### Table 1: E ciency comparison of all treated IBS schemes. Column 1 is the name of the scheme. Column 2 gives the size of a signature under each scheme. Columns 3 and 4 give (the dominating term in) the computation cost associated to creating and verifying a signature, respectively. The last column gives the assumption under which the scheme is secure. In the table, we use the abbreviations \sig. quot; for signature, \el. quot; for element, \sq. quot; for squaring, \exp. quot; for exponentiation, and \mult. quot; for multiplication. Also, N is an RSA modulus, e is an RSA encryption exponent, G1 and G2 are prime-order groups such that a pairing ^ e : G1 G1 ! G2 exists, and

in This is the full version. Security Proofs for Identity-Based Identification and Signature Schemes

2004

"... In PAGE 47: ...2 yields Equation (7), thereby concluding the proof. 7 E ciency Comparison We compare the signature sizes and the e ciency in signing and veri cation of all the schemes studied in this paper in Table1 . Let us explain some of the notation used in the table.... ..."

### Table 4 shows our measurements for signature generation with plain RSA, DSA and Schnorr schemes which are form basis of TS- RSA, TS-DSA, and ASM, respectively. Table 5 shows the cost of signature generation in terms of key size, where t=3. In TS-RSA, the cost in generating a partial signature is almost the same as that of RSA signature generation, but we need extra cost to compute a0

"... In PAGE 6: ... As evident from the table, ASM is the best performer. Table4 : Signature Generation Costs of Basic Schemes in msecs (P3-977MHz) Key RSA DSA Schnorr 512 1.390 1.... In PAGE 8: ... In TS-RSA, verification of the threshold signature is ex- tremely high, due to the a0 -bounded offsetting algorithm mentioned earlier. The costs of signature generation and verification in DSA and Schnorr (on which TS-DSA and ASM are based) as listed in Table4 and Table 6 are comparable, however, ASM becomes more efficient than TS-DSA because of fewer rounds. For the dynamic threshold case, TS-RSA is slightly ahead of TS-DSA because, in the latter, a considerable amount of time is spent on updating the polynomials as a consequence of the changing threshold.... ..."

### Table 4 shows our measurements for signature generation with plain RSA, DSA and Schnorr schemes which are form basis of TS- RSA, TS-DSA, and ASM, respectively. Table 5 shows the cost of signature generation in terms of key size, where t=3. In TS-RSA, the cost in generating a partial signature is almost the same as that of RSA signature generation, but we need extra cost to compute a0

"... In PAGE 6: ... As evident from the table, ASM is the best performer. Table4 : Signature Generation Costs of Basic Schemes in msecs (P3-977MHz) Key RSA DSA Schnorr 512 1.390 1.... In PAGE 8: ... In TS-RSA, verification of the threshold signature is ex- tremely high, due to the a0 -bounded offsetting algorithm mentioned earlier. The costs of signature generation and verification in DSA and Schnorr (on which TS-DSA and ASM are based) as listed in Table4 and Table 6 are comparable, however, ASM becomes more efficient than TS-DSA because of fewer rounds. For the dynamic threshold case, TS-RSA is slightly ahead of TS-DSA because, in the latter, a considerable amount of time is spent on updating the polynomials as a consequence of the changing threshold.... ..."

### Table 1: Comparison of an RSA-based self-certi cation scheme and the rekeyed iterated-root scheme.

2001

"... In PAGE 14: ... We do not take into account, however, the size of session index as it equally a ects both schemes. Table1 describes in detail how these two rekeyed scheme compare to one another in terms of signing time, veri cation time, signature size, session key size, primary secret key size, and public key size. Typical values used in practice for parameters k and h are 1024 and 128, respectively.... ..."

Cited by 3

### Table 1. Length of RSA signatures with 1024-bit modulus.

"... In PAGE 2: ... Schemes in [BR97,NY89] have the same asymptotics but a bigger constant factor. In Table1 we give a concrete example of the signature length on messages... ..."

Cited by 1

### Table 1. Length of RSA signatures with 1024-bit modulus.

"... In PAGE 2: ... Schemes in [BR97,NY89] have the same asymptotics but a bigger constant factor. In Table1 we give a concrete example of the signature length on messages... ..."

Cited by 1

### Table 1: Proofs of security for signature schemes Signature Proof model assumption tight/loose

2004

"... In PAGE 3: ... Our proof of security of the mNR signature provides support for the claims in [1], where this signature was introduced, but the provided analysis included incorrect arguments. Table1 includes signature schemes that have been proven secure in various settings, to facilitate a comparison with the mNR: Table 1: Proofs of security for signature schemes Signature Proof model assumption tight/loose... ..."

Cited by 4

### Table 1: Proofs of security for signature schemes Signature Proof model assumption tight/loose

"... In PAGE 3: ... Our proof of security of the mNR signature provides support for the claims in [1], where this signature was introduced, but the provided analysis included incorrect arguments. Table1 includes signature schemes that have been proven secure in various settings, to facilitate a comparison with the mNR: Table 1: Proofs of security for signature schemes Signature Proof model assumption tight/loose... ..."

### Table 2. Comparison of ECDSA to other signature algorithms. For EC, the eld size is approximately 191 bits. The modulus for RSA and DSA is 1024 bits long; the RSA public exponent is 3. All times in ms, unless otherwise indicated. times in ms GF(p) GF(2n) RSA DSA

1997

"... In PAGE 8: ... With the algorithms for point multiplication, we can start building various public key schemes. Table2 compares the e ciency of signature schemes based on elliptic curves to other signature schemes. 6 Standardization It took a number of years before manufacturers of cryptographic products got con dence in elliptic curve systems, but we seem to have reached that point now.... ..."

Cited by 7

### Table 4: Average rekey message size and server processing time (n=8192, DES, MD5, RSA)

1997

Cited by 1