#### Abstract

The cryptographic primitive of timed-release encryption (TRE) enables a sender to encrypt a message so that only the designated receiver can decrypt it, and only after a designated time. Combined with other encryption technologies, TRE is applied in a variety of scenarios, including scheduled posting on social networks and online sealed bidding. To control the decryption time while maintaining the anonymity of user identities, most TRE solutions adopt a noninteractive time server model that periodically broadcasts time trapdoors. Because these time trapdoors are generated with the time server’s fixed private key, many “ciphertexts” related to that private key are produced and can be cryptanalyzed, which poses a big challenge to the confidentiality of the time server’s private key. To address this, we propose a concrete scheme and a generic scheme of security-enhanced TRE (SETRE) in the random oracle model. In our SETRE schemes, we use fixed and variable random numbers together as the time server’s private key to generate the time trapdoors. We formalize the definition of SETRE and give a provably secure concrete construction of SETRE. According to our experiment, the concrete scheme we propose reduces the computational cost by about 10.8% compared to the most efficient solution in the random oracle model, while requiring only an almost negligible amount of additional storage space. Meanwhile, it realizes a one-time pad for the time trapdoor, which to a large extent increases the security of the time server’s private key. Therefore, our work enhances the security and efficiency of TRE.

#### 1. Introduction

The cryptographic primitive of timed-release encryption (TRE) [1, 2] requires the sender to set a specified time at which the designated receiver may decrypt the secret message. With TRE, the sender encrypts a message and sends it to the receiver; until the decryption time set by the sender arrives, no one can decrypt the ciphertext. With the efforts of many distinguished scholars, TRE has developed into a basic cryptographic primitive, which can be combined with many other cryptographic primitives and applied to different fields, such as regularly posting on the social network [3, 4], edge caching [5], and ciphertext retrieval [6, 7].

According to the latest research, TRE constructions have been extended from mathematical problems [8–28] to physical problems [29, 30] and the blockchain approach [31–34]. At present, a large number of TRE constructions are based on mathematical problems. In practical terms, the most commonly used model is the noninteractive time server model, in which neither the sender nor the receiver of the message interacts with the time server. The time server periodically broadcasts the time trapdoor. The receiver chooses the time trapdoor corresponding to the decryption time of the ciphertext to complete the decryption at the designated time.

However, current noninteractive TRE schemes generate many time trapdoors related to the time server’s private key, which gives the attacker a certain number of (time, time trapdoor) pairs. Although the problems related to bilinear pairing are difficult to solve, the attacker can still adopt a chosen-plaintext attack (CPA) or a chosen-ciphertext attack (CCA) against the system, which seriously challenges the security of the private key of the time server. In this paper, we work on this problem and construct a solution.

##### 1.1. Related Work

TRE was first proposed by May [2] in 1993 and then discussed in detail by Rivest et al. [1] in 1996. Most of the previous schemes can be divided into two categories: time-lock puzzles [1, 15, 18, 33] and agents. Most agent-class schemes use the time server as the agent and are divided into the interactive model [1, 8, 23, 24] and the noninteractive model [9–14, 16, 17, 19–22, 25, 26, 28]. The time server method was originally constructed based on the quadratic residue problem [8]. After that, most of the proposed solutions have been based on hardness assumptions of the bilinear pairing class, such as the bilinear Diffie–Hellman (BDH) assumption [9–11, 13, 19, 21, 22, 24–28], the bilinear Diffie–Hellman inversion (BDHI) assumption [12], and the bilinear Diffie–Hellman exponent (BDHE) assumption [17].

In the solutions of the noninteractive server model, the time server’s private key is used to perform an encryption-like operation on the hash function value of a time point to generate a corresponding time trapdoor. Therefore, this model produces many pairs (plaintext, ciphertext) related to the private key of the time server. In response to this problem, we need to construct a new solution.

##### 1.2. Our Contributions

We reexamine the noninteractive time server model in which the time server’s private key is repeatedly used, resulting in many pairs (plaintext, ciphertext) related to the private key of the time server. In order to solve this problem, we construct a security-enhanced timed-release encryption (SETRE) solution based on the BDH assumption.

As we all know, in the operations of encryption and decryption, we use the private key to encrypt the plaintext and get the ciphertext and use the private key to decrypt the ciphertext and get the plaintext . Similarly, we let the private key and the hash function value of a time point perform some operations together to generate the corresponding time trapdoor ; correspondingly, we can get . In the above statement, is equivalent to the ciphertext , and is equivalent to the plaintext . If the attacker has many pairs (plaintext, ciphertext), then the security of the time server’s private key will be greatly threatened.

Our SETRE schemes include a concrete scheme and a generic scheme. In our SETRE, the time server uses a random number as its session private key every time before publishing a time trapdoor. This session private key is combined with the time server’s fixed private key to generate the time trapdoor of our SETRE. Therefore, in our SETRE schemes, the secret private key involved in every generated time trapdoor is different, and we can claim that our schemes realize a one-time pad for the time trapdoor. In this case, the attacker can obtain at most one (plaintext, ciphertext) pair, namely a time point and its time trapdoor. Even if the attacker successfully obtains the private key of the time server corresponding to one time trapdoor, he cannot get the private key of the time server corresponding to other time trapdoors, so a time trapdoor cannot be generated in advance, which ensures that the receiver cannot decrypt in advance.

##### 1.3. Organization

We begin by explaining what SETRE is. In Section 2, we give some cryptographic background and our generic public key encryption scheme. In Section 3, we formally define our SETRE and its simulation security game model. In Section 4, we present the concrete construction of SETRE and give its security proof and efficiency analysis. In Section 5, we provide the formal definition and construction of the generic SETRE and give its security analysis and efficiency analysis. Finally, we give the conclusion and future work.

#### 2. Preliminary

In this section, we give a brief review of the properties of bilinear pairings, the BDH assumption, and our generic public key encryption scheme.

##### 2.1. Properties of Bilinear Pairings

We give a form of bilinear pairings and their properties as described below.

*Definition 1.* Let be an elliptic curve discrete logarithm problem (ECDLP) additive group over a finite field, be a discrete logarithm problem (DLP) multiplicative group over a finite field, and the order of be a prime number . The mapping is a bilinear pairing mapping if satisfies

1. Bilinear property: given any , the following operations hold:
2. Nondegeneracy: suppose that the generator of group is , then the generator of group is .
3. Computability: given any two elements , there must be an effective algorithm for calculating .

##### 2.2. BDH Assumption

Many cryptographic schemes are based on various difficult assumptions related to bilinear pairs, such as the (D)BDH assumption, (D)BDHI assumption, and (D)BDHE assumption [35, 36]. We now give the definition of the BDH assumption used in our SETRE schemes as follows.

*Definition 2.* Let be an ECDLP additive group over a finite field, be the generator of , be a DLP multiplicative group over a finite field, and the order of be a prime number . Given (, and are evenly distributed in ), calculate . If , then the advantage of the adversary to solve the assumption is , and is negligible.

##### 2.3. General Public Key Encryption Scheme

We simplify and abstract public key encryption (which has a certain characteristic) and only keep three phases which are initialization, encryption, and decryption; then, the general public key encryption (GPKE) scheme can be obtained.

*Definition 3.* is the public key encryption algorithm, where

- Setup: generates system public parameters and the user’s public key and private key pairs in which is a generator of , and is an additive group
- Enc: uses the user’s public key to encrypt the plaintext to get the ciphertext
- Dec: uses the user’s private key to decrypt the ciphertext to get the plaintext

#### 3. SETRE: Definitions

Suppose Bob is a social network user who wants to upload, in advance, documents scheduled to be published regularly on the social network platform, so that he can pay attention to other things without worrying about this matter. Bob also does not want the social network platform to know in advance what he wants to publish. In this application scenario, Bob can use our SETRE solution to solve this problem securely and efficiently. Bob sends the following ciphertext of the document in advance with the designated decryption time:

where is one of the documents planned to be released at a designated time point in the future, and are the time server’s fixed public key and session public key, respectively, is the receiver’s public key, is a random number as a factor of freshness, and is the designated decryption time. The social network platform can obtain the ciphertext of the document in advance but can only decrypt it in the future after the predetermined decryption time has arrived. We call such a cryptographic scheme noninteractive SETRE.

*Definition 4.* Our noninteractive concrete scheme includes three entities which are time server, sender, and receiver and polynomial-time randomized algorithm 7 tuples , where

- : generates a public parameter from a security parameter
- : calculates and generates the fixed public/private key pair and the session public/private key pair of the time server
- : calculates and generates the public/private key pair of the system user
- : calculates the ciphertext of the plaintext , by using the public keys , and , and a designated decryption time point
- : calculates a time server’s time trapdoor , by using the time server’s fixed private key , a designated decryption time point , and its corresponding session private key
- : calculates a user’s time trapdoor , by using the receiver’s private key and a designated decryption time point
- : calculates a plaintext , by using a ciphertext , the time server’s time trapdoor , and the receiver’s time trapdoor ; or outputs a “reject” message

We use the simulation security game between the adversary and the challenger to formally define the security against the active adversary . The specific formal definition is as follows:

- Preparation: public parameters are generated by the system.
- Initialization: a pair of designated decryption time points and to be challenged is selected by the adversary .
- Setup: the public parameters and public keys , , and are generated by the challenger and sent to the adversary .
- Phase 1: the adversary performs queries of , where query is one of the following:
  1. At any time point, the adversary can perform queries of the random oracles and . In response to and queries, the challenger keeps two lists of -list and -list.
  2. Time trapdoor queries: time trapdoor query and of where . The challenger responds by running algorithm and to generate the time trapdoors and corresponding to the designated decryption time point . The challenger then sends and to the adversary .
  3. Decryption queries: decryption query for the designated decryption time point . To decrypt the ciphertext , runs algorithm and uses the time trapdoors and . The challenger then sends the decrypted plaintext to the adversary .

  These queries can be adaptive, which means that the response of can be determined based on the responses of previously queried.
- Challenge: a pair of designated decryption time points and to be challenged is selected by the adversary . The challenger selects a random bit , sets the ciphertext to be , and then sends the challenge ciphertext to .
- Phase 2: the adversary performs other queries of , and the challenger responds as shown in Phase 1.
- Guess: in the end, the adversary outputs a guess of . If , then wins the simulation security game.

We call such an adversary an IND-sT-CCA adversary, and we can formally define the advantages of attack our concrete SETRE scheme as

*Definition 5.* Our concrete SETRE scheme is said to be -selective designated decryption time, adaptive chosen-ciphertext secure if for any -time IND-sT-CCA adversary that performs at most queries, chosen designated decryption trapdoor queries, and chosen decryption queries, we have that . In other words, we call that is IND-sT-CCA secure.

We define our concrete SETRE scheme to be IND-sT-CPA secure by simply disallowing the adversary to perform decryption queries in the simulation security game described above.

*Definition 6.* Our concrete SETRE scheme is said to be -selective designated decryption time, adaptive chosen-plaintext secure if is -selective designated decryption time, chosen-ciphertext secure. In other words, we call that is IND-sT-CPA secure.

#### 4. Concrete Scheme of SETRE

We will attempt to propose a concrete scheme of SETRE based on the BDH assumption in the random oracle model.

##### 4.1. Construction

The server-passive, scalable, user-anonymous TRE scheme proposed by Blake and Chan (abbreviated as BC-TRE) laid the foundation of TRE. We now describe the concrete SETRE construction scheme. The scheme includes the following algorithm 7 tuples:

- Setup: generates a public parameter from a security parameter , where is an ECDLP additive group over a finite field, is a DLP multiplicative group over a finite field, and the order of is a prime number , is a bilinear mapping that satisfies Definition 1, is the generator of additive group , and and ( is the length of the plaintext) are hash functions.
- TS-KeyGen: the time server selects a random number as the private key of the time server and then calculates and generates the time server’s public key . Similarly, the time server selects a random number set as the session private key set of the time server and then calculates and generates the corresponding time server’s session public key set in which if we assume that a time trapdoor needs to be generated every half an hour and meet the demand for 10 consecutive years.
- User-KeyGen: a user selects a random number as its private key and then calculates and generates the system user’s public key .
- Enc: the sender uses the public key of the receiver, the public key of the time server, a designated decryption time point , and the time server’s session public key corresponding to the designated decryption time point to encrypt the plaintext as the following operations:
  1. Selects a random number and calculates
  2. Calculates
  3. Calculates
  4. Outputs the ciphertext
- TS-Rel: the time server takes its own fixed private key and the session private key of the current release time and produces the time server’s time trapdoor .
- UT_Rel: the receiver takes the private key of his own and the current designated decryption time and produces the user’s time trapdoor .
- Dec: the receiver uses the time trapdoors and of the designated decryption time point to decrypt the ciphertext as the following operations:
  1. Calculates
  2. Calculates to recover the corresponding plaintext

Suppose is the valid ciphertext; then, we have and . We can verify the correctness of the decryption as described in the following:

##### 4.2. Security of the Scheme

We give the proof that our SETRE scheme is noninteractive and semantically secure against CPA in the random oracle model, supposing that the BDH assumption is true [37].

Theorem 1. *Suppose that there is an adversary who can break our SETRE scheme with the advantage of ; then, a challenger , who can overcome the BDH problem with probability at least , is constructed, where is the natural logarithm’s base and and are the maximum number of times we assume the adversary can query the time trapdoor and hash operation.*

*Proof.* Let denote an adversary who has advantage to break the SETRE. Assume that performs no more than hash operation queries to , no more than user trapdoors, and the time server trapdoor queries, where and are positive. Let denote a challenger who overcomes the BDH problem with probability no less than . Therefore, if the BDH assumption holds in , then we can ignore ; furthermore, the advantage of to break the SETRE can be ignored. And , who simulates as the challenger, will interact with adversary as follows:

- Preparation: let be an ECDLP additive group over a finite field, be a DLP multiplicative group over a finite field, the order of be a prime number , be a bilinear mapping that satisfies Definition 1, and be the generator of additive group . Give the challenger the public parameter , , , and ; the goal of is to calculate the value of , where .
- Initialization: the adversary outputs a pair of designated decryption time points and to be challenged.
- Setup: the challenger gives the public keys , , and .
- Phase 1: the adversary initiates queries, and gives the response, respectively, where for the *i*-th query, ’s response is described as follows:
  1. and queries: every point in time, the adversary can perform queries of the random oracles and . In response to queries, the challenger keeps a list of quadruples , which we will call it the -list and is initially set to be empty. If performs a query of at a time point , then gives the response as follows:
     - ① If the query about has been made before, then takes as its response.
     - ② If not, chooses a new random bit to satisfy .
     - ③ takes a random number . If holds, calculates . If holds, calculates .
     - ④ adds the quadruple to the -list and takes as its response to .

     In the same way, can perform a query to at any point in time. The -list is initially set to be empty. gives the response to the query on by selecting a new random as the value of for every new and adding the tuple to -list. If -list already contains , then takes from -list and returns it to as the response value.
  2. Time trapdoor queries: if the adversary performs queries of the time trapdoor at a time point , then the challenger gives the response as follows:
     - ① runs the above query algorithm and obtains and makes as the corresponding entry in -list.
     - ② If , then aborts the simulation security game and admits failure.
     - ③ If , we obtain . Let and ; then, we can transform them to get and . Therefore, is the correct and legal user time trapdoor of , and is the correct and legal time server trapdoor of . gives and to .
- Challenge: the adversary selects a pair of designated decryption time points to be challenged. The challenger produces the challenge ciphertext as follows:
  - ① The challenger runs the above query algorithm twice to obtain and which satisfy and .
  - ② For , we let and to be the corresponding tuples on the -list. If , then the challenger aborts the simulation security game and admits failure.
  - ③ Obviously, at least one of and must be equal to zero. randomly takes such that .
  - ④ takes the challenge ciphertext for random as its response. Obviously, this challenge implicitly defines . That is to say, It can be seen that is the corresponding valid and real ciphertext for .
- Phase 2: the adversary performs other queries of , and the challenger responds as shown in Phase 1.
- Guess: in the end, the adversary outputs a guess of to indicate whether the challenge ciphertext is a valid ciphertext for or . Now, the challenger randomly selects a tuple from the -list and outputs as a guess of . If has ever inquired about one of or , the -list has a probability of 1/2 that contains , . If takes this tuple from the -list, then .

The whole security simulation game is completed here. Next, we calculate the value of which is the lowest probability of correctly outputting . It is easy to know that the premise that it can correctly output its guess value of is that the game can continue to the guessing stage without terminating the game in the middle. Now, we analyze the possibility that does not terminate the game while the game is in progress. For this purpose, we first give the definition of the following events:

- : in the stage when the adversary performs queries of the time trapdoor, the challenger does not terminate the simulation security game
- : in the challenge stage, the challenger does not terminate the simulation security game

We first state that, as in [38], events and occur with a high enough probability. Next, we give the following three claims.

Claim 1. In the stage when the adversary performs queries of the time trapdoor, the probability that the challenger does not terminate the simulation security game is at least. Thus, .

*Proof.* When the adversary queries for the time trapdoor of time points, for the sake of generality, we suppose that does not query the same time trapdoor twice. A trapdoor (the user’s time trapdoor or the time server’s time trapdoor) query causes to terminate the simulation security game with a probability of ; therefore, a trapdoor query does not cause to terminate the game with a probability of . In addition, since the maximum number of times can query the time trapdoor is , the probability that the simulation security game will not be terminated after queries is at least.

Claim 2. In the challenge stage, the probability that the challenger does not terminate the simulation security game is at least. Thus, .

*Proof.* If the adversary can generate , with the property , then the challenger will terminate the simulation security game during the challenge stage. Since has not queried for the trapdoor for , , we have that are independent of . Therefore, for , and then we have that . Therefore, there is a probability of at least that does not terminate the game.

Since the adversary is not allowed to query the time trapdoor of the designated decryption time during the game, the events and are independent of each other, so we can get .

Assume that the adversary has acquired the public keys , , and in the actual attack game. The adversary selects a pair of designated decryption time points to be challenged. The challenger produces the challenge ciphertext as a response. Therefore, we have the following .

Claim 3. In the actual attack game, the adversary has at least the probability of to perform an query for one of , .

Before giving the proof, we first give the definition of the following events:

- : in the actual attack game, does not query either or
- : in the guess stage, outputs the guess of satisfying

*Proof.* When occurs, it is obvious that the bit indicates whether is the challenge ciphertext corresponding to the designated decryption time, which has nothing to do with ’s knowledge. Thus, the probability of is 1/2 at most. In the real attack game, because has the advantage of , we have and . Now, we give the specific argument for the truth of as follows: From the above two formulas, we know that . Thus, we have in the actual attack game. If the challenger does not terminate the game, it means that, in the process of simulating the actual attack game, the adversary has queried one of , . Thus, .

Claim 4. The probability that the challenger can solve the BDH problem successfully in the guess stage is .

*Proof.* Assuming the event of Claim 3 occurs, the value of one of the two cases of will be stored in the -list. Consequently, in the guess stage, the challenger has at least the probability of to select the correct pair from the -list. Therefore, on the premise that does not terminate the simulation game, the possibility that can successfully solve the BDH problem is .

According to Claims 1 and 2, during the simulation game, the probability that the challenger will not terminate the game is at least . And according to Claim 4, if does not terminate the simulation security game, the probability that can successfully solve the BDH problem is . Therefore, through the security simulation game of the aforementioned adversary and challenger , the possibility of successfully solving the BDH problem is . Thus, Theorem 1 is proved.

##### 4.3. Efficiency Analysis

We compare our SETRE scheme with two representative noninteractive time server TRE schemes: the classic BC-TRE scheme put forward by Blake and Chan [9] and the AnTRE scheme put forward by Chalkias et al. [12], which has the highest efficiency to date.

We let be a notation of the bilinear pairing operation, and be a notation of point addition and point multiplication operations in separately. Let be a notation of the exponentiation operation in and be a notation of the modular inverse operation in . Let represent a hash function operation that maps binary strings of any length to an element in group , represent the hash function operation that maps an element in group to a string of length 0 and 1, and represent the hash function operation of mapping a binary string of any length to an element of . Based on the MIRACL large integer library, we program and implement the basic operations described above, in which the relevant parameters are set as follows: the elliptic curve is a supersingular elliptic curve mod on the finite field ( is a 512-bit large prime number), and its prime order is a 160-bit prime number; the bilinear map uses the Tate pairing algorithm to map the aforementioned discrete logarithm subgroup on the elliptic curve to the discrete logarithm subgroup on . The configuration of the running environment is as follows: Intel(R) Core(TM) i5-4210M @ 2.60 GHz microprocessors, 64 bit and 8 GB memory, Microsoft Visual Studio 2010. 987654321 is the seed that generates the associated random numbers. We take the calculation time of as the basic unit so that the calculation results are not related to the specific computer performance. We then calculate and record the ratio of the calculation time of each related basic operation in these schemes to the calculation time of , as shown in Table 1.

In our SETRE scheme, the TS-Rel stage requires one and one to calculate , and the total calculation cost of the TS-Rel stage is 1.003. The Enc stage requires one for , two for , one , one , and one for , and one for , and the total calculation cost of the Enc stage is 5.875. The Dec stage requires one , one , one , and one for and one for , and the total calculation cost of the Dec stage is 4.868. We sum up the calculation cost of the schemes of BC-TRE, AnTRE, and our SETRE as shown in Table 2. It should be pointed out that the hash functions and in the scheme of AnTRE are approximately equivalent to in Table 1, and the hash functions and in the scheme of AnTRE are approximately equivalent to in Table 1.

Table 2 shows that our SETRE scheme improves on the BC-TRE and AnTRE schemes by 32.4% and 10.8%, respectively. In addition, in terms of security, our SETRE scheme realizes a one-time pad for the time trapdoor. Therefore, compared with the previous schemes, our SETRE greatly improves the security of the time server’s private key. In terms of storage, we need 160 bits of storage space for each private key of the time server and 1024 bits for each public key of the time server. Therefore, if it is assumed that the time server broadcasts a time trapdoor every half an hour and needs to store the session private and public keys of the time server for 10 years, then the additional storage space required by our scheme is $2 \times 24 \times 365 \times 10 \times (1024 + 160)$ bit $\approx 24.7$ MB, which adds only an almost negligible storage burden to the time server.
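The algorithm flow of Section 4.1 and the storage estimate above, as an added example that is not the authors' code. The scheme's equations are missing from this page, so the trapdoor rule (fixed key plus session key, times the hashed time point), the key derivation and every function name are assumptions chosen to match the prose. Group elements are modelled by their exponents modulo a prime, which checks the algebra only and provides no security.

```python
import hashlib
import secrets

# ASSUMED instantiation (not the authors' equations, which are missing here):
#   TS trapdoor  ST_T = (s + s_T) * H1(T)     user trapdoor  UT_T = u * H1(T)
#   K = e(r*(S + S_T + U), H1(T)) = e(r*P, ST_T + UT_T)
# Toy group model: x*P is stored as x mod Q and e(P,P)^y as y mod Q, so the
# pairing is multiplication mod Q and "public" values equal private scalars.
Q = 2**127 - 1        # prime group order (Mersenne prime); toy model only
SLOTS_PER_DAY = 48    # page: one time trapdoor every half hour


def rand_scalar():
    return secrets.randbelow(Q - 1) + 1            # uniform in [1, Q-1]


def pairing(a, b):
    return a * b % Q


def h1(time_point):
    """H1: time string -> nonzero G1 element (toy hash-to-group)."""
    digest = hashlib.sha256(b"H1|" + time_point.encode()).digest()
    return int.from_bytes(digest, "big") % (Q - 1) + 1


def h2(gt_element, n):
    """H2: pairing value -> n-byte mask."""
    return hashlib.shake_256(b"H2|" + gt_element.to_bytes(16, "big")).digest(n)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def ts_keygen(time_points):
    """Fixed private key s plus one independent session key per time point."""
    return rand_scalar(), {t: rand_scalar() for t in time_points}


def enc(message, user_pub, ts_pub, session_pub, time_point):
    r = rand_scalar()
    k = pairing(r * (ts_pub + session_pub + user_pub) % Q, h1(time_point))
    return r, xor(message, h2(k, len(message)))    # (c1 = r*P, c2)


def ts_rel(s, session_priv, time_point):
    return (s + session_priv) * h1(time_point) % Q


def ut_rel(u, time_point):
    return u * h1(time_point) % Q


def dec(ciphertext, ts_trapdoor, user_trapdoor):
    c1, c2 = ciphertext
    k = pairing(c1, (ts_trapdoor + user_trapdoor) % Q)
    return xor(c2, h2(k, len(c2)))


def session_keys_needed(years):
    return SLOTS_PER_DAY * 365 * years


def extra_storage_bits(years, priv_bits=160, pub_bits=1024):
    return session_keys_needed(years) * (priv_bits + pub_bits)


def demo():
    slots = ["2030-01-01T00:00", "2030-01-01T00:30"]   # constructed time points
    s, session = ts_keygen(slots)
    u = rand_scalar()                                   # receiver key pair
    early, target = slots
    message = b"sealed bid: 4200"                       # constructed plaintext
    ct = enc(message, u, s, session[target], target)
    on_time = dec(ct, ts_rel(s, session[target], target), ut_rel(u, target))
    # The trapdoor broadcast for the earlier slot does not open the ciphertext.
    too_early = dec(ct, ts_rel(s, session[early], early), ut_rel(u, target))
    # A holder of the earlier slot's combined key (s + s_early) still cannot
    # build the target slot's trapdoor, because that one needs s_target.
    forged = (s + session[early]) * h1(target) % Q
    with_forged = dec(ct, forged, ut_rel(u, target))
    return message, on_time, too_early, with_forged


if __name__ == "__main__":
    print(demo())
    print(session_keys_needed(10), extra_storage_bits(10) / 8 / 2**20)
```

This sketch has no integrity check, so a wrong trapdoor yields garbage bytes rather than the “reject” output of Definition 4.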

#### 5. Generic Scheme of SETRE

We will attempt to propose a generic scheme of SETRE based on GPKE and call it generic SETRE, abbreviated as GSETRE.

##### 5.1. Formal Definition

We now formalize the definition of our GSETRE scheme.

*Definition 7.* Our GSETRE scheme includes three entities which are time server, sender, and receiver and a polynomial-time randomized algorithm 6 tuples , where

- : generates a public parameter from a security parameter
- : calculates and generates the fixed public/private key pair and the session public/private key pair of the time server
- : calculates and generates the public/private key pair of the system user
- : inputs , and that correspond to the designated decryption time point to the algorithm of and outputs the ciphertext
- : given the private key of the time server, a designated decryption time point , and its corresponding session private key and produces a time server’s time trapdoor
- : inputs and into the algorithm of and outputs plaintext or

##### 5.2. Construction

We construct a scheme by introducing into . includes the following algorithm 6 tuples:

- Setup: this algorithm is consistent with the algorithm of our concrete scheme
- TS_KeyGen: this algorithm is consistent with the algorithm of our concrete scheme
- User_KeyGen: this algorithm is consistent with the algorithm of our concrete scheme
- Enc: the sender uses of the receiver, of the time server, a designated decryption time point , and corresponding to the designated decryption time point to encrypt the plaintext as the following operations:
  1. Uses to encrypt the plaintext and calculates ’s ciphertext .
  2. Chooses a function randomly and calculates .
  3. Uses , , , and to calculate
  4. Outputs ’s ciphertext .
- Rel: this algorithm is consistent with the algorithm of our concrete scheme
- Dec: the receiver uses the time trapdoors of the designated decryption time point and the private key of the receiver to decrypt the ciphertext as the following operations:
  1. Calculates
  2. Calculates to recover the corresponding plaintext

Suppose is the valid ciphertext; then, we have and . We can verify the correctness of the decryption as described in the following:

##### 5.3. Security and Efficiency Analysis

From the perspective of security, since the scheme is obtained by introducing into the scheme, which is equivalent to encapsulating the scheme’s ciphertext, the security of the scheme will be enhanced after introducing . Firstly, the decryption operation needs to decrypt the ’s ciphertext to get the ciphertext of the scheme. However, the decryption of requires a valid time trapdoor, and the attacker cannot construct the required time trapdoor without knowing the time server’s private key and session private key. Secondly, decrypting the ciphertext requires the private key of the legitimate receiver.

From the perspective of efficiency, compared with the scheme, the scheme adds other additional operations in the encryption and decryption process, which inevitably leads to a decrease in efficiency. However, when using the idea of the general scheme to construct a concrete scheme, the parameters of the scheme can be integrated into the same logical step of the scheme as far as possible, so as to minimize the decline of efficiency. In addition, in terms of storage space, the time server only needs to add a small amount of storage space, as described in the above section.

#### 6. Summary and Outlook

With the purpose of enhancing TRE security, a concrete SETRE scheme and a generic SETRE scheme based on the BDH assumption in the random oracle model are put forward. In our SETRE schemes, the time server uses a different session key to generate an “encryption-like” trapdoor at different time points. This operation uses the idea of one-time pad for the generation of each time trapdoor, which prevents the time trapdoor from being known in advance due to the leakage of the time server’s private key and thus prevents the ciphertext from being decrypted in advance.

To ensure the anonymity of each system user identity to the time server, most current TRE solutions use broadcast to distribute time trapdoors. If time trapdoors are broadcast in a coarse-grained manner, many users may not have corresponding time trapdoors for the specified decryption time. In order to meet the time trapdoor specified by the user as far as possible, it is required to broadcast the time trapdoors with fine granularity, but this would waste communication resources. Therefore, designing a TRE that can support the specified arbitrary release time, anonymize the user identity, and prevent the time server from denial-of-service attacks will be a very practical and challenging task in the future. In addition, we will explore the combination of TRE with other cryptographic primitives, such as order-revealing encryption [39], so that more scenarios can have the function of controlling the decryption time.

#### Data Availability

The data used to support the findings of this study are available from the corresponding author upon request.

#### Disclosure

A preliminary version of this paper appears in the “International Symposium on Security and Privacy in Social Networks and Big Data-6th International Symposium SocialSec 2020, Tianjin, China,” held on September 26-27, 2020, based on https://link.springer.com/book/10.1007%2F978-981-15-9031-3?page=3#toc.

#### Conflicts of Interest

The authors declare that they have no conflicts of interest.

#### Acknowledgments

This work was supported by grants from the National Key R&D Program of China (no. 2018YFA0704703) and the National Natural Science Foundation of China (nos. 61802111, 61972073, and 61972215).