Proofs of censorship are transferable and persistent: even if a content provider restores a censored file, previously generated proofs remain cryptographically valid and can serve as a reputation mechanism, a trigger for smart-contract financial penalties (e.g., Ethereum bonds), or mandatory disclosures to transparency databases such as Lumen, enabling accountability for transient or temporally-selective censorship that current transparency reports cannot capture.

For 1 MB files, even at a database of only 50,000 entries, PIR responses reach 73.1 MB per retrieval, making proof-of-censorship impractical for image or video streaming content providers. By contrast, for 256-byte (Twitter-like) messages the system remains workable at 10 million files with 8.0 MB queries and 2.0 MB replies, and stays roughly constant in reply size (2.0 MB) between 500k and 10 million files.

§5, Tables 2–3 evaluation

The proof-of-censorship scheme uses single-server computational PIR with homomorphic encryption so that the server, having signed both the PIR query hash and its reply, cannot selectively omit responses for a targeted file without returning garbage data. A client detecting the mismatch publishes the upload ticket, signed reply, and query seed as a compact, transferable cryptographic proof of censorship verifiable by any third party holding the server's long-term public key.

§4.1 defense

On a quad-core Intel Core i5 (3.30 GHz) against a database of 1 million 256-byte messages, the prototype produces a 3.8 MB PIR query (28 ms client-side generation) and a 2.0 MB proof requiring 2.8 s of server-side processing; third-party proof validation takes 52 ms, and the 120-byte upload ticket validates in 381 µs. All client-side operations are fast enough for smartphone or JavaScript implementations.

§5, Table 1 evaluation

A censoring server cannot selectively withhold PIR responses for a targeted file while honestly answering others: if a PPT algorithm A could distinguish targeted-file queries from all other queries, it would directly violate the query privacy of the underlying PIR scheme. The server's only compliant evasion strategy is an indiscriminate shutdown — refusing all queries or all signatures — which is behaviorally distinguishable and does not produce a plausible-deniability defense.

§4.3 defense