Public Key Authenticated Encryption With Designated Equality Test and its Applications in Diagnostic Related Groups

Due to the massive growth of data and to security concerns, patients' data are encrypted and outsourced to a cloud server for feature matching in various medical scenarios, such as personal health record systems, actuarial judgments and diagnostic related groups. Public key encryption with equality test (PKEET) is a useful utility for encrypted feature matching: an authorized tester can perform data matching on encrypted data without decrypting it. Unfortunately, due to the limited terminology in medicine, people within institutions may illegally use data, trying to obtain information through traversal methods. In this paper we propose a new PKEET notion, called public-key authenticated encryption with designated equality test (PKAE-DET), which resists this kind of attack launched by an inside adversary, known as the offline message recovery attack (OMRA). We propose a concrete construction of PKAE-DET, which only requires a single server to perform the feature matching securely, and does not require any group mechanism. We prove its security based on some simple mathematical assumptions. Experimental results show that our scheme has efficiency comparable with PKEET schemes which do not resist OMRA attacks or which require a group mechanism. We further show how our scheme can be used effectively in diagnostic related groups in medicine, demonstrating its practicability.


I. INTRODUCTION
The development of cloud computing technology provides us with more efficient and reliable data management with fewer errors, and the service quality of traditional industries has been effectively improved. One of the most prominent manifestations is cloud-based electronic medical systems [1], [2].
Diagnostic Related Groups (DRG) constitute an approach to measuring hospital case mix, which may be understood as a system for separating hospitalized patients into unique groups based on their diagnoses and procedures [3]. According to diagnoses, procedures, age, sex, discharge status, and the presence of complications or comorbidities, patients are divided into different diagnosis related groups, which are scientifically calculated on the basis of classification and given an advance payment. This kind of payment method takes care of the interests of patients, hospitals, medical insurers and other parties, and has become the most important cost control and quality improvement tool that governments and private payers have implemented [4].

The associate editor coordinating the review of this manuscript and approving it for publication was Junggab Son.
Due to the rapid growth of medical data and the demand for low maintenance cost, hospitals prefer to store patients' medical records on cloud servers. However, cloud servers are usually provided by third-party providers rather than by the hospitals themselves. Because patients' data are highly sensitive and private, hospitals encrypt them before uploading. This brings new challenges, however: once the data is encrypted, its structure is completely hidden, and search operations designed for plaintext no longer work.
Searchable encryption (SE) was thus proposed to solve this problem effectively, and has attracted wide attention since its introduction. It allows users to store a large collection of encrypted documents on the cloud server and to perform keyword-based searches over these encrypted documents.
The server learns nothing beyond specific patterns. SE can be divided into two categories: symmetric searchable encryption (SSE) [5] and public-key encryption with keyword search (PEKS) [6].
In 2010 a new encryption primitive named public-key encryption with equality test (PKEET) [7] was introduced, which could be viewed as a variant of PEKS. PKEET is designed to be used in specific situations, since it allows the tester to check whether two ciphertexts generated under different public keys contain the same plaintext without decryption.
As shown in Figure 1, PKEET can be used in DRG systems, personal health record systems, and other medical systems. (Please refer to Sect. VII for a more detailed explanation.) Since patients within each category are clinically similar and are expected to use the same level of hospital resources [8], patients' medical records can be encrypted and compared with the encrypted criteria in the system to determine which category the patient's illness corresponds to. However, due to privacy issues, it is necessary to prevent outside or inside personnel from illegally using the data for operations beyond their authorization. Compared with outside adversaries, it is harder to guard patients' data against inside adversaries, which are able to launch offline message recovery attacks (OMRA).

A. OFFLINE MESSAGE RECOVERY ATTACK
Offline message recovery attack (OMRA) is an inside attack proposed by Tang [9], in which an inside adversary is able to recover the plaintext from a given ciphertext. The inside adversary refers to an insider who can easily obtain the trapdoor, such as a database administrator in the hospital, and who wants to obtain the patient's private information in order to gain benefits. Figure 2 shows the flow chart of OMRA. To recover the message m encapsulated in ciphertext C w.r.t. public key pk, an OMRA adversary, which is given a trapdoor td as the authorization to test over C, works as follows: 1) generates a new key pair (pk′, sk′); 2) randomly chooses a new message m_i from the message space, and encrypts m_i under pk′ to get ciphertext C_i; 3) uses sk′ to produce a trapdoor td′ w.r.t. pk′; 4) runs the test algorithm on input (td, C, td′, C_i) to check if C and C_i contain the same message; and 5) outputs m_i if the test returns 1, and goes to Step 2) otherwise. Theoretically, we assume the plaintext space to be at least super-logarithmically large. However, in practice, especially in medicine, all data are certain medical words, and the frequency of each word is uneven: the occurrence probabilities of some common disease-related words are high, and those of the others are low. Therefore, it is feasible for an inside adversary to launch and finish the attack above in a reasonable time and recover m from C, even if the adversary has limited computational power.
In this regard, Tang [9] proposed a PKEET scheme that can resist OMRA attacks. However, their scheme needs to work in the dual-server setting, which requires high computation and communication costs, and assumes that the two servers do not collude. Therefore, it is necessary to construct a PKEET scheme that is secure against OMRA attacks and works in the single-server setting.
The notion of PKEET was introduced by Yang et al. [7] at CT-RSA 2010; it extends public key encryption by adding a test algorithm that compares data encrypted under different public keys without decryption, and has attracted extensive attention. Since the scheme of Yang et al. [7] has no authorization mechanism, everyone can compare encrypted data. Tang et al. [10] proposed an FG-PKEET scheme, in which the server can only perform the ciphertext comparison after obtaining the trapdoor generated jointly by the two users. Subsequently, Tang et al. proposed an AoN-PKEET scheme [11] and an ADG-PKEET scheme [9] to improve the authorization mechanism. The former requires that the tester obtains trapdoors from both users, with which it can compare all of their ciphertexts. The latter is an extension of FG-PKEET which resists OMRA attacks via the dual-server method, but requires the two servers to interact, and thus incurs higher computation costs. Ma et al. [12] proposed a PKE-DET scheme that delegates the comparison to a third party, ensuring that only the designated server can use the trapdoor to compare ciphertexts. Huang et al. [13] proposed a PKE-AET scheme, which supports two authorization patterns, i.e. comparing either all ciphertexts or some specific ciphertexts of users. Ma et al. [14] introduced a PKEET-FA scheme supporting four types of authorization patterns. Xu et al. [15] proposed a verifiable PKEET scheme, which supports two other authorization patterns different from those in [14], and meanwhile supports verification of the computed results.
In order to solve the problem of certificate management, [16]-[20] proposed schemes of identity-based encryption with equality test (IBEET) by combining PKEET and IBE. Besides, [21]-[24] proposed schemes of attribute-based encryption with equality test (ABEET), a combination of PKEET and ABE, in order to achieve more flexible authorization. These works increase the security and further extend the application scenarios of PKEET.
2) OMRA AND IKGA
Tang [9] proposed to use dual servers to resist OMRA attacks. The same method is also used in [25], [26]. It assumes that the servers do not collude and requires additional communication between the servers. Alternatively, [27], [28] proposed to share a secret among group members, with which only a member can generate a valid ciphertext. This is more efficient than the aforementioned dual-server schemes. However, the group creation takes time, and there is a risk of leaking the shared secret: if a group member colludes with the server, they can still launch the OMRA attack.
OMRA is similar to the inside keyword guessing attack (IKGA) against public key searchable encryption. In both attacks, a malicious server holding the trapdoor tries to guess the message from a given ciphertext. Schemes secure against IKGA can be roughly divided into two categories. The first category [29]-[31] works in the dual-server setting, but requires additional communication overhead. The second category [32], [33] uses the sender's private key to encrypt a message. In all these schemes (of the second category), the sender is also able to generate a trapdoor. This would cause security issues if we directly applied the method to PKEET.

C. OUR CONTRIBUTIONS
In this work we study how to construct an efficient PKEET scheme resisting OMRA attacks in the single-server setting. Concretely, we make the following contributions:
1) We propose a new notion of public-key authenticated encryption with designated equality test (PKAE-DET), which, to the best of our knowledge, is the first PKEET scheme that is secure against OMRA attacks and requires neither the dual-server setting nor a group mechanism. In PKAE-DET, the sender specifies who is responsible for testing ciphertexts while encrypting a message, in order to prevent outside adversaries from testing. The receiver specifies the sender and the target user to compare with while generating the trapdoor, in order to prevent inside adversaries from abusing the authorization.
2) We propose a concrete construction of PKAE-DET which makes use of an asymmetric bilinear pairing, and prove its security under the given security models based on simple mathematical assumptions (i.e. the (decisional) Bilinear Diffie-Hellman assumption and the symmetric external Diffie-Hellman assumption). Experimental results show that our scheme has efficiency comparable with previous PKEET schemes.
3) We further show how our PKAE-DET scheme can be used in applications like DRG, thus demonstrating the usability and practicability of our scheme.

D. PAPER ORGANIZATION
The rest of this paper is organized as follows. In Sect. II, we introduce some cryptographic preliminaries. In Sect. III we describe the formal definition and security models of PKAE-DET. The concrete construction is proposed in Sect. IV, and its security analysis is provided in Sect. V. In Sect. VI we present the performance evaluation and comparison of our PKAE-DET scheme and other related PKEET schemes. We then show the application of our scheme in DRG in Sect. VII, and conclude the paper in Sect. VIII.

A. BILINEAR PAIRING
Let G_1, G_2 and G_T be groups of prime order p. A bilinear pairing ê : G_1 × G_2 → G_T satisfies the following properties.
• Bilinearity: For any X ∈ G_1, Y ∈ G_2 and any a, b ∈ Z, ê(X^a, Y^b) = ê(X, Y)^{a·b}.
• Non-degeneracy: If g and h are generators of G_1 and G_2, respectively, then ê(g, h) ≠ 1_{G_T}.
• Computability: There is an efficient algorithm to compute ê(X, Y) for any X ∈ G_1, Y ∈ G_2.

B. BILINEAR DIFFIE-HELLMAN (BDH) ASSUMPTION
Let G_1, G_2, G_T, ê and p be defined as above, and let g_1, g_2 be generators of G_1 and G_2, respectively. Given the tuple (g_1, g_2, g^a we say the BDH assumption holds if for any probabilistic polynomial-time (PPT) algorithm A, it computes ê(g_1, g_2)^{a·b·c} with only negligible probability.

C. SYMMETRIC eXternal DIFFIE-HELLMAN (SXDH) ASSUMPTION
Given a tuple (g, g^a, g^b, g^r) where a, b, r ←_R Z_p^*, we say the decisional Diffie-Hellman (DDH) assumption holds if for any PPT algorithm A, it decides whether g^r = g^{a·b} with probability only negligibly larger than 1/2. The SXDH assumption holds if the DDH assumption holds in both G_1 and G_2.

III. PUBLIC-KEY AUTHENTICATED ENCRYPTION WITH DESIGNATED EQUALITY TEST
A. DEFINITION
A public-key authenticated encryption with designated equality test (PKAE-DET) scheme is defined by the following (probabilistic) polynomial-time algorithms.
• (pk_S, sk_S) ← KeyGen_Sender(pp): Given the system public parameter pp, returns the sender's public/secret key pair (pk_S, sk_S).
• (pk_R, sk_R) ← KeyGen_Receiver(pp): Given the system public parameter pp, returns the receiver's public/secret key pair (pk_R, sk_R).
• (pk_T, sk_T) ← KeyGen_Tester(pp): Given the system public parameter pp, returns the tester's public/secret key pair (pk_T, sk_T).
• C ← Enc(sk_S, pk_R, pk_T, M): Given a sender's secret key sk_S, a receiver's public key pk_R, the tester's public key pk_T and a message M, returns a ciphertext C.
• M ← Dec(sk_R, pk_S, pk_R, pk_T, C): Given a receiver's secret key sk_R and a ciphertext C, returns a message M or ⊥ indicating decryption failure.
• Td ← Aut(sk_R, pk_S, pk_{R′}): Given a receiver's secret key sk_R, a sender's public key pk_S and a targeted receiver's public key pk_{R′}, returns a trapdoor Td as the authorization for test.
• result ← Test(C, Td, C′, Td′, pk_R, pk_{R′}, sk_T): Given two ciphertexts C and C′, two trapdoors Td and Td′, two receivers' public keys pk_R and pk_{R′}, and the tester's secret key sk_T, returns 1 if C and C′ contain the same message, and 0 otherwise.

To prevent outside adversaries, it is necessary to designate the tester during the generation of a ciphertext. In addition, in applications like DRG, we need to prevent an inside adversary from generating ciphertexts on behalf of the sender, or from comparing the legitimate receiver's ciphertexts with others if it is not authorized to do so. Therefore, the encryption algorithm of PKAE-DET takes the tester's public key as input, while the trapdoor generation algorithm takes the sender's public key and the public key of another receiver for ciphertext comparison as input. That is, the receiver needs to specify whose ciphertexts the tester may compare its ciphertexts with.

Game I: One-wayness under chosen ciphertext attacks (OW-CCA):
With authorization from the receiver, the adversary A (which could be the tester) should not be able to recover the message from a given ciphertext. Consider the following game.
1) Setup: The challenger C generates system public parameter pp, n S key pairs of senders (pk S i , sk S i ), 1 ≤ i ≤ n S , n R key pairs of receivers (pk R j , sk R j ), 1 ≤ j ≤ n R , and a key pair (pk T , sk T ) of the tester. It sends pp,

2) Phase 1:
A is allowed to issue the following queries polynomially many times:
• Key Query(i): Given an index i of a sender or receiver, the oracle returns the secret key sk_i.
• Decryption Query(i, j, C): Given index i of a sender, j of a receiver and a ciphertext C, the oracle returns the corresponding message M .
• Authorization Query(i, j, k): Given index i of a sender, j of a receiver and k of another receiver to compare with, the oracle computes and returns the trapdoor Td.
3) Challenge: A specifies a challenge sender S* and a challenge receiver R*. C randomly chooses a message M*, computes C* ← Enc(sk_{S*}, pk_{R*}, pk_T, M*) and returns C* to A.
4) Phase 2: A continues to issue queries as in Phase 1.

5) Guess:
A outputs M′, and wins the game if M′ = M* and a) R* was not issued as a key query; b) (·, R*, C*) was not issued as a decryption query; c) (S*, R*, ·) was not issued as an authorization query.
The advantage of A in the game above is defined to be its probability of winning the game, i.e. Adv^{OW-CCA}_A(1^λ). We have the following definition.
Definition 1 (OW-CCA Security): A PKAE-DET scheme satisfies OW-CCA security if for any PPT adversary A, its advantage Adv^{OW-CCA}_A(1^λ) is negligible.

Game II: Indistinguishability under chosen ciphertext attacks (IND-CCA):
Without authorization from the receiver, the adversary A (which could be the tester) should not be able to obtain even one bit of information about the message from a ciphertext. Consider the following game.
1) Setup: Same as that in Game I.
2) Phase 1: A is allowed to issue key queries and decryption queries as in Game I polynomially many times.
3) Challenge: A specifies a challenge sender S*, a challenge receiver R*, and two challenge messages M*_0 and M*_1 of the same length. C randomly selects a bit b ∈ {0, 1}, computes C* ← Enc(sk_{S*}, pk_{R*}, pk_T, M*_b) and returns C* to A.
4) Phase 2: Same as in Phase 1.

5) Guess:
A outputs a bit b′, and wins the game if b′ = b and a) neither R* nor S* was issued as a key query; b) neither (·, R*, ·) nor (·, S*, ·) was issued as a decryption query. The advantage of A in the game above is defined to be We have the following definition.

Without authorization from the receiver, the adversary A, which does not hold the secret key of the tester, should not be able to obtain even one bit of information about the message from a ciphertext. Consider the following game.
1) Setup: The adversary A submits the index R* of its challenge receiver. The challenger C generates the system public parameter pp, n_S key pairs of senders (pk_{S_i}, sk_{S_i}), n_R key pairs of receivers (pk_{R_i}, sk_{R_i}), and a key pair of the tester (pk_T, sk_T). It sends pp, {pk_{S_i}}, {pk_{R_i}} and pk_T to A.
2) Phase 1: A is allowed to issue key queries, decryption queries and authorization queries as in Game I. Furthermore, it is also allowed to issue the following queries:
• Test Query(C, Td, C′, Td′, i, j, k, l): Given ciphertexts C, C′, trapdoors Td, Td′, indices i, j of two senders and indices k, l of two receivers, the oracle computes and returns the test result.
3) Challenge: A specifies a challenge sender S* and two challenge messages M*_0 and M*_1 of the same length. C randomly selects a bit b ∈ {0, 1}, computes C* ← Enc(sk_{S*}, pk_{R*}, pk_T, M*_b) and returns C* to A.
4) Phase 2: Same as in Phase 1.
5) Guess: A outputs a bit b′, and wins the game if b′ = b and a) R* was not issued as a key query; b) (·, R*, ·) was not issued as a decryption query; c) neither (·, ·, ·, ·, ·, ·, R*, ·) nor (·, ·, ·, ·, ·, ·, ·, R*) was issued as a test query.
The advantage of A in the game above is defined to be Adv^{DT-CCA}_A(1^λ). We have the following definition.
Definition 3 (DT-CCA Security): A PKAE-DET scheme satisfies DT-CCA security if for any PPT adversary A, its advantage Adv DT-CCA

IV. CONSTRUCTION
In this part we present our PKAE-DET scheme. It works as below.
1) Setup(1^λ): The algorithm generates a bilinear group where l_m is the maximum length of a message, and l_p and l_g are the representation lengths of an element of Z_p^* and of G_1, respectively. It publishes the system public parameter
The algorithm selects t ←_R Z_p^* and outputs pk_T = (pk^1_T, pk^2_T) = (g^t, h^t), sk_T = t.
5) Enc(sk_S, pk_R, pk_T, M): The algorithm selects α, β ←_R Z_p^* and generates a ciphertext C := (C_1, C_2, C_3, C_4, C_5) as follows.
It returns 1 if T = T′ holds, indicating M = M′, and 0 otherwise. The correctness of our scheme can be verified in a straightforward way, so we omit it here.

V. SECURITY ANALYSIS
In this part we prove the security of our PKAE-DET scheme under the given models via a series of games. Below we use S_i to denote the event that the adversary wins in Game i.
, n_S key pairs of senders (pk_{S_i}, sk_{S_i}), n_R key pairs of receivers (pk_{R_j}, sk_{R_j}), and a key pair (pk_T, sk_T) of the tester. Then C sends pp, {pk_{S_i}}, {pk_{R_i}} and (pk_T, sk_T) to A.
a receiver), the oracle returns the secret key sk_{S_i} (resp. sk_{R_i}).
- Decryption Query(i, j, C): Given index i of a sender, j of a receiver and a ciphertext C, the oracle runs Dec(sk_j, pk_i, pk_j, pk_T, C) and returns the corresponding message M or ⊥ indicating query failure.
- Authorization Query(i, j, k): Given index i of a sender, j of a receiver and k of another receiver to compare with, the oracle runs Aut(sk_i, pk_j, pk_k) and returns the trapdoor Td.
• Challenge: A specifies a challenge sender S* and a challenge receiver R*. C randomly chooses a message M*, selects α, β ←_R Z_p^*, computes and returns C* =
• Phase 2: A continues to issue queries as in Phase 1.
• Guess: A outputs M′, and wins the game if M′ = M* and 1) R* was not issued as a key query; 2) (·, R*, C*) was not issued as a decryption query; 3) (S*, R*, ·) was not issued as an authorization query. The advantage of A in the game is

• Decryption Query(i, j, C): Given index i of a sender, j of a receiver and a ciphertext C, the oracle retrieves the tuples (T, H_2(T)) from List L_2 with T = (C_1‖C_2‖C_3‖C_5‖·). For each tuple it computes (M‖α) ← H_2(T) ⊕ C_4, and returns M if (pk^3_j)^α = C_3 and If no tuple satisfies the conditions above, it returns ⊥. Obviously, the probability that A correctly guesses the output of H_2 without asking the oracle is negligible. So we have:

Game 1.2:
It is almost the same as Game 1.1, except for the generation of C*_4. In this game C selects a random element W*_1 ∈ G_T, computes C*_4 as and adds ((C*_1‖C*_2‖C*_3‖C*_5‖W*_1), C*_4 ⊕ (M*‖α)) to List L_2. Denote by E_1 the event that A queried (C*
The only difference is that a random string W*_2 is used to replace H_2(C*_1‖C*_2‖C*_3‖C*_5‖W*_1) in the computation of C*_4. Since W*_1 is random, the output of H_2 is also random. Hence, the change makes no difference to the advantage of A, and we have that
Notice that in this game C*_2, C*_3, C*_4 and C*_5 are all random in the view of A, and C*_1 is the only ciphertext component containing M*. Since M* is randomly chosen and H_1 is modeled as a random oracle, the probability that A successfully recovers M* from C*_1 is negligible. That is,
• Phase 2: A continues to issue queries as in Phase 1.
• Guess: A outputs a bit b′, and wins the game if b′ = b and 1) neither R* nor S* was issued as a key query; 2) neither (·, R*, ·) nor (·, S*, ·) was issued as a decryption query. The advantage of A in the game is
We proceed by modifying Game 2.0 in the same way as in the proof of Theorem 1, and obtain Game 2.

Game 2.5:
We further modify Game 2.4, and replace (pk^1_{R*})^{sk_{S*}} with a random element W*_4 ∈ G_1 in the computation of C*_1. Now the challenge ciphertext C* is computed as follows.
Given a tuple (g, g^{r*}, g^{s*}), the elements g^{r*·s*} and W*_4 are indistinguishable to A under the SXDH assumption. Therefore, we have

Game 2.6:
We modify the generation of C* as follows:
Since W*_4 is random, C*_1 is also random. Therefore, replacing C*_1 with a random element of the same length makes no difference to the adversary's advantage. That is,
Notice that in this game the whole challenge ciphertext C* is random in the view of A, and leaks no information about the bit b. Therefore, A wins in Game 2.6 with probability at most 1/2. That is,
This completes the proof.

Theorem 3 (DT-CCA):
If the BDH and DBDH assumptions hold, our PKAE-DET scheme above is DT-CCA secure in the random oracle model.
Proof 3: Let A be a PPT adversary against DT-CCA security of our PKAE-DET scheme. Consider the following games.
Game 3.0:
• Setup: A submits the index R* of its challenge receiver. The challenger C generates and sets the system public , n_S key pairs of senders (pk_{S_i}, sk_{S_i}), n_R key pairs of receivers (pk_{R_i}, sk_{R_i}), and a key pair of the tester (pk_T, sk_T). C sends pp, {pk_{S_i}}, {pk_{R_i}} and pk_T to A.
• Phase 1: A is allowed to issue queries as in Game 1.0 polynomially many times. Furthermore, it is also allowed to issue the following queries:
- Test Query(C, Td, C′, Td′, i, j, k, l): Given ciphertexts C, C′, trapdoors Td, Td′, indices i, j of two senders and indices k, l of two receivers, the oracle computes M = Dec(sk_k, pk_i, pk_k, pk_T, C) and M′ = Dec(sk_l, pk_j, pk_l, pk_T, C′), and returns 1 if M = M′, and 0 otherwise.
• Challenge: A specifies a challenge sender S* and two challenge messages M*_0 and M*_1 of the same length. C randomly selects a bit b ∈ {0, 1}, selects α, β ←_R Z_p^*, computes and returns C*
• Phase 2: A continues to issue queries as in Phase 1.

Game 3.1:
This game is the same as Game 3.0, except the decryption oracle.
• Decryption Query(i, j, C): Given index i of a sender, j of a receiver and a ciphertext C, the oracle retrieves the tuples (T, H_2(T)) from List L_2 with T = (C_1‖C_2‖C_3‖C_5‖·). For each tuple it computes (M‖α) ← H_2(T) ⊕ C_4, and returns M if (pk^3_j)^α = C_3 and If no tuple satisfies the conditions above, it returns ⊥. Obviously, the probability that A correctly guesses the output of H_2 without asking the oracle is negligible. So we have:

Game 3.2:
It is the same as Game 3.1, except for the generation of C*_1. In this game C selects a random element W*_6 ∈ G_T, computes C*_1 as and adds (W* · g^{r*·s*})) to List L_3. Denote by E_2 the event that A queried (ê(pk^1_T, pk^4_{R*})^β) to the H_3 hash oracle. Game 3.2 is identical to Game 3.1 if E_2 does not occur. So we have
Due to the intractability of the BDH problem, it is hard for A to compute ê(g^{w*}, f)^β. Therefore, we have that

Game 3.3:
This game is the same as Game 3.2, except for the generation of C*_1: · g^{r*·s*} ⊕ W*_7. A random string W*_7 is used to replace H_3(W*_6) in the generation of C*_1. Since W*_6 is random, the output of H_3 is also random. Therefore, the change makes no difference to the advantage of A. We have that
Next we show that A wins in Game 3.4 with probability only negligibly larger than 1/2.
Proof of Lemma 1: Assume that event S_{3.4} happens with probability ε + 1/2 in Game 3.4. We build an algorithm B to break the DBDH assumption.
Given a DBDH instance (G_1, G_2, G_T, p, ê : , where x, y, z are random elements of Z_p^*, and Z is either equal to ê(g_1, g_2)^{x·y·z} (i.e. b̂ = 0) or a random element (i.e. b̂ = 1), B aims to output a guess b̂′ of the bit b̂. Consider the following game.
• Setup: A submits the index R* of its challenge receiver. B generates and sets the system public parameter , n_S key pairs of senders (pk_{S_i}, sk_{S_i}), n_R key pairs of receivers (pk_{R_i}, sk_{R_i}), and a key pair of the tester (pk_T, sk_T). Specially, B sets pk_{R*} = (pk^1_{R*}, pk^2_{R*}, pk^3_{R*}, pk^4_{R*}) = (g^{r*}, g
• Phase 2: A continues to issue queries as in Phase 1.
• Guess: A outputs a bit b′, and wins the game if b′ = b and 1) R* was not issued as a key query; 2) (·, R*, ·) was not issued as a decryption query; 3) neither (·, ·, ·, ·, ·, ·, R*, ·) nor (·, ·, ·, ·, ·, ·, ·, R*) was issued as a test query. If b′ = b, B returns b̂′ = 0, representing that Z is not a random element, and 1 otherwise.
Hence, C* is a real ciphertext of M*_b, and the view of A is identical to a real attack (according to Game 3.4). Otherwise (i.e. b̂ = 1), Z is a random element. Thus, the ciphertext C* contains no information about M*_b, and the probability that A wins the game is only 1/2. The advantage that B breaks the DBDH assumption is then
If ε is non-negligible, so is Adv^{DBDH}_B(1^λ). Therefore, we have
This completes the proof of Lemma 1. Combining the claims above, we have that:
This completes the proof.

VI. PERFORMANCE EVALUATION
In this section, we compare the computation and communication costs of our scheme with those of some related schemes. Furthermore, we conduct experiments to demonstrate the practicality of our scheme. The second to the sixth rows of Table 1 show the comparison in terms of the computational complexity of the key generation, encryption, decryption, authorization and test algorithms, respectively. The comparison in terms of the communication complexity of the public key, secret key, ciphertext and trapdoor is then given in the next four rows, respectively. The security of the schemes is compared in the eleventh and twelfth rows. The last three rows indicate whether the schemes need the dual-server setting, support a designated tester and resist OMRA, respectively.
As shown in Table 1, our scheme requires less computational overhead in authorization, but more in key generation, encryption, decryption and test algorithms. However, FG-PKEET+ scheme and TS-CCA-FA scheme are based on the dual-server setting, which inevitably requires two servers to transmit messages to each other during the test process, the cost of which could not be neglected. Therefore, dual-server based PKEET schemes should require more running time in practical applications. It is worth noting that the schemes with group mechanism, e.g. G-IBEET [28], need to create a group for each comparison and set up group administrator, which reduces the operability of the scheme. Although G-IBEET scheme seems to be more computationally efficient, users need to encrypt the data multiple times for comparing with different users, which is inconvenient in practice. In addition, these related schemes do not support designated tester, while our scheme does, thus further improving security.
We implemented three PKEET schemes secure against OMRA without a group mechanism: the FG-PKEET+ scheme [9], the TS-CCE-FA scheme [26] and our scheme. The experiments are based on the Java Pairing Based Cryptography (JPBC) library [34], and were executed on a host machine with a quad-core 2.50 GHz Intel i7-6500U CPU and 8 GB of memory, running Windows 7 Pro. We used the Type A pairing constructed from the elliptic curve y^2 = x^3 + x over the field F_p. type-I authorization for comparison, which is more similar to our scheme. The TS-CCE-FA scheme provides the private key directly as the output of the authorization algorithm and thus requires almost no time for trapdoor generation; however, it only achieves IND-CPA security, while our scheme achieves CCA-type security.
Notice that in these figures we only count the computational costs of the algorithms. Communication costs between the two servers in FG-PKEET+ and TS-CCE-FA are not counted. Thus, the efficiency of our scheme is comparable to that of the other two schemes, and the test algorithm, which is usually the most frequently executed one in practice, would even be more efficient in our scheme if communication cost were taken into account. Furthermore, our scheme achieves security against OMRA without resorting to the dual-server setting, thus providing a higher security guarantee. Therefore, we believe that our scheme is more appropriate in applications like diagnostic related groups, which is explained in the next section.

VII. APPLICATION
Figure 7 shows the classification process of diagnostic related groups (DRG). All possible principal diagnoses are first divided into 25 mutually exclusive principal diagnosis areas referred to as MDCs (Major Diagnostic Categories), and then divided into specific DRGs. Each MDC is constructed to correspond to a major organ system (e.g. respiratory system, circulatory system, digestive system) [35].
As in the scenario shown in Fig. 1, our PKAE-DET scheme can be used in medical systems such as a DRG system. Below is an example.
The hospital initializes the system and generates the public parameters pp. The third-party cloud server, acting as the tester, runs KeyGen_Tester to generate (pk_T, sk_T) and publishes its public key pk_T. Each doctor runs KeyGen_Sender to generate his key pair (pk_S, sk_S). Similarly, each patient runs KeyGen_Receiver to generate his own (pk_R, sk_R). After the doctor diagnoses the patient, an electronic medical record M = {M_1, M_2, M_3, M_4, ···} = {Circulatory System, Coronary Bypass, with Cardiac Catheterization, without MCC, ...} is generated, then encrypted with his secret key sk_S, the patient's public key pk_R and the tester's public key pk_T, in the form C = {Enc(M_1), Enc(M_2), Enc(M_3), Enc(M_4), ···}, and uploaded to the cloud server. Patients download their medical records C from the cloud and decrypt them locally.
The patient and the medical institution generate their authorizations Td and Td′ for the cloud server, respectively. With these authorizations, the cloud server is able to match an encrypted electronic medical record C of the patient with the encrypted criteria C′ by running the test algorithm, and return the matching results to the medical institution. Specifically, the cloud server returns the criterion indices corresponding to the patient's medical record, such as the indices of C′_2, C′_4, C′_8 and C′_10. According to Table 2, because of the existence of Enc(Circulatory System), the range is limited to MDC 05. The range is further limited to 231-236 under MDC 05 according to the existence of Enc(Coronary Bypass). The existence of Enc(with Cardiac Catheterization) and Enc(without MCC) eventually determines the DRG to be code 234. In the whole process, the cloud server does not know what each index represents.
However, due to the limited size of the plaintext space for criteria, an authorized cloud server could generate a large number of fake medical records and compare them with a patient's real medical record to guess which disease the patient has. Considering patients' privacy, we require that during the search process the cloud server cannot obtain any additional information about patients' medical records; that is, the cloud server must be prevented from matching illegally, which is exactly the security against OMRA mentioned above. Therefore, the PKAE-DET scheme proposed in this paper is applicable to the DRG application.

VIII. CONCLUSION
In this paper we proposed the notion of public key authenticated encryption with designated equality test (PKAE-DET), which aims to resist offline message recovery attacks. We proposed a concrete construction of PKAE-DET to demonstrate its practicability, which requires neither the dual-server setting nor any group mechanism. Our scheme is shown to be secure under the given models based on some simple mathematical assumptions. Experiments show that our scheme is efficient and could be deployed in a cloud environment in practice. It could be used to support applications like privacy-preserving diagnostic related groups.

VOLUME 7, 2019
QIONG HUANG received the B.S. and M.S. degrees from Fudan University, in 2003 and 2006, respectively, and the Ph.D. degree from the City University of Hong Kong, in 2010. He is currently a Professor with the College of Mathematics and Informatics, South China Agricultural University, Guangzhou, China. He has published more than 100 research articles in international conferences and journals in the area of cryptography and information security. His research interests include cryptography and information security, in particular, cryptographic protocols design and analysis. He has served as a programme committee member in many international conferences.