Table of Contents
Fetching ...

Diamond: Design and Implementation of Breach-Resilient Authenticated Encryption Framework For Internet of Things

Saif E. Nouma, Gokhan Mumcu, Attila A. Yavuz

TL;DR

Diamond tackles the challenge of secure, high-throughput communication for resource-constrained IoT by integrating forward-secure encryption with aggregate MACs under an offline-online (OO) paradigm. It presents a modular, provably secure FAAE framework built from a CTR-based forward-secure encryption (FSE) and a forward-secure aggregate MAC (FAMAC), leveraging PRF-based key evolution and OO precomputation to minimize online latency. The paper provides formal security proofs in the standard model, supports two concrete instantiations (Diamond_1: AES-128/GHASH and Diamond_2: ChaCha20/Poly1305), and demonstrates substantial performance gains (e.g., up to 3.5x online speedups and up to 47% offline preprocessing reductions) across 64-bit A72, 32-bit M4, and 8-bit AVR platforms, with open-source availability. Collectively, Diamond offers breach-resilient confidentiality and authenticity with compact tag aggregation and scalable E2E latency improvements, making it practical for medical IoT, UAVs, and smart-city deployments.

Abstract

Resource-constrained Internet of Things (IoT) devices, from medical implants to small drones, must transmit sensitive telemetry under adversarial wireless channels while operating under stringent computing and energy budgets. Authenticated Encryption (AE) is essential for ensuring confidentiality, integrity, and authenticity. However, existing lightweight AE standards lack forward-security guarantees, compact tag aggregation, and offline-online (OO) optimizations required for modern high-throughput IoT pipelines. We introduce Diamond, the first provable secure Forward-secure and Aggregate Authenticated Encryption (FAAE) framework that extends and generalizes prior FAAE constructions through a lightweight key evolution mechanism, an OO-optimized computation pipeline, and a set of performance-tiered instantiations tailored to heterogeneous IoT platforms. Diamond substantially reduces amortized offline preprocessing (up to 47%) and achieves up to an order-ofmagnitude reduction in end-to-end latency for large telemetry batches. Our comprehensive evaluation across 64-bit ARM Cortex-A72, 32-bit ARM Cortex-M4, and 8-bit AVR architectures confirms that Diamond consistently outperforms baseline FAAE variants and NIST lightweight AE candidates across authenticated encryption throughput and end-to-end verification latency while maintaining compact tag aggregation and strong breach resilience. We formally prove the security of Diamond and provide two concrete instantiations optimized for compliance and high efficiency. Our open-source release enables reproducibility and seamless integration into IoT platforms.

Diamond: Design and Implementation of Breach-Resilient Authenticated Encryption Framework For Internet of Things

TL;DR

Diamond tackles the challenge of secure, high-throughput communication for resource-constrained IoT by integrating forward-secure encryption with aggregate MACs under an offline-online (OO) paradigm. It presents a modular, provably secure FAAE framework built from a CTR-based forward-secure encryption (FSE) and a forward-secure aggregate MAC (FAMAC), leveraging PRF-based key evolution and OO precomputation to minimize online latency. The paper provides formal security proofs in the standard model, supports two concrete instantiations (Diamond_1: AES-128/GHASH and Diamond_2: ChaCha20/Poly1305), and demonstrates substantial performance gains (e.g., up to 3.5x online speedups and up to 47% offline preprocessing reductions) across 64-bit A72, 32-bit M4, and 8-bit AVR platforms, with open-source availability. Collectively, Diamond offers breach-resilient confidentiality and authenticity with compact tag aggregation and scalable E2E latency improvements, making it practical for medical IoT, UAVs, and smart-city deployments.

Abstract

Resource-constrained Internet of Things (IoT) devices, from medical implants to small drones, must transmit sensitive telemetry under adversarial wireless channels while operating under stringent computing and energy budgets. Authenticated Encryption (AE) is essential for ensuring confidentiality, integrity, and authenticity. However, existing lightweight AE standards lack forward-security guarantees, compact tag aggregation, and offline-online (OO) optimizations required for modern high-throughput IoT pipelines. We introduce Diamond, the first provable secure Forward-secure and Aggregate Authenticated Encryption (FAAE) framework that extends and generalizes prior FAAE constructions through a lightweight key evolution mechanism, an OO-optimized computation pipeline, and a set of performance-tiered instantiations tailored to heterogeneous IoT platforms. Diamond substantially reduces amortized offline preprocessing (up to 47%) and achieves up to an order-ofmagnitude reduction in end-to-end latency for large telemetry batches. Our comprehensive evaluation across 64-bit ARM Cortex-A72, 32-bit ARM Cortex-M4, and 8-bit AVR architectures confirms that Diamond consistently outperforms baseline FAAE variants and NIST lightweight AE candidates across authenticated encryption throughput and end-to-end verification latency while maintaining compact tag aggregation and strong breach resilience. We formally prove the security of Diamond and provide two concrete instantiations optimized for compliance and high efficiency. Our open-source release enables reproducibility and seamless integration into IoT platforms.
Paper Structure (35 sections, 3 theorems, 19 equations, 11 figures, 3 tables)

This paper contains 35 sections, 3 theorems, 19 equations, 11 figures, 3 tables.

Key Result

Theorem 1

If ${\texttt{FSE}}{\xspace}$ is constructed as above, then for every adversary $\mathcal{A}$ running in time $t_{ {\texttt{FSE}}{\xspace}}$ and making at most $q_{ {\texttt{FSE}}{\xspace}}$ encryption queries, there exist distinguishers $\mathcal{B}_1$ and $\mathcal{B}_2$ such that: where

Figures (11)

  • Figure 1: Our system and threat models
  • Figure 2: $$FAAE Communication Flow
  • Figure 3: CTR-based $$FSE with OO Capability
  • Figure 4: Universal $$FAMAC with OO Capability
  • Figure 5: Overview of $$Diamond Framework
  • ...and 6 more figures

Theorems & Definitions (15)

  • Definition 2.1
  • Definition 2.2
  • Definition 2.3
  • Definition 2.4
  • Definition 2.5
  • Definition 2.6
  • Definition 2.7
  • Definition 2.8
  • Definition 2.9
  • Theorem 1
  • ...and 5 more