Karim Eldefrawy

Cryptography, Cybersecurity, Privacy

Co-founder and CTO at Confidencial.io
2017-2021: SRI
2011-2016: HRL Laboratories
2006-2010: PhD@UC Irvine

Scientific curiosity

Scientific knowledge map · Paper #74

Private Identity-Based Bulletin Boards for Anonymous Messaging and Other Online Services (Regular Academic Track Paper)

Karim Eldefrawy, Stanislaw Jarecki, Benjamin Terner, and Gene Tsudik

·

  • Theory
  • Applied
  • System
  • Implementation
  • protocol
  • scheme

What does the paper try to establish?

Can users who know only one another's identities exchange messages asynchronously through disruption-prone networks while hiding both recipient identity and retrieved record indices from corrupted non-colluding bulletin-board servers?

What is the proposed answer?

PIB³ combines ciphertext-anonymous IBE for payloads, a new two-level searchable HIBE for identity-and-epoch discovery, token sharing across replicated non-colluding servers, and multi-server PIR for private retrieval. Its formal guarantees expose the public epoch, database size, and unpadded retrieval count, and its prototype reports practical—but linear-in-database-size—search and retrieval costs.

Abstract

Secure and anonymous messaging has many compelling use-cases and is becoming increasingly popular. In this paper, we consider it in the context of delay-and-disruption-prone networks, which are characterized by handicapped network access, disrupted operation, censorship, and intermittent network outages. With such settings in mind, we define and design a Private Identity-Based Bulletin Board (PIB³) scheme, which allows users to anonymously post and retrieve messages to and from a distributed database, and supports communication between users without pre-established setup or pre-exchanged keys. Anyone can encrypt a message for an identity and public epoch, such that only the party with the decryption key for that identity can identify, retrieve, and decrypt the message. Against one corrupted non-colluding PIB³ server, the server learns neither the recipient identity nor the retrieved record indices beyond the leakage explicitly modeled by the scheme: the public epoch, the database size, and the number of retrievals made by the receiver. If retrieval-count privacy is required, retrievals can be padded to a fixed bound. The multi-server construction extends this guarantee to larger server sets, and gives coalition privacy whenever the underlying multi-server PIR scheme is private against the corresponding coalition. Contributions of this work are: (1) formally defining functionality and security requirements for PIB³-s, (2) defining and constructing a Hierarchical Identity-Based Encryption (HIBE) scheme with searchable ciphertexts, which serves as a building block for the proposed PIB³ scheme and may be of independet interest, (3) designing an efficient PIB³ scheme that can be realized with n ≥ 2 servers based on the HIBE scheme with searchable ciphertexts combined with additional primitives, and (4) implementing a functional PIB³ prototype which demonstrates practicality of the entire concept and allows us to assess its performance empirically.

Provenance: Transcribed from the checked-in author manuscript; mathematical notation was normalized to plain Unicode, and only typography, discretionary hyphenation, and line-break artifacts were otherwise normalized. The source typo 'independet' is retained.

Six dimensions, kept separate

The chart summarizes documented evidence and process. It is not a correctness probability, confidence score, or ranking, and no composite score is calculated.

The visual spider chart requires JavaScript. The complete values and rationales follow in text.

LowMediumHighN/A = not assessed

A smaller value means less documented support for that dimension, not that the paper is false or unimportant.

Epistemic evidence High

The full manuscript defines the primitive and leakage model, gives concrete constructions, states and proves component and composed privacy results, exhibits a motivating attack, analyzes asymptotic cost, and reports repeated prototype measurements. The work is under review, code and raw data are not yet linked, and no independent proof audit or reproduction was located.

Searchable-HIBE syntax, correctness, soundness, and fixed-epoch anonymity Main bulletin-board privacy theorem and hybrid proof sketch Full PIB privacy hybrid argument Prototype setup, search and PIR measurements, latency, and omitted client benchmark
Auditability High

A complete checked-in author manuscript with recorded SHA-256 and page count, precise source anchors, full definitions and proofs, and detailed experiment tables makes the represented claims directly inspectable. Code, scripts, and raw measurements remain unavailable.

Problem, guarantees, four contributions, and prototype claim Main bulletin-board privacy theorem and hybrid proof sketch Prototype setup, search and PIR measurements, latency, and omitted client benchmark
Production provenance Medium

Named authorship, affiliations, checked-in manuscript identity, and under-review lifecycle status establish baseline provenance. Contributor roles, revision history, tool use, code-version lineage, and final publication approval are not documented.

Problem, guarantees, four contributions, and prototype claim Under-review status
External scrutiny Low

The manuscript is under review and no completed independent review outcome is represented. Public review reports, rebuttal, cryptographic audit, reproduction, and correction history were not located.

Under-review status
Reception Low

A dated exact-title scholarly-web search located 0 citations for this under-review manuscript. Under the author-defined corpus rule, 0 through 8 located citations is Low; this may change after stable publication and indexing.

Dated exact-title citation search
Contribution significance Medium

The work combines a new identity-discovery primitive, a formally analyzed distributed bulletin-board construction, a single-server impossibility-motivating attack, and a functioning prototype for a difficult communication setting. Priority, adoption, peer-review outcome, and broader field impact remain unverified.

Problem, guarantees, four contributions, and prototype claim Single-server access-profile leakage and chosen-identity attack Prototype setup, search and PIR measurements, latency, and omitted client benchmark

Assessment: Ai draft author review pending · 2026-07-11 · rubric 0.2. These dimensions describe documented support and process, not truth, correctness, or a universal ranking. No composite score is calculated.

Hierarchical knowledge map

Collapse a branch for a top-level reading, or follow its source links and child nodes to audit the evidence and boundaries underneath it.

paper

Private Identity-Based Bulletin Boards

A theory-and-systems paper defining metadata-private identity-based bulletin boards, constructing the required searchable-encryption and retrieval protocols, proving privacy under explicit leakage and non-collusion assumptions, and evaluating a functional prototype.

Problem, guarantees, four contributions, and prototype claim
  1. question

    Research question

    research question

    Can parties who have never exchanged keys post and retrieve messages asynchronously through censored or intermittent networks without revealing recipient identities or requested database indices to the storage service?

    Problem, guarantees, four contributions, and prototype claim
  2. scope Delay-and-disruption-prone communication explicitly scoped

    Clients may be offline at different times and face censorship, rate limits, shutdowns, or intermittent links; replicated bulletin-board servers provide temporary application-layer storage until connectivity returns.

    Problem, guarantees, four contributions, and prototype claim System, network, adversary, anonymous-channel, and leakage model
    1. assumption

      Anonymous client-server channels

      assumed external service

      Uploads and queries are assumed to travel through an anonymity network such as Tor; PIB³ does not itself hide the client's network address from a server observing an ordinary identified transport.

      System, network, adversary, anonymous-channel, and leakage model
    2. threat model

      Network and bulletin-board adversary

      defined

      A polynomial-time adversary may observe and disrupt links, corrupt a server, control malicious uploaders, adaptively insert records, and participate in retrieval as that server, but cannot violate the stated cryptographic assumptions.

      System, network, adversary, anonymous-channel, and leakage model
  3. primitive HIBE with searchable ciphertexts formally defined and constructed

    HIBESC extends two-level HIBE with CipherGen, Token, and Check. Anyone can create a searchable ciphertext for identity vector (id, epoch), but only the first-level identity-key holder can form the matching epoch token.

    Searchable-HIBE syntax, correctness, soundness, and fixed-epoch anonymity Two-level searchable-HIBE construction
    1. security definition

      Correctness, soundness, and fixed-epoch anonymity

      defined

      Correct matching tokens and ciphertexts must accept; mismatched identity or epoch should reject; and ciphertexts for different identities in the same public epoch should be computationally indistinguishable under the specified games.

      Searchable-HIBE syntax, correctness, soundness, and fixed-epoch anonymity
    2. proof

      Searchable-HIBE reduction chain

      reduction provided

      The appendices establish an intermediate ciphertext-identity-indifferentiability property and reduce fixed-epoch anonymity to decisional bilinear Diffie-Hellman, with explicit random-oracle programming and abort probability accounting.

      Searchable-HIBE reductions and fixed-epoch anonymity proof
  4. protocol Two-server private query specified

    The receiver splits a search token between two replicated, non-colluding servers. Each partially evaluates Check for every record; the receiver combines replies into a matching index set and uses two-server PIR to fetch the corresponding IBE ciphertexts.

    Record format, discovery mechanism, token sharing, and PIR retrieval PIB record encoding and two-server query protocol
    1. attack

      Why one server is insufficient

      demonstrated analytically

      A single server sees which records share a query token and can upload a probe ciphertext for a chosen identity and epoch, then test future tokens against it. Token sharing removes that direct Check oracle from any one allowed corrupted server.

      Single-server access-profile leakage and chosen-identity attack
  5. protocol

    N-server extension

    specified

    The receiver distributes correlated token shares across N servers and combines all partial values before PIR. No server-to-server communication is needed during a query, but every server must hold identically ordered records.

    N-server protocol and conditional coalition-privacy theorem
  6. claim group Main claims formally supported

    The manuscript claims correctness and privacy for the concrete scheme under the component assumptions and leakage model, conditional coalition privacy for the extension, and practical feasibility for the measured prototype configurations.

    Main bulletin-board privacy theorem and hybrid proof sketch N-server protocol and conditional coalition-privacy theorem Prototype setup, search and PIR measurements, latency, and omitted client benchmark
    1. claim

      Conditional coalition privacy

      conditional theorem

      Theorem 2 extends privacy to a strict server coalition only when token shares are simulatable for that coalition and the chosen N-server PIR is private against the same coalition, with retrieval count available to its simulator.

      N-server protocol and conditional coalition-privacy theorem
    2. claim

      Optimized retrieval communication

      asymptotically analyzed

      Hash-compressed partial Check values and batched PIR yield four rounds and reported communication O((n + λ) log n + C + G), where n is record count, λ the security parameter, C record size, and G group-element size.

      Collision analysis, optimized communication, and round count
  7. evidence group Evidence formal and empirical

    Support includes formal syntax and games, reductions for component and composed privacy, an explicit attack on the tempting one-server design, asymptotic analysis, and a prototype benchmark of the heavy server-side search and PIR operations.

    Searchable-HIBE reductions and fixed-epoch anonymity proof Full PIB privacy hybrid argument Single-server access-profile leakage and chosen-identity attack Prototype setup, search and PIR measurements, latency, and omitted client benchmark
  8. limitation group Scope and limitations material

    Privacy is conditional on cryptographic assumptions, anonymous transport, synchronized replicated databases, the allowed non-colluding coalition, and explicit leakage. The prototype is not a deployed censorship-resistance study or independent reproduction.

    System, network, adversary, anonymous-channel, and leakage model Main bulletin-board privacy theorem and hybrid proof sketch Prototype setup, search and PIR measurements, latency, and omitted client benchmark N-server protocol and conditional coalition-privacy theorem
  9. scrutiny

    External scrutiny

    under review

    The site records the manuscript as under review. No acceptance, public review report, rebuttal, independent cryptographic audit, reproduction, correction, or adversarial follow-up is represented.

    Under-review status

Source index

Locators state the depth of the current audit. PDF page numbers, where present, are one-based file pages; metadata-, summary-, and abstract-bounded records explicitly identify their limitations.

  1. Problem, guarantees, four contributions, and prototype claim Abstract and Section 1, PDF pages 1-5
  2. System, network, adversary, anonymous-channel, and leakage model Section 2.1, PDF page 5
  3. Record format, discovery mechanism, token sharing, and PIR retrieval Section 2.2, PDF pages 5-7
  4. Searchable-HIBE syntax, correctness, soundness, and fixed-epoch anonymity Section 5, PDF pages 8-10
  5. Two-level searchable-HIBE construction Section 6, PDF pages 9-11
  6. PIB³ syntax, correctness, and bulletin-board privacy experiment Section 7 and Figure 4, PDF pages 11-13
  7. PIB record encoding and two-server query protocol Section 8.1 and Figures 5-6, PDF pages 13-15
  8. Main bulletin-board privacy theorem and hybrid proof sketch Section 8.2, Theorem 1, PDF pages 14-15
  9. Collision analysis, optimized communication, and round count Appendix A and Section 8.2, PDF pages 15 and 18-19
  10. Prototype setup, search and PIR measurements, latency, and omitted client benchmark Appendix B, PDF pages 19-22
  11. Single-server access-profile leakage and chosen-identity attack Appendix F, PDF pages 29-30
  12. Searchable-HIBE reductions and fixed-epoch anonymity proof Appendix G, PDF pages 30-35
  13. Full PIB privacy hybrid argument Appendix H, PDF pages 35-42
  14. N-server protocol and conditional coalition-privacy theorem Appendix I, Theorem 2, PDF pages 42-44
  15. Under-review status Website publication record accessed 2026-07-11
  16. Dated exact-title citation search No citing work was verifiably located when searched 2026-07-11