Successfully reported this slideshow.
ISSN: 2278 – 1323                                      International Journal of Advanced Research in Computer Engineering ...
ISSN: 2278 – 1323                                             International Journal of Advanced Research in Computer Engin...
ISSN: 2278 – 1323                                                International Journal of Advanced Research in Computer En...
ISSN: 2278 – 1323                                         International Journal of Advanced Research in Computer Engineeri...
ISSN: 2278 – 1323                                             International Journal of Advanced Research in Computer Engin...
Upcoming SlideShare
Loading in …5

341 345


Published on

Published in: Technology
  • Be the first to comment

  • Be the first to like this

341 345

  1. 1. ISSN: 2278 – 1323 International Journal of Advanced Research in Computer Engineering & Technology Volume 1, Issue 5, July 2012 Restricting mischievous users in anonymizing networks A. Amaranath1, N. Maneiah2, G. Prasadbabu3, P. Nirupama4, 1, 2 M.Tech Student, 3Assoc. Prof, 4Prof, Head, 1, 2, 3, 4 Department of CSE, Siddharth Institute of Engineering & Technology, Puttur, Andhrapradesh, India, 1— Anonymizing networks such as knoll tolerate scalability. Observable signatures [26] allow the groupusers to admittance Internet services clandestinely by director to release a trapdoor that allows all signaturesusing a progression of routers to bury the client’s IP generated by a meticulous user to be traced; such a moveaddress from the server. The achievement of such toward does not give the backward unlink ability [30] that wenetworks, conversely, has been restricted by users craving, where a client’s accesses before the grievanceemploying this anonymity for obnoxious purposes such remain unidentified. Backward unlink ability allows for whatas defacing admired websites. Website administrators we call individual blacklisting, where servers can blacklisthabitually rely on IP-address jamming for disabling users for no matter what reason while the privacy of theadmission to mischievous users, but jamming IP blacklisted user is not at danger. In contrast, approachesaddresses is not convenient if the abuser routes through without diffident unlink ability need to pay vigilantan anonymizing network. As a consequence, consideration to when and why a user should have all theiradministrators obstruct all recognized depart nodes of associations linked, and users must worry about whether theiranonymizing networks, denying anonymous access to behaviors will be judged fairly.mischievous and behaving users alike. Individual blacklisting is also better appropriate to To tackle this problem, we current Nymble, a system servers such as Wikipedia, where misbehaviors such asin which servers can “blacklist” mischievous users, debatable edits to a webpage, are hard to identify inthereby jamming users without compromising their mathematical terms. In some systems, misconduct can indeedambiguity. Our organization is thus atheist to different be defined accurately. For instance, double-expenditure of anservers’ definitions of mischievous — servers can ―e-coin‖ is considered misconduct in anonymous e-cashblacklist users for whatever reason, and the privacy of systems [8], [13], following which the offending user isblacklisted users is maintained. deanonymized. Unfortunately, such systems work for only slender definitions of misconduct — it is difficult to mapKeywords- anonymous blacklisting, privacy, revocation more multipart concept of misconduct onto ―double expenditure‖ or related approaches [32]. I. INTRODUCTION With energetic accumulators [11], [31], a revocation process results in a new squirrel and public parameters for the Anonymzing communications such as route crowd, and all other obtainable users’ qualifications must beinterchange through autonomous nodes in separate updated, making it unworkable. Verifier-local revocationmanagerial domains to hide a client’s IP address. (VLR) [2], [7], [9] fixes this shortcoming by requiring theUnfortunately, some users have distorted such networks — server (―verifier‖) to carry out only local updates duringunder the cover of ambiguity, users have frequently defaced revocation. Unfortunately, VLR requires heavy working outpopular websites such as Wikipedia. Since website at the attendant that is linear in the size of the blacklist. Foradministrators cannot blacklist personage wicked users’ IP example, for a blacklist with 1,000 entries, each confirmationaddresses, they blacklist the entire anonym zing network. would take tens of seconds,2 a too expensive cost in perform.Such measures eradicate wicked activity through anonym In distinction, our scheme takes the attendant about onezing networks at the cost of denying unknown access to millisecond per confirmation, which is several thousandbehaving users. In other words, a few ―bad mangos‖ can times faster than VLR. We believe these low overheads willdestroy the fun for all. (This has happened continually with incentivize servers to approve such a resolution whenTor.1) weighed aligned with the latent benefits of unsigned There are several solutions to this problem, each publishing (e.g., whistle-blowing, coverage, anonymous tipproviding some degree of answerability. In pseudonymous lines, activism, and so on.).official document systems clients log into websites by meansof pseudonyms, which can be extra to a blacklist if a client A. Our solutionbehave badly. Unfortunately, this come up to consequencesin pseudonymity for all clients, and weakens the ambiguity We close to a safe system called Nymble, which provideprovided by the in nominate system. all the following property: unsigned authentication, Unspecified documentation systems [10]a, [12] take up backward unlink ability, biased blacklisting, fastgroup signatures. Vital cluster signatures [1], [6], [15] permit authentication speed rate-limited anonymous associations,servers to repeal a misbehaving client’s mystery by revocation audit ability (where users can verify whether theycomplaining to a group manager. Servers must query the have been blacklisted), and also addresses the Sybil attackgroup director for every confirmation, and as a result lacks [19] to make its consumption realistic. 341 All Rights Reserved © 2012 IJARCET
  2. 2. ISSN: 2278 – 1323 International Journal of Advanced Research in Computer Engineering & Technology Volume 1, Issue 5, July 2012 In Nymble, users obtain an planned compilation of II. AN OVERVIEW TO NYMBLEnymbles, a special type of assumed name, to connect to We at present a high-level outline of the Nymble system, andwebsites. Without extra information, these nymbles are reschedule the entire protocol description and securitycomputationally hard to link,4 and therefore using the torrent analysis to consequent sections.of nymbles simulate nameless access to armed forces.Websites, conversely, can blacklist users by obtaining a seed A. Reserve-based blockingfor a particular nymble, allowing them to link future nymbles To limit the number of identities a user can acquire (calledfrom the similar user individuals used previous to the the Sybil attack [19]), the Nymble organization bindscriticism remain unlink able. nymbles to possessions that are satisfactorily difficult to Our scheme ensures that users are aware of their blacklist obtain in great numbers. For example, we have used IPstatus before they present a nymble, and separate straight addresses as the source in our achievement, but our schemeaway if they are blacklisted. even though our work applies to generalizes to other resources such as email addresses,anonymizing networks in general, we consider Tor for We do not declare to explain the Sybil attack. Thispurposes of exposition. In fact, any number of anonymizing problem is faced by any documentation system [19], [27],networks can rely on the same Nymble system, blacklisting and we suggest some promising approaches based onnameless users regardless of their Servers can consequently resource-based blocking since we aim to create a real-worldblacklist nameless users not including knowledge of their IP exploitation.addresses while allowing behaving users to connectnamelessly. Assistance of this paper B. The Pseudonym Executive The user must first contact the Pseudonym Manager (PM)Our research makes the following contributions: and express control over a reserve; for IP-address blocking,  Blacklisting unsigned users. We provide a means by the customer essential attach to the PM freely (i.e., not which servers can blacklist clients of an through a known anonymizing network), as shown in Figure anonymizing system while maintaining their 1. We think the PM has acquaintance about Tor routers, for privacy. example, and can ensure that users are exchange a few words  Realistic performance. Our procedure makes use of with it directly.6 Pseudonyms are deterministically chosen identity certificates, and trusted hardware. We based on the controlled source, ensuring that the equivalent address economical symmetric cryptographic pseudonym is always issued for the identical resource. operations to the practical issues related with C. The Nymble Supervisor resource-based blocking extensively outperform the alternatives. After obtaining a pseudonym from the PM, the client  Open-source achievement. With the goal of connects to the Nymble Administrator (NA) through the causative a practical system, we have built an anonymizing connections, and requests nymbles for access to open-source achievement of Nymble, which is a particular server (such as Wikipedia). A user’s requests to publicly available.5 we provide concert statistics to the NM are therefore pseudonymous, and nymbles are generated using the client’s pseudonym and the server’s show that our system is indeed sensible. individuality. These nymbles are thus definite to a particular user-attendant pair. However, as long as the PM and the NM do not conspire, the Nymble system cannot make out which user is involving to what server; the NM knows only the pseudonym-server pair, and the PM knows only the user identity-assumed name pair. To provide the obligatory cryptographic protection and security properties, the NM encapsulates nymbles within nymble tickets. Servers envelop seeds into involving tokens and therefore we will converse of involving tokens being second-hand to link future nymble tickets. The importance of these constructs will become evident as we continue. Fig. 1. The system architecture showing the various modes of interaction. D. Time Note that users interact with the NM and servers though the anonymizing network. Nymble tickets are bounce to specific time periods. As Some of the authors of this paper have available two illustrated in Figure 2, time is divided into link abilityunsigned validation schemes, BLAC [33] and PEREA [34], windows of extent W, each of which is divide into L timewhich do away with the need for a trusted third party for periods of extent T (i.e., W = L∗ T ). We will pass on to timerevoking clients. While BLAC and PEREA present better periods and link ability windows chronologically as t1, t2, . . .confidentiality by eliminating the TTP, Nymble provides , tL and w1 , w2, . . . in that order. While a client’s right ofsubstantiation rates that are more than a few orders of entry within a time period is tied to a single nymble ticket, theenormity faster than BLAC and PEREA (see Section 6). use of different nymble tickets transversely time periodsNymble thus represents a practical solution for blocking grants the user anonymity between time periods. Smallermischievous clients of anonymizing communications. time periods provide clients with higher rates of unsigned We note that a comprehensive version of this article is authentication, while longer time periods allow servers toobtainable as a technical report [16]. rate-limit the number of misbehaviors from a particular user All Rights Reserved © 2012 IJARCET 342
  3. 3. ISSN: 2278 – 1323 International Journal of Advanced Research in Computer Engineering & Technology Volume 1, Issue 5, July 2012before he or she is barren. For example, T could be set to 5 discussed in Section 4.3.4, these daisies are elements of aminutes, and W to 1 day (and thus L = 288). The link ability hash sequence, and provide a insubstantial unconventional towindow allows for enthusiasm since resources such as IP digital signatures. Using digital signatures and daisies, weaddresses can get re-assigned and it is unwanted to blacklist thus make certain that race circumstances are not probable insuch property until further notice, and it ensures absolution of verifying the freshness of a blacklist. A client is definite thatmisconduct after a certain period of time. he or she will not be connected if the user verifies the Misbehavior Complaint integrity and freshness of the blacklist before distribution his or her nymble ticket. time G. Reflection of updates to the Nymble Progression * We show awake the changes to Nymble as our confer-ence ... tL t1 ...t * ... tc ... tL t1 ... paper [24]. before, we had proved only the privacy properties w associated with nymbles as part of a two-tiered hash Future Connections sequence Here we show safety at the process level. This Previous connections remain connections anonymous process gave us insights into possible (subtle) attacks against anonymous and unlinkable become and unlinkable privacy, leading us to redecorate our protocols and refine our linkable once again definitions of solitude. For example, users are now whichever justifiable or unlawful, and are anonymous withinFig. 2. The life cycle of a misbehaving user. If the server complains in time these sets (see Section 3). This redefinition affects how aperiod tc about a user’s connection in t∗ , the user becomes linkable starting in client establish a ―Nymble association‖ (see Section 5.5), and now prevents the attendant from individual between userstc .The objection in tc can include nymble tickets from only tc−1 and earlier. who have already associated in the same time period and E. Blacklisting a user those who are blacklisted, ensuing in larger mystery sets. If client performs badly, the server may link any future A thorough procedure restore has also resulted in severalinvolvement from this client within the in progress link optimizations. We have eliminated blacklist descriptionability window (e.g., the same day). Consider Figure 2 as an numbers and clients do not need to continually obtain the inexample: A client connects and misbehaves at a server progress version number from the NM. Instead servers obtainthrough time period t∗ within link capability windowpane w. proofs of cleanness every time period, and users franklyThe server later detects this misconduct and complains to the verify the freshness of blacklists upon down-load. Based on aNM in time period tc (t∗ < tc ≤ tL ) of the same link ability hash-chain approach, the NM issues frivolous daisies towindowpane w. As part of the objection, the server presents servers as proof of a blacklist’s freshness, thus makingthe nymble ticket of the mischievous user and obtains the blacklist updates highly efficient. Also in its place ofequivalent seed from the NM. The server is then able to link embedding seeds, on which users must perform addition tofuture associations by the client in time periods tc , tc + 1, . . . confirm their blacklist status, the NM now embeds a sole, tL of the same link ability sheet of glass w∗ to the criticism. identifier nymble∗ , which the user can straight identify.Therefore, one time the member of staff serving at table has Lastly, we have compacted several datastructures, speciallycomplained about a customer, that customer is blacklisted for the servers’ blacklists, which are downloaded by users inthe rest of the day, for instance (the link ability window). each connection, and report on the various sizes in detail inNote that the user’s associates in t1, t2, . . . , t∗ , t∗ + 1, . . . , tc Section 6. We also information on our open-sourceremain unlikeable (i.e., including those since the misconduct implementation of Nymble.and until the time of complaint). Even though mischievoususers can be infertile from making associations in the future, III. SECURITY MODEL IN NYMBLEthe clients past connections remain unlink able, thus Nymble aims for four safety goals. We make availableproviding diffident unlink ability and subjective blacklisting. relaxed definitions here; a detailed formalism can be found in F. Notifying the client of blacklist status our procedural report [16], which explains how these goals must also resist combination attacks. Users who make use of anonymizing communicationssuppose their connections to be unsigned. If a server obtains A. Goals and threatsa seed for that user, however, it can link that user’s An entity is straightforward when its operations stand for byconsequent associates. It is of most consequence, then, that the system’s requirement. An truthful entity can beclients be notified of their blacklist grades previous to they interested: it attempts to conclude familiarity from its ownpresent a nymble permit to a server. In our organization, the information (e.g., its secrets, state, and protocolclient can download the server’s blacklist and verify her communications). An honest entity becomes corrupt when itstanding. If blacklisted, the client disconnects directly. is compromised by an assailant, and hence reveals its in order Since the blacklist is cryptographically signed by the at the time of conciliation, and operates under the attacker’sNM, the fidelity of the blacklist is easily verified if the full control, possibly conflicting from the arrangement.blacklist was competent in the present time period (only one Blacklist ability assures that any truthful server canupdate to the blacklist per time period is allowed). If the undeniably block mischievous users. Specifically, if anblacklist has not been efficient in the current time period, the honest server complains about a user that misbehave in theNM provides servers with ―daisies‖ every time phase so that present link capacity windowpane, the complaint will beusers can verify the originality of the blacklist (―blacklist successful and the user will not be able to ―nymble-connect,‖from time period told is fresh as of time period tnow‖). As i.e., establish a Nymble-authenticated association, to the 343 All Rights Reserved © 2012 IJARCET
  4. 4. ISSN: 2278 – 1323 International Journal of Advanced Research in Computer Engineering & Technology Volume 1, Issue 5, July 2012server successfully in subsequent time periods (following the encoding of) lists s and t. The empty list is denoted by $. Wetime of grumble) of that link ability window. sometimes treat lists of tuples as dictionaries. If A is aRate-limiting assures any truthful server that no user can (possibly probabilistic) algorithm, then A(x) denotes theffectively nymble-connect to it more than once controlled by output when A is executed given the input x.a := b means thatany on its own time phase. b is assigned to a.Non-frame ability guarantees that any truthful client who is B. Cryptographic primitivesjustifiable according to an truthful server cannymble-connect to that attendant. This prevents an aggressor Nymble uses the subsequent edifice blocksfrom framing a justifiable sincere user, e.g., by getting the  Secure cryptographic hash functions. These areuser blacklisted for somebody else misconduct.. When IP oneway and collision-resistant functions thataddresses are used as the individuality, it is possible for a user resemble random oracles [5]. Denote the range ofto ―structure‖ an truthful client who later obtains the similar the hash functions by H.IP address. Non-frame ability holds true only beside attackers  Secure message authentication (MA) [3]. Thesewith different identities (IP addresses). consist of the key generation (MA.KeyGen), and theAnonymity protects the secrecy of truthful users, regardless message authentication code (MAC) computationof their authenticity according to the (possibly dishonest) (MA.Mac) algorithms. Denote the domain of MACsserver; the server cannot learn any more information further by M.than whether the user behind (an attempt to make) a  Secure symmetric-key encryption (Enc) [4]. Thesenymble-connection is justifiable or unlawful. consist of the key generation (Enc.KeyGen), encryption (Enc.Encrypt), and decryption B. Trust assumptions (Enc.Decrypt) algorithms. Denote the domain of We allow the servers and the users to be damage and ciphertexts by !.prohibited by an aggressor. Not unquestioning these entities  Secure digital signatures (Sig) [22]. These consist ofis significant because encounter a dishonest server and/or the key generation (Sig.KeyGen), signinguser is a reasonable threat. Nymble be necessary to a (Sig.Sign), and verificationstandstill achieve it goals beneath such circumstances. With  (Sig.Verify) algorithms. Denote the domain ofregard to the PM and NM, Nymble makes a number of best signatures.guess on who trusts whom to be how for what agreement. Wesummarize this belief assumption as prevailing conditions in V. PERFORMANCE EVALUATIONFigure 3. Should a trust best guess become unacceptable, We implemented Nymble and serene diverse pragmaticNymble will not be able to provide the matching guarantee. concert figures, which substantiate the linear (in the digit of For instance, a dishonest PM or NM can go adjacent to ―entries‖ as described less) time and legroom overheads ofBlack-list capacity by issuing dissimilar pseudonyms or the different operation and data structures.recognition to blacklisted clients. To challenge the secrecy ofa user, a untruthful PM (resp. NM) can first duplicate the A. Implementation and experimental setupclient by cloning her pseudonym (resp. credential) and then We implemented Nymble as a C++ annals along withtry to validate to a server—a successful challenge reveals that Ruby and JavaScript bindings. One could, however, easilythe client has already made a relationship to the server during pile up bindings for any of the languages (such as Python,the point in time period. what is more, by studying the PHP, and Perl) supported by the beginners Wrapper andcriticism log, a snooping NM can realize that a user has allied crossing point Generator (SWIG) for pattern. We utilizemore than once if she has been complained about two or other Open SSL for all the cryptographic primitives. We usetimes. As previously described in Section 2.3, the user must SHA-256 for the cryptographic hash functions;trust that at least the NM or PM is frank to keep the user and HMAC-SHA-256 for the message authentication MA;server personality pair private AES-256 in CBC-mode for the symmetric encryption Enc; and 2048-bit RSASSA-PSA for the digital signatures Fig3. Who trusts whom to be how for what guarantee IV. PRELIMINARIES A. Notation Fig. 7. The marshaled size of various Nymble data structures. The X-axis The information a #R S represents an factor tired refers to the number of entries— complaints in the blacklist update request,uniformly at casual from non-empty set S. N0 is the set of tickets in the credential, tokens and seeds in the blacklist update response,non-negative integers, and N is the set N0{0}. s[i] is the i-th and nymbles in the blacklist.factor of list s. s||t is the concatenation of (the unequivocal All Rights Reserved © 2012 IJARCET 344
  5. 5. ISSN: 2278 – 1323 International Journal of Advanced Research in Computer Engineering & Technology Volume 1, Issue 5, July 2012 B. Experimental results [4] M. Bellare, A. Desai, E. Jokipii, and P. Rogaway. A Concrete ecurity Treatment of Symmetric Encryption. In FOCS, pages 394–403, 1997. Figure 7 shows the size of the diverse data structures. The [5] M. Bellare and P. Rogaway. Random Oracles Are Practical: AX-axis represents the number of entries in each data Paradigm for Designing Efficient Protocols. In Proceedings of thestructure—complaints in the blacklist revise appeal, tickets in 1st ACM conference on Computer and communications security, pages 62–73. ACM Press, 1993.the documentation (equal to L, the number of time periods in [6] M. Bellare, H. Shi, and C. Zhang. Foundations of Group Signatures:a linkability window), nymbles in the blacklist, tokens and The Case of Dynamic Groups. In CT-RSA, LNCS 3376, pagesseeds in the blacklist update response, and nymbles in the 136–153. Springer, 2005.blacklist. For example, a linkability window of 1 day with 5 [7] D. Boneh and H. Shacham. Group Signatures with Verifier-Localminute time periods equates to L = 288.11 The size of a Revocation. In ACM Conference on Computer and Communications Security, pages 168–177. ACM, 2004.credential in this case is about 59 KB. [8] S. Brands. Untraceable Off-line Cash in Wallets with Observers (Extended Abstract). In CRYPTO, LNCS 773, pages 302–318. Springer, 1993. [9] E. Bresson and J. Stern. Efficient Revocation in Group Signatures. In Public Key Cryptography, LNCS 1992, pages 190–206. Springer, 2001. [10] J. Camenisch and A. Lysyanskaya. An Efficient System for Nontransferable Anonymous Credentials with Optional Anonymity Revocation. In EUROCRYPT, LNCS 2045, pages 93–118. Springer, 2001. [11] J. Camenisch and A. Lysyanskaya. Dynamic Accumulators and Application to Efficient Revocation of Anonymous Credentials. In CRYPTO, LNCS 2442, pages 61–76. Springer, 2002. [12] J. Camenisch and A. Lysyanskaya. Signature Schemes and Anonymous Credentials from Bilinear Maps. In CRYPTO, LNCS 3152, pages 56–72. Springer, 2004.(a) Blacklist updates take several milliseconds and credentials canbe generated in 9 ms for the suggested parameter of L=288. [13] D. Chaum. Blind Signatures for Untraceable Payments. In CRYPTO, pages 199–203, 1982. [14] D. Chaum. Showing Credentials without Identification Transfeering Signatures between Unconditionally Unlinkable Pseudonyms. In AUSCRYPT, LNCS 453, pages 246–264. Springer, 1990. [15] D. Chaum and E. van Heyst. Group Signatures. In EUROCRYPT, pages 257–265, 1991. [16] C. Cornelius, A. Kapadia, P. P. Tsang, and S. W. Smith. Nymble: Blocking Misbehaving Users in Anonymizing Networks. Technical Report TR2008-637, Dartmouth College, Computer Science, Hanover, NH, December 2008. [17] I. Damg°ard. Payment Systems and Credential Mechanisms with Provable Security Against Abuse by Individuals. In CRYPTO, LNCS 403, pages 328–335. Springer, 1988. [18] R. Dingledine, N. Mathewson, and P. Syverson. Tor: The(b) The bottleneck operation of server ticket examination is less than Second-Generation Onion Router. In Usenix Security Symposium,1 ms and validating the blacklist takes the user only a few ms. pages 303–320, Aug. 2004. [19] J. R. Douceur. The Sybil Attack. In IPTPS, LNCS 2429, pages CONCLUSIONS 251–260. Springer, 2002. [20] S. Even, O. Goldreich, and S. Micali. On-Line/Off-Line Digital We have anticipated and built a ample system, which can Schemes. In CRYPTO, LNCS 435, pages 263–275. Springer, used to add a layer of liability to any openly known [21] J. Feigenbaum, A. Johnson, and P. F. Syverson. A Model of Onionanonymizing network. Servers can blacklist mischievous Routing with Provable Anonymity. In Financial Cryptography,users though maintaining their seclusion, and we show how LNCS 4886, pages 57–71. Springer, 2007.these properties can be attained in a way that is practical, [22] S. Goldwasser, S. Micali, and R. L. Rivest. A Digital Signature Scheme Secure Against Adaptive Chosen-Message Attacks. SIAM J.efficient, and perceptive to requirements of both users and Comput., 17(2):281–308, We hope that our effort will amplify the [23] J. E. Holt and K. E. Seamons. Nym: Practical Pseudonymity forconventional acceptance of anonymizing networks such as Anonymous Networks. Internet Security Research Lab TechnicalTor, which has thus far been entirely restricted by several Report 2006-4, Brigham Young University, June because of users who cruelty their anonymity. [24] P. C. Johnson, A. Kapadia, P. P. Tsang, and S. W. Smith. Nymble: Anonymous IP-Address Blocking. In Privacy Enhancing Technologies, LNCS 4776, pages 113–133. Springer, 2007. REFERENCES [25] A. Juels and J. G. Brainard. Client Puzzles: A Cryptographic Countermeasure Against Connection Depletion Attacks. In NDSS.[1] G. Ateniese, J. Camenisch, M. Joye, and G. Tsudik. A Practical and The Internet Society, 1999. Provably Secure Coalition-Resistant Group Signature Scheme. In [26] A. Kiayias, Y. Tsiounis, and M. Yung. Traceable Signatures. In CRYPTO, LNCS 1880, pages 255–270. Springer, 2000. EUROCRYPT, LNCS 3027, pages 571–589. Springer, 2004.[2] G. Ateniese, D. X. Song, and G. Tsudik. Quasi-Efficient Revocation in Group Signatures. In Financial Cryptography, LNCS 2357, pages 183–197. Springer, 2002.[3] M. Bellare, R. Canetti, and H. Krawczyk. Keying Hash Functions for Message Authentication. In CRYPTO, LNCS 1109, pages 1–15. Springer, 1996. 345 All Rights Reserved © 2012 IJARCET