On Asymptotic Security Estimates in XL and Gröbner Bases-Related Algebraic Cryptanalysis

  • Bo-Yin Yang
  • Jiun-Ming Chen
  • Nicolas T. Courtois
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3269)


“Algebraic Cryptanalysis” against a cryptosystem often comprises finding enough relations that are generally or probabilistically valid, then solving the resultant system. The security of many schemes (most important being AES) thus depends on the difficulty of solving multivariate polynomial equations. Generically, this is NP-hard.

The related methods of XL (eXtended Linearization), Gröbner Bases, and their variants (of which a large number has been proposed) form a unified approach to solving equations and thus affect our assessment and understanding of many cryptosystems.

Building on prior theory, we analyze these XL variants and derive asymptotic formulas giving better security estimates under XL-related algebraic attacks; through this examination we have hopefully improved our understanding of such variants. In particular, guessing a portion of variables is a good idea for both XL and Gröbner Bases methods.


XL Gröbner Bases multivariate quadratics algebraic cryptanalysis asymptotic security estimates 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Anonymous Referee Report from Crypto 2004 (2004) Google Scholar
  2. 2.
    Bardet, M., Faugère, J.-C., Salvy, B.: Complexity of Gröbner Basis Computations for Regular Overdetermined Systems, inria rr-5049Google Scholar
  3. 3.
    Bernstein, D.: Matrix Inversion Made Difficult, preprint at
  4. 4.
    Chester, C., Friedman, B., Ursell, F.: An Extension of the Method of Steepest Descents. Proc. Camb. Philo. Soc. 53, 599–611 (1957)zbMATHCrossRefMathSciNetGoogle Scholar
  5. 5.
    Coppersmith, D.: Private communicationGoogle Scholar
  6. 6.
    Coppersmith, D., Winograd, S.: Matrix multiplication via Arithmetic Progressions. J. Symbolic Computation 9, 251–280 (1990)zbMATHCrossRefMathSciNetGoogle Scholar
  7. 7.
    Courtois, N.: Higher-Order Correlation Attacks, XL Algorithm and Cryptanalysis of Toyocrypt. In: Lee, P.J., Lim, C.H. (eds.) ICISC 2002. LNCS, vol. 2587, pp. 182–199. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  8. 8.
    Courtois, N.: Fast Algebraic Attacks on Stream Ciphers with Linear Feedback. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 177–194. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  9. 9.
    Courtois, N.: Algebraic Attacks over GF(2k), Cryptanalysis of HFE Challenge 2 and SFLASHv2. In: Bao, F., Deng, R., Zhou, J. (eds.) PKC 2004. LNCS, vol. 2947, pp. 201–217. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  10. 10.
    Courtois, N., Goubin, L., Patarin, J.: SFLASHv3, a Fast Asymmetric Signature Scheme, preprint available at
  11. 11.
    Courtois, N., Klimov, A., Patarin, J., Shamir, A.: Efficient Algorithms for Solving Overdefined Systems of Multivariate Polynomial Equations. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 392–407. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  12. 12.
    Courtois, N., Patarin, J.: About the XL Algorithm over GF(2). In: Joye, M. (ed.) CT-RSA 2003. LNCS, vol. 2612, pp. 141–157. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  13. 13.
    Courtois, N., Pieprzyk, J.: Cryptanalysis of Block Ciphers with Overdefined Systems of Equations. In: Zheng, Y. (ed.) ASIACRYPT 2002. LNCS, vol. 2501, pp. 267–287. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  14. 14.
    Daemen, J., Rijmen, V.: The Design of Rijndael, AES - The Advanced Encryption Standard. Springer, Heidelberg (2002)zbMATHGoogle Scholar
  15. 15.
    Diem, C.: The XL-algorithm and a conjecture from commutative algebra. In: Lee, P.J. (ed.) ASIACRYPT 2004. LNCS, vol. 3329, pp. 323–337. Springer, Heidelberg (2004) (to appear)CrossRefGoogle Scholar
  16. 16.
    Duff, S., Erismann, A.M., Reid, J.K.: Direct Methods for Sparse Matrices. Oxford Science Publications, Oxford (1986)zbMATHGoogle Scholar
  17. 17.
    Eberly, W., Kaltofen, E.: On Randomized Lanczos Algorithms. In: Proc. ISSAC 1997, pp. 176–183. ACM Press, New York (1997)CrossRefGoogle Scholar
  18. 18.
    Eisenbud, D.: Commutative Algebra with a View toward Algebraic Geometry. Springer, Heidelberg (1995)zbMATHGoogle Scholar
  19. 19.
    Faugère, J.-C.: A New Efficient Algorithm for Computing Gröbner Bases without Reduction to Zero (F5). In: Proceedings of ISSAC 2002, pp. 75–83. ACM Press, New York (2002)CrossRefGoogle Scholar
  20. 20.
    Faugère, J.-C., Joux, A.: Algebraic Cryptanalysis of Hidden Field Equations (HFE) Cryptosystems Using Gröbner Bases. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 44–60. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  21. 21.
    Fröberg, R.: An inequality for Hilbert Series of Graded Algebras. Math. Scand. 56, 117–144 (1985)zbMATHMathSciNetGoogle Scholar
  22. 22.
    Garey, M., Johnson, D.: Computers and Intractability, A Guide to the Theory of NP-completeness. W. H. Freeman, New York (1979)zbMATHGoogle Scholar
  23. 23.
    Hwang, H.-K.: Asymptotic estimates of elementary probability distributions. Studies in Applied Mathematics 99(4), 393–417 (1997)zbMATHCrossRefMathSciNetGoogle Scholar
  24. 24.
    LaMacchia, B., Odlyzko, A.: Solving Large Sparse Linear Systems over Finite Fields. In: Menezes, A., Vanstone, S.A. (eds.) CRYPTO 1990. LNCS, vol. 537, pp. 109–133. Springer, Heidelberg (1991)Google Scholar
  25. 25.
    Lazard, D.: Gröbner Bases, Gaussian Elimination and Resolution of Systems of Algebraic Equations. In: van Hulzen, J.A. (ed.) ISSAC 1983 and EUROCAL 1983. LNCS, vol. 162, pp. 146–156. Springer, Heidelberg (1983)Google Scholar
  26. 26.
    Matsumoto, T., Imai, H.: Public Quadratic Polynomial-Tuples for Efficient Signature-Verification and Message-Encryption. In: Günther, C.G. (ed.) EUROCRYPT 1988. LNCS, vol. 330, pp. 419–453. Springer, Heidelberg (1988)Google Scholar
  27. 27.
    McGeoch, C.: Veni, Divisi, Vici. Appearing in the “Computer Science Sampler. column of the Amer. Math. Monthly (May 1995)Google Scholar
  28. 28.
    Moh, T.: On The Method of XL and Its Inefficiency Against TTM, Available at
  29. 29.
    Murphy, S., Robshaw, M.: Essential Algebraic Structures Within the AES. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 1–16. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  30. 30.
    Murphy, S., Robshaw, M.: Comments on the Security of the AES and the XSL Technique, From author’s homepage
  31. 31.
    NESSIE Security Report, V2.0, Available at
  32. 32.
    Patarin, J.: Hidden Field Equations (hfe) and Isomorphisms of Polynomials (ip): Two New Families of Asymmetric Algorithms. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 33–48. Springer, Heidelberg (1996)Google Scholar
  33. 33.
    Patarin, J., Goubin, L., Courtois, N.: C∗ −+ and HM: Variations Around Two Schemes of T. Matsumoto and H. Imai. In: Ohta, K., Pei, D. (eds.) ASIACRYPT 1998. LNCS, vol. 1514, pp. 35–49. Springer, Heidelberg (1998)CrossRefGoogle Scholar
  34. 34.
    Patarin, J., Courtois, N., Goubin, L.: FLASH, a Fast Multivariate Signature Algorithm. In: Naccache, D. (ed.) CT-RSA 2001. LNCS, vol. 2020, pp. 298–307. Springer, Heidelberg (2001), Update with SFLASHv2 available at CrossRefGoogle Scholar
  35. 35.
    Strassen, V.: Gaussian Elimination is not Optimal. Num. Math. 13, 354–356 (1969)zbMATHCrossRefMathSciNetGoogle Scholar
  36. 36.
    Sugita, M., Kawazoe, M., Imai, H.: Relation between XL algorithm and Groebner Bases Algorithms (preprint),
  37. 37.
    Szegö, G.: Orthogonal Polynomials, 4th edn. Amer. Math. Soc., ProvidenceGoogle Scholar
  38. 38.
    Wiedemann, D.: Solving Sparse Linear Equations over Finite Fields. IEEE Transaction on Information Theory IT-32(1), 54–62 (1976)MathSciNetGoogle Scholar
  39. 39.
    Wong, R.: Asymptotic Approximations of Integrals. Acad. Press, San Diego (1989)zbMATHGoogle Scholar
  40. 40.
    Yang, B.-Y., Chen, J.-M.: All in the XL Family: Theory and Practice (preprint)Google Scholar
  41. 41.
    Yang, B.-Y., Chen, J.-M.: TTS: Rank Attacks in Tame-Like Multivariate PKCs, Available at
  42. 42.
    Yang, B.-Y., Chen, J.-M.: Theoretical Analysis of XL over Small Fields. In: Wang, H., Pieprzyk, J., Varadharajan, V. (eds.) ACISP 2004. LNCS, vol. 3108, pp. 277–288. Springer, Heidelberg (2004); Note: updated version available from the authorsCrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2004

Authors and Affiliations

  • Bo-Yin Yang
    • 1
  • Jiun-Ming Chen
    • 2
  • Nicolas T. Courtois
    • 3
  1. 1.Tamkang UniversityTamsuiTaiwan
  2. 2.Chinese Data Security Inc, & Nat’l Taiwan U.Taipei
  3. 3.Axalto SmartcardsParisFrance

Personalised recommendations