COFFE: Ciphertext Output Feedback Faithful Encryption
"In this paper, the authors introduce the first authenticated encryption scheme based on a hash function, called COFFE. This paper has been motivated by the challenge to fit se-cure cryptography into constrained devices - some of these devices have to use a hash function, anyway, and the challenge is to avoid the usage of an additional block cipher to provide authenticated encryption. COFFE satisfies the common security requirements regarding authenticated encryption, i.e., IND-CPA- and INT-CTXT-security. Beyond that, it provides the following additional security features: resistance against side-channel attacks and INT-CTXT security in the nonce-misuse scenario."