Cryptography from the tropical Hessian pencil

Tropical polynomials and tropical curves

A tropical polynomial in n variables x1⁢…⁢xn is a tropical sum of monomials:

Then to every tropical polynomial f we can associate its hypersurface Vf⊂𝕋n defined as the set of points where the maximum is attained at least twice. A tropical hypersurface in 𝕋n is a union of convex polyhedra of dimension n-1, each one having integer slope i.e. being parallel to a hyperplane in ℝn defined over ℤ. For every facet P, there are two monomials in f that are equal and greater than any other monomial of f over P (see [13, 12]). When f is homogeneous its hypersurface can be considered as a tropical projective variety in ℙn-1⁢(𝕋).

For n=2 the tropical hypersurface simplifies to a plane tropical curve in 𝕋2 and its facets are just affine segments. An unbounded segment is also called a tentacle.

Tropical lines

The tropical lines are defined by the polynomials a⁢X+b⁢Y+c:=max⁡(a+X,b+Y,c). A tropical line is uniquely defined by the juncture of its three tentacles, the root point such that a+X=b+Y=c. As in euclidean geometry, two points in a general configuration define a unique tropical line, as shown in Figure 1. (It is still true in the specific configuration where the two points lie on the same tentacle, provided we fix the appropriate one as the root.)

Figure 1

Tropical lines. First row: In the general configuration, two points in 𝕋2 define a unique tropical line passing through them both. Second row: When both points lie on the same tentacle, fixing the appropriate one as the root also defines a unique tropical line.

Tropical Hesse curves

The direct tropicalization of the Hessian pencil equation yields the tropical polynomial:

The tropical Hesse curve is the set of points where the maximum is reached more than once. Introducing the inhomogeneous coordinates in the projective plane (X=z-x,Y=z-y) and K=μ-λ, we designate the tropical Hesse curve given by the tropical polynomial FK⁢(X,Y)=max⁡(3⁢X,3⁢Y,0,K+X+Y) by HK (Figure 2). The tropical Hesse curves has three tentacles originating in the three vertices of coordinates (K,K), which we pick as O the origin, (-K,0) and (0,-K), respectively. It has three facets: the line segments joining any pair of these vertices with slopes (2,1), (1,-1) and (1,2), respectively (counterclockwise); the curve is symmetric around the axis X=Y.

Figure 2

Left: The tropical Hesse curve HK. Right: The regular subdivision of the tropical Hesse curve, with the scaled tropical Hesse curve (red) showing mapping between crossing segments of the curve and its regular subdivision: tentacles cross boundary edges of the subdivision; internal segments cross internal edges of the subdivision.

Tropical intersections and tropical elliptic curves

We use basic facts in tropical intersection theory [13] to adapt the geometrical presentation of tropical elliptic curve group law from [4] to the case of the tropical Hesse curve. Let A⊂{i,j,k∈ℕ:i+j+k=d} be called the support of the polynomial

defining a plane tropical curve. The convex hull of points (i,j,k,ai⁢j⁢k) is a 3-dimensional polytope, the lower faces of which project bijectively, under omission of the last coordinate, onto the planar convex hull of A, thus defining a regular subdivision Δ of A. The segments of Vf arise from the interior edges of Δ, and the tentacles arise from its boundary edges [16]. Figure 2, right, shows the regular subdivision of the tropical Hesse curve. The weight of a facet of the tropical curve is the lattice length of its dual edge in the regular subdivision(i.e. the number of lattice points on the edge, including extremities, minus 1). The degree of the curve is d as defined in the support of its polynomial.

Then the balancing condition holds: for any vertex V in the tropical curve Vf with adjacent edges E1,…,Ep, let wi,vi be the weight and unit vectors of edge Ei; then w1⁢v1+…+wn⁢vn=0, where 0=(0,0) of ℙ2⁢(𝕋). For a vertex having exactly three adjacent edges, the multiplicity is defined as the common quantity

and following [4] a tropical curve is called smooth if all its vertices are 3-valent and have multiplicity 1, and a tropical elliptic curve is a smooth tropical curve of degree 3 and genus 1 (number of cycles). More generally, the intersection of two segments of a plane tropical curves, with respective weight w1,w2 and unit vectors v1,v2, has multiplicity w1w2|det(v1,v2)| (see [16]).

Inspection of Figure 2 (right) show that the weight of the Hesse curve’s tentacles are 3, and the weight of the bounded segments are 1 and the balancing condition checks for all three vertices. The degree is 3 and its genus is 1. All vertices are 3-valent, their multiplicity, however, is e.g. for the origin O:

and the tropical Hesse curve is not smooth. The cycle CK of the tropical curve HK is obtained simply by removing the three tentacles, its equation is given by max⁡(3⁢X,3⁢Y,0)=K+X+Y.

Geometrical presentation of the group law

On a tropical elliptic curve the group law introduced in [4], by analogy with the traditional group law on elliptic curves, has a geometrical presentation. We restrict our attention to the cycle C of the tropical elliptic curve, see Figure 3, with O∈C an origin: addition of P,Q∈C is computed by finding first the intersection S of the tropical line defined by P,Q with the cycle C, and then defining P+Q as the intersection of the tropical line defined by S,O with C. Doubling of P∈C is computed by finding first the intersection S of the tropical line intersecting C with multiplicity 2 at P, with C, and then defining 2⁢P as the intersection of the tropical line defined by S,O with C.

For a general point P, a tropical line intersecting C at P with multiplicity 2 does not necessarily exist. On the tropical Hesse curve, however, intersection of the tropical line rooted in any P∈CK and CK has multiplicity 2, hence doubling is well defined over CK even though the curve is not smooth.

Figure 3

Left: Point addition in the tropical Hesse curve group law; a first step determines S from P and Q, a second step yields P+Q from S and the origin O. Right: Point doubling in the tropical Hesse curve group law; a first step determines S from P,a second step yields 2⁢P from S and the origin O.

Addition formulas

In [10, 15] Kajiwara and Nobe derive duplication and addition formula for the group law on the tropical Hesse curve using the process of ultradiscretization of the level-three theta functions on the (non-tropical) Hesse cubic curve. Here instead we calculate coordinates of points directly from the geometrical presentation above to obtain short formulas amenable to fast implementations. Let us divide the cycle CK and its interior into six faces, respectively:

In the first step of the addition, the intersection of CK and the tropical line determined by P,Q∈CK is determined. To do so we distinguish six cases according to which face the root of the tropical line lies in, as shown on Figure 4. In each of these configurations, for a root on a given face, the two points to add could be any pair combination of the three intersection points. We then produce in Table 1 three formulas for each configuration giving the third point from the coordinates of the two others, naming them by convention A on the unbounded north-east ray of the tropical line, B on the horizontal ray and C on the vertical one. This third point and the origin O then determine the second tropical line which intersects again CK at the sought for addition point, which we also call A, B, or C according to the first step.

Figure 4

The six configurations of the group addition on the tropical Hesse curve according to the face the root of the tropical line P,Q lies in: Face 1 to 6, left to right, top to bottom.

Doubling formulas

In order to produce the doubling formulas, we consider the tropical line to be rooted on the point in CK to be doubled and using the same partition of the curve in six faces as above to derive the formulas.

Note that exactly two points on the tropical Hesse curve have the same image by doubling, with the exception of the origin O. Table 2 displays formulas for the doubling of point P and for Q the other point in the preimage of [2]⁢P. Let us denote by [12]0⁢P and [12]1⁢P the preimages of P by the group law doubling; then [12]0⁢P and [12]1⁢P lie on opposite faces of the tropical Hesse curve in the following pairings (F1,F4),(F2,F5),(F3,F6).

The formulas coincide with the ones obtained through ultradiscretization in [10, 14, 15] but involve a smaller number of elementary computations (additions and comparisons). Hence their implementation over either ℝ with standard floating point precision or over ℤ with large integers can be made very efficient. Experiments with unoptimized Python implementation of the double-and-add algorithm for elliptic point multiplications using the above tables show that, over a range of exponent’s length from 10 bits to 1.024 bits, point multiplication costs in average 2.3 integral multiplications and 0.7 integral comparisons per exponent’s bit which obviously compare favorably with analogues on the non-tropical Hesse cubic [6, 9].

3.1 Metrics on the tropical Hesse curve

The tropical Hesse curve’s cycle CK is obviously homeomorphic to the circle S1 as a topological space. Furthermore, calling V1,V2 the vertices starting from the origin O counterclockwise, and E0,E1,E2 the successive edges, these may be assigned a length defined by |Ei||vi|, where vertical bars denote the Euclidean metric and vi is the primitive integer vector along the considered edge. The total length of the cycle is then

The explicitation of the homomorphism for tropical elliptic curves in [4] to the case of the tropical Hesse curve is

where it is enough to specify the images of the vertices. Even though the tropical Hesse curve is not a tropical elliptic curve – it is not smooth –, the proofs in [4] are still valid for λ as defined above. We can define a signed distance on CK, namely d⁢(P,Q)=ℓ⁢(CK)×(λ⁢(P)-λ⁢(Q)) which verifies

where + denotes the group law addition.

3.2 DLP on integral points

Let us now consider the standard cryptographic setting in ECC where Alice and Bob agree on a public elliptic curve, here an integral point (Xpub,Ypub) or equivalently the uniquely associated tropical Hesse curve such that (Xpub,Ypub)∈CK, and a public integral point P∈CK on this curve’s cycle – which could simply be (Xpub,Ypub). Alice and Bob choose a random secret a,b, respectively, and Alice sends Bob [a]⁢P, Bob sends Alice [b]⁢P so that both can compute the shared secret [a⁢b]⁢P=[b⁢a]⁢P using the group law on the curve. The shared secret is evidently compromised if Eve is able to recover a from [a]⁢P and P, or to recover [a⁢b]⁢P from P,[a]⁢P,[b]⁢P.

The explicit homomorphism and the signed distance defined in the previous section afford simple analysis of this cryptographic setting on the tropical Hesse curve. Starting with P0=O, let us enumerate all integral points on the cycle CK counterclockwise P0,P1,…,P3⁢K-1. There are 3⁢K such points on the cycle and the formulas for λ and d show that the group law addition reduces to a counterclockwise shift modulo 3⁢K. There is one point, O, or order 1, two points V1 and V2 of order 3, and the order of all other points divide K. The metric leads to the relation Pn⁢m⁢(mod⁡3⁢K)=[n]⁢Pm which given public knowledge of Pm and interception of Pj=[n]⁢Pm, allows derivation of n=j⁢m-1⁢(mod⁡3⁢K).

3.3 Doubling leads to chaos

Although the previous analysis shows that the standard group law is inadequate for cryptographic purposes, the doubling operation shows sensitivity to initial conditions and ergodicity [10]. Although the discretized doubling on integral points of the tropical Hesse curve is a permutation and thus cannot be chaotic, we can extend it to a larger subset of points with coordinates in ℚ, namely the set F of points which coordinates are fractions with denominator of the form 2n for n∈ℕ. The set F is stable under the doubling point of the group law and, more importantly, under the halving operation yielding the two halves [2-1]0⁢M and [2-1]1⁢M.

The algebraic entropy [2] of the doubling map, a quantity measuring the complexity of the map defined by limn→∞⁡log⁡(dn)/n, where dn is the degree of the rational map of the n-th iterate, is here log⁡(2) and positive. Figure 5 shows that the cycle CK is filled with points in the halving orbit of P, a point not a vertex.

Figure 5

Left: On the cycle C22+101/128 of the tropical Hesse curve, 256 iterations of the halving map, showing almost equal distribution on all faces, respectively 42, 43, 43, 42, 43, and 43 points on faces 1 to 6. Right: x coordinates of the first1,000 doubling iterations of point (8+1/128,15+51/128).

4.1 The tropical Hesse chaotic map

For a cryptographic application of the conjunction of both algebraic group properties and chaotic characteristics of the tropical Hessian pencil reviewed in the previous sections, we fix a tropical Hesse curve CK and consider the following map on its cycle:

which sends a point Pi of the cycle to one of its two halves according to the key bit k. The Pi points coordinates are dyadic rationals, and together with the tropical elliptic addition constitute a group. Lyapunov exponent calculations show, in Figure 6, that the map behavior is chaotic in the early iterations and then stabilizes much like a random time series.

Figure 6

Left diagram: Evolution of the (log) stretching factor in the early iterations of the tropical Hessian doubling/halving chaotic map. Right diagram: Comparative evolutions of the tropical Hessian map, black circles, and a random timeseries, blue triangles. (Graphs generated in R using the lyap_k function of the tseriesChaos package from 2,000 halvingsof C170,370/131,072.)

We consider the iteration of this chaotic map according to successive bits k0⁢k1⁢…⁢kn-1 of a secret key k, and define

where Pi+1=[2-1]ki⁢Pi, as our keyed chaotic map.

4.2 A keyed cipher construction

The construction proposed is iterative and leverages the group structure on the tropical Hesse curve cycle. The message block M and the secret key S have the same bit size n. Note that M and S are mapped each to a point on the upper edge of the public CK tropical Hesse curve (K a dyadic rational), which we denote by M0 and S0, respectively.

The cipher round

is iterated r times, with r a public parameter of the cipher, to produce the ciphertext Mr. The addition is the group addition on the tropical elliptic curve. In the rest of this section we denote this cipher construction by THC⁢(K,r).

4.3 Correlation and diffusion properties

The THC⁢(K,r) cipher construction operates on a single block of the message and can be used in other block cipher architectures chaining successive message blocks and secret keys. We ran measuring experiments of this single step, however, in order to assess the diffusion properties within a single message block. At each round a secret key is mixed in the message before applying the keyed chaotic map, a step which is similar to the Single-Key Even-Mansour Scheme described by Dunkelman, Keller and Shamir [5].

As seen in Figure 7, for typical values of the parameters, the cipher construction shows good decorrelation between plaintext bits and ciphertext bits. Bits 0 to 127 of the 128-bit long messages are along the horizontal axis, and the number of times the said message bit is changed after ten rounds over 1,000 runs on random messages is plotted on the vertical axis. The closer the score is to half of the runs, here 500, the closer to random is the correlation between plaintext and ciphertext.

Figure 7

Boxplot graph of individual bit correlations between plaintext and ciphertext for THC(2128+1,10): horizontal axis,bit position in ciphertext; vertical axis, cumulated bit differences over 1000 runs; the closer to half, here 500 the better. Thedisplay shows artifacts on a few of the high bits and few mid-bits as a result of the choice of mapping of messages and keysto the tropical Hesse Curve.

In order to study the diffusion properties, we run the cipher construction on messages that differ on a single bit only while keeping the same secret key. We then compute the Hamming distance, the number of different bits, of the ciphertexts of these single-bit differing plaintexts.

Figure 8

Boxplot graph of Hamming distances, in bits, between plaintext and ciphertext showing how bit by bit changes are propagated from plaintext to ciphertext according to position: left, 16-bit keys and plaintexts; right, 32-bit keys and plaintexts.

Figure 8 shows the results of running five rounds on 16-bit and 32-bit long messages, and comparing the ciphertext with the sixteen others obtained by changing one bit at each position in the original message. Each round produces an output ciphertext larger than the input message: here ciphertexts are 543-bit long of which an average of 28.67 % are changed when a single bit of the message is switched. Note that the diffusion is larger when the bit changed is higher in the message (most significant bits). By construction the diffusion stays local and with larger key sizes, the ciphertexts are longer, hence the ratio of changed bits decreases: it is 16,4 % for a 32-bit key size yielding 1,055-bit long ciphertexts from 32-bit long plaintext messages.