XSL attack

Last updated November 07, 2021

In cryptography, the eXtended Sparse Linearization (XSL) attack is a method of cryptanalysis for block ciphers. The attack was first published in 2002 by researchers Nicolas Courtois and Josef Pieprzyk. It has caused some controversy as it was claimed to have the potential to break the Advanced Encryption Standard (AES) cipher, also known as Rijndael, faster than an exhaustive search. Since AES is already widely used in commerce and government for the transmission of secret information, finding a technique that can shorten the amount of time it takes to retrieve the secret message without having the key could have wide implications.

The method has a high work-factor, which unless lessened, means the technique does not reduce the effort to break AES in comparison to an exhaustive search. Therefore, it does not affect the real-world security of block ciphers in the near future. Nonetheless, the attack has caused some experts to express greater unease at the algebraic simplicity of the current AES.

In overview, the XSL attack relies on first analyzing the internals of a cipher and deriving a system of quadratic simultaneous equations. These systems of equations are typically very large, for example 8,000 equations with 1,600 variables for the 128-bit AES. Several methods for solving such systems are known. In the XSL attack, a specialized algorithm, termed eXtended Sparse Linearization, is then applied to solve these equations and recover the key.

The attack is notable for requiring only a handful of known plaintexts to perform; previous methods of cryptanalysis, such as linear and differential cryptanalysis, often require unrealistically large numbers of known or chosen plaintexts.

Solving multivariate quadratic equations

Solving multivariate quadratic equations (MQ) over a finite set of numbers is an NP-hard problem (in the general case) with several applications in cryptography. The XSL attack requires an efficient algorithm for tackling MQ. In 1999, Kipnis and Shamir showed that a particular public key algorithm, known as the Hidden Field Equations scheme (HFE), could be reduced to an overdetermined system of quadratic equations (more equations than unknowns). One technique for solving such systems is linearization, which involves replacing each quadratic term with an independent variable and solving the resultant linear system using an algorithm such as Gaussian elimination. To succeed, linearization requires enough linearly independent equations (approximately as many as the number of terms). However, for the cryptanalysis of HFE there were too few equations, so Kipnis and Shamir proposed re-linearization, a technique where extra non-linear equations are added after linearization, and the resultant system is solved by a second application of linearization. Re-linearization proved general enough to be applicable to other schemes.

In 2000, Courtois et al. proposed an improved algorithm for MQ known as XL (for eXtended Linearization), which increases the number of equations by multiplying them with all monomials of a certain degree. Complexity estimates showed that the XL attack would not work against the equations derived from block ciphers such as AES. However, the systems of equations produced had a special structure, and the XSL algorithm was developed as a refinement of XL which could take advantage of this structure. In XSL, the equations are multiplied only by carefully selected monomials, and several variants have been proposed.

Research into the efficiency of XL and its derivative algorithms remains ongoing (Yang and Chen, 2004).

Application to block ciphers

Courtois and Pieprzyk (2002) observed that AES (Rijndael) and partially also Serpent could be expressed as a system of quadratic equations. The variables represent not just the plaintext, ciphertext and key bits, but also various intermediate values within the algorithm. The S-box of AES appears to be especially vulnerable to this type of analysis, as it is based on the algebraically simple inverse function. Subsequently, other ciphers have been studied to see what systems of equations can be produced (Biryukov and De Cannière, 2003), including Camellia, KHAZAD, MISTY1 and KASUMI. Unlike other forms of cryptanalysis, such as differential and linear cryptanalysis, only one or two known plaintexts are required.

The XSL algorithm is tailored to solve the type of equation systems that are produced. Courtois and Pieprzyk estimate that an "optimistic evaluation shows that the XSL attack might be able to break Rijndael [with] 256 bits and Serpent for key lengths [of] 192 and 256 bits." Their analysis, however, is not universally accepted. For example:

I believe that the Courtois–Pieprzyk work is flawed. They overcount the number of linearly independent equations. The result is that they do not in fact have enough linear equations to solve the system, and the method does not break Rijndael… The method has some merit, and is worth investigating, but it does not break Rijndael as it stands.
— Don Coppersmith, Crypto-Gram October 15, 2002: Comments from Readers

In AES 4 Conference, Bonn 2004, one of the inventors of Rijndael, Vincent Rijmen, commented, "The XSL attack is not an attack. It is a dream." Promptly Courtois answered, "XSL may be a dream. It may also be a very bad dream and turn into a nightmare."^[1] However neither any later paper or any actions by the NSA or NIST give any support to this remark by Courtois.

In 2003, Murphy and Robshaw discovered an alternative description of AES, embedding it in a larger cipher called "BES", which can be described using very simple operations over a single field, GF(2⁸). An XSL attack mounted on this system yields a simpler set of equations which would break AES with complexity of around 2¹⁰⁰, if the Courtois and Pieprzyk analysis is correct. In 2005 Cid and Leurent gave evidence that, in its proposed form, the XSL algorithm does not provide an efficient method for solving the AES system of equations; however Courtois disputed their findings.^{[ citation needed ]} At FSE 2007, Chu-Wee Lim and Khoongming Khoo showed that it^{[ clarification needed ]} cannot possibly work as presented.^{[ citation needed ]}

Even if XSL works against some modern algorithms, the attack currently poses little danger in terms of practical security. Like many modern cryptanalytic results, it would be a so-called "certificational weakness": while faster than a brute force attack, the resources required are still huge, and it is very unlikely that real-world systems could be compromised by using it. Future improvements could increase the practicality of an attack, however. Because this type of attack is new and unexpected, some cryptographers have expressed unease at the algebraic simplicity of ciphers like Rijndael. Bruce Schneier and Niels Ferguson write, "We have one criticism of AES: we don't quite trust the security… What concerns us the most about AES is its simple algebraic structure… No other block cipher we know of has such a simple algebraic representation. We have no idea whether this leads to an attack or not, but not knowing is reason enough to be skeptical about the use of AES." (Practical Cryptography, 2003, pp. 56–57)

Related Research Articles

The Advanced Encryption Standard (AES), also known by its original name Rijndael, is a specification for the encryption of electronic data established by the U.S. National Institute of Standards and Technology (NIST) in 2001.

In cryptography, a block cipher is a deterministic algorithm operating on fixed-length groups of bits, called blocks. They are specified elementary components in the design of many cryptographic protocols and are widely used to implement the encryption of large amounts of data, including data exchange protocols. It uses blocks as an unvarying transformation.

Cryptanalysis Study of analyzing information systems in order to discover their hidden aspects

Cryptanalysis refers to the process of analyzing information systems in order to understand hidden aspects of the systems. Cryptanalysis is used to breach cryptographic security systems and gain access to the contents of encrypted messages, even if the cryptographic key is unknown.

The Data Encryption Standard is a symmetric-key algorithm for the encryption of digital data. Although its short key length of 56 bits makes it too insecure for applications, it has been highly influential in the advancement of cryptography.

Differential cryptanalysis is a general form of cryptanalysis applicable primarily to block ciphers, but also to stream ciphers and cryptographic hash functions. In the broadest sense, it is the study of how differences in information input can affect the resultant difference at the output. In the case of a block cipher, it refers to a set of techniques for tracing differences through the network of transformation, discovering where the cipher exhibits non-random behavior, and exploiting such properties to recover the secret key.

Articles related to cryptography include:

Serpent is a symmetric key block cipher that was a finalist in the Advanced Encryption Standard (AES) contest, where it was ranked second to Rijndael. Serpent was designed by Ross Anderson, Eli Biham, and Lars Knudsen.

In cryptography, Skipjack is a block cipher—an algorithm for encryption—developed by the U.S. National Security Agency (NSA). Initially classified, it was originally intended for use in the controversial Clipper chip. Subsequently, the algorithm was declassified.

GOST (block cipher) Soviet/Russian national standard block cipher

The GOST block cipher (Magma), defined in the standard GOST 28147-89, is a Soviet and Russian government standard symmetric key block cipher with a block size of 64 bits. The original standard, published in 1989, did not give the cipher any name, but the most recent revision of the standard, GOST R 34.12-2015, specifies that it may be referred to as Magma. The GOST hash function is based on this cipher. The new standard also specifies a new 128-bit block cipher called Kuznyechik.

In cryptography, the Tiny Encryption Algorithm (TEA) is a block cipher notable for its simplicity of description and implementation, typically a few lines of code. It was designed by David Wheeler and Roger Needham of the Cambridge Computer Laboratory; it was first presented at the Fast Software Encryption workshop in Leuven in 1994, and first published in the proceedings of that workshop.

In cryptography, Camellia is a symmetric key block cipher with a block size of 128 bits and key sizes of 128, 192 and 256 bits. It was jointly developed by Mitsubishi Electric and NTT of Japan. The cipher has been approved for use by the ISO/IEC, the European Union's NESSIE project and the Japanese CRYPTREC project. The cipher has security levels and processing abilities comparable to the Advanced Encryption Standard.

In cryptography, FEAL is a block cipher proposed as an alternative to the Data Encryption Standard (DES), and designed to be much faster in software. The Feistel based algorithm was first published in 1987 by Akihiro Shimizu and Shoji Miyaguchi from NTT. The cipher is susceptible to various forms of cryptanalysis, and has acted as a catalyst in the discovery of differential and linear cryptanalysis.

In cryptography, LOKI97 is a block cipher which was a candidate in the Advanced Encryption Standard competition. It is a member of the LOKI family of ciphers, with earlier instances being LOKI89 and LOKI91. LOKI97 was designed by Lawrie Brown, assisted by Jennifer Seberry and Josef Pieprzyk.

In cryptography, LOKI89 and LOKI91 are symmetric-key block ciphers designed as possible replacements for the Data Encryption Standard (DES). The ciphers were developed based on a body of work analysing DES, and are very similar to DES in structure. The LOKI algorithms were named for Loki, the god of mischief in Norse mythology.

Nicolas Tadeusz Courtois is a cryptographer and senior lecturer in computer science at University College London.

In cryptography, Q is a block cipher invented by Leslie McBride. It was submitted to the NESSIE project, but was not selected.

Multivariate cryptography is the generic term for asymmetric cryptographic primitives based on multivariate polynomials over a finite field $. In certain cases those polynomials could be defined over both a ground and an extension field. If the polynomials have the degree two, we talk about multivariate quadratics. Solving systems of multivariate polynomial equations is proven to be NP-complete. That's why those schemes are often considered to be good candidates for post-quantum cryptography. Multivariate cryptography has been very productive in terms of design and cryptanalysis. Overall, the situation is now more stable and the strongest schemes have withstood the test of time. It is commonly admitted that Multivariate cryptography turned out to be more successful as an approach to build signature schemes primarily because multivariate schemes provide the shortest signature among post-quantum algorithms.$

Cryptography Practice and study of secure communication techniques

Cryptography, or cryptology, is the practice and study of techniques for secure communication in the presence of adversarial behavior. More generally, cryptography is about constructing and analyzing protocols that prevent third parties or the public from reading private messages; various aspects in information security such as data confidentiality, data integrity, authentication, and non-repudiation are central to modern cryptography. Modern cryptography exists at the intersection of the disciplines of mathematics, computer science, electrical engineering, communication science, and physics. Applications of cryptography include electronic commerce, chip-based payment cards, digital currencies, computer passwords, and military communications.

This article summarizes publicly known attacks against block ciphers and stream ciphers. Note that there are perhaps attacks that are not publicly known, and not all entries may be up to date.

PRESENT is a lightweight block cipher, developed by the Orange Labs (France), Ruhr University Bochum (Germany) and the Technical University of Denmark in 2007. PRESENT was designed by Andrey Bogdanov, Lars R. Knudsen, Gregor Leander, Christof Paar, Axel Poschmann, Matthew J. B. Robshaw, Yannick Seurin, and C. Vikkelsoe. The algorithm is notable for its compact size.

References

↑ Vincent Rijmen (2002-12-18). "Re: Rijndael and other block ciphers". Archived from the original on 2004-08-03. Retrieved 2015-03-16.

Alex Biryukov, Christophe De Cannière (2003). Johansson, Thomas (ed.). Block Ciphers and Systems of Quadratic Equations. LNCS . Lecture Notes in Computer Science. 2887. pp. 274–289. doi:10.1007/b93938. ISBN 978-3-540-20449-7.
Nicolas Courtois; Alexander Klimov; Jacques Patarin; Adi Shamir (2000). Efficient Algorithms for Solving Overdefined Systems of Multivariate Polynomial Equations (PDF). LNCS . Lecture Notes in Computer Science. 1807. pp. 392–407. doi:10.1007/3-540-45539-6_27. ISBN 978-3-540-67517-4.
Nicolas Courtois; Josef Pieprzyk (2002). Cryptanalysis of Block Ciphers with Overdefined Systems of Equations. LNCS . Lecture Notes in Computer Science. 2501. pp. 267–287. doi:10.1007/3-540-36178-2_17. ISBN 978-3-540-00171-3.
Aviad Kipnis; Adi Shamir (1999). Cryptanalysis of the HFE Public Key Cryptosystem by Relinearization. LNCS . Lecture Notes in Computer Science. 1666. pp. 19–30. doi:10.1007/3-540-48405-1_2. ISBN 978-3-540-66347-8.
Chu-Wee Lim; Khoongming Khoo (2007). An Analysis of XSL Applied to BES (PDF). LNCS . Lecture Notes in Computer Science. 4593. pp. 242–253. doi:10.1007/978-3-540-74619-5_16. ISBN 978-3-540-74617-1.
Dana Mackenzie (2003). "A game of chance". New Scientist . 178 (2398): 36.
Sean Murphy; Matthew J. B. Robshaw (2002). Essential Algebraic Structure within the AES. LNCS . Lecture Notes in Computer Science. 2442. pp. 1–16. CiteSeerX 10.1.1.20.5249 . doi:10.1007/3-540-45708-9_1. ISBN 978-3-540-44050-5.
S. Murphy, M. Robshaw Comments on the Security of the AES and the XSL Technique.
Bo-Yin Yang, Jiun-Ming Chen (2004). Wang, Huaxiong; Pieprzyk, Josef; Varadharajan, Vijay (eds.). Theoretical Analysis of XL over Small Fields (PDF). LNCS . Lecture Notes in Computer Science. 3108. pp. 277–288. doi:10.1007/b98755. ISBN 978-3-540-22379-5.
C. Cid, G. Leurent (2005). Roy, Bimal (ed.). An Analysis of the XSL Algorithm (PDF). LNCS . Lecture Notes in Computer Science. 3788. pp. 333–335. doi:10.1007/11593447. ISBN 978-3-540-30684-9.
C. Diem (2004). Lee, Pil Joong (ed.). The XL-Algorithm and a Conjecture from Commutative Algebra (PDF). LNCS . Lecture Notes in Computer Science. 3329. pp. 323–337. doi:10.1007/b104116. ISBN 978-3-540-23975-8.

External links

Courtois' page on AES
"Quadratic Cryptanalysis", an explanation of the XSL attack by J. J. G. Savard
"AES is NOT broken" by T. Moh
Courtois and Pieprzyk paper on ePrint
Commentary in the Crypto-gram newsletter: , , .
An overview of AES and XSL

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] Vincent Rijmen (2002-12-18). "Re: Rijndael and other block ciphers". Archived from the original on 2004-08-03. Retrieved 2015-03-16.

[1]