All in the XL Family: Theory and Practice

  • Bo-Yin Yang
  • Jiun-Ming Chen
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3506)


The XL (eXtended Linearization) equation-solving algorithm belongs to the same extended family as the advanced Gröbner Bases methods F 4 /F 5 . XL and its relatives may be used as direct attacks against multivariate Public-Key Cryptosystems and as final stages for many “algebraic cryptanalysis” used today. We analyze the applicability and performance of XL and its relatives, particularly for generic systems of equations over medium-sized finite fields.

In examining the extended family of Gröbner Bases and XL from theoretical, empirical and practical viewpoints, we add to the general understanding of equation-solving. Moreover, we give rigorous conditions for the successful termination of XL, Gröbner Bases methods and relatives. Thus we have a better grasp of how such algebraic attacks should be applied. We also compute revised security estimates for multivariate cryptosystems. For example, the schemes SFLASH v2 and HFE Challenge 2 are shown to be unbroken by XL variants.


algebraic analysis finite field Gröbner Bases multivariate quadratics multivariate cryptography XL 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Akkar, M., Courtois, N., Duteuil, R., Goubin, L.: A Fast and Secure Implementation of SFLASH. In: Desmedt, Y.G. (ed.) PKC 2003. LNCS, vol. 2567, pp. 267–278. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  2. 2.
    Ars, G., Faugère, J.-C., Imai, H., Kawazoe, M., Sugita, M.: Comparison of XL and Gröbner Bases Algorithms over Finite Fields. In: Lee, P.J. (ed.) ASIACRYPT 2004. LNCS, vol. 3329, pp. 338–353. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  3. 3.
    Bardet, M.: Étude des systèmes algébriques surdéterminés. Applications aux codes correcteurs et à la cryptographie. Ph.D. thesis, Université Paris 6 (2004)Google Scholar
  4. 4.
    Bardet, M., Faugère, J.-C., Salvy, B.: Complexity of Gröbner Basis Computations for Regular Overdetermined Systems, INRIA Rapport de Recherche No. 5049; a slightly modified preprint is accepted by the International Conference on Polynomial System SolvingGoogle Scholar
  5. 5.
    Bardet, M., Faugère, J.-C., Salvy, B., Yang, B.-Y.: Asymptotic Complexity of Gröbner Basis Algorithms for Semi-regular Overdetermined Systems over Large Fields (manuscript)Google Scholar
  6. 6.
    Barkee, B., et al.: Why You Cannot Even Hope to Use Gröbner Bases in Public-Key Cryptography. J. Symbolic Computations 18, 497–501 (1994)zbMATHCrossRefMathSciNetGoogle Scholar
  7. 7.
    Bunch, J.R., Hopcroft, J.E.: Triangular Factorizations and Inversion by Fast Matrix Multiplication. Math. Computations 24, 231–236 (1974)MathSciNetCrossRefGoogle Scholar
  8. 8.
    Burden, R., Faires, J.D.: Numerical Analysis, 7th edn. PWS-Kent Publ. Co. (2000)Google Scholar
  9. 9.
    Bernstein, D.: Matrix Inversion Made Difficult, preprint, stated to be superseded by a yet unpublished version, available at
  10. 10.
    Caniglia, L., Galligo, A., Heintz, J.: Some New Effectivity Bounds in Computational Geometry. In: Mora, T. (ed.) AAECC 1988. LNCS, vol. 357, pp. 131–151. Springer, Heidelberg (1989)Google Scholar
  11. 11.
    Caniglia, L., Galligo, A., Heintz, J.: Equations for the Projective Closure and Effective Nullstellensatz. Discrete Applied Mathematics 33, 11–23 (1991)zbMATHCrossRefMathSciNetGoogle Scholar
  12. 12.
    Chester, C., Friedman, B., Ursell, F.: An Extension of the Method of Steepest Descents. Proc. Camb. Philo. Soc. 53, 599–611 (1957)zbMATHCrossRefMathSciNetGoogle Scholar
  13. 13.
    Coppersmith, D.: Private communicationGoogle Scholar
  14. 14.
    Courtois, N.: The Security of Hidden Field Equations (HFE). In: Naccache, D. (ed.) CT-RSA 2001. LNCS, vol. 2020, pp. 266–281. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  15. 15.
    Courtois, N.: Higher-Order Correlation Attacks, XL Algorithm and Cryptanalysis of Toyocrypt. In: Lee, P.J., Lim, C.H. (eds.) ICISC 2002. LNCS, vol. 2587, pp. 182–199. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  16. 16.
    Courtois, N.T.: Fast algebraic attacks on stream ciphers with linear feedback. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 177–194. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  17. 17.
    Courtois, N.: Algebraic attacks over gF(2k), application to HFE challenge 2 and sflash-v2. In: Bao, F., Deng, R., Zhou, J. (eds.) PKC 2004. LNCS, vol. 2947, pp. 201–217. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  18. 18.
    Courtois, N.: Private communicationGoogle Scholar
  19. 19.
    Courtois, N., Goubin, L., Patarin, J.: SFLASHv3, a Fast Asymmetric Signature Scheme, preprint, available at
  20. 20.
    Courtois, N., Klimov, A., Patarin, J., Shamir, A.: Efficient algorithms for solving overdefined systems of multivariate polynomial equations. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 392–407. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  21. 21.
    Courtois, N.T., Pieprzyk, J.: Cryptanalysis of block ciphers with overdefined systems of equations. In: Zheng, Y. (ed.) ASIACRYPT 2002. LNCS, vol. 2501, pp. 267–287. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  22. 22.
    Courtois, N.T., Patarin, J.: About the XL algorithm over GF(2). In: Joye, M. (ed.) CT-RSA 2003. LNCS, vol. 2612, pp. 141–157. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  23. 23.
    Daemen, J., Rijmen, V.: The Design of Rijndael, AES - The Advanced Encryption Standard. Springer, Heidelberg (2002)Google Scholar
  24. 24.
    Diem, C.: The XL-algorithm and a conjecture from commutative algebra. In: Lee, P.J. (ed.) ASIACRYPT 2004. LNCS, vol. 3329, pp. 323–337. Springer, Heidelberg (2004) private communicationCrossRefGoogle Scholar
  25. 25.
    Diffie, W., Hellman, M.: New Directions in Cryptography. IEEE Trans. Info. Theory IT-22(6), 644–654 (1972)MathSciNetGoogle Scholar
  26. 26.
    Ding, J., Schmidt, D.: Cryptanalysis of SFlashv3,
  27. 27.
    Duff, I.S., Erismann, A.M., Reid, J.K.: Direct Methods for Sparse Matrices, published by Oxford Science Publications (1986)Google Scholar
  28. 28.
    Eberly, W., Kaltofen, E.: On Randomized Lanczos Algorithms. In: Proc. ISSAC 1997, pp. 176–183. ACM Press, New York (1997)CrossRefGoogle Scholar
  29. 29.
    Faugére, J.-C.: A New Efficient Algorithm for Computing Gröbner Bases (F4). Journal of Pure and Applied Algebra 139, 61–88 (1999)zbMATHCrossRefMathSciNetGoogle Scholar
  30. 30.
    Faugère, J.-C.: A New Efficient Algorithm for Computing Gröbner Bases without Reduction to Zero (F5). In: Proceedings of ISSAC 2002, pp. 75–83. ACM Press, New York (2002)CrossRefGoogle Scholar
  31. 31.
    Faugère, J.-C., Joux, A.: Algebraic cryptanalysis of hidden field equation (HFE) cryptosystems using gröbner bases. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 44–60. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  32. 32.
    Fröberg, R.: An Inequality for Hilbert Series of Graded Algebras. Math. Scand. 56, 117–144 (1985)zbMATHMathSciNetGoogle Scholar
  33. 33.
    Garey, M., Johnson, D.: Computers and Intractability, A Guide to the Theory of NP-completeness. W.H. Freeman, New York (1979)zbMATHGoogle Scholar
  34. 34.
    Geiselmann, W., Steinwandt, R., Beth, T.: Revealing 441 Key Bits of sflashv2. In: 3rd NESSIE Workshop (2002)Google Scholar
  35. 35.
    Hwang, H.-K.: Asymptotic estimates of elementary probability distributions. Studies in Applied Mathematics 99(4), 393–417 (1997)zbMATHCrossRefMathSciNetGoogle Scholar
  36. 36.
    Hartshorne, R.: Algebraic Geometry. Springer, Heidelberg (1977)zbMATHGoogle Scholar
  37. 37.
    Kipnis, A., Shamir, A.: Cryptanalysis of the HFE public key cryptosystem by relinearization. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 19–30. Springer, Heidelberg (1999)Google Scholar
  38. 38.
    LaMacchia, B., Odlyzko, A.: Solving large sparse linear systems over finite fields. In: Menezes, A., Vanstone, S.A. (eds.) CRYPTO 1990. LNCS, vol. 537, pp. 109–133. Springer, Heidelberg (1991)Google Scholar
  39. 39.
    Lang, S.: Algebra, 3rd edn. Addison-Wesley, Reading (1993)zbMATHGoogle Scholar
  40. 40.
    Lazard, D.: Gröbner Bases, Gaussian Elimination and Resolution of Systems of Algebraic Equations. In: van Hulzen, J.A. (ed.) EUROCAL 1983. LNCS, vol. 162, pp. 146–156. Springer, Heidelberg (1983)Google Scholar
  41. 41.
    McGeoch, C.: “Veni, Divisi, Vici”. Appearing in the “Computer Science Sampler” column of the Amer. Math. Monthly (May 1995)Google Scholar
  42. 42.
    The MAGMA project, University of Sydney, see
  43. 43.
    Matsumoto, T., Imai, H.: Public quadratic polynomial-tuples for efficient signature-verification and message-encryption. In: Günther, C.G. (ed.) EUROCRYPT 1988. LNCS, vol. 330, pp. 419–453. Springer, Heidelberg (1988)Google Scholar
  44. 44.
    Moh, T.: On The Method of XL and Its Inefficiency Against TTM, available at
  45. 45.
    Murphy, S., Robshaw, M.: Essential algebraic structure within the AES. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 1–16. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  46. 46.
    Murphy, S., Robshaw, M.: Comments on the Security of the AES and the XSL Technique, preprint available from the authors,
  47. 47.
    NESSIE Security Report, V2.0, available at
  48. 48.
    Patarin, J.: Hidden fields equations (HFE) and isomorphisms of polynomials (IP): Two new families of asymmetric algorithms. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 33–48. Springer, Heidelberg (1996)Google Scholar
  49. 49.
    Patarin, J., Goubin, L., Courtois, N.T.: \(C^{*}_{-+}\) and HM: Variations around two schemes of T. Matsumoto and H. Imai. In: Ohta, K., Pei, D. (eds.) ASIACRYPT 1998. LNCS, vol. 1514, pp. 35–50. Springer, Heidelberg (1998)CrossRefGoogle Scholar
  50. 50.
    Patarin, J., Courtois, N., Goubin, L.: QUARTZ, 128-bit long digital signatures. In: Naccache, D. (ed.) CT-RSA 2001. LNCS, vol. 2020, pp. 282–297. Springer, Heidelberg (2001) Update at CrossRefGoogle Scholar
  51. 51.
    Patarin, J., Courtois, N., Goubin, L.: FLASH, a fast multivariate signature algorithm. In: Naccache, D. (ed.) CT-RSA 2001. LNCS, vol. 2020, pp. 298–307. Springer, Heidelberg (2001), Update with SFLASHv2 available at CrossRefGoogle Scholar
  52. 52.
    Stanley, R.: Enumerative Combinatorics, vol. 1, second printing (1996); vol. 2 in (1999) Both published by Cambridge University Press, CambridgeGoogle Scholar
  53. 53.
    Strassen, V.: Gaussian Elimination is not Optimal. Numer. Math. 13, 354–356 (1969)zbMATHCrossRefMathSciNetGoogle Scholar
  54. 54.
    Sugita, M., Kawazoe, M., Imai, H.: Relation between XL algorithm and Groebner Bases Algorithms, preprint, Part of this merged with [2]
  55. 55.
    Szegö, G.: Orthogonal Polynomials, 4th edn. American Math. Society, ProvidenceGoogle Scholar
  56. 56.
    Wiedemann, D.: Solving Sparse Linear Equations over Finite Fields. IEEE Transaction on Information Theory IT-32(1), 54–62 (1976)MathSciNetGoogle Scholar
  57. 57.
    Wong, R.: Asymptotic Approximations of Integrals. Academic Press, San Diego (1989)zbMATHGoogle Scholar
  58. 58.
    Yang, B.-Y., Chen, J.-M.: Theoretical analysis of XL over small fields. In: Wang, H., Pieprzyk, J., Varadharajan, V. (eds.) ACISP 2004. LNCS, vol. 3108, pp. 277–288. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  59. 59.
    Yang, B.-Y., Chen, J.-M., Courtois, N.T.: On asymptotic security estimates in XL and gröbner bases-related algebraic cryptanalysis. In: López, J., Qing, S., Okamoto, E. (eds.) ICICS 2004. LNCS, vol. 3269, pp. 401–413. Springer, Heidelberg (2004) Formerly titled Exact and Asymptotic Behavior of XL-Related MethodsCrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Bo-Yin Yang
    • 1
  • Jiun-Ming Chen
    • 2
  1. 1.Department of MathematicsTamkang UniversityTamsuiTaiwan
  2. 2.Chinese Data Security, Inc., & NationalTaiwan U

Personalised recommendations