Public-Key Cryptography Based on Tropical Circular Matrices

Abstract

Some public-key cryptosystems based on the tropical semiring have been proposed in recent years because of their increased efficiency, since the multiplication is actually an ordinary addition of numbers and there is no ordinary multiplication of numbers in the tropical semiring. However, most of these tropical cryptosystems have security defects because they adopt a public matrix to construct commutative semirings. This paper proposes new public-key cryptosystems based on tropical circular matrices. The security of the cryptosystems relies on the NP-hard problem of solving tropical nonlinear systems of integers. Since the used commutative semiring of circular matrices cannot be expressed by a known matrix, the cryptosystems can resist KU attacks. There is no tropical matrix addition operation in the cryptosystem, and it can resist RM attacks. The new cryptosystems can be considered as a potential post-quantum cryptosystem.

1. Introduction

Public-key cryptography was introduced by Diffie and Hellman [1]. In a public-key cryptosystem, the key for encryption is public and the key for decryption is private. Since then, public-key cryptography has been booming and has been widely used in modern communications. Modern public-key cryptography relies mainly on the integer factorization problem (IFP) [2] and discrete logarithm problem (DLP) [1,3]. However, Shor [4] proposed a quantum algorithm that can solve the integer factorization problem and discrete logarithm problem in polynomial time on a quantum computer. So, it is a research area focused on public-key cryptography to design public-key cryptosystems that can resist quantum attacks [5].

In the past two decades, different algebraic structures have been recommended to improve the existing public-key cryptosystems. Some researchers considered non-abelian groups to design public-key cryptosystems such as matrix groups [6,7,8,9], braid groups [10,11], inner automorphism groups [12], and ring structures [13] for cryptographic primitives. However, many successful attacks on such cryptosystems have been published [14,15,16,17].

Maze, Monico, and Rosenthal proposed one of the first cryptosystems based on semigroups and semirings [18], using some ideas from [10], as well as from their previous article [19]. However, it was broken by Steinwandt et al. [20]. Atani published a cryptosystem using semimodules over factor semirings [21]. Durcheva applied some idempotent semirings to construct cryptographic protocols [22]. A survey on semirings and their cryptographic applications was carried out by Durcheva [23].

Grigoriev and Shpilrain proved that the problem of solving the systems of min-plus polynomial equations in tropical algebra is NP-hard and suggested using a min-plus (tropical) semiring to design a public-key cryptosystem [24]. An obvious advantage of using tropical algebras as platforms is high efficiency because, in tropical schemes, one does not have to perform any multiplication of numbers since tropical multiplication is the usual addition. However, “tropical powers” of an element exhibit some patterns, even if such an element is a matrix over a tropical algebra. This weakness was exploited by Kotov and Ushakov to propose a fairly successful attack on the public-key cryptosystem in [25]. Then, Grigoriev and Shpilrain improved the original scheme and proposed the public-key cryptosystems based on the semi-direct product of the tropical matrix semiring [26]. However, some attacks on the improved public-key cryptosystem have been suggested by Rudy and Monico [27] and Isaac and Kahrobei [28]. As we know, most of these tropical public-key cryptosystems have security defects because they adopt a public matrix to construct commutative semirings or there is a tropical matrix addition operation in the cryptosystems. A review of the tropical approach in cryptography was carried out by Ahmed, Pal and Mohan [29].

Our contribution: This paper provides new public-key cryptosystems based on tropical t-circular matrices. The security of the cryptosystem relies on the NP-hard problem of solving tropical nonlinear systems of integers. Since the used commutative semirings of circular matrices cannot be represented by a known matrix and there is no tropical matrix addition operation in the cryptosystem, these cryptosystems can resist all known attacks such as KU attacks and RM attacks. Our results show that these cryptosystems are secure when the computational two-side tropical circular matrices action problem (CTCMAP) and the decisional two-side tropical circular matrices action problem (DTCMAP) are hard. It seems that our cryptosystems based on tropical circular matrices can be considered as potential post-quantum cryptosystems.

The rest of the paper is organized as follows: We focus on some definitions as fundamental key notions of tropical matrix algebra in Section 2. In Section 3, we present the new public-key cryptosystems based on tropical circular matrices. Then, in Section 4, parameter selection and efficiency of the cryptosystems are discussed. Finally, the conclusion and further research are given in Section 5.

2. Tropical Matrix Semiring over Integer

The definition of a semiring was first given by Vandiver [30]. These are structures that satisfy all the properties of a ring, except for the existence of additive inverses. Imre Simon, a Brazilian mathematician and computer scientist, discovered what is now known as the tropical semiring [31].

Definition 1 ([32]).

Let $R$ be a non-empty set with binary operations “+” and “$·$”; then, $R$ is called a semiring if it satisfies the following conditions:

(1)

$(R,+)$ is a commutative semigroup with an identity element 0;

(2)

$(R,·)$ is a semigroup with an identity element  $1\ne 0$;

(3)

Multiplication satisfies the left and right distribution law for addition;

(4)

$(\forall a\in R)$$a·0=0·a=0$.

If $(R,·)$ is commutative, then the semiring is called a commutative semiring.

Definition 2 ([24]).

The integer tropical commutative semiring is the set $\mathcal{Z}=\mathbb{Z}\cup \{\infty \}$ with addition and multiplication as follows:

$$(\forall x,y\in \mathbb{Z})x\oplus y=\min (x,y),\hspace{1em}\hspace{0.17em}\hspace{0.17em}\hspace{0.17em}x\otimes y=x+y.$$

$\infty$satisfies the following equations:

$$(\forall x\in \mathbb{Z})\infty \oplus x=x,\hspace{0.17em}\hspace{0.17em}\hspace{0.17em}\hspace{0.17em}\infty \otimes x=\infty .$$

It is clear that$(\mathcal{Z},\oplus ,\otimes )$is a commutative semiring whose zero element and unitary element are$\infty$and 0, respectively.

Let$M_k(\mathcal{Z})$be the set of all$k\times k$matrices over$\mathcal{Z}$. We can also define the tropical matrix$\oplus$and$\otimes$operations.

$$\left(\forall A={\left(a_{ij}\right)}_{k\times k},B={\left(b_{ij}\right)}_{k\times k}\in M_k(\mathcal{Z})\right)A\oplus B={\left(a_{ij}\oplus b_{ij}\right)}_{k\times k},A\otimes B={\left({\displaystyle \sum _{l=1}^n{a}_{il}\otimes b_{lj}}\right)}_{k\times k}$$

Example 1.

$$\left(\begin{array}{cc}4& -5\\ 27& 0\end{array}\right)\oplus \left(\begin{array}{cc}10& 3\\ 1& 9\end{array}\right)=\left(\begin{array}{cc}4& -5\\ 1& 0\end{array}\right)$$

$$\left(\begin{array}{cc}4& -5\\ 27& 0\end{array}\right)\otimes \left(\begin{array}{cc}10& 3\\ 1& 9\end{array}\right)=\left(\begin{array}{cc}-4& 4\\ 1& 9\end{array}\right)$$

$$\left(\begin{array}{cc}10& 3\\ 1& 9\end{array}\right)\otimes \left(\begin{array}{cc}4& -5\\ 27& 0\end{array}\right)=\left(\begin{array}{cc}14& 3\\ 5& -4\end{array}\right)$$

Let$t$be an integer. If a matrix$A$has the following form,

$$A=\left(\begin{array}{ccccc}{a}_0& a_{k-1}\otimes t& a_{k-2}\otimes t& \cdots & a_1\otimes t\\ a_1& a_0& a_{k-1}\otimes t& \cdots & a_2\otimes t\\ a_2& a_1& a_0& \cdots & a_3\otimes t\\ ⋮& ⋮& ⋮& \ddots & ⋮\\ a_{k-1}& a_{k-2}& a_{k-3}& \cdots & a_0\end{array}\right),$$

then it is called an upper t-circular matrix. We denote$A$by${ [a_0,a_1,\cdots ,a_{k-1}]}_k^t$or${[a_0,a_1,\cdots ,a_{k-1}]}^t$. Let$C_k^t=\{A\in M_k(\mathcal{Z})|A \mathrm{is} \mathrm{upper} t-\mathrm{circular} \mathrm{matrix}\}.$

Proposition 1.

For any integer $t$, $C_k^t$ is a commutative sub-semiring of $M_k(\mathcal{Z})$.

3. Public-Key Cryptography Using Tropical T-Circular Matrices

3.1. Key Exchange Protocol Based on Tropical Circular Matrices

Definition 3.

Let $s$ and $t$ be two integers. Let $P\in C_k^s$, $Q\in C_k^t$, and $Y\in M_k(\mathcal{Z})\backslash (C_k^s\cup C_k^t)$. Suppose that $N=PYQ$. The two-side tropical circular matrix action problem (TCMAP) is to find two matrices $P\in C_k^s$, $Q\in C_k^t$ such that $N=PYQ$, given the matrices $N$ and $Y$.

Protocol 1.

Let $k,s,t$ be three positive integers. Let $Y\in M_k(\mathcal{Z})\backslash (C_k^s\cup C_k^t)$. In addition, $k,s,t$ and $Y$ are public.

(1)

Alice selects at random two matrices$P_1\in C_k^s$and$Q_1\in C_k^t$, and computes$K_a=P_{1}Y{Q}_1$. In addition, she sends to Bob the matrix$K_a$.

(2)

Bob selects at random two matrices$P_2\in C_k^s$and$Q_2\in C_k^t$, and computes$K_b=P_{2}Y{Q}_2$. He sends to Alice the vector$K_b$.

(3)

Alice computes$K=P_1{K}_b{Q}_1$. In addition, Bob computes$K=P_2{K}_a{Q}_2$.

Since$C_k^s$and$C_k^t$are commutative sub-semirings of$M_k(\mathcal{Z})$, we have$P_1{P}_2=P_2{P}_1$,$Q_1{Q}_2=Q_2{Q}_1$and

$$P_1{K}_b{Q}_1=P_1(P_{2}Y{Q}_2)Q_1=(P_1{P}_2)Y(Q_2{Q}_1)=(P_2{P}_1)Y(Q_1{Q}_2)=P_2(P_{1}Y{Q}_1)Q_2=P_2{K}_a{Q}_2$$

Then, Alice and Bob share a secret key$K$.

Definition 4.

Let $k,s,t$ be three positive integers. Let $P_1,P_2\in C_k^s$, $Q_1,Q_2\in C_k^t$ and $Y\in M_k(\mathcal{Z})\backslash (C_k^s\cup C_k^t)$. Suppose that $K_a=P_{1}Y{Q}_1$ and $K_b=P_{2}Y{Q}_2$. The computational two-side tropical circular matrix action problem (CTCMAP) is to find a matrix $K\in M_k(\mathcal{Z})$ such that $K=P_1{P}_{2}Y{Q}_1{Q}_2$, given the matrices $K_a,K_b$ and $Y$.

Proposition 2.

An algorithm that solves TCMAP can be used to solve CTCMAP.

Theorem 1.

Finding the common secret key from the public information of Protocol 1 is equivalent to solving CTCMAP.

We give a practical example of Protocol 1 with small parameters in Appendix A.

Remark 1.

Protocol 1 is simplified. It can only resist passive attacks, but not active attacks, such as intruder-in-the-middle attacks. To avoid these attacks, it is desirable to have a procedure that authenticates Alice and Bob’s identities to each other while the key is being formed. A standard way to stop an intruder-in-the-middle attack is the station-to-station (STS) protocol, which uses digital signatures.

The extended protocol makes use of certificates that, as usual, are signed by a TA (trusted authority). Each user U will have a signature scheme with a verification algorithm${\mathrm{Ver}}_{\mathrm{U}}$and a signing algorithm${\mathrm{Sig}}_{\mathrm{U}}$. The TA also has a signature scheme with a public verification algorithm${\mathrm{Ver}}_{\mathrm{TA}}$. Each user U has a certificate

$$\mathit{Cert}\left(U\right)=\left(\mathit{ID}\right(U),{\mathrm{Ver}}_{\mathrm{U}},{\mathrm{Sig}}_{\mathrm{TA}}\left(\mathit{ID}\right(U),{\mathrm{Ver}}_{\mathrm{U}})),$$

where ID(U) is certain identification information for U.

Protocol 2.

The public domain parameters consist of$k,s,t$and$Y$as Protocol 1.

(1) Alice selects at random two matrices $P_1\in C_k^s$ and$Q_1\in C_k^t$, and computes$K_a=P_{1}Y{Q}_1$. She sends Cert(A) and $K_a$ to Bob.

(2) Bob selects at random two matrices$P_2\in C_k^s$ and$Q_2\in C_k^t$, and computes

$$K_b=P_{2}Y{Q}_2, K=P_2{K}_a{Q}_2=P_2{P}_{1}Y{Q}_1{Q}_2, y_b={\mathrm{sig}}_{\mathrm{B}}\left(\mathrm{ID}\left(\mathrm{A}\right)\left|\right|K_b\left|\right|K_a\right).$$

Then, Bob sends Cert(B),$K_b$and$y_b$to Alice.

(3) Alice verifies $y_b$ using${\mathrm{Ver}}_{\mathrm{B}}$. If the signature$y_b$ is not valid, then she “rejects” and quits. Otherwise, she “accepts” and computes

$$K=P_1{K}_b{Q}_1=P_1{P}_{2}Y{Q}_2{Q}_1, y_a={\mathrm{sig}}_{\mathrm{A}}\left(\mathrm{ID}\left(\mathrm{B}\right)\left|\right|K_a\left|\right|K_b\right),$$

and she sends$y_a$ to Bob.

(4) Bob verifies $y_a$ using${\mathrm{Ver}}_{\mathrm{A}}$. If the signature$y_a$ is not valid, then he “rejects”; otherwise, he “accepts”.

3.2. Public-Key Encryption Scheme Based on Tropical Circular Matrices

• Cryptosystem 1.

(1)

Key generation:

Let $k,s,t$ be three positive integers. Let $P_1\in C_k^s$, $Q_1\in C_k^t$ and $Y\in M_k(\mathcal{Z})\backslash (C_k^s\cup C_k^t)$. Suppose that $K_a=P_{1}Y{Q}_1$. $k,s,t,Y$ are public. Alice’s public key is $K_a$. Alice’s secret key is $P_1,Q_1$.

(2)

Encryption:

Bob wants to send a message $M\in M_k(\mathbb{Z})$ to Alice.

(i)

Bob chooses at random $P_2\in C_k^s$, $Q_2\in C_k^t$ and computes $R=P_{2}Y{Q}_2$ as a part of the ciphertext.

(ii)

Bob computes $S=M+P_2{K}_a{Q}_2$ as the rest of the ciphertext, where “+” is the ordinary integer matrix addition.

(iii)

Bob sends the ciphertext $(R,S)$ to Alice.

(3)

Decryption:

Alice receives the ciphertext $(R,S)$ and tries to decrypt it.

(i)

Using her secret key $P_1,Q_1$, Alice computes $T=P_{1}R{Q}_1$.

(ii)

Alice computes $S-T$, where “$-$” is the ordinary integer matrix subtraction.

Since

$$\begin{array}{lll}S-T\hfill & =\hfill & M+P_2{K}_a{Q}_2-P_{1}R{Q}_1\hfill \\ \hfill & =\hfill & M+P_2(P_{1}Y{Q}_1)Q_2-P_1(P_{2}Y{Q}_2)Q_1\hfill \\ \hfill & =\hfill & M+P_2{P}_{1}Y{Q}_1{Q}_2-P_1{P}_{2}Y{Q}_2{Q}_1\hfill \\ \hfill & =\hfill & M+P_1{P}_{2}Y{Q}_1{Q}_2-P_1{P}_{2}Y{Q}_1{Q}_2\hfill \\ \hfill & =\hfill & M,\hfill \end{array}$$

Alice obtains the plaintext messages $M$.

Definition 5.

Let $k,s,t$ be three positive integers. Let $P_1,P_2\in C_k^s$, $Q_1,Q_2\in C_k^t$ and $Y,E\in M_k(\mathcal{Z})\backslash (C_k^s\cup C_k^t)$. Suppose that $K_a=P_{1}Y{Q}_1$ and $K_b=P_{2}Y{Q}_2$. The decisional two-side tropical circular matrix action problem (DTCMAP) is to decide whether $E=P_1{P}_{2}Y{Q}_1{Q}_2$, given $Y,K_a,K_b,E$.

Proposition 3.

An algorithm that solves CTCMAP can be used to solve DTCMAP.

Theorem 2.

An algorithm that solves DTCMAP can be used to decide the validity of the ciphertexts of Cryptosystem 1, and an algorithm that decides the validity of the ciphertexts of Cryptosystem 1 can be used to solve DTCMAP.

Proof of Theorem 2.

Suppose first that the algorithm ${\mathcal{A}}_1$ can decide whether a decryption of Cryptosystem 1 is correct. In other words, when given the inputs $Y,K_a,(R,S),M$, the algorithm ${\mathcal{A}}_1$ outputs “yes” if $M$ is the decryption of $(R,S)$ and outputs “no” otherwise. Let us use ${\mathcal{A}}_1$ to solve the decisional two-side tropical circular matrix action problem. Suppose you are given $Y$, $K_a(=P_{1}Y{Q}_1)$, $K_b(=P_{2}Y{Q}_2)$ and $E$, and you want to decide whether or not $E=P_1{P}_{2}Y{Q}_1{Q}_2$. Let $K_a$ be the public key and $R=K_b$ be the first part of the ciphertext. Moreover, let $S=E$ be the second part of the ciphertext and $M=0_{k\times k}$ be the zero matrix in $M_k(\mathcal{Z})$. Input all of these into ${\mathcal{A}}_1$. Note that, in the present setup, $P_1,Q_1$ are the secret keys. The correct decryption of $(R,S)$ is $S-P_{1}R{Q}_1=E-P_1{P}_{2}Y{Q}_1{Q}_2$. Therefore, ${\mathcal{A}}_1$ outputs “yes” exactly when $M=0$ is the same as $E-P_1{P}_{2}Y{Q}_1{Q}_2$, namely, when $E=P_1{P}_{2}Y{Q}_1{Q}_2$. This solves DTCMAP.

Conversely, suppose an algorithm ${\mathcal{A}}_2$ can solve DTCMAP. This means that if you give ${\mathcal{A}}_2$ inputs $Y$, $K_a(=P_{1}Y{Q}_1)$, $K_b(=P_{2}Y{Q}_2)$ and $E$, then ${\mathcal{A}}_2$ outputs “yes” if $E=P_1{P}_{2}Y{Q}_1{Q}_2$ and outputs “no” if not. Let $M$ be the claimed decryption of the ciphertext $(R,S)$. Input the public key $K_a$ and input $R=P_{2}Y{Q}_2$ as $K_b$. Input $S-M$ as $E$.

Note that $M$ is the correct plaintext for the ciphertext $(R,S)$ if and only if $M=S-P_{1}R{Q}_1=S-P_1{P}_{2}Y{Q}_1{Q}_2$, which happens if and only if $S-M=P_1{P}_{2}Y{Q}_1{Q}_2$. Therefore, $M$ is the correct plaintext if and only if $E=P_1{P}_{2}Y{Q}_1{Q}_2$. Therefore, with these inputs, ${\mathcal{A}}_2$ outputs “yes” exactly when $M$ is the correct plaintext. □

4. Security and Parameter Selection

Through Theorem 1, Proposition 3, and Theorem 2, an efficient algorithm for solving the two-side tropical circular matrix action problem can be used to attack Protocol 1 and Cryptosystem 1.

Proposition 4.

TCMAP can be reduced to the problem of solving a tropical nonlinear system of equations.

Proof of Proposition 4.

Let $P\in C_k^s$, $Q\in C_k^t$ and $Y\in M_k(\mathcal{Z})\backslash (C_k^s\cup C_k^t)$. Suppose that $N=PYQ$. Now, we can try to find two matrices, $P\in S_1$ and $Q\in S_2$, such that $N=PYQ$, given $N$ and $Y$.

Suppose that $P={[x_0,x_1,\cdots ,x_{k-1}]}^s$ and $Q={[y_0,y_1,\cdots ,y_{k-1}]}^t$. Then,

$${[x_0,x_1,\cdots ,x_{k-1}]}^s·Y·{[y_0,y_1,\cdots ,y_{k-1}]}^t=N$$

Since $Y$ and $N$ are known, we obtain a tropical nonlinear system of equations about $x_0,x_1,\cdots ,x_{k-1},y_0,y_1,\cdots ,y_{k-1}$ with $2k$ unknowns and $k^2$ equations. □

As we know, the problem of solving a tropical nonlinear system of equations is usually NP-hard [24]. We present an algorithm for solving the two-side tropical circular matrix action problem with exponential computational complexity.

Proposition 5.

There exists an algorithm for solving the two-side tropical circular matrix action problem with computational complexity $O\left(k^4+6k^3·\left(\begin{array}{c}{k}^2\\ 2k\end{array}\right)\right)$.

Proof of Proposition 5.

With Proposition 4, we obtain a tropical nonlinear system of equations about $x_0,x_1,\cdots ,y_{k-1}$ with $2k$ unknowns and $k^2$ equations. Note that every term of the equations is the form of $x_i{y}_j$ ($i,j=0,1,\cdots ,k-1$). Denote $z_0=x_0{y}_0,z_1=x_0{y}_1,\cdots ,z_{k^2}=x_{k-1}{y}_{k-1}$. Then, we obtain a tropical linear system of equations with $k^2$ unknowns $z_i$ and $k^2$ equations.

After solving the tropical linear system of equations of $z_i$, we can obtain a system of nonlinear equations

$$x_0{y}_0=z_0,x_0{y}_1=z_1,\cdots ,x_{k-1}{y}_{k-1}=z_{k^2}$$

Since multiplication in tropical algebra is an ordinary addition, it is actually a system of linear equations over an integer ring. The linear equations have $2k$ unknowns and $k^2$ equations. Generally, the system of linear equations has no solution. However, if the $2k$ equations in these $k^2$ equations have a solution, it is possible to find $x_0,x_1,\cdots ,y_{k-1}$ such that

$${[x_0,x_1,\cdots ,x_{k-1}]}^s·Y·{[y_0,y_1,\cdots ,y_{k-1}]}^t=N.$$

Using the algorithm in [33], the complexity of solving the tropical linear system of equations with $k^2$ unknowns $z_i$ and $k^2$ equations is $O(k^4)$. The number of possible choices for selecting $2k$ equations from $k^2$ equations is $\left(\begin{array}{c}{k}^2\\ 2k\end{array}\right)$. The complexity of solving integer linear equations with $2k$ equations and $2k$ unknowns is $O({(2k)}^3)$. Therefore, the computational complexity of the above algorithm is $O\left(k^4+6k^3·\left(\begin{array}{c}{k}^2\\ 2k\end{array}\right)\right)$. □

An example of solving TMCAP with small parameters is given in Appendix B.

4.1. KU Attack

Because the commutative semiring used in our cryptosystems is the semiring of all t-circular matrices, this is different from that of Grigoriev and Shpilrain’s public-key cryptosystem I [24]. They used two public tropical matrices $M_1,M_2$ and ($M_1{M}_2\ne M_2{M}_1$) and then adopted the commutative semiring $\mathcal{Z}[M_1],$$\mathcal{Z}[M_2]$. Let $p_1(M_1)\in \mathcal{Z}[M_1]$, $p_2(M_2)\in \mathcal{Z}[M_2]$ and $p_1(M_1)Y{p}_2(M_2)=U$. The security of their cryptosystem relies on the difficulty of the problem of finding $S_1\in \mathcal{Z}[M_1]$ and $S_2\in \mathcal{Z}[M_2]$ such that $S_{1}Y{S}_2=U$. (Note that $S_1$ may not be equal to $p_1(M_1)$ and $S_2$ may not be equal to $p_2(M_2)$.) Because the secret matrix can be represented by a polynomial of $M_1,M_2$, Kotov and Ushakov [25] designed an efficient algorithm to attack the key exchange protocol in [24]. Suppose that

$$S_1={\displaystyle \sum _{i=0}^D{x}_i{M}_1^i}, S_2={\displaystyle \sum _{i=0}^D{y}_i{M}_2^i},$$

where unknowns $x_i,y_j\in \mathcal{Z}$, and D is the upper bound for the degree of polynomials. $S_{1}Y{S}_2=U$ gives ${\displaystyle \sum _{i=0}^D{x}_i{y}_j{M}_1^i}Y{M}_2^j=U$. This translates to

$$\min (x_i+y_j+T_{rs}^{ij})=0, \forall 1\le r,s\le k$$

where $T^{ij}=M_1^{i}Y{M}_2^j-U$. A specific description of KU attack is presented as Algorithm 1.

Algorithm 1: KU Attack algorithm

Input: $M_1,M_2$, $U\left(=p_1(M_1)Y{p}_2(M_2)\right)$. Output: $x_1,\cdots ,x_D,y_1,\cdots ,y_D$, such that $S_{1}Y{S}_2=U$, where $S_1={\displaystyle \sum _{i=0}^D{x}_i{M}_1^i}$, $S_2={\displaystyle \sum _{i=0}^D{y}_i{M}_2^i}$. (1) Compute $m_{ij}=\underset{i,j}{\min }(T_{rs}^{ij})$ and $P_{ij}=\left\{(r,s)|T_{rs}^{ij}=m_{ij}\right\}$; (2) Among all minimal covers of $\left\{1,2,\cdots ,k\right\}\times \left\{1,2,\cdots ,k\right\}$ by $P_{ij}$, that is, all minimal subsets $C\subseteq \left\{0,1,\cdots ,D\right\}\times \left\{0,1,\cdots ,D\right\}$ such that $\underset{(i,j)\in C}{\cup }{P}_{ij}=\left\{1,2,\cdots ,k\right\}\times \left\{1,2,\cdots ,k\right\}$ find a cover for which the system $\{\begin{array}{l}{x}_i+y_j=-m_{ij}, \mathrm{if} (i,j)\in C\\ x_i+y_j\ge -m_{ij}, \mathrm{if} (i,j)\cancel{\in }C\end{array}$ is solvable.

Experimental results show that the attack algorithm can succeed in a short amount of time when the parameters are small ($k\le 40$, $D\le 40$, and the entries of matrices and the coefficients of polynomials are integers in [−10¹⁰, 10¹⁰]).

Since tropical t-circular matrices cannot be represented by a known matrix, our cryptosystem can resist KU attacks.

4.2. RM Attacks

Grigoriev and Shpilrain [26] improved the original scheme and proposed a public-key cryptosystem based on the semidirect product of the tropical matrix semiring. Let $S=(M_k(\mathcal{Z}),\oplus ,\otimes )$ be the tropical semiring of $k\times k$ tropical matrices over $\mathcal{Z}$. It can be seen that $S\times S$ is a semigroup under the operation $\circ$ given as

$$\begin{array}{l}\left(\forall (M_1,H_1),(M_2,H_2)\in S\times S\right)\\ (M_1,H_1)\circ (M_2,H_2)=\left(\left(M_1\oplus H_2\oplus M_1\otimes H_2\right)\oplus M_2,H_1\oplus H_2\oplus H_1\otimes H_2\right).\end{array}$$

Using the semigroup $\left(S\times S,\circ \right)$, Grigoriev and Shpilrain proposed an improved tropical public-key cryptosystem. However, cryptanalysis of the improved tropical public-key cryptosystem was successfully implemented using a simple binary search by Rudy and Monico [27]. A partial order on S is defined as

$$\left(\forall X,Y\in S\right)X\le Y \mathrm{if} x_{ij}\le y_{ij} \forall i,j\in \{1,\cdots ,k\}.$$

It can be easily observed that for the operations $\circ$, if ${\left(M,H\right)}^p$ is denoted by $\left(M_p,H_p\right)$, then the sequence $\left\{M_p\right\}$ is monotonically decreasing, i.e., $M_1\ge M_2\ge M_3\ge \cdots$ and so on. Algorithm 2 gives the pseudocode description of RM attack.

Algorithm 2: RM Attack algorithm

Input: $M,H,A\in S$, where ${(M,H)}^m=\left(A,H^m\right)$, for some positive integer m ($1\le m\le r$). Output: m. (1) Let $left=1$ and $right=r$; (2) Execute the following loop when $left\le right$.  (i)$mid=left+(right-left)/2$  (ii) Compute ${(M,H)}^{mid}=\left(P,Q\right)$.     If $P<A$, $right=mid-1$;     If $P>A$, $left=mid+1$;     If $P=A$, output $m=mid$.

In our cryptosystems, there is no tropical matrix addition operation $\oplus$ and the partial order cannot be used. Thus, our cryptosystems can resist RM attacks. We compare the security among relevant cryptosystems in [24,26] and our proposed cryptosystem. The comparison results are depicted in

Table 1. Comparison among relevant tropical schemes.

Schemes	Mathematical Problems	KU Attack	RM Attack
Grigoriev et al. [24]	Two-side matrix action problem	×	√
Grigoriev et al. [26]	Semidirect product problem	√	×
Our scheme	Two-side tropical circular matrix action problem	√	√

Note that √ means that the scheme can resist the corresponding attack, while × means it does not.

.

4.3. Parameter Selection

Table 2. Performance comparison under some different parameters.

k	Size of sk (kB)	Size of pk (kB)	Complexity of Solving TCMAP
10	0.0781	0.7813	$O(2^{81})$
20	0.1563	3.1250	$O(2^{199})$
30	0.2344	7.0313	$O(2^{331})$
40	0.3125	12.5000	$O(2^{472})$
50	0.3906	19.5313	$O(2^{620})$
60	0.4688	28.1250	$O(2^{775})$

Note that “sk” means secret key and “pk” means public key.

shows the performance comparison of the cryptosystem under some different parameters, where the entries of the matrices are integers in $[0,2^{64})$.

In

Table 3. Timings for cryptographic operations in our cryptosystem.

Experimental Platform	Key Generation	Encryption	Decryption
Intel (R) i7-8550 1.80 GHz	0.984 s	1.018 s	0.513 s
Intel (R) i5-5200 2.20GHz	0.624 s	0.594 s	0.297 s
Intel (R) i7-4700 2.40GHz	0.363 s	0.346 s	0.187 s

, we list the computation time for related cryptographic operations in our cryptosystem on different platforms, where k = 50, s = t = 100101, and the entries of the matrices are integers in $[0,2^{64})$.

We recommend using the parameters $k\ge 50$, $s,t\in (0,2^{32})$, and the entries of the matrices of integers in $[0,2^{64})$ to avoid potential heuristic attacks similar to KU attacks.

5. Conclusions and Further Research

In this paper, we present a new key exchange protocol and a new public-key encryption scheme based on tropical matrices. We use a class of tropical commuting matrix, that is, the tropical t-circular matrix, other than matrix powers or matrix polynomials. The security of new public-key cryptosystems relies on a two-side tropical circular matrix action problem (TCMAP). The use of t-circular matrices allows us to share less information with the attacker. Since tropical circular matrices cannot be represented by a known matrix, our public-key cryptosystems can resist KU attacks. There is no addition of tropical matrices in our schemes. So, the attack method proposed by Rudy and Monico does not work for our public-key cryptosystems. Our public-key cryptosystem can resist all known attacks. As we know, the best way to solve TCMAP is to solve a tropical nonlinear system of equations, which is NP-hard. So, the new cryptosystems can be considered as a potential post-quantum cryptosystem.

Future works worth studying include the following:

(1)

A possible algorithm for solving TCMAP. If we can find some algorithms for solving the systems of min-plus polynomial equations, then they can be used to attack our schemes.

(2)

Other cryptographic applications of TCMAP. For example, we can try to design digital signature schemes and identity authentication schemes based on TCMAP.