An Efficient Public Key Searchable Encryption Scheme for Mobile Smart Terminal

With the wide application of the mobile smart terminals, the data privacy protection of the mobile smart terminals stored in the cloud is more and more important. Public key encryption with keyword search (PEKS) and secure channel free PEKS (SCF-PEKS) have been proposed for public key searchable encryption previously. However, the security of keyword search is far from enough. In addition, these schemes are mostly based on bilinear pairing and the computational efficiency is relatively low. In this paper, we propose a novel non-bilinear pairs SCF-PEKS schemes for mobile smart terminal that offer a high computational efficiency along with better security assurances than that of the existing alternatives. Without random oracle model, we prove the security and privacy of the scheme’s keyword ciphertext and keyword trapdoor through the game hopping method. Therefore, the scheme is capable of resisting outside online keyword guessing attack and inside offline keyword guessing attack. Based on the comparison and experimental results, the scheme turns out to be secure and practicable.


I. INTRODUCTION
In recent years, with the rapid development and extensive application of cloud computing technology and 5G communication, the number of cloud users has been increasing rapidly. As a result, cloud storage and data analytics services are increasingly available to the public, such as amazon's AWS and Google's Drive. These cloud service platforms all have cloud computing technology capability. Cloud computing has the advantages of unlimited storage space, fast computing, high service availability, and low cost. It allows users to outsource data hosting and program execution to the third party with much greater storage, computational, and network capacities, which known as Cloud Service Provider. The cloud sever provider can avoid tedious data management and storage on battery-limited devices. It provides convenient services while reducing the need of terminal equipment. As a consequence, this provides great convenience for cloud mobile users with limited devices.
In addition, with the upgrading of mobile smart terminals, the application capacity of mobile smart terminals is The associate editor coordinating the review of this manuscript and approving it for publication was Parul Garg. becoming more and more powerful. A growing number of people upload personal data privacy to cloud service providers for storage with the help of mobile smart terminals. However, there are various security threats to cloud storage. It is easy for suspected personnel to stole the personal privacy data and use illegally. Therefore, the privacy protection of cloud data attracts more and more public attention.
Traditional encryption methods can protect the privacy of data from malicious the cloud sever provider, but also prevent the cloud sever provider from searching the data on behalf of users. Searchable encryption [1], [2] is an effective method to solve the privacy problem of cloud storage, and public key searchable encryption is one of the methods of searchable encryption. For the public key searchable encryption scheme, there are three parties involved, a data owner called Alice, a data user called Bob and a cloud sever provider. First, Alice prepares a file to share with her friend Bob, and sets a keyword ''encryption'' for the file. Then, Alice upload the encrypted file with keyword ciphertext to the cloud sever provider. To search over the encrypted file, Bob can then use his secret key to generate the trapdoor corresponding to keyword ''w = encryption'', and enable the cloud sever provider to retrieve all files that are associated with the keyword w.
After the search finishes, the cloud sever provider returns the search results to Bob. Therefore, Bob can determine whether files with the desired keywords are included in the cloud sever provider. If it does, Bob can decrypt the encrypted file. During the search of Bob, the cloud sever provider does not know the detail of file, nor the keyword.

A. RELATED WORK
The proposal of searchable encryption scheme has attracted the attention and research of many scholars. In 2000, Song et al. [2] proposed a searchable encryption scheme for the first time, but the scheme required traversing all the files to return the results, which required a large computational cost. In 2004, Boneh et al. [3] came up with a public key encryption with keyword search (PEKS) scheme. Soon afterwards, many PEKS schemes and variants [13]- [15] were presented. Nevertheless, there is an obvious weakness in the PEKS scheme that keywords trapdoor need to be secretly transmitted to the cloud server. In 2008, Baek et al. [16] proposed a secure channel free public key encryption with keyword search (SCF-PEKS) scheme to address PEKS problem. The proofs of Boneh et al. and Baek et al. were carried out under the random oracle. The random oracle is a theoretical black box that returns a true uniform random output to any input. In other words, the oracle will output in the same way every time if it takes the same words as input. Fang et al. [17] proposed to prove the keyword security of SCF-PEKS without random oracle model. However, both PEKS and SCF-PEKS schemes have the privacy problem of keywords. Rhee et al. [29]. introduced the ''trapdoor indistinguishability'', and showed that this is a sufficient condition against keyword guessing attacks. Yau et al. [4] described the possible attack scenarios in the current nature of the internet and public key encryption with keyword search applications, e.g. email routing. It claims to be secure against the keyword guessing attacks by the outsider attacker.
Whereas, Shao and Yang [15] argued that the existing PEKS scheme and SCF-PEKS scheme are not safe in the attack of malicious server's keyword guessing. Therefore, the privacy of keywords in public key searchable encryption scheme becomes a problem that researchers need to address. According to the attackers' attack pattern, they can be divided into online keyword guessing attack and offline keyword guessing attack. Noroozi and Eslami [18] brought up a new PEKS scheme to resist offline and online keyword attacks by outside attackers. According to the type of attacker, it can be divided into inside attacker and outside attacker. We often refer to malicious cloud servers as inside attackers and attackers other than the cloud servers as outside attackers. Only by ensuring the keywords ciphertext indistinguishability and keywords trapdoor indistinguishability can the privacy security of keywords be realized. Huang and Li [19] pointed out that almost all existing PEKS schemes are vulnerable to inside keyword guessing attack, an inside adversary can determine the keyword information by exhausting the keyword space offline to test the matching of the search keyword with the trapdoor. Therefore, they introduced a scheme to resist keyword guessing attacks by inside attackers, but there is still possibility of keyword statistical information leakage. Wang et al. [20] improved the scheme proposed by Huang and Li [19] and proposed a scheme of trapdoor uncertainty to prevent keyword statistical information from leak out and to resist keyword guessing attack by inside attackers. Hwang et al. [21] proposed that the public key improved by ElGamal could be searched and encrypted, which could resist the keyword guessing attack of outside attackers. Xu and Lu [22], Lu et al. [23], [24] proposed a keyword trapdoor with access control function, and proved that it could resist the known keyword guessing attack without random oracle model. The game-hopping method proposed by Alexander in literature [25] is a method to verify the security of cryptographic scheme, and the attacker runs an unknown probability of success in a specific attack environment. It bound the increase in the attacker's success probability caused by the changes to the attack environment. Thus, it can deduce a bound for the attacker's success probability in the original environment. Therefore, we can judge the security of the cryptographic scheme.

B. OUR CONTRIBUTION
How to improve the privacy security of the keywords in the public key searchable encryption to resist the online and offline keyword guessing attack and achieve higher computational efficiency in the use of mobile smart terminals is our intensive research.
In this work, we come up with a new efficient secure channel free public key searchable encryption without using bilinear pair operation scheme, which is able to against the existing outside and inside keyword guessing attacks in SCF-PEKS scheme. Roughly, we make the contributions as follows: 1) We propose a public key searchable encryption based on non-bilinear pairings, which is consistent with the standard models of SCF-PEKS [16], SPEKS [13], SCF-PEPCKS [24] and Hwang et.al. [21]. We embed keyword ciphertext with random number to ensure the uncertainty of keyword ciphertext. Compared with [3], [13], [16], [21] and [24], our proposed scheme has some good properties, such as no secure channel, no key escrow and no designated server. In addition, compared with the experimental simulation of [16], [21] and [24], our proposed scheme is more efficient and has shorter communication size. The comparison results demonstrate that our scheme is suitable for the deployment of practical applications.
2) Without random oracle model, we construct an efficient secure channel free public key encryption with keyword search scheme. We prove our scheme is able to resist outside VOLUME 8, 2020 online keyword guessing attacks and inside offline keyword guessing without random oracle by ensuring keyword ciphertext indistinguishability security under adaptive chosen keyword attacks and keyword trapdoor indistinguishability security under adaptive chosen keyword attack.
The proof of our scheme meets the following requirements: i) the complex assumption of the Discrete Logarithm (DL) [26] is required to achieve keyword ciphertext indistinguishability security under adaptive chosen keyword attacks. ii) the complex assumption of the hash Diffie-Hellman (hDH) [27] is required to achieve keyword trapdoor indistinguishability security under adaptive chosen keyword attacks.

C. ORGANIZATION
In the second section, we provide the notation, problem assumption and definition of SCF-PEKS briefly. In the third section, we describe the existing keyword security problems in SCF-PEKS scheme. In the fourth section, we describe the definition and security model of our proposed scheme. In the fifth section, we show the description of the scheme. In the sixth section, we prove the scheme secure by game hopping method. Then, we show the scheme security properties comparison with other previous schemes. In the seventh section, we show our proposed scheme the comparison of computation efficiency and communication efficiency with other previous schemes.

II. PRELIMINARIES
In this section, we show notation and problem assumption, and then we describe definition of SCF-PEKS scheme polynomial time algorithm and definition of against keyword guessing attacks.  Table 1 describes the symbols and description used in our paper.

B. PROBLEM ASSUMPTION
Definition 1: Let G be a cyclic group of prime order q with a generator g. Select a ∈ Z q * , for every arbitrary probability ε with a polynomial time t, there is an adversary A in solving DL [26] problem, if Pr[A(g, g a ) = a] < ε. Definition 2: Let G be a cyclic group of prime q and g be a generator of G. H : G → {0, 1} l is a hash function mapping. Given hash function H and tetrad (g, g a , g b , Z ) ∈ G 3 ×{0, 1} l where a, b ∈ Z q * and l denotes the binary length of hash values. hDH [27] problem is to judge whether Z and H (g ab ) are equal.
Assuming that the hDH problem in cyclic group G is difficult, for every arbitrary probability ε with a polynomial time t, there is an adversary A in solving hDH problem, Baek et al. [16] proposed a secure channel free public key encryption scheme with keyword search, which includes six polynomial time algorithms: 1) GlobalSetup(λ): The global parameter generation algorithm takes a security parameter λ as input and outputs global parameter GP.
2) KeyGen server (GP): The server's key pair generation algorithm takes global parameter GP as input, and outputs a secret/public key pair (sk S , pk S ) for the server.
3) KeyGen receiver (GP): The receiver's key pair generation algorithm takes global parameter GP as input, and outputs a secret/public key pair (sk R , pk R ) for the receiver. 4) Encrypt(GP, pk S , pk R , w) → C w : The keyword encryption algorithm takes global parameter GP, a server's public key pk S , a receiver's public key pk R , and a keyword w ∈ KS w as input, and outputs a keyword ciphertext C w . 5) Trapdoor(GP, sk R , pk S , w ) → T w : The keyword trapdoor generation algorithm takes global parameter GP, a server's public key pk S , a receiver's secret key sk R , and a search keyword w as input, and outputs a keyword trapdoor T w . 6) Test(GP, C w , sk S , T w ) → 0/1: The test algorithm takes global parameter GP, a keyword ciphertext C w , a server's secret key sk S , a keyword trapdoor T w as input, and outputs a symbol ' Most of the existing PEKS and SCF-PEKS schemes are constructed based on bilinear pairings. Note that bilinear pairings use two cyclic groups G and G T with prime order q and g is taken as a generator of G. We say that e is a map G × G to G T , and the map e is a bilinear map if the following hold [3], [16].
(2) Non-degeneracy: if g is a generator of G, then e(g, g) is a generator of G T ,such that e(g, g) = 1.
(3) Computation: There is a polynomial time algorithm to compute e(P, P),where P ∈ G.

D. ANALYSIS OF AGAINST KEYWORD GUESSING ATTACKS
There exist two types of attacker against keyword attack in SCF-PEKS scheme. One is the inside attacker, namely that is the malicious server, and the other is the outside attacker. The attackers can intercept the keyword ciphertext and keyword trapdoor information when the user communicates with the server. However, the attacker cannot make a keyword guess because he doesn't have the secret key of both sides. The malicious server can calculate whether there is a keyword match between the keyword trapdoor and the keyword ciphertext by testing algorithm. Therefore, a malicious server has more authority than an outside attacker.
In this subsection, we will introduce three different keyword guessing attacks. [28] This is performed by an outside attacker in the offline model. The vulnerabilities of keyword guessing attack come from the trapdoors which are simply generated by just combining keywords and secret key. In the outside offline keyword guess attack, the outside attacker can intercept keyword trapdoor information to guess. Secure channel free public key encryption with keyword search designed by Baek et al. [16] solved the security of trapdoor. Baek et al. [16] improved the scheme proposed by Boneh et al. [3] and solved the problem of keyword trapdoor. Rhee et al. [29] proposed that it can guarantee the privacy of keyword trapdoor, if the trapdoor is indistinguishable for the outside attack.

2) OUTSIDE ONLINE KEYWORD GUESSING ATTACK [4]
This is performed by an outside attacker in the online model. In the outside online keyword guessing attack, the outside attacker creates a collection of all possible keyword ciphertext, and then the attacker transfers the data ciphertext to the cloud server. The attacker then monitors the communication between the cloud server and the target receiver. Once it observes that the returned search results are related to the previously injected ciphertext, it knows the keyword information being searched by the target receiver. [28] This is performed by an inside attacker in the offline model. The malicious cloud service provider traverses the keyword that set in offline mode and tries to find the keyword information in the keyword trapdoor. This attack is similar to an outside offline attack. Since the malicious cloud service provider stored a large number of keyword ciphertext, the malicious cloud service provider can do the test algorithm. It can also further discover which data ciphertext contains the same keyword. Hence, Huang and Li [19]. proposed a public key searchable encryption scheme to against inside keyword guessing attacks.

III. EXISTING KEYWORD SECURITY PROBLEMS IN SCF-PEKS SCHEME
In this section, we describe the existing keyword security problems in SCF-PEKS scheme both outside online keyword guessing attack and inside offline keyword guessing attack.

A. OUTSIDE ONLINE KEYWORD GUESSING ATTACK ON SCF-PEKS SCHEME
Step 1: The outside attacker identifies the specified receiver.
Step 2: The outside attacker prepare to upload the plaintext file f 1 , f 2 , · · · , f n and the corresponding keywords w 1 , w 2 , · · · , w n . The outsider attacker uses the public key of the specified receiver and the server to generate keyword ciphertext matching the file ciphertext < C f 1 , C w 1 >, < C f 2 , C w 2 >, · · · , < C f n , C w n > through Encrypt(GP, pk S , pk R , w) algorithm of SCF-PEKS. Finally, the outside attacker injects searchable file ciphertext to the cloud service provider.
Step 3: The outside attacker can inject keyword trapdoors because there is secure channel free property of SCF-PEKS scheme. Therefore, after the cloud service provider receives the search query from the specified receiver, it finds all the matching file ciphertext and returns the search results.
Step 4: The outside attackers monitor the communication channel between the specified receiver and the cloud service provider. If the returned result is observed to contain injected file ciphertext C f i , the outside attacker will confirm that the keyword trapdoor from the specified receiver involves attackers' keyword w i . Therefore, the outside attacker guess correctly.

B. INSIDE OFFLINE KEYWORD GUESSING ATTACK ON SCF-PEKS SCHEME
In the above online keyword guessing attack, since the outside attacker does not know the key of the cloud service provider, the test algorithm cannot be used to verify its guess directly. However, by monitoring the communication between the cloud service provider and the specified receiver, it is easy to inject the keyword ciphertext into the cloud service provider to obtain the test results. Therefore, a data sender should not be able to distinguish between an uploaded ciphertext corresponding to a document encrypted by him and other uploaded encrypted documents. This property provides security against online keyword guessing attacks. Nevertheless, the improved scheme still has the problem of inside offline keyword guessing attacks. The malicious cloud service provider performs an inside offline keyword attack on the SCF-PEKS scheme, as follows: Step 1: The malicious cloud service provider identifies the specified receiver. It can receive the keyword trapdoor T w from the specified receiver.
Step 2: The malicious cloud service provider picks a keyword w . By using the specified receiver's public key pk R and its own public key pk S , it perform the keyword encryption algorithm to compute the keyword ciphertext C w .
Step 3: The malicious cloud service provider runs the test algorithm SCF-PEKS by using its own key sk S . Then it check whether the keyword ciphertext C w and the trapdoor contain the same keyword T w . If it does, then the malicious cloud service provider can guess correctly. Otherwise, the malicious cloud service provider returns Step 2 and continues to guess. VOLUME 8, 2020

IV. OUR PROPOSED SCHEME
In this section, we describe our proposed scheme's definition and the security model.

A. DEFINITION OF OUR PROPOSED SCHEME
As shown by the against keyword guessing attacks in the previous section, most of the current SCF-PEKS scheme cannot against outside online keyword guessing attacks and inside offline keyword guessing attacks. Since the inside attacker can use the public key of the server and the data user to generate the keyword trapdoor, the inside attacker can do the test the algorithm to guess the keyword attack. In order to achieve the privacy of keyword search, we enhanced the security of SCF-PEKS scheme to prevent attackers without secret keys from generating keyword trapdoors. Therefore, the scheme has the ability of access control. It means the keyword ciphertext and keyword trapdoor has the property of unforgeability. We use a non-designated server for storage, making the scheme more flexible. We do not use bilinear pair operation, so the scheme is more efficient and more suitable for mobile terminals with limited communication capacity. The schematic diagram of the algorithm flow of our scheme is shown in Figure 1. In our scheme, we have four parties: Authentication Center (AC), Data Owner (DO), Data User (DU) and Cloud Service Provider (CSP). AC take charge running the global setup algorithm to distribute global parameters. DO generate encrypted file with keyword ciphertext and upload them to CSP. Meanwhile, CSP mainly has the characteristics of storing and retrieving data. DU can then use his/her secret key to generate the trapdoor corresponding to keyword w , and enable CSP to retrieve all files that are associated with the keyword w . After the search finishes, CSP returns the search results to DU. If it does, it will return the file ciphertext to DU, else return 0.
Our proposed scheme includes five polynomial time algorithms: 1) GlobalSetup(λ): The global parameter generation algorithm takes a security parameter λ as input and outputs global parameter GP.

2) KeyGen(GP):
The data owner's key pair generation algorithm takes global parameter GP as input, and outputs a secret/public key pair (sk S , pk S ) for DO. The data user's key pair generation algorithm takes global parameter GP as input, and outputs a secret/public key pair (sk R , pk R ) for DU.
3) Encrypt(GP, sk S , pk R , w) → C w : The keyword encryption algorithm takes global parameter GP, a data owner's secret key sk S , a data user's public key pk R , and a keyword w ∈ KS w as input, and outputs a keyword ciphertext C w . 4) Trapdoor(GP, sk R , pk S , w ) → T w : The keyword trapdoor generation algorithm takes global parameter GP, a data user's secret key sk R , a data owner's public key pk S , and a search keyword w as input, and outputs a keyword trapdoor T w . 5) Test(GP, C w , T w ) → 0/1: The test algorithm takes global parameter GP, a keyword ciphertext C w , a keyword trapdoor T w as input, and outputs a symbol ''1'' if w = w or ''0'' otherwise.

B. SECURITY MODEL
The proposed scheme ought to ensure both keyword ciphertext indistinguishable security under adaptive chosen keyword attacks (CIND-CKA) and keyword trapdoor indistinguishable security under adaptive chosen keyword attacks (TIND-CKA) if the scheme is able to against outside online keyword guessing attacks and inside offline keyword guessing attacks. Generally, we divide our adversaries into inside and outside attackers. The inside attackers usually refer to semi trusted CSP, while the outside attackers usually refer to attackers other than DO, DU and CSP. Combining the two types of adversaries and security, we present two games definitions. The security CIND-CKA game and TIND-CKA game between the attacker and challenger are as follow:

1) CIND-CKA GAME
Assume A 1 is malicious server or outside attacker, and B is a challenger.
Setup: The challenger B takes security parameters λ as input, and outputs global parameters GP = (G, q, g, H , H 1 , K S w ), a DO's secret/public key pair (sk S , pk S ) and DU's secret/public key pair (sk R , pk R ) through the GlobalSetup(λ) and KeyGen(GP) algorithm. The challenger B sends the public key pk S , pk R and global parameters GP to the attacker A 1 .
Phase 1: The attacker A 1 makes a series of query to the challenger B adaptively. The oracles are simulated by challenger B as follow: a. Ciphertext Query: The challenger B responds to the ciphertext query C w for the attacker A 1 for a keyword w through Encrypt(GP, pk R , sk S , w) algorithm.
b. Trapdoor Query: The challenger B responds to the trapdoor query T w for the attacker A 1 for a keyword w through Trapdoor(GP, pk R , sk S , w ) algorithm.
c. Test Query: The challenger B responds to the test query for the attacker A 1 for keywords ciphertext C w and trapdoor T w . The test query simulate an attack in which the attacker A 1 verifies that a keyword ciphertext matches a keyword trapdoor by executing Test(GP, C w , T w ) algorithm or using CSP.
Challenge: The attacker A 1 chooses two keywords w 0 and w 1 , which he/she has not asked for the cipertext before, and sends w 0 and w 1 to the challenger B. The challenger B picks b ∈ {0, 1} to compute a keyword ciphertext C w b randomly, and then returns C w b to attacker A 1 .
Phase 2: The attacker A 1 continues to make a series of queries to the challenger B adaptively, but with the restrictions that A 1 is disallowed to query the keyword ciphertext or trapdoor of either w 0 or w 1 .
We define that the attacker A 1 has the advantage of winning CIND-CKA game, if

Definition 3 (Security of CIND-CKA):
We say that a CIND-CKA scheme satisfies the requirement of security if the advantage is negligible for an attacker A 1 to win CIND-CKA game in polynomial time.

2) TIND-CKA GAME
Assume A 2 is malicious server or outside attacker, and B is a challenger.
Setup: The challenger B takes security parameters λ as input, and outputs global parameters GP = (G, q, g, H , H 1 , K S w ), a DO's secret/public key pair (sk S , pk S ) and DU's secret/public key pair (sk R , pk R ) through the GlobalSetup(λ) and KeyGen(GP) algorithm. The challenger B sends the public key pk S , pk R and global parameters GP to the attacker A 2 .
Phase 1: The attacker A 2 makes a series of query to the challenger B adaptively. The oracles are simulated by challenger B as follow: a. Ciphertext Query: The challenger B responds to the ciphertext query C w for the attacker A 2 for a keyword w through Encrypt(GP, pk R , sk S , w) algorithm.
b. Trapdoor Query: The challenger B responds to the trapdoor query T w for the attacker A 2 for a keyword w through Trapdoor(GP, pk R , sk S , w ) algorithm.
c. Test Query: The challenger B responds to the test query for the attacker A 2 for keywords ciphertext C w and trapdoor T w . The test query simulate an attack in which the attacker A 2 verifies that a keyword ciphertext matches a keyword trapdoor by executing Test(GP, C w , T w ) algorithm or using CSP.
Challenge: The attacker A 2 chooses two keywords w 0 and w 1 , which he/she has not asked for the trapdoor before, and sends w 0 and w 1 to the challenger B. The challenger B picks b ∈ {0, 1} to compute a keyword trapdoor T w b randomly, and then returns T w b to attacker A 2 .
Phase 2: The attacker A 2 continues to make a series of queries to the challenger B adaptively, but with the restrictions that the attacker A 2 is disallowed to query the keyword ciphertext or trapdoor of either w 0 or w 1 .
We define that the attacker A 2 has the advantage of winning the TIND-CKA game, if

Definition 4 (Security of TIND-CKA):
We say that a TIND-CKA scheme satisfies the requirement of security if the advantage is negligible for an attacker A 2 to win TIND-CKA game in polynomial time.

V. DESCRIPTION OF OUR PROPOSED SCHEME
Our proposed scheme consists of the following algorithm: 1) GlobalSetup(λ): The globalsetup algorithm is run by AC, and takes a security parameter λ as input. The algorithm generates G to be a cyclic group of prime order q with a generator g. It select two secure hash function H : {0, 1} * → Z q * and H 1 : G → {0, 1} l , where l denotes the binary length of hash values. Finally, it outputs the global parameters GP = (G, q, g, H , H 1 , K S w ), where K S w denotes a keyword space.
2) KeyGen(GP): DO randomly selects sk S 1 , sk S 2 ∈ Z q * as the secret key sk S = (sk S 1 , sk S 2 ). The keygen algorithm takes the global parameters GP and DO's secret key sk S = (sk S 1 , sk S 2 ) as input, and then computes the public key pk S = (pk S 1 , pk S 2 ) = (g sk S 1 , g sk S 2 ). Returns a DO's secret/public key pair (sk S , pk S ). DU randomly selects sk R 1 , sk R 2 ∈ Z q * as the secret key sk R = (sk R 1 , sk R 2 ), where gcd(sk R 2 , q − 1) = 1. The keygen algorithm takes the global parameters GP and DU's secret key sk R = (sk R 1 , sk R 2 ) as input, and then computes the public key pk R = (pk R 1 , pk R 2 ) = (g sk R 1 , g sk R 2 ). Returns a DU's secret/public key pair (sk R , pk R ).
3) Encrypt(GP, w, sk S 1 , pk R 1 , pk R 2 , r) → C w : DO takes the global parameters GP, a DO's secret key sk S 1 , a DU's public key pair pk R = (pk R 1 , pk R 2 ) and a keyword w ∈ K S w as input, and then computes C w = (U , V ) = (pk r R 2 , H 1 (g r·H (w||ss) )), where ss = H 1 ((pk R 1 ) sk S 1 ). Returns a keyword ciphertext C w . 4) Trapdoor(GP, w , sk R 1 , sk R 2 , pk S 1 ) → T w : DU takes the global parameters GP, a DO's public key pk S 1 , a DU's secret key pair sk R = (sk R 1 , sk R 2 ) and a keyword w ∈ K S w as input, and then computes T w = (sk R 2 ) −1 ·H (w ||ss * ) where ss * = H 1 ((pk S 1 ) sk R 1 ). Returns a keyword trapdoor T w . 5) Test(GP, C w , T w ) → 0/1: CSP takes the global parameters GP, a keyword ciphertext C w , a keyword trapdoor T w as input. The test algorithm checks whether the equation H 1 (U T w ) = V holds. If it does, output 1; else, output 0.
According to the specifications of the above algorithms, we have ss = H 1 ((pk R 1 ) sk S 1 ) = H 1 (g sk R 1 ·sk S 1 ) Because ss = ss * ,we have that the equation H 1 (U T w ) = V holds, if w = w . Therefore, our proposed scheme is correct.

VI. SECURE ANALYSIS
In this section, we provide the security proof of our proposed scheme.

A. SECURITY PROOF
We analysis the security of our proposed scheme by using game hopping [25] proof method. Formally, we have the following lemma.
Lemma 1 (Difference Lemma) [25]: Let E be some ''error event'' such that S 1 |¬E occurs if and only if S 2 |¬E occurs. Then The following are our security statements and the proofs.
Theorem 1: The above CIND-CKA game is secure without random oracle model assuming that H is a collision resistance hash function, and that the DL problem is intractable.
Proof: Assume that A 1 is a polynomial-time attacker against the security of the proposed TIND-CKA game, A H is a collision resistance hash function attacker and that A hDH is to break the DL problem attacker.
The theorem can be proven by consisting of five games as sub-game programs Game i (i = 1, 2, 3, 4, 5) with the attacker A 1 . We define the attacker A 1 to guess the correct event in the Game i as X i , that is b = b i . The attacker will terminate with some final output, which will then be assessed to see if the attacker ''won''. Game-hopping is as follows: Game 1 : This game is the original attack CIND-CKA game, so the probability of A 1 guessing correctly is Adv(λ) A 1 = | Pr[X 1 ] − 1/2|. Game 2 : B randomly picks a, sk R 1 , sk R 2 ∈ Z q * to compute g = g a and pk R = (g sk R 1 , (g a ) sk R 2 ), where g is the generator of group G. Other parameters is the same as Game 1 . Obviously, Game 2 and Game 1 are indistinguishable from A 1 . So, the probability of A 1 guessing correctly is equal, Game 3 : The game is the same as Game 2 , except that B changes the way he/she to responds to A 1 for the ciphertext query, trapdoor query, test query and challenge. And B as oracle to responds the ciphertext query, trapdoor query and test query as follow: Ciphertext Query: A 1 makes a ciphertext query with keyword w ∈ K S w . B picks a random number r ∈ Z q * and returns keyword ciphertext C w = (U , V ) to A 1 , where U = (pk R 2 ) r , V = H 1 (g rH (w||ss) ) and ss = H 1 ((pk R 1 ) sk S 1 ).
Test Query: A 1 makes a test query with keyword ciphertext C w and a keyword trapdoor T w . B returns 1 if H 1 (U T w ) = V or 0 otherwise.
Challenge: A 1 sends two keywords w 0 and w 1 to B, where w 0 = w 1 that he/she has not challenged before. B chooses r * ∈ Z q * and b ∈ {0, 1} randomly for a keyword ciphertext . And then returns them to A 1 .
If we make r = r * /a, then Therefore, the challenge ciphertext C w b = (U * , V * ) is the effective ciphertext of the keyword w b .
In the above game, if B is able to respond kinds of queries and challenge correctly, Game 2 and Game 3 will be indistinguishable to A 1 . So, the attacker A 1 has the same probability of guessing correctly in both Game 2 and Game 3 , if Pr[ Game 4 : The game is the same as Game 3 , except that B will terminate the game, if it have any of the following events occur.
Event E 1 : A 1 makes a ciphertext query to B, including the keyword's input satisfies w = w b , but V = V * . Event E 2 : A 1 makes a trapdoor query to B, including the keyword's input satisfies w = w b , but H (w||ss * ) = H (w b ||ss * ).
Obviously, Game 3 Game 5 : The game is the same as Game 4 , except that B picks a random number Z ∈ G to compute V * = H 1 ((Z ) H (w b ||ss)·r * ) instead of V * = H 1 ((g a ) H (w b ||ss)·r * ) when computing the challenge ciphertext C w b = (U * , V * ). Obviously, B does not need to know the value of a to respond all the attacker's queries by using only Discrete Logarithm tuples (g, g a , Z ) in Game 5 . Obviously, Game 4 and Game 5 are uniform, there is an attacker A DL that can distinguish the values of Z and g a by a non-negligible advantage, if the DL problem is addressed. Suppose the attacker A DL has the advantage of winning Game 5 Since Z is a random value of group G, the probability of A 1 guessing correctly is Pr[ End the game-hopping and analyze A 1 's advantage. We have On the basis of the above games, we can conclude as follow: Adv(λ) A H and Adv(λ) A DL are negligible, because the security proof achieves the collision resistance property of the hash function H and the DL problem is intractable.
Therefore, we can conclude that CIND-CKA game is secure.
Theorem 2: The above TIND-CKA game is secure without random oracle model assuming that H is a collision resistance hash function, and that the hDH problem is intractable.
Proof: Assume that A 2 is a polynomial-time attacker against the security of the proposed TIND-CKA game, A H is a collision resistance hash function attacker and that A hDH is to break the hDH problem attacker.
The theorem can be proven by consisting of five games as sub-game programs Game i (i = 1, 2, 3, 4, 5) with the attacker A 2 . We define the attacker A 2 to guess the correct event in the Game i as X i , that is b = b i . The attacker will terminate with some final output, which will then be assessed to see if the attacker ''won''. Game-hopping is as follows: Game 1 : This game is the original attack TIND-CKA game, so the probability of the attacker A 2 guesses correctly is Adv(λ) A 2 = | Pr[X 1 ] − 1/2|. Game 2 : B randomly picks a, b, sk R 1 , sk R 2 ∈ Z q * to compute pk S 2 = g a and pk R = (g b , g sk R 2 ), where g is the generator of group G. Other parameters is the same as Game 1 . Obviously, Game 1 and Game 2 are indistinguishable from A 2 . So, the probability of A 2 guessing correctly is equal, if Pr[ Game 3 : This game is the same as Game 2 , except that B changes the way he/she to responds to A 2 for ciphertext query, trapdoor query, test query and challenge. And B as oracle to responds the ciphertext query, trapdoor query and test query as follow: Ciphertext Query: A 2 makes a ciphertext query with keyword w ∈ K S w . B picks a random number r ∈ Z q * and returns keyword ciphertext C w = (U , V ) to A 2 , where U = (pk R2 ) r , V = H 1 (g rH (w||ss 1 ) ) and ss = H 1 (g ab ).
Trapdoor Query: A 2 makes a trapdoor query with keyword w ∈ K S w . B returns trapdoor T w = (sk R 2 ) −1 · (H (w ||ss * )), where ss * = H 1 (g ab ). Test Query: A 2 makes a test query with keyword ciphertext C w and a keyword trapdoor T w . B returns 1 if H 1 (U T w ) = V or 0 otherwise.
Challenge: A 2 sends two keywords w 0 and w 1 to B, where w 0 = w 1 that he/she has not challenged before. B chooses b ∈ {0, 1} randomly for a keyword trapdoor T w b = (sk R 2 ) −1 · (H (w ||ss * )), where ss * = H 1 (g ab ). And then returns them to A 2 .
Obviously, the challenge trapdoor is the effective trapdoor of the keyword w b .
In the above game, if B is able to respond kinds of queries and challenge correctly, Game 2 and Game 3 will be indistinguishable to A 2 . So, A 2 has the same probability of guessing correctly in both Game 2 The game is the same as Game 4 , except that B picks a random number Z ∈ {0, 1} l instead of H 1 (g ab ) when responding the challenge of trapdoor, ciphertext query and trapdoor query. Obviously, B does not need to know the value of a and b to respond all the attacker's queries and trapdoor challenge by using only hDH tuples (H 1 , g, g a , g b , Z )    On the basis of the above games, we can conclude as follow: Adv(λ) A H and Adv(λ) A hDH are negligible, because the security proof achieves the collision resistance property of the hash function H and the hDH problem is intractable.
Therefore, we can conclude that TIND-CKA game is secure.

B. SECURITY PROPERTIES ANALYSIS
We compare the security properties of our scheme with other previous schemes, as shown in Table 2. The security properties comparison includes secure channel, no key escrow, designated server and bilinear pair operation, while provide against outside online keyword guessing attacks, against inside offline keyword guessing attacks.

VII. EFFICIENCY ANALYSIS
In this section, we present a comparison of the efficiency and communication of our scheme with other schemes, including SCF-PEKS [16], SCF-PEPCKS [24], Hwang et al. [21]. The details are shown in Table 3. The symbols τ b , τ e and τ h stand for the running time for a bilinear pair operation, an exponential operation in the group and one time hash operation in group G or G T . Respectively, and their coefficients represent the times of such operation. The symbols |G|, |Z q * | and λ represent the size of the elements in group G, the size of the element Z q * , and the size of the hash. We use the time operation to reflect the computational efficiency of the algorithm. For example, our scheme need to calculate three exponentiations in G and two hash functions operation to encrypts a keyword. So the time cost of our scheme is 3τ e + 2τ h .
In the communicational efficiency comparison, the keyword size length is a measure of the length of the keyword variable output after encryption. For instance, our scheme contains a group element in G. So, a keyword ciphertext size is 2|G|. We implemented our proposed scheme on a Lenovo PRODUCT that runs windows 10 (64bit) with Inter(R) CoreTM i5-3470s CPU @2.9GHz and 8GB RAM memory by employing the gmpy2 (Encapsulation of The GNU Multiple Precision Library [30]) module. In order to achieve the security attributes almost consistent with the [24] schemes, we instantiate 512-bit group size and the general cryptographic hash function is respectively instantiated by SHA-256. The experimental results are shown by Figure 2 to Figure 5. Besides, the time consumption and communication   size data of SCF-PEKS and SCF-PEKSCKS schemes are provided by [24].
We come up with our scheme outperforms the SCF-PEKS schemes [16], SCF-PEPCKS [24] and Hwang et.al. [21] in both keyword encryption and testing. As illustrated in Figure 2, the time of a single keyword ciphertext in our scheme is about 0.177ms, while that in the schemes [16], [24], and [21] is about 12.693ms, 6.322ms, 0.094ms. In addition, the time consumption of testing in our scheme is about 0.033ms, while that in the schemes [16], [24] and [21] is about 8.809ms, 3.701ms, 0.235ms.
For the communication cost, a keyword ciphertext in our scheme has 0.125kb, while a keyword trapdoor has 0.0625kb. Therefore, the scheme does not need a large storage space to store keyword ciphertext and keyword trapdoor. As shown by Figure 4 and Figure 5, the communication consumption of our scheme is better than that of schemes in [16], [24] and [21]. According to the experimental results, we concluded that our scheme has more practical application significance than [16], [24] and [21] schemes in mobile smart terminals with limited communication and computing power.

VIII. CONCLUSION
In this paper, we present an efficient public key searchable encryption without bilinear pair operation for mobile smart terminal. Our proposed scheme has good security properties, high computational efficiency and low storage space. We prove our scheme is capable of resisting both inside offline keyword guessing attacks and outside online keyword guessing without random oracle model by satisfying keyword ciphertext indistinguishability security under adaptive chosen keyword attacks and keyword trapdoor indistinguishability security under adaptive chosen keyword attacks. The experimental results and comparisons show that it is feasible. These have practical significance for the application of mobile smart terminal.