RFC 8645
Re-keying Mechanisms for Symmetric Keys
Pages: 69
Informational
Informational
Part 3 of 3 – Pages 44 to 69
10. References
10.1. Normative References
[CMS] Housley, R., "Cryptographic Message Syntax (CMS)", STD 70, RFC 5652, DOI 10.17487/RFC5652, September 2009, <https://www.rfc-editor.org/info/rfc5652>. [DTLS] Rescorla, E. and N. Modadugu, "Datagram Transport Layer Security Version 1.2", RFC 6347, DOI 10.17487/RFC6347, January 2012, <https://www.rfc-editor.org/info/rfc6347>. [ESP] Kent, S., "IP Encapsulating Security Payload (ESP)", RFC 4303, DOI 10.17487/RFC4303, December 2005, <https://www.rfc-editor.org/info/rfc4303>. [GCM] Dworkin, M., "Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC", NIST Special Publication 800-38D, DOI 10.6028/NIST.SP.800-38D, November 2007, <http://nvlpubs.nist.gov/nistpubs/Legacy/SP/ nistspecialpublication800-38d.pdf>. [MODES] Dworkin, M., "Recommendation for Block Cipher Modes of Operation: Methods and Techniques", NIST Special Publication 800-38A, DOI 10.6028/NIST.SP.800-38A, December 2001. [NISTSP800-108] National Institute of Standards and Technology, "Recommendation for Key Derivation Using Pseudorandom Functions", NIST Special Publication 800-108, October 2009, <http://nvlpubs.nist.gov/nistpubs/Legacy/SP/ nistspecialpublication800-108.pdf>. [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, <https://www.rfc-editor.org/info/rfc2119>. [RFC4493] Song, JH., Poovendran, R., Lee, J., and T. Iwata, "The AES-CMAC Algorithm", RFC 4493, DOI 10.17487/RFC4493, June 2006, <https://www.rfc-editor.org/info/rfc4493>. [RFC5869] Krawczyk, H. and P. Eronen, "HMAC-based Extract-and-Expand Key Derivation Function (HKDF)", RFC 5869, DOI 10.17487/RFC5869, May 2010, <https://www.rfc-editor.org/info/rfc5869>.
[RFC7836] Smyshlyaev, S., Ed., Alekseev, E., Oshkin, I., Popov, V., Leontiev, S., Podobaev, V., and D. Belyavsky, "Guidelines on the Cryptographic Algorithms to Accompany the Usage of Standards GOST R 34.10-2012 and GOST R 34.11-2012", RFC 7836, DOI 10.17487/RFC7836, March 2016, <https://www.rfc-editor.org/info/rfc7836>. [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, <https://www.rfc-editor.org/info/rfc8174>. [SSH] Ylonen, T. and C. Lonvick, Ed., "The Secure Shell (SSH) Transport Layer Protocol", RFC 4253, DOI 10.17487/RFC4253, January 2006, <https://www.rfc-editor.org/info/rfc4253>. [TLS] Rescorla, E., "The Transport Layer Security (TLS) Protocol Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, <https://www.rfc-editor.org/info/rfc8446>.10.2. Informative References
[AAOS2017] Ahmetzyanova, L., Alekseev, E., Oshkin, I., and S. Smyshlyaev, "Increasing the Lifetime of Symmetric Keys for the GCM Mode by Internal Re-keying", Cryptology ePrint Archive, Report 2017/697, 2017, <https://eprint.iacr.org/2017/697.pdf>. [AbBell] Abdalla, M. and M. Bellare, "Increasing the Lifetime of a Key: A Comparative Analysis of the Security of Re-keying Techniques", ASIACRYPT 2000, Lecture Notes in Computer Science, Volume 1976, pp. 546-559, DOI 10.1007/3-540-44448-3_42, October 2000. [AESDUKPT] American National Standards Institute, "Retail Financial Services Symmetric Key Management - Part 3: Derived Unique Key Per Transaction", ANSI X9.24-3-2017, October 2017. [FKK2005] Fu, K., Kamara, S., and T. Kohno, "Key Regression: Enabling Efficient Key Distribution for Secure Distributed Storage", November 2005, <https://homes.cs.washington.edu/ ~yoshi/papers/KR/NDSS06.pdf>.
[FPS2012] Faust, S., Pietrzak, K., and J. Schipper, "Practical Leakage-Resilient Symmetric Cryptography", Cryptographic Hardware and Embedded Systems (CHES), Lecture Notes in Computer Science, Volume 7428, pp. 213-232, DOI 10.1007/978-3-642-33027-8_13, 2012, <https://link.springer.com/content/ pdf/10.1007%2F978-3-642-33027-8_13.pdf>. [FRESHREKEYING] Dziembowski, S., Faust, S., Herold, G., Journault, A., Masny, D., and F. Standaert, "Towards Sound Fresh Re-Keying with Hard (Physical) Learning Problems", Cryptology ePrint Archive, Report 2016/573, June 2016, <https://eprint.iacr.org/2016/573>. [GGM] Goldreich, O., Goldwasser, S., and S. Micali, "How to Construct Random Functions", Journal of the Association for Computing Machinery, Volume 33, No. 4, pp. 792-807, DOI 10.1145/6490.6503, October 1986, <https://dl.acm.org/citation.cfm?doid=6490.6503>. [KMNT2003] Kim, Y., Maino, F., Narasimha, M., and G. Tsudik, "Secure Group Services for Storage Area Networks", IEEE Communications Magazine 41, Number 8, pp. 92-99, DOI 10.1109/SISW.2002.1183514, August 2003, <https://ieeexplore.ieee.org/document/1183514>. [LDC] Heys, H., "A Tutorial on Linear and Differential Cryptanalysis", 2001, <https://citeseerx.ist.psu.edu/ viewdoc/citations?doi=10.1.1.2.2759>. [OWT] Joye, M. and S. Yen, "One-Way Cross-Trees and Their Applications", Public Key Cryptography (PKC), Lecture Notes in Computer Science, Volume 2274, DOI 10.1007/3-540-45664-3_25, February 2002, <https://link.springer.com/content/ pdf/10.1007%2F3-540-45664-3_25.pdf>. [P3] Alexander, P., "Subject: [Cfrg] Dynamic Key Changes on Encrypted Sessions. - Draft I-D Attached", message to the CFRG mailing list, 4 November 2017, <https://mailarchive.ietf.org/arch/msg/cfrg/ ecTR3Hb-DFfrPCVmY0ghyYOEcxU>.
[Pietrzak2009] Pietrzak, K., "A Leakage-Resilient Mode of Operation", EUROCRYPT 2009, Lecture Notes in Computer Science, Volume 5479, pp. 462-482, DOI 10.1007/978-3-642-01001-9_27, April 2009, <https://iacr.org/archive/eurocrypt2009/ 54790461/54790461.pdf>. [SIGNAL] Perrin, T., Ed. and M. Marlinspike, "The Double Ratchet Algorithm", November 2016, <https://signal.org/docs/ specifications/doubleratchet/doubleratchet.pdf>. [Sweet32] Bhargavan, K. and G. Leurent, "On the Practical (In-)Security of 64-bit Block Ciphers: Collision Attacks on HTTP over TLS and OpenVPN", Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, pp. 456-467, DOI 10.1145/2976749.2978423, October 2016, <https://sweet32.info/SWEET32_CCS16.pdf>. [TAHA] Taha, M. and P. Schaumont, "Key Updating for Leakage Resiliency With Application to AES Modes of Operation", IEEE Transactions on Information Forensics and Security, DOI 10.1109/TIFS.2014.2383359, December 2014, <http://ieeexplore.ieee.org/document/6987331/>. [TEMPEST] Ramsay, C. and J. Lohuis, "TEMPEST attacks against AES. Covertly stealing keys for 200 euro", June 2017, <https://www.fox-it.com/en/wp-content/uploads/sites/11/ Tempest_attacks_against_AES.pdf>. [U2F] Chang, D., Mishra, S., Sanadhya, S., and A. Singh, "On Making U2F Protocol Leakage-Resilient via Re-keying", Cryptology ePrint Archive, Report 2017/721, August 2017, <https://eprint.iacr.org/2017/721.pdf>.
Appendix A. Test Examples
A.1. Test Examples for External Re-keying
A.1.1. External Re-keying with a Parallel Construction
External re-keying with a parallel construction based on AES-256 **************************************************************** k = 256 t = 128 Initial key: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 0F 0E 0D 0C 0B 0A 09 08 07 06 05 04 03 02 01 00 K^1: 51 16 8A B6 C8 A8 38 65 54 85 31 A5 D2 BA C3 86 64 7D 5C D5 1C 3D 62 98 BC 09 B1 D8 64 EC D9 B1 K^2: 6F ED F5 D3 77 57 48 75 35 2B 5F 4D B6 5B E0 15 B8 02 92 32 D8 D3 8D 73 FE DC DD C6 C8 36 78 BD K^3: B6 40 24 85 A4 24 BD 35 B4 26 43 13 76 26 70 B6 5B F3 30 3D 3B 20 EB 14 D1 3B B7 91 74 E3 DB EC ... K^126: 2F 3F 15 1B 53 88 23 CD 7D 03 FC 3D FD B3 57 5E 23 E4 1C 4E 46 FF 6B 33 34 12 27 84 EF 5D 82 23 K^127: 8E 51 31 FB 0B 64 BB D0 BC D4 C5 7B 1C 66 EF FD 97 43 75 10 6C AF 5D 5E 41 E0 17 F4 05 63 05 ED K^128: 77 4F BF B3 22 60 C5 3B A3 8E FE B1 96 46 76 41 94 49 AF 84 2D 84 65 A7 F4 F7 2C DC A4 9D 84 F9 External re-keying with a parallel construction based on SHA-256 **************************************************************** k = 256 t = 128 label: SHA2label
Initial key: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 0F 0E 0D 0C 0B 0A 09 08 07 06 05 04 03 02 01 00 K^1: C1 A1 4C A0 30 29 BE 43 9F 35 3C 79 1A 51 48 57 26 7A CD 5A E8 7D E7 D1 B2 E2 C7 AF A4 29 BD 35 K^2: 03 68 BB 74 41 2A 98 ED C4 7B 94 CC DF 9C F4 9E A9 B8 A9 5F 0E DC 3C 1E 3B D2 59 4D D1 75 82 D4 K^3: 2F D3 68 D3 A7 8F 91 E6 3B 68 DC 2B 41 1D AC 80 0A C3 14 1D 80 26 3E 61 C9 0D 24 45 2A BD B1 AE ... K^126: 55 AC 2B 25 00 78 3E D4 34 2B 65 0E 75 E5 8B 76 C8 04 E9 D3 B6 08 7D C0 70 2A 99 A4 B5 85 F1 A1 K^127: 77 4D 15 88 B0 40 90 E5 8C 6A D7 5D 0F CF 0A 4A 6C 23 F1 B3 91 B1 EF DF E5 77 64 CD 09 F5 BC AF K^128: E5 81 FF FB 0C 90 88 CD E5 F4 A5 57 B6 AB D2 2E 94 C3 42 06 41 AB C1 72 66 CC 2F 59 74 9C 86 B3A.1.2. External Re-keying with a Serial Construction
External re-keying with a serial construction based on AES-256 ************************************************************** AES 256 examples: k = 256 t = 128 Initial key: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 0F 0E 0D 0C 0B 0A 09 08 07 06 05 04 03 02 01 00 K*_1: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 0F 0E 0D 0C 0B 0A 09 08 07 06 05 04 03 02 01 00
K^1: 66 B8 BD E5 90 6C EC DF FA 8A B2 FD 92 84 EB F0 51 16 8A B6 C8 A8 38 65 54 85 31 A5 D2 BA C3 86 K*_2: 64 7D 5C D5 1C 3D 62 98 BC 09 B1 D8 64 EC D9 B1 6F ED F5 D3 77 57 48 75 35 2B 5F 4D B6 5B E0 15 K^2: 66 B8 BD E5 90 6C EC DF FA 8A B2 FD 92 84 EB F0 51 16 8A B6 C8 A8 38 65 54 85 31 A5 D2 BA C3 86 K*_3: 64 7D 5C D5 1C 3D 62 98 BC 09 B1 D8 64 EC D9 B1 6F ED F5 D3 77 57 48 75 35 2B 5F 4D B6 5B E0 15 K^3: 66 B8 BD E5 90 6C EC DF FA 8A B2 FD 92 84 EB F0 51 16 8A B6 C8 A8 38 65 54 85 31 A5 D2 BA C3 86 ... K*_126: 64 7D 5C D5 1C 3D 62 98 BC 09 B1 D8 64 EC D9 B1 6F ED F5 D3 77 57 48 75 35 2B 5F 4D B6 5B E0 15 K^126: 66 B8 BD E5 90 6C EC DF FA 8A B2 FD 92 84 EB F0 51 16 8A B6 C8 A8 38 65 54 85 31 A5 D2 BA C3 86 K*_127: 64 7D 5C D5 1C 3D 62 98 BC 09 B1 D8 64 EC D9 B1 6F ED F5 D3 77 57 48 75 35 2B 5F 4D B6 5B E0 15 K^127: 66 B8 BD E5 90 6C EC DF FA 8A B2 FD 92 84 EB F0 51 16 8A B6 C8 A8 38 65 54 85 31 A5 D2 BA C3 86 K*_128: 64 7D 5C D5 1C 3D 62 98 BC 09 B1 D8 64 EC D9 B1 6F ED F5 D3 77 57 48 75 35 2B 5F 4D B6 5B E0 15 K^128: 66 B8 BD E5 90 6C EC DF FA 8A B2 FD 92 84 EB F0 51 16 8A B6 C8 A8 38 65 54 85 31 A5 D2 BA C3 86
External re-keying with a serial construction based on SHA-256 ************************************************************** k = 256 t = 128 Initial key: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 0F 0E 0D 0C 0B 0A 09 08 07 06 05 04 03 02 01 00 label1: SHA2label1 label2: SHA2label2 K*_1: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 0F 0E 0D 0C 0B 0A 09 08 07 06 05 04 03 02 01 00 K^1: 2D A8 D1 37 6C FD 52 7F F7 36 A4 E2 81 C6 0A 9B F3 8E 66 97 ED 70 4F B5 FB 10 33 CC EC EE D5 EC K*_2: 14 65 5A D1 7C 19 86 24 9B D3 56 DF CC BE 73 6F 52 62 4A 9D E3 CC 40 6D A9 48 DA 5C D0 68 8A 04 K^2: 2F EA 8D 57 2B EF B8 89 42 54 1B 8C 1B 3F 8D B1 84 F9 56 C7 FE 01 11 99 1D FB 98 15 FE 65 85 CF K*_3: 18 F0 B5 2A D2 45 E1 93 69 53 40 55 43 70 95 8D 70 F0 20 8C DF B0 5D 67 CD 1B BF 96 37 D3 E3 EB K^3: 53 C7 4E 79 AE BC D1 C8 24 04 BF F6 D7 B1 AC BF F9 C0 0E FB A8 B9 48 29 87 37 E1 BA E7 8F F7 92 ... K*_126: A3 6D BF 02 AA 0B 42 4A F2 C0 46 52 68 8B C7 E6 5E F1 62 C3 B3 2F DD EF E4 92 79 5D BB 45 0B CA K^126: 6C 4B D6 22 DC 40 48 0F 29 C3 90 B8 E5 D7 A7 34 23 4D 34 65 2C CE 4A 76 2C FE 2A 42 C8 5B FE 9A
K*_127: 84 5F 49 3D B8 13 1D 39 36 2B BE D3 74 8F 80 A1 05 A7 07 37 BA 15 72 E0 73 49 C2 67 5D 0A 28 A1 K^127: 57 F0 BD 5A B8 2A F3 6B 87 33 CF F7 22 62 B4 D0 F0 EE EF E1 50 74 E5 BA 13 C1 23 68 87 36 29 A2 K*_128: 52 F2 0F 56 5C 9C 56 84 AF 69 AD 45 EE B8 DA 4E 7A A6 04 86 35 16 BA 98 E4 CB 46 D2 E8 9A C1 09 K^128: 9B DD 24 7D F3 25 4A 75 E0 22 68 25 68 DA 9D D5 C1 6D 2D 2B 4F 3F 1F 2B 5E 99 82 7F 15 A1 4F A4A.2. Test Examples for Internal Re-keying
A.2.1. Internal Re-keying Mechanisms that Do Not Require a Master Key
CTR-ACPKM mode with AES-256 *************************** k = 256 n = 128 c = 64 N = 256 Initial key K: 00000: 88 99 AA BB CC DD EE FF 00 11 22 33 44 55 66 77 00010: FE DC BA 98 76 54 32 10 01 23 45 67 89 AB CD EF Plaintext P: 00000: 11 22 33 44 55 66 77 00 FF EE DD CC BB AA 99 88 00010: 00 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00020: 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 00030: 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 00040: 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 00050: 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 33 00060: 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 33 44 ICN: 12 34 56 78 90 AB CE F0 A1 B2 C3 D4 E5 F0 01 12 23 34 45 56 67 78 89 90 12 13 14 15 16 17 18 19 D_1: 00000: 80 81 82 83 84 85 86 87 88 89 8A 8B 8C 8D 8E 8F
D_2: 00000: 90 91 92 93 94 95 96 97 98 99 9A 9B 9C 9D 9E 9F Section_1 Section key K^1: 00000: 88 99 AA BB CC DD EE FF 00 11 22 33 44 55 66 77 00010: FE DC BA 98 76 54 32 10 01 23 45 67 89 AB CD EF Input block CTR_1: 00000: 12 34 56 78 90 AB CE F0 00 00 00 00 00 00 00 00 Output block G_1: 00000: FD 7E F8 9A D9 7E A4 B8 8D B8 B5 1C 1C 9D 6D D0 Input block CTR_2: 00000: 12 34 56 78 90 AB CE F0 00 00 00 00 00 00 00 01 Output block G_2: 00000: 19 98 C5 71 76 37 FB 17 11 E4 48 F0 0C 0D 60 B2 Section_2 Section key K^2: 00000: F6 80 D1 21 2F A4 3D F4 EC 3A 91 DE 2A B1 6F 1B 00010: 36 B0 48 8A 4F C1 2E 09 98 D2 E4 A8 88 E8 4F 3D Input block CTR_3: 00000: 12 34 56 78 90 AB CE F0 00 00 00 00 00 00 00 02 Output block G_3: 00000: E4 88 89 4F B6 02 87 DB 77 5A 07 D9 2C 89 46 EA Input block CTR_4: 00000: 12 34 56 78 90 AB CE F0 00 00 00 00 00 00 00 03 Output block G_4: 00000: BC 4F 87 23 DB F0 91 50 DD B4 06 C3 1D A9 7C A4 Section_3 Section key K^3: 00000: 8E B9 7E 43 27 1A 42 F1 CA 8E E2 5F 5C C7 C8 3B 00010: 1A CE 9E 5E D0 6A A5 3B 57 B9 6A CF 36 5D 24 B8 Input block CTR_5: 00000: 12 34 56 78 90 AB CE F0 00 00 00 00 00 00 00 04
Output block G_5:
00000: 68 6F 22 7D 8F B2 9C BD 05 C8 C3 7D 22 FE 3B B7
Input block CTR_6:
00000: 12 34 56 78 90 AB CE F0 00 00 00 00 00 00 00 05
Output block G_6:
00000: C0 1B F9 7F 75 6E 12 2F 80 59 55 BD DE 2D 45 87
Section_4
Section key K^4:
00000: C5 71 6C C9 67 98 BC 2D 4A 17 87 B7 8A DF 94 AC
00010: E8 16 F8 0B DB BC AD 7D 60 78 12 9C 0C B4 02 F5
Block number 7:
Input block CTR_7:
00000: 12 34 56 78 90 AB CE F0 00 00 00 00 00 00 00 06
Output block G_7:
00000: 03 DE 34 74 AB 9B 65 8A 3B 54 1E F8 BD 2B F4 7D
The result G = G_1 | G_2 | G_3 | G_4 | G_5 | G_6 | G_7:
00000: FD 7E F8 9A D9 7E A4 B8 8D B8 B5 1C 1C 9D 6D D0
00010: 19 98 C5 71 76 37 FB 17 11 E4 48 F0 0C 0D 60 B2
00020: E4 88 89 4F B6 02 87 DB 77 5A 07 D9 2C 89 46 EA
00030: BC 4F 87 23 DB F0 91 50 DD B4 06 C3 1D A9 7C A4
00040: 68 6F 22 7D 8F B2 9C BD 05 C8 C3 7D 22 FE 3B B7
00050: C0 1B F9 7F 75 6E 12 2F 80 59 55 BD DE 2D 45 87
00060: 03 DE 34 74 AB 9B 65 8A 3B 54 1E F8 BD 2B F4 7D
The result ciphertext C = P (xor) MSB_{|P|}(G):
00000: EC 5C CB DE 8C 18 D3 B8 72 56 68 D0 A7 37 F4 58
00010: 19 89 E7 42 32 62 9D 60 99 7D E2 4B C0 E3 9F B8
00020: F5 AA BA 0B E3 64 F0 53 EE F0 BC 15 C2 76 4C EA
00030: 9E 7C C3 76 BD 87 19 C9 77 0F CA 2D E2 A3 7C B5
00040: 5B 2B 77 1B F8 3A 05 17 BE 04 2D 82 28 FE 2A 95
00050: 84 4E 9F 08 FD F7 B8 94 4C B7 AA B7 DE 3C 67 B4
00060: 56 B8 43 FC 32 31 DE 46 D5 AB 14 F8 AC 09 C7 39
GCM-ACPKM mode with AES-128 *************************** k = 128 n = 128 c = 32 N = 256 Initial key K: 00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Additional data A: 00000: 11 22 33 Plaintext: 00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ICN: 00000: 00 00 00 00 00 00 00 00 00 00 00 00 Number of sections: 2 Section key K^1: 00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Section key K^2: 00000: 15 1A 9F B0 B6 AC C5 97 6A FB 50 31 D1 DE C8 41 Encrypted GCTR_1 | GCTR_2 | GCTR_3: 00000: 03 88 DA CE 60 B6 A3 92 F3 28 C2 B9 71 B2 FE 78 00010: F7 95 AA AB 49 4B 59 23 F7 FD 89 FF 94 8B C1 E0 00020: D6 B3 12 46 E9 CE 9F F1 3A B3 42 7E E8 91 96 AD Ciphertext C: 00000: 03 88 DA CE 60 B6 A3 92 F3 28 C2 B9 71 B2 FE 78 00010: F7 95 AA AB 49 4B 59 23 F7 FD 89 FF 94 8B C1 E0 00020: D6 B3 12 46 E9 CE 9F F1 3A B3 42 7E E8 91 96 AD GHASH input: 00000: 11 22 33 00 00 00 00 00 00 00 00 00 00 00 00 00 00010: 03 88 DA CE 60 B6 A3 92 F3 28 C2 B9 71 B2 FE 78 00020: F7 95 AA AB 49 4B 59 23 F7 FD 89 FF 94 8B C1 E0 00030: D6 B3 12 46 E9 CE 9F F1 3A B3 42 7E E8 91 96 AD 00040: 00 00 00 00 00 00 00 18 00 00 00 00 00 00 01 80 GHASH output S: 00000: E8 ED E9 94 9A DD 55 30 B0 F4 4E F5 00 FC 3E 3C
Authentication tag T: 00000: B0 0F 15 5A 60 A3 65 51 86 8B 53 A2 A4 1B 7B 66 The result C | T: 00000: 03 88 DA CE 60 B6 A3 92 F3 28 C2 B9 71 B2 FE 78 00010: F7 95 AA AB 49 4B 59 23 F7 FD 89 FF 94 8B C1 E0 00020: D6 B3 12 46 E9 CE 9F F1 3A B3 42 7E E8 91 96 AD 00030: B0 0F 15 5A 60 A3 65 51 86 8B 53 A2 A4 1B 7B 66A.2.2. Internal Re-keying Mechanisms with a Master Key
CTR-ACPKM-Master mode with AES-256 ********************************** k = 256 n = 128 c for CTR-ACPKM mode = 64 c for CTR-ACPKM-Master mode = 64 N = 256 T* = 512 Initial key K: 00000: 88 99 AA BB CC DD EE FF 00 11 22 33 44 55 66 77 00010: FE DC BA 98 76 54 32 10 01 23 45 67 89 AB CD EF Initial vector ICN: 00000: 12 34 56 78 90 AB CE F0 A1 B2 C3 D4 E5 F0 01 12 Plaintext P: 00000: 11 22 33 44 55 66 77 00 FF EE DD CC BB AA 99 88 00010: 00 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00020: 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 00030: 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 00040: 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 00050: 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 33 00060: 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 33 44 K^1 | K^2 | K^3 | K^4: 00000: 9F 10 BB F1 3A 79 FB BD 4A 4C A8 64 C4 90 74 64 00010: 39 FE 50 6D 4B 86 9B 21 03 A3 B6 A4 79 28 3C 60 00020: 77 91 17 50 E0 D1 77 E5 9A 13 78 2B F1 89 08 D0 00030: AB 6B 59 EE 92 49 05 B3 AB C7 A4 E3 69 65 76 C3 00040: E8 76 2B 30 8B 08 EB CE 3E 93 9A C2 C0 3E 76 D4 00050: 60 9A AB D9 15 33 13 D3 CF D3 94 E7 75 DF 3A 94 00060: F2 EE 91 45 6B DC 3D E4 91 2C 87 C3 29 CF 31 A9 00070: 2F 20 2E 5A C4 9A 2A 65 31 33 D6 74 8C 4F F9 12
Section_1 K^1: 00000: 9F 10 BB F1 3A 79 FB BD 4A 4C A8 64 C4 90 74 64 00010: 39 FE 50 6D 4B 86 9B 21 03 A3 B6 A4 79 28 3C 60 Input block CTR_1: 00000: 12 34 56 78 90 AB CE F0 00 00 00 00 00 00 00 00 Output block G_1: 00000: 8C A2 B6 82 A7 50 65 3F 8E BF 08 E7 9F 99 4D 5C Input block CTR_2: 00000: 12 34 56 78 90 AB CE F0 00 00 00 00 00 00 00 01 Output block G_2: 00000: F6 A6 A5 BA 58 14 1E ED 23 DC 31 68 D2 35 89 A1 Section_2 K^2: 00000: 77 91 17 50 E0 D1 77 E5 9A 13 78 2B F1 89 08 D0 00010: AB 6B 59 EE 92 49 05 B3 AB C7 A4 E3 69 65 76 C3 Input block CTR_3: 00000: 12 34 56 78 90 AB CE F0 00 00 00 00 00 00 00 02 Output block G_3: 00000: 4A 07 5F 86 05 87 72 94 1D 8E 7D F8 32 F4 23 71 Input block CTR_4: 00000: 12 34 56 78 90 AB CE F0 00 00 00 00 00 00 00 03 Output block G_4: 00000: 23 35 66 AF 61 DD FE A7 B1 68 3F BA B0 52 4A D7 Section_3 K^3: 00000: E8 76 2B 30 8B 08 EB CE 3E 93 9A C2 C0 3E 76 D4 00010: 60 9A AB D9 15 33 13 D3 CF D3 94 E7 75 DF 3A 94 Input block CTR_5: 00000: 12 34 56 78 90 AB CE F0 00 00 00 00 00 00 00 04
Output block G_5:
00000: A8 09 6D BC E8 BB 52 FC DE 6E 03 70 C1 66 95 E8
Input block CTR_6:
00000: 12 34 56 78 90 AB CE F0 00 00 00 00 00 00 00 05
Output block G_6:
00000: C6 E3 6E 8E 5B 82 AA C4 A6 6C 14 8D B1 F6 9B EF
Section_4
K^4:
00000: F2 EE 91 45 6B DC 3D E4 91 2C 87 C3 29 CF 31 A9
00010: 2F 20 2E 5A C4 9A 2A 65 31 33 D6 74 8C 4F F9 12
Input block CTR_7:
00000: 12 34 56 78 90 AB CE F0 00 00 00 00 00 00 00 06
Output block G_7:
00000: 82 2B E9 07 96 37 44 95 75 36 3F A7 07 F8 40 22
The result G = G_1 | G_2 | G_3 | G_4 | G_5 | G_6 | G_7:
00000: 8C A2 B6 82 A7 50 65 3F 8E BF 08 E7 9F 99 4D 5C
00010: F6 A6 A5 BA 58 14 1E ED 23 DC 31 68 D2 35 89 A1
00020: 4A 07 5F 86 05 87 72 94 1D 8E 7D F8 32 F4 23 71
00030: 23 35 66 AF 61 DD FE A7 B1 68 3F BA B0 52 4A D7
00040: A8 09 6D BC E8 BB 52 FC DE 6E 03 70 C1 66 95 E8
00050: C6 E3 6E 8E 5B 82 AA C4 A6 6C 14 8D B1 F6 9B EF
00060: 82 2B E9 07 96 37 44 95 75 36 3F A7 07 F8 40 22
The result ciphertext C = P (xor) MSB_{|P|}(G):
00000: 9D 80 85 C6 F2 36 12 3F 71 51 D5 2B 24 33 D4 D4
00010: F6 B7 87 89 1C 41 78 9A AB 45 9B D3 1E DB 76 AB
00020: 5B 25 6C C2 50 E1 05 1C 84 24 C6 34 DC 0B 29 71
00030: 01 06 22 FA 07 AA 76 3E 1B D3 F3 54 4F 58 4A C6
00040: 9B 4D 38 DA 9F 33 CB 56 65 A2 ED 8F CB 66 84 CA
00050: 82 B6 08 F9 D3 1B 00 7F 6A 82 EB 87 B1 E7 B9 DC
00060: D7 4D 9E 8F 0F 9D FF 59 9B C9 35 A7 16 DA 73 66
GCM-ACPKM-Master mode with AES-256 ********************************** k = 192 n = 128 c for the CTR-ACPKM mode = 64 c for the GCM-ACPKM-Master mode = 32 T* = 384 N = 256 Initial key K: 00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00010: 00 00 00 00 00 00 00 00 Additional data A: 00000: 11 22 33 Plaintext: 00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ICN: 00000: 00 00 00 00 00 00 00 00 00 00 00 00 Number of sections: 3 K^1 | K^2 | K^3: 00000: 93 BA AF FB 35 FB E7 39 C1 7C 6A C2 2E EC F1 8F 00010: 7B 89 F0 BF 8B 18 07 05 96 48 68 9F 36 A7 65 CC 00020: CD 5D AC E2 0D 47 D9 18 D7 86 D0 41 A8 3B AB 99 00030: F5 F8 B1 06 D2 71 78 B1 B0 08 C9 99 0B 72 E2 87 00040: 5A 2D 3C BE F1 6E 67 3C Encrypted GCTR_1 | ... | GCTR_5 00000: 43 FA 71 81 64 B1 E3 D7 1E 7B 65 39 A7 02 1D 52 00010: 69 9B 9E 1B 43 24 B7 52 95 74 E7 90 F2 BE 60 E8 00020: 11 62 C9 90 2A 2B 77 7F D9 6A D6 1A 99 E0 C6 DE 00030: 4B 91 D4 29 E3 1A 8C 11 AF F0 BC 47 F6 80 AF 14 00040: 40 1C C1 18 14 63 8E 76 24 83 37 75 16 34 70 08 Ciphertext C: 00000: 43 FA 71 81 64 B1 E3 D7 1E 7B 65 39 A7 02 1D 52 00010: 69 9B 9E 1B 43 24 B7 52 95 74 E7 90 F2 BE 60 E8 00020: 11 62 C9 90 2A 2B 77 7F D9 6A D6 1A 99 E0 C6 DE 00030: 4B 91 D4 29 E3 1A 8C 11 AF F0 BC 47 F6 80 AF 14 00040: 40 1C C1 18 14 63 8E 76 24 83 37 75 16 34 70 08
GHASH input: 00000: 11 22 33 00 00 00 00 00 00 00 00 00 00 00 00 00 00010: 43 FA 71 81 64 B1 E3 D7 1E 7B 65 39 A7 02 1D 52 00020: 69 9B 9E 1B 43 24 B7 52 95 74 E7 90 F2 BE 60 E8 00030: 11 62 C9 90 2A 2B 77 7F D9 6A D6 1A 99 E0 C6 DE 00040: 4B 91 D4 29 E3 1A 8C 11 AF F0 BC 47 F6 80 AF 14 00050: 40 1C C1 18 14 63 8E 76 24 83 37 75 16 34 70 08 00060: 00 00 00 00 00 00 00 18 00 00 00 00 00 00 02 80 GHASH output S: 00000: 6E A3 4B D5 6A C5 40 B7 3E 55 D5 86 D1 CC 09 7D Authentication tag T: 00050: CC 3A BA 11 8C E7 85 FD 77 78 94 D4 B5 20 69 F8 The result C | T: 00000: 43 FA 71 81 64 B1 E3 D7 1E 7B 65 39 A7 02 1D 52 00010: 69 9B 9E 1B 43 24 B7 52 95 74 E7 90 F2 BE 60 E8 00020: 11 62 C9 90 2A 2B 77 7F D9 6A D6 1A 99 E0 C6 DE 00030: 4B 91 D4 29 E3 1A 8C 11 AF F0 BC 47 F6 80 AF 14 00040: 40 1C C1 18 14 63 8E 76 24 83 37 75 16 34 70 08 00050: CC 3A BA 11 8C E7 85 FD 77 78 94 D4 B5 20 69 F8 CBC-ACPKM-Master mode with AES-256 ********************************** k = 256 n = 128 c for the CTR-ACPKM mode = 64 N = 256 T* = 512 Initial key K: 00000: 88 99 AA BB CC DD EE FF 00 11 22 33 44 55 66 77 00010: FE DC BA 98 76 54 32 10 01 23 45 67 89 AB CD EF Initial vector IV: 00000: 12 34 56 78 90 AB CE F0 A1 B2 C3 D4 E5 F0 01 12 Plaintext P: 00000: 11 22 33 44 55 66 77 00 FF EE DD CC BB AA 99 88 00010: 00 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00020: 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 00030: 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 00040: 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 00050: 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 33 00060: 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 33 44
K^1 | K^2 | K^3 | K^4: 00000: 9F 10 BB F1 3A 79 FB BD 4A 4C A8 64 C4 90 74 64 00010: 39 FE 50 6D 4B 86 9B 21 03 A3 B6 A4 79 28 3C 60 00020: 77 91 17 50 E0 D1 77 E5 9A 13 78 2B F1 89 08 D0 00030: AB 6B 59 EE 92 49 05 B3 AB C7 A4 E3 69 65 76 C3 00040: E8 76 2B 30 8B 08 EB CE 3E 93 9A C2 C0 3E 76 D4 00050: 60 9A AB D9 15 33 13 D3 CF D3 94 E7 75 DF 3A 94 00060: F2 EE 91 45 6B DC 3D E4 91 2C 87 C3 29 CF 31 A9 00070: 2F 20 2E 5A C4 9A 2A 65 31 33 D6 74 8C 4F F9 12 Section_1 K^1: 00000: 9F 10 BB F1 3A 79 FB BD 4A 4C A8 64 C4 90 74 64 00010: 39 FE 50 6D 4B 86 9B 21 03 A3 B6 A4 79 28 3C 60 Plaintext block P_1: 00000: 11 22 33 44 55 66 77 00 FF EE DD CC BB AA 99 88 Input block P_1 (xor) C_0: 00000: 03 16 65 3C C5 CD B9 F0 5E 5C 1E 18 5E 5A 98 9A Output block C_1: 00000: 59 CB 5B CA C2 69 2C 60 0D 46 03 A0 C7 40 C9 7C Plaintext block P_2: 00000: 00 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A Input block P_2 (xor) C_1: 00000: 59 DA 79 F9 86 3C 4A 17 85 DF A9 1B 0B AE 36 76 Output block C_2: 00000: 80 B6 02 74 54 8B F7 C9 78 1F A1 05 8B F6 8B 42 Section_2 K^2: 00000: 77 91 17 50 E0 D1 77 E5 9A 13 78 2B F1 89 08 D0 00010: AB 6B 59 EE 92 49 05 B3 AB C7 A4 E3 69 65 76 C3 Plaintext block P_3: 00000: 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 Input block P_3 (xor) C_2: 00000: 91 94 31 30 01 ED 80 41 E1 B5 1A C9 65 09 81 42 Output block C_3: 00000: 8C 24 FB CF 68 15 B1 AF 65 FE 47 75 95 B4 97 59
Plaintext block P_4: 00000: 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 Input block P_4 (xor) C_3: 00000: AE 17 BF 9A 0E 62 39 36 CF 45 8B 9B 6A BE 97 48 Output block C_4: 00000: 19 65 A5 00 58 0D 50 23 72 1B E9 90 E1 83 30 E9 Section_3 K^3: 00000: E8 76 2B 30 8B 08 EB CE 3E 93 9A C2 C0 3E 76 D4 00010: 60 9A AB D9 15 33 13 D3 CF D3 94 E7 75 DF 3A 94 Plaintext block P_5: 00000: 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 Input block P_5 (xor) C_4: 00000: 2A 21 F0 66 2F 85 C9 89 C9 D7 07 6F EB 83 21 CB Output block C_5: 00000: 56 D8 34 F4 6F 0F 4D E6 20 53 A9 5C B5 F6 3C 14 Plaintext block P_6: 00000: 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 33 Input block P_6 (xor) C_5: 00000: 12 8D 52 83 E7 96 E7 5D EC BD 56 56 B5 E7 1E 27 Output block C_6: 00000: 66 68 2B 8B DD 6E B2 7E DE C7 51 D6 2F 45 A5 45 Section_4 K^4: 00000: F2 EE 91 45 6B DC 3D E4 91 2C 87 C3 29 CF 31 A9 00010: 2F 20 2E 5A C4 9A 2A 65 31 33 D6 74 8C 4F F9 12 Plaintext block P_7: 00000: 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 33 44 Input block P_7 (xor) C_6: 00000: 33 0E 5C 03 44 C4 09 B2 30 38 5B D6 3E 67 96 01 Output block C_7: 00000: 7F 4D 87 F9 CA E9 56 09 79 C4 FA FE 34 0B 45 34
Ciphertext C: 00000: 59 CB 5B CA C2 69 2C 60 0D 46 03 A0 C7 40 C9 7C 00010: 80 B6 02 74 54 8B F7 C9 78 1F A1 05 8B F6 8B 42 00020: 8C 24 FB CF 68 15 B1 AF 65 FE 47 75 95 B4 97 59 00030: 19 65 A5 00 58 0D 50 23 72 1B E9 90 E1 83 30 E9 00040: 56 D8 34 F4 6F 0F 4D E6 20 53 A9 5C B5 F6 3C 14 00050: 66 68 2B 8B DD 6E B2 7E DE C7 51 D6 2F 45 A5 45 00060: 7F 4D 87 F9 CA E9 56 09 79 C4 FA FE 34 0B 45 34 CFB-ACPKM-Master mode with AES-256 ********************************** k = 256 n = 128 c for the CTR-ACPKM mode = 64 N = 256 T* = 512 Initial key K: 00000: 88 99 AA BB CC DD EE FF 00 11 22 33 44 55 66 77 00010: FE DC BA 98 76 54 32 10 01 23 45 67 89 AB CD EF Initial vector IV: 00000: 12 34 56 78 90 AB CE F0 A1 B2 C3 D4 E5 F0 01 12 Plaintext P: 00000: 11 22 33 44 55 66 77 00 FF EE DD CC BB AA 99 88 00010: 00 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00020: 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 00030: 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 00040: 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 00050: 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 33 00060: 55 66 77 88 99 AA BB CC K^1 | K^2 | K^3 | K^4 00000: 9F 10 BB F1 3A 79 FB BD 4A 4C A8 64 C4 90 74 64 00010: 39 FE 50 6D 4B 86 9B 21 03 A3 B6 A4 79 28 3C 60 00020: 77 91 17 50 E0 D1 77 E5 9A 13 78 2B F1 89 08 D0 00030: AB 6B 59 EE 92 49 05 B3 AB C7 A4 E3 69 65 76 C3 00040: E8 76 2B 30 8B 08 EB CE 3E 93 9A C2 C0 3E 76 D4 00050: 60 9A AB D9 15 33 13 D3 CF D3 94 E7 75 DF 3A 94 00060: F2 EE 91 45 6B DC 3D E4 91 2C 87 C3 29 CF 31 A9 00070: 2F 20 2E 5A C4 9A 2A 65 31 33 D6 74 8C 4F F9 12
Section_1
K^1:
00000: 9F 10 BB F1 3A 79 FB BD 4A 4C A8 64 C4 90 74 64
00010: 39 FE 50 6D 4B 86 9B 21 03 A3 B6 A4 79 28 3C 60
Plaintext block P_1:
00000: 11 22 33 44 55 66 77 00 FF EE DD CC BB AA 99 88
Encrypted block E_{K^1}(C_0):
00000: 1C 39 9D 59 F8 5D 91 91 A9 D2 12 9F 63 15 90 03
Output block C_1 = E_{K^1}(C_0) (xor) P_1:
00000: 0D 1B AE 1D AD 3B E6 91 56 3C CF 53 D8 BF 09 8B
Plaintext block P_2:
00000: 00 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A
Encrypted block E_{K^1}(C_1):
00000: 6B A2 C5 42 52 69 C6 0B 15 14 06 87 90 46 F6 2E
Output block C_2 = E_{K^1}(C_1) (xor) P_2:
00000: 6B B3 E7 71 16 3C A0 7C 9D 8D AC 3C 5C A8 09 24
Section_2
K^2:
00000: 77 91 17 50 E0 D1 77 E5 9A 13 78 2B F1 89 08 D0
00010: AB 6B 59 EE 92 49 05 B3 AB C7 A4 E3 69 65 76 C3
Plaintext block P_3:
00000: 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00
Encrypted block E_{K^2}(C_2):
00000: 95 45 5F DB C3 9E 0A 13 9F CB 10 F5 BD 79 A3 88
Output block C_3 = E_{K^2}(C_2) (xor) P_3:
00000: 84 67 6C 9F 96 F8 7D 9B 06 61 AB 39 53 86 A9 88
Plaintext block P_4:
00000: 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11
Encrypted block E_{K^2}(C_3):
00000: E0 AA 32 5D 80 A4 47 95 BA 42 BF 63 F8 4A C8 B2
Output block C_4 = E_{K^2}(C_3) (xor) P_4:
00000: C2 99 76 08 E6 D3 CF 0C 10 F9 73 8D 07 40 C8 A3
Section_3
K^3:
00000: E8 76 2B 30 8B 08 EB CE 3E 93 9A C2 C0 3E 76 D4
00010: 60 9A AB D9 15 33 13 D3 CF D3 94 E7 75 DF 3A 94
Plaintext block P_5:
00000: 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22
Encrypted block E_{K^3}(C_4):
00000: FE 42 8C 70 C2 51 CE 13 36 C1 BF 44 F8 49 66 89
Output block C_5 = E_{K^3}(C_4) (xor) P_5:
00000: CD 06 D9 16 B5 D9 57 B9 8D 0D 51 BB F2 49 77 AB
Plaintext block P_6:
00000: 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 33
Encrypted block E_{K^3}(C_5):
00000: 01 24 80 87 86 18 A5 43 11 0A CC B5 0A E5 02 A3
Output block C_6 = E_{K^3}(C_5) (xor) P_6:
00000: 45 71 E6 F0 0E 81 0F F8 DD E4 33 BF 0A F4 20 90
Section_4
K^4:
00000: F2 EE 91 45 6B DC 3D E4 91 2C 87 C3 29 CF 31 A9
00010: 2F 20 2E 5A C4 9A 2A 65 31 33 D6 74 8C 4F F9 12
Plaintext block P_7:
00000: 55 66 77 88 99 AA BB CC
Encrypted block MSB_{|P_7|}(E_{K^4}(C_6)):
00000: 97 5C 96 37 55 1E 8C 7F
Output block C_7 = MSB_{|P_7|}(E_{K^4}(C_6)) (xor) P_7
00000: C2 3A E1 BF CC B4 37 B3
Ciphertext C:
00000: 0D 1B AE 1D AD 3B E6 91 56 3C CF 53 D8 BF 09 8B
00010: 6B B3 E7 71 16 3C A0 7C 9D 8D AC 3C 5C A8 09 24
00020: 84 67 6C 9F 96 F8 7D 9B 06 61 AB 39 53 86 A9 88
00030: C2 99 76 08 E6 D3 CF 0C 10 F9 73 8D 07 40 C8 A3
00040: CD 06 D9 16 B5 D9 57 B9 8D 0D 51 BB F2 49 77 AB
00050: 45 71 E6 F0 0E 81 0F F8 DD E4 33 BF 0A F4 20 90
00060: C2 3A E1 BF CC B4 37 B3
OMAC-ACPKM-Master mode with AES-256 *********************************** k = 256 n = 128 c for the CTR-ACPKM mode = 64 N = 256 T* = 768 Initial key K: 00000: 88 99 AA BB CC DD EE FF 00 11 22 33 44 55 66 77 00010: FE DC BA 98 76 54 32 10 01 23 45 67 89 AB CD EF Plaintext M: 00000: 11 22 33 44 55 66 77 00 FF EE DD CC BB AA 99 88 00010: 00 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00020: 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 00030: 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 00040: 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 K^1 | K^1_1 | K^2 | K^2_1 | K^3 | K^3_1: 00000: 9F 10 BB F1 3A 79 FB BD 4A 4C A8 64 C4 90 74 64 00010: 39 FE 50 6D 4B 86 9B 21 03 A3 B6 A4 79 28 3C 60 00020: 77 91 17 50 E0 D1 77 E5 9A 13 78 2B F1 89 08 D0 00030: AB 6B 59 EE 92 49 05 B3 AB C7 A4 E3 69 65 76 C3 00040: 9D CC 66 42 0D FF 45 5B 21 F3 93 F0 D4 D6 6E 67 00050: BB 1B 06 0B 87 66 6D 08 7A 9D A7 49 55 C3 5B 48 00060: F2 EE 91 45 6B DC 3D E4 91 2C 87 C3 29 CF 31 A9 00070: 2F 20 2E 5A C4 9A 2A 65 31 33 D6 74 8C 4F F9 12 00080: 78 21 C7 C7 6C BD 79 63 56 AC F8 8E 69 6A 00 07 Section_1 K^1: 00000: 9F 10 BB F1 3A 79 FB BD 4A 4C A8 64 C4 90 74 64 00010: 39 FE 50 6D 4B 86 9B 21 03 A3 B6 A4 79 28 3C 60 K^1_1: 00000: 77 91 17 50 E0 D1 77 E5 9A 13 78 2B F1 89 08 D0 Plaintext block M_1: 00000: 11 22 33 44 55 66 77 00 FF EE DD CC BB AA 99 88 Input block M_1 (xor) C_0: 00000: 11 22 33 44 55 66 77 00 FF EE DD CC BB AA 99 88 Output block C_1: 00000: 0B A5 89 BF 55 C1 15 42 53 08 89 76 A0 FE 24 3E
Plaintext block M_2: 00000: 00 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A Input block M_2 (xor) C_1: 00000: 0B B4 AB 8C 11 94 73 35 DB 91 23 CD 6C 10 DB 34 Output block C_2: 00000: 1C 53 DD A3 6D DC E1 17 ED 1F 14 09 D8 6A F3 2C Section_2 K^2: 00000: AB 6B 59 EE 92 49 05 B3 AB C7 A4 E3 69 65 76 C3 00010: 9D CC 66 42 0D FF 45 5B 21 F3 93 F0 D4 D6 6E 67 K^2_1: 00000: BB 1B 06 0B 87 66 6D 08 7A 9D A7 49 55 C3 5B 48 Plaintext block M_3: 00000: 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 Input block M_3 (xor) C_2: 00000: 0D 71 EE E7 38 BA 96 9F 74 B5 AF C5 36 95 F9 2C Output block C_3: 00000: 4E D4 BC A6 CE 6D 6D 16 F8 63 85 13 E0 48 59 75 Plaintext block M_4: 00000: 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 Input block M_4 (xor) C_3: 00000: 6C E7 F8 F3 A8 1A E5 8F 52 D8 49 FD 1F 42 59 64 Output block C_4: 00000: B6 83 E3 96 FD 30 CD 46 79 C1 8B 24 03 82 1D 81 Section_3 K^3: 00000: F2 EE 91 45 6B DC 3D E4 91 2C 87 C3 29 CF 31 A9 00010: 2F 20 2E 5A C4 9A 2A 65 31 33 D6 74 8C 4F F9 12 K^3_1: 00000: 78 21 C7 C7 6C BD 79 63 56 AC F8 8E 69 6A 00 07 MSB1(K1) == 0 -> K2 = K1 << 1
K1: 00000: 78 21 C7 C7 6C BD 79 63 56 AC F8 8E 69 6A 00 07 K2: 00000: F0 43 8F 8E D9 7A F2 C6 AD 59 F1 1C D2 D4 00 0E Plaintext M_5: 00000: 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 Using K1, padding is not required Input block M_5 (xor) C_4: 00000: FD E6 71 37 E6 05 2D 8F 94 A1 9D 55 60 E8 0C A4 Output block C_5: 00000: B3 AD B8 92 18 32 05 4C 09 21 E7 B8 08 CF A0 B8 Message authentication code T: 00000: B3 AD B8 92 18 32 05 4C 09 21 E7 B8 08 CF A0 B8
Acknowledgments
We thank Mihir Bellare, Scott Fluhrer, Dorothy Cooley, Yoav Nir, Jim Schaad, Paul Hoffman, Dmitry Belyavsky, Yaron Sheffer, Alexey Melnikov, and Spencer Dawkins for their useful comments.Contributors
Russ Housley Vigil Security, LLC housley@vigilsec.com Evgeny Alekseev CryptoPro alekseev@cryptopro.ru Ekaterina Smyshlyaeva CryptoPro ess@cryptopro.ru Shay Gueron University of Haifa, Israel Intel Corporation, Israel Development Center, Israel shay.gueron@gmail.com Daniel Fox Franke Akamai Technologies dfoxfranke@gmail.com Lilia Ahmetzyanova CryptoPro lah@cryptopro.ruAuthor's Address
Stanislav Smyshlyaev (editor) CryptoPro 18, Suschevskiy val Moscow 127018 Russian Federation Phone: +7 (495) 995-48-20 Email: svs@cryptopro.ru