Check out the new USENIX Web site.
Next: Efficiency Considerations. Up: Second Solution. Previous: Description.

Security.

The mechanism is secure under the assumption that the card is tamper-resistant. In fact an attacker cannot add some more values in the revocation list because he cannot afterwards compute the related signature. He cannot substitute a value for another one because the corresponding signature would then be incorrect. Removing a value from the revocation list would generate a card error because the final test on the signed number of revoked members would be wrong. Finally, as for the first solution (see section 4.2.2), there is no way to replay indefinitely the same list.