Improved Meet-in-the-Middle Nostradamus Attacks on AES-like Hashing

. The Nostradamus attack was originally proposed as a security vulnerability for a hash function by Kelsey and Kohno at EUROCRYPT 2006. It requires the attacker to commit to a hash value y of an iterated hash function H . Subsequently, upon being provided with a message prefix P , the adversary’s task is to identify a suffix S such that H ( P ∥ S ) equals y . Kelsey and Kohno demonstrated a herding attack requiring O ( √ n · 2 2 n/ 3 ) evaluations of the compression function of H , where n represents the output and state size of the hash, placing this attack between preimage attacks and collision searches in terms of complexity. At ASIACRYPT 2022, Benedikt et al. transform Kelsey and Kohno’s attack into a quantum variant, decreasing the time complexity from O ( √ n · 2 2 n/ 3 ) to O ( 3 √ n · 2 3 n/ 7 ). At ToSC 2023, Zhang et al. proposed the first dedicated Nostradamus attack on AES-like hashing in both classical and quantum settings. In this paper, we have made revisions to the multi-target technique incorporated into the meet-in-the-middle automatic search framework. This modification leads to a decrease in time complexity during the online linking phase, effectively reducing the overall attack time complexity in both classical and quantum scenarios. Specifically, we can achieve more rounds in the classical setting and reduce the time complexity for the same round in the quantum setting.


Introduction
Cryptographic hash functions serve as fundamental cryptographic primitives, forming the basis for numerous advanced cryptographic protocols like digital signatures, authenticated encryption, secure multiparty computation, post-quantum public-key cryptography, and more.To be considered secure, a cryptographic hash function must satisfy three essential security properties: collision resistance, preimage resistance, and second-preimage resistance.
At EUROCRYPT 2006, Kelsey and Kohno [KK06] introduced a new security property for hash functions called the chosen target forced-prefix (CTFP) preimage attack, also known as the Nostradamus attack.In this attack, the attacker knows the length of the prefix P and selects a public hash value h T .The challenger then provides a prefix P , and the attacker is aiming to find a suffix S such that h T = H(P ∥S).This attack resembles a hash-function-based commitment scheme, where the attacker uses h T to commit a prediction of an event P in the future.Kelsey and Kohno [KK06] proposed the herding attack as the first Nostradamus attack, which is a generic attack applicable to any iterated hash function.For an n-bit output hash function, the herding attack can find a CTFP preimage with a short suffix in approximately O(2 2n/3 ) evaluations of the compression function.
Quantum Cryptanalysis.Besides the well-known quantum attacks on public-key cryptosystem RSA by Shor [Sho94], researchers have invented various quantum cryptanalysis techniques for symmetric ciphers over the past decade, such as the quantum polynomialtime attacks on 3-round Feistel [KM12], Even-Mansour construction [KM10], and various MACs and authenticated encryption schemes [KLLN16a], and more [LM17, BLNS21, BNS19a, DDW20, Hos22].However, most attacks need to query the online quantum encryption oracles (known as Q2 model), which is believed to be impractical.Therefore, many researchers [BHN + 19, HS, KLLN16b, HS18, BNS19b, Sch23, CNS17] try to use only offline quantum computers to attack cryptosystems, where the plaintext-ciphertext pairs collected in classical ways (known as Q1 model).Different from block ciphers and other keyed primitives, the unkeyed hash functions can be implemented in offline quantum circuit and quantum superposition attacks [CNS17, HSX17, NS20, HS20, DSS + 20, HS21, SS22] can be freely applied to hash functions.
At ASIACRYPT 2022, Benedikt et al. [BFH22] examined the security of iterated hash functions against Nostradamus attacks by quantum attackers.They proposed generic quantum Nostradamus attacks, which involve a herding attack in the quantum setting, accelerating both offline and online phases when quantum random access memory (qRAM) is available.However, it is generally acknowledged that the difficulty of fabricating large qRAMs is enormous [GLM08, AGJ + 15], so quantum algorithms that use less or no qRAM (even with relatively high time complexity) are preferable [CNS17,NS20].Therefore, Bao et al. [BGLP22] and Dong et al. [DLPZ23] proposed the low-qRAM version quantum herding attacks recently.
At ToSC 2023, Zhang et al. [ZSWH23] introduced the first dedicated Nostradamus attack utilizing the meet-in-the-middle (MITM) approach in both classical and quantum settings.Using an automatic tool, they successfully identified herding attack trails on reduced-round AES-MMO and Whirlpool that outperformed generic attacks proposed by Benedikt et al. [BFH22].
Multi-targets MITM and AES-like hashing.In 2010, Guo et al. [GLRW10] introduced a meet-in-the-middle attack that extends the framework to incorporate multi-target scenarios.This approach allows multiple available targets to provide additional degrees of freedom to one computation chunk without affecting the other.At FSE 2011, Sasaki [Sas11] was the first to employ MITM techniques to carry out preimage attacks on AES-like hash functions.At ToSC 2019, Bao et al. [BDG + 19] combined the multi-targets and MITM techniques to carry out pseudo-preimage attacks on AES hashing modes based on AES and Kiasu-BC.
Our contributions.In contrast to collision and preimage attacks, the resistance against the Nostradamus attack is seldom examined in iterated hash functions [KK06,BSU10,ABDK09].Building upon recent advancements in quantum Nostradamus attacks on hash functions [BFH22,ZSWH23], we introduce a multi-target Meet-in-the-Middle Nostradamus attack on AES-like hashing.This approach has the potential to provide incremental improvements to the results demonstrated by [ZSWH23].By introducing the multitargets technique, we have been able to attain higher rounds compared to previous results.Additionally, in line with Schrottenloher and Stevens' approach [SS22], we have transformed our attack into the quantum setting.Through this, we discovered that our quantum attack's time complexity can be enhanced while maintaining the same number of rounds.Interestingly, our multi-target technique differs slightly from the approach in the pseudo-preimage attack [BDG + 19].Essentially, we enhance the freedom within the target, without limiting it to either forward or backward propagation.

Remark.
Our results are presented in Table 1.It's worth noting that certain time and memory complexity values differ from those presented by [ZSWH23] for the same attacks.We will elaborate on the reasons for these differences in Section 3.1.

Outline.
Section 2 provides a brief introduction to the target primitives, the generic Nostradamus attack, and the MITM preimage attack on AES-like hashing.The framework and main techniques of our MITM Nostradamus attack are summarized in Section 3, followed by the explanation of our MILP Model in Section 4. Results of classical and quantum Nostradamus MITM attacks are given in Section 5. Section 6 concludes the paper.

Hash functions based on AES and Whirlpool
AES is a block cipher family of 128-bit block and k-bit key for k ∈ {128, 192, 256}.The state has 16 bytes and can be represented as a 4 × 4 matrix.Given a N row × N col bytes of the state matrix, where N row = N col = 4, we order the byte cells as in Figure 1.Then the state is encrypted by an iterative process which is repeated for 10, 12, and 14 rounds, for AES-128, AES-192, and AES-256, respectively.An AES round function, as depicted in Figure 1, is an Substitution-Permutation Network (SPN), and composed of four consecutive operations: SubBytes (SB), ShiftRows (SR), MixColumn (MC), and AddRoundKey (AK).
The master key k is (partially) XORed to the state before the initial round function application.This key is then utilized to generate r subkeys using the KeySchedule (KS) function.As our attack model does not require the key, we omit its specific details.
• SubBytes involves a nonlinear substitution that employs the same S-box for each byte of the internal state.
• ShiftRow is characterized by cyclically rotating the i-th row by i bytes to the left, where i takes values from 0 to 3.
• AddRoundKey corresponds to performing an exclusive-OR operation with the rounddependent key.
Whirlpool [BR + 00], as illustrated in Figure 2, is a hash function that draws a strong foundation from AES, albeit with an increased state size.Instead of ShiftRows (SR) and MixColumns (MC), it employs ShiftColumns (SC) and MixRows (MR).Whirlpool adopts an 8 × 8-byte (512-bit) state and is composed of 10 naturally extended AES rounds.The compression function output is generated using the MP mode, which is introduced below and depicted in Figure 3.
To construct hash functions based on block ciphers, a domain extension is required to apply the compression function iteratively.The widely employed domain extension in practice is the Merkle-Damgård approach [Dam90,Mer90].This method involves padding the input message, denoted as M , such that the last block contains the original message length.The padded message is then divided into segments, M 0 ∥M 1 ∥ . . .∥M L−1 , with each segment M N being the length of a single block.An initial value H 0 is defined, and the iteration H N = CF (H N −1 , M N −1 ) is carried out for N = 1, 2, . . .L. Ultimately, H L is produced as the hash value of M .The iteration function is built upon the DM mode, MMO mode, MP mode, etc.Let E K denote a block cipher E with a key K.The construction process for each mode is illustrated in Figure 3 and expressed in following formulas.

Nostradamus Problem and Herding Attack
When Kelsey and Kohno introduced the Nostradamus problem [KK06], they also presented an elegant attack framework for general iterated hash functions, known as the "herding attack".The herding attack is composed of two phases.The offline phase involves calculating numerous chaining values and message blocks that ultimately result in the same hash value being committed.In the online phase, the goal is to identify the message block that can establish a connection between the chaining value from the chosen prefix and one of the chaining values acquired during the offline phase.The detailed algorithm could be illustrated as following: -Offline phase: As an example given in Figure 4(b), build a diamond structure with 2 k leaves, k will be determined later to balance the time complexity of offline and online phases.Diamond is built in a way to find multi-collisions, each node x i in the diamond represents a hash state or hash value, each edge m j represents a message block so that two nodes x i1 , x i2 are connected by the edge m j , and they satisfy the relation CF (x i1 , m j ) = x i2 .Kelsey and Kohno [KK06] present an algorithm which commences by sampling the leaf nodes and then progressively constructs the tree level by level.This is achieved by attempting various message blocks for each node in order to find collisions.Their algorithm requires approximately 2 (n+k)/2 function evaluations.However, Blackburn et al. pointed out a flaw in the construction method and its complexity as presented in [KK06], subsequently providing a more meticulous analysis and construction method in [BSU10].The approach presented in [BSU10] requires approximately O( -Online phase: As shown in Figure 4(a), the online phase encompasses steps 2 to 4, commencing with the reception of the chosen prefix P .Initially, IV and P are used to determine the intermediate hash state x.In step 3, the key aspect of this online phase is to locate the connecting message M link from x to one of the 2 k leaves x j from the offline phase.This operation incurs a time cost of 2 n−k .In step 4, the objective is to search the stored diamond for the pathway from x j to h T , wherein the message blocks M j are retrieved.The suffix that fulfills the commitment h T will be composed as x 1 x 2 x 3 x 4 x 5 x 6 x 7 x 8 x 10 x 11 x 12 x 13 x 20 x 21 x m 00

Figure 4: Herding Attack
The quantum version of the herding attack is proposed in [BFH22], with acceleration occurring in both the offline and online phases.The quantum online phase is relatively straightforward, as it leverages the Grover algorithm to expedite the process from ).On the other hand, the offline phase is quantized using the quantum collision-finding algorithm, reducing the time complexity from O(2  [CNS17].Their time complexity to build the 2 k diamond structure is k 1/5 • 2 (2n+4k)/5 with a classical memory k 3/5 • 2 (n+2k)/5 .The time complexity to find the M link is 2 (2 r/2 + 2 k ) with r ≤ n.Hence, the total time complexity is The classical memory complexity is bounded by the construction of the diamond structure, i.e., k 3/5 • 2 (n+2k)/5 .When k = n/13 and r = 2n/13, the optimal complexity is achieved which results in O(2 6n/13 ) = O(2 0.46n ) time complexity and O(2 3n/13 ) = O(2 0.23n ) classical memory.

The MITM Preimage Attack and Automation Framework
Brief Introduction.The MITM technique capitalizes on the loop structure determined by PGV modes and splits the computation of an encryption-based hash function into two chunks, forward and backward.The bytes involved in the encryption are categorized as: • neutral bytes, values of which remain exclusive to the current chunk and exert no influence on the other.The forward neutral bytes are visualized as a blue cell , while the backward are visualized as red cells .
• constant bytes, values of which are pre-determined and known in both chunks, visualized as gray cells .
Let the space for both neutral words ma and m b be 2 ¸, the time complexity is 2 n≠¸, and memory complexity is 2 ¸.

Figure 4:
The advanced MITM pseudo-preimage attack on DM-mode [Sas11] 2. The neutral bytes for each chunk -the selection on the neutral bytes will determine the freedom degrees.
3. The bytes for matching -the derivation on the bytes for match also depends on the selection of neutral bytes and the computation rule of the attack target.
With the above configurations decided, the attack procedure goes as follows (Figure 4 illustrates the MITM pseudo-preimage attack integrating with these advanced techniques on Davies-Meyer mode): Denote the neutral words for the forward chunk and backward chunk by N f and N b , respectively: 1. Fix all other words except for the neutral words N f and N b in the initial structure to arbitrary values.
2. For all possible values of N f , forward compute from the starting point to the matching point at the final state of the forward chunk to get a list L f of candidate values indexed by the value of N f .
3. For all possible values of N b , backward compute from the starting point to the matching point at the final state of the backward chunk to get a list L b of candidate values indexed by the value of N b .
4. Sorting the two lists L f and L b using hash tables, check whether there is a match/partialmatch between them.
5. In case of partial-matching used in the above step, for the surviving pairs, check for a full match.
6. Repeat the whole procedure to find full state matches by changing the values of fixed words.

The Complexity Analysis.
Denote the size of the internal state by n, the freedom degrees in the forward and backward directions by d 1 and d 2 respectively, and the number of bits for the match by m.

8
Figure 5: The latest MITM pseudo preimage attack framework [Sas11], "Target" depicted on the right side of the figure is to be regarded as "Multi-targets", as under discussion in this paper.
• arbitrary bytes, values of which are determined by both forward and backward neutral bytes, thus can be computed independently in neither chunk, visualized as white cells .
The setting enables the computational independence of the two chunks.The two chunks meet in the middle at a shared intermediary state called the "matching point", where certain local constraints, namely partial-match constraints, are invoked to ensure the correctness of the enclosed computation.A MITM attack will filter the candidates by checking if the partial-match constraints are met before checking if it constitutes a valid preimage.
2. Based on the values of the constant bytes, precompute the input for both chunks, denoted by N + for the forward chunk and N − for the backward chunk.Assume 3. For N + , compute the forward chunk and store the value at the matching point in table T + .
4. For N − , compute the backward chunk and store the value at the matching point in table T − .

Filter T + and T
6.For an expected total of 2 d B +d R −d M candidates, check if it constitutes a match on full states.
7. Should a full match be identified, a preimage is determined.Otherwise, return to Step 1, alter the arbitrary values, and repeat Steps 2 to 6.
The computational complexity of this attack can be computed as demonstrated in [BDG + 19]: (2) and the memory complexity would be 2 max(d B ,d R ) , but it can be reduced to 2 min(d B ,d R ) by storing only the smaller table and computing the other chunk for matching.
Quantum Variant.The quantum Meet-in-the-Middle attack was initially introduced by Schrottenloher and Stevens [SS22].They managed to achieve a quadratic speedup by utilizing quantum algorithm.We maintain the utilization of the same formula and model as presented in prior works, specifically [SS22,ZSWH23].In this framework, when a meet-in-the-middle trail is defined by distinct blue, red, gray, and white cells, we can derive the degrees of freedom d B , d R , d M .As outlined in Theorem 3 in [ZSWH23], the time complexity of the quantum attack can be expressed as 2 which would be elaborated below.
The meet-in-the-middle attack procedure could be regarded as two-layer loop search, outer loop works on the constant bytes of the gray cells or step 1 of Procedure 2.3.After these bytes are fixed to some value, the inner loop would start from step 2 to 6 of Procedure 2.3.Use Theorem 1, the quantum time complexity of inner loop can be bounded by quantum evaluations of the attacked block cipher.Assume there is a single solution, then the iteration time of the outer loop will determined by the search space of constant bytes, i.e., . Combining the outer and inner loop, the final quantum time complexity would be Theorem 1 ([BHMT02], Theorem 4).Let A be a quantum algorithm that uses no measurements, let χ : Z → {0, 1} be a boolean function that tests if an output of A is "good".There exists a quantum algorithm that given the initial success probability a > 0 of A, finds a good solution with certainty using a number of applications of A and in the worst case.To achieve a realistic speedup, it's necessary to assume the availability of quantum memory for storing the values of the forward or backward chunks at the corresponding points to facilitate quantum lookup.In fact, quantum memory is also required for the offline constructed diamond structure.qRAM.Quantum random access memory (qRAM) can be conceptualized as the quantum counterpart of classical random access memory (RAM).In the classical setting, RAM facilitates constant-time access (both read and write operations) to memory elements, regardless of storage size.qRAM also operates with constant-time access and is categorized into two types: quantum-accessible classical memory (QRACM), enabling access to classical data in quantum superpositions, and quantum-accessible quantum memory (QRAQM), wherein the data is stored within quantum memory.Consider a scenario where we intend Improved Meet-in-the-Middle Nostradamus Attacks on AES-like Hashing to store a list of data, denoted as D = (x 0 , x 1 , • • • , x 2 k −1 ), with each x i representing an n-bit data.In this context, the qRAM for accessing the data D is established as a quantum gate.This qRAM is defined through a unitary operator U qRAM (D), which is expressed as follows: Here, i takes values from the set {0, 1} k , and y represents an n-bit value.

Previous MITM Nostradamus Framework
In [ZSWH23], the MITM Nostradamus attack constructs the diamond structure using exactly the same method, requiring equivalent time and memory complexity for a given number of leaves 2 k .The shift occurs during the online phase, which transitions from exhaustive search to a different approach-either random sampling in the classical setting or Grover search in the quantum setting.Zhang et al. [ZSWH23] employ the MITM framework to search for linking message blocks, progressing from the prefix to one of the leaves.In brief, by using the prefix as the key and the leaves as the multiple images in AES-like MMO/MP hashing function, the MITM online phase is then employed to locate a single preimage.This approach yields improved time complexity, particularly when the degrees of freedom in terms of forward, backward, and matching chunks are thoughtfully chosen.
Specifically, the time complexity of the online phase is , the omission of big O notation includes the exclusion of constant factors such as π/4 from Grover's algorithm.Zhang et al. reference the results of time complexity established by Benedikt et al. and claim that, the generic Nostradamus attack's time complexity on any round of AES is 2 88.8 in the classical setting and 2 57.2 in the quantum setting.However, we have found that these results were computed using further simplified formulas, namely, ) in the quantum setting, with k = n/7 substituted into the formula above.However, when we evaluate b q (n, n/7), we find that it equals ( 3 n 7 + 1) • 2 3n/7 , and for the specific case of n = 128, b q (128, 128/7) results in 2 56.7 .It's worth noting that for the function b q (n, k), using a smaller k can lead to a reduction in its value.This adjustment helps in achieving a more balanced outcome between the two terms.As an illustration, when k is set to 17, b q (128, 17) = 3 √ 17 × 2 54 + 2 55.5 = 2 56.4 .When they introduced a 7-round quantum Nostradamus attack on AES-MMO, the total time complexity was 2 56 , where 2 56 for the online phase and 2 50 for the offline phase.The time complexity is remarkably close to our calculated balanced generic complexity of 2 56.4 , as opposed to their claim of 2 57.2 .This raises concerns about the validity of their 7-round attack.
Similarly, we can calculate the classical time complexity of a generic Nostradamus attack, which is b This achieves its smallest value of 2 88.1 when k = 42.
As for Whirlpool, the specific generic time complexity in the classical setting would be calculated as b c (512, 169) = 2 344.7 when k = 169, and the quantum complexity would be b q (512, 71) = 2 221.3 when k = 71.
In regards to the unit of time complexity, it is imperative to acknowledge that the time complexity of the Nostradamus attack is gauged by the number of function evaluations, specifically the time required to evaluate a particular instance of AES-like hashing in both classical and quantum settings.

Memory Complexity.
In both [BGLP22] and [ZSWH23], the memory complexity are cited incorrectly.In the context of classical attacks, the algorithms introduced by [KK06] and [BSU10] construct a diamond structure of size 2 k .This approach comes with a memory complexity of O(2 (n+k)/2 ), as each node necessitates O(2 (n−k)/2 ) messages that need to be stored and sorted.For the quantum attack algorithm presented by [BFH22], a diamond structure is constructed for half of the leaves in similar manner.Each node in this structure invokes O(2 (n−k)/3 ) hash evaluations to balance time complexity, resulting in a QRACM complexity of O(2 (n+2k)/3 ).This complexity aligns with the time complexity, irrespective of constant factors.The accurate memory complexity is presented in Table 1.
Regarding the unit of memory complexity, it is noteworthy that the predominant factor of the memory complexity is the memory used in the diamond structure part, responsible for storing triplets (m j , r, CF (x i1 , m j )), as explicated in Section 2.2.Consequently, the unit for memory complexity becomes the triplet length, or O(7n/3) bits.

Modified Multi-target MitM Nostradamus Framework
While reviewing the MITM trails presented in [ZSWH23], we have identified room for improvement in their analysis of freedom.To capitalize on the potential of multiple targets offered by the diamond structure, the authors of the study limit the cells in the target state to red, blue, or gray.This categorization allows red and blue cells to serve as multi-target parameters.In this particular scenario, the degrees of freedom of d B , d R are calculated from d ENC B + d TAG B , and ) represents the count of blue (red) cells in the initial state of the encryption computation path, i.e., #SR 4 in Figure 6, while d TAG B (d TAG R ) signifies the number of blue (red) cells in the target state, i.e., bottom state "original" or "new" in Figure 6.
Let's consider an extreme scenario where blue or red cells in the target state could be freely substituted with an equivalent number of white cells.In other words, as illustrated in Figure 6, modifying the target state in this manner doesn't impact the colors of any other state within the differential trail.In this case, the time complexity transitions to 2 , where d W represents the degree of freedom of white cells in the target state.Notably, the complexity is less than or equal to the original complexity Therefore, introducing white cells could potentially lead to the discovery of better differential trails for MITM attacks.
Our novel model takes into account a scenario where blue, red, gray, and white cells could appear simultaneously in the target state, representing a generalized version of [ZSWH23].If we denote k to be the number of targets employed for the MITM attack, which should be less than or equal to d W , the time complexity would be 2 The size of the diamond structure would now be 2 k+d TAG B +d TAG R , resulting in a time .The parameter k is chosen within the range of 0 to d W to strike a balance in the time complexity of the two phases.
Another important difference would be the elimination of the condition of since our viewpoint is that the necessity for the quantum attack to achieve quadratic acceleration isn't absolute.The sole criterion for assessing the validity of the quantum attack is that its time complexity is lower than the corresponding generic bound.
Remark 1.In all the MITM differential trails we found for herding attacks on dedicated ciphers like AES-MMO and Whirlpool, there are, in fact, no blue and red cells in the target state, i.e., d TAG B = d TAG R = 0. Instead, the target state consists only of gray and white cells.The reasons for the optimization results produced by automated tools require further analysis.
In our analysis of the approach to identifying potential Nostradamus attacks on AES-like hashing, it was observed that the parameter d TAG does not plays a significant role since the presented paths showed d TAG B = d TAG R = 0.This is in contrast to previous models discussed in [ZSWH23], where d TAG was considered indispensable due to multi-target requirement.
Focusing solely on the online phase for searching linking messages in a classical setting, the dedicated MitM approach exhibits a time complexity of 2 n−min (d However, to identify a valid Nostradamus attack when the generic time complexity T is known, two additional constraints must be considered: A valid MITM path for preimage attack may not necessarily result in a valid Nostradamus attack, but the presence of a sufficient number of white bytes in the target state within the path make it a potential candidate for a MITM preimage attack.

MILP Model
This section describes how the search for MITM Nostradamus attacks is automated with Mixed-Integer Linear Programming (MILP).The source code of our model is available at https://github.com/shahuiz/MITM-Nostradamus.

Automation Framework
An overview of the automatic search framework is provided before the modeling details are illustrated.As the degree of freedom from the key schedule is not to be efficiently exploited in the attack [ZSWH23], the framework is built on top of a conventional automated MITM attack in a single-key setting with a twist on the optimization objective.
The special states in a MITM attack are identified using the following notations: • ← → S ENC : the starting encryption state for forward and backward chunks.
• ← → S TAG : the target state for forward and backward chunks.
• − − → End: the terminating state of the forward chunk.
• ← − − End: the terminating state of the backward chunk.
• ← → M : the matching round operator between the two terminating states.
The positions of the aforementioned special states determine different patterns of segmenting the closed loop.By default, the patterns are specified in a round-level accuracy.The attack configuration parameter config is defined as the ordered tuple with the following attributes: • TOTAL: the total attacked rounds.
• START: the round index of ← → S ENC .
In our attack, initial degrees of freedom (DOFs) could be originated from the state as well as the target.The bytes in ← → S ENC and ← → S TAG are thus partitioned into pairwise disjoint subsets with different coloring (i.e.blue, red, gray, and white).The subsets are named after the first letter of the coloring with source superscripted: B ENC , R ENC , G ENC , W ENC and B TAG , R TAG , G TAG , W TAG .− → ι and ← − ι are used to denote the initial DOFs of forward and backward computations.Additional constraints may be added during the attribute propagation of each chunk to negate mutual impact and retain computational independence, which will be reflected in the consumption of the initial DOFs.We use − → σ and ← − σ to track the consumed Improved Meet-in-the-Middle Nostradamus Attacks on AES-like Hashing DOFs.The remaining DOFs at the end of each computation are denoted as d B and d R .
Intuitively, we have: The degree of matching d M is determined by the choice of ← → M and the byte distribution of − − → End and ← − − End.If MATCH locates at the last round, ← → M is the XOR operator of the feedforward step.Otherwise, ← → M is selected to be a MixColumns operator.We define the number of bits in a byte as a constant denoted by NBYTE, which equals 8.In the classic setting, the MITM attack would outperform brute force search (in the logarithm of 2) by the factor of τ C with the formula: In the quantum setting, the speed up τ Q in comparison with a plain Grover's search over the preimage space is also determined by the imbalance between blue and red remaining degrees: The Guess-and-Determine (GnD) technique proposed in [BGST22] is incorporated into the classic attack framework.In cases where some white cells ruined information at the MixColumns operator, GnD provides an alternative to guess the byte to fulfill the requirements for propagation and compensate with costs.In the search for extended-round attacks on ciphers with large intermediate states, GnD proved its superiority when the significance of successful propagation outweighed the cost.We use g B to count the guessed blue bytes, g R the guessed red bytes, and g BR the guessed linear composition of both blue and red bytes.The advantage that the GnD-integrated MITM attack brings in comparison to brute force (in the logarithm of 2) is denoted by τ GnD with the formula: A conventional single-key single-target MITM framework is concluded above.In our proposed multi-target setting, the online MITM phase could be accelerated by searching for a partial match instead of a full-state match.We use k w to denote the number of bits that could be arbitrary during the partial match: The offline phase of the Nostradamus MITM attack builds a diamond structure for the herding attack, the height of which is denoted by k d (in the logarithm of 2).The value of k d is determined by the number of partial targets obtained during the online MITM phase.In the multi-target setting, both the arbitrary bits and the active bytes in the target contributes to k d .Thus, we have: The overall performance of the attack should be determined by the balance of offline and online phases.The optimization objective will be discussed in both classic and quantum settings.We denote the block length of the cipher as N .
Classic Objective C is formulated as follows: In addition, to yield a meaningful attack that outperforms the corrected generic bound given in section 3.1, we add: Quantum Objective Q is formulated as follows: Similarly, we also add:

MILP Modeling
In this subsection, we dive into the details of how to model the attack with the MILP language.

Encoding Scheme
We model the intermediate states with three boolean variables: b, r, and w.

Propagation Rules
Taking the example of AES for illustration, it's worth noting that Whirlpool follows similar principles.

SubBytes
The operator is an identity transformation.Such construction could be easily obtained by the convex hull method, which is a common and well-referenced technique in MILP-based automation.
XOR Due to the single-key setting, the XOR operators are only deployed at the last round, where the output is mixed with the target.An XOR operator input 2 bytes and output 1 byte.The rule is described as follows: • When the input involves a white byte, the output is white with no DOF consumption.
• When the input contains only gray bytes, the output is gray with no DOF consumption.
• When the input contains only blue bytes, the output is either blue with no DOF consumption or gray with 1 DOF consumption from the forward chunk.(− → σ = − → σ + 1) • When the input contains only red bytes, the output is either red with no DOF consumption or gray with 1 DOF consumption from the backward chunk.
• When the input is a mix of red and blue bytes, the output is white: The rule requires two extra binary variables at each output position to track the cost of DOF and could be converted to constraints by the convex-hull method.
Improved Meet-in-the-Middle Nostradamus Attacks on AES-like Hashing MixColumns A MixColumns operator inputs and outputs a column.We denote the cardinality of a column as NROW, which equals 4. We could compose the basic rule for the MixColumns operator by introducing two extra integer-valued variables to track the cost of DOF, which is detailed as follows: • When the input contains a white byte, the output contains only white bytes with no consumption of DOF.
• When the input contains only gray, the output contains only gray bytes with no consumption of DOF.
• When the input is a mix of i blue bytes, j red bytes, k gray bytes (k < NROW), l white bytes, the output will be a mix of a blue bytes, b red bytes, c gray bytes and d white bytes, with a + c consumed DOF from the backward chunk and b + c consumed DOF from the forward chunk.The relation is formulated as: GnD-MC The construction of MixColumns operator with GnD integrated is organized as follows.Conceptually, GnD is implemented as an independent operator, leading to the propagation: A → GnD → B → MC → C, where A, B, C represent intermediate states.
Through our optimized construction, we can bypass the intermediary state B and directly transform A to C using a GnD-MC operator.To achieve this objective, we introduced 4 additional GnD switches for an input byte α, namely g w α , g b α , g r α , g br α .The switches are binary that satisfy: With the incorporation of only 4 additional GnD switches, we achieve the realization of GnD-MC on top of basic MixColumns.Notably, this construction allows for convenient toggling of GnD on and off as required.
In this setting, if α is non-white, then all GnD switches are 0. Otherwise, exactly one GnD switch equals 1 while the rest are 0: g w α = 1 means GnD is not activated and byte α remains unknown, g b α = 1 means byte α is guessed as blue for forward propagation, g r α = 1 means byte α is guessed as red for backward propagation, and g br α = 1 means byte α is guessed white for both forward and backward propagation.Hence, the column becomes a mix of α g w α white bytes, α g b α + b α blue bytes, α g r α + r α red bytes, α g br α white bytes, and NROW − α (b α + r α + w α ) gray bytes after GnD.With the new byte distribution, we could call the basic model to properly address the propagation.
We adopt the MC-match at intermediate rounds around a MixColumns operator.It checks − − → End and ← − − End and counts the non-white bytes column by column.For a column β, if there exists t β > NROW non-white bytes, then we have a degree of matching t β − NROW at column β.The final d M could be formulated as follows:

Main Results on AES and Whirlpool
In this section, we use the notations as follows.The state before the SubByte operation of the r th round is denoted as #SB r .Similarly, the state before ShiftRow or ShiftColumn operation of r th round is denoted as #SR r or #SC r , the state before MixColumn or MixRow operation of r th round is denoted as #MC r or #MR r , the state before adding target is denoted as AT.And we denote the byte at the row i and column j of a state X as X NROW•j+i , where NROW is 4 in the context of AES and 8 in the context of Whirlpool.The attack starts with the precomputation of blue and red initial values.Recall that during propagation, constraints are imposed on certain cells to preserve propagation trails, represented by the consumption of DOF.An MITM attack fixes the value of such beforehand and precomputes the initial values satisfying those constraints.

Improved 6-round attack on AES-MMO
We have equivalently chosen #MC 3 as the initial state for both forward and backward chunks.And we have the input of the forward chunk B ENC as {#MC 3 0 , #MC 3 7 , #MC 3 10 , #MC 3 13 } and the input of the backward chunk R ENC = #MC 3 \B ENC .4. Feed the 2 32 possible inputs into the backward chunk and compute to #SB 2 .Compute eight bytes of the right side of Equation 20 and search the index of L to find the full state of #SR 3 .Check the 2 32+32−64 = 1 candidates for a full match.If a full match is found, exit with the obtained preimage of the given target.Otherwise, repeat procedures from step 2.
Complexity.The time complexity of the offline phase, as indicated in step 1, is approximately 2 76.2 .For the online phase of the meet-in-the-middle preimage procedure, spanning from step 2 to 4, the time complexity is 2 128−20−32 = 2 76 , memory complexity is 2 32 .Consequently, the overall time complexity of the MITM Nostradamus attack can be calculated as 2 76.2 + 2 76 , resulting in approximately 2 77 .The associated memory complexity, on the other hand, stands at 0.83 × 2 76.161 + 2 20 + 2 32 ≈ 2 76 .

7-round classical attack on AES-MMO
As a result, the time complexity of online phase is 2 (128−k−8)/2 = 2 60−k/2 .To achieve a balance with offline diamond construction phase whose time complexity is 3 √ k • 2 (128+2k)/3 , the optimal value for k is determined to be 14.Therefore, as long as the number of white bytes exceeds 2, setting k to 14 ensures the optimal total time complexity.Therefore, regardless of the number of degrees of freedom obtained from the TAG element, the ultimate complexity for achieving balance must be precisely 14-bit degrees of freedom.This results in a balanced value of 2 54.1 .The configuration of the MITM attack on 6-round Whirlpool is shown in Figure 10.We have equivalently chosen #SC 3 as the initial state for both forward and backward chunks.And we have the input of the forward chunk B ENC as {#SC 3 14 , #SC where cir (4,175,14,164,194,194,203,62) is the inverse matrix of Whirlpool linear diffusion layer cir(1, 1, 4, 1, 8, 5, 2, 9).Likewise, for rows 1, . . ., 7, an additional 14 equations would be necessary to maintain the partial match.This would result in a filter of 2 16×8 = 2 128 .Attack Procedure.The meet-in-the-middle Nostradamus attack procedure is executed in the following manner:

6-round classical attack on Whirlpool
1. Set the values of the 56-bit gray cells and 308 bits out of 456 white cells (e.g., 38 white bytes of the top 5 rows and 4-bit of TAG 5 ) in the target to zeros.Construct the diamond structure with 2 456−308 = 2 148 leaves which follows the configuration of the target, necessitating a time complexity of √ 148 × 2 (512+148)/2 = 2 333.6 and a memory complexity of approximately 0.83 × 2 333.6 , along with 2 148 memory to accommodate the diamond.enhance time complexity but also enable the realization of additional rounds within the classical setting.We apply our attack in various scenarios: conducting a classical MITM Nostradamus attack on a 7-round AES-MMO and a 6-round Whirlpool, and achieving an enhanced quantum MITM Nostradamus attack on both a 7-round AES-MMO and a 6-round

Figure 1 :Figure 2 :
Figure 1: The AES round function where d B , d R , d M correspond to the degrees of freedom for blue or forward chunks, red or backward chunks, and matching chunks in the classical (quantum) setting.The general time complexity is 2 n−k (2 1 2 (n−k) ) in the classical (quantum) setting.As a result, the values of d B , d R , d M , k need to be constrained in such a way that the dedicated time complexity outperforms the general time complexity.When integrating the MITM framework into the MILP model, these restrictions are replaced with their respective constraints.Time Complexity.Here, we will discuss time complexity calculation proposed by Zhang et al. [ZSWH23].Suppose Benedikt et al.'s quantum generic time complexity O

Figure 6 :
Figure 6: Substitute the target state in Figure 8 [ZSWH23] with an updated configuration The encoding scheme enables us to efficiently obtain |B ENC |, |R ENC |, |B TAG |, |R TAG |, |W TAG | by simply summing up the corresponding values of coordinates.

M
There are two types of matching equipped in our attack.The XOR-match is used in the last round around the feedforward.It checks − − → End, ← − − End, and the target TAG byte by byte, and m α = 1 if w α = 0 for − − → End, ← − − End, and TAG.The final d M is the summation over all m α s:

Figure 8 :
Figure 8: The 7-round attack on AES-MMO in classical setting

Figure 10 :
Figure 10: The 6-round classical attack on Whirlpool

Figure 11 :
Figure 11: The 6-round quantum attack on Whirlpool

Table 1 :
Summary of our improved MITM Nostradamus attacks against the round-reduced AES-like hashing, compared with previous works ENC B +d TAG B ,d ENC R +d TAG R ,d M ), which proves more efficient than the generic time complexity of 2 n−(d TAG 3 35 , #SC 3 38 , #SC 3 59 } and Improved Meet-in-the-Middle Nostradamus Attacks on AES-like Hashing the input of the backward chunk R ENC as 36 red cells in #SC 3 .Precomputation of blue initial and to-be-guessed values.Given that there are no restrictions applied to the forward chunk, we have the freedom to select the values of #SC 3 14 , #SC 3 35 , #SC 3 38 , #SC 3 59 and the values of guessed bytes of #MR 0 {7,14,22,23,30,31,38,39,47,54,62,63} , then propagate them to the corresponding states #MR 1 and #SB 2 .The input space of blue bytes has a size of 2 16×8 = 2 128 .Precomputation of red initial values.A total of 20 constraints are placed on the input space of the backward chunk at the MixColumns operator in round 3 and round 4. In round 3, #MR 3 11 , #MR 3 19 , #MR 3 27 , #MR 3 35 , #MR 3 51 and #MR 3 59 should have a constant impact on #SB 4 51 .The constraints can be outlined as follows, with c 0 representing predefined constants:5 • #MR 3 11 + 8 • #MR 3 19 + 1 • #MR 3 27 + 4 • #MR 3 35 + 1 • #MR 3 51 + 9 • #MR 3 59 = c 0 (26)While in round 4, the constraints are similarly put on c 1 , . .., c 19 .This would lead to an input space of size 2 (36−20)×8 = 2 128 for the backward chunk.Match between the matching states.The forward and backward computations conclude at #MR 1 and #SB 2 , and the matching process will be conducted row by row.For example, in row 0, we have obtained #MR 1 8 , #MR 1 16 , and #SB 2 24 , #SB 2 48 during the forward computation, and #SB 2 0 , #SB 2 8 , #SB 2 16 , #SB 2 32 , #SB 2 40 , and #SB 2 56 during the backward computation.If a partial match is present for column 0, it should adhere to the following: