### Table 2. The collision profile of hash functions. Packing

"... In PAGE 3: ... After training the network, NH25 has 460 hidden nodes and NH50 has 430 hidden nodes. Table2 shows the collision profile of each hash function: the figures under the hash function column correspond to the number of hash table slots to which a certain number of records, in the first column in the same row, are hashed. As can be seen in Table 2, the Mid-square performed the worst among the hash functions; NH25 has a similar result to that of the Division; and NH50 performed the best: it has the least number of unassigned slots and most slots with only one hash value assigned.... In PAGE 3: ... Table 2 shows the collision profile of each hash function: the figures under the hash function column correspond to the number of hash table slots to which a certain number of records, in the first column in the same row, are hashed. As can be seen in Table2 , the Mid-square performed the worst among the hash functions; NH25 has a similar result to that of the Division; and NH50 performed the best: it has the least number of unassigned slots and most slots with only one hash value assigned. Another criterion for judging the performance of a hash function is degradation of the collision rate as the packing density increases.... ..."

### Table 2: Comparison of UDVS Schemes Approximate Computation Time. Here we count the cost of computing a product axbycz as equivalent to a single exponentiation (exp.) in the underlying group. For RSAUDVS exponent lengths are all log2(e). TH denotes the cost of evaluating the trapdoor hash function Fpk (typ. 1 exp.).

in Efficient Extension of Standard Schnorr/RSA signatures into Universal Designated-Verifier Signatures

"... In PAGE 13: ... However, the computation is about the same as in the Schnorr-based schemes. This is because the O(lJ/ log2(e)) exponentiations for RSAUDVS shown in Table2 use a low exponent e, so the total computation is only O(lJ) modular multiplications. Scheme Extended Sig.... ..."

### Table 1. Security of 3 proposals to build n-bit MACs (n = m) from hash functions. \#MAC quot; is the number of known text-MAC pairs; \C quot; the number of chosen texts; \#opn quot; the number of o -line compression function operations required for best known attacks; t is the number of messages (or blocks) available to an attacker; k, k1, k2 are key bitlengths.

1995

"... In PAGE 9: ... 4.4 Summary of Results on the Three Previous Proposals The weaknesses of the three existing proposals discussed above are summarized in Table1 .... In PAGE 9: ... Depending on the parameters, nding a second preimage may be easier by rst obtaining the key with an exhaustive search; this type of attack is not noted in the table. If the underlying hash function is collision resistant (implying n is su ciently large), the gures in Table1 (aside from the secret pre x method without ad- ditional precautions) indicate that the corresponding attacks are only certi ca- tional { breaking these schemes is easier than breaking an ideal MAC with the same parameters, but the attacks are still not feasible in practice. In particular, the number of known or chosen texts required is much smaller than one would expect, and known texts can be replaced by o -line computations.... In PAGE 9: ... In particular, the number of known or chosen texts required is much smaller than one would expect, and known texts can be replaced by o -line computations. It is however clear from Table1 that if the hash function is only a one-way hash function (with n typically between 64 and 80 bits), then both the su x and envelope methods are vulnerable as well. Also, it follows that in case of the envelope method k1 must not be too small.... ..."

Cited by 57

### Table 4. First hash function

"... In PAGE 7: ... Indeed, for the second relation in Table 5, feature 5 is stored on both node 1 and node 2. Also for the second relation in Table4 , feature 4 is stored on both nodes. With the first hashing function, if the answers of the spatial join request are concentrated geographically on one part of the universe, then these answers will be computed by fewer compute nodes, leading to data distribution skew.... ..."

### Table 1. Security of 3 proposals to build n-bit MACs (n = m) from hash functions. \#MAC quot; is the number of known text-MAC pairs; \C quot; the number of chosen texts; \#opn quot; the number of o -line compression function operations required for best known attacks; t is the number of messages (or blocks) available to an attacker; k, k1, k2 are key bitlengths.

"... In PAGE 9: ... 4.4 Summary of Results on the Three Previous Proposals The weaknesses of the three existing proposals discussed above are summarized in Table1 .... In PAGE 9: ... Depending on the parameters, nding a second preimage may be easier by rst obtaining the key with an exhaustive search; this type of attack is not noted in the table. If the underlying hash function is collision resistant (implying n is su ciently large), the gures in Table1 (aside from the secret pre x method without ad- ditional precautions) indicate that the corresponding attacks are only certi ca- tional { breaking these schemes is easier than breaking an ideal MAC with the same parameters, but the attacks are still not feasible in practice. In particular, the number of known or chosen texts required is much smaller than one would expect, and known texts can be replaced by o -line computations.... In PAGE 9: ... In particular, the number of known or chosen texts required is much smaller than one would expect, and known texts can be replaced by o -line computations. It is however clear from Table1 that if the hash function is only a one-way hash function (with n typically between 64 and 80 bits), then both the su x and envelope methods are vulnerable as well. Also, it follows that in case of the envelope method k1 must not be too small.... ..."

### TABLE 2. HASH FUNCTIONS FOR INTEGRITY

### TABLE II FUNCTIONS OF THE CLASS hash.

2005

### Table 5. Second hash function

"... In PAGE 7: ... It can be observed from the two tables that there is no replication for the first relation, but there is replication for the second relation. Indeed, for the second relation in Table5 , feature 5 is stored on both node 1 and node 2. Also for the second relation in Table 4, feature 4 is stored on both nodes.... ..."

### Table 3. Performance gures on a Pentium for the improved implementations of the compression function of the 6 members of the MD4 hash function family. Both code and data are assumed to reside in the on-chip caches. All gures are independent of the processor apos;s clock speed. The speed-up factor is with respect to a (hypothetical) execution of the same code on a non-parallel architecture under otherwise unchanged conditions. References

1997

"... In PAGE 1: ... Miraculously, this turns out to be the case, as illustrated in Table 2 for a round 1 step of MD5, updating [BGV96, Table 3]. Table3 is the updated version of [BGV96, Table 4]. All implementations now only use 1-cycle instruc- tions, except for SHA-1 that uses the bswap instruction taking an additional cycle to decode due to the 0Fx-pre x.... ..."

Cited by 4