Scientific knowledge map · Paper #74
Private Identity-Based Bulletin Boards for Anonymous Messaging and Other Online Services (Regular Academic Track Paper)
·
- Theory
- Applied
- System
- Implementation
- protocol
- scheme
Research question
What does the paper try to establish?
Can users who know only one another's identities exchange messages asynchronously through disruption-prone networks while hiding both recipient identity and retrieved record indices from corrupted non-colluding bulletin-board servers?
Central answer
What is the proposed answer?
PIB³ combines ciphertext-anonymous IBE for payloads, a new two-level searchable HIBE for identity-and-epoch discovery, token sharing across replicated non-colluding servers, and multi-server PIR for private retrieval. Its formal guarantees expose the public epoch, database size, and unpadded retrieval count, and its prototype reports practical—but linear-in-database-size—search and retrieval costs.
Full paper abstract
Abstract
Secure and anonymous messaging has many compelling use-cases and is becoming increasingly popular. In this paper, we consider it in the context of delay-and-disruption-prone networks, which are characterized by handicapped network access, disrupted operation, censorship, and intermittent network outages. With such settings in mind, we define and design a Private Identity-Based Bulletin Board (PIB³) scheme, which allows users to anonymously post and retrieve messages to and from a distributed database, and supports communication between users without pre-established setup or pre-exchanged keys. Anyone can encrypt a message for an identity and public epoch, such that only the party with the decryption key for that identity can identify, retrieve, and decrypt the message. Against one corrupted non-colluding PIB³ server, the server learns neither the recipient identity nor the retrieved record indices beyond the leakage explicitly modeled by the scheme: the public epoch, the database size, and the number of retrievals made by the receiver. If retrieval-count privacy is required, retrievals can be padded to a fixed bound. The multi-server construction extends this guarantee to larger server sets, and gives coalition privacy whenever the underlying multi-server PIR scheme is private against the corresponding coalition. Contributions of this work are: (1) formally defining functionality and security requirements for PIB³-s, (2) defining and constructing a Hierarchical Identity-Based Encryption (HIBE) scheme with searchable ciphertexts, which serves as a building block for the proposed PIB³ scheme and may be of independet interest, (3) designing an efficient PIB³ scheme that can be realized with n ≥ 2 servers based on the HIBE scheme with searchable ciphertexts combined with additional primitives, and (4) implementing a functional PIB³ prototype which demonstrates practicality of the entire concept and allows us to assess its performance empirically.
Provenance: Transcribed from the checked-in author manuscript; mathematical notation was normalized to plain Unicode, and only typography, discretionary hyphenation, and line-break artifacts were otherwise normalized. The source typo 'independet' is retained.
Evidence profile
Six dimensions, kept separate
The chart summarizes documented evidence and process. It is not a correctness probability, confidence score, or ranking, and no composite score is calculated.
LowMediumHighN/A = not assessed
A smaller value means less documented support for that dimension, not that the paper is false or unimportant.
- Epistemic evidence High
-
The full manuscript defines the primitive and leakage model, gives concrete constructions, states and proves component and composed privacy results, exhibits a motivating attack, analyzes asymptotic cost, and reports repeated prototype measurements. The work is under review, code and raw data are not yet linked, and no independent proof audit or reproduction was located.
Searchable-HIBE syntax, correctness, soundness, and fixed-epoch anonymity Main bulletin-board privacy theorem and hybrid proof sketch Full PIB privacy hybrid argument Prototype setup, search and PIR measurements, latency, and omitted client benchmark - Auditability High
-
A complete checked-in author manuscript with recorded SHA-256 and page count, precise source anchors, full definitions and proofs, and detailed experiment tables makes the represented claims directly inspectable. Code, scripts, and raw measurements remain unavailable.
Problem, guarantees, four contributions, and prototype claim Main bulletin-board privacy theorem and hybrid proof sketch Prototype setup, search and PIR measurements, latency, and omitted client benchmark - Production provenance Medium
-
Named authorship, affiliations, checked-in manuscript identity, and under-review lifecycle status establish baseline provenance. Contributor roles, revision history, tool use, code-version lineage, and final publication approval are not documented.
Problem, guarantees, four contributions, and prototype claim Under-review status - External scrutiny Low
-
The manuscript is under review and no completed independent review outcome is represented. Public review reports, rebuttal, cryptographic audit, reproduction, and correction history were not located.
Under-review status - Reception Low
-
A dated exact-title scholarly-web search located 0 citations for this under-review manuscript. Under the author-defined corpus rule, 0 through 8 located citations is Low; this may change after stable publication and indexing.
Dated exact-title citation search - Contribution significance Medium
-
The work combines a new identity-discovery primitive, a formally analyzed distributed bulletin-board construction, a single-server impossibility-motivating attack, and a functioning prototype for a difficult communication setting. Priority, adoption, peer-review outcome, and broader field impact remain unverified.
Problem, guarantees, four contributions, and prototype claim Single-server access-profile leakage and chosen-identity attack Prototype setup, search and PIR measurements, latency, and omitted client benchmark
Assessment: Ai draft author review pending · 2026-07-11 · rubric 0.2. These dimensions describe documented support and process, not truth, correctness, or a universal ranking. No composite score is calculated.
Top-down and bottom-up view
Hierarchical knowledge map
Collapse a branch for a top-level reading, or follow its source links and child nodes to audit the evidence and boundaries underneath it.
Private Identity-Based Bulletin Boards
A theory-and-systems paper defining metadata-private identity-based bulletin boards, constructing the required searchable-encryption and retrieval protocols, proving privacy under explicit leakage and non-collusion assumptions, and evaluating a functional prototype.
Problem, guarantees, four contributions, and prototype claim-
question Research question
research questionCan parties who have never exchanged keys post and retrieve messages asynchronously through censored or intermittent networks without revealing recipient identities or requested database indices to the storage service?
Problem, guarantees, four contributions, and prototype claim -
contribution PIB³ construction
source assertedThe answer combines anonymous IBE, two-level searchable HIBE, randomized token shares, and multi-server PIR so senders need only a receiver identity and public epoch while each allowed corrupted-server coalition sees only the stated leakage.
Record format, discovery mechanism, token sharing, and PIR retrieval PIB record encoding and two-server query protocol N-server protocol and conditional coalition-privacy theorem -
scope Delay-and-disruption-prone communication explicitly scoped
Clients may be offline at different times and face censorship, rate limits, shutdowns, or intermittent links; replicated bulletin-board servers provide temporary application-layer storage until connectivity returns.
Problem, guarantees, four contributions, and prototype claim System, network, adversary, anonymous-channel, and leakage model-
assumption Identity knowledge and public setup
assumedSenders and receivers know pseudonyms for one another and possess a client with public IBE/HIBE parameters, but they need no pairwise pre-shared key or prior synchronous exchange.
System, network, adversary, anonymous-channel, and leakage model -
assumption Anonymous client-server channels
assumed external serviceUploads and queries are assumed to travel through an anonymity network such as Tor; PIB³ does not itself hide the client's network address from a server observing an ordinary identified transport.
System, network, adversary, anonymous-channel, and leakage model -
threat model Network and bulletin-board adversary
definedA polynomial-time adversary may observe and disrupt links, corrupt a server, control malicious uploaders, adaptively insert records, and participate in retrieval as that server, but cannot violate the stated cryptographic assumptions.
System, network, adversary, anonymous-channel, and leakage model -
definition Explicit leakage
explicitly modeledPrivacy exposes the public epoch, database size, and number of PIR retrievals. Padding to a fixed bound can hide retrieval count only if the application also specifies dummy retrievals and behavior when real matches exceed that bound.
System, network, adversary, anonymous-channel, and leakage model Main bulletin-board privacy theorem and hybrid proof sketch
-
-
primitive HIBE with searchable ciphertexts formally defined and constructed
HIBESC extends two-level HIBE with CipherGen, Token, and Check. Anyone can create a searchable ciphertext for identity vector (id, epoch), but only the first-level identity-key holder can form the matching epoch token.
Searchable-HIBE syntax, correctness, soundness, and fixed-epoch anonymity Two-level searchable-HIBE construction-
security definition Correctness, soundness, and fixed-epoch anonymity
definedCorrect matching tokens and ciphertexts must accept; mismatched identity or epoch should reject; and ciphertexts for different identities in the same public epoch should be computationally indistinguishable under the specified games.
Searchable-HIBE syntax, correctness, soundness, and fixed-epoch anonymity -
proof Searchable-HIBE reduction chain
reduction providedThe appendices establish an intermediate ciphertext-identity-indifferentiability property and reduce fixed-epoch anonymity to decisional bilinear Diffie-Hellman, with explicit random-oracle programming and abort probability accounting.
Searchable-HIBE reductions and fixed-epoch anonymity proof
-
-
scheme Two-ciphertext bulletin-board record
specifiedEach record contains an anonymous-IBE payload ciphertext and a searchable-HIBE discovery ciphertext for (recipient identity, public epoch). The encrypted plaintext includes a hash of the discovery ciphertext to bind the two components.
Record format, discovery mechanism, token sharing, and PIR retrieval PIB record encoding and two-server query protocol -
protocol Two-server private query specified
The receiver splits a search token between two replicated, non-colluding servers. Each partially evaluates Check for every record; the receiver combines replies into a matching index set and uses two-server PIR to fetch the corresponding IBE ciphertexts.
Record format, discovery mechanism, token sharing, and PIR retrieval PIB record encoding and two-server query protocol-
attack Why one server is insufficient
demonstrated analyticallyA single server sees which records share a query token and can upload a probe ciphertext for a chosen identity and epoch, then test future tokens against it. Token sharing removes that direct Check oracle from any one allowed corrupted server.
Single-server access-profile leakage and chosen-identity attack
-
-
protocol N-server extension
specifiedThe receiver distributes correlated token shares across N servers and combines all partial values before PIR. No server-to-server communication is needed during a query, but every server must hold identically ordered records.
N-server protocol and conditional coalition-privacy theorem -
claim group Main claims formally supported
The manuscript claims correctness and privacy for the concrete scheme under the component assumptions and leakage model, conditional coalition privacy for the extension, and practical feasibility for the measured prototype configurations.
Main bulletin-board privacy theorem and hybrid proof sketch N-server protocol and conditional coalition-privacy theorem Prototype setup, search and PIR measurements, latency, and omitted client benchmark-
claim Two-server bulletin-board privacy
theorem with reductionTheorem 1 bounds a bulletin-board adversary by two PIR-privacy terms, two searchable-HIBE anonymity terms, two IBE-anonymity terms, and an IBE IND-CPA term, with active probing captured up to retrieval-count leakage.
Main bulletin-board privacy theorem and hybrid proof sketch Full PIB privacy hybrid argument -
claim Conditional coalition privacy
conditional theoremTheorem 2 extends privacy to a strict server coalition only when token shares are simulatable for that coalition and the chosen N-server PIR is private against the same coalition, with retrieval count available to its simulator.
N-server protocol and conditional coalition-privacy theorem -
claim Optimized retrieval communication
asymptotically analyzedHash-compressed partial Check values and batched PIR yield four rounds and reported communication O((n + λ) log n + C + G), where n is record count, λ the security parameter, C record size, and G group-element size.
Collision analysis, optimized communication, and round count
-
-
evidence group Evidence formal and empirical
Support includes formal syntax and games, reductions for component and composed privacy, an explicit attack on the tempting one-server design, asymptotic analysis, and a prototype benchmark of the heavy server-side search and PIR operations.
Searchable-HIBE reductions and fixed-epoch anonymity proof Full PIB privacy hybrid argument Single-server access-profile leakage and chosen-identity attack Prototype setup, search and PIR measurements, latency, and omitted client benchmark-
evidence Prototype benchmark setup
reported experimentThe 128-bit-security prototype ran on an AWS c6a.8xlarge instance with 32 vCPUs. Most configurations were repeated ten times; the largest final PIR row was repeated twice, and reported variance was negligible but omitted.
Prototype setup, search and PIR measurements, latency, and omitted client benchmark -
evidence Linear full-database search
reported measurementServer-side pairing search scaled from roughly 0.47-0.48 seconds at 1,000 ciphertexts to about 45 seconds at 100,000 ciphertexts on the test machine.
Prototype setup, search and PIR measurements, latency, and omitted client benchmark -
evidence PIR and end-to-end server computation
reported measurementFor 100-kilobit payloads and 100,000 records, reported DPF evaluation is 35.597 seconds and total server computation is just over 80 seconds; smaller records or databases take seconds or fractions of seconds.
Prototype setup, search and PIR measurements, latency, and omitted client benchmark
-
-
limitation group Scope and limitations material
Privacy is conditional on cryptographic assumptions, anonymous transport, synchronized replicated databases, the allowed non-colluding coalition, and explicit leakage. The prototype is not a deployed censorship-resistance study or independent reproduction.
System, network, adversary, anonymous-channel, and leakage model Main bulletin-board privacy theorem and hybrid proof sketch Prototype setup, search and PIR measurements, latency, and omitted client benchmark N-server protocol and conditional coalition-privacy theorem-
limitation Non-collusion and PIR boundary
theorem boundaryTwo-server privacy excludes both servers colluding. The N-server claim covers only coalitions for which both token-share simulation and the underlying PIR privacy property hold.
Main bulletin-board privacy theorem and hybrid proof sketch N-server protocol and conditional coalition-privacy theorem -
limitation Epoch, size, and access-count leakage
explicit leakageThe scheme does not hide public epoch, database size, or unpadded retrieval count. Padding shifts rather than eliminates costs and requires an overflow rule when a user has more than the fixed number of matches.
System, network, adversary, anonymous-channel, and leakage model Main bulletin-board privacy theorem and hybrid proof sketch -
limitation Partial prototype evaluation
experimental boundaryThe benchmark covers computationally heavy server components, not the complete client path, WAN anonymity-network delay, censorship behavior, database synchronization, availability attacks, or a real multi-user deployment.
Prototype setup, search and PIR measurements, latency, and omitted client benchmark
-
-
artifact group Artifacts and reproducibility
manuscript available code pendingThe 44-page manuscript is checked in with a recorded hash. It states that implementation code will be open-sourced after publication; no repository, benchmark scripts, raw measurements, or environment image is currently linked.
Problem, guarantees, four contributions, and prototype claim Prototype setup, search and PIR measurements, latency, and omitted client benchmark -
scrutiny External scrutiny
under reviewThe site records the manuscript as under review. No acceptance, public review report, rebuttal, independent cryptographic audit, reproduction, correction, or adversarial follow-up is represented.
Under-review status
Audit trail
Source index
Locators state the depth of the current audit. PDF page numbers, where present, are one-based file pages; metadata-, summary-, and abstract-bounded records explicitly identify their limitations.
- Problem, guarantees, four contributions, and prototype claim Abstract and Section 1, PDF pages 1-5
- System, network, adversary, anonymous-channel, and leakage model Section 2.1, PDF page 5
- Record format, discovery mechanism, token sharing, and PIR retrieval Section 2.2, PDF pages 5-7
- Searchable-HIBE syntax, correctness, soundness, and fixed-epoch anonymity Section 5, PDF pages 8-10
- Two-level searchable-HIBE construction Section 6, PDF pages 9-11
- PIB³ syntax, correctness, and bulletin-board privacy experiment Section 7 and Figure 4, PDF pages 11-13
- PIB record encoding and two-server query protocol Section 8.1 and Figures 5-6, PDF pages 13-15
- Main bulletin-board privacy theorem and hybrid proof sketch Section 8.2, Theorem 1, PDF pages 14-15
- Collision analysis, optimized communication, and round count Appendix A and Section 8.2, PDF pages 15 and 18-19
- Prototype setup, search and PIR measurements, latency, and omitted client benchmark Appendix B, PDF pages 19-22
- Single-server access-profile leakage and chosen-identity attack Appendix F, PDF pages 29-30
- Searchable-HIBE reductions and fixed-epoch anonymity proof Appendix G, PDF pages 30-35
- Full PIB privacy hybrid argument Appendix H, PDF pages 35-42
- N-server protocol and conditional coalition-privacy theorem Appendix I, Theorem 2, PDF pages 42-44
- Under-review status Website publication record accessed 2026-07-11
- Dated exact-title citation search No citing work was verifiably located when searched 2026-07-11