Can a MITM attack be applied to this construction?

Question

On reading the accepted answer to this question, I was wondering whether a Meet In The Middle attack could be applied to the suggested construction (below), and if not, then what is the effective key strength of combining two 256 bit ciphers in such a way? If I understand correctly, the Tahoe-Lafs 100 Year Cryptography project uses a similar construction.

$C=P\oplus K^1\oplus K^2$, where $C$ is the ciphertext, $P$ is the plaintext and $K^1$ is the key stream of one cipher and $K^2$ is the key stream of the other cipher (courtesy of Maarten Bodewes).

Answer 1

Let $K^1,K^2$ be the key-streams generated by $k_1,k_2$.

Now define $E^1_{k_1}(m):=m\oplus K^1$ and $E^2_{k_2}(m):=m\oplus K^2$.

Note that $E^1_{k_1}(E^2_{k_2}(m))=m\oplus K^1\oplus K^2$.

You now have a straight double encryption and can apply the standard meet-in-the-middle attack now.

---

The implementation would use a known-plaintext pair $(m,c)$. You would now tabulate all $E^1_{k_1'}(m)=m\oplus K^{1'}$ and then try all $D^2_{k_2'}(c)=c\oplus K^{2'}$ and look for matches between $E^1_{k_1'}(m)$ and $D^2_{k_2'}(c)$.