Asymmetric Cryptography Based on the Tropical Jones Matrix

Abstract

In recent years, the tropical polynomial factorization problem, the tropical matrix decomposition problem, and the tropical multivariate quadratic equation solving problem have been proved to be NP-hard. Some asymmetric cryptographic systems based on tropical semirings have been proposed, but most of them are insecure and have been successfully attacked. In this paper, a new key exchange protocol and a new encryption protocol are proposed based on the difficulty of finding the multiple exponentiation problem of the tropical Jones matrices. The analysis results indicate that our protocol can resist various existing attacks. The complexity of attacking an MEP by adversaries is raised due to the larger number of combinations in the tropical Jones matrices compared to regular matrix polynomials. Furthermore, the index semiring is the non-negative integer cyclic matrix semiring, leading to a higher efficiency in key generation.

1. Introduction

Asymmetric cryptography plays a crucial role in the modern fields of communication and information security, offering reliable solutions for safeguarding the confidentiality, integrity, and authentication of data. Widely applied in areas such as internet transmission, digital signatures, and virtual private networks (VPNs), it provides users with a secure and dependable means of communication.

Asymmetric cryptography was first presented by Diffie and Hellman in 1976. Cryptographers have designed several representative public key cryptosystems. The security of these cryptographic systems relies on the difficulty associated with solving certain conventional mathematical challenges, including the integer factorization problem (IFP) [1], the knapsack problem (KP) [2], the discrete logarithm problem (DLP) [3,4], and the shortest vector problem in lattice [5]. The IFP and DLP are also two computational problems that public key cryptography mainly relies on. However, it is possible to solve the two problems in polynomial time using the quantum algorithm [6] that Shor proposed. Therefore, future cryptographic systems need to resist quantum attack, and developing new cryptographic systems is currently a hot topic in cryptography research.

Tropical algebra is derived from the tropical set theory proposed by the scientist Imre Simon [7,8]. In tropical algebra, tropical addition involves taking the minimum or maximum value of two numbers, and tropical multiplication is the common addition. Later, some cryptography researchers combined tropical algebra with the concept of semirings and defined the algebraic structure of tropical semirings. In 2005, Kim and Roush [9] proved that if the coefficients are finite, or all the coefficients are 0 or infinity (the Boolean case), then the univariate polynomial factorization problem of tropical semirings is usually NP-complete. In 2014, Shitov [10] studied the tropical matrix factorization (MF) problem and proved that the k-MF problem is NP-hard when $k\ge 7$. (The k-MF problem is as follows: given a $m\times n$ matrix $A$ on ${ℝ}_{\min }$, find a $m\times k$ matrix $B$ and a $k\times n$ matrix $C$, such that $BC=A$).

Since tropical addition involves taking the minimum or maximum value of two numbers, tropical multiplication is the common addition and the calculations in the tropical semiring are more efficient than the classical ring. Recently, many people have attempted to propose some key exchange protocols based on tropical matrix algebra that are not only efficient but also secure, but they have been successfully attacked. By imitating some famous “classical” schemes previously proposed, Grigoriev and Shpilrain initially proposed a key exchange protocol based on tropical semirings [11] in 2014. In this article, Grigoreiv and Shpilrain reduced the 3-SAT problem to a system of multivariate quadratic polynomial equations (MQPs) of tropical semirings and proved that the MQP of tropical semirings is NP-hard. However, when the range of tropical matrix elements contains negative numbers, it is found that each term of the tropical matrix will soon become negative and will become smaller as the number of powers increases. According to this rule, Kotov and Ushakov [12] developed corresponding effective attack schemes. In response to this heuristic attack proposed by Kotov and Ushakov, Grigoriev and Shpilrain proposed a new improvement to the key exchange protocol. In 2019, they proposed a key exchange protocol [13] based on the semidirect product of tropical matrices. However, this scheme was successfully broken by Rudy and Monico [14] using a simple binary search. In addition, Isaac and Kahrobaei [15] and Muanalifah and Sergeev [16] have also successfully attacked the schemes. To remedy the Grigorev–Shpilrain’s protocol, Muanalifah and Sergeev proposed the use of two classes of exchange matrices (the Jones matrix and the LP matrix) from tropical algebra [17] and utilized the bilateral action of the matrices to propose three key exchange protocols [18]. However, in this article, the user’s secret matrix may still be represented in the linear form of the powers of the fundamental elementary matrix. Hence, its modifications are not resistant to the generalized KU attack. In 2022, Huang and Li proposed a new key exchange protocol [19] based on the multiple exponentiation problem of matrices, using tropical algebra as a platform and the adjoint matrix of the first polynomial. The analysis results showed that the protocol can resist all known attacks. Durcheva [20] proposed a public key encryption scheme based on the circulant matrix product problem and the two-sided action problem of matrix polynomials in 2022. Jiang et al. [21] cracked the scheme through tropical linear equations. Ahmed et al. [22] summarizes and analyzes the previous tropical cryptography schemes. Other cryptographic schemes based on tropical algebra can be found in the references [23,24,25].

Our contribution: In this paper, we design a new class of key exchange protocol and asymmetric encryption protocol based on the tropical Jones matrix. The security of the designed key exchange protocol can be reduced to a specific type of semigroup action problem introduced by Maze in [17], which involves the difficulty of finding the multiple exponentiation of tropical matrices. The multiple exponentiation problem can be transformed into a constructive membership problem of a semigroup in polynomial time, and this problem is a provable hard problem in the quantum computing model [26]. In addition, this problem cannot be reduced to the DLP or the HSP (hidden subgroup problem) efficiently in most cases. So, our protocol has the property of anti-quantum computing. The greater amount of combinations of the tropical Jones matrices as opposed to standard matrix polynomials increases the difficulty of adversaries attacking the MEP. Through an analysis of the key exchange protocol, it is found that our protocol can also resist KU attack and other known attacks. Additionally, the index semiring is the non-negative integer cyclic matrix semiring, which increases key generation efficiency.

The remaining portions of this article are organized as follows. Section 2 contains some preliminary information on tropical semirings. Section 3 presents our protocols based on the tropical Jones matrix. In Section 4, we provide a straightforward example to illustrate this key exchange protocol. The efficiency of the proposed cryptographic protocol, possible attacks, and parameter selection are finally covered in Section 5. Finally, Section 6 summarizes this article.

2. Preliminaries

Note: We represent the set $\left\{1,2,\dots ,n\right\}$ and $\left\{1,2,\dots ,m\right\}$ as $\left[n\right]$ and $\left[m\right]$.

We first provide some essential information about tropical algebra. For more details, please refer to the monograph [27].

Definition 1 

([28] (Semiring)). Let $R$ be a nonempty set in which two binary operations are defined, where one is an addition operation and the other is a multiplication operation, if the operation meets the following criteria:

(1)

The set R forms a commutative monoid for “  $+$” and has an identity element denoted as  $0$;

(2)

The set R forms a monoid for “  $\cdot$” and has an identity element denoted as $1$;

(3)

$a\cdot \left(b+c\right)=a\cdot b+a\cdot c$; $\left(a+b\right)\cdot c=a\cdot c+b\cdot c$  for all $a\in R,b\in R,c\in R$;

(4)

$0\cdot r=r\cdot 0=0$ for all $r\in R$;

(5)

$1\ne 0$,

then  $R$ is a semiring. If for any  $a,b\in R$, satisfies  $a\cdot b=b\cdot a$, then  $R$ is called a commutative semiring.

Definition 2 

([29] (Tropical Semiring)). The non-negative integer tropical commutative semiring is the set ${\mathbb{T}}_{\mathbb{Z}}=\mathbb{Z}\cup \left\{-\infty \right\}$ with two binary compositions $\oplus$ and $\otimes$ as follows:

$$x\oplus y=\max \left(x,y\right),x\otimes y=x+y.$$

$-\infty$ and $0$ satisfied the following equations:

$$x\oplus \left(-\infty \right)=x,x\otimes 0=0,\forall x\in \mathbb{Z}$$

The commutative semiring properties of with addition identity $-\infty$ and multiplication identity 0 are easily demonstrated.

This is an example:

$$9\oplus 3=9,7\otimes 9=7+9=16$$

The set of all tropical polynomials over ${\mathbb{T}}_{\mathbb{Z}}$ can be defined where the unknown term is $x$, just like in the classical case. Let

$${\mathbb{T}}_{\mathbb{Z}}\left[x\right]=\left\{\left(a_n\otimes x^n\right)\oplus \left(a_{n-1}\otimes x^{n-1}\right)\oplus \cdots \oplus \left(a_1\otimes x\right)\oplus a_0\left|a_i\in {\mathbb{T}}_{\mathbb{Z}},n\ge 0\right.\right\}.$$

The $\oplus$ and $\otimes$ operations of tropical polynomials in ${\mathbb{T}}_{\mathbb{Z}}\left[x\right]$ are like the classical addition and multiplication, with each $+$ being replaced by $\oplus$ and each $\cdot$ being replaced by $\otimes$. Proving that ${\mathbb{T}}_{\mathbb{Z}}\left[x\right]$ is a commutative semiring under $\oplus$ and $\otimes$ is straightforward.

Definition 3 

(Tropical Matrix). Let ${\mathbb{M}}_k\left({\mathbb{T}}_{\mathbb{Z}}\right)$ be the set of all $k\times k$ matrices over ${\mathbb{T}}_{\mathbb{Z}}$ We define binary operations $\oplus$ and $\otimes$ on ${\mathbb{M}}_k\left({\mathbb{T}}_{\mathbb{Z}}\right)$:

Record $A=\left[a_{ij}\right],B=\left[b_{ij}\right]$, then

$$A\oplus B=\left[a_{ij}\right]\oplus \left[b_{ij}\right]=\left[a_{ij}+b_{ij}\right],$$

$$A\otimes B=\left[a_{ij}\right]\otimes \left[b_{ij}\right]=\left[a_{i1}\otimes b_{1j}\oplus a_{i2}\otimes b_{2j}\oplus \cdots \oplus a_{ik}\otimes b_{kj}\right].$$

So is a semiring and

$$O=\left[\begin{array}{cccc}-\infty & -\infty & \cdots & -\infty \\ -\infty & -\infty & \cdots & -\infty \\ ⋮& ⋮& \ddots & ⋮\\ -\infty & -\infty & \cdots & -\infty \end{array}\right],I=\left[\begin{array}{cccc}0& -\infty & \cdots & -\infty \\ -\infty & 0& \cdots & -\infty \\ ⋮& ⋮& \ddots & ⋮\\ -\infty & -\infty & \cdots & 0\end{array}\right]$$

are the identity elements of ${\mathbb{M}}_k\left({\mathbb{T}}_{\mathbb{Z}}\right)$ under $\oplus$ and $\otimes$ respectively.

It is rare for tropical matrices to be reversible, unlike the classical situation. Only tropical matrices obtained by elementary row or column transformations of diagonal matrices can be reversed.

Similarly, we can define a tropical matrix polynomial as follows:

$${\mathbb{T}}_{\mathbb{Z}}\left[N\right]=\left\{\left(a_n\otimes N^n\right)\oplus \left(a_{n-1}\otimes N^{n-1}\right)\oplus \cdots \oplus \left(a_1\otimes N\right)\oplus \left(a_0\otimes I^0\right)\left|a_i\in {\mathbb{T}}_{\mathbb{Z}},n\ge 0\right.\right\}$$

where $N\in {\mathbb{M}}_k\left({\mathbb{T}}_{\mathbb{Z}}\right),N^n=N\otimes N\otimes \cdots \otimes N$ (n times). ${\mathbb{T}}_{\mathbb{Z}}\left[N\right]$ is a commutative subsemiring of ${\mathbb{M}}_k\left({\mathbb{T}}_{\mathbb{Z}}\right)$ with respect to tropical matrix addition and multiplication.

Definition 4 

([23] (Circulant Matrix)). If matrix $C$  is in the following form:

$$\left[\begin{array}{ccccc}{c}_1& c_n& c_{n-1}& \cdots & c_2\\ c_2& c_1& c_n& \cdots & c_3\\ c_3& c_2& c_1& \cdots & c_4\\ ⋮& ⋮& ⋮& \ddots & ⋮\\ c_n& c_{n-1}& c_{n-2}& \cdots & c_1\end{array}\right],$$

it is called a circulant matrix, where the terms are $c_1,c_2,\cdots ,c_n$. The set of all non-negative integer circulant matrices is denoted as $C_n\left({\mathbb{Z}}^{+}\right)$.

2.1. Jones Matrix

In this section, we describe a specific type of matrices that were considered by Jones [30], and, by extending the polynomial concept, we can derive the concept of quasi-polynomials for Jones matrices, which will be applied to the protocol in Section 3.

Definition 5 

([18] (Jones Matrix)). Let $A=\left[a_{ij}\right]$ be an n × n tropical matrix that satisfies the following property:

$$a_{ij}\otimes a_{jk}\le a_{ik}\otimes a_{jj},\forall i,j,k\in \left[n\right],$$

we call $A$ a Jones matrix.

Definition 6 

([18] (Deformation)). Let $A=\left[a_{ij}\right]$ be a Jones matrix and $\alpha \in ℝ$. The matrix $A^{\left(\alpha \right)}=\left(a_{ij}^{\left(\alpha \right)}\right)$ defined by

$$a_{ij}^{\left(\alpha \right)}=a_{ij}\otimes {\left(a_{ii}\oplus a_{jj}\right)}^{\otimes \left(\alpha -1\right)},\forall i,j\in \left[n\right]$$

is called a deformation of $A$.

Next, we will describe two theorems for a Jones matrix.

Theorem 1 

([18]). If $A$ is a Jones matrix, then $A^{\left(\alpha \right)}$ is also a Jones matrix for any $\alpha \le 1$.

Theorem 2 

([18]). Let $A\in {\mathbb{M}}_k\left({\mathbb{T}}_{\mathbb{Z}}\right)$ be a Jones matrix, then

$$A^{\left(\alpha \right)}\otimes A^{\left(\beta \right)}=A^{\left(\beta \right)}\otimes A^{\left(\alpha \right)}$$

for any $\alpha$ and $\beta$, such that $0\le \alpha \le 1$ and $0\le \beta \le 1$.

According to the above theorems, we define a quasi-polynomial and replace a monomial with a deformation.

Definition 7 

([18] (Quasi-polynomial)). Let $A\in {\mathbb{M}}_k\left({\mathbb{T}}_{\mathbb{Z}}\right)$ be a Jones matrix. Matrix $B$ is termed a quasi-polynomial of $A$ if

$$B=\underset{\alpha \in R}{{\displaystyle \oplus }}{a}_{\alpha }\otimes N^{\left(\alpha \right)}$$

for some finite subset $\mathcal{R}$ of rational numbers in $\left[0,1\right]$ and$a_{\alpha }\in {\mathbb{T}}_{\mathbb{Z}}$ for $\alpha \in \mathcal{R}$. The set composed of all quasi-polynomials of $N$ is denoted as ${\mathbb{T}}_{\mathbb{Z}}\left[N^{\left(\alpha \right)}\right]$.

2.2. A New Semigroup Action

Let A be a non-negative integer circulant matrix, $N\in {\mathbb{M}}_k\left({\mathbb{T}}_{\mathbb{Z}}\right)$ be a Jones matrix, and $\overrightarrow{H}=\left(H_1.H_2,\cdots ,H_n\right)\in {\left({\mathbb{T}}_{\mathbb{Z}}\left[N^{\left(\alpha \right)}\right]\right)}^n$. Now consider the action of the multiplicative semigroup $C_n\left({\mathbb{Z}}^{+}\right)$ on the Cartesian product ${\left({\mathbb{T}}_{\mathbb{Z}}\left[N^{\left(\alpha \right)}\right]\right)}^n$, as shown below:

$${\overrightarrow{H}}^A=\left(H_1^A,H_2^A,\cdots ,H_n^A\right)=\left(\underset{i=1}{\overset{n}{{\displaystyle \otimes }}}{H}_i^{a_{1i}},\underset{i=1}{\overset{n}{{\displaystyle \otimes }}}{H}_i^{a_{2i}},\cdots ,\underset{i=1}{\overset{n}{{\displaystyle \otimes }}}{H}_i^{a_{ni}}\right),$$

where $H_i^{a_{ji}}=H_i\otimes H_i\otimes \cdots \otimes H_i$ ($a_{ji}$ times). It can be easily proven that ${\overrightarrow{H}}^A$ is a semigroup action of $C_n\left({\mathbb{Z}}^{+}\right)$ on ${\left({\mathbb{T}}_{\mathbb{Z}}\left[N^{\left(\alpha \right)}\right]\right)}^n$.

2.3. Multiple Exponentiation Problem of Tropical Matrices

According to Reference [19], we can give the definition of the ME problem of the tropical Jones matrix.

Definition 8 

(ME problem). Let $C\in C_n\left({\mathbb{Z}}^{+}\right)$, $N\in {\mathbb{M}}_k\left({\mathbb{T}}_{\mathbb{Z}}\right)$ be a Jones matrix, and $\overrightarrow{H}=\left(H_1.H_2,\cdots ,H_n\right)\in {\left({\mathbb{T}}_{\mathbb{Z}}\left[N^{\left(\alpha \right)}\right]\right)}^n$, and assuming $\overrightarrow{U}={\overrightarrow{H}}^A$, where $A\in C_n\left({\mathbb{Z}}^{+}\right)$. The multiple exponentiation problem of tropical matrices is to find a matrix $A\in C_n\left({\mathbb{Z}}^{+}\right)$ satisfying the above equation for given $C,\overrightarrow{H}$ and $\overrightarrow{U}$. (Remember that $N$ is unknown.) We refer to the issue as the “ME problem” for simplicity’s sake.

Many results in traditional algebra are known to be invalid in tropical algebra. Consequently, certain properties of ordinary matrices, such as Cayley–Hamilton theorem, eigenvalues, and determinant, do not apply. But if $H_i\left(i\in \left[n\right]\right)$ satisfies certain conditions, we can simplify the problem to the DLP.

Proposition 1 

([18]). If a component $H_i$ of $\overrightarrow{H}$ exists such that

$$\left(\forall j\ne i\right)H_j\in 〈H_i〉\left(i,j\in \left[n\right]\right),$$

then the ME problem can be simplified to the DLP in polynomial time.

3. Key Exchange Protocol and Encryption Protocol Based on the Jones Matrix

This section presents a key exchange protocol that is similar to the Diffie–Hellman protocol. It is based on the multiple exponentiation problem of tropical matrices and a public key encryption protocol such as the ELGamal encryption protocol.

3.1. A New Key Exchange Protocol

Let $\overrightarrow{H}=\left(H_1.H_2,\cdots ,H_n\right)\in {\left({\mathbb{T}}_{\mathbb{Z}}\left[N^{\left(\alpha \right)}\right]\right)}^n$ be such that no component $H_i$ of $\overrightarrow{H}$ exists such that $\left(\forall j\ne i\right)H_j\in 〈H_i〉\left(i,j=0,1,2,\cdots ,n-1\right)$. The protocol’s public parameters are $\overrightarrow{H}$.

Protocol A

(1)

Alice randomly selects a circulant matrix $A\in C_n\left({\mathbb{Z}}^{+}\right)$, calculates $\overrightarrow{U}={\overrightarrow{H}}^A$, and sends $\overrightarrow{U}$ to Bob;

(2)

Bob randomly selects a circulant matrix $B\in C_n\left({\mathbb{Z}}^{+}\right)$, calculates $\overrightarrow{V}={\overrightarrow{H}}^B$, and sends $\overrightarrow{V}$ to Alice;

(3)

Alice calculates

$$K_{Alice}={\overrightarrow{V}}^A={\left({\overrightarrow{H}}^B\right)}^A={\overrightarrow{H}}^{B\cdot A};$$

(4)

Bob calculates

$$K_{Bob}={\overrightarrow{U}}^B={\left({\overrightarrow{H}}^A\right)}^B={\overrightarrow{H}}^{A\cdot B}.$$

Note that “$\cdot$” is the matrix multiplication in $C_n\left({\mathbb{Z}}^{+}\right)$.

Given that $C_n\left({\mathbb{Z}}^{+}\right)$ is commutative, we obtain $A\cdot B=B\cdot A$ and $K_{Alice}=K_{Bob}$. Thus, Bob and Alice have a shared secret key.

3.2. A Common Key Encryption Protocol Based on the Jones Matrix

Protocol B

(1)

Key Generation

Let $\overrightarrow{H}=\left(H_1.H_2,\cdots ,H_n\right)\in {\left({\mathbb{T}}_{\mathbb{Z}}\left[N^{\left(\alpha \right)}\right]\right)}^n$. No component $H_i$ of $\overrightarrow{H}$ exists such that $\left(\forall j\ne i\right)H_j\in 〈H_i〉\left(i,j=0,1,2,\cdots ,n-1\right)$. The protocol’s public parameters are $\overrightarrow{H}$. The key generation center randomly chooses a circulant matrix $A$ in $C_n\left({\mathbb{Z}}^{+}\right)$, and computes

$$\overrightarrow{U}={\overrightarrow{H}}^A.$$

Alice’s public key is shown as $\overrightarrow{U}$. Alice’s secret key is $A$.

(2)

Encryption

Bob needs to do the following calculation to send the plaintext message $\overrightarrow{M}\in {\left({\mathbb{M}}_k\left[{\mathbb{T}}_{\mathbb{Z}}\right]\right)}^n$ to Alice.

①

Bob randomly selects a circulant matrix $B\in C_n\left({\mathbb{Z}}^{+}\right)$, then computes $\overrightarrow{V}={\overrightarrow{H}}^B$, and takes it as the first part of the ciphertext.

②

Bob calculates $\overrightarrow{Q}=\overrightarrow{M}+{\overrightarrow{U}}^B$ as the final component of the ciphertext. Note that the “$+$ ” here is an ordinary matrix addition operation.

③

Bob sends ciphertext $\left(\overrightarrow{V},\overrightarrow{Q}\right)$ just calculated to Alice.

(3)

Decryption

After receiving the ciphertext $\left(\overrightarrow{V},\overrightarrow{Q}\right)$ sent by Bob, Alice decrypts it with her private key.

①

Alice first computes $\overrightarrow{W}={\overrightarrow{V}}^A$.

②

Alice then computes $\overrightarrow{Q}-\overrightarrow{W}$ to get the original plaintext message. Note that “$-$” here is an ordinary matrix subtraction operation.

Verification:

$$\begin{array}{ll}\overrightarrow{Q}-\overrightarrow{W}& =\overrightarrow{M}+{\overrightarrow{U}}^B-{\overrightarrow{V}}^A\\ & =\overrightarrow{M}+{\left({\overrightarrow{H}}^A\right)}^B-{\left({\overrightarrow{H}}^B\right)}^A\\ & =\overrightarrow{M}+{\overrightarrow{H}}^{A\cdot B}-{\overrightarrow{H}}^{B\cdot A}\\ & =\overrightarrow{M}\end{array}.$$

4. A Toy Example

To help readers comprehend the above key exchange protocol, we have included a basic example in this section.

Alice and Bob both choose a Jones matrix $N=\left[\begin{array}{ccc}6& 5& 6\\ 6& 16& 12\\ 5& 9& 12\end{array}\right]$ and $\overrightarrow{H}=\left(N^{\left(\frac{1}{2}\right)},N^{\left(\frac{1}{3}\right)},N^{\left(\frac{1}{4}\right)}\right)$, i.e.,

$$\overrightarrow{H}=\left(\left[\begin{array}{ccc}3& -3& 0\\ -2& 8& 4\\ -1& 1& 6\end{array}\right],\left[\begin{array}{ccc}2& -\frac{17}{3}& -2\\ -\frac{14}{3}& \frac{16}{3}& \frac{4}{3}\\ -3& -\frac{5}{3}& 4\end{array}\right],\left[\begin{array}{ccc}\frac{3}{2}& -7& -3\\ -6& 4& 0\\ -4& -3& 3\end{array}\right]\right).$$

Alice’s private key is $A=\left[\begin{array}{ccc}2& 3& 4\\ 4& 2& 3\\ 3& 4& 2\end{array}\right]\in C_n\left({\mathbb{Z}}^{+}\right)$, she computes

$$\overrightarrow{U}={\overrightarrow{H}}^A=\left(\left[\begin{array}{ccc}27& 37& 33\\ 38& 48& 44\\ 31& 41& 37\end{array}\right],\left[\begin{array}{ccc}\frac{101}{3}& \frac{131}{3}& \frac{119}{3}\\ \frac{134}{3}& \frac{164}{3}& \frac{152}{3}\\ \frac{113}{3}& \frac{143}{3}& \frac{131}{3}\end{array}\right],\left[\begin{array}{ccc}\frac{97}{3}& \frac{127}{3}& \frac{115}{3}\\ \frac{130}{3}& \frac{160}{3}& \frac{148}{3}\\ \frac{109}{3}& \frac{139}{3}& \frac{127}{3}\end{array}\right]\right),$$

then sends $\overrightarrow{U}$ to Bob.

Bob’s private key is $B=\left[\begin{array}{ccc}0& 2& 1\\ 1& 0& 2\\ 2& 1& 0\end{array}\right]\in C_n\left({\mathbb{Z}}^{+}\right)$. He computes

$$\overrightarrow{V}={\overrightarrow{H}}^B=\left(\left[\begin{array}{ccc}\frac{11}{2}& \frac{11}{3}& 5\\ \frac{14}{3}& \frac{44}{3}& \frac{32}{3}\\ 4& \frac{23}{3}& 11\end{array}\right],\left[\begin{array}{ccc}6& 5& 6\\ 6& 16& 12\\ 5& 9& 12\end{array}\right],\left[\begin{array}{ccc}8& \frac{31}{3}& 10\\ \frac{34}{3}& \frac{64}{3}& \frac{52}{3}\\ 9& \frac{43}{3}& 16\end{array}\right]\right),$$

then sends $\overrightarrow{V}$ to Alice.

Alice calculates

$$K_{Alice}=\left(\left[\begin{array}{ccc}\frac{425}{3}& \frac{455}{3}& \frac{443}{3}\\ \frac{458}{3}& \frac{488}{3}& \frac{476}{3}\\ \frac{437}{3}& \frac{467}{3}& \frac{455}{3}\end{array}\right],\left[\begin{array}{ccc}\frac{401}{3}& \frac{431}{3}& \frac{419}{3}\\ \frac{434}{3}& \frac{464}{3}& \frac{452}{3}\\ \frac{413}{3}& \frac{443}{3}& \frac{431}{3}\end{array}\right],\left[\begin{array}{ccc}\frac{389}{3}& \frac{419}{3}& \frac{407}{3}\\ \frac{422}{3}& \frac{452}{3}& \frac{440}{3}\\ \frac{401}{3}& \frac{431}{3}& \frac{419}{3}\end{array}\right]\right).$$

And Bob calculates

$$K_{Bob}=\left(\left[\begin{array}{ccc}\frac{425}{3}& \frac{455}{3}& \frac{443}{3}\\ \frac{458}{3}& \frac{488}{3}& \frac{476}{3}\\ \frac{437}{3}& \frac{467}{3}& \frac{455}{3}\end{array}\right],\left[\begin{array}{ccc}\frac{401}{3}& \frac{431}{3}& \frac{419}{3}\\ \frac{434}{3}& \frac{464}{3}& \frac{452}{3}\\ \frac{413}{3}& \frac{443}{3}& \frac{431}{3}\end{array}\right],\left[\begin{array}{ccc}\frac{389}{3}& \frac{419}{3}& \frac{407}{3}\\ \frac{422}{3}& \frac{452}{3}& \frac{440}{3}\\ \frac{401}{3}& \frac{431}{3}& \frac{419}{3}\end{array}\right]\right),$$

where $K_{Alice}=K_{Bob}$. Therefore, Alice and Bob share the key.

5. Security Analysis and Parameter Selection

In this section, we analyze the security of the proposed key exchange protocol. The analysis shows that our protocol can resist all known attacks and has the property of anti-quantum computing. First, we prove that Protocol B is semantically secure.

Definition 9 

([19]). Suppose $\overrightarrow{U}=A\ast \overrightarrow{H}$ and $\overrightarrow{V}=B\ast \overrightarrow{H}$, where $A,B\in C_n({\mathbb{Z}}^{+})$. Let $R\in {\left({\mathbb{T}}_{\mathbb{Z}}\left[N^{\left(\alpha \right)}\right]\right)}^n$. The decisional ME problem is to decide whether $\overrightarrow{R}={\overrightarrow{H}}^{AB}$, given $\overrightarrow{H}$, $\overrightarrow{U}$, $\overrightarrow{V}$, and $\overrightarrow{R}$. To simplify, we denote it as the “DME”.

Theorem 3. 

An algorithm capable of resolving the DME problem can effectively ascertain the legitimacy of ciphertexts within Protocol B. Conversely, an algorithm designed to determine the validity of ciphertexts within Protocol B can be harnessed to address the DME problem.

Proof. 

Let us initially assume that algorithm ${\mathcal{A}}_1$ possesses the capability to determine the correctness of a decryption within Protocol B. When given the inputs $\overrightarrow{H}$, $\overrightarrow{U}$, $(\overrightarrow{V},\overrightarrow{Q})$, and $\overrightarrow{M}$, the algorithm ${\mathcal{A}}_1$ outputs “yes” if $\overrightarrow{M}$ is the decryption of $(\overrightarrow{V},\overrightarrow{Q})$ and outputs “no” otherwise. Given the input $\overrightarrow{H}$, $\overrightarrow{U}$, $(\overrightarrow{V},\overrightarrow{Q})$, and $\overrightarrow{M}$, the algorithm ${\mathcal{A}}_1$ outputs “yes” if $\overrightarrow{M}$ is the decryption of $(\overrightarrow{V},\overrightarrow{Q})$ and “no” otherwise. Now, we use ${\mathcal{A}}_1$ to solve the DME problem. Suppose we are given $\overrightarrow{H}$, $\overrightarrow{U}(={\overrightarrow{H}}^A)$, $\overrightarrow{V}(={\overrightarrow{H}}^B)$, and $\overrightarrow{R}$, and our aim is to determine whether $\overrightarrow{R}={\overrightarrow{H}}^{AB}$. Let $\overrightarrow{Q}=\overrightarrow{R}$ and $\overrightarrow{M}=(0_k,\cdots ,0_k)$, where $0_k$ is the $k\times k$ zero matrix of $M_k(\mathbb{Z})$. Input all of these parameters into ${\mathcal{A}}_1$. Note that $A$ is now the secret key. The decryption of $(\overrightarrow{V},\overrightarrow{Q})$ is

$$\overrightarrow{Q}-{\overrightarrow{V}}^A=\overrightarrow{R}-{({\overrightarrow{H}}^B)}^A=\overrightarrow{R}-{\overrightarrow{H}}^{AB}.$$

Consequently, ${\mathcal{A}}_1$ outputs “yes” precisely when $\overrightarrow{M}=(0_k,\cdots ,0_k)$ equals $\overrightarrow{R}-{\overrightarrow{H}}^{AB}$, specifically when $\overrightarrow{R}={\overrightarrow{H}}^{AB}$. This resolution effectively addresses the decision DME problem.

On the contrary, let us assume an algorithm ${\mathcal{A}}_2$ can effectively tackle the DME problem. This implies that if provided with inputs $\overrightarrow{H}$, $\overrightarrow{U}(={\overrightarrow{H}}^A)$, $\overrightarrow{V}(={\overrightarrow{H}}^B)$, and $\overrightarrow{R}$, the algorithm ${\mathcal{A}}_2$ produces “yes” if $\overrightarrow{R}={\overrightarrow{H}}^{AB}$ and “no” otherwise. Let it be the claimed decryption of the ciphertext. Consider $\overrightarrow{M}$ as the asserted decryption of the ciphertext $(\overrightarrow{V},\overrightarrow{Q})$. Input $\overrightarrow{Q}-\overrightarrow{M}$ as $\overrightarrow{R}$. It is worth noting that $\overrightarrow{M}$ represents the accurate plaintext for the ciphertext $(\overrightarrow{V},\overrightarrow{Q})$ only if $\overrightarrow{M}=\overrightarrow{Q}-{\overrightarrow{V}}^A=\overrightarrow{Q}-{\overrightarrow{H}}^{AB}$, which occurs if and only if $\overrightarrow{Q}-\overrightarrow{M}={\overrightarrow{H}}^{AB}$. Hence, $\overrightarrow{M}$ is the accurate plaintext if and only if $\overrightarrow{R}={\overrightarrow{H}}^{AB}$. Therefore, given these inputs, ${\mathcal{A}}_2$ yields “yes” precisely when $\overrightarrow{M}$ is the accurate plaintext.

The Theorem is proved. □

5.1. Possible Attacks

(1)

Brute-force attack. Assuming $A\in C_n\left({\mathbb{Z}}^{+}\right)$ is a circulant matrix with terms $a_0,a_1,\cdots ,a_{n-1}\in \left[0,s-1\right]$. The attacker clearly has $s^n$ options from which to select $A$, so the parameters $s$ and $n$ must satisfy $s^n\ge 2^{80}$.

(2)

Tropical matrix decomposition attack. Tropical matrix decomposition attack involves a search for a circulant matrix $A^{\prime }$ such that ${\overrightarrow{H}}^{A^{\prime }}=\overrightarrow{U}$ and $A^{\prime }C=C{A}^{\prime }$, then the attacker can find the shared key. However, the attacker needs to factor $\overrightarrow{U}$ into the form of $G_1{G}_2\cdots G_n$, where $G_i\in 〈H_j〉,n\ge 2$ is NP-hard, so the tropical matrix decomposition attack is not effective.

(3)

KU attack. Since the Jones matrix is unknown, if we want to find N, the system of equations needs to be solved as follows:

$$\left\{\begin{array}{l}\underset{{\alpha }_1\in \mathcal{R}}{{\displaystyle \oplus }}{a}_{{\alpha }_1}\otimes N^{\left({\alpha }_1\right)}=H_1\\ \underset{{\alpha }_2\in \mathcal{R}}{{\displaystyle \oplus }}{a}_{{\alpha }_2}\otimes N^{\left({\alpha }_2\right)}=H_2\\ \cdots \cdots \\ \underset{{\alpha }_n\in \mathcal{R}}{{\displaystyle \oplus }}{a}_{{\alpha }_n}\otimes N^{\left({\alpha }_n\right)}=H_n\end{array}\right..$$

Solving the above system of equations is NP-hard. Therefore, the KU attack is ineffective.

Assuming the attacker knows the matrix N, finding the private key A from the public key $\overrightarrow{U}$ is what they must accomplish. KU attacks are limited to breaking down tropical matrices into their product, like $U=X\otimes Y$. In this protocol, the KU attack will not function if the $\overrightarrow{H}$ component value is more than two. Therefore, we require that the components of $\overrightarrow{H}$ be greater than or equal to three.

(4)

Generalized KU attack. Additionally, a common matrix can be broken down by the generalized KU attack into the linear equivalent of the tropical basic elementary matrix: the product of two Jones matrices. However, in our cryptosystems, if $n>2$, then each component matrix of $\overrightarrow{U}$ is the result of multiplying by more than two matrices. In this instance, our cryptosystems are likewise unaffected by the generalized KU attack.

(5)

RM attack. Grigoriev and Shpilrain designed another key exchange protocol based on the action of the semidirect product. However, in this key exchange protocol, the addition operation of the tropical matrix is used, and the addition of the tropical matrix has the property of idempotent, so the power of this part of the semidirect product is partially order-preserving. Rudy and Monico used this feature to create a straightforward binary search algorithm that allowed them to break the cryptosystem in [14]. There is no tropical matrix addition operation in ${\overrightarrow{H}}^A$ in our cryptosystems. Thus, our cryptosystems can also resist this attack.

(6)

Quantum attack. Andrew et al. [26] proved that the constructive membership problem of the semigroup is a provable hard quantum computation model, and the lower bound of its quantum computation complexity is exponential. Since the ME problem can be transformed into a semigroup constructive member problem, our cryptosystems have the property of anti-quantum computing.

Table 1. Comparison among relevant tropical schemes.

Schemes	Mathematical Problems	KU Attack	RM Attack	G-KU Attack
Grigoriev [11]	Two-sided matrix action problem	×	√	×
Grigoriev [13]	Semidirect product problem	√	×	√
Muanalifah [16]	Two-sided matrix action problem	√	√	×
Huang [19]	Multiple exponentiation problem	√	√	√
Our protocols	Multiple exponentiation problem	√	√	√

provides the comparison of our protocols with other relevant schemes in terms of resisting various known attacks.

5.2. Parameter Selection and Efficiency

Nachtigall et al. defined a sequence of matrices to be almost linear periodic in [31]. In the following definition, if the matrix $H=\left[h_{ij}\right]$, then $h_{ij}^p$ denotes the $i{j}^{th}$ element of $H^p$.

Definition 10 

([31] (Almost linear periodic)). If there is a period $\rho$, linear factor $\xi$, and some defect $d$ such that the following equation applies for all indices $i,j$ and all $p>d$, then a sequence of matrices $\left\{H^p,p\in \mathbb{N}\right\}$ is almost linearly periodic:

$$h_{ij}^{p+\rho }=\xi +h_{ij}^p.$$

In [32], Beccelli et al. demonstrated that the higher powers sequence of tropical matrices is almost linear periodic. In our protocol, if the exponent $p$ and period $\rho$ of the Jones matrix $N$ are small, there is a possibility of potential heuristic attacks. The exponent $p$ of the tropical matrix increases with the increase of the order $k$ of the matrix. We have shown through experiments that it is feasible to generate a Jones matrix $N$ and $H_i$ with an exponent exceeding $k^2$ and using this feature to attack does not work.

From Proposition 1, we know that if there exists a component $H_i$ of $\overrightarrow{H}$ such that $\left(\forall j\ne i\right)H_j\in 〈H_i〉\left(i,j\in \left[n\right]\right)$, then the ME problem can be simplified to the DLP in polynomial time. To avoid this situation, $\overrightarrow{H}$ must satisfy that there is no component $H_i$ of $\overrightarrow{H}$ such that $\left(\forall j\ne i\right)H_j\in 〈H_i〉\left(i,j\in \left[n\right]\right)$.

In Protocol A and B, we recommend using the following parameters:

(1)

The order of the Jones matrix $N$ is $k=10$ and the element selection in $\left[0,1000\right]$;

(2)

Because the deformation of the Jones matrix means that the terms of the matrix may contain fractions, we recommend $a_{\alpha }=0$, where exponent $\alpha$ is selected rational numbers in $\left[0,1\right]$;

(3)

Because the terms of the private key matrices $A$ and $B$ are exponents of $H_i\left(i\in \left[n\right]\right)$, the terms of the circulant matrices $A$ and $B$ cannot be too large. Here, we recommend selecting their terms in $\left[0,10\right]$.

Now, we analyze the computational efficiency of encryption Protocol B. The most time-consuming operations in the protocol are the matrix exponentiations ${\overrightarrow{H}}^A$, ${\overrightarrow{H}}^B$, ${\overrightarrow{U}}^B$, and ${\overrightarrow{V}}^B$. (In the key generation process, $\overrightarrow{H}$ is randomly generated, and the private key matrix $A$ is randomly selected from cyclic matrices, compared to matrix exponentiation operations, so their time consumption can be neglected. In the encryption and decryption processes, the computation time for the ordinary matrix addition and subtraction is also typically very fast and can be neglected compared to matrix exponentiation.)

Table 2. Performance comparison under some parameters.

$\mathit{k}$	$\mathit{n}$	$\mathit{s}$	$\mathbf{Timing} \mathbf{of} {\overrightarrow{\mathit{H}}}^{\mathit{A}}$ (s)
10	80	2	1.082
14	51	3	1.929
21	40	4	2.38
25	39	5	5.618
28	33	6	5.686

compares the execution time of the operation $\overrightarrow{U}={\overrightarrow{H}}^A$ with various parameters, and

Table 3. Performance comparison of encryption under some parameters.

$\mathit{k}$	$\mathit{n}$	$\mathit{s}$	Timing of Key Generation (s)	Timing of Encryption (s)	Timing of Decryption (s)
10	80	2	1.085	2.052	1.506
14	51	3	1.933	3.38	2.804
21	40	4	2.383	4.787	4.256
25	39	5	5.623	9.33	8.775
28	33	6	5.692	9.546	9.089

compares the execution time of the key generation, encryption, and decryption processes under different parameters (research platform: AMD Ryzen 7 6800H with Radeon Graphics3.20 GHz).

Similar to the scheme in reference [19], our protocol is also built upon employing the tropical matrix multiple exponentiation problem. However, we employ the tropical Jones matrix MEP instead of the matrix polynomial MEP. Specifically, the base semiring we use is ${\mathbb{T}}_{\mathbb{Z}}\left[N^{(\alpha )}\right]$, not ${\mathbb{T}}_{\mathbb{Z}}\left[N\right]$. Under the same parameters, the quasi-polynomial set of Jones matrices is much larger than the general matrix polynomial set, greatly increasing the adversary’s search space. Additionally, since our index semiring is $C_n({\mathbb{Z}}^{+})$ rather than ${\mathbb{Z}}^{+}(D)$ in the key generation process, we only need to randomly generate a cyclic matrix without calculating the matrix polynomials, which makes the key generation efficiency higher in our protocol.

Table 4. Comparison with the protocol in [19].

Protocol	Base Semiring	Index Semiring	Hard Problem
[19]	${\mathbb{T}}_{\mathbb{Z}}\left[N\right]$	${\mathbb{Z}}^{+}(D)$	Matrix polynomial MEP
This paper	${\mathbb{T}}_{\mathbb{Z}}\left[N^{(\alpha )}\right]$	$C_n({\mathbb{Z}}^{+})$	Jones matrix MEP

compares our protocol with the protocol in reference [19].

6. Conclusions

In this paper, we propose a new key exchange protocol and a new public key encryption protocol by using the multiplication of the quasi-polynomial of the Jones matrix, which has the property of commutativity when $\alpha \in \left[0,1\right]$. The security of the protocol is analyzed. Because the component of public key $\overrightarrow{H}$ in our protocols is more than two, our protocols can resist a KU attack and a generalized KU attack. Furthermore, in our cryptosystem, the addition operation of the matrix is not involved, so our protocols can resist an RM attack. Since the ME problem can be transformed into a semigroup constructive member problem, our cryptosystems have the property of anti-quantum computing.