{{Infobox encryption method | name = Functional encryption | image = Encryption.png | caption = | designers = Amit Sahai, Brent Waters, Dan Boneh, Shafi Goldwasser, Yael Kalai | publish date = | derived from = Public-key encryption | derived to = | related to = Homomorphic encryption | key size = | block size = | structure = | rounds = | cryptanalysis = }}

'''Functional encryption''' ('''FE''') is a generalization of public-key encryption in which possessing a secret key allows one to learn a function of what the ciphertext is encrypting.

==Formal definition== More precisely, a functional encryption scheme for a given functionality <math>f</math> consists of the following four algorithms:

*<math>(\text{pk}, \text{msk}) \leftarrow \textsf{Setup}(1^\lambda)</math>: creates a public key <math>\text{pk}</math> and a master secret key <math>\text{msk}</math>. *<math>\text{sk} \leftarrow \textsf{Keygen}(\text{msk}, f)</math>: uses the master secret key to generate a new secret key <math>\text{sk}</math> for the function <math>f</math>. *<math>c \leftarrow \textsf{Enc}(\text{pk}, x)</math>: uses the public key to encrypt a message <math>x</math>. *<math>y \leftarrow \textsf{Dec}(\text{sk}, c)</math>: uses secret key to calculate <math>y = f(x)</math> where <math>x</math> is the value that <math>c</math> encrypts.

The security of FE requires that any information an adversary learns from an encryption of <math>x</math> is revealed by <math>f(x)</math>. Formally, this is defined by simulation.<ref name=":0">{{Cite book|url=https://books.google.com/books?id=w-39uAEACAAJ&pg=PA555|title=Reusable garbled circuits and succinct functional encryption - Stoc 13 Proceedings of the 2013 ACM Symposium on Theory of Computing|last1=Goldwasser|first1=Shafi|last2=Kalai|first2=Yael|last3=Ada Popa|first3=Raluca|last4=Vaikuntanathan|first4=Vinod|last5=Zeldovich|first5=Nickolai|publisher=ACM|year=2013|isbn=978-1-4503-2029-0|location=New York, NY, USA|pages=555–564|language=en}}</ref>

==Applications== Functional encryption generalizes several existing primitives including Identity-based encryption (IBE) and attribute-based encryption (ABE). In the IBE case, define <math>F(k,x)</math> to be equal to <math>x</math> when <math>k</math> corresponds to an identity that is allowed to decrypt, and <math>\perp</math> otherwise. Similarly, in the ABE case, define <math>F(k, x) = x</math> when <math>k</math> encodes attributes with permission to decrypt and <math>\perp</math> otherwise.

==History== Functional encryption was proposed by Amit Sahai and Brent Waters in 2005<ref>{{Cite conference| url=https://books.google.com/books?id=HrCI4ZyuZL0C|pages=457–473 | author1= Amit Sahai | author2= Brent Waters | chapter= Fuzzy Identity-Based Encryption |title= Advances in Cryptology |conference= EUROCRYPT 2005: 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Proceedings|date=2005 | editor= Ronald Cramer |publisher=Springer |isbn=978-3-540-25910-7|language=en|lccn=2005926095 }}</ref> and formalized by Dan Boneh, Amit Sahai and Brent Waters in 2010.<ref>{{cite journal|last=Boneh|first=Dan |author2=Amit Sahai |author3=Brent Waters|title=Functional Encryption: Definitions and Challenges|journal=Proceedings of Theory of Cryptography Conference (TCC) 2011|year=2011|url=http://eprint.iacr.org/2010/543.pdf}}</ref> Until recently, however, most instantiations of Functional Encryption supported only limited function classes such as boolean formulae. In 2012, several researchers developed Functional Encryption schemes that support arbitrary functions.<ref name=":0" /><ref>{{cite journal|last=Gorbunov|first=Sergey |author2=Hoeteck Wee |author3=Vinod Vaikuntanathan|title=Attribute-Based Encryption for Circuits|year = 2013|journal = Proceedings of STOC}}</ref><ref>{{cite web|last=Sahai|first=Amit|author2=Brent Waters|title=Attribute-Based Encryption for Circuits from Multilinear Maps|year=2012 |arxiv=1210.5287 |url=http://eprint.iacr.org/2012/592.pdf}}</ref><ref>{{cite book|last1=Goldwasser|first1=Shafi |author2=Yael Kalai |author3=Raluca Ada Popa |author4=Vinod Vaikuntanathan |author5=Nickolai Zeldovich|title=Advances in Cryptology – CRYPTO 2013 |chapter=How to Run Turing Machines on Encrypted Data |series=Lecture Notes in Computer Science |year=2013|volume=8043 |pages=536–553 |doi=10.1007/978-3-642-40084-1_30 |isbn=978-3-642-40083-4 |chapter-url=http://eprint.iacr.org/2013/229.pdf|doi-access=free |hdl=1721.1/91472 |hdl-access=free }}</ref>

==References== {{reflist}}

Category:Cryptographic_primitives