Deterministic Authenticated Encryption Scheme for Memory Constrained Devices

A technique of authenticated encryption for memory constrained devices called sp-AELM was proposed by Agrawal et al. at ACISP 2015. The sp-ALEM construction utilizes a sponge-based primitive to support online encryption and decryption functionalities. Online encryption in the construction is achieved in the standard manner by processing plaintext blocks as they arrive to produce ciphertext blocks. However, decryption is achieved by storing only one intermediate state and releasing it to the user upon correct verification. This intermediate state allows a legitimate user to generate the plaintext herself. However, the scheme is nonce-respecting, i.e., the scheme is insecure if the nonce is repeated. Implementation of a nonce is non-trivial in practice, and reuse of a nonce in an AE scheme is often devastating. In this paper, we propose a new AE scheme called dAELM, which stands for deterministic authenticated encryption (DAE) scheme for low memory devices. DAE is used in domains such as the key wrap, where the available message entropy omits the overhead of a nonce. For limiting memory usage, our idea is to use a session key to encrypt a message and share the session key with the user depending upon the verification of a tag. We provide the security proof of the proposed construction in the ideal cipher model.