Security.

The mechanism is secure under the assumption that the card is tamper-resistant. An attacker who wants to add values to the revocation list cannot do so, because he cannot forge the group manager's signature. Likewise, it is impossible to substitute one value for another, because the signature would then be incorrect. Moreover, removing a value from the revocation list would generate a card error, because the final signature verification test would fail. Finally, indefinitely replaying the same revocation list would lead the verifier to reject the signature, because he can compare the date of the update by $GM$ ($D_{GM}$) with the date of the last signature by the smart card ($D_{C}$): if $D_{C}$ is different from $D_{GM}$, he can assume that the signer intended to cheat. For example, the revocation list can be updated every day. Another solution is on-line verification (even if it is an "extreme" case). We can then conclude that the previous mechanism is secure under the assumption that the card is secure.
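
The four cases argued above (adding, substituting, removing and replaying) can be checked against a simplified model, given here as an added example that is not code from the paper. Assumptions: HMAC-SHA256 under a constructed key stands in for the signature of $GM$, the tag covers the ordered list together with $D_{GM}$, and all function names, identifiers and dates are hypothetical.

```python
import hashlib
import hmac

# Assumption: HMAC-SHA256 under a constructed key stands in for GM's signature.
GM_KEY = b"constructed-demo-key"

def _encode(values, d_gm):
    # Length-prefix every field so distinct (list, date) pairs never encode alike.
    fields = [d_gm.encode()] + [v.encode() for v in values]
    return b"".join(len(f).to_bytes(4, "big") + f for f in fields)

def gm_sign(values, d_gm):
    """GM authenticates the ordered revocation list together with D_GM."""
    return hmac.new(GM_KEY, _encode(values, d_gm), hashlib.sha256).digest()

def card_check(values, d_gm, tag):
    """Card-side test: return D_C (date of the accepted list) or raise a card error."""
    if not hmac.compare_digest(gm_sign(values, d_gm), tag):
        raise ValueError("card error: signature verification failed")
    return d_gm

def verifier_accepts(d_c, current_d_gm):
    """Verifier-side freshness test: D_C must equal the latest D_GM."""
    return d_c == current_d_gm

def tamper_results():
    # Constructed sample data: the previous and the current list issued by GM.
    old = (["id-17", "id-42"], "2000-01-01")
    new = (["id-17", "id-42", "id-99"], "2000-01-02")
    old_tag, new_tag = gm_sign(*old), gm_sign(*new)
    cases = {
        "genuine": (new[0], new[1], new_tag),
        "added": (new[0] + ["id-07"], new[1], new_tag),
        "substituted": (["id-17", "id-42", "id-07"], new[1], new_tag),
        "removed": (new[0][:-1], new[1], new_tag),
        "replayed": (old[0], old[1], old_tag),
    }
    results = {}
    for name, (values, d_gm, tag) in cases.items():
        try:
            d_c = card_check(values, d_gm, tag)
            ok = verifier_accepts(d_c, new[1])
            results[name] = "accepted" if ok else "rejected by verifier"
        except ValueError:
            results[name] = "card error"
    return results

if __name__ == "__main__":
    for name, outcome in tamper_results().items():
        print(f"{name:12s} {outcome}")
```

The replayed list passes the card's check because its tag is genuine; only the comparison of $D_{C}$ with $D_{GM}$ on the verifier's side catches it.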