
We can prove that this is an isomorphism:

Proposition VI.4.6. Let $E/k$ be an elliptic curve over $k$ with a prime number $m \mid |E(k)|$ coprime to $q$. If $m^2 \nmid |E(l)|$ (i.e. there are no $l$-rational points of order $m^2$), then

$$E(l)[m] \cong E(l)/mE(l).$$

Proof. Because of (VI.7), we only have to show that (VI.8) is injective. Since $m^2 \nmid |E(l)|$, the group $E(l)[m]$ is cyclic (otherwise it would be the full $m$-torsion $E[m] \cong \mathbb{Z}_m \times \mathbb{Z}_m$, a subgroup of order $m^2$), and it is nontrivial because $m \mid |E(k)|$. So let $P \in E(l)$ be a generator of $E(l)[m]$ and let $Q = rP$, $R = tP \in E(l)[m]$ with $0 \le t \le r \le m-1$.

Assume that $Q$ and $R$ lie in the same residue class under (VI.8), i.e. there exists $S \in E(l)$ with $Q - R = mS$. Then $mS = (r-t)P \in E(l)[m]$ is either $O_E$ or a point of order $m$. In the second case $S$ would be an $l$-rational point of order $m^2$, which contradicts the assumption. Hence $(r-t)P = O_E$, and since $0 \le r-t \le m-1$ and $P$ has order $m$, we get $r = t$, i.e. $Q = R$.

As for the Weil pairing, we can prove in certain situations that the Tate pairing is non-trivial on independent points.

Proposition VI.4.7. Let $E/k$ be an elliptic curve defined over $k$ with a prime number $m \mid |E(k)|$. Assume that the embedding degree of $E$ and $m$ is $s > 1$, and that $m^2 \nmid |E(l)|$ (i.e. $E$ has no $l$-rational points of order $m^2$). If $O_E \ne P \in E(k)[m]$ and $R \in E(l)[m] \setminus E(k)$, then $e(P, R) \ne 1$.

Proof. Recall from proposition VI.4.6 that

$$E(l)[m] \cong E(l)/mE(l).$$

Now, since $e$ is non-degenerate, there exists a point $Q \in E(l)[m]$ of precise order $m$ (as $m$ is prime) such that $e(P, Q) \ne 1$, and so $Q \notin E(k)$ by lemma VI.4.2. The latter fact means that $P$ and $Q$ are independent, i.e. $\{P, Q\}$ is a ($\mathbb{Z}_m$-vector space) basis of $E[m]$ (over the algebraic closure $K$ of $k$). So every $R \in E(l)[m]$ is of the form $R = aP + bQ$ for some $a, b \in \mathbb{Z}$ that are uniquely determined modulo $m$. On the other hand, $P$ generates $E(k)[m]$, so if $R \notin E(k)[m]$, then $b \not\equiv 0 \pmod m$. Since both arguments of $e(P, P)$ are $k$-rational, $e(P, P) = 1$ by lemma VI.4.2, and $e(P, Q)$ has order exactly $m$ (it is a nontrivial $m$-th root of unity and $m$ is prime). In total, we have shown that for every point $R \in E(l)[m] \setminus E(k)$, we have

$$e(P, R) = e(P, P)^a\, e(P, Q)^b = e(P, Q)^b \ne 1.$$

VI.5 Implementation of Pairings

VI.5.1 Elliptic Curve Case

The recent algorithms to compute the Weil and the Tate-Lichtenbaum pairing reduce the problem to finding a function $f \in K(E)$ such that $\operatorname{div}(f) = m(P) - m(O_E)$ for a point $P \in E[m]$, and to evaluating $f(D_Q)$ for the divisor $D_Q = (Q+S) - (S)$, where $Q \in E$ and $S \in E \setminus \{O_E, P, -Q, P-Q\}$. Because of the relation between the Weil and the Tate-Lichtenbaum pairing (cf. remark VI.4.1), the Weil pairing costs, in the general case, roughly twice as much as the Tate-Lichtenbaum pairing: it is obtained from two computations of the latter kind followed by a final division. With this in mind, we only explain how to compute the Tate-Lichtenbaum pairing; the Weil pairing can then be computed by a double computation of the Tate-Lichtenbaum pairing with a final division.

The idea to compute the above function $f$ efficiently is due to Victor Miller's paper [Mil04], published in 2004 (the underlying manuscript dates from 1986). First of all, let $l = k(\mu_m)$ denote the smallest field that contains both $k$ and all $m$-th roots of unity. We want to construct $f$ starting from the constant function $1 \in l(E)$, where $E/k$ is the elliptic curve in question. For this, we pick points $P, Q \in E(l)$ with $P$ having order dividing $m$, together with a random point $S \in E \setminus \{O_E, P, -Q, P-Q\}$. Now for $i = 1, \dots, m$, we construct functions $f_i \in l(E)$ with

$$\operatorname{div}(f_i) = i(P) - ([i]P) - (i-1)(O_E)$$

(this is possible by corollary IV.1.9). Recall that by corollary III.1.5 the functions $f_i$ are unique up to multiplication by constants; since we are only interested in the evaluation of the $f_i$ at the degree-zero divisor $D_Q$, these constants cancel and are of no interest (remark III.5.2). It is immediately clear that $f_m$ is the function we are looking for: as $[m]P = O_E$,

$$\operatorname{div}(f_m) = m(P) - (O_E) - (m-1)(O_E) = m(P) - m(O_E) = \operatorname{div}(f).$$

Lemma VI.5.1. 1. We can choose $f_1 = 1$.

2. If $[i]P = (x_i, y_i)$ for $i < m$, then algorithm 1 efficiently computes the point $[i+j]P = (x_{i+j}, y_{i+j})$, the line $L = y - \lambda_{i,j}\,x - \nu_{i,j}$ through $[i]P$ and $[j]P$, and the vertical line $V = x - x_{i+j}$ through $[i+j]P$ and $O_E$. With this notation, we can choose

$$f_{i+j} = f_i \cdot f_j \cdot \frac{L}{V}.$$

Proof. 1. This is trivial by the paragraph above the lemma, since $\operatorname{div}(f_1) = (P) - ([1]P) - 0\cdot(O_E) = 0$, so $f_1$ is a constant.

2. By definition of the group law on $E$, we have

$$\operatorname{div}(L) = ([i]P) + ([j]P) + (-[i+j]P) - 3(O_E) \quad\text{and}\quad \operatorname{div}(V) = (-[i+j]P) + ([i+j]P) - 2(O_E)$$

(see also [Was03, Ch. 11, proposition 1, p. 342]), i.e.

$$\operatorname{div}\!\left(\frac{L}{V}\right) = ([i]P) + ([j]P) - ([i+j]P) - (O_E).$$

From this, we obtain

$$\begin{aligned}
\operatorname{div}\!\left(f_i f_j \frac{L}{V}\right) &= i(P) - ([i]P) - (i-1)(O_E) + j(P) - ([j]P) - (j-1)(O_E) + \operatorname{div}\!\left(\frac{L}{V}\right) \\
&= (i+j)(P) - ([i+j]P) - \bigl((i+j)-1\bigr)(O_E) \\
&= \operatorname{div}(f_{i+j}).
\end{aligned}$$

We are done by the paragraph above the lemma.

Before we give the actual algorithm that computes the Tate pairing, we come back to the homomorphic property of evaluating functions at divisors. In our case it simply tells us that

$$f_{i+j}(D_Q) = f_i(D_Q)\, f_j(D_Q)\, \frac{L(D_Q)}{V(D_Q)} = \frac{f_{i+j}(Q+S)}{f_{i+j}(S)},$$

where, for the divisor $D_Q = (Q+S) - (S)$, we have $L(D_Q) = L(Q+S)/L(S)$ and $V(D_Q) = V(Q+S)/V(S)$.

Now, the idea of the following algorithm (algorithm 5) is as follows. Firstly, we write $m$ in base 2, i.e.

$$m = m_{n-1}2^{n-1} + \dots + m_1 2 + m_0,$$

where $m_i \in \{0, 1\}$ for $i = 0, \dots, n-1$ and $m_{n-1} = 1$; in particular $n - 1 = \lfloor \log_2(m) \rfloor$. By using the above formula with $j = i$, we can compute $f_{2^r}$ for all $r = 1, \dots, n-1$. Having those values, we can easily compute $f_m$ by using the formula again.

All of the above is summarized in the following algorithm; by the homomorphic property of evaluating functions at divisors, we evaluate the intermediate results at $D_Q$ in each step instead of carrying the functions themselves. We do a small runtime analysis of this algorithm. The "for"-loop is executed $\lfloor \log_2(m) \rfloor$ times, i.e. we double $T$ that many times. The addition step of $T$ and $P$ is executed $H(m) - 1$ times, where $H(m)$ is the Hamming weight of $m$, i.e. the number of nonzero coefficients in $m = m_{n-1}2^{n-1} + \dots + m_1 2 + m_0$. Since the computation of the lines $L$ and $V$ in each step of the algorithm takes polynomial time, Miller's algorithm runs in polynomial time.
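Miller's algorithm as described in this section, written out as an added example (this is not code from the thesis or from [Mil04]). The curve $E\colon y^2 = x^3 + x$ over $k = \mathbb{F}_{23}$, the prime $m = 3$, the field $l = \mathbb{F}_{23^2}$ and all function names are our own choices for illustration: the curve is supersingular, so $|E(k)| = p + 1 = 24$ and the embedding degree is $s = 2$; the group $E(l)$ is enumerated by brute force to find a $k$-rational $P$ of order $3$ and an $l$-rational $Q$ of order $3$ outside $E(k)$. The script follows algorithm 5 step by step (lines $L$ and $V$ of lemma VI.5.1, evaluation at $D_Q = (Q+S) - (S)$, final exponentiation by $(q^s-1)/m$) and checks that the result is a nontrivial third root of unity, that it does not depend on $S$, that it is bilinear, and that it is trivial on $E(k) \times E(k)$. One practical caveat beyond the condition $S \notin \{O_E, P, -Q, P-Q\}$: if $S$ or $Q+S$ lies in $\langle P \rangle$, an intermediate line $L$ or $V$ vanishes at an evaluation point and the running product becomes $0$ or undefined, so the example also avoids such $S$ (in an implementation one simply draws a new random $S$). Note that here $m^2 = 9$ divides $|E(l)| = 576$, so the hypothesis of proposition VI.4.7 is not met; the script nevertheless checks $e(P, Q) \ne 1$ for this particular $Q \notin E(k)$.

```python
# Added example (not from the thesis): Miller's algorithm (Algorithm 5) for the reduced
# Tate pairing on the toy curve E: y^2 = x^3 + x over k = F_23. As 23 = 3 mod 4, E is
# supersingular with |E(k)| = 24; for m = 3 the embedding degree is s = 2, so
# l = k(mu_3) = F_{23^2} = F_23(i) with i^2 = -1. All names below are our own choices.
P_MOD, A_COEFF, B_COEFF = 23, 1, 0      # k = F_p and E: y^2 = x^3 + A_COEFF*x + B_COEFF

class Fp2:
    """a + b*i in l = F_{p^2}; i^2 = -1 is a non-square in F_p because p = 3 mod 4."""
    def __init__(self, a, b=0): self.a, self.b = a % P_MOD, b % P_MOD
    def __add__(self, o): return Fp2(self.a + o.a, self.b + o.b)
    def __sub__(self, o): return Fp2(self.a - o.a, self.b - o.b)
    def __neg__(self): return Fp2(-self.a, -self.b)
    def __mul__(self, o): return Fp2(self.a * o.a - self.b * o.b, self.a * o.b + self.b * o.a)
    def __eq__(self, o): return isinstance(o, Fp2) and (self.a, self.b) == (o.a, o.b)
    def __hash__(self): return hash((self.a, self.b))
    def __repr__(self): return f"({self.a}+{self.b}i)"
    def __truediv__(self, o):           # (a+bi)^-1 = (a-bi)/(a^2+b^2); the norm is nonzero for o != 0
        n = pow(o.a * o.a + o.b * o.b, -1, P_MOD)
        return self * Fp2(o.a * n, -o.b * n)
    def __pow__(self, e):               # square-and-multiply
        r, base = Fp2(1), self
        while e:
            if e & 1: r = r * base
            base, e = base * base, e >> 1
        return r

ONE, A, B = Fp2(1), Fp2(A_COEFF), Fp2(B_COEFF)   # points: (x, y) tuples over Fp2; None is O_E

def chord_tangent(T1, T2):
    """Slope of L through affine T1, T2 (tangent if equal) and T1 + T2; (None, None) if T1 = -T2."""
    (x1, y1), (x2, y2) = T1, T2
    if x1 == x2 and y1 == -y2:          # L is the vertical line x - x1 and T1 + T2 = O_E
        return None, None
    lam = (Fp2(3) * x1 * x1 + A) / (Fp2(2) * y1) if T1 == T2 else (y2 - y1) / (x2 - x1)
    x3 = lam * lam - x1 - x2
    return lam, (x3, lam * (x1 - x3) - y1)

def add(P, Q):
    return Q if P is None else P if Q is None else chord_tangent(P, Q)[1]

def mul(n, P):                          # [n]P by left-to-right double-and-add
    R = None
    for bit in bin(n)[2:]:
        R = add(R, R)
        if bit == "1": R = add(R, P)
    return R

def eval_lines(T1, T2, X):
    """(L(X), V(X), T1 + T2) as in Lemma VI.5.1(2); if T1 + T2 = O_E, L is vertical and V = 1."""
    lam, T3 = chord_tangent(T1, T2)
    x, y = X
    if T3 is None:
        return x - T1[0], ONE, None
    return y - T1[1] - lam * (x - T1[0]), x - T3[0], T3

def tate_pairing(P, Q, m, S):
    """Algorithm 5: e(P, Q) = f_m(D_Q)^((q^s-1)/m) with D_Q = (Q + S) - (S); here s = 2."""
    Qp = add(Q, S)                                   # Q' = Q + S
    T, f = P, ONE                                    # top bit m_{n-1} = 1: T = [1]P, f = f_1 = 1
    for bit in bin(m)[3:]:                           # remaining bits m_{n-2}, ..., m_0
        lq, vq, T2 = eval_lines(T, T, Qp)            # doubling: f_{2i} = f_i^2 L/V, with
        ls, vs, _ = eval_lines(T, T, S)              # L(D_Q)/V(D_Q) = L(Q')V(S)/(V(Q')L(S))
        f, T = f * f * lq * vs / (vq * ls), T2
        if bit == "1":                               # addition: f_{i+1} = f_i f_1 L/V
            lq, vq, T2 = eval_lines(T, P, Qp)
            ls, vs, _ = eval_lines(T, P, S)
            f, T = f * lq * vs / (vq * ls), T2
    assert T is None, "P must have order dividing m"
    return f ** ((P_MOD ** 2 - 1) // m)              # final exponentiation in l = F_{p^2}

def all_points():
    """E(l) by brute force; here |E(F_{p^2})| = (p + 1)^2 = 576."""
    elems = [Fp2(a, b) for a in range(P_MOD) for b in range(P_MOD)]
    root = {y * y: y for y in elems}                 # one square root per square
    pts = [None]
    for x in elems:
        rhs = x * x * x + A * x + B
        if rhs in root:
            y = root[rhs]
            pts += [(x, y)] if y == -y else [(x, y), (x, -y)]
    return pts

def torsion_basis(points, m):
    """P in E(k)[m] and Q in E(l)[m] \\ E(k), the situation of Proposition VI.4.7."""
    tors = [R for R in points if R is not None and mul(m, R) is None]
    in_k = lambda R: R[0].b == 0 and R[1].b == 0
    return next(R for R in tors if in_k(R)), next(R for R in tors if not in_k(R))

def pick_S(points, P, Q, m, skip=0):
    """S not in {O_E, P, -Q, P - Q}; we also keep S and Q + S out of <P> (see lead-in)."""
    bad = set()
    for i in range(m):
        iP = mul(i, P)
        bad.update({iP, add(iP, (Q[0], -Q[1]))})     # S = [i]P - Q would give Q + S = [i]P
    return [S for S in points if S not in bad][skip]

if __name__ == "__main__":
    pts = all_points()
    P, Q = torsion_basis(pts, 3)
    e = tate_pairing(P, Q, 3, pick_S(pts, P, Q, 3))
    print("e(P,Q) =", e, " e^3 =", e ** 3, " bilinear:", tate_pairing(mul(2, P), Q, 3, pick_S(pts, P, Q, 3)) == e * e)
```

Running the script prints the pairing value, its cube (which must be $1$) and the bilinearity check. The auxiliary point is chosen deterministically (the first admissible point in enumeration order, or the `skip`-th one), which makes the independence of $S$ directly testable by comparing two runs.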

Algorithm 5 Miller's Algorithm

INPUT: Points $P, Q \in E(l)$, $l = \mathbb{F}_{q^s}$, where $P$ has order dividing $m$.

OUTPUT: The (reduced) Tate pairing $e(P, Q)$.

1: $S \in_R E(l) \setminus \{O_E, P, -Q, P-Q\}$

2: $Q' \leftarrow Q + S$, $T \leftarrow P$ and $f \leftarrow 1$

3: for $i = \lfloor \log_2(m) \rfloor - 1$ down to $0$ do

4: Compute lines $L$ and $V$ for doubling $T$

5: $T \leftarrow [2]T$

6: $f \leftarrow f^2 \cdot \dfrac{L(Q')\,V(S)}{V(Q')\,L(S)}$

7: if $m_i = 1$ then

8: Compute lines $L$ and $V$ for adding $T$ and $P$

9: $T \leftarrow T + P$

10: $f \leftarrow f \cdot \dfrac{L(Q')\,V(S)}{V(Q')\,L(S)}$

11: return $f^{(q^s - 1)/m}$

Here $m_i$ denotes the $i$-th binary digit of $m$ as above; the loop index is decremented by the "for"-loop itself, so no explicit decrement is needed.

VI.5.2 Hyperelliptic Curve Case

In this section, we want to generalize the idea of Miller's algorithm of the previous section to the case of imaginary quadratic hyperelliptic curves. So, let $C/k$ be an imaginary quadratic hyperelliptic curve defined over $k$ of genus $g$ with our usual conventions (cf. chapter V). Furthermore, we pick $x = [D] \in \operatorname{Pic}^0(l(C))[m]$ with $\operatorname{div}(f) = mD$ for $f \in l(C)$ (chosen as in (TLP-1)) and $y = [E] + m\operatorname{Pic}^0(l(C)) \in \operatorname{Pic}^0(l(C))/m\operatorname{Pic}^0(l(C))$ (cf. (TLP-2)), which we want to pair with the reduced Tate pairing (cf. remark VI.4.4), i.e. we want to compute a function $f \in l(C)$ with $\operatorname{div}(f) = mD$ for some representative $D$ of $x$ (recall that the Tate pairing is independent of the choices of $f$, $D$ and $E$).

In order to compute the pairing in the same manner as in the elliptic case, we need to choose special representatives of $x$ and $y$. Recall that Cantor's algorithm can compute positive reduced divisors $D_x$ and $E_y$ of degree $g$ such that

$$x = [D_x - g(P_\infty)] \quad\text{and}\quad y = [E_y - g(P_\infty)] + m\operatorname{Pic}^0(l(C)),$$

where $P_\infty$ is the unique extension to $l(C)$ of the infinite place $p_\infty$ of $l(x)$ (see also the proof of proposition V.2.38). By the construction in Cantor's algorithm, we know that $E_y$ and $D_x$ are coprime, since $E$ and $D$ are coprime by definition of the Tate pairing. We also need the same type of representation for $[i]x$ for all $i = 1, \dots, m$, and Cantor's algorithm gives us positive reduced divisors $D_i$ of degree $g$ such that

$$[i]x = [D_i - g(P_\infty)].$$

Now since $[i]x + [j]x = [i+j]x$ for $i + j \le m$, we have

$$D_i - g(P_\infty) + D_j - g(P_\infty) - \bigl(D_{i+j} - g(P_\infty)\bigr) \in \operatorname{Princ}(l(C)) \quad\text{for } i + j \le m,$$

i.e. there exist functions $h_{i,j} \in l(C)$ such that

$$\operatorname{div}(h_{i,j}) = D_i + D_j - D_{i+j} - g(P_\infty) \quad\text{for } i + j \le m.$$

Furthermore, we use the convention $D_0 := g(P_\infty)$. We are almost done finding suitable representatives; we only need a different representative for $y$. To find it, we introduce algorithm 6:

Algorithm 6 Relative Prime Representation (RPR)

INPUT: Positive divisors $A, B$ of degree $g$.

OUTPUT: Divisors $B_1, B_2$ with $[B_1 - B_2] = [B - g(P_\infty)]$ and $B_1 + B_2$ coprime to $A + (P_\infty)$.

1: repeat

2: Choose $P \in_R \mathbb{P}_{l(C)/l}$ of degree 1

3: Choose $n \in_R \mathbb{N}$ such that $n \le |\operatorname{Pic}^0(l(C))|$

4: Compute $B_2 \ge 0$ of degree $g$ with $[B_2 - g(P_\infty)] = [n(P) - n(P_\infty)]$

5: Compute $C \ge 0$ of degree $g$ with $[C - g(P_\infty)] = [0]$

6: $B_1 \leftarrow B - C + B_2$

7: until $B_1 + B_2$ coprime to $A + (P_\infty)$

8: return $(B_1, B_2)$

Proof of algorithm 6. In lines 4 and 5, we use Cantor's algorithm to compute $B_2$ and $C$. Because of line 6, we have $[B_1 - B_2] = [B - C] = [B - g(P_\infty)]$. Since we choose our ground field $l$ big enough, there always exist a place $P$ and an integer $n$ such that $B_1 + B_2$ is coprime to $A + (P_\infty)$. In fact, this condition fails only in very rare cases, as is shown in [ACD+06, Ch. 16, lemma 16.3, p. 391].

Remark VI.5.2. By corollary V.1.11, it is certainly easier to find such a representative of $y$ if the genus of $C$ is even. Since we only want to deal with the most general case, we leave the proof to the reader. For genus 2, it is proved in [ACD+06, Ch. 16.3, p. 398].

Now, we can apply this algorithm to $A = D_x$ and $B = E_y$, yielding divisors $B_1, B_2 \ge 0$ with $y = [B_1 - B_2] + m\operatorname{Pic}^0(l(C))$ and such that $B_1 + B_2$ is coprime to $D_x + (P_\infty)$. The functions $f_i$ we used in Miller's algorithm look very similar in the hyperelliptic case. For $1 \le i \le m$, we choose $f_i \in l(C)$ such that

$$\operatorname{div}(f_i) = iD_x - D_i - (i-1)g(P_\infty),$$

where the right-hand side is a princip divisor, as $[i(D_x - g(P_\infty))] = [D_i - g(P_\infty)]$. With this definition and the independence of the Tate pairing of the choices of $f$, $D$ and $E$, we are looking for $f_m$: since $[m]x = 0$, the reduced representative of $[m]x$ is $D_m = D_0 = g(P_\infty)$, and hence

$$\operatorname{div}(f_m) = mD_x - D_m - (m-1)g(P_\infty) = m\bigl(D_x - g(P_\infty)\bigr) + g(P_\infty) - D_m = m\bigl(D_x - g(P_\infty)\bigr).$$

Following the idea of the previous section, we write $m$ in base 2, i.e.

$$m = m_{n-1}2^{n-1} + \dots + m_1 2 + m_0,$$

where $m_i \in \{0, 1\}$ for $i = 0, \dots, n-1$, $m_{n-1} = 1$ and $n - 1 = \lfloor \log_2(m) \rfloor$. Also, we need to prove a version of lemma VI.5.1 for this setting, namely:

VI.6 Distortion Maps and Modified Pairings