\documentclass[11pt]{article}

\usepackage{fullpage}
\usepackage{epic}
\usepackage{eepic}
\usepackage{psfig}

%\newcommand{\proof}[1]{
%{\noindent {\it Proof.} {#1} \rule{2mm}{2mm} \vskip \belowdisplayskip}
%}


%\newtheorem{lemma}{Lemma}[section]
%\newtheorem{theorem}[lemma]{Theorem}
%\newtheorem{claim}[lemma]{Claim}
%\newtheorem{definition}[lemma]{Definition}
%\newtheorem{corollary}[lemma]{Corollary}

%Theorems and likes 
\newtheorem{assumption}{Assumption}[section]
\newtheorem{theorem}{Theorem}[section]
\newtheorem{fact}{Fact}[section]
\newtheorem{claim}{Claim}[section]
\newtheorem{lemma}{Lemma}[section]
\newtheorem{definition}{Definition}[section]
\newtheorem{corollary}{Corollary}[section]


\newcommand{\bproof}{\noindent{\it Proof}}
%\newcommand{\eproof}{\hspace*{\fill}$\Box$~~~~~\bigskip}
\newcommand{\eproof}{\hspace*{\fill}\rule{2mm}{2mm}~~~~~\bigskip}
\newenvironment{proof}{\bproof: }{\eproof}

% symbols and notation
\newcommand{\defeq}{\stackrel{\rm def}{=}}

% Additional Math Notations (Arun Iyer)
\newcommand{\nchoosek}[2]{\left(\begin{array}{c}#1\\#2\end{array}\right)}
\DeclareSymbolFont{AMSb}{U}{msb}{m}{n}
\DeclareMathSymbol{\N}{\mathbin}{AMSb}{"4E}
\DeclareMathSymbol{\Z}{\mathbin}{AMSb}{"5A}
\DeclareMathSymbol{\R}{\mathbin}{AMSb}{"52}
\DeclareMathSymbol{\Q}{\mathbin}{AMSb}{"51}
\DeclareMathSymbol{\I}{\mathbin}{AMSb}{"49}
\DeclareMathSymbol{\C}{\mathbin}{AMSb}{"43}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

\setlength{\oddsidemargin}{0in}
\setlength{\topmargin}{0in}
\setlength{\textwidth}{6in}
\setlength{\textheight}{8in}

\begin{document}

\setlength{\fboxrule}{.5mm}\setlength{\fboxsep}{1.2mm}
\newlength{\boxlength}\setlength{\boxlength}{\textwidth}
\addtolength{\boxlength}{-4mm}
\begin{center}\framebox{\parbox{\boxlength}{\bf
CS 681: Computational Number Theory and Algebra \hfill 
Lecture 37: Elliptic Curves (Continued)
\\
Lecturer: Manindra Agrawal
\hfill
Notes by: Arun Iyer
%\\
\begin{flushright}
%date
November 24, 2005.
\end{flushright}
}}\end{center}
\vspace{5mm}

\section{Last Lecture Recap}
Let $\psi(x,y) = \left( \frac{p(x)}{q(x)},\; y\,\frac{u(x)}{v(x)} \right)$ be an endomorphism of $E(\overline{F_p})$.
\begin{definition}
The degree of the endomorphism $\psi$, written $\deg(\psi)$, is defined as $\max(\deg(p),\deg(q))$.
\end{definition}
\begin{definition}
An endomorphism $\psi$ is said to be separable if $p'q - pq'$ is not identically zero.
\end{definition}
The following theorem was proved in the last lecture.
\begin{theorem}
Let $\psi(x,y) = \left( \frac{p(x)}{q(x)},\; y\,\frac{u(x)}{v(x)} \right)$ be any separable endomorphism. Then
\begin{displaymath}
|\ker(\psi)| = \deg(\psi).
\end{displaymath}
\end{theorem}
Let $E[n] \subseteq E(\overline{F_p})$ be the set of points $P \in E(\overline{F_p})$ such that $nP = 0$. It was then shown that
\begin{displaymath}
E[n] \cong \Z_n \oplus \Z_n, \quad p\not|\;\;n
\end{displaymath}

\section{The Weil Pairing}
Let $\eta$ be a primitive $n$-th root of unity ($\eta \in \overline{F_p}$). Then there is a function
\begin{displaymath}
e_n : E[n] \times E[n] \rightarrow \{1,\eta,\ldots,\eta^{n-1}\}
\end{displaymath}
called \textbf{the Weil Pairing} such that,
\begin{enumerate}
\item $e_n$ is bilinear. This means that 
\begin{displaymath}
e_n(P+S,Q) = e_n(P,Q)e_n(S,Q)
\end{displaymath}
and
\begin{displaymath}
e_n(P,S+Q) = e_n(P,S)e_n(P,Q)
\end{displaymath}
for all $P,Q,S \in E[n]$.
\item If $e_n(P,Q) = 1$ for all $Q$, then $P = \bigcirc$. Similarly, if $e_n(P,Q) = 1$ for all $P$, then $Q = \bigcirc$.
\item $e_n(P,P) = 1$ for all $P \in E[n]$.
\item $e_n(P,Q) = e_n(Q,P)^{-1}$.
\item For any automorphism $\phi$ of $\overline{F_p}$, if $\phi(A) = A$ and $\phi(B) = B$, then $\phi(e_n(P,Q)) = e_n(\phi(P),\phi(Q))$
\item For any endomorphism $\psi$ of $E(\overline{F_p})$, $e_n(\psi(P),\psi(Q)) = e_n(P,Q)^{\deg(\psi)}$.
\end{enumerate}

\section{Hasse's Theorem}
\begin{theorem}
Let $E$ be an elliptic curve over the finite field $F_p$. Then the order of $E(F_p)$ satisfies
\begin{displaymath}
|p+1-\#E(F_p)| \leq 2\sqrt{p}.
\end{displaymath}
\end{theorem}
\begin{proof}
Consider the action of an endomorphism $\psi$ on $E[n]$, where $p\not|\;n$, so that $E[n] \cong \Z_n \oplus \Z_n$. There exist two points $T_1,T_2 \in E[n]$ such that
\begin{displaymath}
E[n] = \Z_n T_1 + \Z_n T_2.
\end{displaymath}
Let $\alpha T_1 + \beta T_2 \in E[n]$. Then $\psi(\alpha T_1 + \beta T_2) = \alpha \psi(T_1) + \beta \psi(T_2)$.
Let $\psi(T_1) = aT_1 + bT_2$ and $\psi(T_2) = cT_1 + dT_2$.
If we view $\alpha T_1 + \beta T_2$ as the vector $\left[ \begin{array}{c}
\alpha \\ \beta
\end{array} \right]$, then
\begin{displaymath}
\psi \left[ \begin{array}{c}
\alpha \\ \beta
\end{array} \right] = \left[ \begin{array}{cc}
a & b\\ c & d
\end{array} \right] \left[ \begin{array}{c}
\alpha \\ \beta
\end{array} \right] \pmod{n}.
\end{displaymath}
Let
\begin{displaymath}
M_n^{\psi} = \left[ \begin{array}{cc}
a & b\\ c & d
\end{array} \right]
\end{displaymath}
From Property 6 of the Weil pairing we have
\begin{center}
\begin{tabular}{lclp{0.15\textwidth}}
$e_n(T_1,T_2)^{\deg(\psi)}$ & $=$ & $e_n(\psi(T_1),\psi(T_2))$ & \\
 & $=$ & $e_n(aT_1+bT_2,cT_1+dT_2)$ & \\
 & $=$ & $e_n(aT_1,cT_1)e_n(aT_1,dT_2)e_n(bT_2,cT_1)e_n(bT_2,dT_2)$ & [Property (1)] \\
 & $=$ & $e_n(T_1,T_1)^{ac}e_n(T_1,T_2)^{ad}e_n(T_2,T_1)^{bc}e_n(T_2,T_2)^{bd}$ & [Property (1)] \\
 & $=$ & $e_n(T_1,T_2)^{ad-bc}$ & [Property (3) and (4)]
\end{tabular}
\end{center}
Therefore,
\begin{equation}
\label{eqn1}
\deg(\psi) = ad-bc = |M_n^{\psi}| \pmod{n}.
\end{equation}
Taking $\psi = \phi_p$ and $\psi = 1$ respectively, we get
\begin{displaymath}
|M_n^{\phi_p}| = p \pmod{n}, \qquad |M_n^{1}| = 1 \pmod{n}.
\end{displaymath}
Now, for $\gcd(r,s)=1$, $M_n^{r\phi_p - s} = rM_n^{\phi_p} - sM_n^{1} = rM_n^{\phi_p} - sI$.
\begin{claim}
\label{detclaim}
If $M$ and $N$ are two $2 \times 2$ matrices, then
\begin{displaymath}
|\alpha M + \beta N| = \alpha^2 |M| + \beta^2 |N| + \alpha\beta(|M+N| - |M| - |N|)
\end{displaymath}
\end{claim}
Using Claim~\ref{detclaim},
\begin{center}
\begin{tabular}{lcl}
$|rM_n^{\phi_p} - sI|$ & $=$ & $r^2p + s^2 - rs(|M_n^{\phi_p}-I|-p-1)$ \\
 & $=$ & $r^2p + s^2 - rs(|E(F_p)|-p-1)$
\end{tabular}
\end{center}
Let $|E(F_p)| = p+1+a$. Therefore, $|rM_n^{\phi_p} - sI| = r^2p + s^2 - rsa$.
From Equation~(\ref{eqn1}),
\begin{displaymath}
\deg(r\phi_p-s) = |rM_n^{\phi_p} - sI| = r^2p + s^2 - rsa \pmod{n}.
\end{displaymath}
However,
\begin{center}
\begin{tabular}{llclp{0.5\textwidth}}
 & $\deg(r\phi_p-s)$ & $\geq$ & $0$ & \\
$\Rightarrow$ & $r^2p + s^2 - rsa$ & $\geq$ & $0$ & \\
$\Rightarrow$ & $x^2p - ax + 1$ & $\geq$ & $0$ & where $x = \frac{r}{s}$, i.e.\ $x \in \Q$\\
$\Rightarrow$ & $x^2p - ax + 1$ & $\geq$ & $0$ & for all real $x$, since $\Q$ is dense in $\R$\\
$\Rightarrow$ & $a^2 - 4p$ & $\leq$ & $0$ & \\
$\Rightarrow$ & $|a|$ & $\leq$ & $2\sqrt{p}$ & \\
$\Rightarrow$ & $|p+1 - \#E(F_p)|$ & $\leq$ & $2\sqrt{p}$ & \\
\end{tabular}
\end{center}
Hence proved.
\end{proof}
\end{document}
