Cryptanalysis of Tropical Encryption Scheme Based on Double Key Exchange
Xin Jiang, Huawei Huang* and Geyang Pan
School of Mathematical Sciences, Guizhou Normal University, Guiyang 550025, China
E-mail: 1719084872@qq.com; hwhuang7809@163.com; 1085167081@qq.com
*Corresponding Author
Received 01 December 2022; Accepted 13 February 2023; Publication 28 April 2023
A tropical encryption scheme is analyzed in this paper, which uses double key exchange protocol (KEP). The key exchange protocol is divided into two stages: The first stage of the key exchange uses matrix power function in a tropical semiring; the obtained shared key at the first phase of the key exchange serves as an input for the second phase. This paper proves that the common secret key of the first key exchange phase can be obtained by solving linear equations, and when the order of the matrix is 50, the time to solve the shared key is less than 1 second. Finally, the common secret key of the second phase can be obtained through KU attack and common secret key of the first key exchange. So the protocol isn’t secure.
Keywords: Tropical semiring, key-exchange protocol, tropical linear equations, KU attack.
Modern public key cryptosystems mainly rely on factorization problem [1] and discrete logarithm problem [2, 3]. Shor [4] proposed a quantum algorithm that can solve the above two problems in multiple times on a quantum computer. Therefore, new cryptosystem in the future need to resist quantum attacks. Many cryptologists have designed many different cryptosystems based on different algebraic structures, such as matrix groups [5–8], braid groups [9, 10], inner automorphism groups [11], and ring structures [12], but these schemes have been cracked [13–16]. In 2007, Maze, Monico and Rosenthal proposed the first kind of cryptosystem based on semigroups and semirings [17], which was cracked by Steinwant et al. Atani [18] and Durcheva [19] constructed cryptographic protocols based on semimodules over semirings and idempotent semirings respectively.
Imre Simon discovered the well-known Tropical semiring [20]. The operations and in this structure are defined as min(or max) and addition. In recent years, because of the multiplication of tropical semiring is common addition, which greatly improves the computational efficiency, so it is extensively used in various cryptographic schemes. Grigoriev and Shpilrain proved that the problem of solving the systems of min-plus polynomial equations in tropical algebra is NP-hard. And they suggested using tropical semiring to design various key-exchange schemes [21, 22]. The higher powers of tropical matrix shows some patterns, thus Kotov and Ushakov [23] proposed a fairly successful attack on the protocols presented in [21]. In reference [22], the first part of the key has partial order relationship, thus Rudy and Monico [24] exploited simple binary search to break the protocol. (Other successful attacks include [25, 26].) Any Muanalifah, Sergei Sergeev [27] proposed three types of key exchange protocols by using Jones matrix and Line de la Puentela Puente matrix. In addition, Huang, Li published a cryptosystem using multiple exponentiation problem of tropical matrices [28]. Huang, Li and Deng applied tropical circular matrices to construct cryptographic protocols [29].
In this paper, we analyze a tropical encryption scheme based on double key exchange proposed in [30]. Attackers can get the shared key in the first stage of key exchange protocol by solving the tropical linear equations, instead of solving difficult problems in [30]. Then, with the shared key obtained in the first stage as input, the shared key in the second stage can be obtained by KU attack [23].
In this section, we recall some fundamental concepts that are required for understanding the paper.
Definition 2.1 [31] (Semiring) A semiring is a nonempty set R on which operations of addition and multiplication have been defined to satisfy the following conditions.
(1) is a commutative monoid with identity element 0;
(2) is a monoid with identity element ;
(3) Multiplication distributes over addition from either side;
(4) for all ;
(5) .
If is commutative, then the semiring is called a commutative semiring.
Definition 2.2 [20] (Tropical semiring) The nonnegative integer tropical commutative semiring is the set with two binary compositions and as follows:
and 0 satisfied the following equations:
It can be easily seen that is a commutative semiring with addition identity and multiplication identity 0.
Let be the set of all matrices over W. We can define and as follows:
Definition 2.3 [30] (Tropical polynomial) An expression is called tropical (min) polynomial as follows:
If is a polynomial and , then we can also define in the following method:
It is clear that if , are tropical polynomials, and , then
Definition 2.4 [30] (Tropical matrix power function ) Let the entries of the base matrix be chosen from a (semi)group G and the entries of the matrices X and Y be chosen from the tropical semiring W. Then tropical matrix power function is a mapping
(denoted:) or a mapping
(denoted: ).
The elements of matrix S are computed according to the formula:
(1) |
and elements of matrix P are computed according to the formula:
(2) |
It is worth noting that the operations after the second equal sign in (1) and (2) are the operations on classicial algebra.
Definition 2.5 [29] (circulant matrix) If a matrix A has the following form,
then it is called a circulant matrix.
Lemma 2.1 [30] If matrice and Z are circulant matrices, then matrices and are also circulant matrices.
Lemma 2.2 Let are circulant matrices, then .
In this section, we describe the tropical encryption scheme based on double key exchange proposed in [30]. Let W be a tropical semiring as above, S is the set of circulant matrices over the W and N is the set of the natural numbers. Alice and Bob publicly agree on circulant matrices , where , and randomly choose matrix M whose entries form N (, M has the same order).
First key exchange protocol phase:
(1) Alice chooses two circulant matrices (of the same order as the matrices , M) as her private keys. She computes her public key and sends it to Bob;
(2) Bob chooses two circulant matrices (of the same order as the matrices , M) as his private keys. He computes his public key and sends it to Alice;
(3) Alice computes the common secret key: ;
(4) Bob computes the common secret key: .
It is easy to prove that
then Alice and Bob finally obtain shared key (or ).
Second key exchange protocol phase: At this stage, the shared secret key obtained is used as the input of the second key exchange phase.
(1) Alice generates random tropical polynomials , and computes her public key
and sends it to Bob.
(2) Bob generates random tropical polynomials , and computes his public key
and sends it to Alice.
(3) Alice computes common secret key: ;
(4) Bob computes common secret key: ;
It is easy to examine that Alice and Bob get common secret key, that is, .
Encryption phase:
(1) Bob computes the ciphertext , where is bitwise sum modulo 2 of all entries of matrices B and T, T is plaintext encoded in binary form and has the same order of previously selected matrices , M, and sends C to Alice.
Decryption phase:
(1) Alice decrypts C using her decryption key A as follows:
We can clearly see that the security of the encryption scheme completely depends on key matrices in the key exchange protocol. Firstly, we discuss the first key exchange protocol.
Theorem 4.1 Let be as above. Suppose circulant matrix X satisfying condition: , then shared key can be calculated.
Proof: Now suppose circulant matrix X satisfying , then
It is also known from Lemma 2.1 and Lemma 2.2 that
From Theorem 4.1, an attacker can break the first stage of key exchange protocol, which only needs to solve tropical linear equations. However, it is easy to solve the tropical linear equations, so the attacker can obtain the shared key in the short time. It is easily seen that when select of matrices, solutions can be found in time,refer to monograph [32, 33] for more details. Next, we use this method to attack the example in the references [30, section 4].
Example 4.1 Suppose
(1) Alice selects two circulant matrices as her private keys:
(2) Alice’s public key:
(3) Bob selects two circulant matrices as her private keys:
(4) Bob’s public key:
(5) Shared key:
Attack: Suppose
then
The following tropical linear equations can be obtained from ;
Compute shared key:
The attacker in the second phase of the key exchange protocol can use attack method in [23]. Now, let’s describe this attack.
Let matrices X and Y satisfy the following conditions:
with unknown coefficients . Therefore, to break the protocol, we need to find such that , where . Then, for each . Where . Next, compute
In the end, attackers find a cover of the set , and satisfy
is solvable. Refer to the literature [23] for more details about this attack.
The range for entries of matrices is . Table 1 provides the time required to solve X under different orders of the matrix. When the order of the matrix is 50, solving the linear equations needs times, but the attacker only need one solution. It can be clearly seen from Table 1 that obtaining a solution does not exceed 1 second, so the attacker can obtain the shared key in the first phase in a relatively short time. (Experimental platform: Intel(R) Core (TM) i3-1115G4@ 3.00GHz).
Table 1 Average time to solve X
Order of Matrices | Range for Entries of Matrices | Time to Solve X (sec) |
20 | 0.001111388 | |
30 | 0.003949738 | |
40 | 0.010951591 | |
50 | 0.021650982 |
This paper analyzes the security of tropical encryption scheme based on double key exchange [30] and describes an attack, and the method mainly obtains the shared key of communication parties by solving the linear equations on the tropical semiring. This paper proves that attacker only needs to solve the linear equations to obtain the shared key in the first phase of key exchange protocol, and does not need to solve the difficult problem described in [30]. Table 1 shows that when the order of the matrix is 50, the attacker can obtain the shared key in the second phase in less than 1 second. Then, the shared key in the second stage can be obtained by adopting the KU attack [23]. Thus, the encryption scheme proposed in [30] is cracked.
Future works worth studying include the following:
(1) Try to select other types of matrices to design key exchange protocols based on the difficult problems in literature [30].
(2) Try to study the double-key cryptosystem more deeply.
(3) Combine existing attack methods to analyze other cryptographic systems.
This work is supported by the Science and Technology Foundation of Guizhou Province (QIANKEHEJICHU-ZK [2021] Ordinary313) and the National Natural Science Foundation of China (No. 61462016).
[1] Rivest R L, Shamir A and Adleman L M. A method for obtaining digital signatures and public-key cryptosystems. Commun, ACM, 21, 120–126, 1978.
[2] Diffie W, Hellman M E, “New directions in cryptography”. IEEE Transactions on Information Teory, 22(6), 644–654, 1976.
[3] ElGamal T. A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Trans. Inf. Theory, 31, 469–472, 1985.
[4] Shor P. Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM J. Comput, 26, 1484–1509, 1997.
[5] Baumslag G, Fine B and Xu X. Cryptosystems using linear groups. Appl. Algebra Eng. Commun. Comput, 17, 205–217, 2006.
[6] Kahrobaei D, Koupparis C and Shpilrain V. Public key exchange using matrices over group rings. Groups-Complex. Cryptol, 5, 97–115, 2013.
[7] Rososhek S K. New practical algebraic public-key cryptosystem and some related algebraic and computational aspects. Appl. Math, 4, 1043–1049, 2013.
[8] Rososhek S K. Modified matrix modular cryptosystems. Br. J. Math. Comput. Sci, 5, 613–636, 2015.
[9] Anshel I, Anshel M and Goldfeld D. An algebraic method for public-key cryptography. Math. Res. Lett, 6, 287–291, 1999.
[10] Garber D. Braid group cryptography. In Braids: Introductory Lectures on Braids, Configurations and Their Applications; World Scientific: Singapore, 329–403, 2010.
[11] Paeng S H, Ha K C, Kim J H, Chee S and Park C. New public key cryptosystem using finite non Abelian groups. In Proceedings of the 21st Annual International Cryptology Conference, Santa Barbara, CA, USA, 19–23 August 2001, Springer: Berlin/Heidelberg, Germany, 470–485, 2001.
[12] Hoffstein J, Pipher J, Silverman J H. NTRU: A ring-based public key cryptosystem. In Proceedings of the International Algorithmic Number Theory Symposium, Portland, OR, USA, 21–25 June 1998; Springer: Berlin/Heidelberg, Germany, 267–288, 1998.
[13] Eftekhari M. Cryptanalysis of some protocols using matrices over group rings. In Proceedings of the 9th International Conference on Cryptology in Africa, Dakar, Senegal, 24–26 May 2017; Springer: Cham, Switzerland, 223–229, 2017.
[14] Steinwandt R. Loopholes in two public key cryptosystems using the modular group. In Proceedings of the 4th International Workshop on Practice and Theory in Public Key Cryptosystems, PKC 2001, Cheju Island, Korea, 13–15 February 2001; Springer: Berlin/Heidelberg, Germany, 180–189, 2001.
[15] Hofheinz D, Steinwandt R. A practical attack on some braid group based cryptographic primitives. In Proceedings of the 6th International Workshop on Theory and Practice in Public Key Cryptography, Miami, FL, USA, 6–8 January 2003; Springer: Berlin/Heidelberg, Germany, 187–198, 2003.
[16] Gentry C, Szydlo M. Cryptanalysis of the revised NTRU signature scheme. In Proceedings of the International Conference on the Theory and Applications of Cryptographic Techniques, Amsterdam, The Netherlands, 28 April–2 May 2002; Springer: Berlin/Heidelberg, Germany, 299–320, 2002.
[17] Maze G, Monico C and Rosenthal J. Public Key Cryptography based on semigroup Actions. Adv. Math. Commun, 1, 489–507, 2007.
[18] Atani R E, Atani S E, and Mirzakuchaki S. “Public key cryptography based on semimodules over quotient semirings,” International Mathematical Forum, 2(52), 2561–2570, 2007.
[19] Durcheva M. “Public key cryptosystem based on two sided action of different Exotic semirings,” International Mathe-matical Forum, 2(52), 2561–2570, 2007.
[20] David S, Bernd S. Tropical Mathematics. Mathematics Magazine, 82(3), 163–173, 2004.
[21] Grigoriev D, Shpilrain V. Tropical cryptography, Communications in Algebra, 42(6): 2624–2632, 2014.
[22] Grigoriev D, Shpilrain V. Tropical cryptography II: Extensions by homomorphis-ms. Communications in Algebra, 47(10): 4224–4229, 2019.
[23] Kotov M, Ushakov A. Analysis of a key exchange protocol based on tropical matrix algebra. Journal of Mathematical Cryptology, 12(3): 137–141, 2018.
[24] Rudy D, Monico C. Remarks on a Tropical Key Exchange System. J. Math. Cryptol, 15, 280–283, 2021.
[25] Isaac S, Kahrobaei D. A closer look at the tropical cryptography. International Journal of Computer Mathematics: Computer Systems Theory, 6 (2):137–42, 2021.
[26] Muanalifah A, Sergeev S. On the tropical discrete logarithm problem and security of a protocol based on tropical semidirect product. Communications in Algebra 49:1–19, 2021.
[27] Muanalifah A, Sergeev S N. Modifying the Tropical Version of Stickel’s Key Exchange Protocol. Applications of Mathematics, 65(6). 727–753, 2020.
[28] Huang H, Li C. Tropical Cryptography Based on Multiple Exponentiation Problem of Matrices. Security and Communication Networks, 1–9, 2022.
[29] Huang H, Li C and Deng L. Public-Key Cryptography Based on Tropical Circular Matrices. Applied Sciences, 12. 7401, 2022.
[30] Durcheva M. TrES: Tropical Encryption Scheme Based on Double Key Exchange. European Journal of Information Technologies and Computer Science, 10(24018), 2736–5492, 2022.
[31] Golan J S. Semirings and their Applications. Dordrecht: Kluwer Academic Publishers, Chapter 1–18, 1999.
[32] Butkovi¡ C P. Max-linear Systems: Theory and Algorithms. Springer, London, Springer Monographs in Mathematics, Chapter 3, 2010.
[33] Litvinov G L, Rodionov A Y and Sergeev S N. et al. Universal algorithms for solving the matrix Bellman equations over semirings. Soft Comput 17, 1767–1785, 2013.
Xin Jiang received his BS from the Anshun University, Anshun, China in 2020. He is currently a graduate student in the School of Mathematical Sciences of Guizhou Normal University in Guiyang, China. His recent research interests include algebra and cryptography.
Huawei Huang received his BS from the Jiangxi Normal University, Nanchang, China in 2001, MS from the Jiangxi Normal University, Nanchang, China in 2004 and PhD from the Xidian University, Xi’an, China in 2008. He is currently an Associate Professor in the School of Mathematical Sciences, Guizhou Normal University, Guiyang, China. His recent research interests include algebra and cryptography.
Geyang Pan received his BS from the Lingnan Normal University, Zhanjiang, China in 2021. He is currently a graduate student in the School of Mathematical Sciences of Guizhou Normal University in Guiyang, China. His recent research interests include algebra and cryptography.
Journal of Cyber Security and Mobility, Vol. 12_2, 205–220.
doi: 10.13052/jcsm2245-1439.1224
© 2023 River Publishers