In the projective plane the Hessian pencil is given by the equation
Its properties are well known (see  for an extensive review) and Hesse curves, which constitute the Hessian pencil, have recently been popular among number theorists in relation to applied elliptic curve cryptography [17, 9]. Hessian parametrization of elliptic curves in particular has been shown to improve resistance to side-channel attacks .
Following , the replacement of the field with the tropical semiring , equipped with the addition and multiplication (together with the natural conventions to handle the special value ), provides an original source of cryptographic schemes with very fast implementations  in some cases. In addition these implementations remain practical in a parameter space well beyond the original values suggested in  and analyzed in . As an alternative to the tropical matrix algebra used there, we turn to tropical geometry in the projective space and investigate the tropical analogue of the Hessian pencil.
Tropical polynomials and tropical curves
A tropical polynomial in n variables is a tropical sum of monomials:
Then to every tropical polynomial f we can associate its hypersurface defined as the set of points where the maximum is attained at least twice. A tropical hypersurface in is a union of convex polyhedra of dimension , each one having integer slope i.e. being parallel to a hyperplane in defined over . For every facet P, there are two monomials in f that are equal and greater than any other monomial of f over P (see [13, 12]). When f is homogeneous its hypersurface can be considered as a tropical projective variety in .
For the tropical hypersurface simplifies to a plane tropical curve in and its facets are just affine segments. An unbounded segment is also called a tentacle.
The tropical lines are defined by the polynomials . A tropical line is uniquely defined by the juncture of its three tentacles, the root point such that . As in euclidean geometry, two points in a general configuration define a unique tropical line, as shown in Figure 1. (It is still true in the specific configuration where the two points lie on the same tentacle, provided we fix the appropriate one as the root.)
Tropical Hesse curves
The direct tropicalization of the Hessian pencil equation yields the tropical polynomial:
The tropical Hesse curve is the set of points where the maximum is reached more than once. Introducing the inhomogeneous coordinates in the projective plane and , we designate the tropical Hesse curve given by the tropical polynomial by (Figure 2). The tropical Hesse curves has three tentacles originating in the three vertices of coordinates , which we pick as O the origin, and , respectively. It has three facets: the line segments joining any pair of these vertices with slopes , and , respectively (counterclockwise); the curve is symmetric around the axis .
2 Group law on the tropical Hesse curve
Tropical intersections and tropical elliptic curves
We use basic facts in tropical intersection theory  to adapt the geometrical presentation of tropical elliptic curve group law from  to the case of the tropical Hesse curve. Let be called the support of the polynomial
defining a plane tropical curve. The convex hull of points is a 3-dimensional polytope, the lower faces of which project bijectively, under omission of the last coordinate, onto the planar convex hull of A, thus defining a regular subdivision Δ of A. The segments of arise from the interior edges of Δ, and the tentacles arise from its boundary edges . Figure 2, right, shows the regular subdivision of the tropical Hesse curve. The weight of a facet of the tropical curve is the lattice length of its dual edge in the regular subdivision(i.e. the number of lattice points on the edge, including extremities, minus 1). The degree of the curve is d as defined in the support of its polynomial.
Then the balancing condition holds: for any vertex V in the tropical curve with adjacent edges , let be the weight and unit vectors of edge ; then , where of . For a vertex having exactly three adjacent edges, the multiplicity is defined as the common quantity
and following  a tropical curve is called smooth if all its vertices are 3-valent and have multiplicity 1, and a tropical elliptic curve is a smooth tropical curve of degree 3 and genus 1 (number of cycles). More generally, the intersection of two segments of a plane tropical curves, with respective weight and unit vectors , has multiplicity (see ).
Inspection of Figure 2 (right) show that the weight of the Hesse curve’s tentacles are 3, and the weight of the bounded segments are 1 and the balancing condition checks for all three vertices. The degree is 3 and its genus is 1. All vertices are 3-valent, their multiplicity, however, is e.g. for the origin O:
and the tropical Hesse curve is not smooth. The cycle of the tropical curve is obtained simply by removing the three tentacles, its equation is given by .
Geometrical presentation of the group law
On a tropical elliptic curve the group law introduced in , by analogy with the traditional group law on elliptic curves, has a geometrical presentation. We restrict our attention to the cycle C of the tropical elliptic curve, see Figure 3, with an origin: addition of is computed by finding first the intersection S of the tropical line defined by with the cycle C, and then defining as the intersection of the tropical line defined by with C. Doubling of is computed by finding first the intersection S of the tropical line intersecting C with multiplicity 2 at P, with C, and then defining as the intersection of the tropical line defined by with C.
For a general point P, a tropical line intersecting C at P with multiplicity 2 does not necessarily exist. On the tropical Hesse curve, however, intersection of the tropical line rooted in any and has multiplicity 2, hence doubling is well defined over even though the curve is not smooth.
Computations of determinants for each case of P lying on the three edges of , and remembering that weights of edges on a tropical line are 1 as are weights of the bounded segments of the tropical Hesse curve, yield when P lies on the upper segment emanating from O, the lower segment emanating from O, the segment opposed to O, respectively. ∎
In [10, 15] Kajiwara and Nobe derive duplication and addition formula for the group law on the tropical Hesse curve using the process of ultradiscretization of the level-three theta functions on the (non-tropical) Hesse cubic curve. Here instead we calculate coordinates of points directly from the geometrical presentation above to obtain short formulas amenable to fast implementations. Let us divide the cycle and its interior into six faces, respectively:
In the first step of the addition, the intersection of and the tropical line determined by is determined. To do so we distinguish six cases according to which face the root of the tropical line lies in, as shown on Figure 4. In each of these configurations, for a root on a given face, the two points to add could be any pair combination of the three intersection points. We then produce in Table 1 three formulas for each configuration giving the third point from the coordinates of the two others, naming them by convention A on the unbounded north-east ray of the tropical line, B on the horizontal ray and C on the vertical one. This third point and the origin O then determine the second tropical line which intersects again at the sought for addition point, which we also call A, B, or C according to the first step.
In order to produce the doubling formulas, we consider the tropical line to be rooted on the point in to be doubled and using the same partition of the curve in six faces as above to derive the formulas.
Note that exactly two points on the tropical Hesse curve have the same image by doubling, with the exception of the origin O. Table 2 displays formulas for the doubling of point P and for Q the other point in the preimage of . Let us denote by and the preimages of P by the group law doubling; then and lie on opposite faces of the tropical Hesse curve in the following pairings .
The formulas coincide with the ones obtained through ultradiscretization in [10, 14, 15] but involve a smaller number of elementary computations (additions and comparisons). Hence their implementation over either with standard floating point precision or over with large integers can be made very efficient. Experiments with unoptimized Python implementation of the double-and-add algorithm for elliptic point multiplications using the above tables show that, over a range of exponent’s length from 10 bits to 1.024 bits, point multiplication costs in average 2.3 integral multiplications and 0.7 integral comparisons per exponent’s bit which obviously compare favorably with analogues on the non-tropical Hesse cubic [6, 9].
3 Analysis of the discrete logarithm problem
3.1 Metrics on the tropical Hesse curve
The tropical Hesse curve’s cycle is obviously homeomorphic to the circle as a topological space. Furthermore, calling the vertices starting from the origin O counterclockwise, and the successive edges, these may be assigned a length defined by , where vertical bars denote the Euclidean metric and is the primitive integer vector along the considered edge. The total length of the cycle is then
The explicitation of the homomorphism for tropical elliptic curves in  to the case of the tropical Hesse curve is
where it is enough to specify the images of the vertices. Even though the tropical Hesse curve is not a tropical elliptic curve – it is not smooth –, the proofs in  are still valid for λ as defined above. We can define a signed distance on , namely which verifies
where denotes the group law addition.
3.2 DLP on integral points
Let us now consider the standard cryptographic setting in ECC where Alice and Bob agree on a public elliptic curve, here an integral point or equivalently the uniquely associated tropical Hesse curve such that , and a public integral point on this curve’s cycle – which could simply be . Alice and Bob choose a random secret , respectively, and Alice sends Bob , Bob sends Alice so that both can compute the shared secret using the group law on the curve. The shared secret is evidently compromised if Eve is able to recover a from and P, or to recover from .
The explicit homomorphism and the signed distance defined in the previous section afford simple analysis of this cryptographic setting on the tropical Hesse curve. Starting with , let us enumerate all integral points on the cycle counterclockwise . There are such points on the cycle and the formulas for λ and d show that the group law addition reduces to a counterclockwise shift modulo . There is one point, O, or order 1, two points and of order 3, and the order of all other points divide K. The metric leads to the relation which given public knowledge of and interception of , allows derivation of .
3.3 Doubling leads to chaos
Although the previous analysis shows that the standard group law is inadequate for cryptographic purposes, the doubling operation shows sensitivity to initial conditions and ergodicity . Although the discretized doubling on integral points of the tropical Hesse curve is a permutation and thus cannot be chaotic, we can extend it to a larger subset of points with coordinates in , namely the set F of points which coordinates are fractions with denominator of the form for . The set F is stable under the doubling point of the group law and, more importantly, under the halving operation yielding the two halves and .
The algebraic entropy  of the doubling map, a quantity measuring the complexity of the map defined by , where is the degree of the rational map of the n-th iterate, is here and positive. Figure 5 shows that the cycle is filled with points in the halving orbit of P, a point not a vertex.
4 A keyed hash function based on the tropical Hessian pencil
4.1 The tropical Hesse chaotic map
For a cryptographic application of the conjunction of both algebraic group properties and chaotic characteristics of the tropical Hessian pencil reviewed in the previous sections, we fix a tropical Hesse curve and consider the following map on its cycle:
which sends a point of the cycle to one of its two halves according to the key bit k. The points coordinates are dyadic rationals, and together with the tropical elliptic addition constitute a group. Lyapunov exponent calculations show, in Figure 6, that the map behavior is chaotic in the early iterations and then stabilizes much like a random time series.
We consider the iteration of this chaotic map according to successive bits of a secret key k, and define
where , as our keyed chaotic map.
4.2 A keyed cipher construction
The construction proposed is iterative and leverages the group structure on the tropical Hesse curve cycle. The message block M and the secret key S have the same bit size n. Note that M and S are mapped each to a point on the upper edge of the public tropical Hesse curve (K a dyadic rational), which we denote by and , respectively.
The cipher round
is iterated r times, with r a public parameter of the cipher, to produce the ciphertext . The addition is the group addition on the tropical elliptic curve. In the rest of this section we denote this cipher construction by .
4.3 Correlation and diffusion properties
The cipher construction operates on a single block of the message and can be used in other block cipher architectures chaining successive message blocks and secret keys. We ran measuring experiments of this single step, however, in order to assess the diffusion properties within a single message block. At each round a secret key is mixed in the message before applying the keyed chaotic map, a step which is similar to the Single-Key Even-Mansour Scheme described by Dunkelman, Keller and Shamir .
As seen in Figure 7, for typical values of the parameters, the cipher construction shows good decorrelation between plaintext bits and ciphertext bits. Bits 0 to 127 of the 128-bit long messages are along the horizontal axis, and the number of times the said message bit is changed after ten rounds over 1,000 runs on random messages is plotted on the vertical axis. The closer the score is to half of the runs, here 500, the closer to random is the correlation between plaintext and ciphertext.
In order to study the diffusion properties, we run the cipher construction on messages that differ on a single bit only while keeping the same secret key. We then compute the Hamming distance, the number of different bits, of the ciphertexts of these single-bit differing plaintexts.
Figure 8 shows the results of running five rounds on 16-bit and 32-bit long messages, and comparing the ciphertext with the sixteen others obtained by changing one bit at each position in the original message. Each round produces an output ciphertext larger than the input message: here ciphertexts are 543-bit long of which an average of 28.67 % are changed when a single bit of the message is switched. Note that the diffusion is larger when the bit changed is higher in the message (most significant bits). By construction the diffusion stays local and with larger key sizes, the ciphertexts are longer, hence the ratio of changed bits decreases: it is 16,4 % for a 32-bit key size yielding 1,055-bit long ciphertexts from 32-bit long plaintext messages.
Properties of elliptic curve geometry naturally carry over to tropical geometry where tropical variety analogues can be defined for notions of degrees, intersections, Jacobians, metrics and group law. Looking at the specific instance of the Hesse cubic curve, a well-studied form of elliptic curve with interesting properties for cryptographic usage, it appears that these properties are lost in the linearization of the group law induced by the tropicalization of the Hessian pencil.
The tropical Hesse group law doubling map , however, and more generally the maps , , give rise to piecewise linear discrete dynamical systems exhibiting solvable chaos  behavior. These maps are good candidates components for S-box implementations with the added benefit of very fast formula implementations since they reduce to few basic additions and comparisons in the tropical semiring.
M. Artebani and I. Dolgachev, The Hesse pencil of plane cubic curves, preprint (2006), https://arxiv.org/abs/math/0611590.
P. M. Bellon and C.-M. Viallet, Algebraic entropy, Comm. Math. Phys. 204 (1999), no. 2, 425–437.
J. Chauvet and E. Mahe, Key agreement under tropical parallels, Groups Complex. Cryptol. 7 (2015), no. 2, 195–198.
M. Dehli Vigeland, The group law on a tropical elliptic curve, preprint (2004), https://arxiv.org/abs/math/0411485.
O. Dunkelman, N. Keller and A. Shamir, Minimalism in cryptography: The even-mansour scheme revisited, Technical Report 2011/541, IACR Cryptology ePrint Archive, 2011, http://dblp.org/rec/journals/iacr/DunkelmanKS11a.
R. R. Farashahi and M. Joye, Efficient arithmetic on Hessian curves, Public Key Cryptography, Lecture Notes in Comput. Sci. 6056, Springer, Berlin (2010), 243–260.
B. Grammaticos, A. Ramani and C. Viallet, Solvable chaos, Phys. Lett. A 336 (2005), no. 2–3, 152–158.
D. Grigoriev and V. Shpilrain, Tropical cryptography, Comm. Algebra 42 (2014), no. 6, 2624–2632.
M. Joye and J.-J. Quisquater, Hessian elliptic curves and side-channel attacks, Proceedings of Cryptographic Hardware and Embedded Systems – CHES 2001, Lecture Notes in Comput. Sci. 2162, Springer, Berlin (2001), 402–410.
K. Kajiwara, M. Kaneko, A. Nobe and T. Tsuda, Ultradiscretization of a solvable two-dimensional chaotic map associated with the hesse cubic curve, Kyushu J. Math. 63 (2009), no. 2, 315–338.
M. Kotov and A. Ushakov, Analysis of a key exchange protocol based on tropical matrix algebra, Technical Report 2015/852, Cryptology ePrint Archive, 2015, http://eprint.iacr.org/.
D. Maclagan and B. Sturmfels, Introduction to Tropical Geometry, Grad. Stud. Math. 161, American Mathematical Society, Providence, 2015.
G. Mikhalkin, Tropical geometry and its applications, preprint (2006), https://arxiv.org/abs/math/0601041.
A. Nobe, A tropical analogue of the Hessian group, preprint (2011), https://arxiv.org/abs/1104.0999.
A. Nobe, The group law on the tropical Hesse pencil, preprint (2011), http://arxiv.org/abs/1111.0131.
J. Richter-Gebert, B. Sturmfels and T. Theobald, First steps in tropical geometry, preprint (2003), https://arxiv.org/abs/math/0306366.
N. Smart, The Hessian form of an elliptic curve, Cryptographic Hardware and Embedded Systems – CHES 2001, Lecture Notes in Comput. Sci. 2162, Springer, Berlin (2001), 118–125.