Topics in Cryptology — CT-RSA 2003

Volume 2612 of the series Lecture Notes in Computer Science pp 141-157


About the XL Algorithm over GF(2)

  • Nicolas T. CourtoisAffiliated withCP8 Crypto Lab, SchlumbergerSema
  • , Jacques PatarinAffiliated withCP8 Crypto Lab, SchlumbergerSemaPRiSM, University of Versailles

* Final gross prices may vary according to local VAT.

Get Access


Several public key cryptosystems (HFE, Quartz, Sflash, etc.) are based on the problem MQ of solving a system of multivariate quadratic equations over a finite field. At Asiacrypt 2002, Courtois and Pieprzyk show that the MQ problem is also relevant to the security of AES. At Eurocrypt 2000, Courtois, Klimov, Patarin and Shamir introduced the XL algorithm for solving MQ. They show that if the number of equations m is much larger than the number of variables n, such overdefined MQ systems can be easily solved. From their simplified and heuristic analysis it seemed that even when m = n, a variant of XL could still be subexponential. The exact complexity of the XL algorithm remained an open problem. Moreover, all their simulations has been done over GF(127) and with D < 127, with D being the parameter of the XL algorithm.

At Asiacrypt 2002, an algorithm XSL, derived from XL, is introduced for the cryptanalysis of block ciphers [5]. Very little is known about the behaviour of XSL and we believe that one should study the XL algorithm itself first. In this paper we study the behaviour of XL for systems of quadratic equations over GF(2). We show that the possibility to use the equations of the field GF(2): x 2/ i = x i that are also quadratic, makes that the XL algorithm works better. We also introduce two improved versions of XL, called XL’ and XL2, with an improved final step of the algorithm (that also can be used in XSL). We present an explanation for the linear dependencies that appear in the XL algorithm, and derive a formula for the number of linearly independent equations in XL or XL2. Then we run various computer simulations and observe that this formula is always verified. Apparently we are able to predict exactly the behaviour of XL, XL’ and XL2 for random systems of equations. Due to the entanglement of linear dependencies, the analysis of XL becomes increasingly difficult, and XL may be really exponential for m = n.


Multivariate quadratic equations MQ problem overdefined and exactly defined systems of multivariate equations XL algorithm Gröbner bases XSL attacks on AES