A function encryption scheme is an encryption scheme that allows to release so-called *“functional decryption”* keys *sk[f]* (indexed by functions *f*) such that decrypting a ciphertext *c=Encrypt(pk,m)* under the secret key *sk[f]*, produces as a result *f(m)* (rather than just *m*, as would a normal decryption algorithm.) The ability to reveal only partial information *f(m)* about a message *m* make functional encryption a very powerful tool. Standard public key encryption corresponds to a system which supports only the identity function *f(m)=m*. The wider the class of supported functions, the more expressive the associated functional encryption scheme.

In a (hierarchical) functional encryption scheme, the key generation algorithm produces a public key *pk*, and a secret key *sk[id]* for the identity function *id(m)=m*. Other secret keys are obtained by running a key delegation algorithm that on input the secret key *sk[f]* for some function *f*, and the description of another function *g*, produces a secret key *sk[g.f]* for the composition of the two functions *(g.f)(m)=g(f(m))*.

Identity Based Encryption (in both its standard and hierarchical form) can be seen as a special case of (hierarchical) functional encrytion for functions of a certain type: functions indexed by strings *u* such that *f[u] (u,m)=(u,m)*, and *f[u] (x,m)=(x)* when *x* and *u* are different. Here, *u* is interpreted as the identity of a user, and encrypting *(u,m)* makes the message *m* decryptable only by the user who knows the correponding secret key *sk[u]*. (In an *anonymous* IBE, *f[u] (x,m)=()*, so that the identity of the recepient is also hidden.)

Here we consider functional encryption for other classes of functions.

**Indistinguishability Obfuscation: Simpler Constructions using Secret-Key Functional Encryption**

(*Kitagawa, Nishimaki & Tanaka*- ePrint 2017/275)**Robust Transforming Combiners from Indistinguishability Obfuscation to Functional Encryption**

(*Ananth, Jain & Sahai*- Eurocrypt 2017)**From Minicrypt to Obfustopia via Private-Key Functional Encryption**

(*Komargodski & Segev*- Eurocrypt 2017)**Compactness vs Collusion Resistance in Functional Encryption**

(*Li and Micciancio*- TCC 2016B)**From Cryptomania to Obfustopia through Secret-Key Functional Encryption**

(*Bitansky, Nishimaki, Passelègue & Wichs*- TCC 2016A)**Single-Key to Multi-Key Functional Encryption with Polynomial Loss**

(*Garg & Srinivasan*- TCC 2016B)**Functional Encryption: Deterministic to Randomized Functions from Simple Assumptions**

(*Agrawal & Wu*- Eurocrypt 2017)**Function-Private Functional Encryption in the Private-Key Setting**

(*Brakerski & Segev*- TCC 2015)**Multi-input Functional Encryption in the Private-Key Setting: Stronger Security from Weaker Assumptions**

(*Brakerski, Komargodski & Segev*- Eurocrypt 2016)**From Selective to Adaptive Security in Functional Encryption**

(*Ananth, Brakerski, Segev & Vaikuntanathan*- Crypto 2015)**Functional Encryption for Randomized Functionalities in the Private-Key Setting from Minimal Assumptions**

(*Komargodski, Segev & Yogev*- TCC 2015)

Attribute Based Encryption (ABE) correponds to functions indexed by a predicate *P* such that *f[P] (x,m)=(x,m)* if *P(x)* is true, and *f[P] (x,m)=x* if *P(x)* is false. Here *x* is interpreted as a set of attributes, and *P* is a policy that specifies under what conditions on the attributes a message can be decrypted. Notice that in this definition of ABE, the attributes are public, i.e., they are revealed by a ciphertext even when *P(x)* is false. One can also define a version of ABE with *private attributes* (usually called *Predicate Encryption*) where *f[P] (x,m)=()* when *P(x)* is false.

**Attribute-Based Functional Encryption on Lattices**

(*Boyen*- TCC 2013)**Attribute-Based Encryption for Circuits**

(*Gorbunov, Vaikuntanathan & Wee*- J.ACM 2015/STOC 2013)**Fully Key-Homomorphic Encryption, Arithmetic Circuit ABE and Compact Garbled Circuits**

(*Boneh, Gentry, Gorbunov, Halevi, Nikolaenko, Segev, Vaikuntanathan & Vinayagamurthy*- Eurocrypt 2014)**Riding on Asymmetry: Efficient ABE for Branching Programs**

(*Gorbunov & Vinayagamurthy*- AsiaCrypt 2015)**Ciphertext policy attribute-based encryption from lattices**

(*Zhang, Zhang & Ge*- AsiaCCS 2012)**A Ciphertext Policy Attribute-Based Encryption Scheme without Pairings**

(*Zhang & Zhang*- ISC 2011)**Predicate Encryption for Circuits from LWE**

(*Gorbunov, Vaikuntanathan & Wee*- Crypto 2015)**Practical Functional Encryption for Quadratic Functions with Applications to Predicate Encryption**

(*Baltico, Catalano, Fiore & Gay*- ePrint)**Attribute-Based Encryption for Finite Automata from LWE**

(*Boyen & Li*- ProvSec 2015)**Turing Machines with Shortcuts: Efficient Attribute-Based Encryption for Bounded Functions**

(*Boyen & Li*- ACNS 2016)

**Functional Encryption for Inner Product Predicates from Learning with Errors**

(*Agrawal, Freeman & Vaikuntanathan*- Asiacrypt 2011)**Lattice-Based Hierarchical Inner Product Encryption**

(*Abdalla, DeCaro & Mochetti*- LatinCrypt 2012)**Improved (Hierarchical) Inner-Product Encryption from Lattices**

(*Xagawa*- PKC 2013)**Simple Functional Encryption Schemes for Inner Products**

(*Abdalla, Bourse, DeCaro, Pointcheval*- PKC 2015)**Fully Secure Functional Encryption for Inner Products, from Standard Assumptions**

(*Agrawal, Libert & Stehle*)

**Functional Encryption for Threshold Functions (or Fuzzy IBE) from Lattices**

(*Agrawal, Boyen, Vaikuntanathan, Voulgaris & Wee*- PKC 2012)

**Key-Private Proxy Re-encryption under LWE**

(*Aono, Boyen, Phong & Wang*- IndoCrypt 2013)**Key-Private Proxy Re-Encryption from Lattices, Revisited**

(*Nihimaki & Xagawa*- IEICE 2015**Lattice Based Identity Based Unidirectional Proxy Re-Encryption Scheme**

(*Singh, PanduRangan & Banerjee*- SPACE 2014)**Proxy Re-encryption from Lattices**

(*Kirshanova*- PKC 2014)