Trace Zero Cryptography

Trace Zero Cryptography

In the year 1998 Gerhard Frey firstly purposed using trace zero varieties for cryptographic purpose. These varieties are subgroups of the divisor class group on a low genus hyperelliptic curve defined over a finite field. These groups can be used to establish asymmetric cryptography using the discrete logarithm problem as cryptographical primitive.

Mathematical background

A hyperelliptic curve "C" of genus "g" over a prime field mathbb{F}_q where "q = pn" ("p" prime) of odd characteristic is defined as

C:~y^2 + h(x)y = f(x),

where "f" monic, deg("f") = 2"g"+1 and deg("h") ≤ g. The curve has at least one mathbb{F}_q-rational Weierstraßpoint.

The Jacobian variety J_C(mathbb{F}_{q^n}) of "C" is for all finite extension mathbb{F}_{q^n} isomorphic to the ideal class group operatorname{Cl}(C/mathbb{F}_{q^n}). With the "Mumford's representation" it is possible to represent the elements of J_C(mathbb{F}_{q^n}) with a pair of polynomials " [u, v] ", where "u", "v" ∈ mathbb{F}_{q^n} [x] .

The "Frobenius endomorphism" σ is used on an element " [u, v] " of J_C(mathbb{F}_{q^n}) to raise the power of each coefficient of that element to "q": $sigma(" [u, v] ") = ["u"q(x), vq(x)] . The characteristic polynomial of this endomorphism has the following form:

chi(T) = T^{2g} + a_1T^{2g-1} + dots + a_gT^g + dots + a_1q^{g-1}T + q^g, where ai in Unicode|ℤ

With the "Hasse-Weil theorem" it is possible to receive the group order of any extension field mathbb{F}_{q^n} by using the complex roots τi of χ("T"):


J_C(mathbb{F}_{q^n})| = prod_{i=1}^{2g} (1 - au_i^n)

Let "D" be an element of the J_C(mathbb{F}_{q^n}) of "C", then it is possible to define an endomorphism of J_C(mathbb{F}_{q^n}), the so called extit{trace of D}:

operatorname{Tr}(D) = sum_{i=0}^{n-1} sigma^i(D) = D + sigma(D) + dots + sigma^{n-1}(D)

Based on this endomorphism one can reduce the Jacobian variety to a subgroup "G" with the property, that every element is of trace zero:

G = { D in J_C(mathbb{F}_{q^n})~|~ ext{Tr}(D) = extbf{ extit{0 }, ~~~( extbf{ extit{0 ext{ neutral element in } J_C(mathbb{F}_{q^n})

"G" is the kernel of the trace endomorphism and thus "G" is a group, the so called trace zero (sub)variety (TZV) of J_C(mathbb{F}_{q^n}).

The intersection of "G" and J_C(mathbb{F}_{q}) is produced by the n-torsion elements of J_C(mathbb{F}_{q}). If the greatest common divisor gcd(n, |J_C(mathbb{F}_q)|) = 1 the intersection is empty and one can compute the group order of "G":


G| = dfrac{|J_C(mathbb{F}_q) = dfrac{prod_{i=1}^{2g} (1 - au_i^n)}{ prod_{i=1}^{2g} (1 - au_i)}

The actual group used in cryptographic applications is a subgroup "G0" of "G" of a large prime order "l". This group may be "G" itself. [G. Frey and T. Lange: "Mathematical background of public key cryptography"] [T. Lange: "Trace zero subvariety for cryptosystems"]

There exist three different cases of cryptograpghical relevance for TZV [R. M. Avanzi and E. Cesena: "Trace zero varieties over fields of characteristic 2 for cryptographic applications"] :
*"g" = 1, "n" = 3
*"g" = 1, "n" = 5
*"g" = 2, "n" = 3

Arithmetic

The arithmetic used in the TZV group "G0" based on the arithmetic for the whole group J_C(mathbb{F}_{q^n}), But it is possible to use the "Frobenius endomorphism" σ to speed up the scalar multiplication. This can be archived if "G0" is generated by "D" of order "l" then "σ(D) = sD", for some integers "s". For the given cases of TZV "s" can be computed as follows, where "a"i come from the characteristic polynomial of the Frobenius endomorphism :

* For "g" = 1, "n" = 3: s = dfrac {q-1} {1 - a_1} mod{ell}

* For "g" = 1, "n" = 5: s = dfrac {q^2-q-a_1^2q+a_1q+1} {q-2a_1q+a_1^3-a_1^2+a_1-1} mod{ell}

* For "g" = 2, "n" = 3: s = - dfrac {q^2-a_2+a_1} {a_1q-a_2+1} mod{ell}

Knowing this, it is possible to replace any scalar multiplication "mD (|m| ≤ l/2)" with:

m_0D + m_1sigma(D) + dots + m_{n-1}sigma^{n-1}(D), ~~~~ ext{where }m_i = O(ell^{1/(n-1)}) = O(q^g)

With this trick the multiple scalar product can be reduced to about 1/("n"-1)th of doublings necessary for calculating "mD", if the implied constants are small enough. [R. M. Avanzi and E. Cesena: "Trace zero varieties over fields of characteristic 2 for cryptographic applications"] [T. Lange: "Trace zero subvariety for cryptosystems"]

Security

The security of cryptographic systems based on trace zero subvarieties according of the results of the papers [T. Lange: "Trace zero subvariety for cryptosystems"] [R. M. Avanzi and E. Cesena: "Trace zero varieties over fields of characteristic 2 for cryptographic applications"] comparable to the security of hyper-elliptic curves of low genus "g' " over mathbb{F}_{p'}, where "p' " ~ ("n"-1)("g/g' ") for "|G|" ~128 bits.

For the cases where "n" = 3, "g" = 2 and "n" = 5, "g" = 1 it is possible to reduce the security for at most 6 bits, where "|G|" ~ 2256, because one can not be sure that "G" is contained in a Jacobian of a curve of genus 6. The security of curves of genus 4 for similar fields are far less secure.

An attack on a trace zero crypto-system

The attack published in [C. Diem and J. Scholten: "An attack on a trace-zero cryptosystem"] shows, that the DLP in trace zero groups of genus 2 over finite fields of characteristic diverse than 2 or 3 and a field extension of degree 3 can be transformed into a DLP in a class group of degree 0 with genus of at most 6 over the base field. In this new class group the DLP can be attacked with the index calculus methods. This leads to a reduction of the bit length 1/6th.

Résumé

The first advantage to mention is, that the trace zero varieties feature a better scalar multiplication performance than elliptic curves. This allows a fast arithmetic in this groups, which can speed up the calculations with a factor 3 compared with elliptic curves.

Also is it easily possible to construct groups of cryptographically relevant size and the order of the group can simply be calculated using the characteristic polynomial of the Frobenius endomorphism.Alternatively, one can find cryptographically secure groups by searching a family of randomly chosen curves. [A. V. Sutherland: "A generic approach to searching for Jacobians"] .

However to represent an element of the trace zero variety more bits are needed compared with elements of elliptic or hyperelliptic curves.

Another point to keep in mind, is the fact, that it is possible to reduce the security of the TZV of 1/6th of the bit length using the described attack.

Notes

References

* G. Frey and T. Lange: "Mathematical background of public key cryptography", Technical report, 2005
* R. M. Avanzi and E. Cesena: "Trace zero varieties over fields of characteristic 2 for cryptographic applications", Technical report, 2007
* T. Lange: "Trace zero subvariety for cryptosystems", Technical report, 2003
* C. Diem and J. Scholten: "An attack on a trace-zero cryptosystem"
* M. Wienecke: "Cryptography on Trace-Zero Varieties", ITS-Seminar paper, http://www.crypto.rub.de/its_seminar_ws0708.html, 2008
* A. V. Sutherland: "101 useful trace zero varieties", http://www-math.mit.edu/~drew/TraceZeroVarieties.html, 2007
* A. V. Sutherland: "A generic approach to searching for Jacobians", http://arxiv.org/abs/0708.3168v2, 2007.


Wikimedia Foundation. 2010.

Игры ⚽ Нужно сделать НИР?

Look at other dictionaries:

  • Mathematics and Physical Sciences — ▪ 2003 Introduction Mathematics       Mathematics in 2002 was marked by two discoveries in number theory. The first may have practical implications; the second satisfied a 150 year old curiosity.       Computer scientist Manindra Agrawal of the… …   Universalium

  • Sécurité matérielle des cartes à puce — La sécurité matérielle des cartes à puce et des autres microcontrôleurs est l un des éléments clefs de la sécurité des informations sensibles qu ils manipulent. La littérature scientifique a produit un grand nombre de publications visant à… …   Wikipédia en Français

  • Quantum entanglement — Quantum mechanics Uncertainty principle …   Wikipedia

  • Matrix (mathematics) — Specific elements of a matrix are often denoted by a variable with two subscripts. For instance, a2,1 represents the element at the second row and first column of a matrix A. In mathematics, a matrix (plural matrices, or less commonly matrixes)… …   Wikipedia

  • List of computing and IT abbreviations — This is a list of computing and IT acronyms and abbreviations. Contents: 0–9 A B C D E F G H I J K L M N O P Q R S T U V W X Y …   Wikipedia

  • Dorian M. Goldfeld — Born January 21, 1947 (1947 01 21) (age 64) Marburg, Germany Nationality …   Wikipedia

  • Courbe Elliptique — Une sélection de courbes cubiques réelles définies par l équation y2 = x3 + ax + b.. La région montrée est [ 3,3]². La courbe pour a=b=0 n est pas elliptique. En mathématiques, une courbe elliptique est un cas particulier de courbe algébrique,… …   Wikipédia en Français

  • Courbes Elliptiques — Courbe elliptique Une sélection de courbes cubiques réelles définies par l équation y2 = x3 + ax + b.. La région montrée est [ 3,3]². La courbe pour a=b=0 n est pas elliptique. En mathématiques, une courbe elliptique est un cas particulier de… …   Wikipédia en Français

  • Courbes elliptiques — Courbe elliptique Une sélection de courbes cubiques réelles définies par l équation y2 = x3 + ax + b.. La région montrée est [ 3,3]². La courbe pour a=b=0 n est pas elliptique. En mathématiques, une courbe elliptique est un cas particulier de… …   Wikipédia en Français

  • Battle of the Coral Sea — Part of the Pacific Theater of World War II …   Wikipedia

Share the article and excerpts

Direct link
Do a right-click on the link above
and select “Copy Link”