### Table 1. Comparison of Efficiency and Security Goals of TDH1 and some other Static Provably Secure GKE Protocols

"... In PAGE 12: ...Table1 we compare TDH1 protocol with several well-known provably secure GKE protocols in terms of their performance and security goals. Our comparison is done based on the security arguments Table 1.... ..."

### Table 1: Analysis of Provably Secure Group Key Exchange Protocols Protocol Model(s) Assumption(s) Corr. S/D

2006

Cited by 1

### Table 5 gives an overview of the results derived in this section. The result on the average DP (Ntot) of a characteristic through a long-key cipher is the same as the result obtained in Markov cipher theory. Markov cipher theory also works with the average DP (Ntot) of differentials over a long-key cipher, and the theory of provable security against differential attacks bounds this quantity. The 6 remaining cardinalities are not considered in Markov cipher theory, nor in the theory of provable security (except by invoking the hypothesis of stochastic equivalence). In most practical ciphers, the cardinality of characteristics and differentials depends on the value of the key. In this section, we modeled the choice of a particular value for the key as

2005

"... In PAGE 24: ...Table5 : Overview of results on the cardinalities of characteristics and differentials. long-key cipher key-alternating cipher N[k](Q) Theorem 13 Theorem 13 N[k](a, b) Theorem 14 Theorem 14 Ntot(Q) Markov = Theorem 12 Theorem 15 Ntot(a, b) Markov, provable security Theorem 16 a sampling process in a population formed by the ciphers with keys consisting of independent round keys.... ..."

### Table 2: Approriate minimum round number based on provable security

2000

### Table 2: Implementation-level compositions.

"... In PAGE 15: ...1 Results We applied 0-CFA and And in order to determine which flelds accounted for composition relationships. Column (2) in Table2 shows how many of the flelds from column (5) in Table 1 are identifled as one-to-one compositions, and column (3) shows how many are identifled as owned collec- tions (i.... ..."

### Table 1: Java components and implementation-level compositions.

"... In PAGE 13: ...tandard library packages java.text and java.util.zip, also used in [34]. The components are described brie y in the flrst two columns of Table1 . Each component contains the set of classes in Cls (i.... In PAGE 13: ...1 Results We applied Andersen-style points-to analysis, object graph construction based on the Andersen-style points-to analy- sis and composition inference as described earlier in order to determine which flelds accounted for composition rela- tionships. Column (5) in Table1 shows how many of the flelds from column (4) are identifled as one-to-one compo- sitions and column (3) shows how many are identifled as owned collections (i.... ..."

### Table 1. Java components and implementation-level compositions.

"... In PAGE 10: ...briefly in the first two columns of Table1 . Each compo- nent contains the set of classes in Cls (these are the classes that provide certain functionality plus all other classes that are directly or transitively referenced by them); the num- ber of classes in each component is shown in column (3).... ..."

### Table 1: Complexity comparison among group key agreement schemes that achieve both provable security and forward secrecy Communication Computation

"... In PAGE 3: ... As the experiment results of [2] also indicate, it is widely accepted that the number of communication rounds and the number of exchanged messages are two most important factors for efficient key agreement over a high-delay network. Table1 compares the efficiency of our scheme given in Section 5 with other provably-secure 1For example, the computation of a modular exponentiation xy mod z with |x| = |y| = |z| = 1024 takes about 9 ms using the big number library in OpenSSL on a Athlon XP 2100+ PC, whereas a 100-300 ms round-trip delay in wide area networks is common.... ..."