Fast Software Encryption

Volume 4593 of the series Lecture Notes in Computer Science pp 242-253

An Analysis of XSL Applied to BES

  • Chu-Wee Lim, affiliated with DSO National Laboratories, 20 Science Park Drive, S118230
  • Khoongming Khoo, affiliated with DSO National Laboratories, 20 Science Park Drive, S118230


Currently, the only plausible attack on the Advanced Encryption System (AES) is the XSL attack over $\mathbb{F}_{256}$ through the Big Encryption System (BES) embedding. In this paper, we give an analysis of the XSL attack when applied to BES and conclude that the complexity estimate is too optimistic. For example, the complexity of XSL on BES-128 should be at least $2^{401}$ instead of the value of $2^{87}$ from current literature. Our analysis applies to the eprint version of the XSL attack, which is different from the compact XSL attack studied by Cid and Leurent at Asiacrypt 2005. Moreover, we study the attack on the BES embedding of AES, while Cid and Leurent study the attack on AES itself. Thus our analysis can be considered a parallel work which, together with Cid and Leurent’s study, disproves the effectiveness of both versions of the XSL attack against AES.


Keywords: XSL algorithm, AES, BES, linearisation