Cryptosystems Based on Tropical Congruent Transformation of Symmetric Matrices

Abstract

Recently, public-key cryptography based on tropical semi-rings have been proposed. However, the majority of them are damaged. The main reason is that they use a public matrix to construct commutative matrix semi-rings. New public-key cryptosystems are proposed in this paper. They are based on tropical congruent transformation of symmetric matrix by circular matrix. The NP-hard problem of solving a tropical system of nonlinear equations underlies the cryptosystem’s security. Since a known matrix cannot express the used commutative subsemi-rings of circular matrices and there is no tropical matrix addition operation and power of matrix, the cryptosystems can withstand known attacks, including the KU attack, RM attack, and IK attack. The length of the public key and private key of the new cryptosystems is half that of those described in the literature.

1. Introduction

The integer factorization problem and the discrete logarithm problem are the two primary computing problems used in modern public-key encryption. For instance, the discrete logarithm problem provides the basis for the Diffie–Hellman key exchange protocol and ElGamal encryption [1,2]. On a quantum computer, Shor devised a quantum algorithm that can solve the discrete logarithm problem and the integer factorization problem in polynomial time [3]. Therefore, creating additional novel cryptosystems is a current study area for cryptography [4]. Traditional cryptosystems rely on a variety of commutative rings, including integer ring, residue class ring, and finite field. Numerous cryptologists seek out additional algebraic structures in an effort to create fresh public key cryptosystems [5]. More specifically, we generally hope to design some cryptosystems based on NP-hard problems of new algebraic structures (a problem is NP-hard if there exists some NP-complete problem that reduces to it in polynomial time).

One of the first cryptosystems based on semi-groups and semi-rings was proposed by Maze, Monico, and Rosenthal [6,7]. However, Steinwandt et al. eventually managed to crack it [8]. A cryptosystem based on semi-module over factor semi-ring was proposed by Atani [9]. Durcheva built cryptographic protocols using some idempotent semi-rings [10]. Ahmed et al. [11] cryptanalyzed these schemes in detail. By demonstrating that it is NP-hard to solve the tropical system of nonlinear equations, Grigoriev and Shpilrain [12] proposed employing tropical semi-rings to create public-key cryptosystems. Because tropical schemes do not require any number multiplications because addition is the norm in tropical multiplication, employing tropical algebras as platforms offers unequalled efficiency. However, even if an element is a matrix over a tropical algebra, its tropical powers still show some patterns. Kotov and Ushakov [13] set up a reasonably successful attack on one of Grigoriev and Shpilrain’s schemes by taking advantage of this weakness.

The initial approach was enhanced by Grigoreiv and Shpilrain, who also suggested public key cryptosystems using the semi-direct product of tropical semi-rings [14]. However, Rudy and Monico [15] and Isaac and Kahrobei [16] have recently proposed some attacks on the upgraded schemes.

Symmetric matrices and congruent transformations of matrices have many important conclusions and applications in classical algebra [17,18,19]. But in tropical algebra, there are no similar results. For example, a tropical symmetric matrix is generally not congruent with a diagonal matrix. This paper suggests a public-key encryption and key exchange protocol based on the congruent transformation of a symmetric tropical matrix by a tropical circular matrix. These cryptosystems can withstand all known attacks, including the KU attack, RM attack, and IK attack, because the employed commutative semiring cannot be embodied by known matrices, and the addition operation of the matrix and the power of the matrix are not used in our cryptosystems. If the computational congruent transformation problem and decisional congruent transformation problem are hard, our cryptosystems are secure. By using symmetric matrices and congruent transformation, the length of the public key and private key of our cryptosystem is half that reported in [12,14].

The remainder of the paper is structured as follows. In Section 2, we concentrate on a few definitions that are fundamental concepts in tropical matrix algebra. In Section 3, we present the new public-key cryptosystems based on congruent transformation of symmetric tropical matrix by tropical circular matrix. Then, in Section 4, we examine the protocol’s security and parameter choice. Section 5 provides the conclusion and recommendations for additional research.

2. Preliminaries

Let $S$ be a non-empty set with operations “+” and “$\cdot$”. Then $S$ is called a semi-ring if the following conditions hold:

(1)

$(S,+)$ is a commutative semi-group with zero element 0;

(2)

$(S,\cdot )$ is a semi-group with an identity element $1\ne 0$ and $x\cdot 1=1\cdot x=x$ $\mathrm{for} \mathrm{all} x\in S$;

(3)

the left and right distribution laws for addition are satisfied by multiplication;

(4)

for all $x\in S$, $x\cdot 0=0\cdot x=0$.

If the multiplication operation is commutative, then S is called a commutative semi-ring. Integer tropical commutative semi-ring is the set $\mathcal{Z}=\mathbb{Z}\cup \{\infty \}$ with addition operation and multiplication operation as follows:

$$\mathrm{for} \mathrm{all} a,b\in \mathbb{Z},a\oplus b=\min (a,b),\hspace{0.17em}a\otimes b=a+b.$$

$$\infty \mathrm{is} \mathrm{a} \mathrm{element} \mathrm{satisfying} \mathrm{the} \mathrm{equations}: \infty \oplus a=a,\hspace{0.17em}\hspace{0.17em} \infty \otimes a=\infty . \mathrm{for} \mathrm{all} a\in S.$$

Then $(\mathcal{Z},\oplus ,\otimes )$ is a commutative semi-ring. Its zero element and identity element are $\infty$ and 0, respectively [12]. Let $M_k(\mathcal{Z})$ be the set of all $k\times k$ matrices over $\mathcal{Z}$. We can also define the tropical matrix addition operation and multiplication operation.

$$\begin{array}{l}\mathrm{for} \mathrm{all} P={\left(p_{ij}\right)}_{k\times k},Q={\left(q_{ij}\right)}_{k\times k}\in M_k(\mathcal{Z}),\\ P\oplus Q={\left(p_{ij}\oplus q_{ij}\right)}_{k\times k},P\otimes Q={\left({\displaystyle \sum _{l=1}^n{p}_{il}\otimes q_{lj}}\right)}_{k\times k}\end{array}$$

A matrix $A$ is called a t-circular matrix if it has the following form,

$$A=\left(\begin{array}{ccccc}{a}_0& a_{k-1}+t& a_{k-2}+t& \cdots & a_1+t\\ a_1& a_0& a_{k-1}+t& \cdots & a_2+t\\ a_2& a_1& a_0& \cdots & a_3+t\\ ⋮& ⋮& ⋮& \ddots & ⋮\\ a_{k-1}& a_{k-2}& a_{k-3}& \cdots & a_0\end{array}\right).$$

We denote $A$ by ${[a_0,a_1,\cdots ,a_{k-1}]}_{k,t}$ (or ${[a_0,a_1,\cdots ,a_{k-1}]}_t$). Let

$$C_{k,t}=\{P\in M_k(\mathcal{Z})|P\hspace{0.17em}\mathrm{is} \mathrm{a} \mathrm{circular} \mathrm{matrix}\}.$$

It is easy to verify that $C_{k,t}$ is a commutative sub-semiring of $M_k(\mathcal{Z})$.

For a matrix $A$, the transpose of $A$ is denoted by $A^T$. If $A^T=A$, then $A$ is called a symmetric matrix. For matrices $A,B\in M_k(\mathcal{Z})$, if there exists a matrix $P\in M_k(\mathcal{Z})$ such that $P^T\otimes A\otimes P=B$, then $A,B$ are congruent. Let

$$S_k=\{Y\in M_k(\mathcal{Z})|Y\hspace{0.17em}\mathrm{is} \mathrm{symmetric}\}.$$

If Y is a symmetric matrix and $P\in M_k(\mathcal{Z})$, then $P^T\otimes Y\otimes P$ is also symmetric.

Let P₁ and P₂ be two computational problems. P₁ is said to polytime reduce to P₂, written P₁ ${\le }_p$ P₂, if there is an algorithm that solves P₁ which uses, as a subroutine, an algorithm for solving P₂, and which runs in polynomial time if the algorithm for P₂ does. If P₁ ${\le }_p$ P₂ and P₂ ${\le }_p$ P₁, then P₁ and P₂ are said to be computationally equivalent.

Let $\mathcal{Z}[x_1,x_2,\cdots ,x_n]$ be the n-ary polynomial semiring over $\mathcal{Z}$. Let

$$p_1\left(x_1,x_2,\cdots ,x_n\right),p_2\left(x_1,x_2,\cdots ,x_n\right),\cdots ,p_m\left(x_1,x_2,\cdots ,x_n\right)\in \mathcal{Z}[x_1,x_2,\cdots ,x_n].$$

If $\mathrm{deg}{p}_i\ge 2$, $(i=1,2,\cdots m)$, then the following tropical system is called a tropical system of nonlinear equations,

$$\{\begin{array}{l}{p}_1\left(x_1,x_2,\cdots ,x_n\right)=0\\ p_2\left(x_1,x_2,\cdots ,x_n\right)=0\\ \cdots \cdots \\ p_m\left(x_1,x_2,\cdots ,x_n\right)=0.\end{array}$$

As we know, the problem of solving a tropical system of nonlinear equations is NP-hard [12].

In what follows, we sometimes denote $A\otimes B$ as $AB$ for simplicity, and $k, t$ is two positive integers.

3. Cryptosystems Based on Congruent Transformation of Symmetric Matrix

3.1. Key Establishment Protocol Based on Congruent Transformation Problem

Definition 1.

Let$Y\in S_k$and$P\in C_{k,t}$. Suppose that$X=P^{T}YP$. The congruent transformation problem (CTP) is to find a matrix$P\in C_{k,t}$such that$X=P^{T}YP$, given the matrices$X$and$Y$.

Protocol 1.

Let$Y\in S_k$. $k$and$Y$are public.

(1)

Alice selects randomly a matrix $P\in C_{k,t}$ and computes $U=P^{T}YP$. She sends the matrix $U$ to Bob.

(2)

Bob selects randomly a matrix $Q\in C_{k,t}$ and computes $V=Q^{T}YQ$. He sends the matrix $V$ to Alice.

(3)

Alice and Bob compute $K_a=P^{T}VP$ and $K_b=Q^{T}UQ$, respectively. The shared secret key $K=K_a=K_b$.

Since the $C_{k,t}$ is the commutative subsemi-ring of $M_k(\mathcal{Z})$, we have $PQ=QP$ and $P^T{Q}^T=Q^T{P}^T$. Then

$$K_a=P^{T}VP=P^T(Q^{T}YQ)P=(P^T{Q}^T)Y(QP)=(Q^T{P}^T)Y(PQ)=Q^T(P^{T}YP)Q=Q^{T}UQ=K_b.$$

Definition 2.

Let$P,Q\in C_{k,t}$and$Y\in S_k$. Suppose that$U=P^{T}YP$and$V=Q^{T}YQ$. The computational congruent transformation problem (CCTP) is to find a matrix$K\in M_k(\mathcal{Z})$satisfying$K=P^T{Q}^{T}YQP$, given$U,V$and$Y$.

Proposition 1.

CCTP${\le }_p$CTP.

Theorem 1.

Finding the shared secret key from the public information of Protocol 1 is equivalent to solving CCTP.

The conclusions of Proposition 1 and Theorem 1 are obvious, so we omit the proofs of them. In Appendix A, we provide a toy example of Protocol 1.

3.2. Public-Key Encryption Cryptosystem Based on Congruent Transformation Problem

Cryptosystem 1.

(1)

Key generation.

Let $Y\in S_k$. $k, t$ and $Y$ are public. Suppose that $P\in C_{k,t}$ and $U=P^{T}YP$. User’s public key is $U$. User’s private key is $P$.

(2)

Encryption.

Alice wants to send a message $M\in M_k(\mathbb{Z})$ to the user.

• (i)

  Alice chooses randomly $Q\in C_{k,t}$ and computes $V=Q^{T}YQ$.

  (ii)

  Alice computes $W=M+Q^{T}UQ$, where “+” is the addition of the standard integer matrix.

  (iii)

  Alice sends the ciphertext $(V,W)$ to the user.

(3)

Decryption.

After receiving the ciphertext $(V,W)$, the user attempts to decrypt it.

• (i)

  Using the secret key $P$, the user computes $T=P^{T}VP$.

  (ii)

  The user computes $W-T$, where “$-$” is the subtraction of the standard integer matrix.

Note that

$$\begin{array}{lll}W-T\hfill & =\hfill & M+Q^{T}UQ-P^{T}VP\hfill \\ \hfill & =\hfill & M+Q^T(P^{T}YP)Q-P^T(Q^{T}YQ)P\hfill \\ \hfill & =\hfill & M+Q^T{P}^{T}YPQ-P^T{Q}^{T}YQP\hfill \\ \hfill & =\hfill & M+P^T{Q}^{T}YQP-P^T{Q}^{T}YQP\hfill \\ \hfill & =\hfill & M.\hfill \end{array}$$

So the user gets the plaintext $M$.

Definition 3.

Let$P,Q\in C_{k,t}$and$Y,E\in S_k$. Suppose that$U=P^{T}YP$and$V=Q^{T}YQ$. The decisional congruent transformation problem (DCTP) is to decide whether$E=P^T{Q}^{T}YQP$, given the matrices$U,V,E$and$Y$.

Proposition 2.

DCTP${\le }_p$CCTP.

Proposition 2 is obvious, so we omit its proof.

Theorem 2.

DCTP is computationally equivalent to the problem of deciding the validity of the ciphertexts of Cryptosystem 1.

Proof of Theorem 2.

Suppose that there is an algorithm ${\mathcal{A}}_1$ that can decide whether the decryption of Cryptosystem 1 is correct.

$${\mathcal{A}}_1\left(Y,U,(V,W),M\right)=\{\begin{array}{l}1, \mathrm{if} M \mathrm{is} \mathrm{the} \mathrm{decryption} \mathrm{of} (V,W); \\ 0, \mathrm{otherwise}.\end{array}$$

Then, we use ${\mathcal{A}}_1$ to solve the decisional congruent transformation problem. Suppose we are given $Y$, $U(=P^{T}YP)$, $V(=Q^{T}YQ)$, $E$ and we want to determine if $E=P^T{Q}^{T}YQP$ or not. Take $U$ as the public key and $V$ as the first part of the ciphertext. Moreover, take $W=E$ as the second part of the ciphertext and $M=0_k$ which is zero matrix in $M_k(\mathcal{Z})$. Input all of these into ${\mathcal{A}}_1$. (Note that $P$ is the secret key.) We have

$${\mathcal{A}}_1\left(Y,U,(V,E),0_k\right)=\{\begin{array}{l}1, \mathrm{if} 0_k \mathrm{is} \mathrm{the} \mathrm{decryption} \mathrm{of} (V,E); \\ 0, \mathrm{otherwise}.\end{array}$$

0_k is the decryption of $(V,E)$ if and only if $E-P^T{Q}^{T}YQP=0_k$. So ${\mathcal{A}}_1$ outputs 1 exactly when $E=P^T{Q}^{T}YQP$. The decisional congruent transformation problem is resolved in this way.

Conversely, suppose that there is an algorithm ${\mathcal{A}}_2$ that can solve the decisional congruent transformation problem. That is,

$${\mathcal{A}}_2\left(Y,U,V,E\right)=\{\begin{array}{l}1, \mathrm{if} E=P^T{Q}^{T}YQP; \\ 0, \mathrm{otherwise},\end{array}$$

where $U=P^{T}YP$, $V=Q^{T}YQ$. Then we use ${\mathcal{A}}_2$ to decide whether $M$ is the decryption of the ciphertext $(V,W)$. After inputting Y, $U$, $V$, $W-M$, we have

$${\mathcal{A}}_2\left(Y,U,V,W-M\right)=\{\begin{array}{l}1, \mathrm{if} W-M=P^T{Q}^{T}YQP; \\ 0, \mathrm{otherwise},\end{array}$$

where $U=P^{T}YP$, $V=Q^{T}YQ$ and $Y$, $U$ is the public key. Since $W-M=P^T{Q}^{T}YQP$ if and only if $M=W-P^T{Q}^{T}YQP$, ${\mathcal{A}}_2$ outputs 1 if and only if $M$ is the correct plaintext. □

Theorem 3.

CCTP is computationally equivalent to the problem of decrypting the ciphertexts of Cryptosystem 1.

Proof of Theorem 3.

Suppose that there is an algorithm ${\mathcal{A}}_3$ that can decrypt the ciphertexts of Cryptosystem 1. Input $U=P^{T}YP$ and $V=Q^{T}YQ$. Take any matrix in $M_k(\mathcal{Z})$ as $W$. Then, ${\mathcal{A}}_3$ outputs $M=W-P^{T}VP=W-P^T{Q}^{T}YQP$. Therefore, $W-M$ yields the solution $P^T{Q}^{T}YQP$ to the computational congruent transformation problem.

Conversely, suppose that there is an algorithm ${\mathcal{A}}_4$ that can solve the computational congruent transformation problem. If the ciphertext is $(V,W)$, then we input $U=P^{T}YP$ and $V=Q^{T}YQ$. Then, ${\mathcal{A}}_4$ outputs $P^T{Q}^{T}YQP$. Since

$$M=W-P^{T}VP=W-P^T{Q}^{T}YQP$$

we get the plaintext $M$. □

4. Security Analysis and Parameter Selection

According to Theorems 1–3, Protocol 1 and Cryptosystem 1 can be attacked using a successful algorithm for resolving the congruent transformation problem.

Proposition 3.

CTP can be reduced to the problem of solving tropical system of nonlinear equations in polynomial time.

Proof of Proposition 3.

Let $Y\in S_k$ and $P\in C_{k,t}$. Suppose $X=P^{T}YP$. Now, we want to find a matrix $P\in C_{k,t}$ such that $X=P^{T}YP$, given the matrices $X$ and $Y$.

Let $P={[x_0,x_1,\cdots ,x_{k-1}]}_t$. Then

$${[x_0,x_1,\cdots ,x_{k-1}]}_t^T\cdot Y\cdot {[x_0,x_1,\cdots ,x_{k-1}]}_t=X.$$

Since $X$ and $Y$ are known, we get a tropical system of nonlinear equations about $x_0,x_1,\cdots ,x_{k-1}$ with $k$ unknowns and $k(k+1)/2$ equations. Note that N is also symmetric. □

As is well known, it is typically NP-hard to solve tropical systems of nonlinear equations [12]. We provide an exponentially complex problem-solving approach for congruent transformations.

Proposition 4.

There is an algorithm of solving CTP with computational complexity$O(k^{3}k!)$.

Proof of Proposition 4.

Through Proposition 3, we can get a tropical system of nonlinear equations about $x_0,x_1,\cdots ,x_{k-1}$ with $k$ unknowns and $k(k+1)/2$ equations. Every term of the equations is in the form of $x_i{x}_j$ ($i,j=0,1,\cdots ,k-1$). Denote

$$z_1=x_0^2,z_2=x_0{x}_1,\cdots ,z_{k(k+1)/2}=x_{k-1}^2$$

Subsequently, a tropical system of linear equations is obtained with $k(k+1)/2$ unknowns $z_i$ and $k(k+1)/2$ equations. We can obtain a tropical system of nonlinear equations by solving the tropical system of linear equations of $z_i$ as follows,

$$x_0^2=z_1,x_0{x}_1=z_2,\cdots ,x_{k-1}^2=z_{k(k+1)/2}.$$

Since the multiplication in tropical algebra is the ordinary addition, it is actually a system of linear equations over an integer ring. However, we have $k$ unknowns and $k(k+1)/2$ equations. The linear equation system typically has no solution. However, if $k$ equations of these $k(k+1)/2$ equations have a solution, it may be possible to find $x_0,x_1,\cdots ,x_{k-1}$ such that

$${[x_0,x_1,\cdots ,x_{k-1}]}_t^T\cdot Y\cdot {[x_0,x_1,\cdots ,x_{k-1}]}_t=X.$$

The complexity of solving a tropical system of linear equations with $k(k+1)/2$ unknowns $z_i$ and $k(k+1)/2$ equations is $O({(k(k+1)/2)}^2)$. Since there are $k$ equations with $x_i(i=0,1,2,\cdots ,k-1)$ in the system

$$x_0^2=z_0,x_0{x}_1=z_1,\cdots ,x_{k-1}^2=z_{k(k+1)/2}.$$

There are more than $k!$ options available when choosing $k$ equations from $k(k+1)/2$ equations. When there are $k$ equations and $k$ unknowns, the complexity of solving integer linear equations is $O(k^3)$. As a result, $O(k^{3}k!)$ is the computational complexity of the aforementioned algorithm. □

In Appendix B, an example of CTP with small parameters is demonstrated.

The commutative subsemiring in our cryptosystems is that of t-circular matrices. This is different from [12,14]. They used a known matrix $M$ and then adopted the commutative subsemi-ring $\mathcal{Z}[M]=\{p(M)|p(x)\in \mathcal{Z}[x]\}$. Kotov and Ushakov [13] created an effective technique (KU Attack Algorithm) to attack the key exchange protocol in [12] because the secret matrix may be represented as a polynomial of $M$. Let

$$T_1={\displaystyle \sum _{i=0}^d{x}_i{P}_1^i}, T_2={\displaystyle \sum _{i=0}^d{y}_i{P}_2^i}$$

where $x_i,y_j\in \mathcal{Z}$, and d is the upper bound for the degrees of polynomials. $T_{1}Y{T}_2=X$ gives ${\displaystyle \sum _{i=0}^d{x}_i{y}_j{P}_1^i}Y{P}_2^j=X$. This gives

$$\min (x_i+y_j+A_{rs}^{ij})=0, \mathrm{for} \mathrm{all} 1\le r,s\le k$$

where $A^{ij}=P_1^{i}Y{P}_2^j-X$. Algorithm 1 is a precise description of a KU attack.

Algorithm 1: (KU Attack)

Input: $P_1,P_2$, $X\left(=p_1(P_1)Y{p}_2(P_2)\right)$. Output: $x_1,\cdots ,x_d,y_1,\cdots ,y_d$, such that $T_{1}Y{T}_2=X$,where $T_1={\displaystyle \sum _{i=0}^d{x}_i{P}_1^i}$, $T_2={\displaystyle \sum _{i=0}^d{y}_i{P}_2^i}$. (1) Compute $m_{ij}=\underset{i,j}{\min }(A_{rs}^{ij})$ and $B_{ij}=\left\{(r,s)|A_{rs}^{ij}=m_{ij}\right\}$; (2) Among minimal covers of $\left\{1,2,3,\cdots ,k\right\}\times \left\{1,2,3,\cdots ,k\right\}$ by $B_{ij}$, which are all minimal subsets $D\subseteq \left\{0,1,2,\cdots ,d\right\}\times \left\{0,1,2,\cdots ,d\right\}$ such that $\underset{(i,j)\in C}{\cup }{B}_{ij}=\left\{1,2,3,\cdots ,k\right\}\times \left\{1,2,3,\cdots ,k\right\}$ find the cover satisfying the following conditions $\{\begin{array}{l}-m_{ij}=x_i+y_j, \mathrm{if} (i,j)\in D;\\ -m_{ij}>x_i+y_j, \mathrm{if} (i,j)\cancel{\in }D.\end{array}$

Our cryptosystems can withstand KU attack because the employed commutative subsemi-rings of circular matrices cannot be represented by a known matrix.

The initial approach was enhanced by Grigoreiv and Shpilrain [14], who also suggested public key cryptosystems based on the semidirect product of tropical matrices. However, the addition of the tropical matrix is included in the first part of the semidirect product multiplication. As a result, the powers of semidirect product multiplication have partial order preservation. By this characteristic, Rudy and Monico [15] created a straightforward binary search algorithm (RM Attack), which they used to break the cryptosystem of [14]. The RM attack is described in pseudocode in Algorithm 2.

Algorithm 2: (RM Attack)

Input: $M,H,A\in M_k(\mathcal{Z})$, where ${(M,H)}^n=\left(A,H^n\right)$, for an integer n ($1\le n\le r$). Output: n. (1) Let $p=1$ and $q=r$; (2) Run the subsequent loop when $p\le q$. (i) $m=p+(q-p)/2$ (ii) Compute ${(M,H)}^m=\left(S,T\right)$. If $S<A$, $q=m-1$; If $S>A$, $p=m+1$; If $S=A$, output $n=m$.

In our cryptosystems, there is no tropical matrix addition operation and the partial order cannot be used. Thus, our cryptosystems can resist RM attack.

Isaac and Kahrobaei [16] proposed another cryptanalysis of the cryptosystems in [13]. They use the public matrices to derive a user’s private key by finding the almost linear period of tropical matrix. Let $\left\{H^n\right|n\in {\mathbb{Z}}^{+}\}$ is a sequence of matrices. If there exist positive integers p, d and a constant c such that for all $n>d$ indices $i,j$ the equation $H_{ij}^{n+p}=c+H_{ij}^n$ holds, then d is called the defect of the sequence of matrices and p is called the almost linear period of the sequence of matrices. The IK attack is described in pseudocode in Algorithm 3.

Algorithm 3: (IK Attack)

Input: $M,H,A\in M_k(\mathcal{Z})$, where ${(M,H)}^n=\left(A,H^n\right)$, for an integer n ($1\le n\le r$). Output: n. (1) Construct a sequence of matrices $\left\{M_n\right|n\in {\mathbb{Z}}^{+}\}$, where $M_1=M,M_n=M_{n-1}\circ H\oplus M$; (2) Find the defect d and almost linear period p of $\left\{M_n\right|n\in {\mathbb{Z}}^{+}\}$ by the sequence of matrices $\left\{D_n\right|n\in {\mathbb{Z}}^{+}\}$, where $D_n=M_n-M_{n-1}$; (3) Enumerate r from 1 to p-1 such that $A-M_{d+1}-{\displaystyle \sum _{i=1}^r{D}_{d+i}}$ is x times ${\displaystyle \sum _{i=d+1}^{d+p}{D}_i}$; (4) Output $n=d+xp+r$.

In our cryptosystems, there is not any power of matrix. This class of attack does not work for our cryptosystems.

We evaluate the security of our proposed cryptosystem [12,14], and other pertinent cryptosystems.

Table 1. Comparison of several tropical cryptosystems.

Cryptosystems	Problems	KU Attack	IK Attack	RM Attack
Grigoriev et al. [12]	Two-side abelian action problem	×	√	√
Grigoriev et al. [14]	Semidirect product problem	√	×	×
Our cryptosystem	Congruent transformation problem	√	√	√

√ means that the cryptosystem can withstand the corresponding attack, and × means it does not.

presents the comparing findings.

Note that the length of public key and private key of our cryptosystem is half that described in [12,14] by using symmetric matrices and congruent transformation. Let secret key $P={[a_0,a_1,\cdots ,a_{n-1}]}_t$. It is clear that $(a_0,a_1,\cdots ,a_{n-1})$ can be taken as the secret key. If $a_i\in [0,2^s)$, then the length of a secret key is less than $n\log s$ bits. Public key $U=P^{T}YP$ is a symmetric matrix. We can take the upper triangular part of $U$ as the public key. The length of a public key is less than $k(k+1)\log (3s)/2$ bits.

Let $t\in (0,2^{10})$ and the entries of matrices are the integer in $[0,2^{20})$. The highest limits of the size of the secret key and public key for various values are shown in

Table 2. Performance evaluation under various k.

k	Length of sk (kB)	Length of pk (kB)	Complexity of Solving CTP
20	0.049	1.538	$O(2^{74})$
30	0.073	3.406	$O(2^{122})$
40	0.098	6.006	$O(2^{175})$
50	0.122	9.338	$O(2^{231})$
60	0.146	13.403	$O(2^{290})$
70	0.171	18.201	$O(2^{351})$
80	0.195	23.730	$O(2^{414})$

sk denotes secrete key, and pk denotes public key.

. The experimental results show that the time of the operation $P^{T}YP$ is about 1ms (Experimental platform: Intel(R) Core(TM) i7-5500U CPU @ 2.40GHz). We suggest $k\ge 50$ to avoid potential heuristic attacks similar to KU attacks. The larger k can ensure that the cryptosystem is more secure. However, in a resource-constrained environment, the public key and private key should not be too large. Therefore, the size of k depends on the occasion of use.

5. Conclusions and Further Research

This article suggests brand-new public-key cryptosystems based on tropical congruent transformation of a symmetric matrix by a circular matrix. The NP-hard problem of solving tropical systems of nonlinear equations underlies the security of cryptosystems. Since a known matrix cannot express the used commutative subsemi-rings of circular matrices and there is no tropical matrix addition operation and power of matrix, the cryptosystems can withstand known attacks, including the KU attack, RM attack, and IK attack.

If we regard $P^{T}YP$ as $Y^P$, then CTP corresponds to discrete logarithm problem, CCTP correlates to CDH problem, and DCTP correlates to DDH problem. Theoretically, any public key cryptosystem based on CDH problem (or DDH problem) can be transformed into the scheme based on CCTP (or DCTP) of tropical matrix semi-ring. We can construct identity authentication and digital signature methods based on CCTP or DCTP.