Theoretical Analysis of XL over Small Fields

  • Bo-Yin Yang
  • Jiun-Ming Chen
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3108)


XL was first introduced to solve determined or overdetermined systems of equations over a finite field as an “algebraic attack” against multivariate cryptosystems. There has been a steady stream of announcements of cryptanalysis of primitives by such attacks, including stream ciphers (e.g. Toyocrypt), PKC’s, and more controversially block ciphers (AES/Rijndael and Serpent).

Prior discussions of XL are usually heavy in simulations, which are of course valuable but we would like more attention to theory, because theory and simulations must validate each other, and there are some nuances not easily discerned from simulations. More effort was made in this direction of recent, but much of it was restricted to a large base field of size q, which is usually equal to 2 k . By conducting an analysis of XL variants in general, we try to derive rigorous “termination conditions”, minimal degree requirements for reliable, successful operation of XL and its relatives, hence better security estimates. Our work is applicable to small q, in particular the significant q=2 case.

Armed with this analysis, we reexamine previously announced results. We conclude that XL and variants represent a theoretical advance that is especially significant over small fields (in particular over GF(2)). However, its applicability and efficacy are occasionally overestimated slightly. We discuss possible future research directions. Much remains to be done.


XL finite field multivariate cryptography system of quadratic equations algebraic attack 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Bardet, M., Faugère, J.-C., Salvy, B.: Complexity of Gröbner Basis Computations for Regular Overdetermined Systems, INRIA RR. No. 5049 and private communicationGoogle Scholar
  2. 2.
    Bunch, J.R., Hopcroft, J.E.: Triangular Factorizations and Inversion by Fast Matrix Multiplication. Math. Computations 24, 231–236 (1974)MathSciNetCrossRefGoogle Scholar
  3. 3.
    Bernstein, D.: Matrix Inversion Made Difficult, preprint, stated to be superseded by a yet unpublished version, available at
  4. 4.
    Courtois, N.: The Security of Hidden Field Equations (HFE). In: Naccache, D. (ed.) CT-RSA 2001. LNCS, vol. 2020, pp. 266–281. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  5. 5.
    Courtois, N.: Higher-Order Correlation Attacks, XLAlgorithm and Cryptanalysis ofToyocrypt. In: Lee, P.J., Lim, C.H. (eds.) ICISC 2002. LNCS, vol. 2587, pp. 182–199. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  6. 6.
    Courtois, N.: Fast Algebraic Attacks on Stream Ciphers with Linear Feedback. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 176–194. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  7. 7.
    Courtois, N.: Algebraic Attacks over GF(2k), Cryptanalysis of HFE Challenge 2 and SFLASHv2. In: Bao, F., Deng, R., Zhou, J. (eds.) PKC 2004. LNCS, vol. 2947, pp. 201–217. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  8. 8.
    Courtois, N., Klimov, A., Patarin, J., Shamir, A.: Efficient Algorithms for Solving Overdefined Systems of Multivariate Polynomial Equations. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 392–407. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  9. 9.
    Courtois, N., Pieprzyk, J.: Cryptanalysis of Block Ciphers with Overdefined Systems of Equations. In: Zheng, Y. (ed.) ASIACRYPT 2002. LNCS, vol. 2501, pp. 267–287. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  10. 10.
    Courtois, N., Patarin, J.: About the XL Algorithm over GF(2). In: Joye, M. (ed.) CT-RSA 2003. LNCS, vol. 2612, pp. 141–157. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  11. 11.
    Duff, S., Erismann, A.M., Reid, J.K.: Direct Methods for Sparse Matrices. Oxford Science Publications (1986)Google Scholar
  12. 12.
    Faugère, J.-C.: A New Efficient Algorithm for Computing Gröbner Bases without Reduction to Zero (F5). In: Proceedings of ISSAC 2002, pp. 75–83. ACM Press, New York (2002)CrossRefGoogle Scholar
  13. 13.
    Faugère, J.-C., Joux, A.: Algebraic Cryptanalysis of Hidden Field Equations (HFE) Cryptosystems Using Gröbner Bases. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 44–60. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  14. 14.
    Garey, M., Johnson, D.: Computers and Intractability, A Guide to the Theory of NPcompleteness, p. 251 (1979)Google Scholar
  15. 15.
    Kipnis, A., Shamir, A.: Cryptanalysis of the HFE Public Key Cryptosystem by Relinearization. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 19–30. Springer, Heidelberg (1999)Google Scholar
  16. 16.
    Moh, T.: On The Method of XL and Its Inefficiency Against TTM, available at
  17. 17.
    Murphy, S., Robshaw, M.: Essential Algebraic Structures Within the AES. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 1–16. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  18. 18.
    Patarin, J.: Hidden Fields Equations (HFE) and Isomorphisms of Polynomials (IP): Two New Families of Asymmetric Algorithms. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 33–48. Springer, Heidelberg (1996)Google Scholar
  19. 19.
    Stanley, R.: Enumerative Combinatorics, vol. 1, second printing 1996; vol. 2 in 1999. Both published by Cambridge University Press, Cambridge. Google Scholar
  20. 20.
    Strassen, V.: Gaussian Elimination is not Optimal. Numer. Math. 13, 354–356 (1969)MATHCrossRefMathSciNetGoogle Scholar
  21. 21.
    Yang, B.-Y., Chen, J.-M.: All in the XL Family: Theory and Practice (preprint)Google Scholar
  22. 22.
    Yang, B.-Y., Chen, J.-M.: Asymptotic Behavior for XL and Friends (preprint)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2004

Authors and Affiliations

  • Bo-Yin Yang
    • 1
  • Jiun-Ming Chen
    • 2
  1. 1.Department of MathematicsTamkang UniversityTamsuiTaiwan
  2. 2.Chinese Data Security Inc. & National Taiwan UTaipei

Personalised recommendations