<<

. 2
( 2)



over F11 , and let n = 5. There are 10 points in E(F11 ). The point P = (3, 6)
has order 5. Let™s compute P, P 5 . Therefore, in the de¬nition of the Tate-
Lichtenbaum pairing, we have P = Q = (3, 6). Let

DP = [(3, 6)] ’ [∞], DQ = [(1, 1)] ’ [(0, 1)] = [Q1 ] ’ [Q2 ].

The divisor DQ was constructed by adding (0, 1) to Q to obtain (1, 1). This
was done so that DP and DQ have no points in common. We now use the
algorithm to compute fP (DQ ), where

div(fP ) = 5DP .

In Equation (11.7), we have R = ∞, so D0 = D1 = 0. Therefore, we take
f0 = f1 = 1. The algorithm proceeds as follows.
1. Start with i = 5, j = 0, k = 1, v0 = 1, v1 = 1.
2. Since i = 5 is odd, compute vj+k = v1 , which is already known to be 1.
Update the values of i, j, k to obtain i = 4, j = 1, k = 1, v1 = 1, v1 = 1.
3. Since i = 4 is even, compute the line tangent to E at kP = P . This
is 4x ’ y + 5 = 0. The vertical line through 2kP = 2P is x + 1 = 0.
Therefore, Equation (11.9) becomes

4x ’ y + 5
v2 = v1 · = 1 · 1 = 1.
2
x+1 DQ

Here we performed the calculation
(4x ’ y + 5)|(1,1) 8
(4x ’ y + 5)|DQ = = =2
(4x ’ y + 5)|(0,1) 4

and similarly (x + 1)|DQ = 2. Update to obtain i = 2, j = 1, k = 2, v1 =
1, v2 = 1.
4. Since i = 2 is even, use the computation of 4P = 2P + 2P to obtain

x+y+2
v4 = v2 · v2 · = 1 · 1 · 2 = 2.
x’3 DQ

Update to obtain i = 1, j = 1, k = 4, v1 = 1, v4 = 2.




© 2008 by Taylor & Francis Group, LLC
364 CHAPTER 11 DIVISORS

5. Since i = 1 is odd, use the computation of 5P = P + 4P to obtain
v5 = v1 · v4 · (x ’ 3)|DQ = 1 · 2 · (2/3) ≡ 5 (mod 11).

Therefore, the Tate-Lichtenbaum pairing of P with P is
= v5 = 5 (mod (F— )5 ),
P, P 5 11

and the modi¬ed Tate-Lichtenbaum pairing is
(11’1)/5
≡3
„5 (P, P ) = P, P (mod 11).
5

Note that, in contrast to the Weil pairing, the Tate-Lichtenbaum pairing of a
point with itself can be nontrivial.




11.5 Genus One Curves and Elliptic Curves
Let C be a nonsingular algebraic curve de¬ned over a ¬eld K. The curve C
is given as the roots in P2 of a polynomial, or as the intersection of surfaces
K
in P3 , for example, and is assumed not to be the union of two smaller such
K
curves. We can de¬ne divisors and divisors of functions on C in the same way
as we did for elliptic curves. Let
D1 = ai [Pi ], D2 = bi [Pi ]
be divisors on C. We say that
D1 ≥ D2 ⇐’ ai ≥ bi for all i.
We say that
D1 ∼ D2 ⇐’ D1 ’ D2 = div(f ) for some function f.
For a divisor D, de¬ne
L(D) = {functions f | div(f ) + D ≥ 0} ∪ {0}.
Then L(D) is a vector space over K. De¬ne
(D) = dim L(D).
For example, let D = 3[P ] ’ 2[Q]. A function f in the linear space L(D) has
at most a triple pole at P and at least a double zero at Q. Also, f cannot
have any poles other than at P , but it can have zeros other than at Q.


PROPOSITION 11.14
Let C be a nonsingular algebraic curve de¬ned over a ¬eld K, and let D, D1 ,
and D2 be divisors on C.




© 2008 by Taylor & Francis Group, LLC
365
SECTION 11.5 GENUS ONE CURVES AND ELLIPTIC CURVES

1. If deg D < 0, then L(D) = 0.

2. If D1 ∼ D2 then L(D1 ) L(D2 ).

3. L(0) = K.

4. (D) < ∞.

5. If deg(D) = 0 then (D) = 0 or 1.


PROOF Proposition 11.1 holds for all curves (see [38]), not just elliptic
curves, and we™ll use it in this more general context throughout the present
proof. For example, we need that deg(div(f )) = 0 for functions f that are
not identically 0.
If L = 0, then there exists f = 0 with

div(f ) + D ≥ 0,

which implies that

deg(D) = deg(div(f ) + D) ≥ 0.

This proves (1).
If D1 ∼ D2 , then D1 = D2 + div(g) for some g. The map

L(D1 ) ’ L(D2 )
f ’ fg

is easily seen to be an isomorphism. This proves (2).
If 0 = f ∈ L(0), then div(f ) ≥ 0. Since deg(div(f )) = 0, we must have
div(f ) = 0, which means that f has no zeros or poles. The analogue of
Proposition 11.1 says that f must be a constant. Therefore,

L(0) = K

and (0) = 1. This proves (3) and also proves (4) for D = 0.
We can get from 0 to an arbitrary divisor by adding or subtracting one point
at a time. We™ll show that each such modi¬cation changes the dimension by
at most one. Therefore, the end result will be a ¬nite dimensional vector
space.
Suppose that D1 , D2 are two divisors with D2 = D1 + [P ] for some point
P . Then
L(D1 ) ⊆ L(D2 ).
Suppose there exist g, h ∈ L(D2 ) with g, h ∈ L(D1 ). Let ’n be the coe¬cient
of [P ] in D2 . Then both g and h must have order n at P . (The order of g




© 2008 by Taylor & Francis Group, LLC
366 CHAPTER 11 DIVISORS

must be at least n. If it is larger, then g ∈ L(D1 ). Similarly for h.) Let u be
a uniformizer at P . Write

g = un g1 , h = u n h1

with g1 (P ) = c = 0, ∞ and h1 (P ) = d = 0, ∞. Then

dg ’ ch = un (dg1 ’ ch1 ),

and (dg1 ’ ch1 )(P ) = 0. Therefore, dg ’ ch has order greater than n at P , so

dg ’ ch ∈ L(D1 ).

Therefore any two such elements g, h ∈ L(D2 ) are linearly dependent mod
L(D1 ). It follows that

(D1 ) ¤ (D2 ) ¤ (D1 ) + 1.

As pointed out above, this implies (4).
To prove (5), assume deg(D) = 0. If L(D) = 0, we™re done. Otherwise,
there exists 0 = f ∈ L(D). Then

div(f ) + D ≥ 0 and deg(div(f ) + D) = 0 + 0 = 0.

Therefore,
div(f ) + D = 0.
Since D ∼ div(f ) + D = 0, we have

L(D) L(0) = K,

by (2) and (3). Therefore, (D) = 1. This proves (5).

A very fundamental result concerning divisors is the following.

THEOREM 11.15 (Riemann-Roch)
Given an algebraic curve C, there exists an integer g (called the genus of C)
and a divisor K (called a canonical divisor) such that

(D) ’ (K ’ D) = deg(D) ’ g + 1

for all divisors D.

For a proof, see [42] or [49]. The divisor K is the divisor of a di¬erential on
C.


COROLLARY 11.16

deg(K) = 2g ’ 2.




© 2008 by Taylor & Francis Group, LLC
367
SECTION 11.5 GENUS ONE CURVES AND ELLIPTIC CURVES

PROOF Letting D = 0 and D = K in the Riemann-Roch theorem, then
using (3) in Proposition 11.14, yields

(K) = deg(K) ’ g + 2.
(K) = g, and

Therefore,
deg(K) = 2g ’ 2,
as desired.

COROLLARY 11.17
If deg(D) > 2g ’ 2, then (D) = deg(D) ’ g + 1.


PROOF Since deg(K ’ D) < 0, Proposition 11.14 (1) says that (K ’ D) =
0. The Riemann-Roch theorem therefore yields the result.

COROLLARY 11.18
Let P, Q be points on C. If g ≥ 1 and [P ] ’ [Q] ∼ 0, then P = Q.

PROOF By assumption, [P ] ’ [Q] = div(f ) for some f . Assume [P ] = [Q].
Since f n has a pole of order n at Q, and since functions with di¬erent orders
of poles at Q are linearly independent, the set

{1, f, f 2 , . . . , f 2g’1 }

spans a subspace of L((2g ’ 1)[Q]) of dimension 2g. Therefore,

2g ¤ ((2g ’ 1)[Q]) = (2g ’ 1) ’ g + 1 = g,

by Corollary 11.17. Since g ≥ 1, this is a contradiction. Therefore, P = Q.


Our goal is to show that a curve C of genus one is isomorphic over K to
an elliptic curve given by a generalized Weierstrass equation. The following
will be used to construct the functions needed to map from C to the elliptic
curve.


COROLLARY 11.19
If C has genus g = 1 and deg(D) > 0, then

(D) = deg(D).

PROOF This is simply a restatement of Corollary 11.17 in the case g = 1.




© 2008 by Taylor & Francis Group, LLC
368 CHAPTER 11 DIVISORS

Choose a point P ∈ C(K). If P ∈ C(K), then it is possible to perform
the following construction using only numbers from K rather than from K.
This corresponds to the situation in Chapter 2, where we used rational points
to put certain curves into Weierstrass form. However, we™ll content ourselves
with working over K.
Corollary 11.19 says that
for all n ≥ 1.
(n[P ]) = n
Since K ⊆ L([P ]), which has dimension 1, we have
L([P ]) = K.
Since (2[P ]) = 2 > ([P ]), there exists a function f ∈ L(2[P ]) having a
double pole at P and no other poles. Since (3[P ]) = 3 > (2[P ]), there exists
a function g ∈ L(3[P ]) with a triple pole at P and no other poles. Since
functions with di¬erent order poles at P are linearly independent, we can use
f and g to give bases for several of the spaces L(n[P ]):
L([P ]) = span(1)
L(2[P ]) = span(1, f )
L(3[P ]) = span(1, f, g)
L(4[P ]) = span(1, f, g, f 2 )
L(5[P ]) = span(1, f, g, f 2 , f g).
We can write down 7 functions in the 6-dimensional space L(6[P ]), namely
1, f, g, f 2 , f g, f 3 , g 2 .
These must be linearly dependent, so there exist a0 , a1 , a2 , a3 , a4 , a6 ∈ K with
g 2 + a1 f g + a3 g = a0 f 3 + a2 f 2 + a4 f + a6 . (11.10)
Note that the coe¬cient of g 2 must be nonzero, hence can be assumed to
be 1, since the remaining functions have distinct orders of poles at P and
are therefore linearly independent. Similarly, a0 = 0. By multiplying f by a
suitable constant, we may assume that
a0 = 1.
Let E be the elliptic curve de¬ned by
y 2 + a1 xy + a3 y = x3 + a2 x2 + a4 x + a6 .
We have a map
ψ : C(K) ’ E(K)
Q ’ (f (Q), g(Q))
P ’ ∞.




© 2008 by Taylor & Francis Group, LLC
369
SECTION 11.5 GENUS ONE CURVES AND ELLIPTIC CURVES

PROPOSITION 11.20
ψ is a bijection.


PROOF Suppose Q1 = Q2 are such that ψ(Q1 ) = ψ(Q2 ), hence

f (Q1 ) = f (Q2 ) = a and g(Q1 ) = g(Q2 ) = b

for some a, b. Since f ’ a has a double pole at P and g ’ b has a triple pole
at P ,

div(f ’ a) = [Q1 ] + [Q2 ] ’ 2[P ]
div(g ’ b) = [Q1 ] + [Q2 ] + [R] ’ 3[P ]

for some R. Subtracting yields

[R] ’ [P ] = div((g ’ b)/(f ’ a)) ∼ 0.

By Corollary 11.18, this means that R = P . Therefore,

div(g ’ b) = [Q1 ] + [Q2 ] ’ 2[P ],

so g has only a double pole at P . This contradiction proves that ψ is an
injection.
To prove surjectivity, let (a, b) ∈ E(K). We want to ¬nd P with ψ(P ) =
(a, b). Since f ’ a has a double pole at P and since the divisor of a function
has degree 0, there are (not necessarily distinct) points Q1 , Q2 ∈ C(K) such
that
div(f ’ a) = [Q1 ] + [Q2 ] ’ 2[P ].
For a given x-coordinate a, there are two possible y-coordinates b and b for
points on E. If g(Qi ) = b for some i = 1, 2, we have ψ(Qi ) = (a, b) and we™re
done. Therefore, suppose

g(Q1 ) = g(Q2 ) = b .

Then ψ(Q1 ) = ψ(Q2 ) = (a, b ). Since ψ is injective, Q1 = Q2 , so

div(f ’ a) = 2[Q1 ] ’ 2[P ].

Let u be a uniformizing parameter at Q1 . Then

f ’ a = u2 f1 , g ’ b = ug1

with f1 (Q1 ) = 0, ∞ and g1 (Q1 ) = ∞ (possibly g1 (Q1 ) = 0). Substituting into
(11.10) and using the fact that (a, b ) ∈ E yields

(ug1 )(2b + a1 a + a3 ) = u2 h




© 2008 by Taylor & Francis Group, LLC
370 CHAPTER 11 DIVISORS

for some function h. Dividing by u and evaluating at Q1 shows that

g1 (Q1 ) = 0 or 2b + a1 a + a3 = 0.

If g1 (Q1 ) = 0, then g ’ b has at least a double root at Q1 , so

div(g ’ b ) = 2[Q1 ] + [R] ’ 3[P ]

for some R. Therefore,

div((g ’ b )/(f ’ a)) = [R] ’ [P ].

By Corollary 11.18, R = P . This means that g ’ b has only a double pole at
P , which is a contradiction. Therefore, g1 (Q1 ) = 0, so

‚2
(y + a1 ay + a3 y ’ a3 ’ a2 a2 ’ a4 a ’ a6 )
0 = 2b + a1 a + a3 = .
‚y y=b


This means that b is a double root, so b = b . Therefore, ψ(Q1 ) = (a, b ) =
(a, b). Therefore, ψ is surjective.

It is possible to show that not only ψ, but also ψ ’1 , is given by rational
functions. See [109, p. 64]. Since C is assumed to be nonsingular, this implies
that the equation for E is nonsingular, so E is actually an elliptic curve.
It is also possible to show that elliptic curves always have genus one. There-
fore, over algebraically closed ¬elds, genus one curves, with a base point P
speci¬ed, are the same as elliptic curves, with P being the origin for the group
law. Over nonalgebraically closed ¬elds, the situation is more complicated. A
genus one curve C such that C(K) is nonempty is an elliptic curve, but there
are genus one curves C such that C(K) is empty (see Section 8.8). These
curves are not elliptic curves over K, but become elliptic curves over certain
extensions of K.




11.6 Equivalence of the De¬nitions of the Pair-
ings
In Sections 11.2 and 11.4, we gave two de¬nitions of the Weil pairing. In this
section, we show that these de¬nitions are equivalent. Similarly, in Sections
3.4 and 11.3, we gave two de¬nitions of the Tate-Lichtenbaum pairing. We
show these are equivalent.




© 2008 by Taylor & Francis Group, LLC
371
SECTION 11.6 EQUIVALENCE OF THE DEFINITIONS OF THE PAIRINGS




11.6.1 The Weil Pairing
In this section we give the proof of Theorem 11.12, which says that the two
de¬nitions of the Weil pairing are equivalent. We let en denote the pairing
de¬ned in Section 11.2 and show that it equals the alternative de¬nition.


PROOF The following proof is based on a calculation of Weil [131, pp.
240-241].
Let V, W ∈ E[n2 ]. Let
div(fnV ) = n[nV ] ’ n[∞], gnV = fnV —¦ n,
n


be as in the de¬nition of the Weil pairing. De¬ne
fnV +nW (X) gnV +nW (X)
c(nV, vW ) = , d(V, W ) = ,
fnV (X)fnW (X ’ nV ) gnV (X)gnW (X ’ V )
where the right-hand sides are functions of the variable point X on E. The
fact that the notation does not include X on the left-hand sides is justi¬ed
by the following.


LEMMA 11.21
c(nV, nW ) and d(V, W ) are constants, and
d(V, W )n = c(nV, nW ).

PROOF Using the expressions for div(fnX ), div(gX ) on page 349, we see
that div(c(nV, nW )) = 0 and div(d(V, W )) = 0. Therefore, they are constants.
Since gnV = fnV —¦ n, we have
n

fnV +nW (nX)
d(V, W )n = = c(nV, nW ),
fnV (nX)fnW (nX ’ nV )
because c(nV, nW ) is independent of X.

The next few results relate the Weil pairing to c and d. The points U, V, W
represent elements of E[n2 ].

LEMMA 11.22
d(V, W + nU ) = d(V, W ) and d(V + nU, W ) = d(V, W )en (nU, nW ).

PROOF Since n(W + nU ) = nW , the functions gn(W +nU ) and gnW are
equal. Therefore,
gnV +nW (X)
d(V, W + nU ) = = d(V, W ).
gnV (X)gnW (X ’ V )




© 2008 by Taylor & Francis Group, LLC
372 CHAPTER 11 DIVISORS

Similarly,

gnV +nW (X)
d(V + nU, W ) =
gnV (X)gnW (X ’ V ’ nU )
gnW (X ’ V )
gnV +nW (X)
=
gnV (X)gnW (X ’ V ) gnW (X ’ V ’ nU )
= d(V, W )en (nU, nW ),

where the last equality uses the de¬nition of the Weil pairing (Equation
(11.6)).

LEMMA 11.23
d(U, V ) d(V, W )d(U + W, V )
= .
d(V, U ) d(V, U + W )d(W, V )

PROOF The de¬nition of d applied twice yields

gnU +(nV +nW ) (X) = d(U, V + W )gnU (X)gnV +nW (X ’ U )
= d(U, V + W )gnU (X)d(V, W )gnV (X ’ U )gnW (X ’ U ’ V ).

Similarly,

g(nU +nV )+nW (X) = d(U + V, W )gnU +nV (X)gnW (X ’ U ’ V )
= d(U + V, W )d(U, V )gnU (X)gnV (X ’ U )gnW (X ’ U ’ V ).

Since gnU +(nV +nW ) = g(nU +nV )+nW , we can cancel like terms and obtain

d(U, V + W )d(V, W ) = d(U + V, W )d(U, V ). (11.11)

Interchange U and V in (11.11) and divide to obtain

d(U, V + W )d(V, W )
d(U, V )
= . (11.12)
d(V, U ) d(V, U + W )d(U, W )

Now switch V and W in 11.11, solve for d(U, W ), and substitute in (11.12) to
obtain the result.


LEMMA 11.24
Let S, T ∈ E[n]. Then
c(S, T )
en (S, T ) = .
c(T, S)

PROOF Choose U, V ∈ E[n2 ] so that nU = S, nV = T . The left-hand
side of the formula in the previous lemma does not depend on W . Therefore




© 2008 by Taylor & Francis Group, LLC
373
SECTION 11.6 EQUIVALENCE OF THE DEFINITIONS OF THE PAIRINGS

we can evaluate the right-hand side at W = jU for 0 ¤ j < n and multiply
the results to obtain
n’1
n
d(U, V )
c(nU, nV ) d(V, jU )d(U + jU, V )
= = .
c(nV, nU ) d(V, U ) d(V, U + jU )d(jU, V )
j=0


All the factors in this product cancel except some of those for j = 0 and
j = n ’ 1. We obtain

d(V, ∞)d(nU, V )
c(S, T )
= .
c(T, S) d(V, nU )d(∞, V )

In the ¬rst equation of Lemma 11.22, set W = ∞ to obtain d(V, nU ) =
d(V, ∞). In the second equation of Lemma 11.22, set V = ∞ and then set
W = V to obtain d(nU, V ) = d(∞, V )e(nU, nV ). This yields the result.

We now proceed with the proof of the theorem. The de¬nition of c shows
that
fT (X)fS (X ’ T )
c(S, T )
en (S, T ) = = , (11.13)
fS (X)fT (X ’ S)
c(T, S)

which is independent of X. Let

DS = [S] ’ [∞], DT = [X0 ] ’ [X0 ’ T ],

where X0 is chosen so that DS and DT are disjoint divisors. Let FS (X) =
fS (X) and FT (X) = 1/fT (X0 ’ X). Then

div(FS ) = n[S] ’ n[∞] = nDS , div(FT ) = n[X0 ] ’ n[X0 ’ T ] = nDT .

Therefore, (11.13) yields

FT (DS )
en (S, T ) = .
FS (DT )

This shows that the theorem is true for the choice of divisors DS and DT .
We now need to consider arbitrary choices. Let DS be any divisor of degree
0 such that sum(DS ) = S and let DT be any divisor of degree 0 such that
sum(DT ) = T . Then DS = div(h1 ) + DS and DT = div(h2 ) + DT for some
functions h1 , h2 . Let FS = hn FS and FT = hn FT . Then nDS = div(FS ) and
1 2
nDT = div(FT ). First, assume that the divisors DS and DS are disjoint from
DT and DT . Then

h2 (DS )n FT (DS ) h2 (div(h1 ))n h2 (DS )n FT (div(h1 ))FT (DS )
FT (DS )
= = .
h1 (DT )n FS (DT ) h1 (div(h2 ))n h1 (DT )n FS (div(h2 ))FS (DT )
FS (DT )




© 2008 by Taylor & Francis Group, LLC
374 CHAPTER 11 DIVISORS

By Weil reciprocity (Lemma 11.11), h2 (div(h1 )) = h1 (div(h2 )). Also, Weil
reciprocity yields

h2 (DS )n = h2 (nDS ) = h2 (div(FS )) = FS (div(h2 ))

and similarly h1 (DT )n = FT (div(h1 )). Therefore, we obtain

FT (DS ) F (D )
= T S = en (S, T ).
FS (DT ) FS (DT )

If DS and DS are not necessarily disjoint from DT and DT , we can proceed
in two steps. First, let

DS = [X1 + S] ’ [X1 ], DT = [Y1 + T ] ’ [Y1 ],

where X1 and Y1 are chosen so that DS and DS are disjoint from DT and
DT and so that DS and DS are disjoint from DT and DT . The preceding
argument shows that
FT (DS ) F (D ) F (D )
= T S = T S = en (S, T ).
FS (DT ) FS (DT ) FS (DT )

This completes the proof.

For other proofs, see [69, Section 6.4] and [51].




11.6.2 The Tate-Lichtenbaum Pairing
In Section 3.4, we de¬ned the (modi¬ed) Tate-Lichtenbaum pairing in terms
of the Weil pairing. In Section 11.3, we gave an alternative de¬nition in terms
of divisors.


THEOREM 11.25
The pairings „n de¬ned in Theorem 3.17 and Theorem 11.8 are equal.

PROOF Let the notation be as in Theorem 3.17. In particular, Q ∈ E(Fq )
and nR = Q. Choose a function g such that

div(g) = n[R] ’ [Q] ’ (n ’ 1)[∞].

Let g φ denote the function obtained by applying φ to all the coe¬cients of the
rational function de¬ning g, so φ(g(X)) = g φ (φX) for all points X ∈ E(Fq ).
Since φ(Q) = Q,

div(g φ ) = n[φ(R)] ’ [Q] ’ (n ’ 1)[∞].




© 2008 by Taylor & Francis Group, LLC
375
SECTION 11.7 NONDEGENERACY OF THE TATE-LICHTENBAUM PAIRING

Therefore,
div(g/g φ ) = n[R] ’ n[φ(R)].
Let P ∈ E(Fq )[n]. By Lemma 11.9, we may choose a divisor DP of degree
0 such that sum(DP ) = P , such that DP is disjoint from ∞, Q, and R, and
such that φ(DP ) = DP (this means that φ permutes the points in DP ).
Let div(f ) = nDP . We assume that f is chosen as in Lemma 11.10, so
f (φ(R)) = φ(f (R)). In Theorem 11.12, let S = P , T = R ’ φR, DS = DP ,
DT = [R] ’ [φR], FS = f , and FT = g/g φ . Then

(g/g φ )(DP )
„n (P, Q) = en (P, R ’ φ(R)) =
f ([R] ’ [φ(R)])
q’1
f (R) g(DP ) f (R)
=φ = ,
g(DP ) f (R) g(DP )

since φ raises elements of Fq to the qth power. But

f (R)n f (∞)
= f (div(g)) = g(div(f )) = g(DP )n ,
n
f (Q) f (∞)
where the second equality is Weil reciprocity. Therefore,
n
f (R) f (Q)
f (∞)n .
=
g(DP ) f (∞)
Raising this to the power (q ’ 1)/n yields
q’1 (q’1)/n
f (R) f (Q)
f (∞)q’1 .
„n (P, Q) = =
g(DP ) f (∞)

But f (∞) ∈ Fq since f φ = f and φ(∞) = ∞. Therefore, f (∞)q’1 = 1.
De¬ne the divisor DQ = [Q] ’ [∞]. We obtain

„n (P, Q) = f (DQ )(q’1)/n ,

as desired. Since we have shown in the proof of Theorem 11.8 that the value
of „n is independent of the choice of divisors, this completes the proof.




11.7 Nondegeneracy of the Tate-Lichtenbaum
Pairing
In this section we prove that the Tate-Lichtenbaum pairing is nondegen-
erate. The proof here is partly based on a paper of Schaefer [96]. First, we
make a few remarks on pairings in general.




© 2008 by Taylor & Francis Group, LLC
376 CHAPTER 11 DIVISORS

Let n ≥ 1 and let A and B be two ¬nite abelian groups (written additively)
such that na = 0 for all a ∈ A and nb = 0 for all b ∈ B. Let , : B — A ’ µn
be a bilinear pairing. If we ¬x a ∈ A, then

ψa : b ’’ b, a

gives a homomorphism from B to µn . Let Hom(B, µn ) denote the set of
all group homomorphisms from B to µn . We can make Hom(B, µn ) into an
abelian group by de¬ning the product of ±, β ∈ Hom(B, µn ) by (± · β)(b) =
±(b) · β(b) for all b ∈ B.


LEMMA 11.26
If B is a ¬nite group (written additively) such that nb = 0 for all b ∈ B, then
#Hom(B, µn ) = #B.


First, suppose B = Zm , with m | n. If ± ∈ Hom(B, µn ), then
PROOF

±(1)m = ±(1 + · · · + 1) = ±(0) = 1.

So ±(1) is one of the m elements in µm ⊆ µn . Since 1 generates Zm , the
value of ±(1) determines ±(b) for all b. Moreover, any choice of ±(1) ∈ µm
determines a well-de¬ned homomorphism by b ’ ±(1)b . Therefore, there is a
bijection between Hom(Zm , µn ) and µm , so #Hom(Zm , µn ) = m = #B.
Now consider an arbitrary ¬nite abelian group B. By Theorem B.3 (Ap-
pendix B), B Zm1 • · · · • Zms . Since nb = 0 for all b ∈ B, we must have
mi |n for all i. There is a map

¦ : Hom(Zm1 , µn ) • · · · • Hom(Zm1 , µn ) ’’ Hom (Zm1 • · · · • Zms , µn ) ,
(11.14)

where the isomorphism maps the s-tuple (±1 , ±2 , . . . , ±s ) to the homomor-
phism given by

(b1 , b2 , . . . , bs ) ’’ ±1 (b1 )±2 (b2 ) · · · ±s (bs ).

The map
± ’’ (±1 , ±2 , . . . , ±2 ),
where ±i (bi ) = ±(0, 0, . . . , bi , . . . , 0), is the inverse of ¦, so ¦ is a bijection.
Since the group on the left side of (11.14) has order m1 m2 · · · ms = #B, we
obtain the lemma.

Part (b) of the next lemma makes our task easier since it allows us to deduce
nondegeneracy in one argument from nondegeneracy in the other.




© 2008 by Taylor & Francis Group, LLC
377
SECTION 11.7 NONDEGENERACY OF THE TATE-LICHTENBAUM PAIRING

LEMMA 11.27
Assume that the pairing , : B — A ’ µn is nondegenerate in A (that is, if
b, a = 1 for all b ∈ B, then a = 0).
(a) The map A ’ Hom(B, µn ) given by a ’ ψa is injective.
(b) If #A = #B, then the pairing is also nondegenerate in B.


PROOF Suppose ψa is the trivial homomorphism. This means that b, a =
ψa (b) = 1 for all b ∈ B. The nondegeneracy in A implies that a = 0. This
proves (a).
Let
B1 = {b ∈ B | b, a = 1 for all a ∈ A}.
Then each a ∈ A gives a well-de¬ned homomorphism βa : B/B1 ’ µn
given by βa (b mod B1 ) = b, a . If βa is the trivial homomorphism, then
b, a = 1 for all b ∈ B, which means that a = 0. Therefore, A injects
into Hom(B/B1 , µn ), which has order #B/#B1 , by Lemma 11.26. Since
#A = #B, we must have #B1 = 1. But B1 = 0 is exactly what it means for
the pairing to be nondegenerate in B. This proves (b).

A converse of part (b) of Lemma 11.27 holds.


LEMMA 11.28
Suppose , : B — A ’ µn is nondegenerate in both A and B. Then #A =
#B. In fact, A Hom(B, µn ) and B Hom(A, µn ).


PROOF By Lemma 11.27, we have an injection from A to Hom(B, µn ),
so #A ¤ #Hom(B, µn ) = #B. Reversing the roles of A and B, we have
#B ¤ #Hom(A, µn ) = #A. Therefore, #A = #B, and the injections are
isomorphisms.


LEMMA 11.29
Let M be a ¬nite abelian group and let ± : M ’ M be a homomorphism.
Then
#Ker ± = #M/#±(M ).


PROOF By Theorem B.6 (in Appendix B),

#M = (#Ker ±)(#±(M )).

The result follows.

The following technical lemma is the key to proving the nondegeneracy of
the Tate-Lichtenbaum pairing.




© 2008 by Taylor & Francis Group, LLC
378 CHAPTER 11 DIVISORS

LEMMA 11.30
Let A and B be ¬nite abelian groups (written additively) such that nx = 0
for all x ∈ A and for all x ∈ B. Suppose that there is a nondegenerate (in
both arguments) bilinear pairing

: B — A ’ µn ,
,

where µn is the group of nth roots of unity (in some ¬eld). Let C be a subgroup
of B. De¬ne

ψ : A ’’ µn
c∈C
a ’’ (· · · , c, a , · · · ) .

Then
#ψ(A) = #C.


PROOF The pairing is nondegenerate, so A Hom(B, µn ). Clearly,

Ker ψ = {a ∈ A | c, a = 1 for all c ∈ C}.

Identifying A with the set of homomorphisms from B to µn , we see that

Ker ψ = {f ∈ Hom(B, µn ) | f (C) = 1}.

But a homomorphism that sends C to 1 is exactly the same as a homo-
morphism from B/C to µn . The set of such homomorphisms has order
#(B/C) = #B/#C. Therefore (see Theorem B.6 in Appendix B)

#ψ(A) = #A/#Ker ψ = #A/#(B/C) = #C,

since #A = #B. This proves the lemma.

We can now apply the above to the elliptic curve E. Let

ψ : E[n] ’’ µn
P ∈E(Fq )[n]

Q ’’ (· · · , en (P, Q), · · · ) .


LEMMA 11.31
Let φ = φq be the qth power Frobenius endomorphism of E. Then Ker ψ =
(φ ’ 1)E[n].




© 2008 by Taylor & Francis Group, LLC
379
EXERCISES

Let Q ∈ E[n]. Then
PROOF
ψ(φQ) = (· · · , en (P, φQ), · · · )
= (· · · , en (φP, φQ), · · · ) (since φP = P for P ∈ E(Fq )[n])
= · · · , en (P, Q)φ , · · · (by part (5) of Theorem 11.7)
= (· · · , en (P, Q), · · · ) (since µn ‚ Fq )
= ψ(Q).
Therefore, ψ((φ ’ 1)Q) = 1, so (φ ’ 1)E[n] ⊆ Ker ψ. By Lemma 11.30, with
A = B = E[n] and C = E(Fq )[n], we have #ψ(E[n]) = #E(Fq )[n]. Let
Ker (φ ’ 1)|E[n] denote the kernel of the restriction of φ ’ 1 to E[n]. Then
#E(Fq )[n] = #Ker (φ ’ 1)|E[n] (since Ker(φ ’ 1) = E(Fq ))
= #E[n]/#((φ ’ 1)E[n]) (by Lemma 11.29)
≥ #E[n]/#(Ker ψ) (since (φ ’ 1)E[n] ⊆ Ker ψ)
= #ψ(E[n]) = #E(Fq )[n].
Therefore, we must have equality everywhere. In particular, Ker ψ = (φ ’
1)E[n].

We can now prove that the Tate-Lichtenbaum pairing is nondegenerate. Let
Q ∈ E(Fq ). Write Q = nR with R ∈ E(Fq ). Suppose that
„n (P, Q) = en (P, R ’ φR) = 1 for all P ∈ E(Fq )[n].
Then R ’ φR ∈ Ker ψ = (φ ’ 1)E[n]. This means that there exists T ∈ E[n]
such that R ’ φR = φT ’ T , hence φ(R + T ) = R + T . Since the points
¬xed by φ have coordinates in Fq , this implies that R + T ∈ E(Fq ). Since
Q = nR = n(R + T ), we have Q ∈ nE(Fq ). Therefore,
„n : E(Fq )[n] — E(Fq )/nE(Fq ) ’’ µn
is nondegenerate in the second variable. Since the groups E(Fq )[n] and
E(Fq )/nE(Fq ) have the same order (by Lemma 11.29 with ± = n), Lemma
11.27 implies that the pairing is also nondegenerate in the ¬rst variable. This
completes the proof of the nondegeneracy of the Tate-Lichtenbaum pairing.




Exercises
11.1 Let E be the elliptic curve y 2 = x3 ’ x over Q.
(a) Show that f (x, y) = (y 4 + 1)/(x2 + 1)3 has no zeros or poles in
E(Q).




© 2008 by Taylor & Francis Group, LLC
380 CHAPTER 11 DIVISORS

(b) Show that g(x, y) = y 4 /(x2 + 1)3 has no poles in E(Q) but does
have zeros in E(Q).
(c) Find the divisors of f and g (over Q).
11.2 Let E be an elliptic curve over a ¬eld K and let m, n be positive integers
that are not divisible by the characteristic of K. Let S ∈ E[mn] and
T ∈ E[n]. Show that

emn (S, T ) = en (mS, T ).

11.3 Suppose f is a function on an algebraic curve C such that div(f ) =
[P ] ’ [Q] for points P and Q. Show that f gives a bijection of C with
P1 .
11.4 Show that part (3) of Proposition 11.1 follows from part (2). (Hint: Let
P0 be any point and look at the function f ’ f (P0 ).)




© 2008 by Taylor & Francis Group, LLC

<<

. 2
( 2)