has order 5. Let™s compute P, P 5 . Therefore, in the de¬nition of the Tate-

Lichtenbaum pairing, we have P = Q = (3, 6). Let

DP = [(3, 6)] ’ [∞], DQ = [(1, 1)] ’ [(0, 1)] = [Q1 ] ’ [Q2 ].

The divisor DQ was constructed by adding (0, 1) to Q to obtain (1, 1). This

was done so that DP and DQ have no points in common. We now use the

algorithm to compute fP (DQ ), where

div(fP ) = 5DP .

In Equation (11.7), we have R = ∞, so D0 = D1 = 0. Therefore, we take

f0 = f1 = 1. The algorithm proceeds as follows.

1. Start with i = 5, j = 0, k = 1, v0 = 1, v1 = 1.

2. Since i = 5 is odd, compute vj+k = v1 , which is already known to be 1.

Update the values of i, j, k to obtain i = 4, j = 1, k = 1, v1 = 1, v1 = 1.

3. Since i = 4 is even, compute the line tangent to E at kP = P . This

is 4x ’ y + 5 = 0. The vertical line through 2kP = 2P is x + 1 = 0.

Therefore, Equation (11.9) becomes

4x ’ y + 5

v2 = v1 · = 1 · 1 = 1.

2

x+1 DQ

Here we performed the calculation

(4x ’ y + 5)|(1,1) 8

(4x ’ y + 5)|DQ = = =2

(4x ’ y + 5)|(0,1) 4

and similarly (x + 1)|DQ = 2. Update to obtain i = 2, j = 1, k = 2, v1 =

1, v2 = 1.

4. Since i = 2 is even, use the computation of 4P = 2P + 2P to obtain

x+y+2

v4 = v2 · v2 · = 1 · 1 · 2 = 2.

x’3 DQ

Update to obtain i = 1, j = 1, k = 4, v1 = 1, v4 = 2.

© 2008 by Taylor & Francis Group, LLC

364 CHAPTER 11 DIVISORS

5. Since i = 1 is odd, use the computation of 5P = P + 4P to obtain

v5 = v1 · v4 · (x ’ 3)|DQ = 1 · 2 · (2/3) ≡ 5 (mod 11).

Therefore, the Tate-Lichtenbaum pairing of P with P is

= v5 = 5 (mod (F— )5 ),

P, P 5 11

and the modi¬ed Tate-Lichtenbaum pairing is

(11’1)/5

≡3

„5 (P, P ) = P, P (mod 11).

5

Note that, in contrast to the Weil pairing, the Tate-Lichtenbaum pairing of a

point with itself can be nontrivial.

11.5 Genus One Curves and Elliptic Curves

Let C be a nonsingular algebraic curve de¬ned over a ¬eld K. The curve C

is given as the roots in P2 of a polynomial, or as the intersection of surfaces

K

in P3 , for example, and is assumed not to be the union of two smaller such

K

curves. We can de¬ne divisors and divisors of functions on C in the same way

as we did for elliptic curves. Let

D1 = ai [Pi ], D2 = bi [Pi ]

be divisors on C. We say that

D1 ≥ D2 ⇐’ ai ≥ bi for all i.

We say that

D1 ∼ D2 ⇐’ D1 ’ D2 = div(f ) for some function f.

For a divisor D, de¬ne

L(D) = {functions f | div(f ) + D ≥ 0} ∪ {0}.

Then L(D) is a vector space over K. De¬ne

(D) = dim L(D).

For example, let D = 3[P ] ’ 2[Q]. A function f in the linear space L(D) has

at most a triple pole at P and at least a double zero at Q. Also, f cannot

have any poles other than at P , but it can have zeros other than at Q.

PROPOSITION 11.14

Let C be a nonsingular algebraic curve de¬ned over a ¬eld K, and let D, D1 ,

and D2 be divisors on C.

© 2008 by Taylor & Francis Group, LLC

365

SECTION 11.5 GENUS ONE CURVES AND ELLIPTIC CURVES

1. If deg D < 0, then L(D) = 0.

2. If D1 ∼ D2 then L(D1 ) L(D2 ).

3. L(0) = K.

4. (D) < ∞.

5. If deg(D) = 0 then (D) = 0 or 1.

PROOF Proposition 11.1 holds for all curves (see [38]), not just elliptic

curves, and we™ll use it in this more general context throughout the present

proof. For example, we need that deg(div(f )) = 0 for functions f that are

not identically 0.

If L = 0, then there exists f = 0 with

div(f ) + D ≥ 0,

which implies that

deg(D) = deg(div(f ) + D) ≥ 0.

This proves (1).

If D1 ∼ D2 , then D1 = D2 + div(g) for some g. The map

L(D1 ) ’ L(D2 )

f ’ fg

is easily seen to be an isomorphism. This proves (2).

If 0 = f ∈ L(0), then div(f ) ≥ 0. Since deg(div(f )) = 0, we must have

div(f ) = 0, which means that f has no zeros or poles. The analogue of

Proposition 11.1 says that f must be a constant. Therefore,

L(0) = K

and (0) = 1. This proves (3) and also proves (4) for D = 0.

We can get from 0 to an arbitrary divisor by adding or subtracting one point

at a time. We™ll show that each such modi¬cation changes the dimension by

at most one. Therefore, the end result will be a ¬nite dimensional vector

space.

Suppose that D1 , D2 are two divisors with D2 = D1 + [P ] for some point

P . Then

L(D1 ) ⊆ L(D2 ).

Suppose there exist g, h ∈ L(D2 ) with g, h ∈ L(D1 ). Let ’n be the coe¬cient

of [P ] in D2 . Then both g and h must have order n at P . (The order of g

© 2008 by Taylor & Francis Group, LLC

366 CHAPTER 11 DIVISORS

must be at least n. If it is larger, then g ∈ L(D1 ). Similarly for h.) Let u be

a uniformizer at P . Write

g = un g1 , h = u n h1

with g1 (P ) = c = 0, ∞ and h1 (P ) = d = 0, ∞. Then

dg ’ ch = un (dg1 ’ ch1 ),

and (dg1 ’ ch1 )(P ) = 0. Therefore, dg ’ ch has order greater than n at P , so

dg ’ ch ∈ L(D1 ).

Therefore any two such elements g, h ∈ L(D2 ) are linearly dependent mod

L(D1 ). It follows that

(D1 ) ¤ (D2 ) ¤ (D1 ) + 1.

As pointed out above, this implies (4).

To prove (5), assume deg(D) = 0. If L(D) = 0, we™re done. Otherwise,

there exists 0 = f ∈ L(D). Then

div(f ) + D ≥ 0 and deg(div(f ) + D) = 0 + 0 = 0.

Therefore,

div(f ) + D = 0.

Since D ∼ div(f ) + D = 0, we have

L(D) L(0) = K,

by (2) and (3). Therefore, (D) = 1. This proves (5).

A very fundamental result concerning divisors is the following.

THEOREM 11.15 (Riemann-Roch)

Given an algebraic curve C, there exists an integer g (called the genus of C)

and a divisor K (called a canonical divisor) such that

(D) ’ (K ’ D) = deg(D) ’ g + 1

for all divisors D.

For a proof, see [42] or [49]. The divisor K is the divisor of a di¬erential on

C.

COROLLARY 11.16

deg(K) = 2g ’ 2.

© 2008 by Taylor & Francis Group, LLC

367

SECTION 11.5 GENUS ONE CURVES AND ELLIPTIC CURVES

PROOF Letting D = 0 and D = K in the Riemann-Roch theorem, then

using (3) in Proposition 11.14, yields

(K) = deg(K) ’ g + 2.

(K) = g, and

Therefore,

deg(K) = 2g ’ 2,

as desired.

COROLLARY 11.17

If deg(D) > 2g ’ 2, then (D) = deg(D) ’ g + 1.

PROOF Since deg(K ’ D) < 0, Proposition 11.14 (1) says that (K ’ D) =

0. The Riemann-Roch theorem therefore yields the result.

COROLLARY 11.18

Let P, Q be points on C. If g ≥ 1 and [P ] ’ [Q] ∼ 0, then P = Q.

PROOF By assumption, [P ] ’ [Q] = div(f ) for some f . Assume [P ] = [Q].

Since f n has a pole of order n at Q, and since functions with di¬erent orders

of poles at Q are linearly independent, the set

{1, f, f 2 , . . . , f 2g’1 }

spans a subspace of L((2g ’ 1)[Q]) of dimension 2g. Therefore,

2g ¤ ((2g ’ 1)[Q]) = (2g ’ 1) ’ g + 1 = g,

by Corollary 11.17. Since g ≥ 1, this is a contradiction. Therefore, P = Q.

Our goal is to show that a curve C of genus one is isomorphic over K to

an elliptic curve given by a generalized Weierstrass equation. The following

will be used to construct the functions needed to map from C to the elliptic

curve.

COROLLARY 11.19

If C has genus g = 1 and deg(D) > 0, then

(D) = deg(D).

PROOF This is simply a restatement of Corollary 11.17 in the case g = 1.

© 2008 by Taylor & Francis Group, LLC

368 CHAPTER 11 DIVISORS

Choose a point P ∈ C(K). If P ∈ C(K), then it is possible to perform

the following construction using only numbers from K rather than from K.

This corresponds to the situation in Chapter 2, where we used rational points

to put certain curves into Weierstrass form. However, we™ll content ourselves

with working over K.

Corollary 11.19 says that

for all n ≥ 1.

(n[P ]) = n

Since K ⊆ L([P ]), which has dimension 1, we have

L([P ]) = K.

Since (2[P ]) = 2 > ([P ]), there exists a function f ∈ L(2[P ]) having a

double pole at P and no other poles. Since (3[P ]) = 3 > (2[P ]), there exists

a function g ∈ L(3[P ]) with a triple pole at P and no other poles. Since

functions with di¬erent order poles at P are linearly independent, we can use

f and g to give bases for several of the spaces L(n[P ]):

L([P ]) = span(1)

L(2[P ]) = span(1, f )

L(3[P ]) = span(1, f, g)

L(4[P ]) = span(1, f, g, f 2 )

L(5[P ]) = span(1, f, g, f 2 , f g).

We can write down 7 functions in the 6-dimensional space L(6[P ]), namely

1, f, g, f 2 , f g, f 3 , g 2 .

These must be linearly dependent, so there exist a0 , a1 , a2 , a3 , a4 , a6 ∈ K with

g 2 + a1 f g + a3 g = a0 f 3 + a2 f 2 + a4 f + a6 . (11.10)

Note that the coe¬cient of g 2 must be nonzero, hence can be assumed to

be 1, since the remaining functions have distinct orders of poles at P and

are therefore linearly independent. Similarly, a0 = 0. By multiplying f by a

suitable constant, we may assume that

a0 = 1.

Let E be the elliptic curve de¬ned by

y 2 + a1 xy + a3 y = x3 + a2 x2 + a4 x + a6 .

We have a map

ψ : C(K) ’ E(K)

Q ’ (f (Q), g(Q))

P ’ ∞.

© 2008 by Taylor & Francis Group, LLC

369

SECTION 11.5 GENUS ONE CURVES AND ELLIPTIC CURVES

PROPOSITION 11.20

ψ is a bijection.

PROOF Suppose Q1 = Q2 are such that ψ(Q1 ) = ψ(Q2 ), hence

f (Q1 ) = f (Q2 ) = a and g(Q1 ) = g(Q2 ) = b

for some a, b. Since f ’ a has a double pole at P and g ’ b has a triple pole

at P ,

div(f ’ a) = [Q1 ] + [Q2 ] ’ 2[P ]

div(g ’ b) = [Q1 ] + [Q2 ] + [R] ’ 3[P ]

for some R. Subtracting yields

[R] ’ [P ] = div((g ’ b)/(f ’ a)) ∼ 0.

By Corollary 11.18, this means that R = P . Therefore,

div(g ’ b) = [Q1 ] + [Q2 ] ’ 2[P ],

so g has only a double pole at P . This contradiction proves that ψ is an

injection.

To prove surjectivity, let (a, b) ∈ E(K). We want to ¬nd P with ψ(P ) =

(a, b). Since f ’ a has a double pole at P and since the divisor of a function

has degree 0, there are (not necessarily distinct) points Q1 , Q2 ∈ C(K) such

that

div(f ’ a) = [Q1 ] + [Q2 ] ’ 2[P ].

For a given x-coordinate a, there are two possible y-coordinates b and b for

points on E. If g(Qi ) = b for some i = 1, 2, we have ψ(Qi ) = (a, b) and we™re

done. Therefore, suppose

g(Q1 ) = g(Q2 ) = b .

Then ψ(Q1 ) = ψ(Q2 ) = (a, b ). Since ψ is injective, Q1 = Q2 , so

div(f ’ a) = 2[Q1 ] ’ 2[P ].

Let u be a uniformizing parameter at Q1 . Then

f ’ a = u2 f1 , g ’ b = ug1

with f1 (Q1 ) = 0, ∞ and g1 (Q1 ) = ∞ (possibly g1 (Q1 ) = 0). Substituting into

(11.10) and using the fact that (a, b ) ∈ E yields

(ug1 )(2b + a1 a + a3 ) = u2 h

© 2008 by Taylor & Francis Group, LLC

370 CHAPTER 11 DIVISORS

for some function h. Dividing by u and evaluating at Q1 shows that

g1 (Q1 ) = 0 or 2b + a1 a + a3 = 0.

If g1 (Q1 ) = 0, then g ’ b has at least a double root at Q1 , so

div(g ’ b ) = 2[Q1 ] + [R] ’ 3[P ]

for some R. Therefore,

div((g ’ b )/(f ’ a)) = [R] ’ [P ].

By Corollary 11.18, R = P . This means that g ’ b has only a double pole at

P , which is a contradiction. Therefore, g1 (Q1 ) = 0, so

‚2

(y + a1 ay + a3 y ’ a3 ’ a2 a2 ’ a4 a ’ a6 )

0 = 2b + a1 a + a3 = .

‚y y=b

This means that b is a double root, so b = b . Therefore, ψ(Q1 ) = (a, b ) =

(a, b). Therefore, ψ is surjective.

It is possible to show that not only ψ, but also ψ ’1 , is given by rational

functions. See [109, p. 64]. Since C is assumed to be nonsingular, this implies

that the equation for E is nonsingular, so E is actually an elliptic curve.

It is also possible to show that elliptic curves always have genus one. There-

fore, over algebraically closed ¬elds, genus one curves, with a base point P

speci¬ed, are the same as elliptic curves, with P being the origin for the group

law. Over nonalgebraically closed ¬elds, the situation is more complicated. A

genus one curve C such that C(K) is nonempty is an elliptic curve, but there

are genus one curves C such that C(K) is empty (see Section 8.8). These

curves are not elliptic curves over K, but become elliptic curves over certain

extensions of K.

11.6 Equivalence of the De¬nitions of the Pair-

ings

In Sections 11.2 and 11.4, we gave two de¬nitions of the Weil pairing. In this

section, we show that these de¬nitions are equivalent. Similarly, in Sections

3.4 and 11.3, we gave two de¬nitions of the Tate-Lichtenbaum pairing. We

show these are equivalent.

© 2008 by Taylor & Francis Group, LLC

371

SECTION 11.6 EQUIVALENCE OF THE DEFINITIONS OF THE PAIRINGS

11.6.1 The Weil Pairing

In this section we give the proof of Theorem 11.12, which says that the two

de¬nitions of the Weil pairing are equivalent. We let en denote the pairing

de¬ned in Section 11.2 and show that it equals the alternative de¬nition.

PROOF The following proof is based on a calculation of Weil [131, pp.

240-241].

Let V, W ∈ E[n2 ]. Let

div(fnV ) = n[nV ] ’ n[∞], gnV = fnV —¦ n,

n

be as in the de¬nition of the Weil pairing. De¬ne

fnV +nW (X) gnV +nW (X)

c(nV, vW ) = , d(V, W ) = ,

fnV (X)fnW (X ’ nV ) gnV (X)gnW (X ’ V )

where the right-hand sides are functions of the variable point X on E. The

fact that the notation does not include X on the left-hand sides is justi¬ed

by the following.

LEMMA 11.21

c(nV, nW ) and d(V, W ) are constants, and

d(V, W )n = c(nV, nW ).

PROOF Using the expressions for div(fnX ), div(gX ) on page 349, we see

that div(c(nV, nW )) = 0 and div(d(V, W )) = 0. Therefore, they are constants.

Since gnV = fnV —¦ n, we have

n

fnV +nW (nX)

d(V, W )n = = c(nV, nW ),

fnV (nX)fnW (nX ’ nV )

because c(nV, nW ) is independent of X.

The next few results relate the Weil pairing to c and d. The points U, V, W

represent elements of E[n2 ].

LEMMA 11.22

d(V, W + nU ) = d(V, W ) and d(V + nU, W ) = d(V, W )en (nU, nW ).

PROOF Since n(W + nU ) = nW , the functions gn(W +nU ) and gnW are

equal. Therefore,

gnV +nW (X)

d(V, W + nU ) = = d(V, W ).

gnV (X)gnW (X ’ V )

© 2008 by Taylor & Francis Group, LLC

372 CHAPTER 11 DIVISORS

Similarly,

gnV +nW (X)

d(V + nU, W ) =

gnV (X)gnW (X ’ V ’ nU )

gnW (X ’ V )

gnV +nW (X)

=

gnV (X)gnW (X ’ V ) gnW (X ’ V ’ nU )

= d(V, W )en (nU, nW ),

where the last equality uses the de¬nition of the Weil pairing (Equation

(11.6)).

LEMMA 11.23

d(U, V ) d(V, W )d(U + W, V )

= .

d(V, U ) d(V, U + W )d(W, V )

PROOF The de¬nition of d applied twice yields

gnU +(nV +nW ) (X) = d(U, V + W )gnU (X)gnV +nW (X ’ U )

= d(U, V + W )gnU (X)d(V, W )gnV (X ’ U )gnW (X ’ U ’ V ).

Similarly,

g(nU +nV )+nW (X) = d(U + V, W )gnU +nV (X)gnW (X ’ U ’ V )

= d(U + V, W )d(U, V )gnU (X)gnV (X ’ U )gnW (X ’ U ’ V ).

Since gnU +(nV +nW ) = g(nU +nV )+nW , we can cancel like terms and obtain

d(U, V + W )d(V, W ) = d(U + V, W )d(U, V ). (11.11)

Interchange U and V in (11.11) and divide to obtain

d(U, V + W )d(V, W )

d(U, V )

= . (11.12)

d(V, U ) d(V, U + W )d(U, W )

Now switch V and W in 11.11, solve for d(U, W ), and substitute in (11.12) to

obtain the result.

LEMMA 11.24

Let S, T ∈ E[n]. Then

c(S, T )

en (S, T ) = .

c(T, S)

PROOF Choose U, V ∈ E[n2 ] so that nU = S, nV = T . The left-hand

side of the formula in the previous lemma does not depend on W . Therefore

© 2008 by Taylor & Francis Group, LLC

373

SECTION 11.6 EQUIVALENCE OF THE DEFINITIONS OF THE PAIRINGS

we can evaluate the right-hand side at W = jU for 0 ¤ j < n and multiply

the results to obtain

n’1

n

d(U, V )

c(nU, nV ) d(V, jU )d(U + jU, V )

= = .

c(nV, nU ) d(V, U ) d(V, U + jU )d(jU, V )

j=0

All the factors in this product cancel except some of those for j = 0 and

j = n ’ 1. We obtain

d(V, ∞)d(nU, V )

c(S, T )

= .

c(T, S) d(V, nU )d(∞, V )

In the ¬rst equation of Lemma 11.22, set W = ∞ to obtain d(V, nU ) =

d(V, ∞). In the second equation of Lemma 11.22, set V = ∞ and then set

W = V to obtain d(nU, V ) = d(∞, V )e(nU, nV ). This yields the result.

We now proceed with the proof of the theorem. The de¬nition of c shows

that

fT (X)fS (X ’ T )

c(S, T )

en (S, T ) = = , (11.13)

fS (X)fT (X ’ S)

c(T, S)

which is independent of X. Let

DS = [S] ’ [∞], DT = [X0 ] ’ [X0 ’ T ],

where X0 is chosen so that DS and DT are disjoint divisors. Let FS (X) =

fS (X) and FT (X) = 1/fT (X0 ’ X). Then

div(FS ) = n[S] ’ n[∞] = nDS , div(FT ) = n[X0 ] ’ n[X0 ’ T ] = nDT .

Therefore, (11.13) yields

FT (DS )

en (S, T ) = .

FS (DT )

This shows that the theorem is true for the choice of divisors DS and DT .

We now need to consider arbitrary choices. Let DS be any divisor of degree

0 such that sum(DS ) = S and let DT be any divisor of degree 0 such that

sum(DT ) = T . Then DS = div(h1 ) + DS and DT = div(h2 ) + DT for some

functions h1 , h2 . Let FS = hn FS and FT = hn FT . Then nDS = div(FS ) and

1 2

nDT = div(FT ). First, assume that the divisors DS and DS are disjoint from

DT and DT . Then

h2 (DS )n FT (DS ) h2 (div(h1 ))n h2 (DS )n FT (div(h1 ))FT (DS )

FT (DS )

= = .

h1 (DT )n FS (DT ) h1 (div(h2 ))n h1 (DT )n FS (div(h2 ))FS (DT )

FS (DT )

© 2008 by Taylor & Francis Group, LLC

374 CHAPTER 11 DIVISORS

By Weil reciprocity (Lemma 11.11), h2 (div(h1 )) = h1 (div(h2 )). Also, Weil

reciprocity yields

h2 (DS )n = h2 (nDS ) = h2 (div(FS )) = FS (div(h2 ))

and similarly h1 (DT )n = FT (div(h1 )). Therefore, we obtain

FT (DS ) F (D )

= T S = en (S, T ).

FS (DT ) FS (DT )

If DS and DS are not necessarily disjoint from DT and DT , we can proceed

in two steps. First, let

DS = [X1 + S] ’ [X1 ], DT = [Y1 + T ] ’ [Y1 ],

where X1 and Y1 are chosen so that DS and DS are disjoint from DT and

DT and so that DS and DS are disjoint from DT and DT . The preceding

argument shows that

FT (DS ) F (D ) F (D )

= T S = T S = en (S, T ).

FS (DT ) FS (DT ) FS (DT )

This completes the proof.

For other proofs, see [69, Section 6.4] and [51].

11.6.2 The Tate-Lichtenbaum Pairing

In Section 3.4, we de¬ned the (modi¬ed) Tate-Lichtenbaum pairing in terms

of the Weil pairing. In Section 11.3, we gave an alternative de¬nition in terms

of divisors.

THEOREM 11.25

The pairings „n de¬ned in Theorem 3.17 and Theorem 11.8 are equal.

PROOF Let the notation be as in Theorem 3.17. In particular, Q ∈ E(Fq )

and nR = Q. Choose a function g such that

div(g) = n[R] ’ [Q] ’ (n ’ 1)[∞].

Let g φ denote the function obtained by applying φ to all the coe¬cients of the

rational function de¬ning g, so φ(g(X)) = g φ (φX) for all points X ∈ E(Fq ).

Since φ(Q) = Q,

div(g φ ) = n[φ(R)] ’ [Q] ’ (n ’ 1)[∞].

© 2008 by Taylor & Francis Group, LLC

375

SECTION 11.7 NONDEGENERACY OF THE TATE-LICHTENBAUM PAIRING

Therefore,

div(g/g φ ) = n[R] ’ n[φ(R)].

Let P ∈ E(Fq )[n]. By Lemma 11.9, we may choose a divisor DP of degree

0 such that sum(DP ) = P , such that DP is disjoint from ∞, Q, and R, and

such that φ(DP ) = DP (this means that φ permutes the points in DP ).

Let div(f ) = nDP . We assume that f is chosen as in Lemma 11.10, so

f (φ(R)) = φ(f (R)). In Theorem 11.12, let S = P , T = R ’ φR, DS = DP ,

DT = [R] ’ [φR], FS = f , and FT = g/g φ . Then

(g/g φ )(DP )

„n (P, Q) = en (P, R ’ φ(R)) =

f ([R] ’ [φ(R)])

q’1

f (R) g(DP ) f (R)

=φ = ,

g(DP ) f (R) g(DP )

since φ raises elements of Fq to the qth power. But

f (R)n f (∞)

= f (div(g)) = g(div(f )) = g(DP )n ,

n

f (Q) f (∞)

where the second equality is Weil reciprocity. Therefore,

n

f (R) f (Q)

f (∞)n .

=

g(DP ) f (∞)

Raising this to the power (q ’ 1)/n yields

q’1 (q’1)/n

f (R) f (Q)

f (∞)q’1 .

„n (P, Q) = =

g(DP ) f (∞)

But f (∞) ∈ Fq since f φ = f and φ(∞) = ∞. Therefore, f (∞)q’1 = 1.

De¬ne the divisor DQ = [Q] ’ [∞]. We obtain

„n (P, Q) = f (DQ )(q’1)/n ,

as desired. Since we have shown in the proof of Theorem 11.8 that the value

of „n is independent of the choice of divisors, this completes the proof.

11.7 Nondegeneracy of the Tate-Lichtenbaum

Pairing

In this section we prove that the Tate-Lichtenbaum pairing is nondegen-

erate. The proof here is partly based on a paper of Schaefer [96]. First, we

make a few remarks on pairings in general.

© 2008 by Taylor & Francis Group, LLC

376 CHAPTER 11 DIVISORS

Let n ≥ 1 and let A and B be two ¬nite abelian groups (written additively)

such that na = 0 for all a ∈ A and nb = 0 for all b ∈ B. Let , : B — A ’ µn

be a bilinear pairing. If we ¬x a ∈ A, then

ψa : b ’’ b, a

gives a homomorphism from B to µn . Let Hom(B, µn ) denote the set of

all group homomorphisms from B to µn . We can make Hom(B, µn ) into an

abelian group by de¬ning the product of ±, β ∈ Hom(B, µn ) by (± · β)(b) =

±(b) · β(b) for all b ∈ B.

LEMMA 11.26

If B is a ¬nite group (written additively) such that nb = 0 for all b ∈ B, then

#Hom(B, µn ) = #B.

First, suppose B = Zm , with m | n. If ± ∈ Hom(B, µn ), then

PROOF

±(1)m = ±(1 + · · · + 1) = ±(0) = 1.

So ±(1) is one of the m elements in µm ⊆ µn . Since 1 generates Zm , the

value of ±(1) determines ±(b) for all b. Moreover, any choice of ±(1) ∈ µm

determines a well-de¬ned homomorphism by b ’ ±(1)b . Therefore, there is a

bijection between Hom(Zm , µn ) and µm , so #Hom(Zm , µn ) = m = #B.

Now consider an arbitrary ¬nite abelian group B. By Theorem B.3 (Ap-

pendix B), B Zm1 • · · · • Zms . Since nb = 0 for all b ∈ B, we must have

mi |n for all i. There is a map

¦ : Hom(Zm1 , µn ) • · · · • Hom(Zm1 , µn ) ’’ Hom (Zm1 • · · · • Zms , µn ) ,

(11.14)

where the isomorphism maps the s-tuple (±1 , ±2 , . . . , ±s ) to the homomor-

phism given by

(b1 , b2 , . . . , bs ) ’’ ±1 (b1 )±2 (b2 ) · · · ±s (bs ).

The map

± ’’ (±1 , ±2 , . . . , ±2 ),

where ±i (bi ) = ±(0, 0, . . . , bi , . . . , 0), is the inverse of ¦, so ¦ is a bijection.

Since the group on the left side of (11.14) has order m1 m2 · · · ms = #B, we

obtain the lemma.

Part (b) of the next lemma makes our task easier since it allows us to deduce

nondegeneracy in one argument from nondegeneracy in the other.

© 2008 by Taylor & Francis Group, LLC

377

SECTION 11.7 NONDEGENERACY OF THE TATE-LICHTENBAUM PAIRING

LEMMA 11.27

Assume that the pairing , : B — A ’ µn is nondegenerate in A (that is, if

b, a = 1 for all b ∈ B, then a = 0).

(a) The map A ’ Hom(B, µn ) given by a ’ ψa is injective.

(b) If #A = #B, then the pairing is also nondegenerate in B.

PROOF Suppose ψa is the trivial homomorphism. This means that b, a =

ψa (b) = 1 for all b ∈ B. The nondegeneracy in A implies that a = 0. This

proves (a).

Let

B1 = {b ∈ B | b, a = 1 for all a ∈ A}.

Then each a ∈ A gives a well-de¬ned homomorphism βa : B/B1 ’ µn

given by βa (b mod B1 ) = b, a . If βa is the trivial homomorphism, then

b, a = 1 for all b ∈ B, which means that a = 0. Therefore, A injects

into Hom(B/B1 , µn ), which has order #B/#B1 , by Lemma 11.26. Since

#A = #B, we must have #B1 = 1. But B1 = 0 is exactly what it means for

the pairing to be nondegenerate in B. This proves (b).

A converse of part (b) of Lemma 11.27 holds.

LEMMA 11.28

Suppose , : B — A ’ µn is nondegenerate in both A and B. Then #A =

#B. In fact, A Hom(B, µn ) and B Hom(A, µn ).

PROOF By Lemma 11.27, we have an injection from A to Hom(B, µn ),

so #A ¤ #Hom(B, µn ) = #B. Reversing the roles of A and B, we have

#B ¤ #Hom(A, µn ) = #A. Therefore, #A = #B, and the injections are

isomorphisms.

LEMMA 11.29

Let M be a ¬nite abelian group and let ± : M ’ M be a homomorphism.

Then

#Ker ± = #M/#±(M ).

PROOF By Theorem B.6 (in Appendix B),

#M = (#Ker ±)(#±(M )).

The result follows.

The following technical lemma is the key to proving the nondegeneracy of

the Tate-Lichtenbaum pairing.

© 2008 by Taylor & Francis Group, LLC

378 CHAPTER 11 DIVISORS

LEMMA 11.30

Let A and B be ¬nite abelian groups (written additively) such that nx = 0

for all x ∈ A and for all x ∈ B. Suppose that there is a nondegenerate (in

both arguments) bilinear pairing

: B — A ’ µn ,

,

where µn is the group of nth roots of unity (in some ¬eld). Let C be a subgroup

of B. De¬ne

ψ : A ’’ µn

c∈C

a ’’ (· · · , c, a , · · · ) .

Then

#ψ(A) = #C.

PROOF The pairing is nondegenerate, so A Hom(B, µn ). Clearly,

Ker ψ = {a ∈ A | c, a = 1 for all c ∈ C}.

Identifying A with the set of homomorphisms from B to µn , we see that

Ker ψ = {f ∈ Hom(B, µn ) | f (C) = 1}.

But a homomorphism that sends C to 1 is exactly the same as a homo-

morphism from B/C to µn . The set of such homomorphisms has order

#(B/C) = #B/#C. Therefore (see Theorem B.6 in Appendix B)

#ψ(A) = #A/#Ker ψ = #A/#(B/C) = #C,

since #A = #B. This proves the lemma.

We can now apply the above to the elliptic curve E. Let

ψ : E[n] ’’ µn

P ∈E(Fq )[n]

Q ’’ (· · · , en (P, Q), · · · ) .

LEMMA 11.31

Let φ = φq be the qth power Frobenius endomorphism of E. Then Ker ψ =

(φ ’ 1)E[n].

© 2008 by Taylor & Francis Group, LLC

379

EXERCISES

Let Q ∈ E[n]. Then

PROOF

ψ(φQ) = (· · · , en (P, φQ), · · · )

= (· · · , en (φP, φQ), · · · ) (since φP = P for P ∈ E(Fq )[n])

= · · · , en (P, Q)φ , · · · (by part (5) of Theorem 11.7)

= (· · · , en (P, Q), · · · ) (since µn ‚ Fq )

= ψ(Q).

Therefore, ψ((φ ’ 1)Q) = 1, so (φ ’ 1)E[n] ⊆ Ker ψ. By Lemma 11.30, with

A = B = E[n] and C = E(Fq )[n], we have #ψ(E[n]) = #E(Fq )[n]. Let

Ker (φ ’ 1)|E[n] denote the kernel of the restriction of φ ’ 1 to E[n]. Then

#E(Fq )[n] = #Ker (φ ’ 1)|E[n] (since Ker(φ ’ 1) = E(Fq ))

= #E[n]/#((φ ’ 1)E[n]) (by Lemma 11.29)

≥ #E[n]/#(Ker ψ) (since (φ ’ 1)E[n] ⊆ Ker ψ)

= #ψ(E[n]) = #E(Fq )[n].

Therefore, we must have equality everywhere. In particular, Ker ψ = (φ ’

1)E[n].

We can now prove that the Tate-Lichtenbaum pairing is nondegenerate. Let

Q ∈ E(Fq ). Write Q = nR with R ∈ E(Fq ). Suppose that

„n (P, Q) = en (P, R ’ φR) = 1 for all P ∈ E(Fq )[n].

Then R ’ φR ∈ Ker ψ = (φ ’ 1)E[n]. This means that there exists T ∈ E[n]

such that R ’ φR = φT ’ T , hence φ(R + T ) = R + T . Since the points

¬xed by φ have coordinates in Fq , this implies that R + T ∈ E(Fq ). Since

Q = nR = n(R + T ), we have Q ∈ nE(Fq ). Therefore,

„n : E(Fq )[n] — E(Fq )/nE(Fq ) ’’ µn

is nondegenerate in the second variable. Since the groups E(Fq )[n] and

E(Fq )/nE(Fq ) have the same order (by Lemma 11.29 with ± = n), Lemma

11.27 implies that the pairing is also nondegenerate in the ¬rst variable. This

completes the proof of the nondegeneracy of the Tate-Lichtenbaum pairing.

Exercises

11.1 Let E be the elliptic curve y 2 = x3 ’ x over Q.

(a) Show that f (x, y) = (y 4 + 1)/(x2 + 1)3 has no zeros or poles in

E(Q).

© 2008 by Taylor & Francis Group, LLC

380 CHAPTER 11 DIVISORS

(b) Show that g(x, y) = y 4 /(x2 + 1)3 has no poles in E(Q) but does

have zeros in E(Q).

(c) Find the divisors of f and g (over Q).

11.2 Let E be an elliptic curve over a ¬eld K and let m, n be positive integers

that are not divisible by the characteristic of K. Let S ∈ E[mn] and

T ∈ E[n]. Show that

emn (S, T ) = en (mS, T ).

11.3 Suppose f is a function on an algebraic curve C such that div(f ) =

[P ] ’ [Q] for points P and Q. Show that f gives a bijection of C with

P1 .

11.4 Show that part (3) of Proposition 11.1 follows from part (2). (Hint: Let

P0 be any point and look at the function f ’ f (P0 ).)

© 2008 by Taylor & Francis Group, LLC