### Table 2: Comparable strengths Bits of security Symmetric key

2003

"... In PAGE 38: ... Additional Comments All NIST-recommended curves, key and modulus sizes must be tested to be used in a FIPS Approved mode of operation. For NIST-Recommended elliptic curves, the value of f is commonly considered to be the size of the private key ( Table2 , NIST SP 800-57). From this value the strength can be determined.... In PAGE 65: ...6.1, Comparable Algorithm Strength, contains Table2 , which provides comparable security strengths for the Approved algorithms. Table 2: Comparable strengths Bits of security Symmetric key ... In PAGE 65: ... A 256- bit AES key transport key could be used to wrap a 256-bit AES key. For key strengths not listed in Table2 above, the correspondence between the length of an RSA or a Diffie- Hellman key and the length of a symmetric key of an identical strength can be computed as: If the length of an RSA key L (this is the value of k in the fourth column of Table 2 above), then the length x of a symmetric key of approximately the same strength can be computed as: NIST CMVP Page 65 of 86 ... In PAGE 65: ... A 256- bit AES key transport key could be used to wrap a 256-bit AES key. For key strengths not listed in Table 2 above, the correspondence between the length of an RSA or a Diffie- Hellman key and the length of a symmetric key of an identical strength can be computed as: If the length of an RSA key L (this is the value of k in the fourth column of Table2 above), then the length x of a symmetric key of approximately the same strength can be computed as: NIST CMVP Page 65 of 86 ... ..."

### Table 1: Properties of different schemes

"... In PAGE 5: ...to perform O(n) exponentiations for each group change, and messages get prohibitively large. As summarized in Table1 , most existing protocols for secure multicasting are limited to distribute session keys in static and/or small groups. For dealing with the group key distribution in a large group with frequent membership changes, some good explorations have been done in [Mit97, STW97].... ..."

### Table 4: Recommended algorithms and minimum key sizes Algorithm security lifetimes Symmetric key

2005

"... In PAGE 13: ...able 3: Hash function security strengths for cryptographic applications ................................... 64 Table4 : Recommended algorithms and minimum key sizes .... In PAGE 65: ... However, the use of key sizes that are too small may not provide adequate security. Table4 provides recommendations that may be used to select an appropriate suite of algorithms and key sizes for Federal Government unclassified applications. A minimum of eighty bits of security shall be provided until 2010.... In PAGE 68: ... In addition, the recovered plaintext could be used to attempt a matched plaintext-ciphertext attack on the new algorithm. When using Table 2 and Table4 to select the appropriate key size for an algorithm, it is very important to take the expected security life of the data into consideration. As stated earlier, an algorithm (and key size) is used both to apply cryptographic protection to data and process the protected data.... In PAGE 69: ... 69 For example, suppose that 3TDEA is to be fielded in January of the year 2010 and the security life of the data may be up to four years. Table4 indicates that 3TDEA has an algorithm security lifetime that extends through 2030, but not beyond. However, since the data may have up to a four-year security life, the algorithm originator usage period would have to end in 2026 rather than 2030 (i.... ..."

Cited by 4

### Table 4: Comparison of various group key distribution schemes, extended version of a table in [51].

"... In PAGE 19: ... The re-key broadcast method used by Secure Lock [54], whereby all nodes receive the same constant size rekeying message which is appended to the encrypted data message. Table4 is an expanded version of a Table 1 in [51] which also now takes in SMGKD. The Table compares the features of three generic approaches: static (no-rekeying); centralized; ... ..."

### Table 5: Protection requirements for cryptographic keys Key Type Security

2005

"... In PAGE 13: ...able 4: Recommended algorithms and minimum key sizes ....................................................... 66 Table5 : Protection requirements for cryptographic keys.... In PAGE 73: ...1.1 Summary of Protection Requirements for Cryptographic Keys Table5 provides a summary of the protection requirements for keys during distribution and storage.... In PAGE 126: ... 126 If the decision is made to provide key recovery for a key, all information associated with that key shall also be recoverable (see Table5 in Section 6). B.... ..."

Cited by 4

### Table 3: Comparison of verifiably encrypted signature schemes. We let k be the output length of a collision resistant hash function. R.O. specifies whether the security proof uses random oracles. Scheme R.O. Key Model Size Verification Generation

2006

"... In PAGE 14: ... [10] (BGLS). We present the comparisons in Table3 . The size column gives signature length at the 1024-bit security level.... ..."

### Table 3: Comparison of verifiably encrypted signature schemes. We let k be the output length of a collision resistant hash function. R.O. specifies whether the security proof uses random oracles. Scheme R.O. Key Model Size Verification Generation

in Abstract

2006

"... In PAGE 14: ... [10] (BGLS). We present the comparisons in Table3 . The size column gives signature length at the 1024-bit security level.... ..."