Tech-invite3GPPspaceIETF RFCsSIP
929190898887868584838281807978777675747372717069686766656463626160595857565554535251504948474645444342414039383736353433323130292827262524232221201918171615141312111009080706050403020100
in Index   Prev   Next

RFC 8645

Re-keying Mechanisms for Symmetric Keys

Pages: 69
Informational
Part 3 of 3 – Pages 44 to 69
First   Prev   None

Top   ToC   RFC8645 - Page 44   prevText

10. References

10.1. Normative References

[CMS] Housley, R., "Cryptographic Message Syntax (CMS)", STD 70, RFC 5652, DOI 10.17487/RFC5652, September 2009, <https://www.rfc-editor.org/info/rfc5652>. [DTLS] Rescorla, E. and N. Modadugu, "Datagram Transport Layer Security Version 1.2", RFC 6347, DOI 10.17487/RFC6347, January 2012, <https://www.rfc-editor.org/info/rfc6347>. [ESP] Kent, S., "IP Encapsulating Security Payload (ESP)", RFC 4303, DOI 10.17487/RFC4303, December 2005, <https://www.rfc-editor.org/info/rfc4303>. [GCM] Dworkin, M., "Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC", NIST Special Publication 800-38D, DOI 10.6028/NIST.SP.800-38D, November 2007, <http://nvlpubs.nist.gov/nistpubs/Legacy/SP/ nistspecialpublication800-38d.pdf>. [MODES] Dworkin, M., "Recommendation for Block Cipher Modes of Operation: Methods and Techniques", NIST Special Publication 800-38A, DOI 10.6028/NIST.SP.800-38A, December 2001. [NISTSP800-108] National Institute of Standards and Technology, "Recommendation for Key Derivation Using Pseudorandom Functions", NIST Special Publication 800-108, October 2009, <http://nvlpubs.nist.gov/nistpubs/Legacy/SP/ nistspecialpublication800-108.pdf>. [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, <https://www.rfc-editor.org/info/rfc2119>. [RFC4493] Song, JH., Poovendran, R., Lee, J., and T. Iwata, "The AES-CMAC Algorithm", RFC 4493, DOI 10.17487/RFC4493, June 2006, <https://www.rfc-editor.org/info/rfc4493>. [RFC5869] Krawczyk, H. and P. Eronen, "HMAC-based Extract-and-Expand Key Derivation Function (HKDF)", RFC 5869, DOI 10.17487/RFC5869, May 2010, <https://www.rfc-editor.org/info/rfc5869>.
Top   ToC   RFC8645 - Page 45
   [RFC7836]  Smyshlyaev, S., Ed., Alekseev, E., Oshkin, I., Popov, V.,
              Leontiev, S., Podobaev, V., and D. Belyavsky, "Guidelines
              on the Cryptographic Algorithms to Accompany the Usage of
              Standards GOST R 34.10-2012 and GOST R 34.11-2012",
              RFC 7836, DOI 10.17487/RFC7836, March 2016,
              <https://www.rfc-editor.org/info/rfc7836>.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017, <https://www.rfc-editor.org/info/rfc8174>.

   [SSH]      Ylonen, T. and C. Lonvick, Ed., "The Secure Shell (SSH)
              Transport Layer Protocol", RFC 4253, DOI 10.17487/RFC4253,
              January 2006, <https://www.rfc-editor.org/info/rfc4253>.

   [TLS]      Rescorla, E., "The Transport Layer Security (TLS) Protocol
              Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018,
              <https://www.rfc-editor.org/info/rfc8446>.

10.2. Informative References

[AAOS2017] Ahmetzyanova, L., Alekseev, E., Oshkin, I., and S. Smyshlyaev, "Increasing the Lifetime of Symmetric Keys for the GCM Mode by Internal Re-keying", Cryptology ePrint Archive, Report 2017/697, 2017, <https://eprint.iacr.org/2017/697.pdf>. [AbBell] Abdalla, M. and M. Bellare, "Increasing the Lifetime of a Key: A Comparative Analysis of the Security of Re-keying Techniques", ASIACRYPT 2000, Lecture Notes in Computer Science, Volume 1976, pp. 546-559, DOI 10.1007/3-540-44448-3_42, October 2000. [AESDUKPT] American National Standards Institute, "Retail Financial Services Symmetric Key Management - Part 3: Derived Unique Key Per Transaction", ANSI X9.24-3-2017, October 2017. [FKK2005] Fu, K., Kamara, S., and T. Kohno, "Key Regression: Enabling Efficient Key Distribution for Secure Distributed Storage", November 2005, <https://homes.cs.washington.edu/ ~yoshi/papers/KR/NDSS06.pdf>.
Top   ToC   RFC8645 - Page 46
   [FPS2012]  Faust, S., Pietrzak, K., and J. Schipper, "Practical
              Leakage-Resilient Symmetric Cryptography", Cryptographic
              Hardware and Embedded Systems (CHES), Lecture Notes in
              Computer Science, Volume 7428, pp. 213-232,
              DOI 10.1007/978-3-642-33027-8_13, 2012,
              <https://link.springer.com/content/
              pdf/10.1007%2F978-3-642-33027-8_13.pdf>.

   [FRESHREKEYING]
              Dziembowski, S., Faust, S., Herold, G., Journault, A.,
              Masny, D., and F. Standaert, "Towards Sound Fresh
              Re-Keying with Hard (Physical) Learning Problems",
              Cryptology ePrint Archive, Report 2016/573, June 2016,
              <https://eprint.iacr.org/2016/573>.

   [GGM]      Goldreich, O., Goldwasser, S., and S. Micali, "How to
              Construct Random Functions", Journal of the Association
              for Computing Machinery, Volume 33, No. 4, pp. 792-807,
              DOI 10.1145/6490.6503, October 1986,
              <https://dl.acm.org/citation.cfm?doid=6490.6503>.

   [KMNT2003] Kim, Y., Maino, F., Narasimha, M., and G. Tsudik, "Secure
              Group Services for Storage Area Networks",
              IEEE Communications Magazine 41, Number 8, pp. 92-99,
              DOI 10.1109/SISW.2002.1183514, August 2003,
              <https://ieeexplore.ieee.org/document/1183514>.

   [LDC]      Heys, H., "A Tutorial on Linear and Differential
              Cryptanalysis", 2001, <https://citeseerx.ist.psu.edu/
              viewdoc/citations?doi=10.1.1.2.2759>.

   [OWT]      Joye, M. and S. Yen, "One-Way Cross-Trees and Their
              Applications", Public Key Cryptography (PKC), Lecture
              Notes in Computer Science, Volume 2274,
              DOI 10.1007/3-540-45664-3_25, February 2002,
              <https://link.springer.com/content/
              pdf/10.1007%2F3-540-45664-3_25.pdf>.

   [P3]       Alexander, P., "Subject: [Cfrg] Dynamic Key Changes on
              Encrypted Sessions. - Draft I-D Attached", message to
              the CFRG mailing list, 4 November 2017,
              <https://mailarchive.ietf.org/arch/msg/cfrg/
              ecTR3Hb-DFfrPCVmY0ghyYOEcxU>.
Top   ToC   RFC8645 - Page 47
   [Pietrzak2009]
              Pietrzak, K., "A Leakage-Resilient Mode of Operation",
              EUROCRYPT 2009, Lecture Notes in Computer Science, Volume
              5479, pp. 462-482, DOI 10.1007/978-3-642-01001-9_27, April
              2009, <https://iacr.org/archive/eurocrypt2009/
              54790461/54790461.pdf>.

   [SIGNAL]   Perrin, T., Ed. and M. Marlinspike, "The Double Ratchet
              Algorithm", November 2016, <https://signal.org/docs/
              specifications/doubleratchet/doubleratchet.pdf>.

   [Sweet32]  Bhargavan, K. and G. Leurent, "On the Practical
              (In-)Security of 64-bit Block Ciphers: Collision Attacks
              on HTTP over TLS and OpenVPN", Proceedings of the 2016 ACM
              SIGSAC Conference on Computer and Communications
              Security, pp. 456-467, DOI 10.1145/2976749.2978423,
              October 2016, <https://sweet32.info/SWEET32_CCS16.pdf>.

   [TAHA]     Taha, M. and P. Schaumont, "Key Updating for Leakage
              Resiliency With Application to AES Modes of Operation",
              IEEE Transactions on Information Forensics and Security,
              DOI 10.1109/TIFS.2014.2383359, December 2014,
              <http://ieeexplore.ieee.org/document/6987331/>.

   [TEMPEST]  Ramsay, C. and J. Lohuis, "TEMPEST attacks against AES.
              Covertly stealing keys for 200 euro", June 2017,
              <https://www.fox-it.com/en/wp-content/uploads/sites/11/
              Tempest_attacks_against_AES.pdf>.

   [U2F]      Chang, D., Mishra, S., Sanadhya, S., and A. Singh, "On
              Making U2F Protocol Leakage-Resilient via Re-keying",
              Cryptology ePrint Archive, Report 2017/721, August 2017,
              <https://eprint.iacr.org/2017/721.pdf>.
Top   ToC   RFC8645 - Page 48

Appendix A. Test Examples

A.1. Test Examples for External Re-keying

A.1.1. External Re-keying with a Parallel Construction

External re-keying with a parallel construction based on AES-256 **************************************************************** k = 256 t = 128 Initial key: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 0F 0E 0D 0C 0B 0A 09 08 07 06 05 04 03 02 01 00 K^1: 51 16 8A B6 C8 A8 38 65 54 85 31 A5 D2 BA C3 86 64 7D 5C D5 1C 3D 62 98 BC 09 B1 D8 64 EC D9 B1 K^2: 6F ED F5 D3 77 57 48 75 35 2B 5F 4D B6 5B E0 15 B8 02 92 32 D8 D3 8D 73 FE DC DD C6 C8 36 78 BD K^3: B6 40 24 85 A4 24 BD 35 B4 26 43 13 76 26 70 B6 5B F3 30 3D 3B 20 EB 14 D1 3B B7 91 74 E3 DB EC ... K^126: 2F 3F 15 1B 53 88 23 CD 7D 03 FC 3D FD B3 57 5E 23 E4 1C 4E 46 FF 6B 33 34 12 27 84 EF 5D 82 23 K^127: 8E 51 31 FB 0B 64 BB D0 BC D4 C5 7B 1C 66 EF FD 97 43 75 10 6C AF 5D 5E 41 E0 17 F4 05 63 05 ED K^128: 77 4F BF B3 22 60 C5 3B A3 8E FE B1 96 46 76 41 94 49 AF 84 2D 84 65 A7 F4 F7 2C DC A4 9D 84 F9 External re-keying with a parallel construction based on SHA-256 **************************************************************** k = 256 t = 128 label: SHA2label
Top   ToC   RFC8645 - Page 49
   Initial key:
   00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   0F 0E 0D 0C 0B 0A 09 08 07 06 05 04 03 02 01 00

   K^1:
   C1 A1 4C A0 30 29 BE 43 9F 35 3C 79 1A 51 48 57
   26 7A CD 5A E8 7D E7 D1 B2 E2 C7 AF A4 29 BD 35

   K^2:
   03 68 BB 74 41 2A 98 ED C4 7B 94 CC DF 9C F4 9E
   A9 B8 A9 5F 0E DC 3C 1E 3B D2 59 4D D1 75 82 D4

   K^3:
   2F D3 68 D3 A7 8F 91 E6 3B 68 DC 2B 41 1D AC 80
   0A C3 14 1D 80 26 3E 61 C9 0D 24 45 2A BD B1 AE

   ...

   K^126:
   55 AC 2B 25 00 78 3E D4 34 2B 65 0E 75 E5 8B 76
   C8 04 E9 D3 B6 08 7D C0 70 2A 99 A4 B5 85 F1 A1

   K^127:
   77 4D 15 88 B0 40 90 E5 8C 6A D7 5D 0F CF 0A 4A
   6C 23 F1 B3 91 B1 EF DF E5 77 64 CD 09 F5 BC AF

   K^128:
   E5 81 FF FB 0C 90 88 CD E5 F4 A5 57 B6 AB D2 2E
   94 C3 42 06 41 AB C1 72 66 CC 2F 59 74 9C 86 B3

A.1.2. External Re-keying with a Serial Construction

External re-keying with a serial construction based on AES-256 ************************************************************** AES 256 examples: k = 256 t = 128 Initial key: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 0F 0E 0D 0C 0B 0A 09 08 07 06 05 04 03 02 01 00 K*_1: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 0F 0E 0D 0C 0B 0A 09 08 07 06 05 04 03 02 01 00
Top   ToC   RFC8645 - Page 50
   K^1:
   66 B8 BD E5 90 6C EC DF FA 8A B2 FD 92 84 EB F0
   51 16 8A B6 C8 A8 38 65 54 85 31 A5 D2 BA C3 86

   K*_2:
   64 7D 5C D5 1C 3D 62 98 BC 09 B1 D8 64 EC D9 B1
   6F ED F5 D3 77 57 48 75 35 2B 5F 4D B6 5B E0 15

   K^2:
   66 B8 BD E5 90 6C EC DF FA 8A B2 FD 92 84 EB F0
   51 16 8A B6 C8 A8 38 65 54 85 31 A5 D2 BA C3 86

   K*_3:
   64 7D 5C D5 1C 3D 62 98 BC 09 B1 D8 64 EC D9 B1
   6F ED F5 D3 77 57 48 75 35 2B 5F 4D B6 5B E0 15

   K^3:
   66 B8 BD E5 90 6C EC DF FA 8A B2 FD 92 84 EB F0
   51 16 8A B6 C8 A8 38 65 54 85 31 A5 D2 BA C3 86

   ...

   K*_126:
   64 7D 5C D5 1C 3D 62 98 BC 09 B1 D8 64 EC D9 B1
   6F ED F5 D3 77 57 48 75 35 2B 5F 4D B6 5B E0 15

   K^126:
   66 B8 BD E5 90 6C EC DF FA 8A B2 FD 92 84 EB F0
   51 16 8A B6 C8 A8 38 65 54 85 31 A5 D2 BA C3 86

   K*_127:
   64 7D 5C D5 1C 3D 62 98 BC 09 B1 D8 64 EC D9 B1
   6F ED F5 D3 77 57 48 75 35 2B 5F 4D B6 5B E0 15

   K^127:
   66 B8 BD E5 90 6C EC DF FA 8A B2 FD 92 84 EB F0
   51 16 8A B6 C8 A8 38 65 54 85 31 A5 D2 BA C3 86

   K*_128:
   64 7D 5C D5 1C 3D 62 98 BC 09 B1 D8 64 EC D9 B1
   6F ED F5 D3 77 57 48 75 35 2B 5F 4D B6 5B E0 15

   K^128:
   66 B8 BD E5 90 6C EC DF FA 8A B2 FD 92 84 EB F0
   51 16 8A B6 C8 A8 38 65 54 85 31 A5 D2 BA C3 86
Top   ToC   RFC8645 - Page 51
   External re-keying with a serial construction based on SHA-256
   **************************************************************
   k = 256
   t = 128

   Initial key:
   00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   0F 0E 0D 0C 0B 0A 09 08 07 06 05 04 03 02 01 00

   label1:
   SHA2label1

   label2:
   SHA2label2

   K*_1:
   00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   0F 0E 0D 0C 0B 0A 09 08 07 06 05 04 03 02 01 00

   K^1:
   2D A8 D1 37 6C FD 52 7F F7 36 A4 E2 81 C6 0A 9B
   F3 8E 66 97 ED 70 4F B5 FB 10 33 CC EC EE D5 EC

   K*_2:
   14 65 5A D1 7C 19 86 24 9B D3 56 DF CC BE 73 6F
   52 62 4A 9D E3 CC 40 6D A9 48 DA 5C D0 68 8A 04

   K^2:
   2F EA 8D 57 2B EF B8 89 42 54 1B 8C 1B 3F 8D B1
   84 F9 56 C7 FE 01 11 99 1D FB 98 15 FE 65 85 CF

   K*_3:
   18 F0 B5 2A D2 45 E1 93 69 53 40 55 43 70 95 8D
   70 F0 20 8C DF B0 5D 67 CD 1B BF 96 37 D3 E3 EB

   K^3:
   53 C7 4E 79 AE BC D1 C8 24 04 BF F6 D7 B1 AC BF
   F9 C0 0E FB A8 B9 48 29 87 37 E1 BA E7 8F F7 92

   ...

   K*_126:
   A3 6D BF 02 AA 0B 42 4A F2 C0 46 52 68 8B C7 E6
   5E F1 62 C3 B3 2F DD EF E4 92 79 5D BB 45 0B CA

   K^126:
   6C 4B D6 22 DC 40 48 0F 29 C3 90 B8 E5 D7 A7 34
   23 4D 34 65 2C CE 4A 76 2C FE 2A 42 C8 5B FE 9A
Top   ToC   RFC8645 - Page 52
   K*_127:
   84 5F 49 3D B8 13 1D 39 36 2B BE D3 74 8F 80 A1
   05 A7 07 37 BA 15 72 E0 73 49 C2 67 5D 0A 28 A1

   K^127:
   57 F0 BD 5A B8 2A F3 6B 87 33 CF F7 22 62 B4 D0
   F0 EE EF E1 50 74 E5 BA 13 C1 23 68 87 36 29 A2

   K*_128:
   52 F2 0F 56 5C 9C 56 84 AF 69 AD 45 EE B8 DA 4E
   7A A6 04 86 35 16 BA 98 E4 CB 46 D2 E8 9A C1 09

   K^128:
   9B DD 24 7D F3 25 4A 75 E0 22 68 25 68 DA 9D D5
   C1 6D 2D 2B 4F 3F 1F 2B 5E 99 82 7F 15 A1 4F A4

A.2. Test Examples for Internal Re-keying

A.2.1. Internal Re-keying Mechanisms that Do Not Require a Master Key

CTR-ACPKM mode with AES-256 *************************** k = 256 n = 128 c = 64 N = 256 Initial key K: 00000: 88 99 AA BB CC DD EE FF 00 11 22 33 44 55 66 77 00010: FE DC BA 98 76 54 32 10 01 23 45 67 89 AB CD EF Plaintext P: 00000: 11 22 33 44 55 66 77 00 FF EE DD CC BB AA 99 88 00010: 00 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00020: 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 00030: 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 00040: 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 00050: 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 33 00060: 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 33 44 ICN: 12 34 56 78 90 AB CE F0 A1 B2 C3 D4 E5 F0 01 12 23 34 45 56 67 78 89 90 12 13 14 15 16 17 18 19 D_1: 00000: 80 81 82 83 84 85 86 87 88 89 8A 8B 8C 8D 8E 8F
Top   ToC   RFC8645 - Page 53
   D_2:
   00000:   90 91 92 93 94 95 96 97 98 99 9A 9B 9C 9D 9E 9F

   Section_1

   Section key K^1:
   00000:   88 99 AA BB CC DD EE FF 00 11 22 33 44 55 66 77
   00010:   FE DC BA 98 76 54 32 10 01 23 45 67 89 AB CD EF

   Input block CTR_1:
   00000:   12 34 56 78 90 AB CE F0 00 00 00 00 00 00 00 00

   Output block G_1:
   00000:   FD 7E F8 9A D9 7E A4 B8 8D B8 B5 1C 1C 9D 6D D0

   Input block CTR_2:
   00000:   12 34 56 78 90 AB CE F0 00 00 00 00 00 00 00 01

   Output block G_2:
   00000:   19 98 C5 71 76 37 FB 17 11 E4 48 F0 0C 0D 60 B2

   Section_2

   Section key K^2:
   00000:   F6 80 D1 21 2F A4 3D F4 EC 3A 91 DE 2A B1 6F 1B
   00010:   36 B0 48 8A 4F C1 2E 09 98 D2 E4 A8 88 E8 4F 3D

   Input block CTR_3:
   00000:   12 34 56 78 90 AB CE F0 00 00 00 00 00 00 00 02

   Output block G_3:
   00000:   E4 88 89 4F B6 02 87 DB 77 5A 07 D9 2C 89 46 EA

   Input block CTR_4:
   00000:   12 34 56 78 90 AB CE F0 00 00 00 00 00 00 00 03

   Output block G_4:
   00000:   BC 4F 87 23 DB F0 91 50 DD B4 06 C3 1D A9 7C A4

   Section_3

   Section key K^3:
   00000:   8E B9 7E 43 27 1A 42 F1 CA 8E E2 5F 5C C7 C8 3B
   00010:   1A CE 9E 5E D0 6A A5 3B 57 B9 6A CF 36 5D 24 B8

   Input block CTR_5:
   00000:   12 34 56 78 90 AB CE F0 00 00 00 00 00 00 00 04
Top   ToC   RFC8645 - Page 54
   Output block G_5:
   00000:   68 6F 22 7D 8F B2 9C BD 05 C8 C3 7D 22 FE 3B B7

   Input block CTR_6:
   00000:   12 34 56 78 90 AB CE F0 00 00 00 00 00 00 00 05

   Output block G_6:
   00000:   C0 1B F9 7F 75 6E 12 2F 80 59 55 BD DE 2D 45 87

   Section_4

   Section key K^4:
   00000:   C5 71 6C C9 67 98 BC 2D 4A 17 87 B7 8A DF 94 AC
   00010:   E8 16 F8 0B DB BC AD 7D 60 78 12 9C 0C B4 02 F5

   Block number 7:

   Input block CTR_7:
   00000:   12 34 56 78 90 AB CE F0 00 00 00 00 00 00 00 06

   Output block G_7:
   00000:   03 DE 34 74 AB 9B 65 8A 3B 54 1E F8 BD 2B F4 7D


   The result G = G_1 | G_2 | G_3 | G_4 | G_5 | G_6 | G_7:
   00000:   FD 7E F8 9A D9 7E A4 B8 8D B8 B5 1C 1C 9D 6D D0
   00010:   19 98 C5 71 76 37 FB 17 11 E4 48 F0 0C 0D 60 B2
   00020:   E4 88 89 4F B6 02 87 DB 77 5A 07 D9 2C 89 46 EA
   00030:   BC 4F 87 23 DB F0 91 50 DD B4 06 C3 1D A9 7C A4
   00040:   68 6F 22 7D 8F B2 9C BD 05 C8 C3 7D 22 FE 3B B7
   00050:   C0 1B F9 7F 75 6E 12 2F 80 59 55 BD DE 2D 45 87
   00060:   03 DE 34 74 AB 9B 65 8A 3B 54 1E F8 BD 2B F4 7D

   The result ciphertext C = P (xor) MSB_{|P|}(G):
   00000:   EC 5C CB DE 8C 18 D3 B8 72 56 68 D0 A7 37 F4 58
   00010:   19 89 E7 42 32 62 9D 60 99 7D E2 4B C0 E3 9F B8
   00020:   F5 AA BA 0B E3 64 F0 53 EE F0 BC 15 C2 76 4C EA
   00030:   9E 7C C3 76 BD 87 19 C9 77 0F CA 2D E2 A3 7C B5
   00040:   5B 2B 77 1B F8 3A 05 17 BE 04 2D 82 28 FE 2A 95
   00050:   84 4E 9F 08 FD F7 B8 94 4C B7 AA B7 DE 3C 67 B4
   00060:   56 B8 43 FC 32 31 DE 46 D5 AB 14 F8 AC 09 C7 39
Top   ToC   RFC8645 - Page 55
   GCM-ACPKM mode with AES-128
   ***************************
   k = 128
   n = 128
   c = 32
   N = 256

   Initial key K:
   00000:   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

   Additional data A:
   00000:   11 22 33

   Plaintext:
   00000:   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   00010:   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   00020:   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

   ICN:
   00000:   00 00 00 00 00 00 00 00 00 00 00 00

   Number of sections: 2

   Section key K^1:
   00000:   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

   Section key K^2:
   00000:   15 1A 9F B0 B6 AC C5 97 6A FB 50 31 D1 DE C8 41

   Encrypted GCTR_1 | GCTR_2 | GCTR_3:
   00000:   03 88 DA CE 60 B6 A3 92 F3 28 C2 B9 71 B2 FE 78
   00010:   F7 95 AA AB 49 4B 59 23 F7 FD 89 FF 94 8B C1 E0
   00020:   D6 B3 12 46 E9 CE 9F F1 3A B3 42 7E E8 91 96 AD

   Ciphertext C:
   00000:   03 88 DA CE 60 B6 A3 92 F3 28 C2 B9 71 B2 FE 78
   00010:   F7 95 AA AB 49 4B 59 23 F7 FD 89 FF 94 8B C1 E0
   00020:   D6 B3 12 46 E9 CE 9F F1 3A B3 42 7E E8 91 96 AD

   GHASH input:
   00000:   11 22 33 00 00 00 00 00 00 00 00 00 00 00 00 00
   00010:   03 88 DA CE 60 B6 A3 92 F3 28 C2 B9 71 B2 FE 78
   00020:   F7 95 AA AB 49 4B 59 23 F7 FD 89 FF 94 8B C1 E0
   00030:   D6 B3 12 46 E9 CE 9F F1 3A B3 42 7E E8 91 96 AD
   00040:   00 00 00 00 00 00 00 18 00 00 00 00 00 00 01 80

   GHASH output S:
   00000:   E8 ED E9 94 9A DD 55 30 B0 F4 4E F5 00 FC 3E 3C
Top   ToC   RFC8645 - Page 56
   Authentication tag  T:
   00000:   B0 0F 15 5A 60 A3 65 51 86 8B 53 A2 A4 1B 7B 66

   The result C | T:
   00000:   03 88 DA CE 60 B6 A3 92 F3 28 C2 B9 71 B2 FE 78
   00010:   F7 95 AA AB 49 4B 59 23 F7 FD 89 FF 94 8B C1 E0
   00020:   D6 B3 12 46 E9 CE 9F F1 3A B3 42 7E E8 91 96 AD
   00030:   B0 0F 15 5A 60 A3 65 51 86 8B 53 A2 A4 1B 7B 66

A.2.2. Internal Re-keying Mechanisms with a Master Key

CTR-ACPKM-Master mode with AES-256 ********************************** k = 256 n = 128 c for CTR-ACPKM mode = 64 c for CTR-ACPKM-Master mode = 64 N = 256 T* = 512 Initial key K: 00000: 88 99 AA BB CC DD EE FF 00 11 22 33 44 55 66 77 00010: FE DC BA 98 76 54 32 10 01 23 45 67 89 AB CD EF Initial vector ICN: 00000: 12 34 56 78 90 AB CE F0 A1 B2 C3 D4 E5 F0 01 12 Plaintext P: 00000: 11 22 33 44 55 66 77 00 FF EE DD CC BB AA 99 88 00010: 00 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00020: 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 00030: 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 00040: 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 00050: 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 33 00060: 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 33 44 K^1 | K^2 | K^3 | K^4: 00000: 9F 10 BB F1 3A 79 FB BD 4A 4C A8 64 C4 90 74 64 00010: 39 FE 50 6D 4B 86 9B 21 03 A3 B6 A4 79 28 3C 60 00020: 77 91 17 50 E0 D1 77 E5 9A 13 78 2B F1 89 08 D0 00030: AB 6B 59 EE 92 49 05 B3 AB C7 A4 E3 69 65 76 C3 00040: E8 76 2B 30 8B 08 EB CE 3E 93 9A C2 C0 3E 76 D4 00050: 60 9A AB D9 15 33 13 D3 CF D3 94 E7 75 DF 3A 94 00060: F2 EE 91 45 6B DC 3D E4 91 2C 87 C3 29 CF 31 A9 00070: 2F 20 2E 5A C4 9A 2A 65 31 33 D6 74 8C 4F F9 12
Top   ToC   RFC8645 - Page 57
   Section_1

   K^1:
   00000:   9F 10 BB F1 3A 79 FB BD 4A 4C A8 64 C4 90 74 64
   00010:   39 FE 50 6D 4B 86 9B 21 03 A3 B6 A4 79 28 3C 60

   Input block CTR_1:
   00000:   12 34 56 78 90 AB CE F0 00 00 00 00 00 00 00 00

   Output block G_1:
   00000:   8C A2 B6 82 A7 50 65 3F 8E BF 08 E7 9F 99 4D 5C

   Input block CTR_2:
   00000:   12 34 56 78 90 AB CE F0 00 00 00 00 00 00 00 01

   Output block G_2:
   00000:   F6 A6 A5 BA 58 14 1E ED 23 DC 31 68 D2 35 89 A1


   Section_2

   K^2:
   00000:   77 91 17 50 E0 D1 77 E5 9A 13 78 2B F1 89 08 D0
   00010:   AB 6B 59 EE 92 49 05 B3 AB C7 A4 E3 69 65 76 C3

   Input block CTR_3:
   00000:   12 34 56 78 90 AB CE F0 00 00 00 00 00 00 00 02

   Output block G_3:
   00000:   4A 07 5F 86 05 87 72 94 1D 8E 7D F8 32 F4 23 71

   Input block CTR_4:
   00000:   12 34 56 78 90 AB CE F0 00 00 00 00 00 00 00 03

   Output block G_4:
   00000:   23 35 66 AF 61 DD FE A7 B1 68 3F BA B0 52 4A D7


   Section_3

   K^3:
   00000:   E8 76 2B 30 8B 08 EB CE 3E 93 9A C2 C0 3E 76 D4
   00010:   60 9A AB D9 15 33 13 D3 CF D3 94 E7 75 DF 3A 94

   Input block CTR_5:
   00000:   12 34 56 78 90 AB CE F0 00 00 00 00 00 00 00 04
Top   ToC   RFC8645 - Page 58
   Output block G_5:
   00000:   A8 09 6D BC E8 BB 52 FC DE 6E 03 70 C1 66 95 E8

   Input block CTR_6:
   00000:   12 34 56 78 90 AB CE F0 00 00 00 00 00 00 00 05

   Output block G_6:
   00000:   C6 E3 6E 8E 5B 82 AA C4 A6 6C 14 8D B1 F6 9B EF


   Section_4

   K^4:
   00000:   F2 EE 91 45 6B DC 3D E4 91 2C 87 C3 29 CF 31 A9
   00010:   2F 20 2E 5A C4 9A 2A 65 31 33 D6 74 8C 4F F9 12

   Input block CTR_7:
   00000:   12 34 56 78 90 AB CE F0 00 00 00 00 00 00 00 06

   Output block G_7:
   00000:   82 2B E9 07 96 37 44 95 75 36 3F A7 07 F8 40 22


   The result G = G_1 | G_2 | G_3 | G_4 | G_5 | G_6 | G_7:
   00000:   8C A2 B6 82 A7 50 65 3F 8E BF 08 E7 9F 99 4D 5C
   00010:   F6 A6 A5 BA 58 14 1E ED 23 DC 31 68 D2 35 89 A1
   00020:   4A 07 5F 86 05 87 72 94 1D 8E 7D F8 32 F4 23 71
   00030:   23 35 66 AF 61 DD FE A7 B1 68 3F BA B0 52 4A D7
   00040:   A8 09 6D BC E8 BB 52 FC DE 6E 03 70 C1 66 95 E8
   00050:   C6 E3 6E 8E 5B 82 AA C4 A6 6C 14 8D B1 F6 9B EF
   00060:   82 2B E9 07 96 37 44 95 75 36 3F A7 07 F8 40 22

   The result ciphertext C = P (xor) MSB_{|P|}(G):
   00000:   9D 80 85 C6 F2 36 12 3F 71 51 D5 2B 24 33 D4 D4
   00010:   F6 B7 87 89 1C 41 78 9A AB 45 9B D3 1E DB 76 AB
   00020:   5B 25 6C C2 50 E1 05 1C 84 24 C6 34 DC 0B 29 71
   00030:   01 06 22 FA 07 AA 76 3E 1B D3 F3 54 4F 58 4A C6
   00040:   9B 4D 38 DA 9F 33 CB 56 65 A2 ED 8F CB 66 84 CA
   00050:   82 B6 08 F9 D3 1B 00 7F 6A 82 EB 87 B1 E7 B9 DC
   00060:   D7 4D 9E 8F 0F 9D FF 59 9B C9 35 A7 16 DA 73 66
Top   ToC   RFC8645 - Page 59
   GCM-ACPKM-Master mode with AES-256
   **********************************
   k = 192
   n = 128
   c for the CTR-ACPKM mode = 64
   c for the GCM-ACPKM-Master mode = 32
   T* = 384
   N = 256

   Initial key K:
   00000:   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   00010:   00 00 00 00 00 00 00 00

   Additional data A:
   00000:   11 22 33

   Plaintext:
   00000:   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   00010:   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   00020:   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   00030:   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   00040:   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

   ICN:
   00000:   00 00 00 00 00 00 00 00 00 00 00 00

   Number of sections: 3

   K^1 | K^2 | K^3:
   00000:   93 BA AF FB 35 FB E7 39 C1 7C 6A C2 2E EC F1 8F
   00010:   7B 89 F0 BF 8B 18 07 05 96 48 68 9F 36 A7 65 CC
   00020:   CD 5D AC E2 0D 47 D9 18 D7 86 D0 41 A8 3B AB 99
   00030:   F5 F8 B1 06 D2 71 78 B1 B0 08 C9 99 0B 72 E2 87
   00040:   5A 2D 3C BE F1 6E 67 3C

   Encrypted GCTR_1 | ... | GCTR_5
   00000:   43 FA 71 81 64 B1 E3 D7 1E 7B 65 39 A7 02 1D 52
   00010:   69 9B 9E 1B 43 24 B7 52 95 74 E7 90 F2 BE 60 E8
   00020:   11 62 C9 90 2A 2B 77 7F D9 6A D6 1A 99 E0 C6 DE
   00030:   4B 91 D4 29 E3 1A 8C 11 AF F0 BC 47 F6 80 AF 14
   00040:   40 1C C1 18 14 63 8E 76 24 83 37 75 16 34 70 08

   Ciphertext C:
   00000:   43 FA 71 81 64 B1 E3 D7 1E 7B 65 39 A7 02 1D 52
   00010:   69 9B 9E 1B 43 24 B7 52 95 74 E7 90 F2 BE 60 E8
   00020:   11 62 C9 90 2A 2B 77 7F D9 6A D6 1A 99 E0 C6 DE
   00030:   4B 91 D4 29 E3 1A 8C 11 AF F0 BC 47 F6 80 AF 14
   00040:   40 1C C1 18 14 63 8E 76 24 83 37 75 16 34 70 08
Top   ToC   RFC8645 - Page 60
   GHASH input:
   00000:   11 22 33 00 00 00 00 00 00 00 00 00 00 00 00 00
   00010:   43 FA 71 81 64 B1 E3 D7 1E 7B 65 39 A7 02 1D 52
   00020:   69 9B 9E 1B 43 24 B7 52 95 74 E7 90 F2 BE 60 E8
   00030:   11 62 C9 90 2A 2B 77 7F D9 6A D6 1A 99 E0 C6 DE
   00040:   4B 91 D4 29 E3 1A 8C 11 AF F0 BC 47 F6 80 AF 14
   00050:   40 1C C1 18 14 63 8E 76 24 83 37 75 16 34 70 08
   00060:   00 00 00 00 00 00 00 18 00 00 00 00 00 00 02 80

   GHASH output S:
   00000:   6E A3 4B D5 6A C5 40 B7 3E 55 D5 86 D1 CC 09 7D

   Authentication tag  T:
   00050:   CC 3A BA 11 8C E7 85 FD 77 78 94 D4 B5 20 69 F8

   The result C | T:
   00000:   43 FA 71 81 64 B1 E3 D7 1E 7B 65 39 A7 02 1D 52
   00010:   69 9B 9E 1B 43 24 B7 52 95 74 E7 90 F2 BE 60 E8
   00020:   11 62 C9 90 2A 2B 77 7F D9 6A D6 1A 99 E0 C6 DE
   00030:   4B 91 D4 29 E3 1A 8C 11 AF F0 BC 47 F6 80 AF 14
   00040:   40 1C C1 18 14 63 8E 76 24 83 37 75 16 34 70 08
   00050:   CC 3A BA 11 8C E7 85 FD 77 78 94 D4 B5 20 69 F8


   CBC-ACPKM-Master mode with AES-256
   **********************************
   k = 256
   n = 128
   c for the CTR-ACPKM mode = 64
   N = 256
   T* = 512

   Initial key K:
   00000:   88 99 AA BB CC DD EE FF 00 11 22 33 44 55 66 77
   00010:   FE DC BA 98 76 54 32 10 01 23 45 67 89 AB CD EF

   Initial vector IV:
   00000:   12 34 56 78 90 AB CE F0 A1 B2 C3 D4 E5 F0 01 12

   Plaintext P:
   00000:   11 22 33 44 55 66 77 00 FF EE DD CC BB AA 99 88
   00010:   00 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A
   00020:   11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00
   00030:   22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11
   00040:   33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22
   00050:   44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 33
   00060:   55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 33 44
Top   ToC   RFC8645 - Page 61
   K^1 | K^2 | K^3 | K^4:
   00000:   9F 10 BB F1 3A 79 FB BD 4A 4C A8 64 C4 90 74 64
   00010:   39 FE 50 6D 4B 86 9B 21 03 A3 B6 A4 79 28 3C 60
   00020:   77 91 17 50 E0 D1 77 E5 9A 13 78 2B F1 89 08 D0
   00030:   AB 6B 59 EE 92 49 05 B3 AB C7 A4 E3 69 65 76 C3
   00040:   E8 76 2B 30 8B 08 EB CE 3E 93 9A C2 C0 3E 76 D4
   00050:   60 9A AB D9 15 33 13 D3 CF D3 94 E7 75 DF 3A 94
   00060:   F2 EE 91 45 6B DC 3D E4 91 2C 87 C3 29 CF 31 A9
   00070:   2F 20 2E 5A C4 9A 2A 65 31 33 D6 74 8C 4F F9 12

   Section_1

   K^1:
   00000:   9F 10 BB F1 3A 79 FB BD 4A 4C A8 64 C4 90 74 64
   00010:   39 FE 50 6D 4B 86 9B 21 03 A3 B6 A4 79 28 3C 60

   Plaintext block P_1:
   00000:   11 22 33 44 55 66 77 00 FF EE DD CC BB AA 99 88

   Input block P_1 (xor) C_0:
   00000:   03 16 65 3C C5 CD B9 F0 5E 5C 1E 18 5E 5A 98 9A

   Output block C_1:
   00000:   59 CB 5B CA C2 69 2C 60 0D 46 03 A0 C7 40 C9 7C

   Plaintext block P_2:
   00000:   00 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A

   Input block P_2 (xor) C_1:
   00000:   59 DA 79 F9 86 3C 4A 17 85 DF A9 1B 0B AE 36 76

   Output block C_2:
   00000:   80 B6 02 74 54 8B F7 C9 78 1F A1 05 8B F6 8B 42

   Section_2

   K^2:
   00000:   77 91 17 50 E0 D1 77 E5 9A 13 78 2B F1 89 08 D0
   00010:   AB 6B 59 EE 92 49 05 B3 AB C7 A4 E3 69 65 76 C3

   Plaintext block P_3:
   00000:   11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00

   Input block P_3 (xor) C_2:
   00000:   91 94 31 30 01 ED 80 41 E1 B5 1A C9 65 09 81 42

   Output block C_3:
   00000:   8C 24 FB CF 68 15 B1 AF 65 FE 47 75 95 B4 97 59
Top   ToC   RFC8645 - Page 62
   Plaintext block P_4:
   00000:   22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11

   Input block P_4 (xor) C_3:
   00000:   AE 17 BF 9A 0E 62 39 36 CF 45 8B 9B 6A BE 97 48

   Output block C_4:
   00000:   19 65 A5 00 58 0D 50 23 72 1B E9 90 E1 83 30 E9

   Section_3

   K^3:
   00000:   E8 76 2B 30 8B 08 EB CE 3E 93 9A C2 C0 3E 76 D4
   00010:   60 9A AB D9 15 33 13 D3 CF D3 94 E7 75 DF 3A 94

   Plaintext block P_5:
   00000:   33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22

   Input block P_5 (xor) C_4:
   00000:   2A 21 F0 66 2F 85 C9 89 C9 D7 07 6F EB 83 21 CB

   Output block C_5:
   00000:   56 D8 34 F4 6F 0F 4D E6 20 53 A9 5C B5 F6 3C 14

   Plaintext block P_6:
   00000:   44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 33

   Input block P_6 (xor) C_5:
   00000:   12 8D 52 83 E7 96 E7 5D EC BD 56 56 B5 E7 1E 27

   Output block C_6:
   00000:   66 68 2B 8B DD 6E B2 7E DE C7 51 D6 2F 45 A5 45

   Section_4

   K^4:
   00000:   F2 EE 91 45 6B DC 3D E4 91 2C 87 C3 29 CF 31 A9
   00010:   2F 20 2E 5A C4 9A 2A 65 31 33 D6 74 8C 4F F9 12

   Plaintext block P_7:
   00000:   55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 33 44

   Input block P_7 (xor) C_6:
   00000:   33 0E 5C 03 44 C4 09 B2 30 38 5B D6 3E 67 96 01

   Output block C_7:
   00000:   7F 4D 87 F9 CA E9 56 09 79 C4 FA FE 34 0B 45 34
Top   ToC   RFC8645 - Page 63
   Ciphertext C:
   00000:   59 CB 5B CA C2 69 2C 60 0D 46 03 A0 C7 40 C9 7C
   00010:   80 B6 02 74 54 8B F7 C9 78 1F A1 05 8B F6 8B 42
   00020:   8C 24 FB CF 68 15 B1 AF 65 FE 47 75 95 B4 97 59
   00030:   19 65 A5 00 58 0D 50 23 72 1B E9 90 E1 83 30 E9
   00040:   56 D8 34 F4 6F 0F 4D E6 20 53 A9 5C B5 F6 3C 14
   00050:   66 68 2B 8B DD 6E B2 7E DE C7 51 D6 2F 45 A5 45
   00060:   7F 4D 87 F9 CA E9 56 09 79 C4 FA FE 34 0B 45 34


   CFB-ACPKM-Master mode with AES-256
   **********************************
   k = 256
   n = 128
   c for the CTR-ACPKM mode = 64
   N = 256
   T* = 512

   Initial key K:
   00000:   88 99 AA BB CC DD EE FF 00 11 22 33 44 55 66 77
   00010:   FE DC BA 98 76 54 32 10 01 23 45 67 89 AB CD EF

   Initial vector IV:
   00000:   12 34 56 78 90 AB CE F0 A1 B2 C3 D4 E5 F0 01 12

   Plaintext P:
   00000:   11 22 33 44 55 66 77 00 FF EE DD CC BB AA 99 88
   00010:   00 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A
   00020:   11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00
   00030:   22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11
   00040:   33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22
   00050:   44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 33
   00060:   55 66 77 88 99 AA BB CC

   K^1 | K^2 | K^3 | K^4
   00000:   9F 10 BB F1 3A 79 FB BD 4A 4C A8 64 C4 90 74 64
   00010:   39 FE 50 6D 4B 86 9B 21 03 A3 B6 A4 79 28 3C 60
   00020:   77 91 17 50 E0 D1 77 E5 9A 13 78 2B F1 89 08 D0
   00030:   AB 6B 59 EE 92 49 05 B3 AB C7 A4 E3 69 65 76 C3
   00040:   E8 76 2B 30 8B 08 EB CE 3E 93 9A C2 C0 3E 76 D4
   00050:   60 9A AB D9 15 33 13 D3 CF D3 94 E7 75 DF 3A 94
   00060:   F2 EE 91 45 6B DC 3D E4 91 2C 87 C3 29 CF 31 A9
   00070:   2F 20 2E 5A C4 9A 2A 65 31 33 D6 74 8C 4F F9 12
Top   ToC   RFC8645 - Page 64
   Section_1

   K^1:
   00000:   9F 10 BB F1 3A 79 FB BD 4A 4C A8 64 C4 90 74 64
   00010:   39 FE 50 6D 4B 86 9B 21 03 A3 B6 A4 79 28 3C 60

   Plaintext block P_1:
   00000:   11 22 33 44 55 66 77 00 FF EE DD CC BB AA 99 88

   Encrypted block E_{K^1}(C_0):
   00000:   1C 39 9D 59 F8 5D 91 91 A9 D2 12 9F 63 15 90 03

   Output block C_1 = E_{K^1}(C_0) (xor) P_1:
   00000:   0D 1B AE 1D AD 3B E6 91 56 3C CF 53 D8 BF 09 8B

   Plaintext block P_2:
   00000:   00 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A

   Encrypted block E_{K^1}(C_1):
   00000:   6B A2 C5 42 52 69 C6 0B 15 14 06 87 90 46 F6 2E

   Output block C_2 = E_{K^1}(C_1) (xor) P_2:
   00000:   6B B3 E7 71 16 3C A0 7C 9D 8D AC 3C 5C A8 09 24

   Section_2

   K^2:
   00000:   77 91 17 50 E0 D1 77 E5 9A 13 78 2B F1 89 08 D0
   00010:   AB 6B 59 EE 92 49 05 B3 AB C7 A4 E3 69 65 76 C3

   Plaintext block P_3:
   00000:   11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00

   Encrypted block E_{K^2}(C_2):
   00000:   95 45 5F DB C3 9E 0A 13 9F CB 10 F5 BD 79 A3 88

   Output block C_3 = E_{K^2}(C_2) (xor) P_3:
   00000:   84 67 6C 9F 96 F8 7D 9B 06 61 AB 39 53 86 A9 88

   Plaintext block P_4:
   00000:   22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11

   Encrypted block E_{K^2}(C_3):
   00000:   E0 AA 32 5D 80 A4 47 95 BA 42 BF 63 F8 4A C8 B2

   Output block C_4 = E_{K^2}(C_3) (xor) P_4:
   00000:   C2 99 76 08 E6 D3 CF 0C 10 F9 73 8D 07 40 C8 A3
Top   ToC   RFC8645 - Page 65
   Section_3

   K^3:
   00000:   E8 76 2B 30 8B 08 EB CE 3E 93 9A C2 C0 3E 76 D4
   00010:   60 9A AB D9 15 33 13 D3 CF D3 94 E7 75 DF 3A 94

   Plaintext block P_5:
   00000:   33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22

   Encrypted block E_{K^3}(C_4):
   00000:   FE 42 8C 70 C2 51 CE 13 36 C1 BF 44 F8 49 66 89

   Output block C_5 = E_{K^3}(C_4) (xor) P_5:
   00000:   CD 06 D9 16 B5 D9 57 B9 8D 0D 51 BB F2 49 77 AB

   Plaintext block P_6:
   00000:   44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 33

   Encrypted block E_{K^3}(C_5):
   00000:   01 24 80 87 86 18 A5 43 11 0A CC B5 0A E5 02 A3

   Output block C_6 = E_{K^3}(C_5) (xor) P_6:
   00000:   45 71 E6 F0 0E 81 0F F8 DD E4 33 BF 0A F4 20 90

   Section_4

   K^4:
   00000:   F2 EE 91 45 6B DC 3D E4 91 2C 87 C3 29 CF 31 A9
   00010:   2F 20 2E 5A C4 9A 2A 65 31 33 D6 74 8C 4F F9 12

   Plaintext block P_7:
   00000:   55 66 77 88 99 AA BB CC

   Encrypted block MSB_{|P_7|}(E_{K^4}(C_6)):
   00000:   97 5C 96 37 55 1E 8C 7F

   Output block C_7 = MSB_{|P_7|}(E_{K^4}(C_6)) (xor) P_7
   00000:   C2 3A E1 BF CC B4 37 B3

   Ciphertext C:
   00000:   0D 1B AE 1D AD 3B E6 91 56 3C CF 53 D8 BF 09 8B
   00010:   6B B3 E7 71 16 3C A0 7C 9D 8D AC 3C 5C A8 09 24
   00020:   84 67 6C 9F 96 F8 7D 9B 06 61 AB 39 53 86 A9 88
   00030:   C2 99 76 08 E6 D3 CF 0C 10 F9 73 8D 07 40 C8 A3
   00040:   CD 06 D9 16 B5 D9 57 B9 8D 0D 51 BB F2 49 77 AB
   00050:   45 71 E6 F0 0E 81 0F F8 DD E4 33 BF 0A F4 20 90
   00060:   C2 3A E1 BF CC B4 37 B3
Top   ToC   RFC8645 - Page 66
   OMAC-ACPKM-Master mode with AES-256
   ***********************************
   k = 256
   n = 128
   c for the CTR-ACPKM mode = 64
   N = 256
   T* = 768

   Initial key K:
   00000:   88 99 AA BB CC DD EE FF 00 11 22 33 44 55 66 77
   00010:   FE DC BA 98 76 54 32 10 01 23 45 67 89 AB CD EF

   Plaintext M:
   00000:   11 22 33 44 55 66 77 00 FF EE DD CC BB AA 99 88
   00010:   00 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A
   00020:   11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00
   00030:   22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11
   00040:   33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22

   K^1 | K^1_1 | K^2 | K^2_1 | K^3 | K^3_1:
   00000:   9F 10 BB F1 3A 79 FB BD 4A 4C A8 64 C4 90 74 64
   00010:   39 FE 50 6D 4B 86 9B 21 03 A3 B6 A4 79 28 3C 60
   00020:   77 91 17 50 E0 D1 77 E5 9A 13 78 2B F1 89 08 D0
   00030:   AB 6B 59 EE 92 49 05 B3 AB C7 A4 E3 69 65 76 C3
   00040:   9D CC 66 42 0D FF 45 5B 21 F3 93 F0 D4 D6 6E 67
   00050:   BB 1B 06 0B 87 66 6D 08 7A 9D A7 49 55 C3 5B 48
   00060:   F2 EE 91 45 6B DC 3D E4 91 2C 87 C3 29 CF 31 A9
   00070:   2F 20 2E 5A C4 9A 2A 65 31 33 D6 74 8C 4F F9 12
   00080:   78 21 C7 C7 6C BD 79 63 56 AC F8 8E 69 6A 00 07

   Section_1

   K^1:
   00000:   9F 10 BB F1 3A 79 FB BD 4A 4C A8 64 C4 90 74 64
   00010:   39 FE 50 6D 4B 86 9B 21 03 A3 B6 A4 79 28 3C 60

   K^1_1:
   00000:   77 91 17 50 E0 D1 77 E5 9A 13 78 2B F1 89 08 D0

   Plaintext block M_1:
   00000:   11 22 33 44 55 66 77 00 FF EE DD CC BB AA 99 88

   Input block M_1 (xor) C_0:
   00000:   11 22 33 44 55 66 77 00 FF EE DD CC BB AA 99 88

   Output block C_1:
   00000:   0B A5 89 BF 55 C1 15 42 53 08 89 76 A0 FE 24 3E
Top   ToC   RFC8645 - Page 67
   Plaintext block M_2:
   00000:   00 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A

   Input block M_2 (xor) C_1:
   00000:   0B B4 AB 8C 11 94 73 35 DB 91 23 CD 6C 10 DB 34

   Output block C_2:
   00000:   1C 53 DD A3 6D DC E1 17 ED 1F 14 09 D8 6A F3 2C

   Section_2

   K^2:
   00000:   AB 6B 59 EE 92 49 05 B3 AB C7 A4 E3 69 65 76 C3
   00010:   9D CC 66 42 0D FF 45 5B 21 F3 93 F0 D4 D6 6E 67

   K^2_1:
   00000:   BB 1B 06 0B 87 66 6D 08 7A 9D A7 49 55 C3 5B 48

   Plaintext block M_3:
   00000:   11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00

   Input block M_3 (xor) C_2:
   00000:   0D 71 EE E7 38 BA 96 9F 74 B5 AF C5 36 95 F9 2C

   Output block C_3:
   00000:   4E D4 BC A6 CE 6D 6D 16 F8 63 85 13 E0 48 59 75

   Plaintext block M_4:
   00000:   22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11

   Input block M_4 (xor) C_3:
   00000:   6C E7 F8 F3 A8 1A E5 8F 52 D8 49 FD 1F 42 59 64

   Output block C_4:
   00000:   B6 83 E3 96 FD 30 CD 46 79 C1 8B 24 03 82 1D 81

   Section_3

   K^3:
   00000:   F2 EE 91 45 6B DC 3D E4 91 2C 87 C3 29 CF 31 A9
   00010:   2F 20 2E 5A C4 9A 2A 65 31 33 D6 74 8C 4F F9 12

   K^3_1:
   00000:   78 21 C7 C7 6C BD 79 63 56 AC F8 8E 69 6A 00 07

   MSB1(K1) == 0 -> K2 = K1 << 1
Top   ToC   RFC8645 - Page 68
   K1:
   00000:   78 21 C7 C7 6C BD 79 63 56 AC F8 8E 69 6A 00 07

   K2:
   00000:   F0 43 8F 8E D9 7A F2 C6 AD 59 F1 1C D2 D4 00 0E

   Plaintext M_5:
   00000:   33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22

   Using K1, padding is not required

   Input block M_5 (xor) C_4:
   00000:   FD E6 71 37 E6 05 2D 8F 94 A1 9D 55 60 E8 0C A4

   Output block C_5:
   00000:   B3 AD B8 92 18 32 05 4C 09 21 E7 B8 08 CF A0 B8

   Message authentication code T:
   00000:   B3 AD B8 92 18 32 05 4C 09 21 E7 B8 08 CF A0 B8
Top   ToC   RFC8645 - Page 69

Acknowledgments

We thank Mihir Bellare, Scott Fluhrer, Dorothy Cooley, Yoav Nir, Jim Schaad, Paul Hoffman, Dmitry Belyavsky, Yaron Sheffer, Alexey Melnikov, and Spencer Dawkins for their useful comments.

Contributors

Russ Housley Vigil Security, LLC housley@vigilsec.com Evgeny Alekseev CryptoPro alekseev@cryptopro.ru Ekaterina Smyshlyaeva CryptoPro ess@cryptopro.ru Shay Gueron University of Haifa, Israel Intel Corporation, Israel Development Center, Israel shay.gueron@gmail.com Daniel Fox Franke Akamai Technologies dfoxfranke@gmail.com Lilia Ahmetzyanova CryptoPro lah@cryptopro.ru

Author's Address

Stanislav Smyshlyaev (editor) CryptoPro 18, Suschevskiy val Moscow 127018 Russian Federation Phone: +7 (495) 995-48-20 Email: svs@cryptopro.ru