Is there any semantic difference between predicate encryption and functional encryption?

Question

Predicate encryption(PE) arrived as a descendant of attribute based encryption. Attribute based encryption allows the encryptor to embody a policy to the ciphertext (Ciphertext-Policy based encryption) and the receipent to receive a key from a central trusted authority according to his attributes. If the attributes do satisfy the policy then the receipent can decrypts. Another less secure version is the key-policy based encryption whereby the encryptor associates with the ciphertext the attributes that he wills a potential decryptor to have and the key of the receiver comes with the policy. Because attribute based encryption reveals the policy(KP-ABE) and the attributes(CP-ABE) predicate encryption comes to solve this by allowing the receipent to apply a predicate if he owns a secret key of that predicate.

Functional encryption(FE) As presented in the paper is a generalization of Identity based encryption, Attribute based encryption and predicate encryption. Instead of a predicate there is a function $f$ that evaluates the attributes of the ciphertext. At the paper the construction is given based on predicate encryption.

My question is what extra functionality FE provides in comparison with PE. Is there a drawback or a security leakage in PE that FE solves? My intuition from the literature is that the contribution of FE is the generalization of the 3 previous mention crypto schemes(IBE,ABE,PE) into 1 scheme (research purpose for acceptance in a conference, not practical at all) and second is the area of applications. I understood that in PE if your secret key $sk$ lets you evaluate at $1$ a predicate $P$ over a ciphertext $c$ then you recover the plaintext but with the FE if $F_{sk}(c)=1$ then you learn the output of the function on the plaintext. I.e: the function might be a machine learning algorithm classifying spam so you learn if the message is a spam or no, but not the contents of the message. Is this correct?

Answer 1

PE is a subclass of FE.

This (from the other answer) is correct.

Also, from my understanding, your analogy is correct. PE returns the plaintext if the predicate evaluates to true. FE, on the other hand, returns a function of the plaintext.

We can say that PE is a subclass of FE, since we can use FE to implement PE. Just use the identity function.

Your example of $f$ being a machine learning function is an example of something that FE can do that PE cannot.

Answer 2

PE is a subclass of FE. A description can be found on page 256 of the book “Theory of Cryptography: 8th Theory of Cryptography Conference, TCC 2011”.

The related paper is available in PDF format via eprint.iacr.org:

• Functional Encryption: Definitions and Challenges
  Dan Boneh, Amit Sahai, Brent Waters

Answer 3

The previous answers skip an important fact.

I think that a PE for all circuits and A FE for all circuits are equivalent in the sense that you can build the second from the first one (the opposite direction is trivial).

A key for a circuit C with output size of $n$ bits can be implemented as $n$ PE keys in which the $i$-th key is relative to the circuit that computes the $i$th bit of the output. Furthermore the PE ciphertexts are set with payload message equal to the bit 1. The decryption procedure decrypts the ciphertext that encrypts (1,x) with each of the keys and when the decryption return error, it sets the i-th bit equal to 0, or 1 otherwise.

But it does not hold for any functionality and there is a loss of efficiency

Answer 4

"Predicate-only PE" is a (more obvious) special case of FE. find the definition of "predicate-only PE" in this paper https://eprint.iacr.org/2007/404.pdf