This paper explores strongly non-zero points on elliptic curves and their role in elliptic pseudoprimes, providing probabilistic insights into their existence for random points and curves.
Contribution
It introduces the concept of strongly non-zero points and applies it to analyze various types of elliptic pseudoprimes, offering new probabilistic results.
Findings
01
Probabilistic existence results for strong elliptic pseudoprimes
02
Introduction of strongly non-zero points as a tool in elliptic pseudoprime analysis
03
Insights into the distribution of elliptic pseudoprimes for random points and curves
Abstract
We examine the notion of strongly non-zero points and use it as a tool in the study of several types of elliptic pseudoprimes. Moreover, we give give some probabilistic results about the existence of strong elliptic pseudoprimes for a randomly chosen point on a randomly chosen elliptic curve.
Equations86
E/k:y2+a1xy+a3y=x3+a2x2+a4x+a6
E/k:y2+a1xy+a3y=x3+a2x2+a4x+a6
E/k:y2z+a1xyz+a3yz2=x3+a2x2z+a4xz2+a6z3,
E/k:y2z+a1xyz+a3yz2=x3+a2x2z+a4xz2+a6z3,
E/k:y2=x3+Ax+B
E/k:y2=x3+Ax+B
L(E,s)=p∏1−app−s+1E(p)p1−2s1
L(E,s)=p∏1−app−s+1E(p)p1−2s1
1E(p)={10if E has good reduction at potherwise
1E(p)={10if E has good reduction at potherwise
a1
a1
ape
E/k:y2+a1xy+a3y=x3+a2x2+a4x+a6
E/k:y2+a1xy+a3y=x3+a2x2+a4x+a6
E(Z/NZ)≃E(Z/p1e1Z)⊕⋯⊕E(Z/pkekZ).
E(Z/NZ)≃E(Z/p1e1Z)⊕⋯⊕E(Z/pkekZ).
#E(Z/pieiZ)=piei−1#Ei(Fpi)
#E(Z/pieiZ)=piei−1#Ei(Fpi)
(N+1)P≡O(modN)
(N+1)P≡O(modN)
(N+1)P≡OmodN.
(N+1)P≡OmodN.
(N+1−aN)P≡OmodN.
(N+1−aN)P≡OmodN.
E(Z/NZ)≅p∣N⨁E(Z/pνp(N)Z).
E(Z/NZ)≅p∣N⨁E(Z/pνp(N)Z).
gcd(pνp(N),z+kpνp(N))=gcd(pνp(N),z).
gcd(pνp(N),z+kpνp(N))=gcd(pνp(N),z).
gcd(pνp(N),z)∣gcd(N,z)=1
gcd(pνp(N),z)∣gcd(N,z)=1
σm,n(Q)=(xmodpn:ymodpn:zmodpn)
σm,n(Q)=(xmodpn:ymodpn:zmodpn)
kP=kyQ+kP′=kyQ+O=kyQ=Q
kP=kyQ+kP′=kyQ+O=kyQ=Q
kP′=kP−kyQ=Q−Q=O
kP′=kP−kyQ=Q−Q=O
E(Z/pnZ)≅i⨁Z/paiZ⊕G
E(Z/pnZ)≅i⨁Z/paiZ⊕G
E(Z/pn−1Z)≅i⨁Z/pai−biZ⊕G
E(Z/pn−1Z)≅i⨁Z/pai−biZ⊕G
E(Z/pnZ)
E(Z/pnZ)
E(Z/pn−1Z)
ψ:(y,z)↦(y,zmodpaj−1)
ψ:(y,z)↦(y,zmodpaj−1)
ψ(P)=ψ(h,g′)=(h,g)=P′
ψ(P)=ψ(h,g′)=(h,g)=P′
p⋅(pn−1−pn−2)=pn−1(p−1)
p⋅(pn−1−pn−2)=pn−1(p−1)
E(Z/nZ)≅p∣n⨁E(Z/pνp(n)Z)
E(Z/nZ)≅p∣n⨁E(Z/pνp(n)Z)
Ppi={Qpi if Qpi is a strongly non-zero point Tpi where Tpi is a strongly non-zero point and order(Qpi)∣order(Tpi)
Ppi={Qpi if Qpi is a strongly non-zero point Tpi where Tpi is a strongly non-zero point and order(Qpi)∣order(Tpi)
|Q|\Big{|}|P^{\prime}|\Big{|}N+1
|Q|\Big{|}|P^{\prime}|\Big{|}N+1
J(x,pa):=#E(Z/paZ)#{P∈E(Z/paZ):ν2(order(P))=x},
J(x,pa):=#E(Z/paZ)#{P∈E(Z/paZ):ν2(order(P))=x},
H(x,N):=#E(Z/NZ)#{P∈E(Z/NZ):ν2(order(Pi))=x for all 1≤i≤k}=i=1∏kJ(x,piai)
H(x,N):=#E(Z/NZ)#{P∈E(Z/NZ):ν2(order(Pi))=x for all 1≤i≤k}=i=1∏kJ(x,piai)
Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
Full text
Strongly Non-zero Points and Elliptic Pseudoprimes
We examine the notion of strongly non-zero points and use it as a tool in the study of several types of elliptic pseudoprimes introduced in [13], [31] and [4]. Moreover, we give give some probabilistic results about the existence of strong elliptic pseudoprimes for a randomly chosen point on a randomly chosen elliptic curve.
The notion of testing a number for primality has long been an interesting problem in mathematics. Possibly the most well-known primality test is based on Fermat's Little Theorem: if p is a prime number and b is an integer not divisible by p, then bp−1≡1(modp). However, the converse does not hold: there are composite numbers N and positive integers 1<b<N for which bN−1≡1(modN). We refer the reader to the survey article by C. Pomerance [25] for a nice introduction to primality testing. Clasically, a natural number N is a pseudoprime to the base b if N is composite and bN−1≡1modN. If N is a pseudoprime for all b with gcd(b,N)=1 then N is called Carmichael number. In [17], Korselt characterized these numbers as follows: N is a Carmichael number if and only if N is square-free and p−1∣N−1 for every prime p∣N. In 1986, the long-standing conjecture that there are infinitely many Carmichael numbers was proven by Alford, Granville, and Pomerance [2].
Since the 1980's, elliptic curves have been used in algorithmic number theory to give deterministic algorithms that are faster than earlier algorithms that did not use elliptic curves. We refer the reader to [18] for historical remarks on elliptic curve primality testing. The general framework of elliptic curve primality testing is based on the following fundamental theorem of Goldwasser and Kilian [11].
Theorem 1.1**.**
[11]**
Let E/Q be an elliptic curve, and let M and N be positive integers with M>(N1/4+1)2 and N is coprime to Δ(E). Suppose there is a point P∈E/Q such that MP is zeromodN and (M/p)P is strongly non-zeromodN for every prime p∣M. Then N is prime.
Although the original algorithm of Goldwasser-Kilian is no longer used, their result is used as a framework for the ``AKS" primality test, developed by Agrawal, Kayal, and Saxena in [3], which is the only known algorithm that determines the primality or compositeness of any integer in deterministic polynomial time.
In 1992, Gordon introduced the notion of an elliptic pseudoprime [13] as a natural extension of the definition of a pseudoprime from groups arising from elliptic curves with complex multiplication.
Definition 1.2**.**
[13]
Let E/Q be an elliptic curve with complex multiplication by an order in Q(−d) and let P∈E(Q) have infinite order. A composite number N is called an elliptic pseudoprime if (N−d)=−1, N is coprime to Δ(E), and N satisfies (N+1)P≡O(modN).
We will use the notation ``G-pseudoprime" to denote Gordon's notion of an elliptic pseudoprime. In [30], Silverman extends Gordon's notion of elliptic pseudoprimes by allowing any elliptic curve E/Q, not just elliptic curves with complex multiplication, as well as any P∈E(Z/NZ).
Definition 1.3**.**
[30]
Let N∈Z, let E/Q be an elliptic curve, and let P∈E(Z/NZ). Write the L-series of E/Q as L(E/Q,s)=∑nnsan. Then N is an elliptic pseudoprime for (E,P) if N has at least two distinct prime factors, E has good reduction at every prime p dividing N, and (N+1−aN)P≡O(modN).
We will use the notation ``S-pseudoprime" to denote Silverman's notion of an elliptic pseudoprime.
In this paper we study elliptic G- and S- pseudoprimes for strongly non-zero points on the elliptic curve E(Z/NZ) (Section 3). Moreover, we give bounds on the number of points on a given elliptic curve for which an odd integer N is a strong elliptic G-pseudoprime and probabilistic results for a given odd integer N being a strong elliptic G- pseudoprime for a randomly chosen point on a randomly chosen elliptic curve (Section 4). We prove similar results for strong elliptic S-pseudoprimes. Prior to these results we give a brief introduction to elliptic curves and elliptic pseudoprimes (Section 2)
2. Preliminaries
2.1. Elliptic Curves
We introduce some elementary features of elliptic curves which are relevant to the topics presented in this paper. We refer the reader to [31] and [32] for detailed introduction to elliptic curves. Let k be a field and let k denote its algebraic closure. An elliptic curveE over a field k is a non-singular 111an algebraic curve is said to be non-singular if there is not point on the curve at which all partial derivatives vanish. curve with an affine equation of the form
[TABLE]
where a1,a2,a3,a4,a6∈k. An equation of the above form (1) is called a generalized Weierstrass equation.
Recall that the points in projective space P2(k) correspond to the equivalence classes in k3−{(0,0,0)} under the equivalence relation (x,y,z)∼(ux,uy,uz) with u∈k×. The equivalence class containing (x,y,z) is denoted by [x:y:z]. The projective equation corresponding to the affine equation (1) is the homogeneous equation
[TABLE]
where a1,a2,a3,a4,a6∈k.
The point [0:1:0] is called the point at infinity and is denoted by O. The projective points of E over k form an abelian group with O as the identity.
If char(k)=2,3, then the equation of E can be written as
[TABLE]
where A,B∈k.
An elliptic curve E/k:y2z=x3+Axz2+Bz3 is non-singular if and only if its discriminant, 4A3+27B2, is nonzero. Associated to E/Q is the L-function L(E,s), which is defined as the Euler product
[TABLE]
where
[TABLE]
and ap=p+1−#E(Z/pZ) whether or not E has good reduction at p. Alternatively expressing L(E,s) as the Dirichlet series L(E,s)=∑nnsan, the map sending a positive integer n to the coefficient an is a multiplicative function with
[TABLE]
See [8, Chapter 8.3] and [31, Appendix C, Section 16] for more on L-series of elliptic curves.
An elliptic curve E/Z/NZ is the set of solutions [x:y:z] (requiring that gcd(x,y,z,N)=1) in projective space over Z/NZ to a Weierstrass equation
[TABLE]
where the discriminant Δ has no prime factor in common with N. There is a group law on E(Z/NZ) given by explicit formulae which can be computed (see [32]). For a given elliptic curve E/Q:y2=x3+Ax+B where A,B,N∈Z with N positive odd integer such that gcd(N,4A3+27B2)=1 there is a group homomorphism from E/Q to E(Z/NZ) by representing the points in E/Q as triples [x:y:z]∈P2(k).
If the prime factorization of N is N=p1e1⋯pkek then E(Z/NZ) is isomorphic as a group to the direct product of elliptic curve groups
[TABLE]
In particular, if we let Ei be the reduction of E modulo pi, then Ei is an elliptic curve over the field Fpi. It is known that
[TABLE]
We refer the reader to [18, 32] for details about elliptic curves over Z/NZ.
2.2. Elliptic Pseudoprimes
n this section we give some background on elliptic pseudoprimes in general. For other articles that study elliptic pseudoprimes and related notions see [13, 12, 9, 10, 21, 30].
Definition 2.1**.**
[13]
Let E/Q be an elliptic curve with complex multiplication in Q(−d), let P be a point in E of infinite order, and let N be a composite number with gcd(N,6Δ)=1. Then, N is an elliptic pseudoprime for (E,P) if (N−d)=−1 and
[TABLE]
In [30], Silverman extends Gordon's aforementioned notion of elliptic pseudoprimes by allowing any elliptic curve E/Q, not just elliptic curves with complex multiplication, as well as any P∈E(Z/NZ).
Definition 2.2**.**
[30]
Let N∈Z, let E/Q be an elliptic curve, and let P∈E(Z/NZ). Write the L-series of E/Q as L(E/Q,s)=∑nnsan. Then N is an elliptic pseudoprime for (E,P) if N has at least two distinct prime factors, E has good reduction at every prime p dividing N, and (N+1−aN)P≡O(modN).
It is not hard to check that for (most) N, (N−d)=−1 and N is square-free if and only if aN=0. Thus, (n+1−aN)P=(n+1)P, so (most) elliptic pseudoprimes in Gordon's sense are also pseudoprimes in Silverman's sense.
Definition 2.3**.**
[13]
Let E/Q be an elliptic curve. A composite number N with gcd(N,6Δ)=1 is an elliptic G-pseudoprime for the curve E/Q with complex multiplication by the field K=Q(−d) and a point P∈E(Q) of infinite order if (N−d)=−1 and
Let E/Q be an elliptic curve with complex multiplication. Suppose N is a composite number with gcd(N,6Δ)=1. Write N+1=2st where t is odd. Then N is called a strong elliptic G-pseudoprime for a curve E with complex multiplication by K=Q(−d) and a point P∈E(Q) with infinite order if (N−d)=−1 and either
(i)
tP≡OmodN, or
2. (ii)
(2rt)P≡(x:0:1)modN for some 0≤r≤s−1 and some x∈Z/NZ.
Definition 2.5**.**
[13]
Let E/Q be an elliptic curve. A composite number N is an elliptic (strong) G-Carmichael number for E if it is a (strong) G-pseudoprime for E at all points P∈E(Z/NZ).
Definition 2.6**.**
[30]
Let E/Q be an elliptic curve and it's associated L-series be L(E,s)=∑n≥1an/ns. A composite number N is an elliptic S-pseudoprime for E/Q and a point P∈E(Z/NZ) if N has at least two distinct prime factors, E has good reduction at every prime p∣N, and
[TABLE]
In [4], the authors extend the notion of a strong elliptic G-pseudoprime by considering non-CM curves.
Definition 2.7**.**
[4]
Let E/Q be an elliptic curve and its associated L-series be L(E,s)=∑n≥1an/ns. Let N be an integer, and let P be a point in E(Z/NZ). Write N+1−aN=2st, where t is odd. Then, N is a strong elliptic S-pseudoprime for (E,P) if N has at least two distinct prime factors, E/Q has good reduction at every prime p∣N, and one of the following holds:
(i)
tP≡OmodN, or
2. (ii)
(2rt)P≡(x:0:1)modN for some 0≤r≤s−1 and some x∈Z/NZ.
From these definitions of S-pseudoprimes for a specific point P on a curve E, it is natural to extend the idea of Carmichael numbers for the group (Z/NZ)× to Carmichael numbers for the group E(Z/NZ).
Let E/Q be an elliptic curve. A composite number N is a (strong) elliptic S-Carmichael number for E/Q if it is a (strong) elliptic S-pseudoprime for E/Q at all points P∈E(Z/NZ).
3. Strongly Nonzero Points and Elliptic Pseudoprimes
In this section we use the notion of strongly non-zero points and use it as a tool for examining G- and S- elliptic Carmichael numbers.
Definition 3.1**.**
Let P=(x:y:z) be a projective point on an elliptic curve E/Q, where x,y,z∈Z, and let N be a nonzero integer. If z=0modN then the point P is said to be zeromodN; otherwise, P is non-zeromodN. If gcd(z,N)=1 then the point P is said to be strongly non-zeromodN.
Note that if P is strongly non-zeromodN, then P is non-zeromodp for every prime p∣N. When N is prime, the notions of nonzero and strongly non-zero coincide.
Lemma 3.2**.**
Let Q be a strongly non-zero point on the elliptic curve E(Z/NZ).
Consider the group decomposition
[TABLE]
where νp(N) denotes the p-adic valuation of N. Let Qp∈E(Z/pνp(N)Z) denote the point corresponding to Q for a prime p∣N. Then Qp is a strongly non-zero pointmodpνp(N) for all p∣N.
Proof.
Since Q is strongly non-zero point, we may write Q=(x:y:z) with z=1.
Then Qp=(xmodpνp(N):ymodpνp(N):zmodpνp(N)). Note that for any integer k>0,
[TABLE]
Also, since pνp(N)∣N,
[TABLE]
Thus gcd(pνp(N),zmodpνp(N))=1, which implies that Qp is strongly non-zero pointmodpνp(N).
∎
Corollary 3.3**.**
Let Q be a point in E(Z/NZ), and let Qp as defined above. Then Q is a zero pointmodN if and only if there exists a prime p∣N such that Qp is a zero pointmodN.
Throughout the rest of the section we consider the case when E(Z/NZ) has strongly non-zero pointsmodN.
Proposition 3.4**.**
Let E(Z/pmZ) be an elliptic curve and Q∈E(Z/pmZ) a point. Let σm,n:E(Z/pmZ)→E(Z/pnZ), m≥n be the homomorphism given by
[TABLE]
Then σm,n(Q) is a non-zero point in E(Z/pnZ) if and only if Q is a non-zero point in E(Z/pmZ).
Proof.
Write Q=(x:y:z). Then σm,n(Q)=(xmodpn:ymodpn:zmodpn). Then for any integer k, p∣(z−kpn) if and only if p∣z. Since p is prime, for any integer i>0, if gcd(pi,z)>1, then p∣z. It follows that gcd(pn,zmodpn)>1 if and only if gcd(pm,zmodpn)>1.
∎
Corollary 3.5**.**
If Q is a non-zero point on the elliptic curve E(Z/pmZ), then ∣Q∣=pk for some integer k<m.
Proof.
Let σm,1:E(Z/pmZ)→E(Z/pZ) be the homomorphism as in Lemma 3.4. Note that the only non-zero point in E(Z/pZ) is the identity O.
By Lemma 3.4, ker(σm,1) is the set of all non-zero points in E(Z/pmZ). Also, from Em−1/Em≅ker(σm,m−1) and ker(σf,f−1)≅Z/pZ we have that ∣ker(σm,1)∣=pm−1. This implies that that ∣Q∣∣pm−1. Thus ∣Q∣=pk for some integer 0≤k<m.
∎
Lemma 3.6**.**
Let Q be a non-zero point on the elliptic curve E(Z/pnZ) and k coprime to p. Then there exists a strongly non-zero point P∈E(Z/pnZ) such that kP=Q if and only if there exists a strongly nonzero point P′∈E(Z/pnZ) with ∣P′∣ dividing k.
Proof.
Let Q, E(Z/pnZ) and k be given. Let P′∈E(Z/pnZ) a strongly non-zero point such that ∣P′∣ divides k. Since gcd(k,pn)=1, there exists a positive integer y such that ky≡1modpn. Let P=yQ+P′. Thus by Corollary 3.5, P is a strongly non-zero point. Note that
[TABLE]
Conversely, assume that P with kP=Q is a a strongly nonzero point. Let y be a positive integer such that ky=1modpn. Let P′=P−yQ. By Corollary 3.5,
P′ is a strongly non-zero point. Note that
[TABLE]
Therefore ∣P′∣∣k.
∎
Lemma 3.7**.**
Let Q be a non-zero point in E(Z/pnZ) and let σn,n−1:E(Z/pnZ)→E(Z/pn−1Z) be the natural homomorphism. Let k be an integer and P′∈E(Z/pn−1Z) be a strongly non-zero point such that kP′=σn,n−1(Q) and p∤k. Then there exists a point P∈E(Z/pnZ) such that kP=Q.
Proof.
Note that ∣ker(σn,n−1)∣=p. It follows that ker(σn,n−1)≅Z/pZ. We can write
[TABLE]
where G does not contain any elements of order p. Since ker(σn,n−1)≅Z/pZ is a normal subgroup of E(Z/pnZ), it follows that
[TABLE]
where bj=1 for exactly one index j and bi=0 for all other indices i=j. Let j be the index such that bj=1. Then we can write
[TABLE]
where H≅⨁i=jZ/paiZ⊕G . Let ψ:H⊕Z/pajZ→H⊕Z/paj−1Z be given by
[TABLE]
where y∈H, z∈Z/pajZ.
Let Q∈E(Z/pnZ) be a non-zero point, and let Q∈H⊕Z/pajZ. Then ψ(Q) is a non-zero point. Assume that there exists a strongly non-zero point P′∈E(Z/pn−1Z) such that kP′=σn,n−1(Q). Write Q≅(r,s) with r∈H and s∈Z/pajZ. Similarly write P′≅(h,g) with h∈H and g∈Z/paj−1Z. By assumption, kh=r and kg≡smodpaj−1. Consider the polynomial f(x)=kx−s. Since k=0modp, f(x) does not have any double rootsmodpaj−1. Then by Hensel's lemma there exists a number g′∈Z/pajZ with g′≡gmodpaj−1 such that f(g′)=0modpaj. It follows that kg′−s=0modpaj. Thus k(h,g′)=(r,s). Choose P such that P≅(h,g′) with h∈H and g′∈Z/paj−1Z yields kP=Q.
Note that
[TABLE]
Thus by Lemma 3.4P is a strongly non-zero point.
∎
Theorem 3.8**.**
Let p be an odd prime and Q be a non-zero point in E(Z/pnZ). There exists an integer k and a strongly non-zero point P∈E(Z/pnZ) such that kP=Q if and only if one of the following holds:
(a)
E(Z/pZ)* is not anomalous.*
(b)
E(Z/pnZ)≅Z/pnZ.
(c)
E(Z/pnZ)≅Z/pZ⊕Z/pn−1Z* and Q≅(Q1,Q2) with Q1∈Z/pZ, Q2∈Z/pn−1Z, where Q2 is not a generator of Z/pn−1Z*
Proof.
The cases when E is not anomalous will be proven by induction on n. Note that this is trivially satisfied for n=1 because there are no non-zero points and since the order of the curve is coprime to p, k is coprime to p.
Suppose that the statements holds up to n−1. Let Q be a non-zero point in E(Z/pnZ), and σn,n−1 be as defined above. Then σn,n−1(Q)∈E(Z/pn−1Z) is a non-zero point, so by the inductive hypothesis we have k,P′ such that kP′=σn,n−1(Q) with k coprime to p and P′ a strongly non-zero point. Then the claim follows by Lemma 3.7.
In the case E(Z/pZ) is anomalous at p we have two cases:
Case (1):
E(Z/pnZ)≅Z/pnZ. Consider the natural homomorphism σn,1:E(Z/pnZ)→E(Z/pZ). Since σn,1 is surjective, for any generator P of E(Z/pnZ), σn,1(P)=O. Thus there are no non-zero points that are generators of E(Z/pnZ). Therefore there is a strongly non-zero point P which is a generator of E(Z/pnZ). Thus for all points Q, there exists a strongly non-zero point P with kP=Q for some integer k.
2. Case (2):
E(Z/pnZ)≅Z/pZ⊕Z/pn−1Z. It is well known (CITE SOMETHING) that E1/En≅Z/pn−1Z and it follows that for any point P≅(P1,P2) in E(Z/pnZ) where P1∈Z/pZ and P2∈Z/pn−1Z, P is a non-zero point if and only if P1 is the identity. We want to show a non-zero point Q≅(0,Q2) can be written as kP for some integer k and some strongly non-zero point P if and only if Q2 is not a generator of Z/pn−1Z.
(⇒) Assume that Q≅(0,Q2) where Q2∈Z/pn−1Z can be written as kP for some integer k and some strongly non-zero point P≅(P1,P2) with P1∈Z/pZ and P2∈Z/pn−1Z. Since P is strongly non-zero, P1=0. However, since kP1=0 and P1∈Z/pZ, order(P1)=p, so p∣k, which implies that p∣kP2=Q2. Therefore Q2 is not a generator of Z/pn−1Z.
Conversely, assume Q≅(0,Q2) where Q2∈Z/pn−1Z and Q2 is not a generator. Then Q2=p⋅r for some r∈Z/pn−1Z, and thus
Q=kP for k=p and P≅(1,r).
∎
Note that the last case in Theorem 3.8 only applies for non-zero points that are not generators of the subgroup Z/pn−1Z of E(Z/pnZ). The following holds for all non-zero points in E(Z/pnZ).
Lemma 3.9**.**
Let E(Z/pnZ) be an elliptic curve and Q∈E(Z/pnZ) be a non-zero point. Then there exists a strongly non-zero point P∈E(Z/pnZ) such that ∣Q∣ divides ∣P∣.
Proof.
We will consider the following cases
Case (1):
Q and E satisfy one of the conditions from Theorem 3.8. In this case |Q|\Big{|}|P| since kP=Q.
2. Case (2):
E(Z/pnZ)≅Z/pZ⊕Z/pn−1Z and Q=(0,Q2) with Q2∈Z/pn−1Z, where Q2 is a generator of Z/pn−1Z. In the case when n=1, this case is trivially true because Q=O∈E(Z/pnZ), so ∣Q∣=1. When n>1, note that the order of any point in E(Z/pnZ) divides pn−1. There are
[TABLE]
elements with order exactly pn−1. Thus there are more than pn−1 elements with order pn−1. Since there are only pn−1 non-zero points, there is a strongly non-zero point P with ∣P∣=pn−1 and thus for any point Q, ∣Q∣ divides ∣P∣.
∎
Lemma 3.10**.**
If Q is a non-zero point in E(Z/nZ), then there exists a strongly non-zero point P such that ∣Q∣ divides ∣P∣.
Proof.
Let Q∈E(Z/nZ) be a non-zero point. Recall that
[TABLE]
Thus each point T∈E(Z/nZ) can be written as T≅(Tp1,Tp2,...Tpr) where Tpi denotes the point corresponding to T in the subgroup E(Z/piνpi(n)Z), and p1,p2,…,pr are the distinct prime divisors of n. Due to the direct sum, we have that ∣Q∣=lcm{∣Qpi∣:1≤i≤r}.
For each 1≤i≤r, let
[TABLE]
By Corollary 3.3, P is a strongly non-zero point. Note that |Q|\Big{|}|P| since |{Q_{p_{i}}}|\Big{|}|P_{p_{i}}| for all 1≤i≤r by construction.
∎
Corollary 3.11**.**
Let E/Q be an elliptic curve. A composite number N is an elliptic G-Carmichael number for the curve E if and only if N is a elliptic G-pseudoprime for all strongly non-zero points P∈E(Z/NZ). Similarly, N is an elliptic S-Carmichael number for the curve E(Z/NZ) if and only if N is a S-pseudoprime for all strongly non-zero points P∈E(Z/NZ).
Proof.
We will prove the statement for elliptic G-Carmichael numbers. The proof for elliptic S-Carmichael numbers is similar. Suppose N is an elliptic G-Carmichael number for a curve E i.e. N is an elliptic G-pseudoprime for all strongly non-zero points P∈E(Z/NZ).
Conversely, assume that N is an elliptic G-pseudoprime for all strongly non-zero points P∈E(Z/NZ). Then for all strongly non-zero points P∈E(Z/NZ), the order |P|\Big{|}N+1. By Lemma 3.10, for any non-zero point Q, there exists a strongly non-zero point P′ such that
[TABLE]
Thus N is an elliptic G-pseudoprime for all points P∈E(Z/NZ) i.e N is an elliptic G-Carmichael number.
∎
Corollary 3.12**.**
Let E/Q be an elliptic curve, N be a composite integer, and t be any integer. Then ϵN,p(E)∣t if and only if for all strongly non-zero points P∈E(Z/NZ), |P|\Big{|}t.
Proof.
From [4], we have \epsilon_{N,p}\left(E\right)\Big{|}t if and only if for all points P∈E(Z/NZ), tP=O. By Corollary 3.11,
this is true if and only if for all strongly non-zero points P∈E(Z/NZ), tP=O.
∎
Theorem 3.13**.**
Let E/Q be an elliptic curve. There is no composite number N such that N is a strong eliiptic G-pseudoprime for all strongly non-zero points P∈E(Z/NZ).
Proof.
We prove the claim of the theorem by considering several cases.
Case (1):
N contains a square, i.e. pe∣∣N for a prime p and an integer e>1.
We know that ∣E(Z/peZ)∣=pe−1∣E(Z/pZ)∣. Note that E(Z/peZ) contains a point of order p. By Lemma 3.9, there exists a strongly non-zero point P∈E(Z/peZ) such that ∣X∣∣∣P∣, so p\Big{|}|P|. In particular, ∣P∣∤N+1, so (N+1)P=O. Therefore N is not a strong elliptic G-pseudoprime for the point P∈E(Z/peZ).
In the following two cases let p be a prime with p∣N and ∣E(Z/pZ)∣=p+1. Note that such a prime p must exist from our definition of a G-pseudoprime. Also assume N is squarefree.
2. Case (2):
There exists a prime q=p such that ∣E(Z/qZ)∣ is not a power of 2. By the first Sylow theorem, there exists a point Q∈E(Z/qZ) of odd order and there exists a point P∈E(Z/pZ) of even order. Note that the points P and Q are both strongly non-zero points. Write E(Z/NZ)=E(Z/pZ)⊕E(Z/qZ)⊕H for some group H. Take the point X=(P,Q,h) for any strongly non-zero element h∈H. If (N+1)X=O, then n is not a strong G-pseudoprime at X. Otherwise, (letting N+1=2st, where t is odd) we must have tQ=O in E(Z/qZ) since Q has odd order. But tP=O∈E(Z/pZ) because P has even order, so tX=O∈E(Z/NZ). Because tQ=Omodq, tX is not strongly nonzero and thus 2rtX cannot have the form (x:0:1) for some x∈Z/NZ. Therefore N is not a strong G-pseudoprime at X.
3. Case (3):
For all primes q∣N with q=p, ∣E(Z/qZ)∣ is a power of 2. If ∣E(Z/pZ)∣ is not a power of two, by the first Sylow theorem there exists a point P of odd order >1 in ∣E(Z/pZ)∣. Then we can construct a point X as in Case 2 with P and a point Q of even order from ∣E(Z/qZ)∣ for some q∣N. For the rest of the section assume ∣E(Z/pZ)∣ is a power of 2.
Since by Definition 2.4, all prime factors of N must be ≥5, we have that ∣E(Z/pZ)∣=p+1≥8.
Recall that the structure of an elliptic curve over a finite field is the product of two cyclic groups. Therefore one of the cyclic groups must contain at least 8>2 elements and divide a power of 2. It follows that we can find of point P of order 4 in E(Z/pZ).
Let q∣N be a prime, q=p. Since
∣E(Z/qZ)∣ is a power of 2 there exists a point Q∈E(Z/qZ) of order 2. Write E(Z/NZ)=E(Z/pZ)⊕E(Z/qZ)⊕H for some group H. Take the strongly nonzero point X=(P,Q,h) for any strongly nonzero h∈H. Then 2tX=O since 4∣∣P∣, but 2tX is not strongly nonzero since 2Q=O. Thus 2rtX cannot have the form (x:0:1) for some x∈Z/NZ. Therefore N is not a strong G-pseudoprime at X.
∎
Theorem 3.14**.**
Let E/Q be an elliptic curve. Then an odd composite number N is a strong S-pseudoprime for all strongly non-zero points P∈E(Z/NZ) if and only if E has good reduction at p for every prime p∣N and either
(i)
ϵN,p(E)∣t* for all primes p∣N or*
2. (ii)
ϵN,p(E)∣2t* and E(Z/pZ)≅Z/2Z⊕Z/2Z or Z/2Z for all primes p∣N.*
Proof.
[4] show condition (i) is equivalent to N being a strong S-Carmichael number and therefore for all strongly non-zero points P∈E(Z/NZ), N is a strong S-pseudoprime.
We will prove N is not a strong S-Carmichael number for a curve E and N is a strong S-pseudoprime at all strongly nonzero points P∈E if and only if condition (ii) is met. For notational purposes let P≅(Pp1,Pp2...) represent the decomposition of the point P∈E(Z/NZ) into ⨁p∣NE(Z/piνpi(N)Z) with Ppi∈E(Z/piνpi(N)Z).
Let ϵN,p(E)∣2t and E(Z/pZ)≅Z/2Z⊕Z/2Z or Z/2Z for all primes p∣N. Notice N cannot be a strong S-Carmichael number since there exists a point in E(Z/pνp(N)Z) of order divisible by 2 and therefore ϵN,p(E)∤t. For any strongly non-zero point P≅(Pp1,Pp2…), consider Ppi∈E(Z/piνpi(N)Z). Let σ:E(Z/piνpi(N)Z)→E(Z/piZ) be the natural homomorphism. Since Ppi is strongly nonzero, σ(Ppi) is strongly nonzero and thus ∣σ(Ppi)∣=2. Thus σ(tPpi)=tσ(Ppi)=σ(Ppi)=O and so tPpi is a strongly non-zero point for all pi∣N. Thus tP is a strongly non-zero point in E(Z/NZ). Since ϵN,p(E)∣2t for all p∣N, we have 2tP=O. Therefore tP must be a strongly non-zero point of order 2. Therefore N is a strong S-pseudoprime for P.
Conversely, let N be a strong S-pseudoprime for all strongly nonzero points in E(Z/NZ) and N not be a strong S-Carmichael number for E. Then there exists a point Q∈E(Z/NZ) such that tQ=O. By Lemma 3.10, there exists some strongly non-zero point P with order(Q)∣order(P), thus tP=O. Then, by assumption that N is a strong S-pseudoprime for all strongly nonzero points P∈E(Z/NZ), 2rtP=(x:0:1) for some 0≤r<s and some x∈Z/NZ. Fix some strongly nonzero point P∈E(Z/NZ).
Assume that r>0 and let T=2rtP. Note that Tpi=2rtPpi∈E(Z/piνpi(N)Z) is a strongly nonzero point of order 2 in E(Z/piνpi(N)Z) for all pi∣N and 2T=O∈E(Z/NZ). Construct the strongly nonzero point Y≅(Tp1,Pp2,…,Ppi,…). Notice 2r+1tY=O, 2rtY=O, and 2rtY is a non-zero point since 2Tp1=O in E(Z/p1νp1(N)Z), thus N is not a strong elliptic S-pseudoprime for the strongly non-zero point Y, a contradiction. Therefore r=0.
Assume for the sake of contradiction there exists a strongly non-zero point X such that tX=O. Construct the strongly nonzero point Y′≅(Xp1,Pp2,…,Ppi,…). Notice tY′=O since tPp2=O. Since 2itXp1=O for all i≥0, 2itY′ is not a strongly non-zero point for all i≥0. Thus N is not strong elliptic S-pseudoprime at the point Y′.
Therefore for all strongly non-zero points P∈E(Z/NZ), tP=O.
Thus for every strongly non-zero point P≅(Pp1,Pp2..), 2tP=O and so ϵN,p∣2t . We also conclude that ν2(∣Ppi∣)=1. Let σ:E(Z/piνpi(N)Z)→E(Z/piZ) be the natural homomorphism. Since ker(σ)=Z/pνpi−1Z and pi is odd,
ν2(∣σ(Ppi)∣)=ν2(∣Ppi∣)=1. Since every nonzero point in X∈E(Z/piZ can be lifted to a strongly nonzero point X′∈E(Z/NZ) such that σ(X′)=X, ν2(X)=1.
Thus, there are no non-zero points in E(Z/pZ) have odd order >1 or order 4 thus every non-zero point has order 2. Therefore E(Z/pZ)≅Z/2Z⊕Z/2Z or E(Z/pZ)≅Z/2Z.
∎
4. Point-wise Probabilities for Strong Elliptic Pseudoprimes
It is known that no composite number can be a strong G-pseudoprime for all points on a given elliptic curve (see [10]), so we now ask: for how many of the points on a given elliptic curve can a given composite number be a strong G-pseudoprime? Similarly, no composite number can be a strong S-pseudoprime for all points on all elliptic curves, which motivates the following question: given a fixed composite number N, what is the probability that N is a strong elliptic S-pseudoprime for a randomly chosen point on a randomly chosen elliptic curve?
Theorem 4.1**.**
A composite number N is a strong elliptic G-pseudoprime for at most 5/8 of the points in E(Z/NZ).
Notation**.**
Let E/Q be an elliptic curve, and let N be a positive integer such that E has good reduction at p for every prime p∣N. For a positive integer x and a prime power pa, define
[TABLE]
where ν2 denotes 2-adic valuation.
Let N=p1a1⋯pkak be the prime factorization of N, so we may write E(Z/NZ)≅E(Z/p1a1Z)⊕⋯⊕E(Z/pkakZ). For each P∈E(Z/NZ), we can consider P as isomorphic to (P1,…,Pk), where Pi∈E(Z/piaiZ). Define
[TABLE]
where order(Pi) denotes the order of Pi as an element of E(Z/piaiZ).
Proposition 4.2**.**
Let N=p1α1...pkαk and M=N/pkαk. Define G(E,N)=∑x≥0H(x,N). Then G(E,N)≤G(E,M).
Proof.
[TABLE]
∎
Lemma 4.3**.**
Let E/Q be an elliptic curve with good reduction at a prime p>2. Then for any x≥0 and any a∈N, J(x,pa)=J(x,p).
Proof.
We prove the claim of the theorem by considering several cases.
Case (1):
E(Z/pkαkZ)≅Z/pkαk−1Z⊕E(Z/pkZ).
Take any point P≅(P1,P2) in E(Z/pkαkZ)≅Z/pkαk−1Z⊕E(Z/pkZ). Note that the order(P)=lcm(order(P1),order(P2)). 2∤pkαk−1, so ν2(order(P))=ν2(order(P2)).
2. Case (2):
E(Z/pkαkZ)≅Z/pkαkZ.
Since pk is anomalous, E(Z/pkZ)≅Z/pkZ. Since pk is odd, all of the points in E(Z/pkZ) have odd order, and all of the points in E(Z/pkαkZ) have odd order.
∎
Corollary 4.4**.**
Let N=p1a1⋯pkak with pi=2, and define M=p1p2⋯pk. Then for all x≥0, H(x,N)=H(x,M).
The statement follows from Lemma 4.3 and the definition of H(x,N) in 6. As a result, we may now assume without loss of generality that ai=1 for all i.
Lemma 4.5**.**
Consider the group G≅Z/2stZ⊕Z/2rwZ, where t and w are odd and 2st∣2rw. The proportion of points P∈G such that ν2(∣P∣)=k is
(i)
1/2r+s* if k=0,*
2. (ii)
3(22k−2)/2r+s* if 1≤k≤s,*
3. (iii)
2s+k−1/2r+s* if s+1≤k≤r, and*
4. (iv)
[math]* for k>r.*
Proof.
First let us deal with the proportion of points P∈G of odd order, i.e. when ν2(∣P∣)=0. Using the isomorphism, we can consider P∈G as the pair of points (P1,P2), where P1∈Z/2stZ and P2∈Z/2rwZ. We can consider P1 to be an integer modulo 2st in the set {0,1,2,…,2st−1}.
Claim 1. The order of P1 is odd if and only if 2s∣P1.
Proof of Claim 1. Suppose that P1 has odd order d. Then dP1≡0mod2st. In particular, 2st∣dP1. Since d is odd, 2s∣P1.
Conversely, suppose 2s∣P1. Let d be the order of such an element P1. Then dP1≡0mod2st, i.e. 2st∣dP1. If d were even, then we still have that 2st∣(d/2)P1, since 2s∣P1, contradicting the minimality of d. Therefore d must be odd, concluding the proof of Claim 1.
Therefore to count the points of odd order in Z/2stZ, it suffices to count the elements P1 in the set {0,1,2,…,2st−1} such that 2s∣P. These are exactly the elements {0,2s,2⋅2s,…,(t−1)⋅2s}, of which there are t. Because an element of odd order in G must correspond to elements of odd order in both Z/2stZ and Z/2rwZ, we can see that there are tw points of odd order, including the identity. Dividing by ∣G∣=2r+stw gives us part (i) of the lemma.
We can also extend this to counting points P1 of order d such that ν2(d)=k for some 1≤k≤s:
Claim 2. Suppose that the order of P1∈Z/2stZ is d. Then ν2(d)=k if and only if 2s−k∣∣P1.
Proof of Claim 2. Suppose that ν2(d)=k. As in the previous claim, we have dP1≡0mod2st, so 2st∣dP1, so 2s∣dP1. By the minimality of d, 2st∤(d/2)P1. Therefore 2s∣∣dP1. Since we know that 2k∣∣d, we must have that 2s−k∣∣P1.
Suppose instead that 2s−k∣∣P1. Let the order of P1 be d. Then 2st∣dP1, so 2kt∣d⋅P1/2s−k. Since P1/2s−k is odd, we must have that 2k∣d. Furthermore, we cannot have that 2k+1∣d, otherwise 2st∣(d/2)P1, contradicting the minimality of d. Therefore ν2(d)=k, concluding the proof of Claim 2.
From Claim 2, we see that to count the points P1∈Z/2stZ with order d such that ν2(d)=k for some 1≤k≤s, it suffices to count the number of multiples of 2s−k in the set {0,1,2,…,2st−1} which are not multiples of 2s−k+1. There are exactly 2st/2s−k−2st/2s−k+1=2k−1t of these. Furthermore, there are exactly 2k points P1 such that ν2(order(P1))≤k.
Let k be an integer such that 0≤k≤s. Note that
[TABLE]
This simplifies to the following
[TABLE]
Dividing this final expression by the order of the group ∣G∣=2r+stw gives us part (ii) of the lemma.
We are interested in counting the number of points P such that
[TABLE]
when s<k≤r. Because there are no points P1∈Z/2stZ such that ν2(order(P1))=k, we have
[TABLE]
Dividing the above expression by ∣G∣=2r+stw gives part (iii) of the lemma. Observe that the order of any element P=(P1,P2)∈G has an order which is the LCM of the orders of P1∈Z/2stZ and P2∈Z/2rwZ. Furthermore, since d1:=order(P1)∣2st and d2:=order(P2)∣2rw, combined with the fact that 2st∣2rw⇒s≤r, we have that lcm(d1,d2)∣2r, so ν2(order(P))≤r, which gives us part (iv) of the lemma.
∎
Definition 4.6**.**
Consider the group G≅Z/2stZ⊕Z/2rwZ, where t and w are odd and 2st∣2rw. Define the vector h(s,r) in R∞ such that the ith coordinate of h(s,r) is the proportion of points P∈G such that ν2(P)=i.
The proof of the following theorem involves a large amount of casework and computation and it is included in the Appendix section.
Theorem 4.7**.**
Suppose s1≤r1 and s2≤r2 and r1≥1. Then h(s1,r1)⋅h(s2,r2) is maximized when r1=r2=s1=s2=1.
Lemma 4.8**.**
Let p be a prime, α≥2, and E(Z/pαZ) be an elliptic curve. The proportion of points in E(Z/pαZ) with order divisible by p is at least pα−1pα−1−1.
Proof.
We prove the claim of the theorem by considering several cases.
Case (1):
p is anomalous for E and E(Z/pαZ)≅Z/pαZ
Every element has order pk for some 0≤k≤α. The only element with order 1 is the identity, so the proportion of points in E with order divisible by p is pαpα−1.
2. Case (2):
: E(Z/pαZ)≅Z/pα−1Z⊕E(Z/pZ)
If P≅(P1,P2) is in Z/pα−1Z⊕E(Z/pZ), and if the order of P1 is divisible by p, then the order of P is divisible by P. The proportion of points P=(P1,P2) in Z/pα−1Z⊕E(Z/pZ) with p dividing the order of P1 is at least pα−1pα−1−1.
(of Theorem 4.1)
We prove the claim of the theorem by considering several cases.
Case (1):
Suppose N is not squarefree.
By Lemma 4.2, the maximum proportion of points that N can be a strong G-pseudoprime for will occur when N=pα. Suppose N=pα and E(Z/NZ)≅E(Z/pαZ) with α>1. By Lemma 4.8, the proportion of points in E(Z/pαZ) with order divisible by p is at least pα−1pα−1−1. Since p∤N+1, if P has order divisible by p, then (N+1)P≡O and N is not a strong G-pseudoprime for (E,P). So the proportion of points in E(Z/NZ) for which N is a strong elliptic G-pseudoprime is at most p1<85.
2. Case (2):
Suppose N is squarefree. Since (N−d)=−1, there exists some prime p such that (p−d)=−1 thus ∣E(Z/pZ)∣=p+1. Since N is composite and squarefree, there exists a prime q∣N, q=p.
Suppose E(Z/pZ)≅Z/2s1t1Z⊕Z/2r1w1Z where t1 and w1 are odd and 2s1t1∣2r1w1 and E(Z/qZ)≅Z/2s2t2Z⊕Z/2r2w2Z where t2 and w2 are odd and 2s2t2∣2r2w2. N is a strong G-pseudoprime at a point P=(P1,P2), where P1∈E(Z/pZ) and P2∈E(Z/qZ), only if ν2(P1)=ν2(P2). The percentage of points that satisfy this is h(s1,r1)⋅h(s2,r2), with r1≥1 since ∣E(Z/pZ)∣ is even. By Theorem 4.7, this percentage is at most h(1,1)⋅h(1,1)=5/8 of the points in E(Z/NZ).
∎
Lemma 4.9**.**
Let p be an odd prime, and let E/Q:y2=x3+Ax+B be an elliptic curve that has good reduction at p. Write E(Z/pZ)≅Z/2stZ⊕Z/2rwZ, where t,w>0 are odd integers and 2st∣2rw. Then
•
s=r=0* if and only if x3+Ax+B is irreducible modp*
•
s=0* and r≥1 if and only if x3+Ax+B has one root modp*
•
r≥s≥1* if and only if x3+Ax+B has three roots modp*
Proof.
The points of order 2 on E(Z/pZ) are exactly the roots of x3+Ax+B mod p. Note this only works for p prime - this statement fails spectacularly for composite numbers. If there are no roots, then the P-Sylow theorems implies that ∣E(Z/pZ)∣ is odd since there are no points of order 2. Hence ap is odd. If there is one root, there is one point of order 2, so exactly one of r or s must be nonzero. But by assumption r≥s, so s=0 and r≥1. If there are three roots, there are three points of order 2, so both r and s must be at least 1. The converse of each statement in the theorem also holds since every point of order 2 is a root.
∎
Lemma 4.10**.**
Let E/Q be an elliptic curve with good reduction at an odd prime p. Write E(Z/pZ)≅Z/2stZ⊕Z/2rwZ, where t,w>0 are odd integers and 2st∣2rw. Then
•
s=r=0* with probability 3pp+1*
•
s=0* and r≥1 with probability 21*
•
r≥s≥1* with probability 6pp−2.*
Proof.
There are (3p)=6p(p−1)(p−2) such curves with 3 roots. There are p2 quadratic polynomials in Fp[x], and (2p)+p quadratic polynomials with roots in Fp. So there are p(p2−(2p)−p) such curves with 1 root. There are p3−p2−(3p)−p(p2−(2p)−p) such curves with no roots, and s=r=0. There are p3 cubic polynomials, and p2 cubic polynomials with repeated roots. So there are p3−p2 possible curves E(Z/pZ) with good reduction at p. The lemma follows from lemma 4.9 and the counting in the paragraph.
∎
Theorem 4.11**.**
Let N=p1α1...pkαk with 2∤N and p,q∣N. The probability a random point P≅(P1,...,Pk) has ν2(order(Pi)) all equal for a random curve E(Z/NZ)≅E(Z/p1α1Z)⊕...⊕E(Z/pkαkZ) is at most 32pq17pq+2p+2q+4.
Proof.
Let G(E,N) be the proportion of points P≅(P1,...,Pk) in E(Z/NZ)≅E(Z/p1α1Z)⊕...⊕E(Z/pkαkZ) such that ν2∣Pi∣ are all equal. Let E(Z/pZ)≅Z/2sitiZ⊕Z/2riwiZ and E(Z/qZ)≅Z/2sjtjZ⊕Z/2rjwjZ. Let ∣E∣ be the number of elliptic curves E(Z/NZ) with good reduction. Let ∣E′∣ be the number of elliptic curves E(Z/pZ)⊕E(Z/qZ) with good reduction at p and q. By Lemma 4.10 we have
•
r1=r2=s1=s2=0 with probability 9pq(p+1)(q+1)
•
r1=s1=s2=0 and r2≥1 with probability 6p(p+1)
•
r2=s2=s1=0 and r1≥1 with probability 6q(q+1)
•
s1=r1=0 and r2≥s2≥1 with probability 18pq(p+1)(q−2)
•
s2=r2=0 and r1≥s1≥1 with probability 18pq(q+1)(p−2)
•
s1=s2=0, r1≥1, and r2≥1 with probability 41
•
s1=0, r1≥1, and r2≥s2≥1 with probability 12p(p−2)
•
s2=0, r2≥1, and r1≥s1≥1 with probability 12q(q−2)
•
r1≥s1≥1 and r2≥s2≥1 with probability 36pq(p−2)(q−2)
By Lemma 4.2 and Lemma 4.3, we have that G(E,N)≤h(s1,r1)⋅h(s2,r2). Then
[TABLE]
∎
Corollary 4.12**.**
Let N=p1α1...pkαk with 2∤N and p and q the largest primes dividing N. The probability N is a strong S-pseudoprime for a random point P≅(P1,...,Pk) on a random curve E(Z/NZ)≅E(Z/p1α1Z)⊕...⊕E(Z/pkαkZ) is at most 32pq17pq+2p+2q+4.
4.1. Strongly Non-zero Point-wise Probabilities
In this section we prove similar probabilistic results for strong elliptic G-pseudoprime (strong elliptic S-pseudoprime) and strongly non-zero points on a given elliptic curve. As in Section 3, we will ignore the case where there are no strongly non-zero points. The proof of following theorem will be given at the end of this section. First we will show several results needed to prove the theorem.
Theorem 4.13**.**
Let E(Z/NZ) be an elliptic curve. A composite number N is a strong elliptic G-pseudoprime for at most 9/11 of the strongly non-zero points in E(Z/NZ).
The following lemma is a direct consequence of Lemma 4.5.
Lemma 4.14**.**
Suppose G≅Z/2stZ⊕Z/2rwZ where t and w are odd and 2st∣2rw. The percentage of strongly non-zero points P∈G such that ν2(order(P))=x is 2r+stw−1tw−1 for x=0, 2r+stw−13(22x−2)tw for 1≤x≤s, 2r+stw−12s+x−1tw for s+1≤x≤r, and 0 for x>r.
Definition 4.15**.**
Define the vector h′(s,r,t,w) to be the vector whose ith coordinate is the percentage of strongly non-zero points P∈G≅Z/2stZ⊕Z/2rwZ where t and w are odd and 2st∣2rw, such that ν2(P)=i.
The proof of the following theorem a large amount of casework and is placed in the Appendix section.
Theorem 4.16**.**
Suppose s1≤r1 and s2≤r2 and r1≥1 and 22s⋅22r⋅t2⋅w2>1. Then h′(s1,r1,t1,w1)⋅h′(s2,r2,t2,w2)≤h′(1,1,t1,w1)h′(1,1,t2,w2)
Finally, we give the proof of Theorem 4.13 stated at the beginning of this section.
Proof.
We prove the claim of the theorem by considering several cases.
Case (1):
Suppose N is not squarefree. By Lemma 4.2, the maximum proportion of strongly non-zero points that N can be a strong G-pseudoprime for will occur when N=pα. Suppose N=pα and E(Z/NZ)≅E(Z/pαZ) with α>1.
From the structure theorem for abelian groups, at least pαpα−1 of the strongly non-zero points in E(Z/pαZ) have order p. Since p∤N+1, if P has order p, then (N+1)P≡O and N is not a strong G-pseudoprime for (E,P). So N can be a strong G-pseudoprime for at most pα−11<119 of the strongly non-zero points in E(Z/NZ).
2. Case (2):
Suppose N is squarefree. Since (N−d)=−1, there exists some prime p dividing N such that (p−d)=−1 thus ∣E(Z/pZ)∣=p+1. Since N is composite and squarefree there exists a prime q∣N, q=p.
Suppose E(Z/pZ)≅Z/2s1t1Z⊕Z/2r1w1Z where t1 and w1 are odd and 2s1t1∣2r1w1 and E(Z/qZ)≅Z/2s2t2Z⊕Z/2r2w2Z where t2 and w2 are odd and 2s2t2∣2r2w2. N is a strong G-pseudoprime at a point P=(P1,P2), only if ν2(P1)=ν2(P2). The percentage of strongly non-zero points that satisfy this is h′(s1,r1,t1,w1)⋅h′(s2,r2,t2,w2), with r1≥1 since ∣E(Z/pZ)∣ is even. By Theorem 4.16, one can see that this percentage is at most 119.
∎
This proof of the following theorem follows directly along the lines of the proof of Theorem 4.11.
Theorem 4.17**.**
Let N=p1α1...pkαk with 2∤N and p,q∣N. The probability that a random strongly non-zero point P≅(P1,...,Pk) has ν2(order(Pi)) all equal for a random elliptic curve E(Z/NZ)≅E(Z/p1α1Z)⊕...⊕E(Z/pkαkZ) is at most 120pq78pq−5p−5q+12.
Corollary 4.18**.**
Let N=p1α1...pkαk with 2∤N and p and q the largest primes dividing N. The probability that N is a strong S-pseudoprime for a random strongly non-zero point P≅(P1,...,Pk) on a random curve E(Z/NZ)≅E(Z/p1α1Z)⊕...⊕E(Z/pkαkZ) is at most 120pq78pq−5p−5q+12.
Bibliography32
The reference list from the paper itself. Each links out to its DOI / PubMed record.
1[1] A. Abatzoglou, A. Silverberg, A. Sutherland and A. Wong, Deterministic elliptic curve primality proving for a special sequence of numbers , The Open Book Series , Vol. 1:1 (2013), 1–20.
2[2] W.R. Alford, A. Granville and C. Pomerance, There are infinitely many Carmichael numbers , Annals of Mathematics , Vol. 140 (1994), 703–722.
3[3] M. Agrawal, N. Kayal, N. Saxena, Primes is in P 𝑃 P , Annals of Mathematics , Vol. 160 (2004), 781–793.
4[4] L. Babinkostova, A. Hernandez-Espiet and H.J. Kim, On Types of Elliptic Pseudoprimes (ar Xiv:1710.05264).
5[5] D.J. Bernstion, P roving primality in essentially quartic random time, Mathematics of Computation , Vol. 76 (2007), 389-403.
6[6] K. A. Broughan, The gcd-sum function , Journal of Integer Sequences , Vol 4 (2001)
7[7] N. A. Carella, Sum of Divisors Function Inequality , (ar Xiv:0912.1866).
8[8] F. Diamond and J.Shurman, A First Course in Modular Forms , Graduate Texts in Mathematics , Vol. 228 , Springer-Verlag New York, 1st ed., (2005).