自從AES 問世之後，如何解多變數二次方程組已經被認為是破解AES 的關鍵之一。但是解決 MQE 問題是一個 NP-hard 問題，因此必須發展出一個好的演算法來解決MQE問題是相當重要的。在這樣的環境之下，XL演算法被提出作為解MQE問題，因而成為一個令人重視的課題。但是XL演算法必須在overdefined 的情況下才能運作，因此密碼學者也不斷尋找如BES一般的方法去增加方程式的數量。在實作上會發現由於解MQE的過程中，方程組會不斷快速的延昇擴大，因此如果輸入時的方程式個數與未知數個數過大，往往會發現由於硬體的限制而無法找出解。在這篇論文中，我們利用多個明文密文對增加其方程式的數量，並利用一些輸入前的前置作業，縮小一個我們要解的問題之輸入，使得這個問題可以在實作中改進其解決效能。

How to solve a multivariate quadratic polynomial equation system is believed to be one of the key points to beark AES. But to solve the MQE problem is NP-hard, so it's very important to develop a good algorithm to solve it. In such a situation, the XL algorithm is claimed to be the method to solve the MQE problem, and the cryptographers pay a lot of attetion to it. But the XL algorithm works only when the equation system is overdefined, for this reason cryptographers are looking for some ways, such as BES, to increase the numbers of equations. In practice we know that the process of solving MQE, the system will extend very fast, therefore if we input too many equations and variates, we usually using out of memory before finding out the solution. In the paper we use multiple plaintext-ciphertext to increase the number of equations and try to do some pre-computing work to reduce the size of a problem, and make it work better in pratice.

1 緒論 5
2 AES 與其變形 7
2.1 AES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
2.2 Big Encryption System . . . . . . . . . . . . . . . . . . . . . . 10
2.3 Small scale variants . . . . . . . . . . . . . . . . . . . . . . . . 11
3 XL 演算法15
3.1 XL 演算法. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
3.2 XL 演算法的效能分析. . . . . . . . . . . . . . . . . . . . . . . 16
3.3 XL 家族 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
4 實驗與改進 19
4.1 起源與想法. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
4.2 對 SR(n, 1, 1, e) 的攻擊 . . . . . . . . . . . . . . . . . . . . . . 22
4.3 對 SR(n, r, c, e) 的攻擊 . . . . . . . . . . . . . . . . . . . . . . 30
5 結論 32
A SR(1, 2, 2, 4) 的 BES MQE 35
B SR(1, 2, 2, 4) 使用兩組資料之結果39

A Simple Algebraic Representation of Rijndael.Draft 2001/05/16, presented at the rump session of Crypto 2000.

M.Garey and D. Johnson. W. H. Freeman.Computers and intractability, A Guide to the Theory of NP-completeness.

A New Efficient Algorithm for Computing Grobner bases(F4).
Journal of Pure and Applied Algebra, 139 (1999), pp. 61-88.

A New Efficient Algorithm for Computing Grobner bases without Reduction to Zero(F5).ACM Press, 2002.


Nicolas Coutois, Alexander Klimov, Jacques Patarin, and Adi Shamir. Efficient Algorithms for Solving Overdefined System of Multivariate Polynomial Equations.EUROCRYPT 2000, LNCS V. 1807, pp. 392-407.

Cryptanalysis of Block Ciphers with Overdefined Systems of Equations.Cryptology ePrint Archive, report 2002/044, 2002. In Yuliang Zheng, editor. Advances in Cryptology - ASIACRYPT 2002, volumn 2501 of Lecture Notes, in Computer Science, pages 267-287. Springer, 2002.


S. Murphy and M.J.B. Robshaw.Essential Algebraic Structure Within the AES In M. Yung, editor, Proceedings of CRYPTO 2002, LNCS 2442 pages 11-16, Springer-Verlag, 2002.

C.Cid, S. Murphy and M.J.B. Robshaw.Small Scale Variants of the AES.In H. Gilbert and H. Handschuh, editors, Fast Software Encryption - FSE 2005,
volume 3557 of Lecture Notes in Computer Science, pages 145-162, Springer, 2004.

Bo-Yin Yang and Jiun-Ming Chen.All in the XL Family : Theory and Practice.

Bo-Yin Yang and Jiun-Ming Chen. Theoretical Analysis of XL over Small Fields.ACISP 2004 LNCS V. 3108, pp.277-288.

Bo-Yin Yang, Jiun-Ming Chen, and Nicolas Courtois.On Asymptotic Security Estimates in XL and Gr"{o}bner Bases-Related Algebratic Cryptanalysis.