Trace zero cryptography
In 1998 Gerhard Frey first proposed using trace zero varieties for cryptographic purposes. These varieties are subgroups of the divisor class group of a low-genus hyperelliptic curve defined over a finite field. These groups can be used to establish asymmetric cryptography.
Mathematical background
A hyperelliptic curve C of genus g over a prime field where q = p^n (p prime) of odd characteristic is defined as
where f is monic, deg(f) = 2g+1 and deg(h) ≤ g. The curve has at least one -rational Weierstraß point.
The Jacobian variety of C is for every finite extension isomorphic to the ideal class group . With Mumford's representation it is possible to represent the elements of with a pair of polynomials [u, v], where u, v ∈ .
The Frobenius endomorphism σ acts on an element [u, v] of by raising each coefficient of that element to the power q: σ([u, v]) = [u^q(x), v^q(x)]. The characteristic polynomial of this endomorphism has the following form:
where a_i ∈ ℤ.
With the Hasse-Weil theorem it is possible to obtain the group order of any extension field by using the complex roots τ_i of χ(T):
Let D be an element of the of C, then it is possible to define an endomorphism of , the so-called trace of D:
Based on this endomorphism one can reduce the Jacobian variety to a subgroup G with the property that every element is of trace zero:
G is the kernel of the trace endomorphism and thus G is a group, the so-called trace zero (sub)variety (TZV) of .
The intersection of G and is produced by the n-torsion elements of . If the greatest common divisor the intersection is empty and one can compute the group order of G:
There exist three different cases of cryptographic relevance for TZV:
- g = 1, n = 3
- g = 1, n = 5
- g = 2, n = 3
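The group-order computation described above, worked through for the two g = 1 cases, as an added example that is not from the original page or its references. It assumes an elliptic curve in short Weierstrass form y^2 = x^3 + ax + b over a prime field F_p with p > 3 and the standard genus-1 convention χ(T) = T^2 − tT + q; the function names and the toy curve in the test values are constructed for illustration.

```python
from math import gcd

def count_points(a, b, p):
    """Brute-force |E(F_p)| for E: y^2 = x^3 + a*x + b (small prime p > 3)."""
    if (4 * a**3 + 27 * b**2) % p == 0:
        raise ValueError("curve is singular")
    total = 1  # the point at infinity
    for x in range(p):
        rhs = (x**3 + a * x + b) % p
        if rhs == 0:
            total += 1                        # single point with y = 0
        elif pow(rhs, (p - 1) // 2, p) == 1:  # Euler's criterion: rhs is a square
            total += 2
    return total

def extension_order(t, q, n):
    """|E(F_{q^n})| = q^n + 1 - s_n, where s_k = tau^k + conj(tau)^k for the
    roots of T^2 - t*T + q, computed by s_k = t*s_{k-1} - q*s_{k-2}."""
    s_prev, s = 2, t
    for _ in range(n - 1):
        s_prev, s = s, t * s - q * s_prev
    return q**n + 1 - s

def trace_zero_order(a, b, p, n):
    """Order of the trace zero subgroup G of E(F_{p^n}) and the gcd check."""
    base = count_points(a, b, p)
    t = p + 1 - base                     # trace of Frobenius over F_p
    ext = extension_order(t, p, n)
    order, rem = divmod(ext, base)       # |G| = |E(F_{p^n})| / |E(F_p)|
    if rem:
        raise ArithmeticError("base order must divide extension order")
    return {
        "base_order": base,
        "trace": t,
        "ext_order": ext,
        "tzv_order": order,
        # G meets E(F_p) only in the identity iff gcd(n, |E(F_p)|) = 1
        "trivial_intersection": gcd(n, base) == 1,
    }

if __name__ == "__main__":
    for n in (3, 5):  # the two g = 1 cases listed above
        print(n, trace_zero_order(1, 1, 7, n))
```

For real parameter selection the base-field point count would come from a point-counting algorithm such as Schoof's rather than brute force, and the resulting tzv_order would then be checked for a large prime factor.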