The Weil Pairing, Part I: Function Theory on Complex Tori

“The Weil pairing, first introduced by André Weil in 1940, plays an important role in the theoretical study of the arithmetic of elliptic curves and Abelian varieties. It has also recently become extremely useful in cryptologic constructions related to those objects.”

— Victor S. Miller in his seminal 2004 paper¹ [Mil04]

This quote foreshadowed the emergence of what is today a fully fledged domain known as pairing-based cryptography. Despite its significance — and despite cryptographers’ general inclination to dissect every construct they encounter — elliptic curve pairings are often treated as a black box, largely due to their technical complexity.

I recently spent some time studying the Weil pairing and was encouraged to write up some notes. In this post (and its sequel) we explore its complex-analytic perspective, which will allow us to construct the pairing very explicitly; I believe this was Weil’s point of entry as well. The goal here is to show that, although the standard presentation of the Weil pairing seems technical or even opaque, it is actually the result of a fairly simple geometric idea. A more detailed overview is given at the end of the next section.

Throughout the rest of this post, it is assumed that the reader is familiar with the basic notions of elliptic curves and Riemann surfaces.

The Weil Pairing over Fields

Before specialising it to the complex-analytic setting, we will first have to review a standard definition of the Weil pairing over arbitrary fields, for which we need to recall some concepts: rational functions on an elliptic curve, their zeroes and poles, divisors, and linear equivalence.

Notation.
Without loss of generality, we will always assume that an elliptic curve $E$ is presented as the affine zero set $E^\mathrm{aff}$ of a Weierstrass equation over a field $K$, together with its identity element $O$ “at infinity”.

The definition of a rational function then reduces to:

Definition (rational function on elliptic curve).
A rational function on an elliptic curve $E$ is a function $f$ on a (dense open) subset of $E$, whose restriction to $E^\mathrm{aff}$ can be represented as a quotient

\[f(X,Y) = \frac{F(X,Y)}{G(X,Y)}\]

for a pair of polynomials $F,G \in K[X,Y]$, such that $G$ does not vanish identically on $E^\mathrm{aff}$.

Hilbert’s Nullstellensatz implies that $G$ vanishes identically on $E^\mathrm{aff}$ if and only if $G$ lies in the ideal generated by the Weierstrass equation defining $E$. Due to the presence of poles (coming from zeroes in $G$), the function $f$ typically does not extend to all of $E$.

The number of zeroes and poles of a rational function $f$ on a smooth projective curve like $E$ (or of a meromorphic function $f$ on a compact Riemann surface) turns out to be finite, and the collection of these points forms a powerful invariant of $f$ (as we’ll see later in this post), especially once we count them using their analogue of multiplicities. In both the algebraic and analytic settings, this analogue is called the order of $f$ at a point $P$. Looking at the complex-analytic case first provides an intuitive picture of zeroes and poles through local coordinates:

Definition (order of meromorphic function on a Riemann surface).
Let $f$ be a meromorphic function around point $z_0$ in $\mathbb{C}$. Then there exists an integer $k\in \mathbb{Z}$ such that $f$ has a Laurent expansion

\[f(z) = \sum_{n = k}^\infty a_n (z-z_0)^n\qquad \textrm{with}\qquad a_k \neq 0.\]

Equivalently, we can write

\[f(z) = ( z - z_0)^k u(z)\]

for some local holomorphic function $u(z)$ with $u(z_0) \neq 0$. This integer $ k$ is called the order of $f$ at $z_0$ and will be denoted by $\mathrm{ord}_{z_0}(f)$.

More generally, given a meromorphic function $f$ around a point $P$ on a Riemann surface, pick a local coordinate $z$ at $P$ (so $z(P) = 0$) and set \(\mathrm{ord}_{P}(f) \mathrel{\vcenter{:}}= \mathrm{ord}_{0} (f \circ z^{-1}),\) which is independent of the choice of $z$.

The algebraic version is:

Definition (order of rational function on a smooth curve).
Let $f$ be a rational function on a smooth curve $X$, and $P$ a (closed) point on $X$. Then for any local parameter $t$ at $P$ there exists an integer $k\in \mathbb{Z}$ such that

\[f = t^k \cdot u\]

for some rational function $u$ defined at $P$ but not vanishing at $P$. We set $\mathrm{ord}_{P}(f) \mathrel{\vcenter{:}}= k$.

Conceptually a local parameter exists because a smooth curve locally looks like a line — essentially a version of the implicit function theorem:

Proposition.
Let $X$ be a smooth affine curve defined by the vanishing of some polynomial $F(X,Y) \in K[X,Y]$, so for each point $P=(P_x,P_y)$ on $X$ at least one of $\partial F / \partial Y (P)$ or $\partial F / \partial X (P)$ is nonzero. We can obtain a local parameter as follows:

• If $\partial F / \partial Y (P) \neq 0$, then $X - P_x$ is a local parameter.
• If $\partial F / \partial X (P) \neq 0$, then $Y - P_y$ is a local parameter.
• At the point $O$ at infinity, $X / Y$ is a local parameter.

Example.
Let $E$ be an elliptic curve, defined by a short Weierstrass equation $Y^2 = X^3 + aX + b$ with nonzero discriminant. Recall that a nontrivial 2-torsion point has $Y$-coordinate zero, which implies that its $X$-coordinate is a solution to $X^3 + aX + b = 0$. Here $\partial F / \partial Y (P)$ vanishes so $Y$ is a local parameter. Away from those points, a point $P = (P_x, P_y)$ satisfies $P_y \neq 0$ so $\partial F / \partial Y (P) \neq 0$ and hence $X - P_x$ is a local parameter.

Instead of computing orders at $O$ manually, one can use the formula

\[\begin{equation} \mathrm{ord}_O (f) = - \sum_{P\in E^{\mathrm{aff}}} \mathrm{ord}_P(f) \label{order} \end{equation}\]

when working over a sufficiently large field.

Example.
Continuing the previous example, now consider vertical lines of the form $f(X,Y) = X - \alpha$. Then for $\alpha$ not a solution to $X^3 + aX + b = 0$, the line will intersect $E$ in two points (or zero if the field doesn’t contain the right roots) where the local parameter is $X - \alpha$, so the order of $f$ at those points is $1$. If on the other hand $\alpha$ is the $X$-coordinate of a 2-torsion point $P$, we can use the Weierstrass equation to rewrite

\[f(X,Y) = \frac{Y^2}{(X-\alpha')(X-\alpha'')}\]

where $\alpha’$ and $\alpha’’$ are the other zeroes of $X^3 + aX + b = 0$. Since the zeroes of this polynomial are distinct (due to the nonvanishing discriminant), the denominator doesn’t vanish at $P$. This equation then implies that $\mathrm{ord}_P (f) = 2$.

In either case, for the point $O$ we then find $\mathrm{ord}_O (f) = -2$ through \eqref{order} or direct computation.

The standard formalism for handling this multi-set (counting the orders) of points of $E$ is:

Definition (Weil divisors).
A (Weil) divisor on a smooth curve $X$ is an element of the free abelian group

\[\mathrm{Div}(X) \mathrel{\vcenter{:}}= \bigoplus_{P\in X} \mathbb{Z},\]

whose basis elements are thus indexed by the points of \(X\). Equivalently, a divisor $D$ can be written as a formal sum

\[D=\sum_{P\in X} n_P [P],\qquad \textrm{for various }n_P \in \mathbb{Z},\]

where $[P]$ denotes the basis element corresponding to the point $P$, and only finitely many of the $n_P$ are nonzero. The set of points \(P\) in \(X\) such that $n_P$ is nonzero is called the support of \(D\), denoted $\mathrm{supp}(D)$, and its degree is defined to be the integer \(\deg(D)\mathrel{\vcenter{:}}=\sum_{P \in X} n_{P}.\)

The multi-set of zeroes and poles of a rational function is then formalised as follows:

Definition (principal divisors). Given a rational function $f$ on $X$, its divisor

\[\mathrm{div}(f) = \sum_{P \in X} \mathrm{ord}_P(f) \, [P] \in \mathrm{Div}(X)\]

records at each point $P$ in $X$ the order \(\mathrm{ord}_f(P)\) of the zero (with a plus sign) or pole (with a minus sign) of $f$ at $P$, and is zero otherwise. A divisor of the form $\mathrm{div}(f)$ is called principal. If $ D = \sum_{P\in X} n_P [P]$ is a divisor whose support is disjoint from the support of $\mathrm{div}(f)$ (so that $f$ evaluates to a non-zero field element at each element in the support of $D$), we set

\[f(D)\mathrel{\vcenter{:}}= \prod_{P\in \mathrm{supp}(D)} f(P)^{n_P}.\]

Finally, given a pair of divisors $D,D’$ on $X$, we write $D \sim D’$ if their difference $D - D’$ is principal, and say that $D$ and $D’$ are linearly equivalent.

We will motivate the definition of linear equivalence in the next post. Using divisors rather than multi-sets is useful here because it allows one to employ formulas like

\[\mathrm{div}(fg) = \mathrm{div}(f) + \mathrm{div}(g).\]

Example.
Let $P$ be a nontrivial point on an elliptic curve $E$, with $X$-coordinate $\alpha$. Then the vertical line $v_P$ through $P$ has equation $v_P(X,Y) = X - \alpha$, and we’ve seen that

\[\mathrm{div}(v_P) = [P] + [-P] -2[O],\]

so the support of $\mathrm{div}(v_P)$ is the set $\{P, -P, O \}$ and its degree is $0$.

More generally, one can show that the line through two points $P,Q$ has divisor $[P] + [Q] + [-P - Q] -3[O]$.

In Weil’s original work [Weil40], arising from his proof of the Riemann hypothesis for curves over finite fields, in Miller’s paper [Mil04], and in many modern references (e.g., [Cos, Lan87, Was08, Sil09, Sut23]), the Weil pairing is then defined roughly as follows:

Definition (Weil pairing [Wei40]).
Let $E$ be an elliptic curve defined over a field $K$ with identity element $O$, and pick an integer $n>0$ which is coprime to the characteristic $\mathrm{char}(K)$ of $K$ if $\mathrm{char}(K)>0$, and consider the $n$-torsion subgroup $E(K)[n]$. The Weil pairing is an alternating, bilinear, non-degenerate, Galois-invariant, and surjective form

\[\mathrm{Weil}_{n}:E(K)[n]\times E(K)[n]\longrightarrow\mu_{n}\mathrel{\vcenter{:}}=\{x\in K:x^{n}=1\}.\]

It is constructed for a pair of points $P,Q\in E(K)[n]$ as follows: pick divisors $D_{P}\sim[P]-[O]$ and $D_{Q}\sim[Q]-[O]$ with disjoint support. Then there exist functions $f_{P},f_{Q}$ with $\mathrm{div}(f_{P})=nD_{P}$ and $\mathrm{div}(f_{Q})=nD_{Q}$, and we set

\[\mathrm{Weil}_{n}(P,Q)\mathrel{\vcenter{:}}=\frac{f_{P}(D_{Q})}{f_{Q}(D_{P})}.\]

To me, this definition is far from enlightening. The functions $f_{P}$ and $f_{Q}$ are only defined up to multiplication by constants, so using them for evaluations seems off.² Moreover, the choice of divisors $D_{P}$ and $D_{Q}$ (and the use of linear equivalence more generally) strongly suggest a deeper connection with the geometry of line bundles on $E$ that is left implicit. Some texts ([Was08, Sil09] and Wikipedia) provide a second definition, yet it is no more illuminating. What, then, is the conceptual picture behind these constructions?

At the moment I don’t have access to Weil’s original papers — and it’s generally discouraged to read them anyway because his language of algebraic geometry is too dated — but I want to start this investigation with sketching some of the relevant theory over the complex numbers $\mathbb{C}$. Focusing on $\mathbb{C}$ allows us to leverage analytic functions and lattices to construct the pairing very explicitly.³

When searching for the complex-analytic analogue of the Weil pairing I found that many texts simply state that the result is a skew-symmetric pairing or the exponential of one [Gal05, Sil09, KR17], without explaining why this holds. The only source I found that sketches a derivation is [Lan87, Appendix A], though the argument there is a bit terse; this post is devoted to giving a more detailed and more self-contained explanation, before extending that in the next post with line bundles.

My motivation here is that one of the first things I do when learning a new concept in algebraic geometry is to explore its geometric interpretation, and I find that this approach often clarifies many of the results that follow. For example, I would have struggled to understand the definition and properties of the Zariski (co)tangent space without having seen in differential geometry the description of the tangent space in terms of differentials. And earlier in this post, I tried to show how the notion of the order of a rational function at a point in a smooth curve parallels the corresponding, less technical notion for meromorphic functions on Riemann surfaces. However, this strategy only works when the definition at hand is close to its geometric origins.

In this case, it turns out that naively complexifying the definition of the Weil pairing does not provide much insight — and for good reason. In the next post, we’ll see that we should be looking at line bundles instead; evidently this pairing is really a product of 20th century geometry, rather than the 19th century developments in which much of the complex analytic theory of elliptic curves originated. Nevertheless, the resulting complex-analytic approach is quite elegant and will be expanded in the next post, and I thought it might be worthwhile to record it for readers who are also curious for a quick derivation of the Weil pairing over $\mathbb{C}$.

Concretely then, in the rest of this post we will:

1. Recall the analytic description of a complex elliptic curve, as a quotient of $\mathbb{C}$ by a lattice.

2. Explain why divisors like $nD_{P}$ and $nD_{Q}$ are principal in this setting, by using them to explicitly construct certain functions on $\mathbb{C}$ and showing that these functions descend to the sought-after functions $f_{P}$ and $f_{Q}$ on $E(\mathbb{C})$.

3. Subsequently demonstrate that over $\mathbb{C}$ the Weil pairing $\mathrm{Weil}_{n}(\cdot,\cdot)$ does not need such divisors or functions, because it reduces to the much simpler form

   \[(P,Q)\longmapsto\zeta^{\langle P,Q \rangle}\]

   for the primitive $n$-th root of unity $\zeta=e^{2\pi i/n}$ and a certain⁴ skew-symmetric pairing $\langle \cdot,\cdot \rangle$ coming from $\Lambda$.

The Complex Torus

We now make precise the first step mentioned above: describing complex elliptic curves as quotients of $\mathbb{C}$ by a lattice.

Definition (lattices).
Let $n$ be a positive integer. A subset $\Lambda \subset \mathbb{R}^n$ is called a (full-rank) lattice if it is a subgroup of $\mathbb{R}^n$ isomorphic to $\mathbb{Z}^{n}$.

More abstractly, a lattice in a finite-dimensional real vector space $V$ is a subgroup $\Lambda$ such that $\Lambda \otimes_\mathbb{Z} \mathbb{R} = V$.

Let’s start with the simplest case, namely $n=1$:

Example.
Any nonzero element $\omega$ in $\mathbb{R}$ generates a subgroup $\omega \mathbb{Z} = \{ \omega \cdot k \in \mathbb{R}: k\in \mathbb{Z} \}$ isomorphic to $\mathbb{Z}$, so a lattice $\Lambda \subset \mathbb{R}$ is always of the form $\omega \mathbb{Z}$ for some $\omega \in \mathbb{R}^\times$.

Proposition.
Let $\Lambda$ be a lattice in $\mathbb{R}$. The quotient space $\mathbb{R}/\Lambda$ can be realised topologically as a circle $S^1$.

Proof: Every element in the quotient $\mathbb{R} / \omega \mathbb{Z}$ has a unique representative in the half-open interval $[0, \omega)$; since the end-point $\omega$ is identified in this quotient with the start-point $0$, topologically this means that $\mathbb{R} / \Lambda$ is homeomorphic to a circle.

Identifying $\mathbb{C}^n \simeq \mathbb{R}^{2n}$, a lattice in an $n$-dimensional complex vector space is then a subgroup isomorphic to $\mathbb{Z}^{2n}$.

Example.
By definition a lattice $\Lambda \subset \mathbb{C}$ is a subgroup $\Lambda = \mathbb{Z} \omega_1 + \mathbb{Z} \omega_2 $ for a pair of elements $\omega_1,\omega_2 \in \mathbb{C}$ which are linearly independent over $\mathbb{R}$ (i.e., they do not lie on the same line through the origin).

Definition.
This pair $\omega_1, \omega_2$ is usually ordered so that their principal arguments satisfy $\mathrm{Arg}(\omega_1) < \mathrm{Arg}(\omega_2)$ (which is equivalent to $\Im(\omega_{1}/\omega_{2})<0$), and is called a fundamental pair of periods for the lattice.

By using a suitable isomorphism, one may always set $\omega_1 = 1$; the other point is then usually denoted by $\tau$.

Proposition.
Let $\Lambda$ be a lattice in $\mathbb{C}$. The quotient space $\mathbb{C}/\Lambda$ can be realised topologically as a torus $S^1 \times S^1$.

Proof: Since the fundamental periods form a basis for the two-dimensional real vector space $\mathbb{C}$, the set

\[\\\{ c_1 \omega_1 + c_2 \omega_2 : 0\leq c_1,c_2 < 1 \\\}\]

forms a fundamental domain (called the fundamental parallelepiped):

An elliptic curve $\mathbb{C}/\Lambda$ with its lattice $\Lambda$ generated by $\omega_{1} = 1$ and $\omega_{2} = 1/2 + 2i$, showing 16 points in its fundamental domain (source)

The two borders that satisfy $c_1 = 1$ and $c_2 = 1$, so

\[\\\{ \omega_1 + c_2 \omega_2 : 0\leq c_2 \leq 1 \\\} \qquad \textrm{ and }\qquad \\\{ c_1 \omega_1 + \omega_2 : 0\leq c_1 \leq 1 \\\},\]

are identified by the lattice with their opposites (which satisfy $c_1 = 0$ and $c_2 = 0$ respectively). Pictorally the identification with the torus can then be seen as follows:

After identifying the opposite sides of a rectangle, it becomes a torus (source)

More generally, for any $n\geq 1$ the quotient $\mathbb{R}^n / \Lambda$ is a compact Lie group isomorphic to a hypertorus \((S^1)^n\), and the projection map \(\mathbb{R}^n \rightarrow \mathbb{R}^n / \Lambda\) is a universal covering. For a lattice in $\mathbb{C}^n$, the projection is furthermore holomorphic and quotient is a compact complex Lie group.

An elliptic curve $E(K)$ over a field $K$ is typically defined (when $\mathrm{char}(K)$ is not $2$ or $3$) as the set of zeroes of a short Weierstrass equation $Y^{2}=X^{3}+aX+b$ (with nonzero discriminant $4 a^3 + 27 b^2$) over the plane $K^{2}$, together with a point $O$ at infinity. Focusing on the complex numbers has the advantage that $E(\mathbb{C})$ can be studied concretely as a complex torus $\mathbb{C}/\Lambda$, for some lattice $\Lambda \subset \mathbb{C}$, with $O$ the zero element and elliptic curve addition corresponding to ordinary addition on $\mathbb{C}$:

Theorem (the uniformization theorem for elliptic curves).
Let \(E(\mathbb{C})\) be an elliptic curve over the complex numbers. Then there exists a lattice $\Lambda \subset \mathbb{C}$ such that

\[\mathbb{C} / \Lambda \simeq E(\mathbb{C})\]

as complex Lie groups. This isomorphism extends to an equivalence of categories.

Again, the points of $E$ are usually identified with the fundamental domain obtained by picking a basis $\omega_1, \omega_2$ for the lattice $\Lambda$ and restricting to the parallelepiped with corners

\[0, \qquad \omega_1, \qquad \omega_2, \qquad \omega_1 + \omega_2.\]

Torsion points $E(\mathbb{C})[n]$ and their properties — such as the canonical identification $E(\mathbb{C})[n] \simeq (\Lambda/n)/\Lambda \simeq(\mathbb{Z}/n\mathbb{Z})^{2}$ — are straightforward to visualise; the first picture in the previous proof shows the 4-torsion subgroup of size $4^2$.

Principal Divisors

The complex analytic analogue of the rational functions $f_{P}$ and $f_{Q}$ on an elliptic curve are certain meromorphic functions on a complex torus (this is part of a larger principle).

Notation (Field of meromorphic functions).
We will denote the field of meromorphic functions on a compact Riemann surface $S$ by $K(S)$, and its subset of nonzero elements by $K(S)^\times$.

Rather than studying these functions directly on the torus $\mathbb{C}/\Lambda$, it is often more convenient (as we will soon see) to pull them back to $\mathbb{C}$ along the universal covering

\[\mathbb{C}\twoheadrightarrow\mathbb{C}/\Lambda\]

where we have access to a wider class of functions. Those meromorphic functions on $\mathbb{C}$ that descend to the torus are naturally characterised as follows:

Definition (Elliptic functions).
A meromorphic function on the complex plane $\mathbb{C}$ is called elliptic (or doubly-periodic) with respect to a lattice $\Lambda$ if

\[f(z+\lambda)=f(z)\qquad\textrm{for all }\lambda\in\Lambda.\]

Meromorphic functions on compact Riemann surfaces (and hence elliptic functions) form a remarkably rigid class:

Theorem (Liouville’s theorem in terms of divisors).
Meromorphic functions on compact Riemann surfaces are classified, up to scalar multiplication, by their divisors.

Proof: Let $S$ be a compact Riemann surface. Since $\mathrm{ord}_P(\cdot): K(S)^\times \rightarrow \mathbb{Z}$ is a homomorphism, the same is true for the coproduct of morphisms

\[\mathrm{div}(\cdot): K(S)^\times \longrightarrow \mathrm{Div}(S) = \bigoplus_{P\in S} \mathbb{Z},\qquad f\longmapsto \bigl(\mathrm{ord}_P(f)\bigr)_{P\in S}.\]

(To put it more plainly, if $f$ and $g$ have the same divisor, then we want to use that $f/g$ has the trivial divisor.) Thus it suffices to show that a nonzero meromorphic function on a compact Riemann surface without zeroes or poles is constant, which is exactly Liouville’s theorem.

Divisors are often simpler to handle than meromorphic functions, and this statement is frequently used to show that two meromorphic functions agree. On an elliptic curve, principal divisors can be described very explicitly:

Theorem (Abel’s theorem for elliptic curves).
Let $D$ be a divisor on an elliptic curve $E$ with identity $O$. Then $D=\sum_{P\in E}n_{P}[P]$ is principal if and only if

\[\deg(D)\mathrel{\vcenter{:}}=\sum_{P\in E}n_{P}=0\qquad\textrm{and}\qquad\sum_{P\in E}n_{P}P=O.\]

We will sketch the proof of the forward direction soon, and prove the converse in the next section.

Example. Let $D_{P}=[P]-[O]$ for a point $P$ in the $n$-torsion of $E$. Then both conditions hold for the divisor $nD_{P}$, so by this theorem there exists a meromorphic function $f_{P}$ on $\mathbb{C}/\Lambda$ with $\mathrm{div}(f_{P})=nD_{P}$.

Corollary. Let $Q,R$ be two points in an elliptic curve $E$. Then there is a linear equivalence of divisors

\[[Q]-[O]\sim[Q+R]-[R].\]

Both of the identities in this theorem have analogues for arbitrary compact Riemann surfaces. The generalisation of the first identity is:

Proposition (the degree of a principal divisor is zero).
Let $f$ be a nonzero meromorphic function on a compact Riemann surface $S$. Then $\deg\bigl(\mathrm{div}(f)\bigr)=0$.

The second statement extends differently, since compact Riemann surfaces do not possess a group structure in general.

Remark. The Weierstrass ℘-function has a double pole at the origin, so Abel’s theorem implies that it should have two zeroes as well; it turns out these are quite nontrivial to describe explicitly [EM81, DI08].

The forward direction of the theorem can be proven directly (for $\mathbb{C}/\Lambda$) as follows. Pull back a meromorphic function on $\mathbb{C}/\Lambda$ corresponding to $D$ along the covering $\mathbb{C}\twoheadrightarrow\mathbb{C}/\Lambda$ to obtain an elliptic function $f$ on $\mathbb{C}$. Let $\gamma$ denote the loop running over the sides of a fundamental parallelepiped (slightly shifted if a zero or pole lies on one of its sides). Then the residue theorem implies that the two identities reduce to showing

\[\frac{1}{2\pi i}\oint_{\gamma}\frac{f'(z)}{f(z)}\mathrm{d}z=0,\qquad\textrm{and}\qquad\frac{1}{2\pi i}\oint_{\gamma}z\frac{f'(z)}{f(z)}\mathrm{d}z\in\Lambda.\]

Weierstrass σ-functions

The converse of the theorem can be proved indirectly using a Riemann–Roch style induction. However, for computations we’d prefer a more explicit construction of the meromorphic function corresponding to a given divisor.

A natural first attempt at constructing an elliptic function on $\mathbb{C}$ might be to consider the infinite product⁵

\[\prod_{\lambda\in\Lambda}(z-\lambda),\]

and then note that it has to “shrink” substantially to have any chance of converging. Removing a large factor, Eisenstein examined the series

\[z\prod_{\lambda\in\Lambda^{\times}}\left(1-\frac{z}{\lambda}\right) = z \exp\left(\sum_{\lambda\in\Lambda^{\times}}\log(1-\frac{z}{\lambda})\right),\qquad\textrm{where }\Lambda^{\times}\mathrel{\vcenter{:}}=\Lambda \backslash \{0\},\]

and showed that it converges conditionally, but not absolutely [Eis47].⁶ Expanding the Newton–Mercator series

\[\log(1-\frac{z}{\lambda})=-\frac{z}{\lambda}-\frac{1}{2}\frac{z^{2}}{\lambda^{2}}-\frac{1}{3}\frac{z^{3}}{\lambda^{3}}-\cdots\]

appearing in the exponential, one sees that eliminating the first two terms is enough to obtain absolute convergence. This can be achieved immediately by inserting a suitable exponential factor:

Definition (Weierstrass σ-function [Wei93]).
Given a lattice $\Lambda$ in $\mathbb{C}$, the Weierstrass σ-function is the meromorphic function defined on $\mathbb{C}$ as

\[\sigma(z;\Lambda)=z\prod_{\lambda\in\Lambda^{\times}}\left(1-\frac{z}{\lambda}\right)\exp\left(\frac{z}{\lambda}+\frac{1}{2}\left(\frac{z}{\lambda}\right)^{2}\right).\]

It has a simple zero at each lattice point, and no poles since it converges absolutely. This proves

Proposition.
Let $\Lambda$ be a lattice in $\mathbb{C}$. Then for any finite set of points $\{ a_i \}_i$ in $\mathbb{C}$ and integers $\{ n_i \}_i$, the function

\[f(z)\mathrel{\vcenter{:}}= \prod_{i}\sigma(z-a_{i};\Lambda)^{n_{i}}\]

is meromorphic and has divisor $\mathrm{div}(f) = \sum_i n_i \sum_{\lambda \in \Lambda} [a_i + \lambda].$

Observe that a Weierstrass σ-function is odd, meaning that $\sigma(-z;\Lambda)=-\sigma(z;\Lambda)$, which follows from $-\Lambda^{\times} = \Lambda^{\times}$.

Example.
Let \(\Lambda= \langle \omega_{1}, \omega_{2} \rangle\) be the lattice generated by $\omega_{1} = 1$ and $\omega_{2} = 1/2 + 2i$. Consider the Weierstrass sigma function \(\sigma(z;\Lambda)\) on the square region \([-3.5, 3.5] \times [-3.5, 3.5]\) in the complex plane. On the horizontal line through the origin there are 7 zeroes at \(-3,-2,-1,0,1,2,3\), and there are two more rows of zeroes at the horiziontal lines through $\omega_{2}$ and $- \omega_{2}$:

Domain colouring plot of the Weierstrass σ-function with fundamental periods $\omega_{1} = 1$ and $\omega_{2} = 1/2 + 2i$ on the square region \([-3.5, 3.5] \times [-3.5, 3.5]\). (source code)

This is not an elliptic function (as the image of its plot already shows):⁷

Proposition (Quasi-periodicity of σ-functions).
For a fixed lattice $\Lambda$ there exists⁸ a linear map $\lambda\mapsto\eta_{\lambda}$, meaning $\eta_{\lambda+\lambda’}=\eta_{\lambda}+\eta_{\lambda’}$ for all $\lambda,\lambda’\in\Lambda$, such that

\[\sigma(z+\lambda; \Lambda)=-e^{\eta_{\lambda}(z+\lambda/2)}\sigma(z; \Lambda)\]

for all $\lambda\in\Lambda$.

This statement has a natural interpretation in terms of holomorphic line bundles, as we’ll see in the next post.

Proof sketch: The logarithmic derivative $\zeta(z; \Lambda)\mathrel{\vcenter{:}}=\sigma’(z; \Lambda)/\sigma(z; \Lambda)$ of the Weierstrass σ-function is the Weierstrass ζ-function, and the derivative of that is minus the Weierstrass ℘-function. Since the Weierstrass ℘-function is elliptic, it follows that $\zeta(z+\lambda; \Lambda)-\zeta(z; \Lambda)$ is a constant $\eta_{\lambda}$ for fixed $\lambda$. This equation also yields linearity:

\[\eta_{\lambda+\lambda'}=\zeta(z+\lambda+\lambda'; \Lambda)-\zeta(z; \Lambda)=\zeta(z+\lambda+\lambda'; \Lambda)-\zeta(z+\lambda; \Lambda)+\zeta(z+\lambda; \Lambda)-\zeta(z; \Lambda)=\eta_{\lambda'}+\eta_{\lambda}\]

for any $\lambda,\lambda’\in\Lambda$. Now integrating $\zeta(z+\lambda;\Lambda)=\zeta(z+\lambda;\Lambda)+\eta_{\lambda}$ w.r.t. $z$ yields

\[\mathrm{ln}\,\sigma(z+\lambda)=\mathrm{ln}\,\sigma(z)+\eta_{\lambda}z+c_{\lambda},\qquad\textrm{for some constant }c_{\lambda},\]

and hence $\sigma(z+\lambda)=e^{\eta_{\lambda}z}e^{c_{\lambda}}\sigma(z)$. The value $c_{\lambda}$ can be derived by plugging in $z=-\lambda/2$ and using that $\sigma$ is odd.

Nevertheless, we will use these non-elliptic functions to construct elliptic ones:

Theorem (Abel’s theorem for complex elliptic curves in terms of σ-functions).
Any elliptic function $f$ on $\mathbb{C}$ with zeroes $a_{i}$ and poles $b_{i}$ in $\mathbb{C}/\Lambda$ can be written as

\[f(z)=c\prod_{i=1}^{n}\frac{\sigma(z-\tilde{a}_{i}; \Lambda)}{\sigma(z-\tilde{b}_{i}; \Lambda)},\]

for some constant $c$ and choice of elements $\tilde{a}_i,\tilde{b}_i$ satisfying:

• $\tilde{a}_i\equiv a_i\mod{\Lambda}$, and

• $\tilde{b}_i\equiv b_i\mod{\Lambda}$, and

• $\sum_{i=1}^n {\tilde a_i} = \sum_{i=1}^n {\tilde b_i}$,⁹

and conversely such functions are elliptic.

Example.
Continuing from the previous example, again consider the lattice \(\Lambda= \langle \omega_{1}, \omega_{2} \rangle\) with $\omega_{1} = 1$ and $\omega_{2} = 1/2 + 2i$. The points

\[\tilde a_1 = \tilde a_2 = \omega_{1} / 2 + \omega_{2}/2,\qquad \tilde b_1 = 0\]

satisfy the conditions of the theorem. Therefore, the formula given there should yield an elliptic function with respect to \(\Lambda\). In other words, the function is expected to be periodic with respect to shifts by the fundamental parallelepiped with corners

\[0, \qquad \omega_{1}, \qquad \omega_{2}, \qquad \omega_{1} + \omega_{2},\]

which are marked by the pole at $\tilde b_1 = 0$. Inside the parallelepiped there will be a (double) zero at $\tilde a_1$ and and additional pole at $2 \tilde a_1$.

Domain colouring plot of this elliptic function with $\tilde a_1 = \tilde a_2 = \omega_{1}/2 + \omega_{2}/2, \tilde b_1 = 0, c = 1$, for fundamental periods $\omega_{1} = 1$ and $\omega_{2} = 1/2 + 2i$, on the square region \([-3.5, 3.5] \times [-3.5, 3.5]\). (source code)

Again, we are constructing functions on $E(\mathbb C)$ through the covering $\mathbb{C}\twoheadrightarrow\mathbb{C}/\Lambda$, which does not exist over arbitrary fields; although this theorem still holds in that generality, it is not possible to explicitly construct a function associated to a divisor this directly.

Proof: By Abel’s theorem, the number of zeroes and poles indeed agree, and we have $\sum_{i=1}^n a_i \equiv \sum_{i=1}^n b_i$ modulo $\Lambda$. Thus the existence of these $\tilde a_i,\tilde b_i$ follows. Now denote the right-hand-side for $c=1$ by $g(z)$; it is elliptic, since for any $\lambda$ in $\Lambda$ we have \begin{align} g(z + \lambda) &= \prod_{i=1}^n \frac{\sigma(z+\lambda-{\tilde a_i}; \Lambda)}{\sigma(z+\lambda-{\tilde b_i}; \Lambda)} \nonumber \\
&= \prod_{i=1}^n \frac{-e^{\eta_\lambda (z-{\tilde a_i} + \lambda / 2)} \sigma(z- {\tilde a_i}; \Lambda)}{-e^{\eta_{\lambda}(z-{\tilde b_i} + \lambda / 2)}\sigma ( z - {\tilde b_i} ; \Lambda) } \nonumber \\
& =g(z)\prod_{i=1}^n e^{\eta_{\lambda}({\tilde b_i}-{\tilde a_i})} \nonumber \\
& =g(z)e^{\eta_{\lambda}\sum_{i=1}^n ({\tilde b_i}-{\tilde a_i})}=g(z). \nonumber \end{align}

Since $f(z)$ and $g(z)$ are both elliptic functions and have the same divisor on $E(\mathbb C)$, Liouville’s theorem implies that they are equal, up to a constant.

The Weil Pairing over $\mathbb{C}$

We now follow the definition of the Weil pairing over fields as presented earlier, but specialised to $\mathbb{C}$.

Notation.
For simplicity, in this section we write $\sigma(z)$ rather than $\sigma(z; \Lambda)$.

Now for arbitrary points $P,Q,R$ in $E(\mathbb{C})[n]=(\Lambda/n)/\Lambda$ consider the divisors $D_{P}=[P]-[O]$ and $D_{Q}=[Q+R]-[R]$; we will assume that $P,Q,R$ are chosen so that their support is disjoint. For any choice of lifts $\tilde{P},\tilde{Q},\tilde{R}$ in $\mathbb{C}$, the functions

\[f_{P}(z)=\frac{\sigma(z-\tilde{P})^{n}}{\sigma(z)^{n-1}\sigma(z-n\tilde{P})}\qquad\textrm{and}\qquad f_{Q}(z)=\frac{\sigma(z-\tilde{Q}-\tilde{R})^{n}}{\sigma(z-\tilde{R})^{n-1}\sigma(z-\tilde{R}-n\tilde{Q})}\]

are elliptic on $\mathbb{C}$ by the previous theorem, and they have divisors $nD_{P}$ and $nD_{Q}$ when considered as functions on the complex torus. Setting $\mathrm{Weil}_n (P,Q) \mathrel{\vcenter{:}}= f_P (D_Q)/f_Q (D_P )$ as before, we find

Lemma.
The value \(\mathrm{Weil}_n (P,Q)\) is given by $ e^{\eta_{n {\tilde P}} {\tilde Q} - \eta_{n {\tilde Q}} {\tilde P} } $.

Proof: In evaluating points on $\mathbb{C} / \Lambda$ via σ-functions we have to choose lifts again; it seems plausible that choosing the same lifts $\tilde{P},\tilde{Q},\tilde{R}$ (and similarly for $O$ and $Q+R$) will lead to the simplest formulas. By definition then,

\[f_{P}(D_{Q})=\frac{\sigma(\tilde{Q}+\tilde{R}-\tilde{P})^{n}\sigma(\tilde{R})^{n-1}\sigma(\tilde{R}-n\tilde{P})}{\sigma(\tilde{Q}+\tilde{R})^{n-1}\sigma(\tilde{Q}+\tilde{R}-n\tilde{P})\sigma(\tilde{R}-\tilde{P})^{n}}\]

and

\[f_{Q}(D_{P})=\frac{\sigma(\tilde{P}-\tilde{Q}-\tilde{R})^{n}\sigma(-\tilde{R})^{n-1}\sigma(-\tilde{R}-n\tilde{Q})}{\sigma(\tilde{P}-\tilde{R})^{n-1}\sigma(\tilde{P}-\tilde{R}-n\tilde{Q})\sigma(-\tilde{Q}-\tilde{R})^{n}},\]

so \begin{align} \frac{f_P(D_Q)}{f_Q(D_P)} & =(-1)^{3n} (-1)^{n-1} \frac{\sigma({\tilde R}-n{\tilde P})\sigma({\tilde P}-{\tilde R}-n{\tilde Q})\sigma({\tilde Q}+{\tilde R})}{\sigma({\tilde Q}+{\tilde R}-n{\tilde P})\sigma({\tilde P}-{\tilde R})\sigma(-{\tilde R}-n{\tilde Q})} \nonumber \\
& =-\frac{\sigma(\tilde{R}-n\tilde{P})}{\sigma(-\tilde{R}-n\tilde{Q})}\frac{\sigma(\tilde{P}-\tilde{R}-n\tilde{Q})}{\sigma(\tilde{P}-\tilde{R})}\frac{\sigma(\tilde{Q}+\tilde{R})}{\sigma(\tilde{Q}+\tilde{R}-n\tilde{P})} \nonumber \\
& =-(-1)^{4}\frac{e^{-\eta_{n\tilde{P}}(\tilde{R}+n\tilde{P}/2)}\sigma(\tilde{R})}{e^{-\eta_{n\tilde{Q}}(-\tilde{R}+n\tilde{Q}/2)}\sigma(-\tilde{R})}\frac{e^{-\eta_{n\tilde{Q}}(\tilde{P}-\tilde{R}+n\tilde{Q}/2)}\sigma(\tilde{P}-\tilde{R})}{\sigma(\tilde{P}-\tilde{R})}\frac{\sigma(\tilde{Q}+\tilde{R})}{e^{-\eta_{n\tilde{P}}(\tilde{Q}+\tilde{R}+n\tilde{P}/2)}\sigma(\tilde{Q}+\tilde{R})} \nonumber \\
& =e^{-\eta_{n\tilde{P}}(\tilde{R}+n\tilde{P}/2)-\eta_{n\tilde{Q}}(\tilde{P}-\tilde{R}+n\tilde{Q}/2)+\eta_{n\tilde{Q}}(-\tilde{R}+n\tilde{Q}/2)+\eta_{n\tilde{P}}(\tilde{Q}+\tilde{R}+n\tilde{P}/2)} \nonumber \\
& =e^{\eta_{n\tilde{P}}\tilde{Q}-\eta_{n\tilde{Q}}\tilde{P}}. \nonumber \end{align}

Corollary.
Now write $\tilde{P}=a\omega_{1}/n+b\omega_{2}/n$ and $\tilde{Q}=c\omega_{1}/n+d\omega_{2}/n$, for some fundamental periods $\omega_{1},\omega_{2}$ with arguments $\Im(\omega_{2}/\omega_{1})>0$, and consider the primitive $n$-th root of unity $\zeta \mathrel{\vcenter{:}}= e^{2\pi i/n}$. Then

\[\mathrm{Weil}_n (P,Q)= e^{2\pi i(ad-bc)/n} = \zeta^{ad - bc}.\]

Notation.
When the fundamental periods \(\omega_1, \omega_2\) of a lattice $\Lambda \subset \mathbb{C}$ are fixed, one often writes $\eta_i \mathrel{\vcenter{:}}= \eta_{\omega_i}$ for $i\in \{ 1,2 \}$.

Proof: After using linearity of $\lambda\mapsto\eta_{\lambda}$ and expanding

\begin{align} (\eta_{n\tilde{P}}\tilde{Q}-\eta_{n\tilde{Q}}\tilde{P}) & =(a\eta_{1}+b\eta_{2})(c\omega_{1}+d\omega_{2})-(c\eta_{1}+d\eta_{2})(a\omega_{1}+b\omega_{2}) \nonumber \\
& =(ad-bc)(\eta_{1}\omega_{2}-\eta_{2}\omega_{1}), \nonumber \end{align}

this follows from Legendre’s relation.

Since the literature is sometimes unclear about the sign in Legendre’s relation, let us quickly prove it:

Proposition ([Leg25]).
Assume that the arguments of the fundamental periods $\omega_{1},\omega_{2}$ of a lattice satisfy $\Im(\omega_{2}/\omega_{1})>0$. Then

\[\eta_{1}\omega_{2}-\eta_{2}\omega_{1} = 2 \pi i .\]

Proof: This time we integrate the Weierstrass ζ-function over the sides of the fundamental parallelepiped, and then the residue theorem yields:

\begin{align} 2\pi i & =\oint_{\gamma}\zeta(z;\Lambda)\mathrm{d}z \nonumber \\
& =\int_{0}^{\omega_{1}}\bigl(\zeta(z;\Lambda)-\zeta(z+\omega_{2};\Lambda)\bigr)\mathrm{d}z+\int_{0}^{\omega_{2}}\bigl(\zeta(z+\omega_{1};\Lambda)-\zeta(z;\Lambda)\bigr)\mathrm{d}z \nonumber \\
& =\eta_{1}\omega_{2}-\eta_{2}\omega_{1}. \nonumber \end{align}

References

[Cos] Craig Costello, Pairings for Beginners. Available at: https://static1.squarespace.com/static/5fdbb09f31d71c1227082339/t/5ff394720493bd28278889c6/1609798774687/PairingsForBeginners.pdf

[DI08] W. Duke and Ö. Imamoḡlu. “The zeros of the Weierstrass ℘–function and hypergeometric series.” Mathematische Annalen 340.4 (2008): 897-905.

[Eis47] G. Eisenstein, . “Beiträge zu Theorie der elliptischen Functionen. VI. Genaue Untersuchungen der unendlichen Doppelproducte, aus welchen die elliptischen Functionen als Quotienten zusammengesetzt sind, und der mit ihnen zusammen.” Journal für die reine und angewandte Mathematik 35 (1847): 185-274.

[EM81] M. Eichler and D. Zagier. “On the Zeros of the Weierstrass ℘-Function.” Mathematische Annalen 258 (1981): 399-408.

[Gal05] Steven D. Galbraith. “The Weil pairing on elliptic curves over $\mathbb{C}$.” Cryptology ePrint Archive (2005). Available at: https://eprint.iacr.org/2005/323.pdf

[Lan87] Serge Lang, Elliptic Functions, 2nd edition, Springer GTM 112, New York, 1987.

[Leg25] A. M. Legendre. Traité des fonctions elliptiques et des intégrales Eulériennes, vol. I. 1825.

[Mil86] Victor S. Miller, “Short programs for functions on curves,” unpublished manuscript, 1986. Available at: https://crypto.stanford.edu/miller/miller.pdf

[Mil04] Victor S. Miller, “The Weil pairing, and its efficient calculation,” Journal of Cryptology 17 (2004), 235–261.

[RS17] Kenneth A. Ribet and William A. Stein. Lectures on Modular Forms and Hecke Operators. Available at: https://www.wstein.org/books/ribet-stein/main.pdf

[Sil09] Joseph H. Silverman. The Arithmetic of Elliptic Curves. Vol. 106. New York: Springer, 2009.

[Sut23] Andrew Sutherland (2023). 18.783 – Elliptic curves [Lecture notes]. Massachusetts Institute of Technology. Available at: https://math.mit.edu/classes/18.783/2023/

[Was08] Lawrence C. Washington. Elliptic curves: number theory and cryptography. Chapman and Hall/CRC, 2008.

[Wei40] André Weil, “Sur les fonctions algébriques à corps de constantes finis,” C. R. Acad. Sci. Paris 210 (1940), 592–594.

[Wei93] K. Weierstrass. “Formeln und Lehrsätze zum Gebrauche der elliptischen Functionen.” Formeln und Lehrsätze zum Gebrauche der elliptischen Functionen. Berlin, Heidelberg: Springer Berlin Heidelberg, 1893. 1-96.

1. The main result of this paper actually dates back to an unpublished manuscript from 1986: Short programs for functions on curves ↩︎

2. It works out here technically because the constants cancel out when evaluating a divisor of degree zero like $[P]-[O]$, but that is besides the point. ↩︎

3. In fact, on Wikipedia it has said since 2009:

   the corresponding results for elliptic functions were known, and can be expressed simply by use of the Weierstrass sigma function.

   Although we will indeed end up using Weierstrass σ-functions to show equivalence with the algebraic definition presented at the start of this post, the resulting formula is rather simple and there is no need to express the pairing in terms of functions, and I’m not sure why one would do that. ↩︎

4. More precisely, this is $n^2$ times the skew-symmetric pairing coming from the canonical principal polarisation; so in terms of that pairing $\langle \cdot ,\cdot \rangle$, it would be $(P,Q) \mapsto e^{2\pi i n \langle P, Q \rangle }$ instead. ↩︎

5. Instead starting from the analogous infinite sum leads to the Weierstrass ℘-function, which is closely related. ↩︎

6. Absolute convergence would mean that $\sum_{\lambda\in\Lambda^{\times}}\log(1-\frac{z}{\lambda})$ converges absolutely. For sufficiently small $a$ we have $\log(1-a)\sim-a$, so then $\sum_{\lambda\in\Lambda^{\times}}\frac{1}{|\lambda|}$ converges, but this is false for any lattice: the number of lattice points $\lambda$ with $|\lambda|\leq R$ grows like $cR^{2}$, hence \(\sum_{|\lambda|\leq R}\frac{1}{|\lambda|}\sim\int_{1}^{R}\frac{r^{2}}{r}\mathrm{d}r=\frac{R^{2}-1}{2}.\) ↩︎

7. Instead it’s an example of a theta function, as we’ll see in the next post. ↩︎

8. This is called the Weierstrass η-function. ↩︎

9. Although this condition is often forgotten (e.g. here), it seems to me that it can’t be omitted. ↩︎