Secure and Efficient Searchable Public Key Encryption for Resource Constrained Environment Based on Pairings under Prime Order Group

Searchable public key encryption scheme is a key technique for protecting data confidentiality in today’s cloud environment. Specifically, public key encryption with conjunctive and disjunctive keyword search (PECDK) can provide flexible search options without sacrificing keywords security and thus attracts a lot of attention nowadays. However, the most effective PECDK scheme is based on the inner product encryption (IPE), which needs more time and space cost. In this paper, by utilizing the bilinear pairing withaprimeordergroup,weproposeanefficientPECDKschemeneedinglesstimeandstorageconsumption.Theproposedschemeisproventobesecureunderarigoroussecuritydefinition.Thetheoreticalanalysisandexperimentalresultsdemonstratethatourproposedschemecansignificantlyimprovethetimeandspaceefficiencyoverthestate-of-the-artscheme.


Introduction
In the era of big data, more and more companies and individuals are willing to share their data over the cloud platform. If the data is stored in plaintext form, the cloud service providers can easily access and analyze the data illegally, which may lead to a big threaten to some sensitive data, e.g., electronic health and personal credit records. To protect data privacy, encrypting data before outsourcing it to the cloud server is a common approach. But, this brings a new issue of how to perform keyword search over these unreadable ciphertext. A straightforward solution is to download all the encrypted data to the client and decrypt it. After obtaining all unencrypted data, users can utilize the common information retrieval technique used on the plaintext to perform keywords query. However, this approach requires a very high communication, storage, and computing costs, which are not applicable for large scale networks. This issue put forward a new challenge: how to effectively search for encrypted data without decrypting it first.
Searchable encryption (SE) is a promising method to address this problem. SE can be classified into two categories according to its applications: searchable symmetric key encryption (SSE) and searchable public key encryption (SPE). Based on many researchers' work these years, SSE can support advanced query conditions like Boolean keywords search, multikeywords rank search, and top-similarity keywords search. Works [1][2][3] dealt with multikeywords search, where the query condition contains more than one keyword. Considering the fact that it is not practical to return all the search results, more recent works like [4][5][6] focused on the multikeywords rank search. Sometimes, users want to search documents related to their query keywords rather than the documents that precisely match those keywords. The SSE schemes supporting similarity keywords search were created to address this issue [7,8].
Conversely, SPE is difficult to support advanced search function without sacrificing security as anyone who has the public key ( ) can create encrypted index or ciphertext, and easily perform chosen keywords attack. In addition, the SSE scheme is generally more efficient than the SPE scheme. Although the SPE scheme has these weaknesses, it still holds some advantages for many applications. Specifically, for the application in which there are many data senders and only one data receiver (Figure 1), SSE needs that all senders and the receiver hold the same symmetric key to generate the encrypted data. So, if one of the senders is compromised by an adversary, then the data for all senders will be leaked. Compared with SSE, in SPE, the public key can be accessed by all senders, and the private key is only given to the receiver. Thus, SPE can naturally solve the security problem of key management in this application [9] and is an irreplaceable solution.
The first SPE named as public key encryption with keyword search (PEKS) was introduced in [10], in which senders who hold can send their encrypted documents with encrypted indexes to a server, and the receiver holding secret key ( ) can make a keyword search over the encrypted data. However, this scheme only supports a single keyword search. How to construct a public key encryption scheme supporting a complex query conditions such as the Boolean keyword search is a significant problem. Specifically, as two typical Boolean keyword search schemes, conjunctive and disjunctive keyword search over encrypted data in the public key setting are needed to be developed.
Park et al. [11] first proposed the public key encryption with conjunctive keyword search (PECK) scheme that supports keywords search like 1 ∧ 2 ∧ 3 , where 1 , 2 and 3 are query words. After that, many PECK schemes [12,13] were proposed to improve the efficiency and security. The first public key encryption with disjunctive keyword search (PEDK) scheme was proposed by Katz et al. [14]. In their work, they proposed an inner product encryption (IPE) scheme and converted this IPE scheme into a PEDK scheme, which supports keywords search like 1 ∨ 2 ∨ 3 . In an IPE scheme, the secret key corresponding to a predicate vector → V can decrypt the ciphertext associated with an attribute vector → if and only if → ⋅ → V = 0. According to this property, we know that, by converting index and query keyword set into an attribute and a predicate vector, respectively, an IPE scheme can be changed into a SPE scheme supporting multikeywords search.
In the practical cloud environment, the user usually perform conjunctive and disjunctive keywords search simultaneously. In [15], Zhang and Lu proposed an approach of converting an IPE scheme into a public key encryption with conjunctive and disjunctive keyword search (PECDK) scheme and gave a concrete scheme. In their scheme, the size of each document's index, the size of a trapdoor, and the time cost of pairing operations in the test process are all ( ). Since is the number of keywords in a dictionary, the previous PECDK scheme is impractical if is a large integer. Inspired by this problem, we proposed a new approach to build an efficient PECDK scheme with less time and space overhead [16]. However, these two PECDK schemes are based on the IPE scheme [17], which is a costly cryptographic prototype. In this paper, we aim to build an efficient PECDK scheme using an alternative method.
Main Works. In the scheme introduced in [17], the user first converts an index and a query keyword set into an attribute and a predicate vector, respectively. After this, the user can construct encrypted index and trapdoor by applying the attribute and predicate vectors to the encryption and key generation algorithms of IPE. The keyword search process can be executed by adopting the decryption algorithm of IPE. However, this scheme is constructed by utilizing many group operations due to being based on the IPE scheme. The IPE scheme adopts a technique called dual pairing vector space (DPVS), which generates 2 group elements to create the public key and secret key. By using these keys, both the storage size of the obtained indices and the time cost of the search process are linear with ( 2 ). To address this issue, we aim to create an efficient PECDK scheme without using IPE as the infrastructure. We take advantage of the conversion method similar to the one introduced in [16] for creating a group of vectors. Then, by applying these vectors to the prime order pairing groups, a PECDK scheme with a better time and space complexity than the previous schemes is presented. Security of our construction is based on decision linear Diffie-Hellman (DLIN) assumption in the random oracle model. In addition, we design an experiment that verifies the efficiency of the proposed scheme and give a detailed comparison with the previous scheme. The experiment result shows that the key generation, index building, trapdoor generation, and testing algorithms in our scheme are more efficient than those in the previous one. Besides, the space cost for indices in our scheme is also less than that in the previous one. In practice, client device, e.g., a mobile device, has less storage space and limited computation capacity. Thus, compared with the previous scheme, ours is much more suitable for the resource constrained environment.
Related Work. There are two classes of searchable encryption schemes in terms of different cryptography primitives: searchable symmetric key encryption (SSE) and searchable public key encryption (SPE).
SSE. Song et al. [18] introduced the definition of searching on encrypted data and gave a concrete scheme. Then, Goh [19] defined a formal security definition for SSE and presented an effective conjunctive keywords search scheme by using a technique called Bloom Filter. Soon afterward, many works [20,21] were constructed to improve the search efficiency and security level. These schemes failed to achieve a sublinear search speed. To address this issue, by taking advantage of tree structures, such as r-tree and kd-tree, SSE schemes with sublinear search time were released in [22,23]. The SSE scheme supporting Boolean keywords search with sublinear search time was given in [24]. In order to support queries with rich expressiveness, SSE schemes supporting media data and similarity keywords search are introduced in [25,26]. More important, these works also support dynamic update. In practical application, the search engine should return the top-related documents to users instead of returning all the search results. Some SSE schemes, supporting rank search, are proposed in [4][5][6] to obtain more accurate query results.
SPE. The first SPE scheme is called public key encryption with keyword search (PEKS), which was proposed by Boneh et al. [10]. Then, Abdalla et al. [27] defined the computational and statistical consistency in PEKS and presented a statistically consistent scheme. However, this work only supports a single keyword search. The concept of PECK was first proposed in [11]. They defined the security model of this mechanism and gave two constructions. One requires many bilinear pairing operations, while the other needs more private keys. Hwang and Lee [28] designed a more efficient scheme in a multiple users setting. However, all these constructions use the keyword field as additional information for keyword search. The keyword field may leak more information to the public. To eliminate the keyword field, Boneh and Waters [29] presented a public key encryption scheme called hidden vector encryption (HVE), which supports a conjunctive search, comparison queries ( ≥ ), and subset queries ( ∈ ) on encrypted data.
In order to create a SPE scheme supporting disjunctive keyword search, katz et al. [14] proposed a public key encryption scheme called inner product encryption (IPE), which is related to the attribute-based encryption (ABE) [30,31]. Recently, in order to better utilize the encrypted data and improve the security, some public key schemes which can support verifiable attribute-based search over outsourced encrypted data are proposed in [32][33][34][35][36][37]. For supporting advanced keywords search function, Zhang and Lu proposed the first PECDK scheme [15] by combining an efficient IPE scheme [17] and a keyword conversion method. However, their scheme is a costly solution due to using an IPE scheme. In fact, the PECDK scheme based on an IPE scheme needs more computation and storage cost than the one without utilizing an IPE scheme as a foundation. Therefore, in this paper, we will find a new method irrelevant to IPE to construct a more efficient PECDK scheme.
Organization. The remainder of the paper is organized as follows: The model and security definitions of PECDK are defined in Section 2. In Section 3, we propose our PECDK scheme and give the security proof for the scheme. The analysis of the presented PECDK scheme is described in Section 4. Section 5 presents some conclusions.

Preliminaries
In this section, we will give a formal definition of the PECDK model and the corresponding security model. Our scheme is based on this model and proven to be secure under this security model. Moreover, we also briefly introduce some basic ingredients used to create our scheme, including the bilinear pairing and the complexity assumption.

Model of PECDK.
In PECDK, let , be the receiver's public key and secret key. When a sender wants to send a message to a receiver with keywords 1 , 2 , . . . , , she uses the standard public key encryption system to encrypt and uses and keywords 1 , 2 , . . . , to construct the encrypted index of . After that, she sends the encrypted message and the encrypted index of to the server. When the receiver wants to retrieve messages including a specific list of keywords, he takes the , a symbol, and keyword set as input to construct a trapdoor and sends to the server. Note that the symbol is used to refer to the type of query, e.g., conjunctive form or disjunctive form. When the server receives the trapdoor, it tests each encrypted index by using the trapdoor and returns the matched messages to the receiver.
According to the description above, we give the model of PECDK based on the previous definition introduced in [16].

Definition 1.
There are four probabilistic polynomial time algorithms in the PECDK scheme. There are KenGen, IndexBuild, Trapdoor, and Test: (1) KeyGen(1 ): choosing a security parameter , this algorithm outputs the key pair ( , ) in which is the public key and is the secret key.
Otherwise, it holds with negligible probability.
In practical use, if a sender would like to send a message with keyword set , a ciphertext with the form of { ( , ), ( , )} will be created, where (⋅) is a frequently used public key encryption scheme, e.g., RSA. Similar with other related works [10,11,28], the proposal only concentrate on searchable encryption part, which is PECDK in this paper.

Security Definition of PECDK.
Since previous PECDK schemes are based on the IPE scheme, the security definition also depends on the security of IPE. For the PECDK scheme without using IPE, we need to give a new security definition. Inspired by the previous security definition called indistinguishability of ciphertext from random (IND-CR-CKA) introduced in [28], we define a security game under the PECDK model. The security game is described as follows.
(1) Setup: the challenger C runs the KeyGen(1 ) algorithm to generate the public key and the secret key . Then, C gives to the attacker A.
(2) Phase 1: the attacker A can adaptively ask the challenger C for the trapdoor for any query of his choice.
(3) Challenge: A selects a target keyword set * and sends it to C. After receiving * , C selects a random keyword set and sets 0 = * and 1 = .
(4) Phase 2: A can continue to ask for trapdoor for any query of his choice, and subject to the same restriction as before. A's advantage can be expressed as a function of the security parameter (1 ): Then, we have the following definition.
Definition 2. According to the game above, a PECDK is semantic secure if, for any probabilistic polynomial time attacker A, the function V e (1 ) is negligible.
An efficient bilinear map can be obtained by applying the Weil pairing or the Tate pairing [38].

Complexity Assumption.
We review the complexity assumption named Decision Bilinear Diffie-Hellman Inversion (Decision -BDHI) assumption [11], which is related to the bilinear pairing. The security of our scheme is based on this assumption. : Given a tuple  = { , ,   2 , . . . , } with the random choice of ∈ * and ∈ 1 , it is argued that an algorithm C outputting ∈ {0, 1} has advantage in solving the decision l-BDHI problem in 1 if

Decision -BDHI Assumption
where the probability ( [⋅]) is over the random choice ∈ 2 and random bits chosen by C.
Definition 3. The Decision l-BDHI assumption holds in 1 , if no probabilistic polynomial time algorithm has advantage at least in solving the Decision l-BDHI problem in 1 .

PECDK Scheme
Based on previous definitions and notations, in this section, we give our PECDK scheme without using IPE. Our scheme mainly involves three steps. Initially, we utilize a keyword conversion method inspired by the approach introduced in [16] to convert the index and query keywords into a set of vectors. Moreover, by applying the bilinear pairing under the prime order group, we encrypt these vectors to construct encrypted index and trapdoor. Eventually, a test algorithm is built to perform secure keywords query. The method adopted in the first step is described in Section 3.1, and the algorithms used in the second and third steps are given in Section 3.2.

Keywords Conversion Method.
The keywords in query and index are strings; thus we need to change all the keywords to a group of integers. Moreover, in order to verify whether the query matches the index or not, the integers between the query and index must hold some relationships. According to these concerns, we introduce a method that can convert the index and query set into a matrix and a vector. This method is based on the relationship between the roots and coefficients in an equation of degree with one unknown. Specifically, the roots and coefficients are used to create a matrix of index keywords and a vector of query keywords, respectively. By adopting a prime order group to encrypt the matrix and vector, an encrypted index and query can be built. The relationship between the matrix and vector can be utilized to construct the test algorithm.
Suppose that any keyword can be expressed as {0, 1} * ; we define a function 1 : {0, 1} * → * . Since is a large prime and is larger than the number of all words, 1 can be collision-resistance. This means that, if ̸ = , then where and are two distinct keywords. Let = { 1 , 2 , . . . , } and = { 1 , 2 , . . . , } be two keyword sets, where < . The method can be listed into three steps and described as follows.

Construction of PECDK.
By combining the keyword conversion method and the bilinear pairing under prime order group, we propose a PECDK scheme which allows the user to perform conjunctive and disjunctive keyword search over encrypted data. Our key idea is as follows. First, by adopting the keyword conversion method introduced in Section 3.1, we change the index and query keyword set into an index matrix and a query vector, respectively. Then, by using a set of elements randomly chosen from the prime order group, we encrypt the index matrix to the secure index and the query vector to the trapdoor, respectively. Specifically, in order to guarantee the scheme's security, the encryption process relies strictly on the complexity assumption given in Section 2. According to the above ideas, the concrete construction is proposed in the following paragraphs. Because of making use of the prime order group, the proposed scheme is more efficient than the previous scheme adopting the IPE cryptosystem on the time and space complexities. Experimental results showing the advantages of our scheme can be found in Section 4.
Note that the secure index can be seen as an encrypted version of matrix (3).   Correctness. The key idea of disjunctive keywords search is to determine whether there exists an ∈ [1, ] such that ∈ . For the conjunctive keywords search, we need to check whether there are keywords (1) , (2) , . . . , ( ) such that ( )

∈
, where ( ) ∈ [1, ] and ∈ [1, ]. According to these ideas, we know that the essence of test algorithm is to verify whether ∈ . In the proposed scheme, it is can be verified that Based on this, we argue that our scheme is correct.

Theorem 4. The proposed PECDK scheme is secure according to security definition in the random model if Decision ( + 1)-BDHI is hard.
Proof. Suppose that an algorithm A has advantage in breaking the PECDK under the security definition. Suppose A makes at most trapdoor queries, we can build an algorithm C which solves the decision ( + 1)-BDHI assumption with a probability at least = / ( + 1), where is the base of the natural logarithm, and is the number of keywords in an index. Let be a generator of 1 . Given , , 2 , . . . , +1 , , if =̂( , ) 1/ , the algorithm C outputs 1, 0 otherwise. The interaction between the algorithm C and the algorithm A is as follows: (i) Setup: the algorithm C works as follows: (1) The algorithm C randomly chooses numbers 1 , 2 , . . . , ∈ * and returns ( ) = ∏ =1 ( + ) = ∑ =0 .   (1) If the query is already in a tuple ( , ℎ , ) on 1 -list, then C responds with 1 ( ) = ℎ , where ℎ ∈ * .
(v) More queries: A continues to inquire trapdoor queries. The restriction is similar to the challenge phase.
Now, we show that the algorithm C can solve the decision ( + 1)-BDHI assumption with probability at least = / ( + 1). First of all, we should analyze the probability that C does not abort in trapdoor queries phase and challenge phase. We define two events: 1 : C does not abort due to any of A's trapdoor queries. 2 : C does not abort in challenge phase for generating . Suppose that is large enough. Therefore, the probability of the event 1 is at least (1 − 1/( + 1)) ≥ 1/ . The probability of the event 2 is 1/( + 1). If =̂( , ) 1/ , A's view is identical to its view in a real attack game. Since we assume that A can break the PECDK scheme with an advantage , it must satisfy | [ = ] − 1/2| ≥ . If is a random number, where ∈ 2 , then | [ = ]| = 1/2 since A made a random guess. Therefore, let = { , , Then we conclude the theorem.

Performance Analysis
In this section, we first give a detailed theoretical analysis for the previous scheme and then compare it with the proposed one. After that, we set up an experiment to show that our scheme has better performance than the previous one. For simplicity, we denote the proposed scheme and the previous one by PECDK-1 and PECDK-2, respectively.

Theoretical Analysis.
In an IPE scheme, each ciphertext associated with an attribute vector → can be decrypted by the secret keys corresponding to the predicate vector → V if and only if → V ⋅ → = 0. The PECDK-2 is based on the approach of converting an IPE scheme into a PECDK scheme. In order to analyze the efficiency of the previous one, we will introduce the conversion method, which is described as follows. (1) For is ∨, if there is at least one ∈ [1, ] such that the decryption algorithm ( , , ) outputs 1, the test algorithm outputs 1, otherwise, 0.
(2) For is ∧, the test algorithm will verify whether there are that can be decrypted by the decryption algorithm ( , , ). If so, the test algorithm outputs 1, otherwise, 0.
PECDK-2 is based on the IPE presented in [17]. For this IPE scheme, the time cost of setup, encryption, key generation, and decryption are all linear with ( 2 ), ( 2 ), ( 2 ), and ( ), respectively, where is the length of the predicate or attribute vector. Moreover, the space overhead of public key, master secret key ( ), ciphertext, and secret key is linear with ( 2 ), ( 2 ), ( ), and ( ), respectively. According to the conversion method mentioned above, we have the following results.
(1) The and in the previous scheme are the same as the and in the IPE scheme. Thus, the time and space cost of and are both linear with ( 2 ).
(2) Since the index of the previous scheme contains ciphertexts of IPE, the time and space cost of index are linear with ( 3 ) and ( 2 ), respectively. Because the algorithm of trapdoor generating is similar with that of the index building, the time and space cost of trapdoor is also linear with ( 3 ) and ( 2 ), respectively.
(3) The test algorithm needs to perform times decryption algorithm. Thus, the time cost of test is proportional to the square of .
For our scheme, contains 2 + 3 elements in group 1 and one element in 2 , and involves 2 + 3 elements in * . Thus, we know that the time and space cost of KeyGen algorithm in our scheme are both linear with ( ). Because the IndexBuild algorithm generates 2 2 + 3 elements in group 1 and elements in 2 , the time and space cost of IndexBuild algorithm are both linear with ( 2 ). The time cost and space cost of Trapdoor algorithm are both ( ) since this algorithm creates 2 + 2 elements in group 1 . Whether = ∧ or = ∨, the test algorithm executes at most ( ) pairing operations. Therefore, we can reckon that the time cost of test algorithm is less than ( ).
According to the above analysis, we will give two tables to demonstrate the comparison. Let | | be the time cost for Testing 2 (2 + 1) 2 ( + 1) a pairing operation [15] on 1 , and | 1 | and | 2 | be the time cost for the exponential operation on 1 and 2 , where 1 and 2 are two groups of a prime order. For evaluating the time complexity, we only take these two operations into account since the time cost of these two operations is much more than the time cost of other operations like group add operation. The theoretical analysis of time complexity is shown in Table 1.
We denote the size of an element of , 1 , and 2 by | |, | 1 |, and | 2 |, respectively. The comparison result of space complexity is shown in Table 2.

Experimental Results.
We implement our construction in JAVA with Java Pairing Based Cryptography (JPBC) library [39]. In our implementation, the bilinear map is instantiated as Type A pairing (base field size is 128 bits), which offers a level of security equivalent to 1024-bit DLOG [16]. Our experiment was run on Intel(R) Core(TM) i7-4570 CPU at 3.60GHz processor with 8GB memory size. Such an experiment is based on a group of artificial keyword sets with different number of keywords in each set (i.e., = 5; 10; 15; 20; 25), where each keyword set can be seen as an index of a document. In each keyword set, we denote each keyword as an unique integer in the range of [0, 1000], where 1000 can be regarded as the number of different words in the artificial keyword sets. We encrypt each keyword set with PECDK-1 and PECDK-2 schemes, and the encrypted indices were stored on our machine and then execute random queries over these encrypted indices (the number of documents and queries is denoted by and , respectively). In addition, for simplicity, we denote the conjunctive and disjunctive keyword search by CKS (conjunctive keywords search) and DKS (disjunctive keywords search), respectively. Figure 2 shows that the impact of on the time consumption. The statements of Figure 2 are described as follows.

Time Overhead.
(1) Figure 2(a) shows that the execution time of key generation in PECDK-2 is linear with ( 2 ), while that in PECDK-1 is linear with . The time cost of the key generation algorithm in PECDK-2 is nearly 100 times than that in PECDK-1 since PECDK-2 needs to generate a pair of orthogonal matrices and more exponential operations on 1 . (2) In Figure 2(b), we can find that the time cost of creating index in PECDK-2 is much more than that in PECDK-1, though the time complexities of index building in PECDK-1 and PECDK-2 are both linear with ( 2 ). The reason for this situation is that the DPVS structure used in PECDK-2 is based on a pair of orthogonal matrices, which will bring more exponential operations on 1 and some additional matrix operations. (3) The time consumption of testing in PECDK-1 and PECDK-2 is illustrated in Figure 2(c). In Figure 2(c), we can find that time cost of CKS and DKS in PECDK-1 is much less than that in PECDK-2. In addition, whether PECDK-1 or PECDK-2, the time cost in DKS is slightly less than that in CKS since DKS may test fewer keywords than CKS. (4) The time complexity of trapdoor generation in PECDK-1 is independent with , while that in PECDK-2 is linear with ( ). The trapdoor generation algorithm in PECDK-1 still needs much less time cost than that in PECDK-2 with the same reason described in (2). Figure 3 shows the impact of on the time consumption. Because the key generation and index algorithms are not related to the parameter , we only focus on the trapdoor generation and test algorithms. The comparison is stated as follows.
(1) The time costs of trapdoor generation in PECDK-1 and PECDK-2 are both linear with ( ), which is shown in Figure 3(a). However, the time cost of creating trapdoor in PECDK-2 is nearly 10 times than that in PECDK-1. The reason for this is that PECDK-2 needs more exponential operations on 1 . (2) Figure 3(b) shows that the time cost of testing in PECDK-1 is linear with ( ), while that in PECDK-2 is not related with . The reason is that the predicate vector and attribute vector must have the same dimension in an IPE scheme. So, we must convert the query keyword set into a predicate vector having the same length as the attribute vector generated from the index keyword set. According to this, the time cost of testing in PECDK-2 is independent to actually. In addition, the time cost in DKS is also slightly less than that in CKS since DKS needs less test operations.

Storage
Overhead. The storage cost of and , indices, and trapdoors are illustrated in Figure 4. The comparison results are listed as follows.
(1) Figures 4(a) and 4(b) show that the storage cost of and in PECDK-2 increases with ( 2 ), while that in PECDK-1 is linear with ( ). Moreover, the storage cost in PECDK-2 is more than 100 times than that in PECDK-1. The reason is that the PECDK-2 needs to store two matrices.
(2) In Figure 4  is linear with ( ). The storage cost in PECDK-2 is still more than that in PECDK-1.
Because the size of , , and indices are not related to the parameter , we only analyze the impact of parameter on the storage cost of trapdoor. According to Table 3, we find that the size of trapdoor in PECDK-2 is independent with since the query keywords must be converted into a predicate vector owing the same length to the attribute vector generated from the index keywords. The trapdoor size in PECDK-1 is linear with and less than that in PECDK-2.
According to the experimental results described above, we can find that these results are consistent with our theoretical analysis.

More Comments.
Generally speaking, the number of keywords in a document ( ) is usually only 3 ∼ 5 (e.g., the research paper), and the number of keywords in a query ( ) is often less than 10 [40]. According to above results, we can reckon that both and are less than 10 in the actual process of retrieval. According to the experiment result with = 10 and = 5, for the PECDK-1, the generation time of a single index and a single trapdoor is nearly 100 ms and 20 ms, respectively, and the test time of a single document is 15 ms.
Compared with the PECDK-2, it is more practical. Moreover, the time and storage cost of trapdoor in PECDK-1 scheme is very low, which means that the proposed scheme is fit for the mobile setting where the client has limited computation and storage resources.
Many applications require that the client cannot only add a group of documents to the server but also remove a set of documents from the server. Considering this situation, we need that the proposed scheme supports dynamic update. It means that users can update the encrypted indices and files securely. Many previous works can achieve this goal [24,25]. In our scheme, we adopt the forward index structure in which each file has its index. Thus, it can support dynamic update naturally. For example, when a client wants to add a document, he/she will generate an encrypted document and its corresponding secure index and send them to the server. If a client wants to delete a document, he/she will send a request to the server. The server will remove the related document and the associated index according to the request.
In addition, because each document has its own encrypted index, we can easily accelerate the search process by utilizing the technique of parallel computation [6]. Thus, we argue that our scheme is more practical in the cloud platform, which has strong computing power.

Conclusion
In this paper, we propose an efficient PECDK scheme based on a prime order group, which has better performance than the previous PECDK scheme. Our scheme is proven to be secure under the security definition. To justify the efficiency of the proposed scheme, we present detailed theoretical analysis and experimental results. These results show that the proposed scheme is more practical than the most efficient PECDK scheme based on the IPE scheme. In the future, we will focus on building a SPE scheme supporting more advanced search function.

Data Availability
The artificial data used to support the findings of this study are available from the corresponding author upon request.

Conflicts of Interest
The authors declare that they have no conflicts of interest.