Sponge-Based Parallel Authenticated Encryption With Variable Tag Length and Side-Channel Protection

Authenticated Encryption (AE) protects confidentiality and integrity at the same time. The sponge construction is based on an iterated permutation or transformation and can be used to implement hashing and AE schemes, among others. Sponge-based AE schemes offer desirable characteristics such as parallelizability and incrementality. In addition, they provide security features such as protection against chosen-plaintext attacks, chosen-ciphertext attacks, and side-channel attacks (SCAs). Traditionally, AE schemes treat the tag length, also called the stretch, as a parameter fixed per key, and their security is proved under that assumption. However, variable tag lengths under one key can arise through misconfiguration or misuse, and in that case the security argument no longer holds, so it is vital to accommodate a variable tag length without sacrificing other desirable features. Reyhanitabar et al. proposed the key-equivalent separation by stretch (KESS) feature and concretized it for protection against tag-length misuse attacks in block-cipher-based AE schemes. The problem remains unresolved for sponge-based constructions, where current schemes are vulnerable to tag-length variation under the same key. This work aims to bridge this gap by proposing a parallel, sponge-based AE scheme with a variable tag length per key that protects against SCAs, and by suggesting a lower bound for the recommended tag length. Finally, the security of the proposed scheme is discussed, and its performance is analyzed after implementing it in the C programming language.

banking transaction (without authenticity protection) could change bits of the message (with the help of some prior knowledge or guessing) without even needing to read it, forward it on, and still have it accepted as a valid transaction. A cryptosystem with this property is termed malleable. On this front, [1] and [2] proposed the first authenticated encryption (AE) schemes, combining an encryption scheme with a message authentication code (MAC) scheme to pave the way for a new paradigm of protecting privacy and integrity simultaneously. AE with associated data (AEAD) additionally allows unencrypted but authenticated pieces of data, such as those used for packet routing [3], [4], [5].
AE safeguards confidentiality and integrity under two different security models. Confidentiality defends data privacy against passive adversaries in the chosen-plaintext attack model (IND-CPA) and against active attackers in the chosen-ciphertext attack model (IND-CCA) [2], [6], [7]. Integrity ensures that communications are authentic and have not been tampered with, whether in motion or at rest; AE protects the authenticity of plaintext under the INT-PTXT model and that of ciphertext under the INT-CTXT model.
Most AE structures in the literature assume that the stretch (tag length) is a fixed value per key. A lack of support for variable stretch may render them vulnerable to the tag-length variation under the same key attack [8]. For instance, popular standardized AE schemes such as OCB, CCM, and GCM might have their security degraded, or could even suffer a complete loss of security, if they are misused in this way [9], [10], [11], as raised by Manger [9]. The concern was presented several times in CFRG forum discussions about OCB with variable tag length [9] and on the CAESAR competition mailing list [12]. If an adversary mounts that kind of attack against a scheme using different tag lengths under the same key, the adversary only needs to break the shortest tag, and the whole security is void.
Besides the security perspective, tag-length variability is also advantageous in constrained-resource environments, where renegotiating parameters through a key exchange is costly because of energy and bandwidth limitations, as noted by Struik [13]. Reyhanitabar et al. (2017) formalized a security notion for nonce-based AE with variable stretch (vNBAE). They proposed a modular approach, defining the key-equivalent separation by stretch (KESS) concept, which, combined with traditional NAE security, implies the vNBAE security notion.
There are also attacks in which the adversary exploits information about the implementation environment of an AE scheme instead of analyzing it under the security models discussed above. These attacks, known as side-channel attacks (SCAs), are especially harmful when chips containing private data are in an adversary's hands or installed in locations accessible to the general public; smart cards, sensor network nodes, and IoT devices are vulnerable [14], [15]. SCAs can be countered using several strategies, such as masking [15], [16], [17] and hiding [18], [27], [28], [29], [30]. However, rekeying [15], [19], [20], which combines the target cipher with a subkey generation algorithm that takes the master key as input, is a less expensive method of obtaining resistance against side-channel attacks.
AE schemes are constructed from particular underlying building blocks. Block ciphers are the most commonly used building blocks: well-known block ciphers such as AES [21], SKINNY [22], and GIFT [23] have been used to create AE schemes, and an example based on a stream cipher is given in [24]. Dedicated keyless permutations are the fundamental building block of permutation-based constructions. Besides sponge-like modes, such permutations are used in Encrypt-Mix-Encrypt (EME), Encrypt-XOR [25], and variations of the Even-Mansour design [26]. The sponge construction is the most common way of using a keyless permutation; many algorithms, such as Keccak-f, the permutation of the SHA-3 competition winner, employ a keyless permutation in the sponge mode of operation, whereas others rely on different permutations [27]. Moreover, some AE schemes use additional building blocks, such as hash and compression functions (CF), as in [28], while others use unique underlying structures, such as those specified in [29], [30], and [31].
In addition to security-related attributes, the following key traits also enhance the effectiveness and performance of AE schemes. Parallelizability measures the capacity of a scheme to handle the k-th block independently of the j-th block for k ≠ j [32], [33]. An AE scheme is inverse-free if it does not need the inverse of its underlying primitive to carry out encryption or decryption [44], [45]. Online processing is a scheme's capacity to produce the k-th block of ciphertext after observing the first k blocks of plaintext, without knowing any plaintext beyond the current block [34]. Incrementality is the capacity to update only the parts affected by the most recent change, given an earlier ciphertext-tag pair (C, T) [35]. The single-pass property indicates that an AE algorithm processes all the plaintext once to achieve privacy and authenticity in one pass; being single-pass boosts the efficiency of an AE scheme [8], [36].

B. CONTRIBUTIONS
This study proposes and implements a Parallel Sponge-based Authenticated Encryption with Variable Tag length and Side-channel Protection (PAVTASP). This work is a complementing component of ongoing efforts to improve the security and performance of AE schemes and is motivated by PSASPIN [37] and ISAP [38]. The proposed scheme differs from ISAP in two fundamental ways: first, PAVTASP is parallelizable and can process several data blocks at a time; second, PAVTASP uses the leveled implementation differently. For example, PAVTASP uses a PRF based on a block cipher or on Galois field multiplication in the key-generation part, whereas ISAP uses the sponge construction at both implementation levels. On the other side, PAVTASP differs from PSASPIN in that it allows a variable tag length under the same key without losing the other desirable features of the scheme. Another contribution of PAVTASP is that it sets a lower bound for the tag length with the help of rekeying, which extends the threshold on the number of operations that can be carried out without negotiating a new key. Finally, the proposed scheme's security is discussed, and its performance is evaluated and compared to other sponge-based AE schemes after implementation in the C programming language.
59662 VOLUME 11, 2023 Authorized licensed use limited to the terms of the applicable license agreement with IEEE. Restrictions apply.

C. ORGANIZATION OF THIS WORK
Section II describes the related work. Next, we present a general AE model in Section III, introduce the PAVTASP AE scheme and its processes in Section IV, and discuss the security analysis in Section V. The performance analysis is presented in Section VI. Finally, we offer a discussion in Section VII and conclude this work in Section VIII.

II. RELATED WORK
Protecting integrity requires an AE scheme to append an authentication tag to the ciphertext. The expanded part of the ciphertext is also referred to as the ciphertext stretch; the stretch is the difference between the length of the produced ciphertext and that of the plaintext. AE schemes traditionally have a syntax in which the ciphertext is divided into a core ciphertext and a tag, which are concatenated to produce the final ciphertext. Robust AE (RAE) does not use the partitioned ciphertext syntax, so it uses the general term stretch in that context [39]. The tag length is an essential element of AE authenticity; the cryptographic strength of an authentication mechanism strongly depends on the tag size. Therefore, most authors specify a minimum tag length for their schemes under which security is assumed. Still, specific environments tolerate shorter tag lengths under certain conditions defined by NIST [40].
Most AE schemes (e.g., [6], [7], [27], [41], [42], [43], [44]) assume that the stretch is a fixed scheme parameter that stays constant per key, and their security is proved under the assumption that different stretch values use distinct keys. However, variable stretch per key can occur as a result of misconfiguration or attack, in which case the security argument no longer holds [39]. Examples of security compromised by misuse include attacks on OpenSSH, EAXprime, and the VMware View remote desktop protocol [45].
The CAESAR [46] and NIST-LW [47] competitions provided guidelines for protecting confidentiality and integrity, for robustness, and for suitability in constrained environments. Until recently, the robustness discussed focused mainly on some instances of nonce-misuse resistance; other misuse cases, such as tag-length variation under the same key, have not received enough attention [8].
In addition to its security relevance, tag-length variability is desirable in constrained environments, where the cost of negotiating parameters is prohibitively high because of energy and bandwidth limitations. Struik [13] indicated that supporting a variable stretch under the same key would provide a sliding scale for authenticity, extending the lifetime of constrained sensors, especially when the processed plaintexts are very short and only a few packets need high authenticity.
The issue was raised several times in CFRG forum discussions about OCB with variable tag length [9] and on the CAESAR competition mailing list [12]. The discussions motivated the modification of several second-round candidate schemes [12], [48], [49] with heuristic solutions for accommodating a variable tag length under the same key. The absence of variable tag length support is not just a theoretical concern: widely deployed schemes such as OCB, CCM, and GCM malfunction in one way or another once misused in this way [9], [10], [11], with consequences ranging from degraded security to a complete loss of security, as raised by Manger [9]. For instance, if those schemes use different tag lengths under the same key and an attacker obtains a valid 128-bit tag, it is trivial to produce a valid output with a 64-bit tag under the same key by dropping the last 64 bits, because shorter tags are simply truncations of longer ones. Reyhanitabar et al. (2017) discussed the issue in detail, formalized the vNBAE security notion, and gave an all-in-one security definition for it. The authors then proposed a modular approach in which the concept of key-equivalent separation by stretch (KESS), combined with traditional nonce-based AE (NAE) security, implies the vNBAE security notion. Finally, they proved that the vNBAE goal is efficiently and provably achievable by applying simple tweaks to existing schemes, concretizing it with a modification of OCB based on a tweakable block cipher, without sacrificing desirable features such as the online processing of data blocks [8].
Side-channel attacks (SCAs) are implementation-based threats that exploit the relationship between a cryptographic algorithm and the physical emissions of its implementation environment, such as electromagnetic emissions, radiation, and power consumption traces. The essential idea behind these attacks is to infer a secret key from how the side-channel signal pattern is related to it [18], [50]. SCAs are more dangerous when the cryptographic device is mounted in a location where attackers can physically reach it. Therefore, many sources in the literature advocate countermeasures such as masking [15], [16], [17], [51] and hiding [18]. However, these solutions come with unsustainable performance costs in resource-limited settings such as IoT devices and smart cards. Fresh rekeying [19], [20] is a more affordable way of obtaining SCA protection than the methods listed. By limiting the use of each session key to a single or a small number of operations, fresh rekeying makes it harder for adversaries to collect enough key-related intermediate values [19], [20], [52], [53].
The sponge construction is an iterative cryptographic primitive for building a function f that accepts inputs of any length and produces outputs of any length using a fixed-length transformation or permutation. It was introduced by Bertoni et al. [54]. It operates on a b-bit state consisting of an r-bit rate part and a c-bit capacity part, where b = r + c [54]. The sponge first absorbs its input blocks, then squeezes out an output truncated to the desired length. The sponge structure is the keyless-permutation method most frequently employed in AE. Beyond AE, sponges are also used to build stream ciphers and reseedable pseudorandom generators [27]. Depending on the functionality needed, there are different ways to employ the sponge function; for instance, online, single-pass AE schemes are typically implemented with the Duplex mode and its variant MonkeyDuplex [27], [55]. The Sponge/Duplex lemma [54] shows that the duplex mode of operation is as secure as the sponge construction. Ascon [56], one of the winners of the CAESAR competition, and five of the ten finalists of the NIST lightweight AE competition, namely Ascon [57], Elephant [58], ISAP [59], Photon-Beetle [60], and Xoodyak [61], are based on the sponge construction.
Several parallelizable AE schemes based on the sponge construction have been proposed. For instance, the schemes in [62], [63], [64] are incremental and parallelizable to varying degrees but are not protected against SCAs. Other sponge-based AE schemes are protected against side-channel attacks but are neither parallelizable, incremental, nor single-pass [59], [65], [66]. PSASPIN is a parallel, sponge-based AE scheme defended against differential power analysis (DPA) and simple power analysis (SPA), but it does not support a variable tag length under the same key. This study proposes a parallel sponge-based AE scheme that supports a variable tag length and protects against SPA and DPA. See Table 1 for a comparison of the proposed solution with other AE schemes based on the sponge construction and its modes of operation.

III. MODELING AUTHENTICATED ENCRYPTION
We can think of AEAD as a function that takes a secret key K, a plaintext M, associated data AD, and a nonce N, and outputs a ciphertext C and an authentication tag T. Its encryption algorithm can be modeled as E : K × N × AD × M → C × T, and its decryption as D : K × N × AD × C × T → M ∪ {⊥} [68], [69].

IV. SPONGE-BASED PARALLEL AUTHENTICATED ENCRYPTION WITH VARIABLE TAG LENGTH AND SIDE-CHANNEL PROTECTION (PAVTASP)
The proposed scheme, PAVTASP, is an AEAD scheme built on the sponge construction with a state width b of 320 bits, a rate part r of 128 bits, and a capacity part c of 192 bits, where b = c + r. The scheme prevents SPA and DPA by generating a fresh session key in every process using parallel fresh rekeying, and it has the following properties, which are critical for performance and security: side-channel protected, parallel, single-pass, incremental, and online. In addition, it supports a variable tag length without compromising security or losing the other desirable features.

A. NOTATIONS
Here are the definitions of the notations used in this paper. The letters K, N, T, and IV denote the key, the nonce, the authentication tag, and the initialization vector, respectively. The plaintext message, the ciphertext, and the associated data are denoted by M, C, and A, respectively. ⊥ denotes a verification failure or an error. S is the 320-bit state of the sponge construction; S_r is the rate part of the state and S_c its capacity part. |X| is the length of the string X, and X ∥ Y is the concatenation of X and Y. P is the sponge permutation, and 0^k is the all-zero bit string of length k. X ⊕ Y is the XOR of the strings X and Y. ⌊X⌋_k denotes the bit string X truncated to its first k (most significant) bits, and ⌈X⌉_k denotes X truncated to its last k (least significant) bits. Finally, τ denotes the tag length (stretch).

B. PARAMETERS
PAVTASP is an AE scheme using a 320-bit permutation P consisting of eight rounds of the Ascon permutation [57]. Encryption takes five inputs: a 128-bit master key K, from which a session key K_S is obtained, a tag length (stretch) τ, a variable-length plaintext M, variable-length associated data AD, and a 128-bit nonce N. Decryption takes a 128-bit session key K_S obtained from K, a ciphertext C, a nonce N, an authentication tag T, and the stretch value τ. For protection against SCAs, PAVTASP employs fresh rekeying to obtain a new key every time the encryption/decryption and authentication operations are invoked. Figure 1 and Figure 2 show schematic views of the PAVTASP encryption and decryption processes, respectively. The initialization, encryption, and decryption/verification processes are described below. PAVTASP is a single-pass scheme: it performs encryption and authentication in a single pass over the duplex structure. In addition, the scheme allows a variable tag length and protects against SPA and DPA.

C. PAVTASP PROCESSES

1) INITIALIZATION
In the initialization stage, the parallel fresh rekeying function (PFRK) is called. To protect the parallel threads of the system against SCAs, it takes a master key K and a nonce N and generates new session keys K_{S,i}. The first N is produced at the source, shared in a secure manner, and incremented in every process to maintain synchronization between the communicating sides. This work assumes the existence of a secure way of making the keys and nonces available to the parties. For instance, key distribution mechanisms such as key wrapping schemes [70] could be applied to the nonces. Another possibility is hiding the nonce in the ciphertext and extracting it at the destination using existing hide-nonce transforms [37]. See Algorithm 3 for details on PFRK. Once the secret session key is generated, the state S is initialized by feeding the session key concatenated with a secret message number (SMN) to the permutation P. The system maintains a secure counter Ctr that tracks the parallel lanes and is incremented by 1 for every thread. Before the AD part is processed, the state is updated by XORing Ctr into its rate part: S ← (Ctr ⊕ S_r) ∥ S_c.

2) ASSOCIATED DATA (AD) PROCESSING
PAVTASP first divides A into r-bit blocks, padding it with a single '1' bit followed by the smallest number of '0' bits that makes |A| a multiple of r. No padding is applied if the AD is empty. Associated data is processed one block at a time, A_0 ∥ A_1 ∥ … ∥ A_i with |A_j| = r: each block is XORed into the rate part S_r, and the result, concatenated with the capacity part S_c, is passed through the permutation P to update the shared state: S ← P((S_r ⊕ A_i) ∥ S_c). After the last block A_i has been processed, a 1-bit domain separator is XORed into the state: S ← S ⊕ (0^319 ∥ 1).

3) ENCRYPTION
The padded plaintext M is broken into r-bit blocks and processed block by block. For every plaintext block except the last, the block M_i is XORed with the outer part of the state, C_i ← S_r ⊕ M_i, to output the ciphertext block C_i, after which the state is updated with the permutation: S ← P(C_i ∥ S_c). For the last block, the rate part of the resulting state is truncated so that the total length of the ciphertext equals the length of the original, unpadded plaintext: C_z ← ⌊S_r⌋_{|M| mod r} ⊕ M_z. The resulting ciphertext block is then XORed with the padded stretch value to produce the final block: C_z ← (τ ∥ 0^{r−τ}) ⊕ C_z. See Algorithm 1 for details.

4) DECRYPTION
The padded ciphertext C is split into r-bit blocks and processed block by block. The last ciphertext block C_z is first parsed into the stretch part and the ciphertext block proper: τ ∥ C_z ← C_z. The rest of the process is identical to encryption; the two processes differ only in that the roles of plaintext and ciphertext are swapped. See Algorithm 2 for details.

5) FINALIZATION
In the finalization and authentication stage, the fresh rekeying function is called again for protection against SCAs and forgery attacks. Once the session key K_S has been generated and concatenated with the SMN, the shared state is updated by XORing the padded fresh session key into S and applying the permutation: S ← P(S ⊕ (0^r ∥ K_S ∥ 0^{c−k})). For all parallel threads except the last, an intermediate tag t_i is generated by XORing the state with the session key and truncating the result to its last τ bits, and the intermediate tags are combined. In the last thread (when the counter Ctr equals n), the final tag T is produced and concatenated to the ciphertext blocks: T ← t_0 ⊕ t_1 ⊕ … ⊕ t_{n−1}. In the finalization of the decryption process, the plaintext is returned only if the length of the generated tag equals the stretch value τ and the generated tag T″ equals the tag T supplied to decryption; otherwise, the process aborts: if T″ = T and |T| = τ, return M_1 ∥ … ∥ M_i ∥ M_z.

Figure 3 illustrates several implementation options for the rekeying function. The leveled implementation used in this work is adapted from the method proposed by Abdalla and Bellare [20] and implemented in [19] and [71]. The structure is split into a rekeying function and a data-processing (rekeyed) component. The data-processing part can be implemented with block ciphers such as AES, with the sponge construction and its modes of operation, or with tweakable block ciphers [66]. The rekeying function, a PRF serving as a pseudorandom generator (G), can be implemented in several ways, including constructions based on Galois field (GF) multiplication, leakage-resilient primitives such as duplex sponges [38], [66], protected block ciphers such as SERPENT [72] and AES, and tweakable or traditional block ciphers strengthened with countermeasures such as hiding and masking [52], [65], [73].
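The initialization, associated-data, encryption, decryption, and finalization steps above, together with the duplex mode described in Section II, as an added, runnable example that is not the paper's code and not Algorithms 1 to 3. It implements a single-lane (Ctr = 0) version of the PAVTASP processes in Python. Assumptions that are not taken from the page: the 320-bit permutation is eight rounds of the public Ascon permutation; the session key K_S is passed in by the caller (the page derives it with the parallel fresh rekeying function); the 128-bit nonce serves as the secret message number (SMN) and the initial state is P(K_S ∥ SMN ∥ 0^64); the stretch τ is encoded as one byte and absorbed into the rate before finalization so that the tag depends on τ, rather than being XORed into the last ciphertext block as the page does; and all lengths are whole bytes.

```python
import hmac

MASK64 = (1 << 64) - 1
RATE, STATE, KEY = 16, 40, 16          # r = 128, b = 320 (so c = 192), k = 128 bits


def rotr(x, n):
    return ((x >> n) | (x << (64 - n))) & MASK64


def ascon_p(state, rounds=8):
    """Ascon permutation p^rounds on a 40-byte state (five big-endian 64-bit words)."""
    s = [int.from_bytes(state[8 * i:8 * i + 8], "big") for i in range(5)]
    for i in range(12 - rounds, 12):
        s[2] ^= 0xF0 - i * 0x10 + i * 0x1                    # round constant
        s[0] ^= s[4]; s[4] ^= s[3]; s[2] ^= s[1]              # substitution layer (5-bit S-box)
        t = [(s[j] ^ MASK64) & s[(j + 1) % 5] for j in range(5)]
        for j in range(5):
            s[j] ^= t[(j + 1) % 5]
        s[1] ^= s[0]; s[0] ^= s[4]; s[3] ^= s[2]; s[2] ^= MASK64
        s[0] ^= rotr(s[0], 19) ^ rotr(s[0], 28)                # linear diffusion layer
        s[1] ^= rotr(s[1], 61) ^ rotr(s[1], 39)
        s[2] ^= rotr(s[2], 1) ^ rotr(s[2], 6)
        s[3] ^= rotr(s[3], 10) ^ rotr(s[3], 17)
        s[4] ^= rotr(s[4], 7) ^ rotr(s[4], 41)
    return b"".join(w.to_bytes(8, "big") for w in s)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def pad(data):
    """10* padding to a multiple of the rate; always appends at least the '1' bit."""
    return data + b"\x80" + b"\x00" * ((-len(data) - 1) % RATE)


def _keypad(ks):
    return b"\x00" * RATE + ks + b"\x00" * (STATE - RATE - KEY)   # 0^r || K_S || 0^(c-k)


def _init_and_absorb(ks, nonce, ad, lane=0):
    # Initialization (assumption): S <- P(K_S || SMN || 0^64); then Ctr (lane number) XORed into S_r
    s = ascon_p(ks + nonce + b"\x00" * (STATE - KEY - 16))
    s = xor(s[:RATE], lane.to_bytes(RATE, "big")) + s[RATE:]
    # Associated data: S <- P((S_r xor A_i) || S_c) per padded block; nothing when AD is empty
    if ad:
        blocks = pad(ad)
        for i in range(0, len(blocks), RATE):
            s = ascon_p(xor(s[:RATE], blocks[i:i + RATE]) + s[RATE:])
    return s[:-1] + bytes([s[-1] ^ 1])                 # domain separator: S <- S xor (0^319 || 1)


def _finalize(s, ks, tau):
    # Assumption: absorb the one-byte stretch so that the tag depends on tau
    s = xor(s[:RATE], bytes([tau]) + b"\x00" * (RATE - 1)) + s[RATE:]
    kp = _keypad(ks)
    s = ascon_p(xor(s, kp))                            # S <- P(S xor (0^r || K_S || 0^(c-k)))
    return xor(s, kp)[STATE - tau // 8:]               # tag = last tau bits of (S xor key pad)


def encrypt(ks, nonce, ad, msg, tau=128):
    """Returns (C, T) with |T| = tau bits; tau is a multiple of 8 between 8 and 128."""
    assert len(ks) == KEY and len(nonce) == 16 and tau % 8 == 0 and 0 < tau <= 128
    s, blocks, ct = _init_and_absorb(ks, nonce, ad), pad(msg), b""
    for i in range(0, len(blocks), RATE):
        c_full = xor(s[:RATE], blocks[i:i + RATE])     # C_i <- S_r xor M_i
        if i + RATE < len(blocks):
            ct += c_full
            s = ascon_p(c_full + s[RATE:])             # S <- P(C_i || S_c)
        else:
            ct += c_full[:len(msg) - i]                # last block truncated to |M| mod r
            s = c_full + s[RATE:]
    return ct, _finalize(s, ks, tau)


def decrypt(ks, nonce, ad, ct, tag, tau=128):
    """Returns M, or None (the page's ⊥) when |T| != tau or the tag does not verify."""
    assert len(ks) == KEY and len(nonce) == 16 and tau % 8 == 0 and 0 < tau <= 128
    if len(tag) * 8 != tau:
        return None
    s, msg = _init_and_absorb(ks, nonce, ad), b""
    nfull = len(ct) // RATE
    for i in range(nfull):
        c = ct[i * RATE:(i + 1) * RATE]
        msg += xor(s[:RATE], c)                        # M_i <- S_r xor C_i
        s = ascon_p(c + s[RATE:])
    last = ct[nfull * RATE:]
    msg += xor(s[:len(last)], last)
    # Rebuild the full padded last block so that the state matches the encryption side
    c_full = last + xor(s[len(last):RATE], b"\x80" + b"\x00" * (RATE - len(last) - 1))
    s = c_full + s[RATE:]
    if not hmac.compare_digest(_finalize(s, ks, tau), tag):
        return None
    return msg
```

Decryption returns None for the page's ⊥ both when |T| ≠ τ and when the tag does not verify, and the length check comes first so that a tag of the wrong length is never compared. Because τ is absorbed into the state, the τ = 64 tag for a given (K_S, N, AD, M) is not a prefix of the τ = 128 tag, which is the property a variable-stretch design needs; the ciphertext itself does not depend on τ. The Ascon permutation follows the public specification, but the mode around it is this example's, so the Ascon AEAD test vectors do not apply.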

6) THE REKEYING FUNCTION
In this work, the rekeying function can be constructed in one of two ways within the leveled implementation. The first option is a rekeying function built on multiplication in a Galois field, similar to those in [71] and [74]; however, some modifications are necessary because those implementations only protect against lower-order DPA, whereas this work integrates defenses against higher-order DPA. The second option is a leakage-resilient block cipher, which has a more complex design than the first but is preferable for hardware implementations. The function G based on GF multiplication is implemented in Algorithm 3 using combined shuffling and masking as a defense against higher-order DPA.
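A rekeying function of the first kind, as an added example that is not the paper's Algorithm 3: the session key for lane i is K_{S,i} = K ⊗ X_i, where ⊗ is multiplication in GF(2^128) and X_i is derived from the nonce and the lane counter. Assumptions not taken from the page: the field is GF(2^128) with reduction polynomial x^128 + x^7 + x^2 + x + 1; the lane input is X_i = N + i mod 2^128; masking is Boolean sharing of the master key into d + 1 shares, which works because multiplication by a public X_i is linear over GF(2); and shuffling randomizes the order in which lanes and shares are processed.

```python
import secrets

POLY = (1 << 128) | (1 << 7) | (1 << 2) | (1 << 1) | 1   # x^128 + x^7 + x^2 + x + 1 (assumption)
MASK128 = (1 << 128) - 1


def gf_mul(a, b):
    """Multiply two 128-bit field elements; fixed 128 iterations, no data-dependent branch."""
    res = 0
    for _ in range(128):
        res ^= a * (b & 1)            # add a when the current bit of b is set
        a <<= 1
        a ^= POLY * (a >> 128)        # reduce when the degree reaches 128
        b >>= 1
    return res


def share_key(key, order):
    """Boolean masking: split the 128-bit key into order+1 shares whose XOR is the key."""
    shares = [secrets.randbits(128) for _ in range(order)]
    last = key
    for m in shares:
        last ^= m
    return shares + [last]


def lane_input(nonce, lane):
    """Public per-lane multiplier X_i = N + i mod 2^128 (assumption). Zero is rejected
    because K (x) 0 = 0 would hand out a known session key."""
    x = (int.from_bytes(nonce, "big") + lane) & MASK128
    if x == 0:
        raise ValueError("lane input must be non-zero")
    return x


def parallel_fresh_rekeying(key_shares, nonce, lanes):
    """Session keys K_{S,i} = K (x) X_i for lanes 0..lanes-1, computed on the shares only.
    Linearity gives (K_0 (x) X) xor ... xor (K_d (x) X) = K (x) X, so K is never formed."""
    rng = secrets.SystemRandom()
    lane_order = list(range(lanes))
    rng.shuffle(lane_order)                       # shuffling countermeasure: random lane order
    out = [None] * lanes
    for i in lane_order:
        x = lane_input(nonce, i)
        share_order = list(range(len(key_shares)))
        rng.shuffle(share_order)                  # ... and random share order per lane
        acc = 0
        for j in share_order:
            acc ^= gf_mul(key_shares[j], x)
        out[i] = acc
    return out


def reference_session_keys(key, nonce, lanes):
    """Unmasked reference K (x) X_i, used only to check the masked computation."""
    return [gf_mul(key, lane_input(nonce, i)) for i in range(lanes)]
```

Because X_i is public and invertible in the field, anyone who learns one complete session key K_{S,i} can recover K as K_{S,i} ⊗ X_i^{-1}; the construction therefore depends on the rekeyed data-processing level (here the sponge) never exposing K_S and on each K_S being used for a bounded number of operations, which is the point of the tag-length lower bound tied to rekeying in Section I.B. The final XOR of the share products recombines K_{S,i} in the clear; a hardened implementation would keep the session key in shared form and pass the shares into a masked primitive instead.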

V. SECURITY ANALYSIS
We evaluate the security of PAVTASP in terms of its two implementation levels. The first level is the rekeying function, which protects against DPA and SPA and generates session keys. The second level is the sponge function, based on the duplex construction, which protects against SPA. The overall adversarial advantage is measured by the adversary's ability to compromise the key generation function and its ability to compromise the base (rekeyed) scheme. Furthermore, there are various countermeasures for protection against SCAs, such as using session keys for only one or a few operations, hiding, masking, and secure logic styles. However, [18] indicates that combining countermeasures is more effective than using them separately; for example, shuffling and masking can be combined for defense against higher-order DPA.

A. SECURITY OF PARALLEL FRESH REKEYING FUNCTION (G).
The parallel rekeying function creates session keys for the encryption component of the AE scheme from an initial master key [15], [20]. This enables more data to be encrypted under the same master key, extending its lifetime. Rekeying functions fall into two categories: parallel rekeying, which generates all session keys independently of one another, and serial rekeying, in which each session key depends on the previous state and is updated continuously [20]. According to [53], parallel rekeying is required when data is accessed concurrently.
According to [20], the pseudorandomness of a stateful generator is defined through an experiment in which G = (K, N) is a stateful generator with block size k, n is an integer, and A is an adversary. The security of the proposed parallel fresh rekeying function can be described in terms of the security notions of pseudorandom generators. The approach of [20] is followed in this work, with the difference that their construction protects a block cipher, whereas the one proposed here protects a parallel sponge-based AE scheme. Pseudorandomness, i.e., the inability of adversary A to distinguish the generator's output from a random string of the same length, is the desired property of the generator; a real experiment and a random experiment define the advantage of A, and the advantage (Adv) of the generating function, as in [20]. A distinguisher D for F is then constructed whose advantage is related to that of A. The distinguisher D interacts with an oracle B, computes s = B(1) ∥ … ∥ B(n), and outputs the guess that A makes on input s. When B is drawn at random from F, the probability that D outputs 1 equals the probability that $\mathrm{Exp}^{\mathrm{prg}\text{-}\mathrm{real}}_{G[F],n,A}$ outputs 1; when B is drawn at random from a random function family R_n, the probability that D outputs 1 equals the probability that $\mathrm{Exp}^{\mathrm{prg}\text{-}\mathrm{rand}}_{G[F],n,A}$ outputs 1. Since D runs in time t and makes at most l queries to its oracle, it follows that $\mathrm{Adv}^{\mathrm{prg}}_{G[F],l,A} \le \mathrm{Adv}^{\mathrm{prf}}_{F}(t, l)$, where t is the combined maximum running time of the two experiments. This completes the proof.
The security of the PRF F under l queries quantitatively determines the pseudorandomness of the fresh rekeying function G: when F is a PRF, $\mathrm{Adv}^{\mathrm{prg}}_{G[F],l}(t) \approx \frac{l + t}{2^{k}}$.

B. THE BASE AE SCHEME SECURITY
The sponge-based AE scheme, PAVTASP, is based on the duplex mode of operation. It receives a plaintext M , associated data AD, a nonce N , a stretch value τ , and a master key K fed into the pseudorandom generator to produce subkeys to process data blocks in a parallel fashion. At the core of AE security, we consider two notions of security for sponge construction, confidentiality, and integrity [2], [6], [7]. Finally, the method put forward by Jovanovic et al. [75], Andreeva et al. [30], and Mihajloska et al. [76] is used to prove the security of the rekeyed part of PAVTASP.

C. CONFIDENTIALITY (OR PRIVACY)
Confidentiality ensures that only legitimate parties can read the messages, in the IND-CPA model against passive attackers and in the IND-CCA model against active attackers. The attacker has access to an encryption oracle in the first model and additionally to a decryption oracle in the second. For an AE scheme to be secure, the adversary's advantage must be negligible [2], [6], [7]. Let P be the collection of idealized permutations underlying an AE scheme Π. The advantage (Adv) of an adversary A in breaching the privacy of Π, while having access to both the forward and the inverse permutations (written $P^{\pm}$), is its ability to distinguish the real encryption oracle E_K from a random-bits oracle $. Assuming that A does not query E_K and $ with the same nonce, $\mathrm{Adv}^{\mathrm{priv}}_{\Pi}(q_p, q_e, \lambda_e)$ denotes the maximum advantage over all adversaries that make at most q_p permutation queries and q_e queries of total length λ_e to E_K or $.

D. INTEGRITY OR AUTHENTICITY
Integrity guarantees that communications come from legitimate parties and have not been changed while in motion or at rest. AE provides plaintext integrity under the INT-PTXT notion and ciphertext integrity under the INT-CTXT notion. The former ensures that the attacker cannot produce a ciphertext that decrypts to a plaintext the sender never encrypted; the latter guarantees that the adversary cannot produce any ciphertext the sender did not create, regardless of whether the underlying plaintext is new [2], [6].
Let P be the collection of idealized permutations underlying the AE scheme Π. The integrity goal of AE is captured by the inability of adversary A to produce an input whose decryption D_K(C) under the valid key K returns a plaintext rather than ⊥; the probability is taken over the choices of A and K, with P chosen at random. Adversary A wins, i.e., produces a forgery, if D_K returns a message different from ⊥ on an input (A, C, N, T) that was not obtained from E_K on some input (N, A, M). As in the privacy case, the adversary is assumed to be nonce-respecting, that is, it does not repeat nonces. Authenticity is written $\mathrm{Adv}^{\mathrm{auth}}_{\Pi}(q_p, q_E, \lambda_E, q_D, \lambda_D)$, the maximum advantage over all adversaries that query $P^{\pm}$ at most q_p times, make at most q_E encryption queries of total length at most λ_E blocks to E_K, and make at most q_D queries of total length λ_D to D_K/⊥.
For the proof of PAVTASP's privacy, we consider an adversary A making q_P permutation queries and q_E encryption queries of total length λ_E. For the integrity proof, we additionally consider q_D decryption queries of total length λ_D. The number of permutation calls is determined by the q_E encryption queries, and the same count is made for the decryption queries with the corresponding parameters.
For an encryption query consisting of $c$ associated-data blocks and $f$ message blocks, with intermediate tags, the number of state values is as follows: if the $j$-th query has $c + f$ blocks, the number of state values $\sigma_{E,j}$ is $c + f + 4$, from which the number of permutation evaluations over the $q_E$ encryption queries is obtained: $\sigma_D$ and $\sigma_{D,j}$ are computed in the same manner for the decryption queries.

E. SYNTAX OF NBAE WITH VARIABLE TAG LENGTH
We expand the syntax of Nonce-Based Authenticated Encryption (NBAE) schemes to include a variable tag length, following [8]. An AE scheme with variable stretch is a triplet $\Pi = (\mathcal{K}, \mathcal{E}, \mathcal{D})$, where $\mathcal{K} \subseteq \{0,1\}^*$ is the key space with the uniform distribution, and $\mathcal{E}: \mathcal{K} \times \mathcal{N} \times \mathcal{A} \times \mathcal{T} \times \mathcal{M} \to \mathcal{C}$ and $\mathcal{D}: \mathcal{K} \times \mathcal{N} \times \mathcal{A} \times \mathcal{T} \times \mathcal{C} \to \mathcal{M} \cup \{\bot\}$ are the encryption and decryption algorithms, respectively. Here $\mathcal{N}$ is the nonce space, $\mathcal{A}$ the associated-data space, $\mathcal{M}$ the plaintext space, $\mathcal{C}$ the ciphertext space, and $\mathcal{T}$ the stretch space of $\Pi$. We assume $\mathcal{N}, \mathcal{M}, \mathcal{A}, \mathcal{C} \subseteq \{0,1\}^*$ and $\mathcal{T} \subseteq \mathbb{N}$, and that if $M \in \mathcal{M}$ then $\{0,1\}^{|M|} \subseteq \mathcal{M}$. Reyhanitabar et al. [8] proposed a modular route to vNBAE security: key-equivalent separation by stretch (KESS). The requirement is that the scheme behaves as if it used a fresh, independent key for each distinct stretch value. KESS does not encourage short tags or claim any particular robustness; it only ensures that instances of the scheme using different tag lengths are independent of, and cannot interact with, one another. Let $\Pi = (\mathcal{K}, \mathcal{E}, \mathcal{D})$ be a vNBAE scheme and let $A$ be an adversary that tries to break the KESS property of $\Pi$ by distinguishing two games, one containing the encryption and decryption oracles of the real scheme and the other those of an ideal scheme with the same parameters. The advantage of $A$ is measured by $\mathrm{ADV}^{\mathrm{KESS}}_{\Pi}$. Combined with NBAE security, KESS implies vNBAE security; its role is only to handle the interaction between queries with different tag lengths, so that queries with $\tau$ bits of stretch are independent of those with any other stretch.
So we have: KESS $\wedge$ NBAE $\Rightarrow$ vNBAE. Let $\Pi = (\mathcal{K}, \mathcal{E}, \mathcal{D})$ be a nonce-based AE scheme with variable stretch; then: The adversarial resources are $(t, q_E, q_D, \sigma)$, where $t$ is the adversary's running time, $q_E = (q_E^{\tau} \mid \tau \in \mathcal{T})$ is the vector of the numbers of encryption queries made with stretch $\tau$ for every $\tau \in \mathcal{T}$, $q_D = (q_D^{\tau} \mid \tau \in \mathcal{T})$ is the corresponding vector of decryption-query counts, and $\sigma = (\sigma^{\tau} \mid \tau \in \mathcal{T})$ is the vector of the total amount of data processed by all queries with stretch $\tau$.
For the resource-parameterized advantage of an AE scheme at a given stretch $\tau_c$, the adversarial advantage is defined as follows: The maximum is taken over all adversaries with resources bounded by $r_{\tau_c}$, and the scheme is secure if, for all practical adversaries with those resources, the advantage is negligible. Thus a scheme is vNBAE-secure if for every stretch $\tau_c \in \mathcal{T}$ and all practical adversaries with the specified resources, $\mathrm{ADV}^{\mathrm{vNBAE}(\tau_c)}_{\Pi}(r_{\tau_c})$ is small, keeping in mind that this advantage is inevitably large when $\tau_c$ itself is small, since a $\tau_c$-bit tag can be guessed with probability $2^{-\tau_c}$ per decryption query.
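The separation KESS demands, and the misuse it rules out, can be seen on a small model scheme. The following Python is an added example written for this section, not code from the paper or from PAVTASP's implementation: the scheme is a stand-in that derives keystream and tag from HMAC-SHA256 rather than from a sponge, and the KESS variant separates stretch values by deriving a per-stretch instance key, which is one way of encoding $\tau$ into the instance. The sample key, nonce, associated data and message are constructed for the example. The attack it exercises reuses a nonce with a different stretch, which is exactly the cross-stretch interaction KESS must neutralize: without separation, a short tag is a prefix of the long tag for the same (N, A, C), so truncating a legitimately obtained long tag yields an accepted forgery for the short-tag instance.

```python
"""Tag-length (stretch) misuse under one key, and the KESS fix.

Added illustration, not code from the paper or from PAVTASP. The AE scheme is
a stand-in: keystream and tag come from HMAC-SHA256, not from a sponge, and
the KESS variant separates stretch values by deriving a per-stretch key.
"""
import hashlib
import hmac


def _prf(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parts (unambiguous encoding)."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        mac.update(len(p).to_bytes(4, "big"))
        mac.update(p)
    return mac.digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from the PRF (stand-in for sponge squeezing)."""
    out = b""
    ctr = 0
    while len(out) < length:
        out += _prf(key, b"stream", nonce, ctr.to_bytes(4, "big"))
        ctr += 1
    return out[:length]


def _instance_key(key: bytes, tau: int, kess: bool) -> bytes:
    """Without KESS every stretch shares the raw key. With KESS each stretch
    value tau gets its own derived key, so instances cannot interact."""
    if not kess:
        return key
    return _prf(key, b"stretch", tau.to_bytes(2, "big"))


def encrypt(key: bytes, nonce: bytes, ad: bytes, msg: bytes, tau: int,
            kess: bool = False):
    """Encrypt-then-MAC AE with a tau-byte tag. Returns (ciphertext, tag)."""
    k = _instance_key(key, tau, kess)
    ct = bytes(m ^ s for m, s in zip(msg, _keystream(k, nonce, len(msg))))
    tag = _prf(k, b"tag", nonce, ad, ct)[:tau]
    return ct, tag


def decrypt(key: bytes, nonce: bytes, ad: bytes, ct: bytes, tag: bytes,
            tau: int, kess: bool = False):
    """Returns the plaintext, or None on any failure. The comparison is
    constant-time and the rejection is silent: no reason is leaked."""
    k = _instance_key(key, tau, kess)
    expected = _prf(k, b"tag", nonce, ad, ct)[:tau]
    if len(tag) != tau or not hmac.compare_digest(expected, tag):
        return None
    return bytes(c ^ s for c, s in zip(ct, _keystream(k, nonce, len(ct))))


def truncation_forgery(kess: bool) -> bool:
    """The misuse: obtain a ciphertext with a 16-byte tag, then present it
    with the tag cut to 4 bytes to the tau=4 instance of the same key.
    Without KESS the short tag is a prefix of the long one, so the
    never-encrypted (tau=4) message is accepted. Returns True if accepted."""
    key = bytes(range(32))          # constructed sample key
    nonce = b"\x00" * 12            # constructed sample nonce
    ad, msg = b"hdr", b"transfer 100"
    ct, long_tag = encrypt(key, nonce, ad, msg, tau=16, kess=kess)
    forged_tag = long_tag[:4]       # never produced by the tau=4 instance
    return decrypt(key, nonce, ad, ct, forged_tag, tau=4, kess=kess) is not None
```

`truncation_forgery(False)` returns True and `truncation_forgery(True)` returns False: with the per-stretch instance key the two stretch values use unrelated tags, so the truncated tag matches only with probability $2^{-32}$. `decrypt` returns `None` for every failure, using a constant-time comparison, which matches the silent-rejection advice from NIST cited in the paper.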

F. A LOWER LIMIT FOR TAG LENGTHS
As more data is processed under a single key, the security assurance provided by a cryptographic scheme deteriorates. It is therefore recommended to limit the number of plaintext and associated-data blocks protected by calls to the authenticated encryption function during the lifetime of a key; for instance, $2^{64}$ would be a reasonable limit for most applications. Jovanovic, Luykx et al. [75] set the integrity bound (and hence the tag length) of sponge-based schemes to $2^{c/2}$, where $c$ is the capacity. As this limit is approached, a new key should be negotiated for the security to hold. Abdalla and Bellare [20] and Mennink [15] stated that with fresh rekeying the security bounds of schemes can be improved, for instance from $2^{k/2}$ to $2^{k/3}$. For that reason, we claim that PAVTASP improves the minimum recommended tag length of $2^{64}$, for equal key length and capacity of 128 bits, to $2^{128/3}$, i.e. approximately $2^{42}$ bits. The NIST standard on this issue requires implementers to be careful when using shorter tag lengths [40]: for instance, packets that fail the integrity check should be discarded silently, so that they give no useful information to a potential attacker, and the associated data should be limited to the header information that is actually needed.
VOLUME 11, 2023 59669 Authorized licensed use limited to the terms of the applicable license agreement with IEEE. Restrictions apply.

G. PAVTASP ADVERSARY MODEL
In this study, adversary $A$ is considered powerful: it has full access to the communication medium, intends to compromise privacy and integrity, has access to the encryption and decryption oracles, and may use various tag lengths under the same key. Figure 4 depicts the PAVTASP adversarial model, following the approach of Do et al. [77] and Jimale et al. [37]. PAVTASP is considered secure if $A$ cannot breach its security with non-negligible probability under the specified assumptions, capabilities, and goals. For example, although $A$ can use different stretch values (tag lengths) under the same key, by the KESS property the scheme instances using different stretch values are separated and cannot interact, so this does not increase the success probability of $A$.

VI. PERFORMANCE ANALYSIS
Although security is the decisive factor for cryptographic algorithms, performance is equally vital because of continuously shifting information-processing paradigms and diverse implementation-platform requirements. For instance, the ever-increasing reliance on online data processing requires fast access to information for a good user experience. We therefore implemented PAVTASP to evaluate its performance and measured it against six other sponge-based AE schemes using similar parameters.
We used the Visual Studio Code 1.74.0 IDE, installed on a Dell Spectre x360 Convertible laptop with an Intel Core i7-1065G7 CPU @ 1.30 GHz (1.50 GHz) and 16 GB of memory, running Microsoft Windows 10 version 22H2 (OS build 19045.2251). We ran the C implementations of PAVTASP and of six other sponge-based schemes: NORX [62], PSASPIN [37], ASCON [56], ISAP [59], π-CIPHER [63], and SPOOK [78]. We recorded the performance metrics and compared the results, as shown in Table 2. We used the benchmarking framework of Dobraunig et al. [57], with the GCC compiler flags -O3 -march=native -Wall for compile-time optimization. The performance metrics are reported in cycles per byte (cpb), following NORX [62], ASCON [56], and ISAP [59], for messages of different lengths, from 1 byte and 8 bytes up to 32768 bytes. Cycles per byte is a cost measure: the lower the cpb, the more efficient the scheme.
The results show that ISAP and π-CIPHER outperform PAVTASP at every message length. Although ISAP protects against SCAs, it lacks many other features that PAVTASP has, such as parallelizability, incrementality, single-pass and online processing, and variable stretch (see Table 1). π-CIPHER, on the other hand, offers neither protection against SCAs nor support for variable stretch.
Furthermore, according to Table 2, PAVTASP generally outperforms PSASPIN and SPOOK across message lengths; for example, when encrypting one byte the table reports 71 cpb for PAVTASP, 56 cpb for PSASPIN, and 29 cpb for SPOOK. Note that the main differences between PSASPIN and PAVTASP are that the former does not provide a variable-stretch tag feature whereas the latter does, and that PAVTASP does not support PSASPIN's nonce-hiding feature. Therefore, PAVTASP has a slight advantage over PSASPIN in performance.
NORX and ASCON excel at processing short messages. However, these two schemes are not protected against SCAs and do not offer the same set of features as PAVTASP. As in any cryptographic scheme, there are trade-offs between security and performance: an AE scheme that provides more security features is generally not the most efficient. Applications that require the set of features offered by PAVTASP would therefore likely benefit from using it. Furthermore, to the best of our knowledge, PAVTASP is the only sponge-based AE scheme that allows variable tag lengths under the same key without compromising the other critical security and performance features.

VII. DISCUSSION
The cryptographic sponge function was first proposed by Bertoni et al. [54] and gained popularity after NIST announced Keccak as the winner of the SHA-3 competition in October 2012 [79]. Sponge-based variants such as Duplex, MonkeyDuplex, SpongeWrap, and DonkeySponge [27], [55] and their design philosophies have eliminated the complications of key scheduling found in other constructions such as block ciphers. Our sponge-based scheme, PAVTASP, protects against SPAs and DPAs in addition to being parallelizable.
The first parallelizable AE construction based on the duplex mode of the sponge function was presented by Morawiecki et al. [64], and other works followed, such as [30], [62], and [63]. However, the main problem with these early efforts was that the resulting schemes did not protect against side-channel attacks, in particular SPAs and DPAs [18], [50].
Subsequently, the sponge-based AE schemes ISAP [38], SALE [66], and SPOOK [65] were proposed to defend against SPA and DPA using different approaches: [38] and [66] use sponge-based constructions throughout, whereas SPOOK [65] bases its rekeying on a tweakable block cipher. All of them follow the leveled implementation approach [18], [20]. However, these constructions lack parallelizability, which is an essential performance feature. The scheme proposed in this work combines parallelizability with protection against SCAs, particularly SPAs and DPAs.
Several countermeasures against SCAs exist, such as hiding, shuffling [18], and masking [15], [16], but fresh rekeying achieves the same goal at lower cost. Fresh rekeying was first proposed by Abdalla and Bellare [20]. In this method, the master key $K$ is used only as the input to a pseudorandom generator that produces session keys, and it is the session keys that protect the privacy and integrity of the data; the master key is never used directly in the scheme. Fresh rekeying thereby increases the key lifetime, i.e. the number of times a key can be used to encrypt messages before it needs to be changed. Abdalla and Bellare also first suggested structuring a rekeying scheme as a leveled implementation [20]: the rekeying component must be protected against both SPA and DPA but need not itself be cryptographically strong, whereas the main (rekeyed) construction must be cryptographically strong but needs protection only against SPA.
Medwed et al. [19], [71] developed a rekeying scheme following the leveled implementation approach, using the AES block cipher as the base-scheme component and a PRF based on modular multiplication over GF($2^8$) for the rekeying part. However, their scheme is susceptible to the attacks suggested by Black et al. [80], because of the way intermediate states of the block cipher are processed, as noted by Dobraunig et al. [81]. Our work uses a rekeying function based on multiplication over GF($2^8$) that is protected by a combination of masking and hiding against higher-order DPAs.
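The leveled structure described above, with the master key confined to the rekeying layer, can be made concrete on a small scale. The following is an added Python example, not code from the paper, from PAVTASP or from Medwed et al.: the rekeying function $g(k, r) = k \cdot r$ in the ring GF($2^8$)$[y]/(y^{16}+1)$ follows the shape of Medwed et al.'s design, whereas the derivation of the public value $r$ from the nonce and the HMAC-based data-processing core standing in for the sponge are assumptions made here. The masking and hiding that PAVTASP applies to its rekeying function are not modelled, nor is the restriction Medwed et al. place on the set of admissible $r$ values.

```python
"""Fresh rekeying with a GF(2^8)-based rekeying function (leveled design).

Added illustration, not the paper's, PAVTASP's or Medwed et al.'s code.
g(k, r) = k * r in GF(2^8)[y]/(y^16 + 1) follows Medwed et al.'s shape;
r derivation and the HMAC core are assumptions for this example.
"""
import hashlib
import hmac

D = 16  # key length in bytes, which is also the ring dimension


def gf_mul(a: int, b: int) -> int:
    """Multiplication in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (0x11b)."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p


def rekey(master: bytes, r: bytes) -> bytes:
    """g(k, r): polynomial multiplication over GF(2^8) modulo y^16 + 1,
    i.e. a circular convolution of two 16-byte vectors. This is the only
    operation that ever touches the master key, so it is the part that a
    real implementation protects against SPA and DPA (masking, hiding)."""
    assert len(master) == D and len(r) == D
    out = [0] * D
    for i, ki in enumerate(master):
        for j, rj in enumerate(r):
            out[(i + j) % D] ^= gf_mul(ki, rj)
    return bytes(out)


def rekey_input(nonce: bytes) -> bytes:
    """Public per-nonce value r. Assumption for this example: SHA-256 of the
    nonce truncated to D bytes. Medwed et al. restrict r to a subset of the
    ring to keep leakage on k*r hard to exploit; not modelled here."""
    return hashlib.sha256(b"rekey" + nonce).digest()[:D]


def session_key(master: bytes, nonce: bytes) -> bytes:
    """Fresh session key k* = g(k, r(nonce)); a new one for every nonce."""
    return rekey(master, rekey_input(nonce))


def core_tag(master: bytes, nonce: bytes, data: bytes) -> bytes:
    """The rekeyed core. Only k* enters the data path, so a DPA on the core
    recovers at most one session key and never the master key. HMAC-SHA256
    stands in for the sponge-based duplex core of the paper."""
    k_star = session_key(master, nonce)
    return hmac.new(k_star, nonce + data, hashlib.sha256).digest()
```

Two properties worth checking by hand: multiplying by the ring's unit element (1, 0, ..., 0) returns the master key unchanged, and multiplying by (0, 1, 0, ..., 0) rotates it by one byte, which shows that the operation really is the circular convolution and not a byte-wise product. Distinct nonces give distinct $r$ and hence distinct session keys, which is what bounds the number of traces an attacker can collect under any one key.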
On the other hand, the leveled implementations of SALE [66] and ISAP [38] use sponge-based structures at both levels, the rekeying component and the core rekeyed data-processing component. Although using the same primitive for both levels is preferable for reducing code size, it may enable CPAs that compromise subsequent keys [53]. Other works, notably Spook [65], employ a tiered implementation in which the data-processing component is based on a sponge construction (T-Sponge) and the rekeying on a tweakable block cipher. A GF($2^8$) multiplication-based algebraic construct, however, is lighter and easier to protect against SPAs and DPAs. PSASPIN [37] proposed a parallel, sponge-based AE scheme with SPA and DPA protection and nonces hidden from adversaries, but it assumed the tag length to be a fixed parameter under a given key and thus may be vulnerable to tag-length variation attacks. Recall that these AE schemes, except PSASPIN, are serial and do not provide parallelism, which is a crucial property for AE schemes. Our scheme, PAVTASP, allows variable stretch under the same key, in addition to parallelizability and protection against SCAs. To the best of the authors' knowledge, no other sponge-based AE scheme provides this combination of properties.
Most AE schemes, including [6], [7], [27], [41], [42], [43], and [44], treat the stretch as a fixed scheme parameter per key, and their security is proved accordingly, assuming that different stretch values use distinct keys. However, variable tag lengths under the same key can occur through misconfiguration or attack, in which case security is violated [39]. Beyond its security relevance, tag-length variability is desirable in resource-constrained environments, where, according to Struik [13], the cost of negotiating parameters is prohibitively high. Reyhanitabar et al. (2017) discussed the issue in detail and formalized a security notion for nonce-based AE schemes with variable stretch, vNBAE. They further proposed a modular approach based on the key-equivalent separation by stretch (KESS) concept, which, combined with traditional NBAE security, implies vNBAE security. They proved that the vNBAE goal is efficiently and provably achievable, concretizing it with a modification of OCB that preserves its desirable features, such as online processing of data blocks [8]. Finally, they outlined some open problems as possible extensions of their work, including describing transformations that apply to large subsets of NBAE-secure schemes by encoding the stretch value τ in the input of sponge-based modes. This work fills that gap by proposing and implementing a sponge-based AE scheme that encodes the stretch value τ in the encryption and decryption processes, so that variable tag lengths can be used securely under the same key.
There should be an upper limit on the number of plaintext and associated-data blocks protected by calls to the authenticated encryption function over the lifetime of a key. According to NIST Special Publication 800-38D [40], $2^{64}$ would be a fair upper limit for the majority of applications. Jovanovic, Luykx et al. [76] set the integrity bound (tag length) of sponge-based schemes to $2^{c/2}$, where $c$ is the capacity. As this limit is approached, a new key should be negotiated for the security to hold. Abdalla and Bellare [20] and Mennink [15] stated that with fresh rekeying the security bounds of schemes can be improved, for instance from $2^{k/2}$ to $2^{k/3}$. Our work, PAVTASP, improves the minimum recommended tag length of $2^{64}$, for equal key length and capacity of 128 bits, to $2^{128/3}$, i.e. approximately $2^{42}$ bits; this rests on the observation that fresh rekeying raises the traditional security bound. This work is inspired by ISAP [38] and PSASPIN [37] but differs from ISAP in two ways: first, PAVTASP is parallelizable; second, it follows a different implementation approach for key generation and data processing, to avoid the weaknesses indicated in [53]. Our implementation consists of two layers; the rekeying layer is based on Galois-field multiplication using a PRF, following the design of Medwed et al. [19], [71]. Moreover, the related-key attack concern raised by Dobraunig et al. [81] does not apply to sponge-based schemes, because those attacks exploit the partial key-processing values of a key schedule, which sponge functions do not have.
Finally, PAVTASP differs from PSASPIN in that it permits the secure use of variable tag lengths under the same key, protecting against misuse attacks between instances of the same AE scheme that use different stretch values under one secret key. To achieve this, PAVTASP follows the KESS approach proposed by Reyhanitabar et al. (2017); consequently, PAVTASP has a different syntax, taking the tag length (stretch) as an input parameter of the encryption and decryption processes. Furthermore, PAVTASP performed better than PSASPIN when their C implementations were tested.

VIII. CONCLUSION
This paper proposed and implemented PAVTASP, a side-channel-attack-resistant, sponge-based, parallel AE scheme that permits the use of variable tag lengths under the same key. Our implementation consists of two layers: the rekeying layer is based on Galois-field multiplication, while the base-scheme layer is based on the sponge construction in duplex mode. The proposed scheme is advantageous over similar sponge-based AE schemes because it allows variable tag lengths under the same key without sacrificing other valuable features such as online processing and parallelizability. Finally, the security of the proposed scheme was evaluated, and its performance was analyzed and compared with similar AE schemes after implementing it in the C programming language.