Cryptography Reference
In-Depth Information
on
E
,where
1
=
−
8
p
2
y
x
1
=2
p
2
p
−
x
2
p
+
x
,
(
x
+2
p
)
2
.
Another calculation shows that
s
)
.
Let
g ∈ G
be such tha
t
g
(
√
2
p
)
=
−
√
2
p
.Then
φ
g
φ
(
x
1
,y
1
)=(
−
t,
−
is the transformation
obtained by changing
√
2
p
to
−
√
2
p
in the formulas for
φ
. Therefore,
φ
g
(
x, y
)=(
−t, −s
)=
φ
(
x
1
,y
1
)
.
We obtain
φ
−
1
φ
g
(
x, y
)=(
x, y
)+(
−
2
p,
0)
.
G
satisfies
g
√
2
p
=+
√
2
p
.Then
φ
g
=
φ
,so
Now suppose
g
∈
φ
−
1
φ
g
(
x, y
)=(
x, y
)
.
Putting everything together, we see that the pair (
C, φ
) is of the type con-
sidered above. We obtai
n
an element of
H
1
(
G, E
[2]) that can be regarded as
an element of
H
1
(
G, E
(
Q
)). The cocycle
τ
φ
is given by
τ
φ
(
g
)=
T
g
=
∞
if
g
√
2
p
=
+
√
2
p
if
g
√
2
p
=
−
√
2
p
(
−
2
p,
0)
The cohomology class of
τ
φ
is nontrivial in
H
1
(
G, E
(
Q
)), and hence also in
H
1
(
G, E
[2]), because
C
has no rational points. Note that
τ
φ
is a homomor-
phism from
G
to
E
[2]. This corresponds to the fact that
G
acts trivially on
E
[2] in the present case, so
H
1
(
G, E
[2]) =
Hom
(
G, E
[2]). The kernel of
τ
is
the subgroup of
G
of index 2 that fixes
Q
(
√
2
p
).
In general, if
E
is given by
y
2
=(
x
Q
,
then a 2-descent yields curves
C
a,b,c
, as in Section 8.2. These curves yield
elements o
f
H
1
(
G, E
[2]). The curves that have rational points give cocycles
in
Z
(
G, E
(
Q
)) that are coboundaries. We also saw in the descent procedure
that a rational point on a curve
C
a,b,c
comes from a rational point on
E
.This
discussion is summarized by the exact sequence
−
e
1
)(
x
−
e
2
)(
x
−
e
3
)with
e
1
,e
2
,e
3
∈
0
→ E
(
Q
)
/
2
E
(
Q
)
→ H
1
(
G, E
[2])
→ H
1
(
G, E
(
Q
))[2]
→
0
.
All of the preceding applies when
Q
is replaced by a
p
-adic field
Q
p
with
p
≤∞
. We have an exact sequence
0
→ E
(
Q
p
)
/
2
E
(
Q
p
)
→ H
1
(
G
p
,E
[2])
→ H
1
(
G
p
,E
(
Q
p
))[2]
→
0
,
where
G
p
=Gal(
Q
p
/
Q
p
)
.
Search WWH ::
Custom Search