Trace Zero Cryptography

In the year 1998 Gerhard Frey firstly purposed using trace zero varieties for cryptographic purpose. These varieties are subgroups of the divisor class group on a low genus hyperelliptic curve defined over a finite field. These groups can be used to establish asymmetric cryptography using the discrete logarithm problem as cryptographical primitive.

Mathematical background

A hyperelliptic curve "C" of genus "g" over a prime field $mathbb\{F\}\_q$ where "q = pⁿ" ("p" prime) of odd characteristic is defined as

$C:~y^2\; +\; h(x)y\; =\; f(x),$

where "f" monic, deg("f") = 2"g"+1 and deg("h") ≤ g. The curve has at least one $mathbb\{F\}\_q$-rational Weierstraßpoint.

The Jacobian variety $J\_C(mathbb\{F\}\_\{q^n\})$ of "C" is for all finite extension $mathbb\{F\}\_\{q^n\}$ isomorphic to the ideal class group $operatorname\{Cl\}(C/mathbb\{F\}\_\{q^n\})$. With the "Mumford's representation" it is possible to represent the elements of $J\_C(mathbb\{F\}\_\{q^n\})$ with a pair of polynomials " [u, v] ", where "u", "v" ∈ $mathbb\{F\}\_\{q^n\}\; [x]$.

The "Frobenius endomorphism" σ is used on an element " [u, v] " of $J\_C(mathbb\{F\}\_\{q^n\})$ to raise the power of each coefficient of that element to "q": $sigma(" [u, v] ") = ["u"^q(x), v^q(x)] . The characteristic polynomial of this endomorphism has the following form:

$chi(T)\; =\; T^\{2g\}\; +\; a\_1T^\{2g-1\}\; +\; dots\; +\; a\_gT^g\; +\; dots\; +\; a\_1q^\{g-1\}T\; +\; q^g,$ where a_i in Unicode|ℤ

With the "Hasse-Weil theorem" it is possible to receive the group order of any extension field $mathbb\{F\}\_\{q^n\}$ by using the complex roots τ_i of χ("T"):

$$
J_C(mathbb{F}_{q^n})| = prod_{i=1}^{2g} (1 - au_i^n)

Let "D" be an element of the $J\_C(mathbb\{F\}\_\{q^n\})$ of "C", then it is possible to define an endomorphism of $J\_C(mathbb\{F\}\_\{q^n\})$, the so called extit{trace of D}:

$operatorname\{Tr\}(D)\; =\; sum\_\{i=0\}^\{n-1\}\; sigma^i(D)\; =\; D\; +\; sigma(D)\; +\; dots\; +\; sigma^\{n-1\}(D)$

Based on this endomorphism one can reduce the Jacobian variety to a subgroup "G" with the property, that every element is of trace zero:

$G\; =\; \{\; D\; in\; J\_C(mathbb\{F\}\_\{q^n\})~|~\; ext\{Tr\}(D)\; =\; extbf\{\; extit\{0\; \},\; ~~~(\; extbf\{\; extit\{0\; ext\{\; neutral\; element\; in\; \}\; J\_C(mathbb\{F\}\_\{q^n\})$

"G" is the kernel of the trace endomorphism and thus "G" is a group, the so called trace zero (sub)variety (TZV) of $J\_C(mathbb\{F\}\_\{q^n\})$.

The intersection of "G" and $J\_C(mathbb\{F\}\_\{q\})$ is produced by the n-torsion elements of $J\_C(mathbb\{F\}\_\{q\})$. If the greatest common divisor $gcd(n,\; |J\_C(mathbb\{F\}\_q)|)\; =\; 1$ the intersection is empty and one can compute the group order of "G":

$$
G| = dfrac{|J_C(mathbb{F}_q) = dfrac{prod_{i=1}^{2g} (1 - au_i^n)}{ prod_{i=1}^{2g} (1 - au_i)}

The actual group used in cryptographic applications is a subgroup "G₀" of "G" of a large prime order "l". This group may be "G" itself. [G. Frey and T. Lange: "Mathematical background of public key cryptography"] [T. Lange: "Trace zero subvariety for cryptosystems"]

There exist three different cases of cryptograpghical relevance for TZV [R. M. Avanzi and E. Cesena: "Trace zero varieties over fields of characteristic 2 for cryptographic applications"] :
*"g" = 1, "n" = 3
*"g" = 1, "n" = 5
*"g" = 2, "n" = 3

Arithmetic

The arithmetic used in the TZV group "G₀" based on the arithmetic for the whole group $J\_C(mathbb\{F\}\_\{q^n\})$, But it is possible to use the "Frobenius endomorphism" σ to speed up the scalar multiplication. This can be archived if "G₀" is generated by "D" of order "l" then "σ(D) = sD", for some integers "s". For the given cases of TZV "s" can be computed as follows, where "a"_i come from the characteristic polynomial of the Frobenius endomorphism :

* For "g" = 1, "n" = 3:

* For "g" = 1, "n" = 5:

* For "g" = 2, "n" = 3:

Knowing this, it is possible to replace any scalar multiplication "mD (|m| ≤ l/2)" with:

$m\_0D\; +\; m\_1sigma(D)\; +\; dots\; +\; m\_\{n-1\}sigma^\{n-1\}(D),\; ~~~~\; ext\{where\; \}m\_i\; =\; O(ell^\{1/(n-1)\})\; =\; O(q^g)$

With this trick the multiple scalar product can be reduced to about 1/("n"-1)^{th of doublings necessary for calculating "mD", if the implied constants are small enough. [R. M. Avanzi and E. Cesena: "Trace zero varieties over fields of characteristic 2 for cryptographic applications"] [T. Lange: "Trace zero subvariety for cryptosystems"]}

Security

The security of cryptographic systems based on trace zero subvarieties according of the results of the papers [T. Lange: "Trace zero subvariety for cryptosystems"] [R. M. Avanzi and E. Cesena: "Trace zero varieties over fields of characteristic 2 for cryptographic applications"] comparable to the security of hyper-elliptic curves of low genus "g' " over $mathbb\{F\}\_\{p\text{'}\}$, where "p' " ~ ("n"-1)("g/g' ") for "|G|" ~128 bits.

For the cases where "n" = 3, "g" = 2 and "n" = 5, "g" = 1 it is possible to reduce the security for at most 6 bits, where "|G|" ~ 2²⁵⁶, because one can not be sure that "G" is contained in a Jacobian of a curve of genus 6. The security of curves of genus 4 for similar fields are far less secure.

An attack on a trace zero crypto-system

The attack published in [C. Diem and J. Scholten: "An attack on a trace-zero cryptosystem"] shows, that the DLP in trace zero groups of genus 2 over finite fields of characteristic diverse than 2 or 3 and a field extension of degree 3 can be transformed into a DLP in a class group of degree 0 with genus of at most 6 over the base field. In this new class group the DLP can be attacked with the index calculus methods. This leads to a reduction of the bit length ¹/₆^th.

Résumé

The first advantage to mention is, that the trace zero varieties feature a better scalar multiplication performance than elliptic curves. This allows a fast arithmetic in this groups, which can speed up the calculations with a factor 3 compared with elliptic curves.

Also is it easily possible to construct groups of cryptographically relevant size and the order of the group can simply be calculated using the characteristic polynomial of the Frobenius endomorphism.Alternatively, one can find cryptographically secure groups by searching a family of randomly chosen curves. [A. V. Sutherland: "A generic approach to searching for Jacobians"] .

However to represent an element of the trace zero variety more bits are needed compared with elements of elliptic or hyperelliptic curves.

Another point to keep in mind, is the fact, that it is possible to reduce the security of the TZV of ¹/₆^th of the bit length using the described attack.

Notes

References

* G. Frey and T. Lange: "Mathematical background of public key cryptography", Technical report, 2005
* R. M. Avanzi and E. Cesena: "Trace zero varieties over fields of characteristic 2 for cryptographic applications", Technical report, 2007
* T. Lange: "Trace zero subvariety for cryptosystems", Technical report, 2003
* C. Diem and J. Scholten: "An attack on a trace-zero cryptosystem"
* M. Wienecke: "Cryptography on Trace-Zero Varieties", ITS-Seminar paper, http://www.crypto.rub.de/its_seminar_ws0708.html, 2008
* A. V. Sutherland: "101 useful trace zero varieties", http://www-math.mit.edu/~drew/TraceZeroVarieties.html, 2007
* A. V. Sutherland: "A generic approach to searching for Jacobians", http://arxiv.org/abs/0708.3168v2, 2007.