Quantum Meet-in-the-Middle Attacks on Key-Length Extension Constructions
Min Liang, Ruihao Gao, Jiali Wu
TL;DR
The paper examines the quantum security of key-length extension (KLE) constructions, concretely two-key triple encryption (2kTE) and 3XOR-cascade encryption (3XCE), by building quantum meet-in-the-middle (MITM) and sieve-in-the-middle (SITM) attacks in the Q1 model (the adversary has a quantum computer but only classical oracle access) and the Q2 model (the adversary may query the encryption oracle in superposition). For 2kTE it gives two Q2 attacks: one built on quantum claw-finding (QCF) with $O(2^{2\kappa/3})$ time and $O(2^{2\kappa/3})$ QRAM, and one built on Grover search with $O(2^{\kappa/2})$ time and $O(2^{\kappa})$ QRAM. Since the latter matches a Grover exhaustive search of the underlying $\kappa$-bit-key cipher, 2kTE adds essentially no security in the Q2 model once enough QRAM is available. For 3XCE it gives a QRAM-free Q1 attack running in $O(2^{(\kappa+n)/2})$ time, a quadratic speedup over the classical MITM attack. The MITM idea is then generalised to a quantum SITM framework for constructions of the form $ELE = E^2 \circ L \circ E^1$, with concrete attacks for three forms of the middle layer $L$: a property of the intermediate state (for example an XOR relation imposed by $L$, or an involutive $L$) is used to sieve candidate keys from the two half-computations instead of requiring an exact match between them. The overall message is that quantum MITM and SITM attacks, whose cost depends strongly on the memory model (QRAM or no QRAM), substantially erode the margin KLE is meant to provide, and that KLE designs need quantum security proofs rather than only classical ones.
Abstract
Key-length extension (KLE) techniques provide a general approach to enhancing the security of block ciphers by using longer keys. There are mainly two classes of KLE techniques, cascade encryption and XOR-cascade encryption. This paper presents several quantum meet-in-the-middle (MITM) attacks against two specific KLE constructions. For two-key triple encryption (2kTE), we propose two quantum MITM attacks under the Q2 model. The first attack, leveraging the quantum claw-finding (QCF) algorithm, achieves a time complexity of $O(2^{2\kappa/3})$ with $O(2^{2\kappa/3})$ quantum random access memory (QRAM). The second attack, based on Grover's algorithm, achieves a time complexity of $O(2^{\kappa/2})$ with $O(2^{\kappa})$ QRAM. The latter complexity is nearly identical to that of a Grover-based brute-force attack on the underlying block cipher, indicating that 2kTE does not enhance security under the Q2 model when sufficient QRAM resources are available. For 3XOR-cascade encryption (3XCE), we propose a quantum MITM attack applicable to the Q1 model. This attack requires no QRAM and has a time complexity of $O(2^{(\kappa+n)/2})$, where $\kappa$ and $n$ are the key length and block length of the underlying block cipher, respectively, achieving a quadratic speedup over the classical MITM attack. Furthermore, we extend the quantum MITM attack to a quantum sieve-in-the-middle (SITM) attack, which is applicable to more constructions. We present a general quantum SITM framework for the construction $ELE = E^2 \circ L \circ E^1$ and provide specific attack schemes for three different forms of the middle layer $L$. The quantum SITM attack technique can be further applied to a broader range of quantum cryptanalysis scenarios.
