Weil Pairing

In mathematics, the Weil pairing is a pairing (bilinear form, though with multiplicative notation) on the points of order dividing ''n'' of an elliptic curve ''E'', taking values in ''n''th roots of unity. More generally there is a similar Weil pairing between points of order ''n'' of an abelian variety and its dual. It was introduced by André Weil (1940) for Jacobians of curves, who gave an abstract algebraic definition; the corresponding results for elliptic functions were known, and can be expressed simply by use of the Weierstrass sigma function.

Formulation

Choose an elliptic curve ''E'' defined over a field ''K'', and an integer ''n'' > 0 (we require ''n'' to be coprime to char(''K'') if char(''K'') > 0) such that ''K'' contains a primitive nth root of unity. Then the ''n''-torsion on $E(\overline)$ is known to be a Cartesian product of two cyclic groups of order ''n''. The Weil pairing produces an ''n''-th root of unity

:$w(P,Q) \in \mu_n$

by means of Kummer theory, for any two points P,Q \in E(K) /math>, where E(K) \ and $\mu_n = \$.

A down-to-earth construction of the Weil pairing is as follows. Choose a function ''F'' in the function field of ''E'' over the algebraic closure of ''K'' with divisor

: \mathrm(F)= \sum_ +k\cdot Q- \sum_ \cdot Q

So ''F'' has a simple zero at each point ''P'' + ''kQ'', and a simple pole at each point ''kQ'' if these points are all distinct. Then ''F'' is well-defined up to multiplication by a constant. If ''G'' is the translation of ''F'' by ''Q'', then by construction ''G'' has the same divisor, so the function ''G/F'' is constant.

Therefore if we define

:$w(P,Q):=\frac$

we shall have an ''n''-th root of unity (as translating ''n'' times must give 1) other than 1. With this definition it can be shown that ''w'' is alternating and bilinear, giving rise to a non-degenerate pairing on the ''n''-torsion.

The Weil pairing does not extend to a pairing on all the torsion points (the direct limit of ''n''-torsion points) because the pairings for different ''n'' are not the same. However
they do fit together to give a pairing ''T''_ℓ(''E'') × ''T''_ℓ(''E'') → ''T''_ℓ(μ) on the Tate module ''T''_ℓ(''E'') of the elliptic curve ''E'' (the inverse limit of the ℓ^''n''-torsion points) to the Tate module ''T''_ℓ(μ) of the multiplicative group (the inverse limit of ℓ^''n'' roots of unity).

Generalisation to abelian varieties

For abelian varieties over an algebraically closed field ''K'', the Weil pairing is a nondegenerate pairing

:A \times A^\vee \longrightarrow \mu_n

for all ''n'' prime to the characteristic of '' K''. James Milne, ''Abelian Varieties'', available at www.jmilne.org/math/ Here $A^\vee$ denotes the dual abelian variety of ''A''. This is the so-called ''Weil pairing'' for higher dimensions. If ''A'' is equipped with a polarisation

:$\lambda: A \longrightarrow A^\vee$,
then composition gives a (possibly degenerate) pairing

:A \times A \longrightarrow \mu_n.

If ''C'' is a projective, nonsingular curve of genus ≥ 0 over ''k'', and ''J'' its Jacobian, then the theta-divisor of ''J'' induces a principal polarisation of ''J'', which in this particular case happens to be an isomorphism (see autoduality of Jacobians). Hence, composing the Weil pairing for ''J'' with the polarisation gives a nondegenerate pairing

: J times J \longrightarrow \mu_n

for all ''n'' prime to the characteristic of ''k''.

As in the case of elliptic curves, explicit formulae for this pairing can be given in terms of divisors of ''C''.

Applications

The pairing is used in number theory and algebraic geometry, and has also been applied in elliptic curve cryptography and identity based encryption.

See also

* Tate pairing
*Pairing-based cryptography
* Boneh–Franklin scheme
* Homomorphic Signatures for Network Coding

References

*

External links

''The Weil pairing on elliptic curves over C'' (PDF)

{{DEFAULTSORT:Weil Pairing
Elliptic curves
Abelian varieties
Pairing-based cryptography