Authenticated key exchange (AKE) schemes that adopt public-key encryption (PKE) are comprehensively applied in mobile cloud computing environments. They grant consumer electronics users (CEUs) access to numerous services from diverse cloud servers by registering only once with a third party. However, most of the existing AKE-schemes, indistinguishability against chosen-ciphertext attacks (IND-CCA), and security against malicious private key generator (mPKG) are not well considered. Particularly, existing trapdoor-based PKE-schemes either require a large number of pairing operations or are unable to achieve at least one of the following properties: adaptive onewayness (ADOW), pseudorandom ciphertext property (PCP), randomness reproducibility (RRP), key-dependent message security (KDM); thereby, fail to achieve desired security notions. Additionally, mPKG inherently has the power to generate the public-private key pair for any identity; as a result, CEUs and cloud servers are incredibly concerned about the privacy of communication against mPKG. To cope with these issues, we design a PKE-scheme based on the ADOW trapdoor function, where the secret-key encryption algorithm employs the signalling technique to avoid the deadlock incidence and projection function used to ensure KDM-security; thus, the proposed scheme achieves PCP and RRP, and IND-CCA security. Furthermore, we employed the designed PKE-scheme to construct a secure authentication scheme dubbed ASMCC+ based on zero trust architecture: the probability of knowing the CEU’s and cloud server’s master-secret key by any third party is negligible. Our rigorous security proof and an in-depth performance analysis demonstrates that ASMCC+ is IND-CCA secure, achieves adaptive onewayness, and can thwart mPKG.