on $E$ is invariant under $G$ (in the sense that $X = X \circ \tau_Q$ for all $Q \in G$) and so can be considered as “defined on $E/G$”. To simplify some calculations sketched below it turns out to be more convenient to subtract the constant $\sum_{Q \in G - \{O_E\}} x(Q)$ from $X$. (Note that $x(Q) = x_Q$.) Let $t_\infty = -x/y$ be a uniformiser on $E$ at $O_E$ (one could also take $t_\infty = x/y$, but this makes the signs more messy). The function $x$ can be written as

$$t_\infty^{-2} - a_1 t_\infty^{-1} - a_2 - a_3 t_\infty - (a_1 a_3 + a_4) t_\infty^{2} - \cdots$$

(for more details about the expansions of $x$, $y$ and $\omega_E$ in terms of power series see Section IV.1 of Silverman [505]). It follows that

$$X = t_\infty^{-2} - a_1 t_\infty^{-1} - \cdots$$

and so $v_{O_E}(X) = -2$. One can also show that $y = -t_\infty^{-3} - a_1 t_\infty^{-2} - a_2 t_\infty^{-1} - \cdots$. The function $Y(P) = \sum_{Q \in G} y(P + Q)$ is invariant under $G$ and has $v_{O_E}(Y) = -3$. One can therefore show (see Section 12.3 of Washington [560]) that the subfield $k(X, Y)$ of $k(x, y)$ is the function field of an elliptic curve $E$ (Washington [560] does this in Lemma 12.17 using the Hurwitz genus formula). The map $\phi : (x, y) \to (X, Y)$ is therefore an isogeny of elliptic curves. By considering the expansions in terms of $t_\infty$ one can show that the equation for the image curve is

$$Y^2 + A_1 XY + A_3 Y = X^3 + A_2 X^2 + A_4 X + A_6$$

where the coefficients $A_i$ are as in the statement of the Theorem.

Now, let $\omega_E = dx/(2y + a_1 x + a_3)$. One has $dx = (-2t_\infty^{-3} + a_1 t_\infty^{-2} + \cdots)\,dt_\infty$ and $2y + a_1 x + a_3 = -2t_\infty^{-3} - a_1 t_\infty^{-2} + \cdots$ and so $\omega_E = (1 - a_1 t_\infty + \cdots)\,dt_\infty$. Similarly,

$$\phi^*(\omega_E) = d(X \circ \phi)/(2Y \circ \phi + A_1 X \circ \phi + A_3) = d(t_\infty^{-2} + a_1 t_\infty^{-1} + \cdots)/(-2t_\infty^{-3} + \cdots) = (1 + \cdots)\,dt_\infty.$$

It follows that the isogeny is separable and that $\phi^*(\omega_E) = f\omega_E$ for some function $f$. Further, $\mathrm{div}(\omega_E) = 0$ and $\mathrm{div}(\phi^*(\omega_E)) = \phi^*(\mathrm{div}(\omega_E)) = 0$ (by Lemma 8.5.36, since $\phi$ is unramified¹) and so $\mathrm{div}(f) = 0$. It follows from the power series expansions that $f = 1$ as required.

Write the isogeny as $\phi(x, y) = (\phi_1(x), y\phi_2(x) + \phi_3(x))$. By Theorem 9.7.5 the isogeny is determined by $\phi_1(x)$ (for the case $\mathrm{char}(k) = 2$ see Exercise 9.7.6). Essentially, one only has to prove Vélu's formula for $\phi_1(x)$; we do this now. First, change the definition of $X$ to

$$X(P) = x_P + \sum_{Q \in G - \{O_E\}} (x_{P+Q} - x_Q)$$

where $P$ is a “generic point” (i.e., $P = (x_P, y_P)$ where $x_P$ and $y_P$ are variables) on the elliptic curve and $Q \in G - \{O_E\}$. Let $F(x, y)$ be as in the statement of the theorem and let $y = l(x)$ be the equation of the line through $P$ and $Q$ (so that $l(x) = \lambda(x - x_Q) + y_Q$ where $\lambda = (y_P - y_Q)/(x_P - x_Q)$). Define

$$F_1(x) = F(x, l(x)) = (x - x_Q)(x - x_P)(x - x_{P+Q}).$$

Further

$$\frac{\partial F_1}{\partial x}(Q) = (x_Q - x_P)(x_Q - x_{P+Q})$$

and

$$\frac{\partial F_1}{\partial x} = \frac{\partial F}{\partial x} + \frac{\partial F}{\partial y}\frac{\partial l}{\partial x} = F_x + F_y \cdot \lambda.$$

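
The following Python sketch is an added example, not part of the original text: it evaluates $X(P) = x_P + \sum_{Q \in G - \{O_E\}} (x_{P+Q} - x_Q)$ numerically, checks that it is invariant under $G$, and shows that it takes equal values exactly on the sets $\{\pm P + Q : Q \in G\}$, as expected of a function of the form $\phi_1(x)$. The curve $y^2 = x^3 + 2x + 3$ over $\mathbb{F}_{97}$ (so $a_1 = a_2 = a_3 = 0$), the generator $(3, 6)$ of order 5 and all function names are assumptions chosen for the illustration.

```python
# Added example with constructed parameters: E: y^2 = x^3 + a*x + b over F_p
# (the case a_1 = a_2 = a_3 = 0), and G generated by a point of order 5.
# Requires Python 3.8+ for modular inverses via pow(x, -1, p).
p, a, b = 97, 2, 3
O = None  # the point at infinity O_E

def add(P, Q):
    """Chord-and-tangent addition on E(F_p)."""
    if P is O:
        return Q
    if Q is O:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return O
    if P == Q:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def subgroup(gen):
    """Cyclic subgroup generated by gen, listed with O_E first."""
    G, R = [O], gen
    while R is not O:
        G.append(R)
        R = add(R, gen)
    return G

def velu_X(P, G):
    """X(P) = x_P + sum_{Q in G - {O_E}} (x_{P+Q} - x_Q), for P not in G."""
    return (P[0] + sum(add(P, Q)[0] - Q[0] for Q in G[1:])) % p

def affine_points():
    return [(x, y) for x in range(p) for y in range(p)
            if (y * y - x**3 - a * x - b) % p == 0]

def check_invariance(G):
    """Return (X is G-invariant?, sorted sizes of the level sets of X)."""
    outside = [P for P in affine_points() if P not in G]
    invariant = all(velu_X(add(P, Q), G) == velu_X(P, G)
                    for P in outside for Q in G)
    level_sets = {}
    for P in outside:
        level_sets.setdefault(velu_X(P, G), []).append(P)
    return invariant, sorted({len(S) for S in level_sets.values()})

G = subgroup((3, 6))          # (3, 6) has order 5 on this curve
print(len(G), check_invariance(G))
```

Level sets of size 10 are the generic case $P + G \ne -P + G$; those of size 5 come from points such as $(96, 0)$ of order 2, where the two cosets coincide.
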
¹ This was already discussed in Section 9.6. One can directly see that separable isogenies are unramified since if $\phi(P_1) = P_2$ then the set of preimages under $\phi$ of $P_2$ is $\{P_1 + Q : Q \in \ker(\phi)\}$.