Cryptography Reference
In-Depth Information
$K$. Therefore, $\mu_n$ is a cyclic group of order $n$. Any generator $\zeta$ of $\mu_n$ is called a primitive $n$th root of unity. This is equivalent to saying that $\zeta^k = 1$ if and only if $n$ divides $k$.
THEOREM 3.9
Let $E$ be an elliptic curve defined over a field $K$ and let $n$ be a positive integer. Assume that the characteristic of $K$ does not divide $n$. Then there is a pairing
$$e_n : E[n] \times E[n] \to \mu_n,$$
called the Weil pairing, that satisfies the following properties:
1. $e_n$ is bilinear in each variable. This means that $e_n(S_1 + S_2, T) = e_n(S_1, T)\, e_n(S_2, T)$ and $e_n(S, T_1 + T_2) = e_n(S, T_1)\, e_n(S, T_2)$ for all $S, S_1, S_2, T, T_1, T_2 \in E[n]$.
2. $e_n$ is nondegenerate in each variable. This means that if $e_n(S, T) = 1$ for all $T \in E[n]$ then $S = \infty$ and also that if $e_n(S, T) = 1$ for all $S \in E[n]$ then $T = \infty$.
3. $e_n(T, T) = 1$ for all $T \in E[n]$.
4. $e_n(T, S) = e_n(S, T)^{-1}$ for all $S, T \in E[n]$.
5. $e_n(\sigma S, \sigma T) = \sigma(e_n(S, T))$ for all automorphisms $\sigma$ of $K$ such that $\sigma$ is the identity map on the coefficients of $E$ (if $E$ is in Weierstrass form, this means that $\sigma(A) = A$ and $\sigma(B) = B$).
6. $e_n(\alpha(S), \alpha(T)) = e_n(S, T)^{\deg(\alpha)}$ for all separable endomorphisms $\alpha$ of $E$. If the coefficients of $E$ lie in a finite field $\mathbf{F}_q$, then the statement also holds when $\alpha$ is the Frobenius endomorphism $\phi_q$. (Actually, the statement holds for all endomorphisms $\alpha$, separable or not. See [38].)
The proof of the theorem will be given in Chapter 11. In the present section,
we'll derive some consequences.
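The following Python check is an added example, not taken from the text: it computes $e_3$ with Miller's algorithm on an assumed toy curve $y^2 = x^3 + 2$ over $\mathbf{F}_7$, small enough that properties 1 to 4 of Theorem 3.9 can be checked over all of $E[3]$. The curve, the function names and the formula $e_n(P,Q) = (-1)^n f_P(Q)/f_Q(P)$ are assumptions of the example, $n$ is taken to be prime, and the shortcut for $Q \in \langle P \rangle$ relies on properties 1 and 3 rather than testing them.

```python
# Constructed toy case (assumption, not from the text): E: y^2 = x^3 + 2 over F_7, n = 3.
# Uses e_n(P,Q) = (-1)^n f_P(Q)/f_Q(P); a different convention may give the inverse value.
p, A, B, n = 7, 0, 2, 3
INF = None                                   # the point at infinity

def inv(a): return pow(a % p, -1, p)         # inverse in F_p (Python 3.8+)

def add(P, R):
    """Return (P + R, slope of the chord/tangent); slope is None when unused."""
    if P is INF or R is INF: return (R if P is INF else P), None
    (x1, y1), (x2, y2) = P, R
    if x1 == x2 and (y1 + y2) % p == 0:      # R = -P: the line is vertical
        return INF, None
    lam = ((3*x1*x1 + A) * inv(2*y1) if P == R else (y2 - y1) * inv(x2 - x1)) % p
    x3 = (lam*lam - x1 - x2) % p
    return (x3, (lam*(x1 - x3) - y1) % p), lam

def g(T, R, Q):
    """Return T + R and g(Q), where div(g) = [T] + [R] - [T+R] - [INF]."""
    S, lam = add(T, R)
    if T is INF or R is INF: return S, 1
    if S is INF: return S, (Q[0] - T[0]) % p
    return S, (Q[1] - T[1] - lam*(Q[0] - T[0])) * inv(Q[0] - S[0]) % p

def miller(P, Q):
    """f_P(Q) with div(f_P) = n[P] - n[INF]; Q must lie outside <P>."""
    f, T = 1, P
    for bit in bin(n)[3:]:                   # binary digits of n after the leading 1
        T, v = g(T, T, Q); f = f*f*v % p
        if bit == '1':
            T, v = g(T, P, Q); f = f*v % p
    return f

def weil(P, Q):
    """e_n(P, Q) as an element of F_p, for P, Q in E[n] and n prime."""
    if P is INF or Q is INF: return 1
    T = P
    for _ in range(n):                       # Q in <P>: value 1 by properties 1 and 3
        if T == Q: return 1
        T = add(T, P)[0]
    return (-1)**n * miller(P, Q) * inv(miller(Q, P)) % p

def torsion():
    """All of E[n] over F_p, found by exhaustive search."""
    def kills(P, T=INF):
        for _ in range(n): T = add(T, P)[0]
        return T is INF
    pts = [(x, y) for x in range(p) for y in range(p) if (y*y - x**3 - A*x - B) % p == 0]
    return [INF] + [P for P in pts if kills(P)]
```

Here `torsion()` returns nine points, and `weil((0, 3), (5, 1))` evaluates to 4, which has order 3 in $\mathbf{F}_7^{\times}$.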
COROLLARY 3.10
Let $\{T_1, T_2\}$ be a basis of $E[n]$. Then $e_n(T_1, T_2)$ is a primitive $n$th root of unity.
PROOF Suppose $e_n(T_1, T_2) = \zeta$ with $\zeta^d = 1$. Then $e_n(T_1, dT_2) = 1$. Also, $e_n(T_2, dT_2) = e_n(T_2, T_2)^d = 1$ (by (1) and (3)). Let $S \in E[n]$. Then