Cryptography Reference
In-Depth Information
5.
e
n
(
σS, σT
)=
σ
(
e
n
(
S, T
))
for allautom orphism s
σ
of
K
su ch that
σ
is
the identity m ap on the coe cientsof
E
(if
E
isinWe erstra ss form ,
thismeansthat
σ
(
A
)=
A
and
σ
(
B
)=
B
).
6.
e
n
(
α
(
S
)
,α
(
T
)) =
e
n
(
S, T
)
deg(
α
)
for all separable endom orphism s
α
of
E
.If he coe cientsof
E
liein a finitefie d
F
q
,then the statem ent
also holds w hen
α
isthe Frobenius endom orphism
φ
q
.(Ac ually, the
statem ent holds for allendom orphism s
α
, separableornot.See[38].)
PROOF
(1) Since
e
n
is independent of the choice of
P
, we use (11.6) with
P
and with
P
+
S
1
to obtain
e
n
(
S
1
,T
)
e
n
(
S
2
,T
)=
g
(
P
+
S
1
)
g
(
P
+
S
1
+
S
2
)
g
(
P
+
S
1
)
=
g
(
P
+
S
1
+
S
2
)
g
(
P
)
=
e
n
(
S
1
+
S
2
,T
)
.
g
(
P
)
This proves linearity in the first variable.
Suppose
T
1
,T
2
,T
3
∈
3, let
f
i
,g
i
be
the functions used above to define
e
n
(
S, T
i
). By Theorem 11.2, there exists a
function
h
such that
E
[
n
]with
T
1
+
T
2
=
T
3
.For1
≤
i
≤
div(
h
)=[
T
3
]
−
[
T
1
]
−
[
T
2
]+[
∞
]
.
Equation (11.5) yields
div
f
3
f
1
f
2
=
n
div(
h
)=div(
h
n
)
.
K
×
such that
Therefore, there exists a constant
c
∈
f
3
=
cf
1
f
2
h
n
.
This implies that
g
3
=
c
1
/n
(
g
1
)(
g
2
)(
h
◦
n
)
.
The definition of
e
n
yields
e
n
(
S, T
1
+
T
2
)=
g
3
(
P
+
S
)
=
g
1
(
P
+
S
)
g
1
(
P
)
g
2
(
P
+
S
)
g
2
(
P
)
h
(
n
(
P
+
S
))
h
(
nP
)
g
3
(
P
)
=
e
n
(
S, T
1
)
e
n
(
S, T
2
)
,
since
nS
=
∞
,so
h
(
n
(
P
+
S
)) =
h
(
nP
). This proves linearity in the second
variable.
Search WWH ::
Custom Search