Theoretical Analysis of XL over Small Fields

XL was first introduced to solve determined or overdetermined systems of equations over a finite field as an “algebraic attack” against multivariate cryptosystems. There has been a steady stream of announcements of cryptanalysis of primitives by such attacks, including stream ciphers (e.g. Toyocrypt), PKC’s, and more controversially block ciphers (AES/Rijndael and Serpent). Prior discussions of XL are usually heavy in simulations, which are of course valuable but we would like more attention to theory, because theory and simulations must validate each other, and there are some nuances not easily discerned from simulations. More effort was made in this direction of recent, but much of it was restricted to a large base field of size , which is usually equal to . By conducting an analysis of XL variants in general, we try to derive rigorous “termination conditions”, minimal degree requirements for reliable, successful operation of XL and its relatives, hence better security estimates. Our work is applicable to small , in particular the significant case. Armed with this analysis, we reexamine previously announced results. We conclude that XL and variants represent a theoretical advance that is especially significant over small fields (in particular over ). However, its applicability and efficacy are occasionally overestimated slightly. We discuss possible future research directions. Much remains to be done.