Cryptography Reference
In-Depth Information
satisfying the conditions of Lemma 11.6. Therefore,
P
1
and
P
2
must be con-
stant. But
X
(
t
)=
P
1
/P
2
is nonconstant, so we have a contradiction. This
completes the proof of Lemma 11.5.
As pointed out above, Lemma 11.5 completes the proof of Lemma 11.3.
11.2 The Weil Pairing
The goal of this section is to construct the Weil pairing and prove its basic
properties that were stated in Section 3.3. Recall that
n
is an integer not
divisible by the characteristic of the field
K
,andthat
E
is an elliptic curve
such that
E
[
n
]
⊆
E
(
K
)
.
We want to construct a pairing
e
n
:
E
[
n
]
× E
[
n
]
→ μ
n
,
where
μ
n
is the set of
n
th roots of unity in
K
(asweshowedinSection3.3,
the assumption
E
[
n
]
⊆ E
(
K
) forces
μ
n
⊂ K
).
Let
T ∈ E
[
n
]. By Theorem 11.2, there exists a function
f
such that
div(
f
)=
n
[
T
]
−
n
[
∞
]
.
(11.5)
Choose
T
∈
E
[
n
2
] such that
nT
=
T
. We'll use Theorem 11.2 to show that
there exists a function
g
such that
div(
g
)=
R
([
T
+
R
]
−
[
R
])
.
∈
E
[
n
]
We need to verify that the sum of the points in the divisor is
∞
. This follows
from the fact that there are
n
2
points
R
in
E
[
n
]. The points
R
in
[
T
+
R
]
and
[
R
] cancel, so the sum is
n
2
T
=
nT
=
∞
. Note that
g
does not depend
on the choice of
T
since any two choices for
T
differ by an element
R ∈ E
[
n
].
Therefore, we could have written
div(
g
)=
nT
=
T
[
T
]
−
[
R
]
.
nR
=
∞
n
denote the function that starts with a point, multiplies it by
n
,
then applies
f
.Thepoints
P
=
T
+
R
with
R
Let
f
◦
∈
E
[
n
] are those points
P
with
nP
=
T
. It follows from (11.5) that
div(
f ◦ n
)=
n
R
[
T
+
R
]
− n
R
[
R
]
=div(
g
n
)
.
Search WWH ::
Custom Search