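THE WEIL PAIRING ON ELLIPTIC CURVES

Background

Non-Singular Curves. Let $k$ be a number field, that is, a finite extension of $\mathbb{Q}$; denote $\overline{\mathbb{Q}}$ as its separable algebraic closure. The absolute Galois group $G_k = \mathrm{Gal}(\overline{\mathbb{Q}}/k) = \varprojlim \mathrm{Gal}(F/k)$ is the projective limit of Galois groups associated with finite, normal separable extensions $F/k$. Let $I \subseteq k[x_1, x_2, \dots, x_n]$ be an ideal, and define the sets
$$X(\overline{\mathbb{Q}}) = \{ P \in \mathbb{A}^n(\overline{\mathbb{Q}}) \mid f(P) = 0 \text{ for all } f \in I \}$$
$$I(X) = \{ f \in \overline{\mathbb{Q}}[x_1, x_2, \dots, x_n] \mid f(P) = 0 \text{ for all } P \in X(\overline{\mathbb{Q}}) \} \supseteq I \otimes_k \overline{\mathbb{Q}}.$$
Since $G_F \subseteq G_k$ acts on $\overline{\mathbb{Q}}$, we define $X(F) = X(\overline{\mathbb{Q}})^{G_F} = X(\overline{\mathbb{Q}}) \cap \mathbb{A}^n(F)$, namely the $F$-rational points, as the points fixed by this action. We think of $X$ as a functor which takes fields $F$ to algebraic sets $X(F)$, and say that $X$ is an affine variety over $k$ if $I(X) \subseteq \overline{\mathbb{Q}}[x_1, x_2, \dots, x_n]$ is a prime ideal.

Proposition 1. Let $X$ be an affine variety over $k$, and define the integral domain $\mathcal{O}(X) = \overline{\mathbb{Q}}[x_1, x_2, \dots, x_n]/I(X)$. Then the map $X(\overline{\mathbb{Q}}) \to \mathrm{mSpec}\, \mathcal{O}(X)$ which sends $P = (a_1, a_2, \dots, a_n)$ to $\mathfrak{m}_P = \langle x_1 - a_1, x_2 - a_2, \dots, x_n - a_n \rangle$ is an isomorphism.

Proof. The map is well-defined since $\mathcal{O}/\mathfrak{m}_P \simeq \overline{\mathbb{Q}}$ is a field. Conversely, let $\mathfrak{m}$ be a maximal ideal of $\mathcal{O}$. Fix a surjection $\mathcal{O} \to \mathcal{O}/\mathfrak{m} \simeq \overline{\mathbb{Q}}$, and denote $a_i \in \overline{\mathbb{Q}}$ as the image of $x_i \in \mathcal{O}$. It is easy to check that $\mathfrak{m} = \mathfrak{m}_P$ for $P = (a_1, a_2, \dots, a_n)$.

We define $\mathcal{O} = \mathcal{O}(X)$ as the global sections of $X$ or the coordinate ring of $X$. Often, we abuse notation and write $X = \mathrm{Spec}\, \mathcal{O}$. If we denote $K = \overline{\mathbb{Q}}(X)$ as its quotient field, we define the dimension of $X$ as the transcendence degree of $K$ over $\overline{\mathbb{Q}}$. We say that $X$ is a curve if $\dim(X) = 1$.

Theorem 2. Let $X$ be a curve over $k$, and write the ideal $I = \langle f_1, f_2, \dots, f_m \rangle \subseteq K[x_1, x_2, \dots, x_n]$ so that $\dim(X) = n - m = 1$. The following are equivalent:

i. For each $P \in X(\overline{\mathbb{Q}})$, the $m \times n$ matrix
$$\mathrm{Jac}_P(X) = \begin{pmatrix} \dfrac{\partial f_1}{\partial x_1}(P) & \dfrac{\partial f_1}{\partial x_2}(P) & \cdots & \dfrac{\partial f_1}{\partial x_n}(P) \\ \dfrac{\partial f_2}{\partial x_1}(P) & \dfrac{\partial f_2}{\partial x_2}(P) & \cdots & \dfrac{\partial f_2}{\partial x_n}(P) \\ \vdots & \vdots & \ddots & \vdots \\ \dfrac{\partial f_m}{\partial x_1}(P) & \dfrac{\partial f_m}{\partial x_2}(P) & \cdots & \dfrac{\partial f_m}{\partial x_n}(P) \end{pmatrix}$$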
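yields an exact sequence:
$$\{0\} \to T_P(X) \to \mathbb{A}^n(\overline{\mathbb{Q}}) \xrightarrow{\ \mathrm{Jac}_P(X)\ } \mathbb{A}^m(\overline{\mathbb{Q}}) \to \{0\}.$$
That is, the Jacobian matrix $\mathrm{Jac}_P(X)$ has rank $m$ while the tangent space has dimension $\dim_{\overline{\mathbb{Q}}} T_P(X) = \dim(X)$.

ii. The Zariski cotangent space has dimension $\dim_{\overline{\mathbb{Q}}} \mathfrak{m}/\mathfrak{m}^2 = \dim(X)$ for each maximal ideal $\mathfrak{m} \in \mathrm{mSpec}\, \mathcal{O}$.

iii. For each $P \in X(\overline{\mathbb{Q}})$, denote $\mathcal{O}_P$ as the localization of $\mathcal{O}$ at $\mathfrak{m}_P$. Then $\mathfrak{m}_P \mathcal{O}_P$ is a principal ideal.

iv. For each $P \in X(\overline{\mathbb{Q}})$, $\mathcal{O}_P$ is a discrete valuation ring.

v. For each $P \in X(\overline{\mathbb{Q}})$, $\mathcal{O}_P$ is integrally closed.

vi. $\mathcal{O}$ is a Dedekind domain.

This is essentially a restatement of Proposition 9.2 on pages 94-95 in Atiyah-Macdonald. If any of these equivalent statements holds true, we say that $X$ is a non-singular curve.

Proof. (i) $\iff$ (ii). We have a perfect (i.e., bilinear and nondegenerate) pairing $\mathfrak{m}_P/\mathfrak{m}_P^2 \times T_P(X) \to \overline{\mathbb{Q}}$ defined by
$$\bigl(f, (b_1, b_2, \dots, b_n)\bigr) \mapsto \sum_{i=1}^{n} \frac{\partial f}{\partial x_i}(P)\, b_i.$$
Hence $\dim_{\overline{\mathbb{Q}}} \mathfrak{m}_P/\mathfrak{m}_P^2 = \dim_{\overline{\mathbb{Q}}} T_P(X) = n - m = \dim(X)$.

(ii) $\iff$ (iii). As $\mathfrak{m} = \mathfrak{m}_P$ is a maximal ideal, Nakayama's Lemma states that we can find $\varpi \in \mathfrak{m}_P$ where $\varpi \notin \mathfrak{m}_P^2$. Consider the injective map $\mathcal{O}/\mathfrak{m}_P \to \mathfrak{m}_P/\mathfrak{m}_P^2$ defined by $x \mapsto \varpi x$. Clearly this is surjective if and only if $\mathfrak{m}_P \mathcal{O}_P = \varpi\, \mathcal{O}_P$ is principal. Recall now that $\dim_{\overline{\mathbb{Q}}} \mathcal{O}/\mathfrak{m}_P = 1$.

(iii) $\implies$ (iv). Say that $\mathfrak{m}_P \mathcal{O}_P = \varpi\, \mathcal{O}_P$ as a principal ideal. In order to show that $\mathcal{O}_P$ is a discrete valuation ring, it suffices to show that any nonzero $x \in \mathcal{O}_P$ is in the form $x = \varpi^m y$ for some $m \in \mathbb{Z}$ and $y \in \mathcal{O}_P^\times$. Consider the radical of the ideal generated by $x$:
$$\sqrt{x\, \mathcal{O}_P} = \{ y \in \mathcal{O}_P \mid y^n \in x\, \mathcal{O}_P \text{ for some nonnegative integer } n \}.$$
As $\mathcal{O}_P$ has a unique nonzero prime ideal, we must have $\sqrt{x\, \mathcal{O}_P} = \mathfrak{m}_P \mathcal{O}_P$. But then there is a largest nonnegative integer $m$ such that $\varpi^{m-1} \notin x\, \mathcal{O}_P$ yet $\varpi^m \in x\, \mathcal{O}_P$. Hence $y = x/\varpi^m \in \mathcal{O}_P$ but $y \notin \mathfrak{m}_P$.

(iv) $\implies$ (v). Say that $\mathcal{O}_P$ is a discrete valuation ring. Say that $x \in K$ is a root of a polynomial equation $x^n + a_1 x^{n-1} + \cdots + a_n = 0$ for some $a_i \in \mathcal{O}_P$. Assume by way of contradiction that $x \notin \mathcal{O}_P$. Then $v_P(x) < 0$, so that $v_P(1/x) > 0$, hence $y = 1/x$ is an element of $\mathcal{O}_P$. Upon dividing by $x^{n-1}$ we have the relation
$$x = -\left( a_1 + a_2\, y + \cdots + a_n\, y^{n-1} \right) \in \mathcal{O}_P.$$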
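This contradiction shows that $\mathcal{O}_P$ is indeed integrally closed.

(v) $\implies$ (iii). Say that $\mathcal{O}_P$ is integrally closed. We must construct an element $\varpi \in \mathcal{O}_P$ such that $\mathfrak{m}_P \mathcal{O}_P = \varpi\, \mathcal{O}_P$. Fix a nonzero $x \in \mathfrak{m}_P$. By considering the radical $\sqrt{x\, \mathcal{O}_P}$ and noting that $\mathfrak{m}_P \mathcal{O}_P$ is a finitely generated $\mathcal{O}_P$-module, we see that there exists some $m \in \mathbb{Z}$ such that $\mathfrak{m}_P^m \mathcal{O}_P \subseteq x\, \mathcal{O}_P$ yet $\mathfrak{m}_P^{m-1} \mathcal{O}_P \not\subseteq x\, \mathcal{O}_P$. Choose $y \in \mathfrak{m}_P^{m-1}$ such that $y \notin x\, \mathcal{O}_P$, and let $\varpi = x/y$ be an element in $K$. Consider the module $(1/\varpi)\, \mathfrak{m}_P \mathcal{O}_P \subseteq \mathcal{O}_P$; we will show equality. As $y \notin x\, \mathcal{O}_P$, we have $1/\varpi \notin \mathcal{O}_P$, so that $1/\varpi$ is not integral over $\mathcal{O}_P$. Then $(1/\varpi)\, \mathfrak{m}_P \mathcal{O}_P$ cannot be a finitely generated $\mathcal{O}_P$-module,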
we have $(1/\varpi)\, \mathfrak{m}_P \mathcal{O}_P \not\subseteq \mathfrak{m}_P$. As there is an element of $(1/\varpi)\, \mathfrak{m}_P \mathcal{O}_P$ which is not in $\mathfrak{m}_P$, we must have equality: $(1/\varpi)\, \mathfrak{m}_P \mathcal{O}_P = \mathcal{O}_P$. Hence $\mathfrak{m}_P \mathcal{O}_P = \varpi\, \mathcal{O}_P$ as desired.

(v) $\iff$ (vi). A Dedekind domain is a Noetherian integral domain of dimension 1 that is integrally closed. But the localization $\mathcal{O}_P$ is integrally closed for each maximal ideal $\mathfrak{m}_P$ if and only if $\mathcal{O}$ is integrally closed. Consult Theorem 5.13 on page 63 of Atiyah-Macdonald.

Examples. Choose $\{a_1, a_2, a_3, a_4, a_6\} \subseteq k$, and consider the polynomial
$$f(x, y) = \left( y^2 + a_1\, x\, y + a_3\, y \right) - \left( x^3 + a_2\, x^2 + a_4\, x + a_6 \right).$$
Then $X : f(x, y) = 0$ is a curve over $K$. Define the $K$-rational numbers
$$b_2 = a_1^2 + 4\, a_2, \qquad b_4 = 2\, a_4 + a_1 a_3, \qquad b_6 = a_3^2 + 4\, a_6,$$
$$b_8 = a_1^2 a_6 + 4\, a_2 a_6 - a_1 a_3 a_4 + a_2 a_3^2 - a_4^2,$$
$$c_4 = b_2^2 - 24\, b_4, \qquad c_6 = -b_2^3 + 36\, b_2 b_4 - 216\, b_6,$$
$$\Delta = -b_2^2 b_8 - 8\, b_4^3 - 27\, b_6^2 + 9\, b_2 b_4 b_6.$$
Then $X$ is non-singular if and only if $\Delta \neq 0$.

Choose $\{a_0, a_1, a_2, a_3, a_4\} \subseteq k$, and consider the quartic polynomial $f(x) = a_4 x^4 + a_3 x^3 + a_2 x^2 + a_1 x + a_0$. Then $X : y^2 = f(x)$ is a curve over $k$. If $X$ has a $k$-rational point $P = (x_0, y_0)$, then it is birationally equivalent over $k$ to the cubic curve $v^2 = u^3 + A\, u + B$ in terms of
$$A = -\frac{a_2^2 - 3\, a_1 a_3 + 12\, a_0 a_4}{3}, \qquad B = \frac{2\, a_2^3 - 9\, a_1 a_2 a_3 + 27\, a_0 a_3^2 + 27\, a_1^2 a_4 - 72\, a_0 a_2 a_4}{27}.$$
Then $X$ is nonsingular if and only if $16\, \mathrm{disc}(f) = -16 \left( 4 A^3 + 27 B^2 \right) \neq 0$.

The Riemann-Roch Theorem

Let $X$ be a non-singular curve over $k = \mathbb{C}$. From now on, we will identify $X$ with $X(k)$, and embed $X \hookrightarrow \mathbb{C}$. We'll explain how to choose such an embedding later.

Meromorphic Functions. Let $k = \mathbb{C}$ denote the complex numbers. Let $X \subseteq \mathbb{C}$ be a compact Riemann surface. We will denote $\mathcal{O}$ as the ring of holomorphic (i.e., analytic) functions on $X$, and $K$ as the field of meromorphic functions on $X$. Let me explain.

Say that $f : U \to \mathbb{C}$ is a function defined on an open subset $U \subseteq X$. Using the embedding $X \hookrightarrow \mathbb{R} \times \mathbb{R}$ which sends $x + i\, y \mapsto (x, y)$, we say that $f$ is smooth if $f(z) = u(x, y) + i\, v(x, y)$ in terms of smooth functions $u, v : U \to \mathbb{R}$, where $z = x + i\, y$.
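We may denote the set of all such by $C^\infty(U)$. By considering the identities
$$\frac{\partial f}{\partial z} = \frac{1}{2} \left( \frac{\partial f}{\partial x} - i\, \frac{\partial f}{\partial y} \right) = \frac{1}{2} \left( \frac{\partial u}{\partial x} + \frac{\partial v}{\partial y} \right) + i\, \frac{1}{2} \left( \frac{\partial v}{\partial x} - \frac{\partial u}{\partial y} \right)$$
$$\frac{\partial f}{\partial \bar z} = \frac{1}{2} \left( \frac{\partial f}{\partial x} + i\, \frac{\partial f}{\partial y} \right) = \frac{1}{2} \left( \frac{\partial u}{\partial x} - \frac{\partial v}{\partial y} \right) + i\, \frac{1}{2} \left( \frac{\partial v}{\partial x} + \frac{\partial u}{\partial y} \right)$$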
we see that the Cauchy-Riemann Equations imply that $f(z)$ is holomorphic (or antiholomorphic, respectively) on $U$ if and only if $\partial f/\partial \bar z = 0$ (or $\partial f/\partial z = 0$, respectively). Note that $f(z)$ is holomorphic if and only if $f(\bar z)$ is antiholomorphic. Denote $\mathcal{O}(U)$ as the collection of such holomorphic functions on $U$. Since this is an integral domain, we may denote $K(U)$ as its function field; this is the collection of meromorphic functions on $U$. The following diagram may be useful:
$$\{0\} \to \mathcal{O}(U) \to K(U) \to C^\infty(U)$$
We will denote $\mathcal{O} = \mathcal{O}(X)$ and $K = K(X)$.

Meromorphic Differentials. Continue to let $U \subseteq X$ be an open subset. Denote $\Omega^0_{C^\infty}(U)$, the collection of differential 0-forms on $U$, as the set of smooth functions $f$ on $U$. Similarly, denote $\Omega^1_{C^\infty}(U)$, the collection of differential 1-forms on $U$, as the set of sums
$$\omega = f\, dx + g\, dy = \frac{f - i\, g}{2}\, dz + \frac{f + i\, g}{2}\, d\bar z$$
where $f$ and $g$ are smooth functions on $U$. Hence we have a canonical decomposition $\Omega^1_{C^\infty}(U) = \Omega^{1,0}_{C^\infty}(U) \oplus \Omega^{0,1}_{C^\infty}(U)$ as the direct sum of 1-forms in the form $\omega = f\, dz$ (or $\omega = f\, d\bar z$, respectively) where $f$ is a smooth function on $U$. In particular, $\omega \in \Omega^{1,0}_{C^\infty}(U)$ (or $\omega \in \Omega^{0,1}_{C^\infty}(U)$, respectively) if and only if $g = i\, f$ (or $g = -i\, f$), which happens if and only if $\omega(\bar z) = \mp i\, \omega(z)$. As complex conjugation acts on the set $\Omega^1_{C^\infty}(U)$ of differential 1-forms via $\omega(z) \mapsto \omega(\bar z)$, we see that we may identify $\Omega^1_{C^\infty}(U)^- = \Omega^{1,0}_{C^\infty}(U)$ and $\Omega^1_{C^\infty}(U)^+ = \Omega^{0,1}_{C^\infty}(U)$ as the eigenspaces corresponding to the eigenvalues $\mp i$, respectively.

We have a differential map $d : \Omega^0_{C^\infty}(U) \to \Omega^1_{C^\infty}(U)$ defined by
$$f \mapsto df = \frac{\partial f}{\partial z}\, dz + \frac{\partial f}{\partial \bar z}\, d\bar z.$$
We say that a 1-form $\omega$ is a holomorphic differential (or antiholomorphic differential, respectively) if $\omega = f\, dz$ (or $\omega = f\, d\bar z$, respectively) for some holomorphic (or antiholomorphic, respectively) function $f$ on $U$. Denote $\Omega(U)$ as the collection of holomorphic differentials on $U$. Similarly, we say that a 1-form $\omega$ is a meromorphic differential (or antimeromorphic differential, respectively) if $\omega = (f/g)\, dz$ (or $\omega = (f/g)\, d\bar z$, respectively) for some holomorphic (or antiholomorphic, respectively) functions $f$ and $g$ on $U$.
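Denote $\Omega_K(U)$ as the collection of meromorphic differentials on $U$. The following diagram may be useful:
$$\{0\} \to \Omega(U) \to \Omega_K(U) \to \Omega^{1,0}_{C^\infty}(U)$$
Note that $\Omega(X)$ is the collection of holomorphic differentials on $X$.

Homology Groups. Let $H_1(X, \mathbb{Z})$ denote the free abelian group of closed loops $\gamma$ in $X$. It is well known that $H_1(X, \mathbb{Z}) \simeq \mathbb{Z}^{2g}$ for some nonnegative integer $g$; we call $g$ the genus of $X$. Complex conjugation $\gamma \mapsto \bar\gamma$ acts on these closed loops, so we may consider eigenspaces corresponding to the eigenvalues $\mp 1$ (either reversing or preserving direction) generated by this involution:
$$H_1(X, \mathbb{Z}) = H_1(X, \mathbb{Z})^- \oplus H_1(X, \mathbb{Z})^+ \qquad \text{where} \qquad H_1(X, \mathbb{Z})^\pm \simeq \mathbb{Z}^g.$$
Upon tensoring with $\mathbb{C}$, we have the homology group $H_1(X, \mathbb{C}) \simeq \mathbb{C}^{2g}$, with eigenspaces $H_1(X, \mathbb{C})^\pm \simeq \mathbb{C}^g$. We have a nondegenerate, bilinear pairing
$$H_1(X, \mathbb{C})^- \times \Omega(X) \to \mathbb{C}, \qquad \Bigl( \sum_i n_i\, \gamma_i,\ \omega \Bigr) \mapsto \sum_i n_i \int_{\gamma_i} \omega.$$
Note here that $\omega$ must be a holomorphic differential on $X$, so that each loop $\gamma_i \in H_1(X, \mathbb{Z})^-$. This implies the following results: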
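Proposition 3. Let $\mathcal{O}(X)$ be the collection of such holomorphic functions on $X$, $\Omega(X)$ be the collection of holomorphic differentials on $X$, and $H_1(X, \mathbb{Z}) \simeq \mathbb{Z}^{2g}$ be the free abelian group of closed loops $\gamma$ in $X$. Then
$$\Omega(X) \simeq \mathrm{Hom}_{\mathbb{C}}\bigl( H_1(X, \mathbb{C})^-, \mathbb{C} \bigr) \simeq \mathbb{C}^g.$$
As the map $\mathcal{O} \to \Omega(X)$ defined by $f \mapsto f\, dz$ is an isomorphism, we see that $\Omega(X)$ is an $\mathcal{O}$-module of rank 1, but a complex vector space of dimension $g$.

Examples. The unit sphere is given by
$$S^2(\mathbb{R}) = \{ (u, v, w) \in \mathbb{R}^3 \mid u^2 + v^2 + w^2 = 1 \}.$$
Stereographic Projection is the map $\pi : \mathbb{C} \to S^2(\mathbb{R})$ defined by
$$\pi(z) = \left( \frac{2\, \mathrm{Re}(z)}{|z|^2 + 1},\ \frac{2\, \mathrm{Im}(z)}{|z|^2 + 1},\ \frac{|z|^2 - 1}{|z|^2 + 1} \right) \qquad \text{with inverse} \qquad \pi^{-1}(u, v, w) = \frac{u + i\, v}{1 - w}.$$
Of course, the inverse sends the north pole $(u, v, w) = (0, 0, 1)$ to $z = \infty$, so we actually find a birational equivalence between $X = \mathbb{P}^1(\mathbb{C}) = \mathbb{C} \cup \{\infty\}$ and $S^2(\mathbb{R})$. We consider $X$ a compact Riemann surface although it cannot really be imbedded in the complex plane. Consider the differential 1-form $\omega = dz$. This is clearly a holomorphic differential on $\mathbb{A}^1(\mathbb{C}) = \mathbb{C}$, but upon making the substitution
$$w = \frac{1}{z} \implies \omega = dz = -\frac{dw}{w^2}$$
we see that $\omega$ is not holomorphic on $X = \mathbb{P}^1(\mathbb{C})$. In fact, $X$ has no nonzero holomorphic differentials (only meromorphic ones!) so its genus must be $g = 0$.

Fix complex numbers $g_2, g_3$ such that $g_2^3 \neq 27\, g_3^2$. We define a meromorphic map $\wp : \mathbb{C} \to \mathbb{C}$ implicitly via the relation
$$z = \int_{\wp(z)}^{\infty} \frac{dx}{\sqrt{4 x^3 - g_2\, x - g_3}} \implies \wp'(z)^2 = 4\, \wp(z)^3 - g_2\, \wp(z) - g_3.$$
This is the Weierstrass $\wp$-function. Hence the map $z \mapsto (\wp(z), \wp'(z))$ induces a short exact sequence
$$\{0\} \to \Lambda \to \mathbb{C} \to E(\mathbb{C}) \to \{0\}$$
in terms of a lattice $\Lambda = \mathbb{Z}[\omega_1, \omega_2]$, generated by integrating around the poles of the cubic polynomial, and the complex points on the elliptic curve $E : y^2 = 4 x^3 - g_2\, x - g_3$. We have the compact Riemann surface
$$X = \{ z = m\, \omega_1 + n\, \omega_2 \in \mathbb{C} \mid 0 \le m \le 1 \text{ and } 0 \le n \le 1 \} \simeq \mathbb{C}/\Lambda \simeq E(\mathbb{C}).$$
The collection of meromorphic functions on $X \subseteq \mathbb{C}$ is $K = \mathbb{C}(\wp(z), \wp'(z))$. Note that the differential
$$\omega = dz = \frac{d\wp}{\wp'} = \frac{dx}{y} = \frac{2\, dy}{12 x^2 - g_2}$$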
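is not only meromorphic on $\mathbb{C}$, it is actually holomorphic. As this is the only such differential, we see that $\Omega(X) \simeq \mathbb{C}$ consists of constant multiples of $\omega = dx/y$. In particular, $g = 1$.

Divisors. Denote $\mathrm{Div}(X)$ as the collection of divisors; these are formal sums $\mathfrak{a} = \sum_P n_P\, P$ over the points $P \in X$, where all but finitely many of the integers $n_P$ are zero. The degree of a divisor is the integer $\deg(\mathfrak{a}) = \sum_P n_P$. There is a partial ordering on $\mathrm{Div}(X)$: given another divisor $\mathfrak{b} = \sum_P m_P\, P$, we say $\mathfrak{a} \le \mathfrak{b}$ when $n_P \le m_P$ for all points $P$.

The map $K^\times/k^\times \to \mathrm{Div}(X)$ which sends $f \mapsto \sum_P \mathrm{ord}_P(f)\, P$ is injective. In fact, we have the following short exact sequence:
$$\{1\} \to K^\times/k^\times \to \mathrm{Div}(X) \to \mathrm{Pic}(X) \to \{0\}.$$
Similarly, any nonzero meromorphic differential $\omega = f\, dz$ for some meromorphic function $f \in \mathcal{O}$, so define $\mathrm{div}(\omega) = \mathrm{div}(f) = \sum_P \mathrm{ord}_P(f)\, P$. As $\Omega(X) \simeq \mathcal{O}$, we say $\mathfrak{c} = \mathrm{div}(\omega_0)$ is a canonical divisor for any nonzero meromorphic differential $\omega_0$.

We have the following commutative diagram, where the rows and columns are exact:
$$\begin{array}{ccccccccc}
 & & \{1\} & & \{0\} & & \{0\} & & \\
 & & \downarrow & & \downarrow & & \downarrow & & \\
\{1\} & \to & K^\times/k^\times & \xrightarrow{\ \mathrm{div}\ } & \mathrm{Div}^0(X) & \to & \mathrm{Jac}(X) & \to & \{0\} \\
 & & \| & & \downarrow & & \downarrow & & \\
\{1\} & \to & K^\times/k^\times & \xrightarrow{\ \mathrm{div}\ } & \mathrm{Div}(X) & \to & \mathrm{Pic}(X) & \to & \{0\} \\
 & & \downarrow & & \downarrow {\scriptstyle \deg} & & \downarrow {\scriptstyle \deg} & & \\
\{1\} & \to & \{1\} & \xrightarrow{\ \mathrm{div}\ } & \mathrm{Div}(X)/\mathrm{Div}^0(X) & \to & \mathrm{NS}(X) & \to & \{0\} \\
 & & \downarrow & & \downarrow & & \downarrow & & \\
 & & \{1\} & & \{0\} & & \{0\} & &
\end{array}$$
The quotient group $\mathrm{Jac}(X) = \mathrm{Div}^0(X)/\mathrm{Div}(k)$ of degree 0 divisors modulo principal divisors is the Jacobian of $X$; the quotient group $\mathrm{Pic}(X) = \mathrm{Div}(X)/\mathrm{Div}(k)$ of divisors modulo principal divisors is the Picard group or the divisor class group of $X$; and the quotient group $\mathrm{NS}(X) = \mathrm{Pic}(X)/\mathrm{Jac}(X)$ is the Néron-Severi group of $X$.

Riemann-Roch Theorem. For any divisor $\mathfrak{a} = \sum_P n_P\, P$, we wish to consider the following two complex vector spaces:
$$H^0(\mathfrak{a}) = \{ f \in K^\times \mid \mathrm{div}(f) \ge -\mathfrak{a} \} \cup \{0\}, \qquad \ell(\mathfrak{a}) = \dim_{\mathbb{C}} H^0(\mathfrak{a}),$$
$$H^1(\mathfrak{a}) = \{ \omega \in \Omega_K(X) - \{0\} \mid \mathrm{div}(\omega) \ge \mathfrak{a} \} \cup \{0\}, \qquad \delta(\mathfrak{a}) = \dim_{\mathbb{C}} H^1(\mathfrak{a}),$$
$$\deg(\mathfrak{a}) = \sum_{P \in X} n_P.$$
Note the change in the signs for the ordering! The main question here concerns the relationship between $H^0(\mathfrak{a})$, $H^1(\mathfrak{a})$, and $H_1(X, \mathbb{Z})$. We have the following results:

Proposition 4. Any divisor $\mathfrak{a}$ can be written as a difference $\mathfrak{a} = \mathfrak{b} - \mathfrak{p}$ for divisors such that $\mathfrak{b}, \mathfrak{p} \ge 0$. Since $\mathfrak{a} \le \mathfrak{a} + \mathfrak{p} = \mathfrak{b}$, we have $H^0(\mathfrak{a}) \subseteq H^0(\mathfrak{b})$. One shows by induction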
that $\ell(\mathfrak{a}) \le \ell(\mathfrak{b}) \le \deg(\mathfrak{b}) + 1$. In particular, $H^0(\mathfrak{a})$ is a finite dimensional complex vector space. For each canonical divisor $\mathfrak{c} = \mathrm{div}(\omega_0)$, the map $\omega \mapsto \omega/\omega_0$ shows that $H^1(\mathfrak{a}) \simeq H^0(\mathfrak{c} - \mathfrak{a}) \implies \delta(\mathfrak{a}) = \ell(\mathfrak{c} - \mathfrak{a})$. In particular $H^1(\mathfrak{a})$ is also a finite dimensional complex vector space. Say $\mathfrak{a} = 0$ is the zero divisor. Then $H^0(0) = \mathbb{C}$ consists of the constant functions, while $H^1(0) = \Omega(X)$ consists of the holomorphic differentials. In particular, $H^0(\mathfrak{c}) \simeq H^1(0) \simeq \mathbb{C}^g$.

In the 1850's, Bernhard Riemann proved the inequality $\ell(\mathfrak{a}) \ge \deg(\mathfrak{a}) + 1 - g$. In 1864, his student, Gustav Roch, showed more precisely:

Theorem 5 (Riemann-Roch).
$$\ell(\mathfrak{a}) - \deg(\mathfrak{a}) - \ell(\mathfrak{c} - \mathfrak{a}) = \ell(\mathfrak{a}) - \deg(\mathfrak{a}) - \delta(\mathfrak{a}) = 1 - g$$
for any canonical divisor $\mathfrak{c}$.

Remarks. The paper appears in Crelle's Journal as "Über die Anzahl der willkürlichen Constanten in algebraischen Functionen". This is usually called the Riemann-Roch Theorem. Sadly, both Riemann and Roch died two years later in Italy of tuberculosis: Riemann aged 39, and Roch aged 26. In 1874, Max Noether and Alexander von Brill gave a refinement of Roch's result, and were the first to call it the Riemann-Roch Theorem. In 1929, F. K. Schmidt generalized Roch's result to algebraic curves. Subsequent generalizations were given by Friedrich Hirzebruch, Jean-Pierre Serre, and Alexander Grothendieck.

Classification via the Genus

Let me give some applications. Now we can let $k = \overline{\mathbb{Q}}$ be an algebraically closed field, $\mathcal{O}$ be a Dedekind domain, and $K$ be its quotient field. We will let $X = \mathrm{Spec}\, \mathcal{O}$ be our nonsingular curve. Recall that for any divisor $\mathfrak{a} = \sum_P n_P\, P$ we have the identity
$$\dim_k H^0(\mathfrak{a}) - \deg(\mathfrak{a}) - \dim_k H^0(\mathfrak{c} - \mathfrak{a}) = 1 - g \qquad \text{where} \qquad H^0(\mathfrak{a}) = \{ f \in K \mid \mathrm{div}(f) + \mathfrak{a} \ge 0 \}.$$
We see two facts right away regarding a canonical divisor $\mathfrak{c} = \mathrm{div}(\omega_0)$:

$g = \dim_k H^0(\mathfrak{c})$, which we see by choosing $\mathfrak{a} = 0$.

$\deg(\mathfrak{c}) = 2g - 2$, which we see by choosing $\mathfrak{a} = \mathfrak{c}$.

We will show that, in some cases, we can classify $X$ depending on the genus $g$.
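Genus 0. We show that $g = 0$ if and only if $X \simeq \mathbb{P}^1(k)$.

Proposition 6. If $X \simeq \mathbb{P}^1(k)$, then $\mathrm{Jac}(X) \simeq \{0\}$ whereas $\mathrm{Pic}(X) \simeq \mathrm{NS}(X) \simeq \mathbb{Z}$.

Proof. Choose $\mathcal{O} = k[x]$ as the polynomial ring in one variable, so that its quotient field $K = k(x)$ consists of those rational functions in one variable. Each nonzero prime ideal $\mathfrak{m}_P \subseteq \mathcal{O}$ is in the form $\mathfrak{m}_P = \langle x - a \rangle$ for some $P = a \in k$, so we have a one-to-one correspondence $\mathrm{mSpec}\, \mathcal{O} \leftrightarrow k$. We define $\mathbb{A}^1(k) = \mathrm{Spec}\, \mathcal{O}$ as the affine line over $k$. In order to make this a projective line, we add in the point at infinity: $\mathbb{P}^1(k) = \mathbb{A}^1(k) \cup \{P_\infty\}$.

Fix a nonnegative integer $d$, and consider the divisor $\mathfrak{b} = d\, P_\infty$ of the point at infinity. We show that $H^0(\mathfrak{b}) = \{ f \in K \mid \mathrm{div}(f) + \mathfrak{b} \ge 0 \}$ consists of those polynomials of degree at most $d$. As the divisor of $x \in K$ is $P_0 - P_\infty$ we see that $\mathrm{ord}_{P_\infty}(f) \ge -d$ for any polynomial $f = \sum_{i=0}^{d} a_i\, x^i$. Hence $f \in H^0(\mathfrak{b})$. Conversely, let $f \in H^0(\mathfrak{b})$. Write $f = g/h$ for some polynomials $g, h \in \mathcal{O}$. If $h$ has degree greater than 0, then it contains a nontrivial zero in $k$, so that $f$ has a pole at some point in $k$. Hence $h$ must be a constant. If $g$ has degree greater than $d$ then $\mathrm{ord}_{P_\infty}(g) < -d$. Hence $g$ has degree at most $d$. This shows in particular the equality $\ell(\mathfrak{b}) = \deg(\mathfrak{b}) + 1$.

We show that any divisor $\mathfrak{a} = \sum_P n_P\, P$ can be expressed as a sum $\mathfrak{a} = \mathfrak{b} + \mathrm{div}(f)$. Since affine points $P = \langle x - a \rangle$ for some $a \in k$, we may choose $f(x) = \prod_{a \in k} (x - a)^{n_P}$, so that
$$\mathrm{div}(f) = \sum_P \mathrm{ord}_P(f)\, P = \sum_P n_P\, (P - P_\infty) = \mathfrak{a} - d\, P_\infty$$
for $d = \deg(\mathfrak{a})$.

Proposition 7. $g = 0$ if and only if $X \simeq \mathbb{P}^1(k)$.

Proof. Let $\mathfrak{b} = 2g\, P_\infty$ be the divisor of degree $2g$ associated with the point at infinity. We have seen that $\dim_k H^0(\mathfrak{b}) = \deg(\mathfrak{b}) + 1$ in this case, so the Riemann-Roch Theorem states that $g = \dim_k H^0(\mathfrak{c} - \mathfrak{b})$. But $\deg(\mathfrak{c} - \mathfrak{b}) = -2$ so that $H^0(\mathfrak{c} - \mathfrak{b}) = \{0\}$, showing that $g = 0$.

Conversely assume that $g = 0$. We will construct a birational map $X \to \mathbb{P}^1(k)$. Let $\mathfrak{b} = P_\infty$ be the divisor of a point in $X$. Then $\deg(\mathfrak{c} - \mathfrak{b}) < 0$ so that $H^0(\mathfrak{c} - \mathfrak{b}) = \{0\}$. The Riemann-Roch Theorem states that $\ell(\mathfrak{b}) = 2$. Fix a nonconstant function $f \in H^0(\mathfrak{b})$.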
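For each $a \in k$, we note that $\mathrm{ord}_P(f - a) \ge 0$ for $P \neq P_\infty$ and $\mathrm{ord}_{P_\infty}(f - a) \ge -1$, so $\mathrm{div}(f - a) = P_a - P_\infty$ for some point $P_a$ in $X$. As $\mathcal{O}/P \simeq k$, define a map $f : X \to \mathbb{P}^1(k)$ which sends a prime ideal $P$ to the projective point $f(P) = (f \bmod P : 1)$. Note that $f(P_a) = (a : 1)$ and $f(P_\infty) = (1 : 0)$. As this map is one-to-one and onto, we see that $X \simeq \mathbb{P}^1(k)$.

Base Points. Given a divisor $\mathfrak{a} \in \mathrm{Div}(X)$, define a complete linear system as the set
$$|\mathfrak{a}| = \{ \mathfrak{b} \in \mathrm{Div}(X) \mid \mathfrak{b} \ge 0 \text{ and } \mathfrak{a} = \mathfrak{b} + \mathrm{div}(f) \text{ for some } f \in K^\times \}.$$
Note that $\deg |\mathfrak{a}| = \deg(\mathfrak{b})$ is independent of the choice of $\mathfrak{b} \in |\mathfrak{a}|$. It is easy to see that this fits into the following exact sequence:
$$\begin{array}{ccccccc}
\{1\} & \to & k^\times & \to & H^0(\mathfrak{a}) - \{0\} & \xrightarrow{\ \mathrm{div}\ } & |\mathfrak{a}| & \to & \{0\} \\
 & & \| & & & & & & \\
\{1\} & \to & k^\times & \to & \mathbb{A}^n(k) - \{0\} & \to & \mathbb{P}^{n-1}(k) & \to & \{0\}
\end{array}$$
where $n = \ell(\mathfrak{a})$. This relates affine vector spaces with projective vector spaces. In particular, the complete linear system $|\mathfrak{c}| \simeq \mathbb{P}^{g-1}(k)$ has $\deg |\mathfrak{c}| = 2(g - 1)$. We say that a point $P \in X$ is a base point if $\mathfrak{b} \ge P$ for all $\mathfrak{b} \in |\mathfrak{c}|$.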
Proposition 8. $X \simeq \mathbb{P}^1(k)$ whenever $X$ has a base point. If $g \ge 1$, then $X$ is base point free.

Proof. Say that $P$ is one such base point. If $f \in H^0(\mathfrak{c})$ is a nonzero function, then $\mathrm{div}(1/f) + \mathfrak{c} = \mathfrak{b} \ge P$ so that $\mathrm{div}(1/f) + \mathfrak{c} - P \ge 0$. Hence $H^0(\mathfrak{c}) \subseteq H^0(\mathfrak{c} - P)$, so the Riemann-Roch Theorem states that
$$\dim_k H^0(P) = 1 - g + \deg(P) + \dim_k H^0(\mathfrak{c} - P) \ge 2.$$
Let $f \in H^0(P)$ be a nonconstant function. Following the same argument as above, $\mathrm{div}(f - a) = P_a - P$, so that the map $f : X \to \mathbb{P}^1(k)$ is the desired isomorphism.

Genus 1. Assume that $k$ has characteristic different from 2 or 3.

Proposition 9. $g = 1$ if and only if $X \simeq E(k)$ for some $E : y^2 = x^3 + A\, x + B$ with $4 A^3 + 27 B^2 \neq 0$.

Proof. Assume that $g = 1$. Fix a positive integer $d$, and consider the divisor $\mathfrak{b} = d\, P_\infty$. Then $\deg(\mathfrak{c} - \mathfrak{b}) = -d < 0$, so that $H^0(\mathfrak{c} - \mathfrak{b}) = \{0\}$. The Riemann-Roch Theorem states that
$$\dim_k H^0(\mathfrak{b}) = 1 - g + \deg(\mathfrak{b}) + \dim_k H^0(\mathfrak{c} - \mathfrak{b}) = d.$$
Let $\{1, u\}$ and $\{1, u, v\}$ be bases for $H^0(2 P_\infty)$ and $H^0(3 P_\infty)$, respectively. Since the set $\{1, u, v, u^2, u v, v^2, u^3\}$ of seven functions is contained in a vector space $H^0(6 P_\infty)$ of dimension 6, we must have a linear combination in the form
$$a_1 + a_2\, u + a_3\, v + a_4\, u^2 + a_5\, u v + a_6\, v^2 + a_7\, u^3 = 0$$
for some $a_i \in k$. Note that $\{1, u, v, u^2, u v\}$ is a basis for $H^0(5 P_\infty)$ so we must have $a_6, a_7 \neq 0$. Upon making the substitutions
$$x = 3 \left( a_5^2 - 4\, a_4 a_6 - 12\, a_6 a_7\, u \right)$$
$$y = 108\, a_6 a_7 \left( a_3 + a_5\, u + 2\, a_6\, v \right)$$
$$A = 27 \left( -a_5^4 + 8\, a_4 a_5^2 a_6 - 16\, a_4^2 a_6^2 - 24\, a_3 a_5 a_6 a_7 + 48\, a_2 a_6^2 a_7 \right)$$
$$B = 54 \left( a_5^6 - 12\, a_4 a_5^4 a_6 + 48\, a_4^2 a_5^2 a_6^2 - 64\, a_4^3 a_6^3 + 36\, a_3 a_5^3 a_6 a_7 - 144\, a_3 a_4 a_5 a_6^2 a_7 - 72\, a_2 a_5^2 a_6^2 a_7 + 288\, a_2 a_4 a_6^3 a_7 + 216\, a_3^2 a_6^2 a_7^2 - 864\, a_1 a_6^3 a_7^2 \right)$$
we find the identity $y^2 = x^3 + A\, x + B$. Denote this curve by $E$.

We construct a birational map $X \to E(k)$. Choose $a, b \in k$ satisfying $b^2 = a^3 + A\, a + B$. Since $\{1, x\}$ and $\{1, x, y\}$ are bases for $H^0(2 P_\infty)$ and $H^0(3 P_\infty)$, respectively, we have
$$\mathrm{div}(x - a) = P_{a,b} + P_{a,-b} - 2\, P_\infty \qquad \text{and} \qquad \mathrm{div}(y - b) = P_{a,b} + P_{a',b} + P_{a'',b} - 3\, P_\infty.$$
As $\mathcal{O}/P \simeq k$, consider the map $f : X \to \mathbb{P}^2(k)$ which sends a prime ideal $P$ to the projective point $f(P) = (x \bmod P : y \bmod P : 1)$. Note that $f(P_{a,b}) = (a : b : 1)$ and $f(P_\infty) = (0 : 1 : 0)$. As this map is one-to-one and onto, we see that $X \simeq E(k)$.

Elliptic Curves. As before, assume that $k$ has characteristic different from 2 or 3. Fix $A, B \in k$ such that $4 A^3 + 27 B^2 \neq 0$. Let $X \subseteq \mathbb{P}^2(k)$ denote the collection of $k$-rational points on $y^2 = x^3 + A\, x + B$. We say that $X$ is an elliptic curve. We will show that $X$ is an abelian group with respect to some operation.
Theorem 10. Assume that $g = 1$. Then $X \simeq \mathrm{Jac}(X)$. In particular, $X$ is an abelian group.

Proof. This is the content of Proposition 3.4 in Chapter III.3.5 in Silverman's The Arithmetic of Elliptic Curves: we will construct a birational map $\kappa : X \to \mathrm{Jac}(X)$. Fix a point $P_\infty \in X$ and send $\kappa : X \to \mathrm{Jac}(X)$ by $P \mapsto P - P_\infty$. To see why this map is surjective, choose $\mathfrak{a} \in \mathrm{Div}^0(X)$ and set $\mathfrak{b} = \mathfrak{a} + P_\infty$. Since $\deg(\mathfrak{c} - \mathfrak{b}) < 0$, the Riemann-Roch Theorem states that
$$\dim_k H^0(\mathfrak{b}) = 1 - g + \deg(\mathfrak{b}) + \dim_k H^0(\mathfrak{c} - \mathfrak{b}) = 1.$$
Let $f \in H^0(\mathfrak{b})$ be nonzero; as this space is 1-dimensional we must have $\mathrm{div}(f) = P - \mathfrak{b}$ for some unique point $P$. Hence $\mathfrak{a} = P - P_\infty - \mathrm{div}(f)$ for some unique $P \in X$.

We explain how the group law on elliptic curves can be derived from the Riemann-Roch Theorem. Fix a point $P_\infty \in X$ and denote $O = (0 : 1 : 0)$. Given two points $P, Q \in X$ draw a line in $\mathbb{P}^2(k)$ going through them. Rather explicitly, if $P = (p_1 : p_2 : p_0)$ and $Q = (q_1 : q_2 : q_0)$, then the line is in the form $f(x_1, x_2, x_0) = 0$ in terms of the linear polynomial
$$f(x_1, x_2, x_0) = \begin{vmatrix} p_1 & p_2 & p_0 \\ q_1 & q_2 & q_0 \\ x_1 & x_2 & x_0 \end{vmatrix}.$$
It is easy to see that $\mathrm{div}(f) = P + Q + P * Q - 3\, O$ for some point $P * Q$. Now consider the line going through $P * Q$ and $P_\infty$; this is in the form $g(x_1, x_2, x_0) = 0$ for some linear polynomial. Again, it is easy to see that $\mathrm{div}(g) = P * Q + P \oplus Q + P_\infty - 3\, O$ for some point $P \oplus Q$. Hence we find that
$$(P \oplus Q) - P_\infty = (P - P_\infty) + (Q - P_\infty) - \mathrm{div}(f/g).$$
Hence the map $X \to \mathrm{Jac}(X)$ defined by $P \mapsto P - P_\infty$ yields an associative group law. Note that $P_\infty$ is the identity, which we often choose as $P_\infty = O$.

Theorem 11. Let $X$ be an elliptic curve, and let $D = \sum_{i=1}^{m} n_i\, P_i$ be a divisor on $E$. Then $D = \mathrm{div}(f)$ for some rational function $f : X \to \mathbb{P}^1$ if and only if both $\sum_{i=1}^{m} n_i = 0$ in $\mathbb{Z}$ and $\bigoplus_{i=1}^{m} [n_i] P_i = O$ in $X$. The notation $[n] P = P \oplus P \oplus \cdots \oplus P$ is the sum of $P$ repeated $n$ times in $X$.

Proof. This is the content of Corollary 3.5 in Chapter III.3.5 in Silverman's The Arithmetic of Elliptic Curves: We have seen that the map $\kappa : X \to \mathrm{Jac}(X)$ which sends $P \mapsto P - O$ is an isomorphism. Assume that $D = \mathrm{div}(f)$.
Then $\sum_i n_i = \deg D = \deg \mathrm{div}(f) = 0$, and
$$\bigoplus_i [n_i] P_i = \bigoplus_i [n_i] (P_i - O) = \kappa^{-1}(D) = \kappa^{-1}(\mathrm{div}(f)).$$

Tate Pairing and Weil Pairing

Group Law. Now let $k$ be any number field, and choose $\{a_1, a_2, a_3, a_4, a_6\} \subseteq k$. The set $E : f(x, y) = 0$ in terms of the polynomial
$$f(x, y) = \left( y^2 + a_1\, x\, y + a_3\, y \right) - \left( x^3 + a_2\, x^2 + a_4\, x + a_6 \right)$$
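is a curve over $k$. Define the $k$-rational numbers
$$b_2 = a_1^2 + 4\, a_2, \qquad b_4 = 2\, a_4 + a_1 a_3, \qquad b_6 = a_3^2 + 4\, a_6,$$
$$b_8 = a_1^2 a_6 + 4\, a_2 a_6 - a_1 a_3 a_4 + a_2 a_3^2 - a_4^2,$$
$$c_4 = b_2^2 - 24\, b_4, \qquad c_6 = -b_2^3 + 36\, b_2 b_4 - 216\, b_6,$$
$$\Delta = -b_2^2 b_8 - 8\, b_4^3 - 27\, b_6^2 + 9\, b_2 b_4 b_6.$$
Then $E$ is non-singular if and only if $\Delta \neq 0$. In this case, $E$ is an elliptic curve.

We review the group law $\oplus : E(k) \times E(k) \to E(k)$ defined above: Given two points $P = (p_1 : p_2 : p_0)$ and $Q = (q_1 : q_2 : q_0)$ in $E(k)$ draw a line $f(x_1, x_2, x_0) = 0$ in $\mathbb{P}^2(k)$ going through them in terms of the linear polynomial
$$f(x_1, x_2, x_0) = \begin{vmatrix} p_1 & p_2 & p_0 \\ q_1 & q_2 & q_0 \\ x_1 & x_2 & x_0 \end{vmatrix} \implies \mathrm{div}(f) = P + Q + P * Q - 3\, O.$$
Now consider the line going through $P * Q$ and $O$; this is in the form $g(x_1, x_2, x_0) = 0$ for some linear polynomial, where $\mathrm{div}(g) = P * Q + P \oplus Q - 2\, O$ for some point $P \oplus Q \in E(k)$.

Isogenies. Let $E$ and $E'$ be two elliptic curves defined over $k$. An isogeny is a rational map $\phi : E(\overline{\mathbb{Q}}) \to E'(\overline{\mathbb{Q}})$ defined over $k$ such that $\phi(O) = O'$. Since $\phi : E \to E'$ induces a map $\phi^* : \overline{\mathbb{Q}}(E') \to \overline{\mathbb{Q}}(E)$ which sends $f \mapsto f \circ \phi$, we define the degree of $\phi$ as the degree of the extension $\overline{\mathbb{Q}}(E)/\phi^* \overline{\mathbb{Q}}(E')$.

Theorem 12. Let $\phi : E \to E'$ be a nonconstant isogeny of degree $m$ between elliptic curves over $k$.

$\phi$ is a group homomorphism, that is, $\phi(P \oplus Q) = \phi(P) \oplus \phi(Q)$ as a sum in $E'(\overline{\mathbb{Q}})$ for any $P, Q \in E(\overline{\mathbb{Q}})$.

The map $\ker\phi \to \mathrm{Gal}\bigl( \overline{\mathbb{Q}}(E)/\phi^* \overline{\mathbb{Q}}(E') \bigr)$ which sends $T$ to the function $\tau_T^* g : P \mapsto g(P \oplus T)$ is an isomorphism. In particular, $|\ker\phi| = m$.

There exists a unique dual isogeny $\hat\phi : E' \to E$ such that the composition $\hat\phi \circ \phi = [m] : E \to E' \to E$ sends $P \mapsto [m] P$ on $E$.

Proof. The first statement is the content of Theorem 4.8 in Chapter III.4 of Silverman's The Arithmetic of Elliptic Curves: It follows from a diagram chase.
$$\begin{array}{ccc}
E(\overline{\mathbb{Q}}) & \xrightarrow{\ \phi\ } & E'(\overline{\mathbb{Q}}) \\
{\scriptstyle \kappa_1} \downarrow & & \uparrow {\scriptstyle \kappa_2^{-1}} \\
\mathrm{Jac}(E) & \xrightarrow{\ \phi_*\ } & \mathrm{Jac}(E')
\end{array}
\qquad
\begin{array}{ccc}
P \oplus Q & \mapsto & \phi(P \oplus Q) = \phi(P) \oplus \phi(Q) \\
\downarrow & & \uparrow \\
(P \oplus Q) - O = P + Q - 2\, O & \mapsto & \phi(P \oplus Q) - O' = \phi(P) + \phi(Q) - 2\, O'
\end{array}$$
For the second statement, we begin by showing the map is well-defined. Each $T \in \ker\phi$ maps to that automorphism $\tau_T^*$ which sends a function $g \in \overline{\mathbb{Q}}(E)$ to that function $\tau_T^* g : P \mapsto g(P \oplus T)$.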
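If $g \in \phi^* \overline{\mathbb{Q}}(E')$, then $g = f \circ \phi$ for some $f \in \overline{\mathbb{Q}}(E')$, so that $\tau_T^* g$ is that function which sends $P \in E(\overline{\mathbb{Q}})$ to
$$(\tau_T^* g)(P) = f\bigl( \phi(P) \oplus \phi(T) \bigr) = f\bigl( \phi(P) \oplus O' \bigr) = g(P).$$
Hence $\tau_T^*$ acts trivially on $\phi^* \overline{\mathbb{Q}}(E')$. Clearly the map $T \mapsto \tau_T^*$ is a well-defined injection. Conversely, $\deg\phi = |\phi^{-1}(Q)|$ for some $Q \in E'(\overline{\mathbb{Q}})$. Fix $P \in \phi^{-1}(Q)$. Then the map $\tau_P : \phi^{-1}(O') \to \phi^{-1}(Q)$ which sends $T \mapsto P \oplus T$ is a one-to-one correspondence, so that
$$\bigl| \mathrm{Gal}\bigl( \overline{\mathbb{Q}}(E)/\phi^* \overline{\mathbb{Q}}(E') \bigr) \bigr| = \deg\phi = |\phi^{-1}(Q)| = |\phi^{-1}(O')| = |\ker\phi|.$$
For the third statement, consider the extension $\overline{\mathbb{Q}}(E)/[m]^* \overline{\mathbb{Q}}(E)$ with Galois group $\ker [m]$. Since $[m] T = O$ for any $T \in \ker\phi$ by Lagrange's Theorem, we see that $\ker\phi \subseteq \ker [m]$. In particular, we have the following tower of fields:
$$[m]^* \overline{\mathbb{Q}}(E) \subseteq \phi^* \overline{\mathbb{Q}}(E') \subseteq \overline{\mathbb{Q}}(E)$$
This shows that the map $[m] : E \to E$ is in the form $[m] = \hat\phi \circ \phi$ for some rational map $\hat\phi : E' \to E$. Note that we have the following diagram:
$$\begin{array}{ccc}
E'(\overline{\mathbb{Q}}) & \xrightarrow{\ \hat\phi\ } & E(\overline{\mathbb{Q}}) \\
{\scriptstyle \kappa_2} \downarrow & & \uparrow {\scriptstyle \kappa_1^{-1}} \\
\mathrm{Jac}(E') & \xrightarrow{\ \phi^*\ } & \mathrm{Jac}(E)
\end{array}
\qquad
\begin{array}{ccc}
Q & \mapsto & [m] P \\
\downarrow & & \uparrow \\
Q - O' & \mapsto & \sum_{T \in \ker\phi} \bigl( (P \oplus T) - T \bigr)
\end{array}$$
for any $P \in E(\overline{\mathbb{Q}})$ such that $\phi(P) = Q$. In particular, $(\hat\phi \circ \phi)(P) = \hat\phi(Q) = [m] P$ so that $\hat\phi(O') = (\hat\phi \circ \phi)(O) = [m] O = O$. If $\hat\phi'$ is any other dual isogeny, then $(\hat\phi - \hat\phi') \circ \phi = [m] - [m] = [0]$ on $E$, so that $\hat\phi - \hat\phi' = [0]$ must be constant. This shows that $\hat\phi$ is the unique rational map with $\hat\phi \circ \phi = [m]$ and $\hat\phi(O') = O$, so $\hat\phi$ must be an isogeny.

Examples. Consider an elliptic curve $E : y^2 + a_1\, x\, y + a_3\, y = x^3 + a_2\, x^2 + a_4\, x + a_6$ where $a_i \in k$. Given a point $P = (x : y : 1)$ in $E(k)$, we have $[m] P = O$ if and only if $\psi_m(P) = 0$ in terms of the division polynomials
$$\psi_m(P) = \begin{cases}
1 & \text{for } m = 1, \\
2\, y + a_1\, x + a_3 = \sqrt{4 x^3 + b_2\, x^2 + 2\, b_4\, x + b_6} & \text{for } m = 2, \\
3 x^4 + b_2\, x^3 + 3\, b_4\, x^2 + 3\, b_6\, x + b_8 & \text{for } m = 3, \\
\psi_2(P) \left[ 2 x^6 + b_2\, x^5 + 5\, b_4\, x^4 + 10\, b_6\, x^3 + 10\, b_8\, x^2 + (b_2 b_8 - b_4 b_6)\, x + (b_4 b_8 - b_6^2) \right] & \text{for } m = 4.
\end{cases}$$
Other division polynomials can be generated by the recursive relation
$$\psi_{m+n}(P)\, \psi_{m-n}(P)\, \psi_1(P)^2 = \psi_{m+1}(P)\, \psi_{m-1}(P)\, \psi_n(P)^2 - \psi_{n+1}(P)\, \psi_{n-1}(P)\, \psi_m(P)^2$$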
for any integers $m$ and $n$. In fact, the multiplication-by-$m$ map $[m] : E(k) \to E(k)$ sends $P$ to
$$[m] P = \left( \frac{\phi_m(P)}{\psi_m(P)^2} : \frac{\omega_m(P)}{\psi_m(P)^3} : 1 \right)$$
in terms of the polynomials
$$\phi_m(P) = \begin{cases}
x & \text{for } m = 1, \\
x^4 - b_4\, x^2 - 2\, b_6\, x - b_8 & \text{for } m = 2, \\
\phi_1(P)\, \psi_m(P)^2 - \psi_{m+1}(P)\, \psi_{m-1}(P) & \text{for } m \ge 2,
\end{cases}$$
and $\omega_m(P)$, where $\omega_m(P) = y$ for $m = 1$,
$$\omega_m(P) = \frac{-a_1\, \phi_2(P)\, \psi_2(P)^2 - a_3\, \psi_2(P)^4 + \psi_4(P)}{2\, \psi_2(P)} \qquad \text{for } m = 2,$$
and ω m P = a 1 φ m P ψ m P 2 + a 3 ψ m P 3 2 + ψ m 1P 2 ψ m+2 P + ψ m 2 P ψ m+1 P 2 2 ψ 2 P for $m \ge 2$. In particular, $\deg \psi_m(P)^2 = m^2 - 1$, so that the multiplication-by-$m$ map is an isogeny of degree $m^2$. In fact, $\ker [m] \simeq Z_m \times Z_m$ and $\widehat{[m]} = [m]$.

Consider the elliptic curves
$$E : y^2 = x^3 + a\, x^2 + b\, x, \qquad E' : Y^2 = X^3 + A\, X^2 + B\, X, \qquad \text{where} \quad A = -2\, a, \quad B = a^2 - 4\, b,$$
where $a, b, A, B \in k$ satisfy $b\, B \neq 0$. It is easy to check that $T = (0 : 0 : 1)$ is a $k$-rational point of order 2, that is, $[2] T = O$. Then we have maps $\phi : E \to E'$ and $\hat\phi : E' \to E$ which send
$$\phi : (x_1 : x_2 : x_0) \mapsto \left( x_2^2\, x_0 : x_2 \left( b\, x_0^2 - x_1^2 \right) : x_1^2\, x_0 \right)$$
$$\hat\phi : (X_1 : X_2 : X_0) \mapsto \left( 2\, X_2^2\, X_0 : X_2 \left( B\, X_0^2 - X_1^2 \right) : 8\, X_1^2\, X_0 \right)$$
It is easy to check that $\ker\phi = \{ (0 : 0 : 1), (0 : 1 : 0) \} \simeq Z_2$ and that $\hat\phi \circ \phi = [2]$ is the multiplication-by-2 map. Hence both $\phi$ and $\hat\phi$ are 2-isogenies.

Let $A \subseteq E(\overline{\mathbb{Q}}) \simeq \mathbb{C}/\Lambda$ be any finite subgroup such that $G_k$ acts trivially. Then we can find an isogeny $\phi : E \to E'$ such that $\ker\phi \simeq A$. One can construct $E'$ explicitly using the cohomology group $H^1(G_k, A)$. Usually, one focuses on subgroups in the form $A \simeq Z_m \times Z_m$ or $A \simeq Z_n$, but we can certainly consider others such as $A \simeq Z_m \times Z_n$.

Weil Pairing. For any isogeny $\phi : E \to E'$ and its dual $\hat\phi : E' \to E$, the kernels $E[\phi] = \ker\phi$ and $E'[\hat\phi] = \ker\hat\phi$ are intimately related.

Theorem 13. Let $\phi : E \to E'$ be a nonconstant isogeny of degree $m$ between elliptic curves over $k$. Denote $E[\phi] = \ker\phi \subseteq E(k)$ and $E'[\hat\phi] = \ker\hat\phi \subseteq E'(k)$ as the kernels of the isogeny and its dual. Then there exists a pairing
$$e_\phi : \ker\phi \times \ker\hat\phi \to \mu_m$$
satisfying the following properties:
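Bilinearity: For all $S \in \ker\phi$ and $T \in \ker\hat\phi$, we have
$$e_\phi(S_1 \oplus S_2, T) = e_\phi(S_1, T)\, e_\phi(S_2, T), \qquad e_\phi(S, T_1 \oplus T_2) = e_\phi(S, T_1)\, e_\phi(S, T_2).$$

Non-Degenerate: If $e_\phi(S, T) = 1$ for all $S \in \ker\phi$, then $T = O'$.

Galois Invariant: $\sigma\bigl( e_\phi(S, T) \bigr) = e_\phi(\sigma S, \sigma T)$ for all $\sigma \in G_k$.

Compatibility: If $\psi : E' \to E''$ is another isogeny, then $e_{\psi \circ \phi}(P, Q) = e_\psi(\phi(P), Q)$ for all $P \in \ker(\psi \circ \phi)$ and $Q \in \ker\hat\psi$.

Proof. We follow Section III.8 on pages 92-99 and Exercise 3.15 on page 108 of Joseph Silverman's The Arithmetic of Elliptic Curves. Let $T \in \ker\hat\phi \subseteq E'[m]$. According to Theorem 11, there are functions $f_T \in \overline{\mathbb{Q}}(E')$ and $g_T \in \overline{\mathbb{Q}}(E)$ satisfying
$$\mathrm{div}(f_T) = m\, T - m\, O', \qquad \mathrm{div}(g_T) = \phi^*(T) - \phi^*(O') = \sum_{T' \in \ker\phi} \bigl( (P \oplus T') - T' \bigr)$$
where $P \in \phi^{-1}(T) \subseteq E[m]$. Since $\mathrm{div}(g_T^m) = \mathrm{div}(f_T \circ \phi)$, we may assume without loss of generality that $f_T \circ \phi = g_T^m$. For any $S \in \ker\phi$, consider the map $E(\overline{\mathbb{Q}}) \to \mathbb{P}^1(\overline{\mathbb{Q}})$ which sends $X \mapsto g_T(X \oplus S)/g_T(X)$. Since
$$g_T(X \oplus S)^m = f_T\bigl( \phi(X) \oplus \phi(S) \bigr) = f_T\bigl( \phi(X) \bigr) = g_T(X)^m,$$
we see that this map takes on only finitely many values and hence must be constant. We define the Weil pairing $e_\phi : \ker\phi \times \ker\hat\phi \to \mu_m$ as the $m$th root of unity $e_\phi(S, T) = g_T(X \oplus S)/g_T(X)$.

We show Bilinearity. For the first factor we have
$$e_\phi(S_1 \oplus S_2, T) = \frac{g_T(X \oplus S_1 \oplus S_2)}{g_T(X)} = \frac{g_T(X \oplus S_1 \oplus S_2)}{g_T(X \oplus S_2)} \cdot \frac{g_T(X \oplus S_2)}{g_T(X)} = \frac{g_T(X \oplus S_1)}{g_T(X)} \cdot \frac{g_T(X \oplus S_2)}{g_T(X)} = e_\phi(S_1, T)\, e_\phi(S_2, T).$$
For the second factor, fix $T_1, T_2 \in \ker\hat\phi$. Using Theorem 11 again, we can find functions $f_1, f_2, f_3 \in \overline{\mathbb{Q}}(E')$ and $g_1, g_2, g_3 \in \overline{\mathbb{Q}}(E)$ satisfying
$$\begin{aligned}
\mathrm{div}(f_1) &= m\, T_1 - m\, O' & \mathrm{div}(g_1) &= \phi^*(T_1) - \phi^*(O') \\
\mathrm{div}(f_2) &= m\, T_2 - m\, O' & \mathrm{div}(g_2) &= \phi^*(T_2) - \phi^*(O') \\
\mathrm{div}(f_3) &= m\, (T_1 \oplus T_2) - m\, O' & \mathrm{div}(g_3) &= \phi^*(T_1 \oplus T_2) - \phi^*(O')
\end{aligned}
\implies
\begin{aligned}
f_1 \circ \phi &= g_1^m \\
f_2 \circ \phi &= g_2^m \\
f_3 \circ \phi &= g_3^m
\end{aligned}$$
Similarly, we can find a function $h \in \overline{\mathbb{Q}}(E')$ such that $\mathrm{div}(h) = (T_1 \oplus T_2) - T_1 - T_2 + O'$, and so
$$\mathrm{div}\left( \frac{f_3}{f_1 f_2} \right) = m\, \mathrm{div}(h) \implies \frac{f_3}{f_1 f_2} = h^m \implies \left( \frac{g_3}{g_1 g_2} \right)^m = (h \circ \phi)^m.$$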
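Hence $g_3 = c\, g_1\, g_2\, (h \circ \phi)$ for some constant $c \in \overline{\mathbb{Q}}^\times$. This gives
$$e_\phi(S, T_1 \oplus T_2) = \frac{g_3(X \oplus S)}{g_3(X)} = \frac{g_1(X \oplus S)}{g_1(X)} \cdot \frac{g_2(X \oplus S)}{g_2(X)} \cdot \frac{h\bigl( \phi(X) \oplus \phi(S) \bigr)}{h\bigl( \phi(X) \bigr)} = \frac{g_1(X \oplus S)}{g_1(X)} \cdot \frac{g_2(X \oplus S)}{g_2(X)} \cdot \frac{h\bigl( \phi(X) \oplus O' \bigr)}{h\bigl( \phi(X) \bigr)} = e_\phi(S, T_1)\, e_\phi(S, T_2).$$

We show Non-Degeneracy. Say that $e_\phi(S, T) = 1$ for all $S \in \ker\phi$. Then $g_T(X \oplus S) = g_T(X)$ for all $X \in E(\overline{\mathbb{Q}})$. Following the ideas in Theorem 12, we see that $g_T \in \phi^* \overline{\mathbb{Q}}(E')$, so that $g_T = h_T \circ \phi$ for some $h_T \in \overline{\mathbb{Q}}(E')$. Since $(h_T \circ \phi)^m = g_T^m = f_T \circ \phi$, we find that $f_T = h_T^m$, and so $\mathrm{div}(h_T) = T - O'$. According to Theorem 10, we must have $T = O'$.

Galois Invariance is clear.

We show Compatibility using the following diagram:
$$E(\overline{\mathbb{Q}}) \xrightarrow{\ \phi\ } E'(\overline{\mathbb{Q}}) \xrightarrow{\ \psi\ } E''(\overline{\mathbb{Q}})$$
[Diagram: the maps above together with the kernels of $\psi \circ \phi$, $\psi$, $\phi$ and of their duals.]

Say that $\psi : E' \to E''$ is an isogeny of degree $n$. For each $Q \in \ker\hat\psi \subseteq \ker\widehat{\psi \circ \phi}$, there are functions $d_Q, f_Q \in \overline{\mathbb{Q}}(E'')$, $g_Q \in \overline{\mathbb{Q}}(E')$, and $h_Q \in \overline{\mathbb{Q}}(E)$ satisfying
$$\begin{aligned}
\mathrm{div}(d_Q) &= n\, Q - n\, O'' \\
\mathrm{div}(f_Q) &= m n\, Q - m n\, O'' \\
\mathrm{div}(g_Q) &= \psi^*(Q) - \psi^*(O'') \\
\mathrm{div}(h_Q) &= (\psi \circ \phi)^*(Q) - (\psi \circ \phi)^*(O'')
\end{aligned}
\implies
\begin{aligned}
d_Q \circ \psi &= g_Q^n \\
f_Q \circ \psi \circ \phi &= h_Q^{mn} \\
f_Q &= d_Q^m \\
g_Q \circ \phi &= h_Q
\end{aligned}$$
We define the pairings $e_\psi : \ker\psi \times \ker\hat\psi \to \mu_{mn}$ and $e_{\psi \circ \phi} : \ker(\psi \circ \phi) \times \ker\hat\psi \to \mu_{mn}$ via $e_\psi(S, Q) = g_Q(X \oplus S)/g_Q(X)$ and $e_{\psi \circ \phi}(P, Q) = h_Q(Y \oplus P)/h_Q(Y)$, respectively. If we write $X = \phi(Y)$, then
$$e_\psi(\phi(P), Q) = \frac{g_Q\bigl( X \oplus \phi(P) \bigr)}{g_Q(X)} = \frac{g_Q\bigl( \phi(Y) \oplus \phi(P) \bigr)}{g_Q\bigl( \phi(Y) \bigr)} = \frac{h_Q(Y \oplus P)}{h_Q(Y)} = e_{\psi \circ \phi}(P, Q).$$
This completes the proof.

Examples. Consider the elliptic curve
$$E : y^2 + a_1\, x\, y + a_3\, y = x^3 + a_2\, x^2 + a_4\, x + a_6$$
Say $\phi = [2]$ is the multiplication-by-2 map. Recall that the 2-division polynomial is $\psi_2(x) = 2\, y + a_1\, x + a_3 = \sqrt{4 x^3 + b_2\, x^2 + 2\, b_4\, x + b_6}$. If we denote $e$ as one of the roots of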
this polynomial, then $T = \left( e : -\frac{a_1 e + a_3}{2} : 1 \right)$ is a point of order $m = 2$. We denote the functions
$$f_T(P) = x - e, \qquad g_T(P) = \frac{\left( 4 e^2 + b_2\, e + b_4 \right) + 4\, e\, x - 2\, x^2}{2 \left( 2\, y + a_1\, x + a_3 \right)} \implies f_T\bigl( [2] P \bigr) = g_T(P)^2.$$

Consider the elliptic curves
$$E : y^2 = x^3 + a\, x^2 + b\, x, \qquad E' : Y^2 = X^3 + A\, X^2 + B\, X, \qquad \text{where} \quad A = -2\, a, \quad B = a^2 - 4\, b,$$
where $a, b, A, B \in k$ satisfy $b\, B \neq 0$. Then we have maps $\phi : E \to E'$ and $\hat\phi : E' \to E$ which send
$$\phi : (x_1 : x_2 : x_0) \mapsto \left( x_2^2\, x_0 : x_2 \left( b\, x_0^2 - x_1^2 \right) : x_1^2\, x_0 \right)$$
$$\hat\phi : (X_1 : X_2 : X_0) \mapsto \left( 2\, X_2^2\, X_0 : X_2 \left( B\, X_0^2 - X_1^2 \right) : 8\, X_1^2\, X_0 \right)$$
where $\hat\phi \circ \phi = [2]$ is the multiplication-by-2 map. Note that $\ker\phi = \{ T, O \}$ is the kernel, where $T = (0 : 0 : 1)$ is a $k$-rational point of order 2, that is, $[2] T = O$. We denote the functions
$$f_T(Q) = X, \qquad g_T(P) = \frac{y}{x} \implies f_T\bigl( \phi(P) \bigr) = g_T(P)^2.$$

There is an easy way to interpret the Weil pairing. Consider the multiplication-by-$m$ map $[m] : E \to E$. Since $E[m] \simeq Z_m \times Z_m$ over $\overline{\mathbb{Q}}$, we can choose a basis $\{T_1, T_2\}$. Then define $e_m : E[m] \times E[m] \to \mu_m$ by sending $S = [a] T_1 \oplus [b] T_2$ and $T = [c] T_1 \oplus [d] T_2$ to $\zeta_m^{ad - bc}$. The only downside to making this definition is one would have to prove that $E[m] \simeq Z_m \times Z_m$!

Tate Pairing. We discuss how a specific example of an isogeny gives information about the elliptic curve.

Theorem 14. Say that $E$ is an elliptic curve over $k$ as above. Denote the 2-division polynomial as $\psi_2(x) = 2\, y + a_1\, x + a_3 = \sqrt{4 x^3 + b_2\, x^2 + 2\, b_4\, x + b_6}$. This has distinct roots $e_1, e_2, e_3 \in \overline{\mathbb{Q}}$, and so $E : Y^2 = (X - e_1)(X - e_2)(X - e_3)$. Moreover,
$$E[2] = \{ T \in E(\overline{\mathbb{Q}}) \mid [2] T = O \} = \{ (e_1 : 0 : 1),\ (e_2 : 0 : 1),\ (e_3 : 0 : 1),\ (0 : 1 : 0) \} \simeq Z_2 \times Z_2.$$
Assume that $E[2] \subseteq E(k)$. Consider the map defined by
$$e_2 : \frac{E(k)}{2\, E(k)} \times E[2] \to \frac{k^\times}{(k^\times)^2}, \qquad (P, T) \mapsto \begin{cases} 1 & \text{if } T = O, \\ X - e & \text{otherwise;} \end{cases}$$
where $P = (X : Y : 1)$ and $T = (e : 0 : 1)$. This is a perfect pairing i.e.,
Non-Degeneracy: If $e_2(P, T) = 1$ for all $T \in E[2]$ then $P \in 2E(k)$.

Bilinearity: For all $P, Q \in E(k)$ and $T \in E[2]$ we have

\[
e_2(P \oplus Q, T) = e_2(P, T) \, e_2(Q, T), \qquad e_2(P, T_1 \oplus T_2) = e_2(P, T_1) \, e_2(P, T_2).
\]

Proof. Choose $P = (p_1 : p_2 : p_0) \in E(k)$, and say that $e_2(P, T) = 1$ for all $T \in E[2]$. To show $P \in 2E(k)$ it suffices to exhibit $P' \in E(k)$ such that $P = [2]P'$. If $P = O$ we may choose $P' = O$ as well, so assume $p_0 \neq 0$. Upon considering $T = (e : 0 : 1)$, we see that $f_i = \sqrt{p_1/p_0 - e_i} \in k$ for $i = 1, 2, 3$; we choose the signs so that $p_2/p_0 = f_1 f_2 f_3$. It is easy to check that the desired $k$-rational point is

\[
P' = \left( \frac{(e_1 - e_3)(e_2 - e_3)}{(f_1 - f_3)(f_2 - f_3)} + e_3 \; : \; \frac{(e_1 - e_2)(e_1 - e_3)(e_2 - e_3)}{(f_1 - f_2)(f_1 - f_3)(f_2 - f_3)} \; : \; 1 \right).
\]

We show $e_2(P \oplus Q, T) = e_2(P, T) \, e_2(Q, T)$. If $T = O$ there is nothing to show since $e_2(P, T) = e_2(Q, T) = e_2(P \oplus Q, T) = 1$, so assume that $T = (e : 0 : 1)$. Choose two points $P = (p_1 : p_2 : p_0)$ and $Q = (q_1 : q_2 : q_0)$ in $E(k)$. Draw a line through them, say $a x_1 + b x_2 + c x_0 = 0$, and assume that it intersects $E$ at a third point $R = (r_1 : r_2 : r_0)$. The projective curve $E$ is defined by the homogeneous polynomial

\[
F(x_1, x_2, x_0) = x_2^2 x_0 - (x_1 - e_1 x_0)(x_1 - e_2 x_0)(x_1 - e_3 x_0)
\]

so the intersection with the line $a x_1 + b x_2 + c x_0 = 0$ admits the factorization

\[
p_0 q_0 r_0 \, F(x_1, x_2, x_0) = (p_1 x_0 - p_0 x_1)(q_1 x_0 - q_0 x_1)(r_1 x_0 - r_0 x_1).
\]

When $(x_1 : x_2 : x_0) = (b e : -a e - c : b)$ is the point where the lines $a x_1 + b x_2 + c x_0 = 0$ and $x_1 - e x_0 = 0$ intersect, we have the equality

\[
b^3 \left( \frac{p_1}{p_0} - e \right) \left( \frac{q_1}{q_0} - e \right) \left( \frac{r_1}{r_0} - e \right) = F(b e, \, -a e - c, \, b) = (a e + c)^2 \, b.
\]

This implies the congruence $e_2(P, T) \, e_2(Q, T) \, e_2(R, T) \equiv 1 \bmod (k^\times)^2$. We conclude that $e_2(P \oplus Q, T) = e_2(P, T) \, e_2(Q, T)$.

We show $e_2(P, T_1 \oplus T_2) = e_2(P, T_1) \, e_2(P, T_2)$. If $T_1 = T_2$ then $e_2(P, T_1 \oplus T_2) = e_2(P, O) = 1 \equiv e_2(P, T_1)^2 = e_2(P, T_1) \, e_2(P, T_2)$. If $T_1 \neq T_2$, we may assume $T_1 = (e_1 : 0 : 1)$ and $T_2 = (e_2 : 0 : 1)$. If either $T_1$ or $T_2$ is $O$ there is nothing to show. Then $T_1 \oplus T_2 = (e_3 : 0 : 1)$.
The identity

\[
\left( \frac{p_1}{p_0} - e_1 \right) \left( \frac{p_1}{p_0} - e_2 \right) \left( \frac{p_1}{p_0} - e_3 \right) = \left( \frac{p_2}{p_0} \right)^2
\]

implies the congruence $e_2(P, T_1) \, e_2(P, T_2) \, e_2(P, T_1 \oplus T_2) \equiv 1 \bmod (k^\times)^2$. We conclude that $e_2(P, T_1 \oplus T_2) = e_2(P, T_1) \, e_2(P, T_2)$.

Remarks.

This is sometimes called the Tate pairing. This is not quite a perfect pairing: non-degeneracy holds on the right, but not on the left.
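Since $e_2(P, T)$ is bilinear, it is easy to compute its value when $P \in E[2]$. For example, write $T_i = (e_i : 0 : 1)$ so that we find:

\[
e_2(T_i, T_{i-1}) = e_i - e_{i-1}, \quad e_2(T_i, T_{i+1}) = e_i - e_{i+1} \quad \Longrightarrow \quad e_2(T_i, T_i) = e_2(T_i, T_{i-1}) \, e_2(T_i, T_{i+1}) = (e_i - e_{i-1})(e_i - e_{i+1}).
\]

If $k$ is a number field, the image in $k^\times / (k^\times)^2$ is actually finite. One uses this to conclude that $E(k)/2E(k)$ is finite as well. This was first shown for $k = \mathbb{Q}$ by Mordell. Say that we can write $E(k) \simeq E(k)_{\mathrm{tors}} \times \mathbb{Z}^r$ for some finite group $E(k)_{\mathrm{tors}} \simeq \mathbb{Z}_m \times \mathbb{Z}_n$ and some nonnegative integer $r$; this nonnegative integer is called the rank of $E$ over $k$. Then we can write

\[
\frac{E(k)}{2E(k)} \simeq \frac{E(k)_{\mathrm{tors}}}{2E(k)_{\mathrm{tors}}} \times \mathbb{Z}_2^r, \qquad
\frac{E(k)_{\mathrm{tors}}}{2E(k)_{\mathrm{tors}}} = \begin{cases} \{1\} & \text{if $m$ and $n$ are odd,} \\ \mathbb{Z}_2 & \text{if $m$ is even but $n$ is odd,} \\ \mathbb{Z}_2 \times \mathbb{Z}_2 & \text{if both $m$ and $n$ are even.} \end{cases}
\]

The Theorem above concerns the case where $m$ and $n$ are both even. Hence we can determine the rank $r$ if we can determine the image of this pairing.

There is a more general construction for each positive integer $m$:

\[
e_m : \frac{E(k)}{m E(k)} \times E[m] \to \frac{k^\times}{(k^\times)^m}
\]

assuming $E[m] \subseteq E(k)$. This pairing is used quite often in cryptography, especially when $k = \mathbb{F}_p$ is a finite field of order $p \equiv 1 \bmod m\mathbb{Z}$ so that $E[m] \simeq \mathbb{Z}_m \times \mathbb{Z}_m$.

It is not a coincidence that the Tate pairing is defined via $f_T(Q) = X - e$. In general, say that $\varphi : E \to E'$ is a nonconstant isogeny of degree $m$. We have seen that for each $T \in E'[\hat\varphi]$, there are functions $f_T \in \overline{\mathbb{Q}}(E')$ and $g_T \in \overline{\mathbb{Q}}(E)$ such that

\[
\operatorname{div}(f_T) = m \, (T) - m \, (O), \qquad \operatorname{div}(g_T) = \varphi^*\bigl((T) - (O)\bigr) \quad \Longrightarrow \quad f_T \circ \varphi = g_T^m.
\]

You can actually choose $f_T$ and $g_T$ to have coefficients in $k$. This yields a perfect pairing

\[
\frac{E'(k)}{\varphi(E(k))} \times \ker\hat\varphi \to \frac{k^\times}{(k^\times)^m}, \qquad (P, T) \mapsto f_T(P) \bmod (k^\times)^m.
\]

One can derive this pairing from the Weil pairing. We will see in general that the Weil pairing $e_\varphi : \ker\varphi \times \ker\hat\varphi \to \mu_m$ yields a cup product on Galois cohomology:

\[
H^i(G_k, E[\varphi]) \times H^j(G_k, E'[\hat\varphi]) \to H^{i+j}(G_k, \mu_m).
\]

Indeed, there is a short exact sequence

\[
\{O\} \to E[\varphi] \to E(\overline{\mathbb{Q}}) \xrightarrow{\;\varphi\;} E'(\overline{\mathbb{Q}}) \to \{O\}
\]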
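so Galois cohomology gives the diagram

[Diagram: the top row $\dfrac{E'(k)}{\varphi(E(k))} \times \ker\hat\varphi \to \dfrac{k^\times}{(k^\times)^m}$ sits above the bottom row $H^1(G_k, E[\varphi]) \times H^0(G_k, E'[\hat\varphi]) \to H^1(G_k, \mu_m)$, with the map $\delta$ from $E'(k)/\varphi(E(k))$ to $H^1(G_k, E[\varphi])$.]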
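The pairing $e_2$ of Theorem 14 in the finite-field setting mentioned in the remarks, as an added example that is not part of the original notes: it checks bilinearity and the left-kernel criterion by brute force, reading the class in $\mathbb{F}_p^\times / (\mathbb{F}_p^\times)^2$ off the Legendre symbol. The prime 23, the roots 1, 5, 12 and all function names are constructed for illustration.

```python
# Added example (not from the notes): Theorem 14's e_2 on a constructed toy curve over F_23.
from math import prod

P_MOD = 23
ROOTS = (1, 5, 12)                       # e_1, e_2, e_3: E is y^2 = (x-1)(x-5)(x-12)
O = None                                 # point at infinity
A2 = -sum(ROOTS) % P_MOD                 # E: y^2 = x^3 + A2*x^2 + A4*x + A6
A4 = (ROOTS[0]*ROOTS[1] + ROOTS[0]*ROOTS[2] + ROOTS[1]*ROOTS[2]) % P_MOD
TORSION = [O] + [(e, 0) for e in ROOTS]  # E[2], rational because the roots lie in F_p
# E(F_p) by brute force, which is fine for a toy prime
POINTS = [O] + [(x, y) for x in range(P_MOD) for y in range(P_MOD)
                if (y*y - prod(x - e for e in ROOTS)) % P_MOD == 0]

def add(P, Q):
    if P is O: return Q
    if Q is O: return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return O                         # Q = -P, including [2]T = O for T in E[2]
    if P == Q:                           # tangent slope
        lam = (3*x1*x1 + 2*A2*x1 + A4) * pow(2*y1 % P_MOD, -1, P_MOD)
    else:                                # chord slope
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD)
    x3 = (lam*lam - A2 - x1 - x2) % P_MOD
    return (x3, (lam*(x1 - x3) - y1) % P_MOD)

def legendre(v):
    """Class of nonzero v in F_p^*/(F_p^*)^2, encoded as +1 (square) or -1."""
    return 1 if pow(v % P_MOD, (P_MOD - 1)//2, P_MOD) == 1 else -1

def e2(P, T):
    """e_2(P, T) = X - e modulo squares, with e_2(P, O) = 1."""
    if P is O or T is O:
        return 1
    x, e = P[0], T[0]
    if x != e:
        return legendre(x - e)
    # P = T_i: by bilinearity e_2(T_i, T_i) = (e_i - e_{i-1})(e_i - e_{i+1})
    return legendre(prod(e - other for other in ROOTS if other != e))

def is_bilinear():
    return all(e2(add(P, Q), T) == e2(P, T) * e2(Q, T) and
               e2(P, add(S, T)) == e2(P, S) * e2(P, T)
               for P in POINTS for Q in POINTS for S in TORSION for T in TORSION)

def left_kernel_is_2E():
    """e_2(P, T) = 1 for all T in E[2] exactly when P lies in 2E(F_p)."""
    kernel = {P for P in POINTS if all(e2(P, T) == 1 for T in TORSION)}
    return kernel == {add(P, P) for P in POINTS}
```

Over $\mathbb{F}_p$ the target group has order 2, so the pairing value is a single sign; the diagonal case $P = T$ is where a naive evaluation of $X - e$ would return 0 and must be replaced by the product formula from the remarks.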