n is a constant multiple of g n . By multiplying f by a suitable

constant, we may assume that

Therefore, f

◦

f ◦ n = g n .

Let S ∈ E [ n ]andlet P ∈ E ( K ). Then

g ( P + S ) n = f ( n ( P + S )) = f ( nP )= g ( P ) n .

Therefore, g ( P + S ) /g ( P ) ∈ μ n .Infact, g ( P + S ) /g ( P ) is independent of P .

The proof of this is slightly technical: In the Zariski topology, g ( P + S ) /g ( P )

is a continuous function of P and E is connected. Therefore, the map to the

finite discrete set μ n must be constant.

Define the Weil pairing by

e n ( S, T )= g ( P + S )

.

(11.6)

g ( P )

Since g is determined up to a scalar multiple by its divisor, this definition is

independent of the choice of g . Note that (11.6) is independent of the choice

of the auxiliary point P . The main properties of e n are given in the following

theorem, which was stated in Section 3.3.

THEOREM 11.7

Let E be an elliptic curve defined over a field K and let n be a positive integer.

A ssu m e that the characteristicof K does not divide n .Thenthe W eilpairing

e n : E [ n ]

×

E [ n ]

→

μ n

satisfi es the follow ing properties:

1. e n isbilinear in each variable. T hismeansthat

e n ( S 1 + S 2 ,T )= e n ( S 1 ,T ) e n ( S 2 ,T )

and

e n ( S, T 1 + T 2 )= e n ( S, T 1 ) e n ( S, T 2 )

for all S, S 1 ,S 2 ,T,T 1 ,T 2 ∈ E [ n ] .

2. e n is nondegeneratein each variable. T hismeansthat if e n ( S, T )=1

for all T

∈

E [ n ] then S =

∞ and also that if e n ( S, T )=1 for all

S ∈ E [ n ] then T = ∞ .

3. e n ( T,T )=1 for all T

∈

E [ n ] .

4. e n ( T,S )= e n ( S, T ) − 1 for all S, T ∈ E [ n ] .