
2020 1st International Conference on Information Technology, Advanced Mechanical and Electrical Engineering (ICITAMEE)

Security Evaluation of LightMAC: Second Preimage Attack using Existential Forgery

1st Susila Windarta, Department of Electrical Engineering, Universitas Indonesia, Depok, Indonesia, e-mail: susila.windarta91@ui.ac.id
2nd Kalamullah Ramli, Department of Electrical Engineering, Universitas Indonesia, Depok, Indonesia, e-mail: kalamullah.ramli@ui.ac.id
3rd Dodi Sudiana, Department of Electrical Engineering, Universitas Indonesia, Depok, Indonesia, e-mail: dodi.sudiana@ui.ac.id

978-1-7281-8309-1/20/$31.00 ©2020 IEEE

Abstract—A Message Authentication Code (MAC) is a cryptographic hash function that uses cryptographic key(s) to generate a MAC value, or tag. A security property that a MAC must satisfy is second preimage resistance: given an input, it is difficult to find a different input with the same tag. A lightweight MAC called LightMAC was introduced in 2016 by Luykx et al. The scheme uses a lightweight block cipher as its encryption function. This paper discusses the application of a second preimage attack on the LightMAC scheme using existential forgery methods. The purpose of this attack is to determine the resistance of LightMAC's second preimage property. From observation and experiments with an instantiation using Simeck32/64, it is found that the attack is more efficient than brute force attacks, with birthday attack complexity. Furthermore, a modification is recommended to avoid the second preimage attack on LightMAC.

Index Terms—LightMAC, second preimage attack, Simeck32/64, existential forgery, lightweight cryptography.

I. INTRODUCTION

According to Gartner, the Internet of Things (IoT) is defined as a network of physical devices that contain embedded technology to communicate and interact with the internal state of objects or the exterior domain [1]. Gartner [2] also predicts that IoT devices, especially those used by companies and the automotive sector, will reach 5.81 billion devices in 2020. This is an increase of approximately 21% over the number of devices in 2019. This massive number of connected devices creates risks. The most significant threats to IoT systems in this condition concern security, scalability, and reliability [3], [4]. One security mechanism that can be used to secure an IoT system is the cryptographic hash function, primarily to accomplish message authentication and data integrity [3].

The cryptographic hash function is a fundamental primitive of modern cryptography. It maps input messages of any length to output values of fixed length. The output produced is called a hash value, a message digest, or a fingerprint. A proper hash function must have three properties: preimage resistance, second preimage resistance, and collision resistance [5]. Menezes, Van Oorschot, and Vanstone [5] divide hash functions into two classes based on the key used, i.e. Modification Detection Codes (MDC), also called Message Integrity Codes (MIC), and Message Authentication Codes (MAC). An MDC does not require a secret key input, while a MAC does.

In 2016, Luykx et al. [6] introduced a MAC scheme called LightMAC, which may be utilized as a pseudorandom function or as a MAC function. This scheme uses a lightweight block cipher as its encryption function. The International Standard Organization (ISO) in 2019 [7] established this scheme as a standard, ISO/IEC 29192-6:2019. This standard is related to lightweight cryptography algorithms, especially message authentication codes (MACs). Apart from LightMAC, two other algorithms are specified: Tsudik's keymode [8] and Chaskey-12 [9].

A MAC must meet several requirements to provide the expected service. One condition that must be met is resistance to second preimage attacks. A second preimage attack is said to be successful if the adversary can obtain another message, different from the message given previously, using computing resources that are more efficient than brute force attacks [5].

Darumaya and Susanti [10] attacked the LightMAC algorithm with the Simeck32/64 instance in 2018. The attacks used were selective forgery, universal forgery and existential forgery. The attacks were based on the research of Liu and Liu [11], except for existential forgery. The result of the attack is that forged messages were found for each sample used. Hence the authors claim that LightMAC instantiated with Simeck32/64 is vulnerable to forgery attacks.

This paper studies second preimage attacks on the LightMAC scheme using an existential forgery approach. The existential forgery approach used is different from the approach used by Darumaya and Susanti [10]. Experiments in this paper use the same algorithm, i.e., the Simeck32/64 lightweight block cipher. A secure MAC algorithm should ideally have $n$-bit security, where $n$ is the bit length of the MAC value. In the case of LightMAC with the Simeck32/64 instantiation, 32-bit security is expected. It means that at least $2^{32}$ computations are needed to get another message that has the same MAC value, given a particular message.

The arrangement of this paper is as follows. Section 2 discusses several theories that underlie further discussion. In Section 3, the second preimage method is explained in detail using the existential forgery method. In Section 4, the results of the experiments are discussed. The last section presents the conclusions and future research of this paper.

II. PRELIMINARIES

A. LightMAC

The designers of LightMAC convey that it is a MAC mode that offers not only reliable authentication on resource-limited devices but also enables peak-performance parallel applications [6]. Throughout this paper, the parameters used in LightMAC are:
• $M$: the message set, maximum length $2^s(n-s)$.
• $M[1]M[2]\ldots M[\ell] \xleftarrow{r} M$: message $M$ divided into $r$-bit blocks.
• $E_{K_\mu}$: encryption function using the key $K_\mu$.
• $K_\mu$, $\mu = \{1, 2\}$: the independent and uniform $k$-bit key.
• $i_s$: the counter $i$.
• $s$: an integer that represents the bit length of the counter, with $s \le n/2$.
• $T$: MAC value generated by the LightMAC scheme, with $t$-bit length.
• $t$: an integer with $t \le n$.

Alg. 1 $\mathrm{LightMAC}_{K_1,K_2}(M)$
Input: $K_1, K_2 \in \{0,1\}^k$, $M \in \{0,1\}^{\le 2^s(n-s)}$
Output: $T \in \{0,1\}^t$
  $V \leftarrow 0^n \in \{0,1\}^n$
  $M[1]M[2]\cdots M[\ell] \xleftarrow{n-s} M$
  for $i \leftarrow 1, \ell-1$ do
    $V \leftarrow V \oplus E_{K_1}(i_s \| M[i])$
  $V \leftarrow V \oplus (M[\ell] \| 10^*)$
  $T \leftarrow \lfloor E_{K_2}(V) \rfloor_t$
  return $T$

The users agree on the values of $s$ and $t$ before starting the generating process. Alg. 1 describes LightMAC in detail. Alg. 1 and Fig. 1 show how the $t$-bit output is generated.

[Figure: inputs $1_s\|M[1]$, $2_s\|M[2]$, $3_s\|M[3]$ to $E_{K_1}$; last block $M[4]\|10^*$; $E_{K_2}$; $t$-bit output $T$]
Fig. 1. LightMAC; $\ell = 4$

B. Security of Cryptographic Hash Function

A cryptographic hash function $H$ generates the hash value to provide message integrity. The three properties that a hash function should have are:
1) Preimage resistance: given hash function $H$ and $T = H(M)$, it is hard to find $M'$, so that $H(M') = H(M) = T$.
2) Second preimage resistance: given a pair of message and the corresponding hash value, $(M, T)$, it is computationally infeasible to generate another $M'$ so that $M' \neq M$ and $H(M') = H(M) = T$.
3) Collision resistance: it is not easy to generate two different messages, $M \neq M'$, so that $H(M) = H(M') = T$.

The number of messages needed to find a preimage or a second preimage in a hash function is $2^n$, where $n$ is the length of the hash value, while finding a collision requires $2^{n/2}$ computations. If one of the properties is not met, then the attacker can forge the legitimate message. It can then be said that the hash function is not secure, or broken [12], [13].

C. Existential Forgery

An existential forgery [14], [15] is a form of forgery of the MAC algorithm where the adversary successfully forges the MAC value, or tag, of a message, not necessarily of his choice. In other words, the adversary is able, without knowledge of the secret key $K_\mu$, to get the appropriate MAC $C$ for every message $M$, which has not been calculated by a legitimate MAC function. The message $M$ may not have a specific meaning.

D. Simeck Family of Lightweight Block Ciphers

Simeck is a class of block cipher algorithms for lightweight applications. The algorithm was presented by Yang et al. and published in 2015 [16]. The authors claim that Simeck was built by combining the advantages of the Simon and Speck families of lightweight block ciphers [17]–[19]. The notations that we use are:
• $p \lll c$, rotation of $p$, $c$ bits to the left.
• $p$ $q$, bitwise AND of $p$ and $q$.
• $p \oplus q$, bitwise XOR of $p$ and $q$.

It is also denoted as Simeck2b/2a, where b is the word size, usually 16, 24, or 32. The block size is represented by 2b, while 2a represents the key size. So Simeck32/64 means the block size is 32 bit, and the key is 64 bit. Fig. 2 shows Simeck's round function and Fig. 3 shows the key expansion of Simeck.

[Figure: inputs $p_\alpha$, $q_\alpha$; rotations $\lll 5$ and $\lll 1$; outputs $p_{\alpha+1}$, $q_{\alpha+1}$]
Fig. 2. Simeck's Round Function

[Figure: registers $r_{\alpha+2}$, $r_{\alpha+1}$, $r_\alpha$, $k_\alpha$; constant $RC \oplus (z_\beta)_\alpha$]
Fig. 3. Simeck's Key Expansion

III. SECOND PREIMAGE ATTACK

This attack is carried out by utilizing the use of XOR in the LightMAC scheme, see Fig. 1. The ciphertexts of the first block up to the message block before the last block are XORed, resulting in the $X$ value of Fig. 4. The value of $X$ is later XORed with the last block padded with $10^*$, producing $Y$ in Fig. 4. Based on the scheme, the tag value is
determined by the XOR value earlier. If the same XOR value is yielded from different messages, the resulting tag value is the same. The message produced is the second preimage of the original message.

Based on the above observations, the steps for the second preimage attack are:

First, set the parameters used, including the keys $K_1$ and $K_2$, the value of $s$, and the message length.

Second, generate sample messages, then calculate the MAC value corresponding to each. Record the value of $X$, $Y$, and the MAC value $T$. The value of $X$ is obtained by XOR-ing the results from the first encryption block to the $(\ell-1)$-th encryption block, as in Eq. 1.

$$X = E_{K_1}(1_s \| M[1]) \oplus E_{K_1}(2_s \| M[2]) \oplus \ldots \oplus E_{K_1}((\ell-1)_s \| M[\ell-1]) \tag{1}$$

XOR-ing $X$ with the last block of the message, i.e. the $\ell$-th block, gives the value of $Y$, see Eq. 2. Fig. 4 depicts the position of $X$ and $Y$.

$$Y = X \oplus M[\ell]\|10^* \tag{2}$$

[Figure: the LightMAC diagram of Fig. 1 with $X$ marked at the XOR of the $E_{K_1}$ outputs and $Y$ marked at the input of $E_{K_2}$]
Fig. 4. X and Y position

Third, generate the forged messages, $M[\ell-1]'$. Then we have $X'$, which is the XOR result of the new message form. We use the random method and counter increment. According to the birthday paradox [12], [15], this step requires $2^{n/2}$ computations to get two inputs that have the same output with a probability of 0.5.

Generate the last message block value according to Eq. 3.

$$M[\ell]\|10^* = X' \oplus Y \tag{3}$$

Use the $Y$ value that has been generated previously. The second preimage is obtained if there is a message $M[\ell]'$ that has a value of 0x∗00…00 with minimum length $(n-(r-1))$ in its least significant bits. That condition is the padding defined by LightMAC. Hence, the forged message fulfills the scheme's properties, i.e. a candidate (or some candidates) of second preimage is found.

Next, check by comparing the MAC value of the candidate message with that of the original message. If the tag or MAC value is the same, the forged message is the original message's second preimage.

IV. ATTACK SIMULATION AND RESULTS

The attack simulation is done by using the Simeck32/64 algorithm as the encryption function. The keys used for simulation are $K_1$ = 0xfac8df4c32a29279 and $K_2$ = 0x001d001d0e908d26, while the parameters used are $s = r = 16$ bit, message $M$ length 60 bit, and $\ell = 4$. There are two types of messages, nonrandom sample messages and random sample messages. Table I and Table II show 5 sample messages. Moreover, for generating the forged messages, we use two ways, counter increment and random.

TABLE I
NONRANDOM SAMPLE MESSAGES
No.  M[1]    M[2]    M[3]    M[4]
1    0x0101  0x0101  0x0101  0x010
2    0x0202  0x0202  0x0202  0x020
3    0x0303  0x0303  0x0303  0x030
4    0x0404  0x0404  0x0404  0x040
5    0x0505  0x0505  0x0505  0x050

TABLE II
RANDOM SAMPLE MESSAGES
No.  M[1]    M[2]    M[3]    M[4]
1    0xbafb  0x5ec0  0x9e36  0xd4e
2    0x94d7  0x90e   0x95f6  0x608
3    0x0016  0x5e4b  0x5c7b  0x5d7
4    0x0017  0x0f33  0x02f1  0x857
5    0x7518  0x1277  0x56f3  0x666

A. Counter Increment Modification

In this context, we generate the forged message sequentially from 0x0000 to 0xffff, except for the value of the message itself.

Table III shows the result of the attack using the counter increment method. In the $2^{12}$ modifications of the second message, a second preimage was found. The second preimage was obtained in the first and fifth messages in $2^{15}$ modifications. In the third and fourth messages, there was no second preimage.

The second preimages acquired are shown in Table IV. The message is a second preimage because it corresponds to the terms already described. For example, the second preimage of $M$ = 0x02020202020202080000 is $M'$ = 0x02020202115d715d0000. The binary form of 0x715d0000 is 1110001010111010000000000000000. As seen, the binary form satisfies the condition: there is 100…00 with minimum length 17 (with $n = 32$) in its least significant bits. So do the other second preimage messages. These results indicate that the second preimage can be found with a number of modifications approaching the birthday attack's complexity.

Table V describes the second preimage messages that were found as we generated $2^{13}$ modifications of $M[\ell-1]'$ in the fourth message and $2^{15}$ modifications in the first, second, and fourth message. There was no second preimage found in the fifth message.

TABLE III
NUMBER OF SECOND PREIMAGE, NONRANDOM SAMPLE MESSAGES - COUNTER INCREMENT
No.  M[1]‖M[2]    2^12  2^13  2^14  2^15
1    0x01010101   0     0     0     1
2    0x02020202   1     0     0     0
3    0x03030303   0     0     0     0
4    0x04040404   0     0     0     0
5    0x05050505   0     0     0     1
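The Section III procedure with the counter-increment search of Section IV-A, as an added Python example (not the authors' code): a stand-in 32-bit Feistel permutation `toy_e` replaces Simeck32/64, so tags and forged blocks differ from the paper's tables, and the helper names and the samples beyond Table I's five are assumptions. As in the paper's simulation, the script holds $K_1$ and $K_2$ and computes $X$ and $Y$ directly.

```python
import hashlib

N, S, R = 32, 16, 16  # block size n, counter size s, message-block size r (paper: s = r = 16)
K1 = bytes.fromhex("fac8df4c32a29279")  # key values quoted in Section IV
K2 = bytes.fromhex("001d001d0e908d26")

def toy_e(key: bytes, block: int) -> int:
    """Stand-in 32-bit keyed permutation (4-round Feistel over SHA-256). NOT Simeck32/64."""
    left, right = block >> 16, block & 0xFFFF
    for rnd in range(4):
        f = hashlib.sha256(key + bytes([rnd]) + right.to_bytes(2, "big")).digest()
        left, right = right, left ^ int.from_bytes(f[:2], "big")
    return (left << 16) | right

def pad(last: int, bits: int) -> int:
    """M[l] || 1 0* as an n-bit integer; `bits` is the bit length of M[l]."""
    return ((last << 1) | 1) << (N - bits - 1)

def unpad(block: int):
    """(M[l], bits) if block ends in a 1 followed by at least n - r zeros, else None."""
    if block == 0 or block & ((1 << (N - R)) - 1):
        return None
    tz = (block & -block).bit_length() - 1  # count of trailing zero bits
    return block >> (tz + 1), N - 1 - tz

def x_value(k1: bytes, blocks: list) -> int:
    """Eq. 1: XOR of E_K1(i_s || M[i]) over the blocks before the last one."""
    x = 0
    for i, m in enumerate(blocks, start=1):
        x ^= toy_e(k1, (i << (N - S)) | m)
    return x

def lightmac(k1, k2, blocks, last, bits) -> int:
    """Alg. 1 with t = n: T = E_K2(X xor (M[l] || 10*))."""
    return toy_e(k2, x_value(k1, blocks) ^ pad(last, bits))

def second_preimage(k1, k2, blocks, last, bits):
    """Counter-increment search over M[l-1]; returns (blocks', M[l]', bits', tries) or None."""
    target = lightmac(k1, k2, blocks, last, bits)
    y = x_value(k1, blocks) ^ pad(last, bits)           # Eq. 2
    head = x_value(k1, blocks[:-1])                     # part of X that stays fixed
    tries = 0
    for cand in range(1 << R):
        if cand == blocks[-1]:
            continue                                    # skip the original block value
        tries += 1
        x_new = head ^ toy_e(k1, (len(blocks) << (N - S)) | cand)
        found = unpad(x_new ^ y)                        # Eq. 3, then the padding condition
        if found is not None:
            forged = blocks[:-1] + [cand]
            if lightmac(k1, k2, forged, *found) == target:  # final comparison step
                return forged, found[0], found[1], tries
    return None

# Constructed samples in the pattern of Table I (0x0101 0x0101 0x0101 0x010, ...);
# more than the paper's five so the demo does not depend on one lucky message.
SAMPLES = [([v << 8 | v] * 3, v << 4, 12) for v in range(1, 65)]

def first_hit(k1=K1, k2=K2, samples=SAMPLES):
    """Run the search on each sample until one yields a second preimage."""
    for blocks, last, bits in samples:
        hit = second_preimage(k1, k2, blocks, last, bits)
        if hit:
            return (blocks, last, bits), hit
    return None

if __name__ == "__main__":
    (blocks, last, bits), (f_blocks, f_last, f_bits, tries) = first_hit()
    print("original:", [hex(b) for b in blocks], hex(pad(last, bits)))
    print("forged:  ", [hex(b) for b in f_blocks], hex(pad(f_last, f_bits)), "after", tries, "tries")
```

The forged last block can carry a different number of message bits than the original: `unpad(0x715d0000)` gives a 15-bit $M[4]'$, while the sample's own $M[4]$ is 12 bits.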
TABLE IV
SECOND PREIMAGE OF NONRANDOM MESSAGES - COUNTER INCREMENT
No.  M[1]‖M[2]    M[3]    M[4]‖10*     MAC value
1    0x01010101   0x0101  0x01080000   0x7ee7a2ec
                  0x9767  0xeb1a0000
2    0x02020202   0x0202  0x02080000   0xfd03d61e
                  0x115d  0x715d0000
3    0x05050505   0x0505  0x05080000   0xf66364b1
                  0xbaf0  0xafd50000

TABLE V
NUMBER OF SECOND PREIMAGE FOUND, RANDOM SAMPLE MESSAGE - COUNTER INCREMENT
No.  M[1]‖M[2]    2^12  2^13  2^14  2^15
1    0xbafb5ec0   0     0     0     1
2    0x94d790ee   0     0     0     1
3    0x00165e4b   0     0     0     1
4    0x00170f33   0     1     0     0
5    0x75181277   0     0     0     0

TABLE VI
SECOND PREIMAGE FOUND OF RANDOM MESSAGE - COUNTER INCREMENT
No.  M[1]‖M[2]    M[3]    M[4]‖10*     MAC value
1    0xbafb5ec0   0x9e36  0xd4e80000   0x3fe2245f
                  0x74dc  0xb0b60000
2    0x94d790ee   0x95f6  0x60880000   0xc718db7c
                  0xa00a  0x76fb0000
3    0x00165e4b   0x5c7b  0x5d780000   0x3fe2245f
                  0x6b20  0x93ab0000
4    0x00170f33   0x02f1  0x85780000   0x05cc139d
                  0x18cc  0xadfb0000

B. Random Modification

In this section, we show the number of second preimages found using the random method. The random method means we generate the forged message $M[\ell-1]'$ at random, unlike in the previous section, where it is created in sequence.

TABLE VII
NUMBER OF SECOND PREIMAGE - NONRANDOM SAMPLE MESSAGE - RANDOM
No.  M[1]‖M[2]    2^12  2^13  2^14  2^15
1    0x01010101   0     0     0     1
2    0x02020202   1     0     0     0
3    0x03030303   0     0     0     0
4    0x04040404   0     0     0     0
5    0x05050505   0     0     0     1

As shown in Table VII, we found a second preimage when we modify the third and fourth block using $2^{12}$ modifications in the second sample. We also found a second preimage for $2^{15}$ modifications in the first and fifth sample. Table VIII summarizes the second preimages found.

TABLE VIII
SECOND PREIMAGE OF NONRANDOM MESSAGES - RANDOM
No.  M[1]‖M[2]    M[3]    M[4]‖10*     MAC value
1    0x01010101   0x0101  0x01080000   0x7ee7a2ec
                  0x9767  0xeb1a0000
2    0x02020202   0x0202  0x02080000   0xfd03d61e
                  0x115d  0x715d0000
3    0x05050505   0x0505  0x05080000   0xf66364b1
                  0xbaf0  0xafd50000

Table IX shows the number of second preimages found from random modification of random sample messages. The second preimage was found when $2^{14}$ modifications were done.

TABLE IX
NUMBER OF SECOND PREIMAGE OF RANDOM MESSAGE - RANDOM
No.  M[1]‖M[2]    2^12  2^13  2^14  2^15
1    0xbafb5ec0   0     0     0     1
2    0x94d790ee   0     0     0     1
3    0x00165e4b   0     0     0     0
4    0x00170f33   0     1     0     0
5    0x75181277   0     0     0     0

The second preimage messages from random modification of random sample messages are shown in Table X. There are three second preimage messages found.

TABLE X
SECOND PREIMAGE FOUND OF RANDOM MESSAGES - RANDOM
No.  M[1]‖M[2]    M[3]    M[4]‖10*     MAC value
1    0xbafb5ec0   0x9e36  0xd4e80000   0x3fe2245f
                  0x74dc  0xb0b60000
2    0x94d790ee   0x95f6  0x60880000   0xc718db7c
                  0xa00a  0x76fb0000
3    0x00170f33   0x02f1  0x85780000   0x05cc139d
                  0x18cc  0xadfb0000

According to Subsection IV-A and Subsection IV-B, the experiments we conducted produce second preimage messages using a smaller number of messages than it should have, which is $2^n$. The instantiation of LightMAC using Simeck32/64 cannot resist second preimage attacks with the existential forgery method. This attack has complexity close to birthday attack complexity, i.e. $2^{n/2}$.

Based on the attacks described, the LightMAC scheme can be modified by adding a counter to the last message block. The modification may result in additional blocks. The LightMAC modification can be seen in Fig. 5. Alg. 2 presents Modified LightMAC.

[Figure: inputs $1_s\|M[1]$, $2_s\|M[2]$, $3_s\|M[3]$ to $E_{K_1}$; last block $\ell_s\|M[\ell]\|10^*$; $E_{K_2}$; $t$-bit output $T$]
Fig. 5. Modified LightMAC

Alg. 2 Modified $\mathrm{LightMAC}_{K_1,K_2}(M)$
Input: $K_1, K_2 \in \{0,1\}^k$, $M \in \{0,1\}^{\le 2^s(n-s)}$
Output: $T \in \{0,1\}^t$
  $V \leftarrow 0^n \in \{0,1\}^n$
  $M[1]M[2]\cdots M[\ell] \xleftarrow{n-s} M$
  for $i \leftarrow 1, \ell-1$ do
    $V \leftarrow V \oplus E_{K_1}(i_s \| M[i])$
  $V \leftarrow V \oplus (\ell_s \| M[\ell] \| 10^*)$
  $T \leftarrow \lfloor E_{K_2}(V) \rfloor_t$
  return $T$
V. CONCLUSIONS AND FUTURE RESEARCH

The security of the IoT system, especially concerning authentication and data integrity, is critical. Therefore the MAC algorithm designed for the system must meet the expected security aspects, such as second preimage resistance. Based on observation and the experiments, it can be concluded that the resistance of the LightMAC scheme can be determined based on the last message block, whether there is 0x∗00…00 in its least significant bits with a minimum length of $(n-(r-1))$ bit. If there is a message that satisfies the condition, then the message is the second preimage of the original message and the scheme is vulnerable to a second preimage attack using the existential forgery method. The attack simulation indicates that some forged messages were produced by doing $2^{12}$, $2^{13}$ and $2^{15}$ modifications to the message block before the last block. The second preimage attack using existential forgery is also more efficient than the brute force attacks, which is birthday attack complexity. The attack requires computation less than $2^n$, where $n = 32$.

In future investigations, it may be possible to check compliance with the security claims of a modified LightMAC compared to the original LightMAC.

ACKNOWLEDGMENT

This research is supported by the PUTI Prosiding 2020 Grant, Universitas Indonesia.

REFERENCES

[1] Gartner. Gartner glossary: Internet of things (iot). [Online]. Available: https://www.gartner.com/en/information-technology/glossary/internet-of-things
[2] ——. (2020, July) Gartner Says 5.8 Billion Enterprise and Automotive IoT Endpoints Will Be in Use in 2020. [Online]. Available: https://www.gartner.com/en/newsroom/press-releases/2019-08-29-gartner-says-5-8-billion-enterprise-and-automotive-io
[3] A. Biryukov and L. Perrin, “State of the Art in Lightweight Symmetric Cryptography,” Cryptology ePrint Archive, Report 2017/511, pp. 1–55, 2017. [Online]. Available: https://eprint.iacr.org/2017/511.pdf
[4] G. Gong, “Securing Internet-of-Things,” in International Symposium on Foundations and Practice of Security. Springer, 2018, pp. 3–16.
[5] A. J. Menezes, P. C. Van Oorschot, and S. A. Vanstone, Handbook of Applied Cryptography, 1st ed. Boca Raton, FL, USA: CRC Press, 1996.
[6] A. Luykx, B. Preneel, E. Tischhauser, and K. Yasuda, “A MAC Mode for Lightweight Block Ciphers,” FSE, pp. 43–59, 2016.
[7] ISO Central Secretary, “ISO/IEC 29192-6:2019 Information technology-Lightweight cryptography-Part 6: Message authentication codes (MACs),” International Organization for Standardization, Geneva, CH, Standard ISO/IEC 29192-6:2019, 2019. [Online]. Available: https://www.iso.org/standard/71116.html
[8] G. Tsudik, “Message Authentication with One-Way Hash Functions,” SIGCOMM Comput. Commun. Rev., vol. 22, no. 5, pp. 29–38, October 1992. [Online]. Available: https://doi.org/10.1145/141809.141812
[9] N. Mouha, “Chaskey: a MAC Algorithm for Microcontrollers - Status Update and Proposal of Chaskey-12,” 2015. [Online]. Available: https://eprint.iacr.org/2015/1182
[10] T. A. Darumaya and B. H. Susanti, “Forgery attack on lightmac hash function scheme using simeck32/64 lightweight block cipher,” vol. 453. IOP Publishing, November 2018, p. 12014. [Online]. Available: https://doi.org/10.1088%2F1757-899x%2F453%2F1%2F012014
[11] F. Liu and F. Liu, “Universal forgery with birthday paradox: Application to blockcipher-based message authentication codes and authenticated encryptions,” IACR Cryptol. ePrint Arch., vol. 2017, p. 653, 2017.
[12] B. A. Forouzan, Cryptography and Network Security, 1st ed. New York, NY, USA: McGraw-Hill, Inc., 2008.
[13] M. Stamp and R. M. Low, Applied Cryptanalysis: Breaking Ciphers in the Real World. Wiley-Interscience, 2007.
[14] K. Jia, X. Wang, Z. Yuan, and G. Xu. (2009) Distinguishing Attack and Second-Preimage Attack on the CBC-like MACs.
[15] ——, “Distinguishing and second-preimage attacks on cbc-like macs,” in Cryptology and Network Security, J. A. Garay, A. Miyaji, and A. Otsuka, Eds. Berlin, Heidelberg: Springer Berlin Heidelberg, 2009, pp. 349–361.
[16] G. Yang, B. Zhu, V. Suder, M. D. Aagaard, and G. Gong, “The Simeck Family of Lightweight Block Ciphers.” Springer, 2015, pp. 307–329.
[17] R. Beaulieu, D. Shors, J. Smith, and S. Treatman-clark, “The Simon and Speck Families of Lightweight Block ciphers,” Cryptology ePrint Archive, 2013. [Online]. Available: http://eprint.iacr.org
[18] R. Beaulieu, D. Shors, J. Smith, S. Treatman-Clark, B. Weeks, and L. Wingers, “Simon and Speck Block Ciphers for the Internet of Things *,” 2015. [Online]. Available: https://eprint.iacr.org/2015/585.pdf
[19] ——, “The Simon and Speck Lightweight Block Ciphers.” New York, USA: Association for Computing Machinery (ACM), pp. 175:1–175:6.