### Table 6: Hash functions Submitted to NESSIE, Along with Hash Functions Whose Per- formance was Measured by NESSIE

2003

"... In PAGE 21: ... Table6 lists the hash functions, the security levels and hash sizes. The top part lists the ciphers studied by NESSIE, and the bottom part other ciphers to which we measured performance.... ..."

### Table 1. Hash Functions Used for Integrity

"... In PAGE 4: ... This can be accomplished by using a variety of hash functions [5]. Nine commonly used hash functions and their performance (evaluated on a 90 MHz Pentium machine) are shown in Table1 . Based on their performance, each hash function is assigned a corresponding security level in the range from 0.... ..."

### Table 5 gives an overview of the results derived in this section. The result on the average DP (Ntot) of a characteristic through a long-key cipher is the same as the result obtained in Markov cipher theory. Markov cipher theory also works with the average DP (Ntot) of differentials over a long-key cipher, and the theory of provable security against differential attacks bounds this quantity. The 6 remaining cardinalities are not considered in Markov cipher theory, nor in the theory of provable security (except by invoking the hypothesis of stochastic equivalence). In most practical ciphers, the cardinality of characteristics and differentials depends on the value of the key. In this section, we modeled the choice of a particular value for the key as

2005

"... In PAGE 24: ...Table5 : Overview of results on the cardinalities of characteristics and differentials. long-key cipher key-alternating cipher N[k](Q) Theorem 13 Theorem 13 N[k](a, b) Theorem 14 Theorem 14 Ntot(Q) Markov = Theorem 12 Theorem 15 Ntot(a, b) Markov, provable security Theorem 16 a sampling process in a population formed by the ciphers with keys consisting of independent round keys.... ..."

### Table 1 Four Example Ciphers Parameters Example 1 Example 2 Example 3 Example 4

"... In PAGE 14: ... The remaining part of this section proposes four example ciphers which we hope are secure enough for practical applications. Main parameters of the ciphers are collected in Table1 . For completeness, the de nitions of the parameters are summarized below the table.... ..."

### Table 1. Comparison of the Multiset Hash Functions

2003

"... In PAGE 11: ...Conclusion We have introduced incremental multiset hash functions which can be efficiently updated, and for which the ordering of inputs is not important. Table1 sum- marizes our comparison of the multiset hash functions introduced in this paper. In the table, we indicate whether the security is based on pseudorandom family of hash functions (PRF), the random oracle model (RO), the discrete log as- sumption (DL), or/and the hardness of the worst case shortest vector problem (SV).... ..."

Cited by 18

### Table 1: Cipher suite

"... In PAGE 1: ... 2. Cipher suite The symmetric-key ciphers we consider in this study are shown in Table1 . AES is the NIST standard for block encryption and it is included in many widely- used security protocols such as IPSec, TLS, and SSH [1].... ..."

### Table 1: Common block ciphers. name key length block length security level

in Key Length

"... In PAGE 2: ...lock ciphers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 Table1 .... In PAGE 11: ... Block ciphers. Table1 lists some common block ciphers along with their key length choices, block lengths, and the most up-to-date information about their security levels under generic attacks. The list is for illustrative purposes only and... In PAGE 12: ... [64]) and is therefore not considered in Table 1. Triple encryption, however, has signi cant e ect on the security level, as shown for the DES in Table1 . It turned out to be a convenient way to boost security by repeated application of an available cipher when replacement by a stronger one is not an option.... In PAGE 12: ... The two key variant uses the same key for the rst and last iteration, but a di erent for the middle decryption iteration, whereas the three key variant uses three independent keys for the three iterations. For triple DES the security levels in Table1 are based on the analysis in [64]. For two key triple DES the security level of 112 assumes that the known plaintext consists of at most 212 blocks; for instance, with 230 known plaintext blocks the security level would be only about 100 (cf.... In PAGE 12: ... But this is combined with the expectation (based on the sudden replacement of SHA by SHA-1, see Section 4) that if anytime soon something serious a ecting the AES would be found, a modi cation would be introduced. Table1 shows that, other than for legacy reasons and if the security level is the only criterion, there is in principle no reason to settle for a cipher that o ers a security level lower than its key length. Performance considerations.... In PAGE 12: ... Performance considerations. As indicated in Section 2 a proper interpre- tation and comparison of the security levels in Table1 in principle requires knowledge of the relative speeds of the various block ciphers. It is also men-... In PAGE 13: ... Symmetric key lengths that o er adequate protection. With the ex- ception of the DES, all ciphers listed in Table1 o er adequate protection with respect to generic attacks at least until the year 2030: even the weakest among them, two key triple DES, may be expected to o er adequate security until 2066 since, according to equation (1) in Section 2, y(112) = 1982 + 3(112 56) 2 = 2066. Correction for the performance degradation compared to the DES (by log2 1=3 resulting in y(112) = 2067:5, since s would be 1=3) is meaningless, since the pre- cision suggested by the original calculation is overzealous already: the model is nowhere near precise enough to draw conclusions up to a speci c year, let alone half a year, and certainly not if it is more than 50 years in the future.... In PAGE 13: ...acks and assuming current cryptanalytic trends persist (i.e., that cryptanalysis remains relatively ine ective), the ciphers of security level 128 can be ex- pected to o er adequate protection for any conceivable commercial application, including long term data storage, and as long as anyone can reasonably predict. Thus, most ciphers from Table1 with the exception of the DES can safely be recommended, as long as the amount of data that will be encrypted with a single key is limited. If the latter cannot be guaranteed, the AES should be used.... ..."

Cited by 1

### Table 6.1: Two Practical One-Way Hash Functions Hashing Hashing

### Table 1.1: The security margin of cryptosystems as a function of their keying material

### Table 1 Execution times for public key cryptosystem verifi- cations and hash calculations

"... In PAGE 8: ... The cryptographic library of the SECUDE toolkit [9] is used. Table1 gives these measurements. The behavior of the speed-up factor, f .... In PAGE 8: ... 3 and 4, the effect of the MD5 hash algorithm over the speed-up factor is better than the effect of the SHA-1 hash algorithm for the same cryptosystems. The throughput of the MD5 algorithm is greater than the one of the SHA-1 algorithm and the setup times are almost the same in both cases, as can be seen from Table1 . The effect of the MD5 algorithm over the speed-up factor is... In PAGE 15: ... (22). The tSHA-1, tRSA512 and the SHA-1 values of Table1 are used. As can be seen from Fig.... ..."