Article Open Access

Tropical cryptography III: Digital signatures

Jiale Chen, Dima Grigoriev and Vladimir Shpilrain
Published/Copyright: September 27, 2024

Abstract

We use tropical algebras as platforms for a very efficient digital signature protocol. Security relies on computational hardness of factoring one-variable tropical polynomials; this problem is known to be NP-hard. We also offer countermeasures against recent attacks by Panny and by Brown and Monico.

MSC 2010: 15A80; 94A60

1 Introduction

In our previous studies [1,2], we employed tropical algebras as platforms for cryptographic schemes by mimicking some well-known classical schemes, as well as newer schemes like [3,4], in the “tropical” setting. That is, we replaced the usual operations of addition and multiplication by the operations $\min(x, y)$ and $x + y$, respectively.

An obvious advantage of using tropical algebras as platforms is unparalleled efficiency because in tropical schemes, one does not have to perform any multiplications of numbers since tropical multiplication is the usual addition, see Section 2. On the other hand, “tropical powers” of an element may exhibit some patterns, even if such an element is a matrix over a tropical algebra. This weakness was exploited by Kotov and Ushakov [5] to arrange a fairly successful attack on one of the schemes in the study by Grigoriev and Shpilrain [1].

In this article, we offer a digital signature scheme that uses tropical algebra of one-variable polynomials. Security of the public key in this scheme is based on computational hardness of factoring one-variable tropical polynomials. This problem is known to be NP-hard [6].

Since the first version [7] of our article was put online in September 2023, Panny [8] and Brown and Monico [9] offered several forgery attacks on our scheme. Brown and Monico also offered easy patches against both Panny’s attacks but mentioned that they had not found any way to prevent one forgery attack of their own.

In this updated version of our original preprint [7], we take into account suggestions of Brown and Monico (both from the study by Brown and Monico [9] and from informal communication) to thwart all these attacks, although to avoid the attack in Section 4.6 of [9], we had to modify our scheme in a more substantial way, see Section 8.

Finally, we note that in the study by Géraud-Stewart et al. [10], the authors offered an interactive version, in the spirit of Fiat and Shamir [11], of our protocol in the study by Chen et al. [7]. This tool typically adds an extra level of security to any ZKP protocol. However, we prefer to stick to a noninteractive version here.

2 Preliminaries

We start by giving some necessary information on tropical algebras here; for more details, we refer the reader to the monograph [12].

Consider a tropical semiring $S$, also known as the min-plus algebra due to the following definition. This semiring is defined as a linearly ordered set (e.g., a subset of reals) that contains 0 and is closed under addition, with two operations as follows:

$$x \oplus y = \min(x, y), \qquad x \otimes y = x + y.$$

It is straightforward to see that these operations satisfy the following properties:

Associativity:

$$x \oplus (y \oplus z) = (x \oplus y) \oplus z, \qquad x \otimes (y \otimes z) = (x \otimes y) \otimes z.$$

Commutativity:

$$x \oplus y = y \oplus x, \qquad x \otimes y = y \otimes x.$$

Distributivity:

$$(x \oplus y) \otimes z = (x \otimes z) \oplus (y \otimes z).$$

There are some “counterintuitive” properties as well:

$$x \oplus x = x, \qquad x \otimes 0 = x, \qquad x \oplus 0 \text{ could be either } 0 \text{ or } x.$$

There is also a special “$\varepsilon$-element” $\varepsilon = \infty$ such that, for any $x \in S$,

$$\varepsilon \oplus x = x, \qquad \varepsilon \otimes x = \varepsilon.$$

2.1 Tropical polynomials

A (tropical) monomial in $S$ looks like a usual linear function, and a tropical polynomial is the minimum of a finite number of such functions, and therefore a concave, piecewise linear function. The rules for the order in which tropical operations are performed are the same as in the classical case, see the following example. Still, we often use parentheses to make a tropical polynomial easier to read.

Example 1

Here is an example of a tropical monomial: $x \otimes x \otimes y \otimes z \otimes z$. The (tropical) degree of this monomial is 5. We note that sometimes, people use the alternative notation $x^{\otimes 2}$ for $x \otimes x$, etc.

An example of a tropical polynomial is: $p(x, y, z) = 5 \otimes x \otimes y \otimes z \oplus x \otimes x \oplus 2 \otimes z \oplus 17 = (5 \otimes x \otimes y \otimes z) \oplus (x \otimes x) \oplus (2 \otimes z) \oplus 17$. This polynomial has (tropical) degree 3, by the highest degree of its monomials.

We note that, just as in the classical case, a tropical polynomial is canonically represented by an ordered set of tropical monomials (together with finite coefficients), where the order that we use here is deglex.

We also note that some tropical polynomials may look “weird”:

Example 2

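Consider the polynomial $p(x) = (0 \otimes x) \oplus (0 \otimes x \otimes x)$. All coefficients in this polynomial are 0, and yet it is not the same as the polynomial $q(x) = 0$.

Indeed, $q(x) \otimes r(x) = r(x)$ for any polynomial $r(x)$. On the other hand, if, say, $r(x) = 2 \otimes x$, then $p(x) \otimes r(x) = (2 \otimes x \otimes x) \oplus (2 \otimes x \otimes x \otimes x) \neq r(x)$.

In the following example, we show in detail how two tropical polynomials are multiplied and how similar terms are collected.

Example 3

Let $p(x) = (2 \otimes x) \oplus (3 \otimes x \otimes x)$ and $q(x) = 5 \oplus (1 \otimes x)$. Then

$$p(x) \otimes q(x) = [(2 \otimes x) \otimes 5] \oplus [(2 \otimes x) \otimes (1 \otimes x)] \oplus [(3 \otimes x \otimes x) \otimes 5] \oplus [(3 \otimes x \otimes x) \otimes (1 \otimes x)]$$

$$= (7 \otimes x) \oplus (3 \otimes x \otimes x) \oplus (8 \otimes x \otimes x) \oplus (4 \otimes x \otimes x \otimes x) = (7 \otimes x) \oplus (3 \otimes x \otimes x) \oplus (4 \otimes x \otimes x \otimes x).$$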

In this article, our focus is on one-variable tropical polynomials, although one can use multivariate tropical polynomials instead.

3 Digital signature scheme description

Let $T$ be the tropical algebra of one-variable polynomials over $\mathbb{Z}$, the ring of integers.

The signature scheme is as follows.

Private: Two polynomials $X, Y \in T$ whose degrees sum up to $2d$, with all coefficients in the range $[0, r]$, where $d$ and $r$ are parameters of the scheme.

Public:

  1. Polynomial $M = X \otimes Y$.

  2. A hash function $H$ (e.g., SHA-512) and a (deterministic) procedure for converting values of $H$ to one-variable polynomials from the tropical algebra $T$ (Section 4.2).

Signing a message $m$:

  1. Apply a hash function $H$ to $m$. Convert $H(m)$ to a polynomial $P$ of degree $d$ from the algebra $T$ using a deterministic public procedure.

  2. Select two random private polynomials $U, V \in T$ such that $\deg(U) = \deg(Y)$, $\deg(V) = \deg(X)$, with all coefficients of $U$ and $V$ in the range $[0, r]$. Denote $N = U \otimes V$.

  3. The signature is the 4-tuple of polynomials $(P,\; P \otimes X \otimes U,\; P \otimes Y \otimes V,\; N)$.

Verification:

  1. The verifier computes the hash $H(m)$ and converts $H(m)$ to a polynomial $P$ of degree $d$ from the algebra $T$ using a deterministic public procedure. This is done to verify that $P$ is the correct hash of the message.

  2. The verifier checks that the degrees of the polynomials $P \otimes X \otimes U$ and $P \otimes Y \otimes V$ (the second and third polynomials in the signature) are both equal to $3d$, and the degree of the polynomial $N$ is equal to $2d$. If not, then the signature is not accepted.

  3. The verifier checks that neither $P \otimes X \otimes U$ nor $P \otimes Y \otimes V$ is a constant multiple (in the tropical sense) of $P \otimes M$ or $P \otimes N$. If it is, then the signature is not accepted.

  4. The verifier checks that all coefficients in the polynomials $P \otimes X \otimes U$ and $P \otimes Y \otimes V$ are in the range $[0, 3r]$, and all coefficients in the polynomial $N$ are in the range $[0, 2r]$. If not, then the signature is not accepted.

  5. The verifier computes $W = (P \otimes X \otimes U) \otimes (P \otimes Y \otimes V)$. The signature is accepted if and only if $W = P \otimes P \otimes M \otimes N$.

Correctness is obvious since $W = (P \otimes X \otimes U) \otimes (P \otimes Y \otimes V) = P \otimes P \otimes (X \otimes Y) \otimes (U \otimes V) = P \otimes P \otimes M \otimes N$.

Remark 1

Step V2 in the verification algorithm is needed to prevent trivial forgery, e.g., signing by the triple of polynomials $(P \otimes M,\; P \otimes N,\; N)$, in which case $(P \otimes M) \otimes (P \otimes N) = P \otimes P \otimes M \otimes N$.

Remark 2

Here is how one can check whether one given tropical polynomial, call it $R(x)$, is a constant multiple (in the tropical sense) of another given tropical polynomial (of the same degree), call it $S(x)$.

Let $r_i \in \mathbb{Z}$ denote the coefficient at the monomial $x^i$ in $R(x)$, and $s_i \in \mathbb{Z}$ denote the coefficient at the monomial $x^i$ in $S(x)$. If $R(x) = c \otimes S(x)$ for some $c \in \mathbb{Z}$, then $r_i = s_i + c$ for every $i$. Here, “+” means the “classical” addition in $\mathbb{Z}$.

Therefore, to check if $R(x)$ is a constant multiple of $S(x)$, one checks if $(r_i - s_i)$ is the same integer for every $i$.

4 Key generation and suggested parameters

The suggested value of d is 150.

The degree of the polynomial $X$ is selected uniformly at random from integers in the interval $[\frac{3}{4}d, \frac{5}{4}d]$. The degrees of other private polynomials are then determined from the conditions $\deg(X) + \deg(Y) = 2d$, $\deg(V) = \deg(X)$, $\deg(U) = \deg(Y)$.

All coefficients of monomials in the polynomials $X, Y, U, V$ are selected uniformly at random from integers in the range $[0, r]$, where $r = 127$. We emphasize that, in contrast with the “classical” case, if the coefficient at a monomial is 0, this does not mean that this monomial is “absent” from the polynomial.

4.1 Safe keys

Similar to the situation with the RSA modulus $n = pq$ where the private primes $p$ and $q$ should be “safe primes” (i.e., $p - 1$ and $q - 1$ should not have small divisors other than 2), in our situation, the private polynomials $X, Y, U, V$ should not have any nonconstant divisors (in the tropical sense). Otherwise, the forgery attack from [8] may apply.

It is not immediately clear how to efficiently generate irreducible tropical polynomials of a given degree. One simple way to do this with high probability is zeroing the first and last coefficients of $X$ and $Y$. There is an argument in the study by Kim and Roush [6] suggesting that a generic polynomial whose first and last coefficients are 0 is irreducible.

However, in contrast with the classical situation, even if $X$ and $Y$ are irreducible tropical polynomials, this does not necessarily imply that the only factors of $M = X \otimes Y$ are $X$ and $Y$, although with high probability $M$ will not have any factors of low degree if the degrees of both $X$ and $Y$ are high. This will make a brute force factorization of $M$ computationally hard.

In any case, questions related to factoring one-variable tropical polynomials need to be explored more to provide for a reliable way of generating safe keys for our scheme.

4.2 Converting $H(m)$ to a tropical polynomial over $\mathbb{Z}$

We suggest using a hash function from the SHA-3 family, specifically SHA3-512. We assume the security properties of SHA3-512, including collision resistance and preimage resistance. We also assume that there is a standard way to convert $H(m)$ to a bit string of length 512. Then a bit string can be converted to a tropical polynomial $P = P(x)$ over $\mathbb{Z}$ using the following ad hoc (deterministic) procedure.

Let $B = H(m)$ be a bit string of length 512. We will convert $B$ to a one-variable tropical polynomial $P$ of degree $d = 150$ over $\mathbb{Z}$. We therefore have to select 151 coefficients for monomials in $P$, and we want to have these coefficients in the range [0, 127]. With 7 bits for each coefficient, we need $151 \cdot 7 = 1057$ bits in total.

  1. Concatenate three copies of the bit string $B$ to obtain a bit string of length 1,536.

  2. Going left to right, convert 7-bit block #$j$ to an integer and use it as the coefficient at the monomial $x^j$.

  3. After we use $7 \cdot 151 = 1{,}057$ bits, all monomials in the polynomial $P = P(x)$ will obtain a coefficient.

4.3 Multiplying two tropical polynomials

Let $R(x)$ and $S(x)$ be two one-variable tropical polynomials of degree $d$ and $g$, respectively. We want to compute $R(x) \otimes S(x)$.

Note that a one-variable tropical monomial, together with a coefficient, can be represented by a pair of integers $(k, l)$, where $k$ is the coefficient and $l$ is the degree. Our goal is therefore to compute the coefficient at every monomial of degree from 0 to $d + g$ in the product $R(x) \otimes S(x)$.

Suppose we want to compute the coefficient at the monomial of degree $m$, $0 \le m \le d + g$. Then we go over all coefficients $r_i$ at the monomials of degrees $i \le m$ in the polynomial $R(x)$ and add (in the “classical” sense) $r_i$ to $s_j$, where $s_j$ is the coefficient at the monomial of degree $j = m - i$ in the polynomial $S(x)$.

Having computed all such sums $r_i + s_j$, we find the minimum among them, and this is the coefficient at the monomial of degree $m$ in the polynomial $R(x) \otimes S(x)$.
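
The scheme of Section 3 with the parameters of Section 4, written out as an added Python example; it is not the authors' code from [14]. The function names are chosen here, a polynomial is stored as a list of coefficients indexed by degree, and the hash is SHA3-512 as in Section 4.2.

```python
import hashlib
import secrets

D, R = 150, 127  # suggested parameters d and r (Section 4)

def tmul(a, b):
    """Tropical product (Section 4.3): coefficient at x^m is min of a[i] + b[m-i]."""
    out = [float("inf")] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[i + j] = min(out[i + j], ai + bj)
    return out

def hash_to_poly(msg, d=D):
    """Section 4.2: three copies of the 512-bit digest, read as 7-bit blocks."""
    digest = int.from_bytes(hashlib.sha3_512(msg).digest(), "big")
    bits = format(digest, "0512b") * 3
    return [int(bits[7 * j:7 * j + 7], 2) for j in range(d + 1)]

def rand_poly(deg, r=R, zero_ends=False):
    p = [secrets.randbelow(r + 1) for _ in range(deg + 1)]
    if zero_ends:  # Section 4.1 heuristic for X and Y
        p[0] = p[-1] = 0
    return p

def keygen(d=D, r=R):
    lo, hi = -(-3 * d // 4), 5 * d // 4          # integers in [3d/4, 5d/4]
    dx = lo + secrets.randbelow(hi - lo + 1)
    X, Y = rand_poly(dx, r, True), rand_poly(2 * d - dx, r, True)
    return (X, Y), tmul(X, Y)                    # private (X, Y), public M

def sign(msg, priv, d=D, r=R):
    X, Y = priv
    P = hash_to_poly(msg, d)
    U, V = rand_poly(len(Y) - 1, r), rand_poly(len(X) - 1, r)
    return P, tmul(tmul(P, X), U), tmul(tmul(P, Y), V), tmul(U, V)

def const_multiple(a, b):
    """Remark 2: a = c (x) b iff a[i] - b[i] is the same integer for every i."""
    return len(a) == len(b) and len({x - y for x, y in zip(a, b)}) == 1

def verify(msg, sig, M, d=D, r=R):
    P, A, B, N = sig                             # A = P(x)X(x)U, B = P(x)Y(x)V
    if P != hash_to_poly(msg, d):                # step 1
        return False
    if (len(A), len(B), len(N)) != (3 * d + 1, 3 * d + 1, 2 * d + 1):  # step 2
        return False
    PM, PN = tmul(P, M), tmul(P, N)
    if any(const_multiple(s, t) for s in (A, B) for t in (PM, PN)):    # step 3
        return False
    if not all(0 <= c <= 3 * r for c in A + B):  # step 4
        return False
    if not all(0 <= c <= 2 * r for c in N):
        return False
    return tmul(A, B) == tmul(tmul(P, P), tmul(M, N))                  # step 5
```

The tuple $(P,\; P \otimes M,\; P \otimes N,\; N)$ from Remark 1 satisfies the equation of step 5 and is turned away by the constant-multiple check of step 3.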

5 What is the hard problem here?

The (computationally) hard problem that we employ in our construction is factoring one-variable tropical polynomials. This problem is known to be NP-hard [6].

Since recovering the private tropical polynomials $X$ and $Y$ from the public polynomial $M = X \otimes Y$ is exactly the factoring problem, we see that inverting our candidate one-way function $f(X, Y) = X \otimes Y$ is NP-hard.

However, the private tropical polynomials $X$ and $Y$ are involved also in the signature. For example, from the polynomial $W = P \otimes X \otimes U$, the adversary can recover $X \otimes U$ because the polynomial $P$ is public. The polynomial $U$ is private, so it looks like the adversary is still facing the factoring problem. However, the adversary now knows two products involving the polynomial $X$, namely, $X \otimes Y$ and $X \otimes U$. Therefore, we have a somewhat different problem here: finding a common divisor of two given polynomials.

This problem is easy for “classical” one-variable polynomials over $\mathbb{Z}$. In particular, any classical one-variable polynomial over $\mathbb{Z}$ has a unique factorization (up to constant multiples) as a product of irreducible polynomials. In contrast, a one-variable tropical polynomial can have an exponential number of incomparable factorizations [6]. Furthermore, it was shown by Kim and Roush [6] that two one-variable tropical polynomials may not have a unique g.c.d. All this makes it appear likely that the problem of finding the g.c.d. of two (or more) given one-variable tropical polynomials is computationally hard. No polynomial-time algorithm for solving this problem is known. More about this is presented in Section 6.

6 Possible attacks

The most straightforward attack is trying to factor the tropical polynomial $M = X \otimes Y$ as a product of two tropical polynomials $X$ and $Y$. As we have pointed out earlier, this problem is known to be NP-hard [6]. In our situation, there is an additional restriction on the degrees of $X$ and $Y$, to pass Step V2 of the verification procedure.

If one reduces the equation $M = X \otimes Y$ to a system of equations in the coefficients of $X$ and $Y$, then one gets a system of $2d + 1$ quadratic (tropical) equations in $2(d + 1)$ unknowns. With $d$ large enough, such a system is unapproachable; in fact, solving a system of quadratic tropical equations is known to be NP-hard [13]. The size of the key space for $X$ and $Y$ with suggested parameters is $128^{300} = 2^{2100}$, so the brute force search is infeasible.

It is unclear whether accumulating (from different signatures) many tropical polynomials of the form $M_i = X \otimes U_i$, with different (still unknown) polynomials $U_i$, can help recover $X$. With each new $M_i$, the attacker gets (on average) $d + 1$ new unknowns (these are coefficients of $U_i$) and $2d + 1$ new equations. There is a well-known trick of reducing a system of quadratic equations to a system of linear equations by replacing each product of two unknowns by a new unknown. However, the number of pairs of unknowns increases roughly by $d^2$ with each new $U_i$. Therefore, a system of linear equations like that will be grossly underdetermined, resulting in a huge number of solutions for the new unknowns, thus making solving the original system (in the old unknowns) hard, especially given the restrictions on the old unknowns tacitly imposed by Step V4 of the verification procedure.

As we have mentioned in Section 1, Panny [8] and Brown and Monico [9] offered several forgery attacks on the original version [7] of our scheme. The only serious attack of those is the factorization attack from Section 4.6 of [9], which prompted us to make some changes not only in the key generation procedure but also in the scheme itself, see our Section 8.

7 Performance and signature size

For our computer simulations, we used an Apple MacBook Pro with an M1 CPU (8 cores) and 16 GB of RAM. Python code implementing the original version of the scheme [7] is available [14].

We note that a one-variable tropical monomial, together with a coefficient, can be represented by a pair of integers $(k, l)$, where $k$ is the coefficient and $l$ is the degree of the monomial. Then a one-variable tropical polynomial of degree, say, 150, is represented by 151 such pairs of integers, by the number of monomials. If $k$ is selected uniformly at random from integers in the range $[0, 127]$, then the size of such a representation is about 2,000 bits on average. Indeed, 151 coefficients of the average size of 6 bits give about 900 bits. Then, the degrees of the monomials are integers from 0 to 150. These take up $\left(\sum_{k=1}^{7} k\,(2^{k} - 2^{k-1} + 1)\right) + 8\,(150 - 127) \approx 1{,}000$ bits. Thus, it takes about 2,000 bits on average to represent a single tropical polynomial with suggested parameters.

Since a private key is composed of two such polynomials, this means that the size of the (long-term) private key in our scheme is about 4,000 bits (or 500 bytes) on average.

The public key is a polynomial of degree 300. Coefficients in this polynomial are in the range $[0, 254]$. By using the same argument as in the previous paragraph, we estimate the size of such polynomial to be about 4,500 bits (or 562 bytes) on average.

The signature is a 4-tuple of polynomials, one of them has degree 150, two of them have degree 450, and one has degree 300. Therefore, the signature size is about 16,000 bits (or 2,000 bytes) on average.

In the following table, we have summarized performance data for several parameter sets, in the case where all private polynomials $X, Y, U, V$ have the same degree. Most columns are self-explanatory; the last two columns show memory usage during verification and during the whole process of signing and verification.

Performance metrics for various parameter values

| Degree of private polynomials | Range for coefficients in private polynomials | Verification time (s) | Signature size (kbytes) | Public key size (kbytes) | Private key size (kbytes) | Memory usage, verification (Mbytes) | Memory usage, whole process (Mbytes) |
|---|---|---|---|---|---|---|---|
| 100 | [0, 127] | < 0.1 | 1.3 | 0.37 | 0.33 | 0.4 | 0.4 |
| 150 | [0, 127] | 0.15 | 2 | 0.56 | 0.5 | 0.37 | 0.5 |
| 200 | [0, 127] | 0.25 | 2.6 | 0.74 | 0.67 | 0.47 | 0.6 |

8 Alternative signature scheme

To completely avoid the division attack in Section 4.6 of the study by Brown and Monico [9], we offer here a similar but different signature scheme where tropical addition plays a more prominent role.

The private and public keys are the same as in the scheme in our Section 3. The only difference is that here the hash $H(m)$ is converted to a tropical polynomial of degree $2d$, not $d$.

Signing a message $m$:

  1. Apply a hash function $H$ to $m$. Convert $H(m)$ to a polynomial $P$ of degree $d$ from the tropical algebra $T$ using a deterministic public procedure.

  2. Select two random private polynomials $U, V \in T$ such that $\deg(U) = \deg(Y)$, $\deg(V) = \deg(X)$, with all coefficients of $U$ and $V$ in the range $[0, r]$. Denote $N = U \otimes V$.

  3. Select a random public polynomial $E$ of degree $3d$, with all coefficients in the range $[0, 3r]$.

  4. The signature is the following 6-tuple of polynomials: $(P,\; P \oplus (X \otimes U),\; P \oplus (Y \otimes V),\; P \otimes [(X \otimes U) \oplus (Y \otimes V)] \oplus E,\; N,\; E)$.

Verification:

  1. The verifier computes the hash $H(m)$ and converts $H(m)$ to a polynomial $P$ of degree $2d$ from the algebra $T$ using a deterministic public procedure. This is done to verify that $P$ is the correct hash of the message.

  2. The verifier checks that the degrees of the polynomials $P \oplus (X \otimes U)$ and $P \oplus (Y \otimes V)$ (the second and third polynomials in the signature) are both equal to $2d$, the degree of the polynomial $N$ is equal to $2d$ as well, and the degrees of the remaining two polynomials are equal to $3d$. If not, then the signature is not accepted.

  3. The verifier checks that all coefficients in the polynomials $P \oplus (X \otimes U)$ and $P \oplus (Y \otimes V)$ are in the range $[0, 2r]$, all coefficients in the polynomial $N$ are in the range $[0, 2r]$ as well, and all coefficients in the remaining two polynomials are in the range $[0, 3r]$. If not, then the signature is not accepted.

  4. The verifier checks that neither P ( X U ) nor P ( Y V ) is a constant multiple (in the tropical sense) of P M or P N . If it is, then the signature is not accepted.

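  5. Denote $R = P \otimes [(X \otimes U) \oplus (Y \otimes V)]$. The verifier checks that

    $$P \otimes [(P \oplus (X \otimes U)) \oplus (P \oplus (Y \otimes V))] \oplus E = (P \otimes P) \oplus (R \oplus E).$$

     If not, then the signature is not accepted.

  6. The verifier computes $W = (P \oplus (X \otimes U)) \otimes (P \oplus (Y \otimes V)) = (P \otimes P) \oplus (P \otimes [(X \otimes U) \oplus (Y \otimes V)]) \oplus (X \otimes U \otimes Y \otimes V)$. The signature is accepted if and only if $W \oplus E = (P \otimes P) \oplus (R \oplus E) \oplus (M \otimes N)$.

Correctness follows from $W \oplus E = (P \otimes P) \oplus (P \otimes [(X \otimes U) \oplus (Y \otimes V)]) \oplus (X \otimes U \otimes Y \otimes V) \oplus E = (P \otimes P) \oplus (R \oplus E) \oplus (M \otimes N)$.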

8.1 Key generation

Key generation here follows Section 4, except that the hash $H(m)$ should now be converted to a tropical polynomial of degree $2d$, not $d$. A simple way to do the latter is just to tropically multiply a polynomial of degree $d$ constructed as in Section 4.2, by itself.
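
The two equalities of Section 8 (the check in step 5 and the final acceptance test), as an added Python example that is not the authors' code. Only these two equations are implemented, without the degree, range and constant-multiple steps; the names `tadd`, `sign2` and `check_equations` and the use of `float("inf")` for the coefficient of an absent monomial are choices made here, and $P$ is built as in Section 8.1.

```python
import hashlib
import secrets

INF = float("inf")  # epsilon: coefficient of a monomial that is absent

def tmul(a, b):
    """Tropical product of two coefficient lists (Section 4.3)."""
    out = [INF] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[i + j] = min(out[i + j], ai + bj)
    return out

def tadd(a, b):
    """Tropical sum: coefficientwise min, shorter list padded with epsilon."""
    n = max(len(a), len(b))
    a, b = a + [INF] * (n - len(a)), b + [INF] * (n - len(b))
    return [min(x, y) for x, y in zip(a, b)]

def rand_poly(deg, hi):
    return [secrets.randbelow(hi + 1) for _ in range(deg + 1)]

def hash_poly_2d(msg, d):
    """Section 8.1: the degree-d polynomial of Section 4.2 multiplied by itself."""
    digest = int.from_bytes(hashlib.sha3_512(msg).digest(), "big")
    bits = format(digest, "0512b") * 3
    p = [int(bits[7 * j:7 * j + 7], 2) for j in range(d + 1)]
    return tmul(p, p)

def sign2(msg, X, Y, d, r):
    P = hash_poly_2d(msg, d)
    U, V = rand_poly(len(Y) - 1, r), rand_poly(len(X) - 1, r)
    XU, YV = tmul(X, U), tmul(Y, V)
    E = rand_poly(3 * d, 3 * r)
    RE = tadd(tmul(P, tadd(XU, YV)), E)          # R (+) E
    return P, tadd(P, XU), tadd(P, YV), RE, tmul(U, V), E

def check_equations(sig, M):
    """Return (step-5 equality, final equality) for a 6-tuple signature."""
    P, A, B, RE, N, E = sig                      # A = P (+) XU, B = P (+) YV
    PP = tmul(P, P)
    step5 = tadd(tmul(P, tadd(A, B)), E) == tadd(PP, RE)
    final = tadd(tmul(A, B), E) == tadd(tadd(PP, RE), tmul(M, N))
    return step5, final
```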

8.2 Brown-Monico attack

The attack in Section 4.6 of [9] is based on (tropically) dividing a public polynomial by another public polynomial. The result of such division is not unique, but it recovers the correct ratio with non-negligible probability.

Introducing tropical addition in the signature is intended as a countermeasure to this attack. Recovering $B$ from $(A \oplus B)$ and $A$ is highly nonunique, so the probability of correctly recovering, say, $(X \otimes U)$ or $(Y \otimes V)$ from the polynomials in the signature has a lesser chance of being non-negligible.

8.3 Performance and signature size

Speed of computation is not really different here from what it is for the scheme in Section 3, see the table in Section 7.

The signature size though is about 50% larger, so with $d = 150$, $r = 127$ it is about 3 kbytes.

9 Conclusions

  • We propose two digital signature schemes whose security is based on an NP-hard problem not previously employed in cryptography. This continues our line of research on possible use of min-plus semirings as platforms for cryptographic primitives.

  • A particular NP-hard problem that we employ in this article is factoring (one-variable) tropical polynomials.

  • Computation in our schemes is very efficient, which is characteristic of cryptographic schemes based on min-plus semirings. The signature size is not particularly small though.

  • Panny [8] and Brown and Monico [9] offered heuristic forgery attacks on our first scheme, which motivated us to come up with the second scheme to thwart all these and similar attacks.

Acknowledgements

We are grateful to Dan Brown and Chris Monico for pointing out a couple of weaknesses in the original version of our scheme and for discussions/suggestions on safe keys.

  1. Funding information: None declared.

  2. Author contributions: All authors have accepted responsibility for the entire content of this manuscript and approved its submission.

  3. Conflict of interest: Prof. Vladimir Shpilrain is a member of the Editorial Board of the Journal of Mathematical Cryptology but was not involved in the review process of this article.

References

[1] Grigoriev D, Shpilrain V. Tropical cryptography. Comm Algebra. 2014;42:2624–32. doi:10.1080/00927872.2013.766827

[2] Grigoriev D, Shpilrain V. Tropical cryptography II: extensions by homomorphisms. Comm Algebra. 2019;47:4224–9. doi:10.1080/00927872.2019.1581213

[3] Habeeb M, Kahrobaei D, Koupparis C, Shpilrain V. Public key exchange using semidirect product of (semi)groups. In: ACNS 2013, Lecture Notes in Computer Science. Vol. 7954. 2013. p. 475–86. doi:10.1007/978-3-642-38980-1_30

[4] Kahrobaei D, Shpilrain V. Using semidirect product of (semi)groups in public key cryptography. In: CiE 2016, Lecture Notes in Computer Science. Vol. 9709. 2016. p. 132–41. doi:10.1007/978-3-319-40189-8_14

[5] Kotov M, Ushakov A. Analysis of a key exchange protocol based on tropical matrix algebra. J Math Cryptology. 2018;12:137–41. doi:10.1515/jmc-2016-0064

[6] Kim KH, Roush FW. Factorization of polynomials in one variable over the tropical semiring. https://arxiv.org/pdf/math/0501167.pdf.

[7] Chen J, Grigoriev D, Shpilrain V. Tropical cryptography III: digital signatures. https://eprint.iacr.org/archive/versions/2023/1475. doi:10.1515/jmc-2024-0005

[8] Panny L. Forging tropical signatures. https://eprint.iacr.org/2023/1748/.

[9] Brown DRL, Monico C. More forging (and patching) of tropical signatures. https://eprint.iacr.org/2023/1837.

[10] Géraud-Stewart R, Naccache D, Yifrach-Stav O. Fiat-Shamir goes tropical. https://eprint.iacr.org/2023/1954.

[11] Fiat A, Shamir A. How to prove yourself: Practical solutions to identification and signature problems. In: Proceedings on Advances in Cryptology - CRYPTO’86. Springer; 1987. p. 186–94. doi:10.1007/3-540-47721-7_12

[12] Butkovic P. Max-linear systems: theory and algorithms. London: Springer-Verlag; 2010. doi:10.1007/978-1-84996-299-5

[13] Theobald T. On the frontiers of polynomial computations in tropical geometry. J Symbolic Comput. 2006;41:1360–75. doi:10.1016/j.jsc.2005.11.006

[14] Python code for the tropical digital signature scheme. https://shpilrain.ccny.cuny.edu/tropicalDS.txt.

Received: 2024-02-01
Revised: 2024-05-03
Accepted: 2024-07-30
Published Online: 2024-09-27

© 2024 the author(s), published by De Gruyter

This work is licensed under the Creative Commons Attribution 4.0 International License.

Downloaded on 22.11.2025 from https://www.degruyterbrill.com/document/doi/10.1515/jmc-2024-0005/html