
Groups Complexity Cryptology


Cryptography from the tropical Hessian pencil

Jean-Marie Chauvet (corresponding author) / Eric Mahé
  • MassiveRand, 62, ave. Pierre Grenier, 92100 Boulogne-Billancourt, France
Published Online: 2017-04-19 | DOI: https://doi.org/10.1515/gcc-2017-0002


Recent work by Grigoriev and Shpilrain [8] suggests looking at the tropical semiring for cryptographic schemes. In this contribution we explore the tropical analogue of the Hessian pencil of plane cubic curves as a source of group-based cryptography. Using elementary tropical geometry on the tropical Hessian curves, we derive the addition and doubling formulas induced from their Jacobian and investigate the discrete logarithm problem in this group. We show that the DLP is solvable when restricted to integral points on the tropical Hesse curve, and hence inadequate for cryptographic applications. Consideration of point duplication, however, provides instances of solvable chaotic maps producing random sequences and thus a source of fast keyed hash functions.

Keywords: Tropical geometry; discrete dynamical systems; keyed hash function; elliptic curve cryptography

MSC 2010: 14H40; 14H52; 14K25; 37E05; 37F10

1 Introduction

In the projective plane 2() the Hessian pencil is given by the equation


Its properties are well known (see [1] for an extensive review) and Hesse curves, which constitute the Hessian pencil, have recently been popular among number theorists in relation to applied elliptic curve cryptography [17, 9]. Hessian parametrization of elliptic curves in particular has been shown to improve resistance to side-channel attacks [9].

Following [8], the replacement of the field with the tropical semiring 𝕋={-}, equipped with the addition x+y:=max(x,y) and multiplication xy:=x+y (together with the natural conventions to handle the special value -), provides an original source of cryptographic schemes with very fast implementations [3] in some cases. In addition these implementations remain practical in a parameter space well beyond the original values suggested in [8] and analyzed in [11]. As an alternative to the tropical matrix algebra used there, we turn to tropical geometry in the projective space 2(𝕋) and investigate the tropical analogue of the Hessian pencil.

Tropical polynomials and tropical curves

A tropical polynomial in n variables x1xn is a tropical sum of monomials:


Then to every tropical polynomial f we can associate its hypersurface Vf𝕋n defined as the set of points where the maximum is attained at least twice. A tropical hypersurface in 𝕋n is a union of convex polyhedra of dimension n-1, each one having integer slope i.e. being parallel to a hyperplane in n defined over . For every facet P, there are two monomials in f that are equal and greater than any other monomial of f over P (see [13, 12]). When f is homogeneous its hypersurface can be considered as a tropical projective variety in n-1(𝕋).

For n=2 the tropical hypersurface simplifies to a plane tropical curve in 𝕋2 and its facets are just affine segments. An unbounded segment is also called a tentacle.

Tropical lines

The tropical lines are defined by the polynomials aX+bY+c:=max(a+X,b+Y,c). A tropical line is uniquely defined by the juncture of its three tentacles, the root point such that a+X=b+Y=c. As in Euclidean geometry, two points in a general configuration define a unique tropical line, as shown in Figure 1. (It is still true in the specific configuration where the two points lie on the same tentacle, provided we fix the appropriate one as the root.)

Figure 1

Tropical lines. First row: In the general configuration, two points in 𝕋2 define a unique tropical line passing through them both. Second row: When both points lie on the same tentacle, fixing the appropriate one as the root also defines a unique tropical line.

Tropical Hesse curves

The direct tropicalization of the Hessian pencil equation yields the tropical polynomial:


The tropical Hesse curve is the set of points where the maximum is reached more than once. Introducing the inhomogeneous coordinates in the projective plane (X=z-x,Y=z-y) and K=μ-λ, we designate the tropical Hesse curve given by the tropical polynomial FK(X,Y)=max(3X,3Y,0,K+X+Y) by HK (Figure 2). The tropical Hesse curve has three tentacles originating in the three vertices of coordinates (K,K), which we pick as the origin O, (-K,0) and (0,-K), respectively. It has three facets: the line segments joining any pair of these vertices with slopes (2,1), (1,-1) and (1,2), respectively (counterclockwise); the curve is symmetric around the axis X=Y.

Figure 2

Left: The tropical Hesse curve HK. Right: The regular subdivision of the tropical Hesse curve, with the scaled tropical Hesse curve (red) showing mapping between crossing segments of the curve and its regular subdivision: tentacles cross boundary edges of the subdivision; internal segments cross internal edges of the subdivision.

2 Group law on the tropical Hesse curve

Tropical intersections and tropical elliptic curves

We use basic facts in tropical intersection theory [13] to adapt the geometrical presentation of tropical elliptic curve group law from [4] to the case of the tropical Hesse curve. Let A{i,j,k:i+j+k=d} be called the support of the polynomial


defining a plane tropical curve. The convex hull of points (i,j,k,aijk) is a 3-dimensional polytope, the lower faces of which project bijectively, under omission of the last coordinate, onto the planar convex hull of A, thus defining a regular subdivision Δ of A. The segments of Vf arise from the interior edges of Δ, and the tentacles arise from its boundary edges [16]. Figure 2, right, shows the regular subdivision of the tropical Hesse curve. The weight of a facet of the tropical curve is the lattice length of its dual edge in the regular subdivision (i.e. the number of lattice points on the edge, including extremities, minus 1). The degree of the curve is d as defined in the support of its polynomial.

Then the balancing condition holds: for any vertex V in the tropical curve Vf with adjacent edges $E_1,\ldots,E_p$, let $w_i, v_i$ be the weight and unit vectors of edge $E_i$; then $w_1v_1+\cdots+w_nv_n=0$, where 0=(0,0) of 2(𝕋). For a vertex having exactly three adjacent edges, the multiplicity is defined as the common quantity


and following [4] a tropical curve is called smooth if all its vertices are 3-valent and have multiplicity 1, and a tropical elliptic curve is a smooth tropical curve of degree 3 and genus 1 (number of cycles). More generally, the intersection of two segments of plane tropical curves, with respective weights w1,w2 and unit vectors v1,v2, has multiplicity w1w2|det(v1,v2)| (see [16]).

Inspection of Figure 2 (right) shows that the weights of the Hesse curve’s tentacles are 3 and the weights of the bounded segments are 1, and the balancing condition holds at all three vertices. The degree is 3 and its genus is 1. All vertices are 3-valent; their multiplicity, however, is e.g. for the origin O:


and the tropical Hesse curve is not smooth. The cycle CK of the tropical curve HK is obtained simply by removing the three tentacles, its equation is given by max(3X,3Y,0)=K+X+Y.

Geometrical presentation of the group law

On a tropical elliptic curve the group law introduced in [4], by analogy with the traditional group law on elliptic curves, has a geometrical presentation. We restrict our attention to the cycle C of the tropical elliptic curve, see Figure 3, with O ∈ C an origin: addition of P,Q ∈ C is computed by finding first the intersection S of the tropical line defined by P,Q with the cycle C, and then defining P+Q as the intersection of the tropical line defined by S,O with C. Doubling of P ∈ C is computed by finding first the intersection S of the tropical line intersecting C with multiplicity 2 at P, with C, and then defining 2P as the intersection of the tropical line defined by S,O with C.

For a general point P, a tropical line intersecting C at P with multiplicity 2 does not necessarily exist. On the tropical Hesse curve, however, intersection of the tropical line rooted in any P ∈ CK and CK has multiplicity 2, hence doubling is well defined over CK even though the curve is not smooth.

Figure 3

Left: Point addition in the tropical Hesse curve group law; a first step determines S from P and Q, a second step yields P+Q from S and the origin O. Right: Point doubling in the tropical Hesse curve group law; a first step determines S from P, a second step yields 2P from S and the origin O.


Computations of determinants for each case of P lying on the three edges of CK, and remembering that weights of edges on a tropical line are 1 as are weights of the bounded segments of the tropical Hesse curve, yield


when P lies on the upper segment emanating from O, the lower segment emanating from O, the segment opposed to O, respectively. ∎

Addition formulas

In [10, 15] Kajiwara and Nobe derive duplication and addition formulas for the group law on the tropical Hesse curve using the process of ultradiscretization of the level-three theta functions on the (non-tropical) Hesse cubic curve. Here instead we calculate coordinates of points directly from the geometrical presentation above to obtain short formulas amenable to fast implementations. Let us divide the cycle CK and its interior into six faces, respectively:


In the first step of the addition, the intersection of CK and the tropical line determined by P,Q ∈ CK is determined. To do so we distinguish six cases according to which face the root of the tropical line lies in, as shown in Figure 4. In each of these configurations, for a root on a given face, the two points to add could be any pair combination of the three intersection points. We then produce in Table 1 three formulas for each configuration giving the third point from the coordinates of the two others, naming them by convention A on the unbounded north-east ray of the tropical line, B on the horizontal ray and C on the vertical one. This third point and the origin O then determine the second tropical line, which intersects CK again at the sought-for addition point, which we also call A, B, or C according to the first step.

Figure 4

The six configurations of the group addition on the tropical Hesse curve according to the face the root of the tropical line P,Q lies in: Face 1 to 6, left to right, top to bottom.

Table 1

Given P and Q on CK defining a tropical line with root r, P being one of A,B,C, and Q being one of A,B,C on this tropical line, the table provides coordinates of P+Q according to which face r lies in.

Doubling formulas

In order to produce the doubling formulas, we consider the tropical line to be rooted on the point in CK to be doubled and use the same partition of the curve into six faces as above to derive the formulas.

Table 2

Formulas for doubling of P and alternate preimage Q of the double of P.

Note that exactly two points on the tropical Hesse curve have the same image by doubling, with the exception of the origin O. Table 2 displays formulas for the doubling of point P and for Q the other point in the preimage of [2]P. Let us denote by $[\tfrac{1}{2}]_0P$ and $[\tfrac{1}{2}]_1P$ the preimages of P by the group law doubling; then $[\tfrac{1}{2}]_0P$ and $[\tfrac{1}{2}]_1P$ lie on opposite faces of the tropical Hesse curve in the following pairings (F1,F4),(F2,F5),(F3,F6).

The formulas coincide with the ones obtained through ultradiscretization in [10, 14, 15] but involve a smaller number of elementary computations (additions and comparisons). Hence their implementation over either with standard floating point precision or over with large integers can be made very efficient. Experiments with an unoptimized Python implementation of the double-and-add algorithm for elliptic point multiplications using the above tables show that, over a range of exponent lengths from 10 bits to 1.024 bits, point multiplication costs on average 2.3 integral multiplications and 0.7 integral comparisons per exponent bit, which obviously compares favorably with analogues on the non-tropical Hesse cubic [6, 9].

3 Analysis of the discrete logarithm problem

3.1 Metrics on the tropical Hesse curve

The tropical Hesse curve’s cycle $C_K$ is obviously homeomorphic to the circle $S^1$ as a topological space. Furthermore, calling $V_1,V_2$ the vertices starting from the origin O counterclockwise, and $E_0,E_1,E_2$ the successive edges, these may be assigned a length defined by $|E_i|/|v_i|$, where vertical bars denote the Euclidean metric and $v_i$ is the primitive integer vector along the considered edge. The total length of the cycle is then


Made explicit for the case of the tropical Hesse curve, the homomorphism for tropical elliptic curves in [4] is


where it is enough to specify the images of the vertices. Even though the tropical Hesse curve is not a tropical elliptic curve – it is not smooth –, the proofs in [4] are still valid for λ as defined above. We can define a signed distance on CK, namely d(P,Q)=(CK)×(λ(P)-λ(Q)), which satisfies

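$$
\begin{aligned}
d(P,Q)+d(Q,R) &= d(P,R) && \text{for all } P,Q,R\in C_K,\\
d(O,P+Q) &= d(O,P)+d(O,Q) && \text{for all } P,Q\in C_K,\\
\lambda(P+Q) &= \lambda(P)+\lambda(Q) && \text{for all } P,Q\in C_K,
\end{aligned}
$$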

where + denotes the group law addition.

3.2 DLP on integral points

Let us now consider the standard cryptographic setting in ECC where Alice and Bob agree on a public elliptic curve, here an integral point (Xpub,Ypub) or equivalently the uniquely associated tropical Hesse curve such that (Xpub,Ypub) ∈ CK, and a public integral point P ∈ CK on this curve’s cycle – which could simply be (Xpub,Ypub). Alice and Bob choose a random secret a, b, respectively, and Alice sends Bob [a]P, Bob sends Alice [b]P so that both can compute the shared secret [ab]P=[ba]P using the group law on the curve. The shared secret is evidently compromised if Eve is able to recover a from [a]P and P, or to recover [ab]P from P,[a]P,[b]P.

The explicit homomorphism and the signed distance defined in the previous section afford simple analysis of this cryptographic setting on the tropical Hesse curve. Starting with $P_0=O$, let us enumerate all integral points on the cycle $C_K$ counterclockwise: $P_0,P_1,\ldots,P_{3K-1}$. There are 3K such points on the cycle and the formulas for λ and d show that the group law addition reduces to a counterclockwise shift modulo 3K. There is one point, O, of order 1, two points $V_1$ and $V_2$ of order 3, and the order of all other points divides K. The metric leads to the relation $P_{nm \bmod 3K}=[n]P_m$ which, given public knowledge of $P_m$ and interception of $P_j=[n]P_m$, allows derivation of $n=jm^{-1} \pmod{3K}$.
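The recovery described in the paragraph above, as an added Python example that is not code from the article: it models the group law on integral points as the index shift modulo 3K stated in the text and solves the resulting linear congruence, including the case gcd(m, 3K) ≠ 1 where m has no inverse. The index formulas are derived here from the vertex coordinates (K,K), (-K,0), (0,-K) of Section 1; the function names, the walking direction and the sample values are assumptions of this example.

```python
from math import gcd

def point_at(K, i):
    """P_i on the cycle C_K, counting lattice steps from O = (K, K)."""
    i %= 3 * K
    if i < K:                       # edge O -> (-K, 0), primitive vector (-2, -1)
        return (K - 2 * i, K - i)
    if i < 2 * K:                   # edge (-K, 0) -> (0, -K), vector (1, -1)
        t = i - K
        return (-K + t, -t)
    t = i - 2 * K                   # edge (0, -K) -> O, vector (1, 2)
    return (t, -K + 2 * t)

def index_of(K, point):
    """Inverse of point_at; rejects points that are not integral points of C_K."""
    X, Y = point
    if X - 2 * Y == -K and 0 < Y <= K:
        return K - Y
    if X + Y == -K and -K < Y <= 0:
        return K - Y
    if Y - 2 * X == -K and 0 <= X < K:
        return 2 * K + X
    raise ValueError("not an integral point of C_K")

def scalar_mul(K, n, P):
    """[n]P, using the text's statement that addition is a shift modulo 3K."""
    return point_at(K, n * index_of(K, P))

def recover_scalar(K, P, nP):
    """Some n with [n]P = nP, or None when nP is not a multiple of P."""
    N, m, j = 3 * K, index_of(K, P), index_of(K, nP)
    g = gcd(m, N)
    if j % g:
        return None                 # m*n = j (mod 3K) has no solution
    N_g = N // g
    if N_g == 1:                    # P = O: its only multiple is O itself
        return 0
    return (j // g) * pow(m // g, -1, N_g) % N_g

def eve_shared_secret(K, P, aP, bP):
    """What an eavesdropper computes from the three public points alone."""
    n = recover_scalar(K, P, aP)
    return None if n is None else scalar_mul(K, n, bP)

def demo():
    K = 2**128 + 1                  # constructed sample values
    P = point_at(K, 7)              # gcd(7, 3K) = 1, so n = j * m^-1 mod 3K
    a, b = 0x1234567890ABCDEF, 0x0FEDCBA987654321
    aP, bP = scalar_mul(K, a, P), scalar_mul(K, b, P)
    return scalar_mul(K, a, bP), eve_shared_secret(K, P, aP, bP)

if __name__ == "__main__":
    shared, eve = demo()
    print("Eve recovers the shared point:", shared == eve)
```

When gcd(m, 3K) = g > 1 the scalar is only determined modulo 3K/g, but any solution of the congruence yields the same shared point, so the exchange is still broken.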

3.3 Doubling leads to chaos

Although the previous analysis shows that the standard group law is inadequate for cryptographic purposes, the doubling operation shows sensitivity to initial conditions and ergodicity [10]. Although the discretized doubling on integral points of the tropical Hesse curve is a permutation and thus cannot be chaotic, we can extend it to a larger subset of points with coordinates in , namely the set F of points whose coordinates are fractions with denominator of the form $2^n$ for n. The set F is stable under the point doubling of the group law and, more importantly, under the halving operation yielding the two halves $[2^{-1}]_0M$ and $[2^{-1}]_1M$.

The algebraic entropy [2] of the doubling map, a quantity measuring the complexity of the map defined by $\lim_{n\to\infty}\log(d_n)/n$, where $d_n$ is the degree of the rational map of the n-th iterate, is here log(2) and positive. Figure 5 shows that the cycle $C_K$ is filled with points in the halving orbit of P, a point not a vertex.

Figure 5

Left: On the cycle $C_{22+101/128}$ of the tropical Hesse curve, 256 iterations of the halving map, showing almost equal distribution on all faces, respectively 42, 43, 43, 42, 43, and 43 points on faces 1 to 6. Right: x coordinates of the first 1,000 doubling iterations of point (8+1/128,15+51/128).

4 A keyed hash function based on the tropical Hessian pencil

4.1 The tropical Hesse chaotic map

For a cryptographic application of the conjunction of both algebraic group properties and chaotic characteristics of the tropical Hessian pencil reviewed in the previous sections, we fix a tropical Hesse curve CK and consider the following map on its cycle:


which sends a point $P_i$ of the cycle to one of its two halves according to the key bit k. The coordinates of the points $P_i$ are dyadic rationals, and together with the tropical elliptic addition these points constitute a group. Lyapunov exponent calculations show, in Figure 6, that the map’s behavior is chaotic in the early iterations and then stabilizes much like a random time series.

Figure 6

Left diagram: Evolution of the (log) stretching factor in the early iterations of the tropical Hessian doubling/halving chaotic map. Right diagram: Comparative evolutions of the tropical Hessian map, black circles, and a random time series, blue triangles. (Graphs generated in R using the lyap_k function of the tseriesChaos package from 2,000 halvings of $C_{170,370/131,072}$.)

We consider the iteration of this chaotic map according to successive bits $k_0k_1\cdots k_{n-1}$ of a secret key k, and define


where $P_{i+1}=[2^{-1}]_{k_i}P_i$, as our keyed chaotic map.

4.2 A keyed cipher construction

The construction proposed is iterative and leverages the group structure on the tropical Hesse curve cycle. The message block M and the secret key S have the same bit size n. Note that M and S are mapped each to a point on the upper edge of the public CK tropical Hesse curve (K a dyadic rational), which we denote by M0 and S0, respectively.

The cipher round


is iterated r times, with r a public parameter of the cipher, to produce the ciphertext Mr. The addition is the group addition on the tropical elliptic curve. In the rest of this section we denote this cipher construction by THC(K,r).

4.3 Correlation and diffusion properties

The THC(K,r) cipher construction operates on a single block of the message and can be used in other block cipher architectures chaining successive message blocks and secret keys. We ran measuring experiments of this single step, however, in order to assess the diffusion properties within a single message block. At each round a secret key is mixed in the message before applying the keyed chaotic map, a step which is similar to the Single-Key Even-Mansour Scheme described by Dunkelman, Keller and Shamir [5].

As seen in Figure 7, for typical values of the parameters, the cipher construction shows good decorrelation between plaintext bits and ciphertext bits. Bits 0 to 127 of the 128-bit long messages are along the horizontal axis, and the number of times the said message bit is changed after ten rounds over 1,000 runs on random messages is plotted on the vertical axis. The closer the score is to half of the runs, here 500, the closer to random is the correlation between plaintext and ciphertext.

Figure 7

Boxplot graph of individual bit correlations between plaintext and ciphertext for THC(2128+1,10): horizontal axis, bit position in ciphertext; vertical axis, cumulated bit differences over 1000 runs; the closer to half, here 500, the better. The display shows artifacts on a few of the high bits and a few mid-bits as a result of the choice of mapping of messages and keys to the tropical Hesse curve.

In order to study the diffusion properties, we run the cipher construction on messages that differ on a single bit only while keeping the same secret key. We then compute the Hamming distance, the number of different bits, of the ciphertexts of these single-bit differing plaintexts.

Figure 8

Boxplot graph of Hamming distances, in bits, between plaintext and ciphertext showing how bit by bit changes are propagated from plaintext to ciphertext according to position: left, 16-bit keys and plaintexts; right, 32-bit keys and plaintexts.

Figure 8 shows the results of running five rounds on 16-bit and 32-bit long messages, and comparing the ciphertext with the sixteen others obtained by changing one bit at each position in the original message. Each round produces an output ciphertext larger than the input message: here ciphertexts are 543-bit long of which an average of 28.67 % are changed when a single bit of the message is switched. Note that the diffusion is larger when the bit changed is higher in the message (most significant bits). By construction the diffusion stays local and with larger key sizes, the ciphertexts are longer, hence the ratio of changed bits decreases: it is 16.4 % for a 32-bit key size yielding 1,055-bit long ciphertexts from 32-bit long plaintext messages.

5 Conclusions

Properties of elliptic curve geometry naturally carry over to tropical geometry where tropical variety analogues can be defined for notions of degrees, intersections, Jacobians, metrics and group law. Looking at the specific instance of the Hesse cubic curve, a well-studied form of elliptic curve with interesting properties for cryptographic usage, it appears that these properties are lost in the linearization of the group law induced by the tropicalization of the Hessian pencil.

The tropical Hesse group law doubling map $P\mapsto[2^n]P$, however, and more generally the maps $P\mapsto[p^n]P$, p, give rise to piecewise linear discrete dynamical systems exhibiting solvable chaos [7] behavior. These maps are good candidate components for S-box implementations with the added benefit of very fast formula implementations since they reduce to a few basic additions and comparisons in the tropical semiring.


References

  • [1] M. Artebani and I. Dolgachev, The Hesse pencil of plane cubic curves, preprint (2006), https://arxiv.org/abs/math/0611590.
  • [2] P. M. Bellon and C.-M. Viallet, Algebraic entropy, Comm. Math. Phys. 204 (1999), no. 2, 425–437.
  • [3] J. Chauvet and E. Mahe, Key agreement under tropical parallels, Groups Complex. Cryptol. 7 (2015), no. 2, 195–198.
  • [4] M. Dehli Vigeland, The group law on a tropical elliptic curve, preprint (2004), https://arxiv.org/abs/math/0411485.
  • [5] O. Dunkelman, N. Keller and A. Shamir, Minimalism in cryptography: The even-mansour scheme revisited, Technical Report 2011/541, IACR Cryptology ePrint Archive, 2011, http://dblp.org/rec/journals/iacr/DunkelmanKS11a.
  • [6] R. R. Farashahi and M. Joye, Efficient arithmetic on Hessian curves, Public Key Cryptography, Lecture Notes in Comput. Sci. 6056, Springer, Berlin (2010), 243–260.
  • [7] B. Grammaticos, A. Ramani and C. Viallet, Solvable chaos, Phys. Lett. A 336 (2005), no. 2–3, 152–158.
  • [8] D. Grigoriev and V. Shpilrain, Tropical cryptography, Comm. Algebra 42 (2014), no. 6, 2624–2632.
  • [9] M. Joye and J.-J. Quisquater, Hessian elliptic curves and side-channel attacks, Proceedings of Cryptographic Hardware and Embedded Systems – CHES 2001, Lecture Notes in Comput. Sci. 2162, Springer, Berlin (2001), 402–410.
  • [10] K. Kajiwara, M. Kaneko, A. Nobe and T. Tsuda, Ultradiscretization of a solvable two-dimensional chaotic map associated with the hesse cubic curve, Kyushu J. Math. 63 (2009), no. 2, 315–338.
  • [11] M. Kotov and A. Ushakov, Analysis of a key exchange protocol based on tropical matrix algebra, Technical Report 2015/852, Cryptology ePrint Archive, 2015, http://eprint.iacr.org/.
  • [12] D. Maclagan and B. Sturmfels, Introduction to Tropical Geometry, Grad. Stud. Math. 161, American Mathematical Society, Providence, 2015.
  • [13] G. Mikhalkin, Tropical geometry and its applications, preprint (2006), https://arxiv.org/abs/math/0601041.
  • [14] A. Nobe, A tropical analogue of the Hessian group, preprint (2011), https://arxiv.org/abs/1104.0999.
  • [15] A. Nobe, The group law on the tropical Hesse pencil, preprint (2011), http://arxiv.org/abs/1111.0131.
  • [16] J. Richter-Gebert, B. Sturmfels and T. Theobald, First steps in tropical geometry, preprint (2003), https://arxiv.org/abs/math/0306366.
  • [17] N. Smart, The Hessian form of an elliptic curve, Cryptographic Hardware and Embedded Systems – CHES 2001, Lecture Notes in Comput. Sci. 2162, Springer, Berlin (2001), 118–125.

About the article

Received: 2016-02-27

Published Online: 2017-04-19

Published in Print: 2017-05-01

Citation Information: Groups Complexity Cryptology, ISSN (Online) 1869-6104, ISSN (Print) 1867-1144, DOI: https://doi.org/10.1515/gcc-2017-0002.


© 2017 Walter de Gruyter GmbH, Berlin/Boston.
