Simplified Modeling of MITM Attacks for Block Ciphers: New (Quantum) Attacks

. The meet-in-the-middle (MITM) technique has led to many key-recovery attacks on block ciphers and preimage attacks on hash functions. Nowadays, cryptog-raphers use automatic tools that reduce the search of MITM attacks to an optimization problem. Bao et al. (EUROCRYPT 2021) introduced a low-level modeling based on Mixed Integer Linear Programming (MILP) for MITM attacks on hash functions, which was extended to key-recovery attacks by Dong et al. (CRYPTO 2021). However, the modeling only covers AES-like designs. Schrottenloher and Stevens (CRYPTO 2022) proposed a diﬀerent approach aiming at higher-level simpliﬁed models. However, this modeling was limited to cryptographic permutations. In this paper, we extend the latter simpliﬁed modeling to also cover block ciphers with simple key schedules. The resulting modeling enables us to target a large array of primitives, typically lightweight SPN ciphers where the key schedule has a slow diﬀusion, or none at all. We give several applications such as full breaks of the PIPO-256 and FUTURE block ciphers, and reduced-round classical and quantum attacks on SATURNIN-Hash.


Introduction
Meet-in-the-middle (MITM) attacks are powerful attacks on symmetric primitives such as block ciphers [DH77] and hash functions [Sas11].The goal in both cases is to find an unknown value (the internal state or the key) which satisfies a certain set of constraints, e.g., between the inputs and outputs of a certain computational path.
If one guesses the entire unknown value, then the whole path can be recomputed and the constraints checked: this is the generic exhaustive search, which can always be applied.The MITM technique identifies some parts of the path which can be computed independently from others.Typically one defines a forward chunk (computed forwards) and an independent backward chunk (computed backwards), which start from a given starting point, and meet at several matching points.The values that they can take are computed independently.Afterwards, one selects among the pairs all those which satisfy the conditions set by the matching points.
MITM attacks have been successfully applied to many designs, using more and more refined techniques: guess-and-determine [DSP07], splice-and-cut [AS08,GLRW10], bicliques [KRS12], 3-subset MITM [BR10,Sas18], and so on.Even when they do not reach the best number of rounds in terms of key-recovery, they can have other advantages, such as a very low data complexity (like the attack on Present-80 of [CNV13]).
Automatic Search of MITM Attacks.A MITM attack is entirely defined by its characteristic or path, the choice of its forward and backward chunks.Finding the best characteristic is an optimization problem, which can be solved automatically.
Dedicated search tools were proposed, such as the tool of Derbez and Fouque [DF16] for MITM and DS-MITM attacks.The algorithm starts from a given starting point, tries to expand the forward and backward paths before they match, and terminates if it has explored too many possibilities.Another automatic search, with a similar spirit, was proposed in [AA20].While both these tools apply to a large class of designs (AESlike, bit-based SPNs, Feistel schemes), they have some limitations: the tool of [DF16] is not adapted for preimage attacks and the one of [AA20] does not support guess-anddetermine.In a similar context, Hadipour and Eichlseder introduced a generic tool [HE22] for guess-and-determine attacks, but it does not cover MITM attacks.
In this paper, we focus on a modeling of the problem using Mixed Integer Linear Programming (MILP).Sasaki first used MILP to optimize the 3-subset MITM attack on Gift-64 [Sas18], however his modeling only concerned this specific case.Later, Bao et al. defined an MILP modeling of MITM attacks on AES-like hash functions [BDG + 21].The modeling relies on local propagation rules for the backward and forward paths, which constrain the state of nibbles (forward, backward, unknown. . . ) and count the number of degrees of freedom which are consumed.Later, it was extended to key-recovery attacks in [DHS + 21], and to the guess-and-determine technique in [BGST22], including more and more techniques (nonlinearly constrained words, superposition states) which allowed to capture more refined constraints on the key nibbles and interactions between the key and the state.
Originally, this modeling strategy applies to designs which perform operations at a nibble level (though we note that bit-level models were also introduced afterwards in [QHD + 23]).Besides, the definition of rules can become quite complicated.A different approach was proposed in [SS22a], which covers both AES-like and Present-like designs, and benefits from a simple description.However, the scope of the modeling is now limited to a computational path which does not take into account key additions.Quantum attacks are obtained by adapting the objective function of the search.

Contribution and Results.
In this paper, we extend the modeling strategy of [SS22a] to support key additions in the primitive.The main issue posed by key additions is that they happen at the nibble level, while the model of [SS22a] considered larger components in the primitive.We show that we can keep the simplicity of the previous model by adding variables for the key nibbles, and placing them in the forward or backward chunks using a few new constraints.This allows us to cover both pseudo-preimage attacks on hash functions and key-recovery attacks on block ciphers.The downside is that we need to focus on lightweight key schedules such as the one of Present [BKL + 07] which only perform bit rotations and S-Box operations.
Complex linear functions in the key schedule may complicate the interactions between the key and state bits.The series of works on AES-like designs [BDG + 21, DHS + 21, BGST22] have been able to capture more and more of these interactions, and reach new attacks that the previous models were not able to find.We conjecture that our modeling, despite its simplicity, reaches at least the same performance on the class of designs defined in Section 2.1.Though we cannot prove it in full generality, we could for example find a pseudo-preimage attack on 7-round Saturnin-Hash with a smaller time complexity than [DHS + 21].
The results obtained with our tool are summarized in Table 1, compared with some results of previous works.We obtain full-round attacks on the block ciphers Future [GPS22] and Pipo-256 [KJK + 20], both due to the simple key schedules of the ciphers.We also give new quantum attacks on reduced-round Saturnin-Hash and Saturnin, and observe that some Grover-meet-Simon attacks [LM17] are covered by the automatic search.This complements the automated search of Simon-based attacks previously proposed by Canale, Leander and Stennes [CLS22].Though their tool can find more attacks than ours, as it allows to define periodic functions from a bigger class, it was limited to rather simple constructions.Our tool is more adapted to complex cipher designs.Outline.The paper is organized as follows.In Section 2, we define the AES-like and Present-like classes of designs, introduce the MITM framework and the different techniques relevant for this paper, as well as quantum computing tools.We borrow from [SS22a] the generic conversion of a classical MITM attack into a quantum one, and we explain the Grover-meet-Simon (GMS) attacks.
Next, in Section 3 we explain the modeling of MITM attacks, first explaining [SS22a], then introducing our new variables and constraints for the key schedule and details on how to adapt the framework to the key-recovery case.The last sections are devoted to our applications: 1) AES-like designs in Section 4, including Saturnin-Hash, Saturnin and Future; 2) Present-like designs in Section 5, including Present and Pipo.
The code used in this paper, including the generation of MILP models for all our examples, and the generation of figures, is available online1 .We used the Gurobi solver [Gur23] on a desktop computer.

Preliminaries
In this section, we give a high-level overview of MITM attacks, with corresponding formulas for the time complexity.We also give preliminaries on quantum attacks.
As shown in Figure 1, we consider a block cipher E K , made of a sequence of r rounds (0 to r − 1) which act on the internal state taking value s 0 (plaintext) to s r (ciphertext).A key schedule function transforms the master key K into a sequence of round keys k 0 , . . ., k r .Each k i is added before round i, and k r is the final key addition.We enforce some relation between s 0 and s r , which creates a closed computational path.We are searching for a pair (s 0 , K) satisfying this path.
In the case of a preimage or pseudo-preimage attack [Sas11], the block cipher E K is used as a compression function.For example, in the Matyas-Meyer-Oseas (MMO) mode, the function is f (m, h) = E h (m) for a chaining value h and a message block m.Given a target T , a pair h, m such that E h (m) = m ⊕ T is a preimage of the compression function.The degrees of freedom of both m and h may be used.If we fix h, we remove the key schedule; the block cipher becomes a permutation.
For a key-recovery attack, the relation between input and output ("wrapping" in Figure 1) is given by E K .On the forward path in Figure 1, we need to compute s 0 from s r , so we perform decryption queries.

AES-like and Present-like Designs
The AES [DR20] is the standardized version of the block cipher Rijndael [DR99], and its design strategy has been followed by many ciphers and hash functions, forming a family that we will call "AES-like".AES-like designs are substitution-permutation networks (SPN) in which the internal states and round keys are represented as matrices of nibbles.The Column 0 S-Box layers operate on nibbles independently.The linear layer can also be expressed as an operation on nibbles.
In the AES, the state is a 4 × 4 matrix of bytes, and the round function composed of: the key addition (ARK); the S-Box layer (SB); the ShiftRows operation (SR), which permutes bytes within rows of the matrix; and finally, the MixColumns operation (MC), which multiplies each column by an MDS matrix.Other AES-like designs typically have similar operations.Sometimes (like in Skinny [BJK + 16]) the MixColumns is not MDS, but we will not consider such cases in this paper.Key schedules of AES-like designs also typically operate at the nibble level, e.g., in the AES itself, the only operations are XORs of key bytes and S-Boxes.

Super S-Box and Present-like Ciphers.
It can be noticed that in the sequence of operations ARK → SB → SR → MC, the operation SB commutes with SR and ARK.Thus, an AES round can be rewritten as a permutation of bytes, followed by a key addition, and a layer of Super S-Boxes applying on columns.This abstraction is essential for us.Using the Super S-Box representation, an AES-like design becomes an SPN in which the linear layer is simply a permutation of nibbles, corresponding to the SR operation.We give an example in Figure 2, where the initial bytes are numbered from 0 to 15, and the columns of the state are the groups of bytes We name Present-like the SPN ciphers which use only a nibble permutation as their linear layer, like the block cipher Present [BKL + 07].Though Present uses a bit permutation, our structure considers nibbles of any size.Our modeling starts from this family of ciphers, and covers AES-like designs thanks to the Super S-Box representation.

Key Schedules.
The key schedule of a cipher is an in-place operation that transforms a set of internal key registers and extracts rounds keys.All variants of AES have a key schedule which offers quite a strong diffusion.This renders the AES itself immune to MITM key-recovery attacks2 .However, lightweight ciphers, whether AES-like (e.g., Saturnin [CDL + 20]) or Present-like (e.g., Present, Gift [BPP + 17]) can have much simpler key schedules.In this paper, we consider key schedules that operate nibble-wise using in-place operations, either: 1) a permutation of nibbles; or 2) an S-Box applied in place to some nibbles.This includes the key schedule of Present.

Overview of Techniques
Below we briefly review the techniques that will be contained in our automatic search.We consider both key-recovery and preimage attacks.While they are very different conceptually, the modeling is quite similar.Let E K be a block cipher with block length (in nibbles) n and key length |K|.We start with the key-recovery case.
We have query access to E K and wish to retrieve K in time less than 2 |K| computations of E. This is done by finding solutions to the closed computational path represented in Figure 1.
We formalize this using a forward path function f F (x, k F ) and a backward path function f B (x, k B ) that take a common starting state x (e.g., the plaintext), a forward (resp.backward) key guess k F of length |k F | (resp.k B of length |k B |) and compute the same set of nibbles at some round inside the cipher.
We see that k = k F ∪ k B can be a potential candidate3 for K only if there exists x such that f F (x, k F ) = f B (x, k B ).Typically, starting from a constant x, we compute E K (x), compute forwards from x and backwards from For each pair, recompute the whole path and check if it matches.
Because we can swap the roles of forward and backward paths, the time complexity for key-recovery is 2 Guess-and-Determine. Guess-and-determine (GAD) is a powerful technique both for keyrecovery [BDF11] and preimage attacks [SWWW12,BGST22].We introduce nibble state guesses y F and y B in the definition of the forward and backward paths: We then have to compute f F and f B not only for all k F and k B , but also y F and y B , and find quadruples (y Finally, we note that we can make x bigger than n nibbles, i.e., fix more than a full internal state.In that case we will need to repeat the merging operation |x| − n times before finding a valid pair of internal state and key.The time complexity becomes: (2) Preimage Attack.In the preimage case, we want to find a pair (x, K) such that E K (x) ⊕ x = T for a fixed target T , in time less than 2 n computations of E. Informally, the problem remains the same: having fixed k S and x, find the pairs (y , among which a solution will be found.The main difference is the number of times that we need to repeat this operation. If the path contains only one solution, and if the key is entirely fixed, we can see that we will have to repeat 2 |x| times to traverse all the possible internal states, and find the one that matches.If there are 2 t solutions (due to less "wrapping" between the input and output), then we need only 2 |x|−t repetitions.
The forward and backward key nibbles take 2 k B +k F different values.Assuming that changing these key nibbles re-randomizes properly the path, this means that we only have to repeat 2 |x|−t−k B −k F times to traverse 2 |x|−t different starting values for x.This gives the formula: (3)

All-subkey-recovery (ASR) and Parallel MITM (PMITM). The ASR technique was
proposed in [IS12].If the key schedule is complex, we cannot use the relations between round keys, and the effective key length increases.Any guess k F yields a value f F (x, k F , k S ) for the matching variable, and any guess k B yields a value f B (x, k B , k S ).However, the amount of matching may be too small and leave more than 2 |K| triples (k F , k B , k S ).The Parallel MITM technique overcomes this by increasing the effective output length of f F and f B : it computes in parallel for multiple starting states x.The time and memory complexities are increased by a small factor with respect to a single starting state.The PMITM is not very useful in our case, where the key schedule is simple.Furthermore, it is incompatible with GAD.Indeed, the internal state guesses y F , y B are dependent on the starting state x.Multiple parallel states would have multiple independent state guesses, and the complexity would increase faster than it decreases thanks to the PMITM.
Sieve-in-the-middle (SIM) and Bicliques.The sieve-in-the-middle technique [CNV13] allows to sieve through an additional S-Box layer between the forward and backward path.This is done by means of an advanced list merging procedure.Sieve-in-the-middle is partially captured by GAD: though the merging procedure in the SIM attacks is more complex, it can be captured by making guesses on the forward or on the backward side.However, the modeling will not capture the fact that these guesses cost less than a recomputation of the full subpath, since they are made at the last moment.
Biclique cryptanalysis is an extension of MITM attacks used both against block ciphers [BKR11] and hash functions [KRS12], where the initial structure is extended with the help of bicliques.We did not study bicliques in this paper.It is still an open question to extend the MILP models of MITM attacks with bicliques.

Quantum Computing
We assume basic knowledge of quantum computing in the quantum circuit model, such as the ket notation |• , qubits and basic operations (see, e.g., [NC02]).We use "time" to refer to gate counts in quantum circuits, and "quantum memory" for their width (number of qubits), in multiple of the time and memory required to implement the primitive attacked.We stress that we use only generic complexity formulas, and no technical knowledge of quantum computing is required to apply these formulas.
Quantum Memories.We use in this paper two types of quantum memory, which can be understood as a hardware assumption: QRACM (quantum-accessible classical memory) and QRAQM (quantum-accessible quantum memory).QRACM allows unittime access in superposition to a large classical memory.That is, given memory cells y 0 , . . ., y M −1 , the operation: |i |0 → |i |y i (memory access) can be implemented in time 1.Whereas QRAQM is a stronger model in which the following operation costs a time 1: |i |y 0 , . . ., y M −1 |x → |i |y 0 , . . ., y i−1 , x, y i+1 , . . ., y M −1 |y , which allows at the same time to read and write in superposition in the available quantum memory.
As can be seen in Table 1, our quantum MITM attacks require QRAQM, except Grover-meet-Simon (key-recovery) attacks.
Grover's Algorithm.Grover's search algorithm [Gro96] solves the following problem: given a quantum oracle that implements a boolean function f : {0, 1} n → {0, 1}, find a preimage of 1.It is an iterative procedure that moves its internal state towards the uniform superposition of solutions.If there are t such preimages, then π x,f (x)=1 |x .Measuring this state allows to find a solution.For example, exhaustive key search uses a few plaintext-ciphertext pairs (p i , c i ) and tests: The calls to O f usually dominate the cost of the algorithm.Implementing the function f might require the QRACM or QRAQM model, for example when we need to access a large list.
Quantum Queries: the Q1 and Q2 model.The literature on quantum key-recovery attacks (e.g., [KLLN16b]) distinguishes two quantum attacker settings: Q1 (classical queries) and Q2 (quantum queries).In Q1, the quantum attacker has only access to classical secret-key oracles (decryption and / or encryption), whereas in Q2, the quantum attacker can use a quantum oracle, for example: In particular, any computation that involves the secret-key cipher E K can now be done in superposition.
If the key length is twice the block size or more, then we can use QRACM to emulate the Q2 setting.Indeed, the cost of querying the entire codebook (classically) is lower than the cost of Grover search for the key.Thus, any quantum attacker can pre-compute the codebook, store it in QRACM, and implement O E K efficiently.
This relation between Q2 queries and QRACM will also dictate our benchmarking of the latter: while counting the time in block cipher evaluations, we will consider a Q2 query to cost 1, and a QRACM / QRAQM query to cost 1 as well.

Quantum Attacks
We reuse Theorem 4 from [SS22b, Appendix A.2], which converts a classical MITM into a quantum attack using quantum search (the exact variant of Amplitude Amplification [BHMT02]).The quantum attack may benefit from up to a quadratic speedup with respect to the classical attack.
It considers a MITM attack that first makes g guesses, then merges two lists of size 2 F and 2 B into a list of size 2 M .It also assumes heuristically that there is a single solution, and that the subpaths leading to the solution are selected u.a.r.from all choices.
Theorem 1.Let T be the quantum time to compute an element of any of the three lists, or to recompute the full path given a partial match.There is a quantum algorithm of complexity: that finds the key K with probability 1/2.
Intuitively, the algorithm uses a Grover search on the g guesses, under which a two-list merging is used.The two-list merging constructs the forward list first, then performs a quantum search in the backward and merged list elements.Note that the roles of forward and backward can be exchanged in this formula.We refer to [SS22b] for the details of this algorithm and its correctness.
In the following, like in [SS22a], we consider that T is smaller or equal to the quantum time necessary to implement the full primitive under attack, and we count the time in multiples of T .This simplifies the comparison with Grover search.
Q1 and Q2 Model.Though the procedure of [SS22a] remains valid for key-recovery attacks, the computation of one of the two lists now includes queries to the block cipher (or its inverse).For example, assume that we access the block cipher E itself.Let S be the space of plaintexts encountered during the attack.Often S becomes the full codebook, but for exhaustive search (which can be seen as a degenerate MITM attack), S contains only a constant number of elements.Let E : S → {0, 1} n be the cipher restricted to the space S.
In the classical attack, we compute the lists using classical access to E .In the quantum attack, the list elements are computed in superposition.This means that we need superposition query access to E .If S is small enough with respect to the total key size, this can be done via QRACM (sometimes at the expense of a bigger memory) in the Q1 model.Otherwise, this requires the Q2 model.

Grover-meet-Simon as a PMITM Attack
Simon's algorithm [Sim97] is a quantum algorithm that solves the boolean hidden period problem: given access to a two-to-one function f : {0, 1} n → {0, 1} m such that f (x ⊕ s) = f (x), for some secret s, find s.The algorithm runs in time O n 3 using O(n) Q2 queries to f .It has been analyzed in detail in multiple works (e.g.[KLLN16a,SS17]) and found to be quite robust, in particular it works well if f is a random periodic function [Bon21], which models well the cases encountered in symmetric cryptography.
Simon's algorithm is the key component of many quantum attacks in the Q2 setting [KLLN16a] and more recently the Q1 setting [BHN + 19].In this paper, we will focus on the Grover-meet-Simon (GMS) attack of Leander and May [LM17].This is a Q2 attack that finds a periodic function in a family of functions: .
GMS uses a Grover search of the right k, which calls Simon's algorithm as a test.Its quantum complexity has been analyzed in detail in [Bon21,BJ22].As for Simon's algorithm, the constant in the O(n) is close to 1 if we assume the functions to be random, and the gate count in O n 3 is usually smaller than the cost of n function computations.
Even if we restrict the functions' output to one bit, this only doubles the number of queries needed by Simon's algorithm [MS22].Therefore, we will approximate the complexity as: where T is the cost of a query to F .

GMS-based MITM Attacks.
Consider a PMITM attack.Starting from an initial state x, it looks for a collision between the forward and backward path: The functions f F and f B can have a single-bit output.
Assume that both f F and f B are of the form: where k F and k B , of size |x|, contain nibbles of k F and k B respectively (and zero nibbles for positions at which no key is added).We are then looking for (k S , k B , k F ) such that: Therefore, when looking for MITM attacks, we can also look for GMS-based attacks.In this case, we will remove the GAD technique.We separate the key nibbles into "shared" key nibbles k S (guessed with Grover search) and "middle" key nibbles k M (found with Simon's algorithm).The part of the input x on which there is no addition of k M is fixed.
Though we would have liked to use the offline-Simon algorithm [BHN + 19], which removes the need for Q2 queries or QRACM, a technical problem arises from the fact that the functions computing the forward and backward paths are not invertible.

Modeling
In this section, we describe the MILP modeling of MITM attacks used in this paper.It relies on a cell-based representation of a cipher, which is the same as in [SS22a].

Previous Work
An r-round Present-like cipher is abstracted as an r-layered, weighted, undirected graph.The nodes of the graph, named cells, correspond to the S-Box operations in the cipher.The edges of the graph correspond to the exchange of nibbles in the linear layer.The MITM input-output constraint that closes the path is enforced by edges between cells of layer 0 (first round) and layer r − 1 (last round).Intuitively, this corresponds to the rewriting of the MITM problem as a system of linear relations between the cells, since all the nonlinear operations are local to them.Both cells and edges are weighted.For any pair (c, c ), we use w c and w c,c to denote these weights (we have w c,c = 0 if (c, c ) is not an edge).They correspond to the number of state nibbles that one should know to determine the value of this cell or edge.For example, in the graph representation of the AES, one has w c,c = 1 for edges and w c = 4 for 4-nibble cells.
Given any set of cells C, we define the reduced list R[C] which contains all assignments of values to these cells satisfying the linear constraints.It has size: Thanks to the Present-like structure, as long as C does not cover all the rounds, there is a streaming algorithm that produces the elements of To any choice of C F , C B , there corresponds a MITM algorithm of memory min( F , B ) and running time max( B , F , M ) (in log 2 ), which consists in constructing one list, streaming the other and re-computing the path for matching pairs.Global Guesses.Any edge (c, c ) where c ∈ C B , c ∈ C F can be turned into a "global guess", as shown in Figure 3. Indeed, by guessing these values before computing R[C F ] and R[C B ], the matching on these nibbles is precomputed.If there are g nibbles of global guess, the time complexity becomes: g + max( B , F , M ) (in log 2 ).The quantum time complexity is obtained by simplifying Equation 4: Forward cells are represented in blue , backward cells in red .Global guesses are represented in green ↔.It should be noted that they only impact the memory complexity of the attack and its quantum time complexity.

Matching through MixColumns.
The difference between the Present-like and AES-like cases lies in the following property of the Super S-Box, due to the MDS property of MixColumns.Let c be a Super S-Box of width w c .
Assume that we know f, b nibbles at the previous round, from the forward and backward path, respectively, and f , b nibbles at the next round.Then we can match a total of f + b + f + b − w c nibbles through the cell, i.e., even if it does not belong to C F ∪ C B .This is because we can write linear relations between these values.This is modeled by allowing to add such a cell in the merged list (we call it a new merged cell).
We can also precompute some of these relations, like global guesses of nibbles.With limitations: • we cannot precompute more than f + b + f + b − w c relations (the total amount of matching on this cell); • we cannot precompute more than f (the amount of forward nibbles at the next round) and more than b (the amount of backward nibbles at the previous round), otherwise this would create too many constraints.
Modeling.For each cell c, we create 3 boolean variables cell_col L [c] where L ∈ {F, B, M }.We always have cell_col and this is an equality if the cell is not a Super S-Box.
The list sizes and precomputed matchings are deduced from these variables using linear inequalities.For each cell, we sum its contribution to the list size (as a new temporary variable), and the amount of global reduction that it allows.We deduce the time complexity (in log 2 ), which is minimized.A complete pseudocode of this model is given in Appendix A.

Modeling the Key Schedule
Now, we move further than [SS22a].Including a key schedule path is a simple transformation to the graph, where each edge is now (possibly, but not necessarily) labeled by a key nibble, as in Figure 3.This is the key nibble that is XORed on this edge.
Let us start by the new variables and constraints related to the key schedule itself.We consider a key schedule like the one of Present, which starts by initializing a key register, and then: • creates new key nibbles by applying operations in place on the key register; • extracts the round keys from the key register.
In a similar spirit as the cell-based modeling of the state update function, we start by considering all round key nibbles as independent.We assume that they all have the same size (e.g., a single bit for Present).For example, each round of Present-80 applies a single 4-bit S-Box on the key register, so after r rounds, the total amount of key nibbles is 80 + 4r.
The operations that were applied create relations between groups of key nibbles, e.g.k 4 |k 5 |k 6 |k 7 = S(k 0 |k 1 |k 2 |k 3 ).These relations can be modeled as key cells, on the same principle as state cells.For a key cell of width w (here 4), the knowledge of at least w key nibbles allows to deduce all others.
Modeling.For each key nibble k i , we create 3 boolean variables key_col L [k i ] for L ∈ {S, B, F }.The key nibble can be either: • forward (F), i.e., known only in the forward path; • backward (B), i.e., known only in the backward path; • shared (S), i.e., known in both paths.This corresponds to k F , k B , k S in the formulas of Section 2.2.
For each key cell c, we create 3 exclusive boolean variables: key_cell_col L [c], L ∈ {S, B, F }, which indicate whether the key cell is "active" in the list of shared, forward or backward key nibbles.These variables have the following constraints: • if key_cell_col S [c] is true, then all key nibbles attached to this cell must be shared is true, then all key nibbles must be shared or backward is true, then all key nibbles must be shared or forward The "activation" of a key cell means that we use its relation to reduce the number of effective key nibbles, either in the shared, the backward or forward sets.Thus we compute the number of effective shared, forward and backward key nibbles by a sum over all key nibble variables, minus the reduction of key cells.

Modeling the Key Addition
We observe that the key addition can be modeled using only constraints on the coloration of key nibbles.For any key nibble k i , consider any edge e = (c, c , w c,c , k i ) where k i is added: • If both c and c are in the forward path, then k i should be either forward, or shared.
Indeed, in order to compute the next forward cell, we have the choice between guessing k i or guessing the state nibble.This costs the same, but guessing k i will always be more advantageous, since we might reuse this guess somewhere else in the path.
• Likewise, if both c and c are in the backward path, then k i should be either backward, or shared.
While it is not necessary for all the key nibbles to be colored, e.g., in the PMITM case, in practice this will be the case in our attacks, since we consider simple key schedules.So the forward-backward (matching) and backward-forward (global guess) relations do not create any constraint.
Computation of the Lists.The forward and backward lists now contain both partial states and key guesses.We will start in both cases by taking values for the key nibbles, using the key cells, then compute the states round by round as before.The constraint of having at least one round not covered by C still allows to enumerate the elements of R[C] efficiently.
The list sizes are computed as before (by the contribution of each cell individually), then increased by the amount of key nibbles that they contain.In the preimage case, the time complexity reflects Equation 3. In the key-recovery case, the time complexity is given by Equation 2. If there are |x| nibbles of global reduction, and if the key-less list sizes were B , F , M , then the times are respectively, in log 2 : In the quantum setting, these formulas are adapted using Equation 4:

Super S-Box Case.
To understand what happens if the cell c is a Super S-Box, we must separate the S-Box layer and the MixColumns operation, as shown in Figure 4. Following the usual layout of SPN ciphers, the S-Box layer is always performed between the key addition and the MC operation.
In this example, there are 6 nibbles known in input and output, so we can form two linear relations between them, of the form: L(S(k 0 ⊕x 0 ), S(k 1 ⊕x 1 ), S(k 3 ⊕x 3 ), y 0 ⊕k 0 , y 2 ⊕ k 2 , y 3 ⊕ k 3 ) = 0, where L is a linear function.One of these relations can be precomputed as follows: L F (S(k 0 ⊕ x 0 ), S(k 1 ⊕ x 1 ), y 0 , k 2 , k 3 ) = L B (S(k 3 ⊕ x 3 ), k 0 , y 2 , y 3 ) = t.That is, we can guess the value of t beforehand.During the forward path computation, we will obtain y 0 as a function of t and the other variables, and in the backward path, we obtain x 3 as a function of t and the other variables.
To enable this, we just need to ensure the following additional constraints for each edge (c, c , w c,c , k i ): • if c is forward and c is a new merged cell, then k i must be forward; • if c is backward and c is a new merged cell, then k i must be backward.These constraints allow to go through the upper S-Box layer and access the inputs to the MC layer.In particular, there are no constraints on the key nibbles below.
Remark 1 (Double key addition).In the path of a preimage attack of a compression function, we may have a key addition before the first round 0, and after the last round r − 1.This means that two key nibbles are added on the edges that connect rounds 0 and r − 1.Since our model does not allow two key additions on an edge, we add a new round of "dummy" single-nibble operations between the two additions.

Adaptation to the Key-recovery Setting
In the key-recovery case, going from round 0 to round r − 1 requires a query to the block cipher.This is modeled by adding a new round with a single cell (the "cipher cell"), as large as the internal state, which is connected to round 0 and to round r − 1.The cipher cell must belong either to C F (decryption queries) or to C B (encryption queries).

Role of the Global Reduction.
The nibbles of global reduction serve as a way to reduce the memory complexity in preimage attacks.In key-recovery attacks, the same variables correspond to the cut-set.This change of perspective is visible in Equations 8 and 9.While a preimage attack requires to loop over the values given to the global guesses, a key-recovery attack can fix n of these nibbles for free.

Data Complexity.
In key-recovery attacks, we may want to control or minimize the data complexity.This can be done as follows.Assume without loss of generality that the cipher cell c belongs to C B .We look at all the edges connecting c with cells at round 0, and count the weight of edges that: • connect with forward cells (thus, can be globally fixed); • do not have a backward key nibble.The data complexity can be upper bounded by the state size, minus the sum of weights of all such edges: this corresponds to the total number of state bits that can vary when the queries are made.Similar constraints apply if c belongs to C F .
PMITM and Grover-meet-Simon.In the PMITM case, we add the constraints that all cells should have a zero contribution to the list sizes (which will only depend on the initial state, and on key bit guesses), and we do not count the merged list size.We only require some matching between the forward and backward paths to occur.
Grover-meet-Simon is a subcase of PMITM, as we have seen in Section 2.5.In this case, we can compute an approximation of the complexity by counting only the "shared" key nibbles of the path.The key nibbles XORed to the starting state are not colored.They are the "middle" key nibbles k M defined in Section 2.5.

Application to AES-like Designs
In this section, we detail two of our applications to AES-like designs (more can be found in Appendix C).In each case, we only give the details of one solution path, but several solutions actually lead to the same complexity.How these paths translate into attack algorithms was discussed previously in Section 2. For completeness, we include detailed descriptions of the attacks in Appendix B, and we only give here the main ideas.
The figures use the following color / symbol scheme: green ↔ for global guesses, shared key nibbles k S and matching through MixColumns; blue for the forward path and k F ; red for the backward path and k B .Additionally, matchings between forward and backward are displayed as cyan edges.

Pseudo-preimage Attack on SATURNIN-Hash
Saturnin is one of the second-round candidates of the NIST LWC competition [CDL + 20].The block cipher has both a block and a key size of 256 bits, and it can be abstracted as an AES-like design operating on a 4×4 matrix of 16-bit nibbles.A single round of this representation is actually a "Super-round" that corresponds to two rounds in Saturnin.It adds a key which alternates between the master key and a rotated version of it, then applies either a transformation on the rows (MixRows) or the columns (MixColumns).This can be viewed equivalently as the composition of a transposition, followed by a MixColumns, but the key bytes have to be positioned appropriately.
The hash function Saturnin-Hash uses the block cipher as a compression function.In [DHS + 21], the authors gave a pseudo-preimage attack on 7 super-rounds (out of 16) of time 2 208 and memory 2 48 .We improve this time to 2 192 , at the expense of a larger memory, using the path of Figure 5.
We start by fixing the 4 key nibbles k 1,2,3,11 .In the forward list, we put 6 nibbles k 5,6,7,8,9,10 and in the backward list, we put the 6 others k 0,4,12,13,14,15 .We also fix the values of 14 state nibbles: 9 arrows, 2 linear relations through c 3 0 , 1 linear relation through c 5 0 , c 5 1 , c 5 2 respectively.The forward list is computed as follows: we start from c 2 2 , which needs 4 nibble guesses.Going through c 3 0 , the two nibbles are deduced using the two precomputed linear relations.The same is done through round 5, so there is nothing more to guess.The list is of size 2 6×16+4×16 = 2 160 .The backward list guesses 3 nibbles at round 5 (the other ones are deduced by the linear relations), then one nibble at round 3, so it has the same size.
There are 10 linear relations between backward and forward: 4 relations through MixColumns at round 1, 2 relations which hadn't been used yet in c 3 0 , and 4 matchings of nibbles.As we obtain a list of 2 160 partial (pseudo)-preimages on 4 nibbles (the blue nibbles going through round 7) there remains to repeat this operation 2 2×16 times.
In the quantum setting, our tool finds an attack on the same number of rounds, of complexity 2 115.55 and using 2 32 QRAQM.The path is quite different, and corresponds to a classical attack with reduced memory.For completeness we include it in Appendix C.2.

Key-recovery Attack on full FUTURE
Future [GPS22] is an AES-like cipher with 64-bit blocks and 128-bit keys.Its internal state is represented as a 4 × 4 matrix of 4-bit nibbles.The round function applies the following operations: • SubCells (S-Boxes); • MixColumns; • ShiftRows; • AddRoundKey.One can note that the order of operations is different from the AES; also, ShiftRows rotates the rows to the right (and not to the left like in the AES).There are 10 rounds; MixColumns is omitted at the last round.
The key addition alternates between two 64-bit subkeys k 0 , k 1 , where k 0 is first added in the "pre-round", and then, the key added at round i is rotated by 5(i/2) bits.
Because the key bits are not aligned with the state nibbles, due to the rotations, we model the structure of Future at the bit level.The composition of SubCells and MixColumns is viewed as a Super S-Box operating on 16 bits.When matching through MixColumns, groups of key bits that belong to the same S-Box should not have incompatible colors (i.e., both backward and forward).But since they come from the same cell, this is already ensured by the coloring constraints.
With our tool, we find an attack4 of time complexity 2 126 and memory 2 34 .The path is displayed in Figure 6.Due to space constraints, we have only represented the added key bits as color rectangles.Groups of 4 consecutive bits go through a single S-Box before the MixColumns operation.
In the forward path, we guess 14 key bits.In the backward path, we guess 22 key bits.The other 92 key bits are shared.There are 15 state nibbles guessed in total, and 1 nibble (4 bits) of linear relation at c 2 3 .Going forwards, we compute the states c 1 and then c 2 without having to make any state guess.At c 2 3 we use the single nibble of linear relation that we have precomputed; we have to guess 3 other nibbles.To compute c 5 we have to guess 2 nibbles.Thus the forward list is of total size: 2 14+5×4 = 2 34 .
Going backwards, we have immediately the value of c 1 1 (the single red state nibble remaining is deduced by the precomputed linear relation, which relates it to the backward key bits).There is no other guess to make until round 7, where we need to guess 3 nibbles.Thus the list size is also 2 34 .
In the merged list, we can note that there are 3 nibbles of matching at round 2, since we only precomputed one linear relation.There are also 3 nibbles at round 6, going through MixColumns.Finally, there are 3 nibbles of matching at round 8.This makes a total of 36 bits of matching, so the merged list is of size 2 32 .
In [GPS22] the authors estimated that MITM attacks could reach up to 7 rounds of the cipher.However this estimate did not take into account the GAD technique.Indeed, in this attack, state guesses allow roughly to extend the forward path by two rounds, and the backward path by one round.

Application to Present-like Designs
In this section, we show some applications of our results to Present-like designs, where there is no Super S-Box.Because the designs attacked here involve either a large number of rounds or state nibbles, we only sketch briefly the structure of the attacks and give zoomed-out versions of some of the pictures.The full pictures can be automatically generated using our code.

Application to Present
Present [BKL + 07] is an SPN cipher with a state of 16 × 4 bits.It uses a 4-bit S-Box, and the linear layer is a permutation of the bits.While the best key-recovery attacks on the block cipher Present are linear attacks, they have a large data complexity.The main advantage of MITM attacks is a small data complexity.
The Sieve-in-the-middle technique introduced in [CNV13] allowed to find an attack on 7-round Present-80 in time 2 73.42 .Using bicliques, this attack can be extended to 8 rounds with the same time complexity, and 2 6 data complexity.
With our tool, we are able to obtain a GAD attack on 9 rounds with a comparable 2 8 data complexity, and a time complexity 2 78 .A bird's eye view of the attack path is represented in Figure 7.The data complexity appears clearly since all state bits except 8 are fixed between the first round and the encryption cell.
We detail the choice of backward and forward key bits.Since each round of key scheduling applies an S-Box, there are a total of 9 key cells relating the key bits, and a total of 80 + 9 × 4 = 116 key bits.In the forward key, we take k 20 , k 21 , k 24 , k 25 from the  master key, and two key bits k 81 , k 82 that appear on the left at the second round.Four key bits k 15 , k 16 , k 17 , k 18 , which are the remaining forward key bits visible at the first round, are deduced with a key cell relation.
All other key cells reduce the shared key bits.In the backward list, we only guess two key bits k 41 , k 42 and there are no active key cells.Four bits of state guesses are required to activate the last two backward cells.All lists have size 2 6 .We can also fine-tune the trade-off between data and time, for example by taking a limit of 2 12 data, we find a slightly smaller complexity 2 77 .

Application to FLY and PIPO
The lightweight block ciphers Fly [KG16] and Pipo [KJK + 20] are structurally similar with respect to MITM attacks.Both are Present-like SPN ciphers with 64-bit blocks, but 8-bit S-Boxes, where the linear layer is a bit-permutation.Though the S-Box and permutation differ between both designs, the cell-based representation will be the same.Indeed, what only matters for us is that between any pair of S-Boxes of two successive rounds, there is a single-bit linear relation.
This simplification is allowed by the simple key schedule of both ciphers.Fly uses a 128-bit master key which is equivalent to k 0 ||k 1 , where k 0 is used in even rounds and k 1 in odd rounds.Pipo-128 does the same, while Pipo-256 has a 256-bit key which is separated in 4 subkeys k = k 3 k 2 k 1 k 0 used alternatively.The only difference between Fly and Pipo-128 is the final key addition in Pipo-128.Furthermore, in the attacks, the final key is always entirely known in the backward path.Applying a final bit permutation or not will lead to the same attack paths and complexities.
To the best of our knowledge, our attacks are the best against Fly and Pipo, exceeding the differential and linear cryptanalysis performed by the authors of Pipo (who reported 9-round and 11-round attacks respectively).We defer the details of the 128-bit versions to Appendix C.6 and focus here on our attack on full Pipo-256 (18 rounds).
Our attack has a time complexity 2 252 and a memory complexity 2 60 .It uses the path given in Figure 8.There are 183 shared key bits, 13 forward and 60 backward.There are no state guesses backwards, as can be seen on the path.Forwards, we need to guess a total of 56 bits: 12 bits at round 7, 16 bits at round 8, 12 bits at round 11, 16 bits at round 12. Thus the list is of size 2 69 .In the middle, there are 64 bits of matching (a full state), so the merged list size is 2 65 .The overall complexity is dominated by the computation of the forward path: 2 69+183 = 2 252 .

Conclusion
In this paper, we extended the cell-based modeling of [SS22a] to find MITM attacks on ciphers and compression functions with simple key schedules.The attacks obtained show that the MITM technique is quite powerful when the key schedule is weak, even if the cipher itself has a good diffusion.
At the moment, we conjecture that our modeling is optimal when the key-schedule has only S-Boxes and permutations as defined in Section 2. A natural open question would be to extend this further to the case of key schedules with complex linear layers, like AES.However, this seems to induce complex linear relations between the key nibbles and complex relations between state and key, which only a more fine-grained modeling can capture [BGST22].For example, in preimage attacks on AES variants, one would like to guess nibbles or enforce constraints on linearly modified round keys (to have no impacts through MixColumns for example).Our model cannot find such constraints.
Regarding quantum MITM attacks, we have encountered instances of the Grover-meet-Simon attack [LM17] which cannot be turned "offline" [BHN + 19].Doing so would provide a valuable improvement of these attacks.

A Complete MILP Model with Keys
We give the generic MILP model for the GAD case, possibly with some matching through MixColumns.Matching through MC is possible only at the cells which are indicated to be Super S-Boxes.The pseudocode that we give below is a slightly different and simplified version of the file modeling.pyavailable at https://github.com/AndreSchrottenloher/key-mitm.
The input is given as a graph.We have a set of cells C with weights w c , a set of key nibbles K, a set of edges E ⊆ C × C × N × K which have both a weight and a key nibble attached, a set of key cells KC also with weights, and corresponding input and output key nibbles.We assume that all edges and key nibbles have weight 1.
Since this modeling is built over [SS22a], we indicate the new parts that are related to key nibbles in orange (lines 10-31).The variable names |x|, |k F |, |k S |, |k B |, F , B , M are taken in order to connect immediately to the formulas of Equation 8 and Equation 9.
Variables for the coloration of cells and basic constraints on the path 1: for all cell c ∈ C do 2: Variable (boolean) cell_col L [c] for L ∈ {F, B, M, N } Forward, backward, merged cells and also "new merged" cells which can appear if the cell is a Super S-Box If c is not a Super S-Box, Constraint cell_col N [c] = 0 5: end for 6: For all round r, Constraint "no N cell for both r and r + 1" 7: Constraint "at least one round without B cell" 8: Constraint "at least one round without F cell" 9: Constraint "at least one round with all cells M " Variable and constraints on the coloration of key nibbles 10: for all key nibble k ∈ K do If both cells are backward (or "new merged" for the below cell) then key nibble is backward or shared 16: Constraints on the coloration of key cells 18: for all key cell kc do 19: for k in input and output key nibbles of kc do 22:

B.2 Key-recovery Attack on FUTURE
We detail the algorithm of the attack given in Section 4.2 (Figure 6).Recall that a single round of Future applies the following operations: SubCells, MixColumns, ShiftRows, AddRoundKey, and there is a "pre-round" key addition before round 0. The key addition alternates between k 0 and k 1 where k 0 is first added in the pre-round.
The attack does not depend on the specification of the S-Box nor the MixColumns, as soon as the matrix is MDS.Like above, we will introduce many linear functions L i , L i without giving their full specification.The S-Box is denoted S. Notation.Our notation coincides with Figure 6 as follows.Rounds are numbered from 0 to 9. We use (x i 0 , x i 1 , x i 2 , x i 3 ) to denote the 4 columns of the state at the beginning of round i, thus (x 0 0 , x 0 1 , x 0 2 , x 0 3 ) is the state after the pre-round key addition, and before the first S-Box layer.We denote by (z i 0 , z i 1 , z i 2 , z i 3 ) the state after the MC layer of round i.On the figure this means that x i j is the value on the top of cell c i j (incoming edges), and z i j the value on the bottom (outgoing edges).For a column x i j , we use x i j [u] (0 ≤ u < 4) to denote individual 4-bit nibbles in this column.The SR operation transforms the state as follows: We use x i j [u][v] (0 ≤ v < 4) to denote individual bits within a nibble.The key bits are denoted k j [i] for j ∈ {0, 1} and i ∈ {0, . . ., 63}.Finally, multiple bits (resp.nibbles) will be denoted either x[u, u ] or x[u−u ] for a range of values {u, . . ., u }.As an example, the state at the beginning of round 1 is related to the state at round 0 by: Path Details.In the attack, the forward and backward key bits are: and the shared key bits k S are the 92 remaining others.The 15 state nibbles which are fixed (cut set) are the following: x 1 2 [2, 3], x 1 3 [0, 1, 3],

C.2 Application to Saturnin-Hash
The path of our quantum pseudo-preimage attack on the Saturnin-Hash compression function, reduced to 7 Super-rounds, is given in Figure 10.The forward list is of size 2 16×4 , the backward list is of size 2 16×2 , and in both cases this comes only from the key nibbles.A total of 16 state nibbles are fixed: 6 green edges between R 3 and R 4 , 4 green edges between R 4 and R 5 , and 3 + 3 precomputed linear relations through c

C.3 Application to Saturnin
The best classical key-recovery attack (in the single secret-key model) on Saturnin is the DS-MITM attack on 7.5 Super-rounds reported in [CDL + 20], with time complexity 2 244 .This corresponds to 7 Super-rounds followed by another S-Box layer, and a key addition.
With our framework, we reach 6.5 Super-rounds with the path of Figure 11.The time complexity is 2 248 , and the data complexity is similar.The forward list contains half a key nibble (k 12 ) and two halves of state nibble guesses, so it has size 2 24 .The backward list contains 3.5 key nibbles (k 6,10,14 , k 12 ).There are 2 nibble conditions for merging (one through c 1 2 and one through c 4 0 ), so the merged list is of size 2 24 .For comparison, the best classical attack on 6.5 Super-round Saturnin would be a Square attack, which initially targets 6-round AES [FKL + 00].State nibbles in Saturnin are twice the size of AES bytes, so the complexities are (roughly) squared.To accommodate the additional half Super-round, the time increases by a factor 2 64 (corresponding to the All lists are of size 2 20 .In the forward list, besides the 7 key bits, we need 8 bits of state guesses at round 4 and 5 bits at round 6.In the backward list, we need 4 bits at round 7.Then, because we know 4 backward cells at round 7 and 5 forward cells at round 6, there is 4 × 4 = 20 bits of matching between them, so the merged list is also of size 2 20 .A search for quantum attacks does not yield the same results.We find valid paths when removing two rounds.However, for Fly the number of rounds reached is smaller than quantum linear attacks [Sch23] and for Pipo-128 this is only as good.

Figure 2 :
Figure 2: Two rounds of AES with two keys k and k , using the Super S-Box representation.

t
calls to the oracle O f : |x |0 → |x |f (x) are sufficient to reach a state very close to: 1 √ t

Figure 3 :
Figure 3: Two global guesses (green ↔ edges) in the path of an AES-like cipher.

Figure 4 :
Figure 4: Key addition in the Super S-Box case.

Figure 6 :
Figure 6: Path of the key-recovery attack on full Future.Individual edges correspond to S-Boxes, which are aligned with groups of 4 key bits.

Variable
(boolean) key_col L [k] for L ∈ {F, B, S} 12: Constraint key_col B [k] + key_col F [k] + key_col S [k] = 1 13: end for 14: for all edge (c, c , w, k) do If both cells are forward (or "new merged" for the below cell) then key nibble is forward or shared 15: Total amount of key nibbles 27: Variable (integer) |k L | for L ∈ {F, B, M, S} 28: for L ∈ {F, B, S} do Forward and Backward Computations.The forward path (Algorithm 1) starts at round 2 and stops at round 0. The backward path (Algorithm 2) starts at round 4 and stops at round 2.
be the output size of f F and f B .From now on, these sizes are counted in nibbles, and the complexity formulas would need to be re-scaled depending on the nibble size.The attack does:1.fix the value x 2. compute the list of all k B , f B (x, k B ): time 2 |k B | (we neglect the time to sort the list by the second entry)3.for each k F , compute f F (x, k F ) and enumerate all the pairs k F

the Cut Set / Initial Structure. The cut
the memory complexity is min(2 |k B | , 2 |k F | ).

3-Subset MITM Attack. The
[BR10]et MITM attack[BR10]partitions the key space in three sets.Alongside the forward and backward key nibbles, we define shared key nibbles k S of length |k S |, and the forward and backward paths are now computed as:f F (x, k F , k S ) and f B (x, k B , k S ),where k F and k B are disjoint.The MITM attack now runs as follows: we fix x, and for each choice of k S , we compute the pairs (k The time complexity becomes: and the memory complexity is min(2 |k B |+|y B | , 2 |k F |+|y F | ).To have a valid attack, we need |y B | + |y F | < |f |, i.e., the guesses allow to deduce more matching state nibbles.