Abstract: PEKS (public key encryption with keyword search) enables users to search over encrypted data stored in the untrusted cloud server, which is of great significance for data privacy protection and is of increasing interest for this reason. PAEKS (public key authenticated encryption with keyword search) requires that a data sender not only uses the receiver’s public key to encrypt the keyword, but also uses his own private key to authenticate the keyword. PAEKS ensures that the adversaries cannot construct a keyword ciphertext, thus resisting the keyword guessing attacks (KGAs) that PEKS is facing. In this paper, we propose a scheme for public key authenticated encryption with keyword search based on SGX (software guard extensions), which supporting searching on encrypted data by creating a trusted zone and running a keyword comparison enclave program in the cloud server. The formal security proof of the scheme is provided and shows that the scheme satisfies the ciphertext indistinguishability and trapdoor indistinguishability, that is, the scheme can resist keyword guessing attacks. Further, the search pattern privacy (SP-Privacy) is defined, which ensures that adversaries cannot judge whether two searches are the same keyword only through the trapdoors, so as to avoid revealing some privacy to external adversaries. In addition, the scheme can be easily extended to support complicated search functionalities and enhance privacy protection, e.g. forward security. As examples, brief descriptions about how to extend the scheme to support multi-keyword search, search capability sharing, as well as forward security are given. Experiments in real scenario show the better efficiency of the scheme compared with some other typical schemes.