Differentially Private Functional Encryption

We address the question of realizing privacy-preserving analysis of user data. The abstract scenario considered is that an analyst aims to evaluate a function f on some user data X. To achieve comprehensive privacy, it is necessary to protect the input X directly. However, it is known that f(X) may leak too much information about X as well. A common approach to mitigate such risks is to make the computation differentially private. In practice, this is often accomplished by replacing f with a noisy variant f*. We investigate the use of multi-input functional encryption (MIFE) for achieving input- and output-privacy in one cryptographic mechanism. In a MIFE scheme, a setup authority can generate restricted decryption keys which enable learning specific functions of encrypted messages without revealing any additional information. To achieve differential privacy in this process, we introduce a new cryptographic primitive: noisy multi-input functional encryption (NMIFE). It extends the concept of MIFE such that the decryption key may also encode a noisy function where the noise value is secret. While the change from MIFE to NMIFE is rather


INTRODUCTION
For numerous applications, the analysis of massive data sets leads to valuable improvements in various areas of research, for example in medicine. A typical scenario can be generalized as follows: An analyst is interested in evaluating a function f on data X = (x_1, . . . , x_n). For this purpose, there is a computation process Π that receives as inputs x_i from different users i and a function f from the analyst and returns f*(X) to the latter (see Figure 1).
A major challenge is to realize the trade-off between correctness and privacy. On the one hand, it is in the interest of the analyst that f* = f, or at least that f* is as close to f as possible. On the other hand, this process should not compromise the privacy of the users. This is motivated by various use cases, such as census data surveys or patients who want to participate in medical research without revealing too much sensitive information.
Modern cryptography features several mechanisms for potentially resolving this conflict, at least partially. These can roughly be divided into two categories: those based on multi-party computation and those based on encryption. Note that these mechanisms only protect the inputs to the process Π, i.e., X in our case. However, it is well known that the output of this process, namely f*(X), may leak information about X as well. To mitigate this risk, a common practical solution is to make the computation differentially private. A popular approach for realizing differential privacy (DP) is to replace the deterministic numeric function f by a noisy counterpart, i.e., f* = f + e for some noise value e. This paper focuses on the question of how a mechanism for input privacy can be combined with DP.
A straightforward solution would be the use of multi-party computation (MPC). However, as we elaborate in Section 3, some properties of this approach, such as the synchronous interaction between several computing parties, can be problematic in some cases. In such cases, non-interactive solutions based on processing encrypted data can be beneficial.
While the literature discusses several approaches based on homomorphic encryption (HE), the use of functional encryption (FE) has not been investigated so far. As opposed to the case of HE, FE has the advantage that the computation of f* does not need to be outsourced to another party that is independent of the analyst. For this and further reasons that we explain in Section 3, we introduce the concept of differentially private computation on encrypted data using FE. More precisely, our contributions are as follows:
• We introduce and formalize the notion of noisy multi-input functional encryption (NMIFE). This includes a tailored security definition that adopts the concepts of message- and function-hiding and restricts these accordingly for the DP scenario as follows:
- The analyst has access to the encryption of a single set of user data.
- The decryption keys realize noisy functions where only the noise part is hidden.
Consequently, we refer to it as single-message-and-noise-hiding (SMN-H).
• We describe a generic construction of an SMN-H NMIFE scheme from a full-hiding multi-input functional encryption (MIFE) scheme. In fact, the resulting NMIFE scheme fulfills an even stronger security notion where multiple message challenges are possible (referred to as message-and-noise-hiding (MN-H)).
• We build an SMN-H NMIFE scheme for linear functions, dubbed DiffPIPE, based on a full-hiding MIFE scheme for linear functions by Datta et al. [14] that allows for smaller elements.
Experiments confirm the improved efficiency and the applicability of the scheme for privacy-preserving analysis with input- and output-privacy. We emphasize that our paper represents basic research. More precisely, we present a new cryptographic primitive with properties that do not yet exist. Although there are real use cases for this (see Section 4) and although such schemes can already be realized for linear functions, we consider this line of research to still be in its early stages; the efficiency and functionality of such schemes need to be increased further (similar to research on functional encryption in general).
The paper is structured as follows. Section 2 provides technical preliminaries for the subsequent sections. In Section 3, we formulate the considered problem statement and requirements and discuss related work. Section 4 presents an overview, necessary definitions, and open challenges regarding how FE can be used to address this problem. In Section 5, we introduce the concept of noisy multi-input functional encryption (NMIFE) and formalize its correctness and security properties. A generic transformation from certain MIFE schemes into an NMIFE scheme is presented in Section 6, including the proof of correctness and security of the constructed NMIFE scheme. In Section 7, we build a concrete SMN-H NMIFE scheme named DiffPIPE and analyze its efficiency over real medical data sets. Section 8 concludes the paper and presents open questions for future work.

PRELIMINARIES

Notations
Let λ denote the security parameter. [n] denotes the set {1, . . . , n} for any n ∈ N, where N denotes the set of all positive integers and Z the set of all integers. For any prime q ∈ Z, the term F_q refers to the finite field of size q. Note that there is a natural correspondence between F_q and the set of integers modulo q. We often use this relation implicitly. The all-zero vector in F_q^n is denoted by 0_n. v denotes a vector and v[i] the i-th element of the vector v. v · w stands for the inner product of the vectors v, w. For a function f : X_1 × · · · × X_n → Y and some e ∈ Y, we denote by (f + e)(x) := f(x) + e for all x ∈ X_1 × · · · × X_n. For a subset Δ ⊆ Y, we define f + Δ = {f + e | e ∈ Δ}. For a distribution D over some set Δ, Pr[x ←D Δ] denotes the probability that x is sampled according to distribution D over Δ. For any set S, x ←$ S represents the process of uniformly sampling an element x ∈ S. We use the abbreviation PPT for probabilistic polynomial time. A function negl : N → R+ is said to be negligible if for every c ∈ N, there exists a k_0 ∈ N such that for all k ∈ N with k > k_0, it holds that |negl(k)| < 1/k^c.

Differential Privacy
DP is an established technique to achieve output privacy [17, 18, 29, 40]. In DP, there is one party, the curator, that holds a set of sensitive data X = (x_i)_{i∈[n]} and wants to make analysis of this data possible while limiting the disclosure of private information about the records in the data set. Upon the request of a function or algorithm f from the analyst, the curator performs the evaluation of a corresponding differentially private function or algorithm f* and sends the result back to the analyst. Roughly, an algorithm is differentially private if an analyst seeing only the output of the algorithm cannot distinguish whether a particular record was present in the data set that the algorithm was evaluated on or missing from it. A simple and common way to produce differentially private numeric functions, especially in the setting of privacy-preserving analysis, is to perturb the function output with noise sampled from special distributions: f*(X) = f(X) + e. In general, the noise depends on how much the function reveals about the input data and on the privacy level we want to achieve. Since the analyst can make multiple requests on the same data set, it may learn additional information by combining the results. DP is still achieved if the noise is handled carefully. Therefore, when designing a DP system, the curator normally tracks a privacy budget for the analyst and allows a series of queries whose total impact does not exceed the whole privacy budget. For more technical details, we refer to Appendix A.
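As an illustration of this noise-perturbation approach, the following sketch implements the classic Laplace mechanism for a sum query. This is a standard DP textbook construction, not code from this paper; the names `laplace_sample` and `noisy_sum` and the default sensitivity are our own illustrative choices.

```python
import random

def laplace_sample(scale: float) -> float:
    """Draw from Laplace(0, scale) as the difference of two exponentials."""
    return random.expovariate(1.0 / scale) - random.expovariate(1.0 / scale)

def noisy_sum(records, epsilon: float, sensitivity: float = 1.0) -> float:
    """f*(X) = f(X) + e for the sum query f, with e ~ Laplace(sensitivity / epsilon).

    Calibrating the scale to sensitivity / epsilon yields (epsilon, 0)-DP for a
    single evaluation; repeated queries consume the analyst's privacy budget."""
    return sum(records) + laplace_sample(sensitivity / epsilon)
```

On average the analyst sees the true sum, but any single answer hides the presence or absence of one record.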

PROBLEM STATEMENT AND RELATED WORK
The purpose of this section is to discuss the benefits and possible shortcomings of existing cryptographic mechanisms for realizing the use case of privacy-preserving computation as displayed in Figure 1, where f* is a noisy variant of f with appropriately chosen noise.
The requirement for input-privacy implies that neither the parties executing Π nor any other party receive the user inputs x_i directly.
Moreover, to achieve output-privacy, only the analyst should see the output f*(X) directly, and it should know nothing about the noise used in f* apart from its distribution. The two most common cryptographic techniques to realize data analysis without revealing the data are multi-party computation (MPC) and homomorphic encryption (HE).
Multi-Party Computation. In MPC [7, 21, 42, 48], a set of parties jointly computes a function over their inputs while keeping those inputs private from the other parties. Consequently, it is nowadays a widely used technique to securely evaluate machine learning algorithms in the context of privacy-preserving analysis [2, 30, 45].
A typical application of MPC to realize Figure 1 is the following. We assume a set of computing parties {P_1, P_2, . . .} that interactively compute Π. At the beginning, each user i secret-shares its input data x_i among the computing parties of the MPC protocol. The parties then evaluate a predetermined function on the shared inputs over encrypted channels. The security of the MPC protocol ensures that the computing parties do not learn anything about the input data. Depending on the security model, the parties need to behave according to the protocol or may be dishonest. The result is either disclosed to all computing parties or, more suitably in our use case, forwarded again as shares to another party, e.g., the analyst. Only the analyst can combine the shares to obtain the result. An overview of this process is given in Figure 2, where s(·, j) stands for the j-th share. To combine MPC with DP, the computing parties, for example, also need to add noise to the function result of f [8, 9, 19, 34, 35]. A main advantage of MPC protocols is that almost any function that can be expressed as a sequence of additions and multiplications is computable very efficiently, in contrast to HE or FE. But this comes at the cost of communication between the computing parties and requires a communication network with strong delivery guarantees. Moreover, the computation overhead lies with the computing parties and not the analyst. Each time the analyst wishes to evaluate a function, the computing parties that hold shares of the input data need to participate in the computation. In addition, it is necessary to trust that a certain fraction of the computing parties is honest.
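A minimal sketch of this data flow, assuming additive secret sharing over a public modulus, may look as follows. This is our own simplified illustration; real MPC frameworks additionally handle multiplication, authentication, and the communication layer.

```python
import random

Q = 2**61 - 1  # public modulus for additive sharing

def share(x: int, parties: int) -> list[int]:
    """Split x into additive shares that sum to x mod Q."""
    shares = [random.randrange(Q) for _ in range(parties - 1)]
    shares.append((x - sum(shares)) % Q)
    return shares

def reconstruct(shares: list[int]) -> int:
    return sum(shares) % Q

# Three users share their inputs among three computing parties.
inputs = [10, 20, 30]
per_party = list(zip(*(share(x, 3) for x in inputs)))
# Each party locally sums the shares it holds -> shares of sum(inputs).
partials = [sum(col) % Q for col in per_party]
# The parties add (shared) DP noise before releasing anything.
noise_shares = share(2, 3)  # noise value 2, itself secret-shared
result_shares = [(p + s) % Q for p, s in zip(partials, noise_shares)]
# Only the analyst combines the final shares: f(X) + e = 60 + 2.
assert reconstruct(result_shares) == 62
```

No single party ever sees an input x_i or the noise value; only the combination of all final shares reveals f(X) + e.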
Homomorphic Encryption. HE schemes [3, 12, 20] allow encrypting data in such a way that certain computations on the plaintext data can be executed on the encrypted data instead, so that all intermediate results, including the final output, remain encrypted the whole time. Consequently, there exist several works using HE to realize privacy-preserving analysis, where the focus lies on input privacy [22, 36, 37].
Similar to the case of MPC, the standard scenario assumes a computing party that executes the computation on the (encrypted) user inputs on behalf of the analyst (see Figure 3). That is, the analyst sends its public key to the users, who then encrypt their data x_i and send the ciphertexts to the computing party. Likewise, the analyst sends its function f to the computing party, who can then perform the analysis on the encrypted data, obtaining an encrypted result Enc(f(X)) = f(Enc(x_1), . . . , Enc(x_n)). The result can then be decrypted only by the analyst with its secret key, without the analyst being able to decrypt single data records x_i.
It is necessary that the computing party chooses and integrates the noise into the computation. One approach would be to sample the noise directly in the encrypted domain, hence preventing the computing party from learning the noise value e. The problem is that sampling algorithms are computationally expensive and, at the moment, HE is not fast enough to ignore these costs. This leaves only the option that the computing party samples e in plaintext and adapts the encrypted result accordingly. In general, existing works [5, 38] assume the computing party to act as curator, that is, on the one hand collecting the encrypted data and on the other hand keeping track of the privacy budget and making sure that only differentially private functions are evaluated, thereby achieving input privacy and output privacy.
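To illustrate how a computing party can fold plaintext noise into an encrypted result, here is a toy additively homomorphic sketch in the style of Paillier encryption, with insecurely small primes. All parameter choices are illustrative only and none of this is code from the works cited above.

```python
import math
import random

# Toy Paillier keypair with insecurely small primes (illustration only).
p, q = 1009, 1013
n, n2 = p * q, (p * q) ** 2
g = n + 1
lam = math.lcm(p - 1, q - 1)
mu = pow((pow(g, lam, n2) - 1) // n, -1, n)  # inverse of L(g^lam mod n^2)

def enc(m: int) -> int:
    while True:
        r = random.randrange(1, n)
        if math.gcd(r, n) == 1:
            break
    return (pow(g, m, n2) * pow(r, n, n2)) % n2

def dec(c: int) -> int:
    return ((pow(c, lam, n2) - 1) // n * mu) % n

# The computing party adds ciphertexts and folds in plaintext noise e
# without ever decrypting the user data.
c = (enc(5) * enc(7)) % n2      # Enc(5 + 7)
e = 3                           # DP noise sampled in plaintext
c = (c * pow(g, e, n2)) % n2    # Enc(12 + 3)
assert dec(c) == 15             # only the analyst's key reveals f(X) + e
```

Multiplying ciphertexts adds the underlying plaintexts, so the computing party can apply its sampled noise e via one extra multiplication while the data stays encrypted.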
Zorarpacı and Özel [49] use a slightly different scenario. Next to the analyst that wants to compute a function f and the computing party that evaluates f on the encrypted data, they introduce an additional party, called the key holder, that on the one hand holds the secret key and distributes the public key, and on the other hand ensures differential privacy by adding noise after decrypting f(X). Although this resolves the problem that the analyst should not be able to control the noise, the key holder now observes the output f*(X) directly.
Note that all these approaches suffer from the same problem as the MPC approach, namely that the computation overhead lies with the computing parties and not the analyst. Hence, the analyst relies on the availability of computational power of external parties. An alternative HE-based solution could be the one displayed in Figure 4. As opposed to the previous approach, the computation is done directly by the analyst. Instead of requiring a separate computing party, an authority is now present that generates the public key and decrypts the result of the computation. However, the authority sees the output f*(X) directly, and the analyst can possibly control the choice of f*.

Conclusion.
While both MPC and HE can be used to realize input- and output-privacy, they have in common that if nobody except the analyst should learn f*(X) while the analyst must not control the noise of f*, the computation of f*(X) needs to be outsourced. That is, the computation overhead lies with the computing parties and not the analyst, and the analyst relies on the availability and honesty of external parties. Depending on the concrete use case, this may be problematic. In the next section, we discuss an alternative approach based on functional encryption that likewise offers input- and output-privacy but where the computation does not need to be outsourced to third parties.

PRIVACY PRESERVING ANALYSIS WITH FUNCTIONAL ENCRYPTION

Overview
Similar to HE, FE [10] allows computing on encrypted data. The main difference is that the computing party directly sees the result of the computation without the need to first request decryption from another party. Thus, as opposed to the approaches discussed in Section 3, the computation overhead lies with the analyst, who does not rely on the availability of computational power of external parties. This is accomplished by supporting restricted decryption keys which enable learning specific functions of encrypted messages without revealing any additional information. This involves a setup authority which holds a master secret key and publishes (on request) decryption keys dk_f that allow computing f(X) (and nothing else) for encrypted inputs X.
A formal definition of FE is the following: Let {F_λ}_{λ∈N} be an ensemble where each F_λ is a family of n-ary functions. A function f ∈ F_λ is defined as f : X_1 × · · · × X_n → Y.

A solution based on a MIFE scheme could look as follows. Multiple users can encrypt their data x_i with an encryption key sk_i, provided by an authority. The users provide their encrypted data to the analyst. The analyst can request function keys with regard to a function f and receives as result a decryption key dk_{f*} where f* = f + e, with e being some noise value sampled by the authority (see Figure 5). That is, the analyst can compute the noisy result y = Dec(dk_{f*}, ct_1, . . . , ct_n) = f(x_1, . . . , x_n) + e. The authority can ensure that only differentially private functions are evaluated and keeps track of the privacy budget [13]. Note that this approach satisfies input- and output-privacy and keeps the evaluation effort on the side of the analyst. In particular, there is neither the need to rely on the availability of computing parties nor to trust them.
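To make this workflow concrete, the following toy sketch mimics the data flow of Figure 5 with a one-time-pad style masking scheme for linear functions. All names (`ToyAuthority`, `enc`, `dec`) are our own illustrations; the sketch is only meaningful for a single key query and is in no way the actual NMIFE construction of this paper.

```python
import random

Q = 2**31 - 1  # public prime modulus (toy parameter)

class ToyAuthority:
    """One-time-pad style sketch: each user i gets a mask r_i; a key for
    f_y(x) = sum(y_i * x_i) encodes sum(y_i * r_i) - e, hiding the noise e."""
    def __init__(self, n_users: int):
        self.masks = [random.randrange(Q) for _ in range(n_users)]

    def enc_key(self, i: int) -> int:
        return self.masks[i]

    def keygen(self, y, noise: int) -> int:
        # dk encodes the mask correction minus the (secret) noise value.
        return (sum(yi * ri for yi, ri in zip(y, self.masks)) - noise) % Q

def enc(sk: int, x: int) -> int:
    return (x + sk) % Q

def dec(dk: int, y, cts) -> int:
    # sum(y_i * (x_i + r_i)) - (sum(y_i * r_i) - e) = f_y(x) + e
    return (sum(yi * ci for yi, ci in zip(y, cts)) - dk) % Q

auth = ToyAuthority(3)
data = [4, 1, 7]
cts = [enc(auth.enc_key(i), x) for i, x in enumerate(data)]
y = [2, 3, 1]
e = 5  # noise sampled by the authority; the analyst never sees it
dk = auth.keygen(y, e)
assert dec(dk, y, cts) == (2*4 + 3*1 + 1*7 + 5) % Q  # f(X) + e = 23
```

The analyst learns only f(X) + e: the masks cancel during decryption, and the noise e stays folded into the key.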
Another advantage is that FE can enable a scenario in which a data set is provided in encrypted form once. In principle, even the noisy decryption keys for relevant or allowed functions can be uploaded alongside the encrypted data set. The authority only has a one-time effort of setting up the scheme and generating the decryption keys. Since the computation itself lies with the analyst, no third party needs to be involved after the setup. This most closely reflects the current situation, in which any researcher can directly use data from public databases for research.
Furthermore, the combination of FE and DP can be helpful for training machine learning algorithms using FE. Current MIFE schemes are limited in their functionality, basically allowing either to compute inner products [15, 44] or quadratic functions [4, 16, 39]. Most of the works combining privacy-preserving analysis with FE [33] concentrate on evaluating machine learning algorithms [23, 28, 39]. Training a complex algorithm using only limited functions, e.g. linear or quadratic ones, on the input data means computing only intermediate results on the encrypted data and then using them for further computation, yielding a lot of decryption key queries to train an algorithm. The bigger problem is that intermediate results leak information about the input data [11, 39] and therefore need to be protected, for example with DP.

Challenges
To the best of our knowledge, the work of Bakas and Michalas [6] is the only related work that also investigates the combination of FE with DP. However, they do not provide any formal definitions, in particular lacking a concise security model and analysis. In fact, we consider coming up with these to be the main challenge here.
In general, an NMIFE scheme should be correct and secure. In the following, we recall the corresponding definitions for MIFE and explain why they cannot be applied directly to the case of NMIFE.
Correctness. Correctness of a MIFE scheme essentially means that running the decryption operation Dec with a decryption key dk_f outputs the evaluation of f on the encrypted inputs:

Pr[Dec(dk_f, ct_1, . . . , ct_n) = f(x_1, . . . , x_n)] = 1,    (1)

with ct_i = Enc(sk_i, i, x_i), where the probability is taken over the coins of Setup, KeyGen and Enc.
In the case of NMIFE, the analyst receives a decryption key for a noisy variant f* of f where the noise is sampled according to some chosen, publicly known distribution. Thus, the condition that the equality displayed at the end of Equation (1) has to hold with certainty is no longer applicable.
Security. When using FE as explained in Section 4.1, two security requirements are obvious. First, the analyst should not learn anything about the user data x_i from its encryption ct_i = Enc(sk_i, i, x_i). This property is usually referred to as message-hiding. Second, it is important that the analyst cannot learn anything about the noise e from the decryption key dk_{f*}. This is covered by the notion of function-hiding, which requires that a decryption key dk_f leaks nothing about the underlying function f.
The security notion of FE that covers both is full-hiding security [15]. For such a scheme, an attacker can neither distinguish between different ciphertexts (encrypting x_{i,j,0} or x_{i,j,1}) nor between different functions (f_{ℓ,0} or f_{ℓ,1}). That is, both the content of encrypted messages as well as the concrete functions encoded in a decryption key dk are hidden from an adversary. A formal definition is the following: Let the total number of decryption key queries made by A be q_key (≥ 0) and the total number of ciphertext queries made for the i-th index be q_{ct,i} (≥ 0). The restriction on the queries of A is that if q_{ct,i} ≥ 1 for all i ∈ [n], then for all ℓ ∈ [q_key] and for all (j_1, . . . , j_n) ∈ [q_{ct,1}] × · · · × [q_{ct,n}], we must have

f_{ℓ,0}(x_{1,j_1,0}, . . . , x_{n,j_n,0}) = f_{ℓ,1}(x_{1,j_1,1}, . . . , x_{n,j_n,1}).    (2)

Guess: A eventually outputs a guess bit, which is the output of the experiment.
A private-key MIFE scheme is said to be full-hiding if for any PPT adversary A and for any security parameter λ, the advantage of A in the above experiment is negligible.
While full-hiding security is sufficient for realizing the solution explained in Section 4.1, we argue that it is actually too strong. For example, the function f is chosen by the analyst. Thus, it is not necessary that dk_{f*} with f* = f + e leaks no information at all; it only needs to hide the noise value e. Therefore, we present a new security notion (Definition 5.3) that is adapted to the solution explained in Section 4.1. As we show in Section 7, this allows for new constructions with better efficiency.

NOISY MULTI-INPUT FUNCTIONAL ENCRYPTION
In this section, we introduce a new variant of MIFE, namely noisy multi-input functional encryption (NMIFE). It allows combining the benefits of functional encryption (Section 4) and differential privacy (Section 2.2). That is, one can realize a scenario where the analyst performs the computation of some function f on user inputs x_i non-interactively, such that these values are kept hidden and the authority can control how much the output of the computation leaks. In a nutshell, NMIFE extends the classic notion of MIFE by incorporating the possibility that a decryption key dk realizes a noisy variant of a given function f. That is, the decryption key does not encode f but f + e, where e is a noise value sampled according to some chosen distribution D. For example, one may pick a distribution so that (ε, 0)-DP is achieved (see Appendix A).
In the following, we formally define NMIFE (Definition 5.1) and the corresponding notion of correctness (Definition 5.2). Afterwards, we introduce a security notion tailored to NMIFE schemes. These definitions build on the definitions recalled in Section 4. To aid readability, we not only explain the differences but also mark them in the definitions by boxes.
The difference to MIFE (cf. Definition 4.1) affects the generation of decryption keys, which takes a distribution as additional input. The full formal definition is as follows: Recall that correctness of a MIFE is defined as follows: given a decryption key dk_f ← KeyGen(msk, f), one can run Dec(dk_f, . . .) to get the evaluation of f on encrypted inputs. Correctness of NMIFE is defined analogously, with the difference that a noisy variant of f is evaluated. More precisely, given dk_f ← KeyGen(msk, f, D), one can run Dec(dk_f, . . .) to get the evaluation of f + e on encrypted inputs, with e being sampled according to D.
with ct_i = Enc(sk_i, i, x_i), where the probability is taken over the coins of Setup, KeyGen and Enc.
Note that if we restrict all distributions D_ℓ to be the all-zero distribution, i.e., the distribution that outputs only 0, then a correct NMIFE scheme becomes a MIFE scheme. This shows that the introduced definitions are extensions of the definitions in Section 4.
With respect to defining the security of an NMIFE scheme, we likewise aim to build on the existing definition of full-hiding security (Definition 4.3). One (straightforward) approach is to incorporate into the decryption key queries that an attacker can specify a function f and a distribution D. Of course, the condition specified in Equation (2) would have to be adapted accordingly. As the distributions D can be chosen arbitrarily, including the all-zero distribution, an attacker would not be restricted compared to the attacker considered for full-hiding security. In other words, this security definition would be (at least) as strong as full-hiding security.
In the following, we introduce two alternatives for a more relaxed notion of security (Definition 5.3). To tailor the security definition more towards the DP scenario, we assume a fixed set of messages, meaning that for each slot i there exists only one single message pair (x_{i,0}, x_{i,1}). Additionally, instead of requiring full function-hiding, the proposed definition relaxes it to noise-hiding. That is, instead of requiring that the decryption key does not leak the encoded function in its entirety, we assume that the "base" function f is known anyhow and only the noise value e needs to be protected. We dub this security definition single-message-and-noise-hiding (SMN-H) security. The reasons that this more relaxed security definition is relevant are twofold: First, the security definition is more tailored towards the DP scenario. There, the analyst chooses the function f but eventually learns the evaluation of f + e, for an unknown noise value e, on a prefixed data set X. There is no need to demand that multiple messages can be encrypted per slot or that the full function is hidden, as part of the function is known anyway. Second, a relaxed (but still sufficient) security requirement allows for new or improved designs that were not possible for full-hiding schemes. In Section 7, we improve an existing design to build a SMN-H secure NMIFE scheme, named DiffPIPE, and show that it is more efficient.
Moreover, we extend our security definition to allow multiple messages, referring to it as message-and-noise-hiding (MN-H) security. We show how a full-hiding MIFE can be turned into an NMIFE that provides MN-H security. That is, opting for the stronger security definition remains an option.
Next, we provide the formal security definitions. As before, boxes highlight the differences to Definition 4.3. While the meaningfulness of most changes is easy to see, Equation (3) may require some additional explanation. Recall that for a MIFE scheme, Equation (2) in Definition 4.3 prevents trivial attacks by ensuring that the attacker only chooses messages and functions which do not reveal the chosen bit simply by evaluating the functions on the plaintexts and comparing the result to the encrypted evaluation. Similarly, this is ensured for NMIFE schemes by Equation (3) in Definition 5.3, which restricts the adversary to message and noise pairs that do not reveal anything beyond the expected result. Note that for a decryption key query, the adversary queries only one function but two noise values. Let the total number of decryption key queries made by A be q_key (≥ 0) and the total number of ciphertext queries made for the i-th index be q_{ct,i} (≥ 0). The restriction on the queries of A is that if q_{ct,i} ≥ 1 for all i ∈ [n], then for all ℓ ∈ [q_key] and for all (j_1, . . . , j_n) ∈ [q_{ct,1}] × · · · × [q_{ct,n}], we must have

f_ℓ(x_{1,j_1,0}, . . . , x_{n,j_n,0}) + e_{ℓ,0} = f_ℓ(x_{1,j_1,1}, . . . , x_{n,j_n,1}) + e_{ℓ,1}.    (3)

Guess: A eventually outputs a guess bit b′ ∈ {0, 1}, which is the output of the experiment. A private-key NMIFE scheme is said to be message-and-noise-hiding if for any PPT adversary A and for any security parameter λ, the advantage of A in the above experiment is negligible. A private-key NMIFE scheme is said to be single-message-and-noise-hiding if for any PPT adversary A that makes at most one ciphertext query per index, i.e., for all i ∈ [n] it holds that q_{ct,i} = 1, and for any security parameter λ, the advantage of A in the above experiment is negligible.

BUILDING A NMIFE SCHEME FROM A MIFE SCHEME
The purpose of this section is to show how one may transform a full-hiding MIFE scheme into a secure NMIFE scheme. We use this transformation to construct a concrete secure and correct NMIFE scheme in Appendix C. The transformation and its properties are discussed in the following theorem. Note that for the NMIFE scheme to support a function f, the underlying MIFE scheme needs to support at least the functions f + e, e ∈ Δ, for some Δ.
Correctness: If S is correct, then S* is correct as well.
Security: If S is full-hiding, then S* is message-and-noise-hiding.
We give a short intuition of the proof here, along with an overview in Figure 6, and present the full proof in Appendix B. Whereas the correctness claim follows essentially directly from the definition, the security claim is shown by a standard reduction argument. That is, we assume a PPT attacker A* against S* with non-negligible advantage and construct a PPT attacker A against S that has the same non-negligible advantage in the full-hiding security game. An overview of the reduction can be found in Figure 6. The only critical part is to ensure that the queries of A are valid with respect to condition (2), that is, f_{ℓ,0}(x_{1,j_1,0}, . . . , x_{n,j_n,0}) = f_{ℓ,1}(x_{1,j_1,1}, . . . , x_{n,j_n,1}). This follows from the fact that the queries of A* need to fulfill Equation (3), that is, for all ℓ ∈ [q_key] and for all (j_1, . . . , j_n), f_ℓ(x_{1,j_1,0}, . . . , x_{n,j_n,0}) + e_{ℓ,0} = f_ℓ(x_{1,j_1,1}, . . . , x_{n,j_n,1}) + e_{ℓ,1}.
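The core idea of such a transformation can be sketched in a few lines: the NMIFE key generator samples the noise secretly and delegates to the underlying MIFE key generator on the shifted function f + e. The following Python sketch, with a deliberately trivial and insecure stand-in for the underlying MIFE scheme, is our own illustration of this idea, not the construction proved in the appendices.

```python
import random

def nmife_keygen(mife_keygen, msk, f, sample_noise):
    """Sample e <- D inside KeyGen, then issue an ordinary MIFE key
    for the shifted function f* = f + e; e never leaves this call."""
    e = sample_noise()
    f_star = lambda *xs: f(*xs) + e
    return mife_keygen(msk, f_star)

# Demo with a trivial (insecure) stand-in for the underlying MIFE scheme:
mock_mife_keygen = lambda msk, f: f      # a real scheme returns an opaque key
dk = nmife_keygen(mock_mife_keygen, None, lambda a, b: a + b,
                  lambda: random.choice([-1, 0, 1]))
assert dk(2, 3) in {4, 5, 6}             # f(2,3) = 5 plus hidden noise
```

If the underlying scheme is function-hiding, the issued key reveals neither f* nor, in particular, the sampled noise e.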
To keep the description simple, we directly state the noise values e_ℓ,b instead of the corresponding distributions D_{ℓ,b}. Given this, it follows that the queries of A are valid. We can use this transformation on an existing MIFE scheme to construct a concrete NMIFE scheme that is MN-H secure. As a starting point, we take the multi-input inner product functional encryption (MIPE) scheme of Datta et al. [15], referring to it as the DOT scheme, named after the authors Datta, Okamoto and Tomida. The choice is motivated by the fact that it is the only full-hiding MIFE scheme so far. We first modify it to support affine functions, i.e., f_{y,c}(x_1, . . . , x_n) = c + Σ_{i∈[n]} y_i · x_i with a constant value c, such that correctness and full-hiding security are preserved. This new scheme is dubbed affine-DOT. Then, we transform the affine-DOT scheme into an NMIFE scheme according to the transformation presented above. Since the construction of affine-DOT is rather straightforward, the modifications to DOT and to its security are described in Appendix C. In the following section, we present a more advanced construction of an NMIFE scheme, DiffPIPE (short for differentially private inner product evaluation). It is SMN-H secure and more efficient than noisy-DOT.

A SINGLE-MESSAGE-AND-NOISE-HIDING NOISY MULTI-INPUT FUNCTIONAL ENCRYPTION SCHEME FOR INNER PRODUCTS 7.1 Overview
The goal of this section is to construct a concrete SMN-H NMIFE scheme, dubbed DiffPIPE, and to analyze its efficiency. To this end, we take the bounded full-hiding MIFE scheme for inner products of Datta et al. [15] as a starting point and modify it into an SMN-H NMIFE scheme for inner products. In the following, we refer to the scheme of Datta et al. [15] as the DOT scheme. It is a function-hiding multi-input inner product functional encryption (FH-MIPE) scheme whose security is based on the k-linear assumption (Definition 7.1). It supports a polynomial number of encryption slots, incurring only a polynomial loss in the security reduction, and was the first and so far only practical and efficient MIFE scheme with function-hiding security. This FH-MIPE scheme operates over some finite field F_q with q being a prime number. The input data consists of vectors x_i. The decryption keys dk are built based on a linear function f described through a concatenation of vectors y = (y_1, . . . , y_n). An evaluation of the decryption key dk ← KeyGen(msk, y, D) on ciphertexts ct_i ← Enc(sk_i, i, x_i) yields the inner product Σ_{i∈[n]} y_i · x_i. The design rationale behind DiffPIPE is as follows. As described in Appendix C, DOT can be transformed into a scheme that provides a full-hiding (FH) FE scheme for affine functions with no additional overhead or increase in the size of elements. We refer to this scheme as affine-DOT. Then, Section 6 shows that we can use it to construct an MN-H scheme, noisy-DOT, that has the same efficiency as DOT.
If we restrict our security definition to SMN-H security, we can construct a scheme with smaller elements. More concretely, we reduce the size of ciphertexts from 2m + 2k + 1 group elements to m + 2k + 2, where m is the number of attributes and n the number of records. The parameter k is associated with the k-LIN assumption and is independent of m and n. The size of the decryption key is reduced from n(2m + 2k + 1) to n(m + 2k + 2) group elements. Our experiments in Section 7.5 show that this allows for a better runtime compared to noisy-DOT.
The efficiency gain from reducing the size of ciphertexts by m − 1 and of the keys by n(m − 1) group elements depends strongly on the number of attributes m. Additionally, DiffPIPE demonstrates the conceptual differences between MIFE and NMIFE: reducing DOT or affine-DOT in the same way would not be possible without violating the standard security definitions. As an NMIFE scheme, DiffPIPE comes with a new proof of security based on our new security definition (Definition 5.3).
In a nutshell, this reduction is achieved as follows. The ciphertexts of DOT (and hence noisy-DOT) contain a number of buffer slots that are used in the proof of security. Among these, 2m slots are reserved for the two different functions considered in the security definition of FH. As SMN-H considers only one function but two different noise values, we save the m slots used to encode the second function, needing only one additional slot for the second noise value. While this saves elements, it also means that it is no longer possible to encode two different functions. That is, DiffPIPE is not FH but, as we are going to prove, fulfills SMN-H. Note that the authors of DOT actually presented two schemes: a bounded scheme, where the number of encryption slots n is bounded a priori, and an unbounded scheme that can handle an arbitrary number of encryption slots. Since we want to provide a scheme that is tailored to a privacy preserving analysis on a prefixed set of user data, we can limit ourselves to the bounded variant, where the adversary makes one ciphertext query for each of the n encryption slots. Under this restriction, the scheme DOT in its simplest form achieves full-hiding security.³ In the next sections, we present a more detailed description of DiffPIPE. As the construction is based on DOT, we omit some mathematical details and focus instead on the concepts that are necessary to understand our arguments. We refer to Datta et al. [15] for more details.

Mathematical Foundations
We make use of a bilinear pairing e : G_1 × G_2 → G_T, with G_1, G_2, G_T being cyclic multiplicative groups of prime order q with generators g_1 and g_2. The mapping e satisfies the following two properties: (i) bilinearity, i.e., e(g_1^a, g_2^b) = e(g_1, g_2)^{ab} for all a, b ∈ F_q, and (ii) non-degeneracy, i.e., e(g_1, g_2) ≠ 1_{G_T}, where 1_{G_T} denotes the identity element of the group G_T.
Here, we implicitly identify elements in F_q with integers in [0, q − 1], as mentioned in Section 2.1.
For an integer m ≥ 1, V_1 = G_1^m and V_2 = G_2^m are F_q-vector spaces of dimension m. The bilinear pairing e in Equation (6) can be extended to a pairing on the dual vector space V_1 × V_2 as follows: e(x, y) = Π_{i∈[m]} e(x_i, y_i) for x = (x_1, . . ., x_m) ∈ V_1 and y = (y_1, . . ., y_m) ∈ V_2. The newly defined map e is also non-degenerate bilinear.

Description
We are now ready to describe the four algorithms defining our scheme DiffPIPE.
, where the corresponding group sizes are chosen to be a prime number q ≫ nmB + max_{v∈Δ} v.
(2) Extend  to a pairing on a dual vector space

Analysis
In the following, we show the correctness and security of the proposed scheme DiffPIPE.
7.4.1 Correctness. We need to show that, for any set of ciphertexts and any decryption key associated with a function f_y, the evaluation of the decryption key on the set of ciphertexts outputs f_y(X) + v with the same probability with which v was sampled from D over Δ. Consider any set of ciphertexts {ct_i = (i, c_i)}_{i∈[n]}. Correctness follows from the fact that for each i ∈ [n], B_i and B*_i are dual orthogonal bases and the per-slot randomness sums to v. Since Δ is of polynomial size, the range of possible values v + Σ_{i∈[n]} ⟨x_i, y_i⟩ that the decryption algorithm searches is also of polynomial size, and the algorithm outputs s = v + Σ_{i∈[n]} ⟨x_i, y_i⟩ with the same probability with which v is sampled over Δ.
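The final search step of decryption can be illustrated as follows: after the pairing computation, the decryptor holds (in a toy model, a modular power) g^(f(X)+v) in the target group and recovers the exponent by brute force over the polynomial-size range. A minimal sketch with illustrative, cryptographically insecure parameters:

```python
# Sketch of the final step of inner-product decryption: the pairing
# computation leaves g_T^(f(X) + v) in the target group, and the result
# is recovered by searching the (polynomial-size) range of possible
# values. Toy group: Z_p^* with p, g chosen purely for illustration.

def recover_exponent(target, g, p, value_range):
    """Find z in value_range with g^z mod p == target, else None."""
    for z in value_range:
        if pow(g, z, p) == target:
            return z
    return None

p, g = 2**61 - 1, 3          # toy parameters (NOT secure choices)
secret = 4217                 # plays the role of f(X) + v
target = pow(g, secret, p)
print(recover_exponent(target, g, p, range(0, 10000)))  # -> 4217
```

The search is feasible precisely because Δ and the inner-product bound are of polynomial size.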

Security.
In the following, we sketch a security proof of DiffPIPE; missing details can be found in Appendix D. Our scheme relies on the hardness of the general k-Linear (k-LIN) assumption [41], which is still the basis of various state-of-the-art papers, e.g., [46]. It works for any choice of k, including the Symmetric External Diffie-Hellman assumption (SXDH) for k = 1 and the Decisional Linear assumption (DLIN) for k = 2. By increasing k, the hardness of the problem can be increased as well.
Definition 7.1 (k-LIN). The k-LIN assumption states that for any PPT algorithm A and for any security parameter λ, the advantage Adv^{k-LIN}_A(λ) of A in deciding the k-LIN problem is bounded by some negligible function negl(λ).
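For reference, the standard textbook formulation of the k-LIN problem reads as follows; the tuple shape and symbol names here are the conventional ones and may differ cosmetically from Definition 7.1:

```latex
% Standard k-LIN problem over a cyclic group G = <g> of prime order q:
% for uniformly random a_1,...,a_k, s_1,...,s_k in Z_q, distinguish
%   rho_0 = (g, g^{a_1},...,g^{a_k}, g^{a_1 s_1},...,g^{a_k s_k}, g^{s_1+...+s_k})
% from rho_1, where the last component is replaced by a uniform group element.
\mathrm{Adv}^{k\text{-LIN}}_{\mathcal{A}}(\lambda)
  = \bigl|\,\Pr[\mathcal{A}(\varrho_0)=1] - \Pr[\mathcal{A}(\varrho_1)=1]\,\bigr|
  \leq \mathrm{negl}(\lambda).
```

For k = 1 this specializes to DDH in one source group (hence SXDH for asymmetric pairings), and for k = 2 to DLIN.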
The security of our scheme is shown in the following theorem. Theorem 7.2. Assume that the k-LIN problem is hard. Then the NMIFE scheme described above achieves SMN-H security under the restriction that the adversary makes at least one ciphertext query for each encryption slot.⁵ For any PPT adversary A against the SMN-H security of the NMIFE scheme described above, there exists a PPT algorithm B against the k-LIN problem such that for any security parameter λ, the bound given in Equation (7) holds. The proof is structured as a series of games which differ in the construction of the decryption keys and/or the ciphertexts queried by the adversary A. The detailed description of the games is postponed to the end of this section. In the first game, Game_0, the queried ciphertexts and decryption keys are constructed as in the security experiment Expt^{SMN-H}_A(0). We change the answers to the queries in multiple steps to those in the security experiment Expt^{SMN-H}_A(1), which corresponds to Game_4. The considered sequence of games is displayed in Figure 7.
For some pairs of subsequent games, the probability of distinguishing between them is upper bounded by the advantage of an adversary B that aims to solve the k-LIN problem. Lemma 7.3. For any PPT adversary A between Game_{ι,j−1,3} and Game_{ι,j,1}, and any A between Game_{ι,j,2} and Game_{ι,j,3}, ι ∈ [2], there exists a PPT algorithm B for the k-LIN assumption (Definition 7.1) such that for any security parameter λ, the advantage of A is bounded by that of B. In Figure 7, these transitions are marked accordingly. The proofs, including a more detailed analysis, are presented in Appendix D. By counting the number of transitions in Figure 7 which have the same form as those in Lemma 7.3, the bound given in Equation (7) follows.

▷ Sequence of Games:
It remains to define the games used in Figure 7. The framed parts indicate the terms that were modified in the transition from the previous game.
Game_0: This experiment corresponds to the experiment Expt^{SMN-H}_A(0) described in Definition 5.3, i.e., the security experiment where the random bit is β = 0. More precisely, for all i ∈ [n], the ciphertext query of A with respect to index i, corresponding to a pair of vectors (x_{i,0}, x_{i,1}), is answered as in that experiment. All remaining variables are generated as in Game_{1,j,2}.
Game_4: This experiment corresponds to the experiment Expt^{SMN-H}_A(1) described in Definition 5.3, i.e., the security experiment where the random bit is β = 1.

Implementation
We implemented our SMN-H NMIFE scheme DiffPIPE described above and used it in a series of experiments to privately evaluate counting queries on different data sets in the medical context. That is, we assume a set of n users. Each user i has a record of m elements x_i = (x_{1,i}, . . ., x_{m,i}), representing m different attributes. Moreover, there is an authority that runs DiffPIPE.Setup to generate a master secret key msk and the individual secret keys {sk_i}_{i∈[n]} for the n users. After the authority distributes the secret keys to the clients over a secure channel, the clients encrypt their records using DiffPIPE.Enc. The analyst is interested in an evaluation over the data set X = (x_1, . . ., x_n) and sends a function f to the authority. The authority first checks whether the analyst has proper entitlement regarding differential privacy guidelines, e.g., enough privacy budget (cf. Section 2.2), and whether f ∈ F_n. In the positive case, it generates a decryption key dk with DiffPIPE.KeyGen(msk, f, D), where D is an appropriate choice of a distribution achieving DP [18]. With this dk, the analyst can evaluate the function on the encrypted data set, obtaining a noisy result that protects the data itself. As the described use case assumes only one encrypted data set X, the relaxed security notion of single-message-and-noise-hiding is sufficient.
In our experiments, we measured both the time required for basic operations and the time for running a complete analysis on existing databases. We compared DiffPIPE with noisy-DOT (Appendix C), built according to Section 6 from a modified form of the DOT scheme of [15] as implemented in the library [28].⁶ As expected, DiffPIPE is more efficient than noisy-DOT. For our experiments we used k = 2 and therefore based the security on the Decisional Linear assumption.
As the process of checking whether the DP requirements are fulfilled and choosing the distribution for the noise, depending on the requested analysis and the privacy budget, is a consequence of applying DP and not of FE, we skipped this part. More precisely, we focused on the implementation of the general setup, assuming only one counting query is made by the analyst, for which we know that DP can be achieved by sampling noise from a Laplace distribution Lap(1/ε) with ε = 1. To sample the noise for the key generation algorithm, we used the differential privacy library of Google [43]. Therefore, our overhead for adding noise equals the cost of sampling from that library with the above parameters. Since our scheme is basically an n-fold extension of a single-input FE scheme with small modifications to achieve security, the size of the decryption keys and also the evaluation time grow linearly with the data set size (# records × # attributes). To support this conjecture and also to compare the basic operations to the noisy-DOT scheme, we performed some benchmarking. As the record values have no impact on the runtime, they were randomly generated. The results of our experiments are visualized in Figure 8 to Figure 10 and confirm the expected behavior: DiffPIPE also grows linearly, but with a smaller growth rate than noisy-DOT. Figure 8 shows the time needed to encrypt one single record depending on the number of attributes. Figure 9 and Figure 10 show the time needed to generate the decryption key and the time needed to evaluate the function depending on the number of records for different attribute sizes. Note that since the setup algorithm of DiffPIPE is essentially the same as in noisy-DOT, the time needed is practically identical, and we therefore omit a figure here.
To demonstrate the usefulness of the relaxed security notion of SMN-H, and therefore of our scheme DiffPIPE, we compared the evaluation process of our scheme to noisy-DOT on the following data sets:
- Low Birth Weight study data set [24]: "How many children with low birth weight are born in this data set?"
- Prostate Cancer study data set [26]: "What is the percentage of tumor penetration of the prostatic capsule?"
- Umaru Impact study data set [27]: "How many percent are drug-free for at least 12 months?"
- Nhanes III data set [25]: "How many percent of the participants have high systolic blood pressure?"
The data sets vary in the number of records and attributes (Table 1). We modified the data sets so that only complete records regarding the relevant attributes remained. Since most cryptographic techniques operate over finite fields such as F_q, while most numeric real-world data lies in R, a well-known problem is how to convert the real-world data into input data for encryption schemes. A standard solution is to use fixed-point arithmetic, i.e., to interpret a value v ∈ R as w = ⌊v · s⌉ with a scaling factor s. For example, the value v = 8791.5467891 with a scaling factor of 100 would result in w = 879155. After the computation on the encrypted data is finished, the result needs to be scaled back, e.g., by dividing by the scaling factor s. If s is chosen appropriately for the input data and for F_q, the usefulness of the data is not compromised while preserving the ability to operate on the encrypted data. Most of the data sets from Table 1 were already represented as values in N or had only two decimal places. This was, however, not the case for the noise sampled from the Laplace distribution. Therefore, for our experiments we set the scaling factor to 100,000 without compromising the result of our computation.
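The fixed-point conversion above can be sketched as follows (helper names are illustrative):

```python
# Fixed-point encoding as described in the text: a real value v is
# mapped to round(v * s) for a scaling factor s, computed on in the
# integers / finite field, and scaled back after decryption.

def encode(v, s):
    """Map a real value into the integers via fixed-point scaling."""
    return round(v * s)

def decode(w, s):
    """Scale an integer result back to the reals."""
    return w / s

print(encode(8791.5467891, 100))    # -> 879155 (the example from the text)
print(encode(-1.2345678, 100_000))  # scaling factor used in the experiments
print(decode(encode(8791.5467891, 100), 100))  # -> 8791.55
```

Note that the rounding error per value is at most 1/(2s), so the scaling factor trades off precision against the size of the plaintext range that decryption must search.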
Another challenge was handling the noise sampling process. Noise sampled from the Laplace distribution is normally distributed over R. The DP library handles the problem of sampling over a discrete set, but we additionally needed to restrict the range so that the sampled noise v is guaranteed to lie in the range that can be decrypted, i.e., to restrict it to Δ. We exploited the fact that the Laplace distribution concentrates its mass close to zero: to make sure that the sampled noise values lie in Δ with probability p, the bound defining Δ must be chosen accordingly.
We performed all benchmarking experiments on a system running Ubuntu 22.04.2 LTS with 256 GB RAM and 18 vCPUs (AMD Epyc 7272). For each data set, the following quantities were measured for both DiffPIPE and noisy-DOT:
• the time to set up the scheme, i.e., generating pp, msk, and the secret keys {sk_i}_{i∈[n]}, which is in the nanosecond range and represents the one-time effort of the authority,
• the time to encrypt one record, i.e., the effort of one participating user,
• the time to generate a noisy decryption key dk, i.e., the effort of the authority,
• and the time to evaluate dk on the encrypted data set, i.e., the effort of the analyst.
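The range restriction described above can be made concrete via the Laplace tail bound: for Lap(b), Pr[|η| > B] = exp(−B/b), so choosing B ≥ b · ln(1/(1 − p)) ensures the noise lies in Δ = [−B, B] with probability at least p. The sketch below resamples on the rare overflow; the function name and the resampling strategy are our assumptions, not the paper's:

```python
# Hedged sketch of the noise-range restriction: for Lap(b) (here
# b = sensitivity/epsilon = 1), Pr[|eta| > B] = exp(-B/b), so choosing
# B >= b * ln(1/(1 - p)) keeps the sample in Delta = [-B, B] with
# probability at least p. We resample on overflow for illustration.
import math
import random

def bounded_laplace(b, p, rng=random):
    """Sample from Lap(b), rejecting values outside [-B, B]."""
    B = b * math.log(1.0 / (1.0 - p))
    while True:
        u = rng.uniform(-0.5, 0.5)   # inverse-CDF Laplace sampling
        eta = -b * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))
        if abs(eta) <= B:
            return eta

random.seed(0)
eta = bounded_laplace(b=1.0, p=0.999)   # B = ln(1000) ~ 6.91
print(abs(eta) <= math.log(1000))       # -> True
```

Strictly speaking, truncating the distribution slightly perturbs the DP guarantee; for the values of p used here the effect is negligible in practice.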
Results can be seen in Table 2. As expected, and consistent with our results for the basic operations, the experiments on the real data sets show an advantage of our scheme DiffPIPE: less time is needed for encrypting, generating decryption keys, and evaluating a function, while the setup algorithm differs only by a few nanoseconds.

CONCLUSION
Motivated by the need for cryptographic schemes that simultaneously realize input and output privacy, we introduced the concept of noisy multi-input functional encryption (NMIFE), which allows integrating differential privacy into the decryption procedure. Moreover, we explained its potential benefits compared to alternative approaches. While NMIFE schemes may already have their use in practical applications, we see various opportunities for further research. For instance, the restriction of noisy-DOT to linear functions is a consequence of the lack of function-hiding FE schemes for more complex functions, not of the definition of NMIFE or the transformation. While linear functions practically limit the use cases to simple statistical analyses, e.g., counting queries, quadratic functions would allow for more complex analyses. In other words, progress made in the area of FE can most likely be used for building more powerful NMIFE schemes as well. If a full-hiding MIFE scheme for polynomials of degree 2 is constructed, our transformation would directly yield a corresponding NMIFE scheme. In fact, as the security notion of SMN-H is presumably weaker than full-hiding, designing NMIFE schemes for more complex functions fulfilling SMN-H might be easier than for full-hiding FE.
Another potential line of research is the combination of FE and machine learning. When it comes to training a model, one main problem is still the restricted functionality of existing FE schemes. Today's schemes are not able to train a whole model, but with iterative updates, the encrypted data can still be used. As seen in the context of federated learning [31, 32, 47], the intermediate results of iterative algorithms often leak too much information about the underlying data. Here, one could use DP, and therefore an NMIFE scheme, to secure these intermediate results. To train complex models, linear NMIFE schemes are not sufficient. It has been shown that complex machine learning algorithms can be trained with a quadratic FE scheme [11, 39], but these leak information about the input data through the intermediate results. With a quadratic NMIFE scheme, we would be able to protect these data using DP.
The ℓ_1 distance measures how many records differ between database x and database y. Typically, in the standard definition of (ε, δ)-differential privacy ((ε, δ)-DP), we look at neighboring databases, i.e., databases that differ in at most one record.
where the probability space is over the coin flips of the mechanism M. If δ = 0, we say that M is ε-differentially private.
A simple and common way to produce differentially private numeric functions, especially in the setting of privacy-preserving analysis, is to perturb the function output with noise sampled from special distributions.
Definition A.3 (Laplace Mechanism [18]). Given any function f : N^{|X|} → R^k, the Laplace mechanism is defined as M_L(x, f, ε) = f(x) + (Y_1, . . ., Y_k), where the Y_i are independent identically distributed random variables drawn from the Laplace distribution Lap(Δ_1(f)/ε), centered at zero, and Δ_1(f) denotes the ℓ_1-sensitivity of the function f: Δ_1(f) = max_{x,y : ∥x−y∥_1 ≤ 1} ∥f(x) − f(y)∥_1.
Proof. We start with the correctness claim, which essentially follows directly from the definitions. More precisely, fix any v ∈ Δ and any inputs x_i. By definition of S*, the decryption key dk_{f*} is the result of invoking S.KeyGen(msk, f*) for the chosen function f* = f + v. Because of Equation (4) and the correctness of S, it follows that Pr[S*.Dec(dk_{f*}, ct_1, . . ., ct_n) = f(x_1, . . ., x_n) + v] = Pr[f* = f + v] for all v. By construction of S*.KeyGen, this probability equals the probability that v is sampled from D, which shows the claim.
We show the security claim by a standard reduction argument. That is, we assume a PPT attacker A* against S* with non-negligible advantage and construct a PPT attacker A against S that has the same non-negligible advantage in the full-hiding security game. There is an oracle O for A that sets up the scheme, chooses b ← {0, 1}, and forwards pp to A. A acts as an oracle for A* and forwards pp. A* can adaptively make queries of the two types, decryption key queries and ciphertext queries. Ciphertext queries from A* are simply forwarded to O and the responses are given back to A*.
The queries of A* need to fulfill the restriction of Equation (3) for every decryption key query and all queried message tuples. Because of this restriction, the queries of A are valid with respect to condition (2). A* eventually outputs a bit b′ ∈ {0, 1}; this b′ is also the guess of A. An overview of the reduction can be found in Figure 6.
Note that A perfectly simulates the oracle for A*. Hence, we have Expt_A(b) = Expt_{A*}(b) for each b ∈ {0, 1}. In particular, it follows that A and A* have the same advantage. □

C A MESSAGE-AND-NOISE-HIDING NOISY MULTI-INPUT FUNCTIONAL ENCRYPTION SCHEME FOR INNER PRODUCTS
C.1 Overview
As stated in Section 6, we want to show that the transformation from Theorem 6.1 can be applied to an existing MIFE scheme to construct a concrete NMIFE scheme, and to analyze its efficiency. The current state of the art does not include any efficient schemes that realize FE for all functions; existing FE schemes usually support only inner products or quadratic functions. However, so far no FE scheme for quadratic functions is known that has full-hiding security and allows for multiple inputs. Therefore, we apply the transformation to an existing MIPE scheme.
More precisely, we take the scheme of Datta et al. [15] as starting point. In the following, we refer to it as the DOT scheme. Note that only linear functions f_y are directly supported by DOT. However, an NMIFE deploys affine functions to add a noise value c to the function evaluation. That is, we need to extend DOT to also support affine functions, i.e., f_{y,c}(x_1, . . ., x_n) = ⟨y_1, x_1⟩ + · · · + ⟨y_n, x_n⟩ + c with a constant value c, such that correctness and full-hiding security are preserved. Our strategy is composed of the following two steps:
Step 1: Extend DOT to a new (correct and full-hiding) scheme affine-DOT that also supports affine functions.
Step 2: Apply the transformation from Theorem 6.1 to construct a correct and message-and-noise-hiding NMIFE scheme noisy-DOT.
A simple way to achieve the first step with any FH-MIPE scheme would be to fix, in the setup phase, the data for an additional slot to a constant vector, e.g., x̂ = (0, . . ., 0, 1), resulting in an extended data set X̂ = (x̂, x_1, . . ., x_n). For a requested decryption key dk for a function f described by (y, c) = ((y_1 ∥ · · · ∥ y_n), c), one encodes the constant at the beginning of dk, so that the key encodes ŷ = ((0, . . ., 0, c) ∥ y_1 ∥ · · · ∥ y_n). Evaluating the inner product on the extra slot results in (0, . . ., 0, 1) · (0, . . ., 0, c) = c, so the overall evaluation yields f(X) + c. This, however, would mean increasing the size of the collected data set by one record x̂ = (0, . . ., 0, 1) and also increasing the size of the decryption key dk, yielding more ciphertexts and larger decryption keys. This does not only impact the space requirements but also the effort for setting up the FH-MIPE scheme and evaluating the function.
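A plaintext sketch of this naive affine extension (the slot layout and helper name are illustrative, not part of the scheme):

```python
# Plaintext sketch of the naive affine extension: add one fixed record
# x_hat = (0, ..., 0, 1) and prepend (0, ..., 0, c) to the key so the
# extra inner product contributes exactly the constant c.

def affine_via_extra_slot(xs, ys, c, m):
    """Evaluate c + sum_i <x_i, y_i> using one extra record/key slot."""
    x_hat = [0] * (m - 1) + [1]          # fixed record for the extra slot
    y_hat = [0] * (m - 1) + [c]          # key part encoding the constant
    xs_ext = [x_hat] + xs
    ys_ext = [y_hat] + ys
    return sum(sum(a * b for a, b in zip(x, y))
               for x, y in zip(xs_ext, ys_ext))

print(affine_via_extra_slot([[1, 5], [0, 7]], [[1, 0], [1, 0]], c=3, m=2))
# -> 4  (constant 3 plus inner products 1 + 0)
```

The sketch also makes the drawback visible: the extra slot must be encrypted and carried through every evaluation.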
In the following, we present another approach to turn the linear DOT scheme into an affine scheme, and dub the new scheme affine-DOT. The approach exploits properties of the key generation algorithm to directly embed the noise value. This has the benefit that neither the ciphertexts nor the decryption keys need to be enlarged. Thus, we consider this variant to be of interest in its own right. Again, we concentrate on the bounded scheme of Datta et al. [15]. We omit the mathematical foundations, since they were already described in Section 7.

C.2 Full-Hiding Bounded Multi-Input Functional Encryption Scheme for Affine Functions
In this subsection we describe the affine-DOT scheme for affine functions, built upon the scheme DOT for linear functions, and prove its correctness and security. Before we proceed, we give an overview of the underlying idea of the transformation.
DOT is built upon the single-input FE scheme proposed by Tomida et al. [44]. The naive approach to build a MIFE scheme out of a single-input FE scheme is to use n independent instances of the latter; this, however, would allow combining partial evaluations across slots. Datta et al. [15] solve this problem analogously to Abdalla et al. [1] by introducing additional randomness in the ciphertexts and the decryption keys such that the random values eventually add up to zero. Our main idea is to choose the random values such that they do not add up to zero but to the constant value c of the affine function f described by ((y_1 ∥ · · · ∥ y_n), c).
Correctness. The correctness of the above MIFE scheme affine-DOT can be verified easily and is similar to the correctness of DOT.
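The randomness trick can be sketched in plaintext as follows (helper name is ours): sampling n − 1 values uniformly and fixing the last one yields per-slot shares that are uniformly distributed subject to summing to c.

```python
# Sketch of the randomness trick described above: instead of sampling
# per-slot random values that cancel to zero, sample them so that they
# sum to the constant c of the affine function (arithmetic mod q).
import random

def shares_summing_to(c, n, q, rng=random):
    """Sample r_1, ..., r_n uniform in F_q conditioned on sum = c mod q."""
    r = [rng.randrange(q) for _ in range(n - 1)]
    r.append((c - sum(r)) % q)
    return r

q = 2**61 - 1
r = shares_summing_to(c=42, n=5, q=q)
print(sum(r) % q)  # -> 42
```

Any n − 1 of the shares are individually uniform, which is why the change from "sum to 0" to "sum to c" does not disturb the hiding arguments.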

For any set of ciphertexts {ct_i = (i, c_i)}_{i∈[n]}, correctness follows from the fact that for each i ∈ [n], B_i and B*_i are dual orthogonal bases and the introduced random values sum to c. Since Δ is of polynomial size, the range of possible values c + Σ_{i∈[n]} ⟨x_i, y_i⟩ that the decryption algorithm searches is also of polynomial size, so the algorithm outputs the correct result.
Security. We prove that our affine-DOT scheme is again a full-hiding scheme under the restriction that the adversary makes at least one ciphertext query per slot. For more details on how to achieve full-hiding security without that restriction, we refer to [15]. Our proof follows the same logic as the proof for the scheme DOT. Therefore, we refer to the full version of the paper of Datta et al. [14] for most parts of the proof and only discuss the parts that change.
The proof of DOT is structured as a hybrid argument over a series of experiments which differ in the construction of the decryption keys and/or ciphertexts. The first experiment reflects the security experiment Expt^{FH}_A(0). The experiments progressively change the decryption keys and ciphertexts in multiple steps to those in the security experiment Expt^{FH}_A(1). Proving that each hybrid is indistinguishable from the previous one yields full-hiding security.
We discuss now how this proof can be adapted to cover affine-DOT. First of all, the adversary needs to be allowed to make decryption key queries for affine functions, i.e., for two constants c_{j,0} and c_{j,1} in addition to the two functions. As long as these two cases are kept separate, that is, the random values associated with c_{j,0} are only used in conjunction with c_{j,0} and likewise the values r_{j,i} with c_{j,1}, this has no impact on the security arguments. Here, we also make use of the fact that in the original proof, the conditions that the respective random values sum to 0 have only been used to ensure correctness.
The only potentially critical step is the transformation from c_{j,0} to c_{j,1}, which is covered in Lemma C.
Because of the restriction on the queries of A (see Equation (2)), it follows that the random values after the transformation automatically fulfill the condition Σ_{i∈[n]} r_{j,i} = c_{j,1}. Moreover, as the original values were uniformly sampled (under the condition that they sum up to c_{j,0}), the same property holds as well for the values r_{j,i}.
A further required adaptation affects the masking values used in the proof of Lemma C.4. We require that these random values sum up to c_{j,0} instead of 0. To understand why this has no impact on the security claim, we briefly explain the role of these values. In Lemma C.4, the advantage of distinguishing two hybrid sequences is reduced to a decisional problem, Problem 1* [15, Def. 2.6], which can itself be reduced to the k-LIN problem. In the proof, certain random values are replaced by values taken from the considered problem instance; the masking values are added to hide these problem-instance values and to ensure that the resulting values are still uniformly distributed. Because the two sums must coincide, the change mentioned above is necessary to maintain correctness, while the values still mask the problem instance.
By applying the transformation presented in Section 6, we obtain an equally efficient MN-H NMIFE scheme, which is dubbed noisy-DOT.

D PROOF OF THEOREM 7.2
To prove Lemma 7.3, we need to reduce the advantage of an adversary to the k-LIN assumption. To this end, we follow the approach of Datta et al. [14]. In order to shorten the respective proofs and focus on the main idea, this reduction is not done directly. Instead, they presented two problems (Problem 1 and Problem 2) which can be reduced to a third problem (Problem 0), which in turn can be reduced to the k-LIN assumption. Since we modified the construction of the ciphertexts and keys in our scheme DiffPIPE, removing m − 1 and n(m − 1) slots respectively, we cannot directly adopt their problems. Therefore, we describe two problems (Problem 1 and Problem 2) which are largely similar but adapted to the structure of our ciphertexts and decryption keys, respectively. For these, we show that they can be reduced to another problem, Problem 0, which is identical to the problem used in [14].
In favour of readability, the proofs of Lemma 7.3 and Lemma 7.4 are broken down into a series of lemmas (Lemma D.3 to Lemma D.9) and proven individually.
Problem 1 is used in the games that apply changes in the construction of the keys. Proof. First, we show the reduction for Problem 1 and then state the differences for Problem 2. Suppose there exists a PPT adversary A for Problem 1; it can be used as a subroutine by a PPT algorithm B trying to solve an instance of Problem 0. B is given an instance corresponding to ι = 2, where everything is chosen in accordance with the notation of Problem 0. Then, B carries out the following steps: for each i ∈ [n], B samples a random invertible matrix and forms the basis vectors from the problem instance, where the embedded challenge term is present if β = 1 and 0 otherwise. Therefore, the resulting ϱ_β is indeed an instance of Problem 1 simulated by B with challenge bit β. Thus, the claim follows for τ = 1.
As mentioned, the proof for τ = 2 is very similar. Instead of ι = 2, we choose ι = 1 and let B form the basis vectors in the analogous manner. Moreover, the answer to the ciphertext query in index i is given as in Equation (8), which is its proper form in both Game_{1,j−1,3} and Game_{1,j,1}. Therefore, the view of the adversary A simulated by B is distributed as in Game_{1,j−1,3} or Game_{1,j,1}, respectively, according to whether β = 0 or β = 1. □ Lemma D.4. For any probabilistic adversary A and any security parameter λ, the advantage of distinguishing Game_{1,j,1} and Game_{1,j,2} is zero. Proof. In order to prove this lemma, we show that the views of the adversary A in Game_{1,j,1} and in Game_{1,j,2} are identically distributed. The form of k_{j,i} in the equation above is identical to that in Equation (11) corresponding to Game_{1,j,2} for all i ∈ [n]. Therefore, the form of the j-th answered decryption key is changed from that in Game_{1,j,1} to that in Game_{1,j,2} through the basis transformations. Further, for all j′ ≠ j, the components of the j′-th answered decryption key corresponding to ({y_{j′,i}}_{i∈[n]}, c_{j′,0}, c_{j′,1}) in Game_{1,j,1} can be expressed in the same way for all i ∈ [n]; the same holds, for all i ∈ [n], for the answer to the ciphertext query in index i, ct_i = (i, c_i), corresponding to a pair of vectors (x_{i,0}, x_{i,1}).

Definition 5.1 (Noisy Multi-Input Functional Encryption). Let {F_n}_{n∈N} be an ensemble where each F_n is a family of n-ary functions. A function f ∈ F_n is defined as f : X_1 × · · · × X_n → Y. A noisy multi-input functional encryption scheme NMIFE for F consists of the following algorithms:
Setup(λ, F_n): On input the security parameter λ and a description of F_n ∈ F, outputs a public parameter pp, a master secret key msk, and a secret key sk_i for each slot i ∈ [n]. All of the remaining algorithms implicitly take pp.
Enc(sk_i, i, x_i): On input the secret key sk_i for slot i ∈ [n] and a message x_i ∈ X_i, outputs a ciphertext ct_i. We assume that each ciphertext has an associated index i, which denotes which slot this ciphertext can be used for.
KeyGen(msk, f, D): On input the master secret key msk, a function f ∈ F_n, and a distribution D over some Δ ⊆ Y such that f + Δ ∈ F_n, samples v ← D and outputs a decryption key dk.
Dec(dk, ct_1, . . ., ct_n): On input a decryption key dk for a function f and n ciphertexts, outputs a value y ∈ Y or a symbol ⊥.

Definition 5.2 (Correctness of NMIFE). The scheme NMIFE (Definition 5.1) is correct if for all f ∈ F_n, for all x_i ∈ X_i for 1 ≤ i ≤ n, for all distributions D over some set Δ ⊆ Y with f + Δ ∈ F_n, and for all v ∈ Δ, we have Pr[Dec(dk, ct_1, . . ., ct_n) = f(x_1, . . ., x_n) + v] = Pr[v ← D], where dk ← KeyGen(msk, f, D) and ct_i ← Enc(sk_i, i, x_i).

Definition 5.3 ((Single-)Message-and-Noise-Hiding Security). The (single-)message-and-noise-hiding security notion for a private-key NMIFE is formalized through the experiment Expt^{SMN-H}_A(β), for random β ←$ {0, 1}, which involves a PPT adversary A and a PPT challenger C. The experiment involves three phases as follows:
Setup phase: C generates (pp, msk, {sk_i}_{i∈[n]}) by invoking Setup(λ, F_n), provides pp to A, and samples β ←$ {0, 1}.
Query phase: A is allowed to adaptively make any polynomial number of queries of the following two types in arbitrary order:
• Decryption key query: In response to the j-th decryption key query of A corresponding to a function f_j ∈ F_n and two noise values v_{j,0}, v_{j,1} ∈ Δ for some Δ ⊆ Y such that f_j + Δ ∈ F_n, C forms a decryption key dk_j ← KeyGen(msk, f_j, D_{j,β}), where D_{j,β} describes the distribution that outputs v_{j,β} with probability 1, and hands dk_j to A.
• Ciphertext query: To answer a ciphertext query of A for the i-th index corresponding to a pair (x_{i,0}, x_{i,1}), C prepares a ciphertext ct_i ← Enc(sk_i, i, x_{i,β}) and gives ct_i to A.
Guess phase: A eventually outputs a bit β′ ∈ {0, 1} as its guess for β.

Theorem 6.1 (Construction). Consider a MIFE scheme S = (S.Setup, S.Enc, S.KeyGen, S.Dec) with parameters as explained in Definition 4.1 and f + Δ ∈ F_n for some Δ. We build an NMIFE scheme S* = (S*.Setup, S*.Enc, S*.KeyGen, S*.Dec) from S as follows. The setup, encryption, and decryption algorithms are the same as for S, that is, S*.Setup := S.Setup; S*.Enc := S.Enc; S*.Dec := S.Dec. (4) Only the KeyGen algorithm is different and works as follows: S*.KeyGen(msk, f, D): On input the master secret key msk, a function f ∈ F_n, and a distribution D over some Δ ⊆ Y such that f + Δ ∈ F_n, samples v ← D and outputs a decryption key dk ← S.KeyGen(msk, f*) (5) with f* = f + v. The following two properties hold:
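The transformation can be sketched as a thin wrapper around an arbitrary KeyGen; the classes below are toy, insecure stand-ins with hypothetical names, illustrating only that S*.KeyGen shifts the function by a secret noise value before delegating to S.KeyGen:

```python
# Hedged sketch of the Theorem 6.1 transformation: only KeyGen changes.
# S*.KeyGen samples a secret noise value v <- D and hands the shifted
# function f* = f + v to the underlying MIFE key generation, so the
# decryptor learns f(X) + v without ever seeing v. The classes below
# are plaintext stand-ins, NOT a real (secure) MIFE scheme.
import random

class ToyMIFE:
    """Plaintext stand-in: a 'key' is just the function description."""
    def keygen(self, msk, f):
        return f

    def dec(self, dk, cts):
        return dk(cts)                    # evaluate the keyed function

class NoisyMIFE(ToyMIFE):
    def keygen_noisy(self, msk, f, sample_noise):
        v = sample_noise()                # secret noise v <- D
        return super().keygen(msk, lambda xs: f(xs) + v)  # f* = f + v

random.seed(0)
scheme = NoisyMIFE()
count = lambda xs: sum(xs)                # a counting query
dk = scheme.keygen_noisy(msk=None, f=count,
                         sample_noise=lambda: random.choice([-1, 0, 1]))
result = scheme.dec(dk, [1, 0, 1, 1])     # f(X) = 3, plus hidden noise
print(result - count([1, 0, 1, 1]) in (-1, 0, 1))  # -> True
```

The point of the construction is that correctness and security are inherited wholesale from S, since from S's perspective f* is just another function in F_n.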

Figure 6: Security reduction used in the proof of Theorem 6.1.
DiffPIPE.Setup(λ, F_n): This algorithm takes the security parameter λ and a description of F_n = {n, m, Δ, B}, with the length m ∈ N of the vectors, the arity n ∈ N of the multi-input functionality, a noise range Δ ⊊ N of polynomial size, and a bound B ∈ N on each component inner product. It works as follows: (1) Set up a bilinear pairing e : G_1 × G_2 → G_T

Figure 7: Sequence of games in the proof of Theorem 7.2. G_x denotes Game_x.

Lemma 7.4. For the remaining pairs of subsequent games, one can show that these are indistinguishable (represented in Figure 7 by =→): for any PPT adversary A and any security parameter λ, the advantage of distinguishing them is zero.

Figure 8: Time for encrypting one record in noisy-DOT and DiffPIPE (dashed lines) regarding the number of attributes.

Figure 9: Time for generating the decryption key in noisy-DOT and DiffPIPE (dashed lines).

Figure 10: Time for evaluating the function in noisy-DOT and DiffPIPE (dashed lines).
Description. affine-DOT.Setup(λ, F_n): This algorithm takes the security parameter λ and a description of F_n = {m, n, Δ, B} with the length m ∈ N of the vectors, the arity n ∈ N of the multi-input functionality, Δ ⊊ N of polynomial size and a bound B ∈ N on each component inner product. It works as follows: (1) Set up a bilinear pairing e : G_1 × G_2 → G_T where the group sizes are chosen to be a prime number q ≫ … + max_{e∈Δ}(e), (2) extend e to a pairing on a dual vector space
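The reason for the size constraint on q is that pairing-based inner-product schemes recover the result only "in the exponent" and then take a discrete logarithm over the polynomially small output range; if the group order were smaller than the largest reachable output, the result would wrap around mod q and become ambiguous. A toy Python sketch of this constraint follows; `max_result` and `brute_force_dlog` are hypothetical helper names, and n·m·B + max Δ is only an indicative bound, not necessarily the scheme's exact constant.

```python
def max_result(m, n, B, Delta):
    """Largest value the noisy functionality can output, assuming each of
    the n*m component products is bounded by B (indicative bound only)."""
    return n * m * B + max(Delta)

def brute_force_dlog(target, g, q, bound):
    """Decryption-style discrete log: scan the polynomially small output range."""
    for z in range(bound + 1):
        if pow(g, z, q) == target:
            return z
    return None                                   # wrap-around: result is lost

q = 2**31 - 1                                     # toy prime, far above the bound below
g = 7                                             # primitive root modulo q
bound = max_result(m=4, n=3, B=10, Delta={0, 1, 2})   # 3*4*10 + 2 = 122
masked = pow(g, 97, q)                            # pretend decryption left g^z with z = 97
recovered = brute_force_dlog(masked, g, q, bound)     # succeeds since 97 <= bound < q
```

Since q exceeds every reachable output, the exponent is recovered uniquely; with a group order below the bound, two distinct results could map to the same group element.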
4 are broken down into a series of lemmas (Lemma D.3-Lemma D.9) and proven individually. Combined with Lemma D.2, this concludes the proof of Theorem 7.2. Let us start by defining Problem 0 as well as the follow-up problems, Problem 1 and Problem 2.

Problem 0 ([14]). Fix an arbitrary number ι ∈ [2]. Problem 0 is to guess a bit β ←$ {0,1} given ϱ_β = (params_G, D, D*, …, y_β), where params_G, …

For any PPT algorithm A, the advantage of A in deciding Problem 2 is defined as Adv^P2_A(λ) = |Pr[1 ← A(ϱ_0)] − Pr[1 ← A(ϱ_1)]|; Problem 2 is hard if Adv^P2_A(λ) ≤ negl(λ) for some negligible function negl. Next, we show that both Problem 1 and Problem 2 can be reduced to the k-LIN assumption by using Lemma D.1.

Lemma D.2. For any PPT algorithm A for Problem j ∈ [2], there exists a PPT algorithm B for the k-LIN assumption such that for any security parameter λ, we have Adv^Pj_A(λ) ≤ Adv^k-LIN_B(λ).

Table 1: Number of records and attributes in the cleaned data sets.

Table 2: Run time of DiffPIPE vs. noisy-DOT for single operations on different databases. Encryption time refers to encrypting x_i of a single user. The first value gives the time for DiffPIPE, the second for noisy-DOT.
formed into secure SMN-H NMIFE schemes (in fact meeting an even stronger security definition). This was demonstrated on a concrete NMIFE scheme, dubbed noisy-DOT. We additionally constructed a new secure SMN-H NMIFE scheme, DiffPIPE, and demonstrated its applicability for realizing privacy-preserving counting queries in a number of experiments, comparing its efficiency to noisy-DOT.
Privacy: Algorithms and Performance Analysis. IEEE Transactions on Information Forensics and Security 15 (2020), 3454-3469. https://doi.org/10.1109/TIFS.2020.2988575
[48] Chuan Zhao, Shengnan Zhao, Minghao Zhao, Zhenxiang Chen, Chong-Zhi Gao, Hongwei Li, and Yu-an Tan. 2019. Secure multi-party computation: theory, practice and applications. Information Sciences 476 (2019), 357-372.
[49] Ezgi Zorarpacı and Selma Ayşe Özel. 2020. A hybrid approach of homomorphic encryption and differential privacy for privacy preserving classification.

As briefly explained in Section 2.2, DP is a technique to achieve output privacy of a function. In the following we present the formal definitions.

Definition A.1 (Distance between Databases). The ℓ_1 norm of a database X = (x⃗_1, …, x⃗_n) is denoted by ||X||_1 and is defined to be …

n-fold extension. Consider a master secret key msk that consists of n independently generated master secret keys msk_i for the single-input scheme. A ciphertext for some vector x⃗_i ∈ F_q^m with respect to index i is simply a single-input FE ciphertext for x⃗_i with respect to the master secret key msk_i for slot i. A decryption key for a set of n vectors {y⃗_i}_{i∈[n]} with y⃗_i ∈ F_q^m is given by the set of decryption keys {dk_{y⃗_i}}_{i∈[n]} with respect to the master secret keys of each slot. Decrypting multiple inputs simply means decrypting each input individually and combining the results afterwards. … For example, this would render the property of message-hiding impossible. Datta et al.
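The slot-wise structure of the n-fold extension can be sketched as follows, using an insecure toy single-input inner-product FE purely to show the wiring (all names are hypothetical; a real instantiation would run an actual FE scheme per slot):

```python
class ToySingleInputFE:
    """Insecure stand-in for a single-input inner-product FE scheme; the
    n-fold extension generates one independent instance per slot."""
    def __init__(self):
        self.msk = object()                    # placeholder for an independent msk_i
    def enc(self, x):
        return list(x)                         # nothing is actually hidden here
    def keygen(self, y):
        return list(y)

def ip_dec(dk, ct):
    # single-input decryption: recover the inner product <x_i, y_i>
    return sum(a * b for a, b in zip(ct, dk))

def nfold_setup(n):
    return [ToySingleInputFE() for _ in range(n)]          # msk = (msk_1, ..., msk_n)

def nfold_enc(msks, i, x_i):
    return msks[i].enc(x_i)                    # slot-i ciphertext under msk_i only

def nfold_keygen(msks, ys):
    return [msks[i].keygen(y) for i, y in enumerate(ys)]   # {dk_{y_i}} per slot

def nfold_dec(dks, cts):
    # decrypt every slot individually, then combine the partial results
    return sum(ip_dec(dk, ct) for dk, ct in zip(dks, cts))
```

Each slot is handled by its own independent instance, so encrypting for slot i requires only msk_i, and multi-input decryption reduces to n single-input decryptions followed by a sum.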