We present a kind of groups suitable for cryptographic applications: the trace-zero subvariety. The construction is based on Weil descent from curves of genus one or two over extension fields F_pⁿ, n=3 (or 5). On the Jacobian of the curve the group can be seen as a prime order subgroup, however, considering the construction as Weil descent reveals that the security is equivalent to that of groups based on low-genus hyperelliptic curves over prime fields. The advantage is that the complexity to compute scalar multiples is lower in most cases as one can make use of the Frobenius endomorphism of the initial curve. Thus the trace-zero subvariety can be used efficiently in protocols based on the discrete logarithm problem.