IsoqurPEKS: An Isogeny-Based Quantum-Resistant Public-Key Encryption Scheme with Keyword Search

Owing to the convenience and advancement of cloud applications, many users (e.g., companies or individuals) adopt remote cloud services to reduce the local storage overload and computing consumption. However, users always encrypt outsourced data before transferring it to the cloud server to protect the privacy of important data, which rules out flexible use of the data. Public key encryption with keyword search (PEKS) undoubtedly offers a precise resolution to this issue. Unfortunately, most PEKS schemes cannot withstand quantum computing attackers, a topic that is increasingly a research hotspot. To achieve postquantum security and a privacy-preserving search function, we propose a quantum-resistant PEKS scheme named IsoqurPEKS. Our proposed instantiation satisfies the basic semantic security notion of indistinguishability against chosen keyword attack (IND-CKA), and IsoqurPEKS is proved to be secure under the security model. Furthermore, we compare IsoqurPEKS with eight other current PEKS schemes with respect to security properties, communication, and computation costs. The comparison results indicate that the proposed scheme has the best security and performance among the nine PEKS schemes.


Introduction
Remote cloud services have the advantages of data accessibility, data scalability, data sharing, and consistent backups of enormous data [1]. Cloud applications, such as cloud storage, cloud computing, and cloud retrieval, are becoming more prevalent for data users and enterprises. Data uploaders usually outsource their data to the cloud server, saving local storage cost and offering easy data access. However, these remote servers are not always trusted since some malicious insiders may have full access to plaintext data. Once critical and sensitive data are exposed to hackers, significant threats to users' property and life safety may arise. Therefore, before uploading data to the cloud server, data providers encrypt the data using encryption algorithms to provide privacy protection, which deprives data users of all search capabilities.
Many cloud services, such as Baidu Cloud, Google Cloud, Windows Azure, and Amazon Simple Storage Service [2], promote the development of cloud storage and searching technologies. When performing data retrieval, a straightforward approach is for the cloud server to obtain a decryption key and search for the required items in plaintext. However, this method defeats the initial intention of outsourced data encryption because a corrupted insider (e.g., a compromised cloud storage provider's machine [3]) could access any unauthorized data. Another solution is for data users to download the whole database, decrypt all data locally, and retrieve the documents of interest, which requires a lot of memory space and computation capacity. This method makes no use of the cloud server; instead, it places high requirements on users, which is impractical in most applications [4]. To achieve data confidentiality and the search function at the same time, Song et al. [5] first put forward the concept of searchable encryption.
The searchable encryption mechanism enables data providers to upload encrypted data and multiple searchable keyword ciphertexts, while data users produce trapdoors for intended keywords. Using the trapdoor, a cloud server can execute a search to find matched keywords and the corresponding data ciphertext. According to the distinct generation types of encrypted keywords and trapdoors [6], searchable encryption is generally classified into public key encryption with keyword search (PEKS) and symmetric searchable encryption (SSE). Although SSE offers efficient retrieval and has been extensively researched [7], it still has the same key distribution problem as symmetric encryption. Then, Boneh et al. [8] introduced the first PEKS scheme, whose system architecture is shown in Figure 1. In our scheme, the data provider produces searchable ciphertext using users' public keys, and the user generates a keyword search trapdoor with their private key. Then, the trapdoor is transmitted to the cloud server to search for matched ciphertexts, which are finally returned to the user. Furthermore, Boneh et al. also formalized the notion of indistinguishability against chosen keyword attacks (IND-CKA) of PEKS, which ensures the privacy of searchable ciphertext [8].
However, most current PEKS schemes are designed based on classical hardness assumptions such as the discrete logarithm (DL) problem and the computational/decisional Diffie-Hellman (CDH/DDH) problem. Shor [9] pointed out that there is a quantum algorithm that solves the DL problem in polynomial time, which has inspired scholars to explore quantum-resistant PEKS scheme construction [10]. According to the report on postquantum cryptography [11], families of postquantum primitives are designed by the lattice, multivariate polynomial, code, and isogeny. In comparison, code-based and lattice-based cryptographies suffer from large key sizes. In addition, there are no searchable encryption-compatible structures based on multivariate polynomials and hash-based cryptography as far as we know.
Isogeny-based cryptography overcomes the above problem and has the potential for searchable encryption construction. An isogeny is a rational mapping from one elliptic curve to another, which is distinguished by its degree or kernel [12]. The isogeny problem is to find a mapping path given two specified isogenous elliptic curves. Studies on isogeny-based cryptography have matured gradually, and the fastest known algorithm to find such an isogeny takes subexponential time [13]. Isogeny-based encryption [14] gives a specific verification equation (i.e., $e(\phi(P), Q) = e'(P, \hat{\phi}(Q))$, where $\phi: E \to E'$ is an isogeny between two elliptic curves and $\hat{\phi}: E' \to E$ is its dual isogeny, $e$ and $e'$ are two bilinear maps into $G_T$ on $E$ and $E'$, respectively, and $P$ and $Q$ are generators of $E$ and $E'$, respectively), and the first PEKS scheme inspired us to design an isogeny-based quantum-resistant PEKS scheme.
This paper puts forward a new quantum-resistant PEKS scheme using isogenies, named IsoqurPEKS. We then prove its IND-CKA security under the quantum random oracle model (QROM) and analyze its communication cost and computation cost by comparing IsoqurPEKS with eight other PEKS schemes. The analysis results demonstrate that IsoqurPEKS has the least communication and computation overload while maintaining the property of withstanding quantum computer attacks.

Organization of This Paper.
Section 2 introduces related works about isogeny quantum-resistant PEKS schemes. Preliminaries covering elliptic curve and isogeny knowledge are introduced in Section 3. PEKS definitions, consistency, and security definitions of the quantum-resistant PEKS scheme are given in Section 4. The system model of the proposed IsoqurPEKS scheme, the threat model of each entity, and the design goals of this paper are presented in Section 5. Then, we introduce the quantum-resistant IsoqurPEKS scheme in Section 6, and we give the formal security proof of IsoqurPEKS in Section 7. Section 8 shows the property, communication cost, and time consumption comparisons with eight PEKS schemes. Finally, we summarize this paper in Section 9.

Related Works
Boneh et al. [8] first put forward the notion of public key encryption with keyword search (PEKS). Following this seminal work, further works on PEKS schemes [15-17] have been proposed in traditional public-key cryptography settings. Scholars have mainly explored two research orientations: diverse search functionality and security studies.
Concerning functionality search, Kim et al. [18] proposed the first privacy-preserving algorithm to test whether an encrypted string includes an encrypted pattern. Meanwhile, they designed a novel wildcard search on encrypted databases, which is used to support compound queries. In terms of multikeyword search, Wang et al. [19] proposed a secure searchable encryption scheme under the standard model supporting multikeyword retrieval. Liu et al. [20] put forward a multiuser and multikeyword search that hides the search pattern and access pattern. Zhang et al. [21] proposed a fuzzy multikeyword search in the cloud system using Word2vec technology. Liang et al. [22] utilized advanced k-nearest neighbor (k-NN) technology to enhance search accuracy and achieve an exact multikeyword fine-grained search. Zarezadeh et al. [23] presented a multikeyword rank search scheme that enhances usability and file retrieval accuracy. Asymmetric encryption schemes supporting Boolean queries in different scenarios such as cloud applications and mobile clouds were also studied [24, 25]. However, the above schemes are built on classical intractable assumptions and cannot resist quantum computing attacks.
Concerning security, scholars generally consider forward privacy and backward security of searchable encryption. Forward privacy ensures that inserting new files will not expose previous search information, and backward security means that deleting files will not disclose more information in the following search process. Zhang et al. [26] and Ning et al. [27] have discussed the threats posed to searchable encryption by file-injection attacks and passive attacks. Then, Bost et al. [28] used constrained pseudorandom functions and puncturable encryption to put forward searchable encryption with forward and backward secrecy under the symmetric mechanism. Zeng et al. [29] introduced searchable public key encryption built on attribute-based encryption, which satisfies forward privacy. These schemes still do not take resistance to quantum attacks into account.
Behnia et al. [30] proposed two lattice-based PEKS schemes with good computational efficiency and better security than the current ones. Xu et al. [10] utilized the learning with errors (LWE) hard problem and also proposed a lattice-based searchable encryption scheme, which satisfies postquantum security. However, lattice-based PEKS schemes have large keys because the keys are composed of matrices. Isogeny-based cryptography has small keys and has been studied deeply [12, 31-33].
We put forward a PEKS scheme based on the isogeny hardness assumption to resist quantum-computing attacks. Then, we prove its security under the QROM. Although there has been one isogeny-based PEKS scheme [34], the proposed IsoqurPEKS scheme has better efficiency. Moreover, we also evaluate this scheme by comparing it with eight current PEKS schemes in terms of communication cost and computation cost, indicating that our scheme has the best security and performance among these nine PEKS schemes.

Preliminaries
In this section, we introduce the basic elliptic curve and supersingular isogeny knowledge used in the scheme design. Notations used in this paper are shown in Table 1.

Elliptic Curve.
In our scheme, we will take advantage of the following basic knowledge. $\mathbb{F}_q$ is a finite field of order $q$. The equation $y^2 = x^3 + cx + d \bmod q$ defines an elliptic curve $E$ over $\mathbb{F}_q$, where $c, d \in \mathbb{F}_q$. Points on the elliptic curve E:

Isogeny.
An isogeny is defined on two elliptic curves $E$ and $E'$ as a rational and surjective mapping $\phi: E \to E'$. It preserves the group law of the points, i.e., $\phi(P + Q) = \phi(P) + \phi(Q)$ for any points $P, Q$ on $E$. Two elliptic curves $E$ and $E'$ defined over a finite field $\mathbb{F}_q$ are isogenous if and only if they have the same cardinality, i.e., $\#E = \#E'$. Since an isogeny can be represented by a rational polynomial, a degree, similar to that of polynomials, can be defined and used to differentiate various isogenies. According to Burdges et al. [14], any isogeny $\phi: E \to E'$ has one and only one corresponding dual isogeny $\hat{\phi}: E' \to E$, which has a specific relationship as follows: , where $e$ (resp. $e'$) is any bilinear pairing (e.g., Weil, Tate, and Ate pairing) on $E$ (resp. $E'$). Next, we consider some preliminary knowledge on hard problems that resist quantum computer attacks. We first give the following proposition.

Proposition 1. Let E be an elliptic curve determined by
where $c, d$ are from the finite field $\mathbb{F}_q$, and then, we give the $j$-invariant definition as follows: and the $j$-invariant distinguishes the isomorphism class since the necessary and sufficient condition for two curves to be isomorphic is that they have the same $j$-invariant.
The graph structure can embody isogeny-related hard problems. This graph structure is composed of isomorphism classes denoted by nodes and isogenies between curves denoted by edges. The isogeny graphs constructed from different degrees of isogenies are diverse, and the isogeny star is made up of various isogeny graphs that have the same nodes. Literature [31] gives detailed descriptions and visualized depictions of the isogeny star as shown in Figure 2. There are many isogeny paths from one node to another, which may consist of multiple isogenies. When the isogeny star is quite large, finding a path from the initial elliptic curve to the end elliptic curve, which lie in different isomorphism classes, will be rather difficult, which is the isogeny problem.
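The two classification rules used above (equal cardinality for isogenous curves, equal $j$-invariant for isomorphic curves) can be checked by brute force over a small field; this is an added example, not code from the paper, and it also shows that a curve and its quadratic twist share a $j$-invariant while usually landing in different isogeny classes over $\mathbb{F}_q$, because they are isomorphic only over an extension field. Assumptions: the standard formula $j = 1728 \cdot 4c^3/(4c^3 + 27d^2)$ for $y^2 = x^3 + cx + d$, an odd prime $q > 3$, and constructed field sizes and function names.

```python
from collections import defaultdict


def legendre(a, q):
    """Legendre symbol (a/q) for an odd prime q, via Euler's criterion."""
    a %= q
    if a == 0:
        return 0
    return 1 if pow(a, (q - 1) // 2, q) == 1 else -1


def is_elliptic(c, d, q):
    """y^2 = x^3 + c*x + d is an elliptic curve iff 4c^3 + 27d^2 != 0 in F_q."""
    return (4 * c**3 + 27 * d**2) % q != 0


def cardinality(c, d, q):
    """#E(F_q) including the point at infinity (naive O(q) point count)."""
    return q + 1 + sum(legendre(x**3 + c * x + d, q) for x in range(q))


def j_invariant(c, d, q):
    """j = 1728 * 4c^3 / (4c^3 + 27d^2) computed in F_q."""
    den = (4 * c**3 + 27 * d**2) % q
    return 1728 * 4 * c**3 * pow(den, -1, q) % q


def quadratic_twist(c, d, q):
    """Twist by the smallest non-square u: y^2 = x^3 + u^2*c*x + u^3*d."""
    u = next(v for v in range(2, q) if legendre(v, q) == -1)
    return (u * u * c) % q, (u**3 * d) % q


def isogeny_classes(q):
    """Map each cardinality (one isogeny class over F_q) to the set of
    j-invariants of the curves that have that cardinality."""
    classes = defaultdict(set)
    for c in range(q):
        for d in range(q):
            if is_elliptic(c, d, q):
                classes[cardinality(c, d, q)].add(j_invariant(c, d, q))
    return dict(classes)


def same_j_different_class(q):
    """Curves whose twist has the same j-invariant but another cardinality."""
    found = []
    for c in range(q):
        for d in range(q):
            if not is_elliptic(c, d, q):
                continue
            tc, td = quadratic_twist(c, d, q)
            n, tn = cardinality(c, d, q), cardinality(tc, td, q)
            # A twist keeps j and mirrors the trace: #E + #E_twist = 2q + 2.
            assert j_invariant(c, d, q) == j_invariant(tc, td, q)
            assert n + tn == 2 * q + 2
            if n != tn:
                found.append(((c, d), n, (tc, td), tn))
    return found


if __name__ == "__main__":
    q = 13  # constructed toy field size
    for n, js in sorted(isogeny_classes(q).items()):
        print(f"#E = {n:2d}: {len(js)} j-invariant(s): {sorted(js)}")
    print("same j, different isogeny class:", same_j_different_class(q)[0])
```

Over a field of cryptographic size the naive point count is infeasible, so the listing is only a way to see the structure of the classes, not a method for working with real parameters.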
Childs et al. [13] have pointed out that the most efficient traditional algorithm requires exponential time to find an isogeny between two isogenous elliptic curves. However, they came up with a quantum algorithm to construct an isogeny between two given elliptic curves with the same cardinality in subexponential time; the running time is bounded above by exp[( lnqlnlnq ] under the generalized Riemann hypothesis. Most importantly, there exists no faster quantum algorithm than that in the study by Childs et al. as far as we know. Assume that $\phi$ is an isogeny mapping from the elliptic curve $E$ to $E'$; we give the following two difficult problems under quantum computers.

Supersingular Isogeny (SSI) Problem.
Assume that the kernel $\langle [s]P + [t]Q \rangle$ specifies an isogeny $\phi: E \to E'$, where $s$ and $t$ are chosen randomly from $\mathbb{Z}/\ell^{e}\mathbb{Z}$ and are not divisible by $\ell$. Given the elliptic curve $E'$ and points $\phi(P), \phi(Q)$ on $E'$, it is difficult to find a generator $T$ of $\langle [s]P + [t]Q \rangle$. It should be noted that given a generator $T = [s]P + [t]Q$, it is trivial to solve for $(s, t)$. In other words, given two elliptic curves $E$ and $E'$ with identical cardinality, it is hard to calculate an isogeny $\phi: E \to E'$ using a quantum algorithm in polynomial time.

Extensional Computational Isogeny Problem (ECIP).
Given $P$ and $\phi(xP)$ with $x, \phi$ unknown, where the point $P$ is randomly selected on $E[N]$ and $x$ is a random number in $\mathbb{F}_q$, it is difficult for a quantum computer to calculate $\phi$ and $x$ in polynomial time.

Public Key Encryption with Keyword Search
This section introduces public key encryption with keyword search (PEKS) from three aspects: definitions, consistency, and security.

PEKS Definitions.
A PEKS scheme consists of four algorithms, namely, setup, PEKS, trapdoor, and test. The first PEKS scheme only considers encryption with a single keyword search [8]. In practice, a file usually contains many keywords. Therefore, we use the general extended definition of PEKS, which takes a set of keywords as input and keeps consistency. The formal constructions are as follows: It should be noted that the trapdoor algorithm is either deterministic or probabilistic, which is determined by the specific scheme design and security requirements. We only consider the initial form, i.e., the deterministic trapdoor algorithm, in this paper.

Consistency.
For a PEKS scheme, the most essential and critical requirement is consistency [16]; that is, the results returned by the cloud server should be what the user wants to acquire. Specifically, when the cloud server gets a trapdoor $T_{kw'}$ produced by the trapdoor algorithm and a ciphertext $CT_W$ generated by the PEKS algorithm, we formulate consistency as follows:

Security Definitions of the Quantum-Resistant PEKS Scheme.
The academic community usually defines the security of PEKS as the indistinguishability of keywords under chosen keyword attacks (IND-CKA). It means that the PEKS ciphertext keeps its contained keywords confidential against an adversary who cannot obtain the corresponding keyword search trapdoor. Specifically, IND-CKA security allows a PPT adversary $\mathcal{A}$ to get a public key, query the keyword retrieval trapdoors of some desired keywords, and adaptively select two sets of keywords of the same size as the challenge. A PEKS scheme is recognized to be secure if $\mathcal{A}$ cannot distinguish the two PEKS ciphertexts of the two challenge keyword sets.

IND-CKA Security.
In the depiction of IND-CKA security, a challenger $\mathcal{C}$ and an adversary $\mathcal{A}$ execute the following interactive game:
(i) Setup phase: On input of the security parameter $\lambda$, the challenger $\mathcal{C}$ produces public parameters $PP$ and executes the setup algorithm. Then, $\mathcal{C}$ produces receivers' public/private key pairs $(pk_{PEKS}, sk_{PEKS})$ and sends $PP$, $pk_{PEKS}$ to the adversary $\mathcal{A}$.

Figure 2: Isogeny graphs and isogeny star [31].

Security and Communication Networks
(ii) Query phase 1: In this phase, $\mathcal{A}$ can adaptively issue the following keyword search trapdoor query for desired keywords polynomially many times. Trapdoor query $Q_T(kw)$: for any search trapdoor query on the keyword $kw$, $\mathcal{C}$ produces the corresponding trapdoor $CT_{kw}$ by executing Trapdoor($sk_{PEKS}$, $kw$) and gives $CT_{kw}$ back to $\mathcal{A}$.
(iii) Challenge phase: Having terminated query phase 1, $\mathcal{A}$ adaptively selects two challenge keyword sets $W_1^*, W_2^*$ with the same number of keywords, i.e., $|W_1^*| = |W_2^*|$, and transmits these two sets to $\mathcal{C}$. Then, $\mathcal{C}$ chooses a random 0/1 bit $b$ and calculates the challenge ciphertext $CT^* = CT_{W_c^*}$ by performing the PEKS($sk_{PEKS}$, $kw$) algorithm. Finally, $\mathcal{C}$ transmits $CT^*$ to $\mathcal{A}$.
(iv) Query phase 2: $\mathcal{A}$ can continue to issue search trapdoor queries for any keywords in this phase as in query phase 1, except for the keywords in the challenge sets $W_1^*, W_2^*$.
(v) Guess phase: Finally, $\mathcal{A}$ returns a guess bit $b'$ for the challenge ciphertext $CT^*$.
We say that the adversary $\mathcal{A}$ succeeds in the above game if they guess the right bit, i.e., $b' = b$. Assuming that $\Pr[b' = b]$ denotes the probability of $\mathcal{A}$ successfully guessing the bit, the advantage of $\mathcal{A}$ winning this game is set as
Definition 1. A PEKS scheme is recognized to be indistinguishable against chosen keywords attacks if, for any PPT adversary $\mathcal{A}$, the advantage $Adv^{IND-CKA}_{\mathcal{A}}(\lambda)$ of succeeding in the above game is nonnegligible.
We use a quantum random oracle to simulate hash functions in the formal security proof of the proposed IsoqurPEKS scheme. However, an obstacle to security proofs is how to produce random values for exponentially many queries, that is, how to simulate a hash function under the quantum random oracle model (QROM). In the next part, we give several preliminary definitions used in the QROM.

Specific Techniques Used in QROM.
To simulate a hash function $H: D \to R$, an adversary submits a superposition $|\varphi\rangle = \sum \lambda_x |x\rangle$ and the random oracle outputs $\sum \lambda_x |H(x)\rangle$. If $R$ is very large for a quantum simulator, it is hard to return all random responses of $H$ by computing $\sum \lambda_x |H(x)\rangle$. Zhandry [35] put forward a solution by introducing the concept of $k$-wise independent functions.
In the following, we introduce the concept of marginal weight distribution. A weight distribution on a set $D$ is defined by a probability distribution function $\mathcal{D}: D \to \mathbb{R}$ that satisfies $\sum_{x \in D} \mathcal{D}(x) = 1$, where $\mathcal{D}(x) \ge 0$ for all $x \in D$ is an assignment on $D$. We consider a family of functions $H: D \to R$ for a domain $D$ and range $R$, denoted by $\mathcal{H}_{D,R}$. We give the definition of the marginal weight distribution $\mathcal{D}_G$ of $\mathcal{D}$ on $\mathcal{H}_{G,R}$, where the weight of a function $H_G: G \to R$ equals the sum of the weights of all $H \in \mathcal{H}_{D,R}$ that are consistent with $H_G$ on $G$. In other words,
Definition 2. Two weight distributions $\mathcal{D}_1$ and $\mathcal{D}_2$ on $\mathcal{H}_{D,R}$ are called $t$-wise equivalent if, for all $G \subset D$ with size $t$, the marginal weight distributions $\mathcal{D}_{1,G}$ and $\mathcal{D}_{2,G}$ over $\mathcal{H}_{G,R}$ are the same.

Definition 3.
A function $g$ is called a $t$-wise independent function if $g$ is equal to a random function for all $G \subset D$ with size $t$. Next, we give the definition of the semiconstant distribution, which is used to support inserting a random value into a small but essential part of the oracle inputs.
(i) First, a random value $y$ is selected from $R$.
(ii) Then, for each $x \in D$, assign $y$ to $H(x)$ with probability $\omega$; $x$ is then said to be a distinct input to $H$. Otherwise, assign a random element of $R$ to $H(x)$.

Problem Formulation
In this section, we describe the system architecture of IsoqurPEKS, the threat model of each entity, and the design goals of this paper.

System Model.
The system includes the following parties: cloud server (CS), data providers (DPs), and request users (RUs), as depicted in Figure 3. The characteristics and function of each party are as follows:
(i) Data providers (DPs): Each DP produces his or her public key and private key on input of the security parameter. Moreover, the DP extracts keywords from files, encrypts files using symmetric encryption, and computes the searchable keyword ciphertexts associated with the corresponding files. Finally, the DP stores encrypted files and searchable ciphertexts on the CS.
(ii) RUs: Request users use targeted keywords to generate search trapdoors and send them to the CS for the information retrieval operation. Then, RUs decrypt the desired files when receiving matched ciphertexts from the CS.
(iii) CS: The cloud server has almost unlimited storage and computing power in the PEKS system. The CS is in charge of storing encrypted files and searchable ciphertexts received from DPs. Then, the CS handles search queries and returns the corresponding search result ciphertexts to RUs.
In our proposed IsoqurPEKS scheme, the data provider first extracts keywords (e.g., using the Porter stemming algorithm [36]) from the documents to be uploaded. Then, they use the targeted user's public key and a symmetric key to generate a searchable keyword ciphertext and the corresponding encrypted document, which will be transferred to the cloud server (CS). When a request user (RU) searches for documents that include a specific keyword, the RU uses their secret key to produce a keyword search trapdoor and transfers it to the CS. Finally, the CS returns matched encrypted documents by evaluating a verification equation on the trapdoor and the searchable ciphertexts.

Threat Model.
In our scheme, we suppose that DPs honestly follow the PEKS algorithm to produce searchable ciphertexts for authorized users and transmit these ciphertexts to the CS.
RUs are assumed to be semihonest adversaries. They honestly execute the scheme when conducting a search query but may attempt to learn sensitive information associated with the ciphertexts and queries produced by other DPs and RUs, respectively.
The CS is supposed to be honest but curious: it will honestly perform the test algorithm but has an interest in obtaining desired information about other parties through either intermediate values or computation results.

Design Goals.
Our goal is to propose an isogeny-based quantum-resistant PEKS scheme equipped with functions and security requirements.
(iii) Quantum attack resilience: There does not exist a polynomial-time quantum algorithm that could acquire RUs' private information such as private secrets and plaintexts uploaded by DPs.

Proposed IsoqurPEKS
Our proposed scheme consists of four algorithms: setup, PEKS, trapdoor, and test. The setup algorithm is executed by a user and, on input of a security parameter, generates the user's public and private key pair using an isogeny and a random number. The PEKS algorithm is performed by data providers and used to produce the searchable ciphertext, which resists quantum computer attacks. To obtain files containing specific keywords from the cloud server, a user uses their secret key to perform the trapdoor algorithm, which outputs a searchable trapdoor. Finally, the cloud server takes the trapdoor, the user's public key, and the searchable ciphertext as input and then returns the correct ciphertexts to the user by the test algorithm.
(i) Setup($\lambda$): the setup algorithm is executed by a user to produce a private key and public key pair.
(ii) PEKS(PK, W): when a data provider transmits encrypted files to the cloud server for secure storage and retrieval, they extract keywords $W = \{kw_1, \ldots, kw_n\}$ from the file to upload and perform the following steps: For each $kw_i \in A$, the DP randomly selects $r, s \in \mathbb{Z}_N^*$ and uses the random numbers and the authorized user's public key to compute searchable ciphertexts. Then, they initialize a history-independent array $L$ to store the ciphertexts $C_i$, $i \in \{1, \ldots, n\}$. Finally, this algorithm outputs the PEKS ciphertext $AE = (C_0, L)$ and sends it together with the corresponding encrypted file to the cloud server.
(iii) Trapdoor(SK, kw): if a user wants to request files that include the keyword $kw'$, they use their private key $\alpha, \phi$ to compute a trapdoor $T_{kw'} = \phi(\alpha H'(kw'))$ and transfer the trapdoor $T_{kw'}$ to the cloud server.

(iv) Test(PK, AE, $T_{kw'}$): given the public key PK, a PEKS ciphertext $AE = (C_0, L)$, and a trapdoor $T_{kw'}$, the cloud server performs the following steps: It initializes an empty set $S$ and verifies whether $h(e(C_0, T_{kw'})) \in L$.
If $h(e(C_0, T_{kw'})) \in L$, the CS adds the corresponding encrypted file to $S$; otherwise, it moves on to the next ciphertext. Finally, the CS returns $S$ to the user.
It should be noted that our main work focuses on security against quantum attacks, and we suppose keywords are uncertain and unlimited. Thus, we do not take the keyword guessing attack into account.
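The four algorithms above, traced end to end in a deliberately insecure scalar model (an added example, not the authors' implementation): each point is replaced by a scalar modulo a prime $N$, the pairing by multiplication, and the isogeny and its dual by multiplication with one secret scalar, which keeps the relation between $\phi$ and $\hat{\phi}$ that makes Test succeed. Assumptions: the public key has the form $(\hat{\phi}(\alpha P_1), \hat{\phi}(\alpha P_2), P_1, P_2)$, the stored tags are $C_i = h(t_i)$ with $t_i$ as given in the cost analysis of the comparison section, one pair $(r, s)$ is drawn per ciphertext, and all function names and parameters are constructed.

```python
import hashlib
import secrets

# Constructed toy model, NOT secure: a point of E or E' is represented by its
# discrete logarithm (a scalar mod N), so the isogeny problem is trivial here.
N = 2**127 - 1  # prime group order (constructed parameter)


def rand_scalar():
    return secrets.randbelow(N - 1) + 1  # uniform in [1, N-1]


def pairing(a, b):
    """Bilinear map e (and e'); the target group G_T is written additively."""
    return a * b % N


def phi(sk, point):
    """Isogeny phi: E -> E', modelled as multiplication by a secret scalar."""
    return sk["d"] * point % N


def phi_dual(sk, point):
    """Dual isogeny E' -> E, so that e'(phi(P), Q) == e(P, phi_dual(Q))."""
    return sk["d"] * point % N


def hash_to_point(keyword):
    """H': keyword -> point of E."""
    digest = hashlib.sha256(b"H'|" + keyword.encode()).digest()
    return int.from_bytes(digest, "big") % N


def h(gt_element):
    """General hash h on G_T (SHA-256, as in the paper's cost comparison)."""
    return hashlib.sha256(gt_element.to_bytes(16, "big")).hexdigest()


def setup():
    sk = {"alpha": rand_scalar(), "d": rand_scalar()}
    p1, p2 = rand_scalar(), rand_scalar()  # points of E'
    # Assumed public key shape: (phi_dual(alpha*P1), phi_dual(alpha*P2), P1, P2)
    pk = (phi_dual(sk, sk["alpha"] * p1), phi_dual(sk, sk["alpha"] * p2), p1, p2)
    return pk, sk


def peks(pk, keywords):
    pk1, pk2, p1, p2 = pk
    r, s = rand_scalar(), rand_scalar()  # assumption: one (r, s) per ciphertext
    c0 = (r * p1 + s * p2) % N
    tags = []
    for kw in keywords:
        hp = hash_to_point(kw)
        # t_i = e(PK1, r*H'(kw_i)) * e(PK2, s*H'(kw_i)); "*" in G_T is "+" here
        t = (pairing(pk1, r * hp) + pairing(pk2, s * hp)) % N
        tags.append(h(t))
    # Sorted so the stored layout does not depend on keyword order
    # (stand-in for the history-independent array L).
    return c0, sorted(tags)


def trapdoor(sk, keyword):
    """T = phi(alpha * H'(kw')), deterministic as in the paper."""
    return phi(sk, sk["alpha"] * hash_to_point(keyword))


def peks_test(pk, ciphertext, td):
    """Server-side check h(e(C0, T)) in L; pk is part of the interface only,
    the check itself needs no key material."""
    c0, tags = ciphertext
    return h(pairing(c0, td)) in tags


if __name__ == "__main__":
    pk, sk = setup()
    ct = peks(pk, ["invoice", "q3-report"])  # constructed sample keywords
    print(peks_test(pk, ct, trapdoor(sk, "invoice")))  # matching keyword
    print(peks_test(pk, ct, trapdoor(sk, "payroll")))  # non-matching keyword
```

Because the trapdoor is deterministic, two searches for the same keyword produce identical trapdoors that the server can link, whereas the ciphertexts are re-randomized by $r$ and $s$ on every call.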

Security Proof
In this section, we prove the IND-CKA security of the IsoqurPEKS instantiation under the QROM; the proof method has been used in lecture [37].

Theorem 1. For the advantage $Adv^{SSI}(\mathcal{R})$ of the computational isogeny problem and the advantage $Adv^{IND-CKA}_{IsoqurPEKS}(\mathcal{A})$ of $\mathcal{A}$ breaking IsoqurPEKS's security, we have the following equation under the quantum random oracle model:
where $q_h$ is the maximum number of hash function queries.
Proof. Game $G_0$: this game is executed by the adversary $\mathcal{A}$, who tries to break the real scheme as 1, and the challenger $\mathcal{C}$. Specifically, $\mathcal{C}$ responds to the trapdoor query according to the trapdoor algorithm:
(i) Trapdoor query $Q_T(kw')$: Given a query keyword $kw'$, $\mathcal{C}$ computes $T_{kw'} \leftarrow$ Trapdoor(SK, $kw'$) and gives $T_{kw'}$ back to $\mathcal{A}$.
Assume that the adversary $\mathcal{A}$'s advantage in this game is $Adv(\mathcal{A}, G_0) = \epsilon$ and that the challenger $\mathcal{C}$ knows the related secret values. The advantage of $\mathcal{A}$ breaking IND-CKA in $G_0$ is the same as that in the real world: $Adv(\mathcal{A}, G_0) = Adv(\mathcal{A}, Real)$.
Game $G_1$: The game $G_1$ is identical to $G_0$ except for the generation of the challenge ciphertext $CT^*$ in the challenge phase. It should be noted that the public keys are changed into $(\phi(xQ_1), \phi(xQ_2), Q_1, Q_2)$ and that the private keys are $(x, \phi, \hat{\phi})$, where $x \in \mathbb{F}_q$, $Q_1, Q_2 \in E'[N]$ are two points, and ϕ: is an isogeny. These settings correspond to PK and SK of the proposed scheme in Section 6. Therefore, the challenge ciphertext is accordingly trans- is a hash function, and $h: \{0,1\}^* \to \{0,1\}^{\lg N}$ is a general hash function. This transformation does not change the searchable ciphertext computing rule, and no more information has been leaked; thus, we have Adv A,
Game $G_2$: In this game, we introduce the rule of aborting. Let $\omega$ be selected from $(0, 1)$, and let $W$ be a subset of $D$ where $kw$ is randomly chosen from $D$ and placed in $W$ with an independent probability $\omega$. $W_0^*, W_1^*$ are two challenge keyword sets chosen by $\mathcal{A}$. $G_2$ aborts if two challenge keyword sets
Before continuing to the next simulation, we give the following lemmas [35] to depict the QROM.

Lemma 1.
Let $\mathcal{A}$ be an adversary with quantum computing capability that makes $q$ queries to a random oracle $H: D \to R$. We depict $H$ using some weight distribution $\mathcal{D}$; that is, for each $z$, the probability value for all possible $r_i$ and $d_i$.

Lemma 2.
Suppose there is a $2q_i$-wise independent function. In that case, it can be successfully simulated by a quantum algorithm $\mathcal{R}$ when any quantum adversary $\mathcal{A}$ makes $q_i$ queries to random oracles $B_i$, which could have the same output values while making no queries.
According to the above lemmas, we can see that quantum random oracles are simulated by a quantum algorithm $\mathcal{R}$ in polynomial time. This technique can simulate the hash function queries and responses of the $H'$-query and $h$-query in IsoqurPEKS's security proof.
In addition, how to insert randomly selected values into the intended quantum oracle queries is another problem of security proofs under the QROM. For this, we have Lemma 3 as follows.
Lemma 3. The distribution of outputs of a quantum algorithm making $q_H$ queries to an oracle drawn from the semi-constant distribution $\omega$ is at most a distance $3/8\, q_H^4 \omega^2$ away from the case when the oracle is drawn from the uniform distribution.
We assume that if an adversary $\mathcal{A}$ queries the inserted value of the corresponding oracle outputs, then the simulation is successful with probability $\epsilon$. Furthermore, the probability of successful simulation is $\epsilon\omega - 3/8\, q_H^4 \omega^2$ if $\mathcal{A}$ uses one of the values with probability $\omega$, where the choice of $\omega$ decides the success probability. We employ this solution to insert a hard-to-solve SSI problem into an output of the hash function $h$ in IsoqurPEKS's security proof.
Game $G_3$: This game introduces a quantum random oracle. In other words, the computing method of the hash function $H'(\cdot)$ is changed. $\eta$ is set as $H'(kw^*)$ for all $kw^* \in W$, and hash outputs are randomly selected for other queries. In this case, $H'$ is distributed according to $SC_\omega$. According to Lemma 3, the distance of the output distribution in $G_3$ is $3/8\, (q_h + 1)^4 \omega^2$ from that in $G_2$. Therefore, we have
Game $G_4$: In game $G_4$, the rule for producing challenge ciphertexts is changed, and $C_i^*$ $(i = 1, \ldots, n)$ are randomly selected instead of being computed by $h(C_i^*)$. The final challenge ciphertext is independent of the challenge keyword sets. Therefore, we have $Adv(\mathcal{A}, G_4) = 0$.
We construct an algorithm $\mathcal{R}$ for the isogeny problem with the advantage $Adv^{CSSI}_{W}(\mathcal{R})$. We suppose that $\mathcal{R}$ has quantum access to random oracles where the probability of $H''$ outputting 1 is $\omega$. Let $W$ be the set of $kw^*$ such that $H'(kw^*) = 1$. We can infer that the above conditions are equivalent to $G_4$. According to Lemma 2, $\mathcal{R}$ can simulate $(H', H'')$ and $h$ by separately using a $(q_{H'} + 1)$-wise and a $(q_h + 1)$-wise independent function without oracle queries. $L$ is an initially empty list held by $\mathcal{R}$.
Then, $\mathcal{R}$ transfers the public parameters $E, E'$ and $PK = (\phi(xQ_1), \phi(xQ_2), Q_1, Q_2)$ to $\mathcal{A}$.
(ii) Challenge ciphertext simulation. $\mathcal{R}$ chooses random $r^*, s^*$ and computes $C_0^* = r^*\phi(xQ_1) + s^*\phi(xQ_2)$, $\eta$ as the challenge ciphertext.
(iii) $H'$-query. Upon receiving $kw$, $\mathcal{R}$ sets the outputs of $H'$ as follows:
Hash query $Q_{H'}(kw)$: It uniformly selects a random $\alpha_i$ and computes $\alpha_i\phi(x^{-1}P_1)$. Then, $\mathcal{C}$ stores $(kw, \alpha, \alpha_i\phi(x^{-1}P_1))$ in the $H'$-list, and $\alpha_i\phi(x^{-1}P_1)$ is transferred to $\mathcal{A}$.
Trapdoor query $Q_T(kw')$: Given a query keyword $kw$, $\mathcal{C}$ looks up $kw'$ in the $H'$-list and, if $kw'$ is in the $H'$-list, uses $\alpha$ from the $H'$-list to compute $\alpha_i P_1$; otherwise, it uniformly chooses an $\alpha$ and computes $\alpha P_1$. Finally, $\mathcal{C}$ returns $\alpha_i P_1$ to $\mathcal{A}$.

Success Probability Analysis.
If $\mathcal{A}$ performs queries contained in $W$ to $H'$, $\mathcal{A}$ could distinguish the simulation environment from the real environment. Nevertheless, these events will not occur due to the game hopping in $G_2$. Then, $\mathcal{A}$ succeeds in the game with the advantage $Adv(\mathcal{A}, G_5)$. Hence, we have
Then, by combining advantages, we have
Because the right side of the equation is minimized when

Comparison and Analysis
To the best of our knowledge, there is no isogeny-based quantum-resistant PEKS scheme currently. There are many public encryption schemes with keyword search [38-45], but they cannot withstand quantum attacks since these schemes are based on the classical DL assumption, DBDH assumption, or CBDH assumption. In this section, we first compare IsoqurPEKS with existing PEKS schemes regarding security properties. Then, we compare IsoqurPEKS with the other eight PEKS schemes in terms of computation and communication costs. Table 2 shows the comparison results between the proposed IsoqurPEKS scheme and its counterpart PEKS schemes concerning security properties. The proposed IsoqurPEKS scheme is based on the isogeny hardness assumption, and its security has been proved in Section 7 under the quantum random oracle model. Thus, our scheme can resist quantum attacks. Moreover, our construction does not require a trusted authority to generate secret keys, which some PEKS schemes require.

Subsequently, we analyze the computational complexity with respect to searchable ciphertext generation, trapdoor generation, and testing. We only consider the time-consuming operations, e.g., hash-to-point ($T_H$), bilinear pairing operation ($T_{BP}$), general multiplication over point ($T_{GM}$), modular exponentiation operation ($T_{EX}$), and isogeny operation ($T_{Iso}$). According to [46], we get the running time of different operations implemented on a Raspbian GNU/Linux 8 system with ARMv7 Processor rev 4 1.2 GHz. Because the isogeny operation happens in the trapdoor generation process, which is performed by the cloud server, we use the isogeny (i.e., group action) computing time as described in [47]. Above all, we have $T_H = 47.312$ ms, $T_{BP} = 30.829$ ms, $T_{GM} = 0.098$ ms, $T_{EX} = 20.352$ ms, $T_{Iso} = 40.8$ ms. Table 3 shows the different operation comparisons of nine PEKS schemes. In the PEKS phase, the data provider generates one searchable ciphertext for each keyword by computing $C_0 = rP_1 + sP_2$, $t_i = e'(PK_1, rH'(kw_i)) \cdot e'(PK_2, sH'(kw_i))$, which requires two bilinear pairing operations and two scalar multiplication operations. In the trapdoor generation phase, the user computes $T_{kw'} = \phi(\alpha H'(kw'))$, which requires one scalar multiplication operation and one isogeny operation. When the server searches matched ciphertexts, it computes $e(C_0, T_{kw'})$ and $h(e(C_0, T_{kw'}))$, which requires one bilinear pairing operation and one general hash function operation. The comparison results in Figure 4 indicate that IsoqurPEKS consumes the least time in ciphertext generation, trapdoor generation, and testing processes among these nine PEKS schemes.
In addition, we also perform a comparison with respect to the communication complexity of single document/keyword encryption and search. Since the elliptic curve point group is defined over a finite field $\mathbb{F}_q$, we set $p$ as a 512-bit element. For pairing-based schemes, the pairing operation is $e: G_1 \times G_1 \to G_T$, where points in $G_1$ and $G_T$ are 1024-bit elements. The general hash function is SHA256 in implementation. Thus, the output of $h$ is a 256-bit string. The comparison results are depicted in detail in Table 4. For the searchable ciphertext and trapdoor production of a single keyword in IsoqurPEKS, it outputs one point $C_0$, one hash value $h(t_i)$, and one point $\phi(\alpha H'(kw'))$. Thus, the communication cost of the proposed scheme is 160 bytes and 128 bytes, respectively, which requires the least communication width for keywords trapdoor search and giving back matched ciphertexts.

Conclusion
This paper introduces a new method for the quantum-resistant public encryption scheme with keyword search construction and establishes the hard assumption of elliptic curve isogeny computation. Our proposed scheme, IsoqurPEKS, could fight against attacks of quantum adversaries and is provably secure under the quantum random oracle model. We give formal security proof of IsoqurPEKS and analyze its security properties by comparing it with the other eight PEKS schemes. As far as we know, IsoqurPEKS is not only the first isogeny-based quantum-resistant PEKS scheme but also the most efficient scheme in terms of computation and communication costs compared with the listed current eight PEKS schemes. Since IsoqurPEKS is designed under the assumption that keywords cannot be enumerated, our subsequent work is putting forward an isogeny-based and quantum-resistant PEKS scheme against keyword guessing attack under the assumption that keywords could be listed in the polynomial time.

Data Availability
The data used to support the findings of this study are included within the article.