### TABLE I CHARACTERISTICS OF THE DIGITAL SIGNATURE SCHEMES.

### Table 1: Shortened and Efficient Digital Signature Schemes

1998

"... In PAGE 7: ...x mod p from $r$, $s$, $g$, $p$ and $y_a$ and then check whether $hash(k, m)$ is identical to $r$. Table 1 shows two shortened versions of DSS, which are denoted by SDSS1 and SDSS2 respectively. Here are a few remarks on the table: 1.... In PAGE 36: ...3.2.2 Comparison with Beller-Yacobi Protocol The next protocol we examine is an efficient proposal by Beller and Yacobi [6]. Their protocol is briefly summarized in Table 10, using notations consistent with those for signcryption schemes. As is the case for our proposals based on signcryption, here it is assumed too that public key certificates have already been transferred prior to an execution of the protocol.... In PAGE 37: ...Bob $K \in_R \{0,1\}^{\ell_k}$, $c_1 = K^3 \bmod n_B$ $\Rightarrow c_1 \Rightarrow$ Extract $K$ from $c_1$ by using the decryption key associated with the RSA composite $n_B$. Decrypt $c_2$ and verify the format of the message $\Leftarrow c_2 \Leftarrow$ Choose a random $m$, $c_2 = E_K(m, 0^t)$. Compute ElGamal signature $(v, w)$ on $(m, etc)$, $c_3 = E_K(v, w, etc)$ $\Rightarrow c_3 \Rightarrow$ Decrypt $c_3$ and verify $(v, w)$. Table 10: Beller-Yacobi Authenticated Key Transport Protocol. Protocols, Comp. Cost, # of exp.... In PAGE 37: ... + Only when Alice knows whom to communicate with. Table 11: Comparison with Beller-Yacobi Protocol... In PAGE 46: ... These signcryption schemes are called ECSCS1 and ECSCS2 respectively. Similarly to elliptic curve signature schemes described in Table 12, points on an elliptic curve, namely $vP_a$, $uP_a + urG$ and $uG + urP_a$, are regarded as binary strings when involved in hashing. The bind info part in the computation of $r$ contains, among other data items, identification information of Bob the recipient such as his public key or public key certificate.... In PAGE 47: ... $P_a$: Alice's public key ($P_a = v_a G$, a point on $C$). Table 12: Elliptic Curve DSS and Its Shortened and Efficient Variants. Parameters public to all: $C$: an elliptic curve over $GF(p^m)$, either with $p \geq 2^{150}$ and $m = 1$ or $p = 2$ and $m \geq 150$ (public to all). $q$: a large prime whose size is approximately of $|p^m|$ (public to all).... In PAGE 47: ... $P_b$: Bob's public key ($P_b = v_b G$, a point on $C$). Table 13: Parameters for Elliptic Curve Signcryption... In PAGE 48: ... $\Rightarrow c, r, s \Rightarrow$ $u = s v_b \bmod q$; $(k_1, k_2) = hash(uP_a + urG)$ if SECDSS1 is used, or $(k_1, k_2) = hash(uG + urP_a)$ if SECDSS2 is used. $m = D_{k_1}(c)$. Accept $m$ only if $KH_{k_2}(m, \text{bind info}) = r$. Table 14: Implementations of Signcryption on Elliptic Curves. We note that the "square-and-multiply" method for fast exponentiation can be adapted to a "doubling-and-addition" method for the fast computation of a multiple of a point on an elliptic curve. Namely a multiple can be obtained in about $1.5|q|$ point additions.... ..."

### Table 13: Claimed Performance of Digital Signature Schemes Scheme KeySetup Signature Verification Architecture

2003

### Table 2.12: The Digital Signature Standard is based on the ElGamal and on the Schnorr signature schemes. The most current revision is FIPS-186-2.

in Advisors

2004

### Table 1. Comparison of signature schemes

2004

"... In PAGE 13: ... Signature schemes comparison Examining the specific characteristics of various signature schemes, we can identify a comparative advantage of the proposed cumulative notarization scheme in terms of security and usability. The comparison of various schemes presented in Table 1 demonstrates that the proposed scheme keeps the strong security characteristics of digital signatures, while it addresses the issues of trust and technology refreshing as a whole, resulting in a long lifespan. ... ..."

Cited by 6

### Table 15: Time needed in seconds on the Pentium III for a 20 bytes message. Scheme Key generation Signature Verification

"... In PAGE 103: ... RSA-PSS, ACE, ECDSA, FLASH, SFLASH and QUARTZ use only one SHA-1 of the whole message, ESIGN uses four SHA-1 (note that P1363 discussions may change ESIGN to reduce this cost to three or one SHA-1). Table 15 shows the main results. Figures 7, 8 and 9 show the influence of message length and architecture.... In PAGE 106: ... 6.5 Asymmetric Digital Signature Schemes Table 15 shows the main results. Figures 7, 8 and 9 show the influence of message length and architecture.... ..."

### Table 9: DES encryption and decryption times (ms).

"... In PAGE 20: ...) Table 8 shows the computation times of two message digest functions, MD5 [28] and SHS [24]. Table 9 shows the encryption and decryption times of DES symmetric cryptosystem [23]. Table 10 shows the signing and verification times of RSA [29] and DSA [25] digital signature schemes.... ..."

### Table 13: Flow signing and verification rates (packets/sec) for 1024-byte packets, degree two tree chaining, and block size sixteen.

"... In PAGE 15: ... Furthermore, in choosing a digital signature scheme, we must also consider machine capabilities (sender and receiver), as well as the percentage of processor time available for signing and verification. Table 13 shows the flow signing and verification rates using 512-bit RSA and 512-bit DSA for 1024-byte packets, degree two tree chaining, and block size sixteen. A Pentium II 300 MHz machine was used.... ..."