
Trace zero cryptography

From Wikipedia, the free encyclopedia
This is an old revision of this page, as edited by Mwie (talk | contribs) at 19:49, 10 March 2008 (Mathbackground added - This contribution is a result of the seminar 'Cryptography and Security in 'Alternative Cryptology' at the chair for communication security at the Ruhr-University Bochum, German). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

In 1998 Gerhard Frey first proposed using trace zero varieties for cryptographic purposes. These varieties are subgroups of the divisor class group on a low genus hyperelliptic curve defined over a finite field. These groups can be used to establish asymmetric cryptography.

Mathematical background

A hyperelliptic curve C of genus g over a prime field where q = p^n (p prime) of odd characteristic is defined as

where f is monic, deg(f) = 2g+1 and deg(h) ≤ g. The curve has at least one -rational Weierstraß point.

The Jacobian variety of C is, for all finite extensions, isomorphic to the ideal class group . With Mumford's representation it is possible to represent the elements of with a pair of polynomials [u, v], where u, v.

The Frobenius endomorphism σ is used on an element [u, v] of to raise each coefficient of that element to the power q: σ([u, v]) = [u^q(x), v^q(x)]. The characteristic polynomial of this endomorphism has the following form:

where a_i ∈ ℤ

With the Hasse-Weil theorem it is possible to obtain the group order over any extension field by using the complex roots τ_i of χ(T):

Let D be an element of the of C, then it is possible to define an endomorphism of , the so-called trace of D:

Based on this endomorphism one can reduce the Jacobian variety to a subgroup G with the property that every element is of trace zero:

G is the kernel of the trace endomorphism and thus G is a group, the so-called trace zero (sub)variety (TZV) of .

The intersection of G and is produced by the n-torsion elements of . If the greatest common divisor the intersection is empty and one can compute the group order of G:

[1] [2] [3] [4]

There exist three different cases of cryptographic relevance for TZV:

  • g = 1, n = 3
  • g = 1, n = 5
  • g = 2, n = 3
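
The group-order computation described above, carried through for the two g = 1 cases (n = 3 and n = 5), as an added example that is not part of the original article. It uses the standard genus 1 formulas #E(F_{q^n}) = q^n + 1 − (τ1^n + τ2^n) and |G| = #E(F_{q^n}) / #E(F_q), which are supplied here rather than taken from the page; the toy curve y² = x³ + 2x + 2 over F_17 and all function names are constructed for illustration.

```python
from math import gcd

def count_points(p, a, b):
    """#E(F_p) for E: y^2 = x^3 + a*x + b, by exhaustive search (toy sizes only)."""
    if (4 * a**3 + 27 * b**2) % p == 0:
        raise ValueError("curve is singular")
    roots = {}                              # r -> number of y in F_p with y^2 = r
    for y in range(p):
        r = y * y % p
        roots[r] = roots.get(r, 0) + 1
    affine = sum(roots.get((x**3 + a * x + b) % p, 0) for x in range(p))
    return affine + 1                       # plus the point at infinity

def power_sum(q, t, n):
    """tau1^n + tau2^n for the roots of chi(T) = T^2 - t*T + q, in integers only."""
    prev, cur = 2, t                        # s_0 = 2, s_1 = t
    for _ in range(n - 1):
        prev, cur = cur, t * cur - q * prev # s_k = t*s_{k-1} - q*s_{k-2}
    return cur

def trace_zero_order(p, a, b, n):
    """Return (|G|, coprime) for the trace zero subgroup G of E(F_{p^n}).

    coprime is True when gcd(n, #E(F_p)) = 1, the condition under which
    G meets E(F_p) only in the identity.
    """
    n1 = count_points(p, a, b)              # #E(F_p)
    t = p + 1 - n1                          # trace of Frobenius
    nn = p**n + 1 - power_sum(p, t, n)      # #E(F_{p^n})
    if nn % n1 != 0:
        raise ArithmeticError("#E(F_p) must divide #E(F_{p^n})")
    return nn // n1, gcd(n, n1) == 1

if __name__ == "__main__":
    # Constructed toy parameters: E: y^2 = x^3 + 2x + 2 over F_17.
    for n in (3, 5):
        order, coprime = trace_zero_order(17, 2, 2, n)
        print(f"n={n}: |G|={order}, gcd(n, #E(F_p))=1: {coprime}")
```

The toy orders only check the arithmetic; real parameters are chosen so that |G| has a large prime factor.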

References

  1. G. Frey and T. Lange: "Mathematical background of public key cryptography", Technical report, 2005
  2. R. M. Avanzi and E. Cesena: "Trace zero varieties over fields of characteristic 2 for cryptographic applications", Technical report, 2007
  3. T. Lange: "Trace zero subvariety for cryptosystems", Technical report, 2003
  4. C. Diem and J. Scholten: "An attack on a trace-zero cryptosystem"