International Association for Cryptologic Research (IACR)
Abstract
In this paper we introduce the first authenticated encryption scheme
based on a hash function, called COFFE. This research has been
motivated by the challenge to fit secure cryptography into constrained
devices -- some of these devices have to use a hash function, anyway,
and the challenge is to avoid the usage of an additional block cipher
to provide authenticated encryption. COFFE satisfies the common
security requirements regarding authenticated encryption, i.e., IND-CPA-
and INT-CTXT-security. Beyond that, it provides the following
additional security features: resistance against side-channel attacks
and INT-CTXT security in the nonce-misuse scenario. It also support
failure-friendly authentication under reasonable assumptions
