
📄 errata

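📁 Companion source code for "Applied Cryptography: Protocols, Algorithms, and Source Code in C" (second edition). Something many people need.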
the XOR function) are 110010.  The first and last bits combine to
form 10, which corresponds to row 2 of the sixth S-box.  The
middle four bits combine to form 1001, which corresponds to
column 9 of the same S-box.  The entry under row 2, column 9 of
S-box 6 is 0.  (Remember, we count rows and columns from 0, and
not from 1.)  The value 0000 is substituted for 110010.

Page 230:  Fifth sentence:  "bit 4 moves to bit 21, while bit 23
moves to bit 4" should be "bit 21 moves to bit 4, while bit 4
moves to bit 31".  Second to last line:  delete "The key shift is
a right shift".

Page 231:  Table 10.9, sixth line:  "80286" should be "80386".

Page 233:  The second two weak keys should be:
   1F1F 1F1F 0E0E 0E0E     00000000 FFFFFFFF
   E0E0 E0E0 F1F1 F1F1     FFFFFFFF 00000000

Page 236:  Fifth paragraph: "would never be low enough" should be
"would never be high enough".

Page 238:  Next to last line before "Additional Results": 
"NSA's" should be "IBM's".

Page 238:  "Differential Cryptanalysis," third paragraph: 
"(1/16)^2" should be "(14/64)^2".

Page 239:  Figure 10.4:  "14/16" should be "14/64".

Page 242:  Table 10.14:  In "XORs by additions" line, "2^39,2^3"
should be "2^39,2^31".  In "Random" line, "2^21" should be
"2^18-2^20".  In "Random permutations" line, "2^44-2^48" should
be "2^33-2^41".

Page 245:  Line 11:  "8 bits is" should be "8 bits was".

Page 247:  Section heading, "Cryptanalysis of the Madryga" should
be "Cryptanalysis of Madryga".

Page 250:  The two functions should be:
   S_0(a,b) = rotate left 2 bits ((a+b) mod 256)
   S_1(a,b) = rotate left 2 bits ((a+b+1) mod 256)
Note the difference in parentheses.

Page 250:  Figure 11.4:  Note that a is broken up into four 8-bit
substrings, a_0, a_1, a_2, and a_3.

Page 251:  Figure 11.6:  The definitions for S_0 and S_1 are
incorrect ("Y = S_0" and "Y = S_1").  See corrections from
previous page.  Also, "S1" should be "S_1".

Page 254:  "REDOC III," second sentence: "64-bit" should be
"80-bit".  "Security of REDOC III," second sentence:  Delete
clause after comma:  "even though it looks fairly weak."

Page 259:  First line:  "made the former algorithm slower" should
be "made Khafre slower".

Page 262:  Figure 11.9:  There is a line missing.  It should run
from the symbol where Z_5 is multiplied with the intermediate
result to the addition symbol directly to the right.

Page 263:  Table 11.1:  The decryption key sub-blocks that are
Z_n^(m)-1 should be Z_n^((m)-1).  Also, the second and third
column of decryption key sub-blocks in rounds 2 through 8 should
be switched.

Page 264:  First line:  "107.8 mm on a side" should be "107.8
square mm".

Page 265:  Figure 11.10:  There is a line missing.  It should run
from the symbol where Z_5 is multiplied with the intermediate
result to the addition symbol directly to the right.

Pages 266-7:  Since the publication of this book, MMB has been
broken.  Do not use this algorithm.

Page 267:  Sixth line from bottom:  Reference should be "[256]".

Page 269:  "Skipjack."  First paragraph.  Reference should be
"[654]".

Page 270:  "Karn."  Third paragraph.  Last sentence:  "append C_r
to C to produce" should be "append C_r to C_l to produce".

Page 270-1:  "Luby-Rackoff."  Step (4), equation should be:
     "L_1 = L_0 XOR H(K_r,R_1)"
In step (6), equation should be:
     "L_2 = L_1 XOR H(K_r,R_2)"

Page 271:  Middle of the page:  "(for example, MD2, MD5, Snefru"
should be "(for example, MD2, MD4, Snefru".

Page 272:  Second to last line:  "But it is be analyzed" should
be "but it is being analyzed".

Page 275:  Second to last paragraph:  "Using 1028 bits" should be
"using 1024 bits".

Page 277:  First lines:  The correct street address is "310 N
Mary Avenue" and the correct telephone number is "(408)
735-5893".

Page 278:  Second to last line: "greater than the largest number
in the sequence" should be "greater than the sum of all the
numbers in the sequence".  The example on page 279 is also wrong.
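Why the page 278 correction matters, as an added example that is not from the book or its source disk: every 6-bit block is encrypted and decrypted with a Merkle-Hellman knapsack, once with a modulus above the sum of the private sequence and once with a modulus that only exceeds its largest element. The private sequence, the multiplier 31 and both moduli are values constructed for this illustration.

```c
#include <stdio.h>

#define K 6
/* Constructed private key: superincreasing, largest element 52, sum 103. */
static const int priv[K] = {2, 3, 6, 13, 27, 52};

/* Brute-force modular inverse of n mod m; returns 0 if none exists. */
static int inverse(int n, int m)
{
    int i;
    for (i = 1; i < m; i++)
        if (n * i % m == 1) return i;
    return 0;
}

/* Encrypt and decrypt every K-bit block with multiplier n and modulus m.
 * Returns the number of blocks that do not decrypt to themselves. */
int failures(int n, int m)
{
    int ninv = inverse(n, m), bad = 0, x, i;
    for (x = 0; x < (1 << K); x++) {
        int c = 0, s, got = 0;
        for (i = 0; i < K; i++)          /* public weight = priv*n mod m */
            if (x >> i & 1) c += priv[i] * n % m;
        s = c % m * ninv % m;            /* undo the multiplier */
        for (i = K - 1; i >= 0; i--)     /* greedy superincreasing solve */
            if (s >= priv[i]) { s -= priv[i]; got |= 1 << i; }
        if (s != 0 || got != x) bad++;
    }
    return bad;
}

int main(void)
{
    /* 105 exceeds the sum (103); 53 only exceeds the largest element (52). */
    printf("modulus 105: %d of 64 blocks fail\n", failures(31, 105));
    printf("modulus  53: %d of 64 blocks fail\n", failures(31, 53));
    return 0;
}
```

With the smaller modulus, any block whose private subset sum reaches the modulus is reduced before the greedy solve and decrypts to a different block or to nothing.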

Page 281:  Third paragraph:  The correct street address is "310 N
Mary Avenue" and the correct telephone number is "(408)
735-5893".

Page 283:  Table 12.2:  "PRIVATE KEY: d e^(-1)" should be
"PRIVATE KEY: d = e^(-1)".

Page 284:  Fifth line should be:
   "c = 1570 2756 2091 2276 2423 158".

Page 286:  Third paragraph:  "Eve gets Alice to sign y," "y"
should be italicized.  Second to last line:  "Eve wants to Alice
to" should be "Eve wants Alice to".

Page 287:  Last line:  Wiener's attack is misstated.  If d is
less than one-quarter the length of the modulus, then the attack
can use e and n to find d quickly.

Page 288:  The correct street address is "310 N Mary Avenue" and
the correct telephone number is "(408) 735-5893".

Page 289:  The correct street address is "310 N Mary Avenue" and
the correct telephone number is "(408) 735-5893".

Page 291:  Fourth line:  "factoring, and it" should be
"factoring.  However, it".  "Feige-Fiat-Shamir," second
paragraph: "all foreign nationals" should be "all foreign
citizens".

Page 292:  Fifth line:  "sqrt(x/v)" should be "sqrt(1/v)".

Page 294:  Second and third lines:  "Bob" should be "Victor."

Page 295:  First line:  "t random integers fewer than n" should
be "t random numbers less than n".

Page 297:  Last line:  "when" should be "where".

Page 301:  Middle of the page:  Delete the sentence "Since the
math is all correct, they do this step."

Page 302:  Fourth line from bottom:  "a" should be in italics.

Page 303:  "Authentication Protocol," step (1):  Add "She sends x
to Victor."

Page 305:  Third paragraph, parenthetical remark:  "NIST claimed
that having DES meant that both that both the algorithm and the
standard were too confusing" should be "NIST claimed that having
DES mean both the algorithm and the standard was too confusing".

Page 306:  Eighth line:  "cryptographers' paranoia" should be
"paranoia".

Page 307:  "Description of the Algorithm":  "p = a prime number
2^L bits long" should be "p = a prime number L bits long".  "g =
h^((p-1)/q)" should be "g = h^((p-1)/q) mod p".

Page 309:  Third line:  "random k values and then precompute r
values" should be "random k-values and then precompute r-values".

Page 313:  "Subliminal Channel in DSS":  "see Section 16.7"
should be "see Section 16.6".

Page 314:  Protocol, step (1):  "when" should be "where".

Page 316:  Third and fourth paragraphs:  "k'" and "n'" should be
"k" and "n".

Page 318:  "Other Public-Key Algorithms," third paragraph: 
"methods for factorizing polynomials was invented" should be
"methods for factoring polynomials were invented".

Page 319:  There should be a blank line before "discrete
logarithm:" and another before "factoring:".  Fourth line from
the bottom:  "depends more on the" should be "depends on more
than the".

Page 321:  Third line:  "when h" should be "where h".

Page 322:  Second paragraph:  "over 500 pairs of people" should
be "253 pairs of people".

Page 326: In the definition of h_i, "H_(i-1)" should be
"h_(i-1)".

Page 330:  Definitions of FF, GG, HH, and II are wrong.  These
are correct:
   FF:  "a = b + ((a + F(b,c,d) + M_j + t_i) <<< s)"
   GG:  "a = b + ((a + G(b,c,d) + M_j + t_i) <<< s)"
   HH:  "a = b + ((a + H(b,c,d) + M_j + t_i) <<< s)"
   II:  "a = b + ((a + I(b,c,d) + M_j + t_i) <<< s)"

Page 332:  Round 4, second entry:  "0x411aff97" should be
"0x411aff97".

Page 335:  Fifth line should be:
   "K_t = CA62C1D6, for the fourth 20 operations".
Eleventh line:  "represents a left shift" should be "represents a
circular left shift".

Page 336:  "HAVAL," sixth line:  "160, 92, 224" should be "160,
192, 224".

Page 339:  "LOKI Single Block":  In computation of Hi, drop final
"XOR M_i". 

Page 340:  "Modified Davies-Meyer":  In computation of H_i, "M_i"
should be subscripted.

Page 342:  "Tandem Davies-Meyer":  In computation of W_i, "M_i"
should be subscripted.

Page 345:  "Stream Cipher Mac", first line:  "A truly elegant
MDC" should be "A truly elegant MAC".

Page 347:  Formula:  "aX_(n1)" should be "aX_(n-1)".  Second
paragraph:  "(For example, m should be chosen to be a prime
number.)" should be "(For example, b and m should be relatively
prime.)"

Page 351:  Second line of text:  "they hold current" should be
"they hold the current".

Page 353:  Third line:  ">> 7" should be ">> 31".  Fourth line: 
">> 5" should be ">> 6".  Fifth line:  ">> 3" should be ">> 4". 
Eighth line:  "(ShiftRegister)" should be "(ShiftRegister))". 
Tenth line:  "< 31" should be "<< 31".  Second paragraph:  "are
often used from stream-cipher" should be "are often used for
stream-cipher".

Page 356:  Source code:  "ShiftRegister = (ShiftRegister ^ (mask
>> 1))" should be "ShiftRegister = ((ShiftRegister ^ mask) >>
1)".

Page 360:  Equation should not be "l(2^1-1)^(n-1)", but
"l(2^l-1)^(n-1)".  (A letter, not a number.)

Page 362:  Figure 15.10:  "LFSR-B" should be "LFSR-A" and vice
versa.  The second "a(t+n-1)" should be "a(t+n-2)", and the
second "b(t+n-1)" should be "b(t+n-2)".

Page 363:  Fourth paragraph: "cellular automaton, such as an
CSPRNG" should be "cellular automaton as a CSPRNG".

Page 365:  "Blum-Micali Generator."  In the equation, "x_i"
should be an exponent of a, not a subscript.

Page 367:  Sixth paragraph:  "Ingmar" should be "Ingemar".

Page 370:  "Using Random Noise."  Second paragraph, last line: 
"output 2 as the event" should be "output 0 as the event".

Page 371:  Sixth line:  "access/modify times of/dev/tty" should
be "access/modify times of /dev/tty".

Page 371:  "Biases and Correlations," third line:  "but there
many types" should be "but there are many types".

Page 374:  "Generating Random Permutations."  Note that the
obvious way of shuffling, using random (n-1) instead of random
(i) so that every position is swapped with a random position,
does not give a random distribution.
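The page 374 note can be checked exhaustively. This added example (not the book's code) enumerates every sequence of random draws for a 3-element array under both rules and tallies the resulting orderings; the deck size of 3 and the helper names are choices made for this illustration.

```c
#include <stdio.h>

#define N 3      /* deck size, small enough to enumerate every draw */
#define NPERM 6  /* N! distinct orderings */

/* Rank a permutation of {0,1,2} as a unique index 0..5. */
static int perm_rank(const int *p) { return p[0] * 2 + (p[1] > p[2]); }

/* Enumerate every equally likely sequence of draws and tally the
 * orderings produced.  naive=1: position i swaps with a draw from the
 * whole array.  naive=0: position i swaps with a draw from 0..i only.
 * Returns the number of draw sequences enumerated. */
int tally(int naive, int counts[NPERM])
{
    int total = 1, code, i;
    for (i = 0; i < NPERM; i++) counts[i] = 0;
    for (i = 0; i < N; i++) total *= naive ? N : i + 1;
    for (code = 0; code < total; code++) {
        int a[N] = {0, 1, 2}, rest = code;
        for (i = N - 1; i >= 0; i--) {
            int radix = naive ? N : i + 1;   /* size of the draw range */
            int r = rest % radix, tmp = a[i];
            rest /= radix;
            a[i] = a[r];
            a[r] = tmp;
        }
        counts[perm_rank(a)]++;
    }
    return total;
}

/* Difference between the most and least frequent ordering (0 = uniform). */
int spread(const int counts[NPERM])
{
    int lo = counts[0], hi = counts[0], i;
    for (i = 1; i < NPERM; i++) {
        if (counts[i] < lo) lo = counts[i];
        if (counts[i] > hi) hi = counts[i];
    }
    return hi - lo;
}

int main(void)
{
    int c[NPERM], n = tally(1, c);
    printf("whole-array draws: %d sequences, spread %d\n", n, spread(c));
    n = tally(0, c);
    printf("shrinking draws:   %d sequences, spread %d\n", n, spread(c));
    return 0;
}
```

The whole-array rule produces 27 equally likely draw sequences, which cannot divide evenly over 6 orderings; the shrinking range produces exactly 6, one per ordering.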

Page 376:  Seventh line: "send a message, M" should be "send a
message, P".

Page 380:  Step (4):  "K(R_B)" should be "K(R_A)".

Page 383 and 386:  "LaGrange" should be "Lagrange".

Page 391:  Second protocol, step (1):  "in his implementation of
DES" should be "in his implementation of DSS".  Next sentence: 
"such that r is either q quadratic" should be "such that r is
either a quadratic".

Page 401:  Second to last line:  "and x is randomly chosen"
should be "and x is secret".

Page 402:  Step (1):  "when all values of r are" should be "where
all r_i are".  Step (2):  "for all values of r" should be "for
all values of i".  Step (4):  "when j is the lowest value of i
for which b_i = 1" should be "when j is the lowest value for
which b_j = 1".  Line 18:  "2^t" should be "2^(-t)".

Page 406:  Step (5):  "i<j" should be "i>j".

Page 409:  Third paragraph:  "measuring them destroys" should be
"measuring it destroys".  Fifth paragraph:  "it has no
probability" should be "it has zero probability".

Page 410:  Third line from bottom:  "British Telcom" should be
"British Telecom".

Page 417:  Last paragraph:  "Kerberos is a service Kerberos on
the network" should be "Kerberos is a service on the network".

Page 421:  Figure 17.2:  In the top message "C" should be lower
case.

Page 428:  "Privacy Enhanced Mail":  First line:  "adapted by the
Internet" should be "adopted by the Internet".

Page 435:  "RIPEM":  "Mark Riorden" should be "Mark Riordan".

Page 436:  "Pretty Good Privacy," third paragraph:  Delete fourth
sentence:  "After verifying the signature...."

Page 436:  Pretty Good Privacy is not in the public domain.  It
is copyrighted by Philip Zimmermann and available for free under
the "Copyleft" General Public License from the Free Software
Foundation.

Page 437:  Fifth line:  Delete "assess your own trust level". 
"Clipper," second paragraph:  reference should be
"[473]".  Fourth paragraph:  references should be
"[473,654,876,271,57]".

Page 438:  Middle of page:  reference should be "[654]". 
"Capstone," first paragraph:  reference should be "[655]".

Page 445:  The IACR is not the "International Association of
Cryptographic Research," but the "International Association for
Cryptologic Research."  This is also wrong in the table of
contents and the index.

Source Code:  The decrement operator, "--", was inadvertently
typeset as an m-dash, "-".  This error is on pages 496, 510,
511, 523, 527, 528, 540, and 541.  There may be other places as
well.

Page 472:  Third line: "2, 18, 11" should be "22, 18, 11". 
Eighteenth line: "for( i = 0; i<<16; i++ )" should be "for( i =
0; i<16; i++ )".

Page 473:  Function "cpkey(into)". "while (from endp)" should be
"while (from < endp)".

Page 478:  Fourth line: "leftt > 4" should be "leftt >> 4". 
Seventh line: "leftt > 16" should be "leftt >> 16".  Twentieth
line: "leftt > 31" should be "leftt >> 31".

Page 508:  Line 8:  "union U_INTseed" should be "union U_INT
seed".

Page 531:  "for( i = 0; i<; i++ )" should be "for( i = 0; i<2;
i++ )".

Page 558:  "#defineBOOLEAN int" should be "#define BOOLEAN int",
"#defineFALSE0" should be "#define FALSE 0", and
"#defineTRUE(1==1)" should be "#define TRUE (1==1)".

Page 564:  "#define BOOLEANint" should be "#define BOOLEAN int",
"#define FALSE0" should be "#define FALSE 0", and
"#defineTRUE(1==1)" should be "#define TRUE (1==1)".

Page 569:  "rand() > 11" should be "rand() >> 11".

Page 569:  In "G13.H", "#define G13int" should be "#define G13
int".

Page 571:  Reference [14]:  "Hopcraft" should be "Hopcroft".

Page 572:  Reference [45]:  "Haglen" should be "Hagelin".

Page 576:  References [136] and [137]:  "Branstead" should be
"Branstad."

Page 576:  Reference [148]:  The authors should be G. Brassard,
C. Crepeau, and J.-M. Robert.

Page 578:  Reference [184]:  "Proof that DES Is Not a Group"
should be "DES Is Not a Group."  The correct page numbers are
512-520.

Page 582:  Reference [286]:  The article appeared in CRYPTO '89
Proceedings.

Page 589:  Reference [475]:  The publisher should be E.S. Mittler
und Sohn, and the publication date should be 1863.

Page 601:  References [835] and [836]:  "Branstead" should be
"Branstad."

Page 602:  Reference [842]:  "Solvay" should be "Solovay".

Page 603:  Reference [878]:  "Weiner" should be "Wiener."


This errata is updated periodically.  For a current errata sheet,
send a self-addressed stamped envelope to:  Bruce Schneier,
Counterpane Systems, 730 Fair Oaks Ave., Oak Park, IL  60302; or
send electronic mail to: schneier@chinet.com.
