### Table 3. Eavesdropping Settings and Information for a Cryptanalytical Attack.

"... In PAGE 9: ... Another important factor for cryptanalysis is the amount of information that is available as a result of eavesdropping during a BAC protocol instantiation. Here, we distinguish five settings (see Table3 ). For all settings we assume that the issuing state of the passports is known, e.... In PAGE 12: ...Table 2 with an eavesdropping setting from Table3 . Each scenario refers to a concrete time of the attack as the number of e-passports further increases.... ..."

### Table 2. The complexity of conventional and various new linear cryptanalytic attacks on LOKI91.

"... In PAGE 9: ...+ a prediction derived from results presented in the Appendix of our attacks, we have used experimental evidence to predict the success rate of others.The results of our work have been summarized in Table2 . The number of key bits recovered refers to this single phase of the attack alone and further gains by reversing the role of plaintext and ciphertext have not been considered.... ..."

### Table 5. Number of pairs (X;MX) with a given input propagation weight (left) and output propagation weight (top). [4] E. Biham, New Types of Cryptanalytic Attacks Using Related Keys, Abstracts Eurocrypt apos;93. [5] M. Matsui, Linear Cryptanalysis Method for DES Cipher, Abstracts Eurocrypt apos;93.

1994

"... In PAGE 9: ... By a good choice of 1 the linear mapping M inherits these good properties with respect to propa- gation chains. Table5... In PAGE 10: ... It can be seen that in a propagation chain every vector with a propagation weight w not larger than 4 must be followed by a vector with weight not smaller than 8 ? w. Hence, it can be deduced from Table5 that there are no propagation chains of even length with weight smaller than 4 per round. 7 Conclusions 3-Way is a block cipher that is the product of a new design approach.... ..."

Cited by 4

### Table 2. Cryptanalytic results on SAFER K/SK.

"... In PAGE 17: ... When studying the average complexity of our attack, we further assume that these subkeys are randomly picked with uniform distribution. Previous Cryptanalysis (see Table2 ). Known attacks against SAFER are summarized in Table 2.... In PAGE 17: ... Previous Cryptanalysis (see Table 2). Known attacks against SAFER are summarized in Table2 . The resistance of SAFER against differential cryptanaly- sis [5] was extensively studied by Massey in [32], where it is argued that 5 rounds are sufficient to resist to this attack.... ..."

### Table 2. Cryptanalytic results on SAFER K/SK.

"... In PAGE 17: ... When studying the average complexity of our attack, we further assume that these subkeys are randomly picked with uniform distribution. Previous Cryptanalysis (see Table2 ). Known attacks against SAFER are summarized in Table 2.... In PAGE 17: ... Previous Cryptanalysis (see Table 2). Known attacks against SAFER are summarized in Table2 . The resistance of SAFER against differential cryptanaly- sis [5] was extensively studied by Massey in [32], where it is argued that 5 rounds are sufficient to resist to this attack.... ..."

### Table 1. Summary of Known Attacks Against Khazad

"... In PAGE 2: ... 2.2 Previous Results about Khazad All cryptographic results concerning Khazad are summarized in Table1 . The best known attack so far was the straightforward application of the integral attack, originally proposed by the designers of the cipher [2].... In PAGE 9: ... 4.3 Overview of cryptanalytic results against Khazad In Table1 , we have summarized all known cryptanalytic results against reduced- round versions of Khazad. Our improved integral attack is the best cryptanalytic result against Khazad.... ..."

Cited by 1

### Table 1. Summary of Known Attacks Against Khazad.

"... In PAGE 2: ... 2.2 Previous Results about Khazad All cryptographic results concerning Khazad are summarized in Table1 . The best known attack so far was the straightforward application of the integral attack, originally proposed by the designers of the cipher [2].... In PAGE 9: ...355 4.3 Overview of Cryptanalytic Results against Khazad In Table1 , we have summarized all known cryptanalytic results against reduced- round versions of Khazad. Our improved integral attack is the best cryptanalytic result against Khazad.... ..."

Cited by 1

### Table 1 Attacks on some Skipjack variants with a diVTerent round orderinga

2000

"... In PAGE 7: ... It is left as an open question to apply these diVTerentials in cryptanalytic attacks. See also Table1 for a summary of our attacks on the variants with a diVTerent round ordering. We start by examining why it is better to start with A-rounds and end with B-rounds; this reduces the search space by a factor of two.... ..."

### Table 2. Known plaintext attacks on Feal and DES.

1991

"... In PAGE 19: ... In particular, the cipher block chaining (CBC) mode can also be broken by this attack since when the plaintexts and the ciphertexts are known, it is easy to calculate the real input of the encryption function. Table2 summarizes the di erential cryptanalytic known plaintext attacks on Feal and DES. For each of the listed cryptosystems with the listed number of rounds, the table describes the number of pairs of each characteristic and the total number of random plaintexts needed for the chosen plaintext attack and for the known plaintext attack.... ..."

Cited by 27

### Table 1. Attack costs in processor steps and full cost.

"... In PAGE 20: ... For many attacks, it is not known whether such proper parallelization is possible. Table1 summarizes the costs of various cryptanalytic attacks using the best available implementation to minimize cost by both the standard measure of processor steps and the full cost measure. Cryptanalytic Problem Attack Method Processor Steps Full Cost One discrete logarithm Shanks n1/2+o(1) n2/3+o(1) (prime group order n) Parallel collision search n1/2+o(1) n1/2+o(1) n-th discrete logarithm Shanks no(1) n1/3+o(1) (prime group order n) Parallel collision search no(1) n1/5+o(1) Factoring n Number field sieve L(1.... In PAGE 20: ... Attack costs in processor steps and full cost. In all cases in Table1 , the optimal design point did not have wire costs exceeding both processor and memory costs. This means that the table entries would be the same if wires were assumed to have no volume.... ..."

Cited by 11