1. The Weil Pairing Presented by J.liu

2. Outline Primitive Definition Theorems Computation of the pairings

3. Primitive (1) E is an elliptic curve over K and n is an integer not divisible by char(K) E[n] is a torsion subgroup of E(K), that is E[n] = {P  E(  )| nP =  }  E(K). Where we make a assumption that  n = {x |x n = 1, x  }  K. Let T  E[n], then there exist a function f such that div(f) = n[T]-n[  ] Note that f has zero at T with order n and has pole at  with order -n.

4. Primitive (2) ∞ T E[n] T” T” is a coset of E[n 2 ] classify by E[n] nn E[n 2 ] E[n] with order n 4 with order n 2 Every coset has order n 2 and there are n 2 cosets If nT”=nT’= T then T”+E[n] = T’+E[n]

5. Primitive (3) Choose T’  E[n 2 ] such that nT’ = T then there exists a function g such that div(g) =  ([T’+R]-[R]) for all R  E[n]. Note that g is independent on the T”. div(g) =  [T”]-  [R], where nT” = T and R  E[n] We have div(f 。 n) = n  ([T’+R])-n  [R] = div(g n ) Note that f 。 n has zeros at T” with order n and has poles at R with order –n, for all nT” = T and for all R  E[n].

6. Primitive (4) From div(f 。 n) = div(g n ), we have f 。 n = c(g n ). Let S  E[n] and P  E[κ], then g(P+S) n = f(n(P+S)) = f(nP) = g(P) n. Therefore, g(P+S)/g(P)  n. In fact, g(P+S)/g(P) is independent of P. (by Zariski topology?)

7. Definition Define the Weil pairing by e n (S, T) = g(P+S)/g(P) This definition is independent of the choose of g, and independent of the auxiliary points P. Note: e n (S, T) 計算過程為 : 先針對 T 計算 f 函數， 次而由 f 決定 g ，在此決定過程中 g 將有許多不同 的選擇，但是這些選擇並不會影響到 e n (S, T) 的 結果，因此與 g 無關。另外輔助點 P 也不影響計 算結果，這些將在後續的定理與計算中看到。 另外在此省略 Weil pairing 的性質證明。 (bilinear,…)

8. Theorem When n is large, the computation of Weil pairing is very difficult by the definition. Let S, T  E[n] and define D s, D t as following: deg(D s ) = deg(D t ) = 0 and sum(D s ) = S, sum(D t ) = T and such that D s and D t have no points in common. div(f s ) = nD s and div(f T ) = nD T. Then e n (S, T) = f T (D S )/ f S (D T ) Where f(Σa i [P i ]) = Π i f(P i ) a i.

9. Compute the Weil pairing A nature choice of divisors is D S = [S]-[∞], D T = [T+R]-[R] Then we can compute

10. Example Let be the elliptic curve over F 7 define by y 2 = x 3 +2. Then E(F 7 )[3]  Z 3 ⊕ Z 3 In fact, that is all of E(F 7 ). Let’s compute e 3 ((0, 3), (5, 1)) 1.Let D (0, 3) = [(0, 3)]-[∞], D (5, 1) = [(3, 6)]-[(6, 1)] Where (3, 6) = (5, 1) + (6,1) 2.We need two functions f (0, 3) and f (5, 1), such that div(f (0, 3) ) = 3D (0, 3) and div(f (5, 1) ) = 3D (5, 1)

11. Example 3.All the tangent lines of the points P on E(F 7 ) have divisors 3[P]-3[∞]. 4.Then div(y-3) = 3[(0, 3)]-3[∞] = 3D (0, 3), div(4x- y+1) = 3[(3, 6)]-3[∞] and div(5x-y-1) = 3[(6, 1)]-3[∞]. Then div((4x-y+1)/(5x-y-1)) = 3[(3, 6)]-3[∞]- (3[(6, 1)]-3[∞]) = 3[(3, 6)]-3[(6, 1)] = 3D (5, 1)

12. Example

13. Miller’s algorithm As we seen above, both of the computing of Weil pairing and Tate pairing can reduce to finding a function a function f with div(f) = n[P+R]-n[R] for points P  E[n] and R  E and evaluating f(Q 1 )/f(Q 2 ) Note that, we omit Tate pairing here because the Galois cohomology theorem is too hard.

14. Basic idea Define D j = j[P+R]-j[R]-[jP]+[∞]. –Note that, we can’t define D j = j[P+R]-j[R]. We can find a function f j such that div(f j ) = D j. Miller’s Algo. can compute f j+k (Q 1 )/f j+k (Q 2 ) by f j (Q 1 )/f j (Q 2 ) and f k (Q 1 )/f k (Q 2 ) as following: –Let ax+by+c = 0 be the line through jP and kP. –Let x+d = 0 be the vertical line through (j+k)P.

16. Miller’s algorithm (1) Define v j = f j (Q 1 )/f j (Q 2 ) then we have v j+k = v j ×v k ×(L 1 /L 2 (Q 1 ))/(L 1 /L 2 (Q 2 )) where, L 1 is the line through jP and kP L 2 is the vertical line through (j+k)P and -(j+K)P Used the successive doubling to get v n. Start with i=n, j=0, k=1, v 0 =1, v 1 =f 1 (Q 1 )/f 1 (Q 2 ), where div(f 1 ) = [P+R]-[P]- [R]+[∞].

17. Miller’s algorithm (2) 1.If i is even then compute v 2k =v j 2 ×(G(Q 1,Q 2 )) i = i/2, k = 2k, j = j save (v j, v k ). 2.If i is odd then compute v j+k =v j ×v k ×… i = i-1, k = k, j = j+k save (v j, v k ). 3.If i≠0 then go to 1. else output v j

18. Example: compute v 13 1.i = 13, j = 0, k = 1, (v 0, v 1 ).[1101] 2.i = 12, j = 1, k = 1, (v 1, v 1 ).[1100] 3.i = 6, j = 1, k = 2, (v 1, v 2 ).[110] 4.i = 3, j = 1, k = 4, (v 1, v 4 ).[11] 5.i = 2, j = 5, k = 4, (v 5, v 4 ).[10] 6.i = 1, j = 5, k = 8, (v 5, v 8 ).[1] 7.i = 0, j = 13, k = 8, (v 13, v 8 ).[0] Note: there are 5 point adding operations, that is ((numbers of 1)-1)×2+numbers of 0+(0 or 1){0 for right-most bit is 1}

19. Example E: y 2 =x 3 -x+1 over F 11, n = 5, P = (3,6) with order 5. Let’s compute 5. D P =[(3, 6)]-[∞], D Q =[(1,1)]-[0,1]=[Q 1 ]-[Q 2 ], where R = (0,1) then P+R = (1,1). We use the algorithm to compute f P (D Q ), where div(f P ) = 5D P. We have T = ∞, then D 0 = D 1 = 0. Therefore, f 0 =f 1 =1.