Provably Secure Security-Enhanced Timed-Release Encryption in the Random Oracle Model

Cryptographic primitive of timed-release encryption (TRE) enables the sender to encrypt a message which only allows the designated receiver to decrypt after a designated time. Combined with other encryption technologies, TRE technology is applied to a variety of scenarios, including regularly posting on the social network and online sealed bidding. Nowadays, in order to control the decryption time while maintaining anonymity of user identities, most TRE solutions adopt a noninteractive time server mode to periodically broadcast time trapdoors, but because these time trapdoors are generated with fixed time server’s private key, many “ciphertexts” related to the time server’s private key that can be cryptanalyzed are generated, which poses a big challenge to the confidentiality of the time server’s private key. To work this out, we propose a concrete scheme and a generic scheme of security-enhanced TRE (SETRE) in the random oracle model. In our SETRE schemes, we use fixed and variable random numbers together as the time server’s private key to generate the time trapdoors. We formalize the definition of SETRE and give a provably secure concrete construction of SETRE. According to our experiment, the concrete scheme we proposed reduces the computational cost by about 10.8% compared to the most efficient solution in the random oracle model but only increases the almost negligible storage space. Meanwhile, it realizes one-time pad for the time trapdoor. To a large extent, this increases the security of the time server’s private key. +erefore, our work enhances the security and efficiency of the TRE.


Introduction
Cryptographic primitive of timed-release encryption (TRE) [1,2] requires the sender to set a specified time for the designative receiver to decrypt the secret message. With TRE, the sender encrypts a message and then sends to the receiver; before the decrypt time that the sender has set arrives, no one can decrypt this ciphertext. With the efforts of many distinguished scholars, TRE has developed into a basic cryptographic primitive, which can be combined with many other cryptographic primitives and applied to different fields, such as regularly posting on the social network [3,4], edge caching [5], and ciphertext retrieval [6,7].
According to the latest research, the TRE constructions have been extended from the mathematical problems  to the physical problems [29,30] and the blockchain approach [31][32][33][34]. At present, a large number of TRE constructions are based on the mathematical problems. In practical terms, the most commonly used model is the noninteractive time server model. In this model, for the time server, neither the sender nor the receiver of the message interacts with it. e time server periodically broadcasts the time trapdoor. e receiver chooses the time trapdoor corresponding to the decryption time of the ciphertext to complete the decryption at the designated time.
However, in the current noninteractive TRE schemes, many time trapdoors related to the time server's private key will be generated.
is will cause the attacker to have a certain amount of pairs (time, time trapdoor). Although the problems related to bilinear pairing are difficult to solve, the attacker can still adopt chosen-plaintext attack (CPA) or chosen-ciphertext attack (CCA) to attack the system, which seriously challenges the security of the private key of the time server. us, in this paper, we are working on this problem and trying to construct a solution.
In the solutions of the noninteractive server model, the time server's private key is used to perform an encryptionlike operation on the hash function value of a time point T to generate a corresponding time trapdoor. erefore, this model produces many pairs (plaintext, ciphertext) related to the private key of the time server. In response to this problem, we need to construct a new solution.

Our Contributions.
We reexamine the noninteractive time server model in which the time server's private key is repeatedly used, resulting in many pairs (plaintext, ciphertext) related to the private key of the time server. In order to solve this problem, we construct a security-enhanced timed-release encryption (SETRE) solution based on the BDH assumption.
As we all know, in the operations of encryption and decryption, we use the private key k to encrypt the plaintext M and get the ciphertext C � E k (M) and use the private key k to decrypt the ciphertext C and get the plaintext M � D k (C). Similarly, we let the private key s and the hash function value H(T) of a time point T perform some operations together to generate the corresponding time trapdoor S T � E s (H(T)); correspondingly, we can get H(T) � D s (S T ). In the above statement, S T is equivalent to the ciphertext C, and H(T) is equivalent to the plaintext M. If the attacker has many pairs (plaintext, ciphertext), then the security of the time server's private key will be greatly threatened.
Our SETRE schemes include a concrete scheme and a generic scheme. In our SETRE, the time server will use a random number x as the time server's session private key every time before publishing the time trapdoor. is session private key is combined with the time server's fixed private key to generate the time trapdoor S T � E (s,x) (H(T)) of our SETRE. erefore, in our SETRE schemes, the secret private key involved in every generated time trapdoor is different. So, we can claim that our schemes realize one-time pad for the time trapdoor. In this case, the attacker can only get a pair of (plaintext, ciphertext) about the time point and its time trapdoor at most. Even if the attacker successfully obtains the private key of the time server corresponding to a time trapdoor, he cannot get the private key of the time server corresponding to other time trapdoors so that the time trapdoor cannot be generated in advance, which ensures that the receiver cannot decrypt in advance.

Organization. We begin by explaining what is SETRE.
In Section 2, we give some cryptographic background and our generic public key encryption scheme. In Section 3, we formally define our SETRE and its simulation security game model. In Section 4, we present the concrete construction of SETRE and give its provably secure proof and the efficiency analysis. In Section 5, we provide the formal definition and construction of the generic SETRE and give its security analysis and efficiency analysis. Finally, we give the conclusion and future work.

Preliminary
We give a brief review of the bilinear pairing property, BDH assumption, and our generic public key encryption scheme that needs to be known in this section.

Properties of Bilinear Pairings.
We give a form of bilinear pairings and their properties as described below. Definition 1. Let G 1 be an elliptic curve discrete logarithm problem (ECDLP) additive group over a finite field, G 2 be a discrete logarithm problem (DLP) multiplicative group over a finite field, and the order of G 1 , G 2 be a prime number q.
e mapping e: G 1 × G 2 ⟶ G 2 is a bilinear pairing mapping if e satisfies (1) Bilinear property: given any P, Q, R ∈ G 1 , the following operations hold: (2) Nondegeneracy: suppose that the generator of group G 1 is P, then the generator of group G 2 is e(P, P). (3) Computability: given any two elements P, Q ∈ G 1 , there must be an effective algorithm for calculating e(P, Q).

BDH Assumption.
Many cryptographic schemes are based on various difficult assumptions related to bilinear pairs, such as the (D)BDH assumption, (D)BDHI assumption, and (D)BDHE assumption [35,36]. We now give the definition of the BDH assumption used in our SETRE schemes as follows.
Definition 2. Let G 1 be an ECDLP additive group over a finite field, P be the generator of G 1 , G 2 be a DLP multiplicative group over a finite field, and the order of G 1 , G 2 be a prime number q. Given P, aP, bP, cP ∈ G * 1 (a, b, and c are evenly distributed in Z * q ), calculate e(P, P) abc ∈ G * 2 . If Pr[A(P, aP, bP, cP) � e(P, P) abc ] ≥ E, then the advantage of the adversary A to solve the BDH assumption is E, and E is negligible.

General
Public Key Encryption Scheme. We simplify and abstract public key encryption (which has a certain characteristic) and only keep three phases which are initialization, encryption, and decryption; then, the general public key encryption (GPKE) scheme can be obtained.
Definition 3. E GPKE � (Setup, Enc, Dec) is the public key encryption algorithm, where Setup: generates system public parameters and the user's public key and private key pairs (upk, usk) � (uP, u) in which u ∈ Z * q , P ∈ G 1 is a generator of G 1 , and G 1 is an additive group Enc: uses the user's public key uP to encrypt the plaintext to get the ciphertext C GPKE � Enc(M, uP) Dec: uses the user's private key u to decrypt the ciphertext to get the plaintext M � Dec(C GPKE , u)

SETRE: Definitions
Suppose Bob is a social network user, and he wants to upload documents scheduled to be published regularly to the social network platform in advance so that he can pay attention to other things without worrying about this matter. And Bob does not want the social network platform to know in advance what he wants to publish. In this application scenario, Bob can use our SETRE solution to solve this problem securely and efficiently. Bob sends the following ciphertext of the document in advance with the designated decryption time: where M is one of the documents planned to be released at a designated time point in the future, ts pub and ts spub are the time server's fixed public key and session public key, respectively, upk is the receiver's public key, r is a random number as a factor of freshness, and T is the designated decryption time. e social network platform can obtain the ciphertext of the document in advance but can only decrypt it in the future after the predetermined decryption time has arrived. We call such a cryptographic scheme noninteractive SETRE. Setup: generates a public parameter params from a security parameter TS KeyGen: calculates and generates the fixed public/ private key pair (ts pub , ts priv ) and the session public/ private key pair (ts spub , ts spriv ) of the time server User KeyGen: calculates and generates the public/ private key pair (upk, usk) of the system user Enc: calculates the ciphertext C of the plaintext M, by using the public keys ts pub , ts spub , and upk, and a designated decryption time point T ST Rel: calculates a time server's time trapdoor S T , by using the time server's fixed private key ts priv , a designated decryption time point T, and its corresponding session private key ts spriv UT Rel: calculates a user's time trapdoor U T , by using the receiver's private key usk and a designated decryption time point T Dec: calculates a plaintext M, by using a ciphertext C, the time server's time trapdoor S T , and the receiver's time trapdoor U T ; or outputs a "reject" message We use the simulation security game between the adversary A and the challenger B to formally define the security against the active adversary A. e specific formal definition is as follows: Preparation: public parameters are generated by the system.
Initialization: a pair of designated decryption time points T * 0 and T * 1 to be challenged is selected by the adversary A.
Setup: the public parameters params and public keys upk, ts pub , and ts spub are generated by the challenger B and sent to the adversary A. Phase 1: the adversary A performs m queries of q 1 , q 2 , . . . , q m , where query q i is one of the following: (1) At any time point, the adversary A can perform queries of the random oracles H 1 and H 2 . In response to H 1 and H 2 queries, the challenger B keeps two lists of H 1 -list and H 2 -list. (2) Time trapdoor queries: time trapdoor query S T i and ese queries can be adaptive, which means that the response of q i can be determined based on the responses of q 1 , q 2 , . . . , q i− 1 previously queried.

Security and Communication Networks 3
Challenge: a pair of designated decryption time points T * 0 and T * 1 to be challenged is selected by the adversary A. e challenger B selects a random bit ♭ ∈ 0, 1 { }, sets the ciphertext to be (C * ♭ , T * ♭ ), and then sends the challenge ciphertext (C * ♭ , T * ♭ ) to A. Phase 2: the adversary A performs other queries of q m+1 , . . . , q num , and the challenger B responds as shown in Phase 1. Guess: in the end, the adversary A outputs a guess of ♭ ′ ∈ 0, 1 { }. If ♭ � ♭ ′ , then A wins the simulation security game.
We call such an adversary A an IND-sT-CCA adversary, and we can formally define the advantages of A attack our concrete SETRE scheme E as Definition 5. Our concrete SETRE scheme E is said to be (t, q H 2 , q T , q C , ε)-selective designated decryption time, adaptive chosen-ciphertext secure if for any t-time IND-sT-CCA adversary A that performs at most q H 2 H 2 queries, q T chosen designated decryption trapdoor queries, and q C chosen decryption queries, we have that Adv CCA We define our concrete SETRE scheme E to be IND-sT-CPA secure by simply disallowing the adversary A to perform decryption queries in the simulation security game described above.

Concrete Scheme of SETRE
We will attempt to propose a concrete scheme of SETRE based on the BDH assumption in the random oracle model.

Construction.
e server-passive, scalable, user-anonymous TRE scheme proposed by Black and Chan (abbreviated as BC-TRE) laid the foundation of TRE. We now describe the concrete SETRE construction scheme. e scheme includes the following algorithm 7 tuples: Setup: generates a public parameter params � G 1 , G 2 , q, e, P, H 1 , H 2 , n from a security parameter k, where G 1 is an ECDLP additive group over a finite field, G 2 is a DLP multiplicative group over a finite field, and the order of G 1 , G 2 is a prime number q, e: G 1 × G 1 ⟶ G 2 is a bilinear mapping that satisfies Definition 1, P ∈ G * 1 is the generator of additive group G 1 , and H 1 : 0, 1 { } * ⟶ G 1 and H 2 : G 2 ⟶ 0, 1 { } n (n is the length of the plaintext) are hash functions. TS-KeyGen: the time server selects a random number s ∈ Z * q as the private key ts priv � s ∈ Z * q of the time server and then calculates and generates the time server's public key ts pub � sP. Similarly, the time server selects a random number set as the session private key set TS spriv � x 1 , x 2 , . . . , x l ∈ Z * q of the time server and then calculates and generates the corresponding time server's session public key set TS spub � x 1 P, x 2 P, . . . , x l P ∈ G * 1 in which l ≈ 175200 if we assume that a time trapdoor needs to be generated every half an hour and meet the demand for 10 consecutive years. User-KeyGen: a user selects a random number u ∈ Z * q as its private key usk � u ∈ Z * q and then calculates and generates the system user's public key upk � uP. Enc: the sender uses the public key upk r � uP of the receiver, the public key ts pub � sP of the time server, a designated decryption time point T ∈ 0, 1 { } * , and the time server's session public key ts spub � xP corresponding to the designated decryption time point T ∈ 0, 1 { } * to encrypt the plaintext M as the following operations: (1) Selects a random number r ∈ Z * q and calculates TS-Rel: the time server takes its own fixed private key ts priv � s and the session private key ts spriv � x of the current release time T and produces the time server's time trapdoor S T � (s + x)H 1 (T). UT_Rel: the receiver takes the private key usk � u of his own and the current designated decryption time T and produces the user's time trapdoor U T � uH 1 (T). Dec: the receiver uses the time trapdoors S T and U T of the designated decryption time point T ∈ 0, 1 { } * to decrypt the ciphertext C � 〈U, V〉 as the following operations: Suppose C is the valid ciphertext; then, we have U � rP and V � M⊕H 2 (K). We can verify the correctness of the decryption as described in the following:

Security of the Scheme.
We give the proof that our SETRE scheme is noninteractive and semantically secure against CPA in the random oracle model, supposing that the BDH assumption is true [37].

Theorem 1.
Suppose that there is an adversary A who can break our SETRE scheme with the advantage of ϵ; then, a challenger B, who can overcome the BDH problem with probability at least ε′ � ε/eq T q H 2 , is constructed, where e is the natural logarithm's base and q T and q H 2 are the maximum number of times we assume the adversary A can query the time trapdoor and H 2 hash operation.
Proof. Let A denote an adversary who has advantage ϵ to break the SETRE. Assume that A performs no more than q H 2 hash operation queries to H 2 , no more than q T user trapdoors, and the time server trapdoor queries, where q T and q H 2 are positive. Let B denote a challenger who overcomes the BDH problem with probability no less than ε ′ � ε/eq H 2 q T . erefore, if the BDH assumption holds in G 1 , then we can ignore ε ′ ; furthermore, the advantage of A to break the SETRE can be ignored. And B, who simulates as the challenger, will interact with adversary A as follows: Preparation: let G 1 be an ECDLP additive group over a finite field, G 2 be a DLP multiplicative group over a finite field, the order of G 1 , G 2 be a prime number q, e: G 1 × G 1 ⟶ G 2 be a bilinear mapping that satisfies Definition 1, and P ∈ G * 1 be the generator of additive group G 1 . Give the challenger B the public parameter P, P 1 � aP � uP + sP + xP, P 2 � bP, and P 3 � cP ∈ G 1 ; the goal of B is to calculate the value of v � e(P, P) abc ∈ G 2 , where a, b, c ∈ Z * q . Initialization: the adversary A outputs a pair of designated decryption time points T * 0 and T * 1 to be challenged. Setup: the challenger B gives A the public keys upk r � uP, ts pub � sP, and ts spub � xP. Phase 1: the adversary A initiates 1, . . . , m queries, and B gives the response, respectively, where for the i-th query, B's response is described as follows: (  game and admits failure. ③ If n i � 1, we obtain h i � m i · P ∈ G 1 . Let T u i � m i · upk r and T T i � m i · (ts pub + ts spub ); then, we can transform them to get T u i � uH 1 (T i ) and T T i � (s + x i )H 1 (T i ). erefore, T u i is the correct and legal user time trapdoor of T i , and T T i is the correct and legal time server trapdoor of T i . B gives T u i and T T i to A.
Challenge: the adversary A selects a pair of designated decryption time points (T * 0 , T * 1 ) to be challenged. e challenger B produces the challenge ciphertext as follows: ① e challenger B runs the above H 1 query algorithm twice to obtain h * 0 and h * 1 ∈ G 1 which satisfy H 1 (T * 0 ) � h * 0 and H 1 (T 1 ) � h * 1 . ② For i � 0, 1, we let 〈T * 0 , h * 0 , m * 0 , n * 0 〉 and 〈T * 1 , h * 1 , m * 1 , n * 1 〉 to be the corresponding tuples on the H 1 -list. If n 0 ′ � n 1 ′ � 1, then the challenger B aborts the simulation security game and admits failure.

Security and Communication Networks
③ Obviously, at least one of n * 0 and n * 1 must be equal to zero. B randomly takes ♭ ∈ 0, 1 { } such that n ♭ � 0. ④ B takes the challenge ciphertext C * ♭ � [P 3 , J] for random J ∈ 0, 1 { } log 2 p as its response. Obviously, this challenge implicitly defines H 2 (e(H 1 (T * ♭ ), c · upk r ) · e(H 1 (T * ♭ ), c · ts pub ) · e(H 1 (T * ♭ ), c · ts spub♭ )) � J. at is to say, It can be seen that C * ♭ is the corresponding valid and real ciphertext for T * ♭ . Phase 2: the adversary A performs other queries of q m+1 , . . . , q num , and the challenger B responds as shown in Phase 1. Guess: in the end, the adversary A outputs a guess of ♭ ′ ∈ 0, 1 { } to indicate whether the challenge ciphertext C * ♭ is a valid ciphertext for Enc(upk r , ts pub , ts spub0 , T * 0 ) or Enc(upk r , ts pub , ts spub1 , T * 1 ). Now, the challenger B randomly selects a tuple (K j , V j ) from the H 2 -list and outputs K/e(upk r , ts pub , ts spub♭ , P 3 ) m * ♭ as a guess of e(P, P) abc . If A has ever inquired about one of H 2 (e(cH 1 (T * 0 ), upk r + ts pub + ts spub0 )) or H 2 (e (cH 1 (T * 1 ), upk r + ts pub + ts spub1 )), the H 2 -list has a probability of 1/2 that contains (K j , V j ), K j � H 2 (e(cH 1 (T * ♭ ), upk r + ts pub + ts spub♭ ) � H 2 (e(P, P) c(u+s+x ♭ )(b+m * ♭ ) )). If B takes this tuple (K j , V j ) from the H 2 -list, then K/e(upk r , ts pub +ts spub♭,P 3 ) m * ♭ � e(P, P) abc . e whole security simulation game is completed here. Next, we calculate the value of ϵ ′ which is the lowest probability of B correctly outputting e(P, P) abc . It is easy to know that the premise that it can correctly output its guess value of e(P, P) abc is that the game can continue to the guessing stage without terminating the game in the middle. Now, we analyze the possibility that B does not terminate the game while the game is in progress. For this purpose, we first give the definition of the following events: E 0 : in the stage when the adversary A performs queries of the time trapdoor, the challenger B does not terminate the simulation security game E 1 : in the challenge stage, the challenger B does not terminate the simulation security game We first state that, as in [38], events E 1 and E 2 occur with a high enough probability. Next, we give the following three claims. Claim 1 : in the stage when the adversary A performs queries of the time trapdoor, the probability that the challenger B does not terminate the simulation security game is 1/e at least. us, P r [E 0 ] ≥ 1/e. □ Proof. When the adversary A queries for the time trapdoor of time points, for the sake of generality, we suppose that A does not query the same time trapdoor twice. A trapdoor (the user's time trapdoor or the time server's time trapdoor) query causes B to terminate the simulation security game with a probability of 1/(q T + 1); therefore, a trapdoor query does not cause B to terminate the game with a probability of (1 − 1/(q T + 1)). In addition, since the maximum number of times A can query the time trapdoor is q T , the probability that the simulation security game will not be terminated after q T queries is (1 − 1/(q T + 1)) q T ≥ 1/e at least. Claim 2: in the challenge stage, the probability that the challenger B does not terminate the simulation security game is 1/q T at least. us, P r [ If the adversary A can generate T * 0 , T * 1 with the property n * 0 � n * 1 � 1, then the challenger B will terminate the simulation security game during the challenge stage. Since A has not queried for the trapdoor for T * 0 , T * 1 , we have that n * 0 , n * 1 are independent of A. erefore, P r [n * ♭ � 0] � 1/(q T + 1) for ♭ � 0, 1, and then we have that erefore, there is a probability of at least 1/q T that B does not terminate the game.
Since the adversary A is not allowed to query the time trapdoor of the designated decryption time T 0 , T 1 during the game, the events E 0 and E 1 are independent of each other, so we can get P r [E 0 ∩ E 1 ] ≥ 1/eq T . Assume that the adversary A has acquired the public keys upk r � uP, ts pub � sP, and ts spub � xP in the actual attack game. e adversary A selects a pair of designated decryption time points (T * 0 , T * 1 ) to be challenged. e challenger B produces the challenge ciphertext C * ♭ � [P 3 , J] as a response. erefore, we have the following Claim 3. Claim 3: in the actual attack game, the adversary A has at least the probability of ϵ to perform an H 2 query for one of H 2 (e(cH 1 (T * 0 ), upk r + ts pub + ts spub0 )), H 2 (e(cH 1 (T * 1 ), upk r + ts pub + ts spub1 )). Before giving the proof, we first give the definition of the following events: E 2 : in the actual attack game, A does not query either H 2 (e(cH 1 (T * 0 ), upk r + ts pub + ts spub0 )) or H 2 (e(cH 1 (T * 1 ), upk r + ts pub + ts spub1 )) E 3 : in the guess stage, A outputs the guess ♭ ′ of ♭ satisfying ♭ � ♭ ′ □ Proof. When E 2 occurs, it is obvious that the bit ♭ ∈ 0, 1 { } indicates whether C * ♭ is the challenge ciphertext corresponding to the designated decryption time, which has nothing to do with A's knowledge. us, the probability of P r [E 3 ] is 1/2 at most. In the real attack game, because A has the advantage of ϵ, we have |P r [E 3 ] − 1/2| ≥ ε and P r [¬E 2 ] ≥ 2ε. Now, we give the specific argument for the truth of P r [¬E 2 ] ≥ 2ε as follows: From the above two formulas, we know that us, we have P r [¬E 2 ] ≥ 2ε in the actual attack game. If the challenger B does not terminate the game, it means that, in the process of simulating the actual attack game, the adversary A has queried one of H 2 (e(cH 1 (T * 0 ), upk r + ts pub + ts spub0 )), H 2 (e(cH 1 (T * 1 ), upk r + ts pub + ts spub1 )). us, P r [¬E 2 ] ≥ 2ϵ. Claim 4: the probability that the challenger B can solve the BDH problem successfully in the guess stage is ϵ/q H 2 .

□
Proof. Assuming the event of Claim 3 occurs, the value of one of the two cases of e(cH 1 (T * ♭ ), upk r + ts pub + ts spub♭ ) will be stored in the H 2 -list. Consequently, in the guess stage, the challenger B has at least the probability of 1/q H 2 to select the correct pair from the H 2 -list. erefore, on the premise that B does not terminate the simulation game, the possibility that B can successfully solve the BDH problem is ϵ/(q H 2 ).
According to Claims 1 and 2, during the simulation game, the probability that the challenger B will not terminate the game is at least 1/eq T . And according to Claim 4, if B does not terminate the simulation security game, the probability that B can successfully solve the BDH problem is ϵ/q H 2 . erefore, through the security simulation game of the aforementioned adversary A and challenger B, the possibility of successfully solving the BDH problem is ε/eq T q H 2 . us, eorem 1 is proved.

Efficiency Analysis.
We contrast between our SETRE scheme and two representative noninteractive time server TRE schemes: the classic BC-TRE scheme put forward by Blake and Chan [9] and the AnTRE scheme, which has highest efficiency up till now, put forward by Chalkias et al. [12].
We let BP be a notation of the bilinear pairing operation, PA ec and PM ec be a notation of point addition and point multiplication operations in G 1 separately. Let Exp ec be a notation of the exponentiation operation in G 2 and Inv be a notation of the modular inverse operation in Z * q . Let H 1 represent a hash function operation that maps binary strings of any length to an element in group G 1 , H 2 represent the hash function operation that maps an element in group G 2 to a string of log q 2 length 0 and 1, and H 3 represent the hash function operation of mapping a binary string of any length to an element of Z * q . Based on the MIRACL large integer library, we program and implement the basic operations described above, in which the relevant parameters are set as follows: the elliptic curve is a supersingular elliptic curve E: y � x 3 + 1 mod p on the finite field F p (p is a 512-bit large prime number), and its prime order q is a 160-bit prime number; the bilinear map uses the Tate pairing algorithm to map the aforementioned discrete logarithm subgroup on the elliptic curve to the discrete logarithm subgroup on F p 2 . e configuration of the running environment is as follows: Intel(R) Core(TM) i5-4210M @ 2.60 GHz microprocessors, 64 bit and 8 GB memory, Microsoft Visual Studio 2010. 987654321 is the seed that generates the associated random numbers. We take the calculation time of Exp ec as the basic unit so that the calculation results are not related to the specific computer performance. We then calculate and record the ratio of the calculation time of each related basic operation in these schemes to the calculation time of Exp ec , as shown in Table 1.
In our SETRE scheme, the TS-Rel stage requires one PM ec and one H 1 to calculate S T � (s + x)H 1 (T), and the total calculation cost of the TS-Rel stage is 1.003. e Enc stage requires one PM ec for rP, two PA ec for S pub , one H 1 , one PM ec , and one BP for e(rH 1 (T), S pub ), and one H 2 for H 2 (K), and the total calculation cost of the Enc stage is 5.875. e Dec stage requires one H 1 , one PM ec , one PA ec , and one BP for K ′ � e(U, S T + uH 1 (T)) and one H 2 for M⊕H 2 (K), and the total calculation cost of the Dec stage is 4.868. We sum up the calculation cost of the schemes of BC-TRE, AnTRE, and our SETRE as shown in Table 2. It should be pointed out that the hash functions H 1 and H 2 in the scheme of AnTRE are approximately equivalent to H 3 in Table 1, and the hash functions H 3 and H 4 in the scheme of AnTRE are approximately equivalent to H 2 in Table 1. Table 2 shows that our SETRE scheme has improved by 32.4% and 10.8%, respectively, compared with the schemes of BC-TRE and AnTRE. In addition, in the aspect of security,

Generic Scheme of SETRE
We will attempt to propose a generic scheme of SETRE based on GPKE and call it generic SETRE, abbreviated as GSETRE.
Rel: this algorithm is consistent with the ST Rel algorithm of our concrete E SETRE scheme Dec: the receiver uses the time trapdoors S T of the designated decryption time point T ∈ 0, 1 { } * and the private key usk r � u of the receiver to decrypt the ciphertext C GSETRE � 〈U, V〉 as the following operations: (1) Calculates C GPKE ′ � (V/e(S T , U)) (2) Calculates Dec(C GPKE ′ , u) to recover the corresponding plaintext M Suppose C GSETRE is the valid ciphertext; then, we have U � f(·) · P and V � C GPKE · e(H 1 (T), f(·) · (s + x)P). We can verify the correctness of the decryption as described in the following:

Security and Efficiency Analysis.
From the perspective of security, since the E GSETRE scheme is obtained by introducing E SETRE into the E GPKE scheme, which is equivalent to encapsulating the E GPKE scheme's ciphertext, the security of the E GPKE scheme will be enhanced after introducing E SETRE . Firstly, the decryption operation needs to decrypt the E SETRE 's ciphertext to get the ciphertext of the E GPKE scheme. However, the decryption of E SETRE requires a valid time trapdoor, and the attacker cannot construct the required time trapdoor without knowing the time server's private key and session private key. Secondly, decrypting the E GPKE ciphertext requires the private key of the legitimate receiver. From the perspective of efficiency, compared with the E GPKE scheme, the E GSETRE scheme adds other additional operations in the encryption and decryption process, which inevitably leads to a decrease in efficiency. However, when using the idea of the general scheme to construct a concrete scheme, the parameters of the E SETRE scheme can be integrated into the same logical step of the E GPKE scheme as far as possible, so as to minimize the decline of efficiency. In addition, in terms of storage space, the time server only needs to add a small amount of storage space, as described in the above section.

Summary and Outlook
With the purpose of enhancing TRE security, a concrete SETRE scheme and a generic SETRE scheme based on the BDH assumption in the random oracle model are put forward. In our SETRE schemes, the time server uses a different session key to generate an "encryption-like" trapdoor at different time points. is operation uses the idea of one-time pad for the generation of each time trapdoor, which prevents the time trapdoor from being known in advance due to the leakage of the time server's private key and thus prevents the ciphertext from being decrypted in advance.
To ensure the anonymity of each system user identity to the time server, most current TRE solutions use broadcast to distribute time trapdoors. If time trapdoors are broadcast in a coarse-grained manner, many users may not have corresponding time trapdoors for the specified decryption time.
In order to meet the time trapdoor specified by the user as far as possible, it is required to broadcast the time trapdoors with fine granularity, but this would waste communication resources. erefore, designing a TRE that can support the specified arbitrary release time, anonymize the user identity, and prevent the time server from denial-of-service attacks will be a very practical and challenging task in the future. In addition, we will explore the combination of TRE with other cryptographic primitives, such as order-revealing encryption [39], so that more scenarios can have the function of controlling the decryption time.

Data Availability
e data used to support the findings of this study are available from the corresponding author upon request.

Conflicts of Interest
e authors declare that they have no conflicts of interest.