Designs, Codes and Cryptography

, Volume 75, Issue 2, pp 335–357

Point compression for the trace zero subgroup over a small degree extension field



Using Semaev’s summation polynomials, we derive a new equation for the \({\mathbb {F}_q}\)-rational points of the trace zero variety of an elliptic curve defined over \({\mathbb {F}_q}\). Using this equation, we produce an optimal-size representation for such points. Our representation is compatible with scalar multiplication. We give a point compression algorithm to compute the representation and a decompression algorithm to recover the original point (up to some small ambiguity). The algorithms are efficient for trace zero varieties coming from small degree extension fields. We give explicit equations and discuss in detail the practically relevant cases of cubic and quintic field extensions.


Elliptic curve cryptography Pairing-based cryptography Discrete logarithm problem Trace zero variety Efficient representation Point compression Summation polynomials 

Mathematics Subject Classification

14G50 11G25 14H52 11T71 14K15 


  1. 1.
    Avanzi R.M., Cesena E.: Trace zero varieties over fields of characteristic 2 for cryptographic applications. In: Proceedings of the First Symposium on Algebraic Geometry and Its Applications (SAGA ’07), pp. 188–215 (2007).Google Scholar
  2. 2.
    Barbulescu R., Bouvier C., Detrey J., Gaudry P., Jeljeli H., Thomé E., Videau M., Zimmermann P.: Discrete logarithm in GF(\(2^{809}\)) with FFS.
  3. 3.
    Barbulescu R., Gaudry P., Joux A., Thomé E.: A quasi-polynomial algorithm for discrete logarithm in finite fields of small characteristic. (2013).
  4. 4.
    Bernstein D.J., Duif N., Lange T., Schwabe P., Yang B.Y.: High-speed high-security signatures. J. Cryptogr. Eng. 2(2), 77–89 (2012).Google Scholar
  5. 5.
    Blady G.: Die Weil-Restriktion elliptischer Kurven in der Kryptographie. Master’s thesis, Univerität GHS Essen, Dresden (2002).Google Scholar
  6. 6.
    Bos J.W., Costello C., Hisil H., Lauter K.: High-performance scalar multiplication using 8-dimensional GLV/GLS decomposition. (2013).
  7. 7.
    Bosma W., Cannon J., Playoust C.: The Magma algebra system. I. The user language. J. Symb. Comput. 24, 235–265 (1997).Google Scholar
  8. 8.
    Cesena E.: Trace zero varieties in pairing-based cryptography. Ph.D. thesis, Università degli studi Roma Tre, Roma. (2010).
  9. 9.
    Diem C.: The GHS attack in odd characteristic. Ramanujan Math. Soc. 18(1), 1–32 (2003).Google Scholar
  10. 10.
    Diem C.: An index calculus algorithm for plane curves of small degree. In: Hess F., Pauli S., Pohst M. (eds.) Algorithmic Number Theory (ANTS VII), LNCS, vol. 4076, pp. 543–557. Springer, Berlin (2006).Google Scholar
  11. 11.
    Diem C., Kochinke S.: Computing discrete logarithms with special linear systems. (2013).
  12. 12.
    Diem C., Scholten J.: An attack on a trace-zero cryptosystem.
  13. 13.
    Eagle P.N.J., Galbraith S.D., Ong J.: Point compression for Koblitz curves. Adv. Math. Commun. 5(1), 1–10 (2011).Google Scholar
  14. 14.
    Faz-Hernández A., Longa P., Sánchez A.H.: Efficient and secure algorithms for GLV-based scalar multiplication and their implementation on GLV–GLS curves. (2013).
  15. 15.
    Frey G.: Applications of arithmetical geometry to cryptographic constructions. In: Proceedings of the 5th International Conference on Finite Fields and Applications, pp. 128–161. Springer, Berlin (1999).Google Scholar
  16. 16.
    Galbraith S.D., Lin X.: Computing pairings using \(x\)-coordinates only. Des. Codes Crytogr. 50(3), 305–324 (2009).Google Scholar
  17. 17.
    Galbraith S.D., Lin X., Scott M.: Endomorphisms for faster elliptic curve cryptography on a large class of curves. J. Cryptol. 24(3), 446–469 (2011).Google Scholar
  18. 18.
    Galbraith S.D., Smith B.A.: Discrete logarithms in generalized Jacobians. (2006).
  19. 19.
    Gallant R.P., Lambert R.J., Vanstone S.A.: Faster point multiplication on elliptic curves with efficient endomorphisms. In: Kilian J. (ed.) Advances in Cryptology: Proceedings of CRYPTO ’01. LNCS, vol. 2139, pp. 190–200. Springer, Berlin (2001).Google Scholar
  20. 20.
    Gaudry P.: Index calculus for abelian varieties of small dimension and the elliptic curve discrete logarithm problem. J. Symb. Comput. 44(12), 1690–1702 (2009).Google Scholar
  21. 21.
    Gaudry P., Hess F., Smart N.: Constructive and destructive facets of Weil descent. J. Cryptol. 15(1), 19–46 (2002).Google Scholar
  22. 22.
    Gerhard J., von zur Gathen J.: Modern Computer Algebra. Cambridge University Press, Cambridge (1999).Google Scholar
  23. 23.
    Göloğlu F., Granger R., McGuire G., Zumbrägel J.: On the function field sieve and the impact of higher splitting probabilities: application to discrete logarithms in \({\mathbb{F}}_{2^{1971}}\). (2013).
  24. 24.
    Göloğlu F., Granger R., McGuire, G., Zumbrägel J.: Solving a 6120-bit DLP on a desktop computer. (2013).
  25. 25.
    Gong G., Harn L.: Public-key cryptosystems based on cubic finite field extensions. IEEE Trans. Inf. Theory 45(7), 2601–2605 (1999).Google Scholar
  26. 26.
    Gorla E.: Torus-based cryptography. In: Jajodia S., Tilborg H. (eds.) Encyclopedia of Cryptography, 2nd edn., pp. 1306–1308. Springer, Berlin (2011).Google Scholar
  27. 27.
    Granger R., Vercauteren F.: On the discrete logarithm problem on algebraic tori. In: Shoup V. (ed.) Advances in Cryptology: Proceedings of CRYPTO ’05. LNCS, vol. 3621, pp. 66–85. Springer, Berlin (2005).Google Scholar
  28. 28.
    Joux A.: A new index calculus algorithm with complexity \({L}(1/4 + o(1))\) in very small characteristic. (2013).
  29. 29.
    Joux A., Vitse V.: Elliptic curve discrete logarithm problem over small degree extension fields. Application to the static Diffie–Hellman problem on \({E}(\mathbb{F}_{q^5})\). J. Cryptol. doi:10.1007/s00145-011-9116-z (2012).
  30. 30.
    Koblitz N.: CM-curves with good cryptographic properties. In: Feigenbaum J. (ed.) Advances in Cryptology: Proceedings of CRYPTO ’91. LNCS, vol. 576, pp. 179–287. Springer, Berlin (1991).Google Scholar
  31. 31.
    Lange T.: Efficient arithmetic on hyperelliptic curves. Ph.D. thesis, University of Essen, Essen (2001).Google Scholar
  32. 32.
    Lange T.: Trace zero subvarieties of genus 2 curves for cryptosystem. Ramanujan Math. Soc. 19(1), 15–33 (2004).Google Scholar
  33. 33.
    Lenstra A.K., Verheul E.R.: The XTR public key system. In: Bellare M. (ed.) Advances in Cryptology: Proceedings of CRYPTO ’00. LNCS, vol. 1880, pp. 1–19. Springer, Berlin (2000).Google Scholar
  34. 34.
    Longa P., Sica F.: Four-dimensional Gallant–Lambert–Vanstone scalar multiplication. In: Wang X., Sako K. (eds.) Advances in Cryptology: Proceedings of ASIACRYPT ’12. LNCS, vol. 7658, pp. 718–739. Springer, Berlin (2012).Google Scholar
  35. 35.
    Naumann N.: Weil-Restriktion abelscher Varietäten. Master’s thesis, Univerität GHS Essen, Dresden. (1999).
  36. 36.
    Oliveira T., López J., Aranha D.F., Rodríguez-Henríquez F.: Lambda coordinates for binary elliptic curves. (2013).
  37. 37.
    Rubin K., Silverberg A.: Supersingular abelian varieties in cryptology. In: Yung M. (ed.) Advances in Cryptology: Proceedings of CRYPTO ’02. LNCS, vol. 2442, pp. 336–353. Springer, Berlin (2002).Google Scholar
  38. 38.
    Rubin K., Silverberg A.: Torus-based cryptography. In: Boneh D. (ed.) Advances in Cryptology: Proceedings of CRYPTO ’03. LNCS, vol. 2729, pp. 349–365. Springer, Berlin (2003).Google Scholar
  39. 39.
    Rubin K., Silverberg A.: Using primitive subgroups to do more with fewer bits. In: Buell D. (ed.) Algorithmic Number Theory (ANTS VI). LNCS, vol. 3076, pp. 18–41. Springer, Berlin (2004).Google Scholar
  40. 40.
    Rubin K., Silverberg A.: Using abelian varieties to improve pairing-based cryptography. J. Cryptol. 22(3), 330–364 (2009).Google Scholar
  41. 41.
    Semaev I.: Summation polynomials of the discrete logarithm problem on elliptic curves. (2004).
  42. 42.
    Silverberg A.: Compression for trace zero subgroups of elliptic curves. Trends Math. 8, 93–100 (2005).Google Scholar
  43. 43.
    Smith P., Skinner C.: A public-key cryptosystem and a digital signature system based on the Lucas function analogue to discrete logarithms. In: Pieprzyk J., Safavi-Naini R. (eds.) Advances in Cryptology: Proceedings of ASIACRYPT ’94. LNCS, vol. 917, pp. 357–364. Springer, Berlin (1995).Google Scholar
  44. 44.
    Weimerskirch A.: The application of the Mordell-Weil group to cryptographic systems. Master’s thesis, Worcester Polytechnic Institute, Worcester. (2001).

Copyright information

© Springer Science+Business Media New York 2014

Authors and Affiliations

  1. 1.Institut de mathématiquesUniversité de NeuchâtelNeuchâtelSwitzerland
  2. 2.Mathematisches InstitutUniversität BaselBaselSwitzerland

Personalised recommendations