Resource-constrained IoT devices operating over adversarial wireless channels lack lightweight authenticated encryption schemes that simultaneously provide forward secrecy, compact tag aggregation, and computational efficiency. This work proposes Diamond, the first provably secure forward-secure and aggregatable authenticated encryption (FAAE) framework, which integrates a lightweight key evolution mechanism with an offline-online computational pipeline to support heterogeneous platforms including ARM Cortex-A72/M4 and 8-bit AVR microcontrollers. Experimental results demonstrate that Diamond significantly outperforms NIST lightweight authenticated encryption candidates across multiple hardware platforms, reducing offline preprocessing overhead by up to 47% and decreasing end-to-end latency for large-scale telemetry by nearly an order of magnitude.

Resource-constrained Internet of Things (IoT) devices, from medical implants to small drones, must transmit sensitive telemetry under adversarial wireless channels while operating under stringent computing and energy budgets. Authenticated Encryption (AE) is essential for ensuring confidentiality, integrity, and authenticity. However, existing lightweight AE standards lack forward-security guarantees, compact tag aggregation, and offline-online (OO) optimizations required for modern high-throughput IoT pipelines. We introduce Diamond, the first provable secure Forward-secure and Aggregate Authenticated Encryption (FAAE) framework that extends and generalizes prior FAAE constructions through a lightweight key evolution mechanism, an OO-optimized computation pipeline, and a set of performance-tiered instantiations tailored to heterogeneous IoT platforms. Diamond substantially reduces amortized offline preprocessing (up to 47%) and achieves up to an order-ofmagnitude reduction in end-to-end latency for large telemetry batches. Our comprehensive evaluation across 64-bit ARM Cortex-A72, 32-bit ARM Cortex-M4, and 8-bit AVR architectures confirms that Diamond consistently outperforms baseline FAAE variants and NIST lightweight AE candidates across authenticated encryption throughput and end-to-end verification latency while maintaining compact tag aggregation and strong breach resilience. We formally prove the security of Diamond and provide two concrete instantiations optimized for compliance and high efficiency. Our open-source release enables reproducibility and seamless integration into IoT platforms.