On the Solutions of Linear Systems over Additively Idempotent Semirings

Abstract

The aim of this article is to solve the system $XA=Y$, where $A=\left(a_{i,j}\right)\in M_{n\times m}\left(S\right)$, $Y\in S^m$ and X is an unknown vector of a size n, with S being an additively idempotent semiring. If the system has solutions, then we completely characterize its maximal one, and in the particular case where S is a generalized tropical semiring, a complete characterization of its solutions is provided as well as an explicit bound of the computational cost associated with its computation. Finally, we show how to apply this method to cryptanalyze two different key exchange protocols defined for a finite case and the tropical semiring, respectively.

1. Introduction

A semiring $(S,+,·,0,1)$ is an algebraic structure in which $(S,+)$ is a commutative monoid with an identity element 0 and $(S,·)$ is a monoid with an identity element 1, with both being internal operations connected by ring-like distributivity. The additive identity 0 is multiplicatively absorbing, and $0\ne 1$ (see, for example, the monograph [1] for an intensive treatment of this algebraic structure). Moreover, a semiring $(S,+,·,0,1)$ is said to be additively idempotent if $x+x=x$ for all $x\in S$. Historically, the first notion of a semiring was from Vandiver [2] in 1934, and interest in additively idempotent semirings arose in the $1950s$ through the observation that some problems in discrete optimization could be linearized over such structures (see, for example, [3]). The first work to make use of an algebra over an idempotent ring (apart from Boolean fields) was that of Kleene [4], where nerve nets were studied in the context of finite state machines. Since then, the study of additively idempotent semirings has led to multiple connections with such diverse fields as graph theory (path algebra), Hamilton–Jacobi theory, automata and language theory, discrete event system theory (where linear systems over additively idempotent semirings modelize discrete event systems of practical interest), and fuzzy logic. As some examples of connections with the latter, each fuzzy triangular norm (t-norm; see, for example, [5]) conducts an additively idempotent semiring, which is called a max-t semiring in the literature, and in [6,7,8], Nola et al. studied certain objects of algebra over semirings arising from fuzzy logic, such as MV-algebras or the Lukasiewicz transform. Moreover, there is currently vast research on matrices with idempotent coefficients and their applications (e.g., [3,9,10]).

As an example of an additively idempotent semiring, we will study the tropical semiring. Tropical algebra was the first section of tropical mathematics to appear, and although a systematic study of the tropical semiring began only after the works of Simon (see [11]), we should note that the $(\mathbb{R},min,+)$ semiring had appeared before in optimization problems (see, for example, Floyd’s algorithm for finding the shortest paths in a graph [12]).

Although the problem of solving linear systems was formulated right after the definition of a root for a tropical polynomial and was given by Viro [13], the first paper [14] actually devoted to tropical linear algebra appeared only as late as 2005. Moreover, this problem has already proved to be quite interesting from the algorithmic point of view as it is known to be in $NP\cap coNP$. Some examples of algorithms proposed for solving tropical linear systems can be found in [15,16,17]. At present, there are numerous applications of linear systems over tropical semirings in various areas of mathematics, engineering, and computer science. For instance, Noel, Grigoriev, Vakulenko, and Radulescu recently proposed a way to use algorithms for solving tropical linear systems to study stable states of reaction networks in biology [18,19]. As an application in fuzzy set theory, Gavalec, Němcová et al. recently proposed a way to convert the problems of max-Lukasiewicz linear algebra (i.e., linear algebra over a max-Lukasiewicz semiring), to the problems of tropical (max-plus) linear algebra [20] and take advantage of the well-developed theory and algorithms of the latter in order to develop a theory of the matrix powers and the eigenproblem over a max-Lukasiewicz semiring. Thus, problems of tropical linear algebra and tropical linear systems in particular are important in terms of both theoretical and practical implications.

When letting $(S,+,·)$ be an additively idempotent semiring, we want to solve the system $XA=Y$, where $A=\left(a_{i,j}\right)\in M_{n\times m}\left(S\right)$, $Y\in S^m$ and X is an unknown vector of a size n. We have to clarify that our notion of a solution differs from that of Viro in the sense that the maximum is achieved only once. If the system $XA=Y$ has solutions, then we can completely characterize its maximal one. Moreover, in the particular case where S is a generalized tropical semiring (see Definition 1.1.1), we are able to characterize completely its solutions and give an explicit bound of the computational cost associated with its computation. Finally, we give a cryptographic application by using our previous results in the case of S being finite and propose an attack to the key exchange protocol presented in [21] and, in the tropical semiring case, to cryptanalyze a quite recent protocol to key exchange in [22] as well.

2. Materials and Methods

In this section, we will introduce some basic background on semigroups and introduce some basic results which we will use throughout this paper.

Definition 1.

A semiring R is a non-empty set with two operations + and · such that $(S,+)$ is a commutative monoid, $(S,·)$ is a monoid, and the following distributive laws hold:

$$\begin{array}{cc}\hfill a(b+c)& \hfill =ab+ac,\hfill \\ \hfill (a+b)c& \hfill =ac+bc,\hfill \end{array}$$

where the symbol of the operation · is omitted.

We say that a semiring $(R,+,·)$ is additively idempotent if $a+a=a$ for all $a\in R$.

Definition 2.

Let R be a semiring and $(M,+)$ be a commutative semigroup with the identity $0_M$. M is a right semimodule over R if there is an external operation $·:M\times R\to M$ such that

$$\begin{array}{cc}\hfill (m·a)·b& =m·(a·b),\hfill \\ \hfill m·(a+b)& =m·a+m·b,\hfill \\ \hfill (m+n)·a& =m·a+n·a,\hfill \\ \hfill 0_M·a& =0_M,\hfill \end{array}$$

for all $a,b\in R$ and $m,n\in M$. We will denote $m·a$ as the simple concatenation $ma$.

Let $(R,+,·)$ be an additively idempotent semiring. Every such semiring is endowed with an order given by the first operation, which is defined as

$$a\le b \mathrm{if} \mathrm{and} \mathrm{only} \mathrm{if} a+b=b.$$

This order respects the operation in R and enables defining a partial order in $R^n$ for every positive integer n:

$$X=(x_1,\dots x_n)\ge Y=(y_1,\dots ,y_n) \mathrm{if} \mathrm{and} \mathrm{only} \mathrm{if} x_i\ge y_i\forall i=1,\dots ,n.$$

If R is a semiring, then we will denote with $Ma{t}_n\left(R\right)$ the semiring of square matrices of the order n for some positive integer n and whose entries are in R.

Lemma 1.

The previous order is compatible with the operations in $R^n$ as a right $Ma{t}_n\left(R\right)$ semimodule.

Proof. 

On one hand, if $X=(x_1,\dots ,x_n),Y=(y_1,\dots ,y_n)\in R^n$ are such that $X\ge Y$ and $C=(c_1,\dots c_n)\in R^n$, then we have $X\ge Y$ implying that $x_i\ge y_i\forall i\in \{1,\dots ,n\}$ and therefore $x_i+c_i\ge y_i+c_i\forall i\in \{1,\dots ,n\}$. Thus, $X+C\ge Y+C$.

On the other hand, if $A=\left(a_{i,j}\right)\in Ma{t}_n\left(R\right)$, and $X\ge Y$ (i.e., $x_i\ge y_i\forall i=1,\dots ,n$), then $x_i{a}_{i,j}\ge y_i{a}_{i,j}\forall i,j\in \{1,\dots ,n\}$ and thus ${\sum }_i{x}_i{a}_{i,j}\ge {\sum }_i{y}_i{a}_{i,j}\forall i,j\in \{1,\dots ,n\}$. Therefore, $XA\ge YA$. □

Let $XA=Y$ be the system of linear equations in R with indeterminates $x_1,\dots ,x_n$:

$$x_1\left(\begin{array}{c}{a}_{1,1}\\ a_{1,2}\\ ⋮\\ a_{1,m-1}\\ a_{1,m}\end{array}\right)+x_2\left(\begin{array}{c}{a}_{2,1}\\ a_{2,2}\\ ⋮\\ a_{2,m-1}\\ a_{2,m}\end{array}\right)+\cdots +x_n\left(\begin{array}{c}{a}_{n,1}\\ a_{n,2}\\ ⋮\\ a_{n,m-1}\\ a_{n,m}\end{array}\right)=\left(\begin{array}{c}{y}_1\\ y_2\\ ⋮\\ y_{m-1}\\ y_m\end{array}\right),$$

with $a_{i,j},y_j\in R$ for all $i=1,\dots ,n$$j=1,\dots ,m$. If we denote $A_i$ as the ith row of A, where $A_i=(a_{i,1},a_{i,2},\dots ,a_{i,m})$, then the system can be written as

$$x_1{A}_1+x_2{A}_2+\cdots +x_n{A}_n=Y.$$

Definition 3.

Let R be an additively idempotent semiring, and let $XA=Y$ be a linear system of equations. We say that $\widehat{X}$ is the maximal solution of the system if the two following conditions are satisfied:

1. 

$\widehat{X}\in R^n$ is a solution of the system (i.e., $\widehat{X}A=Y$);

2. 

If $Z\in R^n$ is any other solution of the system, then $Z+\widehat{X}=\widehat{X}$.

Note that the last condition is equivalent to $Z\le \widehat{X}$.

3. Results

3.1. The Maximal Solution of a Linear System

Our aim in this section is to provide a characterization of the maximal solution of a linear system on certain additively idempotent semirings which will allow us to characterize every solution of these types or systems, and then we will be able to derive an algorithm to compute them.

Theorem 1.

Given an additively idempotent semiring $(R,+,·)$, let $W_i=\{x\in R:x{A}_i+Y=Y\}$$\forall i=1,\dots ,n$. Suppose that these subsets have a maximum with respect to the order induced in R:

$$C_i=max{W}_i.$$

If $XA=Y$ has a solution, then $Z=(C_1,\dots C_n)$ is the maximal solution of the system.

Proof. 

If there is a solution $\widehat{X}=({\widehat{x}}_1,\dots ,{\widehat{x}}_n)$, then for all $k=1,\dots ,n$ we have that

$$\widehat{X}A=Y\Rightarrow {\widehat{x}}_1{A}_1+{\widehat{x}}_2{A}_2+\dots \widehat{x_k}{A}_k+\cdots +{\widehat{x}}_n{A}_n=Y\Rightarrow {\widehat{x}}_k{A}_k+Y=Y\Rightarrow {\widehat{x}}_k\in W_k,$$

(1)

where we used the following relation:

$$\begin{array}{cc}\hfill Y& =Y+Y,\hfill \\ \hfill & ={\widehat{x}}_1·A_1+{\widehat{x}}_2·A_2+\cdots +{\widehat{x}}_k·A_k+\cdots +{\widehat{x}}_n·A_n+Y,\hfill \\ \hfill & ={\widehat{x}}_1·A_1+{\widehat{x}}_2·A_2+\cdots +{\widehat{x}}_k·A_k+{\widehat{x}}_k·A_k+\cdots +{\widehat{x}}_n·A_n+Y,\hfill \\ \hfill & ={\widehat{x}}_k·A_k+{\widehat{x}}_1·A_1+{\widehat{x}}_2·A_2+\cdots +{\widehat{x}}_n·A_n+Y,\hfill \\ \hfill & ={\widehat{x}}_k·A_k+Y.\hfill \end{array}$$

Since ${\widehat{x}}_k\in W_k$ in Equation (1), we have $C_k\ge {\widehat{x}}_k$$\forall k=1,\dots ,n$. Hence, under the proof of Lemma 1, we have

$$Z\ge \widehat{X}\Rightarrow ZA\ge \widehat{X}A=Y.$$

(2)

In addition, as $max{W}_i\in W_i$, by the definition of $W_i$, we find that

$$C_i\in W_i\Rightarrow ZA\le Y,$$

and thus, $ZA=Y$ (i.e., Z is a solution). Furthermore, under the definition of the order in $R^n$, we find that this solution is maximal. □

In the finite case, where both the existence of a solution for the linear system and the computation of the maximal solution are guaranteed precisely by the finiteness condition, we have the following result.

Theorem 2.

Let R be an additively idempotent finite semiring, and let $XA=Y$ be a system of equations with $Y\in R^m$ and $A=\left(a_{i,j}\right)\in Ma{t}_{n\times m}\left(R\right)$. If the system has a solution, then $W_i=\{x\in R:x·A_i+Y=Y\}$ is finite and

$$X=(x_1,\dots ,x_n)\mathrm{such}\mathrm{that}{x}_i=\sum _{x\in W_i}x$$

is the maximal solution of the system.

Proof. 

To show this, it is enough to prove that the set $W_i=\{x\in R:x{A}_i+Y=Y\}$ has a maximum, which is

$$x_i=\underset{x\in W_i}{max}x=\sum _{x\in W_i}x$$

and then apply Theorem 1.

Given that $W_i$ is finite for every $i=1,\dots ,n$, we can assert that $x_i={\sum }_{x\in W_i}x$ for every $i=1,\dots ,n$ is well defined.

Now, if $h\in W_i$, then $h\le x_i$ for every $i=1,\dots ,n$, given that

$$x_i+h=\sum _{x\in W_i}x+h=\sum _{x\in W_i,x\ne h}x+h+h=\sum _{x\in W_i,x\ne h}x+h=\sum _{x\in W_i}x=x_i$$

Finally, if $a+y=b+y=y$, then $(a+b)+y=y$, which shows that $W_i$ is additively closed, and hence $x_i={\sum }_{x\in W_i}\in W_i$. □

3.2. Linear Systems on Tropical Semirings

As we showed in Theorem 1, we can characterize the maximal solution of a linear system over an additively idempotent semiring under some circumstances. Our aim in this section is to study the existence of solutions in the particular case of tropical semirings.

Definition 4.

Let $(R,+,·)$ be a semiring. We say that R is a generalized tropical semiring if 

$$a+b=a or a+b=b of all a,b\in R.$$

The following lemma is immediate from the preceding definition.

Lemma 2.

Every generalized tropical semiring is totally ordered with respect to the order induced by the addition.

Example 1.

$(\mathbb{N},max,·)$ is a semiring where $a+b=max\{a,b\}=aorb$, and thus it is a generalized tropical semiring. Analogously, $(\mathbb{R},max,+)$, $(\mathbb{Z},max,+)$ and $(\mathbb{Q},max,+)$ are also generalized tropical semirings, and they verify being a group with respect to the second operation.

The semiring $(\mathbb{N},+,·)$, where + and · denote the usual addition and product of natural numbers, respectively, is an example of a semiring which is not a generalized tropical semiring.

The previous example induces the following definition.

Definition 5.

Let $(S,+)$ be a semigroup with a total order which is compatible with the operation +. We define the tropicalized semiring of S as the semiring $Trop\left(S\right)=S\cup \{-\infty \}$, with the inner addition defined by max, given by the order in S, and the inner product defined by +, the inner operation of S, and extend these to ∞ in the following way:

1. 

$a+(-\infty )=-\infty +a=-\infty$$\forall a\in Trop\left(S\right)$.

2. 

$max\{a,-\infty \}=max\{-\infty ,a\}=a$$\forall a\in Trop\left(S\right)$.

Example 2.

Let us consider the semiring with two elements $T=\{0,1\}$ whose addition is given by $0+0=1+0=0+1=0$ and $1+1=1$ and the product defined by $a·b=0$ for $a,b\in T$. Then, $(T,+,·)$ is a generalized tropical semiring, but it is not a tropical semiring nor the tropicalized semiring of an ordered semigroup.

The following result is straightforward.

Lemma 3.

Let $(S,+)$ be a totally ordered semigroup, and let $\left(Trop\right(S),max,+)$ be its tropicalized semiring. Then, $\left(Trop\right(S),max,+)$ is a generalized tropical semiring.

Let us recall from [17] that the tropical semiring is given by the semiring $(\mathbb{R}\cup \{-\infty \},max,+)$. It can immediately be found that the tropical semiring is the tropicalized version of $\mathbb{R}$ with the usual operations.

Theorem 3.

Let $(R,+,·)$ be a generalized tropical semiring where $(R,·)$ is a group. If the linear system $X·A=Y$ has a solution $X=(x_1,\dots ,x_n)$, then it is of the form $x_i=max{W}_i$.

Proof. 

Firstly, we will prove that the sets $W_i=\{x\in R:x·A_i+Y=Y\}$ with $A_i={\left(a_{i,j}\right)}_{j=1\dots ,m}$, $i=1,\dots ,n$ have a maximum, and thus we can use Theorem 1.

If $x\in W_i$, then we have that $x·A_i+Y=Y$, where if we see the jth row, then we can obtain $x·a_{i,j}+y_j=y_j$. Therefore, we have

$$max\{x·a_{i,j},y_j\}=y_j\Rightarrow x·a_{i,j}\le y_j\Rightarrow x\le y_j·a_{i,j}^{-1},$$

and thus $x\in W_i$ if and only if $x\le y_j·a_{i,j}^{-1}$ for all $j\in \{1,\dots ,m\}$. This condition is verified if $x\le {min}_j\{y_j·a_{i,j}^{-1}\}$.

Now, if we denote $C_i={min}_j\{y_j·a_{i,j}^{-1}\}$, then we find that $C_i$ is an upper bound of $W_i$ because $x\in W_i\Rightarrow x\le C_i$. In addition, it belongs to the set $W_i$ due to the following identity:

$$C_i{a}_{i,j}=\underset{j}{min}\{y_j·a_{i,j}^{-1}\}{a}_{i,j}\le y_j{a}_{i,j}^{-1}{a}_{i,j}=y_j,$$

which holds for all $j\in \{1,\dots ,m\}$, where $C_i{a}_{i,j}+y_j=y_j$. We can conclude that $max{W}_i=C_i$. □

Moreover, as a consequence of the previous result, we obtain the following corollary.

Corollary 1.

Let $(R,+,·)$ be a generalized tropical semiring where $(R,·)$ is a group, $A=\left(a_{i,j}\right)\in Ma{t}_{n\times m}\left(R\right)$, and the column vector $Y=(y_1,\dots ,y_m)\in R^m$. If the linear system $XA=Y$ has at least one solution, then its maximal solution is of the form $(M_1,\dots ,M_n)$, where $M_i={min}_j\left\{y_j{a}_{i,j}^{-1}\right\}=max{W}_i$ for $i=1,\dots ,n$.

We can also point out that in case the semiring $(R,+,·)$ is such that $(R,·)$ is not a group, we can use the following theorem from [23].

Theorem 4.

A commutative semigroup can be embedded in a group if and only if it is cancellative.

Theorem 5.

Every generalized tropical semiring $(R,+,·)$ such that $(R,·)$ is cancellative can be embedded into a generalized tropical semiring having inverses with respect to ·.

Proof. 

Let $(R,+,·)$ be a generalized tropical semiring such that $(R,·)$ is cancellative. Then, under the preceding, it can be embedded into a group, which we will denote as $Q\left(R\right)$. Note that the elements of $Q\left(R\right)$ are of the form $a/b:=a{b}^{-1}$ with $a,b\in R$. Now, given that R is totally ordered, we can endow $Q\left(R\right)$ with a total order as follows:

$${\displaystyle \frac{a}{b}}\le {\displaystyle \frac{c}{d}}\iff ad\le bd\forall a,b,c,d\in R.$$

(3)

Now, we can define the addition in $Q\left(R\right)$ as

$${\displaystyle \frac{a}{b}}{+}_Q{\displaystyle \frac{c}{d}}=max\{{\displaystyle \frac{a}{b}},{\displaystyle \frac{c}{d}}\}.$$

(4)

Then, the properties which the operation max satisfy give us that $(Q\left(R\right),{+}_Q,·)$ is a generalized tropical semiring. Inverses exist with respect to the second operation, and the embedding $R\hookrightarrow Q\left(R\right)$ is a semiring homomorphism. □

Example 3.

We have that $(\mathbb{N}\cup \{-\infty \},max,·)$ is a generalized tropical semiring. Furthermore, $(\mathbb{N},·)$ is cancellative. With the previous result, we can embed $(\mathbb{N}\cup \{-\infty \},max,·)$ into a generalized tropical semiring with inverses which, under the preceding construction, can be $({\mathbb{Q}}_{>0}\cup \{-\infty \},max,·)$.

Now, we will show how to find every solution of the previous system.

Lemma 4.

Let R be a generalized tropical semiring, where $(R,·)$ is cancellative and $XA=Y$ is a linear system of equations which has a solution, for which $A=\left(a_{i,j}\right)\in Ma{t}_{n\times m}\left(R\right)$ and $Y=(y_1,\dots ,y_m)\in R^m$. Let $C_i=max{W}_i$. Then, $x\in W_i$ if and only if $x\le C_i$.

Proof. 

Let $x\le C_i$, and let $A_i$ be the ith row of A for $i=1,\dots ,n$. Then, $x{A}_i\le C_i{A}_i$, and thus $x{A}_i+Y\le C_i{A}_i+Y=Y$ Moreover, $Y\le x{A}_i+Y$, since

$$Y+(x{A}_i+Y)=(x{A}_i+Y)+Y=x{A}_i+(Y+Y)=x{A}_i+Y$$

and hence $x{A}_i+Y=Y$ and $x\in W_i$. □

Let R be a generalized tropical semiring, and let $XA=Y$ be a linear system of equations with $Y=\left(y_i\right)\in R^m$ and $A=\left(a_{i,j}\right)\in Ma{t}_{n\times m}\left(R\right)$. Let $W_i=\{x\in R:x·A_i+Y=Y\}$. Then, under the proof of Theorem 3, $W_i$ has a maximum which will be denoted by $C_i$ for all $i=1,\dots ,n$.

Theorem 6.

Let R be a generalized tropical semiring, and let $XA=Y$ be a system of equations with $Y=\left(y_i\right)\in R^m$ and $A=\left(a_{i,j}\right)\in Ma{t}_{n\times m}\left(R\right)$. $X=(x_1,x_2,\dots ,x_n)$ is a solution of the system if and only if

1. 

$x_i·a_{i,j}+y_j=y_j$, $\forall j=1,\dots ,m$,

2. 

$\forall j=1,\dots ,m$$\exists h\in \{1,\dots ,n\}$ such that $x_h·a_{h,j}=y_j$.

Proof. 

Let us assume first that $X=(x_1,x_2,\dots ,x_n)$ is a solution of the system. Then, the first condition was already proven in Equation (1). Let us now show the second condition. We have that

$$x_1·A_1+x_2·A_2+\cdots +x_n·A_n=Y.$$

For a fixed value j, we find that

$$x_1·a_{1,j}+x_2·a_{2,j}+\cdots +x_n·a_{n,j}=y_j.$$

Using the definition of generalized tropical semiring, we have that there exists $h\in \{1,\dots ,n\}$ such that $x_h{a}_{h,j}=y_j$.

Conversely, let us suppose now that X verifies both conditions. Then, we have

$$\sum _i{x}_i·a_{i,j}=x_1·a_{1,j}+\cdots +x_{h-1}·a_{h-1,j}+x_h·a_{h,j}+x_{h+1}·a_{h+1,j}+\cdots +x_n·a_{n,j}$$

Now, under condition 2, there exists $h\in \{1,\dots ,n\}$ such that $x_h{a}_{h,j}=y_j$, and thus we can rewrite the equation as

$$\sum _i{x}_i·a_{i,j}=\sum _{i\ne h}{x}_i·a_{i,j}+y_j$$

As $x_i{a}_{i,j}+y_j=y_j$ for all j, and as the semiring is additively idempotent, we finally obtain

$$\sum _i{x}_i·a_{i,j}=y_j$$

for all $j\in \{1,\dots ,m\}$. Thus, X is a solution of the system. □

Corollary 2.

Let $(R,+,·)$ be a generalized tropical semiring such that $(R,·)$ is a group. If the system $XA=Y$ has a solution, then $X=(x_1,x_2,\dots ,x_n)$ is a solution if and only if

1. 

$x_i\in W_i\forall i=1,\dots ,n$.

2. 

$\forall j=1,\dots ,m$$\exists h\in \{1,\dots ,n\}$ such that $x_h=C_h=y_j{a}_{h,j}^{-1}$

where $a_{h,j}^{-1}$ is the inverse of $a_{h,j}$ in a generalized tropical semiring having inverses with respect to · and which contains R.

Proof. 

It is enough to show that the conditions are equivalent to those of Theorem 6.

Firstly, note that the first condition and condition 1 of Theorem 6 are equivalent.

We will show now that if condition 1 is true, then condition 2 is equivalent to condition 2 of Theorem 6.

If 1 is satisfied, then $x_i\le C_i=max{W}_i$. In addition, if condition 2 of Theorem 6 is verified, then

$$x_h=y_j{a}_{h,j}^{-1}\ge \underset{p}{min}\left\{y_p{a}_{h,p}^{-1}\right\}=C_h\ge x_h.$$

using Corollary 1, and thus $x_h=C_h$. The converse is trivial. □

Remark 1.

Let R be a generalized tropical semiring as illustrated above, and let us consider the system $AX=Y$. $X=(x_1,x_2,\dots ,x_n)$ to be a solution of the system if and only if, for every equation, $j\in \{1,\dots ,m\}$ in the system: 

1. 

$a_{i,j}·x_i+y_j=y_j$;

2. 

$\exists h\in \{1,\dots ,n\}$ such that $a_{h,j}·x_h=y_j$.

Then, under the previous corollary, for every $j=1,\dots ,m$, there exists $h\in \{1,\dots ,n\}$ such that $C_h=y_j{a}_{h,j}^{-1}$, and in addition, $x_h=C_h$. As a result, there exits a non-empty set $Index\left(j\right)=\{i\in \{1,\dots ,n\}:C_i=y_i{a}_{i,j}^{-1}\}$. This induces the following result, which provides an algorithm to solve linear equations systems.

Theorem 7.

Let $(R,+,·)$ be a generalized tropical semiring such that $(R,·)$ is a group, and let $XA=Y$ be a system of equations with $Y\in R^m$ and $A=\left(a_{i,j}\right)\in Ma{t}_{n\times m}\left(R\right)$. Determining all of the solutions of the system has a computational cost of $o\left(nm\right)$.

Proof. 

We observe that the solution of the system is given by the vectors $X=(x_1,x_2,\dots ,x_n)$ with the following designations.

For every j, we can choose $h\in Index\left(j\right)$ such that $x_h=C_h$. The rest of the conditions ($x_p$$p=1,\dots ,n$, $p\ne h$) verify that $x_p\le C_p$.

To prove this, note that every $X=(x_1,\dots ,x_n)$ with this designation verifies that $x_i\le C_i$, and from Lemma 4, we have $x_i\in W_i$. Moreover, we observe that for every j, we have some $h\in Index\left(j\right)$ with $x_h=C_h=y_j{a}_{h,j}^{-1}$. Thus, under the preceding corollary, it is a solution.

On the other hand, if $X=(x_1,\dots ,x_n)$ is a solution, then it satisfies the conditions of the preceding corollary. Then, $x_i\in W_i$, and thus $x_i\le C_i=max{W}_h$. Moreover, for every $j=1,\dots ,m$, there exists h such that $x_h=C_h$. But then $x_h=y_h{a}_{h,j}^{-1}$, and hence $h\in Index\left(j\right)$.

As a result, to determine all of the solutions of the system, it is enough to compute $C_i=max{W}_i$ for every $i=1,\dots ,n$ and $Index\left(j\right)=\{i\in \{1,\dots ,n\}:C_i=y_i{a}_{i,j}^{-1}\}$ for every $j=1,\dots ,m$.

To calculate these, we can use the following algorithm.

We first compute the matrix $M\in Mat{\left(R\right)}_{n\times m}$, whose ith column $M_i$ is of the form

$$M_i={\left(y_j{a}_{i,j}^{-1}\right)}_{j=1,\dots ,m}=\left(\begin{array}{c}{y}_1{a}_{i,1}^{-1}\\ y_2{a}_{i,2}^{-1}\\ ⋮\\ y_m{a}_{i,m}^{-1}\end{array}\right)$$

for every $i=1,\dots ,n$

This results in the computation of $nm$ being inverse and $nm$ operations in the set R.

Then, we calculate $C_i=min{M}_i={min}_{j=1,\dots ,m}{y}_j{a}_{i,j}^{-1}$ for every $i=1,\dots ,n$, and simultaneously, we compute the set $Row\left(i\right)=\{j\in \{1,\dots ,m\};C_i=y_j{a}_{i,j}^{-1}\}$, which gives m comparisons for each column and thus $nm$ operations.

Next, we build $Index\left(j\right)=\{i\in \{1,\dots ,n\}:C_i=y_i{a}_{i,j}^{-1}\}$ using $Row\left(i\right)$ with the following process:

1. 

Take $Index\left(j\right)$ to be empty for every $j=1,\dots ,m$.

2. 

Examine $Row\left(i\right)$ for $i=1,\dots ,n$, and if $j\in Row\left(i\right)$, then add i to $Index\left(j\right)$.

This process requires examining $Row\left(i\right)$, and since $Row\left(i\right)\subseteq \{1,\dots ,m\}$, this procedure requires $o\left(m\right)$ comparisons for every $i=1,\dots ,n$. Hence, the cost is $o\left(nm\right)$.

Taking into account that the comparison of two elements is made through the addition of both elements in R, the total cost is $o\left(nm\right)$ basic operations in the ring $(R,+,·)$. □

Remark 2.

We recall that when the generalized tropical semiring R is such that $(R,·)$ is cancellative, which is less restrictive than being a group. Using Theorem 5, we can embed this semiring into a generalized tropical semiring S in the conditions of Corollary 2, and then we can solve any linear system as previously shown, obtaining each solution in S and then checking if any of them are in fact contained in R.

4. Discussion

Within the references, in [17], a method for solving a system of equations through normalization is presented. In [24], the structure of the solution of a system of equations over a tropical semiring was studied by using the rank over rows and columns, and subsequently, a generalized Cramer method was used to find the maximal solution over a tropical semiring.

Examples of systems of equations appear in both papers. In [17], a solution (though not necessarily maximal) was computed, and in [24], the authors provided the range of freedom of the solution. Now, using the preceding, we can show the complete set of solutions of those systems of equations.

To avoid misreading the operation over R as a usual ring and rather as a tropical semiring, the operation $(R,max,+)$ will be denoted as $(R,{+}_T,{·}_T)$.

Example 4.

In [24], the authors computed a solution of the system 

$$\left[\begin{array}{ccccc}-4& 7& 12& -3& 0\\ 3& 2& 8& 3& -1\\ -9& 1& 6& 0& 2\\ 2& 8& -5& 1& -3\end{array}\right]\left[\begin{array}{c}{x}_1\\ x_2\\ x_3\\ x_4\\ x_5\end{array}\right]=\left[\begin{array}{c}14\\ 10\\ 8\\ 11\end{array}\right].$$

Let us determine the complete set of solutions of the system as well as the maximal solution.

Firstly, we calculate $y_j{·}_T{a}_{i,j}^{-1}=y_j-a_{i,j}$, obtaining the matrix

$${(y_j-a_{i,j})}_{i,j}=\left[\begin{array}{ccccc}18& 7& 2& 17& 14\\ 7& 8& 2& 7& 11\\ 17& 7& 2& 8& 6\\ 8& 3& 16& 12& 14\end{array}\right].$$

Then, we have $C_i={min}_j\{y_j-a_{i,j}\}$ and the rows where these minima are reached.

$\mathbf{max}{\mathit{W}}_{\mathit{i}}$	Value	Row
$C_1$	7	$\left\{2\right\}$
$C_2$	3	$\left\{4\right\}$
$C_3$	2	$\{1,2,3\}$
$C_4$	7	$\left\{2\right\}$
$C_5$	6	$\left\{3\right\}$

Now, let us compute $Index\left(j\right)$.

	Columns
$Index\left(1\right)$	$\left\{3\right\}$
$Index\left(2\right)$	$\{1,3,4\}$
$Index\left(3\right)$	$\{3,5\}$
$Index\left(4\right)$	$\left\{2\right\}$

Thus, the solutions are

$$\begin{array}{cc}\hfill & \hfill v_1=(7,3,2,7,h_5)\hfill \\ \hfill & \hfill v_1=(7,3,2,h_4,6)\hfill \\ \hfill & \hfill v_1=(h_1,3,2,7,h_5)\hfill \\ \hfill & \hfill v_1=(h_1,3,2,h_4,6)\hfill \\ \hfill & \hfill v_1=(h_1,3,2,7,h_5)\hfill \\ \hfill & \hfill v_1=(h_1,3,2,7,6)\hfill \end{array}$$

with $h_i\le C_i$.

Moreover, we can observe that the maximal solution was $(7,3,2,7,6)$.

Example 5.

In [17], the authors computed the maximal solution of

$$\left[\begin{array}{ccccc}165& 57& 72& -7& 0\\ 141& 64& 48& 3& -1\\ 137& 101& 46& 0& 2\\ -243& 98& -206& 156& -5\end{array}\right]\left[\begin{array}{c}{x}_1\\ x_2\\ x_3\\ x_4\\ x_5\end{array}\right]=\left[\begin{array}{c}102\\ 78\\ 76\\ 160\end{array}\right]$$

Using our proposed method, we will compute all of the solutions, including the maximal one:

$${(y_j-a_{i,j})}_{i,j}=\left[\begin{array}{ccccc}-63& 45& 30& 109& 102\\ -63& 14& 30& 75& 79\\ -61& -25& 30& 76& 74\\ 403& 62& 366& 4& 165\end{array}\right]$$

Then, we have $C_i={min}_j\{y_j-a_{i,j}\}$ and the rows where those minima were reached.

$\mathbf{max}{\mathit{W}}_{\mathit{i}}$	Value	Row
$C_1$	$-63$	$\left\{3\right\}$
$C_2$	$-25$	$\left\{3\right\}$
$C_3$	30	$\{1,2,3\}$
$C_4$	4	$\left\{4\right\}$
$C_5$	74	$\left\{3\right\}$

Now, we compute $Index\left(j\right)$.

$\mathit{Index}\left(\mathit{j}\right)$	Columns
$Index\left(1\right)$	$\left\{3\right\}$
$Index\left(2\right)$	$\left\{3\right\}$
$Index\left(3\right)$	$\{1,2,3,5\}$
$Index\left(4\right)$	$\left\{4\right\}$

Thus the solutions are

$$\begin{array}{cc}\hfill & \hfill v_1=(-63,h_2,30,4,h_5)\hfill \\ \hfill & \hfill v_1=(h_1,-25,30,4,h_5)\hfill \\ \hfill & \hfill v_1=(h_1,h_2,30,4,h_5)\hfill \\ \hfill & \hfill v_1=(h_1,h_2,30,4,74)\hfill \end{array}$$

where $h_i\le C_i$.

In addition, the maximal solution was $(-63,-25,30,4,74)$, which matched the one obtained in the original paper.

Cryptographic Applications

In [21], the authors introduced a key exchange protocol over semirings and proposed the use of a finite additively idempotent semiring. Quite recently, and using a similar construction to find the shared key, in [22], the authors proposed the tropical semiring to obtain another group key exchange. We now show a general strategy which reduces the cryptanalysis to solve a linear system of equations, and in the case of additively idempotent semirings, the method which we introduced in this paper can then be used to find the keys used by both proposals rather easily from just the information which the parties make public.

In both cases, they used an additively idempotent semiring R and $M,T,N\in Ma{t}_n\left(R\right)$. Each party had a pair of polynomials over the center of R, $(p_a,q_a)$, $(p_b.q_b)$. In the case of the protocol introduced in [21], the parties agreed on a finite additively idempotent semiring. Then, they had $p_a\left(M\right)T{q}_a\left(N\right)$ and $p_b\left(M\right)T{q}_b\left(N\right)$, and the common shared key was $p_a\left(M\right)p_b\left(M\right)T{q}_b\left(N\right)q_a\left(N\right)$. In the case of [22], the parties agreed on the tropical semiring, and they used two private numbers $h_a,h_b\in \mathbb{N}$ and had $T_a={\sum }_{n=0}^{h_a-1}{p}_a{\left(M\right)}^{h_a-1-n}T{q}_a{\left(N\right)}^n$ and $T_b={\sum }_{n=0}^{h_b-1}{p}_b{\left(M\right)}^{h_b-1-n}T{q}_b{\left(N\right)}^n$, respectively. In this case, the shared key was ${\sum }_{n=0}^{h_b-1}{\sum }_{m=0}^{h_a-1}{p}_b{\left(M\right)}^{b-1-n}{p}_a{\left(M\right)}^{a-1-m}T{q}_a{\left(N\right)}^m{p}_b{\left(N\right)}^n$.

Notice that the protocol appearing in [22] is an extension of that given in [21], if we consider that $h_a=h_b=1$. Therefore, it is enough to simply study the second case.

Let us fix h to an upper bound for the degrees of $p_a,q_a$, and let u be a bound for the integer $h_a,h_b$. This is chosen by the attacker at the moment of starting the activity and depends on the computational capabilities. Then, we can rewrite $T_a$ as

$$T_a=\sum _{n=0}^{h_a-1}{p}_a{\left(M\right)}^{h_a-1-n}T{q}_a{\left(N\right)}^n=\sum _{n=0}^{h_a-1}{\left(\sum _{i=0}^h{p}_i{M}^i\right)}^{h_a-1-n}T{\left(\sum _{j=0}^h{q}_i{N}^j\right)}^n=\sum _{i,j=0}^{(h_a-1)·h}{c}_{ij}{M}^{i}T{N}^j$$

(5)

for certain values of $c_{ij}$, where $p_i,q_j$ are elements of the center of R. Note that these coefficients constitute a particular solution of the system

$$T_a=\sum _{i,j=0}^{(h_a-1)·h}{d}_{ij}{M}^{i}T{N}^j$$

(6)

Using the algorithm previously described, we can find a particular solution of the system $d_{i,j}\in Z\left[R\right]$. Then, we can build the function $F[X,Y,Z]={\sum }_{i,j=0}^{(u-1)h}{d}_{i,j}{X}^{i}Y{Z}^j$, which verifies that

$$F[M,T,N]=\sum _{i,j=0}^{(u-1)h}{d}_{i,j}{M}^{i}T{N}^j=A.$$

Then, we have

$$\begin{array}{cc}\hfill F[M,T_b,N]& =\sum _{i,j=0}^{(u-1)h}{d}_{i,j}{M}^i{T}_b{N}^j=\sum _{i,j=0}^{(u-1)h}{d}_{i,j}{M}^i\left(\sum _{n=0}^{(u-1)h}{C}^{u-1-n}T{D}^n\right)N^j=\hfill \\ \hfill & \sum _{i,j=0}^{(u-1)h}\sum _{n=0}^{(u-1)h}{d}_{i,j}{M}^i{C}^{u-1-n}T{D}^n{N}^j=\sum _{i,j=0}^{(u-1)h}\sum _{n=0}^{(u-1)h}{C}^{u-1-n}{d}_{i,j}{M}^{i}T{N}^j{D}^n=\hfill \\ \hfill & \sum _{n=0}^{(u-1)h}\sum _{i,j=0}^{(u-1)h}{C}^{u-1-n}{d}_{i,j}{M}^{i}T{N}^j{D}^n=\sum _{n=0}^{(u-1)h}{C}^{u-1-n}\left(\sum _{i,j=0}^{(u-1)h}{d}_{i,j}{M}^{i}T{N}^j\right)D^n=\hfill \\ \hfill & \sum _{n=0}^{(u-1)h}{C}^{u-1-n}{T}_a{D}^n=K\hfill \end{array}$$

(7)

which is the shared key after the parties run the protocol.

Now, let us check how this reasoning applies to the example proposed in [22], revealing the common key agreed upon by the parties. In this case, we make use of the following matrices:

$$M=\left(\begin{array}{cc}1012& 1011\\ 2\times 1011& 3\times 1012\end{array}\right)$$

$$N=\left(\begin{array}{cc}4\times 1012& 3\times 1011\\ 8\times 1011& 1012\end{array}\right)$$

$$T=\left(\begin{array}{cc}0& 5\times 1011\\ -\infty & 0\end{array}\right)$$

and one of the values that is made public by one of the parties is

$$T_a=\left(\begin{array}{cc}4\times {10}^{12}& 3.6\times {10}^{12}\\ 3.2\times {10}^{12}& 6\times {10}^{12}\end{array}\right)$$

Using the previous algorithm, we can find the polynomial:

$$\begin{array}{cccc}\hfill F[X,Y,Z]=3.1\times {10}^{12}\oplus X^{0}Y{Z}^0\otimes & 2.1\times {10}^{12}\oplus X^{0}Y{Z}^1\otimes \hfill & \hfill 0\oplus X^{0}Y{Z}^2\otimes & \\ \hfill -3\times {10}^{12}\oplus X^{0}Y{Z}^3\otimes & -6\times {10}^{12}\oplus X^{0}Y{Z}^4\otimes \hfill & \hfill -9\times {10}^{12}\oplus X^{0}Y{Z}^5\otimes & \\ \hfill -1.2\times {10}^{13}\oplus X^{0}Y{Z}^6\otimes & -1.5\times {10}^{13}\oplus X^{0}Y{Z}^7\otimes \hfill & \hfill -1.8\times {10}^{13}\oplus X^{0}Y{Z}^8\otimes \\ \hfill 0\oplus X^{1}Y{Z}^0\otimes & -1\times {10}^{12}\oplus X^{1}Y{Z}^1\otimes \hfill & \hfill -4\times {10}^{12}\oplus X^{1}Y{Z}^2\otimes & \\ \hfill -7\times {10}^{12}\oplus X^{1}Y{Z}^3\otimes & -1\times {10}^{13}\oplus X^{1}Y{Z}^4\otimes \hfill & \hfill -1.3\times {10}^{13}\oplus X^{1}Y{Z}^5\otimes & \\ \hfill -1.6\times {10}^{13}\oplus X^{1}Y{Z}^6\otimes & -1.9\times {10}^{13}\oplus X^{1}Y{Z}^7\otimes \hfill & \hfill -2.2\times {10}^{13}\oplus X^{1}Y{Z}^8\otimes \\ \hfill -4\times {10}^{12}\oplus X^{2}Y{Z}^0\otimes & -5\times {10}^{12}\oplus X^{2}Y{Z}^1\otimes \hfill & \hfill -8\times {10}^{12}\oplus X^{2}Y{Z}^2\otimes & \\ \hfill -1.1\times {10}^{13}\oplus X^{2}Y{Z}^3\otimes & -1.4\times {10}^{13}\oplus X^{2}Y{Z}^4\otimes \hfill & \hfill -1.7\times {10}^{13}\oplus X^{2}Y{Z}^5\otimes & \\ \hfill -2\times {10}^{13}\oplus X^{2}Y{Z}^6\otimes & -2.3\times {10}^{13}\oplus X^{2}Y{Z}^7\otimes \hfill & \hfill -2.6\times {10}^{13}\oplus X^{2}Y{Z}^8\otimes \\ \hfill -8\times {10}^{12}\oplus X^{3}Y{Z}^0\otimes & -9\times {10}^{12}\oplus X^{3}Y{Z}^1\otimes \hfill & \hfill -1.2\times {10}^{13}\oplus X^{3}Y{Z}^2\otimes & \\ \hfill -1.5\times {10}^{13}\oplus X^{3}Y{Z}^3\otimes & -1.8\times {10}^{13}\oplus X^{3}Y{Z}^4\otimes \hfill & \hfill -2.1\times {10}^{13}\oplus X^{3}Y{Z}^5\otimes & \\ \hfill -2.4\times {10}^{13}\oplus X^{3}Y{Z}^6\otimes & -2.7\times {10}^{13}\oplus X^{3}Y{Z}^7\otimes \hfill & \hfill -3\times {10}^{13}\oplus X^{3}Y{Z}^8\otimes \\ \hfill -1.2\times {10}^{13}\oplus X^{4}Y{Z}^0\otimes & -1.3\times {10}^{13}\oplus X^{4}Y{Z}^1\otimes \hfill & \hfill -1.6\times {10}^{13}\oplus X^{4}Y{Z}^2\otimes & \\ \hfill -1.9\times {10}^{13}\oplus X^{4}Y{Z}^3\otimes & -2.2\times {10}^{13}\oplus X^{4}Y{Z}^4\otimes \hfill & \hfill -2.5\times {10}^{13}\oplus X^{4}Y{Z}^5\otimes & \\ \hfill -2.8\times {10}^{13}\oplus X^{4}Y{Z}^6\otimes & -3.1\times {10}^{13}\oplus X^{4}Y{Z}^7\otimes \hfill & \hfill -3.4\times {10}^{13}\oplus X^{4}Y{Z}^8\otimes \\ \hfill -1.6\times {10}^{13}\oplus X^{5}Y{Z}^0\otimes & -1.7\times {10}^{13}\oplus X^{5}Y{Z}^1\otimes \hfill & \hfill -2\times {10}^{13}\oplus X^{5}Y{Z}^2\otimes & \\ \hfill -2.3\times {10}^{13}\oplus X^{5}Y{Z}^3\otimes & -2.6\times {10}^{13}\oplus X^{5}Y{Z}^4\otimes \hfill & \hfill -2.9\times {10}^{13}\oplus X^{5}Y{Z}^5\otimes & \\ \hfill -3.2\times {10}^{13}\oplus X^{5}Y{Z}^6\otimes & -3.5\times {10}^{13}\oplus X^{5}Y{Z}^7\otimes \hfill & \hfill -3.8\times {10}^{13}\oplus X^{5}Y{Z}^8\otimes \\ \hfill -2\times {10}^{13}\oplus X^{6}Y{Z}^0\otimes & -2.1\times {10}^{13}\oplus X^{6}Y{Z}^1\otimes \hfill & \hfill -2.4\times {10}^{13}\oplus X^{6}Y{Z}^2\otimes & \\ \hfill -2.7\times {10}^{13}\oplus X^{6}Y{Z}^3\otimes & -3\times {10}^{13}\oplus X^{6}Y{Z}^4\otimes \hfill & \hfill -3.3\times {10}^{13}\oplus X^{6}Y{Z}^5\otimes & \\ \hfill -3.6\times {10}^{13}\oplus X^{6}Y{Z}^6\otimes & -3.9\times {10}^{13}\oplus X^{6}Y{Z}^7\otimes \hfill & \hfill -4.2\times {10}^{13}\oplus X^{6}Y{Z}^8\otimes \\ \hfill -2.4\times {10}^{13}\oplus X^{7}Y{Z}^0\otimes & -2.5\times {10}^{13}\oplus X^{7}Y{Z}^1\otimes \hfill & \hfill -2.8\times {10}^{13}\oplus X^{7}Y{Z}^2\otimes & \\ \hfill -3.1\times {10}^{13}\oplus X^{7}Y{Z}^3\otimes & -3.4\times {10}^{13}\oplus X^{7}Y{Z}^4\otimes \hfill & \hfill -3.7\times {10}^{13}\oplus X^{7}Y{Z}^5\otimes & \\ \hfill -4\times {10}^{13}\oplus X^{7}Y{Z}^6\otimes & -4.3\times {10}^{13}\oplus X^{7}Y{Z}^7\otimes \hfill & \hfill -4.6\times {10}^{13}\oplus X^{7}Y{Z}^8\otimes \\ \hfill -2.8\times {10}^{13}\oplus X^{8}Y{Z}^0\otimes & -2.9\times {10}^{13}\oplus X^{8}Y{Z}^1\otimes \hfill & \hfill -3.2\times {10}^{13}\oplus X^{8}Y{Z}^2\otimes & \\ \hfill -3.5\times {10}^{13}\oplus X^{8}Y{Z}^3\otimes & -3.8\times {10}^{13}\oplus X^{8}Y{Z}^4\otimes \hfill & \hfill -4.1\times {10}^{13}\oplus X^{8}Y{Z}^5\otimes & \\ \hfill -4.4\times {10}^{13}\oplus X^{8}Y{Z}^6\otimes & -4.7\times {10}^{13}\oplus X^{8}Y{Z}^7\otimes \hfill & \hfill -5\times {10}^{13}\oplus X^{8}Y{Z}^8\end{array}$$

which satisfies $F[M,T,N]=T_a$, and $F[M,T_b,N]=K$ with K as the shared key.

In the use case proposed in [21], using a particular method, the authors of [25] were able to obtain a polynomial as demonstrated above, whose evaluation in the appropriate values provided the common key. Now, by using the above reasoning and the general algorithm to solve linear equation systems, for the finite case proposed in [21], we were able to obtain precisely the same polynomial provided in [25], which shows the cryptanalysis of this case.

We determined that finding an appropriate setting to give a key exchange protocol for the post-quantum era is currently an open problem. In 2017, NIST called for a contest to select new cryptographic primitives which allowed obtaining secure algorithms against the attack of a quantum computer. In 2023, four algorithms were selected: one for key encapsulation and three others for digital signatures. Extremely recently, two digital signatures and a key encapsulation method were officially standardized, but the problem of exchanging a secret collaboratively among two communicating parties through an insecure channel remains open. Thus, the alternatives presented in the two previously discussed cases are not appropriate.

5. Conclusions

In this paper, we characterized the maximal solution of a linear equation system defined over an additively idempotent semiring. This characterization gave us the possibility of obtaining general algorithms which could be run in polynomial time to obtain the complete set of solutions of such systems (in case there is at least one) in both the finite case and the tropical semiring case. In the latter case, we extending the existing results to find not only the maximal solution of a linear system but also every solution of the system. Moreover, we have shown how to apply these algorithms to cryptography and show how possible alternatives for a group key exchange protocol for the post-quantum era are vulnerable.