“…Amongst the core security properties of PASE, there is a need to guarantee that only the legitimate user, who knows the password, can outsource, search and retrieve data. Hence, basing security of searchable encryption schemes on passwords introduces the need for a distributed server environment where trust is spread across at least two non-colluding servers, as is also the case in many password-based protocols for authentication and secret sharing, e.g., [4, 12, 13, 14, 26, 27, 28, 30, 31, 40]. The use of two servers provides the most practical scenario and the minimum requirement to achieve protection against offline dictionary attacks, while a more general secret sharing architecture with t-out-of-n servers would be applicable as well.…”