arxiv: v1 [math.gr] 15 Oct 2017

Transcription

1 ON TYPES OF ELLIPTIC PSEUDOPRIMES L. BABINKOSTOVA, A. HERNÁNDEZ-ESPIET, AND H. KIM arxiv: v [math.gr] 5 Oct 07 Abstract. We generalize Silverman s [9] notions of elliptic pseudoprimes and elliptic Carmichael numbers to analogues of Euler-Jacobi and strong pseudoprimes. We inspect the relationships among Euler elliptic Carmichael numbers, strong elliptic Carmichael numbers, products of anomalous primes and elliptic Korselt numbers of Type I, the former two of which we introduce and the latter two of which are respectively introduced by Mazur [] and Silverman [9]. In particular, we expand upon the work of Babinkostova et al. [] on the density of certain elliptic Korselt numbers of Type I which are products of anomalous primes, proving a conjecture stated in [].. Introduction The problem of efficiently distinguishing the prime numbers from the composite numbers has been a fundamental problem for a long time. One of the first primality tests in modern number theory came from Fermat Little Theorem: if p is a prime number and a is an integer, then a p a (mod p. However, the converse is not true, as there are many composite numbers N for which a N a (mod Nfor every a. These numbers are known as Fermat pseudoprimes for the base a. Analogous to the Fermt test, Gordon defined necessary but not sufficient test for primality using elliptic curves ([7], [8]. It is well known that given an elliptic curve E/Q with complex multiplication in Q( d and a prime p such that ( d p =, the order of E(F p is p +. In particular, (p + P would be the identity O of E(F p for every P E(F p. However, similarly to Fermat pseudoprimes, the converse need not be true. For a given composite number N for which E has good reduction at all primes dividing N and given a point P E(Q of infinite order, [8] defines N to be an elliptic pseudoprime if (N+P O (mod N. He also defines Euler elliptic pseudoprimes and strong elliptic pseudoprimes, analogous to Euler-Jacobi and strong pseudoprimes, both of which are founded upon conditions which are stronger than the one for elliptic pseudoprimes. Silverman [9] later generalizes Gordon s definition of elliptic pseudoprimes to include arbitrary elliptic curves over Q. Additionally, under his new definition of elliptic pseudoprimes he defines elliptic Carmichael numbers, analogous to Carmichael numbers. Silverman also finds criteria for when a number would be an elliptic Carmichael number, similar to the Korselt criterion for classical Carmichael numbers. For this he defined the notions of elliptic 00 Mathematics Subject Classification. 4H5, 4K, Y0, N5, G07, G0, B99. Key words and phrases. Elliptic curves, Pseudoprimes, Strong Elliptic Pseudoprimes, Euler Elliptic Pseudoprimes. Supported by the National Science Foundation under the Grant number DMS S Corresponding Author: liljanababinkostova@boisestate.edu.

2 Korselt numbers of Type I and elliptic Korselt numbers of Type II. He proved that elliptic Korselt numbers of Type I are always elliptic Carmichael numbers, but that the converse is not always true. On the other hand, Silverman [9] proved that a number is an elliptic Korselt number of Type II if and only if it is an elliptic Carmichael number. [] proves that any product of distinct anomalous primes is an elliptic Korselt number of Type I. In the present study we generalize Gordon s definitions of Euler elliptic pseudoprimes and strong Elliptic pseudoprimes using Silverman s notion of elliptic pseudoprimes. Using these new definitions, we then define Euler elliptic Carmichael numbers as well as strong elliptic Carmichael numbers. In particular, we identify Korselt criteria for Euler elliptic Carmichael numbers and strong elliptic Carmichael numbers. Using these criteria, we show that strong elliptic Carmichael numbers are generally Euler elliptic Carmichael numbers when applicable. We also present conditions under which elliptic Korselt numbers of Type I are equivalent to strong elliptic Carmichael numbers, as well as conditions for when elliptic Korselt numbers of Type I are equivalent to Euler elliptic Carmichael numbers.. eliminaries ( a.. Notation. For an integer a and a prime p, the Legendre symbol is defined as p ( a 0 if p a = if p a and a x p (mod p for some x Z/pZ otherwise. For an integer a and a positive odd integer N, the Jacobi symbol ( a N is an extension of the Legendre symbol; if the prime factorization of N is N = p e pe k k, then ( ( ( ek a a a = e. N p For an integer N and a prime p, the p-adic order, ord p (N, is the largest nonnegative integer e such that p e divides N if N 0 and is otherwise. Given that e = ord p (N, we also write p e N... Elliptic Curves. We introduce some elementary features of elliptic curves which are relevant to the topics presented in this paper. We refer the reader to [0] and [] for more detailed explanations on elliptic curves. Letk beafieldandletk beitsalgebraicclosure. AnellipticcurveE overkisanon-singular algebraic curve defined by a minimal Weierstrass equation E : y +a xy +a 3 y = x 3 +a x +a 4 x+a 6 where a,a,a 3,a 4,a 5,a 6 k. If the characteristic of k is neither nor 3, then the defining equation of E can be put, after a linear change of variables, in the Weierstrass normal form: p k E : y = x 3 +Ax+B. It is still possible, however, for the defining equation of E to be in the Weierstrass normal form even if k has characteristic 3. Associated to an elliptic curve E/k is a discriminant. If E is in the Weierstrass normal form, then = 6(4A 3 +7B. Moreover, must be nonzero for E to be non-singular; on the other hand, if = 0, then the algebraic curve is singular and is hence not an elliptic

3 curve. In this case, the projective points of the elliptic curve over k form an Abelian group. In particular, if the defining equation of E is homogenized, i.e. it is regarded as E : y z +a xyz +a 3 yz = x 3 +a x z +a 4 xz +a 6 z 3, then the identity of the group is the point O = [0 : : 0] in P (k. Furthermore, all of [ the other points are in the affine plane A (k with respect to z, i.e. they are of the form x : y : ] P (k. z z The points of order of E(k are exactly those of the form (x,y = [x : y : ] where y + a x + a 3 = 0. If the defining equation of E is in Weierstrass normal form, then this condition becomes y = 0. Moreover, 0 = y = x 3 +Ax+B. Let l/k be a finite field extension. The set E(l, which is defined as E(k P (l, is a subgroup of E(k. Moreover, E(l is a finite group if k is a finite field. Let q be some prime power. Hasse s Theorem shows that #E(F q = q +, where is an integer satisfying q. In addition, E(F q can be generated by at most two elements. Now let E be an elliptic curve over Q and let p be a prime. A change of variables can modify the equation defining E to have integer coefficients, so assume that the equation defining E has integer coefficients. As long as is not divisible by p, one can reduce E modulo p to obtain the elliptic curve group E(Z/pZ = E(F p. If is divisible by p, then E has good reduction at p. Given that E/Q has good reduction at every prime dividing an integer N, Silverman [9, Remark ] explains a way to view E(Z/NZ as a group. Let the prime factorization of N be N = p e p e k k with distinct primes p,...,p k. Silverman identifies a natural isomorphism by the Chinese Remainder Theorem: E(Z/NZ E(Z/p e Z E(Z/pe k k Z. In particular, the identity point O of E(Z/NZ is the unique point of E(Z/NZ which reduces to O modulo p e i i for each i. Associated to E/Q is the L-function L(E,s, which can be defined as the Euler product L(E,s = a p p p s + E (pp s where E (p = { if E has good reduction at p 0 otherwise and a p = p + #E(Z/pZ whether or not E has good reduction at p. Alternatively expressing L(E,s as the Dirichlet series L(E,s = a n n n s, the map sending a positive integer n to the coefficient a n is a multiplicative function with a = a p e = a p a p e E (ppa p e for all e. See [5, Chapter 8.3] and [0, Appendix C, Section 6] for more on L-series of elliptic curves. Again, let E be an elliptic curve over Q. Since E(Q is an Abelian group, it has an endomorphism ring End(E. In particular, End(E is isomorphic either to Z or to an order 3

4 in an imaginary quadratic field, say Q( d where d is a positive squarefree integer. In the latter case, E is said to have complex multiplication in Q( d. Let E/Q be an elliptic curve with complex multiplication in Q( d and let N > 0 be an integer whose prime factors are all greater than 3 and such that the Jacobi symbol ( d N is. In this case, there is some prime p such that the p-adic order ord p (N is odd and ( d p =. By [, oposition 4.3 and Theorem 0.7], a p 0 (mod p. Moreover, a p p by Hasse s Theorem, so a p = 0 because p > 3. Since ord p (N is odd, a p ordp(n = 0 and since n a n is a multiplicative function, a N = Elliptic Pseudoprimes. By Fermat s Little Theorem, a p a (mod p for any prime p andany a Z/pZ. Correspondingly, acomposite integer N is calledafermat pseudoprime with respect to a nonzero base a Z/NZ if a N a (mod N. In this case, N is called a pseudoprime because it displays a behavior that it would if it were prime. In [7, 8] Gordon introduces elliptic pseudoprimes, much like Fermat pseudoprimes. While the notion of an elliptic pseudoprime in [7, 8] is given with respect to an elliptic curve E/Q and a point P E(Q of infinite order, we will also apply these definitions to points P E(Z/NZ. Definition.. [8] Let E/Qbeanelliptic curve withcomplex multiplication in Q( d, let P be a point in E of infinite order, and let N be a composite number with gcd(n,6 =. Then, N is an elliptic pseudoprime for (E,P if ( d N = and (N +P O (mod N. Again, N is a pseudoprime in this case because it displays a behavior that it would if it were prime. Indeed, if N is a prime, then a N = 0 as shown in Section.. Thus, #E(Z/NZ = N +, so (p + P O (mod p for all P E(Z/pZ. N is therefore guaranteed to be composite if (N + P O (mod N, but N may or may not be prime if (N + P O (mod N. For more details on computing multiples of points of elliptic curves modulo N, see [, Chapter 3.] or Appendix A. In [7, 8], Gordon defines also the notion of Euler elliptic pseudoprimes and strong elliptic pseudoprimes, analogously to Euler-Jacobi pseudoprimes and strong pseudoprimes, respectively. Let p be an odd prime and let a Z/pZ be nonzero. Since a p (mod p and since Z/pZ is a field, a p ± (mod p. An odd composite integer N is called an Euler pseudoprime with respect to a nonzero base a Z/NZ if a N ± (mod N. In fact, Euler shows that a p ( a p (mod p. This criterion is the basis to the Solovay-Strassen test []. An odd composite integer N is called an Euler-Jacobi pseudoprime with respect to a nonzero base a Z/NZ if a N ( a N (mod N. Strong pseudoprimes are adversaries to the Miller-Rabin primality test [3, 6]. For an odd prime p, express p as p = s t where s,t Z with t odd. For any nonzero a Z/pZ, one of the following holds: (i a t (mod p or (ii a rt (mod p for some integer r with 0 r < s. More generally, a p k+ = 0 and a p k = ( p k for k 0 given that a p = 0 4

5 As such, an odd composite number N is a strong pseudoprime for a nonzero base a Z/pZ if, when expressing N = s t with t odd, (i a t (mod N or (ii a rt (mod N for some integer r with 0 r < s. Just as in the definition of elliptic pseudoprimes, N + takes the place of N in the definition for Euler elliptic pseudoprime and strong elliptic pseudoprime. Definition.. [8] Let E/Q be an elliptic curve with complex multiplication in Q( d, let P beapoint in E of infinite order and let N be a composite number with gcd(n,6 =. Given that N is an elliptic pseudoprime for (E,P, N is an Euler elliptic pseudoprime for (E,P if ( { N + O (mod N if P = Q for some Q E(Z/NZ P a -torsion point modulo N otherwise. For a prime p, recall that the points of order in E(Z/pZ are exactly the points of the form (x,y = [x : y : ] where y + a x + a 3 0 (mod p. Recall that such points are exactly the points of the form (x,0 = [x : 0 : ] if E is in Weierstrass normal form. If P is not a double point modulo N and if ( N+ P is not O or of the form [x : y : ] where y+a x+a 3 0 (mod N, then N must be composite. We therefore not consider such an N to be an Euler elliptic pseudoprime, even if ( N+ P O (mod N. In other words, by a -torsion point modulo N, we consider the point O or a point of the form [x : y : ] where y +a x+a 3 0 (mod N. For a prime p, the points of order in E(Z/pZ are exactly the points of the form (x,0 = [x : 0 : ]. If P is not a double modulo N and if ( N+ P is not O or of the form [x : 0 : ], then N must be composite. We will therefore not consider such an N to be an Euler elliptic pseudoprime, even if (( N+ P O (mod N. In other words, by a -torsion point modulo N, we will mean O or a point of the form [x : 0 : ]. In [8], Gordon does not quite define Euler elliptic psuedoprimes as above. If p is a prime and if #E(Z/pZ = p+, then by [7, Lemma 4.8] we have that E(Z/pZ Z/(p+Z or Z/((p+/Z Z/Z, with the latter case happening only if p 3 (mod 4. Gordon thus puts the additional restriction that N (mod 4 and requires that ( N+ P is a -torsion point modulo N which is not O in the case that P Q for all Q E(Z/NZ. Nevertheless, we will allow for N 3 (mod 4 when defining Euler elliptic pseudoprimes. Definition.3. Let E/Q be an elliptic curve with complex multiplication by an order in Q( d, let P be a point in E of infinite order, and let N be a composite number with gcd(n,6 =. Further let s and t be integers satisfying N+ = s t, where t is odd. Given that N is an elliptic pseudoprime for (E,P, N is a strong elliptic pseudoprime for (E,P if (i tp = O (mod N or (ii ( r tp is a point of order modulo N, for some r with 0 r < s. Similarly as before, we will say that a point P E(Z/NZ is a point of order modulo N if and only if P is of the form [x : y : ] where y+a x+a 3 0 (mod N. Equivalently, by the Chinese Remainder Theorem, P reduces to a point [x : y : ] modulo p e such that y +a x +a 3 0 (mod p e for every p e N. 5

6 Example.4. The following example is a corrected version of the example given in [4] and it shows that strong elliptic pseudoprimes do not need to be Euler elliptic pseudoprimes. N = = and let E be the curve E : y = x x 98000, given in [8, Table ], and with complex multiplication in Q( 7, and let P = (84,884 E. Note that N (mod 4 and =. ( 7 N (N +P O (mod N, so N is an elliptic pseudoprime for (E,P. Müller in fact uses this example to show that not all strong elliptic pseudoprimes are Euler elliptic pseudoprimes. While she states that ( N + P ( , 0 (mod N, the point ( , 0 is not in E(Z/NZ. In fact, ( N + P ( , 0 (mod N. Since N+ is odd, N is a strong elliptic pseudoprime for (E,P. On the other hand, there is a point Q = ( , on E(Z/NZ such that Q (84,448 P (mod N. Thus, N is not an Euler elliptic pseudoprime. For more errors that we note in [4], see Appendix B. Similarly, Euler elliptic pseudoprimes are not necessarily strong elliptic pseudoprimes. Example.5. Let N = 7739 = 7 09, E : y = x 3 056x+335 and P = (33,. As listed in [8, Table ], E has complex multiplication in Q( and ( N =. Moreover, N + = 7740 = 935. Compute 935P O (mod 7 and 935P (0,0 (mod 09, so N is not a strong elliptic pseudoprime. However, N is an Euler elliptic pseudoprime because ( N + P ( 935P O (mod N. 3. Euler elliptic pseudoprimes and Strong elliptic pseudoprimes In [9], Silverman extends Gordon s aforementioned notion of elliptic pseudoprimes by allowing any elliptic curve E/Q, not just elliptic curves with complex multiplication. 6

7 Definition 3.. [9] Let N Z, let E/Q be an elliptic curve, and let P E(Z/NZ. Write the L-series of E/Q as L(E/Q,s = a n n n s. Call N an elliptic pseudoprime for (E,P if N has at least two distinct prime factors, E has good reduction at every prime p dividing N, and (N + a N P O (mod N. We similarly extend Gordon s notions of Euler elliptic pseudoprimes and strong elliptic pseudoprimes, by allowing general elliptic curves over Q and using N + a N in place of N +. Definition 3.. Let N Z, let E/Q be an elliptic curve, and let P E(Z/NZ. Write the L-series of E/Q as L(E/Q,s = a n n n s and suppose that N + a N is even. Then, N is an Euler elliptic pseudoprime for (E,P if N has at least two distinct prime factors, E has good reduction at every prime p dividing N, and ( { N + an O (mod N if P = Q for some Q E(Z/NZ P a -torsion point modulo N otherwise. Remark 3.3. Since the definition of Euler elliptic pseudoprime requires the inspection of the multiple ( N+ a N P, it makes little sense to discuss whether N is an Euler elliptic pseudoprime if N + a N is odd. Definition 3.4. Let N Z, let E/Q be an elliptic curve given by a minimal Weierstrass equation, and let P E(Z/NZ. Write the L-series of E/Q as L(E/Q,s = a n n n s. Let s and t be integers satisfying N + a N = s t, where t is odd. Then, N is a strong elliptic pseudoprime for (E,P if N has at least two distinct prime factors, E has good reduction at every prime p dividing N, and (i tp O (mod N or, given that N + a N is even, (ii ( r tp is a point of order modulo N for some r with 0 r < s. If N + a N is odd in the above definition, then condition (ii above becomes vacuous as s = 0. Just as Silverman s definition of elliptic pseudoprimes extend Gordon s definition of elliptic pseudoprimes, these definitions of strong and Euler elliptic pseudoprimes extend Gordon s definitions of strong and Euler elliptic pseudoprimes. As such, we can refer to these definitions of elliptic, strong elliptic, and Euler elliptic pseudoprimes without ambiguity. A Carmichael number N is a composite number which is a Fermat pseudoprime for all nonzero bases a Z/NZ. Silverman [9] not only extends Gordon s [7, 8] definition of elliptic pseudoprime, but also introduces the notion of elliptic Carmichael numbers, akin to Carmichael numbers in the classical sense. Definition 3.5. Let N Z and let E/Q be an elliptic curve. If N is an elliptic pseudoprime for (E,P for every point P E(Z/NZ, then N is an elliptic Carmichael number for E. We likewise define Euler elliptic Carmichael numbers and strong elliptic Carmichael numbers as follows: Definition 3.6. Let N Z and let E/Q be an elliptic curve. If N is an Euler elliptic pseudoprimefor(e,pforevery point P E(Z/NZ, thenn isaneuler elliptic Carmichael number for E. 7

8 Definition 3.7. Let N Z and let E/Q be an elliptic curve. If N is a strong elliptic pseudoprime for (E,P for every point P E(Z/NZ, then N is a strong elliptic Carmichael number for E. 4. Korselt Criteria for Euler elliptic Carmichael numbers and strong elliptic Carmichael numbers The following, by Korselt [0], gives a necessary and sufficient condition for a composite number to be a Carmichael number. Theorem 4.. A composite number N is a Carmichael number if and only if (i N is squarefree and (ii for every prime p dividing N, (p (N. Silverman [9] introduces two notions of elliptic Korselt numbers. Any number satisfying the following elliptic Korselt criterion must be an elliptic Carmichael number, but the converse is not generally true. Definition 4.. Let N Z, and let E/Q be an elliptic curve. Then, N is an elliptic Korselt number for E of type I if N has at least two distinct prime factors and, for every prime p dividing N, (i E has good reduction at p, (ii p+ a p divides N + a { N, and if a p (mod p (iii ord p (a N ord p (N 0 if a p (mod p. oposition 4.3 ([9], oposition. Let N Z be an odd integer and let E/Q be an eliptic curve. If N is an elliptic Korselt number for E of type I, then N is an elliptic Carmichael number for E. Silverman s second elliptic Korselt criterion gives a necessary and sufficient condition for an integer to be an elliptic Carmichael number for an elliptic curve. In doing so, we will use the following notation, as he does in [9, Page 8], for the exponent of a group: Definition 4.4. For a group G, denote ǫ(g as the exponent of G, i.e. the least positive integer such that g ǫ(g = for all g G. Equivalently, ǫ(g is the least common multiple of the orders of all of the elements of G. For an elliptic curve E/Q, an integer N, and a prime p dividing N at which E has good reduction, write ǫ N,p (E = ǫ ( E ( Z/p ordp(n Z. Definition 4.5. Let N Z and let E/Q be an elliptic curve. We say that N is an elliptic Korselt number for E of type II if N has at least two distinct prime factors and if, for every prime p dividing N, (i E has good reduction at p and (ii ǫ N,p (E divides N + a N. oposition 4.6 ([9], oposition. Let N > be an odd integer, and let E/Q be an elliptic curve. Then, N is an elliptic Carmichael number for E if and only if N is an elliptic Korselt number for E of type II. 8

9 opositions 4.8 and 4.9 below give necessary and sufficient Korselt criteria for Euler elliptic Carmichael numbers and strong elliptic Carmichael numbers. We first prove Lemma 4.7 to emphasize that all elements of an Abelian group of odd order are doubles. Lemma 4.7. Let G be an Abelian group of odd order. For all g G, there is a g G such that g = g. oof. Let g G and say that G decomposes into cyclic groups as follows for odd positive integers n,...,n k : G Z/n Z Z/n k Z. Furthermore, suppose that g corresponds to (c,...,c k in Z/n Z Z/n k Z, where c i Z/n i Z for each integer i with i k. Note that c i = (( n i + ci. Therefore, g = g where g corresponds to (( ( n + nk + c,..., c k in Z/n Z Z/n k Z The proposition below shows the equivalent condition for Euler elliptic Carmichael numbers. oposition 4.8. Let N Z be an integer with at least two distinct prime factors, let E/Q be an elliptic curve, and suppose that N + a N is even. Then, N is an Euler elliptic Carmichael number if and only if, for every prime p dividing N, (i E has good reduction at p and (ii ǫ N,p (E divides N+ a N. oof. Suppose that E has goodreduction at p and that ǫ N,p (E divides N+ a N for all prime powers p e N. For all P E(Z/NZ, ( N+ a N P O (mod p e, so ( N+ a N P O (mod N. Conversely, suppose that N is an Euler elliptic Carmichael number for E. In particular, E has good reduction at every prime dividing N. For each prime power p e N, there is an element of E(Z/p e Z of order ǫ N,p (E. Via the Chinese Remainder Theorem, let P be a point of E(Z/NZ such that P has order ǫ N,p (E modulo p e for all prime powers p e N. If ǫ N,p (E is odd for every prime p dividing N, then P Q (mod N for some Q E(Z/NZ by Lemma 4.7. Therefore, ( N+ a N P O (mod N, so ǫn,p (E must divide N+ a N for all primes p dividing N. Now assume that there are prime powers p e N such that ǫ N,p (E is even. In this case, P is not a double modulo p e whenever ǫ N,p (E is even, so P is not a double modulo N. Since N is an Euler elliptic Carmichael number for E, ( N+ a N P is a -torsion point modulo N. If ( N+ a N P O (mod N, then ǫn,p (E N+ a N for all primes p dividing N, which is the desired result. Suppose for contradiction that ( N+ a N P has order modulo N. Let P be a point of E(Z/NZ which satisfies { P P (mod p e if p e N with ǫ N,p (E even P (mod p e if p e N with ǫ N,p (E odd. 9

10 Note that P is a double modulo p e for every prime power p e N as all points of E(Z/p e Z are doubles if ǫ N,p (E is odd. Therefore, ( N+ a N P O (mod N, but ( ( N + an N P + an P O (mod p e for every prime power p e N such that ǫ N,p (E is odd. There is thus no prime p dividing N for which ǫ N,p (E is odd. Fix a prime power p e N. Now let P be a point of E(Z/NZ which satisfies { P P (mod p e if p = p,e = e P (mod p e if p e N with p p. Since N has at least two distinct prime factors and ǫ N,p (E is even for all primes p dividing N, P is not a double in E(Z/NZ. Therefore, ( N+ a N P is a -torsion point. However, ( (( N + an N P + an P O (mod p e, but ( (( N + an N P + an P O (mod p e for all prime powers p e N different from p e, which is a contradiction. Hence, ( N+ a N P does not have order modulo N, i.e. ǫ N,p (E N+ a N for all primes p dividing N. Similarly, the proposition below gives an equivalent condition for strong elliptic Carmichael numbers. oposition 4.9. Let N Z be an odd integer with at least two distinct prime factors, let E/Q be an elliptic curve, and let s and t be integers satisfying N + a N = s t where t is odd. Then, N is a strong elliptic Carmichael number if and only if, for every prime p dividing N, (i E has good reduction at p and (ii ǫ N,p (E divides t. oof. Suppose that E has good reduction at p and that ǫ N,p (E divides t for all prime powers p e N. Since ǫ N,p (E is the exponent of E(Z/p ordp(n Z, tp O (mod p e for every P E(Z/NZ. By the Chinese Remainder Theorem, tp O (mod N, so N is a strong elliptic Carmichael number. Conversely, suppose that N is a strong elliptic Carmichael number for E. In particular, E has good reduction at every prime dividing N. There is an element of E(Z/p ordp(n Z of order ǫ N,p (E. Via the Chinese Remainder Theorem, let P be a point of E(Z/NZ such that P has order ǫ N,p (E modulo p e for all p e N. Suppose for contradiction that ǫ N,p (E t for some prime p dividing N. Consequently, tp O (mod N. Since N must be a strong elliptic pseudoprime for (E,P, there is some integer r satisfying 0 r < s for which ( r tp is a point of order modulo N. There is also some p e N such that tp O (mod p e. In fact, this must hold for all p e N; otherwise, ( r tp O (mod p e, so ( r tp would not be a point of order modulo p e. 0

11 Choose some p e N. Let P be a point of E(Z/NZ which satisfies { P P (mod p e if p = p,e = e P (mod p e if p e N with p p. Note that tp is nonzero modulo p e for all p e N with p p. We show that there is no integer r satisfying 0 r < s for which ( r tp is a point of order modulo p e for all p e N. In the case where r = r, ( r tp is O modulo p e and is of order modulo p e for all p e N with p p. If r > r, then ( r tp O (mod N. On the other hand, if r < r, then ( r tp has order greater than modulo p e for all p e N with p p. There is thus no such r as desired, so N is not a strong elliptic pseudoprime for (E,P, which is a contradiction. Hence, ǫ N,p (E divides t for all primes p dividing N as desired. Remark 4.0. LetN beacompositenumberwhichiseithernotaneulerellipticcarmichael number or not a strong elliptic Carmichael number. In the above propositions, we guarantee the existence of a point P E(Z/NZ for which N is not an Euler elliptic Carmichael number/a strong elliptic Carmichael number for (E, P. This does not, however, guarantee a point P E(Z/NZ for which N is an Euler elliptic Carmichael number/a strong elliptic Carmichael number for (E,P and such that P O (mod p e for all prime powers p e N. We cannot guarantee in general because there might not exist any P E(Z/NZ for which P O (mod p e for all prime powers p e N. In particular, if 3 divides N and if E : y = x 3 +Ax+B where A B (mod 3, then E(Z/3Z is the trivial group. We might also not be able to guarantee this when ǫ N,p (E is at most for every prime p dividing N. For instance, let N = = 3 7 and consider the curve E : y = x 3 +4x+6. We have a 3 = 0,a 7 = 4, so a N = 0 and ǫ N,3 (E = ǫ N,7 (E =. Note that N+ a N =, so N is not an Euler elliptic Carmichael number and is not a strong elliptic Carmichael number for E. However, for all points P E(Z/NZ such that P O (mod p e for all prime powers p e N, ( N+ a N P P (mod N, which is a point of order modulo N. Therefore, N is both an Euler elliptic pseudoprime and a strong elliptic pseudoprime for (E, P. On the other hand, if ǫ N,p (E > for all primes p dividing N, then there is a point P E(Z/NZ such that P O (mod p e for all prime powers p e N. With P and P defined to be points of E(Z/NZ as in the proofs of propositions 4.8 and 4.9, we have P,P O (mod p e for all prime powers p e N. For a prime p, we show that ǫ(e(z/pz >. By Hasse s Theorem, #E(Z/pZ p+ p = ( p > (3 = 4. Therefore, #E(Z/pZ must either be divisible by an odd prime or be a power of which is greater than4. Since E(Z/pZ is generated by at most elements, the exponent ǫ(e(z/pz of E(Z/pZ is greater than. To summarize, if all of the prime factors of N are at least, and if N is not an Euler elliptic Carmichael number/a strong elliptic Carmichael number, then there is some P E(Z/NZ which reduces to a nonzero point modulo p e for every prime power p e N. Example 4.. There exist Euler elliptic Carmichael numbers under Gordon s conditions, i.e. that E has complex multiplication in Q( d, gcd(n,6 =, and ( d N =. Let E be the curve E : y = x , which has complex multiplication in Q( 3 and let

12 N = 69 = 9. We have that ( d N =, ǫn,9 (E = 30 and ǫ N, (E = 5. Moreover, since N+ a N = 3060, ǫ N,p (E N+ a N for p = 9,. On the other hand, there are no strong elliptic Carmichael numbers in Gordon s sense. Corollary 4.. Let E/Q be an elliptic curve with complex multiplication in Q( d, let N be a composite number with gcd(n,6 = and ( d N =. Then, N is not a strong elliptic Carmichael number. oof. Since ( ( d N =, there is some prime p dividing N for which d =. In p particular, a p = 0, so #E(Z/pZ = p +. The exponent ǫ N,p (E of E(Z/p ordp(n Z is therefore even, which implies that ǫ N,p (E t as t is odd. However, strong elliptic Carmichael numbers exist in general. We first define the notion of anomalous primes, introduced by Mazur []. Definition 4.3. Let E/Q be an elliptic curve and let p be a prime number at which E has good reduction. In this case, p is said to be an anomalous prime for E if #E(Z/pZ = p. Corollary 4.4. Let E/Q be an elliptic curve and let N = p p k where p,...,p k > 3 are distinct anomalous primes for E. Then, N is a strong elliptic Carmichael number for E. oof. For each i, a pi =, so a N = as well. Moreover, #E(Z/p i Z = p i, so ǫ N,pi (E = p i. N is odd, so N + a N = N is odd and #E(Z/p i Z N. Furthermore, strong elliptic Carmichael numbers are Euler elliptic Carmichael numbers in general where applicable. Corollary 4.5. Let E/Q be an elliptic curve and let N be a strong elliptic Carmichael number. If N + a N is even, then N is also an Euler elliptic Carmichael number. oof. For all primes p dividing N, E has good reduction at p and ǫ N,p (E divides t, the largest odd factor of N + a N by oposition 4.8. Therefore, ǫ N,p (E divides N+ a N so N is an Euler elliptic Carmichael number by oposition 4.9, 5. Relationship between Euler elliptic Carmichael numbers, strong elliptic Carmichael numbers and Elliptic Korselt numbers of Type I By oposition 4.3, elliptic Korselt numbers for E/Q of Type I are elliptic Carmichael numbers, but elliptic Carmichael numbers are generally not elliptic Korselt numbers for E/Q of Type I. The same holds true for Euler elliptic Carmichael numbers and strong elliptic Carmichael numbers, so we consider the relationships of Euler elliptic Carmichael numbers and strong elliptic Carmichael numbers to elliptic Korselt numbers of Type I. Example 5.. As in [9, Example 9], let E be the elliptic curve E : y = x 3 +7x+3 and N = 7563 = 43 64, which is a Type I Korselt number for E. We have a 43 =, a 64 = 5, ǫ N,43 (E = 4 and ǫ N,657 (E = 657, so a N = 30. Note that ( N+ a N = 3797, but 4 does not divide Therefore, N is neither an Euler elliptic Carmichael number nor a strong elliptic Carmichael number for E. oposition 5. below summarizes when elliptic Korselt numbers of Type I are Euler elliptic Carmichael numbers.

13 oposition 5.. Let E/Q be an elliptic curve and let N be an elliptic Korselt number of Type I for E. Suppose that N + a N is even. Then, N is an Euler elliptic Carmichael number for E if and only if, for every prime p dividing N, (i (p+ a p ( N+ a N or (ii E(Z/pZ has exactly three elements of order. oof. Whenever p is a fixed prime dividing N, express the cyclic group decomposition of E(Z/pZ as E(Z/pZ Z/δZ Z/ǫZ where δ ǫ. In particular, p+ a p = #E(Z/pZ = δǫ and ǫ is the exponent of E(Z/pZ. Suppose that N is not only an elliptic Korselt number of type I but also an Euler elliptic Carmichael number for E. Let p be a prime dividing N and further suppose that (p+ a p ( N+ a N. We show that E(Z/pZ has exactly three elements of order. Since N is an elliptic Korselt number of type I for E, (p+ a p (N+ a N. Therefore, ord (p+ a p = ord (N + a N. Suppose for contradiction that p + a p 0 (mod p, i.e. a p (mod p. If a p =, then #E(Z/pZ = p+ a p = p, so ǫ = p. Since N is odd and since p divides (N+ a N, p must divide ( N+ a N, which is a contradiction. Thus, ap. If p 7, then a p (mod p is equivalent to a p = as a p p by Hasse s Theorem, so p 5. One can easily check that #E(Z/pZ = p + a p = p. On the other hand, #E(Z/pZ = δǫ and δ ǫ, so δ = and ǫ = p. In particular, ǫ = p + a p. Recall that ǫ N,p (E is the exponent of E(Z/p ordp(n Z, so ǫ divides ǫ N,p (E. Since N is an Euler elliptic Carmichael number for E, ǫ N,p (E ( N+ a N. However, ǫ = p + ap, so (p + a p ( N+ a N, which is a contradiction. Hence, p+ a p 0 (mod p, so p+ a p is indivisible by p. Now suppose for contradiction that δ is odd. Since δǫ = p + a p, ord (ǫ = ord (p + a p. Moreover, by [0, The discussion leading up to oposition 6], ǫ N,p (E = p e ǫ for some nonnegative integer e because p does not divide p + a p. In particular, ord (ǫ = ord (ǫ N,p (E. Since ǫ N,p (E ( N+ a N, ord (p + a p = ord (ǫ = ord(ǫ N,p (E < ord (N + a N, which contradicts that ord (p+ a p = ord (N + a N. Hence, δ is even. Since δ is even and δ divides ǫ, ǫ must be even. In particular, the -torsion subgroup of E(Z/pZ is isomorphic to Z/Z Z/Z. There are therefore exactly three points of order in E(Z/pZ as desired. Conversely, suppose that N is an elliptic Korselt number of Type I such that (i or (ii holds for every prime p dividing N. Since N is an elliptic Korselt number of Type I, an argument in [9, Equations (4.4 and (4.6] shows that p ordp(n (p+ a p (N + a N. [9, Remark 4] further gives an exact sequence ( 0 pz/p ordp(n Z E(Z/p ordp(n Z E(Z/pZ 0. Suppose that p+ a p is not divisible by p. In this case, E(Z/p ordp(n Z Z/p ordp(n Z E(Z/pZ, so ǫ N,p (E = p ordp(n ǫ, where ǫ is the exponent of E(Z/pZ as before. We show that ǫ ( N+ a N. If (p + ap ( N+ a N (, then ǫ N+ an because ǫ (p+ a p. On the other hand, if E(Z/pZ has exactly three elements of order, then 3

14 the -torsion subgroup of E(Z/pZ is isomorphic( to Z/Z Z/Z. In particular, δ is even. Since δǫ = #E(Z/pZ = p + a p, ǫ divides p+ ap. Either way, ǫ divides ( N+ a N as desired. Recall that p ordp(n (N + a N, so p ordp(n ( N+ a N. Therefore, ǫ N,p (E ( N+ a N. Now suppose that p + a p is divisible by p. By [9, oposition 6], p + a p = p or p. Since δ ǫ and δǫ = p + a p, δ = and ǫ = p + a p. Therefore, E(Z/pZ does not have exactly three elements of order, so (p + a p ( N+ a N. Recall that p ordp(n (p+ a p (N + a N and since p is odd, p ordp(n (p+ a p ( N+ a N. [9, oposition 6] shows that ǫ N,p (E p ordp(n (p + a p, so ǫ N,p (E ( N+ a N as desired. The following summarizes when elliptic Korselt numbers of Type I are strong elliptic Carmichael numbers. Corollary 5.3. Let E/Q be an elliptic curve and let N be an elliptic Korselt number of Type I for E. Then, N is a strong elliptic Carmichael number for E if and only if p+ a p is odd for all primes p dividing N. oof. If p + a p is odd for all primes p dividing N, then ǫ N,p (E is also odd because ǫ N,p (E (p + a p. Moreover, (p + a p (N + a N because N is an elliptic Korselt number of Type I for E, so ǫ N,p (E divides the largest odd factor of N + a N. By oposition 4.9, N is a strong elliptic Carmichael number for E. If p+ a p is even for some prime p dividing N, then ǫ N,p (E is also even because some element of E(Z/pZ must have even order. Therefore, ǫ N,p (E cannot divide the largest odd factor of N + a N, so N is not a strong elliptic Carmichael number for E by oposition operties of Elliptic Korselt Numbers of Type I In [, oposition 4.3] the authors show that products of distinct anomalous primes for an elliptic curve E/Q are elliptic Korselt numbers of Type I for E. Here we deal with the question how often is an elliptic Korselt number of Type I also the product of distinct anomalous primes and prove the following conjecture from []. Conjecture 6.. For M 7, let 5 p,q M be distinct primes chosen uniformly at random, and letn = pq. LetE(Z/NZ be an ellipticcurve, also chosenuniformlyatrandom, with good reduction at p and q such that #E(Z/pZ = p+ a p and #E(Z/qZ = q+ both divide N + a N. Then lim [#E(Z/NZ = N + a N] =. M Note that given p,q 7, N = pq is an elliptic Korselt number of Type I if and only if #E(Z/pZ and #E(Z/qZ divide N + a N by [, oposition 4.]. 6.. Bounds on the number of elliptic curves modulo p of prescibed order. We use Deuring s theorem [6] (see also [], for the number of elliptic curves modulo p having 4

15 prescribed ( ( order. Write a nonzero integer as = 0 f where 0 is square free. Let L s, 0 be the L-function ( ( ( n 0 L s, = 0 n s n= and let ψ(f be the multiplicative function defined by ( p p k if p ψ(p k = if ( if p+ p k p p 0 ( p 0 p 0 = 0 =. = The Kronecker class number H( is ( ( H( = π L, ψ(f. 0 The number of elliptic curves modulo p having prescribed order is described in terms of H. Lemma 6.. Let p be a prime. The number of isomorphism classes of elliptic curves E modulo p such that #E(Z/pZ = p+ t is H(t 4p. We will use upper and lower bounds for H( to prove Conjecture6.. Let ϕ be the Euler totient function. Using [9, Theorem 38], one can show that ( f ψ(f = O ( (loglogf. ϕ(f ( Since 0 is square free, 0 is a primitive Dirichlet character. The following is a classical ( ( result on the upper bound of L, 0 : ( ( Lemma 6.3. L, = O(log 0. 0 oof. By [5, Exercise 5.5.7], ( ( L, = 0 n x ( n 0 n ( 0 / log 0 +O x for any x. Letting x = 0 /, we have that ( ( ( L, = n ( 0 0 / log 0 +O 0 n 0 / n / 0 n +O(log 0 n / 0 = O(log 0. 5

16 Moreover, Siegel s Theorem [8] yields that ( ( ( L, = Ω 0 0 ǫ for every ǫ > 0. Assuming the generalized Riemann hypothesis, this result can be strengthened as ( ( ( L, = Ω. 0 loglog 0 As we summarize below, H( is nearly on the order of /. Lemma 6.4. For all ǫ > 0, In particular, for all ǫ > 0, / ǫ H( / log (loglog. / ǫ H( /+ǫ. Corollary 6.5. Let p and q be distinct primes, let N = pq and let a p and be integers with a p p and q. The probability that a randomly chosen elliptic curve E(Z/NZ satisfies #E(Z/pZ = p+ a p and #E(Z/qZ = q + is ( (4p a p /+ǫ (4q a q /+ǫ and O Ω pq ( (4p a p / ǫ (4q a q / ǫ for all ǫ > 0. In particular, the probability is ( (4q a q / ǫ O p / ǫ q and ( O pq (pq / ǫ oof. For a prime p, the number of automorphisms on an elliptic curve E(Z/pZ is bounded above by 6. Furthermore, the number of elliptic curves in an isomorphism class with representative E is (p /#AutE. There are thus Θ(p elliptic curves in each isomorphism class. There are also p p elliptic curves modulo p with goodreduction at p. By the Chinese Remainder Theorem, there are θ(p q elliptic curves modulo N with good reduction at p and q. By Lemma 6., the number of isomorphism classes of elliptic curves with order p+ a p is H(4p a p. The desired result holds by Lemma The proportion of choices for p,q,e such that p and q are anomalous primes for E. Next, we compute the probability that p and q are anomalous for E given that p and. also read [4, Chapter ] 6

17 q are random distinct primes 5 p,q M and given that E(Z/NZ is any random curve. Recall that N = pq. By the end of section 6.3, we aim to show that [a p or is not and (p+ a p,(q+ divide (N + a N ] = o([a p, = ] with respect to M. The idea behind Corollary 6.8 essentially shows that this is enough to prove the conjecture. Lemma 6.6. Let 5 p,q M be randomly chosen distinct primes and let N = pq. Let E(Z/NZ be an elliptic curve with good reduction at p and q. The probability that a p = = is ( Ω M +ǫ for all ǫ > 0. oof. By the ime Number Theorem, the number of primes below ( M is approximately M. The number of possible pairs of distinct p and q is thus Θ M, so logm (logm ( [p = p 0,q = q 0 and a p = = ] = Ω. p /+ǫ q /+ǫ M We estimate [a p = = ] p /+ǫ q /+ǫ M ( p,q distinct primes 5 p,q M M M M M p,q distinct primes 5 p,q M p,q primes with 5 p<q M p,q primes with 5 p<q M q prime 5 q M M q prime 5 q M 7 p prime 5 p q p /+ǫ q /+ǫ p /+ǫ q /+ǫ p /+ǫ q /+ǫ q /+ǫ p /+ǫ q /+ǫ p prime 5 p q p /+ǫ.

18 The k-th prime number is approximately klogk. Therefore, for all ǫ,ǫ > 0, (3 Combining ( and (3 yields p prime 5 p q p /+ǫ [a p = = ] M q prime 5 q M q logq k= q logq (klogk /+ǫ k /+ǫ+ǫ k= q logq x= x dx /+ǫ+ǫ q x / ǫ ǫ logq q / ǫ ǫ ǫ. q / ǫ ǫ ǫ q /+ǫ = M By replacing ǫ+ǫ +ǫ with ǫ, we effectively have [a p = = ] M q prime 5 q M for all ǫ > 0. oceeding as in (3, we bound [a p = = ] as [a p = = ] M +ǫ for all ǫ > 0. q ǫ q prime 5 q M q ǫ+ǫ +ǫ. Remark 6.7. Corollary 6.5 and Lemma 6.6 can be easily extended in the case in which N is the product of three or more distinct primes The proportion of choices for p,q,e such that p and q are not anomalous primes for E. In this section, we find an upper bound to the probability [a p or is not and (p+ a p,(q+ (N + a N ]. Lemma 6.7 identifies the upper bound by dividing the event a p or is not and (p+ a p,(q + (N + a N into several possibilities. One can then express the probability as a sum in which each summand corresponds to these possibilities. Lemmas 6.8 through 6.5 bound the summands. Lemma 6.8. Let p and q be primes with 5 p < q and let a p and be integers satisfying a p p, q and (q + (pq + a p. (i Given that a p and are not both, must not be. (ii cannot be 0. 8

19 oof. (i Suppose for contradiction that =. Here, q ( a p, but a p + a p + p + q. Since q 7, q is greater than + q. Therefore, a p = 0, which contradicts that a p and are not both. Hence, cannot be. (ii Suppose forcontradiction that = 0. In particular, (q+ (pq+. Moreover, q+ divides pq+p, so q+ must divide (pq+p (pq+ = p, but 0 < p < q+. Hence, is not zero. Lemma 6.9. Let p, a p, q, and be integers. The divisibility conditions (p+ a p,(q + (pq + a p hold if and only if (p+ a p ( a p q +qa p and (q + ( a p p+p. oof. Supposethat(p+ a p dividespq+ a p,i.e. thatpq+ a p 0 (mod p+ a p. Compute 0 (pq+ a p q(p+ a p a p q +qa p (mod p+ a p, so (p + a p ( a p q + qa p. One can reverse this computation to show that (p + a p ( a p q + qa p implies that (p + a p (pq + a p. Similarly, (q + ( a p p+p if and only if (q + ( a p p+p. With Lemma 6.9 in mind, we will now talk about the divisibility conditions interchangeably with (p+ a p,(q + (pq + a p (p+ a p ( a p q +qa p and (q + ( a p p+p. Lemma 6.0. Let q and be integers. Suppose that p 0 and a p0 are integers such that (q + ( a p0 p 0 +p 0. If p and a p are also integers such that (q + ( a p p+p, then for some integers k and α. Moreover, a p = a p0 +k(q + +( α and p = p 0 +k(q + α ( a p0 p 0 +p 0 ( a p p+p = k(q +. oof. Since q+ divides both a p0 p 0 +p 0 and a p p+p, q+ must divide ( a p0 p 0 +p 0 ( a p p+p = (a p a p0 +( (p p 0, i.e. there is some integer k such that Let x = a p a p0 and y = p p 0, so that k(q + = (a p a p0 +( (p p 0. k(q + = x+( y. 9

20 With k fixed, this is a linear diophantine equation in two variables. One solution to this is x = y = k(q +. Moreover, and are relatively prime, so all of the solutions take the form where α is an integer. x = k(q + +( α and y = k(q + α Lemma 6.. Let q be a prime number which is at least 7 and let 0, be an integer satisfying q. The number of distinct integer values of a p p+p q + where p is a prime such that 5 p < q and a p is an integer such that a p p is O(. oof. Given that such p 0 and a p0 exist, let p 0 be a prime such that 5 p 0 < q and a p0 be an integer such that a p0 p 0 and (q + ( a p0 p 0 +p 0. Suppose that p is also a prime such that 5 p < q and that a p is an integer such that a p p and (q + ( a p p+p. By Lemma 6.0, there are some integers k and α such that a p = a p0 +k(q + +( α and p = p 0 +k(q + α. Compute ( a p0 p 0 +p 0 ( a p p+p = k(q+. Thus, each value of k corresponds to its own integer value of a p p+p q +. Suppose that k. We arrive at a contradiction that a p > q. Since p is a prime number less than q, so 0 < p 0 +k(q + α < q, (4 p 0 k(q + < α < p 0 k(q + +q. Adding a p0 +k(q + +α to all three parts of the above inequality, we have Thus, a p0 +α p 0 < a p0 +k(q + +α α < a p0 +α p 0 +q. (5 a p0 +α p 0 < a p < a p0 +α p 0 +q. Note that 3(q + > q because q 7. Since k >, k(q + > (q + > 4q. Moreover, since 0 < p 0 < q and since is an integer, p 0 and p 0 q are both at most q. 0

21 In the case that > 0, (4 yields p 0 + k(q + = p 0 +k(q + If k > 0 as well, then k(q+ aq > 0, so > α > p 0 +k(q + q α > p 0 q + k(q + > q +4q = 3q. Since a p0 < p 0 < q < q, (5 implies that which is the desired contradiciton. If k < 0 instead, then k(q+ aq < 0, so This time, (5 yields but this is a contradiction as well. Now assume that < 0. By (4, q = q +3q q < a p0 +α p 0 < a p, α < p 0 q + k(q + p 0 + k(q + = p 0 +k(q + If k > 0, then k(q+ aq Therefore, (5 gives us If k < 0, then k(q+ aq Again, (5 implies that < q 4q = 3q. a p < a p0 +α p 0 +q < q 3q 0+q = q, < 0, so α < p 0 q + k(q + < α < p 0 +k(q + q < q 4q = 3q. a p < a p0 +α p 0 +q < q 3q 0+q = q. > 0, so α > p 0 + k(q + > q +4q = 3q. a p > a p0 +α p 0 > q +3q q = q. = p 0 q + k(q+. = p 0 q + k(q+. In all cases, a p > q as desired. Hence, k cannot be greater than, so the number of possible distinct values of k and, by extension, the number of possible distinct integer values of a p p+p q + is O(.

22 Lemma 6.. Let n be a positive integer. The number of divisors d(n of n satisfies for all ǫ > 0. d(n = o(n ǫ oof. See [, Theorem 3., (3 in page 96]. Lemma 6.3. Fix q to be a prime number which is at least 7 and fix 0, to be an integer satisfying 9 < q. Also let p be a prime such that 5 p < q and let a p be an integer satisfying a p p. Given that a p p+p q + is a fixed integer l 0, the number of distinct pairs of such (p,a p which also satisfy (p+ a p ( a p q +qa p is o(q ǫ for all ǫ > 0. oof. Suppose that p 0 is a prime such that 5 p 0 < q and that a p0 is an integer satisfying a p0 p 0 such that l 0 = a p 0 p 0 +p 0 q + and (p 0 + a p0 ( a p0 q+qa p0. Further suppose that p is also a prime such that 5 p < q and that a p is an integer satisfying a p p such that l 0 = a p p+p q + and (p+ a p ( a p qa p. By Lemma 6.0, there are integers k and α such that a p = a p0 +k(q + +( α and p = p 0 +k(q + α. However, k = 0 because a p0 p 0 +p 0 = a p p+p. q + q + In particular, α is O(q because 0 < p < q. Compute and p+ a p = (p 0 α+ (a p0 +( α = p 0 + a p0 α a p q +qa p = a p q( a p = (a p0 +( α q( (a p0 +( α = a p0 ( α q +qa p0 +q( α = a p0 q +qa p0 +(q ( α. Let d = p 0 + a p0 and let n = a p0 q+qa p0 so that d n. Moreover, p+ a p = d α, a p q+qa p = n+(q ( α, and (d α (n+(q ( α. Note that n d n+(q ( α d α

23 is an integer. Compute n d n+(q ( α d α = n(d α d(n+(q ( α d(d α = nα d(q ( α d(d α = nα (q a d q( α, d α so (d α ( n (q a d q( α. Thus, d α ( gcd(d α,α n d (q (. Since gcd(d α,α = gcd(d,α, d α ( gcd(d,α n d (q (. Whenever α satisfies the above divisibility condition, there is some d dividing n d (q ( such that or equivalently d α gcd(d,α = d, d α = d gcd(d,α. There is similarly some g dividing d such that α = d d g. Since d = p 0 + a p0 and 5 p 0, d is nonzero. We show that n (q a d q( is nonzero as well. Note that p 0 < 3(p 0 + a p0 and + a p0 p 0 because p 0 5. By the triangle inequality, n = a p 0 q +qa p0 d p 0 + a p0 + a p 0 +q +q a p0 p 0 + a p0 = + a p 0 +q(+ a p0 p 0 + a p0 + a p 0 +p 0 q p 0 + a p0 < 3(+ a p 0 +p 0 q. p 0 Moreover, + a p0 +4 p 0 q < p 0q because p 0 q 5 7 = 85, so n < 3( p 0 q +p 0q d = 9 q. p 0 3

24 On the other hand, q > 6q 4a q because q 7, so q > q, or equivalently, > a q. Thus, q > q. Since a q > 9, n < 9 d q q < (q = (q (. Therefore, n (q a d q( is nonzero as desired. Note that n,d, and n (q a d q( are all fixed with respect to q,,p 0, and a p0. They have bounds n = O(q p, d = O(p and n (q a d q( = O(q p. Therefore, d = O(q and n (q a d q( = O(q. By Lemma 6., there are O(q ǫ and O(q ǫ possible values of d and g for all ǫ > 0 respectively, so there are thus O(q 3ǫ possible values of α. Consequently, there are O(q 3ǫ possible combinations of (p,a p. By replacing ǫ with ǫ/3, there are O(q ǫ possible combinations of (p,a p for all ǫ > 0. Lemma 6.4. Fix q to be a prime number which is at least 7 and fix to be an integer satisfying q. oof. (i Fix a p to be an integer. There are O( integers p with 5 p < q satisfying (q + ( a p p+p. (ii Fix p to be an integer with 0 < p < q. Given that = O(, there are O( integers a p with a p p satisfying (q + ( a p p+p. (i Note that q + and a p are fixed. Furthermore, a p p+p = a p p(. Say that p 0 and p are two integers with 5 p,p 0 < q satisfying In particular, (q + ( a p p+p,( a p p 0 +p ( a p p+p ( a p p 0 +p 0 ( a p p( ( a p p 0 ( (p 0 p( (mod q +, or equivalently, (q+ (p 0 p(. Since, gcd(q+, = gcd(q, =. Therefore, (q+ (p 0 p. However, q+ = θ(q, but 5 p,p 0 < q, so there are O( possible values of p satisfying (q + ( a p p+p. (ii Note that q + and p + p are fixed. Suppose that a p and a p0 are both integers with a p, a p0 p and In particular, (q + ( a p p+p,( a p0 p+p ( a p p+p ( a p0 p+p 4

25 q+ (a p0 a p (mod q +, so divides (a gcd(q+, p 0 a p. Since is O(, so is gcd(q +,, which q+ a divides. Thus, q is θ(q. However, a gcd(q+, p, a p0 p < q, so there are O( possible values of a p as desired. Lemma 6.5. Fix 5 p 3 to be a prime number and fix a p to be an integer satisfying a p p. oof. (i There are O( possible values of satisfying a p p+p = 0. (ii Fix an integer such that a p p+p 0. There are O( integers q with q satisfying (q + ( a p p+p. (i Note that a p p 0 because p 5. If a p p+p = 0, then p a p p =. Since p = O(, a p = O( as well. There are thus O( possible values that can take. (ii Again, since p = O(, a p = O( as well. Therefore, a p p+p = O(, but q + = θ(q. There are thus O( possible values of q satisfying (q + ( a p p+p and by extension, O( integers q with q satisfying the divisibility condition. Lemma 6.6. [, Corollary 4.8] Let E/Q be an elliptic curve and let N = pq be an elliptic Korselt number of Type I for E such that p < q. One of the following holds: (i p 3 (ii p and q are anomalous for E. (iii p q 6. Lemma 6.7. Let 5 p,q M be randomly chosen distinct primes and let N = pq. Let E(Z/NZ be an elliptic curve with good reduction at p and q. The probability that (p+ a p,(q + (N + a N and a p and are not both is ( O M 5/4 ǫ for all ǫ > 0. oof. Fix M 7. Whenever applicable, let p and q be primes with 5 p,q M, let a p and be integers such that a p p and q, and let a N = a p. Let T be the set { p,q prime, 5 p,q M, a T = (q,,p,a p Z 4 p p, } q,. a p or, (p+ a p,(q+ (N + a N 5