Errors and Omissions:

(Errors in black have been fixed in the paperback printing.  Errors in blue have not.)

In Section 1.3, on page 13, the second example should be:

26 = 6 × 4 + 2
6 = 2 × 3 + 0

Also, just under that example it should say “We see that 6 is a bad key, since 2 divides 6 and 2 divides 26.”

In Section 1.6, on page 23, the last paragraph should say that the number of good keys for a Hill cipher is about 160,000 for a block size of 2, and about 1,600,000,000,000 for a block size of 3.

In Section 1.6, on page 24, near the end of the second paragraph it should say “Even in 1929, Hill designed a machine that used a set of gears to mechanically encipher texts using block size 6 and was thus essentially unbreakable using frequency analysis.”  [Chris Christensen points out that the machine seems never to have been built.]

In Section 1.7, on page 26, we find that the example does not work as stated because (5 × 24 − 22 × 5) does not have an inverse modulo 26.  If Eve was in this position she would have to try again with a different pair of plaintext blocks.  For example, if she used the first and last block she would find (10 × 24 − 1 × 5) does have an inverse, so she could finish the attack.

(In the paperback printing, the example on page 26 is correct except that the equation for k1 should be:


In Section 2.1, on page 30, in the first paragraph the four symbols described should each occur with just over 3% frequency, not 4%.

In Section 2.2, on page 35, the last paragraph should say:

On the other hand, the following ciphertext can be calculated to have an index of coincidence of approximately .046—not as low as random text, but much lower than a simple substitution cipher in the majority (though not all) of the world’s most commonly spoken languages.

In Section 2.5, on pages 44, 45, and 47, the numbers .038 and .066 are consistently switched.  The probability that two letters enciphered the same way are the same is .066, and so is the index of coincidence if ℓ=1.  The probability that two letters enciphered with different keys are the same is .038, and so is the index of coincidence if ℓ=n.  For n = 25 and ℓ = 4, we would expect the index to be about (5.25/24) × .066 + (18.75/24) × .038, which is about .044.  The first equation on page 47 has the numbers switched but the second equation is correct.

In Section 2.5, on page 50, the second line marked “keyword 2” should end in “E E E”.

In Section 2.5, in the middle of page 51, it should say “So going back to our mystery ciphertext from page 46”.

The caption for Table 2.5 on page 54 should say “Sums of the letter frequencies for each
possible key applied to column II of our ciphertext” and the first (partial) paragraph on page 55 should end with “Table 2.5 shows the sums of the frequencies for
each possible key applied to the second column of the ciphertext.”

Figure 2.3 on page 59 was created by Wikipedia user “Matt Crypto”.

Figure 2.5 on page 60 was created by Eric Pierce, Wikipedia user name “Wapcaplet”.

Figure 2.6 on page 65 was created by Wikipedia user “RadioFan”.

In Section 2.8, in the example on page 65, the second-last line should be:

minus 1: 5 8 11 14 17 20 23 26 3 · · · 22 25 2

Figure 3.1 should be:

Figure 3.1. A scytale.

In Section 3.3, at the bottom of page 84, there are two ! symbols missing.  It should say:

Mathematicians use the symbol n! to represent this number and call it the factorial of n, or just n factorial. Factorials get pretty big pretty fast; for example 12! = 479,001,600, so there are 479,001,600 different permutation ciphers using 12-letter groups.

In Section 3.6, the first sentence of the last paragraph on page 99 should say “The grand total turns out to be ≈ 41.387; dividing that by 23 (the number of rows minus 1) gives ≈ 1.799 for the variance.”

At the beginning of Sidebar 5.1, on page 150, it should say “When you got to the part of this book about the contact method, in Section 3.7”.

In Sidebar 5.1, in the second paragraph on page 151, it should say “The chance of picking the letter a (for instance) out of the suspected plaintext is na / n“.

In the first paragraph of Section 5.3, on page 157, it should say “His idea was to use the plaintext itself as a “key” to construct the ciphertext”.

Also in Section 5.3, on page 157, the end of the first example is incorrect.  It should be (and the ciphertext on the next page should match):

        keystream: O N O N C A S T I O N C O N C
        plaintext: o n c a s t i n g t h e d i e
       ciphertext: D B R O V U B H P I V H S W H

Still in Section 5.3, on page 159, just before the second example on that page, it should say “For example, we could apply the 25P + 1, or atbash, transformation to each plaintext
letter before using it”.

In Figure 5.2, the picture for “ECB encryption” should be:


Figure 5.15 should be:

Figure 5.15. The Trivium cipher.

In Sidebar 6.1, near the bottom of page 198, it should say “If n = paqbrc is a product containing three different primes”.

In Section 7.4, at the top of page 217, the first sentence of the paragraph should say “What the factoring problem was missing was a trap door”, and the end of the paragraph should say “the one-way function of multiplication would be the trap door in the one-way function of exponentiation.”

In Section 7.7, on pages 229 and 230, “Zanzibar” is unfortunately misspelled in the example.  (“Zanzibari” is also misspelled on page 230.)  The second line of each part of the example should be:

        plaintext: za    nz      ib     ar     zo     os
          numbers: 0, 1  14, 0   9, 2   1, 18  0, 15  15, 19
         together: 001   1400    902    118    015    1519
 to the 3rd power: 1     1585    3022   2364   3375   581

       ciphertext: 1     1585    3022   2364   3375   581
 to the 1/3 power: 1.00  11.66   14.46  13.32  15.00  8.34
plaintext numbers: 001   ??      ??     ??     015    ??
        plaintext: za    ??      ??     ??     zo     ??

Also in Section 7.7, the chosen-ciphertext attack example on page 230 is incorrect.  The modulus n should be 4069, the encryption exponent e should be 749, and Eve’s “ciphertext” should be:

    “ciphertext”: 3029 1064 1402 3   5    1172 3917 1483
to the dth power: 1612 501  1905 243 3125 2008 114  1119
     “plaintext”: pl   ea   se   b?  ?y   th   an   ks

Also in Section 7.7,  at the bottom of page 231, it should say:

2214 ≡ P 3 modulo 3763      and      2019 ≡ P 17 modulo 3763.

In Appendix A, on page 239 (and also in the Index), Malcolm Williamson’s name is misspelled.

In Section 8.3, at the bottom of page 256, the last equation should be:

Also in Section 8.3, the second set of equations on page 257 should be:


Still in Section 8.3, on page 259, the second and third equations should be:

32 = 53 + 17


32 ≡ 53 + 17 modulo 7

In Section 8.5, on page 274, in the middle of the second paragraph, it should say:  “As the name suggests, Dual EC DRBG uses two elliptic curve discrete logarithm problems.”

The caption for Figure 9.13 should read:   “A good set of generators (top) and a bad set of generators (bottom) for the same lattice.”

In Section 9.2, on page 289, the letter t should correspond to the number 20 in four places.

In Section 9.3, near the bottom of page 293, it should say “Such a filter is designed to let photons through only if they are vibrating in the same direction as the filter.”

Figure 9.17 should be:

Figure 9.17. Polarized photons after passing through a filter.


In Section 1.3, in the middle of page 7, it should say  “Well, we should translate our letters into numbers, of course.”

Also in Section 1.3, in the first paragraph of page 15, “a number and its inverse” should not have an apostrophe.

In Section 2.7, near the bottom of page 57, it should say “tabula recta encryption”.

In Sidebar 3.1, the ratio of the perimeter of a circle to its diameter should be 3.14159….

The caption for Table 5.1 should read “A series of ciphertexts encrypted with the same running key.”

In Section 5.4, after the second displayed equation on page 169, it should say “where i and j tell us how far back in the keystream to go”.

On pages 175, 180, and 323, it should say “LFSR” and “NLFSR” instead of “LSFR” and “NLSFR”.

In Section 9.2, on page 287, the first sentence of the first full paragraph should say “How do we make that into an asymmetric-key cryptographic system?”

In the List of Symbols, page 303, the third entry should be:

C    A number representing ciphertext.    16

In the Notes, on page 310, it should say:

(Page 66) once every 26 letters: Note that in most versions of the famous German Enigma rotor machine, the motion is more complicated than this.

In the Notes, on page 324, it should say:

(Page 177) various logistical reasons: Audio data or file transfers would need to be
carefully synchronized; raw digital data collection requires access to the phone itself
or a computer connected to it, and so on.

In the Notes, on page 336, it should say:

(Page 268) Alice signs and then encrypts

Other notes:

Karst Koymans and Liu Mingxing both pointed out an even faster way to do the multiplication on page 189.  Start by making a table of P2, P3, …, P10.  This takes 9 multiplications.  Then use P10 to make another table of P20, P30, …, P100, taking another 9 multiplications.  Now use P100 to calculate P200, P300, P400, P500, P600, P700, taking 6 more multiplications.  Finally, multiply P700 from the third list by P60 from the second list and P9 from the first list with 2 more multiplications, for 26 total.   (Incidentally, the method using binary numbers mentioned in the note on page 326 takes only 11 multiplications.)

Thanks to Richard Bean, Chris Christensen, John Fuqua, Tom Jerardi, Steve Greenfield, Karst Koymans,  Liu Mingxing, and David Miller.  (So far.)  My apologies to anyone I’ve forgotten.