Generic Attacks on Alternating Unbalanced Feistel Schemes

Generic attacks against classical (balanced) Feistel schemes, unbalanced Feistel schemes with contracting functions and unbalanced Feistel schemes with expanding functions have been studied in [12], [4], [15], [16]. In this paper we study schemes where we use alternatively contracting random functions and expanding random functions. We name these schemes “Alternating Unbalanced Feistel Schemes”. They allow constructing pseudo-random permutations from kn bits to kn bits where k ≥ 3. At each round, we use either a random function from n bits to (k−1)n bits or a random function from (k−1)n bits to n bits. We describe the best generic attacks we have found. We present“known plaintext attacks” (KPA) and “non-adaptive chosen plaintext attacks” (CPA-1). Let d be the number of rounds. We show that if d ≤ k, there are CPA-1 with 2 messages and KPA with m the number of messages about 2 (d−1)n 4 . For d ≥ k + 1 we have to distinguish k even and k odd. For k even, we have m = 2 in CPA-1 and m ' 2 kn 4 in KPA. When k is odd, we show that there exist CPA-1 for d ≤ 2k − 1 and KPA for d ≤ 2k + 3 with less than 2 messages and computations. Beyond these values, we give KPA against generators of permutations.