Deterministic Authenticated Encryption Scheme for Memory Constrained Devices

A technique of authenticated encryption for memory constrained devices called sp-AELM was proposed by Agrawal et al. at ACISP 2015. The sp-ALEM construction utilizes a sponge-based primitive to support online encryption and decryption functionalities. Online encryption in the construction is achieved in the standard manner by processing plaintext blocks as they arrive to produce ciphertext blocks. However, decryption is achieved by storing only one intermediate state and releasing it to the user upon correct verification. This intermediate state allows a legitimate user to generate the plaintext herself. However, the scheme is nonce-respecting, i.e., the scheme is insecure if the nonce is repeated. Implementation of a nonce is non-trivial in practice, and reuse of a nonce in an AE scheme is often devastating. In this paper, we propose a new AE scheme called dAELM, which stands for deterministic authenticated encryption (DAE) scheme for low memory devices. DAE is used in domains such as the key wrap, where the available message entropy omits the overhead of a nonce. For limiting memory usage, our idea is to use a session key to encrypt a message and share the session key with the user depending upon the verification of a tag. We provide the security proof of the proposed construction in the ideal cipher model.


Introduction
Authenticated Encryption (AE) is a symmetric encryption scheme that aims to provide authenticity as well as confidentiality using a single construction.The ongoing CAESAR( Competition for Authenticated Encryption: Security, Applicability, and Robustness) competition [1] has led to a spur in research and analysis of AE schemes.The idea of AE was first introduced by Bellare and Namprempre in 2000 [2].Thereafter, several notions of authenticated encryption have emerged over a series of works [3][4][5][6][7], which include misuse-resistant AE [8] and AE for memory constrained devices [9,10].
Due to the ongoing Internet of Things (IoT) revolution, the area of designing lightweight AE schemes has gained momentum.Various lightweight schemes have been proposed in recent past.Some of them include Hummingbird-2 [11], ALE [12], ASCON [13], NORX [14], Ketje [15], PFX [16], IAR-CTR, and IAR-CFB [17].Due to the limited storage capabilities of these IoT devices, it has become necessary to design a AE scheme which can process long messages even with these memory constraints.Encryption of the message on the fly (i.e., as they arrive) is not an issue in most of the block-cipher-based AE schemes.However, decrypting the ciphertext with limited memory poses a challenge.This is because the sender cannot return decrypted data without first verifying its authenticity, and verifying the authenticity requires the data to be seen in a first pass followed by the actual decryption in the second pass.To avoid the user supplying different data during the authentication and the decryption passes, the device needs to store the data, which may not be feasible for the devices with restricted memory space.

Related Work
A few methods for supporting authenticated encryption in a memory constrained scenario have been proposed.However, all of them have restrictions.The first method to support online decryption was proposed by Fouque et al. [9], who designed a generic construction called "decrypt-then-mask" (DTM).In this method, a pseudorandom number generator is used to mask the plaintext blocks during decryption, and this masked data is released to the receiver.Once the tag gets verified, the cryptographic module returns the PRNG seed used for masking plaintext block to the receiver who can run the same PRNG at her end and unmask the received data.A drawback of this construction is that the decryption device using DTM must implement a pseudorandom number generator, which may not fit on a constrained device.To overcome this problem, a sponge-based construction called sp-AELM was proposed in [10].The main idea behind this construction is to store an intermediate state while performing decryption, instead of storing the complete plaintext.Depending on the ciphertext-tag pair passing the validation test, either the saved intermediate state or an invalid symbol is returned to the user.If the verification was correct, then the receiver can recover the plaintext from this intermediate state along with the already available ciphertext.A schematic representation of sp-AELM is shown in Figure 1.The intermediate state (a 0 , b 0 ) as shown in Figure 1 is stored and released upon correct verification.For more details of the construction, one can refer to [10].However, the main drawback of this scheme is that it is nonce-respecting, and no security guarantees are available in the case of nonce being repeated.In [18], Hoang et al. introduced a new notion called OAE2, which supports both online encryption and online decryption.It processes plaintext and ciphertext by partitioning them into a sequence of segments.The size of these segment is decided by the user, and different segments can have different lengths.On an input message M that gets segmented by a user to (M 1 , M 2 , ..., M n ), OAE2 encrypts each segment as soon as it arrives, carrying forward only a constant size state.Thus, input message M produces a segmented ciphertext verification of what has come so far.Each C i must result in an immediate recovery of M i without waiting for the availability of C i+1 .However, OAE2 is not secure when the nonce repeats.In practice, it is difficult to ensure that nonce never repeats during the operation of a device.Even when it is feasible to generate a unique nonce for each encryption, it is usually through an expensive operation.In other words, implementation of a nonce is non-trivial in practice.Moreover, repeating a nonce in an AE scheme is often devastating [18].
With the increasing usage of low-cost RFID devices, sensors, and trusted platform modules (TPMs), the need for an AE scheme which can support both the encryption and the decryption functions in a resource-constrained environment is increasing day by day.As already mentioned, existing AE schemes which are suitable for low memory devices are vulnerable to attacks in nonce-repeating scenarios.To overcome this limitation, we propose a new deterministic authenticated encryption (DAE) scheme, which we call dAELM.
The concept of the DAE scheme was introduced by Rogaway and Shrimpton in [8].In a DAE scheme, the encryption algorithm deterministically produces a ciphertext for a given key, associated data, and a message.The DAE construction in [8] was termed "SIV," which stands for synthetic IV.This construction combines a conventional IV-based encryption scheme and a pseudorandom function that takes a vector of strings as input.The scheme [8] first applies a PRF to associated data and a message to produce an IV and uses the resultant IV for the encryption scheme.The SIV construction is proven to be secure, assuming all of its components are secure.However, the SIV construction is not designed for resource-constrained environments; in particular, it may not be suitable for a scenario where the cryptomodule does not have enough space to store the complete message M during decryption.This memory requirement is because the decryption procedure cannot return the plaintext before successful verification of the tag.In this work, we design an efficient and provably secure DAE scheme that is suitable for memory-constrained cryptomodules.
Our scheme resembles the SIV construction and exploits the existing entropy in messages to omit the overhead for nonces.It also saves bandwidth by eliminating the need to send nonces or random values over the communication channel.
The important feature that makes our construction differ from SIV is the use of the cryptographic module.In dAELM, we assume encryption and decryption takes place inside a cryptographic module which has a secret key embedded on it and has a very limited memory space.The reason behind using the cryptographic module is to increase the security of the key.We don't want the key to being accessible outside the cryptographic module.
The remainder of the paper is organized as follows.Section 3 provides definitions that we use in defining the security of the proposed scheme.Section 4 provides a specification of the proposed scheme dAELM.Section 5 presents the security proof of the scheme.Section 6 compares dAELM with other existing schemes.Section 7 shows the software implementation results of our scheme, followed by a discussion in Section 8. Finally, we conclude in Section 9.

Preliminaries Definition 1 (DAE).
A deterministic AE scheme [8] is a tuple Π = (K, E , D), where K is a non-empty set of strings and the encryption algorithm E and decryption algorithm D are deterministic.E : K × A × M → C and D : K × A × C → M ∪ ⊥ with associated non-empty key space K, associated-data space A, and message/ciphertext space M, C ⊆ {0, 1} * .For each K ∈ K, A ∈ A and M ∈ M, E A K (M) or E K (A, M) maps (A, M) to an output C such that |C| = |M| + τ for a fixed τ.D A K (C) or D K (A, C) outputs corresponding message M iff C is valid, and ⊥ otherwise.We assume correctness; i.e., for all (K, A, M) Definition 2 (Deterministic Privacy (detPriv)).We adapt the same notion of privacy as in [8], namely in terms of indistinguishability of the output from a random string.Let Π = (K, E , D) be a DAE scheme with a fixed associated data space A and message space M. Let A be an computationally bounded adversary having access to encryption oracle E and an ideal primitive π and its inverse π −1 .We then define detPriv advantage of adversary A in attacking Π as Adv detPriv where $ is an oracle which on input (A, M) ∈ A × M outputs a random string of length |E K (•, •)|.We assume that adversary A does not allow repeated queries on the same inputs.
Definition 3 (Deterministic Authenticity (detAuth)).Let Π = (K, E , D) be a DAE scheme with message space M and associated data space A. Consider an adversary A with access to encryption and decryption oracles E K and D K respectively, and an ideal primitive π and its inverse π −1 .We then define A's detAuth advantage in attacking Π as Adv detAuth Definition 4 (PRF Advantage).Let f : K × X → Y be a function with a non-empty key space K and A a computationally bounded adversary with access to an oracle, where K $ ← − K and g $ ← − Func(X , Y ).Thus, the PRF advantage of an adversary A on f is defined as Definition 5 (rka-ind-advantage).Let Φ be a set of mappings from {0, 1} n to {0, 1} n .Let A be an adversary whose queries have the form (φ, X), where X ∈ {0, 1} n , φ ∈ Φ and Φ ∈ {φ ident , φ const }.The rka-ind-advantage of A in a Φ-restricted-related key attack on π : {0, 1} n × {0, 1} n → {0, 1} n is given by where, on query (φ, X), the oracle O(RK(•, K), •) returns the value of O(φ(K), X) to adversary A.

Specifications of dAELM
In this work, we propose a new deterministic authenticated encryption scheme dAELM for memory constrained devices.In the next subsection, we will explain the operational environment for our scheme followed by the description of dEALM in Section 4.2.

An Operational Scenario for the Proposed Scheme
Our scenario assumes three entities-namely the sender, the receiver, and the cryptographic module-are interacting in the protocol.We assume that the encryption and decryption functionality is carried out inside the cryptographic module, which has limited storage capability and a built-in secret key.The purpose of using the cryptographic module is to provide a secure practical setup to prevent the leakage of the secret key from the device.The sender encrypts a message M, generates the ciphertext and tag pair (C, T), and sends the pair to the receiver.The receiver, having access to a similar cryptographic module, passes this (C, T) pair to the module for decryption.This cryptographic module decrypts ciphertext C to produce M, and without storing this M, he passes it directly to the MAC function for the calculation of tag T (MAC computation is done in parallel with decryption operation).If at the end computed tag T gets verified with the received tag, (i.e., T = T ) then cryptographic module reveals the session key K to the receiver.After that, the receiver can decrypt C using K to obtain the original M. The flow diagram for encryption and decryption are shown in Figure 2.

Description
This section defines the generic construction.The schematic structure of the proposed scheme is shown in Figure 3. Let K be a non-empty key space, and let A ⊆ {0, 1} * denote the associated data space.

⊕ ⊕ ⊕
MAC Encryption of dAELM takes three inputs key K ∈ K, associated data A ∈ A, and plaintext M, where associated data is optional and produces ciphertext tag pair (C, T) as output.Encryption works by first calculating MAC T over associated data A and plaintext M using key K. Further, T is encrypted using key K + const to produce session key K * .and plaintext M is then encrypted as C in a counter mode using T as a counter and K * as key.Finally, (C, T) pair is produced as an output.For the decryption, first the session key K * is generated using K and T, and ciphertext is then decrypted using the K * to obtain plaintext M. Afterward, a tag is generated and compared with the received tag.If both tags are matched, then K * is returned, otherwise invalid.Now using K * , T, and C, original message M can be easily produced.Algorithms for encryption and decryption of dAELM constructions are shown in Algorithms 1 and 2 respectively, and the block diagrams representing encryption and decryption are shown in Figures 4 and 5, respectively.
The underlying assumption for the dAELM construction is that it works for the block-cipher-based MAC only and works sequentially.In other words, we will consider only those MAC who processes message block-wise instead of processing as a whole.

MAC Generation Session key Generation
Cipher-text Generation

Security Results for the New Construction dAELM
In this section, we provide the security bounds for the privacy and authenticity of the dAELM construction.We gave the security proof in the ideal cipher model.For writing this proof, we have made an assumption that the underlying MAC in the proposed scheme works in a sequential manner, i.e., as soon as it receives a message block, MAC computation starts.We used a code-based game playing framework introduced by Bellare and Rogaway in [19] to write the proof.Theorem 1 states the privacy, and Theorem 2 states the authenticity of the proposed construction in the following sections.

Privacy
Theorem 1.Let Π = (K, E , D) be the proposed DAE scheme with an ideal primitive π, that operates on n bits.The adversary A is given access to π and π −1 .Then the privacy advantage of adversary A is given by Adv detPriv where $ is defined in Definition 2 in Section 3, and σ is the maximum number of block calls to π and π −1 by encryption E and decryption D. Adv pr f (D A ) is the prf advantage and Adv rka−ind π(RK(•,K),•),Φ,π (B A ) is the related key advantage defined in Definitions 4 and 5 respectively in Section 3.
Proof.For the proof of privacy, we use code-based game-playing framework introduced by Bellare and Rogaway in [19].We present a set of games from G0 to G5 (shown in the appendix in Figures A1-A5).Starting from Game G0 and modifying it one step at a time, we construct a chain of games G0 −→ G1 −→ . . .−→ G5.Here, Game G0 represents the actual construction, and Game G5 represents a completely random output.A description of each game is given the following: G0: In this game, the encryption oracle perfectly simulates the proposed algorithm, and π, π −1 oracle simulates the ideal permutation and its inverse.As we will consider block-cipher-based MAC only, here we represent it by MAC π(K,•) (M), where π(K, •) represents internal block-cipher calls on an input message M.
G1: Game G1 is the same as G0 except in G1 the block cipher calls during MAC computation and session key generation has been replaced by subroutine g, which generates a random output for a given input.Adversary A cannot make a direct call to the subroutine g.
Let us assume that an adversary A distinguishes these two games.We build an adversary B against the subroutine g who uses adversary A. The process is as shown in appendix in Figure A6.
Adversary B A : In this game, the challenger chooses the key K, and the adversary B A is provided with the oracles O(RK( * , K), •), which are simply a related key oracle and π oracle.For each (A, M), query adversary B internally calls oracle O and replies to adversary A with answer (C, T).
Finally, A receives the (C, T) pair for his queries either with the related key oracle or a random oracle.This game perfectly simulates the game G0 if B uses the related key oracle.Therefore, we have If adversary B uses a random oracle, then this game perfectly simulates game G1.
Lemma 1.For any rka − ind adversary A with q queries, there exists an adversary B A such that where G0 and G1 are shown in Figure A1, and B A is defined in Figure A6.B A can make only two queries: (φ ident , •) and (φ const , •).Φ = {φ ident , φ const }, where φ ident (x) = x and φ const (x) = x ⊕ const.G1': Game G1 and G1 are exactly the same.Therefore, G2: Game G1 and G2 differ only when a bad event occurs, otherwise, in absence of a bad event, both games are the same.
A bad event occurs when an input to π and π −1 collide with the elements in set I π .Therefore, the probability of a bad event will be equal to the probability of collision in π and π −1 .Hence, the probability difference between G1 and G2 is G2': Games G2 and G2 are exactly the same.Therefore, G3: Game G2 and G3 are identical.In Game G3, the E oracle itself simulates the behavior of π, so it becomes independent of π.Hence, Games G2 and G3 are the same from an adversarial point of view.
G4: Games G3 and G4 are the same except on Line 3. Let us assume that an adversary A distinguishes these two games.We build an adversary D against the MAC oracle who uses adversary A. The process is as shown in appendix in Figure A7.
Adversary D A : In this game, the challenger chooses the key K, and the adversary D A is provided with the oracles O(•), which is either a MAC g(K,•) (•) or $(•) oracle.For each (A, M), query adversary D internally calls oracle O and replies to adversary A with answer (C, T).
Finally, A receives the (C, T) pair for his queries either with MAC oracle or random oracle.This game perfectly simulates Game G3 if D uses the MAC oracle.Therefore, we have If adversary D uses a random oracle, then this game perfectly simulates Game G4.
Lemma 2. For any pr f adversary A, there exists an adversary D A such that G5: In Game G4, each ciphertext block is generated randomly and the concatenated ciphertext is returned to an adversary.Similarly, a tag is also generated randomly.However, in Game G5, ciphertext and tag of the desired length is selected as a random string and returned to an adversary.This move from G4 to G5 does not make any difference, as in both games output is generated as a completely random value.Therefore, Finally, by using the fundamental lemma of the game-based framework,

Authenticity
In this section, we analyze the security of the authenticity of the tag produced in our scheme.The forgery of an AE scheme is defined as the ability of an adversary A to generate a valid (A, M, C, T) tuple, without directly querying it to the encryption oracle.The adversary is allowed to make a limited number of queries to encryption, decryption, and the π and π −1 oracles.For an AE scheme, we say the adversary A is successful in forging if it outputs an (A, C, T) tuple, where D K (A, C, T) = I NVALID and adversary A has not asked fora query E K (A, M) that resulted in response (C, T).
Let Exp Auth Π (A) be the forging experiment for a given AE scheme Π = (K, E , D).Then the forging experiment is defined as follows: 1.
Adversary A can query encryption oracle E and decryption oracle D at most q enc and q dec times, respectively.

2.
All the query responses of encryption oracle E are stored in a set, say, R.This set contains an (A, C, T) tuple, which has been returned by an encryption query.

3.
If adversary A is able to generate a new (A, C, T) pair / ∈ R that produces valid message M, then he wins and output is 1; otherwise, output is 0, after trying q dec number of queries.
We say the adversary wins, i.e., he succeeds in creating a forgery if Exp Auth Π (A) = 1.Therefore, the advantage of an adversary in forging the scheme is defined as Suppose an adversary makes a q enc number of encryption queries and stores a result in set R that consists of tuple (A i , C i , T i ), where 1 ≤ i ≤ q enc .Now his goal is to generate a new tuple (A , C , T ) / ∈ R, which generates a valid M on verification.
Theorem 2. Let Π = (K, E , D) be the proposed authenticated encryption scheme with an ideal primitive (π) that operate on n bits.The adversary A is given access to encryption oracle E , decryption oracle D, and the π and π −1 oracles.Then Π = (K, E , D) is forgeable with the probability where σ is a maximum number of blocks to π, π −1 by encryption oracle E , and decryption oracle D and q dec is the number of queries to the decryption oracle.Adv rka−ind π(RK(•,K),•),Φ,π (B A ) is the related key advantage, and Adv pr f (D A ) is the prf advantage.
Proof.To give authenticity proof, we first use the same sequence of games (G0-G4) as in privacy proof with an additional decryption oracle.This sequence of games transforms the MAC into a pseudorandom function, and the block cipher calls into ideal permutation by considering their respective advantages.Here, we are directly using the advantages of games from the above privacy proof.After these transformations, we do further analysis.
There are two possible cases to consider: 1.
An adversary generates a forgery pair (A , C , T ) which produces a valid M such that ( * , * , T ) ∈ R; i.e., he chooses a new (A, C) pair, which corresponds to the same tag T i (= T ) that has been previously used for some other (A i , C i ), where 1 ≤ i ≤ q enc .T and T will correspond to the same session key K * for a given key K.This same K * will result in the same output for further block cipher calls.This can be divided into cases.
(a) C = C i : In this case, necessarily A = A i .As all block cipher outputs are the same, XORing them with C(= C i ) will produce the same M(= M i ).For a successful forgery, we need at least one parameter to be different in the (A , C , T ) tuple.Since C = C i and T = T i , A should be different from A i .Therefore, the probability of happening this case will be same as the birthday bound on the MAC output.
(b) C = C i : In this case, for T i (= T ), C = C i will result in M = M i .Therefore, the probability of this case will again become the same as the birthday bound on the MAC output.
Therefore, the overall probability of this case will be given by q 2 dec 2 n . 2.
An adversary generates a forgery pair (A , C , T ), where T is new, i.e. ( * , * , T ) / ∈ R.This case is further possible in two scenarios: (a) An adversary is able to guess the key K correctly; i.e. he has access to the system and can generate any number of valid queries.The probability of this case will be equivalent to guessing the key, which is Suppose adversary guesses the tag T correctly for a given key K and (A , M ) pair.
Then, for further calculations of ciphertext, he also needs to guess the session key K .Then only he can generate the forgery.Therefore, the probability of happening this case will be the product of the probability of guessing the tag and session key K that is equal to 1 2 2n .
Therefore, the overall probability of this case will be 1 2 n .
Hence, the overall advantage of authenticity is given as

Comparison
In Table 1, we present a comparison of the newly proposed scheme dAELM with existing schemes sp-AELM [10], OAE2 [18], and SIV [8].Among these four schemes, sp-AELM and OAE2 are randomized schemes requiring nonces to produce the randomness.The remaining two schemes, the SIV and the dAELM are deterministic.They use the available message entropy to omit the overhead of a nonce.Schemes sp-AELM and OAE2 support online encryption, whereas SIV and dAELM do not provide online encryption features due to their misuse-resistant behavior.As mentioned in [18], misuse-resistant AE schemes cannot be online since every bit of the ciphertext must depend on every bit of plaintext in a misuse-resistant scheme.This ensures that one cannot output the first bit of a ciphertext before reading the last bit of the plaintext.Among the four schemes, only OAE2 supports online decryption at the cost of generating a tag for every individual segment of the plaintext.All these schemes provide low memory support, except SIV.Further, sp-AELM and OAE2 are vulnerable to a nonce-repeating attack, while this is not the case with SIV and dAELM.OAE2 operates by dividing the plaintext into variable size segments of user-determined lengths, whereas sp-AELM, SIV, and dAELM process the plaintext into fixed size blocks of fixed lengths.In sp-AELM, SIV, and dAELM, the ciphertext length is a sum of plaintext and tag length (τbits), whereas in the OAE2 scheme the tag is generated for each segment.

Software Implementation
We implemented the proposed scheme dAELM in ATmega128 microcontroller and compared the performance against an existing SIV scheme.ATmega128 microcontroller is an 8-bit AVR RISC-based microcontroller, which combines 128 KB of programmable flash memory, 4 KB SRAM, and a 4 KB EEPROM.The device supports throughput of 16 MIPS at 16 MHz and operates at 4.5-5.5 volts.We used the C language for programming ATmega 128.For the implementation of dAELM and SIV, we used the AES-128 as an underlying block cipher and HMACSHA1 as an underlying MAC function.We executed the experiments for the messages of various length and analyzed how much memory is taken by the program performing encryption and decryption.
Pseudocode of decryption is shown in Algorithms 3 and 4. Three additional functions are used for computing the HMACSHA1 tag without describing the details due to its wide compatibility.HMACSHA1.INIT() initializes an HMACSHA1 structure to use the hash function and the key.HMACSHA1.UPDATE() is repeatedly called with chunks of the messages to be authenticated.HMACSHA1.FINAL() completes the HMACSHA1 operation after the last message is processed and returns the message authentication code.For the decryption process, instead of storing the entire decrypted message after decrypting the entire ciphertext, it decrypts the four blocks (each of 128 bit), and HMACSHA1.UPDATE() takes them as an input repeatedly.
Figure 6 shows the memory usage during the decryption process for the various messages lengths.For the messages of length less than 512 bits, memory required by the decryption process for dAELM is a bit more than SIV due to one extra AES call for session key generation.This difference in memory usage of only 512 bits is because of the consideration of HMAC-SHA1 in our implementation, which process a message in 512 bit blocks.After 512 bits, memory usage becomes constant for dAELM, regardless of message length, whereas in SIV, the memory usage depends on the length of a message.A graph showing memory usage by the cryptomodule during the decryption process, where the x-axis represents the length of message and the y-axis represents the memory usage in bytes.This is the case when we used HMAC-SHA1 as a MAC function, which processes the message in 512 bit blocks.
In general, the memory required by dAELM is |K| + |K * | + |A| + |B|, where |K| and |K * | is a length of a key and a session key, respectively, |A| is the length of an associated data, and |B| is the block size of the message processed in the MAC.For example, |B| is 512 bits in the case of HMAC-SHA1.However, the memory required by SIV is |K| + |A| + |M|, where |K|, |A|, and |M| represent the length of a key, associated data, and a message, respectively.In other words, memory usage for dAELM depends on the block size of MAC, which is constant, whereas, for SIV, it depends on the message length.If we consider a MAC with a small block size, then dAELM will perform better than SIV, even for short messages.

Discussion
In this work, our proposed AE scheme targets the devices, which have a limited amount of memory and are incapable of processing the large message.These memory-constrained devices include, in tiny IoT devices, cryptomodules such as TPMs (trusted platform modules), which are used in laptops, tablets, smartphones, set-top-boxs, ATM machines, etc.A cryptomodule is basically a secure cryptoprocessor used for carrying out the specific cryptographic operations and storing secret keys.These cryptomodules usually have a storage capacity of only a few bytes, which may not be sufficient to process long messages.For example, ATMELAT97SC3204 is a TPM that has only 1732 bytes of storage for the user-defined data.Similarly, these small IoT devices also have a limited amount of storage.Under these memory constraints, it becomes impossible to process a large data in one go.Hence, our proposed scheme provides a solution for all those memory-constrained devices to process a long message.

Conclusions
In this work, we presented a new DAE scheme (dAELM) that is suitable for memory-constrained scenarios.Our proposed construction is based on the SIV mode and does not require nonce as an input.We also provide the security bounds for both the privacy and the authenticity of the construction.

Game G0 and G1
M ← Pad out (A, M) Return (A, C, T) return v; Auth On Decryption-Query (A, C, T) 1. Parse M ← Pad out (A, M) M ← Pad out (A, M) 3.

For i = 1 Figure 2 .
Figure 2. Flow diagram For encryption and decryption.

Figure 6 .
Figure 6.A graph showing memory usage by the cryptomodule during the decryption process, where the x-axis represents the length of message and the y-axis represents the memory usage in bytes.This is the case when we used HMAC-SHA1 as a MAC function, which processes the message in 512 bit blocks.

Table 1 .
Results of a comparison of dEALM with sp-AELM, OAE2, and SIV, where τ represents the tag length.