Network Working Group A. Kato
Internet-Draft NTT Software Corporation
Intended status: Informational M. Kanda
Expires: September 20, 2008 Nippon Telegraph and Telephone
Corporation
March 19, 2008
Camellia Counter mode and Camellia Counter with CBC Mac mode algorithms
draft-kato-camellia-ctrccm-01
Status of this Memo
By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on September 20, 2008.
Kato & Kanda Expires September 20, 2008 [Page 1]
Internet-Draft Camellia-CTR and Camellia-CCM algorithms March 2008
Abstract
This document describes the algorithms and test vectors of Camellia
block cipher algorithm in Counter (CTR) mode and Counter with Cipher
Block Chaining MAC (CCM) Mode. The purpose of this document is to
make the Camellia-CTR and Camellia-CCM algorithm conveniently
available to the Internet Community.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3
2. The Camellia Cipher Algorithm . . . . . . . . . . . . . . . . 4
2.1. Key Size . . . . . . . . . . . . . . . . . . . . . . . . . 4
2.2. Weak Keys . . . . . . . . . . . . . . . . . . . . . . . . 4
2.3. Block Size and Padding . . . . . . . . . . . . . . . . . . 4
2.4. Performance . . . . . . . . . . . . . . . . . . . . . . . 4
3. Modes of Operation . . . . . . . . . . . . . . . . . . . . . . 6
3.1. Counter . . . . . . . . . . . . . . . . . . . . . . . . . 6
3.1.1. Definitions . . . . . . . . . . . . . . . . . . . . . 6
3.1.2. Camellia-CTR . . . . . . . . . . . . . . . . . . . . . 6
3.2. Counter with CBC-MAC . . . . . . . . . . . . . . . . . . . 8
3.2.1. Definitions . . . . . . . . . . . . . . . . . . . . . 8
3.2.2. Two main parameters . . . . . . . . . . . . . . . . . 9
3.2.3. Inputs . . . . . . . . . . . . . . . . . . . . . . . . 9
3.2.4. Authentication . . . . . . . . . . . . . . . . . . . . 10
3.2.5. Encryption . . . . . . . . . . . . . . . . . . . . . . 12
3.2.6. Output . . . . . . . . . . . . . . . . . . . . . . . . 13
3.2.7. Decryption and Authentication Checking . . . . . . . . 13
4. Test Vectors . . . . . . . . . . . . . . . . . . . . . . . . . 14
4.1. Camellia-CTR . . . . . . . . . . . . . . . . . . . . . . . 14
4.2. Camellia-CCM . . . . . . . . . . . . . . . . . . . . . . . 16
5. Security Considerations . . . . . . . . . . . . . . . . . . . 29
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 30
7. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 31
8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 32
8.1. Normative . . . . . . . . . . . . . . . . . . . . . . . . 32
8.2. Informative . . . . . . . . . . . . . . . . . . . . . . . 32
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 35
Intellectual Property and Copyright Statements . . . . . . . . . . 36
Kato & Kanda Expires September 20, 2008 [Page 2]
Internet-Draft Camellia-CTR and Camellia-CCM algorithms March 2008
1. Introduction
This document describes the use of the Camellia block cipher
algorithm in Counter mode and Counter with CBC-MAC Mode.
Camellia is a symmetric cipher with a Feistel structure. Camellia
was developed jointly by NTT and Mitsubishi Electric Corporation in
2000. It was designed to withstand all known cryptanalytic attacks,
and it has been scrutinized by worldwide cryptographic experts.
Camellia is suitable for implementation in software and hardware,
offering encryption speed in software and hardware implementations
that is comparable to Advanced Encryption Standard (AES) [3].
Camellia supports 128-bit block size and 128-, 192-, and 256-bit key
lengths, i.e., the same interface specifications as the AES.
Therefore, it is easy to implement Camellia based algorithms by
replacing AES block of AES based algorithms to Camellia block.
Camellia is adopted as IETF and several international standardization
organizations. Camellia is already adopted as IPSec [4], TLS [5],
S/MIME [6] and XML [7]. Camellia is adopted for the one of three
ISO/IEC international standard cipher [8] as 128bit block
cipher(Camellia, AES and SEED). Camellia was selected as a
recommended cryptographic primitive by the EU NESSIE (New European
Schemes for Signatures, Integrity and Encryption) project [9] and was
included in the list of cryptographic techniques for Japanese
e-Government systems that was selected by the Japan CRYPTREC
(Cryptography Research and Evaluation Committees) [10].
Since optimized source code is provided by several open source
lisences [14], Camellia is also adopted by several open source
projects(Openssl, FreeBSD, Linux and Gran Paradiso).
The algorithm specification and object identifiers are described in
[1]. The Camellia homepage [15] contains a wealth of information
about Camellia, including detailed specification, security analysis,
performance figures, reference implementation, optimized
implementation, test vectors, and intellectual property information.
1.1. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [2].
Kato & Kanda Expires September 20, 2008 [Page 3]
Internet-Draft Camellia-CTR and Camellia-CCM algorithms March 2008
2. The Camellia Cipher Algorithm
All symmetric block cipher algorithms share common characteristics
and variables, including mode, key size, weak keys, block size, and
rounds. The following sections contain descriptions of the relevant
characteristics of Camellia.
The algorithm specification and object identifiers are described in
[1].
2.1. Key Size
Camellia supports three key sizes: 128 bits, 192 bits, and 256 bits.
The default key size is 128 bits, and all implementations MUST
support this key size. Implementations MAY also support key sizes of
192 bits and 256 bits.
Camellia uses a different number of rounds for each of the defined
key sizes. When a 128-bit key is used, implementations MUST use 18
rounds. When a 192-bit key is used, implementations MUST use 24
rounds. When a 256-bit key is used, implementations MUST use 24
rounds.
2.2. Weak Keys
At the time of writing this document there are no known weak keys for
Camellia.
2.3. Block Size and Padding
Camellia uses a block size of sixteen octets (128 bits).
Padding is required by the algorithms to maintain a 16-octet (128-
bit) block size. Padding MUST be added such that the data to be
encrypted (which includes the ESP Pad Length and Next Header fields)
has a length that is a multiple of 16 octets.
Because of the algorithm specific padding requirement, no additional
padding is required to ensure that the ciphertext terminates on a
4-octet boundary (i.e. maintaining a 16-octet block size guarantees
that the ESP Pad Length and Next Header fields will be right aligned
within a 4-octet word). Additional padding MAY be included as long
as the 16-octet block size is maintained.
2.4. Performance
Performance figures of Camellia are available at
. NESSIE project has
Kato & Kanda Expires September 20, 2008 [Page 4]
Internet-Draft Camellia-CTR and Camellia-CCM algorithms March 2008
reported performance of Optimized Implementations independently [9].
Kato & Kanda Expires September 20, 2008 [Page 5]
Internet-Draft Camellia-CTR and Camellia-CCM algorithms March 2008
3. Modes of Operation
Camellia Counter mode (Camellia-CTR) and Camellia Counter with CBC-
MAC (Camellia-CCM) are discussed in this specification.
Counter mode [11] behave like stream ciphers, but are constructed
based on a block cipher primitive (that is, counter mode operation of
a block cipher results in a stream cipher.)
Counter with CBC Mac mode is a generic authenticate-and-encrypt block
cipher mode [12]. In this specification, CCM is used with the
Camellia [1] block cipher.
3.1. Counter
3.1.1. Definitions
Camellia(K, X)
Output of the Camellia encryption algorithm under the fresh
key K applied to the data block X.
N Nonce.
PT[n] n-th plain text block splited by 128-bit unit.
X || Y Concatenation of two octet strings X and Y.
X XOR Y Bitwise exclusive-OR of two octet strings X and Y of the
same length.
3.1.2. Camellia-CTR
Camellia-CTR requires the encryptor to generate a unique per-packet
value, and communicate this value to the decryptor. This
specification calls this per-packet value an initialization vector
(IV). The same IV and key combination MUST NOT be used more than
once. The encryptor can generate the IV in any manner that ensures
uniqueness. Common approaches to IV generation include incrementing
a counter for each packet and linear feedback shift registers
(LFSRs).
This specification calls for the use of a nonce for additional
protection against precomputation attacks. The nonce value need not
be secret. However, the nonce MUST be unpredictable prior to the
establishment of the IPsec security association that is making use of
Camellia-CTR.
Camellia-CTR has many properties that make it an attractive
Kato & Kanda Expires September 20, 2008 [Page 6]
Internet-Draft Camellia-CTR and Camellia-CCM algorithms March 2008
encryption algorithm for in high-speed networking. Camellia-CTR uses
the Camellia block cipher to create a stream cipher. Data is
encrypted and decrypted by XORing with the key stream produced by
Camellia encrypting sequential counter block values. Camellia-CTR is
easy to implement, and Camellia-CTR can be pipelined and
parallelized. Camellia-CTR also supports key stream precomputation.
Pipelining is possible because Camellia has multiple rounds (see
Section 2.). A hardware implementation (and some software
implementations) can create a pipeline by unwinding the loop implied
by this round structure. For example, after a 16-octet block has
been input, one round later another 16-octet block can be input, and
so on. In Camellia-CTR, these inputs are the sequential counter
block values used to generate the key stream.
Multiple independent Camellia encrypt implementations can also be
used to improve performance. For example, one could use two Camellia
encrypt implementations in parallel, to process a sequence of counter
block values, doubling the effective throughput.
The sender can precompute the key stream. Since the key stream does
not depend on any data in the packet, the key stream can be
precomputed once the nonce and IV are assigned. This precomputation
can reduce packet latency. The receiver cannot perform similar
precomputation because the IV will not be known before the packet
arrives.
When used correctly, Camellia-CTR provides a high level of
confidentiality. Unfortunately, Camellia-CTR is easy to use
incorrectly. Being a stream cipher, any reuse of the per-packet
value, called the IV, with the same nonce and key is catastrophic.
An IV collision immediately leaks information about the plaintext in
both packets. For this reason, it is inappropriate to use this mode
of operation with static keys. Extraordinary measures would be
needed to prevent reuse of an IV value with the static key across
power cycles. To be safe, implementations MUST use fresh keys with
Camellia-CTR.
With Camellia-CTR, it is trivial to use a valid ciphertext to forge
other (valid to the decryptor) ciphertexts. Thus, it is equally
catastrophic to use Camellia-CTR without a companion authentication
function. Implementations MUST use Camellia-CCM such case.
To encrypt a payload with Camellia-CTR, the encryptor partitions the
plaintext, PT, into 128-bit blocks. The final block need not be 128
bits; it can be less.
PT = PT[1] PT[2] ... PT[n]
Kato & Kanda Expires September 20, 2008 [Page 7]
Internet-Draft Camellia-CTR and Camellia-CCM algorithms March 2008
Each PT block is XORed with a block of the key stream to generate the
ciphertext, CT. The Camellia encryption of each counter block
results in 128 bits of key stream. The most significant 96 bits of
the counter block are set to the nonce value, which is 32 bits,
followed by the per-packet IV value, which is 64 bits. The least
significant 32 bits of the counter block are initially set to one.
This counter value is incremented by one to generate subsequent
counter blocks, each resulting in another 128 bits of key stream.
The encryption of n plaintext blocks can be summarized as:
CTRBLK := N || IV || ONE
FOR i := 1 to n-1 DO
CT[i] := PT[i] XOR Camellia(K, CTRBLK)
CTRBLK := CTRBLK + 1
END
CT[n] := PT[n] XOR TRUNC(Camellia(K, CTRBLK))
The TRUNC() function truncates the output of the Camellia encrypt
operation to the same length as the final plaintext block, returning
the most significant bits.
Decryption is similar. The decryption of n ciphertext blocks can be
summarized as:
CTRBLK := N || IV || ONE
FOR i := 1 to n-1 DO
PT[i] := CT[i] XOR Camellia(K, CTRBLK)
CTRBLK := CTRBLK + 1
END
PT[n] := CT[n] XOR TRUNC(Camellia(K, CTRBLK))
3.2. Counter with CBC-MAC
3.2.1. Definitions
l(X) Octet length of variable X.
M Number of octets in authentication field. Valid values of
are 4, 6, 8, 10, 12, 14, and 16.
M' 3bit number calculated by (M-2)/2.
L Number of octets in length field. Valid values are from 2
to 8. This number limits maximam length of message and
length of N.
Kato & Kanda Expires September 20, 2008 [Page 8]
Internet-Draft Camellia-CTR and Camellia-CCM algorithms March 2008
L' 3bit number caluculated by L-1.
K Camellia key. Valid values of l(K) are 16, 24 and 32.
N Nonce.
m Message to authenticate and encrypt. l(m) < 2^(8*L).
AAD Additional authenticated data. 0 =< AAD < 2^64.
3.2.2. Two main parameters
For the generic CCM mode there are two parameter choices. The first
choice is M, the size of the authentication field. The choice of the
value for M involves a trade-off between message expansion and the
probability that an attacker can undetectably modify a message.
Valid values are 4, 6, 8, 10, 12, 14, and 16 octets. The second
choice is L, the size of the length field. This value requires a
trade-off between the maximum message size and the size of the Nonce.
Different applications require different trade-offs, so L is a
parameter. Valid values of L range between 2 octets and 8 octets
(the value L=1 is reserved).
Name Description Size Encoding
---- ---------------------------------------- ------ --------
M Number of octets in authentication field 3 bits (M-2)/2
L Number of octets in length field 3 bits L-1
3.2.3. Inputs
To authenticate and encrypt a message the following information is
required:
1. An encryption key K suitable for the block cipher.
2. A nonce N of 15-L octets. Within the scope of any encryption
key K, the nonce value MUST be unique. That is, the set of
nonce values used with any given key MUST NOT contain any
duplicate values. Using the same nonce for two different
messages encrypted with the same key destroys the security
properties of this mode.
3. The message m, consisting of a string of l(m) octets where 0 <=
l(m) < 2^(8*L). The length restriction ensures that l(m) can be
encoded in a field of L octets.
4. The additional authenticated data AAD where 0 <= AAD < 2^64.
This additional data is authenticated but not encrypted, and is
Kato & Kanda Expires September 20, 2008 [Page 9]
Internet-Draft Camellia-CTR and Camellia-CCM algorithms March 2008
not included in the output of this mode. It can be used to
authenticate plaintext packet headers, or contextual information
that affects the interpretation of the message. Users who do
not wish to authenticate additional data can provide a string of
length zero.
The inputs are summarized as:
Name Description Size
---- ----------------------------------- -----------------------
K Block cipher key Depends on block cipher
N Nonce 15-L octets
m Message to authenticate and encrypt l(m) octets
AAD Additional authenticated data 0 =< AAD < 2^64
3.2.4. Authentication
The first step is to compute the authentication field T. This is done
using CBC-MAC [13]. We first define a sequence of blocks B_0, B_1,
..., B_n and then apply CBC-MAC to these blocks.
The first block B_0 is formatted as follows, where l(m) is encoded in
most-significant-byte first order:
Octet Number Contents
------------ ---------
0 Flags
1 ... 15-L Nonce N
16-L ... 15 l(m)
Within the first block B_0, the Flags field is formatted as follows:
Bit Number Contents
---------- ----------------------
7 Reserved (always zero)
6 Adata
5 ... 3 M'
2 ... 0 L'
Another way say the same thing is: Flags = 64*Adata + 8*M' + L'.
The Reserved bit is reserved for future expansions and should always
be set to zero. The Adata bit is set to zero if AAD = 0, and set to
one if AAD > 0. The M' field is set to (M-2)/2. As M can take on
the even values from 4 to 16, the 3-bit M' field can take on the
values from one to seven. The 3-bit field MUST NOT have a value of
zero, which would correspond to a 16-bit integrity check value. The
L' field encodes the size of the length field used to store l(m).
Kato & Kanda Expires September 20, 2008 [Page 10]
Internet-Draft Camellia-CTR and Camellia-CCM algorithms March 2008
The parameter L can take on the values from 2 to 8 (recall, the value
L=1 is reserved). This value is encoded in the 3-bit L' field using
the values from one to seven by choosing L' = L-1 (the zero value is
reserved).
If AAD > 0 (as indicated by the Adata field), then one or more blocks
of authentication data are added. These blocks contain AAD and a
encoded in a reversible manner. We first construct a string that
encodes AAD.
If 0 < AAD < (2^16 - 2^8), then the length field is encoded as two
octets which contain the value AAD in most-significant-byte first
order.
If (2^16 - 2^8) <= AAD < 2^32, then the length field is encoded as
six octets consisting of the octets 0xff, 0xfe, and four octets
encoding AAD in most-significant-byte-first order.
If 2^32 <= AAD < 2^64, then the length field is encoded as ten octets
consisting of the octets 0xff, 0xff, and eight octets encoding AAD in
most-significant-byte-first order.
The length encoding conventions are summarized in the following
table. Note that all fields are interpreted in most-significant-byte
first order.
First two octets Followed by Comment
----------------- ---------------- -------------------------------
0x0000 Nothing Reserved
0x0001 ... 0xFEFF Nothing For 0 < AAD < (2^16 - 2^8)
0xFF00 ... 0xFFFD Nothing Reserved
0xFFFE 4 octets of AAD For (2^16 - 2^8) <= AAD < 2^32
0xFFFF 8 octets of AAD For 2^32 <= AAD < 2^64
The blocks encoding a are formed by concatenating this string that
encodes AAD with a itself, and splitting the result into 16-octet
blocks, and then padding the last block with zeroes if necessary.
These blocks are appended to the first block B0.
After the (optional) additional authentication blocks have been
added, we add the message blocks. The message blocks are formed by
splitting the message m into 16-octet blocks, and then padding the
last block with zeroes if necessary. If the message m consists of
the empty string, then no blocks are added in this step.
The result is a sequence of blocks B0, B1, ..., Bn. The CBC-MAC is
computed by:
Kato & Kanda Expires September 20, 2008 [Page 11]
Internet-Draft Camellia-CTR and Camellia-CCM algorithms March 2008
X_1 := Camellia( K, B_0 )
X_i+1 := Camellia( K, X_i XOR B_i ) for i=1, ..., n
T := first-M-bytes( X_n+1 )
where T is the MAC value. Note that the last block B_n is XORed with
X_n, and the result is encrypted with the block cipher. If needed,
the ciphertext is truncated to give T.
3.2.5. Encryption
To encrypt the message data we use Counter (CTR) mode. We first
define the key stream blocks by:
S_i := Camellia( K, A_i ) for i=0, 1, 2, ...
The values A_i are formatted as follows, where the Counter field i is
encoded in most-significant-byte first order:
Octet Number Contents
------------ ---------
0 Flags
1 ... 15-L Nonce N
16-L ... 15 Counter i
The Flags field is formatted as follows:
Bit Number Contents
---------- ----------------------
7 Reserved (always zero)
6 Reserved (always zero)
5 ... 3 Zero
2 ... 0 L'
Another way say the same thing is: Flags = L'.
The Reserved bits are reserved for future expansions and MUST be set
to zero. Bit 6 corresponds to the Adata bit in the B_0 block, but as
this bit is not used here, it is reserved and MUST be set to zero.
Bits 3, 4, and 5 are also set to zero, ensuring that all the A blocks
are distinct from B_0, which has the non-zero encoding of M in this
position. Bits 0, 1, and 2 contain L', using the same encoding as in
B_0.
The message is encrypted by XORing the octets of message m with the
first l(m) octets of the concatenation of S_1, S_2, S_3, ... . Note
that S_0 is not used to encrypt the message.
The authentication value U is computed by encrypting T with the key
Kato & Kanda Expires September 20, 2008 [Page 12]
Internet-Draft Camellia-CTR and Camellia-CCM algorithms March 2008
stream block S_0 and truncating it to the desired length.
U := T XOR first-M-bytes( S_0 )
3.2.6. Output
The final result c consists of the encrypted message followed by the
encrypted authentication value U.
3.2.7. Decryption and Authentication Checking
To decrypt a message the following information is required:
1. The encryption key K.
2. The nonce N.
3. The additional authenticated data AAD.
4. The encrypted and authenticated message c.
Decryption starts by recomputing the key stream to recover the
message m and the MAC value T. The message and additional
authentication data is then used to recompute the CBC-MAC value and
check T.
If the T value is not correct, the receiver MUST NOT reveal any
information except for the fact that T is incorrect. The receiver
MUST NOT reveal the decrypted message, the value T, or any other
information.
Kato & Kanda Expires September 20, 2008 [Page 13]
Internet-Draft Camellia-CTR and Camellia-CCM algorithms March 2008
4. Test Vectors
4.1. Camellia-CTR
This section contains nine test vectors(TV), which can be used to
confirm that an implementation has correctly implemented Camellia-
CTR. The first three test vectors use Camellia with a 128 bit key;
the next three test vectors use Camellia with a 192 bit key; and the
last three test vectors use Camellia with a 256 bit key.
TV #1: Encrypting 16 octets using Camellia-CTR with 128-bit key
Camellia Key : AE 68 52 F8 12 10 67 CC 4B F7 A5 76 55 77 F3 9E
Camellia-CTR IV : 00 00 00 00 00 00 00 00
Nonce : 00 00 00 30
Plaintext : 53 69 6E 67 6C 65 20 62 6C 6F 63 6B 20 6D 73 67
Counter Block (1): 00 00 00 30 00 00 00 00 00 00 00 00 00 00 00 01
Key Stream (1): 83 F4 AC FD EE 71 41 F8 4C E8 1F 1D FB 72 78 58
Ciphertext : D0 9D C2 9A 82 14 61 9A 20 87 7C 76 DB 1F 0B 3F
TV #2: Encrypting 32 octets using Camellia-CTR with 128-bit key
Camellia Key : 7E 24 06 78 17 FA E0 D7 43 D6 CE 1F 32 53 91 63
Camellia-CTR IV : C0 54 3B 59 DA 48 D9 0B
Nonce : 00 6C B6 DB
Plaintext : 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
: 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F
Counter Block (1): 00 6C B6 DB C0 54 3B 59 DA 48 D9 0B 00 00 00 01
Key Stream (1): DB F2 C5 8E C4 86 90 D3 D2 75 9A 7C 69 B6 C5 4B
Counter Block (2): 00 6C B6 DB C0 54 3B 59 DA 48 D9 0B 00 00 00 02
Key Stream (2): 3B 9F 9C 1C 25 E5 CA B0 34 6D 0D F8 4F 7D FE 57
Ciphertext : DB F3 C7 8D C0 83 96 D4 DA 7C 90 77 65 BB CB 44
: 2B 8E 8E 0F 31 F0 DC A7 2C 74 17 E3 53 60 E0 48
TV #3: Encrypting 36 octets using Camellia-CTR with 128-bit key
Camellia Key : 76 91 BE 03 5E 50 20 A8 AC 6E 61 85 29 F9 A0 DC
Camellia-CTR IV : 27 77 7F 3F 4A 17 86 F0
Nonce : 00 E0 01 7B
Plaintext : 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
: 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F
: 20 21 22 23
Counter Block (1): 00 E0 01 7B 27 77 7F 3F 4A 17 86 F0 00 00 00 01
Key Stream (1): B1 9C 1D CE CF 70 ED 8F 27 8D 96 E9 41 88 C1 7C
Counter Block (2): 00 E0 01 7B 27 77 7F 3F 4A 17 86 F0 00 00 00 02
Key Stream (2): 8C F7 59 38 48 88 65 E6 57 34 47 86 D2 85 97 D2
Counter Block (3): 00 E0 01 7B 27 77 7F 3F 4A 17 86 F0 00 00 00 03
Key Stream (3): FF 71 A4 B5 D8 86 12 53 6A 9D 10 A1 13 0F 14 F8
Ciphertext : B1 9D 1F CD CB 75 EB 88 2F 84 9C E2 4D 85 CF 73
: 9C E6 4B 2B 5C 9D 73 F1 4F 2D 5D 9D CE 98 89 CD
Kato & Kanda Expires September 20, 2008 [Page 14]
Internet-Draft Camellia-CTR and Camellia-CCM algorithms March 2008
: DF 50 86 96
TV #4: Encrypting 16 octets using Camellia-CTR with 192-bit key
Camellia Key : 16 AF 5B 14 5F C9 F5 79 C1 75 F9 3E 3B FB 0E ED
: 86 3D 06 CC FD B7 85 15
Camellia-CTR IV : 36 73 3C 14 7D 6D 93 CB
Nonce : 00 00 00 48
Plaintext : 53 69 6E 67 6C 65 20 62 6C 6F 63 6B 20 6D 73 67
Counter Block (1): 00 00 00 48 36 73 3C 14 7D 6D 93 CB 00 00 00 01
Key Stream (1): 70 10 57 F9 E6 E8 0B 49 7A 1F 4C AC AB F3 E5 F1
Ciphertext : 23 79 39 9E 8A 8D 2B 2B 16 70 2F C7 8B 9E 96 96
TV #5: Encrypting 32 octets using Camellia-CTR with 192-bit key
Camellia Key : 7C 5C B2 40 1B 3D C3 3C 19 E7 34 08 19 E0 F6 9C
: 67 8C 3D B8 E6 F6 A9 1A
Camellia-CTR IV : 02 0C 6E AD C2 CB 50 0D
Nonce : 00 96 B0 3B
Plaintext : 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
: 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F
Counter Block (1): 00 96 B0 3B 02 0C 6E AD C2 CB 50 0D 00 00 00 01
Key Stream (1): 7D EE 36 F4 A1 D5 E2 12 6F 42 75 F7 A2 6A C9 52
Counter Block (2): 00 96 B0 3B 02 0C 6E AD C2 CB 50 0D 00 00 00 02
Key Stream (2): C0 09 AA 7C E6 25 47 F7 4E 20 30 82 EF 47 52 F2
Ciphertext : 7D EF 34 F7 A5 D0 E4 15 67 4B 7F FC AE 67 C7 5D
: D0 18 B8 6F F2 30 51 E0 56 39 2A 99 F3 5A 4C ED
TV #6: Encrypting 36 octets using Camellia-CTR with 192-bit key
Camellia Key : 02 BF 39 1E E8 EC B1 59 B9 59 61 7B 09 65 27 9B
: F5 9B 60 A7 86 D3 E0 FE
Camellia-CTR IV : 5C BD 60 27 8D CC 09 12
Nonce : 00 07 BD FD
Plaintext : 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
: 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F
: 20 21 22 23
Counter Block (1): 00 07 BD FD 5C BD 60 27 8D CC 09 12 00 00 00 01
Key Stream (1): 57 11 E7 55 E5 4D 7C 27 BD A5 04 78 FD 93 40 77
Counter Block (2): 00 07 BD FD 5C BD 60 27 8D CC 09 12 00 00 00 02
Key Stream (2): 66 E2 6D CF 85 A4 F9 5A 55 B4 F2 FD 7A BB 53 11
Counter Block (3): 00 07 BD FD 5C BD 60 27 8D CC 09 12 00 00 00 03
Key Stream (3): F5 76 89 74 63 52 A8 C5 1E 82 DE 66 C3 9F 38 34
Ciphertext : 57 10 E5 56 E1 48 7A 20 B5 AC 0E 73 F1 9E 4E 78
: 76 F3 7F DC 91 B1 EF 4D 4D AD E8 E6 66 A6 4D 0E
: D5 57 AB 57
TV #7: Encrypting 16 octets using Camellia-CTR with 256-bit key
Camellia Key : 77 6B EF F2 85 1D B0 6F 4C 8A 05 42 C8 69 6F 6C
: 6A 81 AF 1E EC 96 B4 D3 7F C1 D6 89 E6 C1 C1 04
Camellia-CTR IV : DB 56 72 C9 7A A8 F0 B2
Kato & Kanda Expires September 20, 2008 [Page 15]
Internet-Draft Camellia-CTR and Camellia-CCM algorithms March 2008
Nonce : 00 00 00 60
Plaintext : 53 69 6E 67 6C 65 20 62 6C 6F 63 6B 20 6D 73 67
Counter Block (1): 00 00 00 60 DB 56 72 C9 7A A8 F0 B2 00 00 00 01
Key Stream (1): 67 68 97 AF 48 1B DF AC D1 06 F7 1A 6C 76 C8 76
Ciphertext : 34 01 F9 C8 24 7E FF CE BD 69 94 71 4C 1B BB 11
TV #8: Encrypting 32 octets using Camellia-CTR with 256-bit key
Camellia Key : F6 D6 6D 6B D5 2D 59 BB 07 96 36 58 79 EF F8 86
: C6 6D D5 1A 5B 6A 99 74 4B 50 59 0C 87 A2 38 84
Camellia-CTR IV : C1 58 5E F1 5A 43 D8 75
Nonce : 00 FA AC 24
Plaintext : 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
: 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F
Counter Block (1): 00 FA AC 24 C1 58 5E F1 5A 43 D8 75 00 00 00 01
Key Stream (1): D6 C2 01 91 20 6A 7E 0F A0 35 21 29 A4 8E 90 4A
Counter Block (2): 00 FA AC 24 C1 58 5E F1 5A 43 D8 75 00 00 00 02
Key Stream (2): F5 0D C6 99 08 CA 56 79 A4 85 D8 C8 B7 9E 5F 17
Ciphertext : D6 C3 03 92 24 6F 78 08 A8 3C 2B 22 A8 83 9E 45
: E5 1C D4 8A 1C DF 40 6E BC 9C C2 D3 AB 83 41 08
TV #9: Encrypting 36 octets using Camellia-CTR with 256-bit key
Camellia Key : FF 7A 61 7C E6 91 48 E4 F1 72 6E 2F 43 58 1D E2
: AA 62 D9 F8 05 53 2E DF F1 EE D6 87 FB 54 15 3D
Camellia-CTR IV : 51 A5 1D 70 A1 C1 11 48
Nonce : 00 1C C5 B7
Plaintext : 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
: 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F
: 20 21 22 23
Counter Block (1): 00 1C C5 B7 51 A5 1D 70 A1 C1 11 48 00 00 00 01
Key Stream (1): A4 DB 21 FF E2 A0 F9 AD 65 6D A4 91 0A 5F AA 23
Counter Block (2): 00 1C C5 B7 51 A5 1D 70 A1 C1 11 48 00 00 00 02
Key Stream (2): C1 70 B1 58 71 EC 71 88 6D D9 05 0B 03 6C 39 70
Counter Block (3): 00 1C C5 B7 51 A5 1D 70 A1 C1 11 48 00 00 00 03
Key Stream (3): 35 CE 2F AE 90 78 B3 72 F5 76 12 39 1F 8B AF BF
Ciphertext : A4 DA 23 FC E6 A5 FF AA 6D 64 AE 9A 06 52 A4 2C
: D1 61 A3 4B 65 F9 67 9F 75 C0 1F 10 1F 71 27 6F
: 15 EF 0D 8D
4.2. Camellia-CCM
This section contains twenty four test vectors, which can be used to
confirm that an implementation has correctly implemented Camellia-
CCM. In each of these test vectors, the least significant sixteen
bits of the counter block is used for the block counter, and the
nonce is 13 octets. Some of the test vectors include a eight octet
authentication value, and others include a ten octet authentication
value.
Kato & Kanda Expires September 20, 2008 [Page 16]
Internet-Draft Camellia-CTR and Camellia-CCM algorithms March 2008
=============== Packet Vector #1 ==================
CAM Key: C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF
Nonce = 00 00 00 03 02 01 00 A0 A1 A2 A3 A4 A5
Total packet length = 31. [Input (8 cleartext header octets)]
00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E
CBC IV in: 59 00 00 00 03 02 01 00 A0 A1 A2 A3 A4 A5 00 17
CBC IV out:D4 DB CD 92 A8 96 41 56 1D 0D BB D0 D5 7F 7E 1D
After xor: D4 D3 CD 93 AA 95 45 53 1B 0A BB D0 D5 7F 7E 1D [hdr]
After CAM: BD 84 03 80 73 59 37 B7 CE F5 E4 BA 1B 18 54 DC
After xor: B5 8D 09 8B 7F 54 39 B8 DE E4 F6 A9 0F 0D 42 CB [msg]
After CAM: CE 21 82 9C F6 F2 4D A2 CB 35 D1 FD 81 27 63 EC
After xor: D6 38 98 87 EA EF 53 A2 CB 35 D1 FD 81 27 63 EC [msg]
After CAM: 20 11 FE E2 53 B1 A7 DB 02 77 FA 37 6D 78 EE 10
MIC tag : 20 11 FE E2 53 B1 A7 DB
CTR Start: 01 00 00 00 03 02 01 00 A0 A1 A2 A3 A4 A5 00 01
CTR[0001]: B2 7A 7B 8E EB 14 3F 0B 82 E2 98 4C 06 44 CC 42
CTR[0002]: E2 E2 D3 52 98 97 13 45 D1 63 22 90 E7 F8 15 4A
CTR[MIC ]: DC BF 30 96 38 8C 1E 76
Total packet length = 39. [Encrypted]
00 01 02 03 04 05 06 07 BA 73 71 85 E7 19 31 04
92 F3 8A 5F 12 51 DA 55 FA FB C9 49 84 8A 0D FC
AE CE 74 6B 3D B9 AD
=============== Packet Vector #2 ==================
CAM Key: C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF
Nonce = 00 00 00 04 03 02 01 A0 A1 A2 A3 A4 A5
Total packet length = 32. [Input (8 cleartext header octets)]
00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F
CBC IV in: 59 00 00 00 04 03 02 01 A0 A1 A2 A3 A4 A5 00 18
CBC IV out:07 0B 22 50 8A 24 3C DD 5B BA 54 DB 60 52 88 06
After xor: 07 03 22 51 88 27 38 D8 5D BD 54 DB 60 52 88 06 [hdr]
After CAM: 10 FD C2 F2 90 4A 9F 96 B0 4F 62 A4 A1 A9 31 1E
After xor: 18 F4 C8 F9 9C 47 91 99 A0 5E 70 B7 B5 BC 27 09 [msg]
After CAM: E4 C8 82 02 89 55 5C 15 CE 7F E4 60 B1 B9 5A 08
After xor: FC D1 98 19 95 48 42 0A CE 7F E4 60 B1 B9 5A 08 [msg]
After CAM: D2 96 BA 4F 83 DE B5 DF A2 19 08 F7 47 4E 3C 40
MIC tag : D2 96 BA 4F 83 DE B5 DF
CTR Start: 01 00 00 00 04 03 02 01 A0 A1 A2 A3 A4 A5 00 01
CTR[0001]: 55 2C 6E B4 82 A2 EF D6 85 37 FE 12 79 0E E6 55
CTR[0002]: 54 E2 C8 D6 7E 99 91 2C F2 8A D7 8E 83 04 10 36
CTR[MIC ]: B2 24 93 12 71 9C 36 37
Total packet length = 40. [Encrypted]
00 01 02 03 04 05 06 07 5D 25 64 BF 8E AF E1 D9
95 26 EC 01 6D 1B F0 42 4C FB D2 CD 62 84 8F 33
60 B2 29 5D F2 42 83 E8
Kato & Kanda Expires September 20, 2008 [Page 17]
Internet-Draft Camellia-CTR and Camellia-CCM algorithms March 2008
=============== Packet Vector #3 ==================
CAM Key: C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF
Nonce = 00 00 00 05 04 03 02 A0 A1 A2 A3 A4 A5
Total packet length = 33. [Input (8 cleartext header octets)]
00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F
20
CBC IV in: 59 00 00 00 05 04 03 02 A0 A1 A2 A3 A4 A5 00 19
CBC IV out:6F 69 15 DF A6 A0 DF 24 84 A7 37 88 A3 65 F9 2E
After xor: 6F 61 15 DE A4 A3 DB 21 82 A0 37 88 A3 65 F9 2E [hdr]
After CAM: 59 5D 99 48 79 04 DA C9 13 93 36 C9 11 A8 09 1D
After xor: 51 54 93 43 75 09 D4 C6 03 82 24 DA 05 BD 1F 0A [msg]
After CAM: 1A 43 D7 19 65 43 97 C1 43 6F 4F 11 A7 6C 6B ED
After xor: 02 5A CD 02 79 5E 89 DE 63 6F 4F 11 A7 6C 6B ED [msg]
After CAM: 30 0B 06 8A A0 D1 4D C5 9E 44 22 84 82 45 42 0B
MIC tag : 30 0B 06 8A A0 D1 4D C5
CTR Start: 01 00 00 00 05 04 03 02 A0 A1 A2 A3 A4 A5 00 01
CTR[0001]: 89 FF 69 DD CB 75 76 18 E9 31 24 1B AD 97 BB 02
CTR[0002]: C4 32 A7 9C CB 4B E9 8D 24 A8 F0 AB C6 87 16 11
CTR[MIC ]: C5 5A D0 E2 8F F2 E7 83
Total packet length = 41. [Encrypted]
00 01 02 03 04 05 06 07 81 F6 63 D6 C7 78 78 17
F9 20 36 08 B9 82 AD 15 DC 2B BD 87 D7 56 F7 92
04 F5 51 D6 68 2F 23 AA 46
=============== Packet Vector #4 ==================
CAM Key: C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF
Nonce = 00 00 00 06 05 04 03 A0 A1 A2 A3 A4 A5
Total packet length = 31. [Input (12 cleartext header octets)]
00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E
CBC IV in: 59 00 00 00 06 05 04 03 A0 A1 A2 A3 A4 A5 00 13
CBC IV out:F5 51 CF 6C 7C F7 D4 0B 2B 76 F1 6B 57 F0 19 FE
After xor: F5 5D CF 6D 7E F4 D0 0E 2D 71 F9 62 5D FB 19 FE [hdr]
After CAM: 02 2B 21 1B EB 97 02 3B F8 10 7D CC 62 14 E5 7C
After xor: 0E 26 2F 14 FB 86 10 28 EC 05 6B DB 7A 0D FF 67 [msg]
After CAM: 48 14 A4 2D 31 25 1C 37 19 C5 6F DD 5A 37 81 42
After xor: 54 09 BA 2D 31 25 1C 37 19 C5 6F DD 5A 37 81 42 [msg]
After CAM: CF 85 25 D2 80 D5 F0 09 53 2C 9D 43 4E F3 04 47
MIC tag : CF 85 25 D2 80 D5 F0 09
CTR Start: 01 00 00 00 06 05 04 03 A0 A1 A2 A3 A4 A5 00 01
CTR[0001]: C6 E2 10 8D 62 00 A2 9C 6F CC 19 1F DF 6B 92 DB
CTR[0002]: 6C B9 BE EE 1E A2 E9 B3 2D D6 C2 9A E8 26 D5 C2
CTR[MIC ]: 44 BF B6 E8 E3 31 67 A9
Total packet length = 39. [Encrypted]
00 01 02 03 04 05 06 07 08 09 0A 0B CA EF 1E 82
72 11 B0 8F 7B D9 0F 08 C7 72 88 C0 70 A4 A0 8B
3A 93 3A 63 E4 97 A0
Kato & Kanda Expires September 20, 2008 [Page 18]
Internet-Draft Camellia-CTR and Camellia-CCM algorithms March 2008
=============== Packet Vector #5 ==================
CAM Key: C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF
Nonce = 00 00 00 07 06 05 04 A0 A1 A2 A3 A4 A5
Total packet length = 32. [Input (12 cleartext header octets)]
00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F
CBC IV in: 59 00 00 00 07 06 05 04 A0 A1 A2 A3 A4 A5 00 14
CBC IV out:73 72 9D 76 7A BD B9 82 60 3A 12 7B EF 26 FB 80
After xor: 73 7E 9D 77 78 BE BD 87 66 3D 1A 72 E5 2D FB 80 [hdr]
After CAM: E1 B7 A6 72 E2 5C 87 75 91 21 22 A4 07 13 CD 5B
After xor: ED BA A8 7D F2 4D 95 66 85 34 34 B3 1F 0A D7 40 [msg]
After CAM: 13 2F 58 D9 5D 0F 95 B8 90 BF 6F 1D 31 84 54 C7
After xor: 0F 32 46 C6 5D 0F 95 B8 90 BF 6F 1D 31 84 54 C7 [msg]
After CAM: 47 8F 1E B0 71 24 8B 13 AF C8 C8 44 E6 0F 88 B6
MIC tag : 47 8F 1E B0 71 24 8B 13
CTR Start: 01 00 00 00 07 06 05 04 A0 A1 A2 A3 A4 A5 00 01
CTR[0001]: 26 DE B4 D6 5F D4 3C 81 AA 56 98 95 64 09 39 A2
CTR[0002]: 76 97 69 3A 21 13 0C 39 2E 4E EB BF 48 7B 24 BE
CTR[MIC ]: C8 2E 65 17 82 15 50 1A
Total packet length = 40. [Encrypted]
00 01 02 03 04 05 06 07 08 09 0A 0B 2A D3 BA D9
4F C5 2E 92 BE 43 8E 82 7C 10 23 B9 6A 8A 77 25
8F A1 7B A7 F3 31 DB 09
=============== Packet Vector #6 ==================
CAM Key: C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF
Nonce = 00 00 00 08 07 06 05 A0 A1 A2 A3 A4 A5
Total packet length = 33. [Input (12 cleartext header octets)]
00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F
20
CBC IV in: 59 00 00 00 08 07 06 05 A0 A1 A2 A3 A4 A5 00 15
CBC IV out:EB 59 05 CC 3F 52 61 10 26 24 75 93 DD B9 A0 F4
After xor: EB 55 05 CD 3D 51 65 15 20 23 7D 9A D7 B2 A0 F4 [hdr]
After CAM: 18 A9 AE A4 3D D2 A9 11 6C 0A E5 4F 40 D1 4D 9F
After xor: 14 A4 A0 AB 2D C3 BB 02 78 1F F3 58 58 C8 57 84 [msg]
After CAM: FA C4 13 18 98 54 1B 54 93 9C 64 B8 CB FD 5B 18
After xor: E6 D9 0D 07 B8 54 1B 54 93 9C 64 B8 CB FD 5B 18 [msg]
After CAM: 49 E6 E8 ED 32 FB CA 2F 2E 55 CD AF D0 F2 B3 05
MIC tag : 49 E6 E8 ED 32 FB CA 2F
CTR Start: 01 00 00 00 08 07 06 05 A0 A1 A2 A3 A4 A5 00 01
CTR[0001]: F2 A8 46 04 B5 2E BA C0 D7 51 34 BD D6 54 FC 64
CTR[0002]: E6 26 A9 24 8B E6 86 CB 92 D6 FB FC 2E F2 91 98
CTR[MIC ]: E2 D0 49 03 7D 1B 34 07
Total packet length = 41. [Encrypted]
00 01 02 03 04 05 06 07 08 09 0A 0B FE A5 48 0B
A5 3F A8 D3 C3 44 22 AA CE 4D E6 7F FA 3B B7 3B
AB AB 36 A1 EE 4F E0 FE 28
Kato & Kanda Expires September 20, 2008 [Page 19]
Internet-Draft Camellia-CTR and Camellia-CCM algorithms March 2008
=============== Packet Vector #7 ==================
CAM Key: C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF
Nonce = 00 00 00 09 08 07 06 A0 A1 A2 A3 A4 A5
Total packet length = 31. [Input (8 cleartext header octets)]
00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E
CBC IV in: 61 00 00 00 09 08 07 06 A0 A1 A2 A3 A4 A5 00 17
CBC IV out:AC F1 5D 79 99 1A 15 BF 5C DC F6 C4 45 AE 1F CB
After xor: AC F9 5D 78 9B 19 11 BA 5A DB F6 C4 45 AE 1F CB [hdr]
After CAM: E9 C0 AC FD C7 E8 E7 1D FA E8 8B 66 95 9E 01 45
After xor: E1 C9 A6 F6 CB E5 E9 12 EA F9 99 75 81 8B 17 52 [msg]
After CAM: 9C FF ED 72 09 A6 7D 2A 48 B7 29 BF D8 BE 39 59
After xor: 84 E6 F7 69 15 BB 63 2A 48 B7 29 BF D8 BE 39 59 [msg]
After CAM: 4F 41 FA DE B2 58 F3 32 54 0A 55 7A 80 4A A3 F5
MIC tag : 4F 41 FA DE B2 58 F3 32 54 0A
CTR Start: 01 00 00 00 09 08 07 06 A0 A1 A2 A3 A4 A5 00 01
CTR[0001]: 5C 5A 2A 2D E9 41 1F 95 9D 27 CB FF 7A 0B CF 63
CTR[0002]: 0E D1 6A 97 57 41 32 4F 33 1B 4A 42 B1 4A 54 63
CTR[MIC ]: E3 EE 59 62 7D 22 BD 8D C1 79
Total packet length = 41. [Encrypted]
00 01 02 03 04 05 06 07 54 53 20 26 E5 4C 11 9A
8D 36 D9 EC 6E 1E D9 74 16 C8 70 8C 4B 5C 2C AC
AF A3 BC CF 7A 4E BF 95 73
=============== Packet Vector #8 ==================
CAM Key: C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF
Nonce = 00 00 00 0A 09 08 07 A0 A1 A2 A3 A4 A5
Total packet length = 32. [Input (8 cleartext header octets)]
00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F
CBC IV in: 61 00 00 00 0A 09 08 07 A0 A1 A2 A3 A4 A5 00 18
CBC IV out:AD CA 1C 1D 45 E7 E2 62 58 D5 DA 46 D8 2F 69 3A
After xor: AD C2 1C 1C 47 E4 E6 67 5E D2 DA 46 D8 2F 69 3A [hdr]
After CAM: FA DE 0E B4 3E CA C1 E9 69 BB 8C A4 7C 0D 80 8F
After xor: F2 D7 04 BF 32 C7 CF E6 79 AA 9E B7 68 18 96 98 [msg]
After CAM: D2 87 35 C2 D0 E4 AE 4E BC C2 99 FF B3 77 F8 A1
After xor: CA 9E 2F D9 CC F9 B0 51 BC C2 99 FF B3 77 F8 A1 [msg]
After CAM: BD F6 FB 55 9E 90 C0 E7 DF 4B 0C 37 DC 42 32 A2
MIC tag : BD F6 FB 55 9E 90 C0 E7 DF 4B
CTR Start: 01 00 00 00 0A 09 08 07 A0 A1 A2 A3 A4 A5 00 01
CTR[0001]: 82 D8 91 0B 16 8A DF 47 E4 C8 39 FC 20 47 4A DB
CTR[0002]: FB BF 26 7E 0E BB EB 6A 07 4E 29 CF 3D 12 E6 DB
CTR[MIC ]: CE 7E 1F C4 A0 61 87 E6 2B 0A
Total packet length = 42. [Encrypted]
00 01 02 03 04 05 06 07 8A D1 9B 00 1A 87 D1 48
F4 D9 2B EF 34 52 5C CC E3 A6 3C 65 12 A6 F5 75
73 88 E4 91 3E F1 47 01 F4 41
Kato & Kanda Expires September 20, 2008 [Page 20]
Internet-Draft Camellia-CTR and Camellia-CCM algorithms March 2008
=============== Packet Vector #9 ==================
CAM Key: C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF
Nonce = 00 00 00 0B 0A 09 08 A0 A1 A2 A3 A4 A5
Total packet length = 33. [Input (8 cleartext header octets)]
00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F
20
CBC IV in: 61 00 00 00 0B 0A 09 08 A0 A1 A2 A3 A4 A5 00 19
CBC IV out:D0 A9 A5 94 00 63 86 40 11 0D DB 40 CA F8 4A 9C
After xor: D0 A1 A5 95 02 60 82 45 17 0A DB 40 CA F8 4A 9C [hdr]
After CAM: 7B CA 4E 2D 79 82 0D 1E 15 22 DD E8 37 B9 B1 F0
After xor: 73 C3 44 26 75 8F 03 11 05 33 CF FB 23 AC A7 E7 [msg]
After CAM: 6B 75 9F 83 C0 8F 56 64 F2 FA D5 7F 67 01 B8 21
After xor: 73 6C 85 98 DC 92 48 7B D2 FA D5 7F 67 01 B8 21 [msg]
After CAM: 7D B7 BE FF 72 F3 26 74 9E 20 07 28 1E 5B 1A 8A
MIC tag : 7D B7 BE FF 72 F3 26 74 9E 20
CTR Start: 01 00 00 00 0B 0A 09 08 A0 A1 A2 A3 A4 A5 00 01
CTR[0001]: 55 B9 87 69 4C 73 60 3E C6 1E 8E B1 D2 11 62 36
CTR[0002]: 82 D9 A4 4B DC C9 BB 68 A7 FE 15 A5 19 51 57 87
CTR[MIC ]: E9 61 5C CF BF D6 EF 8A 21 A7
Total packet length = 43. [Encrypted]
00 01 02 03 04 05 06 07 5D B0 8D 62 40 7E 6E 31
D6 0F 9C A2 C6 04 74 21 9A C0 BE 50 C0 D4 A5 77
87 94 D6 E2 30 CD 25 C9 FE BF 87
=============== Packet Vector #10 ==================
CAM Key: C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF
Nonce = 00 00 00 0C 0B 0A 09 A0 A1 A2 A3 A4 A5
Total packet length = 31. [Input (12 cleartext header octets)]
00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E
CBC IV in: 61 00 00 00 0C 0B 0A 09 A0 A1 A2 A3 A4 A5 00 13
CBC IV out:B1 85 73 A3 1C 6F EC 01 90 E3 CE 94 27 11 04 B9
After xor: B1 89 73 A2 1E 6C E8 04 96 E4 C6 9D 2D 1A 04 B9 [hdr]
After CAM: A6 AD EA 9C FA 3F 76 78 4C 17 8A F3 DC 69 F0 82
After xor: AA A0 E4 93 EA 2E 64 6B 58 02 9C E4 C4 70 EA 99 [msg]
After CAM: 35 50 B7 27 78 F8 C6 BF 02 4B 65 60 05 C0 E1 ED
After xor: 29 4D A9 27 78 F8 C6 BF 02 4B 65 60 05 C0 E1 ED [msg]
After CAM: 3D B5 A6 E6 85 AF 1C 58 80 B0 32 2E 01 74 91 FC
MIC tag : 3D B5 A6 E6 85 AF 1C 58 80 B0
CTR Start: 01 00 00 00 0C 0B 0A 09 A0 A1 A2 A3 A4 A5 00 01
CTR[0001]: D7 1C 82 C1 D1 A9 64 0F 93 69 CE 81 22 7E CC E8
CTR[0002]: A7 A1 42 44 32 4E 69 FE 4C D0 36 65 A5 31 0B AB
CTR[MIC ]: ED 27 3F 0D 94 5C 0E AA B2 87
Total packet length = 41. [Encrypted]
00 01 02 03 04 05 06 07 08 09 0A 0B DB 11 8C CE
C1 B8 76 1C 87 7C D8 96 3A 67 D6 F3 BB BC 5C D0
92 99 EB 11 F3 12 F2 32 37
Kato & Kanda Expires September 20, 2008 [Page 21]
Internet-Draft Camellia-CTR and Camellia-CCM algorithms March 2008
=============== Packet Vector #11 ==================
CAM Key: C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF
Nonce = 00 00 00 0D 0C 0B 0A A0 A1 A2 A3 A4 A5
Total packet length = 32. [Input (12 cleartext header octets)]
00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F
CBC IV in: 61 00 00 00 0D 0C 0B 0A A0 A1 A2 A3 A4 A5 00 14
CBC IV out:45 DF B5 07 6F BB 10 EA F1 15 15 AD 21 4F B0 0E
After xor: 45 D3 B5 06 6D B8 14 EF F7 12 1D A4 2B 44 B0 0E [hdr]
After CAM: 17 52 F9 6D DD BC 5B 1C 1E EB 80 FC F6 10 AC 03
After xor: 1B 5F F7 62 CD AD 49 0F 0A FE 96 EB EE 09 B6 18 [msg]
After CAM: BE F0 A0 B9 EC 94 B6 B3 E8 EC 1B 82 14 14 09 87
After xor: A2 ED BE A6 EC 94 B6 B3 E8 EC 1B 82 14 14 09 87 [msg]
After CAM: 70 16 E4 F9 C4 2C 30 10 84 BF EC 69 34 89 91 FD
MIC tag : 70 16 E4 F9 C4 2C 30 10 84 BF
CTR Start: 01 00 00 00 0D 0C 0B 0A A0 A1 A2 A3 A4 A5 00 01
CTR[0001]: 70 C5 33 82 D4 80 11 41 4F 5D 2B D2 D2 67 B3 B0
CTR[0002]: 9D 36 6E 49 39 C5 16 76 5C 1C 25 12 81 79 94 70
CTR[MIC ]: 77 8B 4B 03 1E 3A FC DF A8 F1
Total packet length = 42. [Encrypted]
00 01 02 03 04 05 06 07 08 09 0A 0B 7C C8 3D 8D
C4 91 03 52 5B 48 3D C5 CA 7E A9 AB 81 2B 70 56
07 9D AF FA DA 16 CC CF 2C 4E
=============== Packet Vector #12 ==================
CAM Key: C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF
Nonce = 00 00 00 0E 0D 0C 0B A0 A1 A2 A3 A4 A5
Total packet length = 33. [Input (12 cleartext header octets)]
00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F
20
CBC IV in: 61 00 00 00 0E 0D 0C 0B A0 A1 A2 A3 A4 A5 00 15
CBC IV out:81 E4 EB 1E 50 A9 70 CE 18 CA 1A 4B 68 39 80 2E
After xor: 81 E8 EB 1F 52 AA 74 CB 1E CD 12 42 62 32 80 2E [hdr]
After CAM: 04 AB D9 62 34 B9 8F 32 8C 0F 08 3F 3D 87 9D 57
After xor: 08 A6 D7 6D 24 A8 9D 21 98 1A 1E 28 25 9E 87 4C [msg]
After CAM: BD A2 EA CB 3A DA 6A E7 9F BB C2 2C E6 4C 98 89
After xor: A1 BF F4 D4 1A DA 6A E7 9F BB C2 2C E6 4C 98 89 [msg]
After CAM: B6 FC E1 46 D3 EA DC 91 E0 AB 10 AD D8 55 E7 03
MIC tag : B6 FC E1 46 D3 EA DC 91 E0 AB
CTR Start: 01 00 00 00 0E 0D 0C 0B A0 A1 A2 A3 A4 A5 00 01
CTR[0001]: 20 DE 55 87 30 C3 2C 69 B7 44 A6 FE 37 DE 89 7C
CTR[0002]: 3F 96 32 D8 68 6D C2 B5 22 97 42 27 EB F9 26 5E
CTR[MIC ]: 7D 45 AD 6F 94 93 E1 F5 4F DE
Total packet length = 43. [Encrypted]
00 01 02 03 04 05 06 07 08 09 0A 0B 2C D3 5B 88
20 D2 3E 7A A3 51 B0 E9 2F C7 93 67 23 8B 2C C7
48 CB B9 4C 29 47 79 3D 64 AF 75
Kato & Kanda Expires September 20, 2008 [Page 22]
Internet-Draft Camellia-CTR and Camellia-CCM algorithms March 2008
=============== Packet Vector #13 ==================
CAM Key: D7 5C 27 78 07 8C A9 3D 97 1F 96 FD E7 20 F4 CD
Nonce = 00 A9 70 11 0E 19 27 B1 60 B6 A3 1C 1C
Total packet length = 31. [Input (8 cleartext header octets)]
6B 7F 46 45 07 FA E4 96 C6 B5 F3 E6 CA 23 11 AE
F7 47 2B 20 3E 73 5E A5 61 AD B1 7D 56 C5 A3
CBC IV in: 59 00 A9 70 11 0E 19 27 B1 60 B6 A3 1C 1C 00 17
CBC IV out:D7 24 B0 0F B1 87 04 C6 C1 4E 90 37 AA F2 F1 F9
After xor: D7 2C DB 70 F7 C2 03 3C 25 D8 90 37 AA F2 F1 F9 [hdr]
After CAM: 9B 13 6D E3 D9 9F C3 6D 7D 0D B7 D8 A1 BF E9 BD
After xor: 5D A6 9E 05 13 BC D2 C3 8A 4A 9C F8 9F CC B7 18 [msg]
After CAM: F8 BF 25 7D 23 F8 D9 B5 82 E6 C9 3E C8 9B 85 73
After xor: 99 12 94 00 75 3D 7A B5 82 E6 C9 3E C8 9B 85 73 [msg]
After CAM: D9 D6 62 21 6D B2 CA FD 1F C6 FE 9D 2C AF 5B 69
MIC tag : D9 D6 62 21 6D B2 CA FD
CTR Start: 01 00 A9 70 11 0E 19 27 B1 60 B6 A3 1C 1C 00 01
CTR[0001]: 62 80 24 C1 FE AE CC 8C 67 38 55 98 CB 8E E5 E8
CTR[0002]: F2 30 17 2F 1B 71 55 9F 8B CE 79 E5 13 01 FC 6A
CTR[MIC ]: 9C 8E A2 0C 48 03 ED 13
Total packet length = 39. [Encrypted]
6B 7F 46 45 07 FA E4 96 A4 35 D7 27 34 8D DD 22
90 7F 7E B8 F5 FD BB 4D 93 9D A6 52 4D B4 F6 45
58 C0 2D 25 B1 27 EE
=============== Packet Vector #14 ==================
CAM Key: D7 5C 27 78 07 8C A9 3D 97 1F 96 FD E7 20 F4 CD
Nonce = 00 83 CD 8C E0 CB 42 B1 60 B6 A3 1C 1C
Total packet length = 32. [Input (8 cleartext header octets)]
98 66 05 B4 3D F1 5D E7 01 F6 CE 67 64 C5 74 48
3B B0 2E 6B BF 1E 0A BD 26 A2 25 72 B4 D8 0E E7
CBC IV in: 59 00 83 CD 8C E0 CB 42 B1 60 B6 A3 1C 1C 00 18
CBC IV out:A0 8A 29 78 36 23 1D 84 96 76 93 FF 0A 4C 92 7A
After xor: A0 82 B1 1E 33 97 20 75 CB 91 93 FF 0A 4C 92 7A [hdr]
After CAM: 8C F5 F4 23 BF 09 1C 74 CD 47 00 C1 32 5D 5C 92
After xor: 8D 03 3A 44 DB CC 68 3C F6 F7 2E AA 8D 43 56 2F [msg]
After CAM: 69 DA 48 24 41 1E AC 8E A9 0A CD 8B DD 00 2B 9A
After xor: 4F 78 6D 56 F5 C6 A2 69 A9 0A CD 8B DD 00 2B 9A [msg]
After CAM: C2 03 3B 08 6D B3 CB 3B 2C C8 5D E7 76 A1 C0 44
MIC tag : C2 03 3B 08 6D B3 CB 3B
CTR Start: 01 00 83 CD 8C E0 CB 42 B1 60 B6 A3 1C 1C 00 01
CTR[0001]: 8B 16 9C 37 EB 7B BE DB 15 84 41 6E 5F C2 07 46
CTR[0002]: E9 31 BB DD 4E E6 56 9B 68 95 13 5F AB A4 DF EF
CTR[MIC ]: 44 7E 55 14 25 C3 F3 3D
Total packet length = 40. [Encrypted]
98 66 05 B4 3D F1 5D E7 8A E0 52 50 8F BE CA 93
2E 34 6F 05 E0 DC 0D FB CF 93 9E AF FA 3E 58 7C
86 7D 6E 1C 48 70 38 06
Kato & Kanda Expires September 20, 2008 [Page 23]
Internet-Draft Camellia-CTR and Camellia-CCM algorithms March 2008
=============== Packet Vector #15 ==================
CAM Key: D7 5C 27 78 07 8C A9 3D 97 1F 96 FD E7 20 F4 CD
Nonce = 00 5F 54 95 0B 18 F2 B1 60 B6 A3 1C 1C
Total packet length = 33. [Input (8 cleartext header octets)]
48 F2 E7 E1 A7 67 1A 51 CD F1 D8 40 6F C2 E9 01
49 53 89 70 05 FB FB 8B A5 72 76 F9 24 04 60 8E
08
CBC IV in: 59 00 5F 54 95 0B 18 F2 B1 60 B6 A3 1C 1C 00 19
CBC IV out:76 74 53 37 95 23 3C F0 EB 77 CE 93 73 06 99 A8
After xor: 76 7C 1B C5 72 C2 9B 97 F1 26 CE 93 73 06 99 A8 [hdr]
After CAM: EF 79 8B 70 34 E4 D5 6B 57 3A F9 44 F0 AF D6 9A
After xor: 22 88 53 30 5B 26 3C 6A 1E 69 70 34 F5 54 2D 11 [msg]
After CAM: 63 BF 4E 10 01 79 38 0B E4 EC C1 39 B2 B4 3B 8C
After xor: C6 CD 38 E9 25 7D 58 85 EC EC C1 39 B2 B4 3B 8C [msg]
After CAM: 39 E1 0E FA BD 2F 43 00 50 9E E7 EB A4 FF 6B 8F
MIC tag : 39 E1 0E FA BD 2F 43 00
CTR Start: 01 00 5F 54 95 0B 18 F2 B1 60 B6 A3 1C 1C 00 01
CTR[0001]: C5 47 A6 A2 73 49 1B 6F 0E 6D C9 F5 9C 12 3B 08
CTR[0002]: C8 18 86 42 3C DB 35 C8 64 4D 8C 4C 58 01 47 27
CTR[MIC ]: 91 E9 76 5D 2D 68 2E E5
Total packet length = 41. [Encrypted]
48 F2 E7 E1 A7 67 1A 51 08 B6 7E E2 1C 8B F2 6E
47 3E 40 85 99 E9 C0 83 6D 6A F0 BB 18 DF 55 46
6C A8 08 78 A7 90 47 6D E5
=============== Packet Vector #16 ==================
CAM Key: D7 5C 27 78 07 8C A9 3D 97 1F 96 FD E7 20 F4 CD
Nonce = 00 EC 60 08 63 31 9A B1 60 B6 A3 1C 1C
Total packet length = 31. [Input (12 cleartext header octets)]
DE 97 DF 3B 8C BD 6D 8E 50 30 DA 4C B0 05 DC FA
0B 59 18 14 26 A9 61 68 5A 99 3D 8C 43 18 5B
CBC IV in: 59 00 EC 60 08 63 31 9A B1 60 B6 A3 1C 1C 00 13
CBC IV out:78 EE 05 5A 88 48 E3 5B 8A 45 46 8F 35 4F 0C A2
After xor: 78 E2 DB CD 57 73 6F E6 E7 CB 16 BF EF 03 0C A2 [hdr]
After CAM: A9 C6 7F 15 00 1A C6 92 81 67 BD EC DF D2 35 C9
After xor: 19 C3 A3 EF 0B 43 DE 86 A7 CE DC 84 85 4B 08 45 [msg]
After CAM: 7C A8 9C 90 46 42 4B E2 4D 96 DF CF BA 12 FD 18
After xor: 3F B0 C7 90 46 42 4B E2 4D 96 DF CF BA 12 FD 18 [msg]
After CAM: 89 C7 B4 E8 A4 24 8C 6C 52 ED 34 50 E3 53 AD F5
MIC tag : 89 C7 B4 E8 A4 24 8C 6C
CTR Start: 01 00 EC 60 08 63 31 9A B1 60 B6 A3 1C 1C 00 01
CTR[0001]: D3 B2 57 B3 6C E8 86 CF 91 9A AC 79 4E 6F 73 3E
CTR[0002]: 65 10 C8 72 39 AF 0F 52 9F D0 A4 DF 54 BF D6 EB
CTR[MIC ]: E1 04 E0 6A 29 B1 80 A9
Total packet length = 39. [Encrypted]
DE 97 DF 3B 8C BD 6D 8E 50 30 DA 4C 63 B7 8B 49
67 B1 9E DB B7 33 CD 11 14 F6 4E B2 26 08 93 68
C3 54 82 8D 95 0C C5
Kato & Kanda Expires September 20, 2008 [Page 24]
Internet-Draft Camellia-CTR and Camellia-CCM algorithms March 2008
=============== Packet Vector #17 ==================
CAM Key: D7 5C 27 78 07 8C A9 3D 97 1F 96 FD E7 20 F4 CD
Nonce = 00 60 CF F1 A3 1E A1 B1 60 B6 A3 1C 1C
Total packet length = 32. [Input (12 cleartext header octets)]
A5 EE 93 E4 57 DF 05 46 6E 78 2D CF 2E 20 21 12
98 10 5F 12 9D 5E D9 5B 93 F7 2D 30 B2 FA CC D7
CBC IV in: 59 00 60 CF F1 A3 1E A1 B1 60 B6 A3 1C 1C 00 14
CBC IV out:C3 34 69 7D 11 38 73 06 BD 34 E2 10 1F 66 17 E8
After xor: C3 38 CC 93 82 DC 24 D9 B8 72 8C 68 32 A9 17 E8 [hdr]
After CAM: 43 6F 37 74 AB 94 3B 41 EA AD 00 CA C3 99 13 7B
After xor: 6D 4F 16 66 33 84 64 53 77 F3 D9 91 50 6E 3E 4B [msg]
After CAM: 2D 28 FB 62 DA 06 97 A7 4C D4 31 B8 B5 AE AE EE
After xor: 9F D2 37 B5 DA 06 97 A7 4C D4 31 B8 B5 AE AE EE [msg]
After CAM: F3 DE 10 CD 91 4D B1 B6 CC 37 F0 A2 4A 5A B7 A1
MIC tag : F3 DE 10 CD 91 4D B1 B6
CTR Start: 01 00 60 CF F1 A3 1E A1 B1 60 B6 A3 1C 1C 00 01
CTR[0001]: 25 E6 9A F0 30 A9 56 E6 FF C0 3F 87 87 7A 89 74
CTR[0002]: A2 1B 46 23 76 A2 1E DD F2 AC 4B EC 42 95 3D D3
CTR[MIC ]: C2 99 28 FF E7 BB DB 29
Total packet length = 40. [Encrypted]
A5 EE 93 E4 57 DF 05 46 6E 78 2D CF 0B C6 BB E2
A8 B9 09 F4 62 9E E6 DC 14 8D A4 44 10 E1 8A F4
31 47 38 32 76 F6 6A 9F
=============== Packet Vector #18 ==================
CAM Key: D7 5C 27 78 07 8C A9 3D 97 1F 96 FD E7 20 F4 CD
Nonce = 00 0F 85 CD 99 5C 97 B1 60 B6 A3 1C 1C
Total packet length = 33. [Input (12 cleartext header octets)]
24 AA 1B F9 A5 CD 87 61 82 A2 50 74 26 45 94 1E
75 63 2D 34 91 AF 0F C0 C9 87 6C 3B E4 AA 74 68
C9
CBC IV in: 59 00 0F 85 CD 99 5C 97 B1 60 B6 A3 1C 1C 00 15
CBC IV out:72 0A 46 75 0F 40 59 53 F2 3B D2 1F 6A 11 60 F6
After xor: 72 06 62 DF 14 B9 FC 9E 75 5A 50 BD 3A 65 60 F6 [hdr]
After CAM: 67 73 A0 FD D5 7E D3 5E E8 24 06 D0 A1 8B 0E 18
After xor: 41 36 34 E3 A0 1D FE 6A 79 8B 09 10 68 0C 62 23 [msg]
After CAM: BB 1E D8 9F 60 29 D0 99 09 14 06 A5 E3 8B 72 7B
After xor: 5F B4 AC F7 A9 29 D0 99 09 14 06 A5 E3 8B 72 7B [msg]
After CAM: 3E 4F 40 73 D1 31 E9 B8 02 C8 99 BC FD AC 19 4B
MIC tag : 3E 4F 40 73 D1 31 E9 B8
CTR Start: 01 00 0F 85 CD 99 5C 97 B1 60 B6 A3 1C 1C 00 01
CTR[0001]: 04 6F 42 2C 8F 52 FB 9B 06 A3 3B 9F B7 F0 A6 00
CTR[0002]: 34 76 51 DB 89 10 FB E6 73 E8 56 6E DB 66 47 5D
CTR[MIC ]: 9F EC 93 6C 5C 7A AD 0F
Total packet length = 41. [Encrypted]
24 AA 1B F9 A5 CD 87 61 82 A2 50 74 22 2A D6 32
FA 31 D6 AF 97 0C 34 5F 7E 77 CA 3B D0 DC 25 B3
40 A1 A3 D3 1F 8D 4B 44 B7
Kato & Kanda Expires September 20, 2008 [Page 25]
Internet-Draft Camellia-CTR and Camellia-CCM algorithms March 2008
=============== Packet Vector #19 ==================
CAM Key: D7 5C 27 78 07 8C A9 3D 97 1F 96 FD E7 20 F4 CD
Nonce = 00 C2 9B 2C AA C4 CD B1 60 B6 A3 1C 1C
Total packet length = 31. [Input (8 cleartext header octets)]
69 19 46 B9 CA 07 BE 87 07 01 35 A6 43 7C 9D B1
20 CD 61 D8 F6 C3 9C 3E A1 25 FD 95 A0 D2 3D
CBC IV in: 61 00 C2 9B 2C AA C4 CD B1 60 B6 A3 1C 1C 00 17
CBC IV out:74 AD F8 04 05 2A 48 E7 46 97 38 D5 BA A1 27 79
After xor: 74 A5 91 1D 43 93 82 E0 F8 10 38 D5 BA A1 27 79 [hdr]
After CAM: BD C3 B1 41 1C 64 C8 B3 A9 DC 6A 94 78 97 88 E2
After xor: BA C2 84 E7 5F 18 55 02 89 11 0B 4C 8E 54 14 DC [msg]
After CAM: 7D 6C 8A BF AD 68 48 D8 C5 FB CD 1E AF F2 44 99
After xor: DC 49 77 2A 0D BA 75 D8 C5 FB CD 1E AF F2 44 99 [msg]
After CAM: 19 99 AB 92 5E 30 46 96 3D EF FB 1B 4C 87 F7 76
MIC tag : 19 99 AB 92 5E 30 46 96 3D EF
CTR Start: 01 00 C2 9B 2C AA C4 CD B1 60 B6 A3 1C 1C 00 01
CTR[0001]: 02 B9 D4 1F 87 E0 60 E7 EF DE 6B 7E D3 DE 5E D2
CTR[0002]: 61 49 31 C5 2F 34 AA 47 A3 E4 D3 2C 0B 36 41 C6
CTR[MIC ]: B9 9F C6 C5 96 7B AA 8E 1A 87
Total packet length = 41. [Encrypted]
69 19 46 B9 CA 07 BE 87 05 B8 E1 B9 C4 9C FD 56
CF 13 0A A6 25 1D C2 EC C0 6C CC 50 8F E6 97 A0
06 6D 57 C8 4B EC 18 27 68
=============== Packet Vector #20 ==================
CAM Key: D7 5C 27 78 07 8C A9 3D 97 1F 96 FD E7 20 F4 CD
Nonce = 00 2C 6B 75 95 EE 62 B1 60 B6 A3 1C 1C
Total packet length = 32. [Input (8 cleartext header octets)]
D0 C5 4E CB 84 62 7D C4 C8 C0 88 0E 6C 63 6E 20
09 3D D6 59 42 17 D2 E1 88 77 DB 26 4E 71 A5 CC
CBC IV in: 61 00 2C 6B 75 95 EE 62 B1 60 B6 A3 1C 1C 00 18
CBC IV out:35 A9 48 70 F9 B0 C7 85 FB 32 1A D1 3C 8C A4 9A
After xor: 35 A1 98 B5 B7 7B 43 E7 86 F6 1A D1 3C 8C A4 9A [hdr]
After CAM: 0A 3C E3 0F AC 09 DC 5C 00 10 5C 69 AC 19 F7 19
After xor: C2 FC 6B 01 C0 6A B2 7C 09 2D 8A 30 EE 0E 25 F8 [msg]
After CAM: 61 CD 80 D0 72 E6 84 E1 BF E1 4A 00 27 2A 4D 96
After xor: E9 BA 5B F6 3C 97 21 2D BF E1 4A 00 27 2A 4D 96 [msg]
After CAM: E5 F9 F2 AB 47 FD 7B 8D 6F 72 F4 72 74 D7 69 BB
MIC tag : E5 F9 F2 AB 47 FD 7B 8D 6F 72
CTR Start: 01 00 2C 6B 75 95 EE 62 B1 60 B6 A3 1C 1C 00 01
CTR[0001]: 9C 0E 31 66 B2 81 58 31 5E 63 16 5A 9D BD CE 35
CTR[0002]: 00 3E 66 D3 E0 5F 7E A7 EF C8 9A 5F DD 39 E3 54
CTR[MIC ]: 9A 5E 87 1A 17 10 38 0E AA DB
Total packet length = 42. [Encrypted]
D0 C5 4E CB 84 62 7D C4 54 CE B9 68 DE E2 36 11
57 5E C0 03 DF AA 1C D4 88 49 BD F5 AE 2E DB 6B
7F A7 75 B1 50 ED 43 83 C5 A9
Kato & Kanda Expires September 20, 2008 [Page 26]
Internet-Draft Camellia-CTR and Camellia-CCM algorithms March 2008
=============== Packet Vector #21 ==================
CAM Key: D7 5C 27 78 07 8C A9 3D 97 1F 96 FD E7 20 F4 CD
Nonce = 00 C5 3C D4 C2 AA 24 B1 60 B6 A3 1C 1C
Total packet length = 33. [Input (8 cleartext header octets)]
E2 85 E0 E4 80 8C DA 3D F7 5D AA 07 10 C4 E6 42
97 79 4D C2 B7 D2 A2 07 57 B1 AA 4E 44 80 02 FF
AB
CBC IV in: 61 00 C5 3C D4 C2 AA 24 B1 60 B6 A3 1C 1C 00 19
CBC IV out:2A 3C 23 B2 43 F5 1C 35 F7 79 5A CB 3B 20 21 2F
After xor: 2A 34 C1 37 A3 11 9C B9 2D 44 5A CB 3B 20 21 2F [hdr]
After CAM: A1 7E AD 4C EE AB 51 21 1D 2A 32 F2 D4 45 A6 D6
After xor: 56 23 07 4B FE 6F B7 63 8A 53 7F 30 63 97 04 D1 [msg]
After CAM: A9 A1 32 55 8F C6 9B 98 A9 CC 23 96 FE CA 84 EB
After xor: FE 10 98 1B CB 46 99 67 02 CC 23 96 FE CA 84 EB [msg]
After CAM: 6A 5E 04 42 D1 A5 7E 17 9A 6C 8B 56 F7 19 80 C5
MIC tag : 6A 5E 04 42 D1 A5 7E 17 9A 6C
CTR Start: 01 00 C5 3C D4 C2 AA 24 B1 60 B6 A3 1C 1C 00 01
CTR[0001]: 46 1D EF 41 AF A2 94 52 5D 51 AE CB 04 49 74 CD
CTR[0002]: 29 2E 62 66 1B 66 9A 2B 97 72 6B 77 32 A8 DC 35
CTR[MIC ]: B8 54 06 A2 6C 6F 93 37 8A BF
Total packet length = 43. [Encrypted]
E2 85 E0 E4 80 8C DA 3D B1 40 45 46 BF 66 72 10
CA 28 E3 09 B3 9B D6 CA 7E 9F C8 28 5F E6 98 D4
3C D2 0A 02 E0 BD CA ED 20 10 D3
=============== Packet Vector #22 ==================
CAM Key: D7 5C 27 78 07 8C A9 3D 97 1F 96 FD E7 20 F4 CD
Nonce = 00 BE E9 26 7F BA DC B1 60 B6 A3 1C 1C
Total packet length = 31. [Input (12 cleartext header octets)]
6C AE F9 94 11 41 57 0D 7C 81 34 05 C2 38 82 2F
AC 5F 98 FF 92 94 05 B0 AD 12 7A 4E 41 85 4E
CBC IV in: 61 00 BE E9 26 7F BA DC B1 60 B6 A3 1C 1C 00 13
CBC IV out:20 60 6A D1 E1 A0 84 52 2F A3 8B F4 88 1D D6 8B
After xor: 20 6C 06 7F 18 34 95 13 78 AE F7 75 BC 18 D6 8B [hdr]
After CAM: 71 FD FF E7 D9 C8 95 75 D3 EC 0B 7E 7B 8B BE E7
After xor: B3 C5 7D C8 75 97 0D 8A 41 78 0E CE D6 99 C4 A9 [msg]
After CAM: CA AD 93 9C 59 BA 40 AA 1A 0B 88 1B EE 3D 3C 65
After xor: 8B 28 DD 9C 59 BA 40 AA 1A 0B 88 1B EE 3D 3C 65 [msg]
After CAM: DC 48 8F AA 9C 75 E7 03 17 56 C2 C7 48 48 8D 1B
MIC tag : DC 48 8F AA 9C 75 E7 03 17 56
CTR Start: 01 00 BE E9 26 7F BA DC B1 60 B6 A3 1C 1C 00 01
CTR[0001]: 56 F0 17 B3 BD 09 02 D6 EA A5 A2 91 AD 4A 2D E5
CTR[0002]: 20 3D 34 21 EF 5B F8 FC 7B 21 5C 76 7B A5 21 A6
CTR[MIC ]: F1 A2 86 9C 2A 9E B8 61 48 0B
Total packet length = 41. [Encrypted]
6C AE F9 94 11 41 57 0D 7C 81 34 05 94 C8 95 9C
11 56 9A 29 78 31 A7 21 00 58 57 AB 61 B8 7A 2D
EA 09 36 B6 EB 5F 62 5F 5D
Kato & Kanda Expires September 20, 2008 [Page 27]
Internet-Draft Camellia-CTR and Camellia-CCM algorithms March 2008
=============== Packet Vector #23 ==================
CAM Key: D7 5C 27 78 07 8C A9 3D 97 1F 96 FD E7 20 F4 CD
Nonce = 00 DF A8 B1 24 50 07 B1 60 B6 A3 1C 1C
Total packet length = 32. [Input (12 cleartext header octets)]
36 A5 2C F1 6B 19 A2 03 7A B7 01 1E 4D BF 3E 77
4A D2 45 E5 D5 89 1F 9D 1C 32 A0 AE 02 2C 85 D7
CBC IV in: 61 00 DF A8 B1 24 50 07 B1 60 B6 A3 1C 1C 00 14
CBC IV out:78 FD B6 AF 61 9E 1C 8D 82 41 17 A8 73 60 1B 70
After xor: 78 F1 80 0A 4D 6F 77 94 20 42 6D 1F 72 7E 1B 70 [hdr]
After CAM: 62 2E 28 65 92 43 DB 82 88 79 09 1E A7 24 54 67
After xor: 2F 91 16 12 D8 91 9E 67 5D F0 16 83 BB 16 F4 C9 [msg]
After CAM: 95 0E 52 08 FF 16 70 8C 1E D9 BB 06 3E 1E 41 CF
After xor: 97 22 D7 DF FF 16 70 8C 1E D9 BB 06 3E 1E 41 CF [msg]
After CAM: BA CD 51 FC 77 F4 02 8D 47 D5 7D 54 7D 46 33 4B
MIC tag : BA CD 51 FC 77 F4 02 8D 47 D5
CTR Start: 01 00 DF A8 B1 24 50 07 B1 60 B6 A3 1C 1C 00 01
CTR[0001]: 15 D6 DD DD 98 96 39 91 35 75 1A 64 B8 D8 D4 F9
CTR[0002]: 7D 61 6D 1D EB 92 00 2B 6F FA AB 53 BC AF 69 89
CTR[MIC ]: 33 E9 27 BE E1 59 06 9C DB 32
Total packet length = 42. [Encrypted]
36 A5 2C F1 6B 19 A2 03 7A B7 01 1E 58 69 E3 AA
D2 44 7C 74 E0 FC 05 F9 A4 EA 74 57 7F 4D E8 CA
89 24 76 42 96 AD 04 11 9C E7
=============== Packet Vector #24 ==================
CAM Key: D7 5C 27 78 07 8C A9 3D 97 1F 96 FD E7 20 F4 CD
Nonce = 00 3B 8F D8 D3 A9 37 B1 60 B6 A3 1C 1C
Total packet length = 33. [Input (12 cleartext header octets)]
A4 D4 99 F7 84 19 72 8C 19 17 8B 0C 9D C9 ED AE
2F F5 DF 86 36 E8 C6 DE 0E ED 55 F7 86 7E 33 33
7D
CBC IV in: 61 00 3B 8F D8 D3 A9 37 B1 60 B6 A3 1C 1C 00 15
CBC IV out:84 E6 CF DD 6A 37 68 5D E6 71 AD 54 B3 BE FE B9
After xor: 84 EA 6B 09 F3 C0 EC 44 94 FD B4 43 38 B2 FE B9 [hdr]
After CAM: C5 0F A0 62 20 18 F1 21 0E BC 3D 2E 47 B7 B8 C3
After xor: 58 C6 4D CC 0F ED 2E A7 38 54 FB F0 49 5A ED 34 [msg]
After CAM: C4 6F 6D C3 17 3C 2A 7A 81 FC 2D DA 7F B7 C6 60
After xor: 42 11 5E F0 6A 3C 2A 7A 81 FC 2D DA 7F B7 C6 60 [msg]
After CAM: DF AB 2E 76 B0 67 50 B3 7C DD 9A AC F3 79 17 71
MIC tag : DF AB 2E 76 B0 67 50 B3 7C DD
CTR Start: 01 00 3B 8F D8 D3 A9 37 B1 60 B6 A3 1C 1C 00 01
CTR[0001]: D6 D0 6C F8 16 CE D0 F1 A0 E0 AC 71 BA B9 AD 34
CTR[0002]: 76 4A FF 9A 1B F8 55 1F 68 54 39 0A EE 37 24 28
CTR[MIC ]: 4B F4 31 B8 17 86 4B 5D 16 F2
Total packet length = 43. [Encrypted]
A4 D4 99 F7 84 19 72 8C 19 17 8B 0C 4B 19 81 56
39 3B 0F 77 96 08 6A AF B4 54 F8 C3 F0 34 CC A9
66 94 5F 1F CE A7 E1 1B EE 6A 2F
Kato & Kanda Expires September 20, 2008 [Page 28]
Internet-Draft Camellia-CTR and Camellia-CCM algorithms March 2008
5. Security Considerations
Camellia-CTR and Camellia-CCM employs counter (CTR) mode for
confidentiality. If a counter value is ever used for more that one
packet with the same key, then the same key stream will be used to
encrypt both packets, and the confidentiality guarantees are voided.
What happens if the encryptor XORs the same key stream with two
different packet plaintexts? Suppose two packets are defined by two
plaintext byte sequences P1, P2, P3 and Q1, Q2, Q3, then both are
encrypted with key stream K1, K2, K3. The two corresponding
ciphertexts are:
(P1 XOR K1), (P2 XOR K2), (P3 XOR K3)
(Q1 XOR K1), (Q2 XOR K2), (Q3 XOR K3)
If both of these two ciphertext streams are exposed to an attacker,
then a catastrophic failure of confidentiality results, because:
(P1 XOR K1) XOR (Q1 XOR K1) = P1 XOR Q1
(P2 XOR K2) XOR (Q2 XOR K2) = P2 XOR Q2
(P3 XOR K3) XOR (Q3 XOR K3) = P3 XOR Q3
Once the attacker obtains the two plaintexts XORed together, it is
relatively straightforward to separate them. Thus, using any stream
cipher, including Camellia-CTR, to encrypt two plaintexts under the
same key stream leaks the plaintext.
Kato & Kanda Expires September 20, 2008 [Page 29]
Internet-Draft Camellia-CTR and Camellia-CCM algorithms March 2008
6. IANA Considerations
There are no IANA assignments to be performed.
Kato & Kanda Expires September 20, 2008 [Page 30]
Internet-Draft Camellia-CTR and Camellia-CCM algorithms March 2008
7. Acknowledgments
This document includes text borrowed from RFC 3610.
Kato & Kanda Expires September 20, 2008 [Page 31]
Internet-Draft Camellia-CTR and Camellia-CCM algorithms March 2008
8. References
8.1. Normative
[1] Matsui, M., Nakajima, J., and S. Moriai, "A Description of the
Camellia Encryption Algorithm", RFC 3713, April 2004.
[2] Bradner, S., "Key words for use in RFCs to Indicate Requirement
Levels", BCP 14, RFC 2119, March 1997.
8.2. Informative
[3] National Institute of Standards and Technology, "Advanced
Encryption Standard (AES)", FIPS PUB 197, November 2001,
.
[4] Kato, A., Moriai, S., and M. Kanda, "The Camellia Cipher
Algorithm and Its Use With IPsec", RFC 4312, December 2005.
[5] Moriai, S., Kato, A., and M. Kanda, "Addition of Camellia
Cipher Suites to Transport Layer Security (TLS)", RFC 4132,
July 2005.
[6] Moriai, S. and A. Kato, "Use of the Camellia Encryption
Algorithm in Cryptographic Message Syntax (CMS)", RFC 3657,
January 2004.
[7] Eastlake, D., "Additional XML Security Uniform Resource
Identifiers (URIs)", RFC 4051, April 2005.
[8] International Organization for Standardization, "Information
technology - Security techniques - Encryption algorithms - Part
3: Block ciphers", ISO/IEC 18033-3, July 2005.
[9] "The NESSIE project (New European Schemes for Signatures,
Integrity and Encryption)",
.
[10] Information-technology Promotion Agency (IPA), "Cryptography
Research and Evaluation Committees",
.
[11] Dworkin, M., "Recommendation for Block Cipher Modes of
Operation - Methods and Techniques", NIST Special
Publication 800-38A, November 2001, .
[12] Whiting, D., Housley, R., and N. Ferguson, "Counter with CBC-
Kato & Kanda Expires September 20, 2008 [Page 32]
Internet-Draft Camellia-CTR and Camellia-CCM algorithms March 2008
MAC (CCM)", RFC 3610, September 2003.
[13] National Institute of Standards and Technology, "Computer Data
Authentication", FIPS PUB 113, May 1985,
.
Kato & Kanda Expires September 20, 2008 [Page 33]
Internet-Draft Camellia-CTR and Camellia-CCM algorithms March 2008
URIs
[14]
[15]
Kato & Kanda Expires September 20, 2008 [Page 34]
Internet-Draft Camellia-CTR and Camellia-CCM algorithms March 2008
Authors' Addresses
Akihiro Kato
NTT Software Corporation
Phone: +81-45-212-7577
Fax: +81-45-212-7800
Email: akato@po.ntts.co.jp
Masayuki Kanda
Nippon Telegraph and Telephone Corporation
Phone: +81-422-59-3456
Fax: +81-422-59-4015
Email: kanda.masayuki@lab.ntt.co.jp
Kato & Kanda Expires September 20, 2008 [Page 35]
Internet-Draft Camellia-CTR and Camellia-CCM algorithms March 2008
Full Copyright Statement
Copyright (C) The IETF Trust (2008).
This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors
retain all their rights.
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.
Kato & Kanda Expires September 20, 2008 [Page 36]