Topics in Cryptology — CT-RSA 2003
Volume 2612 of the series Lecture Notes in Computer Science, pp 141–157
About the XL Algorithm over GF(2)
Nicolas T. Courtois (CP8 Crypto Lab, SchlumbergerSema)
Jacques Patarin (CP8 Crypto Lab, SchlumbergerSema; PRiSM, University of Versailles)
Abstract
Several public key cryptosystems (HFE, Quartz, Sflash, etc.) are based on the problem MQ of solving a system of multivariate quadratic equations over a finite field. At Asiacrypt 2002, Courtois and Pieprzyk showed that the MQ problem is also relevant to the security of AES. At Eurocrypt 2000, Courtois, Klimov, Patarin and Shamir introduced the XL algorithm for solving MQ. They showed that if the number of equations m is much larger than the number of variables n, such overdefined MQ systems can be easily solved. From their simplified and heuristic analysis it seemed that even when m = n, a variant of XL could still be subexponential. The exact complexity of the XL algorithm remained an open problem. Moreover, all their simulations had been done over GF(127) and with D < 127, D being the parameter of the XL algorithm.
At Asiacrypt 2002, an algorithm XSL, derived from XL, was introduced for the cryptanalysis of block ciphers [5]. Very little is known about the behaviour of XSL, and we believe that one should study the XL algorithm itself first. In this paper we study the behaviour of XL for systems of quadratic equations over GF(2). We show that the possibility of using the field equations of GF(2), x_i^2 = x_i, which are also quadratic, makes the XL algorithm work better. We also introduce two improved versions of XL, called XL' and XL2, with an improved final step of the algorithm (which can also be used in XSL). We present an explanation for the linear dependencies that appear in the XL algorithm, and derive a formula for the number of linearly independent equations in XL or XL2. We then run various computer simulations and observe that this formula is always verified. Apparently we are able to predict exactly the behaviour of XL, XL' and XL2 for random systems of equations. Due to the entanglement of linear dependencies, the analysis of XL becomes increasingly difficult, and XL may be really exponential for m = n.
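As an added illustration (not code from the paper), the following Python implements one XL round over GF(2): every equation is multiplied by all monomials of degree at most D-2 with the field equations x_i^2 = x_i applied during multiplication, the products are linearized and row-reduced, and the number of linearly independent rows (the quantity the paper's formula predicts) is returned together with the solution once the reduced rows read x_i = constant. The polynomial representation, the random system generator with a planted root and the brute-force root check are constructed helpers for small instances, not the paper's experiments.

```python
from itertools import combinations
from collections import Counter
import random
# A GF(2) polynomial is a frozenset of square-free monomials, each a frozenset of
# variable indices: x_i^2 = x_i keeps monomials square-free, and equal terms cancel.

def monomials(n, max_deg):
    """Square-free monomials in n variables of degree <= max_deg; 1 is frozenset()."""
    return [frozenset(c) for d in range(max_deg + 1) for c in combinations(range(n), d)]

def evaluate(f, point):
    return sum(all(point[i] for i in t) for t in f) % 2
def mul(f, mono):
    """f * mono with the field equations applied: union of index sets, terms mod 2."""
    return frozenset(t for t, k in Counter(t | mono for t in f).items() if k % 2)

def roots(system, n):                          # brute force, for checking small instances
    pts = ([b >> i & 1 for i in range(n)] for b in range(2 ** n))
    return [p for p in pts if not any(evaluate(f, p) for f in system)]

def random_system(n, m, seed):
    """m random quadratics in n variables sharing a planted root (constructed sample)."""
    rng, system = random.Random(seed), []
    point = [rng.randrange(2) for _ in range(n)]
    for _ in range(m):
        f = {t for t in monomials(n, 2) if t and rng.randrange(2)}
        if evaluate(f, point):
            f ^= {frozenset()}                 # flip the constant so that f(point) = 0
        system.append(frozenset(f))
    return system, point

def xl(system, n, D):
    """XL round at degree D: multiply each equation by all monomials of degree <= D-2,
    linearize (one column per monomial, constant = bit 0) and row-reduce over GF(2)."""
    col = {t: i for i, t in enumerate(monomials(n, min(D, n)))}
    rows = [sum(1 << col[t] for t in mul(f, m)) for f in system for m in monomials(n, D - 2)]
    piv = {}                                   # pivot column -> row, zero on other pivot columns
    for r in rows:
        for c, p in piv.items():
            if r >> c & 1:
                r ^= p
        if r:
            c = r.bit_length() - 1
            for k in piv:
                if piv[k] >> c & 1:
                    piv[k] ^= r
            piv[c] = r
    sol = [piv[c] & 1 for c in (col[frozenset([i])] for i in range(n))
           if c in piv and piv[c] & ~1 == 1 << c]   # rows that read "x_i + const = 0"
    return len(rows), len(piv), sol if len(sol) == n and 0 not in piv else None
```

Calling xl(system, n, D) for D = 2, 3, ... returns the rows generated, their rank and the solution once it is determined; rows minus rank is the count of linear dependencies among the generated equations.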
Keywords
Multivariate quadratic equations; MQ problem; overdefined and exactly defined systems of multivariate equations; XL algorithm; Gröbner bases; XSL attacks on AES
Book Subtitle: The Cryptographers' Track at the RSA Conference 2003, San Francisco, CA, USA, April 13–17, 2003, Proceedings
DOI: 10.1007/3-540-36563-X_10
Print ISBN: 978-3-540-00847-7
Online ISBN: 978-3-540-36563-1
Series ISSN: 0302-9743
Publisher: Springer Berlin Heidelberg
Copyright: 2003 Springer-Verlag Berlin Heidelberg
Editor: Marc Joye (Gemplus, Card Security Group)
Author affiliations:
 Nicolas T. Courtois: CP8 Crypto Lab, SchlumbergerSema, 36-38 rue de la Princesse, BP 45, 78430 Louveciennes Cedex, France
 Jacques Patarin: CP8 Crypto Lab, SchlumbergerSema (as above); PRiSM, University of Versailles, 45 av. des États-Unis, 78035 Versailles Cedex, France