
THE WEIL PAIRING ON ELLIPTIC CURVES

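Background

Non-Singular Curves. Let $k$ be a number field, that is, a finite extension of $\mathbb{Q}$; denote $\overline{\mathbb{Q}}$ as its (separable) algebraic closure. The absolute Galois group $G_k = \mathrm{Gal}(\overline{\mathbb{Q}}/k) = \varprojlim_F \mathrm{Gal}(F/k)$ is the projective limit of Galois groups associated with finite, normal (separable) extensions $F/k$. Let $I \subseteq k[x_1, x_2, \dots, x_n]$ be an ideal, and define the sets

\[ X(\overline{\mathbb{Q}}) = \{ P \in \mathbb{A}^n(\overline{\mathbb{Q}}) \mid f(P) = 0 \text{ for all } f \in I \} \]

\[ I(X) = \{ f \in \overline{\mathbb{Q}}[x_1, x_2, \dots, x_n] \mid f(P) = 0 \text{ for all } P \in X(\overline{\mathbb{Q}}) \} \supseteq I \otimes_k \overline{\mathbb{Q}}. \]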

Since $G_F \subseteq G_k$ acts on $\overline{\mathbb{Q}}$, we define $X(F) = X(\overline{\mathbb{Q}})^{G_F} = X(\overline{\mathbb{Q}}) \cap \mathbb{A}^n(F)$, namely the $F$-rational points, as the points fixed by this action. We think of $X$ as a functor which takes fields $F$ to (algebraic) sets $X(F)$, and say that $X$ is an affine variety over $k$ if $I(X) \subseteq \overline{\mathbb{Q}}[x_1, x_2, \dots, x_n]$ is a prime ideal.

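Proposition 1. Let $X$ be an affine variety over $k$, and define the integral domain $\mathcal{O}(X) = \overline{\mathbb{Q}}[x_1, x_2, \dots, x_n]/I(X)$. Then the map $X(\overline{\mathbb{Q}}) \to \mathrm{mSpec}\, \mathcal{O}(X)$ which sends $P = (a_1, a_2, \dots, a_n)$ to $\mathfrak{m}_P = \langle x_1 - a_1, x_2 - a_2, \dots, x_n - a_n \rangle$ is an isomorphism.

Proof. The map is well-defined since $\mathcal{O}/\mathfrak{m}_P \simeq \overline{\mathbb{Q}}$ is a field. Conversely, let $\mathfrak{m}$ be a maximal ideal of $\mathcal{O}$. Fix a surjection $\mathcal{O} \twoheadrightarrow \mathcal{O}/\mathfrak{m} \simeq \overline{\mathbb{Q}}$, and denote $a_i \in \overline{\mathbb{Q}}$ as the image of $x_i \in \mathcal{O}$. It is easy to check that $\mathfrak{m} = \mathfrak{m}_P$ for $P = (a_1, a_2, \dots, a_n)$. □

We define $\mathcal{O} = \mathcal{O}(X)$ as the global sections of $X$ or the coordinate ring of $X$. Often, we abuse notation and write $X = \mathrm{Spec}\, \mathcal{O}$. If we denote $K = \overline{\mathbb{Q}}(X)$ as its quotient field, we define the dimension of $X$ as the transcendence degree of $K$ over $\overline{\mathbb{Q}}$. We say that $X$ is a curve if $\dim(X) = 1$.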

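Theorem 2. Let $X$ be a curve over $k$, and write the ideal $I = \langle f_1, f_2, \dots, f_m \rangle \subseteq K[x_1, x_2, \dots, x_n]$ so that $\dim(X) = n - m = 1$. The following are equivalent:

i. For each $P \in X(\overline{\mathbb{Q}})$, the $m \times n$ matrix

\[ \mathrm{Jac}_P(X) = \begin{pmatrix} \frac{\partial f_1}{\partial x_1}(P) & \frac{\partial f_1}{\partial x_2}(P) & \cdots & \frac{\partial f_1}{\partial x_n}(P) \\ \frac{\partial f_2}{\partial x_1}(P) & \frac{\partial f_2}{\partial x_2}(P) & \cdots & \frac{\partial f_2}{\partial x_n}(P) \\ \vdots & \vdots & \ddots & \vdots \\ \frac{\partial f_m}{\partial x_1}(P) & \frac{\partial f_m}{\partial x_2}(P) & \cdots & \frac{\partial f_m}{\partial x_n}(P) \end{pmatrix} \]

yields an exact sequence:

\[ \{0\} \longrightarrow T_P(X) \longrightarrow \mathbb{A}^n(\overline{\mathbb{Q}}) \xrightarrow{\ \mathrm{Jac}_P(X)\ } \mathbb{A}^m(\overline{\mathbb{Q}}) \longrightarrow \{0\}. \]

That is, the Jacobian matrix $\mathrm{Jac}_P(X)$ has rank $m$ while the tangent space has dimension $\dim_{\overline{\mathbb{Q}}} T_P(X) = \dim(X)$.

ii. The Zariski cotangent space has dimension $\dim_{\overline{\mathbb{Q}}} \mathfrak{m}/\mathfrak{m}^2 = \dim(X)$ for each maximal ideal $\mathfrak{m} \in \mathrm{mSpec}\, \mathcal{O}$.

iii. For each $P \in X(\overline{\mathbb{Q}})$, denote $\mathcal{O}_P$ as the localization of $\mathcal{O}$ at $\mathfrak{m}_P$. Then $\mathfrak{m}_P \mathcal{O}_P$ is a principal ideal.

iv. For each $P \in X(\overline{\mathbb{Q}})$, $\mathcal{O}_P$ is a discrete valuation ring.

v. For each $P \in X(\overline{\mathbb{Q}})$, $\mathcal{O}_P$ is integrally closed.

vi. $\mathcal{O}$ is a Dedekind Domain.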

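This is essentially a restatement of Proposition 9.2 on pages 94-95 in Atiyah-Macdonald. If any of these equivalent statements holds true, we say that $X$ is a non-singular curve.

Proof. (i) ⇐⇒ (ii). We have a perfect (i.e., bilinear and nondegenerate) pairing

\[ \mathfrak{m}_P/\mathfrak{m}_P^2 \times T_P(X) \to \overline{\mathbb{Q}} \quad \text{defined by} \quad \bigl( f, (b_1, b_2, \dots, b_n) \bigr) \mapsto \sum_{i=1}^n \frac{\partial f}{\partial x_i}(P)\, b_i. \]

Hence $\dim_{\overline{\mathbb{Q}}} \bigl( \mathfrak{m}_P/\mathfrak{m}_P^2 \bigr) = \dim_{\overline{\mathbb{Q}}} T_P(X) = n - m = \dim(X)$.

(ii) ⇐⇒ (iii). As $\mathfrak{m} = \mathfrak{m}_P$ is a maximal ideal, Nakayama's Lemma states that we can find $\varpi \in \mathfrak{m}_P$ where $\varpi \notin \mathfrak{m}_P^2$. Consider the injective map $\mathcal{O}/\mathfrak{m}_P \to \mathfrak{m}_P/\mathfrak{m}_P^2$ defined by $x \mapsto \varpi x$. Clearly this is surjective if and only if $\mathfrak{m}_P \mathcal{O}_P = \varpi \mathcal{O}_P$ is principal. Recall now that $\dim_{\overline{\mathbb{Q}}} \bigl( \mathcal{O}/\mathfrak{m}_P \bigr) = 1$.

(iii) =⇒ (iv). Say that $\mathfrak{m}_P \mathcal{O}_P = \varpi \mathcal{O}_P$ as a principal ideal. In order to show that $\mathcal{O}_P$ is a discrete valuation ring, it suffices to show that any nonzero $x \in \mathcal{O}_P$ is in the form $x = \varpi^m y$ for some $m \in \mathbb{Z}$ and $y \in \mathcal{O}_P^\times$. Consider the radical of the ideal generated by $x$:

\[ \sqrt{\langle x \rangle} = \{ y \in \mathcal{O}_P \mid y^n \in x\, \mathcal{O}_P \text{ for some nonnegative integer } n \}. \]

As $\mathcal{O}_P$ has a unique nonzero prime ideal, we must have $\sqrt{\langle x \rangle} = \mathfrak{m}_P \mathcal{O}_P$. But then there is a largest nonnegative integer $m$ such that $\varpi^{m-1} \notin x\, \mathcal{O}_P$ yet $\varpi^m \in x\, \mathcal{O}_P$. Hence $y = x/\varpi^m \in \mathcal{O}_P$ but $y \notin \mathfrak{m}_P$.

(iv) =⇒ (v). Say that $\mathcal{O}_P$ is a discrete valuation ring. Say that $x \in K$ is a root of a polynomial equation $x^n + a_1 x^{n-1} + \cdots + a_n = 0$ for some $a_i \in \mathcal{O}_P$. Assume by way of contradiction that $x \notin \mathcal{O}_P$. Then $v_P(x) < 0$, so that $v_P(1/x) > 0$, hence $y = 1/x$ is an element of $\mathcal{O}_P$. Upon dividing by $x^{n-1}$ we have the relation $x = -\bigl( a_1 + a_2 y + \cdots + a_n y^{n-1} \bigr) \in \mathcal{O}_P$. This contradiction shows that $\mathcal{O}_P$ is indeed integrally closed.

(v) =⇒ (iii). Say that $\mathcal{O}_P$ is integrally closed. We must construct an element $\varpi \in \mathcal{O}_P$ such that $\mathfrak{m}_P \mathcal{O}_P = \varpi \mathcal{O}_P$. Fix a nonzero $x \in \mathfrak{m}_P$. By considering the radical $\sqrt{\langle x \rangle}$ and noting that $\mathfrak{m}_P \mathcal{O}_P$ is a finitely generated $\mathcal{O}_P$-module, we see that there exists some $m \in \mathbb{Z}$ such that $\mathfrak{m}_P^m \mathcal{O}_P \subseteq x\, \mathcal{O}_P$ yet $\mathfrak{m}_P^{m-1} \mathcal{O}_P \not\subseteq x\, \mathcal{O}_P$. Choose $y \in \mathfrak{m}_P^{m-1}$ such that $y \notin x\, \mathcal{O}_P$, and let $\varpi = x/y$ be an element in $K$. Consider the module $(1/\varpi)\, \mathfrak{m}_P \mathcal{O}_P \subseteq \mathcal{O}_P$; we will show equality. As $y \notin x\, \mathcal{O}_P$, we have $1/\varpi \notin \mathcal{O}_P$, so that $1/\varpi$ is not integral over $\mathcal{O}_P$. Then $(1/\varpi)\, \mathfrak{m}_P \mathcal{O}_P$ cannot be a finitely generated $\mathcal{O}_P$-module, we have $(1/\varpi)\, \mathfrak{m}_P \mathcal{O}_P \not\subseteq \mathfrak{m}_P$. As there is an element of $(1/\varpi)\, \mathfrak{m}_P \mathcal{O}_P$ which is not in $\mathfrak{m}_P$, we must have equality: $(1/\varpi)\, \mathfrak{m}_P \mathcal{O}_P = \mathcal{O}_P$. Hence $\mathfrak{m}_P \mathcal{O}_P = \varpi \mathcal{O}_P$ as desired.

(v) ⇐⇒ (vi). A Dedekind domain is a Noetherian integral domain of dimension 1 that is integrally closed. But the localization $\mathcal{O}_P$ is integrally closed for each maximal ideal $\mathfrak{m}_P$ if and only if $\mathcal{O}$ is integrally closed. (Consult Theorem 5.13 on page 63 of Atiyah-Macdonald.) □

Examples.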

• Choose $\{a_1, a_2, a_3, a_4, a_6\} \subseteq k$, and consider the polynomial

\[ f(x, y) = \bigl( y^2 + a_1 x y + a_3 y \bigr) - \bigl( x^3 + a_2 x^2 + a_4 x + a_6 \bigr). \]

Then $X : f(x, y) = 0$ is a curve over $K$. Define the $K$-rational numbers

\[ \begin{aligned} b_2 &= a_1^2 + 4 a_2 \\ b_4 &= 2 a_4 + a_1 a_3 \\ b_6 &= a_3^2 + 4 a_6 \\ b_8 &= a_1^2 a_6 + 4 a_2 a_6 - a_1 a_3 a_4 + a_2 a_3^2 - a_4^2 \end{aligned} \qquad \begin{aligned} c_4 &= b_2^2 - 24 b_4 \\ c_6 &= -b_2^3 + 36 b_2 b_4 - 216 b_6 \\ \Delta &= -b_2^2 b_8 - 8 b_4^3 - 27 b_6^2 + 9 b_2 b_4 b_6 \end{aligned} \]

Then $X$ is non-singular if and only if $\Delta \neq 0$.

• Choose $\{a_0, a_1, a_2, a_3, a_4\} \subseteq k$, and consider the quartic polynomial

\[ f(x) = a_4 x^4 + a_3 x^3 + a_2 x^2 + a_1 x + a_0. \]

Then $X : y^2 = f(x)$ is a curve over $k$. If $X$ has a $k$-rational point $P_\infty = (x_0, y_0)$, then it is birationally equivalent over $k$ to the cubic curve $v^2 = u^3 + A u + B$ in terms of

\[ A = \frac{-a_2^2 + 3 a_1 a_3 - 12 a_0 a_4}{3}, \qquad B = \frac{2 a_2^3 - 9 a_1 a_2 a_3 + 27 a_0 a_3^2 + 27 a_1^2 a_4 - 72 a_0 a_2 a_4}{27}. \]

Then $X$ is nonsingular if and only if $16\, \mathrm{disc}(f) = -16 \bigl( 4 A^3 + 27 B^2 \bigr) = \Delta \neq 0$.

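The Riemann-Roch Theorem

Let $X$ be a non-singular curve over $k = \mathbb{C}$. From now on, we will identify $X$ with $X(k)$, and embed $X \hookrightarrow \mathbb{C}$. We'll explain how to choose such an embedding later.

Meromorphic Functions. Let $k = \mathbb{C}$ denote the complex numbers. Let $X \subseteq \mathbb{C}$ be a compact Riemann surface. We will denote $\mathcal{O}$ as the ring of holomorphic (i.e., analytic) functions on $X$, and $K$ as the field of meromorphic functions on $X$. Let me explain. Say that $f : U \to \mathbb{C}$ is a function defined on an open subset $U \subseteq X$. Using the embedding $X \hookrightarrow \mathbb{R} \times \mathbb{R}$ which sends $x + i y \mapsto (x, y)$, we say that $f$ is smooth if $f(z) = u(x, y) + i\, v(x, y)$ in terms of smooth functions $u, v : U \to \mathbb{R}$, where $z = x + i y$. We may denote the set of all such by $C^\infty(U)$. By considering the identities

\[ \frac{\partial f}{\partial z} = \frac{1}{2} \left( \frac{\partial f}{\partial x} - i \frac{\partial f}{\partial y} \right) = \frac{1}{2} \left( \frac{\partial u}{\partial x} + \frac{\partial v}{\partial y} \right) + \frac{i}{2} \left( \frac{\partial v}{\partial x} - \frac{\partial u}{\partial y} \right) \]

\[ \frac{\partial f}{\partial \bar{z}} = \frac{1}{2} \left( \frac{\partial f}{\partial x} + i \frac{\partial f}{\partial y} \right) = \frac{1}{2} \left( \frac{\partial u}{\partial x} - \frac{\partial v}{\partial y} \right) + \frac{i}{2} \left( \frac{\partial v}{\partial x} + \frac{\partial u}{\partial y} \right) \]

we see that the Cauchy-Riemann Equations imply that $f(z)$ is holomorphic (or antiholomorphic, respectively) on $U$ if and only if $\partial f/\partial \bar{z} = 0$ (or $\partial f/\partial z = 0$, respectively). Note that $f(z)$ is holomorphic if and only if $f(\bar{z})$ is antiholomorphic. Denote $\mathcal{O}(U)$ as the collection of such holomorphic functions on $U$. Since this is an integral domain, we may denote $K(U)$ as its function field; this is the collection of meromorphic functions on $U$. The following diagram may be useful:

\[ \{0\} \longrightarrow \mathcal{O}(U) \longrightarrow K(U) \longrightarrow C^\infty(U) \]

We will denote $\mathcal{O} = \mathcal{O}(X)$ and $K = K(X)$.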

Meromorphic Differentials. Continue to let $U \subseteq X$ be an open subset. Denote $\Omega^0 C^\infty(U)$, the collection of differential 0-forms on $U$, as the set of smooth functions $f$ on $U$. Similarly, denote $\Omega^1 C^\infty(U)$, the collection of differential 1-forms on $U$, as the set of sums

\[ \omega = f\, dx + g\, dy = \frac{f - i g}{2}\, dz + \frac{f + i g}{2}\, d\bar{z} \]

where $f$ and $g$ are smooth functions on $U$. Hence we have a canonical decomposition $\Omega^1 C^\infty(U) = \Omega^{1,0} C^\infty(U) \oplus \Omega^{0,1} C^\infty(U)$ as the direct sum of 1-forms in the form $\omega = f\, dz$ (or $\omega = f\, d\bar{z}$, respectively) where $f$ is a smooth function on $U$. In particular, $\omega \in \Omega^{1,0} C^\infty(U)$ (or $\omega \in \Omega^{0,1} C^\infty(U)$, respectively) if and only if $g = i f$ (or $g = -i f$), which happens if and only if $\omega(\bar{z}) = -i\, \omega(z)$. As complex conjugation acts on the set $\Omega^1 C^\infty(U)$ of differential 1-forms via $\omega(z) \mapsto \omega(\bar{z})$, we see that we may identify $\Omega^1 C^\infty(U)^- = \Omega^{1,0} C^\infty(U)$ and $\Omega^1 C^\infty(U)^+ = \Omega^{0,1} C^\infty(U)$ as the eigenspaces corresponding to the eigenvalues $\mp i$, respectively. We have a differential map $d : \Omega^0 C^\infty(U) \to \Omega^1 C^\infty(U)$ defined by

\[ f \mapsto df = \frac{\partial f}{\partial z}\, dz + \frac{\partial f}{\partial \bar{z}}\, d\bar{z}. \]

We say that a 1-form $\omega$ is a holomorphic differential (or antiholomorphic differential, respectively) if $\omega = f\, dz$ (or $\omega = f\, d\bar{z}$, respectively) for some holomorphic (or antiholomorphic, respectively) function $f$ on $U$. Denote $\Omega(U)$ as the collection of holomorphic differentials on $U$. Similarly, we say that a 1-form $\omega$ is a meromorphic differential (or antimeromorphic differential, respectively) if $\omega = (f/g)\, dz$ (or $\omega = (f/g)\, d\bar{z}$, respectively) for some holomorphic (or antiholomorphic, respectively) functions $f$ and $g$ on $U$. Denote $\Omega K(U)$ as the collection of meromorphic differentials on $U$. The following diagram may be useful:

\[ \{0\} \longrightarrow \Omega(U) \longrightarrow \Omega K(U) \longrightarrow \Omega^{1,0} C^\infty(U) \]

Note that $\Omega(X)$ is the collection of holomorphic differentials on $X$.

Homology Groups. Let $H_1(X, \mathbb{Z})$ denote the free abelian group of closed loops $\gamma$ in $X$. It is well-known that $H_1(X, \mathbb{Z}) \simeq \mathbb{Z}^{2g}$ for some nonnegative integer $g$; we call $g$ the genus of $X$. Complex conjugation $\gamma \mapsto \bar{\gamma}$ acts on these closed loops, so we may consider eigenspaces corresponding to the eigenvalues $\mp 1$ (either reversing or preserving direction) generated by this involution:

\[ H_1(X, \mathbb{Z}) = H_1(X, \mathbb{Z})^- \oplus H_1(X, \mathbb{Z})^+ \quad \text{where} \quad H_1(X, \mathbb{Z})^\mp \simeq \mathbb{Z}^g. \]

Upon tensoring with $\mathbb{C}$, we have the homology group $H_1(X, \mathbb{C}) \simeq \mathbb{C}^{2g}$, with eigenspaces $H_1(X, \mathbb{C})^\mp \simeq \mathbb{C}^g$. We have a nondegenerate, bilinear pairing

\[ H_1(X, \mathbb{C})^- \times \Omega(X) \to \mathbb{C}, \qquad \Bigl( \sum_i n_i \gamma_i,\ \omega \Bigr) \mapsto \sum_i n_i \oint_{\gamma_i} \omega. \]

Note here that $\omega$ must be a holomorphic differential on $X$, so that each loop $\gamma_i \in H_1(X, \mathbb{Z})^-$. This implies the following results:

Proposition 3. Let $\mathcal{O}(X)$ be the collection of such holomorphic functions on $X$, $\Omega(X)$ be the collection of holomorphic differentials on $X$, and $H_1(X, \mathbb{Z}) \simeq \mathbb{Z}^{2g}$ be the free abelian group of closed loops $\gamma$ in $X$.

• $\Omega(X) \simeq \mathrm{Hom}_{\mathbb{C}} \bigl( H_1(X, \mathbb{C})^-, \mathbb{C} \bigr) \simeq \mathbb{C}^g$.

• As the map O → Ω(X) defined by f 7→ f dz is an isomorphism, we see that Ω(X) is an O-module of rank 1, but a complex vector space of dimension g.

Examples.

• The unit sphere is given by

\[ S^2(\mathbb{R}) = \{ (u, v, w) \in \mathbb{R}^3 \mid u^2 + v^2 + w^2 = 1 \}. \]

Stereographic Projection is the map $\pi : \mathbb{C} \to S^2(\mathbb{R})$ defined by

\[ \pi(z) = \left( \frac{2\, \mathrm{Re}(z)}{|z|^2 + 1},\ \frac{2\, \mathrm{Im}(z)}{|z|^2 + 1},\ \frac{|z|^2 - 1}{|z|^2 + 1} \right) \quad \text{with inverse} \quad \pi^{-1}(u, v, w) = \frac{u + i v}{1 - w}. \]

Of course, the inverse sends the "north pole" $(u, v, w) = (0, 0, 1)$ to $z = \infty$, so we actually find a birational equivalence between $X = \mathbb{P}^1(\mathbb{C}) = \mathbb{C} \cup \{\infty\}$ and $S^2(\mathbb{R})$. We consider $X$ a compact Riemann surface – although it cannot really be imbedded in the complex plane. Consider the differential 1-form $\omega = dz$. This is clearly a holomorphic differential on $\mathbb{A}^1(\mathbb{C}) = \mathbb{C}$, but upon making the substitution

\[ w = \frac{1}{z} \quad \Longrightarrow \quad \omega = dz = -\frac{dw}{w^2} \]

we see that $\omega$ is not holomorphic on $X = \mathbb{P}^1(\mathbb{C})$. In fact, $X$ has no nonzero holomorphic differentials – only meromorphic ones! – so its genus must be $g = 0$.

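• Fix complex numbers $g_2, g_3$ such that $g_2^3 \neq 27 g_3^2$. We define a meromorphic map $\wp : \mathbb{C} \to \mathbb{C}$ implicitly via the relation

\[ z = \int_\infty^{\wp(z)} \frac{dx}{\sqrt{4 x^3 - g_2 x - g_3}} \quad \Longrightarrow \quad \wp'(z)^2 = 4\, \wp(z)^3 - g_2\, \wp(z) - g_3. \]

(This is the Weierstrass pe-function.) Hence the map $z \mapsto \bigl( \wp(z), \wp'(z) \bigr)$ induces a short exact sequence

\[ \{0\} \longrightarrow \Lambda \longrightarrow \mathbb{C} \longrightarrow E(\mathbb{C}) \longrightarrow \{0\} \]

in terms of a lattice $\Lambda = \mathbb{Z}[\omega_1, \omega_2]$, generated by integrating around the poles of the cubic polynomial, and the complex points on the curve $E : y^2 = 4 x^3 - g_2 x - g_3$. We have the compact Riemann surface

\[ X = \{ z = m\, \omega_1 + n\, \omega_2 \in \mathbb{C} \mid 0 \le m \le 1 \text{ and } 0 \le n \le 1 \} \simeq \frac{\mathbb{C}}{\Lambda} \simeq E(\mathbb{C}). \]

The collection of meromorphic functions on $X \subseteq \mathbb{C}$ is $K = \mathbb{C}\bigl( \wp(z), \wp'(z) \bigr)$. Note that the differential

\[ \omega = dz = \frac{d\wp}{\wp'} = \frac{dx}{y} = \frac{2\, dy}{12 x^2 - g_2} \]

is not only meromorphic on $\mathbb{C}$, it is actually holomorphic. As this is the only such differential, we see that $\Omega(X) \simeq \mathbb{C}$ consists of constant multiples of $\omega = dx/y$. In particular, $g = 1$.

Divisors. Denote $\mathrm{Div}(X)$ as the collection of divisors; these are formal sums $\mathfrak{a} = \sum_P n_P\, (P)$ over the points $P \in X$, where all but finitely many of the integers $n_P$ are zero. The degree of a divisor is the integer $\deg(\mathfrak{a}) = \sum_P n_P$. There is a partial ordering on $\mathrm{Div}(X)$: given another divisor $\mathfrak{b} = \sum_P m_P\, (P)$, we say $\mathfrak{a} \le \mathfrak{b}$ when $n_P \le m_P$ for all points $P$. The map $K^\times/k^\times \to \mathrm{Div}(X)$ which sends $f \mapsto \sum_P \mathrm{ord}_P(f)\, (P)$ is injective. In fact, we have the following short exact sequence:

\[ \{1\} \longrightarrow K^\times/k^\times \longrightarrow \mathrm{Div}(X) \longrightarrow \mathrm{Pic}(X) \longrightarrow \{0\}. \]

Similarly, any nonzero meromorphic differential $\omega = f\, dz$ for some meromorphic function $f \in \mathcal{O}$, so define $\mathrm{div}(\omega) = \mathrm{div}(f) = \sum_P \mathrm{ord}_P(f)\, (P)$. As $\Omega(X) \simeq \mathcal{O}$, we say $\mathfrak{c} = \mathrm{div}(\omega_0)$ is a canonical divisor for any nonzero meromorphic differential $\omega_0$.

We have the following commutative diagram, where the rows and columns are exact:

\[ \begin{array}{ccccccccc} & & \{1\} & & \{0\} & & \{0\} & & \\ & & \downarrow & & \downarrow & & \downarrow & & \\ \{1\} & \longrightarrow & K^\times/k^\times & \xrightarrow{\ \mathrm{div}\ } & \mathrm{Div}^0(X) & \longrightarrow & \mathrm{Jac}(X) & \longrightarrow & \{0\} \\ & & \downarrow{\scriptstyle =} & & \downarrow & & \downarrow & & \\ \{1\} & \longrightarrow & K^\times/k^\times & \xrightarrow{\ \mathrm{div}\ } & \mathrm{Div}(X) & \longrightarrow & \mathrm{Pic}(X) & \longrightarrow & \{0\} \\ & & \downarrow & & \downarrow{\scriptstyle \deg} & & \downarrow{\scriptstyle \deg} & & \\ \{1\} & \longrightarrow & \{1\} & \xrightarrow{\ \mathrm{div}\ } & \mathrm{Div}(X)/\mathrm{Div}^0(X) & \xrightarrow{\ =\ } & \mathrm{NS}(X) & \longrightarrow & \{0\} \\ & & \downarrow & & \downarrow & & \downarrow & & \\ & & \{1\} & & \{0\} & & \{0\} & & \end{array} \]

The quotient group $\mathrm{Jac}(X) = \mathrm{Div}^0(X)/\mathrm{Div}(k)$ of degree 0 divisors modulo principal divisors is the Jacobian of $X$; the quotient group $\mathrm{Pic}(X) = \mathrm{Div}(X)/\mathrm{Div}(k)$ of divisors modulo principal divisors is the Picard group or the (divisor) class group of $X$; and the quotient group $\mathrm{NS}(X) = \mathrm{Pic}(X)/\mathrm{Jac}(X)$ is the Néron-Severi group of $X$.

Riemann-Roch Theorem. For any divisor $\mathfrak{a} = \sum_P n_P\, (P)$, we wish to consider the following two complex vector spaces:

\[ \begin{aligned} H^0(\mathfrak{a}) &= \{ f \in k^\times \mid \mathrm{div}(f) \ge -\mathfrak{a} \} \cup \{0\} \\ H^1(\mathfrak{a}) &= \{ \omega \in \Omega K(X) - \{0\} \mid \mathrm{div}(\omega) \ge \mathfrak{a} \} \cup \{0\} \end{aligned} \quad \Longrightarrow \quad \begin{aligned} l(\mathfrak{a}) &= \dim_{\mathbb{C}} H^0(\mathfrak{a}) \\ \deg(\mathfrak{a}) &= \sum_{P \in X} n_P \\ \delta(\mathfrak{a}) &= \dim_{\mathbb{C}} H^1(\mathfrak{a}) \end{aligned} \]

(Note the change in the signs for the ordering!) The main question here concerns the relationship between $H^0(\mathfrak{a})$, $H^1(\mathfrak{a})$, and $H_1(X, \mathbb{Z})$. We have the following results: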

Proposition 4.

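• Any divisor $\mathfrak{a}$ can be written as a difference $\mathfrak{a} = \mathfrak{b} - \mathfrak{p}$ for divisors such that $\mathfrak{b}, \mathfrak{p} \ge 0$. Since $\mathfrak{a} \le \mathfrak{a} + \mathfrak{p} = \mathfrak{b}$, we have $H^0(\mathfrak{a}) \subseteq H^0(\mathfrak{b})$. One shows by induction that $l(\mathfrak{a}) \le l(\mathfrak{b}) \le \deg(\mathfrak{b}) + 1$. In particular, $H^0(\mathfrak{a})$ is a finite dimensional complex vector space.

• For each canonical divisor $\mathfrak{c} = \mathrm{div}(\omega_0)$, the map $\omega \mapsto \omega/\omega_0$ shows that $H^1(\mathfrak{a}) \simeq H^0(\mathfrak{c} - \mathfrak{a}) \implies \delta(\mathfrak{a}) = l(\mathfrak{c} - \mathfrak{a})$. In particular $H^1(\mathfrak{a})$ is also a finite dimensional complex vector space.

• Say $\mathfrak{a} = 0$ is the zero divisor. Then $H^0(0) = \mathbb{C}$ consists of the constant functions, while $H^1(0) = \Omega(X)$ consists of the holomorphic differentials. In particular, $H^0(\mathfrak{c}) \simeq H^1(0) \simeq \mathbb{C}^g$.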

In the 1850’s, Bernhard Riemann proved the inequality l(a) ≥ deg(a) + 1 − g. In 1864, his student, Gustav Roch, showed more precisely:

Theorem 5 (Riemann-Roch). $l(\mathfrak{a}) - \deg(\mathfrak{a}) - l(\mathfrak{c} - \mathfrak{a}) = l(\mathfrak{a}) - \deg(\mathfrak{a}) - \delta(\mathfrak{a}) = 1 - g$ for any canonical divisor $\mathfrak{c}$.

Remarks.

• The paper appears in Crelle's Journal as "Über die Anzahl der willkürlichen Constanten in algebraischen Functionen". This is usually called the Riemann-Roch Theorem. Sadly, both Riemann and Roch died two years later in Italy of tuberculosis: Riemann aged 39, and Roch aged 26.

• In 1874, Max Noether and Alexander von Brill gave a refinement of Roch's result, and were the first to call it the "Riemann-Roch" Theorem. In 1929, F. K. Schmidt generalized Roch's result to algebraic curves. Subsequent generalizations were given by Friedrich Hirzebruch, Jean-Pierre Serre, and Alexander Grothendieck.

Classification via the Genus

Let me give some applications. Now we can let $k = \overline{\mathbb{Q}}$ be an algebraically closed field, $\mathcal{O}$ be a Dedekind domain, and $K$ be its quotient field. We will let $X = \mathrm{Spec}\, \mathcal{O}$ be our nonsingular curve. Recall that for any divisor $\mathfrak{a} = \sum_P n_P\, (P)$ we have the identity

\[ \dim_k H^0(\mathfrak{a}) - \deg(\mathfrak{a}) - \dim_k H^0(\mathfrak{c} - \mathfrak{a}) = 1 - g \]

where $H^0(\mathfrak{a}) = \{ f \in K \mid \mathrm{div}(f) + \mathfrak{a} \ge 0 \}$. We see two facts right away regarding a canonical divisor $\mathfrak{c} = \mathrm{div}(\omega_0)$:

• $g = \dim_k H^0(\mathfrak{c})$, which we see by choosing $\mathfrak{a} = 0$.

• $\deg(\mathfrak{c}) = 2 g - 2$, which we see by choosing $\mathfrak{a} = \mathfrak{c}$.

We will show that, in some cases, we can classify $X$ depending on the genus $g$.

Genus 0. We show that $g = 0$ if and only if $X \simeq \mathbb{P}^1(k)$.

Proposition 6. If $X \simeq \mathbb{P}^1(k)$, then $\mathrm{Jac}(X) \simeq \{0\}$ whereas $\mathrm{Pic}(X) \simeq \mathrm{NS}(X) \simeq \mathbb{Z}$.

Proof. Choose $\mathcal{O} = k[x]$ as the polynomial ring in one variable, so that its quotient field $K = k(x)$ consists of those rational functions in one variable. Each nonzero prime ideal $\mathfrak{m}_P \subseteq \mathcal{O}$ is in the form $\mathfrak{m}_P = \langle x - a \rangle$ for some $P = a \in k$, so we have a one-to-one correspondence $\mathrm{mSpec}\, \mathcal{O} \simeq k$. We define $\mathbb{A}^1(k) = \mathrm{Spec}\, \mathcal{O}$ as the affine line over $k$. In order to make this a projective line, we add in the point at infinity: $\mathbb{P}^1(k) = \mathbb{A}^1(k) \cup \{P_\infty\}$.

Fix a nonnegative integer $d$, and consider the divisor $\mathfrak{b} = d\, (P_\infty)$ of the point at infinity. We show that $H^0(\mathfrak{b}) = \{ f \in K \mid \mathrm{div}(f) + \mathfrak{b} \ge 0 \}$ consists of those polynomials of degree at most $d$. As the divisor of $x \in K$ is $(P_0) - (P_\infty)$ we see that $\mathrm{ord}_{P_\infty}(f) \ge -d$ for any polynomial $f = \sum_{i=0}^d a_i x^i$. Hence $f \in H^0(\mathfrak{b})$. Conversely, let $f \in H^0(\mathfrak{b})$. Write $f = g/h$ for some polynomials $g, h \in \mathcal{O}$. If $h$ has degree greater than 0, then it contains a nontrivial zero in $k$, so that $f$ has a pole at some point in $k$. Hence $h$ must be a constant. If $g$ has degree greater than $d$ then $\mathrm{ord}_{P_\infty}(g) < -d$. Hence $g$ has degree at most $d$. This shows in particular the equality $l(\mathfrak{b}) = \deg(\mathfrak{b}) + 1$.

We show that any divisor $\mathfrak{a} = \sum_P n_P\, (P)$ can be expressed as a sum $\mathfrak{a} = \mathfrak{b} + \mathrm{div}(f)$. Since affine points $P = (x - a)$ for some $a \in k$, we may choose $f(x) = \prod_{a \in k} (x - a)^{n_P}$, so that $\mathrm{div}(f) = \sum_P \mathrm{ord}_P(f)\, (P) = \sum_P n_P \bigl( (P) - (P_\infty) \bigr) = \mathfrak{a} - d\, (P_\infty)$ for $d = \deg(\mathfrak{a})$. □

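Proposition 7. $g = 0$ if and only if $X \simeq \mathbb{P}^1(k)$.

Proof. Let $\mathfrak{b} = 2 g\, (P_\infty)$ be the divisor of degree $2 g$ associated with the point at infinity. We have seen that $\dim_k H^0(\mathfrak{a}) = \deg(\mathfrak{b}) + 1$ in this case, so the Riemann-Roch Theorem states that $g = \dim_k H^0(\mathfrak{c} - \mathfrak{b})$. But $\deg(\mathfrak{c} - \mathfrak{b}) = -2$ so that $H^0(\mathfrak{c} - \mathfrak{b}) = \{0\}$, showing that $g = 0$.

Conversely assume that $g = 0$. We will construct a birational map $X \to \mathbb{P}^1(k)$. Let $\mathfrak{b} = (P_\infty)$ as the divisor of a point in $X$. Then $\deg(\mathfrak{c} - \mathfrak{b}) < 0$ so that $H^0(\mathfrak{c} - \mathfrak{b}) = \{0\}$. The Riemann-Roch Theorem states that $l(\mathfrak{b}) = 2$. Fix a nonconstant function $f \in H^0(\mathfrak{b})$. For each $a \in k$, we note that $\mathrm{ord}_P(f - a) \ge 0$ for $P \neq P_\infty$ and $\mathrm{ord}_{P_\infty}(f - a) \ge -1$, so $\mathrm{div}(f - a) = (P_a) - (P_\infty)$ for some point $P_a$ in $X$. As $\mathcal{O}/P \simeq k$, define a map $f : X \to \mathbb{P}^1(k)$ which sends a prime ideal $P$ to the projective point $f(P) = (f \bmod P : 1)$. Note that $f(P_a) = (a : 1)$ and $f(P_\infty) = (1 : 0)$. As this map is one-to-one and onto, we see that $X \simeq \mathbb{P}^1(k)$. □

Base Points. Given a divisor $\mathfrak{a} \in \mathrm{Div}(X)$, define a complete linear system as the set

\[ |\mathfrak{a}| = \{ \mathfrak{b} \in \mathrm{Div}(X) \mid \mathfrak{b} \ge 0 \text{ and } \mathfrak{a} = \mathfrak{b} + \mathrm{div}(f) \text{ for some } f \in k^\times \}. \]

Note that $\deg |\mathfrak{a}| = \deg(\mathfrak{b})$ is independent of the choice of $\mathfrak{b} \in |\mathfrak{a}|$. It is easy to see that this fits into the following exact sequence:

\[ \begin{array}{ccccccccc} \{1\} & \longrightarrow & k^\times & \longrightarrow & H^0(\mathfrak{a}) - \{0\} & \xrightarrow{\ \mathrm{div}\ } & |\mathfrak{a}| & \longrightarrow & \{0\} \\ & & \downarrow{\scriptstyle =} & & \downarrow{\scriptstyle \simeq} & & \downarrow{\scriptstyle \simeq} & & \\ \{1\} & \longrightarrow & k^\times & \longrightarrow & \mathbb{A}^n(k) - \{0\} & \longrightarrow & \mathbb{P}^{n-1}(k) & \longrightarrow & \{0\} \end{array} \]

where $n = l(\mathfrak{a})$. This relates affine vector spaces with projective vector spaces. In particular, the complete linear system $|\mathfrak{c}| \simeq \mathbb{P}^{g-1}(k)$ has $\deg |\mathfrak{c}| = 2\,(g - 1)$. We say that a point $P_\infty \in X$ is a base point if $\mathfrak{b} \ge (P_\infty)$ for all $\mathfrak{b} \in |\mathfrak{c}|$.

Proposition 8.

• $X \simeq \mathbb{P}^1(k)$ whenever $X$ has a base point.

• If $g \ge 1$, then $X$ is base point free.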

Proof. Say that $P_\infty$ is one such base point. If $f \in H^0(\mathfrak{c})$ is a nonzero function, then $\mathrm{div}(1/f) + \mathfrak{c} = \mathfrak{b} \ge (P_\infty)$ so that $\mathrm{div}(1/f) + \bigl( \mathfrak{c} - (P_\infty) \bigr) \ge 0$. Hence $H^0(\mathfrak{c}) \subseteq H^0\bigl( \mathfrak{c} - (P_\infty) \bigr)$, so the Riemann-Roch Theorem states that

\[ \dim_k H^0\bigl( (P_\infty) \bigr) = 1 - g + \deg\bigl( (P_\infty) \bigr) + \dim_k H^0\bigl( \mathfrak{c} - (P_\infty) \bigr) \ge 2. \]

Let $f \in H^0\bigl( (P_\infty) \bigr)$ be a nonconstant function. Following the same argument as above, $\mathrm{div}(f - a) = (P_a) - (P_\infty)$, so that the map $f : X \to \mathbb{P}^1(k)$ is the desired isomorphism. □

Genus 1. Assume that $k$ has characteristic different from 2 or 3.

Proposition 9. $g = 1$ if and only if $X \simeq E(k)$ for some $E : y^2 = x^3 + A x + B$ with $4 A^3 + 27 B^2 \neq 0$.

Proof. Assume that $g = 1$. Fix a positive integer $d$, and consider the divisor $\mathfrak{b} = d\, (P_\infty)$. Then $\deg(\mathfrak{c} - \mathfrak{b}) = -d < 0$, so that $H^0(\mathfrak{c} - \mathfrak{b}) = \{0\}$. The Riemann-Roch Theorem states that

\[ \dim_k H^0(\mathfrak{b}) = 1 - g + \deg(\mathfrak{b}) + \dim_k H^0(\mathfrak{c} - \mathfrak{b}) = d. \]

Let $\{1, u\}$ and $\{1, u, v\}$ be bases for $H^0\bigl( 2\,(P_\infty) \bigr)$ and $H^0\bigl( 3\,(P_\infty) \bigr)$, respectively. Since the set $\{1, u, v, u^2, u v, v^2, u^3\}$ of seven functions is contained in a vector space $H^0\bigl( 6\,(P_\infty) \bigr)$ of dimension 6, we must have a linear combination in the form

\[ a_1 + a_2 u + a_3 v + a_4 u^2 + a_5 u v + a_6 v^2 + a_7 u^3 = 0 \]

for some $a_i \in k$. Note that $\{1, u, v, u^2, u v\}$ is a basis for $H^0\bigl( 5\,(P_\infty) \bigr)$ so we must have $a_6, a_7 \neq 0$. Upon making the substitutions

\[ \begin{aligned} x &= 3 \bigl( a_5^2 - 4 a_4 a_6 - 12 a_6 a_7 u \bigr) \\ y &= 108\, a_6 a_7 \bigl( a_3 + a_5 u + 2 a_6 v \bigr) \\ A &= 27 \bigl( -a_5^4 + 8 a_4 a_5^2 a_6 - 16 a_4^2 a_6^2 - 24 a_3 a_5 a_6 a_7 + 48 a_2 a_6^2 a_7 \bigr) \\ B &= 54 \bigl( a_5^6 - 12 a_4 a_5^4 a_6 + 48 a_4^2 a_5^2 a_6^2 - 64 a_4^3 a_6^3 + 36 a_3 a_5^3 a_6 a_7 \\ &\qquad - 144 a_3 a_4 a_5 a_6^2 a_7 - 72 a_2 a_5^2 a_6^2 a_7 + 288 a_2 a_4 a_6^3 a_7 + 216 a_3^2 a_6^2 a_7^2 - 864 a_1 a_6^3 a_7^2 \bigr) \end{aligned} \]

we find the identity $y^2 = x^3 + A x + B$. Denote this curve by $E$.

We construct a birational map $X \to E(k)$. Choose $a, b \in k$ satisfying $b^2 = a^3 + A a + B$. Since $\{1, x\}$ and $\{1, x, y\}$ are bases for $H^0\bigl( 2\,(P_\infty) \bigr)$ and $H^0\bigl( 3\,(P_\infty) \bigr)$, respectively, we have $\mathrm{div}(x - a) = (P_{a,b}) + (P_{a,-b}) - 2\,(P_\infty)$ and $\mathrm{div}(y - b) = (P_{a,b}) + (P'_{a,b}) + (P''_{a,b}) - 3\,(P_\infty)$. As $\mathcal{O}/P \simeq k$, consider that map $f : X \to \mathbb{P}^2(k)$ which sends a prime ideal $P$ to the projective point $f(P) = (x \bmod P : y \bmod P : 1)$. Note that $f(P_{a,b}) = (a : b : 1)$ and $f(P_\infty) = (0 : 1 : 0)$. As this map is one-to-one and onto, we see that $X \simeq E(k)$. □

Elliptic Curves. As before, assume that $k$ has characteristic different from 2 or 3. Fix $A, B \in k$ such that $4 A^3 + 27 B^2 \neq 0$. Let $X \subseteq \mathbb{P}^2(k)$ denote the collection of $k$-rational points on $y^2 = x^3 + A x + B$. We say that $X$ is an elliptic curve. We will show that $X$ is an abelian group with respect to some operation $\oplus$.

Theorem 10. Assume that $g = 1$. Then $X \simeq \mathrm{Jac}(X)$. In particular, $X$ is an abelian group.

Proof. This is the content of Proposition 3.4 in Chapter III.3.5 in Silverman's "The Arithmetic of Elliptic Curves": we will construct a birational map $\kappa : X \to \mathrm{Jac}(X)$. Fix a point $P_\infty \in X$ and send $\kappa : X \to \mathrm{Jac}(X)$ by $P \mapsto (P) - (P_\infty)$. To see why this map is surjective, choose $\mathfrak{a} \in \mathrm{Div}^0(X)$ and set $\mathfrak{b} = \mathfrak{a} + (P_\infty)$. Since $\deg(\mathfrak{c} - \mathfrak{b}) < 0$, the Riemann-Roch Theorem states that

\[ \dim_k H^0(\mathfrak{b}) = 1 - g + \deg(\mathfrak{b}) + \dim_k H^0(\mathfrak{c} - \mathfrak{b}) = 1. \]

Let $f \in H^0(\mathfrak{b})$ be nonzero; as this space is 1-dimensional we must have $\mathrm{div}(f) = (P) - \mathfrak{b}$ for some unique point $P$. Hence $\mathfrak{a} = \bigl( (P) - (P_\infty) \bigr) - \mathrm{div}(f)$ for some unique $P \in X$. □

We explain how the group law on elliptic curves can be derived from the Riemann-Roch Theorem. Fix a point $P_\infty \in X$ and denote $O = (0 : 1 : 0)$. Given two points $P, Q \in X$ draw a line in $\mathbb{P}^2(k)$ going through them. Rather explicitly, if $P = (p_1 : p_2 : p_0)$ and $Q = (q_1 : q_2 : q_0)$, then the line is in the form $f(x_1, x_2, x_0) = 0$ in terms of the linear polynomial

\[ f(x_1, x_2, x_0) = \begin{vmatrix} p_1 & p_2 & p_0 \\ q_1 & q_2 & q_0 \\ x_1 & x_2 & x_0 \end{vmatrix}. \]

It is easy to see that $\mathrm{div}(f) = (P) + (Q) + (P * Q) - 3\,(O)$ for some point $P * Q$. Now consider the line going through $P * Q$ and $P_\infty$; this is in the form $g(x_1, x_2, x_0) = 0$ for some linear polynomial. Again, it is easy to see that $\mathrm{div}(g) = (P * Q) + (P \oplus Q) + (P_\infty) - 3\,(O)$ for some point $P \oplus Q$. Hence we find that

\[ (P \oplus Q) - (P_\infty) = \bigl( (P) - (P_\infty) \bigr) + \bigl( (Q) - (P_\infty) \bigr) - \mathrm{div}(f/g). \]

Hence the map X → Jac(X) defined by P 7→ (P ) − (P∞) yields an associative group law ⊕. Note that P∞ is the identity, which we often choose as P∞ = O.

Theorem 11. Let $X$ be an elliptic curve, and let $D = \sum_{i=1}^m n_i\, (P_i)$ be a divisor on $E$. Then $D = \mathrm{div}(f)$ for some rational function $f : X \to \mathbb{P}^1$ if and only if both $\sum_{i=1}^m n_i = 0$ in $\mathbb{Z}$ and $\bigoplus_{i=1}^m [n_i] P_i = O$ in $X$.

The notation "$[n] P = P \oplus P \oplus \cdots \oplus P$" is the sum of $P$ repeated $n$ times in $X$.

Proof. This is the content of Corollary 3.5 in Chapter III.3.5 in Silverman's "The Arithmetic of Elliptic Curves": We have seen that the map $\kappa : X \to \mathrm{Jac}(X)$ which sends $P \mapsto (P) - (O)$ is an isomorphism. Assume that $D = \mathrm{div}(f)$. Then $\sum_i n_i = \deg D = \deg \mathrm{div}(f) = 0$, and $\bigoplus_i [n_i] P_i = \bigoplus_i [n_i] \bigl( P - O \bigr) = \kappa^{-1}(D) = \kappa^{-1}\bigl( \mathrm{div}(f) \bigr)$. □

Tate Pairing and Weil Pairing

Group Law. Now let $k$ be any number field, and choose $\{a_1, a_2, a_3, a_4, a_6\} \subseteq k$. The set $E : f(x, y) = 0$ in terms of the polynomial

\[ f(x, y) = \bigl( y^2 + a_1 x y + a_3 y \bigr) - \bigl( x^3 + a_2 x^2 + a_4 x + a_6 \bigr) \]

is a curve over $k$. Define the $k$-rational numbers

\[ \begin{aligned} b_2 &= a_1^2 + 4 a_2 \\ b_4 &= 2 a_4 + a_1 a_3 \\ b_6 &= a_3^2 + 4 a_6 \\ b_8 &= a_1^2 a_6 + 4 a_2 a_6 - a_1 a_3 a_4 + a_2 a_3^2 - a_4^2 \end{aligned} \qquad \begin{aligned} c_4 &= b_2^2 - 24 b_4 \\ c_6 &= -b_2^3 + 36 b_2 b_4 - 216 b_6 \\ \Delta &= -b_2^2 b_8 - 8 b_4^3 - 27 b_6^2 + 9 b_2 b_4 b_6 \end{aligned} \]

Then $E$ is non-singular if and only if $\Delta \neq 0$. In this case, $E$ is an elliptic curve.

We review the group law $\oplus : E(k) \times E(k) \to E(k)$ defined above: Given two points $P = (p_1 : p_2 : p_0)$ and $Q = (q_1 : q_2 : q_0)$ in $E(k)$ draw a line $f(x_1, x_2, x_0) = 0$ in $\mathbb{P}^2(k)$ going through them in terms of the linear polynomial

\[ f(x_1, x_2, x_0) = \begin{vmatrix} p_1 & p_2 & p_0 \\ q_1 & q_2 & q_0 \\ x_1 & x_2 & x_0 \end{vmatrix} \quad \Longrightarrow \quad \mathrm{div}(f) = (P) + (Q) + (P * Q) - 3\,(O). \]

Now consider the line going through $P * Q$ and $O$; this is in the form $g(x_1, x_2, x_0) = 0$ for some linear polynomial, where $\mathrm{div}(g) = (P * Q) + (P \oplus Q) - 2\,(O)$ for some point $P \oplus Q \in E(k)$.

Isogenies. Let $E$ and $E'$ be two elliptic curves defined over $k$. An isogeny is a rational map $\phi : E(\overline{\mathbb{Q}}) \to E'(\overline{\mathbb{Q}})$ defined over $k$ such that $\phi(O) = O$. Since $\phi : E \to E'$ induces a map $\phi^* : \overline{\mathbb{Q}}(E') \to \overline{\mathbb{Q}}(E)$ which sends $f \mapsto f \circ \phi$, we define the degree of $\phi$ as the degree of the extension $\overline{\mathbb{Q}}(E)/\phi^* \overline{\mathbb{Q}}(E')$.

Theorem 12. Let $\phi : E \to E'$ be a nonconstant isogeny of degree $m$ between elliptic curves over $k$.

• $\phi$ is a group homomorphism, that is, $\phi(P \oplus Q) = \phi(P) \oplus \phi(Q)$ as a sum in $E'(\overline{\mathbb{Q}})$ for any $P, Q \in E(\overline{\mathbb{Q}})$.

• The map $\ker(\phi) \to \mathrm{Gal}\bigl( \overline{\mathbb{Q}}(E)/\phi^* \overline{\mathbb{Q}}(E') \bigr)$ which sends $T$ to the function $\tau_T^* g : P \mapsto g(P \oplus T)$ is an isomorphism. In particular, $|\ker(\phi)| = m$.

• There exists a unique dual isogeny $\hat{\phi} : E' \to E$ such that the composition $\hat{\phi} \circ \phi = [m] : E \to E' \to E$ sends $P \mapsto [m] P$ on $E$.

Proof. The first statement is the content of Theorem 4.8 in Chapter III.4 of Silverman's "The Arithmetic of Elliptic Curves": It follows from a diagram chase.

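\[ \begin{array}{ccc} E(\overline{\mathbb{Q}}) & \xrightarrow{\ \phi\ } & E'(\overline{\mathbb{Q}}) \\ \downarrow{\scriptstyle \kappa_1} & & \uparrow{\scriptstyle \kappa_2^{-1}} \\ \mathrm{Jac}(E) & \xrightarrow{\ \phi_*\ } & \mathrm{Jac}(E') \end{array} \qquad \begin{array}{ccc} P \oplus Q & \longmapsto & \phi(P \oplus Q) = \phi(P) \oplus \phi(Q) \\ \downarrow & & \uparrow \\ (P \oplus Q) - (O) = (P) + (Q) - 2\,(O) & \longmapsto & \bigl( \phi(P \oplus Q) \bigr) - (O) = \bigl( \phi(P) \bigr) + \bigl( \phi(Q) \bigr) - 2\,(O) \end{array} \]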

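For the second statement, we begin by showing the map is well-defined. Each $T \in \ker(\phi)$ maps to that automorphism $\tau_T^*$ which sends a function $g \in \overline{\mathbb{Q}}(E)$ to that function $\tau_T^* g : P \mapsto g(P \oplus T)$. If $g \in \phi^* \overline{\mathbb{Q}}(E')$, then $g = f \circ \phi$ for some $f \in \overline{\mathbb{Q}}(E')$, so that $\tau_T^* g$ is that function which sends $P \in E(\overline{\mathbb{Q}})$ to $\bigl( \tau_T^* g \bigr)(P) = f\bigl( \phi(P) \oplus \phi(T) \bigr) = f\bigl( \phi(P) \oplus O \bigr) = g(P)$. Hence $\tau_T^*$ acts trivially on $\phi^* \overline{\mathbb{Q}}(E')$. Clearly the map $T \mapsto \tau_T^*$ is a well-defined injection. Conversely, $\deg(\phi) = |\phi^{-1}(Q)|$ for some $Q \in E'(\overline{\mathbb{Q}})$. Fix $P \in \phi^{-1}(Q)$. Then the map $\tau_P : \phi^{-1}(O) \to \phi^{-1}(Q)$ which sends $T \mapsto P \oplus T$ is a one-to-one correspondence, so that

\[ \bigl| \mathrm{Gal}\bigl( \overline{\mathbb{Q}}(E)/\phi^* \overline{\mathbb{Q}}(E') \bigr) \bigr| = \deg(\phi) = |\phi^{-1}(Q)| = |\phi^{-1}(O)| = |\ker(\phi)|. \]

For the third statement, consider the extension $\overline{\mathbb{Q}}(E)/[m]^* \overline{\mathbb{Q}}(E)$ with Galois group $\ker [m]$. Since $[m] T = O$ for any $T \in \ker(\phi)$ by Lagrange's Theorem, we see that $\ker(\phi) \subseteq \ker [m]$. In particular, we have the following tower of fields:

\[ [m]^* \overline{\mathbb{Q}}(E) \subseteq \phi^* \overline{\mathbb{Q}}(E') \subseteq \overline{\mathbb{Q}}(E) \]

This shows that the map $[m] : E \to E$ is in the form $[m] = \hat{\phi} \circ \phi$ for some rational map $\hat{\phi} : E' \to E$. Note that we have the following diagram:

\[ \begin{array}{ccc} E'(\overline{\mathbb{Q}}) & \xrightarrow{\ \hat{\phi}\ } & E(\overline{\mathbb{Q}}) \\ \downarrow{\scriptstyle \kappa_2} & & \uparrow{\scriptstyle \kappa_1^{-1}} \\ \mathrm{Jac}(E') & \xrightarrow{\ \phi^*\ } & \mathrm{Jac}(E) \end{array} \qquad \begin{array}{ccc} Q & \longmapsto & [m] P \\ \downarrow & & \uparrow \\ (Q) - (O) & \longmapsto & \sum_{T \in \ker(\phi)} \bigl( (P \oplus T) - (T) \bigr) \end{array} \]

for any $P \in E(\overline{\mathbb{Q}})$ such that $\phi(P) = Q$. In particular, $\bigl( \hat{\phi} \circ \phi \bigr)(P) = \hat{\phi}(Q) = [m] P$ so that $\hat{\phi}(O) = \hat{\phi}\bigl( \phi(O) \bigr) = [m]\, O = O$. If $\hat{\phi}'$ is any other dual isogeny, then $\bigl( \hat{\phi}' - \hat{\phi} \bigr) \circ \phi = [m] - [m] = [0]$ on $E$, so that $\hat{\phi}' - \hat{\phi} = [0]$ must be constant. This shows that $\hat{\phi}$ is the unique rational map with $\hat{\phi} \circ \phi = [m]$ and $\hat{\phi}(O) = O$, so $\hat{\phi}$ must be an isogeny. □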

Examples.

• Consider an elliptic curve $E : y^2 + a_1 x y + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6$ where $a_i \in k$. Given a point $P = (x : y : 1)$ in $E(k)$, we have $[m] P = O$ if and only if $\psi_m(P) = 0$ in terms of the division polynomials

\[ \psi_m(P) = \begin{cases} 1 & \text{for } m = 1, \\ 2 y + a_1 x + a_3 = \sqrt{4 x^3 + b_2 x^2 + 2 b_4 x + b_6} & \text{for } m = 2, \\ 3 x^4 + b_2 x^3 + 3 b_4 x^2 + 3 b_6 x + b_8 & \text{for } m = 3, \\ \psi_2(P) \bigl( 2 x^6 + b_2 x^5 + 5 b_4 x^4 + 10 b_6 x^3 + 10 b_8 x^2 + (b_2 b_8 - b_4 b_6)\, x + (b_4 b_8 - b_6^2) \bigr) & \text{for } m = 4. \end{cases} \]

Other division polynomials can be generated by the recursive relation

\[ \psi_{m+n}(P)\, \psi_{m-n}(P)\, \psi_1(P)^2 = \psi_{m+1}(P)\, \psi_{m-1}(P)\, \psi_n(P)^2 - \psi_{n+1}(P)\, \psi_{n-1}(P)\, \psi_m(P)^2 \]

for any integers $m$ and $n$. In fact, the "multiplication-by-$m$" map $[m] : E(k) \to E(k)$ sends $P$ to $[m] P = \bigl( \phi_m(P)/\psi_m(P)^2 : \omega_m(P)/\psi_m(P)^3 : 1 \bigr)$ in terms of the polynomials

\[ \phi_m(P) = \begin{cases} x & \text{for } m = 1, \\ x^4 - b_4 x^2 - 2 b_6 x - b_8 & \text{for } m = 2, \\ \phi_1(P)\, \psi_m(P)^2 - \psi_{m+1}(P)\, \psi_{m-1}(P) & \text{for } m \ge 2. \end{cases} \]

\[ \omega_m(P) = \begin{cases} y & \text{for } m = 1, \\ \dfrac{-a_1 \phi_2(P)\, \psi_2(P)^2 - a_3 \psi_2(P)^4 + \psi_4(P)}{2\, \psi_2(P)} & \text{for } m = 2, \\ -\dfrac{a_1 \phi_m(P)\, \psi_m(P) + a_3 \psi_m(P)^3}{2} + \dfrac{\psi_{m-1}(P)^2\, \psi_{m+2}(P) + \psi_{m-2}(P)\, \psi_{m+1}(P)^2}{2\, \psi_2(P)} & \text{for } m \ge 2. \end{cases} \]

In particular, $\deg \psi_m(P)^2 = m^2 - 1$, so that the "multiplication-by-$m$" map is an isogeny of degree $m^2$. In fact, $\ker [m] \simeq \mathbb{Z}_m \times \mathbb{Z}_m$ and $\widehat{[m]} = [m]$.

• Consider the elliptic curves

\[ \begin{aligned} E &: y^2 = x^3 + a x^2 + b x \\ E' &: Y^2 = X^3 + A X^2 + B X \end{aligned} \qquad \text{where} \qquad \begin{aligned} A &= -2 a \\ B &= a^2 - 4 b \end{aligned} \]

where $a, b, A, B \in k$ satisfy $b B \neq 0$. It is easy to check that $T = (0 : 0 : 1)$ is a $k$-rational point of order 2, that is, $[2] T = O$. Then we have maps $\phi : E \to E'$ and $\hat{\phi} : E' \to E$ which send

\[ \begin{aligned} \phi &: (x_1 : x_2 : x_0) \mapsto \bigl( x_2^2 x_0 : x_2 (b x_0^2 - x_1^2) : x_1^2 x_0 \bigr) \\ \hat{\phi} &: (X_1 : X_2 : X_0) \mapsto \bigl( 2 X_2^2 X_0 : X_2 (B X_0^2 - X_1^2) : 8 X_1^2 X_0 \bigr) \end{aligned} \]

It is easy to check that $\ker(\phi) = \{ (0 : 0 : 1), (0 : 1 : 0) \} \simeq \mathbb{Z}_2$ and that $\hat{\phi} \circ \phi = [2]$ is the "multiplication-by-2" map. Hence both $\phi$ and $\hat{\phi}$ are 2-isogenies.

• Let $A \subseteq E(\overline{\mathbb{Q}}) \hookrightarrow \mathbb{C}/\Lambda$ be any finite subgroup such that $G_k$ acts trivially. Then we can find an isogeny $\phi : E \to E'$ such that $\ker(\phi) \simeq A$. One can construct $E'$ explicitly using the cohomology group $H^1\bigl( G_k, A \bigr)$. Usually, one focuses on subgroups in the form $A \simeq \mathbb{Z}_m \times \mathbb{Z}_m$ or $A \simeq \mathbb{Z}_n$, but we can certainly consider others such as $A \simeq \mathbb{Z}_m \times \mathbb{Z}_n$.
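The 2-isogeny of the second example above, together with the chord-and-tangent law ⊕ reviewed under Group Law, can be checked in exact rational arithmetic over k = Q. This is an added example, not part of the original notes; the curve a = 1, b = 2, the point (1 : 2 : 1) and all function names are assumptions chosen for illustration.

```python
from fractions import Fraction as F

# Constructed sample data (assumptions of this example, not values from the text):
# E : y^2 = x^3 + a x^2 + b x over Q with a = 1, b = 2, and the point (1 : 2 : 1) on E.
a, b = F(1), F(2)
A, B = -2 * a, a * a - 4 * b      # E' : Y^2 = X^3 + A X^2 + B X, as in the text
O = (F(0), F(1), F(0))            # identity (0 : 1 : 0)
T = (F(0), F(0), F(1))            # k-rational point of order 2
P_SAMPLE = (F(1), F(2), F(1))


def normalize(P):
    """Return the representative with x0 = 1, or O for the point at infinity."""
    x1, x2, x0 = P
    return O if x0 == 0 else (x1 / x0, x2 / x0, F(1))


def on_curve(P, a2, a4):
    """Homogeneous test for x2^2 x0 = x1^3 + a2 x1^2 x0 + a4 x1 x0^2."""
    x1, x2, x0 = P
    return x2**2 * x0 == x1**3 + a2 * x1**2 * x0 + a4 * x1 * x0**2


def add(P, Q, a2, a4):
    """Chord-and-tangent sum P (+) Q on y^2 = x^3 + a2 x^2 + a4 x."""
    P, Q = normalize(P), normalize(Q)
    if P == O:
        return Q
    if Q == O:
        return P
    (xp, yp, _), (xq, yq, _) = P, Q
    if xp == xq and yp == -yq:            # vertical line: Q = -P (covers 2-torsion)
        return O
    if P == Q:
        lam = (3 * xp**2 + 2 * a2 * xp + a4) / (2 * yp)   # tangent slope
    else:
        lam = (yq - yp) / (xq - xp)                       # chord slope
    x3 = lam**2 - a2 - xp - xq
    return (x3, lam * (xp - x3) - yp, F(1))


def phi(P):
    """The 2-isogeny E -> E' from the text; its kernel {T, O} is sent to O."""
    x1, x2, x0 = P
    if x0 == 0 or x1 == 0:                # the formula degenerates to (0:0:0) here
        return O
    return normalize((x2**2 * x0, x2 * (b * x0**2 - x1**2), x1**2 * x0))


def phi_hat(Q):
    """The dual isogeny E' -> E from the text."""
    X1, X2, X0 = Q
    if X0 == 0 or X1 == 0:
        return O
    return normalize((2 * X2**2 * X0, X2 * (B * X0**2 - X1**2), 8 * X1**2 * X0))


def check_dual(P):
    """True when phi_hat(phi(P)) equals [2]P computed with the group law."""
    return phi_hat(phi(P)) == add(P, P, a, b)


def check_homomorphism(P, Q):
    """True when phi(P (+) Q) equals phi(P) (+) phi(Q) on E'."""
    return phi(add(P, Q, a, b)) == add(phi(P), phi(Q), A, B)


if __name__ == "__main__":
    P2 = add(P_SAMPLE, P_SAMPLE, a, b)
    print("phi(P)      =", phi(P_SAMPLE))
    print("[2]P        =", P2)
    print("dual check  :", check_dual(P_SAMPLE), check_dual(P2))
    print("homomorphism:", check_homomorphism(P_SAMPLE, P2))
```

The projective formulas for φ and its dual evaluate to (0 : 0 : 0) on their kernels, which is why the two kernel points are handled before the formula is applied.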

Weil Pairing. For any isogeny $\phi : E \to E'$ and its dual $\hat{\phi} : E' \to E$, the kernels $E[\phi] = \ker(\phi)$ and $E'[\hat{\phi}] = \ker(\hat{\phi})$ are intimately related.

Theorem 13. Let $\phi : E \to E'$ be a nonconstant isogeny of degree $m$ between elliptic curves over $k$. Denote $E[\phi] = \ker(\phi) \subseteq E(k)$ and $E'[\hat{\phi}] = \ker(\hat{\phi}) \subseteq E'(k)$ as the kernels of the isogeny and its dual. Then there exists a pairing

\[ e_\phi : \ker(\phi) \times \ker(\hat{\phi}) \to \mu_m \]

satisfying the following properties:

• Bilinearity: For all $S \in \ker(\phi)$ and $T \in \ker(\hat{\phi})$, we have

\[ e_\phi(S_1 \oplus S_2, T) = e_\phi(S_1, T) \cdot e_\phi(S_2, T) \]

\[ e_\phi(S, T_1 \oplus T_2) = e_\phi(S, T_1) \cdot e_\phi(S, T_2) \]

• Non-Degenerate: If $e_\phi(S, T) = 1$ for all $S \in \ker(\phi)$, then $T = O$.

• Galois Invariant: $\sigma\bigl( e_\phi(S, T) \bigr) = e_\phi\bigl( \sigma(S), \sigma(T) \bigr)$ for all $\sigma \in G_k$.

• Compatibility: If $\psi : E' \to E''$ is another isogeny, then $e_{\psi \circ \phi}(P, Q) = e_\psi\bigl( \phi(P), Q \bigr)$ for all $P \in \ker(\psi \circ \phi)$ and $Q \in \ker(\hat{\psi})$.

Proof. We follow Section III.8 on pages 92–99 and Exercise 3.15 on page 108 of Joseph Silverman’s “The Arithmetic of Elliptic Curves”. Let T ∈ ker(φb) ⊆ E0[m]. According to Theorem 11, there are 0 functions fT ∈ Q(E ) and gT ∈ Q(E) satisfying

div(fT ) = m (T ) − m (O)

∗  X 0 0  −1 div(gT ) = φ (T ) − (O) = (P ⊕ T ) − (T ) where P ∈ φ (T ) ⊆ E[m]. T 0∈ker(φ)

m m Since div(gT ) = div(fT ◦ φ), we may assume without loss of generality that fT ◦ φ = gT . For 1 any S ∈ ker(φ), consider the map E(Q) → P (Q) which sends X 7→ gT (X ⊕ S)/gT (X). Since m   m gT (X ⊕S) = fT φ(X)⊕φ(S) = fT φ(X) = gT (X) , we see that this map takes on only finitely may values – and hence must be constant. We define the Weil pairing eφ : ker(φ) × ker(φb) → µm as the mth eφ(S, T ) = gT (X ⊕ S)/gT (X). We show (Bilinearity). For the first factor we have

gT (X ⊕ S1 ⊕ S2) eφ(S1 ⊕ S2,T ) = gT (X) g (X ⊕ S ⊕ S ) g (X ⊕ S ) g (X ⊕ S ) g (X ⊕ S ) = T 1 2 · T 2 = T 1 · T 2 gT (X ⊕ S2) gT (X) gT (X) gT (X)

= eφ(S1,T ) · eφ(S2,T ).

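For the second factor, fix $T_1, T_2 \in \ker(\widehat{\phi})$. Using Theorem 11 again, we can find functions $f_1, f_2, f_3 \in \overline{\mathbb{Q}}(E')$ and $g_1, g_2, g_3 \in \overline{\mathbb{Q}}(E)$ satisfying

$$\begin{array}{ll}
\operatorname{div}(f_1) = m\,(T_1) - m\,(O) & \operatorname{div}(g_1) = \phi^*\big((T_1) - (O)\big) \\
\operatorname{div}(f_2) = m\,(T_2) - m\,(O) & \operatorname{div}(g_2) = \phi^*\big((T_2) - (O)\big) \\
\operatorname{div}(f_3) = m\,(T_1 \oplus T_2) - m\,(O) & \operatorname{div}(g_3) = \phi^*\big((T_1 \oplus T_2) - (O)\big)
\end{array}
\quad \Longrightarrow \quad
\begin{array}{l}
f_1 \circ \phi = g_1^m \\
f_2 \circ \phi = g_2^m \\
f_3 \circ \phi = g_3^m
\end{array}$$

Similarly, we can find a function $h \in \overline{\mathbb{Q}}(E')$ such that $\operatorname{div}(h) = (T_1 \oplus T_2) - (T_1) - (T_2) + (O)$, and so

$$\operatorname{div}\left(\frac{f_3}{f_1 f_2}\right) = m \operatorname{div}(h) \quad \Longrightarrow \quad \frac{f_3}{f_1 f_2} = h^m \quad \Longrightarrow \quad \left(\frac{g_3}{g_1 g_2}\right)^m = (h \circ \phi)^m.$$

Hence $g_3 = c \cdot g_1\, g_2\, (h \circ \phi)$ for some constant $c \in \overline{\mathbb{Q}}$. This gives

$$\begin{aligned}
e_\phi(S, T_1 \oplus T_2) = \frac{g_3(X \oplus S)}{g_3(X)} &= \frac{g_1(X \oplus S)}{g_1(X)} \cdot \frac{g_2(X \oplus S)}{g_2(X)} \cdot \frac{h\big(\phi(X) \oplus \phi(S)\big)}{h\big(\phi(X)\big)} \\
&= \frac{g_1(X \oplus S)}{g_1(X)} \cdot \frac{g_2(X \oplus S)}{g_2(X)} \cdot \frac{h\big(\phi(X) \oplus O\big)}{h\big(\phi(X)\big)} \\
&= e_\phi(S, T_1) \cdot e_\phi(S, T_2).
\end{aligned}$$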

We show (Non-Degeneracy). Say that $e_\phi(S, T) = 1$ for all $S \in \ker(\phi)$. Then $g_T(X \oplus S) = g_T(X)$ for all $X \in E(\overline{\mathbb{Q}})$. Following the ideas in Theorem 12, we see that $g_T \in \phi^*\, \overline{\mathbb{Q}}(E')$, so that $g_T = h_T \circ \phi$ for some $h_T \in \overline{\mathbb{Q}}(E')$. Since $(h_T \circ \phi)^m = g_T^m = f_T \circ \phi$, we find that $f_T = h_T^m$, and so $\operatorname{div}(h_T) = (T) - (O)$. According to Theorem 10, we must have $T = O$. (Galois Invariance) is clear. We show (Compatibility) using the following diagram:

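[Commutative diagram. Top row: $E(\overline{\mathbb{Q}})$, $E'(\overline{\mathbb{Q}})$, $E''(\overline{\mathbb{Q}})$, joined by $\phi$ and $\psi$ from left to right and by the duals $\widehat{\phi}$ and $\widehat{\psi}$ from right to left. Middle row: $\ker(\psi \circ \phi)$, $\phi\big(\ker(\psi \circ \phi)\big)$, $\ker(\widehat{\phi} \circ \widehat{\psi})$, each included in the group above it (two of these inclusions are labelled $i$ and $j$), with $\phi$ mapping $\ker(\psi \circ \phi)$ to $\phi\big(\ker(\psi \circ \phi)\big)$. Bottom row: $\ker(\phi) \subseteq \ker(\psi \circ \phi)$ and $\ker(\widehat{\psi}) \subseteq \ker(\widehat{\phi} \circ \widehat{\psi})$.]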

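Say that $\psi : E' \to E''$ is an isogeny of degree $n$. For each $Q \in \ker(\widehat{\psi}) \subseteq \ker(\widehat{\psi \circ \phi})$, there are functions $d_Q, f_Q \in \overline{\mathbb{Q}}(E'')$, $g_Q \in \overline{\mathbb{Q}}(E')$, and $h_Q \in \overline{\mathbb{Q}}(E)$ satisfying

$$\begin{array}{l}
\operatorname{div}(d_Q) = n\,(Q) - n\,(O) \\
\operatorname{div}(f_Q) = m\,n\,(Q) - m\,n\,(O) \\
\operatorname{div}(g_Q) = \psi^*\big((Q) - (O)\big) \\
\operatorname{div}(h_Q) = (\psi \circ \phi)^*\big((Q) - (O)\big)
\end{array}
\quad \Longrightarrow \quad
\begin{array}{l}
d_Q \circ \psi = g_Q^n \\
f_Q \circ \psi \circ \phi = h_Q^{mn} \\
f_Q = d_Q^m \\
g_Q \circ \phi = h_Q
\end{array}$$

We define the pairings $e_\psi : \ker(\psi) \times \ker(\widehat{\psi}) \to \mu_{mn}$ and $e_{\psi \circ \phi} : \ker(\psi \circ \phi) \times \ker(\widehat{\psi}) \to \mu_{mn}$ via $e_\psi(S, Q) = g_Q(X \oplus S)/g_Q(X)$ and $e_{\psi \circ \phi}(P, Q) = h_Q(Y \oplus P)/h_Q(Y)$, respectively. If we write $X = \phi(Y)$, then

$$e_\psi\big(\phi(P), Q\big) = \frac{g_Q\big(X \oplus \phi(P)\big)}{g_Q(X)} = \frac{g_Q\big(\phi(Y) \oplus \phi(P)\big)}{g_Q\big(\phi(Y)\big)} = \frac{h_Q(Y \oplus P)}{h_Q(Y)} = e_{\psi \circ \phi}(P, Q).$$

This completes the proof. □

Examples.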

• Consider the elliptic curve

$$E : y^2 + a_1\,x\,y + a_3\,y = x^3 + a_2\,x^2 + a_4\,x + a_6.$$

Say $\phi = [2]$ is the “multiplication-by-2” map. Recall that the 2-division polynomial is $\psi_2(x) = 2\,y + a_1\,x + a_3 = \sqrt{4\,x^3 + b_2\,x^2 + 2\,b_4\,x + b_6}$. If we denote $e$ as one of the roots of this polynomial, then $T = (e : -a_1\,e - a_3 : 1)$ is a point of order $m = 2$. We denote the functions

$$\begin{array}{l}
f_T(P) = x - e \\[4pt]
g_T(P) = \dfrac{\big(4\,e^2 + b_2\,e + b_4\big) + 4\,e\,x - 2\,x^2}{2\,(2\,y + a_1\,x + a_3)}
\end{array}
\quad \Longrightarrow \quad
\big(f_T \circ [2]\big)(P) = g_T(P)^2.$$

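• Consider the elliptic curves

$$\begin{array}{l}
E : y^2 = x^3 + a\,x^2 + b\,x \\
E' : Y^2 = X^3 + A\,X^2 + B\,X
\end{array}
\quad \text{where} \quad
\begin{array}{l}
A = -2\,a \\
B = a^2 - 4\,b
\end{array}$$

where $a, b, A, B \in k$ satisfy $b\,B \neq 0$. Then we have maps $\phi : E \to E'$ and $\widehat{\phi} : E' \to E$ which send

$$\begin{aligned}
\phi &: (x_1 : x_2 : x_0) \mapsto \big(x_2^2\,x_0 : x_2\,(b\,x_0^2 - x_1^2) : x_1^2\,x_0\big) \\
\widehat{\phi} &: (X_1 : X_2 : X_0) \mapsto \big(2\,X_2^2\,X_0 : X_2\,(B\,X_0^2 - X_1^2) : 8\,X_1^2\,X_0\big)
\end{aligned}$$

where $\widehat{\phi} \circ \phi = [2]$ is the “multiplication-by-2” map. Note that $\ker(\phi) = \{T, O\}$ is the kernel, where $T = (0 : 0 : 1)$ is a $k$-rational point of order 2, that is, $[2]T = O$. We denote the functions

$$\begin{array}{l}
f_T(Q) = X \\[4pt]
g_T(P) = \dfrac{y}{x}
\end{array}
\quad \Longrightarrow \quad
f_T \circ \phi(P) = g_T(P)^2.$$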

• There is an easy way to interpret the Weil pairing. Consider the “multiplication-by-$m$” map $[m] : E \to E$. Since $E[m] \simeq \mathbb{Z}_m \times \mathbb{Z}_m$ over $\overline{\mathbb{Q}}$, we can choose a basis $\{T_1, T_2\}$. Then define $e_m : E[m] \times E[m] \to \mu_m$ by sending $S = [a]T_1 \oplus [b]T_2$ and $T = [c]T_1 \oplus [d]T_2$ to $\zeta_m^{ad - bc}$. The only downside to making this definition is one would have to prove that $E[m] \simeq \mathbb{Z}_m \times \mathbb{Z}_m$!

Tate Pairing. We discuss how a specific example of an isogeny gives information about the elliptic curve.

Theorem 14. Say that $E$ is an elliptic curve over $k$ as above.

• Denote the 2-division polynomial as $\psi_2(x) = 2\,y + a_1\,x + a_3 = \sqrt{4\,x^3 + b_2\,x^2 + 2\,b_4\,x + b_6}$. This has distinct roots $e_1, e_2, e_3 \in \overline{\mathbb{Q}}$, and so $E : Y^2 = (X - e_1)(X - e_2)(X - e_3)$. Moreover,

$$E[2] = \big\{ T \in E(\overline{\mathbb{Q}}) \;\big|\; [2]\,T = O \big\} = \big\{ (e_1 : 0 : 1),\ (e_2 : 0 : 1),\ (e_3 : 0 : 1),\ (0 : 1 : 0) \big\} \simeq \mathbb{Z}_2 \times \mathbb{Z}_2.$$

• Assume that $E[2] \subseteq E(k)$. Consider the map defined by

$$e_2 : \frac{E(k)}{2\,E(k)} \times E[2] \to \frac{k^\times}{(k^\times)^2}, \qquad (P, T) \mapsto \begin{cases} 1 & \text{if } T = O, \\ X - e & \text{otherwise;} \end{cases}$$

where $P = (X : Y : 1)$ and $T = (e : 0 : 1)$. This is a “perfect” pairing i.e.,

– Non-Degeneracy: If $e_2(P, T) = 1$ for all $T \in E[2]$ then $P \in 2\,E(k)$.

– Bilinearity: For all $P, Q \in E(k)$ and $T \in E[2]$ we have

$$e_2(P \oplus Q, T) = e_2(P, T) \cdot e_2(Q, T),$$

$$e_2(P, T_1 \oplus T_2) = e_2(P, T_1) \cdot e_2(P, T_2).$$

Proof. Choose $P = (p_1 : p_2 : p_0) \in E(k)$, and say that $e_2(P, T) = 1$ for all $T \in E[2]$. To show $P \in 2\,E(k)$ it suffices to exhibit $P' \in E(k)$ such that $P = [2]P'$. If $P = O$ we may choose $P' = O$ as well, so assume $p_0 \neq 0$. Upon considering $T = (e_i : 0 : 1)$, we see that $f_i = \sqrt{\dfrac{p_1}{p_0} - e_i} \in k$ for $i = 1, 2, 3$; we choose the signs so that $\dfrac{p_2}{p_0} = f_1\,f_2\,f_3$. It is easy to check that the desired $k$-rational point is

$$P' = \left( \frac{(e_1 - e_3)(e_2 - e_3)}{(f_1 - f_3)(f_2 - f_3)} + e_3 \;:\; \frac{(e_1 - e_2)(e_1 - e_3)(e_2 - e_3)}{(f_1 - f_2)(f_1 - f_3)(f_2 - f_3)} \;:\; 1 \right).$$

We show $e_2(P \oplus Q, T) = e_2(P, T) \cdot e_2(Q, T)$. If $T = O$ there is nothing to show since $e_2(P, T) = e_2(Q, T) = e_2(P \oplus Q, T) = 1$, so assume that $T = (e : 0 : 1)$. Choose two points $P = (p_1 : p_2 : p_0)$ and $Q = (q_1 : q_2 : q_0)$ in $E(k)$. Draw a line through them, say $a\,x_1 + b\,x_2 + c\,x_0 = 0$, and assume that it intersects $E$ at a third point $R = (r_1 : r_2 : r_0)$. The projective curve $E$ is defined by the homogeneous polynomial $F(x_1, x_2, x_0) = x_2^2\,x_0 - (x_1 - e_1\,x_0)(x_1 - e_2\,x_0)(x_1 - e_3\,x_0)$, so the intersection with the line $a\,x_1 + b\,x_2 + c\,x_0 = 0$ admits the factorization

$$p_0\,q_0\,r_0 \cdot F(x_1, x_2, x_0) = (p_1\,x_0 - p_0\,x_1)(q_1\,x_0 - q_0\,x_1)(r_1\,x_0 - r_0\,x_1).$$

When $(x_1 : x_2 : x_0) = (b\,e : -a\,e - c : b)$ is the point where the lines $a\,x_1 + b\,x_2 + c\,x_0 = 0$ and $x_1 - e\,x_0 = 0$ intersect, we have the equality

$$b^3 \left(\frac{p_1}{p_0} - e\right)\left(\frac{q_1}{q_0} - e\right)\left(\frac{r_1}{r_0} - e\right) = F(b\,e,\ -a\,e - c,\ b) = (a\,e + c)^2\,b.$$

This implies the congruence $e_2(P, T) \cdot e_2(Q, T) \cdot e_2(R, T) \equiv 1 \bmod (k^\times)^2$. We conclude that $e_2(P \oplus Q, T) = e_2(P, T) \cdot e_2(Q, T)$. We show $e_2(P, T_1 \oplus T_2) = e_2(P, T_1) \cdot e_2(P, T_2)$. If $T_1 = T_2$ then

$$e_2(P, T_1 \oplus T_2) = e_2(P, O) = 1 \equiv e_2(P, T_1)^2 = e_2(P, T_1) \cdot e_2(P, T_2).$$

If $T_1 \neq T_2$, we may assume $T_1 = (e_1 : 0 : 1)$ and $T_2 = (e_2 : 0 : 1)$. (If either $T_1$ or $T_2$ is $O$ there is nothing to show.) Then $T_1 \oplus T_2 = (e_3 : 0 : 1)$. The identity

$$\left(\frac{p_1}{p_0} - e_1\right)\left(\frac{p_1}{p_0} - e_2\right)\left(\frac{p_1}{p_0} - e_3\right) = \left(\frac{p_2}{p_0}\right)^2$$

implies the congruence $e_2(P, T_1) \cdot e_2(P, T_2) \cdot e_2(P, T_1 \oplus T_2) \equiv 1 \bmod (k^\times)^2$. We conclude that $e_2(P, T_1 \oplus T_2) = e_2(P, T_1) \cdot e_2(P, T_2)$. □
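The pairing of Theorem 14 can be checked exhaustively over a small prime field, the setting in which it is used in cryptography. The Python code below is an added example, not part of the original notes: the prime p = 103 and the roots (1, 5, 20) are constructed sample values, it assumes the purely algebraic proof above carries over to $k = \mathbb{F}_p$, and for $P = T$ it uses the value forced by bilinearity in the second factor.

```python
# Added example (not from the original notes): Theorem 14's pairing over F_p.
# p and ROOTS are constructed sample values; ROOTS = (e1, e2, e3) are distinct mod p.
p = 103
ROOTS = (1, 5, 20)
O = None  # point at infinity
A2 = -sum(ROOTS) % p
A4 = (ROOTS[0]*ROOTS[1] + ROOTS[0]*ROOTS[2] + ROOTS[1]*ROOTS[2]) % p
TORSION = [(e, 0) for e in ROOTS]  # the points T = (e : 0 : 1)

def on_curve(x, y):
    e1, e2, e3 = ROOTS
    return (y*y - (x - e1)*(x - e2)*(x - e3)) % p == 0

def add(P, Q):
    """Chord-and-tangent addition on y^2 = x^3 + A2 x^2 + A4 x + A6."""
    if P is O: return Q
    if Q is O: return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return O
    if P == Q:
        lam = (3*x1*x1 + 2*A2*x1 + A4) * pow(2*y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam*lam - A2 - x1 - x2) % p
    return (x3, (lam*(x1 - x3) - y1) % p)

def square_class(a):
    """Image of a in F_p^x/(F_p^x)^2 as +1 (square) or -1 (non-square)."""
    return 1 if pow(a % p, (p - 1)//2, p) == 1 else -1

def e2(P, T):
    """e2(P, T) = X - e modulo squares; trivial if P = O or T = O."""
    if P is O or T is O:
        return 1
    e = T[0]
    if P[0] != e:
        return square_class(P[0] - e)
    # P = T: write T = Tj + Tk and use bilinearity in the second factor.
    ej, ek = [r for r in ROOTS if r != e]
    return square_class((e - ej) * (e - ek))

def points():
    return [O] + [(x, y) for x in range(p) for y in range(p) if on_curve(x, y)]

def in_2E(P, pts):
    """True when P = [2]P' for some P' in E(F_p)."""
    return any(add(R, R) == P for R in pts)
```

Running `in_2E` against `e2` over every point confirms non-degeneracy: a point is a double exactly when it pairs trivially with all three points of order 2.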

Remarks.

• This is sometimes called the Tate pairing. This is not quite a perfect pairing: non-degeneracy holds on the right, but not on the left.

• Since $e_2(P, T)$ is bilinear, it is easy to compute its value when $P \in E[2]$. For example, write $T_i = (e_i : 0 : 1)$ so that we find:

$$\begin{array}{l}
e_2(T_i, T_{i-1}) = e_i - e_{i-1}, \\
e_2(T_i, T_{i+1}) = e_i - e_{i+1}
\end{array}
\quad \Longrightarrow \quad
\begin{aligned}
e_2(T_i, T_i) &= e_2(T_i, T_{i-1}) \cdot e_2(T_i, T_{i+1}) \\
&= (e_i - e_{i-1})(e_i - e_{i+1}).
\end{aligned}$$

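• If $k$ is a number field, the image in $k^\times / k^{\times 2}$ is actually finite. One uses this to conclude that $E(k)/2\,E(k)$ is finite as well. This was first shown for $k = \mathbb{Q}$ by Mordell. Say that we can write $E(k) \simeq E(k)_{\text{tors}} \times \mathbb{Z}^r$ for some finite group $E(k)_{\text{tors}} \simeq \mathbb{Z}_m \times \mathbb{Z}_n$ and some nonnegative integer $r$; this nonnegative integer is called the rank of $E$ over $k$. Then we can write

$$\frac{E(k)}{2\,E(k)} \simeq \frac{E(k)_{\text{tors}}}{2\,E(k)_{\text{tors}}} \times \mathbb{Z}_2^r, \qquad \frac{E(k)_{\text{tors}}}{2\,E(k)_{\text{tors}}} = \begin{cases} \{1\} & \text{if } m \text{ and } n \text{ are odd,} \\ \mathbb{Z}_2 & \text{if } m \text{ is even but } n \text{ is odd,} \\ \mathbb{Z}_2 \times \mathbb{Z}_2 & \text{if both } m \text{ and } n \text{ are even.} \end{cases}$$

The Theorem above concerns the case where $m$ and $n$ are both even. Hence we can determine the rank $r$ if we can determine the image of this pairing.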

• There is a more general construction for each positive integer $m$:

$$e_m : \frac{E(k)}{m\,E(k)} \times E[m] \to \frac{k^\times}{(k^\times)^m} \qquad \text{assuming } E[m] \subseteq E(k).$$

This pairing is used quite often in cryptography, especially when $k = \mathbb{F}_p$ is a finite field of order $p \equiv 1 \pmod{m\,\mathbb{Z}}$ so that $E[m] \simeq \mathbb{Z}_m \times \mathbb{Z}_m$.

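• It is not a coincidence that the Tate pairing is defined via $f_T(Q) = X - e$. In general, say that $\phi : E \to E'$ is a nonconstant isogeny of degree $m$. We have seen that for each $T \in E'[\widehat{\phi}]$, there are functions $f_T \in \overline{\mathbb{Q}}(E')$ and $g_T \in \overline{\mathbb{Q}}(E)$ such that

$$\begin{array}{l}
\operatorname{div}(f_T) = m\,(T) - m\,(O) \\
\operatorname{div}(g_T) = \phi^*\big((T) - (O)\big)
\end{array}
\quad \Longrightarrow \quad
f_T \circ \phi = g_T^m.$$

You can actually choose $f_T$ and $g_T$ to have coefficients in $k$. This yields a perfect pairing

$$\frac{E'(k)}{\phi E(k)} \times \ker(\widehat{\phi}) \longrightarrow \frac{k^\times}{(k^\times)^m}, \qquad (P, T) \mapsto f_T(P) \bmod (k^\times)^m.$$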

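• One can derive this pairing from the Weil pairing. We will see in general that the Weil pairing $e_\phi : \ker(\phi) \times \ker(\widehat{\phi}) \to \mu_m$ yields a cup product on Galois cohomology:

$$H^i\big(G_k, E[\phi]\big) \times H^j\big(G_k, E'[\widehat{\phi}]\big) \longrightarrow H^{i+j}\big(G_k, \mu_m\big).$$

Indeed, there is a short exact sequence

$$\{O\} \longrightarrow E[\phi] \longrightarrow E(\overline{\mathbb{Q}}) \xrightarrow{\ \phi\ } E'(\overline{\mathbb{Q}}) \longrightarrow \{O\}$$

so Galois cohomology gives the diagram

$$\begin{array}{ccc}
\dfrac{E'(k)}{\phi E(k)} \times \ker(\widehat{\phi}) & \longrightarrow & \dfrac{k^\times}{(k^\times)^m} \\[8pt]
\Big\downarrow{\scriptstyle \delta} & & \Big\downarrow \\[8pt]
H^1\big(G_k, E[\phi]\big) \times H^0\big(G_k, E'[\widehat{\phi}]\big) & \longrightarrow & H^1\big(G_k, \mu_m\big)
\end{array}$$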
