"... In PAGE 8: ...has twice memory than Palm M130, the throughput of cryptographic algorithms in these devices is very close (see Table2 and Table 3). We can also observe that the growth order of the algorithm throughput in these devices is equal, differing from the growth order presented in the SonyEricsson P800 Table 1.... ..."

"... In PAGE 14: ... The spotted key word(s)/phrase(s) from a recognized word string is (are) assigned to corresponding keyword classes, resulting in a 9-dimensional vector of binary indicator variables denoting the presence or absence of each keyword class. Table3 lists all of the keyword classes and their keyword components. 4.... ..."

"... In PAGE 5: ... We give here an overview of these two kinds of results, after briefly describing how cryptographic protocols are modeled in formal methods. Results under the perfect cryptography assumption are summarized in Table1 , results for algebraic properties are summarized in Table 2. 2.... In PAGE 6: ...odels have been proposed e.g. by [9]. 2.2 Results under the Perfect Cryptography Assumption The analysis techniques discussed in this section and summarized in Table1 assume perfect cryptog- raphy.... ..."

"... In PAGE 9: ...2 Custom Instructions The extensions for pairing-based cryptography we propose in this paper include a total of five custom instructions to accelerate arithmetic operations in prime fields, binary fields, and ternary fields. Table1 gives an overview of the instruc-... In PAGE 10: ...ccumulator guarantees that up to 256 double-precision (i.e. 64-bit) products can be summed up without overflow or loss of precision, which is sufficient for cryp- tographic applications. Besides the custom instructions shown in Table1 , the MAC unit is also capable to execute the native SPARC multiply instructions like umul and smul [23]. Therefore, the proposed extensions for pairing-based cryptography can be easily integrated into the LEON-2 core by simply replacing... ..."

"... In PAGE 9: ...2 Custom Instructions The extensions for pairing-based cryptography we propose in this paper include a total of five custom instructions to accelerate arithmetic operations in prime fields, binary fields, and ternary fields. Table1 gives an overview of the instruc-... In PAGE 10: ...ccumulator guarantees that up to 256 double-precision (i.e. 64-bit) products can be summed up without overflow or loss of precision, which is sufficient for cryp- tographic applications. Besides the custom instructions shown in Table1 , the MAC unit is also capable to execute the native SPARC multiply instructions like umul and smul [23]. Therefore, the proposed extensions for pairing-based cryptography can be easily integrated into the LEON-2 core by simply replacing... ..."

"... In PAGE 15: ... not occurring in Psys. We write Q for the resulting process. We now have su cient control over the capabilities of the attacker that we can characterise the potential e ect of all attackers Q of type (Nf; A ; A+ Enc). We do so by de ning the formula FDY RM of type (Nf; A ; A+ Enc) for expressing the Dolev-Yao condition for LySa; it is de ned as the conjunction of the ve components in Table 3 (actually, three more components are added later on in Table10 to cope with public key encryption). The formula in Table 3 makes it clear that the attacker initially has some knowledge (5), that it may learn more by eavesdropping (1) or by decrypting messages with keys already known (2), that it may construct new encryptions using the keys known (3) and that it may actively forge new communications (4).... In PAGE 22: ... The only di er- ences occur in the rule for asymmetric decryption: the values V0, V 0 0 are actually a pair of public/private keys, required by the condition fV0; V 0 0g = fm+; m g, and the consequent check for 1 i j, that the values Vi are pointwise included in the values in #i. Finally, we extend the Dolev-Yao conditions for the asymmetric case, as shown by Table10 . Again, there are very little di erences with the symmetric case; note that we postulate a new pair of canonical names m+ ; m , and that the rule (5) in Table 3 already considers the symmetric keys and the special canonical name n .... In PAGE 39: ... Proof. Qhard is !(jk2A Qk 1 j jk2A+ Enc Qk 2 j jk2A+ Enc Qk 3 j jk2A Qk 4 j Q5 j jk2A+ Enc Qk 6 j jk2A+ Enc Qk 7 j Q8) where Qk i is obtained from the ith component of FDY RM in Table 3 for 1 i 5 and in Table10 for 6 i 8. We assume that there are variables z, z0, z1, having canonical representative z and that 1 2 A (as discussed in Section 5).... ..."

"... In PAGE 16: ... not occurring in Psys. We write Q for the resulting process. We now have su cient control over the capabilities of the attacker that we can characterise the potential e ect of all attackers Q of type (Nf; A ; A+ Enc). We do so by de ning the formula FDY RM of type (Nf; A ; A+ Enc) for expressing the Dolev-Yao condition for LySa; it is de ned as the conjunction of the ve components in Table 3 (actually, three more components are added later on in Table9 to cope with public key encryption).... In PAGE 26: ...shown by Table9 . Again, there are very little di erences with the symmetric case; note that we postulate a new pair of canonical names m+ ; m , and that the rule (5) in Table 3 already considers the symmetric keys and the special canonical name n .... In PAGE 42: ... Proof. Qhard is !(jk2A Qk 1 j jk2A+ Enc Qk 2 j jk2A+ Enc Qk 3 j jk2A Qk 4 j Q5 j jk2A+ Enc Qk 6 j jk2A+ Enc Qk 7 j Q8) where Qk i is obtained from the ith component of FDY RM in Table 3 for 1 i 5 and in Table9 for 6 i 8. We assume that there are variables z, z0, z1, having canonical representative z and that 1 2 A (as discussed in Section 5).... ..."