About the XL Algorithm over GF(2)

  • Nicolas T. Courtois
  • Jacques Patarin
Conference paper

DOI: 10.1007/3-540-36563-X_10

Part of the Lecture Notes in Computer Science book series (LNCS, volume 2612)
Cite this paper as:
Courtois N.T., Patarin J. (2003) About the XL Algorithm over GF(2). In: Joye M. (eds) Topics in Cryptology — CT-RSA 2003. CT-RSA 2003. Lecture Notes in Computer Science, vol 2612. Springer, Berlin, Heidelberg


Several public key cryptosystems (HFE, Quartz, Sflash, etc.) are based on the problem MQ of solving a system of multivariate quadratic equations over a finite field. At Asiacrypt 2002, Courtois and Pieprzyk show that the MQ problem is also relevant to the security of AES. At Eurocrypt 2000, Courtois, Klimov, Patarin and Shamir introduced the XL algorithm for solving MQ. They show that if the number of equations m is much larger than the number of variables n, such overdefined MQ systems can be easily solved. From their simplified and heuristic analysis it seemed that even when m = n, a variant of XL could still be subexponential. The exact complexity of the XL algorithm remained an open problem. Moreover, all their simulations has been done over GF(127) and with D < 127, with D being the parameter of the XL algorithm.

At Asiacrypt 2002, an algorithm XSL, derived from XL, is introduced for the cryptanalysis of block ciphers [5]. Very little is known about the behaviour of XSL and we believe that one should study the XL algorithm itself first. In this paper we study the behaviour of XL for systems of quadratic equations over GF(2). We show that the possibility to use the equations of the field GF(2): x2/i = xi that are also quadratic, makes that the XL algorithm works better. We also introduce two improved versions of XL, called XL’ and XL2, with an improved final step of the algorithm (that also can be used in XSL). We present an explanation for the linear dependencies that appear in the XL algorithm, and derive a formula for the number of linearly independent equations in XL or XL2. Then we run various computer simulations and observe that this formula is always verified. Apparently we are able to predict exactly the behaviour of XL, XL’ and XL2 for random systems of equations. Due to the entanglement of linear dependencies, the analysis of XL becomes increasingly difficult, and XL may be really exponential for m = n.


Multivariate quadratic equations MQ problem overdefined and exactly defined systems of multivariate equations XL algorithm Gröbner bases XSL attacks on AES 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

Copyright information

© Springer-Verlag Berlin Heidelberg 2003

Authors and Affiliations

  • Nicolas T. Courtois
    • 1
  • Jacques Patarin
    • 1
    • 2
  1. 1.CP8 Crypto Lab, SchlumbergerSemaLouveciennes CedexFrance
  2. 2.PRiSM, University of VersaillesVersailles CedexFrance

Personalised recommendations