Weil pairing
Generated by GPT-5-miniExpansion Funnel Raw 48 → Dedup 13 → NER 11 → Enqueued 10
| Weil pairing | |
|---|---|
| Name | Weil pairing |
| Field | Algebraic geometry |
| Introduced by | André Weil |
| Year | 1940s |
Weil pairing The Weil pairing is a bilinear, alternating, nondegenerate pairing associated to torsion points on an abelian variety, originally developed by André Weil in the context of Jacobians of curves and Abelian varieties. It plays a central role in the arithmetic of elliptic curves, the theory of Galois representations, and the study of Tate modules, connecting classical results of Riemann and Riemann–Roch theorem to modern developments in algebraic geometry and number theory. The construction and properties of the Weil pairing underpin important algorithms used in public-key cryptography and in proofs of duality theorems such as Tate duality.
Definition and basic properties
For an abelian variety A over a field K and a positive integer n not divisible by the characteristic of K, the Weil pairing is a map on the n-torsion subgroup A[n] × A[n] → μ_n, where μ_n denotes the group of n-th roots of unity in an algebraic closure. Its defining properties include bilinearity, alternating symmetry, and nondegeneracy, which together imply that A[n] is self-dual as a Galois module via the pairing. The pairing is functorial for isogenies and compatible with the action of the absolute Galois group Gal(K̄/K), thereby linking it to Galois cohomology and the arithmetic of local fields such as p-adic numbers and finite fields. Fundamental consequences include relations with the Weil conjectures in the sense of interplay between Frobenius endomorphisms and torsion structures, and compatibility with polarizations arising from Poincaré line bundle constructions.
Construction on elliptic curves
On an elliptic curve E over a field K, the Weil pairing on E[n] is most commonly constructed via divisor theory and functions: for P, Q in E[n] one chooses divisors D_P and D_Q supported on translates of P and Q and then evaluates certain rational functions whose divisors are n·(P) − n·(O) to produce an element of μ_n. This approach uses tools from the theory of divisors on curves, the Riemann–Roch theorem, and the geometry of the Picard variety. Alternative descriptions employ the language of line bundles and the Poincaré line bundle on E × E, or interpret the pairing via the action of the dual abelian variety, linking to constructions by Mumford and the concept of a principal polarization. For elliptic curves defined over global fields like Q or quadratic extensions, the Weil pairing interacts with the modular curve parametrizations and with level structures used in the definition of modular forms and Hecke algebras.
Computation and algorithms
Efficient computation of the Weil pairing for cryptographic sizes relies on algorithmic variants of Miller's algorithm, which reduces evaluation of the relevant rational functions to a sequence of line evaluations and multiplicative accumulations. Miller's algorithm was adapted and optimized in implementations involving elliptic curves over finite fields for pairing-based protocols; improvements exploit projective coordinates, windowing techniques, and denominator elimination in characteristic two or characteristic p pairing-friendly curves used in standards by organizations such as NIST and in deployments influenced by research from Boneh and Franklin. Algorithmic complexity analyses reference fast arithmetic in extension fields, algorithms for scalar multiplication from Montgomery ladders, and methods for final exponentiation to land in μ_n. Practical considerations connect to parameter choices from work on pairing-friendly curve families like Barreto–Naehrig curves and optimizations that leverage Frobenius endomorphism techniques developed in the literature from Galbraith and collaborators.
Applications in number theory and cryptography
In number theory, the Weil pairing is instrumental in the proof of the Tate pairing and in formulating duality theorems for the cohomology of abelian varieties; it appears in descriptions of the structure of Selmer groups, in arguments about the image of Galois representations attached to torsion points, and in explicit reciprocity laws connected to class field theory and Iwasawa theory. In cryptography, pairings derived from the Weil pairing enable identity-based encryption, short signatures, and three-party key agreement protocols introduced in foundational work by Boneh and Franklin and advanced by subsequent contributions in the pairing-based cryptography community. Security analyses relate to the hardness of discrete logarithms in elliptic curve groups and to embedding degree considerations used in curve selection, with standards and cryptanalytic research published in venues associated with ACM and IEEE conferences.
Generalizations and cohomological interpretation
The Weil pairing generalizes to n-torsion subgroups of higher-dimensional abelian varieties and admits a cohomological reinterpretation via the cup product on étale cohomology groups H^1(A[n]) × H^1(A[n]) → H^2(μ_n) and through the machinery of Brauer group pairings. In this framework, dualities such as Poitou–Tate duality and Grothendieck duality clarify the role of the pairing in the interaction of local and global Galois cohomology, and categorical formulations connect it to the theory of derived categories and to the interpretation of polarizations as morphisms between an abelian variety and its dual. Extensions to other contexts include analogues in the theory of Drinfeld modules, applications to motives, and relationships with the study of torsion in Jacobians of higher genus curves as investigated in work by researchers affiliated with institutions like IHÉS and Princeton University.