APPLIED CRYPTOGRAPHY, Second Edition ERRATA Version 1.0 - 3 January 1996 This errata includes all errors I have found in the book, including minor spelling and grammatical errors. Please distribute this errata sheet to anyone else who owns a copy of the book. Page 11: Line 18, the reference should be "[703]" and not "[699]". Page 13: Fifth paragraph, first sentence, should read: "The German Enigma had three rotors, chosen from a set of five,...." Page 14: The last sentence should read: "The smallest displacement that indicates a multiple of the key length is the length of the key." Page 16: Third line from the bottom, "1.44" makes more sense as "1.544". Page 18: Table 1.1, second item. 1 in 4,000,000 is 2^22. Page 53: Second to last sentence about SKEY should read: "Similarly, the database is not useful to an attacker." Page 61: Step (3), the second message should contain A instead of B. Page 62: In the third line, there's a comma missing. Page 63: Second protocol, step (2), the second message should be "S_T(C,K_C)". Page 70: In the first step (4), the equation should be "R XOR S = M". In the second step (2), it should be "to generate U". Page 77: In step (2), the message is signed with Trent's private key. And T_n is mistakenly both the time and the timestamp. Page 82: Fourth line from the bottom, the correct expression is "up and died." Page 99: Tenth line from the bottom, delete the second word: "will". Page 104: Graph isomorphism has never been proven to be an NP-Complete problem. It does seem to be hard, and is probably useful for cryptography. Page 105: In Step (2), Peggy gives Victor a copy of H'. Page 112: Step (1) should read "Alice takes the document and multiplies it by a random value." Page 116: The protocol could be worded better. Step (3) should begin: "Alice decrypts Bob's key twice, once with each of her private keys." Step (4) should begin: "Alice encrypts both of her messages, each with a different one of the DES keys...." Page 126: The "Voting with Blind Signatures" protocol is a little more complicated. The voter does not send all the blinding factors in step (2). The CTF requests 9 of 10 blinding factors in step (3), and the voter sends only those blinding factors to the CTF. Page 134: Another problem with this protocol is that there are numerous ways that various participants can cheat and collude to find out the salary of another participant. These cheaters can misrepresent their own salaries during their attack. Page 135: Lines 13-14; technically Alice and Bob get no additional information about the other's numbers. Page 136: Lines 14-15; technically Alice and Bob get no additional information about the other's numbers. Page 144: Line 27, the odds should be "1 in n". Line 29, "step (2) should be "step (1)". Page 161: In the eleventh line from the bottom, "harnesses" should be "harnessed". Page 181: Line a should read "he does not know it" instead of "he does know it". Page 195: In line 13, the reference number should be [402]. Page 201: Error Propagation, lines 5-6. The sentence should read: "In 8- bit CFB mode, 9 bytes of decrypted plaintext are garbled by a single-bit error in the ciphertext." Page 202: Third to last line, toggling individual bits does not affect subsequent bits in a synchronous stream cipher. Page 203: Section 9.8, both equations should be "S_i = E_K(S_(i-1))". Page 209: Table 9.1. CFB, Security: Bits of the last block can be changed, not the first. CFB, Efficiency: The speed is the same as the block cipher only in 64-bit CFB. CFB and OFB, Efficiency: "Ciphertext is the same size as the plaintext" should be a plus. Page 217: The Table 10.1 headers got garbled. They should be: "Algorithm", "Confidentiality", "Authentication", "Integrity", and "Key Management". Page 246: The last line should be: "#define isEven(x) ((x & 0x01) == 0)". Page 249: Line 9, "Euclid's generalization" should be "Euler's generalization". Page 251: Lines 20-21. The sentence should read: "For example, there are 11 quadratic residues mod 35: 1, 4, 9, 11, 14, 15, 16, 21, 25, 29, and 30." See page 505 for more details. Page 258: In line 27, his name is spelled "Chandrasekhar". Page 275: Table 12.4; it should be a "48-Bit Input". Page 281: In line 4, "minuscule" is misspelled as "miniscule". Page 287: In Figure 12.6, there should be no period in X or Y. Page 292: Second line, "b_24" should be "b_26". In line 10, "1/2 - .0061" should be "1/2 + .0061". Page 295: Third line from the bottom, 2^(120/n) should be (2^120)/n. Page 300: In the first line, "56" should be "48". Page 319: In line 11, Section "25.13" should be "25.14". Page 322: Last line, the chip is 107.8 square mm. Page 338: In Figure 14.3 and in the first line, "f" should be "F". Page 340: Second equation should be "mod 256". Page 341: The current variants of SAFER are SAFER SK-40, SAFER SK-64, and SAFER SK-128, all with a modified key schedule, in response to a theoretical attack by Lars Knudsen presented at Crypto '95. Page 345: Lines 10 and 11; the + should be a -. Page 346: The reference number for BaseKing should be [402]. Page 352: In line 8, that second "l" should be an "r". Page 358: In the decryption equation of Davies-Price mode, the final D should be an E. Page 362: In the first equation, P is used to indicate both padding and plaintext. If P is plaintext and p is padding, then the equation should be: C = E_K3(p(E_K2(p(E_K1(P))))). Page 362: Figure 15.2 is wrong. The middle and top rows of "Encrypt," and the plaintext feeding them, are shifted right by 1/2 block from where they should be. Page 363: The parenthetical remark would be clearer as: "encryption with one of n different keys, used cyclically". Page 363: Second to last line, the equation should have an I_2 in place of the I_1. Page 367: Second equation, "P XOR K_3" should be "C XOR K_3". Page 369: A maximal period linear congruential generator as a period of m, not m-1. Page 375: Third paragraph should read: "It is easy to turn this into a maximal period LFSR. The highest exponent is the size of the register, n. Number the bits from n-1 to 0. The numbers, including the 0, specify the tap sequence, counting from the left of the register. The x^n term of the polynomial stands for the input being fed into the left end." The next paragraph is wrong. Page 379: Second line of code has an extra close parentheses. Page 380: The forth line should begin: "On the other hand, an astonishingly...." Page 393: In Figure 16.16, there should be an arrow from b_4 to the Output Function. Page 393: Second sentence should be: "It's a method for combining multiple pseudo-random streams that increases their security." Page 429: The second sentence should be: "It returns a fixed-length hash value, h." Page 431: In step (2), "prepend" instead of "append". Page 440: In item 3, there is an "AND" missing in the equation. Page 441: The compression function of MD2 is confusing without the indentations. The two for-loops are nested, and include the next two statements. Page 444: In figure 18.7, the a, b, c, d, and e variables are backwards. Page 445: Line 14, SHA should be compared to MD4. Page 447: Lines 3-4 should read: "...CBC in [1145], CBC in [55,56,54]...." Page 449: Figure 18.9, M_i and H_i-1 in the upper-left diagram should be reversed. Page 456: Table 18.2. Encryption speed should be in "kilobytes/second", and "SNEERU" should be "SNEFRU". Page 457: Lines 3 and 4, the ending "-1" and "-2" should be superscripts. Page 465: In the third line of text, the number should be n^-1. Page 470: The second to last line is missing an "is". Page 480: An additional reference for elliptic-curve cryptosystems is N. Koblitz, A Course in Number Theory and Cryptography, Springer-Verlag, 1988. This is an excellent book, and omitting it was an oversight. Page 489: Caption to Table 20.3 should specify an "80386 33 MHz personal computer". Page 495: In Step (8), the constant should be "0x7fffffff". Page 497: Delete the fourth equation in the list of verification equations. Page 499: ESIGN, seventh line: "m-1 should be "n-1". Page 505: In step 3, the third sentence should be: "If Victor's first bit is a 1, then s_1 is part of the product...." Page 514: In step (1), Alice must sent X to Bob. Page 515: In line 1, "commutitive" is misspelled as "communitive". Page 515: Hughes. Step (2): In order for step (4) to work, y must be relatively prime to n-1 else the inverse function in step (4) won't work. If n is a strong prime such that (n-1)/2 is also prime, then y can be any odd random large integer except for (n-1)/2. In step (4), Bob computes: z=y^-1 mod (n-1). Page 516: In the Station-to-Station protocol, the exponentiation is missing. In step (1), Alice sends Bob g^x mod p. In step (2), Bob computes the shared key based on g^x mod p and y. He signs g^x mod p and g^y mod p, and encrypts the signature using k. He sends that, along with g^y mod p, to Alice. In step (3), Alice sends a signed message consisting of g^x mod p and g^y mod p, encrypted in their shared key. Page 529: Line 13 should be a polynomial of degree 5, not 6. Page 535: The technique wherein Mallory leaks 10 bits of DSA secret per signature, can be sped up by a factor of 16 or so. Instead of choosing a 4-bit block randomly and then searching for a k that leaks the correct 14 bits, he can just use the low 4 bits of r to select the block of the signature to leak (no need to have an opaque subliminal channel) and he only has to check an average of 1024 k values until the bits sent out over the 10 subliminal channels match the 10 bits of the secret selected by r = (g^k mod p) mod q. Page 568: In the Kerberos Version 5 Messages, step 3, the final "s" should not be subscripted. Page 586: Figure 24.7, in the key the arrow should point from y to x. Page 586: Seventh line, "revokation" should be spelled "revocation". Page 589: Section 24.15, fourth line: "Nambia" should be "Namibia". Page 592: The equation is wrong. The structure of the LEAF is "E_KF(U,E_KU(K_S),C)", where U is the 32-bit unit ID, K_S is the 80-bit session key, and C is a 16-bit checksum of K_S and the IV (and possibly other material) used by the receiving chip to ensure that it has a valid LEAF. Page 604: Fourth line from the bottom should read: "to U.S. patent law." Page 606: In lines 12 and 13, the cross-references are to chapter 18. Page 607: In Table 25.4, the column headers are reversed. Page 610: Sixth line should read "it is filed", not "it is filled". Page 683: In reference 210, the title of the paper is "A Comparison of Three Modular Reduction Functions". Page 705: In reference 727, subscript should be a superscript. This errata is updated periodically. For a current errata sheet, send a self-addressed stamped envelope to: Bruce Schneier, Counterpane Systems, 101 East Minnehaha Parkway, Minneapolis, MN 55419; or send electronic mail to: schneier@counterpane.com.