1. Introduction
A key exchange protocol is a process where two parties, commonly referred to as Alice and Bob, collaboratively generate a shared secret key using public information and messages exchanged over a public channel. The security of a protocol is determined by its ability to prevent an attacker from easily recovering the shared secret key from this public information and the intercepted messages, typically by ensuring that the attacker must solve a problem that is computationally hard to solve in practice. NP-hard problems or problems with exponential worst case complexity are natural candidates for this (although NP-hardness or exponential worst case complexity is not enough to guarantee the security of protocols). Such protocols often rely on various algebraic tools to achieve the desired security properties.
Polynomials over the tropical (max-plus) semiring are one of the recent tools utilized in key exchange protocols, appearing in the tropical implementation of the Stickel protocol proposed by Grigoriev and Shpilrain [1]. This new implementation followed Shpilrain’s successful attack [2] on the initial Stickel protocol [3] and has become one of the most popular key exchange protocols utilizing tropical operations. The rationale behind suggesting a tropical implementation of the protocol was to avoid obvious attacks involving linear algebra and matrix inverses, which were effective against the original protocol. The Stickel protocol can be similarly implemented over any semiring, and its implementation over max–min and max-T semirings (where the symbol T stands for an arbitrary T-norm [4]) is analyzed in [5]. The survey in [6] argues for broadening semiring choices beyond the tropical semiring and reviews the main hard problems in semiring-based cryptography.
Kotov and Ushakov [7] later suggested an attack on the tropical Stickel protocol by transforming the underlying problem into finding a special solution to the protocol’s associated system of equations of the form , the complete solution set of which can be described using the solutions to a certain covering problem. The attacker still faces a significant challenge: solving the problem to find a solution to the covering problem that satisfies certain conditions. To find such a cover, the attacker potentially needs to check all the minimal covers and find a cover that actually produces the required special solution to . Therefore, this approach is less effective when Alice and Bob use high-degree polynomials, which can be efficiently managed by Alice and Bob with minimal computational resources due to the efficient nature of tropical operations. An analogue of the Kotov–Ushakov attack against the max–min and, more generally, max-T implementations of the Stickel protocol can be similarly proposed [5]. However, it encounters a similar challenge of finding a minimal solution with special properties, resulting in an exponential increase in the worst case execution time.
The main idea of this paper is to introduce alternative attack strategies that avoid solving the covering problem encountered in a conventional Kotov–Ushakov attack. Specifically, we propose an attack where we instead find a solution x that minimizes the protocol’s associated objective function using a heuristic optimization technique. We will compare this with a different approach where some of the known attacks are formulated as mixed integer linear programs, allowing the shared key to be recovered using an MILP solver.
This paper is organized as follows: Section 2 covers preliminaries and basic definitions, particularly those related to the matrix algebra over the tropical and max–min semirings, as well as the targeted key exchange protocols based on these semirings. In Section 3, we present our alternative attacks, provide numerical implementations demonstrating their performance, and compare them with a typical Kotov–Ushakov attack. In Section 4 and Section 5, we discuss how these proposed attacks can also target a recent implementation of the Stickel protocol over a newly introduced semiring known as the “digital semiring” [8] and a recently proposed tropical digital signature protocol [9], respectively. Section 6 is dedicated to conclusions and discussion. Our code implementations have been made available on GitHub: https://github.com/suliman1n/Attacking-Tropical-Stickel-Protocol-by-MILP-and-Heuristic-Optimization-Techniques (accessed on 12 September 2025) and were developed using MATLAB R2023b.
2. Preliminaries
In this section, we are going to introduce the matrix algebra over the tropical and max–min semirings, followed by the Stickel protocol over these semirings and two versions of the Kotov–Ushakov attack. Note that we use the standard notation and for most common index sets.
Definition 1 (Matrix Algebra over Semirings [10]).
We define the tropical semiring as and the max–min semiring as where the arithmetical operations are defined by and for all in the tropical case, and by and for all in the max–min case. When addressing both semirings at the same time or any semiring in general, we will use the symbol (also reminiscent of max-T semirings, of which the max–min semiring and the non-positive part of the tropical semiring are special cases). The arithmetic operations over any semiring are naturally extended to matrices and vectors. In particular, the operation where and for and , is defined by
The matrix addition of two matrices and , where and for and , is defined by
The matrix multiplication of two matrices is also similar to the “traditional” algebra. Namely, we define for two matrices, where and , as follows:
The arithmetics of the max-plus and max–min semirings are summarized in Table 1 below.
Note that, despite introducing this arithmetic, we will also quite often utilize the usual arithmetical operations to introduce concepts and explain arguments, mostly since the optimization methods that we are going to exploit are based on the usual arithmetic.
Definition 2 (Matrix Powers).
For , the n-th power of M is denoted by , and is equal to
By definition, any square matrix to the power 0 is the identity.
Definition 3 (Identity Matrix).
The identity matrix is of the form where
Note that the identity matrix can also be defined for a general semiring: one sets the diagonal entries equal to the semiring unity and the off-diagonal entries to the semiring zero [10].
Subsequently, we define the matrix polynomials.
Definition 4 (Matrix Polynomials).
A matrix polynomial is a function of the form
where for . Here, is a square matrix of any dimension n. Any two matrix polynomials of the same matrix over any semiring commute just like in the classical algebra [10], and this fact was utilized by Grigoriev and Shpilrain [1] to construct a tropical implementation of the Stickel protocol (Protocol 1). Quite obviously, this protocol can be implemented over any semiring (and in particular, over the max–min semiring).
Protocol 1 (Stickel Protocol over Semirings).
Alice and Bob agree on public matrices .
Alice chooses two random tropical polynomials, and , and sends to Bob.
Bob chooses two random tropical polynomials, and , and sends to Alice.
Alice computes her secret key using a public key V obtained from Bob, which is .
Bob also computes his secret key using Alice’s public key U, which is .
The two parties end up with an identical key in both protocols due to the commutativity of polynomials of the same matrix. Formally, we have .
An attack against Protocol 1 over the tropical semiring was published by Kotov and Ushakov [7], and an analog of this attack against Protocol 1 over the max–min semiring (and, more generally, the max-T semiring with a continuous T-norm) was discussed in [5]. In the next section, we will compare their performance with the optimization methods proposed in the present paper. The presented attacks break Protocol 1 by solving the following problem:
Problem 1. Given the public matrices U and W where for some unknown and , find and such that .
or the following problem for the attack presented in Section 3.3:
Problem 2. Given the public matrices U and W where for some unknown and , find X and Y such that X commutes with A, Y commutes with B, and .
Solving these problems is sufficient but not necessary to compromise the protocol. For example, the attack presented in [11] offers a more efficient approach against this particular version of the protocol. This attack applies under the two conditions detailed in [12]. Consequently, variants of the Stickel protocol that employ broader classes of commuting matrices (beyond polynomials of some public matrices) or alternative semirings, other than the tropical semiring, may not be vulnerable to this attack. Currently, no such variant of the tropical Stickel protocol is known to us. In such generalized settings, solving the aforementioned problems may be the only viable approach for attacking the Stickel protocol, which is why we still consider them relevant. In [13], the authors proposed a non-Stickel-type protocol based on a tropical multiple-exponentiation problem and showed that known attacks do not directly apply to this construction.
We now turn to the specific goal of the upcoming attacks. The objective of the attacks is to find the polynomial coefficients for all where D is the maximum polynomial degree used in the protocols, and hence construct and that satisfy . Thus, the attacks aim to recover the shared secret key by turning into a system of linear equations of the shape and searching for a solution that satisfies a special structure among all possible solutions. Thus, these attacks encounter the problem of finding all minimal solutions of a linear system of the shape , which is easy to solve when Alice and Bob use low-degree polynomials, as demonstrated numerically in [7,14,15] for the tropical case, or in [5] for the max–min case. However, it becomes significantly more challenging for higher-degree polynomials due to the exponential increase in the number of minimal solutions of the system. The full details of the Kotov–Ushakov attack are described below.
We are aiming to find two matrices X and Y, where they are expressed as
such that D is sufficiently large to exceed the maximal degree of any polynomial that Alice and Bob might use. Then, we substitute these expressions into to obtain
Combining the summations, we obtain
Rearranging those using the distributivity law will give
We then denote
and therefore we can write
If we additionally denote , we have
We have arrived at a system of linear equations of the shape with coefficients and unknowns .
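The following Python script is an added worked example (not the paper's MATLAB code from the GitHub repository above) covering Definitions 1–4, Protocol 1, and the reduction just derived. It implements the tropical and max–min matrix algebra over a generic semiring object, runs one Stickel exchange to confirm that both parties obtain the same key, and then rewrites the equation X ⊗ Y = U, with X and Y polynomials in A and B of degree at most D, as the one-sided system C ⊗ z = u in the unknowns z_(i,j) = x_i ⊗ y_j, checking that the coefficients Alice actually used solve it. The encoding of the max–min zero and unity as -inf and +inf, the function names, and the random sample instance are assumptions of this example.

```python
import math
import random
from typing import Callable, List

Matrix = List[List[float]]


class Semiring:
    """(S, ⊕, ⊗) given by its zero, its unity and the two operations (Definition 1)."""

    def __init__(self, zero: float, one: float,
                 add: Callable[[float, float], float],
                 mul: Callable[[float, float], float]) -> None:
        self.zero, self.one, self.add, self.mul = zero, one, add, mul


# Tropical (max-plus): a ⊕ b = max(a, b), a ⊗ b = a + b, zero = -inf, unity = 0.
TROPICAL = Semiring(-math.inf, 0.0, max, lambda a, b: a + b)
# Max–min: a ⊕ b = max(a, b), a ⊗ b = min(a, b). Encoding the zero as -inf and the
# unity as +inf is an assumption of this example, not something fixed by the paper.
MAXMIN = Semiring(-math.inf, math.inf, max, min)


def identity(S: Semiring, n: int) -> Matrix:
    """Definition 3: unity on the diagonal, semiring zero elsewhere."""
    return [[S.one if i == j else S.zero for j in range(n)] for i in range(n)]


def mat_add(S: Semiring, X: Matrix, Y: Matrix) -> Matrix:
    return [[S.add(x, y) for x, y in zip(rx, ry)] for rx, ry in zip(X, Y)]


def scalar_mul(S: Semiring, c: float, X: Matrix) -> Matrix:
    """c ⊗ X entrywise (how a polynomial coefficient scales a matrix power)."""
    return [[S.mul(c, x) for x in row] for row in X]


def mat_mul(S: Semiring, X: Matrix, Y: Matrix) -> Matrix:
    """(X ⊗ Y)_ij = ⊕_k X_ik ⊗ Y_kj, the semiring analogue of the matrix product."""
    out = [[S.zero] * len(Y[0]) for _ in X]
    for i, row in enumerate(X):
        for j in range(len(Y[0])):
            acc = S.zero
            for k, x in enumerate(row):
                acc = S.add(acc, S.mul(x, Y[k][j]))
            out[i][j] = acc
    return out


def mat_pow(S: Semiring, X: Matrix, k: int) -> Matrix:
    """Definition 2: the k-th power of X; the 0-th power is the identity."""
    result = identity(S, len(X))
    for _ in range(k):
        result = mat_mul(S, result, X)
    return result


def poly_eval(S: Semiring, coeffs: List[float], X: Matrix) -> Matrix:
    """Definition 4: p(X) = ⊕_i a_i ⊗ X^i with coeffs[i] = a_i."""
    acc = [[S.zero] * len(X) for _ in X]
    for i, a in enumerate(coeffs):
        acc = mat_add(S, acc, scalar_mul(S, a, mat_pow(S, X, i)))
    return acc


def stickel_exchange(S, A, B, p1, p2, q1, q2):
    """Protocol 1: Alice holds (p1, p2), Bob holds (q1, q2). Returns (U, V, K_Alice, K_Bob)."""
    U = mat_mul(S, poly_eval(S, p1, A), poly_eval(S, p2, B))  # Alice -> Bob
    V = mat_mul(S, poly_eval(S, q1, A), poly_eval(S, q2, B))  # Bob -> Alice
    k_alice = mat_mul(S, mat_mul(S, poly_eval(S, p1, A), V), poly_eval(S, p2, B))
    k_bob = mat_mul(S, mat_mul(S, poly_eval(S, q1, A), U), poly_eval(S, q2, B))
    return U, V, k_alice, k_bob


def linear_system(S, A, B, U, D):
    """The reduction above: with X = ⊕ x_i A^i and Y = ⊕ y_j B^j, X ⊗ Y = U becomes
    C ⊗ z = u, one row per entry (k, l) of U, column (i, j) holding (A^i ⊗ B^j)_kl,
    unknown z_(i,j) = x_i ⊗ y_j and right-hand side U_kl."""
    n = len(U)
    cols = [(i, j) for i in range(D + 1) for j in range(D + 1)]
    prods = {(i, j): mat_mul(S, mat_pow(S, A, i), mat_pow(S, B, j)) for i, j in cols}
    C = [[prods[c][k][l] for c in cols] for k in range(n) for l in range(n)]
    u = [U[k][l] for k in range(n) for l in range(n)]
    return cols, C, u


def satisfies(S, C, z, u) -> bool:
    """Check C ⊗ z = u with z treated as a column vector."""
    lhs = mat_mul(S, C, [[v] for v in z])
    return [row[0] for row in lhs] == u


def demo(S, n=3, degree=2, bound=10, seed=1):
    """Constructed sample instance (random integer matrices and coefficients). Returns
    (keys agree, Alice's true products x_i ⊗ y_j solve the system built from U)."""
    rng = random.Random(seed)
    mat = lambda: [[float(rng.randint(-bound, bound)) for _ in range(n)] for _ in range(n)]
    poly = lambda: [float(rng.randint(-bound, bound)) for _ in range(degree + 1)]
    A, B, p1, p2, q1, q2 = mat(), mat(), poly(), poly(), poly(), poly()
    U, V, ka, kb = stickel_exchange(S, A, B, p1, p2, q1, q2)
    D = degree + 1  # attacker's bound exceeds the degree actually used, as the text requires
    cols, C, u = linear_system(S, A, B, U, D)
    z = [S.mul(p1[i], p2[j]) if i < len(p1) and j < len(p2) else S.zero for i, j in cols]
    return ka == kb, satisfies(S, C, z, u)
```

The same `demo` runs unchanged over either semiring object, which is the point of Definition 1's common symbol for both: nothing in Protocol 1 or in the reduction uses anything beyond the semiring axioms, so the system C ⊗ z = u (and the cover enumeration built on it later) is available to an attacker in both settings. Note that the attacker's D only has to be an upper bound; unused higher powers simply get the semiring zero in z.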
We now need to scan all solutions to this system, and obtain the solution that satisfies for some . Thus, using the theory of solvability, we need to find the greatest solution, as well as all minimal solutions. For each minimal solution, we need to search for a vector in the interval between the minimal solution and the greatest solution that solves for some .
Note that, for the tropical case, a minimal solution can be found by finding a minimal cover (i.e., the minimal number of variables that satisfy all the equations in the system), and the other variables are set to . The following algorithm captures this process.
For the max–min case, we similarly need to compute the greatest solution c (using Lemma 3.2 in [16]) and all minimal solutions ’s (using Section 3.3 in [17] or Chapter 3 in [18]), and search for the required solution. The following algorithm captures this process.
Note that system (4) can be transformed into a problem of mixed-integer linear programming as shown in [5].
These attacks succeed under the condition that the attacker is using D that exceeds the greatest polynomial degrees used by Alice and Bob, because, in this case, these attacks produce X and Y that satisfy . The proof can be found in [5,15]. However, they exhibit exponential growth in computational time relative to the polynomial degree used in the protocol. Numerical experiments showing the time taken by these attacks to compromise the tropical implementation of Protocol 1 can be found in [7,14,15], and for the max–min implementation, see [5]. Table 2 summarizes a representative subset of these runtime results.
The most computationally intensive component of the attacks described above is the enumeration of all minimal covers. This problem is fundamentally equivalent to hypergraph transversal (minimal hitting set) enumeration, a widely studied topic in various fields such as combinatorics and optimization. To formalize this connection in the tropical case (Algorithm 1), we first present some relevant definitions.
Definition 5 (Hypergraph). A hypergraph consists of a vertex set V and a set of hyperedges , where each hyperedge is a subset of V.
Definition 6 (Hitting set (e.g., ref. [19])).
A hitting set for a hypergraph is a subset such that for every . A hitting set is minimal if no proper subset of K is a hitting set. The enumeration process of all minimal covers of by the computed sets in Algorithm 1 is equivalent to the process of enumerating all minimal hitting sets of the hypergraph where . This is because we know that a minimal cover in Algorithm 1 satisfies . This is equivalent to intersecting every hyperedge (i.e., is a hitting set for H). Minimality of as a hitting set then follows since removing any would leave some unhit. Similarly, given , we know that a minimal hitting set intersects every . By defining , the union covers . Minimality of as a cover follows since no smaller subset of can cover . This means there is a one-to-one correspondence between the enumerated minimal covers in Algorithm 1 and the minimal hitting sets of H.
Algorithm 1 Tropical Kotov–Ushakov attack [7]
Input: Public matrices , transmitted message U, maximum polynomial degree D. Output: Coefficients .
1:
2: Among all minimal covers of by , that is, all minimal subsets such that
find a cover for which the system
is solvable.
3: return .
Algorithm 2 Max–min Kotov–Ushakov attack [5]
Input: Public matrices , transmitted message U, maximum polynomial degree D. Output: Coefficients .
1: Compute the maximum solution c of system (2) as
2: Compute all minimal solutions of system (2).
3: Find a minimal solution with components for which the system
is solvable.
4: return .
From this perspective, we know that a hypergraph can have exponentially many minimal hitting sets, so a polynomial-time algorithm for the enumeration process in the above attacks is not possible, but it can be achieved in incremental quasi-polynomial time [19]. This also implies the exponential worst case complexity of the Kotov–Ushakov attacks (Algorithms 1 and 2). Another closely related problem is finding the smallest hitting set, which is known to be NP-hard [19], although the Kotov–Ushakov attacks are not aimed precisely at this problem. Nevertheless, their exponential worst-case complexity presents a major drawback. To address this, we next study the application of some well-known optimization techniques.
4. Attacking Stickel’s Protocol over Digital Semiring
A recent implementation of the Stickel protocol (Protocol 1) was introduced in [8], which employs a newly defined semiring referred to by the authors as the “digital semiring”. The authors claim that this new implementation of the Stickel protocol resists the known attacks such as the Kotov–Ushakov attack. Let us discuss how the methods outlined in this paper as well as those in [5] can be applied in this new situation.
The digital semiring of [8], which we here denote by , is defined over the set of natural numbers with adjoined , and is based on an unconventional order relation defined by
where denotes the sum of digits of . It is understood that the sum of digits of is , so this is the greatest element of the semiring. Based on this order relation, we then define the new addition as the greatest element (also denoted as ) among with respect to this order relation, and as the smallest element (also denoted as ) among with respect to this order relation.
For the practical purposes of software implementation, Alice and Bob are always limited by a big enough number M, and therefore they would actually be using a semiring of the form similarly defined using (22) over the natural numbers not exceeding M. However, it can then be shown that this semiring is isomorphic to the semiring , which is the set of natural numbers not exceeding M for which the operations are defined by and . Indeed, the isomorphism is given by the mapping , for which
where , for natural such that , denotes the set of natural numbers whose sum of digits is equal to i and which do not exceed a, and denotes the number of elements in this set.
Consequently, the attacks on the max–min semiring implementation of the Stickel protocol discussed in this paper are equally applicable to the digital semiring implementation, due to the known limitations of Alice and Bob and the isomorphism given by (23). This also includes the guaranteed attack described in [5] (the max–min version of the Kotov–Ushakov attack). Thus, the attacker only needs to take one additional step to exploit this isomorphism. A possible approach for such exploitation is to group the elements of the digital semiring by their digit sums, arranging the groups and the numbers within each group in ascending order. Each element in the digital semiring is then mapped to a corresponding element in the max–min semiring with the natural order from smallest to largest. The resulting algorithm has complexity at most since we have to go through each number and compute the sum of its digits (which has complexity not exceeding ).
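The grouping-and-sorting step just described, as an added Python example that is not the paper's own code: elements 0, ..., M are ordered by digit sum and, within a group, by their usual order (reading the text's "groups and numbers within each group in ascending order" as a lexicographic comparison is this example's assumption, since the order relation (22) is not reproduced above); ⊕ and ⊗ pick the greater and smaller element under that order, and the rank of each element in the sorted list is the map to the max–min semiring on {0, ..., M}. The adjoined greatest element is left out here; it would simply receive rank M + 1. The function names are this example's own.

```python
from typing import Dict, List, Tuple


def digit_sum(n: int) -> int:
    return sum(int(c) for c in str(n))


def digital_key(n: int) -> Tuple[int, int]:
    """Comparison key: digit sum first, ties broken by the usual order (assumption)."""
    return (digit_sum(n), n)


def digital_add(a: int, b: int) -> int:
    """a ⊕ b: the greater of the two under the digital order."""
    return max(a, b, key=digital_key)


def digital_mul(a: int, b: int) -> int:
    """a ⊗ b: the smaller of the two under the digital order."""
    return min(a, b, key=digital_key)


def isomorphism(M: int) -> Tuple[Dict[int, int], List[int]]:
    """Sort 0..M by the digital order and map each element to its rank. The sort costs
    O(M log M) comparisons, each of which computes a digit sum in O(log M)."""
    order = sorted(range(M + 1), key=digital_key)
    phi = {x: rank for rank, x in enumerate(order)}
    return phi, order


def check_isomorphism(M: int) -> bool:
    """phi(a ⊕ b) = max(phi(a), phi(b)) and phi(a ⊗ b) = min(phi(a), phi(b)) for all pairs,
    i.e. phi carries the digital operations to max–min on the ranks."""
    phi, _ = isomorphism(M)
    for a in range(M + 1):
        for b in range(M + 1):
            if phi[digital_add(a, b)] != max(phi[a], phi[b]):
                return False
            if phi[digital_mul(a, b)] != min(phi[a], phi[b]):
                return False
    return True


def translate_matrix(mat: List[List[int]], phi: Dict[int, int]) -> List[List[int]]:
    """Apply phi entrywise: a digital-semiring matrix becomes a max–min matrix, after
    which the max–min attacks apply without further change."""
    return [[phi[x] for x in row] for row in mat]
```

Since the digital order is a total order on a finite set, ⊕ and ⊗ are just max and min in that order, which is why a rank map is enough; `check_isomorphism` verifies this exhaustively for a given M rather than relying on the argument.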
Figure 9 illustrates the computational time needed to execute it for different maximum values M.
As shown in Figure 9, the computational time required for this isomorphism mapping is relatively minor, but it obviously increases as Alice and Bob agree on higher ranges. However, it can be argued that they cannot extend these ranges indefinitely due to the risk of potential numerical instability. Thus, while attacking the Stickel protocol over the digital semiring involves this additional computational overhead, it is a one-time setup and does not affect the computational time during individual attack sessions, since it only needs to be pre-computed once. Therefore, to keep the paper more concise, we have not included numerical experiments for attacking the Stickel protocol over the digital semiring, as these would be identical to the experiments on attacking the Stickel protocol over the max–min semiring described in the previous section and in [5]. We also note that a different attack on the Stickel protocol over the digital semiring has recently been published in [24], which develops a branch-and-bound approach and exploits the structure of the circulant matrices involved in the protocol.
5. Forging the Tropical Signatures
A digital signature protocol based on the hardness of tropical polynomial factorization was proposed in [9]. Several heuristics to attack this protocol have been proposed in [25,26]. These heuristics primarily focus on generating a valid forged signature from a previously legitimate signature. To counter these attacks, along with other trivial forgeries, a revised version of the protocol has also been introduced. In this section, we present new attacks that directly target the public key, which also apply to the revised version, as the public key is unchanged. In what follows, we present the protocol and how it can be attacked. To read this section, basic knowledge of semiring algebra (see Definitions 1–4) will be required from the reader, but only the tropical semiring will be used (see Table 1 for a concise summary).
Protocol 2 (The tropical digital signatures [9]).
Private Key: Two tropical polynomials , with integer coefficients from and the sum of their degrees is .
Public Key: r and d, and the multiplication of the two secret polynomials .
Signing:
Compute the hash of the message, and use it to form the tropical polynomial H using a known deterministic procedure.
Select random private polynomials such that and , with coefficients in , and let .
The signature is the tuple .
Verification:
Compute H as in the first step of signing, and verify it.
Verify that and .
Verify that neither nor is a tropical constant multiple of or .
Verify that coefficients of and are within and those of N are within .
Compute , and accept the signature if and only if .
The security of this protocol relies on the hardness of tropical polynomial factorization, which was shown to be NP-hard [27]. This problem can be formulated as follows:
Problem 3 (Tropical Polynomial Factorization). Given a tropical polynomial , find X and Y.
At first glance, it might seem straightforward to factor M using the tropical fundamental theorem of algebra [28], which states that any tropical polynomial can be easily factored into exactly linear polynomials. Let us explore this theorem formally.
Theorem 1 (Tropical fundamental theorem of algebra [28]).
Any tropical polynomial of degree n can be efficiently factored into linear factors. Specifically, there exists a constant c and roots such that
The roots are the points where the piecewise-linear function changes slope. This factorization provides a canonical form of as a function.
Note that the factorization from this theorem is a functional factorization, meaning holds for all t as a function. However, it does not necessarily preserve the original coefficient sequence of M: the string of coefficients obtained from this factorization is a canonical (most reduced) form of the tropical polynomial, which is equivalent to the original polynomial as a function but does not necessarily preserve the initial polynomial’s sequence of coefficients.
In contrast, a sequence-based factorization requires finding X and Y such that their polynomial multiplication matches the original coefficients of M, where the coefficients of M are as follows:
Therefore, the security of Problem 3 relies on factoring M as a sequence (i.e., a string of numbers), a problem shown to be NP-hard. Factoring M as a function does not generally preserve the original sequence, which most likely causes the recovery of the original sequence to fail: a function-based factorization yields factors that satisfy the same maximum operations but do not necessarily reconstruct the original sequence of coefficients, whereas a sequence-based factorization requires that multiplying the factors exactly reproduces the original coefficients of M. As such, attacks on Problem 3 must target a “sequence-based” factoring of M, where the multiplication of the factors exactly recovers the original coefficients of M.
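The distinction between functional and sequence-based factorization, as an added Python example (not the paper's code): a tropical polynomial is stored as its coefficient sequence m, evaluated as the function t ↦ max_k (m_k + k·t), reduced to its canonical form (the upper concave envelope of the points (k, m_k), which defines the same function), and then factored through Theorem 1 into c ⊗ (t ⊕ r_1) ⊗ ... ⊗ (t ⊕ r_n) with the roots taken at the slope changes. Multiplying those linear factors back reproduces the canonical sequence but, for a sequence with a "dead" coefficient such as (0, -10, 0), not the original one. The helper names and the sample sequences are this example's own assumptions; all coefficients are assumed finite.

```python
import math
from typing import List

NEG_INF = -math.inf


def trop_mul(x: List[float], y: List[float]) -> List[float]:
    """Max-plus convolution: coefficient k of x ⊗ y is max over i + j = k of x_i + y_j."""
    out = [NEG_INF] * (len(x) + len(y) - 1)
    for i, xi in enumerate(x):
        for j, yj in enumerate(y):
            out[i + j] = max(out[i + j], xi + yj)
    return out


def evaluate(m: List[float], t: float) -> float:
    """The piecewise-linear function defined by the coefficient sequence m."""
    return max(mk + k * t for k, mk in enumerate(m))


def canonical_form(m: List[float]) -> List[float]:
    """Upper concave envelope of the points (k, m_k): the 'most reduced' sequence that
    defines the same function. Coefficients strictly below the envelope never attain
    the maximum and are replaced by the envelope value."""
    n = len(m) - 1
    hull: List[int] = []  # indices of envelope vertices, built left to right
    for k in range(n + 1):
        while len(hull) >= 2:
            i, j = hull[-2], hull[-1]
            # drop j when (j, m_j) lies on or below the segment from (i, m_i) to (k, m_k)
            if (m[j] - m[i]) * (k - i) <= (m[k] - m[i]) * (j - i):
                hull.pop()
            else:
                break
        hull.append(k)
    out: List[float] = []
    for k in range(n + 1):
        for a, b in zip(hull, hull[1:]):
            if a <= k <= b:
                out.append(m[a] + (m[b] - m[a]) * (k - a) / (b - a))
                break
        else:
            out.append(float(m[k]))  # single vertex: degree-0 polynomial
    return out


def tropical_roots(c: List[float]) -> List[float]:
    """Roots of a canonical sequence: the slope-change points t = c_k - c_{k+1}, where the
    terms c_k + k t and c_{k+1} + (k+1) t tie."""
    return [c[k] - c[k + 1] for k in range(len(c) - 1)]


def expand(roots: List[float], leading: float) -> List[float]:
    """leading ⊗ (t ⊕ r_1) ⊗ ... ⊗ (t ⊕ r_n) as a coefficient sequence; the linear
    factor r ⊕ t has coefficients (r, 0)."""
    acc = [leading]
    for r in roots:
        acc = trop_mul(acc, [r, 0.0])
    return acc


def compare(m: List[float], samples=range(-6, 7)):
    """Returns (functions agree on the sample points, refactored sequence equals m)."""
    c = canonical_form(m)
    refactored = expand(tropical_roots(c), c[-1])
    same_function = all(evaluate(m, t) == evaluate(refactored, t) for t in samples)
    return same_function, refactored == [float(v) for v in m]
```

For the concave sequence (3, 5, 4) the round trip through Theorem 1 is exact, whereas (0, -10, 0) comes back as (0, 0, 0): the middle coefficient is invisible to the function, so no functional method can recover it, which is exactly why Problem 3 has to be read as a sequence-based factorization.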
Note that there are possibly many factorizations of M, meaning the original factors X and Y are not generally unique. Therefore, for the attacker’s purpose of producing a valid forged signature in Protocol 2, it is sufficient to find any factors that pass the verification process. This non-uniqueness in factorization can be exploited as a basis for some heuristic attacks. Thus, in the proposed attacks that follow, the attacker’s objective is to find and such that , with the additional constraints that their degrees sum to and their coefficients are from , so they can pass the verification process. Successfully finding and enables the attacker to impersonate the signer and hence produce a valid signature to any arbitrary message. Specifically, with H being the polynomial formed from an arbitrary hashed message, and choosing U and V with and , with coefficients in , the forged signature is verified correctly, as all of the above verification steps clearly hold, and it is highly unlikely that the second and third polynomials of this tuple will be shifted versions of the public polynomials or , respectively. We now propose two attacks utilizing this approach.
Note that M essentially represents a convolution of the two sequences X and Y, with max-plus operations. This allows the problem to be formulated as a one-sided linear system using matrices, by treating each product of the secret coefficients as a variable. However, the length of the original sequences is unknown. Consequently, the attack must iterate over possible lengths for until a suitable solution to the one-sided linear system is found.
Formally, we know that each coefficient of can be represented as
where , , and denote the coefficients of the polynomials M, X, and Y, respectively. Then, with and being the unknowns, this system can be equivalently written as the linear system , where A is a binary matrix that indicates which variables are present in the k-th equation, z is the vector of unknowns with each element , and b is the vector containing the known coefficients of M. The following example illustrates this representation.
Example 1 (One-sided linear system representation of polynomial multiplication).
For a polynomial M of degree 4, and polynomials X and Y each of degree 2, the polynomial multiplication can be represented as the following linear system:
Thus, the attacker’s goal is to find a solution to this linear system. That is, a solution that satisfies for all and , for some and . Additional constraints must be imposed on and to ensure that the forged signature is verified correctly. These constraints are and , where r and d are public parameters of the protocol. Note that this system is not guaranteed to have a solution unless equals the original degree of the polynomial X, but this degree is secret. Consequently, the attacker must test multiple values of until a solution is found. However, it is possible that a solution can be found even when differs from the original degree of X due to the possible non-unique factorization of M. The attack is formally described below.
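The one-sided system of Example 1 in code, as an added Python example that is not the paper's own: for a chosen degree of X, the variables are z_(i,j) = x_i + y_j, the binary matrix A marks in row k the variables with i + j = k, and A ⊗ z is evaluated tropically (a 1 acts as the unity 0, a 0 as the zero -inf), so the k-th row yields the maximum of the marked z's. A checker confirms that a candidate pair (X, Y) reproduces M exactly as a sequence, and a shift helper shows the simplest source of the non-uniqueness mentioned in the text: adding a constant to X and subtracting it from Y gives another exact factorization. The function names and the sample polynomials are this example's assumptions; the coefficient-range and degree-sum constraints of Protocol 2 are not encoded here because their exact values are not reproduced above.

```python
import math
from itertools import product
from typing import List, Tuple

NEG_INF = -math.inf


def trop_mul(x: List[float], y: List[float]) -> List[float]:
    """Max-plus convolution used only to construct a sample public key M = X ⊗ Y."""
    out = [NEG_INF] * (len(x) + len(y) - 1)
    for i, xi in enumerate(x):
        for j, yj in enumerate(y):
            out[i + j] = max(out[i + j], xi + yj)
    return out


def build_system(deg_m: int, deg_x: int) -> Tuple[List[Tuple[int, int]], List[List[int]]]:
    """Columns are the variables z_(i,j) with i <= deg_x and j <= deg_m - deg_x; row k of
    the binary matrix A marks the variables feeding coefficient k (those with i + j = k).
    For deg_m = 4 and deg_x = 2 this is the 5-by-9 system of Example 1."""
    deg_y = deg_m - deg_x
    cols = list(product(range(deg_x + 1), range(deg_y + 1)))
    A = [[1 if i + j == k else 0 for (i, j) in cols] for k in range(deg_m + 1)]
    return cols, A


def apply_system(A: List[List[int]], z: List[float]) -> List[float]:
    """A ⊗ z over the tropical semiring: each row returns the max of the z's it marks."""
    return [max((z[c] for c, a in enumerate(row) if a), default=NEG_INF) for row in A]


def check_factors(m: List[float], x: List[float], y: List[float]) -> bool:
    """Sequence-based check: degrees must add up to deg M and z_(i,j) = x_i + y_j must
    satisfy A ⊗ z = b with b = m, coefficient by coefficient."""
    if len(x) + len(y) - 2 != len(m) - 1:
        return False
    cols, A = build_system(len(m) - 1, len(x) - 1)
    z = [x[i] + y[j] for i, j in cols]
    return apply_system(A, z) == list(m)


def shift_factors(x: List[float], y: List[float], s: float) -> Tuple[List[float], List[float]]:
    """(s ⊗ X, (-s) ⊗ Y): a tropical constant multiple moved between the factors leaves
    X ⊗ Y unchanged, so the factorization of M is never unique."""
    return [c + s for c in x], [c - s for c in y]


def candidate_degrees(deg_m: int) -> List[int]:
    """Degrees of X the attack has to iterate over when deg X is unknown (1 .. deg M - 1)."""
    return list(range(1, deg_m))
```

The checker is the test the attacks of this section ultimately have to pass for any recovered pair, independently of how the pair was found; `candidate_degrees` is the outer loop that Algorithms 9 and 10 run because the degree of X is secret.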
Figure 10 presents the performance of this attack when , showing the success rate and computational time over 10 trials for multiple values of d. Note that, for all numerical experiments, the degree of X in the protocol instance is chosen as specified by the authors, i.e., randomly selected from the interval . The degree of Y is then determined accordingly, as the sum of the degrees of X and Y must equal .
Algorithm 9 Kotov–Ushakov-based attack on Protocol 2
Input: Public key polynomial M, signature parameters , degree bound . Output: Recovered factors .
1: for to t do
2: Set .
3: Construct the binary matrix A and vector b for the linear system as in Example 1.
4: Compute the greatest solution and the sets for all and .
5: Among all minimal covers of by , that is, all minimal subsets such that
find a cover for which the system
is solvable.
6: If a solution is found, break the loop. If no solution is found, proceed to the next until a solution is found.
7: Construct the polynomials and using the derived and , respectively.
8: return .
While the attack achieves a considerable success rate, its efficiency is limited, even for short polynomial lengths, due to the large number of enumerated minimal covers. Therefore, it is impractical for the recommended protocol parameters ().
The attacker similarly aims to find and that recover the original M. In this attack, similar to the approach used in the attacks discussed in Section 3.2 and Section 3.3, the attacker transforms the disjunctive constraints in the formula for each into a set of linear constraints by introducing Boolean variables . This reformulation allows the problem to be solved as a mixed-integer linear program.
More precisely, since each coefficient of M satisfies
it can be equivalently expressed through the following subsystem of inequalities:
Here, T is a sufficiently large constant. This approach can be used to propose the following attack.
Figure 11 shows the performance of this attack with , where it achieves a success rate comparable to the previous attack but with significantly greater efficiency, even for the recommended protocol parameters ().
In practical terms, this success rate means that the attacker can successfully factor the public key in approximately half of all randomly generated instances. Consequently, if the protocol were deployed, the attacker could potentially impersonate half of the users and sign messages using their signatures. Recall that this success rate is explained by the existence of alternative factors and different from the original pair, which still satisfy the verification process and can be efficiently found via the MILP formulation.
Algorithm 10 MILP-based attack on Protocol 2
Input: Public key coefficients , signature parameters , degree bound , big constant T. Output: Recovered factors .
1: for to t do
2: Set .
3: Solve the following system for all , and for all and such that using a MILP solver.
4: Construct the polynomials and using the derived and , respectively.
5: return .
6. Conclusions
In this paper, we proposed three new attacks against the tropical and max–min implementations of the Stickel protocol. Our aim was to avoid the problem of minimal cover enumeration and the associated worst case exponential complexity encountered in the Kotov–Ushakov attacks. While we previously proposed an attack against these protocols [5,14] that avoided enumerating all minimal solutions by carefully selecting a single minimal solution, this method, although very successful for the tropical case, occasionally fails. Consequently, it is plausible that Alice and Bob could design the protocol’s public matrices to resist this attack, and this method still shows increasing complexity with the polynomial degree used, though not exponentially. Thus, the goal of the techniques implemented in Algorithms 3–8 was to achieve a success rate above with the lowest possible execution time and reduced dependence on the polynomial degree, which is commonly the variable parameter controlled by Alice and Bob.
The first proposed attack (Algorithms 3 and 4) aims to find a solution x that minimizes an objective function of the shape instead of finding all minimal solutions of a system as in the typical Kotov–Ushakov attack. This attack employs the simulated annealing algorithm, a global optimization technique, to find such a solution. It achieved a perfect success rate against the tropical Stickel protocol and a high success rate (above ) against the max–min Stickel protocol, both with very fast execution times. Additionally, the execution time showed only a minor increase as the polynomial degree increased. However, unlike the Kotov–Ushakov attack, this approach is sensitive to the size of the public matrix entries and polynomial coefficients used in the protocol. While it usually remains effective even for large values, we are more likely to encounter some trials that take significantly longer than average to solve. Also, we cannot definitively say that simulated annealing outperforms other attacks in the max–min case, since it does not achieve a perfect success rate in our experiments (or rather, we have to “sacrifice” the success rate in order for the attack to complete within a reasonable timeframe).
The second proposed attack (Algorithms 5 and 6) aims to solve the system by transforming it into a mixed-integer linear system and then solving it using an MILP solver. Unfortunately, this attack demonstrated slower execution times compared to the typical Kotov–Ushakov attack, and it remains heavily dependent on the polynomial degree used in the targeted protocols. Consequently, similar to the typical Kotov–Ushakov attack, Alice and Bob can resist this attack by increasing the polynomial degree.
The third proposed attack (Algorithms 7 and 8), which we call Shpilrain’s attack, aims to solve equations (11) by formulating them as a mixed-integer linear program. Interestingly, this attack is completely independent of the polynomial degree used in the protocol, which makes it effective even if Alice and Bob use very high polynomial degrees. The attack has also demonstrated remarkably fast execution times, taking roughly 21 s for the tropical case with dimension 10 and polynomial degree 50. A significant limitation of this attack is its high memory requirement due to the need to encode a large number of equations, namely on the order of . Consequently, Alice and Bob could potentially defend against it by employing large matrix dimensions. However, it is worth noting that the typical Kotov–Ushakov attack would likely encounter similar challenges in such scenarios, specifically those related to the high number of minimal covers.
Let us also observe that Shpilrain’s attack also applies to the modifications of the Stickel protocol based on Jones matrices and Linde-de la Puente matrices suggested in [15]. Namely, the protocol based on Jones matrices only replaces the tropical polynomials of A and B with tropical quasi-polynomials of the same matrices, so we can still find X and Y directly from (11) (and its MILP reformulation). As for the Linde-de la Puente matrices, equations and have to be replaced with the linear inequalities and equations that define Linde-de la Puente matrices. We are not including the numerical results here, but the situation is similar to what is reported in Figure 7.
Finally, it is notable that the findings presented in this paper likely indicate that the max–min and hence also “digital” implementations of the Stickel protocol overall tend to be more resistant to the attacks described in this paper and [5] than the tropical implementation. This conclusion arises because two of the three proposed attacks in this paper, alongside the single cover heuristic [14], demonstrate much greater effectiveness against the tropical case. Furthermore, the typical Kotov–Ushakov attack is more efficient against the tropical Stickel protocol compared to its analogue against the max–min Stickel protocol. A better implementation of Shpilrain’s attack and alternative ideas which would allow for solving Problems 1 and 2 with higher dimensional matrices are still to be considered. Also, the reasons behind the relatively good performance of simulated annealing in the tropical case and its “satisfactory” performance in the max–min case are not clear to us and can be a topic of further research, as well as the conditions under which the simulated annealing based attacks are guaranteed to solve a problem within a reasonable timeframe.