Inner-product predicate encryption

Inner-product predicate encryption (IPPE) is a form of predicate encryption in which keys and ciphertexts are each associated with vectors over $Z_{p}$ . A key for vector $v \in Z_{p}^{n}$ can decrypt a ciphertext for vector $x \in Z_{p}^{n}$ if and only if $⟨ v, x ⟩ = 0 (mod p)$ . IPPE achieves full attribute-hiding: a ciphertext hides both the encrypted payload and the attribute vector $x$ . It subsumes HVE and, via inner-product encodings, supports disjunctions, CNF/DNF formulas, and polynomial evaluation—making it the practical ceiling before full predicate encryption.

Syntax

An IPPE scheme is a tuple of efficient algorithms $IPPE = (Setup, KeyGen, Enc, Dec)$ with respect to prime $p$ , dimension $n$ , message space $M$ , and ciphertext space $C$ :

$Setup (1^{λ}, p, n) \to (pp, msk),$ is a randomized algorithm that outputs public parameters $pp$ and master secret key $msk$ ,
$KeyGen (msk, v) \to sk_{v},$ is a (possibly randomized) algorithm that takes $msk$ and a predicate vector $v \in Z_{p}^{n}$ , outputting a secret key $sk_{v}$ ,
$Enc (pp, x, m) \to c,$ is a randomized algorithm that takes $pp$ , an attribute vector $x \in Z_{p}^{n}$ , and $m \in M$ , outputting $c \in C$ ,
$Dec (sk_{v}, c) \to m,$ is a deterministic algorithm that takes $sk_{v}$ and $c$ , outputting $m \in M$ or $⊥$ .

Decryption succeeds if and only if $⟨ v, x ⟩ = 0 (mod p)$ .

Properties

Correctness

An IPPE scheme is $(1 - ε)$ -correct if for all $λ \in N$ , $v, x \in Z_{p}^{n}$ with $⟨ v, x ⟩ = 0 (mod p)$ , and $m \in M$ ,

Pr [Dec (KeyGen (msk, v), Enc (pp, x, m)) = m] \geq 1 - ε,

over $(pp, msk) \leftarrow Setup (1^{λ}, p, n)$ and randomness of $KeyGen$ and $Enc$ .

Full Attribute-Hiding Security

In the full attribute-hiding game, the adversary submits two ciphertext candidates $(x_{0}, m_{0})$ and $(x_{1}, m_{1})$ and receives an encryption of one of them. Admissibility requires that every queried key vector $v$ is consistent with both candidates: $⟨ v, x_{0} ⟩ = 0 \Leftrightarrow ⟨ v, x_{1} ⟩ = 0 (mod p)$ .

\begin{algorithm}
\algname{Game}
\caption{$\Game^{\mathrm{ah}}_{\mathsf{IPPE},\calA}(\secpar)$}
\begin{algorithmic}
\State $(\pp, \msk) \gets \Setup(1^\secpar, p, n)$; $b \getsr \bits$
\State $\calO_{\mathrm{key}}(v) := \KeyGen(\msk, v)$
\State $((x_0, m_0), (x_1, m_1), \stA) \gets \calA^{\calO_{\mathrm{key}}}(1^\secpar, \pp)$
\Comment{For all queried $v$: $\langle v, x_0 \rangle = 0$ iff $\langle v, x_1 \rangle = 0$ (mod $p$)}
\State $c^* \gets \Enc(\pp, x_b, m_b)$
\State $b' \gets \calA^{\calO_{\mathrm{key}}}(c^*, \stA)$
\Comment{Same admissibility constraint holds throughout}
\Return $[b' = b]$
\end{algorithmic}
\end{algorithm}

An IPPE scheme $IPPE$ is attribute-hiding if for all efficient admissible $A$ ,

Adv_{IPPE, A}^{ah} (λ) := 2 Pr [G_{IPPE, A}^{ah} (λ) = 1] - 1

is negligible.

Variations

Payload-only hiding

Dropping the attribute-hiding requirement yields a simpler payload-hiding variant: the adversary commits to a single $x^{*}$ and submits two messages, with the constraint that no queried $v$ satisfies $⟨ v, x^{*} ⟩ = 0 (mod p)$ .

Zero inner product vs. non-zero

Some formulations flip the predicate: decryption succeeds when $⟨ v, x ⟩ \neq = 0$ . This is equivalent up to a simple transformation (append a constant coordinate) and is sometimes more natural for access control.

Other results

IPPE generalizes HVE: a conjunctive pattern predicate over $Σ^{n}$ can be encoded as an inner-product predicate by choosing an alphabet embedding into $Z_{p}$
IPPE is incomparable to KP-ABE and CP-ABE: IPPE achieves full attribute-hiding but only captures inner-product predicates, while KP/CP-ABE supports arbitrary monotone Boolean formulas but leaks the access policy
KSW08 introduced IPPE and showed that inner products encode disjunctions, polynomial equations, and CNF/DNF formulas; the scheme is proved attribute-hiding under the decisional linear assumption — KSW08

Cryptology City

Explorer