An Efficient Searchable Public-Key Authenticated Encryption for Cloud-Assisted Medical Internet of Things

In recent years, it has become popular to upload patients ’ medical data to a third-party cloud server (TCS) for storage through medical Internet of things. It can reduce the local maintenance burden of the medical data and importantly improve accuracy in the medical treatment. As remote TCS cannot be fully trusted, medical data should be encrypted before uploading, to protect patients ’ privacy. However, encryption makes search capabilities di ﬃ cult for patients and doctors. To address this issue, Huang et al. recently put forward the notion of Public-key Authenticated Encryption with Keyword Search (PAEKS) against inside keyword guessing attacks. However, the existing PAEKS schemes rely on time-consuming computation of parings. Moreover, some PAEKS schemes still have security issues in a multiuser setting. In this paper, we propose a new and e ﬃ cient PAEKS scheme, which uses the idea of Di ﬃ e-Hellman key agreement to generate a shared secret key between each sender and receiver. The shared key will be used to encrypt keywords by the sender and to generate search trapdoors by the receiver. We prove that our scheme is semantically secure against inside keyword guessing attacks in a multiuser setting, under the oracle Di ﬃ e-Hellman assumption. Experimental results demonstrate that our PAEKS scheme is more e ﬃ cient than that of previous ones, especially in terms of keyword searching time.


Introduction
In today's society, almost all medical service providers will use some form of electronic medical record system [1]. Specifically, medical Internet of things (MIoT) has become a new technology to gather data from patients by small wearable devices or implantable sensors. With the increasing number of medical data, the burden of hospital storage equipment is heavy, and it needs a professional person to maintain. If the hardware storage device is damaged and data is lost due to other force majeure factors, it will lead to very serious consequences. The most important way to solve this problem is to upload the data to the third-party cloud server (TCS). However, after the data is uploaded to the TCS, the patient's privacy will not be guaranteed. Once the cloud server managers or external malicious attackers steal the data, it will cause data leakage and other problems [2].
In order to solve the problem of data security, the best way is to encrypt the data and then upload the result to TCS. But when medical service providers want to retrieve the electronic medical records of patients, it becomes more difficult. First, doctors need to download all encrypted data to a local server and then decrypt it locally. After that, they can search for the desired results in the plaintext medical data. However, this process is very cumbersome and impractical for most applications. Due to the powerful cloud computing, medical institutions hope that the cloud server can complete the retrieval function instead of doing it themselves. But if the key is sent to the cloud server, the patient's private data still has the risk of exposure.
To address the above security issues, the conception of (symmetric-key) searchable encryption (SE) was proposed by Song et al. [3]. It is a powerful technology that allows the cloud server to search on encrypted data using some search trapdoors generated by the local data users. In 2004, Boneh et al. [4] proposed a public-key version of SE, namely, Public-key Encryption with Keyword Search (PEKS). This scheme embeds keywords in public-key encryption and is very suitable for scenarios of a multiuser data sharing setting, e.g., medical data sharing. There are three parties in the PEKS scheme: cloud server, data sender, and data receiver. The sender (e.g., patient) has a lot of privacy files F i and wants to share them with the receiver (e.g., doctor). First, the sender extracts the keyword w i from each file F i , encrypts the keyword with the PEKS scheme, and then encrypts each file with other encryption schemes (not necessarily the same as the PEKS scheme). Let the keyword cipher text be C w i . The sender uploads all cipher texts to the TCS. In order to search whether there is a document containing the keyword w in the encrypted document, the receiver generates a search trapdoor T w of the keyword w and sends the trapdoor to the cloud server. After the server receives T w , it checks whether each keyword cipher text matches with the search trapdoor. If so, it indicates that the corresponding encrypted document must contain the desired keyword. After that, the results are returned to the receiver, and the receiver can get the required plaintext data by decrypting the encrypted documents.
As mentioned in Figure 1, we will apply searchable encryption to telemedicine services, where the patient is the sender and the medical service provider is the receiver. Each patient can encrypt and upload their own electronic medical record to the cloud server. When the patient wants to see a doctor remotely, the doctor can retrieve the medical data information related to some disease on the third-party cloud server according to the keyword information of the patient. In this process, doctors will only get data related to a certain disease and will not expose other information (such as name) of patients.
However, PEKS inherently has a disadvantage to resist against keyword guessing attacks (KGA). Ideally, a keyword space can be considered infinite. In practice, however, this is not the case. In real life, users often use a limited number of keywords because of their living habits, which leads to the transformation of the original polynomial space into an affixed and low-entropy space. In this case, the adversary can guess the keywords contained in the searching trapdoor as follows: First, the adversary guesses all the keyword spaces of the user and then generates keyword cipher text one by one. The adversary checks the trapdoor requested by the user one by one with keyword cipher texts generated by itself. If there is coincidentally the same situation, the adversary can obtain the keyword information retrieved by the user, thus exposing the privacy of the user. This kind of attack can be easily mounted by the cloud server, as the cloud server has users' searching trapdoors. Such attack is often called inside keyword guessing attacks (IKGA).
To resist against KGA is very challenging. Recently, many methods [5][6][7][8][9][10][11] were proposed to prevent KGA on PEKS schemes; however, most of them were later proven insecure [12][13][14][15]. In 2017, Huang and Li [16] proposed a new primitive, namely, Public-key Authenticated Encryption with Keyword Search (PAEKS), to solve the problem of inside KGA. In PAEKS, the data sender not only encrypts a key-word but also authenticates it, so that a search trapdoor can only match with the corresponding data sender. PAEKS is also applicable to cloud-assisted MIoT, as in general, the doctor just searches on a designated patient's medical data. However, the proposed concrete PAEKS scheme still has some security issues [17][18][19]. In particular, Noroozi and Eslami [18] pointed out that it cannot handle multiuser settings and provided an improvement security model for PAEKS in a multiuser setting.
1.1. Our Contribution. In this paper, we research on new and efficient construction of PAEKS schemes in a multiuser setting for cloud-assisted MIoT. Our main contributions are as follows: (i) We observe that in PAEKS, both the data sender and data receiver hold a pair of public/secret keys. If they can compute a shared key without any interaction, then the shared key can be viewed as a secret key of a symmetric searchable encryption scheme. Inspired by this, we propose an efficient PAEKS scheme, which involves the (noninteractive) Diffie-Hellman key exchange scheme to compute the shared key and Song et al.'s SSE scheme to encrypt keywords. It removes the usage of time-consuming operation of pairing in previous PAEKS schemes (ii) We show that our scheme is semantically secure against IKGA in a multiuser setting under the oracle Diffie-Hellman assumption [20]. Specially, it satisfies both cipher text indistinguishability and trapdoor indistinguishability (iii) We compare our scheme with some related PAEKS scheme in terms of security and computation efficiency and also do some experiments to demonstrate the efficiency of our schemes for protecting the privacy of cloud-assisted MIoT data. Experiment results show that our scheme is more efficient than that of previous ones, especially in terms of keyword searching time

Paper Organization.
In the next section, we will briefly introduce some cryptographic primitives. Our main construction of the PAEKS scheme and its security proof are given in Section 3. In Section 4, we compare the efficiency of our scheme with that of other related PAEKS schemes. Finally, we summarize the paper in Section 5.

Preliminaries
In this section, we recall some basic conceptions of cryptographic primitives that will be used in this paper, including cyclic group, hardness assumption, pseudorandom functions, syntax of PAEKS, and its security model.

Cyclic Group.
Let G be a group with order p. We say that G is a cyclic group, if the group G can be generated by a single element g ∈ G. That is, every element h ∈ G has the form h = g x for some exponent x ∈ ℤ p . We call g to be a 2 Wireless Communications and Mobile Computing generator of the group. In our scheme, we use a cyclic group with a prime order; i.e., p is a prime. In this case, any group element except the identity will be a generator.

Oracle
Diffie-Hellman (ODH) Problem [20]. Let G be a cyclic group with prime order p and a generator g. Let H be a hash function from G to some n-bit length space f0, 1g n . The ODH problem states that given a tuple ðg, g x , g y , TÞ and an oracle O g x ð·Þ, to decide whether T is Hðg xy Þ or a random string from f0, 1g n , here, x and y are randomly chosen from ℤ p , and the oracle returns Hðh x Þ for each h ∈ G. Let A be any probabilistic polynomial time (PPT) algorithm. We say that A breaks the ODH problem over group G and H with advantage at most ϵ odh , if Definition 1 (ODH assumption). We say that the ODH assumption holds over group G and H, if for any PPT algorithm A, its advantage ϵ odh in solving the ODH problem is negligible in κ (the bit length of p).

Pseudorandom Functions (PRFs).
A pseudorandom function is a family of functions such that for a random choice from the family, its input/output behavior is computationally indistinguishable from that of a random function. A formal definition of PRFs is given below.
(1) Given a key k ∈ K and an input x ∈ X, there is an efficient algorithm to compute the output y = f k ðxÞ (2) For any PPT algorithm A that makes at most polynomial number of oracle queries, the following advantage is at most ϵ f : where F = f f : X ⟶ Yg and the oracles are given an input x ∈ X and output the corresponding image of the function.
The above definition indicates that, given any polynomial number of valid input/output pairs ðx i , f k ðx i ÞÞ, no PPT adversary can predicate f k ðxÞ for a new and distinct input x. Specifically, f k ðxÞ is computationally indistinguishable from a random y ∈ Y.

PAEKS and Security
Model. The notion of Public-key Authenticated Encryption with Keyword Search (PAEKS) was first proposed in [16] to protect the privacy of a keyword against inside keyword guessing attacks. It involves the public/secret key pair into the cipher text to prevent keyword guessing attacks by the insider server. We first recall its definition.

Definition 3 (syntax of PAEKS). A PAEKS scheme consists of the following six PPT algorithms:
(i) Setup (λ). This is the global parameter generation algorithm. It takes the security parameter λ as input and outputs global system parameter Param (ii) KeyGen S ( Param). This is the sender's key generation algorithm. It takes the global system parameter Param as input and outputs a public/secret key pair ðpk S , sk S Þ (iii) KeyGen R ( Param). This is the receiver's key generation algorithm. It takes the global system parameter Param as input and outputs a public/secret key pair ðpk R , sk R Þ (iv) PAEKS ðsk S , pk R , wÞ. This is the keyword encryption algorithm performed by the sender. It takes the sender's secret key sk S , the receiver's public key pk R , and a keyword w as input and outputs a PAEKS cipher text C of the keyword w (v) Trapdoor ðsk R , pk S , wÞ. This is the trapdoor generation algorithm performed by the receiver. It takes the receiver's secret key sk R , the sender's public key pk S , and a keyword w as input and outputs a trapdoor T w (vi) Test ðT w , C, pk S , pk R Þ. This is the test algorithm performed by the cloud server. It takes a trapdoor T w , a PAEKS cipher text C, the sender's public key pk S , and the receiver's public key pk R as input and outputs 1 if C and T w contain the same keyword and 0 otherwise

Wireless Communications and Mobile Computing
Next, we recall the improved security model for PAEKS in a multiuser setting by Noroozi and Eslami [18]. It includes trapdoor indistinguishability (TI) and cipher text indistinguishability (CI). Both of them are described through games played between an adversary A and the challenger C.
Definition 4 (TI security game). The TI security game is described as follows: (i) Initialization. Given a security parameter λ, the challenger generates the global system parameter. Then, the challenger generates the receiver's public/secret keys ðpk R , sk R Þ and the sender's public/secret keys ðpk S , sk S Þ. It executes the adversary A on input ðParam, pk S , pk R Þ (ii) Phase 1. The adversary A is permitted to adaptively query the following two oracles polynomial times: (a) Cipher Text Oracle O C ðw, pkÞ. Given a keyword w and a public key pk, the challenger computes the cipher text C by running the algorithm PAEKS ðsk S , pk, wÞ and returns the cipher text to A Given a keyword w and a public key pk, the challenger computes the trapdoor T w by running the algorithm trapdoor ðsk R , pk, wÞ and returns the trapdoor to A (iii) Challenge. When phase 1 ends, the adversary A outputs two challenge keywords w * 0 and w * 1 , which have not been queried to the oracles O C ð·, pk R Þ and O T ð·, pk S Þ before. Now, the challenger chooses a random bit b ∈ f0, 1g, computes the T w * b ⟵ trapdoorðsk R , pk S , w * b Þ, and returns it to the adversary A (iv) Phase 2. In this phase, the adversary A can continue to access the oracles, with the restriction that neither w * 0 nor w * 1 could be queried to the oracles O C ð·, pk R Þ and O T ð·, pk S Þ (v) Guessing. Finally, the adversary A outputs a bit b′ as the guess of b. If b′ = b, we say that A wins the game We define A's advantage in breaking the TI security of PAEKS as Definition 5 (CI security game). Similarly, the CI security game can be described as follows: (i) Initialization. Given a security parameter λ, the challenger generates the global system parameter Param.
Then, the challenger generates the receiver's public/secret keys ðpk R , sk R Þ and the sender's public/secret keys ðpk S , sk S Þ. It executes the adversary A on input ðParam, pk S , pk R Þ (ii) Phase 1. The adversary A is allowed to adaptively query the following two oracles polynomial times: (a) Cipher Text Oracle O C ðw, pkÞ. Given a keyword w and a public key pk, the challenger computes the cipher text C by running the algorithm PAEKS ðsk S , pk R , wÞ and returns the cipher text to A (b) Trapdoor Oracle O T ðw, pkÞ. Given a keyword w and a public key pk, the challenger computes the trapdoor T w by running the algorithm trapdoor ðsk R , pk S , wÞ and returns the trapdoor to A (iii) Challenge. When phase 1 ends, the adversary A outputs two challenge keywords w * 0 and w * 1 , which have not been queried to the oracles O C ð·, pk R Þ and O T ð·, pk S Þ before. Now, the challenger chooses a random bit b ∈ f0, 1g, computes the C w * b ⟵ PAEKSðsk S , pk R , w * b Þ, and returns it to the adversary A (iv) Phase 2. In this phase, the adversary A can continue to access the oracles, with the restriction that neither w * 0 nor w * 1 could be queried to the oracles O C ð·, pk R Þ and O T ð·, pk S Þ (v) Guessing. Finally, the adversary A outputs a bit b ′ as the guess of b. If b ′ = b, we say that A wins the game We define A's advantage in breaking the CI security of PAEKS as If for any PPT adversary A, both Adv TI A ðλÞ and Adv CI A ðλÞ are negligible in the security parameter λ; we say that the PAEKS is semantically secure against inside keyword guessing attacks.

Our PAEKS Scheme
In this section, we introduce a PAEKS scheme for an electronic medical record system. The system framework is given in Figure 2. 3.1. The Construction. Our PAEKS scheme is described as follows: (i) Setup ðλÞ. Select a cyclic group G with prime order p and a random generator g of G. Select three pseudorandom functions: Randomly select x ⟵ Z p , and set pk S ≔ g x and sk S ≔ x. Return sk S and pk S (iii) KeyGen R ( Param). Randomly select y ⟵ Z p , and set pk R ≔ g y and sk S ≔ y. Return sk R and pk R (iv) PAEKS ðsk S , pk R , wÞ. To encrypt a keyword w ∈ W , do the following: Let the receiver's key pair be ðpk R , sk R Þ = ðg x , xÞ and the sender's key pair be ðpk S , sk S Þ = ðg y , yÞ. Then, the key k′‖k′ ′ = Hðg xy Þ can be generated by each other. Let C be a cipher text of keyword w generated by the sender and T w be the corresponding search trapdoor generated by the receiver. According to the keyword encryption algorithm, there must exist two strings X and U and a random string S ∈ f0, 1g n−m such that C = X ⊕ U, X = E k′ ðwÞ, and U = S‖F k ðSÞ, where k = f k′ ′ ðXÞ. For a right trapdoor of keyword w, it should be in the form T w = X‖k, where X = E k ′ ðwÞ and k = f k ′ ′ ðXÞ. So, X ⊕ C = U. Let S be the first n − m bits of U and T be the last m bits. Clearly, T = F k ðSÞ will hold. Thus, for the same keyword, the cipher text will match with the corresponding trapdoor. Fixing a cipher text C′ of a distinct keyword w′ ≠ w, we have C′ = X ′ ⊕ U ′, for some X ′ = E k ′ ðw′Þ. Since E is a pseudorandom function, then X = E k ′ ðwÞ is a random string over f0, 1g n with probability at least 1 − ϵ E . In this case, X ⊕ C ′ will be a random string. Since F is also a pseudorandom function, for a random string S ′ ‖T ′ , the equation F k ðS ′ Þ = T ′ holds with probability at most ϵ E + ð1/2 n Þ. Thus, the cipher text C ′ matches with the search trapdoor with a negligible probability. So our PAEKS scheme satisfies the correctness.

Security Proof.
In this section, we prove that our PAEKS scheme satisfies both trapdoor indistinguishability and cipher text indistinguishability. Its trapdoor indistinguishability follows from the theorem below. Theorem 6. If the oracle Diffie-Hellman assumption holds and E is a pseudorandom function, then our PAEKS scheme achieves trapdoor indistinguishability. Specifically, for any PPT adversary A, we have

Adv TI
where ϵ odh and ϵ E are the advantages to break the ODH assumption and the pseudorandomness of the PRF E.
Proof. Let A be any PPT adversary that aims to break the security of trapdoor indistinguishability of our PAEKS scheme. We prove Theorem 6 by a sequence of games. Let Suc i denote the event that A succeeds (i.e., b ′ = b) in the i-th game. Game 0. This is the original trapdoor in a distinguishability game as defined in Definition 4. In this game, the challenger generates two public/secret key pairs ðpk S , sk S Þ and ðpk R , sk R Þ for the sender and the receiver, respectively, and gives the public keys to A. In addition, the adversary can adaptively issue queries to the trapdoor oracle O T ð·, · Þ and cipher text oracle O C ð·, · Þ with any keyword w ∈ W and public key pk. But, for the two challenge keywords w * 0 and w * 1 ,

So, A's advantage in this game is
Game 1. This game is the same as the previous game with the exception of k ′ ‖k ′ ′ being sampled from K ′ × K ′ ′ uniformly at random. Recall that in the previous game, the challenger computes k′‖k′ ′ by Hðpk S sk R Þ (namely, Hðpk R sk S Þ) according to the keyword encryption algorithm (namely, trapdoor generation algorithm). We now prove that Given an instance of the oracle Diffie-Hellman problem ðg, g x , g y , KÞ, where K = Hðg xy Þ or K is a random string from K ′ × K ′ ′ , we construct an algorithm B to solve it using A as a subroutine. B sets pk S ≔ g x and pk R ≔ g y and gives them to A. The corresponding secret keys are implicitly set to be x and y, respectively. In addition, B chooses the other system parameters, including E, f , F, by itself. Parse K as k′‖k′ ′ . When A issues queries to the oracles O T ð·, pkÞ and O C ð·, pkÞ with pk ∉ fpk S , pk R g, B involves the oracle O g y ðpkÞ or O g x ðpkÞ to obtain the shared key k ′ ‖k ′ ′ . When A issues queries to the oracles O T ð·, pk S Þ and O C ð·, pk R Þ, B uses k ′ ‖k ′ ′ to generate cipher texts and trapdoors. For example, for a keyword w, B computes the cipher text C as follows: (1) Compute X = E k ′ ðwÞ and k = f k ′ ′ ðXÞ (2) Select a random string S ∈ f0, 1g n−m and set U = SkF k ðSÞ Given two challenge keywords w * 0 and w * 1 , B computes the challenge trapdoor T w * b as follows: (1) Choose a random bit b ∈ f0, 1g Clearly, if K = Hðg xy Þ, the above game is identical to Game 0. Otherwise, it is identical to Game 1. So, This proves the result of Equation (7).

Game 2.
This game is identical to the previous game with the exception of X * being sampled randomly from f0, 1g n . Assuming that E is a pseudorandom function, we have We now prove Equation (9). Given a challenge pseudorandom function E, we construct an algorithm B to break its pseudorandomness using A as a subroutine. B chooses the system parameter, the sender and receiver's public/secret key pairs, as in the previous game, with the exception of E being provided by its own challenger. Specifically, the random string k ′ ′ ∈ K ′ ′ is chosen by B itself, but k ′ is implicitly defined by the secret key of the challenge pseudorandom function E. Next, we show how B answers A's queries of cipher texts and trapdoors with ðw, pk R Þ or ðw, pk S Þ, respectively. For a keyword w, B computes its cipher text as follows: (1) Query the challenger of E with w to obtain the result (3) Select a random string S ∈ S and compute U = SkF k ðSÞ B computes its trapdoor as follows: (1) Submit w to its own challenger to obtain the result X = E k ′ ðwÞ When A submits two challenge keywords w * 0 and w * 1 , B picks a random bit b and sends w * b to the oracle of PRF E for challenging. The PRF challenger will return the challenge PRF value X * to B, which may be E k ′ ðw * b Þ or a random value. B then computes k * = f k ′ ′ ðX * Þ and returns T w * b = X * ‖k * to the adversary. Finally, A outputs a guess bit b ′ . If b ′ = b, B outputs 1; otherwise, it outputs 0.
From the above analysis, it is clear that if X * = E k′ ðw * b Þ, B actually simulates an environment of Game 1 for the adversary A. If X * is random, the simulated environment is identical to Game 2. Thus, if A's success probability between Game 1 and Game 2 has difference Pr ½Suc 2 − Pr ½Suc 1 , then B can distinguish X * = E k′ ðw * b Þ from a random one with the same advantage. This computes the proof of Equation (9).
Note that in Game 2, the challenge trapdoor is independent of the two challenge keywords. So, the adversary has no success advantage in this game, i.e., Wireless Communications and Mobile Computing This completes the proof of Theorem 6.
The cipher text indistinguishability of our PAEKS scheme follows from the theorem below.

Theorem 7.
If the oracle Diffie-Hellman assumption holds and f , F are pseudorandom functions, then our PAEKS scheme achieves cipher text indistinguishability. Specifically, for any PPT adversary A, we have where ϵ odh , ϵ f , and ϵ F are the advantages to break the ODH assumption and the pseudorandomness of the PRFs f and F, respectively.
Proof. Similar to the proof of Theorem 6, we prove the above theorem also via a sequence of games. In each game, A is a PPT adversary, aiming to break the cipher text indistinguishability of our PAEKS scheme. b is the challenge random bit, selected by the challenger, and b ′ is A's guess bit. We denote the event that b ′ = b in each game as Suc i .
Game 0. This is the original cipher text indistinguishability game as defined in Definition 5. So, Game 1. This game is the same as Game 0, except that the value k′‖k′ ′ is chosen randomly from K ′ × K ′ ′ . Under the ODH assumption, these two games are computationally indistinguishable, i.e., The proof of the above equation is similar to that of Equation (7); we omit it here.
Game 2. This game is identical to Game 1, except the following modification to the challenge cipher text. Suppose that w * b is the challenge keyword and X * = E k ′ ðw * b Þ is the corresponding internal value of the cipher text. In this game, k * is selected randomly from K, instead of being computed via k * = f k ′ ′ ðX * Þ. Note that, for normal keyword cipher text, k is still computed from f k ′ ′ ðXÞ. Under the assumption that f is a pseudorandom function, these two games are computationally indistinguishable. Specially, we have  Wireless Communications and Mobile Computing The proof of the above equation is similar to that of Equation (9); we omit it here.
Game 3. In this game, we replace the challenge value U * = S * kF k * ðS * Þ with a random string U * ⟵ f0, 1g n . Recall that, in this game, k * is sampled uniformly from K. By the pseudorandomness of PRF F, S * ‖F k * ðS * Þ is computationally indistinguishable from a random n-bit string. Similarly, we can prove that In Game 3, U * is random and is independent of the challenge keywords. So, the adversary has no advantage in this game, i.e., Taking Equations (13) to (17) together, we complete the proof of Theorem 7.
From Theorems 6 and 7, we conclude that our PAEKS scheme is semantically secure against inside keyword guessing attack assuming that the ODH problem is hard and E, f , F are PRFs.

Experiments and Efficiency Comparison
In this section, we analyze the efficiency of our PAEKS scheme and compare it with some other related schemes, including Boneh et al.'s PEKS scheme [4] and PAEKS schemes of [16,18,19]. Except our scheme, all the others are designed in bilinear groups. That is, besides group G, there are another group G T and a bilinear map e defined from G × G to G T . Table 1 demonstrates the theoretical result of efficiency comparison in terms of keyword encryption, trapdoor generation, testing, and two security properties. In the table, we use symbols "E" and "P" to denote the evaluation of a modular exponentiation and a bilinear pairing, respectively. "H 1 " denotes a special hash function that maps an arbitrary string to a group element, while "H 2 " denotes a traditional hash function, e.g., MD5. We denote the pseudorandom function as "F." Figure 3 shows the length of each parameter in different PEKS/PAEKS schemes. With the exception of Boneh et al.'s scheme, the other three schemes involve the sender's public key and secret key in the keyword encryption algorithm and trapdoor generation algorithm, respectively. It can be seen from the figure that our scheme has shorter trapdoor and cipher text than other schemes. For the other parameters, our scheme still has comparable length with other schemes.
Among these operations, the computation of the pairing is usually the most time-consuming. According to the construction of H 1 in [21], its computation is usually inefficient  with the comparison of the traditional hash function. In a random oracle model, it is easy to construct a PRF from an efficient hash function. From these observations, we can see that our keyword testing algorithm should be much faster than that of the other three schemes. For encryption and the trapdoor generation, the advantage of our scheme is not obvious among them. In terms of security, Boneh et al.'s scheme cannot resist against IKGA. The scheme of [16] can prevent IKGA, but it is not secure in a multiuser setting. The scheme of [19] did not show its security in a multiuser setting.
To evaluate the efficiency of these schemes in practice, we use a laptop with 1.7 GHz Intel i3 CPU, 2 GB memory, and a Windows 7 operating system to implement them. We use the jPBC library and choose a type A pairing, which makes use of the curve y 2 = x 3 + x over the field F q for prime q ≡ 3 mod 4. We run each algorithm with different times and record their time in seconds. The results are shown in Figures 4, 5, and 6, respectively. As the computations of Noroozi and Eslami and Huang and Li, they possess the same experimental results. Experiment results show that our encryption algorithm and trapdoor generation algorithm are slightly faster than those of the other schemes. But our keyword testing algorithm is significantly faster than that of the other schemes.

Conclusion
In this paper, we proposed a new public-key authenticated encryption scheme with keyword search. Our scheme uses the idea of the Diffie-Hellman key exchange protocol to generate a shared secret key between the sender and the receiver. The shared key can be viewed as the secret key of a symmetrickey searchable encryption scheme to encrypt keywords by the sender or to generate search trapdoors by the receiver. Under the ODH assumption, our PAEKS scheme can achieve both trapdoor indistinguishability and cipher text indistinguishability, and hence, it can resist inside keyword guessing attacks. The scheme is also efficient. Specifically, its keyword searching algorithm is very fast in the sense that it requires only one computation of PRF, while the previous schemes require at least one expensive pairing operation.

Data Availability
The data used to support the findings of this study are embedded in the programming. They are available from the corresponding author upon request (email: qinbaodong@xupt.edu.cn).