Paper 2022/1245

On Generalizations of the Lai-Massey Scheme: the Blooming of Amaryllises

Abstract

In this paper, we re-investigate the Lai-Massey scheme, originally proposed in the cipher IDEA. Due to the similarity with the Feistel schemes, and due to the existence of invariant subspace attacks as originally pointed out by Vaudenay at FSE 1999, the Lai-Massey scheme has received only little attention by the community. As first contribution, we propose two new generalizations of such scheme that are not (affine) equivalent to any generalized Feistel scheme proposed in the literature so far. Then, inspired by the recent Horst construction, we propose the generalized Amaryllises construction as a generalization of the Lai-Massey scheme, in which the linear combination in the Lai-Massey scheme is replaced by a non-linear one. Besides proposing concrete examples of the Amaryllises construction, we discuss its (possible) advantages and disadvantages with respect to other existing schemes/constructions published in the literature, with particular attention on the Lai-Massey one and on the Horst one.

Note: The paper has been heavily re-structured: - a new generalization of the Lai-Massey scheme is proposed; - new examples of generalized and redundant Lai-Massey schemes that are not EA-equivalent to any Feistel schemes are presented; - the extended contracting Amaryllises scheme is proposed; - the analysis regarding the security of the Amaryllises scheme compared to the one of the Lai-Massey schemes has been corrected and re-written; - a solution for preventing the existence of invariant subspace trails is described.