### Table 1: Comparison of some public-key algorithms.

"... In PAGE 6: ... Recent zero-knowledge identi cation scheme such as the Fiat-Shamir (FS) (see [Sim92]) or the Guillou-Quisquater (GQ) [GQ90] schemes are much more suited for smart cards applications. Table1 compares the dif- ferent characteristics of these algorithms in terms of speed, amount of bits exchanged between the terminal and the card, size of the RAM for interme- diate computations and size of the non-volatile memories.... ..."

### Table 2: eFFS veri cation time (ms) with 512-bit modulus.

"... In PAGE 15: ...e implemented the basic Feige-Fiat-Shamir (FFS) scheme and the eFFS scheme (i.e., with the improvements and extensions mentioned above) using the large integer arithmetic routines from CryptoLib [8]. Table 1 and Table2 show the times for signing and verifying (with 512-bit modulus) 128-bit message digests, using di erent speedup techniques and di erent values for the eFFS/FFS parameter (k; t).11 The results were obtained on a Pentium II 300 MHz machine running Linux.... In PAGE 16: ... For t = 1, the signature size is minimized, but the signing/veri cation key size is maximized. Moreover, for a xed kt product, the signing/veri cation time is smaller when t is smaller (see Table 1 and Table2 ). Therefore, we recommend to use t = 1 except when adjustable veri cation is needed.... In PAGE 16: ... An improvement idea suggested in [12] is to use small prime numbers13 as the veri cation key components fvig and compute the signing key components fsig by s2 i = v?1 i mod n. This improvement (labeled as \small v-key quot; in Table 1 and Table2 ) has two advantages. First, the veri cation time is an order of magnitude smaller than without this improvement (and the signing time is not a ected).... In PAGE 18: ... This is because with the small v-key extension, small primes are used as public key components, and their products can be computed very e ciently. For example, with the small v-key extension, 8-bit precomputation in veri cation operations reduces the veri cation time by less than 10% (see Table2 ). In the remaining experiments, we use veri cation with small v-key and no precomputation.... ..."

### Table 1: eFFS signing time (ms) with 512-bit modulus.

"... In PAGE 15: ...e implemented the basic Feige-Fiat-Shamir (FFS) scheme and the eFFS scheme (i.e., with the improvements and extensions mentioned above) using the large integer arithmetic routines from CryptoLib [8]. Table1 and Table 2 show the times for signing and verifying (with 512-bit modulus) 128-bit message digests, using di erent speedup techniques and di erent values for the eFFS/FFS parameter (k; t).11 The results were obtained on a Pentium II 300 MHz machine running Linux.... In PAGE 16: ... For t = 1, the signature size is minimized, but the signing/veri cation key size is maximized. Moreover, for a xed kt product, the signing/veri cation time is smaller when t is smaller (see Table1 and Table 2). Therefore, we recommend to use t = 1 except when adjustable veri cation is needed.... In PAGE 16: ... An improvement idea suggested in [12] is to use small prime numbers13 as the veri cation key components fvig and compute the signing key components fsig by s2 i = v?1 i mod n. This improvement (labeled as \small v-key quot; in Table1 and Table 2) has two advantages. First, the veri cation time is an order of magnitude smaller than without this improvement (and the signing time is not a ected).... In PAGE 17: ...Chinese remainder theorem speedup We propose to use the following improvement (labeled as \crt quot; in Table1 ), which is based on the Chinese Remainder Theorem, to speed up the signing operation. In FFS, the signing operation involves the computing of yi = ri (sbi1 1 : : : sbik k ) mod n where fsig do not change and only frig and fbijg change from message to message.... In PAGE 17: ...4 Precomputation: memory-time tradeo One important feature of FFS is that a signer/veri er can trade memory for signing/veri cation time. We propose to use the following improvement (labeled \precomp quot; in Table1 and Table 2) to speed up signing/veri cation operation by using more memory at signer/veri er. To illustrate the basic idea of this improvement, consider the signing operation with k = 4.... In PAGE 17: ...f them. If each smaller set contains four si, then it is a 4-bit precomputation. Similarly, if each smaller set contains eight si, then it is an 8-bit precomputation. Compared to the basic FFS (with small v-key), 4-bit precomputation plus crt speedup reduces the signing time by 45% to 55%, and 8-bit precomputation plus crt speedup reduces the signing time by 60% to 70% (see Table1 ). For 4-bit precomputation with k = 128 and 512-bit modulus, a signer needs to store 128=4 (24 ? 1) = 480 products.... ..."

### Table 8: Merkle Signature Scheme

2004

"... In PAGE 23: ...Table8 on page 21 shows the efficiency of the Merkle key generation, the Merkle signature gen- eration, and the Merkle signature verification. That table shows that the efficiency of the Merkle signature scheme is competitive.... ..."

### Table 8: Merkle Signature Scheme

2004

"... In PAGE 23: ...Table8 on page 21 shows the efficiency of the Merkle key generation, the Merkle signature gen- eration, and the Merkle signature verification. That table shows that the efficiency of the Merkle signature scheme is competitive.... ..."

### Table 1. Comparison of signature schemes

2004

"... In PAGE 13: ... Signature schemes comparison Examining the specific characteristics of various signature schemes, we can identify a compa- rative advantage of the proposed cumulative notarization scheme in terms of security and usa- bility. The comparison of various schemes presented in Table1 demonstrates that the propo- sed scheme keeps the strong security characteristics of digital signatures, while it addresses the issues of trust and technology refreshing as a whole, resulting in a long lifespan. ... ..."

Cited by 6

### Table 3. Parameters for Signature Scheme

2000

"... In PAGE 5: ... The index overhead is much less influ- enced by the number of attributes and the access method is simpler than the index tree method. Table3 defines the parameters for signature cost mod- els. For multi-attribute indexing, the multi-level signature method is the best approach [8, 5] and is used in this paper for data indexing.... ..."

Cited by 22

### Table 3. Parameters for Signature Scheme

2000

"... In PAGE 5: ... The index overhead is much less influ- enced by the number of attributes and the access method is simpler than the index tree method. Table3 defines the parameters for signature cost mod- els. For multi-attribute indexing, the multi-level signature method is the best approach [8, 5] and is used in this paper for data indexing.... ..."

Cited by 22

### Table 1: Signing and veri cation rates (packets per second).

"... In PAGE 3: ... The signing rate and veri cation rate are at most 1=(Td(l) + Tsign) and 1=(Td(l) + Tverify) packets per second, respectively, where Td(l) is the time to compute the message digest of an l-byte packet, Tsign is signing time, and Tverify is veri cation time for the message digest of a packet. The signing and veri cation rates3 of two widely used digital signature schemes, RSA [19] and DSA [15], on a Pentium II 300 MHz machine, are given in Table1 . The signing and veri cation rates with 100% processor time of the machine used for signing/veri cation are in Table 1(a).... In PAGE 3: ... The signing and veri cation rates3 of two widely used digital signature schemes, RSA [19] and DSA [15], on a Pentium II 300 MHz machine, are given in Table 1. The signing and veri cation rates with 100% processor time of the machine used for signing/veri cation are in Table1 (a). If a slower machine is used, or only a fraction of processor time is available for signing/veri cation (e.... In PAGE 3: ...rocessor time is available for signing/veri cation (e.g., a receiver machine has only 20% processor time for veri cation because the other 80% is needed for receiving and processing packets), then the rates should be decreased proportionally. The signing and veri cation rates using 20% processor time of the Pentium II machine are in Table1 (b).... In PAGE 3: ... Furthermore, for delay-sensitive ows, real-time generated or not, the veri cation rate is important. From Table1 , we see that the signing and veri cation rates of the sign-each approach, using either RSA or DSA, are probably inadequate for many applications. Two techniques were proposed for signing digital streams in [7] which, at rst glance, may be used for signing packet ows.... In PAGE 3: ... In this manner, only one expensive signing/veri cation operation is needed for the sequence of m packets. However, a necessary condition for using the 3The signing and veri cation rates in Table1 are rates for signing and verifying 128-bit message digests of packets (except for 16-byte packets which were signed directly).... In PAGE 14: ...block size (number of packets) (bytes) 2 4 8 16 32 64 128 16 158 316 630 1250 2440 4720 8800 512 157 310 605 1160 2130 3640 5670 1024 156 305 587 1090 1920 3070 4400 2048 153 296 552 982 1600 2330 3010 (a) using 512-bit RSA packet size block size (number of packets) (bytes) 2 4 8 16 32 64 128 16 349 692 1380 2690 5150 9540 16800 512 341 669 1270 2310 3940 6100 8370 1024 336 645 1150 2070 3300 4690 5910 2048 325 606 1060 1720 2490 3190 3680 (b) using 512-bit DSA Table1 0: Flow signing rate (packets/sec) for degree two tree chaining and block size sixteen. packet size block size (number of packets) (bytes) 2 4 8 16 32 64 128 16 4580 8660 14800 23900 33100 41300 46600 512 3600 5630 7740 9560 10800 11600 12000 1024 3020 4320 5550 6400 6950 7240 7390 2048 2320 2980 3520 3860 4040 4140 4160 (a) using 512-bit RSA packet size block size (number of packets) (bytes) 2 4 8 16 32 64 128 16 253 500 1010 1970 3780 7020 12500 512 246 485 939 1770 3070 4930 7170 1024 245 474 894 1590 2660 4010 5260 2048 238 453 821 1380 2060 2810 3410 (b) using 512-bit DSA Table 11: Flow veri cation rate (packets/sec) for degree two tree chaining and block size sixteen.... In PAGE 14: ...block size (number of packets) (bytes) 2 4 8 16 32 64 128 16 158 316 630 1250 2440 4720 8800 512 157 310 605 1160 2130 3640 5670 1024 156 305 587 1090 1920 3070 4400 2048 153 296 552 982 1600 2330 3010 (a) using 512-bit RSA packet size block size (number of packets) (bytes) 2 4 8 16 32 64 128 16 349 692 1380 2690 5150 9540 16800 512 341 669 1270 2310 3940 6100 8370 1024 336 645 1150 2070 3300 4690 5910 2048 325 606 1060 1720 2490 3190 3680 (b) using 512-bit DSA Table 10: Flow signing rate (packets/sec) for degree two tree chaining and block size sixteen. packet size block size (number of packets) (bytes) 2 4 8 16 32 64 128 16 4580 8660 14800 23900 33100 41300 46600 512 3600 5630 7740 9560 10800 11600 12000 1024 3020 4320 5550 6400 6950 7240 7390 2048 2320 2980 3520 3860 4040 4140 4160 (a) using 512-bit RSA packet size block size (number of packets) (bytes) 2 4 8 16 32 64 128 16 253 500 1010 1970 3780 7020 12500 512 246 485 939 1770 3070 4930 7170 1024 245 474 894 1590 2660 4010 5260 2048 238 453 821 1380 2060 2810 3410 (b) using 512-bit DSA Table1 1: Flow veri cation rate (packets/sec) for degree two tree chaining and block size sixteen.... In PAGE 15: ...2 57.0 (b) using 512-bit DSA Table1 2: Signing delay bound for period T = 50 ms. 2.... In PAGE 15: ... Rates are shown for di erent percentages of processor time used for signing/veri cation. processor time percentage for signing/veri cation 100% 80% 60% 40% 20% 10% RSA signing rate 1090 872 654 436 218 109 RSA veri cation rate 6400 5120 3840 2560 1280 640 DSA signing rate 2070 1660 1240 828 414 207 DSA veri cation rate 1590 1270 954 636 318 159 Table1 3: Flow signing and veri cation rates (packets/sec) for 1024-byte packets, degree two tree chaining, and block size sixteen. Note that using DSA, the ow veri cation rate is slower than the ow signing rate.... In PAGE 16: ...00 3.14 Table1 4: eFFS signing time (ms) with 512-bit modulus. eFFS parameter (k; t) (32; 1) (32; 2) (64; 1) (32; 4) (64; 2) (128; 1) basic FFS 3.... In PAGE 16: ...65 0.54 Table1 5: eFFS veri cation time (ms) with 512-bit modulus. We implemented the basic Feige-Fiat-Shamir (FFS) scheme and the eFFS scheme (i.... In PAGE 17: ... For example, with (k; t) = (128; 1), the signing/veri cation key size is 8256 bytes, and the signature size is 80 bytes. t = 1 t = 2 t = 4 key signature key signature key signature kt = 64 4160 72 2112 136 1088 264 kt = 128 8256 80 4160 144 2112 272 Table1 6: eFFS signing/veri cation key size (bytes) and signature size (bytes) with 512-bit modulus. The security level of FFS(k; t) depends on the following: (1) the size of modulus n, (i.... In PAGE 18: ... An improvement idea suggested in [12] is to use small prime numbers as the veri cation key components fvig and compute the signing key components fsig by s2 i = v?1 i mod n.12 This improvement (labeled as \small v-key quot; in Table 14 and Table1 5) has two advantages. First, the veri cation time is an order of magnitude smaller than without this improvement (and the signing time is not a ected).... In PAGE 18: ... 3.3 Chinese Remainder Theorem Speedup We propose to use the following improvement (labeled as \crt quot; in Table1 4), which is based on the Chinese Remainder Theorem, to speed up signing operation. In FFS, the signing operation involves the computing of yi = ri (sbi1 1 : : : sbik k ) mod n where fsig do not change and only frig and fbijg change from message to message.... In PAGE 19: ...f them. If each smaller set contains four si, then it is a 4-bit precomputation. Similarly, if each smaller set contains eight si, then it is an 8-bit precomputation. Compared to the basic FFS (with small v-key), 4-bit precomputation plus crt speedup reduces the signing time by 45% to 55%, and 8-bit precomputation plus crt speedup reduces the signing time by 60% to 70% (see Table1 4). For 4-bit precomputation with k = 128 and 512-bit modulus, a signer needs to store 128=4 (24 ?1) = 480 products (mod n), and 480 512 bits or 31 kilobytes additional memory is required.... In PAGE 19: ... This is because with the small v-key extension, small primes are used as public key components, and their products can be computed very e ciently. For example, with the small v-key extension, 8-bit precomputation in veri cation operations reduces the veri cation time by less than 10% (see Table1 5). In the remaining experiments, we use veri cation with small v-key and no precomputation.... In PAGE 20: ...08 4-level signature 5.89 Table1 7: eFFS t-level signature signing time (ms). security kt product level kt = 32 kt = 64 kt = 128 level 1 of 1 0.... In PAGE 20: ...612 level 4 of 4 1.164 Table1 8: eFFS veri cation times (ms) at di erent security levels. (a) 2-level signature To level 1 level 2 From level 0 0.... In PAGE 20: ...567 From level 3 0.291 Table1 9: eFFS incremental veri cation time (ms) for kt = 128. Table 17 shows di erent t-level signature signing times.... ..."

### Table 1. Cost of the signature generation phase in the blind threshold signature scheme and that in the underlying blind signature scheme.

"... In PAGE 14: ... We will use as a measure the number of modular exponentiations and that of modular inverses required by a single player during execution of our signature generation protocol. Table1 shows a comparison between the blind threshold signature scheme and its underlying blind signature scheme. In this table, Scheme 1 denotes the blind threshold signature scheme described in Section 4, and Scheme 1* denotes its corresponding underlying blind signature scheme.... ..."