### Table 1. The Cryptographic Key Failure Tolerance of some cryptographic schemes

in Cryptographic Key Reliable Lifetimes: Bounding the Risk of Key Exposure in the Presence of Faults

"... In PAGE 5: ... 3. In Table1 the failure tolerance of some cryptographic schemes is provided. For example, an AES-128 key can be exposed by 49+1 faulty ciphertexts while con- sidering the fault model assumed in the first Differential Fault Attack presented in [21].... ..."

### Table 1. The Cryptographic Failure Tolerance of some cryptographic schemes

"... In PAGE 4: ... 3. In Table1 the failure tolerance of some cryptographic schemes is provided. For example, an AES-128 key can be exposed by 49+1 faulty ciphertexts while con- sidering the fault model assumed in the first Differential Fault Attack presented in [10].... ..."

### Table 1. The Cryptographic Failure Tolerance of some cryptographic schemes

"... In PAGE 4: ... 3. In Table1 the failure tolerance of some cryptographic schemes is provided. For example, an AES-128 key can be exposed by 49+1 faulty ciphertexts while con- sidering the fault model assumed in the first Differential Fault Attack presented in [10].... ..."

### Table 1: Cryptographic operations used in Scheme 1.

2002

"... In PAGE 7: ... Additionally, the client must decrypt the data. Table1 summarizes the operations that must be done for each read and write request. Note that this scheme requires relatively expensive signature and verification... ..."

Cited by 41

### Table 2. Some properties of the different secure application-level multicast solutions Scheme Pnt2pnt Cryptographic operations Secure channels

2005

"... In PAGE 4: ... Key Agreement. In Table2 , for the key agreement column, a value of 2 (two) means that a new member needs to agree on two keys: one with parent and one with RP. For ESM with shared keys between neighbors, a secure channel with the RP is not needed.... ..."

Cited by 1

### Table 1 summarizes the cryptographic characteristics of the previously described schemes. According to the table, the \decrypt-then-validate quot;-type schemes are all susceptible to our extended attacks. This is certainly the case when a compo- nent ci in the ciphertext is especially dedicated to the validity test (e.g., as in [28, II and III] or [19]); in that case, it su ces to probe the decryption oracle with

2001

"... In PAGE 11: ...11 Pointcheval [20] encryption: (c1; c2; c3) = (gH(mks); XH(mks) k; (mks) G(k)) decryption: 1) mks = G(atomic action[c1 x] c2) c3 2) if c1 = gH(mks) then output m else output reject attack: 1) set (c0 1; c0 2; c0 3) = (c1; c2; c3 r) for a random r 2) recover m from (m0k ) r = mk Baek, Lee, and Kim [1] encryption: (c1; c2) = (gH(mks); (mks) G(XH(mks))) decryption: 1) mks = G(atomic action[c1x]) c2 2) if c1 = gH(mks) then output m else output reject attack: 1) set (c0 1; c0 2) = (c1; c2 r) for a random r 2) recover m from (m0k ) r = mk Schnorr and Jakobsson [23] encryption: (c1; c2; c3; c4) = (gy; G(Xy) + m; H(gs; c1; c2); s + c3 y) decryption: 1) if c3 6 = H(gc4 c1 c3; c1; c2) then output reject 2) output m = c2 G(atomic action[c1x]) Okamoto and Pointcheval [19] encryption: (c1; c2; c3; c4) = (gy; Xy R; Esym G(R)(m); H(R; m; c1; c2; c3)) decryption: 1) R = atomic action[c1x] c2 2) m = Dsym G(R)(c3) 3) if c4 = H(R; m; c1; c2; c3) then output m else output reject attack: 1) set (c0 1; c0 2; c0 3; c0 4) = (c1; c2; c3; c0 4) with c0 4 6 = c4 2) recover m = m0 Table1 . Analysis of several ElGamal variants.... ..."

Cited by 1

### Table 1 Illustrates the numbers of cryptographic operations by SET, iKP, and our work respectively

"... In PAGE 8: ... Every party is capable to deliver non-repudiable evidence to the other party in case of illegal attempts. Table1 demonstrates our scheme security enhancements over SET [14] and iKP [26] based on number of cryptographic operations: Table 1 Illustrates the numbers of cryptographic operations by SET, iKP, and our work respectively ... ..."

### Table 2. Subgroup Membership Problems

2001

"... In PAGE 7: ... For other plausible applications of the subgroup membership problem, the reader is also referred to [12] in which the DDH assumption is applied to the cryptographic schemes which only known method to construct is to base on the QR assumption. We summarize the examples above in Table2 , however, the table is not exhaustive at all. Table 2.... ..."

Cited by 6

### Table 1. Comparison between GSI and DKIG in terms of cryptographic operations in performing single sign-on and delegation services.

2005

"... In PAGE 8: ... 5 Performance Trade-ofi We now summarise the computation complexity of single sign-on and delegation protocols for GSI when using the regular RSA-based PKI approach and DKIG using a conversion of a signature scheme in [3]. It is noticeable from Table1 that both single sign-on and delegation services require the generation of a new RSA public/private key pair. This is compu- tationally costly, particularly so if longer keys are used [13].... ..."

Cited by 2

### Table 2: Threats and corresponding cryptographic preventive countermeasures. Threats Attack Types Preventive

"... In PAGE 12: ... 2. Table2 presents the mapping of threats and corre- sponding countermeasures. Threat actions that are marked with p are solvable via well known solutions and are outsider attacks.... In PAGE 13: ...he traditional authentication schemes, e.g., the keyed hash function (HMAC) [14]. Counter- measures marked by FF are barely addressed in the current literature, while countermeasures marked by FFF have not been addressed so far. Guarding Against Attacks on Communication Links As shown in Table2 , attacks from (a) to (d.1) are injected on the communication link.... ..."