On page 14, in the second paragraph under "Achieving Semantically Secure Encryption," all instances of "**DRBG**(*K*, *R*)" should instead be "**DRBG**(*K* || *R*)"

On page 32, the caption for Listing 2-3 is incorrect. The script shows the evolution of /dev/random, not /dev/urandom.

On page 70, in the second paragraph under "Ciphertext Stealing," the sentence "The last, incomplete ciphertext block is made up of the first blocks from the previous ciphertext block . . ." should instead say "The last, incomplete ciphertext block is made up of the first bits from the previous ciphertext block . . ."

On page 73, step 1 of the meet-in-the-middle attack has the equation

*C* = **E**(*K*_2**E**(*K* _1*P*)). This equation should instead be *C* = **E**(*K*_2, (**E**(*K*_1, *P*).

On page 73, in the last paragraph, 2^^{56} elements of 15 bytes each should come out to 1 exabyte, not 128 petabytes.

On page 92, in the first paragraph of the RC4 section, Wireless Equivalent Privacy should be Wired Equivalent Privacy. The acronym list should also reflect this change.

On page 107, the SHA-256 hash values for a, b, and c are incorrect. They should be replaced with the following:

SHA-256("a") = ca978112ca1bbdcafac231b39a23dc4da786eff8147c4e72b9807785afee48bb

SHA-256("b") = 3e23e8160039594a33894f6564e1b1348bbd7a0088d42c4acb73eeaed59c009d

SHA-256("c") = 2e7d2c03a9507ae265ecf5b5356885a53393a2029d241394997265a1a25aefc6

On page 152, the sentence beginning "To authenticate the ciphertext, GCM uses a Wegman–Carter MAC (see Chapter 7) to authenticate the ciphertext..." should instead say "To authenticate the ciphertext, GCM uses a Wegman–Carter MAC (see Chapter 7)..."

On page 154, the equation for

*T*_2 should be *T*_2 = **GHASH**(*H*, *A*_2, *C*_2) + **AES**(*K*, *N* || 0).

On page 181, Listing 10-1 is incorrect. It should be replaced with the following:

sage: p = random_prime(2^32); p

1103222539

sage: q = random_prime(2^32); q

17870599

sage: n = p*q; n

19715247602230861

sage: phi = (p-1)*(q-1); phi

19715246481137724

sage: e = random_prime(phi); e

13771927877214701

sage: d = xgcd(e, phi)[1]; d

15417970063428857

sage: mod(d*e, phi)

1

On page 189, in the second paragraph, the sentence "Here’s how this works:

because *S *can be written as (*R^*^{e}M)^^{d} = *R^*^{ed}M^^{d}, and because *R^*^{ed} = *R *is equal to *R*^{ed} = *R *(by definition)..." should instead be "Here's how this works: because *S* can be written as (*R^*^{e}M)^^{d} = *R^*^{ed}M^^{d}, and because *R^*^{ed} = *R* (by definition)...

"

On page 243, the paragraph starting with "Note, however, that TLS 1.3 supports many options and extensions . . ." should be deleted. The information is repeated in the note below.

On page 264, the arrow placement for figure 14-5 is slightly inaccurate. Please refer to the below figure instead: