Tropical Cryptography Based on Multiple Exponentiation Problem of Matrices

Because there is no multiplication of numbers in tropical algebra and the problem of solving the systems of polynomial equations in tropical algebra is NP-hard, in recent years some public key cryptography based on tropical semiring has been proposed. But most of them have some defects.+is paper proposes new public key cryptosystems based on tropical matrices.+e security of the cryptosystem relies on the difficulty of the problem of finding multiple exponentiations of tropical matrices given the product of the matrices powers when the subsemiring is hidden. +is problem is a generalization of the discrete logarithm problem. But the problem generally cannot be reduced to discrete logarithm problem or hidden subgroup problem in polynomial time. Since the generating matrix of the used commutative subsemirings is hidden and the public key matrices are the product of more than two unknown matrices, the cryptosystems can resist KU attack and other known attacks. +e cryptosystems based on multiple exponentiation problem can be considered as a potential postquantum cryptosystem.


Introduction
Contemporary public key cryptography relies mainly on two computational problems, integer factorization problem, and discrete logarithm problem. For example, Diffie-Hellman key exchange protocol and ElGamal encryption scheme are based on discrete logarithm problem [1,2]. Shor proposed a quantum algorithm which can solve integer factorization problem and discrete logarithm problem in polynomial time on a quantum computer [3]. So, it is a research focus of cryptography to develop other new cryptosystems. e traditional cryptosystems are based on various commutative rings, such as finite field, residue class ring, and integer ring [4][5][6][7][8]. Many cryptologists hope to find other algebraic structures to build new public key cryptosystems.
In 2007, Maze, Monico, and Rosenthal proposed one of the first cryptosystems based on semigroups and semirings [9], using some ideas from [10], as well as from their previous article [11]. However, then it was broken by Steinwandt et al. [12]. Atani published a cryptosystem using semimodules over factor semirings [13]. Durcheva applied some idempotent semirings to construct cryptographic protocols [14]. A survey on semigroup action problem and its cryptographic applications was given by Goel, Gupta, and Dass [15]. Grigoriev and Shpilrain proved that the problem of solving the systems of min-plus polynomial equations in tropical algebra is NP-hard and suggested using a min-plus (tropical) semiring to design public key cryptosystem [16]. An obvious advantage of using tropical algebras as platforms is unparalleled efficiency because in tropical schemes, one does not have to perform any multiplications of numbers since tropical multiplication is the usual addition. But "tropical powers" of an element exhibit some patterns, even if such an element is a matrix over a tropical algebra. is weakness was exploited by Kotov and Ushakov to arrange a fairly successful attack on one of Grigoriev and Shpilrain's schemes [17]. In 2019, Grigoreiv and Shpilrain improved the original scheme and proposed the public key cryptosystems based on semi-direct product of tropical matrix semiring [18]. However, some attacks on the improved protocols are recently suggested by Rudy and Monico [19], Isaac and Kahrobei [20], and Muanalifah and Sergeev [21]. In order to remedy Grigoreiv-Shpilrain's protocols, Muanalifah and Sergeev suggested some modifications that use two classes of commuting matrices in tropical algebra [22]. But the authors also pointed out that their modifications cannot resist the generalized KU attack since the user's secret matrix can still be expressed in the linear form of the power of the basic elementary matrix.
Our contribution: is paper provides a new public key cryptosystem based on tropical matrices. e security of the cryptosystem relies on the difficulty of the problem of finding multiple exponentiation of tropical matrices, which is a class of semigroup action problem proposed by Maze in [11]. e multiple exponentiation problem is also a generalization of the discrete logarithm problem. However, the problem generally cannot be reduced to discrete logarithm problem or hidden subgroup problem in polynomial time.
Since the generating matrix of the used commutative subsemirings is hidden and the public key matrices are the product of more than two unknown matrices, the cryptosystems can resist KU attack and other known attacks. It is seemed that our cryptosystems based on multiple exponentiation problem can be considered as a potential postquantum cryptosystem. e remainder of this paper is organized as follows. In Section 2, some preliminaries on tropical semiring are given. In Section 3, we define the multiple exponentiation problem of tropical matrices. In section 4, a key exchange protocol and a public key encryption scheme based on multiple exponentiation problem are presented. Finally, in Section 5 the possible attacks, parameter selection, and efficiency of the cryptosystems are discussed.

Preliminaries
Notation. In this paper, matrices are generally denoted by the capital letters. In order to facilitate future references, frequently used notations are listed below with their meanings.
Z + is set of all non-negative integers; Z + [x] is polynomial semiring over Z + ; M n (Z + ) is set of all n × n matrices over Z + ; Z + [C] is set of all polynomials of matrix

Tropical Semiring over Integer.
A semiring is an algebraic structure similar to a ring, but without the requirement that each element must have an additive inverse.
Definition 1 (see [23]) A nonempty set R with two binary operations + and · is called a semiring if (1) (R, +) is a commutative monoid with identity element 0; (2) (R, ·) is a monoid with identity element 1 ≠ 0; (3) Both distributive laws hold in R; If a semiring's multiplication is commutative, then it is called a commutative semiring.
Definition 2 (see [16]) e tropical commutative semiring of integer is the set Z � Z ∪ ∞ { } with two operations as follows: x⊕y � min(x, y), e special "∞" satisfies the equations: It is straightforward to see that (Z, ⊕, ⊗ ) is a commutative semiring. In fact, ∞ is the identity element of (Z, ⊕) and 0 is the identity element of (Z, ⊕).
Just as in the classical case, we define the set of all tropical polynomials over Z in the indeterminate x. Let e tropical polynomial ⊕ operation and ⊗ operation in Z[x]are similar to the classical polynomial addition and multiplication; however, every "+" calculation has to be substituted by a ⊕ operation of Z, and every "·" calculation by a ⊗ operation of Z. It is easy to verify that Z[x] is a commutative semiring with respect to the tropical polynomial ⊕ and ⊗ operations.

Tropical Matrix Semiring over
Integer. M k (Z) denotes the set of all k × k matrices over Z. We can also define the tropical matrix ⊕ and ⊗ operations. To perform the A⊕B operation, the elements m ij of the resulting matrix M are set to be equal to a ij ⊕b ij . e tropical matrix ⊗ operation is similar to the usual matrix multiplication; however, every "+" calculation has to be substituted by a ⊕ operation of Z, and every "·" calculation by a ⊗ operation of Z. M k (Z) is a noncommutative semiring with respect to the tropical matrix ⊕ and ⊗ operations.
e role of the identity matrix I is played by the matrix that has "0" s on the diagonal and ∞ elsewhere. Similarly, a scalar matrix would be a matrix with an element λ ∈ S on the diagonal and ∞ elsewhere. Such a matrix commutes with any other square matrix (of the same size). Multiplying a matrix by a scalar amounts to multiplying it by the corresponding scalar matrix.
en, tropical diagonal matrices have something on the diagonal and ∞ elsewhere. Note that, in contrast to the "classical" situation, it is rather rare that a "tropical" matrix is invertible. More specifically, the only invertible tropical matrices are those that are obtained from a diagonal matrix by permuting rows and/or columns.
For a matrix N ∈ M k (Z), denote where N m means N ⊗ , . . . , ⊗ N (m times). It is clear that is a commutative subsemiring of M k (Z) with respect to the tropical matrix addition and multiplication.

Companion Matrix of Polynomial over Integer Ring Z.
Let f 0 , f 1 , . . . , f n− 1 be non-negative integers and f 0 > 0. e companion matrix of a monic polynomial Note that the entries of C are all non-negative. Denote It is easy to verify that Z + [C] is a commutative subsemiring of M n (Z).

Matrix Semigroup
. . , f n− 1 be non-negative integers and f 0 > 0. Let C be the companion matrix of the polynomial Consider an action * of the multiplicative semigroup Z + [C] on the Cartesian product (Z[N]) n as below: where H a ji i means H i ⊗ · · · ⊗ H i (a ji times). By the commutativity of Z[N], it is easy to prove that " * " is a semigroup action of Z + [C] on (Z[N]) n . In fact, a similar semigroup action was first defined by Maze in [11], where the action of Z[C] on the group direct product G n was considered.
e companion matrix of Security and Communication Networks

Multiple Exponentiation Problem of Tropical Matrices
(Note that N is unknown.) For simplicity, we abbreviate the problem to "ME problem." As we know, most results in ordinary algebra do not hold in tropical algebra. erefore, the certain properties of ordinary matrices like determinant, eigenvalues, and Cayley-Hamilton theorem cannot be used. But if H 1 ∈ 〈H 2 〉 or H 2 ∈ 〈H 1 〉, we can reduce the problem to discrete logarithm problem.
Suppose H 2 ∈〈〈H 1 〉. By solving a discrete logarithm problem in 〈H 1 〉, we can get a positive integer m such that H 2 � H m 1 . So, the equations (15) are equivalent to the following equations.
In this case, U 1 , U 2 ∈ 〈H 1 〉. By solving two discrete logarithm problems in 〈H 1 〉, we can get two positive integers t 1 , t 2 such that U 1 � H It is clear that we can obtain a 0 , a 1 by solving a system of linear equations. j � 0, 1, . . . , n − 1), then the ME problem can be reduced to discrete logarithm problem in polynomial time.

Proposition 2. If there exists a component
If H 1 ∉ 〈H 2 〉 and H 2 ∉ 〈H 1 〉, the problem of finding a 0 , a 1 from equation (14) cannot be reduced to discrete logarithm problem. In fact, in Example 4, the conditions are indeed satisfied.
In order to resist some other potential method of solving ME problem, we stress the condition that N is unknown. Since the matrix N is unknown, we cannot express H 1 and H 2 as the polynomials of N. (Even if N is known, we have not found any effective method to find a 0 and a 1 ).

Remark 1.
Assume that a 0 , a 1 ∈ [0, s − 1]. Hence, in the example the total number of steps to solve ME problem by brute-force attack is s 2 .
Generally, assume that A � n i�0 a i C i (a i ∈ [0, s − 1]). en, the total number of steps to solve ME problem by force attack is s n .

Public Key Cryptosystems Based on Tropical Matrix
In this section, we give a key exchange protocol similar to Diffie-Hellman protocol and a public key encryption scheme similar to ElGamal encryption scheme.

Key Exchange Protocol
e public parameters of the protocol are f(x), H → . Key change protocol based on tropical matrix is the following.

Protocol 4.1.1
(1) Alice selects at random n private integers a 0 , a 1 , . . . , a n− 1 in [0, s − 1] and computes A � a n− 1 C n− 1 + · · · + a 1 C + a 0 E � (a ij ) n×n . Bob selects at random n private integers and Bob computes where "·" is the matrix multiplication in Z + [C]. Since Z + [C] is commutative, we have A · B � B · A and K Alice � K Bob . So, Alice and Bob share a common secret key.
. e computational ME problem is to find the matrix vector K → such that K → � (AB) * H → , given f(x), H → , U → , and V → . For simplicity, we abbreviate the problem to "CME problem." Proposition 3. An algorithm that solves ME problem can be used to solve CME problem.

Scheme Key generation.
Let f 0 , f 1 , . . . , f n− 1 be non-negative integers and f 0 > 0. Let C be the companion matrix of the polynomial . e public parameters are f(x), H → . e key generation center chooses at random integers a 0 , a 1 , . . . , a n− 1 ∈ [0, s − 1] and computes A � a n− 1 C n− 1 + · · · + a 1 C + a 0 E � a ij n×n , e public key of Alice is U → . e private key of Alice is A (or (a 0 , a 1 , . . . , a n− 1 )). Encryption.
Bob wants to send a plaintext messages M �→ ∈ (M k Z)) n ( to Alice.

(1) Bob chooses at random integers
(2) Bob computes V → � B * H → as a part of ciphertext.

Decryption.
Alice receives the ciphertext ( V → , Q → ) and tries to decrypt it.
(1) Using her private key A, Alice computes where "-" is the ordinary integer matrix vector subtraction.
Alice gets the plaintext messages M �→ .
Definition 5 . Let f 0 , f 1 , . . . , f n− 1 be non-negative integers and f 0 > 0. Let C be the companion matrix of the polynomial �→ is the decryption of ( V → , Q → ) and outputs "no" otherwise. Let us use A 1 to solve the DME problem. Suppose you are given p, , and R → , and you want to decide whether or not . Input all of these into A 1 . Note that in the present setup, A is the secret key. e correct decryption of ( erefore, A 1 outputs "yes" exactly when is solves the decision DME problem. Conversely, suppose an algorithm A 2 can solve the DME problem. is means that if you give  1, 2, . . . , n) and N are all unknown. It is clear that this is a problem of solving systems of min-plus polynomial equations which is NP-hard [16]. Even if N is obtained by attacker. It seems also hard to find the private key matrix A from the public key U → (� A * H → ). As we know, KU attack can only decompose a tropical matrix into the product of two matrices such as U � S 1 S 2 . If n > 2, each component matrix of U → is the product of matrices more than two. In this case, KU attack will also not work. (4) Generalized KU attack. In order to remedy Grigoreiv-Shpilrain's protocols, Muanalifah and Sergeev suggested some modifications that use two types of matrices that are Jones matrices and Linde-de la Puente matrices [22]. But the authors also pointed out that their modifications cannot resist the generalized KU attack which can also decompose the public matrix into the product of two Jones matrices (Linde-de la Puente matrices) expressed as the linear form of the tropical basic elementary matrix. In our cryptosystems, if n > 2, then each component matrix of U → is the product of matrices more than two. In this case, the generalized KU attack will also not work for our cryptosystems. (5) RM attack. Grigoreiv and Shpilrain [18] improved the original scheme and proposed the public key cryptosystems based on semi-direct product of tropical matrix semiring. But the first component of semi-direct product multiplication contains the addition of tropical matrix. Because the addition operation of tropical matrix is idempotent, the powers of semi-direct product multiplication have partial order preservation. Using this property, Rudy and Monico designed a simple binary search algorithm and cracked the cryptosystem in [18]. In our cryptosystems, A * H → has not the addition operation of tropical matrix. So, our cryptosystems can resist this attack. (6) Quantum attack. ME problem is the generalization of the discrete logarithm problem. As we know, the discrete logarithm problem can be reduced in polynomial time to hidden subgroup problem which can be solved in polynomial time by the generalized Shor quantum algorithm [25]. If the semigroup action is derived from a module over ring, there exist the similar reduction algorithms for the corresponding semigroup action problem. When the semigroup action is induced by a semimodule over semiring that cannot be embedded in a module, no effective reduction algorithm has been found for the corresponding semigroup action problem. It is easy to verify that " * " is a semigroup action derived from the semimodule (Z[N]) n over the semiring Z + [C] and ME problem is indeed the corresponding semigroup action problem induced by the semimodule. Since the semimodule (Z[N]) n cannot be embedded in a module, ME problem cannot be reduced in polynomial time to hidden subgroup problem generally.
where d i0 , d i1 , . . . , d i9 are integers selected randomly in [0, 1024). en, the number of possible H i is 2 100 . Experiments show that it is easy to generate H 1 , H 2 , . . . , H n satisfying the above condition.
Generally, for N ∈ M k (Z), the monogenic subsemigroup 〈N〉 is infinite. But for many tropical matrices N ∈ M k (Z), there are non-negative integers l, m and integer e such that e ⊗ N l � N l+m . If l, m are the smallest nonnegative integers such that e ⊗ N l � N l+m , then l is called the pseudo-index of the matrix N and m is called the pseudo-period of the matrix N. If the pseudo-indexes and the pseudo-periods of N and H i (i � 1, 2, . . . , n) are all small, then there may be some potential heuristic attacks. e pseudo-index of tropical matrix increases with the increase of k. Our experiments show that it is feasible to generate N and H i (i � 1, 2, . . . , n) with pseudo-indexes more than k 2 (k < 30). In en, the entries of A, B are in [0, s − 1] and the entries of AB are less than n(s − 1) 2 . To resist some potential heuristic attacks, we recommend the parameters s, n, k satisfying k 2 ≥ n(s − 1) 2 .
If we use the "square-multiply" algorithm to compute the power of tropical matrix, then computing A * H → requires n 2 log s + n(n − 1) tropical matrix multiplications. e numbers of bit operations required for multiplying two tropical matrices of order k are O(k 3 ). So, the total number of bit operations required for calculating A * H → is O(k 3 n 2 log s). e size of secret key (a 0 , a 1 , . . . , a n− 1 ) is less than nlogs bits. Suppose the entries of the matrices N are in the range [0, T] and H i � 9 j�0 d ij ⊗ N 9 where d ij ∈ [0, d). en, the size of public key U → is less than n 2 k 2 log((s − 1)(d + 9T)) bits.
Select T � 100 and d � 1024. Table 2 provides the upper bounds of the size of secrete key and public key for different values of k, n, s such that s n ≈ 2 80 and k 2 ≈ n(s − 1) 2 . And in Table 2, we also compare the running time of the operation A * H → under different parameters (experimental platform: Intel(R) Core(TM) i7-4700MQ CPU @ 2.40 GHz).

Conclusion and Further Research
is paper proposes a new key exchange protocol and a new public key encryption scheme based on multiple exponentiation problem of tropical matrices which can resist all known attacks. Since the generating matrix N of the used commutative subsemirings Z[N] is hidden and the public key matrices are the product of more than two unknown matrices, the cryptosystems can resist KU attack and generalized KU attack. ere is no addition of tropical matrix in A * H → . e attack method proposed by Rudy and Monico does not work for ME problem. As a semigroup action problem derived from semimodules on semirings, ME problem cannot be reduced to hidden subgroup problem in polynomial time. Our cryptosystem can be considered as a potential postquantum cryptosystem.
e algebraic properties of pseudo-index and pseudoperiod of tropical matrix have not been clearly studied. We can only use enumeration method to find the pseudo-index and pseudo-period of tropical matrix and generate tropical matrices with pseudo-index less than 900. erefore, in order to prevent potential heuristic attacks, the dimension n of H → needs to be large (n > 30). However, this makes the operation efficiency of A * H → low. If we can generate effectively tropical matrices with large pseudo-index or large pseudo-period, we can choose small n to improve the operation efficiency.
Future works worth studying include the following (1) Study the properties of pseudo-index and pseudoperiod of tropical matrix. If a fast algorithm of generating tropical matrix with large pseudo-index (or pseudo-period) and small order can be found, then the smaller n and k can be chosen. is will improve the computational efficiency of our cryptosystem. (2) Use other commutative tropical matrix semirings instead of Z[N]. For example, we can design a public key cryptosystem based on ME problem of Jones matrix or Linde-de la Puente matrix. ME problem of commutative matrices over other semirings can also be considered. (3) ME problem of tropical matrices is a generalization of the discrete logarithm problem. If we regard A * H → as H →A , then ME problem corresponds to discrete logarithm problem, CME problem corresponds to CDH problem, and DME problem corresponds to DDH problem. We believe that other cryptographic applications based on ME problem are also feasible. For example, we can consider the digital signature schemes and identity authentication schemes and other cryptographic applications based on CME assumption or DME assumption, such as [26][27][28]. However, as we point out previously, the cryptographic system based on ME problem over tropical matrix has no high computational efficiency, since the number of matrices n and the order k of the matrix are large in order to ensure security. It may limit some possible application scenarios.

Schemes
Mathematical problems KU attack RM attack G-KU attack Grigoriev [16] Two-side matrix action problem × √ × Grigoriev [18] Semi-direct product problem √ × √ Muanalifah [22] Two-side matrix action problem √ √ × Our schemes Multiple exponentiation problem √ √ √ Note. that √ means that the scheme can resist the corresponding attack, while × does not.

Conflicts of Interest
e authors declare that there are no conflicts of interest regarding the publication of this paper.