view Side-By-Side changes
Network Working Group A. Kato Internet-Draft NTT Software Corporation Intended status: Informational M. Kanda Expires:September 20,December 26, 2008 Nippon Telegraph and Telephone CorporationMarch 19,June 24, 2008 Camellia Counter mode and Camellia Counter with CBC Mac mode algorithmsdraft-kato-camellia-ctrccm-01draft-kato-camellia-ctrccm-02 Status of this Memo By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she becomes aware will be disclosed, in accordance with Section 6 of BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. This Internet-Draft will expire onSeptember 20,December 26, 2008. Kato & Kanda ExpiresSeptember 20,December 26, 2008 [Page 1] Internet-Draft Camellia-CTR and Camellia-CCM algorithmsMarchJune 2008 Abstract This document describes the algorithms and test vectors of Camellia block cipher algorithm in Counter(CTR)mode and Counter with Cipher Block Chaining MAC(CCM) Mode.mode. The purpose of this document is to make the Camellia-CTR and Camellia-CCM algorithm conveniently available to the Internet Community. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3 2. The Camellia Cipher Algorithm . . . . . . . . . . . . . . . .45 2.1. Key Size . . . . . . . . . . . . . . . . . . . . . . . . .45 2.2. Weak Keys . . . . . . . . . . . . . . . . . . . . . . . .45 2.3. Block Size and Padding . . . . . . . . . . . . . . . . . .45 2.4. Performance . . . . . . . . . . . . . . . . . . . . . . .45 3. Modes of Operation . . . . . . . . . . . . . . . . . . . . . . 6 3.1.CounterDefinitions . . . . . . . . . . . . . . . . . . . . . . . 6 3.2. Counter . . .6 3.1.1. Definitions. . . . . . . . . . . . . . . . . . . . .6 3.1.2.. 7 3.2.1. Camellia-CTR . . . . . . . . . . . . . . . . . . . . .6 3.2.7 3.3. Counter with CBC-MAC . . . . . . . . . . . . . . . . . . .8 3.2.1. Definitions . . . . . . . . . . . . . . . . . . . . . 8 3.2.2.9 3.3.1. Two main parameters . . . . . . . . . . . . . . . . . 93.2.3.3.3.2. Inputs . . . . . . . . . . . . . . . . . . . . . . . . 93.2.4.3.3.3. Authentication . . . . . . . . . . . . . . . . . . . . 103.2.5.3.3.4. Encryption . . . . . . . . . . . . . . . . . . . . . . 123.2.6.3.3.5. Output . . . . . . . . . . . . . . . . . . . . . . . . 133.2.7.3.3.6. Decryption and Authentication Checking . . . . . . . . 13 4. Test Vectors . . . . . . . . . . . . . . . . . . . . . . . . . 14 4.1. Camellia-CTR . . . . . . . . . . . . . . . . . . . . . . . 14 4.2. Camellia-CCM . . . . . . . . . . . . . . . . . . . . . . . 16 5. Security Considerations . . . . . . . . . . . . . . . . . . . 29 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 30 7. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 31 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 32 8.1. Normative . . . . . . . . . . . . . . . . . . . . . . . . 32 8.2. Informative . . . . . . . . . . . . . . . . . . . . . . . 32 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . .3534 Intellectual Property and Copyright Statements . . . . . . . . . .3635 Kato & Kanda ExpiresSeptember 20,December 26, 2008 [Page 2] Internet-Draft Camellia-CTR and Camellia-CCM algorithmsMarchJune 2008 1. Introduction This document describes the use of the Camellia block cipher algorithm in Counter (CTR) mode and Counter with CBC-MACMode.(CCM) mode. Camellia is a symmetric cipher with a Feistel structure. Camellia was developed jointly by NTT and Mitsubishi Electric Corporation in 2000. It was designed to withstand all known cryptanalytic attacks, and it has been scrutinized by worldwide cryptographic experts. Camellia is suitable for implementation in software and hardware, offering encryption speed in software and hardware implementations that is comparable to Advanced Encryption Standard (AES) [3]. Camellia supports 128-bit block size and 128-, 192-, and 256-bit key lengths, i.e., the same interface specifications as the AES. Therefore, it is easy to implement Camellia based algorithms by replacing the AES block of AES based algorithmstowith a Camellia block. Camelliaisalready has been adoptedasby the IETF andseveralother international standardizationorganizations.organizations; in particular, the IETF has published specifications for the use of Camelliais already adopted as IPSecwith IPsec [4], TLS [5], S/MIME [6] and XML [7]. Camellia isadopted for theone of the three ISO/IEC international standardcipher[8]as 128bit128-bit blockcipher(Camellia, AESciphers (Camellia, AES, and SEED). Camellia was selected as a recommended cryptographic primitive by the EU NESSIE (New European Schemes for Signatures, Integrity and Encryption) project [9] and was included in the list of cryptographic techniques for Japanese e-Government systems that was selected by theJapanJapanese CRYPTREC (Cryptography Research and Evaluation Committees) [10]. Since optimized source code is providedbyunder several open sourcelisences [14],licenses [11], Camellia is also adopted by several open sourceprojects(Openssl,projects (OpenSSL, FreeBSD,LinuxLinux, and Firefox Gran Paradiso). The algorithm specification and object identifiers are described in [1]. The Camelliahomepage [15]web site [12] contains a wealth of information about Camellia, including detailed specification, security analysis, performance figures, reference implementation, optimized implementation, testvectors,vectors(TV), and intellectual property information. 1.1. Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [2]. Kato & Kanda ExpiresSeptember 20,December 26, 2008 [Page 3] Internet-Draft Camellia-CTR and Camellia-CCM algorithmsMarchJune 2008 All multi-octet values in this document are encoded and represented in network byte order, i.e., most significant octet first. Kato & Kanda Expires December 26, 2008 [Page 4] Internet-Draft Camellia-CTR and Camellia-CCM algorithms June 2008 2. The Camellia Cipher Algorithm All symmetric block cipher algorithms share common characteristics and variables, including mode, key size, weak keys, block size, and rounds. The following sections contain descriptions of the relevant characteristics of Camellia. The algorithm specification and object identifiers are described in [1]. 2.1. Key Size Camellia supports three key sizes: 128 bits, 192 bits, and 256 bits. The default key size is 128 bits, and all implementations MUST support this key size. Implementations MAY also support key sizes of 192 bits and 256 bits. Camellia uses a different number of rounds for each of the defined key sizes. When a 128-bit key is used, implementations MUST use 18 rounds. Whena 192-bit key is used, implementations MUST use 24 rounds. When a192- and 256-bit keyisare used, implementations MUST use 24 rounds. 2.2. Weak Keys At the time of writing this document there are no known weak keys for Camellia. 2.3. Block Size and Padding Camellia uses a block size ofsixteen16 octets (128 bits). Padding is required by thealgorithmsalgorithm to maintain a 16-octet(128- bit)(128-bit) block size. Padding MUST be added such that the data to be encrypted (which includes the ESP Pad Length and Next Header fields) has a length that is a multiple of 16 octets. Because of the algorithm specific padding requirement, no additional padding is required to ensure that the ciphertext terminates on a 4-octet boundary (i.e. maintaining a 16-octet block size guarantees that the ESP Pad Length and Next Header fields will be right aligned within a 4-octet word). Additional padding MAY be included as long as the 16-octet block size is maintained. 2.4. Performance Performance figuresoffor Camellia are available at<http://info.isl.ntt.co.jp/crypt/camellia/>.[12]. The NESSIE project hasKato & Kanda Expires September 20, 2008 [Page 4] Internet-Draft Camellia-CTR and Camellia-CCM algorithms March 2008reported on the performance ofOptimized Implementationsoptimized implementations independently [9]. Kato & Kanda ExpiresSeptember 20,December 26, 2008 [Page 5] Internet-Draft Camellia-CTR and Camellia-CCM algorithmsMarchJune 2008 3. Modes of Operation Camellia Countermode(Camellia-CTR) mode and Camellia Counter with CBC- MAC (Camellia-CCM) mode are discussed in this specification.CounterCTR mode[11] behave[13] behaves like a streamciphers,cipher, butare constructedis based on a block cipher primitive (that is,counterCTR mode operation of a block cipher results in a streamcipher.) Counter with CBC Maccipher). CCM mode [14][15] is a generic authenticate-and-encrypt block ciphermode [12].mode. In this specification, CCM is used with the Camellia [1] block cipher. 3.1.Counter 3.1.1.Definitions l(X) Octet length of variable X. K Camellia key. Valid values of l(K) are 16, 24 and 32. Camellia(K, X) Output of the Camellia encryption algorithm under the fresh key K applied to the data block X. N Nonce. PT[n] n-thplain text block splitedplaintext block, obtained by splitting the plaintext into 128-bit units. CT[n] n-th ciphertext block, obtained by splitting the ciphertext into 128-bitunit.units. X || Y Concatenation of two octet strings X and Y. X XOR Y Bitwise exclusive-OR of two octet strings X and Y of the same length.3.1.2. Camellia-CTR Camellia-CTR requiresM Number of octets in the authentication field. Valid values of M are 4, 6, 8, 10, 12, 14, and 16. M' 3-bit number calculated as M/2-1. L Number of octets in the length field. Valid values are from 2 to 8. This number limits the maximum length of the message and the length of N. Kato & Kanda Expires December 26, 2008 [Page 6] Internet-Draft Camellia-CTR and Camellia-CCM algorithms June 2008 L' 3-bit number calculated as L-1. m Message to authenticate and encrypt. l(m) < 2^(8*L). AAD Additional authenticated data. 0 =< l(AAD) < 2^64. 3.2. Counter 3.2.1. Camellia-CTR Camellia-CTR requires the encryptor to generate a unique per-packet value, and communicate this value to the decryptor. This specification calls this per-packet value an initialization vector (IV). The same IV and key combination MUST NOT be used more than once. The encryptor can generate the IV in any manner that ensures uniqueness. Common approaches to IV generation include incrementing a counter for each packet and linear feedback shift registers (LFSRs). This specification calls for the use of a nonce for additional protection against precomputation attacks. The nonce value need not be secret. However, the nonce MUST be unpredictable prior to the establishment of the IPsec security association that is making use of Camellia-CTR. Camellia-CTR has many properties that make it an attractiveKato & Kanda Expires September 20, 2008 [Page 6] Internet-Draft Camellia-CTR and Camellia-CCM algorithms March 2008encryption algorithm for use in high-speed networking. Camellia-CTR uses the Camellia block cipher tocreatebehave like a stream cipher. Data is encrypted and decrypted by XORing with the key stream produced by Camellia encrypting sequential counter block values. Camellia-CTR is easy to implement, and Camellia-CTR can be pipelined and parallelized. Camellia-CTR also supports key stream precomputation. Pipelining is possible because Camellia has multiple rounds (see Section 2.). A hardware implementation (and some software implementations) can create a pipeline by unwinding the loop implied by this round structure. For example, after a 16-octet block has been input, one round later another 16-octet block can be input, and so on. In Camellia-CTR, these inputs are the sequential counter block values used to generate the key stream. Multiple independent Camellia encrypt implementations can also be used to improve performance. For example, one could use two Camellia encrypt implementations in parallel, to process a sequence of counter block values, doubling the effective throughput. The sender can precompute the key stream. Since the key stream does not depend on any data in the packet, the key stream can be Kato & Kanda Expires December 26, 2008 [Page 7] Internet-Draft Camellia-CTR and Camellia-CCM algorithms June 2008 precomputed once the nonce and IV are assigned. This precomputation can reduce packet latency. The receiver cannot perform similar precomputation because the IV will not be known before the packet arrives. When used correctly, Camellia-CTR provides a high level of confidentiality. Unfortunately, Camellia-CTR is easy to use incorrectly. Being a stream cipher, any reuse of the per-packet value, called the IV, with the same nonce and key is catastrophic. An IV collision immediately leaks information about the plaintext in both packets. For this reason, it is inappropriate to use this mode of operation with static keys. Extraordinary measures would be needed to prevent reuse of an IV value with the static key across power cycles. To be safe, implementations MUST use fresh keys with Camellia-CTR. With Camellia-CTR, it is trivial to use a valid ciphertext to forge other (valid to the decryptor) ciphertexts. Thus, it is equally catastrophic to use Camellia-CTR without a companion authentication function. Implementations MUST use Camellia-CCM in such case. To encrypt a payload with Camellia-CTR, the encryptor partitions the plaintext, PT, into 128-bit blocks. The final block need not be 128 bits; it can be less. PT = PT[1] || PT[2] || ... || PT[n]Kato & Kanda Expires September 20, 2008 [Page 7] Internet-Draft Camellia-CTR and Camellia-CCM algorithms March 2008Each PT block is XORed with a block of the key stream to generate the ciphertext, CT. The Camellia encryption of each counter block results in 128 bits of key stream. The most significant 96 bits of the counter block are set to the nonce value, which is 32 bits, followed by the per-packet IV value, which is 64 bits. Theleast significant 32 bits ofONE represents 32-bit the counter blockare initially set toof the only lastest bit of one. This counter value is incremented by one to generate subsequent counter blocks, each resulting in another 128 bits of key stream. The encryption of n plaintext blocks can be summarized as: CTRBLK := N || IV || ONE FOR i := 1 to n-1 DO CT[i] := PT[i] XOR Camellia(K, CTRBLK) CTRBLK := CTRBLK + 1 END CT[n] := PT[n] XOR TRUNC(Camellia(K, CTRBLK)) The TRUNC() function truncates the output of the Camellia encrypt operation to the same length as the final plaintext block, returning the most significant bits. Kato & Kanda Expires December 26, 2008 [Page 8] Internet-Draft Camellia-CTR and Camellia-CCM algorithms June 2008 Decryption is similar. The decryption of n ciphertext blocks can be summarized as: CTRBLK := N || IV || ONE FOR i := 1 to n-1 DO PT[i] := CT[i] XOR Camellia(K, CTRBLK) CTRBLK := CTRBLK + 1 END PT[n] := CT[n] XOR TRUNC(Camellia(K, CTRBLK))3.2.3.3. Counter with CBC-MAC3.2.1. Definitions l(X) Octet length of variable X. M Number of octets in authentication field. Valid values of are 4, 6, 8, 10, 12, 14, and 16. M' 3bit number calculated by (M-2)/2. L Number of octets in length field. Valid values are from 2 to 8. This number limits maximam length of message and length of N. Kato & Kanda Expires September 20, 2008 [Page 8] Internet-Draft Camellia-CTR and Camellia-CCM algorithms March 2008 L' 3bit number caluculated by L-1. K Camellia key. Valid values of l(K) are 16, 24 and 32. N Nonce. m Message to authenticate and encrypt. l(m) < 2^(8*L). AAD Additional authenticated data. 0 =< AAD < 2^64. 3.2.2.3.3.1. Two main parameters For the generic CCMmodemode, there are two parameter choices. The first choice is M, the size of the authentication field. The choice of the value for M involves a trade-off between message expansion and the probability that an attacker can undetectably modify a message. Valid values are 4, 6, 8, 10, 12, 14, and 16 octets. The second choice is L, the size of the length field. This value requires a trade-off between the maximum message size and the size of the Nonce. Different applications require different trade-offs, so L is a parameter. Valid values of L rangebetweenfrom 2octets andto 8octets(the value L=1 is reserved). Name Description Size Encoding ---- ---------------------------------------- ------ -------- M Number of octets in authentication field 3 bits(M-2)/2M/2-1 L Number of octets in length field 3 bits L-13.2.3.3.3.2. Inputs To authenticate and encrypt amessagemessage, the following information is required: 1. An encryption key K suitable for the block cipher. 2. A nonce N of 15-L octets. Within the scope of any encryption key K, the nonce value MUST be unique. That is, the set of nonce values used with any given key MUST NOT contain any duplicate values. Using the same nonce for two different messages encrypted with the same key destroys the security properties of this mode. 3. The message m, consisting of a string of l(m) octets where 0 <= l(m) < 2^(8*L). The length restriction ensures that l(m) can be encoded in a field of L octets. Kato & Kanda Expires December 26, 2008 [Page 9] Internet-Draft Camellia-CTR and Camellia-CCM algorithms June 2008 4. The additional authenticated data AAD where 0 <=AADl(AAD) < 2^64. This additional data is authenticated but not encrypted, and isKato & Kanda Expires September 20, 2008 [Page 9] Internet-Draft Camellia-CTR and Camellia-CCM algorithms March 2008not included in the output of this mode. It can be used to authenticate plaintext packet headers, or contextual information that affects the interpretation of the message. Users who do not wish to authenticate additional data can provide a string of length zero. The inputs are summarized as: Name Description Size ---- ----------------------------------- ----------------------- K Block cipher key Depends on block cipher N Nonce 15-L octets m Message to authenticate and encrypt l(m) octets AAD Additional authenticated data0 =< AAD < 2^64 3.2.4.l(AAD) octets 3.3.3. Authentication The first step is to compute the authentication field T. This is done using CBC-MAC[13].[16]. We first define a sequence of blocks B_0, B_1, ..., B_n and then apply CBC-MAC to these blocks. The first block B_0 is formatted asfollows, where l(m) is encoded in most-significant-byte first order:follows: Octet Number Contents ------------ --------- 0 Flags 1 ... 15-L Nonce N 16-L ... 15 l(m) Within the first block B_0, the Flags field is formatted as follows: Bit Number Contents ---------- ---------------------- 7 Reserved (always zero) 6 Adata 5 ... 3 M' 2 ... 0 L' Another way to say the same thing is: Flags = 64*Adata + 8*M' + L'. The Reserved bit is reserved for future expansions and should always be set to zero. The Adata bit is set to zero ifAADl(AAD) = 0, and set to one ifAADl(AAD) > 0. The M' field is set to(M-2)/2.M/2-1. As M can take on the even values from 4 to 16, the 3-bit M' field can take on the values from one to seven. The 3-bit field MUST NOT have a value of zero, which would correspond to a 16-bit integrity check value. TheL' field encodes the size of the length field used to store l(m).Kato & Kanda ExpiresSeptember 20,December 26, 2008 [Page 10] Internet-Draft Camellia-CTR and Camellia-CCM algorithmsMarchJune 2008 L' field encodes the size of the length field used to store l(m). The parameter L can take on the values from 2 to 8 (recall, the value L=1 is reserved). This value is encoded in the 3-bit L' field using the values from one to seven by choosing L' = L-1 (the zero value is reserved). IfAADl(AAD) > 0 (as indicated by the Adata field), then one or more blocks of authentication data are added. These blocks contain AAD and a encoded inaare reversible manner. We first construct a string that encodesAAD.l(AAD). If 0 <AADl(AAD) < (2^16 - 2^8), then the length field is encoded as two octets which contain the valueAAD in most-significant-byte first order.l(AAD). If (2^16 - 2^8) <=AADl(AAD) < 2^32, then the length field is encoded as sixoctetsoctets, consisting of the fixed octets 0xff, 0xfe, and four octets encodingAAD in most-significant-byte-first order.l(AAD). If 2^32 <=AADl(AAD) < 2^64, then the length field is encoded as tenoctetsoctets, consisting of the octets 0xff, 0xff, and eight octets encodingAAD in most-significant-byte-first order.l(AAD). The length encoding conventions are summarized inthe following table. Note that all fields are interpreted in most-significant-byte first order.the following table. First two octets Followed by Comment --------------------------------------------------- ------------------------------- 0x0000 Nothing Reserved 0x0001 ... 0xFEFF NothingFor2 octets of l(AAD), for 0 <AADl(AAD) < (2^16 - 2^8) 0xFF00 ... 0xFFFD Nothing Reserved 0xFFFE 4 octets ofAADl(AAD) For (2^16 - 2^8) <=AADl(AAD) < 2^32 0xFFFF 8 octets ofAADl(AAD) For 2^32 <=AADl(AAD) < 2^64 The blocks encodingathe AAD are formed by concatenating this string that encodesAADl(AAD) withaAAD itself, and splitting the result into 16-octet blocks, and then padding the last block with zeroes if necessary. These blocks are appended to the first blockB0.B_0. After the (optional) additional authentication blocks have been added, we add the message blocks. The message blocks are formed by splitting the message m into 16-octet blocks, and then padding the last block with zeroes if necessary. If the message m consists of the empty string, then no blocks are added in this step. The result is a sequence of blocksB0, B1,B_0, B_1, ...,Bn.B_n. The CBC-MAC is computed by: Kato & Kanda ExpiresSeptember 20,December 26, 2008 [Page 11] Internet-Draft Camellia-CTR and Camellia-CCM algorithmsMarchJune 2008 X_1 := Camellia( K, B_0 ) FOR i:=1 to n DO X_i+1 := Camellia( K, X_i XOR B_i )for i=1, ..., nEND T := first-M-bytes( X_n+1 ) where T is the MAC value. Note that the last block B_n is XORed with X_n, and the result is encrypted with the block cipher. If needed, the ciphertext is truncated to give T.3.2.5.3.3.4. Encryption To encrypt the message data we useCounter (CTR)CTR mode. We first define the key stream blocks by: S_i := Camellia( K, A_i ) for i=0, 1, 2, ... The values A_i are formatted as follows, where the Counter field i isencoded in most-significant-byte first order:encoded: Octet Number Contents ------------ --------- 0 Flags 1 ... 15-L Nonce N 16-L ... 15 Counter i The Flags field is formatted as follows: Bit Number Contents ---------- ---------------------- 7 Reserved (always zero) 6 Reserved (always zero) 5 ... 3ZeroZeroes 2 ... 0 L' Another way say the same thing is: Flags = L'. The Reserved bits are reserved for future expansions and MUST be set to zero. Bit 6 corresponds to the Adata bit in the B_0 block, but as this bit is not used here, it is reserved and MUST be set to zero. Bits 3, 4, and 5 are also set to zero, ensuring that all the A blocks are distinct from B_0, which has the non-zero encoding of M in this position. Bits 0, 1, and 2 contain L', using the same encoding as in B_0. The message is encrypted by XORing the octets of message m with the first l(m) octets of the concatenation of S_1, S_2, S_3, ... . Note that S_0 is not used to encrypt the message.The authentication value U is computed by encrypting T with the keyKato & Kanda ExpiresSeptember 20,December 26, 2008 [Page 12] Internet-Draft Camellia-CTR and Camellia-CCM algorithmsMarchJune 2008 The authentication value U is computed by encrypting T with the key stream block S_0 and truncating it to the desired length. U := T XOR first-M-bytes( S_0 )3.2.6.3.3.5. Output The final resultcc, consists of the encrypted message followed by the encrypted authentication value U.3.2.7.3.3.6. Decryption and Authentication Checking To decrypt a message the following information is required: 1. The encryption key K. 2. The nonce N. 3. The additional authenticated data AAD. 4. The encrypted and authenticated message c. Decryption starts by recomputing the key stream to recover the message m and the MAC value T. The message and additional authentication data is then used to recompute the CBC-MAC value and check T. If the T value is not correct, the receiver MUST NOT reveal any information except for the fact that T is incorrect. The receiver MUST NOT reveal the decrypted message, the value T, or any other information. Kato & Kanda ExpiresSeptember 20,December 26, 2008 [Page 13] Internet-Draft Camellia-CTR and Camellia-CCM algorithmsMarchJune 2008 4. Test Vectors 4.1. Camellia-CTR This section contains ninetest vectors(TV),TVs, which can be used to confirm that an implementation has correctly implementedCamellia- CTR.Camellia-CTR. The first threetest vectorsTVs use Camellia with a128 bit128-bit key; the next threetest vectorsTVs use Camellia with a192 bit192-bit key; and the last threetest vectorsTVs use Camellia with a256 bit256-bit key. TV #1: Encrypting 16 octets using Camellia-CTR with 128-bit key Camellia Key : AE 68 52 F8 12 10 67 CC 4B F7 A5 76 55 77 F3 9E Camellia-CTR IV : 00 00 00 00 00 00 00 00 Nonce : 00 00 00 30 Plaintext : 53 69 6E 67 6C 65 20 62 6C 6F 63 6B 20 6D 73 67 Counter Block (1): 00 00 00 30 00 00 00 00 00 00 00 00 00 00 00 01 Key Stream (1): 83 F4 AC FD EE 71 41 F8 4C E8 1F 1D FB 72 78 58 Ciphertext : D0 9D C2 9A 82 14 61 9A 20 87 7C 76 DB 1F 0B 3F TV #2: Encrypting 32 octets using Camellia-CTR with 128-bit key Camellia Key : 7E 24 06 78 17 FA E0 D7 43 D6 CE 1F 32 53 91 63 Camellia-CTR IV : C0 54 3B 59 DA 48 D9 0B Nonce : 00 6C B6 DB Plaintext : 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F : 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F Counter Block (1): 00 6C B6 DB C0 54 3B 59 DA 48 D9 0B 00 00 00 01 Key Stream (1): DB F2 C5 8E C4 86 90 D3 D2 75 9A 7C 69 B6 C5 4B Counter Block (2): 00 6C B6 DB C0 54 3B 59 DA 48 D9 0B 00 00 00 02 Key Stream (2): 3B 9F 9C 1C 25 E5 CA B0 34 6D 0D F8 4F 7D FE 57 Ciphertext : DB F3 C7 8D C0 83 96 D4 DA 7C 90 77 65 BB CB 44 : 2B 8E 8E 0F 31 F0 DC A7 2C 74 17 E3 53 60 E0 48 TV #3: Encrypting 36 octets using Camellia-CTR with 128-bit key Camellia Key : 76 91 BE 03 5E 50 20 A8 AC 6E 61 85 29 F9 A0 DC Camellia-CTR IV : 27 77 7F 3F 4A 17 86 F0 Nonce : 00 E0 01 7B Plaintext : 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F : 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F : 20 21 22 23 Counter Block (1): 00 E0 01 7B 27 77 7F 3F 4A 17 86 F0 00 00 00 01 Key Stream (1): B1 9C 1D CE CF 70 ED 8F 27 8D 96 E9 41 88 C1 7C Counter Block (2): 00 E0 01 7B 27 77 7F 3F 4A 17 86 F0 00 00 00 02 Key Stream (2): 8C F7 59 38 48 88 65 E6 57 34 47 86 D2 85 97 D2 Counter Block (3): 00 E0 01 7B 27 77 7F 3F 4A 17 86 F0 00 00 00 03 Key Stream (3): FF 71 A4 B5 D8 86 12 53 6A 9D 10 A1 13 0F 14 F8 Ciphertext : B1 9D 1F CD CB 75 EB 88 2F 84 9C E2 4D 85 CF 73 : 9C E6 4B 2B 5C 9D 73 F1 4F 2D 5D 9D CE 98 89 CD Kato & Kanda ExpiresSeptember 20,December 26, 2008 [Page 14] Internet-Draft Camellia-CTR and Camellia-CCM algorithmsMarchJune 2008 : DF 50 86 96 TV #4: Encrypting 16 octets using Camellia-CTR with 192-bit key Camellia Key : 16 AF 5B 14 5F C9 F5 79 C1 75 F9 3E 3B FB 0E ED : 86 3D 06 CC FD B7 85 15 Camellia-CTR IV : 36 73 3C 14 7D 6D 93 CB Nonce : 00 00 00 48 Plaintext : 53 69 6E 67 6C 65 20 62 6C 6F 63 6B 20 6D 73 67 Counter Block (1): 00 00 00 48 36 73 3C 14 7D 6D 93 CB 00 00 00 01 Key Stream (1): 70 10 57 F9 E6 E8 0B 49 7A 1F 4C AC AB F3 E5 F1 Ciphertext : 23 79 39 9E 8A 8D 2B 2B 16 70 2F C7 8B 9E 96 96 TV #5: Encrypting 32 octets using Camellia-CTR with 192-bit key Camellia Key : 7C 5C B2 40 1B 3D C3 3C 19 E7 34 08 19 E0 F6 9C : 67 8C 3D B8 E6 F6 A9 1A Camellia-CTR IV : 02 0C 6E AD C2 CB 50 0D Nonce : 00 96 B0 3B Plaintext : 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F : 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F Counter Block (1): 00 96 B0 3B 02 0C 6E AD C2 CB 50 0D 00 00 00 01 Key Stream (1): 7D EE 36 F4 A1 D5 E2 12 6F 42 75 F7 A2 6A C9 52 Counter Block (2): 00 96 B0 3B 02 0C 6E AD C2 CB 50 0D 00 00 00 02 Key Stream (2): C0 09 AA 7C E6 25 47 F7 4E 20 30 82 EF 47 52 F2 Ciphertext : 7D EF 34 F7 A5 D0 E4 15 67 4B 7F FC AE 67 C7 5D : D0 18 B8 6F F2 30 51 E0 56 39 2A 99 F3 5A 4C ED TV #6: Encrypting 36 octets using Camellia-CTR with 192-bit key Camellia Key : 02 BF 39 1E E8 EC B1 59 B9 59 61 7B 09 65 27 9B : F5 9B 60 A7 86 D3 E0 FE Camellia-CTR IV : 5C BD 60 27 8D CC 09 12 Nonce : 00 07 BD FD Plaintext : 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F : 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F : 20 21 22 23 Counter Block (1): 00 07 BD FD 5C BD 60 27 8D CC 09 12 00 00 00 01 Key Stream (1): 57 11 E7 55 E5 4D 7C 27 BD A5 04 78 FD 93 40 77 Counter Block (2): 00 07 BD FD 5C BD 60 27 8D CC 09 12 00 00 00 02 Key Stream (2): 66 E2 6D CF 85 A4 F9 5A 55 B4 F2 FD 7A BB 53 11 Counter Block (3): 00 07 BD FD 5C BD 60 27 8D CC 09 12 00 00 00 03 Key Stream (3): F5 76 89 74 63 52 A8 C5 1E 82 DE 66 C3 9F 38 34 Ciphertext : 57 10 E5 56 E1 48 7A 20 B5 AC 0E 73 F1 9E 4E 78 : 76 F3 7F DC 91 B1 EF 4D 4D AD E8 E6 66 A6 4D 0E : D5 57 AB 57 TV #7: Encrypting 16 octets using Camellia-CTR with 256-bit key Camellia Key : 77 6B EF F2 85 1D B0 6F 4C 8A 05 42 C8 69 6F 6C : 6A 81 AF 1E EC 96 B4 D3 7F C1 D6 89 E6 C1 C1 04 Camellia-CTR IV : DB 56 72 C9 7A A8 F0 B2 Kato & Kanda ExpiresSeptember 20,December 26, 2008 [Page 15] Internet-Draft Camellia-CTR and Camellia-CCM algorithmsMarchJune 2008 Nonce : 00 00 00 60 Plaintext : 53 69 6E 67 6C 65 20 62 6C 6F 63 6B 20 6D 73 67 Counter Block (1): 00 00 00 60 DB 56 72 C9 7A A8 F0 B2 00 00 00 01 Key Stream (1): 67 68 97 AF 48 1B DF AC D1 06 F7 1A 6C 76 C8 76 Ciphertext : 34 01 F9 C8 24 7E FF CE BD 69 94 71 4C 1B BB 11 TV #8: Encrypting 32 octets using Camellia-CTR with 256-bit key Camellia Key : F6 D6 6D 6B D5 2D 59 BB 07 96 36 58 79 EF F8 86 : C6 6D D5 1A 5B 6A 99 74 4B 50 59 0C 87 A2 38 84 Camellia-CTR IV : C1 58 5E F1 5A 43 D8 75 Nonce : 00 FA AC 24 Plaintext : 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F : 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F Counter Block (1): 00 FA AC 24 C1 58 5E F1 5A 43 D8 75 00 00 00 01 Key Stream (1): D6 C2 01 91 20 6A 7E 0F A0 35 21 29 A4 8E 90 4A Counter Block (2): 00 FA AC 24 C1 58 5E F1 5A 43 D8 75 00 00 00 02 Key Stream (2): F5 0D C6 99 08 CA 56 79 A4 85 D8 C8 B7 9E 5F 17 Ciphertext : D6 C3 03 92 24 6F 78 08 A8 3C 2B 22 A8 83 9E 45 : E5 1C D4 8A 1C DF 40 6E BC 9C C2 D3 AB 83 41 08 TV #9: Encrypting 36 octets using Camellia-CTR with 256-bit key Camellia Key : FF 7A 61 7C E6 91 48 E4 F1 72 6E 2F 43 58 1D E2 : AA 62 D9 F8 05 53 2E DF F1 EE D6 87 FB 54 15 3D Camellia-CTR IV : 51 A5 1D 70 A1 C1 11 48 Nonce : 00 1C C5 B7 Plaintext : 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F : 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F : 20 21 22 23 Counter Block (1): 00 1C C5 B7 51 A5 1D 70 A1 C1 11 48 00 00 00 01 Key Stream (1): A4 DB 21 FF E2 A0 F9 AD 65 6D A4 91 0A 5F AA 23 Counter Block (2): 00 1C C5 B7 51 A5 1D 70 A1 C1 11 48 00 00 00 02 Key Stream (2): C1 70 B1 58 71 EC 71 88 6D D9 05 0B 03 6C 39 70 Counter Block (3): 00 1C C5 B7 51 A5 1D 70 A1 C1 11 48 00 00 00 03 Key Stream (3): 35 CE 2F AE 90 78 B3 72 F5 76 12 39 1F 8B AF BF Ciphertext : A4 DA 23 FC E6 A5 FF AA 6D 64 AE 9A 06 52 A4 2C : D1 61 A3 4B 65 F9 67 9F 75 C0 1F 10 1F 71 27 6F : 15 EF 0D 8D 4.2. Camellia-CCM This section contains twenty fourtest vectors,TVs, which can be used to confirm that an implementation has correctly implementedCamellia- CCM.Camellia-CCM. In each of thesetest vectors,TVs, the least significant sixteen bits of the counter block is used for the block counter, and the nonce is 13 octets. Some of thetest vectorsTVs includeaan eight octet authentication value, and others include a ten octet authentication value. =============== Packet Vector #1 ================== Kato & Kanda ExpiresSeptember 20,December 26, 2008 [Page 16] Internet-Draft Camellia-CTR and Camellia-CCM algorithmsMarchJune 2008=============== Packet Vector #1 ==================CAM Key: C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF Nonce = 00 00 00 03 02 01 00 A0 A1 A2 A3 A4 A5 Total packet length = 31. [Input (8 cleartext header octets)] 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E CBC IV in: 59 00 00 00 03 02 01 00 A0 A1 A2 A3 A4 A5 00 17 CBC IV out:D4 DB CD 92 A8 96 41 56 1D 0D BB D0 D5 7F 7E 1D After xor: D4 D3 CD 93 AA 95 45 53 1B 0A BB D0 D5 7F 7E 1D [hdr] After CAM: BD 84 03 80 73 59 37 B7 CE F5 E4 BA 1B 18 54 DC After xor: B5 8D 09 8B 7F 54 39 B8 DE E4 F6 A9 0F 0D 42 CB [msg] After CAM: CE 21 82 9C F6 F2 4D A2 CB 35 D1 FD 81 27 63 EC After xor: D6 38 98 87 EA EF 53 A2 CB 35 D1 FD 81 27 63 EC [msg] After CAM: 20 11 FE E2 53 B1 A7 DB 02 77 FA 37 6D 78 EE 10 MIC tag : 20 11 FE E2 53 B1 A7 DB CTR Start: 01 00 00 00 03 02 01 00 A0 A1 A2 A3 A4 A5 00 01 CTR[0001]: B2 7A 7B 8E EB 14 3F 0B 82 E2 98 4C 06 44 CC 42 CTR[0002]: E2 E2 D3 52 98 97 13 45 D1 63 22 90 E7 F8 15 4A CTR[MIC ]: DC BF 30 96 38 8C 1E 76 Total packet length = 39. [Encrypted] 00 01 02 03 04 05 06 07 BA 73 71 85 E7 19 31 04 92 F3 8A 5F 12 51 DA 55 FA FB C9 49 84 8A 0D FC AE CE 74 6B 3D B9 AD =============== Packet Vector #2 ================== CAM Key: C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF Nonce = 00 00 00 04 03 02 01 A0 A1 A2 A3 A4 A5 Total packet length = 32. [Input (8 cleartext header octets)] 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F CBC IV in: 59 00 00 00 04 03 02 01 A0 A1 A2 A3 A4 A5 00 18 CBC IV out:07 0B 22 50 8A 24 3C DD 5B BA 54 DB 60 52 88 06 After xor: 07 03 22 51 88 27 38 D8 5D BD 54 DB 60 52 88 06 [hdr] After CAM: 10 FD C2 F2 90 4A 9F 96 B0 4F 62 A4 A1 A9 31 1E After xor: 18 F4 C8 F9 9C 47 91 99 A0 5E 70 B7 B5 BC 27 09 [msg] After CAM: E4 C8 82 02 89 55 5C 15 CE 7F E4 60 B1 B9 5A 08 After xor: FC D1 98 19 95 48 42 0A CE 7F E4 60 B1 B9 5A 08 [msg] After CAM: D2 96 BA 4F 83 DE B5 DF A2 19 08 F7 47 4E 3C 40 MIC tag : D2 96 BA 4F 83 DE B5 DF CTR Start: 01 00 00 00 04 03 02 01 A0 A1 A2 A3 A4 A5 00 01 CTR[0001]: 55 2C 6E B4 82 A2 EF D6 85 37 FE 12 79 0E E6 55 CTR[0002]: 54 E2 C8 D6 7E 99 91 2C F2 8A D7 8E 83 04 10 36 CTR[MIC ]: B2 24 93 12 71 9C 36 37 Total packet length = 40. [Encrypted] 00 01 02 03 04 05 06 07 5D 25 64 BF 8E AF E1 D9 95 26 EC 01 6D 1B F0 42 4C FB D2 CD 62 84 8F 33 60 B2 29 5D F2 42 83 E8 =============== Packet Vector #3 ================== Kato & Kanda ExpiresSeptember 20,December 26, 2008 [Page 17] Internet-Draft Camellia-CTR and Camellia-CCM algorithmsMarchJune 2008=============== Packet Vector #3 ==================CAM Key: C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF Nonce = 00 00 00 05 04 03 02 A0 A1 A2 A3 A4 A5 Total packet length = 33. [Input (8 cleartext header octets)] 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F 20 CBC IV in: 59 00 00 00 05 04 03 02 A0 A1 A2 A3 A4 A5 00 19 CBC IV out:6F 69 15 DF A6 A0 DF 24 84 A7 37 88 A3 65 F9 2E After xor: 6F 61 15 DE A4 A3 DB 21 82 A0 37 88 A3 65 F9 2E [hdr] After CAM: 59 5D 99 48 79 04 DA C9 13 93 36 C9 11 A8 09 1D After xor: 51 54 93 43 75 09 D4 C6 03 82 24 DA 05 BD 1F 0A [msg] After CAM: 1A 43 D7 19 65 43 97 C1 43 6F 4F 11 A7 6C 6B ED After xor: 02 5A CD 02 79 5E 89 DE 63 6F 4F 11 A7 6C 6B ED [msg] After CAM: 30 0B 06 8A A0 D1 4D C5 9E 44 22 84 82 45 42 0B MIC tag : 30 0B 06 8A A0 D1 4D C5 CTR Start: 01 00 00 00 05 04 03 02 A0 A1 A2 A3 A4 A5 00 01 CTR[0001]: 89 FF 69 DD CB 75 76 18 E9 31 24 1B AD 97 BB 02 CTR[0002]: C4 32 A7 9C CB 4B E9 8D 24 A8 F0 AB C6 87 16 11 CTR[MIC ]: C5 5A D0 E2 8F F2 E7 83 Total packet length = 41. [Encrypted] 00 01 02 03 04 05 06 07 81 F6 63 D6 C7 78 78 17 F9 20 36 08 B9 82 AD 15 DC 2B BD 87 D7 56 F7 92 04 F5 51 D6 68 2F 23 AA 46 =============== Packet Vector #4 ================== CAM Key: C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF Nonce = 00 00 00 06 05 04 03 A0 A1 A2 A3 A4 A5 Total packet length = 31. [Input (12 cleartext header octets)] 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E CBC IV in: 59 00 00 00 06 05 04 03 A0 A1 A2 A3 A4 A5 00 13 CBC IV out:F5 51 CF 6C 7C F7 D4 0B 2B 76 F1 6B 57 F0 19 FE After xor: F5 5D CF 6D 7E F4 D0 0E 2D 71 F9 62 5D FB 19 FE [hdr] After CAM: 02 2B 21 1B EB 97 02 3B F8 10 7D CC 62 14 E5 7C After xor: 0E 26 2F 14 FB 86 10 28 EC 05 6B DB 7A 0D FF 67 [msg] After CAM: 48 14 A4 2D 31 25 1C 37 19 C5 6F DD 5A 37 81 42 After xor: 54 09 BA 2D 31 25 1C 37 19 C5 6F DD 5A 37 81 42 [msg] After CAM: CF 85 25 D2 80 D5 F0 09 53 2C 9D 43 4E F3 04 47 MIC tag : CF 85 25 D2 80 D5 F0 09 CTR Start: 01 00 00 00 06 05 04 03 A0 A1 A2 A3 A4 A5 00 01 CTR[0001]: C6 E2 10 8D 62 00 A2 9C 6F CC 19 1F DF 6B 92 DB CTR[0002]: 6C B9 BE EE 1E A2 E9 B3 2D D6 C2 9A E8 26 D5 C2 CTR[MIC ]: 44 BF B6 E8 E3 31 67 A9 Total packet length = 39. [Encrypted] 00 01 02 03 04 05 06 07 08 09 0A 0B CA EF 1E 82 72 11 B0 8F 7B D9 0F 08 C7 72 88 C0 70 A4 A0 8B 3A 93 3A 63 E4 97 A0 Kato & Kanda ExpiresSeptember 20,December 26, 2008 [Page 18] Internet-Draft Camellia-CTR and Camellia-CCM algorithmsMarchJune 2008 =============== Packet Vector #5 ================== CAM Key: C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF Nonce = 00 00 00 07 06 05 04 A0 A1 A2 A3 A4 A5 Total packet length = 32. [Input (12 cleartext header octets)] 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F CBC IV in: 59 00 00 00 07 06 05 04 A0 A1 A2 A3 A4 A5 00 14 CBC IV out:73 72 9D 76 7A BD B9 82 60 3A 12 7B EF 26 FB 80 After xor: 73 7E 9D 77 78 BE BD 87 66 3D 1A 72 E5 2D FB 80 [hdr] After CAM: E1 B7 A6 72 E2 5C 87 75 91 21 22 A4 07 13 CD 5B After xor: ED BA A8 7D F2 4D 95 66 85 34 34 B3 1F 0A D7 40 [msg] After CAM: 13 2F 58 D9 5D 0F 95 B8 90 BF 6F 1D 31 84 54 C7 After xor: 0F 32 46 C6 5D 0F 95 B8 90 BF 6F 1D 31 84 54 C7 [msg] After CAM: 47 8F 1E B0 71 24 8B 13 AF C8 C8 44 E6 0F 88 B6 MIC tag : 47 8F 1E B0 71 24 8B 13 CTR Start: 01 00 00 00 07 06 05 04 A0 A1 A2 A3 A4 A5 00 01 CTR[0001]: 26 DE B4 D6 5F D4 3C 81 AA 56 98 95 64 09 39 A2 CTR[0002]: 76 97 69 3A 21 13 0C 39 2E 4E EB BF 48 7B 24 BE CTR[MIC ]: C8 2E 65 17 82 15 50 1A Total packet length = 40. [Encrypted] 00 01 02 03 04 05 06 07 08 09 0A 0B 2A D3 BA D9 4F C5 2E 92 BE 43 8E 82 7C 10 23 B9 6A 8A 77 25 8F A1 7B A7 F3 31 DB 09 =============== Packet Vector #6 ================== CAM Key: C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF Nonce = 00 00 00 08 07 06 05 A0 A1 A2 A3 A4 A5 Total packet length = 33. [Input (12 cleartext header octets)] 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F 20 CBC IV in: 59 00 00 00 08 07 06 05 A0 A1 A2 A3 A4 A5 00 15 CBC IV out:EB 59 05 CC 3F 52 61 10 26 24 75 93 DD B9 A0 F4 After xor: EB 55 05 CD 3D 51 65 15 20 23 7D 9A D7 B2 A0 F4 [hdr] After CAM: 18 A9 AE A4 3D D2 A9 11 6C 0A E5 4F 40 D1 4D 9F After xor: 14 A4 A0 AB 2D C3 BB 02 78 1F F3 58 58 C8 57 84 [msg] After CAM: FA C4 13 18 98 54 1B 54 93 9C 64 B8 CB FD 5B 18 After xor: E6 D9 0D 07 B8 54 1B 54 93 9C 64 B8 CB FD 5B 18 [msg] After CAM: 49 E6 E8 ED 32 FB CA 2F 2E 55 CD AF D0 F2 B3 05 MIC tag : 49 E6 E8 ED 32 FB CA 2F CTR Start: 01 00 00 00 08 07 06 05 A0 A1 A2 A3 A4 A5 00 01 CTR[0001]: F2 A8 46 04 B5 2E BA C0 D7 51 34 BD D6 54 FC 64 CTR[0002]: E6 26 A9 24 8B E6 86 CB 92 D6 FB FC 2E F2 91 98 CTR[MIC ]: E2 D0 49 03 7D 1B 34 07 Total packet length = 41. [Encrypted] 00 01 02 03 04 05 06 07 08 09 0A 0B FE A5 48 0B A5 3F A8 D3 C3 44 22 AA CE 4D E6 7F FA 3B B7 3B AB AB 36 A1 EE 4F E0 FE 28 Kato & Kanda ExpiresSeptember 20,December 26, 2008 [Page 19] Internet-Draft Camellia-CTR and Camellia-CCM algorithmsMarchJune 2008 =============== Packet Vector #7 ================== CAM Key: C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF Nonce = 00 00 00 09 08 07 06 A0 A1 A2 A3 A4 A5 Total packet length = 31. [Input (8 cleartext header octets)] 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E CBC IV in: 61 00 00 00 09 08 07 06 A0 A1 A2 A3 A4 A5 00 17 CBC IV out:AC F1 5D 79 99 1A 15 BF 5C DC F6 C4 45 AE 1F CB After xor: AC F9 5D 78 9B 19 11 BA 5A DB F6 C4 45 AE 1F CB [hdr] After CAM: E9 C0 AC FD C7 E8 E7 1D FA E8 8B 66 95 9E 01 45 After xor: E1 C9 A6 F6 CB E5 E9 12 EA F9 99 75 81 8B 17 52 [msg] After CAM: 9C FF ED 72 09 A6 7D 2A 48 B7 29 BF D8 BE 39 59 After xor: 84 E6 F7 69 15 BB 63 2A 48 B7 29 BF D8 BE 39 59 [msg] After CAM: 4F 41 FA DE B2 58 F3 32 54 0A 55 7A 80 4A A3 F5 MIC tag : 4F 41 FA DE B2 58 F3 32 54 0A CTR Start: 01 00 00 00 09 08 07 06 A0 A1 A2 A3 A4 A5 00 01 CTR[0001]: 5C 5A 2A 2D E9 41 1F 95 9D 27 CB FF 7A 0B CF 63 CTR[0002]: 0E D1 6A 97 57 41 32 4F 33 1B 4A 42 B1 4A 54 63 CTR[MIC ]: E3 EE 59 62 7D 22 BD 8D C1 79 Total packet length = 41. [Encrypted] 00 01 02 03 04 05 06 07 54 53 20 26 E5 4C 11 9A 8D 36 D9 EC 6E 1E D9 74 16 C8 70 8C 4B 5C 2C AC AF A3 BC CF 7A 4E BF 95 73 =============== Packet Vector #8 ================== CAM Key: C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF Nonce = 00 00 00 0A 09 08 07 A0 A1 A2 A3 A4 A5 Total packet length = 32. [Input (8 cleartext header octets)] 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F CBC IV in: 61 00 00 00 0A 09 08 07 A0 A1 A2 A3 A4 A5 00 18 CBC IV out:AD CA 1C 1D 45 E7 E2 62 58 D5 DA 46 D8 2F 69 3A After xor: AD C2 1C 1C 47 E4 E6 67 5E D2 DA 46 D8 2F 69 3A [hdr] After CAM: FA DE 0E B4 3E CA C1 E9 69 BB 8C A4 7C 0D 80 8F After xor: F2 D7 04 BF 32 C7 CF E6 79 AA 9E B7 68 18 96 98 [msg] After CAM: D2 87 35 C2 D0 E4 AE 4E BC C2 99 FF B3 77 F8 A1 After xor: CA 9E 2F D9 CC F9 B0 51 BC C2 99 FF B3 77 F8 A1 [msg] After CAM: BD F6 FB 55 9E 90 C0 E7 DF 4B 0C 37 DC 42 32 A2 MIC tag : BD F6 FB 55 9E 90 C0 E7 DF 4B CTR Start: 01 00 00 00 0A 09 08 07 A0 A1 A2 A3 A4 A5 00 01 CTR[0001]: 82 D8 91 0B 16 8A DF 47 E4 C8 39 FC 20 47 4A DB CTR[0002]: FB BF 26 7E 0E BB EB 6A 07 4E 29 CF 3D 12 E6 DB CTR[MIC ]: CE 7E 1F C4 A0 61 87 E6 2B 0A Total packet length = 42. [Encrypted] 00 01 02 03 04 05 06 07 8A D1 9B 00 1A 87 D1 48 F4 D9 2B EF 34 52 5C CC E3 A6 3C 65 12 A6 F5 75 73 88 E4 91 3E F1 47 01 F4 41 Kato & Kanda ExpiresSeptember 20,December 26, 2008 [Page 20] Internet-Draft Camellia-CTR and Camellia-CCM algorithmsMarchJune 2008 =============== Packet Vector #9 ================== CAM Key: C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF Nonce = 00 00 00 0B 0A 09 08 A0 A1 A2 A3 A4 A5 Total packet length = 33. [Input (8 cleartext header octets)] 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F 20 CBC IV in: 61 00 00 00 0B 0A 09 08 A0 A1 A2 A3 A4 A5 00 19 CBC IV out:D0 A9 A5 94 00 63 86 40 11 0D DB 40 CA F8 4A 9C After xor: D0 A1 A5 95 02 60 82 45 17 0A DB 40 CA F8 4A 9C [hdr] After CAM: 7B CA 4E 2D 79 82 0D 1E 15 22 DD E8 37 B9 B1 F0 After xor: 73 C3 44 26 75 8F 03 11 05 33 CF FB 23 AC A7 E7 [msg] After CAM: 6B 75 9F 83 C0 8F 56 64 F2 FA D5 7F 67 01 B8 21 After xor: 73 6C 85 98 DC 92 48 7B D2 FA D5 7F 67 01 B8 21 [msg] After CAM: 7D B7 BE FF 72 F3 26 74 9E 20 07 28 1E 5B 1A 8A MIC tag : 7D B7 BE FF 72 F3 26 74 9E 20 CTR Start: 01 00 00 00 0B 0A 09 08 A0 A1 A2 A3 A4 A5 00 01 CTR[0001]: 55 B9 87 69 4C 73 60 3E C6 1E 8E B1 D2 11 62 36 CTR[0002]: 82 D9 A4 4B DC C9 BB 68 A7 FE 15 A5 19 51 57 87 CTR[MIC ]: E9 61 5C CF BF D6 EF 8A 21 A7 Total packet length = 43. [Encrypted] 00 01 02 03 04 05 06 07 5D B0 8D 62 40 7E 6E 31 D6 0F 9C A2 C6 04 74 21 9A C0 BE 50 C0 D4 A5 77 87 94 D6 E2 30 CD 25 C9 FE BF 87 =============== Packet Vector #10 ================== CAM Key: C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF Nonce = 00 00 00 0C 0B 0A 09 A0 A1 A2 A3 A4 A5 Total packet length = 31. [Input (12 cleartext header octets)] 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E CBC IV in: 61 00 00 00 0C 0B 0A 09 A0 A1 A2 A3 A4 A5 00 13 CBC IV out:B1 85 73 A3 1C 6F EC 01 90 E3 CE 94 27 11 04 B9 After xor: B1 89 73 A2 1E 6C E8 04 96 E4 C6 9D 2D 1A 04 B9 [hdr] After CAM: A6 AD EA 9C FA 3F 76 78 4C 17 8A F3 DC 69 F0 82 After xor: AA A0 E4 93 EA 2E 64 6B 58 02 9C E4 C4 70 EA 99 [msg] After CAM: 35 50 B7 27 78 F8 C6 BF 02 4B 65 60 05 C0 E1 ED After xor: 29 4D A9 27 78 F8 C6 BF 02 4B 65 60 05 C0 E1 ED [msg] After CAM: 3D B5 A6 E6 85 AF 1C 58 80 B0 32 2E 01 74 91 FC MIC tag : 3D B5 A6 E6 85 AF 1C 58 80 B0 CTR Start: 01 00 00 00 0C 0B 0A 09 A0 A1 A2 A3 A4 A5 00 01 CTR[0001]: D7 1C 82 C1 D1 A9 64 0F 93 69 CE 81 22 7E CC E8 CTR[0002]: A7 A1 42 44 32 4E 69 FE 4C D0 36 65 A5 31 0B AB CTR[MIC ]: ED 27 3F 0D 94 5C 0E AA B2 87 Total packet length = 41. [Encrypted] 00 01 02 03 04 05 06 07 08 09 0A 0B DB 11 8C CE C1 B8 76 1C 87 7C D8 96 3A 67 D6 F3 BB BC 5C D0 92 99 EB 11 F3 12 F2 32 37 Kato & Kanda ExpiresSeptember 20,December 26, 2008 [Page 21] Internet-Draft Camellia-CTR and Camellia-CCM algorithmsMarchJune 2008 =============== Packet Vector #11 ================== CAM Key: C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF Nonce = 00 00 00 0D 0C 0B 0A A0 A1 A2 A3 A4 A5 Total packet length = 32. [Input (12 cleartext header octets)] 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F CBC IV in: 61 00 00 00 0D 0C 0B 0A A0 A1 A2 A3 A4 A5 00 14 CBC IV out:45 DF B5 07 6F BB 10 EA F1 15 15 AD 21 4F B0 0E After xor: 45 D3 B5 06 6D B8 14 EF F7 12 1D A4 2B 44 B0 0E [hdr] After CAM: 17 52 F9 6D DD BC 5B 1C 1E EB 80 FC F6 10 AC 03 After xor: 1B 5F F7 62 CD AD 49 0F 0A FE 96 EB EE 09 B6 18 [msg] After CAM: BE F0 A0 B9 EC 94 B6 B3 E8 EC 1B 82 14 14 09 87 After xor: A2 ED BE A6 EC 94 B6 B3 E8 EC 1B 82 14 14 09 87 [msg] After CAM: 70 16 E4 F9 C4 2C 30 10 84 BF EC 69 34 89 91 FD MIC tag : 70 16 E4 F9 C4 2C 30 10 84 BF CTR Start: 01 00 00 00 0D 0C 0B 0A A0 A1 A2 A3 A4 A5 00 01 CTR[0001]: 70 C5 33 82 D4 80 11 41 4F 5D 2B D2 D2 67 B3 B0 CTR[0002]: 9D 36 6E 49 39 C5 16 76 5C 1C 25 12 81 79 94 70 CTR[MIC ]: 77 8B 4B 03 1E 3A FC DF A8 F1 Total packet length = 42. [Encrypted] 00 01 02 03 04 05 06 07 08 09 0A 0B 7C C8 3D 8D C4 91 03 52 5B 48 3D C5 CA 7E A9 AB 81 2B 70 56 07 9D AF FA DA 16 CC CF 2C 4E =============== Packet Vector #12 ================== CAM Key: C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF Nonce = 00 00 00 0E 0D 0C 0B A0 A1 A2 A3 A4 A5 Total packet length = 33. [Input (12 cleartext header octets)] 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F 20 CBC IV in: 61 00 00 00 0E 0D 0C 0B A0 A1 A2 A3 A4 A5 00 15 CBC IV out:81 E4 EB 1E 50 A9 70 CE 18 CA 1A 4B 68 39 80 2E After xor: 81 E8 EB 1F 52 AA 74 CB 1E CD 12 42 62 32 80 2E [hdr] After CAM: 04 AB D9 62 34 B9 8F 32 8C 0F 08 3F 3D 87 9D 57 After xor: 08 A6 D7 6D 24 A8 9D 21 98 1A 1E 28 25 9E 87 4C [msg] After CAM: BD A2 EA CB 3A DA 6A E7 9F BB C2 2C E6 4C 98 89 After xor: A1 BF F4 D4 1A DA 6A E7 9F BB C2 2C E6 4C 98 89 [msg] After CAM: B6 FC E1 46 D3 EA DC 91 E0 AB 10 AD D8 55 E7 03 MIC tag : B6 FC E1 46 D3 EA DC 91 E0 AB CTR Start: 01 00 00 00 0E 0D 0C 0B A0 A1 A2 A3 A4 A5 00 01 CTR[0001]: 20 DE 55 87 30 C3 2C 69 B7 44 A6 FE 37 DE 89 7C CTR[0002]: 3F 96 32 D8 68 6D C2 B5 22 97 42 27 EB F9 26 5E CTR[MIC ]: 7D 45 AD 6F 94 93 E1 F5 4F DE Total packet length = 43. [Encrypted] 00 01 02 03 04 05 06 07 08 09 0A 0B 2C D3 5B 88 20 D2 3E 7A A3 51 B0 E9 2F C7 93 67 23 8B 2C C7 48 CB B9 4C 29 47 79 3D 64 AF 75 Kato & Kanda ExpiresSeptember 20,December 26, 2008 [Page 22] Internet-Draft Camellia-CTR and Camellia-CCM algorithmsMarchJune 2008 =============== Packet Vector #13 ================== CAM Key: D7 5C 27 78 07 8C A9 3D 97 1F 96 FD E7 20 F4 CD Nonce = 00 A9 70 11 0E 19 27 B1 60 B6 A3 1C 1C Total packet length = 31. [Input (8 cleartext header octets)] 6B 7F 46 45 07 FA E4 96 C6 B5 F3 E6 CA 23 11 AE F7 47 2B 20 3E 73 5E A5 61 AD B1 7D 56 C5 A3 CBC IV in: 59 00 A9 70 11 0E 19 27 B1 60 B6 A3 1C 1C 00 17 CBC IV out:D7 24 B0 0F B1 87 04 C6 C1 4E 90 37 AA F2 F1 F9 After xor: D7 2C DB 70 F7 C2 03 3C 25 D8 90 37 AA F2 F1 F9 [hdr] After CAM: 9B 13 6D E3 D9 9F C3 6D 7D 0D B7 D8 A1 BF E9 BD After xor: 5D A6 9E 05 13 BC D2 C3 8A 4A 9C F8 9F CC B7 18 [msg] After CAM: F8 BF 25 7D 23 F8 D9 B5 82 E6 C9 3E C8 9B 85 73 After xor: 99 12 94 00 75 3D 7A B5 82 E6 C9 3E C8 9B 85 73 [msg] After CAM: D9 D6 62 21 6D B2 CA FD 1F C6 FE 9D 2C AF 5B 69 MIC tag : D9 D6 62 21 6D B2 CA FD CTR Start: 01 00 A9 70 11 0E 19 27 B1 60 B6 A3 1C 1C 00 01 CTR[0001]: 62 80 24 C1 FE AE CC 8C 67 38 55 98 CB 8E E5 E8 CTR[0002]: F2 30 17 2F 1B 71 55 9F 8B CE 79 E5 13 01 FC 6A CTR[MIC ]: 9C 8E A2 0C 48 03 ED 13 Total packet length = 39. [Encrypted] 6B 7F 46 45 07 FA E4 96 A4 35 D7 27 34 8D DD 22 90 7F 7E B8 F5 FD BB 4D 93 9D A6 52 4D B4 F6 45 58 C0 2D 25 B1 27 EE =============== Packet Vector #14 ================== CAM Key: D7 5C 27 78 07 8C A9 3D 97 1F 96 FD E7 20 F4 CD Nonce = 00 83 CD 8C E0 CB 42 B1 60 B6 A3 1C 1C Total packet length = 32. [Input (8 cleartext header octets)] 98 66 05 B4 3D F1 5D E7 01 F6 CE 67 64 C5 74 48 3B B0 2E 6B BF 1E 0A BD 26 A2 25 72 B4 D8 0E E7 CBC IV in: 59 00 83 CD 8C E0 CB 42 B1 60 B6 A3 1C 1C 00 18 CBC IV out:A0 8A 29 78 36 23 1D 84 96 76 93 FF 0A 4C 92 7A After xor: A0 82 B1 1E 33 97 20 75 CB 91 93 FF 0A 4C 92 7A [hdr] After CAM: 8C F5 F4 23 BF 09 1C 74 CD 47 00 C1 32 5D 5C 92 After xor: 8D 03 3A 44 DB CC 68 3C F6 F7 2E AA 8D 43 56 2F [msg] After CAM: 69 DA 48 24 41 1E AC 8E A9 0A CD 8B DD 00 2B 9A After xor: 4F 78 6D 56 F5 C6 A2 69 A9 0A CD 8B DD 00 2B 9A [msg] After CAM: C2 03 3B 08 6D B3 CB 3B 2C C8 5D E7 76 A1 C0 44 MIC tag : C2 03 3B 08 6D B3 CB 3B CTR Start: 01 00 83 CD 8C E0 CB 42 B1 60 B6 A3 1C 1C 00 01 CTR[0001]: 8B 16 9C 37 EB 7B BE DB 15 84 41 6E 5F C2 07 46 CTR[0002]: E9 31 BB DD 4E E6 56 9B 68 95 13 5F AB A4 DF EF CTR[MIC ]: 44 7E 55 14 25 C3 F3 3D Total packet length = 40. [Encrypted] 98 66 05 B4 3D F1 5D E7 8A E0 52 50 8F BE CA 93 2E 34 6F 05 E0 DC 0D FB CF 93 9E AF FA 3E 58 7C 86 7D 6E 1C 48 70 38 06 Kato & Kanda ExpiresSeptember 20,December 26, 2008 [Page 23] Internet-Draft Camellia-CTR and Camellia-CCM algorithmsMarchJune 2008 =============== Packet Vector #15 ================== CAM Key: D7 5C 27 78 07 8C A9 3D 97 1F 96 FD E7 20 F4 CD Nonce = 00 5F 54 95 0B 18 F2 B1 60 B6 A3 1C 1C Total packet length = 33. [Input (8 cleartext header octets)] 48 F2 E7 E1 A7 67 1A 51 CD F1 D8 40 6F C2 E9 01 49 53 89 70 05 FB FB 8B A5 72 76 F9 24 04 60 8E 08 CBC IV in: 59 00 5F 54 95 0B 18 F2 B1 60 B6 A3 1C 1C 00 19 CBC IV out:76 74 53 37 95 23 3C F0 EB 77 CE 93 73 06 99 A8 After xor: 76 7C 1B C5 72 C2 9B 97 F1 26 CE 93 73 06 99 A8 [hdr] After CAM: EF 79 8B 70 34 E4 D5 6B 57 3A F9 44 F0 AF D6 9A After xor: 22 88 53 30 5B 26 3C 6A 1E 69 70 34 F5 54 2D 11 [msg] After CAM: 63 BF 4E 10 01 79 38 0B E4 EC C1 39 B2 B4 3B 8C After xor: C6 CD 38 E9 25 7D 58 85 EC EC C1 39 B2 B4 3B 8C [msg] After CAM: 39 E1 0E FA BD 2F 43 00 50 9E E7 EB A4 FF 6B 8F MIC tag : 39 E1 0E FA BD 2F 43 00 CTR Start: 01 00 5F 54 95 0B 18 F2 B1 60 B6 A3 1C 1C 00 01 CTR[0001]: C5 47 A6 A2 73 49 1B 6F 0E 6D C9 F5 9C 12 3B 08 CTR[0002]: C8 18 86 42 3C DB 35 C8 64 4D 8C 4C 58 01 47 27 CTR[MIC ]: 91 E9 76 5D 2D 68 2E E5 Total packet length = 41. [Encrypted] 48 F2 E7 E1 A7 67 1A 51 08 B6 7E E2 1C 8B F2 6E 47 3E 40 85 99 E9 C0 83 6D 6A F0 BB 18 DF 55 46 6C A8 08 78 A7 90 47 6D E5 =============== Packet Vector #16 ================== CAM Key: D7 5C 27 78 07 8C A9 3D 97 1F 96 FD E7 20 F4 CD Nonce = 00 EC 60 08 63 31 9A B1 60 B6 A3 1C 1C Total packet length = 31. [Input (12 cleartext header octets)] DE 97 DF 3B 8C BD 6D 8E 50 30 DA 4C B0 05 DC FA 0B 59 18 14 26 A9 61 68 5A 99 3D 8C 43 18 5B CBC IV in: 59 00 EC 60 08 63 31 9A B1 60 B6 A3 1C 1C 00 13 CBC IV out:78 EE 05 5A 88 48 E3 5B 8A 45 46 8F 35 4F 0C A2 After xor: 78 E2 DB CD 57 73 6F E6 E7 CB 16 BF EF 03 0C A2 [hdr] After CAM: A9 C6 7F 15 00 1A C6 92 81 67 BD EC DF D2 35 C9 After xor: 19 C3 A3 EF 0B 43 DE 86 A7 CE DC 84 85 4B 08 45 [msg] After CAM: 7C A8 9C 90 46 42 4B E2 4D 96 DF CF BA 12 FD 18 After xor: 3F B0 C7 90 46 42 4B E2 4D 96 DF CF BA 12 FD 18 [msg] After CAM: 89 C7 B4 E8 A4 24 8C 6C 52 ED 34 50 E3 53 AD F5 MIC tag : 89 C7 B4 E8 A4 24 8C 6C CTR Start: 01 00 EC 60 08 63 31 9A B1 60 B6 A3 1C 1C 00 01 CTR[0001]: D3 B2 57 B3 6C E8 86 CF 91 9A AC 79 4E 6F 73 3E CTR[0002]: 65 10 C8 72 39 AF 0F 52 9F D0 A4 DF 54 BF D6 EB CTR[MIC ]: E1 04 E0 6A 29 B1 80 A9 Total packet length = 39. [Encrypted] DE 97 DF 3B 8C BD 6D 8E 50 30 DA 4C 63 B7 8B 49 67 B1 9E DB B7 33 CD 11 14 F6 4E B2 26 08 93 68 C3 54 82 8D 95 0C C5 Kato & Kanda ExpiresSeptember 20,December 26, 2008 [Page 24] Internet-Draft Camellia-CTR and Camellia-CCM algorithmsMarchJune 2008 =============== Packet Vector #17 ================== CAM Key: D7 5C 27 78 07 8C A9 3D 97 1F 96 FD E7 20 F4 CD Nonce = 00 60 CF F1 A3 1E A1 B1 60 B6 A3 1C 1C Total packet length = 32. [Input (12 cleartext header octets)] A5 EE 93 E4 57 DF 05 46 6E 78 2D CF 2E 20 21 12 98 10 5F 12 9D 5E D9 5B 93 F7 2D 30 B2 FA CC D7 CBC IV in: 59 00 60 CF F1 A3 1E A1 B1 60 B6 A3 1C 1C 00 14 CBC IV out:C3 34 69 7D 11 38 73 06 BD 34 E2 10 1F 66 17 E8 After xor: C3 38 CC 93 82 DC 24 D9 B8 72 8C 68 32 A9 17 E8 [hdr] After CAM: 43 6F 37 74 AB 94 3B 41 EA AD 00 CA C3 99 13 7B After xor: 6D 4F 16 66 33 84 64 53 77 F3 D9 91 50 6E 3E 4B [msg] After CAM: 2D 28 FB 62 DA 06 97 A7 4C D4 31 B8 B5 AE AE EE After xor: 9F D2 37 B5 DA 06 97 A7 4C D4 31 B8 B5 AE AE EE [msg] After CAM: F3 DE 10 CD 91 4D B1 B6 CC 37 F0 A2 4A 5A B7 A1 MIC tag : F3 DE 10 CD 91 4D B1 B6 CTR Start: 01 00 60 CF F1 A3 1E A1 B1 60 B6 A3 1C 1C 00 01 CTR[0001]: 25 E6 9A F0 30 A9 56 E6 FF C0 3F 87 87 7A 89 74 CTR[0002]: A2 1B 46 23 76 A2 1E DD F2 AC 4B EC 42 95 3D D3 CTR[MIC ]: C2 99 28 FF E7 BB DB 29 Total packet length = 40. [Encrypted] A5 EE 93 E4 57 DF 05 46 6E 78 2D CF 0B C6 BB E2 A8 B9 09 F4 62 9E E6 DC 14 8D A4 44 10 E1 8A F4 31 47 38 32 76 F6 6A 9F =============== Packet Vector #18 ================== CAM Key: D7 5C 27 78 07 8C A9 3D 97 1F 96 FD E7 20 F4 CD Nonce = 00 0F 85 CD 99 5C 97 B1 60 B6 A3 1C 1C Total packet length = 33. [Input (12 cleartext header octets)] 24 AA 1B F9 A5 CD 87 61 82 A2 50 74 26 45 94 1E 75 63 2D 34 91 AF 0F C0 C9 87 6C 3B E4 AA 74 68 C9 CBC IV in: 59 00 0F 85 CD 99 5C 97 B1 60 B6 A3 1C 1C 00 15 CBC IV out:72 0A 46 75 0F 40 59 53 F2 3B D2 1F 6A 11 60 F6 After xor: 72 06 62 DF 14 B9 FC 9E 75 5A 50 BD 3A 65 60 F6 [hdr] After CAM: 67 73 A0 FD D5 7E D3 5E E8 24 06 D0 A1 8B 0E 18 After xor: 41 36 34 E3 A0 1D FE 6A 79 8B 09 10 68 0C 62 23 [msg] After CAM: BB 1E D8 9F 60 29 D0 99 09 14 06 A5 E3 8B 72 7B After xor: 5F B4 AC F7 A9 29 D0 99 09 14 06 A5 E3 8B 72 7B [msg] After CAM: 3E 4F 40 73 D1 31 E9 B8 02 C8 99 BC FD AC 19 4B MIC tag : 3E 4F 40 73 D1 31 E9 B8 CTR Start: 01 00 0F 85 CD 99 5C 97 B1 60 B6 A3 1C 1C 00 01 CTR[0001]: 04 6F 42 2C 8F 52 FB 9B 06 A3 3B 9F B7 F0 A6 00 CTR[0002]: 34 76 51 DB 89 10 FB E6 73 E8 56 6E DB 66 47 5D CTR[MIC ]: 9F EC 93 6C 5C 7A AD 0F Total packet length = 41. [Encrypted] 24 AA 1B F9 A5 CD 87 61 82 A2 50 74 22 2A D6 32 FA 31 D6 AF 97 0C 34 5F 7E 77 CA 3B D0 DC 25 B3 40 A1 A3 D3 1F 8D 4B 44 B7 Kato & Kanda ExpiresSeptember 20,December 26, 2008 [Page 25] Internet-Draft Camellia-CTR and Camellia-CCM algorithmsMarchJune 2008 =============== Packet Vector #19 ================== CAM Key: D7 5C 27 78 07 8C A9 3D 97 1F 96 FD E7 20 F4 CD Nonce = 00 C2 9B 2C AA C4 CD B1 60 B6 A3 1C 1C Total packet length = 31. [Input (8 cleartext header octets)] 69 19 46 B9 CA 07 BE 87 07 01 35 A6 43 7C 9D B1 20 CD 61 D8 F6 C3 9C 3E A1 25 FD 95 A0 D2 3D CBC IV in: 61 00 C2 9B 2C AA C4 CD B1 60 B6 A3 1C 1C 00 17 CBC IV out:74 AD F8 04 05 2A 48 E7 46 97 38 D5 BA A1 27 79 After xor: 74 A5 91 1D 43 93 82 E0 F8 10 38 D5 BA A1 27 79 [hdr] After CAM: BD C3 B1 41 1C 64 C8 B3 A9 DC 6A 94 78 97 88 E2 After xor: BA C2 84 E7 5F 18 55 02 89 11 0B 4C 8E 54 14 DC [msg] After CAM: 7D 6C 8A BF AD 68 48 D8 C5 FB CD 1E AF F2 44 99 After xor: DC 49 77 2A 0D BA 75 D8 C5 FB CD 1E AF F2 44 99 [msg] After CAM: 19 99 AB 92 5E 30 46 96 3D EF FB 1B 4C 87 F7 76 MIC tag : 19 99 AB 92 5E 30 46 96 3D EF CTR Start: 01 00 C2 9B 2C AA C4 CD B1 60 B6 A3 1C 1C 00 01 CTR[0001]: 02 B9 D4 1F 87 E0 60 E7 EF DE 6B 7E D3 DE 5E D2 CTR[0002]: 61 49 31 C5 2F 34 AA 47 A3 E4 D3 2C 0B 36 41 C6 CTR[MIC ]: B9 9F C6 C5 96 7B AA 8E 1A 87 Total packet length = 41. [Encrypted] 69 19 46 B9 CA 07 BE 87 05 B8 E1 B9 C4 9C FD 56 CF 13 0A A6 25 1D C2 EC C0 6C CC 50 8F E6 97 A0 06 6D 57 C8 4B EC 18 27 68 =============== Packet Vector #20 ================== CAM Key: D7 5C 27 78 07 8C A9 3D 97 1F 96 FD E7 20 F4 CD Nonce = 00 2C 6B 75 95 EE 62 B1 60 B6 A3 1C 1C Total packet length = 32. [Input (8 cleartext header octets)] D0 C5 4E CB 84 62 7D C4 C8 C0 88 0E 6C 63 6E 20 09 3D D6 59 42 17 D2 E1 88 77 DB 26 4E 71 A5 CC CBC IV in: 61 00 2C 6B 75 95 EE 62 B1 60 B6 A3 1C 1C 00 18 CBC IV out:35 A9 48 70 F9 B0 C7 85 FB 32 1A D1 3C 8C A4 9A After xor: 35 A1 98 B5 B7 7B 43 E7 86 F6 1A D1 3C 8C A4 9A [hdr] After CAM: 0A 3C E3 0F AC 09 DC 5C 00 10 5C 69 AC 19 F7 19 After xor: C2 FC 6B 01 C0 6A B2 7C 09 2D 8A 30 EE 0E 25 F8 [msg] After CAM: 61 CD 80 D0 72 E6 84 E1 BF E1 4A 00 27 2A 4D 96 After xor: E9 BA 5B F6 3C 97 21 2D BF E1 4A 00 27 2A 4D 96 [msg] After CAM: E5 F9 F2 AB 47 FD 7B 8D 6F 72 F4 72 74 D7 69 BB MIC tag : E5 F9 F2 AB 47 FD 7B 8D 6F 72 CTR Start: 01 00 2C 6B 75 95 EE 62 B1 60 B6 A3 1C 1C 00 01 CTR[0001]: 9C 0E 31 66 B2 81 58 31 5E 63 16 5A 9D BD CE 35 CTR[0002]: 00 3E 66 D3 E0 5F 7E A7 EF C8 9A 5F DD 39 E3 54 CTR[MIC ]: 9A 5E 87 1A 17 10 38 0E AA DB Total packet length = 42. [Encrypted] D0 C5 4E CB 84 62 7D C4 54 CE B9 68 DE E2 36 11 57 5E C0 03 DF AA 1C D4 88 49 BD F5 AE 2E DB 6B 7F A7 75 B1 50 ED 43 83 C5 A9 Kato & Kanda ExpiresSeptember 20,December 26, 2008 [Page 26] Internet-Draft Camellia-CTR and Camellia-CCM algorithmsMarchJune 2008 =============== Packet Vector #21 ================== CAM Key: D7 5C 27 78 07 8C A9 3D 97 1F 96 FD E7 20 F4 CD Nonce = 00 C5 3C D4 C2 AA 24 B1 60 B6 A3 1C 1C Total packet length = 33. [Input (8 cleartext header octets)] E2 85 E0 E4 80 8C DA 3D F7 5D AA 07 10 C4 E6 42 97 79 4D C2 B7 D2 A2 07 57 B1 AA 4E 44 80 02 FF AB CBC IV in: 61 00 C5 3C D4 C2 AA 24 B1 60 B6 A3 1C 1C 00 19 CBC IV out:2A 3C 23 B2 43 F5 1C 35 F7 79 5A CB 3B 20 21 2F After xor: 2A 34 C1 37 A3 11 9C B9 2D 44 5A CB 3B 20 21 2F [hdr] After CAM: A1 7E AD 4C EE AB 51 21 1D 2A 32 F2 D4 45 A6 D6 After xor: 56 23 07 4B FE 6F B7 63 8A 53 7F 30 63 97 04 D1 [msg] After CAM: A9 A1 32 55 8F C6 9B 98 A9 CC 23 96 FE CA 84 EB After xor: FE 10 98 1B CB 46 99 67 02 CC 23 96 FE CA 84 EB [msg] After CAM: 6A 5E 04 42 D1 A5 7E 17 9A 6C 8B 56 F7 19 80 C5 MIC tag : 6A 5E 04 42 D1 A5 7E 17 9A 6C CTR Start: 01 00 C5 3C D4 C2 AA 24 B1 60 B6 A3 1C 1C 00 01 CTR[0001]: 46 1D EF 41 AF A2 94 52 5D 51 AE CB 04 49 74 CD CTR[0002]: 29 2E 62 66 1B 66 9A 2B 97 72 6B 77 32 A8 DC 35 CTR[MIC ]: B8 54 06 A2 6C 6F 93 37 8A BF Total packet length = 43. [Encrypted] E2 85 E0 E4 80 8C DA 3D B1 40 45 46 BF 66 72 10 CA 28 E3 09 B3 9B D6 CA 7E 9F C8 28 5F E6 98 D4 3C D2 0A 02 E0 BD CA ED 20 10 D3 =============== Packet Vector #22 ================== CAM Key: D7 5C 27 78 07 8C A9 3D 97 1F 96 FD E7 20 F4 CD Nonce = 00 BE E9 26 7F BA DC B1 60 B6 A3 1C 1C Total packet length = 31. [Input (12 cleartext header octets)] 6C AE F9 94 11 41 57 0D 7C 81 34 05 C2 38 82 2F AC 5F 98 FF 92 94 05 B0 AD 12 7A 4E 41 85 4E CBC IV in: 61 00 BE E9 26 7F BA DC B1 60 B6 A3 1C 1C 00 13 CBC IV out:20 60 6A D1 E1 A0 84 52 2F A3 8B F4 88 1D D6 8B After xor: 20 6C 06 7F 18 34 95 13 78 AE F7 75 BC 18 D6 8B [hdr] After CAM: 71 FD FF E7 D9 C8 95 75 D3 EC 0B 7E 7B 8B BE E7 After xor: B3 C5 7D C8 75 97 0D 8A 41 78 0E CE D6 99 C4 A9 [msg] After CAM: CA AD 93 9C 59 BA 40 AA 1A 0B 88 1B EE 3D 3C 65 After xor: 8B 28 DD 9C 59 BA 40 AA 1A 0B 88 1B EE 3D 3C 65 [msg] After CAM: DC 48 8F AA 9C 75 E7 03 17 56 C2 C7 48 48 8D 1B MIC tag : DC 48 8F AA 9C 75 E7 03 17 56 CTR Start: 01 00 BE E9 26 7F BA DC B1 60 B6 A3 1C 1C 00 01 CTR[0001]: 56 F0 17 B3 BD 09 02 D6 EA A5 A2 91 AD 4A 2D E5 CTR[0002]: 20 3D 34 21 EF 5B F8 FC 7B 21 5C 76 7B A5 21 A6 CTR[MIC ]: F1 A2 86 9C 2A 9E B8 61 48 0B Total packet length = 41. [Encrypted] 6C AE F9 94 11 41 57 0D 7C 81 34 05 94 C8 95 9C 11 56 9A 29 78 31 A7 21 00 58 57 AB 61 B8 7A 2D EA 09 36 B6 EB 5F 62 5F 5D Kato & Kanda ExpiresSeptember 20,December 26, 2008 [Page 27] Internet-Draft Camellia-CTR and Camellia-CCM algorithmsMarchJune 2008 =============== Packet Vector #23 ================== CAM Key: D7 5C 27 78 07 8C A9 3D 97 1F 96 FD E7 20 F4 CD Nonce = 00 DF A8 B1 24 50 07 B1 60 B6 A3 1C 1C Total packet length = 32. [Input (12 cleartext header octets)] 36 A5 2C F1 6B 19 A2 03 7A B7 01 1E 4D BF 3E 77 4A D2 45 E5 D5 89 1F 9D 1C 32 A0 AE 02 2C 85 D7 CBC IV in: 61 00 DF A8 B1 24 50 07 B1 60 B6 A3 1C 1C 00 14 CBC IV out:78 FD B6 AF 61 9E 1C 8D 82 41 17 A8 73 60 1B 70 After xor: 78 F1 80 0A 4D 6F 77 94 20 42 6D 1F 72 7E 1B 70 [hdr] After CAM: 62 2E 28 65 92 43 DB 82 88 79 09 1E A7 24 54 67 After xor: 2F 91 16 12 D8 91 9E 67 5D F0 16 83 BB 16 F4 C9 [msg] After CAM: 95 0E 52 08 FF 16 70 8C 1E D9 BB 06 3E 1E 41 CF After xor: 97 22 D7 DF FF 16 70 8C 1E D9 BB 06 3E 1E 41 CF [msg] After CAM: BA CD 51 FC 77 F4 02 8D 47 D5 7D 54 7D 46 33 4B MIC tag : BA CD 51 FC 77 F4 02 8D 47 D5 CTR Start: 01 00 DF A8 B1 24 50 07 B1 60 B6 A3 1C 1C 00 01 CTR[0001]: 15 D6 DD DD 98 96 39 91 35 75 1A 64 B8 D8 D4 F9 CTR[0002]: 7D 61 6D 1D EB 92 00 2B 6F FA AB 53 BC AF 69 89 CTR[MIC ]: 33 E9 27 BE E1 59 06 9C DB 32 Total packet length = 42. [Encrypted] 36 A5 2C F1 6B 19 A2 03 7A B7 01 1E 58 69 E3 AA D2 44 7C 74 E0 FC 05 F9 A4 EA 74 57 7F 4D E8 CA 89 24 76 42 96 AD 04 11 9C E7 =============== Packet Vector #24 ================== CAM Key: D7 5C 27 78 07 8C A9 3D 97 1F 96 FD E7 20 F4 CD Nonce = 00 3B 8F D8 D3 A9 37 B1 60 B6 A3 1C 1C Total packet length = 33. [Input (12 cleartext header octets)] A4 D4 99 F7 84 19 72 8C 19 17 8B 0C 9D C9 ED AE 2F F5 DF 86 36 E8 C6 DE 0E ED 55 F7 86 7E 33 33 7D CBC IV in: 61 00 3B 8F D8 D3 A9 37 B1 60 B6 A3 1C 1C 00 15 CBC IV out:84 E6 CF DD 6A 37 68 5D E6 71 AD 54 B3 BE FE B9 After xor: 84 EA 6B 09 F3 C0 EC 44 94 FD B4 43 38 B2 FE B9 [hdr] After CAM: C5 0F A0 62 20 18 F1 21 0E BC 3D 2E 47 B7 B8 C3 After xor: 58 C6 4D CC 0F ED 2E A7 38 54 FB F0 49 5A ED 34 [msg] After CAM: C4 6F 6D C3 17 3C 2A 7A 81 FC 2D DA 7F B7 C6 60 After xor: 42 11 5E F0 6A 3C 2A 7A 81 FC 2D DA 7F B7 C6 60 [msg] After CAM: DF AB 2E 76 B0 67 50 B3 7C DD 9A AC F3 79 17 71 MIC tag : DF AB 2E 76 B0 67 50 B3 7C DD CTR Start: 01 00 3B 8F D8 D3 A9 37 B1 60 B6 A3 1C 1C 00 01 CTR[0001]: D6 D0 6C F8 16 CE D0 F1 A0 E0 AC 71 BA B9 AD 34 CTR[0002]: 76 4A FF 9A 1B F8 55 1F 68 54 39 0A EE 37 24 28 CTR[MIC ]: 4B F4 31 B8 17 86 4B 5D 16 F2 Total packet length = 43. [Encrypted] A4 D4 99 F7 84 19 72 8C 19 17 8B 0C 4B 19 81 56 39 3B 0F 77 96 08 6A AF B4 54 F8 C3 F0 34 CC A9 66 94 5F 1F CE A7 E1 1B EE 6A 2F Kato & Kanda ExpiresSeptember 20,December 26, 2008 [Page 28] Internet-Draft Camellia-CTR and Camellia-CCM algorithmsMarchJune 2008 5. Security Considerations Camellia-CTR and Camellia-CCMemploys counter (CTR)employ CTR mode for confidentiality. If a counter value is ever used for more that one packet with the same key, then the same key stream will be used to encrypt both packets, and the confidentiality guarantees are voided. What happens if the encryptor XORs the same key stream with two different packet plaintexts? Suppose two packets are defined by two plaintext byte sequencesP1, P2, P3 and Q1, Q2, Q3,P_1, P_2, P_3 and Q_1, Q_2, Q_3, then both are encrypted with key streamK1, K2, K3.K_1, K_2, K_3. The two corresponding ciphertexts are:(P1(P_1 XORK1), (P2K_1), (P_2 XORK2), (P3K_2), (P_3 XORK3) (Q1K_3) (Q_1 XORK1), (Q2K_1), (Q_2 XORK2), (Q3K_2), (Q_3 XORK3)K_3) If both of these two ciphertext streams are exposed to an attacker, then a catastrophic failure of confidentiality results, because:(P1(P_1 XORK1)K_1) XOR(Q1(Q_1 XORK1)K_1) =P1P_1 XORQ1 (P2Q_1 (P_2 XORK2)K_2) XOR(Q2(Q_2 XORK2)K_2) =P2P_2 XORQ2 (P3Q_2 (P_3 XORK3)K_3) XOR(Q3(Q_3 XORK3)K_3) =P3P_3 XORQ3Q_3 Once the attacker obtains the two plaintexts XORed together, it is relatively straightforward to separate them. Thus, using any stream cipher, including Camellia-CTR, to encrypt two plaintexts under the same key stream leaks the plaintext. Kato & Kanda ExpiresSeptember 20,December 26, 2008 [Page 29] Internet-Draft Camellia-CTR and Camellia-CCM algorithmsMarchJune 2008 6. IANA Considerations There are no IANA assignments to be performed. Kato & Kanda ExpiresSeptember 20,December 26, 2008 [Page 30] Internet-Draft Camellia-CTR and Camellia-CCM algorithmsMarchJune 2008 7. Acknowledgments This document includes text borrowed from RFC3610.3610 [14]. Kato & Kanda ExpiresSeptember 20,December 26, 2008 [Page 31] Internet-Draft Camellia-CTR and Camellia-CCM algorithmsMarchJune 2008 8. References 8.1. Normative [1] Matsui, M., Nakajima, J., and S. Moriai, "A Description of the Camellia Encryption Algorithm", RFC 3713, April 2004. [2] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. 8.2. Informative [3] National Institute of Standards and Technology, "Advanced Encryption Standard (AES)", FIPS PUB 197, November 2001, <http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf>. [4] Kato, A., Moriai, S., and M. Kanda, "The Camellia Cipher Algorithm and Its Use With IPsec", RFC 4312, December 2005. [5] Moriai, S., Kato, A., and M. Kanda, "Addition of Camellia Cipher Suites to Transport Layer Security (TLS)", RFC 4132, July 2005. [6] Moriai, S. and A. Kato, "Use of the Camellia Encryption Algorithm in Cryptographic Message Syntax (CMS)", RFC 3657, January 2004. [7] Eastlake, D., "Additional XML Security Uniform Resource Identifiers (URIs)", RFC 4051, April 2005. [8] International Organization for Standardization, "Information technology - Security techniques - Encryption algorithms - Part 3: Block ciphers", ISO/IEC 18033-3, July 2005. [9] "The NESSIE project (New European Schemes for Signatures, Integrity and Encryption)", <http://www.cosic.esat.kuleuven.ac.be/nessie/>. [10] Information-technology Promotion Agency (IPA), "Cryptography Research and Evaluation Committees", <http://www.ipa.go.jp/security/enc/CRYPTREC/index-e.html>. [11] "Camellia open source software", <http://info.isl.ntt.co.jp/crypt/eng/camellia/source.html>. [12] "Camellia web site", <http://info.isl.ntt.co.jp/camellia/>. [13] Dworkin, M., "Recommendation for Block Cipher Modes of Kato & Kanda Expires December 26, 2008 [Page 32] Internet-Draft Camellia-CTR and Camellia-CCM algorithms June 2008 Operation - Methods and Techniques", NIST Special Publication 800-38A,NovemberDecember 2001, <http://csrc.nist.gov/ publications/nistpubs/800-38a/sp800-38a.pdf>.[12][14] Whiting, D., Housley, R., and N. Ferguson, "Counter with CBC-Kato & Kanda Expires September 20, 2008 [Page 32] Internet-Draft Camellia-CTR and Camellia-CCM algorithms March 2008MAC (CCM)", RFC 3610, September 2003.[13][15] National Institute of Standards and Technology, "Recommendation for Block Cipher Modes Operation : The CCM Mode for Authentication and Confidentiality", May 2004, <http:// csrc.nist.gov/publications/nistpubs/800-38C/SP800-38C.pdf>. [16] National Institute of Standards and Technology, "Computer Data Authentication", FIPS PUB 113, May 1985, <http://www.itl.nist.gov/fipspubs/fip113.htm>. Kato & Kanda ExpiresSeptember 20,December 26, 2008 [Page 33] Internet-Draft Camellia-CTR and Camellia-CCM algorithmsMarch 2008 URIs [14] <http://info.isl.ntt.co.jp/crypt/eng/camellia/source.html> [15] <http://info.isl.ntt.co.jp/camellia/> Kato & Kanda Expires September 20, 2008 [Page 34] Internet-Draft Camellia-CTR and Camellia-CCM algorithms MarchJune 2008 Authors' Addresses Akihiro Kato NTT Software Corporation Phone: +81-45-212-7577 Fax:+81-45-212-7800+81-45-212-9800 Email: akato@po.ntts.co.jp Masayuki Kanda Nippon Telegraph and Telephone Corporation Phone: +81-422-59-3456 Fax: +81-422-59-4015 Email: kanda.masayuki@lab.ntt.co.jp Kato & Kanda ExpiresSeptember 20,December 26, 2008 [Page35]34] Internet-Draft Camellia-CTR and Camellia-CCM algorithmsMarchJune 2008 Full Copyright Statement Copyright (C) The IETF Trust (2008). This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights. This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Intellectual Property The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79. Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr. The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org. Kato & Kanda ExpiresSeptember 20,December 26, 2008 [Page36]35] ----