2000-waldman-publius
findings extracted from this paper
-
Publius cryptographically binds the URL to both the document content and the key shares via name_i = wrap(H(M · share_i)). Any unauthorized modification to the stored encrypted file, a share, or the URL itself causes the tamper check to fail, preventing silent content substitution by a malicious server.
-
A malicious server operator with write access can mount a redirection attack by inserting a fake update file pointing to adversary-controlled content. If the client retrieves only k shares and Mallory controls k collaborating servers, all k update URLs match and the client proxy follows the redirect. A 1-bit non-updatable flag in the Publius URL blocks this vector by instructing clients to ignore all update files.
-
Publius's delete mechanism requires the publisher to supply H(server_domain · PW) per server rather than a bare password, preventing any single malicious server from learning the global password and deleting the document from all hosting servers. However, the paper acknowledges that an adversary who identifies the publisher can apply coercive ('rubber-hose') methods to obtain the URL and password directly from the author, bypassing all cryptographic protections.
-
Publius provides source anonymity once content is published but offers no connection-based anonymity at upload time. A network-layer eavesdropper between the publisher and the servers, or a server's connection log, can reveal the publisher's IP address. The paper explicitly states that Publius must be combined with a mix-network or crowd-anonymity tool (e.g., Crowds, Onion Routing) to protect publisher identity during the upload phase.
-
Publius encrypts content under a symmetric key K, then splits K into n shares using Shamir secret sharing such that any k shares reconstruct K. Each server stores the encrypted document plus one share, so an adversary must corrupt or destroy n−k+1 servers to censor the document, and increasing n or decreasing k raises the bar proportionally.
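The publish/retrieve flow from the first and last findings above, as an added example (not code from the Publius paper or its implementation): K is split with Shamir sharing, each name_i binds the stored ciphertext to share_i, and the client discards any server whose file or share fails the tamper check before rebuilding K. The SHA-256 keystream cipher, the 127-bit prime field and the 8-byte wrap() are stand-ins chosen here, not the paper's parameters.

```python
import hashlib, secrets

P = 2**127 - 1  # prime field for the Shamir shares (a constructed choice, not the paper's)
def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def wrap(digest: bytes) -> bytes:
    # Assumed stand-in for the paper's wrap(): shorten the hash to an 8-byte name.
    return digest[:8]

def stream_xor(key: int, data: bytes) -> bytes:
    # Symmetric stand-in for the document cipher: XOR with a SHA-256 counter keystream.
    kb, out = key.to_bytes(16, "big"), bytearray()
    for off in range(0, len(data), 32):
        ks = H(kb + off.to_bytes(4, "big"))
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)

def split_key(key: int, n: int, k: int):
    # Shamir: random degree-(k-1) polynomial with constant term K; share_i = (i, f(i)).
    coeffs = [key] + [secrets.randbelow(P) for _ in range(k - 1)]
    return [(x, sum(c * pow(x, j, P) for j, c in enumerate(coeffs)) % P) for x in range(1, n + 1)]

def recover_key(shares) -> int:
    # Lagrange interpolation at x = 0 from any k distinct shares.
    key = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num, den = num * -xj % P, den * (xi - xj) % P
        key = (key + yi * num * pow(den, P - 2, P)) % P
    return key

def share_bytes(share) -> bytes:
    return share[0].to_bytes(2, "big") + share[1].to_bytes(16, "big")
def tamper_ok(ct: bytes, share, name: bytes) -> bool:
    return wrap(H(ct + share_bytes(share))) == name

def publish(doc: bytes, n: int, k: int):
    key = secrets.randbelow(2**126)
    ct = stream_xor(key, doc)              # {M}_K, stored on every server
    shares = split_key(key, n, k)
    # name_i = wrap(H(ciphertext . share_i)): the names make up the Publius URL.
    names = [wrap(H(ct + share_bytes(s))) for s in shares]
    return ct, shares, names

def retrieve(ct: bytes, shares, names, k: int) -> bytes:
    # Client: drop any server whose file or share fails the check, then rebuild K from k good shares.
    good = [s for s, nm in zip(shares, names) if tamper_ok(ct, s, nm)]
    if len(good) < k:
        raise ValueError("too few untampered shares to reconstruct K")
    return stream_xor(recover_key(good[:k]), ct)
```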