Trapdoor Privacy in Public Key Encryption With Keyword Search: A Review

The public key encryption with keyword search (PEKS) scheme allows a server to perform searches over ciphertext in a public-key setting. The PEKS scheme suffers from a major drawback, the keyword guessing attack. A keyword guessing attack (KGA) allows the attacker to successfully guess the correct keyword encrypted in a searchable ciphertext and trapdoor. To overcome this vulnerability, security notions such as keyword privacy and trapdoor privacy were introduced. Keyword privacy prevents any information from leaking from the keyword itself, and similarly trapdoor privacy prevents any information from leaking from the trapdoor side. A PEKS scheme that is secure against KGA should satisfy trapdoor privacy. In this paper, we compare various types of PEKS schemes in terms of their underlying computational hardness, system model, search function, security properties of keyword privacy and trapdoor privacy, and security against offline KGA and online KGA. From the comparison analysis, we highlight that trapdoor privacy and keyword privacy are essential for a PEKS scheme to be secure against KGA. Lastly, we draw some potential research directions.


I. INTRODUCTION
With the increasing number of information technology devices on the internet, the amount of data that must be maintained has dramatically increased over the years. One option to resolve this issue is to use cloud storage technology, outsourcing data storage to a cloud server and retrieving the data from the cloud when needed. Storing the data in plaintext would put the confidentiality of the data owner at risk, but storing the data in encrypted form poses a significant problem when searching for data on the cloud.
To overcome this challenge, the searchable encryption (SE) scheme was introduced by [1] to search over encrypted data. A searchable encryption scheme allows a server to search for the data in the encrypted form on behalf of a client without learning any information about the plaintext data and thus, with the smallest possible loss of data confidentiality [2]. Figure 1 shows the general structure of the searchable encryption scheme. It consists of three main entities: data owner, data user, and cloud server.
The associate editor coordinating the review of this manuscript and approving it for publication was Zhipeng Cai.
Data owner: the one who encrypts the data and index before uploading to the cloud server.
Data user: the one who generates the trapdoor to enable the server to search over the encrypted data.
Cloud server: the server stores the encrypted data and helps to perform searching operations on the cloud using the trapdoor.
There are two types of searchable encryption scheme.

1) Symmetric searchable encryption (SSE)
In the SSE scheme, the data is encrypted with the user's secret key before outsourcing. The first SSE scheme was proposed by Song et al. [1]. The advantage of this scheme is its efficiency because the SSE scheme is based on symmetric primitives; thus, it requires less computational overhead. The disadvantage of this scheme is that its functionality is usually applicable only to a single-user scenario.

2) Public Key Encryption with Keyword Search (PEKS)
In the PEKS scheme, the data is encrypted with the user's public key before outsourcing. The first PEKS scheme was proposed by Boneh et al. [3]. The advantage of this scheme is its functionality, because it can be used in a multiuser setting. However, this scheme exhibits low efficiency. According to Kamara and Lauter [4], most of the PEKS schemes require the evaluation of pairings on elliptic curves, which is relatively slow. Current research focuses on improving the security and practicality of the PEKS scheme before deploying it in real-world applications. A keyword guessing attack (KGA) allows the attacker to successfully guess the correct keyword encrypted in a searchable ciphertext and trapdoor. To overcome this vulnerability, security notions such as keyword privacy and trapdoor privacy were introduced. Keyword privacy prevents any information from leaking from the keyword itself, and similarly trapdoor privacy prevents any information from leaking from the trapdoor side. Trapdoor privacy is an important property that needs to be satisfied by a PEKS scheme so that it is secure against keyword guessing attack.
In this paper, our survey is mainly focused on the trapdoor privacy of various types of PEKS schemes. First, we provide a summary on the development of PEKS schemes. We then introduce the property of trapdoor privacy followed by a comparison analysis on various PEKS schemes in terms of their underlying tools, computational hardness, system model, search function, security properties of keyword privacy and trapdoor privacy, and the security against offline KGA and online KGA. Subsequently, we outline some potential research directions for the PEKS scheme and conclude this review.

A. KEYWORD GUESSING ATTACK
A keyword guessing attack or KGA is the greatest vulnerability suffered by the PEKS scheme. This attack exploits the property of low entropy in the keyword space and allows the attacker to correctly guess the keyword encrypted in the given trapdoor. This attack can be categorised into two types, namely, offline keyword guessing attack and online keyword guessing attack.
Offline keyword guessing attack consists of two types of attackers, namely, outsider attacker and insider attacker.
An outsider attacker is a malicious party that is not related to the service provider. They can eavesdrop on the public channel between the server and receiver to obtain a trapdoor transmitted over the public channel. An insider attacker usually refers to a malicious server that can obtain the trapdoor from any receiver. Both outsider and insider attackers can obtain the keyword ciphertext and the trapdoor, and the only difference between them is that the outsider attacker cannot perform the test algorithm (in the case of the dPEKS scheme), while the insider attacker can perform the test algorithm which makes it difficult to resist the insider attacker.
Online KGA only occurs for an outsider attacker. Instead of running the test algorithm, the attacker uploads the specially crafted ciphertext of the chosen keyword to the server and eavesdrops on the channel until the crafted ciphertext is queried by a receiver. Then the attacker will be able to guess the correct keyword for the corresponding trapdoor.
Byun et al. [5] first pointed out the vulnerability of offline KGA in the PEKS scheme and showed that the previously proposed schemes [3], [6] [8] are all susceptible to offline KGA. Jeong et al. [9] showed that it is impossible to construct a secure and consistent PEKS scheme against KGA when the number of possible keywords is bounded by a polynomial. Yau et al. [10] presented an online KGA by an outsider attacker on previous dPEKS schemes. They demonstrated their proposed attack on Rhee et al.'s [11] scheme and claimed that their attack is generic and can be applied to all existing dPEKS schemes.

II. PUBLIC KEY ENCRYPTION WITH KEYWORD SEARCH
The first type of searchable encryption construction SSE is based on symmetric encryption, where only a secret key is involved in the encryption and decryption processes. Owing to the nature of symmetric encryption, it is not favourable for multiuser settings, and it has a secret key distribution issue. To resolve the problem of SSE, public key encryption with keyword search was subsequently introduced. The construction is based on asymmetric encryption, where a pair of public and private keys is involved in the encryption and decryption processes, which is suitable for multiuser settings. Figure 2 illustrates the structure of the PEKS scheme.
A PEKS scheme mainly consists of four polynomial time randomised algorithms [3]:
1) KeyGen($s$): this is a key generation algorithm that is run by a data receiver. This algorithm takes in a security parameter $s$, and outputs a public key $A_{pub}$ and private key $A_{priv}$.
2) PEKS($A_{pub}$, $W$): this is an encryption algorithm that is run by a data sender. It takes in the data receiver's public key $A_{pub}$ and a keyword $W$ and outputs a keyword ciphertext $S$ of $W$.
3) Trapdoor($A_{priv}$, $W$): this is a keyword trapdoor generation algorithm that is run by the data receiver.
Table 1 shows a list of abbreviations used for the PEKS scheme.
The first PEKS scheme introduced by Boneh et al. [3] was based on a public key cryptosystem using bilinear pairings. Their scheme was transformed from the identity-based encryption scheme proposed by Boneh and Franklin [12]. A generic PEKS scheme takes in a keyword and a public key to generate keyword ciphertext by running the PEKS algorithm. The keyword ciphertext is stored on a cloud server. The receiver generates a trapdoor by running the Trapdoor algorithm, using a private key and the desired keyword as the input. The trapdoor is sent to the cloud server to run the Test algorithm for searching. Abdalla et al. [13] improved the definition of the PEKS scheme and showed that Boneh et al.'s [3] scheme is computationally consistent. They also provided a transformation technique that can construct a secure PEKS scheme that guarantees consistency from an anonymous identity-based encryption scheme. Gu et al. [14] proposed a PEKS scheme that is more efficient than Boneh et al.'s scheme by removing the pairing operation in the encryption procedure. Sun et al. [15] improved Boneh et al.'s [3] PEKS scheme to be secure against insider keyword guessing attack by using the signcryption algorithm in the generation of searchable ciphertext. Zhang et al. [16] proposed a PEKS scheme that achieved trapdoor privacy in the random oracle model and logarithmic time pairing free searching over encrypted data.
Baek et al. [8] first noticed that the PEKS scheme proposed by Boneh et al. [3] required a secure channel for communication. They also mentioned that building a secure channel is usually expensive, which may be unsuitable for some applications. In order to solve this problem, they introduced an improved PEKS scheme that eliminated the secure channel, which is called secure channel free public key encryption with keyword search (SCF-PEKS). Rhee et al. [11] noted that the security model of the scheme proposed by Baek et al. [8] limited the ability of an adversary to capture the attacks in a real-world environment. They improved the security model of Baek et al. [8] and proposed a new PEKS scheme called searchable public key encryption with designated tester (dPEKS). SCF-PEKS or dPEKS is a variant of the PEKS scheme that has the advantage of allowing only a designated server to run the Test algorithm, and the trapdoor can be transmitted over a public channel. The SCF-PEKS or dPEKS scheme requires an additional server public key to generate the keyword ciphertext and trapdoor. The server private key is also used as an input to run the Test algorithm. The disadvantage of this variant of the PEKS scheme is that it is vulnerable to offline KGA from an insider attacker.
Fang et al. [17] noted that all previous SCF-PEKS schemes are proven secure in the random oracle model, which may lead to an insecure scheme when the random oracles are implemented in real life. To resolve this issue, they presented an efficient SCF-PEKS scheme that is proven secure in the standard model. Rhee et al. [18] first proposed the concept of trapdoor indistinguishability and showed that this property is sufficient to resist offline outsider keyword guessing attack. They also proposed the first dPEKS scheme that is secure against offline keyword guessing attack and proved that their scheme satisfied ciphertext indistinguishability and trapdoor indistinguishability. Wang et al. [19] later noted that Rhee et al.'s [18] scheme was still vulnerable to offline keyword guessing attack in its test phase. Wang et al. [19] later improved Rhee et al.'s [18] scheme by adding a random parameter in the test phase to make the scheme secure against offline keyword guessing attack from both outsider and insider attackers.
Rhee et al. [20] presented two generic transformations to construct a dPEKS scheme from an identity-based encryption scheme. They also claimed that the anonymity and confidentiality properties in an identity-based encryption scheme were sufficient to achieve consistency and confidentiality in a dPEKS scheme. Zhao et al. [21] proposed a new SCF-PEKS scheme that guaranteed trapdoor indistinguishability and performed better than the previous SCF-PEKS scheme. Yau et al. [22] proposed new security models that captured keyword guessing attack in the PEKS scheme and the dPEKS scheme. They also claimed that their proposed security models achieved a stronger keyword guessing notion as compared to Rhee et al.'s [18] security models. Fang et al. [23] introduced the notions of security against chosen keyword and chosen ciphertext attack (IND-SCF-CKCA) and keyword guessing attack (IND-KGA) for the SCF-PEKS scheme. They later proposed an SCF-PEKS scheme in the standard model that is IND-SCF-CKCA and IND-KGA secure. Guo and Yau [24] proposed an efficient SCF-PEKS scheme that is proven secure against chosen keyword, chosen ciphertext, and keyword guessing attack in the standard model. They also claimed that their scheme was more efficient than previously proposed SCF-PEKS schemes.
The SPEKS scheme is similar to the usual dPEKS scheme but with additional encryption and decryption processes after the server performs the Test algorithm. In the SPEKS scheme, after the server identifies the matching keyword, it encrypts the keyword-matching data by using the receiver's public key. After the receiver receives the encrypted data, he/she runs the decryption algorithm to retrieve the plaintext data. The advantage of this scheme is that it is secure against online KGA because of the additional encryption process, which is also the disadvantage because it causes the scheme to be inefficient.
Chen [25] proposed secure server-designation public key encryption with keyword search (SPEKS) to solve the problem faced by the dPEKS scheme due to an online keyword guessing attack. Emura et al. [26] presented two generic constructions of the adaptive SCF-PEKS scheme from an anonymous identity-based encryption scheme. They used a hybrid encryption technique called key encapsulation mechanism (KEM) and data encapsulation mechanism (DEM) framework for their generic construction.
Meanwhile, Park et al. [6] noticed that the PEKS scheme proposed by Boneh et al. [3] was limited by the number of keywords being searched in a single query. Thus, they introduced the notion of public key encryption with conjunctive field keyword search (PECKS). The difference between PECKS and PEKS is the number of keywords they can process. In PECKS keyword ciphertext generation, a group of keywords is used as the input, whereas PEKS uses only a single keyword. Similarly, in the trapdoor generation, a group of keywords is used as the input. In the Test algorithm, the PECKS tests a group of keywords together in a single query. Their scheme was further improved to a multiuser setting by Hwang and Lee [27]. Xu et al. [28] proposed a public key encryption with fuzzy keyword search scheme (PEFKS) that was transformed from an anonymous identity-based encryption scheme. The PEFKS scheme allows fuzzy search operations to be performed, unlike the normal PEKS scheme that only performs exact search operations. In the PEFKS scheme, the generated trapdoor consists of two parts, the exact test trapdoor and the fuzzy test trapdoor. The Test algorithm of the PEFKS scheme also consists of two parts, an exact test and a fuzzy test. The exact test uses the exact trapdoor to generate exact results, whereas the fuzzy test uses the fuzzy trapdoor to generate fuzzy results. Hwang et al. [29] proposed an efficient PEFKS scheme that is secure channel free and secure against offline keyword guessing attack in the standard model. Lu et al. [30] showed that Hwang et al.'s [29] scheme was vulnerable to keyword guessing attack.
The k-resilient PEKS scheme is the first proposed PEKS scheme without bilinear pairing, and its security has been proven in the standard model. The advantage of this scheme is that it is more efficient than the other pairing based PEKS schemes. Khader [31] first proposed a k-resilient PEKS scheme based on the k-resilient identity-based encryption (k-resilient IBE) proposed by Heng and Kurosawa [32] in the standard model. Yang et al. [33] claimed that Khader's [31] proposed scheme did not satisfy the functionality required for the PEKS scheme. They later proposed an improvement of Khader's [31] scheme that fulfilled computational consistency and improved efficiency. Tang [34] proposed an interactive PEKS scheme to address the trapdoor vulnerability in Boneh et al.'s [3] scheme. Their interactive PEKS scheme required both the sender and receiver to interactively generate a trapdoor. Shao et al. [35] proposed the concept of proxy re-encryption with keyword search (PRES) with keyword privacy secure in the random oracle model. Yau et al. [36] also proposed a concept of searchable proxy re-encryption scheme (Re-PEKS) and proved their scheme secure in the random oracle model. Re-PEKS integrates a proxy re-encryption scheme with the PEKS scheme. It can translate a keyword ciphertext encrypted from a public key into a different public key without learning any information. The main difference between Yau et al.'s scheme and Shao et al.'s scheme lies in the structure of the scheme. Yau et al. [36] extended the original PEKS structure by adding a re-encryption key generation and keyword ciphertext algorithm. This means that the proposed scheme is more flexible in terms of the selection of different standard proxy re-encryption techniques to be used in the Re-PEKS scheme.
Chen et al. [37] proposed a new PEKS framework called dual-server public key encryption with keyword search (DS-PEKS) scheme. They proved that their scheme could withstand an offline keyword guessing attack if the two servers did not collude. In the DS-PEKS scheme, there are two servers running the Test algorithm. In keyword ciphertext and trapdoor generation, the public keys of both servers are required to execute the algorithms. The DS-PEKS Test algorithm is divided into FrontTest and BackTest. The FrontTest is first run by the front server to produce an internal testing state, which later serves as an input for the back server to run the BackTest to output the actual test result. The advantage of this scheme is that it is secure against offline KGA, but it relies on two servers, which makes it inefficient. Chen et al. [38] also pointed out that the DS-PEKS scheme proposed by Chen et al. [37] suffers from inefficiency because the keyword search process is handled by two servers separately. They later proposed a new PEKS system named server-aided public key encryption with keyword search (SA-PEKS), which is more practical and secure against offline insider keyword guessing attack. In SA-PEKS, an additional server (keyword server) is responsible for preprocessing the keyword before it is encrypted into a keyword ciphertext or trapdoor. The sender and receiver are required to run an interactive protocol with the keyword server to obtain the preprocessed keyword. This provides an authentication mechanism. This allows the DS-PEKS scheme to be secure against offline KGA from an insider attacker, but the disadvantage is that the scheme is inefficient because it requires the sender and receiver to interactively run a protocol to generate the keyword ciphertext and trapdoor.
The PAEKS scheme offers authentication because it uses a sender key pair. In PAEKS, the sender's private key and receiver's public key are used to produce the keyword ciphertext. The sender's public key and receiver's private key are later used to generate the trapdoor. In the Test algorithm, both parties' public keys are required along with a trapdoor and a keyword ciphertext. In this setting, it is impossible for any third party to generate a valid keyword ciphertext. Thus, the advantage of this scheme is that it can be secure against offline KGA from an insider attacker. Huang and Li [39] proposed the notion of public key authenticated encryption with keyword search (PAEKS) to solve the problem of insider keyword guessing attack. Their proposed scheme requires a sender to authenticate the encrypted keyword uploaded to the cloud server. Qin et al. [40] revisited Huang and Li's [39] PAEKS scheme. They mentioned that the security model of the PAEKS scheme proposed by Huang and Li [39] did not capture the outsider chosen multi-ciphertext attack. To solve this problem, they proposed a new security model that captured outsider chosen multi-ciphertext attack and insider keyword guessing attack. Miao et al. [41] proposed a verifiable PEKS scheme to address the issue of inaccurate search results from the cloud server. Their proposed scheme achieves trapdoor privacy and is secure against insider keyword guessing attack. They also extended their work to multi-keyword search and record dynamic updates. Figure 3 shows a summary of the development of PEKS schemes and the limitations they aim to overcome.

B. KEYWORD PRIVACY
Keyword privacy was first defined by Boneh et al. [3] where the adversary should not be able to distinguish between two ciphertexts of keywords $W_0$ and $W_1$, respectively, under the condition that no trapdoors are obtained for the respective keywords. Boneh et al. [3] defined a game between an attacker and a challenger to show that the PEKS scheme achieves indistinguishability against chosen keyword attack (IND-CKA).
A PEKS IND-CKA game is defined as follows:
1) The challenger first runs the KeyGen($s$) algorithm to generate public key $A_{pub}$ and private key $A_{priv}$. Public key $A_{pub}$ is given to the attacker.
2) The attacker can adaptively query for the trapdoor $T_W$ for any keyword $W$ of his/her choice from the challenger.
3) When the attacker is ready, he/she will send two words $W_0$ and $W_1$ that he/she wishes to be challenged on to the challenger. The words chosen by the attacker should not have been queried for a trapdoor previously. The challenger chooses a random $b$ and sends a ciphertext $C = \mathrm{PEKS}(A_{pub}, W_b)$ to the attacker.
4) The attacker can continue to query for trapdoor $T_W$ for any keyword $W$, except for the challenge keywords $W_0$ and $W_1$.
5) The attacker wins the game if he/she guesses the correct random $b$.

C. TRAPDOOR PRIVACY
Keyword privacy guarantees that no information about the keyword should be leaked from the searchable ciphertext of the PEKS scheme. This property was satisfied by almost all the PEKS schemes. However, Rhee et al. [18] found that the security of the trapdoor is also significant for constructing a PEKS scheme that is secure against keyword guessing attack. Trapdoor privacy ensures that no information about the keyword is leaked from the trapdoor, and Rhee et al. [18] proposed the notion of trapdoor indistinguishability to capture this issue.
The notion of trapdoor indistinguishability should not allow an outsider attacker to distinguish between the trapdoor of two challenge keywords of its choice, under the situation that it is allowed to obtain trapdoors for any non-challenge keywords.
Nishioka [42] also proposed a security notion to address trapdoor privacy, which they called perfect keyword privacy (PKP) and search pattern privacy (SPP). This notion was later formalised by Arriaga et al. [43] and is called weak key unlinkability. They also showed that weak key unlinkability failed to hide the search patterns when more than two trapdoors were queried. They later proposed a stronger notion called strong key unlinkability to overcome this deficiency. Their strong key unlinkability notion allows the adversary to query multiple trapdoors and protects the search pattern at the same time.
With a keyword guessing attack as the main challenge for the PEKS scheme, the security of the trapdoor also needs to be considered. In a PEKS scheme, the searchable keyword and trapdoor are transmitted over the network, which makes them vulnerable points of attack. Thus, keyword privacy alone is insufficient for constructing a secure PEKS scheme because it only protects the privacy from the sender side. For a PEKS scheme to be secure against an offline keyword guessing attack from an outsider attacker, the minimum requirement is to satisfy keyword privacy and trapdoor privacy, which protects the privacy from both the sender and the receiver side. In the literature, a number of studies have proposed a PEKS scheme with trapdoor privacy and security against offline keyword guessing attack, but some of them suffer from inefficiency; that is, they use the computationally expensive bilinear pairing operation, only allow single keyword search functionality, and have a higher communication cost.

1) THE RHEE et al. [18] SCHEME
Rhee et al. [18] proposed the security notion of trapdoor indistinguishability, which was limited to the dPEKS scheme, and they only captured the trapdoor security from an outsider attacker. Their proposed security notion guaranteed that the outsider attacker should not be able to differentiate between the trapdoors of two challenge keywords of its choice, under the condition that the outsider attacker is allowed to query trapdoors for non-challenge keywords.
Rhee et al. [18] have modelled the trapdoor indistinguishability game between a challenger and an attacker as follows and Figure 4 is a visual representation of the game:
Setup: In this phase, the public parameters and the private and public keys for the server and receiver are generated. Only the public key of the server and receiver is provided to the outsider attacker.
Phase 1 (Trapdoor Queries): In this phase, the outsider attacker is allowed to query the trapdoor of any keyword of its choice.
Challenge: In this phase, the outsider attacker selects two keywords to be challenged. The selected keywords should not have been queried in the previous phase. The challenge keywords are provided to the challenger. The challenger computes the trapdoor with a random bit and returns it to the attacker.
Phase 2 (Trapdoor Queries): In this phase, the outsider attacker can continue to query for trapdoor as long as the keyword is not the challenge keyword.
Guess: This is the final phase of the game, in which the outsider attacker needs to guess the random bit chosen by the challenger. The outsider attacker wins the game if and only if the random bit is correctly guessed.

2) THE NISHIOKA [42] SCHEME
Nishioka [42] presented the security notion of perfect keyword privacy (PKP) that ensures not only the privacy of the keyword but also the trapdoor. The security notion of perfect keyword privacy guarantees that there is no efficient way to guess the keyword from the given trapdoor and searchable ciphertext. Nishioka [42] also proposed search pattern privacy (SPP) as an additional security notion for PKP because of the inability of PKP to capture search pattern privacy. The trapdoors are generated in a deterministic manner; therefore, it is easy for the adversary to guess the corresponding keyword from two trapdoors generated from the same private key.
The game for PKP is modelled as follows and Figure 5 is a visual representation of the game:
Setup: In this phase, two keywords ($W_0$ and $W_1$) are chosen from the keyword space. A challenge bit ($b = 0$ or $1$) is selected, and the key generation algorithm generates two pairs of public and private keys (($A_{pub}$, $A_{priv}$), ($A_{pub}$, $A_{priv}$)).
Challenge: In this phase, the trapdoor and searchable ciphertext of the first keyword ($W_0$) are generated using the first pair of public and private keys ($A_{pub}$, $A_{priv}$). The trapdoor and the searchable ciphertext of the keyword chosen randomly based on the challenge bit ($W_b$) are generated using the second pair of public and private keys ($A_{pub}$, $A_{priv}$). Both generated trapdoors and searchable ciphertexts are given to the adversary along with both public keys.
Trapdoor Queries: In this phase, the adversary can continue to query for trapdoor.
Guess: The adversary must guess the chosen random bit. If it correctly guesses the challenge bit, it wins the game.
The game for SPP is modelled as follows and Figure 6 is a visual representation of the game:
Setup: In this phase, two keywords ($W_0$ and $W_1$) are chosen from the keyword space. A challenge bit ($b = 0$ or $1$) is selected, and the key generation algorithm is used to generate a pair of public and private keys ($A_{pub}$, $A_{priv}$).
Challenge: In this phase, two trapdoors are generated, one using the first keyword ($W_0$) and the other one using the randomly chosen keyword based on the challenge bit ($W_b$). Both trapdoors are given to the adversary.
Trapdoor Queries: In this phase, the adversary can continue to query for trapdoor.
Guess: The adversary must guess the challenge bit. If it correctly guesses the challenge bit, it wins the game.
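The search pattern privacy game above, written as a small harness (an added example, not code from the paper or from Nishioka [42]). The two trapdoor generators are toy HMAC-based stand-ins assumed for illustration, not PEKS schemes, and the equality-checking adversary is only one possible adversary, so a low measured advantage is not a security proof.

```python
import hashlib
import hmac
import secrets

# Toy trapdoor generators (assumptions for illustration, NOT a PEKS scheme):
# a keyed MAC stands in for Trapdoor(A_priv, W) because the game only
# exercises the trapdoor side; there is no PEKS or Test algorithm here.


def keygen():
    """Stand-in for KeyGen: returns only the receiver secret A_priv."""
    return secrets.token_bytes(32)


def trapdoor_deterministic(a_priv, keyword):
    """Same key and same keyword always yield the same trapdoor."""
    return hmac.new(a_priv, keyword.encode(), hashlib.sha256).digest()


def trapdoor_randomized(a_priv, keyword):
    """A fresh nonce per trapdoor, so a repeated keyword never repeats."""
    nonce = secrets.token_bytes(16)
    tag = hmac.new(a_priv, nonce + keyword.encode(), hashlib.sha256).digest()
    return nonce + tag


def spp_game(trapdoor, adversary, w0, w1):
    """Play one round of the game; return True if the adversary wins."""
    # Setup: challenge bit b and one key pair (only A_priv is needed here).
    b = secrets.randbelow(2)
    a_priv = keygen()
    # Challenge: one trapdoor for W_0, one for W_b, both under the same key.
    t_first = trapdoor(a_priv, w0)
    t_second = trapdoor(a_priv, w1 if b else w0)

    # Trapdoor queries: the adversary may ask for further trapdoors.
    def oracle(keyword):
        return trapdoor(a_priv, keyword)

    # Guess: the adversary outputs its guess for b.
    return adversary(t_first, t_second, oracle) == b


def equality_adversary(t_first, t_second, oracle):
    """Guess b = 0 when the two challenge trapdoors are byte-identical.

    The oracle is not needed: comparing the two values is already enough
    against a deterministic trapdoor algorithm.
    """
    return 0 if t_first == t_second else 1


def advantage(trapdoor, adversary, trials=2000):
    """Empirical |Pr[win] - 1/2| over repeated independent games."""
    wins = sum(
        spp_game(trapdoor, adversary, "invoice", "payroll")  # constructed keywords
        for _ in range(trials)
    )
    return abs(wins / trials - 0.5)


def distinct_trapdoors(trapdoor, queries):
    """What a server logging trapdoors sees: number of distinct values.

    Fewer distinct values than queries means repeated searches are visible,
    which is the search pattern the notion is meant to hide.
    """
    a_priv = keygen()
    return len({trapdoor(a_priv, q) for q in queries})


if __name__ == "__main__":
    log = ["invoice", "payroll", "invoice", "invoice"]  # constructed query stream
    for name, td in (("deterministic", trapdoor_deterministic),
                     ("randomized", trapdoor_randomized)):
        print(name,
              "advantage=%.3f" % advantage(td, equality_adversary),
              "distinct=%d/%d" % (distinct_trapdoors(td, log), len(log)))
```
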

3) THE ARRIAGA et al. [43] SCHEME
Arriaga et al. [43] noted that the security notion of SPP proposed by Nishioka [42] could not be reflected in real-world scenarios because it limits the adversary to query only two trapdoors instead of multiple trapdoors. They first formulated the SPP notion as weak key unlinkability and then further enhanced it to strong key unlinkability, where the adversary can query multiple trapdoors. Their proposed security notions were used for an identity-based encryption scheme (IBE), but after applying the black-box transformation [13], a PEKS scheme with a stronger guarantee of trapdoor privacy is obtained.
The weak key unlinkability for the IBE scheme is modelled as follows and Figure 7 is a visual representation of the game:
Setup: In this phase, the public parameters and master key are generated. A challenge bit is selected ($b = 0$ or $1$). Two identities ($id_0$, $id_1$) are selected from the identity space.
Challenge: In this phase, two partial private keys are generated: the first partial private key is generated with the first identity ($id_0$), and the second partial private key is generated based on the challenge bit ($id_b$). Both the partial private keys are given to the adversary.
Queries: In this phase, the adversary can continue to query for partial private key.
Guess: The adversary must guess the challenge bit. The adversary wins the game if it correctly guesses the challenge bit.
The strong key unlinkability for the IBE scheme is modelled as follows and Figure 8 is a visual representation of the game:
Setup: In this phase, the public parameters and master key are generated. A challenge bit is selected ($b = 0$ or $1$). Two empty lists are generated, one for storing identity and the other for storing the partial private key. Two lists ($list_0$ and $list_1$) of $L$ identities each are generated.
Challenge: In this phase, the challenger chooses a list based on the challenge bit ($list_b$) to generate a list of partial private keys ($list_{sk}$). The generated list of partial private keys is given to the adversary.
Queries: In this phase, the adversary can continue to query for partial private key.
Guess: The adversary must guess the challenge bit. The adversary wins the game if it correctly guesses the challenge bit.

4) THE LU AND LI [44] SCHEME
Lu and Li [44] proposed a new trapdoor privacy security notion applicable to the PAEKS scheme. Their proposed security notion is called the search trapdoor indistinguishability against KGA (ST-IND-KGA). In their proposed security notion, an adversary can be assumed to be either a malicious insider attacker or an outsider attacker. Lu and Li [44] mentioned that the previously proposed security notions for PAEKS are vulnerable to adaptive chosen attack, which means that the adversary is allowed to choose their challenge target adaptively. To overcome this vulnerability, an adversary in the security notion proposed by Lu and Li [44] can adaptively choose their challenge target.
Lu and Li modelled the ST-IND-KGA game between a challenger and an attacker as follows, and Figure 9 is a visual representation of the game:
Setup: In this phase, the public parameters and the server's public and private keys ($S_{pub}$, $S_{priv}$) are generated. The public parameters and the server's public key ($S_{pub}$) are given to the adversary. If the adversary acts as the server, the server's private key ($S_{priv}$) is also given.
Phase 1 (Trapdoor Queries): In this phase, the adversary is allowed to adaptively query for keyword ciphertext and trapdoor of its choice.
Challenge: In this phase, the adversary selects two public keys ($A_{pub}$ and $B_{pub}$) and two keywords ($W_0$ and $W_1$) to be challenged. The selected keywords must not have been queried by the adversary in the previous phase. The challenger randomly selects a challenge bit (b = 0 or 1) and returns to the adversary the trapdoor of the randomly selected keyword ($W_b$) encrypted with the server's public key ($S_{pub}$), the selected public key ($A_{pub}$), and the selected private key ($B_{priv}$).
Phase 2 (Trapdoor Queries): In this phase, the adversary is allowed to adaptively query for keyword ciphertext and trapdoor of its choice except for the challenge keywords ($W_0$ and $W_1$).
Guess: In this phase, the adversary must guess the challenge bit. The adversary wins the game if it correctly guesses the challenge bit.

III. COMPARISON ANALYSIS FOR DIFFERENT PEKS VARIANTS
Table 2 shows a list of computational hardness abbreviations used in the following comparison of PEKS variants. In this section, we compare various types of PEKS schemes in terms of the underlying computational hardness, system model, search function, security properties of keyword privacy and trapdoor privacy, and the security against offline KGA and online KGA.

A. PEKS
Table 3 shows a comparison of PEKS schemes. Boneh et al. [3] proposed the first PEKS scheme based on bilinear pairing, but their scheme only guaranteed keyword privacy. Park et al. [6] proposed the first PECK scheme based on bilinear pairing in the random oracle model that allowed multiple keywords in a single search query. Their proposed scheme was time efficient because it only used one pairing operation in the Test algorithm. k-resilient public key encryption with keyword search (KR-PEKS) was first proposed by Khader [31]. Her proposed scheme was transformed from k-resilient IBE without a pairing operation. Tang and Chen [45] proposed the first PERKS scheme that achieved keyword privacy and was secure against offline KGA from both attackers. The pre-registration of the keyword in their proposed scheme is a crucial technique that protects against offline KGA, but it is also the main drawback of the PERKS scheme because it requires an interaction between the sender and receiver. Yau et al. [36] first proposed the RE-PEKS scheme, based on a bilinear map in the random oracle model, which uses a proxy server to translate a keyword encrypted under a public key into the same keyword encrypted under a different public key. Their proposed scheme satisfied keyword privacy.
Yang et al. [33] noted that Khader's scheme does not satisfy consistency, which is necessary for the PEKS scheme. They improved Khader's scheme to achieve computational consistency and greatly improved the efficiency. Yau et al. [46] pointed out that Khader's [31] scheme has some unnecessary steps, and that some steps can be simplified into fewer steps. Yang et al.'s [33] scheme also suffers from these issues. Yau et al. [46] later improved Khader's [31] scheme to achieve better efficiency. Yau et al. [46] also noticed that Khader's scheme strongly relied on the security of the underlying building block, that is, an IND-CCA k-resilient IBE, in order to achieve keyword privacy for the proposed scheme. According to Yau et al. [46], it is unnecessary to include this requirement. They proposed a more relaxed requirement that only requires the k-resilient IBE scheme to be IND-CPA, which is easier to achieve than IND-CCA, to achieve the same security as Khader's [31] scheme after transformation.
Nishioka [42] introduced the notion of search pattern privacy that guaranteed trapdoor privacy, which was later improved by Arriaga et al. [43] because the privacy of the trapdoor would be compromised if more than two trapdoors were queried. The security notion is called strong key unlinkability. Hwang et al. [29] proposed a PECK scheme based on bilinear pairing in the standard model. Xu et al. [28] proposed the first PEFKS scheme that satisfied keyword privacy and was secure against offline KGA from outsider attacker. They also proposed a universal transformation from anonymous identity-based encryption to a secure PEFKS scheme. Sun et al. [15] proposed a hybrid framework of PEKS and SSE that requires the sender to send the trapdoor generation key to the receiver for trapdoor generation. Their proposed scheme is secure against offline KGA from insider attacker but suffers from a key distribution problem because the trapdoor generation key needs to be sent to the receiver secretly. Wu et al. [47] proposed a new PEKS scheme based on bilinear pairing with the Diffie-Hellman shared secret key protocol to achieve keyword privacy, trapdoor privacy, and security against offline KGA from outsider and insider attacker. Lu et al. [48] proposed a new PEKS scheme without bilinear pairing. Their proposed scheme was based on a prime order elliptic curve group, and it satisfied keyword privacy and trapdoor privacy and was secure against offline KGA from outsider attacker. Xu et al. [49] proposed a new PECK scheme based on bilinear pairing that satisfied keyword privacy and trapdoor privacy and was secure against offline KGA from insider attacker. Liu et al. [50] proposed a new PEKS scheme based on a distributed two-trapdoor public key cryptosystem (DT-PKC) and proved that their scheme achieved keyword privacy and trapdoor privacy and was secure against offline KGA from insider attacker.

B. dPEKS/SCF-PEKS
Designated public key encryption with keyword search (dPEKS) and secure channel free public key encryption with keyword search (SCF-PEKS) are variants of the PEKS scheme that allow only the designated server to perform the search operation and allow the transmission of the trapdoor via a public channel. Table 4 shows a comparison of various dPEKS/SCF-PEKS schemes. Rhee et al. [18] first introduced the security notion of trapdoor indistinguishability to achieve trapdoor privacy against offline KGA from outsider attacker. Zhao et al. [21] proposed a new efficient SCF-PEKS scheme that achieved trapdoor privacy. Fang et al. [23] proposed a new SCF-PEKS scheme based on bilinear pairing in the standard model that achieved keyword privacy and trapdoor privacy and was secure against offline KGA from outsider attacker. Shao and Yang [52] proposed a dPEKS scheme based on Fang et al.'s scheme [23], which achieves security against offline KGA from insider attacker. They used a digital signature scheme to generate the searchable ciphertext and trapdoor to prevent the server from executing the Test algorithm using searchable ciphertext generated by the server itself. However, their scheme was later shown by Lu et al. [54] to be susceptible to offline KGA from insider attacker.
Chen [25] proposed a dPEKS scheme without bilinear pairing that achieved keyword privacy and trapdoor privacy and was secure against offline KGA from outsider attacker and online KGA. Chen et al. [37] proposed the first DS-PEKS scheme without bilinear pairing, which satisfied keyword privacy and was secure against offline KGA from insider attacker in the random oracle model. Their proposed scheme consists of two servers that run the test query. The front server first pre-processes the trapdoor and searchable ciphertext before forwarding them to the back server. The back server then decides which documents are queried by the receiver. Their proposed scheme is secure against offline KGA from insider attacker based on the assumption that both servers do not collude with each other, which is difficult to prove in a real scenario. Their scheme is also inefficient in practice because two servers are needed to carry out the trapdoor testing process. Chen et al. [38] proposed an SA-PEKS scheme based on a bilinear map and blind signature in the random oracle model that requires the user to query a semi-trusted third party (i.e., keyword server) to generate the keyword ciphertext and trapdoor. Their proposed scheme satisfied keyword privacy and was secure against online KGA and offline KGA from insider attacker. They also proposed a universal transformation framework from any PEKS scheme to a secure SA-PEKS scheme. Lee et al. [53] proposed a new SCF-PEKS scheme that achieved trapdoor privacy and was secure against offline KGA from outsider attacker. Their scheme also has an authentication mechanism that protects the cloud service provider from being tricked by an attacker that sends fake ciphertext.
Lu et al. [54] presented cryptanalyses on the Fang et al. [23] and Shao and Yang [ [23] to be secure against offline KGA from insider attacker by embedding a secret in both searchable ciphertext and the trapdoor that is shared between the sender and the receiver. They claimed that their method of achieving security against offline KGA from insider attacker can be generically adopted by other existing PEKS or SCF-PEKS schemes.

C. PAEKS
Public key authenticated encryption with keyword search (PAEKS) is a variant of the PEKS scheme that allows the verifier to verify that the searchable ciphertext is generated by the sender. Table 5 shows a comparison of various PAEKS schemes. Huang and Li [39] proposed the first PAEKS scheme based on a bilinear map that satisfied keyword privacy and trapdoor privacy. Wu et al. [55] proposed a new PAEKS scheme that requires the sender to compute the authorisation token of a keyword using a receiver's public key. The authorisation token is later used by the receiver to generate the trapdoor. Due to this mechanism, the proposed scheme is secure against offline KGA from insider attacker because the server cannot freely generate searchable ciphertext by itself. Li et al. [56] also proposed a PAEKS scheme based on a bilinear map. Their proposed scheme is more efficient than Huang and Li's [39] scheme in terms of the trapdoor generation algorithm and searchable ciphertext generation algorithm.
VOLUME 10, 2022
Noroozi and Eslami [57] found that Huang and Li's [39] scheme was insecure against KGA in multiuser settings because its security model only considers two types of attackers, namely, sender and receiver. Noroozi and Eslami [57] argued that the security model should also consider other users, as they may also be potential attackers, to reflect the practical multiuser nature of public key settings. They further improved the scheme to be secure against offline KGA from insider attacker in multiuser settings and to satisfy keyword privacy and trapdoor privacy. Qin et al. [40] showed that Huang and Li's [39] scheme failed to capture the multi ciphertext attack in their security model, and they presented a new PAEKS scheme that satisfied keyword privacy and trapdoor privacy and can withstand the multi ciphertext attack and the offline KGA from insider attacker. Lu and Li [44] noted that Huang and Li's [39] scheme is insecure against adaptive chosen target adversaries, and they improved the security notion to capture adaptive chosen target attacks. Lu and Li [44] also proposed a lightweight PAEKS scheme that is bilinear pairing free and satisfies keyword privacy and trapdoor privacy in the random oracle model. They also claimed that their proposed scheme outperformed other existing pairing based PAEKS schemes.
Ma and Kazemian [58] proposed a new type of PAEKS scheme that integrates the fuzzy logic technique to achieve fuzzy search functionality. Their proposed scheme also satisfied keyword privacy and trapdoor privacy and was secure against offline KGA from both types of attackers.
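The ST-IND-KGA game of Lu and Li [44] described in Section II, run against two toy trapdoor functions, as an added example that is not from the paper or from any scheme it surveys. Both trapdoor functions, the key labels and the keywords are constructed for illustration; the server key pair is omitted, and the value that A_pub and B_priv would jointly determine is modelled as a random per-pair secret held by the challenger.

```python
import hashlib, hmac, random

def unkeyed_trapdoor(secret, a_pub, b_pub, w):
    # Weak toy (constructed): depends only on public values, so anyone can recompute it.
    return hashlib.sha256(a_pub + b_pub + w.encode()).digest()

def keyed_trapdoor(secret, a_pub, b_pub, w):
    # Hardened toy (constructed): bound to a secret shared by sender and receiver.
    return hmac.new(secret, a_pub + b_pub + w.encode(), hashlib.sha256).digest()

class Challenger:
    def __init__(self, trapdoor_fn, rng):
        self.fn, self.rng = trapdoor_fn, rng
        self.keys, self.queried, self.forbidden = {}, set(), set()

    def _secret(self, a_pub, b_pub):
        # Assumption: stands in for the secret that A_pub and B_priv determine.
        fresh = self.rng.getrandbits(256).to_bytes(32, "big")
        return self.keys.setdefault((a_pub, b_pub), fresh)

    def trapdoor_query(self, a_pub, b_pub, w):       # Phase 1 and Phase 2 oracle
        if w in self.forbidden:
            raise ValueError("challenge keywords may not be queried")
        self.queried.add(w)
        return self.fn(self._secret(a_pub, b_pub), a_pub, b_pub, w)

    def challenge(self, a_pub, b_pub, w0, w1):
        if {w0, w1} & self.queried:
            raise ValueError("challenge keywords were queried in Phase 1")
        self.forbidden = {w0, w1}
        self.b = self.rng.randrange(2)               # hidden challenge bit
        return self.fn(self._secret(a_pub, b_pub), a_pub, b_pub, (w0, w1)[self.b])

def guessing_adversary(ch):
    a_pub, b_pub = b"A_pub", b"B_pub"
    ch.trapdoor_query(a_pub, b_pub, "invoice")       # Phase 1: a permitted keyword
    t = ch.challenge(a_pub, b_pub, "urgent", "salary")
    # Guess: recompute the trapdoor of W_0 from public data only and compare.
    recomputed = hashlib.sha256(a_pub + b_pub + b"urgent").digest()
    return 0 if hmac.compare_digest(t, recomputed) else 1

def win_rate(trapdoor_fn, trials=1000, seed=7):
    rng = random.Random(seed)  # seeded for reproducibility; a real challenger uses a CSPRNG
    wins = 0
    for _ in range(trials):
        ch = Challenger(trapdoor_fn, rng)
        wins += guessing_adversary(ch) == ch.b
    return wins / trials
```

Against `unkeyed_trapdoor` the guessing adversary always recovers the challenge bit, while against `keyed_trapdoor` its win rate stays near 1/2, which is the indistinguishability the game asks for.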

IV. POTENTIAL RESEARCH DIRECTIONS
We draw potential research directions based on our observations in section III. The keyword guessing attack is a major weakness of PEKS schemes. To achieve security against the keyword guessing attack, some proposed PEKS schemes must trade off security against efficiency.
Before trapdoor privacy was introduced, all previous PEKS schemes guaranteed privacy only in the ciphertext. Some research [18], [59] showed that the minimum requirement for a PEKS scheme to be secure against the offline keyword guessing attack is to satisfy at least keyword privacy and trapdoor privacy.
As noted in section III, most PEKS schemes are based on bilinear pairing, which is computationally expensive. IoT devices and smart devices with limited computational resources are at a disadvantage when using these schemes. Therefore, it is interesting to explore the possibility of constructing a PEKS scheme without bilinear pairing that possesses both keyword privacy and trapdoor privacy and can withstand the keyword guessing attack.
Another possible research direction is to investigate the relationship between the security notions of trapdoor privacy, as presented in section II-C. If it is possible to establish concrete findings on these security notions, it would also be significant to explore the possibility of constructing a secure PEKS scheme in the standard model that satisfies the trapdoor privacy security notions proposed by Nishioka [42] or Arriaga et al. [43].
For search functionality, a single keyword search is the most adopted search function. A single keyword search allows only one keyword to perform a search operation at a time, which is a disadvantage of the PEKS scheme from the functionality aspect. It would also be interesting to explore the possibility of constructing a PEKS scheme that has other search functionalities, such as conjunctive, disjunctive, and fuzzy search, while preserving keyword privacy and trapdoor privacy.

V. CONCLUSION
The security properties of keyword privacy and trapdoor privacy are essential for PEKS schemes to be secure against the offline keyword guessing attack from outsider attacker. In this paper, we have performed a comparison analysis of various types of PEKS schemes. We have drawn some potential research directions for future research.