A Multivariate Public Key Encryption Scheme With Equality Test

The public key encryption with equality test (PKEET) allows the cloud server to judge whether two different ciphertexts are generated by the same message without decryption. Through this technique, PKEET provides an effective solution for building secure outsourced databases, and has made some rich achievements. This paper combines multivariate public key encryption and equality test, and proposes the first multivariate public key encryption scheme with equality test (MPKEET), which inherits the advantages of both primitives. Moreover, the equality test algorithm proposed in this paper is based on a straight line. Compared with the schemes based on bilinear pairing, it is simpler and easier to implement. And our MPKEET scheme achieves desirable security, which can resist linearization equation attacks, differential attacks, XL attacks, Gröbner basis attacks and the attack of quantum computer, when appropriate parameters are selected.


I. INTRODUCTION
As an extension of the classical public key encryption scheme, the public key encryption with equality test was proposed by Yang et al. [1], which can be used to judge whether the plaintexts encrypted by two different public keys are the same. To some extent, the proposed technology solves the problem of computing encrypted data of multiple public keys, enriches the retrieval method of the encrypted data in the cloud environment, and provides a broader application scenario for public key encryption.
Through this technology, some privacy preserving services for outsourced data could be achieved. Therefore, PKEET has been widely used in real applications since it was proposed. For example, in data archiving, the same data can be tagged for archiving by using ciphertext equality test technology. In a medical system, patients with the same disease can be screened out by using ciphertext equality test technology, and the most appropriate treatment for the disease can be selected by comparing treatment means with a curative effect. If an encrypted database and ciphertext equality test technology The associate editor coordinating the review of this manuscript and approving it for publication was Adnan M. Abu-Mahfouz . can be combined, cross table query of the encrypted database can be achieved.
Because of its wide applicability in practice, various PKEET constructions have been proposed [1]- [13], but their securities mostly depend on discrete logarithm problem and bilinear pairing, which can be solved in polynomial time by efficient shor's quantum algorithms [14]. Therefore, these public key cryptography algorithms are no longer secure in the era of quantum computing, the scheme proposed in this paper overcomes this shortcoming, and can resist the attack of quantum algorithm.
As one of the promising candidate scheme that can effectively resist the attack of quantum computer, the multivariate public key cryptosystem (MPKC) has attracted increasing attention in the academic world. In addition, because the MPKC schemes mostly operate on a small finite field, it is more efficient than traditional encryption schemes based on number theory, like RSA and ECC [15], which are well suited to resource-constrained computing devices, such as wireless sensor networks, radio frequency identification devices (RFID) and smart cards. Hence, this paper introduces the equality test into the multivariate public key encryption scheme for the first time, and proposes a novel multivariate public key encryption scheme with equality test (MPKEET), aiming to expand the application scenario of multivariate cryptography.

A. OUR CONTRIBUTIONS
To provide search functionality on multivariate public key encryption scheme, the construction of multivariate public key encryption with equality test has been proposed in this paper. Our main idea is to provide the additional function of the equality test to Ding et al.'s PMI+ scheme [16], which is considered secure at present [17]. Our contributions are summarized as follows.
• We introduce the idea of PKEET into the multivariate public key encryption scheme to enjoy the best-of-thetwo-worlds for the first time. The proposed scheme integrates the advantages of these two cryptographic primitives, and fills in the gap of multivariate public key encryption algorithm in the field of equality test. The core work of this paper is to add the equality test algorithm to the classical multivariate public key encryption scheme, so that it can perform equality test on the ciphertexts encrypted by different public keys and ciphertexts encrypted by the same public key. This design enriches the search function of encrypted data.
• The encryption algorithm proposed in this paper operates on a small finite field, so it is more efficient than cryptography algorithms based on number theory. Compared with some existing public key encryption schemes with equality test, the encryption time of our scheme has been reduced by at least 94%.
• The equality test algorithm proposed in this paper is based on a straight line. This design is simpler and easier to implement. Compared with the schemes based on bilinear pairing in [4]- [6], [10] and [11], the time costs of our scheme has been reduced by at least 16.7%.
• Our MPKEET scheme achieves desirable security, and resists linearization equation attacks, differential attacks, XL attacks, Gröbner basis attacks and quantum computer attacks, when appropriate parameters are selected.

B. ORGANIZATION
The remainder of this paper is organized as follows: We discuss related work in section 2. The preliminaries and the system model are presented in section 3 and section 4, respectively. Then, a multivariate public key encryption scheme with equality test is proposed in section 5.
In section 6, we give the detailed performance evaluations of our scheme. In section 7, we analyze the security of our proposed MPKEET. Finally, we conclude our work in the last section.

II. RELATED WORK
The development of big data has greatly facilitated people's life. However, big data also faces many security risks in the collection, storage, and use of data. In response to these challenges, many valuable encryption schemes [18]- [21] have been proposed. Using these encryption algorithms, data is encrypted and then sent to the cloud for storage. When a user needs to find a file that contains a keyword, he should first download all ciphertexts data to local for decryption, and then keyword searches are performed on plaintext, but this operation not only wastes a lot of network overhead and storage overhead due to a lot of data that is not needed, but also requires users to pay a lot of computational overhead for decryption and search operations. Therefore, some schemes that allow users to retrieve ciphertext data through keywords are proposed. Two related cryptographic primitives have been proposed: Public key encryption with keyword search (PEKS) [22] and public key encryption with equality test [1].

A. PKES
Public key searchable encryption (PKSE) is a kind of ciphertext searchable encryption system. Under the premise of protecting data confidentiality, PKES allows users to search ciphertext data that contains certain specific keyword. In 2004, Boneh et al. [22] proposed the concept of public key searchable encryption for the first time by using public key encryption technology and bilinear mapping. This construction solved the difficult problem of retrieving encrypted data in a specific environment. However, its communication mode is one-to-one, and keyword ciphertext can only be queried or decrypted by a specific user, which has many limitations in practice. Recently, Mamta et al. proposed attribute-based searchable encryption [23], [24] and IBE-based searchable encryption schemes [25]. These structures realize one-tomany communication, so that keyword ciphertext can be retrieved by multiple users, saving network storage space, and improving retrieval efficiency.

B. PKEET
The notion of public key encryption with equality test (PKEET) was firstly introduced by Yang et al. [1] as a new variant of searchable encryption. In 2011, Tang [2] proposed a public key encryption scheme with equality test to support fine-grained authorization, and introduced an authorization mechanism for the first time. Two users with their own public/private key pairs can issue tokens to an agent to authorize it to perform equality tests between their ciphertexts. But in this system, two users must come together to generate a token to allow agents to compare their ciphertexts. Although it provides users with strict control over who can compare their ciphertexts, in some situations, it may be a burden. Tang [3] proposed an all or nothing public key cryptosystem with equality test, which supported user-level authorization by specifying who can independently equality test between two ciphertexts. Subsequently, Tang [4] extended the fine-grained authorized public key encryption precaution with the equality test proposed in [2] to two-proxy settings, which protected against the inevitable offline message recovery attacks.
Later, Ma et al. [5] proposed a public key encryption scheme with delegated equality test. This primitive allows only authorized parties to verify the equality of ciphertexts in scenarios involving multiple users, but it cannot work effectively due to its large number of bilinear mapping operations. Huang et al. [6] proposed a public key encryption scheme with authorization equality test, which enhanced privacy protection through receiver's warrants and cipher-warrants. Lee et al. [7] proposed a polynomial time CCA2 attack on Huang et al.'s scheme and gave a solution.
In 2015, Ma et al. [8] proposed the concept of public key cryptography with equality test supporting flexible authorization, which supports four different types of authorization mechanisms. However, this work is based on bilinear pairing, which is a time-consuming operation compared with modular exponents. Lin et al. [9] proposed a public key encryption scheme with equality test, which supports flexible authorization, but does not require a bilinear pairing operation.
In 2016, Ma [10] proposed the first identity-based equality test encryption scheme. This allows equality tests to be carried out for one or more user's ciphertexts, but the scheme uses too many hash-to-point operations and bilinear mapping operations, so it is inefficient and unsuitable for deployment on lightweight devices. In 2017, Wu et al. [11] proposed an efficient equality test encryption scheme based on bilinear pairings, which reduced the need for time-consuming hashto-point functions.
In 2017, Wang et al. [12] combined a attribute-based encryption of ciphertext strategy with ciphertext equality test, proposed ciphertext policy attribute-based encryption with equality test, and proved the security of this scheme under the standard model. Zhu et al. [13] introduced attribute-based encryption into public key encryption with equality test, and proposed a new cloud storage scheme. This scheme supports fine-grained authorization, and can detect whether ciphertexts encrypted by different public keys contains the same plaintext information. However, as far as we know, there is a lack of an efficient MPKEET scheme which supports equality test without decryption. Achieving a secure MPKEET scheme is still an open problem. In this paper we add the equality text algorithm into an existing public key encryption scheme, so that it has more extensive application in practice.

C. THE DIFFERENCE BETWEEN PKES AND PKEET
All of the schemes about PKES are usually for keyword searches, without the ability to directly compare ciphertext, and they have a single function and limited application scenarios. However, the public key encryption schemes with equality test can judge whether two ciphertexts encrypted by different users are generated by the same plaintext. Therefore, PKEET can be used for PKES, but PKES cannot be used for PKEET.

III. PRELIMINARIES
In this section, we provide some basic concepts which will be utilized in our construction. For the convenience of readers, we summarize some symbols used in our scheme in Table 1.

A. MULTIVARIATE QUADRATIC POLYNOMIAL SYSTEM
Definition 1: [26] A multivariate quadratic polynomial system is a set of nonlinear equations as follows: (1) VOLUME 8, 2020 Definition 2: (MQ Problem) [27] Given l multivariate quadratic polynomials p (1) Remark 1: The MQ problem is proven to be NP hard [27] (even if all the equations are quadratic and the field is F 2 ). That is, this processes is unidirectional, and the inverse solution is not feasible.

B. MULTIVARIATE PUBLIC KEY CRYPTOSYSTEM
A multivariate public key cryptosystem (MPKC) is a public key cryptosystem whose public key is a set of multivariate quadratic polynomials. To build a MPKC based on the MQ problem, First, a central mapQ : K n → K l is defined, and second, the central map is hidden by two invertible affine maps S : K l → K l and T : K n → K n . The public key of the scheme is the composed map Q = S •Q • T . The private key consists of the two maps S and T . Encryption only needs to substitute the plaintext m into the public key polynomial Q to evaluate the ciphertext c = Q(m). The decryption process The PMI+ encryption system is a secure variant of the MI system. By adding an internal disturbance to the central mapping equations of the MI system to defeat linearized equation attack due to the special structure of the central mapping, and then adding an external disturbance to resist differential attacks, which also increases the complexity of attacks.

1) KEY GENERATION
Let K be a finite field of order q with characteristic 2, g(x) ∈ K[x] be an irreducible polynomial of degree n (n > 0),K = K[x]/g(x) be an extension field of degree n of K. θ (θ < n) is a nonnegative integer, and satisfies gcd(q θ + 1, q n − 1) = 1. r is a small random integer. Define ϕ as k-linear mapping fromK to the vector space K n : ϕ(a 0 + a 1 x + . . . + a n−1 x n−1 ) = (a 0 , a 1 , . . . , a n−1 ). (2) • Define a polynomial map: Define a mapQ :K → K byQ(x) = x 1+q θ , and obtain the mapping on the vector space K n : • Add internal perturbation: Fix a small integer r and define a system of linear equations where z i − β i is linearly independent. Define a map Z : K n → K r by Z (x 1 , x 2 , . . . , x n ) = (z 1 , z 2 , . . . , z r ). Randomly select n quadratic polynomialsq 1 ,q 2 , . . . ,q n with z 1 , z 2 , . . . , z r , and define a mapQ : K r → K n byQ(z 1 , z 2 , . . . , z r ) = (q 1 ,q 2 , . . . ,q n ). Then the internal disturbance map is • Add external perturbation: Randomly select a quadratic polynomials q 1 , q 2 , . . . , q a on x 1 , x 2 , . . . , x n and define the external perturbation map Q + : x n )). An external perturbation is added to the mapQ, namely, Q =Q Q + , where is the connection between the two parts.

D. PUBLIC KEY ENCRYPTION WITH EQUALITY TEST
A scheme of public key encryption with equality test [2] consists of the following six algorithms: • Setup(1 k ): This algorithm takes a security parameter k as input, and outputs the system parameter pp.
• KeyGen(pp): This algorithm takes the system parameter pp as input, and outputs the receiver's public/private key pair (pk, sk).
• Enc(pk, m): This algorithm takes a receiver's public key pk and a message m as input, and outputs c as the ciphertext.
• Dec(sk, c): This algorithm takes a receiver's private key sk and a ciphertext c as input, and outputs the corresponding message m.
• Aut(sk): This algorithm takes a receiver's private key sk as input, and outputs the trapdoor td.
• Test(c A , td A , c B , td B ): Let c A and td A be A's ciphertext and trapdoor, respectively, and let c B and td B be B's ciphertext and trapdoor, respectively. This algorithm takes two (ciphertext, trapdoor) pairs (c A , td A ) and (c B , td B ) as input, and then

IV. SYSTEM MODEL
The system model of public key encryption with equality test proposed in this paper involves four entities: a trusted third party, two users Alice and Bob, and a cloud server. The trusted third party is responsible for initializing the public parameters and generating the encryption key pk A , pk B and decryption key sk A , sk B , and then sending them to the Alice and Bob through the secure channel. After Alice and Bob obtain the encryption key, dataset F A and F B which they own, are encrypted by the encryption key to form the ciphertext set CT A and CT B , and then CT A and CT B are uploaded to the cloud server. The cloud server can only perform equality tests between ciphertexts after obtaining the authorized secret key from Alice and Bob, and it returns relevant plaintext information according to the test results. The specific process is shown in Figure 1.

V. THE PROPOSED SCHEME
This section describes a multivariate public key encryption scheme with quality test. This scheme includes the following six algorithms: (1) Setup(1 k ): Let k be a security parameter, M ∈ {0, 1} n be a message space, K be a finite field of order q and characteristic 2, g(x) ∈ K[x] be an irreducible polynomial of degree n (n > 0) andK = K[x]/g(x) be an extension field of degree n of K. This algorithm takes a security parameter k as input and generates system parameters as follows: (i) Define a polynomial mapping: LetQ be a univariate mapping onK : where 0 < θ < n, and the equation gcd(q θ +1, q n −1) = 1 is satisfied. Therefore,Q is an invertible map and its inverse is given byQ where t(1 + q θ ) = 1 mod (q n − 1). Let ϕ :K → K n be a k-linear isomorphism: ϕ(a 0 + a 1 x + · · · + a n−1 x n−1 ) = (a 0 , a 1 , · · · , a n−1 ). (8) We can transform the mappingQ into a quadratic polynomial mapping Q : K n → K n by using ϕ and its inverse mapping ϕ −1 ; in brief, where q 1 , q 2 , · · · , q n ∈ K n . (ii) Define the internal perturbation mapping: Let r be a given small integer, and z 1 , . . . , z r be a set of randomly selected linear functions that depend on x 1 , x 2 , . . . , x n . In short, First, we define the mapping Z : K n → K r to be Z (x 1 , x 2 , . . . , x n ) = (z 1 (x 1 , · · · , x n ), . . . , z r (x 1 , · · · , x n )).
Finally, the internal perturbation mapping is defined as Let P be the perturbation set, which is the set of pairs (µ, λ), where µ is the preimage of mapQ, and λ is the image of µ underQ. We add internal perturbations to the polynomial map Q as follows: (iii) Define the external perturbation mapping: Randomly selecting a quadratic polynomial q + i (x 1 , . . . , x n ) ∈ K[x 1 , . . . , x n ], and define an external perturbation map Q + : K n → K a : Q + (x 1 , x 2 , . . . , x n ) = (q + 1 (x 1 , . . . , x n ), . . . , q + a (x 1 , . . . , x n )). (2) KeyGen(pp): This algorithm takes system parameters as input and outputs the public key pk and private key sk. Select randomly reversible affine transforms S, S and T , T in fields K n and K n+a , respectively. To define two maps from domain K n to K n+a : Taken together, the public key and private key are (pk, sk) = ((Q 1 , Q 2 ), (θ, S, T ,Q, Z , Q + , S , T )) (20) • Use P 1 and P 2 to construct a straight line g 1 (x) = ax+b; • Randomly select x 1 , x 2 ∈ {0, 1} p , to generate two points (x 1 , y 1 ), (x 2 , y 2 ) on the line g 1 (x), where Randomly select reversible affine transforms S, S and T , T in fileds K n and K n+a , respectively, and compute and then output the ciphertext c = (C 1 , C 2 ).
Step 3: Calculate the inverse mapping ofQ. For each µ, there is a value of λ that satisfiesQ(µ) = λ. After removing the internal perturbation, solve the inverse of Q . Note that, for the inverse of Q , it can be found by the inverse ofQ. Specifically, for each (λ, µ) ∈ P, compute (y λ 1 , . . . , y λ n ) =Q −1 ((y 1 , y 2 , . . . , y n and check ifμ is the same as the corresponding µ. If it is not, discard it, if it is, go to the next step.
• Use P 1 and P 2 to construct a straight line g 2 (x) = cx+d; • Verify the following equations    g 2 (x 1 ) = y 1 , If each equation of Eq.(32) holds, then output the message m, otherwise, output ⊥. Suppose there are two users Alice and Bob in the system. User Alice inputs an authorized private key subsk A and receives as output the trapdoor td A = (S A , T A ). User Bob inputs an authorized private key subsk A and receives as output the trapdoor td B = (S B , T B ). (6) Test(c A , td A , c B , td B ): This algorithm takes trapdoors (td A , td B ) and ciphertexts (c A , c B ) as input, and outputs 1 or 0. The test process is as follows: and decrypt c B to obtain • Construct the straight line g A (x) by using (x A 1 , y A 1 ) and (x A 2 , y A 2 ). Construct the straight line g B (x) by using (x B 1 , y B 1 ) and (x B 2 , y B 2 ).

VI. PERFORMANCE ANALYSIS
In this section, we analyze the performance and space cost of our scheme. In this algorithm, the base field is GF (2), so that the coefficients of the polynomials will be expressed by 1 bit.

1) PUBLIC KEY SIZE
The public key contains 2(n + a) quadratic polynomials, and each polynomial has n(n+1) 2 quadratic terms, n linear terms and one constant term. The key size is approximately O(n 3 ) bit. Typically, in our experiment, we select the parameters (q, n, r, a, θ) = (2, 84, 6, 14, 4), so the public key size is approximately 716380 bits.

2) PRIVATE KEY SIZE
The main parts of the private key are: the four linear transformations S, T , S and T and their inverses, which need 2n 2 + 2(n + a) 2 bits; the r linear function z i , which is of size r(n + 1) bits; the n quadratic polynomials with r variables, which need roughly nr(r + 1) bits; and the a quadratic polynomials with n variables, which need roughly an(n + 1) bits; The total is O(n 2 ) bits. According to the same parameters as the public key, the private key size is approximately 87437 bits.

3) ENCRYPTION COMPUTATIONAL COMPLEXITY
For encryption, we need to compute the value of 2(n + a) quadratic polynomials. We can rewrite the quadratic polynomials in the following form: which allows us to compute the value of 2(n + a) polynomials faster than direct calculation. Therefore, we need roughly n(n + 3) binary operations to compute the value of each polynomial. That is, 2n(n + a)(n + 3) binary operations are needed to encrypt a message, and it takes approximately 100ms to complete the Encryption.

4) DECRYPTION COMPUTATIONAL COMPLEXITY
The main part of the decryption process is step 3, where we need to calculatethe values ofQ −1 and the values of z i 2 r times and compare them with the second components of the corresponding elements in P, this requires approximately 2 r [4nr + 3n − 1] binary operations and 2 r modular exponentiations in finite filed GF (2 84 ) . The performing L −1 in the first step and S −1 in the last step require approximately O(n 2 ) binary calculations. It takes approximately 4.68 seconds to complete the Decryption.

5) EQUALITY TEST COMPUTATIONAL COMPLEXITY
For the equality test, the tester first uses the trapdoor to decrypt part of the ciphertext. Second, constructing two straight lines requires 12 addition operations and 6 multiplication operations, and comparing the two lines requires only one addition and one multiplication operation. Therefore, the equality test algorithm needs 20 binary operations in addition to one decryption algorithm, and it takes approximately 4.70 seconds to complete the Equality test. In summary, the Table 2 provides a clear description of the performance of our scheme. Moreover, in order to demonstrate the advantage of our MPKEET scheme, we compare it with some existing PKEET schemes ([4]- [6], [10], [11]) in Table 3, in terms of public key size, private key size, encryption time, decryption time, equality test time and the ability to resist quantum attacks. These experiments are performed on PC with Intel i5-4460 CPU @3.2 GHz and 4GB memory running Windows 7 64 bits system. Since our hardware environment and the security level is the same as Wang et al., we directly exploit the time cost of exponential and pairing operations given by Wang et al. [12], and estimate the time costs of algorithms of these schemes. In particular, the software used in ( [4]- [6], [10], [11]) is VC++ 6.0, while our scheme use mathematical software Magma V2.12-16. If we convert it into VC++6.0, the performance of our scheme will be improved significantly.
As shown in Table 3, we compared efficiency, storage costs and security of our scheme with other existing schemes. phases of our scheme decrease by 16.7% as compared to that of the above scheme. The computation costs in the Decryption phase of our scheme are decrease by 10.7% and 13.97% as compared to that of Ma et al.'s scheme [5] and Ma's scheme [10], respectively. In practice, the server only matches the same ciphertext without decryption. Therefore, our scheme achieves a better computation performance.
• Security: Except our scheme, other schemes can't resist the attack of quantum computer.

VII. SECURITY ANALYSIS
The proposed MPKEET scheme of this paper adds an equality test algorithm to the traditional PMI+ scheme. Our core idea is to construct two points by using four one-way hash values of the message, and to then determine a straight line from these two points. In the following process of encryption and decryption, we use the random selection of these two points to complete the design of the scheme. Therefore, when the attacker has trapdoor information, he can decrypt the randomly selected coordinates of two points, but due to the randomness of these two coordinates, he still cannot recover the message. In a case without a trapdoor, our scheme and the PMI+ system have the same security. The security analysis of PMI+ multivariate systems can be divided into two categories: structural attacks and direct attacks. Structural attacks aim at the special structural characteristics of multivariate systems, and they mainly include linearized equation attack and differential attacks. Direct attacks start with public key polynomials of multivariate systems. The Gröbner basis algorithm and XL algorithm are commonly used as attack methods. It is generally believed that as long as the complexity of the attack scheme exceeds O(2 80 ), a scheme can resist such attacks. At present, the main method of multivariate cryptanalysis is experimental statistics. Aiming at the existing attack algorithms, attempt to experimentally determine the running time and memory requirements for a attack on PMI, and find the appropriate parameters through the experimental data.

A. RESISTING LINEARIZATION EQUATION ATTACKS
Linearization equation attacks were first proposed to attack the MI system. The idea is to obtain the following linear equation where X = {x 1 , x 2 , . . . , x n } and Y = {y 1 , y 2 , . . . , y m } are input vector and output vector of the public key. The attacker generates enough plaintext-ciphertext pairs (X , Y ) through the public-key equations, and substituted them into the equation (36), and solved all its coefficients by using the Gaussian elimination method or its improved algorithm, so as to obtain the equivalent linear relation to achieve the purpose of cracking and decrypting the encryption scheme. In this paper, we randomly selected (n + a + 1) 2 plaintext-ciphertext pairs and substituted them into equation (36) to solve the linear system of equations with coefficients. It was found that there was only a zero solution. That is to say, the public key system did not contain a linear equation with the form of (36), so it could resist the attack of linear equation.

B. RESISTING DIFFERENTIAL ATTACKS
Differential attacks were introduced by Fouque et al. [28] to analyzed PMI encryption system. The main ideas of the attack is to find a linear subspace of the plaintext space by calculating the differential of the central map, and limiting the public key to this space, so that all the internal disturbance terms become constant, and to then use the linearization attack method to recover the plaintext of the ciphertext. An effective way to resist the differential attack is to disturb the polynomial system by adding randomly a small amount of Plus polynomials according to the Plus method [29], so that the dimension of the kernel of the differential of the central map Q is the same for nearly every vector in K n . As pointed out in [16], if gcd(θ, n) = 1, then at least 10 Plus polynomials be added to resist differential attack. Otherwise, gcd(θ, n) + 10 Plus polynomials be added to protect PMI+.

C. RESISTING GRÖBNER BASIS ATTACKS
The Gröbner basis is a classical algorithm for solving systems of multivariate polynomial equations, but it usually does not change whether the number of equations exceeds the number of variables. A rough estimate is given in reference [30], current computing equipment can only solve equations with no more than 15 variables in the finite field GF(2 8 ), and the complexity is about O(2 80 ) when the number of variables reaches 20. At present, the fastest of such algorithms known are the F4 [31] and F5 [30] algorithms. According to [32], the attack complexity of F5 algorithm is about 2 0.873n . Therefore, with the parameters n ≥ 92, our scheme is secure against attacks using the Gröbner basis.

D. RESISTING XL ATTACKS
The XL attack can be viewed as a combination of bounded degree Gröbner basis and linearization. The basic idea of this method is to generate a large number of higher order variants by multiplying each polynomial equation with all possible bounded order monomials, and generate a large number of higher order variants, and then linearize the expanded system. According to [33], the attack complexity of XL algorithm is about ( n √ n √ n! ) ω . When using the general elimination method ω = 3, and when using the improved algorithm ω = 2.3766, Therefore, Our scheme has an attack complexity greater than 2 94 .
Through the above analysis, it is concluded that the security of our scheme has the attack complexity 2 80 , with all the known attack methods of multivariate public key cryptography.

VIII. CONCLUSION
In this paper, we first formalized the definition of multivariate public key encryption scheme with an equality test, which can be used for the outsourced computation of encrypted data. In contrast to the formulation in [1], our scheme allows users to specify who can perform the equality test between ciphertexts, this construction meets theoretical and practical security requirements. Moreover, we analyzed the algorithmic complexity of our scheme and showed that our scheme can resist linearization equation attacks, differential attacks, XL attack and Gröbner basis attacks, when appropriate parameters are selected. Compared to previous schemes with equality test, their securities depend on discrete logarithm problem, which can be solved in polynomial time by efficient shor's quantum algorithms [14]. Therefore, these public key cryptography algorithms are no longer secure in the era of quantum computing, the scheme proposed in this paper overcomes this shortcoming, and can resist the attack of quantum algorithm.