|
In 1998 Gerhard Frey firstly proposed using trace zero varieties for cryptographic purpose. These varieties are subgroups of the divisor class group on a low genus hyperelliptic curve defined over a finite field. These groups can be used to establish asymmetric cryptography using the discrete logarithm problem as cryptographic primitive. Trace zero varieties feature a better scalar multiplication performance than elliptic curves. This allows a fast arithmetic in this groups, which can speed up the calculations with a factor 3 compared with elliptic curves and hence speed up the cryptosystem. Another advantage is that for a groups of cryptographically relevant size, the order of the group can simply be calculated using the characteristic polynomial of the Frobenius endomorphism. This is not the case, for example, in elliptic curve cryptography when the group of points of an elliptic curve over a prime field is used for cryptographic purpose. However to represent an element of the trace zero variety more bits are needed compared with elements of elliptic or hyperelliptic curves. Another disadvantage, is the fact, that it is possible to reduce the security of the TZV of 1/6th of the bit length using cover attack. == Mathematical background == A hyperelliptic curve ''C'' of genus ''g'' over a prime field where ''q'' = ''p''''n'' (''p'' prime) of odd characteristic is defined as : where ''f'' monic, deg(''f'') = 2''g'' + 1 and deg(''h'') ≤ g. The curve has at least one -rational Weierstraßpoint. The Jacobian variety of ''C'' is for all finite extension isomorphic to the ideal class group . With the ''Mumford's representation'' it is possible to represent the elements of with a pair of polynomials ''(v )'', where ''u'', ''v'' ∈ . The ''Frobenius endomorphism'' σ is used on an element ''(v )'' of to raise the power of each coefficient of that element to ''q'': σ(''(v )'') = (vq(x) ). The characteristic polynomial of this endomorphism has the following form: : where ai in (unicode:ℤ) With the ''Hasse–Weil theorem'' it is possible to receive the group order of any extension field by using the complex roots τi of χ(''T''): : Let ''D'' be an element of the of ''C'', then it is possible to define an endomorphism of , the so-called ''trace of D'': : Based on this endomorphism one can reduce the Jacobian variety to a subgroup ''G'' with the property, that every element is of trace zero: : ''G'' is the kernel of the trace endomorphism and thus ''G'' is a group, the so-called trace zero (sub)variety (TZV) of . The intersection of ''G'' and is produced by the ''n''-torsion elements of . If the greatest common divisor the intersection is empty and one can compute the group order of ''G'': : The actual group used in cryptographic applications is a subgroup ''G0'' of ''G'' of a large prime order ''l''. This group may be ''G'' itself.〔G. Frey and T. Lange: "Mathematical background of public key cryptography"〕〔T. Lange: "Trace zero subvariety for cryptosystems"〕 There exist three different cases of cryptograpghical relevance for TZV:〔R. M. Avanzi and E. Cesena: "Trace zero varieties over fields of characteristic 2 for cryptographic applications"〕 *''g'' = 1, ''n'' = 3 *''g'' = 1, ''n'' = 5 *''g'' = 2, ''n'' = 3 抄文引用元・出典: フリー百科事典『 ウィキペディア(Wikipedia)』 ■ウィキペディアで「Trace Zero Cryptography」の詳細全文を読む スポンサード リンク
|