11.6.1 The Weil Pairing

In this section we give the proof of Theorem 11.12, which says that the two

definitions of the Weil pairing are equivalent. We let e n denote the pairing

defined in Section 11.2 and show that it equals the alternative definition.

PROOF

The following proof is based on a calculation of Weil [131, pp.

240-241].

Let V,W ∈ E [ n 2 ]. Let

div( f nV )= n [ nV ] − n [ ∞ ] , g nV = f nV ◦ n,

be as in the definition of the Weil pairing. Define

f nV + nW ( X )

g nV + nW ( X )

g nV ( X ) g nW ( X − V ) ,

where the right-hand sides are functions of the variable point X on E .The

fact that the notation does not include X on the left-hand sides is justified

by the following.

c ( nV, vW )=

f nV ( X ) f nW ( X − nV ) ,

d ( V,W )=

LEMMA 11.21

c ( nV, nW ) and d ( V,W ) are constants, an d

d ( V,W ) n = c ( nV, nW ) .

PROOF Using the expressions for div( f nX ) , div( g X ) on page 349, we see

that div( c ( nV, nW )) = 0 and div( d ( V,W )) = 0. Therefore, they are constants.

Since g nV

= f nV ◦

n ,wehave

f nV + nW ( nX )

d ( V,W ) n =

f nV ( nX ) f nW ( nX − nV ) = c ( nV, nW ) ,

because c ( nV, nW ) is independent of X .

The next few results relate the Weil pairing to c and d .Thepoints U, V, W

represent elements of E [ n 2 ].

LEMMA 11.22

d ( V,W + nU )= d ( V,W ) and d ( V + nU, W )= d ( V,W ) e n ( nU, nW ) .

PROOF Since n ( W + nU )= nW , the functions g n ( W + nU ) and g nW are

equal. Therefore,

g nV + nW ( X )

g nV ( X ) g nW ( X

d ( V,W + nU )=

V ) = d ( V,W ) .

−