Theoretical Analysis of XL over Small Fields
XL was first introduced to solve determined or overdetermined systems of equations over a finite field as an “algebraic attack” against multivariate cryptosystems. There has been a steady stream of announcements of cryptanalysis of primitives by such attacks, including stream ciphers (e.g. Toyocrypt), public-key cryptosystems (PKCs), and, more controversially, block ciphers (AES/Rijndael and Serpent).
Prior discussions of XL are usually heavy in simulations, which are of course valuable, but we would like more attention paid to theory, because theory and simulations must validate each other, and there are some nuances not easily discerned from simulations. More effort has been made in this direction recently, but much of it was restricted to a large base field of size q, usually q = 2^k. By analysing XL variants in general, we try to derive rigorous “termination conditions”, i.e. the minimal degree required for XL and its relatives to operate reliably and successfully, and hence better security estimates. Our work is applicable to small q, in particular the significant q = 2 case.
Armed with this analysis, we reexamine previously announced results. We conclude that XL and variants represent a theoretical advance that is especially significant over small fields (in particular over GF(2)). However, its applicability and efficacy are occasionally overestimated slightly. We discuss possible future research directions. Much remains to be done.
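The XL procedure the abstract refers to (multiply each quadratic by all monomials up to a degree bound D, treat every monomial as a fresh unknown, eliminate over the field, and look for equations in a single variable) on a constructed toy system over GF(2), as an added example; this is illustrative code written for this page, not the authors' implementation or the paper's own termination criterion. The toy system, the variable names, and the stopping rule used here (the first D whose reduced rows pin down every variable) are choices made for the example. The trace it returns (rank versus T, the number of monomials of degree at most D) is the kind of count that a degree requirement for XL over GF(2) is stated in terms of: plain linearization at D = 2 leaves every row with a quadratic term, while at D = 3 the rank reaches T − 1 and each variable drops out as a linear row.

```python
"""Toy XL over GF(2) (added example).  Polynomials are sets of squarefree
monomials (frozensets of variable indices); the field equations x_i^2 = x_i
are built into the monomial product (set union) and addition over GF(2) is
symmetric difference, so we work in the Boolean ring GF(2)[x]/(x_i^2 - x_i)."""
from itertools import combinations, product

def monomials_up_to(n, d):
    """All squarefree monomials in n variables of degree <= d, as frozensets."""
    return [frozenset(c) for k in range(d + 1) for c in combinations(range(n), k)]

def mul_by_monomial(poly, t):
    """Multiply a polynomial by the monomial t; terms that collide cancel mod 2."""
    out = set()
    for m in poly:
        out ^= {m | t}            # x_i * x_i = x_i, so the product is a set union
    return out

def gf2_rref(rows):
    """Reduced row echelon form over GF(2); a row is an int, one bit per monomial."""
    basis = []                    # (pivot_bit, row) pairs with distinct pivot bits
    for r in rows:
        for pb, b in basis:       # reduce r against every existing pivot
            if (r >> pb) & 1:
                r ^= b
        if r:
            pb = r.bit_length() - 1
            basis = [(q, b ^ r if (b >> pb) & 1 else b) for q, b in basis]
            basis.append((pb, r))
    return [b for _, b in basis]

def xl_step(polys, n, D):
    """One XL round at degree D.  Returns (rank, T, determined): T is the number
    of monomials of degree <= D and determined maps x_i -> value for every
    reduced row of the form x_i + c."""
    extended = []
    for p in polys:
        deg_p = max(len(m) for m in p)
        for t in monomials_up_to(n, D - deg_p):
            q = mul_by_monomial(p, t)
            if q:                 # products that vanish identically add nothing
                extended.append(q)
    # High-degree monomials get the high bits, so elimination clears them first
    # and any purely linear consequence sinks to the low-bit rows.
    cols = sorted(monomials_up_to(n, D), key=lambda m: (-len(m), sorted(m)))
    bit = {m: len(cols) - 1 - i for i, m in enumerate(cols)}
    rows = gf2_rref(sum(1 << bit[m] for m in q) for q in extended)
    const = 1 << bit[frozenset()]
    var_bits = {bit[frozenset([i])]: i for i in range(n)}
    linear_mask = const | sum(1 << b for b in var_bits)
    determined = {}
    for r in rows:
        if r & ~linear_mask:
            continue              # row still involves a monomial of degree >= 2
        lin = r & ~const
        if lin and lin & (lin - 1) == 0:          # exactly one variable: x_i + c
            determined[var_bits[lin.bit_length() - 1]] = 1 if r & const else 0
    return len(rows), len(cols), determined

def xl_solve(polys, n, max_D):
    """Raise D until the linearized system determines every variable.
    Returns (D, assignment, trace) with trace = [(D, rank, T), ...]."""
    trace = []
    for D in range(2, max_D + 1):
        rank, T, determined = xl_step(polys, n, D)
        trace.append((D, rank, T))
        if len(determined) == n:
            return D, determined, trace
    return None, {}, trace

def evaluate(poly, assignment):
    """Evaluate a polynomial at a 0/1 assignment given as {i: bit}."""
    return sum(all(assignment[i] for i in m) for m in poly) % 2

def brute_force(polys, n):
    """Exhaustive check over all 2^n points, independent of XL."""
    return [bits for bits in product((0, 1), repeat=n)
            if all(evaluate(p, dict(enumerate(bits))) == 0 for p in polys)]

# Constructed toy instance: three quadratics in x0, x1, x2 whose only common
# root over GF(2) is (1, 0, 1).  Plain linearization (D = 2) cannot solve it.
X0, X1, X2, ONE = frozenset([0]), frozenset([1]), frozenset([2]), frozenset()
SYSTEM = [
    {X0 | X1, X1},            # x0*x1 + x1
    {X1 | X2, X2, ONE},       # x1*x2 + x2 + 1
    {X0 | X2, ONE},           # x0*x2 + 1
]

if __name__ == "__main__":
    D, sol, trace = xl_solve(SYSTEM, 3, 4)
    for d, rank, T in trace:
        print(f"D={d}: rank {rank} of T={T} monomials")
    print("solved at degree", D, "->", sol, "brute force:", brute_force(SYSTEM, 3))
```

The example is deliberately small enough to check by hand: at D = 3 the products x2·(x1x2 + x2 + 1) and the differences (x0x2 + 1) − x0·(x0x2 + 1) and (x0x2 + 1) − x2·(x0x2 + 1) already read x1 = 0, x0 = 1 and x2 = 1, which is what the reduced rows return. Real instances are far larger and the interesting question, as the abstract says, is at which D this happens and how that D scales with n and m.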
Keywords: XL, finite field, multivariate cryptography, system of quadratic equations, algebraic attack