An Analysis of the XSL Algorithm

  • Carlos Cid
  • Gaëtan Leurent
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3788)


The XSL “algorithm” is a method for solving systems of multivariate polynomial equations based on the linearization method. It was proposed in 2002 as a dedicated method for exploiting the structure of some types of block ciphers, for example the AES and Serpent. Since its proposal, the potential for algebraic attacks against the AES has been the source of much speculation. Although it has attracted a lot of attention from the cryptographic community, currently very little is known about the effectiveness of the XSL algorithm. In this paper we present an analysis of the XSL algorithm, by giving a more concise description of the method and studying it from a more systematic point of view. We present strong evidence that, in its current form, the XSL algorithm does not provide an efficient method for solving the AES system of equations.


XSL algorithm T′ method Linearization AES 


  1. 1.
    Ars, G., Faugère, J.-C., Imai, H., Kawazoe, M., Sugita, M.: Comparison Between XL and Gröbner Basis Algorithms. In: Lee, P.J. (ed.) ASIACRYPT 2004. LNCS, vol. 3329, pp. 338–353. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  2. 2.
    Chen, J.-M., Courtois, N., Yang, B.-Y.: On Asymptotic Security Estimates in XL and Gröbner Bases-Related Algebraic Cryptanalysis. In: López, J., Qing, S., Okamoto, E. (eds.) ICICS 2004. LNCS, vol. 3269, pp. 401–413. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  3. 3.
    Chen, J.-M., Yang, B.-Y.: All in the XL Family: Theory and Practice. In: Park, C.-s., Chee, S. (eds.) ICISC 2004. LNCS, vol. 3506, pp. 67–86. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  4. 4.
    Chen, J.-M., Yang, B.-Y.: Theoretical Analysis of XL over Small Fields. In: Wang, H., Pieprzyk, J., Varadharajan, V. (eds.) ACISP 2004. LNCS, vol. 3108, pp. 277–288. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  5. 5.
    Cid, C., Murphy, S., Robshaw, M.: Small Scale Variants of the AES. In: Gilbert, H., Handschuh, H. (eds.) FSE 2005. LNCS, vol. 3557, pp. 145–162. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  6. 6.
    Coppersmith, D.: Comments on Crypto-Gram Newsletter (October 2002),
  7. 7.
    Courtois, N.: Algebraic Attacks over GF(2k), Applications to HFE Challenge 2 and Sflash-v2. In: Bao, F., Deng, R., Zhou, J. (eds.) PKC 2004. LNCS, vol. 2947, pp. 201–217. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  8. 8.
    Courtois, N., Klimov, A., Patarin, J., Shamir, A.: Efficient Algorithms for Solving Overdefined Systems of Multivariate Polynomial Equations. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 392–407. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  9. 9.
    Courtois, N., Patarin, J.: About the XL algorithm ober GF(2). In: Joye, M. (ed.) CT-RSA 2003. LNCS, vol. 2612, pp. 141–157. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  10. 10.
    Courtois, N., Pieprzyk, J.: Cryptanalysis of Block Ciphers with Overdefined Systems of Equations. Cryptology ePrint Archive, Report 2002/044 (2002)Google Scholar
  11. 11.
    Courtois, N., Pieprzyk, J.: Cryptanalysis of Block Ciphers with Overdefined Systems of Equations. In: Zheng, Y. (ed.) ASIACRYPT 2002. LNCS, vol. 2501, pp. 267–287. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  12. 12.
    Diem, C.: The XL-Algorithm and a Conjecture from Commutative Algebra. In: Lee, P.J. (ed.) ASIACRYPT 2004. LNCS, vol. 3329, pp. 323–337. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  13. 13.
    Murphy, S., Robshaw, M.: Essential Algebraic Structure within the AES. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 1–16. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  14. 14.
    Murphy, S., Robshaw, M.: Comments on the Security of the AES and the XSL Technique. Electronic Letters 39, 26–38 (2003)CrossRefGoogle Scholar
  15. 15.
    Sugita, M., Kawazoe, M., Imai, H.: Relation between XL algorithm and Gröbner Bases Algorithms. Cryptology ePrint Archive, Report 2004/112 (2004)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Carlos Cid
    • 1
  • Gaëtan Leurent
    • 2
  1. 1.Information Security Group, Royal HollowayUniversity of LondonEgham, SurreyUnited Kingdom
  2. 2.École Normale SupérieureDépartement d’InformatiqueParisFrance

Personalised recommendations