Malicious Cryptography: Cryptovirology and Kleptography

Errata

This document covers errors in the first edition of the book "Malicious Cryptography: Exposing Cryptovirology." It encompasses technical errors, citation errors, etc. If you find an error of any kind, please e-mail it to adamy-at-acm-dot-org.

Section 11.1 references Chernoff's Theorem. However, Chernoff's theorem is not required to analyze the running time since it is such a simple case. Only one success is needed in finding a prime, not more. The choice of p is independent each time around, so the while loop that selects p corresponds to independent trials (Bernoulli trials) with a fixed failure probability. In m iterations of the while loop, the probability that no acceptable prime p is found is about (1-2/W)^m. So, this can be used to estimate the chances of finding p. The same analysis applies to finding q.
A reference at the beginning of section 10.4.5 is incorrect. It stated that M. Joye, P. Paillier, and S. Vaudenay are authors of "Generating RSA moduli with predetermined portion." The paper is entitled "Efficient Generation of Prime Numbers."
The year in reference [120] is wrong. The Golle et al paper was published in CT-RSA 2004. Also, the pages numbers have become known since the publication of "Malicious Cryptography." The pages are 163-178. It is Lecture Notes in Computer Science No. 2964. (The error resulted from the fact that the BibTex file had originally listed the 2003 unpublished manuscript of this paper that was available on the RSA Inc. website).
In Appendix A in the section entitled "Origins of Malicious Software": The titled of the book is "Shockwave Rider", not "Shockware Rider" (we got it right everywhere else in the book).
On page 108 it states "The value g is shared by all the users." Disregard this sentence. Though it is possible to do this (you have to tailor the selection of p and q around it) in general this is not the way g is found.
At the bottom of page 318 it states "Informally, the DDH problem is to distinguish with non-negligible probability the triple...". This needs to be changed to read, "Informally, the DDH problem is to distinguish with non-negligible advantage the triple...".
In the proof of Claim 2 on page 64 the definition of p_h has a typo. The bracket "]" is closed a bit too early. The bracket "]" should come to the right of " = 1". Also, there is an issue in the sentence just before the definition. p_h denotes the probability that the 2 (not 3) bits in bit position j other than b_i,,j exclusive-or to the value heads. We thank Dr. Christian Tobias for pointing this out.
There is a typo on pages 136-137. It should say "G be the group generated by g" not "G be the group generated by G".
There is a typo on page 389. It states "Kerchhoff's principle". It should state "Kerckhoffs' principle" (thanks to Justin Troutman for pointing this out).
There is a typo on page 116. "Chachin" should be spelled "Cachin".