With the convenience and maturity of cloud applications, many users (companies as well as individuals) adopt remote cloud services to reduce their local storage and computing load. Before transferring data to the cloud server, however, users routinely encrypt the outsourced data to protect it, which prevents flexible use of these data on the server side. Public key encryption with keyword search (PEKS) offers a precise resolution to this issue. Unfortunately, most PEKS schemes cannot withstand quantum computing attackers, which is an increasingly active research topic. To achieve postquantum security together with privacy-preserving search, we propose a quantum-resistant PEKS scheme named IsoqurPEKS. The proposed instantiation satisfies the basic semantic security notion of indistinguishability against chosen keyword attacks (IND-CKA), and IsoqurPEKS is proved secure under this security model. Furthermore, we compare IsoqurPEKS with eight current PEKS schemes with respect to security properties, communication cost, and computation cost. The comparison results indicate that the proposed scheme has the best security and performance among the nine PEKS schemes.

1. Introduction

Remote cloud services offer data accessibility, data scalability, data sharing, and consistent backups of enormous volumes of data [1]. Cloud applications, such as cloud storage, cloud computing, and cloud retrieval, are becoming more prevalent for data users and enterprises. Data uploaders usually outsource their data to the cloud server, saving local storage cost and offering easy data access. However, these remote servers are not always trusted, since a malicious insider may have full access to plaintext data. Once critical and sensitive data are exposed to attackers, significant threats to users' property and even personal safety may follow. Therefore, before uploading data to the cloud server, data providers encrypt these data to protect their privacy, which at the same time strips data users of all search capability.

Many cloud services, such as Baidu Cloud, Google Cloud, Windows Azure, and Amazon Simple Storage Service [2], promote the development of cloud storage and search technologies. When performing data retrieval, a straightforward approach is for the cloud server to obtain the decryption key and search the required items in plaintext. However, this defeats the purpose of encrypting the outsourced data, because a corrupted insider (e.g., a compromised machine of the cloud storage provider [3]) could then access any data without authorization. Another option is for the data user to download the whole database, decrypt all data locally, and retrieve the documents of interest, which requires a lot of memory space and computation capacity. This method makes no use of the cloud server's resources; instead, it places high demands on the user, which is impractical in most applications [4]. To achieve data confidentiality and search functionality at the same time, Song et al. [5] first put forward the concept of searchable encryption.

A searchable encryption mechanism enables data providers to upload encrypted data together with ciphertexts of several searchable keywords, while data users produce trapdoors for the keywords they are interested in. Using the trapdoor, a cloud server can execute a search to find matching keywords and the corresponding data ciphertexts. According to how the encrypted keywords and trapdoors are generated [6], searchable encryption is generally classified into public key encryption with keyword search (PEKS) and symmetric searchable encryption (SSE). Although SSE offers efficient retrieval and has been extensively researched [7], it inherits the key distribution problem of symmetric encryption. Boneh et al. [8] then introduced the first PEKS scheme, whose system architecture is shown in Figure 1. In a PEKS scheme, the data provider produces searchable ciphertexts using the user's public key, and the user generates a keyword search trapdoor with their private key. The trapdoor is transmitted to the cloud server, which searches for matching ciphertexts and finally returns them to the user. Furthermore, Boneh et al. formalized the notion of indistinguishability against chosen keyword attacks (IND-CKA) for PEKS, which ensures the privacy of the searchable ciphertext [8].

However, most current PEKS schemes are built on classical hardness assumptions such as the discrete logarithm (DL) problem and the computational/decisional Diffie–Hellman (CDH/DDH) problems. Shor [9] showed that a quantum algorithm solves the DL problem in polynomial time, which has motivated researchers to explore quantum-resistant PEKS constructions [10]. According to the report on postquantum cryptography [11], the families of postquantum primitives are built from lattices, multivariate polynomials, codes, and isogenies. Among these, code-based and lattice-based cryptography suffer from large key sizes. In addition, as far as we know, there is no structure based on multivariate polynomials or hash-based cryptography that is compatible with searchable encryption.

Isogeny-based cryptography avoids the key-size problem and has potential for constructing searchable encryption. An isogeny is a rational map from one elliptic curve to another, and it is characterized by its degree or its kernel [12]. The isogeny problem is to find such a map between two given isogenous elliptic curves. Isogeny-based cryptography has matured gradually, and the fastest known quantum algorithm for finding such an isogeny takes subexponential time [13]. Isogeny-based encryption [14] provides a specific verification equation (i.e., where ϕ is an isogeny between two elliptic curves and are mutually dual isogenies, EGT and GT are two bilinear maps, and are the respective generators of ), and together with the first PEKS scheme it inspires us to design an isogeny-based quantum-resistant PEKS scheme.

This paper puts forward a new quantum-resistant PEKS scheme based on isogenies, named IsoqurPEKS. We prove its IND-CKA security in the quantum random oracle model (QROM) and analyze its communication and computation costs by comparing IsoqurPEKS with eight other PEKS schemes. The analysis shows that IsoqurPEKS has the lowest communication and computation overhead while withstanding quantum computer attacks.

1.1. Organization of This Paper

Section 2 reviews related work on PEKS and quantum-resistant searchable encryption. Preliminaries on elliptic curves and isogenies are introduced in Section 3. PEKS definitions, consistency, and the security definitions of a quantum-resistant PEKS scheme are given in Section 4. The system model of the proposed IsoqurPEKS scheme, the threat model for each entity, and the design goals of this paper are presented in Section 5. We then introduce the quantum-resistant IsoqurPEKS scheme in Section 6 and give its formal security proof in Section 7. Section 8 compares properties, communication cost, and time consumption with eight PEKS schemes. Finally, we summarize this paper in Section 9.

2. Related Works

Boneh et al. [8] first put forward the notion of public key encryption with keyword search (PEKS). Following this seminal work, further PEKS schemes [15-17] have been proposed in the traditional public-key setting. Research has mainly followed two directions: richer search functionality and stronger security.

Concerning search functionality, Kim et al. [18] proposed the first privacy-preserving algorithm to test whether an encrypted string contains an encrypted pattern; they also designed a wildcard search on encrypted databases to support compound queries. For multikeyword search, Wang et al. [19] proposed a secure searchable encryption scheme in the standard model supporting multikeyword retrieval. Liu et al. [20] put forward a multiuser, multikeyword search that hides both the search pattern and the access pattern. Zhang et al. [21] proposed a fuzzy multikeyword search for cloud systems using Word2vec. Liang et al. [22] used k-nearest neighbor (k-NN) techniques to improve search accuracy and achieve an exact, fine-grained multikeyword search. Zarezadeh et al. [23] presented a multikeyword ranked search scheme that improves usability and file retrieval accuracy. Asymmetric encryption schemes supporting Boolean queries in settings such as cloud applications and mobile clouds have also been studied [24, 25]. However, all of the above schemes rest on classical intractability assumptions and cannot resist quantum computing attacks.

Concerning security, forward privacy and backward security of searchable encryption are generally considered. Forward privacy ensures that inserting new files does not expose previous search information, and backward security means that deleting files does not disclose additional information in subsequent searches. Zhang et al. [26] and Ning et al. [27] discussed the threats posed to searchable encryption by file-injection attacks and passive attacks. Bost et al. [28] then used constrained pseudorandom functions and puncturable encryption to build forward and backward secure searchable encryption in the symmetric setting. Zeng et al. [29] introduced searchable public key encryption built on attribute-based encryption that satisfies forward privacy. None of these schemes takes quantum attacks into account.

Behnia et al. [30] proposed two lattice-based PEKS schemes with good computational efficiency and better security than earlier ones. Xu et al. [10] used the learning with errors (LWE) problem to build a lattice-based searchable encryption scheme with postquantum security. However, lattice-based PEKS schemes have large keys because the keys consist of matrices. Isogeny-based cryptography, in contrast, has small keys and has been studied in depth [12, 31-33].

We put forward a PEKS scheme based on an isogeny hardness assumption to resist quantum computing attacks and prove its security in the QROM. Although one isogeny-based PEKS scheme already exists [34], the proposed IsoqurPEKS scheme is more efficient. We also evaluate the scheme by comparing it with eight current PEKS schemes in terms of communication and computation cost, which indicates that our scheme has the best security and performance among these nine PEKS schemes.

3. Preliminaries

In this section, we introduce the basic facts about elliptic curves and supersingular isogenies used in the scheme design. The notation used in this paper is listed in Table 1.

3.1. Elliptic Curve

In our scheme, we use the following basic facts. is a finite field of order . The equation defines an elliptic curve over , where . The points on the elliptic curve together with the point at infinity form an additive cyclic group of integer order . The map is a bilinear map satisfying:
(i) Bilinearity: for any .
(ii) Computability: can be computed in polynomial time for any .
(iii) Nondegeneracy: .

where is a multiplicative cyclic group with the order and is an arbitrary generator of .

3.2. Isogeny

An isogeny between two elliptic curves and is a rational, surjective map that is also a group homomorphism, i.e., for any points on . Two elliptic curves and defined over a finite field are isogenous if and only if they have the same cardinality, i.e., . Since an isogeny is given by rational functions, its degree is defined as for polynomials and is used to distinguish different isogenies. According to Burdges et al. [14], every isogeny has exactly one dual isogeny, and the two satisfy the following relationship:for any points , where (resp. ) is any bilinear pairing (e.g., the Weil, Tate, or Ate pairing) on (resp. ).

Next, we recall the hard problems on which resistance to quantum computers rests. We first give the following proposition.

Proposition 1. Let be an elliptic curve given by , where are from the finite field . Its j-invariant is defined as follows:
The j-invariant determines the isomorphism class: two curves are isomorphic (over the algebraic closure of the field) if and only if they have the same j-invariant.
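The following added example (our own code, not code from the paper) makes the definitions of Sections 3.1 and 3.2 concrete over a tiny constructed field: it implements the affine group law on a short Weierstrass curve, builds a degree-2 isogeny from a 2-torsion kernel point using Vélu's formulas, and checks that the map is a group homomorphism onto the codomain, that the two isogenous curves have the same number of points, and that their j-invariants differ (so the isogeny is not an isomorphism). The prime p = 101, the curve y^2 = x^3 + 2x - 3 and the kernel point (1, 0) are constructed choices for illustration, not parameters from the paper.

```python
"""Added example: a degree-2 isogeny over F_101 built with Velu's formulas.
The parameters below are constructed for illustration and are not from the paper."""
from typing import List, Optional, Tuple

Point = Optional[Tuple[int, int]]   # None encodes the point at infinity O

P_MOD = 101                        # constructed prime field F_101
A, B = 2, (-3) % P_MOD             # E: y^2 = x^3 + 2x - 3
KERNEL_X = 1                       # (1, 0) is 2-torsion: x^3 + 2x - 3 = (x - 1)(x^2 + x + 3)


def inv(x: int, p: int = P_MOD) -> int:
    """Modular inverse in F_p (p prime) via Fermat's little theorem."""
    return pow(x % p, p - 2, p)


def is_on_curve(pt: Point, a: int, b: int, p: int = P_MOD) -> bool:
    if pt is None:
        return True
    x, y = pt
    return (y * y - (x ** 3 + a * x + b)) % p == 0


def add(P: Point, Q: Point, a: int, p: int = P_MOD) -> Point:
    """Affine short-Weierstrass group law; coefficient a is needed for doubling."""
    if P is None:
        return Q
    if Q is None:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % p == 0:       # P == -Q, including doubling a 2-torsion point
        return None
    if P == Q:
        lam = (3 * x1 * x1 + a) * inv(2 * y1, p) % p
    else:
        lam = (y2 - y1) * inv(x2 - x1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    y3 = (lam * (x1 - x3) - y1) % p
    return (x3, y3)


def velu_2_isogeny(a: int, b: int, x0: int, p: int = P_MOD):
    """Velu's formulas for kernel {O, (x0, 0)}: returns (a', b', phi) where
    E': y^2 = x^3 + a'x + b' and phi: E -> E' is the isogeny of degree 2."""
    t = (3 * x0 * x0 + a) % p
    w = x0 * t % p
    a2, b2 = (a - 5 * t) % p, (b - 7 * w) % p

    def phi(pt: Point) -> Point:
        if pt is None or pt[0] == x0:            # the kernel maps to O
            return None
        x, y = pt
        d = inv(x - x0, p)
        return ((x + t * d) % p, y * (1 - t * d * d) % p)

    return a2, b2, phi


def j_invariant(a: int, b: int, p: int = P_MOD) -> int:
    """j = 1728 * 4a^3 / (4a^3 + 27b^2); equal j-invariants <=> isomorphic curves."""
    return 1728 * 4 * a ** 3 * inv(4 * a ** 3 + 27 * b * b, p) % p


def points(a: int, b: int, p: int = P_MOD) -> List[Point]:
    """Every point of E(F_p), including O, by brute force (fine for p = 101)."""
    pts: List[Point] = [None]
    for x in range(p):
        rhs = (x ** 3 + a * x + b) % p
        pts.extend((x, y) for y in range(p) if y * y % p == rhs)
    return pts


def isogeny_checks(a: int, b: int, x0: int, p: int = P_MOD) -> dict:
    """Verify on the constructed curve: phi is a homomorphism landing on E',
    #E(F_p) = #E'(F_p) (isogenous curves have equal cardinality), and j(E) != j(E')."""
    a2, b2, phi = velu_2_isogeny(a, b, x0, p)
    E, E2 = points(a, b, p), points(a2, b2, p)
    homomorphism = all(is_on_curve(phi(P), a2, b2, p) and
                       phi(add(P, Q, a, p)) == add(phi(P), phi(Q), a2, p)
                       for P in E for Q in E)
    return {
        "codomain": (a2, b2),
        "homomorphism": homomorphism,
        "same_cardinality": len(E) == len(E2),
        "j_invariants": (j_invariant(a, b, p), j_invariant(a2, b2, p)),
    }


if __name__ == "__main__":
    print(isogeny_checks(A, B, KERNEL_X))
```

Running the script reports the codomain coefficients, the homomorphism and cardinality checks, and the two j-invariants; the exhaustive pairwise check is only feasible because the field is tiny, which is also why a real scheme works with curves whose isogeny graph is far too large to search.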

Isogeny-related hard problems are embodied in a graph structure whose nodes are isomorphism classes of curves and whose edges are isogenies between them. Isogenies of different degrees give different isogeny graphs, and the isogeny star is the union of these graphs over the same set of nodes; [31] gives detailed descriptions and visualizations of the isogeny star, as shown in Figure 2. There are many paths from one node to another, each possibly consisting of several isogenies. When the isogeny star is large, finding a path from a starting curve to a target curve in a different isomorphism class is hard; this is the isogeny problem.

Childs et al. [13] pointed out that the most efficient classical algorithm for finding an isogeny between two isogenous elliptic curves requires exponential time, and gave a quantum algorithm that constructs an isogeny between two given elliptic curves with the same cardinality in subexponential time; under the generalized Riemann hypothesis its running time is bounded above by . To the best of our knowledge, no faster quantum algorithm than that of Childs et al. is known. Assume that is an isogeny from the elliptic curve to ; we state the following two problems that are hard for quantum computers.

3.2.1. Supersingular Isogeny (SSI) Problem

Assume that the kernel specifies an isogeny , where and are chosen uniformly at random from and are not divisible by . Given the elliptic curve and the points on , it is hard to find a generator of . Note that, given a generator , it is trivial to solve for . In other words, given two elliptic curves and with the same cardinality, no polynomial-time quantum algorithm is known that computes an isogeny between them.

3.2.2. Extensional Computational Isogeny Problem (ECIP)

Given and , with unknown, where the point is randomly selected on and is a random number in , it is hard for a quantum computer to compute and in polynomial time.

4. Public Key Encryption with Keyword Search

This section introduces public key encryption with keyword search (PEKS) from three aspects: definitions, consistency, and security.

4.1. PEKS Definitions

A PEKS scheme consists of four algorithms: setup, PEKS, trapdoor, and test. The first PEKS scheme [8] only considered encryption with single-keyword search. In practice, a file usually contains many keywords, so we use the general extended definition of , which takes a set of keywords as input and preserves consistency. The formal definitions are as follows:
(i) Setup: the setup algorithm generates the user's keys. On input the security parameter , this probabilistic polynomial time (PPT) algorithm returns a public/private key pair for the user.
(ii) PEKS : the PEKS algorithm is run by a data provider. Taking the public key and a set of keywords as input, this PPT algorithm returns the searchable ciphertext of the keywords.
(iii) Trapdoor : the trapdoor algorithm is run by a search user. With the secret key and a keyword as input, it returns a trapdoor for .
(iv) Test: the test algorithm is run by the cloud server. With a searchable ciphertext and a trapdoor as input, this deterministic algorithm outputs 1 if ; otherwise, it outputs 0.

Note that the trapdoor algorithm may be deterministic or probabilistic, depending on the scheme design and its security requirements. In this paper we only consider the original form, i.e., a deterministic trapdoor algorithm.

4.2. Consistency

For a PEKS scheme, the most essential requirement is consistency [16]: the results returned by the cloud server should be exactly what the user asked for. Specifically, when the cloud server holds a trapdoor produced by the trapdoor algorithm and a ciphertext generated by the PEKS algorithm, consistency is formulated as follows:
(i) Test always outputs 1 if .
(ii) The probability is negligible if .

4.3. Security Definitions of the Quantum-Resistant PEKS Scheme

The security of PEKS is usually defined as indistinguishability of keywords under chosen keyword attacks (IND-CKA). It means that a PEKS ciphertext keeps the keywords it contains confidential against an adversary who does not hold the corresponding keyword search trapdoor. Specifically, IND-CKA security allows a PPT adversary to obtain the public key, to query the search trapdoors of keywords of its choice, and to adaptively select two keyword sets of the same size as the challenge. A PEKS scheme is considered secure if cannot distinguish the PEKS ciphertexts of the two challenge keyword sets.

4.3.1. IND-CKA Security

In the IND-CKA security game, a challenger and an adversary interact as follows:
(i) Setup phase: On input the security parameter , the challenger produces the public parameters and runs the setup algorithm to produce the receiver's public/private key pair, then sends to the adversary .
(ii) Query phase 1: may adaptively issue the following keyword search trapdoor query polynomially many times:Trapdoor query : for a search trapdoor query on the keyword , produces the corresponding trapdoor by running and returns to .
(iii) Challenge phase: After query phase 1, adaptively selects two challenge keyword sets with the same number of keywords, i.e., , and sends both to . Then chooses a random bit and computes the challenge ciphertext by running the algorithm. Finally, sends to .
(iv) Query phase 2: may continue to issue search trapdoor queries as in query phase 1, except for the keywords in the challenge sets .
(v) Guess phase: Finally, outputs a guess bit for the challenge ciphertext .

We say that the adversary wins the above game if it guesses the bit correctly, i.e., . Let denote the probability of guessing the bit correctly; the advantage of winning this game is defined as

Definition 1. A PEKS scheme is indistinguishable against chosen keyword attacks if, for every PPT adversary , the advantage of winning the above game is negligible.
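The following added example (our own code, not the paper's; the ToyPEKS class is a hypothetical stand-in with the Setup/PEKS/Trapdoor/Test interface of Section 4.1, not IsoqurPEKS) runs the definitions of this section as code: the consistency check of Section 4.2, the IND-CKA game above with its query-phase restrictions, and an adversary that wins the game against the stand-in scheme because its searchable ciphertext is a deterministic hash of (pk, w) that anyone holding pk can recompute. It also runs the offline keyword guessing attack that Section 6 places out of scope, to show why that section assumes an unpredictable keyword space. The hash construction, the keyword strings and the dictionary are constructed inputs.

```python
"""Added example: the PEKS interface, consistency check, IND-CKA game and offline
keyword-guessing attack, run against a hypothetical weak stand-in scheme (ToyPEKS).
None of this is IsoqurPEKS or the paper's code."""
import hashlib
import secrets
from typing import Callable, List, Optional, Sequence, Tuple

Keyword = bytes


def H(*parts: bytes) -> bytes:
    """Length-prefixed SHA-256, standing in for the scheme's hash function."""
    h = hashlib.sha256()
    for part in parts:
        h.update(len(part).to_bytes(2, "big") + part)
    return h.digest()


class ToyPEKS:
    """Setup/PEKS/Trapdoor/Test as in Section 4.1.  Consistent, but the searchable
    ciphertext H(pk, w) uses no secret randomness, so anyone holding pk can recompute it."""

    def setup(self) -> Tuple[bytes, bytes]:
        sk = secrets.token_bytes(16)
        return H(b"pk", sk), sk                      # (pk, sk)

    def peks(self, pk: bytes, keywords: Sequence[Keyword]) -> List[bytes]:
        return [H(b"ct", pk, w) for w in keywords]

    def trapdoor(self, sk: bytes, w: Keyword) -> bytes:
        return H(b"ct", H(b"pk", sk), w)            # deterministic trapdoor (Section 4.1)

    def test(self, ct: bytes, td: bytes) -> bool:
        return secrets.compare_digest(ct, td)


def consistency_holds(scheme: ToyPEKS, trials: int = 64) -> bool:
    """Section 4.2: Test = 1 for the same keyword, 0 (w.h.p.) for a different one."""
    pk, sk = scheme.setup()
    for _ in range(trials):
        w, w2 = secrets.token_bytes(8), secrets.token_bytes(8)
        (ct,) = scheme.peks(pk, [w])
        if not scheme.test(ct, scheme.trapdoor(sk, w)):
            return False
        if w != w2 and scheme.test(ct, scheme.trapdoor(sk, w2)):
            return False
    return True


TrapdoorOracle = Callable[[Keyword], bytes]
# adversary(scheme, pk, oracle) -> (W0, W1, guess); guess(challenge_ct) -> bit
Adversary = Callable[[ToyPEKS, bytes, TrapdoorOracle],
                     Tuple[List[Keyword], List[Keyword], Callable[[List[bytes]], int]]]


def ind_cka_game(scheme: ToyPEKS, adversary: Adversary, rounds: int = 400) -> float:
    """The IND-CKA game of Section 4.3.1, repeated `rounds` times.  Returns the empirical
    advantage |Pr[b' = b] - 1/2| (our normalisation, not the paper's formula).  A phase-1
    query on a later challenge keyword, or any phase-2 query on one, is rejected."""
    wins = 0
    for _ in range(rounds):
        pk, sk = scheme.setup()                                   # setup phase
        asked, challenge = set(), set()

        def trapdoor_oracle(w: Keyword) -> bytes:
            if w in challenge:
                raise ValueError("trapdoor query on a challenge keyword (query phase 2)")
            asked.add(w)
            return scheme.trapdoor(sk, w)

        W0, W1, guess = adversary(scheme, pk, trapdoor_oracle)    # query phase 1
        challenge.update(W0, W1)
        if len(W0) != len(W1) or asked & challenge:
            raise ValueError("challenge sets must be equal-sized and unqueried")
        b = secrets.randbelow(2)                                  # challenge phase
        ct = scheme.peks(pk, W1 if b else W0)
        wins += int(guess(ct) == b)                               # phase 2 + guess
    return abs(wins / rounds - 0.5)


def recompute_adversary(scheme: ToyPEKS, pk: bytes, oracle: TrapdoorOracle):
    """Breaks ToyPEKS without any trapdoor query: it recomputes PEKS(pk, W1) itself."""
    W0, W1 = [b"alice", b"q1-report"], [b"bob", b"q1-report"]
    expected = scheme.peks(pk, W1)
    return W0, W1, lambda ct: int(ct == expected)


def coin_flip_adversary(scheme: ToyPEKS, pk: bytes, oracle: TrapdoorOracle):
    """Baseline: guesses at random, so its advantage tends to 0."""
    return [b"alice"], [b"bob"], lambda ct: secrets.randbelow(2)


def keyword_guessing_attack(scheme: ToyPEKS, pk: bytes, td: bytes,
                            dictionary: Sequence[Keyword]) -> Optional[Keyword]:
    """Offline keyword guessing (ruled out in Section 6 by assuming an unpredictable
    keyword space): with a deterministic trapdoor and public PEKS/Test, an observer of
    td can test every dictionary word and recover the keyword."""
    for w in dictionary:
        (ct,) = scheme.peks(pk, [w])
        if scheme.test(ct, td):
            return w
    return None
```

The recomputing adversary reaches the maximal advantage 0.5 under this normalisation, which is exactly what the per-keyword random values in a real PEKS ciphertext prevent; the keyword guessing routine shows why a deterministic trapdoor is only safe when the keyword space cannot be enumerated.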
We use a quantum random oracle to model the hash functions in the formal security proof of the proposed IsoqurPEKS scheme. An obstacle in such proofs is how to answer queries made in superposition over exponentially many inputs, that is, how to simulate the hash function in the quantum random oracle model (QROM). In the next part, we give several preliminary definitions used in the QROM.

4.3.2. Specific Techniques Used in QROM

To simulate a hash function, the adversary submits a query in superposition and the random oracle returns . If is huge, a quantum simulator cannot answer all of these inputs with independently chosen random responses by computing . Zhandry [35] resolved this by introducing -wise independent functions.

In the following, we introduce the concept of a marginal weight distribution. A weight distribution on a set is given by a probability distribution function with , where for all is an assignment on . We consider a family of functions from a domain to a range , denoted by . The marginal weight distribution of on is defined by letting the weight of a function equal the sum of the weights of all that agree with on . In other words,

Definition 2. Two weight distributions and on are called -wise equivalent if, for all with size , the marginal weight distributions and over are the same.

Definition 3. A function family is called -wise independent if its marginal weight distribution on every of size equals that of a uniformly random function.
Next, we define the semiconstant distribution, which is used to insert a random value into a small but essential part of the oracle inputs.

Definition 4. The semiconstant distribution over is defined as follows:
(i) First, a random value is selected from .
(ii) Then, for each , assign to with probability ; such an is called a distinguished input to . Otherwise, assign a uniformly random element of to .

5. Problem Formulation

In this section, we describe the system architecture of IsoqurPEKS, the threat model of each entity, and the design goals of this paper.

5.1. System Model

The system includes the following parties: the cloud server (CS), data providers (DPs), and request users (RUs), as depicted in Figure 3. The role of each party is as follows:
(i) Data providers (DPs): Each DP extracts keywords from its files, encrypts the files with symmetric encryption, and computes the searchable keyword ciphertexts associated with the corresponding files under the targeted RU's public key. Finally, the DP stores the encrypted files and searchable ciphertexts on the CS.
(ii) Request users (RUs): Each RU produces its public and private key on input the security parameter. RUs use the keywords they are interested in to generate search trapdoors and send them to the CS for retrieval. On receiving the matched ciphertexts from the CS, RUs decrypt the desired files.
(iii) Cloud server (CS): The cloud server has almost unlimited storage and computing power in the PEKS system. The CS stores the encrypted files and searchable ciphertexts received from DPs, processes search queries, and returns the matching result ciphertexts to RUs.

In the proposed IsoqurPEKS scheme, the data provider first extracts keywords from the documents to be uploaded (e.g., with the Porter stemming algorithm [36]). It then uses the targeted user's public key to generate the searchable keyword ciphertexts and a symmetric key to encrypt the document, and transfers both to the cloud server (CS). When a request user (RU) wants the documents containing a specific keyword, the RU uses its secret key to produce a keyword search trapdoor and sends it to the CS. Finally, the CS evaluates the verification equation on the trapdoor and each searchable ciphertext and returns the matching encrypted documents.

5.2. Threat Model

In our scheme, we assume that DPs honestly follow the PEKS algorithm to produce searchable ciphertexts for authorized users and transmit these ciphertexts to the CS.

RUs are assumed to be semihonest adversaries: they execute the scheme honestly when issuing a search query, but may attempt to learn sensitive information about the ciphertexts and queries produced by other DPs and RUs, respectively.

The CS is assumed to be honest but curious: it performs the test algorithm honestly, but is interested in learning other parties' information from intermediate values or computation results.

5.3. Design Goals

Our goal is an isogeny-based quantum-resistant PEKS scheme with the following functionality and security requirements.
(i) Data privacy: nobody can learn information about the searchable ciphertexts encrypted and uploaded by DPs; in other words, the searchable ciphertexts remain confidential.
(ii) Access pattern hiding: the retrieval results of a query, such as the encrypted files matching the user's query, are concealed from the CS.
(iii) Quantum attack resilience: no polynomial-time quantum algorithm can recover RUs' private information, such as their secret keys, or the plaintexts uploaded by DPs.

6. Proposed IsoqurPEKS

Our proposed scheme consists of four algorithms: setup, PEKS, trapdoor, and test. The setup algorithm is run by a user and, on input a security parameter, generates the user's public and private key pair from an isogeny and a random number. The PEKS algorithm is run by data providers to produce searchable ciphertexts that resist quantum computer attacks. To obtain the files containing a specific keyword from the cloud server, a user runs the trapdoor algorithm with its secret key to output a search trapdoor. Finally, the cloud server runs the test algorithm on the trapdoor, the user's public key, and the searchable ciphertexts, and returns the matching ciphertexts to the user.
(i) : the setup algorithm is run by a user to produce a private/public key pair.
First, the user selects an elliptic curve of order , where are two base points of the additive cyclic group .
Then, they randomly choose and generate an -isogeny with its dual -isogeny and two bilinear maps on , respectively.
They also choose two secure cryptographic hash functions and .
Finally, they compute and set .
(ii) : when a data provider uploads encrypted files to the cloud server for secure storage and retrieval, it extracts the keywords from the file to be uploaded and performs the following steps:
For each , the DP randomly selects and uses the random numbers and the authorized user's public key to compute the searchable ciphertexts , , .
Then, it initializes a history-independent array to store the ciphertexts .
Finally, the algorithm outputs the PEKS ciphertexts and sends them together with the corresponding encrypted file to the cloud server.
(iii) : if a user wants the files containing the keyword , they use their private key to compute a trapdoor and send it to the cloud server.
(iv) : given the public key , a PEKS ciphertext , and a trapdoor , the cloud server proceeds as follows:
It initializes an empty set and checks whether .
If , the CS adds the corresponding encrypted file to ; otherwise, it moves on to the next ciphertext.
Finally, the CS returns to the user.

Note that our main focus is security against quantum attacks, and we assume that the keyword space is unpredictable and unbounded; the keyword guessing attack is therefore out of scope. This assumption matters in practice: the trapdoor is deterministic and anyone holding the public key can run the PEKS and test algorithms, so over a small, predictable keyword dictionary a party that observes a trapdoor could test candidate keywords offline.

6.1. Consistency

Following the consistency definition in Section 4.2, we analyze the correctness of IsoqurPEKS. Given produced by the trapdoor algorithm and produced by the PEKS algorithm, we have

On the other hand, . Thus, the test equation holds whenever there exists a with .

7. Security Proof

In this section, we prove the IND-CKA security of the IsoqurPEKS instantiation in the QROM, following the proof technique used in [37].

Theorem 1. Let be the advantage of solving the computational isogeny problem and the advantage of breaking the security of IsoqurPEKS. Then, in the quantum random oracle model,where is the maximum number of hash function queries.

Proof. Game : this is the real IND-CKA game of Definition 1 between the adversary , who tries to break the real scheme, and the challenger . In particular, answers trapdoor queries according to the trapdoor algorithm:
(i) Trapdoor query : Given a query keyword , computes and returns to .
Let denote the adversary 's advantage in this game, where the challenger knows the related secret values. The advantage of breaking IND-CKA in equals that in the real world:
Game : This game is identical to except for the generation of the challenge ciphertext in the challenge phase. The public keys are changed to and the private keys to , where , are two points and is an isogeny; these correspond to and of the proposed scheme in Section 6. Accordingly, the challenge ciphertext becomes , , where are two random numbers in , is a hash function, and is a general hash function. This transformation does not change the rule for computing searchable ciphertexts and leaks no additional information; thus, we have
Game : In this game, we introduce an abort rule. Let be selected from (0, 1), and let be a subset of in which each is placed independently with probability . Let be the two challenge keyword sets chosen by . aborts if the condition relating the two challenge keyword sets to the trapdoor queries is not met, and we have
Before continuing to the next game, we recall the following lemmas [35] describing the QROM.

Lemma 1. Let be a quantum adversary that makes queries to a random oracle . Modeling by a weight distribution , for each the probability is a linear combination of the for all possible and .

Lemma 2. Let be a -wise independent function. Then any quantum adversary that makes queries to the random oracle cannot distinguish from , so the oracle can be simulated by a quantum algorithm that evaluates and makes no oracle queries.

By these lemmas, quantum random oracles can be simulated by a polynomial-time quantum algorithm. This technique simulates the hash queries and responses of the -query and -query in the security proof of IsoqurPEKS.

In addition, inserting randomly selected values at the intended quantum oracle queries is another difficulty of security proofs in the QROM, which Lemma 3 addresses.

Lemma 3. The output distribution of a quantum algorithm making queries to an oracle drawn from the semiconstant distribution is at most a distance away from the case where the oracle is drawn from the uniform distribution.

If the adversary queries the inserted value at the corresponding oracle output, the simulation succeeds with probability . Furthermore, if uses one of the values with probability , the simulation succeeds with probability , so the choice of determines the success probability. We use this technique to embed a hard SSI problem instance into a hash function output in the security proof of IsoqurPEKS.

Game : This game introduces the quantum random oracle, i.e., it changes how the hash function is computed. is set to for all , and the hash outputs for the other queries are chosen at random. In this case, is distributed according to . By Lemma 3, the output distribution in is at distance from that in . Therefore, we have

Game : In this game, the rule for producing the challenge ciphertexts is changed: are chosen at random instead of being computed by . The final challenge ciphertext is then independent of the challenge keyword sets. Therefore, we have

We now construct an algorithm for the isogeny problem with advantage . Suppose has quantum access to the random oracles and , and that the probability of outputting 1 is . Let be the set of such that . The above conditions are equivalent to . By Lemma 2, can simulate and with a -wise and a -wise independent function, respectively, without oracle queries. is an initially empty list held by .
(i) Setting of public parameters. Suppose the adversary sends two challenge sets and to the challenger , where is a positive integer. Given and , sets and , respectively, where the isogeny maps the elliptic curve to the elliptic curve , is its dual isogeny, are points on , and are points on . receives the hard problem instance and sends the public parameters and to .
(ii) Challenge ciphertext simulation. chooses random and computes as the challenge ciphertext.
(iii) -query. On receiving , sets the output of as follows:
(iv) -query. On receiving , simulates by setting .
(v) Query simulation.
Hash query : uniformly selects a random and computes . It then stores in the -list and returns to .
Trapdoor query : Given a query keyword , looks up in the -list and, if present, uses the in the -list to compute ; otherwise, it uniformly chooses an and computes . Finally, returns to .

7.1. Success Probability Analysis

If made a query contained in to , it could distinguish the simulated environment from the real one. However, such events do not occur because of the game hopping in . Then succeeds in the game with advantage . Hence, we have

Combining the advantages, we have

Because the right-hand side of the equation is minimized when , we have

8. Comparison and Analysis

To the best of our knowledge, no isogeny-based quantum-resistant PEKS scheme has been proposed so far. Many public key encryption schemes with keyword search exist [38–45], but they cannot withstand quantum attacks because they rely on the classical DL, DBDH, or CBDH assumptions, all of which fall to Shor's algorithm. In this section, we first compare IsoqurPEKS with existing PEKS schemes in terms of security properties. We then compare IsoqurPEKS with the other eight PEKS schemes in terms of computation and communication costs.

Table 2 summarizes the comparison between the proposed IsoqurPEKS scheme and its counterpart PEKS schemes with respect to security properties. IsoqurPEKS is based on an isogeny hardness assumption and is proved secure in Section 7 under the quantum random oracle model; hence it resists quantum attacks. Moreover, our construction does not require a trusted authority to generate secret keys, which several of the compared PEKS schemes do require.

Next, we analyze the computational complexity of searchable ciphertext generation, trapdoor generation, and testing. We only count the time-consuming operations: hash-to-point , bilinear pairing , point multiplication , modular exponentiation , and isogeny computation . Following [46], we take the running times of these operations as measured on a Raspbian GNU/Linux 8 system with an ARMv7 processor (rev 4, 1.2 GHz). Because the isogeny operation occurs in the trapdoor generation process, which is performed by the cloud server, we use the isogeny (i.e., group action) computation time reported in [47]. Overall, we have . Table 3 lists the operation counts of the nine PEKS schemes. In the PEKS phase, the data provider generates one searchable ciphertext per keyword by computing , which requires two bilinear pairings and two scalar multiplications. In the trapdoor generation phase, the user computes , which requires one scalar multiplication and one isogeny computation. When the server searches for matching ciphertexts, it computes and , which requires one bilinear pairing and one general hash evaluation. The comparison results in Figure 4 show that IsoqurPEKS has the lowest running time for ciphertext generation, trapdoor generation, and testing among the nine PEKS schemes.

In addition, we compare the communication complexity of encrypting and searching a single document/keyword. Since the elliptic curve point group is defined over a finite field , we take to be a 512-bit element, so an affine point with two coordinates occupies 1024 bits (128 bytes). For the pairing-based schemes, the pairing is , where elements of and are 1024 bits. The general hash function is instantiated with SHA-256, so the output of is a 256-bit string. The detailed comparison is given in Table 4. For a single keyword, the searchable ciphertext of IsoqurPEKS consists of one point and one hash value , and the trapdoor consists of one point . The communication costs are therefore 160 bytes (128 + 32) for the ciphertext and 128 bytes for the trapdoor, respectively, which is the lowest bandwidth among the compared schemes for sending a keyword trapdoor and returning the matched ciphertexts.
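The byte counts above depend on how a curve point is serialized, which the paper does not spell out. The following added example (not code from the paper) reproduces the quoted 160-byte ciphertext and 128-byte trapdoor under the assumption that a point is stored as two uncompressed 512-bit affine coordinates, and shows how the per-search bandwidth changes if a compressed (x-coordinate plus one sign byte, SEC1-style) encoding were used instead. The `compressed` option and the sign-byte convention are assumptions for illustration, not part of the scheme.

```python
# Added example: communication-cost calculator for the Section 8 comparison.
# Not code from the paper; it only reproduces the quoted byte counts under
# explicit encoding assumptions.
from dataclasses import dataclass

FIELD_BITS = 512   # size of an element of F_p assumed in Section 8
HASH_BITS = 256    # SHA-256 output length


def point_bytes(field_bits: int, compressed: bool = False) -> int:
    """Serialized size of an elliptic-curve point over F_p.

    Uncompressed affine (x, y): two field elements (the encoding that yields
    the paper's 128-byte point).  Compressed: x plus one sign byte, a
    SEC1-style convention assumed here for comparison only.
    """
    coord = (field_bits + 7) // 8
    return coord + 1 if compressed else 2 * coord


@dataclass(frozen=True)
class Sizes:
    ciphertext: int   # bytes per searchable ciphertext (one point + one hash)
    trapdoor: int     # bytes per trapdoor (one point)


def isoqurpeks_sizes(field_bits: int = FIELD_BITS,
                     hash_bits: int = HASH_BITS,
                     compressed: bool = False) -> Sizes:
    """Sizes of a single-keyword ciphertext and trapdoor in IsoqurPEKS."""
    pt = point_bytes(field_bits, compressed)
    h = (hash_bits + 7) // 8
    return Sizes(ciphertext=pt + h, trapdoor=pt)


def search_bandwidth(sizes: Sizes, n_keywords: int, n_matches: int) -> int:
    """Bytes exchanged for one search: the user uploads n_keywords trapdoors
    and the server returns n_matches matching searchable ciphertexts."""
    return n_keywords * sizes.trapdoor + n_matches * sizes.ciphertext


if __name__ == "__main__":
    s = isoqurpeks_sizes()
    print(f"uncompressed: ciphertext={s.ciphertext} B, trapdoor={s.trapdoor} B")
    c = isoqurpeks_sizes(compressed=True)
    print(f"compressed:   ciphertext={c.ciphertext} B, trapdoor={c.trapdoor} B")
    print("bandwidth for 3 trapdoors / 10 matches:",
          search_bandwidth(s, 3, 10), "B")
```

With the uncompressed encoding the function returns exactly the paper's 160 and 128 bytes; with compressed points the same ciphertext would shrink to 97 bytes, so the table's figures should be read as an upper bound tied to the chosen point encoding.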

9. Conclusion

This paper introduces a new construction of a quantum-resistant public key encryption scheme with keyword search, built on the hardness of computing elliptic curve isogenies. Our proposed scheme, IsoqurPEKS, withstands quantum adversaries and is provably secure under the quantum random oracle model. We give a formal security proof of IsoqurPEKS and analyze its security properties by comparing it with eight other PEKS schemes. As far as we know, IsoqurPEKS is not only the first isogeny-based quantum-resistant PEKS scheme but also the most efficient in terms of computation and communication costs among the eight current PEKS schemes considered. Since IsoqurPEKS is designed under the assumption that keywords cannot be enumerated, our future work is to construct an isogeny-based quantum-resistant PEKS scheme that resists keyword guessing attacks under the assumption that keywords can be enumerated in polynomial time.

Data Availability

The data used to support the findings of this study are included within the article.

Conflicts of Interest

The authors declare no conflicts of interest.

Acknowledgments
The work was supported by the Shandong Provincial Key Research and Development Program (No. 2020CXGC010107, 2021CXGC010107), the National Natural Science Foundation of China (Nos. 62172307, U21A20466), the Special Project on Science and Technology Program of Hubei Province (No. 2020AEA013), the Natural Science Foundation of Hubei Province (No. 2020CFA052), and the Wuhan Municipal Science and Technology Project (No. 2020010601012187).