An Analysis of XSL Applied to BES

  • Chu-Wee Lim
  • Khoongming Khoo
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4593)


Currently, the only plausible attack on the Advanced Encryption System (AES) is the XSL attack over F 256 through the Big Encryption System (BES) embedding. In this paper, we give an analysis of the XSL attack when applied to BES and conclude that the complexity estimate is too optimistic. For example, the complexity of XSL on BES-128 should be at least 2401 instead of the value of 287 from current literature. Our analysis applies to the eprint version of the XSL attack, which is different from the compact XSL attack studied by Cid and Leurent at Asiacrypt 2005. Moreover, we study the attack on the BES embedding of AES, while Cid and Leurent studies the attack on AES itself. Thus our analysis can be considered as a parallel work, which together with Cid and Leurent’s study, disproves the effectiveness of both versions of the XSL attack against AES.


XSL algorithm AES BES linearisation 


  1. 1.
    Cid, C., Leurent, G.: An Analysis of the XSL Algorithm. In: Roy, B. (ed.) ASIACRYPT 2005. LNCS, vol. 3788, pp. 333–352. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  2. 2.
    Courtois, N., Klimov, A., Patarin, J., Shamir, A.: Efficient Algorithms for Solving Systems of Multivariate Polynomial Equations. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 392–407. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  3. 3.
    Courtois, N., Pieprzyk, J.: Cryptanalysis of Block Ciphers with Overdefined Systems of Equations. IACR eprint server, 2002/044 (March 2002),
  4. 4.
    Courtois, N., Pieprzyk, J.: Cryptanalysis of Block Ciphers with Overdefined Systems of Equations. In: Zheng, Y. (ed.) ASIACRYPT 2002. LNCS, vol. 2501, pp. 267–287. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  5. 5.
    Montgomery, P.L.: A Block Lanczos Algorithm for Finding Linear Dependencies over GF(2). In: Guillou, L.C., Quisquater, J.-J. (eds.) EUROCRYPT 1995. LNCS, vol. 921, pp. 106–120. Springer, Heidelberg (1995)Google Scholar
  6. 6.
    Murphy, S., Robshaw, M.: Essential Algebraic Structure Within the AES. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 1–16. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  7. 7.
    Murphy, S., Robshaw, M.: Comments on the Security of the AES and the XSL Technique. Electronic Letters 39, 26–38 (2003)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2007

Authors and Affiliations

  • Chu-Wee Lim
    • 1
  • Khoongming Khoo
    • 1
  1. 1.DSO National Laboratories, 20 Science Park Drive, S118230Singapore

Personalised recommendations