We construct private-key and public-key functional encryption schemes secure against adversaries that corrupt an a-priori bounded number of users and obtain their functional keys, from minimal assumptions. For a collusion bound of $Q=Q(\lambda)$ (where $\lambda$ is the security parameter), our public-key (resp. private-key) functional encryption scheme (a) supports the class of all polynomial-size circuits; (b) can be built solely from a vanilla public-key (resp. private-key) encryption scheme; and (c) has ciphertexts that grow linearly with the collusion bound $Q$. Previous constructions were sub-optimal with respect to one or more of the above properties.
The first two of these properties are the best possible and any improvement in the third property, namely the ciphertext size dependence on the collusion bound $Q$, can be used to realize an indistinguishability obfuscation scheme. In addition, our schemes are adaptively secure and make black-box use of the underlying cryptographic primitives.