Generic Construction of Dual-Server Public Key Encryption With Keyword Search on Cloud Computing

Chen et al. indicated the inner keyword guessing attack coming from the low entropy of keywords, which eliminates the semantic security of most keyword search schemes. Then, they accordingly propose the first dual-server PEKS scheme (abbreviated as DS-PEKS) and its related security models to prevent such attacks. In the DS-PEKS architecture, two non-collusive servers must corporate to execute the keyword search procedure. No individual server has the capability of determining the equivalence between keywords alone, and thus the inner keyword guessing attacks can be avoided. In this article, we found that the security models are lack of soundness and strength, so our first result is to define new stronger and sounder security models which implies all security aspects of original models. Secondly, we also propose a generic construction of DS-PEKS schemes based on IND-CCA2 secure PKE schemes. Finally, we analyze the newly proposed DS-PEKS scheme, and proof its security with the stronger models based on the IND-CCA2 security in the standard model.


I. INTRODUCTION
Nowadays, the cloud services are ubiquitous in real-life.For example, people would like to outsource their photos to Google Drive for reducing cell-phone storage usage. If such data are confidential such as phone numbers, birthdays, credit card numbers or even medical records, it leads a serious security issue for secrecy and privacy. In fact, some financial service providers and on-line banks store extremely sensitive data like bank account numbers and credit card numbers from their consumers. In addition to the issue of authenticity which can be done by authentication schemes [1], [2], the security issue of the outsourced data has also been highly attracted attention along with the spread of cloud applications. A natural solution is directly to encrypt such confidential data before The associate editor coordinating the review of this manuscript and approving it for publication was Mostafa M. Fouda . storing but we are not able to do any computation over these encrypted data. For general purposes, fully homomorphic encryption (FHE) firstly introduced by Gentry [3] is a very powerful tool to achieve the goal, but as we knew the computation cost of FHE is quite expansive. For specific purposes (i.e., searching, indexing, clustering, optimizing), we should have some more efficient solutions, and thus cryptosystems with extra specific functionalities [4] have been regarded as an urgent requirement in the modern technology.
Searchable encryption is a cryptographic notion that allows servers to search over encrypted documents without losing their privacy. The first public key encryption with keyword search (abbreviated as PEKS) was proposed by Boneh et al. [5] in 2004. It works in the following scenario (illustrated in Fig. 1(a)): a sender encrypts a document and its searchable keyword using a receiver's public key. Then, the sender stores the document as well as the index (encrypted VOLUME 8, 2020 This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/ keyword) on a cloud data server. Once the receiver wants to retrieve her own documents (related to some keywords), she generates a trapdoor using her private key and the desired keyword. On receiving the trapdoor from the receiver, the cloud storage server executes tests between the input trapdoor and all index stored on the server. The corresponding documents will be returned when the keyword hidden in the index is verified equal to the keyword in the trapdoor. For simplicity, we usually focus on the 'keyword search' part, and omit the security of the encryption and decryption of documents. It is assumed that the encryption of documents is secure. PEKS immediately attracted lots of significant interests. Based on the notion of [5], numerous follow-up works have been proposed to achieve different requirements of keyword search. Boneh and Waters [6] proposed a PEKS construction about multi-keyword search, which is able to support conjunctive keyword search, subset keyword search and range queries. The conjunctive keyword search is widely discussed in [7], [8]. However, on considering the security of trapdoors [9], most PEKS schemes rely on a secure channel to secretly transfer the trapdoor. Baek et al. proposed a secure-channel free PEKS [10] solution to deal with this issue. Some PEKS surveys [10]- [12] aim to compare existing PEKS schemes and show some limitations in this area.
An inherent limitation is the low-entropy of keywords. Byun et al. [13] introduced the off-line keyword guessing attacks which can be referred to as a kind of brute force attacks but is somehow realistic. More precisely, there is an adversary who is able to obtain the hidden keyword of index by testing one by one keyword in the dictionary. Some recent works (i.e., [14]- [16]) tackle the security against off-line keyword guessing attacks and some work for the version of certificateless keyword search [17].
A threat, called Inner Keyword Guessing Attacks [18], [19], is a new security issue about trapdoor privacy. On receiving a trapdoor from a receiver, a malicious server can easily obtain the hidden low-entropy keyword in the trapdoor by keeping making index with different keywords and then executing tests between the index and the trapdoor. This threat is different from the prior attacks as above, and particularly formalize weaknesses from the correlation between index and trapdoor.

A. RELATED WORKS
To deal with the inner keyword guessing attacks, Huang and Li [20] proposed a solution that an extra authentication token of the sender is added into the index. In other words, the index can only be generated by the sender; and the trapdoor has to include the sender's identity or public key as well. The malicious server cannot produce the sender-specified token so that it cannot repeatedly compute the index with various keywords and test alone. However, in this architecture, the index has to be bind with sender's identity, just like a digital signature aside by the index.
Ma et al. [26] considered another solution called witness-based searchable encryption. In this scheme, trapdoor is only valid for ciphertext with a witness relationship; therefore, the malicious server cannot adaptively produce ciphertext to test the trapdoor. Inspired by [26], Liu et al. [27] introduced a new notion called designated-ciphertext searchable encryption. Similar with [26], the trapdoor in this scheme is designated to a ciphertext. Unfortunately, this scheme requires interaction between the sender and the receiver, and may not be applicable in many situations where interaction is not possible.
Chen et al. [18], [19] proposed the first dual-server public key encryption with keyword search (DS-PEKS) to deal with the inner keyword guessing attacks. In a high-level view, the keyword equality testing part is split into two parts operated by two servers so that single malicious server can not run the brute force attack. Informally, there are two non-collusive servers, a front server and a back server, in the new architecture. The front server takes as input a pair of index and trapdoor and executes some computations. Then it outputs an 'internal-testing-stage' (ITS) to the back server who takes ITS as input and outputs the keyword search result. The framework of DS-PEKS scheme is depicted in Fig. 1(b). The keyword search test is accomplished by the corporation of two servers. More details about DS-PEKS could be found in Section II-B and VI.
Assumption 1: No collusion occurs between the front server and the back server. The security is discussed based on the assumption that at most one server is malicious.

B. CONTRIBUTIONS
DS-PEKS schemes might be a solution which replaces existing PEKS schemes to be secure against inner keyword guessing attacks. In this work, further than the preliminay work [21] and two previous works [18], [19], we have two main technical advances (new security definition and construction) in a nutshell, which are briefly summarized as follows.
1) New security models. We advocate that existing security models in DS-PEKS are sort of insufficient. Then, referring to previous PEKS works such as [5], [7], [12], [22], we refine them and provide sounder and stronger security models: the indistinguishability against chosen keyword attacks for malicious front servers (IND-CKA-FS) and malicious back servers (IND-CKA-BS). In addition, we show that the new security notions imply all aspects of security in the previous works. However, the previous security models of Chen et al. [18], [19] involve five different types of adversaries, but our models do only two. A byproduct of the new security notion is to conceptually simplify and strengthen the security analysis. An additional assumption. The only assumption proposed by Chen et al. is insufficient to guarantee the semantic security of DS-PEKS schemes. We proposed another assumption, the limit of trial times, to compensate the security model. 2) A generic construction. We advocate that the previous works [18], [19] are not as secure as they claimed.
One critical flaw of their work is depicted in the Appendix. Besides, we present a new generic construction of DS-PEKS schemes from IND-CCA2 secure PKE schemes. Furthermore, this construction can meet IND-CKA-FS security and IND-CKA-BS security through a series of rigorous security proofs in the standard model.

C. ORGANIZATION
The rest of this article, some preliminaries, and building blocks, and syntax and original security models of DS-PEKS schemes will be introduced in Section II. The refined security models will be described in Section III. A generic construction of DS-PEKS schemes based on IND-CCA2 secure PKE schemes (with its security proof) is presented in Section IV. The concrete instantiation and the comparison are provided in Section V. Finally, we conclude this work in Section VI.

II. PRELIMINARIES AND BUILDING BLOCKS
We define an operator ' $ ← −' as 'randomly chosen from' for further usage; λ represents a secure parameter throughout this work; and a symbol ω denotes the keyword space. Then, several preliminaries and building blocks will be introduced for latter uses. The syntax and original security models of DS-PEKS will be introduced in this section as well.
Definition 1 (Hash Function): A cryptographic hash function is a deterministic function that maps elements from the domain space to the codomain space. A hash function H is called one-way if the following probability Adv OW A,H (λ) is negligible.

Definition 2 (The CDH Assumption):
The computational Deffie-Hellman assumption (CDH) [23] denotes that given three group elements (g, g u , g v ) ∈ G where the order of G is big enough in λ, it is computationally difficult to compute g uv . The CDH assumption is sound if probability Adv CDH A,G (λ) is negligible.

Adv CDH
A,G (λ) Definition 3 (The CONF Assumption): Given four group elements (g, g u , g uv , Z ) ∈ G where Z is randomly picked from G or Z = g v with the same probability (i.e., with the probability 1/2, Z is a random number of G or, with the probability 1/2, Z = g v ). The CONF assumption [23] denotes when the order of G is large enough in λ such that the CDH assumption holds, it is computationally infeasible to distinguish whether Z = g v or not. Let 1 denotes Z = g v and 0 stands for otherwise, the CONF assumption is sound if probability Adv CONF A,G (λ) is negligible.
A public key encryption (PKE) is composed of the following four algorithms.
• Setup(1 λ ): it generates the algebra environment like cyclic groups or bilinear pairing for latter use.
• KG(pp): it probabilistically generates a pair of public key pk and secret key sk.
• Enc(m, pk): it probabilistically encrypts a message m into a ciphertext c using the public key pk.
• Dec(c, sk): it deterministically decrypts the ciphertext c with secret key sk to obtain the message m. The PKE scheme is called indistinguishability against adaptive chosen ciphertext attack (IND-CCA2) secure [24], [25] if any polynomial-time adversary A in the experiment

B. SYNTAX OF DS-PEKS
We firstly revisit the framework of DS-PEKS defined in Chen et al.'s works [18], [19]. Let Setup, KeyGen, BuildIndex, Trapdoor, FrontTest, BackTest denote a DS-PEKS scheme, it is formalized below. Among these six algorithms, only the BackTest is a deterministic algorithm that outputs 1 for tested match or 0 for mismatch. Other five algorithms are probabilistic algorithms that takes random numbers into computation.
• Setup(1 λ ): Take a secure parameter λ as input, this algorithm generates a series of public parameters pp.
• KeyGen(pp): On input pp, this algorithm generates two pairs of public/secret keys (pk FS , sk FS ) and (pk BS , sk BS ) for front server and back server, respectively.
• BuildIndex(pp, w, pk FS , pk BS ): Anyone can build an index corresponding to a keyword w using both public keys of the front server and the back server. The algorithm outputs an index c w at the end.
• Trapdoor(pp, w 0 , pk FS , pk BS ): Anyone is able to generate a trapdoor t w of a keyword w using two servers' public keys.
• FrontTest(pp, c w , t w , sk FS ): On receiving an index c w and a trapdoor t w , the front server computes an 'internal testing-state' ITS using its private key sk FS . Then it sends ITS to the back server. VOLUME 8, 2020 • BackTest(pp, ITS, sk BS ): After receiving ITS, the back server executes a deterministic back test using its private key sk BS . It outputs 1 if w = w or 0 otherwise. Comparison with tradictional PEKS: Compared to original PEKS schemes with single server (Setup, KeyGen, BuildIndex, Trapdoor, Test) such as [5], [7], [12], [22], two key differences of the newly defined DS-PEKS architecture are observed here.
1) Algorithm Test is replaced by two algorithms: FrontTest and BackTest. The test server who is responsible for the Test operation has been divided into two servers, i.e. the front server FS and the back server BS. 2) Algorithm Trapdoor becomes publicly computable in the DS-PEKS framework, which differs from the setting in the singleserver PEKS setting that the trapdoor, as a search request, can only be requested by the corresponding secret key owner. Both two modifications above are designed on the purpose against the inner keyword-guessing attack. As mentioned in Section I, most single-server PEKS schemes cannot be semantic secure owing to the inner keyword-guessing attack. Together with the assumption that at least one server in this system is honest and uncompromised; then, in this scenarion, the probability of the inner keyword-guessing attck is expected eliminated to negligible.

C. CHEN ET AL.'s SECURITY NOTIONS
Interestingly, in the original single-server public key encryption with keyword search schemes [5], [7], [12], [22], they discuss the chosen keyword attacks against malicious users. However, in DS-PEKS scheme, the notions of security is discussed against malicious front / back servers (inner adversaries).
When it comes to the discussion about which role does the adversary plays, it could be an outside attacker who has no additional ability; or it could be one of two servers. Obviously, the latter one owns absolutely greater power than the former one; besides, the security against one of two servers implies the security against outside attackers so that the discussion only focuses on the senario that the adversary plays one malicious server out of two servers, which the other server is uncompromised.
The security issues in Chen et al.'s works [18], [19] concerns three parts (described in Privacy on considering both index and trapdoor: The security model IND-KGA-II concerns the security on input an index and a trapdoor, which is formally described in Fig. 2. Informally speaking, the simulator randomly picks (b 1 , b 2 ) $ ← − {0, 1} and computes c w b1 and t w b2 after the adversary outputs three keywords (w 0 , w 1 , w 2 ), (w 0 = w 1 = w 2 ). The adversary terminates the game by outputting a guess is not necessary, the adversary also wins when (b 1 Worth noting that no oracle access is available in the IND-KGA-II model. On the other hand, it only defines the security against malicious back servers.

III. REFINEMENTS OF SECURITY NOTIONS
In this section, we firstly analyze the security models defined by Chen et al. and indicate some points with respect to the soundness and strength. Then, we introduce our refinements of the security models which are more realistic and can imply previous ones. In particular, there is a byproduct of our refined models (but technically useful) that essentially simply the procedure of the security analysis.

A. ANALYSIS OF EXISTING SECURITY MODELS
In a high-level view, the security models are designed to prevent the front server or the back server to individually distinguish the keyword hidden in the index or trapdoor. For those existing security models, we argue that existing security models are not sound and strong enough, where sound means 'close to the DS-PEKS syntax'. 1) In terms of soundness, we firstly recall the syntax of DS-PEKS schemes that the front server inputs an index and a trapdoor as well as outputs ITS; and the back server inputs ITS as well as outputs 1 for verified match or 0 otherwise. The front server is responsible to generate an ITS, and the back server outputs the equivalence, while none of them should be able to distinguish the keywords. a) For the front server, the SS-CKA security and IND-KGA security denote the 'keyword indistinguishability' on seeing a single index or a single trapdoor, respectively. However, the front server inputs them in the same time. An ideal condition is that the front server generates the corresponding ITS without acquiring any knowledge from the input index and trapdoor. b) For the back server, despite the fact that the back server might not access the index and trapdoor directly, it might eavesdrop the index and trapdoor from the public network. Furthermore, ITS is a part of input in the BackTest algorithm, which gives the back server more power and opportunity to distinguish the keywords than the front server. In an ideal situation, on input the index, the trapdoor and the ITS, the back server should output the equivalence without learning anything else. c) For oracle accesses, take O T 1 (·, ·) in experiment SS-CKA for example, it takes as input a keyword w and an index c w , computes t w ← Trapdoor(pp, w , pk FS , pk BS ) and outputs the equivalence between w and w . The oracle plays both the front server party and the back server party (FrontTest(pp, c w , t w , sk FS ) and BackTest(pp, ITS, sk BS )). However, the adversary in experiment SS-CKA has its own capability to execute one of FrontTest or BackTest. First, half of the 'two-server help' provided by oracle there might be some helpful information hidden in the ITS, but ITS is absolutely unavailable in this kind of oracle accesses. To summarize, the oracle O T 1 (·, ·) in experiment SS-CKA is redundant, and it might weaken the probability of winning experiment SS-CKA. The similar problem occurs with the oracle O T 2 (·, ·) in experiment IND-KGA. 2) In terms of strength, the original 'chosen keyword attack' defined in [5] is an adaptive security with oracle accesses, which is similar to the IND-CCA2 security for PKE schemes. However, the IND-KGA-II model in Chen et al.'s works do not provide oracle accesses to adversaries. In other words, the IND-KGA-II security for DS-PEKS schemes is similar to the IND-CPA security for PKE schemes, which is not an adaptive security. We advocate that the security models of DS-PEKS schemes can be sounder and stronger. In the following section, we propose two conceptually realistic security definitions to conquer all aforementioned issues.

B. CONCEPTUALLY REALISTIC SECURITY DEFINITIONS
Recall the security notions shown in Section II-C. Apparently, the inputs and outputs are different between the front server and the back server. Hence, unlike the previous works that categorize security models based on index and trapdoor, we define the indistinguishability against chosen keyword attacks for front server (IND-CKA-FS), as well as for back server (IND-CKA-BS) in Fig. 3. Informally, IND-CKA-FS can be regarded as the combinational version of SS-CKA and IND-KGA (against malicious front server), whose challenge including the index and trapdoor at the same time. In addition, the oracle access O BT (·) is answered by the simulator who plays the back server role in the DS-PEKS scheme. We emphasize that the newly defined IND-CKA-FS security not only implies the SS-CKA security and the IND-KGA security but also achieves higher security level than them because of following reasons: 1) Adversary's key pair is chosen and fully controlled by itself, which is unknown to the simulator. 2) The oracle access is sounder in the DS-PEKS architecture without losing its help to the adversary. Restriction. An important restriction is worthy to be emphasized that the ITS generated from FrontTest(c w b , ·) or FrontTest(·, t w b ), the simulator need to recognize, is forbidden to be queried to oracle O BT (·). In our opinion, the simulator should be able to identify above situation if the DS-PEKS scheme is IND-CKA-FS security. Assumption 2: The trial time limit. For both servers, a specific index can be requested to test only in a limited times; e.x. 3 trials in 1 minute. It is not in Chen et al.'s works; nevertheless, it is one of the key points to guarantee the semantic security.
Definition 5: The indistinguishability of chosen keyword attack against malicious back servers, IND-CKA-BS.
In principle, the back server in the DS-PEKS syntax is expected to tell the equivalence of keywords between the index side and the trapdoor side (with the aid of front server), rather than being able to distinguish the keywords on both sides. Owing to this principle, the experiment IND-CKA-BS is different from 'common indistinguishability experiments' that distinguish the chosen input from the challenge.
The newly proposed IND-CKA-BS model can be seen as a upgraded IND-KGA-II model which integrates the SS-CKA security and the IND-KGA security (against malicious back server); and IND-CKA-BS implies all of them. Roughly, the adversary has to output a correct b 1 for index security (SS-CKA), and relatively, a correct b 2 denotes for trapdoor security (IND-KGA) at the same time. Since the adversary who plays the back server role has capability to verify the equivalence of keywords between the index side and the trapdoor side on input the challenge ITS, recognizing the keyword of index (w b 1 ) implies knowing the keyword of trapdoor (w b 2 ), and vice versa. The IND-CKA-BS takes all previous security models into an overall consideration. Compared to previous security models, it is sounder and higher-level security due to the following reasons: 1) Adversary's key pair is chosen and fully controlled by itself, which is unknown to the simulator. 2) The oracle access is sounder in the DS-PEKS architecture without losing its help to the adversary. That is, the oracle access in IND-CKA-BS provides the same assistant as those in SS-CKA and IND-KGA. 3) For the challenge of the IND-CKA-BS model, the index, trapdoor and ITS are jointly considered to discuss their security, which is sounder in the DS-PEKS syntax.

C. REDUCTIONS AMONG SECURITY MODELS
Now we give proofs of our claims in which the refined security models can imply the previous ones shown in Section II-C. Proof 1: The reduction is illustrated in Fig. 4. Some different settings which differ from different experiment are explained below.

IV. GENERIC CONSTRUCTION FROM IND-CCA2 SECURE PUBLIC KEY ENCRYPTION
In this section, we take IND-CCA2 secure PKE schemes like Cramer and Shoup's schemes [24], [25] as a building block to construct a DS-PEKS scheme. Let (Setup cca , KG cca , Enc, Dec) be an IND-CCA2 secure PKE scheme with public parameters pp cca ← Setup cca (1 λ ) which including a multiplicative cyclic group G, a prime order q and a generator g. The keyword space W is a small subgroup of Z * q .
• Setup(1 λ ): The algorithm randomly selects h $ ← − G and a one-way hash function H : G → {0, 1} λ . The discrete logarithm problem of h over base g is unknown. Then, it outputs pp ← {pp cca , h, H }.
• KeyGen(pp): The front server picks x $ ← − Z * q as private key sk FS and publishes its public key pk FS = X where X ← g x . The back server generates its key pair by computing (pk BS , sk BS ) ← KG cca (pp cca ).

A. SECURITY PROOF
We first recall the definition of IND-CCA2, which is shown as the experiment Figure 3. The IND-CCA2 security is guaranteed if no polynomial-time adversary can obtain a non-negligible advanced probability Proof 3: In the experiment, S plays two roles: the first one is a challenger (who takes advantage of A) to challenge the IND-CCA2 experiment for the applied PKE schemes; and the second one is the back server and oracle responser in the IND-CKA-FS experiment. As an challenger, the simulator first receives pp cca and pk BS from the IND-CCA2 experiment. It picks h $ ← − G and H and delivers pp, pk BS to the adversary where pp ← {pp cca , h, H } as the beginning of the IND-CKA-FS experiment. The formal description about interactions and oracle accesses between the simulator and the adversary are depicted in Fig. 6.
The challenged index (c [1] , c [2] ) ← c w b and trapdoor (t [1] , t [2] ) ← t w b are in the similar form. For both possible w ∈ {w 0 , w 1 }, there exists numbers r, r ∈ Z * q that satisfies c [1] = g r h w or t [1] = g r h −w , respectively. In other words, the information of w d is perfectly hidden by g r and g r unless the adversary can distinguish g r or g r from ciphertext c [2] or t [2] . The indistinguishability between w 0 and w 1 is determined through the distinguishability of g r (or g r ) from the ciphertext because X r (or X r ) might be encrypted as c [2] (or t [2] ), and X = g x where x is the private key only known by the adversary. Two scenarios are discussed below depends on the relationship between b and d.
• Case 1: b = d which occurs with half probability.
In the true statement, c w b and t w b are a legal index and a legal trapdoor. As aforementioned, to distinguish the keyword w d , it is necessary to distinguish at least one plaintext from c [2] or t [2] , which definitely breaks their IND-CCA security. The advanced probability of case 1 is estimated as 2Adv IND−CCA2

A,PKE
(λ) since the adversary can easily distinguish w d if any one of those two ciphertext is distinguishable. (λ) since the adversary distinguishes Enc(m 1−d , pk BS ) from Enc(X r , pk BS ) in an IND-CCA2 secure encryption.
-In case A didn't recognize the illegal challenge c w b . The keyword w d is perfectly hidden in c w b because no information about the randomness r is available from c [2] . On the contrary, t w b remains a legal trapdoor so that the adversary has advanced probability Adv IND−CCA2

A,PKE
(λ) to distinguish w d from t [2] , which makes the adversary be more willing to output a wrong guess b = d = b. To summarize, the adversary is estimated with −Adv IND−CCA2 As a result, the probability that the simulator breaks the IND-CCA2 security in case 2 is estimated as 1/2. In an overall review, the probability that S output b * = b which denotes the correct choice of the IND-CCA2 game is calculated as following.

V. CONCRETE INSTANTIATION AND COMPARISON
In this section we first give a concrete instantiation by adopting Cramer and Shoup's IND-CCA2 secure public key encryption scheme. Then, we compare our instantiation with Chen et al.'s DS-PEKS [19].

A. CONCRETE INSTANTIATION
The following we describe how to obtain an instantiation using Cramer and Shoup's encryption scheme [24].
-Choose a cyclic group G of prime order q, with two generators g 1 , g 2 , and select h ← G. -Choose two secure hash functions • KeyGen(pp): This algorithm runs as follows.
-Output front server and back server's key pair sk FS = x, pk FS = X , pk BS = (h, c, d), sk BS = (s, a, b, a , b ).
• FrontTest(pp, c w , t w , sk FS ): This algorithm runs as follows.

B. COMPARISON
Let |G| denote the bit size of an element in group G. Let T Exp , T H , and T Mul represent the modular exponentiation over point operation, multiplication over point operation, and hash-to-point operation, respectively.   generation, and testing, are shown in Fig. 7, Fig. 8, and Fig 9, respectively. According to the results in Fig. 7 and Fig. 8, although our instantiation requires more operations, the actual operation time varies little. When the number of searching keywords is 50, our instantiation and Chen et al's scheme takes about 4.22035 seconds and 3.80395 seconds respectively to process ciphertext generation and trapdoor generation. Additionally, according to the results in Fig. 9, when the number of searching keywords is 50, our instantiation and Chen et al's scheme takes about 1.46015 seconds and 1.45685 seconds respectively to process testing. Therefore, the results show that with a little more computing time, our instntiation can achieve more robust securities.   [19].

VI. CONCLUSION
The inner keyword guessing attacks threat the semantic security of most traditional PEKS schemes. For this issue, Chen et al. proposed the first DS-PEKS scheme as a solution which separates the testing server into two servers to resist the threat. However, their security models can be significantly enhanced which are discussed in Section III; meanwhile, their works are found not as secure as they claimed. Following, we propose new security models and new general constructions for DS-PEKS schemes. For the security notions, the indistinguishability against chosen keyword attacks models, IND-CKA-FS and IND-CKA-BS, are proposed to regulate the security against malicious front servers and back servers, respectively. Moreover, the newly proposed two security models imply all five previous models, which are even sounder and stronger. In brief, they adopted a variant linear and homomorphic smooth projective hash function (LH-SPHF) to build a DS-PEKS scheme, which is summarized as follows: Let H be a cryptographic hash function and is an operator among some group elements; hk denotes the hash key (like a secret key) and hp stands for the hash projective key (like a public key) in the SPHF system. In the SPHF computation, for all randomness W (in some language L) and its witness wt, ProjHash(hp, W , wt) = Hash(hk, W ).
The sender picks a randomness W 1 with its witness wt 1 to build an index (W 1 , C 1 ) for his selected keywords w using the public key of the front server (hp FS ) and the back server (hp BS ), respectively.
Flaws. We claim that Chen et al.'s schemes are neither SS-CKA security nor IND-KGA security, which implies they are neither IND-CKA-FS security nor IND-CKA-BS security. Take the SS-CKA security against malicious front servers for example, the attack even does not rely on the knowledge of the back server's secret key. In the SS-CKA experiment, after the adversary outputs (w 0 , w 1 ) and receives a challenge index (W 1 , C 1 )=BuildIndex(w b , hp FS , hp BS ), b ∈ {0, 1}, the adversary randomly picks a witnessŵ and computesŴ ←ŵ•W 1 andĈ ←ŵ•C 1 . Then, b can be easily obtained by sending a query ((Ŵ ,Ĉ), w 1 ) to oracle O T 1 . The same problem also happens with the SS-CKA security against malicious back servers, and the IND-KGA security against malicious front servers and back servers. The linear property of LH-SPHF eliminates the its adaptively secure. The same problem will not occur in our new proposed generic construction because any tampered index or trapdoor will be detected and rejected by the simulator.
RAYLIN TSO is currently the Head of the Department of Computer Science, National Chengchi University, Taiwan. His research interests include cryptography, information, and network security.
KAIBIN HUANG is currently a Researcher with the Department of Computer Science, National Chengchi University, Taiwan. His research interests include public key cryptography and computation over ciphertext like equality test and keyword search.
YU-CHI CHEN is currently an Associate Professor with the Department of Computer Science and Engineering, Yuan Ze University, Taiwan. His research interests include information security and block chain. VOLUME