
About the XL Algorithm over GF(2)

  • Conference paper
  • Topics in Cryptology — CT-RSA 2003 (CT-RSA 2003)
  • Part of the book series: Lecture Notes in Computer Science (LNCS, volume 2612)

Abstract

Several public key cryptosystems (HFE, Quartz, Sflash, etc.) are based on the problem MQ of solving a system of multivariate quadratic equations over a finite field. At Asiacrypt 2002, Courtois and Pieprzyk showed that the MQ problem is also relevant to the security of AES. At Eurocrypt 2000, Courtois, Klimov, Patarin and Shamir introduced the XL algorithm for solving MQ. They showed that if the number of equations m is much larger than the number of variables n, such overdefined MQ systems can be easily solved. From their simplified and heuristic analysis it seemed that even when m = n, a variant of XL could still be subexponential. The exact complexity of the XL algorithm remained an open problem. Moreover, all their simulations had been done over GF(127) and with D < 127, D being the degree parameter of the XL algorithm.

At Asiacrypt 2002, an algorithm XSL, derived from XL, was introduced for the cryptanalysis of block ciphers [5]. Very little is known about the behaviour of XSL, and we believe that one should study the XL algorithm itself first. In this paper we study the behaviour of XL for systems of quadratic equations over GF(2). We show that the possibility of using the field equations of GF(2), x_i^2 = x_i, which are themselves quadratic, makes the XL algorithm work better. We also introduce two improved versions of XL, called XL' and XL2, with an improved final step of the algorithm (which can also be used in XSL). We present an explanation for the linear dependencies that appear in the XL algorithm, and derive a formula for the number of linearly independent equations in XL or XL2. We then run various computer simulations and observe that this formula is always verified. Apparently we are able to predict exactly the behaviour of XL, XL' and XL2 for random systems of equations. Due to the entanglement of linear dependencies, the analysis of XL becomes increasingly difficult, and XL may be really exponential for m = n.
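The following Python is an added illustration of the plain XL procedure the abstract describes, written for this page; it is not code from the paper and implements neither XL' nor XL2. Every equation is multiplied by every monomial of degree at most D-2, the products are linearised over the monomials of degree at most D, the resulting GF(2) matrix is row-reduced, and any rows that end up of degree at most 1 are read off as linear equations. Because x_i^2 = x_i is applied while multiplying, the columns are the multilinear monomials only, sum of C(n, k) for k up to D, instead of the C(n+D, D) monomials a generic XL run would track; the random system, its size (n = 6, m = 12), the planted root, the seed and all function names are assumptions made for the example.

```python
"""Toy XL over GF(2). A polynomial is a set of monomials (GF(2) coefficients,
so addition is symmetric difference); a monomial is a frozenset of variable
indices, multilinear because x_i^2 = x_i; frozenset() is the constant 1."""
import itertools
import random
from math import comb

def evaluate(poly, point):
    """Value of poly at a 0/1 tuple (all() over the empty monomial is 1)."""
    return sum(all(point[i] for i in mono) for mono in poly) % 2

def random_quadratic_system(n, m, solution, rng):
    """m random quadratics in n variables, constant terms adjusted so that
    `solution` is a root (constructed sample input, not a real instance)."""
    monomials = [frozenset(c) for k in range(3)
                 for c in itertools.combinations(range(n), k)]
    system = []
    for _ in range(m):
        poly = {mono for mono in monomials if rng.random() < 0.5}
        if evaluate(poly, solution):
            poly ^= {frozenset()}
        system.append(poly)
    return system

def brute_force_roots(system, n):
    """All roots by enumerating the 2^n points; used to check XL's output."""
    return [pt for pt in itertools.product((0, 1), repeat=n)
            if all(evaluate(p, pt) == 0 for p in system)]

def multiply(poly, extra):
    """poly times a monomial; x_i^2 = x_i can merge terms, which then cancel."""
    result = set()
    for mono in poly:
        result ^= {mono | extra}
    return result

def multilinear_count(n, D):
    """Columns of XL over GF(2): multilinear monomials of degree <= D."""
    return sum(comb(n, k) for k in range(min(n, D) + 1))

def gauss_gf2(rows):
    """Echelon form of GF(2) bit vectors (ints); returns {pivot bit: row}."""
    basis = {}
    for row in rows:
        while row:
            p = row.bit_length() - 1
            if p not in basis:
                basis[p] = row
                break
            row ^= basis[p]
    return basis

def solve_linear(rows, n):
    """Fully reduce rows of degree <= 1 (bit 0 = 1, bit 1+i = x_i); return
    {i: value} for every variable that XL has pinned down."""
    basis = gauss_gf2(rows)
    if 0 in basis:
        raise ValueError("inconsistent system: derived 1 = 0")
    for p in basis:
        for q in basis:
            if q != p and (basis[q] >> p) & 1:
                basis[q] ^= basis[p]
    return {p - 1: basis[p] & 1 for p in basis if basis[p] & ~1 == 1 << p}

def xl(system, n, D):
    """One XL round at degree D: extend by all monomials of degree <= D-2,
    linearise (low degree = low bit, so a row's pivot is its highest-degree
    term), eliminate, and read off whatever has become linear."""
    monos = [frozenset(c) for k in range(min(n, D) + 1)
             for c in itertools.combinations(range(n), k)]
    index = {mono: i for i, mono in enumerate(monos)}
    rows = []
    for k in range(D - 1):
        for extra in itertools.combinations(range(n), k):
            for poly in system:
                prod = multiply(poly, frozenset(extra))
                if prod:
                    rows.append(sum(1 << index[mono] for mono in prod))
    basis = gauss_gf2(rows)
    linear = [row for p, row in basis.items() if p <= n]
    return {"rows": len(rows), "columns": len(monos), "rank": len(basis),
            "linear": linear, "values": solve_linear(linear, n)}

# Constructed sample: n = 6, m = 12, a planted root, an arbitrary seed.
SOLUTION = (1, 0, 1, 1, 0, 0)
SAMPLE_SYSTEM = random_quadratic_system(6, 12, SOLUTION, random.Random(2003))

if __name__ == "__main__":
    for D in (2, 3, 4):
        r = xl(SAMPLE_SYSTEM, 6, D)
        print(f"D={D}: {r['rows']} rows x {r['columns']} columns (would be "
              f"{comb(6 + D, D)} without x_i^2 = x_i), rank {r['rank']}, "
              f"{len(r['values'])} of 6 variables fixed")
```

Two things the run makes visible that the abstract only states: the rank of the extended matrix stays below the number of rows because of linear dependencies among the products (at D = 3 there are up to 84 rows over only 42 columns, and at most 41 can be independent when the system has a root at all), and the degree-1 rows that survive elimination are genuinely in the ideal, so they hold at every root, which is what `brute_force_roots` lets you confirm on a toy size.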


References

  1. B. Barkee, D. C. Can, J. Ecks, T. Moriarty, R. F. Ree: Why You Cannot Even Hope to Use Gröbner Bases in Public Key Cryptography: An Open Letter to a Scientist Who Failed and a Challenge to Those Who Have Not Yet Failed. Journal of Symbolic Computation 18, 1994, pp. 497–501.

  2. Don Coppersmith, Shmuel Winograd: Matrix Multiplication via Arithmetic Progressions. Journal of Symbolic Computation 9, 1990, pp. 251–280.

  3. Nicolas Courtois, Louis Goubin, Willi Meier, Jean-Daniel Tacier: Solving Underdefined Systems of Multivariate Quadratic Equations. PKC 2002, LNCS 2274, Springer, pp. 211–227.

  4. Nicolas Courtois: The Security of Hidden Field Equations (HFE). Cryptographers' Track RSA Conference 2001, San Francisco, 8–12 April 2001, LNCS 2020, Springer-Verlag, pp. 266–281.

  5. Nicolas Courtois, Josef Pieprzyk: Cryptanalysis of Block Ciphers with Overdefined Systems of Equations. Asiacrypt 2002; a preprint with a different version of the attack is available at http://eprint.iacr.org/2002/044/.

  6. Magnus Daum: Das Kryptosystem HFE und quadratische Gleichungssysteme über endlichen Körpern (The HFE Cryptosystem and Quadratic Systems of Equations over Finite Fields). Diploma thesis, Universität Dortmund, 2001. Available from daum@itsc.ruhr-uni-bochum.de.

  7. Jean-Charles Faugère: Computing Gröbner Bases without Reduction to 0. Technical report, LIP6, in preparation; private communication. Also presented at the Workshop on Applications of Commutative Algebra, Catania, Italy, 3–6 April 2002.

  8. Jean-Charles Faugère: Report on a Successful Attack of HFE Challenge 1 with the Gröbner Bases Algorithm F5/2. Announcement posted to the sci.crypt newsgroup, 19 April 2002.

  9. Michael Garey, David Johnson: Computers and Intractability: A Guide to the Theory of NP-Completeness. Freeman, p. 251.

  10. Mireille Martin-Deschamps: private communication.

  11. T. T. Moh: On the Method of XL and Its Inefficiency Against TTM. Available at http://eprint.iacr.org/2001/047/.

  12. Jacques Patarin: Hidden Fields Equations (HFE) and Isomorphisms of Polynomials (IP): Two New Families of Asymmetric Algorithms. Eurocrypt '96, Springer-Verlag, pp. 33–48.

  13. Adi Shamir, Aviad Kipnis: Cryptanalysis of the HFE Public Key Cryptosystem. Advances in Cryptology, Proceedings of Crypto '99, Springer-Verlag, LNCS.

  14. Adi Shamir, Jacques Patarin, Nicolas Courtois, Alexander Klimov: Efficient Algorithms for Solving Overdefined Systems of Multivariate Polynomial Equations. Eurocrypt 2000, LNCS 1807, Springer, pp. 392–407.

Copyright information

© 2003 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Courtois, N.T., Patarin, J. (2003). About the XL Algorithm over GF(2). In: Joye, M. (eds) Topics in Cryptology — CT-RSA 2003. CT-RSA 2003. Lecture Notes in Computer Science, vol 2612. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-36563-X_10

  • DOI: https://doi.org/10.1007/3-540-36563-X_10

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-00847-7

  • Online ISBN: 978-3-540-36563-1