It turns out that

where $P,Q$ are points of trace zero and $e$ is any Galois-invariant bilinear map. In particular, the Tate pairing is Galois-invariant because $f_P({\mathcal{A}}_Q)$ has coefficients in the ground field (where we view the coordinates of $P,Q$ as variables).

Let $E/{\mathbb{F}}_p,p>3$ be an elliptic curve and let $q$ be a prime such that

Then $q$ divides $p^r-1$ but not $p^i-1$ for $i=1,...,r-1$.

Let $U$ be the subgroup of ${\mathbb{F}}_{p^r}^{\ast }$ of the $q$th roots of unity.

Let $T$ be the subgroup of $E[q]$ of points of trace zero over ${\mathbb{F}}_p$.

Let $e:E[q]\times E[q]\to U$ be a Galois-invariant bilinear map.

Theorem: $e$ is degenerate on $T\times T$.

Proof: For $i=0,...,r-1$ let ${\sigma }_i:{\mathbb{F}}_{p^r}\to {\mathbb{F}}_{p^r}$ be the Galois map defined by ${\sigma }_i(x)=x^{p^i}$.

Observe that for all $i=0,...,r-1$ we have that ${\sigma }_i(T)=T$. Hence $T$ is an eigenspace for ${\sigma }_i$.

Furthermore, for $P\in T$ we have ${\sigma }_i(P)=p^{i}P$. To see this, let ${\lambda }_1,{\lambda }_2$ be the eigenvalues of ${\sigma }_i$ acting on $E[q]$. By Weil’s Theorem, we have that ${\lambda }_1{\lambda }_2=p^i$. Observe that $E({\mathbb{F}}_p)$ is an eigenspace of ${\sigma }_i$ with eigenvalue one. Therefore the other eigenvalue must be equal to $p^i$.

Let $P,Q\in T$. Then

(The last equality holds since $e(P,Q)\in {\mathbb{F}}_{p^r}$.)

So for $i=0,...,r-1$ we have ${\sigma }_i(e(P,Q))={\sigma }_{2imodr}(e(P,Q))$.

Hence ${\sigma }_1(e(P,Q))={\sigma }_2(e(P,Q))$ which implies that $e(P,Q)={\sigma }_1(e(P,Q))$ since $x\mapsto x^p$ is one-to-one on ${\mathbb{F}}_{p^r}$ for $r<p-1$.

But this means $e(P,Q)={\sigma }_1(e(P,Q))=...={\sigma }_{r-1}(e(P,Q))$ and hence $e(P,Q)\in {\mathbb{F}}_p$, which implies we must have $e(P,Q)=1$.

Proof due to Dan Boneh.