複数のサッブキーを使う場合に一つの値を解き当ててほかのキーを計算する方法があるらしいです。
Another form of cryptanalysis is known as the "Meet in the Middle Attack". If equations for the cipher express the ciphertext in terms of the plaintext and all subkeys, we can rewrite them to express one subkey in terms of the plaintext, ciphertext, and another subkey. Then, trying all values for this subkey, we gain multiple possible keys. We try another encryption with each of these keys and, when we successfully recover the known ciphertext, we have discovered the correct key. An example from the STEA block cipher with a 96-bit key and 3 32-bit subkeys would be:
L3 = R0+(((L0+(R0 XOR K1))XOR K2)
R3 = L0 + (R0 XOR K1)+(L3 XOR K3)
Here (L3,R3) are the ciphertext and (L0,R0) the plaintext. Note the STEA cipher can be written:
Li = R(i-1)
Ri = L(i-1)+(R(i-1)XOR Ki)
Note that the message block size (L,R) is 64 bits. In general, STEA uses two subkeys (K1, K2), each of length 32 bits. However, in this example, there are 3 subkeys, so the total key length is 96 bits. A brute force attempt to guess the key with one known plaintext is O(2^96) encryptions, as there are 2^96 possible binary 96-tuples. A meet in the middle attack reduces this cost to O(2^33) time. The memory cost is uncertain to me.