Finding elliptic curves with a subgroup of prescribed size

Assuming the Generalized Riemann Hypothesis, we design a deterministic algorithm that, given a prime p and positive integer m=o(sqrt(p)/(log p)^4), outputs an elliptic curve E over the finite field F_p for which the cardinality of E(F_p) is divisible by m. The running time of the algorithm is mp^(1/2+o(1)), and this leads to more efficient constructions of rational functions over F_p whose image is small relative to p. We also give an unconditional version of the algorithm that works for almost all primes p, and give a probabilistic algorithm with subexponential time complexity.

1. Introduction 1.1. Motivation. Let F q denote the finite field with q elements. For an elliptic curve E/F q , we denote by E(F q ) the group of F q -rational points on E, which we recall is a finite abelian group; see [3,17,39] for background on elliptic curves and basic terminology. We wish to consider the problem of explicitly constructing an elliptic curve E/F q for which #E(F q ) ≡ 0 (mod m), for a given integer m. This problem naturally falls into the category of questions concerning the construction of elliptic curves E/F q for which #E(F q ) has a prescribed arithmetic structure. For example, motivated by cryptographic applications, many authors have considered the problem of finding elliptic curves over finite fields for which #E(F q ) is prime; see [36] for an efficient probabilistic algorithm, conditional under the Generalized Riemann Hypothesis (GRH).
A second motivation comes from one of the classical questions of the theory of finite fields: constructing rational functions with a small image set. It has been shown that results of this type are of interest for certain cryptographic attacks; see [8,9,21,22], for example.
If m divides q − 1 then it is easy to see that the image of the function X m has cardinality (q − 1)/m + 1, which is the best possible for a non-constant rational function. If m divides q + 1 then Dickson polynomials [5,12,13] achieve an image of similar cardinality. But when gcd(m, q 2 −1) = 1 neither of these constructions gives a function whose image is significantly smaller than F q . However, as observed by Cheon and Kim [9] (see also [21,Section 3.6]), if m divides #E(F q ) then the m-division polynomials of an elliptic curve E over F q can be used to construct a rational function over F q whose degree is approximately m 2 and whose image has cardinality approximately q/m. A remarkable feature of this result is that no arithmetic conditions on q are required.
As a possible third motivation, we note that elliptic curves over F q whose cardinalities are divisible by a given integer m that also divides q − 1 play an important role in the construction of Anbar and Giulietti [2, Theorem 1], which has applications to finite geometry and coding theory.
Here we address the natural question of computationally efficient constructions of elliptic curves E/F q with #E(F q ) divisible by m and design several algorithms to find such a curve.
1.2. Naive approach. Probabilistically, for m = o(q) one can easily find an elliptic curve E/F q with #E(F q ) divisible by m in time O q (m) by simply choosing curves at random. Here we use the O q notation to indicate that we are ignoring factors of the form q o(1) . That is, for A > 0 we write O q (A) for a quantity bounded by Aq o (1) . Note that this deviates slightly from the more common convention that O(A) stands for a a quantity bounded by A(log(A + 1)) O(1) .
For example, when q is prime to 6 we can simply choose random a, b ∈ F q with 4a 3 + 27b 2 = 0, and then use Schoof's polynomial-time algorithm [34] to determine the number of F q -rational points on the elliptic curve E a,b defined by the Weierstrass equation If m divides #E a,b (F q ) then we are done, and otherwise we may try again with another choice of a and b. Given that the distribution of #E a,b (F q ) over the central part of the Hasse interval is not too far from uniform, we heuristically expect to find a suitable curve after O q (m) such trials. When q is prime this approach can be made rigorous via the result of Lenstra [25, Proposition 1.9] on the asymptotic uniformity of the number of Weierstrass equations that define isogenous elliptic curves; see Lemma 10 below. However, for large values of m, say m ∼ q c for some c ∈ (0, 1), this algorithm is inefficient.
Here we give more efficient solutions to a slightly modified problem. Given some real M ≥ 1, we seek a pair (m, E) of an integer m and a curve E over F q such that Note that a naive approach to our modified problem involves Using probabilistic subexponential-time factoring algorithms such as those given in [28,32], this leads to an algorithm with the expected running time of the form exp (log q) 1/2+o (1) . Note that for this approach to succeed one also has to show that there is a non-negligible proportion of integers N in the interval [q + 1 − √ q, q + 1 − √ q] (or some similar interval) that actually have a divisor m ∈ [M, 2M], and for which this divisor can be found efficiently; if N has many prime factors determining whether it has such a divisor m may be difficult. This can be achieved using an argument similar to that used in our proof of Theorem 1 below.
1.3. Our results. First, we use some ideas from [23], based on an algorithm of Lenstra, Pila, and Pomerance [26,27] to show that a more efficient algorithm exists. Although the ideas work for arbitrary finite fields, we limit ourselves to the case of prime q = p. In fact, the only missing ingredient to extend our result to arbitrary q is a generalization of Lenstra's result on the distribution of #E a,b (F q ) given in Lemma 10 below. However, there is no doubt that this result holds for all finite fields, so we at least have a heuristic result in the general case. The tools used in the proof of Theorem 1 allows us to replace the exponent (log p) 2/5+o (1) with a more precise expression involving explicit constants and double logarithms. However, we avoid this in order to simplify the exposition and minimize the technical details.
We also consider deterministic algorithms to solve the original problem of constructing an elliptic curve E/F q with #E(F q ) divisible by a given integer m. As a brute force approach, one can modify the probabilistic approach above by simply enumerating elliptic curves E/F q and computing #E(F q ) in each case using Schoof's algorithm, but as explained in §2.2 below, this yields an algorithm that runs in O q (q) time.
Here we give an algorithm that, assuming the GRH, is more efficient than the brute force approach when q = p is prime and m = o(p 1/2 ).
We assume henceforth that p always denotes a prime greater than 3.
Theorem 2. Assume the GRH. There is a deterministic algorithm that, given a prime p and an integer m = o(p 1/2 ), ouputs an elliptic Furthermore, there is an unconditional algorithm that achieves the same complexity for almost all primes p.

2.1.
Isomorphism and isogeny classes of elliptic curves. Let us fix an algebraic closure F p of F p . The F p -isomorphism class of the elliptic curve E a,b defined in (1) is uniquely determined by its j-invariant j(E a,b ) = 1728 4a 3 4a 3 + 27b 2 , see [39]. Moreover, every j ∈ F q is the j-invariant of some E a,b /F p ; for j ∈ {0, 1728} we may take a = 3j(1728 − j) and b = 2j(1728 − j) 2 , and for j = 0 (resp. 1728) we use a = 0, b = 1 (resp. a = 1, b = 0).
Each F p -isomorphism class of elliptic curves over F p may be decomposed into a a finite number of F p -isomorphism classes.
For j ∈ {0, 1728} there are exactly two F p -isomorphism classes in the F p -isomorphism class determined by j, and they are quadratic twists (meaning that they are isomorphic over Provided that a ∈ F p is not a quadratic or cubic residue, the set {E a n ,0 : n ∈ Z/6Z} contains representatives for all the F p -isomorphism classes of elliptic curves with j-invariant 0; these F p -isomorphism classes need not be distinct, it depends on the residue class of p mod 12, but there are at most 6 of them. Similarly, if b ∈ F p is not a quadratic residue, then {E 0,b n : n ∈ Z/4Z} contains representatives for all the F p -isomorphism classes of elliptic curves with j-invariant 1728, of which there are at most 4. It is easy to find d ∈ F × p \F ×2 p probabilistically by applying Euler's criterion d (p−1)/2 ≡ −1 mod p to randomly chosen d ∈ F p , but one can obtain such a d deterministically by simply enumerating d ∈ [1, p − 1] in order. Under the GRH this takes O p (1) time; the famous result of Burgess [7] gives the unconditional bound O p (p 1/(4 √ e) ).
By a well-known theorem of Hasse, the number of F p -rational points on an elliptic curve E/F p is of the form p + 1 − t, where t is an integer with absolute value at most 2 √ p equal to the trace of Frobenius. By a theorem of Tate, elliptic curves over a finite field have the same trace of Frobenius if and only if they are isogenous. Thus the Hasse bound implies that there are just O( √ p) distinct isogeny classes of elliptic curves over F p .

2.2.
Brute force approach. The most straight-forward way to construct E a,b /F p with #E(F p ) divisible by m is to simply enumerate pairs (a, b) ∈ F 2 q with 4a 2 + 27b 3 = 0 and compute #E a,b (F p ) using Schoof's algorithm [34]. This yields an algorithm that runs in O p (p 2 ) time, but if we instead enumerate F p -isomorphism classes, of which there are only 2p + O(1), we obtain an O p (p) bound. This is accomplished by enumerating j-invariants j ∈ F p and then enumerating representatives of the (at most 6) distinct F p -isomorphism classes with the same j-invariant.
It is natural to suggest that an even better approach is possible via the enumeration of isogeny classes, of which there are just O( √ p). Unfortunately we do not know an efficient way to enumerate representatives of these isogeny classes. However, the alternative approach we propose in § 2.4 is able to achieve an O p ( √ p) running time. In essence, we choose an isogeny class by choosing a trace of Frobenius t ∈ [−2 √ p, 2 √ p] for which m divides p + 1 − t and for which we can efficiently construct a representative curve E a,b /F p ; here we rely on the CM method for constructing elliptic curves over finite fields.

2.3.
Constructing elliptic curves with the CM method. The theory of complex multiplication (CM) provides a standard method for constructing elliptic curves over finite fields whose group of rational points has a prescribed trace of Frobenius t (and hence a prescribed number of rational points), which we now briefly recall; we refer the reader to [10] for additional background.
Suppose E/F p is an elliptic curve over F p with #E(F p ) = p + 1 − t, and assume p > 3. If t is nonzero then E is an ordinary elliptic curve, and its endomorphism ring is isomorphic to the quadratic order O of discriminant D = t 2 − 4p < 0 in the ring of integers O K of the imaginary quadratic field K = Q( √ D). The elliptic curve E is said to have complex multiplication (CM) by the order O. The prime p and the integer t necessarily satisfy the norm equation We recall that there is a one-to-one correspondence between the set of F p -isomorphism classes of elliptic curves E/F p with CM by O and elements of the ideal class group cl(O); the cardinality of both sets is equal to the class number h(D).
By the main theorem of complex multiplication, the ideal class group cl(O) is isomorphic to the Galois group Gal(K O /K), where K O denotes the ring class field of the order O. The field extension K O /K can be explicitly constructed as K O = K(j), where j denotes the j-invariant of an elliptic curve E/C with CM by O. The minimal polynomial of j over K is the Hilbert class polynomial H D (X); its degree is necessarily equal to the class number h(D) and, remarkably, its coefficients lie in Z (not just in O K ). Every root of H D (X) is the j-invariant of an elliptic curve E/C with CM by O, and every elliptic curve over C with CM by O arises in this way.
The Deuring lifting theorem [24, implies that if p is a prime that splits completely in K O , equivalently, a prime satisfying the norm equation 4p = t 2 − v 2 D for some integers t and v, then this correspondence also holds over F p . The polynomial H D ∈ Z[X] then splits completely into linear factors over F p , and its roots are precisely the j-invariants of the elliptic curves E/F p that have CM by O, all of which have trace of Frobenius t and p + 1 − t rational points. We note that not every curve with trace of Frobenius t has CM by O, but every such curve has CM by an order that lies in the ring of integers of the field Q( √ D), and this field is uniquely determined by p and t. Thus given an integer t and a prime p for which 4p = t 2 − v 2 D, we can construct an elliptic curve E/F p with #E(F p ) = p + 1 − t by first computing the Hilbert class polynomial H D (X) and then finding a root j of H D mod p. The root j determines the F p -isomorphism class of an elliptic curve E, and we can distinguish its F p isomorphism class (and an explicit equation E a,b ) by checking which of the finite set of representatives E a,b with j(E a,b ) = j has the desired trace of Frobenius t. This can be done by simply computing p + 1 − #E a,b (F p ), but see [33] for a more efficient method.
This method of constructing elliptic curves E/F p with a prescribed trace of Frobenius is known as the CM method. It's key limitation is that when |D| is large it may be infeasible to explicitly compute H D (X); the degree of H D is the class number h(D), which is bounded by O(|D| 1/2 log |D|), see [38], and the logarithm of the absolute value of its largest coefficient is bounded by O(|D| 1/2 (log |D|) 2 ), see [41,Lemma 8]. Thus the total size of H D is O(|D|(log |D|) 3 ) bits. Under the GRH one can improve the logarithmic factors in all of these bounds, but in any case the best bound we have on the total size of H D (X) is |D| 1+o(1) bits, and one heuristically expects a lower bound of the same form. As a practical matter, the largest value of |D| for which H D (X) has been explicitly computed is on the order of 10 13 , see [41], although there are more sophisticated methods that have made it feasible to apply the CM method to discriminants with |D| as large as 10 16 ; see [15,42].
For the purposes of constructing a deterministic algorithm, we restrict ourselves to the complex analytic method of [14], which is not as fast as the probabilistic algorithms used to achieve these results, but is able to achieve a time complexity of |D| 1+o(1) without relying on randomization (or assuming the GRH); see Lemma 14.
2.4. An alternative approach. We now sketch an alternative approach to constructing an elliptic curve E/F p with E(F p ) divisible by m, using the CM method. We enumerate isogeny classes of elliptic curves over F p according to their trace of Frobenius t, and once we have found t such that p + 1 − t is divisible by m, we may apply the CM method to construct an elliptic curve E/F p with trace t. The time to construct E with the CM method is O p (|D|), where D is the discriminant of the imaginary quadratic field Q( t 2 − 4p). So long as m is not too large, there are many possible choices for t; in order to minimize the running time we want to choose t so that t 2 − 4p has a large square divisor, which makes |D| smaller.
Thus we are faced with finding an integer t ∈ [−2 √ p, 2 √ p] such that p + 1 − t ≡ 0 (mod m) and t 2 − 4p has a large square divisor v 2 . Then the discriminant D = disc Q( (t 2 − 4p)/v 2 ) is relatively small in absolute value, allowing the Hilbert class polynomial H D (X) to be computed more quickly than in the typical case. In order to construct a curve in the isogeny class defined by t we also need to find a root of H D (X), which has degree h(D) = O p (|D| 1/2 ). This can be done in time O p (p 1/2 + h(D)) using the deterministic algorithm of [4]; see Lemma 12. If v is the largest square factor of t 2 − 4p, then the discriminant of Q( (t 2 − 4p)/v 2 ) is either D = (t 2 − 4p)/v 2 or D = 4(t 2 − 4p)/v 2 ; the latter case occurs only when v is divisible by 2, so after removing a factor of 2 from v if necessary, we may assume t 2 − 4p = v 2 D. This implies v | (t 2 − 4p), and for prime v this means that p must be a quadratic residue modulo v. So the algorithm starts by selecting an appropriate prime v. Since we require v to lie in a certain interval, this is precisely where the GRH comes into play.
We now present concrete technical details.

Bounds of character sums. Let Λ(v) denote the usual von Mangoldt function defined by
if v is not a prime power.
We start with the following bound on sums of Legendre symbols, which can be found in [30,Chapter 13]; see also [20,Corollary 5.29].

Lemma 4. For any real
Note that the sum in Lemma 4 differs slightly from the traditional sum with the Legendre symbols (v/p). However, it is easy to see that (p/v) is multiplicative character modulo 4p.

Corollary 5. For any sufficiently large
The following statement is well-known and follows immediately from the Pólya-Vinogradov inequality, see [20,Theorem 12.5].
Proof. Let V be the set of primes v ∈ [V, 2V ] and let P be the set of primes p ∈ [T, 2T ] such that Note that P and V are disjoint. Hence, for every p ∈ P So, for the double sum On the other hand, we have Using the Cauchy inequality and expanding the summation to all integers k ∈ [T, 2T ] we derive Now squaring out and changing the order of summations, we obtain Finally, estimating the inner sum trivially for v 1 = v 2 and using the Pólya-Vinogradov inequality for v 1 = v 2 (see [20,Theorem 12.5]), we derive Comparing (2) and (3), and using the prime number theorem, we obtain the desired result.
We note that by using the Burgess bound (see [20,Theorem 12.6]), in the proof of Lemma 6 one can obtain a series of other estimates.

Smooth numbers.
We recall that a real y > 1, a positive integer n is said to be y-smooth if its prime divisors are all less then or equal to y. The Dickman-de Bruijn function ρ(u) is defined recursively by As usual, we denote by ψ(x, y) the number of y-smooth n ≤ x. We need the following classical asymptotic formula for ψ(x, y), which can be found in [43, Chapter III.5, Corollary 9.3].

Arithmetic functions and smooth multiples in intervals.
Let τ (k) denote the number of positive divisors of an integer k ≥ 1.
We need a bound on the average value of the divisor function τ (k) in short intervals. In particular, we use the following special case of a much more general estimate of Shiu [35,Theorem 1]; further extensions are due to Nair and Tenenbaum [31].
Lemma 8. For any fixed real ε, λ > 0, and sufficiently large real z ≥ w ≥ z ε , we have where the implied constant depends only on ε and λ.
The following statement is one of the main ingredients of the proof of Theorem 1.
Proof. Let M be the set of y-smooth integers m ∈ [x, 2x]. It follows from Lemma 7 and well known results on the growth of ρ(u) (see [43,Section III.5.4]), that For each m ∈ M we consider the products k = mr where r runs through z 1/2 /m + O(1) integers of the interval [z/m, z/m + z 1/2 /m]. Let ϑ(k) be the number of such representations. Clearly, Hence, using (4), we derive On the other hand, since we obviously have ϑ(k) ≤ τ (k), we obtain from Lemma 8 with λ = 2 the bound Thus if K is the set of k ∈ [z, z + z 1/2 ] with ϑ(k) > 0, then by the Cauchy inequality we have  Using (5) and (6), we then derive Now E be the set of k ∈ [z, z + z 1/2 ] with τ (k) > u u+o(u) (log z) 3 . Using Lemma 8 with λ = 2 again, we obtain #E u u+o(u) (log z) 3 2 = O z 1/2 (log z) 3 .
which concludes the proof.

3.4.
Class numbers and the distribution of the number of F qrational points on elliptic curves. We require a result of Lenstra that relates the number of elliptic curves E a,b /F p with trace of Frobenius t to the Hurwitz-Kronecker class number H(t 2 − 4p); see [25,Proposition 1.9]. Here we formulate this result in a form convenient for our applications. Lemma 11. There is a probabilistic algorithm that, given an integer n and a real number y > 2, finds all prime factors ℓ ≤ y of n in expected time exp (log y) 2/3+o(1) (log n) O(1) , as y → ∞.

4.2.
Finding roots of polynomials. We also need the following factorisation algorithm from [4].

Lemma 12.
There is a deterministic algorithm that, given a squarefree polynomial f ∈ F p [X] of degree d that splits completely into linear factors in F p [X], finds a root of f in O p (d + p 1/2 ) time.
The algorithm of Lemma 12 improves that of Shoup [37] when d grows as a power of p, which is exactly the case we need.

4.3.
Counting F q -rational points on elliptic curves. We recall the classical result of Schoof [34], which is quite sufficient for our purposes.
Lemma 13. There is a deterministic algorithm that, given an elliptic curve E/F q , outputs the cardinality N = #E(F q ) in (log q) O(1) time.

4.4.
Computing Hilbert class polynomials. Here, for computing Hilbert class polynomials deterministically, we rely on the complex analytic approach of Enge [14], which relies on floating point approximations of complex numbers, combined with a rigorous bound on the precision needed to control rounding errors due to Streng; see [40, Remark 1.1].

Lemma 14.
There is a deterministic algorithm that, given an imaginary quadratic discriminant D, outputs H D (x) in |D| 1+o(1) time.

Proof of Theorem 1. Let
We choose a pair (a, b) ∈ F 2 p uniformly at random, and if 4a 3 +27b 2 = 0, we compute the cardinality N = #E a,b (F p ) in (log p) O(1) time, via Lemma 13. We then use the probabilistic algorithm of Lemma 11 to find all the prime divisors ℓ ≤ y of N in expected time, and we can easily determine the largest power of each of the primes ℓ that divides N within the same time bound, using repeated divisions by ℓ.
One can check that for the above choice of y the conditions of Lemma 9 are satisfied with x = M and z = p. Hence, by Lemmas 9 and 10, after an expected we find a pair (a, b) ∈ F 2 q for which N = #E a,b (F p ) has a y-smooth factor m ∈ [M, 2M] and also has τ (k) ≤ u u+o(u) (log p) 3 integer divisors. By exhaustively checking every y-smooth divisor of N (constructed as products of powers of prime divisors ℓ ≤ y of N), for any given N we can deterministically find such an m (or determine that none exists) in time T 3 = u u+o(u) (log p) O(1) = exp u 1+o (1) . This leads to a total expected running time of Recalling the choice of y, we conclude the proof.

5.2.
Proof of Theorem 2. We let V = p 1/4 /m 1/2 . Combining Corollary 5 with the deterministic primality test of [1], we see that in time V p o(1) we can find a prime v ∈ [V, 2V ] for which p is a quadratic residue. Thus the congruence 4p ≡ x 2 (mod v) has a solution that can also be found in time V p o(1) using brute force search. Via Hensel lifting, we can now find a solution s to the congruence (1) ; see [18].
Any admissible value of t must satisfy the congruences t ≡ s (mod v 2 ) and t ≡ p + 1 (mod m).
Using the Chinese remainder theorem, in time p o(1) we can find an integer a with 0 ≤ a ≤ mv 2 − 1, such that the above system of congruences is equivalent to the single congruence t ≡ a (mod mv 2 ). Since mv 2 ≤ 4mV 2 = 4p 1/2 , there is a t ∈ [−2p 1/2 , 2p 1/2 ] that satisfies this congruence (either a or a − mv 2 must lie in the desired interval). We now bound the complexity of constructing an elliptic curve E/F p with #E(F p ) = p + 1 − t for our chosen value of t.
Let us write t 2 − 4p = u 2 D, for an integer u and a fundamental discriminant D < 0. Then u ≥ v ≥ V , and therefore |D| ≤ 4p/V 2 . By primes, as described in Lemma 6. After this the proof is identical to that of Theorem 2.
which after the choice y = exp((log p) 2/3 )) leads to roughly the same expected running time exp (log p) 1/3+o(1) as the number field sieve, the heuristically fastest integer factorisation algorithm; see [11] for more details.
As an analog of Theorem 1, one can also consider the case where the integer m is fixed and the prime p is allowed to vary over an interval [P, 2P ], for some real P > m 1+ε and a fixed ε > 0. If we pick a multiple N of m that lies in the interval we can apply the algorithm of Bröker and Stevenhagen [6] to construct an elliptic curve E/F p for which #E(F p ) = N is a multiple of m; the bounds on N ensure that p ∈ [P, 2P ]. The heuristic expected running time of this probablistic algorithm is (2 where ω(N) denotes the number of distinct prime divisors of N. We have a fair amount of freedom in the choice of N and can easily choose N so that we have ω(N) = ω(m) + 1; this allows us to write the time bound as (2 ω(m) log P ) O (1) . For almost all integers m we have ω(m) = O(log log P ), in which case we obtain a heuristic polynomialtime algorithm. The algorithms of Theorems 2 and 3 can easily be extended to produce elliptic curves E with #E(F p ) in a given residue class modulo m. We now present several facts that shed some light on the frequency of pairs (m, p) with p ≡ ±1 (mod m).
For any fixed m this is essentially a result about the distribution of primes in arithmetic progressions. In particular, the standard proof of Linnik's theorem on the smallest prime in an arithmetic progression implies that there is an absolute constant K > 0 such that for any integer m ≥ 2, for all T ≥ m K there exists a prime p ∈ [T, 2T ] in any admissible residue class modulo m; see [20,Theorem 18.6]. It would be interesting to see what the currently strongest approaches to estimates of the Linnink constant L of Heath-Brown [19] (with L ≤ 5.5), and of T. Xylouris [44] (with L ≤ 5.18), give for the above constant K.
We also note that, by a result of Mikawa [29], for any sufficiently large M, for all but o(M) integers m ∈ [M, 2M], for any K > 32/17 and T > M K there exists a prime p ∈ [T, 2T ] with p ≡ 1 (mod m) (and also with p ≡ −1 (mod m)). The classical Bombieri-Vinogradov Theorem [20,Theorem 17.1] gives similar results for K > 2.
Finally, we note that several results of Ford [16] can also provide some information on the existence and distribution of pairs (m, p) with p ≡ ±1 (mod m). For example, a combination of [16,Corollary 2] and [16,Theorem 6] implies that as both M and T /M tend to infinity, there are only o(T / log T ) primes p ∈ [T, 2T ] such that p − 1 has a divisor m ∈ [M, 2M]. On the other hand, by a slight modification of [16,Theorem 7], for any β > α > 0, there are at least cT / log T primes p ∈ [T, 2T ] such that p − 1 has a divisor m ∈ [T α , T β ]. supported in part by ARC grant DP130100237 and A. V. Sutherland received financial support from NSF grant DMS-1115455.