1.
Introduction
'Cryptography' is the process of establishing secure communication between the sender and the receiver of information [1,2]. The sender uses a method called 'encryption' to turn plaintext into a secret message called 'ciphertext', while the receiver uses a method called 'decryption' to convert the ciphertext back into plaintext [3,4]. A 'key' is secret common knowledge shared by both entities. There are two broad types of cryptography: symmetric key cryptography and asymmetric key cryptography. Symmetric key cryptography uses a single secret key for both encryption and decryption, which is only known by the sender and the receiver [5]. In asymmetric key cryptography, one key is used for encryption, and a different key is used for decryption [3,6]. Many varieties of cryptographic algorithms have been constructed over classical algebra [2]. Cryptographic algorithms over tropical algebra have gained significance in recent years, and tropical cryptography is one of the fields used to construct secure cryptographic algorithms. Martin Hellman and Whitfield Diffie suggested the two-keys cryptosystem in 1976 to overcome the issue of key distribution in symmetric key cryptography [4,7]. The general protocol that uses semi-direct products of semigroups was introduced in [8], and one of its special cases is the standard Diffie-Hellman protocol based on cyclic groups. This paper gives a conjecture that, when the protocol is used with non-commutative semigroups, it acquires several useful features. They suggest the extension of a particular non-commutative semigroup of matrices over a certain finite group ring by a conjugation automorphism as a suitable platform. However, the protocol introduced in [8] was attacked by the linear algebra attack [9]. The Cramer-Shoup scheme was introduced in [10] and proved to be secure against adaptive chosen ciphertext attacks. Stickel proposed the key exchange protocol based on classical algebra [11], which was then attacked by Shpilrain [12]. Grigoriev and Shpilrain extended Stickel's protocol by using tropical polynomials and showed that solving the system of tropical linear equations was NP-hard [13]. An advantage of using tropical algebras as the platform for building key exchange schemes is that, in tropical schemes, one does not have to perform any classical multiplication since tropical multiplication is classical addition and is not invertible [14,15,16]. However, the major weakness of the tropical protocol is that the tropical powers of the matrices exhibit a particular pattern, as noted by Kotov and Ushakov. This pattern helps them to attack Grigoriev's key exchange protocol [17]. Grigoriev and Shpilrain's next key exchange protocol was based on semidirect product [18], but it had the weakness that the sequence (M,H)l is linearly ordered, which was found by Rudy and Monico [19]. Issac and Kahrobaei implemented the linear periodicity attack [20] to attack the same protocol that used semidirect product. These attacks showed that key exchange protocols with matrix powers over the tropical approach are easily attackable. Different attacks of various tropical key exchange protocols were consolidated in [6]. The significance of our research is that our protocols are related to the tropical two sided matrix action problem that can be reduced to a system of non-linear equations, and solving such a system is NP-hard [13].
Our contribution: In this paper, we propose a key exchange protocol over the tropical semiring with min-plus operation. We avoid using power and linearly ordered operations over tropical concepts to ensure the safety of our schemes against popular attacks. We introduce the abelian subset ((A(Dp[C])ul)(s))n,⊕,⊗) of the semiring (Mn×n(Z),⊕,⊗), which is obtained by modifying the set of p-circulant matrices and use it to frame our new protocol. Similarly, the protocol introduced in [21] uses the set of upper-t-circulant matrices, which is also obtained by modifying the set of circulant matrices. We provide a detailed analysis of the protocol using upper-t-circulant matrix [21] replaced by the protocol using lower-s-circulant matrix. We compare the protocols using the lower-s-circulant matrix instead of the upper-t-circulant matrix in the protocol introduced in [21] with our proposed protocol. We also provide some propositions on the commutativity of the set of lower-s-circulant matrices (Cl(s))n,⊕,⊗) and the commutative property of the set of anti-s-p-circulant matrices. We also give some propositions on the security of both protocols. We provide the security analysis of our proposed protocol against the existing tropical attacks of Kotov & Ushakov, Rudy & Monico.
The rest of the sections are organized as follows. In Section 2, we discuss some basic definitions and notations. Section 3 contains an analysis of key exchange protocol 1, which uses the lower-s-circulant matrix, the key generation scheme of protocol 1 with cryptographic algorithm, and an example. Similarly, in Section 4, we discuss our proposed key exchange protocol, the key generation scheme with the algorithm and an example. We also provide the security analysis of proposed protocol 2 in Section 4. Section 5 contains a comparative analysis of the protocol based on upper or lower-s-circulant matrices and our proposed protocol with the experimental results like time complexity, memory usage and possible attacks for both protocols.
2.
Preliminaries
Definition 1. [22] A non-empty set S with two binary operations addition (+) and multiplication (⋅) is called a semiring, if it satisfies the following axioms:
1) S is an abelian monoid under the operation addition with '0' as the unique identity element,
2) S is a monoid under the operation multiplication with a unique identity element denoted by '1',
3) u⋅(v+w) is equal to u⋅v+u⋅w and (v+w)⋅u is equal to v⋅u+w⋅u ∀ u,v,w∈S,
4) Both u⋅0 and 0⋅u are equal to 0 ∀u∈S,
5) The identities under the two operations should not be the same element.
Example 2.1. The set N∪{0} forms a semiring under the operations classical addition and classical multiplication where, N is the set of all natural numbers.
Definition 2. The following are the two tropical binary operations.
● x⊕y=max(x,y) (or) x⊕y=min(x,y).
● x⊙y=x+y.
Definition 3. [22] A set R=S∪{∞} under the operations '⊕' (tropical addition, (min)) and '⊗' (tropical multiplication) is called a min-plus semiring if,
1) u⊕v = v⊕u ∀u,v∈R,
2) (u⊕v)⊕w=u⊕(v⊕w) and (u⊗v)⊗w=u⊗(v⊗w) ∀u,v,w∈R,
3) u⊗(v⊕w)=(u⊗v)⊕(u⊗w) ∀u,v,w∈R,
4) ∃ e∈R ∀ u∈R such that e⊕u=u⊕e=u (Here, the additive identity is '∞'),
5) inverse does not exist.
Let Z denote the set of all integers and Z=Z∪{∞}. In this paper, we have concentrated on the min-plus semiring R=(Z,⊕,⊗).
We know that (Z,⊕,⊗) is a commutative semiring with additive identity and multiplicative identity '∞' and '0' respectively. Let Mn×n(Z) denote the set of all n×n matrices over Z.
2.1. Matrices over the min-plus semiring
The collection of all matrices over the semiring S with 'm' rows and 'n' columns is denoted by Mm×n(R). Let A∈Mm×n(R). Every ijth element of A is denoted by 'aij'. Let P=(pij)∈Mm×n(R), Q=(qij)∈Mm×n(R), T=(tij)∈Mn×l(R) and α∈R.
In min-plus algebra [14,15,16] addition of two matrices is calculated by
and multiplication of two matrices is calculated by
where, k∈{1,2,⋯,n}
Example 2.2. The following is an example of tropical addition, tropical multiplication of two matrices and the tropical addition, tropical multiplication of a matrix.
Definition 4. A matrix T∈Mn×n(Z) is said to be circulant Cn×n with entries c1,c2,⋯,cn if it is of the form
Definition 5. A matrix T∈Mn×n(Z) is said to be lower-s-circulant if the matrix is of the form
where c1,c2,⋯,cn,s∈Z. The set of all lower-s-circulant matrix of order 'n' is denoted by (Cl(s))n. Here, 'l' denotes that the element 's' is added in all the 'lower diagonal' entries.
Example 2.3. An example of lower-2-circulant matrix is given below.
Then,
Proposition 2.4. If A∈(Cl(s))n, B∈(Cl(t))n and s≠t, then A⊗B≠B⊗A.
Proof. Let A∈(Cl(s))n and B∈(Cl(t))n
To prove the non-commutativity of Cl(s)n and Cl(t)n, it is enough to prove that (A⊗B)ij≠(B⊗A)ij for some 1≤i,j≤n.
Let us calculate the value of (A⊗B)11 and (B⊗A)11. We get,
Since s≠t, we have (A⊗B)11≠(B⊗A)11. Thus, A⊗B≠B⊗A. □
Definition 6. A matrix T∈Mn×n(Z) is said to be an anti-s-circulant (ACul(s))n matrix with entries c1,c2,⋯,cn,s if it is of the form
where c1,c2,⋯,cn,s∈Z and set of all anti-s-circulant matrix of order 'n' is denoted by (ACul(s))n. Here, 'l' and 'u' denote that 's' is added to both upper and lower anti-diagonals.
Definition 7. A matrix T∈Mn×n(Z) is said to be an anti-s-p-circulant with entries c1,c2,⋯,cn,s if it is of the form
where, ck−ck+1=p ∀ 1≤k≤n and p∈Z and the set of all anti-s-p-circulant matrix of order 'n' is denoted by (A(Dp[C])ul)(s))n.
Example 2.5. An example of lower-13-circulant matrix and anti-13-circulant matrix of order 4 is given below.
The lower-13-circulant matrix of C is,
The anti-13-circulant matrix of C is,
An example of anti-13-5-circulant matrix is,
Proposition 2.6. If A∈((A(Dp[C])ul)(s))n,B∈((A(Dp[C])ul)(t))n, then A⊗B≠B⊗A∀s≠t.
Proof. Let A∈((A(Dp[C])ul)(s))n,B∈((A(Dp[C])ul)(t))n
To prove the non-commutativity of the set ((A(Dp[C])ul)(s))n and ((A(Dp[C])ul)(t))n, it is enough to prove that (A⊗B)ij≠(B⊗A)ij for some 1≤i,j≤n.
Let us compare (A⊗B)12 and (B⊗A)12,
since s≠t, it implies (A⊗B)12≠(B⊗A)12 and hence A⊗B≠B⊗A. □
Proposition 2.7. (Cl(s))n (set of all lower-s-circulant matrices over Z) is a commutative tropical semiring and a subsemiring of Mn×n(Z).
Proof. 1) To prove that (Cl(s))n is a subsemiring of Mn×n(Z) it is enough to prove that it is closed under tropical addition and tropical multiplication. Let A,B∈(Cl(s))n with entries a1,a2,⋯,an,a1+s,a2+s,⋯,an+s and b1,b2,⋯,bn,b1+s,b2+s,⋯,bn+s respectively.
(a) Clearly (Cl(s))n is closed under tropical addition.
(b) Let the entry (A⊗B)ij denotes the ijth entry of the matrix A⊗B. (C)k and (D)k, 1≤k≤n be the entries of circulant matrices to generate the lower-s-circulant matrices A⊗B and B⊗A respectively. Assume that A,B∈(Cl(s))n. To prove that the set of all lower-s-circulant matrices are closed under the tropical multiplication, it is enough to prove that the matrix A⊗B is also in the following form
The diagonal entries of the tropical multiplication A⊗B of the matrices A and B are,
By rearranging the terms, it is clear that (A⊗B)kk are equal for all 1≤k≤n. In general, let us call these entries as (C)1.
Now, the upper off diagonal entries are obtained as follows,
By rearranging the terms, we can see that the entries (A⊗B)(k−1)k are equal for all 2≤k≤n. We denote this value as (C)n in general
Then,
The next upper off diagonal elements are obtained as,
Again by rearranging the terms, it is clear that the entries (A⊗B)(k−2)k are equal ∀ 3≤k≤n. We name these entries as (C)n−1 in general.
Then,
The entries (A⊗B)1(n−1),(A⊗B)2n are obtained as,
In general, we denote it as (C)3. Then,
By continuing this process, finally we end up with the entry (A⊗B)1n. We name this entry as (C)2
Similarly, we obtained the lower off diagonal elements with following values
By rearranging the above terms, we can see that (A⊗B)k(k−1) are equal for all 2≤k≤n. That is, (A⊗B)21=(A⊗B)32=⋯=(A⊗B)n(n−1)
Now, the second lower off diagonal entries are obtained as,
Again, second lower off diagonal elements (A⊗B)k(k−2) are equal for all 3≤k≤n. Which can be denoted as
Again by continuing this process, the final lower off diagonal entry is obtained as,
By placing all obtained elements in the following matrix of order n we get the form of lower-s-circulant matrix
Hence, it is proved that the set of all lower-s-circulant matrix is closed under tropical multiplication.
2) To show that (Cl(s))n is commutative, it is enough to show that (C)k=(D)k and
(C)k+s=(D)k+s for all 1≤k≤n.
Since we found the entries of A⊗B in the previous proof, it is enough to find the entries of B⊗A.
By rearranging the terms we get,
Similarly,
Also,
By continuing this process, we obtain the entry (B⊗A)n−1 as,
Finally, the term (B⊗A)n is obtained as,
Now the next entry is obtained as,
Similarly,
Also,
And the final entry of B⊗A is obtained as,
Hence, it is proved that (C)k=(D)k∀1≤k≤n and (C)k+s=(D)k+s∀2≤k≤n.
Thus,
□
Proposition 2.8. ((A(Dp[C])ul)(s))n (set of all anti-s-p-circulant matrices) is a commutative subset of the tropical semiring Mn×n(Z).
Proof.
To prove the commutativity of ((A(Dp[C])ul)(s))n, it is enough to prove that (A⊗B)ij=(B⊗A)ij, ∀ 1≤i,j≤n.
Let A,B∈((A(Dp[C])ul)(s))n, then we have ak1⊗bk2=bk1⊗ak2∀1≤k1,k2≤n.
By using this property we get,
Similarly,
By continuing the process, we get,
Similarly, the entries of (n)th row of the matrix A⊗B is,
Thus,
□
3.
Public key exchange protocol 1
In this section, we discuss the protocol introduced in [21] with the help of lower-s-circulant matrices. Further we study the protocol which use upper or lower-s-circulant matrices to compare it with our proposed protocol that uses anti-s-p-circulant matrices ((A(Dp[C])ul)(s))n.
3.1. Description of the protocol 1
Step 1: Let Y,s,t be the public parameters.
Step 2: Alice selects two matrices C1 and C2 and finds the two matrices A1,B1.
Step 3: Bob selects two matrices C3 and C4 and finds the two matrices A2,B2.
Step 4: Alice finds Ka=A1⊗(Y)⊗B1 and sends it to Bob.
Step 5: Bob finds Kb=A2⊗(Y)⊗B2 and sends it to Alice.
Step 6: Alice computes G1=A1⊗Kb⊗B1.
Step 7: Bob computes G2=A2⊗Ka⊗B2.
Step 8: By the properties of tropical algebra, the shared keys are the same. K=G1=G2.
3.2. Key generation and parameters of protocol 1
● Let Y,s,t be the public parameters, where the entries of Y are the elements from the tropical semiring (Z∪{∞},⊕,⊗). Similarly s,t are integers.
● Alice selects two circulant matrices C1 and C2 from the tropical semiring (Mn(Z),⊕,⊗) and finds the matrices A1,B1 with the use of s,t where Cn is set of all circulant matrices of order n.
● (c1)1,(c2)1,(c3)1,⋯(cn)1 and (c1)2,(c2)2,(c3)2,⋯(cn)2 are the elements of circulant matrices C1 and C2 respectively.
● Alice computes Ka=A1⊗(Y)⊗B1.
● Bob selects two circulant matrices C3 and C4 from the tropical semiring (Mn(Z),⊕,⊗) and finds the matrices A2 and B2 with the help of s,t.
● (c1)3,(c2)3,(c3)3,⋯(cn)3 and (c1)4,(c2)4,(c3)4,⋯(cn)4 were the elements of circulant matrices C3 and C4 respectively.
● Bob computes Kb=A2⊗(Y)⊗B2.
● Alice finds the matrix
● Bob finds the matrix
● Finally, the shared keys are same K=G1=G2.
The proof is given in the following Proposition 3.2.
3.3. A toy example
Example 3.1. Consider
Alice choose
and she finds
Bob choose
and he finds
Alice finds
Bob finds
Alice finds
Bob finds
Thus, the shared keys are equal G1=G2.
Suppose an attacker tries to find A1,B1 from the known matrices Ka,Y,s,t
Then, he will end up with the following tropical non-linear system,
min{(−601)⊗a0⊗b0,1182⊗a0⊗b1,56129⊗a0⊗b2,4325⊗a1⊗b0, 1862⊗a1⊗b1,5029⊗a1⊗b2,(−554)⊗a2⊗b0,1895⊗a2⊗b1,1842⊗a2⊗b2}=−1031
min{(−615)⊗a0⊗b0,56129⊗a0⊗b1,(−601)⊗a0⊗b2,65⊗a1⊗b0, 5029⊗a1⊗b1,4325⊗a1⊗b2,98⊗a2⊗b0,1842⊗a2⊗b1,(−554)⊗a2⊗b2}=−1436
min{54332⊗a0⊗b0,(−601)⊗a0⊗b1,(−615)⊗a0⊗b2,3232⊗a1⊗b0, 4325⊗a1⊗b1,65⊗a1⊗b2,45⊗a2⊗b0,(−554)⊗a2⊗b1,98⊗a2⊗b2}=−1450
min{(−554)⊗a0⊗b0,98⊗a0⊗b1+1842⊗a0⊗b2,(−755)⊗a1⊗b0, 1028⊗a1⊗b1,55975⊗a1⊗b2,4325⊗a2⊗b0,1862⊗a2⊗b1,5029⊗a2⊗b2}=−985
min{98⊗a0⊗b0,1842⊗a0⊗b1,(−554)⊗a0⊗b2,(−769)⊗a1⊗b0,55975⊗a1⊗b1, 1042⊗a1⊗b2,(−89)⊗a2⊗b0,55975⊗a2⊗b1,4325⊗a2⊗b2}=−1389
min{45⊗a0⊗b0,(−554)⊗a0⊗b1,98⊗a0⊗b2,54178⊗a1⊗b0, (−755)⊗a1⊗b1,(−769)⊗a1⊗b2+3232⊗a2⊗b0+4325⊗a2⊗b1+65⊗a2⊗b2}=−1261
min{4325⊗a0⊗b0+1895⊗a0⊗b1+5029⊗a0⊗b2+(−708)⊗a1⊗b0+ 1741⊗a1⊗b1,1688⊗a1⊗b2,(−755)⊗a2b0,1028⊗a2⊗b1,55975a2b2}=−1052
min{65⊗a0⊗b0,5029⊗a0⊗b1,4325⊗a0⊗b2,(−56)⊗a1⊗b0, 1688⊗a1⊗b1,(−708)⊗a1⊗b2,(−769)⊗a2⊗b0,55975⊗a2⊗b1,(−755)⊗a2⊗b2}=−1456
min{3232⊗a0⊗b0,4325⊗a0⊗b1,65⊗a0⊗b2,(−109)⊗a1⊗b0, (−708)⊗a1⊗b1,(−56)⊗a1⊗b2,54486⊗a2⊗b0,(−755)⊗a2⊗b1,(−769)⊗a2⊗b2}=−1470
To attack the protocol, this system of non-linear equations has to be solved. But we already know that solving non-linear tropical equations is NP-Hard [13].
3.4. Security analysis
The security of this protocol relies on the non-commutativity the lower-s-circulant matrix and the lower-t-circulant matrix.
Proposition 3.2. If P1∈(Cl(s))n,Q1∈(Cl(t))n,P2∈(Cl(s))n,Q2∈(Cl(t))n and s≠t, then
1) P2⊗Ka⊗Q2 = P1⊗Kb⊗Q1
2) Ka⊗Kb and Kb⊗Ka≠P2⊗Ka⊗Q2 and P1⊗Kb⊗Q1
where Ka=(P1⊗Y⊗Q1), Kb=(P2⊗Y⊗Q2).
Proof. 1) In this part of the proposition we prove that the shared secret keys are equal.
We know that by Proposition 2.7, P1⊗P2=P2⊗P1 and P1⊗Q1≠Q1⊗P1.
Now, we consider,
Hence, we proved that the shared keys are equal.
2) In this part of the proposition, we show that an attacker cannot find the secret key with the known matrices Ka,Kb. Now, to prove the security of the protocol 1,
By Proposition 2.4
Hence, Ka⊗Kb and Kb⊗Ka≠P2⊗Ka⊗Q2 and P1⊗Kb⊗Q1
□
The time complexity of solving a tropical Grobner basis [23] for a tropical non-linear system of equations with n×n matrices is known to be O(2(2n)) which is extremely larger than O(n3).
4.
Public key exchange protocol 2
In this section, we propose a new key exchange protocol based on the anti-s-p-circulant matrices. We have given the algorithm, example and the security analysis of the proposed protocol.
4.1. Description of the protocol 2
Step 1: Let Y,s,t,p be the public parameters.
Step 2: Alice selects two p-circulant matrices C1 and C2 and finds the two matrices P1,Q1.
Step 3: Bob selects two p-circulant matrices C3 and C4 and finds the two matrices P2,Q2.
Step 4: Alice finds Ka=P1⊗(Y)⊗Q1 and sends it to Bob.
Step 5: Bob finds Kb=P2⊗(Y)⊗P2 and sends it to Alice.
Step 6: Alice computes G1=(P1⊗(Kb)⊗Q1).
Step 7: Bob computes G2=(P2⊗(Ka)⊗Q2).
Step 8: Computed values of both keys are same K=G1=G2.
4.2. Key generation and parameters of protocol 2
● Let Y,s,t,p be the public parameters, where the entries of Y are the elements from the tropical semiring (Z,⊕,⊗). Similarly s,t∈Z.
● Alice selects two p-circulant matrices C1 and C2 from the tropical semiring (Mn(Z),⊕,⊗) and finds P1, Q1 are the anti-s-p-circulant and anti-t-p-circulant matrices with the use of p-circulant matrices C1 and C2 respectively.
● (c1)1,(c2)1,(c3)1,⋯(cn)1 and (c1)2,(c2)2,(c3)2,⋯(cn)2 are the elements of p-circulant matrices C1 and C2 respectively.
● Alice computes Ka=P1⊗(Y)⊗Q1.
● Bob selects two p-circulant matrices C3 and C4 from the tropical semiring (Mn(Z),⊕,⊗). P2, Q2 are the anti-s-p-circulant and anti-t-p-circulant matrices with the use of C3 and C4 respectively.
● (c0)3,(c1)3,(c2)3,⋯(cn−1)3 and (c0)4,(c1)4,(c2)4,⋯(cn−1)4 are the elements of C3 and C4 respectively.
● Bob computes Kb=P2⊗(Y)⊗Q2.
● Alice finds the matrix
● Bob finds the matrix
● Finally, shared keys were same K=G1=G2.
The proof is given in the following Proposition 4.2.
4.3. A toy example
Example 4.1. Consider
Alice choose
and finds
Bob choose
and finds
Alice finds
and sends to Bob.
Bob finds
and sends to Alice.
Alice finds
Bob finds
Shared keys G1=G2
To attack the protocol the attacker has to solve the following tropical non-linear system of equations.
min{1188805⊗a0⊗b0,65371⊗a0⊗b1,32434472⊗a0⊗b2,43444⊗a1⊗b0, 1313310⊗a1⊗b1,34442⊗a1⊗b2,98828⊗a2⊗b0,96554⊗a2⊗b1,955472⊗a2⊗b2}=−168593
min{−33505⊗a0⊗b0,32533348⊗a0⊗b1,1188805⊗a0⊗b2,32455⊗a1⊗b0, 133318⊗a1⊗b1,43444⊗a1⊗b2,(−2322)⊗a2⊗b0,1054348⊗a2⊗b1,98828⊗a2⊗b2}=−168597
min{32533348⊗a0⊗b0,1089929⊗a0⊗b1,65371⊗a0⊗b2,133318⊗a1⊗b0, (−55432)⊗a1⊗b1,131331⊗a1⊗b2,1054348⊗a2⊗b0,(−48)⊗a2⊗b1,96554⊗a2⊗b2}=−146668
min{98899⊗a0⊗b0,96625⊗a0⊗b1,955543⊗a0⊗b2,1188805⊗a1⊗b0, 65371⊗a1⊗b1,32434472⊗a1⊗b2,43373⊗a2⊗b0,131260⊗a2⊗b1,34371⊗a2⊗b2}=−168666
min{(−2251)⊗a0⊗b0,1054419⊗a0⊗b1,98899⊗a0⊗b2,(−33505)⊗a1⊗b0, 32533348⊗a1⊗b1,1188805⊗a1⊗b2,32384⊗a2⊗b0,133247⊗a2⊗b1,43373⊗a2⊗b2}=−168670
min{1054419⊗a0⊗b0,23⊗a0⊗b1,96625⊗a0⊗b2,32533348⊗a1⊗b0, 1089929⊗a1⊗b1,65371⊗a1⊗b2,133247⊗a2⊗b0,(−55503)⊗a2⊗b1,131260⊗a2⊗b2}=−146670
min{43373⊗a0⊗b0,131260⊗a0⊗b1,34371⊗a0⊗b2,98828⊗a1⊗b0, 96554⊗a1⊗b1,955472⊗a1⊗b2,1188876⊗a2⊗b0,33434⊗a2⊗b1,32434543⊗a2⊗b2}=168662
min{32384⊗a0⊗b0,133247⊗a0⊗b1,43373⊗a0⊗b2,(−2322)⊗a1⊗b0, 1054348⊗a1⊗b1,98828⊗a1⊗b2,(−33434)⊗a2⊗b0),32533419⊗a2⊗b1,1188876⊗a2⊗b2=−168666
min{133247⊗a0⊗b0,(−55503)⊗a0⊗b1,131260⊗a0⊗b2,1054348⊗a1⊗b0, (−48)⊗a1⊗b1,96554⊗a1⊗b2,32533419⊗a2⊗b0,1090000⊗a2⊗b1,65442⊗a2⊗b2}=−146601
Solving this system of non-linear equation is NP-Hard. Thus, this makes our protocol secure [13].
4.4. Security analysis
The security of this protocol relies on the non-commutativity of anti-s-circulant matrix with anti-t-circulant matrix.
Theorem 4.2. If P1∈((A(Dp[C])ul)(s))n,Q1∈((A(Dp[C])ul)(t))n, P2∈((A(Dp[C])ul)(s))n,Q2∈((A(Dp[C])ul)(t))n then
1) P2⊗Ka⊗Q2 = P1⊗Kb⊗Q1
2) Ka⊗Kb and Kb⊗Ka≠P2⊗Ka⊗Q2 and P1⊗Kb⊗Q1
where Ka=(P1⊗Y⊗Q1), Kb=(P2⊗Y⊗Q2)
Proof. 1) We know that by Proposition 2.8, P1⊗P2=P2⊗P1 and P1⊗Q1≠Q1⊗P1.
Now we consider,
Hence the shared keys are equal.
2) Now to prove the security of the protocol 1
By Proposition 2.4, we have,
Hence,
By Proposition 2.4
Hence, we have,
□
The tropical Grobner basis algorithm which is one approach to solving tropical non-linear systems [23]. In the worst case, the time complexity of computing a tropical Grobner basis for a system of equations with n by n matrices is known to be O(2(2n)).
4.5. Possible attacks
The following are some of the attacks that an adversary may try to attack the proposed key exchange protocol and we have given how our key exchange scheme is secure against those attacks.
4.5.1. Brute force attack
The brute force attack is an attacking technique in which the man in the middle tries all possible values to find the key. Suppose the attacker tries to get the key G=P1⊗P2⊗Y⊗Q1⊗Q2 from the public matrix Y and from the shared matrices Ka=P1⊗(Y)⊗Q1,Kb=P2⊗(Y)⊗Q2 guessing the secret parameters is very hard since there are infinite possibilities. Also, if he try to find the values of P1,Q1 and P2,Q2 from Ka and Kb respectively then the possibility of finding P1,Q1 and P2,Q2 are infinite since we have taken the entries from the tropical semiring (Z∪{∞},⊕,⊗). Thus, we can conclude that protocol 2 is secure from brute force attack.
4.5.2. Linear algebra attack
The linear algebra attack is a key recovery technique by which an adversary may try to use the linear algebraic properties to attack the cryptosystem. The attack of Sphilrain on the classical Stickel's key exchange protocol is based on the fact that the keys were generated using invertible matrices.
In protocol 2, since we deal with tropical algebra, the matrices which we use ((A(Dp[C])ul)(s))n are not generally invertible. Thus, it makes our protocol secure from linear algebra attacks.
4.5.3. Kotov and Ushakov attack
The KU attack is based on the fact that the tropical matrices displays pattern in higher tropical power. And also tropical multiplication of tropical coefficient is actually the usual addition of the coefficient with all the entries of the matrix. This fact helped Kotov and Ushakov to find the matrix
which allowed them to find the private parameters.
In protocol 2, we have used commutative elements from the semiring and we have not taken tropical powers of any matrix that is the primary reason why Kotov and Ushakov attack [17] won't work on protocol 2. We know that any circulant matrix with entries a0,a1,⋯,an−1 can be written as the form of a0I+a1P+⋯+an−1Pn−1 in classical algebra, where P=[0,1,⋯,0;0,0,1,⋯,0;⋯;1,0,⋯,0]. In protocol 2 public matrix Y cannot be written as the polynomial format unlike the one in [13]. The private parameters P1,Q1,P2,Q2 are not a circulant matrix they are from the lower/upper circulant matrices and they cannot be represented by the shared matrices P1⊗Y⊗Q1 and P2⊗Y⊗Q2.
4.5.4. Rudy and Monico attack
The public key exchange protocol based on semidirect product of max plus matrices discussed in Section 4 of article [18] is developed by Grigoriev and Shpilrain. Let R=(Mn×n(Z),⊕,⊗) and Alice and Bob agree the public matrices M,H∈R. Final key of Alice is (B∘Hm)⊕A=B⊕Hm⊕(B⊗Hm)⊕A equals to the key of Bob (A∘Hn)⊕B=A⊕Hn⊕(A⊗Hn)⊕B [18]. Where Hm and Hn denoted the mth and nth tropical power of H matrix respectively. This protocol is attacked by Rudy and Monico by the simple binary search attack [19]. The main idea of the simple binary search attack is to find the tropical power m at which the tuple (M,H) becomes (A,Hm) with the known A. But in protocol 2 we never use any tropical powers. Hence, Rudy and Monico attack is not valid in protocol 2.
5.
Comparative analysis
In this section, we have compared the experimental results of both protocol 1 and protocol 2 with some familiar tropical protocols. The following experiments were done in a computer with 11th Gen Intel(R) Core(TM) i5-11300H @ 3.10 GHz processor with 8 GB ram running on windows 11 with 64-bits operating system. The algorithms of the protocols are executed in maple 2018 software.
Note: In the Table 1, ✘ denotes that the scheme is attacked by the corresponding attack and ✔ denotes that the scheme is safe against the attack.
Most of the tropical protocols proposed in recent years involves the exponentiation of the tropical matrices. When we compare the time complexity of tropical power based algorithms with our proposed algorithm, we can see that the time complexity of those algorithms is higher than our algorithms. That is, O(n3)<O(nn+3) where, n is the dimension of matrices involved in tropical powers.
The idea of using commuting matrices in tropical linear algebra on the Stickel's protocol instead of tropical powers and polynomials have already been examined in [24,25,26]. In many protocols they have used circulant matrices but, the main idea of our paper is to generate secret keys efficiently with the commutative subset ((A(Dp[C])ul)(s))n,⊕,⊗) of tropical semiring (Mn×n(Z),⊕,⊗).
5.1. Comparison of protocol based on upper or lower-s-circulant matrices and proposed protocol 2
The key exchange protocol 1 is based on upper or lower-s-circulant matrices which contains 2n elements in A,B,C,D and the protocol 2 based on anti-s-p-circulant matrices P1,P2,Q1,Q2 which are performed with 2n elements. The time complexity of both protocols are same. From Figure 1 we can analyse the key generation time of protocol 1 and protocol 2.
Given data in Table 2 is plotted in Figure 1 above.
Memory usage: We have analysed memory usage of protocol based on upper or lower-s-circulant matrices and our proposed protocol 2. This shows that the memory usage of our proposed protocol 2 is better than the memory usage of protocol 1.
Experimental datas of memory usage given in Table 3 is plotted in Figure 2.
Time complexity of protocol based on upper or lower-s-circulant matrices: In the key exchange protocol 1, we have four public parameters Y,s,t,n. Here Y,s,t are fixed and variable is n. Matrices A1,A2,B1,B2 each with 2n elements and tropical multiplication is performing four times in the protocol. Therefore, the total time complexity of multiplying five matrices in the tropical semiring (Cl(s))n with order n is O(n3×4)=O(n3).
Time complexity of proposed protocol 2: In the key exchange protocol 2, we have four public parameters Y,s,t,n. Here Y,s,t are fixed and variable is n. Matrices P1,P2,Q1,Q2 each with 2n elements and tropical multiplication is performing four times in the protocol. Therefore, the total time complexity of multiplying five matrices in the tropical semiring ((A(Dp[C])ul)(s))n,⊕,⊗) with order n is O(n3×4)=O(n3).
Both protocol 1 and protocol 2 have the same time complexity but the memory usage of protocol 2 is lesser than that of protocol 1. The reason is that the protocol 2 is generated by the use of commutative subset of ((A(Dp[C])ul)(s))n,⊕,⊗) of tropical semiring (Mn×n(Z),⊕,⊗). Let protocol 1 is performed with the lower-s-circulant matrices of order n and protocol 2 is performed with anti-s-p-circulant matrices of order k, where k>n then, protocol 2 would be more efficient than protocol 1.
6.
Conclusions
In this paper, we have proposed the key exchange protocol by introducing the commutative set of anti-s-p-circulant matrices. Most of the protocols over tropical semirings were proposed based on the tropical powers of the matrices. Attacks on the tropical protocols are commonly based on the fact that they exhibit pattern in higher powers. Some of the popular attacks are linear periodicity attack, RM attack, KU attack, etc. To overcome these attacks, we have proposed our protocol which do not involve the exponentiation of tropical matrices. We have given further analysis of the protocol 1 and additionally we have proved some propositions. In the security analysis, we have proved that our proposed protocol is resistant against popular attacks of the existing tropical protocols. Comparative analysis of protocol 1 and our proposed protocol 2 is given. We can see that our proposed protocol performs better in terms of memory usage. In future, we may try to apply these protocols in the security of digital signature and identity authentication schemes. Also, our future work is to find the existence and uniqueness of the solution of tropical two sided matrix action problem.
Use of AI tools declaration
The authors declare they have not used Artificial Intelligence (AI) tools in the creation of this article.
Acknowledgments
The authors would like to thank the editor and reviewers for their valuable comments and suggestions, which greatly help us improve the presentation of this article. We thank the referees for their thoughtful reading of this manuscript and their feedback.
Conflict of interest
The authors declare no conflict of interest.