Results

**1 - 10**of**10**### Table 8 Mean points per season by honeymoon, trapdoor and smooth

2002

"... In PAGE 19: ... The risk analysis software @RISK from Palisade Corporation is used to perform the calculations. Table8 shows 27 results of this exploratory analysis, for three values of each of the three choice variables. The three values for each choice variable are chosen to cover the range of plausible values.... ..."

### Table 2: Comparison of UDVS Schemes Approximate Computation Time. Here we count the cost of computing a product axbycz as equivalent to a single exponentiation (exp.) in the underlying group. For RSAUDVS exponent lengths are all log2(e). TH denotes the cost of evaluating the trapdoor hash function Fpk (typ. 1 exp.).

in Efficient Extension of Standard Schnorr/RSA signatures into Universal Designated-Verifier Signatures

"... In PAGE 13: ... However, the computation is about the same as in the Schnorr-based schemes. This is because the O(lJ/ log2(e)) exponentiations for RSAUDVS shown in Table2 use a low exponent e, so the total computation is only O(lJ) modular multiplications. Scheme Extended Sig.... ..."

### Table 2 with n = 22. Interpretation of the results For a well chosen polynomial f(x), equations [XY ] and [XY 2] do not give any attack. Similarly, for well chosen polynomials f(x), the number of equations [X2Y ] will be similar to the number obtained with truly random quadratic functions (with no trapdoor). However, this condition on [X2Y ] is more restrictive than the similar condition on [XY 2]. Remark: To see how some equations [X2Y ] or [X2Y + XY 2] can be useful for an attack, see section 8.

1996

Cited by 67

### Table 1. Runtime Statistics

"... In PAGE 11: ... For ve di erent non-maximal orders of various sizes, we have computed the average run time for encryption, classical decryption, and our trapdoor decryption of fty randomly selected messages using randomly selected exponents. The results of these computations can be found in Table1 . Dec denotes the average time for classical decryption and Decq denotes the average time for the trapdoor decryption.... ..."

### Table 1. Notations for Protocol Description

"... In PAGE 5: ...Overview Table1 lists the notations we will use in this section and the rest of this paper. In a SPAKA protocol, Alice (the client) must communicate with Bob (the server) in advance to setup her verifier v, which usually is a (trapdoor) one-way function of her password pi.... ..."

### Table 3: Proposed Schemes for One-Way functions

"... In PAGE 31: ... In this case, we do not need a trapdoor but merely the intractability of the MQ-problem. Hence, we suggest to generate random MQ-polynomials with the parameters as suggested in Table3 . As for Table 1, the evaluation timings are based on [CGP02].... ..."

### Table 3: Proposed Schemes for One-Way functions

2004

"... In PAGE 10: ... In this case, we do not need a trapdoor but merely the intractability of the C5C9-problem. Hence, we suggest to generate random C5C9-polynomials with the parameters as suggested in Table3 . As Table 3: Proposed Schemes for One-Way functions... ..."

### Table 3: Proposed Schemes for One-Way functions

"... In PAGE 11: ... In this case, we do not need a trapdoor but merely the intractability of the MQ-problem. Hence, we suggest to generate random MQ-polynomials with the parameters as suggested in Table3 . As Table 3: Proposed Schemes for One-Way functions... ..."

### Table 3: Proposed Schemes for One-Way functions

"... In PAGE 11: ... In this case, we do not need a trapdoor but merely the intractability of the MQ-problem. Hence, we suggest to generate random MQ-polynomials with the parameters as suggested in Table3 . As Table 3: Proposed Schemes for One-Way functions... ..."

### Table 1: Comparison to prior schemes. A star signifies that the question was not explicitly considered. For min ciphertext, k; jmj; a are the lengths of the public-key domain, the message, and the security parameter.

"... In PAGE 2: ... This paper presents several optimized signcryption constructions, all of which share features such as sim- plicity, efficiency, generality, near-optimal exact security, flexi- ble and ad-hoc key management, key reuse for sending/receiving data, optimally-low message expansion, backward use for plain signature/encryption, long message and associated data support, the strongest-known qualitative security (so called IND-CCA and sUF-CMA) and, finally, complete compatibility with the PKCS#1 infrastructure [23]. While some of these attractive features are al- ready present in several previous works to various extents, we be- lieve that our schemes improve on earlier proposals in at least sev- eral dimensions (see Table1 and Section 8). In our model, each user U independently picks a single trap- door permutation fU (together with its trapdoor, denoted f 1 U ) and publishes fU as its public signcryption key (as opposed to separate signature and encryption keys, as in [1]).... In PAGE 2: ... This design (1) results in noticeable practical savings in both quantitative and qualitative security, (2) improves the message bandwidth and randomness utilization, and (3) simplifies protocol design and implementation. Table1 compares our signcryption construction against several earlier proposals, with regards to several properties. Section 8 de- scribes these alternate schemes in more depth, and we include the comparison here for easy reference.... In PAGE 8: ...ary encryption and signature schemes (e.g., [3, 5, 25, 11]), the most relevant previous works are those related to signcryption and universal paddings. The comparison of our constructions to previ- ous work is summarized in Table1 in the Introduction. Comparing with signcryption schemes [1, 19].... ..."

**1 - 10**of

**10**