Research on Key Distribution Protocols
Abstract
Security problems in communication systems are solved by cryptosystems. Modern cryptosystems always assume that the algorithm is public, so the security of a cryptosystem rests entirely on the security of its keys; the key is the core of the cryptosystem. Because symmetric encryption is more efficient, a symmetric session key usually has to be shared among the communicating parties. An important question is how to construct efficient protocols for establishing keys within a communication group. There are currently two main kinds of group key establishment protocol: centralized key distribution protocols and key agreement protocols. A centralized key distribution model with a single server is prone to a single point of failure, so much current research is on distributed key distribution protocols. Self-healing key distribution protocols, which distribute keys over unreliable channels, are also a current research focus. In a key agreement protocol the group members jointly negotiate a group key for a symmetric cryptosystem.
     Secret sharing means sharing secret information among group members such that a certain number of members can recover the shared secret. Secret sharing is the foundation of key distribution, an important research direction in cryptography, and an important means of protecting information and data.
     This thesis studies secret sharing, self-healing key distribution protocols and distributed key distribution protocols.
     Hwang and Chwang proposed a secret sharing protocol with novel properties, HCSS (Hwang and Chwang's Secret Sharing Protocol), but it has a large storage overhead. This thesis improves the original protocol and analyzes the performance of the improved protocol. The improved protocol reduces the group manager's storage overhead without weakening the security of the original. The scheme lets users choose their own sub-keys, and even in the initial key distribution phase there is no requirement for a secure channel between the group manager and the users. When the system key is updated, only the group manager has to re-select parameters and redo the related computation; no member's personal key needs to change, so every member's personal key can be reused.
     Applying the improved secret sharing protocol to the design of a self-healing key distribution protocol reduces, for the first time, the storage complexity of self-healing key distribution to a constant. In the setup phase, members' personal keys are chosen by the members themselves rather than distributed by the group manager, which removes the constraint of a secure one-to-one channel between the group manager and each member. When the lifetime of personal keys is extended, no reliable channel between the group manager and the members is required and the broadcast message does not grow; the group manager only updates the information on the bulletin board.
     A self-healing key distribution protocol with new properties is proposed. The first property is that a coalition of more than the threshold number of members of the current session can sponsor a new member joining the session group without any interaction with the group manager. The second property is that the fixed number of sessions per group is removed, and with it the constraint that personal key storage complexity and communication complexity grow linearly with the number of sessions per group. Moreover, as long as no more than the threshold number of members is removed, personal keys remain usable without updating.
     Based on RSA public key cryptography, combined with verifiable secret sharing and proofs of knowledge, a computationally secure conference key distribution scheme that can detect cheaters is given. The scheme is simple to implement, has a small computational cost for users, and its security is equivalent to the large-prime factorization problem of RSA.
The security of communication depends on the cryptosystem. In modern cryptography the encryption algorithm is assumed to be known to the attacker, so the security of a cryptosystem lies entirely in the security of its keys; the key is the core of the cryptosystem. Since symmetric cryptosystems are more efficient than asymmetric ones, it is sensible to provide a symmetric key that users can use to encrypt and decrypt the messages they send each other. A meaningful question is how to establish a session key efficiently in a communication group. There are two kinds of key establishment protocol: centralized key distribution protocols and key agreement protocols. In a centralized key distribution protocol a single server does most of the work, so it is the first target of attack; recent research therefore focuses on distributed key distribution protocols. Distributing a group key among a dynamic group of users over an unreliable network is another active research topic.
     Secret sharing means sharing a secret among the users of a group such that only specified subsets of the users can later recover it. Secret sharing is the foundation of key distribution and an important means of protecting information and data.
     Hwang and Chwang proposed a threshold secret sharing protocol (HCSS) with a novel property, but its storage overhead is rather high. This thesis gives an improved protocol and its performance analysis. The improved scheme keeps the property of the original that users select their personal keys themselves rather than receiving them from the group manager, while greatly decreasing the storage overhead. The requirement of a secure channel between the group manager and the users can be dropped. During rekeying, the group manager alone selects new parameters and performs the related computation, and each user's personal key can be reused.
     Introducing the new secret sharing scheme into the design of self-healing key distribution yields an efficient, computationally secure self-healing group key distribution protocol, which for the first time achieves constant personal key storage overhead. During system setup each user selects his own personal key instead of receiving it from the group manager, so the scheme removes the requirement of a secure channel in the setup step. In addition, after a set of sessions has expired, extending the lifetime of personal keys is much more efficient than in previous schemes.
     A self-healing key distribution protocol with novel properties is proposed. The first property is that a coalition of more than the threshold number of users can sponsor a user outside the group for one session without any interaction with the group manager. The second property is that, unlike previous work, it removes the restriction to m sessions; consequently, the storage overhead of the personal key and the communication overhead do not grow with m. Moreover, if fewer than the threshold number of users are deleted, the personal key can be used without rekeying.
     A computationally secure distributed key distribution protocol based on RSA public key cryptography, combined with a verifiable secret sharing scheme and a zero-knowledge proof technique, is proposed. Cheaters can be detected easily. The protocol is very simple and its computation overhead is small. Its security is equivalent to the large-prime factorization problem of RSA.
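The threshold secret sharing the abstract builds on, together with share verification that lets a cheating share be detected before reconstruction, as an added illustration in Python (not the thesis's own HCSS or RSA-based scheme): a (t, n) Shamir split over a prime field with Feldman-style commitments. The parameters Q, P and G are small constructed values for demonstration only.

```python
import secrets

# Constructed demo parameters: Q prime, P = 2Q + 1 also prime, so Z_P^* has a
# subgroup of order Q; G = 4 is a quadratic residue mod P and generates it.
Q = 1019
P = 2 * Q + 1   # 2039
G = 4

def split(secret, t, n):
    """Return n shares (x, f(x)) of secret with threshold t, plus Feldman commitments."""
    assert 0 <= secret < Q and 1 <= t <= n < Q
    coeffs = [secret] + [secrets.randbelow(Q) for _ in range(t - 1)]   # f(0) = secret
    shares = [(x, sum(c * pow(x, j, Q) for j, c in enumerate(coeffs)) % Q)
              for x in range(1, n + 1)]
    commitments = [pow(G, c, P) for c in coeffs]   # G^{a_j}: hides a_j, binds f
    return shares, commitments

def verify_share(share, commitments):
    """Check G^{f(x)} == prod_j C_j^{x^j} (mod P); False means the share was altered."""
    x, y = share
    expected = 1
    for j, c in enumerate(commitments):
        expected = expected * pow(c, pow(x, j, Q), P) % P
    return pow(G, y, P) == expected

def detect_bad_shares(shares, commitments):
    """Return the x values of shares that fail verification (suspected cheaters)."""
    return [x for x, y in shares if not verify_share((x, y), commitments)]

def reconstruct(shares):
    """Lagrange-interpolate f(0) mod Q from any t distinct shares."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * xj % Q
                den = den * (xj - xi) % Q
        secret = (secret + yi * num * pow(den, -1, Q)) % Q
    return secret

if __name__ == "__main__":
    shares, comms = split(123, 3, 5)          # any 3 of 5 holders can recover 123
    print("recovered:", reconstruct(shares[2:]))
    bad = (shares[0][0], (shares[0][1] + 1) % Q)
    print("cheater(s):", detect_bad_shares([bad] + shares[1:], comms))
```

Reconstructing from an unverified altered share silently yields the wrong secret, which is why the commitment check is run first.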
