An Analysis of XSL Applied to BES

  • Chu-Wee Lim
  • Khoongming Khoo
Conference paper

DOI: 10.1007/978-3-540-74619-5_16

Part of the Lecture Notes in Computer Science book series (LNCS, volume 4593)
Cite this paper as:
Lim CW., Khoo K. (2007) An Analysis of XSL Applied to BES. In: Biryukov A. (eds) Fast Software Encryption. FSE 2007. Lecture Notes in Computer Science, vol 4593. Springer, Berlin, Heidelberg


Currently, the only plausible attack on the Advanced Encryption System (AES) is the XSL attack over F256 through the Big Encryption System (BES) embedding. In this paper, we give an analysis of the XSL attack when applied to BES and conclude that the complexity estimate is too optimistic. For example, the complexity of XSL on BES-128 should be at least 2401 instead of the value of 287 from current literature. Our analysis applies to the eprint version of the XSL attack, which is different from the compact XSL attack studied by Cid and Leurent at Asiacrypt 2005. Moreover, we study the attack on the BES embedding of AES, while Cid and Leurent studies the attack on AES itself. Thus our analysis can be considered as a parallel work, which together with Cid and Leurent’s study, disproves the effectiveness of both versions of the XSL attack against AES.


XSL algorithm AES BES linearisation 

Copyright information

© Springer-Verlag Berlin Heidelberg 2007

Authors and Affiliations

  • Chu-Wee Lim
    • 1
  • Khoongming Khoo
    • 1
  1. 1.DSO National Laboratories, 20 Science Park Drive, S118230Singapore

Personalised recommendations