An adversary who wishes to expose storers by having forwarders log storer identities must compromise all n−k+1 chosen forwarders before or during the publication event; forwarders that legitimately delete the storer mapping immediately after acknowledging publication render this attack ineffective unless the adversary pre-positions malicious nodes at sufficient density. The paper notes that with a reasonably large forwarder population the probability of the required simultaneous compromise is small.

Active-server document anonymity is achieved by routing decryption through a randomly chosen ephemeral 'decrypter' node: the storer holds only ciphertext {h}k while key k is delivered separately to the decrypter via onion routing. Neither the storer nor any other single node can reconstruct the plaintext share, so a storer cannot identify the document it is hosting even by attempting to retrieve it.

§2–§3 defense

The paper proposes a forwarder/storer role split in which forwarders hold only an anonymous return-address pointer to the storer, and deliberately forget the storer's identity upon receiving a publication acknowledgment. Because forwarders neither hold content nor retain storer addresses post-publication, coercing a forwarder after publication yields no actionable information about where shares are held.

§2–§3 defense

Publius splits document keys into n shares where any k reconstruct the document, requiring a censor to coerce only n−k+1 servers to suppress it. Because all Publius server locations are discoverable by any reader, the paper argues this threshold is easily achievable, making location-secrecy of storers a necessary — not optional — property for censorship-resistant storage systems.

§1 defense