Multiple time servers timed-release encryption based on Shamir secret sharing for EHR cloud system

Electronic health record (EHR) cloud system, as a primary tool driving the informatization of medical data, have positively impacted both doctors and patients by providing accurate and complete patient information. However, ensuring the security of EHR cloud system remains a critical issue. Some patients require regular remote medical services, and controlling access to medical data involving patient privacy during specific times is essential. Timed-release encryption (TRE) technology enables the sender to preset a future time T at which the data can be decrypted and accessed. It is a cryptographic primitive with time-dependent properties. Currently, mainstream TRE schemes are based on non-interactive single time server methods. However, if the single time server is attacked or corrupted, it is easy to directly threaten the security applications of TRE. Although some research schemes “distribute” the single time server into multiple ones, they still cannot resist the single point of failure problem. To address this issue, we propose a multiple time servers TRE scheme based on Shamir secret sharing and another variant derived from it. In our proposed schemes, the data receiver does not need to interact with the time servers; instead, they only need to obtain the time trapdoors that exceed or equal the preset threshold value for decryption, which ensures the identity privacy of the data sender and tolerates partial downtime or other failures of some time servers, significantly improving TRE reliability. Security analysis indicates that our proposed schemes demonstrate data confidentiality, verifiability, anti-advance decryption, and robust decryption with multiple time trapdoors, making them more practical. Efficiency analysis indicates that although our schemes have slightly higher computational costs than most efficient existing TRE schemes, such differences are insignificant from a practical application perspective.

With the advent of the information age, healthcare institutions are rapidly evolving towards informatization, giving rise to electronic health record (EHR) cloud system [1]. EHR cloud system significantly enhances productivity in resource sharing, providing robust support for healthcare professionals. Including comprehensive patient information, EHR cloud system enables medical teams to have a more holistic understanding of patients’ medical history, facilitating in-depth assessments and faster diagnoses. By digitizing and centrally managing patient medical information, healthcare personnel can easily access necessary data to support decision-making and the execution of medical plans [2, 3].

Cloud computing, a computing paradigm based on the internet, plays a crucial role in healthcare data management by providing secure and reliable solutions for storing and processing large-scale medical data [4,5,6]. Cloud computing facilitates rapid access, sharing, and analysis of medical data, offering comprehensive support for healthcare decision-making. Additionally, the elastic and automated features of cloud computing enable healthcare institutions to adjust resources according to needs, improving data management efficiency and fostering innovation in medical research and patient care.

Despite the flexibility and efficiency brought by cloud computing to healthcare data management, security remains a critical concern. Particularly in the handling of patient privacy data, cloud storage, and access services may pose risks of data leakage, leading to the unauthorized disclosure of sensitive patient information [5]. For example, in the case of patients with chronic diseases like diabetes, who regularly upload data through remote monitoring devices, there is a potential for unauthorized data access if this physiological data is stored on a EHR cloud system. In such scenarios, a cryptographic technology that can control the decryption time becomes a key technology to ensure patient privacy. Timed-release encryption (TRE) allows users to preset decryption time, and access is only permitted after the decryption time, effectively preventing unauthorized privacy infringements. For instance, a medical cloud system could use a multiple time servers scheme to encrypt the physiological data of each patient and set a specific decryption time. At the designated weekly decryption time, doctors can decrypt and analyze the patient’s physiological data for regular remote assessments. This periodic assessment helps doctors better understand the patient’s health condition. Such a security measure not only provides more reliable privacy protection for patients but also ensures the security of sensitive medical data on the EHR cloud system.

The setting of specific decryption time is not just for security; it is based on a series of reasonable considerations. Firstly, it helps prevent patients from excessive anxiety, as they know that doctors will only review the data in the specific time, allowing them to focus on daily life during this period and alleviate unnecessary worries. Secondly, this method encourages patients to actively participate in their health management, showcasing better physiological data. Moreover, it avoids premature intervention in medical decisions, ensuring that doctors make accurate medical decisions with sufficiently stable data. Lastly, this security measure simultaneously upholds patient privacy rights by limiting access to data, reducing the risk of data misuse or improper use, and providing more reliable privacy protection for patients. This periodic assessment not only helps doctors better understand the patient’s health condition but also ensures the security of sensitive medical data on the EHR cloud system while safeguarding patient privacy.

Therefore, TRE with specific decryption times is crucial in medical practice, not only ensuring security but also promoting the patient recovery process, becoming an important and meaningful component of medical data management. This paper aims to propose a multiple time servers TRE scheme based on Shamir secret sharing for EHR cloud system. The data receiver only needs to obtain time trapdoors published by time servers exceeding or equal to the threshold value. This ensures that the decryption process can be completed even in the event of time server failures or other faults, enhancing the system’s fault tolerance and the reliability of data decryption.

TRE [7, 8] is a cryptographic primitive that can control the decryption time. Its core idea is to introduce the time factor into the general encryption scheme so that the receiver can only decrypt the ciphertext at a specified time in the future. TRE is suitable for solving many time-dependent real-world and virtual applications, such as sealed bidding, timed release of electronic documents, and electronic voting blockchain applications [9], etc.

The TRE technology was first proposed in May [7]. In 1996, Rivest et al. [10] proposed two foundational TRE construction schemes: one based on time-lock puzzles (TLP) that relies on the factorization problem and another involving sender-proxy interactions for time and message release. These laid the theoretical foundation for sustained research in the field of TRE. Currently, TRE construction schemes include TLP methods [11,12,13,14,15,16], proxy methods [17,18,19,20,21,22], and other methods [23,24,25,26,27,28,29]. In the TLP-based TRE schemes, the decryption key is hidden in a mathematical formula. After the sender sends the ciphertext, the receiver needs to perform a large number of calculations. Among the TRE schemes based on other methods (network methods, quantum methods), for example, Unruh et al. [27] achieved revocable TRE based on quantum cryptography without trusted parties. Li et al. [26] explored a timed-release data scheme based on the blockchain network’s smart contracts, recruiting several network nodes as middlemen (each middleman needs to pay a deposit) to send decryption keys to receivers at specified decryption time T. Chae et al. [28] proposed a timed-release blockchain scheme that combines blockchain PoW algorithms with TLP algorithms. Compared with schemes proposed by Liu et al. [25] and Malavolta et al. [29], it employs standard encryption without requiring additional computational work, and its feasibility has been evaluated in an electronic voting application system.

Currently, most TRE schemes are constructed based on the time server approach. Depending on whether the receiver needs to interact with the time server, they can be divided into interactive and non-interactive time server modes. The former requires users to interact with the time server, which cannot guarantee user anonymity and may easily lead to denial-of-service attacks causing system paralysis, thus limiting the scalability of the scheme. In contrast, in TRE schemes constructed using the latter approach, the time server does not need to interact with users and may even be unaware of their existence. It only needs to calculate and broadcast a short signature-formatted time trapdoor at a specified time, ensuring the anonymity of user information and better scalability. Researchers have attempted to construct multiple time servers TRE schemes to prevent single-point attacks or corruption by attackers to reduce the risk of attackers breaking the entire TRE model. In 2021, Yuan et al. [30] proposed a non-interactive multiple time servers TRE scheme (MTSTRE scheme), which is the most efficient multiple time servers scheme. However, if one of the time servers fails, the data receiver will fail to decrypt the data normally at the specified time T. Therefore, this scheme has some defects in practicability.

Secret sharing techniques [31,32,33,34] can split a secret into multiple secret shares, allowing partial secret shares to reconstruct the complete secret. By appropriately utilizing this technology, this paper integrates the Shamir secret sharing technique into the MTSTRE scheme and designs a non-interactive TRE model for multiple time servers based on secret sharing (SS-MSTRE). This model allows for partial time trapdoor failure while still enabling data receivers to decrypt promptly, thus improving practicality.

Our contributions

We address the issue of the single point of failure problem in plain multiple time servers TRE schemes and propose a more practical SS-MSTRE scheme. Our main contributions are as follows:

• We migrate the Shamir secret sharing technique from prime fields to elliptic curve groups, enabling its use in cryptographic scheme constructions based on bilinear pairing-related hard problems.

• We integrate Shamir secret sharing over elliptic curve groups into the construction of multiple time servers TRE cryptographic schemes, designing a more practical SS-MSTRE model and constructing a provably secure concrete scheme and its variants. When the specified decryption time arrives, even if some time trapdoors fail, the data receiver can still decrypt the ciphertext on time using time trapdoors exceeding or equal to the threshold. In addition, it increases the cost of attacking or bribing the time server to decrypt the data received by the receiver or attacker in advance.

• We employ identity-based encryption (IBE) technology to encrypt key shares to ensure secure and highly efficient distribution and transmission of key shares.

• In real-world scenarios, there may be situations where the time server management organization is not trusted. If the private key of the time server management organization is compromised, it could lead to obtaining the master time trapdoor, allowing for premature decryption of ciphertexts. Therefore, the key shares provided directly by the time server management organization cannot be used as the time server’s private key. So, we further propose the SS-MSTRE\({_2}\) scheme. In the SS-MSTRE\({_2}\) scheme, the time server’s private key is jointly generated by the time server management organization and a random number, thus enhancing the security of the scheme.

In this section, we present the key notations involved in our schemes and briefly review the basic content of bilinear pairing, bilinear Diffie-Hellman (BDH) assumption, Shamir secret sharing algorithm, and the identity-based encryption scheme.

Key notations

For the convenience of understanding, we have given the key notations used in our schemes in Table 1.

Bilinear pairing

We give a form of bilinear pair and its properties, as follows.

Definition 1

Suppose \(G_{1}\) is an elliptic curve discrete logarithmic problem(ECDLP) additive group over a finite field, \(G_{2}\) is a discrete logarithmic problem(DLP) multiplicative group over a finite field, and the order of \(G_{1}\) and \(G_{2}\) is a prime number q. Using the bilinear pairing technique, the ECDLP additive group over a finite field can be reduced to the DLP multiplicative group over a finite field. The bilinear map is \(e: G_{1}\times G_{1}\longrightarrow G_{2}\), satisfying the following properties:

1. (1)

   Bilinear. For any \(P, Q, R\in G_{1}\), there are

   $$\begin{aligned} e(P+Q,R){} & {} = e(P,R)e(Q,R)\nonumber \\ e(P,Q+R){} & {} = e(P,Q)e(P,R) \end{aligned}$$

   (1)
2. (2)

   Nondegeneracy. If g is a generator of \(G_{1}\), then e(g, g) is a generator of \(G_{2}\).

3. (3)

   Computability. For any \(P, Q\in G_{1}\), there is an effective algorithm to calculate e(P, Q).

From the above properties, we can further deduce the property that the coefficients of bilinear pair elements can move freely, that is, \(e(aP, bQ)=e(abP, Q)=e(p, abQ)=e(bP, aQ)=e(P, Q)^{ab}\). Admissible bilinear pairings can be constructed via the Weil and Tate pairings [35, 36].

BDH assumption

The bilinear Diffie-Hellman (BDH) assumption plays a crucial role in the design of TRE schemes.

Definition 2

Given \({P,aP,bP,cP \in {G_1}}\), where \({a,b,c\in \mathbb {Z}_p^*}\) are unknown, the goal is to calculate \(e(P,P)^{abc}\), where e is a bilinear mapping and P is a generator of \(G_1\) as defined in Definition 1.

If \(\text {Pr}[\mathcal {A}(P,aP,bP,cP)=e(P,P)^{abc}] \ge \mathcal {\varepsilon }\), then the advantage of the adversary \(\mathcal {A}\) to overcome the BDH assumption is \(\mathcal {\varepsilon }\), and \(\mathcal {\varepsilon }\) is negligible.

Shamir secret sharing

Our schemes use the Shamir secret sharing algorithm to deal with the failure of partial time trapdoors when the specified decryption time comes. In the following, we give the basic flow of Shamir secret sharing algorithm and the definition of its access structure.

1. (1)

   \({Protocol\ initialization\ algorithm}\). The distributor of confidential information randomly selects n different non-zero elements \(x_{1}, x_{2}, x_{3}, ..., x_{n}\) from the finite field GF(p) as the unique identification numbers corresponding to n participants \(P_{i}\) \(({i}=1,2,...,n)\), p is prime and \(p\gg n\).

2. (2)

   \({Secret\ distribution\ algorithm}\). The distributor selects the secrets to be distributed, randomly selects \((t-1)\) elements \(a_{1},a_{2},...,a_{t-1}\) from the finite field GF(p), and constructs the secret sharing polynomial \(f(x) = \left(s+\sum \limits ^{t-1} \limits _{{i}=1} a_{{i}}x^{{i}}\right)\ \text {mod}\ p\), calculates \(s_{{i}}=f(x_{{i}})\) and sends it to the corresponding participant \(p_{{i}}\)(\({i}=1,2,...,n\)) as a secret share.

3. (3)

   \({Secret\ reconstruction\ algorithm}\). If any t of n participants shows their secret shares \((x_{1}, s_{1}),(x_{2}, s_{2}),\cdots ,(x_{t}, s_{t})\), the Lagrange interpolation polynomial can be reconstructed as follows:

   $$\begin{aligned} L(x){} & {} =s_{1}\frac{(x-x_{2})(x-x_{3})\cdots (x-x_{t})}{(x_{1}-x_{2})(x_{1}-x_{3})\cdots (x_{1}-x_{t})}+s_{2}\frac{(x-x_{1})(x-x_{3})\cdots (x-x_{t})}{(x_{2}-x_{1})(x_{2}-x_{3})\cdots (x_{2}-x_{t})}+\cdots \nonumber \\{} & {} \quad +s_{t}\frac{(x-x_{1})(x-x_{2})\cdots (x-x_{t-1})}{(x_{t}-x_{1})(x_{t}-x_{2})\cdots (x_{t}-x_{t-1})} =\sum \limits _{{i}=1}^{t} s_{{i}} \delta _i(x) \ \text {mod} \ p \end{aligned}$$

   (2)

   where

   $$\begin{aligned} \delta _i(x) = \prod\limits_{{\begin{array}{c} {1\le j\le t}\\ j \ne i \end{array}}} \frac{x-x_{j}}{x_{i}-x_{j}} \end{aligned}$$

   (3)

   and the secret \(s=L(0)\) can be calculated.

Definition 3

Access structure. Suppose the set of n participants is \(P=\left\{ p_{{i}}|{i}=1,2,...,n\right\}\) and \(\Gamma\) is an access structure on set P, where \(\Gamma \subseteq 2^{|p|}\), \(2^{|p|}\) represents all sets of non-empty subsets on set P, satisfying the following properties.

• ① If \(A\in \Gamma\), \(A\subseteq B \subseteq \Gamma\), then \(B\in \Gamma\).

• ② Participants in set \(\Gamma\) can reconstruct the secret.

Identity-based encryption

We use identity-based encryption (IBE) technology to ensure the security of key shares during transmission between different devices and to provide verifiable attributes for these key shares. Compared to other encryption methods, IBE significantly simplifies key management operations. Its advantages include the elimination of the need to associate public keys with extensive public key infrastructure (PKI), no requirement for digital certificates, no reliance on online certificate authority (CA), reduced key lengths, and enhanced security.

Definition 4

\(\xi _{IBE}\)={IBE.Setup, IBE.Extract, IBE.Encrypt, IBE.Decrypt}. The IBE.Encrypt algorithm and the IBE. The decrypt algorithm satisfies the consistency constraint. Namely, given any plaintext M, ciphertext C can be obtained by IBE.Encrypt algorithm, and we can also decrypt and recover plaintext M by IBE.Decrypt algorithm.

\({IBE.Setup}(1^{k})\). Given a security parameter \(1^{k}\), this algorithm outputs public parameters PP and the master secret key mk.

IBE.Extract (PP, mk, ID). Given a unique identifier \(ID\in \left\{ 0,1\right\} ^{*}\) that can distinguish user identity information, the master key mk, and the public parameters PP, this algorithm outputs the corresponding private key \(d_{ID}\).

IBE.Encrypt (PP, ID, M). Given plaintext M, public parameters PP, and an identifier ID that can distinguish user identity information, this algorithm outputs the corresponding ciphertext C.

\({IBE.Decrypt}(PP,C,d_{ID})\). Given ciphertext C, public parameters PP, and the user’s private key \(d_{ID}\), this algorithm outputs the corresponding plaintext M.

System model

The design goal of the proposed schemes is that the receiver can decrypt the ciphertext C normally at the decryption time specified by the sender. In this section, we introduce a common time server management organization to the system and further present our TRE system model based on Shamir secret sharing, as shown in Fig. 1. The system consists of five entities: the time server management organization, N time servers, the private key generator, the data sender, and the data receiver.

SS-MSTRE system

Full size image

Time server management organization. The time server management organization is a fully trusted entity in the SS-MSTRE\(_{1}\) scheme, while it is a semi-trusted entity in the SS-MSTRE\(_{2}\) scheme. It is responsible for generating system parameters to initialize the system and using the Shamir secret sharing algorithm to generate key shares of N time servers. Simultaneously, utilizing the IBE.Encrypt algorithm defined in Definition 4, sends the key shares to the corresponding time servers as their respective private keys.

\(\varvec{N}\) time servers. N time servers are semi-trusted entities responsible for providing an accurate time reference to the data receiver. In the proposed schemes, there is no need for interaction between N time servers and the data receiver, and they are responsible for broadcasting time trapdoors at a fixed frequency, such as every five minutes.

Private key generator. The private key generator is trusted for all N time servers. It is responsible for correctly executing each calculational task for every time server, including using the IBE.Extract the algorithm defined in Definition 4 to generate temporary public-private key pairs for N time servers. These temporary keys are used for data transmission between the time servers and the time server management organization.

Data sender. The data sender is a user who wishes the encrypted data to be decrypted at a specified time and is responsible for specifying the decryption time T, encrypting the plaintext M, and sending the ciphertext (C, T) to the data receiver.

Data receiver. The data receiver is a user who can only decrypt C at a specified time T by the data sender. To complete decryption, they must select at least t valid time trapdoors from multiple servers’ published time trapdoors.

Security model

In this paper, we make the following assumptions:

1. (1)

   The private key generator is entirely trustworthy and can accurately perform computational tasks for each time server.

2. (2)

   The system has sufficient time servers operating normally to ensure that decryption can proceed normally.

3. (3)

   N time servers are honest but curious, meaning that they will follow the rules for providing services. However, they may save the input and output results to infer information related to decrypting the ciphertext sent by the sender.

The proposed schemes possess data confidentiality, verifiability, anti-advance decryption, and robust decryption with multiple time trapdoors. We will provide a detailed analysis in Security analysis section.

1. (1)

   Data confidentiality. It should be ensured that attackers cannot illegally analyze the key information required for decrypting the ciphertext before the specified decryption time T.

2. (2)

   Verifiability. It should use some algorithms or methods to verify the validity and correctness of intermediate data to detect any tampering with the intermediate data.

3. (3)

   Anti-advance decryption. It should prevent dishonest receivers from decrypting EHR before the specified decryption time.

4. (4)

   Robust decryption with multiple time trapdoors. It should be ensured that even if some time servers fail or are attacked, the data receiver can still use other sufficient time trapdoors for decryption.

Definition 5

Our non-interactive SS-MSTRE system includes five entities: the time server management organization, N time servers, the private key generator PKG, the data sender, the data receiver, and algorithm 10-tuple \(\mathcal {E}_{\mathrm {SS-MSTRE}}=\{TSMO\_Setup, PKG\_ Setup, TempKey\_Extract,KeySharing, TS\_ KeyGen, User\_ KeyGen, Enc, TS\_ Rel, US\_ Rel, Dec\}\).

\({TSMO\_Setup(k).}\) It is a probabilistic initialization algorithm. Given a security parameter k, this algorithm outputs the private key sk of the time server management organization and the system parameters \({params}_\text {tsmo}\).

\({PKG\_Setup(\lambda ).}\) Given a security parameter \(\lambda\), this algorithm outputs the master secret key MSK, the public key MPK, and the system parameters \({params}_\text {pkg}\) of the private key generator.

\({TempKey\_Extract(IDs,{params}_\text {pkg},MSK).}\) Given a set of identity identifiers for N time servers IDs, the private key generator’s system parameters \({params}_\text {pkg}\), and the private key generator’s secret key MSK, this algorithm outputs a temporary public-private key pairs set temp for N time servers.

\({KeySharing(sk, temp, MPK,params_{\text {pkg}}).}\) Given the public key sk of the time server management organization, a temporary public-private key pairs set temp of N time servers, the public key MPK of the private key generator, and the system parameters \({params}_{\text {pkg}}\), this algorithm outputs N key share ciphertexts \(\{C_1,C_2,\ldots ,C_N\}\).

\({TS\_KeyGen \left(C_{i},{temp}_{priv}^{(i)},params_{\text {pkg}},params_{\text {tsmo}}\right).}\) Given the key share ciphertext \(C_{i}\) corresponding to the time server \({TS}_i\), the temporary private key \({temp}_{priv}^{(i)}\) of the time server \({TS}_i\), the private key generator’s system parameters \({ params}_{\text {pkg}}\), and system parameters \({ params}_{\text {tsmo}}\), this algorithm outputs the public key \({ts}_{pub}^{(i)}\) and private key \({ts}_{priv}^{(i)}\) of the time server \({TS}_i\).

\({User\_KeyGen({params}_{\text {tsmo}}).}\) This is a probabilistic algorithm for key generation. Given the system parameters \({params}_{\text {tsmo}}\), this algorithm outputs the data receiver’s private key usk and public key upk.

\({Enc\left(M,upk,{ts_{pub}^{(i)}}({i=1,2,...,N}),T,{params}_{\text {tsmo}}\right)}\). This is a probabilistic encryption algorithm. Given an EHR record M, receiver’s public key upk, time servers’ public key \(ts_{pub}^{(i)}({i=1,2,...,N})\), decryption time T specified by the data sender, and system parameters \({params}_\text {tsmo}\), this algorithm outputs the ciphertext C.

\({TS\_Rel\left({ts}_{priv}^{(i)},t_{instance},{params}_{\text {tsmo}}\right).}\) This is a probabilistic algorithm for generating time trapdoors. Given the time server \({TS}_{i}\)’s private key \({ts}_{priv}^{(i)}\), time instance \(t_{instance}\), and system parameters \({params}_\text {tsmo}\), this algorithm outputs the corresponding time trapdoor \(S_T^{(i)}\).

\({US\_Rel(usk,T, {params}_\text {tsmo}).}\) This is a probabilistic algorithm for generating the user’s time trapdoor. Given the data receiver’s private key usk, specified decryption time T, and system parameters \({params}_\text {tsmo}\), this algorithm outputs the time trapdoor \(U_{T}\) of the data receiver.

\({Dec(C,STs,Xs,T,U_T,{params}_\text {{tsmo}}).}\) This is a deterministic algorithm for joint decryption. Given the ciphertext C, the set of effective time trapdoors STs chosen by the data receiver, the set of identification numbers Xs corresponding to time servers, specified decryption time T, the data receiver’s time trapdoor \(U_{T}\), and system parameters \({params}_\text {tsmo}\), this algorithm outputs the plaintext M or \(\perp\).

This section constructs two concrete SS-MSTRE schemes based on whether the time server management organization is trusted: \(\text {SS-MSTRE}_{1}\) and \(\text {SS-MSTRE}_{2}\). In \(\text {SS-MSTRE}_{1}\), we assume that the time server management organization is trusted. In \(\text {SS-MSTRE}_{2}\), we assume that the time server management organization is semi-trusted.

Construction of \(\text {SS-MSTRE}_{1}\)

Our non-interactive \(\text {SS-MSTRE}_{1}\) works as follows:

1. (1)

   \(({params}_\text {tsmo},sk)\leftarrow TSMO\_Setup(k)\). The time server management organization runs the \(TSMO\_Setup\) algorithm to generate the system initialization parameters. The time server management organization selects the security parameter k and performs the following operations:

   • ① Selects a prime order p, \(G_{1}\) and \(G_{2}\) are a p-order ECDLP additive group and DLP multiplicative group respectively.

   • ② Selects a random generator \(P\in G_{1}\).

   • ③ Selects a bilinear mapping \(e:G_{1}\times G_{1}\rightarrow G_{2}\) satisfies Definition 1.

   • ④ Select two secure hash functions: \(H_{1}\):\(\left\{ 0,1\right\} ^{*}\rightarrow G_{1}\) and \(H_{2}\):\(G_{2}\rightarrow \left\{ 0,1\right\} ^{n}\), where n represents the length of the message.

   • ⑤ Selects a random number \(s\in \mathbbm {Z}_{p}^{*}\) as its private key \(sk=s\in \mathbbm {Z}_{p}^{*}\) .

   • ⑥ Defines a threshold value t.

   • ⑦ Outputs the system parameters \(params_\text {tsmo}\)= \(\{p,P,G_{1},G_{2},e,H_{1},H_{2},n,t\}\) and the private key sk.

2. (2)

   \(({params}_{\text {pkg}},MPK,MSK)\leftarrow\) \(PKG\_Setup(\lambda ).\) The private key generator runs the \(PKG\_Setup\) algorithm to generate its initialization parameters. The private key generator selects the security parameter \(\lambda\) and performs the following operations:

   • ① Selects a prime order \(\mathtt {\mathbbm {p}}\), \(\mathtt {\mathbbm {G}}_{1}\) and \(\mathtt {\mathbbm {G}}_{2}\) are a \(\mathtt {\mathbbm {p}}\)-order ECDLP additive group and DLP multiplicative group respectively.

   • ② Selects a random generator \(\mathtt {\mathbbm {P}}\in \mathtt {\mathbbm {G}}_{1}\).

   • ③ Selects a bilinear mapping \(\mathtt {\mathbbm {e}}:\mathtt {\mathbbm {G}}_{1}\times \mathtt {\mathbbm {G}}_{1}\rightarrow \mathtt {\mathbbm {G}}_{2}\) satisfies Definition 1.

   • ④ Selects four secure hash functions: \(\mathtt {\mathbbm {H}}_{1}\):\(\left\{ 0,1\right\} ^{*}\rightarrow \mathtt {\mathbbm {G}}_{1}\), \(\mathtt {\mathbbm {H}}_{2}\):\(\mathtt {\mathbbm {G}}_{2}\rightarrow \left\{ 0,1\right\} ^{n}\), \(\mathtt {\mathbbm {H}}_{3}\):\(\left\{ 0,1\right\} ^{n}\times \left\{ 0,1\right\} ^{n}\rightarrow \mathbbm {Z}^{*}_{\mathtt {\mathbbm {p}}}\), \(\mathtt {\mathbbm {H}}_{4}\):\(\left\{ 0,1\right\} ^{n}\rightarrow \left\{ 0,1\right\} ^{n}\).

   • ⑤ Selects a random number \(\mathtt {\mathbbm {a}}\in \mathbbm {Z}_{\mathtt {\mathbbm {p}}}^{*}\) as its master secret key \(MSK=\mathtt {\mathbbm {a}}\in \mathbbm {Z}_{\mathtt {\mathbbm {p}}}^{*}\) and calculates its master public key \(MPK=\mathtt {\mathbbm {a}}\mathtt {\mathbbm {P}}\).

   • ⑥ Outputs the private key generator’s system parameters \({params}_\text {pkg}=\left\{ {\mathtt {\mathbbm {G}}_{1}, \mathtt {\mathbbm {G}}_{2},\mathtt {\mathbbm {n},\mathbbm {p},\mathbbm {e}},\mathtt {\mathbbm {P}}}, \mathtt {\mathbbm {H}}_{1}, \mathtt {\mathbbm {H}}_{2}, \mathtt {\mathbbm {H}}_{3}, \mathtt {\mathbbm {H}}_{4},MPK\right\}\) and the master secret key MSK.

3. (3)

   \(temp \leftarrow TempKey\_Extract(IDs,params_\text {pkg},MSK)\). The private key generator runs the \(TempKey\_Extract\) algorithm to generate a set of temporary public-private key pairs for N time servers. The following steps are required:

   • ① Calculates the set of temporary public-private key pairs \(temp = \left\{temp_{pub}^{(i)},temp_{priv}^{(i)}\right\}_{i=1,2,..,N}\) for N time servers using their identity identifier set \(IDs=\{ID_{1},ID_{2},...,ID_{N}\}\), where \(temp_{\text {priv}}^{(i)}=MSK\cdot \mathtt {\mathbbm {H}}_{1}(ID_{i})=\mathtt {\mathbbm {a}}\mathtt {\mathbbm {H}}_{1}(ID_{i})\), \(temp^{(i)}_{\text {pub}}=\mathtt {\mathbbm {H}}_{1}(ID_{i})\), \(ID_i \in IDs\).

4. (4)

   \((C_1,C_2,...,C_N) \leftarrow KeySharing(sk,temp,MPK,params_\text {pkg})\). The time server management organization runs the KeySharing algorithm to generate secret key shares for N time servers. The following steps are required:

   • ① The time server management organization selects secret sharing polynomial coefficients \(a_{1},a_{2},a_{3},\dots , a_{t-1}\in \mathbbm {Z}^{*}_{p}\) to construct Shamir secret sharing polynomial \(f(x)= \left(s+\sum \limits _{i=1}\limits ^{t-1}a_{i}x^{i}\right)\ \text {mod}\ {p}\), generate secret key share \(s_{i} = f(x_{i})\) for time server \(TS_{i}\ (i=1,2,...,N)\), where \(x_{i}=i\) is the identification number of time server \(TS_{i}\).

   • ② The time server management organization selects a random number \(\sigma \in \left\{ 0,1\right\} ^n\) and uses the IBE.Encrypt algorithm defined in Definition 4 to get the ciphertext \(C_i\), which is sent to time server \(TS_i\) using the temporary public key \({temp}_{pub}^{\left( i\right) }\), where \(i=1,2,...,N\).

     $$\begin{aligned} C_i{} & {} =<U,V,W>=<\mathtt {\mathbbm{r}\mathbbm{P}},\sigma \oplus \mathtt {\mathbbm {H}}_2\left( {\mathtt {\mathbbm {e}}\left( MPK,{temp}_{pub}^{\left( i\right) }\right) }^\mathtt {\mathbbm {r}}\right) ,s_i\oplus \mathtt {\mathbbm {H}}_4\left( \sigma \right) >,\nonumber \\ \mathtt {\mathbbm {r}}{} & {} = \mathtt {\mathbbm {H}}_3 (\sigma ,s_i) \end{aligned}$$

     (4)
5. (5)

   \(\left({ts}_{pub}^{\left( i\right) },{ts}_{priv}^{\left( i\right) }\right)\leftarrow TS\_KeyGen \left(C_i,{temp}_{priv}^{(i)},{ params}_\text {pkg},{ params}_\text {tsmo}\right)\). The time server \(TS_i\) runs the \(TS\_KeyGen\) algorithm to obtain its public key \({ts}_{pub}^{(i)}\) and private key \({ts}_{priv}^{(i)}\) . The following steps are required:

   • ① The time server \(TS_{i} (i=1,2,...,N\)) receives the ciphertext \(C_i\) from the time server management organization. It decrypts the ciphertext \(C_i\) using its temporary private key \(temp_{priv}^{(i)}\) to obtain its private key \(ts_{priv}^{(i)}\). The time server \(TS_{i}\) then calculates its public key \(ts_{pub}^{(i)}\).

     $$\begin{aligned} {ts}_{priv}^{(i)}{} & {} = W\oplus \mathtt {\mathbbm {H}}_4\left( \sigma \right) =s_i, \sigma =V\oplus \mathtt {\mathbbm {H}}_2 (e({temp}_{priv}^{\left( i\right) },U))\nonumber \\ {ts}_{pub}^{(i)}{} & {} = {ts}_{priv}^{(i)}P=s_{i}P \end{aligned}$$

     (5)
6. (6)

   \((usk,upk)\leftarrow User\_KeyGen({ params}_\text {tsmo}).\) The data receiver runs the \(User\_KeyGen\) algorithm to obtain its private key usk and its public key upk. The following steps are required:

   • ① The data receiver selects a random number \(u\in \mathbbm {Z}^{*}_{p}\) as its private key \(usk=u\), and calculates its public key \(upk=uP\).

7. (7)

   \(C\leftarrow Enc \left(M,upk,ts_{pub}^{(i)}({i=1,2,...,N}),T,{ params}_{\text {tsmo}}\right)\). The data sender runs the Enc algorithm using the data receiver’s public key upk, and arbitrarily selects at least t public keys from N time servers’ public keys \(ts_{pub}^{(i)}\) to form a set \(ts_{pub}\). Xs is the corresponding set of identification numbers for the time servers. The data sender specifies a decryption time \(T \in \{0,1\}^*\) to encrypt M. The following steps are required:

   • ① Calculates

     $$\begin{aligned} tk = \sum\limits_{\begin{array}{c} {ts_{\text {pub}}^{(i)} \in \text {ts}_{\text {pub}}} \end{array}} ts_{\text {pub}}^{(i)} \prod\limits_{\begin{array}{c} {x_j \in X_s, x_j \ne x_i} \end{array}} \frac{-x_j}{(x_i - x_j)} = sP \end{aligned}$$

     (6)

   • ② Selects a random number \(r\in \mathbbm {Z}_p^*\) and calculates \(K=e(rH_1(T),upk+tk)\).

   • ③ Outputs the ciphertext \(C=<X=rP,Y=M\oplus H_2(K)>.\)

8. (8)

   \(S_T^{(i)}\leftarrow TS\_Rel \left({ts}_{priv}^{(i)}, t_{instance}\right)\). The time server runs the \(TS\_Rel\) algorithm at a fixed frequency (for example, every five minutes) to broadcast the time trapdoor. The following steps are required:

   • ① On the time instance \(t_{instance} \in \{0,1\}^*\), the time server \(TS_i\) calculates and periodically broadcasts the time trapdoor

     $$\begin{aligned} S_T^{(i)} = {ts}_{priv}^{(i)}H_1(t_{instance}) = s_iH_1(t_{instance}) \end{aligned}$$

     (7)

     to all system users using its private key.

9. (9)

   \(U_T \leftarrow US\_Rel(usk,T, {params}_\text {tsmo})\). The data receiver uses the decryption time T specified by the data sender and their private key usk to run the \(US\_Rel\) algorithm and obtain their time trapdoor. The following steps are required:

   • ① At the specified decryption time T, the data receiver calculates the time trapdoor \(U_T = usk \cdot H_1(T) = uH_1(T)\) using the private key usk.

10. (10)

    \(M \leftarrow Dec(C,STs, Xs, T, U_T, params_\text {tsmo})\). The data receiver runs the Dec algorithm to recover the plaintext M. The following steps are required:

    • ① At the decryption time T specified by the data sender, each of the N time servers sends the corresponding time trapdoor ST so that there are N time trapdoors STs. The data receiver randomly selects a set of valid time trapdoors STs from the time trapdoors published by N time servers, ensuring that \(|STs |\ge t\). Xs is the corresponding set of identification numbers for the time servers. Calculate the main time trapdoor \(S_T' = \sum \nolimits _{S_T^{(i)}\in STs} S_T^{(i)} \prod\nolimits_{x_j\in Xs, x_j\ne x_i} \frac{-x_j}{(x_i-x_j)}\).

    • ② Calculates \(K' = e(X,S_T'+U_T)\).

    • ③ Recovers the plaintext \(M = Y \oplus H_2(K')\).

    Assume that the ciphertext is \(C = \langle X, Y \rangle\), the decryption time is T, the set of valid time trapdoors is \(STs = \{S_T^{(1)}, S_T^{(2)}, \dots , S_T^{(t)}\}\), the corresponding set of identification numbers for the time servers is \(Xs = \{x_1,x_2,\dots ,x_t\}\), and the user’s trapdoor is \(U_T\). The correctness of decryption is verified as follows:

    $$\begin{aligned} S_T^{\prime }{} & {} =\sum \limits _{S_T^{(i)}\in STs}S_T^{(i)}\prod\limits_{x_j\in Xs,x_j\ne x_i}\frac{-x_j}{x_i-x_j}\nonumber \\{} & {} =s_1 H_1 (T)\cdot \frac{(0-x_2)(0-x_3)\cdots (0-x_t)}{(x_1-x_2)(x_1-x_3)\cdots (x_1-x_t)}\nonumber \\{} & {} \quad +s_2 H_1 (T)\cdot \frac{(0-x_1)(0-x_3)\cdots (0-x_t)}{(x_2-x_1)(x_2-x_3)\cdots (x_2-x_t)}+\cdots \nonumber \\{} & {} \quad +s_t H_1 (T)\cdot \frac{(0-x_1)(0-x_2)\cdots (0-x_{t-1})}{(x_t-x_1)(x_t-x_2)\cdots (x_t-x_{t-1})}\nonumber \\{} & {} =\left( s_1\cdot \frac{(0-x_2)(0-x_3)\cdots (0-x_t)}{(x_1-x_2)(x_1-x_3)\cdots (x_1-x_t)}+\right. \nonumber \\{} & {} s_2\cdot \frac{(0-x_1)(0-x_3)\cdots (0-x_t)}{(x_2-x_1)(x_2-x_3)\cdots (x_2-x_t)}+\cdots \nonumber \\{} & {} \quad \left. +s_t\cdot \frac{(0-x_1)(0-x_2)\cdots (0-x_{t-1})}{(x_t-x_1)(x_t-x_2)\cdots (x_t-x_{t-1})}\right) \cdot H_1 (T)\nonumber \\{} & {} =sH_1 (T)\nonumber \\ K'{} & {} =e(X,S'_{T}+U_{T})\nonumber \\{} & {} =e(rP,sH_{1}(T)+uH_{1}(T))\nonumber \\{} & {} =e(rH_{1}(T),upk+tk)\nonumber \\{} & {} =K\nonumber \\ Y\oplus H_{2}(K'){} & {} =Y\oplus H_{2}(K)\nonumber \\{} & {} =M\oplus H_{2}(K)\oplus H_{2}(K)\nonumber \\{} & {} =M \end{aligned}$$

    (8)

Construction of \(\text {SS-MSTRE}_{2}\)

In the real world, the time server management organization may be semi-trusted, so it is not possible to directly use the key shares published by the time server management organization as private keys for time servers. To solve this problem, it is necessary to improve the \(\text {SS-MSTRE}_1\) scheme. The difference between the improved scheme and the \(\text {SS-MSTRE}_1\) scheme is that each time server, after decrypting the key share ciphertext obtained using the IBE.Decrypt algorithm defined in Definition 4, does not directly use the obtained key share itself as its private key. Instead, N time servers first “negotiate” a shared random number. Each time server then uses this shared random number and the decrypted key share to generate a new private key. The specific improvement method is as follows:

• ① At system initialization (ensuring that N time servers are all in normal working state), N time servers need to specify a particular time server \(TS_j\) to generate a random number \(R\in \mathbbm {Z}_{p}^{*}\). Then, using the IBE.Encrypt algorithm defined in Definition 4, the time server \(TS_j\) sends the random number R to the other time servers \(TS_i\) , where \(i \ne j\). The time server \(TS_i\) then uses the IBE.Decrypt algorithm defined in Definition 4 to obtain the shared random number R.

• ② The time server runs the \(TS\_KeyGen\) algorithm to obtain \(s_i\) and uses the shared random number R to calculate its private key \(ts_{priv}^{(i)}=s_{i}R\), then calculates its public key \(ts_{pub}^{(i)}=ts_{priv}^{(i)}P=s_{i}RP\).

Correspondingly, the Enc algorithm is modified as follows:

\(C\leftarrow Enc(M,upk,ts_{pub}^{(i)}({i=1,2,...,N}),T,{ params}_\text {tsmo}\)). The data sender runs the Enc algorithm using the data receiver’s public key upk, and arbitrarily selects at least t public keys from N time servers’ public keys \(ts_{pub}^{(i)}\) to form a set \(ts_{pub}\). Xs is the corresponding set of identification numbers for the time servers. The data sender specifies a decryption time \(T \in \{0,1\}^*\) to encrypt the data M. The following steps are required:

• ① Calculates

  $$\begin{aligned} tk=\sum \limits _{ts_{pub}^{(i)} \in ts_{pub}} ts_{pub}^{(i)} \prod \limits_{x_j \in X_s, x_j \ne x_i} \frac{-x_j}{(x_i - x_j)} = sRP. \end{aligned}$$

  (9)

• ② Selects a random number \(r\in \mathbbm {Z}_p^*\) and calculates \(K=e(rH_1(T),upk+tk)\).

• ③ Outputs the ciphertext \(C=<X=rP,Y=M\oplus H_2(K)>.\)

Correspondingly, the \(TS\_Rel\) algorithm is modified as follows:

\(S_T^{(i)}\leftarrow TS\_Rel({ts}_{priv}^{(i)}, t_{instance})\). The time server runs the \(TS\_Rel\) algorithm at a fixed frequency (for example, every five minutes) to broadcast the time trapdoor. The following steps are required:

• ① On the time instance \(t_{instance} \in \{0,1\}^*\), the time server \(TS_i\) calculates and periodically broadcasts the time trapdoor \(S_T^{(i)} = {ts}_{priv}^{(i)}H_1(t_{instance}) = s_iRH_1(t_{instance})\) to all system users using its private key.

Correspondingly, the Dec algorithm is modified as follows:

\(M \leftarrow Dec(STs, Xs, T, U_T, params_\text {tsmo})\). The data receiver runs the Dec algorithm to recover the plaintext M. The following steps are required:

• ① At the decryption time T specified by the data sender, the data receiver randomly selects a set of valid time trapdoors STs from the time trapdoors published by N time servers, ensuring that \(|STs |\ge t\). Xs is the corresponding set of identification numbers for the time servers. Calculate the main time trapdoor \(S_T' = \sum \nolimits _{S_T^{(i)}\in STs} S_T^{(i)} \prod _{x_j\in Xs, x_j\ne x_i} \frac{-x_j}{(x_i-x_j)}\).

• ② Calculates \(K' = e(X,S_T'+U_T)\).

• ③ Recovers the plaintext \(M = Y \oplus H_2(K')\).

Assume that the ciphertext is \(C = \langle X, Y \rangle\), the decryption time is T, the set of valid time trapdoors is \(STs = \{S_T^{(1)}, S_T^{(2)}, \dots , S_T^{(t)}\}\), the corresponding set of identification numbers for the time servers is \(Xs = \{x_1,x_2,\dots ,x_t\}\), and the user’s trapdoor is \(U_T\). The correctness of decryption is verified as follows:

Security analysis

The security properties of our proposed schemes are analyzed as follows.

1. (1)

   Data confidentiality. The attacker aims to illegally analyze key-related information necessary for decrypting the ciphertext before the specified time T. Assume that the attacker may attempt to crack the time server management organization’s private key sk (SS-MSTRE\(_{2}\) scheme is the parameter sR) and the user’s private key usk through the time servers’ public keys \(ts_{pub}^{(i)}\) and the user’s public key upk, this is equivalent to solving the ECDLP, which is currently considered infeasible, making it difficult for an attacker to effectively crack. Assume that time server \(TS_i\) stores many plaintext-ciphertext pairs, that is, one-way irreversible hash function calculation values of decryption time \(H_1(T^*)\)-time trapdoor \(S_{T}^*\) pair, it is difficult for an attacker to attack the time server \(TS_i\)’s private key \(ts_{priv}^{(i)}\) through the known-plaintext attack. The attacker can only obtain the corresponding private key by attacking t or more time servers to recover the main time trapdoor. However, this type of attack requires extremely high computational resources and time costs, making the probability of a polynomial-time attacker successfully breaking the ciphertext negligible.

2. (2)

   Verifiability. The time server obtains \(s_i\) through the \(TS\_KeyGen\) algorithm, calculates \(\mathtt {\mathbbm {r}}^*=\mathtt {\mathbbm {H}}_3(\sigma ,s_i)\), and \(U^{*}=\mathtt {\mathbbm {r}}^{*}\mathtt {\mathbbm {P}}\), and then compares \(U^*\) with the ciphertext \(C_i\) to detect whether \(s_i\) is legal and has not been tampered with. The time trapdoor is generated by combining a public hash function and the time server’s private key with the security of the time server’s private key depending on the ECDLP. When the time server \(TS_i\) sends the time trapdoor \(S_T^{(i)}\) to the data receiver, the data receiver can also choose to use bilinear pairing technology to calculate and compare whether \(e(ts_{pub}^{(i) },H_1(T))\) and \(e(P,S_T^{(i)})\) are equal, to detect whether \(S_T^{(i)}\) is legal and has not been tampered with. The verifiability of the intermediate ciphertext data can effectively detect whether the original data is damaged due to noise and other factors when transmitting ciphertext data over a public network and can also resist attackers intercepting and tampering with data to a certain extent.

3. (3)

   Anti-advance decryption. Assume that a dishonest receiver wants to decrypt the data before the specified decryption time. As long as the ECDLP and BDH are still difficult problems at the current stage, it is a very difficult task, or almost impossible for the receiver to decrypt the ciphertext based on the existing time server public keys, the specified decryption time T , its private key, and the public system parameters.

4. (4)

   Robust decryption with multiple time trapdoors. Our schemes employ Shamir secret sharing for key distribution to construct the main time trapdoor. The data receiver only needs to obtain time trapdoors that equal or exceed the threshold value to complete decryption. Consequently, even if some of the time servers fail or are attacked, the data receiver can still use a sufficient number of time trapdoors for decryption, significantly enhancing the reliability of the multiple time server TRE scheme.

We further provide proof that the SS-MSTRE\(_1\) scheme is semantically secure against adaptive CPA [22].

Theorem 1

Assume that adversary \(\mathcal {A}\) has an advantage of \(\epsilon\) in breaking the SS-MSTRE\(_1\) scheme. Meanwhile, let the probability of challenger \(\mathcal {B}\) overcoming the BDH assumption defined in Definition 2 be at least \(\epsilon ' = \epsilon /eq_T q_{H_2}\), where e is the base of the natural logarithm, \(q_{H_2}\) is the maximum number of queries that \(\mathcal {A}\) can make to the random oracle \(H_2\), and \(q_T\) is the maximum number of queries that \(\mathcal {A}\) can make to the time trapdoors of users and time servers.

Proof

Assume that there is an adversary \(\mathcal {A}\) with advantage \(\epsilon\) in breaking the SS-MSTRE\(_1\) scheme. \(\mathcal {A}\) is limited to making no more than \(q_{H_2}\) queries to the random oracle \(H_2\) and no more than \(q_T\) queries to the time trapdoors of user and time servers, where \(q_T\) and \(q_{H_2}\) are both positive. Let \(\mathcal {B}\) be a challenger who can overcome the BDH assumption with a probability of at least \(\epsilon '=\epsilon /eq_Tq_{H_2}\). Therefore, if the BDH assumption holds in \(G_1\), then \(\epsilon '\) can be considered negligible, and the advantage of \(\mathcal {A}\) in breaking the SS-MSTRE\(_1\) scheme can also be considered negligible. \(\mathcal {B}\) simulates as the challenger and interacts with \(\mathcal {A}\) as follows:

\({Preparation\ :}\) Let \(G_1\) be an ECDLP additive group of prime order q, \(G_2\) be a DLP multiplicative group of prime order q, and let the bilinear mapping \(e: G_1 \times G_1 \rightarrow G_2\) satisfy Definition 1. Give the challenger \(\mathcal {B}\) the public parameters \(P,\ P_1=aP=uP+(\sum \nolimits _{{i}=1}^{t}s_{{i}}P \cdot (\prod _{\begin{array}{c} 1\le {j}\le t\\ {j}\not = {i} \end{array}}^{}\frac{0-x_{{j}}}{x_{{i}}-x_{{j}}}\ \text {mod} \ p)),\ P_2=bP\) and \(P_3=cP\). The goal of the challenger \(\mathcal {B}\) is to output \(v=e(P,P)^{abc} \in G_2\), where P is the generator of \(G_1\) and \(a,b,c \in \mathbb {Z}_p^*\).

\({Setup\ :}\) Challenger \(\mathcal {B}\) gives adversary \(\mathcal {A}\) the data receiver’s public key \(upk=u\) and the time server’s public key \(ts_{pub}^{(i)}=s_iP\) (i=1,2,...,N).

\({Initialization\ :}\) The adversary \(\mathcal {A}\) outputs the target of the attack, a pair of decryption time points \((T_0^*\),\(T_1^*)\).

\({Phase\ 1\ :}\) The adversary \(\mathcal {A}\) initiates \(1,2,\dots ,m\) queries, and the challenger \(\mathcal {B}\) responds to each of them. The response process of the \(\mathbbm {i}\)-th query is as follows:

The adversary \(\mathcal {A}\) initiates a query to the random oracle \(H_1\). Challenger \(\mathcal {B}\) maintains an initially empty tuple list \(H_1^\text {list}:<T_\mathbbm {j},h_\mathbbm {j},m_\mathbbm {j},n_\mathbbm {j}>\). When the adversary \(\mathcal {A}\) initiates a query for the time trapdoor to the random oracle \(H_1\) at a time point \(T_\mathbbm {i}\), the challenger \(\mathcal {B}\) responds as follows:

• ① If the tuple information \(<T_\mathbbm {i},h_\mathbbm {i},m_\mathbbm {i},n_\mathbbm {i}>\) containing \(T_\mathbbm {i}\) is already present in \(H_1^\text {list}\), then the challenger \(\mathcal {B}\) responds with \(H_1(T_\mathbbm {i}) = h_\mathbbm {i}\in G_1\).

• ② If the tuple information \(<T_\mathbbm {i},h_\mathbbm {i},m_\mathbbm {i},n_\mathbbm {i}>\) containing \(T_\mathbbm {i}\) is not present in \(H_1^\text {list}\), then the challenger \(\mathcal {B}\) randomly generates a bit \(n_\mathbbm {i}\in \{0,1\}\) such that \(\text {Pr}[n_\mathbbm {i}=0]=1/(q_T+1)\).

• ③ The challenger \(\mathcal {B}\) chooses a random number \(m_\mathbbm {i}\in \mathbb {Z}_q^*\). If \(n_\mathbbm {i}=0\), then \(\mathcal {B}\) calculates \(h_\mathbbm {i}=P_2+m_\mathbbm {i}P\), otherwise, calculates \(h_\mathbbm {i}=m_\mathbbm {i}P\).

• ④ The challenger \(\mathcal {B}\) adds the tuple \(<T_\mathbbm {i},h_\mathbbm {i},m_\mathbbm {i},n_\mathbbm {i}>\) to \(H_1^\text {list}\) and responds with \(H_1(T_\mathbbm {i})=h_\mathbbm {i}\). The value of \(h_\mathbbm {i}\) is uniformly distributed in \(G_1\) and independent of the adversary \(\mathcal {A}\).

Similarly, adversary \(\mathcal {A}\) initiates a query to the random oracle \(H_2\). the challenger \(\mathcal {B}\) maintains an initially empty tuple list \(H_2^\text {list}\), and responds as follows:

• ① When the adversary \(\mathcal {A}\) queries \(H_2\) for \(H_2(K_\mathbbm {i})\) and there is no information containing \(K_\mathbbm {i}\) in the list, the challenger \(\mathcal {B}\) responds by choosing a new random value \(V_\mathbbm {i} \in \{0,1\}^{\log _2 q}\) and adding \((K_\mathbbm {i},V_\mathbbm {i})\) to the tuple list \(H_2^\text {list}\).

• ② If the tuple list \(H_2^\text {list}\) contains \((K_\mathbbm {i},V_\mathbbm {i})\), then the challenger \(\mathcal {B}\) takes \((K_\mathbbm {i},V_\mathbbm {i})\) from \(H_2^\text {list}\) as the response value to the adversary \(\mathcal {A}\).

When the adversary \(\mathcal {A}\) initiates a time trapdoor query at a time point \(T_\mathbbm {i} \notin \{T_0^*,T_1^*\}\), the challenger \(\mathcal {B}\) responds as follows:

• ① The challenger \(\mathcal {B}\) runs the above \(H_1\) query algorithm and obtains \(H_1(T_\mathbbm {i}) = h_\mathbbm {i}\). Then, \(\mathcal {B}\) makes the tuple \(<T_\mathbbm {i},h_\mathbbm {i},m_\mathbbm {i},n_\mathbbm {i}>\) as the corresponding element in the tuple list \(H_1^\text {list}\).

• ② If \(n_\mathbbm {i}=0\), the challenger \(\mathcal {B}\) reports an error and terminates the entire simulation game.

• ③ If \(n_\mathbbm {i}=1\), then \(h_\mathbbm {i}=m_\mathbbm {i}P\).

Let \(T_{u_\mathbbm {i}} = m_\mathbbm {i}\cdot upk\) and \(T_{T_\mathbbm {i}} = m_\mathbbm {i}\cdot (\sum \nolimits _{{i}=1}^{t}s_{{i}}P \cdot (\prod _{\begin{array}{c} 1\le {j}\le t\\ {j}\not = {i} \end{array}}^{}\frac{0-x_{{j}}}{x_{{i}}-x_{{j}}}\ \text {mod} \ p))\). We can also obtain \(T_{u_\mathbbm {i}} = uH_1(T_\mathbbm {i})\) and \(T_{T_\mathbbm {i}} = (\sum \nolimits _{i=1}^{t} s_{i}\prod _{\begin{array}{c} 1\le j\le t\\ j\not = i \end{array}}^{}\frac{0-x_{j}}{x_{i}-x_{j}}\ \text {mod} \ p) \cdot m_\mathbbm {i} P= sH_1(T_\mathbbm {i})\) by transforming the formulas. Here, \(T_{u_\mathbbm {i}}\) represents the legitimate user’s time trapdoor at time point \({T_\mathbbm {i}}\) and \(T_{T_\mathbbm {i}}\) represents the main time trapdoor at time point \({T_\mathbbm {i}}\). The challenger \(\mathcal {B}\) returns \(T_{u_\mathbbm {i}}\) and \(T_{T_\mathbbm {i}}\) to the adversary \(\mathcal {A}\).

Challenge :  The target of challenge for the adversary \(\mathcal {A}\) is a pair of decryption time points \((T_0^*, T_1^*)\). The challenger \(\mathcal {B}\) produces the challenge ciphertext, and the response process is as follows:

• ① The challenger \(\mathcal {B}\) performs two \(H_1\) query algorithms to obtain \(h_0^*\) and \(h_1^* \in G_1\), and obtains \(H_1(T_0^*) = h_0^*\) and \(H_1(T_1^*) = h_1^*\), which correspond to \(<T_0^*, h_0^*, m_0^*, n_0^*>\) and \(<T_1^*, h_1^*, m_1^*, n_1^*>\) respectively in \(H_1^\text {list}\). If \(n_0^* = n_1^* = 1\), the challenger \(\mathcal {B}\) reports an error and terminates the entire simulation game.

• ② If either \(n_0^*\) or \(n_1^*\) is 0, the challenger \(\mathcal {B}\) chooses a random number \(\flat \in \{0,1\}\) such that \(n_{\flat }^* = 0\).

• ③ The challenger \(\mathcal {B}\) responds with the ciphertext \(C_{\flat }^*=[P_3,J]\), where \(J \in \{0,1\}^{log_2q}\). Let

  $$\begin{aligned} J = H_2\left(e\left(H_1\left(T_\flat ^*\right),c\cdot upk\right)\cdot e\left(H_1\left(T_{\flat }^*\right),c\cdot \left(\sum \limits _{{i}=1}^{t}s_{{i}}P \cdot \left(\prod _{\begin{array}{c} 1\le {j}\le t\\ {j}\not = {i} \end{array}}^{}\frac{0-x_{{j}}}{x_{{i}}-x_{{j}}}\ \text {mod} \ p \right)\right)\right)\right) \end{aligned}$$

  (11)

  Namely,

  $$\begin{aligned} J{} & {} = H_2\left(e\left(H_1\left(T_{\flat }^*\right),upk\right)^c \cdot e\left(H_1\left(T_{\flat }^*\right),\qquad \qquad \left(\sum \limits _{{i}=1}^{t}s_{{i}}P \cdot \left(\prod _{\begin{array}{c} 1\le {j}\le t\\ {j}\not = {i} \end{array}}^{}\frac{0-x_{{j}}}{x_{{i}}-x_{{j}}}\ \text {mod} \ p\right)\right)\right)^c\right)\nonumber \\{} & {} = H_2\left(e\left(H_1\left(T_{\flat }^*\right),\left(u+s\right)P\right)^c\right)\nonumber \\{} & {} = H_2\left(e\left(P_2+m_{\flat }^*,\left(u+s\right)P\right)^c\right)\nonumber \\{} & {} = H_2\left(e\left(P,P\right)^{\left(c\left(u+s\right)\left(b+m_{\flat }^*\right)\right)}\right) \end{aligned}$$

  (12)

Therefore, \(C_{\flat }^*=[P_3,J]\) is the true and valid ciphertext corresponding to the time \(T_{\flat }^*\).

\({Phase\ 2:}\) The adversary \(\mathcal {A}\) initiates time trapdoor queries for the user’s time trapdoor and the time servers’ time trapdoors from \(m+1\) to num again. The challenger \(\mathcal {B}\) responds in the same way as in \(Phase\ 1\).

Guess :  The adversary \(\mathcal {A}\) outputs a guess of \({\flat }\), denoted as \({\flat '} \in \{0,1\}\), and guesses whether the ciphertext \(C_{\flat }^*\) constructed by the challenger \(\mathcal {B}\) in the Challenge phase is \({Enc}\left({upk},{\left(\sum \nolimits _{{i}=1}^{t}s_{{i}}P \cdot \left(\prod _{\begin{array}{c} 1\le {j}\le t\\ {j}\not = {i} \end{array}}^{}\frac{0-x_{{j}}}{x_{{i}}-x_{{j}}}\ \text {mod} \ p\right)\right)},{T_0^*}\right)\) or \({Enc}\left({upk},{\left(\sum \nolimits _{{i}=1}^{t}s_{{i}}P \cdot \left(\prod _{\begin{array}{c} 1\le {j}\le t\\ {j}\not = {i} \end{array}}^{}\frac{0-x_{{j}}}{x_{{i}}-x_{{j}}}\ \text {mod} \ p\right)\right)},{T_1^*}\right)\). At this point, the challenger \(\mathcal {B}\) randomly chooses \((K_\mathbbm {j},V_\mathbbm {j})\) from \(H_2^\text {list}\) and outputs \(K/e\left(upk,\left(\sum \nolimits _{{i}=1}^{t}s_{{i}}P \cdot \left(\prod _{\begin{array}{c} 1\le {j}\le t\\ {j}\not = {i} \end{array}}^{}\frac{0-x_{{j}}}{x_{{i}}-x_{{j}}}\ \text {mod} \ p\right)\right),P_3\right) ^{m_\flat ^*}\) as a guess for \(v={e}(P,P)^{abc}\). If the adversary \(\mathcal {A}\) has previously queried one of the items in \(H_2\left({e}\left(c{H}_1\left({T_0^*}\right),{upk}+{\left(\sum \nolimits _{{i}=1}^{t}s_{{i}}P\left(\prod _{\begin{array}{c} 1\le {j}\le t\\ {j}\not = {i} \end{array}}^{}\frac{0-x_{{j}}}{x_{{i}}-x_{{j}}}\ \text {mod} \ p\right)\right)}\right)\right)\) or \(H_2\left({e}\left(c{H}_1\left({T_1^*}\right),{upk}+{\left(\sum \nolimits _{{i}=1}^{t}s_{{i}}P\left(\prod _{\begin{array}{c} 1\le {j}\le t\\ {j}\not = {i} \end{array}}^{}\frac{0-x_{{j}}}{x_{{i}}-x_{{j}}}\ \text {mod} \ p\right)\right)}\right)\right)\), then the tuple list \(H_2^\text {list}\) has a 1/2 probability of containing the tuple \((K_\mathbbm {j},V_\mathbbm {j})\), where

If the challenger \(\mathcal {B}\) chooses the tuple \((K_\mathbbm {j},V_\mathbbm {j})\) from \(H_2^\text {list}\), then \(K/{e}\left({upk}+{\left(\sum \nolimits _{{i}=1}^{t}s_{{i}}P \cdot \left(\prod _{\begin{array}{c} 1\le {j}\le t\\ {j}\not = {i} \end{array}}^{}\frac{0-x_{{j}}}{x_{{i}}-x_{{j}}}\ \text {mod} \ p\right)\right)},P_3\right)^{m_{{\flat }}^*}={e}\left(P,P\right)^{abc}\).

The entire simulation game ends at this point. Next, we calculate the probability value \(\epsilon '\) of the challenger \(\mathcal {B}\) correctly outputting \(v = e(P, P)^{abc}\), and assume that the simulation game can continue to the Guess phase without any termination in between. To this end, we will begin by defining the following events:

Event \(E_1\): the challenger \(\mathcal {B}\) does not terminate the game during the phase when the adversary \(\mathcal {A}\) queries the time trapdoor.

Event \(E_2\): the challenger \(\mathcal {B}\) does not terminate the game during the Challenge phase.

The probability of events \(E_1\) and \(E_2\) occurring is sufficiently high, and the following four claims are provided:

Claim 1

During the phase when the adversary \(\mathcal {A}\) queries the time trapdoor, the probability of the challenger \(\mathcal {B}\) not terminating the game is at least 1/e, with \(\text {Pr}[E_1] \ge 1/e\).

Proof

Assume that the adversary \(\mathcal {A}\) will not query the same time point twice. The response obtained from querying \(H_1\) indicates that the probability of the challenger \(\mathcal {B}\) terminating the game after one time trapdoor query by the adversary \(\mathcal {A}\) is \(1/(q_T+1)\). However, the adversary \(\mathcal {A}\) can query the time trapdoor up to \(q_T\) times. Therefore, the probability of the challenger \(\mathcal {B}\) not terminating the game after \(q_T\) time trapdoor queries by the adversary \(\mathcal {A}\) is \((1-1/(q_T+1))^{q_T} \ge 1/e\).  

Claim 2

In the Challenge phase, the probability of the challenger \(\mathcal {B}\) not terminating the game is at least \(1/q_T\), with \(\text {Pr}[E_2] \ge 1/q_T\).

Proof

Assume that the adversary \(\mathcal {A}\) can generate a pair of designated decryption time points \((T_0^*,T_1^*)\) with the property \(n_0^*=n_1^*=1\), then the challenger \(\mathcal {B}\) terminates the game in the Challenge stage. Since the adversary \(\mathcal {A}\) has not queried the time trapdoors for \(T_0^*\) and \(T_1^*\), the values of \(n_0^*\) and \(n_1^*\) are not correlated with the adversary \(\mathcal {A}\). Therefore, \(\text {Pr}[n_\flat ^*=0]=1/(q_T+1)\) and \(\text {Pr}[n_0^*=n_1^*=1]=(1-(1/(q_T+1)))^2\le 1-1/q_T\). It follows that the probability of the challenger \(\mathcal {B}\) not terminating the game in the Challenge phase is at least \(1-(1-1/q_T)=1/q_T\).

During the game process, the adversary \(\mathcal {A}\) is not allowed to query the time trapdoors for \(T_0^*\) and \(T_1^*\). Therefore, the events \(E_1\) and \(E_2\) are independent of each other, and it can be obtained that \(\text {Pr}[E_1\cap E_2]\ge 1/eq_T\).

Assume that in the real attack game, the adversary \(\mathcal {A}\) possesses the public key \(upk=uP\) of the data receiver and the public keys \(ts_{pub}^{(i)} = s_iP\) of the time servers \((i=1,2,...,N)\). The adversary \(\mathcal {A}\) sends a pair of decryption time points \((T_0^*,T_1^*)\) to the challenger \(\mathcal {B}\), and the challenger \(\mathcal {B}\) generates a challenge ciphertext \(C_\flat ^*=[P_3,J]\) in response.

Claim 3

In the real attack game, the adversary \(\mathcal {A}\) has a probability of at least \(\epsilon\) to initiate an \(H_2\) query for either \(H_2\left(e\left(cH_1\left(T_0^*\right),upk+\left(\sum \nolimits _{{i}=1}^{t}s_{{i}}P\left(\prod _{\begin{array}{c} 1\le {j}\le t\\ {j}\not = {i} \end{array}}^{}\frac{0-x_{{j}}}{x_{{i}}-x_{{j}}}\ \text {mod} \ p\right)\right)\right)\right)\) or \(H_2\left(e\left(cH_1\left(T_1^*\right),upk+\left(\sum \nolimits _{{i}=1}^{t}s_{{i}}P\left(\prod _{\begin{array}{c} 1\le {j}\le t\\ {j}\not = {i} \end{array}}^{}\frac{0-x_{{j}}}{x_{{i}}-x_{{j}}}\ \text {mod} \ p\right)\right)\right)\right)\).

Prior to presenting the proof, we will first provide the definitions for the following events:

Event \(E_3\): In the real attack game, the adversary \(\mathcal {A}\) does not initiate an \(H_2\) query for either \(H_2\left(e\left(cH_1\left(T_0^*\right),upk+\left(\sum \nolimits _{{i}=1}^{t}s_{{i}}P\left(\prod _{\begin{array}{c} 1\le {j}\le t\\ {j}\not = {i} \end{array}}^{}\frac{0-x_{{j}}}{x_{{i}}-x_{{j}}}\ \text {mod}\ p\right)\right)\right)\right)\) or \(H_2\left(e\left(cH_1\left(T_1^*\right),upk+\left(\sum \nolimits _{{i}=1}^{t}s_{{i}}P\left(\prod _{\begin{array}{c} 1\le {j}\le t\\ {j}\not = {i} \end{array}}^{}\frac{0-x_{{j}}}{x_{{i}}-x_{{j}}}\ \text {mod} \ p\right)\right)\right)\right)\).

Event \(E_4\): In the Guess phase, the adversary \(\mathcal {A}\) outputs the correct guess value \(\flat ^{\prime }\), where \(\flat = \flat ^{\prime }\).

Proof

When event \(E_3\) occurs, it can be seen from the bit \(\flat \in \{0, 1\}\) that the ciphertext \(C_{\flat }^*\) constructed by the challenger \(\mathcal {B}\) is unrelated to the adversary \(\mathcal {A}\). Therefore, the probability of event \(E_4\) occurring is at most \(\text {Pr}[E_4] =\)1/2. In a real attack, the adversary \(\mathcal {A}\) has an advantage \(\varepsilon\), where \(\text {Pr}[E_4] -\)(1/2)\(\ge \varepsilon\). This also indirectly indicates that \(\text {Pr}[\lnot E_3] \ge 2\varepsilon\). The proof process of \(\text {Pr}[\lnot E_3] \ge 2\varepsilon\) is as follows:

From formula (14), it is known that \(\varepsilon \le |\text {Pr}[E_4] -\)(1/2)\(| \le\)(1/2)\(\text {Pr}[\lnot E_3]\), which implies \(\text {Pr}[\lnot E_3] \ge 2\varepsilon\).

Assume that the challenger \(\mathcal {B}\) does not terminate the game, it means that in the simulated real game process, the adversary \(\mathcal {A}\) has queried either \(\text {Enc}\left({upk}, {\left(\sum \nolimits _{{i}=1}^{t}s_{{i}}P \cdot \left(\prod _{\begin{array}{c} 1\le {j}\le t\\ {j}\not = {i} \end{array}}^{}\frac{0-x_{{j}}}{x_{{i}}-x_{{j}}}\ \text {mod} \ p\right)\right)}, T_0^*\right)\) or \(\text {Enc}\left({upk}, {\left(\sum \nolimits _{{i}=1}^{t}s_{{i}}P \cdot \left(\prod _{\begin{array}{c} 1\le {j}\le t\\ {j}\not = {i} \end{array}}^{}\frac{0-x_{{j}}}{x_{{i}}-x_{{j}}}\ \text {mod} \ p\right)\right)}, T_1^*\right)\). Therefore, \(\text {Pr}[\lnot E_3] \ge 2\varepsilon\).

Claim 4

The probability of the challenger \(\mathcal {B}\) successfully solving the BDH assumption in the Challenge stage is \({\varepsilon }/{q_{H_2}}\).

Proof

Assuming that the events described in Claim 3 occur, the value of one of the two possible cases of \(e\left(cH_1\left(T_\flat ^*\right), {upk} + {\left(\sum \nolimits _{{i}=1}^{t}s_{{i}}P \cdot \left(\prod _{\begin{array}{c} 1\le {j}\le t\\ {j}\not = {i} \end{array}}^{}\frac{0-x_{{j}}}{x_{{i}}-x_{{j}}}\ \text {mod} \ p\right)\right)}\right.\) will be stored in the tuple list \(H_2^\text {list}\). Therefore, in the Challenge phase, the challenger \(\mathcal {B}\) will have a probability of \({1}/{q_{H_2}}\) to select the correct \(e\left(H_1\left(T_\flat ^*\right), {upk} + {\left(\sum \nolimits _{{i}=1}^{t}s_{{i}}P \cdot \left(\prod _{\begin{array}{c} 1\le {j}\le t\\ {j}\not = {i} \end{array}}^{}\frac{0-x_{{j}}}{x_{{i}}-x_{{j}}}\ \text {mod} \ p\right)\right)}\right)\) from \(H_2^\text {list}\). If the challenger \(\mathcal {B}\) does not terminate the simulation game, the probability of successfully solving the BDH assumption is \({\varepsilon }/{q_{H_2}}\). According to Claims 1 and 2, during the simulation game process, the probability that the challenger \(\mathcal {B}\) does not terminate the game is at least \({\varepsilon }/{eq_T}\). And by Claim 4, if the challenger \(\mathcal {B}\) does not terminate the simulation game, the probability of successfully solving the BDH assumption is \({\varepsilon }/{q_{H_2}}\).

In summary, through the above security simulation game, the probability of the challenger \(\mathcal {B}\) successfully solving the BDH assumption is \({\varepsilon }/{eq_T q_{H_2}}\). Theorem 1 is proven.

The above proof is equally applicable to the SS-MSTRE\(_{2}\) scheme.

Efficiency analysis

In this section, we calculate the time consumption of our proposed SS-MSTRE schemes and only count the time consumption of \(Enc, TS\_{Rel}\) and Dec algorithms (the two proposed SS-MSTRE schemes are basically consistent in operation), not count costs of the \(TSMO\_Setup, PKG\_Setup, TempKey\_Extract,KeySharing, TS\_KeyGen, User\_KeyGen\) and \(US\_Rel\) algorithms ( all of these can be done in advance and are not included in the statistical scope). Among them, the supersingular elliptic curve of the finite field \(F_{p}\) (p is a 512-bit prime number) is defined as \(y^{2}=x^{3}+1(\text {mod} \ p)\), the prime order q is 160 bits, and the bilinear mapping adopts Tate pairs. BP stands for bilinear pairing operation; \(\text {PM}_{ec}\) and \(\text {PA}_{ec}\) represent point multiplication and point addition operations in group \(G_{1}\); \(\text {Add}\), \(\text {Sub}\), \(\text {Mul}\) and \(\text {Div}\) represent modular addition, modular subtraction, modular multiplication, and modular division operations in \(\mathbbm {Z}^{*}_{q}\); \(H_{1}\) represents a hash function that maps a binary string composed of 0 and 1 of any length to an element in \(G_{1}\); \(H_{2}\) represents a hash function that maps an element \(G_{2}\) to a binary string composed of 0 and 1 of \(log_{2}q\) length.

We implement the above basic operations based on the open source large number operation function library MIRACL in cryptography and uses the approximate ratio method relative to the \(\text {PM}_{ec}\) basic operations to record the time consumed by other basic operations and obtain the relative time-consuming table of basic operations, as shown in Table 2. The running environment is Intel(R) Core(TM) i5-7500 CPU 3.40GHz processor, 64-bit PC host, 8GB memory, and Microsoft visual studio 2017. 987654321 is used as the random number seed, and after running the program, one \(\text {PM}_{ec}\) operation takes about 1.5208 ms.

In the Enc algorithm, the data sender needs to complete the following operations: two \(\text {PM}_{ec}\) and one \(H_{1}\) for rP and \(rH_{1}(T)\), one BP and one \(\text {PA}_{ec}\) for \(K'=e(rH_{1}(T),upk+tk)\) (tk can be precalculated and is not counted here), one \(H_{2}\) for \(M\oplus H_{2}(K')\); in the \(TS\_Rel\) algorithm, the time server needs to complete the following operations: one \(H_1\) and one \(\text {PM}_{ec}\) for \(S_T^{(i)}=ts_{priv}^{(i)}\cdot {H_1{(T)}}\); in the Dec algorithm, the data receiver needs to complete the following operations: \(t\cdot (t-1)\cdot\) Sub, \(2t\cdot (t-2)\cdot\) Mul, t Div, t \(\text {PM}_{ec}\), and \((t-1)\) \(\text {PA}_{ec}\) for \(\sum \nolimits _{S_T^{(i)} \in STs} S_T^{(i)} \prod _{x_j \in Xs, x_j \ne x_i} \frac{-x_j}{(x_i - x_j)}\). Additionally, one BP and one \(\text {PA}_{ec}\) for \(K' = e(X, S_T' + U_T)\), and one \(H_2\) for \(M = Y \oplus H_2(K')\).Therefore, we compare the calculation time of the MTSTRE scheme in literature [30] with our SS-MSTRE schemes, as shown in Table 3.

It can be seen from Table 3 that the differences in computation time consumption between the MTSTRE scheme in literature [30] and our two SS-MSTRE schemes are mainly reflected in the Enc and Dec algorithms. In the Enc algorithm, the MTSTRE scheme in literature [30] requires N \(\text {PA}_{ec}\), while our SS-MSTRE schemes only require one \(\text {PA}_{ec}\); in the Dec algorithm, the MTSTRE scheme in literature [30] also needs N \(\text {PA}_{ec}\), while our SS-MSTRE schemes need to complete \(t\cdot ((t-1) \cdot \text {Sub}+2(t-2) \cdot \text {Mul}+\text {Div}+\text {PM}_{ec}+\text {PA}_{ec})\) operations when using lagrange interpolation polynomial to reconstruct the main time trapdoor. Assume that there are m data senders in a certain application scenario. To compare the calculation cost of the two schemes, the calculation time of the MTSTRE scheme in the literature [30] may be expressed as follows:

the calculation of the SS-MSTRE schemes is expressed as follows:

Generally speaking, the value range of the secret sharing threshold t belongs to the interval \([\lfloor \dfrac{N}{2}\rfloor +1,N]\) and the different setting of the threshold t will also affect the computational efficiency of our schemes. We will add a detailed application example to illustrate the case in Application example section.

Application example

Suppose the tenderer A is conducting a bidding process for a specific project, with the bid opening scheduled at “8:00 AM on March 8, 2023”. Five bidders (\(B_1, B_2, B_3, B_4, B_5\)) are invited to participate in the bidding, and the number of time servers is set to 10. Tenderer A establishes a time trapdoor threshold value of t for decrypting the submitted bids. We need to evaluate the computational costs of the Enc algorithm for the five bidders, the \(TS\_Rel\) algorithm for the ten time servers, and the Dec algorithm for tenderer A to decrypt the five bids. The resulting comparison of the computational overhead in the sealed bidding application scenario is shown in Table 4.

When the threshold value t is set to 6, 7, and 8, the computation time of the proposed schemes in this paper is 82.1954, 87.3649, and 92.5554, respectively. Although these computational costs are higher than those of the MTSTRE scheme proposed in reference [30], the difference is negligible from a practical application perspective. Specifically, on an ordinary computer (such as the device environment used in this paper), the proposed schemes consume only an additional 0.04543(s), 0.05329(s), and 0.06119(s) compared to the MTSTRE scheme, making the difference imperceptible at the human perception level.

This paper proposes a multiple time servers SS-MSTRE model based on Shamir secret sharing and presents two secure construction schemes. Our proposed schemes enable the receiver to recover EHR using any number of time trapdoors greater than or equal to a predefined threshold value when the preset decryption time arrives, which addresses the issue of single-point failure commonly found in traditional multiple time servers TRE schemes. We conduct security analysis of our schemes, provide a semantic secure proof against adaptive CPA based on the random oracle model, and employ the MIRACL big number arithmetic library to experimentally validate the efficiency of our schemes.

In future work, we will consider introducing other entities to complete the research on the TRE scheme with time-limited update key calculation and release together with the time server. Unlike the research idea of simply increasing the number of time servers, we aim to design other algorithms to construct a new encryption mechanism that solves the single point of failure problem in single time server TRE schemes.

No datasets were generated or analysed during the current study.

The authors express their appreciation to the National Key Research and Development Program, the National Natural Science Foundation of China, the Fundamental Research Funds for the Central Universities of China, the Natural Science Foundation of Tianjin, the Key Specialized Research and Development Program of Henan Province, the Basic Higher Educational Key Scientific Research Program of Henan Province, and the Innovation Training Program for College Students of Henan province.

This work was supported by the National Key Research and Development Program under Grant 2018YFA0704703, the National Natural Science Foundation of China under Grant 61972073, 61972215 and 62172238, the Fundamental Research Funds for the Central Universities of China, the Natural Science Foundation of Tianjin under Grant 20JCZDJC00640, the Key Specialized Research and Development Program of Henan Province under Grant 222102210062 and 222102210007, the Henan Province Science Foundation of Young Scholars under Grant 242300420678, the Basic Higher Educational Key Scientific Research Program of Henan Province under Grant 22A413004, the Innovation Training Program for College Students of Henan province under Grant 202310475143.

Authors and Affiliations

1. School of Computer and Information Engineering, Henan University, Kaifeng, 475004, Henan, China

   Ke Yuan, Ziwei Cheng, Keyan Chen, Bozhen Wang, Junyang Sun, Sufang Zhou & Chunfu Jia

2. Henan Province Engineering Research Center of Spatial Information Processing, Henan University, Kaifeng, 475004, Henan, China

   Ke Yuan

3. College of Cybersecurity, Nankai University, Tianjin, 300350, China

   Keyan Chen & Chunfu Jia

Contributions

Ke Yuan put forward the main idea of the schemes, conceived and designed the experiments, analyzed the data, authored or reviewed drafts of the article, and approved the final draft. Ziwei Cheng performed the experiments, analyzed the data, performed the computation work, authored or reviewed drafts of the article, and approved the final draft. Keyan Chen prepared figures and tables, authored or reviewed drafts of the article, and approved the final draft. Bozhen Wang and Junyang Sun performed the experiments, performed the computation work, prepared figures and tables. Sufang Zhou proposed suggestions, analyzed the data and approved the final draft. Chunfu Jia analyzed the data, authored or reviewed drafts of the article, and approved the final draft.

Corresponding author

Correspondence to Sufang Zhou.

Ethics approval and consent to participate

Not applicable.

Consent for publication

The research has consent by all authors and there is no conflict.

Competing interests

The authors declare no competing interests.

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.

Reprints and permissions