On page 4, in the first paragraph, the sentence "A cryptanalyst can then deduce that the key’s length is either nine or a value divisible by nine (that is, three)." should instead say "A cryptanalyst can then deduce that the key’s length is either nine or a value that divides nine (that is, three)."

On page 13, the last sentence of the second paragraph under "Semantic Security and Randomized Encryption: IND-CPA" should say "Decryption remains deterministic, however, because given **D**(K, R, C), you should always get P, regardless of the value of R."

On page 14, in the second paragraph under "Achieving Semantically Secure Encryption," all instances of "**DRBG**(*K*, *R*)" should instead be "**DRBG**(*K* || *R*)"

On page 28, the S_*k*+624 equation should use the constant 0x7fffffff instead of 0xffffffff.

On page 32, the caption for Listing 2-3 is incorrect. The script shows the evolution of /dev/random, not /dev/urandom.

On page 70, in the second paragraph under "Ciphertext Stealing," the sentence "The last, incomplete ciphertext block is made up of the first blocks from the previous ciphertext block . . ." should instead say "The last, incomplete ciphertext block is made up of the first bits from the previous ciphertext block . . ."

On page 73, the second paragraph shows the equation **E**(*K*_1, **E**(*K*_2, *P*)). This equation should instead be **E**(*K*_2, **E**(*K*_1, *P*)).

On page 73, in the last paragraph, 2^^{56} elements of 15 bytes each should come out to 1 exabyte, not 128 petabytes.

On page 84, the state values after "Repeating the operation four times...," should be the following:

0 1 1 1

1 1 1 0

1 1 0 0

0 0 0 1

And the subsequent paragraph should say "And as you can see, the state after six updates is the same as the initial one, demonstrating that we’re in a period-6 cycle and proving that the LFSR’s period isn’t the maximal value of 15."

On page 92, in the first paragraph of the RC4 section, Wireless Equivalent Privacy should be Wired Equivalent Privacy. The acronym list should also reflect this change.

On page 100, in the third paragraph, the sentence "The brute-forcing takes 2^36 operations, a computation that dwarfs the unrealistic 2^220 * 2^31 = 2^251 trials..." should instead say "The brute-forcing takes 2^36 operations, a computation that is dwarfed by the unrealistic 2^220 * 2^31 = 2^251 trials..."

On page 107, the SHA-256 hash values for a, b, and c are incorrect. They should be replaced with the following:

SHA-256("a") = ca978112ca1bbdcafac231b39a23dc4da786eff8147c4e72b9807785afee48bb

SHA-256("b") = 3e23e8160039594a33894f6564e1b1348bbd7a0088d42c4acb73eeaed59c009d

SHA-256("c") = 2e7d2c03a9507ae265ecf5b5356885a53393a2029d241394997265a1a25aefc6

On page 147, in the paragraph under "Encrypt-then-MAC," the sentence "If the values are equal, the plaintext is computed as P = D(K1, C); if they are not equal, the plaintext is discarded." should instead say "If the values are equal, the plaintext is computed as P = D(K1, C); if they are not equal, the ciphertext is discarded."

On page 152, the sentence beginning "To authenticate the ciphertext, GCM uses a Wegman–Carter MAC (see Chapter 7) to authenticate the ciphertext..." should instead say "To authenticate the ciphertext, GCM uses a Wegman–Carter MAC (see Chapter 7)..."

On page 154, the equation for *T*_2 should be *T*_2 = **GHASH**(*H*, *A*_2, *C*_2) + **AES**(*K*, *N* || 0).

On page 165, in the fourth paragraph, where it says "when we say that an algorithm takes time in the order of *n*^3 operations (which is *quadratic complexity*)," it should instead say "when we say that an algorithm takes time in the order of *n*^3 operations (which is *cubic complexity*)."

On page 181, the last sentence of the first paragraph should say "(One year prior to RSA, Diffie and Hellman had introduced the concept of public-key cryptography, but their scheme was unable to perform public-key signatures.)"

On page 182, in the second paragraph under "The Math Behind RSA," the sentence "We say that these numbers form a group, denoted **Z**^*_*n*, and call the multiplicative group of integer modulo *n*." should instead say "We say that these numbers form a group, denoted **Z**^*_*n*, and call it the multiplicative group of integers modulo *n*."

On page 182, in the second paragraph under "The Math Behind RSA," the sentence "More precisely, RSA works on the numbers..." should be deleted.

On page 183, the last sentence of the second paragraph starting with "In other words..." should be deleted.

On page 184, Listing 10-1 is incorrect. It should be replaced with the following:

sage: p = random_prime(2^32); p

1103222539

sage: q = random_prime(2^32); q

17870599

sage: n = p*q; n

19715247602230861

sage: phi = (p-1)*(q-1); phi

19715246481137724

sage: e = random_prime(phi); e

13771927877214701

sage: d = xgcd(e, phi)[1]; d

15417970063428857

sage: mod(d*e, phi)

1

On page 189, in the fourth paragraph under "The PSS Signature Standard," the sentence "Although similar to PSS, OAEP has only been proven secure for encryption, not for signature." should instead say "Although similar to PSS, OAEP has only been proven secure for encryption, not for signatures."

On page 189, in the second paragraph, the sentence "Here’s how this works: because *S *can be written as (*R^*^{e}M)^^{d} = *R^*^{ed}M^^{d}, and because *R^*^{ed} = *R *is equal to *R*^{ed} = *R *(by definition)..." should instead be "Here's how this works: because *S* can be written as (*R^*^{e}M)^^{d} = *R^*^{ed}M^^{d}, and because *R^*^{ed} = *R* (by definition)..."

On page 191, in the third paragraph under "RSA Implementations," the sentence "The function EncryptOAEP() takes a hash value, a PRNG, a public key, a message, and a label (an optional parameter of OAEP), and returns a signature and an error code." should instead say "The function EncryptOAEP() takes a hash function, a PRNG, a public key, a message, and a label (an optional parameter of OAEP), and returns a signature and an error code."

On page 195, in the first paragraph under "The Chinese Remainder Theorem," the sentence "The most common trick to speed up decryption and signature verification (that is, the computation of *y^d* mod *n*) is the *Chinese remainder theorem (CRT)*." should instead read "The most common trick to speed up decryption and signature generation (that is, the computation of *y^d* mod *n*) is the *Chinese remainder theorem (CRT)*."

On page 196, in the first paragraph, the sentence "To apply this formula to our example and recover our *x* mod 1155, we take the arbitrary values 2, 1, 6, and 8; we compute *P*(3), *P*(5), *P*(7), and *P*(8); and then we add them together to get the following expression:" should instead say "To apply this formula to our example and recover our *x* mod 1155, we take the arbitrary values 2, 1, 6, and 8; we compute *P*(3), *P*(5), *P*(7), and *P*(11); and then we add them together to get the following expression:"

On page 215, in the first paragraph, the equation g^4 = 13 should instead be g^4 = 3.

On page 215, the sentence "The TLS protocol is the security behind HTTPS secure websites as well as the secure mail transfer protocol (SMTP)." should instead read "The TLS protocol is the security behind HTTPS secure websites as well as the Simple Mail Transfer Protocol (SMTP)."

On page 221, the second sentence in the first paragraph under "Adding Two Point" should read "and *R* is the reflection of this point with respect to the x-axis."

On page 227, the second equation on the page should be *wr* = *rk* / (*h* + *rd* ) = *v*

On page 227, the fifth equation on the page should be *u* + *vd* = *hk* / (*h* + *rd* ) + *drk* (*h* + *rd* ) = (*hk* + *drk* ) (*h* + *rd* ) = *k* (*h* + *dr* ) (*h* + *rd* ) = *k*

On page 239, the last sentence in the first paragraph should read "The organization that issued certificate 1 (GeoTrust) granted permission to Google Internet Authority to issue a certificate (certificate 0) for the domain name *www.google.com*, thereby transferring trust to Google Internet Authority."

On page 243, the paragraph starting with "Note, however, that TLS 1.3 supports many options and extensions . . ." should be deleted. The information is repeated in the note below.

On page 254, the end of the first equation should be "= (|0> + |1>) / √2." The end of the second equation should be "|Ф> = (i/√2, –1/√2)."

On page 260, the first paragraph under "Shor's Algorithm and the Discrete Logarithm Problem" should read "The challenge in the discrete logarithm problem is to find *x*, given *y* = *g^x* mod *p*, for some known numbers *g* and *p*. Solving this problem takes an exponential amount of time on a classical computer, but Shor's algorithm lets you find *x* easily thanks to its efficient period-finding technique."

On page 264, the arrow placement for figure 14-5 is slightly inaccurate. Please refer to the below figure instead: