Abstract
Recent work by Grigoriev and Shpilrain [8] suggests looking at the tropical semiring for cryptographic schemes. In this contribution we explore the tropical analogue of the Hessian pencil of plane cubic curves as a source of group-based cryptography. Using elementary tropical geometry on the tropical Hessian curves, we derive the addition and doubling formulas induced from their Jacobian and investigate the discrete logarithm problem in this group. We show that the DLP is solvable when restricted to integral points on the tropical Hesse curve, and hence inadequate for cryptographic applications. Consideration of point duplication, however, provides instances of solvable chaotic maps producing random sequences and thus a source of fast keyed hash functions.
1 Introduction
In the projective plane
Its properties are well known (see [1] for an extensive review) and Hesse curves, which constitute the Hessian pencil, have recently been popular among number theorists in relation to applied elliptic curve cryptography [17, 9]. Hessian parametrization of elliptic curves in particular has been shown to improve resistance to side-channel attacks [9].
Following [8], the replacement of the field
Tropical polynomials and tropical curves
A tropical polynomial in n variables
Then to every tropical polynomial f we can associate its hypersurface
For
Tropical lines
The tropical lines are defined by the polynomials
Tropical Hesse curves
The direct tropicalization of the Hessian pencil equation yields the tropical polynomial:
The tropical Hesse curve is the set of points where the maximum is reached more than once. Introducing the inhomogeneous coordinates in the projective plane
2 Group law on the tropical Hesse curve
Tropical intersections and tropical elliptic curves
We use basic facts in tropical intersection theory [13] to adapt the geometrical presentation of tropical elliptic curve group law from [4] to the case of the tropical Hesse curve. Let
defining a plane tropical curve. The convex hull of points
Then the balancing condition holds: for any vertex V in the tropical curve
and following [4] a tropical curve is called smooth if all its vertices are 3-valent and have multiplicity 1, and a tropical elliptic curve is a smooth tropical curve of degree 3 and genus 1 (number of cycles). More generally, the intersection of two segments of a plane tropical curves, with respective weight
Inspection of Figure 2 (right) show that the weight of the Hesse curve’s tentacles are 3, and the weight of the bounded segments are 1 and the balancing condition checks for all three vertices. The degree is 3 and its genus is 1. All vertices are 3-valent, their multiplicity, however, is e.g. for the origin O:
and the tropical Hesse curve is not smooth. The cycle
Geometrical presentation of the group law
On a tropical elliptic curve the group law introduced in [4], by analogy with the traditional group law on elliptic curves, has a geometrical presentation. We restrict our attention to the cycle C of the tropical elliptic curve, see Figure 3, with
For a general point P, a tropical line intersecting C at P with multiplicity 2 does not necessarily exist. On the tropical Hesse curve, however, intersection of the tropical line rooted in any
Proof.
Computations of determinants for each case of P lying on the three edges of
when P lies on the upper segment emanating from O, the lower segment emanating from O, the segment opposed to O, respectively. ∎
Addition formulas
In [10, 15] Kajiwara and Nobe derive duplication and addition formula for the group law on the tropical Hesse curve using the process of ultradiscretization of the level-three theta functions on the (non-tropical) Hesse cubic curve. Here instead we calculate coordinates of points directly from the geometrical presentation above to obtain short formulas amenable to fast implementations. Let us divide the cycle
In the first step of the addition, the intersection of
Doubling formulas
In order to produce the doubling formulas, we consider the tropical line to be rooted on the point in
Note that exactly two points on the tropical Hesse curve have the same image by doubling, with the exception of the origin O. Table 2 displays formulas for the doubling of point P and for Q the other point in the preimage of
The formulas coincide with the ones obtained through ultradiscretization in [10, 14, 15] but involve a smaller number of elementary computations (additions and comparisons). Hence their implementation over either
3 Analysis of the discrete logarithm problem
3.1 Metrics on the tropical Hesse curve
The tropical Hesse curve’s cycle
The explicitation of the homomorphism for tropical elliptic curves in [4] to the case of the tropical Hesse curve is
where it is enough to specify the images of the vertices. Even though the tropical Hesse curve is not a tropical elliptic curve – it is not smooth –, the proofs in [4] are still valid for λ as defined above. We can define a signed distance on
where
3.2 DLP on integral points
Let us now consider the standard cryptographic setting in ECC where Alice and Bob agree on a public elliptic curve, here an integral point
The explicit homomorphism and the signed distance defined in the previous section afford simple analysis of this cryptographic setting on the tropical Hesse curve. Starting with
3.3 Doubling leads to chaos
Although the previous analysis shows that the standard group law is inadequate for cryptographic purposes, the doubling operation shows sensitivity to initial conditions and ergodicity [10]. Although the discretized doubling on integral points of the tropical Hesse curve is a permutation and thus cannot be chaotic, we can extend it to a larger subset of points with coordinates in
The algebraic entropy [2] of the doubling map, a quantity measuring the complexity of the map defined by
4 A keyed hash function based on the tropical Hessian pencil
4.1 The tropical Hesse chaotic map
For a cryptographic application of the conjunction of both algebraic group properties and chaotic characteristics of the tropical Hessian pencil reviewed in the previous sections, we fix a tropical Hesse curve
which sends a point
We consider the iteration of this chaotic map according to successive bits
where
4.2 A keyed cipher construction
The construction proposed is iterative and leverages the group structure on the tropical Hesse curve cycle. The message block M and the secret key S have the same bit size n. Note that M and S are mapped each to a point on the upper edge of the public
The cipher round
is iterated r times, with r a public parameter of the cipher, to produce the ciphertext
4.3 Correlation and diffusion properties
The
As seen in Figure 7, for typical values of the parameters, the cipher construction shows good decorrelation between plaintext bits and ciphertext bits. Bits 0 to 127 of the 128-bit long messages are along the horizontal axis, and the number of times the said message bit is changed after ten rounds over 1,000 runs on random messages is plotted on the vertical axis. The closer the score is to half of the runs, here 500, the closer to random is the correlation between plaintext and ciphertext.
In order to study the diffusion properties, we run the cipher construction on messages that differ on a single bit only while keeping the same secret key. We then compute the Hamming distance, the number of different bits, of the ciphertexts of these single-bit differing plaintexts.
Figure 8 shows the results of running five rounds on 16-bit and 32-bit long messages, and comparing the ciphertext with the sixteen others obtained by changing one bit at each position in the original message. Each round produces an output ciphertext larger than the input message: here ciphertexts are 543-bit long of which an average of 28.67 % are changed when a single bit of the message is switched. Note that the diffusion is larger when the bit changed is higher in the message (most significant bits). By construction the diffusion stays local and with larger key sizes, the ciphertexts are longer, hence the ratio of changed bits decreases: it is 16,4 % for a 32-bit key size yielding 1,055-bit long ciphertexts from 32-bit long plaintext messages.
5 Conclusions
Properties of elliptic curve geometry naturally carry over to tropical geometry where tropical variety analogues can be defined for notions of degrees, intersections, Jacobians, metrics and group law. Looking at the specific instance of the Hesse cubic curve, a well-studied form of elliptic curve with interesting properties for cryptographic usage, it appears that these properties are lost in the linearization of the group law induced by the tropicalization of the Hessian pencil.
The tropical Hesse group law doubling map
References
[1] M. Artebani and I. Dolgachev, The Hesse pencil of plane cubic curves, preprint (2006), https://arxiv.org/abs/math/0611590. 10.4171/LEM/55-3-3Search in Google Scholar
[2] P. M. Bellon and C.-M. Viallet, Algebraic entropy, Comm. Math. Phys. 204 (1999), no. 2, 425–437. 10.1007/s002200050652Search in Google Scholar
[3] J. Chauvet and E. Mahe, Key agreement under tropical parallels, Groups Complex. Cryptol. 7 (2015), no. 2, 195–198. 10.1515/gcc-2015-0013Search in Google Scholar
[4] M. Dehli Vigeland, The group law on a tropical elliptic curve, preprint (2004), https://arxiv.org/abs/math/0411485. 10.7146/math.scand.a-15094Search in Google Scholar
[5] O. Dunkelman, N. Keller and A. Shamir, Minimalism in cryptography: The even-mansour scheme revisited, Technical Report 2011/541, IACR Cryptology ePrint Archive, 2011, http://dblp.org/rec/journals/iacr/DunkelmanKS11a. Search in Google Scholar
[6] R. R. Farashahi and M. Joye, Efficient arithmetic on Hessian curves, Public Key Cryptography, Lecture Notes in Comput. Sci. 6056, Springer, Berlin (2010), 243–260. 10.1007/978-3-642-13013-7_15Search in Google Scholar
[7] B. Grammaticos, A. Ramani and C. Viallet, Solvable chaos, Phys. Lett. A 336 (2005), no. 2–3, 152–158. 10.1016/j.physleta.2005.01.026Search in Google Scholar
[8] D. Grigoriev and V. Shpilrain, Tropical cryptography, Comm. Algebra 42 (2014), no. 6, 2624–2632. 10.1080/00927872.2013.766827Search in Google Scholar
[9] M. Joye and J.-J. Quisquater, Hessian elliptic curves and side-channel attacks, Proceedings of Cryptographic Hardware and Embedded Systems – CHES 2001, Lecture Notes in Comput. Sci. 2162, Springer, Berlin (2001), 402–410. 10.1007/3-540-44709-1_33Search in Google Scholar
[10] K. Kajiwara, M. Kaneko, A. Nobe and T. Tsuda, Ultradiscretization of a solvable two-dimensional chaotic map associated with the hesse cubic curve, Kyushu J. Math. 63 (2009), no. 2, 315–338. 10.2206/kyushujm.63.315Search in Google Scholar
[11] M. Kotov and A. Ushakov, Analysis of a key exchange protocol based on tropical matrix algebra, Technical Report 2015/852, Cryptology ePrint Archive, 2015, http://eprint.iacr.org/. Search in Google Scholar
[12] D. Maclagan and B. Sturmfels, Introduction to Tropical Geometry, Grad. Stud. Math. 161, American Mathematical Society, Providence, 2015. 10.1090/gsm/161Search in Google Scholar
[13] G. Mikhalkin, Tropical geometry and its applications, preprint (2006), https://arxiv.org/abs/math/0601041. 10.4171/022-2/40Search in Google Scholar
[14] A. Nobe, A tropical analogue of the Hessian group, preprint (2011), https://arxiv.org/abs/1104.0999. Search in Google Scholar
[15] A. Nobe, The group law on the tropical Hesse pencil, preprint (2011), http://arxiv.org/abs/1111.0131. Search in Google Scholar
[16] J. Richter-Gebert, B. Sturmfels and T. Theobald, First steps in tropical geometry, preprint (2003), https://arxiv.org/abs/math/0306366. 10.1090/conm/377/06998Search in Google Scholar
[17] N. Smart, The Hessian form of an elliptic curve, Cryptographic Hardware and Embedded Systems – CHES 2001, Lecture Notes in Comput. Sci. 2162, Springer, Berlin (2001), 118–125. 10.1007/3-540-44709-1_11Search in Google Scholar
© 2017 Walter de Gruyter GmbH, Berlin/Boston