_0002
(D)
(3)
Figure imgf000008_0003
corresponds to a linear computation where the input has length
Figure imgf000008_0013
O(kn); and the linear function Mf^T can be computed given f and the matrices A1, A2 in the public key.
[35] The latter property pertaining to is what allows us to significantly simplify the
Figure imgf000008_0005
previous reductions, since there is nothing "secret" about the linear function Mf^T. In the prior works, the linear function leaks information about the master secret key beyond what can be computed from the master public key.
[36] In particular, we can use a public-key FE for linear functions (linear FE for short) to compute (3). That is, we encrypt and generate a secret key for
Figure imgf000008_0004
. Certain linear FE schemes extend readily to this setting where both the input and
Figure imgf000008_0006
function are specified "in the exponent"; moreover, these schemes achieve selective, simulation-based security under the k-Lin assumption, with constant-size secret keys. The linear FE ciphertext would lie in G1, whereas both M and the secret key would lie in G2. Note that in order to compute [M]2, we would also publish [A1]2 in the public key. A self-contained description of the quadratic FE is disclosed herein.
[37] Security Overview
[38] First, observe that leaks no information about z1, z2, because of the k-Lin
Figure imgf000008_0008
assumption;
[39] Next, we can simulate the ciphertext and secret key for the linear FE given (st ® which we can rewrite as . We can in turn
Figure imgf000008_0007
Figure imgf000008_0009
compute the latter given just y1, y2 and the output of the ideal functionality, and therefore the linear FE ciphertext-key pair leaks no additional information about z1, z2.
[40] In the reduction, we would need to compute in order to simulate the
Figure imgf000008_0010
secret key for the linear FE. This is something we can compute given either
Figure imgf000008_0012
The latter along with publishing [A1]2 in the public key is why we require the
Figure imgf000008_0011
bilateral k-Lin assumption. For the most efficient concrete instantiation, we will use the bilateral 2-Lin assumption together with SXDH (i.e., 1-Lin), where we sample A1 ← We leave the question of basing quadratic FE solely on the standard k-Lin
Figure imgf000009_0002
assumption as an open problem.
[41] Extension to Partially Hiding Functional Encryption (PHFE)
[42] The inventive approach extends readily to partially hiding FE (PHFE) for the class
Figure imgf000009_0001
where f captures NC1 (more generally, any arithmetic branching program) computation on the public attribute x and outputs a vector in . Note that FE for quadratic functions corresponds to the special case where f is a constant function (independent of x). The idea behind the extension to PHFE is to replace f^T in (2) with f(x) (the decryptor can compute f(x) since x is public), which yields:
Figure imgf000009_0003
[43] To compute the new boxed term, we will rely on a partially-hiding linear FE scheme for the class
Figure imgf000009_0004
[44] We can augment the construction to take into account the matrix M; some care is needed as the decryption algorithm only gets [M]2 and not M. In the ensuing scheme, the ciphertext size grows linearly with the message and independent of x, which we then inherit in our partially-hiding quadratic FE.
[45] Notations
[46] We denote by s ← S the fact that s is picked uniformly at random from a finite set S. We use ≈_s to denote two distributions being statistically indistinguishable, and ≈_c to denote two distributions being computationally indistinguishable. We use lower case boldface to denote row vectors and upper case boldface to denote matrices. We use e_i to denote the i'th elementary row vector (with 1 at the i'th position and 0 elsewhere, and the total length of the vector specified by the context). For any positive integer N, we use [N] to denote {1, 2, ..., N}.
[47] The tensor product (Kronecker product) for matrices
Figure imgf000009_0005
defined as
Figure imgf000010_0002
[48] The mixed-product property for tensor product says that
Figure imgf000010_0003
[49] Arithmetic Branching Programs
[50] A branching program is defined by a directed acyclic graph (V, E), two special vertices
Figure imgf000010_0020
and a labeling function <j>. An arithmetic branching program (ABP), where p is a prime, computes a function Here, assigns to each edge in E an affine
Figure imgf000010_0004
Figure imgf000010_0017
function in some input variable or a constant, and ) is the sum over all v0-vi paths of
Figure imgf000010_0018
the product of all the values along the path. We refer to as the size of f. The
Figure imgf000010_0019
definition extends in a coordinate-wise manner to functions Henceforth, we
Figure imgf000010_0005
use to denote the class of ABP
Figure imgf000010_0007
Figure imgf000010_0006
[51] We note that there is a linear-time algorithm that converts any boolean formula, boolean branching program or arithmetic formula to an arithmetic branching program with a constant blow-up in the representation size. Thus, ABPs can be viewed as a stronger computational model than all of the above. Recall also that branching programs and boolean formulas correspond to the complexity classes LOGSPACE and NC1 respectively.
[52] Prime-Order Bilinear Groups
[53] A generator Q takes as input a security parameter and outputs a description G :=
Figure imgf000010_0008
where p is a prime of are cyclic groups of order
Figure imgf000010_0009
is a non-degenerate bilinear map. We require that the group
Figure imgf000010_0010
operations i
Figure imgf000010_0011
and the bilinear map e are computable in deterministic polynomial time in
Figure imgf000010_0012
be the respective generators. We employ the implicit representation of group elements: for a matrix M over Zp, we define
Figure imgf000010_0013
where exponentiation is carried out component-wise. Also, given We recall the matrix Diffie-Hellman
Figure imgf000010_0014
(MDDH) assumption on G1:
[54] Assumption Assumption)
Figure imgf000010_0015
[55] Let k, ℓ, d ∈ ℕ. We say that the M assumption holds if for all PPT adversaries
Figure imgf000010_0016
𝒜, the following advantage function is negligible in λ.
Figure imgf000010_0001
Figure imgf000011_0001
[56] The MDDH assumption on G2 can be defined in an analogous way. It is established that
Figure imgf000011_0002
with a tight security reduction. (In the setting where assumption holds
Figure imgf000011_0003
unconditionally.)
[57] The bilateral MDDH assumption is defined analogously with the advantage function:
Figure imgf000011_0004
[58] Partially-Hiding Functional Encryption (PHFE)
[59] We recall the notion of partially-hiding functional encryption for the function class
Figure imgf000011_0005
where is fixed and is specified by the secret key. We will be
Figure imgf000011_0006
Figure imgf000011_0007
primarily interested in the settings which generalize FE
Figure imgf000011_0008
for linear functions and quadratic functions respectively.
[60] Syntax
[61] A partially-hiding functional encryption scheme (PHFE) consists of four algorithms:
[62] The setup algorithm gets as input the security parameter 1^λ
Figure imgf000011_0009
and function parameters and h: It outputs the master public key mpk
Figure imgf000011_0018
Figure imgf000011_0010
and the master secret key msk.
[63] Enc(…): The encryption algorithm gets as input mpk and message x, z ∈
Figure imgf000011_0019
It outputs a ciphertext with x being public.
Figure imgf000011_0011
Figure imgf000011_0012
[64] KeyGen(msk, f): The key generation algorithm gets as input msk and a function It outputs a secret key with f being public.
Figure imgf000011_0013
Figure imgf000011_0020
[65] The decryption algorithm gets as input along
Figure imgf000011_0014
Figure imgf000011_0016
with f and x. It outputs a value in
Figure imgf000011_0021
[66] Correctness
[67]
Figure imgf000011_0015
Figure imgf000011_0017
[68] Relaxation of Correctness
[69] The disclosed scheme achieves a relaxation of correctness where the decryption algorithm takes an additional bound 1^B (and runs in time polynomial in B) and outputs if the value is bounded by B. This feature is also present in prior works on (IP)FE
Figure imgf000012_0002
from DDH and bilinear groups, due to the reliance on brute-force discrete log to recover the answer "from the exponent". The relaxation only refers to functionality and does not affect security.
[70] Security Definition
[71] We consider semi-adaptive (strengthening of selective), simulation-based security, which stipulates that there exists a randomized simulator (Setup*, Enc*, KeyGen*) such that for every efficient stateful adversary 𝒜,
Figure imgf000012_0001
such that whenever 𝒜 makes a query f to KeyGen, the simulator KeyGen* gets f along with to denote the advantage in distinguishing the real and
Figure imgf000012_0003
ideal games.
[72] Main Construction
[73] In this section, we present our PHFE scheme for the class
Figure imgf000012_0004
[74] The scheme is SA-SIM-secure under the bilateral k-Lin assumption and the k'-Lin assumption in G1, G2 (for the most efficient concrete instantiation, we set
Figure imgf000012_0005
the scheme, decryption actually computes whereas the simulator only
Figure imgf000012_0006
needs to get Note that FE for quadratic functions is a special case of the
Figure imgf000012_0007
PHFE (where f has the quadratic function hard-wired into it). A self-contained description of our quadratic FE is disclosed herein.
[75] As a building block, we rely on a SA-SIM-secure PHFE scheme
Figure imgf000012_0009
for the class
Figure imgf000012_0008
parameterized by a matrix here encryption gets [z]1 and the simulator gets Methods to instantiate the building block are disclosed herein.
Figure imgf000013_0004
[76] Scheme
[77]
Figure imgf000013_0005
Figure imgf000013_0001
where
Figure imgf000013_0002
and output and
Figure imgf000013_0006
Figure imgf000013_0007
Observe that given mpk, we can compute [M]2.
[78]
Figure imgf000013_0008
Figure imgf000013_0003
and output
[79]
Figure imgf000013_0009
[80]
Figure imgf000013_0010
[81] Correctness
[82] First, observe that we have
Figure imgf000013_0011
where the second equality uses the mixed-product property of the tensor product. Multiplying both sides of (4) by f (x)T and rearranging the terms yields:
Figure imgf000013_0012
[83] Next, correctness of the underlying scheme tells us that
Figure imgf000014_0003
Correctness then follows readily.
[84] Simulator
[85] We start by describing the simulator.
[86]
Figure imgf000014_0004
and output
[87]
Figure imgf000014_0005
Figure imgf000014_0001
and output
Figure imgf000014_0006
[88]
Figure imgf000014_0007
[89] Partially-Hiding Functional Encryption (PHFE) for Linear Functions
[90] Disclosed herein is the PHFE scheme for the class
Figure imgf000014_0008
parameterized by a matrix [M]2, where encryption gets [z]1 and the simulator gets In fact, we present a scheme for a more general setting where the matrix [M]2
Figure imgf000014_0009
is specified by the function corresponding to the secret key (that is, we allow a different [M]2 for each secret key, rather than the same matrix for all keys). Here, the decryption algorithm only gets [M]2 and not M. This scheme achieves simulation-based semi-adaptive security under k-Lin.
[91] Partial Garbling Scheme
[92] The partial garbling scheme for is a randomized algorithm
Figure imgf000014_0013
that on input f outputs an affine function in x, z of the form:
Figure imgf000014_0002
where depends only on is the random coin and t consists
Figure imgf000014_0010
Figure imgf000014_0011
of the last n' entries in t, such that given while leaking
Figure imgf000014_0012
nothing else about z.
[93] Lemma 1 (Partial Garbling)
[94] There exist four efficient algorithms (lgen, pgb, rec, pgb*) with the following properties:
[95]
Figure imgf000015_0001
where t ∈ Z^ and t consists of the last n' entries in t and m, t are linear in the size of f.
[96]
Figure imgf000015_0002
Figure imgf000015_0003
where the randomness is over
Figure imgf000015_0004
[98] Construction
[99] We rely on partial garbling to compute pgb(
Figure imgf000015_0005
the exponent" over G_T; applying the reconstruction algorithm (which requires knowing f, x but not M) then returns [z M f(x)^T]_T.
Figure imgf000015_0006
and output
Figure imgf000015_0007
Note that it is sufficient for Enc to get [z]t.
Figure imgf000015_0008
where T refers to the matrix composed of the right most n' columns of T.
Figure imgf000015_0009
the decryption works as follows: (a) compute
Figure imgf000016_0005
(b) compute
Figure imgf000016_0006
(c) run ← rec(f, x), compute
Figure imgf000016_0001
[104] Correctness.
[105]
Figure imgf000016_0007
[106] Here (11) follows from the fact that
Figure imgf000016_0008
[107] and reconstruction of the partial garbling. The remaining two equalities follow from:
Figure imgf000016_0004
correctness.
Figure imgf000016_0009
and output
Figure imgf000016_0002
Figure imgf000016_0003
Here we assume that (A|c) has full rank, which happens with
Figure imgf000016_0010
Figure imgf000017_0004
where
Figure imgf000017_0001
[113] Here T refers to the matrix composed of the right most n' columns of T. That is,
Figure imgf000017_0002
[115] Concrete Scheme for Quadratic Functions
[116] A self-contained description of the functional encryption scheme for quadratic functions specified by
Figure imgf000017_0005
is presented.
[117] The scheme is SA-SIM-secure under the bilateral k-Lin assumption and the
Figure imgf000017_0006
assumption in For the most efficient concrete instantiation (cf. Fig 1), we set k =
Figure imgf000017_0012
Figure imgf000017_0011
[118]
Figure imgf000017_0010
Figure imgf000017_0007
and output
Figure imgf000017_0008
Figure imgf000017_0009
Figure imgf000017_0003
[120] KeyGen(msk, f) : Output
Figure imgf000018_0001
[121] System Implementation
[122] With reference to Fig. 1, an example system architecture is illustrated. A user (215) allows a remote server (210) to run a specific function F on a ciphertext by issuing a token TF. The server executes F on an available ciphertext C and generates a result RF in an encrypted form. The system can include a trusted authority (TA) (220) who is responsible to construct a token TF for the requested function.
[123] As illustrated, data owner (205) uploads ciphertext C onto the remote server (210). Data user (215) requests TA (220) for a token for a function (F). TA (220) issues token TF to the data user. Data user then sends TF to the server. Server runs F on the encrypted data, and forwards the result RF to the data user.
[124] Fig. 2 illustrates an example self-contained description of the functional encryption scheme for quadratic functions specified by
Figure imgf000018_0002
Figure imgf000018_0003
[125] The scheme is SA-SIM-secure under the bilateral k-Lin assumption and the k'-Lin assumption in G2. For the most efficient concrete instantiation (cf. Fig 1), we set k = 2, k' = 1.
[126] Figs. 3 and 4 depict example computer systems useful for implementing various embodiments described in the present disclosure. Various embodiments may be implemented, for example, using one or more computer systems, such as computer system 500 shown in Fig. 3. One or more computer system(s) 500 may be used, for example, to implement any of the embodiments discussed herein, as well as combinations and subcombinations thereof.
[127] Computer system 500 may include one or more processors (also called central processing units, processing devices, or CPUs), such as a processor 504. Processor 504 may be connected to a communication infrastructure 506 (e.g., such as a bus).
[128] Computer system 500 may also include user input/output device(s) 503, such as monitors, keyboards, pointing devices, etc., which may communicate with communication infrastructure 506 through user input/output interface(s) 502. One or more of processors 504 may be a graphics processing unit (GPU). In an embodiment, a GPU may be a processor that is a specialized electronic circuit designed to process mathematically intensive applications. The GPU may have a parallel structure that is efficient for parallel processing of large blocks of data, such as mathematically intensive data common to computer graphics applications, images, videos, etc.
[129] Computer system 500 may also include a main memory 508, such as random-access memory (RAM). Main memory 508 may include one or more levels of cache. Main memory 508 may have stored therein control logic (i.e., computer software, instructions, etc.) and/or data. Computer system 500 may also include one or more secondary storage devices or secondary memory 510. Secondary memory 510 may include, for example, a hard disk drive 512 and/or a removable storage device or removable storage drive 514. Removable storage drive 514 may interact with a removable storage unit 518. Removable storage unit 518 may include a computer-usable or readable storage device having stored thereon computer software (control logic) and/or data. Removable storage drive 514 may read from and/or write to removable storage unit 518.
[130] Secondary memory 510 may include other means, devices, components, instrumentalities, or other approaches for allowing computer programs and/or other instructions and/or data to be accessed by computer system 500. Such means, devices, components, instrumentalities, or other approaches may include, for example, a removable storage unit 522 and an interface 520. Examples of the removable storage unit 522 and the interface 520 may include a program cartridge and cartridge interface, a removable memory chip (such as an EPROM or PROM) and associated socket, a memory stick and USB port, a memory card and associated memory card slot, and/or any other removable storage unit and associated interface.
[131] Computer system 500 may further include communications interface 524 (e.g., network interface). Communications interface 524 may enable computer system 500 to communicate and interact with any combination of external devices, external networks, external entities, etc. (individually and collectively referenced as remote device(s), network(s), entity(ies) 528). For example, communications interface 524 may allow computer system 500 to communicate with external or remote device(s), network(s), entity(ies) 528 over communications path 526, which may be wired and/or wireless (or a combination thereof), and which may include any combination of LANs, WANs, the Internet, etc. Control logic and/or data may be transmitted to and from computer system 500 via communications path 526.
[132] Computer system 500 may also be any of a personal digital assistant (PDA), desktop workstation, laptop or notebook computer, netbook, tablet, smartphone, smartwatch or other wearable devices, appliance, part of the Internet-of-Things, and/or embedded system, to name a few non-limiting examples, or any combination thereof.
[133] Computer system 500 may be a client or server computing device, accessing or hosting any applications and/or data through any delivery paradigm, including but not limited to remote or distributed cloud computing solutions; local or on-premises software ("on-premise" cloud-based solutions); "as a service" models (e.g., content as a service (CaaS), digital content as a service (DCaaS), software as a service (SaaS), managed software as a service (MSaaS), platform as a service (PaaS), desktop as a service (DaaS), framework as a service (FaaS), backend as a service (BaaS), mobile backend as a service (MBaaS), infrastructure as a service (IaaS), etc.); and/or a hybrid model including any combination of the foregoing examples or other services or delivery paradigms.
[134] Fig. 4 illustrates an example machine of a computer system 900 within which a set of instructions, for causing the machine to perform any one or more of the operations discussed herein, may be executed. In alternative implementations, the machine may be connected (e.g., networked) to other machines in a LAN, an intranet, an extranet, and/or the Internet. The machine may operate in the capacity of a server or a client machine in a client-server network environment, as a peer machine in a peer-to-peer (or distributed) network environment, or as a server or a client machine in a cloud computing infrastructure or environment.
[135] The machine may be a personal computer (PC), a tablet PC, a set-top box (STB), a Personal Digital Assistant (PDA), a cellular telephone, a web appliance, a server, a network router, a switch or bridge, a specialized application or network security appliance or device, or any machine capable of executing a set of instructions (sequential or otherwise) that specify actions to be taken by that machine. Further, while a single machine is illustrated, the term "machine" shall also be taken to include any collection of machines that individually or jointly execute a set (or multiple sets) of instructions to perform any one or more of the methodologies discussed herein.
[136] The example computer system 900 includes a processing device 902, a main memory 904 (e.g., read-only memory (ROM), flash memory, dynamic random-access memory (DRAM) such as synchronous DRAM (SDRAM), etc.), a static memory 906 (e.g., flash memory, static random-access memory (SRAM), etc.), and a data storage device 918, which communicate with each other via a bus 930.
[137] Processing device 902 represents one or more processing devices such as a microprocessor, a central processing unit, or the like. More particularly, the processing device may be complex instruction set computing (CISC) microprocessor, reduced instruction set computing (RISC) microprocessor, very long instruction word (VLIW) microprocessor, or processor implementing other instruction sets, or processors implementing a combination of instruction sets. Processing device 902 may also be one or more special-purpose processing devices such as an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA), a digital signal processor (DSP), network processor, or the like. The processing device 902 is configured to execute instructions 926 for performing the operations and steps discussed herein.
[138] The computer system 900 may further include a network interface device 908 to communicate over the network 920. The computer system 900 also may include a video display unit 910, an alphanumeric input device 912 (e.g., a keyboard), a cursor control device 914 (e.g., a mouse), a graphics processing unit 922, a signal generation device 916 (e.g., a speaker), video processing unit 928, and audio processing unit 932.
[139] The data storage device 918 may include a machine-readable medium 924 (also known as a computer-readable storage medium) on which is stored one or more sets of instructions 926 (e.g., software instructions) embodying any one or more of the operations described herein. The instructions 926 may also reside, completely or at least partially, within the main memory 904 and/or within the processing device 902 during execution thereof by the computer system 900, where the main memory 904 and the processing device 902 also constitute machine-readable storage media.
[140] In an example, the instructions 926 include instructions to implement operations and functionality corresponding to the disclosed subject matter. While the machine-readable storage medium 924 is shown in an example implementation to be a single medium, the term "machine-readable storage medium" should be taken to include a single medium or multiple media (e.g., a centralized or distributed database, and/or associated caches and servers) that store the one or more sets of instructions 926. The term "machine-readable storage medium" shall also be taken to include any medium that is capable of storing or encoding a set of instructions 926 for execution by the machine and that cause the machine to perform any one or more of the operations of the present disclosure. The term "machine-readable storage medium" shall accordingly be taken to include, but not be limited to, solid-state memories, optical media, and magnetic media.
[141] Some portions of the detailed description have been presented in terms of algorithms and symbolic representations of operations on data bits within a computer memory. These algorithmic descriptions and representations are the ways used by those skilled in the data processing arts to most effectively convey the substance of their work to others skilled in the art. An algorithm is here, and generally, conceived to be a self-consistent sequence of operations leading to a desired result. The operations are those requiring physical manipulations of physical quantities. Usually, though not necessarily, these quantities take the form of electrical or magnetic signals capable of being stored, combined, compared, and otherwise manipulated. It has proven convenient at times, principally for reasons of common usage, to refer to these signals as bits, values, elements, symbols, characters, terms, numbers, or the like.
[142] It should be borne in mind, however, that all of these and similar terms are to be associated with the appropriate physical quantities and are merely convenient labels applied to these quantities. Unless specifically stated otherwise as apparent from the above discussion, it is appreciated that throughout the description, discussions utilizing terms such as "identifying" or "determining" or "executing" or "performing" or "collecting" or "creating" or "sending" or the like, refer to the action and processes of a computer system, or similar electronic computing device, that manipulates and transforms data represented as physical (electronic) quantities within the computer system's registers and memories into other data similarly represented as physical quantities within the computer system memories or registers or other such information storage devices.
[143] The present disclosure also relates to an apparatus for performing the operations herein. This apparatus may be specially constructed for the intended purposes, or it may comprise a computer selectively activated or reconfigured by a computer program stored in the computer. Such a computer program may be stored in a computer-readable storage medium, such as but not limited to, any type of disk including floppy disks, optical disks, CD-ROMs, and magnetic-optical disks, read-only memories (ROMs), random access memories (RAMs), EPROMs, EEPROMs, magnetic or optical cards, or any type of media suitable for storing electronic instructions, each coupled to a computer system bus.
[144] The operations and illustrations presented herein are not inherently related to any particular computer or other apparatus. Various types of systems may be used with programs in accordance with the teachings herein, or it may prove convenient to construct a more specialized apparatus to perform the operations. The structure for a variety of these systems will appear as set forth in the description herein. In addition, the present disclosure is not described with reference to any particular programming language. It will be appreciated that a variety of programming languages may be used to implement the teachings of the disclosure as described herein.
[145] The present disclosure may be provided as a computer program product, or software, that may include a machine-readable medium having stored thereon instructions, which may be used to program a computer system (or other electronic devices) to perform a process according to the present disclosure. A machine-readable medium includes any mechanism for storing information in a form readable by a machine (e.g., a computer). For example, a machine-readable (e.g., computer-readable) medium includes a machine (e.g., a computer) readable storage medium such as read-only memory ("ROM"), random access memory ("RAM"), magnetic disk storage media, optical storage media, flash memory devices, etc.
[146] In some embodiments, a tangible, non-transitory apparatus or article of manufacture comprising a tangible, non-transitory computer useable or readable medium having control logic (software) stored thereon may also be referred to herein as a computer program product or program storage device. This includes, but is not limited to, computer system 500, main memory 508, secondary memory 510, and removable storage units 518 and 522, as well as tangible articles of manufacture embodying any combination of the foregoing. Such control logic, when executed by one or more data processing devices (such as computer system 500), may cause such data processing devices to operate as described herein.
[147] Based on the teachings contained in this disclosure, it will be apparent to persons skilled in the relevant art(s) how to make and use embodiments of this disclosure using data processing devices, computer systems, and/or computer architectures other than that shown in Figs. 3 and 4. In particular, embodiments can operate with software, hardware, and/or operating system implementations other than those described herein.
[148] It is to be appreciated that the Detailed Description section, and not any other section, is intended to be used to interpret the claims. Other sections can set forth one or more but not all exemplary embodiments as contemplated by the inventor(s), and thus, are not intended to limit this disclosure or the appended claims in any way.
[149] While this disclosure describes exemplary embodiments for exemplary fields and applications, it should be understood that the disclosure is not limited thereto. Other embodiments and modifications thereto are possible and are within the scope and spirit of this disclosure. For example, and without limiting the generality of this paragraph, embodiments are not limited to the software, hardware, firmware, and/or entities illustrated in the figures described herein. Further, embodiments (whether or not explicitly described herein) have significant utility to fields and applications beyond the examples described herein.
[150] Embodiments have been described herein with the aid of functional building blocks illustrating the implementation of specified functions and relationships thereof. The boundaries of these functional building blocks have been arbitrarily defined herein for the convenience of the description. Alternate boundaries can be defined as long as the specified functions and relationships (or equivalents thereof) are appropriately performed. Also, alternative embodiments can perform functional blocks, steps, operations, methods, etc. using orderings different than those described herein.
[151] References herein to "one embodiment," "an embodiment," "an example embodiment," or similar phrases, indicate that the embodiment described can include a particular feature, structure, or characteristic, but every embodiment may not necessarily include the particular feature, structure, or characteristic. Moreover, such phrases are not necessarily referring to the same embodiment. Further, when a particular feature, structure, or characteristic is described in connection with an embodiment, it would be within the knowledge of persons skilled in the relevant art(s) to incorporate such feature, structure, or characteristic into other embodiments whether or not explicitly mentioned or described herein. Additionally, some embodiments can be described using the expression "coupled" and "connected" along with their derivatives. These terms are not necessarily intended as synonyms for each other. For example, some embodiments can be described using the terms "connected" and/or "coupled" to indicate that two or more elements are in direct physical or electrical contact with each other. The term "coupled," however, can also mean that two or more elements are not in direct contact with each other, but yet still co-operate or interact with each other.
[152] The breadth and scope of this disclosure should not be limited by any of the above-described exemplary embodiments but should be defined only in accordance with the following claims and their equivalents. In the foregoing specification, implementations of the disclosure have been described with reference to specific example implementations thereof. It will be evident that various modifications may be made thereto without departing from the broader spirit and scope of implementations of the disclosure as set forth in the following claims. The specification and drawings are, accordingly, to be regarded in an illustrative sense rather than a restrictive sense.

Claims

1. A computerized method for securing computation for 2nd degree polynomials by functional encryption, the method comprising: executing a computerized set-up algorithm that outputs a public key and a master secret key; executing a computerized key generation algorithm that receives the master secret key, a 2nd degree polynomial f, and outputs a secret key; on a first computerized processor, executing an encryption algorithm that receives the public key and an electronic message, the electronic message comprising two vectors z1 and z2, both of length n, and outputs a ciphertext; on a second computerized processor at a location remote from the first computerized processor, receiving the ciphertext and the secret key over an electronic communications network, and executing a decryption algorithm based on the ciphertext and the secret key that outputs a decrypted value that is the same value as evaluating the polynomial specified by f on vectors z1, z2; transmitting the decrypted value to the first computerized processor; and wherein any computationally efficient process does not learn anything about z1, z2 beyond polynomial evaluation.
2. The method of claim 1, wherein the set-up algorithm further comprises: executing a set-up algorithm of an ElGamal scheme twice to generate public keys w1 and w2 and secret keys sk1 and sk2; executing a set-up algorithm of a functional encryption scheme for a 1st degree polynomial scheme resulting in a public key w0 and master secret key msk0; and generating output w1, w2, w0 as the public key and msk0 as the master secret key.
3. The method of claim 1, wherein the encryption algorithm further comprises: executing an encryption algorithm of an ElGamal scheme, wherein input to the ElGamal scheme of z1 comprises public key w1 and randomness s1, resulting in a ciphertext y1; executing the encryption algorithm of the ElGamal scheme, where input to the ElGamal scheme comprises public key w2 and randomness s2, resulting in a ciphertext y2; executing an encryption algorithm of a 1st degree polynomial scheme, wherein input to the FE1 scheme comprises public key w0 and a vector, the vector comprising a concatenation of s1 times z2 and y1 times s2, resulting in a ciphertext y0; and generating output y1, y2, y0 as the ciphertext.
4. The method of claim 1, wherein the key generation algorithm executes: the key generation algorithm of a 1st degree polynomial scheme, wherein input to the 1st degree polynomial scheme comprises the master secret key msk0, and a degree 1 polynomial derived from f, w1 and w2, resulting in a secret key sk; and generating output sk as the secret key.
5. The method of claim 1, wherein the decryption algorithm further comprises: receiving the ciphertext; parsing the ciphertext into components designated y1, y2, y0; receiving a secret key sk, wherein the secret key sk is generated by a 1st degree polynomial scheme; computing the 2nd degree polynomial f on components y1 and y2, resulting in a value v1; decrypting y0 with sk using the decryption algorithm of the 1st degree polynomial scheme resulting in a decrypted value v0; and generating output v1 - v0 as the decrypted value.
6. The method of claim 1, wherein the 2nd degree polynomial f is a privacy-preserving machine learning function executed in a neural network with a quadratic activation function.
7. The method of claim 1, wherein the 2nd degree polynomial f is a quadratic function and is selected from one or more of a statistical function or a correlation function.
8. The method of claim 1, further comprising applying polynomials of the 2nd degree polynomial f to projected vectors.
9. The method of claim 1, wherein: the electronic message is arranged and stored as a relational database, the database being logically arranged in a data model that is compatible with operations performed by a specified function; the secret key defines a subset of data in the relational database; and the decryption algorithm performs the specified function on the subset of the data.
10. A computerized system for securing computation for 2nd degree polynomials by functional encryption, the system comprising: one or more computerized processors configured for executing: a set-up algorithm that outputs a public key and a master secret key; and a key generation algorithm that receives the master secret key, a 2nd degree polynomial f, and outputs a secret key; a computerized encryption processor configured for executing an encryption algorithm that receives the public key and an electronic message, the electronic message comprising two vectors z1 and z2, both of length n, and outputs a ciphertext; a computerized decryption processor, at a location remote from the computerized encryption processor, configured for receiving the ciphertext and the secret key over an electronic communications network, and executing a decryption algorithm based on the ciphertext and the secret key that outputs a decrypted value that is the same value as evaluating the polynomial specified by f on vectors z1, z2; and transmitting the decrypted value to the first computerized processor; and wherein any computationally efficient process does not learn anything about z1, z2 beyond polynomial evaluation.
11. The system of claim 10, wherein the set-up algorithm further comprises: executing a set-up algorithm of an ElGamal scheme twice to generate public keys w1 and w2 and secret keys sk1 and sk2; executing a set-up algorithm of a functional encryption scheme for a 1st degree polynomial scheme resulting in a public key w0 and master secret key msk0; and generating output w1, w2, w0 as the public key and msk0 as the master secret key.
12. The system of claim 10, wherein the encryption algorithm further comprises: executing an encryption algorithm of an ElGamal scheme, wherein input to the ElGamal scheme of z1 comprises public key w1 and randomness s1, resulting in a ciphertext y1; executing the encryption algorithm of the ElGamal scheme, where input to the ElGamal scheme comprises public key w2 and randomness s2, resulting in a ciphertext y2; executing an encryption algorithm of a 1st degree polynomial scheme, wherein input to the FE1 scheme comprises public key w0 and a vector, the vector comprising a concatenation of s1 times z2 and y1 times s2, resulting in a ciphertext y0; and generating output y1, y2, y0 as the ciphertext.
13. The system of claim 10, wherein the key generation algorithm executes: the key generation algorithm of a 1st degree polynomial scheme, wherein input to the 1st degree polynomial scheme comprises the master secret key msk0, and a degree 1 polynomial derived from f, w1 and w2, resulting in a secret key sk; and generating output sk as the secret key.
14. The system of claim 10, wherein the decryption algorithm further comprises: receiving the ciphertext; parsing the ciphertext into components designated y1, y2, y0; receiving a secret key sk, wherein the secret key sk is generated by a 1st degree polynomial scheme; computing the 2nd degree polynomial f on components y1 and y2, resulting in a value v1; decrypting y0 with sk using the decryption algorithm of the 1st degree polynomial scheme resulting in a decrypted value v0; and generating output v1 - v0 as the decrypted value.
15. The system of claim 10, wherein the 2nd degree polynomial f is a privacy-preserving machine learning function executed in a neural network with a quadratic activation function.
16. The system of claim 10, wherein the 2nd degree polynomial f is a quadratic function and is selected from one or more of a statistical function or a correlation function.
17. The system of claim 10, further comprising applying polynomials of the 2nd degree polynomial f to projected vectors.
18. The system of claim 10, wherein: the electronic message is arranged and stored as a relational database, the database being logically arranged in a data model that is compatible with operations performed by a specified function; the secret key defines a subset of data in the relational database; and the decryption algorithm performs the specified function on the subset of the data.

Priority Applications (3)

Application Number Priority Date Filing Date Title
JP2023524501A JP2023546668A (en) 2020-10-23 2021-10-22 Function encryption for quadratic functions
US18/032,801 US20230396427A1 (en) 2020-10-23 2021-10-22 Functional encryption for quadratic functions
EP21884022.1A EP4233268A4 (en) 2020-10-23 2021-10-22 Functional encryption for quadratic functions

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US202063104787P 2020-10-23 2020-10-23
US63/104,787 2020-10-23

Publications (1)

Publication Number Publication Date
WO2022087466A1 true WO2022087466A1 (en) 2022-04-28

Family

ID=81289487

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2021/056324 WO2022087466A1 (en) 2020-10-23 2021-10-22 Functional encryption for quadratic functions

Country Status (4)

Country Link
US (1) US20230396427A1 (en)
EP (1) EP4233268A4 (en)
JP (1) JP2023546668A (en)
WO (1) WO2022087466A1 (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CA2291435A1 (en) * 1999-04-28 2000-10-28 Fujisoft Abc Inc. Encryption/decryption method and authentication method using multiple-affine key system and apparatuses using the same
US20070189539A1 (en) * 2005-02-25 2007-08-16 Samsung Electronics Co., Ltd. Hierarchical threshold tree-based broadcast encryption method
US8565435B2 (en) * 2010-08-16 2013-10-22 International Business Machines Corporation Efficient implementation of fully homomorphic encryption

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
BALTICOCARMENELISABETTAZAIRA ET AL.: "Practical Functional Encryption for Quadratic Functions with Applications to Predicate Encryption", TOPICS IN CRYPTOLOGY - CT-RSA, 2020
See also references of EP4233268A4
YUN KELLY ET AL.: "Identity-Based Functional Encryption for Quadratic Functions from Lattices", INFORMATION AND COMMUNICATIONS SECURITY

Also Published As

Publication number Publication date
EP4233268A4 (en) 2023-12-20
JP2023546668A (en) 2023-11-07
US20230396427A1 (en) 2023-12-07
EP4233268A1 (en) 2023-08-30

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 21884022

Country of ref document: EP

Kind code of ref document: A1

WWE Wipo information: entry into national phase

Ref document number: 18032801

Country of ref document: US

WWE Wipo information: entry into national phase

Ref document number: 2023524501

Country of ref document: JP

NENP Non-entry into the national phase

Ref country code: DE

ENP Entry into the national phase

Ref document number: 2021884022

Country of ref document: EP

Effective date: 20230523