International Association for Cryptologic Research (IACR)
Abstract
\begin{abstract}
Generic attacks against classical (balanced) Feistel schemes, unbalanced Feistel schemes with contracting functions and unbalanced Feistel schemes with expanding functions have been studied in \cite {P01}, \cite{Jut}, \cite{PNB06}, \cite{PNB07}. In this paper we study schemes where we use alternatively contracting random functions and expanding random functions. We name these schemes ``Alternating Unbalanced Feistel Schemes\u27\u27. They allow constructing pseudo-random permutations from kn bits to kn bits where kβ₯3. At each round, we use either a random function from n bits to (kβ1)n bits or a random function from (kβ1)n bits to n bits. We describe the best generic attacks we have found. We present``known plaintext attacks\u27\u27 (KPA) and ``non-adaptive chosen plaintext attacks\u27\u27 (CPA-1). Let d be the number of rounds. We show that if dβ€k, there are CPA-1 with 2 messages and KPA with m the number of messages about 24(dβ1)nβ. For dβ₯k+1 we have to distinguish k even and k odd. For k even, we have m=2 in CPA-1 and mβ24knβ in KPA. When k is odd, we show that there exist CPA-1 for dβ€2kβ1 and KPA for dβ€2k+3 with less than 2kn messages and computations. Beyond these values, we give KPA against generators of permutations.
\end{abstract