Security Evaluation of LIGHTMAC - Second Preimage Attack Using Existential Forgery
Abstract—Message Authentication Code (MAC) is a cryptographic hash function that uses the cryptographic key(s) to generate a MAC value, or tag. A MAC security property that must be satisfied is second preimage resistance: given an input, it is difficult to find a different input with the same tag. A lightweight MAC called LightMAC was introduced in 2016 by Luykx et al. The scheme uses a lightweight block cipher as its encryption function. This paper discusses the application of a second preimage attack on the LightMAC scheme using existential forgery methods. The purpose of this attack is to determine the resistance of LightMAC's second preimage property. From observation and experiments with an instantiation using Simeck32/64, it is found that the attack is more efficient than brute force attacks, with birthday attack complexity. Furthermore, a modification is recommended to avoid the second preimage attack on LightMAC.

Index Terms—LightMAC, second preimage attack, Simeck32/64, existential forgery, lightweight cryptography.

I. INTRODUCTION

According to Gartner, the Internet of Things (IoT) is defined as a network of physical devices that contain embedded technology to communicate and interact with the internal state of objects or the exterior domain [1]. Gartner [2] also predicts that the number of IoT devices, especially those used by companies and the automotive sector, will reach 5.81 billion devices in 2020, an increase of approximately 21% over the number of devices in 2019. This massive number of connected devices creates risks. The most significant threats to the IoT system in this condition concern security, scalability, and reliability [3], [4]. To secure the IoT system, one security mechanism that can be used is the cryptographic hash function, primarily to accomplish message authentication and data integrity [3].

The cryptographic hash function is a fundamental primitive of modern cryptography. It maps input messages of any length to output values of fixed length. The output produced is named a hash value, a message digest, or a fingerprint. A proper hash function must have three properties: preimage resistance, second preimage resistance, and collision resistance [5]. Menezes, Van Oorschot, and Vanstone [5], based on the key used, divide hash functions into two classes, i.e. Modification Detection Codes (MDC), also called Message Integrity Codes (MIC), and Message Authentication Codes (MAC). An MDC does not require a secret key input, while a MAC does.

In 2016, Luykx et al. [6] introduced a MAC scheme called LightMAC, which may be utilized as a pseudorandom function or as a MAC function. This scheme uses a lightweight block cipher as its encryption function. The International Organization for Standardization (ISO) in 2019 [7] established this scheme as a standard, ISO/IEC 29192-6:2019. This standard covers lightweight cryptography algorithms, specifically message authentication codes (MACs). Apart from LightMAC, two other algorithms are specified: Tsudik's keymode [8] and Chaskey-12 [9].

A MAC must satisfy several requirements to achieve the expected service. One condition that must be met is resistance to second preimage attacks. A second preimage attack is said to be successful if the adversary can obtain another message, different from the message given previously, with the same tag, using computing resources that are more efficient than a brute force attack [5].

Darumaya and Susanti [10] attacked the LightMAC algorithm with the Simeck32/64 instance in 2018. The attacks used were selective forgery, universal forgery and existential forgery. The attacks were based on the research of Liu and Liu [11], except for the existential forgery. The result of the attack is that forged messages were found for each sample used. Hence the authors claim that LightMAC instantiated with Simeck32/64 is vulnerable to forgery attacks.

This paper studies second preimage attacks on the LightMAC scheme using an existential forgery approach. The existential forgery approach used is different from the approach used by Darumaya and Susanti [10]. Experiments in this paper use the same algorithm, i.e., the Simeck32/64 lightweight block cipher. A secure MAC algorithm should ideally have $n$-bit security, where $n$ is the bit length of the MAC value. In the case of LightMAC with the Simeck32/64 instantiation, 32-bit security is expected. It means that at least $2^{32}$ computations are needed to get another message that has the same MAC value as a given particular message.

The arrangement of this paper is as follows. Section 2 discusses several theories that underlie the further discussion. In Section 3, the second preimage method is explained in detail using the existential forgery method. In Section 4, the results of the experiments are discussed. The last section presents the conclusions and future research of this paper.

II. PRELIMINARIES

A. LightMAC

The designers of LightMAC convey that it is a MAC mode that offers not only reliable authentication on resource-limited devices but also enables peak-performance parallel
266
determined by the XOR value earlier. If the same XOR value is yielded from different messages, the resulting tag value is the same. The message produced is then a second preimage of the original message.

Based on the above observations, the steps for the second preimage attack are:

First, set the parameters used, including the keys $K_1$ and $K_2$, the value of $s$, and the message length.

Second, generate sample messages, then calculate the MAC value corresponding to each. Record the value of $X$, $Y$, and the MAC value $T$. The value of $X$ is obtained by XOR-ing the results of the first encryption block up to the $(\ell-1)$-th encryption block, see Eq. 1.

$$X = E_{K_1}(1_s \| M[1]) \oplus E_{K_1}(2_s \| M[2]) \oplus \cdots \oplus E_{K_1}((\ell-1)_s \| M[\ell-1]) \qquad (1)$$

XOR-ing $X$ with the last block of the message, i.e. the $\ell$-th block, gives the value of $Y$, see Eq. 2. Fig. 4 depicts the position of $X$ and $Y$.

$$Y = X \oplus (M[\ell] \| 10^*) \qquad (2)$$

Fig. 4. X and Y position (figure: the blocks $1_s \| M[1]$, $2_s \| M[2]$, $3_s \| M[3]$ each pass through $E_{K_1}$ and are XOR-ed to give $X$; $X$ XOR-ed with $M[4] \| 10^*$ gives $Y$, which passes through $E_{K_2}$ and is truncated to $t$ bits to give $T$).

Third, generate the forged messages $M[\ell-1]'$. Then we have $X'$, the XOR result for the new message form; the forged block is produced either by counter increment or at random. According to the birthday paradox [12], [15], this step requires $2^{n/2}$ computations to get two inputs that have the same output with a probability of 0.5.

Generate the last message block value according to Eq. 3, using the $Y$ value that has been generated previously.

$$M[\ell] \| 10^* = X' \oplus Y \qquad (3)$$

A second preimage is obtained if this yields a last block $M[\ell]'$ whose value has the form 0x*00...00, i.e. a 1 followed by zeros, of minimum length $(n - (r - 1))$ in its least significant bits. That condition is the padding defined by LightMAC. Hence the forged message fulfills the scheme's properties, i.e. one or more candidate second preimages are found.

Next, check by comparing the MAC value of the candidate message with that of the original message. If the tag or MAC value is the same, the forged message is a second preimage of the original message.

IV. ATTACK SIMULATION AND RESULTS

The attack simulation is done using the Simeck32/64 algorithm as the encryption function. The keys used for the simulation are $K_1$ = 0xfac8df4c32a29279 and $K_2$ = 0x001d001d0e908d26, while the parameters used are $s = r = 16$ bits, message $M$ length 60 bits, and $\ell = 4$. There are two types of messages, nonrandom sample messages and random sample messages; Table I and Table II show the 5 sample messages of each type. Moreover, for generating the forged messages we use two ways, counter increment and random.

TABLE I
NONRANDOM SAMPLE MESSAGES

No.  M[1]    M[2]    M[3]    M[4]
1    0x0101  0x0101  0x0101  0x010
2    0x0202  0x0202  0x0202  0x020
3    0x0303  0x0303  0x0303  0x030
4    0x0404  0x0404  0x0404  0x040
5    0x0505  0x0505  0x0505  0x050

TABLE II
RANDOM SAMPLE MESSAGES

No.  M[1]    M[2]    M[3]    M[4]
1    0xbafb  0x5ec0  0x9e36  0xd4e
2    0x94d7  0x90ee  0x95f6  0x608
3    0x0016  0x5e4b  0x5c7b  0x5d7
4    0x0017  0x0f33  0x02f1  0x857
5    0x7518  0x1277  0x56f3  0x666

A. Counter Increment Modification

In this method, we generate the forged message block sequentially from 0x0000 to 0xffff, except for the value of the original message block itself.

Table III shows the result of the attack using the counter increment method. Within $2^{12}$ modifications of the second message, a second preimage was found. For the first and fifth messages, the second preimage was obtained within $2^{15}$ modifications. For the third and fourth messages there was no second preimage.

The second preimages acquired are shown in Table IV. Each message is a second preimage because it meets the condition already described. For example, the second preimage of M = 0x02020202020202080000 is M' = 0x02020202115d715d0000. The binary form of 0x715d0000 is 1110001010111010000000000000000. As seen, the binary form satisfies the condition: there is a 100...00 pattern of minimum length 17 (with $n = 32$) in its least significant bits. So does the other second preimage message. These results indicate that a second preimage can be found with a number of modifications approaching the birthday attack's complexity.

Table V describes the second preimage messages that were found as we generated $2^{13}$ modifications of $M[\ell-1]'$ in the fourth message and $2^{15}$ modifications in the first, second, and fourth message. There was no second preimage found in the fifth message.

TABLE III
NUMBER OF SECOND PREIMAGE, NONRANDOM SAMPLE MESSAGES - COUNTER INCREMENT

No.  M[1]||M[2]  2^12  2^13  2^14  2^15
1    0x01010101  0     0     0     1
2    0x02020202  1     0     0     0
3    0x03030303  0     0     0     0
4    0x04040404  0     0     0     0
5    0x05050505  0     0     0     1
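As an added worked example (not code from the paper, nor from the LightMAC or Simeck authors), the attack steps of Section III with the counter-increment method of Section IV-A, in Python, with LightMAC instantiated by Simeck32/64 and the parameters and keys of Section IV. The Simeck32/64 round function and key schedule are written from the published description and are an assumption to be checked against the cipher's test vectors; the tag-equality check of the last step does not depend on them.

```python
"""Added example: second-preimage search on LightMAC (n=32, s=r=16, t=32) with Simeck32/64."""
N, R = 32, 16                  # block size n, message block size r; counter size s = n - r
M16, LOW = 0xFFFF, (1 << (N - R)) - 1
def rol16(x, k):
    return ((x << k) | (x >> (16 - k))) & M16
def simeck_f(x):               # Simeck round function f(x) = (x & (x <<< 5)) ^ (x <<< 1)
    return (x & rol16(x, 5)) ^ rol16(x, 1)
def simeck32_64_round_keys(key):
    # Assumption: schedule as in the published Simeck description; key loaded as (t2, t1, t0, k0)
    k = [(key >> (16 * i)) & M16 for i in range(4)]
    seq, rks = 0x9A42BB1F, []  # z0 bits of the X^5 + X^2 + 1 LFSR (seed 11111), LSB first
    for _ in range(32):
        rks.append(k[0])
        k = [k[1], k[2], k[3], k[0] ^ simeck_f(k[1]) ^ (0xFFFC | (seq & 1))]  # C = 2^16 - 4
        seq >>= 1
    return rks
def simeck32_64_encrypt(rks, block):
    l, r = block >> 16, block & M16
    for rk in rks:
        l, r = simeck_f(l) ^ r ^ rk, l
    return (l << 16) | r
def pad_last(value, length):   # M[l] || 10*: append a 1 bit, then zeros up to n bits
    return ((value << 1) | 1) << (N - length - 1)
def unpad_last(padded):        # inverse of pad_last for a nonzero block: (value, length)
    tz = (padded & -padded).bit_length() - 1    # position of the lowest 1, the padding bit
    return padded >> (tz + 1), N - tz - 1
def lightmac_x(rks1, blocks):  # Eq. 1: X = XOR of E_K1(i_s || M[i]) over the l-1 full blocks
    x = 0
    for i, m in enumerate(blocks, 1):
        x ^= simeck32_64_encrypt(rks1, (i << R) | m)
    return x
def lightmac_tag(k1, k2, blocks, last, last_len):   # t = n, so E_K2's output is not truncated
    x = lightmac_x(simeck32_64_round_keys(k1), blocks)
    return simeck32_64_encrypt(simeck32_64_round_keys(k2), x ^ pad_last(last, last_len))
def second_preimages(k1, k2, blocks, last, last_len, max_trials=1 << R):
    """Counter-increment method: try every M[l-1]' and keep those whose X' ^ Y (Eq. 3)
    ends in a 1 followed by at least n - r zeros, i.e. is a valid M[l]' || 10* block."""
    rks1 = simeck32_64_round_keys(k1)
    y = lightmac_x(rks1, blocks) ^ pad_last(last, last_len)       # Eq. 2
    prefix, idx, found = lightmac_x(rks1, blocks[:-1]), len(blocks), []
    for cand in range(max_trials):
        forged = prefix ^ simeck32_64_encrypt(rks1, (idx << R) | cand) ^ y
        if cand != blocks[-1] and forged != 0 and (forged & LOW) == 0:
            v, ln = unpad_last(forged)
            found.append((blocks[:-1] + [cand], v, ln))   # M' = M[1..l-2] || M[l-1]' || M[l]'
    return found

if __name__ == "__main__":     # keys and nonrandom sample message 2 (60 bits) from Section IV
    print(second_preimages(0xfac8df4c32a29279, 0x001d001d0e908d26, [0x0202] * 3, 0x020, 12))
```

With the default max_trials the search sweeps all 2^16 values of M[3]' for nonrandom sample 2; every forged message returned has, by construction, X' ⊕ (M[4]' || 10*) = Y and therefore the same tag as the original, which is the final check of Section III.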
TABLE IV
SECOND PREIMAGE OF NONRANDOM MESSAGES - COUNTER INCREMENT
(table body not recovered from the source)

TABLE V (caption not recovered from the source)

No.  M[1]||M[2]  2^12  2^13  2^14  2^15
1    0xbafb5ec0  0     0     0     1
2    0x94d790ee  0     0     0     1
3    0x00165e4b  0     0     0     1
4    0x00170f33  0     1     0     0
5    0x75181277  0     0     0     0

TABLE VI
SECOND PREIMAGE FOUND OF RANDOM MESSAGE - COUNTER INCREMENT
(for each sample, the first line gives the original M[3] and M[4]||10*, the second line the forged blocks; both share the MAC value)

No.  M[1]||M[2]  M[3]    M[4]||10*   MAC value
1    0xbafb5ec0  0x9e36  0xd4e80000  0x3fe2245f
                 0x74dc  0xb0b60000
2    0x94d790ee  0x95f6  0x60880000  0xc718db7c
                 0xa00a  0x76fb0000
3    0x00165e4b  0x5c7b  0x5d780000  0x3fe2245f
                 0x6b20  0x93ab0000
4    0x00170f33  0x02f1  0x85780000  0x05cc139d
                 0x18cc  0xadfb0000

B. Random Modification

In this section, we show the number of second preimages found using the random method. The random method means we generate the forged message block $M[\ell-1]'$ at random, unlike in the previous section, where it is created in sequence.

As shown in Table VII, we found a second preimage when we modified the third and fourth block using $2^{12}$ modifications in the second sample. We also found a second preimage for $2^{15}$ modifications in the first and fifth sample. Table VIII [...] second preimage was found when $2^{14}$ modifications were done.

The second preimage messages from random modification of the random sample messages are shown in Table X. Three second preimage messages were found.

TABLE X
SECOND PREIMAGE FOUND OF RANDOM MESSAGES - RANDOM
(same layout as Table VI)

No.  M[1]||M[2]  M[3]    M[4]||10*   MAC value
1    0xbafb5ec0  0x9e36  0xd4e80000  0x3fe2245f
                 0x74dc  0xb0b60000
2    0x94d790ee  0x95f6  0x60880000  0xc718db7c
                 0xa00a  0x76fb0000
3    0x00170f33  0x02f1  0x85780000  0x05cc139d
                 0x18cc  0xadfb0000

According to Subsection IV-A and Subsection IV-B, the experiments we conducted produce second preimage messages using a smaller number of messages than it should require, which is $2^n$. The instantiation of LightMAC using Simeck32/64 cannot resist second preimage attacks with the existential forgery method. This attack has complexity close to the birthday attack complexity, i.e. $2^{n/2}$.

Figure residue (modified LightMAC): blocks $1_s \| M[1]$, $2_s \| M[2]$, $3_s \| M[3]$, $\ell_s \| M[\ell] \| 10^*$.

Alg. 2 Modified LightMAC$_{K_1,K_2}(M)$
Input: $K_1, K_2 \in \{0,1\}^k$, $M \in \{0,1\}^{\le 2^s (n-s)}$
Output: $T \in \{0,1\}^t$
$V \leftarrow 0^n \in \{0,1\}^n$
V. CONCLUSIONS AND FUTURE RESEARCH

The security of the IoT system, especially concerning authentication and data integrity, is critical. Therefore the MAC algorithm designed for the system must meet the expected security aspects, such as second preimage resistance. Based on observation and the experiments, it can be concluded that the resistance of the LightMAC scheme can be determined based on the last message block: whether there is 0x*00...00 in its least significant bits with a minimum length of $(n - (r - 1))$ bits. If there is a message that satisfies the condition, then the message is a second preimage of the original message and the scheme is vulnerable to a second preimage attack using the existential forgery method. The attack simulation indicates that some forged messages were produced by doing $2^{12}$, $2^{13}$ and $2^{15}$ modifications to the message block before the last block. The second preimage attack using existential forgery is also more efficient than a brute force attack, having birthday attack complexity. The attack requires fewer than $2^n$ computations, where $n = 32$.

In future investigations, it may be possible to check compliance with the security claims of a modified LightMAC compared to the original LightMAC.

ACKNOWLEDGMENT

This research is supported by the PUTI Prosiding 2020 Grant, Universitas Indonesia.

REFERENCES

[1] Gartner, "Gartner glossary: Internet of things (IoT)." [Online]. Available: https://www.gartner.com/en/information-technology/glossary/internet-of-things
[2] Gartner. (2020, July) Gartner Says 5.8 Billion Enterprise and Automotive IoT Endpoints Will Be in Use in 2020. [Online]. Available: https://www.gartner.com/en/newsroom/press-releases/2019-08-29-gartner-says-5-8-billion-enterprise-and-automotive-io
[3] A. Biryukov and L. Perrin, "State of the Art in Lightweight Symmetric Cryptography," Cryptology ePrint Archive, Report 2017/511, pp. 1–55, 2017. [Online]. Available: https://eprint.iacr.org/2017/511.pdf
[4] G. Gong, "Securing Internet-of-Things," in International Symposium on Foundations and Practice of Security. Springer, 2018, pp. 3–16.
[5] A. J. Menezes, P. C. Van Oorschot, and S. A. Vanstone, Handbook of Applied Cryptography, 1st ed. Boca Raton, FL, USA: CRC Press, 1996.
[6] A. Luykx, B. Preneel, E. Tischhauser, and K. Yasuda, "A MAC Mode for Lightweight Block Ciphers," FSE, pp. 43–59, 2016.
[7] ISO Central Secretary, "ISO/IEC 29192-6:2019 Information technology - Lightweight cryptography - Part 6: Message authentication codes (MACs)," International Organization for Standardization, Geneva, CH, Standard ISO/IEC 29192-6:2019, 2019. [Online]. Available: https://www.iso.org/standard/71116.html
[8] G. Tsudik, "Message Authentication with One-Way Hash Functions," SIGCOMM Comput. Commun. Rev., vol. 22, no. 5, pp. 29–38, October 1992. [Online]. Available: https://doi.org/10.1145/141809.141812
[9] N. Mouha, "Chaskey: a MAC Algorithm for Microcontrollers - Status Update and Proposal of Chaskey-12," 2015. [Online]. Available: https://eprint.iacr.org/2015/1182
[10] T. A. Darumaya and B. H. Susanti, "Forgery attack on LightMAC hash function scheme using Simeck32/64 lightweight block cipher," vol. 453. IOP Publishing, November 2018, p. 12014. [Online]. Available: https://doi.org/10.1088%2F1757-899x%2F453%2F1%2F012014
[11] F. Liu and F. Liu, "Universal forgery with birthday paradox: Application to blockcipher-based message authentication codes and authenticated encryptions," IACR Cryptol. ePrint Arch., vol. 2017, p. 653, 2017.
[12] B. A. Forouzan, Cryptography and Network Security, 1st ed. New York, NY, USA: McGraw-Hill, Inc., 2008.
[13] M. Stamp and R. M. Low, Applied Cryptanalysis: Breaking Ciphers in the Real World. Wiley-Interscience, 2007.
[14] K. Jia, X. Wang, Z. Yuan, and G. Xu. (2009) Distinguishing Attack and Second-Preimage Attack on the CBC-like MACs.
[15] K. Jia, X. Wang, Z. Yuan, and G. Xu, "Distinguishing and second-preimage attacks on CBC-like MACs," in Cryptology and Network Security, J. A. Garay, A. Miyaji, and A. Otsuka, Eds. Berlin, Heidelberg: Springer Berlin Heidelberg, 2009, pp. 349–361.
[16] G. Yang, B. Zhu, V. Suder, M. D. Aagaard, and G. Gong, "The Simeck Family of Lightweight Block Ciphers." Springer, 2015, pp. 307–329.
[17] R. Beaulieu, D. Shors, J. Smith, and S. Treatman-Clark, "The Simon and Speck Families of Lightweight Block Ciphers," Cryptology ePrint Archive, 2013. [Online]. Available: http://eprint.iacr.org
[18] R. Beaulieu, D. Shors, J. Smith, S. Treatman-Clark, B. Weeks, and L. Wingers, "Simon and Speck Block Ciphers for the Internet of Things," 2015. [Online]. Available: https://eprint.iacr.org/2015/585.pdf
[19] R. Beaulieu, D. Shors, J. Smith, S. Treatman-Clark, B. Weeks, and L. Wingers, "The Simon and Speck Lightweight Block Ciphers." New York, USA: Association for Computing Machinery (ACM), pp. 175:1–175:6.