Weil pairing
In mathematics, the Weil pairing is a pairing (bilinear form, though with multiplicative notation) on the points of order dividing n of an elliptic curve E, taking values in nth roots of unity. More generally there is a similar Weil pairing between points of order n of an abelian variety and its dual. It was introduced by André Weil (1940) for Jacobians of curves, who gave an abstract algebraic definition; the corresponding results for elliptic functions were known, and can be expressed simply by use of the Weierstrass sigma function.
Formulation
Choose an elliptic curve E defined over a field K, and an integer n > 0 (we require n to be prime to char(K) if char(K) > 0) such that K contains a primitive nth root of unity. Then the n-torsion on is known to be a Cartesian product of two cyclic groups of order n. The Weil pairing produces an n-th root of unity
by means of Kummer theory, for any two points , where and .
A down-to-earth construction of the Weil pairing is as follows. Choose a function F in the function field of E over the algebraic closure of K with divisor
So F has a simple zero at each point P + kQ, and a simple pole at each point kQ if these points are all distinct. Then F is well-defined up to multiplication by a constant. If G is the translation of F by Q, then by construction G has the same divisor, so the function G/F is constant.
Therefore if we define
we shall have an n-th root of unity (as translating n times must give 1) other than 1. With this definition it can be shown that w is alternating and bilinear,[1] giving rise to a non-degenerate pairing on the n-torsion.
The Weil pairing does not extend to a pairing on all the torsion points (the direct limit of n-torsion points) because the pairings for different n are not the same. However they do fit together to give a pairing Tℓ(E) × Tℓ(E) → Tℓ(μ) on the Tate module Tℓ(E) of the elliptic curve E (the inverse limit of the ℓn-torsion points) to the Tate module Tℓ(μ) of the multiplicative group (the inverse limit of ℓn roots of unity).
Generalisation to abelian varieties
For abelian varieties over an algebraically closed field K, the Weil pairing is a nondegenerate pairing
for all n prime to the characteristic of K.[2] Here denotes the dual abelian variety of A. This is the so-called Weil pairing for higher dimensions. If A is equipped with a polarisation
- ,
then composition gives a (possibly degenerate) pairing
If C is a projective, nonsingular curve of genus ≥ 0 over k, and J its Jacobian, then the theta-divisor of J induces a principal polarisation of J, which in this particular case happens to be an isomorphism (see autoduality of Jacobians). Hence, composing the Weil pairing for J with the polarisation gives a nondegenerate pairing
for all n prime to the characteristic of k.
As in the case of elliptic curves, explicit formulae for this pairing can be given in terms of divisors of C.
Applications
The pairing is used in number theory and algebraic geometry, and has also been applied in elliptic curve cryptography and identity based encryption.
See also
- Tate pairing
- Pairing-based cryptography
- Boneh–Franklin scheme
- Homomorphic Signatures for Network Coding
References
- ^ Silverman, Joseph (1986). The Arithmetic of Elliptic Curves. New York: Springer-Verlag. ISBN 0-387-96203-4.
- ^ James Milne, Abelian Varieties, available at www.jmilne.org/math/
- Weil, André (1940), "Sur les fonctions algébriques à corps de constantes fini", Les Comptes rendus de l'Académie des sciences, 210: 592–594, MR 0002863