$\bullet$ What does private-key functional encryption mean? Or functional encryption in private-key setting?
Wasn't functional encryption a generalization of public key encryption? So now, why do we have private-key functional encryption?! It's a little confusing.
I've seen a few sentences in Romain Gay's PhD thesis [Romain Gay's thesis 2019, pages 10-11].
A new construction of multi-input functional encryption for inner products.
... In this thesis, we strengthen the security of these constructions to handle corruption of the input slots. That is, to encrypt, each input slot $i\in[n]$ requires an encryption key $ek_{i}$. We consider the $\color{red}{\text{private-key}}$ setting, where encryption keys remain secret.
This is actually more relevant than the $\color{red}{\text{public-key}}$ setting, where the encryption keys $ek_{i}$ are revealed to everyone.
Indeed, in such a case, anyone can encrypt arbitrary message for any input slot. That weakens security drastically, since a challenge ciphertext $\mathsf{Enc}(ek_{i}, m_{b})$ for message $m^{b}_{i}$, where $b\leftarrow_{R}\{0,1\}$ is chosen by the security game, can be combined with encryption
of arbitrary messages for the other input slots during decryption. That means that given even a single functional decryption key for a function $f$, one can learn $f(*,\ldots,*,m^{b}_{i},*,x,\ldots,*)$, where each $*$ can be any arbitrary message. This is simply too much information in most relevant use cases.
Thus, we consider the setting where encryption keys $ek_{i}$ aren’t public, which avoids precisely this kind of leakage of information. ...
$\bullet$ Based on the above quote, the terms "private-key setting" and "public-key setting" are just for multi-input functional encryption? Or these terms are more general and are for functional encryption?
In another paper [Carla Mascia, Massimiliano Sala, Irene Vilia."A Survey On Functional Encryption", 2021, In Advances in Mathematics of Communications, 2023, 17(5): 1251-1289. doi: 10.3934/amc.2021049, page 4] is written
Remark 2.5. For some practical applications, it is relevant to distinguish between public-key and private-key setting. In the former, anyone can encrypt using the public key generated in the $\mathsf{Setup}$ phase; in the latter, only those who own the master key can encrypt. Notice that the definition of FE scheme in Definition 2.2 is given in the public-key setting.
$\bullet$ Can someone illustrate by example some practical applications where it's relevant to distinguish between public-key and private-key setting of an functional encryption?
In a public-key FE scheme, we have a master secret key for central authority, a master public key, secret functional decryption keys for users. Now, in private-key FE, what do we have?
$\bullet$ Is private-key setting of functional encryption the same as function hiding property of a functional encryption? In following the abstract of [Emily Shen, Elaine Shi, Brent Waters. "Predicate Privacy in Encryption Systems", In TCC 2009]
Predicate encryption is a new encryption paradigm which gives a master secret key owner fine-grained control over access to encrypted data. The master secret key owner can generate secret key tokens corresponding to predicates. An encryption of data $x$ can be evaluated using a secret token corresponding to a predicate $f$; the user learns whether
the data satisfies the predicate, i.e., whether $f(x)=1$.
Prior work on public-key predicate encryption has focused on the notion of data or plaintext privacy, the property that ciphertexts reveal no information about the encrypted data to an attacker other than what is inherently revealed by the tokens the attacker possesses. In this paper, we consider a new notion called predicate privacy, the property that tokens reveal no information about the encoded query predicate. $\color{red}{\text{Predicate privacy is inherently impossible to achieve in the public-key setting}}$ and has therefore received little attention in prior work. In this work, we consider predicate encryption in the symmetric-key setting and present a symmetric-key predicate encryption scheme which supports inner product queries. We prove that our scheme achieves both plaintext privacy and predicate privacy.
$\bullet$ I'll appreciate any explanation about background of the private/public-key setting term in functional encryption. Why did we need to define such terms?
