Multiple time servers timed-release encryption based on Shamir secret sharing for EHR cloud system

Electronic health record (EHR) cloud systems, as a primary tool driving the informatization of medical data, have positively impacted both doctors and patients by providing accurate and complete patient information. However, ensuring the security of EHR cloud systems remains a critical issue. Some patients require regular remote medical services, and controlling access to medical data involving patient privacy during specific times is essential. Timed-release encryption (TRE) technology enables the sender to preset a future time T at which the data can be decrypted and accessed. It is a cryptographic primitive with time-dependent properties. Currently, mainstream TRE schemes are based on non-interactive single time server methods. However, if the single time server is attacked or corrupted, the security of TRE applications is directly threatened. Although some research schemes "distribute" the single time server into multiple ones, they still cannot resist the single point of failure problem. To address this issue, we propose a multiple time servers TRE scheme based on Shamir secret sharing and another variant derived from it. In our proposed schemes, the data receiver does not need to interact with the time servers; instead, the receiver only needs to obtain a number of time trapdoors that equals or exceeds the preset threshold value for decryption, which ensures the identity privacy of the data sender and tolerates partial downtime or other failures of some time servers, significantly improving TRE reliability. Security analysis indicates that our proposed schemes demonstrate data confidentiality, verifiability, anti-advance decryption, and robust decryption with multiple time trapdoors, making them more practical. Efficiency analysis indicates that although our schemes have slightly higher computational costs than the most efficient existing TRE schemes, such differences are insignificant from a practical application perspective.


Introduction
With the advent of the information age, healthcare institutions are rapidly evolving towards informatization, giving rise to electronic health record (EHR) cloud systems [1]. EHR cloud systems significantly enhance productivity in resource sharing, providing robust support for healthcare professionals. By including comprehensive patient information, an EHR cloud system enables medical teams to have a more holistic understanding of patients' medical history, facilitating in-depth assessments and faster diagnoses. By digitizing and centrally managing patient medical information, healthcare personnel can easily access necessary data to support decision-making and the execution of medical plans [2,3].
Cloud computing, a computing paradigm based on the internet, plays a crucial role in healthcare data management by providing secure and reliable solutions for storing and processing large-scale medical data [4][5][6]. Cloud computing facilitates rapid access, sharing, and analysis of medical data, offering comprehensive support for healthcare decision-making. Additionally, the elastic and automated features of cloud computing enable healthcare institutions to adjust resources according to needs, improving data management efficiency and fostering innovation in medical research and patient care.
Despite the flexibility and efficiency brought by cloud computing to healthcare data management, security remains a critical concern. Particularly in the handling of patient privacy data, cloud storage and access services may pose risks of data leakage, leading to the unauthorized disclosure of sensitive patient information [5]. For example, in the case of patients with chronic diseases like diabetes, who regularly upload data through remote monitoring devices, there is a potential for unauthorized data access if this physiological data is stored on an EHR cloud system. In such scenarios, a cryptographic technology that can control the decryption time becomes a key technology to ensure patient privacy. Timed-release encryption (TRE) allows users to preset a decryption time, and access is only permitted after the decryption time, effectively preventing unauthorized privacy infringements. For instance, a medical cloud system could use a multiple time servers scheme to encrypt the physiological data of each patient and set a specific decryption time. At the designated weekly decryption time, doctors can decrypt and analyze the patient's physiological data for regular remote assessments. This periodic assessment helps doctors better understand the patient's health condition. Such a security measure not only provides more reliable privacy protection for patients but also ensures the security of sensitive medical data on the EHR cloud system.
The setting of a specific decryption time is not just for security; it is based on a series of reasonable considerations. Firstly, it helps prevent patients from excessive anxiety, as they know that doctors will only review the data at the specific time, allowing them to focus on daily life during this period and alleviate unnecessary worries. Secondly, this method encourages patients to actively participate in their health management, showcasing better physiological data. Moreover, it avoids premature intervention in medical decisions, ensuring that doctors make accurate medical decisions with sufficiently stable data. Lastly, this security measure simultaneously upholds patient privacy rights by limiting access to data, reducing the risk of data misuse or improper use, and providing more reliable privacy protection for patients. This periodic assessment not only helps doctors better understand the patient's health condition but also ensures the security of sensitive medical data on the EHR cloud system while safeguarding patient privacy.
Therefore, TRE with specific decryption times is crucial in medical practice, not only ensuring security but also promoting the patient recovery process, becoming an important and meaningful component of medical data management. This paper aims to propose a multiple time servers TRE scheme based on Shamir secret sharing for EHR cloud systems. The data receiver only needs to obtain time trapdoors published by time servers exceeding or equal to the threshold value. This ensures that the decryption process can be completed even in the event of time server failures or other faults, enhancing the system's fault tolerance and the reliability of data decryption.

Related work
TRE [7,8] is a cryptographic primitive that can control the decryption time. Its core idea is to introduce the time factor into the general encryption scheme so that the receiver can only decrypt the ciphertext at a specified time in the future. TRE is suitable for solving many time-dependent real-world and virtual applications, such as sealed bidding, timed release of electronic documents, and electronic voting blockchain applications [9], etc.
The TRE technology was first proposed by May [7]. In 1996, Rivest et al. [10] proposed two foundational TRE construction schemes: one based on time-lock puzzles (TLP) that relies on the factorization problem and another involving sender-proxy interactions for time and message release. These laid the theoretical foundation for sustained research in the field of TRE. Currently, TRE construction schemes include TLP methods [11][12][13][14][15][16], proxy methods [17][18][19][20][21][22], and other methods [23][24][25][26][27][28][29]. In the TLP-based TRE schemes, the decryption key is hidden in a mathematical formula. After the sender sends the ciphertext, the receiver needs to perform a large number of calculations. Among the TRE schemes based on other methods (network methods, quantum methods), for example, Unruh et al. [27] achieved revocable TRE based on quantum cryptography without trusted parties. Li et al. [26] explored a timed-release data scheme based on the blockchain network's smart contracts, recruiting several network nodes as middlemen (each middleman needs to pay a deposit) to send decryption keys to receivers at the specified decryption time T. Chae et al. [28] proposed a timed-release blockchain scheme that combines blockchain PoW algorithms with TLP algorithms. Compared with schemes proposed by Liu et al. [25] and Malavolta et al. [29], it employs standard encryption without requiring additional computational work, and its feasibility has been evaluated in an electronic voting application system.
Currently, most TRE schemes are constructed based on the time server approach. Depending on whether the receiver needs to interact with the time server, they can be divided into interactive and non-interactive time server modes. The former requires users to interact with the time server, which cannot guarantee user anonymity and may easily lead to denial-of-service attacks causing system paralysis, thus limiting the scalability of the scheme. In contrast, in TRE schemes constructed using the latter approach, the time server does not need to interact with users and may even be unaware of their existence. It only needs to calculate and broadcast a short signature-formatted time trapdoor at a specified time, ensuring the anonymity of user information and better scalability. Researchers have attempted to construct multiple time servers TRE schemes to prevent single-point attacks or corruption by attackers to reduce the risk of attackers breaking the entire TRE model. In 2021, Yuan et al. [30] proposed a non-interactive multiple time servers TRE scheme (MTSTRE scheme), which is the most efficient multiple time servers scheme. However, if one of the time servers fails, the data receiver will fail to decrypt the data normally at the specified time T. Therefore, this scheme has some defects in practicability.
Secret sharing techniques [31][32][33][34] can split a secret into multiple secret shares, allowing partial secret shares to reconstruct the complete secret. By appropriately utilizing this technology, this paper integrates the Shamir secret sharing technique into the MTSTRE scheme and designs a non-interactive TRE model for multiple time servers based on secret sharing (SS-MSTRE). This model allows for partial time trapdoor failure while still enabling data receivers to decrypt promptly, thus improving practicality.

Our contributions
We address the single point of failure problem in plain multiple time servers TRE schemes and propose a more practical SS-MSTRE scheme. Our main contributions are as follows:
• We migrate the Shamir secret sharing technique from prime fields to elliptic curve groups, enabling its use in cryptographic scheme constructions based on bilinear pairing-related hard problems.

Preliminary
In this section, we present the key notations involved in our schemes and briefly review the basic content of bilinear pairing, bilinear Diffie-Hellman (BDH) assumption, Shamir secret sharing algorithm, and the identity-based encryption scheme.

Key notations
For the convenience of understanding, we have given the key notations used in our schemes in Table 1.

Bilinear pairing
We give a form of bilinear pair and its properties, as follows.
Definition 1 Suppose $G_1$ is an elliptic curve discrete logarithmic problem (ECDLP) additive group over a finite field, $G_2$ is a discrete logarithmic problem (DLP) multiplicative group over a finite field, and the order of $G_1$ and $G_2$ is a prime number $q$. Using the bilinear pairing technique, the ECDLP additive group over a finite field can be reduced to the DLP multiplicative group over a finite field. The bilinear map is $e : G_1 \times G_1 \to G_2$, satisfying the following properties:
(1) Bilinear. For any $P, Q, R \in G_1$, there are
$$e(P + Q, R) = e(P, R)\,e(Q, R), \qquad e(P, Q + R) = e(P, Q)\,e(P, R) \tag{1}$$
(2) Nondegeneracy. If $g$ is a generator of $G_1$, then $e(g, g)$ is a generator of $G_2$.
(3) Computability. For any $P, Q \in G_1$, there is an effective algorithm to calculate $e(P, Q)$.
From the above properties, we can further deduce the property that the coefficients of bilinear pair elements can move freely, that is, $e(aP, bQ) = e(abP, Q) = e(P, abQ) = e(bP, aQ) = e(P, Q)^{ab}$. Admissible bilinear pairings can be constructed via the Weil and Tate pairings [35,36].

BDH assumption
The bilinear Diffie-Hellman (BDH) assumption plays a crucial role in the design of TRE schemes.
Definition 2 Given $P, aP, bP, cP \in G_1$, where $a, b, c \in \mathbb{Z}_p^*$ are unknown, the goal is to calculate $e(P, P)^{abc}$, where $e$ is a bilinear mapping and $P$ is a generator of $G_1$ as defined in Definition 1.
If $\Pr[A(P, aP, bP, cP) = e(P, P)^{abc}] \ge \varepsilon$, then the advantage of the adversary $A$ to overcome the BDH assumption is $\varepsilon$, and $\varepsilon$ is negligible.

Shamir secret sharing
Our schemes use the Shamir secret sharing algorithm to deal with the failure of partial time trapdoors when the specified decryption time comes. In the following, we give the basic flow of Shamir secret sharing algorithm and the definition of its access structure.
② Participants in set $\Gamma$ can reconstruct the secret.

Identity-based encryption
We

IBE.Setup($1^k$). Given a security parameter $1^k$, this algorithm outputs public parameters PP and the master secret key mk.
IBE.Extract(PP, mk, ID). Given a unique identifier $ID \in \{0, 1\}^*$ that can distinguish user identity information, the master key mk, and the public parameters PP, this algorithm outputs the corresponding private key $d_{ID}$.
IBE.Encrypt(PP, ID, M). Given plaintext M, public parameters PP, and an identifier ID that can distinguish user identity information, this algorithm outputs the corresponding ciphertext C.
IBE.Decrypt(PP, C, $d_{ID}$). Given ciphertext C, public parameters PP, and the user's private key $d_{ID}$, this algorithm outputs the corresponding plaintext M.

System model
The design goal of the proposed schemes is that the receiver can decrypt the ciphertext C normally at the decryption time specified by the sender. In this section, we introduce a common time server management organization to the system and further present our TRE system model based on Shamir secret sharing, as shown in Fig. 1. The system consists of five entities: the time server management organization, N time servers, the private key generator, the data sender, and the data receiver.
Time server management organization. The time server management organization is a fully trusted entity in the SS-MSTRE$_1$ scheme, while it is a semi-trusted entity in the SS-MSTRE$_2$ scheme. It is responsible for generating system parameters to initialize the system and using the Shamir secret sharing algorithm to generate key shares of N time servers. Simultaneously, utilizing the IBE.Encrypt algorithm defined in Definition 4, it sends the key shares to the corresponding time servers as their respective private keys.
N time servers. N time servers are semi-trusted entities responsible for providing an accurate time reference to the data receiver. In the proposed schemes, there is no need for interaction between N time servers and the data receiver, and they are responsible for broadcasting time trapdoors at a fixed frequency, such as every five minutes.
Private key generator. The private key generator is trusted for all N time servers. It is responsible for correctly executing each computational task for every time server, including using the IBE.Extract algorithm defined in Definition 4 to generate temporary public-private key pairs for N time servers. These temporary keys are used for data transmission between the time servers and the time server management organization.
Data sender. The data sender is a user who wishes the encrypted data to be decrypted at a specified time and is responsible for specifying the decryption time T, encrypting the plaintext M, and sending the ciphertext (C, T) to the data receiver.
Data receiver. The data receiver is a user who can only decrypt C at the time T specified by the data sender. To complete decryption, they must select at least t valid time trapdoors from multiple servers' published time trapdoors.

Security model
In this paper, we make the following assumptions:
(1) The private key generator is entirely trustworthy and can accurately perform computational tasks for each time server.
(2) The system has sufficient time servers operating normally to ensure that decryption can proceed normally.
(3) N time servers are honest but curious, meaning that they will follow the rules for providing services. However, they may save the input and output results to infer information related to decrypting the ciphertext sent by the sender.
The proposed schemes possess data confidentiality, verifiability, anti-advance decryption, and robust decryption with multiple time trapdoors. We will provide a detailed analysis in the Security analysis section.
It should be ensured that even if some time servers fail or are attacked, the data receiver can still use other sufficient time trapdoors for decryption.

Algorithm definition
Definition 5 Our non-interactive SS-MSTRE system includes five entities: the time server management organization, N time servers, the private key generator PKG, the data sender, the data receiver, and the algorithm 10-tuple {TSMO_Setup, PKG_Setup, TempKey_Extract, KeySharing, TS_KeyGen, User_KeyGen, Enc, TS_Rel, US_Rel, Dec}.
TSMO_Setup(k). It is a probabilistic initialization algorithm. Given a security parameter k, this algorithm outputs the private key sk of the time server management organization and the system parameters $params_{tsmo}$.
PKG_Setup( ). Given a security parameter , this algorithm outputs the master secret key MSK, the public key MPK, and the system parameters $params_{pkg}$ of the private key generator.
TempKey_Extract(IDs, $params_{pkg}$, MSK). Given a set of identity identifiers for N time servers IDs, the private key generator's system parameters $params_{pkg}$, and the private key generator's secret key MSK, this algorithm outputs a set temp of temporary public-private key pairs for N time servers.
KeySharing(sk, temp, MPK, $params_{pkg}$). Given the public key sk of the time server management organization, a temporary public-private key pairs set temp of N time servers, the public key MPK of the private key generator, and the system parameters $params_{pkg}$, this algorithm outputs N key share ciphertexts $\{C_1, C_2, \ldots, C_N\}$.
TS_KeyGen($C_i$, $temp^{(i)}_{priv}$, $params_{pkg}$, $params_{tsmo}$). Given the key share ciphertext $C_i$ corresponding to the time server $TS_i$, the temporary private key $temp^{(i)}_{priv}$ of the time server $TS_i$, the private key generator's system parameters $params_{pkg}$, and system parameters $params_{tsmo}$, this algorithm outputs the public key $ts^{(i)}_{pub}$ and private key $ts^{(i)}_{priv}$ of the time server $TS_i$.
User_KeyGen($params_{tsmo}$). This is a probabilistic algorithm for key generation. Given the system parameters $params_{tsmo}$, this algorithm outputs the data receiver's private key usk and public key upk.
TS_Rel($ts^{(i)}_{priv}$, $t_{instance}$, $params_{tsmo}$). This is a probabilistic algorithm for generating time trapdoors. Given the time server $TS_i$'s private key $ts^{(i)}_{priv}$, time instance $t_{instance}$, and system parameters $params_{tsmo}$, this algorithm outputs the corresponding time trapdoor $S^{(i)}_T$.
US_Rel(usk, T, $params_{tsmo}$). This is a probabilistic algorithm for generating the user's time trapdoor. Given the data receiver's private key usk, specified decryption time T, and system parameters $params_{tsmo}$, this algorithm outputs the time trapdoor $U_T$ of the data receiver.
Dec(C, STs, Xs, T, $U_T$, $params_{tsmo}$). This is a deterministic algorithm for joint decryption. Given the ciphertext C, the set of effective time trapdoors STs chosen by the data receiver, the set of identification numbers Xs corresponding to time servers, specified decryption time T, the data receiver's time trapdoor $U_T$, and system parameters $params_{tsmo}$, this algorithm outputs the plaintext M or ⊥.

Concrete schemes of SS-MSTRE
This section constructs two concrete SS-MSTRE schemes based on whether the time server management organization is trusted: SS-MSTRE$_1$ and SS-MSTRE$_2$. In SS-MSTRE$_1$, we assume that the time server management organization is trusted. In SS-MSTRE$_2$, we assume that the time server management organization is semi-trusted.

Construction of SS-MSTRE$_1$
Our non-interactive SS-MSTRE$_1$ works as follows:
④ Selects four secure hash functions: p as its master secret key $MSK = a \in \mathbb{Z}_p^*$ and calculates its master public key $MPK = aP$.
(3) temp ← TempKey_Extract(IDs, $params_{pkg}$, MSK). The private key generator runs the TempKey_Extract algorithm to generate a set of temporary public-private key pairs for N time servers. The following steps are required:
① Calculates the set of temporary public-private key pairs temp = temp for N time servers using their identity identifier set $IDs = \{ID_1, ID_2, \ldots, ID_N\}$, where
The time server management organization runs the KeySharing algorithm to generate secret key shares for N time servers. The following steps are required:
① The time server management organization selects secret sharing polynomial coefficients $a_1, a_2, a_3, \ldots, a_{t-1} \in \mathbb{Z}_p^*$ to construct Shamir secret sharing polynomial $a_i x^i \bmod p$, generate secret key share for time server $TS_i$ $(i = 1, 2, \ldots, N)$, where $x_i = i$ is the identification number of time server $TS_i$.
② The time server management organization selects a random number $\sigma \in \{0, 1\}^n$ and uses the IBE.Encrypt algorithm defined in Definition 4 to get the ciphertext $C_i$, which is sent to time server $TS_i$ using the temporary public key $temp_{pub}$, where $i = 1, 2, \ldots, N$.
TS_KeyGen($C_i$, $temp^{(i)}_{priv}$, $params_{pkg}$, $params_{tsmo}$). The time server $TS_i$ runs the TS_KeyGen algorithm to obtain its public key $ts^{(i)}_{pub}$ and private key $ts^{(i)}_{priv}$. The following steps are required:
① The time server $TS_i$ $(i = 1, 2, \ldots, N)$ receives the ciphertext $C_i$ from the time server management organization. It decrypts the ciphertext $C_i$ using its temporary private key $temp^{(i)}_{priv}$ to obtain its private key $ts^{(i)}_{priv}$. The time server $TS_i$ then calculates its public key $ts^{(i)}_{pub}$.
The data receiver runs the User_KeyGen algorithm to obtain its private key usk and its public key upk. The following steps are required:
① The data receiver selects a random number $u \in \mathbb{Z}_p^*$ as its private key $usk = u$, and calculates its public key $upk = uP$.
(7) C ← Enc(M, upk, $ts^{(i)}_{pub}$ $(i = 1, 2, \ldots, N)$, T, $params_{tsmo}$). The data sender runs the Enc algorithm using the data receiver's public key upk, and arbitrarily selects at least t public keys from N time servers' public keys $ts^{(i)}_{pub}$ to form a set $ts_{pub}$. Xs is the corresponding set of identification numbers for the time servers. The data sender specifies a decryption time $T \in \{0, 1\}^*$ to encrypt M. The following steps are required:
$S^{(i)}_T$ ← TS_Rel($ts^{(i)}_{priv}$, $t_{instance}$). The time server runs the TS_Rel algorithm at a fixed frequency (for example, every five minutes) to broadcast the time trapdoor. The following steps are required:
① On the time instance $t_{instance} \in \{0, 1\}^*$, the time server $TS_i$ calculates and periodically broadcasts the time trapdoor to all system users using its private key.
(9) $U_T$ ← US_Rel(usk, T, $params_{tsmo}$). The data receiver uses the decryption time T specified by the data sender and their private key usk to run the US_Rel algorithm and obtain their time trapdoor. The following steps are required:
① At the specified decryption time T, the data receiver calculates the time trapdoor $U_T = usk \cdot H_1(T) = uH_1(T)$ using the private key usk.
Assume that the ciphertext is $C = \langle X, Y \rangle$, the decryption time is T, the set of valid time trapdoors is $STs = \{S^{(1)}_T, S^{(2)}_T, \ldots, S^{(t)}_T\}$, the corresponding set of identification numbers for the time servers is $Xs = \{x_1, x_2, \ldots, x_t\}$, and the user's trapdoor is $U_T$. The correctness of decryption is verified as follows:

Construction of SS-MSTRE$_2$
In the real world, the time server management organization may be semi-trusted, so it is not possible to directly use the key shares published by the time server management organization as private keys for time servers. To solve this problem, it is necessary to improve the SS-MSTRE$_1$ scheme. The difference between the improved scheme and the SS-MSTRE$_1$ scheme is that each time server, after decrypting the key share ciphertext using the IBE.Decrypt algorithm defined in Definition 4, does not directly use the obtained key share itself as its private key. Instead, N time servers first "negotiate" a shared random number. Each time server then uses this shared random number and the decrypted key share to generate a new private key. The specific improvement method is as follows:
① At system initialization (ensuring that N time servers are all in normal working state), N time servers need to specify a particular time server $TS_j$ to generate a random number $R \in \mathbb{Z}_p^*$. Then, using the IBE.Encrypt algorithm defined in Definition 4, the time server $TS_j$ sends the random number R to the other time servers $TS_i$, where $i \neq j$. The time server $TS_i$ then uses the IBE.Decrypt algorithm defined in Definition 4 to obtain the shared random number R.
② The time server runs the TS_KeyGen algorithm to obtain $s_i$ and uses the shared random number R to calculate its private key $ts^{(i)}_{priv} = s_i R$, then calculates its public key $ts^{(i)}_{pub} = ts^{(i)}_{priv} P = s_i R P$.
Correspondingly, the Enc algorithm is modified as follows: C ← Enc(M, upk, $ts^{(i)}_{pub}$ $(i = 1, 2, \ldots, N)$, T, $params_{tsmo}$). The data sender runs the Enc algorithm using the data receiver's public key upk, and arbitrarily selects at least t public keys from N time servers' public keys $ts^{(i)}_{pub}$ to form a set $ts_{pub}$. Xs is the corresponding set of identification numbers for the time servers. The data sender specifies a decryption time $T \in \{0, 1\}^*$ to encrypt the data M. The following steps are required:
Correspondingly, the TS_Rel algorithm is modified as follows: $S^{(i)}_T$ ← TS_Rel($ts^{(i)}_{priv}$, $t_{instance}$). The time server runs the TS_Rel algorithm at a fixed frequency (for example, every five minutes) to broadcast the time trapdoor. The following steps are required:
① On the time instance $t_{instance} \in \{0, 1\}^*$, the time server $TS_i$ calculates and periodically broadcasts the time trapdoor $S^{(i)}_T = ts^{(i)}_{priv} H_1(t_{instance}) = s_i R H_1(t_{instance})$ to all system users using its private key.
Correspondingly, the Dec algorithm is modified as follows: M ← Dec(STs, Xs, T, $U_T$, $params_{tsmo}$). The data receiver runs the Dec algorithm to recover the plaintext M. The following steps are required:
① At the decryption time T specified by the data sender, the data receiver randomly selects a set of valid time trapdoors STs from the time trapdoors published by N time servers, ensuring that $|STs| \ge t$. Xs is the corresponding set of identification numbers for the time servers. Calculate the main time trapdoor
Assume that the ciphertext is $C = \langle X, Y \rangle$, the decryption time is T, the set of valid time trapdoors is $STs = \{S^{(1)}_T, S^{(2)}_T, \ldots, S^{(t)}_T\}$, the corresponding set of identification numbers for the time servers is $Xs = \{x_1, x_2, \ldots, x_t\}$, and the user's trapdoor is $U_T$. The correctness of decryption is verified as follows:
(10)

Security analysis
The security properties of our proposed schemes are analyzed as follows.
(1) Data confidentiality. The attacker aims to illegally analyze key-related information necessary for decrypting the ciphertext before the specified time T. Suppose the attacker attempts to recover the time server management organization's private key sk (in the SS-MSTRE$_2$ scheme, the parameter sR) and the user's private key usk from the time servers' public keys $ts^{(i)}_{pub}$ and the user's public key upk. This is equivalent to solving the ECDLP, which is currently considered infeasible. Suppose time server $TS_i$ stores many plaintext-ciphertext pairs, that is, pairs of the one-way hash value $H_1(T^*)$ of a decryption time and the time trapdoor $S^*_T$. It is still difficult for an attacker to recover the time server $TS_i$'s private key $ts^{(i)}_{priv}$ through a known-plaintext attack. The attacker can only obtain the corresponding private key by attacking t or more time servers to recover the main time trapdoor. However, this type of attack requires extremely high computational resources and time costs, making the probability of a polynomial-time attacker successfully breaking the ciphertext negligible.
(2) Verifiability. The time server obtains $s_i$ through the TS_KeyGen algorithm, calculates $r^* = H_3(\sigma, s_i)$ and $U^* = r^* P$, and then compares $U^*$ with the ciphertext $C_i$ to detect whether $s_i$ is legal and has not been tampered with. The time trapdoor is generated by combining a public hash function and the time server's private key, with the security of the time server's private key depending on the ECDLP. When the time server $TS_i$ sends the time trapdoor $S^{(i)}_T$ to the data receiver, the data receiver can also choose to use bilinear pairing technology to calculate and compare whether $e(ts^{(i)}_{pub}, H_1(T))$ and $e(P, S^{(i)}_T)$ are equal, to detect whether $S^{(i)}_T$ is legal and has not been tampered with. The verifiability of the intermediate ciphertext data can effectively detect whether the original data is damaged due to noise and other factors when transmitting ciphertext data over a public network and can also resist attackers intercepting and tampering with data to a certain extent.
(3) Anti-advance decryption. Assume that a dishonest receiver wants to decrypt the data before the specified decryption time. As long as the ECDLP and BDH are still difficult problems at the current stage, it is a very difficult task, or almost impossible, for the receiver to decrypt the ciphertext based on the existing time server public keys, the specified decryption time T, its private key, and the public system parameters.
(4) Robust decryption with multiple time trapdoors. Our schemes employ Shamir secret sharing for key distribution to construct the main time trapdoor. The data receiver only needs to obtain time trapdoors that equal or exceed the threshold value to complete decryption. Consequently, even if some of the time servers fail or are attacked, the data receiver can still use a sufficient number of time trapdoors for decryption, significantly enhancing the reliability of the multiple time server TRE scheme.
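The threshold behaviour of item (4), as an added example that is not code from the paper: Shamir shares $s_i = f(x_i)$ become time trapdoors $s_i H_1(T)$, and any $t$ of them are combined with Lagrange coefficients into the main time trapdoor, while fewer than $t$, or trapdoors for an earlier instant, give a different point. Assumptions: secp256k1 and a try-and-increment hash stand in for the pairing group $G_1$ and $H_1$, the Lagrange-weighted sum is the standard Shamir reconstruction applied to group elements (the paper's own formula is not reproduced on this page), all function names are hypothetical, and the pairing-based encryption and trapdoor check are not modelled.

```python
import hashlib
import secrets

# Assumption: secp256k1 stands in for the paper's pairing group G1; only the
# additive group law is needed to show how trapdoor shares combine.
P_FIELD = 2**256 - 2**32 - 977
N_ORDER = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
INF = None  # point at infinity

def ec_add(a, b):
    """Add two affine points on y^2 = x^3 + 7 over F_p."""
    if a is INF or b is INF:
        return b if a is INF else a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P_FIELD == 0:
        return INF
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P_FIELD)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_FIELD, -1, P_FIELD)
    lam %= P_FIELD
    x3 = (lam * lam - x1 - x2) % P_FIELD
    return (x3, (lam * (x1 - x3) - y1) % P_FIELD)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication (illustrative, not constant time)."""
    k %= N_ORDER
    acc = INF
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

def hash_to_point(label: bytes):
    """Stand-in for H_1: try-and-increment hashing of a time string onto the curve."""
    ctr = 0
    while True:
        digest = hashlib.sha256(label + ctr.to_bytes(4, "big")).digest()
        x = int.from_bytes(digest, "big") % P_FIELD
        rhs = (pow(x, 3, P_FIELD) + 7) % P_FIELD
        y = pow(rhs, (P_FIELD + 1) // 4, P_FIELD)  # square root, p = 3 mod 4
        if y * y % P_FIELD == rhs:
            return (x, y)
        ctr += 1

def make_shares(secret, t, n_servers):
    """KeySharing: s_i = f(i), f(x) = secret + a_1 x + ... + a_{t-1} x^(t-1)."""
    coeffs = [secret] + [secrets.randbelow(N_ORDER - 1) + 1 for _ in range(t - 1)]
    return {i: sum(c * pow(i, k, N_ORDER) for k, c in enumerate(coeffs)) % N_ORDER
            for i in range(1, n_servers + 1)}

def lagrange_at_zero(xs):
    """Coefficients l_j such that sum_j l_j * f(x_j) = f(0) (mod group order)."""
    lams = {}
    for j in xs:
        num = den = 1
        for m in xs:
            if m != j:
                num = num * (-m) % N_ORDER
                den = den * (j - m) % N_ORDER
        lams[j] = num * pow(den, -1, N_ORDER) % N_ORDER
    return lams

def ts_rel(share, t_instance: bytes, blind=1):
    """Time trapdoor s_i * R * H_1(t); blind=R, with R=1 modelling SS-MSTRE 1."""
    return ec_mul(share * blind, hash_to_point(t_instance))

def main_trapdoor(trapdoors):
    """Combine {x_i: S_i} into sum_i l_i * S_i without learning any s_i."""
    lams = lagrange_at_zero(list(trapdoors))
    acc = INF
    for x, s_t in trapdoors.items():
        acc = ec_add(acc, ec_mul(lams[x], s_t))
    return acc

def demo():
    """3-of-5 release: two servers down still works, two trapdoors do not."""
    t, n_servers = 3, 5
    sk = secrets.randbelow(N_ORDER - 1) + 1
    shares = make_shares(sk, t, n_servers)
    release = b"2030-01-01T00:00Z"   # constructed decryption time T
    earlier = b"2029-12-31T23:55Z"   # constructed earlier broadcast instant
    target = ec_mul(sk, hash_to_point(release))
    at_t = {i: ts_rel(s, release) for i, s in shares.items()}
    before_t = {i: ts_rel(s, earlier) for i, s in shares.items()}
    return {
        "servers_1_3_5": main_trapdoor({i: at_t[i] for i in (1, 3, 5)}) == target,
        "servers_2_4_5": main_trapdoor({i: at_t[i] for i in (2, 4, 5)}) == target,
        "only_two": main_trapdoor({i: at_t[i] for i in (1, 3)}) == target,
        "earlier_instant": main_trapdoor(before_t) == target,
    }

if __name__ == "__main__":
    print(demo())
```

Passing `blind=R` to `ts_rel` models the SS-MSTRE 2 private key $s_i R$; the combined trapdoor then equals $sR \cdot H_1(T)$ for the shared secret $s$.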
We further provide proof that the SS-MSTRE$_1$ scheme is semantically secure against adaptive CPA [22].
Theorem 1 Assume that adversary A has an advantage of $\varepsilon$ in breaking the SS-MSTRE$_1$ scheme. Meanwhile, let the probability of challenger B overcoming the BDH assumption defined in Definition 2 be at least $\varepsilon' = \varepsilon / (e\, q_T\, q_{H_2})$, where $e$ is the base of the natural logarithm, $q_{H_2}$ is the maximum number of queries that A can make to the random oracle $H_2$, and $q_T$ is the maximum number of queries that A can make to the time trapdoors of users and time servers.

Proof
Assume that there is an adversary A with advantage $\varepsilon$ in breaking the SS-MSTRE$_1$ scheme. A is limited to making no more than $q_{H_2}$ queries to the random oracle $H_2$ and no more than $q_T$ queries to the time trapdoors of the user and the time servers, where $q_T$ and $q_{H_2}$ are both positive. Let B be a challenger who can overcome the BDH assumption with a probability of at least $\varepsilon' = \varepsilon/(e\,q_T\,q_{H_2})$. Therefore, if the BDH assumption holds in $G_1$, then $\varepsilon'$ can be considered negligible, and the advantage of A in breaking the SS-MSTRE$_1$ scheme can also be considered negligible. B acts as the challenger in the simulation and interacts with A as follows:
Preparation : Let $G_1$ be an ECDLP additive group of prime order $q$, $G_2$ be a DLP multiplicative group of prime order $q$, and let the bilinear mapping $e : G_1 \times G_1 \to G_2$ satisfy Definition 1. Give the challenger B the public parameters. The goal of the challenger B is to output $v = e(P, P)^{abc} \in G_2$, where $P$ is the generator of $G_1$ and $a, b, c \in \mathbb{Z}_p^*$.
Setup : Challenger B gives adversary A the data receiver's public key $upk = u$ and the time servers' public keys $ts^{(i)}_{pub} = s_i P$ $(i = 1, 2, \ldots, N)$.
Initialization : The adversary A outputs the target of the attack, a pair of decryption time points $(T_0^*, T_1^*)$.
Phase 1 : The adversary A initiates queries $1, 2, \ldots, m$, and the challenger B responds to each of them. The response process of the $i$-th query is as follows:
The adversary A initiates a query to the random oracle $H_1$. Challenger B maintains an initially empty tuple list $H_1^{list}$: $\langle T_j, h_j, m_j, n_j \rangle$. When the adversary A initiates a query for the time trapdoor to the random oracle $H_1$ at a time point $T_i$, the challenger B responds as follows: The value of $h_i$ is uniformly distributed in $G_1$ and independent of the adversary A.
Similarly, adversary A initiates a query to the random oracle $H_2$. The challenger B maintains an initially empty tuple list $H_2^{list}$, and responds as follows: ① When the adversary A queries $H_2$ for $H_2(K_i)$ and there is no information containing $K_i$ in the list, the challenger B responds by choosing a new random value $V_i \in \{0, 1\}^{\log_2 q}$ and adding $(K_i, V_i)$ to the tuple list $H_2^{list}$ as the response value to the adversary A.
When the adversary A initiates a time trapdoor query at a time point $T_i \notin \{T_0^*, T_1^*\}$, the challenger B responds as follows: ① The challenger B runs the above $H_1$ query algorithm and obtains $H_1(T_i) = h_i$. Then, B takes the tuple $\langle T_i, h_i, m_i, n_i \rangle$ as the corresponding element in the tuple list $H_1^{list}$. ② If $n_i = 0$, the challenger B reports an error and terminates the entire simulation game.
We can also obtain $T_{u_i} = uH_1(T_i)$ and by transforming the formulas. Here, $T_{u_i}$ represents the legitimate user's time trapdoor at time point $T_i$ and $T_{T_i}$ represents the main time trapdoor at time point $T_i$. The challenger B returns $T_{u_i}$ and $T_{T_i}$ to the adversary A.
Challenge : The target of the challenge for the adversary A is a pair of decryption time points $(T_0^*, T_1^*)$. The challenger B produces the challenge ciphertext, and the response process is as follows: ① The challenger B performs two $H_1$ query algorithms to obtain $h_0^*$ and $h_1^* \in G_1$, and obtains 1 , the challenger B reports an error and terminates the entire simulation game.
Therefore, $C^*_\flat = [P_3, J]$ is the true and valid ciphertext corresponding to the time $T^*_\flat$.
Phase 2 : The adversary A again initiates time trapdoor queries for the user's time trapdoor and the time servers' time trapdoors, from $m + 1$ to $num$. The challenger B responds in the same way as in Phase 1.
Guess : The adversary A outputs a guess of $\flat$, denoted as $\flat' \in \{0, 1\}$, and guesses whether the ciphertext $C^*_\flat$ constructed by the challenger B in the Challenge phase is . At this point, the challenger B randomly chooses $(K_j, V_j)$ from $H_2^{list}$ and as a guess for $v = e(P, P)^{abc}$. If the adversary A has previously queried one of the items in , then the tuple list $H_2^{list}$ has a 1/2 probability of containing the tuple $(K_j, V_j)$, where If the challenger B chooses the tuple The entire simulation game ends at this point.
Next, we calculate the probability $\varepsilon'$ of the challenger B correctly outputting $v = e(P, P)^{abc}$, and assume that the simulation game can continue to the Guess phase without any termination in between. To this end, we begin by defining the following events:
Event $E_1$ : the challenger B does not terminate the game during the phase when the adversary A queries the time trapdoor.
Event $E_2$ : the challenger B does not terminate the game during the Challenge phase.
The probability of events $E_1$ and $E_2$ occurring is sufficiently high, and the following four claims are provided:
Claim 1 During the phase when the adversary A queries the time trapdoor, the probability of the challenger B not terminating the game is at least $1/e$, with $\Pr[E_1] \geq 1/e$.

Proof
Assume that the adversary A will not query the same time point twice. The response obtained from querying $H_1$ indicates that the probability of the challenger B terminating the game after one time trapdoor query by the adversary A is $1/(q_T + 1)$. However, the adversary A can query the time trapdoor up to $q_T$ times. Therefore, the probability of the challenger B not terminating the game after $q_T$ time trapdoor queries by the adversary A is $(1 - 1/(q_T + 1))^{q_T} \geq 1/e$.
Claim 2 In the Challenge phase, the probability of the challenger B not terminating the game is at least $1/q_T$, with $\Pr[E_2] \geq 1/q_T$.
$= H_2(e(P, P)^{c(u+s)(b+m^*_\flat)})$ (13)

Proof
Assume that the adversary A can generate a pair of designated decryption time points $(T_0^*, T_1^*)$ with the property $n_0^* = n_1^* = 1$; then the challenger B terminates the game in the Challenge stage. Since the adversary A has not queried the time trapdoors for $T_0^*$ and $T_1^*$, the values of $n_0^*$ and $n_1^*$ are not correlated with the adversary A. Therefore, $\Pr[n^*_\flat = 0] = 1/(q_T + 1)$ and $\Pr[n_0^* = n_1^* = 1] = (1 - (1/(q_T + 1)))^2 \leq 1 - 1/q_T$. It follows that the probability of the challenger B not terminating the game in the Challenge phase is at least $1/q_T$. During the game process, the adversary A is not allowed to query the time trapdoors for $T_0^*$ and $T_1^*$. Therefore, the events $E_1$ and $E_2$ are independent of each other, and it can be obtained that $\Pr[E_1 \cap E_2] \geq 1/(e\,q_T)$.
Assume that in the real attack game, the adversary A possesses the public key $upk = uP$ of the data receiver and the public keys $ts^{(i)}_{pub} = s_i P$ of the time servers $(i = 1, 2, \ldots, N)$. The adversary A sends a pair of decryption time points $(T_0^*, T_1^*)$ to the challenger B, and the challenger B generates a challenge ciphertext $C^*_\flat = [P_3, J]$ in response.

Claim 3
In the real attack game, the adversary A has a probability of at least $\varepsilon$ to initiate an $H_2$ query for either .
Prior to presenting the proof, we first provide the definitions for the following events:
Event $E_3$ : In the real attack game, the adversary A does not initiate an $H_2$ query for either .
Event $E_4$ : In the Guess phase, the adversary A outputs the correct guess value $\flat'$, where $\flat = \flat'$.

Proof
When event $E_3$ occurs, it can be seen from the bit $\flat \in \{0, 1\}$ that the ciphertext $C^*_\flat$ constructed by the challenger B is unrelated to the adversary A. Therefore, the probability of event $E_4$ occurring is at most $\Pr[E_4] = 1/2$. In a real attack, the adversary A has an advantage $\varepsilon$, where $\Pr[E_4] - (1/2) \geq \varepsilon$. This also indirectly indicates that $\Pr[\neg E_3] \geq 2\varepsilon$. The proof process of $\Pr[\neg E_3] \geq 2\varepsilon$ is as follows: Assume that the challenger B does not terminate the game, it means that in the simulated real game process, the adversary A has queried either

Claim 4
The probability of the challenger B successfully solving the BDH assumption in the Challenge stage is $\varepsilon/q_{H_2}$.

Proof
Assuming that the events described in Claim 3 occur, the value of one of the two possible cases of will be stored in the tuple list $H_2^{list}$. Therefore, in the Challenge phase, the challenger B will have a probability of $1/q_{H_2}$ to select (14) Pr If the challenger B does not terminate the simulation game, the probability of successfully solving the BDH assumption is $\varepsilon/q_{H_2}$. According to Claims 1 and 2, during the simulation game process, the probability that the challenger B does not terminate the game is at least $\varepsilon/(e\,q_T)$. And by Claim 4, if the challenger B does not terminate the simulation game, the probability of successfully solving the BDH assumption is $\varepsilon/q_{H_2}$.
In summary, through the above security simulation game, the probability of the challenger B successfully solving the BDH assumption is $\varepsilon/(e\,q_T\,q_{H_2})$. Theorem 1 is proven.
The above proof is equally applicable to the SS-MSTRE$_2$ scheme.

Efficiency analysis
In this section, we calculate the time consumption of our proposed SS-MSTRE schemes. We count only the Enc, TS_Rel and Dec algorithms (the two proposed SS-MSTRE schemes are basically consistent in operation) and do not count the costs of the TSMO_Setup, PKG_Setup, TempKey_Extract, KeySharing, TS_KeyGen, User_KeyGen and US_Rel algorithms (all of these can be done in advance and are not included in the statistical scope). The supersingular elliptic curve over the finite field $F_p$ ($p$ is a 512-bit prime number) is defined as $y^2 = x^3 + 1 \pmod p$, the prime order $q$ is 160 bits, and the bilinear mapping adopts the Tate pairing. $BP$ stands for the bilinear pairing operation; $PM_{ec}$ and $PA_{ec}$ represent point multiplication and point addition operations in group $G_1$; $Add$, $Sub$, $Mul$ and $Div$ represent modular addition, modular subtraction, modular multiplication, and modular division operations in $\mathbb{Z}_q^*$; $H_1$ represents a hash function that maps a binary string of any length to an element in $G_1$; $H_2$ represents a hash function that maps an element of $G_2$ to a binary string of length $\log_2 q$. We implement the above basic operations with the open-source big number cryptographic library MIRACL and use the approximate ratio method relative to the $PM_{ec}$ basic operation to record the time consumed by the other basic operations, obtaining the relative time-consumption table of basic operations shown in Table 2. The running environment is an Intel(R) Core(TM) i5-7500 CPU 3.40GHz processor, 64-bit PC host, 8GB memory, and Microsoft Visual Studio 2017. 987654321 is used as the random number seed, and after running the program, one $PM_{ec}$ operation takes about 1.5208 ms.
In the Enc algorithm, the data sender needs to complete the following operations: two $PM_{ec}$ and one $H_1$ for $rP$ and $rH_1(T)$, one $BP$ and one $PA_{ec}$ for $K' = e(rH_1(T), upk + tk)$ ($tk$ can be precalculated and is not counted here), and one $H_2$ for $M \oplus H_2(K')$. In the TS_Rel algorithm, the time server needs to complete the following operations: one $H_1$ and one $PM_{ec}$ for $S_T^{(i)} = ts_{priv}^{(i)} \cdot H_1(T)$. In the Dec algorithm, the data receiver needs to complete the following operations: $t$ Lagrange coefficients $\prod_{x_j \in Xs,\, x_j \neq x_i} \frac{-x_j}{x_i - x_j}$. Additionally, one $BP$ and one $PA_{ec}$ for $K' = e(X, S'_T + U_T)$, and one $H_2$ for $M = Y \oplus H_2(K')$. Therefore, we compare the calculation time of the MTSTRE scheme in literature [30] with our SS-MSTRE schemes, as shown in Table 3.
It can be seen from Table 3 that the differences in computation time consumption between the MTSTRE scheme in literature [30] and our two SS-MSTRE schemes are mainly reflected in the Enc and Dec algorithms. In the Enc algorithm, the MTSTRE scheme in literature [30] requires $N$ $PA_{ec}$, while our SS-MSTRE schemes only require one $PA_{ec}$; in the Dec algorithm, the MTSTRE scheme in literature [30] also needs $N$ $PA_{ec}$, while our SS-MSTRE schemes need to complete $t \cdot ((t - 1) \cdot Sub + 2(t - 2) \cdot Mul + Div + PM_{ec} + PA_{ec})$ operations when using the Lagrange interpolation polynomial to reconstruct the main time trapdoor. Assume that there are $m$ data senders in a certain application scenario. To compare the calculation cost of the two schemes, the calculation time of the MTSTRE scheme in the literature [30] may be expressed as follows:

$m\,Enc_t + TS\_Rel_t + m\,Dec_t = m(0.0074N + 6.1868) + 1.3214 + m(0.0074N + 3.8654)$ (15)

The calculation time of the SS-MSTRE schemes is expressed as follows:

$m\,Enc_t + TS\_Rel_t + m\,Dec_t = 6.1942m + 1.3214 + m(0.0021t^2 + 1.0066t + 3.8654)$ (16)

Generally speaking, the secret sharing threshold $t$ lies in the interval $[\lfloor N/2 \rfloor + 1, N]$, and different settings of the threshold $t$ also affect the computational efficiency of our schemes. We give a detailed application example to illustrate this in the Application example section.

Application example
Suppose the tenderer A is conducting a bidding process for a specific project, with the bid opening scheduled at "8:00 AM on March 8, 2023". Five bidders ($B_1, B_2, B_3, B_4, B_5$) are invited to participate in the bidding, and the number of time servers is set to 10. Tenderer A establishes a time trapdoor threshold value of $t$ for decrypting the submitted bids. We need to evaluate the computational costs of the Enc algorithm for the five bidders, the TS_Rel algorithm for the ten time servers, and the Dec algorithm for tenderer A to decrypt the five bids. The resulting comparison of the computational overhead in the sealed bidding application scenario is shown in Table 4. When the threshold value $t$ is set to 6, 7, and 8, the computation time of the proposed schemes in this paper is 82.1954, 87.3649, and 92.5554, respectively. Although these computational costs are higher than those of the MTSTRE scheme proposed in reference [30], the difference is negligible from a practical application perspective. Specifically, on an ordinary computer (such as the device environment used in this paper), the proposed schemes consume only an additional 0.04543 s, 0.05329 s, and 0.06119 s compared to the MTSTRE scheme, making the difference imperceptible at the human perception level.
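The threshold recovery behind the Dec step in this scenario (10 time servers, $t = 6$), as an added Python sketch that is not the paper's MIRACL code: it interpolates the published trapdoors "in the exponent" with the Lagrange coefficients $\prod_{x_j \neq x_i} (-x_j)/(x_i - x_j)$, so the receiver rebuilds the main time trapdoor without ever learning the shared key. Assumptions: a toy order-1019 subgroup of $\mathbb{Z}_{2039}^*$ stands in for $G_1$ (exponentiation replaces point multiplication), the pairing and ciphertext are omitted, and all function names are illustrative.

```python
import hashlib
import secrets

# Toy parameters (assumption): order-Q subgroup of Z_P^* with P = 2Q + 1.
# Exponentiation here plays the role of point multiplication in G_1.
P, Q, G = 2039, 1019, 4

def h1(T: str) -> int:
    """Stand-in for H_1: map a release time to a generator of the subgroup."""
    e = int.from_bytes(hashlib.sha256(T.encode()).digest(), "big") % (Q - 1) + 1
    return pow(G, e, P)

def deal(s: int, n: int, t: int) -> dict:
    """Shamir-share s among servers 1..n with a degree t-1 polynomial."""
    # Non-zero coefficients keep the degree exactly t-1, so t-1 shares never suffice.
    coeffs = [s] + [secrets.randbelow(Q - 1) + 1 for _ in range(t - 1)]
    return {x: sum(c * pow(x, k, Q) for k, c in enumerate(coeffs)) % Q
            for x in range(1, n + 1)}

def ts_rel(share: int, T: str) -> int:
    """Server side at time T: publish the trapdoor H_1(T)^share."""
    return pow(h1(T), share, P)

def lagrange_at_zero(xi: int, xs) -> int:
    """Coefficient prod_{xj != xi} (-xj)/(xi - xj) mod Q."""
    num = den = 1
    for xj in xs:
        if xj != xi:
            num = num * -xj % Q
            den = den * (xi - xj) % Q
    return num * pow(den, -1, Q) % Q

def combine(trapdoors: dict) -> int:
    """Receiver side: interpolate in the exponent over the given trapdoors."""
    xs = list(trapdoors)
    acc = 1
    for xi, st in trapdoors.items():
        acc = acc * pow(st, lagrange_at_zero(xi, xs), P) % P
    return acc

def demo(T="2023-03-08T08:00", n=10, t=6):
    s = secrets.randbelow(Q - 1) + 1             # shared time-server key
    published = {x: ts_rel(sh, T) for x, sh in deal(s, n, t).items()}
    master = pow(h1(T), s, P)                    # main trapdoor, toy form of s*H_1(T)
    up = [2, 3, 5, 7, 8, 10]                     # constructed case: 1, 4, 6, 9 are down
    ok = combine({x: published[x] for x in up}) == master
    short = combine({x: published[x] for x in up[:t - 1]}) == master
    return ok, short                             # (True, False)

if __name__ == "__main__":
    print(demo())
```

With four of the ten servers unavailable the six remaining trapdoors still yield the main trapdoor, while five trapdoors interpolate to an unrelated group element.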

Conclusions
This paper proposes a multiple time servers SS-MSTRE model based on Shamir secret sharing and presents two secure construction schemes. Our proposed schemes enable the receiver to recover the EHR using any number of time trapdoors greater than or equal to a predefined threshold value when the preset decryption time arrives, which addresses the issue of single-point failure commonly found in traditional multiple time servers TRE schemes. We conduct a security analysis of our schemes, provide a semantic security proof against adaptive CPA in the random oracle model, and employ the MIRACL big number arithmetic library to experimentally validate the efficiency of our schemes.
In future work, we will consider introducing other entities to complete the research on the TRE scheme with time-limited update key calculation and release together with the time server.Unlike the research idea of simply increasing the number of time servers, we aim to design other algorithms to construct a new encryption mechanism that solves the single point of failure problem in single time server TRE schemes.
(1) Data confidentiality. It should be ensured that attackers cannot illegally analyze the key information required for decrypting the ciphertext before the specified decryption time $T$.
(2) Verifiability. It should use some algorithms or methods to verify the validity and correctness of intermediate data to detect any tampering with the intermediate data.
(3) Anti-advance decryption. It should prevent dishonest receivers from decrypting EHR before the specified decryption time.
(4) Robust decryption with multiple time trapdoors.

Fig. 1 SS-MSTRE system

(10) $M \leftarrow Dec(C, STs, Xs, T, U_T, params_{tsmo})$. The data receiver runs the Dec algorithm to recover the plaintext $M$. The following steps are required: ① At the decryption time $T$ specified by the data sender, each of the $N$ time servers sends the corresponding time trapdoor $ST$, so that there are $N$ time trapdoors $STs$. The data receiver randomly selects a set of valid time trapdoors $STs$ from the time trapdoors published by the $N$ time servers, ensuring that $|STs| \geq t$. $Xs$ is the corresponding set of identification numbers for the time servers. Calculate the main time trapdoor $S'_T$

Table 1
Key notations

Access structure. Suppose the set of $n$ participants is $P = \{p_i \mid i = 1, 2, \ldots, n\}$ and $\Gamma$ is an access structure on set $P$, where $\Gamma \subseteq 2^{|p|}$, $2^{|p|}$ represents all sets of non-empty subsets on set $P$, satisfying the following properties.
(1) $(params_{tsmo}, sk) \leftarrow TSMO\_Setup(k)$. The time server management organization runs the TSMO_Setup algorithm to generate the system initialization parameters. The time server management organization selects the security parameter $k$ and performs the following operations:
① Selects a prime order $p$; $G_1$ and $G_2$ are a $p$-order ECDLP additive group and DLP multiplicative group, respectively.
② Selects a random generator $P \in G_1$.
③ Selects a bilinear mapping $e : G_1 \times G_1 \to G_2$ that satisfies Definition 1.
④ Selects two secure hash functions: $H_1 : \{0, 1\}^* \to G_1$ and $H_2 : G_2 \to \{0, 1\}^n$, where $n$ represents the length of the message.
⑤ Selects a random number $s \in \mathbb{Z}_p^*$ as its private key $sk = s \in \mathbb{Z}_p^*$.
⑥ Defines a threshold value $t$.
⑦ Outputs the system parameters $params_{tsmo} = \{p, P, G_1, G_2, e, H_1, H_2, n, t\}$ and the private key $sk$.
(2) $(params_{pkg}, MPK, MSK) \leftarrow PKG\_Setup(\ )$. The private key generator runs the PKG_Setup algorithm to generate its initialization parameters. The private key generator selects the security parameter and performs the following operations:
① Selects a prime order $p$; $G_1$ and $G_2$ are a $p$-order ECDLP additive group and DLP multiplicative group, respectively.
② Selects a random generator $P \in G_1$.
③ Selects a bilinear mapping $e : G_1 \times G_1 \to G_2$ that satisfies Definition 1.

Table 2
Calculation cost of related basic operations relative to the $PM_{ec}$ operation

Table 4
Comparison of time consumption in sealed bidding application scenario