Master's and Doctoral Theses: detailed record for etd-0815103-021558
Title page for etd-0815103-021558
Title
XL2 演算法之實作
The Implement of XL2 Algorithm
Department
Year, semester
Language
Degree
Number of pages
25
Author
Advisor
Convenor
Advisory Committee
Date of Exam
2003-07-11
Date of Submission
2003-08-15
Keywords
XL2, Cryptography, AES
XL2, AES, Cryptanalysis
Statistics
The thesis/dissertation has been browsed 5661 times and downloaded 2457 times.
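Chinese Abstract
Since AES became the official encryption standard in 2001, many attacks have appeared, such as the differential attack and the linear attack. Recently a new attack has appeared, called the XL algorithm, which attempts to turn AES into the problem of solving a system of multivariate polynomial equations. The method attracted a great deal of attention, but Professor Moh (莫宗堅) and Don Coppersmith later pointed out errors in it. The authors of the XL algorithm therefore modified the original algorithm into the XL2 algorithm. Unlike its predecessor, XL2 applies only to the two-element finite field GF(2). To understand its practical performance, we first describe the process and method of implementing the XL2 algorithm and then analyze its performance. In addition, in the paper "Essential algebraic structure within the AES", the authors convert AES into BES and thereby obtain more polynomials. Unlike BES, we convert AES into a system of multivariate polynomial equations over GF(2) and use it to discuss the effect of XL2 on these polynomials.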
Abstract
Since AES became the standard encryption algorithm in 2001, many attacks have appeared, such as the differential attack and the linear attack. Recently, a new attack named the XL algorithm has appeared. It tries to turn AES into the problem of solving systems of multivariate polynomial equations. The method attracted a great deal of attention, but it was proved wrong by Dr. Moh and Don Coppersmith. The author of the XL algorithm therefore made some changes to the algorithm and called the new method the XL2 algorithm. Unlike XL, XL2 can only be used in GF(2). In order to understand the efficiency of XL2, we implement the algorithm. In the paper ‘Essential algebraic structure within the AES’, the authors transform AES into BES and obtain more equations that way. Unlike BES, we transform AES into multivariate polynomials over GF(2) and try to solve them with our implementation of the XL2 algorithm.
Table of Contents
1 Introduction
2 Principles and Implementation of the XL2 Algorithm
2.1 Relinearization
2.2 Principles of XL2
2.3 The XL2 Algorithm
2.4 Implementation
3 Performance Analysis
3.1 The Case D = 2
3.2 The Case D = 3
3.3 The Case D = 4
4 Transforming the AES Encryption Process
4.1 The ByteSub Transformation
4.2 The ShiftRow Transformation
4.3 The MixColumn Transformation
4.4 Changes to the AddRoundKey Values
4.5 The AES Encryption Matrix
4.6 One Round of Encryption
5 Conclusion
References
A The Bytesub Operation
References
[1] Nicolas Courtois, Alexander Klimov, Jacques Patarin, and Adi Shamir.
Efficient algorithms for solving overdefined systems of multivariate polynomial
equations. Advances in Cryptology, EUROCRYPT:392–407, 2000.

[2] Nicolas T. Courtois. About the XL algorithm over GF(2).
http://www.minrank.org/aes/. September 2002.

[3] Nicolas T. Courtois and Jacques Patarin. About the XL algorithm over
GF(2). Cryptographers’ Track RSA, Springer Verlag 2003:13–17, April 2003.

[4] Nicolas T. Courtois and Josef Pieprzyk. Cryptanalysis of block ciphers
with overdefined systems of equations. Advances in Cryptology ASIACRYPT,
Springer Verlag 2002:267–287, 2002.

[5] J. Daemen and V. Rijmen. AES proposal: Rijndael.
www.esat.kuleuven.ac.be/ rijmen/rijndael/.

[6] Stefan Lucks. Attacking seven rounds of Rijndael under 192-bit and 256-bit
keys, 2000. Third AES Candidate Conference, AES3, New York.

[7] T. T. Moh. On the method of XL and its inefficiency against TTM.
available at http://eprint.iacr.org/2001/047/.

[8] S. Murphy and M.J.B. Robshaw. Essential algebraic structure within the
AES. Advances in Cryptology - CRYPTO, Lecture Notes in Computer
Science 2442:1–16, 2002.

[9] S.P. Murphy and M.J.B. Robshaw. Comments on the security of the
AES and the XSL technique. Electronics Letters, Vol.39:36–38, September 2002.

[10] Aviad Kipnis and Adi Shamir. Cryptanalysis of the HFE public key cryptosystem
by relinearization. Advances in Cryptology, Crypto’99.
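Fulltext
This electronic full text is licensed to users solely for academic research, for personal, non-profit searching, reading and printing. Please comply with the Copyright Act of the Republic of China and do not reproduce, distribute, adapt, repost or broadcast it, so as not to break the law.
Thesis access permission: unrestricted (fully open on and off campus)
Available:
Campus: available
Off-campus: available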


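Printed copies
Public availability information for printed theses is relatively complete from academic year 102 onward. To look up public availability information for printed theses from academic year 101 or earlier, please contact the printed thesis service desk of the Office of Library and Information Services. We apologize for any inconvenience.
Available: available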
