Key-length extension (KLE) techniques provide a general approach to enhancing the security of block ciphers by using longer keys. There are mainly two classes of KLE techniques, cascade encryption and XOR-cascade encryption. This paper presents several quantum meet-in-the-middle (MITM) attacks against two specific KLE constructions. For the two-key triple encryption (2kTE), we propose two quantum MITM attacks under the Q2 model. The first attack, leveraging the quantum claw-finding (QCF) algorithm, achieves a time complexity of $O(2^{2κ/3})$ with $O(2^{2κ/3})$ quantum random access memory (QRAM). The second attack, based on Grover's algorithm, achieves a time complexity of $O(2^{κ/2})$ with $O(2^κ)$ QRAM. The latter complexity is nearly identical to Grover-based brute-force attack on the underlying block cipher, indicating that 2kTE does not enhance security under the Q2 model when sufficient QRAM resources are available. For the 3XOR-cascade encryption (3XCE), we propose a quantum MITM attack applicable to the Q1 model. This attack requires no QRAM and has a time complexity of $O(2^{(κ+n)/2})$ ($κ$ and $n$ are the key length and block length of the underlying block cipher, respectively.), achieving a quadratic speedup over classical MITM attack. Furthermore, we extend the quantum MITM attack to quantum sieve-in-the-middle (SITM) attack, which is applicable for more constructions. We present a general quantum SITM framework for the construction $ELE=E^2\circ L\circ E^1$ and provide specific attack schemes for three different forms of the middle layer $L$. The quantum SITM attack technique can be further applied to a broader range of quantum cryptanalysis scenarios.

翻译：密钥长度扩展技术通过使用更长的密钥，为增强分组密码的安全性提供了一种通用方法。主要存在两类KLE技术：级联加密与异或级联加密。本文针对两种具体的KLE构造提出了若干量子中间相遇攻击。针对双密钥三重加密，我们在Q2模型下提出了两种量子MITM攻击。第一种攻击利用量子爪寻找算法，实现了$O(2^{2κ/3})$的时间复杂度，并需要$O(2^{2κ/3})$的量子随机存取存储器。第二种攻击基于Grover算法，实现了$O(2^{κ/2})$的时间复杂度，但需$O(2^κ)$的QRAM。后者的复杂度与基于Grover算法对底层分组密码的暴力攻击几乎相同，这表明当具备充足QRAM资源时，2kTE在Q2模型下未能提升安全性。针对3XOR级联加密，我们提出了一种适用于Q1模型的量子MITM攻击。该攻击无需QRAM，时间复杂度为$O(2^{(κ+n)/2})$（其中$κ$和$n$分别为底层分组密码的密钥长度与分组长度），相比经典MITM攻击实现了二次加速。此外，我们将量子MITM攻击扩展为量子筛选中问攻击，该技术可适用于更多构造。我们针对$ELE=E^2\circ L\circ E^1$构造提出了通用的量子SITM框架，并为中间层$L$的三种不同形式提供了具体攻击方案。量子SITM攻击技术可进一步应用于更广泛的量子密码分析场景。