The Weil Pairing on Elliptic Curves, Part II

THE WEIL PAIRING ON ELLIPTIC CURVES
Background
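Non-Singular Curves. Let $k$ be a number field, that is, a finite extension of $\mathbb{Q}$; denote $\overline{\mathbb{Q}}$ as its (separable) algebraic closure. The absolute Galois group $G_k = \mathrm{Gal}(\overline{\mathbb{Q}}/k) = \varprojlim_F \mathrm{Gal}(F/k)$ is the projective limit of Galois groups associated with finite, normal (separable) extensions $F/k$. Let $I \subseteq k[x_1, x_2, \dots, x_n]$ be an ideal, and define the sets
\[ X(\overline{\mathbb{Q}}) = \{\, P \in \mathbb{A}^n(\overline{\mathbb{Q}}) \mid f(P) = 0 \text{ for all } f \in I \,\} \]
\[ I(X) = \{\, f \in \overline{\mathbb{Q}}[x_1, x_2, \dots, x_n] \mid f(P) = 0 \text{ for all } P \in X(\overline{\mathbb{Q}}) \,\} \supseteq I \otimes_k \overline{\mathbb{Q}}. \]
Since $G_F \subseteq G_k$ acts on $\overline{\mathbb{Q}}$, we define $X(F) = X(\overline{\mathbb{Q}})^{G_F} = X(\overline{\mathbb{Q}}) \cap \mathbb{A}^n(F)$, namely the $F$-rational points, as the points fixed by this action. We think of $X$ as a functor which takes fields $F$ to (algebraic) sets $X(F)$, and say that $X$ is an affine variety over $k$ if $I(X) \subseteq \overline{\mathbb{Q}}[x_1, x_2, \dots, x_n]$ is a prime ideal.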
Proposition 1. Let $X$ be an affine variety over $k$, and define the integral domain $\mathcal{O}(X) = \overline{\mathbb{Q}}[x_1, x_2, \dots, x_n]/I(X)$. Then the map $X(\overline{\mathbb{Q}}) \to \mathrm{mSpec}\,\mathcal{O}(X)$ which sends $P = (a_1, a_2, \dots, a_n)$ to $\mathfrak{m}_P = \langle x_1 - a_1, x_2 - a_2, \dots, x_n - a_n \rangle$ is an isomorphism.
Proof. The map is well-defined since $\mathcal{O}/\mathfrak{m}_P \simeq \overline{\mathbb{Q}}$ is a field. Conversely, let $\mathfrak{m}$ be a maximal ideal of $\mathcal{O}$. Fix a surjection $\mathcal{O} \twoheadrightarrow \mathcal{O}/\mathfrak{m} \simeq \overline{\mathbb{Q}}$, and denote $a_i \in \overline{\mathbb{Q}}$ as the image of $x_i \in \mathcal{O}$. It is easy to check that $\mathfrak{m} = \mathfrak{m}_P$ for $P = (a_1, a_2, \dots, a_n)$.
We define $\mathcal{O} = \mathcal{O}(X)$ as the global sections of $X$ or the coordinate ring of $X$. Often, we abuse notation and write $X = \mathrm{Spec}\,\mathcal{O}$. If we denote $K = \overline{\mathbb{Q}}(X)$ as its quotient field, we define the dimension of $X$ as the transcendence degree of $K$ over $\overline{\mathbb{Q}}$. We say that $X$ is a curve if $\dim(X) = 1$.
Theorem 2. Let $X$ be a curve over $k$, and write the ideal $I = \langle f_1, f_2, \dots, f_m \rangle \subseteq K[x_1, x_2, \dots, x_n]$ so that $\dim(X) = n - m = 1$. The following are equivalent:
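i. For each $P \in X(\overline{\mathbb{Q}})$, the $m \times n$ matrix
\[
\mathrm{Jac}_P(X) =
\begin{pmatrix}
\dfrac{\partial f_1}{\partial x_1}(P) & \dfrac{\partial f_1}{\partial x_2}(P) & \cdots & \dfrac{\partial f_1}{\partial x_n}(P) \\
\dfrac{\partial f_2}{\partial x_1}(P) & \dfrac{\partial f_2}{\partial x_2}(P) & \cdots & \dfrac{\partial f_2}{\partial x_n}(P) \\
\vdots & \vdots & \ddots & \vdots \\
\dfrac{\partial f_m}{\partial x_1}(P) & \dfrac{\partial f_m}{\partial x_2}(P) & \cdots & \dfrac{\partial f_m}{\partial x_n}(P)
\end{pmatrix}
\]
yields an exact sequence:
\[ \{0\} \longrightarrow T_P(X) \longrightarrow \mathbb{A}^n(\overline{\mathbb{Q}}) \xrightarrow{\ \mathrm{Jac}_P(X)\ } \mathbb{A}^m(\overline{\mathbb{Q}}) \longrightarrow \{0\}. \]
That is, the Jacobian matrix $\mathrm{Jac}_P(X)$ has rank $m$ while the tangent space has dimension $\dim_{\overline{\mathbb{Q}}} T_P(X) = \dim(X)$.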
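ii. The Zariski cotangent space has dimension $\dim_{\overline{\mathbb{Q}}} \mathfrak{m}/\mathfrak{m}^2 = \dim(X)$ for each maximal ideal $\mathfrak{m} \in \mathrm{mSpec}\,\mathcal{O}$.
iii. For each $P \in X(\overline{\mathbb{Q}})$, denote $\mathcal{O}_P$ as the localization of $\mathcal{O}$ at $\mathfrak{m}_P$. Then $\mathfrak{m}_P \mathcal{O}_P$ is a principal ideal.
iv. For each $P \in X(\overline{\mathbb{Q}})$, $\mathcal{O}_P$ is a discrete valuation ring.
v. For each $P \in X(\overline{\mathbb{Q}})$, $\mathcal{O}_P$ is integrally closed.
vi. $\mathcal{O}$ is a Dedekind Domain.
This is essentially a restatement of Proposition 9.2 on pages 94-95 in Atiyah-Macdonald. If any of these equivalent statements holds true, we say that $X$ is a non-singular curve.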
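Proof. (i) $\iff$ (ii). We have a perfect (i.e., bilinear and nondegenerate) pairing
\[ \mathfrak{m}_P/\mathfrak{m}_P^2 \times T_P(X) \to \overline{\mathbb{Q}} \qquad \text{defined by} \qquad \bigl( f, (b_1, b_2, \dots, b_n) \bigr) \mapsto \sum_{i=1}^{n} \frac{\partial f}{\partial x_i}(P)\, b_i. \]
Hence $\dim_{\overline{\mathbb{Q}}} \mathfrak{m}_P/\mathfrak{m}_P^2 = \dim_{\overline{\mathbb{Q}}} T_P(X) = n - m = \dim(X)$.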
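(ii) $\iff$ (iii). As $\mathfrak{m} = \mathfrak{m}_P$ is a maximal ideal, Nakayama's Lemma states that we can find $\varpi \in \mathfrak{m}_P$ where $\varpi \notin \mathfrak{m}_P^2$. Consider the injective map $\mathcal{O}/\mathfrak{m}_P \to \mathfrak{m}_P/\mathfrak{m}_P^2$ defined by $x \mapsto \varpi x$. Clearly this is surjective if and only if $\mathfrak{m}_P \mathcal{O}_P = \varpi\, \mathcal{O}_P$ is principal. Recall now that $\dim_{\overline{\mathbb{Q}}} \mathcal{O}/\mathfrak{m}_P = 1$.
(iii) $\implies$ (iv). Say that $\mathfrak{m}_P \mathcal{O}_P = \varpi\, \mathcal{O}_P$ as a principal ideal. In order to show that $\mathcal{O}_P$ is a discrete valuation ring, it suffices to show that any nonzero $x \in \mathcal{O}_P$ is in the form $x = \varpi^m y$ for some $m \in \mathbb{Z}$ and $y \in \mathcal{O}_P^\times$. Consider the radical of the ideal generated by $x$:
\[ \sqrt{\langle x \rangle} = \{\, y \in \mathcal{O}_P \mid y^n \in x\, \mathcal{O}_P \text{ for some nonnegative integer } n \,\}. \]
As $\mathcal{O}_P$ has a unique nonzero prime ideal, we must have $\sqrt{\langle x \rangle} = \mathfrak{m}_P \mathcal{O}_P$. But then there is a largest nonnegative integer $m$ such that $\varpi^{m-1} \notin x\, \mathcal{O}_P$ yet $\varpi^m \in x\, \mathcal{O}_P$. Hence $y = x/\varpi^m \in \mathcal{O}_P$ but $y \notin \mathfrak{m}_P$.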
(iv) $\implies$ (v). Say that $\mathcal{O}_P$ is a discrete valuation ring. Say that $x \in K$ is a root of a polynomial equation $x^n + a_1 x^{n-1} + \cdots + a_n = 0$ for some $a_i \in \mathcal{O}_P$. Assume by way of contradiction that $x \notin \mathcal{O}_P$. Then $v_P(x) < 0$, so that $v_P(1/x) > 0$, hence $y = 1/x$ is an element of $\mathcal{O}_P$. Upon dividing by $x^{n-1}$ we have the relation $x = -\bigl( a_1 + a_2 y + \cdots + a_n y^{n-1} \bigr) \in \mathcal{O}_P$. This contradiction shows that $\mathcal{O}_P$ is indeed integrally closed.
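(v) $\implies$ (iii). Say that $\mathcal{O}_P$ is integrally closed. We must construct an element $\varpi \in \mathcal{O}_P$ such that $\mathfrak{m}_P \mathcal{O}_P = \varpi\, \mathcal{O}_P$. Fix a nonzero $x \in \mathfrak{m}_P$. By considering the radical $\sqrt{\langle x \rangle}$ and noting that $\mathfrak{m}_P \mathcal{O}_P$ is a finitely generated $\mathcal{O}_P$-module, we see that there exists some $m \in \mathbb{Z}$ such that $\mathfrak{m}_P^{m} \mathcal{O}_P \subseteq x\, \mathcal{O}_P$ yet $\mathfrak{m}_P^{m-1} \mathcal{O}_P \not\subseteq x\, \mathcal{O}_P$. Choose $y \in \mathfrak{m}_P^{m-1}$ such that $y \notin x\, \mathcal{O}_P$, and let $\varpi = x/y$ be an element in $K$.
Consider the module $(1/\varpi)\, \mathfrak{m}_P \mathcal{O}_P \subseteq \mathcal{O}_P$; we will show equality. As $y \notin x\, \mathcal{O}_P$, we have $1/\varpi \notin \mathcal{O}_P$, so that $1/\varpi$ is not integral over $\mathcal{O}_P$. Then $(1/\varpi)\, \mathfrak{m}_P \mathcal{O}_P$ cannot be a finitely generated $\mathcal{O}_P$-module, so we have $(1/\varpi)\, \mathfrak{m}_P \mathcal{O}_P \not\subseteq \mathfrak{m}_P$. As there is an element of $(1/\varpi)\, \mathfrak{m}_P \mathcal{O}_P$ which is not in $\mathfrak{m}_P$, we must have equality: $(1/\varpi)\, \mathfrak{m}_P \mathcal{O}_P = \mathcal{O}_P$. Hence $\mathfrak{m}_P \mathcal{O}_P = \varpi\, \mathcal{O}_P$ as desired.
(v) $\iff$ (vi). A Dedekind domain is a Noetherian integral domain of dimension 1 that is integrally closed. But the localization $\mathcal{O}_P$ is integrally closed for each maximal ideal $\mathfrak{m}_P$ if and only if $\mathcal{O}$ is integrally closed. (Consult Theorem 5.13 on page 63 of Atiyah-Macdonald.)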
Examples.
• Choose $\{a_1, a_2, a_3, a_4, a_6\} \subseteq k$, and consider the polynomial
\[ f(x, y) = y^2 + a_1 x y + a_3 y - \bigl( x^3 + a_2 x^2 + a_4 x + a_6 \bigr). \]
Then $X : f(x, y) = 0$ is a curve over $K$. Define the $K$-rational numbers
\[
\begin{aligned}
b_2 &= a_1^2 + 4 a_2 & c_4 &= b_2^2 - 24 b_4 \\
b_4 &= 2 a_4 + a_1 a_3 & c_6 &= -b_2^3 + 36 b_2 b_4 - 216 b_6 \\
b_6 &= a_3^2 + 4 a_6 & \Delta &= -b_2^2 b_8 - 8 b_4^3 - 27 b_6^2 + 9 b_2 b_4 b_6 \\
b_8 &= a_1^2 a_6 + 4 a_2 a_6 - a_1 a_3 a_4 + a_2 a_3^2 - a_4^2
\end{aligned}
\]
Then $X$ is non-singular if and only if $\Delta \neq 0$.
• Choose $\{a_0, a_1, a_2, a_3, a_4\} \subseteq k$, and consider the quartic polynomial
\[ f(x) = a_4 x^4 + a_3 x^3 + a_2 x^2 + a_1 x + a_0. \]
Then $X : y^2 = f(x)$ is a curve over $k$. If $X$ has a $k$-rational point $P_\infty = (x_0, y_0)$, then it is birationally equivalent over $k$ to the cubic curve $v^2 = u^3 + A u + B$ in terms of
\[ A = \frac{-a_2^2 + 3 a_1 a_3 - 12 a_0 a_4}{3}, \qquad B = \frac{2 a_2^3 - 9 a_1 a_2 a_3 + 27 a_0 a_3^2 + 27 a_1^2 a_4 - 72 a_0 a_2 a_4}{27}. \]
Then $X$ is nonsingular if and only if $16\, \mathrm{disc}(f) = -16 \bigl( 4 A^3 + 27 B^2 \bigr) = \Delta \neq 0$.
The Riemann-Roch Theorem
Let $X$ be a non-singular curve over $k = \mathbb{C}$. From now on, we will identify $X$ with $X(k)$, and embed $X \hookrightarrow \mathbb{C}$. We'll explain how to choose such an embedding later.
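Meromorphic Functions. Let $k = \mathbb{C}$ denote the complex numbers. Let $X \subseteq \mathbb{C}$ be a compact Riemann surface. We will denote $\mathcal{O}$ as the ring of holomorphic (i.e., analytic) functions on $X$, and $\mathcal{K}$ as the field of meromorphic functions on $X$. Let me explain.
Say that $f : U \to \mathbb{C}$ is a function defined on an open subset $U \subseteq X$. Using the embedding $X \hookrightarrow \mathbb{R} \times \mathbb{R}$ which sends $x + i y \mapsto (x, y)$, we say that $f$ is smooth if $f(z) = u(x, y) + i\, v(x, y)$ in terms of smooth functions $u, v : U \to \mathbb{R}$, where $z = x + i y$. We may denote the set of all such by $C^\infty(U)$. By considering the identities
\[ \frac{\partial f}{\partial z} = \frac{1}{2} \left( \frac{\partial f}{\partial x} - i \frac{\partial f}{\partial y} \right) = \frac{1}{2} \left( \frac{\partial u}{\partial x} + \frac{\partial v}{\partial y} \right) + \frac{i}{2} \left( \frac{\partial v}{\partial x} - \frac{\partial u}{\partial y} \right) \]
\[ \frac{\partial f}{\partial \bar z} = \frac{1}{2} \left( \frac{\partial f}{\partial x} + i \frac{\partial f}{\partial y} \right) = \frac{1}{2} \left( \frac{\partial u}{\partial x} - \frac{\partial v}{\partial y} \right) + \frac{i}{2} \left( \frac{\partial v}{\partial x} + \frac{\partial u}{\partial y} \right) \]
we see that the Cauchy-Riemann Equations imply that $f(z)$ is holomorphic (or antiholomorphic, respectively) on $U$ if and only if $\partial f/\partial \bar z = 0$ (or $\partial f/\partial z = 0$, respectively). Note that $f(z)$ is holomorphic if and only if $f(\bar z)$ is antiholomorphic. Denote $\mathcal{O}(U)$ as the collection of such holomorphic functions on $U$. Since this is an integral domain, we may denote $\mathcal{K}(U)$ as its function field; this is the collection of meromorphic functions on $U$. The following diagram may be useful:
\[ \{0\} \longrightarrow \mathcal{O}(U) \longrightarrow \mathcal{K}(U) \longrightarrow C^\infty(U) \]
We will denote $\mathcal{O} = \mathcal{O}(X)$ and $\mathcal{K} = \mathcal{K}(X)$.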
Meromorphic Differentials. Continue to let $U \subseteq X$ be an open subset. Denote $\Omega^0 C^\infty(U)$, the collection of differential 0-forms on $U$, as the set of smooth functions $f$ on $U$. Similarly, denote $\Omega^1 C^\infty(U)$, the collection of differential 1-forms on $U$, as the set of sums
\[ \omega = f\, dx + g\, dy = \frac{f - i g}{2}\, dz + \frac{f + i g}{2}\, d\bar z \]
where $f$ and $g$ are smooth functions on $U$. Hence we have a canonical decomposition $\Omega^1 C^\infty(U) = \Omega^{1,0} C^\infty(U) \oplus \Omega^{0,1} C^\infty(U)$ as the direct sum of 1-forms in the form $\omega = f\, dz$ (or $\omega = f\, d\bar z$, respectively) where $f$ is a smooth function on $U$. In particular, $\omega \in \Omega^{1,0} C^\infty(U)$ (or $\omega \in \Omega^{0,1} C^\infty(U)$, respectively) if and only if $g = i f$ (or $g = -i f$), which happens if and only if $\omega(\bar z) = -i\, \omega(z)$. As complex conjugation acts on the set $\Omega^1 C^\infty(U)$ of differential 1-forms via $\omega(z) \mapsto \omega(\bar z)$, we see that we may identify $\Omega^1 C^\infty(U)^- = \Omega^{1,0} C^\infty(U)$ and $\Omega^1 C^\infty(U)^+ = \Omega^{0,1} C^\infty(U)$ as the eigenspaces corresponding to the eigenvalues $\mp i$, respectively.
We have a differential map $d : \Omega^0 C^\infty(U) \to \Omega^1 C^\infty(U)$ defined by
\[ f \mapsto df = \frac{\partial f}{\partial z}\, dz + \frac{\partial f}{\partial \bar z}\, d\bar z. \]
We say that a 1-form $\omega$ is a holomorphic differential (or antiholomorphic differential, respectively) if $\omega = f\, dz$ (or $\omega = f\, d\bar z$, respectively) for some holomorphic (or antiholomorphic, respectively) function $f$ on $U$. Denote $\Omega(U)$ as the collection of holomorphic differentials on $U$. Similarly, we say that a 1-form $\omega$ is a meromorphic differential (or antimeromorphic differential, respectively) if $\omega = (f/g)\, dz$ (or $\omega = (f/g)\, d\bar z$, respectively) for some holomorphic (or antiholomorphic, respectively) functions $f$ and $g$ on $U$. Denote $\Omega\,\mathcal{K}(U)$ as the collection of meromorphic differentials on $U$. The following diagram may be useful:
\[ \{0\} \longrightarrow \Omega(U) \longrightarrow \Omega\,\mathcal{K}(U) \longrightarrow \Omega^{1,0} C^\infty(U) \]
Note that $\Omega(X)$ is the collection of holomorphic differentials on $X$.
Homology Groups. Let $H_1(X, \mathbb{Z})$ denote the free abelian group of closed loops $\gamma$ in $X$. It is well-known that $H_1(X, \mathbb{Z}) \simeq \mathbb{Z}^{2g}$ for some nonnegative integer $g$; we call $g$ the genus of $X$. Complex conjugation $\gamma \mapsto \bar\gamma$ acts on these closed loops, so we may consider eigenspaces corresponding to the eigenvalues $\mp 1$ (either reversing or preserving direction) generated by this involution:
\[ H_1(X, \mathbb{Z}) = H_1(X, \mathbb{Z})^- \oplus H_1(X, \mathbb{Z})^+ \qquad \text{where} \qquad H_1(X, \mathbb{Z})^\mp \simeq \mathbb{Z}^g. \]
Upon tensoring with $\mathbb{C}$, we have the homology group $H_1(X, \mathbb{C}) \simeq \mathbb{C}^{2g}$, with eigenspaces $H_1(X, \mathbb{C})^\mp \simeq \mathbb{C}^g$. We have a nondegenerate, bilinear pairing
\[ H_1(X, \mathbb{C})^- \times \Omega(X) \to \mathbb{C}, \qquad \left( \sum_i n_i \gamma_i,\ \omega \right) \mapsto \sum_i n_i \oint_{\gamma_i} \omega. \]
Note here that $\omega$ must be a holomorphic differential on $X$, so that each loop $\gamma_i \in H_1(X, \mathbb{Z})^-$. This implies the following results:
Proposition 3. Let $\mathcal{O}(X)$ be the collection of such holomorphic functions on $X$, $\Omega(X)$ be the collection of holomorphic differentials on $X$, and $H_1(X, \mathbb{Z}) \simeq \mathbb{Z}^{2g}$ be the free abelian group of closed loops $\gamma$ in $X$.
• $\Omega(X) \simeq \mathrm{Hom}_{\mathbb{C}}\bigl( H_1(X, \mathbb{C})^-, \mathbb{C} \bigr) \simeq \mathbb{C}^g$.
• As the map $\mathcal{O} \to \Omega(X)$ defined by $f \mapsto f\, dz$ is an isomorphism, we see that $\Omega(X)$ is an $\mathcal{O}$-module of rank 1, but a complex vector space of dimension $g$.
Examples.
• The unit sphere is given by
\[ S^2(\mathbb{R}) = \{\, (u, v, w) \in \mathbb{R}^3 \mid u^2 + v^2 + w^2 = 1 \,\}. \]
Stereographic Projection is the map $\pi : \mathbb{C} \to S^2(\mathbb{R})$ defined by
\[ \pi(z) = \left( \frac{2\, \mathrm{Re}(z)}{|z|^2 + 1},\ \frac{2\, \mathrm{Im}(z)}{|z|^2 + 1},\ \frac{|z|^2 - 1}{|z|^2 + 1} \right) \qquad \text{with inverse} \qquad \pi^{-1}(u, v, w) = \frac{u + i v}{1 - w}. \]
Of course, the inverse sends the “north pole” $(u, v, w) = (0, 0, 1)$ to $z = \infty$, so we actually find a birational equivalence between $X = \mathbb{P}^1(\mathbb{C}) = \mathbb{C} \cup \{\infty\}$ and $S^2(\mathbb{R})$. We consider $X$ a compact Riemann surface – although it cannot really be imbedded in the complex plane.
Consider the differential 1-form $\omega = dz$. This is clearly a holomorphic differential on $\mathbb{A}^1(\mathbb{C}) = \mathbb{C}$, but upon making the substitution
\[ w = \frac{1}{z} \quad \implies \quad \omega = dz = -\frac{dw}{w^2} \]
we see that $\omega$ is not holomorphic on $X = \mathbb{P}^1(\mathbb{C})$. In fact, $X$ has no nonzero holomorphic differentials – only meromorphic ones! – so its genus must be $g = 0$.
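• Fix complex numbers $g_2, g_3$ such that $g_2^3 \neq 27 g_3^2$. We define a meromorphic map $\wp : \mathbb{C} \to \mathbb{C}$ implicitly via the relation
\[ z = \int_{\infty}^{\wp(z)} \frac{dx}{\sqrt{4 x^3 - g_2 x - g_3}} \quad \implies \quad \wp'(z)^2 = 4\, \wp(z)^3 - g_2\, \wp(z) - g_3. \]
(This is the Weierstrass $\wp$-function.) Hence the map $z \mapsto \bigl( \wp(z), \wp'(z) \bigr)$ induces a short exact sequence
\[ \{0\} \longrightarrow \Lambda \longrightarrow \mathbb{C} \longrightarrow E(\mathbb{C}) \longrightarrow \{0\} \]
in terms of a lattice $\Lambda = \mathbb{Z}[\omega_1, \omega_2]$, generated by integrating around the poles of the cubic polynomial, and the complex points on the elliptic curve $E : y^2 = 4 x^3 - g_2 x - g_3$. We have the compact Riemann surface
\[ X = \{\, z = m\, \omega_1 + n\, \omega_2 \in \mathbb{C} \mid 0 \le m \le 1 \text{ and } 0 \le n \le 1 \,\} \simeq \frac{\mathbb{C}}{\Lambda} \simeq E(\mathbb{C}). \]
The collection of meromorphic functions on $X \subseteq \mathbb{C}$ is $\mathcal{K} = \mathbb{C}\bigl( \wp(z), \wp'(z) \bigr)$. Note that the differential
\[ \omega = dz = \frac{d\wp}{\wp'} = \frac{dx}{y} = \frac{2\, dy}{12 x^2 - g_2} \]
is not only meromorphic on $\mathbb{C}$, it is actually holomorphic. As this is the only such differential, we see that $\Omega(X) \simeq \mathbb{C}$ consists of constant multiples of $\omega = dx/y$. In particular, $g = 1$.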
Divisors. Denote $\mathrm{Div}(X)$ as the collection of divisors; these are formal sums $\mathfrak{a} = \sum_P n_P\, (P)$ over the points $P \in X$, where all but finitely many of the integers $n_P$ are zero. The degree of a divisor is the integer $\deg(\mathfrak{a}) = \sum_P n_P$. There is a partial ordering on $\mathrm{Div}(X)$: given another divisor $\mathfrak{b} = \sum_P m_P\, (P)$, we say $\mathfrak{a} \le \mathfrak{b}$ when $n_P \le m_P$ for all points $P$. The map $K^\times/k^\times \to \mathrm{Div}(X)$ which sends $f \mapsto \sum_P \mathrm{ord}_P(f)\, (P)$ is injective. In fact, we have the following short exact sequence:
\[ \{1\} \longrightarrow K^\times/k^\times \longrightarrow \mathrm{Div}(X) \longrightarrow \mathrm{Pic}(X) \longrightarrow \{0\}. \]
Similarly, any nonzero meromorphic differential is in the form $\omega = f\, dz$ for some meromorphic function $f \in \mathcal{O}$, so define $\mathrm{div}(\omega) = \mathrm{div}(f) = \sum_P \mathrm{ord}_P(f)\, (P)$. As $\Omega(X) \simeq \mathcal{O}$, we say $\mathfrak{c} = \mathrm{div}(\omega_0)$ is a canonical divisor for any nonzero meromorphic differential $\omega_0$. We have the following commutative diagram, where the rows and columns are exact:
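\[
\begin{array}{ccccccccc}
 & & \{1\} & & \{0\} & & \{0\} & & \\
 & & \downarrow & & \downarrow & & \downarrow & & \\
\{1\} & \longrightarrow & K^\times/k^\times & \xrightarrow{\ \mathrm{div}\ } & \mathrm{Div}^0(X) & \longrightarrow & \mathrm{Jac}(X) & \longrightarrow & \{0\} \\
 & & \downarrow {\scriptstyle =} & & \downarrow & & \downarrow & & \\
\{1\} & \longrightarrow & K^\times/k^\times & \xrightarrow{\ \mathrm{div}\ } & \mathrm{Div}(X) & \longrightarrow & \mathrm{Pic}(X) & \longrightarrow & \{0\} \\
 & & \downarrow & & \downarrow {\scriptstyle \deg} & & \downarrow {\scriptstyle \deg} & & \\
\{1\} & \longrightarrow & \{1\} & \xrightarrow{\ \mathrm{div}\ } & \mathrm{Div}(X)/\mathrm{Div}^0(X) & \xrightarrow{\ =\ } & NS(X) & \longrightarrow & \{0\} \\
 & & \downarrow & & \downarrow & & \downarrow & & \\
 & & \{1\} & & \{0\} & & \{0\} & &
\end{array}
\]
The quotient group $\mathrm{Jac}(X) = \mathrm{Div}^0(X)/\mathrm{Div}(k)$ of degree 0 divisors modulo principal divisors is the Jacobian of $X$; the quotient group $\mathrm{Pic}(X) = \mathrm{Div}(X)/\mathrm{Div}(k)$ of divisors modulo principal divisors is the Picard group or the (divisor) class group of $X$; and the quotient group $NS(X) = \mathrm{Pic}(X)/\mathrm{Jac}(X)$ is the Néron-Severi group of $X$.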
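Riemann-Roch Theorem. For any divisor $\mathfrak{a} = \sum_P n_P\, (P)$, we wish to consider the following two complex vector spaces:
\[
\left. \begin{aligned}
H^0(\mathfrak{a}) &= \{\, f \in k^\times \mid \mathrm{div}(f) \ge -\mathfrak{a} \,\} \cup \{0\} \\
H^1(\mathfrak{a}) &= \{\, \omega \in \Omega\,\mathcal{K}(X) - \{0\} \mid \mathrm{div}(\omega) \ge \mathfrak{a} \,\} \cup \{0\}
\end{aligned} \right\}
\quad \implies \quad
\left\{ \begin{aligned}
l(\mathfrak{a}) &= \dim_{\mathbb{C}} H^0(\mathfrak{a}) \\
\deg(\mathfrak{a}) &= \sum_{P \in X} n_P \\
\delta(\mathfrak{a}) &= \dim_{\mathbb{C}} H^1(\mathfrak{a})
\end{aligned} \right.
\]
(Note the change in the signs for the ordering!) The main question here concerns the relationship between $H^0(\mathfrak{a})$, $H^1(\mathfrak{a})$, and $H_1(X, \mathbb{Z})$. We have the following results: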
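Proposition 4.
• Any divisor $\mathfrak{a}$ can be written as a difference $\mathfrak{a} = \mathfrak{b} - \mathfrak{p}$ for divisors such that $\mathfrak{b}, \mathfrak{p} \ge 0$. Since $\mathfrak{a} \le \mathfrak{a} + \mathfrak{p} = \mathfrak{b}$, we have $H^0(\mathfrak{a}) \subseteq H^0(\mathfrak{b})$. One shows by induction that
\[ l(\mathfrak{a}) \le l(\mathfrak{b}) \le \deg(\mathfrak{b}) + 1. \]
In particular, $H^0(\mathfrak{a})$ is a finite dimensional complex vector space.
• For each canonical divisor $\mathfrak{c} = \mathrm{div}(\omega_0)$, the map $\omega \mapsto \omega/\omega_0$ shows that
\[ H^1(\mathfrak{a}) \simeq H^0(\mathfrak{c} - \mathfrak{a}) \quad \implies \quad \delta(\mathfrak{a}) = l(\mathfrak{c} - \mathfrak{a}). \]
In particular $H^1(\mathfrak{a})$ is also a finite dimensional complex vector space.
• Say $\mathfrak{a} = 0$ is the zero divisor. Then $H^0(0) = \mathbb{C}$ consists of the constant functions, while $H^1(0) = \Omega(X)$ consists of the holomorphic differentials. In particular,
\[ H^0(\mathfrak{c}) \simeq H^1(0) \simeq \mathbb{C}^g. \]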
In the 1850’s, Bernhard Riemann proved the inequality l(a) ≥ deg(a) + 1 − g. In 1864, his
student, Gustav Roch, showed more precisely:
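Theorem 5 (Riemann-Roch).
\[ l(\mathfrak{a}) - \deg(\mathfrak{a}) - l(\mathfrak{c} - \mathfrak{a}) = l(\mathfrak{a}) - \deg(\mathfrak{a}) - \delta(\mathfrak{a}) = 1 - g \]
for any canonical divisor $\mathfrak{c}$.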
Remarks.
• The paper appears in Crelle’s Journal as “Über die Anzahl der willkürlichen Constanten
in algebraischen Functionen”. This is usually called the Riemann-Roch Theorem. Sadly,
both Riemann and Roch died two years later in Italy of tuberculosis: Riemann aged 39,
and Roch aged 26.
• In 1874, Max Noether and Alexander von Brill gave a refinement of Roch’s result, and were the first to call it the “Riemann-Roch” Theorem. In 1929, F. K. Schmidt generalized Roch’s result to algebraic curves. Subsequent generalizations were given by Friedrich Hirzebruch, Jean-Pierre Serre, and Alexander Grothendieck.
Classification via the Genus
Let me give some applications. Now we can let $k = \overline{\mathbb{Q}}$ be an algebraically closed field, $\mathcal{O}$ be a Dedekind domain, and $K$ be its quotient field. We will let $X = \mathrm{Spec}\,\mathcal{O}$ be our nonsingular curve. Recall that for any divisor $\mathfrak{a} = \sum_P n_P\, (P)$ we have the identity
\[ \dim_k H^0(\mathfrak{a}) - \deg(\mathfrak{a}) - \dim_k H^0(\mathfrak{c} - \mathfrak{a}) = 1 - g \]
where $H^0(\mathfrak{a}) = \{\, f \in K \mid \mathrm{div}(f) + \mathfrak{a} \ge 0 \,\}$. We see two facts right away regarding a canonical divisor $\mathfrak{c} = \mathrm{div}(\omega_0)$:
• $g = \dim_k H^0(\mathfrak{c})$, which we see by choosing $\mathfrak{a} = 0$.
• $\deg(\mathfrak{c}) = 2 g - 2$, which we see by choosing $\mathfrak{a} = \mathfrak{c}$.
We will show that, in some cases, we can classify $X$ depending on the genus $g$.
Genus 0. We show that $g = 0$ if and only if $X \simeq \mathbb{P}^1(k)$.
Proposition 6. If $X \simeq \mathbb{P}^1(k)$, then $\mathrm{Jac}(X) \simeq \{0\}$ whereas $\mathrm{Pic}(X) \simeq NS(X) \simeq \mathbb{Z}$.
Proof. Choose $\mathcal{O} = k[x]$ as the polynomial ring in one variable, so that its quotient field $K = k(x)$ consists of those rational functions in one variable. Each nonzero prime ideal $\mathfrak{m}_P \subseteq \mathcal{O}$ is in the form $\mathfrak{m}_P = \langle x - a \rangle$ for some $P = a \in k$, so we have a one-to-one correspondence $\mathrm{mSpec}\,\mathcal{O} \simeq k$. We define $\mathbb{A}^1(k) = \mathrm{Spec}\,\mathcal{O}$ as the affine line over $k$. In order to make this a projective line, we add in the point at infinity: $\mathbb{P}^1(k) = \mathbb{A}^1(k) \cup \{P_\infty\}$.
Fix a nonnegative integer $d$, and consider the divisor $\mathfrak{b} = d\, (P_\infty)$ of the point at infinity. We show that $H^0(\mathfrak{b}) = \{\, f \in K \mid \mathrm{div}(f) + \mathfrak{b} \ge 0 \,\}$ consists of those polynomials of degree at most $d$. As the divisor of $x \in K$ is $(P_0) - (P_\infty)$ we see that $\mathrm{ord}_{P_\infty}(f) \ge -d$ for any polynomial $f = \sum_{i=0}^{d} a_i x^i$. Hence $f \in H^0(\mathfrak{b})$. Conversely, let $f \in H^0(\mathfrak{b})$. Write $f = g/h$ for some polynomials $g, h \in \mathcal{O}$. If $h$ has degree greater than 0, then it contains a nontrivial zero in $k$, so that $f$ has a pole at some point in $k$. Hence $h$ must be a constant. If $g$ has degree greater than $d$ then $\mathrm{ord}_{P_\infty}(g) < -d$. Hence $g$ has degree at most $d$. This shows in particular the equality $l(\mathfrak{b}) = \deg(\mathfrak{b}) + 1$.
We show that any divisor $\mathfrak{a} = \sum_P n_P\, (P)$ can be expressed as a sum $\mathfrak{a} = \mathfrak{b} + \mathrm{div}(f)$. Since affine points $P = (x - a)$ for some $a \in k$, we may choose $f(x) = \prod_{a \in k} (x - a)^{n_P}$, so that $\mathrm{div}(f) = \sum_P \mathrm{ord}_P(f)\, (P) = \sum_P n_P \bigl( (P) - (P_\infty) \bigr) = \mathfrak{a} - d\, (P_\infty)$ for $d = \deg(\mathfrak{a})$.
Proposition 7. $g = 0$ if and only if $X \simeq \mathbb{P}^1(k)$.
Proof. Let $\mathfrak{b} = 2 g\, (P_\infty)$ be the divisor of degree $2 g$ associated with the point at infinity. We have seen that $\dim_k H^0(\mathfrak{a}) = \deg(\mathfrak{b}) + 1$ in this case, so the Riemann-Roch Theorem states that $g = \dim_k H^0(\mathfrak{c} - \mathfrak{b})$. But $\deg(\mathfrak{c} - \mathfrak{b}) = -2$ so that $H^0(\mathfrak{c} - \mathfrak{b}) = \{0\}$, showing that $g = 0$.
Conversely assume that $g = 0$. We will construct a birational map $X \to \mathbb{P}^1(k)$. Let $\mathfrak{b} = (P_\infty)$ as the divisor of a point in $X$. Then $\deg(\mathfrak{c} - \mathfrak{b}) < 0$ so that $H^0(\mathfrak{c} - \mathfrak{b}) = \{0\}$. The Riemann-Roch Theorem states that $l(\mathfrak{b}) = 2$. Fix a nonconstant function $f \in H^0(\mathfrak{b})$. For each $a \in k$, we note that $\mathrm{ord}_P(f - a) \ge 0$ for $P \neq P_\infty$ and $\mathrm{ord}_{P_\infty}(f - a) \ge -1$, so $\mathrm{div}(f - a) = (P_a) - (P_\infty)$ for some point $P_a$ in $X$. As $\mathcal{O}/P \simeq k$, define a map $f : X \to \mathbb{P}^1(k)$ which sends a prime ideal $P$ to the projective point $f(P) = \bigl( f \bmod P : 1 \bigr)$. Note that $f(P_a) = (a : 1)$ and $f(P_\infty) = (1 : 0)$. As this map is one-to-one and onto, we see that $X \simeq \mathbb{P}^1(k)$.
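Base Points. Given a divisor $\mathfrak{a} \in \mathrm{Div}(X)$, define a complete linear system as the set
\[ |\mathfrak{a}| = \{\, \mathfrak{b} \in \mathrm{Div}(X) \mid \mathfrak{b} \ge 0 \text{ and } \mathfrak{a} = \mathfrak{b} + \mathrm{div}(f) \text{ for some } f \in k^\times \,\}. \]
Note that $\deg |\mathfrak{a}| = \deg(\mathfrak{b})$ is independent of the choice of $\mathfrak{b} \in |\mathfrak{a}|$. It is easy to see that this fits into the following exact sequence:
\[
\begin{array}{ccccccccc}
\{1\} & \longrightarrow & k^\times & \longrightarrow & H^0(\mathfrak{a}) - \{0\} & \xrightarrow{\ \mathrm{div}\ } & |\mathfrak{a}| & \longrightarrow & \{0\} \\
 & & \downarrow {\scriptstyle =} & & \downarrow {\scriptstyle \simeq} & & \downarrow {\scriptstyle \simeq} & & \\
\{1\} & \longrightarrow & k^\times & \longrightarrow & \mathbb{A}^n(k) - \{0\} & \longrightarrow & \mathbb{P}^{n-1}(k) & \longrightarrow & \{0\}
\end{array}
\]
where $n = l(\mathfrak{a})$. This relates affine vector spaces with projective vector spaces.
In particular, the complete linear system $|\mathfrak{c}| \simeq \mathbb{P}^{g-1}(k)$ has $\deg |\mathfrak{c}| = 2\, (g - 1)$. We say that a point $P_\infty \in X$ is a base point if $\mathfrak{b} \ge (P_\infty)$ for all $\mathfrak{b} \in |\mathfrak{c}|$.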
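Proposition 8.
• $X \simeq \mathbb{P}^1(k)$ whenever $X$ has a base point.
• If $g \ge 1$, then $X$ is base point free.
Proof. Say that $P_\infty$ is one such base point. If $f \in H^0(\mathfrak{c})$ is a nonzero function, then $\mathrm{div}(1/f) + \mathfrak{c} = \mathfrak{b} \ge (P_\infty)$ so that $\mathrm{div}(1/f) + \mathfrak{c} - (P_\infty) \ge 0$. Hence $H^0(\mathfrak{c}) \subseteq H^0\bigl( \mathfrak{c} - (P_\infty) \bigr)$, so the Riemann-Roch Theorem states that
\[ \dim_k H^0\bigl( (P_\infty) \bigr) = 1 - g + \deg\bigl( (P_\infty) \bigr) + \dim_k H^0\bigl( \mathfrak{c} - (P_\infty) \bigr) \ge 2. \]
Let $f \in H^0\bigl( (P_\infty) \bigr)$ be a nonconstant function. Following the same argument as above, $\mathrm{div}(f - a) = (P_a) - (P_\infty)$, so that the map $f : X \to \mathbb{P}^1(k)$ is the desired isomorphism.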
Genus 1. Assume that $k$ has characteristic different from 2 or 3.
Proposition 9. $g = 1$ if and only if $X \simeq E(k)$ for some $E : y^2 = x^3 + A x + B$ with $4 A^3 + 27 B^2 \neq 0$.
Proof. Assume that $g = 1$. Fix a positive integer $d$, and consider the divisor $\mathfrak{b} = d\, (P_\infty)$. Then $\deg(\mathfrak{c} - \mathfrak{b}) = -d < 0$, so that $H^0(\mathfrak{c} - \mathfrak{b}) = \{0\}$. The Riemann-Roch Theorem states that
\[ \dim_k H^0(\mathfrak{b}) = 1 - g + \deg(\mathfrak{b}) + \dim_k H^0(\mathfrak{c} - \mathfrak{b}) = d. \]
Let $\{1, u\}$ and $\{1, u, v\}$ be bases for $H^0\bigl( 2\, (P_\infty) \bigr)$ and $H^0\bigl( 3\, (P_\infty) \bigr)$, respectively. Since the set $\{1, u, v, u^2, u v, v^2, u^3\}$ of seven functions is contained in a vector space $H^0\bigl( 6\, (P_\infty) \bigr)$ of dimension 6, we must have a linear combination in the form
\[ a_1 + a_2 u + a_3 v + a_4 u^2 + a_5 u v + a_6 v^2 + a_7 u^3 = 0 \]
for some $a_i \in k$. Note that $\{1, u, v, u^2, u v\}$ is a basis for $H^0\bigl( 5\, (P_\infty) \bigr)$ so we must have $a_6, a_7 \neq 0$. Upon making the substitutions
\[
\begin{aligned}
x &= 3 \bigl( a_5^2 - 4 a_4 a_6 - 12 a_6 a_7 u \bigr) \\
y &= 108\, a_6 a_7 \bigl( a_3 + a_5 u + 2 a_6 v \bigr) \\
A &= 27 \bigl( -a_5^4 + 8 a_4 a_5^2 a_6 - 16 a_4^2 a_6^2 - 24 a_3 a_5 a_6 a_7 + 48 a_2 a_6^2 a_7 \bigr) \\
B &= 54 \bigl( a_5^6 - 12 a_4 a_5^4 a_6 + 48 a_4^2 a_5^2 a_6^2 - 64 a_4^3 a_6^3 + 36 a_3 a_5^3 a_6 a_7 \\
  &\qquad - 144 a_3 a_4 a_5 a_6^2 a_7 - 72 a_2 a_5^2 a_6^2 a_7 + 288 a_2 a_4 a_6^3 a_7 + 216 a_3^2 a_6^2 a_7^2 - 864 a_1 a_6^3 a_7^2 \bigr)
\end{aligned}
\]
we find the identity $y^2 = x^3 + A x + B$. Denote this curve by $E$.
We construct a birational map $X \to E(k)$. Choose $a, b \in k$ satisfying $b^2 = a^3 + A a + B$. Since $\{1, x\}$ and $\{1, x, y\}$ are bases for $H^0\bigl( 2\, (P_\infty) \bigr)$ and $H^0\bigl( 3\, (P_\infty) \bigr)$, respectively, we have $\mathrm{div}(x - a) = (P_{a,b}) + (P_{a,-b}) - 2\, (P_\infty)$ and $\mathrm{div}(y - b) = (P_{a,b}) + (P'_{a,b}) + (P''_{a,b}) - 3\, (P_\infty)$. As $\mathcal{O}/P \simeq k$, consider that map $f : X \to \mathbb{P}^2(k)$ which sends a prime ideal $P$ to the projective point $f(P) = \bigl( x \bmod P : y \bmod P : 1 \bigr)$. Note that $f(P_{a,b}) = (a : b : 1)$ and $f(P_\infty) = (0 : 1 : 0)$. As this map is one-to-one and onto, we see that $X \simeq E(k)$.
Elliptic Curves. As before, assume that $k$ has characteristic different from 2 or 3. Fix $A, B \in k$ such that $4 A^3 + 27 B^2 \neq 0$. Let $X \subseteq \mathbb{P}^2(k)$ denote the collection of $k$-rational points on $y^2 = x^3 + A x + B$. We say that $X$ is an elliptic curve. We will show that $X$ is an abelian group with respect to some operation $\oplus$.
Theorem 10. Assume that $g = 1$. Then $X \simeq \mathrm{Jac}(X)$. In particular, $X$ is an abelian group.
Proof. This is the content of Proposition 3.4 in Chapter III.3.5 in Silverman’s “The Arithmetic of Elliptic Curves”: we will construct a birational map $\kappa : X \to \mathrm{Jac}(X)$. Fix a point $P_\infty \in X$ and send $\kappa : X \to \mathrm{Jac}(X)$ by $P \mapsto (P) - (P_\infty)$. To see why this map is surjective, choose $\mathfrak{a} \in \mathrm{Div}^0(X)$ and set $\mathfrak{b} = \mathfrak{a} + (P_\infty)$. Since $\deg(\mathfrak{c} - \mathfrak{b}) < 0$, the Riemann-Roch Theorem states that
\[ \dim_k H^0(\mathfrak{b}) = 1 - g + \deg(\mathfrak{b}) + \dim_k H^0(\mathfrak{c} - \mathfrak{b}) = 1. \]
Let $f \in H^0(\mathfrak{b})$ be nonzero; as this space is 1-dimensional we must have $\mathrm{div}(f) = (P) - \mathfrak{b}$ for some unique point $P$. Hence $\mathfrak{a} = (P) - (P_\infty) - \mathrm{div}(f)$ for some unique $P \in X$.
We explain how the group law on elliptic curves can be derived from the Riemann-Roch Theorem. Fix a point $P_\infty \in X$ and denote $O = (0 : 1 : 0)$. Given two points $P, Q \in X$ draw a line in $\mathbb{P}^2(k)$ going through them. Rather explicitly, if $P = (p_1 : p_2 : p_0)$ and $Q = (q_1 : q_2 : q_0)$, then the line is in the form $f(x_1, x_2, x_0) = 0$ in terms of the linear polynomial
\[ f(x_1, x_2, x_0) = \begin{vmatrix} p_1 & p_2 & p_0 \\ q_1 & q_2 & q_0 \\ x_1 & x_2 & x_0 \end{vmatrix}. \]
It is easy to see that $\mathrm{div}(f) = (P) + (Q) + (P * Q) - 3\, (O)$ for some point $P * Q$. Now consider the line going through $P * Q$ and $P_\infty$; this is in the form $g(x_1, x_2, x_0) = 0$ for some linear polynomial. Again, it is easy to see that $\mathrm{div}(g) = (P * Q) + (P \oplus Q) + (P_\infty) - 3\, (O)$ for some point $P \oplus Q$. Hence we find that
\[ (P \oplus Q) - (P_\infty) = \bigl( (P) - (P_\infty) \bigr) + \bigl( (Q) - (P_\infty) \bigr) - \mathrm{div}(f/g). \]
Hence the map $X \to \mathrm{Jac}(X)$ defined by $P \mapsto (P) - (P_\infty)$ yields an associative group law $\oplus$. Note that $P_\infty$ is the identity, which we often choose as $P_\infty = O$.
Theorem 11. Let $X$ be an elliptic curve, and let $D = \sum_{i=1}^{m} n_i\, (P_i)$ be a divisor on $E$. Then $D = \mathrm{div}(f)$ for some rational function $f : X \to \mathbb{P}^1$ if and only if both $\sum_{i=1}^{m} n_i = 0$ in $\mathbb{Z}$ and $\bigoplus_{i=1}^{m} [n_i]\, P_i = O$ in $X$.
The notation “$[n]P = P \oplus P \oplus \cdots \oplus P$” is the sum of $P$ a repeated $n$ times in $X$.
Proof. This is the content of Corollary 3.5 in Chapter III.3.5 in Silverman’s “The Arithmetic of Elliptic Curves”: We have seen that the map $\kappa : X \to \mathrm{Jac}(X)$ which sends $P \mapsto (P) - (O)$ is an isomorphism. Assume that $D = \mathrm{div}(f)$. Then $\sum_i n_i = \deg D = \deg \mathrm{div}(f) = 0$, and
\[ \bigoplus_i [n_i] P_i = \bigoplus_i [n_i] \bigl( P_i - O \bigr) = \kappa^{-1}(D) = \kappa^{-1}\, \mathrm{div}(f). \]
Tate Pairing and Weil Pairing
Group Law. Now let $k$ be any number field, and choose $\{a_1, a_2, a_3, a_4, a_6\} \subseteq k$. The set $E : f(x, y) = 0$ in terms of the polynomial
\[ f(x, y) = y^2 + a_1 x y + a_3 y - \bigl( x^3 + a_2 x^2 + a_4 x + a_6 \bigr) \]
is a curve over $k$. Define the $k$-rational numbers
\[
\begin{aligned}
b_2 &= a_1^2 + 4 a_2 & c_4 &= b_2^2 - 24 b_4 \\
b_4 &= 2 a_4 + a_1 a_3 & c_6 &= -b_2^3 + 36 b_2 b_4 - 216 b_6 \\
b_6 &= a_3^2 + 4 a_6 & \Delta &= -b_2^2 b_8 - 8 b_4^3 - 27 b_6^2 + 9 b_2 b_4 b_6 \\
b_8 &= a_1^2 a_6 + 4 a_2 a_6 - a_1 a_3 a_4 + a_2 a_3^2 - a_4^2
\end{aligned}
\]
Then $E$ is non-singular if and only if $\Delta \neq 0$. In this case, $E$ is an elliptic curve.
We review the group law $\oplus : E(k) \times E(k) \to E(k)$ defined above: Given two points $P = (p_1 : p_2 : p_0)$ and $Q = (q_1 : q_2 : q_0)$ in $E(k)$ draw a line $f(x_1, x_2, x_0) = 0$ in $\mathbb{P}^2(k)$ going through them in terms of the linear polynomial
\[ f(x_1, x_2, x_0) = \begin{vmatrix} p_1 & p_2 & p_0 \\ q_1 & q_2 & q_0 \\ x_1 & x_2 & x_0 \end{vmatrix} \quad \implies \quad \mathrm{div}(f) = (P) + (Q) + (P * Q) - 3\, (O). \]
Now consider the line going through $P * Q$ and $O$; this is in the form $g(x_1, x_2, x_0) = 0$ for some linear polynomial, where $\mathrm{div}(g) = (P * Q) + (P \oplus Q) - 2\, (O)$ for some point $P \oplus Q \in E(k)$.
Isogenies. Let $E$ and $E'$ be two elliptic curves defined over $k$. An isogeny is a rational map $\phi : E(\overline{\mathbb{Q}}) \to E'(\overline{\mathbb{Q}})$ defined over $k$ such that $\phi(O) = O$. Since $\phi : E \to E'$ induces a map $\phi^* : \overline{\mathbb{Q}}(E') \to \overline{\mathbb{Q}}(E)$ which sends $f \mapsto f \circ \phi$, we define the degree of $\phi$ as the degree of the extension $\overline{\mathbb{Q}}(E)/\phi^* \overline{\mathbb{Q}}(E')$.
Theorem 12. Let $\phi : E \to E'$ be a nonconstant isogeny of degree $m$ between elliptic curves over $k$.
• $\phi$ is a group homomorphism, that is, $\phi(P \oplus Q) = \phi(P) \oplus \phi(Q)$ as a sum in $E'(\overline{\mathbb{Q}})$ for any $P, Q \in E(\overline{\mathbb{Q}})$.
• The map $\ker(\phi) \to \mathrm{Gal}\bigl( \overline{\mathbb{Q}}(E)/\phi^* \overline{\mathbb{Q}}(E') \bigr)$ which sends $T$ to the function $\tau_T^* g : P \mapsto g(P \oplus T)$ is an isomorphism. In particular, $|\ker(\phi)| = m$.
• There exists a unique dual isogeny $\widehat{\phi} : E' \to E$ such that the composition $\widehat{\phi} \circ \phi = [m] : E \to E' \to E$ sends $P \mapsto [m] P$ on $E$.
Proof. The first statement is the content of Theorem 4.8 in Chapter III.4 of Silverman’s “The Arithmetic of Elliptic Curves”: It follows from a diagram chase.
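\[
\begin{array}{ccc}
E(\overline{\mathbb{Q}}) & \xrightarrow{\ \phi\ } & E'(\overline{\mathbb{Q}}) \\
\downarrow {\scriptstyle \kappa_1} & & \uparrow {\scriptstyle \kappa_2^{-1}} \\
\mathrm{Jac}(E) & \xrightarrow{\ \phi_*\ } & \mathrm{Jac}(E')
\end{array}
\qquad
\begin{array}{ccc}
P \oplus Q & \longmapsto & \phi(P \oplus Q) = \phi(P) \oplus \phi(Q) \\
\downarrow & & \uparrow \\
(P \oplus Q) - (O) = (P) + (Q) - 2\, (O) & \longmapsto & \bigl( \phi(P \oplus Q) \bigr) - (O) = \bigl( \phi(P) \bigr) + \bigl( \phi(Q) \bigr) - 2\, (O)
\end{array}
\]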
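For the second statement, we begin by showing the map is well-defined. Each $T \in \ker(\phi)$ maps to that automorphism $\tau_T^*$ which sends a function $g \in \overline{\mathbb{Q}}(E)$ to that function $\tau_T^* g : P \mapsto g(P \oplus T)$. If $g \in \phi^* \overline{\mathbb{Q}}(E')$, then $g = f \circ \phi$ for some $f \in \overline{\mathbb{Q}}(E')$, so that $\tau_T^* g$ is that function which sends $P \in E(\overline{\mathbb{Q}})$ to $\bigl( \tau_T^* g \bigr)(P) = f\bigl( \phi(P) \oplus \phi(T) \bigr) = f\bigl( \phi(P) \oplus O \bigr) = g(P)$. Hence $\tau_T^*$ acts trivially on $\phi^* \overline{\mathbb{Q}}(E')$. Clearly the map $T \mapsto \tau_T^*$ is a well-defined injection. Conversely, $\deg(\phi) = |\phi^{-1}(Q)|$ for some $Q \in E'(\overline{\mathbb{Q}})$. Fix $P \in \phi^{-1}(Q)$. Then the map $\tau_P : \phi^{-1}(O) \to \phi^{-1}(Q)$ which sends $T \mapsto P \oplus T$ is a one-to-one correspondence, so that
\[ \bigl| \mathrm{Gal}\bigl( \overline{\mathbb{Q}}(E)/\phi^* \overline{\mathbb{Q}}(E') \bigr) \bigr| = \deg(\phi) = |\phi^{-1}(Q)| = |\phi^{-1}(O)| = |\ker(\phi)|. \]
For the third statement, consider the extension $\overline{\mathbb{Q}}(E)/[m]^* \overline{\mathbb{Q}}(E)$ with Galois group $\ker [m]$. Since $[m]\, T = O$ for any $T \in \ker(\phi)$ by Lagrange’s Theorem, we see that $\ker(\phi) \subseteq \ker [m]$. In particular, we have the following tower of fields:
\[ [m]^* \overline{\mathbb{Q}}(E) \ \subseteq\ \phi^* \overline{\mathbb{Q}}(E') \ \subseteq\ \overline{\mathbb{Q}}(E) \]
This shows that the map $[m] : E \to E$ is in the form $[m] = \widehat{\phi} \circ \phi$ for some rational map $\widehat{\phi} : E' \to E$.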
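Note that we have the following diagram:
\[
\begin{array}{ccc}
E'(\overline{\mathbb{Q}}) & \xrightarrow{\ \widehat{\phi}\ } & E(\overline{\mathbb{Q}}) \\
\downarrow {\scriptstyle \kappa_2} & & \uparrow {\scriptstyle \kappa_1^{-1}} \\
\mathrm{Jac}(E') & \xrightarrow{\ \phi^*\ } & \mathrm{Jac}(E)
\end{array}
\qquad
\begin{array}{ccc}
Q & \longmapsto & [m]\, P \\
\downarrow & & \uparrow \\
(Q) - (O) & \longmapsto & \sum_{T \in \ker(\phi)} \bigl( (P \oplus T) - (T) \bigr)
\end{array}
\]
for any $P \in E(\overline{\mathbb{Q}})$ such that $\phi(P) = Q$. In particular, $\bigl( \widehat{\phi} \circ \phi \bigr)(P) = \widehat{\phi}(Q) = [m]\, P$ so that $\widehat{\phi}(O) = \widehat{\phi}\bigl( \phi(O) \bigr) = [m]\, O = O$. If $\widehat{\phi}'$ is any other dual isogeny, then $\bigl( \widehat{\phi}' - \widehat{\phi} \bigr) \circ \phi = [m] - [m] = [0]$ on $E$, so that $\widehat{\phi}' - \widehat{\phi} = [0]$ must be constant. This shows that $\widehat{\phi}$ is the unique rational map with $\widehat{\phi} \circ \phi = [m]$ and $\widehat{\phi}(O) = O$, so $\widehat{\phi}$ must be an isogeny.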
Examples.
• Consider an elliptic curve $E : y^2 + a_1 x y + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6$ where $a_i \in k$. Given a point $P = (x : y : 1)$ in $E(k)$, we have $[m]\, P = O$ if and only if $\psi_m(P) = 0$ in terms of the division polynomials
\[
\psi_m(P) = \begin{cases}
1 & \text{for } m = 1, \\[4pt]
2 y + a_1 x + a_3 = \sqrt{4 x^3 + b_2 x^2 + 2 b_4 x + b_6} & \text{for } m = 2, \\[4pt]
3 x^4 + b_2 x^3 + 3 b_4 x^2 + 3 b_6 x + b_8 & \text{for } m = 3, \\[4pt]
\psi_2(P) \bigl( 2 x^6 + b_2 x^5 + 5 b_4 x^4 + 10 b_6 x^3 + 10 b_8 x^2 + (b_2 b_8 - b_4 b_6)\, x + (b_4 b_8 - b_6^2) \bigr) & \text{for } m = 4.
\end{cases}
\]
Other division polynomials can be generated by the recursive relation
\[ \psi_{m+n}(P)\, \psi_{m-n}(P)\, \psi_1(P)^2 = \psi_{m+1}(P)\, \psi_{m-1}(P)\, \psi_n(P)^2 - \psi_{n+1}(P)\, \psi_{n-1}(P)\, \psi_m(P)^2 \]
for any integers $m$ and $n$. In fact, the “multiplication-by-$m$” map $[m] : E(k) \to E(k)$ sends $P$ to $[m] P = \bigl( \phi_m(P)/\psi_m(P)^2 : \omega_m(P)/\psi_m(P)^3 : 1 \bigr)$ in terms of the polynomials
\[
\phi_m(P) = \begin{cases}
x & \text{for } m = 1, \\[4pt]
x^4 - b_4 x^2 - 2 b_6 x - b_8 & \text{for } m = 2, \\[4pt]
\phi_1(P)\, \psi_m(P)^2 - \psi_{m+1}(P)\, \psi_{m-1}(P) & \text{for } m \ge 2.
\end{cases}
\]
\[
\omega_m(P) = \begin{cases}
y & \text{for } m = 1, \\[6pt]
\dfrac{-a_1\, \phi_2(P)\, \psi_2(P)^2 - a_3\, \psi_2(P)^4 + \psi_4(P)}{2\, \psi_2(P)} & \text{for } m = 2, \\[10pt]
-\dfrac{a_1\, \phi_m(P)\, \psi_m(P) + a_3\, \psi_m(P)^3}{2} + \dfrac{\psi_{m-1}(P)^2\, \psi_{m+2}(P) + \psi_{m-2}(P)\, \psi_{m+1}(P)^2}{2\, \psi_2(P)} & \text{for } m \ge 2.
\end{cases}
\]
In particular, $\deg \psi_m(P)^2 = m^2 - 1$, so that the “multiplication-by-$m$” map is an isogeny of degree $m^2$. In fact, $\ker [m] \simeq \mathbb{Z}_m \times \mathbb{Z}_m$ and $\widehat{[m]} = [m]$.
• Consider the elliptic curves
\[ E : y^2 = x^3 + a x^2 + b x, \qquad E' : Y^2 = X^3 + A X^2 + B X \qquad \text{where} \qquad A = -2 a, \quad B = a^2 - 4 b \]
where $a, b, A, B \in k$ satisfy $b\, B \neq 0$. It is easy to check that $T = (0 : 0 : 1)$ is a $k$-rational point of order 2, that is, $[2] T = O$. Then we have maps $\phi : E \to E'$ and $\widehat{\phi} : E' \to E$ which send
\[
\begin{aligned}
\phi : (x_1 : x_2 : x_0) &\mapsto \bigl( x_2^2 x_0 : x_2 (b\, x_0^2 - x_1^2) : x_1^2 x_0 \bigr) \\
\widehat{\phi} : (X_1 : X_2 : X_0) &\mapsto \bigl( 2 X_2^2 X_0 : X_2 (B\, X_0^2 - X_1^2) : 8 X_1^2 X_0 \bigr)
\end{aligned}
\]
It is easy to check that $\ker(\phi) = \{ (0 : 0 : 1), (0 : 1 : 0) \} \simeq \mathbb{Z}_2$ and that $\widehat{\phi} \circ \phi = [2]$ is the “multiplication-by-2” map. Hence both $\phi$ and $\widehat{\phi}$ are 2-isogenies.
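• Let $A \subseteq E(\overline{\mathbb{Q}}) \hookrightarrow \mathbb{C}/\Lambda$ be any finite subgroup such that $G_k$ acts trivially. Then we can find an isogeny $\phi : E \to E'$ such that $\ker(\phi) \simeq A$. One can construct $E'$ explicitly using the cohomology group $H^1\bigl( G_k, A \bigr)$. Usually, one focuses on subgroups in the form $A \simeq \mathbb{Z}_m \times \mathbb{Z}_m$ or $A \simeq \mathbb{Z}_n$, but we can certainly consider others such as $A \simeq \mathbb{Z}_m \times \mathbb{Z}_n$.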
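The 2-isogeny example above can be checked mechanically. The following added example (not part of the original notes) evaluates the projective formulas for the isogeny and its dual exactly as stated, over the rationals, and compares their composition with tangent-line doubling; the curve a = 1, b = 2 and the sample points are constructed for this illustration.

```python
from fractions import Fraction
from math import gcd

# Constructed sample curve (an assumption, not from the notes):
#   E  : y^2 = x^3 + a x^2 + b x   with a = 1, b = 2
#   E' : Y^2 = X^3 + A X^2 + B X   with A = -2a, B = a^2 - 4b as in the text
a, b = 1, 2
A, B = -2 * a, a * a - 4 * b
assert b * B != 0                      # non-singularity condition from the text
O = (0, 1, 0)                          # point at infinity (x1 : x2 : x0)

def normalize(P):
    """Canonical integer representative of a projective point."""
    x, y, z = P
    g = gcd(gcd(x, y), z)
    x, y, z = x // g, y // g, z // g
    if z < 0 or (z == 0 and y < 0):
        x, y, z = -x, -y, -z
    return (x, y, z)

def on_curve(P, a2, a4):
    """Homogeneous equation y^2 z = x^3 + a2 x^2 z + a4 x z^2."""
    x, y, z = P
    return y * y * z == x**3 + a2 * x * x * z + a4 * x * z * z

def phi(P):
    """E -> E', (x1:x2:x0) -> (x2^2 x0 : x2 (b x0^2 - x1^2) : x1^2 x0)."""
    x, y, z = P
    if x == 0:                         # O and T = (0:0:1): the formula gives (0:0:0)
        return O
    return normalize((y * y * z, y * (b * z * z - x * x), x * x * z))

def phi_hat(P):
    """E' -> E, (X1:X2:X0) -> (2 X2^2 X0 : X2 (B X0^2 - X1^2) : 8 X1^2 X0)."""
    X, Y, Z = P
    if X == 0:                         # kernel of the dual isogeny
        return O
    return normalize((2 * Y * Y * Z, Y * (B * Z * Z - X * X), 8 * X * X * Z))

def double(P, a2, a4):
    """[2]P on y^2 = x^3 + a2 x^2 + a4 x via the tangent line at P."""
    x, y, z = P
    if z == 0 or y == 0:               # O and points of order 2
        return O
    x, y = Fraction(x, z), Fraction(y, z)
    lam = (3 * x * x + 2 * a2 * x + a4) / (2 * y)
    x3 = lam * lam - a2 - 2 * x
    y3 = lam * (x - x3) - y
    d = x3.denominator * y3.denominator
    return normalize((int(x3 * d), int(y3 * d), d))

def dual_composes_to_2(P):
    """True when P lies on E, phi(P) lies on E', and phi_hat(phi(P)) = [2]P."""
    return (on_curve(P, a, b) and on_curve(phi(P), A, B)
            and phi_hat(phi(P)) == double(P, a, b))

# Constructed rational points on E, including the kernel {O, T}.
SAMPLE_POINTS = [(1, 2, 1), (1, -2, 1), (2, 4, 1), (4, -23, 64), (0, 0, 1), O]

if __name__ == "__main__":
    for P in SAMPLE_POINTS:
        print(P, "->", phi(P), "->", phi_hat(phi(P)), dual_composes_to_2(P))
```

The special case `x == 0` is needed because the projective formulas evaluate to (0 : 0 : 0) on the kernel, so those points are sent to O by hand.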
Weil Pairing. For any isogeny $\phi : E \to E'$ and its dual $\widehat{\phi} : E' \to E$, the kernels $E[\phi] = \ker(\phi)$ and $E'[\widehat{\phi}] = \ker(\widehat{\phi})$ are intimately related.
Theorem 13. Let $\phi : E \to E'$ be a nonconstant isogeny of degree $m$ between elliptic curves over $k$. Denote $E[\phi] = \ker(\phi) \subseteq E(k)$ and $E'[\widehat{\phi}] = \ker(\widehat{\phi}) \subseteq E'(k)$ as the kernels of the isogeny and its dual. Then there exists a pairing
\[ e_\phi : \ker(\phi) \times \ker(\widehat{\phi}) \to \mu_m \]
satisfying the following properties:
• Bilinearity: For all $S \in \ker(\phi)$ and $T \in \ker(\widehat{\phi})$, we have
\[ e_\phi(S_1 \oplus S_2, T) = e_\phi(S_1, T) \cdot e_\phi(S_2, T), \qquad e_\phi(S, T_1 \oplus T_2) = e_\phi(S, T_1) \cdot e_\phi(S, T_2). \]
• Non-Degenerate: If $e_\phi(S, T) = 1$ for all $S \in \ker(\phi)$, then $T = O$.
• Galois Invariant: $\sigma\bigl( e_\phi(S, T) \bigr) = e_\phi\bigl( \sigma(S), \sigma(T) \bigr)$ for all $\sigma \in G_k$.
• Compatibility: If $\psi : E' \to E''$ is another isogeny, then $e_{\psi \circ \phi}(P, Q) = e_\psi\bigl( \phi(P), Q \bigr)$ for all $P \in \ker(\psi \circ \phi)$ and $Q \in \ker(\widehat{\psi})$.
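The properties listed in Theorem 13 can be observed numerically in the classical case where the isogeny is multiplication by m, so that both kernels are E[m]. The following added example (not part of the original notes) goes beyond the text in two ways: it works over the finite field F_631 instead of a number field, and it evaluates the pairing with Miller's algorithm and the quotient formula e_m(R, T) = [f_R(T+S)/f_R(S)] / [f_T(R-S)/f_T(-S)], a different construction from the one used in the proof, so its sign convention need not match the notes. The curve, the points P, Q and the helper names are sample choices for this illustration.

```python
# Sample data (assumptions, not from the notes): E : y^2 = x^3 + 30x + 34 over F_631,
# whose 5-torsion is F_631-rational; P and Q are independent points of order 5.
p, A, B, m = 631, 30, 34, 5
P, Q = (36, 60), (121, 387)
O = None                                   # point at infinity

def inv(v):
    return pow(v % p, -1, p)               # raises ValueError on a zero denominator

def neg(R):
    return O if R is O else (R[0], -R[1] % p)

def slope(R, S):
    """Slope of the chord/tangent through R and S, or None if the line is vertical."""
    (x1, y1), (x2, y2) = R, S
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    if R == S:
        return (3 * x1 * x1 + A) * inv(2 * y1) % p
    return (y2 - y1) * inv(x2 - x1) % p

def add(R, S):
    if R is O:
        return S
    if S is O:
        return R
    lam = slope(R, S)
    if lam is None:
        return O
    x3 = (lam * lam - R[0] - S[0]) % p
    return (x3, (lam * (R[0] - x3) - R[1]) % p)

def mul(n, R):
    acc = O
    while n:
        if n & 1:
            acc = add(acc, R)
        R, n = add(R, R), n >> 1
    return acc

def g(R, S, X):
    """Value at X of the function with divisor (R) + (S) - (R+S) - (O)."""
    lam = slope(R, S)
    if lam is None:                        # vertical line, R + S = O
        return (X[0] - R[0]) % p
    x3 = (lam * lam - R[0] - S[0]) % p
    return (X[1] - R[1] - lam * (X[0] - R[0])) * inv(X[0] - x3) % p

def miller(R, X):
    """f_R(X) with div(f_R) = m(R) - m(O), by Miller's double-and-add loop."""
    f, T = 1, R
    for bit in bin(m)[3:]:
        f = f * f * g(T, T, X) % p
        T = add(T, T)
        if bit == "1":
            f = f * g(T, R, X) % p
            T = add(T, R)
    return f

def aux_point():
    """First point (x, y), x = 0, 1, ..., whose order does not divide m."""
    for x in range(p):
        rhs = (x**3 + A * x + B) % p
        y = pow(rhs, (p + 1) // 4, p)      # square root, valid because p = 3 mod 4
        if y * y % p == rhs and mul(m, (x, y)) is not O:
            return (x, y)

def weil(R, T, S=None):
    """e_m(R, T) by the quotient formula; S outside E[m] avoids zeros and poles."""
    if R is O or T is O:
        return 1
    S = aux_point() if S is None else S
    num = miller(R, add(T, S)) * inv(miller(R, S)) % p
    den = miller(T, add(R, neg(S))) * inv(miller(T, neg(S))) % p
    return num * inv(den) % p

if __name__ == "__main__":
    e = weil(P, Q)
    print("e(P,Q) =", e, " e^m =", pow(e, m, p))
    print("bilinear:", weil(mul(2, P), Q) == e * e % p == weil(P, mul(2, Q)))
```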
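Proof. We follow Section III.8 on pages 92–99 and Exercise 3.15 on page 108 of Joseph Silverman’s “The Arithmetic of Elliptic Curves”. Let $T \in \ker(\widehat{\phi}) \subseteq E'[m]$. According to Theorem 11, there are functions $f_T \in \overline{\mathbb{Q}}(E')$ and $g_T \in \overline{\mathbb{Q}}(E)$ satisfying
\[
\begin{aligned}
\mathrm{div}(f_T) &= m\, (T) - m\, (O) \\
\mathrm{div}(g_T) &= \phi^* \bigl( (T) - (O) \bigr) = \sum_{T' \in \ker(\phi)} \bigl( (P \oplus T') - (T') \bigr)
\end{aligned}
\qquad \text{where} \qquad P \in \phi^{-1}(T) \subseteq E[m].
\]
Since $\mathrm{div}(g_T^m) = \mathrm{div}(f_T \circ \phi)$, we may assume without loss of generality that $f_T \circ \phi = g_T^m$. For any $S \in \ker(\phi)$, consider the map $E(\overline{\mathbb{Q}}) \to \mathbb{P}^1(\overline{\mathbb{Q}})$ which sends $X \mapsto g_T(X \oplus S)/g_T(X)$. Since $g_T(X \oplus S)^m = f_T\bigl( \phi(X) \oplus \phi(S) \bigr) = f_T\bigl( \phi(X) \bigr) = g_T(X)^m$, we see that this map takes on only finitely many values – and hence must be constant. We define the Weil pairing $e_\phi : \ker(\phi) \times \ker(\widehat{\phi}) \to \mu_m$ as the $m$th root of unity $e_\phi(S, T) = g_T(X \oplus S)/g_T(X)$.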
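We show (Bilinearity). For the first factor we have
\[
\begin{aligned}
e_\phi(S_1 \oplus S_2, T) &= \frac{g_T(X \oplus S_1 \oplus S_2)}{g_T(X)} \\
&= \frac{g_T(X \oplus S_1 \oplus S_2)}{g_T(X \oplus S_2)} \cdot \frac{g_T(X \oplus S_2)}{g_T(X)} = \frac{g_T(X \oplus S_1)}{g_T(X)} \cdot \frac{g_T(X \oplus S_2)}{g_T(X)} \\
&= e_\phi(S_1, T) \cdot e_\phi(S_2, T).
\end{aligned}
\]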
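For the second factor, fix $T_1, T_2 \in \ker(\hat{\phi})$. Using Theorem 11 again, we can find functions $f_1, f_2, f_3 \in \overline{\mathbb{Q}}(E')$ and $g_1, g_2, g_3 \in \overline{\mathbb{Q}}(E)$ satisfying
$$\begin{aligned}
\operatorname{div}(f_1) &= m\,(T_1) - m\,(O), & \operatorname{div}(g_1) &= \phi^*\bigl((T_1) - (O)\bigr), \\
\operatorname{div}(f_2) &= m\,(T_2) - m\,(O), & \operatorname{div}(g_2) &= \phi^*\bigl((T_2) - (O)\bigr), \\
\operatorname{div}(f_3) &= m\,(T_1 \oplus T_2) - m\,(O), & \operatorname{div}(g_3) &= \phi^*\bigl((T_1 \oplus T_2) - (O)\bigr)
\end{aligned}
\quad \Longrightarrow \quad
\begin{aligned}
f_1 \circ \phi &= g_1^m, \\
f_2 \circ \phi &= g_2^m, \\
f_3 \circ \phi &= g_3^m.
\end{aligned}$$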
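Similarly, we can find a function $h \in \overline{\mathbb{Q}}(E')$ such that $\operatorname{div}(h) = (T_1 \oplus T_2) - (T_1) - (T_2) + (O)$, and so
$$\operatorname{div}\left(\frac{f_3}{f_1 f_2}\right) = m \operatorname{div}(h) \quad \Longrightarrow \quad \frac{f_3}{f_1 f_2} = h^m \quad \Longrightarrow \quad \left(\frac{g_3}{g_1 g_2}\right)^m = \bigl(h \circ \phi\bigr)^m.$$
Hence $g_3 = c \cdot g_1\, g_2\, (h \circ \phi)$ for some constant $c \in \overline{\mathbb{Q}}$. This gives
$$\begin{aligned}
e_\phi(S, T_1 \oplus T_2) = \frac{g_3(X \oplus S)}{g_3(X)} &= \frac{g_1(X \oplus S)}{g_1(X)} \cdot \frac{g_2(X \oplus S)}{g_2(X)} \cdot \frac{h\bigl(\phi(X) \oplus \phi(S)\bigr)}{h\bigl(\phi(X)\bigr)} \\
&= \frac{g_1(X \oplus S)}{g_1(X)} \cdot \frac{g_2(X \oplus S)}{g_2(X)} \cdot \frac{h\bigl(\phi(X) \oplus O\bigr)}{h\bigl(\phi(X)\bigr)} \\
&= e_\phi(S, T_1) \cdot e_\phi(S, T_2).
\end{aligned}$$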
We show (Non-Degeneracy). Say that $e_\phi(S, T) = 1$ for all $S \in \ker(\phi)$. Then $g_T(X \oplus S) = g_T(X)$ for all $X \in E(\overline{\mathbb{Q}})$. Following the ideas in Theorem 12, we see that $g_T \in \phi^*\, \overline{\mathbb{Q}}(E')$, so that $g_T = h_T \circ \phi$ for some $h_T \in \overline{\mathbb{Q}}(E')$. Since $(h_T \circ \phi)^m = g_T^m = f_T \circ \phi$, we find that $f_T = h_T^m$, and so $\operatorname{div}(h_T) = (T) - (O)$. According to Theorem 10, we must have $T = O$.
(Galois Invariance) is clear.
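We show (Compatibility) using the following diagram:
[Diagram: the isogenies $\phi : E(\overline{\mathbb{Q}}) \to E'(\overline{\mathbb{Q}})$ and $\psi : E'(\overline{\mathbb{Q}}) \to E''(\overline{\mathbb{Q}})$ with their duals $\hat{\phi}$ and $\hat{\psi}$, together with the subgroups $\ker(\phi)$, $\ker(\psi \circ \phi)$, $\phi\bigl(\ker(\psi \circ \phi)\bigr)$, $\ker(\hat{\psi})$ and $\ker(\hat{\phi} \circ \hat{\psi})$.]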
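Say that $\psi : E' \to E''$ is an isogeny of degree $n$. For each $Q \in \ker(\hat{\psi}) \subseteq \ker(\widehat{\psi \circ \phi})$, there are functions $d_Q, f_Q \in \overline{\mathbb{Q}}(E'')$, $g_Q \in \overline{\mathbb{Q}}(E')$, and $h_Q \in \overline{\mathbb{Q}}(E)$ satisfying
$$\begin{aligned}
\operatorname{div}(d_Q) &= n\,(Q) - n\,(O) \\
\operatorname{div}(f_Q) &= m\,n\,(Q) - m\,n\,(O) \\
\operatorname{div}(g_Q) &= \psi^*\bigl((Q) - (O)\bigr) \\
\operatorname{div}(h_Q) &= (\psi \circ \phi)^*\bigl((Q) - (O)\bigr)
\end{aligned}
\quad \Longrightarrow \quad
\begin{aligned}
d_Q \circ \psi &= g_Q^n \\
f_Q \circ \psi \circ \phi &= h_Q^{mn} \\
f_Q &= d_Q^m \\
g_Q \circ \phi &= h_Q
\end{aligned}$$
We define the pairings $e_\psi : \ker(\psi) \times \ker(\hat{\psi}) \to \mu_{mn}$ and $e_{\psi \circ \phi} : \ker(\psi \circ \phi) \times \ker(\hat{\psi}) \to \mu_{mn}$ via $e_\psi(S, Q) = g_Q(X \oplus S)/g_Q(X)$ and $e_{\psi \circ \phi}(P, Q) = h_Q(Y \oplus P)/h_Q(Y)$, respectively. If we write $X = \phi(Y)$, then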
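$$e_\psi\bigl(\phi(P), Q\bigr) = \frac{g_Q\bigl(X \oplus \phi(P)\bigr)}{g_Q(X)} = \frac{g_Q\bigl(\phi(Y) \oplus \phi(P)\bigr)}{g_Q\bigl(\phi(Y)\bigr)} = \frac{h_Q(Y \oplus P)}{h_Q(Y)} = e_{\psi \circ \phi}(P, Q).$$
This completes the proof.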
Examples.
• Consider the elliptic curve
$$E : \; y^2 + a_1\, x\, y + a_3\, y = x^3 + a_2\, x^2 + a_4\, x + a_6.$$
Say $\phi = [2]$ is the “multiplication-by-2” map. Recall that the 2-division polynomial is $\psi_2(x) = 2\,y + a_1\,x + a_3 = \sqrt{4\,x^3 + b_2\,x^2 + 2\,b_4\,x + b_6}$. If we denote $e$ as one of the roots of this polynomial, then $T = (e : -a_1\,e - a_3 : 1)$ is a point of order $m = 2$. We denote the functions
$$f_T(P) = x - e, \qquad g_T(P) = \frac{4\,e^2 + b_2\,e + b_4 + 4\,e\,x - 2\,x^2}{2\,(2\,y + a_1\,x + a_3)} \quad \Longrightarrow \quad \bigl(f_T \circ [2]\bigr)(P) = g_T(P)^2.$$
• Consider the elliptic curves
$$E : \; y^2 = x^3 + a\,x^2 + b\,x, \qquad E' : \; Y^2 = X^3 + A\,X^2 + B\,X \qquad \text{where} \qquad A = -2\,a, \quad B = a^2 - 4\,b,$$
where $a, b, A, B \in k$ satisfy $b\,B \neq 0$. Then we have maps $\phi : E \to E'$ and $\hat{\phi} : E' \to E$ which send
$$\begin{aligned}
\phi &: (x_1 : x_2 : x_0) \mapsto \bigl(x_2^2\, x_0 : x_2\,(b\,x_0^2 - x_1^2) : x_1^2\, x_0\bigr) \\
\hat{\phi} &: (X_1 : X_2 : X_0) \mapsto \bigl(2\,X_2^2\, X_0 : X_2\,(B\,X_0^2 - X_1^2) : 8\,X_1^2\, X_0\bigr)
\end{aligned}$$
where $\hat{\phi} \circ \phi = [2]$ is the “multiplication-by-2” map. Note that $\ker(\phi) = \{T, O\}$ is the kernel, where $T = (0 : 0 : 1)$ is a $k$-rational point of order 2, that is, $[2]T = O$. We denote the functions
$$f_T(Q) = X, \qquad g_T(P) = \frac{y}{x} \quad \Longrightarrow \quad \bigl(f_T \circ \phi\bigr)(P) = g_T(P)^2.$$
• There is an easy way to interpret the Weil pairing. Consider the “multiplication-by-m” map $[m] : E \to E$. Since $E[m] \simeq Z_m \times Z_m$ over $\overline{\mathbb{Q}}$, we can choose a basis $\{T_1, T_2\}$. Then define $e_m : E[m] \times E[m] \to \mu_m$ by sending $S = [a]T_1 \oplus [b]T_2$ and $T = [c]T_1 \oplus [d]T_2$ to $\zeta_m^{ad - bc}$. The only downside to making this definition is one would have to prove that $E[m] \simeq Z_m \times Z_m$!
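The 2-isogeny in the second example can be checked numerically. The following Python sketch is an added illustration, not part of the original notes: it works over the finite field F_p instead of a number field, with constructed sample values p = 101, a = 3, b = 5 (so b·B ≠ 0). It checks that φ lands on E′, that φ̂ ∘ φ = [2], that f_T ∘ φ = g_T², and that the Weil pairing value g_T(X ⊕ T)/g_T(X) from the proof of Theorem 13 is the constant −1 for T = (0 : 0 : 1).

```python
# Added example. p, a, b are constructed sample values with b*B != 0 in F_p.
p = 101
a, b = 3, 5
A, B = (-2 * a) % p, (a * a - 4 * b) % p      # E': Y^2 = X^3 + A X^2 + B X

def inv(u):
    return pow(u % p, -1, p)                  # inverse in F_p (Python 3.8+)

def on_E(x, y):
    return (y * y - (x**3 + a * x * x + b * x)) % p == 0

def on_E_prime(X, Y):
    return (Y * Y - (X**3 + A * X * X + B * X)) % p == 0

def affine_points():
    """Points of E(F_p) with x != 0 and y != 0, where every map below is finite."""
    return [(x, y) for x in range(1, p) for y in range(1, p) if on_E(x, y)]

def phi(x, y):
    """Affine form of (x1 : x2 : x0) -> (x2^2 x0 : x2 (b x0^2 - x1^2) : x1^2 x0)."""
    return (y * y * inv(x * x) % p, y * (b - x * x) * inv(x * x) % p)

def phi_hat(X, Y):
    """Affine form of (X1 : X2 : X0) -> (2 X2^2 X0 : X2 (B X0^2 - X1^2) : 8 X1^2 X0)."""
    return (Y * Y * inv(4 * X * X) % p, Y * (B - X * X) * inv(8 * X * X) % p)

def double(x, y):
    """[2](x, y) on E by the tangent-line rule (needs y != 0)."""
    lam = (3 * x * x + 2 * a * x + b) * inv(2 * y) % p
    x3 = (lam * lam - a - 2 * x) % p
    return (x3, (lam * (x - x3) - y) % p)

def add_T(x, y):
    """(x, y) + T for T = (0, 0) on E, by the chord through the two points."""
    lam = y * inv(x) % p
    x3 = (lam * lam - a - x) % p
    return (x3, -lam * x3 % p)

def g_T(x, y):
    return y * inv(x) % p                     # g_T = y/x on E; f_T = X on E'

def weil_values(pts):
    """Set of values g_T(X + T) / g_T(X) as X runs over pts; one value if constant."""
    return {g_T(*add_T(x, y)) * inv(g_T(x, y)) % p for (x, y) in pts}

def check_isogeny(pts):
    """phi maps E to E', phi_hat o phi = [2], and f_T o phi = g_T^2 on every point."""
    return all(on_E_prime(*phi(x, y)) and phi_hat(*phi(x, y)) == double(x, y)
               and phi(x, y)[0] == g_T(x, y) ** 2 % p for (x, y) in pts)
```

Calling `weil_values(affine_points())` returns the single residue p − 1, that is, the nontrivial square root of unity, which is the non-degeneracy of the pairing on this two-element kernel.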
Tate Pairing. We discuss how a specific example of an isogeny gives information about the elliptic curve.
Theorem 14. Say that $E$ is an elliptic curve over $k$ as above.
• Denote the 2-division polynomial as $\psi_2(x) = 2\,y + a_1\,x + a_3 = \sqrt{4\,x^3 + b_2\,x^2 + 2\,b_4\,x + b_6}$. This has distinct roots $e_1, e_2, e_3 \in \overline{\mathbb{Q}}$, and so $E : Y^2 = (X - e_1)\,(X - e_2)\,(X - e_3)$. Moreover,
$$E[2] = \bigl\{ T \in E(\overline{\mathbb{Q}}) \;\big|\; [2]\,T = O \bigr\} = \bigl\{ (e_1 : 0 : 1),\ (e_2 : 0 : 1),\ (e_3 : 0 : 1),\ (0 : 1 : 0) \bigr\} \simeq Z_2 \times Z_2.$$
• Assume that $E[2] \subseteq E(k)$. Consider the map defined by
$$e_2 : \frac{E(k)}{2\,E(k)} \times E[2] \to \frac{k^\times}{(k^\times)^2}, \qquad (P, T) \mapsto \begin{cases} 1 & \text{if } T = O, \\ X - e & \text{otherwise;} \end{cases}$$
where $P = (X : Y : 1)$ and $T = (e : 0 : 1)$. This is a “perfect” pairing i.e.,
– Non-Degeneracy: If $e_2(P, T) = 1$ for all $T \in E[2]$ then $P \in 2\,E(k)$.
– Bilinearity: For all $P, Q \in E(k)$ and $T \in E[2]$ we have
$$e_2(P \oplus Q, T) = e_2(P, T) \cdot e_2(Q, T), \qquad e_2(P, T_1 \oplus T_2) = e_2(P, T_1) \cdot e_2(P, T_2).$$
Proof. Choose $P = (p_1 : p_2 : p_0) \in E(k)$, and say that $e_2(P, T) = 1$ for all $T \in E[2]$. To show $P \in 2\,E(k)$ it suffices to exhibit $P' \in E(k)$ such that $P = [2]P'$. If $P = O$ we may choose $P' = O$ as well, so assume $p_0 \neq 0$. Upon considering $T = (e : 0 : 1)$, we see that $f_i = \sqrt{\frac{p_1}{p_0} - e_i} \in k$ for $i = 1, 2, 3$; we choose the signs so that $\frac{p_2}{p_0} = f_1\, f_2\, f_3$. It is easy to check that the desired $k$-rational point is
$$P' = \left( \frac{(e_1 - e_3)\,(e_2 - e_3)}{(f_1 - f_3)\,(f_2 - f_3)} + e_3 \; : \; \frac{(e_1 - e_2)\,(e_1 - e_3)\,(e_2 - e_3)}{(f_1 - f_2)\,(f_1 - f_3)\,(f_2 - f_3)} \; : \; 1 \right).$$
We show $e_2(P \oplus Q, T) = e_2(P, T) \cdot e_2(Q, T)$. If $T = O$ there is nothing to show since $e_2(P, T) = e_2(Q, T) = e_2(P \oplus Q, T) = 1$, so assume that $T = (e : 0 : 1)$. Choose two points $P = (p_1 : p_2 : p_0)$ and $Q = (q_1 : q_2 : q_0)$ in $E(k)$. Draw a line through them, say $a\,x_1 + b\,x_2 + c\,x_0 = 0$, and assume that it intersects $E$ at a third point $R = (r_1 : r_2 : r_0)$. The projective curve $E$ is defined by the homogeneous polynomial $F(x_1, x_2, x_0) = x_2^2\, x_0 - (x_1 - e_1\, x_0)\,(x_1 - e_2\, x_0)\,(x_1 - e_3\, x_0)$, so the intersection with the line $a\,x_1 + b\,x_2 + c\,x_0 = 0$ admits the factorization
$$p_0\, q_0\, r_0 \cdot F(x_1, x_2, x_0) = (p_1\, x_0 - p_0\, x_1)\,(q_1\, x_0 - q_0\, x_1)\,(r_1\, x_0 - r_0\, x_1).$$
When $(x_1 : x_2 : x_0) = (b\,e : -a\,e - c : b)$ is the point where the lines $a\,x_1 + b\,x_2 + c\,x_0 = 0$ and $x_1 - e\,x_0 = 0$ intersect, we have the equality
$$b^3 \left(\frac{p_1}{p_0} - e\right) \left(\frac{q_1}{q_0} - e\right) \left(\frac{r_1}{r_0} - e\right) = F(b\,e, -a\,e - c, b) = (a\,e + c)^2\, b.$$
This implies the congruence $e_2(P, T) \cdot e_2(Q, T) \cdot e_2(R, T) \equiv 1 \bmod (k^\times)^2$. We conclude that $e_2(P \oplus Q, T) = e_2(P, T) \cdot e_2(Q, T)$.
We show $e_2(P, T_1 \oplus T_2) = e_2(P, T_1) \cdot e_2(P, T_2)$. If $T_1 = T_2$ then
$$e_2(P, T_1 \oplus T_2) = e_2(P, O) = 1 \equiv e_2(P, T_1)^2 = e_2(P, T_1) \cdot e_2(P, T_2).$$
If $T_1 \neq T_2$, we may assume $T_1 = (e_1 : 0 : 1)$ and $T_2 = (e_2 : 0 : 1)$. (If either $T_1$ or $T_2$ is $O$ there is nothing to show.) Then $T_1 \oplus T_2 = (e_3 : 0 : 1)$. The identity
$$\left(\frac{p_1}{p_0} - e_1\right) \left(\frac{p_1}{p_0} - e_2\right) \left(\frac{p_1}{p_0} - e_3\right) = \left(\frac{p_2}{p_0}\right)^2$$
implies the congruence $e_2(P, T_1) \cdot e_2(P, T_2) \cdot e_2(P, T_1 \oplus T_2) \equiv 1 \bmod (k^\times)^2$. We conclude that $e_2(P, T_1 \oplus T_2) = e_2(P, T_1) \cdot e_2(P, T_2)$.
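Theorem 14 can be tested exhaustively over a small prime field, where the class of u in k×/(k×)² is just the Legendre symbol. The Python sketch below is an added example, not part of the original notes: p = 103 and the roots 0, 1, 5 are constructed sample values, and for P = T it uses the value (e_i − e_j)(e_i − e_k) that bilinearity in the second argument forces. It checks bilinearity in P over all pairs of points and that the P with e2(P, T) = 1 for every T are exactly the doubles 2E(F_p).

```python
# Added example. p and the roots e1, e2, e3 are constructed sample values.
from math import prod

p = 103
ROOTS = (0, 1, 5)        # E : y^2 = (x - e1)(x - e2)(x - e3), so E[2] lies in E(F_p)
A2 = -sum(ROOTS) % p     # E : y^2 = x^3 + A2 x^2 + A4 x + A6
A4 = (ROOTS[0] * ROOTS[1] + ROOTS[0] * ROOTS[2] + ROOTS[1] * ROOTS[2]) % p
O = None                 # the point at infinity (0 : 1 : 0)

def points():
    rhs = lambda x: (x - ROOTS[0]) * (x - ROOTS[1]) * (x - ROOTS[2]) % p
    return [O] + [(x, y) for x in range(p) for y in range(p) if y * y % p == rhs(x)]

def add(P, Q):
    """Chord-and-tangent addition on E."""
    if P is O: return Q
    if Q is O: return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return O
    if P == Q:
        lam = (3 * x1 * x1 + 2 * A2 * x1 + A4) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow((x2 - x1) % p, -1, p) % p
    x3 = (lam * lam - A2 - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def sq_class(u):
    """Class of u != 0 in F_p^* / (F_p^*)^2 as +1 or -1 (Euler's criterion)."""
    return 1 if pow(u % p, (p - 1) // 2, p) == 1 else -1

def e2(P, e):
    """e2(P, T) for T = (e : 0 : 1), as a class in F_p^* / (F_p^*)^2."""
    if P is O: return 1
    if P[0] == e:        # P = T: value forced by bilinearity in the second argument
        return sq_class(prod(e - r for r in ROOTS if r != e))
    return sq_class(P[0] - e)

def bilinear_in_P(pts):
    return all(e2(add(P, Q), e) == e2(P, e) * e2(Q, e)
               for e in ROOTS for P in pts for Q in pts)

def left_kernel(pts):
    return {P for P in pts if all(e2(P, e) == 1 for e in ROOTS)}

def doubles(pts):
    return {add(P, P) for P in pts}
```

With `pts = points()`, `left_kernel(pts) == doubles(pts)` is the Non-Degeneracy statement of the theorem, and the index of `doubles(pts)` in `pts` is 4 because E[2] ⊆ E(F_p).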
Remarks.
• This is sometimes called the Tate pairing. This is not quite a perfect pairing: non-degeneracy holds on the right, but not on the left.
• Since $e_2(P, T)$ is bilinear, it is easy to compute its value when $P \in E[2]$. For example, write $T_i = (e_i : 0 : 1)$ so that we find:
$$e_2(T_i, T_{i-1}) = e_i - e_{i-1}, \quad e_2(T_i, T_{i+1}) = e_i - e_{i+1} \quad \Longrightarrow \quad e_2(T_i, T_i) = e_2(T_i, T_{i-1}) \cdot e_2(T_i, T_{i+1}) = (e_i - e_{i-1})\,(e_i - e_{i+1}).$$
• If $k$ is a number field, the image in $k^\times / (k^\times)^2$ is actually finite. One uses this to conclude that $E(k)/2\,E(k)$ is finite as well. This was first shown for $k = \mathbb{Q}$ by Mordell. Say that we can write $E(k) \simeq E(k)_{\mathrm{tors}} \times \mathbb{Z}^r$ for some finite group $E(k)_{\mathrm{tors}} \simeq Z_m \times Z_n$ and some nonnegative integer $r$; this nonnegative integer is called the rank of $E$ over $k$. Then we can write
$$\frac{E(k)}{2\,E(k)} \simeq \frac{E(k)_{\mathrm{tors}}}{2\,E(k)_{\mathrm{tors}}} \times Z_2^{\,r}, \qquad \frac{E(k)_{\mathrm{tors}}}{2\,E(k)_{\mathrm{tors}}} = \begin{cases} \{1\} & \text{if } m \text{ and } n \text{ are odd,} \\ Z_2 & \text{if } m \text{ is even but } n \text{ is odd,} \\ Z_2 \times Z_2 & \text{if both } m \text{ and } n \text{ are even.} \end{cases}$$
The Theorem above concerns the case where $m$ and $n$ are both even. Hence we can determine the rank $r$ if we can determine the image of this pairing.
• There is a more general construction for each positive integer $m$:
$$e_m : \frac{E(k)}{m\,E(k)} \times E[m] \to \frac{k^\times}{(k^\times)^m} \qquad \text{assuming} \qquad E[m] \subseteq E(k).$$
This pairing is used quite often in cryptography, especially when $k = \mathbb{F}_p$ is a finite field of order $p \equiv 1 \pmod{m\,\mathbb{Z}}$ so that $E[m] \simeq Z_m \times Z_m$.
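• It is not a coincidence that the Tate pairing is defined via $f_T(Q) = X - e$. In general, say that $\phi : E \to E'$ is a nonconstant isogeny of degree $m$. We have seen that for each $T \in E'[\hat{\phi}]$, there are functions $f_T \in \overline{\mathbb{Q}}(E')$ and $g_T \in \overline{\mathbb{Q}}(E)$ such that
$$\operatorname{div}(f_T) = m\,(T) - m\,(O), \qquad \operatorname{div}(g_T) = \phi^*\bigl((T) - (O)\bigr) \quad \Longrightarrow \quad f_T \circ \phi = g_T^m.$$
You can actually choose $f_T$ and $g_T$ to have coefficients in $k$. This yields a perfect pairing
$$\frac{E'(k)}{\phi\bigl(E(k)\bigr)} \times \ker(\hat{\phi}) \longrightarrow \frac{k^\times}{(k^\times)^m}, \qquad (P, T) \mapsto f_T(P) \bmod (k^\times)^m.$$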
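• One can derive this pairing from the Weil pairing. We will see in general that the Weil pairing $e_\phi : \ker(\phi) \times \ker(\hat{\phi}) \to \mu_m$ yields a cup product on Galois cohomology:
$$H^i\bigl(G_k, E[\phi]\bigr) \times H^j\bigl(G_k, E'[\hat{\phi}]\bigr) \longrightarrow H^{i+j}\bigl(G_k, \mu_m\bigr).$$
Indeed, there is a short exact sequence
$$\{O\} \longrightarrow E[\phi] \longrightarrow E(\overline{\mathbb{Q}}) \xrightarrow{\ \phi\ } E'(\overline{\mathbb{Q}}) \longrightarrow \{O\}$$
so Galois cohomology gives the diagram
$$\begin{array}{ccccc}
\dfrac{E'(k)}{\phi\bigl(E(k)\bigr)} & \times & \ker(\hat{\phi}) & \longrightarrow & \dfrac{k^\times}{(k^\times)^m} \\[2ex]
{\scriptstyle \delta}\, \Big\downarrow & & & & \\[1ex]
H^1\bigl(G_k, E[\phi]\bigr) & \times & H^0\bigl(G_k, E'[\hat{\phi}]\bigr) & \longrightarrow & H^1\bigl(G_k, \mu_m\bigr)
\end{array}$$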