A Weil pairing on the $p$-torsion of ordinary elliptic curves over the dual numbers of $K$

Juliana V. Belding
DOI: https://doi.org/10.48550/arXiv.math/0703906
2007-03-30
Abstract:For an elliptic curve $E$ over any field $K$, the Weil pairing $e_n$ is a bilinear map on $n$-torsion. For $K$ of characteristic $p>0$, the map $e_n$ is degenerate if and only if $n$ is divisible by $p$. In this paper, we consider $E$ over the dual numbers $K[\epsilon]$ and define a non-degenerate ``Weil pairing on $p$-torsion" which shares many of the same properties of the Weil pairing. We also show that the discrete logarithm attacks on $p$-torsion subgroups of Semaev and Rück may be viewed as Weil-pairing-based attacks, just like the MOV attack. Finally, we describe an attack on the discrete logarithm problem on anomalous curves, analogous to that of Smart, using a lift of $E$ over the dual numbers of the finite field of $p$ elements.
Number Theory
What problem does this paper attempt to address?
The problem that this paper attempts to solve is the problem of the degeneration of the Weil pairing on the \(p\)-torsion subgroup of an elliptic curve over a finite field of characteristic \(p\). Specifically: 1. **Background problem**: - For an elliptic curve \(E\) defined over an arbitrary field \(K\), the Weil pairing \(e_{n}\) is a bilinear, non - degenerate mapping on the \(n\)-torsion subgroup. - When the characteristic \(p>0\) of \(K\) and \(n\) is divisible by \(p\), the Weil pairing \(e_{n}\) is degenerate. This is because there are no non - trivial \(p\)-th roots of unity in \(K\), and \(E[p]\cong\mathbb{Z}/p\mathbb{Z}\), resulting in \(e_{p}(P, Q) = 1\) for all \(P, Q\in E[p]\). 2. **Core problem of the paper**: - By considering the lift of the elliptic curve \(E\) over the ring of dual numbers \(K[\epsilon]\), the paper defines a new non - degenerate "Weil pairing on the \(p\)-torsion subgroup", which solves the above - mentioned degeneration problem. - This new pairing retains many properties of the traditional Weil pairing and can be used to explain and understand discrete logarithm attacks on the \(p\)-torsion subgroup (such as Semaev and Rück's attacks), which are essentially attacks based on the Weil pairing, similar to the MOV attack. 3. **Specific objectives**: - Define and prove the properties of the non - degenerate Weil pairing \(e_{p}\) on the \(p\)-torsion subgroup. - Show how to use this pairing to solve the discrete logarithm problem (DLP) on the \(p\)-torsion subgroup. - Explore the behavior of this pairing under elliptic curve isogeny mappings. - Propose another application: using elliptic curves over dual numbers to attack the discrete logarithm problem on anomalous curves. In summary, the paper aims to overcome the degeneration problem of the traditional Weil pairing in a field of characteristic \(p\) by introducing elliptic curves over the ring of dual numbers and redefining the Weil pairing on the \(p\)-torsion subgroup, and provides a new perspective to understand and handle related discrete logarithm attacks.