APPLIED CRYPTOGRAPHY, Second Edition
ERRATA
Version 1.3 - 26 April 1996
This errata includes all errors I have found in the book, including minor
spelling and grammatical errors. Please distribute this errata sheet to
anyone else who owns a copy of the book.
Page 7: In line 31, delete the word "source".
Page 9: In line 5, "maximum" should be "minimum".
Page 10: The second sentence would be clearer as "Replace the least
significant bit of each byte of the image with the bits of the message."
Page 11: Line 3 should read "E",..."W" is replaced by "Z," "X" is replaced
by "A," "Y" is replaced by "B,".
Page 11: Line 18, the reference should be "[703]" and not "[699]".
Page 13: Fifth paragraph, first sentence, should read: "The original
German Enigma had three rotors, chosen from a set of five,...." This
increased to three rotors chosen from eight during the war, and the Navy
started using four rotors chosen from eight.
Page 14: The last sentence should read: "The smallest displacement that
indicates a multiple of the key length is the length of the key."
Page 16: Third line from the bottom, "1.44" makes more sense as "1.544".
Page 18: Table 1.1, second item. 1 in 4,000,000 is 2^22. This makes the
third item equal to 2^55.
Page 53: Second to last sentence about SKEY should read: "Similarly, the
database is not useful to an attacker."
Page 55: William Price's first name is Wyn.
Page 60: In Step (4) of the Kerberos protocol, change "Bob sends" to "Bob
creates".
Page 61: Step (3), the second message should contain A instead of B.
Page 62: In the third line, there's a comma missing.
Page 63: Second protocol, step (2), the second message should be
"S_T(C,K_C)".
Page 70: In the first step (4), the equation should be "R XOR S = M". In
the second step (2), it should be "to generate U".
Page 77: In step (2), the message is signed with Trent's private key. And
T_n is mistakenly both the time and the timestamp.
Page 80: In line 7, "step (3)" should be "step (5)".
Page 82: Fourth line from the bottom, the correct expression is "up and
died."
Page 99: Tenth line from the bottom, delete the second word: "will".
Page 104: Graph isomorphism has never been proven to be an NP-Complete
problem. It does seem to be hard, and is probably useful for cryptography.
Page 105: In Step (2), Peggy gives Victor a copy of H'.
Page 106: In the first line, "step (3)" should be "step (4)".
Page 112: Step (1) should read "Alice takes the document and multiplies it
by a random value."
Page 116: The protocol could be worded better. Step (3) should begin:
"Alice decrypts Bob's key twice, once with each of her private keys." Step
(4) should begin: "Alice encrypts both of her messages, each with a
different one of the DES keys...."
Page 126: The "Voting with Blind Signatures" protocol is a little more
complicated. The voter does not send all the blinding factors in step (2).
The CTF requests 9 of 10 blinding factors in step (3), and the voter sends
only those blinding factors to the CTF. Additionally, in step three only
the one messages (containing a set of votes) that has not been unblinded
will effectively be signed by the CTF.
Page 134: Another problem with this protocol is that there are numerous
ways that various participants can cheat and collude to find out the salary
of another participant. These cheaters can misrepresent their own salaries
during their attack.
Page 135: Lines 13-14; technically Alice and Bob get no additional
information about the other's numbers.
Page 136: Lines 14-15; technically Alice and Bob get no additional
information about the other's numbers.
Page 144: Line 27, the odds should be "1 in n". Line 29, "step (2) should
be "step (1)".
Page 146: Fourth line from the bottom, delete the word "that".
Page 157: The section on "Thermodynamic Limitations" is not quite correct.
It requires kT energy to set or clear a single bit because these are
irreversible operations. However, complementing a bit is reversible and
hence has no minimum required energy. It turns out that it is
theoretically possible to do any computation in a reversible manner except
for copying out the answer. At this theoretical level, energy requirements
for exhaustive crytpanalysis are therefore linear in the key length, not
exponential.
Page 161: In the eleventh line from the bottom, "harnesses" should be
"harnessed".
Page 166: Fifth line, "183" should be "253".
Page 167: Line 16 should end with a period, not a colon.
Page 171: In the thirteenth line from the bottom, "person" should be
"personal".
Page 175: Line 8, it's really triple-DES encryption.
Page 181: Line 8 should read "he does not know it" instead of "he does
know it".
Page 195: In line 13, the reference number should be [402].
Page 201: Error Propagation, lines 5-6. The sentence should read: "In 8-
bit CFB mode, 9 bytes of decrypted plaintext are garbled by a single-bit
error in the ciphertext."
Page 202: Third to last line, toggling individual bits does not affect
subsequent bits in a synchronous stream cipher.
Page 203: Section 9.8, both equations should be "S_i = E_K(S_(i-1))".
Page 209: Table 9.1. CFB, Security: Bits of the last block can be
changed, not the first. CFB, Efficiency: The speed is the same as the
block cipher only in 64-bit CFB. CFB, Efficiency: Bullets three and five
are the same. CFB and OFB, Efficiency: "Ciphertext is the same size as the
plaintext" should be a plus.
Page 213: In the last line of the third paragraph, "cryptanalyze" is
misspelled.
Page 217: The Table 10.1 headers got garbled. They should be:
"Algorithm", "Confidentiality", "Authentication", "Integrity", and "Key
Management".
Page 243: The last line of the first equation block should be attached to
the end of the previous line.
Page 246: The last line should be: "#define isEven(x) ((x & 0x01) == 0)".
Page 247: The last line of the ExtBinEuclid subroutine should read: "*u1
<<= k; *u2 <<= k; *u3 <<= k;".
Page 249: Line 9, "Euclid's generalization" should be "Euler's
generalization".
Page 251: Lines 20-21. The sentence should read: "For example, there are
11 quadratic residues mod 35: 1, 4, 9, 11, 14, 15, 16, 21, 25, 29, and 30."
See page 505 for more details.
Page 252: In the 4th line from the bottom, the comment should read "/* by
Definition 2 */".
Page 353: In the first line after "Generators", "less then" should be
"less than".
Page 258: In line 27, his name is spelled "Chandrasekhar".
Page 259: Lehmann reference "[903]" should be [945]".
Page 275: Figure 12.4; "46-Bit Input" should be "48-Bit Input".
Page 287: In line 13, "first and third" should be "second and third".
Page 287: In Figure 12.6(b), there should be no period in X or Y. Also,
the left output should be "delta = L XOR Y".
Page 288: In figure 12.7, the final output in the lower right side should
be DELTA=0.
Page 292: Second line, "b_24" should be "b_26". In line 10, "1/2 - .0061"
should be "1/2 + .0061".
Page 295: Fourth line from the bottom, 2^(120/n) should be (2^120)/n.
Page 300: In the first line, "56" should be "48".
Page 306: The first sentence is wrong. The key is rotated to the right;
the key and data move in opposite directions to minimize redundant key bit
operations. Also, the XOR happens after the rotation. The third paragraph
should be modified to be the opposite of this. In any case, Madryga is
vulnerable to differential cryptanalysis with about 5000 chosen plaintexts.
Don't use it.
Page 307: Last line, "complementation" is misspelled as "complemention".
Page 311: Second paragraph, second line should be: "it more quickly than
by brute force..."
Page 316: In Table 13.2, P_2 should be "379", not "279".
Page 319: In line 11, Section "25.13" should be "25.14".
Page 322: Last line, the chip is 107.8 square mm.
Page 323: Line 26, reference [405] should be [406].
Page 325: Last line, "mod 3" should be "mod 4".
Page 326: Line 19, "mod 3" should be "mod 4".
Page 338: In Figure 14.3 and in the first line, "f" should be "F".
Page 340: Second equation should be "mod 256".
Page 341: The current variants of SAFER are SAFER SK-40, SAFER SK-64, and
SAFER SK-128, all with a modified key schedule, in response to a
theoretical attack by Lars Knudsen presented at Crypto '95.
Page 342: In the description of 3-Way, "K^(n+1)" should be "K_n".
Page 345: Lines 10 and 11: the + should be a -. Line 26: "do n times"
should be "do 3n times".
Page 346: The reference number for BaseKing should be [402].
Page 352: In line 8, that second "l" should be an "r".
Page 358: In the decryption equation of Davies-Price mode, the final D
should be an E.
Page 362: In the first equation, P is used to indicate both padding and
plaintext. If P is plaintext and p is padding, then the equation should
be: C = E_K3(p(E_K2(p(E_K1(P))))).
Page 362: Figure 15.2 is wrong. The middle and top rows of "Encrypt," and
the plaintext feeding them, are shifted right by 1/2 block from where they
should be.
Page 363: The parenthetical remark would be clearer as: "encryption with
one of n different keys, used cyclically".
Page 363: Second to last line, the equation should have an I_2 in place of
the I_1.
Page 367: Second equation, "P XOR K_3" should be "C XOR K_3".
Page 369: A maximal period linear congruential generator has a period of
m, not m-1.
Page 375: Third paragraph should read: "It is easy to turn this into a
maximal period LFSR. The highest exponent is the size of the register, n.
Number the bits from n-1 to 0. The exponents, including the 0, specify the
tap sequence, counting from the right of the register. The x^n term of the
polynomial stands for the input being fed into the left end." The next
paragraph is wrong, as is the code and the figure.
Page 379: Second line of code has an extra close parentheses.
Page 379: Third line of text: "That Galois configuration" should be "The
Galois configuration".
Page 380: The fourth line should begin: "On the other hand, an
astonishingly...."
Page 382: In paragraph 4, "LFSR" would be more clear if it were labeled
"LFSR-2". Similarly, in the first sentence of paragraph 5 "LFSR" would be
more clear if it were labeled "LFSR-3".
Page 384: Bilateral Stop-and-Go Generator: To agree with Figure 16.11,
reverse "LFSR-1" and "LFSR-2".
Page 385: Last line: "Ranier Rueppel" should be "Rainer Rueppel".
Page 389: Some more details on the GSM algorithms. A3 is the
authentication algorithm in the smart card. A8 is just a bit shuffling
process that takes part of the output of A3 and turns it into a session key
for A5. A5 is the privacy algorithm. There are two algorithms used in
GSM: A5/1 and A5/2. A5/1 can be used by only certain countries; A5/2 can
be used by all countries.
Page 391: In the 11th line under Fish, it should be "D_j" instead of
"D_i".
Page 393: In Figure 16.17, there should be an arrow from the fourth byte
to the Output Function.
Page 393: Second sentence should be: "It's a method for combining multiple
pseudo-random streams that increases their security."
Page 398: In the third line of the section on SEAL, "kilobytes" is
misspelled as "kiloytes".
Page 411: Another option for an alternating stop-and-go generator would be
to use a LFSR in Register-2, a FCSR in Register-3, and either in Register-
1. This may have advantages over either of the three constructions listed.
Page 420: Table 17.3, the speed should be in kilobytes/second.
Page 429: The second sentence should be: "It returns a fixed-length hash
value, h."
Page 431: In step (2), "prepend" instead of "append".
Page 440: In item 3, the second equation should read "((X and Z) or (Y and
(not Z)))".
Page 441: The compression function of MD2 is confusing without the
indentations. The two for-loops are nested; the inner loop includes the
next two statements; and the other loop the statement after that.
Page 443: Last paragraph, the operation number runs from 0 to 79.
Page 444: In figure 18.7, the a, b, c, d, and e variables are reversed.
Page 445: Line 14, SHA should be compared to MD4.
Page 447: Lines 3-4 should read: "...CFB in [1145], CBC in [55,56,54]...."
Page 449: Figure 18.9, M_i and H_i-1 in the upper-left diagram should be
reversed.
Page 454: Seventh and sixth lines from the bottom: Z is the sum of the
message blocks as if they were 256-bit integers.
Page 455: Delete the third sentence, in parentheses, from section 18.14.
Page 456: Table 18.2. It's "Hash Speeds", not "Encryption Speeds", and it
is measured in "kilobytes/second". "SNEERU" should be "SNEFRU".
Page 465: In the third line of text, the number should be n^-1.
Page 469: Table 19.3, the "Clock Cycles" entry for the Siemens chip should
be ".3M".
Page 470: The second to last line is missing an "is".
Page 471: In the sixth line from the bottom, "n'^d mod n" should be "m'^d
mod n".
Page 480: An additional reference for elliptic-curve cryptosystems is N.
Koblitz, A Course in Number Theory and Cryptography, Second Edition,
Springer-Verlag, 1994. This is an excellent book, and omitting it was an
oversight.
Page 481: Second-to-last line, delete the word "a".
Page 487: In two places the second to last paragraph, "recompute" should
be "precompute".
Page 489: Caption to Table 20.3 should specify an "80386 33 MHz personal
computer".
Page 496: Section 20.4, eighth line: "mod q" should be "mod p".
Page 497: Delete the fourth equation in the list of verification
equations.
Page 499: ESIGN, seventh line: "m-1 should be "n-1".
Page 505: In step 3, the third sentence should be: "If Victor's first bit
is a 1, then s_1 is part of the product...."
Page 514: In step (1), Alice must have send X to Bob. In step (9) "X'^y"
should be "X'^z".
Page 515: In line 1, "commutative" is misspelled as "communitive".
Page 515: Hughes. Step (2): In order for step (4) to work, y must be
relatively prime to n-1 else the inverse function in step (4) won't work.
If n is a strong prime such that (n-1)/2 is also prime, then y can be any
odd random large integer except for (n-1)/2. In step (4), Bob computes:
z=y^-1 mod (n-1).
Page 516: In the Station-to-Station protocol, the exponentiation is
missing. In step (1), Alice sends Bob g^x mod n. In step (2), Bob
computes the shared key based on g^x mod n and y. He signs g^x mod n and
g^y mod n, and encrypts the signature using k. He sends that, along with
g^y mod n, to Alice. In step (3), Alice sends a signed message consisting
of g^x mod n and g^y mod n, encrypted in their shared key.
Page 517: In the fifth equation, every "M" should be a "P".
Page 521: In the equations of Step (1), "r_A" should be "R_a". And in the
equation of Step (2), "P" should be "P'" and "r_A" should be "R^b".
Page 522: Fortified Key Negotiation: "k" is the password; H(k,x) can be a
normal hash function on k concatenated with x. In the fifth line from the
bottom, "H * (P,K2)" is supposed to be H'(P,K2).
Page 529: Line 13 should be a polynomial of degree 5, not 6; also, the
entire polynomial is mod p.
Page 535: The technique wherein Mallory leaks 10 bits of DSA secret per
signature, can be sped up by a factor of 16 or so. Instead of choosing a
4-bit block randomly and then searching for a k that leaks the correct 14
bits, he can just use the low 4 bits of r to select the block of the
signature to leak (no need to have an opaque subliminal channel) and he
only has to check an average of 1024 k values until the bits sent out over
the 10 subliminal channels match the 10 bits of the secret selected by r =
(g^k mod p) mod q.
Page 537: Sixth line, "t = x^1 mod (p-1)" should be "t=x^-1 mod (p-1)".
Page 549: Second line, "km = e (mod n)" should be "km = e (mod ((p-1)(q-
1))".
Page 568: In the Kerberos Version 5 Messages, step 3, the final "s" should
be deleted.
Page 577: Fourth line from the bottom: The organization is the "Internet
Research Task Force".
Page 586: Figure 24.7, in the key the arrow should point from y to x.
Page 586: Seventh line, "revokation" should be spelled "revocation".
Page 589: Section 24.15, fourth line: "Nambia" should be "Namibia".
Page 592: The equation is wrong. The structure of the LEAF is
"E_KF(U,E_KU(K_S),C)", where U is the 32-bit unit ID, K_S is the 80-bit
session key, and C is a 16-bit checksum of K_S and the IV (and possibly
other material) used by the receiving chip to ensure that it has a valid
LEAF.
Page 592: The equation should probably be "E_{K_F}(U, E_{K_U}(K_S, C))".
Page 592: In the third paragraph, the reference to section 3.5 should be
3.6.
Page 597: Fifth line from the bottom: "Order" should be "Orders". Bottom
line: "departmental of agency" should be "departmental or agency".
Page 598: First line: "Intelligence Directive" should be "Intelligence
Directives".
Page 600: The area code for the NSA is 410, not 301.
Page 604: Fourth line from the bottom should read: "to U.S. patent law."
Page 604: In Table 25.3, the issue data for patent #4,200,770 is 4/29/80.
Page 605: In the fourth paragraph, the date when the Diffie-Hellman key
exchange will enter the public domain is April 29, 1997.
Page 606: In lines 12 and 13, the cross-references to sections in chapter
14 are to chapter 18.
Page 607: In Table 25.4, the column headers are reversed.
Page 609: Second to last line, the "Census Office" should be the "Patent
Office".
Page 610: Sixth line should read "it is filed", not "it is filled".
Page 652: There is some BLOWFISH code missing, just before the comment at
the bottom of the page:
unsigned long ps[18]={0x243f6a88, 0x85a308d3, 0x13198a2e, 0x03707344,
0xa4093822, 0x299f31d0, 0x082efa98, 0xec4e6c89, 0x452821e6,
0x38d01377, 0xbe5466cf, 0x34e90c6c, 0xc0ac29b7, 0xc97c50dd,
0x3f84d5b5, 0xb5470917, 0x9216d5d9, 0x8979fb1b};
/* Initialize P array */
for(i=0;i<18;i++} c->P[i]=ps[i];
Page 676: In reference 19, the author is "Rumeley".
Page 676: Reference 37 is obsolete. The current reference is: Cellular
Digital Packet Data System Specification, Part 406: Airlink Security,
Release 1.1 January 19, 1995.
Page 679: In reference 106, "22th" should be "22nd".
Page 680: In reference 140, the author is "Berlekamp".
Page 683: In reference 210, the title of the paper is "A Comparison of
Three Modular Reduction Functions".
Page 694: In reference 484, the starting page should be "457".
Page 697: In reference 550, the second author should be "M.Y. Liberman".
Page 702: In references 658 and 659, the second author should be "H.
Niederreiter".
Page 704: In reference 703, it should be "Communications of the ACM".
Page 705: In reference 727, subscript should be a superscript.
Page 717: In reference 1041, the pages should be "114-116".
Page 718: In reference 1067, the year should be "1988".
Page 726: In reference 1266, "Vanderwalle" should be "Vandewalle".
Page 727: In reference 1299, the second author is "P.J. Weinberger".
Page 735: In reference 1505, the second author should be "V.G. Gligor".
This errata is updated periodically. For a current errata sheet, send a
self-addressed stamped envelope to: Bruce Schneier, Counterpane Systems,
101 East Minnehaha Parkway, Minneapolis, MN 55419; or send electronic mail
to: schneier@counterpane.com.