Diamond: End-to-End Forward-secure and Compact Authenticated Encryption for Internet of Things

cs.CR arXiv:2601.00353

Abstract

Resource-constrained Internet of Things (IoT) devices, from medical implants to small drones, must transmit sensitive telemetry over adversarial wireless channels while operating under stringent computing and energy budgets. Authenticated Encryption (AE) is essential to ensure confidentiality, integrity, and authenticity. However, existing lightweight AE standards lack the forward-security guarantees, compact tag aggregation, and offline-online (OO) optimizations required for modern high-throughput IoT pipelines. We introduce Diamond, the first provably secure Forward-secure and Aggregate Authenticated Encryption (FAAE) framework that extends and generalizes prior FAAE constructions through a lightweight key evolution mechanism, an OO-optimized computation pipeline, and a set of performance-tier instantiations. Diamond substantially reduces amortized offline preprocessing (up to 47%) and achieves up to an order-of-magnitude reduction in end-to-end latency for large telemetry batches. Our comprehensive evaluation on 64-bit ARM Cortex-A72, 32-bit ARM Cortex-M4, and 8-bit AVR architectures confirms that Diamond outperforms baseline FAAE variants in authenticated encryption throughput and end-to-end verification latency while maintaining compact tag aggregation and strong breach resilience. Diamond outperforms NIST lightweight AE candidates for medium and large payloads, and remains competitive for small messages when costs are amortized across batches. We formally prove the security of Diamond and provide two concrete instantiations, one optimized for compliance and one for high efficiency. Our open-source release enables reproducibility and seamless integration into IoT platforms.
