PPSEB: A Postquantum Public-Key Searchable Encryption Scheme on Blockchain for E-Healthcare Scenarios

In current E-healthcare scenarios, medical institutions usually encrypt medical information and store it in an Electronic Health Record (EHR) system in order to ensure its privacy. To realize data sharing, a Public-key Encryption with Keyword Search (PEKS) scheme is indispensable, allowing doctors to search medical information while it remains in ciphertext. However, traditional PEKS schemes cannot resist keyword guessing attacks mounted with quantum computing, and their security depends on the confidentiality of the secret key. In addition, classical PEKS schemes hand over the search process to a third party, affecting the accuracy of the search results. Therefore, we propose a postquantum Public-key Searchable Encryption scheme on Blockchain (PPSEB) for E-healthcare scenarios. Firstly, we utilize a lattice-based cryptographic primitive to ensure the security of the search process and achieve forward security to avoid key leakage of medical information. Secondly, we introduce blockchain technology to solve the problem of third-party untrustworthiness in the search process. Finally, through security analysis, we prove the correctness and forward security of the solution in E-healthcare scenarios, and a comprehensive performance evaluation demonstrates the efficiency of our scheme compared with other existing schemes.


Introduction
In current medical scenarios, medical institutions generate a large amount of patient medical data. These data are difficult to supervise, lack necessary technical support, and cost medical institutions many resources. To solve this problem, many medical institutions have adopted EHR systems to reduce the burden and cost of maintaining medical information [1]. The EHR system is a digital health file with medical information as the main body and information sharing as the core. It aims to let patients manage their own medical data and let doctors access a patient's medical data if they have permission. However, outsourcing management of the EHR system is not an ideal choice. Because the third-party organization responsible for storing the EHR system has too much power, once a malicious attacker buys it, it can launch a collusion attack on the medical data in the system and threaten the privacy of medical data. To avoid this situation, medical institutions usually encrypt medical data through various encryption schemes [2] and store it in the EHR system. Therefore, how to realize the sharing of medical data between patients and doctors in the ciphertext state is a problem to be solved. Thus, Public Key Encryption with Keyword Search (PEKS) [3] is a marvelous candidate in cloud-assisted E-healthcare scenarios, realizing medical data retrieval without privacy leakage. As an efficient encryption primitive, it makes encrypted medical data searchable through keywords.
Although the existing PEKS schemes [4-6] have brought significant benefits to the Internet of Things, four significant obstacles have stood in the way of widespread use of PEKS in systems in recent decades. Initially, most PEKS schemes were established based on traditional hard cryptographic problems. Nevertheless, with the advent of quantum computers [7] and quantum information [8], the PEKS scheme will be threatened exponentially. Recent breakthrough articles [7] indicate that it may soon be realistic to adopt quantum computers, putting forward higher requirements for postquantum searchable encryption schemes than before. Secondly, most of the computational cost of cloud servers lies in searching target data from the third-party service agency, since cloud servers need to execute a verification procedure for the corresponding keyword. Due to the exorbitant public-key encryption operations, the existing PEKS scheme introduces a significant calculation overhead. In E-healthcare scenarios, the cloud server can work with medical data from mobile medical detection devices simultaneously to retrieve the data of multiple doctors. Therefore, it has a performance bottleneck on the medical cloud servers.
Thirdly, with the explosive utilization of mobile medical detection equipment, most schemes have key exposure problems [9]. The existing PEKS scheme cannot guarantee the forward privacy of the key. Once the doctor's secret key is compromised, the attacker can trace the trapdoor content previously submitted by the doctor, thereby further infringing on the confidentiality of the outsourced data [10]. In this regard, we optimize the lattice cryptography in our scheme to tie the key to a period, so that key exposure at the previous period will not affect the confidentiality of medical data at the later period, achieving the forward security of the key [11]. Last but not least, the search function of the traditional PEKS scheme is generally delegated to the service party. However, the untrustworthiness of the service party allows attackers to mount Keyword Guessing Attacks (KGA) on medical information. Fortunately, blockchain can effectively solve this problem [12][13][14][15][16][17]. Blockchain is a new database technology that can realize decentralized distributed architecture design. Its core technical concept was proposed by Satoshi Nakamoto [18] in 2008. Blockchain, as a distributed public ledger, records all transactions packaged in the block without the need for third-party control and ensures the safety and traceability of each transaction record [19]. After a single block is generated, all nodes in the blockchain network use a consensus algorithm to determine whether the block is on the chain, and each block is connected by a hash function, thereby effectively ensuring the immutability of transaction information.
Therefore, using blockchain technology to replace the service party in PEKS is an effective way to solve the problem of the untrustworthiness of the service party. For example, [20] replaces the traditional centralized server with a decentralized blockchain system, supports forward and backward privacy, and realizes privacy protection. [21] proposed a novel PEKS scheme, which eliminates the reliance on third-party institutions and makes the entire program completely decentralized. Therefore, to solve the above-mentioned hindrances, we propose a postquantum public-key searchable encryption on blockchain for cloud-assisted E-healthcare scenarios, called PPSEB, based on lattice cryptography [22,23], one of the postquantum cryptographic primitives, ensuring a robust security level. In addition, we reduce the security of PPSEB to the Learning With Errors (LWE) hardness assumption, which effectively resists keyword guessing attacks based on quantum computing launched by malicious attackers.
In our proposed scheme, the patient initially encrypts medical data and its keywords under the public key of the doctor and transmits the corresponding ciphertext to the cloud server for storage. Then, the doctor utilizes his/her secret key to compute a trapdoor corresponding to the keyword and uploads it to the blockchain. Further, the smart contracts on the blockchain search for the keyword ciphertext corresponding to the trapdoor and return its number to the cloud server. Finally, the cloud server sends the ciphertext of medical information matching the keyword to the doctor. In summary, we elaborate our main contributions as follows:
(1) We propose a postquantum Public-key Searchable Encryption on Blockchain (PPSEB) for E-healthcare scenarios. PPSEB is constructed on lattice-based public-key searchable encryption based on the LWE hardness assumption.
(2) We then introduce blockchain technology into our proposed scheme in response to the untrustworthiness of third parties during the search process. Therefore, we achieve the decentralization architecture of the PPSEB oracle and enhance the security level.
(3) PPSEB achieves forward security in order to solve the key leakage of various existing public-key searchable encryption algorithms.
(4) We give the computational proof of the correctness and forward security of PPSEB. Furthermore, the comprehensive implementation performance evaluation shows that our scheme is efficient in terms of testing time and computational cost compared with existing outperforming E-healthcare schemes and is suitable for medical scenarios.
The structure of our paper is organized as follows. In Section 2, we propose the design goals and security models of our scheme, considering three existing challenges for the proposed PPSEB scheme and the solution to make PPSEB work better in medical scenarios. In Section 3, we present our preliminaries of lattice and trapdoor. In Section 4, we present our PPSEB scheme and its main steps, including PPSEB.Initialization, PPSEB.KeyExt, PPSEB.Encrypt, PPSEB.PEKS, PPSEB.Trapdoor, PPSEB.Verification, and PPSEB.Decrypt. In Section 5, we provide the security analysis of PPSEB based on correctness and provable security. In Section 6, we give a precise performance evaluation. Finally, we conclude this paper in Section 7.

Design Goals.
In this paper, we consider three existing challenges for the proposed PPSEB scheme:
(1) How to make PPSEB resistant to the untrustworthiness of the service party. In the traditional searchable encryption scheme, a third-party organization is generally responsible for searching medical information, which lets malicious attackers collude with third-party organizations to provide unreliable search results. Therefore, we use blockchain to replace traditional third-party agencies.
(2) How to achieve the forward security of PPSEB. Key exposure is a thorny problem faced by existing searchable encryption schemes. Once the private key of the doctor is lost, the attacker can impersonate the doctor to initiate an inquiry for medical information, and the privacy of medical information cannot be guaranteed. Therefore, how to use lattice-based cryptography to ensure that the leakage of the master key used at this time will not result in the leakage of the past session key is a problem to be solved.
(3) How to make PPSEB resist KGA under quantum computing. The existing searchable encryption scheme cannot guarantee the security of the search process under the attack of quantum computing, and there is a significant commonality between the keywords of medical information. Once the attacker is equipped with a quantum computer, it is possible to launch KGA on medical information through quantum computing, which severely threatens the blockchain system based on traditional cryptography and then exposes the private information contained in the medical information. Consequently, resisting KGA launched by quantum opponents is also a challenging problem.
In order to make PPSEB work better in medical scenarios, the solution in this article should have the following characteristics:
(1) Postquantum KGA: PPSEB can resist KGA attacks under quantum computing.
(2) Forward security: PPSEB achieves forward security to solve the problem of private key exposure.
(3) Efficiency: PPSEB has a higher computational efficiency by reducing the size of the trapdoor.

Security Model.
In this section, we show the ciphertext indistinguishability of our scheme. We describe it through games between challenger S and adversary A, in which S generates the public system security parameters and initializes the public keys of the patient and the doctor. A receives them from S and is permitted to access the oracles below.

Hash Oracle (HO): A is permitted to access all values of HO in time $t$, where $t = 1, 2, \ldots, \eta$ and is the total number in the period. Then, A receives the corresponding hash value.

Break-in phase: After receiving A's query for the doctor's $SK_{r\|t}$ in period $t$, S returns the corresponding $SK_{r\|t}$ to A. We note that $t^*$ is the break-in period, which satisfies $t > t^*$.

Trapdoor Oracle (TO): A inputs a keyword $w$ to ask S for a trapdoor $T_w$. Then, we impose the restriction $t > t^*$ in order to ensure forward security, where $t^*$ is the break-in period.

Challenge phase: A takes $(w_0^*, w_1^*)$ in $t^*$ and then submits them to S as the challenge keywords. S then selects $b$ at random and obtains $CT^*_{t^*}$. Consequently, S returns $CT^*_{t^*}$ to A.

Guess phase: At last, , which means the benefit of A to distinguish ciphertexts in $t^*$ successfully.

Preliminary
Definition 1 (Lattice). Let $A = [a_1, a_2, \ldots, a_n] \in \mathbb{R}^m$ be $n$ linearly independent vectors in $m$-dimensional space. A lattice $L$ is composed of all linear combinations of $a_1, a_2, \ldots, a_n$ with integer coefficients, and we can define: . . , $a_n$ is known as a basis of $L$. Given a prime number $q$, a matrix

Definition 2 (LWE). Assume $q$ is a prime number. Given a random matrix $A \in \mathbb{Z}_q^{n \times m}$, a vector $b \in \mathbb{Z}_q^m$, and the error distribution $D$ on $\mathbb{Z}_q$, find the vector $s \in \mathbb{Z}_q^n$ that satisfies $b = A^T s + e \bmod q$, where $e \in D^m$.

Definition 3 (Statistical Distance). Given two variables $X, Y$ over a domain $D$, we define the statistical distance of $X$ and

Definition 4 (Discrete Gaussian Distribution). Let $\rho_{c,\sigma}(x) = \exp(-\pi \|x - c\|^2 / \sigma^2)$ be the standard Gaussian function, where $c$ represents the center and $\sigma$ represents the standard deviation. Then we define:

Lemma 1 (TrapGen) [24]. Let $q \geq 3$, $m \geq 2n \log q$. There is a polynomial-time algorithm TrapGen, which outputs a matrix $A \in \mathbb{Z}_q^{n \times m}$ statistically close to the uniform distribution and a trapdoor base

Lemma 2 (SamplePre) [25]. Given $L_q^{\perp}(A)$, a trapdoor base $Tr_A \in \mathbb{Z}^{m \times m}$, a parameter $s \geq \|Tr_A\| \omega(\sqrt{\log m})$, and a vector $v \in \mathbb{Z}_q^n$. Then, the SamplePre algorithm outputs a vector $w$ statistically close to $D_{L_q^{\perp}(A), s}$, such that $Aw = v \bmod q$.

Lemma 3 (SampleL) [26]. Set a positive integer $m > n$, $q \geq 3$. Given $L_q^{\perp}(A)$ and its trapdoor base , and vector $u \in \mathbb{Z}_q^n$. The SampleL algorithm computes $e \in \mathbb{Z}^{m+m'}$ statistically close to $D_{L_q^{u}(A|B), s}$ such that $(A|B)e = u \bmod q$.

Security and Communication Networks
Lemma 4 (SampleR) [26]. Set a positive integer $m > n$, $q \geq 3$. Given $L_q^{\perp}(B)$ and its trapdoor base $\sqrt{\log m}$ ) and vector $u \in \mathbb{Z}_q^n$. The SampleR algorithm outputs a vector $e \in \mathbb{Z}^{m+m'}$ over $D_{L_q^{u}(A|AR+B), s}$ and satisfies $(A|AR + B)e = u \bmod q$, where $s' = \max_{\|x\|=1} \|Rx\|$.

Lemma 5 (NewBasisDel) [27]. Set a positive integer $m > 2n \log q$, $q \geq 3$. Given $L_q^{\perp}(A)$ and a trapdoor base

Lemma 6 (SampleRwithBasis) [27]. Given a positive integer $m > 2n \log q$, $q \geq 3$, and a random matrix $A \in \mathbb{Z}_q^{n \times m}$, its column vectors can generate $\mathbb{Z}_q^n$. The SampleRwithBasis algorithm outputs an invertible matrix $R \in D^{m \times m}$, a lattice $L_q^{\perp}(B)$ and its trapdoor base

$(s, X) \leftarrow$ Initialization($\perp$): This step initializes the security parameters $s$ and the parameters of the Gaussian distribution $X$ in one time period $j$. The output is these parameters, which are used in the next step.

$(pk, sk) \leftarrow$ KeyExt($s$): On input the parameter $s$, it outputs the public key $pk$ and the secret key $sk$, which form the pair $(pk, sk)$.

$s_\varepsilon \leftarrow$ PEKS($pk, \varepsilon$): The algorithm takes a public key $pk$ and one keyword $\varepsilon$ as input, and outputs a ciphertext $s_\varepsilon$ of $\varepsilon$.

$t_\varepsilon \leftarrow$ Trapdoor($sk, s_\varepsilon$): On input the secret key $sk$ and one keyword $\varepsilon$, this algorithm outputs one trapdoor $t_\varepsilon$.

(1 or 0) $\leftarrow$ Verification($t_\varepsilon, s_\varepsilon$): On input a trapdoor $t_{\varepsilon'}$ and a searchable ciphertext $s_\varepsilon$, this algorithm outputs the comparison decision bit 1 if $\varepsilon' = \varepsilon$, or 0 otherwise.

Blockchain Architecture.
Blockchain is essentially a decentralized database, which is a string of blocks that are associated using cryptographic methods. Each transaction includes a hash function, Merkle tree, and so on. In this paper, we replace the search party in searchable encryption with blockchain to ensure the credibility of the search process. As shown in Figure 1, our paper optimizes and adjusts the five-layer architecture of the original blockchain and adds a data retrieval function to the application layer, so that the blockchain network can retrieve the keyword ciphertext based on the algorithm written in the smart contract.

System Model.
In this section, we give an introduction to the system model of our PPSEB scheme in Figure 2, with four main entities, including patient, doctor, a cloud server, and blockchain network.
(1) Patient: The patient integrates the Electronic Health Record (EHR), including various medical information such as drug-using records. Moreover, the patient encrypts the EHR and uploads it to the Cloud Server. Then the patient generates a set of keywords and the sequence number related to each specified keyword, and adds blocks to the blockchain.
(2) Doctor: The doctor needs to generate a trapdoor to search for information about patients. The doctor submits the corresponding trapdoor to the blockchain.
(3) Blockchain: After receiving the trapdoor from the doctor, the blockchain network starts chain code retrieval to search for the corresponding sequence number and submits it to the Cloud Server.
(4) Cloud Server: After receiving the query request, the Cloud Server can use the trapdoor to search all encrypted data and return the query results of the ciphertext corresponding to the keywords to the doctor. During the entire process, the server is unable to obtain any information about the data and keywords.

The Scheme of PPSEB.
In this section, we present our proposed scheme in detail. There are mainly seven steps in our scheme, including PPSEB.Initialization, PPSEB.KeyExt, PPSEB.Encrypt, PPSEB.PEKS, PPSEB.Trapdoor, PPSEB.Verification, and PPSEB.Decrypt, which are elaborated in the following paragraphs and algorithms.
$(X, \delta, \sigma, \mu, H_1, H_2, sk_r, sk_s)$ obtained from the Initialization step, we also have to input the current period $j$ together with the secret key $sk_{r\|i}$ in the previous period $i$. Then, the doctor performs the following operations, which are shown in Algorithm 2.

$N = (1, 2, \ldots, n)$ for each group. After that, the patient extracts keywords from each group of medical data and records them as $W = (w_1, w_2, \ldots, w_n)$. Finally, the patient encrypts each group of medical data with the doctor's public key $pk_{r\|j}$ at time $j$, obtains a ciphertext set $CM = (CM_1, CM_2, \ldots, CM_n)$, and generates an index set of the medical data ciphertext $I_M = \{(1, CM_1), (2, CM_2), \ldots, (n, CM_n)\}$, which is stored in the cloud server.
$(CT_j) \leftarrow$ PPSEB.PEKS($(X, \delta, \sigma, \mu, H_1, H_2, sk_r, sk_s)$, $j$, $SK_{r\|j}$, $w$): The patient runs the PPSEB.PEKS algorithm with the set $(X, \delta, \sigma, \mu, H_1, H_2, sk_r, sk_s)$, the public key $pk_{r\|j}$, the current time $j$, and the keyword $w$ as input. This Probabilistic Polynomial Time (PPT) algorithm is shown in detail below. For each keyword $w_i \in W$, the patient executes the PPSEB.PEKS algorithm, obtains $CT_W = (CT_j^1, CT_j^2, \ldots, CT_j^n)$, and pairs each keyword ciphertext with its number to generate the keyword index set $I_W = \{(1, CT_j^1), (2, CT_j^2), \ldots, (n, CT_j^n)\}$. Once $I_W$ is obtained, the patient calculates the hash value $H_1$ of $I$ and uses his own private key to generate a digital signature, writes down the transaction ID and timestamp, generates the corresponding transaction, and submits it to the master node for verification. After that, all nodes of the blockchain network execute the consensus algorithm, and the master node jointly packs the transaction orders in a period of time to form a block and then sends it to the affiliate node. Then, the affiliate node receives the block sent by the master node and verifies the transaction slip contained in the block. Firstly, the affiliate node extracts the public key of the patient stored in the

, where $pk_s$ and $sk_s$ are the public key and secret key of the patient, respectively
(5) Call the TrapGen($q$, $n$) algorithm to generate $pk_r \in \mathbb{Z}_q^{n \times m}$ and $sk_r \in \mathbb{Z}_q^{m \times m}$, where $pk_r$ and $sk_r$ are the public key and secret key of the doctor, respectively
(6) Return the set $(X, \delta, \sigma, \mu, H_1, H_2, sk_r, sk_s)$
ALGORITHM 1: $(X, \delta, \sigma, \mu, H_1, H_2, sk_r, sk_s) \leftarrow$ PPSEB.Initialization($k, X, \delta, \sigma$).
Finally, the doctor sends $Trap_{w\|j}$ to the blockchain through an efficient and secure communication channel.

$N_0$ or False $\leftarrow$ PPSEB.Verification($(X, \delta, \sigma, \mu, H_1, H_2, sk_r, sk_s)$, $CT_j$, $t_{w\|j}$): This PPT algorithm, run by the blockchain, takes as input the set $(X, \delta, \sigma, \mu, H_1, H_2, sk_r, sk_s)$, the ciphertext $CT_j$, and one trapdoor $Trap_{w\|j}$ of the doctor in this period $j$. If it outputs true, it means that the trapdoor $Trap_{w\|j}$ and the ciphertext $CT_j$ contain the same keyword $w$. Then, the blockchain returns the number $N_0$ of the ciphertext corresponding to the keyword to the cloud server. The cloud server finds the ciphertext of the keyword according to $N_0$ and returns it to the doctor (Algorithm 5).

$M_0 \leftarrow$ PPSEB.Decrypt($CM_0$, $j$, $SK_{r\|j}$): After the doctor obtains the ciphertext $CM_0$ of the medical data returned by the cloud server, he/she decrypts it with his/her $SK_{r\|j}$ at time $j$ to obtain the plaintext of the medical data $M_0$.

Security Analysis
In this section, we will demonstrate our scheme's correctness and provable security to achieve the security of the keyword ciphertext in our scheme under random oracle.

Correctness.
In this section, we suppose that the key pairs at time $j$ of the doctor and the patient are $(pk_{r\|j}, sk_{r\|j})$ and $(pk_{s\|j}, sk_{s\|j})$, respectively. Then, we set $w$ as the keyword of the ciphertext $CT_j$, and $w'$ is a keyword that matches the trapdoor $Trap_{w'\|j}$. It is well known that the cloud server can use $Trap_{w'\|j}$ at time $j$ to recover $(y'_{j1}, y'_{j2}, \ldots, y'_{jl}) = CT_{j1} - Trap^T_{w'\|j} CT_{j2}$ in PPSEB.Verification. Since the relationship between $w$ and $w'$ is uncertain, we divide the discussion into the following two situations:

$w\|j$ $CT_{j2}$, so we can decrypt the ciphertext $CT_j$ and obtain that: for $i = 1, 2, \ldots, l$, there must be $y_{ji} \neq 1$.

Case 2: If $w = w'$, then there is $CT_{j1} - Trap^T_{w'\|j} CT_{j2} = CT_{j1} - Trap^T_{w\|j} CT_{j2} = noi_j + (y_{j1}, y_{j2}, \ldots, y_{jl})\, q/2 - Trap^T_{w\|j} CT_{j2}$. Among them, $noi_j - Trap^T_{w\|j} CT_{j2}$ is a noise vector. According to [25], we need to ensure that the error vector is less than $q/5$, so that the decryption process does not make mistakes. Consequently, we can compute that: for $i = 1, 2, \ldots, l$, $y'_{ji} = 1$.
So, the cloud server can ensure that the keyword $w$ corresponds to the ciphertext $CT_j = (CT_{j1}, CT_{j2})$ and the trapdoor $Trap^T_{w'\|j}$; that is, PPSEB can achieve correctness. Last but not least, the cloud server sends the encrypted medical data corresponding to the keyword $w$ to the doctor, and the doctor obtains the corresponding plaintext data after decrypting it according to its key.

Provable Security.
, $v_{k1}, v_{k2}, \ldots, v_{kl})$, $k = 0, 1, \ldots, m$ from a random oracle machine. Then, C guesses $\tau = j^*$ as a point in time when A breaks the indistinguishability of the ciphertext. After that, C creates two lists, named $L_1$ and $L_2$. Finally, C interacts with attacker A. The steps are as follows:
(1) Challenger C runs the SampleR algorithm to obtain $R$, then C selects $\tau + 1$ vectors from $R^*, R_1^*, \ldots, R_\tau^*$ and assembles them into a matrix $F^* \in \mathbb{Z}_q^{n \times m}$, making $u_k$ the $k$-th column of $F^*$.
(2) Challenger C obtains $pk_r = F^* R^* R_1^* \cdots R_\tau^*$. Because $F^*$ is independent of $\mathbb{Z}_q^{n \times m}$ and $R_1^*, R_2^*, \cdots, R_\tau^*$ are irreversible matrices, $pk_r$ is independent of $\mathbb{Z}_q^{n \times m}$. Then, C selects a matrix as $pk_s \in \mathbb{Z}_q^{n \times m}$ and sets $\mu = u_0 \in \mathbb{Z}_q^n$ to get a set $(pk_r, pk_s, \mu, H_1, H_2)$. Last but not least, C sends $(pk_r, pk_s, \mu, H_1, H_2)$ to attacker A.

After receiving the set $(pk_r, pk_s, \mu, H_1, H_2)$, A executes the $H_1$ query and the $H_2$ query.

$H_1$ query: A initiates an inquiry on each $pk_r \| j$, where $j = 1, 2, \ldots, \tau$. C computes $R_j^* = H_1(pk_r \| j)$ and sends $R_j^*$ to A.

Case 1: $j = \tau + 1$. Challenger C gets $pk_{r\|j-1} = pk_r \cdot (R^* R_1^* \cdots R_\tau^*)^{-1}$ and runs the SampleRwithBasis algorithm to get $R_j$ and the basis $sk_{r\|j}$ of the lattice $L_q^{\perp}(A_{r\|j})$, where $A_{r\|j} = R_j^{-1} \cdot A_{r\|j-1}$. Then, C appends $(pk_r \| j, pk_{r\|j}, R_j, sk_{r\|j})$ to the list $L_1$. Consequently, C transmits $R_j$ to attacker A.

Case 2: $j > \tau + 1$. Challenger C finds $(pk_r \| j - 1, pk_{r\|j-1}, R_{j-1}, sk_{r\|j-1})$ in $L_1$. Then, C selects a matrix $R_j$ and carries out the NewBasisDel algorithm to compute $sk_{r\|j}$ as the basis of $L_q^{\perp}(pk_{r\|j})$, where $pk_{r\|j} = pk_{r\|j-1} \cdot R_j^{-1}$. Consequently, C appends $(pk_r \| j, pk_{r\|j}, R_j, sk_{r\|j})$ to $L_1$ and transmits $R_j$ to attacker A.

$H_2$ query: The attacker A queries $w$, and challenger C performs the following operations:

Case 1: $w = w^*$ and $j = j^*$. The challenger C calculates $R^* = H_2(w \| j)$ and sends $R^*$ to A.

Case 2: $w \neq w^*$ or $j \neq j^*$. The challenger C looks for $(pk_r \| j, pk_{r\|j}, R_j, sk_{r\|j})$ in $L_1$, selects a matrix $R_{w\|j}$, and executes the NewBasisDel algorithm to generate a basis $sk_{w\|j}$ of $L_q^{\perp}(pk_{r\|j} \cdot R_{w\|j}^{-1})$. Finally, C saves $(w \| j, pk_{r\|j} \cdot R_{w\|j}^{-1}, R_{w\|j}, sk_{w\|j})$ in $L_2$ and sends $R_{w\|j}$ to A.

Trapdoor Query.
When C receives a query for a keyword $w$ from A, C first looks at $L_2$, and if there is no $(w \| j, pk_{r\|j} \cdot R_{w\|j}^{-1}, R_{w\|j}, sk_{w\|j})$ in $L_2$, then this process will be restarted. Otherwise, C gets the private key $sk_{w\|j}$, runs the SamplePre algorithm to generate a trapdoor $Trap_{w\|j}$, and sends it to A.

Break-In Phase.
In this process, attacker A can query the private key of the doctor in the period $j > j^*$, and $j^* = \tau$ is set as the break-in time. After A queries $H_1$ on $pk_r \| j$, C sends the private key $sk_{r\|j}$ to A. In time $i$, which is the prior period, we can find $(pk_r \| j, pk_{r\|i}, R_i, sk_{r\|i})$ in $L_1$ because the attacker A will perform $H_1$ queries on $pk_r \| i$. Further, we calculate $pk_{r\|i} = pk_{r\|\tau+1} = pk_r \cdot (R_\tau^* \cdots R_2^* R_1^*)^{-1} \cdot H_1(pk_r \| \tau + 1)^{-1}$, for which $sk_{r\|i}$ is the basis of the lattice $L_q^{\perp}(pk_{r\|i})$. After that, challenger C calculates $R_{r\|i \to j} = H_1(pk_r \| j) \cdots H_1(pk_r \| i \to 1)$ and runs the NewBasisDel algorithm to obtain $pk_{r\|j} = pk_{r\|i} \cdot R_{r\|i \to j}^{-1}$ and $sk_{r\|j}$ in time $j$. Consequently, C sends $sk_{r\|j}$ to attacker A.

Challenge Phase.
Assuming that $w_0^*$ and $w_1^*$ are two keywords, challenger C randomly selects a value from $\{0, 1\}$ and assigns it to $b$. Then we need to divide into the following cases according to the value of $b$.

Guess Phase.
In this process, attacker A outputs $b' = 0$ or $b' = 1$ as the response to the Challenge phase. Analysis: To begin with, according to basic probability, the probability of C outputting the ciphertext of the keyword $w_1$ is 1/2.
Suppose that A can break the indistinguishability of the ciphertext with probability $p$. In addition, the probability that challenger C correctly obtains the break time is $1/m$. Consequently, C can solve the LWE hardness problem with probability $p/2m$. In a nutshell, the difficulty for the attacker of breaking the indistinguishability of the ciphertext can be reduced to the difficulty of the LWE hardness problem.

Performance Evaluation
In this section, to confirm the forward security, resistance to quantum KGA, and suitability for medical scenarios of our PPSEB scheme, we analyze the computational expense, security property, and network communication costs of our scheme and compare it with existing PEKS schemes [3,5,28,29] on actual performance in the medical setting through experiments and numerical simulation. The experiments evaluating the actual performance of our scheme were run on macOS with an Intel Core i7 CPU and 16 GB RAM. The implementation of the schemes is based on the C++ language, and we use medical data extremely close to actual applications of daily life to complete the experiments. Meanwhile, in order to realize the security of the q-ary lattices, the parameters satisfy $m > 2n \log q$, $q \geq 3$, since the algorithms relying on lattice-based cryptography depend on $q$, $m$, $n$. The notations used in the following descriptions of the experiments are provided in Table 1. The experimental data, averaged over 200 trials, are shown in the following figures, and the results accord closely with our design objective.
Our PPSEB is highly efficient compared with other PEKS schemes. The theoretical communication costs of each scheme are listed in Table 2.
We verify the theoretical values, and the experimental result in Figure 3 demonstrates that the trapdoor size of the PPSEB scheme is the smallest among all the schemes. Along with the steady growth in communication costs, our algorithm is superior to the others, indicating a potential to reduce network resource consumption.
As to the actual performance, Figure 3 indicates that the PPSEB scheme has a considerable efficiency advantage. The PEKS size of PPSEB is relatively close to that of the schemes [3,5,28] and much less than that of the scheme [29]. The trapdoor size in our scheme is a quarter of that in [29]. However, in terms of postquantum security, our proposed PPSEB is more secure than the schemes [3,5,28] when applied to medical data encryption protection. Thus, it is sound and acceptable for PPSEB to increase the nominal communication costs corresponding to the PEKS size.
In addition, we not only analyze the computational expense and security property of our scheme but also compare it with existing PEKS schemes [3,5,28] through experimental medical data. As shown in Figure 4, the testing time of our scheme is also much shorter than the other existing PEKS schemes. Significantly, the more the number of retrieving keywords increases, the more apparent the superiority becomes.
Besides, we test the testing time and computational expense of the PEKS schemes and record the results in Table 3.
Our scheme performs nearly the same as the scheme [3] in computational expense and searching efficiency according to the comparison in Figure 5. When the number of retrieving keywords is 180, the testing time of [5] is 7.2 s, and ours is 0.477 s, so that of [5] is 15.09 times that of PPSEB. As a result, our scheme is not only advantageous in terms of the postquantum property, but also relatively more efficient than the other schemes. Consequently, although the introduction of blockchain technology has brought a certain amount of complexity and extra overhead to our system, our PPSEB scheme realizes the postquantum property and forward security while maintaining the confidentiality of medical data, and shows superiority in applications in medical scenarios. From a more practical view, it is both convenient and swift for doctors to master the patient's physical condition, obtain the patient's medical records, and make the correct diagnosis promptly in practical medical scenarios. In addition, the performance of PPSEB in managing the medical data of Electronic Health Record systems, such as electronic medical records and electronic prescriptions, needs to be tested experimentally and studied further.
In Figure 6, we compare the PEKS computational expense of PPSEB with [3,5,28,29]. Among them, the PEKS computational expense of our scheme is much smaller than that of the other schemes, which shows that our scheme has higher efficiency under the same number of retrieving keywords.

One element bit size in $G_1$
$S_T$: One element bit size in $G_T$
$S_p$: One element bit size in $\mathbb{Z}_p$
$S_q$: One element bit size in $\mathbb{Z}_q$
$S_l$: The security level with a value of 10

Conclusion
In our paper, we proposed postquantum Public-key Searchable Encryption on Blockchain (PPSEB) for E-healthcare scenarios. PPSEB is capable of resisting keyword-guessing quantum computing attacks. Moreover, our proposed scheme combines public-key searchable encryption and blockchain, avoiding turning over the searching process to a third party and enhancing the security level. Furthermore, we assure forward security, maintaining the confidentiality of medical data. Both security analysis and comprehensive performance evaluation demonstrate that PPSEB can achieve the property of searching efficiency and lightweight of lower computational cost in retrieving keywords and generating trapdoor compared with other existing E-healthcare schemes.

Data Availability
The data used to support the findings of this study are available from the corresponding author upon request.

Conflicts of Interest
The authors declare that they have no conflicts of interest.