An enhanced heterogeneous public key searchable encryption scheme supporting multiple keywords

Searchable encryption (SE) technology allows users to use keywords to retrieve encrypted data and ensure that useful plaintext information about encrypted data will not be disclosed. For a secure SE scheme, if it is able to meet the multi-trapdoor privacy (MTP), the security will be improved compared with the traditional SE scheme. However, there are few searchable encryption schemes that can meet the requirements of MTP. In addition to the security of the SE scheme, we should also strive to improve its practicability. Nowadays, many existing SE schemes use a single keyword to generate the keyword ciphertext and trapdoor for retrieving ciphertext, which will greatly reduce the accuracy of the search result. Another phenomenon deserves our attention. In recent years, public key cryptosystems such as certificateless cryptography (CLC) and public key infrastructure (PKI) have been widely used. If a SE scheme satisfies heterogeneity means that both sides of communication parties do not need to restrict the use of the same cryptosystems, the practicability of this scheme will be improved. Therefore, we propose a heterogeneous SE scheme that provides MTP. The new scheme supports multi-keyword search and allows the sender and receiver to be worked in different cryptosystems. Furthermore, it would obviously be impractical to use the same cryptographic system parameters between heterogeneous systems, so the communication parties in our scheme operate in different cryptosystems with different cryptographic system parameters. With the use of the random oracle model (ROM), we demonstrate the security of the proposed scheme, and we show the excellent performance of the proposed scheme at the end of the article.


Introduction
The development of cloud storage provides people with a new way to store and share data, and encryption is an effective mean to protect data security. Therefore, people usually encrypt data to store and share through cloud technology [1,2]. On the one hand, encryption may successfully protect data; on the other hand, it can also lead to an issue of difficulty in data search, which has been the focus of researchers [3].
The emergence of searchable encryption solves the problem of difficult search of encrypted data [4][5][6][7]. Song et al. [4] came up with the first effective SE scheme, and the scheme makes use of the symmetric cryptosystem to construct algorithms, resulting in this scheme with great efficiency [8]. Since then, scholars have proposed some searchable encryption algorithms based on the symmetric cryptosystem [9][10][11][12][13]. However, the communication parties in the symmetric cryptosystem need to conduct difficult and secure interaction to obtain the encryption key [14], which obviously leads to the increase of the complexity in data sharing. When it comes to public key encryption with keyword search (PEKS), Boneh et al. [15] did pioneering work. They presented the first PEKS scheme based on the asymmetric cryptosystem. Basically, PEKS mainly includes three main steps. First, the data sender extracts a keyword from the data to be shared and generates keyword ciphertext using the receiver's public key and the keyword, then the keyword ciphertext needs to be sent to the server storing the data. Second, the data receiver selects a keyword, generates a keyword trapdoor and transmits it to the server. Third, after receiving the keyword trapdoor and ciphertext, the server performs the test operation and returns the test result to the data receiver. After that, scholars proposed some searchable encryption schemes based on the asymmetric public key cryptosystem [16][17][18][19]. Although the specific implementation of these schemes may be different, the general scheme structure is consistent with that proposed by Boneh et al.

Related work
Scheme [15] is failed to resist the keyword guessing attack (KGA), Byun et al. [20] said in 2006. They pointed out that the keyword ciphertext can be easily generated because the keyword ciphertext generation algorithm only uses the receiver's public key. Ulteriorly, the keyword space is usually not as large as the password space, and this fact greatly increases the probability of generating effective keyword ciphertext, so KGA becomes possible. In order to resist KGA, scholars have put forward their own schemes. Secure channel-free public key encryption with keyword search (SCF-PEKS), also known as PEKS with a designated server/ tester (dPEKS), was introduced by Baek et al. [21]. They add the tester's public key to the keyword ciphertext generation algorithm, ensuring that the tester can only be the server with the corresponding private key. After that, numerous schemes based on SCF-PEKS have been proposed by researchers [22][23][24]. By using two servers to work together, Ma et al. [25] proposed a SE scheme. Huang et al. [26] added the sender's private key to realize authentication, so that the attacker could not generate effective keyword ciphertext. Unfortunately, although the above methods can resist KGA, in the face of the KGA initiated by the inside adversary, namely the inside keyword guessing attack (IKGA), only the method of [26] can effectively resist IKGA in the above methods. Other schemes [21][22][23][24][25] often only consider to limit the users who can perform the test operation, while ignoring the dangerous situation that the limited testers are attackers. In 2020, By analyzing scheme [26], Qin et al. [27] pointed out that the security of traditional searchable encryption schemes could be strengthened and proposed two security concepts: multi-ciphertext indistinguishability (MCI) and MTP. Then, Yang et al. [28] designed a searchable encryption scheme meeting MCI and MTP after learning from the articles of Qin et al. in [27].
How to improve the practicability of the searchable encryption scheme is also a concern of researchers. In 2018, a heterogeneous keyword search scheme (HSC-KW) for wireless body area network (WBAN) [29] was presented by Omala et al. They achieved the resistance of IKGA in a similar way to scheme [26], and arranged the sender and receiver to work in different cryptosystems that makes the scheme satisfy heterogeneity. Unfortunately, the same cryptographic system parameters are used by senders and receivers in separate network domains, and until now, there are still few searchable encryption schemes that satisfy heterogeneity. For the sake of the improvement of the accuracy of the search result, scholars began to use multiple keywords to generate keyword ciphertext and trapdoor [30][31][32][33]. Uwizeye et al. [32] proposed a SE scheme supporting multiple keywords, but this scheme fails to resist IKGA and does not satisfy heterogeneity. Yang et al. [33] proposed a blockchain-based SE scheme supporting multiple keywords. The keyword ciphertext generation algorithm of this scheme adds the sender's private key to realize keyword authentication and resistance to IKGA. Unfortunately, each keyword in this scheme needs to be processed separately and uploaded to the test server, which leads to huge communication overhead. In addition, the scheme also does not support both sides of communication to work in a heterogeneous environment. Schemes [34] and [35] are proposed by Jiang et al. [34] implements the authorization mechanism, so the scheme can not only realize the retrieval of ciphertext but also verify the user and ciphertext. However, this scheme, like the scheme based on SSE, requires a secure channel for the transmission of the authorization key. The scheme [35] is implemented based on the database system, which can realize the keyword ciphertext search of multiple users. Unfortunately, this scheme does not have heterogeneity.

Our contributions
Based on previous studies, we propose a new searchable encryption scheme called an enhanced heterogeneous public key searchable encryption scheme supporting multiple keywords (HSE-MK) in this paper. The following is the main innovations of our work: 1. The proposed scheme has excellent security. Our scheme realizes authentication by using the user's private key, which can effectively resist IKGA. In addition, within the security model we defined, our proposed scheme can achieve MTP. 2. Our searchable encryption scheme meets the heterogeneity. In our scheme, both sides of communication are allowed to work in a CLC environment and a PKI environment respectively. At the same time, different cryptographic system parameters are used by communication parties under different cryptosystems. 3. In terms of efficiency, our scheme also has advantages. In this paper, we select several relevant SE schemes and compare their performance with our scheme. Our scheme has outstanding performance, as seen by the comparison result.

Organization
The following sections form the rest of this paper: Sect. 2 describes the relevant knowledge required for scheme design and demonstration. Section 3 introduces the generic model of our scheme and its security model. Section 4 introduces the scheme we designed and the detailed analysis of the security of the proposed scheme is located in Sect. 5. The sixth part analyzes the performance of our scheme, and the last part is a summary of this paper.

Bilinear pairing
Given an additive cyclic group G 1 and a multiplicative cyclic group G 2 , they have the same order of prime q, then ê ∶ G 1 × G 1 → G 2 is defined as a bilinear pairing and satisfies the following properties: 1. Bilinearity: For ∀P, Q ∈ G 1 and x, y ∈ Z * q , it must exist that ê(xP, yQ) =ê(P, Q) xy . 2. Non-degeneracy: ∃P, Q ∈ G 1 , it makes ê(P, Q) ≠ 1 G 2 . 3. Computability: There must exist a valid algorithm to calculate ê(P, Q) for any P, Q ∈ G 1 .

Computational assumption
The security of the scheme proposed in this paper is proved under the ROM in combination with the mathematical difficulty. The following is the mathematical difficulty to be used:

Definition 1 Computational Diffie-Hellman problem (CDHP):
Suppose that ê ∶ G 1 × G 1 → G 2 is a bilinear pairing. Given a tuple (P, P, P) , where P is a generator of G 1 , P and P are two elements in group G 1 ( , ∈ Z * q ). The purpose is to figure out the value of P according to the given information.

Multi-ciphertext indistinguishability and multi-trapdoor privacy
Multi-ciphertext indistinguishability Qin et al. [27] are the first to suggest MCI. Traditionally, ciphertext indistinguishability (CI) is a security feature that prevents attackers from extracting any valuable information from keyword ciphertext. There is no corresponding provision, however, for determining if two encrypted data contain the same keyword.
As an enhancement to CI, MCI ensures that adversaries cannot know whether multiple encrypted keyword ciphertexts contain the same keywords. This security becomes the indistinguishability of multiple keyword ciphertext.
Multi-trapdoor privacy MTP was also originally proposed by Qin et al. [27]. Traditionally, trapdoor privacy (TP) aims to prevent attackers from obtaining any valid information related to keywords from trapdoors and internal attacks. MTP, similar to MCI, can ensure that adversaries cannot distinguish whether multiple trapdoors are generated with the same keyword.

Generic model
In our design, eight algorithms constitute the generic model of the proposed scheme, which are described in detail below: 1. Setup: In the CLC environment, the executor of this algorithm is the key generation center (KGC). After inputting the given security parameter , KGC determines its system master secret key s, which needs to be kept secret. Then the algorithm outputs the relevant parameter PParams 1 of the system and KGC makes the parameters PParams 1 public. In the PKI environment, certificate authority (CA) can similarly generate and expose the system parameters PParams 2 . Note that PParams 1 and PParams 2 are two different sets of parameters. 2. CLC-Partial key extraction (CL-PKE): KGC runs this algorithm. It inputs an identity ID i , then user's partial private key u i and partial public key T i are output. 3. CLC-Secret value generation (CL-SVG): The algorithm needs to take an identity ID i as the input, and it can output a secret value d i of user ID i . Note that a secret value d i and a partial private key u i can compose a user's full private key SK i = (u i , d i ). 4. CLC-Public key generation (CL-PKG): A user in the CLC environment, as the executor of this algorithm, inputs its secret value d i . Then, the user's public key PK i = (T i , PPK i ) is output. The premise is that the executor already executed the CL-PKE and CL-SVG algorithms before. 5. PKI-Key generation (PKI-KG): As the executor of this algorithm, users in the PKI environment input their private key d j , then the algorithm outputs the corresponding user's public key PK j . 6. CLC-PKI PEKS(CP-PEKS): A user in CLC environment is the executor of this algorithm. It takes a set of keywords S = {w i ∈ U|(1 ≤ i ≤ v)}(all the keywords are in U, v represents the number of elements in U) extracted from plaintext data m, its own private key SK s and a receiver's public key PK r as inputs, then the algorithm can output the corresponding ciphertext W . 7. PKI-Trapdoor generation (PKI-TG): A user in the PKI environment is the executor of this algorithm. It inputs a keyword set S = {w i ∈ U|(1 ≤ i ≤ v)} , user's public key PK s in the CLC environment and its private key d j , the algorithm outputs the corresponding keyword trapdoor T W . 8. Test: A cloud server acts as the executor of this algorithm, taking the keyword trapdoor T W and ciphertext W sent by the user as the inputs of the algorithm. If the verification is successful, it outputs true. Otherwise, ⊥ is returned to the receiver.

Security model
According to scheme [28], there are two types of adversaries in the CLC environment: A malicious user who can replace the user's public key but does not know the system master secret key is characterized as the first type of adversary, whereas the one that acts as KGC knows the system master secret key but cannot replace the user's public key plays the second type of adversary. Therefore, we build three adversaries in the security model, A 1 , A 2 and A 3 , to complete the security proof of our scheme. A 1 and A 2 respectively correspond to two types of adversaries in CLC, and A 3 represents adversary in PKI environment with the same capabilities as A 1 . At the same time, we define three games, which are used to demonstrate the security of the proposed scheme. Each of these games is completed by a challenger C and an adversary A (A could be one of A 1 , A 2 and A 3 ). The oracles listed below may be used: -Hash-queries: For the hash function involved in our scheme, A can perform various hash queries, and C provides adversary A with the corresponding hash value according to the received hash query. -CL-partial key query: Adversary A provides C with an identity ID i . Then C calculates user's partial private key u i as well as the partial public key T i by running CL-PKE algorithm and returns them to A. -CL-secret value query: Adversary A provides C with a user's identity ID i . Then C determines the secret value belonging to user ID i by running CL-SVG algorithm.
And then, C returns it to A. -CL-public key query: Adversary A provides C with an identity ID i to perform this query. Then C computes the public key belonging to the ID i by running CL-PKG algorithm and provides A with the public key. -CL-replace public key query: Any sender's public key can be replaced with a valuable value by A(A could not be A 2 ). -CL-PKI-SE query: A provides C with a set of keywords S and the respective identities ID i and ID j of the sender in the CLC environment and the receiver in the PKI environment. Then C generates the ciphertext W by executing the CP-PEKS algorithm and returns it to A.
-PKI-public key query: A performs this query with a user's identity ID j with the purpose of obtaining user's public key.
Then C executes PKI-KG algorithm and returns PK j to A. -PKI-trapdoor query: A provides C with a set of keywords S and the respective identities ID i and ID j of the sender in the CLC environment and the receiver in the PKI environment. Then C generates the keyword trapdoor T W by executing the PKI-TG algorithm and provides A with it.

Game 1
-Initialization After determining the security parameter , C obtains the cryptographic system parameters by executing the Setup algorithm and then make them public, but C needs to keep the system master secret key s secret to A 1 . -Phase 1 A 1 can initiate a series of queries to C during this phase. These queries are consistent with the queries defined in the security model. -Challenge A 1 provides C with a receiver's identity ID B , a sender's identity ID A and two sets of keywords S 0 and ) (m represents the number of keyword sets in S 0 and S 1 , and n represents the number of keywords in each S 0,i(0≤i≤m) and S 1,i(0≤i≤m) ). C decides a random bit b from {0, 1} , then computes a keyword ciphertext * The restriction is that the PKI-trapdoor query on keyword tuple S b,i ∈ S 0 ∪ S 1 has never been asked before.
-Phase 2 A 1 has no chance to query the trapdoor on keyword tuple S ∈ S 0 ∪ S 1 at this phase, other queries can be carried out normally. -Guess A 1 is the winner of this game only if A 1 outputs a bit b ′ that is equal to b.
Definition 2 A 1 is an arbitrary polynomially bounded adversary. If A 1 can't win Game 1 with a non-negligible advantage, the proposed SE scheme is resistant to IKGA and achieves MCI in the face of the first type of adversary A 1 .

Game 2
-Initialization The initialization operation of this game is the same as that of Game 1, but challenger C needs to inform adversary A 2 of the system master secret key s in addition to the cryptographic system parameters. is returned. The restriction is that the PKI-trapdoor query on S b,i ∈ S 0 ∪ S 1 has never been asked before. -Phase 2 A 2 has no chance to query the trapdoor on keyword tuple S ∈ S 0 ∪ S 1 at this phase, other queries can be carried out normally. -Guess A 2 is the winner of this game only if A 2 outputs a bit b ′ that is equal to b.
Definition 3 A 2 is an arbitrary polynomially bounded adversary, if A 2 can't win Game 2 with a non-negligible advantage, the proposed SE scheme is resistant to IKGA and achieves MCI in the face of the second type of adversary A 2 .

Definition 4
If A 1 can't win Game 1 with a non-negligible advantage and A 2 can't win Game 2 with a non-negligible advantage either, the proposed SE scheme is resistant to IKGA and achieves MCI.

Game 3
-Initialization The initialization operation of this game is the same as that of Game 1. is returned. The restriction is that the PKI-trapdoor query and CL-PKI-SE query on keywords tuple S b,i = S 0 ∪ S 1 have never been asked before. -Phase 2 A 3 has no chance to query the keyword trapdoor and keyword ciphertext on keyword tuple S ∈ S 0 ∪ S 1 at this phase, other queries can be carried out normally. -Guess A 3 is the winner of this game only if A 3 outputs a bit b ′ that is equal to b.

Definition 5
If any polynomially bounded adversary A 3 is not able to win Game 3 with a non-negligible advantage, the proposed SE scheme can resist IKGA and achieve MTP.

The basic scheme
Now, we describe our scheme in detail.
-Setup: After obtaining the security parameter , the KGC in the CLC environment first selects an additive cyclic group G 1 with order of prime q 1 and generator P 1 , and a multiplicative cyclic group G 2 with the same order as the additive group G 1 , uses the two groups to determine a bilinear pairing ê ∶ G 1 × G 1 → G 2 . Then it randomly selects a value s from Z * q 1 as the master secret key of the CLC system, and uses the master secret key to calculate the corresponding master public key P pub = sP 1 . Finally, KGC determines three hash functions After the above operations are completed, the cryptographic system parameters PParams 1 = G 1 , G 2 , P 1 , q 1 , P pub , H 1 , H 2 , H 3 in the CLC environment can be obtained. Similarly, CA in the PKI environment needs to determine an additive cyclic group G ′ 1 with order of prime q, and the generator of the group G ′ 1 is P 2 , then we have the cryptographic system parameters PParams 2 = G � 1 , P 2 , q of PKI. Note that G 1 is a subgroup of G ′ 1 .
-CL-PKE: After the identity of the sender ID i ∈ 0, 1 * is given, KGC randomly selects a number r i from Z * q 1 and calculates the part of sender's public key T i = r i P 1 . Then it calculates the corresponding hash value i = H 1 (ID i , T i ) and computes the part of the private key u i = r i + s i (modq 1 ) in the end.
-CL-SVG: The secret value d i ∈ Z * q 1 is a random selection of sender ID i . Note that the user's full private key can be interpreted as SK i =(u i , d i ) now.
-CL-PKG: Another part of public key PPK i =d i P 1 of the sender ID i is computed by itself, then PK i =(T i , PPK i ) is set as the full public key of the sender. -PKI-KG: Private key d j ∈ Z * q is randomly selected by the receiver in PKI, and its public key is set as PK j =d j P 2 .
-CP-PEKS: A set of keywords S = (w 0 , w 1 , ⋯ , w n ) , the private key SK S of sender and the public key of receiver PK r are the inputs of this algorithm. The sender carries out this algorithm as follows: 1. Chooses r 1 ∈ Z * q 1 randomly.
-PKI-TG: Receiver takes a tuple of keywords S � = (w � 0 , w � 1 , ⋯ , w � n ) , the sender's public key PK s and the private key d r of receiver as inputs, then carries out this algorithm as the following steps: , PK s , PK r ).
-Test: The cloud server that received trapdoor and keyword ciphertext performs this algorithm to detect whether equation ê(T 1 , C 2 ) =ê(T 2 , C 1 ) holds. Now, we verify the correctness of the scheme.

Other considerations
In the basic scheme above, we adopt a method similar to the conjunctive keyword search technology [32]. This technology requires that the number of keywords used in the keyword ciphertext is the same as that in trapdoor. To break this limit, we adopt the method of scheme [36] to solve the problem. This method is to use a keyword dictionary S and a mapping to complete the mapping of the keyword location selected by the receiver and the sender. The algorithms of our scheme can be modified as follows: -CP-PEKS: A keyword dictionary S = (w 0 , w 1 , ⋯ , w n ) , the private key SK S of sender and the public key of receiver PK r are the inputs of this algorithm. The sender carries out this algorithm as follows: 3. Computes C 1 = kPK r . 4. For any keyword w i , computes C 2,i = kH 2 (w i )P 2 . 5. Computes C 3 = r 1 P 2 , then outputs the keyword ciphertext W = (C 1 ,C 2,i , C 3 ).
-Test: The cloud server that received trapdoor, L and keyword ciphertext performs this algorithm to detect whether (t)C 2,t ) holds.

Security analysis
In this part, we prove the security of the proposed HSE-MK scheme. It should be noted that in the process of proof, in order to make the proof process easier to understand, we use P to express P 1 and P 2 uniformly.

Theorem 1
In the ROM, based on the assumption of mathematical difficulty CDHP, the proposed HSE-MK scheme has MCI and can resist IKGA from A 1 .

Proof
The goal of challenger C is to compute the solution of the CDHP. So, C uses adversary A 1 as a subroutine and sends A 1 a CDHP instance (P, P, P) to compute P . Note that P is a generator of G 1 . Initialization For the smooth progress of the game, C maintains five lists, L i(i = 1,2,3) , LK c and LK p . The outputs of hash queries are recorded by three lists L i(i = 1,2,3) , and the results of public key queries in the CLC and PKI environment are recorded by LK c and LK p respectively. C produces master secret key s and cryptographic system parameters by executing Setup algorithm with the use of the given security parameter , then sends cryptographic system parameters to A 1 and keeps the value of s confidential to adversary A 1 . Finally, C sets P pub = sP and chooses a challenged identity ID x(1≤x≤q H ) (Suppose that adversary has made q H times CLpublic key query at most) at random. is picked as the return and tuple (w, h w ) is inserted into L 2 by C.

Phase 1 C adaptively handles various queries submitted by
-H 3 query: Adversary A 1 submits a sum of hash values of multiple keywords W, the public of the sender PK i and receiver's public PK j to challenger C. The challenger checks whether there is an entry (W, PK i , PK j , h W ) in L 3 . If the entry exists, C returns h W to A 1 . Otherwise, a random value is picked as the return and (W, PK i , PK j , h W ) is inserted into L 3 by C.
-CL-secret value query: Cneeds to determine whether ID x and ID i are the same when receives a CL-secret value query on ID i . If ID x = ID i , C aborts this game. If this is not the case, C checks if the relevant entry If it does not exist, C performs a CL-public key query.
-CL-partial key query: When this query on ID i is submitted by A 1 , C checks list LK c . If the corresponding tuple (ID i , d i , T i , u i , PPK i ) exists in LK c and the value is available, C returns u i and T i to A 1 . Otherwise, C performs a CL-public key query. Finally, C inserts tuple list LK c and returns u i and T i to A 1 . -CL-public key query: A 1 submits this query on ID i . In the case of ID x ≠ ID i , challenger C checks if the tuple If it does not exists, C randomly selects d i and r i from Z * q 1 , then computes PPK i = d i P , T i = r i P , and u i = r i u i = r i + s i (modq 1 ) . Finally, C returns PK i =(T i , PPK i ) as the response and inserts -CL-replace public key query: In addition to user ID x , any sender's public key is easy to be replaced by A 1 . -CL-PKI-SE query: A 1 submits this query with a set of keywords S = (w 0 , w 1 , ⋯ , w n ) , a sender's identity ID i and a receiver's identity ID j . By running CP-PEKS algorithm, C generates ciphertext W and then sends it to A 1 in the case of ID x ≠ ID i . Otherwise, C aborts this game. -PKI-public key query: A 1 submits this query on ID j .
Challenger C first checks the list LK p , PK j is returned if the tuple (ID j , d j , PK j ) is found in the list LK p . Otherwise, C picks d j ∈ Z * q at random and computes PK j =d j P as the return, then inserts (ID j , d j , PK j ) into the list LK p .
-PKI-trapdoor query: When A 1 submits this query with a set of keywords S = (w 0 , w 1 , ⋯ , w n ) , C runs PKI-TG algorithm to compute T W and returns it to A 1 .
Guess A 1 outputs a bit b ′ as its guess. If b . Now, we can draw a conclusion that as long as A 1 wins, C can settle the CDHP. Nevertheless, it is well known that mathematical difficulties like CDHP cannot be solved effectively at present, which confirms our scheme can realize MCI.

Theorem 2
In the ROM, based on the assumption of mathematical difficulty CDHP, the proposed HSE-MK scheme has MCI and can resist IKGA from A 2 .
Proof For adversary A 2 , it knows the master secret key s of the system as a malicious KGC. Therefore, in the initialization stage, C should inform A 2 the master secret key of the system s. In this case, A 2 can calculate the part of the user's key in the CLC environment by itself. Even so, if adversary A 2 successfully distinguishes ciphertext returned by C, it means that A 2 can compute C � 1 = ( + u A )PK B + ( + u A )h W P without the secret value d A of ID A and the value in C * 2 = P , then C can solve CDHP through A 2 as follow: This is contradictory to the actual situation that mathematical difficulties like CDHP cannot be solved effectively. Therefore, we can come to the conclusion that our scheme is semantically MCI secure and can prevent the IKGA from adversary A 2 .

Theorem 3
In the ROM, based on the assumption of mathematical difficulty CDHP, the proposed HSE-MK scheme has MTP and can resist IKGA from A 3 .
Proof The goal of challenger C is to compute the solution to the CDHP. In Game 3, C uses adversary A 3 as a subroutine and sends A 3 a CDHP instance (P, P, P) to compute P.
Initialization The same initialization is executed in the proof of Theorem 3 as it was in Theorem 1 except that the master public key is set to P pub = P.

Phase 1
In this phase, the operations required for C are similar to the proof of Theorem 1, and the queries submitted by A 3 are handled by C as follows: -Hash queries: Adversary A 3 is able to make hash queries for all the hash functions contained in our scheme, and after receiving the relevant hash queries, C takes the same processing as in the proof of Theorem 1 to interact with adversary A 3 .
-CL-public key query: C needs to randomly select a value c ∈ {0, 1} and determine the progress of the game through it. When receiving a CL-public key query on ID i submitted by A 3 , C checks list LK c . If the corre- at random, then sets d i = y i , T i = x i P and PPK i = y i P , and finally returns PK i =(T i , PPK i ) as the answer and inserts tuple ( -CL-partial key query: When C receives this query on identity ID i submitted by A 3 , list LK c is checked by C at first. If there is a ID i related entry in LK c but c i = 1 , C needs to terminate this game. If c i = 0 , C returns u i and T i to A 3 . If there is no entry related to ID i in LK c , C performs the CL-public key query and interacts with A 3 according to the value of c i . -CL-replace public key query: Except for the challenge identity, A 3 can replace any user's public key. -CL-PKI-SE query: A 3 submits this query with a keywords tuple S = (w 0 , w 1 , ⋯ , w n ) , a sender's identity ID i and a receiver's identity ID j . If c i = 1 for the tuple related to ID i in LK c , C aborts this game. Otherwise, C generates ciphertext W by running CP-PEKS algorithm and then sends it to A 3 . -PKI-public key query: Operations are consistent with the proof of Theorem 1. -PKI-trapdoor query: A 3 submits this query with a keywords tuple S = (w 0 , w 1 , ⋯ , w n ) and two user's identities ID i and ID j , which are the sender and receiver respectively. Then C runs PKI-TG algorithm to compute T W and returns it to A 3 .
Challenge Adversary A 3 provides challenger C with an identity ID B of receiver, a sender's identity ID A and two tuples of keywords S 0 and S 1 . If c i ≠ 1 for the tuple related to ID i in LK c , C aborts this game. Otherwise C selects a bit b ∈ {0, 1} and selects f ∈ Z * q randomly, sets T * 2 = P and T * 1 = fP , then returns T * The restriction is that the CL-PKI-SE query and PKI-trapdoor query on keywords tuple S b,i ∈ S 0 ∪ S 1 have never been asked before. Phase 2 C allows A 3 to make more queries except for the PKI-trapdoor query and CL-PKI-SE query on keywords tuple S ∈ S 0 ∪ S 1 .
Guess A 3 outputs a bit b ′ as its guess, if b . Nevertheless, it is well known that mathematical difficulty like CDHP cannot be solved effectively at present, which confirms our scheme can realize MTP and can resist IKGA from A 3 .

Performance analysis
In this section, we select several relevant searchable encryption schemes ( [28,29,32,34,35]) to compare with the proposed scheme. The computation cost and feature of these schemes are compared first, followed by a comparison of the communication overheads of these schemes.

Computation cost and features comparison
For the sake of getting a more intuitive comparison result, we make a quantitative comparison and analysis of the selected schemes. In order to make the comparison results more visible, we decide to fix the value of c to 1 and the number of keywords in our scheme at 3. For the schemes that support multiple users, we limit the number of users to the minimum allowed by the scheme. We also want to state that the comparison approach we take only requires to compare the complexity of searchable encryption operations of each scheme. For the schemes involving ciphertext encryption, decryption and ciphertext verification, we ignore the overhead of these operations. The experimental data were obtained by running the MIRACL library on a personal computer with 16 GB of RAM, an Intel processor i5 and the Microsoft Windows 10 operating system, which is similar to the experimental environment used in scheme [28]. Table 1 shows the experiment data we obtained. Table 2 shows the computation cost of each scheme in each stage, (1+) and (2+) respectively represent one and two operations that can be performed offline, the cost of offline computation is not included in our comparison result. We make the comparison data into Fig. 1 for the sake of an intuitive display of the computation cost. The characteristics of each scheme are compared in Table 3.
According to Table 1 and Fig. 1, we can clearly understand that our proposed scheme has excellent computational efficiency. Compared with [28,29,32,34] and [35], our scheme has a considerably lower total computation cost than the other five schemes, the total computation cost of our scheme decreased by about 37.29%, 15.18%, 77.79%, 66% and 61.03% respectively. In addition to the excellent computation cost, we can see from Table 3 that our scheme has excellent security and heterogeneity. Among all the schemes added with comparison, only our scheme can both satisfy MTP and heterogeneity. Among these schemes, only scheme [32] fails to resist IKGA, because in this scheme, the attacker can forge the keyword ciphertext at will and execute the test operation. As for MTP, schemes [29,32] and [34] do not have this security because they use the  [28,32,34] and [35] use the same cryptosystem, so they are not heterogeneous.
It should be pointed out that although scheme [29] is heterogeneous, the scheme adopts the same cryptographic system parameters in different cryptosystems.