arXiv:1005.3871v1 [math.NT] 21 May 2010 ojcue htas that conjectured . (1.2) es hnvrteodro h ru a i rm . t prime in big cost a less has with group security the of of level order high the fields. whenever a finite keys, general, over curves in public-ke elliptic guarantee, to of approach tems structure an algebraic cryptography, the indepen on curve Miller based elliptic and 1985 Koblitz since in attention posed much received has fields finite eeadi h eul h letters the sequel, the in and Here n (1.1) utpiain(M,addnt by denote and (CM), multiplication ento) ti ayt e htif that see to easy is It definition). iha xlctconstant explicit an with etbududrteGnrlsdReanHptei GH sdet due is 1.3 (GRH) Theorem [22, Hypothesis Riemann Zywina to Generalised the due under is bound bound best upper unconditional best The pl iv ehd ogtucniinlo odtoa pe boun [1]. upper curves conditional elliptic or all con over unconditional Koblitz’s average get on case, to th true classical methods of be sieve the analogue to apply in shown the was As as but regarded curves. open, be elliptic can for (1.2) conjecture formula asymptotic The E Let elliptic of points of group the of size and structure the of study The e od n phrases. and words Key 2000 Date ( p := ) E uy1 2018. 1, July : ahmtc ujc Classification. Subject Mathematics SUORM EUTOSO LITCCURVES ELLIPTIC OF REDUCTIONS oeo h ieauefrtecasclpedpie 6 7 othis to 17] [6, pseudoprimes classical the for literature the of some ubrof number ubro primes of number Abstract. ae h rbe ffidn pe onsfor bounds upper finding of w problem applications, the cryptography paper by Motivated pseudoprimes). curve n o ahprime each for and ea litccredfie over defined curve elliptic an be | E ( F p ) | compositive ti nitrsigpolmt td h smttcbhvo of behavior asymptotic the study to problem interesting an is it , Let x E ∞ → π p E twin osrIaicssee ru re felpi uvsoe nt fie finite over curves elliptic of order group sieve, Rosser-Iwaniec’s p ea litccreover curve elliptic an be 6 fgo euto,let reduction, good of C n ( x , x E E twin := ) ( uhthat such p uhthat such ) π 1. eedn nyon only depending .DVD&J WU J. & DAVID C. E twin

 Introduction p p ( , C E 6 x b 13,14H52. 11N36, q n E ) twin ( E x F ∼ and b Q ( 1 n p p ) : E h euto of reduction the ) ihconductor with (log ,then 0, = ( C ≡ n p n ) ℓ E E twin F E b ≡ ( eoepienmes olt [11] Koblitz numbers. prime denote p ( (mod Q x p p b ) x ihu ope multiplication, complex without E,b sprime is ) = ) (mod 2 , ( x n E | E and ) E π n ( ( se[,(.) o t precise its for (2.5)] [5, (see F p E E twin ) and )), p ( ) p | π )(locle elliptic called (also ))

Let . N ( E,b pseu x

E . ) E n ihu complex without and ( drs nthis in address e ≪ π x Q modulo E,b e setting. new pseu ,generalising ), E E,b hs cryptosys- Those ( o all for 1 ( cryptography y x x sfor ds ethe be ) etr sstill is jecture ethe be ) esz fthe of size he wnprime twin e n a also can One uvsover curves etypro- dently p ai & David o ,adthe and ], Writing . π E twin x > ( lds, x 1. ). 2 C. DAVID & J. WU

Wu [5, Theorem 2]. For E an elliptic curve over Q without CM, and for any ε> 0, those bounds are

twin x (24CE + ε) (unconditionally), twin (log x) log2 x (1.3) πE (x) 6  twin x (10CE + ε) (under the GRH),  (log x)2 where logk denotes thek-fold logarithm function. Let b > 2 be an integer. We say that a composite positive integer n is a pseudo- prime to base b if the congruence (1.4) bn b (mod n) ≡ holds. In practice, primality testing algorithms are not fast when one wants to test many numbers in a short amount of time, and pseudoprime testing can provide a quick pre-selection procedure to get rid of most of the pretenders. The distribution of pseudoprimes was studied by many authors, including [6, 17]. Motivated by applications in cryptography, the question of the distribution of pseudoprimes in certain sequences of positive integers has received some interest (see [3, 7, 14, 15, 18]). In particular Cojocaru, Luca & Shparlinski [3] have investigated distribution of pseudoprimes in n (p) . Define { E }p primes Q (x) := p 6 x : bnE (p) b (mod n (p)) . E,b ≡ E According to Fermat’s little theorem,  if nE(p) is a prime such that nE(p) ∤ b, then

(1.4) holds with n = nE(p). Thus twin (1.5) πE (x) 6 QE,b(x) for all x > 2. Cojocaru, Luca & Shparlinski [3, Theorems 1 and 2] proved that for any fixed base b > 2 and elliptic curve E without CM, the estimates x(log x)2 3 (unconditionally) (log x) log x (1.6) Q (x)  2 E,b E,b 2 ≪ x(log2 x)  (under the GRH) (log x)2  hold for all x > 10, where the implied constant depends on E and b. ∗ The first aim of this paper is to improve (1.6).

∗We noticed that there are two inaccuracies in Cojocaru, Luca & Shparlinski’s proof of (1.6): With the notation of [3], we have tb(ℓ) (nE(p) 1) instead of tb(ℓ) nE(p) (see [3, page 519]). Thus the inequality (see [3, page 520]) | − |

# 6 Π(x; ℓρ(tb(ℓ))) T y<ℓ6z X does not hold. Secondly the statements of Lemmas 3, 4, 6 and 7 of [3] are not true when (m,ME) = 6 1 (see Section 2 for the definition of ME). Then, the proofs of Lemma 9 and 10 hold only for (m,ME) = 1. This is not sufficient for the proof bounding # since tb(ℓ) is not necessarily T coprime with ME. PSEUDOPRIME REDUCTIONS OF ELLIPTIC CURVES 3

Theorem 1.1. Let E be an elliptic curve over Q without CM and b > 2 be an integer. For any ε> 0, we have x log x (48eγ + ε) 3 (unconditionally) (log x) log x (1.7) Q (x) 6  2 E,b x log x (28eγ + ε) 2 (under the GRH)  (log x)2 >  for all x x0(E,b,ε), where γ is the Euler constant. pseu Denoting by π(x) the number of primes not exceeding x, and by πb (x) the number of pseudoprimes to base b not exceeding x, then it is known that (see [6, 17]) pseu (1.8) πb (x)= o(π(x)) as x . Precisely Pomerance [17, Theorem 2] proved that † →∞ x (1.9) πpseu(x) 6 b L(x) for x > x0(b), where p (1.10) L(x) := e(log x)(log3 x)/ log2 x. pseu As analogue of πb (x) for elliptic curve, we introduce pseu πE,b (x) := p 6 x : nE(p) is pseudoprime to base b . Clearly  twin pseu QE,b(x)= πE (x)+ πE,b (x). In view of (1.8), it seems reasonable to conjecture pseu twin (1.11) πE,b (x)= o πE (x) as x . →∞ pseu In order to establish analogue of (1.9) for πE,b (x), we need a supplementary hypothesis. Hypothesis 1.2. Let E be an elliptic curve over Q. There is a positive constant δ such that (1.12) M (n) := 1 nδ E ≪E 6 p x,nXE(p)=n holds uniformly for n > 1 and x > 1, where the implied constant can depend on the elliptic curve E.

By the Hasse bound p +1 nE(p) 6 2√p, it is easy to see that | − | (1.13) nE(p)/16 6 p 6 16nE(p) for all p. Thus the relation nE(p)= n and the Hasse bound imply that p n 6 9√n. 1 | − | Therefore (1.12) holds trivially with δ = 2 and an absolute implicit constant. It is †In [17], the definition of pseudoprime to base b is slightly stronger: bn−1 1 (mod n) in place of bn b (mod n). It is easy to adapt Pomerance’s proof of [17, Theorem 2] to≡ obtain (1.9), as we do in≡ this paper for the context of elliptic curves pseudoprimes. See Section 5 for more details. 4 C. DAVID & J. WU conjectured that (1.12) should hold for any δ > 0 (see [12, Question 4.11]). Kowalski proved that this conjecture is true for elliptic curves with CM [12, Proposition 5.3] and on average for elliptic curves without CM [12, Lemma 4.10]. The next theorem shows that we can obtain a better conditional upper bound for pseu twin πE,b (x) than πE (x), which can be regarded as analogue of (1.9) for elliptic curves without CM. Theorem 1.3. Let E be an elliptic curve over Q without CM and b > 2 be an 1 integer. If we assume the GRH and Hypothesis 1.2 with δ < 24 , we have x (1.14) πpseu(x) 6 E,b L(x)1/40 for all x > x0(E, b, δ). In view of Koblitz’s conjecture (1.2), the result of Theorem 1.3 then encourages our belief in Conjecture (1.11). By combining (1.14) and the second part of (1.3), we immediately get the following result. Corollary 1.4. Let E be an elliptic curve over Q without CM and b > 2 be an 1 integer. If we assume the GRH and hypothesis 1.2 with δ < 24 , for any ε > 0 we have x (1.15) Q (x) 6 (10Ctwin + ε) E,b E (log x)2 for all x > x0(E,b,δ,ε). We can also consider the same problem for elliptic curves with CM. In this case, we easily obtain an unconditional result by using the bound (1.9) of Pomerance for pseudoprimes and a result of Kowalski [12] about the second moment of ME(n) for elliptic curves with CM. Theorem 1.5. Let E be an elliptic curve over Q with CM and b > 2 be an integer. Then we have x (1.16) πpseu(x) 6 E,b L(x)1/4 for all x > x0(E, b). It seems be interesting to prove that (1.17) πpseu(x) , as x . E,b →∞ →∞ We hope to come back to this question in the future. Acknowledgments. This first author was supported by the Natural Sciences and Engineering Research Council of Canada (Discovery Grant 155635-2008) and by a grant to the Institute for Advanced Study from the Minerva Research Foundation during the academic year 2009-2010. The second author wishes to thank the Centre de Recherches Math´ematiques (CRM) in Montr´eal for hospitality and support during the preparation of this article. PSEUDOPRIME REDUCTIONS OF ELLIPTIC CURVES 5

2. Chebotarev density theorem In order to prove Theorems 1.1 and 1.3, we need to know some information on the distribution of the sequence nE(p) p primes in arithmetic progressions. The aim of this section is to give such results{ with} the help of the Chebotarev density theorem. Our main result of this section is Theorem 2.3 below. We conserve all notation of [5, Sections 2 and 3]. In particular, for an elliptic curve E without complex multiplication defined over the rationals, let E[n] be the group of n-torsion points of E, and let let Ln be the field extension obtained from Q by adding the coordinates of the n-torsion points of E. This is a Galois extension of Q, and we denote G(n) := Gal(Ln/Q). Since E[n](Q¯ ) Z/nZ Z/nZ, choosing a basis for the n-torsion and looking at the action of the≃ Galois automorphisms× on the n-torsion, we get an injective homomorphism .(ρ : G(n) ֒ GL (Z/nZ n → 2 If p ∤ nNE, then p is unramified in Ln/Q. Let p be an unramified prime, and let σp be the Artin symbol of Ln/Q at the prime p. For such a prime p, ρn(σp) is a conjugacy class of matrices of GL2(Z/nZ). Since the Frobenius endomorphism p p 2 (x, y) (x ,y ) of E over Fp satisfies the polynomial x aE(p)x + p, it is not difficult7→ to see that − tr(ρ (σ )) a (p) (mod n) and det(ρ (σ )) p (mod n). n p ≡ E n p ≡

To study the sequence nE(p) p primes, we will use the Chebotarev Density Theorem to count the number of{ primes} p such that n (p)= p +1 a (p) det(ρ (σ ))+1 tr(ρ (σ )) r (mod n) E − E ≡ n p − n p ≡ for integers r, n with n > 2. We then define C (n)= g G(n) : det(g)+1 tr(g) r (mod n) . r { ∈ − ≡ } Then, the Cr(n) are unions of conjugacy classes in G(n). We also denote C(n) := C0(n). For any prime ℓ such that (ℓ, ME) = 1, G(ℓ)=GL2(Z/ℓZ), and it is easy to compute that ℓ(ℓ2 2) for r 0 (mod ℓ) − ≡ 2 (2.1) Cr(ℓ) = ℓ(ℓ ℓ 1) for r 1 (mod ℓ) | | − − ≡  ℓ(ℓ2 ℓ 2) for r 0, 1 (mod ℓ) − − 6≡  and then  ℓ2 2 − for r 0 (mod ℓ) (ℓ 1)2(ℓ + 1) ≡  −2 Cr(ℓ)  ℓ ℓ 1 (2.2) =  r ℓ | |  −2 − for 1 (mod ) G(ℓ) (ℓ 1) (ℓ + 1) ≡ | |  − ℓ2 ℓ 2 − − for r 0, 1 (mod ℓ). (ℓ 1)2(ℓ + 1) 6≡  −   6 C. DAVID & J. WU

It was shown by Serre [19] that the Galois groups G(n) GL (Z/nZ) are large, ⊆ 2 and that there exists a positive integer ME depending only on the elliptic curve E such that

(2.3) If (n, ME) = 1, then G(n)=GL2(Z/nZ); (2.4) If (n, M )=(n, m) = 1, then G(mn) G(m) G(n); E ≃ × (2.5) If M m, then G(m) GL (Z/mZ) is the full inverse image of E | ⊆ 2 G(M ) GL (Z/M Z) under the projection map. E ⊆ 2 E Let π (x, L /Q) := p 6 x : p ∤ nN and ρ (σ ) C (n) . Cr(n) n |{ E n p ∈ r }| The following proposition (with a better error term) was proved in [5, Theorem 3.9] for the conjugacy class C(n) = C0(n) G(n) when n is squarefree, and can be easily generalised to general n and r. ⊆ Proposition 2.1. Let E be an elliptic curve over Q without CM. Let r > 0 be an integer, and let n = dm be any positive integer with (d, ME)=1 and m ME∞. ‡ (i) Then, | k Cr(m) Cr(ℓ ) 2 − πCr(n)(x, Ln/Q)= | | | k| Li(x)+OE x exp An log x G(m) GL2(Z/ℓ Z) −  ℓk d  | | Yk | |  n p o uniformly for log x n12 log n, where the implied constants depend only on the elliptic curve E and ≫A is a positive absolute constant. (ii) Assuming the GRH for the Dedekind zeta functions of the number fields Ln/Q, we have k Cr(m) Cr(ℓ ) 3 1/2 πCr (n)(x, Ln/Q)= | | | k| Li(x)+ OE n x log (nx) . G(m) GL2(Z/ℓ Z) | |  ℓk d | | Yk  Proof. To prove (i) and (ii), one applies the effective Cheboratev Density Theorem due to Lagarias and Odlyzko [13] and slightly improved by Serre in [20], as stated in [5, Theorem 3.1] with the appropriate bounds for the discriminants of number fields [20, Proposition 6], and the bound of Stark [21] for the exceptional zero of Dedekind L-functions for (i). We refer the reader to [5] for more details.  Remark 1. There are many cases where we can improve the error term in Proposition 2.1 (ii) by applying a strategy first used in [20] and [16] to reduce to the case of an extension where Artin’s conjecture holds. The error term then becomes 3/2 1/2 OE n x log (nx) .

This can be done if r = 0 (as in [5, Theorem 3.9]), or if (n, ME) = 1 for any r. To apply the strategy of [20] and [16] and obtain this improved error term, one needs to insure that Cr(n) B(n) = , where B(n) is the Borel subgroup of GL2(Z/nZ). For example, this is the∩ case6 if E∅ is a Serre curve, and most elliptic curves are Serre curves as it was shown by Jones [10].

‡The notation d n∞ means that p d p n and the notation pk n means that pk n and pk+1 ∤ n. | | ⇒ | k | PSEUDOPRIME REDUCTIONS OF ELLIPTIC CURVES 7

We now need upper and lower bounds on the size of the main term of Proposition 2.1, which are computed in the next lemma.

Lemma 2.2. Let E be an elliptic curve over Q without CM. For all primes ℓ ∤ ME and integers k > 1, we have the bounds 1 ℓ 2 C (ℓk) 1 (2.6) − 6 | r | 6 ϕ(ℓk) · ℓ 1 GL (Z/ℓkZ) ϕ(ℓk) − | 2 | when r 0 (mod ℓ), and the bounds 6≡ 1 ℓ 2 C (ℓk) 1 1 (2.7) − 6 | r | 6 1+ ϕ(ℓk) · ℓ 1 GL (Z/ℓkZ) ϕ(ℓk) (ℓ3 1)(ℓ2 1) − | 2 |  − −  when r 0 (mod ℓ). ≡ Furthermore, for m M ∞ such that C (m) =0, we have that | E | r | 6 1 C (m) 1 (2.8) | r | ϕ(m) ≪E G(m) ≪E ϕ(m) | | with constants depending only on the elliptic curve E. In particular, the upper bound in (2.8) holds without the hypothesis C (m) =0. | r | 6 k Proof. Fix ℓ ∤ ME and k > 1. To count the number of elements in Cr(ℓ ), we count k the matricesg ˜ GL2(Z/ℓ Z) which are the inverse images of a matrix g Cr(ℓ) ∈ k ∈ under the projection map from GL2(Z/ℓ Z) to GL2(Z/ℓZ), and which satisfy det(˜g)+1 tr(˜g) r (mod n). − ≡ Let a b a˜ ˜b g = , g˜ = . c d c˜ d˜     If b 0 (mod ℓ), then ˜b is invertible, and we have to count the number ofa, ˜ ˜b, c,˜ d˜ lifting6≡ a,b,c,d such that a˜d˜ (˜a + d˜) r +1 c˜ − − (mod ℓk), ≡ ˜b 3(k 1) and there are ℓ − such lifts. Similarly if c 0 (mod ℓ). If a 1 (mod ℓ), thena ˜ 1 is invertible,6≡ and we have to count the number of 6≡ − a,˜ ˜b, c,˜ d˜ lifting a,b,c,d such that ar˜ + ˜bc˜ 1+˜a d˜ − (mod ℓk), ≡ a˜ 1 − 3(k 1) and there are ℓ − such lifts. Similarly if d 1 (mod ℓ). This proves (2.6) as the 6≡ identity matrix does not belong to Cr(ℓ) when r 0 (mod ℓ). Then, the number k 3(k 6≡1) of lifts of any matrix from Cr(ℓ) to Cr(ℓ ) is ℓ − , and the number of lifts from k 4(k 1) GL2(Z/ℓZ) to GL2(Z/ℓ Z) is ℓ − , which gives k 3(k 1) C (ℓ ) ℓ − C (ℓ) | r | = | r | , GL (Z/ℓkZ) ℓ4(k 1) GL (Z/ℓZ) | 2 | − | 2 | and the result follows by using (2.2). 8 C. DAVID & J. WU

Finally, we have to count the number of lifts

1+ k1ℓ k2ℓ k ℓ 1+ k ℓ  3 4  2 k k 1 of the identity matrix such that ℓ (k1k4 k2k3) r (mod ℓ ), where 0 6 ki <ℓ − . We assume that k > 2. If r 0 (mod ℓ2),− there are≡ no lifts, and there are ℓ4 lifts if 2 6≡ r 0 (mod ℓ ). Let v = mini vℓ(ki), where vℓ(n) is the ℓ-adic evaluation of n, and ≡ v k 1 v 2+v write ki = ℓ ki′ with 0 6 ki′ <ℓ − − . If r 0 (mod ℓ ), there is no solution with 6≡ 2+v k1,k2,k3,k4 such that v = mini vℓ(ki). Suppose that r 0 (mod ℓ ). Then we need to solve ≡ 2+v 2+v k k 2 v ℓ (k′ k′ k′ k′ ) ℓ r′ (mod ℓ ) (k′ k′ k′ k′ ) r′ (mod ℓ − − ). 1 4 − 2 3 ≡ ⇐⇒ 1 4 − 2 3 ≡ Without loss of generality, vℓ(k1′ ) = 0, and

r′ + k2′ k3′ k 2 v k4′ (mod ℓ − − ), ≡ k1′ 3(k 1 v) and there are ℓℓ − − solutions k1′ ,k2′ ,k3′ ,k4′ . The number of lifts of the identity matrix is then bounded by k 2 k 2 − − 3 3(k 1 v) 3(k 1) 3v 3(k 1) ℓ (2.9) ℓ ℓ − − = ℓℓ − ℓ− 6 ℓℓ − ℓ3 1· v=0 v=0 X X − We now prove (2.7). Using (2.9) and the first formula of (2.1), it follows that k 1 k 4 3 ℓ − C (ℓ ) C (ℓ) ℓ /(ℓ 1) | r | 6 | r | + − GL (Z/ℓkZ) GL (Z/ℓZ) GL (Z/ℓZ) | 2 | 2 2 (ℓ3 1)(ℓ2 1)+1 = − − (ℓ 1)(ℓ2 1)(ℓ3 1)· − − − For the lower bound, we have k 1 k 2 ℓ − C (ℓ ) C (ℓ) 1 ℓ(ℓ 2) 1 ℓ 2 | r | > | r | − = − − > − GL (Z/ℓkZ) GL (Z/ℓZ) ℓ(ℓ 1)(ℓ2 1) (ℓ 1)2 · | 2 | 2 − − − min(vp(m),vp(ME )) We now prove (2.8). Let m′ = p m p , where vp(m) is the p- adic evaluation of m. By (2.5), G(m)| is the full inverse image of G(m ) under Q ′ the projection map from GL (Z/mZ) to GL (Z/m′Z). Fix g C (m′), and we now 2 2 ∈ r count the number of liftsg ˜ in Cr(m). By the Chinese Remainder Theorem, it suffices ′ vp(m ) vp(m) to count the number of lifts from Cr(p ) to Cr(p ) for each p m. In general, e | e fix 1 6 e 6 k, fix g GL2(Z/p Z) such that det(g)+1 tr(g) r (mod p ), and we ∈ k − ≡ k count the number of liftsg ˜ GL2(Z/p Z) such that det(˜g)+1 tr(˜g) r (mod p ). If g is not congruent to the∈ identity matrix modulo p, then the− same≡ argument as above shows that there are 3(k e) (2.10) p − lifts of g. If g is congruent to the identity matrix modulo p, we have to count the number of matrices 1+ k pe k pe g˜ = 1 2 k pe 1+ k pe  3 4  PSEUDOPRIME REDUCTIONS OF ELLIPTIC CURVES 9

2e k k e such that p (k k k k ) r (mod p ), where 0 6 k

2e+v k (2.11) p (k′ k′ k′ k′ ) r (mod p ). 1 4 − 2 3 ≡ 4(k e v) k If 2e + v > k, (2.11) has p − − solutions when r 0 (mod p ) and no solutions otherwise. If 2e + v

k e 1 k e 1 − − − − 3 4 e 3(k e v) 4(k e v) 3(k e) e p 4e p p p − − + p − − 6 p − p + p p3 1 p4 1 (2.12) v=0 v=0 2eX+vk − − 3(k e) 4e+1 6 p − p . Then, applying (2.12), we have that

′ ′ 3(vp(m) vp(m )) 4vp(m )+1 Cr(m) Cr(m′) p − p | | 6 | | ′ 4(vp(m) vp(m )) G(m) G(m′) p − p m | | | | Y| ′ ′ Cr(m′) 1 vp(m ) 1 4vp(m )+1 = | | p − p (p 1) G(m′) ϕ(m) − p m | | Y| C (m′) 1 | r | ≪E G(m ) ϕ(m)· | ′ | Finally we suppose that C (m) = 0 and prove the lower bound in (2.8). Denoting | r | 6 by Cr(m′) the subset of Cr(m′) consisting of matrices not equivalent to the identity 6≡ matrix modulo p (Cr(m′) is not empty since Cr(m) = 0), and applying (2.10), we have that 6≡ | | 6 ′ 3(vp(m) vp(m )) Cr(m) Cr(m′) p − | | > | 6≡| ′ 4(vp(m) vp(m )) G(m) G(m′) p − p m | | | | | Y ′ vp(m ) 1 (p 1)p Cr(m′) 6≡ = k 1 − | | p − (p 1) p G(m′) pk m p m Yk − Y| | | 1 , ≫E ϕ(m) and the lower bound in (2.8) follows from the last two inequalities.  Theorem 2.3. Let E be an elliptic curve over Q without CM. Let r > 0 be an integer, and let n = dm be any positive integer with (d, M )=1 and m M ∞. E | E 10 C. DAVID & J. WU

(i) We have that

Li(x) 2 p 6 x : n (p) r (mod n) + x exp An− log x |{ E ≡ }| ≪E ϕ(n) − n p o uniformly for log x n12 log n, where the implied constants depend only on the elliptic curve E and ≫A is a positive absolute constant. (ii) Assuming the GRH for the Dedekind zeta functions of the number fields Ln/Q, we have that Li(x) p 6 x : n (p) r (mod n) + n3x1/2 log (nx). |{ E ≡ }| ≪E ϕ(n)

(iii) Assuming the GRH for the Dedekind zeta functions of the number fields Ln/Q, we have that Li(x) p 6 x : n (p) r (mod n) |{ E ≡ }| ≪E ϕ(n) holds uniformly for n 6 x1/8/ log x, where the implied constant depends only on the elliptic curve E. 1/8 Further if r = 0 or (n, ME)=1, then the condition n 6 x / log x in the third assertion can be relaxed to n 6 x1/5/ log x and the term n3x1/2 log(nx) in the second can be replaced by n3/2x1/2 log(nx). Proof. It follows from the estimates of Lemma 2.2 that k Cr(m) Cr(ℓ ) 1 1 1 | | | k| E = , G(m) GL2(Z/ℓ Z) ≪ ϕ(d) ϕ(m) ϕ(n)  ℓk d  | | Yk | | and first two statements are obtained by using this upper bound in the estimates of Proposition 2.1 for π (x, L /Q)= p 6 x : n (p)= p +1 a (p) r (mod n) . Cr(n) n |{ E − E ≡ }| We now prove (iii). If Cr(m) = 0, Proposition 2.1 implies trivially the required inequality, and we suppose| that | C (m) = 0. Clearly, it is sufficient to show that | r | 6 k 1 Cr(m) Cr(ℓ ) 1 (2.13) E | | | k| E ϕ(n) log n ≪ G(m) GL2(Z/ℓ Z) ≪ ϕ(n)· 2  ℓk d  | | Yk | | It follows from Lemma 2.2 that 1 ℓ 2 C (ℓk) 1 6 r (2.14) − | k| , ϕ(d) ℓ 1 GL2(Z/ℓ Z) ≪ ϕ(d) ℓ d ℓk d Y| − Yk | | and the lower bound of (2.13) follows from (2.14), (2.8) and the estimate ℓ 2 ℓ 2 1 − > − ℓ 1 ℓ 1 ≫ log n· ℓ d ℓ n 2 Y| − Y| − This completes the proof of the Theorem.  PSEUDOPRIME REDUCTIONS OF ELLIPTIC CURVES 11

3. Rosser-Iwaniec’s linear sieve formulas We state in this section the Rosser-Iwaniec linear sieve [9, Theorem 1], which will be used in the proof of Theorem 1.1. It is worth indicating that the Selberg linear sieve [8, Theorem 8.4] cannot be applied for our purpose since the condition (Ω2(1, L)) of Selberg’s linear sieve (see [8, page 228]) is not satisfied by the function wy(ℓ). But the corresponding condition (Ω1) of the Rosser-Iwaniec’s sieve is satisfied by the wy(ℓ) (see (4.5) below). Let be a finite sequence of integers and a set of prime numbers. As usual, we writeA the sieve function P S( , , z) := a :(a, P (z))=1 , A P |{ ∈A }| where (3.1) P (z) := p. p

Lemma 3.1. Under the hypotheses (A0), (3.2) and (Ω1), we have −γ S( , , z) 6 XV (z) F (s)+ E +2ε R( ,M,N), A P { } A 1 2 K 8 K s 1/3 where 0 <ε< , s := (log MN)/ log z, E εs e + ε− e − (log MN)− and 8 ≪ 2eγ w(p) F (s)= (0

The second error term R( ,M,N) has the form A R( ,M,N) := a b r( , mn), A m n A m

4. Proof of Theorem 1.1 As in [3], introduce L := ℓ 6 yYℓ 1, bnE (p) b (mod n (p)) . T { E ≡ E } Clearly (4.1) Q (x) 6 (x, y, z) + (x, y, z) . E,b |S | |T | First we estimate (x, y, z) . |S | Lemma 4.1. Let E be an elliptic curve over Q without CM and b > 2 be an integer. For any ε, there is a constant y0 = y0(E,b,ε) such that (i) We have x log y (4.2) (x, y, z) 6 (eγ + ε) |S | (log x) log z 1/24 uniformly for y0 6 y 6 z 6 (log x) / log2 x. (ii) If we assume the GRH, we have x log y (4.3) (x, y, z) 6 (eγ + ε) |S | (log x) log z 1/10 4 uniformly for y0 6 y 6 z 6 x /(log x) . Proof. We shall sieve A := n (p): p 6 x { E } by P := p : p > y . y { } By definition, (x, y, z) = S(A , P , z) for all 1 6 y 6 z 6 x. |S | y Without loss of generality, we can suppose that y0 > ME + b. Thus we have (d, ME) = 1 for all d (Py). Using Proposition 2.1 (with the improved error term discussed in the remark∈ B following the proposition under the GRH) and (2.2), we get that w (d) (4.4) A = y X + r(A ,d) | d| d PSEUDOPRIME REDUCTIONS OF ELLIPTIC CURVES 13 for all d (P ), with ∈ B y X = Li(x), ℓ(ℓ2 2) w (ℓ)= − (ℓ P ), y (ℓ 1)(ℓ2 1) ∈ y (4.5) − − Ad−2√log x 1/12 x e− (d 6 (log x) / log2 x), r(A ,d) E | |≪ (d3/2x1/2 log(dx) (under the GRH), where A> 0 is a positive absolute constant. In order to apply Lemma 3.1, we must show that wy(ℓ) satisfies conditions (A0) and (Ω1). The former is obvious, and we now check the latter. Writing 1 w (p) − (4.6) V (z) := 1 y , y − p p z1 > 2. On the other hand, by using the theorem, it follows that w (p) V (z)= 1 1 1 − p p

1/24 (log x) / log2 x (unconditionally), (4.11) z 6 (x1/10/(log x)4 (under GRH).

On the other hand, in view of (4.7), we have for any z>y,

V (z) 1 log y (4.12) V (z)= 1 = 1+ O y V (y) log y log z · 1    Inserting (4.10) and (4.12) into (4.9), we obtain the required results. 

In order to estimate (x, y, z) , we need to prove a preliminary result. For integers |T | b > 2 and d > 1, denote by ordd(b) the multiplicative order of b modulo d (i.e. the smallest positive integer k with bk 1 (mod d)). ≡ Lemma 4.2. For all t > 1, we have 1 1 (4.13) b 1/2 , > ℓordℓ(b) ≪ t Xℓ t 1 1 (4.14) ℓord (b) ≪b t1/3 · > ℓ ℓordXℓ(b) t Proof. Let 0 <η< 1 be a parameter to be choosen later. We have log(bm 1) log b (4.15) 1 6 1 6 − 6 m. log 2 log 2 ℓ ℓ (bm 1) ordXℓ(b)=m | X− Thus

1 1 log b η = 1 6 b,η u . ordℓ(b) m log 2 ≪ ℓ6u m6uη ℓ6u m6uη η ordXℓ(b)<ℓ X ordXℓ(b)=m X A simple partial summation leads to

1 ∞ 1 1 1 = d b,η 1 η ℓordℓ(b) u ordℓ(b) ≪ t · ℓ>t t ℓ6u − η Z  η  ordXℓ(b)<ℓ ordXℓ(b)<ℓ On the other hand, we have trivially 1 1 1 1+η η η ℓordℓ(b) ≪ ℓ ≪ t · ℓ>t ℓ>t η ordXℓ(b)>ℓ X

1 Combining these estimates and taking η = 2 , we obtain (4.13). PSEUDOPRIME REDUCTIONS OF ELLIPTIC CURVES 15

Similarly we have 1 1 1 6 , ℓord (b) ℓord (b) b,η t(1 η)/(1+η) ℓ 1/(1+η) ℓ ≪ − ℓordℓ(b)>t ℓ>t η η ordXℓ(b)<ℓ ordXℓ(b)<ℓ 1 1 = ℓordℓ(b) ℓordℓ(b) ℓordℓ(b)>t k>1 ℓordℓ(b)>t X η X k−1 η X k η ordℓ(b)>ℓ 2 ℓ 6ordℓ(b)<2 ℓ 1 1 ≪ 2k ℓ1+η > −k 1/(1+η) Xk 1 ℓ>(2 Xt) 1 ≪η tη/(1+η) · 1  The inequality (4.14) follows from these estimates with the choice of η = 2 . We now estimate (x, y, z) . |T | Lemma 4.3. Let E be an elliptic curve over Q without CM and b > 2 be an integer. Then there is a constant y0 = y0(E, b) and a positive absolute constant A such that (i) We have

log2 z 4 (4.16) (x, y, z) Li(x) + x exp Az− log x |T |≪E,b y1/2 − n o uniformly for p

1/24 (4.17) y0 6 y < z 6 (log x) / log2 x. (ii) If we assume the GRH, we have log z (4.18) (x, y, z) Li(x) 2 + z7x1/2 |T |≪E,b y1/2 uniformly for

(4.19) y0 6 y < z. The implied constants depend on E and b only. Proof. If n (p) is a pseudoprime to base b and d n (p) with (d, b) = 1, then E | E n (p) 1 n (p) 1 n (p) 1 d n (p) b(b E − 1) d (b E − 1) b E − 1 (mod d). | E | − ⇒ | − ⇒ ≡ Using Fermat’s little theorem, it follows that (4.20) n (p) 0 (mod d), n (p) 1(modord (b)), (d, ord (b))=1. E ≡ E ≡ d d By the Chinese remainder theorem, there is an integer r 1,...,dord (b) such b,d ∈{ d } that nE(p) rb,d (mod dordd(b)). Clearly for≡ each p (x, y, z), there is a prime ℓ such that ∈ T (4.21) y 6 ℓ

Applying (4.20) with d = ℓ, we have (x, y, z) 6 1 |T | y<ℓ6z p6x X n (p) r X(mod ℓord (b)) E ≡ b,ℓ ℓ = π (x, L /Q). Crb,ℓ ℓordℓ(b) 6 y<ℓXz Then, using (i) and (ii) of Theorem 2.3 with the bound ϕ(n) n/ log2 n, we have that ≫ 1 (4.22) (x, y, z) E Li(x)(log2 z) + R , T |T |≪ 6 ℓordℓ(b) y<ℓXz where 4 1/24 x exp Aℓ− log x (z 6 (log x) / log x) − 2 y<ℓ6z R :=  X n p o T  6 1/2 2  ℓ x log(ℓ x) (under the GRH) (4.23) 6 y<ℓXz   4 1/24 x exp Az− log x (z 6 (log x) / log x), − 2 ≪ z7x1/2n p o (under the GRH).   The required results follow from (4.22), (4.23) and (4.13) of Lemma 4.2. Taking, in Lemmas 4.1 and 4.3 (log x)2 log x (unconditionally), y = 2 3 2 ((log x) log2 x (under the GRH), (log x)1/24/ log x (unconditionally), z = 2 (x1/14/ log x (under the GRH), which satisfy (4.11) and (4.17), and using the bounds of those lemmas in (4.1), this proves Theorem 1.1.

5. Proof of Theorem 1.3 We shall adapt Pomerance’s method [17] to prove Theorem 1.3. We divise the primes p 6 x such that nE(p) is pseudoprimes to base b into four possibly overlapping classes: n (p) 6 x/L(x); • E there is ℓ n (p) with ord (b) 6 L(x) and ℓ > L(x)3; • | E ℓ there is ℓ nE(p) with ordℓ(b) > L(x); • | 3 nE(p) > x/L(x), for all ℓ nE(p), we have ℓ 6 L(x) ; • | pseu and denote by S1,...,S4 the corresponding contribution to πE,b (x), respectively. PSEUDOPRIME REDUCTIONS OF ELLIPTIC CURVES 17

A. Estimate for S1 In view of (1.13), it follows that x (5.1) S 6 1 1 ≪ L(x)· 6 p 16Xx/L(x)

B. Estimate for S2 Clearly

S2 6 1. ℓ>L(x)3 p6x X6 ℓ XnE(p) ordℓ(b) L(x) | Using (iii) of Theorem 2.3 with r = 0 and (4.15), we deduce that the contribution 3 1/5 of L(x) <ℓ 6 x / log x to S2 is Li(x) x x 1 ≪E ϕ(ℓ) ≪E L(x)3 ≪E,b L(x)· 3 1/5 6 L(x) <ℓX6x / log x ordℓ(Xb) L(x) ordℓ(b)6L(x)

1 Furthermore, using Hypothesis 1.2 with δ < 5 , we have

1 6 1 x1/5/ log x<ℓ p6x x1/5/ log x<ℓ62x m62x/ℓ p6x X ℓ Xn (p) X X n X(p)=mℓ ordℓ(b)6L(x) | E ordℓ(b)6L(x) E (mℓ)δ ≪E 1/5 6 x / logXx<ℓ62x mX2x/ℓ ordℓ(b)6L(x) x1+δ ≪E ℓ 1/5 x / logXx<ℓ62x ordℓ(b)6L(x) x4/5+δL(x)3, ≪E,b using (4.15). Combining these estimates yields x (5.2) S 2 ≪E,b L(x)·

C. Estimate for S3 If p is counted in S3, then there is ℓ nE(p) with ordℓ(b) > L(x) (which implies ℓ > L(x) > b). Applying (4.20) with d =| ℓ, there is an integer r 1,...,ℓord (b) b,ℓ ∈{ ℓ } such that nE(p) rb,ℓ (mod dordd(b)). Since nE(p) 6 p +1+2√p 6 4p 6 4x, we ≡ must have ℓordℓ(b) 6 4x. Thus

(5.3) S3 6 1.

ℓordℓ(b)64x p6x ord (Xb)>L(x) nE (p) rb,ℓX(mod ℓordℓ(b)) ℓ ≡ 18 C. DAVID & J. WU

1/8 If ℓordℓ(b) 6 x / log x, then by Theorem 2.3(iii)

Li(x) 1 , ≪E ϕ(ℓord (b)) p6x ℓ n (p) r X(mod ℓord (b)) E ≡ b,ℓ ℓ

and using again the bound ϕ(n) n/ log2 n, the contribution of those ℓ to S3 is bounded by ≫

Li(x) Li(x) log2 x 1 E ϕ(ℓordℓ(b)) ≪ L(x) ℓ 1/8 6 1/8 ℓordℓ(b)X6x / log x ℓordℓ(b)Xx / log x ordℓ(b)>L(x) 2 Li(x)(log2 x) ≪E L(x) ·

1 With the help of Hypothesis 1.2 with δ < 24 and (4.14) of Lemma 4.2, the contri- 1/8 bution of x / log x<ℓordℓ(b) 6 4x to S3 is bounded by

1 1/8 6 x / log x<ℓordℓ(b)64x 06m64x/ℓordℓ(b) p x X X nE (p)=rb,ℓX+mℓordℓ(b) (r + mℓord (b))δ ≪E b,ℓ ℓ 1/8 6 6 x / log x<ℓXordℓ(b)64x 0 m 4Xx/ℓordℓ(b) x1+δ ≪E ℓord (b) 1/8 ℓ x / log x<ℓXordℓ(b)64x 1+δ 1/24 x − log x. ≪E

Inserting these estimates into (5.3), we find that

x (5.4) S 3 ≪E L(x)·

D. Estimate for S4 In order to adapt the proof of [17] to the more general definition (1.4) of pseudo- primes (which includes the case where b and n are not coprime), we write nE(p)= nE′ (p)nE′′ (p) with nE′ (p) b∞ and (nE′′ (p), b) = 1. Denote by S4′ and S4′′ the contribu- 2/3 | 2/3 tion of nE′ (p) > x and nE′ (p) 6 x to S4, respectively. PSEUDOPRIME REDUCTIONS OF ELLIPTIC CURVES 19

1 By the Hasse bound (formulated as the statement of Hypothesis 1.2 with δ = 2 ), we have

S4′ 6 1 x2/3

1/3 If p is counted in S4′′, then nE′′ (p) > x /L(x) and all prime factors of nE′′ (p) are 3 1/18 1/17 6 L(x) . Thus nE′′ (p) must have a divisor d with x < d 6 x and (d, b) = 1. Thus, by the comment following (4.20), n (p) r (mod dord (b)) for some residue E ≡ b,d d rb,d, and by Theorem 2.3, we have

S4′′ 6 1 x1/18

With the help of the following inequality (see [17, Theorem 1]) t 1 6 (t > t0(b), m > 1), d6t L(t) ordXd(b)=m p a simple partial integration allows us to deduce that

1/17 1 x 1 1 = d 1 1/37 , d x1/18 t ≪ L(x) x1/18

1/37 and S′′ x(log x)L(x)− . Thus 4 ≪E x x log x x (5.5) S = S′ + S′′ + 6 4 4 4 ≪E,b L(x) L(x)1/37 L(x)1/38 · The statement of Theorem 1.3 then follows from (5.1), (5.2), (5.4) and (5.5). 20 C. DAVID & J. WU

6. Proof of Theorem 1.5 First write pseu πE,b (x)= 1 p6x nE (p) is pseudoprimeX to base b

6 ME(n). n64x n is pseudoprimeX to base b By using the Cauchy-Schwarz inequality, it follows that

1/2 1/2 pseu pseu 2 (6.1) πE,b (x) 6 πb (4x) ME(n) . n64x    X  To bound the second sum on the right-hand side of (6.1), we use a result of Kowalski [12] who proved that for a curve E with complex multiplication and for any ε> 0, x (6.2) M (n)2 . E ≪ (log x)1 ε n64x − X We remark that in [12], there are no curves with complex multiplication defined over Q as the field of complex multiplication must be included in the field of definition of the elliptic curve. Then, (6.2) is first proven for the sequence nE(p) = #E(Fp) associated to E, where p runs over the primes of the CM field{ [12, Theorem 5.4].} This first result can then be used to deduce the upper bound (6.2) by separating the rational primes into ordinary and supersingular primes of E, and by using [12, Theorem 5.4] to obtain (6.2) (see [12, Proposition 7.4]). Theorem 1.5 then follows by replacing (6.2) and (1.9) in (6.1).

References [1] A. Balog, A. C. Cojocaru & C. David, Average conjecture for elliptic curves, Amer. J. of Math., to appear. [2] A. C. Cojocaru, Reductions of an elliptic curve with almost prime orders, Acta Arith. 119 (2005), no. 3, 265–289. [3] A. C. Cojocaru, F. Luca & I. E. Shparlinski, Pseudoprime reductions of elliptic curves, Math. Proc. Cambridge Philos. Soc. 146 (2009), no. 3, 513–522. [4] R. Crandall & C. Pomerance, Prime numbers. A computational perspective, Second edition. Springer, New York, 2005. xvi+597 pp. [5] C. David & J. Wu, Almost prime values of the order of elliptic curves over finite fields, Forum Math., to appear. [6] P. Erd˝os, On pseudoprimes and Carmichael numbers, Publ. Math. Debrecen 4 (1956), 201– 206. [7] D.M. Gordon and C. Pomerance, The distribution of Lucas and elliptic pseudoprimes, Math. Comp. 57 (1991), 825–838. [8] H. Halberstam & H.-E. Richert, Sieve Methods, Academic Press, London 1974. [9] H. Iwaniec, A new form of the error term in the linear sieve, Acta Arith. 37 (1980), 307–320. [10] N. Jones, Almost all elliptic curves are Serre curves, Transactions of the Amer. Math. Soc., to appear. PSEUDOPRIME REDUCTIONS OF ELLIPTIC CURVES 21

[11] N. Koblitz, Primality of the number of points on an elliptic curve over a finite field, Pacific J. Math. 131 (1988), No. 1, 157–165. [12] E. Kowalski, Analytic problems for elliptic curves, J. Ramanujan Math. Soc. 21 (2006), no. 1, 19–114. [13] J. Lagarias & A. Odlyzko, Effective versions of the Chebotarev Density Theorem, in: Alge- braic Number Fields (A. Fr¨ohlich edit.), New York, Academic Press (1977), 409-464. [14] F. Luca & Igor E. Shparlinski, Pseudoprime values of the Fibonacci sequence, polynomials and the Euler function, Indag. Math. (N.S.) 17 (2006), no. 4, 611–625. [15] F. Luca & Igor E. Shparlinski, Pseudoprime Cullen and Woodall numbers, Colloq. Math. 107 (2007), no. 1, 35–43. [16] M.-R. Murty, V.-K. Murty & N. Saradha, Modular forms and the Chebotarev density theorem, Amer. J. Math. 110 (1988), 253–281. [17] C. Pomerance, On the distribution of pseudoprimes, Math. Computation 37 (1981), no. 156, 587–593. [18] A. J. van der Poorten & A. Rotkiewicz, On strong pseudoprimes in arithmetic progressions, J. Austral. Math. Soc. Ser. A 29 (1980), no. 3, 316–321. [19] J.-P. Serre, Propri´et´es galoisiennes des points d’ordre fini des courbes elliptiques, Invent. Math. 15 (1972), no. 4, 259–331. [20] J.-P. Serre, Quelques applications du th´eor`eme de densit´ede Chebotarev, Inst. Hautes Etudes Sci. Publ. Math. 54 (1981), 123–201. [21] H. M. Stark, Some effective cases of the Brauer-Siegel theorem, Invent. Math. 23 (1974), 135–152. [22] D. Zywina, The large sieve and Galois representations, preprint. arXiv:0812.2222.

Department of Mathematics and Statistics, Concordia University, 1455 de Mai- sonneuve West, Montreal,´ QC, H3G 1M8, Canada E-mail address: [email protected]

Institut Elie Cartan Nancy, CNRS, Universite´ Henri Poincare´ (Nancy 1), INRIA, Boulevard des Aiguillettes, B.P. 239, 54506 Vandœuvre-les-Nancy,` France E-mail address: [email protected]