### Table 1. Comparison of Efficiency and Security Goals of TDH1 and some other Static Provably Secure GKE Protocols

"... In PAGE 12: ...Table1 we compare TDH1 protocol with several well-known provably secure GKE protocols in terms of their performance and security goals. Our comparison is done based on the security arguments Table 1.... ..."

### Table 1: Complexity comparison among group key agreement schemes that achieve both provable security and forward secrecy Communication Computation

"... In PAGE 3: ... As the experiment results of [2] also indicate, it is widely accepted that the number of communication rounds and the number of exchanged messages are two most important factors for efficient key agreement over a high-delay network. Table1 compares the efficiency of our scheme given in Section 5 with other provably-secure 1For example, the computation of a modular exponentiation xy mod z with |x| = |y| = |z| = 1024 takes about 9 ms using the big number library in OpenSSL on a Athlon XP 2100+ PC, whereas a 100-300 ms round-trip delay in wide area networks is common.... ..."

### Table 2: Approriate minimum round number based on provable security

2000

### Table 1. Comparison of PAKEs proven to be secure in the standard model

2002

"... In PAGE 2: ... In this paper, we propose a more efficient protocol that is also provably secure in the standard model. Comparative results with the previous schemes [7, 9] are summarized in Table1 . As shown in the table, our protocol is efficient in both the communication costs and the computation costs.... ..."

Cited by 9

### Table 1: Analysis of Provably Secure Group Key Exchange Protocols Protocol Model(s) Assumption(s) Corr. S/D

2006

Cited by 1

### Table 5 gives an overview of the results derived in this section. The result on the average DP (Ntot) of a characteristic through a long-key cipher is the same as the result obtained in Markov cipher theory. Markov cipher theory also works with the average DP (Ntot) of differentials over a long-key cipher, and the theory of provable security against differential attacks bounds this quantity. The 6 remaining cardinalities are not considered in Markov cipher theory, nor in the theory of provable security (except by invoking the hypothesis of stochastic equivalence). In most practical ciphers, the cardinality of characteristics and differentials depends on the value of the key. In this section, we modeled the choice of a particular value for the key as

2005

"... In PAGE 24: ...Table5 : Overview of results on the cardinalities of characteristics and differentials. long-key cipher key-alternating cipher N[k](Q) Theorem 13 Theorem 13 N[k](a, b) Theorem 14 Theorem 14 Ntot(Q) Markov = Theorem 12 Theorem 15 Ntot(a, b) Markov, provable security Theorem 16 a sampling process in a population formed by the ciphers with keys consisting of independent round keys.... ..."

### Table 3. Recent results on signcryption, IBSC, and HIBSC. All notations are defined in table 1 and 2. ROM means if the reductionist security proof is in the random oracle model. [24] showed that only standard signcryption scheme of [1] and [24] achieves the strong insider security model. All existing IBSC and HIBSC schemes are provably secure in the random oracles only.

2005

Cited by 4

### Table 3. Recent results on signcryption, IBSC, and HIBSC. All notations are defined in table 1 and 2. ROM means if the reductionist security proof is in the random oracle model. [19] showed that only standard signcryption scheme of [1] and [19] achieves the strong insider security model. All existing IBSC and HIBSC schemes are provably secure in the random oracles only.

### Table 1: Attestation agreement.

2006

"... In PAGE 6: ... Attestation Agreement. An attestation channel requires the parties to agree on an attestation agreement, specified in Table1 . The agreement, which is received from upper layer (in particular, we would generate such agreement from upper layer agreement, see lines 15-20 of Figure 4) specifies identities (by address and public key), for the sender, recipient and TTP.... ..."

### Table 1: Anonymity properties provided by Crowds Attacker Sender anonymity Receiver anonymity

1999

"... In PAGE 3: ... A weaker guarantee is probable innocence: a sender is probably innocent if, from the attacker apos;s point of view, each sender appears no more likely to be the originator than to not be the originator.The anonymity properties achieved by Crowds are summarized in Table1 and brie y justi ed in the rest of this section. First, since the jondo originating the request always forwards the request to a randomly chosen member of the crowd, the end server receives each request from any member... In PAGE 4: ... The predecessor of the rst collaborator on the path obviously appears to be the most likely originator, since the collaborators know that it is on the path. However, in [RR98], we show that if the crowd has n members when the path is formed, then the probability that the collaborators are immediately preceded on the path by the request originator is at most 1 2 provided that the relationship between c, n, and pf is as shown in Table1 . For example, if the probability of forwarding is pf = 34 and the number of crowd members is at least 3(c + 1), then the seemingly most likely originator, from the collaborators apos; viewpoint, is in fact not the originator at least half the time.... ..."

Cited by 8