Forward-Secure & Aggregate Authenticated Encryption

• FAAE is a cryptographic framework designed for IoT that combines forward security with compact aggregate MAC tags for breach resiliency.
• It uses a robust key evolution mechanism with one-way functions to ensure that compromised current keys do not reveal past communications.
• FAAE optimizes performance through an offline–online pipeline, reducing computational overhead and communication costs in resource-constrained environments.

Forward-secure and Aggregate Authenticated Encryption (FAAE) denotes a class of symmetric cryptographic frameworks tailored to high-throughput, resource-constrained environments such as the Internet of Things (IoT), where breach resiliency, low latency, and minimal communication overhead are essential. FAAE schemes simultaneously ensure forward security against key compromise, strong authenticity/integrity, and highly compact authentication through aggregate tags, while enabling efficient offline–online (OO) computational pipelines. Recent paradigms, exemplified by the Graphene (Nouma et al., 25 Oct 2025) and Diamond (Nouma et al., 1 Jan 2026) frameworks, illustrate the practical and theoretical foundations, instantiations, and security proofs underlying FAAE.

1. Formal Definitions and Security Goals

FAAE frameworks integrate named operations—encryption, authentication, aggregation, and key evolution—subject to a provably secure adversarial model. Let $\kappa$ be the security parameter, $n$ the total number of messages, $b$ the batch/epoch size, $H$ a one-way collision-resistant hash, and $F$ a PRF.

The core syntax comprises:

• $\mathrm{Setup}(1^\kappa, n, b) \to \text{params}$
• $\mathrm{KeyGen}(\text{params}) \to K_1$
• $\mathrm{KeyEvolve}(K_i) \to K_{i+1}$
• $\mathrm{Encrypt}(K_i, M_i) \to (C_i,\sigma_i)$
• $$\mathrm{AggregateTags}(\Sigma_{i..j},\sigma_{j+1}) \to \Sigma_{i..j+1}$$
• $$\mathrm{VerifyAggregate}(K_i,C_{i..i+b-1},\Sigma_{i..i+b-1})$$

Security requirements are formalized using game-based definitions:

• Confidentiality (forward-secure IND-CPA): After exposure of $K_i$, prior messages $M_j$ for $j<i$ remain indistinguishable due to one-way key evolution ($K_j = H(K_{j-1})$ or $K_t = F_{\mathrm{prf}}(K_{t-1}, t)$).
• Authenticity & Integrity (forward-secure aggregate EUF-CMA): An adversary, even after $K_i$ compromise, cannot forge valid aggregate tags $(C^*, T^*)$ on unqueried batches.
• Aggregate authentication: For batches $n$, individual tags $\sigma_1,\ldots,\sigma_n$ are replaced by a single compact tag $$T_\mathrm{agg} = \mathsf{Agg}(\sigma_1,\ldots,\sigma_n)$$ (e.g., via XOR, modular addition, or hash).
• Advantage bounds: For adversary $\mathcal{A}$ with $t$ queries, the breaking probability $\epsilon$ is bounded by the security of underlying PRF, hash, and MAC primitives.

2. Key Evolution and Forward Security Mechanisms

Both Graphene and Diamond instantiate key evolution using lightweight, one-way cryptographic functions for forward secrecy. Initial key generation yields $(K_0, K'_0) \in \{0,1\}^\kappa$, subsequently updated as:

• Graphene: $K_{i+1} = H(K_i)$ and $K'_{i+1} = H(K'_i)$
• Diamond: $K_t = F_{\mathrm{prf}}(K_{t-1}, t)$ and, in practice, implements a forward-secure PRG (e.g., Bellare–Yee G).

Compromise of $K_t$ does not facilitate computation of prior keys $K_{j < t}$, adversaries must invert $H$ or $F_\text{prf}$, deemed infeasible under standard cryptographic assumptions.

3. Offline–Online Pipeline and Computational Efficiency

FAAE schemes are architected for low-latency IoT pipelines by decomposing expensive cryptographic operations into offline preprocessing and lightweight online execution.

Offline Phase

• Precompute PRF-derived keystreams $\{r_j\}$ for encryption and MAC one-time keys $\{r'_j\}$ (UMAC-based) per batch.
• Erase PRF seeds and intermediate secrets after use, supporting breach resiliency.

Online Phase

• Encrypt: $c_j = m_j \oplus r_j$ or $c_j = \mathsf{Enc}_{K_j}(m_j)$.
• MAC: $$\sigma_j = \mathsf{UMAC}_{r'_j}(c_j) = F_{r'_j}(c_j) + s_j$$, with nonce-based universal hash pads $s_j$.
• Aggregate: $$T_{\mathrm{agg}} = \mathsf{Agg}(\sigma_i,\ldots,\sigma_{i+n-1})$$; e.g., via XOR: $T_{\mathrm{xor}} = \bigoplus \sigma_j$.

Diamond’s OO optimization shifts key evolution and keystream/MAC mask computation offline, leaving blockwise XOR and single MAC/aggregation operation online. Amortized complexity per message is reduced from $O(m)$ to $O(1)$, yielding significant speed-ups.

4. Aggregate Tag Mechanisms and Modes

Tag aggregation replaces per-message MACs with a singular, compact tag per batch. Three aggregation modes are formalized:

• XOR aggregation: $$\Sigma_{i..j+1} = \Sigma_{i..j} \oplus \sigma_{j+1}$$
• Hash-based: $\Sigma' = H(\Sigma \| \sigma)$ secures order integrity but increases computational cost.
• Add-mod-$q$: $\Sigma = \sum \sigma_j\,\bmod\,q$, suited to arithmetic MACs (e.g., Poly1305).

The table below summarizes aggregation modes and trade-offs:

Mode	Tag Size Growth	Computational Cost
XOR	Constant	Minimal, constant-time
Hash-based	Constant	Extra hash per tag
Add-mod-$q$	Constant	Multi-precision arithmetic

Default XOR aggregation supports constant-size tags and constant-time aggregate verification.

5. Security Proofs and Reduction Arguments

Security theorems establish FAAE as robust against confidentiality, integrity, and forward-secrecy violations using reductionist proofs:

• Confidentiality: A break implies distinguishing PRF (e.g., $F_{K_j}$) outputs from random or inverting $H$; hybrid arguments yield overall advantage bound $n \cdot \mathrm{Adv}_{\rm PRF} + \mathrm{Adv}_{H}$ (Nouma et al., 25 Oct 2025, Nouma et al., 1 Jan 2026).
• Authenticity/integrity: Forgery of aggregate MAC tags entails PRF output prediction or hash collision; formal advantage is $\leq n (\mathrm{Adv}_{\rm UMAC} + \mathrm{Adv}_H)$.
• FAAE security composition: Encrypt-then-Aggregate preserves forward-secure IND-CPA and EUF-CMA, with overall bound $$\mathrm{Adv}_\mathrm{FAAE} \leq b \cdot \mathrm{Adv}_\mathrm{fs-SE} + \mathrm{Adv}_\mathrm{fs-AMAC}$$.

The proofs employ hybridization and standard composition theorems (Bellare–Namprempre).

6. Instantiations: Graphene and Diamond Variants

Concrete instantiations target compliance and efficiency. Graphene (Nouma et al., 25 Oct 2025) and Diamond (Nouma et al., 1 Jan 2026) provide several configurations:

Framework	AE Scheme	MAC Tag	Key Evolution	Aggregation Mode	Security Level	Storage
Graphene-GCM	AES-GCM	GHASH	$K_{i+1} = H(K_i)$	Hash/SHA-256	128 bits (NIST)	≈16 KB
Graphene-Poly	AES-CTR + Poly1305	UMAC/Poly1305	$K_{i+1} = H(K_i)$	XOR/mod-$p$	≈103 bits	≈32 KB
Diamond₁	AES-CTR	GHASH	PRF/AES-128	XOR	128 bits (NIST)	--
Diamond₂	ChaCha20	Poly1305	PRF/AES-128	XOR	≈103 bits	--

Both frameworks support batch/variable-length aggregation, backward compatibility with existing AE/MAC APIs (e.g., TLS, DTLS), and extensibility to alternate MACs or AE primitives.

7. Performance Evaluation and Practical Impact

Empirical benchmarking on architectures from x86-64 (Intel i9-9900K), ARM Cortex-A72/M4, and 8-bit AVR ATmega2560 demonstrates FAAE's suitability for IoT deployments.

Throughput

• Diamond₂ achieves up to 250 KB/s on ARM Cortex-M4, $3.5\times$ faster than Graphene-Poly, and $1.7\times$ over Ascon.
• Diamond₂ on AVR yields $1.2$ KB/s, versus Ascon's $0.3$ KB/s ($4\times$ faster).

Latency and Efficiency

• End-to-end batch verification latency for 1024 × 16B: Diamond₂ $\approx 3$ms (A72) vs Graphene₂ $5$ms, a $40\%$ reduction.
• On AVR, Diamond₂ $1.5$s vs Ascon $5.7$s ($3.8\times$ faster).
• Offline preprocessing is reduced by up to $47\%$ (AVR), $40\%$ (A72) relative to hash-based key evolution.
• Energy consumption per batch on AVR: Diamond₂ requires $50\,\mu J$; Ascon, $140\,\mu J$ ($65\%$ savings).

Communication Compactness

FAAE constrains authentication overhead via aggregate tags—one 16-byte tag per 1024 messages in Graphene, rather than $1024 \times 16$ bytes.

8. Backward Compatibility, Extensibility, and Applicability

FAAE designs are compatible with industry-standard cryptographic stacks (TLS, DTLS 1.3, IEEE 802.15.4), and function as an extension layer over conventional AE and MAC interfaces. The key evolution chain $H$ (or PRF) may be swapped for variants (e.g., SHA-3), while MACs (UMAC, GHASH, BP-MAC) may be substituted to accommodate application-specific homomorphic or efficiency requirements (Nouma et al., 25 Oct 2025, Nouma et al., 1 Jan 2026).

This extensibility, coupled with resistance to breach and compact communication overhead, renders FAAE highly pertinent for modern IoT environments with heterogenous platforms, stringent resource constraints, and adversarial threat models.