idnits 2.17.1 

draft-kato-camellia-ctrccm-03.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** It looks like you're using RFC 3978 boilerplate.  You should update this
     to the boilerplate described in the IETF Trust License Policy document
     (see https://trustee.ietf.org/license-info), which is required now.

  -- Found old boilerplate from RFC 3978, Section 5.1 on line 17.

  -- Found old boilerplate from RFC 3978, Section 5.5, updated by RFC 4748 on
     line 1406.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 1417.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 1424.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 1430.


  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** There are 2 instances of too long lines in the document, the longest one
     being 4 characters in excess of 72.


  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust Copyright Line does not match the
     current year

  == Line 382 has weird spacing: '...encrypt  l(m) ...'

  -- The document seems to lack a disclaimer for pre-RFC5378 work, but may
     have content which was first submitted before 10 November 2008.  If you
     have contacted all the original authors and they are all willing to grant
     the BCP78 rights to the IETF Trust, then this is fine, and you can ignore
     this comment.  If not, you may need to add the pre-RFC5378 disclaimer. 
     (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- The document date (August 5, 2008) is 5736 days in the past.  Is this
     intentional?


  Checking references for intended status: Informational
  ----------------------------------------------------------------------------

  == Missing Reference: '0001' is mentioned on line 1263, but not defined

  == Missing Reference: '0002' is mentioned on line 1264, but not defined

  -- Looks like a reference, but probably isn't: 'Encrypted' on line 1266

  -- Obsolete informational reference (is this intentional?): RFC 4132 (ref.
     '5') (Obsoleted by RFC 5932)

  -- Obsolete informational reference (is this intentional?): RFC 4051 (ref.
     '7') (Obsoleted by RFC 6931)


     Summary: 2 errors (**), 0 flaws (~~), 4 warnings (==), 10 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------


2	Network Working Group                                            A. Kato
3	Internet-Draft                                  NTT Software Corporation
4	Intended status: Informational                                  M. Kanda
5	Expires: February 6, 2009                 Nippon Telegraph and Telephone
6	                                                             Corporation
7	                                                          August 5, 2008

9	Camellia Counter mode and Camellia Counter with CBC Mac mode algorithms
10	                     draft-kato-camellia-ctrccm-03

12	Status of this Memo

14	   By submitting this Internet-Draft, each author represents that any
15	   applicable patent or other IPR claims of which he or she is aware
16	   have been or will be disclosed, and any of which he or she becomes
17	   aware will be disclosed, in accordance with Section 6 of BCP 79.

19	   Internet-Drafts are working documents of the Internet Engineering
20	   Task Force (IETF), its areas, and its working groups.  Note that
21	   other groups may also distribute working documents as Internet-
22	   Drafts.

24	   Internet-Drafts are draft documents valid for a maximum of six months
25	   and may be updated, replaced, or obsoleted by other documents at any
26	   time.  It is inappropriate to use Internet-Drafts as reference
27	   material or to cite them other than as "work in progress."

29	   The list of current Internet-Drafts can be accessed at
30	   http://www.ietf.org/ietf/1id-abstracts.txt.

32	   The list of Internet-Draft Shadow Directories can be accessed at
33	   http://www.ietf.org/shadow.html.

35	   This Internet-Draft will expire on February 6, 2009.

37	Abstract

39	   This document describes the algorithms and test vectors of Camellia
40	   block cipher algorithm in Counter mode and Counter with Cipher Block
41	   Chaining MAC mode.  The purpose of this document is to make the
42	   Camellia-CTR and Camellia-CCM algorithm conveniently available to the
43	   Internet Community.

45	Table of Contents

47	   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
48	     1.1.  Terminology  . . . . . . . . . . . . . . . . . . . . . . .  3
49	   2.  The Camellia Cipher Algorithm  . . . . . . . . . . . . . . . .  5
50	     2.1.  Key Size . . . . . . . . . . . . . . . . . . . . . . . . .  5
51	     2.2.  Weak Keys  . . . . . . . . . . . . . . . . . . . . . . . .  5
52	     2.3.  Block Size and Padding . . . . . . . . . . . . . . . . . .  5
53	     2.4.  Performance  . . . . . . . . . . . . . . . . . . . . . . .  5
54	   3.  Modes of Operation . . . . . . . . . . . . . . . . . . . . . .  6
55	     3.1.  Definitions  . . . . . . . . . . . . . . . . . . . . . . .  6
56	     3.2.  Counter  . . . . . . . . . . . . . . . . . . . . . . . . .  7
57	       3.2.1.  Camellia-CTR . . . . . . . . . . . . . . . . . . . . .  7
58	     3.3.  Counter with CBC-MAC . . . . . . . . . . . . . . . . . . .  9
59	       3.3.1.  Two main parameters  . . . . . . . . . . . . . . . . .  9
60	       3.3.2.  Inputs . . . . . . . . . . . . . . . . . . . . . . . .  9
61	       3.3.3.  Authentication . . . . . . . . . . . . . . . . . . . . 10
62	       3.3.4.  Encryption . . . . . . . . . . . . . . . . . . . . . . 12
63	       3.3.5.  Output . . . . . . . . . . . . . . . . . . . . . . . . 13
64	       3.3.6.  Decryption and Authentication Checking . . . . . . . . 13
65	   4.  Test Vectors . . . . . . . . . . . . . . . . . . . . . . . . . 14
66	     4.1.  Camellia-CTR . . . . . . . . . . . . . . . . . . . . . . . 14
67	     4.2.  Camellia-CCM . . . . . . . . . . . . . . . . . . . . . . . 16
68	   5.  Security Considerations  . . . . . . . . . . . . . . . . . . . 29
69	   6.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 30
70	   7.  Acknowledgments  . . . . . . . . . . . . . . . . . . . . . . . 31
71	   8.  References . . . . . . . . . . . . . . . . . . . . . . . . . . 32
72	     8.1.  Normative  . . . . . . . . . . . . . . . . . . . . . . . . 32
73	     8.2.  Informative  . . . . . . . . . . . . . . . . . . . . . . . 32
74	   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 34
75	   Intellectual Property and Copyright Statements . . . . . . . . . . 35

77	1.  Introduction

79	   This document describes the use of the Camellia block cipher
80	   algorithm in Counter (CTR) mode and Counter with CBC-MAC (CCM) mode.

82	   Camellia is a symmetric cipher with a Feistel structure.  Camellia
83	   was developed jointly by NTT and Mitsubishi Electric Corporation in
84	   2000.  It was designed to withstand all known cryptanalytic attacks,
85	   and it has been scrutinized by worldwide cryptographic experts.
86	   Camellia is suitable for implementation in software and hardware,
87	   offering encryption speed in software and hardware implementations
88	   that is comparable to Advanced Encryption Standard (AES) [3].

90	   Camellia supports 128-bit block size and 128-, 192-, and 256-bit key
91	   lengths, i.e., the same interface specifications as the AES.
92	   Therefore, it is easy to implement Camellia based algorithms by
93	   replacing the AES block of AES based algorithms with a Camellia
94	   block.

96	   Camellia already has been adopted by the IETF and other international
97	   standardization organizations; in particular, the IETF has published
98	   specifications for the use of Camellia with IPsec [4], TLS [5],
99	   S/MIME [6] and XML [7].  Camellia is one of the three ISO/IEC
100	   international standard [8] 128-bit block ciphers (Camellia, AES, and
101	   SEED).  Camellia was selected as a recommended cryptographic
102	   primitive by the EU NESSIE (New European Schemes for Signatures,
103	   Integrity and Encryption) project [9] and was included in the list of
104	   cryptographic techniques for Japanese e-Government systems that was
105	   selected by the Japanese CRYPTREC (Cryptography Research and
106	   Evaluation Committees) [10].

108	   Since optimized source code is provided under several open source
109	   licenses [11], Camellia is also adopted by several open source
110	   projects (OpenSSL, FreeBSD, Linux, and Firefox).

112	   The algorithm specification and object identifiers are described in
113	   [1].

115	   The Camellia web site [12] contains a wealth of information about
116	   Camellia, including detailed specification, security analysis,
117	   performance figures, reference implementation, optimized
118	   implementation, test vectors (TVs), and intellectual property
119	   information.

121	1.1.  Terminology

123	   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
124	   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
125	   document are to be interpreted as described in [2].

127	   All multi-octet values in this document are encoded and represented
128	   in network byte order, i.e., most significant octet first.

130	2.  The Camellia Cipher Algorithm

132	   All symmetric block cipher algorithms share common characteristics
133	   and variables, including mode, key size, weak keys, block size, and
134	   rounds.  The following sections contain descriptions of the relevant
135	   characteristics of Camellia.

137	   The algorithm specification and object identifiers are described in
138	   [1].

140	2.1.  Key Size

142	   Camellia supports three key sizes: 128 bits, 192 bits, and 256 bits.
143	   The default key size is 128 bits, and all implementations MUST
144	   support this key size.  Implementations MAY also support key sizes of
145	   192 bits and 256 bits.

147	   Camellia uses a different number of rounds for each of the defined
148	   key sizes.  When a 128-bit key is used, implementations MUST use 18
149	   rounds.  When 192- and 256-bit key are used, implementations MUST use
150	   24 rounds.

152	2.2.  Weak Keys

154	   At the time of writing this document there are no known weak keys for
155	   Camellia.

157	2.3.  Block Size and Padding

159	   Camellia uses a block size of 16 octets (128 bits).

161	   Padding is required by the algorithm to maintain a 16-octet (128-bit)
162	   block size.  Padding MUST be added such that the data to be encrypted
163	   (which includes the ESP Pad Length and Next Header fields) has a
164	   length that is a multiple of 16 octets.

166	   Because of the algorithm specific padding requirement, no additional
167	   padding is required to ensure that the ciphertext terminates on a
168	   4-octet boundary (i.e. maintaining a 16-octet block size guarantees
169	   that the ESP Pad Length and Next Header fields will be right aligned
170	   within a 4-octet word).  Additional padding MAY be included as long
171	   as the 16-octet block size is maintained.

173	2.4.  Performance

175	   Performance figures for Camellia are available at [12].  The NESSIE
176	   project has reported on the performance of optimized implementations
177	   independently [9].

179	3.  Modes of Operation

181	   Camellia Counter (Camellia-CTR) mode and Camellia Counter with CBC-
182	   MAC (Camellia-CCM) mode are discussed in this specification.

184	   CTR mode [13] behaves like a stream cipher, but is based on a block
185	   cipher primitive (that is, CTR mode operation of a block cipher
186	   results in a stream cipher).

188	   CCM mode [14][15] is a generic authenticate-and-encrypt block cipher
189	   mode.  In this specification, CCM is used with the Camellia [1] block
190	   cipher.

192	3.1.  Definitions

194	   l(X)      Octet length of variable X.

196	   K         Camellia key.  Valid values of l(K) are 16, 24 and 32.

198	   Camellia(K, X)
199	             Output of the Camellia encryption algorithm under the fresh
200	             key K applied to the data block X.

202	   N         Nonce.

204	   PT[n]     n-th plaintext block, obtained by splitting the plaintext
205	             into 128-bit units.

207	   CT[n]     n-th ciphertext block, obtained by splitting the ciphertext
208	             into 128-bit units.

210	   X || Y    Concatenation of two octet strings X and Y.

212	   X XOR Y   Bitwise exclusive-OR of two octet strings X and Y of the
213	             same length.

215	   M         Number of octets in the authentication field.  Valid values
216	             of M are 4, 6, 8, 10, 12, 14, and 16.

218	   M'        3-bit number calculated as M/2-1.

220	   L         Number of octets in the length field.  Valid values are
221	             from 2 to 8.  This number limits the maximum length of the
222	             message and the length of N.

224	   L'        3-bit number calculated as L-1.

226	   m         Message to authenticate and encrypt. l(m) < 2^(8*L).

228	   AAD       Additional authenticated data. 0 =< l(AAD) < 2^64.

230	3.2.  Counter

232	3.2.1.  Camellia-CTR

234	   Camellia-CTR requires the encryptor to generate a unique per-packet
235	   value, and communicate this value to the decryptor.  This
236	   specification calls this per-packet value an initialization vector
237	   (IV).  The same IV and key combination MUST NOT be used more than
238	   once.  The encryptor can generate the IV in any manner that ensures
239	   uniqueness.  Common approaches to IV generation include incrementing
240	   a counter for each packet and linear feedback shift registers
241	   (LFSRs).

243	   This specification calls for the use of a nonce for additional
244	   protection against precomputation attacks.  The nonce value need not
245	   be secret.  However, the nonce MUST be unpredictable prior to the
246	   establishment of the IPsec security association that is making use of
247	   Camellia-CTR.

249	   Camellia-CTR has many properties that make it an attractive
250	   encryption algorithm for use in high-speed networking.  Camellia-CTR
251	   uses the Camellia block cipher to behave like a stream cipher.  Data
252	   is encrypted and decrypted by XORing with the key stream produced by
253	   Camellia encrypting sequential counter block values.  Camellia-CTR is
254	   easy to implement, and Camellia-CTR can be pipelined and
255	   parallelized.  Camellia-CTR also supports key stream precomputation.

257	   Pipelining is possible because Camellia has multiple rounds (see
258	   Section 2.).  A hardware implementation (and some software
259	   implementations) can create a pipeline by unwinding the loop implied
260	   by this round structure.  For example, after a 16-octet block has
261	   been input, one round later another 16-octet block can be input, and
262	   so on.  In Camellia-CTR, these inputs are the sequential counter
263	   block values used to generate the key stream.

265	   Multiple independent Camellia encrypt implementations can also be
266	   used to improve performance.  For example, one could use two Camellia
267	   encrypt implementations in parallel, to process a sequence of counter
268	   block values, doubling the effective throughput.

270	   The sender can precompute the key stream.  Since the key stream does
271	   not depend on any data in the packet, the key stream can be
272	   precomputed once the nonce and IV are assigned.  This precomputation
273	   can reduce packet latency.  The receiver cannot perform similar
274	   precomputation because the IV will not be known before the packet
275	   arrives.

277	   When used correctly, Camellia-CTR provides a high level of
278	   confidentiality.  Unfortunately, Camellia-CTR is easy to use
279	   incorrectly.  Being a stream cipher, any reuse of the per-packet
280	   value, called the IV, with the same nonce and key is catastrophic.
281	   An IV collision immediately leaks information about the plaintext in
282	   both packets.  For this reason, it is inappropriate to use this mode
283	   of operation with static keys.  Extraordinary measures would be
284	   needed to prevent reuse of an IV value with the static key across
285	   power cycles.  To be safe, implementations MUST use fresh keys with
286	   Camellia-CTR.

288	   With Camellia-CTR, it is trivial to use a valid ciphertext to forge
289	   other (valid to the decryptor) ciphertexts.  Thus, it is equally
290	   catastrophic to use Camellia-CTR without a companion authentication
291	   function.  Implementations MUST use Camellia-CCM in such case.

293	   To encrypt a payload with Camellia-CTR, the encryptor partitions the
294	   plaintext, PT, into 128-bit blocks.  The final block need not be 128
295	   bits; it can be less.

297	         PT = PT[1] || PT[2] || ... || PT[n]

299	   Each PT block is XORed with a block of the key stream to generate the
300	   ciphertext, CT.  The Camellia encryption of each counter block
301	   results in 128 bits of key stream.  The most significant 96 bits of
302	   the counter block are set to the nonce value, which is 32 bits,
303	   followed by the per-packet IV value, which is 64 bits.  The constant
304	   ONE represents the initial value 1 of the 32-bit counter.  This
305	   counter value is incremented by one to generate subsequent counter
306	   blocks, each resulting in another 128 bits of key stream.  The
307	   encryption of n plaintext blocks can be summarized as:

309	         CTRBLK := N || IV || ONE
310	         FOR i := 1 to n-1 DO
311	           CT[i] := PT[i] XOR Camellia(K, CTRBLK)
312	           CTRBLK := CTRBLK + 1
313	         END
314	         CT[n] := PT[n] XOR TRUNC(Camellia(K, CTRBLK))

316	   The TRUNC() function truncates the output of the Camellia encrypt
317	   operation to the same length as the final plaintext block, returning
318	   the most significant bits.

320	   Decryption is similar.  The decryption of n ciphertext blocks can be
321	   summarized as:

323	         CTRBLK := N || IV || ONE
324	         FOR i := 1 to n-1 DO
325	           PT[i] := CT[i] XOR Camellia(K, CTRBLK)
326	           CTRBLK := CTRBLK + 1
327	         END
328	         PT[n] := CT[n] XOR TRUNC(Camellia(K, CTRBLK))

330	3.3.  Counter with CBC-MAC

332	3.3.1.  Two main parameters

334	   For the generic CCM mode, there are two parameter choices.  The first
335	   choice is M, the size of the authentication field.  The choice of the
336	   value for M involves a trade-off between message expansion and the
337	   probability that an attacker can undetectably modify a message.
338	   Valid values are 4, 6, 8, 10, 12, 14, and 16 octets.  The second
339	   choice is L, the size of the length field.  This value requires a
340	   trade-off between the maximum message size and the size of the Nonce.
341	   Different applications require different trade-offs, so L is a
342	   parameter.  Valid values of L range from 2 to 8 (the value L=1 is
343	   reserved).

345	        Name  Description                               Size    Encoding
346	        ----  ----------------------------------------  ------  --------
347	        M     Number of octets in authentication field  3 bits  M/2-1
348	        L     Number of octets in length field          3 bits  L-1

350	3.3.2.  Inputs

352	   To authenticate and encrypt a message, the following information is
353	   required:

355	   1.   An encryption key K suitable for the block cipher.

357	   2.   A nonce N of 15-L octets.  Within the scope of any encryption
358	        key K, the nonce value MUST be unique.  That is, the set of
359	        nonce values used with any given key MUST NOT contain any
360	        duplicate values.  Using the same nonce for two different
361	        messages encrypted with the same key destroys the security
362	        properties of this mode.

364	   3.   The message m, consisting of a string of l(m) octets where 0 <=
365	        l(m) < 2^(8*L).  The length restriction ensures that l(m) can be
366	        encoded in a field of L octets.

368	   4.   The additional authenticated data AAD where 0 <= l(AAD) < 2^64.
369	        This additional data is authenticated but not encrypted, and is
370	        not included in the output of this mode.  It can be used to
371	        authenticate plaintext packet headers, or contextual information
372	        that affects the interpretation of the message.  Users who do
373	        not wish to authenticate additional data can provide a string of
374	        length zero.

376	   The inputs are summarized as:

378	      Name  Description                          Size
379	      ----  -----------------------------------  -----------------------
380	      K     Block cipher key                     Depends on block cipher
381	      N     Nonce                                15-L octets
382	      m     Message to authenticate and encrypt  l(m) octets
383	      AAD   Additional authenticated data        l(AAD) octets

385	3.3.3.  Authentication

387	   The first step is to compute the authentication field T. This is done
388	   using CBC-MAC [16].  We first define a sequence of blocks B_0, B_1,
389	   ..., B_n and then apply CBC-MAC to these blocks.

391	   The first block B_0 is formatted as follows:

393	         Octet Number   Contents
394	         ------------   ---------
395	         0              Flags
396	         1 ... 15-L     Nonce N
397	         16-L ... 15    l(m)

399	   Within the first block B_0, the Flags field is formatted as follows:

401	         Bit Number   Contents
402	         ----------   ----------------------
403	         7            Reserved (always zero)
404	         6            Adata
405	         5 ... 3      M'
406	         2 ... 0      L'

408	   Another way to say the same thing is: Flags = 64*Adata + 8*M' + L'.

410	   The Reserved bit is reserved for future expansions and should always
411	   be set to zero.  The Adata bit is set to zero if l(AAD) = 0, and set
412	   to one if l(AAD) > 0.  The M' field is set to M/2-1.  As M can take
413	   on the even values from 4 to 16, the 3-bit M' field can take on the
414	   values from one to seven.  The 3-bit field MUST NOT have a value of
415	   zero, which would correspond to a 16-bit integrity check value.  The
416	   L' field encodes the size of the length field used to store l(m).
417	   The parameter L can take on the values from 2 to 8 (recall, the value
418	   L=1 is reserved).  This value is encoded in the 3-bit L' field using
419	   the values from one to seven by choosing L' = L-1 (the zero value is
420	   reserved).

422	   If l(AAD) > 0 (as indicated by the Adata field), then one or more
423	   blocks of authentication data are added.  These blocks contain AAD
424	   and are encoded in a reversible manner.  We first construct a string
425	   that encodes l(AAD).

427	   If 0 < l(AAD) < (2^16 - 2^8), then the length field is encoded as two
428	   octets which contain the value l(AAD).

430	   If (2^16 - 2^8) <= l(AAD) < 2^32, then the length field is encoded as
431	   six octets, consisting of the fixed octets 0xff, 0xfe, and four
432	   octets encoding l(AAD).

434	   If 2^32 <= l(AAD) < 2^64, then the length field is encoded as ten
435	   octets, consisting of the octets 0xff, 0xff, and eight octets
436	   encoding l(AAD).

438	   The length encoding conventions are summarized in the following
439	   table.

441	    First two octets   Followed by         Comment
442	    -----------------  ------------------  -------------------------------
443	    0x0000             Nothing             Reserved
444	    0x0001 ... 0xFEFF  Nothing             2 octets of l(AAD),
445	                                           for 0 < l(AAD) < (2^16 - 2^8)
446	    0xFF00 ... 0xFFFD  Nothing             Reserved
447	    0xFFFE             4 octets of l(AAD)  For (2^16 - 2^8) <= l(AAD) < 2^32
448	    0xFFFF             8 octets of l(AAD)  For 2^32 <= l(AAD) < 2^64

450	   The blocks encoding the AAD are formed by concatenating this string
451	   that encodes l(AAD) with AAD itself, and splitting the result into
452	   16-octet blocks, and then padding the last block with zeroes if
453	   necessary.  These blocks are appended to the first block B_0.

455	   After the (optional) additional authentication blocks have been
456	   added, we add the message blocks.  The message blocks are formed by
457	   splitting the message m into 16-octet blocks, and then padding the
458	   last block with zeroes if necessary.  If the message m consists of
459	   the empty string, then no blocks are added in this step.

461	   The result is a sequence of blocks B_0, B_1, ..., B_n.  The CBC-MAC
462	   is computed by:

464	         X_1 := Camellia( K, B_0 )
465	         FOR i:=1 to n DO
466	           X_i+1 := Camellia( K, X_i XOR B_i )
467	         END
468	         T := first-M-bytes( X_n+1 )

470	   where T is the MAC value.  Note that the last block B_n is XORed with
471	   X_n, and the result is encrypted with the block cipher.  If needed,
472	   the ciphertext is truncated to give T.

474	3.3.4.  Encryption

476	   To encrypt the message data we use CTR mode.  We first define the key
477	   stream blocks by:

479	         S_i := Camellia( K, A_i )   for i=0, 1, 2, ...

481	   The values A_i are formatted as follows, where the Counter field i is
482	   encoded:

484	         Octet Number   Contents
485	         ------------   ---------
486	         0              Flags
487	         1 ... 15-L     Nonce N
488	         16-L ... 15    Counter i

490	   The Flags field is formatted as follows:

492	         Bit Number   Contents
493	         ----------   ----------------------
494	         7            Reserved (always zero)
495	         6            Reserved (always zero)
496	         5 ... 3      Zeroes
497	         2 ... 0      L'

499	   Another way say the same thing is: Flags = L'.

501	   The Reserved bits are reserved for future expansions and MUST be set
502	   to zero.  Bit 6 corresponds to the Adata bit in the B_0 block, but as
503	   this bit is not used here, it is reserved and MUST be set to zero.
504	   Bits 3, 4, and 5 are also set to zero, ensuring that all the A blocks
505	   are distinct from B_0, which has the non-zero encoding of M in this
506	   position.  Bits 0, 1, and 2 contain L', using the same encoding as in
507	   B_0.

509	   The message is encrypted by XORing the octets of message m with the
510	   first l(m) octets of the concatenation of S_1, S_2, S_3, ... .  Note
511	   that S_0 is not used to encrypt the message.

513	   The authentication value U is computed by encrypting T with the key
514	   stream block S_0 and truncating it to the desired length.

516	         U := T XOR first-M-bytes( S_0 )

518	3.3.5.  Output

520	   The final result, c, consists of the encrypted message followed by
521	   the encrypted authentication value U.

523	3.3.6.  Decryption and Authentication Checking

525	   To decrypt a message the following information is required:

527	   1.   The encryption key K.

529	   2.   The nonce N.

531	   3.   The additional authenticated data AAD.

533	   4.   The encrypted and authenticated message c.

535	   Decryption starts by recomputing the key stream to recover the
536	   message m and the MAC value T. The message and additional
537	   authentication data is then used to recompute the CBC-MAC value and
538	   check T.

540	   If the T value is not correct, the receiver MUST NOT reveal any
541	   information except for the fact that T is incorrect.  The receiver
542	   MUST NOT reveal the decrypted message, the value T, or any other
543	   information.

545	4.  Test Vectors

547	4.1.  Camellia-CTR

549	   This section contains nine TVs, which can be used to confirm that an
550	   implementation has correctly implemented Camellia-CTR.  The first
551	   three TVs use Camellia with a 128-bit key; the next three TVs use
552	   Camellia with a 192-bit key; and the last three TVs use Camellia with
553	   a 256-bit key.

555	   TV #1: Encrypting 16 octets using Camellia-CTR with 128-bit key
556	   Camellia Key     : AE 68 52 F8 12 10 67 CC 4B F7 A5 76 55 77 F3 9E
557	   Camellia-CTR IV  : 00 00 00 00 00 00 00 00
558	   Nonce            : 00 00 00 30
559	   Plaintext        : 53 69 6E 67 6C 65 20 62 6C 6F 63 6B 20 6D 73 67
560	   Counter Block (1): 00 00 00 30 00 00 00 00 00 00 00 00 00 00 00 01
561	   Key Stream    (1): 83 F4 AC FD EE 71 41 F8 4C E8 1F 1D FB 72 78 58
562	   Ciphertext       : D0 9D C2 9A 82 14 61 9A 20 87 7C 76 DB 1F 0B 3F

564	   TV #2: Encrypting 32 octets using Camellia-CTR with 128-bit key
565	   Camellia Key     : 7E 24 06 78 17 FA E0 D7 43 D6 CE 1F 32 53 91 63
566	   Camellia-CTR IV  : C0 54 3B 59 DA 48 D9 0B
567	   Nonce            : 00 6C B6 DB
568	   Plaintext        : 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
569	                    : 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F
570	   Counter Block (1): 00 6C B6 DB C0 54 3B 59 DA 48 D9 0B 00 00 00 01
571	   Key Stream    (1): DB F2 C5 8E C4 86 90 D3 D2 75 9A 7C 69 B6 C5 4B
572	   Counter Block (2): 00 6C B6 DB C0 54 3B 59 DA 48 D9 0B 00 00 00 02
573	   Key Stream    (2): 3B 9F 9C 1C 25 E5 CA B0 34 6D 0D F8 4F 7D FE 57
574	   Ciphertext       : DB F3 C7 8D C0 83 96 D4 DA 7C 90 77 65 BB CB 44
575	                    : 2B 8E 8E 0F 31 F0 DC A7 2C 74 17 E3 53 60 E0 48

577	   TV #3: Encrypting 36 octets using Camellia-CTR with 128-bit key
578	   Camellia Key     : 76 91 BE 03 5E 50 20 A8 AC 6E 61 85 29 F9 A0 DC
579	   Camellia-CTR IV  : 27 77 7F 3F 4A 17 86 F0
580	   Nonce            : 00 E0 01 7B
581	   Plaintext        : 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
582	                    : 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F
583	                    : 20 21 22 23
584	   Counter Block (1): 00 E0 01 7B 27 77 7F 3F 4A 17 86 F0 00 00 00 01
585	   Key Stream    (1): B1 9C 1D CE CF 70 ED 8F 27 8D 96 E9 41 88 C1 7C
586	   Counter Block (2): 00 E0 01 7B 27 77 7F 3F 4A 17 86 F0 00 00 00 02
587	   Key Stream    (2): 8C F7 59 38 48 88 65 E6 57 34 47 86 D2 85 97 D2
588	   Counter Block (3): 00 E0 01 7B 27 77 7F 3F 4A 17 86 F0 00 00 00 03
589	   Key Stream    (3): FF 71 A4 B5 D8 86 12 53 6A 9D 10 A1 13 0F 14 F8
590	   Ciphertext       : B1 9D 1F CD CB 75 EB 88 2F 84 9C E2 4D 85 CF 73
591	                    : 9C E6 4B 2B 5C 9D 73 F1 4F 2D 5D 9D CE 98 89 CD
592	                    : DF 50 86 96

594	   TV #4: Encrypting 16 octets using Camellia-CTR with 192-bit key
595	   Camellia Key     : 16 AF 5B 14 5F C9 F5 79 C1 75 F9 3E 3B FB 0E ED
596	                    : 86 3D 06 CC FD B7 85 15
597	   Camellia-CTR IV  : 36 73 3C 14 7D 6D 93 CB
598	   Nonce            : 00 00 00 48
599	   Plaintext        : 53 69 6E 67 6C 65 20 62 6C 6F 63 6B 20 6D 73 67
600	   Counter Block (1): 00 00 00 48 36 73 3C 14 7D 6D 93 CB 00 00 00 01
601	   Key Stream    (1): 70 10 57 F9 E6 E8 0B 49 7A 1F 4C AC AB F3 E5 F1
602	   Ciphertext       : 23 79 39 9E 8A 8D 2B 2B 16 70 2F C7 8B 9E 96 96

604	   TV #5: Encrypting 32 octets using Camellia-CTR with 192-bit key
605	   Camellia Key     : 7C 5C B2 40 1B 3D C3 3C 19 E7 34 08 19 E0 F6 9C
606	                    : 67 8C 3D B8 E6 F6 A9 1A
607	   Camellia-CTR IV  : 02 0C 6E AD C2 CB 50 0D
608	   Nonce            : 00 96 B0 3B
609	   Plaintext        : 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
610	                    : 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F
611	   Counter Block (1): 00 96 B0 3B 02 0C 6E AD C2 CB 50 0D 00 00 00 01
612	   Key Stream    (1): 7D EE 36 F4 A1 D5 E2 12 6F 42 75 F7 A2 6A C9 52
613	   Counter Block (2): 00 96 B0 3B 02 0C 6E AD C2 CB 50 0D 00 00 00 02
614	   Key Stream    (2): C0 09 AA 7C E6 25 47 F7 4E 20 30 82 EF 47 52 F2
615	   Ciphertext       : 7D EF 34 F7 A5 D0 E4 15 67 4B 7F FC AE 67 C7 5D
616	                    : D0 18 B8 6F F2 30 51 E0 56 39 2A 99 F3 5A 4C ED

618	   TV #6: Encrypting 36 octets using Camellia-CTR with 192-bit key
619	   Camellia Key     : 02 BF 39 1E E8 EC B1 59 B9 59 61 7B 09 65 27 9B
620	                    : F5 9B 60 A7 86 D3 E0 FE
621	   Camellia-CTR IV  : 5C BD 60 27 8D CC 09 12
622	   Nonce            : 00 07 BD FD
623	   Plaintext        : 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
624	                    : 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F
625	                    : 20 21 22 23
626	   Counter Block (1): 00 07 BD FD 5C BD 60 27 8D CC 09 12 00 00 00 01
627	   Key Stream    (1): 57 11 E7 55 E5 4D 7C 27 BD A5 04 78 FD 93 40 77
628	   Counter Block (2): 00 07 BD FD 5C BD 60 27 8D CC 09 12 00 00 00 02
629	   Key Stream    (2): 66 E2 6D CF 85 A4 F9 5A 55 B4 F2 FD 7A BB 53 11
630	   Counter Block (3): 00 07 BD FD 5C BD 60 27 8D CC 09 12 00 00 00 03
631	   Key Stream    (3): F5 76 89 74 63 52 A8 C5 1E 82 DE 66 C3 9F 38 34
632	   Ciphertext       : 57 10 E5 56 E1 48 7A 20 B5 AC 0E 73 F1 9E 4E 78
633	                    : 76 F3 7F DC 91 B1 EF 4D 4D AD E8 E6 66 A6 4D 0E
634	                    : D5 57 AB 57

636	   TV #7: Encrypting 16 octets using Camellia-CTR with 256-bit key
637	   Camellia Key     : 77 6B EF F2 85 1D B0 6F 4C 8A 05 42 C8 69 6F 6C
638	                    : 6A 81 AF 1E EC 96 B4 D3 7F C1 D6 89 E6 C1 C1 04
639	   Camellia-CTR IV  : DB 56 72 C9 7A A8 F0 B2
640	   Nonce            : 00 00 00 60
641	   Plaintext        : 53 69 6E 67 6C 65 20 62 6C 6F 63 6B 20 6D 73 67
642	   Counter Block (1): 00 00 00 60 DB 56 72 C9 7A A8 F0 B2 00 00 00 01
643	   Key Stream    (1): 67 68 97 AF 48 1B DF AC D1 06 F7 1A 6C 76 C8 76
644	   Ciphertext       : 34 01 F9 C8 24 7E FF CE BD 69 94 71 4C 1B BB 11

646	   TV #8: Encrypting 32 octets using Camellia-CTR with 256-bit key
647	   Camellia Key     : F6 D6 6D 6B D5 2D 59 BB 07 96 36 58 79 EF F8 86
648	                    : C6 6D D5 1A 5B 6A 99 74 4B 50 59 0C 87 A2 38 84
649	   Camellia-CTR IV  : C1 58 5E F1 5A 43 D8 75
650	   Nonce            : 00 FA AC 24
651	   Plaintext        : 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
652	                    : 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F
653	   Counter Block (1): 00 FA AC 24 C1 58 5E F1 5A 43 D8 75 00 00 00 01
654	   Key Stream    (1): D6 C2 01 91 20 6A 7E 0F A0 35 21 29 A4 8E 90 4A
655	   Counter Block (2): 00 FA AC 24 C1 58 5E F1 5A 43 D8 75 00 00 00 02
656	   Key Stream    (2): F5 0D C6 99 08 CA 56 79 A4 85 D8 C8 B7 9E 5F 17
657	   Ciphertext       : D6 C3 03 92 24 6F 78 08 A8 3C 2B 22 A8 83 9E 45
658	                    : E5 1C D4 8A 1C DF 40 6E BC 9C C2 D3 AB 83 41 08

660	   TV #9: Encrypting 36 octets using Camellia-CTR with 256-bit key
661	   Camellia Key     : FF 7A 61 7C E6 91 48 E4 F1 72 6E 2F 43 58 1D E2
662	                    : AA 62 D9 F8 05 53 2E DF F1 EE D6 87 FB 54 15 3D
663	   Camellia-CTR IV  : 51 A5 1D 70 A1 C1 11 48
664	   Nonce            : 00 1C C5 B7
665	   Plaintext        : 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
666	                    : 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F
667	                    : 20 21 22 23
668	   Counter Block (1): 00 1C C5 B7 51 A5 1D 70 A1 C1 11 48 00 00 00 01
669	   Key Stream    (1): A4 DB 21 FF E2 A0 F9 AD 65 6D A4 91 0A 5F AA 23
670	   Counter Block (2): 00 1C C5 B7 51 A5 1D 70 A1 C1 11 48 00 00 00 02
671	   Key Stream    (2): C1 70 B1 58 71 EC 71 88 6D D9 05 0B 03 6C 39 70
672	   Counter Block (3): 00 1C C5 B7 51 A5 1D 70 A1 C1 11 48 00 00 00 03
673	   Key Stream    (3): 35 CE 2F AE 90 78 B3 72 F5 76 12 39 1F 8B AF BF
674	   Ciphertext       : A4 DA 23 FC E6 A5 FF AA 6D 64 AE 9A 06 52 A4 2C
675	                    : D1 61 A3 4B 65 F9 67 9F 75 C0 1F 10 1F 71 27 6F
676	                    : 15 EF 0D 8D

678	4.2.  Camellia-CCM

680	   This section contains twenty four TVs, which can be used to confirm
681	   that an implementation has correctly implemented Camellia-CCM.  In
682	   each of these TVs, the least significant sixteen bits of the counter
683	   block is used for the block counter, and the nonce is 13 octets.
684	   Some of the TVs include an eight octet authentication value, and
685	   others include a ten octet authentication value.

687	   =============== Packet Vector #1 ==================
688	   CAM Key:   C0 C1 C2 C3  C4 C5 C6 C7  C8 C9 CA CB  CC CD CE CF
689	   Nonce =    00 00 00 03  02 01 00 A0  A1 A2 A3 A4  A5
690	   Total packet length =   31. [Input (8 cleartext header octets)]
691	              00 01 02 03  04 05 06 07  08 09 0A 0B  0C 0D 0E 0F
692	              10 11 12 13  14 15 16 17  18 19 1A 1B  1C 1D 1E
693	   CBC IV in: 59 00 00 00  03 02 01 00  A0 A1 A2 A3  A4 A5 00 17
694	   CBC IV out:D4 DB CD 92  A8 96 41 56  1D 0D BB D0  D5 7F 7E 1D
695	   After xor: D4 D3 CD 93  AA 95 45 53  1B 0A BB D0  D5 7F 7E 1D   [hdr]
696	   After CAM: BD 84 03 80  73 59 37 B7  CE F5 E4 BA  1B 18 54 DC
697	   After xor: B5 8D 09 8B  7F 54 39 B8  DE E4 F6 A9  0F 0D 42 CB   [msg]
698	   After CAM: CE 21 82 9C  F6 F2 4D A2  CB 35 D1 FD  81 27 63 EC
699	   After xor: D6 38 98 87  EA EF 53 A2  CB 35 D1 FD  81 27 63 EC   [msg]
700	   After CAM: 20 11 FE E2  53 B1 A7 DB  02 77 FA 37  6D 78 EE 10
701	   MIC tag  : 20 11 FE E2  53 B1 A7 DB
702	   CTR Start: 01 00 00 00  03 02 01 00  A0 A1 A2 A3  A4 A5 00 01
703	   CTR[0001]: B2 7A 7B 8E  EB 14 3F 0B  82 E2 98 4C  06 44 CC 42
704	   CTR[0002]: E2 E2 D3 52  98 97 13 45  D1 63 22 90  E7 F8 15 4A
705	   CTR[MIC ]: DC BF 30 96  38 8C 1E 76
706	   Total packet length =   39. [Encrypted]
707	              00 01 02 03  04 05 06 07  BA 73 71 85  E7 19 31 04
708	              92 F3 8A 5F  12 51 DA 55  FA FB C9 49  84 8A 0D FC
709	              AE CE 74 6B  3D B9 AD

711	   =============== Packet Vector #2 ==================
712	   CAM Key:   C0 C1 C2 C3  C4 C5 C6 C7  C8 C9 CA CB  CC CD CE CF
713	   Nonce =    00 00 00 04  03 02 01 A0  A1 A2 A3 A4  A5
714	   Total packet length =   32. [Input (8 cleartext header octets)]
715	              00 01 02 03  04 05 06 07  08 09 0A 0B  0C 0D 0E 0F
716	              10 11 12 13  14 15 16 17  18 19 1A 1B  1C 1D 1E 1F
717	   CBC IV in: 59 00 00 00  04 03 02 01  A0 A1 A2 A3  A4 A5 00 18
718	   CBC IV out:07 0B 22 50  8A 24 3C DD  5B BA 54 DB  60 52 88 06
719	   After xor: 07 03 22 51  88 27 38 D8  5D BD 54 DB  60 52 88 06   [hdr]
720	   After CAM: 10 FD C2 F2  90 4A 9F 96  B0 4F 62 A4  A1 A9 31 1E
721	   After xor: 18 F4 C8 F9  9C 47 91 99  A0 5E 70 B7  B5 BC 27 09   [msg]
722	   After CAM: E4 C8 82 02  89 55 5C 15  CE 7F E4 60  B1 B9 5A 08
723	   After xor: FC D1 98 19  95 48 42 0A  CE 7F E4 60  B1 B9 5A 08   [msg]
724	   After CAM: D2 96 BA 4F  83 DE B5 DF  A2 19 08 F7  47 4E 3C 40
725	   MIC tag  : D2 96 BA 4F  83 DE B5 DF
726	   CTR Start: 01 00 00 00  04 03 02 01  A0 A1 A2 A3  A4 A5 00 01
727	   CTR[0001]: 55 2C 6E B4  82 A2 EF D6  85 37 FE 12  79 0E E6 55
728	   CTR[0002]: 54 E2 C8 D6  7E 99 91 2C  F2 8A D7 8E  83 04 10 36
729	   CTR[MIC ]: B2 24 93 12  71 9C 36 37
730	   Total packet length =   40. [Encrypted]
731	              00 01 02 03  04 05 06 07  5D 25 64 BF  8E AF E1 D9
732	              95 26 EC 01  6D 1B F0 42  4C FB D2 CD  62 84 8F 33
733	              60 B2 29 5D  F2 42 83 E8

735	   =============== Packet Vector #3 ==================
736	   CAM Key:   C0 C1 C2 C3  C4 C5 C6 C7  C8 C9 CA CB  CC CD CE CF
737	   Nonce =    00 00 00 05  04 03 02 A0  A1 A2 A3 A4  A5
738	   Total packet length =   33. [Input (8 cleartext header octets)]
739	              00 01 02 03  04 05 06 07  08 09 0A 0B  0C 0D 0E 0F
740	              10 11 12 13  14 15 16 17  18 19 1A 1B  1C 1D 1E 1F
741	              20
742	   CBC IV in: 59 00 00 00  05 04 03 02  A0 A1 A2 A3  A4 A5 00 19
743	   CBC IV out:6F 69 15 DF  A6 A0 DF 24  84 A7 37 88  A3 65 F9 2E
744	   After xor: 6F 61 15 DE  A4 A3 DB 21  82 A0 37 88  A3 65 F9 2E   [hdr]
745	   After CAM: 59 5D 99 48  79 04 DA C9  13 93 36 C9  11 A8 09 1D
746	   After xor: 51 54 93 43  75 09 D4 C6  03 82 24 DA  05 BD 1F 0A   [msg]
747	   After CAM: 1A 43 D7 19  65 43 97 C1  43 6F 4F 11  A7 6C 6B ED
748	   After xor: 02 5A CD 02  79 5E 89 DE  63 6F 4F 11  A7 6C 6B ED   [msg]
749	   After CAM: 30 0B 06 8A  A0 D1 4D C5  9E 44 22 84  82 45 42 0B
750	   MIC tag  : 30 0B 06 8A  A0 D1 4D C5
751	   CTR Start: 01 00 00 00  05 04 03 02  A0 A1 A2 A3  A4 A5 00 01
752	   CTR[0001]: 89 FF 69 DD  CB 75 76 18  E9 31 24 1B  AD 97 BB 02
753	   CTR[0002]: C4 32 A7 9C  CB 4B E9 8D  24 A8 F0 AB  C6 87 16 11
754	   CTR[MIC ]: C5 5A D0 E2  8F F2 E7 83
755	   Total packet length =   41. [Encrypted]
756	              00 01 02 03  04 05 06 07  81 F6 63 D6  C7 78 78 17
757	              F9 20 36 08  B9 82 AD 15  DC 2B BD 87  D7 56 F7 92
758	              04 F5 51 D6  68 2F 23 AA  46

760	   =============== Packet Vector #4 ==================
761	   CAM Key:   C0 C1 C2 C3  C4 C5 C6 C7  C8 C9 CA CB  CC CD CE CF
762	   Nonce =    00 00 00 06  05 04 03 A0  A1 A2 A3 A4  A5
763	   Total packet length =   31. [Input (12 cleartext header octets)]
764	              00 01 02 03  04 05 06 07  08 09 0A 0B  0C 0D 0E 0F
765	              10 11 12 13  14 15 16 17  18 19 1A 1B  1C 1D 1E
766	   CBC IV in: 59 00 00 00  06 05 04 03  A0 A1 A2 A3  A4 A5 00 13
767	   CBC IV out:F5 51 CF 6C  7C F7 D4 0B  2B 76 F1 6B  57 F0 19 FE
768	   After xor: F5 5D CF 6D  7E F4 D0 0E  2D 71 F9 62  5D FB 19 FE   [hdr]
769	   After CAM: 02 2B 21 1B  EB 97 02 3B  F8 10 7D CC  62 14 E5 7C
770	   After xor: 0E 26 2F 14  FB 86 10 28  EC 05 6B DB  7A 0D FF 67   [msg]
771	   After CAM: 48 14 A4 2D  31 25 1C 37  19 C5 6F DD  5A 37 81 42
772	   After xor: 54 09 BA 2D  31 25 1C 37  19 C5 6F DD  5A 37 81 42   [msg]
773	   After CAM: CF 85 25 D2  80 D5 F0 09  53 2C 9D 43  4E F3 04 47
774	   MIC tag  : CF 85 25 D2  80 D5 F0 09
775	   CTR Start: 01 00 00 00  06 05 04 03  A0 A1 A2 A3  A4 A5 00 01
776	   CTR[0001]: C6 E2 10 8D  62 00 A2 9C  6F CC 19 1F  DF 6B 92 DB
777	   CTR[0002]: 6C B9 BE EE  1E A2 E9 B3  2D D6 C2 9A  E8 26 D5 C2
778	   CTR[MIC ]: 44 BF B6 E8  E3 31 67 A9
779	   Total packet length =   39. [Encrypted]
780	              00 01 02 03  04 05 06 07  08 09 0A 0B  CA EF 1E 82
781	              72 11 B0 8F  7B D9 0F 08  C7 72 88 C0  70 A4 A0 8B
782	              3A 93 3A 63  E4 97 A0

784	   =============== Packet Vector #5 ==================
785	   CAM Key:   C0 C1 C2 C3  C4 C5 C6 C7  C8 C9 CA CB  CC CD CE CF
786	   Nonce =    00 00 00 07  06 05 04 A0  A1 A2 A3 A4  A5
787	   Total packet length =   32. [Input (12 cleartext header octets)]
788	              00 01 02 03  04 05 06 07  08 09 0A 0B  0C 0D 0E 0F
789	              10 11 12 13  14 15 16 17  18 19 1A 1B  1C 1D 1E 1F
790	   CBC IV in: 59 00 00 00  07 06 05 04  A0 A1 A2 A3  A4 A5 00 14
791	   CBC IV out:73 72 9D 76  7A BD B9 82  60 3A 12 7B  EF 26 FB 80
792	   After xor: 73 7E 9D 77  78 BE BD 87  66 3D 1A 72  E5 2D FB 80   [hdr]
793	   After CAM: E1 B7 A6 72  E2 5C 87 75  91 21 22 A4  07 13 CD 5B
794	   After xor: ED BA A8 7D  F2 4D 95 66  85 34 34 B3  1F 0A D7 40   [msg]
795	   After CAM: 13 2F 58 D9  5D 0F 95 B8  90 BF 6F 1D  31 84 54 C7
796	   After xor: 0F 32 46 C6  5D 0F 95 B8  90 BF 6F 1D  31 84 54 C7   [msg]
797	   After CAM: 47 8F 1E B0  71 24 8B 13  AF C8 C8 44  E6 0F 88 B6
798	   MIC tag  : 47 8F 1E B0  71 24 8B 13
799	   CTR Start: 01 00 00 00  07 06 05 04  A0 A1 A2 A3  A4 A5 00 01
800	   CTR[0001]: 26 DE B4 D6  5F D4 3C 81  AA 56 98 95  64 09 39 A2
801	   CTR[0002]: 76 97 69 3A  21 13 0C 39  2E 4E EB BF  48 7B 24 BE
802	   CTR[MIC ]: C8 2E 65 17  82 15 50 1A
803	   Total packet length =   40. [Encrypted]
804	              00 01 02 03  04 05 06 07  08 09 0A 0B  2A D3 BA D9
805	              4F C5 2E 92  BE 43 8E 82  7C 10 23 B9  6A 8A 77 25
806	              8F A1 7B A7  F3 31 DB 09

808	   =============== Packet Vector #6 ==================
809	   CAM Key:   C0 C1 C2 C3  C4 C5 C6 C7  C8 C9 CA CB  CC CD CE CF
810	   Nonce =    00 00 00 08  07 06 05 A0  A1 A2 A3 A4  A5
811	   Total packet length =   33. [Input (12 cleartext header octets)]
812	              00 01 02 03  04 05 06 07  08 09 0A 0B  0C 0D 0E 0F
813	              10 11 12 13  14 15 16 17  18 19 1A 1B  1C 1D 1E 1F
814	              20
815	   CBC IV in: 59 00 00 00  08 07 06 05  A0 A1 A2 A3  A4 A5 00 15
816	   CBC IV out:EB 59 05 CC  3F 52 61 10  26 24 75 93  DD B9 A0 F4
817	   After xor: EB 55 05 CD  3D 51 65 15  20 23 7D 9A  D7 B2 A0 F4   [hdr]
818	   After CAM: 18 A9 AE A4  3D D2 A9 11  6C 0A E5 4F  40 D1 4D 9F
819	   After xor: 14 A4 A0 AB  2D C3 BB 02  78 1F F3 58  58 C8 57 84   [msg]
820	   After CAM: FA C4 13 18  98 54 1B 54  93 9C 64 B8  CB FD 5B 18
821	   After xor: E6 D9 0D 07  B8 54 1B 54  93 9C 64 B8  CB FD 5B 18   [msg]
822	   After CAM: 49 E6 E8 ED  32 FB CA 2F  2E 55 CD AF  D0 F2 B3 05
823	   MIC tag  : 49 E6 E8 ED  32 FB CA 2F
824	   CTR Start: 01 00 00 00  08 07 06 05  A0 A1 A2 A3  A4 A5 00 01
825	   CTR[0001]: F2 A8 46 04  B5 2E BA C0  D7 51 34 BD  D6 54 FC 64
826	   CTR[0002]: E6 26 A9 24  8B E6 86 CB  92 D6 FB FC  2E F2 91 98
827	   CTR[MIC ]: E2 D0 49 03  7D 1B 34 07
828	   Total packet length =   41. [Encrypted]
829	              00 01 02 03  04 05 06 07  08 09 0A 0B  FE A5 48 0B
830	              A5 3F A8 D3  C3 44 22 AA  CE 4D E6 7F  FA 3B B7 3B
831	              AB AB 36 A1  EE 4F E0 FE  28

833	   =============== Packet Vector #7 ==================
834	   CAM Key:   C0 C1 C2 C3  C4 C5 C6 C7  C8 C9 CA CB  CC CD CE CF
835	   Nonce =    00 00 00 09  08 07 06 A0  A1 A2 A3 A4  A5
836	   Total packet length =   31. [Input (8 cleartext header octets)]
837	              00 01 02 03  04 05 06 07  08 09 0A 0B  0C 0D 0E 0F
838	              10 11 12 13  14 15 16 17  18 19 1A 1B  1C 1D 1E
839	   CBC IV in: 61 00 00 00  09 08 07 06  A0 A1 A2 A3  A4 A5 00 17
840	   CBC IV out:AC F1 5D 79  99 1A 15 BF  5C DC F6 C4  45 AE 1F CB
841	   After xor: AC F9 5D 78  9B 19 11 BA  5A DB F6 C4  45 AE 1F CB   [hdr]
842	   After CAM: E9 C0 AC FD  C7 E8 E7 1D  FA E8 8B 66  95 9E 01 45
843	   After xor: E1 C9 A6 F6  CB E5 E9 12  EA F9 99 75  81 8B 17 52   [msg]
844	   After CAM: 9C FF ED 72  09 A6 7D 2A  48 B7 29 BF  D8 BE 39 59
845	   After xor: 84 E6 F7 69  15 BB 63 2A  48 B7 29 BF  D8 BE 39 59   [msg]
846	   After CAM: 4F 41 FA DE  B2 58 F3 32  54 0A 55 7A  80 4A A3 F5
847	   MIC tag  : 4F 41 FA DE  B2 58 F3 32  54 0A
848	   CTR Start: 01 00 00 00  09 08 07 06  A0 A1 A2 A3  A4 A5 00 01
849	   CTR[0001]: 5C 5A 2A 2D  E9 41 1F 95  9D 27 CB FF  7A 0B CF 63
850	   CTR[0002]: 0E D1 6A 97  57 41 32 4F  33 1B 4A 42  B1 4A 54 63
851	   CTR[MIC ]: E3 EE 59 62  7D 22 BD 8D  C1 79
852	   Total packet length =   41. [Encrypted]
853	              00 01 02 03  04 05 06 07  54 53 20 26  E5 4C 11 9A
854	              8D 36 D9 EC  6E 1E D9 74  16 C8 70 8C  4B 5C 2C AC
855	              AF A3 BC CF  7A 4E BF 95  73

857	   =============== Packet Vector #8 ==================
858	   CAM Key:   C0 C1 C2 C3  C4 C5 C6 C7  C8 C9 CA CB  CC CD CE CF
859	   Nonce =    00 00 00 0A  09 08 07 A0  A1 A2 A3 A4  A5
860	   Total packet length =   32. [Input (8 cleartext header octets)]
861	              00 01 02 03  04 05 06 07  08 09 0A 0B  0C 0D 0E 0F
862	              10 11 12 13  14 15 16 17  18 19 1A 1B  1C 1D 1E 1F
863	   CBC IV in: 61 00 00 00  0A 09 08 07  A0 A1 A2 A3  A4 A5 00 18
864	   CBC IV out:AD CA 1C 1D  45 E7 E2 62  58 D5 DA 46  D8 2F 69 3A
865	   After xor: AD C2 1C 1C  47 E4 E6 67  5E D2 DA 46  D8 2F 69 3A   [hdr]
866	   After CAM: FA DE 0E B4  3E CA C1 E9  69 BB 8C A4  7C 0D 80 8F
867	   After xor: F2 D7 04 BF  32 C7 CF E6  79 AA 9E B7  68 18 96 98   [msg]
868	   After CAM: D2 87 35 C2  D0 E4 AE 4E  BC C2 99 FF  B3 77 F8 A1
869	   After xor: CA 9E 2F D9  CC F9 B0 51  BC C2 99 FF  B3 77 F8 A1   [msg]
870	   After CAM: BD F6 FB 55  9E 90 C0 E7  DF 4B 0C 37  DC 42 32 A2
871	   MIC tag  : BD F6 FB 55  9E 90 C0 E7  DF 4B
872	   CTR Start: 01 00 00 00  0A 09 08 07  A0 A1 A2 A3  A4 A5 00 01
873	   CTR[0001]: 82 D8 91 0B  16 8A DF 47  E4 C8 39 FC  20 47 4A DB
874	   CTR[0002]: FB BF 26 7E  0E BB EB 6A  07 4E 29 CF  3D 12 E6 DB
875	   CTR[MIC ]: CE 7E 1F C4  A0 61 87 E6  2B 0A
876	   Total packet length =   42. [Encrypted]
877	              00 01 02 03  04 05 06 07  8A D1 9B 00  1A 87 D1 48
878	              F4 D9 2B EF  34 52 5C CC  E3 A6 3C 65  12 A6 F5 75
879	              73 88 E4 91  3E F1 47 01  F4 41

881	   =============== Packet Vector #9 ==================
882	   CAM Key:   C0 C1 C2 C3  C4 C5 C6 C7  C8 C9 CA CB  CC CD CE CF
883	   Nonce =    00 00 00 0B  0A 09 08 A0  A1 A2 A3 A4  A5
884	   Total packet length =   33. [Input (8 cleartext header octets)]
885	              00 01 02 03  04 05 06 07  08 09 0A 0B  0C 0D 0E 0F
886	              10 11 12 13  14 15 16 17  18 19 1A 1B  1C 1D 1E 1F
887	              20
888	   CBC IV in: 61 00 00 00  0B 0A 09 08  A0 A1 A2 A3  A4 A5 00 19
889	   CBC IV out:D0 A9 A5 94  00 63 86 40  11 0D DB 40  CA F8 4A 9C
890	   After xor: D0 A1 A5 95  02 60 82 45  17 0A DB 40  CA F8 4A 9C   [hdr]
891	   After CAM: 7B CA 4E 2D  79 82 0D 1E  15 22 DD E8  37 B9 B1 F0
892	   After xor: 73 C3 44 26  75 8F 03 11  05 33 CF FB  23 AC A7 E7   [msg]
893	   After CAM: 6B 75 9F 83  C0 8F 56 64  F2 FA D5 7F  67 01 B8 21
894	   After xor: 73 6C 85 98  DC 92 48 7B  D2 FA D5 7F  67 01 B8 21   [msg]
895	   After CAM: 7D B7 BE FF  72 F3 26 74  9E 20 07 28  1E 5B 1A 8A
896	   MIC tag  : 7D B7 BE FF  72 F3 26 74  9E 20
897	   CTR Start: 01 00 00 00  0B 0A 09 08  A0 A1 A2 A3  A4 A5 00 01
898	   CTR[0001]: 55 B9 87 69  4C 73 60 3E  C6 1E 8E B1  D2 11 62 36
899	   CTR[0002]: 82 D9 A4 4B  DC C9 BB 68  A7 FE 15 A5  19 51 57 87
900	   CTR[MIC ]: E9 61 5C CF  BF D6 EF 8A  21 A7
901	   Total packet length =   43. [Encrypted]
902	              00 01 02 03  04 05 06 07  5D B0 8D 62  40 7E 6E 31
903	              D6 0F 9C A2  C6 04 74 21  9A C0 BE 50  C0 D4 A5 77
904	              87 94 D6 E2  30 CD 25 C9  FE BF 87

906	   =============== Packet Vector #10 ==================
907	   CAM Key:   C0 C1 C2 C3  C4 C5 C6 C7  C8 C9 CA CB  CC CD CE CF
908	   Nonce =    00 00 00 0C  0B 0A 09 A0  A1 A2 A3 A4  A5
909	   Total packet length =   31. [Input (12 cleartext header octets)]
910	              00 01 02 03  04 05 06 07  08 09 0A 0B  0C 0D 0E 0F
911	              10 11 12 13  14 15 16 17  18 19 1A 1B  1C 1D 1E
912	   CBC IV in: 61 00 00 00  0C 0B 0A 09  A0 A1 A2 A3  A4 A5 00 13
913	   CBC IV out:B1 85 73 A3  1C 6F EC 01  90 E3 CE 94  27 11 04 B9
914	   After xor: B1 89 73 A2  1E 6C E8 04  96 E4 C6 9D  2D 1A 04 B9   [hdr]
915	   After CAM: A6 AD EA 9C  FA 3F 76 78  4C 17 8A F3  DC 69 F0 82
916	   After xor: AA A0 E4 93  EA 2E 64 6B  58 02 9C E4  C4 70 EA 99   [msg]
917	   After CAM: 35 50 B7 27  78 F8 C6 BF  02 4B 65 60  05 C0 E1 ED
918	   After xor: 29 4D A9 27  78 F8 C6 BF  02 4B 65 60  05 C0 E1 ED   [msg]
919	   After CAM: 3D B5 A6 E6  85 AF 1C 58  80 B0 32 2E  01 74 91 FC
920	   MIC tag  : 3D B5 A6 E6  85 AF 1C 58  80 B0
921	   CTR Start: 01 00 00 00  0C 0B 0A 09  A0 A1 A2 A3  A4 A5 00 01
922	   CTR[0001]: D7 1C 82 C1  D1 A9 64 0F  93 69 CE 81  22 7E CC E8
923	   CTR[0002]: A7 A1 42 44  32 4E 69 FE  4C D0 36 65  A5 31 0B AB
924	   CTR[MIC ]: ED 27 3F 0D  94 5C 0E AA  B2 87
925	   Total packet length =   41. [Encrypted]
926	              00 01 02 03  04 05 06 07  08 09 0A 0B  DB 11 8C CE
927	              C1 B8 76 1C  87 7C D8 96  3A 67 D6 F3  BB BC 5C D0
928	              92 99 EB 11  F3 12 F2 32  37

930	   =============== Packet Vector #11 ==================
931	   CAM Key:   C0 C1 C2 C3  C4 C5 C6 C7  C8 C9 CA CB  CC CD CE CF
932	   Nonce =    00 00 00 0D  0C 0B 0A A0  A1 A2 A3 A4  A5
933	   Total packet length =   32. [Input (12 cleartext header octets)]
934	              00 01 02 03  04 05 06 07  08 09 0A 0B  0C 0D 0E 0F
935	              10 11 12 13  14 15 16 17  18 19 1A 1B  1C 1D 1E 1F
936	   CBC IV in: 61 00 00 00  0D 0C 0B 0A  A0 A1 A2 A3  A4 A5 00 14
937	   CBC IV out:45 DF B5 07  6F BB 10 EA  F1 15 15 AD  21 4F B0 0E
938	   After xor: 45 D3 B5 06  6D B8 14 EF  F7 12 1D A4  2B 44 B0 0E   [hdr]
939	   After CAM: 17 52 F9 6D  DD BC 5B 1C  1E EB 80 FC  F6 10 AC 03
940	   After xor: 1B 5F F7 62  CD AD 49 0F  0A FE 96 EB  EE 09 B6 18   [msg]
941	   After CAM: BE F0 A0 B9  EC 94 B6 B3  E8 EC 1B 82  14 14 09 87
942	   After xor: A2 ED BE A6  EC 94 B6 B3  E8 EC 1B 82  14 14 09 87   [msg]
943	   After CAM: 70 16 E4 F9  C4 2C 30 10  84 BF EC 69  34 89 91 FD
944	   MIC tag  : 70 16 E4 F9  C4 2C 30 10  84 BF
945	   CTR Start: 01 00 00 00  0D 0C 0B 0A  A0 A1 A2 A3  A4 A5 00 01
946	   CTR[0001]: 70 C5 33 82  D4 80 11 41  4F 5D 2B D2  D2 67 B3 B0
947	   CTR[0002]: 9D 36 6E 49  39 C5 16 76  5C 1C 25 12  81 79 94 70
948	   CTR[MIC ]: 77 8B 4B 03  1E 3A FC DF  A8 F1
949	   Total packet length =   42. [Encrypted]
950	              00 01 02 03  04 05 06 07  08 09 0A 0B  7C C8 3D 8D
951	              C4 91 03 52  5B 48 3D C5  CA 7E A9 AB  81 2B 70 56
952	              07 9D AF FA  DA 16 CC CF  2C 4E

954	   =============== Packet Vector #12 ==================
955	   CAM Key:   C0 C1 C2 C3  C4 C5 C6 C7  C8 C9 CA CB  CC CD CE CF
956	   Nonce =    00 00 00 0E  0D 0C 0B A0  A1 A2 A3 A4  A5
957	   Total packet length =   33. [Input (12 cleartext header octets)]
958	              00 01 02 03  04 05 06 07  08 09 0A 0B  0C 0D 0E 0F
959	              10 11 12 13  14 15 16 17  18 19 1A 1B  1C 1D 1E 1F
960	              20
961	   CBC IV in: 61 00 00 00  0E 0D 0C 0B  A0 A1 A2 A3  A4 A5 00 15
962	   CBC IV out:81 E4 EB 1E  50 A9 70 CE  18 CA 1A 4B  68 39 80 2E
963	   After xor: 81 E8 EB 1F  52 AA 74 CB  1E CD 12 42  62 32 80 2E   [hdr]
964	   After CAM: 04 AB D9 62  34 B9 8F 32  8C 0F 08 3F  3D 87 9D 57
965	   After xor: 08 A6 D7 6D  24 A8 9D 21  98 1A 1E 28  25 9E 87 4C   [msg]
966	   After CAM: BD A2 EA CB  3A DA 6A E7  9F BB C2 2C  E6 4C 98 89
967	   After xor: A1 BF F4 D4  1A DA 6A E7  9F BB C2 2C  E6 4C 98 89   [msg]
968	   After CAM: B6 FC E1 46  D3 EA DC 91  E0 AB 10 AD  D8 55 E7 03
969	   MIC tag  : B6 FC E1 46  D3 EA DC 91  E0 AB
970	   CTR Start: 01 00 00 00  0E 0D 0C 0B  A0 A1 A2 A3  A4 A5 00 01
971	   CTR[0001]: 20 DE 55 87  30 C3 2C 69  B7 44 A6 FE  37 DE 89 7C
972	   CTR[0002]: 3F 96 32 D8  68 6D C2 B5  22 97 42 27  EB F9 26 5E
973	   CTR[MIC ]: 7D 45 AD 6F  94 93 E1 F5  4F DE
974	   Total packet length =   43. [Encrypted]
975	              00 01 02 03  04 05 06 07  08 09 0A 0B  2C D3 5B 88
976	              20 D2 3E 7A  A3 51 B0 E9  2F C7 93 67  23 8B 2C C7
977	              48 CB B9 4C  29 47 79 3D  64 AF 75

979	   =============== Packet Vector #13 ==================
980	   CAM Key:   D7 5C 27 78  07 8C A9 3D  97 1F 96 FD  E7 20 F4 CD
981	   Nonce =    00 A9 70 11  0E 19 27 B1  60 B6 A3 1C  1C
982	   Total packet length =   31. [Input (8 cleartext header octets)]
983	              6B 7F 46 45  07 FA E4 96  C6 B5 F3 E6  CA 23 11 AE
984	              F7 47 2B 20  3E 73 5E A5  61 AD B1 7D  56 C5 A3
985	   CBC IV in: 59 00 A9 70  11 0E 19 27  B1 60 B6 A3  1C 1C 00 17
986	   CBC IV out:D7 24 B0 0F  B1 87 04 C6  C1 4E 90 37  AA F2 F1 F9
987	   After xor: D7 2C DB 70  F7 C2 03 3C  25 D8 90 37  AA F2 F1 F9   [hdr]
988	   After CAM: 9B 13 6D E3  D9 9F C3 6D  7D 0D B7 D8  A1 BF E9 BD
989	   After xor: 5D A6 9E 05  13 BC D2 C3  8A 4A 9C F8  9F CC B7 18   [msg]
990	   After CAM: F8 BF 25 7D  23 F8 D9 B5  82 E6 C9 3E  C8 9B 85 73
991	   After xor: 99 12 94 00  75 3D 7A B5  82 E6 C9 3E  C8 9B 85 73   [msg]
992	   After CAM: D9 D6 62 21  6D B2 CA FD  1F C6 FE 9D  2C AF 5B 69
993	   MIC tag  : D9 D6 62 21  6D B2 CA FD
994	   CTR Start: 01 00 A9 70  11 0E 19 27  B1 60 B6 A3  1C 1C 00 01
995	   CTR[0001]: 62 80 24 C1  FE AE CC 8C  67 38 55 98  CB 8E E5 E8
996	   CTR[0002]: F2 30 17 2F  1B 71 55 9F  8B CE 79 E5  13 01 FC 6A
997	   CTR[MIC ]: 9C 8E A2 0C  48 03 ED 13
998	   Total packet length =   39. [Encrypted]
999	              6B 7F 46 45  07 FA E4 96  A4 35 D7 27  34 8D DD 22
1000	              90 7F 7E B8  F5 FD BB 4D  93 9D A6 52  4D B4 F6 45
1001	              58 C0 2D 25  B1 27 EE

1003	   =============== Packet Vector #14 ==================
1004	   CAM Key:   D7 5C 27 78  07 8C A9 3D  97 1F 96 FD  E7 20 F4 CD
1005	   Nonce =    00 83 CD 8C  E0 CB 42 B1  60 B6 A3 1C  1C
1006	   Total packet length =   32. [Input (8 cleartext header octets)]
1007	              98 66 05 B4  3D F1 5D E7  01 F6 CE 67  64 C5 74 48
1008	              3B B0 2E 6B  BF 1E 0A BD  26 A2 25 72  B4 D8 0E E7
1009	   CBC IV in: 59 00 83 CD  8C E0 CB 42  B1 60 B6 A3  1C 1C 00 18
1010	   CBC IV out:A0 8A 29 78  36 23 1D 84  96 76 93 FF  0A 4C 92 7A
1011	   After xor: A0 82 B1 1E  33 97 20 75  CB 91 93 FF  0A 4C 92 7A   [hdr]
1012	   After CAM: 8C F5 F4 23  BF 09 1C 74  CD 47 00 C1  32 5D 5C 92
1013	   After xor: 8D 03 3A 44  DB CC 68 3C  F6 F7 2E AA  8D 43 56 2F   [msg]
1014	   After CAM: 69 DA 48 24  41 1E AC 8E  A9 0A CD 8B  DD 00 2B 9A
1015	   After xor: 4F 78 6D 56  F5 C6 A2 69  A9 0A CD 8B  DD 00 2B 9A   [msg]
1016	   After CAM: C2 03 3B 08  6D B3 CB 3B  2C C8 5D E7  76 A1 C0 44
1017	   MIC tag  : C2 03 3B 08  6D B3 CB 3B
1018	   CTR Start: 01 00 83 CD  8C E0 CB 42  B1 60 B6 A3  1C 1C 00 01
1019	   CTR[0001]: 8B 16 9C 37  EB 7B BE DB  15 84 41 6E  5F C2 07 46
1020	   CTR[0002]: E9 31 BB DD  4E E6 56 9B  68 95 13 5F  AB A4 DF EF
1021	   CTR[MIC ]: 44 7E 55 14  25 C3 F3 3D
1022	   Total packet length =   40. [Encrypted]
1023	              98 66 05 B4  3D F1 5D E7  8A E0 52 50  8F BE CA 93
1024	              2E 34 6F 05  E0 DC 0D FB  CF 93 9E AF  FA 3E 58 7C
1025	              86 7D 6E 1C  48 70 38 06

1027	   =============== Packet Vector #15 ==================
1028	   CAM Key:   D7 5C 27 78  07 8C A9 3D  97 1F 96 FD  E7 20 F4 CD
1029	   Nonce =    00 5F 54 95  0B 18 F2 B1  60 B6 A3 1C  1C
1030	   Total packet length =   33. [Input (8 cleartext header octets)]
1031	              48 F2 E7 E1  A7 67 1A 51  CD F1 D8 40  6F C2 E9 01
1032	              49 53 89 70  05 FB FB 8B  A5 72 76 F9  24 04 60 8E
1033	              08
1034	   CBC IV in: 59 00 5F 54  95 0B 18 F2  B1 60 B6 A3  1C 1C 00 19
1035	   CBC IV out:76 74 53 37  95 23 3C F0  EB 77 CE 93  73 06 99 A8
1036	   After xor: 76 7C 1B C5  72 C2 9B 97  F1 26 CE 93  73 06 99 A8   [hdr]
1037	   After CAM: EF 79 8B 70  34 E4 D5 6B  57 3A F9 44  F0 AF D6 9A
1038	   After xor: 22 88 53 30  5B 26 3C 6A  1E 69 70 34  F5 54 2D 11   [msg]
1039	   After CAM: 63 BF 4E 10  01 79 38 0B  E4 EC C1 39  B2 B4 3B 8C
1040	   After xor: C6 CD 38 E9  25 7D 58 85  EC EC C1 39  B2 B4 3B 8C   [msg]
1041	   After CAM: 39 E1 0E FA  BD 2F 43 00  50 9E E7 EB  A4 FF 6B 8F
1042	   MIC tag  : 39 E1 0E FA  BD 2F 43 00
1043	   CTR Start: 01 00 5F 54  95 0B 18 F2  B1 60 B6 A3  1C 1C 00 01
1044	   CTR[0001]: C5 47 A6 A2  73 49 1B 6F  0E 6D C9 F5  9C 12 3B 08
1045	   CTR[0002]: C8 18 86 42  3C DB 35 C8  64 4D 8C 4C  58 01 47 27
1046	   CTR[MIC ]: 91 E9 76 5D  2D 68 2E E5
1047	   Total packet length =   41. [Encrypted]
1048	              48 F2 E7 E1  A7 67 1A 51  08 B6 7E E2  1C 8B F2 6E
1049	              47 3E 40 85  99 E9 C0 83  6D 6A F0 BB  18 DF 55 46
1050	              6C A8 08 78  A7 90 47 6D  E5

1052	   =============== Packet Vector #16 ==================
1053	   CAM Key:   D7 5C 27 78  07 8C A9 3D  97 1F 96 FD  E7 20 F4 CD
1054	   Nonce =    00 EC 60 08  63 31 9A B1  60 B6 A3 1C  1C
1055	   Total packet length =   31. [Input (12 cleartext header octets)]
1056	              DE 97 DF 3B  8C BD 6D 8E  50 30 DA 4C  B0 05 DC FA
1057	              0B 59 18 14  26 A9 61 68  5A 99 3D 8C  43 18 5B
1058	   CBC IV in: 59 00 EC 60  08 63 31 9A  B1 60 B6 A3  1C 1C 00 13
1059	   CBC IV out:78 EE 05 5A  88 48 E3 5B  8A 45 46 8F  35 4F 0C A2
1060	   After xor: 78 E2 DB CD  57 73 6F E6  E7 CB 16 BF  EF 03 0C A2   [hdr]
1061	   After CAM: A9 C6 7F 15  00 1A C6 92  81 67 BD EC  DF D2 35 C9
1062	   After xor: 19 C3 A3 EF  0B 43 DE 86  A7 CE DC 84  85 4B 08 45   [msg]
1063	   After CAM: 7C A8 9C 90  46 42 4B E2  4D 96 DF CF  BA 12 FD 18
1064	   After xor: 3F B0 C7 90  46 42 4B E2  4D 96 DF CF  BA 12 FD 18   [msg]
1065	   After CAM: 89 C7 B4 E8  A4 24 8C 6C  52 ED 34 50  E3 53 AD F5
1066	   MIC tag  : 89 C7 B4 E8  A4 24 8C 6C
1067	   CTR Start: 01 00 EC 60  08 63 31 9A  B1 60 B6 A3  1C 1C 00 01
1068	   CTR[0001]: D3 B2 57 B3  6C E8 86 CF  91 9A AC 79  4E 6F 73 3E
1069	   CTR[0002]: 65 10 C8 72  39 AF 0F 52  9F D0 A4 DF  54 BF D6 EB
1070	   CTR[MIC ]: E1 04 E0 6A  29 B1 80 A9
1071	   Total packet length =   39. [Encrypted]
1072	              DE 97 DF 3B  8C BD 6D 8E  50 30 DA 4C  63 B7 8B 49
1073	              67 B1 9E DB  B7 33 CD 11  14 F6 4E B2  26 08 93 68
1074	              C3 54 82 8D  95 0C C5

1076	   =============== Packet Vector #17 ==================
1077	   CAM Key:   D7 5C 27 78  07 8C A9 3D  97 1F 96 FD  E7 20 F4 CD
1078	   Nonce =    00 60 CF F1  A3 1E A1 B1  60 B6 A3 1C  1C
1079	   Total packet length =   32. [Input (12 cleartext header octets)]
1080	              A5 EE 93 E4  57 DF 05 46  6E 78 2D CF  2E 20 21 12
1081	              98 10 5F 12  9D 5E D9 5B  93 F7 2D 30  B2 FA CC D7
1082	   CBC IV in: 59 00 60 CF  F1 A3 1E A1  B1 60 B6 A3  1C 1C 00 14
1083	   CBC IV out:C3 34 69 7D  11 38 73 06  BD 34 E2 10  1F 66 17 E8
1084	   After xor: C3 38 CC 93  82 DC 24 D9  B8 72 8C 68  32 A9 17 E8   [hdr]
1085	   After CAM: 43 6F 37 74  AB 94 3B 41  EA AD 00 CA  C3 99 13 7B
1086	   After xor: 6D 4F 16 66  33 84 64 53  77 F3 D9 91  50 6E 3E 4B   [msg]
1087	   After CAM: 2D 28 FB 62  DA 06 97 A7  4C D4 31 B8  B5 AE AE EE
1088	   After xor: 9F D2 37 B5  DA 06 97 A7  4C D4 31 B8  B5 AE AE EE   [msg]
1089	   After CAM: F3 DE 10 CD  91 4D B1 B6  CC 37 F0 A2  4A 5A B7 A1
1090	   MIC tag  : F3 DE 10 CD  91 4D B1 B6
1091	   CTR Start: 01 00 60 CF  F1 A3 1E A1  B1 60 B6 A3  1C 1C 00 01
1092	   CTR[0001]: 25 E6 9A F0  30 A9 56 E6  FF C0 3F 87  87 7A 89 74
1093	   CTR[0002]: A2 1B 46 23  76 A2 1E DD  F2 AC 4B EC  42 95 3D D3
1094	   CTR[MIC ]: C2 99 28 FF  E7 BB DB 29
1095	   Total packet length =   40. [Encrypted]
1096	              A5 EE 93 E4  57 DF 05 46  6E 78 2D CF  0B C6 BB E2
1097	              A8 B9 09 F4  62 9E E6 DC  14 8D A4 44  10 E1 8A F4
1098	              31 47 38 32  76 F6 6A 9F

1100	   =============== Packet Vector #18 ==================
1101	   CAM Key:   D7 5C 27 78  07 8C A9 3D  97 1F 96 FD  E7 20 F4 CD
1102	   Nonce =    00 0F 85 CD  99 5C 97 B1  60 B6 A3 1C  1C
1103	   Total packet length =   33. [Input (12 cleartext header octets)]
1104	              24 AA 1B F9  A5 CD 87 61  82 A2 50 74  26 45 94 1E
1105	              75 63 2D 34  91 AF 0F C0  C9 87 6C 3B  E4 AA 74 68
1106	              C9
1107	   CBC IV in: 59 00 0F 85  CD 99 5C 97  B1 60 B6 A3  1C 1C 00 15
1108	   CBC IV out:72 0A 46 75  0F 40 59 53  F2 3B D2 1F  6A 11 60 F6
1109	   After xor: 72 06 62 DF  14 B9 FC 9E  75 5A 50 BD  3A 65 60 F6   [hdr]
1110	   After CAM: 67 73 A0 FD  D5 7E D3 5E  E8 24 06 D0  A1 8B 0E 18
1111	   After xor: 41 36 34 E3  A0 1D FE 6A  79 8B 09 10  68 0C 62 23   [msg]
1112	   After CAM: BB 1E D8 9F  60 29 D0 99  09 14 06 A5  E3 8B 72 7B
1113	   After xor: 5F B4 AC F7  A9 29 D0 99  09 14 06 A5  E3 8B 72 7B   [msg]
1114	   After CAM: 3E 4F 40 73  D1 31 E9 B8  02 C8 99 BC  FD AC 19 4B
1115	   MIC tag  : 3E 4F 40 73  D1 31 E9 B8
1116	   CTR Start: 01 00 0F 85  CD 99 5C 97  B1 60 B6 A3  1C 1C 00 01
1117	   CTR[0001]: 04 6F 42 2C  8F 52 FB 9B  06 A3 3B 9F  B7 F0 A6 00
1118	   CTR[0002]: 34 76 51 DB  89 10 FB E6  73 E8 56 6E  DB 66 47 5D
1119	   CTR[MIC ]: 9F EC 93 6C  5C 7A AD 0F
1120	   Total packet length =   41. [Encrypted]
1121	              24 AA 1B F9  A5 CD 87 61  82 A2 50 74  22 2A D6 32
1122	              FA 31 D6 AF  97 0C 34 5F  7E 77 CA 3B  D0 DC 25 B3
1123	              40 A1 A3 D3  1F 8D 4B 44  B7

1125	   =============== Packet Vector #19 ==================
1126	   CAM Key:   D7 5C 27 78  07 8C A9 3D  97 1F 96 FD  E7 20 F4 CD
1127	   Nonce =    00 C2 9B 2C  AA C4 CD B1  60 B6 A3 1C  1C
1128	   Total packet length =   31. [Input (8 cleartext header octets)]
1129	              69 19 46 B9  CA 07 BE 87  07 01 35 A6  43 7C 9D B1
1130	              20 CD 61 D8  F6 C3 9C 3E  A1 25 FD 95  A0 D2 3D
1131	   CBC IV in: 61 00 C2 9B  2C AA C4 CD  B1 60 B6 A3  1C 1C 00 17
1132	   CBC IV out:74 AD F8 04  05 2A 48 E7  46 97 38 D5  BA A1 27 79
1133	   After xor: 74 A5 91 1D  43 93 82 E0  F8 10 38 D5  BA A1 27 79   [hdr]
1134	   After CAM: BD C3 B1 41  1C 64 C8 B3  A9 DC 6A 94  78 97 88 E2
1135	   After xor: BA C2 84 E7  5F 18 55 02  89 11 0B 4C  8E 54 14 DC   [msg]
1136	   After CAM: 7D 6C 8A BF  AD 68 48 D8  C5 FB CD 1E  AF F2 44 99
1137	   After xor: DC 49 77 2A  0D BA 75 D8  C5 FB CD 1E  AF F2 44 99   [msg]
1138	   After CAM: 19 99 AB 92  5E 30 46 96  3D EF FB 1B  4C 87 F7 76
1139	   MIC tag  : 19 99 AB 92  5E 30 46 96  3D EF
1140	   CTR Start: 01 00 C2 9B  2C AA C4 CD  B1 60 B6 A3  1C 1C 00 01
1141	   CTR[0001]: 02 B9 D4 1F  87 E0 60 E7  EF DE 6B 7E  D3 DE 5E D2
1142	   CTR[0002]: 61 49 31 C5  2F 34 AA 47  A3 E4 D3 2C  0B 36 41 C6
1143	   CTR[MIC ]: B9 9F C6 C5  96 7B AA 8E  1A 87
1144	   Total packet length =   41. [Encrypted]
1145	              69 19 46 B9  CA 07 BE 87  05 B8 E1 B9  C4 9C FD 56
1146	              CF 13 0A A6  25 1D C2 EC  C0 6C CC 50  8F E6 97 A0
1147	              06 6D 57 C8  4B EC 18 27  68

1149	   =============== Packet Vector #20 ==================
1150	   CAM Key:   D7 5C 27 78  07 8C A9 3D  97 1F 96 FD  E7 20 F4 CD
1151	   Nonce =    00 2C 6B 75  95 EE 62 B1  60 B6 A3 1C  1C
1152	   Total packet length =   32. [Input (8 cleartext header octets)]
1153	              D0 C5 4E CB  84 62 7D C4  C8 C0 88 0E  6C 63 6E 20
1154	              09 3D D6 59  42 17 D2 E1  88 77 DB 26  4E 71 A5 CC
1155	   CBC IV in: 61 00 2C 6B  75 95 EE 62  B1 60 B6 A3  1C 1C 00 18
1156	   CBC IV out:35 A9 48 70  F9 B0 C7 85  FB 32 1A D1  3C 8C A4 9A
1157	   After xor: 35 A1 98 B5  B7 7B 43 E7  86 F6 1A D1  3C 8C A4 9A   [hdr]
1158	   After CAM: 0A 3C E3 0F  AC 09 DC 5C  00 10 5C 69  AC 19 F7 19
1159	   After xor: C2 FC 6B 01  C0 6A B2 7C  09 2D 8A 30  EE 0E 25 F8   [msg]
1160	   After CAM: 61 CD 80 D0  72 E6 84 E1  BF E1 4A 00  27 2A 4D 96
1161	   After xor: E9 BA 5B F6  3C 97 21 2D  BF E1 4A 00  27 2A 4D 96   [msg]
1162	   After CAM: E5 F9 F2 AB  47 FD 7B 8D  6F 72 F4 72  74 D7 69 BB
1163	   MIC tag  : E5 F9 F2 AB  47 FD 7B 8D  6F 72
1164	   CTR Start: 01 00 2C 6B  75 95 EE 62  B1 60 B6 A3  1C 1C 00 01
1165	   CTR[0001]: 9C 0E 31 66  B2 81 58 31  5E 63 16 5A  9D BD CE 35
1166	   CTR[0002]: 00 3E 66 D3  E0 5F 7E A7  EF C8 9A 5F  DD 39 E3 54
1167	   CTR[MIC ]: 9A 5E 87 1A  17 10 38 0E  AA DB
1168	   Total packet length =   42. [Encrypted]
1169	              D0 C5 4E CB  84 62 7D C4  54 CE B9 68  DE E2 36 11
1170	              57 5E C0 03  DF AA 1C D4  88 49 BD F5  AE 2E DB 6B
1171	              7F A7 75 B1  50 ED 43 83  C5 A9

1173	   =============== Packet Vector #21 ==================
1174	   CAM Key:   D7 5C 27 78  07 8C A9 3D  97 1F 96 FD  E7 20 F4 CD
1175	   Nonce =    00 C5 3C D4  C2 AA 24 B1  60 B6 A3 1C  1C
1176	   Total packet length =   33. [Input (8 cleartext header octets)]
1177	              E2 85 E0 E4  80 8C DA 3D  F7 5D AA 07  10 C4 E6 42
1178	              97 79 4D C2  B7 D2 A2 07  57 B1 AA 4E  44 80 02 FF
1179	              AB
1180	   CBC IV in: 61 00 C5 3C  D4 C2 AA 24  B1 60 B6 A3  1C 1C 00 19
1181	   CBC IV out:2A 3C 23 B2  43 F5 1C 35  F7 79 5A CB  3B 20 21 2F
1182	   After xor: 2A 34 C1 37  A3 11 9C B9  2D 44 5A CB  3B 20 21 2F   [hdr]
1183	   After CAM: A1 7E AD 4C  EE AB 51 21  1D 2A 32 F2  D4 45 A6 D6
1184	   After xor: 56 23 07 4B  FE 6F B7 63  8A 53 7F 30  63 97 04 D1   [msg]
1185	   After CAM: A9 A1 32 55  8F C6 9B 98  A9 CC 23 96  FE CA 84 EB
1186	   After xor: FE 10 98 1B  CB 46 99 67  02 CC 23 96  FE CA 84 EB   [msg]
1187	   After CAM: 6A 5E 04 42  D1 A5 7E 17  9A 6C 8B 56  F7 19 80 C5
1188	   MIC tag  : 6A 5E 04 42  D1 A5 7E 17  9A 6C
1189	   CTR Start: 01 00 C5 3C  D4 C2 AA 24  B1 60 B6 A3  1C 1C 00 01
1190	   CTR[0001]: 46 1D EF 41  AF A2 94 52  5D 51 AE CB  04 49 74 CD
1191	   CTR[0002]: 29 2E 62 66  1B 66 9A 2B  97 72 6B 77  32 A8 DC 35
1192	   CTR[MIC ]: B8 54 06 A2  6C 6F 93 37  8A BF
1193	   Total packet length =   43. [Encrypted]
1194	              E2 85 E0 E4  80 8C DA 3D  B1 40 45 46  BF 66 72 10
1195	              CA 28 E3 09  B3 9B D6 CA  7E 9F C8 28  5F E6 98 D4
1196	              3C D2 0A 02  E0 BD CA ED  20 10 D3

1198	   =============== Packet Vector #22 ==================
1199	   CAM Key:   D7 5C 27 78  07 8C A9 3D  97 1F 96 FD  E7 20 F4 CD
1200	   Nonce =    00 BE E9 26  7F BA DC B1  60 B6 A3 1C  1C
1201	   Total packet length =   31. [Input (12 cleartext header octets)]
1202	              6C AE F9 94  11 41 57 0D  7C 81 34 05  C2 38 82 2F
1203	              AC 5F 98 FF  92 94 05 B0  AD 12 7A 4E  41 85 4E
1204	   CBC IV in: 61 00 BE E9  26 7F BA DC  B1 60 B6 A3  1C 1C 00 13
1205	   CBC IV out:20 60 6A D1  E1 A0 84 52  2F A3 8B F4  88 1D D6 8B
1206	   After xor: 20 6C 06 7F  18 34 95 13  78 AE F7 75  BC 18 D6 8B   [hdr]
1207	   After CAM: 71 FD FF E7  D9 C8 95 75  D3 EC 0B 7E  7B 8B BE E7
1208	   After xor: B3 C5 7D C8  75 97 0D 8A  41 78 0E CE  D6 99 C4 A9   [msg]
1209	   After CAM: CA AD 93 9C  59 BA 40 AA  1A 0B 88 1B  EE 3D 3C 65
1210	   After xor: 8B 28 DD 9C  59 BA 40 AA  1A 0B 88 1B  EE 3D 3C 65   [msg]
1211	   After CAM: DC 48 8F AA  9C 75 E7 03  17 56 C2 C7  48 48 8D 1B
1212	   MIC tag  : DC 48 8F AA  9C 75 E7 03  17 56
1213	   CTR Start: 01 00 BE E9  26 7F BA DC  B1 60 B6 A3  1C 1C 00 01
1214	   CTR[0001]: 56 F0 17 B3  BD 09 02 D6  EA A5 A2 91  AD 4A 2D E5
1215	   CTR[0002]: 20 3D 34 21  EF 5B F8 FC  7B 21 5C 76  7B A5 21 A6
1216	   CTR[MIC ]: F1 A2 86 9C  2A 9E B8 61  48 0B
1217	   Total packet length =   41. [Encrypted]
1218	              6C AE F9 94  11 41 57 0D  7C 81 34 05  94 C8 95 9C
1219	              11 56 9A 29  78 31 A7 21  00 58 57 AB  61 B8 7A 2D
1220	              EA 09 36 B6  EB 5F 62 5F  5D

1222	   =============== Packet Vector #23 ==================
1223	   CAM Key:   D7 5C 27 78  07 8C A9 3D  97 1F 96 FD  E7 20 F4 CD
1224	   Nonce =    00 DF A8 B1  24 50 07 B1  60 B6 A3 1C  1C
1225	   Total packet length =   32. [Input (12 cleartext header octets)]
1226	              36 A5 2C F1  6B 19 A2 03  7A B7 01 1E  4D BF 3E 77
1227	              4A D2 45 E5  D5 89 1F 9D  1C 32 A0 AE  02 2C 85 D7
1228	   CBC IV in: 61 00 DF A8  B1 24 50 07  B1 60 B6 A3  1C 1C 00 14
1229	   CBC IV out:78 FD B6 AF  61 9E 1C 8D  82 41 17 A8  73 60 1B 70
1230	   After xor: 78 F1 80 0A  4D 6F 77 94  20 42 6D 1F  72 7E 1B 70   [hdr]
1231	   After CAM: 62 2E 28 65  92 43 DB 82  88 79 09 1E  A7 24 54 67
1232	   After xor: 2F 91 16 12  D8 91 9E 67  5D F0 16 83  BB 16 F4 C9   [msg]
1233	   After CAM: 95 0E 52 08  FF 16 70 8C  1E D9 BB 06  3E 1E 41 CF
1234	   After xor: 97 22 D7 DF  FF 16 70 8C  1E D9 BB 06  3E 1E 41 CF   [msg]
1235	   After CAM: BA CD 51 FC  77 F4 02 8D  47 D5 7D 54  7D 46 33 4B
1236	   MIC tag  : BA CD 51 FC  77 F4 02 8D  47 D5
1237	   CTR Start: 01 00 DF A8  B1 24 50 07  B1 60 B6 A3  1C 1C 00 01
1238	   CTR[0001]: 15 D6 DD DD  98 96 39 91  35 75 1A 64  B8 D8 D4 F9
1239	   CTR[0002]: 7D 61 6D 1D  EB 92 00 2B  6F FA AB 53  BC AF 69 89
1240	   CTR[MIC ]: 33 E9 27 BE  E1 59 06 9C  DB 32
1241	   Total packet length =   42. [Encrypted]
1242	              36 A5 2C F1  6B 19 A2 03  7A B7 01 1E  58 69 E3 AA
1243	              D2 44 7C 74  E0 FC 05 F9  A4 EA 74 57  7F 4D E8 CA
1244	              89 24 76 42  96 AD 04 11  9C E7

1246	   =============== Packet Vector #24 ==================
1247	   CAM Key:   D7 5C 27 78  07 8C A9 3D  97 1F 96 FD  E7 20 F4 CD
1248	   Nonce =    00 3B 8F D8  D3 A9 37 B1  60 B6 A3 1C  1C
1249	   Total packet length =   33. [Input (12 cleartext header octets)]
1250	              A4 D4 99 F7  84 19 72 8C  19 17 8B 0C  9D C9 ED AE
1251	              2F F5 DF 86  36 E8 C6 DE  0E ED 55 F7  86 7E 33 33
1252	              7D
1253	   CBC IV in: 61 00 3B 8F  D8 D3 A9 37  B1 60 B6 A3  1C 1C 00 15
1254	   CBC IV out:84 E6 CF DD  6A 37 68 5D  E6 71 AD 54  B3 BE FE B9
1255	   After xor: 84 EA 6B 09  F3 C0 EC 44  94 FD B4 43  38 B2 FE B9   [hdr]
1256	   After CAM: C5 0F A0 62  20 18 F1 21  0E BC 3D 2E  47 B7 B8 C3
1257	   After xor: 58 C6 4D CC  0F ED 2E A7  38 54 FB F0  49 5A ED 34   [msg]
1258	   After CAM: C4 6F 6D C3  17 3C 2A 7A  81 FC 2D DA  7F B7 C6 60
1259	   After xor: 42 11 5E F0  6A 3C 2A 7A  81 FC 2D DA  7F B7 C6 60   [msg]
1260	   After CAM: DF AB 2E 76  B0 67 50 B3  7C DD 9A AC  F3 79 17 71
1261	   MIC tag  : DF AB 2E 76  B0 67 50 B3  7C DD
1262	   CTR Start: 01 00 3B 8F  D8 D3 A9 37  B1 60 B6 A3  1C 1C 00 01
1263	   CTR[0001]: D6 D0 6C F8  16 CE D0 F1  A0 E0 AC 71  BA B9 AD 34
1264	   CTR[0002]: 76 4A FF 9A  1B F8 55 1F  68 54 39 0A  EE 37 24 28
1265	   CTR[MIC ]: 4B F4 31 B8  17 86 4B 5D  16 F2
1266	   Total packet length =   43. [Encrypted]
1267	              A4 D4 99 F7  84 19 72 8C  19 17 8B 0C  4B 19 81 56
1268	              39 3B 0F 77  96 08 6A AF  B4 54 F8 C3  F0 34 CC A9
1269	              66 94 5F 1F  CE A7 E1 1B  EE 6A 2F

1271	5.  Security Considerations

1273	   Camellia-CTR and Camellia-CCM employ CTR mode for confidentiality.
1274	   If a counter value is ever used for more that one packet with the
1275	   same key, then the same key stream will be used to encrypt both
1276	   packets, and the confidentiality guarantees are voided.

1278	   What happens if the encryptor XORs the same key stream with two
1279	   different packet plaintexts?  Suppose two packets are defined by two
1280	   plaintext byte sequences P_1, P_2, P_3 and Q_1, Q_2, Q_3, then both
1281	   are encrypted with key stream K_1, K_2, K_3.  The two corresponding
1282	   ciphertexts are:

1284	         (P_1 XOR K_1), (P_2 XOR K_2), (P_3 XOR K_3)

1286	         (Q_1 XOR K_1), (Q_2 XOR K_2), (Q_3 XOR K_3)

1288	   If both of these two ciphertext streams are exposed to an attacker,
1289	   then a catastrophic failure of confidentiality results, because:

1291	         (P_1 XOR K_1) XOR (Q_1 XOR K_1) = P_1 XOR Q_1
1292	         (P_2 XOR K_2) XOR (Q_2 XOR K_2) = P_2 XOR Q_2
1293	         (P_3 XOR K_3) XOR (Q_3 XOR K_3) = P_3 XOR Q_3

1295	   Once the attacker obtains the two plaintexts XORed together, it is
1296	   relatively straightforward to separate them.  Thus, using any stream
1297	   cipher, including Camellia-CTR, to encrypt two plaintexts under the
1298	   same key stream leaks the plaintext.

1300	6.  IANA Considerations

1302	   There are no IANA assignments to be performed.

1304	7.  Acknowledgments

1306	   Thanks to Satoru Kanno, Rui Hodaifor their comments and suggestions.
1307	   Special thanks to Alfred Hoenes for several very detailed reviews and
1308	   suggestions.

1310	   This document includes text borrowed from RFC 3610 [14].

1312	8.  References

1314	8.1.  Normative

1316	   [1]   Matsui, M., Nakajima, J., and S. Moriai, "A Description of the
1317	         Camellia Encryption Algorithm", RFC 3713, April 2004.

1319	   [2]   Bradner, S., "Key words for use in RFCs to Indicate Requirement
1320	         Levels", BCP 14, RFC 2119, March 1997.

1322	8.2.  Informative

1324	   [3]   National Institute of Standards and Technology, "Advanced
1325	         Encryption Standard (AES)", FIPS PUB 197, November 2001,
1326	         <http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf>.

1328	   [4]   Kato, A., Moriai, S., and M. Kanda, "The Camellia Cipher
1329	         Algorithm and Its Use With IPsec", RFC 4312, December 2005.

1331	   [5]   Moriai, S., Kato, A., and M. Kanda, "Addition of Camellia
1332	         Cipher Suites to Transport Layer Security (TLS)", RFC 4132,
1333	         July 2005.

1335	   [6]   Moriai, S. and A. Kato, "Use of the Camellia Encryption
1336	         Algorithm in Cryptographic Message Syntax (CMS)", RFC 3657,
1337	         January 2004.

1339	   [7]   Eastlake, D., "Additional XML Security Uniform Resource
1340	         Identifiers (URIs)", RFC 4051, April 2005.

1342	   [8]   International Organization for Standardization, "Information
1343	         technology - Security techniques - Encryption algorithms - Part
1344	         3: Block ciphers", ISO/IEC 18033-3, July 2005.

1346	   [9]   "The NESSIE project (New European Schemes for Signatures,
1347	         Integrity and Encryption)",
1348	         <http://www.cosic.esat.kuleuven.ac.be/nessie/>.

1350	   [10]  Information-technology Promotion Agency (IPA), "Cryptography
1351	         Research and Evaluation Committees",
1352	         <http://www.ipa.go.jp/security/enc/CRYPTREC/index-e.html>.

1354	   [11]  "Camellia open source software",
1355	         <http://info.isl.ntt.co.jp/crypt/eng/camellia/source.html>.

1357	   [12]  "Camellia web site", <http://info.isl.ntt.co.jp/camellia/>.

1359	   [13]  Dworkin, M., "Recommendation for Block Cipher Modes of
1360	         Operation - Methods and Techniques", NIST Special
1361	         Publication 800-38A, December 2001, <http://csrc.nist.gov/
1362	         publications/nistpubs/800-38a/sp800-38a.pdf>.

1364	   [14]  Whiting, D., Housley, R., and N. Ferguson, "Counter with CBC-
1365	         MAC (CCM)", RFC 3610, September 2003.

1367	   [15]  National Institute of Standards and Technology, "Recommendation
1368	         for Block Cipher Modes Operation : The CCM Mode for
1369	         Authentication and Confidentiality", May 2004, <http://
1370	         csrc.nist.gov/publications/nistpubs/800-38C/SP800-38C.pdf>.

1372	   [16]  National Institute of Standards and Technology, "Computer Data
1373	         Authentication", FIPS PUB 113, May 1985,
1374	         <http://www.itl.nist.gov/fipspubs/fip113.htm>.

1376	Authors' Addresses

1378	   Akihiro Kato
1379	   NTT Software Corporation

1381	   Phone: +81-45-212-7577
1382	   Fax:   +81-45-212-9800
1383	   Email: akato@po.ntts.co.jp

1385	   Masayuki Kanda
1386	   Nippon Telegraph and Telephone Corporation

1388	   Phone: +81-422-59-3456
1389	   Fax:   +81-422-59-4015
1390	   Email: kanda.masayuki@lab.ntt.co.jp

1392	Full Copyright Statement

1394	   Copyright (C) The IETF Trust (2008).

1396	   This document is subject to the rights, licenses and restrictions
1397	   contained in BCP 78, and except as set forth therein, the authors
1398	   retain all their rights.

1400	   This document and the information contained herein are provided on an
1401	   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
1402	   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
1403	   THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
1404	   OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
1405	   THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
1406	   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

1408	Intellectual Property

1410	   The IETF takes no position regarding the validity or scope of any
1411	   Intellectual Property Rights or other rights that might be claimed to
1412	   pertain to the implementation or use of the technology described in
1413	   this document or the extent to which any license under such rights
1414	   might or might not be available; nor does it represent that it has
1415	   made any independent effort to identify any such rights.  Information
1416	   on the procedures with respect to rights in RFC documents can be
1417	   found in BCP 78 and BCP 79.

1419	   Copies of IPR disclosures made to the IETF Secretariat and any
1420	   assurances of licenses to be made available, or the result of an
1421	   attempt made to obtain a general license or permission for the use of
1422	   such proprietary rights by implementers or users of this
1423	   specification can be obtained from the IETF on-line IPR repository at
1424	   http://www.ietf.org/ipr.

1426	   The IETF invites any interested party to bring to its attention any
1427	   copyrights, patents or patent applications, or other proprietary
1428	   rights that may cover technology that may be required to implement
1429	   this standard.  Please address the information to the IETF at
1430	   ietf-ipr@ietf.org.