>From: Bruce Schneier >Posted-Date: Fri, 26 Apr 1996 10:03:21 -0500 (CDT) >Subject: no subject (file transmission) >To: gchase@tiac.net >Date: Fri, 26 Apr 1996 10:03:20 -0500 (CDT) > > APPLIED CRYPTOGRAPHY, Second Edition > ERRATA > Version 1.3 - 26 April 1996 > > > >This errata includes all errors I have found in the book, including minor >spelling and grammatical errors. Please distribute this errata sheet to >anyone else who owns a copy of the book. > > >Page 7: In line 31, delete the word "source". > >Page 9: In line 5, "maximum" should be "minimum". > >Page 10: The second sentence would be clearer as "Replace the least >significant bit of each byte of the image with the bits of the message." > >Page 11: Line 3 should read "E",..."W" is replaced by "Z," "X" is replaced >by "A," "Y" is replaced by "B,". > >Page 11: Line 18, the reference should be "[703]" and not "[699]". > >Page 13: Fifth paragraph, first sentence, should read: "The original >German Enigma had three rotors, chosen from a set of five,...." This >increased to three rotors chosen from eight during the war, and the Navy >started using four rotors chosen from eight. > >Page 14: The last sentence should read: "The smallest displacement that >indicates a multiple of the key length is the length of the key." > >Page 16: Third line from the bottom, "1.44" makes more sense as "1.544". > >Page 18: Table 1.1, second item. 1 in 4,000,000 is 2^22. This makes the >third item equal to 2^55. > >Page 53: Second to last sentence about SKEY should read: "Similarly, the >database is not useful to an attacker." > >Page 55: William Price's first name is Wyn. > >Page 60: In Step (4) of the Kerberos protocol, change "Bob sends" to "Bob >creates". > >Page 61: Step (3), the second message should contain A instead of B. > >Page 62: In the third line, there's a comma missing. > >Page 63: Second protocol, step (2), the second message should be >"S_T(C,K_C)". > >Page 70: In the first step (4), the equation should be "R XOR S = M". In >the second step (2), it should be "to generate U". > >Page 77: In step (2), the message is signed with Trent's private key. And >T_n is mistakenly both the time and the timestamp. > >Page 80: In line 7, "step (3)" should be "step (5)". > >Page 82: Fourth line from the bottom, the correct expression is "up and >died." > >Page 99: Tenth line from the bottom, delete the second word: "will". > >Page 104: Graph isomorphism has never been proven to be an NP-Complete >problem. It does seem to be hard, and is probably useful for cryptography. > >Page 105: In Step (2), Peggy gives Victor a copy of H'. > >Page 106: In the first line, "step (3)" should be "step (4)". > >Page 112: Step (1) should read "Alice takes the document and multiplies it >by a random value." > >Page 116: The protocol could be worded better. Step (3) should begin: >"Alice decrypts Bob's key twice, once with each of her private keys." Step >(4) should begin: "Alice encrypts both of her messages, each with a >different one of the DES keys...." > >Page 126: The "Voting with Blind Signatures" protocol is a little more >complicated. The voter does not send all the blinding factors in step (2). >The CTF requests 9 of 10 blinding factors in step (3), and the voter sends >only those blinding factors to the CTF. Additionally, in step three only >the one messages (containing a set of votes) that has not been unblinded >will effectively be signed by the CTF. > >Page 134: Another problem with this protocol is that there are numerous >ways that various participants can cheat and collude to find out the salary >of another participant. These cheaters can misrepresent their own salaries >during their attack. > >Page 135: Lines 13-14; technically Alice and Bob get no additional >information about the other's numbers. > >Page 136: Lines 14-15; technically Alice and Bob get no additional >information about the other's numbers. > >Page 144: Line 27, the odds should be "1 in n". Line 29, "step (2) should >be "step (1)". > >Page 146: Fourth line from the bottom, delete the word "that". > >Page 157: The section on "Thermodynamic Limitations" is not quite correct. >It requires kT energy to set or clear a single bit because these are >irreversible operations. However, complementing a bit is reversible and >hence has no minimum required energy. It turns out that it is >theoretically possible to do any computation in a reversible manner except >for copying out the answer. At this theoretical level, energy requirements >for exhaustive crytpanalysis are therefore linear in the key length, not >exponential. > >Page 161: In the eleventh line from the bottom, "harnesses" should be >"harnessed". > >Page 166: Fifth line, "183" should be "253". > >Page 167: Line 16 should end with a period, not a colon. > >Page 171: In the thirteenth line from the bottom, "person" should be >"personal". > >Page 175: Line 8, it's really triple-DES encryption. > >Page 181: Line 8 should read "he does not know it" instead of "he does >know it". > >Page 195: In line 13, the reference number should be [402]. > >Page 201: Error Propagation, lines 5-6. The sentence should read: "In 8- >bit CFB mode, 9 bytes of decrypted plaintext are garbled by a single-bit >error in the ciphertext." > >Page 202: Third to last line, toggling individual bits does not affect >subsequent bits in a synchronous stream cipher. > >Page 203: Section 9.8, both equations should be "S_i = E_K(S_(i-1))". > >Page 209: Table 9.1. CFB, Security: Bits of the last block can be >changed, not the first. CFB, Efficiency: The speed is the same as the >block cipher only in 64-bit CFB. CFB, Efficiency: Bullets three and five >are the same. CFB and OFB, Efficiency: "Ciphertext is the same size as the >plaintext" should be a plus. > >Page 213: In the last line of the third paragraph, "cryptanalyze" is >misspelled. > >Page 217: The Table 10.1 headers got garbled. They should be: >"Algorithm", "Confidentiality", "Authentication", "Integrity", and "Key >Management". > >Page 243: The last line of the first equation block should be attached to >the end of the previous line. > >Page 246: The last line should be: "#define isEven(x) ((x & 0x01) == 0)". > >Page 247: The last line of the ExtBinEuclid subroutine should read: "*u1 ><<= k; *u2 <<= k; *u3 <<= k;". > >Page 249: Line 9, "Euclid's generalization" should be "Euler's >generalization". > >Page 251: Lines 20-21. The sentence should read: "For example, there are >11 quadratic residues mod 35: 1, 4, 9, 11, 14, 15, 16, 21, 25, 29, and 30." >See page 505 for more details. > >Page 252: In the 4th line from the bottom, the comment should read "/* by >Definition 2 */". > >Page 353: In the first line after "Generators", "less then" should be >"less than". > >Page 258: In line 27, his name is spelled "Chandrasekhar". > >Page 259: Lehmann reference "[903]" should be [945]". > >Page 275: Figure 12.4; "46-Bit Input" should be "48-Bit Input". > >Page 287: In line 13, "first and third" should be "second and third". > >Page 287: In Figure 12.6(b), there should be no period in X or Y. Also, >the left output should be "delta = L XOR Y". > >Page 288: In figure 12.7, the final output in the lower right side should >be DELTA=0. > >Page 292: Second line, "b_24" should be "b_26". In line 10, "1/2 - .0061" >should be "1/2 + .0061". > >Page 295: Fourth line from the bottom, 2^(120/n) should be (2^120)/n. > >Page 300: In the first line, "56" should be "48". > >Page 306: The first sentence is wrong. The key is rotated to the right; >the key and data move in opposite directions to minimize redundant key bit >operations. Also, the XOR happens after the rotation. The third paragraph >should be modified to be the opposite of this. In any case, Madryga is >vulnerable to differential cryptanalysis with about 5000 chosen plaintexts. >Don't use it. > >Page 307: Last line, "complementation" is misspelled as "complemention". > >Page 311: Second paragraph, second line should be: "it more quickly than >by brute force..." > >Page 316: In Table 13.2, P_2 should be "379", not "279". > >Page 319: In line 11, Section "25.13" should be "25.14". > >Page 322: Last line, the chip is 107.8 square mm. > >Page 323: Line 26, reference [405] should be [406]. > >Page 325: Last line, "mod 3" should be "mod 4". > >Page 326: Line 19, "mod 3" should be "mod 4". > >Page 338: In Figure 14.3 and in the first line, "f" should be "F". > >Page 340: Second equation should be "mod 256". > >Page 341: The current variants of SAFER are SAFER SK-40, SAFER SK-64, and >SAFER SK-128, all with a modified key schedule, in response to a >theoretical attack by Lars Knudsen presented at Crypto '95. > >Page 342: In the description of 3-Way, "K^(n+1)" should be "K_n". > >Page 345: Lines 10 and 11: the + should be a -. Line 26: "do n times" >should be "do 3n times". > >Page 346: The reference number for BaseKing should be [402]. > >Page 352: In line 8, that second "l" should be an "r". > >Page 358: In the decryption equation of Davies-Price mode, the final D >should be an E. > >Page 362: In the first equation, P is used to indicate both padding and >plaintext. If P is plaintext and p is padding, then the equation should >be: C = E_K3(p(E_K2(p(E_K1(P))))). > >Page 362: Figure 15.2 is wrong. The middle and top rows of "Encrypt," and >the plaintext feeding them, are shifted right by 1/2 block from where they >should be. > >Page 363: The parenthetical remark would be clearer as: "encryption with >one of n different keys, used cyclically". > >Page 363: Second to last line, the equation should have an I_2 in place of >the I_1. > >Page 367: Second equation, "P XOR K_3" should be "C XOR K_3". > >Page 369: A maximal period linear congruential generator has a period of >m, not m-1. > >Page 375: Third paragraph should read: "It is easy to turn this into a >maximal period LFSR. The highest exponent is the size of the register, n. >Number the bits from n-1 to 0. The exponents, including the 0, specify the >tap sequence, counting from the right of the register. The x^n term of the >polynomial stands for the input being fed into the left end." The next >paragraph is wrong, as is the code and the figure. > >Page 379: Second line of code has an extra close parentheses. > >Page 379: Third line of text: "That Galois configuration" should be "The >Galois configuration". > >Page 380: The fourth line should begin: "On the other hand, an >astonishingly...." > >Page 382: In paragraph 4, "LFSR" would be more clear if it were labeled >"LFSR-2". Similarly, in the first sentence of paragraph 5 "LFSR" would be >more clear if it were labeled "LFSR-3". > >Page 384: Bilateral Stop-and-Go Generator: To agree with Figure 16.11, >reverse "LFSR-1" and "LFSR-2". > >Page 385: Last line: "Ranier Rueppel" should be "Rainer Rueppel". > >Page 389: Some more details on the GSM algorithms. A3 is the >authentication algorithm in the smart card. A8 is just a bit shuffling >process that takes part of the output of A3 and turns it into a session key >for A5. A5 is the privacy algorithm. There are two algorithms used in >GSM: A5/1 and A5/2. A5/1 can be used by only certain countries; A5/2 can >be used by all countries. > >Page 391: In the 11th line under Fish, it should be "D_j" instead of >"D_i". > >Page 393: In Figure 16.17, there should be an arrow from the fourth byte >to the Output Function. > >Page 393: Second sentence should be: "It's a method for combining multiple >pseudo-random streams that increases their security." > >Page 398: In the third line of the section on SEAL, "kilobytes" is >misspelled as "kiloytes". > >Page 411: Another option for an alternating stop-and-go generator would be >to use a LFSR in Register-2, a FCSR in Register-3, and either in Register- >1. This may have advantages over either of the three constructions listed. > >Page 420: Table 17.3, the speed should be in kilobytes/second. > >Page 429: The second sentence should be: "It returns a fixed-length hash >value, h." > >Page 431: In step (2), "prepend" instead of "append". > >Page 440: In item 3, the second equation should read "((X and Z) or (Y and >(not Z)))". > >Page 441: The compression function of MD2 is confusing without the >indentations. The two for-loops are nested; the inner loop includes the >next two statements; and the other loop the statement after that. > >Page 443: Last paragraph, the operation number runs from 0 to 79. > >Page 444: In figure 18.7, the a, b, c, d, and e variables are reversed. > >Page 445: Line 14, SHA should be compared to MD4. > >Page 447: Lines 3-4 should read: "...CFB in [1145], CBC in [55,56,54]...." > >Page 449: Figure 18.9, M_i and H_i-1 in the upper-left diagram should be >reversed. > >Page 454: Seventh and sixth lines from the bottom: Z is the sum of the >message blocks as if they were 256-bit integers. > >Page 455: Delete the third sentence, in parentheses, from section 18.14. > >Page 456: Table 18.2. It's "Hash Speeds", not "Encryption Speeds", and it >is measured in "kilobytes/second". "SNEERU" should be "SNEFRU". > >Page 465: In the third line of text, the number should be n^-1. > >Page 469: Table 19.3, the "Clock Cycles" entry for the Siemens chip should >be ".3M". > >Page 470: The second to last line is missing an "is". > >Page 471: In the sixth line from the bottom, "n'^d mod n" should be "m'^d >mod n". > >Page 480: An additional reference for elliptic-curve cryptosystems is N. >Koblitz, A Course in Number Theory and Cryptography, Second Edition, >Springer-Verlag, 1994. This is an excellent book, and omitting it was an >oversight. > >Page 481: Second-to-last line, delete the word "a". > >Page 487: In two places the second to last paragraph, "recompute" should >be "precompute". > >Page 489: Caption to Table 20.3 should specify an "80386 33 MHz personal >computer". > >Page 496: Section 20.4, eighth line: "mod q" should be "mod p". > >Page 497: Delete the fourth equation in the list of verification >equations. > >Page 499: ESIGN, seventh line: "m-1 should be "n-1". > >Page 505: In step 3, the third sentence should be: "If Victor's first bit >is a 1, then s_1 is part of the product...." > >Page 514: In step (1), Alice must have send X to Bob. In step (9) "X'^y" >should be "X'^z". > >Page 515: In line 1, "commutative" is misspelled as "communitive". > >Page 515: Hughes. Step (2): In order for step (4) to work, y must be >relatively prime to n-1 else the inverse function in step (4) won't work. >If n is a strong prime such that (n-1)/2 is also prime, then y can be any >odd random large integer except for (n-1)/2. In step (4), Bob computes: >z=y^-1 mod (n-1). > >Page 516: In the Station-to-Station protocol, the exponentiation is >missing. In step (1), Alice sends Bob g^x mod n. In step (2), Bob >computes the shared key based on g^x mod n and y. He signs g^x mod n and >g^y mod n, and encrypts the signature using k. He sends that, along with >g^y mod n, to Alice. In step (3), Alice sends a signed message consisting >of g^x mod n and g^y mod n, encrypted in their shared key. > >Page 517: In the fifth equation, every "M" should be a "P". > >Page 521: In the equations of Step (1), "r_A" should be "R_a". And in the >equation of Step (2), "P" should be "P'" and "r_A" should be "R^b". > >Page 522: Fortified Key Negotiation: "k" is the password; H(k,x) can be a >normal hash function on k concatenated with x. In the fifth line from the >bottom, "H * (P,K2)" is supposed to be H'(P,K2). > >Page 529: Line 13 should be a polynomial of degree 5, not 6; also, the >entire polynomial is mod p. > >Page 535: The technique wherein Mallory leaks 10 bits of DSA secret per >signature, can be sped up by a factor of 16 or so. Instead of choosing a >4-bit block randomly and then searching for a k that leaks the correct 14 >bits, he can just use the low 4 bits of r to select the block of the >signature to leak (no need to have an opaque subliminal channel) and he >only has to check an average of 1024 k values until the bits sent out over >the 10 subliminal channels match the 10 bits of the secret selected by r = >(g^k mod p) mod q. > >Page 537: Sixth line, "t = x^1 mod (p-1)" should be "t=x^-1 mod (p-1)". > >Page 549: Second line, "km = e (mod n)" should be "km = e (mod ((p-1)(q- >1))". > >Page 568: In the Kerberos Version 5 Messages, step 3, the final "s" should >be deleted. > >Page 577: Fourth line from the bottom: The organization is the "Internet >Research Task Force". > >Page 586: Figure 24.7, in the key the arrow should point from y to x. > >Page 586: Seventh line, "revokation" should be spelled "revocation". > >Page 589: Section 24.15, fourth line: "Nambia" should be "Namibia". > >Page 592: The equation is wrong. The structure of the LEAF is >"E_KF(U,E_KU(K_S),C)", where U is the 32-bit unit ID, K_S is the 80-bit >session key, and C is a 16-bit checksum of K_S and the IV (and possibly >other material) used by the receiving chip to ensure that it has a valid >LEAF. > >Page 592: The equation should probably be "E_{K_F}(U, E_{K_U}(K_S, C))". > >Page 592: In the third paragraph, the reference to section 3.5 should be >3.6. > >Page 597: Fifth line from the bottom: "Order" should be "Orders". Bottom >line: "departmental of agency" should be "departmental or agency". > >Page 598: First line: "Intelligence Directive" should be "Intelligence >Directives". > >Page 600: The area code for the NSA is 410, not 301. > >Page 604: Fourth line from the bottom should read: "to U.S. patent law." > >Page 604: In Table 25.3, the issue data for patent #4,200,770 is 4/29/80. > >Page 605: In the fourth paragraph, the date when the Diffie-Hellman key >exchange will enter the public domain is April 29, 1997. > >Page 606: In lines 12 and 13, the cross-references to sections in chapter >14 are to chapter 18. > >Page 607: In Table 25.4, the column headers are reversed. > >Page 609: Second to last line, the "Census Office" should be the "Patent >Office". > >Page 610: Sixth line should read "it is filed", not "it is filled". > >Page 652: There is some BLOWFISH code missing, just before the comment at >the bottom of the page: > unsigned long ps[18]={0x243f6a88, 0x85a308d3, 0x13198a2e, 0x03707344, > 0xa4093822, 0x299f31d0, 0x082efa98, 0xec4e6c89, 0x452821e6, > 0x38d01377, 0xbe5466cf, 0x34e90c6c, 0xc0ac29b7, 0xc97c50dd, > 0x3f84d5b5, 0xb5470917, 0x9216d5d9, 0x8979fb1b}; > /* Initialize P array */ > for(i=0;i<18;i++} c->P[i]=ps[i]; > >Page 676: In reference 19, the author is "Rumeley". > >Page 676: Reference 37 is obsolete. The current reference is: Cellular >Digital Packet Data System Specification, Part 406: Airlink Security, >Release 1.1 January 19, 1995. > >Page 679: In reference 106, "22th" should be "22nd". > >Page 680: In reference 140, the author is "Berlekamp". > >Page 683: In reference 210, the title of the paper is "A Comparison of >Three Modular Reduction Functions". > >Page 694: In reference 484, the starting page should be "457". > >Page 697: In reference 550, the second author should be "M.Y. Liberman". > >Page 702: In references 658 and 659, the second author should be "H. >Niederreiter". > >Page 704: In reference 703, it should be "Communications of the ACM". > >Page 705: In reference 727, subscript should be a superscript. > >Page 717: In reference 1041, the pages should be "114-116". > >Page 718: In reference 1067, the year should be "1988". > >Page 726: In reference 1266, "Vanderwalle" should be "Vandewalle". > >Page 727: In reference 1299, the second author is "P.J. Weinberger". > >Page 735: In reference 1505, the second author should be "V.G. Gligor". > >This errata is updated periodically. For a current errata sheet, send a >self-addressed stamped envelope to: Bruce Schneier, Counterpane Systems, >101 East Minnehaha Parkway, Minneapolis, MN 55419; or send electronic mail >to: schneier@counterpane.com. > The above message is from Greg Chase, Kim Chase, or Fred Chase if Fred Chase: fnc@mitre.org (business) gchase@tiac.net (preferred - personal) 73623.3405@compuserv.com (Infrequently checked) http://www.tiac.net/users/gchase (home page)