Research article

Public key exchange protocols based on tropical lower circulant and anti circulant matrices

  • Received: 27 January 2023 Revised: 24 April 2023 Accepted: 08 May 2023 Published: 19 May 2023
  • MSC : 11T71, 14G50, 14M25, 15B51, 52B20

  • In recent years, many efficient key exchange protocols have been proposed based on matrices over the tropical semirings. The tropical addition of two elements is the minimum of the elements, while the tropical multiplication is the sum of the two elements. This paper proposes a novel key exchange protocol based on the min-plus semiring (Z{},,) by introducing anti-s-p-circulant matrices, which forms a commutative subset of Mn×n(Z{}). We have given further analysis of the protocol in detail using upper or lower-s-circulant matrices. Additionally, we prove that the set of all lower-s-circulant matrices is a sub-semiring of the tropical semiring Mn×n(Z{}). We discuss the detailed security analysis of the protocol with upper or lower-s-circulant matrices and provide cryptographic algorithms for both key exchange protocols with detailed explanations. We compare the protocol based on upper or lower-s-circulant matrices and our proposed protocol in terms of time complexity and memory usage. Finally, we analyse the security and show that our protocol is safe against popular attacks of tropical key exchange protocols. The security of these protocols relies on the difficulty of solving tropical non-linear equations.

    Citation: B. Amutha, R. Perumal. Public key exchange protocols based on tropical lower circulant and anti circulant matrices[J]. AIMS Mathematics, 2023, 8(7): 17307-17334. doi: 10.3934/math.2023885

    Related Papers:

    [1] Huawei Huang, Xin Jiang, Changwen Peng, Geyang Pan . A new semiring and its cryptographic applications. AIMS Mathematics, 2024, 9(8): 20677-20691. doi: 10.3934/math.20241005
    [2] Aleksejus Mihalkovich, Jokubas Zitkevicius, Eligijus Sakalauskas . The security analysis of the key exchange protocol based on the matrix power function defined over a family of non-commuting groups. AIMS Mathematics, 2024, 9(10): 26961-26982. doi: 10.3934/math.20241312
    [3] Syafrizal Sy, Rinovia Simanjuntak, Tamaro Nadeak, Kiki Ariyanti Sugeng, Tulus Tulus . Distance antimagic labeling of circulant graphs. AIMS Mathematics, 2024, 9(8): 21177-21188. doi: 10.3934/math.20241028
    [4] Man Chen, Huaifeng Chen . On ideal matrices whose entries are the generalized $ k- $Horadam numbers. AIMS Mathematics, 2025, 10(2): 1981-1997. doi: 10.3934/math.2025093
    [5] Aleksejus Mihalkovich . On the security of the STR key exchange protocol. AIMS Mathematics, 2025, 10(2): 1967-1980. doi: 10.3934/math.2025092
    [6] Shakir Ali, Amal S. Alali, Atif Ahmad Khan, Indah Emilia Wijayanti, Kok Bin Wong . XOR count and block circulant MDS matrices over finite commutative rings. AIMS Mathematics, 2024, 9(11): 30529-30547. doi: 10.3934/math.20241474
    [7] Ruby Nasir, Muhammad Ahmad, Zohaib Zahid, Sanaa A. Bajri, Hamiden Abd El-Wahed Khalifa . Characterizing edge-based doubly resolving sets within circulant networks $ C_n(1, 2) $. AIMS Mathematics, 2024, 9(6): 15857-15874. doi: 10.3934/math.2024766
    [8] Yanpeng Zheng, Xiaoyu Jiang . Quasi-cyclic displacement and inversion decomposition of a quasi-Toeplitz matrix. AIMS Mathematics, 2022, 7(7): 11647-11662. doi: 10.3934/math.2022649
    [9] Bakhtawar Shaukat, Muhammad Ishaq, Ahtsham Ul Haq . Algebraic invariants of edge ideals of some circulant graphs. AIMS Mathematics, 2024, 9(1): 868-895. doi: 10.3934/math.2024044
    [10] S. Masih Ayat, S. Majid Ayat, Meysam Ghahramani . The independence number of circulant triangle-free graphs. AIMS Mathematics, 2020, 5(4): 3741-3750. doi: 10.3934/math.2020242
  • In recent years, many efficient key exchange protocols have been proposed based on matrices over the tropical semirings. The tropical addition of two elements is the minimum of the elements, while the tropical multiplication is the sum of the two elements. This paper proposes a novel key exchange protocol based on the min-plus semiring (Z{},,) by introducing anti-s-p-circulant matrices, which forms a commutative subset of Mn×n(Z{}). We have given further analysis of the protocol in detail using upper or lower-s-circulant matrices. Additionally, we prove that the set of all lower-s-circulant matrices is a sub-semiring of the tropical semiring Mn×n(Z{}). We discuss the detailed security analysis of the protocol with upper or lower-s-circulant matrices and provide cryptographic algorithms for both key exchange protocols with detailed explanations. We compare the protocol based on upper or lower-s-circulant matrices and our proposed protocol in terms of time complexity and memory usage. Finally, we analyse the security and show that our protocol is safe against popular attacks of tropical key exchange protocols. The security of these protocols relies on the difficulty of solving tropical non-linear equations.



    'Cryptography' is the process of establishing secure communication between the sender and the receiver of information [1,2]. The sender uses a method called 'encryption' to turn plaintext into a secret message called 'ciphertext', while the receiver uses a method called 'decryption' to convert the ciphertext back into plaintext [3,4]. A 'key' is secret common knowledge shared by both entities. There are two broad types of cryptography: symmetric key cryptography and asymmetric key cryptography. Symmetric key cryptography uses a single secret key for both encryption and decryption, which is only known by the sender and the receiver [5]. In asymmetric key cryptography, one key is used for encryption, and a different key is used for decryption [3,6]. Many varieties of cryptographic algorithms have been constructed over classical algebra [2]. Cryptographic algorithms over tropical algebra have gained significance in recent years, and tropical cryptography is one of the fields used to construct secure cryptographic algorithms. Martin Hellman and Whitfield Diffie suggested the two-keys cryptosystem in 1976 to overcome the issue of key distribution in symmetric key cryptography [4,7]. The general protocol that uses semi-direct products of semigroups was introduced in [8], and one of its special cases is the standard Diffie-Hellman protocol based on cyclic groups. This paper gives a conjecture that, when the protocol is used with non-commutative semigroups, it acquires several useful features. They suggest the extension of a particular non-commutative semigroup of matrices over a certain finite group ring by a conjugation automorphism as a suitable platform. However, the protocol introduced in [8] was attacked by the linear algebra attack [9]. The Cramer-Shoup scheme was introduced in [10] and proved to be secure against adaptive chosen ciphertext attacks. Stickel proposed the key exchange protocol based on classical algebra [11], which was then attacked by Shpilrain [12]. Grigoriev and Shpilrain extended Stickel's protocol by using tropical polynomials and showed that solving the system of tropical linear equations was NP-hard [13]. An advantage of using tropical algebras as the platform for building key exchange schemes is that, in tropical schemes, one does not have to perform any classical multiplication since tropical multiplication is classical addition and is not invertible [14,15,16]. However, the major weakness of the tropical protocol is that the tropical powers of the matrices exhibit a particular pattern, as noted by Kotov and Ushakov. This pattern helps them to attack Grigoriev's key exchange protocol [17]. Grigoriev and Shpilrain's next key exchange protocol was based on semidirect product [18], but it had the weakness that the sequence (M,H)l is linearly ordered, which was found by Rudy and Monico [19]. Issac and Kahrobaei implemented the linear periodicity attack [20] to attack the same protocol that used semidirect product. These attacks showed that key exchange protocols with matrix powers over the tropical approach are easily attackable. Different attacks of various tropical key exchange protocols were consolidated in [6]. The significance of our research is that our protocols are related to the tropical two sided matrix action problem that can be reduced to a system of non-linear equations, and solving such a system is NP-hard [13].

    Our contribution: In this paper, we propose a key exchange protocol over the tropical semiring with min-plus operation. We avoid using power and linearly ordered operations over tropical concepts to ensure the safety of our schemes against popular attacks. We introduce the abelian subset ((A(Dp[C])ul)(s))n,,) of the semiring (Mn×n(Z),,), which is obtained by modifying the set of p-circulant matrices and use it to frame our new protocol. Similarly, the protocol introduced in [21] uses the set of upper-t-circulant matrices, which is also obtained by modifying the set of circulant matrices. We provide a detailed analysis of the protocol using upper-t-circulant matrix [21] replaced by the protocol using lower-s-circulant matrix. We compare the protocols using the lower-s-circulant matrix instead of the upper-t-circulant matrix in the protocol introduced in [21] with our proposed protocol. We also provide some propositions on the commutativity of the set of lower-s-circulant matrices (Cl(s))n,,) and the commutative property of the set of anti-s-p-circulant matrices. We also give some propositions on the security of both protocols. We provide the security analysis of our proposed protocol against the existing tropical attacks of Kotov & Ushakov, Rudy & Monico.

    The rest of the sections are organized as follows. In Section 2, we discuss some basic definitions and notations. Section 3 contains an analysis of key exchange protocol 1, which uses the lower-s-circulant matrix, the key generation scheme of protocol 1 with cryptographic algorithm, and an example. Similarly, in Section 4, we discuss our proposed key exchange protocol, the key generation scheme with the algorithm and an example. We also provide the security analysis of proposed protocol 2 in Section 4. Section 5 contains a comparative analysis of the protocol based on upper or lower-s-circulant matrices and our proposed protocol with the experimental results like time complexity, memory usage and possible attacks for both protocols.

    Definition 1. [22] A non-empty set S with two binary operations addition (+) and multiplication () is called a semiring, if it satisfies the following axioms:

    1) S is an abelian monoid under the operation addition with '0' as the unique identity element,

    2) S is a monoid under the operation multiplication with a unique identity element denoted by '1',

    3) u(v+w) is equal to uv+uw and (v+w)u is equal to vu+wu u,v,wS,

    4) Both u0 and 0u are equal to 0 uS,

    5) The identities under the two operations should not be the same element.

    Example 2.1. The set N{0} forms a semiring under the operations classical addition and classical multiplication where, N is the set of all natural numbers.

    Definition 2. The following are the two tropical binary operations.

    xy=max(x,y) (or) xy=min(x,y).

    xy=x+y.

    Definition 3. [22] A set R=S{} under the operations '' (tropical addition, (min)) and '' (tropical multiplication) is called a min-plus semiring if,

    1) uv = vu u,vR,

    2) (uv)w=u(vw) and (uv)w=u(vw) u,v,wR,

    3) u(vw)=(uv)(uw) u,v,wR,

    4) eR uR such that eu=ue=u (Here, the additive identity is ''),

    5) inverse does not exist.

    Let Z denote the set of all integers and Z=Z{}. In this paper, we have concentrated on the min-plus semiring R=(Z,,).

    We know that (Z,,) is a commutative semiring with additive identity and multiplicative identity '' and '0' respectively. Let Mn×n(Z) denote the set of all n×n matrices over Z.

    The collection of all matrices over the semiring S with 'm' rows and 'n' columns is denoted by Mm×n(R). Let AMm×n(R). Every ijth element of A is denoted by 'aij'. Let P=(pij)Mm×n(R), Q=(qij)Mm×n(R), T=(tij)Mn×l(R) and αR.

    In min-plus algebra [14,15,16] addition of two matrices is calculated by

    PQ=(min((pij),(qij)))m×n

    and multiplication of two matrices is calculated by

    PT=min{((pik)+(tkj))}m×l

    where, k{1,2,,n}

    αP=αpij=α+pij

    Example 2.2. The following is an example of tropical addition, tropical multiplication of two matrices and the tropical addition, tropical multiplication of a matrix.

    LetA=[21149],B=[15211834],α=9AB=[211189]
    AB=[2923925]
    αA=[99][21149]=[1121318]
    αA=[21149]

    Definition 4. A matrix TMn×n(Z) is said to be circulant Cn×n with entries c1,c2,,cn if it is of the form

    [c1cncn1c2c2c1cnc3c3c2c1c4cncn1cn2c1]

    Definition 5. A matrix TMn×n(Z) is said to be lower-s-circulant if the matrix is of the form

    [c1cncn1c2sc2c1cnc3sc3sc2c1c4scnscn1scn2c1]

    where c1,c2,,cn,sZ. The set of all lower-s-circulant matrix of order 'n' is denoted by (Cl(s))n. Here, 'l' denotes that the element 's' is added in all the 'lower diagonal' entries.

    Example 2.3. An example of lower-2-circulant matrix is given below.

    LetC=[4172312124172323124171723124]

    Then,

    Cl(2)4=[4172312144172325144171925144]

    Proposition 2.4. If A(Cl(s))n, B(Cl(t))n and st, then ABBA.

    Proof. Let A(Cl(s))n and B(Cl(t))n

    A=[a1anan1a2a2+sa1ana3a3+sa2+sa1a4a4+sa3+sa2+sa5an+san1+san2+sa1],B=[b1bnbn1b2b2+tb1bnb3b3+tb2+tb1b4b4+tb3+tb2+sb5bn+tbn1+tbn2+tb1]

    To prove the non-commutativity of Cl(s)n and Cl(t)n, it is enough to prove that (AB)ij(BA)ij for some 1i,jn.

    Let us calculate the value of (AB)11 and (BA)11. We get,

    (AB)11=min{a1+b1,an+b2+t,an1+b3+t,an2+b4+t,,a2+bn+t}
    (BA)11=min{b1+a1,bn+a2+s,bn1+a3+s,bn2+a4+s,,b2+an+s}

    Since st, we have (AB)11(BA)11. Thus, ABBA.

    Definition 6. A matrix TMn×n(Z) is said to be an anti-s-circulant (ACul(s))n matrix with entries c1,c2,,cn,s if it is of the form

    [sc1scnsc3c2sc2sc1c4sc3sc3sc2sc5sc4scn1cn2sc1scncnscn1sc2sc1]

    where c1,c2,,cn,sZ and set of all anti-s-circulant matrix of order 'n' is denoted by (ACul(s))n. Here, 'l' and 'u' denote that 's' is added to both upper and lower anti-diagonals.

    Definition 7. A matrix TMn×n(Z) is said to be an anti-s-p-circulant with entries c1,c2,,cn,s if it is of the form

    [sc1scnsc3c2sc2sc1c4sc3sc3sc2sc5sc4scn1cn2sc1scncnscn1sc2sc1]

    where, ckck+1=p 1kn and pZ and the set of all anti-s-p-circulant matrix of order 'n' is denoted by (A(Dp[C])ul)(s))n.

    Example 2.5. An example of lower-13-circulant matrix and anti-13-circulant matrix of order 4 is given below.

    Let C=[52174452177452121745]

    The lower-13-circulant matrix of C is,

    (Cl(13))4=[52174413521771341352121137134135]=[5217495217209521342095]

    The anti-13-circulant matrix of C is,

    (ACul(13))4=[51321137134413513217137134513211321713413513]=[1834204918212020418342120918]

    An example of anti-13-5-circulant matrix is,

    A(D5[C])ul)(13))4=[5132013151310101351320151315131051320132015131013513]=[18332810231820282810183320282318]

    Proposition 2.6. If A((A(Dp[C])ul)(s))n,B((A(Dp[C])ul)(t))n, then ABBAst.

    Proof. Let A((A(Dp[C])ul)(s))n,B((A(Dp[C])ul)(t))n

    A=[a1+san+san1+sa2a2+sa1+san+sa3+san1+san2an3+san+sanan1+san2+sa1+s],B=[b1+tbn+tbn1+tb2b2+tb1+tbn+tb3+tbn1+tbn2bn3+tbn+tbnbn1+tbn2+tb1+t]

    To prove the non-commutativity of the set ((A(Dp[C])ul)(s))n and ((A(Dp[C])ul)(t))n, it is enough to prove that (AB)ij(BA)ij for some 1i,jn.

    Let us compare (AB)12 and (BA)12,

    (AB)12=min{a1+s+bn+t,an+s+b1+t,an1+s+b2+t,,a3+s+bn2,a2+bn1+t}
    (BA)12=min{b1+t+an+s,bn+t+a1+s,bn1+t+a2+s,,b3+t+an2,b2+an1+s}

    since st, it implies (AB)12(BA)12 and hence ABBA.

    Proposition 2.7. (Cl(s))n (set of all lower-s-circulant matrices over Z) is a commutative tropical semiring and a subsemiring of Mn×n(Z).

    Proof. 1) To prove that (Cl(s))n is a subsemiring of Mn×n(Z) it is enough to prove that it is closed under tropical addition and tropical multiplication. Let A,B(Cl(s))n with entries a1,a2,,an,a1+s,a2+s,,an+s and b1,b2,,bn,b1+s,b2+s,,bn+s respectively.

    A=[a1anan1a2a2+sa1ana3a3+sa2+sa1a4a4+sa3+sa2+sa5an+san1+san2+sa1],B=[b1bnbn1b2b2+sb1bnb3b3+sb2+sb1b4b4+sb3+sb2+sb5bn+sbn1+sbn2+sb1]

    (a) Clearly (Cl(s))n is closed under tropical addition.

    AB=[min{a1,b1}min{an,bn}min{an1,bn1}min{a2,b2}min{a2,b2}+smin{a1,b1}min{an,bn}min{a3,b3}min{a3,b3}+smin{a2,b2}+smin{a1,b1}min{a4,b4}min{a4,b4}+smin{a3,b3}+smin{a2,b2}+smin{a5,b5}min{an,bn}+smin{an1,bn1}+smin{an2,bn2}+smin{a1,b1}](Cl(s))n

    (b) Let the entry (AB)ij denotes the ijth entry of the matrix AB. (C)k and (D)k, 1kn be the entries of circulant matrices to generate the lower-s-circulant matrices AB and BA respectively. Assume that A,B(Cl(s))n. To prove that the set of all lower-s-circulant matrices are closed under the tropical multiplication, it is enough to prove that the matrix AB is also in the following form

    [(C)1(C)n(C)n1(C)n2(C)2(C)2+s(C)1(C)n(C)n1(C)3(C)3+s(C)2+s(C)1(C)n(C)4(C)4+s(C)3+s(C)2+s(C)1(C)5(C)n+s(C)n1+s(C)n2+s(C)n3+s(C)1]

    The diagonal entries of the tropical multiplication AB of the matrices A and B are,

    (AB)11=min{a1+b1,an+b2+s,an1+b3+s,an2+b4+s,,a2+bn+s}(AB)22=min{a2+bn+s,a1+b1,an+b2+s,an1+b3+s,a3+bn1+s}
    (AB)nn=min{an+b2+s,an1+b3+s,an2+b4+s,an3+b5+s,a1+b1}

    By rearranging the terms, it is clear that (AB)kk are equal for all 1kn. In general, let us call these entries as (C)1.

    (AB)11=(AB)22==(AB)nn=(C)1
    (C)1=min{a1+b1,an+b2+s,an1+b3+s,an2+b4+s,,a2+bn+s}

    Now, the upper off diagonal entries are obtained as follows,

    (AB)12=min{a1+bn,an+b1,an1+b2+s,an2+b3+s,,a2+bn1+s}(AB)23=min{a2+bn1+s,a1+bn,an+b1,an1+b2+s,,a3+bn2+s}(AB)(n1)n=min{an1+bn(n2)+s,an2+bn3+s,,,a1+bn,an+b1}

    By rearranging the terms, we can see that the entries (AB)(k1)k are equal for all 2kn. We denote this value as (C)n in general

    (AB)12=(AB)23==(AB)(n1)n=(C)n

    Then,

    (C)n=min{a1+bn,an+b1,an1+b2+s,an2+b3+s,,a2+bn1+s}

    The next upper off diagonal elements are obtained as,

    (AB)13=min{a1+bn1,an+bn,an1+b1,an2+b2+s,,a2+bn2+s}
    (AB)24=min{a2+bn2+s,a1+bn1,an+bn,an1+b1,,a3+bn3+s}
    (AB)(n2)n=min{an1+bn(n3)+s,an2+bn4+s,,,a1+b1,an+bn}

    Again by rearranging the terms, it is clear that the entries (AB)(k2)k are equal 3kn. We name these entries as (C)n1 in general.

    (AB)13=(AB)24==(AB)(n2)n=(C)n1

    Then,

    (C)n1=min{a1+bn1,an+bn,an1+b1,an2+b2+s,,a2+bn2+s}

    The entries (AB)1(n1),(AB)2n are obtained as,

    (AB)1(n1)=min{a3+b1,a2+b2+s,a1+b3,an+b4,,a3+b1}(AB)2n=min{a2+b2+s,a1+b3,an+b4,an1+b5+s,,a3+b1}

    In general, we denote it as (C)3. Then,

    (C)3=min{a2+b2+s,a1+b3,an+b4,an1+b5+s,,a3+b1}

    By continuing this process, finally we end up with the entry (AB)1n. We name this entry as (C)2

    (AB)1n=(C)2=min{a1+b2,an+b3,an1+b4,an2+b5,,a2+b1}

    Similarly, we obtained the lower off diagonal elements with following values

    (AB)21=min{a2+b1+s,a1+b2+s,an+b3+s,an1+b4+s,,a3+bn+s}
    (AB)32=min{a3+bn+s,a2+b1+s,a1+b2+s,a1+b3+s,,a5+bn1+s}
    (AB)n(n1)=min{an+b3+s,an1+b4+s,an2+b5+s,an3+b6+s,,a1+b2+s}

    By rearranging the above terms, we can see that (AB)k(k1) are equal for all 2kn. That is, (AB)21=(AB)32==(AB)n(n1)

    =min{a2+b1+s,a1+b2+s,an+b3+s,an1+b4+s,,a3+bn+s}
    =min{a1+b2,an+b3,an1+b4,an2+b5,,a2+b1}+s=(C)2+s

    Now, the second lower off diagonal entries are obtained as,

    (AB)31=min{a3+b1+s,a2+b2+2s,a1+b3+s,an+b4+s,,a4+bn+s}(AB)42=min{a4+bn+s,a3+b1+s,a2+b2+2s,a1+b3+s,,a5+bn1+s}
    (AB)n(n2)=min{a2+b2+2s,a1+b3+s,an+b4+s,an1+b5+s,,a3+b1+s}

    Again, second lower off diagonal elements (AB)k(k2) are equal for all 3kn. Which can be denoted as

    (AB)31=(AB)42==(AB)(n+2)n
    =min{a3+b1+s,a2+b2+2s,a1+b3+s,an+b4+s,,a4+bn+s}=min{a2+b2+s,a1+b3,an+b4,an1+b5+s,,a3+b1}+s=(C)3+s

    Again by continuing this process, the final lower off diagonal entry is obtained as,

    (AB)n1=min{an+b1+s,an1+b2+2s,an2+b3+2s,an3+b4+2s,,a1+bn+s}=min{a1+bn,an+b1,an1+b2+s,an2+b3+s,,a2+bn1+s}+s=(C)n+s

    By placing all obtained elements in the following matrix of order n we get the form of lower-s-circulant matrix

    AB=[(C)1(C)n(C)n1(C)n2(C)2(C)2+s(C)1(C)n(C)n1(C)3(C)3+s(C)2+s(C)1(C)n(C)4(C)4+s(C)3+s(C)2+s(C)1(C)5(C)n+s(C)n1+s(C)n2+s(C)n3+s(C)1]

    Hence, it is proved that the set of all lower-s-circulant matrix is closed under tropical multiplication.

    2) To show that (Cl(s))n is commutative, it is enough to show that (C)k=(D)k and

    (C)k+s=(D)k+s for all 1kn.

    Since we found the entries of AB in the previous proof, it is enough to find the entries of BA.

    (D)1=min{b1+a1,bn+a2+s,bn1+a3+s,bn2+a4+s,,b2+an+s}

    By rearranging the terms we get,

    (D)1=min{a1+b1,an+b2+s,an1+b3+s,an2+b4+s,,a2+bn+s}=(C)1

    Similarly,

    (D)2=min{b1+a2,bn+a3,bn1+a4,bn2+a5,,b2+a1}=min{a1+b2,an+b3,an1+b4,an2+b5,,a2+b1}=(C)2

    Also,

    (D)3=min{b2+a2+s,b1+a3,bn+a4,bn1+a5+s,,b3+a1}=min{a2+b2+s,a1+b3,an+b4,an1+b5+s,,a3+b1}=(C)3

    By continuing this process, we obtain the entry (BA)n1 as,

    (D)n1=min{b1+an1,bn+an,bn1+a1,bn2+a2+s,,b2+an2+s}=min{a1+bn1,an+bn,an1+b1,an2+b2+s,,a2+bn2+s}=(C)n1

    Finally, the term (BA)n is obtained as,

    (D)n=min{b1+an,bn+a1,bn1+a2+s,bn2+a3+s,,b2+an1+s}=min{a1+bn,an+b1,an1+b2+s,an2+b3+s,,a2+bn1+s}=(C)n

    Now the next entry is obtained as,

    (D)2+s=min{b2+a1+s,b1+a2+s,bn+a3+s,bn1+a4+s,,b3+an+s}=min{b1+a2,bn+a3,bn1+a4,bn2+a5,,b2+a1}+s=min{a1+b2,an+b3,an1+b4,an2+b5,,a2+b1}+s=(C)2+s

    Similarly,

    (D)3+s=min{b3+a1+s,b2+a2+2s,b1+a3+s,bn+a4+s,,b4+an+s}=min{b2+a2+s,b1+a3,bn+a4,bn1+a5+s,,b3+a1}+s}=min{a2+b2+s,a1+b3,an+b4,an1+b5+s,,a3+b1}+s=(C)3+s

    Also,

    (D)n1+s=min{b1+an1+s,bn+an+s,bn1+a1+s,bn2+a2+2s,,b2+an2+2s}=min{b1+an1,bn+an,bn1+a1,bn2+a2+s,,b2+an2+s}+s=min{a1+bn1,an+bn,an1+b1,an2+b2+s,,a2+bn2+s}+s=(C)n1+s

    And the final entry of BA is obtained as,

    (D)n+s=min{bn+a1+s,bn1+a2+2s,bn2+a3+2s,bn3+a4+2s,,b1+an+s}=min{b1+an,bn+a1,bn1+a2+s,bn2+a3+s,,b2+an1+s}+s}=min{a1+bn,an+b1,an1+b2+s,an2+b3+s,,a2+bn1+s}+s=(C)n+s

    Hence, it is proved that (C)k=(D)k1kn and (C)k+s=(D)k+s2kn.

    Thus,

    AB=BA.

    Proposition 2.8. ((A(Dp[C])ul)(s))n (set of all anti-s-p-circulant matrices) is a commutative subset of the tropical semiring Mn×n(Z).

    Proof.

    {\rm{Let}}\;\; A = \begin{bmatrix}   a_{1}+s&a_{n}+s&a_{n-1}+s&\cdots&a_{2}\\  a_{2}+s&a_{1}+s&a_{n}+s&\cdots&a_{3}+s\\  \vdots&\ddots&\ddots&\ddots&\vdots\\  a_{n-1}+s&a_{n-2}&a_{n-3}+s&\cdots&a_{n}+s\\  a_{n}&a_{n-1}+s&a_{n-2}+s&\cdots&a_{1}+s\\  \end{bmatrix}&\; \;  B = \begin{bmatrix}  b_{1}+s&b_{n}+s&b_{n-1}+s&\cdots&b_{2}\\  b_{2}+s&b_{1}+s&b_{n}+s&\cdots&b_{3}+s\\  \vdots&\ddots&\ddots&\ddots&\vdots\\  b_{n-1}+s&b_{n-2}&b_{n-3}+s&\cdots&b_{n}+s\\  b_{n}&b_{n-1}+s&b_{n-2}+s&\cdots&b_{1}+s\\  \end{bmatrix}

    To prove the commutativity of ((A(Dp[C])ul)(s))n, it is enough to prove that (AB)ij=(BA)ij, 1i,jn.

    Let A,B((A(Dp[C])ul)(s))n, then we have ak1bk2=bk1ak21k1,k2n.

    By using this property we get,

    (AB)11=min{a1+b1+2s,an+b2+2s,,a3+bn1+2s,a2+bn}=min{b1+a1+2s,bn+a2+2s,,b3+an1+2s,b2+an}=(BA)11(AB)12=min{a1+bn+2s,an+b1+2s,,a3+bn2+s,a2+bn1+s}=min{b1+an+2s,bn+a1+2s,,b3+an2+s,b2+an1+s}=(BA)12(AB)1n=min{a1+b2+s,an+b3+2s,,a3+bn+2s,a2+b1+s}=min{b1+a2+s,bn+a3+2s,,b3+an+2s,b2+a1+s}=(BA)1n 

    Similarly,

    (AB)21=min{a2+b1+2s,a1+b2+2s,,a4+bn1+2s,a3+bn+s}=min{b2+a1+2s,b1+a2+2s,,b4+an1+2s,b3+an+k}=(BA)21(AB)22=min{a2+bn+2s,a1+b1+2s,,a4+bn2,a3+bn1+2s}=min{b2+an+2s,b1+a1+2s,,b4+an2,b3+an1+2s}=(BA)22

    By continuing the process, we get,

    (AB)2n=min{a2+b2+s,a1+b3+2s,,a4+bn+s,a3+b1+2s}=min{b2+a2+s,b1+a3+2s,,b4+an+s,b3+a1+2s}=(BA)2n(AB)(n1)1=min{an1+b1+2s,an2+b2+s,,a1+bn1+2s,an+bn+s}=min{bn1+a1+2s,bn2+a2+s,,b1+an1+2s,bn+an+s}=(BA)(n1)1(AB)(n1)2=min{an1+bn+2s,an2+b1+s,,a1+bn2+s,an+bn1+2s}=min{bn1+an+2s,bn2+a1+s,,b1+an2+k,bn+an1+2s}=(BA)(n1)2(AB)(n1)n=min{an1+b2+2,an2+b3+s,,a1+bn+2s,an+b1+2s}=min{bn1+a2+2,bn2+a3+s,,b1+an+2s,bn+a1+2s}=(BA)(n1)n

    Similarly, the entries of (n)th row of the matrix AB is,

    (AB)n1=min{an+b1+s,an1+b2+2s,,a2+bn1+2s,a1+bn+s}=min{bn+a1+s,bn1+a2+2s,,b2+an1+2s,b1+an+s}=(BA)n1(AB)n2=min{an+bn+s,an1+b1+2s,,a2+bn2+s,a1+bn1+2s}=min{bn+an+s,bn1+a1+2s,,b2+an2+s,b1+an1+2s}=(BA)n2(AB)nn=min{an+b2,an1+b3+2s,,a2+bn+2s,a1+b1+2s}=min{an+b2,an1+b3+2s,,a2+bn+2s,a1+b1+2s}=(BA)nn(AB)ij=(BA)ij1i,jn.

    Thus,

    AB=BA.

    In this section, we discuss the protocol introduced in [21] with the help of lower-s-circulant matrices. Further we study the protocol which use upper or lower-s-circulant matrices to compare it with our proposed protocol that uses anti-s-p-circulant matrices ((A(Dp[C])ul)(s))n.

    Step 1: Let Y,s,t be the public parameters.

    Step 2: Alice selects two matrices C1 and C2 and finds the two matrices A1,B1.

    Step 3: Bob selects two matrices C3 and C4 and finds the two matrices A2,B2.

    Step 4: Alice finds Ka=A1(Y)B1 and sends it to Bob.

    Step 5: Bob finds Kb=A2(Y)B2 and sends it to Alice.

    Step 6: Alice computes G1=A1KbB1.

    Step 7: Bob computes G2=A2KaB2.

    Step 8: By the properties of tropical algebra, the shared keys are the same. K=G1=G2.

    Algorithm 1: Key exchange algorithm for protocol 1.
        Input: Matrices Y,C1,C2,C3,C4 and integers s,t,n
        Output: Shared secret key
    1 := Tropical multiplication
    2 L(s):= Lower triangular matrix with entries 's'
    3 A1:=C1+L(s)
    4 B1:=C2+L(t)
    5 A2:=C3+L(s)
    6 B2:=C4+L(t)
    7 Ka:=A1YB1
    8 Kb:=A2YB2
    9 G1:=A1KbB1
    10 G2:=A2KaB2
    11 return Shared secret key G1=G2

     | Show Table
    DownLoad: CSV

    ● Let Y,s,t be the public parameters, where the entries of Y are the elements from the tropical semiring (Z{},,). Similarly s,t are integers.

    ● Alice selects two circulant matrices C1 and C2 from the tropical semiring (Mn(Z),,) and finds the matrices A1,B1 with the use of s,t where Cn is set of all circulant matrices of order n.

    (c1)1,(c2)1,(c3)1,(cn)1 and (c1)2,(c2)2,(c3)2,(cn)2 are the elements of circulant matrices C1 and C2 respectively.

    A1=[(c1)1(cn)1(cn1)1(c2)1s(c2)1(c1)1(cn)1(c3)1s(c3)1s(c2)1(c1)1(c4)1s(cn)1s(cn1)1s(cn2)1(c1)1]
    B1=[(c1)2(cn)2(cn1)2(c2)2t(c2)2(c1)2(cn)2(c3)2t(c3)2t(c2)2(c1)2(c4)2t(cn)2t(cn1)2t(cn2)2(c1)2]

    ● Alice computes Ka=A1(Y)B1.

    ● Bob selects two circulant matrices C3 and C4 from the tropical semiring (Mn(Z),,) and finds the matrices A2 and B2 with the help of s,t.

    (c1)3,(c2)3,(c3)3,(cn)3 and (c1)4,(c2)4,(c3)4,(cn)4 were the elements of circulant matrices C3 and C4 respectively.

    A2=[(c1)3(cn)3(cn1)3(c2)3s(c2)3(c1)3(cn)3(c3)3s(c3)3s(c2)3(c1)3(c4)3s(cn)3s(cn1)3s(cn2)3(c1)3]
    B2=[(c1)4(cn)4(cn1)4(c2)4t(c2)4(c1)4(cn)4(c3)4t(c3)4t(c2)4(c1)4(c4)4t(cn)4t(cn1)4t(cn2)4(c1)4]

    ● Bob computes Kb=A2(Y)B2.

    ● Alice finds the matrix

    G1=A1KbB1.

    ● Bob finds the matrix

    G2=A2KaB2.

    ● Finally, the shared keys are same K=G1=G2.

    The proof is given in the following Proposition 3.2.

    Example 3.1. Consider

    Y=[6016155433255498454325653232],s=154,t=1797,n=3

    Alice choose

    C1=[812633533581261263358],C2=[423827232232423827827232423]

    and she finds

    A1=[81263351818126281818],B1=[42382723220294238279702029423]

    Bob choose

    C3=[959713113195977131959],C4=[712188225735737121882218822573712]

    and he finds

    A2=[959713123959716123959],B2=[71218822573237071218822206192370712]

    Alice finds

    Ka=[10321436145098513891261105214561470]and sends to Bob.

    Bob finds

    Kb=[1273621674133613505114741488690]and sends to Alice.

    Alice finds

    G1=[170421082051177121752189190523092323]

    Bob finds

    G2=[170421082051177121752189190523092323]

    Thus, the shared keys are equal G1=G2.

    Suppose an attacker tries to find A1,B1 from the known matrices Ka,Y,s,t

    [a0a2a1a1154a0a2a2154a1154a0][6016155433255498454325653232][b0b2b1b1+1797b0b2b2+1797b1+1797b0]=[10321436145098513891261105214561470]

    Then, he will end up with the following tropical non-linear system,

    min{(601)a0b0,1182a0b1,56129a0b2,4325a1b0, 1862a1b1,5029a1b2,(554)a2b0,1895a2b1,1842a2b2}=1031

    min{(615)a0b0,56129a0b1,(601)a0b2,65a1b0, 5029a1b1,4325a1b2,98a2b0,1842a2b1,(554)a2b2}=1436

    min{54332a0b0,(601)a0b1,(615)a0b2,3232a1b0, 4325a1b1,65a1b2,45a2b0,(554)a2b1,98a2b2}=1450

    min{(554)a0b0,98a0b1+1842a0b2,(755)a1b0, 1028a1b1,55975a1b2,4325a2b0,1862a2b1,5029a2b2}=985

    min{98a0b0,1842a0b1,(554)a0b2,(769)a1b0,55975a1b1, 1042a1b2,(89)a2b0,55975a2b1,4325a2b2}=1389

    min{45a0b0,(554)a0b1,98a0b2,54178a1b0, (755)a1b1,(769)a1b2+3232a2b0+4325a2b1+65a2b2}=1261

    min{4325a0b0+1895a0b1+5029a0b2+(708)a1b0+ 1741a1b1,1688a1b2,(755)a2b0,1028a2b1,55975a2b2}=1052

    min{65a0b0,5029a0b1,4325a0b2,(56)a1b0, 1688a1b1,(708)a1b2,(769)a2b0,55975a2b1,(755)a2b2}=1456

    min{3232a0b0,4325a0b1,65a0b2,(109)a1b0, (708)a1b1,(56)a1b2,54486a2b0,(755)a2b1,(769)a2b2}=1470

    To attack the protocol, this system of non-linear equations has to be solved. But we already know that solving non-linear tropical equations is NP-Hard [13].

    The security of this protocol relies on the non-commutativity the lower-s-circulant matrix and the lower-t-circulant matrix.

    Proposition 3.2. If P1(Cl(s))n,Q1(Cl(t))n,P2(Cl(s))n,Q2(Cl(t))n and st, then

    1) P2KaQ2 = P1KbQ1

    2) KaKb and KbKaP2KaQ2 and P1KbQ1

    where Ka=(P1YQ1), Kb=(P2YQ2).

    Proof. 1) In this part of the proposition we prove that the shared secret keys are equal.

    We know that by Proposition 2.7, P1P2=P2P1 and P1Q1Q1P1.

    Now, we consider,

    R.H.S=P1KbQ1=P1(P2YQ2)Q1=(P1P2)Y(Q2Q1)=(P2P1)Y(Q1Q2)=P2(P1YQ1)Q2=P2KaQ2=L.H.S

    Hence, we proved that the shared keys are equal.

    2) In this part of the proposition, we show that an attacker cannot find the secret key with the known matrices Ka,Kb. Now, to prove the security of the protocol 1,

    KaKb=(P1YQ1)(P2YQ2)=P1Y(Q1P2)YQ2

    By Proposition 2.4

    P1Y(Q1P2)YQ2P1Y(P2Q1)YQ2P2KaQ2,P1KbQ1

    Hence, KaKb and KbKaP2KaQ2 and P1KbQ1

    The time complexity of solving a tropical Grobner basis [23] for a tropical non-linear system of equations with n×n matrices is known to be O(2(2n)) which is extremely larger than O(n3).

    In this section, we propose a new key exchange protocol based on the anti-s-p-circulant matrices. We have given the algorithm, example and the security analysis of the proposed protocol.

    Step 1: Let Y,s,t,p be the public parameters.

    Step 2: Alice selects two p-circulant matrices C1 and C2 and finds the two matrices P1,Q1.

    Step 3: Bob selects two p-circulant matrices C3 and C4 and finds the two matrices P2,Q2.

    Step 4: Alice finds Ka=P1(Y)Q1 and sends it to Bob.

    Step 5: Bob finds Kb=P2(Y)P2 and sends it to Alice.

    Step 6: Alice computes G1=(P1(Kb)Q1).

    Step 7: Bob computes G2=(P2(Ka)Q2).

    Step 8: Computed values of both keys are same K=G1=G2.

    Algorithm 2: Key exchange algorithm for protocol 2.
        Input: Matrices Y,C1,C2,C3,C4 and integers s,t,p
        Output: Shared secret key
    1 := Tropical multiplication
    2 AL(a):= Anti-lower triangular matrix with entries 'a'
    3 AU(a):= Anti-upper triangular matrix with entries 'a'
    4 ALU(a):=AL(a)+AU(a)
    5 P1:=C1+ALU(s)
    6 Q1:=C2+ALU(t)
    7 P2:=C3+ALU(s)
    8 Q2:=C4+ALU(t)
    9 Ka:=P1YQ1
    10 Kb:=P2YQ2
    11 G1:=P1KbQ1
    12 G2:=P2KaQ2
    13 return Shared secret key G1=G2

     | Show Table
    DownLoad: CSV

    ● Let Y,s,t,p be the public parameters, where the entries of Y are the elements from the tropical semiring (Z,,). Similarly s,tZ.

    ● Alice selects two p-circulant matrices C1 and C2 from the tropical semiring (Mn(Z),,) and finds P1, Q1 are the anti-s-p-circulant and anti-t-p-circulant matrices with the use of p-circulant matrices C1 and C2 respectively.

    (c1)1,(c2)1,(c3)1,(cn)1 and (c1)2,(c2)2,(c3)2,(cn)2 are the elements of p-circulant matrices C1 and C2 respectively.

    P1=[s(c1)1s(cn)1s(cn1)1(c2)1s(c2)1s(c1)1s(cn)1s(c3)1s(c3)1s(c2)1(c1)1s(c4)1(cn)1s(cn1)1s(cn2)1s(c1)1]
    Q1=[t(c1)2t(cn)2t(cn1)2(c2)2t(c2)2t(c1)2t(cn)2t(c3)2t(c3)2t(c2)2(c1)2t(c4)2(cn)2t(cn1)2t(cn2)2t(c1)2]

    ● Alice computes Ka=P1(Y)Q1.

    ● Bob selects two p-circulant matrices C3 and C4 from the tropical semiring (Mn(Z),,). P2, Q2 are the anti-s-p-circulant and anti-t-p-circulant matrices with the use of C3 and C4 respectively.

    (c0)3,(c1)3,(c2)3,(cn1)3 and (c0)4,(c1)4,(c2)4,(cn1)4 are the elements of C3 and C4 respectively.

    P2=[s(c1)3s(cn)3s(cn1)3(c2)3s(c2)3s(c1)3s(cn)3s(c3)3s(c3)3s(c2)3(c1)3s(c4)3(cn)3s(cn1)3s(cn2)3s(c1)3]
    Q2=[t(c1)4t(cn)4t(cn1)4(c2)4t(c2)4t(c1)4t(cn)4t(c3)4t(c3)4t(c2)4(c1)4t(c4)4(cn)4t(cn1)4t(cn2)4t(c1)4]

    ● Bob computes Kb=P2(Y)Q2.

    ● Alice finds the matrix

    G1=P1KbQ1.

    ● Bob finds the matrix

    G2=P2KaQ2.

    ● Finally, shared keys were same K=G1=G2.

    The proof is given in the following Proposition 4.2.

    Example 4.1. Consider

    Y=[10900003343432434543232251955543554323245534442],s=71,t=98876,n=3

    Alice choose

    C1=[122011220512203122031220112205122051220312201],C2=[208220862084208420822086208620842082]

    and finds

    P1=[122721227612203122741220112276122051227412272],Q1=[100958100962208410096020821009622086100960100958]

    Bob choose

    C3=[284288286286284288288286284],C4=[205209207207205209209207205]

    and finds

    P2=[355359286357284359288357355],Q2=[990819908520799083205990852099908399081]

    Alice finds

    Ka=[168593168597146668168666168670146670168662168666146601]

    and sends to Bob.

    Bob finds

    Kb=[154799154803132874154872154876132876154868154872132807]

    and sends to Alice.

    Alice finds

    G1=[268112268110268114268108268106268110268110268108268112]

    Bob finds

    G2=[268112268110268114268108268106268110268110268108268112]

    Shared keys G1=G2

    [a071a271a1a171a0a271a2a171a071][10900003343432434543232251955543554323245534442][b0+98876b2+98876b1b1+98876b0b2+98876b2b1+98876b0+98876]=[168593168597146668168666168670146670168662168666146601]

    To attack the protocol the attacker has to solve the following tropical non-linear system of equations.

    min{1188805a0b0,65371a0b1,32434472a0b2,43444a1b0, 1313310a1b1,34442a1b2,98828a2b0,96554a2b1,955472a2b2}=168593

    min{33505a0b0,32533348a0b1,1188805a0b2,32455a1b0, 133318a1b1,43444a1b2,(2322)a2b0,1054348a2b1,98828a2b2}=168597

    min{32533348a0b0,1089929a0b1,65371a0b2,133318a1b0, (55432)a1b1,131331a1b2,1054348a2b0,(48)a2b1,96554a2b2}=146668

    min{98899a0b0,96625a0b1,955543a0b2,1188805a1b0, 65371a1b1,32434472a1b2,43373a2b0,131260a2b1,34371a2b2}=168666

    min{(2251)a0b0,1054419a0b1,98899a0b2,(33505)a1b0, 32533348a1b1,1188805a1b2,32384a2b0,133247a2b1,43373a2b2}=168670

    min{1054419a0b0,23a0b1,96625a0b2,32533348a1b0, 1089929a1b1,65371a1b2,133247a2b0,(55503)a2b1,131260a2b2}=146670

    min{43373a0b0,131260a0b1,34371a0b2,98828a1b0, 96554a1b1,955472a1b2,1188876a2b0,33434a2b1,32434543a2b2}=168662

    min{32384a0b0,133247a0b1,43373a0b2,(2322)a1b0, 1054348a1b1,98828a1b2,(33434)a2b0),32533419a2b1,1188876a2b2=168666

    min{133247a0b0,(55503)a0b1,131260a0b2,1054348a1b0, (48)a1b1,96554a1b2,32533419a2b0,1090000a2b1,65442a2b2}=146601

    Solving this system of non-linear equation is NP-Hard. Thus, this makes our protocol secure [13].

    The security of this protocol relies on the non-commutativity of anti-s-circulant matrix with anti-t-circulant matrix.

    Theorem 4.2. If P1((A(Dp[C])ul)(s))n,Q1((A(Dp[C])ul)(t))n, P2((A(Dp[C])ul)(s))n,Q2((A(Dp[C])ul)(t))n then

    1) P2KaQ2 = P1KbQ1

    2) KaKb and KbKaP2KaQ2 and P1KbQ1

    where Ka=(P1YQ1), Kb=(P2YQ2)

    Proof. 1) We know that by Proposition 2.8, P1P2=P2P1 and P1Q1Q1P1.

    Now we consider,

    R.H.S=P1KbQ1=P1(P2YQ2)Q1=(P1P2)Y(Q2Q1)=(P2P1)Y(Q1Q2)=P2(P1YQ1)Q2=P2KaQ2=L.H.S

    Hence the shared keys are equal.

    2) Now to prove the security of the protocol 1

    KaKb=(P1YQ1)(P2YQ2)

    By Proposition 2.4, we have,

    P1Y(Q1P2)YQ2P1Y(P2Q1)YQ2P2KaQ2,P1KbQ1

    Hence,

    K_{a}\otimes K_{b} \neq P_{2}\otimes K_{a} \otimes Q_{2} \; &\;  P_{1}\otimes K_{b}\otimes Q_{1}
    KbKa=(P2YQ2)(P1YQ1)=P2Y(Q2P1)YQ1

    By Proposition 2.4

    P2Y(Q2P1)YQ1P2Y(P1Q2)YQ1P2KaQ2,P1KbQ1

    Hence, we have,

    K_{b} \otimes K_{a}\neq P_{2}\otimes K_{a} \otimes Q_{2}  &  P_{1}\otimes K_{b}\otimes Q_{1}

    The tropical Grobner basis algorithm which is one approach to solving tropical non-linear systems [23]. In the worst case, the time complexity of computing a tropical Grobner basis for a system of equations with n by n matrices is known to be O(2(2n)).

    The following are some of the attacks that an adversary may try to attack the proposed key exchange protocol and we have given how our key exchange scheme is secure against those attacks.

    The brute force attack is an attacking technique in which the man in the middle tries all possible values to find the key. Suppose the attacker tries to get the key G=P1P2YQ1Q2 from the public matrix Y and from the shared matrices Ka=P1(Y)Q1,Kb=P2(Y)Q2 guessing the secret parameters is very hard since there are infinite possibilities. Also, if he try to find the values of P1,Q1 and P2,Q2 from Ka and Kb respectively then the possibility of finding P1,Q1 and P2,Q2 are infinite since we have taken the entries from the tropical semiring (Z{},,). Thus, we can conclude that protocol 2 is secure from brute force attack.

    The linear algebra attack is a key recovery technique by which an adversary may try to use the linear algebraic properties to attack the cryptosystem. The attack of Sphilrain on the classical Stickel's key exchange protocol is based on the fact that the keys were generated using invertible matrices.

    In protocol 2, since we deal with tropical algebra, the matrices which we use ((A(Dp[C])ul)(s))n are not generally invertible. Thus, it makes our protocol secure from linear algebra attacks.

    The KU attack is based on the fact that the tropical matrices displays pattern in higher tropical power. And also tropical multiplication of tropical coefficient is actually the usual addition of the coefficient with all the entries of the matrix. This fact helped Kotov and Ushakov to find the matrix

    Tij=U[AiBj]

    which allowed them to find the private parameters.

    In protocol 2, we have used commutative elements from the semiring and we have not taken tropical powers of any matrix that is the primary reason why Kotov and Ushakov attack [17] won't work on protocol 2. We know that any circulant matrix with entries a0,a1,,an1 can be written as the form of a0I+a1P++an1Pn1 in classical algebra, where P=[0,1,,0;0,0,1,,0;;1,0,,0]. In protocol 2 public matrix Y cannot be written as the polynomial format unlike the one in [13]. The private parameters P1,Q1,P2,Q2 are not a circulant matrix they are from the lower/upper circulant matrices and they cannot be represented by the shared matrices P1YQ1 and P2YQ2.

    The public key exchange protocol based on semidirect product of max plus matrices discussed in Section 4 of article [18] is developed by Grigoriev and Shpilrain. Let R=(Mn×n(Z),,) and Alice and Bob agree the public matrices M,HR. Final key of Alice is (BHm)A=BHm(BHm)A equals to the key of Bob (AHn)B=AHn(AHn)B [18]. Where Hm and Hn denoted the mth and nth tropical power of H matrix respectively. This protocol is attacked by Rudy and Monico by the simple binary search attack [19]. The main idea of the simple binary search attack is to find the tropical power m at which the tuple (M,H) becomes (A,Hm) with the known A. But in protocol 2 we never use any tropical powers. Hence, Rudy and Monico attack is not valid in protocol 2.

    In this section, we have compared the experimental results of both protocol 1 and protocol 2 with some familiar tropical protocols. The following experiments were done in a computer with 11th Gen Intel(R) Core(TM) i5-11300H @ 3.10 GHz processor with 8 GB ram running on windows 11 with 64-bits operating system. The algorithms of the protocols are executed in maple 2018 software.

    Note: In the Table 1, ✘ denotes that the scheme is attacked by the corresponding attack and ✔ denotes that the scheme is safe against the attack.

    Table 1.  Comparison with some tropical schemes.
    Schemes Kotov and Ushakov Rudy and Monico
    attack attack
    Grigoriev's protocol in [13]
    Grigoriev's protocol in [18]
    Protocol based on upper or lower-s-circulant matrices
    Proposed protocol 2

     | Show Table
    DownLoad: CSV

    Most of the tropical protocols proposed in recent years involves the exponentiation of the tropical matrices. When we compare the time complexity of tropical power based algorithms with our proposed algorithm, we can see that the time complexity of those algorithms is higher than our algorithms. That is, O(n3)<O(nn+3) where, n is the dimension of matrices involved in tropical powers.

    The idea of using commuting matrices in tropical linear algebra on the Stickel's protocol instead of tropical powers and polynomials have already been examined in [24,25,26]. In many protocols they have used circulant matrices but, the main idea of our paper is to generate secret keys efficiently with the commutative subset ((A(Dp[C])ul)(s))n,,) of tropical semiring (Mn×n(Z),,).

    The key exchange protocol 1 is based on upper or lower-s-circulant matrices which contains 2n elements in A,B,C,D and the protocol 2 based on anti-s-p-circulant matrices P1,P2,Q1,Q2 which are performed with 2n elements. The time complexity of both protocols are same. From Figure 1 we can analyse the key generation time of protocol 1 and protocol 2.

    Figure 1.  Time comparison graph in seconds.

    Given data in Table 2 is plotted in Figure 1 above.

    Table 2.  Key generation time in seconds.
    Key size (Bits) Time taken (sec) Time taken (sec)
    (Protocol based on upper or lower circulant matrices) (Proposed protocol 2)
    32 0.017 0.016
    50 0.068 0.042
    64 0.087 0.075
    128 0.13 0.1
    256 0.22 0.19

     | Show Table
    DownLoad: CSV

    Memory usage: We have analysed memory usage of protocol based on upper or lower-s-circulant matrices and our proposed protocol 2. This shows that the memory usage of our proposed protocol 2 is better than the memory usage of protocol 1.

    Experimental datas of memory usage given in Table 3 is plotted in Figure 2.

    Table 3.  Comparison of memory usage in MiB.
    Bits Memory usage Memory usage (Proposed protocol 2)
    (Protocol based on upper or lower-s-circulant matrices)
    32 1.046 1.005
    50 1.14 1.099
    64 1.342 1.239
    128 1.494 1.330
    256 1.54 1.441

     | Show Table
    DownLoad: CSV
    Figure 2.  Comparison of memory usage (MiB).

    Time complexity of protocol based on upper or lower-s-circulant matrices: In the key exchange protocol 1, we have four public parameters Y,s,t,n. Here Y,s,t are fixed and variable is n. Matrices A1,A2,B1,B2 each with 2n elements and tropical multiplication is performing four times in the protocol. Therefore, the total time complexity of multiplying five matrices in the tropical semiring (Cl(s))n with order n is O(n3×4)=O(n3).

    Time complexity of proposed protocol 2: In the key exchange protocol 2, we have four public parameters Y,s,t,n. Here Y,s,t are fixed and variable is n. Matrices P1,P2,Q1,Q2 each with 2n elements and tropical multiplication is performing four times in the protocol. Therefore, the total time complexity of multiplying five matrices in the tropical semiring ((A(Dp[C])ul)(s))n,,) with order n is O(n3×4)=O(n3).

    Both protocol 1 and protocol 2 have the same time complexity but the memory usage of protocol 2 is lesser than that of protocol 1. The reason is that the protocol 2 is generated by the use of commutative subset of ((A(Dp[C])ul)(s))n,,) of tropical semiring (Mn×n(Z),,). Let protocol 1 is performed with the lower-s-circulant matrices of order n and protocol 2 is performed with anti-s-p-circulant matrices of order k, where k>n then, protocol 2 would be more efficient than protocol 1.

    In this paper, we have proposed the key exchange protocol by introducing the commutative set of anti-s-p-circulant matrices. Most of the protocols over tropical semirings were proposed based on the tropical powers of the matrices. Attacks on the tropical protocols are commonly based on the fact that they exhibit pattern in higher powers. Some of the popular attacks are linear periodicity attack, RM attack, KU attack, etc. To overcome these attacks, we have proposed our protocol which do not involve the exponentiation of tropical matrices. We have given further analysis of the protocol 1 and additionally we have proved some propositions. In the security analysis, we have proved that our proposed protocol is resistant against popular attacks of the existing tropical protocols. Comparative analysis of protocol 1 and our proposed protocol 2 is given. We can see that our proposed protocol performs better in terms of memory usage. In future, we may try to apply these protocols in the security of digital signature and identity authentication schemes. Also, our future work is to find the existence and uniqueness of the solution of tropical two sided matrix action problem.

    The authors declare they have not used Artificial Intelligence (AI) tools in the creation of this article.

    The authors would like to thank the editor and reviewers for their valuable comments and suggestions, which greatly help us improve the presentation of this article. We thank the referees for their thoughtful reading of this manuscript and their feedback.

    The authors declare no conflict of interest.



    [1] F. Piper, S. Murphy, Cryptography: a very short introduction, New York: Oxford Academic, 2002. https://doi.org/10.1093/actrade/9780192803153.003.0001
    [2] G. Manikandan, R. Perumal, Symmetric cryptography for secure communication in IoT, Materials Today: Proceedings, 2020 (2020), 737. https://doi.org/10.1016/j.matpr.2020.09.737 doi: 10.1016/j.matpr.2020.09.737
    [3] S. Arshad, M. Khan, New extension of data encryption standard over 128-bit key for digital images, Neural Comput. Applic., 33 (2021), 13845–13858. https://doi.org/10.1007/s00521-021-06023-5 doi: 10.1007/s00521-021-06023-5
    [4] E. Fernando, D. Agustin, M. Irsan, D. F. Murad, H. Rohayani, D. Sujana, Performance comparison of symmetries encryption algorithm AES and DES with raspberry Pi, 2019 International Conference on Sustainable Information Engineering and Technology (SIET), Lombok, Indonesia, 2019,353–357. http://doi.org/10.1109/SIET48054.2019.8986122
    [5] A. J. Menezes, P. C. V. Oorschot, S. A. Vanstone, Handbook of applied cryptography, 1 Eds., Boca Raton: CRC Press, 1997. https://doi.org/10.1201/9780429466335
    [6] K. Ahmed, S. Pal, R. Mohan, A review of the tropical approach in cryptography, Cryptologia, 47 (2023), 63–87. https://doi.org/10.1080/01611194.2021.1994486 doi: 10.1080/01611194.2021.1994486
    [7] Y. W. Kao, K. Y. Huang, H. Z. Gu, S. M. Yuan, uCloud: a user-centric key management scheme for cloud data protection, IET Inform. Secur., 7 (2013), 144–154. https://doi.org/10.1049/iet-ifs.2012.0198 doi: 10.1049/iet-ifs.2012.0198
    [8] M. Habeeb, D. Kahrobaei, C. Koupparis, V. Shpilrain, Public key exchange using semidirect product of (semi) groups, In: Applied cryptography and network security, Heidelberg: Springer, 2013,475–486. https://doi.org/10.1007/978-3-642-38980-1_30
    [9] M. Kreuzer, A. D. Myasnikov, A. Ushakov, A linear algebra attack to group-ring-based key exchange protocols, In: Applied cryptography and network security, Cham: Springer, 2014, 37–43. https://doi.org/10.1007/978-3-319-07536-5_3
    [10] D. Kahrobaei, C. Koupparis, V. Shpilrain, A CCA secure cryptosystem using matrices over group rings, Contemporary Mathematics, 633 (2015), 73–81. http://doi.org/10.1090/conm/633/12652 doi: 10.1090/conm/633/12652
    [11] W. Diffie, M. Hellman, New directions in cryptography, IEEE T. Inform. Theory, 22 (1976), 644–654. http://doi.org/10.1109/TIT.1976.1055638 doi: 10.1109/TIT.1976.1055638
    [12] V. Shpilrain, Cryptanalysis of Stickel's key exchange scheme, In: Computer science–theory and applications, Berlin: Springer, 2008,283–288. http://doi.org/10.1007/978-3-540-79709-8_29
    [13] D. Grigoriev, V. Shpilrain, Tropical cryptography, Commun. Algebra, 42 (2014), 2624–2632. http://doi.org/10.1080/00927872.2013.766827 doi: 10.1080/00927872.2013.766827
    [14] Z. Izhakian, Basics of linear algebra over the extended tropical semiring, Contemporary Mathematics, 495 (2009), 173–191.
    [15] Z. Izhakian, L. Rowen, The tropical rank of a tropical matrix, Commun. Algebra, 37 (2009), 3912–3927. https://doi.org/10.1080/00927870902828793 doi: 10.1080/00927870902828793
    [16] D. Jones, Matrix roots in the max-plus algebra, Linear Algebra Appl., 631 (2021), 10–34. https://doi.org/10.1016/j.laa.2021.08.008 doi: 10.1016/j.laa.2021.08.008
    [17] M. Kotov, A. Ushakov, Analysis of a key exchange protocol based on tropical matrix algebra, J. Math. Cryptol., 12 (2018), 137–141. https://doi.org/10.1515/jmc-2016-0064 doi: 10.1515/jmc-2016-0064
    [18] D. Grigoriev, V. Shpilrain, Tropical cryptography Ⅱ: extensions by homomorphisms, Commun. Algebra, 47 (2019), 4224–4229. https://doi.org/10.1080/00927872.2019.1581213 doi: 10.1080/00927872.2019.1581213
    [19] D. Rudy, C. Monico, Remarks on a tropical key exchange system, J. Math. Cryptol., 15 (2021), 280–283. https://doi.org/10.1515/jmc-2019-0061 doi: 10.1515/jmc-2019-0061
    [20] S. Isaac, D. Kahrobaei, A closer look at the tropical cryptography, Int. J. Comput. Math., 6 (2021), 137–142. https://doi.org/10.1080/23799927.2020.1862303 doi: 10.1080/23799927.2020.1862303
    [21] H. Huang, C. Li, L. Deng, Public-key cryptography based on tropical circular matrices, Appl. Sci., 12 (2022), 7401. https://doi.org/10.3390/app12157401 doi: 10.3390/app12157401
    [22] F. Olia, S. Ghalandarzadeh, A. Amiraslani, S. Jamshidvand, Solving linear systems over tropical semirings through normalization method and its applications, J. Algebra Appl., 20 (2021), 2150159. https://doi.org/10.1142/S0219498821501590 doi: 10.1142/S0219498821501590
    [23] F. Mohammadi, M. Michałek, B. Sturmfels: "invitation to nonlinear algebra", Jahresber. Dtsch. Math. Ver., 124 (2022), 197–204. https://doi.org/10.1365/s13291-022-00252-w doi: 10.1365/s13291-022-00252-w
    [24] A. Muanalifah, S. Sergeev, Modifying the tropical version of stickel's key exchange protocol, Appl. Math., 65 (2020), 727–753. https://doi.org/10.21136/AM.2020.0325-19 doi: 10.21136/AM.2020.0325-19
    [25] S. Mehmood, Key exchange protocol based on matrices using tropical algebra, Master Thesis, Capital University of Science and Science and Technology, 2019.
    [26] M. I. Durcheva, Public key cryptography with max-plus matrices and polynomials, AIP Conference Proceedings, 1570 (2013), 491–498. http://doi.org/10.1063/1.4854794 doi: 10.1063/1.4854794
  • This article has been cited by:

    1. Zoran Pucanović, Marko Pešović, Analyzing Chebyshev polynomial-based geometric circulant matrices, 2024, 32, 2688-1594, 5478, 10.3934/era.2024254
    2. Ponmaheshkumar A, Perumal R, Toeplitz matrices based key exchange protocol for the internet of things, 2024, 16, 2511-2104, 293, 10.1007/s41870-023-01608-w
    3. Huawei Huang, Weisha Kong, Ting Xu, Asymmetric Cryptography Based on the Tropical Jones Matrix, 2024, 16, 2073-8994, 456, 10.3390/sym16040456
    4. B. Amutha, R. Perumal, Two party key exchange protocol based on duo circulant matrices for the IoT environment, 2024, 16, 2511-2104, 3585, 10.1007/s41870-024-01922-x
    5. J. Jackson, R. Perumal, A secure key exchange protocol for Industrial Internet of Things based on tropical triad matrix semiring, 2024, 2511-2104, 10.1007/s41870-024-02276-0
    6. J. Jackson, R. Perumal, An Algebraic Attack on the Key Exchange Protocol based upon a Modified Tropical Structure, 2024, 08905401, 105259, 10.1016/j.ic.2024.105259
    7. Sulaiman Alhussaini, Sergeĭ Sergeev, On implementation of Stickel's key exchange protocol over max-min and max-T semirings, 2024, 18, 1862-2984, 10.1515/jmc-2024-0014
    8. J. Jackson, R. Perumal, A tropical algebraic collatz conjecture based key exchange protocol for IoT environment, 2024, 2511-2104, 10.1007/s41870-024-02295-x
    9. Ivan Buchinskiy, Matvei Kotov, Alexander Treier, Analysis of four protocols based on tropical circulant matrices, 2024, 0019-5588, 10.1007/s13226-024-00737-7
    10. Ivan M. Buchinskiy, Matvei V. Kotov, Alexander V. Treier, 2024, Chapter 5, 978-3-031-73364-2, 73, 10.1007/978-3-031-73365-9_5
    11. J. Jackson, R. Perumal, 2024, Chapter 7, 978-981-97-4798-6, 81, 10.1007/978-981-97-4799-3_7
    12. A. Ponmaheshkumar, Jothi Ramalingam, Perumal R., Multi-party key exchange scheme based on supertropical semiring, 2025, 0161-1194, 1, 10.1080/01611194.2024.2435649
    13. Mariana Durcheva, Cryptography Based on (Idempotent) Semirings: Abandoning Tropicality?, 2025, 5, 2673-8392, 26, 10.3390/encyclopedia5010026
  • Reader Comments
  • © 2023 the Author(s), licensee AIMS Press. This is an open access article distributed under the terms of the Creative Commons Attribution License (http://creativecommons.org/licenses/by/4.0)
通讯作者: 陈斌, bchen63@163.com
  • 1. 

    沈阳化工大学材料科学与工程学院 沈阳 110142

  1. 本站搜索
  2. 百度学术搜索
  3. 万方数据库搜索
  4. CNKI搜索

Metrics

Article views(1572) PDF downloads(62) Cited by(13)

Figures and Tables

Figures(2)  /  Tables(3)

Other Articles By Authors

/

DownLoad:  Full-Size Img  PowerPoint
Return
Return

Catalog