One document matched: draft-kato-camellia-ctrccm-01.xml
<?xml version="1.0"?>
<?rfc symrefs='no'?>
<?rfc sortrefs='yes'?>
<?rfc toc='yes'?>
<?rfc strict='no'?>
<!DOCTYPE rfc SYSTEM 'rfc2119.dtd' [
<!ENTITY rfc2119 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml'>
]>
<!DOCTYPE rfc SYSTEM 'rfc2407.dtd' [
<!ENTITY rfc2407 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.2407.xml'>
]>
<!DOCTYPE rfc SYSTEM 'rfc3610.dtd' [
<!ENTITY rfc3610 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.3610.xml'>
]>
<!DOCTYPE rfc SYSTEM 'rfc2409.dtd' [
<!ENTITY rfc2409 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.2409.xml'>
]>
<!DOCTYPE rfc SYSTEM 'rfc2675.dtd' [
<!ENTITY rfc2675 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.2675.xml'>
]>
<!DOCTYPE rfc SYSTEM 'rfc4312.dtd' [
<!ENTITY rfc4312 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.4312.xml'>
]>
<!DOCTYPE rfc SYSTEM 'rfc4132.dtd' [
<!ENTITY rfc4132 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.4132.xml'>
]>
<!DOCTYPE rfc SYSTEM 'rfc3657.dtd' [
<!ENTITY rfc3657 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.3657.xml'>
]>
<!DOCTYPE rfc SYSTEM 'rfc3686.dtd' [
<!ENTITY rfc3686 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.3686.xml'>
]>
<!DOCTYPE rfc SYSTEM 'rfc4301.dtd' [
<!ENTITY rfc4301 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.4301.xml'>
]>
<!DOCTYPE rfc SYSTEM 'rfc4302.dtd' [
<!ENTITY rfc4302 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.4302.xml'>
]>
<!DOCTYPE rfc SYSTEM 'rfc4303.dtd' [
<!ENTITY rfc4303 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.4303.xml'>
]>
<!DOCTYPE rfc SYSTEM 'rfc4306.dtd' [
<!ENTITY rfc4306 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.4306.xml'>
]>
<!DOCTYPE rfc SYSTEM 'rfc4309.dtd' [
<!ENTITY rfc4309 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.4309.xml'>
]>
<!DOCTYPE rfc SYSTEM 'rfc2411.dtd' [
<!ENTITY rfc2411 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.2411.xml'>
]>
<!DOCTYPE rfc SYSTEM 'rfc4051.dtd' [
<!ENTITY rfc4051 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.4051.xml'>
]>
<!DOCTYPE rfc SYSTEM 'rfc3713.dtd' [
<!ENTITY rfc3713 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.3713.xml'>
]>
<!DOCTYPE rfc SYSTEM 'rfc4106.dtd' [
<!ENTITY rfc4106 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.4106.xml'>
]>
<rfc ipr="full3978" category="info" docName="draft-kato-camellia-ctrccm-01">
<front>
<title abbrev="Camellia-CTR and Camellia-CCM algorithms">
Camellia Counter mode and Camellia Counter with CBC Mac mode algorithms
</title>
<author initials="A." surname="Kato"
fullname="Akihiro Kato">
<organization>
NTT Software Corporation
</organization>
<address>
<phone>+81-45-212-7577</phone>
<facsimile>+81-45-212-7800</facsimile>
<email>akato@po.ntts.co.jp</email>
</address>
</author>
<author initials="M." surname="Kanda"
fullname="Masayuki Kanda">
<organization>
Nippon Telegraph and Telephone Corporation
</organization>
<address>
<phone>+81-422-59-3456</phone>
<facsimile>+81-422-59-4015</facsimile>
<email>kanda.masayuki@lab.ntt.co.jp</email>
</address>
</author>
<date/>
<area>Security</area>
<workgroup>Network Working Group</workgroup>
<keyword>Internet-Draft</keyword>
<keyword>Request for Comments</keyword>
<keyword>I-D</keyword>
<keyword>Camellia</keyword>
<keyword>Block Cipher</keyword>
<keyword>Mode of operation</keyword>
<abstract>
<t>This document describes the algorithms and test vectors of Camellia block cipher
algorithm in Counter (CTR) mode and Counter with Cipher Block Chaining MAC (CCM) Mode.
The purpose of this document is to make the Camellia-CTR and Camellia-CCM
algorithm conveniently available to the Internet Community.
</t>
</abstract>
</front>
<middle>
<section anchor="intro" title="Introduction">
<t>
This document describes the use of the Camellia block cipher
algorithm in Counter mode and Counter with CBC-MAC Mode.
</t>
<t>
Camellia is a symmetric cipher with a Feistel structure. Camellia
was developed jointly by NTT and Mitsubishi Electric Corporation in
2000. It was designed to withstand all known cryptanalytic attacks,
and it has been scrutinized by worldwide cryptographic experts.
Camellia is suitable for implementation in software and hardware,
offering encryption speed in software and hardware implementations
that is comparable to Advanced
Encryption Standard (AES) <xref target="FIPS.197.2001" />.
</t>
<t>
Camellia supports 128-bit block size and 128-, 192-, and 256-bit key
lengths, i.e., the same interface specifications as the AES.
Therefore, it is easy to implement Camellia based algorithms by replacing AES block
of AES based algorithms to Camellia block.
</t>
<t>
Camellia is adopted as IETF and several international standardization
organizations.
Camellia is already adopted as IPSec <xref target="RFC4312" />,
TLS <xref target="RFC4132" />, S/MIME <xref target="RFC3657" /> and
XML <xref target="RFC4051" />.
Camellia is adopted for the one of three ISO/IEC
international standard cipher <xref target="ISO/IEC 18033-3" /> as
128bit block cipher(Camellia, AES and SEED).
Camellia was selected as a recommended cryptographic
primitive by the EU NESSIE (New European Schemes for Signatures, Integrity and
Encryption) project <xref target="NESSIE"/> and was included in the list of
cryptographic techniques for Japanese e-Government systems that was
selected by the Japan CRYPTREC (Cryptography Research and Evaluation
Committees) <xref target="CRYPTREC" />.
</t>
<t>
Since optimized source code is provided by
<eref target="http://info.isl.ntt.co.jp/crypt/eng/camellia/source.html" >
several open source lisences </eref>,
Camellia is also adopted by several open source projects(Openssl,
FreeBSD, Linux and Gran Paradiso).
</t>
<t>
<t>The algorithm specification and object identifiers are described in
<xref target="RFC3713" />.
</t>
<eref target="http://info.isl.ntt.co.jp/camellia/">The Camellia homepage</eref>
contains a wealth of information
about Camellia, including detailed specification, security analysis,
performance figures, reference implementation, optimized
implementation, test vectors, and intellectual property information.
</t>
<section title="Terminology">
<t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in
<xref target="RFC2119" />.</t>
</section>
</section>
<section anchor="camellia" title="The Camellia Cipher Algorithm">
<t>
All symmetric block cipher algorithms share common characteristics
and variables, including mode, key size, weak keys, block size, and
rounds. The following sections contain descriptions of the relevant
characteristics of Camellia.
</t>
<t>The algorithm specification and object identifiers are described in
<xref target="RFC3713" />.</t>
<section title="Key Size">
<t>Camellia supports three key sizes: 128 bits, 192 bits, and 256 bits.
The default key size is 128 bits, and all implementations MUST
support this key size. Implementations MAY also support key sizes of
192 bits and 256 bits.</t>
<t>Camellia uses a different number of rounds for each of the defined
key sizes. When a 128-bit key is used, implementations MUST use 18
rounds. When a 192-bit key is used, implementations MUST use 24
rounds. When a 256-bit key is used, implementations MUST use 24
rounds.</t>
</section>
<section anchor="block" title="Weak Keys">
<t>
At the time of writing this document there are no known weak keys for
Camellia.</t>
</section>
<section title="Block Size and Padding">
<t> Camellia uses a block size of sixteen octets (128 bits).</t>
<t>Padding is required by the algorithms to maintain a 16-octet
(128-bit) block size. Padding MUST be added such that the data to be
encrypted (which includes the ESP Pad Length
and Next Header fields) has a length that is a multiple of 16 octets.</t>
<t>Because of the algorithm specific padding requirement, no additional
padding is required to ensure that the ciphertext terminates on a
4-octet boundary (i.e. maintaining a 16-octet block size guarantees
that the ESP Pad Length and Next Header fields will be right aligned
within a 4-octet word). Additional padding MAY be included as long
as the 16-octet block size is maintained.</t>
</section>
<section title="Performance">
<t>
Performance figures of Camellia are available at
<eref target='http://info.isl.ntt.co.jp/crypt/camellia/' />.
NESSIE project has reported performance of Optimized
Implementations independently <xref target="NESSIE"/>.
</t>
</section>
</section>
<section title="Modes of Operation">
<t>
Camellia Counter mode (Camellia-CTR) and Camellia Counter with
CBC-MAC (Camellia-CCM) are discussed in this specification.
</t>
<t>
Counter mode <xref target="MODES" /> behave like stream ciphers, but are
constructed based on a block cipher primitive (that is, counter mode
operation of a block cipher results in a stream cipher.)
</t>
<t>
Counter with CBC Mac mode is a generic authenticate-and-encrypt block cipher
mode <xref target="RFC3610" />.
In this specification, CCM is used with the Camellia <xref target="RFC3713" /> block cipher.
</t>
<section title="Counter" anchor="Counter">
<section title="Definitions">
<list style='hanging' hangIndent='10'>
<t hangText="Camellia(K, X)"> <vspace/>Output of the Camellia encryption algorithm under the fresh key K
applied to the data block X.</t>
<t hangText="N">Nonce.</t>
<t hangText="PT[n]">n-th plain text block splited by 128-bit unit.</t>
<t hangText="X || Y">Concatenation of two octet strings X and Y.</t>
<t hangText="X XOR Y">Bitwise exclusive-OR of two octet strings X and Y of the same length.</t>
</list>
</section>
<section title="Camellia-CTR">
<t>
Camellia-CTR requires the encryptor to generate a unique per-packet value,
and communicate this value to the decryptor. This specification
calls this per-packet value an initialization vector (IV). The same
IV and key combination MUST NOT be used more than once. The
encryptor can generate the IV in any manner that ensures uniqueness.
Common approaches to IV generation include incrementing a counter for
each packet and linear feedback shift registers (LFSRs).
</t>
<t>
This specification calls for the use of a nonce for additional
protection against precomputation attacks. The nonce value need not
be secret. However, the nonce MUST be unpredictable prior to the
establishment of the IPsec security association that is making use of
Camellia-CTR.
</t>
<t>
Camellia-CTR has many properties that make it an attractive encryption
algorithm for in high-speed networking. Camellia-CTR uses the Camellia block
cipher to create a stream cipher. Data is encrypted and decrypted by
XORing with the key stream produced by Camellia encrypting sequential
counter block values. Camellia-CTR is easy to implement, and Camellia-CTR can
be pipelined and parallelized. Camellia-CTR also supports key stream
precomputation.
</t>
<t>
Pipelining is possible because Camellia has multiple rounds (see
<xref target="camellia" />.). A hardware implementation (and some software implementations)
can create a pipeline by unwinding the loop implied by this round
structure. For example, after a 16-octet block has been input, one
round later another 16-octet block can be input, and so on. In Camellia-CTR,
these inputs are the sequential counter block values used to
generate the key stream.
</t>
<t>
Multiple independent Camellia encrypt implementations can also be used to
improve performance. For example, one could use two Camellia encrypt
implementations in parallel, to process a sequence of counter block
values, doubling the effective throughput.
</t>
<t>
The sender can precompute the key stream. Since the key stream does
not depend on any data in the packet, the key stream can be
precomputed once the nonce and IV are assigned. This precomputation
can reduce packet latency. The receiver cannot perform similar
precomputation because the IV will not be known before the packet
arrives.
</t>
<t>
When used correctly, Camellia-CTR provides a high level of
confidentiality. Unfortunately, Camellia-CTR is easy to use incorrectly.
Being a stream cipher, any reuse of the per-packet value, called the
IV, with the same nonce and key is catastrophic. An IV collision
immediately leaks information about the plaintext in both packets.
For this reason, it is inappropriate to use this mode of operation
with static keys. Extraordinary measures would be needed to prevent
reuse of an IV value with the static key across power cycles. To be
safe, implementations MUST use fresh keys with Camellia-CTR.
</t>
<t>
With Camellia-CTR, it is trivial to use a valid ciphertext to forge other
(valid to the decryptor) ciphertexts. Thus, it is equally
catastrophic to use Camellia-CTR without a companion authentication
function. Implementations MUST use Camellia-CCM such case.
</t>
<t>
To encrypt a payload with Camellia-CTR, the encryptor partitions the
plaintext, PT, into 128-bit blocks. The final block need not be 128
bits; it can be less.
</t>
<artwork>
PT = PT[1] PT[2] ... PT[n]
</artwork>
<t>
Each PT block is XORed with a block of the key stream to generate the
ciphertext, CT. The Camellia encryption of each counter block results in
128 bits of key stream. The most significant 96 bits of the counter
block are set to the nonce value, which is 32 bits, followed by the
per-packet IV value, which is 64 bits. The least significant 32 bits
of the counter block are initially set to one. This counter value is
incremented by one to generate subsequent counter blocks, each
resulting in another 128 bits of key stream. The encryption of n
plaintext blocks can be summarized as:
</t>
<artwork>
CTRBLK := N || IV || ONE
FOR i := 1 to n-1 DO
CT[i] := PT[i] XOR Camellia(K, CTRBLK)
CTRBLK := CTRBLK + 1
END
CT[n] := PT[n] XOR TRUNC(Camellia(K, CTRBLK))
</artwork>
<t>
The TRUNC() function truncates the output of the Camellia encrypt
operation to the same length as the final plaintext block, returning
the most significant bits.
</t>
<t>
Decryption is similar. The decryption of n ciphertext blocks can be
summarized as:
</t>
<artwork>
CTRBLK := N || IV || ONE
FOR i := 1 to n-1 DO
PT[i] := CT[i] XOR Camellia(K, CTRBLK)
CTRBLK := CTRBLK + 1
END
PT[n] := CT[n] XOR TRUNC(Camellia(K, CTRBLK))
</artwork>
</section>
</section>
<section title = "Counter with CBC-MAC">
<section title="Definitions">
<list style='hanging' hangIndent='10'>
<t hangText="l(X)">Octet length of variable X.</t>
<t hangText="M">Number of octets in authentication field. Valid
values of are 4, 6, 8, 10, 12, 14, and 16.</t>
<t hangText="M'">3bit number calculated by (M-2)/2.</t>
<t hangText="L">Number of octets in length field. Valid values are from 2 to 8.
This number limits maximam length of message and length of N.</t>
<t hangText="L'">3bit number caluculated by L-1.</t>
<t hangText="K">Camellia key. Valid values of l(K) are 16, 24 and 32.</t>
<t hangText="N">Nonce. </t>
<t hangText="m">Message to authenticate and encrypt. l(m) < 2^(8*L).</t>
<t hangText="AAD">Additional authenticated data. 0 =< AAD < 2^64.</t>
</list>
</section>
<section title="Two main parameters">
<t>
For the generic CCM mode there are two parameter choices. The first
choice is M, the size of the authentication field. The choice of the
value for M involves a trade-off between message expansion and the
probability that an attacker can undetectably modify a message.
Valid values are 4, 6, 8, 10, 12, 14, and 16 octets. The second
choice is L, the size of the length field. This value requires a
trade-off between the maximum message size and the size of the Nonce.
Different applications require different trade-offs, so L is a
parameter. Valid values of L range between 2 octets and 8 octets
(the value L=1 is reserved).
</t>
<artwork>
Name Description Size Encoding
---- ---------------------------------------- ------ --------
M Number of octets in authentication field 3 bits (M-2)/2
L Number of octets in length field 3 bits L-1
</artwork>
</section>
<section title="Inputs">
<t>
To authenticate and encrypt a message the following information is
required:
</t>
<list style='numbers' hangIndent='5'>
<t>An encryption key K suitable for the block cipher.</t>
<t>A nonce N of 15-L octets. Within the scope of any encryption key
K, the nonce value MUST be unique. That is, the set of nonce
values used with any given key MUST NOT contain any duplicate
values. Using the same nonce for two different messages
encrypted with the same key destroys the security properties of
this mode.
</t>
<t>The message m, consisting of a string of l(m) octets where 0 <=
l(m) < 2^(8*L). The length restriction ensures that l(m) can be
encoded in a field of L octets.
</t>
<t> The additional authenticated data AAD where 0 <= AAD < 2^64.
This additional data is
authenticated but not encrypted, and is not included in the
output of this mode. It can be used to authenticate plaintext
packet headers, or contextual information that affects the
interpretation of the message. Users who do not wish to
authenticate additional data can provide a string of length zero.
</t>
</list>
<t>
The inputs are summarized as:
</t>
<artwork>
Name Description Size
---- ----------------------------------- -----------------------
K Block cipher key Depends on block cipher
N Nonce 15-L octets
m Message to authenticate and encrypt l(m) octets
AAD Additional authenticated data 0 =< AAD < 2^64
</artwork>
</section>
<section title="Authentication">
<t>
The first step is to compute the authentication field T. This is
done using CBC-MAC <xref target="fips.113.1985" />. We first define a sequence of blocks B_0,
B_1, ..., B_n and then apply CBC-MAC to these blocks.
</t>
<t>
The first block B_0 is formatted as follows, where l(m) is encoded in
most-significant-byte first order:
</t>
<artwork>
Octet Number Contents
------------ ---------
0 Flags
1 ... 15-L Nonce N
16-L ... 15 l(m)
</artwork>
<t>
Within the first block B_0, the Flags field is formatted as follows:
</t>
<artwork>
Bit Number Contents
---------- ----------------------
7 Reserved (always zero)
6 Adata
5 ... 3 M'
2 ... 0 L'
</artwork>
<t>
Another way say the same thing is: Flags = 64*Adata + 8*M' + L'.
</t>
<t>
The Reserved bit is reserved for future expansions and should always
be set to zero. The Adata bit is set to zero if AAD = 0, and set to
one if AAD > 0. The M' field is set to (M-2)/2. As M can take on the
even values from 4 to 16, the 3-bit M' field can take on the values
from one to seven. The 3-bit field MUST NOT have a value of zero,
which would correspond to a 16-bit integrity check value. The L'
field encodes the size of the length field used to store l(m). The
parameter L can take on the values from 2 to 8 (recall, the value L=1
is reserved). This value is encoded in the 3-bit L' field using the
values from one to seven by choosing L' = L-1 (the zero value is
reserved).
</t>
<t>
If AAD > 0 (as indicated by the Adata field), then one or more blocks
of authentication data are added. These blocks contain AAD and a
encoded in a reversible manner. We first construct a string that
encodes AAD.
</t>
<t>
If 0 < AAD < (2^16 - 2^8), then the length field is encoded as two
octets which contain the value AAD in most-significant-byte first
order.
</t>
<t>
If (2^16 - 2^8) <= AAD < 2^32, then the length field is encoded as
six octets consisting of the octets 0xff, 0xfe, and four octets
encoding AAD in most-significant-byte-first order.
</t>
<t>
If 2^32 <= AAD < 2^64, then the length field is encoded as ten
octets consisting of the octets 0xff, 0xff, and eight octets encoding
AAD in most-significant-byte-first order.
</t>
<t>
The length encoding conventions are summarized in the following
table. Note that all fields are interpreted in most-significant-byte
first order.
</t>
<artwork>
First two octets Followed by Comment
----------------- ---------------- -------------------------------
0x0000 Nothing Reserved
0x0001 ... 0xFEFF Nothing For 0 < AAD < (2^16 - 2^8)
0xFF00 ... 0xFFFD Nothing Reserved
0xFFFE 4 octets of AAD For (2^16 - 2^8) <= AAD < 2^32
0xFFFF 8 octets of AAD For 2^32 <= AAD < 2^64
</artwork>
<t>
The blocks encoding a are formed by concatenating this string that
encodes AAD with a itself, and splitting the result into 16-octet
blocks, and then padding the last block with zeroes if necessary.
These blocks are appended to the first block B0.
</t>
<t>
After the (optional) additional authentication blocks have been
added, we add the message blocks. The message blocks are formed by
splitting the message m into 16-octet blocks, and then padding the
last block with zeroes if necessary. If the message m consists of
the empty string, then no blocks are added in this step.
</t>
<t>
The result is a sequence of blocks B0, B1, ..., Bn. The CBC-MAC is
computed by:
</t>
<artwork>
X_1 := Camellia( K, B_0 )
X_i+1 := Camellia( K, X_i XOR B_i ) for i=1, ..., n
T := first-M-bytes( X_n+1 )
</artwork>
<t>
where T is the MAC
value. Note that the last block B_n
is XORed with X_n, and the result is encrypted with the block cipher.
If needed, the ciphertext is truncated to give T.
</t>
</section>
<section title="Encryption">
<t>
To encrypt the message data we use Counter (CTR) mode. We first
define the key stream blocks by:
</t>
<artwork>
S_i := Camellia( K, A_i ) for i=0, 1, 2, ...
</artwork>
<t>
The values A_i are formatted as follows, where the Counter field i is
encoded in most-significant-byte first order:
</t>
<artwork>
Octet Number Contents
------------ ---------
0 Flags
1 ... 15-L Nonce N
16-L ... 15 Counter i
</artwork>
<t>
The Flags field is formatted as follows:
</t>
<artwork>
Bit Number Contents
---------- ----------------------
7 Reserved (always zero)
6 Reserved (always zero)
5 ... 3 Zero
2 ... 0 L'
</artwork>
<t>
Another way say the same thing is: Flags = L'.
</t>
<t>
The Reserved bits are reserved for future expansions and MUST be set
to zero. Bit 6 corresponds to the Adata bit in the B_0 block, but as
this bit is not used here, it is reserved and MUST be set to zero.
Bits 3, 4, and 5 are also set to zero, ensuring that all the A blocks
are distinct from B_0, which has the non-zero encoding of M in this
position. Bits 0, 1, and 2 contain L', using the same encoding as in
B_0.
</t>
<t>
The message is encrypted by XORing the octets of message m with the
first l(m) octets of the concatenation of S_1, S_2, S_3, ... . Note
that S_0 is not used to encrypt the message.
</t>
<t>
The authentication value U is computed by encrypting T with the key
stream block S_0 and truncating it to the desired length.
</t>
<artwork>
U := T XOR first-M-bytes( S_0 )
</artwork>
</section>
<section title="Output">
<t>
The final result c consists of the encrypted message followed by the
encrypted authentication value U.
</t>
</section>
<section title="Decryption and Authentication Checking">
<t>
To decrypt a message the following information is required:
</t>
<list style='numbers' hangIndent='5'>
<t>The encryption key K.</t>
<t>The nonce N.</t>
<t>The additional authenticated data AAD.</t>
<t>The encrypted and authenticated message c.</t>
</list>
<t>
Decryption starts by recomputing the key stream to recover the
message m and the MAC value T. The message and additional
authentication data is then used to recompute the CBC-MAC value and
check T.
</t>
<t>
If the T value is not correct, the receiver MUST NOT reveal any
information except for the fact that T is incorrect. The receiver
MUST NOT reveal the decrypted message, the value T, or any other
information.
</t>
</section>
</section>
</section>
<section title="Test Vectors">
<section title="Camellia-CTR">
<t>
This section contains nine test vectors(TV), which can be used to confirm
that an implementation has correctly implemented Camellia-CTR. The first
three test vectors use Camellia with a 128 bit key; the next three test
vectors use Camellia with a 192 bit key; and the last three test vectors
use Camellia with a 256 bit key.
</t>
<artwork>
TV #1: Encrypting 16 octets using Camellia-CTR with 128-bit key
Camellia Key : AE 68 52 F8 12 10 67 CC 4B F7 A5 76 55 77 F3 9E
Camellia-CTR IV : 00 00 00 00 00 00 00 00
Nonce : 00 00 00 30
Plaintext : 53 69 6E 67 6C 65 20 62 6C 6F 63 6B 20 6D 73 67
Counter Block (1): 00 00 00 30 00 00 00 00 00 00 00 00 00 00 00 01
Key Stream (1): 83 F4 AC FD EE 71 41 F8 4C E8 1F 1D FB 72 78 58
Ciphertext : D0 9D C2 9A 82 14 61 9A 20 87 7C 76 DB 1F 0B 3F
TV #2: Encrypting 32 octets using Camellia-CTR with 128-bit key
Camellia Key : 7E 24 06 78 17 FA E0 D7 43 D6 CE 1F 32 53 91 63
Camellia-CTR IV : C0 54 3B 59 DA 48 D9 0B
Nonce : 00 6C B6 DB
Plaintext : 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
: 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F
Counter Block (1): 00 6C B6 DB C0 54 3B 59 DA 48 D9 0B 00 00 00 01
Key Stream (1): DB F2 C5 8E C4 86 90 D3 D2 75 9A 7C 69 B6 C5 4B
Counter Block (2): 00 6C B6 DB C0 54 3B 59 DA 48 D9 0B 00 00 00 02
Key Stream (2): 3B 9F 9C 1C 25 E5 CA B0 34 6D 0D F8 4F 7D FE 57
Ciphertext : DB F3 C7 8D C0 83 96 D4 DA 7C 90 77 65 BB CB 44
: 2B 8E 8E 0F 31 F0 DC A7 2C 74 17 E3 53 60 E0 48
TV #3: Encrypting 36 octets using Camellia-CTR with 128-bit key
Camellia Key : 76 91 BE 03 5E 50 20 A8 AC 6E 61 85 29 F9 A0 DC
Camellia-CTR IV : 27 77 7F 3F 4A 17 86 F0
Nonce : 00 E0 01 7B
Plaintext : 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
: 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F
: 20 21 22 23
Counter Block (1): 00 E0 01 7B 27 77 7F 3F 4A 17 86 F0 00 00 00 01
Key Stream (1): B1 9C 1D CE CF 70 ED 8F 27 8D 96 E9 41 88 C1 7C
Counter Block (2): 00 E0 01 7B 27 77 7F 3F 4A 17 86 F0 00 00 00 02
Key Stream (2): 8C F7 59 38 48 88 65 E6 57 34 47 86 D2 85 97 D2
Counter Block (3): 00 E0 01 7B 27 77 7F 3F 4A 17 86 F0 00 00 00 03
Key Stream (3): FF 71 A4 B5 D8 86 12 53 6A 9D 10 A1 13 0F 14 F8
Ciphertext : B1 9D 1F CD CB 75 EB 88 2F 84 9C E2 4D 85 CF 73
: 9C E6 4B 2B 5C 9D 73 F1 4F 2D 5D 9D CE 98 89 CD
: DF 50 86 96
TV #4: Encrypting 16 octets using Camellia-CTR with 192-bit key
Camellia Key : 16 AF 5B 14 5F C9 F5 79 C1 75 F9 3E 3B FB 0E ED
: 86 3D 06 CC FD B7 85 15
Camellia-CTR IV : 36 73 3C 14 7D 6D 93 CB
Nonce : 00 00 00 48
Plaintext : 53 69 6E 67 6C 65 20 62 6C 6F 63 6B 20 6D 73 67
Counter Block (1): 00 00 00 48 36 73 3C 14 7D 6D 93 CB 00 00 00 01
Key Stream (1): 70 10 57 F9 E6 E8 0B 49 7A 1F 4C AC AB F3 E5 F1
Ciphertext : 23 79 39 9E 8A 8D 2B 2B 16 70 2F C7 8B 9E 96 96
TV #5: Encrypting 32 octets using Camellia-CTR with 192-bit key
Camellia Key : 7C 5C B2 40 1B 3D C3 3C 19 E7 34 08 19 E0 F6 9C
: 67 8C 3D B8 E6 F6 A9 1A
Camellia-CTR IV : 02 0C 6E AD C2 CB 50 0D
Nonce : 00 96 B0 3B
Plaintext : 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
: 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F
Counter Block (1): 00 96 B0 3B 02 0C 6E AD C2 CB 50 0D 00 00 00 01
Key Stream (1): 7D EE 36 F4 A1 D5 E2 12 6F 42 75 F7 A2 6A C9 52
Counter Block (2): 00 96 B0 3B 02 0C 6E AD C2 CB 50 0D 00 00 00 02
Key Stream (2): C0 09 AA 7C E6 25 47 F7 4E 20 30 82 EF 47 52 F2
Ciphertext : 7D EF 34 F7 A5 D0 E4 15 67 4B 7F FC AE 67 C7 5D
: D0 18 B8 6F F2 30 51 E0 56 39 2A 99 F3 5A 4C ED
TV #6: Encrypting 36 octets using Camellia-CTR with 192-bit key
Camellia Key : 02 BF 39 1E E8 EC B1 59 B9 59 61 7B 09 65 27 9B
: F5 9B 60 A7 86 D3 E0 FE
Camellia-CTR IV : 5C BD 60 27 8D CC 09 12
Nonce : 00 07 BD FD
Plaintext : 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
: 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F
: 20 21 22 23
Counter Block (1): 00 07 BD FD 5C BD 60 27 8D CC 09 12 00 00 00 01
Key Stream (1): 57 11 E7 55 E5 4D 7C 27 BD A5 04 78 FD 93 40 77
Counter Block (2): 00 07 BD FD 5C BD 60 27 8D CC 09 12 00 00 00 02
Key Stream (2): 66 E2 6D CF 85 A4 F9 5A 55 B4 F2 FD 7A BB 53 11
Counter Block (3): 00 07 BD FD 5C BD 60 27 8D CC 09 12 00 00 00 03
Key Stream (3): F5 76 89 74 63 52 A8 C5 1E 82 DE 66 C3 9F 38 34
Ciphertext : 57 10 E5 56 E1 48 7A 20 B5 AC 0E 73 F1 9E 4E 78
: 76 F3 7F DC 91 B1 EF 4D 4D AD E8 E6 66 A6 4D 0E
: D5 57 AB 57
TV #7: Encrypting 16 octets using Camellia-CTR with 256-bit key
Camellia Key : 77 6B EF F2 85 1D B0 6F 4C 8A 05 42 C8 69 6F 6C
: 6A 81 AF 1E EC 96 B4 D3 7F C1 D6 89 E6 C1 C1 04
Camellia-CTR IV : DB 56 72 C9 7A A8 F0 B2
Nonce : 00 00 00 60
Plaintext : 53 69 6E 67 6C 65 20 62 6C 6F 63 6B 20 6D 73 67
Counter Block (1): 00 00 00 60 DB 56 72 C9 7A A8 F0 B2 00 00 00 01
Key Stream (1): 67 68 97 AF 48 1B DF AC D1 06 F7 1A 6C 76 C8 76
Ciphertext : 34 01 F9 C8 24 7E FF CE BD 69 94 71 4C 1B BB 11
TV #8: Encrypting 32 octets using Camellia-CTR with 256-bit key
Camellia Key : F6 D6 6D 6B D5 2D 59 BB 07 96 36 58 79 EF F8 86
: C6 6D D5 1A 5B 6A 99 74 4B 50 59 0C 87 A2 38 84
Camellia-CTR IV : C1 58 5E F1 5A 43 D8 75
Nonce : 00 FA AC 24
Plaintext : 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
: 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F
Counter Block (1): 00 FA AC 24 C1 58 5E F1 5A 43 D8 75 00 00 00 01
Key Stream (1): D6 C2 01 91 20 6A 7E 0F A0 35 21 29 A4 8E 90 4A
Counter Block (2): 00 FA AC 24 C1 58 5E F1 5A 43 D8 75 00 00 00 02
Key Stream (2): F5 0D C6 99 08 CA 56 79 A4 85 D8 C8 B7 9E 5F 17
Ciphertext : D6 C3 03 92 24 6F 78 08 A8 3C 2B 22 A8 83 9E 45
: E5 1C D4 8A 1C DF 40 6E BC 9C C2 D3 AB 83 41 08
TV #9: Encrypting 36 octets using Camellia-CTR with 256-bit key
Camellia Key : FF 7A 61 7C E6 91 48 E4 F1 72 6E 2F 43 58 1D E2
: AA 62 D9 F8 05 53 2E DF F1 EE D6 87 FB 54 15 3D
Camellia-CTR IV : 51 A5 1D 70 A1 C1 11 48
Nonce : 00 1C C5 B7
Plaintext : 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
: 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F
: 20 21 22 23
Counter Block (1): 00 1C C5 B7 51 A5 1D 70 A1 C1 11 48 00 00 00 01
Key Stream (1): A4 DB 21 FF E2 A0 F9 AD 65 6D A4 91 0A 5F AA 23
Counter Block (2): 00 1C C5 B7 51 A5 1D 70 A1 C1 11 48 00 00 00 02
Key Stream (2): C1 70 B1 58 71 EC 71 88 6D D9 05 0B 03 6C 39 70
Counter Block (3): 00 1C C5 B7 51 A5 1D 70 A1 C1 11 48 00 00 00 03
Key Stream (3): 35 CE 2F AE 90 78 B3 72 F5 76 12 39 1F 8B AF BF
Ciphertext : A4 DA 23 FC E6 A5 FF AA 6D 64 AE 9A 06 52 A4 2C
: D1 61 A3 4B 65 F9 67 9F 75 C0 1F 10 1F 71 27 6F
: 15 EF 0D 8D
</artwork>
</section>
<section title="Camellia-CCM">
<t>
This section contains twenty four test vectors, which can be used to confirm
that an implementation has correctly implemented Camellia-CCM.
In each of these test vectors, the least significant sixteen bits of the counter
block is used for the block counter, and the nonce is 13 octets.
Some of the test vectors include a eight octet authentication value,
and others include a ten octet authentication value.
</t>
<artwork>
=============== Packet Vector #1 ==================
CAM Key: C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF
Nonce = 00 00 00 03 02 01 00 A0 A1 A2 A3 A4 A5
Total packet length = 31. [Input (8 cleartext header octets)]
00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E
CBC IV in: 59 00 00 00 03 02 01 00 A0 A1 A2 A3 A4 A5 00 17
CBC IV out:D4 DB CD 92 A8 96 41 56 1D 0D BB D0 D5 7F 7E 1D
After xor: D4 D3 CD 93 AA 95 45 53 1B 0A BB D0 D5 7F 7E 1D [hdr]
After CAM: BD 84 03 80 73 59 37 B7 CE F5 E4 BA 1B 18 54 DC
After xor: B5 8D 09 8B 7F 54 39 B8 DE E4 F6 A9 0F 0D 42 CB [msg]
After CAM: CE 21 82 9C F6 F2 4D A2 CB 35 D1 FD 81 27 63 EC
After xor: D6 38 98 87 EA EF 53 A2 CB 35 D1 FD 81 27 63 EC [msg]
After CAM: 20 11 FE E2 53 B1 A7 DB 02 77 FA 37 6D 78 EE 10
MIC tag : 20 11 FE E2 53 B1 A7 DB
CTR Start: 01 00 00 00 03 02 01 00 A0 A1 A2 A3 A4 A5 00 01
CTR[0001]: B2 7A 7B 8E EB 14 3F 0B 82 E2 98 4C 06 44 CC 42
CTR[0002]: E2 E2 D3 52 98 97 13 45 D1 63 22 90 E7 F8 15 4A
CTR[MIC ]: DC BF 30 96 38 8C 1E 76
Total packet length = 39. [Encrypted]
00 01 02 03 04 05 06 07 BA 73 71 85 E7 19 31 04
92 F3 8A 5F 12 51 DA 55 FA FB C9 49 84 8A 0D FC
AE CE 74 6B 3D B9 AD
=============== Packet Vector #2 ==================
CAM Key: C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF
Nonce = 00 00 00 04 03 02 01 A0 A1 A2 A3 A4 A5
Total packet length = 32. [Input (8 cleartext header octets)]
00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F
CBC IV in: 59 00 00 00 04 03 02 01 A0 A1 A2 A3 A4 A5 00 18
CBC IV out:07 0B 22 50 8A 24 3C DD 5B BA 54 DB 60 52 88 06
After xor: 07 03 22 51 88 27 38 D8 5D BD 54 DB 60 52 88 06 [hdr]
After CAM: 10 FD C2 F2 90 4A 9F 96 B0 4F 62 A4 A1 A9 31 1E
After xor: 18 F4 C8 F9 9C 47 91 99 A0 5E 70 B7 B5 BC 27 09 [msg]
After CAM: E4 C8 82 02 89 55 5C 15 CE 7F E4 60 B1 B9 5A 08
After xor: FC D1 98 19 95 48 42 0A CE 7F E4 60 B1 B9 5A 08 [msg]
After CAM: D2 96 BA 4F 83 DE B5 DF A2 19 08 F7 47 4E 3C 40
MIC tag : D2 96 BA 4F 83 DE B5 DF
CTR Start: 01 00 00 00 04 03 02 01 A0 A1 A2 A3 A4 A5 00 01
CTR[0001]: 55 2C 6E B4 82 A2 EF D6 85 37 FE 12 79 0E E6 55
CTR[0002]: 54 E2 C8 D6 7E 99 91 2C F2 8A D7 8E 83 04 10 36
CTR[MIC ]: B2 24 93 12 71 9C 36 37
Total packet length = 40. [Encrypted]
00 01 02 03 04 05 06 07 5D 25 64 BF 8E AF E1 D9
95 26 EC 01 6D 1B F0 42 4C FB D2 CD 62 84 8F 33
60 B2 29 5D F2 42 83 E8
=============== Packet Vector #3 ==================
CAM Key: C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF
Nonce = 00 00 00 05 04 03 02 A0 A1 A2 A3 A4 A5
Total packet length = 33. [Input (8 cleartext header octets)]
00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F
20
CBC IV in: 59 00 00 00 05 04 03 02 A0 A1 A2 A3 A4 A5 00 19
CBC IV out:6F 69 15 DF A6 A0 DF 24 84 A7 37 88 A3 65 F9 2E
After xor: 6F 61 15 DE A4 A3 DB 21 82 A0 37 88 A3 65 F9 2E [hdr]
After CAM: 59 5D 99 48 79 04 DA C9 13 93 36 C9 11 A8 09 1D
After xor: 51 54 93 43 75 09 D4 C6 03 82 24 DA 05 BD 1F 0A [msg]
After CAM: 1A 43 D7 19 65 43 97 C1 43 6F 4F 11 A7 6C 6B ED
After xor: 02 5A CD 02 79 5E 89 DE 63 6F 4F 11 A7 6C 6B ED [msg]
After CAM: 30 0B 06 8A A0 D1 4D C5 9E 44 22 84 82 45 42 0B
MIC tag : 30 0B 06 8A A0 D1 4D C5
CTR Start: 01 00 00 00 05 04 03 02 A0 A1 A2 A3 A4 A5 00 01
CTR[0001]: 89 FF 69 DD CB 75 76 18 E9 31 24 1B AD 97 BB 02
CTR[0002]: C4 32 A7 9C CB 4B E9 8D 24 A8 F0 AB C6 87 16 11
CTR[MIC ]: C5 5A D0 E2 8F F2 E7 83
Total packet length = 41. [Encrypted]
00 01 02 03 04 05 06 07 81 F6 63 D6 C7 78 78 17
F9 20 36 08 B9 82 AD 15 DC 2B BD 87 D7 56 F7 92
04 F5 51 D6 68 2F 23 AA 46
=============== Packet Vector #4 ==================
CAM Key: C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF
Nonce = 00 00 00 06 05 04 03 A0 A1 A2 A3 A4 A5
Total packet length = 31. [Input (12 cleartext header octets)]
00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E
CBC IV in: 59 00 00 00 06 05 04 03 A0 A1 A2 A3 A4 A5 00 13
CBC IV out:F5 51 CF 6C 7C F7 D4 0B 2B 76 F1 6B 57 F0 19 FE
After xor: F5 5D CF 6D 7E F4 D0 0E 2D 71 F9 62 5D FB 19 FE [hdr]
After CAM: 02 2B 21 1B EB 97 02 3B F8 10 7D CC 62 14 E5 7C
After xor: 0E 26 2F 14 FB 86 10 28 EC 05 6B DB 7A 0D FF 67 [msg]
After CAM: 48 14 A4 2D 31 25 1C 37 19 C5 6F DD 5A 37 81 42
After xor: 54 09 BA 2D 31 25 1C 37 19 C5 6F DD 5A 37 81 42 [msg]
After CAM: CF 85 25 D2 80 D5 F0 09 53 2C 9D 43 4E F3 04 47
MIC tag : CF 85 25 D2 80 D5 F0 09
CTR Start: 01 00 00 00 06 05 04 03 A0 A1 A2 A3 A4 A5 00 01
CTR[0001]: C6 E2 10 8D 62 00 A2 9C 6F CC 19 1F DF 6B 92 DB
CTR[0002]: 6C B9 BE EE 1E A2 E9 B3 2D D6 C2 9A E8 26 D5 C2
CTR[MIC ]: 44 BF B6 E8 E3 31 67 A9
Total packet length = 39. [Encrypted]
00 01 02 03 04 05 06 07 08 09 0A 0B CA EF 1E 82
72 11 B0 8F 7B D9 0F 08 C7 72 88 C0 70 A4 A0 8B
3A 93 3A 63 E4 97 A0
=============== Packet Vector #5 ==================
CAM Key: C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF
Nonce = 00 00 00 07 06 05 04 A0 A1 A2 A3 A4 A5
Total packet length = 32. [Input (12 cleartext header octets)]
00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F
CBC IV in: 59 00 00 00 07 06 05 04 A0 A1 A2 A3 A4 A5 00 14
CBC IV out:73 72 9D 76 7A BD B9 82 60 3A 12 7B EF 26 FB 80
After xor: 73 7E 9D 77 78 BE BD 87 66 3D 1A 72 E5 2D FB 80 [hdr]
After CAM: E1 B7 A6 72 E2 5C 87 75 91 21 22 A4 07 13 CD 5B
After xor: ED BA A8 7D F2 4D 95 66 85 34 34 B3 1F 0A D7 40 [msg]
After CAM: 13 2F 58 D9 5D 0F 95 B8 90 BF 6F 1D 31 84 54 C7
After xor: 0F 32 46 C6 5D 0F 95 B8 90 BF 6F 1D 31 84 54 C7 [msg]
After CAM: 47 8F 1E B0 71 24 8B 13 AF C8 C8 44 E6 0F 88 B6
MIC tag : 47 8F 1E B0 71 24 8B 13
CTR Start: 01 00 00 00 07 06 05 04 A0 A1 A2 A3 A4 A5 00 01
CTR[0001]: 26 DE B4 D6 5F D4 3C 81 AA 56 98 95 64 09 39 A2
CTR[0002]: 76 97 69 3A 21 13 0C 39 2E 4E EB BF 48 7B 24 BE
CTR[MIC ]: C8 2E 65 17 82 15 50 1A
Total packet length = 40. [Encrypted]
00 01 02 03 04 05 06 07 08 09 0A 0B 2A D3 BA D9
4F C5 2E 92 BE 43 8E 82 7C 10 23 B9 6A 8A 77 25
8F A1 7B A7 F3 31 DB 09
=============== Packet Vector #6 ==================
CAM Key: C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF
Nonce = 00 00 00 08 07 06 05 A0 A1 A2 A3 A4 A5
Total packet length = 33. [Input (12 cleartext header octets)]
00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F
20
CBC IV in: 59 00 00 00 08 07 06 05 A0 A1 A2 A3 A4 A5 00 15
CBC IV out:EB 59 05 CC 3F 52 61 10 26 24 75 93 DD B9 A0 F4
After xor: EB 55 05 CD 3D 51 65 15 20 23 7D 9A D7 B2 A0 F4 [hdr]
After CAM: 18 A9 AE A4 3D D2 A9 11 6C 0A E5 4F 40 D1 4D 9F
After xor: 14 A4 A0 AB 2D C3 BB 02 78 1F F3 58 58 C8 57 84 [msg]
After CAM: FA C4 13 18 98 54 1B 54 93 9C 64 B8 CB FD 5B 18
After xor: E6 D9 0D 07 B8 54 1B 54 93 9C 64 B8 CB FD 5B 18 [msg]
After CAM: 49 E6 E8 ED 32 FB CA 2F 2E 55 CD AF D0 F2 B3 05
MIC tag : 49 E6 E8 ED 32 FB CA 2F
CTR Start: 01 00 00 00 08 07 06 05 A0 A1 A2 A3 A4 A5 00 01
CTR[0001]: F2 A8 46 04 B5 2E BA C0 D7 51 34 BD D6 54 FC 64
CTR[0002]: E6 26 A9 24 8B E6 86 CB 92 D6 FB FC 2E F2 91 98
CTR[MIC ]: E2 D0 49 03 7D 1B 34 07
Total packet length = 41. [Encrypted]
00 01 02 03 04 05 06 07 08 09 0A 0B FE A5 48 0B
A5 3F A8 D3 C3 44 22 AA CE 4D E6 7F FA 3B B7 3B
AB AB 36 A1 EE 4F E0 FE 28
=============== Packet Vector #7 ==================
CAM Key: C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF
Nonce = 00 00 00 09 08 07 06 A0 A1 A2 A3 A4 A5
Total packet length = 31. [Input (8 cleartext header octets)]
00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E
CBC IV in: 61 00 00 00 09 08 07 06 A0 A1 A2 A3 A4 A5 00 17
CBC IV out:AC F1 5D 79 99 1A 15 BF 5C DC F6 C4 45 AE 1F CB
After xor: AC F9 5D 78 9B 19 11 BA 5A DB F6 C4 45 AE 1F CB [hdr]
After CAM: E9 C0 AC FD C7 E8 E7 1D FA E8 8B 66 95 9E 01 45
After xor: E1 C9 A6 F6 CB E5 E9 12 EA F9 99 75 81 8B 17 52 [msg]
After CAM: 9C FF ED 72 09 A6 7D 2A 48 B7 29 BF D8 BE 39 59
After xor: 84 E6 F7 69 15 BB 63 2A 48 B7 29 BF D8 BE 39 59 [msg]
After CAM: 4F 41 FA DE B2 58 F3 32 54 0A 55 7A 80 4A A3 F5
MIC tag : 4F 41 FA DE B2 58 F3 32 54 0A
CTR Start: 01 00 00 00 09 08 07 06 A0 A1 A2 A3 A4 A5 00 01
CTR[0001]: 5C 5A 2A 2D E9 41 1F 95 9D 27 CB FF 7A 0B CF 63
CTR[0002]: 0E D1 6A 97 57 41 32 4F 33 1B 4A 42 B1 4A 54 63
CTR[MIC ]: E3 EE 59 62 7D 22 BD 8D C1 79
Total packet length = 41. [Encrypted]
00 01 02 03 04 05 06 07 54 53 20 26 E5 4C 11 9A
8D 36 D9 EC 6E 1E D9 74 16 C8 70 8C 4B 5C 2C AC
AF A3 BC CF 7A 4E BF 95 73
=============== Packet Vector #8 ==================
CAM Key: C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF
Nonce = 00 00 00 0A 09 08 07 A0 A1 A2 A3 A4 A5
Total packet length = 32. [Input (8 cleartext header octets)]
00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F
CBC IV in: 61 00 00 00 0A 09 08 07 A0 A1 A2 A3 A4 A5 00 18
CBC IV out:AD CA 1C 1D 45 E7 E2 62 58 D5 DA 46 D8 2F 69 3A
After xor: AD C2 1C 1C 47 E4 E6 67 5E D2 DA 46 D8 2F 69 3A [hdr]
After CAM: FA DE 0E B4 3E CA C1 E9 69 BB 8C A4 7C 0D 80 8F
After xor: F2 D7 04 BF 32 C7 CF E6 79 AA 9E B7 68 18 96 98 [msg]
After CAM: D2 87 35 C2 D0 E4 AE 4E BC C2 99 FF B3 77 F8 A1
After xor: CA 9E 2F D9 CC F9 B0 51 BC C2 99 FF B3 77 F8 A1 [msg]
After CAM: BD F6 FB 55 9E 90 C0 E7 DF 4B 0C 37 DC 42 32 A2
MIC tag : BD F6 FB 55 9E 90 C0 E7 DF 4B
CTR Start: 01 00 00 00 0A 09 08 07 A0 A1 A2 A3 A4 A5 00 01
CTR[0001]: 82 D8 91 0B 16 8A DF 47 E4 C8 39 FC 20 47 4A DB
CTR[0002]: FB BF 26 7E 0E BB EB 6A 07 4E 29 CF 3D 12 E6 DB
CTR[MIC ]: CE 7E 1F C4 A0 61 87 E6 2B 0A
Total packet length = 42. [Encrypted]
00 01 02 03 04 05 06 07 8A D1 9B 00 1A 87 D1 48
F4 D9 2B EF 34 52 5C CC E3 A6 3C 65 12 A6 F5 75
73 88 E4 91 3E F1 47 01 F4 41
=============== Packet Vector #9 ==================
CAM Key: C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF
Nonce = 00 00 00 0B 0A 09 08 A0 A1 A2 A3 A4 A5
Total packet length = 33. [Input (8 cleartext header octets)]
00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F
20
CBC IV in: 61 00 00 00 0B 0A 09 08 A0 A1 A2 A3 A4 A5 00 19
CBC IV out:D0 A9 A5 94 00 63 86 40 11 0D DB 40 CA F8 4A 9C
After xor: D0 A1 A5 95 02 60 82 45 17 0A DB 40 CA F8 4A 9C [hdr]
After CAM: 7B CA 4E 2D 79 82 0D 1E 15 22 DD E8 37 B9 B1 F0
After xor: 73 C3 44 26 75 8F 03 11 05 33 CF FB 23 AC A7 E7 [msg]
After CAM: 6B 75 9F 83 C0 8F 56 64 F2 FA D5 7F 67 01 B8 21
After xor: 73 6C 85 98 DC 92 48 7B D2 FA D5 7F 67 01 B8 21 [msg]
After CAM: 7D B7 BE FF 72 F3 26 74 9E 20 07 28 1E 5B 1A 8A
MIC tag : 7D B7 BE FF 72 F3 26 74 9E 20
CTR Start: 01 00 00 00 0B 0A 09 08 A0 A1 A2 A3 A4 A5 00 01
CTR[0001]: 55 B9 87 69 4C 73 60 3E C6 1E 8E B1 D2 11 62 36
CTR[0002]: 82 D9 A4 4B DC C9 BB 68 A7 FE 15 A5 19 51 57 87
CTR[MIC ]: E9 61 5C CF BF D6 EF 8A 21 A7
Total packet length = 43. [Encrypted]
00 01 02 03 04 05 06 07 5D B0 8D 62 40 7E 6E 31
D6 0F 9C A2 C6 04 74 21 9A C0 BE 50 C0 D4 A5 77
87 94 D6 E2 30 CD 25 C9 FE BF 87
=============== Packet Vector #10 ==================
CAM Key: C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF
Nonce = 00 00 00 0C 0B 0A 09 A0 A1 A2 A3 A4 A5
Total packet length = 31. [Input (12 cleartext header octets)]
00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E
CBC IV in: 61 00 00 00 0C 0B 0A 09 A0 A1 A2 A3 A4 A5 00 13
CBC IV out:B1 85 73 A3 1C 6F EC 01 90 E3 CE 94 27 11 04 B9
After xor: B1 89 73 A2 1E 6C E8 04 96 E4 C6 9D 2D 1A 04 B9 [hdr]
After CAM: A6 AD EA 9C FA 3F 76 78 4C 17 8A F3 DC 69 F0 82
After xor: AA A0 E4 93 EA 2E 64 6B 58 02 9C E4 C4 70 EA 99 [msg]
After CAM: 35 50 B7 27 78 F8 C6 BF 02 4B 65 60 05 C0 E1 ED
After xor: 29 4D A9 27 78 F8 C6 BF 02 4B 65 60 05 C0 E1 ED [msg]
After CAM: 3D B5 A6 E6 85 AF 1C 58 80 B0 32 2E 01 74 91 FC
MIC tag : 3D B5 A6 E6 85 AF 1C 58 80 B0
CTR Start: 01 00 00 00 0C 0B 0A 09 A0 A1 A2 A3 A4 A5 00 01
CTR[0001]: D7 1C 82 C1 D1 A9 64 0F 93 69 CE 81 22 7E CC E8
CTR[0002]: A7 A1 42 44 32 4E 69 FE 4C D0 36 65 A5 31 0B AB
CTR[MIC ]: ED 27 3F 0D 94 5C 0E AA B2 87
Total packet length = 41. [Encrypted]
00 01 02 03 04 05 06 07 08 09 0A 0B DB 11 8C CE
C1 B8 76 1C 87 7C D8 96 3A 67 D6 F3 BB BC 5C D0
92 99 EB 11 F3 12 F2 32 37
=============== Packet Vector #11 ==================
CAM Key: C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF
Nonce = 00 00 00 0D 0C 0B 0A A0 A1 A2 A3 A4 A5
Total packet length = 32. [Input (12 cleartext header octets)]
00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F
CBC IV in: 61 00 00 00 0D 0C 0B 0A A0 A1 A2 A3 A4 A5 00 14
CBC IV out:45 DF B5 07 6F BB 10 EA F1 15 15 AD 21 4F B0 0E
After xor: 45 D3 B5 06 6D B8 14 EF F7 12 1D A4 2B 44 B0 0E [hdr]
After CAM: 17 52 F9 6D DD BC 5B 1C 1E EB 80 FC F6 10 AC 03
After xor: 1B 5F F7 62 CD AD 49 0F 0A FE 96 EB EE 09 B6 18 [msg]
After CAM: BE F0 A0 B9 EC 94 B6 B3 E8 EC 1B 82 14 14 09 87
After xor: A2 ED BE A6 EC 94 B6 B3 E8 EC 1B 82 14 14 09 87 [msg]
After CAM: 70 16 E4 F9 C4 2C 30 10 84 BF EC 69 34 89 91 FD
MIC tag : 70 16 E4 F9 C4 2C 30 10 84 BF
CTR Start: 01 00 00 00 0D 0C 0B 0A A0 A1 A2 A3 A4 A5 00 01
CTR[0001]: 70 C5 33 82 D4 80 11 41 4F 5D 2B D2 D2 67 B3 B0
CTR[0002]: 9D 36 6E 49 39 C5 16 76 5C 1C 25 12 81 79 94 70
CTR[MIC ]: 77 8B 4B 03 1E 3A FC DF A8 F1
Total packet length = 42. [Encrypted]
00 01 02 03 04 05 06 07 08 09 0A 0B 7C C8 3D 8D
C4 91 03 52 5B 48 3D C5 CA 7E A9 AB 81 2B 70 56
07 9D AF FA DA 16 CC CF 2C 4E
=============== Packet Vector #12 ==================
CAM Key: C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF
Nonce = 00 00 00 0E 0D 0C 0B A0 A1 A2 A3 A4 A5
Total packet length = 33. [Input (12 cleartext header octets)]
00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F
20
CBC IV in: 61 00 00 00 0E 0D 0C 0B A0 A1 A2 A3 A4 A5 00 15
CBC IV out:81 E4 EB 1E 50 A9 70 CE 18 CA 1A 4B 68 39 80 2E
After xor: 81 E8 EB 1F 52 AA 74 CB 1E CD 12 42 62 32 80 2E [hdr]
After CAM: 04 AB D9 62 34 B9 8F 32 8C 0F 08 3F 3D 87 9D 57
After xor: 08 A6 D7 6D 24 A8 9D 21 98 1A 1E 28 25 9E 87 4C [msg]
After CAM: BD A2 EA CB 3A DA 6A E7 9F BB C2 2C E6 4C 98 89
After xor: A1 BF F4 D4 1A DA 6A E7 9F BB C2 2C E6 4C 98 89 [msg]
After CAM: B6 FC E1 46 D3 EA DC 91 E0 AB 10 AD D8 55 E7 03
MIC tag : B6 FC E1 46 D3 EA DC 91 E0 AB
CTR Start: 01 00 00 00 0E 0D 0C 0B A0 A1 A2 A3 A4 A5 00 01
CTR[0001]: 20 DE 55 87 30 C3 2C 69 B7 44 A6 FE 37 DE 89 7C
CTR[0002]: 3F 96 32 D8 68 6D C2 B5 22 97 42 27 EB F9 26 5E
CTR[MIC ]: 7D 45 AD 6F 94 93 E1 F5 4F DE
Total packet length = 43. [Encrypted]
00 01 02 03 04 05 06 07 08 09 0A 0B 2C D3 5B 88
20 D2 3E 7A A3 51 B0 E9 2F C7 93 67 23 8B 2C C7
48 CB B9 4C 29 47 79 3D 64 AF 75
=============== Packet Vector #13 ==================
CAM Key: D7 5C 27 78 07 8C A9 3D 97 1F 96 FD E7 20 F4 CD
Nonce = 00 A9 70 11 0E 19 27 B1 60 B6 A3 1C 1C
Total packet length = 31. [Input (8 cleartext header octets)]
6B 7F 46 45 07 FA E4 96 C6 B5 F3 E6 CA 23 11 AE
F7 47 2B 20 3E 73 5E A5 61 AD B1 7D 56 C5 A3
CBC IV in: 59 00 A9 70 11 0E 19 27 B1 60 B6 A3 1C 1C 00 17
CBC IV out:D7 24 B0 0F B1 87 04 C6 C1 4E 90 37 AA F2 F1 F9
After xor: D7 2C DB 70 F7 C2 03 3C 25 D8 90 37 AA F2 F1 F9 [hdr]
After CAM: 9B 13 6D E3 D9 9F C3 6D 7D 0D B7 D8 A1 BF E9 BD
After xor: 5D A6 9E 05 13 BC D2 C3 8A 4A 9C F8 9F CC B7 18 [msg]
After CAM: F8 BF 25 7D 23 F8 D9 B5 82 E6 C9 3E C8 9B 85 73
After xor: 99 12 94 00 75 3D 7A B5 82 E6 C9 3E C8 9B 85 73 [msg]
After CAM: D9 D6 62 21 6D B2 CA FD 1F C6 FE 9D 2C AF 5B 69
MIC tag : D9 D6 62 21 6D B2 CA FD
CTR Start: 01 00 A9 70 11 0E 19 27 B1 60 B6 A3 1C 1C 00 01
CTR[0001]: 62 80 24 C1 FE AE CC 8C 67 38 55 98 CB 8E E5 E8
CTR[0002]: F2 30 17 2F 1B 71 55 9F 8B CE 79 E5 13 01 FC 6A
CTR[MIC ]: 9C 8E A2 0C 48 03 ED 13
Total packet length = 39. [Encrypted]
6B 7F 46 45 07 FA E4 96 A4 35 D7 27 34 8D DD 22
90 7F 7E B8 F5 FD BB 4D 93 9D A6 52 4D B4 F6 45
58 C0 2D 25 B1 27 EE
=============== Packet Vector #14 ==================
CAM Key: D7 5C 27 78 07 8C A9 3D 97 1F 96 FD E7 20 F4 CD
Nonce = 00 83 CD 8C E0 CB 42 B1 60 B6 A3 1C 1C
Total packet length = 32. [Input (8 cleartext header octets)]
98 66 05 B4 3D F1 5D E7 01 F6 CE 67 64 C5 74 48
3B B0 2E 6B BF 1E 0A BD 26 A2 25 72 B4 D8 0E E7
CBC IV in: 59 00 83 CD 8C E0 CB 42 B1 60 B6 A3 1C 1C 00 18
CBC IV out:A0 8A 29 78 36 23 1D 84 96 76 93 FF 0A 4C 92 7A
After xor: A0 82 B1 1E 33 97 20 75 CB 91 93 FF 0A 4C 92 7A [hdr]
After CAM: 8C F5 F4 23 BF 09 1C 74 CD 47 00 C1 32 5D 5C 92
After xor: 8D 03 3A 44 DB CC 68 3C F6 F7 2E AA 8D 43 56 2F [msg]
After CAM: 69 DA 48 24 41 1E AC 8E A9 0A CD 8B DD 00 2B 9A
After xor: 4F 78 6D 56 F5 C6 A2 69 A9 0A CD 8B DD 00 2B 9A [msg]
After CAM: C2 03 3B 08 6D B3 CB 3B 2C C8 5D E7 76 A1 C0 44
MIC tag : C2 03 3B 08 6D B3 CB 3B
CTR Start: 01 00 83 CD 8C E0 CB 42 B1 60 B6 A3 1C 1C 00 01
CTR[0001]: 8B 16 9C 37 EB 7B BE DB 15 84 41 6E 5F C2 07 46
CTR[0002]: E9 31 BB DD 4E E6 56 9B 68 95 13 5F AB A4 DF EF
CTR[MIC ]: 44 7E 55 14 25 C3 F3 3D
Total packet length = 40. [Encrypted]
98 66 05 B4 3D F1 5D E7 8A E0 52 50 8F BE CA 93
2E 34 6F 05 E0 DC 0D FB CF 93 9E AF FA 3E 58 7C
86 7D 6E 1C 48 70 38 06
=============== Packet Vector #15 ==================
CAM Key: D7 5C 27 78 07 8C A9 3D 97 1F 96 FD E7 20 F4 CD
Nonce = 00 5F 54 95 0B 18 F2 B1 60 B6 A3 1C 1C
Total packet length = 33. [Input (8 cleartext header octets)]
48 F2 E7 E1 A7 67 1A 51 CD F1 D8 40 6F C2 E9 01
49 53 89 70 05 FB FB 8B A5 72 76 F9 24 04 60 8E
08
CBC IV in: 59 00 5F 54 95 0B 18 F2 B1 60 B6 A3 1C 1C 00 19
CBC IV out:76 74 53 37 95 23 3C F0 EB 77 CE 93 73 06 99 A8
After xor: 76 7C 1B C5 72 C2 9B 97 F1 26 CE 93 73 06 99 A8 [hdr]
After CAM: EF 79 8B 70 34 E4 D5 6B 57 3A F9 44 F0 AF D6 9A
After xor: 22 88 53 30 5B 26 3C 6A 1E 69 70 34 F5 54 2D 11 [msg]
After CAM: 63 BF 4E 10 01 79 38 0B E4 EC C1 39 B2 B4 3B 8C
After xor: C6 CD 38 E9 25 7D 58 85 EC EC C1 39 B2 B4 3B 8C [msg]
After CAM: 39 E1 0E FA BD 2F 43 00 50 9E E7 EB A4 FF 6B 8F
MIC tag : 39 E1 0E FA BD 2F 43 00
CTR Start: 01 00 5F 54 95 0B 18 F2 B1 60 B6 A3 1C 1C 00 01
CTR[0001]: C5 47 A6 A2 73 49 1B 6F 0E 6D C9 F5 9C 12 3B 08
CTR[0002]: C8 18 86 42 3C DB 35 C8 64 4D 8C 4C 58 01 47 27
CTR[MIC ]: 91 E9 76 5D 2D 68 2E E5
Total packet length = 41. [Encrypted]
48 F2 E7 E1 A7 67 1A 51 08 B6 7E E2 1C 8B F2 6E
47 3E 40 85 99 E9 C0 83 6D 6A F0 BB 18 DF 55 46
6C A8 08 78 A7 90 47 6D E5
=============== Packet Vector #16 ==================
CAM Key: D7 5C 27 78 07 8C A9 3D 97 1F 96 FD E7 20 F4 CD
Nonce = 00 EC 60 08 63 31 9A B1 60 B6 A3 1C 1C
Total packet length = 31. [Input (12 cleartext header octets)]
DE 97 DF 3B 8C BD 6D 8E 50 30 DA 4C B0 05 DC FA
0B 59 18 14 26 A9 61 68 5A 99 3D 8C 43 18 5B
CBC IV in: 59 00 EC 60 08 63 31 9A B1 60 B6 A3 1C 1C 00 13
CBC IV out:78 EE 05 5A 88 48 E3 5B 8A 45 46 8F 35 4F 0C A2
After xor: 78 E2 DB CD 57 73 6F E6 E7 CB 16 BF EF 03 0C A2 [hdr]
After CAM: A9 C6 7F 15 00 1A C6 92 81 67 BD EC DF D2 35 C9
After xor: 19 C3 A3 EF 0B 43 DE 86 A7 CE DC 84 85 4B 08 45 [msg]
After CAM: 7C A8 9C 90 46 42 4B E2 4D 96 DF CF BA 12 FD 18
After xor: 3F B0 C7 90 46 42 4B E2 4D 96 DF CF BA 12 FD 18 [msg]
After CAM: 89 C7 B4 E8 A4 24 8C 6C 52 ED 34 50 E3 53 AD F5
MIC tag : 89 C7 B4 E8 A4 24 8C 6C
CTR Start: 01 00 EC 60 08 63 31 9A B1 60 B6 A3 1C 1C 00 01
CTR[0001]: D3 B2 57 B3 6C E8 86 CF 91 9A AC 79 4E 6F 73 3E
CTR[0002]: 65 10 C8 72 39 AF 0F 52 9F D0 A4 DF 54 BF D6 EB
CTR[MIC ]: E1 04 E0 6A 29 B1 80 A9
Total packet length = 39. [Encrypted]
DE 97 DF 3B 8C BD 6D 8E 50 30 DA 4C 63 B7 8B 49
67 B1 9E DB B7 33 CD 11 14 F6 4E B2 26 08 93 68
C3 54 82 8D 95 0C C5
=============== Packet Vector #17 ==================
CAM Key: D7 5C 27 78 07 8C A9 3D 97 1F 96 FD E7 20 F4 CD
Nonce = 00 60 CF F1 A3 1E A1 B1 60 B6 A3 1C 1C
Total packet length = 32. [Input (12 cleartext header octets)]
A5 EE 93 E4 57 DF 05 46 6E 78 2D CF 2E 20 21 12
98 10 5F 12 9D 5E D9 5B 93 F7 2D 30 B2 FA CC D7
CBC IV in: 59 00 60 CF F1 A3 1E A1 B1 60 B6 A3 1C 1C 00 14
CBC IV out:C3 34 69 7D 11 38 73 06 BD 34 E2 10 1F 66 17 E8
After xor: C3 38 CC 93 82 DC 24 D9 B8 72 8C 68 32 A9 17 E8 [hdr]
After CAM: 43 6F 37 74 AB 94 3B 41 EA AD 00 CA C3 99 13 7B
After xor: 6D 4F 16 66 33 84 64 53 77 F3 D9 91 50 6E 3E 4B [msg]
After CAM: 2D 28 FB 62 DA 06 97 A7 4C D4 31 B8 B5 AE AE EE
After xor: 9F D2 37 B5 DA 06 97 A7 4C D4 31 B8 B5 AE AE EE [msg]
After CAM: F3 DE 10 CD 91 4D B1 B6 CC 37 F0 A2 4A 5A B7 A1
MIC tag : F3 DE 10 CD 91 4D B1 B6
CTR Start: 01 00 60 CF F1 A3 1E A1 B1 60 B6 A3 1C 1C 00 01
CTR[0001]: 25 E6 9A F0 30 A9 56 E6 FF C0 3F 87 87 7A 89 74
CTR[0002]: A2 1B 46 23 76 A2 1E DD F2 AC 4B EC 42 95 3D D3
CTR[MIC ]: C2 99 28 FF E7 BB DB 29
Total packet length = 40. [Encrypted]
A5 EE 93 E4 57 DF 05 46 6E 78 2D CF 0B C6 BB E2
A8 B9 09 F4 62 9E E6 DC 14 8D A4 44 10 E1 8A F4
31 47 38 32 76 F6 6A 9F
=============== Packet Vector #18 ==================
CAM Key: D7 5C 27 78 07 8C A9 3D 97 1F 96 FD E7 20 F4 CD
Nonce = 00 0F 85 CD 99 5C 97 B1 60 B6 A3 1C 1C
Total packet length = 33. [Input (12 cleartext header octets)]
24 AA 1B F9 A5 CD 87 61 82 A2 50 74 26 45 94 1E
75 63 2D 34 91 AF 0F C0 C9 87 6C 3B E4 AA 74 68
C9
CBC IV in: 59 00 0F 85 CD 99 5C 97 B1 60 B6 A3 1C 1C 00 15
CBC IV out:72 0A 46 75 0F 40 59 53 F2 3B D2 1F 6A 11 60 F6
After xor: 72 06 62 DF 14 B9 FC 9E 75 5A 50 BD 3A 65 60 F6 [hdr]
After CAM: 67 73 A0 FD D5 7E D3 5E E8 24 06 D0 A1 8B 0E 18
After xor: 41 36 34 E3 A0 1D FE 6A 79 8B 09 10 68 0C 62 23 [msg]
After CAM: BB 1E D8 9F 60 29 D0 99 09 14 06 A5 E3 8B 72 7B
After xor: 5F B4 AC F7 A9 29 D0 99 09 14 06 A5 E3 8B 72 7B [msg]
After CAM: 3E 4F 40 73 D1 31 E9 B8 02 C8 99 BC FD AC 19 4B
MIC tag : 3E 4F 40 73 D1 31 E9 B8
CTR Start: 01 00 0F 85 CD 99 5C 97 B1 60 B6 A3 1C 1C 00 01
CTR[0001]: 04 6F 42 2C 8F 52 FB 9B 06 A3 3B 9F B7 F0 A6 00
CTR[0002]: 34 76 51 DB 89 10 FB E6 73 E8 56 6E DB 66 47 5D
CTR[MIC ]: 9F EC 93 6C 5C 7A AD 0F
Total packet length = 41. [Encrypted]
24 AA 1B F9 A5 CD 87 61 82 A2 50 74 22 2A D6 32
FA 31 D6 AF 97 0C 34 5F 7E 77 CA 3B D0 DC 25 B3
40 A1 A3 D3 1F 8D 4B 44 B7
=============== Packet Vector #19 ==================
CAM Key: D7 5C 27 78 07 8C A9 3D 97 1F 96 FD E7 20 F4 CD
Nonce = 00 C2 9B 2C AA C4 CD B1 60 B6 A3 1C 1C
Total packet length = 31. [Input (8 cleartext header octets)]
69 19 46 B9 CA 07 BE 87 07 01 35 A6 43 7C 9D B1
20 CD 61 D8 F6 C3 9C 3E A1 25 FD 95 A0 D2 3D
CBC IV in: 61 00 C2 9B 2C AA C4 CD B1 60 B6 A3 1C 1C 00 17
CBC IV out:74 AD F8 04 05 2A 48 E7 46 97 38 D5 BA A1 27 79
After xor: 74 A5 91 1D 43 93 82 E0 F8 10 38 D5 BA A1 27 79 [hdr]
After CAM: BD C3 B1 41 1C 64 C8 B3 A9 DC 6A 94 78 97 88 E2
After xor: BA C2 84 E7 5F 18 55 02 89 11 0B 4C 8E 54 14 DC [msg]
After CAM: 7D 6C 8A BF AD 68 48 D8 C5 FB CD 1E AF F2 44 99
After xor: DC 49 77 2A 0D BA 75 D8 C5 FB CD 1E AF F2 44 99 [msg]
After CAM: 19 99 AB 92 5E 30 46 96 3D EF FB 1B 4C 87 F7 76
MIC tag : 19 99 AB 92 5E 30 46 96 3D EF
CTR Start: 01 00 C2 9B 2C AA C4 CD B1 60 B6 A3 1C 1C 00 01
CTR[0001]: 02 B9 D4 1F 87 E0 60 E7 EF DE 6B 7E D3 DE 5E D2
CTR[0002]: 61 49 31 C5 2F 34 AA 47 A3 E4 D3 2C 0B 36 41 C6
CTR[MIC ]: B9 9F C6 C5 96 7B AA 8E 1A 87
Total packet length = 41. [Encrypted]
69 19 46 B9 CA 07 BE 87 05 B8 E1 B9 C4 9C FD 56
CF 13 0A A6 25 1D C2 EC C0 6C CC 50 8F E6 97 A0
06 6D 57 C8 4B EC 18 27 68
=============== Packet Vector #20 ==================
CAM Key: D7 5C 27 78 07 8C A9 3D 97 1F 96 FD E7 20 F4 CD
Nonce = 00 2C 6B 75 95 EE 62 B1 60 B6 A3 1C 1C
Total packet length = 32. [Input (8 cleartext header octets)]
D0 C5 4E CB 84 62 7D C4 C8 C0 88 0E 6C 63 6E 20
09 3D D6 59 42 17 D2 E1 88 77 DB 26 4E 71 A5 CC
CBC IV in: 61 00 2C 6B 75 95 EE 62 B1 60 B6 A3 1C 1C 00 18
CBC IV out:35 A9 48 70 F9 B0 C7 85 FB 32 1A D1 3C 8C A4 9A
After xor: 35 A1 98 B5 B7 7B 43 E7 86 F6 1A D1 3C 8C A4 9A [hdr]
After CAM: 0A 3C E3 0F AC 09 DC 5C 00 10 5C 69 AC 19 F7 19
After xor: C2 FC 6B 01 C0 6A B2 7C 09 2D 8A 30 EE 0E 25 F8 [msg]
After CAM: 61 CD 80 D0 72 E6 84 E1 BF E1 4A 00 27 2A 4D 96
After xor: E9 BA 5B F6 3C 97 21 2D BF E1 4A 00 27 2A 4D 96 [msg]
After CAM: E5 F9 F2 AB 47 FD 7B 8D 6F 72 F4 72 74 D7 69 BB
MIC tag : E5 F9 F2 AB 47 FD 7B 8D 6F 72
CTR Start: 01 00 2C 6B 75 95 EE 62 B1 60 B6 A3 1C 1C 00 01
CTR[0001]: 9C 0E 31 66 B2 81 58 31 5E 63 16 5A 9D BD CE 35
CTR[0002]: 00 3E 66 D3 E0 5F 7E A7 EF C8 9A 5F DD 39 E3 54
CTR[MIC ]: 9A 5E 87 1A 17 10 38 0E AA DB
Total packet length = 42. [Encrypted]
D0 C5 4E CB 84 62 7D C4 54 CE B9 68 DE E2 36 11
57 5E C0 03 DF AA 1C D4 88 49 BD F5 AE 2E DB 6B
7F A7 75 B1 50 ED 43 83 C5 A9
=============== Packet Vector #21 ==================
CAM Key: D7 5C 27 78 07 8C A9 3D 97 1F 96 FD E7 20 F4 CD
Nonce = 00 C5 3C D4 C2 AA 24 B1 60 B6 A3 1C 1C
Total packet length = 33. [Input (8 cleartext header octets)]
E2 85 E0 E4 80 8C DA 3D F7 5D AA 07 10 C4 E6 42
97 79 4D C2 B7 D2 A2 07 57 B1 AA 4E 44 80 02 FF
AB
CBC IV in: 61 00 C5 3C D4 C2 AA 24 B1 60 B6 A3 1C 1C 00 19
CBC IV out:2A 3C 23 B2 43 F5 1C 35 F7 79 5A CB 3B 20 21 2F
After xor: 2A 34 C1 37 A3 11 9C B9 2D 44 5A CB 3B 20 21 2F [hdr]
After CAM: A1 7E AD 4C EE AB 51 21 1D 2A 32 F2 D4 45 A6 D6
After xor: 56 23 07 4B FE 6F B7 63 8A 53 7F 30 63 97 04 D1 [msg]
After CAM: A9 A1 32 55 8F C6 9B 98 A9 CC 23 96 FE CA 84 EB
After xor: FE 10 98 1B CB 46 99 67 02 CC 23 96 FE CA 84 EB [msg]
After CAM: 6A 5E 04 42 D1 A5 7E 17 9A 6C 8B 56 F7 19 80 C5
MIC tag : 6A 5E 04 42 D1 A5 7E 17 9A 6C
CTR Start: 01 00 C5 3C D4 C2 AA 24 B1 60 B6 A3 1C 1C 00 01
CTR[0001]: 46 1D EF 41 AF A2 94 52 5D 51 AE CB 04 49 74 CD
CTR[0002]: 29 2E 62 66 1B 66 9A 2B 97 72 6B 77 32 A8 DC 35
CTR[MIC ]: B8 54 06 A2 6C 6F 93 37 8A BF
Total packet length = 43. [Encrypted]
E2 85 E0 E4 80 8C DA 3D B1 40 45 46 BF 66 72 10
CA 28 E3 09 B3 9B D6 CA 7E 9F C8 28 5F E6 98 D4
3C D2 0A 02 E0 BD CA ED 20 10 D3
=============== Packet Vector #22 ==================
CAM Key: D7 5C 27 78 07 8C A9 3D 97 1F 96 FD E7 20 F4 CD
Nonce = 00 BE E9 26 7F BA DC B1 60 B6 A3 1C 1C
Total packet length = 31. [Input (12 cleartext header octets)]
6C AE F9 94 11 41 57 0D 7C 81 34 05 C2 38 82 2F
AC 5F 98 FF 92 94 05 B0 AD 12 7A 4E 41 85 4E
CBC IV in: 61 00 BE E9 26 7F BA DC B1 60 B6 A3 1C 1C 00 13
CBC IV out:20 60 6A D1 E1 A0 84 52 2F A3 8B F4 88 1D D6 8B
After xor: 20 6C 06 7F 18 34 95 13 78 AE F7 75 BC 18 D6 8B [hdr]
After CAM: 71 FD FF E7 D9 C8 95 75 D3 EC 0B 7E 7B 8B BE E7
After xor: B3 C5 7D C8 75 97 0D 8A 41 78 0E CE D6 99 C4 A9 [msg]
After CAM: CA AD 93 9C 59 BA 40 AA 1A 0B 88 1B EE 3D 3C 65
After xor: 8B 28 DD 9C 59 BA 40 AA 1A 0B 88 1B EE 3D 3C 65 [msg]
After CAM: DC 48 8F AA 9C 75 E7 03 17 56 C2 C7 48 48 8D 1B
MIC tag : DC 48 8F AA 9C 75 E7 03 17 56
CTR Start: 01 00 BE E9 26 7F BA DC B1 60 B6 A3 1C 1C 00 01
CTR[0001]: 56 F0 17 B3 BD 09 02 D6 EA A5 A2 91 AD 4A 2D E5
CTR[0002]: 20 3D 34 21 EF 5B F8 FC 7B 21 5C 76 7B A5 21 A6
CTR[MIC ]: F1 A2 86 9C 2A 9E B8 61 48 0B
Total packet length = 41. [Encrypted]
6C AE F9 94 11 41 57 0D 7C 81 34 05 94 C8 95 9C
11 56 9A 29 78 31 A7 21 00 58 57 AB 61 B8 7A 2D
EA 09 36 B6 EB 5F 62 5F 5D
=============== Packet Vector #23 ==================
CAM Key: D7 5C 27 78 07 8C A9 3D 97 1F 96 FD E7 20 F4 CD
Nonce = 00 DF A8 B1 24 50 07 B1 60 B6 A3 1C 1C
Total packet length = 32. [Input (12 cleartext header octets)]
36 A5 2C F1 6B 19 A2 03 7A B7 01 1E 4D BF 3E 77
4A D2 45 E5 D5 89 1F 9D 1C 32 A0 AE 02 2C 85 D7
CBC IV in: 61 00 DF A8 B1 24 50 07 B1 60 B6 A3 1C 1C 00 14
CBC IV out:78 FD B6 AF 61 9E 1C 8D 82 41 17 A8 73 60 1B 70
After xor: 78 F1 80 0A 4D 6F 77 94 20 42 6D 1F 72 7E 1B 70 [hdr]
After CAM: 62 2E 28 65 92 43 DB 82 88 79 09 1E A7 24 54 67
After xor: 2F 91 16 12 D8 91 9E 67 5D F0 16 83 BB 16 F4 C9 [msg]
After CAM: 95 0E 52 08 FF 16 70 8C 1E D9 BB 06 3E 1E 41 CF
After xor: 97 22 D7 DF FF 16 70 8C 1E D9 BB 06 3E 1E 41 CF [msg]
After CAM: BA CD 51 FC 77 F4 02 8D 47 D5 7D 54 7D 46 33 4B
MIC tag : BA CD 51 FC 77 F4 02 8D 47 D5
CTR Start: 01 00 DF A8 B1 24 50 07 B1 60 B6 A3 1C 1C 00 01
CTR[0001]: 15 D6 DD DD 98 96 39 91 35 75 1A 64 B8 D8 D4 F9
CTR[0002]: 7D 61 6D 1D EB 92 00 2B 6F FA AB 53 BC AF 69 89
CTR[MIC ]: 33 E9 27 BE E1 59 06 9C DB 32
Total packet length = 42. [Encrypted]
36 A5 2C F1 6B 19 A2 03 7A B7 01 1E 58 69 E3 AA
D2 44 7C 74 E0 FC 05 F9 A4 EA 74 57 7F 4D E8 CA
89 24 76 42 96 AD 04 11 9C E7
=============== Packet Vector #24 ==================
CAM Key: D7 5C 27 78 07 8C A9 3D 97 1F 96 FD E7 20 F4 CD
Nonce = 00 3B 8F D8 D3 A9 37 B1 60 B6 A3 1C 1C
Total packet length = 33. [Input (12 cleartext header octets)]
A4 D4 99 F7 84 19 72 8C 19 17 8B 0C 9D C9 ED AE
2F F5 DF 86 36 E8 C6 DE 0E ED 55 F7 86 7E 33 33
7D
CBC IV in: 61 00 3B 8F D8 D3 A9 37 B1 60 B6 A3 1C 1C 00 15
CBC IV out:84 E6 CF DD 6A 37 68 5D E6 71 AD 54 B3 BE FE B9
After xor: 84 EA 6B 09 F3 C0 EC 44 94 FD B4 43 38 B2 FE B9 [hdr]
After CAM: C5 0F A0 62 20 18 F1 21 0E BC 3D 2E 47 B7 B8 C3
After xor: 58 C6 4D CC 0F ED 2E A7 38 54 FB F0 49 5A ED 34 [msg]
After CAM: C4 6F 6D C3 17 3C 2A 7A 81 FC 2D DA 7F B7 C6 60
After xor: 42 11 5E F0 6A 3C 2A 7A 81 FC 2D DA 7F B7 C6 60 [msg]
After CAM: DF AB 2E 76 B0 67 50 B3 7C DD 9A AC F3 79 17 71
MIC tag : DF AB 2E 76 B0 67 50 B3 7C DD
CTR Start: 01 00 3B 8F D8 D3 A9 37 B1 60 B6 A3 1C 1C 00 01
CTR[0001]: D6 D0 6C F8 16 CE D0 F1 A0 E0 AC 71 BA B9 AD 34
CTR[0002]: 76 4A FF 9A 1B F8 55 1F 68 54 39 0A EE 37 24 28
CTR[MIC ]: 4B F4 31 B8 17 86 4B 5D 16 F2
Total packet length = 43. [Encrypted]
A4 D4 99 F7 84 19 72 8C 19 17 8B 0C 4B 19 81 56
39 3B 0F 77 96 08 6A AF B4 54 F8 C3 F0 34 CC A9
66 94 5F 1F CE A7 E1 1B EE 6A 2F
</artwork>
</section>
</section>
<section title='Security Considerations'>
<t>
Camellia-CTR and Camellia-CCM employs counter (CTR) mode for
confidentiality. If a counter
value is ever used for more that one packet with the same key, then
the same key stream will be used to encrypt both packets, and the
confidentiality guarantees are voided.
</t>
<t>
What happens if the encryptor XORs the same key stream with two
different packet plaintexts? Suppose two packets are defined by two
plaintext byte sequences P1, P2, P3 and Q1, Q2, Q3, then both are
encrypted with key stream K1, K2, K3. The two corresponding
ciphertexts are:
</t>
<artwork>
(P1 XOR K1), (P2 XOR K2), (P3 XOR K3)
(Q1 XOR K1), (Q2 XOR K2), (Q3 XOR K3)
</artwork>
<t>
If both of these two ciphertext streams are exposed to an attacker,
then a catastrophic failure of confidentiality results, because:
</t>
<artwork>
(P1 XOR K1) XOR (Q1 XOR K1) = P1 XOR Q1
(P2 XOR K2) XOR (Q2 XOR K2) = P2 XOR Q2
(P3 XOR K3) XOR (Q3 XOR K3) = P3 XOR Q3
</artwork>
<t>
Once the attacker obtains the two plaintexts XORed together, it is
relatively straightforward to separate them. Thus, using any stream
cipher, including Camellia-CTR, to encrypt two plaintexts under the same
key stream leaks the plaintext.
</t>
</section>
<section title='IANA Considerations'>
<t>
There are no IANA assignments to be performed.
</t>
</section>
<section title='Acknowledgments'>
<t>
This document includes text borrowed from RFC 3610.
</t>
</section>
</middle>
<back>
<references title="Normative">
&rfc2119;
&rfc3713;
</references>
<references title="Informative">
&rfc3610;
&rfc3657;
&rfc4051;
&rfc4132;
&rfc4312;
<reference anchor="MODES" target="http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf">
<front>
<title>Recommendation for Block Cipher Modes of Operation - Methods and Techniques</title>
<author initials="M." surname="Dworkin" fullname="Dworkin, M.">
<organization>National Institute of Standards and Technology</organization>
</author>
<date month="November" year="2001" />
</front>
<seriesInfo name="NIST Special Publication" value="800-38A" />
</reference>
<reference anchor="fips.113.1985" target="http://www.itl.nist.gov/fipspubs/fip113.htm">
<front>
<title>Computer Data Authentication</title>
<author>
<organization>National Institute of Standards and Technology</organization>
</author>
<date month="May" year="1985" />
</front>
<seriesInfo name="FIPS" value="PUB 113" />
</reference>
<reference anchor="FIPS.197.2001" target="http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf">
<front>
<title>Advanced Encryption Standard (AES)</title>
<author>
<organization>National Institute of Standards and Technology</organization>
</author>
<date month="November" year="2001" />
</front>
<seriesInfo name="FIPS" value="PUB 197" />
</reference>
<reference anchor="NESSIE" target="http://www.cosic.esat.kuleuven.ac.be/nessie/">
<front>
<title abbrev="NESSIE">The NESSIE project (New European Schemes for Signatures, Integrity and Encryption) </title>
<author>
<organization />
</author>
</front>
</reference>
<reference anchor="CRYPTREC" target="http://www.ipa.go.jp/security/enc/CRYPTREC/index-e.html" >
<front>
<title>Cryptography Research and Evaluation Committees</title>
<author fullname="Information-technology Promotion Agency (IPA)">
<organization>Information-technology Promotion Agency (IPA)</organization>
<address>
<postal>
<street/>
<country>Japan</country>
</postal>
</address>
</author>
</front>
<format type="HTML" target="http://www.ipa.go.jp/security/enc/CRYPTREC/index-e.html." />
</reference>
<reference anchor="ISO/IEC 18033-3">
<front>
<title>Information technology - Security techniques - Encryption algorithms - Part 3: Block ciphers</title>
<author>
<organization>International Organization for Standardization</organization>
</author>
<date month="July" year="2005" />
</front>
<seriesInfo name="ISO/IEC" value="18033-3" />
</reference>
</references>
</back>
</rfc>
| PAFTECH AB 2003-2026 | 2026-04-24 05:40:07 |