Cryptography Reference
In-Depth Information
If
r
1
=
s
1
=
r
2
=
s
2
=0,then
U
(
P
)
= 0. Therefore,
P
and
w
(
P
)donot
occur in (
U, y
V
0
) and they do not occur in
D
1
+
D
2
.
If some
r
i
or
s
i
is positive, we can rename the points and divisors so that
r
1
>
0, and
r
1
= Max(
r
1
,s
1
,r
2
,s
2
). Then
s
1
= 0. Henceforth, we assume
this is the case.
If
r
2
=
s
2
=0,then
d
(
P
)
= 0. The order of
U
at
P
is the order of
U
1
at
P
,
which is
r
1
.Since(
y−V
0
)
d
has order at least
r
1
at
P
,sodoes
y−V
0
. Therefore,
(
U, y − V
0
)contains
r
1
([
P
]
−
[
∞
]). Since (
U, y − V
0
) is semi-reduced, it does
not contain [
w
(
P
)]
−
[
∞
] (except when
P
=
w
(
P
)). Therefore,
D
1
+
D
2
and
(
U, y − V
0
) agree at the terms involving [
P
]
−
[
∞
]and[
wP
]
−
[
∞
].
If
r
2
>
0and
b
=0,then
U
1
and
U
2
have simple zeros as polynomials (and
double zeros as functions on
C
)at
a
by Proposition 13.2. Also,
V
1
+
V
2
has
a zero at
a
,sothegcd
d
has a simple zero at
a
. Therefore,
U
=
U
1
U
2
/d
2
has
no zero at
a
, so the divisor corresponding to (
U, V
) does not contain
P
.Since
U
1
(
a
)=
U
2
(
a
) = 0, the divisors
D
1
and
D
2
both contain
P
=(
a,
0) =
w
(
P
).
By Proposition 13.2, they each contain [
P
]
−
−
[
∞
] with coe
cient 1. Therefore,
D
1
+
D
2
contains 2 ([
P
]
]), which is principal and can be removed. The
resulting divisor does not contain
P
. Therefore, (
U, y − V
0
) and the semi-
reduction of
D
1
+
D
2
agree at terms containing
P
.
From now on, assume that
b
=0. If
r
2
>
0, then
s
2
=0. Since
V
1
(
a
)=
V
2
(
a
)=
b
=0,wehave
V
1
+
V
2
=0at
P
. Therefore,
d
(
P
)
= 0. Therefore, the
order of
U
at
P
is
r
1
+
r
2
. As pointed out previously, the order of (
y −V
0
)
d
at
P
is at least
r
1
+
r
2
, so the order of
y − V
0
at
P
is at least
r
1
+
r
2
. Therefore,
(
U, y
−
[
∞
−
V
0
)contains(
r
1
+
r
2
)([
P
]
−
[
∞
]), which matches
D
1
+
D
2
.Since
(
U, y
V
0
) is semi-reduced, it has no terms with
w
(
P
). Neither does
D
1
+
D
2
.
Finally, suppose
s
2
>
0. Then
r
2
=0. Then
y
−
−
V
1
has order at least
r
1
at
P
and
y
−
V
2
has order at least
s
2
at
w
(
P
). Therefore,
V
2
(
a
)=
−
b
,so
V
2
is a
multiple of
U
2
, which has order
s
2
at
P
, the order of
y
+
V
2
at
P
is at least
s
2
. Therefore, the order at
P
of
V
1
+
V
2
=(
V
1
− y
)+(
y
+
V
2
)isatleast
min(
r
1
,s
2
)=
s
2
, by the choice of
r
1
. It follows that
d
,whichisthegcdof
U
1
,
U
2
,and
V
1
+
V
2
, has order exactly
s
2
at
P
, since this minimum is attained
for
U
2
. The order of
U
at
P
is therefore
r
1
+
s
2
−
2
s
2
=
r
1
− s
2
.Weknow
that (
y − V
0
)
d
has order at least
r
1
at
P
. Similarly, it has order at least
s
2
at
w
(
P
). Therefore,
y − V
0
has order at least
r
1
− s
2
at
P
.If
r
1
− s
2
>
0,
then (
U, y
y
−
V
2
takes the value 2
b
=0at
P
.Since(
y
+
V
2
)(
y
−
V
2
)=
f
−
−
V
0
)contains(
r
1
−
s
2
)([
P
]
−
[
∞
]). Since it is semi-reduced, it
does not contain [
w
(
P
)]
−
[
∞
]. If
r
1
−
s
2
=0,then
U
(
P
)
=0,so(
U, y
−
V
0
)
contains neither
P
nor
w
(
P
). Therefore, (
U, y
−
V
0
) agrees at
P
and
w
(
P
)
with
D
1
+
D
2
−
s
2
([
P
]+[
w
(
P
)]
−
2[
∞
]), hence agrees with the semi-reduction
of
D
1
+
D
2
.
We have therefore proved that (
U, y−V
0
) and the semi-reduction of
D
1
+
D
2
agree at all terms, so they are equal. Since (
U, y − V
)=gcd(
U, y − V
0
), this
completes the proof that the divisor represented by (
U, V
) is in the divisor
class of
D
1
+
D
2
.
Notethatwehaveprovedthat
y − V
0
vanishes at least to the order of
Search WWH ::
Custom Search