Sesquilinear pairings on elliptic curves

Katherine E. Stange

Abstract.

Let $E$ be an elliptic curve with complex multiplication by a ring $R$ , where $R$ is an order in an imaginary quadratic field or quaternion algebra. We define sesquilinear pairings ( $R$ -linear in one variable and $R$ -conjugate linear in the other), taking values in an $R$ -module, generalizing the Weil and Tate-Lichtenbaum pairings.

Key words and phrases:

Elliptic curves, Weil pairing, Tate-Lichtenbaum pairing, complex multiplication

2020 Mathematics Subject Classification:

Primary: 11G05, 14H52

This work has been supported by NSF-CAREER CNS-1652238 and NSF DMS-2401580.

1. Introduction

The Weil and Tate-Lichtenbaum pairings are bilinear pairings on an elliptic curve $E$ with values in the multiplicative group $\mathbb{G}_{m}$ . In the situation of complex multiplication, the points of the elliptic curve form more than just a $\mathbb{Z}$ -module, but also an $R$ -module, for some ring $R$ which is an order in either an imaginary quadratic field or a quaternion algebra, both of which come equipped with an involution which we call conjugation. It is natural then to hope for a pairing with some type of $R$ -linearity. In this paper, we generalize these classical pairings to take values in an $R$ -module, so that the pairings can become sesquilinear, or conjugate linear in the following sense. If $R$ is commutative, an $R$ -sesquilinear pairing is a bilinear pairing $\langle\cdot,\cdot\rangle$ on a pair of $R$ -modules, taking values in another $R$ -module, that satisfies

\langle\alpha x,\beta y\rangle={\alpha}{\overline{\beta}}\langle x,y\rangle,\text{ for all }\alpha,\beta\in R.

In the case that $R$ is non-commutative, we also consider a twisted version; see Section 4. For the remainder of the introduction, we assume $R$ is commutative; small adjustments are needed in the non-commutative case.

The Weil and Tate-Lichtenbaum pairings can be taken to act on divisor classes in $\operatorname{Pic}^{0}(E)$ . By considering instead $\operatorname{Pic}_{R}^{0}(E):=R\otimes_{\mathbb{Z}}\operatorname{Pic}^{0}(E)$ , we have an $R$ -module structure on divisor classes. To accommodate the values of the pairing, considering $\mathbb{G}_{m}$ as a $\mathbb{Z}$ -module in multiplicative notation, we can extend scalars to $R$ , writing $\mathbb{G}_{m}^{\otimes_{\mathbb{Z}}R}$ . (This multiplicative tensor notation is not without its pitfalls; see the end of the introduction for further discussion.) Write $M[\alpha]$ for the $\alpha$ -torsion in an $R$ -module $M$ . For each $\alpha\in R$ , we obtain Galois invariant sesquilinear pairings

	$\displaystyle{W}_{\alpha}$	$\displaystyle:\operatorname{Pic}_{R}^{0}(E)[\overline{\alpha}]\times\operatorname{Pic}_{R}^{0}(E)[\alpha]\rightarrow\mathbb{G}_{m}^{\otimes_{\mathbb{Z}}R}[\overline{\alpha}],$
	$\displaystyle{T}_{\alpha}$	$\displaystyle:\operatorname{Pic}_{R}^{0}(E)[\overline{\alpha}]\times\operatorname{Pic}_{R}^{0}(E)/[\alpha]\operatorname{Pic}_{R}^{0}(E)\rightarrow\mathbb{G}_{m}^{\otimes_{\mathbb{Z}}R}/(\mathbb{G}_{m}^{\otimes_{\mathbb{Z}}R})^{\overline{\alpha}},$

generalizing the classical Weil and Tate-Lichtenbaum pairings (these do not restrict to the classical pairings, but restrict to a sesquilinearization of such; see Proposition 4.4 and the discussion afterward). The pairing $W_{\alpha}$ is also conjugate skew-Hermitian in the sense that

W_{\alpha}(D_{P},D_{Q})=\overline{W_{\overline{\alpha}}(D_{Q},D_{P})}^{-1}.

These are defined by essentially imitating the definition of the classical pairings, including extending Weil reciprocity to $R$ -divisors.

However, this formal exercise is most interesting when applied to a curve with endomorphism ring containing a copy of $R$ . Consider an exact sequence

given by

\epsilon:\sum_{i}\alpha_{i}(P_{i})\mapsto\sum_{i}[\alpha_{i}]P_{i}.

By restricting the pairing to the left-hand $E$ in the exact sequence, we obtain Galois invariant pairings

	$\displaystyle\widehat{W}_{\alpha}$	$\displaystyle:E[\overline{\alpha}]\times E[\alpha]\rightarrow\mathbb{G}_{m}^{\otimes_{\mathbb{Z}}R}[{\alpha}],$
	$\displaystyle\widehat{T}_{\alpha}$	$\displaystyle:E[\overline{\alpha}]\times E/[\alpha]E\rightarrow\mathbb{G}_{m}^{\otimes_{\mathbb{Z}}R}/(\mathbb{G}_{m}^{\otimes_{\mathbb{Z}}R})^{{\alpha}},$

which are sesquilinear, if $R$ is commutative, in the sense that for all $\gamma,\delta\in R$ and $P\in E[\overline{\alpha}]$ , $Q\in E$ ,

\widehat{T}_{\alpha}([\gamma]P,[\delta]Q)=\widehat{T}_{\alpha}(P,Q)^{\overline{\gamma}\delta},

and similarly for $\widehat{W}_{\alpha}$ . When $R$ is non-commutative, a similar construction is possible, but sesquilinearity in one entry is twisted by an action of $\overline{\alpha}$ (Section 4).

In the case that $\alpha=n\in\mathbb{Z}$ , these pairings can be interpreted as a ‘sesquilinearization’ of the usual Weil and Tate-Lichtenbaum pairings. For example if

t_{n}:E[n]\times E/[n]E\rightarrow\mathbb{G}_{m}/\mathbb{G}_{m}^{n}

represents the usual Tate-Lichtenbaum pairing, and $R=\mathbb{Z}[\tau]$ , then

\widehat{T}_{n}(P,Q)=\left(t_{n}(P,Q)^{2N(\tau)}t_{n}([-\overline{\tau}]P,Q)^{Tr(\tau)}\right)\left(t_{n}([\overline{\tau}-{\tau}]P,Q)\right)^{\tau}.

In the general case, one can only express $\widehat{T}_{\alpha}$ in terms of $t_{n}$ if one computes certain preimages (See Remark 4.5).

We show that these new pairings are non-degenerate in most cases. The pairings are amenable to computation, for example for cryptographic purposes (see Algorithm 5.7).

Both the Tate-Lichtenbaum pairing and Weil pairing have a wide variety of interpretations in terms of cohomology, intersection pairings, Cartier duality, etc. In this paper we take an elementary approach in terms of divisors. However, the new pairings were discovered while revisiting an interpretation of these pairings in terms of the monodromy of the Poincaré biextension studied in the author’s PhD thesis [19]. A companion paper will explain these new pairings in that context, and their relationship with elliptic nets and height pairings.

Notations. Greek letters ( $\alpha,\beta,\ldots$ ) generally refer to elements of the ring $R$ , with the exception of $\sigma$ , which is an element of a Galois group, and $\eta$ and $\epsilon$ , which are maps in Section 5. Roman letters in lower case ( $f,g,\ldots$ ) will generally refer to elements of $\mathbb{G}_{m}$ and capital roman letters (besides $R$ and $E$ ) typically refer to points of an elliptic curve $E$ . We use the exponent $\otimes_{\mathbb{Z}}R$ for the extension of scalars from $\mathbb{Z}$ to $R$ when viewing an abelian group in multiplicative notation as a $\mathbb{Z}$ -module, as in $\mathbb{G}_{m}^{\otimes_{\mathbb{Z}}R}$ . Simple tensors are written $g^{\otimes\alpha}$ , but we will suppress the $\otimes$ , writing $g^{\alpha}$ . Note, however, that we will continue to view this as a left $R$ -module. Regular exponents will be reserved for the module action of $R$ and $\mathbb{Z}$ when in a multiplicative notational mode. In particular, we have the slightly counter-intuitive¹¹1We opted for this slight dissonance over the available alternatives, which were a switch to additive notation in the multiplicative group, or the use of notation ${}^{\beta}(^{\alpha}x)=\,^{\beta\alpha}x$ .

(x^{\alpha})^{\beta}=x^{\beta\alpha}.

For this reason we write $(\mathbb{G}_{m}^{\otimes_{\mathbb{Z}}R})^{R\alpha}$ for the image of the multiplicative left $R$ -module $\mathbb{G}_{m}^{\otimes_{\mathbb{Z}}R}$ under the action of the $R$ -submodule $R\alpha$ , or equivalently, under $R\alpha R$ . We refer to this as the set of $\alpha$ -powers of $\mathbb{G}_{m}^{\otimes_{\mathbb{Z}}R}$ . (If $\alpha\in\mathbb{Z}$ , or more generally the centre of $R$ , we can simplify the notation from $(\mathbb{G}_{m}^{\otimes_{\mathbb{Z}}R})^{R\alpha}$ to $(\mathbb{G}_{m}^{\otimes_{\mathbb{Z}}R})^{\alpha}$ .)

We denote the algebraic closure of a field $K$ by $\overline{K}$ . We denote the action of an endomorphism $\alpha\in R$ on $P\in E$ by $[\alpha]P$ . For an $R$ -module $M$ , write $M[\alpha]:=\{m\in M:\alpha m=0\}$ . When $R$ is commutative, this is again an $R$ -module.

Acknowledgements. The author is grateful to Damien Robert for rekindling her interest through his recent work [15],[16], his interest in the author’s thesis, and several generous discussions, which inspired this work. The author also thanks Joseph Macula, Joseph H. Silverman, and Drew Sutherland for feedback on an earlier draft.

2. Classical pairings

2.1. The Weil pairing

This section follows Miller [12] and Silverman [17, Chap III, §8]. For the more general Weil pairing, see [8], [17, Exercise III.3.15].

Definition 2.1 (Weil pairing: first definition).

Let $m>1$ be an integer. Let $E$ be an elliptic curve defined over a field $K$ which contains the field of definition of $E[m]$ , and with characteristic coprime to $m$ in the case of positive characteristic. Suppose that $P,Q\in E[m]$ . Choose divisors $D_{P}$ and $D_{Q}$ of disjoint support such that

D_{P}\sim(P)-(\mathcal{O}),\qquad D_{Q}\sim(Q)-(\mathcal{O}).

Then $mD_{P}\sim mD_{Q}\sim 0$ , hence there are functions $f_{P}$ and $f_{Q}$ such that

\operatorname{div}(f_{P})=mD_{P},\qquad\operatorname{div}(f_{Q})=mD_{Q}.

The Weil pairing

e_{m}:E[m]\times E[m]\rightarrow\mu_{m}

is defined by

e_{m}(P,Q)=\frac{f_{P}(D_{Q})}{f_{Q}(D_{P})}.

For example, we can choose $D_{P}$ and $D_{Q}$ disjoint as follows: first choose some $T$ such that $T\not\in\{\mathcal{O},-P,Q,Q-P\}$ . Then set $D_{P}=(P+T)-(T)$ and $D_{Q}=(Q)-(\mathcal{O})$ . Set the notation $f_{m,X}$ for the rational function with divisor $m(X)-m(\mathcal{O})$ . Then,

e_{m}(P,Q)=\frac{f_{P}(D_{Q})}{f_{Q}(D_{P})}=\frac{f_{P}(Q)f_{Q}(T)}{f_{P}(\mathcal{O})f_{Q}(P+T)}=\frac{f_{m,P}(Q-T)f_{m,Q}(T)}{f_{m,P}(-T)f_{m,Q}(P+T)}.

Definition 2.2 (Weil pairing: second definition).

Let $\phi:E\rightarrow E^{\prime}$ be an isogeny between elliptic curves defined over a perfect field $K$ which contains the field of definition of $\ker(\phi)$ and $\ker(\widehat{\phi})$ , and with characteristic coprime to $\deg\phi$ in the case of positive characteristic. Suppose that $P\in\ker\widehat{\phi}$ , and $Q\in\ker{\phi}$ . Let $g_{P}$ be a rational function with principal divisor

\operatorname{div}(g_{P})=\phi^{*}((P)-(\mathcal{O})).

(In the case that $\phi=[m]$ , this implies $g_{P}^{m}=f_{m,P}\circ[m]$ .) The Weil pairing

e_{\phi}:\ker\widehat{\phi}\times\ker\phi\rightarrow\mu_{m}

where $m$ is any positive integer with $\ker\phi\subseteq E[m]$ , and $\mu_{m}$ denotes the $m$ -th roots of unity, is defined by

e_{\phi}(P,Q)=\frac{g_{P}(X+Q)}{g_{P}(X)},

where $X$ is any auxiliary point chosen disjoint from the supports of $g_{P}$ and $g_{P}\circ t_{Q}$ (the function $g_{P}$ precomposed with translation by $Q$ ).

The above definition generalizes naturally to a pairing associated to an isogeny; taking the isogeny to be the multiplication-by-m map $[m]$ recovers the $m$ -Weil pairing.

The standard properties are as follows.

Proposition 2.3.

Suppose $m$ is coprime to $\operatorname{char}(K)$ in the case of positive characteristic. Definitions 2.1 and 2.2 are well-defined, equal, and have the following properties (restricting to the case $\phi=[m]$ for the first definition):

(1)

Bilinearity: for $P,P_{1},P_{2}\in\ker\widehat{\phi}$ and $Q,Q_{1},Q_{2}\in\ker\phi$ ,

	$\displaystyle e_{\phi}(P_{1}+P_{2},Q)$	$\displaystyle=e_{\phi}(P_{1},Q)e_{\phi}(P_{2},Q),$
	$\displaystyle e_{\phi}(P,Q_{1}+Q_{2})$	$\displaystyle=e_{\phi}(P,Q_{1})e_{\phi}(P,Q_{2}).$

(2)

Alternating: for $P\in E[m]$ ,

$e_{m}(P,P)=1.$
(3)

Skew-symmetry: for $P\in\ker\widehat{\phi}$ and $Q\in\ker\phi$ ,

$e_{\phi}(P,Q)=e_{\widehat{\phi}}(Q,P)^{-1}.$
(4)

Non-degeneracy: for nonzero $P\in E[m](\overline{K})$ , there exists $Q\in E[m](\overline{K})$ such that

$e_{m}(P,Q)\neq 1.$
(5)

Coherence: for $P\in\ker\widehat{\phi}\circ\widehat{\psi}$ , and $Q\in\ker\phi$ ,

$e_{\psi\circ\phi}(P,Q)=e_{\phi}(\widehat{\psi}P,Q).$

and for $P\in\ker\widehat{\psi}$ , and $Q\in\ker\psi\circ\phi$ ,

$e_{\psi\circ\phi}(P,Q)=e_{\psi}(P,\phi Q).$
(6)

Compatibility: For $m$ -torsion points $P$ and $Q$ ,

$e_{m}(\widehat{\phi}P,Q)=e_{m}(P,\phi Q).$
(7)

Galois invariance: for $P,Q\in E[m]$ , and $\sigma\in\operatorname{Gal}(\overline{K}/K)$ ,

$e_{m}(P,Q)^{\sigma}=e_{m}(P^{\sigma},Q^{\sigma}).$

Proof.

For example, see [19, Chapter 16], [15], [2, Sec 3.1]. ∎

For elliptic curves over $\mathbb{C}$ , the Weil pairing can be interpreted as a determinant, or an intersection pairing; see [6]. The Weil pairing also arises from the Cartier duality of the kernels of an isogeny and its dual; see Mumford [14, IV.§20, p.183-5] and Milne [13, §11,16].

2.2. The Tate-Lichtenbaum pairing

Another pairing intimately related to the Weil pairing is the Tate-Lichtenbaum pairing. This pairing was first defined by Tate [20] for abelian varieties over $p$ -adic number fields in 1958. In 1959, Lichtenbaum defined a pairing on Jacobian varieties and showed that it coincided with the pairing of Tate [10]. The pairing was introduced to cryptography by Frey and Rück [4]. Descriptions can be found in Silverman [17, VIII.2, X.1] and Duquesne-Frey [3]. For our version here, see for example [5].

Definition 2.4.

Let $m>1$ be an integer. Let $E$ be an elliptic curve defined over a field $K$ . Suppose that $P\in E(K)[m]$ . Choose divisors $D_{P}$ and $D_{Q}$ of disjoint support such that

D_{P}\sim(P)-(\mathcal{O}),\qquad D_{Q}\sim(Q)-(\mathcal{O}).

Then $mD_{P}\sim 0$ , hence there is a function $f_{P}$ such that

\operatorname{div}(f_{P})=mD_{P}.

The Tate-Lichtenbaum pairing

t_{m}:E(K)[m]\times E(K)/mE(K)\rightarrow K^{*}/(K^{*})^{m}

is defined by

t_{m}(P,Q)=f_{P}(D_{Q}).

Proposition 2.5.

Definition 2.4 is well-defined, and has the following properties:

(1)

Bilinearity: for $P,P^{\prime}\in E(K)[m]$ and $Q,Q^{\prime}\in E(K)$

	$\displaystyle t_{m}(P+P^{\prime},Q)$	$\displaystyle=t_{m}(P,Q)t_{m}(P^{\prime},Q),$
	$\displaystyle t_{m}(P,Q+Q^{\prime})$	$\displaystyle=t_{m}(P,Q)t_{m}(P,Q^{\prime}).$

(2)

Non-degeneracy: Let $K$ be a finite field containing the $m$ -th roots of unity $\mu_{m}$ . For nonzero $P\in E(K)[m]$ , there exists $Q\in E(K)$ such that

$t_{m}(P,Q)\neq 1.$

Furthermore, for $Q\in E(K)\backslash mE(K)$ , there exists $P\in E(K)[m]$ such that

$t_{m}(P,Q)\neq 1.$
(3)

Compatibility: For an $m$ -torsion point $P\in E$ , an isogeny $\phi:E\rightarrow E^{\prime}$ , and a point $Q\in E^{\prime}$ ,

$t_{m}(\widehat{\phi}P,Q)=t_{m}(P,\phi Q).$
(4)

Galois invariance: for $P,Q\in E[m]$ , and $\sigma\in\operatorname{Gal}(\overline{K}/K)$ ,

$t_{m}(P,Q)^{\sigma}=t_{m}(P^{\sigma},Q^{\sigma}).$

Proof.

See for example [19, Chapter 16], [15] and [2, Sec 3.2]. ∎

Remark 2.6.

For purposes such as cryptography, where we wish to compare values of the Tate-Lichtenbaum pairing, it is typical to apply a final exponentiation by $(q-1)/m$ in order to obtain values in $\mu_{m}$ .

Including this final exponentiation, there is a more general notion of Tate pairing associated to a $K$ -rational isogeny $\phi:E\rightarrow E^{\prime}$ when $K=\mathbb{F}_{q}$ , that is,

t_{\phi}:\ker\widehat{\phi}(K)\times E^{\prime}(K)/\phi E(K)\rightarrow\mu_{m},

where $m$ is any positive integer so that $\ker\phi\subseteq E[m]\subseteq E[q-1]$ . This generalizes the definition above when $\phi=[m]$ , and can be given by

t_{\phi}(P,Q)=e_{\phi}(\pi_{q}(T)-T,P),

where $T$ is an arbitrarily chosen $\phi$ -preimage of $Q$ , $\pi_{q}$ is the $q$ -power Frobenius, and $e_{\phi}$ is the Weil pairing. It has the property that its values agree with those of $t_{m}^{\frac{q-1}{m}}$ on the common codomain; in other words, it is a restriction. See [1], [15] and [2, Sec 3.2]; see also [8].

3. The calculus of $R$ -divisors

Let $R$ be an order in an imaginary quadratic field or quaternion algebra. Such a ring $R$ comes equipped with an involution which we term conjugation, denoted $\alpha\mapsto\overline{\alpha}$ . In the quaternion algebra case, this is order reversing: $\overline{\alpha\beta}=\overline{\beta}\overline{\alpha}$ .

Let $E$ be an elliptic curve with divisor group $\operatorname{Div}(E)$ . We extend common notions from $\operatorname{Div}(E)$ to $R\otimes_{\mathbb{Z}}\operatorname{Div}(E)$ . We emphasize that in this section we make no assumption that $E$ has complex multiplication.

In what follows we choose an integral basis: write $R=\mathbb{Z}[\tau_{i}]:=\sum_{i}\tau_{i}\mathbb{Z}$ , where $\tau_{0}=1$ and we let $i$ range in $\{0,1\}$ or $\{0,1,2,3\}$ according to the rank $r\in\{2,4\}$ of $R$ . When we sum over $i$ the range will be understood in context.

3.1. $R$ -divisors

We define $\operatorname{Div}_{R}(E):=R\otimes_{\mathbb{Z}}\operatorname{Div}(E)$ to be the $R$ -module generated by all symbols $(P)$ , where $P$ is a point of $E$ , i.e. finite formal $R$ -linear combinations $\sum_{P}\alpha_{P}(P)$ of such symbols, which we call $R$ -divisors. (We will frequently suppress the $\otimes$ for notational simplicity.) Then $\operatorname{Div}_{R}(E)$ is an $R$ -module under the action $\alpha\cdot(\beta\otimes D)=\alpha\beta\otimes D$ . A divisor $\sum_{P}\alpha_{P}(P)$ is of degree $0$ if $\sum_{P}\alpha_{P}=0$ in $R$ ; these form a sub- $R$ -module $\operatorname{Div}^{0}_{R}(E)\cong R\otimes_{\mathbb{Z}}\operatorname{Div}^{0}(E)$ .

In the presence of a preferred integral basis $\tau_{i}$ for $R$ , we can write a sum over $i$ :

\sum_{P}\left(\sum_{i}m_{i,P}\tau_{i}\right)(P)=\sum_{i}\tau_{i}\left(\sum_{P}m_{i,P}(P)\right).

We say that a divisor of degree zero

D=\sum_{i}\tau_{i}D_{i},\quad D_{i}\in\operatorname{Div}(E),

is principal if $D_{i}$ , $i=0,\ldots,r-1$ , are all principal in $\operatorname{Div}(E)$ . We see that the principal divisors form a sub- $R$ -module and we define $\operatorname{Pic}_{R}(E)$ and $\operatorname{Pic}_{R}^{0}(E)$ to be the $R$ -module quotient of $\operatorname{Div}_{R}(E)$ and $\operatorname{Div}_{R}^{0}(E)$ by the principal divisors. Observe that being principal in $\operatorname{Pic}_{R}^{0}(E)$ is independent of basis, and that $\operatorname{Pic}_{R}(E)\cong R\otimes_{\mathbb{Z}}\operatorname{Pic}(E)$ , $\operatorname{Pic}_{R}^{0}(E)\cong R\otimes_{\mathbb{Z}}\operatorname{Pic}^{0}(E)$ .

If $f=\prod f_{i}^{\tau_{i}}\in(K(E)^{*})^{\otimes_{\mathbb{Z}}R}$ , we define

\operatorname{div}(f)=\sum_{i}\tau_{i}\operatorname{div}(f_{i}).

Thus principal divisors are those which are divisors of $f\in(K(E)^{*})^{\otimes_{\mathbb{Z}}R}$ .

We define the usual push-foward and pull-back operations on divisors by extending $R$ -linearly. Suppose $\phi:E\rightarrow E^{\prime}$ . Then

\phi^{*}\left(\sum_{i}\tau_{i}D_{i}\right)=\sum_{i}\tau_{i}\phi^{*}D_{i},\quad\phi_{*}\left(\sum_{i}\tau_{i}D_{i}\right)=\sum_{i}\tau_{i}\phi_{*}D_{i}.

These inherit the usual desired properties:

(1)

$\phi_{*}\phi^{*}D=(\deg\phi)D$
(2)

$\phi^{*}\operatorname{div}(f)=\operatorname{div}(\phi^{*}f)$ , $\phi_{*}\operatorname{div}(f)=\operatorname{div}(\phi_{*}f)$
(3)

$(\phi\circ\psi)_{*}=\phi_{*}\psi_{*}$ , $(\phi\circ\psi)^{*}=\psi^{*}\phi^{*}$

where we define $\phi_{*}\prod f_{i}^{\tau_{i}}=\prod(\phi_{*}f_{i})^{\tau_{i}}$ and $\phi^{*}\prod f_{i}^{\tau_{i}}=\prod(\phi^{*}f_{i})^{\tau_{i}}$ .

We also have a Galois action: $\left(\sum_{i}\tau_{i}D_{i}\right)^{\sigma}=\sum_{i}\tau_{i}D_{i}^{\sigma}$ for $\sigma\in\operatorname{Gal}(\overline{K}/K)$ .

For a divisor $D=\sum n_{P}(P)\in\operatorname{Div}(E)$ , $n_{P}\in\mathbb{Z}$ , we define

D^{\Sigma}:=\sum[n_{P}]P\in E.

Viewing $E$ as a $\mathbb{Z}$ -module, we obtain an $R$ -module $R\otimes_{\mathbb{Z}}E$ . Then we have an $R$ -module isomorphism

\operatorname{Pic}_{R}^{0}(E)\cong R\otimes_{\mathbb{Z}}E,\quad\sum\tau_{i}D_{i}\mapsto\sum\tau_{i}\otimes D_{i}^{\Sigma}.

To show this is an isomorphism, we need to check that it is injective (surjectivity is clear). If $D=\sum_{i}\tau_{i}D_{i}\mapsto\mathcal{O}$ then $D_{i}^{\Sigma}=\mathcal{O}$ for all $i$ , so $D$ is principal. In fact, an inverse is given by

\sum\tau_{i}\otimes P_{i}\mapsto\sum_{i}\tau_{i}((P_{i})-(\mathcal{O})).

3.2. Evaluation of functions at divisors

Let $\mathbb{G}_{m}$ be the multiplicative group. Then $\mathbb{G}_{m}^{\otimes_{\mathbb{Z}}R}$ is an $R$ -module whose action is written multiplicatively as $\alpha\cdot x=x^{\otimes\alpha}=x^{\alpha}$ . As a reminder, the action is still a left action, so

\left({\prod g_{i}^{\tau_{i}}}\right)^{\alpha}=\prod g_{i}^{{\alpha\tau_{i}}}

It also has a conjugation which will be useful:

\overline{\prod g_{i}^{\tau_{i}}}:=\prod g_{i}^{\overline{\tau_{i}}}.

Similarly, $(K(E)^{*})^{\otimes_{\mathbb{Z}}R}$ has a left $R$ -module structure and conjugation. Therefore, for $f\in(K(E)^{*})^{\otimes_{\mathbb{Z}}R}$ , we let

(1)

\operatorname{div}(f^{\alpha})={\alpha}\cdot\operatorname{div}(f),

so that $\operatorname{div}$ becomes an $R$ -module homomorphism.

We define evaluation of $f=\prod f_{i}^{\tau_{i}}\in k(E)^{\otimes_{\mathbb{Z}}R}$ at $D\in\operatorname{Div}(E)$ as $f(D)=\prod f_{i}(D)^{\tau_{i}}$ , and extend to $D\in\operatorname{Div}_{R}(E)$ by defining

f(\alpha\cdot D)=f(D)^{\overline{\alpha}}.

This definition requires that the supports of $D$ and $\operatorname{div}(f)$ are disjoint. Observe the vinculum²²2Thank you to my brother and Wikipedia for teaching me this term for an $\backslash\text{overline}$ ., which reflects the duality between $f$ and $D$ . Among other things, it allows for the two left $R$ -actions to communicate in the non-commutative setting:

f(\alpha\beta\cdot D)=f(\beta\cdot D)^{\overline{\alpha}}=f(D)^{\overline{\beta}\overline{\alpha}}=f(D)^{\overline{\alpha\beta}}.

3.3. Weil reciprocity

A variation of Weil reciprocity ([9, Chapter VI, Corollary to Theorem 10]) holds for us:

Theorem 3.1.

Let $f,g\in(K(E)^{*})^{\otimes_{\mathbb{Z}}R}$ . Then

f(\operatorname{div}(g))=\overline{g(\operatorname{div}(f))}.

Proof.

The proof relies on Weil reciprocity for $\operatorname{Div}(E)$ . Suppose $f=\prod_{i}f_{i}^{\tau_{i}}$ and $g=\prod_{j}g_{j}^{\tau_{j}}$ . We have

	$\displaystyle f(\operatorname{div}(g))$	$\displaystyle=\prod_{i}f_{i}(\operatorname{div}(g))^{\tau_{i}}=\prod_{ij}f_{i}(\operatorname{div}(g_{j}))^{\overline{\tau_{j}}\tau_{i}}=\prod_{ij}g_{j}(\operatorname{div}(f_{i}))^{\overline{\tau_{j}}\tau_{i}}$
		$\displaystyle=\overline{\prod_{ij}g_{j}(\operatorname{div}(f_{i}))^{\overline{\tau_{i}}\tau_{j}}}=\overline{\prod_{j}g_{j}(\operatorname{div}(f))^{\tau_{j}}}=\overline{g(\operatorname{div}(f))}.$

∎

4. Sesquilinear pairings

If $R$ is commutative, an $R$ -sesquilinear pairing is a bilinear pairing $\langle\cdot,\cdot\rangle$ on a pair of $R$ -modules, taking values in another $R$ -module, that satisfies

\langle\alpha x,\beta y\rangle={\alpha}{\overline{\beta}}\cdot\langle x,y\rangle,\text{ for all }\alpha,\beta\in R.

For the non-commutative case, we need to add a type of twisting. Recall that $R$ is a maximal order in a division algebra. Thus we can set the notation $R_{\gamma}:=\gamma^{-1}R\gamma\cap R$ , a subring of $R$ . For $\gamma\in R$ and $\delta\in R_{\gamma}$ , let $\delta^{(\gamma)}$ be defined as that element of $R$ which satisfies $\delta^{(\gamma)}\gamma=\gamma\delta$ . For us, a $\gamma$ -twisted $R$ -sesquilinear pairing is a bilinear pairing $\langle\cdot,\cdot\rangle$ on a pair of modules, the first an $R_{\gamma}$ -module and the second an $R$ -module, taking values in another $R$ -module, that satisfies

\langle\alpha x,\beta y\rangle={\overline{\beta}}\;{{\alpha}^{(\overline{\gamma})}}\cdot\langle x,y\rangle,\text{ for all }\alpha\in R_{\gamma},\beta\in R.

Observe that for rank $2$ , commutativity implies $\delta^{(\gamma)}=\delta$ and $R_{\gamma}=R$ , so the $\gamma$ -twisting is vacuous, and we recover sesquilinear pairings in the traditional sense.

4.1. Generalization of Tate-Lichtenbaum pairing

For each $\alpha\in R$ , we define an $\alpha$ -twisted $R$ -sesquilinear pairing generalizing the Tate-Lichtenbaum pairing:

T_{\alpha}:\operatorname{Pic}_{R}^{0}(E)[\overline{\alpha}]\times\operatorname{Pic}_{R}^{0}(E)/R\alpha\operatorname{Pic}_{R}^{0}(E)\rightarrow\mathbb{G}_{m}^{\otimes_{\mathbb{Z}}R}/(\mathbb{G}_{m}^{\otimes_{\mathbb{Z}}R})^{R\overline{\alpha}},

T_{\alpha}(D_{P},D_{Q})=f_{P}(D_{Q})\quad\text{ where }\quad\operatorname{div}(f_{P})=\overline{\alpha}\cdot D_{P},

where $D_{P}$ and $D_{Q}$ are chosen to have disjoint support. Observe that $\operatorname{Pic}_{R}^{0}(E)[\overline{\alpha}]$ is an $R$ -module when $R$ is commutative, but in general we can only assume it is an $R_{\overline{\alpha}}$ -module. Also, we use $R\alpha\operatorname{Pic}_{R}^{0}(E)$ since $\alpha\operatorname{Pic}_{R}^{0}(E)$ may not be an $R$ -module in the non-commutative case.

To satisfy the condition on supports, observe that for any divisor $D\in\operatorname{Pic}_{R}^{0}(E)$ , there exist points $P_{0},\ldots,P_{r-1}\in E$ so that

(2)

D\sim\sum_{i}\tau_{i}((P_{i}+S)-(S))

for any auxiliary point $S\in E$ . In particular, if $P_{0},\ldots,P_{r-1}$ are such that $D_{P}\sim\sum_{i}\tau_{i}((P_{i})-(\mathcal{O}))$ , and

\overline{\alpha}\tau_{i}=\sum_{j}\alpha_{ji}\tau_{j},

then we can take $f_{P}=\prod_{i}f_{i}^{\tau_{i}}\in(K(E)^{*})^{\otimes_{\mathbb{Z}}R}$ , where

(3)

\operatorname{div}(f_{i})=\sum_{j=0}^{r-1}\alpha_{ij}(P_{j})-\left(\sum_{j=0}^{r-1}\alpha_{ij}\right)(\mathcal{O}),

and then by a judicious choice of $D_{Q}$ (choosing $S$ in the linearly equivalent form (2)), we can satisfy the condition on disjoint supports.

Remark 4.1.

The equations (3) allow for a Miller-style algorithm to compute this pairing [11] [7, §26.3.1]. This is polynomial time in the coefficients of the minimal polynomial of $\alpha$ . For example, if $R$ has basis $1$ and $\tau$ , and $D_{P}=\left((P_{0})-(\mathcal{O})\right)+\tau\cdot\left((P_{1})-(\mathcal{O})\right)$ , and

\overline{\alpha}=a+c\tau,\quad\overline{\alpha}\tau=b+d\tau,\quad a,b,c,d\in\mathbb{Z},

then $f_{P}=f_{0}f_{1}^{\tau}\in(K(E)^{*})^{\otimes_{\mathbb{Z}}R}$ , where

(4)

\operatorname{div}(f_{0})=a(P_{0})+b(P_{1})-(a+b)(\mathcal{O}),\quad\operatorname{div}(f_{1})=c(P_{0})+d(P_{1})-(c+d)(\mathcal{O}).

More details are given for the CM case in Algorithm 5.7.

Theorem 4.2.

The pairing defined above is well-defined, bilinear, and satisfies

(1)

Twisted sesquilinearity: For $\gamma\in R_{\overline{\alpha}}$ and $\delta\in R$ ,

${T}_{\alpha}(\gamma\cdot D_{P},\delta\cdot D_{Q})={T}_{\alpha}(D_{P},D_{Q})^{{\overline{\delta}}\;{\gamma}^{(\overline{\alpha})}}.$
(2)

Compatibility: Let $\phi:E\rightarrow E^{\prime}$ . Then

$T_{\alpha}(\phi_{*}D_{P},\phi_{*}D_{Q})=T_{\alpha}(D_{P},D_{Q})^{\deg\phi}.$

(3)

Coherence: Suppose $D_{P}\in\operatorname{Pic}_{R}^{0}(E)[\overline{\beta\alpha}]$ , and $D_{Q}\in\operatorname{Pic}_{R}^{0}(E)/R\beta\alpha\operatorname{Pic}_{R}^{0}(E)$ . Then

T_{\beta\alpha}(D_{P},D_{Q})\bmod{(\mathbb{G}_{m}^{\otimes_{\mathbb{Z}}R})^{R\overline{\alpha}}}=T_{\alpha}(\overline{\beta}\cdot D_{P},D_{Q}\bmod R\alpha\operatorname{Pic}_{R}^{0}(E)).

Suppose $D_{P}\in\operatorname{Pic}_{R}^{0}(E)[\overline{\beta}]$ , and $D_{Q}\in\operatorname{Pic}_{R}^{0}(E)/R\beta\alpha\operatorname{Pic}_{R}^{0}(E)$ . Then

T_{\beta\alpha}(D_{P},D_{Q})\bmod{(\mathbb{G}_{m}^{\otimes_{\mathbb{Z}}R})^{R\overline{\beta}}}=T_{\beta}(D_{P},\alpha\cdot D_{Q}\bmod R\beta\operatorname{Pic}_{R}^{0}(E)).

(4)

Galois invariance: Suppose $E$ is defined over a field $K$ . Let $\sigma\in\operatorname{Gal}(\overline{K}/K)$ . Then

$T_{\alpha}(D_{P},D_{Q})^{\sigma}=T_{\alpha}(D_{P}^{\sigma},D_{Q}^{\sigma}).$

Proof.

Choice of representative $D_{Q}$ in the divisor class: Suppose $D_{Q}\sim D_{Q}^{\prime}$ . Then for some $g\in(K(E)^{*})^{\otimes_{\mathbb{Z}}R}$ , having divisor $\operatorname{div}(g)=D_{Q}-D_{Q}^{\prime}$ , and using Weil reciprocity³³3There’s a subtlety here. Observe that $\overline{(g^{\beta})^{\alpha}}=\overline{g^{\alpha\beta}}=g^{\overline{\alpha\beta}}=g^{\overline{\beta}\;\overline{\alpha}}=g^{\overline{\alpha}^{(\overline{\beta})}\overline{\beta}}=(g^{\overline{\beta}})^{\overline{\alpha}^{(\overline{\beta})}}$ , so that it is only in the case that $R$ is commutative that $\overline{g^{\alpha}}=\overline{g}^{\overline{\alpha}}$ . However, it is still true that $\overline{g^{\alpha}}\in(\mathbb{G}_{m}^{\otimes_{\mathbb{Z}}R})^{R\overline{\alpha}}$ . (Theorem 3.1),

f_{P}(D_{Q})f_{P}(D_{Q}^{\prime})^{-1}=f_{P}(\operatorname{div}(g))=\overline{g(\operatorname{div}(f_{P}))}=\overline{g(\overline{\alpha}\cdot D_{P})}=\overline{g(D_{P})^{{\alpha}}}\in(\mathbb{G}_{m}^{\otimes_{\mathbb{Z}}R})^{R\overline{\alpha}}.

Choice of $D_{Q}$ modulo $R\alpha\operatorname{Pic}_{R}^{0}(E)$ :

f_{P}(D_{Q}+\gamma\alpha\cdot D^{\prime})=f_{P}(D_{Q})f_{P}(D^{\prime})^{\overline{\alpha}\;\overline{\gamma}}.

Choice of representative $D_{P}$ in the divisor class: Suppose $D_{P}\sim D_{P}^{\prime}$ . Notice that if we let $\operatorname{div}(f_{P})=\overline{\alpha}\cdot D_{P}$ and $\operatorname{div}(f_{P}^{\prime})=\overline{\alpha}\cdot D_{P}^{\prime}$ , then

\operatorname{div}(f_{P}^{\prime})=\operatorname{div}(f_{P})+\overline{\alpha}\cdot(D_{P}-D_{P}^{\prime}).

Hence $f_{P}^{\prime}=f_{P}g^{\overline{\alpha}}$ where $\operatorname{div}(g)=D_{P}-D_{P}^{\prime}$ , which is principal by assumption. Then

f_{P}^{\prime}(D_{Q})=f_{P}(D_{Q})g(D_{Q})^{\overline{\alpha}}.

Choice of $f_{P}$ : Any two choices of $f_{P}$ differ by a constant scalar, but $D_{Q}$ has degree $0$ by assumption, so the constant cancels in the formula $f_{P}(D_{Q})$ .

Bilinearity: Let $D_{P}$ , $D_{P}^{\prime}\in\operatorname{Div}^{0}_{R}(E)[\overline{\alpha}]$ and $\operatorname{div}(f_{P})=\overline{\alpha}\cdot D_{P}$ , $\operatorname{div}(f_{P}^{\prime})=\overline{\alpha}\cdot D_{P}^{\prime}$ . Then

{T}_{\alpha}(D_{P}+D_{P}^{\prime},D_{Q})=f_{P}(D_{Q})f_{P}^{\prime}(D_{Q})={T}_{\alpha}(D_{P},D_{Q}){T}_{\alpha}(D_{P}^{\prime},D_{Q}).

In the other factor,

{T}_{\alpha}(D_{P},D_{Q}+D_{Q}^{\prime})=f_{P}(D_{Q}+D_{Q}^{\prime})=f_{P}(D_{Q})f_{P}(D_{Q}^{\prime})={T}_{\alpha}(D_{P},D_{Q}){T}_{\alpha}(D_{P},D_{Q}^{\prime}).

Twisted sesquilinearity: Suppose $f_{P}$ has divisor $\overline{\alpha}\cdot D_{P}$ . In evaluating $T_{\alpha}(\gamma\cdot D_{P},\delta\cdot D_{Q})$ , we evaluate the function with divisor $\overline{\alpha}\cdot\gamma\cdot D_{P}=\gamma^{(\overline{\alpha})}\cdot\overline{\alpha}\cdot D_{P}$ at the divisor $\delta\cdot D_{Q}$ . Since $\operatorname{div}(f_{P}^{{\mu}})=\mu\cdot\operatorname{div}(f_{P})$ by (1), this becomes

f_{P}(\delta\cdot D_{Q})^{{\gamma}^{(\overline{\alpha})}}=f_{P}(D_{Q})^{\overline{\delta}\;{\gamma}^{(\overline{\alpha})}}.

Compatibility: Observe that $\overline{\alpha}\cdot\phi_{*}D_{P}=\phi_{*}(\overline{\alpha}\cdot D_{P})$ . Therefore, in the computation of $T_{\alpha}(\phi_{*}D_{P},\phi_{*}D_{Q})$ , we evaluate $\phi_{*}f_{P}$ at $\phi_{*}D_{Q}$ . We have

\phi_{*}f_{P}(\phi_{*}D_{Q})=f_{P}(\phi^{*}\phi_{*}D_{Q})=f_{P}(D_{Q})^{\deg\phi},

where the last equality depends upon the fact that $\phi^{*}\phi_{*}D\sim(\deg\phi)D$ for $D\in\operatorname{Pic}^{0}_{R}(E)$ .

Coherence: Both statements follow immediately from the definitions.

Galois invariance: This is immediate, since by our definition of the actions of $R$ on the various entities involved, we have $(\gamma\cdot D)^{\sigma}=\gamma\cdot D^{\sigma}$ for any $\gamma\in R$ . ∎

Remark 4.3.

In cryptographic applications, we typically restrict to inputs defined over a field $\mathbb{F}_{q}$ . If $R$ is commutative, to obtain canonical representatives of the codomain, it may be useful to post-compose with a map

(\mathbb{F}_{q}^{*})^{\otimes_{\mathbb{Z}}R}/((\mathbb{F}_{q}^{*})^{\otimes_{\mathbb{Z}}R})^{\overline{\alpha}}\rightarrow\mu_{\overline{\alpha}}:=\{u\in\mu_{N(\alpha)}^{\otimes_{\mathbb{Z}}R}\subseteq(\mathbb{F}_{q}^{*})^{\otimes_{\mathbb{Z}}R}:u^{\overline{\alpha}}=1\},

given by

x\mapsto x^{(q-1)\overline{\alpha}^{-1}}.

Proposition 4.4.

Let $n\in\mathbb{Z}$ . For positive integers $n$ , let

t_{n}:E[n]\times E/[n]E\rightarrow\mathbb{G}_{m}/\mathbb{G}_{m}^{n}

denote the usual Tate-Lichtenbaum pairing as in Section 2.2. Let $D_{P}\in\operatorname{Pic}_{R}^{0}(E)[n]$ and $D_{Q}\in\operatorname{Pic}_{R}^{0}(E)$ . Suppose

D_{P}\sim\sum_{i}\tau_{i}\cdot\left((P_{i})-(\mathcal{O})\right),\quad D_{Q}\sim\sum_{i}\tau_{i}\cdot\left((Q_{i})-(\mathcal{O})\right).

Then

T_{n}(D_{P},D_{Q})=\prod_{i,j=0}^{r-1}t_{n}(P_{i},Q_{j})^{\overline{\tau_{j}}\tau_{i}}.

Furthermore, when both of the following quantities are defined, we have

{T}_{N(\alpha)}(D_{P},D_{Q})\equiv{T}_{\alpha}(D_{P},D_{Q})^{\alpha}\pmod{(\mathbb{G}_{m}^{\otimes_{\mathbb{Z}}R})^{R\overline{\alpha}}}

Proof.

By a linear equivalence, assume that

D_{P}=\sum_{i}\tau_{i}\cdot\left((P_{i})-(\mathcal{O})\right),\quad D_{Q}=\sum_{j}\tau_{j}\cdot\left((Q_{j}+S)-(S)\right).

where $S$ is chosen to avoid intersections of supports. We have from (3), we have $f_{P}=\prod_{i}f_{i}^{\tau_{i}}$ where

\operatorname{div}(f_{i})=n(P_{i})-n(\mathcal{O}).

We obtain

T_{n}(D_{P},D_{Q})=\prod_{j}\left(\prod_{i}f_{i}((Q_{j}+S)-(S))^{\tau_{i}}\right)^{\overline{\tau_{j}}}.

That shows the first statement. For the second, suppose $\operatorname{div}(f_{P})=\overline{\alpha}\cdot D_{P}$ . Then for any divisor $D_{Q}$ with sufficiently disjoint support,

(f_{P}^{{\alpha}})(D_{Q})=f_{P}(D_{Q})^{{\alpha}}.

On the left, we see this is by definition a representative of $T_{n}(D_{P},D_{Q})$ in $\mathbb{G}_{m}^{\otimes_{\mathbb{Z}}R}/(\mathbb{G}_{m}^{\otimes_{\mathbb{Z}}R})^{n}$ , since $\operatorname{div}(f_{P}^{\alpha})=\alpha\cdot\operatorname{div}(f_{P})=nD_{P}$ . However, looking at the right, this is also a representative of $T_{\alpha}(D_{P},D_{Q})^{\alpha}$ in $\mathbb{G}_{m}^{\otimes_{\mathbb{Z}}R}/(\mathbb{G}_{m}^{\otimes_{\mathbb{Z}}R})^{R\overline{\alpha}}$ . ∎

In particular, in the rank $2$ case,

\overline{\tau}=Tr(\tau)-\tau,\quad\overline{\tau}\tau=N(\tau),

which gives

(5)

{T}_{n}(D_{P},D_{Q})=\left(t_{n}(P_{0},Q_{0})t_{n}(P_{1},Q_{1})^{N(\tau)}t_{n}(P_{0},Q_{1})^{Tr(\tau)}\right)\left(t_{n}(P_{1},Q_{0})t_{n}(P_{0},Q_{1})^{-1}\right)^{\tau}.

Let $\langle x,y\rangle$ be a bilinear pairing on $\mathbb{Z}[\tau]$ . Then

\displaystyle\langle x_{1}+\tau x_{2},y_{1}+\tau y_{2}\rangle

\displaystyle:=\langle x_{1},y_{1}\rangle+N(\tau)\langle x_{2},y_{2}\rangle+Tr(\tau)\langle x_{1},y_{2}\rangle+\tau\left(\langle x_{2},y_{1}\rangle-\langle x_{1},y_{2}\rangle\right)

defines a sesquilinear pairing (conjugate linear in second entry). This explains the formula (5), and in fact we could define the pairing $T_{n}(D_{P},D_{Q})$ from $t_{n}(P_{i},Q_{i})$ directly by using Proposition 4.4 as a definition.

Remark 4.5.

There does not seem to be an analogous construction for $T_{\alpha}(D_{P},D_{Q})$ in terms of $t_{n}(P_{i},Q_{i})$ . The best we can do requires computing some preimages under multiplication maps. Specifically, by coherence,

T_{\alpha}(D_{P},\overline{\alpha}\cdot D_{S})=T_{n}(D_{P},D_{S}).

To use this for calculation, letting $r=2$ for simplicity, suppose $D_{S}=(S_{0})-(\mathcal{O})+\tau\cdot\left((S_{1})-(\mathcal{O})\right)$ . Then suppose $\overline{\alpha}=a+c\tau,\overline{\alpha}\tau=b+d\tau$ , $a,b,c,d\in\mathbb{Z}$ . Then

	$\displaystyle\overline{\alpha}\cdot D_{S}$	$\displaystyle=a(S_{0})+b(S_{1})-(a+b)(\mathcal{O})+\tau\cdot\left(c(S_{0})+d(S_{1})-(c+d)(\mathcal{O})\right)$
		$\displaystyle\sim([a]S_{0}+[b]S_{1})-(\mathcal{O})+\tau\cdot\left(([c]S_{0}+[d]S_{1})-(\mathcal{O})\right).$

Thus, we can give an expression for $T_{\alpha}(D_{P},D_{Q})$ in terms of the classical Tate-Lichtenbaum pairing applied to combinations of $P_{0},P_{1},S_{0},S_{1}$ provided the $S_{i}$ solve

[a]S_{0}+[b]S_{1}=Q_{0},\quad[c]S_{0}+[b]S_{1}=Q_{1}.

A principal ideal ring is one in which all right and left ideals are principal.

Lemma 4.6.

Let $R$ be a ring with an involution called conjugation, $I$ be a principal two-sided ideal of $R$ , and suppose that $R/I$ is a finite principal ideal ring. Let $t:A\times B\rightarrow R/I$ be a sesquilinear form on $R$ -modules (conjugate linear in one variable). Suppose that $t$ is non-degenerate. Then if $a\in A$ has annihilator $I$ , then $t(a,\cdot)$ is surjective. Furthermore, if $b\in B$ has annihilator $I$ , then $t(\cdot,b)$ is surjective.

Proof.

Since $R^{\prime}:=R/I$ is a principal ideal ring, we claim that there is no proper $R$ -submodule of $R^{\prime}$ with annihilator $I$ . Indeed, every submodule $R^{\prime\prime}$ of $R^{\prime}$ is cyclic as an $R^{\prime}$ module, hence of the form $R^{\prime\prime}\cong R^{\prime}/J$ for some ideal $J$ which is the annihilator of $R^{\prime\prime}$ . By a cardinality argument, if $R^{\prime\prime}$ is a proper submodule of $R^{\prime}$ , then $J$ is non-trivial and the annihilator of $R^{\prime\prime}$ as an $R$ -module is strictly larger than $I$ .

Now let $a\in A$ have annihilator $I$ . Then $t(a,B)$ is an $R$ -module with annihilator equal to the intersection of the annihilators of all elements $t(a,b)\in R/I$ , $b\in B$ . If this intersection is equal to $I$ , then we have surjectivity, by the preceding argument. If not, then there exists some element $r\in R$ which does not annihilate $a$ , but does annihilate $t(a,B)$ . These two properties, respectively, have the consequences that there exists $b\in B$ such that $t(ra,b)\neq 0$ by non-degeneracy, but simultaneously that $t(a,\overline{r}b)=0$ . This contradiction completes the argument that $t(a,\cdot)$ is surjective. The argument that $t(\cdot,b)$ is surjective is similar. ∎

Theorem 4.7.

Let $K$ be a finite field over which the endomorphisms of $R$ are defined. Let $\alpha\in R$ be coprime to $char(K)$ and the discriminant of $R$ . Let $n=N(\alpha)$ . Suppose $K$ contains the $n$ -th roots of unity. Then

T_{\alpha}:\operatorname{Pic}_{R}^{0}(E)[\overline{\alpha}](K)\times\operatorname{Pic}_{R}^{0}(E)(K)/R\alpha\operatorname{Pic}_{R}^{0}(E)(K)\rightarrow(K^{*})^{\otimes_{\mathbb{Z}}R}/((K^{*})^{\otimes_{\mathbb{Z}}R})^{R\overline{\alpha}}

is non-degenerate. Furthermore, if $D_{P}$ has annihilator $R\overline{\alpha}R$ , then $T_{\alpha}(D_{P},\cdot)$ is surjective; and if $D_{Q}$ has annihilator $R\alpha R$ , then $T_{\alpha}(\cdot,D_{Q})$ is surjective.

Proof.

First, a few preliminaries. Using the fact that $K^{*}$ is cyclic of order divisible by $\overline{\alpha}$ , the target $(K^{*})^{\otimes_{\mathbb{Z}}R}/((K^{*})^{\otimes_{\mathbb{Z}}R})^{R\overline{\alpha}}\cong R/R\overline{\alpha}R$ as $R$ -modules, and this is finite. We wish to apply Lemma 4.6.

If $R$ is an imaginary quadratic order, then its quotient $R/\overline{\alpha}R$ is a principal ideal ring (since $\overline{\alpha}$ is coprime to the discriminant).

If $R$ is an order in a quaternion algebra, then $R\otimes\mathbb{Q}_{p}\cong M_{2}(\mathbb{Q}_{p})$ for $p$ not dividing the discriminant of $R$ . This implies, in particular, that $R/p^{k}R\cong M_{2}(\mathbb{Z}/p^{k}\mathbb{Z})$ , which is a principal ideal ring. By assumption, $\overline{\alpha}$ is coprime to the discriminant. For any prime $\overline{\alpha}$ , the ring $R/R\overline{\alpha}R$ is a quotient of such a ring, hence a principal ideal ring. In general, $R/R\overline{\alpha}R$ is a product of principal ideal rings, hence a principal ideal ring.

So by Lemma 4.6, it suffices to check non-degeneracy. Consider first the non-degeneracy of $T_{n}$ , $n\in\mathbb{Z}$ . Let $D_{P}$ be given. We show non-degeneracy on the left by finding $D_{Q}$ so that $T_{n}(D_{P},D_{Q})$ is non-trivial. By Proposition 4.4, and the non-degeneracy of the traditional Tate pairing $t_{n}$ , we can choose $D_{Q}$ so that $T_{n}(D_{P},D_{Q})$ is non-trivial (e.g., provided $P_{0}\neq\mathcal{O}$ , choose $Q_{i}$ , $i>0$ to be $\mathcal{O}$ to simplify the condition). This depends upon the following fact: the image of $T_{n}$ is taken modulo $n$ -th powers, hence a non- $n$ -th power entry in one position of $\mathbb{G}_{m}^{\otimes_{\mathbb{Z}}R}$ implies the element represents a non-trivial coset. Hence $T_{n}$ is left-non-degenerate. An exactly similar argument shows $T_{n}$ is right-non-degenerate.

Now we consider general $\alpha$ , with $n=N(\alpha)$ . Suppose $\operatorname{div}(f_{P})=\overline{\alpha}\cdot D_{P}$ . Then for any divisor $D_{Q}$ with sufficiently disjoint support, as observed in the proof of Proposition 4.4,

(6)

(f_{P}^{{\alpha}})(D_{Q})=f_{P}(D_{Q})^{{\alpha}}.

By non-degeneracy of $T_{n}$ , fixing non-trivial $D_{P}\in\operatorname{Pic}_{R}^{0}(E)[\overline{\alpha}](K)\subseteq\operatorname{Pic}_{R}^{0}(E)[n](K)$ , one may choose $D_{Q}\in\operatorname{Pic}_{R}^{0}(E)(K)$ so that $T_{n}(D_{P},D_{Q})$ is not an $n$ -th power. The expression (6) is a representative of $T_{n}(D_{P},D_{Q})$ , so is not an $n$ -th power. Therefore $f_{P}(D_{Q})$ cannot be an $\overline{\alpha}$ -power in $\mathbb{G}_{m}^{\otimes_{\mathbb{Z}}R}$ . However, this is a representative of $T_{\alpha}(D_{P},D_{Q})$ . Therefore we have shown left non-degeneracy.

On the right, fix a non-trivial $D_{Q}\in\operatorname{Pic}_{R}^{0}(E)(K)/R\alpha\operatorname{Pic}_{R}^{0}(E)(K)$ . Choose $\beta\in\mathbb{Z}[\alpha]$ coprime to $\alpha$ such that $m:=\alpha\beta\in\mathbb{Z}$ and $m$ divides $n$ . By coprimality, we may choose a lift $\beta\cdot D_{Q}^{\prime}\in\operatorname{Pic}_{R}^{0}(E)(K)/Rm\operatorname{Pic}_{R}^{0}(E)(K)$ of $D_{Q}$ . We know there exists some $D_{P}\in\operatorname{Pic}_{R}^{0}(E)[m](K)$ so that $T_{m}(D_{P},{D_{Q}^{\prime}})$ is non-trivial, using the earlier case (since $m$ divides $n$ ). Consider the two quantities

T_{\alpha}(D_{P},D_{Q}),\quad T_{m}(D_{P},{D_{Q}^{\prime}}).

Suppose $\operatorname{div}(f_{P})=mD_{P}=\overline{\alpha}\cdot\overline{\beta}\cdot D_{P}$ . Then the quantity $f_{P}(D_{Q}^{\prime})\in(K^{*})^{\otimes_{\mathbb{Z}}R}$ is a representative of both of the two quantities just displayed, in their respective domains. Since $T_{m}(D_{P},D_{Q}^{\prime})$ is not an $m$ -th power in $(K^{*})^{\otimes_{\mathbb{Z}}R}$ , we observe that $T_{\alpha}(D_{P},D_{Q})=T_{\alpha}(D_{P},D_{Q}^{\prime})^{\overline{\beta}}$ is not a $m$ -th power, so $T_{\alpha}(D_{P},D_{Q}^{\prime})$ is not an $\overline{\alpha}$ power. By coprimality, $T_{\alpha}(D_{P},D_{Q})=T_{\alpha}(D_{P},D_{Q}^{\prime})^{\overline{\beta}}$ is not an $\overline{\alpha}$ power. ∎

4.2. Generalization of Weil pairing

Let $\mathbb{G}_{m}^{\otimes_{\mathbb{Z}}R}[\overline{\alpha}]=\{x\in\mathbb{G}_{m}^{\otimes_{\mathbb{Z}}R}:x^{\overline{\alpha}}=1^{\otimes 0}\}$ , which⁴⁴4Keep in mind the multiplicative nature of our notation: $1^{\otimes\tau}=1^{\otimes 1}=1^{\otimes 0}=x^{\otimes 0}$ , all representing the identity element of the $R$ -module. we might call the $\overline{\alpha}$ -th roots of unity in $\mathbb{G}_{m}^{\otimes_{\mathbb{Z}}R}$ . We can define a generalization of the Weil pairing

W_{\alpha}:\operatorname{Pic}_{R}^{0}(E)[\overline{\alpha}]\times\operatorname{Pic}^{0}_{R}(E)[{\alpha}]\rightarrow\mathbb{G}_{m}^{\otimes_{\mathbb{Z}}R}[\overline{\alpha}],\quad W_{\alpha}(D_{P},D_{Q})=f_{P}(D_{Q})\overline{f_{Q}(D_{P})}^{-1},

where $\operatorname{div}(f_{P})=\overline{\alpha}\cdot D_{P}$ and $\operatorname{div}(f_{Q})={\alpha}\cdot D_{Q}$ , where the pairs ( $f_{P}$ , $D_{Q}$ ) and ( $f_{Q}$ , $D_{P}$ ) have disjoint support; we reuse the notation from the definition of $T_{\alpha}$ (Section 4.1).

Remark 4.8.

Comparing to $T_{\alpha}$ , we may wish to write

W_{\alpha}(D_{P},D_{Q})\stackrel{{\scriptstyle?}}{{=}}T_{\alpha}(D_{P},D_{Q}){\overline{T_{\overline{\alpha}}(D_{Q},D_{P})}}^{-1},

but a priori, this is not well-defined, because the validity of the equality depends on the correct choice of representative for the coset of $T_{\alpha}(D_{P},D_{Q})$ or $T_{\overline{\alpha}}(D_{Q},D_{P})$ .

Theorem 4.9.

The definition above is well-defined, bilinear, and satisfies:

(1)

Restricted Sesquilinearity: For $\gamma,\delta$ such that $\gamma^{(\alpha)}=\gamma$ and $\delta^{(\overline{\alpha})}=\delta$ , we have

${W}_{\alpha}(\gamma\cdot D_{P},\delta\cdot D_{Q})={W}_{\alpha}(D_{P},D_{Q})^{\overline{\delta}\gamma}.$
(2)

Conjugate skew-Hermitianity:

$W_{\alpha}(D_{P},D_{Q})=\overline{W_{\overline{\alpha}}(D_{Q},D_{P})}^{-1}.$
(3)

Compatibility: Let $\phi:E\rightarrow E^{\prime}$ . Then

$W_{\alpha}(\phi_{*}D_{P},\phi_{*}D_{Q})=W_{\alpha}(D_{P},D_{Q})^{\deg\phi}.$

(4)

Coherence: For $D_{P}\in\operatorname{Pic}_{R}^{0}(E)[\overline{\beta\alpha}]$ , $D_{Q}\in\operatorname{Pic}^{0}_{R}(E)[{\beta\alpha}]$ ,

W_{\beta\alpha}(D_{P},D_{Q})=W_{\alpha}(\overline{\beta}\cdot D_{P},D_{Q})\in\mathbb{G}_{m}^{\otimes_{\mathbb{Z}}R}[\overline{\alpha}],\quad W_{\beta\alpha}(D_{P},D_{Q})=W_{\beta}(D_{P},{\alpha}\cdot D_{Q})\in\mathbb{G}_{m}^{\otimes_{\mathbb{Z}}R}[\overline{\beta}].

(5)

Galois invariance: Suppose $E$ is defined over a field $K$ . Let $\sigma\in\operatorname{Gal}(\overline{K}/K)$ ; then

$W_{\alpha}(D_{P},D_{Q})^{\sigma}=W_{\alpha}(D_{P}^{\sigma},D_{Q}^{\sigma}).$

Proof.

We begin with well-definition. Suppose $D_{Q}\sim D_{Q}^{\prime}$ and $D_{P}\sim D_{P}^{\prime}$ , and let $\operatorname{div}(g_{1})=D_{Q}-D_{Q}^{\prime}$ and $\operatorname{div}(g_{2})=D_{P}-D_{P}^{\prime}$ . From Weil reciprocity,

\frac{\overline{f_{Q}(D_{P})}}{\overline{f_{Q}^{\prime}(D_{P})}}=\overline{\left(\frac{f_{Q}}{f_{Q}^{\prime}}\right)(D_{P})}=\overline{g_{1}(D_{P})^{\alpha}}=\overline{g_{1}(\overline{\alpha}\cdot D_{P})}=\frac{f_{P}(D_{Q})}{f_{P}(D_{Q}^{\prime})}.

Therefore, $W_{\alpha}(D_{P},D_{Q})=W_{\alpha}(D_{P},D_{Q}^{\prime})$ . By a symmetrical argument, $W_{\alpha}(D_{P},D_{Q})=W_{\alpha}(D_{P}^{\prime},D_{Q}^{\prime})$ . Note that a scalar change of $f_{P}$ or $f_{Q}$ will cancel. Thus $W_{\alpha}$ is well-defined taking values in $\mathbb{G}_{m}^{\otimes_{\mathbb{Z}}R}$ . The proof of bilinearity is as for $T_{\alpha}$ in Theorem 4.2. From the definition, observe that $W_{\alpha}(D_{P},0)=W_{\alpha}(0,D_{Q})=1$ . In particular, bilinearity implies the image is in $\mathbb{G}_{m}^{\otimes_{\mathbb{Z}}R}[\overline{\alpha}]$ .

The argument for sesquilinearity of $T_{\alpha}$ in the proof of Theorem 4.2 works equally well here, as does the argument for compatibility. Conjugate skew-Hermitianity is exactly from the definition of $W_{\alpha}$ . For coherence, recall that $\overline{\alpha\beta}=\overline{\beta}\overline{\alpha}$ and apply the definitions. Galois invariance follows as in Theorem 4.2. ∎

Theorem 4.10.

Suppose $E$ has CM by $[\alpha]$ . Suppose $R$ is an imaginary quadratic order. Let $D_{P}\in\operatorname{Pic}_{R}^{0}(E)[\overline{\alpha}]$ . Fixing $D_{P}$ as a representative in its class, let $g_{P}$ be a function with divisor $\operatorname{div}(g_{P})=[\alpha]^{*}D_{P}$ . Suppose $D_{Q}\in\operatorname{Pic}_{R}^{0}(E)[\alpha]$ . It is possible to choose the representative $D_{Q}$ so that $[\alpha]_{*}D_{Q}=0$ ; do so. Then

{W}_{\alpha}(D_{P},D_{Q})=\frac{g_{P}(D_{Q}+X)}{g_{P}(X)},

where $X$ is any element of $\operatorname{Pic}_{R}^{0}(E)$ such that $X$ and $D_{Q}+X$ are not in the support of $g_{P}$ .

Proof.

In the case $E$ has CM by $\alpha\in R$ , $E^{\otimes_{\mathbb{Z}}R}$ is a $\mathbb{Z}[\alpha]$ -module in two ways. To distinguish them, write $[\alpha](P^{\otimes\beta}):=([\alpha]P)^{\otimes\beta}$ versus $(P^{\otimes\beta})^{\alpha}=P^{\otimes\alpha\beta}$ . Fix $f_{P}$ to have divisor $\overline{\alpha}\cdot D_{P}$ . Then the condition on a function $g_{P}$ that $g_{P}^{\overline{\alpha}}=f_{P}\circ[\alpha]$ up to scaling is equivalent to $g_{P}^{\overline{\alpha}}=[\alpha]^{*}f_{P}$ up to scaling, which is equivalent to $\operatorname{div}(g_{P})=[\alpha]^{*}D_{P}$ because

\operatorname{div}(g_{P}^{\overline{\alpha}})=\overline{\alpha}\cdot\operatorname{div}(g_{P}),\quad\operatorname{div}([\alpha]^{*}f_{P})=[\alpha]^{*}{\overline{\alpha}}\cdot D_{P}={\overline{\alpha}}\cdot[\alpha]^{*}D_{P}.

We now give a formula for a function $g_{P}$ and show it has the equivalent properties above, so it must be an elliptic function with divisor $[\overline{\alpha}]^{*}D_{P}$ . Choose an auxiliary point $D_{T}\in\operatorname{Div}_{R}^{0}(E)$ with support disjoint from that of $f_{P}$ but such that $[\alpha+1]_{*}D_{T}=0$ . Define for all divisors $D_{X}$ ,

H_{D_{X}}:=[{\alpha}]_{*}D_{X}-[{\alpha}-1]_{*}D_{T}+D_{T}-{\alpha}\cdot(D_{X}-D_{T})\in\operatorname{Pic}_{R}^{0}(E).

This is principal by construction, so we write $H_{D_{X}}=\operatorname{div}(h_{D_{X}})$ . In order to specify $g_{P}$ up to scaling, it suffices to give its values on $\operatorname{Pic}_{R}^{0}(E)$ . Let $D_{X}$ be an arbitrary divisor. Set

g_{P}(D_{X}):=f_{P}(D_{X})\overline{h_{D_{X}}(D_{P})}.

Then

	$\displaystyle g_{P}(D_{X})^{\overline{\alpha}}=$	$\displaystyle f_{P}({\alpha}\cdot D_{X}){\overline{h_{D_{X}}(\overline{\alpha}\cdot D_{P})}}$
	$\displaystyle=$	$\displaystyle f_{P}({\alpha}\cdot D_{X}+\operatorname{div}(h_{D_{X}}))$
	$\displaystyle=$	$\displaystyle f_{P}({\alpha}\cdot D_{T}+[{\alpha}]_{}D_{X}-[{\alpha}+1]_{}D_{T}+D_{T})$
	$\displaystyle=$	$\displaystyle f_{P}([{\alpha}]_{}D_{X}-[{\alpha}+1]_{}D_{T})f_{P}(D_{T})^{{\alpha}+1}$
	$\displaystyle=$	$\displaystyle f_{P}([{\alpha}]_{*}D_{X})f_{P}(D_{T})^{{\alpha}+1}.$

Replace $g_{P}$ with a scalar multiple so that we obtain $g_{P}^{\overline{\alpha}}=f_{P}\circ[\alpha]$ . This provides us with a formula for $g_{P}$ .

Now, we observe that since $\alpha\cdot D_{Q}$ is principal, $[\alpha]_{*}D_{Q}$ is principal. But then we can translate $D_{Q}$ by a principal divisor (every principal divisor in the image of a pushforward $[\alpha]_{*}$ has a principal preimage, since such principal divisors are supported on points in the image of $[\alpha]$ ) so that $[\alpha]_{*}D_{Q}=0$ . This allows us to make the choice stipulated by the theorem statement. Then, using $[\alpha]_{*}D_{Q}=0$ , the divisor

\operatorname{div}(h_{D_{X}})-\operatorname{div}(h_{D_{X}+D_{Q}})=\alpha\cdot D_{Q}-[\alpha]_{*}D_{Q}=\alpha\cdot D_{Q}

is the divisor of a function $f_{Q}$ . We may now compute

	$\displaystyle\frac{g_{P}(D_{X}+D_{Q})}{g_{P}(D_{X})}$	$\displaystyle=\frac{f_{P}(D_{X}+D_{Q})\overline{h_{D_{X}+D_{Q}}(D_{P})}}{f_{P}(D_{X})\overline{h_{D_{X}}(D_{P})}}$
		$\displaystyle={f_{P}(D_{Q})}{\overline{f_{Q}(D_{P})}^{-1}}$
		$\displaystyle={W}_{\alpha}(D_{P},D_{Q}).$

∎

Analogously to Proposition 4.4, for $W_{n}$ , we can give an expression in terms of the classical Weil pairing.

Proposition 4.11.

The following hold.

(1)

Let $n\in\mathbb{Z}$ . Let

$e_{n}:E[n]\times E[n]\rightarrow\mu_{n}$

denote the usual Weil pairing as in Section 2.1. Let $D_{P},D_{Q}\in\operatorname{Pic}_{R}^{0}(E)[n]$ . Suppose

$D_{P}\sim\sum\tau_{i}\cdot\left((P_{i})-(\mathcal{O})\right),\quad D_{Q}\sim\sum\tau_{i}\cdot\left((Q_{i})-(\mathcal{O})\right).$

Then

$W_{n}(D_{P},D_{Q})=\prod_{i,j=0}^{r-1}e_{n}(P_{i},Q_{j})^{\overline{\tau_{j}}\tau_{i}}.$
(2)

Now suppose $R$ is an imaginary quadratic order, and $\alpha\in R$ . Suppose

$e_{\alpha}:E[\overline{\alpha}]\times E[\alpha]\rightarrow\mu_{N(\alpha)}$

denote the usual Weil pairing as in Section 2.1. Let $D_{P}\in\operatorname{Pic}_{R}^{0}(E)[\overline{\alpha}]$ , $D_{Q}\in\operatorname{Pic}_{R}^{0}(E)[\alpha]$ . Suppose

$D_{P}\sim\sum\tau_{i}\cdot\left((P_{i})-(\mathcal{O})\right),\quad D_{Q}\sim\sum\tau_{i}\cdot\left((Q_{i})-(\mathcal{O})\right).$

Then

$W_{\alpha}(D_{P},D_{Q})=\prod_{i,j=0}^{1}e_{\alpha}(P_{i},Q_{j})^{\overline{\tau_{j}}\tau_{i}}.$
(3)

Finally, when both of the following quantities are defined, and when $R$ is an imaginary quadratic order, with $\alpha\in R$ , then

${W}_{N(\alpha)}(D_{P},D_{Q})={W}_{\alpha}(D_{P},D_{Q})^{\alpha}.$

Proof.

By a linear equivalence, assume that

D_{P}=\sum_{i}\tau_{i}\cdot\left((P_{i})-(\mathcal{O})\right),\quad D_{Q}=\sum_{j}\tau_{j}\cdot\left((Q_{j}+S)-(S)\right).

where $S$ is chosen to avoid intersections of supports. We have from (3), we have $f_{P}=\prod_{i}f_{i,P}^{\tau_{i}}$ , $f_{Q}=\prod_{i}f_{j,Q}^{\tau j}$ where

\operatorname{div}(f_{i,P})=n(P_{i})-n(\mathcal{O}),\quad\operatorname{div}(f_{j,Q})=n(Q_{j}+S)-n(S).

We obtain⁵⁵5In counterpoint to the footnote in the proof of Theorem 4.2, we do have $\overline{g^{\alpha}}=g^{\overline{\alpha}}$ when $g\in\mathbb{G}_{m}^{\otimes 1}$ .

	$\displaystyle W_{n}(D_{P},D_{Q})$	$\displaystyle=f_{P}\left(\sum_{j}\tau_{j}((Q_{j}+S)-(S))\right)\overline{f_{Q}\left(\sum_{i}\tau_{i}((P_{i})-(\mathcal{O}))\right)}^{-1}$
		$\displaystyle=\prod_{j}f_{P}((Q_{j}+S)-(S))^{\overline{\tau_{j}}}\overline{\prod_{i}f_{Q}((P_{i})-(\mathcal{O}))^{\overline{\tau_{i}}}}^{-1}$
		$\displaystyle=\prod_{j}\left(\prod_{i}f_{i,P}((Q_{j}+S)-(S))^{\tau_{i}}\right)^{\overline{\tau_{j}}}\overline{\prod_{i}\left(\prod_{j}f_{j,Q}((P_{i})-(\mathcal{O}))^{\tau_{j}}\right)^{\overline{\tau_{i}}}}^{-1}$
		$\displaystyle=\prod_{j}\prod_{i}f_{i,P}((Q_{j}+S)-(S))^{\overline{\tau_{j}}\tau_{i}}\overline{f_{j,Q}((P_{i})-(\mathcal{O}))^{\overline{\tau_{i}}\tau_{j}}}^{-1}$
		$\displaystyle=\prod_{j}\prod_{i}f_{i,P}((Q_{j}+S)-(S))^{\overline{\tau_{j}}\tau_{i}}\left(f_{j,Q}((P_{i})-(\mathcal{O}))^{\overline{\tau_{j}}{\tau_{i}}}\right)^{-1}$

That shows the first statement. For the second and third, suppose $\operatorname{div}(f_{P})=\overline{\alpha}\cdot D_{P}$ and $\operatorname{div}(f_{Q})=\alpha\cdot D_{Q}$ .

For the second statement, we use the alternate definitions of $e_{\alpha}$ and $W_{\alpha}$ in terms of $g_{P}$ (Definition 2.2 and Theorem 4.10). Using the notation $g_{P}$ and $X$ from Theorem 4.10, we write $g_{P}=\prod_{i}g_{i,P}^{\tau_{i}}$ , $D_{P}=\sum_{i}\tau_{i}D_{i,P}$ (so that $\operatorname{div}(g_{i,P})=D_{i,P}$ ), $D_{Q}=\sum_{j}\tau_{j}D_{j,Q}$ and $X=\sum_{j}\tau_{j}X_{j}$ . Then, much as in the computation above,

W_{\alpha}(D_{P},D_{Q})=\frac{g_{P}(D_{Q}+X)}{g_{P}(X)}=\prod_{i,j}\left(\frac{g_{i,P}(D_{j,Q}+X_{j})^{\overline{\tau_{j}}\tau_{i}}}{g_{i,P}(X_{j})^{\overline{\tau_{j}}\tau_{i}}}\right)=\prod_{i,j}e_{\alpha}(D_{i,P},D_{j,Q})^{\overline{\tau_{j}}\tau_{i}}.

For the final (third) statement, observe that for any divisor $D_{Q}$ with sufficiently disjoint support,

\frac{(f_{P}^{{\alpha}})(D_{Q})}{\overline{(f_{Q}^{\overline{\alpha}})(D_{P})}}=\left(\frac{f_{P}(D_{Q})}{\overline{f_{Q}(D_{P})}}\right)^{{\alpha}}.

On the left, this is a representative of $W_{n}(D_{P},D_{Q})$ in $\mathbb{G}_{m}^{\otimes_{\mathbb{Z}}R}[n]$ , since $\operatorname{div}(f_{P}^{\alpha})=\alpha\cdot\operatorname{div}(f_{P})=nD_{P}$ and $\operatorname{div}(f_{Q}^{\overline{\alpha}})=\overline{\alpha}\cdot\operatorname{div}(f_{Q})=nD_{Q}$ . However, looking at the right, this is also a representative of $W_{\alpha}(D_{P},D_{Q})^{\alpha}$ in $\mathbb{G}_{m}^{\otimes_{\mathbb{Z}}R}[\overline{\alpha}]$ . ∎

Remark 4.12.

Because of the footnote in the proof of Theorem 4.2, the last displayed equation of the proof above does not necessarily hold when $R$ is a quaternion algebra. Furthermore, if one is interested in the second statement of the theorem, in the case of $R$ a quaternion algebra, one could use the definition in Theorem 4.10 as the primary definition of the Weil pairing, but then one may wish to reprove Theorem 4.9; we have not attempted this.

When $E$ has CM by $\alpha\in R$ , and $R$ is an imaginary quadratic order, then there is an alternate definition along the lines of the second definition in Section 2.1. Observe that for any field $K$ containing the $n$ -th roots of unity, where $n=N(\alpha)$ , we have $(K^{*})^{\otimes_{\mathbb{Z}}R}[\overline{\alpha}]\cong(R/nR)[\overline{\alpha}]\cong R/R\overline{\alpha}R$ .

Theorem 4.13.

Let $\alpha\in R$ have norm $n=N(\alpha)$ . Let $\overline{K}$ be an algebraically closed field with characteristic coprime to $n$ . Suppose $n$ is also coprime to the discriminant of $R$ . The pairing

{W}_{\alpha}:\operatorname{Pic}_{R}^{0}(E)[\overline{\alpha}](\overline{K})\times\operatorname{Pic}_{R}^{0}(E)[\alpha](\overline{K})\rightarrow(R/nR)[\overline{\alpha}]

is non-degenerate.

Proof.

As in the proof of Theorem 4.7, for $W_{n}$ it suffices to use Proposition 4.11 and the non-degeneracy of $e_{n}$ (Proposition 2.3). Now consider the general case. Fix $D_{P}\in\operatorname{Pic}_{R}^{0}(E)[\overline{\alpha}](\overline{K})$ . Suppose $W_{\alpha}(D_{P},D_{Q})=1$ for all $D_{Q}\in\operatorname{Pic}_{R}^{0}(E)[\alpha](\overline{K})$ . Then for all $D_{Q}\in\operatorname{Pic}_{R}^{0}(E)[N(\alpha)](\overline{K})$ , we have $\overline{\alpha}\cdot D_{Q}\in\operatorname{Pic}_{R}^{0}(E)[\alpha](\overline{K})$ , and therefore $W_{N(\alpha)}(D_{P},D_{Q})=W_{\alpha}(D_{P},\overline{\alpha}\cdot D_{Q})=1$ . So we have $D_{P}\sim 0$ by the first case. ∎

5. Curves with complex multiplication

Thus far the pairings we have constructed are somewhat abstract, being defined even for elliptic curves having no complex multiplication. In this section, we ‘transport’ these pairings to curves with complex multiplication by subrings of $R$ , and see that the pairings interact with the endomorphisms.

If we have an $R$ -module homomorphism into $\operatorname{Pic}_{R}^{0}(E)$ , this transports a pairing and its properties from the target to the source.

5.1. Transport via CM subrings

Suppose $S\subseteq R$ is a subring, and suppose that $E$ has CM by $S$ . Fix a map $[\cdot]:S\rightarrow\operatorname{End}(E)$ , $\gamma\mapsto[\gamma]$ .

Then for $\gamma\in S$ , $[\gamma]_{*}$ acts on $\operatorname{Pic}^{0}(E)$ . Then there is a surjective $R$ -module homomorphism

\operatorname{Pic}_{R}^{0}(E)\cong R\otimes_{\mathbb{Z}}\operatorname{Pic}^{0}(E)\rightarrow R\otimes_{S}\operatorname{Pic}^{0}(E).

which in particular takes

\gamma\cdot D\rightarrow\gamma\cdot D\sim[\gamma]_{*}D

for all $\gamma\in S$ . This gives rise to an exact sequence of $R$ -modules defining $\operatorname{Pic}_{R,S}^{0}(E)$ as follows:

(7)

Thus we can transport pairings to $\operatorname{Pic}_{R,S}^{0}(E)$ . When $R=S$ , we can identify $\operatorname{Pic}_{R,S}^{0}(E)$ with $E^{r-1}$ via

E^{r-1}\rightarrow\operatorname{Pic}_{R,S}^{0}(E),\quad(P_{1},\ldots,P_{r-1})\mapsto\left(\sum[-\tau_{i}]P_{i}\right)-(\mathcal{O})+\sum\tau_{i}\left((P_{i})-(\mathcal{O})\right).

(This is not canonical; there’s a choice of automorphism of $E^{r-1}$ .) Thus we obtain pairings on $E^{r-1}$ .

5.2. Imaginary quadratic case

Suppose $E$ defined over $K$ has CM by $R$ , an order in an imaginary quadratic field. To fix a map $R\rightarrow\operatorname{End}(E)$ , denoted $\gamma\rightarrow[\gamma]$ , we first fix an injection $\iota:R\rightarrow\overline{K}$ , and then we can take that which is normalized as in [18, II.1.1], i.e. $[\gamma]^{*}\omega=\iota(\gamma)\omega$ for the invariant differential $\omega$ of $E$ and $\gamma\in R$ . The situation of the last subsection becomes

(8)

given by $R$ -module homomorphism

\epsilon:\operatorname{Pic}^{0}_{R}(E)\rightarrow E,\quad\sum\alpha_{i}(P_{i})\mapsto\sum[\alpha_{i}]P_{i}.

The kernel is an $R$ -module, identified with $E$ via

\eta:E\rightarrow\operatorname{Pic}_{R}^{0}(E),\quad P\mapsto([-\tau]P)-(\mathcal{O})+\tau((P)-(\mathcal{O})).

but note that the $R$ -module action on this $E$ is twisted:

(9)

\eta([\alpha]P)=\overline{\alpha}\cdot\eta(P),

because if $\alpha=a+c\tau$ and $\alpha\tau=b+d\tau$ , then $\overline{\alpha}=d-c\tau$ and $\overline{\alpha}\tau=-b+a\tau$ , so

\eta([\alpha]P)=([-\tau\alpha]P)-(\mathcal{O})+\tau(([\alpha]P)-(\mathcal{O}))\sim(d([-\tau]P)-b(P)+\tau(-c([-\tau]P)+a(P)))=\overline{\alpha}\cdot\eta(P).

Observe that $\eta$ is not actually dependent on the choice of $\tau$ ; a map fitting the exact sequence is unique up to automorphism of $E$ . Notice $\eta$ respects the action of any isogeny $\phi:E\rightarrow E^{\prime}$ which itself respects CM by $R$ , i.e., if $\phi\circ[\tau]=[\tau]\circ\phi$ , then

\eta(\phi P)=\phi_{*}\eta(P).

Finally, we discuss the Galois action. Let $\sigma\in\operatorname{Gal}(\overline{K}/K)$ . Recall that the exact sequence (8) depends upon the normalized choice of map $R\rightarrow\operatorname{End}(E)$ and the injection $\iota$ . Write $\eta_{E}$ and $\eta_{E^{\sigma}}$ to distinguish. When we conjugate $E$ to $E^{\sigma}$ , making these normalized choices, there is an isomorphism $\operatorname{End}(E)\cong\operatorname{End}(E^{\sigma})$ given by $([\alpha]_{E})^{\sigma}=[\alpha^{\sigma}]_{E^{\sigma}}$ (this follows as in [18, II.2.2(a)]). Then the following commutes:

(10)

where the notation $R^{\sigma}$ indicates that we use the injection $\iota\circ\sigma:R\rightarrow K$ in defining $\eta_{E^{\sigma}}$ , i.e. we initially replace $R$ with $R^{\sigma}$ so that

\eta_{E^{\sigma}}:E^{\sigma}\rightarrow\operatorname{Pic}_{R^{\sigma}}^{0}(E),\quad P\mapsto([-\tau^{\sigma}]P)-(\mathcal{O})+\tau^{\sigma}((P)-(\mathcal{O})).

This preserves the Galois action on $\operatorname{Pic}_{R}^{0}$ as given before:

(\gamma\cdot\eta_{E}(P))^{\sigma}=\eta_{E}([\overline{\gamma}]_{E}P)^{\sigma}=\eta_{E^{\sigma}}([\overline{\gamma}^{\sigma}]_{E^{\sigma}}P^{\sigma})={\gamma}\cdot\eta_{E^{\sigma}}(P^{\sigma})=\gamma\cdot(\eta_{E}(P))^{\sigma}.

5.3. Imaginary quadratic pairings

Define

\widehat{W}_{\alpha}:E[\overline{\alpha}]\times E[\alpha]\rightarrow\mathbb{G}_{m}^{\otimes_{\mathbb{Z}}R}[\alpha],\quad\widehat{W}_{\alpha}(P,Q)=W_{\overline{\alpha}}({\eta}(P),\eta(Q)),

where $\eta$ is as in the previous section.

Theorem 5.1.

The pairing defined above is well-defined, bilinear, and satisfies

(1)

Restricted Sesquilinearity: For $\gamma,\delta$ such that $\gamma^{(\alpha)}=\gamma$ and $\delta^{(\overline{\alpha})}=\delta$ , we have

$\widehat{W}_{\alpha}([\gamma]P,[\delta]Q)=\widehat{W}_{\alpha}(P,Q)^{\delta\overline{\gamma}}.$
(2)

Conjugate skew-Hermitianity:

$\widehat{W}_{\alpha}(P,Q)=\overline{\widehat{W}_{\overline{\alpha}}(Q,P)}^{-1}.$
(3)

Compatibility: Let $\phi:E\rightarrow E^{\prime}$ be an isogeny between curves with CM by $R$ and satisfy $[\alpha]\circ\phi=\phi\circ[\alpha]$ . Then for $P\in E[\overline{\alpha}]$ and $Q\in E[\alpha]$ ,

$\widehat{W}_{\alpha}(\phi P,\phi Q)=\widehat{W}_{\alpha}(P,Q)^{\deg\phi}.$

(4)

Coherence: For $P\in E[\overline{\alpha\beta}]$ , $Q\in E[{\alpha\beta}]$ ,

\widehat{W}_{\alpha\beta}(P,Q)=\widehat{W}_{\alpha}([\overline{\beta}]P,Q)\in\mathbb{G}_{m}^{\otimes_{\mathbb{Z}}R}[\alpha],\quad\widehat{W}_{\alpha\beta}(P,Q)=\widehat{W}_{\beta}(P,[{\alpha}]Q)\in\mathbb{G}_{m}^{\otimes_{\mathbb{Z}}R}[\beta].

(5)

Galois invariance: Suppose $E$ is defined over a field $K$ , and suppose there is an injection $\iota:R\rightarrow\overline{K}$ ; indicate this in the notation for the pairing as discussed above. For $\sigma\in\operatorname{Gal}(\overline{K}/K)$ ,

$\widehat{W}^{\iota}_{\alpha}(P,Q)^{\sigma}=\widehat{W}^{\iota\circ\sigma}_{\alpha}(P^{\sigma},Q^{\sigma}).$

Proof.

We see immediately that this pairing is sesquilinear, skew-Hermitian, coherent and compatible, since $\eta$ is a twisted $R$ -module homomorphism. Recalling that $\eta([\alpha]P)=\overline{\alpha}\cdot\eta(P)$ , we have to place the vincula carefully. Galois invariance of $\widehat{W}_{\alpha}$ follows from Galois invariance of $W_{\alpha}$ , with reference to the discussion at the end of the last section. ∎

Theorem 5.2.

Let $\alpha\in R$ . Let $K$ be a finite field with algebraic closure $\overline{K}$ and characteristic coprime to $N(\alpha)$ . Suppose also that $n=N(\alpha)$ is coprime to the discriminant of $R$ . The pairing

\widehat{W}_{\alpha}:E[\overline{\alpha}](\overline{K})\times E[\alpha](\overline{K})\rightarrow(R/nR)[\alpha],\quad\widehat{W}_{\alpha}(P,Q)=W_{\overline{\alpha}}({\eta}(P),\eta(Q)).

is non-degenerate.

Proof.

Note that $(\overline{K}^{*})^{\otimes_{\mathbb{Z}}R}[\alpha]\cong R/nR[\alpha]$ , as in the proof of Theorem 4.13. Using the alternate definition of $\widehat{W}_{\alpha}$ in Theorem 4.10, non-degeneracy is a consequence of the fact that the map

E[\alpha]\rightarrow\operatorname{Aut}[\overline{K}(E)/[\alpha]^{*}\overline{K}(E)],\qquad S\mapsto t_{S}^{*}

is an isomorphism [17, Thm III.4.10(b)] ( $t_{S}$ denoting translation-by- $S$ ).

In particular, fix $P\in E[\overline{\alpha}](\overline{K})$ and assume that $\widehat{W}_{\alpha}(P,Q)=1$ for all $Q\in E[\alpha](\overline{K})$ . Then, using the notation of Theorem 4.10 and its proof, $g_{P}(\eta(X+Q))=g_{P}(\eta(X))$ for all $Q\in E[\alpha](\overline{K})$ , where $X\in E(\overline{K})$ need only satisfy appropriate conditions on supports. So $t_{Q}^{*}$ fixes $g_{P}\circ\eta\in(\overline{K}(E)^{*})^{\otimes_{\mathbb{Z}}R}$ . Therefore, $g_{P}\circ\eta=h\circ[{\alpha}]$ for some $h\in(\overline{K}(E)^{*})^{\otimes_{\mathbb{Z}}R}$ . Hence

h^{\overline{\alpha}}\circ[\alpha]=(h\circ[{\alpha}])^{\overline{\alpha}}=g_{P}^{\overline{\alpha}}\circ\eta=f_{P}\circ[{\alpha}]\circ\eta=f_{P}\circ\eta\circ[\alpha],

implying that $f_{P}\circ\eta=h^{\overline{\alpha}}$ . Taking divisors,

\overline{\alpha}\cdot\operatorname{div}(h)=\operatorname{div}(f_{P}\circ\eta)=\operatorname{div}((f_{P}\circ[-\tau])f_{P}^{\overline{\tau}})=[-\tau]^{*}\operatorname{div}(f_{P})+\overline{\tau}\cdot\operatorname{div}(f_{P})=\overline{\alpha}\cdot\left([-\tau]^{*}D_{P}+\overline{\tau}D_{P}\right).

From this, we determine that $[-\tau]^{*}D_{P}+\overline{\tau}D_{P}$ is principal. Recall that $D_{P}=\eta(P)=([-\tau]P)-(\mathcal{O})+\tau\left((P)-(\mathcal{O})\right)$ . Thus, momentarily writing $D^{\prime}=(P)-(\mathcal{O})$ ,

\displaystyle[-\tau]^{*}D_{P}+\overline{\tau}D_{P}

\displaystyle=[-\tau]^{*}[-\tau]_{*}D^{\prime}+N(\tau)D^{\prime}+Tr(\tau)[-\tau]_{*}D^{\prime}+\tau\left([-\tau]^{*}D^{\prime}-[-\tau]_{*}D^{\prime}\right).

From principality, we conclude that, in particular,

[2N(\tau)-Tr(\tau)\tau]P=\mathcal{O},\quad[\tau-\overline{\tau}]P=\mathcal{O}.

The norms of these coefficients are $-N(\tau)\Delta_{R}$ and $\Delta_{R}$ . Recalling that $P\in E[\overline{\alpha}]$ , and that $\overline{\alpha}$ and $\Delta_{R}$ are coprime, we can conclude that $P=\mathcal{O}$ . ∎

We can describe $\widehat{W}_{\alpha}$ in terms of the usual $\alpha$ -Weil pairing, following immediately from Proposition 4.11.

Theorem 5.3.

Let $e_{\alpha}$ be the $\alpha$ -Weil pairing as described in Section 2.1. Then

\widehat{W}_{\alpha}(P,Q)=\left(e_{\overline{\alpha}}(P,Q)^{2N(\tau)}e_{\overline{\alpha}}([-\overline{\tau}]P,Q)^{Tr(\tau)}\right)\left(e_{\overline{\alpha}}([\overline{\tau}-{\tau}]P,Q)\right)^{\tau}.

Furthermore, when both of the following quantities are defined,

\widehat{W}_{N(\alpha)}(P,Q)=\widehat{W}_{\alpha}(P,Q)^{\overline{\alpha}}.

Using the notation of the last subsection, define

\widehat{T}_{\alpha}:E[\overline{\alpha}]\times E/[\alpha]E\rightarrow\mathbb{G}_{m}^{\otimes_{\mathbb{Z}}R}/(\mathbb{G}_{m}^{\otimes_{\mathbb{Z}}R})^{\alpha},\quad\widehat{T}_{\alpha}(P,Q)=T_{\overline{\alpha}}({\eta}(P),\eta(Q)).

Theorem 5.4.

The pairing defined above is well-defined, bilinear, and satisfies

(1)

Sesquilinearity: For $P\in E[\overline{\alpha}]$ and $Q\in E$ ,

$\widehat{T}_{\alpha}([\gamma]P,[\delta]Q)=\widehat{T}_{\alpha}(P,Q)^{{\overline{\gamma}}{\delta}}.$
(2)

Compatibility: Let $\phi:E\rightarrow E^{\prime}$ be an isogeny between curves with CM by $R$ and satisfy $[\alpha]\circ\phi=\phi\circ[\alpha]$ . Then for $P\in E[\overline{\alpha}]$ and $Q\in E$ ,

$\widehat{T}_{\alpha}(\phi P,\phi Q)=\widehat{T}_{\alpha}(P,Q)^{\deg\phi}.$

(3)

Coherence: Suppose $P\in E[\overline{\alpha\beta}]$ , and $Q\in E/[\alpha\beta]E$ . Then

\widehat{T}_{\alpha\beta}(P,Q)\bmod{(\mathbb{G}_{m}^{\otimes_{\mathbb{Z}}R})^{\alpha}}=\widehat{T}_{\alpha}([\overline{\beta}]P,Q\bmod[{\alpha}]E).

Suppose $P\in E[\overline{\beta}]$ , and $Q\in E/[\alpha\beta]E$ . Then

\widehat{T}_{\alpha\beta}(P,Q)\bmod{(\mathbb{G}_{m}^{\otimes_{\mathbb{Z}}R})^{\beta}}=\widehat{T}_{\beta}(P,[{\alpha}]Q\bmod[{\beta}]E).

(4)

Galois invariance: Suppose $E$ is defined over a field $K$ , and suppose there is an injection $\iota:R\rightarrow\overline{K}$ ; indicate this in the notation for the pairing as discussed above. For $\sigma\in\operatorname{Gal}(\overline{K}/K)$ ,

$\widehat{T}^{\iota}_{\alpha}(P,Q)^{\sigma}=\widehat{T}^{\iota\circ\sigma}_{\alpha}(P^{\sigma},Q^{\sigma}).$

Proof.

The proof is as for Theorem 5.1. ∎

We can describe $\widehat{T}_{n}$ in terms of the usual $n$ -Tate-Lichtenbaum pairing by Proposition 4.4.

Theorem 5.5.

Let $t_{n}$ be the $n$ -Tate-Lichtenbaum pairing as described in Section 2.2.

\widehat{T}_{n}(P,Q)=\left(t_{n}(P,Q)^{2N(\tau)}t_{n}([-\overline{\tau}]P,Q)^{Tr(\tau)}\right)\left(t_{n}([\overline{\tau}-{\tau}]P,Q)\right)^{\tau}.

Furthermore, provided both of the following quantities are defined,

\widehat{T}_{N(\alpha)}(P,Q)=\widehat{T}_{\alpha}(P,Q)^{\overline{\alpha}}\pmod{(\mathbb{G}_{m}^{\otimes_{\mathbb{Z}}R})^{\alpha}}

Our final result is about non-degeneracy.

Proposition 5.6.

Let $K$ be a finite field, and let $E$ be an elliptic curve defined over $K$ . Let $\alpha\in R$ be coprime to $char(K)$ and the discriminant of $R$ . Let $N=N(\alpha)$ . Suppose $K$ contains the $N$ -th roots of unity, and $E[N]=E[N](K)$ . Then

\widehat{T}_{\alpha}:E[\overline{\alpha}](K)\times E(K)/[\alpha]E(K)\rightarrow(K^{*})^{\otimes_{\mathbb{Z}}R}/((K^{*})^{\otimes_{\mathbb{Z}}R})^{\alpha},

is non-degenerate. Furthermore, if $P$ has annihilator $\overline{\alpha}R$ , then $T_{\alpha}(P,\cdot)$ is surjective; and if $Q$ has annihilator $\alpha R$ , then $T_{\alpha}(\cdot,Q)$ is surjective.

Proof.

First, the target is isomorphic to the finite $R$ -module $R/{\alpha}R$ , which is a principal ideal ring (using the coprimality to the discriminant). So we can apply Lemma 4.6, and need only show the non-degeneracy.

Recall that $R=\mathbb{Z}[\tau]$ for some $\tau$ and by the hypotheses on $\alpha$ , $N$ is coprime to $\tau-\overline{\tau}$ . First we prove an auxiliary result about $\widehat{T}_{N}$ . Let $P\in E[N](K)$ . Choose $Q\in E(K)$ so that $t_{N}([\overline{\tau}-\tau]P,Q)$ has order $N$ (this must exist since $P$ has order $N$ , and $N$ is coprime to $\overline{\tau}-\tau$ ). Then by Theorem 5.5,

\displaystyle\widehat{T}_{N}(P,Q)

\displaystyle=\left(t_{N}(P,Q)^{2N(\tau)}t_{N}([-\overline{\tau}]P,P)^{Tr(\tau)}\right)(t_{N}([\overline{\tau}-\tau]P,Q))^{\tau}.

Thus $\widehat{T}_{N}$ is non-degenerate on the left. On the other hand, choosing $Q$ first, then since $\tau-\overline{\tau}$ is coprime to $N$ , there exists $P$ making this non-trivial also. Hence we have both left and right non-degeneracy.

Next, we consider general $\alpha$ . Let $P\in E[\overline{\alpha}](K)$ . Then we can let $\operatorname{div}(f_{\alpha,P})={\alpha}\cdot\eta(P)$ . Let $\operatorname{div}(f_{N,P})=N\cdot\eta(P)=\overline{\alpha}\alpha\cdot\eta(P)$ . Then

f_{N,P}(\eta(Q))=f_{\alpha,P}(\eta(Q))^{\overline{\alpha}}.

This is a representative of $\widehat{T}_{N}(P,Q)$ , and for an appropriate choice of $Q$ modulo $[N]E(K)$ , is not an $N$ -th power (by the first case above). Taking this $Q$ modulo $[\alpha]E(K)$ , $f_{\alpha,P}(\eta(Q))$ , a representative of $\widehat{T}_{\alpha}(P,Q)$ , is not an $\alpha$ power, i.e. non-trivial.

On the other hand, choose $\beta\in R$ coprime to $\alpha$ with $m:=\alpha\beta\in\mathbb{Z}$ and $m$ divides $N$ . Fix non-trivial $Q\in E(K)$ modulo $[\alpha]E(K)$ . We can choose a lift of the form $[\beta]Q^{\prime}$ modulo $[m]E(K)$ for some $Q^{\prime}\in E(K)$ . Consider the quantity

f_{m,P}(\eta(Q^{\prime})),\quad\operatorname{div}(f_{m,P})=m\eta(P).

Then there is some $P\in E[m](K)$ so that the quantity above, as a representative of $\widehat{T}_{m}(P,Q^{\prime})$ , is not an $m$ -th power (as $m$ divides $N$ , this follows from the first part of the proof). But the quantity is also a representative of $\widehat{T}_{\alpha}(P,Q)=\widehat{T}_{\alpha}(P,Q^{\prime})^{\beta}$ , which is still not an $m$ -th power. So $\widehat{T}_{\alpha}(P,Q^{\prime})$ is not an $\alpha$ power. And so $\widehat{T}_{\alpha}(P,Q)$ is not an $\alpha$ power. ∎

5.4. Computation.

We end by giving an explicit formula for $\widehat{T}_{\alpha}(P,Q)$ amenable to computation. This algorithm can be adapted to compute $\widehat{W}_{\alpha}(P,Q)$ also.

Algorithm 5.7.

Recall Remark 4.1. Suppose $a+c\tau=\alpha$ , $b+d\tau=\alpha\tau$ , $a,b,c,d\in\mathbb{Z}$ , which implies $d-c\tau=\overline{\alpha}$ , $-b+a\tau=\overline{\alpha}\tau$ . We take $P\in E[\overline{\alpha}]$ , $D_{P}=\eta(P)$ , $\operatorname{div}(f_{P})=\alpha\cdot D_{P}$ , $f_{P}=f_{P,1}f_{P,2}^{\tau}$ . The following divisors are principal:

\operatorname{div}(f_{P,1})=a([-\tau]P)+b(P)-(a+b)(\mathcal{O}),\quad\operatorname{div}(f_{P,2})=c([-\tau]P)+d(P)-(c+d)(\mathcal{O}).

Choose an auxiliary point $S$ and define $D_{Q}=D_{Q,1}+\tau\cdot D_{Q,2}$ where

D_{Q,1}=([-\tau]Q+[-\tau]S)-([-\tau]S),\quad D_{Q,2}=(Q+S)-(S).

Note that $D_{Q}\sim\eta(Q)$ . Then, choosing $S$ so that the necessary supports are disjoint (i.e. the support of $\operatorname{div}(f_{P,i})$ and $D_{Q,j}$ are disjoint for each pair $i$ , $j$ ), the pairing is defined as

\widehat{T}_{\alpha}(P,Q):=f_{P}(D_{Q})=f_{P,1}(D_{Q,1})f_{P,2}(D_{Q,1})^{\tau}\left(f_{P,1}(D_{Q,2})f_{P,2}(D_{Q,2})^{\tau}\right)^{\overline{\tau}}

which can also be expressed as

\left(f_{P,1}(D_{Q,1})f_{P,1}(D_{Q,2})^{Tr(\tau)}f_{P,2}(D_{Q,2})^{N(\tau)}\right)\left(f_{P,2}(D_{Q,1})f_{P,1}(D_{Q,2})^{-1}\right)^{\tau}.

To turn this into an efficient algorithm, observe that we can compute $f_{P,i}(D)$ for any divisor $D$ supported on a constant number of points, in $O(\log\max\{a,b,c,d\})$ steps, as follows. Define

\operatorname{div}(h_{P,n})=n(P)-([n]P)-(n-1)(\mathcal{O}).

We can compute $h_{P,n}(D)$ using a double-and-add algorithm [11] [7, §26.3.1], evaluating at $D$ at each step. Then observe that

\operatorname{div}(f_{P,1})=\operatorname{div}(h_{[-\tau]P,a})+\operatorname{div}(h_{P,b})+\operatorname{div}(g),\quad\operatorname{div}(g)=([-a\tau]P)+([b]P)-2(\mathcal{O})

Thus, compute $g(D)$ (the straight line through $[-a\tau]P$ and $[b]P$ in Weierstrass coordinates), and multiply together to compute $f_{P,1}(D)=h_{[-\tau]P,a}(D)h_{P,b}(D)g(D)$ . Computing $f_{P,2}(D)$ is similar.

6. Examples

Consider the curve $y^{2}=x^{3}-x$ over the prime field $\mathbb{F}_{q}$ , $q=401$ . This curve has complex multiplication by $\mathbb{Z}[i]$ . Let $\alpha=1-2i$ . A basis for the $5$ -torsion is $P=(204,283)\in E[\overline{\alpha}]$ , $Q=(56,137)\in E[\alpha]$ . Also, $[i]P=(197,46)$ , $[i]Q=(345,334)$ . Note that $Q$ generates $E/[\alpha]E$ and $P$ generates $E[\overline{\alpha}]$ , each of size $5$ . We will compute $\widehat{T}_{\alpha}(P,Q)$ in a variety of ways.

Method 1. Let us compute the pairing using Algorithm 5.7. We have, for $a=d=1$ , $b=2$ , $c=-2$ , that

a+ci=\alpha,\quad b+di=\alpha\tau,\quad d-ci=\overline{\alpha},\quad-b+ai=\overline{\alpha}\tau.

Therefore we define

\operatorname{div}(f_{P,1})=([-i]P)+2(P)-3(\mathcal{O}),\quad\operatorname{div}(f_{P,2})=-2([-i]P)+(P)+(\mathcal{O}).

Recall that $[2]P=[i]P$ , since $[\overline{\alpha}]P=\mathcal{O}$ . Using the notation $L(T,U)$ for the line through $T$ and $U$ , having divisor $(T)+(U)-(T+U)-(\mathcal{O})$ and $V(T)$ for the vertical line through $T$ , having divisor $(T)+(-T)-2(\mathcal{O})$ , we have from the expression above that

f_{P,1}=L(P,P).

Therefore, using the standard Weierstrass model and its addition formulæ,

f_{P,1}(X,Y)=(Y-\lambda_{1}X+\lambda_{1}x(P)-y(P))(X-x(2P)),\quad\lambda_{1}=\frac{3x(P)^{2}-1}{2y(P)}.

This becomes

f_{P,1}(X,Y)=-47X+Y+82.

Now for the second function

\operatorname{div}(f_{P,2})=-2([-i]P)+(P)+\mathcal{O}

we have

f_{P,2}=\left(\frac{L(-iP,-iP)}{V(-2iP)}\right)^{-1}=\frac{V(-2iP)}{L(-iP,-iP)}.

That is,

f_{P,2}(X,Y)=\frac{(X-x(-2iP)}{(Y-\lambda_{2}X+\lambda_{2}x(-iP)-y(-iP))},\quad\lambda_{2}=\frac{3x(-iP)^{2}-1}{2y(-iP)}.

This becomes

f_{P,2}(X,Y)=\frac{X+197}{-138X+Y-36}.

Let $h=3$ , a multiplicative generator for $\mathbb{F}_{q}$ . Using an auxiliary point such as $R=(0,0)$ and the formula from Algorithm 5.7, we obtain

\widehat{T}_{\alpha}(P,Q)=175(-5)^{i}=h^{158+248i}\equiv h^{3+3i}.

Using instead an auxiliary point such as $R=(1,0)$ , we obtain

\widehat{T}_{\alpha}(P,Q)=186\cdot 144^{i}=h^{134+106i}\equiv h^{4+i}\equiv h^{3+3i}.

This illustrates the independence of the choice of $R$ .

To take this into $\mu_{5}^{\otimes R}$ , for the purposes of comparing with the next method, we raise to the $(q-1)/5=80$ . Let $g=72=h^{80}$ , a generator for $\mu_{5}$ . We obtain a type of reduced pairing (albeit slightly different than that of Remark 2.6):

\widehat{T}^{red}_{\alpha}(P,Q):=\widehat{T}_{\alpha}(P,Q)^{\frac{q-1}{5}}=g^{3+3i}\equiv g^{2}.

Method 2. Now we will compute it by using both parts of Theorem 5.5, relating it to $\widehat{T}_{5}$ . We have the reduced Tate-Lichtenbaum pairing $t_{n}^{red}=t_{n}^{(q-1)/n}$ as implemented in many mathematical software systems,

t^{red}_{5}(P,Q)=g,\quad t^{red}_{5}([2i]P,Q)=g^{4},\quad t^{red}_{5}(P,P)=1,\quad t^{red}_{5}([2i]P,P)=1,\quad t^{red}_{5}(Q,Q)=1,\quad t^{red}_{5}([2i]Q,Q)=1.

Therefore,

\widehat{T}^{red}_{5}(P,Q)=g^{2-i},\quad\widehat{T}^{red}_{5}(P,P)=g^{0},\quad\widehat{T}^{red}_{5}(Q,Q)=g^{0}.

Since $P$ is an $\alpha$ -multiple, we expect $\widehat{T}_{5}(P,\cdot)$ to be $\overline{\alpha}$ powers. Note that $\overline{\alpha}^{-1}\equiv 3\pmod{\alpha}$ . Therefore, modulo $\alpha$ , we have

\widehat{T}^{red}_{\alpha}(P,Q)=(g^{2-i})^{3}=g^{1+2i}=g^{2}.

Finally, we repeat the first part of the computation above using a single generator for the $R$ -module $E[5]$ . Observe that $E[5]=\mathcal{O}S$ , where $S=P+Q$ . In particular, $P=(3+4i)S$ and $Q=(3+i)S$ . We have

\widehat{T}^{red}_{5}(S,S)=g^{4},\quad\widehat{T}^{red}_{5}(S,P)=g^{2-4i},\quad\widehat{T}^{red}_{5}(S,Q)=g^{2-i}.

We can verify that in fact

\widehat{T}^{red}_{5}(P,Q)=\widehat{T}^{red}_{5}([3+4i]S,[3+i]S)=\widehat{T}^{red}_{5}(S,S)^{(3-4i)(3+i)}=\widehat{T}^{red}_{5}(S,S)^{8+6i}=(g^{4})^{3+i}=g^{2-i}.

agreeing with the previous work.

References

[1] Peter Bruin. The Tate pairing for Abelian varieties over finite fields. J. Théor. Nombres Bordeaux, 23(2):323–328, 2011.
[2] Wouter Castryck, Marc Houben, Simon-Philipp Merz, Marzio Mula, Sam van Buuren, and Frederik Vercauteren. Weak instances of class group action based cryptography via self-pairings. In Advances in cryptology—CRYPTO 2023. Part III, volume 14083 of Lecture Notes in Comput. Sci., pages 762–792. Springer, Cham, [2023] ©2023.
[3] Sylvain Duquesne and Gerhard Frey. Background on pairings. In Handbook of elliptic and hyperelliptic curve cryptography, Discrete Math. Appl. (Boca Raton), pages 115–124. Chapman & Hall/CRC, Boca Raton, FL, 2006.
[4] Gerhard Frey and Hans-Georg Rück. A remark concerning $m$ -divisibility and the discrete logarithm in the divisor class group of curves. Math. Comp., 62(206):865–874, 1994.
[5] Steven D. Galbraith. Pairings. In Advances in elliptic curve cryptography, volume 317 of London Math. Soc. Lecture Note Ser., pages 183–213. Cambridge Univ. Press, Cambridge, 2005.
[6] Steven D. Galbraith. The Weil pairing on elliptic curves over $\mathbb{C}$ . 2005.
[7] Steven D. Galbraith. Mathematics of public key cryptography. Cambridge University Press, Cambridge, 2012.
[8] Theodoulos Garefalakis. The generalized Weil pairing and the discrete logarithm problem on elliptic curves. In LATIN 2002: Theoretical informatics (Cancun), volume 2286 of Lecture Notes in Comput. Sci., pages 118–130. Springer, Berlin, 2002.
[9] Serge Lang. Abelian varieties. Springer-Verlag, New York-Berlin, 1983. Reprint of the 1959 original.
[10] Stephen Lichtenbaum. Duality theorems for curves over $p$ -adic fields. Invent. Math., 7:120–136, 1969.
[11] Victor S. Miller. Short programs for functions on elliptic curves. Unpublished manuscript, 1986.
[12] Victor S. Miller. The Weil pairing, and its efficient calculation. J. Cryptology, 17(4):235–261, 2004.
[13] J. S. Milne. Abelian varieties. In Arithmetic geometry (Storrs, Conn., 1984), pages 103–150. Springer, New York, 1986.
[14] David Mumford. Abelian varieties. Tata Institute of Fundamental Research Studies in Mathematics, No. 5. Published for the Tata Institute of Fundamental Research, Bombay, 1970.
[15] Damien Robert. The geometric interpretation of the Tate pairing and its applications. Cryptology ePrint Archive, Paper 2023/177, 2023. https://eprint.iacr.org/2023/177.
[16] Damien Robert. Fast pairings via biextensions and cubical arithmetic. Cryptology ePrint Archive, Paper 2024/517, 2024. https://eprint.iacr.org/2024/517.
[17] Joseph H. Silverman. The arithmetic of elliptic curves, volume 106 of Graduate Texts in Mathematics. Springer-Verlag, New York, 1992. Corrected reprint of the 1986 original.
[18] Joseph H. Silverman. Advanced topics in the arithmetic of elliptic curves, volume 151 of Graduate Texts in Mathematics. Springer-Verlag, New York, 1994.
[19] Katherine E. Stange. Elliptic nets and elliptic curves. PhD thesis, Brown University, May 2008.
[20] J. Tate. $WC$ -groups over ${\mathbf{p}}$ -adic fields, volume 13 of Séminaire Bourbaki; 10e année: 1957/1958. Textes des conférences; Exposés 152 à 168; 2e éd. corrigée, Exposé 156. Secrétariat mathématique, Paris, 1958.

Sesquilinear pairings on elliptic curves

Abstract.

Key words and phrases:

2020 Mathematics Subject Classification:

1. Introduction

2. Classical pairings

2.1. The Weil pairing

Definition 2.1 (Weil pairing: first definition).

Definition 2.2 (Weil pairing: second definition).

Proposition 2.3.

Proof.

2.2. The Tate-Lichtenbaum pairing

Definition 2.4.

Proposition 2.5.

Proof.

Remark 2.6.

3. The calculus of RR-divisors

3.1. RR-divisors

3.2. Evaluation of functions at divisors

3.3. Weil reciprocity

Theorem 3.1.

Proof.

4. Sesquilinear pairings

4.1. Generalization of Tate-Lichtenbaum pairing

Remark 4.1.

Theorem 4.2.

Proof.

Remark 4.3.

Proposition 4.4.

Proof.

Remark 4.5.

Lemma 4.6.

Proof.

Theorem 4.7.

Proof.

4.2. Generalization of Weil pairing

Remark 4.8.

Theorem 4.9.

Proof.

Theorem 4.10.

Proof.

Proposition 4.11.

Proof.

Remark 4.12.

Theorem 4.13.

Proof.

5. Curves with complex multiplication

5.1. Transport via CM subrings

5.2. Imaginary quadratic case

5.3. Imaginary quadratic pairings

Theorem 5.1.

Proof.

Theorem 5.2.

Proof.

Theorem 5.3.

Theorem 5.4.

Proof.

Theorem 5.5.

Proposition 5.6.

Proof.

5.4. Computation.

Algorithm 5.7.

6. Examples

References

3. The calculus of $R$ -divisors

3.1. $R$ -divisors