Weil pairing
In mathematics, the Weil pairing is a pairing (bilinear form, though with multiplicative notation) on the points of order dividing n of an elliptic curve E, taking values in nth roots of unity. More generally there is a similar Weil pairing between points of order n of an abelian variety and its dual. It was introduced by André Weil (1940) for Jacobians of curves, who gave an abstract algebraic definition; the corresponding results for elliptic functions were known, and can be expressed simply by use of the Weierstrass sigma function.
Formulation[]
Choose an elliptic curve E defined over a field K, and an integer n > 0 (we require n to be coprime to char(K) if char(K) > 0) such that K contains a primitive nth root of unity. Then the n-torsion on is known to be a Cartesian product of two cyclic groups of order n. The Weil pairing produces an n-th root of unity
by means of Kummer theory, for any two points , where and .
A down-to-earth construction of the Weil pairing is as follows. Choose a function F in the function field of E over the algebraic closure of K with divisor
So F has a simple zero at each point P + kQ, and a simple pole at each point kQ if these points are all distinct. Then F is well-defined up to multiplication by a constant. If G is the translation of F by Q, then by construction G has the same divisor, so the function G/F is constant.
Therefore if we define
we shall have an n-th root of unity (as translating n times must give 1) other than 1. With this definition it can be shown that w is alternating and bilinear,[1] giving rise to a non-degenerate pairing on the n-torsion.
The Weil pairing does not extend to a pairing on all the torsion points (the direct limit of n-torsion points) because the pairings for different n are not the same. However they do fit together to give a pairing Tℓ(E) × Tℓ(E) → Tℓ(μ) on the Tate module Tℓ(E) of the elliptic curve E (the inverse limit of the ℓn-torsion points) to the Tate module Tℓ(μ) of the multiplicative group (the inverse limit of ℓn roots of unity).
Generalisation to abelian varieties[]
For abelian varieties over an algebraically closed field K, the Weil pairing is a nondegenerate pairing
for all n prime to the characteristic of K.[2] Here denotes the dual abelian variety of A. This is the so-called Weil pairing for higher dimensions. If A is equipped with a polarisation
- ,
then composition gives a (possibly degenerate) pairing
If C is a projective, nonsingular curve of genus ≥ 0 over k, and J its Jacobian, then the theta-divisor of J induces a principal polarisation of J, which in this particular case happens to be an isomorphism (see autoduality of Jacobians). Hence, composing the Weil pairing for J with the polarisation gives a nondegenerate pairing
for all n prime to the characteristic of k.
As in the case of elliptic curves, explicit formulae for this pairing can be given in terms of divisors of C.
Applications[]
The pairing is used in number theory and algebraic geometry, and has also been applied in elliptic curve cryptography and identity based encryption.
See also[]
- Tate pairing
- Pairing-based cryptography
- Boneh–Franklin scheme
- Homomorphic Signatures for Network Coding
References[]
- ^ Silverman, Joseph (1986). The Arithmetic of Elliptic Curves. New York: Springer-Verlag. ISBN 0-387-96203-4.
- ^ James Milne, Abelian Varieties, available at www.jmilne.org/math/
- Weil, André (1940), "Sur les fonctions algébriques à corps de constantes fini", Les Comptes rendus de l'Académie des sciences, 210: 592–594, MR 0002863
External links[]
- Elliptic curves
- Abelian varieties
- Pairing-based cryptography