Permutation-Based Deterministic Authenticated Encryption with Minimum Memory Size

Deterministic authenticated encryption (DAE) provides data integrity and authenticity with certain robustness. Previous DAE schemes for low memory are based on block ciphers (BCs) or tweakable block ciphers (TBCs), which can be implemented with 3s bits of memory for s-bit security. On the other hand, schemes based on cryptographic permutations have attracted many researchers and standardization bodies. However, existing permutation-based DAEs require at least 4s bits, or even 5s bits of memory. In this paper, PALM, a new permutationbased DAE mode that can be implemented only with 3s bits of memory is proposed, implying that permutation-based DAEs achieve a competitive memory size with BC- and TBC-based DAEs. Our hardware implementation of PALM, instantiated with PHOTON256 for 128-bit security, achieves 3,585 GE, comparable with the state-of-the-art TBC-based DAE. Finally, optimality of 3s bits of memory of PALM is shown.