$E$ in this note is an elliptic curve defined over an algebraically closed field $k$.
1. The definition of Weil's pairing. From the previous note, we know that there exists an isomorphism $\phi$ between $E$ and $Pic^0(E)$, defined by $P \mapsto [P]-[\infty]$. And we know that any principal divisor on $E$ has degree 0. It is natural to ask, when is a divisor of degree 0 is a principal divisor?
Assume that $D:=\sum_{i=1}^n [P_i]-\sum_{i=1}^n [Q_i]\in Div(E)$, where $P_i, Q_i$ are not necessarily distinct. Then $D$ is a principal divisor iff $D\equiv 0$ in $Pic^0(E)$. Via the inverse map $\phi^{-1}$, we get $D\mapsto \sum_{i} P_i - \sum_{i} Q_i$. So $D=0$ in $Pic^0(E)$ iff $\sum_{i} P_i - \sum_{i}Q_i =0$ in $E$.
Now, if we write $D=\sum_{P\in E}n_P[P]\in Div(E)$, then we define $sum(D):=\sum_{P\in E}n_PP$. Note that the later sum is a point in $E$. By our earlier discussion, we get an important
Theorem 1.1. If $D\in Div(E)$ is a divisor, then $D$ is principal iff $\deg(D)=0$ and $sum(D)=\infty$.
Now, let $m$ be a positive integer such that $(m,char(k))=1$, we define $E[m]:=\{P\in E|mP=\infty\}$. It follows from Chapter III of Washington's book that $E[m]\cong \mathbb{Z}_m\oplus \mathbb{Z}_m$. Then for any $T\in E[m]$, we define the divisor $D_T$ as follows
$$D_T:=\sum_{Q\in E, mQ=T}([Q])-\sum_{P\in E[m]}[P]$$
Remark. It can be seen that $[m]: E\to E$ defined by $P\mapsto mP$ is a separable isogeny of $E$, so by our Remark 2, Section 4 of the previous note, $\deg [m]=\#[m]^{-1}(\infty)=E[m]=\#[m]^{-1}(P)=m^2$, for any point $P\in E$. That means the ramification index at all point respected to $[m]$ is just 1. So in this case, the pull-back map of divisors is defined as $[m]^*[P]=\sum_{Q\in E, mQ=P}[Q]$. And it can be seen that in fact, $D_T$ defined above is $[m]^*([T]-[\infty])$ because
$$[m]^*([T]-[\infty])=\sum_{Q\in E, mQ=T}[Q]-\sum_{P\in E, mP=\infty}[P]=\sum_{Q\in E, mQ=T}([Q])-\sum_{P\in E[m]}[P]$$
We will prove that
Lemma 1.1. $D_T$ defined above is a principal divisor.
Proof. Due to the remark, we can see, $\#[m]^{-1}(\infty)=E[m]=\#[m]^{-1}(T)$. This implies there exists a point $Q$ such that $mQ=T$ (because $\#E[m]=m^2$). Then it can be seen for any point $P\in E[m]$, $m(P+Q)=\infty+T=T$. Also, for any $P_1,P_2\in E[m], P_1\ne P_2$, then $P_1+Q\ne P_2+Q$. This yields $[m]^{-1}(T)=\{P+Q|P\in E[m]\}$. And we can now rewrite $D_T$ as
$$D_T=\sum_{P\in E[m]}([P+Q])-[P])$$
It can be seen that $\deg D_T=0$, and $\sum(D_T)=\sum_{P\in E[m]}(P+Q-P)= m^2Q= mT = \infty$. By Theorem 1.1, $D_T$ is a principal divisor. (Q.E.D)
Now, it follows that there exists a rational function $g_T$ in $k(E)$ such that $div(g_T)=D_T$. For $S\in E[m]$, the Weil's pairing is defined as follows
$$e_m(S,T):=\frac{g_T(S+X)}{g_T(X)}$$
for any point $X\in E$ such that $g_T(S+X), g_T(X)\in k^*$. We will prove that
Lemma 1.2. $e_m(S,T)$ is well-defined, i.e. it does not depend on the choice of $X$.
Proof. We actually want to show that $\frac{g_T(S+X)}{g_T(X)}$ is a constant function. That is equivalent to say $div(g(X+S))-div(g(X))=0$. Let $h_T(X):=g_T(S+X)$, it is equivalent to prove that $div(h_T)=div(g_T)$. It can be seen that $g_T$ has zeros at $P+Q$, for some $Q\in E$ such that $mQ=T$, and $P\in E[m]$. This yields the zeros of $h_T$ are $P+Q-S$. Also, poles of $g_T$ are of the form $P$, where $P\in E[m]$. This yields poles of $h_T$ are actually $P-S$. So we get
$$div(h_T)-div(g_T)=\sum_{P\in E[m]}([P-S+Q]-[P-S])-\sum_{P\in E[m]}([P+Q]-[P])$$
But then, we can see that $S\in E[m]$, so $\{P-S|P\in E[m]\}=E[m]$. This yields $div(h_T)-div(g_T)=0$. This yields $h_T/g_T$ is a constant. (Q.E.D)
We will show next that in fact, $e_m(S,T)\in \mu_m$, where $\mu_m$ is the group of $m$-th root of unity in $k^\times$.
Lemma 1.3. $e_m(S,T)\in \mu_m$.
Proof. It can be seen that $m([T]-[\infty])$ is a principal divisor by Theorem 1.1. This implies there exists a function $f_T\in k(E)$ such that $div(f_T) = m([T]-[\infty])$. We already show that there exists a point $Q\in E$, such that $mQ=P$. And we can see
$$div(f_T\circ [m])=m\sum_{P\in E[m]}([P+Q]-[P])$$
since $f_T$ has zeros at $T$ with order $m$, so $f_T\circ [m]$ has zeros at $[m]^{-1}(T)=\{P+Q|P\in E[m]\}$, and each is of order $m$. Similarly for the poles. But then, the right hand side is just $mD_T=mdiv(g_T)=div(g_T^m)$. This yields $g_T^m=\lambda f_T\circ[m]$, for some $\lambda\in k^\times$. By possibly change $f_T$ by $\lambda f_T$, we can assume $g_T^m=f_T\circ [m]$. That means, for all points $X\in E$, we have $g_T^m(X)=f_T(mX)$, and for $S\in E[m]$, we have $g_T(X+S)^m=f_T(mX+mS)=f_T(mX)$. Hence, $\frac{g_T^m(X+S)}{g_T^m(X)}=1$. This implies $e_m(S,T)$ is a $m$-th root of unity. (Q.E.D)
So, we have proved if $m$ is any positive integer such that $(m,char(k))=1$, then there exists a well-defined map
$$e_m: E[m]\times E[m]\to \mu_m$$
where $\mu_m$ is the multiplicative group of $k^\times$ consisting of all $m$-th root of unity. The next section will be devoted to prove the properties of Weil's pairing.
2. Properties of Weil's pairing.
Proposition 2.1 (Bilinear). The Weil's pairing defined above is bilinear, i.e. for all $S_1, S_2, T_1, T_2\in E[m]$, we have $e_m(S_1+S_2,T)=e_m(S_1,T)e_m(S_2,T)$ and $e_m(S,T_1+T_2)=e_m(S,T_1)e_m(S,T_2)$.
Proof. If we denote $\tau_S(P):=P+S$, for all $P\in E$, i.e. $\tau_S$ is a translation with respect to $S$. Then it can be seen that $e_m(S_1+S_2, T)=\frac{g_T(S_1+S_2+X)}{g_T(X)}$ and $e_m(S_1, T)e_m(S_2,T)=\frac{g_T(S_1+X)}{g_T(X)}\frac{g_T(S_2+X)}{g_T(X)}$. Then $e_m(S_1+S_2,T)=e_m(S_1,T)e_m(S_2,T)$ iff $\frac{g_T(S_1+S_2+X)}{g_T(S_1+X)}=\frac{g_T(S_2+X)}{g_T(X)}=e_m(S_2,T)$. But this follows since $e_m(S_2,T)$ does not depend on the choice of $X$. If we replace $X$ by $S_1+X$, we get $e_m(S_2,T)=\frac{g_T(S_2+S_1+X)}{g_T(S_1+X)}$. And the conclusion follows.
The second property is more difficult. If we let $T_3:=T_1+T_2$, then by Theorem 1.1, we get $[T_1]+[T_2]-[T_3]-[\infty]=div(h)$ for some function $h\in k(E)$. We also have by definition
$$div(g_{T_1})=[m]^*([T_1]-[\infty]), div(g_{T_2})=[m]^*([T_2]-[\infty])$$
$$div(g_{T_3})=[m]^*([T_3]-[\infty])=[m]^*([T_1]+[T_2]-div(h)-2[\infty])=$$
$$=[m]^*([T_1]-[\infty]+[T_2]-[\infty]+div(h))=div(g_1)+div(g_2)+div(h\circ [m])=$$
$$=div(g_1.g_2.(h\circ[m])$$
So, in particular, we get $g_{T_3}=g_1.g_2.(h\circ[m])$. Hence,
$$e_m(S,T_1+T_2)=e_m(S,T_3)=\frac{g_{T_3}(S+X)}{g_{T_3}(X)}=$$
$$=\frac{g_1(S+X)g_2(S+X)h(mS+mX)}{g_1(X)g_2(X)h(mX)}$$
But then, since $mS=\infty$, we have $\frac{h(mS+mX)}{h(mX)}=1$. This yields by our previous calculation $e_m(S, T_1+T_2)=e_m(S,T_1)e_m(S,T_2)$. (Q.E.D)
Proposition 2.2 (Alternating). For any $T\in E[m]$, we have $e_m(T,T)=1$. And one can easily deduce $e_m(S,T)=e_m(T,S)^{-1}$ for all $S,T\in E[m]$.
Proof. Because $E[m]\cong \mathbb{Z}_m\oplus \mathbb{Z}_m$, and the bilinear property, it is sufficient for us to prove $e_m(T,T)=1$, for $T$ is a point with the order exactly $m$. Let $h_i(X):=g_T(X+iT')$, because $div(g_T)=\sum_{P\in E[m]}[P+Q]-[P]$, where $Q\in E, mQ=T$. Let $h_i(X)=g(X+iQ)$, for some $0\le i\le m-1$. Then it can be seen
$$div(h_i)=\sum_{P\in E[m]}([P+Q-iQ]-[P-iQ])=\sum_{P\in E[m]}[P+(1-i)Q]-[P-iQ]$$
Because $mQ=T$, this yields
$$div(\prod_{i=0}^{m-1}h_i)=\sum_{i=0}^{m-1}div(h_i)=\sum_{P\in E[m]}([P-Q]-[P+(m-1)Q])=$$
$$=\sum_{P\in E[m]}[P-Q]-\sum_{P\in E[m]}[P-T-Q]$$
But then, the later divisor is just 0, because $T\in E[m]$. This yields $\prod_{i=0}^{m-1}h_i=1$, i.e, it is a constant. This yields
$$1=g_T(X)\prod_{i=1}^{m-1}g_T(X+iQ)=\prod_{i=0}^{m-1}g_T(X+iQ)=\prod_{i=1}^{m}g_T(X+iT)=\prod_{i=1}^{m-1}g_T(X+iQ)g_T(X+T)$$
Note that the third identity follows when we replace $X$ by $X+Q$, and the last identity follows since $mQ=T$. In particular, we get $g_T(X+T)=g_T(X)$. This implies $e_m(T,T)=1$. The second statement easily follows from Proposition 2.1 and the first statement. (Q.E.D)
Proposition 2.3 (Non-degenerate). The Weil's pairing is non-degenerate, i.e. if $e_m(S,T)=1$ for all points $S\in E[m]$, then $T=\infty$.
Proof.
Remark 2.4. We will contemporarily accept this fact, which will be proved later: if $g\in k(E)$ such that $g\circ \tau_S=g$ for all $S\in E[m]$, i.e. $g$ is invariant under the translation then $g=h\circ [m]$, for some $h\in k(E)$.
Due to the assumption, $g_T$ now is invariant under the translation map $\tau_S$, for all $S\in E[m]$. This yields $g_T$ is of the form $h\circ [m]$, for some $h\in k(E)$. Due to the proof of Proposition 2.1, we get $g_T^m=f_T\circ [m]$, i.e. $(h\circ[m])^n=f_T\circ [m]$. This yields for all point $P\in E$, $h(mP)...h(mP)=f_T(mP)$. Since $[m]$ is surjective, we have $h^m=f_T$. But then, the divisor of $f_T$ is $m([T]-[\infty])$. This yields $div(h)=[T]-[\infty]$. Due to Theorem 1.1, we have $T-\infty=\infty$, i.e. $T=\infty$.
So, it remains to prove Remark 2.4. We first begin with an important lemma
Lemma 2.5. If $\alpha$ is a separable isogeny from $E_1$ to $E_2$, then the map $\ker (\alpha) \to Aut(k(E_1)/\phi^*(k(E_2)))$ define by $T\mapsto \tau_T^*$ is a group isomorphism.
Proof. It can be seen first that for any $T\in E_1$, the translation $\tau_T^*: k(E_1)\to k(E_1)$ define by $g\mapsto g\circ \tau_T$ defines an automorphism of field, since its inverse is $\tau_{-T}^*$.
For any $T\in \ker\alpha$, and for all $f\in k(E_2)$, we have $\tau_T^*(\alpha^* f)=f\circ \alpha\circ \tau_T$. So for any point $P\in E_1$, we have $f\circ \alpha\circ \tau_T(P)=f\circ\alpha(P+T)=f\circ\alpha(P)$, since $\alpha(P+T)=\alpha(P)+\alpha(T)=\alpha(P)$. This yields $\tau_T^*(\alpha^* f)=\alpha^* f$, i.e. $\tau_T^*$ fixes the subfield $\phi^*(k(E_2))$ of $k(E_1)$.
Now, it is a group homomorphism since for $T,S\in \ker\alpha$, we have $T+S\mapsto \tau_{T+S}^*=\tau_T^*\circ \tau_S^*$. Now, it follows from Galois theory and our Remark 2 in the previous note that $\#Aut(k(E_1)/\phi^*(k(E_2)))=\deg \alpha =\#\ker \alpha<\infty$. So, we just need to prove the map is injective. But it is obvious, since if $\tau_T^*=\tau_\infty^*$, then for sure $T=\infty$ (Q.E.D)
Now, if we let $\alpha=[m]$ and $E_1=E_2=E$, then $\ker\alpha = E[m]$. Now, $g$ is fixed under the translation $\tau_S$, for all $S\in E[m]$ yields $g\in [m]^*(k(E))$, i.e. there exists $h\in k(E)$ such that $g=[m]^*h=h\circ [m]$. So, the proof of Remark 2.4 follows. (Q.E.D)
Proposition 2.6 (Compatible). Let $\varphi$ be any endomorphism of $E$, then for any $S, T\in E[m]$, we have $e_m(\varphi(S),\varphi(T))=e_m(S,T)^{\deg\varphi}$.
Proof. Let $\deg\varphi =d$. We want to prove for all point $P\in E$,
$$\frac{g_{\varphi(T)}(\varphi(P)+\varphi(S))}{g_{\varphi(T)}(\varphi(S))}=\bigg(\frac{g_T(P+S)}{g_T(P)}\bigg)^d$$
If we denote $\tau_S$ the translation by $S$ (i.e. $P\mapsto P+S$), the statement is equivalent to
\begin{align}
\frac{g_{\varphi(T)}\circ \tau_{\varphi(S)}\circ\varphi}{g_{\varphi(T)}\circ\varphi}=\bigg(\frac{g_T\circ\tau_S}{g_T}\bigg)^d (1)
\end{align}
One can see $\tau_{\varphi(S)}\circ\varphi(P)=\varphi(P+S)=\varphi\circ\tau_S(P)$. Therefore
$$\frac{g_{T\varphi(T)}\circ\tau_{\varphi(S)}\circ\varphi}{g_{\varphi(T)}\circ\varphi}=\frac{g_{\varphi(T)}\circ\varphi\circ\tau_S}{g_{\varphi(T)}\circ\varphi}$$
And for the RHS of (1), because $(g_T\circ\tau_S)^d=g_T^d\circ\tau_S$, we have (1) is equivalent to
$$\frac{g_{\varphi(T)}\circ\varphi\circ\tau_S}{g_{\varphi(T)}\circ\varphi}=\frac{g_T^d\circ\tau_S}{g_T^d}\Leftrightarrow\frac{g_{\varphi(T)}\circ\varphi\circ\tau_S}{g_T^d\circ\tau_S}=\frac{g_{\varphi(T)}\circ\varphi}{g_T^d}\circ\tau_S=\frac{g_{\varphi(T)}\circ\varphi}{g_T^d}$$
That means, we have to prove that $\frac{g_{\varphi(T)}\circ\varphi}{g_T^d}$ is invariant under the translation of any $S\in E[m]$. We need the following
Lemma 2.7. If $r=s\circ[m]$ (i.e. $r=[m]^*s$), where $s\in k(E)$, then $r$ is invariant under the translation of any $S\in E[m]$.
Proof. For any $S\in E[m]$, we have $r(P+S)=s\circ [m](P+S)=s(mP+mS)=s\circ[m](P)=r(P)$, for all $P\in E$. (Q.E.D)
Hence, it is sufficient for us to prove that $F:=\frac{g_{\varphi(T)}\circ\varphi}{g_T^d}=[m]^*[s]$ for some $s\in k(E)$. Let us compute the divisor of $F$, where $div(g_T)=[m]^*([T]-[\infty])$, we have
$$div(F)=(\varphi^*[m]^*)([\varphi(T)]-[\infty])-d[m]^*([T]-[\infty])=[m]^*(\varphi^*([\varphi(T)]-[\infty])-d([T]-[\infty]))$$
And hence, it is sufficient for us to prove that $D:=(\varphi^*([\varphi(T)]-[\infty])-d([T]-[\infty]))$ is a principal divisor. By definition, we have
$$\varphi^*([\varphi(T)]-[\infty])=\sum_{R\in \ker\varphi}e_R([T+R]-[R])$$
where $e_R$ is the ramification index at $R$. Hence, $\deg D=0$, because $\sum_{R\in \ker\varphi}e_R=\sum_{R\in\varphi^{-1}(\infty)}e_R=d$. And by the similar reason, the sum of $D$ is
$$\sum_{R\in \ker\varphi}e_R(T+R-R)-d(T-\infty)=\infty$$
That means, $D$ is a principal divisor, by Theorem 1.1. This implies $F=[m]^*s$, for some $s\in k(E)$. And hence, the statement now follows. (Q.E.D)
Proposition 2.8 (Galois invariant). If $E$ is defined over $k$ (may not be algebraically closed), then for all $\sigma\in Gal(\bar{k}/k)$, we have $e_m(S^\sigma,T^\sigma)=e_m(S,T)^\sigma$.
Proof. It just follows if we consider the action of $\sigma$ on $g$. (Q.E.D)
No comments:
Post a Comment