GENWiki

Premier IT Outsourcing and Support Services within the UK

User Tools

Site Tools


rfc:rfc5528

Network Working Group A. Kato Request for Comments: 5528 NTT Software Corporation Category: Informational M. Kanda

                                                                   NTT
                                                              S. Kanno
                                              NTT Software Corporation
                                                            April 2009

Camellia Counter Mode and Camellia Counter with CBC-MAC Mode Algorithms

Status of This Memo

 This memo provides information for the Internet community.  It does
 not specify an Internet standard of any kind.  Distribution of this
 memo is unlimited.

Copyright Notice

 Copyright (c) 2009 IETF Trust and the persons identified as the
 document authors.  All rights reserved.
 This document is subject to BCP 78 and the IETF Trust's Legal
 Provisions Relating to IETF Documents in effect on the date of
 publication of this document (http://trustee.ietf.org/license-info).
 Please review these documents carefully, as they describe your rights
 and restrictions with respect to this document.

Abstract

 This document describes the algorithms and presents test vectors for
 the Camellia block cipher algorithm in Counter mode (CTR) and Counter
 with Cipher Block Chaining MAC mode (CCM).  The purpose of this
 document is to make the Camellia-CTR and Camellia-CCM algorithm
 conveniently available to the Internet Community.

Kato, et al. Informational [Page 1] RFC 5528 Camellia-CTR and Camellia-CCM algorithms April 2009

Table of Contents

 1. Introduction ....................................................2
    1.1. Terminology ................................................3
 2. The Camellia Cipher Algorithm ...................................3
    2.1. Key Size ...................................................3
    2.2. Weak Keys ..................................................3
    2.3. Block Size and Padding .....................................3
    2.4. Performance ................................................4
 3. Modes of Operation ..............................................4
 4. Test Vectors ....................................................4
    4.1. Camellia-CTR ...............................................4
    4.2. Camellia-CCM ...............................................7
 5. Security Considerations ........................................20
 6. Acknowledgments ................................................20
 7. References .....................................................20
    7.1. Normative References ......................................20
    7.2. Informative References ....................................20

1. Introduction

 This document describes the use of the Camellia block cipher
 algorithm in Counter (CTR) mode and Counter with CBC-MAC (CCM) mode.
 Camellia is a symmetric cipher with a Feistel structure.  Camellia
 was developed jointly by NTT and Mitsubishi Electric Corporation in
 2000.  It was designed to withstand all known cryptanalytic attacks,
 and it has been scrutinized by worldwide cryptographic experts.
 Camellia is suitable for implementation in software and hardware,
 offering encryption speed in software and hardware implementations
 that is comparable to Advanced Encryption Standard (AES) [5].
 Camellia supports 128-bit block size and 128-, 192-, and 256-bit key
 lengths, i.e., the same interface specifications as the AES.
 Therefore, it is easy to implement Camellia-based algorithms by
 replacing the AES block of AES-based algorithms with a Camellia
 block.
 Camellia already has been adopted by the IETF and other international
 standardization organizations; in particular, the IETF has published
 specifications for the use of Camellia with IPsec [6], TLS [7],
 Secure/Multipurpose Internet Mail Extensions (S/MIME) [8], and XML
 Securiy [9].  Camellia is one of the three ISO/IEC international
 standard [10] 128-bit block ciphers (Camellia, AES, and Super
 Effective and Efficient Delivery (SEED)).  Camellia was selected as a
 recommended cryptographic primitive by the EU NESSIE (New European
 Schemes for Signatures, Integrity and Encryption) project [11] and

Kato, et al. Informational [Page 2] RFC 5528 Camellia-CTR and Camellia-CCM algorithms April 2009

 was included in the list of cryptographic techniques for Japanese
 e-Government systems that was selected by the Japanese CRYPTREC
 (Cryptography Research and Evaluation Committees) [12].
 Since optimized source code is provided under several open source
 licenses [13], Camellia has also been adopted by several open source
 projects (OpenSSL, FreeBSD, Linux, and Firefox).
 The algorithm specification and object identifiers are described in
 [1].
 The Camellia web site [14] contains a wealth of information about
 Camellia, including detailed specification, security analysis,
 performance figures, reference implementation, optimized
 implementation, test vectors (TVs), and intellectual property
 information.

1.1. Terminology

 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
 document are to be interpreted as described in RFC 2119 [2].
 All multi-octet values in this document are encoded and represented
 in network byte order, i.e., most significant octet first.

2. The Camellia Cipher Algorithm

 All symmetric block cipher algorithms share common characteristics
 and variables, including mode, key size, weak keys, and block size.
 The following sections contain descriptions of the relevant
 characteristics of Camellia.

2.1. Key Size

 Camellia supports three key sizes: 128 bits, 192 bits, and 256 bits.
 The default key size is 128 bits, and all implementations MUST
 support this key size.  Implementations MAY also support key sizes of
 192 bits and 256 bits.

2.2. Weak Keys

 At the time of writing this document, there are no known weak keys
 for Camellia.

2.3. Block Size and Padding

 Camellia uses a block size of 16 octets (128 bits).

Kato, et al. Informational [Page 3] RFC 5528 Camellia-CTR and Camellia-CCM algorithms April 2009

 Padding is required by the algorithm to maintain a 16-octet (128-bit)
 block size.  Padding MUST be added such that the data to be encrypted
 has a length that is a multiple of 16 octets.
 Because of the algorithm-specific padding requirement, no additional
 padding is required to ensure that the ciphertext terminates on a
 4-octet boundary (i.e., maintaining a 16-octet block size guarantees
 that the Encapsulating Security Payload (ESP) Pad Length and Next
 Header fields will be right aligned within a 4-octet word).
 Additional padding MAY be included as long as the 16-octet block size
 is maintained.

2.4. Performance

 Performance figures for Camellia are available at [14].  The NESSIE
 project has reported on the performance of optimized implementations
 independently [11].

3. Modes of Operation

 Camellia Counter (Camellia-CTR) mode and Camellia Counter with CBC-
 MAC (Camellia-CCM) mode are based on [3][15][4].
 CTR mode [3] behaves like a stream cipher, but is based on a block
 cipher primitive (that is, CTR mode operation of a block cipher
 results in a stream cipher).
 CCM mode [15][4] is a generic authenticate-and-encrypt block cipher
 mode.  In this specification, CCM is used with the Camellia [1] block
 cipher.

4. Test Vectors

4.1. Camellia-CTR

 This section contains nine TVs, which can be used to confirm that an
 implementation has correctly implemented Camellia-CTR.  The first
 three TVs use Camellia with a 128-bit key; the next three TVs use
 Camellia with a 192-bit key; and the last three TVs use Camellia with
 a 256-bit key.

Kato, et al. Informational [Page 4] RFC 5528 Camellia-CTR and Camellia-CCM algorithms April 2009

 TV #1: Encrypting 16 octets using Camellia-CTR with 128-bit key
 Camellia Key     : AE 68 52 F8 12 10 67 CC 4B F7 A5 76 55 77 F3 9E
 Camellia-CTR IV  : 00 00 00 00 00 00 00 00
 Nonce            : 00 00 00 30
 Plaintext        : 53 69 6E 67 6C 65 20 62 6C 6F 63 6B 20 6D 73 67
 Counter Block (1): 00 00 00 30 00 00 00 00 00 00 00 00 00 00 00 01
 Key Stream    (1): 83 F4 AC FD EE 71 41 F8 4C E8 1F 1D FB 72 78 58
 Ciphertext       : D0 9D C2 9A 82 14 61 9A 20 87 7C 76 DB 1F 0B 3F
 TV #2: Encrypting 32 octets using Camellia-CTR with 128-bit key
 Camellia Key     : 7E 24 06 78 17 FA E0 D7 43 D6 CE 1F 32 53 91 63
 Camellia-CTR IV  : C0 54 3B 59 DA 48 D9 0B
 Nonce            : 00 6C B6 DB
 Plaintext        : 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
                  : 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F
 Counter Block (1): 00 6C B6 DB C0 54 3B 59 DA 48 D9 0B 00 00 00 01
 Key Stream    (1): DB F2 C5 8E C4 86 90 D3 D2 75 9A 7C 69 B6 C5 4B
 Counter Block (2): 00 6C B6 DB C0 54 3B 59 DA 48 D9 0B 00 00 00 02
 Key Stream    (2): 3B 9F 9C 1C 25 E5 CA B0 34 6D 0D F8 4F 7D FE 57
 Ciphertext       : DB F3 C7 8D C0 83 96 D4 DA 7C 90 77 65 BB CB 44
                  : 2B 8E 8E 0F 31 F0 DC A7 2C 74 17 E3 53 60 E0 48
 TV #3: Encrypting 36 octets using Camellia-CTR with 128-bit key
 Camellia Key     : 76 91 BE 03 5E 50 20 A8 AC 6E 61 85 29 F9 A0 DC
 Camellia-CTR IV  : 27 77 7F 3F 4A 17 86 F0
 Nonce            : 00 E0 01 7B
 Plaintext        : 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
                  : 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F
                  : 20 21 22 23
 Counter Block (1): 00 E0 01 7B 27 77 7F 3F 4A 17 86 F0 00 00 00 01
 Key Stream    (1): B1 9C 1D CE CF 70 ED 8F 27 8D 96 E9 41 88 C1 7C
 Counter Block (2): 00 E0 01 7B 27 77 7F 3F 4A 17 86 F0 00 00 00 02
 Key Stream    (2): 8C F7 59 38 48 88 65 E6 57 34 47 86 D2 85 97 D2
 Counter Block (3): 00 E0 01 7B 27 77 7F 3F 4A 17 86 F0 00 00 00 03
 Key Stream    (3): FF 71 A4 B5 D8 86 12 53 6A 9D 10 A1 13 0F 14 F8
 Ciphertext       : B1 9D 1F CD CB 75 EB 88 2F 84 9C E2 4D 85 CF 73
                  : 9C E6 4B 2B 5C 9D 73 F1 4F 2D 5D 9D CE 98 89 CD
                  : DF 50 86 96
 TV #4: Encrypting 16 octets using Camellia-CTR with 192-bit key
 Camellia Key     : 16 AF 5B 14 5F C9 F5 79 C1 75 F9 3E 3B FB 0E ED
                  : 86 3D 06 CC FD B7 85 15
 Camellia-CTR IV  : 36 73 3C 14 7D 6D 93 CB
 Nonce            : 00 00 00 48
 Plaintext        : 53 69 6E 67 6C 65 20 62 6C 6F 63 6B 20 6D 73 67
 Counter Block (1): 00 00 00 48 36 73 3C 14 7D 6D 93 CB 00 00 00 01
 Key Stream    (1): 70 10 57 F9 E6 E8 0B 49 7A 1F 4C AC AB F3 E5 F1
 Ciphertext       : 23 79 39 9E 8A 8D 2B 2B 16 70 2F C7 8B 9E 96 96

Kato, et al. Informational [Page 5] RFC 5528 Camellia-CTR and Camellia-CCM algorithms April 2009

 TV #5: Encrypting 32 octets using Camellia-CTR with 192-bit key
 Camellia Key     : 7C 5C B2 40 1B 3D C3 3C 19 E7 34 08 19 E0 F6 9C
                  : 67 8C 3D B8 E6 F6 A9 1A
 Camellia-CTR IV  : 02 0C 6E AD C2 CB 50 0D
 Nonce            : 00 96 B0 3B
 Plaintext        : 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
                  : 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F
 Counter Block (1): 00 96 B0 3B 02 0C 6E AD C2 CB 50 0D 00 00 00 01
 Key Stream    (1): 7D EE 36 F4 A1 D5 E2 12 6F 42 75 F7 A2 6A C9 52
 Counter Block (2): 00 96 B0 3B 02 0C 6E AD C2 CB 50 0D 00 00 00 02
 Key Stream    (2): C0 09 AA 7C E6 25 47 F7 4E 20 30 82 EF 47 52 F2
 Ciphertext       : 7D EF 34 F7 A5 D0 E4 15 67 4B 7F FC AE 67 C7 5D
                  : D0 18 B8 6F F2 30 51 E0 56 39 2A 99 F3 5A 4C ED
 TV #6: Encrypting 36 octets using Camellia-CTR with 192-bit key
 Camellia Key     : 02 BF 39 1E E8 EC B1 59 B9 59 61 7B 09 65 27 9B
                  : F5 9B 60 A7 86 D3 E0 FE
 Camellia-CTR IV  : 5C BD 60 27 8D CC 09 12
 Nonce            : 00 07 BD FD
 Plaintext        : 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
                  : 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F
                  : 20 21 22 23
 Counter Block (1): 00 07 BD FD 5C BD 60 27 8D CC 09 12 00 00 00 01
 Key Stream    (1): 57 11 E7 55 E5 4D 7C 27 BD A5 04 78 FD 93 40 77
 Counter Block (2): 00 07 BD FD 5C BD 60 27 8D CC 09 12 00 00 00 02
 Key Stream    (2): 66 E2 6D CF 85 A4 F9 5A 55 B4 F2 FD 7A BB 53 11
 Counter Block (3): 00 07 BD FD 5C BD 60 27 8D CC 09 12 00 00 00 03
 Key Stream    (3): F5 76 89 74 63 52 A8 C5 1E 82 DE 66 C3 9F 38 34
 Ciphertext       : 57 10 E5 56 E1 48 7A 20 B5 AC 0E 73 F1 9E 4E 78
                  : 76 F3 7F DC 91 B1 EF 4D 4D AD E8 E6 66 A6 4D 0E
                  : D5 57 AB 57
 TV #7: Encrypting 16 octets using Camellia-CTR with 256-bit key
 Camellia Key     : 77 6B EF F2 85 1D B0 6F 4C 8A 05 42 C8 69 6F 6C
                  : 6A 81 AF 1E EC 96 B4 D3 7F C1 D6 89 E6 C1 C1 04
 Camellia-CTR IV  : DB 56 72 C9 7A A8 F0 B2
 Nonce            : 00 00 00 60
 Plaintext        : 53 69 6E 67 6C 65 20 62 6C 6F 63 6B 20 6D 73 67
 Counter Block (1): 00 00 00 60 DB 56 72 C9 7A A8 F0 B2 00 00 00 01
 Key Stream    (1): 67 68 97 AF 48 1B DF AC D1 06 F7 1A 6C 76 C8 76
 Ciphertext       : 34 01 F9 C8 24 7E FF CE BD 69 94 71 4C 1B BB 11

Kato, et al. Informational [Page 6] RFC 5528 Camellia-CTR and Camellia-CCM algorithms April 2009

 TV #8: Encrypting 32 octets using Camellia-CTR with 256-bit key
 Camellia Key     : F6 D6 6D 6B D5 2D 59 BB 07 96 36 58 79 EF F8 86
                  : C6 6D D5 1A 5B 6A 99 74 4B 50 59 0C 87 A2 38 84
 Camellia-CTR IV  : C1 58 5E F1 5A 43 D8 75
 Nonce            : 00 FA AC 24
 Plaintext        : 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
                  : 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F
 Counter Block (1): 00 FA AC 24 C1 58 5E F1 5A 43 D8 75 00 00 00 01
 Key Stream    (1): D6 C2 01 91 20 6A 7E 0F A0 35 21 29 A4 8E 90 4A
 Counter Block (2): 00 FA AC 24 C1 58 5E F1 5A 43 D8 75 00 00 00 02
 Key Stream    (2): F5 0D C6 99 08 CA 56 79 A4 85 D8 C8 B7 9E 5F 17
 Ciphertext       : D6 C3 03 92 24 6F 78 08 A8 3C 2B 22 A8 83 9E 45
                  : E5 1C D4 8A 1C DF 40 6E BC 9C C2 D3 AB 83 41 08
 TV #9: Encrypting 36 octets using Camellia-CTR with 256-bit key
 Camellia Key     : FF 7A 61 7C E6 91 48 E4 F1 72 6E 2F 43 58 1D E2
                  : AA 62 D9 F8 05 53 2E DF F1 EE D6 87 FB 54 15 3D
 Camellia-CTR IV  : 51 A5 1D 70 A1 C1 11 48
 Nonce            : 00 1C C5 B7
 Plaintext        : 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
                  : 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F
                  : 20 21 22 23
 Counter Block (1): 00 1C C5 B7 51 A5 1D 70 A1 C1 11 48 00 00 00 01
 Key Stream    (1): A4 DB 21 FF E2 A0 F9 AD 65 6D A4 91 0A 5F AA 23
 Counter Block (2): 00 1C C5 B7 51 A5 1D 70 A1 C1 11 48 00 00 00 02
 Key Stream    (2): C1 70 B1 58 71 EC 71 88 6D D9 05 0B 03 6C 39 70
 Counter Block (3): 00 1C C5 B7 51 A5 1D 70 A1 C1 11 48 00 00 00 03
 Key Stream    (3): 35 CE 2F AE 90 78 B3 72 F5 76 12 39 1F 8B AF BF
 Ciphertext       : A4 DA 23 FC E6 A5 FF AA 6D 64 AE 9A 06 52 A4 2C
                  : D1 61 A3 4B 65 F9 67 9F 75 C0 1F 10 1F 71 27 6F
                  : 15 EF 0D 8D

4.2. Camellia-CCM

 This section contains twenty four TVs, which can be used to confirm
 that an implementation has correctly implemented Camellia-CCM.  In
 each of these TVs, the least significant sixteen bits of the counter
 block is used for the block counter, and the nonce is 13 octets.
 Some of the TVs include an eight octet authentication value, and
 others include a ten octet authentication value.

Kato, et al. Informational [Page 7] RFC 5528 Camellia-CTR and Camellia-CCM algorithms April 2009

 =============== Packet Vector #1 ==================
 CAM Key:   C0 C1 C2 C3  C4 C5 C6 C7  C8 C9 CA CB  CC CD CE CF
 Nonce =    00 00 00 03  02 01 00 A0  A1 A2 A3 A4  A5
 Total packet length =   31. [Input (8 cleartext header octets)]
            00 01 02 03  04 05 06 07  08 09 0A 0B  0C 0D 0E 0F
            10 11 12 13  14 15 16 17  18 19 1A 1B  1C 1D 1E
 CBC IV in: 59 00 00 00  03 02 01 00  A0 A1 A2 A3  A4 A5 00 17
 CBC IV out:D4 DB CD 92  A8 96 41 56  1D 0D BB D0  D5 7F 7E 1D
 After xor: D4 D3 CD 93  AA 95 45 53  1B 0A BB D0  D5 7F 7E 1D   [hdr]
 After CAM: BD 84 03 80  73 59 37 B7  CE F5 E4 BA  1B 18 54 DC
 After xor: B5 8D 09 8B  7F 54 39 B8  DE E4 F6 A9  0F 0D 42 CB   [msg]
 After CAM: CE 21 82 9C  F6 F2 4D A2  CB 35 D1 FD  81 27 63 EC
 After xor: D6 38 98 87  EA EF 53 A2  CB 35 D1 FD  81 27 63 EC   [msg]
 After CAM: 20 11 FE E2  53 B1 A7 DB  02 77 FA 37  6D 78 EE 10
 MIC tag  : 20 11 FE E2  53 B1 A7 DB
 CTR Start: 01 00 00 00  03 02 01 00  A0 A1 A2 A3  A4 A5 00 01
 CTR[0001]: B2 7A 7B 8E  EB 14 3F 0B  82 E2 98 4C  06 44 CC 42
 CTR[0002]: E2 E2 D3 52  98 97 13 45  D1 63 22 90  E7 F8 15 4A
 CTR[MIC ]: DC BF 30 96  38 8C 1E 76
 Total packet length =   39. [Encrypted]
            00 01 02 03  04 05 06 07  BA 73 71 85  E7 19 31 04
            92 F3 8A 5F  12 51 DA 55  FA FB C9 49  84 8A 0D FC
            AE CE 74 6B  3D B9 AD
 =============== Packet Vector #2 ==================
 CAM Key:   C0 C1 C2 C3  C4 C5 C6 C7  C8 C9 CA CB  CC CD CE CF
 Nonce =    00 00 00 04  03 02 01 A0  A1 A2 A3 A4  A5
 Total packet length =   32. [Input (8 cleartext header octets)]
            00 01 02 03  04 05 06 07  08 09 0A 0B  0C 0D 0E 0F
            10 11 12 13  14 15 16 17  18 19 1A 1B  1C 1D 1E 1F
 CBC IV in: 59 00 00 00  04 03 02 01  A0 A1 A2 A3  A4 A5 00 18
 CBC IV out:07 0B 22 50  8A 24 3C DD  5B BA 54 DB  60 52 88 06
 After xor: 07 03 22 51  88 27 38 D8  5D BD 54 DB  60 52 88 06   [hdr]
 After CAM: 10 FD C2 F2  90 4A 9F 96  B0 4F 62 A4  A1 A9 31 1E
 After xor: 18 F4 C8 F9  9C 47 91 99  A0 5E 70 B7  B5 BC 27 09   [msg]
 After CAM: E4 C8 82 02  89 55 5C 15  CE 7F E4 60  B1 B9 5A 08
 After xor: FC D1 98 19  95 48 42 0A  CE 7F E4 60  B1 B9 5A 08   [msg]
 After CAM: D2 96 BA 4F  83 DE B5 DF  A2 19 08 F7  47 4E 3C 40
 MIC tag  : D2 96 BA 4F  83 DE B5 DF
 CTR Start: 01 00 00 00  04 03 02 01  A0 A1 A2 A3  A4 A5 00 01
 CTR[0001]: 55 2C 6E B4  82 A2 EF D6  85 37 FE 12  79 0E E6 55
 CTR[0002]: 54 E2 C8 D6  7E 99 91 2C  F2 8A D7 8E  83 04 10 36
 CTR[MIC ]: B2 24 93 12  71 9C 36 37
 Total packet length =   40. [Encrypted]
            00 01 02 03  04 05 06 07  5D 25 64 BF  8E AF E1 D9
            95 26 EC 01  6D 1B F0 42  4C FB D2 CD  62 84 8F 33
            60 B2 29 5D  F2 42 83 E8

Kato, et al. Informational [Page 8] RFC 5528 Camellia-CTR and Camellia-CCM algorithms April 2009

 =============== Packet Vector #3 ==================
 CAM Key:   C0 C1 C2 C3  C4 C5 C6 C7  C8 C9 CA CB  CC CD CE CF
 Nonce =    00 00 00 05  04 03 02 A0  A1 A2 A3 A4  A5
 Total packet length =   33. [Input (8 cleartext header octets)]
            00 01 02 03  04 05 06 07  08 09 0A 0B  0C 0D 0E 0F
            10 11 12 13  14 15 16 17  18 19 1A 1B  1C 1D 1E 1F
            20
 CBC IV in: 59 00 00 00  05 04 03 02  A0 A1 A2 A3  A4 A5 00 19
 CBC IV out:6F 69 15 DF  A6 A0 DF 24  84 A7 37 88  A3 65 F9 2E
 After xor: 6F 61 15 DE  A4 A3 DB 21  82 A0 37 88  A3 65 F9 2E   [hdr]
 After CAM: 59 5D 99 48  79 04 DA C9  13 93 36 C9  11 A8 09 1D
 After xor: 51 54 93 43  75 09 D4 C6  03 82 24 DA  05 BD 1F 0A   [msg]
 After CAM: 1A 43 D7 19  65 43 97 C1  43 6F 4F 11  A7 6C 6B ED
 After xor: 02 5A CD 02  79 5E 89 DE  63 6F 4F 11  A7 6C 6B ED   [msg]
 After CAM: 30 0B 06 8A  A0 D1 4D C5  9E 44 22 84  82 45 42 0B
 MIC tag  : 30 0B 06 8A  A0 D1 4D C5
 CTR Start: 01 00 00 00  05 04 03 02  A0 A1 A2 A3  A4 A5 00 01
 CTR[0001]: 89 FF 69 DD  CB 75 76 18  E9 31 24 1B  AD 97 BB 02
 CTR[0002]: C4 32 A7 9C  CB 4B E9 8D  24 A8 F0 AB  C6 87 16 11
 CTR[MIC ]: C5 5A D0 E2  8F F2 E7 83
 Total packet length =   41. [Encrypted]
            00 01 02 03  04 05 06 07  81 F6 63 D6  C7 78 78 17
            F9 20 36 08  B9 82 AD 15  DC 2B BD 87  D7 56 F7 92
            04 F5 51 D6  68 2F 23 AA  46
 =============== Packet Vector #4 ==================
 CAM Key:   C0 C1 C2 C3  C4 C5 C6 C7  C8 C9 CA CB  CC CD CE CF
 Nonce =    00 00 00 06  05 04 03 A0  A1 A2 A3 A4  A5
 Total packet length =   31. [Input (12 cleartext header octets)]
            00 01 02 03  04 05 06 07  08 09 0A 0B  0C 0D 0E 0F
            10 11 12 13  14 15 16 17  18 19 1A 1B  1C 1D 1E
 CBC IV in: 59 00 00 00  06 05 04 03  A0 A1 A2 A3  A4 A5 00 13
 CBC IV out:F5 51 CF 6C  7C F7 D4 0B  2B 76 F1 6B  57 F0 19 FE
 After xor: F5 5D CF 6D  7E F4 D0 0E  2D 71 F9 62  5D FB 19 FE   [hdr]
 After CAM: 02 2B 21 1B  EB 97 02 3B  F8 10 7D CC  62 14 E5 7C
 After xor: 0E 26 2F 14  FB 86 10 28  EC 05 6B DB  7A 0D FF 67   [msg]
 After CAM: 48 14 A4 2D  31 25 1C 37  19 C5 6F DD  5A 37 81 42
 After xor: 54 09 BA 2D  31 25 1C 37  19 C5 6F DD  5A 37 81 42   [msg]
 After CAM: CF 85 25 D2  80 D5 F0 09  53 2C 9D 43  4E F3 04 47
 MIC tag  : CF 85 25 D2  80 D5 F0 09
 CTR Start: 01 00 00 00  06 05 04 03  A0 A1 A2 A3  A4 A5 00 01
 CTR[0001]: C6 E2 10 8D  62 00 A2 9C  6F CC 19 1F  DF 6B 92 DB
 CTR[0002]: 6C B9 BE EE  1E A2 E9 B3  2D D6 C2 9A  E8 26 D5 C2
 CTR[MIC ]: 44 BF B6 E8  E3 31 67 A9
 Total packet length =   39. [Encrypted]
            00 01 02 03  04 05 06 07  08 09 0A 0B  CA EF 1E 82
            72 11 B0 8F  7B D9 0F 08  C7 72 88 C0  70 A4 A0 8B
            3A 93 3A 63  E4 97 A0

Kato, et al. Informational [Page 9] RFC 5528 Camellia-CTR and Camellia-CCM algorithms April 2009

 =============== Packet Vector #5 ==================
 CAM Key:   C0 C1 C2 C3  C4 C5 C6 C7  C8 C9 CA CB  CC CD CE CF
 Nonce =    00 00 00 07  06 05 04 A0  A1 A2 A3 A4  A5
 Total packet length =   32. [Input (12 cleartext header octets)]
            00 01 02 03  04 05 06 07  08 09 0A 0B  0C 0D 0E 0F
            10 11 12 13  14 15 16 17  18 19 1A 1B  1C 1D 1E 1F
 CBC IV in: 59 00 00 00  07 06 05 04  A0 A1 A2 A3  A4 A5 00 14
 CBC IV out:73 72 9D 76  7A BD B9 82  60 3A 12 7B  EF 26 FB 80
 After xor: 73 7E 9D 77  78 BE BD 87  66 3D 1A 72  E5 2D FB 80   [hdr]
 After CAM: E1 B7 A6 72  E2 5C 87 75  91 21 22 A4  07 13 CD 5B
 After xor: ED BA A8 7D  F2 4D 95 66  85 34 34 B3  1F 0A D7 40   [msg]
 After CAM: 13 2F 58 D9  5D 0F 95 B8  90 BF 6F 1D  31 84 54 C7
 After xor: 0F 32 46 C6  5D 0F 95 B8  90 BF 6F 1D  31 84 54 C7   [msg]
 After CAM: 47 8F 1E B0  71 24 8B 13  AF C8 C8 44  E6 0F 88 B6
 MIC tag  : 47 8F 1E B0  71 24 8B 13
 CTR Start: 01 00 00 00  07 06 05 04  A0 A1 A2 A3  A4 A5 00 01
 CTR[0001]: 26 DE B4 D6  5F D4 3C 81  AA 56 98 95  64 09 39 A2
 CTR[0002]: 76 97 69 3A  21 13 0C 39  2E 4E EB BF  48 7B 24 BE
 CTR[MIC ]: C8 2E 65 17  82 15 50 1A
 Total packet length =   40. [Encrypted]
            00 01 02 03  04 05 06 07  08 09 0A 0B  2A D3 BA D9
            4F C5 2E 92  BE 43 8E 82  7C 10 23 B9  6A 8A 77 25
            8F A1 7B A7  F3 31 DB 09
 =============== Packet Vector #6 ==================
 CAM Key:   C0 C1 C2 C3  C4 C5 C6 C7  C8 C9 CA CB  CC CD CE CF
 Nonce =    00 00 00 08  07 06 05 A0  A1 A2 A3 A4  A5
 Total packet length =   33. [Input (12 cleartext header octets)]
            00 01 02 03  04 05 06 07  08 09 0A 0B  0C 0D 0E 0F
            10 11 12 13  14 15 16 17  18 19 1A 1B  1C 1D 1E 1F
            20
 CBC IV in: 59 00 00 00  08 07 06 05  A0 A1 A2 A3  A4 A5 00 15
 CBC IV out:EB 59 05 CC  3F 52 61 10  26 24 75 93  DD B9 A0 F4
 After xor: EB 55 05 CD  3D 51 65 15  20 23 7D 9A  D7 B2 A0 F4   [hdr]
 After CAM: 18 A9 AE A4  3D D2 A9 11  6C 0A E5 4F  40 D1 4D 9F
 After xor: 14 A4 A0 AB  2D C3 BB 02  78 1F F3 58  58 C8 57 84   [msg]
 After CAM: FA C4 13 18  98 54 1B 54  93 9C 64 B8  CB FD 5B 18
 After xor: E6 D9 0D 07  B8 54 1B 54  93 9C 64 B8  CB FD 5B 18   [msg]
 After CAM: 49 E6 E8 ED  32 FB CA 2F  2E 55 CD AF  D0 F2 B3 05
 MIC tag  : 49 E6 E8 ED  32 FB CA 2F
 CTR Start: 01 00 00 00  08 07 06 05  A0 A1 A2 A3  A4 A5 00 01
 CTR[0001]: F2 A8 46 04  B5 2E BA C0  D7 51 34 BD  D6 54 FC 64
 CTR[0002]: E6 26 A9 24  8B E6 86 CB  92 D6 FB FC  2E F2 91 98
 CTR[MIC ]: E2 D0 49 03  7D 1B 34 07
 Total packet length =   41. [Encrypted]
            00 01 02 03  04 05 06 07  08 09 0A 0B  FE A5 48 0B
            A5 3F A8 D3  C3 44 22 AA  CE 4D E6 7F  FA 3B B7 3B
            AB AB 36 A1  EE 4F E0 FE  28

Kato, et al. Informational [Page 10] RFC 5528 Camellia-CTR and Camellia-CCM algorithms April 2009

 =============== Packet Vector #7 ==================
 CAM Key:   C0 C1 C2 C3  C4 C5 C6 C7  C8 C9 CA CB  CC CD CE CF
 Nonce =    00 00 00 09  08 07 06 A0  A1 A2 A3 A4  A5
 Total packet length =   31. [Input (8 cleartext header octets)]
            00 01 02 03  04 05 06 07  08 09 0A 0B  0C 0D 0E 0F
            10 11 12 13  14 15 16 17  18 19 1A 1B  1C 1D 1E
 CBC IV in: 61 00 00 00  09 08 07 06  A0 A1 A2 A3  A4 A5 00 17
 CBC IV out:AC F1 5D 79  99 1A 15 BF  5C DC F6 C4  45 AE 1F CB
 After xor: AC F9 5D 78  9B 19 11 BA  5A DB F6 C4  45 AE 1F CB   [hdr]
 After CAM: E9 C0 AC FD  C7 E8 E7 1D  FA E8 8B 66  95 9E 01 45
 After xor: E1 C9 A6 F6  CB E5 E9 12  EA F9 99 75  81 8B 17 52   [msg]
 After CAM: 9C FF ED 72  09 A6 7D 2A  48 B7 29 BF  D8 BE 39 59
 After xor: 84 E6 F7 69  15 BB 63 2A  48 B7 29 BF  D8 BE 39 59   [msg]
 After CAM: 4F 41 FA DE  B2 58 F3 32  54 0A 55 7A  80 4A A3 F5
 MIC tag  : 4F 41 FA DE  B2 58 F3 32  54 0A
 CTR Start: 01 00 00 00  09 08 07 06  A0 A1 A2 A3  A4 A5 00 01
 CTR[0001]: 5C 5A 2A 2D  E9 41 1F 95  9D 27 CB FF  7A 0B CF 63
 CTR[0002]: 0E D1 6A 97  57 41 32 4F  33 1B 4A 42  B1 4A 54 63
 CTR[MIC ]: E3 EE 59 62  7D 22 BD 8D  C1 79
 Total packet length =   41. [Encrypted]
            00 01 02 03  04 05 06 07  54 53 20 26  E5 4C 11 9A
            8D 36 D9 EC  6E 1E D9 74  16 C8 70 8C  4B 5C 2C AC
            AF A3 BC CF  7A 4E BF 95  73
 =============== Packet Vector #8 ==================
 CAM Key:   C0 C1 C2 C3  C4 C5 C6 C7  C8 C9 CA CB  CC CD CE CF
 Nonce =    00 00 00 0A  09 08 07 A0  A1 A2 A3 A4  A5
 Total packet length =   32. [Input (8 cleartext header octets)]
            00 01 02 03  04 05 06 07  08 09 0A 0B  0C 0D 0E 0F
            10 11 12 13  14 15 16 17  18 19 1A 1B  1C 1D 1E 1F
 CBC IV in: 61 00 00 00  0A 09 08 07  A0 A1 A2 A3  A4 A5 00 18
 CBC IV out:AD CA 1C 1D  45 E7 E2 62  58 D5 DA 46  D8 2F 69 3A
 After xor: AD C2 1C 1C  47 E4 E6 67  5E D2 DA 46  D8 2F 69 3A   [hdr]
 After CAM: FA DE 0E B4  3E CA C1 E9  69 BB 8C A4  7C 0D 80 8F
 After xor: F2 D7 04 BF  32 C7 CF E6  79 AA 9E B7  68 18 96 98   [msg]
 After CAM: D2 87 35 C2  D0 E4 AE 4E  BC C2 99 FF  B3 77 F8 A1
 After xor: CA 9E 2F D9  CC F9 B0 51  BC C2 99 FF  B3 77 F8 A1   [msg]
 After CAM: BD F6 FB 55  9E 90 C0 E7  DF 4B 0C 37  DC 42 32 A2
 MIC tag  : BD F6 FB 55  9E 90 C0 E7  DF 4B
 CTR Start: 01 00 00 00  0A 09 08 07  A0 A1 A2 A3  A4 A5 00 01
 CTR[0001]: 82 D8 91 0B  16 8A DF 47  E4 C8 39 FC  20 47 4A DB
 CTR[0002]: FB BF 26 7E  0E BB EB 6A  07 4E 29 CF  3D 12 E6 DB
 CTR[MIC ]: CE 7E 1F C4  A0 61 87 E6  2B 0A
 Total packet length =   42. [Encrypted]
            00 01 02 03  04 05 06 07  8A D1 9B 00  1A 87 D1 48
            F4 D9 2B EF  34 52 5C CC  E3 A6 3C 65  12 A6 F5 75
            73 88 E4 91  3E F1 47 01  F4 41

Kato, et al. Informational [Page 11] RFC 5528 Camellia-CTR and Camellia-CCM algorithms April 2009

 =============== Packet Vector #9 ==================
 CAM Key:   C0 C1 C2 C3  C4 C5 C6 C7  C8 C9 CA CB  CC CD CE CF
 Nonce =    00 00 00 0B  0A 09 08 A0  A1 A2 A3 A4  A5
 Total packet length =   33. [Input (8 cleartext header octets)]
            00 01 02 03  04 05 06 07  08 09 0A 0B  0C 0D 0E 0F
            10 11 12 13  14 15 16 17  18 19 1A 1B  1C 1D 1E 1F
            20
 CBC IV in: 61 00 00 00  0B 0A 09 08  A0 A1 A2 A3  A4 A5 00 19
 CBC IV out:D0 A9 A5 94  00 63 86 40  11 0D DB 40  CA F8 4A 9C
 After xor: D0 A1 A5 95  02 60 82 45  17 0A DB 40  CA F8 4A 9C   [hdr]
 After CAM: 7B CA 4E 2D  79 82 0D 1E  15 22 DD E8  37 B9 B1 F0
 After xor: 73 C3 44 26  75 8F 03 11  05 33 CF FB  23 AC A7 E7   [msg]
 After CAM: 6B 75 9F 83  C0 8F 56 64  F2 FA D5 7F  67 01 B8 21
 After xor: 73 6C 85 98  DC 92 48 7B  D2 FA D5 7F  67 01 B8 21   [msg]
 After CAM: 7D B7 BE FF  72 F3 26 74  9E 20 07 28  1E 5B 1A 8A
 MIC tag  : 7D B7 BE FF  72 F3 26 74  9E 20
 CTR Start: 01 00 00 00  0B 0A 09 08  A0 A1 A2 A3  A4 A5 00 01
 CTR[0001]: 55 B9 87 69  4C 73 60 3E  C6 1E 8E B1  D2 11 62 36
 CTR[0002]: 82 D9 A4 4B  DC C9 BB 68  A7 FE 15 A5  19 51 57 87
 CTR[MIC ]: E9 61 5C CF  BF D6 EF 8A  21 A7
 Total packet length =   43. [Encrypted]
            00 01 02 03  04 05 06 07  5D B0 8D 62  40 7E 6E 31
            D6 0F 9C A2  C6 04 74 21  9A C0 BE 50  C0 D4 A5 77
            87 94 D6 E2  30 CD 25 C9  FE BF 87
 =============== Packet Vector #10 ==================
 CAM Key:   C0 C1 C2 C3  C4 C5 C6 C7  C8 C9 CA CB  CC CD CE CF
 Nonce =    00 00 00 0C  0B 0A 09 A0  A1 A2 A3 A4  A5
 Total packet length =   31. [Input (12 cleartext header octets)]
            00 01 02 03  04 05 06 07  08 09 0A 0B  0C 0D 0E 0F
            10 11 12 13  14 15 16 17  18 19 1A 1B  1C 1D 1E
 CBC IV in: 61 00 00 00  0C 0B 0A 09  A0 A1 A2 A3  A4 A5 00 13
 CBC IV out:B1 85 73 A3  1C 6F EC 01  90 E3 CE 94  27 11 04 B9
 After xor: B1 89 73 A2  1E 6C E8 04  96 E4 C6 9D  2D 1A 04 B9   [hdr]
 After CAM: A6 AD EA 9C  FA 3F 76 78  4C 17 8A F3  DC 69 F0 82
 After xor: AA A0 E4 93  EA 2E 64 6B  58 02 9C E4  C4 70 EA 99   [msg]
 After CAM: 35 50 B7 27  78 F8 C6 BF  02 4B 65 60  05 C0 E1 ED
 After xor: 29 4D A9 27  78 F8 C6 BF  02 4B 65 60  05 C0 E1 ED   [msg]
 After CAM: 3D B5 A6 E6  85 AF 1C 58  80 B0 32 2E  01 74 91 FC
 MIC tag  : 3D B5 A6 E6  85 AF 1C 58  80 B0
 CTR Start: 01 00 00 00  0C 0B 0A 09  A0 A1 A2 A3  A4 A5 00 01
 CTR[0001]: D7 1C 82 C1  D1 A9 64 0F  93 69 CE 81  22 7E CC E8
 CTR[0002]: A7 A1 42 44  32 4E 69 FE  4C D0 36 65  A5 31 0B AB
 CTR[MIC ]: ED 27 3F 0D  94 5C 0E AA  B2 87
 Total packet length =   41. [Encrypted]
            00 01 02 03  04 05 06 07  08 09 0A 0B  DB 11 8C CE
            C1 B8 76 1C  87 7C D8 96  3A 67 D6 F3  BB BC 5C D0
            92 99 EB 11  F3 12 F2 32  37

Kato, et al. Informational [Page 12] RFC 5528 Camellia-CTR and Camellia-CCM algorithms April 2009

 =============== Packet Vector #11 ==================
 CAM Key:   C0 C1 C2 C3  C4 C5 C6 C7  C8 C9 CA CB  CC CD CE CF
 Nonce =    00 00 00 0D  0C 0B 0A A0  A1 A2 A3 A4  A5
 Total packet length =   32. [Input (12 cleartext header octets)]
            00 01 02 03  04 05 06 07  08 09 0A 0B  0C 0D 0E 0F
            10 11 12 13  14 15 16 17  18 19 1A 1B  1C 1D 1E 1F
 CBC IV in: 61 00 00 00  0D 0C 0B 0A  A0 A1 A2 A3  A4 A5 00 14
 CBC IV out:45 DF B5 07  6F BB 10 EA  F1 15 15 AD  21 4F B0 0E
 After xor: 45 D3 B5 06  6D B8 14 EF  F7 12 1D A4  2B 44 B0 0E   [hdr]
 After CAM: 17 52 F9 6D  DD BC 5B 1C  1E EB 80 FC  F6 10 AC 03
 After xor: 1B 5F F7 62  CD AD 49 0F  0A FE 96 EB  EE 09 B6 18   [msg]
 After CAM: BE F0 A0 B9  EC 94 B6 B3  E8 EC 1B 82  14 14 09 87
 After xor: A2 ED BE A6  EC 94 B6 B3  E8 EC 1B 82  14 14 09 87   [msg]
 After CAM: 70 16 E4 F9  C4 2C 30 10  84 BF EC 69  34 89 91 FD
 MIC tag  : 70 16 E4 F9  C4 2C 30 10  84 BF
 CTR Start: 01 00 00 00  0D 0C 0B 0A  A0 A1 A2 A3  A4 A5 00 01
 CTR[0001]: 70 C5 33 82  D4 80 11 41  4F 5D 2B D2  D2 67 B3 B0
 CTR[0002]: 9D 36 6E 49  39 C5 16 76  5C 1C 25 12  81 79 94 70
 CTR[MIC ]: 77 8B 4B 03  1E 3A FC DF  A8 F1
 Total packet length =   42. [Encrypted]
            00 01 02 03  04 05 06 07  08 09 0A 0B  7C C8 3D 8D
            C4 91 03 52  5B 48 3D C5  CA 7E A9 AB  81 2B 70 56
            07 9D AF FA  DA 16 CC CF  2C 4E
 =============== Packet Vector #12 ==================
 CAM Key:   C0 C1 C2 C3  C4 C5 C6 C7  C8 C9 CA CB  CC CD CE CF
 Nonce =    00 00 00 0E  0D 0C 0B A0  A1 A2 A3 A4  A5
 Total packet length =   33. [Input (12 cleartext header octets)]
            00 01 02 03  04 05 06 07  08 09 0A 0B  0C 0D 0E 0F
            10 11 12 13  14 15 16 17  18 19 1A 1B  1C 1D 1E 1F
            20
 CBC IV in: 61 00 00 00  0E 0D 0C 0B  A0 A1 A2 A3  A4 A5 00 15
 CBC IV out:81 E4 EB 1E  50 A9 70 CE  18 CA 1A 4B  68 39 80 2E
 After xor: 81 E8 EB 1F  52 AA 74 CB  1E CD 12 42  62 32 80 2E   [hdr]
 After CAM: 04 AB D9 62  34 B9 8F 32  8C 0F 08 3F  3D 87 9D 57
 After xor: 08 A6 D7 6D  24 A8 9D 21  98 1A 1E 28  25 9E 87 4C   [msg]
 After CAM: BD A2 EA CB  3A DA 6A E7  9F BB C2 2C  E6 4C 98 89
 After xor: A1 BF F4 D4  1A DA 6A E7  9F BB C2 2C  E6 4C 98 89   [msg]
 After CAM: B6 FC E1 46  D3 EA DC 91  E0 AB 10 AD  D8 55 E7 03
 MIC tag  : B6 FC E1 46  D3 EA DC 91  E0 AB
 CTR Start: 01 00 00 00  0E 0D 0C 0B  A0 A1 A2 A3  A4 A5 00 01
 CTR[0001]: 20 DE 55 87  30 C3 2C 69  B7 44 A6 FE  37 DE 89 7C
 CTR[0002]: 3F 96 32 D8  68 6D C2 B5  22 97 42 27  EB F9 26 5E
 CTR[MIC ]: 7D 45 AD 6F  94 93 E1 F5  4F DE
 Total packet length =   43. [Encrypted]
            00 01 02 03  04 05 06 07  08 09 0A 0B  2C D3 5B 88
            20 D2 3E 7A  A3 51 B0 E9  2F C7 93 67  23 8B 2C C7
            48 CB B9 4C  29 47 79 3D  64 AF 75

Kato, et al. Informational [Page 13] RFC 5528 Camellia-CTR and Camellia-CCM algorithms April 2009

 =============== Packet Vector #13 ==================
 CAM Key:   D7 5C 27 78  07 8C A9 3D  97 1F 96 FD  E7 20 F4 CD
 Nonce =    00 A9 70 11  0E 19 27 B1  60 B6 A3 1C  1C
 Total packet length =   31. [Input (8 cleartext header octets)]
            6B 7F 46 45  07 FA E4 96  C6 B5 F3 E6  CA 23 11 AE
            F7 47 2B 20  3E 73 5E A5  61 AD B1 7D  56 C5 A3
 CBC IV in: 59 00 A9 70  11 0E 19 27  B1 60 B6 A3  1C 1C 00 17
 CBC IV out:D7 24 B0 0F  B1 87 04 C6  C1 4E 90 37  AA F2 F1 F9
 After xor: D7 2C DB 70  F7 C2 03 3C  25 D8 90 37  AA F2 F1 F9   [hdr]
 After CAM: 9B 13 6D E3  D9 9F C3 6D  7D 0D B7 D8  A1 BF E9 BD
 After xor: 5D A6 9E 05  13 BC D2 C3  8A 4A 9C F8  9F CC B7 18   [msg]
 After CAM: F8 BF 25 7D  23 F8 D9 B5  82 E6 C9 3E  C8 9B 85 73
 After xor: 99 12 94 00  75 3D 7A B5  82 E6 C9 3E  C8 9B 85 73   [msg]
 After CAM: D9 D6 62 21  6D B2 CA FD  1F C6 FE 9D  2C AF 5B 69
 MIC tag  : D9 D6 62 21  6D B2 CA FD
 CTR Start: 01 00 A9 70  11 0E 19 27  B1 60 B6 A3  1C 1C 00 01
 CTR[0001]: 62 80 24 C1  FE AE CC 8C  67 38 55 98  CB 8E E5 E8
 CTR[0002]: F2 30 17 2F  1B 71 55 9F  8B CE 79 E5  13 01 FC 6A
 CTR[MIC ]: 9C 8E A2 0C  48 03 ED 13
 Total packet length =   39. [Encrypted]
            6B 7F 46 45  07 FA E4 96  A4 35 D7 27  34 8D DD 22
            90 7F 7E B8  F5 FD BB 4D  93 9D A6 52  4D B4 F6 45
            58 C0 2D 25  B1 27 EE
 =============== Packet Vector #14 ==================
 CAM Key:   D7 5C 27 78  07 8C A9 3D  97 1F 96 FD  E7 20 F4 CD
 Nonce =    00 83 CD 8C  E0 CB 42 B1  60 B6 A3 1C  1C
 Total packet length =   32. [Input (8 cleartext header octets)]
            98 66 05 B4  3D F1 5D E7  01 F6 CE 67  64 C5 74 48
            3B B0 2E 6B  BF 1E 0A BD  26 A2 25 72  B4 D8 0E E7
 CBC IV in: 59 00 83 CD  8C E0 CB 42  B1 60 B6 A3  1C 1C 00 18
 CBC IV out:A0 8A 29 78  36 23 1D 84  96 76 93 FF  0A 4C 92 7A
 After xor: A0 82 B1 1E  33 97 20 75  CB 91 93 FF  0A 4C 92 7A   [hdr]
 After CAM: 8C F5 F4 23  BF 09 1C 74  CD 47 00 C1  32 5D 5C 92
 After xor: 8D 03 3A 44  DB CC 68 3C  F6 F7 2E AA  8D 43 56 2F   [msg]
 After CAM: 69 DA 48 24  41 1E AC 8E  A9 0A CD 8B  DD 00 2B 9A
 After xor: 4F 78 6D 56  F5 C6 A2 69  A9 0A CD 8B  DD 00 2B 9A   [msg]
 After CAM: C2 03 3B 08  6D B3 CB 3B  2C C8 5D E7  76 A1 C0 44
 MIC tag  : C2 03 3B 08  6D B3 CB 3B
 CTR Start: 01 00 83 CD  8C E0 CB 42  B1 60 B6 A3  1C 1C 00 01
 CTR[0001]: 8B 16 9C 37  EB 7B BE DB  15 84 41 6E  5F C2 07 46
 CTR[0002]: E9 31 BB DD  4E E6 56 9B  68 95 13 5F  AB A4 DF EF
 CTR[MIC ]: 44 7E 55 14  25 C3 F3 3D
 Total packet length =   40. [Encrypted]
            98 66 05 B4  3D F1 5D E7  8A E0 52 50  8F BE CA 93
            2E 34 6F 05  E0 DC 0D FB  CF 93 9E AF  FA 3E 58 7C
            86 7D 6E 1C  48 70 38 06

Kato, et al. Informational [Page 14] RFC 5528 Camellia-CTR and Camellia-CCM algorithms April 2009

 =============== Packet Vector #15 ==================
 CAM Key:   D7 5C 27 78  07 8C A9 3D  97 1F 96 FD  E7 20 F4 CD
 Nonce =    00 5F 54 95  0B 18 F2 B1  60 B6 A3 1C  1C
 Total packet length =   33. [Input (8 cleartext header octets)]
            48 F2 E7 E1  A7 67 1A 51  CD F1 D8 40  6F C2 E9 01
            49 53 89 70  05 FB FB 8B  A5 72 76 F9  24 04 60 8E
            08
 CBC IV in: 59 00 5F 54  95 0B 18 F2  B1 60 B6 A3  1C 1C 00 19
 CBC IV out:76 74 53 37  95 23 3C F0  EB 77 CE 93  73 06 99 A8
 After xor: 76 7C 1B C5  72 C2 9B 97  F1 26 CE 93  73 06 99 A8   [hdr]
 After CAM: EF 79 8B 70  34 E4 D5 6B  57 3A F9 44  F0 AF D6 9A
 After xor: 22 88 53 30  5B 26 3C 6A  1E 69 70 34  F5 54 2D 11   [msg]
 After CAM: 63 BF 4E 10  01 79 38 0B  E4 EC C1 39  B2 B4 3B 8C
 After xor: C6 CD 38 E9  25 7D 58 85  EC EC C1 39  B2 B4 3B 8C   [msg]
 After CAM: 39 E1 0E FA  BD 2F 43 00  50 9E E7 EB  A4 FF 6B 8F
 MIC tag  : 39 E1 0E FA  BD 2F 43 00
 CTR Start: 01 00 5F 54  95 0B 18 F2  B1 60 B6 A3  1C 1C 00 01
 CTR[0001]: C5 47 A6 A2  73 49 1B 6F  0E 6D C9 F5  9C 12 3B 08
 CTR[0002]: C8 18 86 42  3C DB 35 C8  64 4D 8C 4C  58 01 47 27
 CTR[MIC ]: 91 E9 76 5D  2D 68 2E E5
 Total packet length =   41. [Encrypted]
            48 F2 E7 E1  A7 67 1A 51  08 B6 7E E2  1C 8B F2 6E
            47 3E 40 85  99 E9 C0 83  6D 6A F0 BB  18 DF 55 46
            6C A8 08 78  A7 90 47 6D  E5
 =============== Packet Vector #16 ==================
 CAM Key:   D7 5C 27 78  07 8C A9 3D  97 1F 96 FD  E7 20 F4 CD
 Nonce =    00 EC 60 08  63 31 9A B1  60 B6 A3 1C  1C
 Total packet length =   31. [Input (12 cleartext header octets)]
            DE 97 DF 3B  8C BD 6D 8E  50 30 DA 4C  B0 05 DC FA
            0B 59 18 14  26 A9 61 68  5A 99 3D 8C  43 18 5B
 CBC IV in: 59 00 EC 60  08 63 31 9A  B1 60 B6 A3  1C 1C 00 13
 CBC IV out:78 EE 05 5A  88 48 E3 5B  8A 45 46 8F  35 4F 0C A2
 After xor: 78 E2 DB CD  57 73 6F E6  E7 CB 16 BF  EF 03 0C A2   [hdr]
 After CAM: A9 C6 7F 15  00 1A C6 92  81 67 BD EC  DF D2 35 C9
 After xor: 19 C3 A3 EF  0B 43 DE 86  A7 CE DC 84  85 4B 08 45   [msg]
 After CAM: 7C A8 9C 90  46 42 4B E2  4D 96 DF CF  BA 12 FD 18
 After xor: 3F B0 C7 90  46 42 4B E2  4D 96 DF CF  BA 12 FD 18   [msg]
 After CAM: 89 C7 B4 E8  A4 24 8C 6C  52 ED 34 50  E3 53 AD F5
 MIC tag  : 89 C7 B4 E8  A4 24 8C 6C
 CTR Start: 01 00 EC 60  08 63 31 9A  B1 60 B6 A3  1C 1C 00 01
 CTR[0001]: D3 B2 57 B3  6C E8 86 CF  91 9A AC 79  4E 6F 73 3E
 CTR[0002]: 65 10 C8 72  39 AF 0F 52  9F D0 A4 DF  54 BF D6 EB
 CTR[MIC ]: E1 04 E0 6A  29 B1 80 A9
 Total packet length =   39. [Encrypted]
            DE 97 DF 3B  8C BD 6D 8E  50 30 DA 4C  63 B7 8B 49
            67 B1 9E DB  B7 33 CD 11  14 F6 4E B2  26 08 93 68
            C3 54 82 8D  95 0C C5

Kato, et al. Informational [Page 15] RFC 5528 Camellia-CTR and Camellia-CCM algorithms April 2009

 =============== Packet Vector #17 ==================
 CAM Key:   D7 5C 27 78  07 8C A9 3D  97 1F 96 FD  E7 20 F4 CD
 Nonce =    00 60 CF F1  A3 1E A1 B1  60 B6 A3 1C  1C
 Total packet length =   32. [Input (12 cleartext header octets)]
            A5 EE 93 E4  57 DF 05 46  6E 78 2D CF  2E 20 21 12
            98 10 5F 12  9D 5E D9 5B  93 F7 2D 30  B2 FA CC D7
 CBC IV in: 59 00 60 CF  F1 A3 1E A1  B1 60 B6 A3  1C 1C 00 14
 CBC IV out:C3 34 69 7D  11 38 73 06  BD 34 E2 10  1F 66 17 E8
 After xor: C3 38 CC 93  82 DC 24 D9  B8 72 8C 68  32 A9 17 E8   [hdr]
 After CAM: 43 6F 37 74  AB 94 3B 41  EA AD 00 CA  C3 99 13 7B
 After xor: 6D 4F 16 66  33 84 64 53  77 F3 D9 91  50 6E 3E 4B   [msg]
 After CAM: 2D 28 FB 62  DA 06 97 A7  4C D4 31 B8  B5 AE AE EE
 After xor: 9F D2 37 B5  DA 06 97 A7  4C D4 31 B8  B5 AE AE EE   [msg]
 After CAM: F3 DE 10 CD  91 4D B1 B6  CC 37 F0 A2  4A 5A B7 A1
 MIC tag  : F3 DE 10 CD  91 4D B1 B6
 CTR Start: 01 00 60 CF  F1 A3 1E A1  B1 60 B6 A3  1C 1C 00 01
 CTR[0001]: 25 E6 9A F0  30 A9 56 E6  FF C0 3F 87  87 7A 89 74
 CTR[0002]: A2 1B 46 23  76 A2 1E DD  F2 AC 4B EC  42 95 3D D3
 CTR[MIC ]: C2 99 28 FF  E7 BB DB 29
 Total packet length =   40. [Encrypted]
            A5 EE 93 E4  57 DF 05 46  6E 78 2D CF  0B C6 BB E2
            A8 B9 09 F4  62 9E E6 DC  14 8D A4 44  10 E1 8A F4
            31 47 38 32  76 F6 6A 9F
 =============== Packet Vector #18 ==================
 CAM Key:   D7 5C 27 78  07 8C A9 3D  97 1F 96 FD  E7 20 F4 CD
 Nonce =    00 0F 85 CD  99 5C 97 B1  60 B6 A3 1C  1C
 Total packet length =   33. [Input (12 cleartext header octets)]
            24 AA 1B F9  A5 CD 87 61  82 A2 50 74  26 45 94 1E
            75 63 2D 34  91 AF 0F C0  C9 87 6C 3B  E4 AA 74 68
            C9
 CBC IV in: 59 00 0F 85  CD 99 5C 97  B1 60 B6 A3  1C 1C 00 15
 CBC IV out:72 0A 46 75  0F 40 59 53  F2 3B D2 1F  6A 11 60 F6
 After xor: 72 06 62 DF  14 B9 FC 9E  75 5A 50 BD  3A 65 60 F6   [hdr]
 After CAM: 67 73 A0 FD  D5 7E D3 5E  E8 24 06 D0  A1 8B 0E 18
 After xor: 41 36 34 E3  A0 1D FE 6A  79 8B 09 10  68 0C 62 23   [msg]
 After CAM: BB 1E D8 9F  60 29 D0 99  09 14 06 A5  E3 8B 72 7B
 After xor: 5F B4 AC F7  A9 29 D0 99  09 14 06 A5  E3 8B 72 7B   [msg]
 After CAM: 3E 4F 40 73  D1 31 E9 B8  02 C8 99 BC  FD AC 19 4B
 MIC tag  : 3E 4F 40 73  D1 31 E9 B8
 CTR Start: 01 00 0F 85  CD 99 5C 97  B1 60 B6 A3  1C 1C 00 01
 CTR[0001]: 04 6F 42 2C  8F 52 FB 9B  06 A3 3B 9F  B7 F0 A6 00
 CTR[0002]: 34 76 51 DB  89 10 FB E6  73 E8 56 6E  DB 66 47 5D
 CTR[MIC ]: 9F EC 93 6C  5C 7A AD 0F
 Total packet length =   41. [Encrypted]
            24 AA 1B F9  A5 CD 87 61  82 A2 50 74  22 2A D6 32
            FA 31 D6 AF  97 0C 34 5F  7E 77 CA 3B  D0 DC 25 B3
            40 A1 A3 D3  1F 8D 4B 44  B7

Kato, et al. Informational [Page 16] RFC 5528 Camellia-CTR and Camellia-CCM algorithms April 2009

 =============== Packet Vector #19 ==================
 CAM Key:   D7 5C 27 78  07 8C A9 3D  97 1F 96 FD  E7 20 F4 CD
 Nonce =    00 C2 9B 2C  AA C4 CD B1  60 B6 A3 1C  1C
 Total packet length =   31. [Input (8 cleartext header octets)]
            69 19 46 B9  CA 07 BE 87  07 01 35 A6  43 7C 9D B1
            20 CD 61 D8  F6 C3 9C 3E  A1 25 FD 95  A0 D2 3D
 CBC IV in: 61 00 C2 9B  2C AA C4 CD  B1 60 B6 A3  1C 1C 00 17
 CBC IV out:74 AD F8 04  05 2A 48 E7  46 97 38 D5  BA A1 27 79
 After xor: 74 A5 91 1D  43 93 82 E0  F8 10 38 D5  BA A1 27 79   [hdr]
 After CAM: BD C3 B1 41  1C 64 C8 B3  A9 DC 6A 94  78 97 88 E2
 After xor: BA C2 84 E7  5F 18 55 02  89 11 0B 4C  8E 54 14 DC   [msg]
 After CAM: 7D 6C 8A BF  AD 68 48 D8  C5 FB CD 1E  AF F2 44 99
 After xor: DC 49 77 2A  0D BA 75 D8  C5 FB CD 1E  AF F2 44 99   [msg]
 After CAM: 19 99 AB 92  5E 30 46 96  3D EF FB 1B  4C 87 F7 76
 MIC tag  : 19 99 AB 92  5E 30 46 96  3D EF
 CTR Start: 01 00 C2 9B  2C AA C4 CD  B1 60 B6 A3  1C 1C 00 01
 CTR[0001]: 02 B9 D4 1F  87 E0 60 E7  EF DE 6B 7E  D3 DE 5E D2
 CTR[0002]: 61 49 31 C5  2F 34 AA 47  A3 E4 D3 2C  0B 36 41 C6
 CTR[MIC ]: B9 9F C6 C5  96 7B AA 8E  1A 87
 Total packet length =   41. [Encrypted]
            69 19 46 B9  CA 07 BE 87  05 B8 E1 B9  C4 9C FD 56
            CF 13 0A A6  25 1D C2 EC  C0 6C CC 50  8F E6 97 A0
            06 6D 57 C8  4B EC 18 27  68
 =============== Packet Vector #20 ==================
 CAM Key:   D7 5C 27 78  07 8C A9 3D  97 1F 96 FD  E7 20 F4 CD
 Nonce =    00 2C 6B 75  95 EE 62 B1  60 B6 A3 1C  1C
 Total packet length =   32. [Input (8 cleartext header octets)]
            D0 C5 4E CB  84 62 7D C4  C8 C0 88 0E  6C 63 6E 20
            09 3D D6 59  42 17 D2 E1  88 77 DB 26  4E 71 A5 CC
 CBC IV in: 61 00 2C 6B  75 95 EE 62  B1 60 B6 A3  1C 1C 00 18
 CBC IV out:35 A9 48 70  F9 B0 C7 85  FB 32 1A D1  3C 8C A4 9A
 After xor: 35 A1 98 B5  B7 7B 43 E7  86 F6 1A D1  3C 8C A4 9A   [hdr]
 After CAM: 0A 3C E3 0F  AC 09 DC 5C  00 10 5C 69  AC 19 F7 19
 After xor: C2 FC 6B 01  C0 6A B2 7C  09 2D 8A 30  EE 0E 25 F8   [msg]
 After CAM: 61 CD 80 D0  72 E6 84 E1  BF E1 4A 00  27 2A 4D 96
 After xor: E9 BA 5B F6  3C 97 21 2D  BF E1 4A 00  27 2A 4D 96   [msg]
 After CAM: E5 F9 F2 AB  47 FD 7B 8D  6F 72 F4 72  74 D7 69 BB
 MIC tag  : E5 F9 F2 AB  47 FD 7B 8D  6F 72
 CTR Start: 01 00 2C 6B  75 95 EE 62  B1 60 B6 A3  1C 1C 00 01
 CTR[0001]: 9C 0E 31 66  B2 81 58 31  5E 63 16 5A  9D BD CE 35
 CTR[0002]: 00 3E 66 D3  E0 5F 7E A7  EF C8 9A 5F  DD 39 E3 54
 CTR[MIC ]: 9A 5E 87 1A  17 10 38 0E  AA DB
 Total packet length =   42. [Encrypted]
            D0 C5 4E CB  84 62 7D C4  54 CE B9 68  DE E2 36 11
            57 5E C0 03  DF AA 1C D4  88 49 BD F5  AE 2E DB 6B
            7F A7 75 B1  50 ED 43 83  C5 A9

Kato, et al. Informational [Page 17] RFC 5528 Camellia-CTR and Camellia-CCM algorithms April 2009

 =============== Packet Vector #21 ==================
 CAM Key:   D7 5C 27 78  07 8C A9 3D  97 1F 96 FD  E7 20 F4 CD
 Nonce =    00 C5 3C D4  C2 AA 24 B1  60 B6 A3 1C  1C
 Total packet length =   33. [Input (8 cleartext header octets)]
            E2 85 E0 E4  80 8C DA 3D  F7 5D AA 07  10 C4 E6 42
            97 79 4D C2  B7 D2 A2 07  57 B1 AA 4E  44 80 02 FF
            AB
 CBC IV in: 61 00 C5 3C  D4 C2 AA 24  B1 60 B6 A3  1C 1C 00 19
 CBC IV out:2A 3C 23 B2  43 F5 1C 35  F7 79 5A CB  3B 20 21 2F
 After xor: 2A 34 C1 37  A3 11 9C B9  2D 44 5A CB  3B 20 21 2F   [hdr]
 After CAM: A1 7E AD 4C  EE AB 51 21  1D 2A 32 F2  D4 45 A6 D6
 After xor: 56 23 07 4B  FE 6F B7 63  8A 53 7F 30  63 97 04 D1   [msg]
 After CAM: A9 A1 32 55  8F C6 9B 98  A9 CC 23 96  FE CA 84 EB
 After xor: FE 10 98 1B  CB 46 99 67  02 CC 23 96  FE CA 84 EB   [msg]
 After CAM: 6A 5E 04 42  D1 A5 7E 17  9A 6C 8B 56  F7 19 80 C5
 MIC tag  : 6A 5E 04 42  D1 A5 7E 17  9A 6C
 CTR Start: 01 00 C5 3C  D4 C2 AA 24  B1 60 B6 A3  1C 1C 00 01
 CTR[0001]: 46 1D EF 41  AF A2 94 52  5D 51 AE CB  04 49 74 CD
 CTR[0002]: 29 2E 62 66  1B 66 9A 2B  97 72 6B 77  32 A8 DC 35
 CTR[MIC ]: B8 54 06 A2  6C 6F 93 37  8A BF
 Total packet length =   43. [Encrypted]
            E2 85 E0 E4  80 8C DA 3D  B1 40 45 46  BF 66 72 10
            CA 28 E3 09  B3 9B D6 CA  7E 9F C8 28  5F E6 98 D4
            3C D2 0A 02  E0 BD CA ED  20 10 D3
 =============== Packet Vector #22 ==================
 CAM Key:   D7 5C 27 78  07 8C A9 3D  97 1F 96 FD  E7 20 F4 CD
 Nonce =    00 BE E9 26  7F BA DC B1  60 B6 A3 1C  1C
 Total packet length =   31. [Input (12 cleartext header octets)]
            6C AE F9 94  11 41 57 0D  7C 81 34 05  C2 38 82 2F
            AC 5F 98 FF  92 94 05 B0  AD 12 7A 4E  41 85 4E
 CBC IV in: 61 00 BE E9  26 7F BA DC  B1 60 B6 A3  1C 1C 00 13
 CBC IV out:20 60 6A D1  E1 A0 84 52  2F A3 8B F4  88 1D D6 8B
 After xor: 20 6C 06 7F  18 34 95 13  78 AE F7 75  BC 18 D6 8B   [hdr]
 After CAM: 71 FD FF E7  D9 C8 95 75  D3 EC 0B 7E  7B 8B BE E7
 After xor: B3 C5 7D C8  75 97 0D 8A  41 78 0E CE  D6 99 C4 A9   [msg]
 After CAM: CA AD 93 9C  59 BA 40 AA  1A 0B 88 1B  EE 3D 3C 65
 After xor: 8B 28 DD 9C  59 BA 40 AA  1A 0B 88 1B  EE 3D 3C 65   [msg]
 After CAM: DC 48 8F AA  9C 75 E7 03  17 56 C2 C7  48 48 8D 1B
 MIC tag  : DC 48 8F AA  9C 75 E7 03  17 56
 CTR Start: 01 00 BE E9  26 7F BA DC  B1 60 B6 A3  1C 1C 00 01
 CTR[0001]: 56 F0 17 B3  BD 09 02 D6  EA A5 A2 91  AD 4A 2D E5
 CTR[0002]: 20 3D 34 21  EF 5B F8 FC  7B 21 5C 76  7B A5 21 A6
 CTR[MIC ]: F1 A2 86 9C  2A 9E B8 61  48 0B
 Total packet length =   41. [Encrypted]
            6C AE F9 94  11 41 57 0D  7C 81 34 05  94 C8 95 9C
            11 56 9A 29  78 31 A7 21  00 58 57 AB  61 B8 7A 2D
            EA 09 36 B6  EB 5F 62 5F  5D

Kato, et al. Informational [Page 18] RFC 5528 Camellia-CTR and Camellia-CCM algorithms April 2009

 =============== Packet Vector #23 ==================
 CAM Key:   D7 5C 27 78  07 8C A9 3D  97 1F 96 FD  E7 20 F4 CD
 Nonce =    00 DF A8 B1  24 50 07 B1  60 B6 A3 1C  1C
 Total packet length =   32. [Input (12 cleartext header octets)]
            36 A5 2C F1  6B 19 A2 03  7A B7 01 1E  4D BF 3E 77
            4A D2 45 E5  D5 89 1F 9D  1C 32 A0 AE  02 2C 85 D7
 CBC IV in: 61 00 DF A8  B1 24 50 07  B1 60 B6 A3  1C 1C 00 14
 CBC IV out:78 FD B6 AF  61 9E 1C 8D  82 41 17 A8  73 60 1B 70
 After xor: 78 F1 80 0A  4D 6F 77 94  20 42 6D 1F  72 7E 1B 70   [hdr]
 After CAM: 62 2E 28 65  92 43 DB 82  88 79 09 1E  A7 24 54 67
 After xor: 2F 91 16 12  D8 91 9E 67  5D F0 16 83  BB 16 F4 C9   [msg]
 After CAM: 95 0E 52 08  FF 16 70 8C  1E D9 BB 06  3E 1E 41 CF
 After xor: 97 22 D7 DF  FF 16 70 8C  1E D9 BB 06  3E 1E 41 CF   [msg]
 After CAM: BA CD 51 FC  77 F4 02 8D  47 D5 7D 54  7D 46 33 4B
 MIC tag  : BA CD 51 FC  77 F4 02 8D  47 D5
 CTR Start: 01 00 DF A8  B1 24 50 07  B1 60 B6 A3  1C 1C 00 01
 CTR[0001]: 15 D6 DD DD  98 96 39 91  35 75 1A 64  B8 D8 D4 F9
 CTR[0002]: 7D 61 6D 1D  EB 92 00 2B  6F FA AB 53  BC AF 69 89
 CTR[MIC ]: 33 E9 27 BE  E1 59 06 9C  DB 32
 Total packet length =   42. [Encrypted]
            36 A5 2C F1  6B 19 A2 03  7A B7 01 1E  58 69 E3 AA
            D2 44 7C 74  E0 FC 05 F9  A4 EA 74 57  7F 4D E8 CA
            89 24 76 42  96 AD 04 11  9C E7
 =============== Packet Vector #24 ==================
 CAM Key:   D7 5C 27 78  07 8C A9 3D  97 1F 96 FD  E7 20 F4 CD
 Nonce =    00 3B 8F D8  D3 A9 37 B1  60 B6 A3 1C  1C
 Total packet length =   33. [Input (12 cleartext header octets)]
            A4 D4 99 F7  84 19 72 8C  19 17 8B 0C  9D C9 ED AE
            2F F5 DF 86  36 E8 C6 DE  0E ED 55 F7  86 7E 33 33
            7D
 CBC IV in: 61 00 3B 8F  D8 D3 A9 37  B1 60 B6 A3  1C 1C 00 15
 CBC IV out:84 E6 CF DD  6A 37 68 5D  E6 71 AD 54  B3 BE FE B9
 After xor: 84 EA 6B 09  F3 C0 EC 44  94 FD B4 43  38 B2 FE B9   [hdr]
 After CAM: C5 0F A0 62  20 18 F1 21  0E BC 3D 2E  47 B7 B8 C3
 After xor: 58 C6 4D CC  0F ED 2E A7  38 54 FB F0  49 5A ED 34   [msg]
 After CAM: C4 6F 6D C3  17 3C 2A 7A  81 FC 2D DA  7F B7 C6 60
 After xor: 42 11 5E F0  6A 3C 2A 7A  81 FC 2D DA  7F B7 C6 60   [msg]
 After CAM: DF AB 2E 76  B0 67 50 B3  7C DD 9A AC  F3 79 17 71
 MIC tag  : DF AB 2E 76  B0 67 50 B3  7C DD
 CTR Start: 01 00 3B 8F  D8 D3 A9 37  B1 60 B6 A3  1C 1C 00 01
 CTR[0001]: D6 D0 6C F8  16 CE D0 F1  A0 E0 AC 71  BA B9 AD 34
 CTR[0002]: 76 4A FF 9A  1B F8 55 1F  68 54 39 0A  EE 37 24 28
 CTR[MIC ]: 4B F4 31 B8  17 86 4B 5D  16 F2
 Total packet length =   43. [Encrypted]
            A4 D4 99 F7  84 19 72 8C  19 17 8B 0C  4B 19 81 56
            39 3B 0F 77  96 08 6A AF  B4 54 F8 C3  F0 34 CC A9
            66 94 5F 1F  CE A7 E1 1B  EE 6A 2F

Kato, et al. Informational [Page 19] RFC 5528 Camellia-CTR and Camellia-CCM algorithms April 2009

5. Security Considerations

 Camellia-CTR and Camellia-CCM employ CTR mode for confidentiality.
 For the security of CTR mode, refer to the Security Considerations of
 [16].

6. Acknowledgments

 Thanks to Rui Hodai for comments and suggestions.  Special thanks to
 Alfred Hoenes for several very detailed reviews and suggestions.

7. References

7.1. Normative References

 [1]   Matsui, M., Nakajima, J., and S. Moriai, "A Description of the
       Camellia Encryption Algorithm", RFC 3713, April 2004.
 [2]   Bradner, S., "Key words for use in RFCs to Indicate Requirement
       Levels", BCP 14, RFC 2119, March 1997.
 [3]   Dworkin, M., "Recommendation for Block Cipher Modes of
       Operation - Methods and Techniques", NIST Special
       Publication 800-38A, December 2001, <http://csrc.nist.gov/
       publications/nistpubs/800-38a/sp800-38a.pdf>.
 [4]   National Institute of Standards and Technology, "Recommendation
       for Block Cipher Modes Operation : The CCM Mode for
       Authentication and Confidentiality", May 2004, <http://
       csrc.nist.gov/publications/nistpubs/800-38C/SP800-38C.pdf>.

7.2. Informative References

 [5]   National Institute of Standards and Technology, "Advanced
       Encryption Standard (AES)", FIPS PUB 197, November 2001,
       <http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf>.
 [6]   Kato, A., Moriai, S., and M. Kanda, "The Camellia Cipher
       Algorithm and Its Use With IPsec", RFC 4312, December 2005.
 [7]   Moriai, S., Kato, A., and M. Kanda, "Addition of Camellia
       Cipher Suites to Transport Layer Security (TLS)", RFC 4132,
       July 2005.
 [8]   Moriai, S. and A. Kato, "Use of the Camellia Encryption
       Algorithm in Cryptographic Message Syntax (CMS)", RFC 3657,
       January 2004.

Kato, et al. Informational [Page 20] RFC 5528 Camellia-CTR and Camellia-CCM algorithms April 2009

 [9]   Eastlake, D., "Additional XML Security Uniform Resource
       Identifiers (URIs)", RFC 4051, April 2005.
 [10]  International Organization for Standardization, "Information
       technology - Security techniques - Encryption algorithms - Part
       3: Block ciphers", ISO/IEC 18033-3, July 2005.
 [11]  "The NESSIE project (New European Schemes for Signatures,
       Integrity and Encryption)",
       <http://www.cosic.esat.kuleuven.be/nessie/>.
 [12]  Information-technology Promotion Agency (IPA), "Cryptography
       Research and Evaluation Committees",
       <http://www.ipa.go.jp/security/enc/CRYPTREC/index-e.html>.
 [13]  "Camellia open source software",
       <http://info.isl.ntt.co.jp/crypt/eng/camellia/source.html>.
 [14]  "Camellia web site", <http://info.isl.ntt.co.jp/camellia/>.
 [15]  Whiting, D., Housley, R., and N. Ferguson, "Counter with CBC-
       MAC (CCM)", RFC 3610, September 2003.
 [16]  Housley, R., "Using Advanced Encryption Standard (AES) Counter
       Mode With IPsec Encapsulating Security Payload (ESP)",
       RFC 3686, January 2004.

Kato, et al. Informational [Page 21] RFC 5528 Camellia-CTR and Camellia-CCM algorithms April 2009

Authors' Addresses

 Akihiro Kato
 NTT Software Corporation
 Phone: +81-45-212-7577
 Fax:   +81-45-212-9800
 EMail: akato@po.ntts.co.jp
 Masayuki Kanda
 NTT
 Phone: +81-422-59-3456
 Fax:   +81-422-59-4015
 EMail: kanda.masayuki@lab.ntt.co.jp
 Satoru Kanno
 NTT Software Corporation
 Phone: +81-45-212-7577
 Fax:   +81-45-212-9800
 EMail: kanno-s@po.ntts.co.jp

Kato, et al. Informational [Page 22]

/data/webs/external/dokuwiki/data/pages/rfc/rfc5528.txt · Last modified: 2009/04/22 21:38 by 127.0.0.1

Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki