Cryptography Reference
In-Depth Information
n
is a constant multiple of
g
n
. By multiplying
f
by a suitable
constant, we may assume that
Therefore,
f
◦
f ◦ n
=
g
n
.
Let
S ∈ E
[
n
]andlet
P ∈ E
(
K
). Then
g
(
P
+
S
)
n
=
f
(
n
(
P
+
S
)) =
f
(
nP
)=
g
(
P
)
n
.
Therefore,
g
(
P
+
S
)
/g
(
P
)
∈ μ
n
.Infact,
g
(
P
+
S
)
/g
(
P
) is independent of
P
.
The proof of this is slightly technical: In the Zariski topology,
g
(
P
+
S
)
/g
(
P
)
is a continuous function of
P
and
E
is connected. Therefore, the map to the
finite discrete set
μ
n
must be constant.
Define the
Weil pairing
by
e
n
(
S, T
)=
g
(
P
+
S
)
.
(11.6)
g
(
P
)
Since
g
is determined up to a scalar multiple by its divisor, this definition is
independent of the choice of
g
. Note that (11.6) is independent of the choice
of the auxiliary point
P
. The main properties of
e
n
are given in the following
theorem, which was stated in Section 3.3.
THEOREM 11.7
Let
E
be an elliptic curve defined over a field
K
and let
n
be a positive integer.
A ssu m e that the characteristicof
K
does not divide
n
.Thenthe W eilpairing
e
n
:
E
[
n
]
×
E
[
n
]
→
μ
n
satisfi es the follow ing properties:
1.
e
n
isbilinear in each variable. T hismeansthat
e
n
(
S
1
+
S
2
,T
)=
e
n
(
S
1
,T
)
e
n
(
S
2
,T
)
and
e
n
(
S, T
1
+
T
2
)=
e
n
(
S, T
1
)
e
n
(
S, T
2
)
for all
S, S
1
,S
2
,T,T
1
,T
2
∈ E
[
n
]
.
2.
e
n
is nondegeneratein each variable. T hismeansthat if
e
n
(
S, T
)=1
for all
T
∈
E
[
n
]
then
S
=
∞
and also that if
e
n
(
S, T
)=1
for all
S ∈ E
[
n
]
then
T
=
∞
.
3.
e
n
(
T,T
)=1
for all
T
∈
E
[
n
]
.
4.
e
n
(
T,S
)=
e
n
(
S, T
)
−
1
for all
S, T ∈ E
[
n
]
.
Search WWH ::
Custom Search