A variant of the large sieve inequality with explicit constants

Definition 1.1

Let p, q be a pair of primes and let Δ < 0 be an integer. The primes p, q are defined to be CM-primes with respect to Δ if there exist integers f and t such that

Let E : y² = x³ + ax + b be an elliptic curve defined over 𝔽_p. Let us denote by E(𝔽_p) the group of points on E over 𝔽_p, and let ∣E(𝔽_p)∣ be the order of E(𝔽_p). If CM-primes p and q with respect to Δ and integers f, t are given, then an ordinary elliptic curve E(𝔽_p) of cardinality ∣E(𝔽_p)∣ = p + 1 − t can be constructed using complex multiplication method [12], [13]. The group E(𝔽_p) can be used to implement public key cryptographic systems, based on intractability of the discrete logarithm problem (DLP). To make the DLP in E(𝔽_p) intractable, it is essential to generate a large prime p, and a curve E defined over 𝔽_p, such that ∣E(𝔽_p)∣ has a large prime factor q.

In [9] a polynomial time algorithm for constructing primes of the form (7) is given. The main idea of the algorithm is as follows. Let D < 0 be a square-free integer. Fix K = Q(D) with the corresponding ring of integers 𝓞_K = {a + bω : a, b ∈ ℤ}, where ω=1+D2, if D ≡ 1 (mod 4), or ω = D, if D ≡ 2,3 (mod 4). Let α denote the complex conjugate of α. By N_K/ℚ(α) = αα we denote the norm of an element α ∈ 𝓞_K. In the first procedure, the algorithm finds α ∈ 𝓞_K such that N_K/ℚ(α) = q is a prime. Given α, the second procedure generates β ∈ 𝓞_K such that β ≡ 1 (mod (α)) and N_K/ℚ(β) = p is a prime. For sufficiently large p, q and 0 < ε < 25 the algorithm finds primes (7) satisfying (log p)/(log q) ≪ 5/(2 − 5ε) [9]. However, it is interesting to known whether the order of magnitude of the generated primes coincide with practical expectations. In order to do this, it is necessary to compute the numerical value of the constants occurring in the theorem that author utilized to analysis the complexity of the algorithm [9]. In [14] explicit numerical estimates for the generalized Chebyshev functions is given. The result presented there can be used for estimating explicitly the computational complexity of the first procedure above and obtaining the exact order of magnitude of the prime p of the form (7). In order to analyze the second procedure explicitly it is necessary to compute the numerical value of the constant occurring in the variant of the Bombieri-Vinogradov theorem presented in [7]. To do this, bounding of a character sum [4] analogous to (6) is required. The aim of this paper is to prove the corresponding estimation with exact numerical value of the constants in the case of imaginary quadratic number fields.

Let 𝔮 be an integral ideal of 𝓞_K. By N𝔮 we denote the norm of 𝔮 with respect to ℚ, and by Φ(𝔮) we denote the generalized Euler’s function. The modulus of a complex number α will be denoted by ∣α∣. Let χ be a multiplicative character modulo 𝔮. Let x > 1 be an arbitrary but fixed number. We define

We prove the following theorem.

Theorem 1.2

FixQ > 1. We have

wheref(x,a,Q)=(2.14(xNa)14+c0|D|14Q12)4,

and ∑^*denotes summation over primitive multiplicative characters (mod 𝔮), and thec(α) are any complex numbers.

Proof

In Section 2.□

Lemma 2.1

Letσbe a primitive additive character modulo 𝔮 and let beχa primitive multiplicative character modulo 𝔮. For any integerβ ∈ 𝓞_Kwe have

Proof

See [4, Lemma 2, p. 190].□

Lemma 2.2

Letσbe a primitive additive character modulo 𝔮 and letχbe a primitive multiplicative character modulo 𝔮. We have

Proof

See [4, Corollary, p. 190].□

Theorem 2.3

wheref(x,a,Q)=(2.14(xNa)14+c0|D|14Q12)4,

and ∑′ denotes summation over primitive additive characters (mod 𝔮), and thec(α) are any complex number.

Proof

In Section 3.□

Now, we prove Theorem 1.2.

Proof

If (𝔞,𝔮) ≠ 1 the proof of the Theorem is immediate. We can assume that (𝔞,𝔮) = 1. Multiplying (2.1) by c(α) and summing over α ∈ ℜ, α ≡ 0 (mod 𝔞), we obtain

By Lemma 2.2 we have

where ∑^* denotes summation over primitive multiplicative characters (mod 𝔮). By (9),

Since σ is a primitive character, σ(αξ) runs through all the primitive characters modulo 𝔮 as ξ runs through the relative prime residues modulo 𝔮. Indeed, if σ(αξ₁) = σ(αξ₂), then σ(α(ξ₁ − ξ₂)) = 1 for α ∈ ℜ. So σ(η) = 1 for all η divisible by the ideal (ξ₁ − ξ₂, 𝔮). But this is only possible if ξ₁ ≡ ξ₂ (mod 𝔮). Hence,

where ∑′ denotes summation over primitive multiplicative characters (mod 𝔮). By the above,

Theorem 2.3 shows that

where f(x, 𝔞, Q) is defined in Theorem 2.3. This finishes the proof.□

Lemma 3.1

LetK = Q(D)be an imaginary quadratic field with the corresponding ring of integers 𝓞_K, and letDbe the fundamental discriminant of the fieldK. Let 𝔞 be an integral ideal ofK. There exist the basisα₁, α₂of 𝔞 such that

Proof

Let α ∈ 𝔞, α = α₁x+ α₂y, where α₁, α₂ is an integral basis of 𝔞 ordered in such a way that the number Δ(α₁, α₂) lies in the upper half-plane, where x, y ∈ ℤ. Then

is a primitive positive quadratic form over ℤ with discriminant D [16, see Proposition 5.2]. Let X ∈ H(K) be the ideal class containing 𝔞. Hence F belong to the corresponding the equivalence class of primitive positive definite binary quadratic forms. In this class there is a reduced form G equivalent to F [16, see Proposition 5.1]. Let 𝔟 ∈ X be an ideal equivalent to 𝔞 corresponding to G. Let β₁, β₂ be an basis of 𝔟, and let β = β₁x+ β₂y, where β ∈ 𝔟, x, y ∈ ℤ. Then

where N𝔟 divides N_K/ℚ(β_i), i = 1, 2. By [17, see Theorem 3, p. 69] we obtain

where Γ is the gamma function. (Compare the above estimation to Hermite’s constant γ₂ = 43 (see [17], p. 71)). Hence,

Since 𝔞, 𝔟 ∈ X, there is δ ∈ K such that 𝔞 = δ 𝔟 = (δβ₁, δβ₂). Thus, there is a basis α′₁, α′₂ of 𝔞, where α′₁ = δβ₁, α′₂ = δβ₂ such that

and consequently

This finishes the proof.□

Now, we prove Theorem 2.3.

Proof

Let 𝔞 be an integral ideal of K. Lemma 3.1 shows that there exist the basis α₁, α₂ of 𝔞 such that

Let α ∈ ℜ and α ∈ 𝔞. Then α is uniquely expressible in the form α = m₁α₁ + m₂α₂, where m₁, m₂ ∈ ℤ. From (8)

We have

so by (14), (20) and (21) we obtain

Let 𝔮 be an integral ideal of K, and let 𝔟 be any ideal prime to 𝔮 lying in the same ideal class as 𝔮𝔡. There exist ρ ∈ K such that

Suppose that γ_j ∈ 𝓞_K, (γ_j, 𝔮) = 1 run through a complete residue system (mod 𝔮). The number of residue classes relatively prime to 𝔮 is equal to Φ(q), so j = 1, …, Φ(q). By [3, Lemma 1, p. 253] the numbers ργ_j run through a complete system of numbers which are pairwise incongruent (mod 𝔡⁻¹), and

Let σ(α) be an additive character modulo 𝔮. By [4, Lemma 1, p. 186] all primitive additive characters σ (mod 𝔮) have the form

We define

By [15, Th. 102, p. 118] the numbers

form a basis for the ideal (𝔞𝔡)⁻¹, and by (20)

The numbers β₁, β₂ forms the basis of K, so we can write

Since β¯1=−α2Δ(α1,α2) and β¯2=α1Δ(α1,α2), by (12) we obtain

for ξ ∈ 𝓡. Hence, with the notation

we have

where |mi|≤2.28(Na)−12x,i=1,2, and c(m₁, m₂) = c′(ξ) for ξ = m₁α₁ + m₂α₂, ξ ∈ 𝔞, ξ ∈ ℜ. Now, we estimate the above sum. To do this fix two integral ideals 𝔮, 𝔮′of K such that (𝔮, 𝔞) = (𝔮′, 𝔞) = 1. Let

where (γ, 𝔮) = (γ′, 𝔮′) = 1, and γ ≢ γ′ (mod 𝔮) if 𝔮 = 𝔮′. We estimate

where ∥x∥ denotes the distance from a real number x to the nearest integer. To do this, we write s_j − s′_j = t_j + l_j, where l_j ∈ ℤ and −12<tj≤12,j=1,2. Then

where δ = l₁β₁ + l₂β₂. We show that at least one t_j ≠ 0, j = 1,2. Suppose, contrary to our claim, that t₁ = t₂ = 0. Then ργ ≡ ρ′γ′ (mod (𝔞𝔡)⁻¹). If 𝔮 = 𝔮′, then ρ = ρ′ and (ρ)𝔞𝔡(γ − γ′) ∈ 𝓞_K. This gives γ ≡ γ′ (mod 𝔮), contrary to our assumption. If 𝔮 ≠ 𝔮′, by (24) we have

From (32) we obtain

where 𝔠, 𝔠′ are integral ideals of K. This gives 𝔮 ∣ 𝔮′ and 𝔮′ ∣ 𝔮. This contradicts our assumption. Consequently,

Hence,

where i = 2 if j = 1, and i = 1 if j = 2. Consequently,

By [2, Theorem 1] we obtain

where

This finishes the proof.□