Article, Open Access

On implementation of Stickel's key exchange protocol over max-min and max-T semirings

  • Sulaiman Alhussaini and Sergeĭ Sergeev
Published/Copyright: November 26, 2024

Abstract

Given that the tropical Stickel protocol and its variants are all vulnerable to the generalized Kotov–Ushakov attack, we suggest employing the max-min semiring and, more generally, max-$T$ semiring where the multiplication is based on a $T$-norm, as a framework to implement the Stickel protocol. While the Stickel protocol over max-min semiring or max-$T$ semiring remains susceptible to a form of Kotov–Ushakov attack, we demonstrate that it exhibits significantly increased resistance against this attack when compared to the tropical (max-plus) implementation.

MSC 2010: 94A60; 08A72; 15A80

1 Introduction

A key exchange protocol is the process in which two parties (commonly called Alice and Bob) exchange messages in order to jointly compute a shared secret key that cannot be directly intercepted by an eavesdropper (Eve). In public key cryptography, it is common to use various structures in algebra and geometry (such as elliptic curves) to implement such key exchange protocols. The most popular protocol is that of Diffie and Hellman [1], and Stickel’s protocol [2], whose unusual implementation is discussed in our study, is essentially a two-sided variation of Diffie-Hellman’s protocol.

Tropical cryptography was first proposed by Grigoriev and Shpilrain [3] as an alternative framework for cryptographic protocols such as Stickel’s since it enjoys several advantages such as efficiency and resistance to some general attacks. In particular, Grigoriev and Shpilrain developed a tropical version of the original Stickel key exchange protocol, the original version of which was vulnerable to common linear algebraic attacks. Their motivation came from the non-invertible nature of matrices in tropical algebra, making the tropical implementation resistant to attacks resembling the ones faced by the original Stickel protocol. It can also be observed that the tropical implementation of cryptographic protocols is faster to execute (since the arithmetic operations can be executed faster). The tropical Stickel protocol was then attacked by Kotov and Ushakov [4]. The Kotov–Ushakov attack was generalized in the study by Muanalifah and Sergeev [5] where it was shown how to apply the same idea to other implementations of Stickel’s protocol based on matrix commutativity. Also, Grigoriev and Shpilrain [6] proposed two protocols based on tropical semi-direct product, but one of them was shown to be invalid by Isaac and Kahrobaei [7] and the other was successfully attacked by the same authors as well as by Muanalifah and Sergeev [8] and Rudy and Monico [9]. This highlights the challenges in implementing a secure protocol in the tropical framework.

The main idea of the present study is to consider implementations of Stickel’s protocol over max-$T$ semirings, where $T\colon [0,1]^2 \to [0,1]$ is an arbitrary $T$-norm, and to evaluate their resistance against the Kotov–Ushakov attack in comparison with the tropical version. Although the Kotov–Ushakov attack can be formulated over a general enough class of max-$T$ semirings, we will present the numerical experiments only over the max-min semiring, leaving experimentation with other max-$T$ semirings to future research.

We are using the term “max-$T$ semiring” here following, e.g., [10, Section 7] and [11]. However, max-$T$ semirings can be considered a rather old concept since, in particular, the systems $A \otimes x = b$ over such semirings have been studied for many decades as (systems of) fuzzy relation equations; see previous studies [12–14] (among many other works). The theory and practice of solving these systems will be useful to us when implementing the Kotov–Ushakov attack. Note that max-$T$ semirings can also be considered as closely related to (or part of) BL-algebras and MV-algebras [15].

This work is organized as follows: Section 2 gives the preliminaries and basic definitions, particularly concerning the max-min semiring and, more generally, max-$T$ semirings. In Section 3, we introduce two implementations of the Stickel protocol over an arbitrary semiring, assessing their applicability, validity, and the behavior of the shared key for the case of max-min semiring. In Section 4, we analyze the security of this new implementation and its resilience compared to tropical counterparts. Finally, in Section 5, we evaluate the resistance of the proposed protocols through a series of numerical experiments. Our codes have been uploaded to GitHub[1].

2 Preliminaries

In this section, we present the standard definitions for the matrix algebra over the max-min semiring. We will use $[n]$ and $[m]$ to denote $\{1,\ldots,n\}$ and $\{1,\ldots,m\}$, respectively.

Definition 2.1

(Max-min semiring and associated matrix algebra). The max-min (fuzzy) semiring is defined as $\mathbb{R}_{\max,\min} = (\mathbb{R}\cup\{-\infty\}\cup\{+\infty\}, \oplus, \otimes)$, with these two operations defined by $a \oplus b := \max\{a,b\}$ and $a \otimes b := \min\{a,b\}$. These operations can also be extended to vectors and matrices to form matrix algebra over the max-min semiring. In particular, the operation $A \otimes \alpha = \alpha \otimes A$, where $\alpha \in \mathbb{R}_{\max,\min}$, $A \in \mathbb{R}_{\max,\min}^{m\times n}$, and $(A)_{ij} = a_{ij}$ for $i \in [m]$ and $j \in [n]$, is defined by

$$(A \otimes \alpha)_{ij} = (\alpha \otimes A)_{ij} = \alpha \otimes a_{ij} \quad \forall i \in [m] \text{ and } j \in [n].$$

The max-min addition $A \oplus B$ of two matrices $A \in \mathbb{R}_{\max,\min}^{m\times n}$ and $B \in \mathbb{R}_{\max,\min}^{m\times n}$, where $(A)_{ij} = a_{ij}$ and $(B)_{ij} = b_{ij}$ for $i \in [m]$ and $j \in [n]$, is defined by

$$(A \oplus B)_{ij} = a_{ij} \oplus b_{ij} \quad \forall i \in [m] \text{ and } j \in [n].$$

The max-min multiplication of two matrices is also similar to the “traditional” algebra. Namely, we define $A \otimes B$ for two matrices, where $A \in \mathbb{R}_{\max,\min}^{m\times p}$ and $B \in \mathbb{R}_{\max,\min}^{p\times n}$, as follows:

$$(A \otimes B)_{ij} = \bigoplus_{k=1}^{p} a_{ik} \otimes b_{kj} = (a_{i1} \otimes b_{1j}) \oplus (a_{i2} \otimes b_{2j}) \oplus \cdots \oplus (a_{ip} \otimes b_{pj}) \quad \forall i \in [m] \text{ and } j \in [n].$$

Definition 2.2

(Max-min matrix powers). For $A \in \mathbb{R}_{\max,\min}^{n\times n}$, the $n$th max-min power of $A$ is denoted by $A^{n}$, and is equal to

$$A^{n} = \underbrace{A \otimes A \otimes \cdots \otimes A}_{n \text{ times}}.$$

By definition, any max-min square matrix to the power 0 equals the max-min identity.

Definition 2.3

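(Max-min identity). The max-min identity matrix $I \in \mathbb{R}_{\max,\min}^{n\times n}$ is of the form $(I)_{ij} = \delta_{ij}$ where

$$\delta_{ij} = \begin{cases} +\infty & \text{if } i = j, \\ -\infty & \text{otherwise}. \end{cases}$$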

We subsequently define the matrix polynomials over the max-min semiring.

Definition 2.4

(Matrix polynomials). A matrix polynomial is a function of the form

$$A \mapsto p(A) = \bigoplus_{k=0}^{d} a_k \otimes A^{k}.$$

Here A is a square matrix of any dimension.

Note that any two matrix polynomials of the same matrix commute in the max-min algebra, as in the classical and tropical cases. Consequently, max-min polynomials can be utilized to create a version of Stickel protocol, exploiting this commutativity property to form a shared secret key.

We also present the modified $s$-circulants, which could also be used as a commutativity tool to construct another implementation of Stickel’s protocol.

Definition 2.5

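(Upper $s$-circulants [16], see also [17]). Let $A \in \mathbb{R}_{\max,\min}^{n\times n}$. We say that $A$ is an upper $s$-circulant, or $A \in C_n^s$, if it is of the form

$$\begin{pmatrix}
c_0 & c_{n-1}\otimes s & c_{n-2}\otimes s & \cdots & c_1\otimes s\\
c_1 & c_0 & c_{n-1}\otimes s & \cdots & c_2\otimes s\\
c_2 & c_1 & c_0 & \cdots & c_3\otimes s\\
\vdots & \vdots & \vdots & \ddots & \vdots\\
c_{n-1} & c_{n-2} & c_{n-3} & \cdots & c_0
\end{pmatrix},$$

where $c_0, c_1, c_2, \ldots, c_{n-1}, s \in \mathbb{R}_{\max,\min}$.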

Definition 2.6

(Max-$T$ semiring) The max-$T$ semiring is defined as the unit interval $[0,1]$ equipped with the tropical addition $a \oplus b = \max(a,b)$ and the $T$-norm multiplication $a \otimes b = T(a,b)$, where $T\colon [0,1]^2 \to [0,1]$ is a $T$-norm (Definition 2.7). These arithmetics are then naturally extended to matrices and vectors as in Definition 2.1.

Definition 2.7

($T$-norm, e.g., [14]) A $T$-norm is a binary operation on the unit interval that satisfies the following axioms for all $a, b, d \in [0,1]$:

  1. $T(a,1) = a$ (boundary condition).

  2. $b \le d$ implies $T(a,b) \le T(a,d)$ (monotonicity).

  3. $T(a,b) = T(b,a)$ (commutativity).

  4. $T(a,T(b,d)) = T(T(a,b),d)$ (associativity).

Remark 2.1

(On max-$T$ semirings) The max-min semiring introduced earlier is isomorphic to the max-$T$ semiring with $T = \min$, but it is more natural for computations since one can choose to work with integer numbers only. The identity matrix for any max-$T$ semiring is the same as the usual identity matrix (with all 1’s on the diagonal and all 0’s off the diagonal). The definitions of matrix powers, matrix polynomials, and modified circulants all naturally extend to the matrix algebra over max-$T$ semiring.

3 Stickel protocol over max-min and other semirings

In this section, we introduce the Stickel key exchange protocol over the max-min semiring using polynomials (Protocol 1) and modified circulants (Protocol 2), and examine their applicability.

Protocol 1

(Max-min Stickel protocol)

  1. Alice and Bob agree on public matrices $A, B, M \in \mathbb{R}_{\max,\min}^{n\times n}$.

  2. Alice chooses two random max-min polynomials $p_1(x)$ and $p_2(x)$ and sends $U = p_1(A) \otimes M \otimes p_2(B)$ to Bob.

  3. Bob chooses two random max-min polynomials $q_1(x)$ and $q_2(x)$ and sends $V = q_1(A) \otimes M \otimes q_2(B)$ to Alice.

  4. Alice computes her secret key using Bob’s message $V$, and she has $K_a = p_1(A) \otimes V \otimes p_2(B)$.

  5. Bob also computes his secret key using Alice’s message $U$, and he obtains $K_b = q_1(A) \otimes U \otimes q_2(B)$.

Note that $K_a = p_1(A) \otimes V \otimes p_2(B) = p_1(A) \otimes q_1(A) \otimes M \otimes q_2(B) \otimes p_2(B) = q_1(A) \otimes p_1(A) \otimes M \otimes p_2(B) \otimes q_2(B) = q_1(A) \otimes U \otimes q_2(B) = K_b$, which means that the two parties end up with the same key due to the commutativity of polynomials of the same matrix in the max-min semiring, resembling classical algebra.

Initially, one might assume that this protocol is vulnerable to exhaustive search attacks because max-min operations do not generate new numbers, making the shared key seemingly easy to guess. However, we argue otherwise. By considering a wide range for both matrix entries and polynomial coefficients, along with a sufficiently large polynomial degree, the protocol yields an extensive array of possibilities, thereby mitigating susceptibility to brute-force attacks.

The following experiment (Figure 1) shows the average number of unique elements in the shared key. The dimension of the matrices is 10 with entries and polynomial coefficients chosen randomly from $[-10{,}000, 10{,}000]$ and 100 trials were performed for each polynomial degree. Note that for high polynomial degrees, there are on average eight distinct elements in the shared key. Considering the size of the matrix, there exists a large number of arrangements for these elements within the matrix. Hence, exhaustive search for the key would not be feasible.

Figure 1: Key randomness for Protocol 1.

Protocol 2

(Max-min Stickel protocol based on modified circulants)

  1. Alice and Bob agree on $s, t \in \mathbb{R}_{\max,\min}$ and a publicly known matrix $M \in \mathbb{R}_{\max,\min}^{n\times n} \setminus (C_n^s \cup C_n^t)$.

  2. Alice generates two matrices $A_1 \in C_n^s$ and $B_1 \in C_n^t$ and sends $U = A_1 \otimes M \otimes B_1$ to Bob.

  3. Bob generates two matrices $A_2 \in C_n^s$ and $B_2 \in C_n^t$ and sends $V = A_2 \otimes M \otimes B_2$ to Alice.

  4. Alice calculates $K_a = A_1 \otimes V \otimes B_1$.

  5. Bob calculates $K_b = A_2 \otimes U \otimes B_2$.

Similarly, note that $K_a = A_1 \otimes V \otimes B_1 = A_1 \otimes A_2 \otimes M \otimes B_2 \otimes B_1 = A_2 \otimes A_1 \otimes M \otimes B_1 \otimes B_2 = A_2 \otimes U \otimes B_2 = K_b$, which means that the two parties end up with the same key due to the commutative nature of modified circulants.
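Both protocols run end to end over the max-min semiring, as an added example (not the authors' MATLAB code): it checks that Alice and Bob derive the same key and that every key entry is one of the input numbers, which is the property the brute-force discussion above rests on. Helper names, seeds and sizes are assumptions chosen for illustration; the random $M$ is assumed not to be a circulant.

```python
import random

NEG_INF, POS_INF = float("-inf"), float("inf")  # zero and unit of the max-min semiring


def mm_add(A, B):
    """Max-min matrix addition: entrywise max."""
    return [[max(a, b) for a, b in zip(ra, rb)] for ra, rb in zip(A, B)]


def mm_mul(A, B):
    """Max-min matrix product: (A (x) B)_ij = max_k min(a_ik, b_kj)."""
    cols = list(zip(*B))
    return [[max(min(a, b) for a, b in zip(row, col)) for col in cols] for row in A]


def mm_poly(coeffs, A):
    """p(A) = max_k min(coeffs[k], A^k), with A^0 the max-min identity."""
    n = len(A)
    power = [[POS_INF if i == j else NEG_INF for j in range(n)] for i in range(n)]
    result = [[NEG_INF] * n for _ in range(n)]
    for a_k in coeffs:
        scaled = [[min(a_k, p) for p in row] for row in power]
        result = mm_add(result, scaled)
        power = mm_mul(power, A)
    return result


def upper_s_circulant(c, s):
    """Definition 2.5: entry (i, j) is c[(i-j) mod n], min-ed with s above the diagonal."""
    n = len(c)
    return [[c[(i - j) % n] if i >= j else min(c[(i - j) % n], s)
             for j in range(n)] for i in range(n)]


def stickel(left_a, right_a, left_b, right_b, M):
    """Steps 2-5 of either protocol; the four secrets are passed as matrices."""
    U = mm_mul(mm_mul(left_a, M), right_a)      # Alice -> Bob
    V = mm_mul(mm_mul(left_b, M), right_b)      # Bob -> Alice
    K_a = mm_mul(mm_mul(left_a, V), right_a)    # Alice's key
    K_b = mm_mul(mm_mul(left_b, U), right_b)    # Bob's key
    return U, V, K_a, K_b


def run_protocol_1(seed, n=10, degree=10, bound=10_000):
    """Protocol 1 on a constructed random instance; returns both keys and all inputs."""
    rng = random.Random(seed)
    rand = lambda: rng.randint(-bound, bound)
    A, B, M = ([[rand() for _ in range(n)] for _ in range(n)] for _ in range(3))
    p1, p2, q1, q2 = ([rand() for _ in range(degree + 1)] for _ in range(4))
    _, _, K_a, K_b = stickel(mm_poly(p1, A), mm_poly(p2, B),
                             mm_poly(q1, A), mm_poly(q2, B), M)
    inputs = {x for X in (A, B, M) for row in X for x in row} | set(p1 + p2 + q1 + q2)
    return K_a, K_b, inputs


def run_protocol_2(seed, n=10, bound=10_000):
    """Protocol 2 on a constructed random instance; returns both keys and all inputs."""
    rng = random.Random(seed)
    rand = lambda: rng.randint(-bound, bound)
    s, t = rand(), rand()
    M = [[rand() for _ in range(n)] for _ in range(n)]   # assumed not a circulant
    c = [[rand() for _ in range(n)] for _ in range(4)]   # parameters of A1, B1, A2, B2
    A1, A2 = upper_s_circulant(c[0], s), upper_s_circulant(c[2], s)
    B1, B2 = upper_s_circulant(c[1], t), upper_s_circulant(c[3], t)
    _, _, K_a, K_b = stickel(A1, B1, A2, B2, M)
    inputs = {s, t} | {x for row in M for x in row} | {x for row in c for x in row}
    return K_a, K_b, inputs


def distinct_entries(K):
    """Number of different values in a key matrix (the quantity plotted in Figures 1 and 2)."""
    return len({x for row in K for x in row})


if __name__ == "__main__":
    for name, run in (("Protocol 1", run_protocol_1), ("Protocol 2", run_protocol_2)):
        K_a, K_b, _ = run(seed=1)
        print(name, "keys agree:", K_a == K_b, "distinct entries:", distinct_entries(K_a))
```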

We also demonstrate the behavior of the shared key as the matrix dimension increases (Figure 2), assessing whether there is adequate variability to prevent brute-force attacks.

Figure 2: Key randomness for Protocol 2.

The average number of unique elements within the matrix increases with matrix dimension. This similarly results in a vast array of possible arrangements for these elements, making simple exhaustive search attacks unfeasible.

Remark 3.1

Both matrix polynomials and upper $s$-circulants (for a fixed element $s$) form a commutative semiring with (obvious) identity and zero. For lower $s$-circulants over the tropical semiring, a proof of this fact can be found in the study by Amutha and Perumal [17] and it can be modified to apply to upper $s$-circulants over any semiring. For the reader’s convenience we include a self-contained proof in Appendix A. We acknowledge that this proof is based on the arguments from Collett’s MSc dissertation [18].

Due to the commutativity of matrix polynomials and modified circulants, both Protocol 1 and Protocol 2 can be implemented using matrix algebra over any semiring, including any max-$T$ semiring.

4 Security analysis of the proposed protocols

In this section, we introduce a max-min/max-$T$ analogue of the Kotov–Ushakov attack over the max-min semiring and its heuristic version (in the max-min case only), and demonstrate the substantially greater difficulty in compromising the max-min protocols relative to their tropical equivalents.

Similar to the original tropical Kotov–Ushakov attack [4] (or the tropical generalized Kotov–Ushakov attack [5]), in order to attack Protocol 1 or Protocol 2, our objective is to find the polynomial coefficients or the circulant parameters $x_\alpha, y_\beta$ for $\alpha, \beta \in \{0, \ldots, D\}$, where $D$ is the maximum polynomial degree for the case of Protocol 1, or the matrix dimension ($D = n-1$) for the case of Protocol 2. In particular, we define

$$X = \bigoplus_{\alpha \in \{0,\ldots,D\}} (x_\alpha \otimes A^{\alpha}), \qquad Y = \bigoplus_{\beta \in \{0,\ldots,D\}} (y_\beta \otimes B^{\beta}), \tag{1}$$

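where $A^{\alpha}$ and $B^{\beta}$ represent the powers of the public matrices $A$ and $B$, respectively, in the context of Protocol 1, or serve as generators of modified circulants for Protocol 2, which take the following form for $A^{\alpha}$ in the max-min case (and $B^{\beta}$ follows similarly):

$$(A^{\alpha})_{ij} = \begin{cases} +\infty & \text{if } \alpha \equiv (i-j) \pmod{n} \text{ and } i \ge j, \\ s & \text{if } \alpha \equiv (i-j) \pmod{n} \text{ and } i < j, \\ -\infty & \text{otherwise.} \end{cases}$$

Note that for max-$T$ semiring, we need to define

$$(A^{\alpha})_{ij} = \begin{cases} 1 & \text{if } \alpha \equiv (i-j) \pmod{n} \text{ and } i \ge j, \\ s & \text{if } \alpha \equiv (i-j) \pmod{n} \text{ and } i < j, \\ 0 & \text{otherwise.} \end{cases}$$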

We know from the protocols that $X \otimes M \otimes Y = U$, and if we substitute (1) for $X$ and $Y$, we obtain

$$U = \bigoplus_{\alpha \in \{0,\ldots,D\}} (x_\alpha \otimes A^{\alpha}) \otimes M \otimes \bigoplus_{\beta \in \{0,\ldots,D\}} (y_\beta \otimes B^{\beta}).$$

Then, combining the two summations and rearranging the coefficients, we obtain

$$U = \bigoplus_{\alpha,\beta \in \{0,\ldots,D\}} x_\alpha \otimes y_\beta \otimes (A^{\alpha} \otimes M \otimes B^{\beta}). \tag{2}$$

We then denote $x_\alpha \otimes y_\beta = z_{\alpha\beta}$ and $R^{\alpha\beta} = (A^{\alpha} \otimes M \otimes B^{\beta})$ to rewrite equation (2) as follows:

$$U = \bigoplus_{\alpha,\beta \in \{0,\ldots,D\}} z_{\alpha\beta} \otimes R^{\alpha\beta}. \tag{3}$$

This is of the form of max-min/max-$T$ linear system “$A \otimes x = b$” where the entries of $R^{\alpha\beta}$ are the coefficients of the system, and $z_{\alpha\beta}$ are the unknowns.

Thus, we need to scan all solutions to equation (3) and pick a solution that satisfies $z_{\alpha\beta} = x_\alpha \otimes y_\beta$ for some $x_\alpha, y_\beta$, $\alpha, \beta \in \{0, 1, \ldots, D\}$. The next proposition for the complete set of solutions of equation (3) where we “forget” about this important constraint on variables $z_{\alpha\beta}$ is very well-known in fuzzy relations theory.

Proposition 4.1

(e.g., [13,14]) Over the max-min semiring, system (3) has a finite set of minimal solutions and just one maximal solution, which is the greatest solution. With the number of minimal solutions denoted by $r$, the whole solution set is represented as

$$S = \bigcup_{i=1}^{r} \{x : d^{(i)} \le x \le c\},$$

where $d^{(i)}$ denotes the $i$th minimal solution and $c$ is the greatest solution of (3).

According to Di Nola et al. [12], this Proposition also extends to max-$T$ semirings where $T$ is a continuous $T$-norm. Note that, as shown by Di Nola et al. [12], the lower semi-continuity of $T$-norm guarantees the existence of the greatest solution while in the case of upper semi-continuity of $T$, the set of minimal solutions can be fully described and it can be shown that any solution is lower-bounded by a minimal solution. In particular, Proposition 4.1 holds also for the tropical case where the $T$-norm is defined as the usual product, and in this case, the minimal solutions can be found by zeroing out some components of the greatest solution.

In order to break Stickel’s protocol over max-$T$ semiring, assuming that Proposition 4.1 holds, we need to compute the greatest solution $c$ (for the max-min case using Lemma 3.2 in the study by Gavalec [19]) and all minimal solutions $d^{(i)}$ (for the max-min case using Section 3.3 in the study by Zahariev [20] or Chapter 3 in the study by Peeva and Kyosev [21]), and test the boxes $\{x : d^{(i)} \le x \le c\}$ for all $i$ until we find a vector $z$ that satisfies $z_{\alpha\beta} = x_\alpha \otimes y_\beta$ for some $x_\alpha, y_\beta \in \mathbb{N}$, $\alpha, \beta \in \{0, 1, \ldots, D\}$. The following algorithm captures these processes.

Attack 1

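(Max-min/max-$T$ generalized Kotov–Ushakov attack)

  • (1) Compute the maximum solution $c$ of equation (3). In the max-min case,

    $$c_{\alpha\beta} = \min_{\gamma,\delta \in [n]} \left( U_{\gamma\delta} : R^{\alpha\beta}_{\gamma\delta} > U_{\gamma\delta} \right) \quad \forall \alpha, \beta \in \{0, \ldots, D\}.$$

  • (2) Compute all minimal solutions $d^{(i)}$ of equation (3).

  • (3) Find a minimal solution $d^{(i)}$ with components $d^{(i)}_{\alpha\beta}$ for which the system

    $$d^{(i)}_{\alpha\beta} \le x_\alpha \otimes y_\beta \le c_{\alpha\beta} \quad \forall \alpha, \beta \in \{0, \ldots, D\} \tag{4}$$

    is solvable.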

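In the max-min case, system (4) can be transformed into a problem of mixed-integer linear programming, following an observation by De Schutter et al. [22]. In particular, $\min(x_\alpha, y_\beta) \le c_{\alpha\beta}$ means either $x_\alpha$, $y_\beta$ or both are less than or equal to $c_{\alpha\beta}$, which can be expressed as $x_\alpha - (1 - w_{\alpha\beta})L \le c_{\alpha\beta}$ and $y_\beta - (1 - k_{\alpha\beta})L \le c_{\alpha\beta}$ with $L$ being a sufficiently large number, and $w_{\alpha\beta} + k_{\alpha\beta} = 1$ such that $w_{\alpha\beta}, k_{\alpha\beta} \in \{0, 1\}$. Obviously, $\min(x_\alpha, y_\beta) \ge d^{(i)}_{\alpha\beta}$ can be equivalently written as $x_\alpha \ge d^{(i)}_{\alpha\beta}$, $y_\beta \ge d^{(i)}_{\alpha\beta}$.

Thus, system (4) can equivalently be written as

$$\begin{aligned}
& x_\alpha \ge d^{(i)}_{\alpha\beta}, \quad y_\beta \ge d^{(i)}_{\alpha\beta}, \\
& x_\alpha - (1 - w_{\alpha\beta})L \le c_{\alpha\beta}, \quad y_\beta - (1 - k_{\alpha\beta})L \le c_{\alpha\beta}, \\
& w_{\alpha\beta} + k_{\alpha\beta} = 1, \quad w_{\alpha\beta}, k_{\alpha\beta} \in \{0, 1\}.
\end{aligned} \tag{5}$$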

The value of the parameter L should be carefully chosen to ensure that it is sufficiently large so that the maximum entry in system (5) remains significantly lower, thereby avoiding potential failures in solving the system. Alternatively, L can be treated as a tunable parameter, and its value can be adjusted as necessary to achieve a correct and efficient solution to the system.
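Equation (3) and step (1) of Attack 1 for Protocol 1 in the max-min case, as an added example (not the authors' code): it builds the matrices $R^{\alpha\beta}$ for a small constructed instance, computes the greatest solution $c$, and checks that $c$ solves (3) and dominates the secret $z$. Function names, sizes and the random instance are assumptions; the enumeration of minimal solutions and system (5) are not included.

```python
import itertools
import random

NEG_INF, POS_INF = float("-inf"), float("inf")  # zero and unit of the max-min semiring


def mm_mul(A, B):
    """Max-min matrix product: (A (x) B)_ij = max_k min(a_ik, b_kj)."""
    cols = list(zip(*B))
    return [[max(min(a, b) for a, b in zip(row, col)) for col in cols] for row in A]


def powers(A, D):
    """[A^0, ..., A^D] in max-min algebra; A^0 is the max-min identity."""
    n = len(A)
    out = [[[POS_INF if i == j else NEG_INF for j in range(n)] for i in range(n)]]
    for _ in range(D):
        out.append(mm_mul(out[-1], A))
    return out


def combine(coeffs, mats, n):
    """Max-min linear combination: entrywise max over keys k of min(coeffs[k], mats[k])."""
    return [[max(min(coeffs[k], mats[k][g][d]) for k in mats) for d in range(n)]
            for g in range(n)]


def greatest_solution(U, R):
    """Step (1) of Attack 1: c_ab = min{U_gd : R^ab_gd > U_gd}, +inf if the set is empty."""
    n = len(U)
    return {k: min((U[g][d] for g in range(n) for d in range(n) if Rk[g][d] > U[g][d]),
                   default=POS_INF)
            for k, Rk in R.items()}


def check_instance(seed, n=4, D=3, bound=100):
    """Constructed random Protocol 1 instance; returns the three checks and c."""
    rng = random.Random(seed)
    rand = lambda: rng.randint(-bound, bound)
    A, B, M = ([[rand() for _ in range(n)] for _ in range(n)] for _ in range(3))
    x = [rand() for _ in range(D + 1)]        # Alice's coefficients of p1
    y = [rand() for _ in range(D + 1)]        # Alice's coefficients of p2
    PA, PB = powers(A, D), powers(B, D)
    X = combine(dict(enumerate(x)), dict(enumerate(PA)), n)   # X = p1(A), equation (1)
    Y = combine(dict(enumerate(y)), dict(enumerate(PB)), n)   # Y = p2(B)
    U = mm_mul(mm_mul(X, M), Y)                               # Alice's public message
    pairs = list(itertools.product(range(D + 1), repeat=2))
    R = {(a, b): mm_mul(mm_mul(PA[a], M), PB[b]) for a, b in pairs}
    z = {(a, b): min(x[a], y[b]) for a, b in pairs}           # z_ab = x_a (x) y_b
    c = greatest_solution(U, R)
    return {
        "linearized": combine(z, R, n) == U,            # equation (3) holds for the secret z
        "c_solves": combine(c, R, n) == U,              # c is itself a solution of (3)
        "z_below_c": all(z[k] <= c[k] for k in pairs),  # and c dominates the secret z
        "c": c,
    }


if __name__ == "__main__":
    result = check_instance(seed=1)
    print({k: v for k, v in result.items() if k != "c"})
```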

We now prove that Attack 1 works, due to it producing $X$ and $Y$ that satisfy $X \otimes M \otimes Y = U$.

Proposition 4.2

Let $U$ be the message that Alice sent to Bob in Protocol 1 or Protocol 2. Then, Attack 1 yields

$$X = \bigoplus_{\alpha \in \{0,\ldots,D\}} (x_\alpha \otimes A^{\alpha}), \qquad Y = \bigoplus_{\beta \in \{0,\ldots,D\}} (y_\beta \otimes B^{\beta}),$$

such that $X$ and $Y$ satisfy $X \otimes M \otimes Y = U$.

Proof

Since $U = X \otimes M \otimes Y$, there is a vector $z$ that solves equation (3) with $z_{\alpha\beta} = x_\alpha \otimes y_\beta$ for some $x_\alpha$ and $y_\beta$ such that $X = \bigoplus_{\alpha \in \{0,\ldots,D\}} (x_\alpha \otimes A^{\alpha})$ and $Y = \bigoplus_{\beta \in \{0,\ldots,D\}} (y_\beta \otimes B^{\beta})$. We now need to show that the method described in Attack 1 does find such a vector. Since the attack, due to Proposition 4.1, searches for all possible solutions of equation (3), it is guaranteed that it finds a solution that solves system (4) (or equivalently system (5)) because we know that there exist coefficients $x_\alpha$ and $y_\beta$ such that $\bigoplus_{\alpha,\beta} x_\alpha \otimes y_\beta \otimes R^{\alpha\beta} = U$, and these coefficients can be used to construct $X$ and $Y$. □

Since Attack 1 is computationally very heavy, it might not be practical, especially when Alice and Bob use very high polynomial degrees or matrix dimensions (see the numerical experiments below). An attacker would then consider a heuristic version of the attack. One possible heuristic, which we are presenting only for the max-min case, would be as shown in Attack 2, where the attacker checks for a vector that solves system (4) (or equivalently system (5)) in just one box, where the lowest corner of the box is the lower bound $r$ suggested by Gavalec [19, Lemma 5.2] (i.e., $r \le z$ for any solution $z$ of equation (3)), and similarly the highest corner of the box is the greatest solution of equation (3). The attack succeeds if a solution is found, and fails otherwise.

Attack 2

(Heuristic version of Attack 1 in the max-min case)

  1. Compute the greatest solution $c$ of equation (3).

  2. Compute the lower bound $r$ for solutions of equation (3) suggested by Gavalec [19, Lemma 5.2].

  3. Solve the system

    $$r_{\alpha\beta} \le \min(x_\alpha, y_\beta) \le c_{\alpha\beta} \quad \forall \alpha, \beta \in \{0, \ldots, D\}.$$

5 Implementations and numerical experiments

We now implement the attacks on Protocols 1 and 2, analyzing their behavior and execution time. We also compare the resistance of the two proposed max-min protocols with their tropical counterparts.

In our series of experiments, we investigate the behavior of Attack 1 in which we count the number of enumerated minimal solutions, and how many of them were tested to recover the shared key. We also measure the time taken by this attack to break the protocol. It appears that the number of enumerated and tested minimal solutions is much higher than in the tropical case (as reported in the experiment of Kotov and Ushakov [4]). Furthermore, as the degree of polynomial or the matrix dimension increases, the number of minimal solutions skyrockets, leading to significantly prolonged attack times, often spanning several hours already for low dimensions. Such instances tend to occur more frequently as the degree increases, likely attributed to the high number of minimal solutions driven by the increase in key randomness. We expect that the max-min protocols require significantly more time to compromise compared to their tropical counterparts, primarily due to the increased number of enumerated and tested minimal solutions, in addition to having to solve a harder optimization problem (we have to solve a linear programming problem in the case of tropical Stickel protocol, compared with mixed-integer linear programming for the max-min case).

We used a ten-dimensional matrix and a polynomial degree from 2 to 10 for the case of Protocol 1, and a matrix dimension from 2 to 10 for the case of Protocol 2, and both matrix entries and polynomial coefficients are in $[-10{,}000, 10{,}000]$. The results of this experiment (the number of minimal solutions and the execution time) are shown in Tables 1 and 2. The code was executed on MATLAB R2023b running on Windows 11 64-bit, equipped with an Intel(R) Core(TM) i7-9750H CPU@2.60GHz and 16.0 GB RAM.

Table 1

Performance of Attack 1 on the protocol based on polynomials

| Degree | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 |
|---|---|---|---|---|---|---|---|---|---|
| Number of minimal solutions | 5 | 11 | 54 | 664 | 439 | 3,198 | 12,493 | 20,834 | 27,342 |
| Number of tested minimal solutions | 1 | 1 | 54 | 1 | 43 | 1,261 | 1 | 199 | 373 |
| Time taken (s) | 0.01 | 0.04 | 0.34 | 2.9 | 52.4 | 986 | 1,545 | 12,204 | 14,924 |

Table 2

Performance of Attack 1 on the protocol based on circulants

| Dimension | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 |
|---|---|---|---|---|---|---|---|---|---|
| Number of minimal solutions | 4 | 6 | 16 | 3,125 | 5,040 | 6,480 | 22,400 | 32,256 | 40,000 |
| Number of tested minimal solutions | 1 | 4 | 12 | 31 | 1 | 1 | 709 | 5,351 | 6,321 |
| Time taken (s) | 0.01 | 0.03 | 0.1 | 11.4 | 32.5 | 47.1 | 1,121 | 10,362 | 14,073 |

To compare these results with the efficiency of Kotov–Ushakov attack in the tropical case, we demonstrate here the results of our numerical experiments (Figure 3) presented previously by Alhussaini et al. [23].

Figure 3: Time taken for Kotov–Ushakov attack to break tropical Stickel protocol based on polynomials (left) and modified circulants (right) [23].

Figure 4 shows the success rate and time spent by Attack 2 on Protocol 1 (which is a heuristic version of the Kotov–Ushakov attack). Unfortunately, this attack performs very poorly against Protocol 2, with success rate dropping to 0% already for very low dimensions. Obviously, this heuristic is much faster than Attack 1 since it avoids enumerating all minimal solutions.

Figure 4: Success rate and time of Attack 2 on Protocol 1.

Another advantage of max-min protocols over the tropical ones is that the max-min protocols demonstrate greater resilience against the two-sided discrete logarithm attacks. This is attributed to the rarity of a single monomial dominating in the polynomial, unlike the tropical version where such dominance is much more common. To assess the frequency of single monomial dominance in both max-min and tropical cases, we conducted a simple numerical experiment where we sampled the matrix entries and polynomial coefficients from $[-1{,}000, 1{,}000]$ and noticed that a single monomial represents a 10th-degree polynomial 83% of the time in the tropical case, compared with 0% for the max-min case.

6 Conclusion

In this work, we have suggested to implement Stickel protocol over max-$T$ semirings, starting with the most familiar max-min (fuzzy) semiring and considering two versions of it, based on polynomials and based on modified circulants. We also formulated a max-min/max-$T$ analogue of Kotov–Ushakov attack which, like in the case of the original Kotov–Ushakov attack, enumerates all minimal solutions and, among the solution set that a minimal solution defines, tries to find a solution that has the required structure.

It may be concerning that the max-min semiring does not produce new numbers and therefore, the keys generated by Alice and Bob have only a small number of different entries. While this tends to be the case (especially when compared with the tropical versions of the same protocols), the number of different entries is significant and in general does not allow for a quick brute-force attack. Potentially, an implementation using a different $T$-norm can improve it further.

The max-min implementation seems more resistant to the existing attacking techniques such as the Kotov–Ushakov attack mostly because of the much bigger number of minimal solutions, which skyrockets as the degree of polynomial or the dimension of the circulant increases.

The attack method presented in this study represents the “default” approach for addressing the hard underlying problem posed by the targeted protocols: finding a special solution among all possible solutions to a system of the form “$A \otimes x = b$.” As argued in Proposition 4.2, this method is guaranteed to succeed. Additionally, we introduced an alternative attack that attempts to directly identify this special solution without exhaustively scanning all possible solutions. However, this approach demonstrated a limited success rate, especially in the case of modified circulants. Even in the case of polynomials, the success rate is not overwhelming and the time taken is higher compared to the similar heuristic techniques in the tropical case [23].

We believe that there are alternative approaches that could more efficiently target the suggested protocols, avoiding the direct engagement with the underlying hard problem of minimal solutions enumeration. These strategies, while potentially not guaranteed to always succeed, could offer significant improvements. We leave the exploration of such methods to future research.

Future research could also focus on picking some interesting classes of $T$-norms to provide more secure platforms for the Stickel (and possibly other) protocols or on further improvement of the Kotov–Ushakov attack on this protocol over various semirings.

Acknowledgement

The authors are grateful to the anonymous referees for careful reading and comments which helped to improve our article.

  1. Funding information: Authors state no funding involved.

  2. Author contributions: Both authors have accepted responsibility for the entire content of this manuscript and approved its submission.

  3. Conflict of interest: The authors state no conflict of interest.

Appendix

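A.1 Upper $s$-circulant matrices commute [18]

Let $A$ be an upper $s$-circulant matrix with parameters $c_0, c_1, c_2, \ldots, c_{n-1}$ and let $B$ be an upper $s$-circulant matrix with parameters $d_0, d_1, d_2, \ldots, d_{n-1}$; then we have

$$A = \begin{pmatrix}
c_0 & c_{n-1}\otimes s & c_{n-2}\otimes s & \cdots & c_1\otimes s\\
c_1 & c_0 & c_{n-1}\otimes s & \cdots & c_2\otimes s\\
c_2 & c_1 & c_0 & \cdots & c_3\otimes s\\
\vdots & \vdots & \vdots & \ddots & \vdots\\
c_{n-1} & c_{n-2} & c_{n-3} & \cdots & c_0
\end{pmatrix}, \qquad
B = \begin{pmatrix}
d_0 & d_{n-1}\otimes s & d_{n-2}\otimes s & \cdots & d_1\otimes s\\
d_1 & d_0 & d_{n-1}\otimes s & \cdots & d_2\otimes s\\
d_2 & d_1 & d_0 & \cdots & d_3\otimes s\\
\vdots & \vdots & \vdots & \ddots & \vdots\\
d_{n-1} & d_{n-2} & d_{n-3} & \cdots & d_0
\end{pmatrix}$$

and

$$A \otimes B = \begin{pmatrix}
e_{11} & e_{12} & e_{13} & \cdots & e_{1n}\\
e_{21} & e_{22} & e_{23} & \cdots & e_{2n}\\
e_{31} & e_{32} & e_{33} & \cdots & e_{3n}\\
\vdots & \vdots & \vdots & \ddots & \vdots\\
e_{n1} & e_{n2} & e_{n3} & \cdots & e_{nn}
\end{pmatrix},$$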

where

e 11 = ( c 0 d 0 ) ( c n 1 s d 1 ) ( c n 2 s d 2 ) ( c 1 s d n 1 ) e 21 = ( c 1 d 0 ) ( c 0 d 1 ) ( c n 1 s d 2 ) ( c 2 s d n 1 ) e 31 = ( c 2 d 0 ) ( c 1 d 1 ) ( c 0 d 2 ) ( c 3 s d n 1 ) e n 1 = ( c n 1 d 0 ) ( c n 2 d 1 ) ( c n 3 d 2 ) ( c 0 d n 1 ) e 12 = ( c 0 d n 1 s ) ( c n 1 s d 0 ) ( c n 2 s d 1 ) ( c 1 s d n 2 ) e 22 = ( c 1 d n 1 s ) ( c 0 d 0 ) ( c n 1 s d 1 ) ( c 2 s d n 2 ) e 32 = ( c 2 d n 1 s ) ( c 1 d 0 ) ( c 0 d 1 ) ( c 3 s d n 2 ) e n 2 = ( c n 1 d n 1 s ) ( c n 2 d 0 ) ( c n 3 d 1 ) ( c 0 d n 2 ) e 13 = ( c 0 d n 2 s ) ( c n 1 s d n 1 s ) ( c n 2 s d 0 ) ( c 1 s d n 3 ) e 23 = ( c 1 d n 2 s ) ( c 0 d n 1 s ) ( c n 1 s d 0 ) ( c 2 s d n 3 ) e 33 = ( c 2 d n 2 s ) ( c 1 d n 1 s ) ( c 0 d 0 ) ( c 3 s d n 3 ) e n 3 = ( c n 1 d n 2 s ) ( c n 2 d n 1 s ) ( c n 3 d 0 ) ( c 0 d n 3 ) e 1 n = ( c 0 d 1 s ) ( c n 1 s d 2 s ) ( c n 2 s d 3 s ) ( c 1 s d 0 ) e 2 n = ( c 1 d 1 s ) ( c 0 d 2 s ) ( c n 1 s d 3 s ) ( c 2 s d 0 ) e 3 n = ( c 2 d 1 s ) ( c 1 d 2 s ) ( c 0 d 3 s ) ( c 3 s d 0 ) e n n = ( c n 1 d 1 s ) ( c n 2 d 2 s ) ( c n 3 d 3 s ) ( c 0 d 0 ) .

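We can simplify these equations, remembering that the subscripts are always integers; therefore, if $i, j \in \mathbb{Z}$ and $0 \le i, j \le n-1$, we can rewrite these as

$$\begin{aligned}
e_{11} &= \bigoplus_{i+j=0} (c_i \otimes d_j) \oplus \bigoplus_{i+j=n} (s \otimes c_i \otimes d_j), &
e_{21} &= \bigoplus_{i+j=1} (c_i \otimes d_j) \oplus \bigoplus_{i+j=n+1} (s \otimes c_i \otimes d_j),\\
e_{31} &= \bigoplus_{i+j=2} (c_i \otimes d_j) \oplus \bigoplus_{i+j=n+2} (s \otimes c_i \otimes d_j), &
e_{n1} &= \bigoplus_{i+j=n-1} (c_i \otimes d_j),\\
e_{12} &= \bigoplus_{i+j=n-1} (s \otimes c_i \otimes d_j), &
e_{22} &= \bigoplus_{i+j=0} (c_i \otimes d_j) \oplus \bigoplus_{i+j=n} (s \otimes c_i \otimes d_j),\\
e_{32} &= \bigoplus_{i+j=1} (c_i \otimes d_j) \oplus \bigoplus_{i+j=n+1} (s \otimes c_i \otimes d_j), &
e_{n2} &= \bigoplus_{i+j=n-2} (c_i \otimes d_j) \oplus \bigoplus_{i+j=2n-2} (s \otimes c_i \otimes d_j),\\
e_{13} &= \bigoplus_{i+j=n-2} (s \otimes c_i \otimes d_j) \oplus \bigoplus_{i+j=2n-2} (s^2 \otimes c_i \otimes d_j), &
e_{23} &= \bigoplus_{i+j=n-1} (s \otimes c_i \otimes d_j),\\
e_{33} &= \bigoplus_{i+j=0} (c_i \otimes d_j) \oplus \bigoplus_{i+j=n} (s \otimes c_i \otimes d_j), &
e_{n3} &= \bigoplus_{i+j=n-3} (c_i \otimes d_j) \oplus \bigoplus_{i+j=2n-3} (s \otimes c_i \otimes d_j),\\
e_{1n} &= \bigoplus_{i+j=1} (s \otimes c_i \otimes d_j) \oplus \bigoplus_{i+j=n+1} (s^2 \otimes c_i \otimes d_j), &
e_{2n} &= \bigoplus_{i+j=2} (s \otimes c_i \otimes d_j) \oplus \bigoplus_{i+j=n+2} (s^2 \otimes c_i \otimes d_j),\\
e_{3n} &= \bigoplus_{i+j=3} (s \otimes c_i \otimes d_j) \oplus \bigoplus_{i+j=n+3} (s^2 \otimes c_i \otimes d_j), &
e_{nn} &= \bigoplus_{i+j=0} (c_i \otimes d_j) \oplus \bigoplus_{i+j=n} (s \otimes c_i \otimes d_j).
\end{aligned}$$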

Therefore, in general we have

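$$e_{pq} = \bigoplus_{i+j=p-q} (c_i \otimes d_j) \oplus \bigoplus_{i+j=n+p-q} (s \otimes c_i \otimes d_j) \oplus \bigoplus_{i+j=2n+p-q} (s^2 \otimes c_i \otimes d_j), \quad 1 \le p, q \le n.$$

Here and below we will assume $0 \le i, j \le n-1$. We now consider $B \otimes A$:

$$B \otimes A = \begin{pmatrix}
f_{11} & f_{12} & f_{13} & \cdots & f_{1n}\\
f_{21} & f_{22} & f_{23} & \cdots & f_{2n}\\
f_{31} & f_{32} & f_{33} & \cdots & f_{3n}\\
\vdots & \vdots & \vdots & \ddots & \vdots\\
f_{n1} & f_{n2} & f_{n3} & \cdots & f_{nn}
\end{pmatrix}.$$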

In a similar manner, we find a general formula for f p q as

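$$f_{pq} = \bigoplus_{i+j=p-q} (d_i \otimes c_j) \oplus \bigoplus_{i+j=n+p-q} (s \otimes d_i \otimes c_j) \oplus \bigoplus_{i+j=2n+p-q} (s^2 \otimes d_i \otimes c_j), \quad 1 \le p, q \le n.$$

We note that the solutions to $i + j = r$ for some $r$, where $i, j$ are integers inclusively between 1 and $n-1$ and $r$ is an integer inclusively between 1 and $2n-2$, are symmetric. For example, $i + j = 1$ has solutions $(1, 0)$ and $(0, 1)$. This implies that

$$\begin{aligned}
e_{pq} &= \bigoplus_{i+j=p-q} (c_i \otimes d_j) \oplus \bigoplus_{i+j=n+p-q} (s \otimes c_i \otimes d_j) \oplus \bigoplus_{i+j=2n+p-q} (s^2 \otimes c_i \otimes d_j)\\
&= \bigoplus_{i+j=p-q} (d_i \otimes c_j) \oplus \bigoplus_{i+j=n+p-q} (s \otimes d_i \otimes c_j) \oplus \bigoplus_{i+j=2n+p-q} (s^2 \otimes d_i \otimes c_j) = f_{pq} \quad \forall\, 1 \le p, q \le n.
\end{aligned}$$

As $e_{pq} = f_{pq}$ for all $p$ and $q$, we obtain

$$A \otimes B = \begin{pmatrix}
e_{11} & e_{12} & e_{13} & \cdots & e_{1n}\\
e_{21} & e_{22} & e_{23} & \cdots & e_{2n}\\
e_{31} & e_{32} & e_{33} & \cdots & e_{3n}\\
\vdots & \vdots & \vdots & \ddots & \vdots\\
e_{n1} & e_{n2} & e_{n3} & \cdots & e_{nn}
\end{pmatrix} = \begin{pmatrix}
f_{11} & f_{12} & f_{13} & \cdots & f_{1n}\\
f_{21} & f_{22} & f_{23} & \cdots & f_{2n}\\
f_{31} & f_{32} & f_{33} & \cdots & f_{3n}\\
\vdots & \vdots & \vdots & \ddots & \vdots\\
f_{n1} & f_{n2} & f_{n3} & \cdots & f_{nn}
\end{pmatrix} = B \otimes A.$$

Thus, any two upper $s$-circulant matrices commute.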

A.2 Upper $s$-circulant matrices are a semiring [18]

Recall that

$$e_{pq} = \bigoplus_{i+j=p-q} (c_i \otimes d_j) \oplus \bigoplus_{i+j=n+p-q} (s \otimes c_i \otimes d_j) \oplus \bigoplus_{i+j=2n+p-q} (s^2 \otimes c_i \otimes d_j), \quad 1 \le p, q \le n.$$

We observe that $e_{pq} = e_{(p+1)(q+1)}$ as

$$\begin{aligned}
e_{(p+1)(q+1)} &= \bigoplus_{i+j=(p+1)-(q+1)} (c_i \otimes d_j) \oplus \bigoplus_{i+j=n+(p+1)-(q+1)} (s \otimes c_i \otimes d_j) \oplus \bigoplus_{i+j=2n+(p+1)-(q+1)} (s^2 \otimes c_i \otimes d_j)\\
&= \bigoplus_{i+j=(p-q)} (c_i \otimes d_j) \oplus \bigoplus_{i+j=n+p-q} (s \otimes c_i \otimes d_j) \oplus \bigoplus_{i+j=2n+p-q} (s^2 \otimes c_i \otimes d_j) = e_{pq}.
\end{aligned}$$

So, we have

$$e_{pq} = e_{(p+1)(q+1)} \quad \text{for } 1 \le p, q \le n.$$

As we have shown that all entries on the same diagonal of A B are equal to each other, in order to show that it is an upper s -circulant matrix, it remains to show that the first column and the first row are as they should be in an upper s -circulant matrix. For example, we need to show that e 12 = e n 1 s and e 13 = e ( n 1 ) 1 s . We do not need to consider e 00 . In general we need to show that

e 1 q = s e ( n + 2 q ) 1 for 2 q n .

Using our general formula, we see that

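$$\begin{aligned} e_{1q} &= \bigoplus_{i+j=1-q} (c_i \otimes d_j) \oplus \bigoplus_{i+j=n+1-q} (s \otimes c_i \otimes d_j) \oplus \bigoplus_{i+j=2n+1-q} (s^{2} \otimes c_i \otimes d_j) \\ &= \bigoplus_{i+j=n+1-q} (s \otimes c_i \otimes d_j) \oplus \bigoplus_{i+j=2n+1-q} (s^{2} \otimes c_i \otimes d_j) \\ &= s \otimes \Bigl( \bigoplus_{i+j=n+1-q} (c_i \otimes d_j) \oplus \bigoplus_{i+j=2n+1-q} (s \otimes c_i \otimes d_j) \Bigr), \quad 2 \le q \le n. \end{aligned}$$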

We also have

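$$\begin{aligned} s \otimes e_{(n-q+2)1} &= s \otimes \Bigl( \bigoplus_{i+j=(n+2-q)-1} (c_i \otimes d_j) \oplus \bigoplus_{i+j=n+(n+2-q)-1} (s \otimes c_i \otimes d_j) \oplus \bigoplus_{i+j=2n+(n+2-q)-1} (s^{2} \otimes c_i \otimes d_j) \Bigr), \quad 2 \le q \le n, \\ &= s \otimes \Bigl( \bigoplus_{i+j=n+1-q} (c_i \otimes d_j) \oplus \bigoplus_{i+j=2n+1-q} (s \otimes c_i \otimes d_j) \oplus \bigoplus_{i+j=3n-q+1} (s^{2} \otimes c_i \otimes d_j) \Bigr) \\ &= s \otimes \Bigl( \bigoplus_{i+j=n+1-q} (c_i \otimes d_j) \oplus \bigoplus_{i+j=2n-q+1} (s \otimes c_i \otimes d_j) \Bigr) \\ &= e_{1q} \quad \text{for } 2 \le q \le n. \end{aligned}$$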

Therefore, we have shown that

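$$e_{1q} = s \otimes e_{(n+2-q)1} \quad \text{for } 2 \le q \le n.$$

Using the above equations we can see that $A \otimes B = B \otimes A$ is indeed an upper $s$-circulant. We are left to show that $A \oplus B \in C_n^s$ to prove that the set of upper $s$-circulant matrices is indeed a (commutative) semiring. This follows since

$$\begin{aligned} A \oplus B &= \begin{pmatrix} c_0 & c_{n-1} \otimes s & c_{n-2} \otimes s & \cdots & c_1 \otimes s \\ c_1 & c_0 & c_{n-1} \otimes s & \cdots & c_2 \otimes s \\ c_2 & c_1 & c_0 & \cdots & c_3 \otimes s \\ \vdots & \vdots & \vdots & \ddots & \vdots \\ c_{n-1} & c_{n-2} & c_{n-3} & \cdots & c_0 \end{pmatrix} \oplus \begin{pmatrix} d_0 & d_{n-1} \otimes s & d_{n-2} \otimes s & \cdots & d_1 \otimes s \\ d_1 & d_0 & d_{n-1} \otimes s & \cdots & d_2 \otimes s \\ d_2 & d_1 & d_0 & \cdots & d_3 \otimes s \\ \vdots & \vdots & \vdots & \ddots & \vdots \\ d_{n-1} & d_{n-2} & d_{n-3} & \cdots & d_0 \end{pmatrix} \\ &= \begin{pmatrix} c_0 \oplus d_0 & (c_{n-1} \oplus d_{n-1}) \otimes s & (c_{n-2} \oplus d_{n-2}) \otimes s & \cdots & (c_1 \oplus d_1) \otimes s \\ c_1 \oplus d_1 & c_0 \oplus d_0 & (c_{n-1} \oplus d_{n-1}) \otimes s & \cdots & (c_2 \oplus d_2) \otimes s \\ c_2 \oplus d_2 & c_1 \oplus d_1 & c_0 \oplus d_0 & \cdots & (c_3 \oplus d_3) \otimes s \\ \vdots & \vdots & \vdots & \ddots & \vdots \\ c_{n-1} \oplus d_{n-1} & c_{n-2} \oplus d_{n-2} & c_{n-3} \oplus d_{n-3} & \cdots & c_0 \oplus d_0 \end{pmatrix} \end{aligned}$$

This is an upper $s$-circulant matrix with entries $(c_0 \oplus d_0), (c_1 \oplus d_1), \ldots, (c_{n-1} \oplus d_{n-1})$. Hence, $A \oplus B \in C_n^s$ and due to the commutative property of $\oplus$, we also have that $B \oplus A \in C_n^s$. Hence, $C_n^s$ is indeed a commutative semiring.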
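Both results of this appendix (commutativity and closure of upper s-circulant matrices) can be checked numerically. The Python code below is an added example, not code from the paper or from [18]: it builds upper s-circulant matrices from their first column and tests commutativity, the entry formula for the product, and closure under matrix addition. The function names, the integer entry range and the choice of max-plus and max-min as the two test semirings are assumptions of the example.

```python
import random
from functools import reduce

# (add, mul) for two commutative semirings over the integers. Reading the
# appendix's argument over both of them is an assumption of this example.
MAX_PLUS = (max, lambda a, b: a + b)
MAX_MIN = (max, min)

def upper_s_circulant(c, s, ring):
    """Matrix with first column c: entry (p, q), 0-based, is c[p-q] on or
    below the diagonal and c[n+p-q] (x) s above it."""
    n, mul = len(c), ring[1]
    return [[c[p - q] if p >= q else mul(c[n + p - q], s) for q in range(n)]
            for p in range(n)]

def mat_mul(A, B, ring):
    add, mul = ring
    return [[reduce(add, (mul(A[p][k], B[k][q]) for k in range(len(A))))
             for q in range(len(A))] for p in range(len(A))]

def mat_add(A, B, ring):
    return [[ring[0](a, b) for a, b in zip(ra, rb)] for ra, rb in zip(A, B)]

def is_upper_s_circulant(M, s, ring):
    """True if M is the upper s-circulant matrix generated by its first column."""
    return M == upper_s_circulant([row[0] for row in M], s, ring)

def product_generator(c, d, s, ring):
    """First column of A (x) B from the e_pq formula: pairs with i + j = r
    carry no s, pairs with i + j = n + r carry one factor s."""
    n, (add, mul) = len(c), ring
    return [reduce(add, [mul(c[i], d[r - i]) for i in range(r + 1)] +
                   [mul(s, mul(c[i], d[n + r - i])) for i in range(r + 1, n)])
            for r in range(n)]

def verify(c, d, s, ring):
    """Commutativity, the product formula, and closure under (x) and (+)."""
    A, B = upper_s_circulant(c, s, ring), upper_s_circulant(d, s, ring)
    AB = mat_mul(A, B, ring)
    return (AB == mat_mul(B, A, ring)
            and AB == upper_s_circulant(product_generator(c, d, s, ring), s, ring)
            and is_upper_s_circulant(mat_add(A, B, ring), s, ring))

def check(n, ring, trials=200, seed=1):
    rng = random.Random(seed)  # constructed random inputs, fixed seed
    draw = lambda k: [rng.randint(-20, 20) for _ in range(k)]
    return all(verify(draw(n), draw(n), draw(1)[0], ring) for _ in range(trials))

print(check(6, MAX_PLUS), check(6, MAX_MIN))
```

Because the product is again upper s-circulant, `product_generator` obtains it from the two generating vectors in O(n²) semiring operations instead of a full matrix multiplication.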

References

[1] Diffie W, Hellman M. New directions in cryptography. IEEE Trans Inform Theory. 1976;22(6):644–54. doi:10.1109/TIT.1976.1055638.

[2] Stickel E. A new method for exchanging secret keys. In: Third International Conference on Information Technology and Applications (ICITA’05). Vol. 2; 2005. p. 426–30. doi:10.1109/ICITA.2005.33.

[3] Grigoriev D, Shpilrain V. Tropical cryptography. Commun Algebra. 2013;42:2624–32. https://api.semanticscholar.org/CorpusID:6744219. doi:10.1080/00927872.2013.766827.

[4] Kotov M, Ushakov A. Analysis of a key exchange protocol based on tropical matrix algebra. J Math Cryptol. 2018;12(3):137–41. https://doi.org/10.1515/jmc-2016-0064, [cited 2023-11-26].

[5] Muanalifah A, Sergeev S. Modifying the tropical version of Stickel’s key exchange protocol. Appl Math. 2020 Dec;65:727–53. doi:10.21136/AM.2020.0325-19.

[6] Grigoriev D, Shpilrain V. Tropical cryptography II: Extensions by homomorphisms. Commun Algebra. 2019;47(10):4224–9. doi:10.1080/00927872.2019.1581213.

[7] Isaac S, Kahrobaei D. A closer look at the tropical cryptography. Int J Comput Math Comput Syst Theory. 2021;6(2):137–42. doi:10.1080/23799927.2020.1862303.

[8] Muanalifah A, Sergeev S. On the tropical discrete logarithm problem and security of a protocol based on tropical semidirect product. Commun Algebra. 2022;50(2):861–79. doi:10.1080/00927872.2021.1975125.

[9] Rudy D, Monico C. Remarks on a tropical key exchange system. J Math Cryptol. 2020;15(1):280–3. doi:10.1515/jmc-2019-0061.

[10] Nitica V, Sergeev S. Tropical convexity over max-min semiring. In: Litvinov GL, Sergeev SN, editors. Tropical and idempotent mathematics and applications. Vol. 616 of Contemporary Mathematics. Providence, RI, USA: American Mathematical Society; 2014. p. 241–60. doi:10.1090/conm/616/12301.

[11] Gavalec M, Němcová Z, Sergeev S. Tropical linear algebra with the Łukasiewicz T-norm. Fuzzy Sets Syst. 2015;276:131–48. Theme: Logic and Algebra. https://www.sciencedirect.com/science/article/pii/S0165011414005119. doi:10.1016/j.fss.2014.11.008.

[12] Di Nola A, Pedrycz W, Sessa S. Fuzzy relation equations under LSC and USC T-norms and their Boolean solutions. Stochastica. 1987;11(2–3):151–83.

[13] Higashi M, Klir GJ. Resolution of finite fuzzy relation equations. Fuzzy Sets Syst. 1984;13:65–82. doi:10.1016/0165-0114(84)90026-5.

[14] Klir GJ, Yuan B. Fuzzy sets fuzzy logic. Theory and Applications. Saddle River, NJ, United States: Prentice Hall; 1995.

[15] Di Nola A, Lettieri A. Finite BL algebras. Discrete Math. 2003;269:93–112. doi:10.1016/S0012-365X(02)00754-9.

[16] Huang H, Li C, Deng L. Public-key cryptography based on tropical circular matrices. Appl Sci. 2022;12(15):7401. https://www.mdpi.com/2076-3417/12/15/7401. doi:10.3390/app12157401.

[17] Amutha B, Perumal R. Key exchange protocols based on tropical circulant and anti-circulant matrices. AIMS Math. 2023;8(7):17304–34. doi:10.3934/math.2023885.

[18] Collett C. Public key cryptography in max-plus algebra. MSc Dissertation. Birmingham, UK: University of Birmingham; School of Mathematics; 2023.

[19] Gavalec M. Solvability and unique solvability of max-min fuzzy equations. Fuzzy Sets Syst. 2001;124(3):385–93. Fuzzy logic. https://www.sciencedirect.com/science/article/pii/S0165011401001087. doi:10.1016/S0165-0114(01)00108-7.

[20] Zahariev Z. Solving max-min fuzzy linear systems of equations. Algorithm and software. Annual of “Informatics” section Union of Scientists in Bulgaria. 2013;6:1–16. http://e-university.tu-sofia.bg/e-publ/files/12485_SUB-Informatics-2013-6-001-016.pdf.

[21] Peeva K, Kyosev Y. Fuzzy relational calculus - theory, applications and software (with CD-ROM). Advances in fuzzy systems - applications and theory. Vol. 22. Singapore: World Scientific Publishing Company; 2004. doi:10.1142/5683.

[22] De Schutter B, Heemels WPMH, Bemporad A. On the equivalence of linear complementarity problems. Operat Res Let. 2002;30(4):211–22. doi:10.1016/S0167-6377(02)00159-1.

[23] Alhussaini S, Collett C, Sergeev S. Generalized Kotov–Ushakov attack on tropical Stickel protocol based on modified tropical circulant matrices; 2023. Cryptology ePrint Archive, Paper 2023/1904. https://eprint.iacr.org/2023/1904.

Received: 2024-04-04
Revised: 2024-07-09
Accepted: 2024-09-16
Published Online: 2024-11-26

© 2024 the author(s), published by De Gruyter

This work is licensed under the Creative Commons Attribution 4.0 International License.

Downloaded on 29.12.2025 from https://www.degruyterbrill.com/document/doi/10.1515/jmc-2024-0014/html