### Functional Encryption

#### by Edward Z. Yang

Joe Zimmerman recently shared with me a cool new way of thinking about various encryption schemes called *functional encryption.* It’s expounded upon in more depth in a very accessible recent paper by Dan Boneh et al.. I’ve reproduced the first paragraph of the abstract below:

We initiate the formal study of functional encryption by giving precise definitions of the concept and its security. Roughly speaking, functional encryption supports restricted secret keys that enable a key holder to learn a specific function of encrypted data, but learn nothing else about the data. For example, given an encrypted program the secret key may enable the key holder to learn the output of the program on a specific input without learning anything else about the program.

Quite notably, functional encryption generalizes many existing encryption schemes, including public-key encryption, identity-based encryption and homomorphic encryption. Unfortunately, there are some impossibility results for functional encryption in general in certain models of security (the linked paper has an impossibility result for the simulation model.) There’s no Wikipedia page for functional encryption yet; maybe you could write it!

*Apropos of nothing,* a math PhD friend of mine recently asked me, “So, do you think RSA works?” I said, “No, but probably no one knows how to break it at the moment.” I then asked him why the question, and he mentioned he was taking a class on cryptography, and given all of the assumptions, he was surprised any of it worked at all. To which I replied, “Yep, that sounds about right.”

Did you enjoy this post? Please subscribe to my feed!

Factoring is fragile assumption (and breaking RSA is weaker than factoring): if p-1 or q-1 has small factors you are busted, same for p+1, q+1, same for x-1 where x is the largest factor *of* p-1 (and same for q-1), and same for p+1 and q+1.

But for, say, lattices worst case hardness implies average case hardness.