
Number Theory Summary - American Mathematical …


Number Theory Summary

Divisibility and primes

The set Z = {…, −2, −1, 0, 1, 2, …} of integers, with its arithmetic operations of addition and multiplication, is the fundamental object of study in number theory. The structure of Z under addition is certainly easy to understand; it is an infinite cyclic group. The multiplicative structure of Z lies somewhat deeper. We have unique factorization of nonzero integers into primes - this is called the Fundamental Theorem of Arithmetic. The structure of Z under multiplication is then transparent given the primes, but the finer properties of the primes themselves are quite mysterious.

A ring is an abelian group, with the group operation called addition and written additively with +, on which there is another binary operation called multiplication which is written multiplicatively with a dot or without any sign. The multiplication is required to be associative, but does not need to be commutative. Addition and multiplication are related by distributivity; multiplication distributes over addition by the laws a(b + c) = (ab) + (ac) and (a + b)c = (ac) + (bc).

From the algebraic point of view, Z appears as a fundamental example of a commutative ring with multiplicative neutral element and without zero divisors. The latter property formalizes the observation that if m, n ∈ Z and mn = 0, then m = 0 or n = 0. So though division is not in general possible in Z without leaving its confines, nonzero common factors may be canceled, which is convenient when solving equations. Commutative rings with a multiplicative neutral element different from zero and without zero divisors are called factorial rings or integral domains. An integral domain in which every nonzero element has a multiplicative inverse is called a field.

The set $\mathbb{N}_0 \subset \mathbb{Z}$ of nonnegative integers 0, 1, 2, 3, …, has an important property that is the basis for the principle of mathematical induction. The property may be formulated in various ways, but we use the one called Fermat’s principle of infinite descent: If $A \subseteq \mathbb{N}_0$ is a set of nonnegative integers so that for every a ∈ A there is some b ∈ A with b < a, then A = ∅.

Division with remainder. Suppose that m is a positive integer and n a nonnegative integer. Then there exist integers q and r with 0 ≤ r < m, for which n = mq + r. The integer q is called the quotient and r the remainder.

Proof. Given any positive integer m, let $A_m$ be the set of nonnegative integers n for which division by m with remainder fails. Clearly $n \in A_m$ implies n ≥ m, for otherwise n = m·0 + n with 0 ≤ n < m. But then n − m is a nonnegative integer. And division of n − m by m with remainder must fail, for n − m = mq + r implies n = m(q + 1) + r. Since n − m < n, Fermat’s principle of infinite descent implies that $A_m = \emptyset$.


Given two integers m and n we say that m divides n, which we write as m|n, if there is a third integer k such that n = km. Since n = km and m = jl implies n = (kj)l, we see that l|m and m|n implies l|n. Moreover if m|n then m|cn for any integer c, since n = km implies cn = (ck)m. And if m|n and m|o then m|(n ± o) since n = km and o = lm gives n ± o = (k ± l)m.

The statement 0|n holds only if n = 0. Because this case is unimportant, and might sometimes require an exception, it is often excluded. If this case is excluded, in particular, m|n is equivalent to n/m being an integer.

The units in Z are the integers u satisfying u|1. Clearly these are ±1. Two elements a and b in Z are associates if a = ub with u a unit. If m|n without m and n being associates, we say that m strictly divides n. The nonzero elements in Z come in pairs n, −n of associates. We note that if both m|n and n|m then n = km = k(ln) = (kl)n. Here m = n = 0, or kl = 1 so k is a unit. Hence m and n are associates.

An ideal $\mathfrak{a}$ in Z is a nonempty subset of Z such that $a, b \in \mathfrak{a}$ and n ∈ Z implies $a + b \in \mathfrak{a}$ and $na \in \mathfrak{a}$. It is clear that {0} and Z are ideals. Moreover, if n is an integer, then nZ is an ideal. Such ideals generated by a single element are called principal ideals. Division with remainder implies that in Z all ideals are principal.

The zero ideal is clearly principal. If $\mathfrak{a} \ne \{0\}$ is an ideal in Z and $a \in \mathfrak{a}$, then $-a \in \mathfrak{a}$, so $\mathfrak{a}$ contains a smallest positive element m. Suppose that n is any element of $\mathfrak{a}$. We shall prove that m|n, so that $\mathfrak{a} = m\mathbb{Z}$. If n = 0 the statement is clear, and if −n is a multiple of m, so is n. Thus we may assume that n is nonnegative. Divide n by m with remainder, so n = qm + r where 0 ≤ r < m. Since $m, n \in \mathfrak{a}$, we also have $r = n - qm \in \mathfrak{a}$ because $\mathfrak{a}$ is an ideal. Because m is the smallest positive element in $\mathfrak{a}$, it follows that r = 0 and hence m|n. Thus every ideal in Z is principal.

A nonzero element a ∈ Z is an irreducible element if it is not a unit and if for any factorization a = bc, one of b and c is a unit. The irreducibles in Z are precisely the elements ±p where p runs through the prime numbers. A nonzero element a ∈ Z is a prime element if it is not a unit and if a|bc implies a|b or a|c. We see by induction that if a is a prime element and $a \mid b_1 b_2 \cdots b_s$ then $a \mid b_i$ for some i with 1 ≤ i ≤ s. Any prime element is an irreducible element, for if a = bc with a a prime element, then a divides one of b or c, say without loss of generality that a|b. Then b = ak so a = akc and thus 1 = kc, hence c is a unit.

Fundamental Theorem of Arithmetic. Any nonzero integer that is not a unit is a product of irreducibles, unique up to order and associates.

Proof. Any element in Z which is neither zero nor a unit has a factorization into irreducibles. For assume that a is such an element that has no factorization into irreducibles. Then a has some factorization a = bc where neither b nor c is a unit, otherwise a would itself be an irreducible. Moreover at least one of the elements b and c has no factorization into irreducibles. Then we can find an infinite sequence $(c_i)_0^{\infty}$ of elements in Z such that $c_0 = a$ and $c_i = b_{i+1}c_{i+1}$ where $b_{i+1}$ is never a unit. Now assume that $(c_i)$ is any infinite sequence of nonzero elements with $c_i = b_{i+1}c_{i+1}$. The principal ideals $c_i\mathbb{Z}$ form an ascending chain under inclusion, and hence

$$\mathfrak{c} = \bigcup_{i=0}^{\infty} c_i\mathbb{Z}$$

is an ideal. Since every ideal of Z is principal, there is some integer m such that $\mathfrak{c} = m\mathbb{Z}$. Because $m \in \mathfrak{c}$, there is some i such that $m \in c_i\mathbb{Z}$. Then $c_{i+1}\mathbb{Z} \subseteq \mathfrak{c} = c_i\mathbb{Z}$ and so $c_i \mid c_{i+1}$. On the other hand $c_{i+1} \mid c_i$ by the assumptions on the sequence $(c_i)$. Hence $c_i$ and $c_{i+1}$ are associates, so $b_{i+1}$ is a unit. We conclude that any element in Z which is neither zero nor a unit has a factorization.

If an integer n has a factorization into prime elements then this factorization is the unique factorization of that integer into irreducibles up to order and associates. For if $p_1 \cdots p_r = q_1 \cdots q_s$ where $p_1, \ldots, p_r$ are prime elements and $q_1, \ldots, q_s$ are irreducibles, then $p_r \mid q_k$ for some k. Since $q_k$ is irreducible and $p_r$ is not a unit, $p_r$ and $q_k$ are associates. We divide by $p_r$ on both sides of $p_1 \cdots p_r = q_1 \cdots q_s$ leaving a unit $q_k/p_r$ on the right-hand side, which we multiply into one of the other factors. Then we reindex the factors on the right-hand side leaving $p_1 \cdots p_{r-1} = q'_1 \cdots q'_{s-1}$. Clearly we can continue the process, concluding that the $p_i$ are pairwise associated to the $q_j$. This is the uniqueness statement.

We have so far obtained existence of factorizations into irreducibles and uniqueness of factorizations into prime elements in Z. We will now prove that every irreducible in Z is a prime element.

Let a be an irreducible in Z such that a|bc. We shall show that a|b or a|c and hence that a is a prime element. If a|b we are finished, so we may assume that a ∤ b in which case a and b have no common factor, since a is irreducible. Consider now the ideal $\mathfrak{a} = a\mathbb{Z} + b\mathbb{Z}$. Since every ideal in Z is principal, there exists some integer m such that $\mathfrak{a} = m\mathbb{Z}$. Clearly m|a and m|b and so m is a unit, hence $\mathfrak{a} = \mathbb{Z}$. So the equation ax + by = 1 has a solution in integers x and y. Multiplying through by c gives acx + bcy = c. Since the left-hand side is divisible by a we obtain a|c and so a is a prime element. Hence every nonzero element in Z that is not a unit has a factorization into primes, unique up to order and associates.

The Fundamental Theorem of Arithmetic was first precisely formulated and proved by Gauss in the Disquisitiones Arithmeticae. The result that a prime dividing the product of two integers divides at least one of them occurs in the Elements of Euclid.

The concepts of divisibility, unit, associates, ideal, principal ideal, irreducible element, and prime element that played important roles in the proof of the Fundamental Theorem of Arithmetic carry over without change to any integral domain. The key fact that made the proof work is that every ideal in Z is principal. An integral domain in which every ideal is principal is called a principal ideal domain (abbreviated PID). An integral domain in which every nonzero element that is not a unit is a product of irreducibles, unique up to order and associates, is called a unique factorization domain (abbreviated UFD). We have thus proved the important result that any PID is a UFD.


That Z is a PID came from division with remainder, which is a result that is special to the integers. But for some integral domains there exists a substitute. An integral domain R is said to have a gauge g : R \ {0} → N if a|b implies g(a) ≤ g(b) and if for any a ∈ R and b ∈ R \ {0} there exist elements q, r ∈ R such that a = bq + r with r = 0 or g(r) < g(b). An integral domain that carries a gauge is called a Euclidean domain. Every Euclidean domain R is a principal ideal domain. For if $\mathfrak{b}$ is a nonzero ideal in R then there exists some nonzero element $b \in \mathfrak{b}$ for which g(b) is minimal. For any element a ∈ R, there exist elements q, r ∈ R with a = bq + r and r = 0 or g(r) < g(b). The latter possibility is impossible by the choice of b, so r = 0 and thus a = bq. Hence $\mathfrak{b} = (b)$ and so R is a PID.

If k is a field and a(x), b(x) ∈ k[x] with b(x) ≢ 0, there exist polynomials q(x) and r(x) over k with a(x) = b(x)q(x) + r(x) and deg(r) < deg(b). To prove this we may clearly assume that deg(a) ≥ deg(b). Then the method of undetermined coefficients applied with q(x) a polynomial over k of degree at most deg(a) − deg(b) and r(x) a polynomial over k of degree at most deg(b) − 1 leads to a linear system of deg(a) + 1 equations over k and deg(a) − deg(b) + 1 + deg(b) = deg(a) + 1 unknowns. The system is square and choosing a(x) ≡ 0 we find the unique solution q(x) ≡ 0 and r(x) ≡ 0 by b(x) ≢ 0, so the system has a solution for any choice of a(x). Since a polynomial that divides another polynomial has degree no larger than the other polynomial, the degree is a gauge and k[x] is a principal ideal domain. Thus any polynomial over k factors uniquely up to order and scalar factors into a product of polynomials irreducible over k. For the units in k[x] are the nonzero elements of k.

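The ring $\mathbb{Z}[\sqrt{-1}] = \mathbb{Z} + \mathbb{Z}\sqrt{-1} = \mathbb{Z} + \mathbb{Z}i$ of Gaussian integers is also a Euclidean domain. We may choose $g(\alpha) = \alpha\bar{\alpha}$ as gauge. For given α and β ≠ 0 Gaussian integers, there is a Gaussian integer σ with

$$\left|\operatorname{Re}\left(\frac{\alpha}{\beta}\right) - \operatorname{Re}(\sigma)\right| \le 1/2 \quad\text{and}\quad \left|\operatorname{Im}\left(\frac{\alpha}{\beta}\right) - \operatorname{Im}(\sigma)\right| \le 1/2.$$

Choosing ρ = α − βσ we see that

$$g(\rho) = |\alpha - \beta\sigma|^2 = |\beta|^2\left|\frac{\alpha}{\beta} - \sigma\right|^2 \le g(\beta)\left((1/2)^2 + (1/2)^2\right) < g(\beta).$$

If moreover α = βγ is an equation in Gaussian integers, $g(\alpha) = \alpha\bar{\alpha} = \beta\gamma\,\overline{\beta\gamma} = \beta\bar{\beta}\gamma\bar{\gamma} = g(\beta)g(\gamma)$ shows that β|α implies that g(β) ≤ g(α), so g is a gauge. Hence the Gaussian integers constitute a PID and thus a UFD.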
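The division step for Gaussian integers described above, carried through to a Euclidean gcd. This is an added example, not part of the original text; the representation of α as a pair `(re, im)` of Python integers and all function names are assumptions made for the illustration.

```python
def norm(z):
    """Gauge g(alpha) = alpha * conj(alpha) for alpha = (re, im)."""
    return z[0] * z[0] + z[1] * z[1]


def mul(x, y):
    """Product of two Gaussian integers given as (re, im) pairs."""
    return (x[0] * y[0] - x[1] * y[1], x[0] * y[1] + x[1] * y[0])


def round_div(p, n):
    """Nearest integer to p/n for n > 0 (ties round up), in exact arithmetic."""
    return (2 * p + n) // (2 * n)


def gauss_divmod(alpha, beta):
    """Return (sigma, rho) with alpha = beta*sigma + rho and g(rho) < g(beta)."""
    if beta == (0, 0):
        raise ZeroDivisionError("beta must be nonzero")
    n = norm(beta)
    # alpha / beta = alpha * conj(beta) / g(beta); round each coordinate so
    # that Re and Im of alpha/beta - sigma are at most 1/2 in absolute value.
    num = mul(alpha, (beta[0], -beta[1]))
    sigma = (round_div(num[0], n), round_div(num[1], n))
    prod = mul(beta, sigma)
    rho = (alpha[0] - prod[0], alpha[1] - prod[1])
    return sigma, rho


def gauss_gcd(alpha, beta):
    """Euclidean algorithm in Z[i]; the result is determined up to a unit."""
    while beta != (0, 0):
        _, rho = gauss_divmod(alpha, beta)
        alpha, beta = beta, rho
    return alpha


if __name__ == "__main__":
    # Constructed sample: 5 = (2+i)(2-i) and 3+4i = (2+i)^2 share the factor 2+i.
    print(gauss_divmod((5, 0), (3, 4)))
    print(gauss_gcd((5, 0), (3, 4)))
```

The gcd returned for the sample is −2 − i, an associate of 2 + i, since greatest common divisors in a PID are only unique up to units.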

Unique factorization into primes yields a complete description of all the positive divisors of a positive integer. Any positive integer a has a factorization

$$a = p_1^{\alpha_1} p_2^{\alpha_2} \cdots p_r^{\alpha_r}$$

into powers of distinct primes, where the product is empty if a = 1. If d is a positive integer with d|a, and p is a prime with p|d, then p|a. Since p is a prime, this yields $p \mid p_i$ and hence $p = p_i$ for some i with 1 ≤ i ≤ r. So the prime factorization of d is of the form

$$d = p_1^{\delta_1} p_2^{\delta_2} \cdots p_r^{\delta_r}$$

where the $\delta_i$ are nonnegative integers. Since d|a we have a = dc where c is also a divisor of a and hence of the form

$$c = p_1^{\gamma_1} p_2^{\gamma_2} \cdots p_r^{\gamma_r}$$

where the $\gamma_i$ are nonnegative integers. Now

$$p_1^{\alpha_1} p_2^{\alpha_2} \cdots p_r^{\alpha_r} = a = dc = p_1^{\gamma_1+\delta_1} p_2^{\gamma_2+\delta_2} \cdots p_r^{\gamma_r+\delta_r}$$

and since a prime cannot divide a product of primes unless it is one of the factors, we see that $\gamma_i + \delta_i = \alpha_i$ for all i with 1 ≤ i ≤ r. Hence the divisors of

$$a = p_1^{\alpha_1} p_2^{\alpha_2} \cdots p_r^{\alpha_r}$$

are precisely the integers of the form

$$d = p_1^{\delta_1} p_2^{\delta_2} \cdots p_r^{\delta_r}$$

with $0 \le \delta_i \le \alpha_i$ for all i with 1 ≤ i ≤ r.

A positive integer s is squarefree if it is not divisible by any square $k^2 \ge 4$. The notation $p^{\alpha} \,\|\, n$ signifies that $p^{\alpha} \mid n$, but that $p^{\alpha+1} \nmid n$, which means that $p^{\alpha}$ is the exact power to which p divides n. In this notation, an integer s is squarefree if and only if p|s implies that $p \,\|\, s$.

We end our discussion of unique factorization into primes with Euclid’s proof that there are infinitely many primes. Let $p_1, p_2, \ldots, p_r$ be any finite collection of primes. Consider the nonzero integer $n = p_1 p_2 \cdots p_r + 1$. It is not a unit and so it is divisible by some prime q. But if q is contained in the collection $p_1, p_2, \ldots, p_r$ then $q \mid p_1 p_2 \cdots p_r$, which would imply that q|1, an impossibility. For a few arithmetic progressions the same argument may be used to show the existence of infinitely many primes in the progression, in particular for the arithmetic progression 3, 7, 11, 15, … of integers of the form 4m − 1. Let $p_1, p_2, \ldots, p_r$ be any finite collection of primes from the latter progression. Consider the nonzero integer $n = 4p_1 p_2 \cdots p_r - 1$. It is odd and it is not a unit and so it is divisible by some odd prime. Any product of integers of the form 4m + 1 is itself of this form, so n must be divisible by some prime q of the form 4m − 1. But if q is contained in the collection $p_1, p_2, \ldots, p_r$ then $q \mid p_1 p_2 \cdots p_r$, which would imply that q|(−1), an impossibility.


Greatest common divisors

A greatest common divisor of integers $a_1, a_2, \ldots, a_n$ is an integer d such that $d \mid a_1, d \mid a_2, \ldots, d \mid a_n$, and if c is any integer such that $c \mid a_1, c \mid a_2, \ldots, c \mid a_n$ then c|d. We shall show that a greatest common divisor always exists. If all the $a_i$ are zero, their greatest common divisor is zero. If not all the $a_i$ are zero, we may remove all those $a_i$ that are zero without changing the set of greatest common divisors. For every integer divides zero. We factor

$$a_i = u_i \prod_j p_j^{\alpha_{ij}}$$

into powers of distinct primes $p_j$ and units $u_i$. The description of the divisors of an integer in terms of its prime factorization then implies that

$$d = \prod_j p_j^{\min\{\alpha_{1j}, \alpha_{2j}, \ldots, \alpha_{nj}\}}$$

is a greatest common divisor of the $a_i$ that is unique up to associates.

We introduce the notation $\gcd(a_1, a_2, \ldots, a_n)$ for the nonnegative greatest common divisor of integers $a_1, a_2, \ldots, a_n$. The integers $a_1, a_2, \ldots, a_n$ are coprime if $\gcd(a_1, a_2, \ldots, a_n) = 1$, and are pairwise coprime if $\gcd(a_i, a_j) = 1$ for any i, j with 1 ≤ i < j ≤ n. Note that the integers 4, 5, 6 are coprime, but not pairwise coprime. Relatively prime is a synonym for coprime.

The formula $\gcd(ca_1, ca_2, \ldots, ca_n) = |c| \gcd(a_1, a_2, \ldots, a_n)$ follows directly from the definition of the greatest common divisor.

A least common multiple of integers $a_1, a_2, \ldots, a_n$ is an integer m such that $a_1 \mid m, a_2 \mid m, \ldots, a_n \mid m$, and if c is any integer such that $a_1 \mid c, a_2 \mid c, \ldots, a_n \mid c$ then m|c. Since any multiple of zero is zero, the least common multiple is zero if any of the integers $a_i$ are zero. Hence we may assume that all the $a_i$ are nonzero. We factor

$$a_i = u_i \prod_j p_j^{\alpha_{ij}}$$

into powers of distinct prime elements $p_j$ and units $u_i$. The description of the divisors of an integer in terms of its prime factorization then implies that

$$m = \prod_j p_j^{\max\{\alpha_{1j}, \alpha_{2j}, \ldots, \alpha_{nj}\}}$$

is a least common multiple of the $a_i$ that is unique up to associates.

We introduce the notation $\operatorname{lcm}[a_1, a_2, \ldots, a_n]$ for the nonnegative least common multiple of the integers $a_1, a_2, \ldots, a_n$. The formula $\operatorname{lcm}[ca_1, ca_2, \ldots, ca_n] = |c| \operatorname{lcm}[a_1, a_2, \ldots, a_n]$ follows directly from the definition of the least common multiple. The formula gcd(a, b) lcm[a, b] = |ab| follows from the description of greatest common divisors and least common multiples in terms of prime factorizations. The analogue of this formula for three or more integers is not valid.


Since every ideal in Z is principal, for arbitrary integers $a_1, a_2, \ldots, a_n$ there exists an integer d such that

$$d\mathbb{Z} = a_1\mathbb{Z} + a_2\mathbb{Z} + \cdots + a_n\mathbb{Z}.$$

Clearly $a_i \in d\mathbb{Z}$ for each i with 1 ≤ i ≤ n, and so $d \mid a_i$. On the other hand, if $c \mid a_i$ for 1 ≤ i ≤ n, then c divides every element in dZ, and c|d in particular. Hence d is a greatest common divisor of the $a_i$. Thus the greatest common divisors are those integers d minimal in the partial order of divisibility for which the linear Diophantine equation

$$a_1 x_1 + a_2 x_2 + \cdots + a_n x_n = d$$

has a solution in integers $x_i$. Moreover the equation

$$a_1 x_1 + a_2 x_2 + \cdots + a_n x_n = b$$

has a solution in integers if and only if d|b for some greatest common divisor d of the coefficients $a_1, a_2, \ldots, a_n$.

Finding all the divisors of a large integer without a huge number of trial divisions generally requires knowing its prime factorization. This can be a challenging problem, and the development of efficient factoring algorithms has drawn much attention. It is a remarkable fact that prime factorization can be short-circuited when finding a greatest common divisor of two integers. A procedure called the Euclidean Algorithm allows us to compute gcd(a, b) for integers a and b with great speed. The Euclidean algorithm is based on division with remainder. Assume without loss of generality that a > b > 0 and define sequences $\{a_k\}$, $\{b_k\}$, $\{q_k\}$ and $\{r_k\}$ by the requirements that $a_1 = a$ and $b_1 = b$, that $a_{k+1} = b_k$ and $b_{k+1} = r_k$, and that $q_k$ is the quotient and $r_k$ is the remainder on division of $a_k$ by $b_k$. Hence

$$a_k = q_k b_k + r_k$$

where $0 \le r_k < b_k$. The algorithm must terminate since $r_k$ is nonnegative and $r_{k+1} = b_k < r_k$. We note that the common divisors of $a_k$ and $b_k$ coincide with the common divisors of $b_k$ and $r_k$. But $a_{k+1} = b_k$ and $b_{k+1} = r_k$ so the common divisors of $a_k$ and $b_k$ coincide with the common divisors of $a_{k+1}$ and $b_{k+1}$. Hence the common divisors of $a_k$ and $b_k$ are the same as the common divisors of a and b. The algorithm terminates when $r_m = 0$, and then $a_m = q_m b_m$. The common divisors of $a_m$ and $b_m$ are clearly the divisors of $b_m$. Hence $b_m$ is a greatest common divisor of a and b. As an example we compute a greatest common divisor of 411 and 171 by the Euclidean algorithm:

$$\begin{aligned}
411 &= 2 \cdot 171 + 69 \\
171 &= 2 \cdot 69 + 33 \\
69 &= 2 \cdot 33 + 3 \\
33 &= 11 \cdot 3 + 0.
\end{aligned}$$


Hence gcd(411, 171) = 3. We note that the maximal number of steps of the Euclidean algorithm is O(log(b)). A good deal of work has been done on improvements and extensions of the Euclidean algorithm, and on their computational complexity.

The version of the Euclidean algorithm given by Euclid differs slightly from the version we use today, for it was based on repeated subtraction rather than repeated division with remainder. The basic insight underlying his version of the algorithm is that gcd(a, b) = gcd(a − b, b).

The Euclidean algorithm can be used to solve the linear Diophantine equation

$$ax + by = c$$

in integers x and y. In order to have a nontrivial equation, we assume that a and b are nonzero. We run the Euclidean algorithm to find gcd(a, b), and then check whether gcd(a, b)|c. If the answer is no, the equation has no solution in integers. If the answer is yes, we first use the information produced by the Euclidean algorithm to solve the equation

$$az + bw = \gcd(a, b)$$

in integers. We work backwards from the next to last equation produced by the Euclidean algorithm, expressing gcd(a, b) as an integer linear combination of $a_k$ and $b_k$ in each step. When we have obtained integers $z_0$ and $w_0$ that solve az + bw = gcd(a, b), we define $x_0 = (c/(a, b))z_0$ and $y_0 = (c/(a, b))w_0$. Then

$$\begin{aligned}
ax_0 + by_0 &= a(c/\gcd(a, b))z_0 + b(c/\gcd(a, b))w_0 \\
&= (c/\gcd(a, b))(az_0 + bw_0) = (c/\gcd(a, b))\gcd(a, b) = c
\end{aligned}$$

so we have a particular solution of ax + by = c. To find the general solution, put $x = x_0 + X$ and $y = y_0 + Y$ and substitute into the equation. This yields aX + bY = 0 and hence

$$\frac{a}{\gcd(a, b)} X = -\frac{b}{\gcd(a, b)} Y.$$

Since a/gcd(a, b) and b/gcd(a, b) are mutually prime, we see that (a/gcd(a, b))|Y and (b/gcd(a, b))|X. Hence X = t(b/gcd(a, b)) and Y = −t(a/gcd(a, b)) where t is an integer parameter. The general solution is

$$x = x_0 + t\,\frac{b}{\gcd(a, b)} \quad\text{and}\quad y = y_0 - t\,\frac{a}{\gcd(a, b)}$$

where t runs through the integers.

As an example we find the general solution to the Diophantine equation 411x + 171y = 21. We already know that gcd(411, 171) = 3, so the equation has integer solutions since 3|21. Now

$$\begin{aligned}
3 &= 69 - 2 \cdot 33 \\
&= 69 - 2 \cdot (171 - 2 \cdot 69) = (-2) \cdot 171 + 5 \cdot 69 \\
&= (-2) \cdot 171 + 5 \cdot (411 - 2 \cdot 171) = 411 \cdot 5 + (-12) \cdot 171
\end{aligned}$$


so $z_0 = 5$ and $w_0 = -12$ solves the equation 411z + 171w = 3. Since $x_0 = (21/\gcd(411, 171)) \cdot 5 = 35$ and $y_0 = (21/\gcd(411, 171)) \cdot (-12) = -84$, the general solution is x = 35 + 137t and y = −84 − 57t as t runs through the integers.

The Euclidean algorithm can be used to find the greatest common divisor $\gcd(a_1, a_2, \ldots, a_n)$ of more than two integers by applying the formula

$$\gcd(b_1, b_2, \ldots, b_k) = \gcd(b_1, \gcd(b_2, \ldots, b_k))$$

repeatedly. This formula is easily deduced from the description of the divisors of integers in terms of their prime factorizations.
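The Euclidean algorithm, the back-substitution that solves az + bw = gcd(a, b), and the resulting solver for ax + by = c, written out as an added example that is not part of the original text. All function names are assumptions for the illustration; the back-substitution is done iteratively, carrying the coefficients z and w along with each remainder instead of working backwards at the end.

```python
from functools import reduce


def euclid_rows(a, b):
    """Division rows (a_k, q_k, b_k, r_k) with a_k = q_k*b_k + r_k, for a > b > 0."""
    if not a > b > 0:
        raise ValueError("expects a > b > 0, as assumed in the text")
    rows = []
    while b != 0:
        q, r = divmod(a, b)
        rows.append((a, q, b, r))
        a, b = b, r  # a_{k+1} = b_k and b_{k+1} = r_k
    return rows


def extended_gcd(a, b):
    """Return (g, z, w) with a*z + b*w == g == gcd(a, b) and g >= 0."""
    # Invariant: r0 == a*z0 + b*w0 and r1 == a*z1 + b*w1 at every step.
    r0, z0, w0 = a, 1, 0
    r1, z1, w1 = b, 0, 1
    while r1 != 0:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1
        z0, z1 = z1, z0 - q * z1
        w0, w1 = w1, w0 - q * w1
    if r0 < 0:  # normalize to the nonnegative greatest common divisor
        r0, z0, w0 = -r0, -z0, -w0
    return r0, z0, w0


def solve_linear_diophantine(a, b, c):
    """Solve a*x + b*y == c in integers.

    Returns None when gcd(a, b) does not divide c. Otherwise returns
    (x0, y0, dx, dy), describing the general solution
    x = x0 + t*dx, y = y0 - t*dy with dx = b/gcd(a, b), dy = a/gcd(a, b).
    """
    if a == 0 or b == 0:
        raise ValueError("a and b must be nonzero")
    g, z0, w0 = extended_gcd(a, b)
    if c % g != 0:
        return None
    k = c // g
    return k * z0, k * w0, b // g, a // g


def gcd_many(*values):
    """gcd of several integers, folding the two-argument gcd over the list."""
    return reduce(lambda acc, v: extended_gcd(acc, v)[0], values, 0)


if __name__ == "__main__":
    for row in euclid_rows(411, 171):
        print("%d = %d*%d + %d" % row)
    print(extended_gcd(411, 171))
    print(solve_linear_diophantine(411, 171, 21))
    print(gcd_many(411, 171, 21))
```

Substituting the returned `(x0, y0, dx, dy)` back into ax + by for several values of t is a quick way to check a hand-computed general solution.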

Congruences

Consider Z as a ring, and let m be a positive integer. The quotient Z/mZ by the ideal mZ is a finite ring, with elements 1 + mZ, 2 + mZ, …, m + mZ. These elements, considered as subsets of Z, are called residue classes modulo m, because all integers in one residue class leave the same remainder (residue) r (with 0 ≤ r < m) upon division by m. The residue class of a modulo m may be denoted $\bar{a}$ when the modulus is known from the context. Gauss introduced a convenient notation for calculations with representatives of residue classes. We say that a and b are congruent modulo m, written as a ≡ b (mod m), if m|(a − b).

It is equivalent that a and b leave the same remainder r (with 0 ≤ r < m) upon division by m, that is to say, that they are representatives of the same residue class modulo m. The integer m is called the modulus of the congruence. Congruence is an equivalence relation, with a ≡ a (mod m), a ≡ b (mod m) implies b ≡ a (mod m), and a ≡ b (mod m) and b ≡ c (mod m) implies a ≡ c (mod m). If a ≡ b (mod m) and c ≡ d (mod m), then

$$a \pm c \equiv b \pm d \pmod{m} \quad\text{and}\quad ac \equiv bd \pmod{m}.$$

This is just another way of stating that the operations + and · are well-defined in Z/mZ.

There are also some relations between congruences to different moduli. If a ≡ b (mod m) and d|m, then a ≡ b (mod d). Another way to state this observation is that if d|m, then there is a well-defined epimorphism σ : Z/mZ → Z/dZ given by σ(a + mZ) = a + dZ. Suppose that a ≡ b (mod m), and put c = gcd(a, b) and d = gcd(c, m). Then a = ca′, b = cb′, c = dc′ and m = dm′ for some integers a′, b′, c′, m′, so dc′(a′ − b′) = c(a′ − b′) = a − b = km = kdm′. This yields c′|km′ and hence c′|k by the Fundamental Theorem of Arithmetic, since gcd(c′, m′) = 1. Then

$$\frac{a}{\gcd(a, b)} \equiv \frac{b}{\gcd(a, b)} \pmod{\frac{m}{\gcd(m, \gcd(a, b))}}$$

on canceling the common factor.


Chinese Remainder Theorem. If $m_1, \ldots, m_r$ are pairwise coprime positive integers and $b_1, \ldots, b_r$ are integers, then the simultaneous congruences

$$\begin{aligned}
n &\equiv b_1 \pmod{m_1} \\
n &\equiv b_2 \pmod{m_2} \\
&\;\;\vdots \\
n &\equiv b_r \pmod{m_r}
\end{aligned}$$

have a unique solution $n \equiv n_0 \pmod{m_1 m_2 \cdots m_r}$.

Proof. By induction, it is enough to establish the case r = 2. The linear Diophantine equation $m_1 x + m_2 y = 1$ has a solution $(x_0, y_0)$, because $\gcd(m_1, m_2) = 1$. Note that $m_2 x_0 \equiv 1 \pmod{m_1}$ and $m_1 y_0 \equiv 1 \pmod{m_2}$, and define $n_0 = b_1 m_2 x_0 + b_2 m_1 y_0$. Then

$$n_0 \equiv b_1 m_2 x_0 \equiv b_1 \pmod{m_1}$$

and

$$n_0 \equiv b_2 m_1 y_0 \equiv b_2 \pmod{m_2},$$

so the two simultaneous congruences have a common solution. This solution is unique modulo $m_1 m_2$. For if $n \equiv b_1 \pmod{m_1}$ and $n \equiv b_2 \pmod{m_2}$ while $n' \equiv b_1 \pmod{m_1}$ and $n' \equiv b_2 \pmod{m_2}$, then $n - n' \equiv b_1 - b_1 \equiv 0 \pmod{m_1}$ and $n - n' \equiv b_2 - b_2 \equiv 0 \pmod{m_2}$. But $m_1 \mid (n - n')$ and $m_2 \mid (n - n')$ and $\gcd(m_1, m_2) = 1$ imply $m_1 m_2 \mid (n - n')$ by the Fundamental Theorem of Arithmetic.

The Chinese remainder theorem is thus termed because the method of calculation underlying the proof was first set forth in a handbook by the Chinese mathematician Sun Zi. He was such an obscure figure that even the century of his birth is not definitely known, but he may have lived about 1600 years ago.

Every element a in the ring Z/mZ is either a zero divisor or has a multiplicative inverse. If gcd(m, a) = c ≥ 2, then $\bar{a}\,\bar{b} = \bar{d}\,\bar{m} = \bar{d}\,\bar{0} = \bar{0}$ with b = m/c and d = a/c. If gcd(m, a) = 1 on the other hand, then the linear Diophantine equation ax + my = 1 has some solution $(x_0, y_0)$. But $ax_0 + my_0 = 1$ implies that $ax_0 \equiv 1 \pmod{m}$, or $\bar{a}\,\bar{x}_0 = \bar{1}$ in Z/mZ. In particular Z/pZ is a field for every prime p. Up to isomorphism it is the only field with p elements. For if F is another such field, there is a homomorphism ϑ : Z/pZ → F defined by ϑ(1) = 1. Any nonzero homomorphism between fields is a monomorphism. Since the two fields both have p elements, ϑ is also an epimorphism.

An element of Z/mZ that has a multiplicative inverse is called a reduced residue class. The set $(\mathbb{Z}/m\mathbb{Z})^{\times}$ of reduced residue classes forms a group under multiplication, for if a and b are both coprime with m, then so is ab. Note that 1 is the unit element. Define φ(m) to be the order of this group, that is to say

$$\varphi(m) = |(\mathbb{Z}/m\mathbb{Z})^{\times}| = \sum_{\substack{1 \le a \le m \\ \gcd(m, a) = 1}} 1.$$


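It is a basic result in group theory that the order of an element of a finite group divides the order of the group, hence

$$a^{\varphi(m)} \equiv 1 \pmod{m}$$

if gcd(m, a) = 1. This congruence is due to Euler, and φ is called the Euler phi-function, or the Euler totient in the older literature. In the special case when the modulus is a prime, we obtain φ(p) = p − 1 because Z/pZ is a field for p prime. Then the congruence

$$x^p \equiv x \pmod{p}$$

holds for all integers x, for any prime p. For either p divides x or else p and x are coprime. The last congruence is known as the little theorem of Fermat.

Suppose that $m_1$ and $m_2$ are positive integers. Any integer a that is coprime with $m_1 m_2$ is coprime with $m_1$ and with $m_2$. Thus there are epimorphisms $\sigma_1 : (\mathbb{Z}/m_1 m_2\mathbb{Z})^{\times} \to (\mathbb{Z}/m_1\mathbb{Z})^{\times}$ given by $\sigma_1(a + m_1 m_2\mathbb{Z}) = a + m_1\mathbb{Z}$ and $\sigma_2 : (\mathbb{Z}/m_1 m_2\mathbb{Z})^{\times} \to (\mathbb{Z}/m_2\mathbb{Z})^{\times}$ given by $\sigma_2(a + m_1 m_2\mathbb{Z}) = a + m_2\mathbb{Z}$. Then there is an epimorphism $\sigma_1 \oplus \sigma_2 : (\mathbb{Z}/m_1 m_2\mathbb{Z})^{\times} \to (\mathbb{Z}/m_1\mathbb{Z})^{\times} \oplus (\mathbb{Z}/m_2\mathbb{Z})^{\times}$ given by $(\sigma_1 \oplus \sigma_2)(a + m_1 m_2\mathbb{Z}) = \sigma_1(a + m_1\mathbb{Z}) \oplus \sigma_1(a + m_2\mathbb{Z})$. This epimorphism is mono if $m_1$ and $m_2$ are coprime, for then $(\sigma_1 \oplus \sigma_2)(a + m_1 m_2\mathbb{Z}) = 1$ is equivalent to the simultaneous congruences

$$\begin{aligned}
a &\equiv 1 \pmod{m_1} \\
a &\equiv 1 \pmod{m_2},
\end{aligned}$$

and these have only one solution a ≡ 1 modulo $m_1 m_2$, by the Chinese remainder theorem. Thus

$$\begin{aligned}
\varphi(m_1 m_2) &= |(\mathbb{Z}/m_1 m_2\mathbb{Z})^{\times}| = |(\mathbb{Z}/m_1\mathbb{Z})^{\times} \oplus (\mathbb{Z}/m_2\mathbb{Z})^{\times}| \\
&= |(\mathbb{Z}/m_1\mathbb{Z})^{\times}|\,|(\mathbb{Z}/m_2\mathbb{Z})^{\times}| = \varphi(m_1)\varphi(m_2)
\end{aligned}$$

if $m_1$ and $m_2$ are coprime. The relation $\varphi(m_1 m_2) = \varphi(m_1)\varphi(m_2)$ for $m_1$ and $m_2$ coprime reduces the calculation of φ to the case of prime powers. This yields

$$\varphi(p_1^{\alpha_1} \cdots p_r^{\alpha_r}) = (p_1 - 1) \cdots (p_r - 1)\, p_1^{\alpha_1 - 1} \cdots p_r^{\alpha_r - 1},$$

because $\varphi(p^{\alpha}) = p^{\alpha} - p^{\alpha - 1}$ if p is prime. For there are $p^{\alpha - 1}$ integers a in the interval from 1 to $p^{\alpha}$ that are divisible by p.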
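The construction in the proof of the Chinese Remainder Theorem and the computation of φ from the prime factorization, as an added example that is not part of the original text. It covers both the CRT passage and the φ(m1m2) = φ(m1)φ(m2) passage; function names are assumptions, and the modular inverses come from Python's built-in `pow(x, -1, m)` (Python 3.8 or later) rather than from an explicit Diophantine solution.

```python
from itertools import combinations
from math import gcd


def crt(residues, moduli):
    """Solve n ≡ b_i (mod m_i) for pairwise coprime m_i; return (n0, m_1*...*m_r)."""
    if len(residues) != len(moduli) or not moduli:
        raise ValueError("need exactly one residue per modulus")
    if any(m <= 0 for m in moduli):
        raise ValueError("moduli must be positive")
    if any(gcd(m1, m2) != 1 for m1, m2 in combinations(moduli, 2)):
        raise ValueError("moduli must be pairwise coprime")
    n0, big_m = residues[0] % moduli[0], moduli[0]
    for b, m in zip(residues[1:], moduli[1:]):
        # Case r = 2 of the proof, applied to the moduli big_m and m:
        # u inverts m modulo big_m, v inverts big_m modulo m.
        u = pow(m, -1, big_m)
        v = pow(big_m, -1, m)
        n0 = (n0 * m * u + b * big_m * v) % (big_m * m)
        big_m *= m
    return n0, big_m


def factorize(n):
    """Prime factorization {p: alpha} of a positive integer by trial division."""
    if n <= 0:
        raise ValueError("n must be positive")
    factors, p = {}, 2
    while p * p <= n:
        while n % p == 0:
            factors[p] = factors.get(p, 0) + 1
            n //= p
        p += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors


def phi(m):
    """Euler phi-function via the product of (p - 1) * p**(alpha - 1)."""
    result = 1
    for p, alpha in factorize(m).items():
        result *= (p - 1) * p ** (alpha - 1)
    return result


def reduced_residues(m):
    """Representatives 1 <= a <= m of the reduced residue classes modulo m."""
    return [a for a in range(1, m + 1) if gcd(m, a) == 1]


def unit_images(m1, m2):
    """Images (a mod m1, a mod m2) of the reduced residues a modulo m1*m2."""
    return [(a % m1, a % m2) for a in reduced_residues(m1 * m2)]


if __name__ == "__main__":
    print(crt([2, 3, 2], [3, 5, 7]))          # constructed sample system
    print(phi(360), len(reduced_residues(360)))
    print(len(set(unit_images(8, 15))), len(set(unit_images(4, 6))))
```

For the coprime pair 8, 15 the images are all distinct, while for 4, 6 several reduced residues modulo 24 share an image, which is the failure of injectivity the text rules out by requiring coprime moduli.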

The product of the elements of a finite abelian group equals the product of those elements that have order equal to one or two. For the others cancel in pairs, since they do not equal their inverses. Applying this observation to the group (Z/pZ)× for p prime, and noting that the congruence $x^2 \equiv 1 \pmod{p}$ has only the solutions x ≡ ±1 modulo p when p is prime, we obtain the congruence

$$(p-1)! \equiv -1 \pmod{p}.$$

The result is named after J. Wilson, who rediscovered it in the eighteenth century but did not prove it. The Arab scholar Ibn al-Haytham (Alhacen) had made use of it more than half a millennium before. It was first proved by J. L. Lagrange in 1773.

The linear congruence ax ≡ b (mod m) in one unknown is equivalent to the linear Diophantine equation ax + my = b, and so does not call for particular comment. But if P ∈ Z[x] is a polynomial over the integers, we may consider the more general polynomial congruence P(x) ≡ 0 (mod m) for m a positive integer. This may be considered as a polynomial equation in the ring Z/mZ. There is then a very substantial contrast between the case when m is composite, and the case when m is prime. In the former case, Z/mZ has zero divisors, which greatly complicate the treatment of equations in the ring. But if m is prime, then this ring is a field, and the situation is much more transparent.

We consider a polynomial congruence modulo a prime p. By means of the little theorem of Fermat, the degree may always be reduced until one obtains a congruence with deg(P) ≤ p − 1. One is also free to reduce the coefficients of P modulo p without changing the set of solutions.

Lagrange’s theorem. The number of mutually incongruent solutions of a nontrivial polynomial congruence modulo a prime is at most equal to the degree of the polynomial.

Proof. Suppose that p is a prime, P(x) a polynomial over the field Z/pZ and $x_1$ an arbitrary element of Z/pZ. Then $P(x) \equiv Q(x)(x - x_1) + r \pmod{p}$ where Q(x) is a polynomial over Z/pZ with degree one smaller than P(x) and r is an element in Z/pZ. Supposing that $x_1$ is a solution of P(x) ≡ 0 modulo p, we see that r ≡ 0 and so $P(x) \equiv Q(x)(x - x_1)$ modulo p. If Q(x) has a zero modulo p, we may repeat the procedure. But clearly we cannot split off more than deg(P) linear factors, since the degree decreases by one in each step and P(x) was assumed not identically zero modulo p.

Primitive roots

If the multiplicative group (Z/mZ)× of reduced residue classes modulo m is cyclic, then any integer g for which g + mZ is a generator of this group, is called a primitive root modulo m. In that case, if a is any integer coprime with m, then $g^j \equiv a \pmod{m}$ for some integer j. In particular, the powers $g, g^2, \ldots, g^{\varphi(m)}$ are all distinct modulo m. Furthermore $g^k$ is a primitive root modulo m if and only if k and φ(m) are coprime. Thus if there exists a primitive root modulo m, there are φ(φ(m)) distinct ones modulo φ(m).

Existence of primitive roots. There exists a primitive root modulo m ≥ 2 if and only if $m = 2, 4, p^\alpha$ or $2p^\alpha$ for some odd prime p.

Proof. There exists a primitive root modulo p for any prime p. For it is a consequence of the structure theorem for finitely generated abelian groups that $(\mathbb{Z}/p\mathbb{Z})^\times \cong C_{d_1} \oplus C_{d_2} \oplus \cdots \oplus C_{d_r}$ where $C_d$ denotes the cyclic group of order d, and $d_1, \ldots, d_r$ are positive integers with $d_1 | d_2 | \cdots | d_r$. Then clearly every element of $(\mathbb{Z}/p\mathbb{Z})^\times$ has order equal to a divisor of $d_r$, so $a^{d_r} = 1$ for a and p coprime, and the polynomial $x^{d_r} - 1$ has at least $d_1d_2 \cdots d_r$ distinct roots modulo p. But it also has at most $d_r$ distinct roots modulo p by the theorem of Lagrange, hence r = 1 and $(\mathbb{Z}/p\mathbb{Z})^\times$ is cyclic.

There is also a primitive root modulo any power $p^\alpha$ of an odd prime p. Let g be a primitive root modulo p and h an integer with

$$h \not\equiv \frac{g^p - g}{p} \pmod{p},$$

and put r = g + hp. We will show that r is a primitive root modulo $p^\alpha$ for every α ≥ 2. Denote by e the order of r as an element of the group $(\mathbb{Z}/p^\alpha\mathbb{Z})^\times$. We know that e divides $|(\mathbb{Z}/p^\alpha\mathbb{Z})^\times| = \varphi(p^\alpha)$ and the task at hand is to show that $e = \varphi(p^\alpha) = (p-1)p^{\alpha-1}$. Then r has the maximal number of distinct powers modulo $p^\alpha$ and is thus a primitive root. Now $r^{p-1} \equiv 1 \pmod{p}$ by Fermat’s little theorem, while r is a primitive root modulo p since g is. Thus e has to be a multiple of p − 1. Hence it will be sufficient to show that

$$r^{(p-1)p^{\alpha-2}} \not\equiv 1 \pmod{p^\alpha},$$

and this is where most of the work lies.

Note that $r^p \equiv g^p + h^p p^p \equiv g^p \pmod{p}$ by the Binomial theorem, since the exponent is prime. Thus

$$r^p - r \equiv g^p - g - hp \equiv p\left(\frac{g^p - g}{p} - h\right) \not\equiv 0 \pmod{p^2}$$

and so $r^{p-1} = 1 + kp$ with k not divisible by p. Expanding $(1 + kp^j)^p$ for j ≥ 1 by the Binomial theorem, the first two terms are 1 and $kp^{j+1}$ while the other terms are either divisible by $p^{2j+1}$ or $p^{pj}$. Thus all these terms are divisible by $p^{j+2}$ since p ≥ 3 is an odd prime, and

$$(1 + kp^j)^p \equiv 1 + kp^{j+1} \pmod{p^{j+2}}$$

follows. In particular,

$$(r^{p-1})^p \equiv 1 + kp^2 \pmod{p^3}$$

holds. Thus

$$(r^{p-1})^{p^s} \equiv 1 + kp^{s+1} \pmod{p^{s+2}}$$

holds for s = 1, and assuming it to hold for some s, the congruence

$$(1 + kp^{s+1})^p \equiv 1 + kp^{s+2} \pmod{p^{s+3}}$$

obtained by choosing j = s + 1 above, yields

$$(r^{p-1})^{p^{s+1}} \equiv (1 + kp^{s+1})^p \equiv 1 + kp^{s+2} \pmod{p^{s+3}}.$$

Hence

$$(r^{p-1})^{p^s} \equiv 1 + kp^{s+1} \pmod{p^{s+2}}$$


holds for all s by induction. Then

$$r^{(p-1)p^{\alpha-2}} \equiv 1 + kp^{\alpha-1} \not\equiv 1 \pmod{p^\alpha},$$

by substituting s = α − 2.

Evidently 1 is a primitive root modulo 2 and 3 is a primitive root modulo $2^2$. But $a^2 \equiv 1 \pmod{2^3}$ for any odd integer a, and if

$$a^{2^{\alpha-2}} \equiv 1 \pmod{2^\alpha},$$

then for α ≥ 3 we have

$$a^{2^{\alpha-1}} \equiv (1 + b2^\alpha)^2 \equiv 1 + b2^{\alpha+1} + b^2 2^{2\alpha} \equiv 1 \pmod{2^{\alpha+1}}$$

with b some integer. Hence

$$a^{2^{\alpha-2}} \equiv 1 \pmod{2^\alpha}$$

holds for α ≥ 3 by induction. Since the order of a is strictly smaller than $\varphi(2^\alpha)$ for each odd integer, there is no primitive root modulo $2^\alpha$ when α ≥ 3.

The Chinese remainder theorem implies that if $m = p_1^{\alpha_1} \cdots p_\ell^{\alpha_\ell}$ is the factorization of m into prime powers, then

$$(\mathbb{Z}/m\mathbb{Z})^\times \cong G_1 \oplus \cdots \oplus G_\ell$$

where $G_i$ is isomorphic to $(\mathbb{Z}/p_i^{\alpha_i}\mathbb{Z})^\times$. Since any subgroup of a cyclic group is cyclic, we see that $2^\alpha$ with α ≥ 3 cannot occur in the prime factorization of m. Moreover, a direct sum of cyclic groups is cyclic if and only if all but one summand is trivial. Since $(\mathbb{Z}/p^\alpha\mathbb{Z})^\times$ is trivial only when $p^\alpha = 2$, we see that $m = 2p^\alpha$ with p an odd prime are the only moduli that have primitive roots, beyond those that we have already found.

Supposing g to be a primitive root modulo m and a to be an integer coprime with m, the congruence

$$g^e \equiv a \pmod{m}$$

has a unique solution e in the interval 0 ≤ e ≤ φ(m) − 1. This unique exponent e is called the index of a to base g and is denoted by $\operatorname{ind}_g(a)$ (where m is assumed known from context). The index of a depends only on the residue class of a modulo m. The formula

$$\operatorname{ind}_g(ab) \equiv \operatorname{ind}_g(a) + \operatorname{ind}_g(b) \pmod{\varphi(m)}$$

reduces multiplication modulo m to addition modulo φ(m), and also permits the calculation of powers, and of k-th roots when k and φ(m) are coprime. This technique of calculation is called the index calculus. Clearly the index is analogous to the logarithm.
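The lifting step r = g + hp from the existence proof and the index calculus can both be checked numerically. The Python code below is an added example, not part of the original summary; the function names are illustrative, and the brute-force order and index computations assume small moduli.

```python
from math import gcd

def order(a, m):
    """Multiplicative order of a in (Z/mZ)^x for m >= 2; needs gcd(a, m) = 1."""
    if gcd(a, m) != 1:
        raise ValueError("a must be coprime with m")
    x, e = a % m, 1
    while x != 1:
        x, e = x * a % m, e + 1
    return e

def primitive_root_mod_prime(p):
    """Smallest primitive root modulo the prime p."""
    return next(g for g in range(1, p) if order(g, p) == p - 1)

def lift_primitive_root(g, p):
    """Given a primitive root g modulo an odd prime p, return r = g + h*p with
    h not congruent to (g^p - g)/p modulo p, the choice made in the proof.
    The result is a primitive root modulo every power of p."""
    forbidden = ((pow(g, p, p * p) - g) % (p * p)) // p   # (g^p - g)/p mod p
    h = 1 if forbidden == 0 else 0
    return g + h * p

def has_primitive_root(m):
    """True when (Z/mZ)^x is cyclic, decided by exhaustive search."""
    units = [a for a in range(1, m) if gcd(a, m) == 1]
    return any(order(a, m) == len(units) for a in units)

def index_table(g, m):
    """Map every reduced residue a to ind_g(a), for g a primitive root mod m."""
    table, x, e = {}, 1, 0
    while x not in table:
        table[x] = e
        x, e = x * g % m, e + 1
    return table

def multiply_via_index(a, b, g, m, table):
    """a*b mod m computed as g^(ind a + ind b mod phi(m))."""
    phi = len(table)
    return pow(g, (table[a % m] + table[b % m]) % phi, m)

def kth_root_via_index(a, k, g, m, table):
    """The x with x^k = a (mod m), for gcd(k, phi(m)) = 1."""
    phi = len(table)
    if gcd(k, phi) != 1:
        raise ValueError("k must be coprime with phi(m)")
    return pow(g, table[a % m] * pow(k, -1, phi) % phi, m)

if __name__ == "__main__":
    # 14 is a primitive root modulo 29 whose order modulo 29^2 is still only 28,
    # so it has to be replaced by 14 + 29 = 43 before it generates (Z/29^2 Z)^x.
    print(order(14, 29), order(14, 29**2), lift_primitive_root(14, 29))
    print(order(43, 29**2), 28 * 29)
    table = index_table(3, 49)
    print(multiply_via_index(10, 23, 3, 49, table), 10 * 23 % 49)
    print(kth_root_via_index(10, 5, 3, 49, table))
    print([m for m in range(2, 31) if has_primitive_root(m)])
```
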


Quadratic residues

The Legendre symbol (n|p) modulo an odd prime p may be defined by the congruence

$$\left(\frac{n}{p}\right) \equiv n^{(p-1)/2} \pmod{p}$$

and the inequality

$$-\frac{p-1}{2} \le \left(\frac{n}{p}\right) \le \frac{p-1}{2},$$

for all integers n ≢ 0 (mod p). Fermat’s little theorem implies that the Legendre symbol takes the values ±1. Note that since there exists a primitive root modulo p, there exists some n with (n|p) = −1. In particular, the homomorphism σ : (Z/pZ)× → {±1} given by n + pZ ↦ (n|p) is not epi, so the kernel of this homomorphism has index equal to 2. Evidently the sum of all the Legendre symbols modulo any fixed odd prime p is zero.

An integer n coprime with m is called a quadratic residue modulo m if the congruence

$$x^2 \equiv n \pmod{m}$$

has a solution. If not, n is called a quadratic nonresidue modulo m. Integers n with gcd(m, n) ≥ 2 are neither quadratic residues nor nonresidues modulo m.

Though the above definition of the Legendre symbol is essentially the one Legendre used, today it is customary to define (n|p) to equal 1 if n is a quadratic residue modulo p and −1 if n is a quadratic nonresidue modulo p. Euler’s criterion implies that the two definitions are equivalent. In the algebraical spirit that governs this Summary, we adopt Legendre’s definition. For (n|p) = −1 if and only if the order of n as an element of the group (Z/pZ)× is maximal. It is obvious that the product of two quadratic residues modulo p is itself a quadratic residue modulo p, but the next result shows that more is true.

Euler’s Criterion. An integer n coprime with an odd prime p is a quadratic residue modulo p if and only if (n|p) = 1.

Proof. The integers $1, 2^2, \ldots, (p-1)^2$ are the quadratic residues modulo p, but with repetitions modulo p. If a pair of these integers, say $k^2$ and $m^2$, are congruent modulo p, then $(m-k)(m+k) \equiv m^2 - k^2 \equiv 0 \pmod{p}$. Thus m ≡ ±k (mod p) since p is a prime, and so there are exactly (p − 1)/2 quadratic residues modulo p. If n is a quadratic residue modulo p, then there is some integer m so that

$$n^{(p-1)/2} \equiv (m^2)^{(p-1)/2} \equiv m^{p-1} \equiv 1 \pmod{p},$$

and thus (n|p) = 1. Evidently every quadratic residue is a root of the polynomial $y^{(p-1)/2} - 1$ modulo p. But this polynomial has at most (p − 1)/2 roots modulo p by Lagrange’s theorem, so no quadratic nonresidue is a root of it. Hence n a quadratic nonresidue implies that (n|p) = −1.


It follows from Euler’s criterion that the quadratic residue classes modulo an odd prime p form a subgroup of (Z/pZ)× of index equal to 2. In particular, if the two congruences $x^2 \equiv m \pmod{p}$ and $x^2 \equiv n \pmod{p}$ have no solutions, then the congruence $x^2 \equiv mn \pmod{p}$ necessarily has a solution, and this is not at all obvious.

The Law of Quadratic Reciprocity. The relation

$$\left(\frac{p}{q}\right)\left(\frac{q}{p}\right) = (-1)^{\frac{p-1}{2}\frac{q-1}{2}}$$

between Legendre symbols holds for all distinct odd primes p and q.

Proof. For every odd positive integer n denote by $N_n$ the number of solutions in $(\mathbb{Z}/q\mathbb{Z})^n$ of the equation $x_1^2 - x_2^2 + x_3^2 - \cdots + x_n^2 = 1$. Making the change of variable $x_1 = y + x_2$ yields $y^2 + x_3^2 - \cdots + x_n^2 - 1 = 2yx_2$. For each y ≠ 0 and any choice of $x_3, \ldots, x_n$ there is a unique corresponding value of $x_2$ which also determines $x_1$. This yields a total of $(q-1)q^{n-2}$ solutions. Together with y = 0 the original equation is equivalent to the system

$$x_1 = x_2 \quad\text{and}\quad x_3^2 - \cdots + x_n^2 = 1,$$

and so there are $qN_{n-2}$ solutions for y = 0. Thus $N_n = (q-1)q^{n-2} + qN_{n-2}$ and so

$$\begin{aligned}
N_n &= (q-1)q^{n-2} + qN_{n-2} = (q-1)q^{n-2} + q\left((q-1)q^{n-4} + qN_{n-4}\right) \\
&= (q-1)q^{n-2} + (q-1)q^{n-3} + q^2N_{n-4} = \cdots \\
&= (q-1)q^{n-2} + \cdots + (q-1)q^{n-1-k} + q^kN_{n-2k}.
\end{aligned}$$

Choosing k = (n − 1)/2 yields

$$\begin{aligned}
N_n &= (q-1)q^{n-2} + \cdots + (q-1)q^{(n-3)/2} + q^{(n-1)/2}N_1 \\
&= q^{n-1} + q^{(n-1)/2}(N_1 - 1) = q^{n-1} + q^{(n-1)/2},
\end{aligned}$$

and thus $N_p \equiv 1 + (q|p) \pmod{p}$ on taking n = p and using the definition of the Legendre symbol.

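We obtain the law of quadratic reciprocity by computing $N_p$ in another way. Let $N(x^2 = t)$ denote the number of solutions of $x^2 = t$ in Z/qZ. Then

$$N_p = \sum_{t_1 + \cdots + t_p = 1} N(x_1^2 = t_1)\,N(x_2^2 = -t_2)\,N(x_3^2 = t_3) \cdots N(x_p^2 = t_p)$$

where $t_1, t_2, \ldots, t_p$ range over Z/qZ, and so

$$N_p = \sum_{t_1 + \cdots + t_p = 1} \left(1 + \left(\frac{t_1}{q}\right)\right)\left(1 + \left(\frac{-t_2}{q}\right)\right)\left(1 + \left(\frac{t_3}{q}\right)\right) \cdots \left(1 + \left(\frac{t_p}{q}\right)\right),$$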


for $x^2 = t$ has two solutions if t is a quadratic residue class modulo q, one solution if t = 0 and no solutions if t is a quadratic nonresidue class. Multiplying out the product under the last summation sign, only the terms 1 and $(t_1|q)(-t_2|q)(t_3|q) \cdots (t_p|q)$ in the inner sum contribute to the outer sum. For if some but not all the factors of the form $(\pm t_j|q)$ are present in a term, then at least one $t_j$ will run unrestrictedly over Z/qZ, and summing over this $t_j$ yields zero, since the sum of the Legendre symbol over a complete collection of residue classes modulo q is zero. Thus

$$N_p = q^{p-1} + \sum_{t_1 + \cdots + t_p = 1} \left(\frac{t_1}{q}\right)\left(\frac{-t_2}{q}\right)\left(\frac{t_3}{q}\right) \cdots \left(\frac{t_p}{q}\right)$$

since $t_1 + t_2 + \cdots + t_p = 1$ has $q^{p-1}$ solutions. Now

$$N_p = q^{p-1} + \left(\frac{(-1)^{(p-1)/2}}{q}\right) \sum_{t_1 + \cdots + t_p = 1} \left(\frac{t_1 \cdots t_p}{q}\right).$$

Each tuple $(u_1, \ldots, u_p)$ with $u_1 + \cdots + u_p = 1$ belongs to an equivalence class under permutation, and all members of this equivalence class are also solutions of $t_1 + \cdots + t_p = 1$ and the value of the term $(t_1 \cdots t_p|q)$ is the same for all of them. If all $u_j$ are equal, that is to say if $u_j = p^{-1}$, then this equivalence class is a singleton, but otherwise the number of elements in the equivalence class is divisible by p. For this number is of the form $p!/k_1! \cdots k_r!$ where $k_1, \ldots, k_r$ are the numbers of elements of $(u_1, \ldots, u_p)$ that are identical in groups. Thus

$$\sum_{t_1 + \cdots + t_p = 1} \left(\frac{t_1 \cdots t_p}{q}\right) \equiv \left(\frac{p^{-p}}{q}\right) \pmod{p},$$

and so

$$N_p \equiv 1 + \left(\frac{(-1)^{(p-1)/2}}{q}\right)\left(\frac{p^{-p}}{q}\right) \equiv 1 + \left((-1)^{(p-1)/2}\right)^{(q-1)/2}\left(\frac{p}{q}\right)^{-p} \equiv 1 + (-1)^{(p-1)(q-1)/4}\left(\frac{p}{q}\right) \pmod{p}.$$

Now comparison with the other congruence

$$N_p \equiv 1 + \left(\frac{q}{p}\right) \pmod{p}$$

yields the law of quadratic reciprocity.

This is the central result on quadratic congruences. It was first conjectured by Euler, and first proved by Gauss. The proof presented here was found recently by W. Castryck.

There are many proofs of the quadratic reciprocity law. Gauss found eight proofs, some based on the following criterion for quadratic residuacy.


Gauss’ Lemma. Let p be an odd prime and n an integer not divisible by p. Denote by µ the number of the integers n, 2n, ..., (p − 1)n/2 that are congruent to some integer in the interval [−(p − 1)/2, −1]. Then $(n|p) = (-1)^\mu$.

Proof. The integers n, 2n, ..., (p − 1)n/2 are pairwise incongruent modulo p and each is congruent to one of the integers −(p − 1)/2, ..., −1, 1, ..., (p − 1)/2 modulo p. Moreover, jn ≡ −kn (mod p) implies that (j + k)n ≡ 0 (mod p), which is impossible. Thus

$$n \cdot 2n \cdots (p-1)n/2 \equiv (-1)^\mu\, 1 \cdot 2 \cdots (p-1)/2 \pmod{p}$$

and so $(n|p) \equiv n^{(p-1)/2} \equiv (-1)^\mu \pmod{p}$ on canceling the common factor 1·2···(p − 1)/2.

The quadratic reciprocity law allows us to determine if n is a quadratic residue modulo p if n is an odd positive integer. The case of odd negative integers is also easily handled since $(-1|p) = (-1)^{(p-1)/2}$ by our definition of the Legendre symbol. This leaves the case of even integers. Choosing n = 2 in Gauss’ lemma, we must find the number µ of even integers 2, 4, ..., p − 1 congruent modulo p to integers in the interval [−(p − 1)/2, −1]. But this is obviously equal to the number of even integers in the interval [(p + 1)/2, p − 1]. Counting the number of integers k for which (p + 1)/2 ≤ 2k ≤ p − 1 yields

$$\mu = \frac{p-1}{2} - \left[\frac{p+1}{4}\right]$$

if (p + 1)/4 is not an integer, and

$$\mu = \frac{p-1}{2} - \left[\frac{p+1}{4}\right] + 1$$

otherwise. Considering the possibilities for µ as p ranges through the odd residue classes modulo 8, one sees that $\mu \equiv (p^2 - 1)/8 \pmod{2}$, and so $(2|p) = (-1)^{(p^2-1)/8}$. The formulas for (−1|p) and (2|p) are called the supplementary laws, for together with the law of quadratic reciprocity, they permit the efficient calculation of (n|p) for any integer n.

The Jacobi symbol (n|m) generalizes the Legendre symbol to odd positive integer moduli m. Supposing m to have the prime factorization

$$m = p_1^{\alpha_1} \cdots p_r^{\alpha_r},$$

and gcd(m, n) = 1, the Jacobi symbol is defined by

$$\left(\frac{n}{m}\right) = \left(\frac{n}{p_1}\right)^{\alpha_1} \cdots \left(\frac{n}{p_r}\right)^{\alpha_r}$$

in terms of Legendre symbols. Supposing n also to be an odd positive integer, with prime factorization

$$n = q_1^{\beta_1} \cdots q_s^{\beta_s},$$


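we have

$$\left(\frac{n}{m}\right) = \left(\frac{n}{p_1}\right)^{\alpha_1} \cdots \left(\frac{n}{p_r}\right)^{\alpha_r} = \left(\frac{q_1}{p_1}\right)^{\alpha_1\beta_1} \cdots \left(\frac{q_k}{p_j}\right)^{\alpha_j\beta_k} \cdots \left(\frac{q_s}{p_r}\right)^{\alpha_r\beta_s}$$

and similarly

$$\left(\frac{m}{n}\right) = \left(\frac{p_1}{q_1}\right)^{\alpha_1\beta_1} \cdots \left(\frac{p_j}{q_k}\right)^{\alpha_j\beta_k} \cdots \left(\frac{p_r}{q_s}\right)^{\alpha_r\beta_s}.$$

Thus

$$\left(\frac{n}{m}\right)\left(\frac{m}{n}\right) = \cdots \left(\left(\frac{q_k}{p_j}\right)\left(\frac{p_j}{q_k}\right)\right)^{\alpha_j\beta_k} \cdots = \cdots \left((-1)^{\frac{p_j-1}{2}\frac{q_k-1}{2}}\right)^{\alpha_j\beta_k} \cdots$$

if gcd(m, n) = 1, by the Law of Quadratic Reciprocity. Now $(p_j - 1)^m \equiv 0 \pmod{4}$ for odd primes $p_j$ and integers m ≥ 2, so

$$\begin{aligned}
p_1^{\alpha_1} \cdots p_r^{\alpha_r} &\equiv (1 + (p_1 - 1))^{\alpha_1} \cdots (1 + (p_r - 1))^{\alpha_r} \\
&\equiv 1 + (p_1 - 1)\alpha_1 + \cdots + (p_r - 1)\alpha_r \pmod{4}
\end{aligned}$$

by the Binomial Theorem. Since this also holds for the $q_k$ and $\beta_k$ we obtain

$$\frac{(m-1)(n-1)}{4} \equiv \frac{1}{4} \sum_{j=1}^{r} (p_j - 1)\alpha_j \left(\sum_{k=1}^{s} (q_k - 1)\beta_k\right) \pmod{2}$$

and thus

$$\left(\frac{n}{m}\right)\left(\frac{m}{n}\right) = (-1)^{\frac{m-1}{2}\frac{n-1}{2}}$$

if m and n are odd coprime integers. This relation generalizes the Law of Quadratic Reciprocity to Jacobi symbols. The supplementary laws also generalize to odd positive moduli by similar calculations.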

If n is an integer and m an odd positive integer with (n|m) = −1, there must be some prime p|m with (n|p) = −1, so n is a quadratic nonresidue modulo p. But then n is also a quadratic nonresidue modulo m. There is no implication in the other direction, as we see by an example. The calculation

$$\left(\frac{3}{7}\right) = \left(\frac{3}{7}\right)\left(\frac{1}{3}\right) = \left(\frac{3}{7}\right)\left(\frac{7}{3}\right) = -1,$$

shows that 3 is a quadratic nonresidue modulo 7. Clearly 3 is also a quadratic nonresidue modulo $7^2$, but $(3|7^2) = (3|7)^2 = 1$. Thus both quadratic residues and nonresidues may have a positive Jacobi symbol.

It is not possible to carry over both the relationship with quadratic residuacy and the reciprocity law when generalizing the Legendre symbol to general odd positive moduli. One or the other has to be sacrificed, and it is generally felt that it is most useful to keep the reciprocity law.


An integer D is called a fundamental discriminant if either D is squarefree and D ≡ 1 (mod 4) or else 4|D with D/4 squarefree and D/4 ≡ 2 or 3 (mod 4). This terminology comes from algebraic number theory. When D is a fundamental discriminant, and only then, we shall generalize the Jacobi symbol further, to the Kronecker symbol (D|m) for m a positive integer that may be even. Note that we do not require D and m to be coprime in the Kronecker symbol.

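The Kronecker symbol is defined by

$$\left(\frac{D}{m}\right) = \left(\frac{D}{p_1}\right)^{\alpha_1} \cdots \left(\frac{D}{p_r}\right)^{\alpha_r}$$

if $m = p_1^{\alpha_1} \cdots p_r^{\alpha_r}$ is a positive integer. Here $(D|p_j)$ is the Legendre symbol if $p_j$ is an odd prime that does not divide D. We set $(D|p_j) = 0$ if $p_j | D$, and

$$\left(\frac{D}{p_j}\right) = (-1)^{\frac{D^2-1}{8}}$$

if $p_j = 2$.

The multiplicativity property (D|mn) = (D|m)(D|n) is a direct consequence of the definition. It is also clear that (D|m) = 0 whenever gcd(D, m) ≥ 2.

The fundamental discriminant D is a period of the Kronecker symbol. Note that if gcd(D, m) ≥ 2, then gcd(D, m + D) ≥ 2, so we may suppose D and m coprime. Write $m = 2^\alpha m'$ with m′ odd if D ≡ 1 (mod 4). Then

$$\begin{aligned}
\left(\frac{D}{m}\right) &= \left(\frac{D}{2}\right)^{\alpha}\left(\frac{D/|D|}{m'}\right)\left(\frac{|D|}{m'}\right) = (-1)^{\alpha\frac{D^2-1}{8}}\left(\frac{\operatorname{sgn}(D)}{m'}\right)\left(\frac{m'}{|D|}\right)(-1)^{\frac{m'-1}{2}\frac{|D|-1}{2}} \\
&= \left(\frac{2}{|D|}\right)^{\alpha}\left(\frac{m'}{|D|}\right)\left(\frac{\operatorname{sgn}(D)}{m'}\right)\left(\frac{-1}{m'}\right)^{\frac{|D|-1}{2}} \\
&= \left(\frac{m}{|D|}\right)\left(\frac{\operatorname{sgn}(D)(-1)^{\frac{|D|-1}{2}}}{m'}\right) = \left(\frac{m}{|D|}\right)
\end{aligned}$$

by quadratic reciprocity, the supplementary laws for the Jacobi symbol, and

$$\operatorname{sgn}(D)(-1)^{\frac{|D|-1}{2}} = (-1)^{\frac{D-1}{2}}.$$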

If D = 4D′ with D′ ≡ 3 (mod 4) then

$$\left(\frac{D}{m}\right) = \left(\frac{m}{|D'|}\right)\left(\frac{-1}{m}\right)$$

for m odd by the same kind of calculation. The second factor is periodic with period 4. If D = 8D′ with D′ ≡ 1 (mod 2) then

$$\left(\frac{D}{m}\right) = \left(\frac{m}{|D'|}\right)\left(\frac{2(-1)^{\frac{D'-1}{2}}}{m}\right)$$

The second factor is one of (±2|m) and is therefore periodic with period 8. So D is a period of (D|m) in all three cases.
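The reciprocity law and the supplementary laws give an algorithm for the Jacobi symbol that never factors the modulus, and the Kronecker symbol follows by splitting off the power of 2. The Python code below is an added example, not part of the original text, covering both the Jacobi example $(3|7^2)$ and the periodicity claim above; function names are illustrative, `kronecker` assumes D is a fundamental discriminant, and the period is tested as |D| so that the modulus stays positive.

```python
from math import gcd, isqrt

def legendre(n, p):
    """Legendre symbol as defined in the text: the residue of n^((p-1)/2)
    modulo the odd prime p that lies in [-(p-1)/2, (p-1)/2]."""
    t = pow(n, (p - 1) // 2, p)
    return t - p if t > (p - 1) // 2 else t

def jacobi(n, m):
    """Jacobi symbol (n|m) for odd positive m, using only reciprocity and the
    supplementary laws. Returns 0 when gcd(n, m) > 1."""
    if m <= 0 or m % 2 == 0:
        raise ValueError("m must be odd and positive")
    n %= m
    result = 1
    while n:
        while n % 2 == 0:             # pull out factors 2 with (2|m)
            n //= 2
            if m % 8 in (3, 5):       # (2|m) = (-1)^((m^2-1)/8)
                result = -result
        n, m = m, n                   # reciprocity for odd coprime n, m
        if n % 4 == 3 and m % 4 == 3:
            result = -result
        n %= m
    return result if m == 1 else 0

def is_quadratic_residue(n, m):
    """Brute force: n coprime with m and x^2 = n (mod m) solvable."""
    return gcd(n, m) == 1 and any((x * x - n) % m == 0 for x in range(1, m))

def squarefree(n):
    n = abs(n)
    return n != 0 and all(n % (d * d) for d in range(2, isqrt(n) + 1))

def is_fundamental_discriminant(D):
    """The definition from the text (it admits D = 1)."""
    if D % 4 == 1:
        return squarefree(D)
    return D % 4 == 0 and squarefree(D // 4) and (D // 4) % 4 in (2, 3)

def kronecker(D, m):
    """Kronecker symbol (D|m) for m >= 1: (D|2) = (-1)^((D^2-1)/8) for odd D,
    (D|2) = 0 for even D, and the Jacobi symbol on the odd part of m."""
    alpha = 0
    while m % 2 == 0:
        m //= 2
        alpha += 1
    if alpha and D % 2 == 0:
        return 0
    two = 1 if D % 8 in (1, 7) else -1
    return two ** alpha * jacobi(D, m)

def has_period(D, limit=200):
    """Check (D|m) = (D|m + |D|) for 1 <= m < limit."""
    return all(kronecker(D, m) == kronecker(D, m + abs(D))
               for m in range(1, limit))

if __name__ == "__main__":
    # Jacobi symbol +1 does not imply residuacy: the example from the text.
    print(jacobi(3, 7), jacobi(3, 49), is_quadratic_residue(3, 49))
    for D in (-8, -7, -4, -3, 5, 8, 12, 13):
        print(D, [kronecker(D, m) for m in range(1, abs(D) + 1)], has_period(D))
```
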


Sums of two squares

A positive integer b is a sum of two squares if there exist integers k and m, not necessarily positive, such that $b = k^2 + m^2$. The Brahmagupta-Fibonacci identity

$$(x^2 + y^2)(u^2 + v^2) = (xu + yv)^2 + (yu - xv)^2$$

shows that the product of two sums of two squares is itself a sum of two squares. Since any square is congruent to 0 or 1 modulo 4, it is clear that no prime congruent to 3 modulo 4 can be a sum of two squares. The prime $2 = 1^2 + 1^2$ is a sum of two squares, which leaves the primes congruent to 1 modulo 4 to be accounted for.

Fermat’s two squares theorem. Every prime p congruent to 1 modulo 4 is a sum of two squares.

Proof. The involution $f : (x, y, z) \mapsto (-x, z, y)$ on the finite set

$$S = \{(x, y, z) \in \mathbb{Z}^3 \mid x^2 + 4yz = p,\ y > 0,\ z > 0\}$$

has no fixpoint since x = 0 is impossible. In particular f(T) = S \ T where

$$T = \{(x, y, z) \in S \mid x > 0\}.$$

Furthermore f(U) = S \ U where

$$U = \{(x, y, z) \in S \mid x - y + z > 0\}.$$

For there are no elements in S with x − y + z = 0 since this would give $p = x^2 + 4yz = (y - z)^2 + 4yz = (y + z)^2$. Now f is a bijection and so

$$f(T \setminus U) = f(T) \setminus f(U) = (S \setminus T) \setminus (S \setminus U) = U \setminus T$$

shows that T \ U and U \ T have the same number of elements. Since T = (T \ U) ∪ (T ∩ U) and U = (U \ T) ∪ (T ∩ U) it follows that T and U have the same number of elements.

The mapping $(x, y, z) \mapsto (2y - x, y, x - y + z)$ is an involution on U, since $(2y - x)^2 + 4y(x - y + z) = 4y^2 - 4xy + x^2 + 4xy - 4y^2 + 4yz = x^2 + 4yz = p$. The condition for (x, y, z) to be a fixpoint of this involution is that x = y. This gives $x^2 + 4xz = p$, and since p is a prime, x = ±1, ±p are the only possibilities. Now x = ±p is excluded because $x^2 + 4yz = p$ with y > 0 and z > 0. If x = −1 then y = −1 and z = (1 − p)/4, and this contradicts the condition x − y + z > 0. This leaves (x, y, z) = (1, 1, (p − 1)/4), which is a fixpoint because (p − 1)/4 is an integer. So the involution has precisely one fixpoint, thus the number of elements of U is odd, hence the number of elements of T is also odd.

The mapping $(x, y, z) \mapsto (x, z, y)$ is an involution on T. Since the number of elements of T is odd, this involution has an odd number of fixpoints, thus at least one, so there exists some element (x, y, z) ∈ T with y = z. But then $p = x^2 + 4yz = x^2 + (2z)^2$ so p is a sum of two squares.


The two-squares theorem is one of the most famous in number theory. It was first stated by A. Girard in 1625, and Fermat claimed a proof in a letter to M. Mersenne dated Christmas Day 1640. In a letter to P. de Carcavi he stated that he obtained the proof by means of his method of infinite descent. The first published proof is due to Euler, also using descent. The above proof is due to Heath-Brown.

Since $p^2 = p^2 + 0^2$ for the primes p congruent to 3 modulo 4, all products of powers of 2, powers of primes congruent to 1 modulo 4 and powers of squares $p^2$ of primes p congruent to 3 modulo 4 are sums of two squares. On the other hand, if a sum of two squares b is divisible by some odd prime p to an odd power, then p is congruent to 1 modulo 4. For if $u^2 + v^2 = p^km$ with p an odd prime, k odd and p prime to m, we may assume that p is prime to uv. Otherwise $p^2$ is a common factor of $u^2$ and $v^2$ and may be divided out, repeatedly if necessary, leaving a relation of the same form with a smaller exponent k that is still an odd number, and with p prime to uv. Then v has a multiplicative inverse $\bar{v}$ modulo p, and $(u\bar{v})^2$ is congruent to −1 modulo p. Now

$$(-1)^{(p-1)/2} \equiv ((u\bar{v})^2)^{(p-1)/2} \equiv (u\bar{v})^{p-1} \equiv 1 \pmod{p}$$

by the little theorem of Fermat, and so (p − 1)/2 must be even. At this point we have obtained a characterization in multiplicative terms: The sums of two squares are multiplicatively generated by 2, the primes p ≡ 1 (mod 4), and the squares $p^2$ of primes p ≡ 3 (mod 4).

We shall now determine the number of representations r(n) of a positive integer n as a sum of two squares, by investigating the ring of Gaussian integers Z[i] = Z + Zi where $i^2 = -1$. Observing the factorization

$$k^2 + m^2 = (k + mi)(k - mi),$$

we define the norm

$$N(k + mi) = (k + mi)\overline{(k + mi)} = k^2 + m^2$$

of a Gaussian integer, and note that this coincides with the gauge that we used to show that the ring of Gaussian integers is a Euclidean domain.

Denoting Gaussian integers by Greek letters, we have

$$N(\alpha\beta) = \alpha\beta\,\overline{\alpha\beta} = \alpha\bar{\alpha}\,\beta\bar{\beta} = N(\alpha)N(\beta)$$

so that α|β implies N(α)|N(β). In particular N(υ) = ±1 if υ is a unit. But if N(υ) = ±1, then $\upsilon(\pm\bar{\upsilon}) = 1$ so that υ is a unit. Solving $k^2 + m^2 = N(k + mi) = \pm 1$ in rational integers k and m, we obtain the units υ = ±1, ±i.

Every Gaussian integer α divides some rational integer by $\alpha | \alpha\bar{\alpha}$, so in particular every Gaussian prime π divides some rational integer, say π|n with $n = p_1^{a_1} \cdots p_r^{a_r}$. Since the rational integers are contained among the Gaussian integers, and the ring of Gaussian integers is a UFD, we conclude that there is some rational prime p with π|p. If q is another rational prime, then there are integers x and y for which px + qy = 1, and thus π|q would imply that π|1, which is impossible. So every Gaussian prime is found as a divisor of some unique rational prime. If a nonzero Gaussian integer α has a factorization α = βγ into Gaussian integers β and γ, neither of which is a unit, then N(α) = N(β)N(γ), where neither N(β) nor N(γ) is a unit in Z. So if α is a composite Gaussian integer, N(α) is a composite rational integer, and N(α) prime in Z is a sufficient condition for α to be prime in the Gaussian integers.

We have a factorization $2 = (1 + i)(1 - i) = (-i)(1 + i)^2$, and N(1 + i) = 2 is prime, so 1 + i is a Gaussian prime, and the only one up to associates that divides 2. We say that 2 ramifies in the Gaussian integers since its factorization into Gaussian primes has a repeated factor.

Any prime p ≡ 1 (mod 4) has a representation $p = k^2 + m^2$ as a sum of two squares, and hence a factorization p = (k + mi)(k − mi) with $N(k + mi) = N(k - mi) = k^2 + m^2 = p$ prime, so k + mi and k − mi are Gaussian primes, and the only ones up to associates that divide p. These two primes are not associates, so every rational prime p ≡ 1 (mod 4) splits into two distinct Gaussian primes. But if π is a Gaussian prime that divides a rational prime p ≡ 3 (mod 4), then απ = p with some Gaussian integer α shows that $N(\alpha)N(\pi) = p^2$, so N(π) = 1 or N(π) = p or $N(\pi) = p^2$. The first possibility is excluded since π is not a unit, and the second is impossible since p ≡ 3 (mod 4) is not a sum of two squares. The third possibility implies that α is a unit and thus π and p are associates. We conclude that the rational primes p ≡ 3 (mod 4) remain prime in the ring of Gaussian integers, and say that they stay inert when passing from the rational to the Gaussian integers.

We have used Fermat’s two squares theorem, as well as the fact that Z[i] is a UFD, in determining the Gaussian primes. By means of an argument of Dedekind, we may dispense with the two squares theorem while leaning more heavily on the fact that Z[i] is a UFD. This yields an independent proof of the two squares theorem.

If p ≡ 1 (mod 4) is a prime, then the number of integers 1, 2, ..., (p − 1)/2 is even, and these integers are pairwise congruent to the integers (p − 1)/2 + 1, (p − 1)/2 + 2, ..., p − 1 modulo p. Thus

$$-1 \equiv (p-1)! \equiv \left(\frac{p-1}{2}\right)!\,(-1)^{(p-1)/2}\left(\frac{p-1}{2}\right)! \equiv \left[\left(\frac{p-1}{2}\right)!\right]^2 \pmod{p}$$

by Wilson’s theorem, so $p | (k^2 + 1)$ for some integer k. Factoring $k^2 + 1 = (k + i)(k - i)$ we see that p cannot be a Gaussian prime, for p would have to divide k + i or k − i since Z[i] is a UFD, but

$$\frac{k}{p} \pm \frac{1}{p}i$$

are not Gaussian integers. Thus p = αβ with α and β Gaussian integers, neither of them a unit. And then $p^2 = N(p) = N(\alpha)N(\beta)$ so $p = N(\alpha) = \alpha\bar{\alpha}$. Furthermore this factorization exhibits p as a sum of two squares, and the Fermat two squares theorem is proved again.
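Dedekind's argument becomes an algorithm once the Euclidean division in Z[i] is made explicit: take k = ((p − 1)/2)! mod p and compute a greatest common divisor of p and k + i, which is a Gaussian prime of norm p. The Python code below is an added example, not part of the original text; it goes one step beyond the argument by using the Euclidean algorithm to find the factor, represents a + bi as the tuple (a, b), uses illustrative function names, and assumes its input p is prime.

```python
def sqrt_minus_one(p):
    """k = ((p-1)/2)! mod p. For a prime p = 1 (mod 4) the Wilson's-theorem
    computation in the text gives k^2 = -1 (mod p)."""
    k = 1
    for j in range(2, (p - 1) // 2 + 1):
        k = k * j % p
    return k

def norm(a):
    """N(x + yi) = x^2 + y^2."""
    return a[0] * a[0] + a[1] * a[1]

def g_mul(a, b):
    """Product of two Gaussian integers."""
    return (a[0] * b[0] - a[1] * b[1], a[0] * b[1] + a[1] * b[0])

def g_divmod(a, b):
    """Division with remainder in Z[i]: a = q*b + r with N(r) <= N(b)/2.
    The quotient is a/b = a*conj(b)/N(b) rounded to the nearest Gaussian
    integer, using exact integer arithmetic."""
    n = norm(b)
    x = g_mul(a, (b[0], -b[1]))
    q = ((2 * x[0] + n) // (2 * n), (2 * x[1] + n) // (2 * n))
    qb = g_mul(q, b)
    return q, (a[0] - qb[0], a[1] - qb[1])

def g_gcd(a, b):
    """A greatest common divisor in Z[i], determined up to a unit."""
    while b != (0, 0):
        a, b = b, g_divmod(a, b)[1]
    return a

def two_squares(p):
    """Return (x, y) with x <= y and x^2 + y^2 = p for a prime p = 1 (mod 4)."""
    if p % 4 != 1:
        raise ValueError("p must be congruent to 1 modulo 4")
    k = sqrt_minus_one(p)
    x, y = g_gcd((p, 0), (k, 1))      # a Gaussian prime dividing p and k + i
    return tuple(sorted((abs(x), abs(y))))

def gaussian_factors(p):
    """Gaussian prime factors of the rational prime p, up to units."""
    if p == 2:
        return [(1, 1), (1, 1)]       # 2 = (-i)(1 + i)^2 ramifies
    if p % 4 == 3:
        return [(p, 0)]               # p stays inert
    x, y = two_squares(p)
    return [(x, y), (x, -y)]          # p splits into conjugate primes

if __name__ == "__main__":
    for p in (2, 3, 5, 13, 29, 97, 1009):
        print(p, gaussian_factors(p))
```
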


To determine the number r(n) of representations of n as a sum of two squares, it is enough to count the Gaussian divisors δ|n that satisfy $\delta\bar{\delta} = n$. We write

$$n = 2^{a_0} p_1^{a_1} \cdots p_r^{a_r} q_1^{c_1} \cdots q_s^{c_s}$$

as a product of prime powers, where $a_0$ is a nonnegative integer, the primes $p_1, \ldots, p_r$ are congruent to 1 modulo 4 and $a_1, \ldots, a_r$ are positive integers, and the primes $q_k$ are congruent to 3 modulo 4 and $c_1, \ldots, c_s$ are positive integers. Either one or both of the nonnegative integers r and s may be zero. The above factorization over the rational integers yields a factorization

$$n = (1 + i)^{a_0}(1 - i)^{a_0} \pi_1^{a_1}\bar{\pi}_1^{a_1} \cdots \pi_r^{a_r}\bar{\pi}_r^{a_r} q_1^{c_1} \cdots q_s^{c_s}$$

over the Gaussian primes. Here $\pi_j, \bar{\pi}_j$ are distinct Gaussian primes into which $p_j$ splits. The general Gaussian divisor δ|n is of the form

$$\delta = \upsilon (1 + i)^{a_0'}(1 - i)^{a_0''} \pi_1^{a_1'}\bar{\pi}_1^{a_1''} \cdots \pi_r^{a_r'}\bar{\pi}_r^{a_r''} q_1^{c_1'} \cdots q_s^{c_s'}$$

where υ is a unit, $a_j'$ and $a_j''$ are nonnegative integers with $a_j' \le a_j$ and $a_j'' \le a_j$, and $c_j'$ and $c_j''$ are nonnegative integers with $c_j' \le c_j$ and $c_j'' \le c_j$. Since 1 + i and 1 − i are associates, only the value of $a_0' + a_0''$ is significant for the factorization of δ up to associates. In determining the form of the general divisor, we rely on the fact that Z[i] is a UFD.

We now count Gaussian divisors δ|n for which the complementary divisor n/δ equals the conjugate $\bar{\delta}$. Since $\upsilon\bar{\upsilon} = 1$ for each unit υ, there are four possibilities for υ. We must have $a_0' = a_0$, so there is only 1 possibility for $a_0'$. Seeing that $a_j - a_j' = a_j''$ and $a_j - a_j'' = a_j'$ hold by comparing exponents, there are $a_j + 1$ possibilities for the pair $a_j', a_j''$. Similarly $c_k - c_k' = c_k'$ must hold, so there is 1 possibility for $c_k$ if $c_k = 2b_k$ is even, and none otherwise. Thus we obtain a formula

$$r(n) = 4(a_1 + 1) \cdots (a_r + 1) \cdot \begin{cases} 1 & \text{if } c_1 \equiv \cdots \equiv c_s \equiv 0 \pmod{2} \\ 0 & \text{otherwise} \end{cases}$$

for the number of representations of n as a sum of two squares.

The formula shows that r(n)/4 is a multiplicative function, and that $r(2^a)/4 = 1$ while $r(p^a)/4 = a + 1$ if p ≡ 1 (mod 4) and $r(q^c)/4 = 1 - 1 + \cdots + (-1)^c$ if q ≡ 3 (mod 4). The arithmetic function χ(n) that equals zero on the even integers, 1 on the integers congruent to 1 modulo 4, and −1 on the integers congruent to 3 modulo 4, is multiplicative. This is in fact the unique nonprincipal Dirichlet character modulo 4. It has the property that

$$\sum_{d | 2^a} \chi(d) = 1, \qquad \sum_{d | p^a} \chi(d) = a + 1, \qquad \sum_{d | q^c} \chi(d) = 1 - 1 + \cdots + (-1)^c$$

if p ≡ 1 (mod 4) and q ≡ 3 (mod 4). This yields Jacobi’s formula

$$r(n) = 4 \sum_{d | n} \chi(d) = 4 \sum_{\substack{d | n \\ d \equiv 1\,(4)}} 1 - 4 \sum_{\substack{d | n \\ d \equiv 3\,(4)}} 1,$$

or r = 4 ∗ χ, which he deduced from his theory of theta functions.
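The three descriptions of r(n) above can be compared directly: a count of lattice points, the product formula from the prime factorization, and Jacobi's divisor sum with the character χ. The Python code below is an added example, not part of the original text; the function names are illustrative and the trial-division factorization assumes small n.

```python
from math import isqrt

def r_bruteforce(n):
    """Number of pairs (k, m) of integers with k^2 + m^2 = n, counting
    signs and order, as r(n) is defined in the text."""
    count = 0
    for k in range(-isqrt(n), isqrt(n) + 1):
        rest = n - k * k
        m = isqrt(rest)
        if m * m == rest:
            count += 1 if m == 0 else 2      # m and -m
    return count

def factorize(n):
    """Prime factorization [(p, exponent), ...] by trial division."""
    factors, p = [], 2
    while p * p <= n:
        if n % p == 0:
            e = 0
            while n % p == 0:
                n //= p
                e += 1
            factors.append((p, e))
        p += 1
    if n > 1:
        factors.append((n, 1))
    return factors

def r_from_factorization(n):
    """r(n) = 4 (a_1 + 1) ... (a_r + 1) if every prime q = 3 (mod 4) occurs
    to an even power, and 0 otherwise. The power of 2 plays no role."""
    result = 4
    for p, e in factorize(n):
        if p % 4 == 1:
            result *= e + 1
        elif p % 4 == 3 and e % 2 == 1:
            return 0
    return result

def chi(d):
    """The nonprincipal Dirichlet character modulo 4."""
    return (0, 1, 0, -1)[d % 4]

def r_jacobi(n):
    """Jacobi's formula r(n) = 4 * sum of chi(d) over the divisors d of n."""
    return 4 * sum(chi(d) for d in range(1, n + 1) if n % d == 0)

def compose(a, b):
    """Brahmagupta-Fibonacci: from a = (x, y) and b = (u, v) produce the pair
    (xu + yv, yu - xv) whose squares sum to (x^2 + y^2)(u^2 + v^2)."""
    (x, y), (u, v) = a, b
    return (x * u + y * v, y * u - x * v)

if __name__ == "__main__":
    for n in (1, 2, 5, 9, 21, 25, 45, 65, 325):
        print(n, r_bruteforce(n), r_from_factorization(n), r_jacobi(n))
    print(compose((1, 2), (2, 3)))           # 5 * 13 = 65 = 8^2 + 1^2
```
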


Number fields

A field extension K/k consists of a field K together with some choice of subfield k of K. The dimension of K considered as a vector space over k is called the degree of K/k and is denoted by $n_{K/k}$, or by $n_K$ if k = Q. Another notation [K : k] for the degree is also in common use. An extension of finite degree is just called a finite extension. Degree is multiplicative in towers L/K/k of extensions, i.e. $n_{L/k} = n_{L/K} \cdot n_{K/k}$. This is clear if L/K or K/k is of infinite degree. If K/k and L/K are finite extensions, then K has a basis $\omega_i$ over k of $n_{K/k}$ elements and L has a basis $\psi_j$ over K of $n_{L/K}$ elements. Then $\omega_i\psi_j$ is a basis of L over k of $n_{L/K} \cdot n_{K/k}$ elements.

Suppose that $K/k$ is a field extension, and $A \subseteq K$ an arbitrary set. Then the extension of $k$ by $A$ is the intersection field

$$k(A) = \bigcap F$$

of all fields $F$ with $K/F/k$ and $A \subseteq F$. An extension of $k$ by a single element $\alpha$ is called a simple extension and is denoted by $k(\alpha)$. If $M/k$ is a field extension and $M/K/k$ and $M/L/k$ are towers of extensions, then the field $KL = k(K \cup L)$ is called the compositum of $K$ and $L$.

An element $\beta$ of an extension $K/k$ is algebraic over $k$ if $\beta$ is a root of a nonconstant polynomial in $k[x]$. Complex numbers algebraic over $\mathbb{Q}$ are called algebraic numbers. The polynomials $p(x) \in k[x]$ vanishing on $\beta$ form an ideal $I$. Since $k[x]$ is a PID, this ideal is generated by a polynomial $m(x)$ over $k$ which we may require to be monic. It is then unique, by consideration of the difference of two such polynomials. It is termed the minimal polynomial of $\beta$ over $k$, because it is the monic polynomial over $k$ of minimal degree that vanishes on $\beta$. The minimal polynomial is irreducible over $k$, for otherwise one of its factors would vanish on $\beta$ but not be in $I = (m(x))$ by consideration of degrees, a contradiction. For $\beta \neq 0$ the equation $m(\beta) = 0$ may be rewritten as

$$\frac{1}{\beta} = -\frac{1}{a_n}\beta^{n-1} - \frac{a_1}{a_n}\beta^{n-2} - \cdots - \frac{a_{n-1}}{a_n},$$

where $m(x) = x^n + a_1x^{n-1} + \cdots + a_{n-1}x + a_n$ is the minimal polynomial of $\beta$ over $k$. Note that $a_n \neq 0$ because $m(x)$ is irreducible and $\beta \neq 0$. Thus $1/\beta \in k[\beta]$ for every $\beta \neq 0$ that is algebraic over $k$. Clearly $k[\beta] \subseteq k[\alpha]$ if $\beta \in k[\alpha]$, so $k[\alpha]$ is a field if $\alpha$ is algebraic over $k$. But by its very definition, $k(\alpha)$ does not contain any proper subfield containing both $k$ and $\alpha$, and so $k[\alpha] = k(\alpha)$. The elements $1, \alpha, \ldots, \alpha^{\deg(m(x))-1}$ span $k(\alpha)$ over $k$ by $m(\alpha) = 0$, while these elements are linearly independent over $k$ by the minimal degree property of $m(x)$. Thus $n_{k(\alpha)/k} = \deg(m(x))$.

A number field is a finite extension of $\mathbb{Q}$. The arithmetic of number fields is the central concern of algebraic number theory. Clearly any finite extension $K/k$ of a number field is itself a number field, and this more general relative case is also of great interest. We make repeated use of two properties of number fields that follow from the fact that they contain $\mathbb{Q}$: They have infinitely many elements and $1 + 1 + \cdots + 1 \neq 0$ for any positive number of terms in the sum. Neither of these properties hold in all fields, and fields with the latter property are said to have characteristic zero.

For every finite extension $K/k$ of a number field of degree $n = n_{K/k}$ there exists some element $\alpha \in K$ such that $\alpha, \ldots, \alpha^n$ is a basis for $K$ over $k$. For let $\omega_1, \ldots, \omega_n$ be a basis for $K$ over $k$ and set $\alpha = x\omega_1 + \cdots + x^n\omega_n$. We shall choose $x \in k$ so that $\alpha, \ldots, \alpha^n$ are linearly independent over $k$. Assume $\gamma_1\alpha + \cdots + \gamma_n\alpha^n = 0$ with $\gamma_1, \ldots, \gamma_n \in k$. Each product of powers of basis elements $\omega_1, \ldots, \omega_n$ is a $k$-linear combination of these basis elements. Thus

$$\gamma_1\alpha + \cdots + \gamma_n\alpha^n = \gamma_1(x\omega_1 + \cdots + x^n\omega_n) + \cdots + \gamma_n(x\omega_1 + \cdots + x^n\omega_n)^n = (\gamma_1x + \cdots)\omega_1 + \cdots = p_1(x)\omega_1 + \cdots$$

where $p_1(x) \in k[x]$ is a polynomial whose lowest degree term is $\gamma_1x$, since the characteristic of $k$ is zero. This polynomial must be nonzero for all but finitely many $x \in k$ unless $\gamma_1 = 0$. We are not going to choose $x$ among these finitely many exceptional values, and conclude that $\gamma_1 = 0$. Now $\omega_1^2$ is a $k$-linear combination of the basis elements, with at least one coefficient different from zero. Say that $\omega_1^2 = \beta_j\omega_j + \cdots$ with $\beta_j \neq 0$. Then

$$0 \cdot \omega_1 + \gamma_2\omega_2 + \cdots + \gamma_n\omega_n = (\gamma_2\beta_jx^2 + \cdots)\omega_j + \cdots = p_2(x)\omega_j + \cdots$$

where $p_2(x) \in k[x]$ is a polynomial whose lowest degree term is $\gamma_2\beta_jx^2$. This polynomial must be nonzero for all but finitely many $x \in k$ unless $\gamma_2 = 0$. We are not going to choose $x$ among these finitely many exceptional values, and conclude that $\gamma_2 = 0$. Note that the exceptional values of $x$ in this round may be different from those in the last round. Continuing like this we obtain $\gamma_1 = \cdots = \gamma_n = 0$ unless $x$ lies in a finite set of exceptional values. But $k$ is infinite, and we choose $x \in k$ outside the finite set of exceptional values.

From now on we make use of the Fundamental Theorem of Algebra, by adopting the standing assumption that all our number fields are subfields of $\mathbb{C}$. Nothing is lost thereby, for every number field is isomorphic to a subfield of $\mathbb{C}$. The result that every nonconstant complex polynomial factors into complex linear factors is easy to prove by simple complex analysis, and enables us to avoid the concept of algebraic closure.

The minimal polynomial $m(x)$ of an element $\alpha$ algebraic over a number field $k$ has simple roots. For $m(x)$ and $m'(x)$ have no nontrivial common factor in $k[x]$, since $m(x)$ is irreducible over $k$ and $m'(x)$ is not the zero polynomial. The roots of the minimal polynomial of $\alpha$ over $k$ are called the algebraic conjugates of $\alpha$ over $k$ and are denoted by $\alpha^{(1)} = \alpha, \alpha^{(2)}, \ldots, \alpha^{(n)}$ where $n = n_{k(\alpha)/k} = \deg(m(x))$. We have already seen that any finite extension $K/k$ of a number field is a simple extension $K = k(\alpha)$. If $m(x)$ is the minimal polynomial of $\alpha$ over $k$, the quotient ring $k[x]/(m(x))$ is a field and the isomorphism $\varphi : k[x]/(m(x)) \to k[\alpha] = k(\alpha) = K$ given by $p(x) + (m(x)) \mapsto p(\alpha)$ shows that $K/k$ may be specified up to isomorphism simply by prescribing a suitable irreducible polynomial over $k$.


In general a single finite extension of a number field $k \subset \mathbb{C}$ may be realized inside $\mathbb{C}$ in several different ways. Define monomorphisms $f_j : k[x]/(m(x)) \to \mathbb{C}$ by $p(x) + (m(x)) \mapsto p(\alpha^{(j)})$ for $1 \leq j \leq n = n_{K/k} = \deg(m(x))$. The $n$ monomorphisms $\sigma_j : K \to \mathbb{C}$ given by $\sigma_j = f_j \circ \varphi^{-1}$ are called the embeddings of $K/k$ into $\mathbb{C}$. Since $\sigma_j(a) = f_j(\varphi^{-1}(a)) = f_j(a + (m(x))) = a$ for $a \in k$, the embeddings fix $k$ pointwise. Suppose that $\sigma : K \to \mathbb{C}$ is a monomorphism that fixes $k$ pointwise, and put $\beta = \varphi(x + (m(x)))$. Then $0 = (\sigma \circ \varphi)(m(x) + (m(x))) = \sigma(m(\beta)) = m(\sigma(\beta))$ and so $\sigma(\beta)$ is one of the conjugates $\alpha^{(1)}, \ldots, \alpha^{(n)}$. The calculation $(\sigma \circ \varphi)(p(x) + (m(x))) = \sigma(p(\beta)) = p(\sigma(\beta))$ shows that $\sigma \circ \varphi$ is equal to one of the $f_j$.

It is time to pull together the information that we have gathered. Every finite extension $K/k$ of a number field $k \subset \mathbb{C}$ comes with $n_{K/k}$ distinct embeddings $\sigma_j : K \to \mathbb{C}$ that fix $k$ pointwise. Their images are subfields of $\mathbb{C}$, called conjugate fields, each of which is isomorphic to $K$ over $k$. Though the embeddings are distinct, their images may not be distinct. The number field $\mathbb{Q}(\sqrt{2})$ has two distinct embeddings $a + b\sqrt{2} \mapsto a + b\sqrt{2}$ and $a + b\sqrt{2} \mapsto a - b\sqrt{2}$ into $\mathbb{C}$, but their images are the same field $\mathbb{Q}(\sqrt{2})$. For us the most important case of embeddings will be embeddings of a number field $K/\mathbb{Q}$.

For a tower $L/K/k$ of extensions of number fields, every embedding $\sigma : K \to \mathbb{C}$ over $k$ extends to $n_{L/K}$ embeddings $\tilde{\sigma} : L \to \mathbb{C}$ over $k$. There is some element $\alpha \in L$ with $L = K(\alpha)$ and $\alpha$ has a minimal polynomial $m(x)$ over $K$. Extend $\sigma$ to a monomorphism from $K[x]$ into $\mathbb{C}[x]$ by $\sigma(x) = x$ and define $\tilde{\sigma} = f \circ \varphi^{-1}$ where $f : K[x]/(m(x)) \to \mathbb{C}$ is given by $p(x) + (m(x)) \mapsto \sigma(p)(\alpha)$ and $\varphi : K[x]/(m(x)) \to L$ is given by $p(x) + (m(x)) \mapsto p(\alpha)$. Then $\tilde{\sigma}(c) = f(c + (m(x))) = \sigma(c)(\alpha) = \sigma(c)$ for $c \in K$. Thus each embedding of $K$ over $k$ has an extension to an embedding of $L$ over $k$. Composing such an embedding with the $n_{L/K}$ embeddings of $L$ over $K$, we obtain $n_{L/K}$ distinct embeddings of $L$ over $k$ extending the single embedding of $K$ over $k$, since the embeddings over $K$ equal the identity on $K$. Since there are $n_{K/k}$ embeddings of $K$ over $k$, we have accounted for the $n_{L/k} = n_{L/K} \cdot n_{K/k}$ embeddings of $L$ over $k$, so there are exactly $n_{L/K}$ embeddings of $L$ over $k$ extending an embedding of $K$ over $k$.

A number field $K = \mathbb{Q}(\alpha)$ is said to be totally real if the image of every embedding of $K$ into $\mathbb{C}$ lies in $\mathbb{R}$. It is clearly equivalent that $\alpha$ and all its conjugates be real. The field $\mathbb{Q}(\sqrt{2})$ is totally real, while the field $\mathbb{Q}(\sqrt[3]{2})$ is contained in $\mathbb{R}$ but not totally real, since the minimal polynomial $m(x) = x^3 - 2$ has complex roots. For a finite extension $K/k$ of a totally real number field, it makes sense to distinguish among the embeddings of $K$ according to whether their images are contained in $\mathbb{R}$ or not. There will be $r_1$ real embeddings and an even number $2r_2$ of non-real, commonly called complex, embeddings that come in complex conjugate pairs $\sigma_j, \bar{\sigma}_j$. Clearly $r_1 + 2r_2 = n_{K/k}$. The extension is called totally real if $r_2 = 0$ and totally complex if $r_1 = 0$. In the latter case the degree of $K/k$ must be even. As examples, we note that $r_1 = 2$ and $r_2 = 0$ for $\mathbb{Q}(\sqrt{2})$, that $r_1 = 0$ and $r_2 = 1$ for $\mathbb{Q}(\sqrt{-1})$, and that $r_1 = r_2 = 1$ for $\mathbb{Q}(\sqrt[3]{2})$.

It will be convenient to order the embeddings so that the first $r_1$ ones are real, and the last $2r_2$ ones are complex and listed in such a way that $\sigma_{j+r_2} = \bar{\sigma}_j$ for $r_1 + 1 \leq j \leq r_1 + r_2$.


Consider a finite extension $K/k$ of a number field, and the $n = n_{K/k}$ embeddings $\sigma_j : K \to \mathbb{C}$ over $k$. As usual we regard all fields involved as subfields of $\mathbb{C}$, as we may by the Fundamental Theorem of Algebra. There is at least one embedding $\sigma_j$ with $\sigma_j(K) = K$, namely the identity map. But there may well be other such embeddings, called automorphisms of $K$ over $k$. In any case, the embeddings with this property form a group, termed the automorphism group of the extension. This group had its origin in the theory of polynomial equations, but it also has great significance for the arithmetic of number fields, and it is from this angle that we shall view it.

The extension $\mathbb{Q}(\sqrt{2}, \sqrt{-3})/\mathbb{Q}$ has four embeddings generated by the assignments $\sqrt{2} \mapsto \pm\sqrt{2}$ and $\sqrt{-3} \mapsto \pm\sqrt{-3}$ of conjugates of the generators of the extension, all of which preserve $\mathbb{Q}(\sqrt{2}, \sqrt{-3})$. There are no more, for the degree of the extension is 4 by the multiplicativity of degrees in the tower $\mathbb{Q}(\sqrt{2}, \sqrt{-3})/\mathbb{Q}(\sqrt{2})/\mathbb{Q}$ and the fact that $\sqrt{-3} \notin \mathbb{Q}(\sqrt{2})$. Thus the automorphism group is isomorphic to $(\mathbb{Z}/2\mathbb{Z}) \times (\mathbb{Z}/2\mathbb{Z})$. This group is called the Klein Viergruppe, and has no element of order greater than two. The fifth root of unity $\zeta_5 = \exp(2\pi i/5)$ generates a cyclotomic extension (extension by roots of unity) $\mathbb{Q}(\zeta_5)/\mathbb{Q}$ and the assignments $\zeta_5 \mapsto \zeta_5^j$ for $j = 1, \ldots, 4$ yield four distinct embeddings, all of which preserve $\mathbb{Q}(\zeta_5)$. There are no more, for the minimal polynomial of $\zeta_5$ is the fourth degree polynomial $m(x) = x^4 + x^3 + x^2 + x + 1$. Since the embedding generated by the assignment $\zeta_5 \mapsto \zeta_5^2$ is a generator for the automorphism group, we see that it is isomorphic to $\mathbb{Z}/4\mathbb{Z}$, which has elements of order four. Two extensions $K/k$ and $L/k$ are said to be isomorphic if there is an isomorphism $\varphi : K \to L$ with $\varphi|_k = \mathrm{id}|_k$. Note that the extensions $\mathbb{Q}(\sqrt{2}, \sqrt{-3})/\mathbb{Q}$ and $\mathbb{Q}(\zeta_5)/\mathbb{Q}$ are non-isomorphic since they have non-isomorphic automorphism groups. We could not draw this conclusion merely by consideration of degrees.

An extension $K/k$ of number fields is normal if all the embeddings of $K$ over $k$ have the same image. Normal extensions are rather special; note that if $k$ is totally real and $K/k$ a finite normal extension, then $K/k$ must be either totally real or totally complex. Every extension $K/k$ of number fields is contained in a unique minimal normal extension $L/k$ given by

$$L = k\Bigl(\bigcup_{j=1}^{n}\sigma_j(K)\Bigr)$$

where $\sigma_1, \ldots, \sigma_n$ are the embeddings of $K$ over $k$. The extension $L/k$ is called the normal closure of $K/k$. Any finite extension $K/k$ of a number field is a simple extension $K = k(\alpha)$. Clearly the extension is normal if and only if it contains all the roots of the minimal polynomial $m(x)$ of $\alpha$ over $k$. In particular the normal closure of $K/k$ is obtained by adjoining to $k$ all the roots of $m(x)$, and every finite normal extension $K/k$ is obtained by adjoining all the roots of some irreducible polynomial over $k$. It is in fact more common to define an extension $K/k$ to be normal if every irreducible polynomial in $k[x]$ that has a root in $K$ splits completely into linear factors over $K$.


If $K/k$ is an extension with automorphism group $G$ and $H$ a subgroup of $G$, the field

$$K^H = \bigcap_{\sigma \in H}\ker(\sigma - \mathrm{id})$$

is called the fixed field of $H$. We have a mapping $H \mapsto K^H$ taking subgroups $H$ of the automorphism group to intermediate fields $F$ with $K/F/k$. For any intermediate field $F$ the automorphism group of $K/F$ may be viewed as a subgroup of the automorphism group $K/k$, since any automorphism of $K$ that restricts to the identity on $F$ naturally also restricts to the identity on $k$. Thus we have two maps, one taking subgroups of the automorphism group to intermediate fields of the extension, and the other taking intermediate fields to subgroups.

The automorphism group of an extension $K/k$ of number fields has special properties if the extension is normal. In this case the automorphism group of $K$ over $k$ is called the Galois group and is denoted by $\mathrm{Gal}(K/k)$.

Fundamental Theorem of Galois Theory. Let $K/k$ be a finite normal extension of a number field. The maps $H \mapsto K^H$ and $F \mapsto \mathrm{Gal}(K/F)$ are inverses.

Proof. Let $F$ be an arbitrary intermediate field of $K/k$ and put $H = \mathrm{Gal}(K/F)$. Then $K/F$ is a normal extension, for every embedding of $K$ over $F$ is an embedding of $K$ over $k$, and the latter embeddings all have the same image by the normality of $K/k$. The extension $K/K^H$ has $|H|$ automorphisms, since $K^H$ is the fixed field of $H$. Then $n_{K/K^H} \geq |H|$, for $n_{K/K^H}$ equals the total number of embeddings of $K$ over $K^H$, and every automorphism is an embedding. But $|H| = n_{K/F}$ since $K/F$ is normal, hence $n_{K/K^H} \geq n_{K/F}$, so $K^H = F$.

Let $H$ be an arbitrary subgroup of $\mathrm{Gal}(K/k)$ and put $F = K^H$. Then $H$ is a subgroup of $\mathrm{Gal}(K/F)$. There is an element $\alpha \in K$ such that $K = F(\alpha)$, and the coefficients of the polynomial

$$f(x) = \prod_{\sigma \in H}(x - \sigma(\alpha))$$

are elementary symmetric functions in the $\sigma(\alpha)$ for $\sigma \in H$. The polynomial is in $F[x]$ because these coefficients are fixed by the homomorphisms $\eta \in H$. Then

$$|H| = \deg(f) \geq n_{K/F} = |\mathrm{Gal}(K/F)|,$$

since $f(\alpha) = 0$ and $K/F$ is normal, so $H = \mathrm{Gal}(K/F)$.

This result is a special case of the full theorem, due to the restriction on the ground field $k$ that it be a number field. In the general case, one must require the property of separability, which we can and do avoid here. For inseparability cannot occur for extensions of fields of characteristic zero. The mappings $H \mapsto K^H$ and $F \mapsto \mathrm{Gal}(K/F)$ are called the Galois correspondence. They reverse inclusions, in that if $H_1$ is a proper subgroup of $H_2$, then $K^{H_2}$ is a proper subfield of $K^{H_1}$, while if $F_1$ is a proper subfield of $F_2$, then $\mathrm{Gal}(K/F_2)$ is a proper subgroup of $\mathrm{Gal}(K/F_1)$.


Often the Galois correspondence is used to draw conclusions about the intermediate fields from knowledge of the subgroups of the Galois group. For example, suppose that $K/k$ is a normal extension of number fields. It is obvious that $\mathrm{Gal}(K/k)$ has only finitely many subgroups, immediately implying by the Galois correspondence the decidedly less obvious conclusion that $K/k$ has only finitely many intermediate fields.

A complement to the Fundamental Theorem of Galois Theory identifies those intermediate fields of a finite normal extension $K/k$ of a number field that are normal over the ground field: The fixed field $K^H$ is normal over $k$ if and only if $H$ is a normal subgroup of $\mathrm{Gal}(K/k)$. Put $F = K^H$ and note that $F$ is normal over $k$ if and only if $F$ is preserved by all embeddings of $F$ over $k$. Each such embedding is the restriction of an automorphism of $K$ over $k$, since $K$ contains the conjugates over $k$ of every element of $F$. Thus $F/k$ is normal if and only if $\sigma(F) = F$ for all $\sigma \in \mathrm{Gal}(K/k)$. Now

$$\sigma(F)^{\sigma H\sigma^{-1}} = (\sigma^{-1}\sigma(F))^{\sigma H} = F^{\sigma H} = \sigma(F^H) = \sigma(F)$$

so $\sigma(F)$ is the fixed field of $\sigma H\sigma^{-1}$. Hence $F/k$ is normal if and only if $\sigma H\sigma^{-1} = H$ for all $\sigma \in \mathrm{Gal}(K/k)$, i.e. if and only if $H$ is a normal subgroup of $\mathrm{Gal}(K/k)$.

Given an element $\alpha$ of an extension $K/k$ of number fields, the mapping $M_\alpha : K \to K$ given by $\gamma \mapsto \alpha\gamma$ is a linear operator on $K$ as a vector space over $k$. The norm of $\alpha$ is defined as $N_{K/k}(\alpha) = \det(M_\alpha)$. The norm is a mapping $N_{K/k} : K \to k$ possessing the crucial multiplicativity property $N_{K/k}(\alpha\beta) = N_{K/k}(\alpha)N_{K/k}(\beta)$ because $(\alpha\beta)\gamma = \alpha(\beta\gamma)$. When $k = \mathbb{Q}$, we write $N_K$ for the norm, and observe that it is rational.

The norm of an element $\alpha$ of an extension $K/k$ of number fields can be expressed in terms of its embeddings. The characteristic polynomial $f_\alpha(x) = \det(x\,\mathrm{id} - M_\alpha)$ of $M_\alpha$ is monic and has coefficients in $k$. Note that

$$N_{K/k}(\alpha) = (-1)^{n_{K/k}}f_\alpha(0)$$

since the determinant has $n_{K/k}$ rows. The characteristic polynomial of $M_\alpha$ is called the field polynomial of $\alpha$. It depends on the extension $K/k$ and not just on $\alpha$ as an algebraic number. Supposing $L/K$ to be a finite extension, $\alpha$ also has a field polynomial $g_\alpha(x)$ relative to $L/k$ and it turns out that

$$g_\alpha(x) = f_\alpha(x)^{n_{L/K}}.$$

Express multiplication by $\alpha$ relative to some ordered basis $(\omega_1, \ldots, \omega_n)$ for $K$ over $k$ by

$$\alpha\omega_i = a_{i1}\omega_1 + \cdots + a_{in}\omega_n, \qquad 1 \leq i \leq n, \quad n = n_{K/k}.$$

Denote the representing matrix by $A = [a_{ih}]$. Also choose an ordered basis $(\psi_1, \ldots, \psi_l)$ for $L$ over $K$ and express multiplication by $\alpha$ relative to the ordered basis $(\omega_1\psi_1, \omega_2\psi_1, \ldots, \omega_n\psi_1, \omega_1\psi_2, \ldots, \omega_n\psi_l)$ for $L$ over $k$ by

$$\alpha\omega_i\psi_j = a_{i1}\omega_1\psi_j + \cdots + a_{in}\omega_n\psi_j, \qquad 1 \leq j \leq l, \quad l = n_{L/K}.$$


Reading off the representing matrix $B$, we see that $B$ is a block matrix with $l$ copies of $A$ along the main diagonal, and zeros elsewhere. Thus $\det(B) = \det(A)^l$ and so $g_\alpha$ is the $l$-th power of $f_\alpha$. Note that if $f_\alpha$ is a field polynomial for $\alpha$, then $f_\alpha(\alpha) = 0$. For $(\alpha\,\mathrm{id} - M_\alpha)\gamma = \alpha\gamma - \alpha\gamma = 0$, so $x\,\mathrm{id} - M_\alpha$ is the zero operator when $x = \alpha$.

Choosing $K = k(\alpha)$, the field polynomial $f_\alpha(x)$ is a monic polynomial of degree $n_{K/k}$ with coefficients in $k$, and vanishes in $\alpha$. The minimal polynomial $m(x)$ of $\alpha$ over $k$ is also a monic polynomial of degree $n_{K/k}$ with coefficients in $k$, vanishing in $\alpha$, and is moreover irreducible over $k$. But then $f_\alpha(x) = m(x)$ and

$$N_{L/k}(\alpha) = (-1)^{n_{L/k}}g_\alpha(0) = (-1)^{n_{L/k}}m(0)^{n_{L/K}} = (-1)^{n_{L/k}}\bigl((-1)^{n_{K/k}}\alpha^{(1)}\cdots\alpha^{(n)}\bigr)^{n_{L/K}} = (\alpha^{(1)}\cdots\alpha^{(n)})^l.$$

Now $N_{L/k}(\alpha) = \eta_1(\alpha)\cdots\eta_{ln}(\alpha)$ where $\eta_1, \ldots, \eta_{ln}$ are the embeddings of $L$ over $k$. For each embedding of $K$ over $k$ extends to $l$ embeddings of $L$ over $k$, and the image of $\alpha$ under the various embeddings of $K$ over $k$ are the algebraic conjugates of $\alpha$ over $k$.

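For the embeddings $\sigma_1, \ldots, \sigma_n$ of $K$ over $k$ choose extensions $\tilde{\sigma}_1, \ldots, \tilde{\sigma}_n$ to embeddings of $L$ over $k$. Denote by $\theta_1, \ldots, \theta_l$ the embeddings of $L$ over $K$. Then the embeddings of $L$ over $k$ are $\tilde{\sigma}_1 \circ \theta_1, \ldots, \tilde{\sigma}_n \circ \theta_l$, so

$$\begin{aligned} N_{L/k}(\beta) &= (\tilde{\sigma}_1 \circ \theta_1)(\beta)\cdots(\tilde{\sigma}_n \circ \theta_l)(\beta) \\ &= \tilde{\sigma}_1(\theta_1(\beta)\cdots\theta_l(\beta))\cdots\tilde{\sigma}_n(\theta_1(\beta)\cdots\theta_l(\beta)) \\ &= \sigma_1(N_{L/K}(\beta))\cdots\sigma_n(N_{L/K}(\beta)) = N_{K/k}(N_{L/K}(\beta)) \end{aligned}$$

and thus $N_{L/k} = N_{K/k} \circ N_{L/K}$ in a tower $L/K/k$ of extensions of number fields.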

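Given an element $\alpha$ of an extension $K/k$ of number fields, the trace of $\alpha$ is defined as $\mathrm{tr}_{K/k}(\alpha) = \mathrm{tr}(M_\alpha)$. The trace has properties somewhat analogous to those of the norm. Proceeding as above we obtain

$$\mathrm{tr}_{L/k}(\alpha) = l(\alpha^{(1)} + \cdots + \alpha^{(n)}),$$

so that $\mathrm{tr}_{L/k}(\alpha) = \eta_1(\alpha) + \cdots + \eta_{ln}(\alpha)$. Thus the trace equals the sum of the embeddings. Moreover

$$\begin{aligned} \mathrm{tr}_{L/k}(\beta) &= (\tilde{\sigma}_1 \circ \theta_1)(\beta) + \cdots + (\tilde{\sigma}_n \circ \theta_l)(\beta) \\ &= \tilde{\sigma}_1(\theta_1(\beta) + \cdots + \theta_l(\beta)) + \cdots + \tilde{\sigma}_n(\theta_1(\beta) + \cdots + \theta_l(\beta)) \\ &= \sigma_1(\mathrm{tr}_{L/K}(\beta)) + \cdots + \sigma_n(\mathrm{tr}_{L/K}(\beta)) = \mathrm{tr}_{K/k}(\mathrm{tr}_{L/K}(\beta)) \end{aligned}$$

and thus $\mathrm{tr}_{L/k} = \mathrm{tr}_{K/k} \circ \mathrm{tr}_{L/K}$ in a tower of extensions of number fields.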

The expression $\mathrm{tr}_{K/k}(\alpha\beta)$ defines a nondegenerate bilinear form on $K$ considered as a vector space over $k$. Bilinearity is obvious by the linearity of the trace, and if $\alpha \neq 0$ choose $\beta = \alpha^{-1}$ to see that $\mathrm{tr}_{K/k}(\alpha\beta) = \mathrm{tr}_{K/k}(1) = n_{K/k} \neq 0$.


Algebraic integers

A complex number is an algebraic integer if it is a root of a monic polynomial whose coefficients lie in $\mathbb{Z}$. An algebraic integer $\alpha$ that is a rational number is a rational integer. For if $\alpha = b/c$ with $b$ and $c$ coprime rational integers, the equation $(b/c)^n + a_1(b/c)^{n-1} + \cdots + a_{n-1}(b/c) + a_n = 0$ with $a_1, \ldots, a_n$ rational integers implies $b^n + a_1b^{n-1}c + \cdots + a_{n-1}bc^{n-1} + a_nc^n = 0$. Thus $c \mid b^n$, which implies $c = \pm 1$ since $b$ and $c$ are coprime.

Suppose that $\alpha$ is an algebraic integer and let $f(x)$ be the unique monic polynomial of least degree with coefficients in $\mathbb{Z}$ for which $f(\alpha) = 0$. Clearly $f(x)$ is irreducible over $\mathbb{Z}$ by consideration of degree. Then it is also irreducible over $\mathbb{Q}$ by Gauss' Lemma from polynomial algebra. The minimal polynomial $m(x)$ of $\alpha$ over $\mathbb{Q}$ divides $f(x)$ in $\mathbb{Q}[x]$, so $f(x) = m(x)$ by the irreducibility. We conclude that the minimal polynomial over $\mathbb{Q}$ of an algebraic integer has coefficients in $\mathbb{Z}$. This has the very important consequence that the algebraic conjugates of an algebraic integer are themselves algebraic integers. Consequently embeddings over $\mathbb{Q}$ take algebraic integers to algebraic integers.

Denote the set of algebraic integers in a number field $K$ by $O_K$. We are going to show that $O_K$ is a subring of $K$ and that $K$ is the field of fractions of $O_K$. For the first statement it will be enough to show that if $\alpha$ and $\beta$ are algebraic integers, so are $\alpha + \beta$ and $\alpha\beta$. The abelian group of $\mathbb{Z}[\alpha]$ under addition is finitely generated since $\alpha$ is an algebraic integer, and similarly $\mathbb{Z}[\beta]$ is also finitely generated under addition. All powers of $\alpha + \beta$ and $\alpha\beta$ lie in $\mathbb{Z}[\alpha, \beta]$, which is finitely generated under addition because $\alpha$ and $\beta$ commute. The rest of the argument runs in parallel in the two cases, so we proceed with $\gamma = \alpha + \beta$. The powers of $\gamma$ generate an abelian group $A$ under addition, which is a subgroup of $\mathbb{Z}[\alpha, \beta]$ under addition. A subgroup of a finitely generated abelian group is itself finitely generated, so $A$ is finitely generated. Multiplication by $\gamma$ preserves $A$, so $\gamma$ is an eigenvalue of a matrix with integer entries, hence an algebraic integer.

That $K$ is the field of fractions of $O_K$ is a consequence of the stronger statement that any element $\alpha \in K$ is of the form $\alpha = \beta/a_0$ where $\beta$ is an algebraic integer in $K$ and $a_0$ is a rational integer. Let $a_0\alpha^n + a_1\alpha^{n-1} + a_2\alpha^{n-2} + \cdots + a_n = 0$ be a nontrivial equation for $\alpha$ over $\mathbb{Z}$. Then $(a_0\alpha)^n + a_1(a_0\alpha)^{n-1} + a_2a_0(a_0\alpha)^{n-2} + \cdots + a_na_0^{n-1} = 0$, and thus $\beta = a_0\alpha$ is an algebraic integer.

Any number field $K$ has a basis over $\mathbb{Q}$ consisting of algebraic integers. For if $\omega_1, \ldots, \omega_n$ is any basis, we may write $\omega_j = \psi_j/c_j$ for $1 \leq j \leq n$ with $\psi_j$ an algebraic integer and $c_j$ a rational integer. But then $\psi_1, \ldots, \psi_n$ is a basis consisting of algebraic integers. In fact a stronger statement holds: Any number field $K$ has a basis $\omega_1, \ldots, \omega_n$ consisting of algebraic integers such that $O_K = \mathbb{Z}\omega_1 + \cdots + \mathbb{Z}\omega_n$. Such a basis is called an integral basis for $K$. To prove the existence of an integral basis, we make use of the discriminant.

For a basis $\omega_1, \ldots, \omega_n$ of an extension $K/k$, the discriminant of the basis is

$$\Delta_{K/k}(\omega_1, \ldots, \omega_n) = \det([\sigma_i(\omega_j)]_{1 \leq i,j \leq n})^2$$

where $\sigma_1, \ldots, \sigma_n$ are the embeddings of $K$ over $k$. The discriminant is independent of the ordering of the basis and of the ordering of the embeddings, because a reordering interchanges the columns or rows of the determinant, just changing its sign, but the discriminant is the square of the determinant. Supposing $A$ to be an invertible $n$ by $n$ matrix over $k$, and $(\omega_1, \ldots, \omega_n)$ and $(\psi_1, \ldots, \psi_n)$ ordered bases for $K$ over $k$ related by $[\psi_1, \ldots, \psi_n]^t = A[\omega_1, \ldots, \omega_n]^t$. Then the discriminants of the bases are related by

$$\Delta_{K/k}(\psi_1, \ldots, \psi_n) = \det(A)^2\,\Delta_{K/k}(\omega_1, \ldots, \omega_n).$$

The discriminant of a basis over $k$ is a nonzero element of $k$. To see this, change the basis to one of the form $1, \alpha, \ldots, \alpha^{n-1}$, for which the discriminant is the square of a necessarily nonzero Vandermonde determinant in the pairwise distinct elements $\sigma_1(\alpha), \ldots, \sigma_n(\alpha)$. This exhibits the discriminant as a symmetric polynomial in the algebraic conjugates of $\alpha$ over $k$, so the discriminant is a polynomial over $\mathbb{Q}$ in the coefficients of the minimal polynomial of $\alpha$ over $k$, and these are in $k$. We may express the discriminant

$$\begin{aligned} \Delta_{K/k}(\omega_1, \ldots, \omega_n) &= \det([\sigma_i(\omega_j)]_{1 \leq i,j \leq n})\det([\sigma_l(\omega_m)]_{1 \leq l,m \leq n}) \\ &= \det([\sigma_i(\omega_j)]_{1 \leq i,j \leq n}[\sigma_l(\omega_m)]_{1 \leq l,m \leq n}) \\ &= \det([\sigma_j(\omega_i)]_{1 \leq i,j \leq n}[\sigma_j(\omega_m)]_{1 \leq j,m \leq n}) \\ &= \det([\sigma_1(\omega_i)\sigma_1(\omega_m) + \cdots + \sigma_n(\omega_i)\sigma_n(\omega_m)]_{1 \leq i,m \leq n}) \\ &= \det([\sigma_1(\omega_i\omega_m) + \cdots + \sigma_n(\omega_i\omega_m)]_{1 \leq i,m \leq n}) \\ &= \det([\mathrm{tr}_{K/k}(\omega_i\omega_m)]_{1 \leq i,m \leq n}) \end{aligned}$$

of a basis $\omega_1, \ldots, \omega_n$ of an extension $K/k$ of number fields in terms of the trace form $\mathrm{tr}_{K/k}(\alpha\beta)$. This is another way to see that the value of the discriminant is in $k$.

Suppose $\omega_1, \ldots, \omega_n$ is a basis for $K$ over $\mathbb{Q}$ consisting of algebraic integers. Since embeddings take algebraic integers to algebraic integers, the discriminant $\Delta_{K/\mathbb{Q}}(\omega_1, \ldots, \omega_n)$ is the square of a sum of products of algebraic integers, thus itself an algebraic integer. But it is also a nonzero rational number, so it must be a nonzero integer. Now choose such a basis for which $|\Delta_{K/\mathbb{Q}}(\omega_1, \ldots, \omega_n)|$ is minimal. We claim that $\omega_1, \ldots, \omega_n$ is an integral basis. Let $\alpha \in O_K$ be arbitrary and $\alpha = c_1\omega_1 + \cdots + c_n\omega_n$ over $\mathbb{Q}$. We must show that $c_1, \ldots, c_n \in \mathbb{Z}$, and it is clearly sufficient to consider $c_1$. Write $c_1 = c + \delta$ where $c$ is a rational integer and $0 < \delta \leq 1$, and define a new basis $\psi, \omega_2, \ldots, \omega_n$ for $K$ over $\mathbb{Q}$ by $\psi = \alpha - c\omega_1$. Clearly $\psi$ is an algebraic integer. Now

$$\begin{aligned} |\Delta_{K/\mathbb{Q}}(\omega_1, \ldots, \omega_n)| &\leq |\Delta_{K/\mathbb{Q}}(\psi, \omega_2, \ldots, \omega_n)| \\ &= |\Delta_{K/\mathbb{Q}}(\delta\omega_1 + c_2\omega_2 + \cdots + c_n\omega_n, \omega_2, \ldots, \omega_n)| \\ &= |\Delta_{K/\mathbb{Q}}(\delta\omega_1, \ldots, \omega_n)| = \delta^2|\Delta_{K/\mathbb{Q}}(\omega_1, \ldots, \omega_n)| \end{aligned}$$

implies that $\delta = 1$ and thus $c_1$ is a rational integer.

The coordinates $x(\alpha)$ and $y(\alpha)$ of an element $\alpha \in K$ relative to two different ordered bases, considered as column matrices, are related by $y(\alpha) = Ax(\alpha)$ where $A$ is a nonsingular rational matrix. If the bases are integral bases, then multiplication by $A$ must take arbitrary vectors with coordinates in $\mathbb{Z}$ to vectors with coordinates in $\mathbb{Z}$. Thus the entries of $A$ are rational integers, and the same argument in the other direction shows that $A^{-1}$ has rational integer entries. But then $\det(A)\det(A^{-1}) = \det(AA^{-1}) = \det(I) = 1$ implies that $\det(A) = \pm 1$ since $\det(A^{-1})$ is an integer. Thus the discriminants of all integral bases of $K$ are the same. Their common value is denoted by $d_K$ and is termed the discriminant of the number field $K$. Supposing that $\varphi : L \to K$ is an isomorphism of number fields $K$ and $L$ over $\mathbb{Q}$, and $\sigma_j$ are the embeddings of $K$, then $\sigma_j \circ \varphi$ are the embeddings of $L$. Thus the discriminant $\Delta$ that realizes the minimum value of $|\Delta|$ over all bases consisting of algebraic integers is the same for the two fields, so $d_K = d_L$ if $K$ and $L$ are isomorphic over $\mathbb{Q}$. The discriminant is an invariant of number fields that can be used to distinguish them, but is also of great importance in other contexts.

The ring of algebraic integers $O_K$ of a number field $K$ is of course an integral domain, and the concepts of divisibility, units, associates, irreducibles and prime elements discussed earlier apply to $O_K$. To obtain a supply of examples we determine the ring of algebraic integers in each number field of degree two. Every such field is obtained by adjoining to $\mathbb{Q}$ a root of a quadratic polynomial with coefficients in $\mathbb{Z}$. For this reason these fields are called quadratic number fields. The formula for the roots of a quadratic polynomial shows that such a root may be expressed rationally in terms of the square root of a rational integer. So the fields in question are of the form $\mathbb{Q}(\sqrt{d})$ with $d \in \mathbb{Z}$, and we may without loss of generality assume that $d \neq 0, 1$ and that $d$ is squarefree. Assuming that $\alpha = a + b\sqrt{d}$ with $a, b \in \mathbb{Q}$ is an algebraic integer, only the case $b \neq 0$ is interesting. Then $\alpha^2 = a^2 + 2ab\sqrt{d} + db^2 = a^2 + 2a\alpha - 2a^2 + db^2$ so $m(x) = x^2 - 2ax + a^2 - db^2$ is the unique monic minimal polynomial of $\alpha$. Thus $2a, a^2 - db^2 \in \mathbb{Z}$ by assumption. If $a$ is an integer, then so is $b$ since $d$ is squarefree. If $a = c/2$ for some odd integer $c$, we obtain $(2a)^2 \equiv 1 \pmod{4}$. Then $d(2b)^2 \equiv 1 \pmod{4}$, so $2b$ must be an odd integer, for $d$ is squarefree. Thus $(2b)^2 \equiv 1 \pmod{4}$, which is equivalent to $d \equiv 1 \pmod{4}$. Hence

$$O_{\mathbb{Q}(\sqrt{d})} = \mathbb{Z} + \mathbb{Z}\,\frac{1 + \sqrt{d}}{2},$$

for $2a$ and $2b$ are either both even or both odd integers. The above argument also shows that if $d \equiv 2 \pmod{4}$ or $d \equiv 3 \pmod{4}$, then the ring of algebraic integers of $\mathbb{Q}(\sqrt{d})$ is $\mathbb{Z} + \mathbb{Z}\sqrt{d}$, since $2a$ and $2b$ must be even integers. As $-1 \equiv 3 \pmod{4}$, we see that the ring of algebraic integers in $\mathbb{Q}(\sqrt{-1})$ coincides with the familiar Gaussian integers. We now calculate the discriminants of quadratic fields. The embeddings of $\mathbb{Q}(\sqrt{d})$ are the identity and $a + b\sqrt{d} \mapsto a - b\sqrt{d}$. Thus

$$d_K = \begin{vmatrix} 1 & \frac{1 + \sqrt{d}}{2} \\ 1 & \frac{1 - \sqrt{d}}{2} \end{vmatrix}^2 = d \qquad \text{and} \qquad d_K = \begin{vmatrix} 1 & \sqrt{d} \\ 1 & -\sqrt{d} \end{vmatrix}^2 = 4d$$

for $d \equiv 1 \pmod{4}$ and $d \equiv 2$ or $3 \pmod{4}$ respectively. Since the discriminants are different for different values of $d$, distinct quadratic fields are non-isomorphic over $\mathbb{Q}$.
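The following Python computation is an added example, not part of the original summary. It represents a + b√d as a pair of exact fractions, tests integrality with the criterion 2a, a² − db² ∈ Z derived above, and obtains the discriminant from the trace form det[tr(ω_i ω_m)] rather than from the embedding determinant. The helper names are chosen here for illustration.

```python
from fractions import Fraction
from math import isqrt


def is_squarefree(d: int) -> bool:
    n = abs(d)
    return n != 0 and all(n % (p * p) for p in range(2, isqrt(n) + 1))


def mul(u, v, d):
    """(a + b*sqrt(d)) * (c + e*sqrt(d)) as a pair (rational part, sqrt(d) part)."""
    (a, b), (c, e) = u, v
    return (a * c + d * b * e, a * e + b * c)


def trace(u):
    """Sum of the two embeddings a + b*sqrt(d) and a - b*sqrt(d)."""
    return 2 * u[0]


def norm(u, d):
    """Product of the two embeddings."""
    return u[0] ** 2 - d * u[1] ** 2


def is_algebraic_integer(u, d) -> bool:
    """True when x^2 - 2a x + (a^2 - d b^2) has coefficients in Z."""
    return all(Fraction(t).denominator == 1 for t in (trace(u), norm(u, d)))


def integral_basis(d: int):
    """Integral basis of Q(sqrt(d)) for squarefree d different from 0 and 1."""
    if d in (0, 1) or not is_squarefree(d):
        raise ValueError("d must be squarefree and different from 0 and 1")
    one = (Fraction(1), Fraction(0))
    if d % 4 == 1:  # Python's % is nonnegative, so -3 % 4 == 1
        return [one, (Fraction(1, 2), Fraction(1, 2))]
    return [one, (Fraction(0), Fraction(1))]


def discriminant(basis, d):
    """Determinant of the 2 x 2 matrix [tr(w_i * w_m)] for a basis w_1, w_2."""
    t = [[trace(mul(x, y, d)) for y in basis] for x in basis]
    return t[0][0] * t[1][1] - t[0][1] * t[1][0]


def field_discriminant(d: int) -> int:
    return int(discriminant(integral_basis(d), d))


if __name__ == "__main__":
    for d in (-7, -3, -1, 2, 3, 5, 6, 13):
        half = (Fraction(1, 2), Fraction(1, 2))
        print(d, d % 4, is_algebraic_integer(half, d), field_discriminant(d))
```

For d ≡ 1 (mod 4) the basis 1, √d still consists of algebraic integers but is not an integral basis; its discriminant is 4d, which differs from d by the square of the determinant 2 of the change-of-basis matrix.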


The discriminants of quadratic number fields are all congruent to either 0 or 1 modulo 4. This is no coincidence, for it is a result of L. Stickelberger that the discriminant of any number field $K$ satisfies a congruence $d_K \equiv 0$ or $1 \pmod{4}$. Let $\omega_1, \ldots, \omega_n$ be an integral basis for $K$ and write $d_K = \Delta_{K/\mathbb{Q}}(\omega_1, \ldots, \omega_n) = (A + B)^2 - 4AB$ where $A$ is the sum of the products in the determinant of $[\sigma_i(\omega_j)]_{1 \leq i,j \leq n}$ corresponding to even permutations and $B$ is the sum of the products corresponding to odd permutations. Clearly $A + B$ and $AB$ are algebraic integers since they are polynomials in the embeddings $\sigma_i(\omega_j)$ with rational integer coefficients. But in fact these polynomials are symmetric functions in the $\sigma_i(\omega_j)$ and thus rational numbers. For the $\sigma_i$ may be extended to embeddings of the normal closure $L$ of $K$ and the symmetric functions of $\sigma_i(\omega_j)$ are preserved by the full Galois group of the normal extension $L/\mathbb{Q}$, so they are rational numbers by the Fundamental Theorem of Galois Theory. Since $A + B$ and $AB$ are rational integers, the Stickelberger criterion follows.

The norm $N_K(\alpha)$ of an algebraic integer $\alpha$ in a number field $K$ is a rational integer, since it is both a rational number and an algebraic integer. For it equals the product $\sigma_1(\alpha)\cdots\sigma_n(\alpha)$ where $\sigma_1, \ldots, \sigma_n$ are the embeddings of $K$ over $\mathbb{Q}$, thus it is a product of algebraic integers. In particular the important inequality $|N_K(\alpha)| \geq 1$ holds if $\alpha \neq 0$ is an algebraic integer.

A $q$-th root of unity is any complex number $\zeta$ with $\zeta^q = 1$ for some positive integer $q$. If $\zeta$ is a $q$-th root of unity but not a $q'$-th root of unity for any $q' < q$, then it is a primitive $q$-th root of unity. The $q$-th roots of unity are $\zeta = e(m/q)$ with $1 \leq m \leq q$, and there are $q$ of them. The primitive $q$-th roots of unity are given by the same formula, but with the condition $\gcd(q, m) = 1$, and there are $\varphi(q)$ of those.

If all the roots of a monic polynomial in $\mathbb{Z}[x]$ lie on the unit circle, they must be roots of unity. For if $p(x)$ is such a polynomial and $m$ a positive integer, the coefficients of the monic polynomial $q_m(x)$ whose roots are the $m$-th powers of the roots of $p(x)$ are symmetric functions of the roots of $p(x)$ and thus rational integers since the elementary symmetric functions of the roots of $p(x)$ are obviously rational integers. Because all the powers of the roots of $p(x)$ have absolute value 1 by assumption, there exists a constant $C$ so that any coefficient $a$ of any of the polynomials $q_m(x)$ for $m = 1, 2, 3, \ldots$ satisfies the bound $|a| \leq C$. So there are only finitely many such polynomials, hence there is some repetition $q_m(x) = q_n(x)$ with $m < n$. Thus the $m$-th power of any root $\zeta$ of $p(x)$ is equal to the $n$-th power of some root $\eta$ of $p(x)$. Moreover there is some root $\eta_2$ with $\eta^m = \eta_2^n$ and so

$$\zeta^{m^2} = (\zeta^m)^m = (\eta^n)^m = (\eta^m)^n = (\eta_2^n)^n = \eta_2^{n^2}.$$

By induction there are roots $\eta_k$ for $k = 1, 2, 3, \ldots$ such that $\zeta^{m^k} = \eta_k^{n^k}$. Since there are only finitely many roots, there is some repetition $\eta_k = \eta_l$ with $k < l$ in the sequence, and then

$$\zeta^{m^l} = \eta_l^{n^l} = \eta_k^{n^l} = (\eta_k^{n^k})^{n^{l-k}} = (\zeta^{m^k})^{n^{l-k}} = \zeta^{m^kn^{l-k}}$$

so $\zeta$ is a root of unity.


The field $\mathbb{Q}(\zeta_q)$ with $\zeta_q = e(1/q)$ is called a cyclotomic field. Note that $\mathbb{Q}(\zeta_q^m) \subseteq \mathbb{Q}(\zeta_q)$ and $\mathbb{Q}(\zeta_q) = \mathbb{Q}(\zeta_q^{qx+my}) = \mathbb{Q}((\zeta_q^m)^y) \subseteq \mathbb{Q}(\zeta_q^m)$ for some integers $x$ and $y$ if $\gcd(q, m) = 1$. So $\mathbb{Q}(\zeta_q^m) = \mathbb{Q}(\zeta_q)$ for $\gcd(q, m) = 1$. Put $G = \mathrm{Gal}(\mathbb{Q}(\zeta_q)/\mathbb{Q})$ and let $\sigma \in G$. If $\zeta$ is a $q$-th root of unity, then $\sigma(\zeta)^q = \sigma(\zeta^q) = \sigma(1) = 1$, thus $\sigma(\zeta)$ is a $q$-th root of unity. We conclude that the extension $\mathbb{Q}(\zeta_q)/\mathbb{Q}$ is normal. The so-called cyclotomic polynomial

$$\Phi_q(x) = \prod_{\substack{1 \le m \le q \\ \gcd(q,m) = 1}} (x - \zeta_q^m)$$

has rational coefficients, for the coefficients are symmetric functions of the primitive $q$-th roots of unity, thus preserved by all $\sigma \in G$, hence they are in $\mathbb{Q}$ by the Fundamental Theorem of Galois Theory. Since any root of unity is visibly an algebraic integer, the coefficients of the polynomials $\Phi_q(x)$ are algebraic integers, hence they are rational integers. Let $f(x) \in \mathbb{Z}[x]$ be a monic polynomial with $f(\zeta_q) = 0$. Choose $m$ with $\gcd(q, m) = 1$ and note that there exist arbitrarily large primes $p \equiv m \pmod q$. For any such $m$ and $p$ we have

$$f(\zeta_q)^p = (\zeta_q^N + a_1 \zeta_q^{N-1} + \cdots + a_N)^p = (\zeta_q^p)^N + a_1^p (\zeta_q^p)^{N-1} + \cdots + a_N^p + pS_1$$

by expanding out using the multinomial theorem. Here $S_1$ is a sum of integer multiples of powers of $\zeta_q$. For every multinomial coefficient different from 1 of prime order $p$ is divisible by $p$. Furthermore

$$f(\zeta_q)^p = (\zeta_q^p)^N + a_1 (\zeta_q^p)^{N-1} + \cdots + a_N + pS_2 = f(\zeta_q^p) + pS_2 = f(\zeta_q^m) + pS_2$$

with $S_2$ a sum of integer multiples of powers of $\zeta_q$, by the small theorem of Fermat and the assumption on $m$ and $p$. Now $f(\zeta_q) = 0$ implies that $f(\zeta_q^m) = -pS_2$ with $S_2$ an algebraic integer depending on $p$. Then

$$|N_K(f(\zeta_q^m))| = |N_K(-pS_2)| = p^{n_K} |N_K(S_2)| \ge p^{n_K}$$

if $f(\zeta_q^m) \ne 0$, which is impossible since the prime $p$ can be taken arbitrarily large. So $\zeta_q^m$ is a root of $f(x)$ for every $m$ with $\gcd(q, m) = 1$, thus $\Phi_q(x) \mid f(x)$ and so $\Phi_q$ is the minimal polynomial of $\zeta_q$.

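The degree of the extension $\mathbb{Q}(\zeta_q)$ is $\varphi(q)$ since it equals the degree of $\Phi_q$. This information enables us to determine the Galois group $G$ of the cyclotomic extension. Any automorphism $\sigma \in G$ takes $\zeta_q$ to some root of $\Phi_q$, say

$$\sigma(\zeta_q) = \zeta_q^{e(\sigma)}$$

with $\gcd(q, e(\sigma)) = 1$. Here the exponent $e(\sigma)$ is well defined modulo $q$ so $\sigma \mapsto e(\sigma)$ gives a map from $G$ into $(\mathbb{Z}/q\mathbb{Z})^\times$. Now

$$(\eta \circ \sigma)(\zeta_q) = \eta(\zeta_q^{e(\sigma)}) = \eta(\zeta_q)^{e(\sigma)} = \zeta_q^{e(\eta)e(\sigma)} \quad\text{and}\quad (\eta \circ \sigma)(\zeta_q) = \zeta_q^{e(\eta \circ \sigma)}$$

so this map is a homomorphism. The map is mono, for $\sigma(\zeta_q) = \zeta_q$ implies $\sigma(\zeta_q^m) = \zeta_q^m$ and thus $\sigma$ is the identity. So $G \cong (\mathbb{Z}/q\mathbb{Z})^\times$ since both groups have order $\varphi(q)$.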


It is now possible to gain some preliminary information about units in algebraic number fields. Suppose that $K$ is a number field, and $\upsilon$ a unit in $K$ of finite order, so that $\upsilon^m = 1$. Clearly $\upsilon$ is a root of unity, and if $\zeta$ is a root of unity in $K$ with $\zeta^m = 1$, then $\zeta^{m-1}$ is an algebraic integer and $\zeta \cdot \zeta^{m-1} = 1$ so $\zeta$ is a unit in $K$ of finite order. Every root of unity $\zeta$ is a primitive root of unity to some modulus $q$ and of these there are $\varphi(q)$. The degree of $\mathbb{Q}(\zeta)$ is $\varphi(q)$ and

$$\varphi(q) = q \prod_{p \mid q} \left(1 - \frac{1}{p}\right) \ge q \prod_{p \le q} \left(1 - \frac{1}{p}\right) \gg \frac{q}{\log(q)}$$

by a result of Mertens, so there are only a finite number of roots of unity in any number field $K$. Their number is an important invariant of $K$ and is denoted by $w_K$. Note that $w_K = 2$ if $K$ is totally real, since $\pm 1$ are the only real roots of unity.

The units of finite order form a finite subgroup of the group of all units, consisting of roots of unity. This group is actually cyclic, for if $\zeta_1 = \exp(2\pi i a_1/q_1)$ and $\zeta_2 = \exp(2\pi i a_2/q_2)$ are elements, with $\gcd(a_1, q_1) = \gcd(a_2, q_2) = 1$, we can solve the linear Diophantine equation $a_1 q_2 x + a_2 q_1 y = c$ with $c = \gcd(a_1 q_2, a_2 q_1)$ in integers $x$ and $y$. Then $\zeta = \zeta_1^x \zeta_2^y = \exp(2\pi i c/q_1 q_2)$ is also an element of the group, and $\zeta_1 = \zeta^{e_1}$ and $\zeta_2 = \zeta^{e_2}$ with $e_1 = a_1 q_2/c$ and $e_2 = a_2 q_1/c$. But if a finite group is not cyclic, there have to be two elements that are not both powers of some third element.

To find the units of infinite order in an algebraic number field is a more difficult problem. If $\upsilon$ is a unit in $K$, then $\upsilon\alpha = 1$ for some algebraic integer $\alpha$ in $K$, so $N_K(\upsilon)N_K(\alpha) = N_K(\upsilon\alpha) = N_K(1) = 1$. As the norms are rational integers, we see that $N_K(\upsilon) = \pm 1$ is a necessary condition for $\upsilon$ to be a unit. But this condition is also sufficient, for $N_K(\upsilon) = \upsilon\sigma_2(\upsilon) \cdots \sigma_n(\upsilon)$ where $\sigma_1 = \mathrm{id}, \sigma_2, \ldots, \sigma_n$ are the embeddings, and the $\sigma_j(\upsilon)$ are algebraic integers. Thus $\upsilon \cdot (\sigma_2(\upsilon) \cdots \sigma_n(\upsilon) N_K(\upsilon)) = 1$ exhibits $\upsilon$ as a unit. Supposing $\omega_1, \ldots, \omega_n$ to be an integral basis for $K$, we may write down an associated norm form $P(x_1, \ldots, x_n) = N_K(x_1\omega_1 + \cdots + x_n\omega_n)$, which is a homogeneous polynomial of degree $n_K$ in $n_K$ variables with rational integer coefficients. Norm forms are not unique by any means, since they depend on some arbitrary choice of integral basis. But any two norm forms $P$ and $Q$ for the same number field are related by $Q(x) = P(Ax)$ for some matrix $A$ with rational integer entries and $\det(A) = \pm 1$, since any two integral bases for the number field are similarly related. The two forms $P$ and $Q$ are said to be equivalent, and properly equivalent if $\det(A) = 1$. The determination of the units of a number field is equivalent to solving the two Diophantine equations $P(x_1, \ldots, x_n) = \pm 1$ over $\mathbb{Z}$ for some norm form $P$ for the number field, and this can be a difficult problem.

As an example we find the units of quadratic number fields $K = \mathbb{Q}(\sqrt{d})$ with $d < 0$. The embeddings are the identity and $a + b\sqrt{d} \mapsto a - b\sqrt{d}$, so the norm is

$$N_K(a + b\sqrt{d}) = (a + b\sqrt{d})(a - b\sqrt{d}) = a^2 - db^2.$$

If $d \equiv 2$ or $3 \pmod 4$ the condition for $\upsilon = x + y\sqrt{d}$ to be a unit is

$$x^2 - dy^2 = \pm 1.$$


For $d = -1$ the equation has the four solutions

$$(x, y) = (\pm 1, 0),\ (0, \pm 1)$$

yielding four units

$$\upsilon = \pm 1, \pm i$$

among the Gaussian integers in $\mathbb{Q}(\sqrt{-1})$. If $d \le -2$ the only solutions are $(x, y) = (\pm 1, 0)$, giving the two units $\upsilon = \pm 1$.

If $d \equiv 1 \pmod 4$ the algebraic integers $\alpha$ in $\mathbb{Q}(\sqrt{d})$ may be expressed as

$$\alpha = \frac{x}{2} + \frac{y}{2}\sqrt{d}$$

with $x$ and $y$ rational integers satisfying $x \equiv y \pmod 2$. Then

$$\upsilon = \frac{x}{2} + \frac{y}{2}\sqrt{d}$$

is a unit if

$$x^2 - dy^2 = \pm 4 \quad\text{and}\quad x \equiv y \pmod 2.$$

For $d = -3$ the equation has the six solutions

$$(x, y) = (\pm 2, 0),\ (\pm 1, \pm 1),$$

yielding six units

$$\upsilon = \pm 1,\ \pm\frac{1}{2} \pm \frac{\sqrt{-3}}{2},$$

in $\mathbb{Q}(\sqrt{-3})$. If $d \le -7$ the only solutions are $(x, y) = (\pm 1, 0)$, giving the two units $\upsilon = \pm 1$.

A quadratic number field $K$ is called an imaginary quadratic field if the discriminant $d_K$ is negative. It is called a real quadratic field if the discriminant $d_K$ is positive. We have determined the units in all imaginary quadratic fields: They are $\pm 1$ except for $\mathbb{Q}(\sqrt{-1})$, for which they are $\pm 1, \pm i$, and $\mathbb{Q}(\sqrt{-3})$ for which they are $\pm 1, \pm\exp(2\pi i/3), \pm\exp(4\pi i/3)$. For the real quadratic fields, the situation is more complicated. In particular norm forms are indefinite. We shall exhibit one example, and then comment on the general case of real quadratic fields. For the field $\mathbb{Q}(\sqrt{3})$ the condition to determine the units is

$$x^2 - 3y^2 = \pm 1,$$

yielding among others the unit $\upsilon = 2 + \sqrt{3}$. This is of course a unit of infinite order since it is not a root of unity. So $\upsilon^m$ are all distinct units for $m \in \mathbb{Z}$, and $-\upsilon^m$ likewise since $-1$ is also a unit. It can be shown that $\upsilon$ is the smallest unit larger than 1, called the fundamental unit of $\mathbb{Q}(\sqrt{3})$. Every real quadratic field $\mathbb{Q}(\sqrt{d})$ has a fundamental unit $\varepsilon_d$, defined as the least unit $\upsilon > 1$, in terms of which every unit is expressed as $(\pm 1)\varepsilon_d^m$ for some $m \in \mathbb{Z}$ and a choice of sign. The fundamental unit is an important invariant of real quadratic fields, and it fluctuates widely and erratically in size as a function of $d$. This behavior is related to an unsolved problem of Gauss about binary quadratic forms.


Factorization of ideals

The ring of integers of an algebraic number field need not be a unique factorization domain. The field $K = \mathbb{Q}(\sqrt{-5})$ affords an example, for 6 has two distinct factorizations

$$6 = 2 \cdot 3 = (1 + \sqrt{-5})(1 - \sqrt{-5})$$

into irreducibles. The irreducibility of the factors is easily established by means of the norm $N_K(a + b\sqrt{-5}) = a^2 + 5b^2$. For if $\alpha$ is a nontrivial factor of $1 \pm \sqrt{-5}$, then $N_K(\alpha)$ is a nontrivial factor of $N_K(1 \pm \sqrt{-5}) = 6$, implying $N_K(\alpha) = 2$ or $N_K(\alpha) = 3$, which is clearly impossible. If $\alpha$ is a nontrivial factor of 2 or 3, then $N_K(\alpha)$ is a nontrivial factor of 4 or 9, so again $N_K(\alpha) = 2$ or $N_K(\alpha) = 3$.

If the ring of algebraic integers $\mathcal{O}_K$ could be extended to a larger ring in which $2, 3, 1 \pm \sqrt{-5}$ have unique factorizations into irreducibles, then the above example of nonunique factorization could be interpreted as the result of grouping irreducibles in a finer factorization together in different ways. Dedekind realized that by introducing ideals the benefit of such an extension may be obtained without stepping outside the confines of $\mathcal{O}_K$. Observe that if $2 = \alpha\beta$ and $1 + \sqrt{-5} = \alpha\gamma$ in a larger ring, where $\alpha$ is a highest common factor of 2 and $1 + \sqrt{-5}$ in that ring, then $\alpha$ may be specified up to associates by the ideal

$$(2, 1 + \sqrt{-5}) = 2\mathcal{O}_K + (1 + \sqrt{-5})\mathcal{O}_K$$

without reference to the larger ring. We now throw away the crutch of thinking in terms of a larger ring, and resolve to discuss factorization in terms of ideals.

An ideal in a commutative ring $R$ with 1 is a nonempty set $I \subseteq R$ such that if $a, b \in I$ and $s, t \in R$ then $sa + tb \in I$. The ideal

$$(a_1, \ldots, a_m) = a_1 R + \cdots + a_m R$$

is generated by $a_1, \ldots, a_m$ and an ideal $(a) = aR$ is called a principal ideal. The zero ideal $(0)$ and the whole ring $R = (1)$ are principal ideals. A proper ideal is any ideal different from these two. A maximal ideal is an ideal $M \subsetneq R$ so that if $M \subseteq I \subsetneq R$ for some ideal $I$, then $I = M$. A prime ideal is an ideal $P \subsetneq R$ so that if $ab \in P$ then $a \in P$ or $b \in P$. If $IJ \subseteq P$ with $I$ and $J$ ideals and $P$ a prime ideal, then $I \subseteq P$ or $J \subseteq P$. For if $I \nsubseteq P$ we can choose some $a \in I \setminus P$. Then for arbitrary $b \in J$ we obtain $ab \in IJ \subseteq P$, so $b \in P$ since $P$ is prime.

Any intersection of ideals is an ideal. The sum $I + J$ of two ideals is the intersection of all ideals containing $I$ and $J$, and thus

$$I + J = \{a + b \mid a \in I \text{ and } b \in J\}.$$

The product $IJ$ is the intersection of all ideals that contain the products $ab$ with $a \in I$ and $b \in J$. The typical element $c$ of $IJ$ is of the form

$$c = a_1 b_1 + \cdots + a_m b_m$$

with $a_1, \ldots, a_m \in I$ and $b_1, \ldots, b_m \in J$. Obviously a product of ideals is contained in the intersection of the same ideals.


Two elements $s, t \in R$ are congruent modulo an ideal $I$ if $s - t \in I$, and we write $s \equiv t \pmod I$. Congruence modulo an ideal is a straight generalization of congruence modulo an integer $q$, the latter being the same as congruence modulo the principal ideal $(q)$. Congruence modulo an ideal is an equivalence relation, with equivalence classes $\bar{s} = s + I = \{s + a \mid a \in I\}$ that are called residue classes modulo $I$. The operations $\bar{s} + \bar{t} = \overline{s + t}$ and $\bar{s} \cdot \bar{t} = \overline{st}$ of addition and multiplication of residue classes are well defined. With these operations the residue classes form a ring $R/I$ called the quotient ring of $R$ modulo $I$.

It turns out that $R/I$ is a field if and only if $I$ is a maximal ideal, and $R/I$ is an integral domain if and only if $I$ is a prime ideal. In particular any maximal ideal is a prime ideal. Suppose first that $I$ is a maximal ideal. Let $0 \ne \bar{a} \in R/I$ and note that $(a) + I = R$ since $I$ is maximal. There is some $b \in R$ so that $ab \equiv 1 \pmod I$, and thus $\bar{a} \cdot \bar{b} = \bar{1}$, so $R/I$ is a field. Assume that $R/I$ is a field and $I \subseteq J$ for some ideal $J$. Then $J/I$ is an ideal in $R/I$ so $J/I = (0)$ or $J/I = (1)$ because $R/I$ is a field. Thus $J = I$ or $J = R$, and $I$ must be a maximal ideal. Suppose that $I$ is a prime ideal, and let $\bar{a}, \bar{b} \in R/I$ with $\bar{a} \cdot \bar{b} = 0$. Then $ab \in I$ so $a \in I$ or $b \in I$, meaning that $\bar{a} = 0$ or $\bar{b} = 0$ in $R/I$, which must therefore be an integral domain. Assuming that $R/I$ is an integral domain and $ab \in I$, then $\bar{a} \cdot \bar{b} = 0$ in $R/I$. Thus $\bar{a} = 0$ or $\bar{b} = 0$ so $a \in I$ or $b \in I$ which means that $I$ is a prime ideal.

We are going to establish special properties of the ideals in rings $\mathcal{O}_K$ of algebraic integers of number fields $K$. These efforts will culminate in the statement that any nonzero ideal in $\mathcal{O}_K$ has a factorization as a product of prime ideals in $\mathcal{O}_K$ that is unique up to order of the factors. In number theory the zero ideal is seldom of any importance, and we adopt the convention that ideal shall mean nonzero ideal unless the opposite is stated.

An ideal $\mathfrak{a}$ in $\mathcal{O}_K$ is a subgroup of the additive group of $\mathcal{O}_K$. The latter is a free abelian group of finite rank $n = n_K$ as seen from the existence of an integral basis for $\mathcal{O}_K$. Thus $\mathfrak{a}$ is a free abelian group of rank at most $n$. Choose some nonzero algebraic integer $\alpha \in \mathfrak{a}$ and an integral basis $\omega_1, \ldots, \omega_n$ for $\mathcal{O}_K$. Then the principal ideal

$$\alpha\mathcal{O}_K = \mathbb{Z}\alpha\omega_1 + \cdots + \mathbb{Z}\alpha\omega_n$$

is contained in $\mathfrak{a}$ and is a free abelian group of rank $n$. So the additive group of $\mathfrak{a}$ has rank $n$ and there are elements $\alpha_1, \ldots, \alpha_n \in \mathfrak{a}$ for which

$$\mathfrak{a} = \mathbb{Z}\alpha_1 + \cdots + \mathbb{Z}\alpha_n.$$

Such a collection $\alpha_1, \ldots, \alpha_n$ is called an ideal basis for $\mathfrak{a}$. Note that since $\mathfrak{a}$ is finitely generated over $\mathbb{Z}$, it is certainly finitely generated over $\mathcal{O}_K$. A ring all of whose ideals are finitely generated is called Noetherian. We have established that $\mathcal{O}_K$ is Noetherian for any number field $K$.

Any nonzero ideal in $\mathcal{O}_K$ contains a nonzero rational integer, for the minimal equation of a nonzero element $\alpha \in \mathcal{O}_K$ may be rewritten to express its constant term as an element of $(\alpha)$. We now show that $\mathcal{O}_K/\mathfrak{a}$ is finite for any nonzero ideal $\mathfrak{a}$ in $\mathcal{O}_K$. Since there is some positive rational integer $m \in \mathfrak{a}$ and $(m) \subseteq \mathfrak{a}$, it will be enough to show that $\mathcal{O}_K/(m)$ is finite. If $\omega_1, \ldots, \omega_n$ is an integral basis for $\mathcal{O}_K$ and $\alpha \in \mathcal{O}_K$ is arbitrary, the calculation

$$\begin{aligned}
\alpha &\equiv a_1\omega_1 + \cdots + a_n\omega_n \equiv (q_1 m + r_1)\omega_1 + \cdots + (q_n m + r_n)\omega_n \\
&\equiv r_1\omega_1 + \cdots + r_n\omega_n + m(q_1\omega_1 + \cdots + q_n\omega_n) \\
&\equiv r_1\omega_1 + \cdots + r_n\omega_n \pmod{(m)}
\end{aligned}$$

shows that $\mathcal{O}_K$ has $m^n$ residue classes modulo $(m)$.

Any nonzero prime ideal $\mathfrak{p}$ in $\mathcal{O}_K$ is a maximal ideal. For $\mathcal{O}_K/\mathfrak{p}$ is a finite integral domain. The powers of an arbitrary element $r \ne 0$ of a finite ring cannot all be distinct, so there must be two equal powers of $r$ with different exponents. If the ring is an integral domain, a common factor may be canceled between the two equal powers to show that $r^j = 1$ for some positive integer $j$. But then $r \cdot r^{j-1} = 1$ implies that the finite integral domain is a field. Thus $\mathcal{O}_K/\mathfrak{p}$ is a field, and $\mathfrak{p}$ is a maximal ideal.

Every nonzero ideal of $\mathcal{O}_K$ contains a product of prime ideals. Otherwise the set of nonzero ideals containing no product of prime ideals would be nonempty. An arbitrary ascending infinite chain $\mathfrak{a}_1 \subseteq \mathfrak{a}_2 \subseteq \cdots$ of such ideals under inclusion becomes stationary. For $|\mathcal{O}_K/\mathfrak{a}_1| \ge |\mathcal{O}_K/\mathfrak{a}_2| \ge \cdots$ is a decreasing sequence of positive integers. Thus by Zorn's Lemma there is an ideal $\mathfrak{a}$ containing no product of prime ideals that is not properly contained in another such ideal. Obviously $\mathfrak{a}$ cannot be a prime ideal, so there exist $\alpha, \beta \in \mathcal{O}_K$ with $\alpha\beta \in \mathfrak{a}$ but $\alpha, \beta \notin \mathfrak{a}$. The ideals $(\alpha) + \mathfrak{a}$ and $(\beta) + \mathfrak{a}$ strictly contain $\mathfrak{a}$ so each contains a product of prime ideals. Then their product $\mathfrak{b} = ((\alpha) + \mathfrak{a})((\beta) + \mathfrak{a})$ contains a product of prime ideals. But $\mathfrak{b} \subseteq \mathfrak{a}$, contradicting the statement that $\mathfrak{a}$ contains no product of prime ideals.

To develop the theory of divisibility for ideals it is convenient, though by no means indispensable, to make use of fractional ideals. A fractional ideal $F$ of $K$ is a set $F \subseteq K$ for which there exists some $\alpha \in K^\times$ such that $\alpha F$ is a nonzero ordinary ideal of $\mathcal{O}_K$. Fractional ideals generalize nonzero ideals of $\mathcal{O}_K$, and we shall reserve the term ideal for ideals in the sense of ring theory. In some books the term integral ideal is used for ideals to distinguish them from fractional ideals. As an example of a fractional ideal we note $7\mathbb{Z}/3$ in $\mathbb{Q}$. A fractional ideal of the form $\alpha\mathcal{O}_K$ with $\alpha \in K^\times$ is called a principal fractional ideal. Fractional ideals may be multiplied together in the same way as ideals to yield new fractional ideals. For a product of ideals is an ideal and if $F_1$ and $F_2$ are fractional ideals with $\alpha_1 F_1$ and $\alpha_2 F_2$ ideals, then $\alpha_1\alpha_2 F_1 F_2 = (\alpha_1 F_1)(\alpha_2 F_2)$ is an ideal. Every fractional ideal $F$ has an inverse

$$F^{-1} = \{\alpha \in K \mid \alpha F \subseteq \mathcal{O}_K\}$$

which is a fractional ideal. The inverse is closed under addition, and under multiplication by elements of $\mathcal{O}_K$. Since there exists some $\alpha \in K^\times$ with $\alpha F$ a necessarily nonzero ideal of $\mathcal{O}_K$, clearly $F^{-1}$ contains a nonzero element. If $\beta \in F$ then $\beta F^{-1} \subseteq \beta F F^{-1} \subseteq \mathcal{O}_K$, so $F^{-1}$ is a fractional ideal. Note that the inverse of a nonzero ideal is a fractional ideal that contains the element 1.


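If $\mathfrak{p}$ is a prime ideal, then $\mathfrak{p}\mathfrak{p}^{-1} = \mathcal{O}_K$. For $\mathfrak{p} \subseteq \mathfrak{p}\mathfrak{p}^{-1} \subseteq \mathcal{O}_K$ and $\mathfrak{p}$ is a maximal ideal, so $\mathfrak{p}\mathfrak{p}^{-1} = \mathcal{O}_K$ or $\mathfrak{p}\mathfrak{p}^{-1} = \mathfrak{p}$. If the latter case holds, $\alpha\mathfrak{p} \subseteq \mathfrak{p}$ for all $\alpha \in \mathfrak{p}^{-1}$. Let $\alpha_1, \ldots, \alpha_n$ be an ideal basis for $\mathfrak{p}$ and write

$$\alpha\alpha_i = \sum_{j=1}^{n} a_{ij}\alpha_j, \qquad A = [a_{ij}], \qquad a_{ij} \in \mathbb{Z}$$

for $1 \le i \le n$. Then $\alpha$ is a root of $\det(x\,\mathrm{id} - A) = 0$ so $\alpha$ is an algebraic integer, and $\mathfrak{p}^{-1}$ is an ideal. Since $\mathcal{O}_K \subseteq \mathfrak{p}^{-1}$, this implies that $\mathfrak{p}^{-1} = \mathcal{O}_K$. But this is false. For any nonzero $\alpha \in \mathfrak{p}$ there exists a collection $\mathfrak{p}_1, \ldots, \mathfrak{p}_m$ of prime ideals, with $m$ minimal, for which

$$\mathfrak{p}_1 \cdots \mathfrak{p}_m \subseteq \alpha\mathcal{O}_K \subseteq \mathfrak{p}.$$

Then $\mathfrak{p}_1 \subseteq \mathfrak{p}$ after reindexing. Otherwise there are $\alpha_j \in \mathfrak{p}_j \setminus \mathfrak{p}$ for $1 \le j \le m$, but $\alpha_1 \cdots \alpha_m \in \mathfrak{p}$, which contradicts the statement that $\mathfrak{p}$ is a prime ideal. Thus $\mathfrak{p}_1 = \mathfrak{p}$ since $\mathfrak{p}_1$ is a prime ideal. Now $\mathfrak{p}_2 \cdots \mathfrak{p}_m \nsubseteq \alpha\mathcal{O}_K$ by the minimality of $m$, so there is some $\beta \in \mathfrak{p}_2 \cdots \mathfrak{p}_m$ with $\beta \notin \alpha\mathcal{O}_K$. Then $\alpha^{-1}\beta \notin \mathcal{O}_K$, but on the other hand $\alpha^{-1}\beta \in \mathfrak{p}^{-1}$. For $\beta\mathfrak{p} \subseteq \alpha\mathcal{O}_K$ since $\beta\mathfrak{p} \subseteq \mathfrak{p}_2 \cdots \mathfrak{p}_m\mathfrak{p}_1$, so $\alpha^{-1}\beta\mathfrak{p} \subseteq \mathcal{O}_K$.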

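We define a relation $\mathfrak{a} \mid \mathfrak{b}$ of divisibility between nonzero ideals of $\mathcal{O}_K$ by $\mathfrak{b} = \mathfrak{a}\mathfrak{c}$ for some nonzero ideal $\mathfrak{c}$. Then $\mathfrak{p} \mid \mathfrak{a}\mathfrak{b}$ implies $\mathfrak{p} \mid \mathfrak{a}$ or $\mathfrak{p} \mid \mathfrak{b}$ if $\mathfrak{p}$ is a prime ideal, in analogy with the definition of prime elements in an integral domain. For $\mathfrak{a}\mathfrak{b} = \mathfrak{p}\mathfrak{c} \subseteq \mathfrak{p}\mathcal{O}_K = \mathfrak{p}$ implies that $\mathfrak{a} \subseteq \mathfrak{p}$ or $\mathfrak{b} \subseteq \mathfrak{p}$, say the former. Then $\mathfrak{a}\mathfrak{p}^{-1} \subseteq \mathfrak{p}\mathfrak{p}^{-1} = \mathcal{O}_K$, so $\mathfrak{a}\mathfrak{p}^{-1}$ is an ideal with $\mathfrak{a} = (\mathfrak{a}\mathfrak{p}^{-1})\mathfrak{p}$, thus $\mathfrak{p} \mid \mathfrak{a}$.

Unique factorization into prime ideals. Every nonzero ideal of $\mathcal{O}_K$ is a product of prime ideals that is unique up to order of the factors.

Proof. The ideal $(1)$ factors as the empty product. Assume the set of nonzero ideals that do not factor into prime ideals to be nonempty. An arbitrary ascending infinite chain $\mathfrak{a}_1 \subseteq \mathfrak{a}_2 \subseteq \cdots$ of such ideals under inclusion becomes stationary. For $|\mathcal{O}_K/\mathfrak{a}_1| \ge |\mathcal{O}_K/\mathfrak{a}_2| \ge \cdots$ is a decreasing sequence of positive integers. Thus there is an ideal $\mathfrak{a}$ that does not factor into prime ideals that is not properly contained in another such ideal. There is a maximal ideal, hence a prime ideal, $\mathfrak{p} \supseteq \mathfrak{a}$. Then $\mathfrak{a} \subseteq \mathfrak{a}\mathfrak{p}^{-1} \subseteq \mathfrak{p}\mathfrak{p}^{-1} = \mathcal{O}_K$. Obviously $\mathfrak{p} \ne \mathfrak{a}$, so $\mathfrak{a}\mathfrak{p}^{-1} \ne \mathcal{O}_K$. Then $\mathfrak{a}\mathfrak{p}^{-1}$ has a factorization into prime ideals since every ideal properly containing $\mathfrak{a}$ has such a factorization. But then $\mathfrak{a} = \mathfrak{a}\mathcal{O}_K = (\mathfrak{a}\mathfrak{p}^{-1})\mathfrak{p}$ also has such a factorization, a contradiction.

It remains to prove uniqueness of factorization into prime ideals. Suppose that

$$\mathfrak{p}_1 \cdots \mathfrak{p}_s = \mathfrak{q}_1 \cdots \mathfrak{q}_t$$

are two factorizations into prime ideals. Then there is some $j$ with $1 \le j \le t$ such that $\mathfrak{p}_s \mid \mathfrak{q}_j$. So $\mathfrak{q}_j \subseteq \mathfrak{p}_s$, but both ideals are maximal, therefore $\mathfrak{p}_s = \mathfrak{q}_j$. Multiplying through by $\mathfrak{p}_s^{-1}$ cancels the factor $\mathfrak{p}_s$ on both sides, and we are left with the same kind of equal factorizations, with $s - 1$ and $t - 1$ prime ideals on the two sides. Continuing like this shows that $s = t$ and that the prime ideals in one of the factorizations equal the prime ideals in the other in some order.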


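Every nonzero ideal $\mathfrak{a}$ of $\mathcal{O}_K$ has an inverse $\mathfrak{a}^{-1}$ under multiplication of fractional ideals. For there is a factorization

$$\mathfrak{a} = \mathfrak{p}_1 \cdots \mathfrak{p}_s$$

into prime ideals, and

$$\mathfrak{a}^{-1} = \mathfrak{p}_1^{-1} \cdots \mathfrak{p}_s^{-1}$$

is an inverse, as one sees by multiplying the two products together and using $\mathfrak{p}_j\mathfrak{p}_j^{-1} = \mathcal{O}_K$.

Suppose $\mathfrak{a}$ and $\mathfrak{b}$ are nonzero ideals of $\mathcal{O}_K$. If $\mathfrak{a} \mid \mathfrak{b}$, then $\mathfrak{b} = \mathfrak{a}\mathfrak{c} \subseteq \mathfrak{a}\mathcal{O}_K = \mathfrak{a}$. While if $\mathfrak{b} \subseteq \mathfrak{a}$, then $\mathfrak{a}^{-1}\mathfrak{b} \subseteq \mathfrak{a}^{-1}\mathfrak{a} = \mathcal{O}_K$, so $\mathfrak{a}^{-1}\mathfrak{b}$ is an ideal with $\mathfrak{a}(\mathfrak{a}^{-1}\mathfrak{b}) = \mathfrak{b}$. Thus $\mathfrak{a} \mid \mathfrak{b}$ and $\mathfrak{b} \subseteq \mathfrak{a}$ are equivalent for nonzero ideals. This observation has the succinct formulation 'to divide is to contain.'

If $\mathfrak{a}$ and $\mathfrak{b}$ are nonzero ideals, and $\mathfrak{p}_1, \ldots, \mathfrak{p}_s$ the distinct prime ideals that divide one or the other of them, we may write

$$\mathfrak{a} = \mathfrak{p}_1^{a_1} \cdots \mathfrak{p}_s^{a_s}, \qquad \mathfrak{b} = \mathfrak{p}_1^{b_1} \cdots \mathfrak{p}_s^{b_s}$$

with $a_1, \ldots, a_s, b_1, \ldots, b_s$ nonnegative integers. Then one shows that $\mathfrak{a} \mid \mathfrak{b}$ if and only if $a_j \le b_j$ for $1 \le j \le s$ just as in the case of rational integers.

There is an important result that is central to some proofs of the theorem on factorization into prime ideals, which for us is rather a consequence: For every nonzero ideal $\mathfrak{a}$ of $\mathcal{O}_K$, there is some $\alpha \in \mathcal{O}_K$ with $\mathfrak{a} \mid (\alpha)$. Briefly, every ideal divides some principal ideal. It is obviously enough to show that every nonzero prime ideal divides some principal ideal. If $\mathfrak{p}$ is a prime ideal, choose some nonzero $\beta \in \mathfrak{p}$. Then $(\beta) \subseteq \mathfrak{p}$ so $(\beta)\mathfrak{p}^{-1} \subseteq \mathfrak{p}\mathfrak{p}^{-1} = \mathcal{O}_K$, thus $(\beta)\mathfrak{p}^{-1}$ is an ideal with $((\beta)\mathfrak{p}^{-1})\mathfrak{p} = (\beta)$, which implies $\mathfrak{p} \mid (\beta)$.

Every fractional ideal $\mathfrak{a}$ has an inverse, for if $\alpha \in K^\times$ with $\alpha\mathfrak{a} = \mathfrak{b}$ an ideal, we have $\mathfrak{a}^{-1} = (\alpha)\mathfrak{b}^{-1}$. Thus the fractional ideals of $\mathcal{O}_K$ form a group, which we denote by $J_K$. Since $\mathfrak{a} = (m)(\beta)^{-1}\mathfrak{b}$ with $\alpha = \beta/m$, $\beta$ an algebraic integer and $m$ a positive rational integer, factorization of ideals into prime ideals implies that fractional ideals are of the form

$$\mathfrak{a} = \mathfrak{p}_1^{a_1} \cdots \mathfrak{p}_s^{a_s}$$

where $\mathfrak{p}_1, \ldots, \mathfrak{p}_s$ are prime ideals and $a_1, \ldots, a_s \in \mathbb{Z}$. Thus $J_K$ is the free abelian group generated by the prime ideals of $\mathcal{O}_K$ under multiplication. This group has a subgroup $P_K$ isomorphic with $K^\times$ consisting of the principal fractional ideals.

The norm of a nonzero ideal of $\mathcal{O}_K$ is

$$N(\mathfrak{a}) \overset{\mathrm{def}}{=} |\mathcal{O}_K/\mathfrak{a}|.$$

This is also called the absolute norm. Recall that we already showed that $\mathcal{O}_K/\mathfrak{a}$ is finite if $\mathfrak{a}$ is a nonzero ideal of $\mathcal{O}_K$. The most important property of the norm on ideals is that it is totally multiplicative: If $\mathfrak{a}$ and $\mathfrak{b}$ are nonzero ideals, then $N(\mathfrak{a}\mathfrak{b}) = N(\mathfrak{a})N(\mathfrak{b})$. To prove this we establish a generalization of the Chinese Remainder Theorem.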


Chinese Remainder Theorem for ideals. Suppose that $R$ is a commutative ring with 1 and that $I_1, \ldots, I_m$ are ideals with $I_i + I_j = R$ whenever $i \ne j$. Then

$$R/I \cong (R/I_1) \times \cdots \times (R/I_m)$$

with $I = I_1 \cdots I_m$.

Proof. The homomorphism

$$\vartheta : R \to (R/I_1) \times \cdots \times (R/I_m)$$

given by

$$a \mapsto (a + I_1, \ldots, a + I_m)$$

has kernel $\ker(\vartheta) = I_1 \cap \cdots \cap I_m$. We need to show that $\vartheta$ is epi and that $I_1 \cdots I_m = I_1 \cap \cdots \cap I_m$. Now

$$\prod_{j \ne i} (I_i + I_j) = R$$

by $I_i + I_j = R$ for $1 \le i \ne j \le m$. Thus

$$I_i + \prod_{j \ne i} I_j = R$$

because all the terms in the expansion of the product of the $(I_i + I_j)$-s except one are contained in $I_i$. Then there exist $a_i \in I_i$ and

$$b_i \in \prod_{j \ne i} I_j \subseteq \bigcap_{j \ne i} I_j$$

such that $a_i + b_i = 1$. Supposing

$$(c_1 + I_1, \ldots, c_m + I_m) \in (R/I_1) \times \cdots \times (R/I_m)$$

to be arbitrary, we have

$$\begin{aligned}
\vartheta(b_1 c_1 + \cdots + b_m c_m) &= (b_1 c_1 + \cdots + b_m c_m + I_1, \ldots, b_1 c_1 + \cdots + b_m c_m + I_m) \\
&= (c_1 + I_1, \ldots, c_m + I_m)
\end{aligned}$$

since $a_i \in I_i$ implies $b_i - 1 \in I_i$, and $b_i \in I_j$ for $j \ne i$ by the obvious inclusion between products and intersections of ideals. Thus $\vartheta$ is an epimorphism.

To establish the non-obvious inclusion

$$I_1 \cap \cdots \cap I_m \subseteq I_1 \cdots I_m$$

we use the condition that $I_i + I_j = R$ whenever $i \ne j$, proceeding by induction. Suppose that $m = 2$, and choose $a_1 \in I_1$ and $a_2 \in I_2$ such that $a_1 + a_2 = 1$. If $a \in I_1 \cap I_2$, then $a = aa_1 + aa_2 \in I_1 I_2$. Now assume that the inclusion has been proved for some $m \ge 2$. Then $I_1 \cap \cdots \cap I_m = I_1 \cdots I_m$, so $I_1 \cap \cdots \cap I_{m+1} = (I_1 \cdots I_m) \cap I_{m+1}$. But $I_1 \cdots I_m + I_{m+1} = R$ was established above, so we can choose $a_1 \in I_1 \cdots I_m$ and $a_2 \in I_{m+1}$ such that $a_1 + a_2 = 1$. If $a \in (I_1 \cdots I_m) \cap I_{m+1}$, then $a = aa_1 + aa_2 \in (I_1 \cdots I_m)I_{m+1}$. Since the other inclusion is obvious, we obtain $I_1 \cdots I_m = I_1 \cap \cdots \cap I_m$.
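The construction in the proof above, carried out for R = Z with I_i = (n_i), as an added example that is not part of the original text. The function names are chosen here for illustration; the sample moduli are constructed. It builds the elements a_i, b_i with a_i + b_i = 1, uses b_1c_1 + ... + b_mc_m as the preimage, and shows both conclusions failing when the comaximality hypothesis I_i + I_j = R is dropped.

```python
from functools import reduce
from math import gcd, prod


def ext_gcd(a, b):
    """Return (g, x, y) with a*x + b*y == g == gcd(a, b) for positive a, b."""
    x0, y0, x1, y1 = 1, 0, 0, 1
    while b:
        q = a // b
        a, b = b, a - q * b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def partition_of_unity(moduli):
    """For I_i = (n_i) in Z, return pairs (a_i, b_i) with a_i in I_i,
    b_i in the product of the other I_j, and a_i + b_i == 1."""
    for i, n in enumerate(moduli):
        for m in moduli[i + 1:]:
            if gcd(n, m) != 1:
                # (n) + (m) = (gcd(n, m)) is a proper ideal: hypothesis fails.
                raise ValueError(f"({n}) + ({m}) is not the whole ring")
    pairs = []
    for i, n in enumerate(moduli):
        rest = prod(moduli[:i] + moduli[i + 1:])
        _, x, y = ext_gcd(n, rest)          # n*x + rest*y == 1
        pairs.append((n * x, rest * y))
    return pairs


def crt_preimage(residues, moduli):
    """Preimage b_1*c_1 + ... + b_m*c_m of (c_1 + I_1, ..., c_m + I_m),
    reduced modulo I = I_1 ... I_m."""
    pairs = partition_of_unity(moduli)
    c = sum(b * r for (_, b), r in zip(pairs, residues))
    return c % prod(moduli)


def image_size(moduli):
    """Number of distinct tuples (a + I_1, ..., a + I_m) hit by the map."""
    return len({tuple(a % m for m in moduli) for a in range(prod(moduli))})


def product_equals_intersection(moduli):
    """In Z the intersection of the (n_i) is (lcm) and the product is (n_1...n_m)."""
    lcm = reduce(lambda x, y: x * y // gcd(x, y), moduli, 1)
    return lcm == prod(moduli)


if __name__ == "__main__":
    print(partition_of_unity([3, 5, 7]))
    print(crt_preimage([2, 3, 2], [3, 5, 7]))
    print(image_size([4, 6]), product_equals_intersection([4, 6]))
```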


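We have

$$\begin{aligned}
N(\mathfrak{a}) = |\mathcal{O}_K/\mathfrak{a}| &= |(\mathcal{O}_K/\mathfrak{p}_1^{a_1}) \oplus \cdots \oplus (\mathcal{O}_K/\mathfrak{p}_s^{a_s})| \\
&= |\mathcal{O}_K/\mathfrak{p}_1^{a_1}| \cdots |\mathcal{O}_K/\mathfrak{p}_s^{a_s}| = N(\mathfrak{p}_1^{a_1}) \cdots N(\mathfrak{p}_s^{a_s})
\end{aligned}$$

by the factorization $\mathfrak{a} = \mathfrak{p}_1^{a_1} \cdots \mathfrak{p}_s^{a_s}$ into powers of distinct prime ideals, and the Chinese Remainder Theorem. For

$$\mathfrak{p}_i^{a_i} + \mathfrak{p}_j^{b_j} = \mathcal{O}_K$$

if $\mathfrak{p}_i$ and $\mathfrak{p}_j$ are distinct prime ideals, otherwise they would be divisible by a common prime ideal $\mathfrak{p}$, an impossibility.

We now show that $|\mathcal{O}_K/\mathfrak{p}^a| = |\mathcal{O}_K/\mathfrak{p}|^a$ to conclude that $N(\mathfrak{p}^a) = N(\mathfrak{p})^a$. This implies the total multiplicativity of the absolute norm. If $a \ge 2$ then $\mathfrak{p}^{a-1}/\mathfrak{p}^a$ is a subgroup of $\mathcal{O}_K/\mathfrak{p}^a$, and $\mathcal{O}_K/\mathfrak{p}^{a-1} \cong (\mathcal{O}_K/\mathfrak{p}^a)/(\mathfrak{p}^{a-1}/\mathfrak{p}^a)$. So by induction it will be sufficient to establish that $|\mathfrak{p}^{a-1}/\mathfrak{p}^a| = |\mathcal{O}_K/\mathfrak{p}|$. Since $\mathfrak{p}^a \ne \mathfrak{p}^{a-1}$ there is some $\alpha \in \mathfrak{p}^{a-1} \setminus \mathfrak{p}^a$. The inclusions $\mathfrak{p}^a \subseteq (\alpha) + \mathfrak{p}^a \subseteq \mathfrak{p}^{a-1}$ imply that $(\alpha) + \mathfrak{p}^a = \mathfrak{p}^{a-1}$ since $\mathfrak{p}$ is a prime ideal. The map $\vartheta : \mathcal{O}_K \to \mathfrak{p}^{a-1}/\mathfrak{p}^a$ given by $\beta \mapsto \alpha\beta + \mathfrak{p}^a$ is an epimorphism of abelian groups. For

$$\vartheta(\beta + \gamma) = \alpha(\beta + \gamma) + \mathfrak{p}^a = (\alpha\beta + \mathfrak{p}^a) + (\alpha\gamma + \mathfrak{p}^a) = \vartheta(\beta) + \vartheta(\gamma)$$

and $\mathrm{im}(\vartheta) = ((\alpha) + \mathfrak{p}^a)/\mathfrak{p}^a = \mathfrak{p}^{a-1}/\mathfrak{p}^a$. Furthermore $\beta \in \ker(\vartheta)$ if and only if $\alpha\beta \in \mathfrak{p}^a$, which is equivalent to $\mathfrak{p}^a \mid (\alpha)(\beta)$. While $\alpha \in \mathfrak{p}^{a-1} \setminus \mathfrak{p}^a$ is equivalent to $\mathfrak{p}^{a-1} \,\|\, (\alpha)$, and thus to $\mathfrak{p} \mid (\beta)$ by the theorem on unique factorization into prime ideals. Thus $\ker(\vartheta) = \mathfrak{p}$ so that $\mathfrak{p}^{a-1}/\mathfrak{p}^a = \mathrm{im}(\vartheta) \cong \mathcal{O}_K/\mathfrak{p}$.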

We now show that if $\alpha$ is a nonzero element of $\mathcal{O}_K$, then $N((\alpha)) = |N_{K/\mathbb{Q}}(\alpha)|$. That is to say, the absolute norm of a principal ideal equals the absolute value of the norm of any generator. Let $B = (\omega_1, \ldots, \omega_n)$ be an ordered integral basis for $\mathcal{O}_K$. The linear operator $M_\alpha$ used to define the norm $N_{K/\mathbb{Q}}(\alpha)$ may be represented relative to $B$ by a matrix $A$ with rational integer entries, and

$$N_{K/\mathbb{Q}}(\alpha) = \det(M_\alpha) = \det(A).$$

Moreover $\mathcal{O}_K/(\alpha) = \mathcal{O}_K/M_\alpha\mathcal{O}_K \cong \mathbb{Z}^n/\mathrm{im}(\vartheta)$ where the homomorphism $\vartheta : \mathbb{Z}^n \to \mathbb{Z}^n$ is given by $\vartheta(x) = Ax$. The image of $\vartheta$ consists of those $b \in \mathbb{Z}^n$ for which $Ax = b$ is solvable in integers, and they can be determined by means of the adjugate matrix. We have $\det(A)x = \mathrm{adj}(A)Ax = \mathrm{adj}(A)b$, so the condition on $b$ is that $\mathrm{adj}(A)b \equiv 0 \pmod{\det(A)}$. Then $|\mathbb{Z}^n/\mathrm{im}(\vartheta)| = |\det(A)|$ since there is a single solution modulo $\det(A)$, and

$$N((\alpha)) = |\mathcal{O}_K/(\alpha)| = |\mathbb{Z}^n/\mathrm{im}(\vartheta)| = |\det(A)| = |N_{K/\mathbb{Q}}(\alpha)|.$$

We define the absolute norm of the zero ideal to be zero so as to make the relationship between the two kinds of norm hold for all principal ideals.

The material about norms is vitally important to us, because the very definition of the Dedekind zeta function hinges on it.
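An added example, not part of the original text, that works the two norm arguments of this section in Z[√−5]: the irreducibility of 2, 3 and 1 ± √−5 via the norm a² + 5b², and N((α)) = |det(A)| = |N(α)| by counting residue classes with the adjugate criterion adj(A)b ≡ 0 (mod det(A)). Elements are represented as integer pairs (a, b) for a + b√−5 relative to the integral basis (1, √−5); all function names are chosen here for illustration.

```python
from math import isqrt

# Elements of Z[sqrt(-5)] are pairs (a, b) standing for a + b*sqrt(-5).


def norm(alpha):
    a, b = alpha
    return a * a + 5 * b * b


def conj(alpha):
    return (alpha[0], -alpha[1])


def mul(alpha, beta):
    a, b = alpha
    c, d = beta
    return (a * c - 5 * b * d, a * d + b * c)


def elements_of_norm(n):
    """All (a, b) with a^2 + 5*b^2 == n, found by a bounded search."""
    found = set()
    b = 0
    while 5 * b * b <= n:
        a2 = n - 5 * b * b
        a = isqrt(a2)
        if a * a == a2:
            found.update({(a, b), (-a, b), (a, -b), (-a, -b)})
        b += 1
    return sorted(found)


def divides(beta, alpha):
    """True if beta | alpha, i.e. alpha * conj(beta) / N(beta) is integral."""
    n = norm(beta)
    a, b = mul(alpha, conj(beta))
    return a % n == 0 and b % n == 0


def is_irreducible(alpha):
    """A nontrivial factor has norm d with 1 < d < N(alpha) and d | N(alpha)."""
    n = norm(alpha)
    if n <= 1:                      # zero or a unit
        return False
    return not any(
        divides(beta, alpha)
        for d in range(2, n) if n % d == 0
        for beta in elements_of_norm(d)
    )


def mult_matrix(alpha):
    """Matrix A of multiplication by alpha relative to the basis (1, sqrt(-5))."""
    a, b = alpha
    return ((a, -5 * b), (b, a))


def ideal_index(alpha):
    """|Z^2 / A Z^2| counted directly: u and v lie in the same class exactly
    when adj(A)(u - v) == 0 mod det(A), and the box [0, |det|)^2 meets
    every class because det(A) * Z^2 is contained in the image of A."""
    (p, q), (r, s) = mult_matrix(alpha)
    det = p * s - q * r
    if det == 0:
        raise ValueError("the zero ideal has infinite index")
    adj = ((s, -q), (-r, p))
    D = abs(det)
    classes = {
        ((adj[0][0] * u + adj[0][1] * v) % D,
         (adj[1][0] * u + adj[1][1] * v) % D)
        for u in range(D) for v in range(D)
    }
    return len(classes)


if __name__ == "__main__":
    for x in [(2, 0), (3, 0), (1, 1), (1, -1)]:
        print(x, norm(x), is_irreducible(x), ideal_index(x))
```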


Finite fields

At this point we require some information about finite fields. By congruential arithmetic we already know that $\mathbb{Z}/p\mathbb{Z}$ is a field with $p$ elements. Denote its isomorphism class by $\mathbb{F}_p$. We shall soon see that $\mathbb{F}_p$ is the only field with $p$ elements.

If a field $F$ does not contain a subfield isomorphic to $\mathbb{Q}$, then there must exist some positive integer $m$ so that $1 + \cdots + 1 = 0$ with $m$ summands. For otherwise the field contains a subring isomorphic to $\mathbb{Z}$, whose field of fractions is isomorphic to $\mathbb{Q}$. The smallest such $m$ is called the characteristic of the field and is denoted by $\mathrm{char}(F)$. We write $\mathrm{char}(F) = 0$ if $F$ contains a subfield isomorphic to $\mathbb{Q}$. If $F$ has positive characteristic, the characteristic is a prime number $p$. For $m$ has a factorization into primes, thus $0 = 1 + \cdots + 1 = (1 + \cdots + 1) \cdots (1 + \cdots + 1)$ where the first sum of 1-s in $F$ has $m$ terms, and each of the other sums has a prime number of terms. But at least one of these sums must be zero, since $F$ is a field. If $F$ has characteristic $p$, the ring homomorphism $\vartheta : \mathbb{Z} \to F$ defined by $\vartheta(n) = n \cdot 1$ has kernel $\ker(\vartheta) = p\mathbb{Z}$. Thus $\mathrm{im}(\vartheta)$ is isomorphic to $\mathbb{Z}/p\mathbb{Z}$ as a ring. But then $F$ contains a subfield isomorphic to $\mathbb{F}_p$. So if $F$ itself has $p$ elements, it is isomorphic to $\mathbb{F}_p$.

Every finite subgroup $G$ of the multiplicative group $F^\times$ of a field is cyclic. For the structure theorem for finitely generated abelian groups implies that $G \cong (\mathbb{Z}/d_1\mathbb{Z}) \oplus \cdots \oplus (\mathbb{Z}/d_s\mathbb{Z})$ with $d_1 \mid \cdots \mid d_s$. Then $x^{d_s} = 1$ for all $x \in G$, so this equation has at least $|G|$ roots in $F$, hence $d_s \ge |G|$. But then $d_s = |G|$ and $d_1 = \cdots = d_{s-1} = 1$, so $G$ is cyclic.

Up to isomorphism every field is an extension of $\mathbb{Q}$ or $\mathbb{F}_p$ for some prime $p$. In particular every finite field $F$ is a finite extension of $\mathbb{F}_p$ where $p = \mathrm{char}(F)$. Suppose $F/E$ is any finite extension of finite fields. Since $F^\times$ is cyclic, it has a generator $\alpha$, and clearly $F = E(\alpha)$. So finite extensions of finite fields are simple. But the only special property of the field extensions that we used in our proof of the Fundamental Theorem of Galois Theory for finite extensions of number fields was that they are simple. Hence the Fundamental Theorem of Galois Theory holds for finite extensions of finite fields.

The map $\sigma_p : F \to F$ given by $\sigma_p(x) = x^p$ is an endomorphism. This is clear for multiplication and follows for addition by the Binomial Theorem

$$(x + y)^p = x^p + \binom{p}{1}x^{p-1}y + \cdots + \binom{p}{p-1}xy^{p-1} + y^p$$

since the binomial coefficients

$$\binom{p}{1}, \binom{p}{2}, \ldots, \binom{p}{p-1}$$

are divisible by $p$. The map $\sigma_p$ is called the Frobenius endomorphism. Clearly $\sigma_p(1) = 1$. Every nonzero homomorphism between fields is a monomorphism, and since $F$ has finitely many elements, $\sigma_p$ is also an epimorphism, thus an automorphism.


An extension $F/E$ of finite fields has a basis of $n_{F/E}$ elements over $E$, so

$$|F| = |E|^{n_{F/E}}.$$

Choosing $E = \mathbb{F}_p$ in particular, we see that $|F| = p^n$ with $n = n_{F/\mathbb{F}_p}$. Since $E^\times$ has order $|E| - 1$, we have $x^{|E|} = x$ for all $x \in E$. Thus $\sigma_p^m$ with $m = n_{E/\mathbb{F}_p}$ is an automorphism of $F$ over $E$. Supposing $\alpha$ to be a generator of $F^\times$, we have

$$(\sigma_p^m)^k(\alpha) = \alpha^{p^{km}}.$$

But $\alpha$ has order $p^n - 1$, so all these images of $\alpha$ are distinct for $1 \le k \le n_{F/E}$.

This yields as many distinct automorphisms $(\sigma_p^m)^k$ of $F$ over $E$ as the degree of $F/E$, so the extension $F/E$ is normal. Thus the Fundamental Theorem of Galois Theory applies to any extension $F/E$ of finite fields. We also see that $\mathrm{Gal}(F/E) = \langle \sigma_p^m \rangle \cong \mathbb{Z}/n_{F/E}\mathbb{Z}$ so the Galois group of an extension of finite fields is cyclic, with a canonical generator given in terms of the Frobenius endomorphism.
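An added example, not part of the original text, that checks the statements above in a concrete field with 27 elements: F^× is cyclic, the Frobenius map is additive, and the powers σ_p^k move a generator α to n distinct conjugates before returning to α. The class and function names, and the choice of modulus x³ + 2x + 1 over F_3 (irreducible because it is a cubic with no root in F_3), are assumptions made for this illustration.

```python
from itertools import product


class FiniteField:
    """F_p[x]/(f) for a monic irreducible f; an element is the tuple of its
    n coefficients, lowest degree first."""

    def __init__(self, p, modulus):
        if modulus[-1] != 1:
            raise ValueError("modulus must be monic")
        self.p, self.f, self.n = p, tuple(modulus), len(modulus) - 1
        self.zero = (0,) * self.n
        self.one = (1,) + (0,) * (self.n - 1)

    def elements(self):
        return list(product(range(self.p), repeat=self.n))

    def add(self, u, v):
        return tuple((a + b) % self.p for a, b in zip(u, v))

    def mul(self, u, v):
        # Schoolbook product, then reduction modulo the monic polynomial f.
        acc = [0] * (2 * self.n - 1)
        for i, a in enumerate(u):
            for j, b in enumerate(v):
                acc[i + j] = (acc[i + j] + a * b) % self.p
        for deg in range(2 * self.n - 2, self.n - 1, -1):
            c = acc[deg]
            for i in range(self.n + 1):
                k = deg - self.n + i
                acc[k] = (acc[k] - c * self.f[i]) % self.p
        return tuple(acc[: self.n])

    def power(self, u, e):
        result = self.one
        while e:
            if e & 1:
                result = self.mul(result, u)
            u = self.mul(u, u)
            e >>= 1
        return result

    def frobenius(self, u):
        """sigma_p(u) = u^p."""
        return self.power(u, self.p)

    def order(self, u):
        """Multiplicative order of u, or 0 if no power of u equals 1."""
        w = u
        for k in range(1, self.p ** self.n):
            if w == self.one:
                return k
            w = self.mul(w, u)
        return 0


def multiplicative_generator(F):
    """First element of order p^n - 1; it exists exactly when F is a field."""
    target = F.p ** F.n - 1
    for u in F.elements():
        if u != F.zero and F.order(u) == target:
            return u
    raise ValueError("no generator found: modulus is not irreducible")


def frobenius_orbit(F, alpha):
    """[sigma_p^k(alpha) for k = 1..n], the conjugates of alpha over F_p."""
    orbit, w = [], alpha
    for _ in range(F.n):
        w = F.frobenius(w)
        orbit.append(w)
    return orbit


if __name__ == "__main__":
    F = FiniteField(3, (1, 2, 0, 1))        # x^3 + 2x + 1 over F_3
    g = multiplicative_generator(F)
    print(g, F.order(g), frobenius_orbit(F, g))
```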

We now prove that $\mathbb{F}_p$ has at most one extension of each degree up to isomorphism. If $E = \mathbb{F}_p(\alpha)$ and $F = \mathbb{F}_p(\beta)$ are finite extensions of $\mathbb{F}_p$, then the field $\mathbb{F}_p(\alpha, \beta)$ may be constructed by means of the minimal polynomial of $\beta$ over $E$, and $E$ and $F$ are both subfields of the finite field $\mathbb{F}_p(\alpha, \beta)$. The Galois group of the extension $\mathbb{F}_p(\alpha, \beta)/\mathbb{F}_p$ is isomorphic to $\mathbb{Z}/n\mathbb{Z}$ where $n$ is the degree of the extension. The latter group has a single subgroup of order $d$ for each $d \mid n$ and no other subgroups, so the extension $\mathbb{F}_p(\alpha, \beta)/\mathbb{F}_p$ has a single intermediate field of degree $d$ for each $d \mid n$ by the Fundamental Theorem of Galois Theory. Thus $E$ and $F$ are equal if they have the same number of elements, and finite fields with the same number of elements must be isomorphic.

It remains to show that there exists a finite field with $p^n$ elements for every integer $n \ge 1$. For this purpose it will be enough to establish the existence of an irreducible polynomial over $\mathbb{F}_p$ of each degree $n$. Define $N_p(n)$ to be the number of monic irreducible polynomials of degree $n$ over $\mathbb{F}_p$. Following Gauss we calculate $N_p(n)$, and show that it is always positive. This will complete our brief account of finite fields.

We begin by establishing the result

$$\gcd(x^a - 1, x^b - 1) = x^{\gcd(a,b)} - 1$$

from polynomial algebra. The formula is trivial if $a = b = 1$ or $a = b$, so we may assume that $a < b$ and prove it by induction on $b$. We have

$$\begin{aligned}
\gcd(x^a - 1, x^b - 1) &= \gcd(x^a - 1,\; x^{b-a}(x^a - 1) + x^{b-a} - 1) \\
&= \gcd(x^a - 1, x^{b-a} - 1) = x^{\gcd(a,b-a)} - 1 \\
&= x^{\gcd(a,b)} - 1
\end{aligned}$$

by the induction hypothesis, since $b - a < b$.

Fix the prime $p$ and let $V_{d,p}(x)$ denote the product of the monic irreducible polynomials over $\mathbb{F}_p$ of degree $d$. Let $f(x)$ be one of these polynomials and assume that $d \mid n$. Let $\alpha$ be a root of $f(x)$. Since there are $p^d - 1$ elements of $\mathbb{F}_p(\alpha)^\times$, we have $\alpha^{p^d} = \alpha$, and thus $f(x)$ divides $x^{p^d} - x$. Now

$$\begin{aligned}
\gcd(x^{p^d} - x, x^{p^n} - x) &= x \cdot \gcd(x^{p^d - 1} - 1, x^{p^n - 1} - 1) = x\,(x^{\gcd(p^d - 1,\, p^n - 1)} - 1) \\
&= x\,(x^{p^{\gcd(d,n)} - 1} - 1) = x^{p^d} - x
\end{aligned}$$

on applying the above result in polynomial algebra twice. We conclude that if $d \mid n$, then every monic irreducible polynomial over $\mathbb{F}_p$ of degree $d$ divides $x^{p^n} - x$.

On the other hand, none of these irreducible polynomials divide $x^{p^n} - x$ to a higher power than the first. For

$$\frac{d}{dx}\left(x^{p^n} - x\right) = p^n x^{p^n - 1} - 1$$

so that $x^{p^n} - x$ has no multiple zeros in any field of characteristic $p$. For the derivative is constant, and equal to $-1$, in any such field.

If $f(x)$ is an irreducible divisor of $x^{p^n} - x$ of degree $d$ and $\alpha$ a root of $f(x)$, then $\alpha^{p^n} = \alpha$. An arbitrary element $\beta$ of $\mathbb{F}_p(\alpha)$ is a polynomial in $\alpha$ with coefficients in $\mathbb{F}_p$, and so $\sigma_p^n(\beta) = \beta$ since $\sigma_p$ is an automorphism over $\mathbb{F}_p$ and $\alpha^{p^n} = \alpha$. Thus every element $\beta$ of $\mathbb{F}_p(\alpha)$ is a root of $x^{p^n} - x$. On the other hand $\mathbb{F}_p(\alpha)$ has $p^d$ elements, so

$$(x^{p^d} - x) \mid (x^{p^n} - x),$$

because $x^{p^d} - x$ is the product of the linear factors $x - \beta$ with $\beta \in \mathbb{F}_p(\alpha)$. Consequently $d \mid n$ by the above result from polynomial algebra.

The above conclusions imply that

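$$x^{p^n} - x = \prod_{d \mid n} V_{d,p}(x)$$

and a comparison of degrees yields

$$p^n = \sum_{d \mid n} d\,N_p(d).$$

Then

$$N_p(n) = \frac{1}{n} \sum_{d \mid n} \mu\!\left(\frac{n}{d}\right) p^d$$

by Möbius inversion. And

$$\left| N_p(n) - \frac{p^n}{n} \right| \le \frac{p^{n/2}}{n(p-1)}$$

since $d \mid n$ and $d \ne n$ implies $d \le n/2$. In particular $N_p(n) > 0$ for all primes $p$ and positive integers $n$.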
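The counting argument above can be checked numerically. The following Python sketch is an added example, not part of the original summary: it evaluates the Möbius formula for $N_p(n)$, counts monic irreducible polynomials by brute-force trial division, and confirms that an irreducible polynomial of degree $d$ divides $x^{p^n} - x$ exactly when $d \mid n$. All function names are chosen here for illustration.

```python
from itertools import product


def mobius(n):
    """Moebius function mu(n), by trial factorisation."""
    result, q = 1, 2
    while q * q <= n:
        if n % q == 0:
            n //= q
            if n % q == 0:          # q^2 divides the original n
                return 0
            result = -result
        q += 1
    return -result if n > 1 else result


def count_irreducible(p, n):
    """N_p(n) = (1/n) * sum over d | n of mu(n/d) * p^d."""
    total = sum(mobius(n // d) * p ** d for d in range(1, n + 1) if n % d == 0)
    assert total % n == 0
    return total // n


# Polynomials over F_p are coefficient lists, lowest degree first.
def poly_mod(a, f, p):
    """Remainder of a modulo the monic polynomial f, padded to deg(f) entries."""
    a = [c % p for c in a]
    n = len(f) - 1
    for i in range(len(a) - 1, n - 1, -1):
        c = a[i]
        if c:
            for j in range(n + 1):
                a[i - n + j] = (a[i - n + j] - c * f[j]) % p
    return a[:n] + [0] * (n - len(a))


def poly_mulmod(a, b, f, p):
    """Product of a and b reduced modulo f over F_p."""
    prod = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            prod[i + j] = (prod[i + j] + x * y) % p
    return poly_mod(prod, f, p)


def monic_polys(p, d):
    """All monic polynomials of degree d over F_p."""
    for low in product(range(p), repeat=d):
        yield list(low) + [1]


def is_irreducible(f, p):
    """Trial division by every monic polynomial of degree <= deg(f)/2."""
    n = len(f) - 1
    for d in range(1, n // 2 + 1):
        for g in monic_polys(p, d):
            if not any(poly_mod(f, g, p)):
                return False
    return True


def divides_xq_minus_x(f, p, n):
    """True iff f divides x^(p^n) - x, i.e. sigma_p^n fixes x in F_p[x]/(f)."""
    x = poly_mod([0, 1], f, p)
    r = x
    for _ in range(n):              # one Frobenius step: r -> r^p
        acc, base, e = poly_mod([1], f, p), r, p
        while e:
            if e & 1:
                acc = poly_mulmod(acc, base, f, p)
            base = poly_mulmod(base, base, f, p)
            e >>= 1
        r = acc
    return r == x


def check(p, n):
    """Brute-force counts for degrees 1..n, with the page's identities asserted."""
    counts = {}
    for d in range(1, n + 1):
        irreducibles = [f for f in monic_polys(p, d) if is_irreducible(f, p)]
        counts[d] = len(irreducibles)
        for f in irreducibles:
            # irreducible f of degree d divides x^(p^n) - x  iff  d | n
            assert divides_xq_minus_x(f, p, n) == (n % d == 0)
    # comparison of degrees: p^n = sum over d | n of d * N_p(d)
    assert p ** n == sum(d * counts[d] for d in counts if n % d == 0)
    return counts


if __name__ == "__main__":
    for p, n in [(2, 6), (3, 4), (5, 2)]:
        counts = check(p, n)
        assert all(counts[d] == count_irreducible(p, d) for d in counts)
        print(p, n, counts)
```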


Decomposition and ramification

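We consider the decomposition of prime ideals in extensions $K/k$ of number fields. If $\mathfrak{p}$ is a nonzero prime ideal of $\mathcal{O}_k$, the extension $\mathfrak{p}\mathcal{O}_K$ in $\mathcal{O}_K$ generated by $\mathfrak{p}$ may not be a prime ideal, but it can be factored as a product

$$\mathfrak{p}\mathcal{O}_K = \prod_{j=1}^{g} \mathfrak{P}_j^{e_j}$$

of powers of prime ideals $\mathfrak{P}_j$ of $\mathcal{O}_K$. We say that the $\mathfrak{P}_j$ lie over $\mathfrak{p}$ in $K/k$. The $\mathfrak{P}_j$ in the factorization are precisely those prime ideals $\mathfrak{P}$ for which $\mathfrak{P} \cap \mathcal{O}_k = \mathfrak{p}$. For if $\mathfrak{P} \cap \mathcal{O}_k = \mathfrak{p}$ then $\mathfrak{p}\mathcal{O}_k \subseteq \mathfrak{P}$, so $\mathfrak{P}$ divides $\mathfrak{p}\mathcal{O}_K$, and must be one of the $\mathfrak{P}_j$. While $\mathfrak{P}_j \cap \mathcal{O}_k \supseteq \mathfrak{p}\mathcal{O}_K \cap \mathcal{O}_k = \mathfrak{p}$, so $\mathfrak{P}_j \cap \mathcal{O}_k = \mathfrak{p}$ since $\mathfrak{p}$ is a maximal ideal. In particular a prime ideal $\mathfrak{P}$ in $\mathcal{O}_K$ cannot lie over more than one prime ideal in $\mathcal{O}_k$, and in fact every nonzero prime ideal $\mathfrak{P}$ of $\mathcal{O}_K$ lies over exactly one nonzero prime ideal in $\mathcal{O}_k$. For the ideal $\mathfrak{P} \cap \mathcal{O}_k$ is nonzero, since it contains the positive integer $N(\mathfrak{P})$. And it is a prime ideal in $\mathcal{O}_k$, for if $\alpha, \beta \in \mathcal{O}_k$ with $\alpha\beta \in \mathfrak{P} \cap \mathcal{O}_k$, then $\alpha\beta \in \mathfrak{P}$ implies $\alpha \in \mathfrak{P}$ or $\beta \in \mathfrak{P}$ since $\mathfrak{P}$ is a prime ideal. Moreover, there is at least one nonzero prime ideal $\mathfrak{P}$ of $\mathcal{O}_K$ over every nonzero prime ideal $\mathfrak{p}$ of $\mathcal{O}_k$. For $\mathfrak{p}\mathcal{O}_K \ne \mathcal{O}_K$ since equality would yield $\mathcal{O}_K = \mathfrak{p}^{-1}\mathfrak{p}\mathcal{O}_K = \mathfrak{p}^{-1}\mathcal{O}_K$, and $\mathfrak{p}^{-1}$ contains an element of $k$ that is not an algebraic integer, as we saw during the discussion of the inverse of a prime ideal.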

The finite field $\mathcal{O}_K/\mathfrak{P}_j$ may be viewed as an extension of $\mathcal{O}_k/\mathfrak{p}$, for the map $\alpha + \mathfrak{p} \mapsto \alpha + \mathfrak{P}_j$ is well defined by the inclusions $\mathfrak{p} \subseteq \mathfrak{p}\mathcal{O}_K \subseteq \mathfrak{P}_j$, and it is obviously a homomorphism, thus a monomorphism since $\mathcal{O}_k/\mathfrak{p}$ and $\mathcal{O}_K/\mathfrak{P}_j$ are fields. The degree of $\mathcal{O}_K/\mathfrak{P}_j$ over $\mathcal{O}_k/\mathfrak{p}$ is denoted $f_j$ and is called the residue class degree of $\mathfrak{P}_j$ over $\mathfrak{p}$. We shall allow ourselves to use the notation $\deg(\mathfrak{p})$ for the residue class degree of $\mathfrak{p}$ over the rational prime that $\mathfrak{p}$ lies over. The exponent $e_j$ is called the ramification index of $\mathfrak{P}_j$ over $\mathfrak{p}$. If at least one ramification index is larger than one, the prime ideal $\mathfrak{p}$ is said to be ramified in the extension, otherwise it is unramified. An unramified prime ideal $\mathfrak{p}$ remains inert in the extension if $\mathfrak{p}\mathcal{O}_K$ is a prime ideal, otherwise it splits. It splits completely if all the residue class degrees equal one.

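The residue class rings $\mathcal{O}_K/\mathfrak{p}\mathcal{O}_K$ and $\mathcal{O}_K/\mathfrak{P}_j^{e_j}$ are vector spaces over the finite field $\mathcal{O}_k/\mathfrak{p}$. We establish the second statement; the first goes in the same way. The multiplication

$$(\alpha + \mathfrak{p})(\beta + \mathfrak{P}_j^{e_j}) = \alpha\beta + \mathfrak{P}_j^{e_j}, \qquad \alpha \in \mathcal{O}_k,\ \beta \in \mathcal{O}_K$$

is well defined. For if $\alpha - \alpha' \in \mathfrak{p}$ and $\beta - \beta' \in \mathfrak{P}_j^{e_j}$, then

$$\alpha\beta - \alpha'\beta' = \alpha(\beta - \beta') + (\alpha - \alpha')\beta' \in \mathfrak{P}_j^{e_j}$$

since $\mathfrak{P}_j^{e_j}$ contains $\mathfrak{p}\mathcal{O}_K$.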

Now

$$\mathcal{O}_K/\mathfrak{p}\mathcal{O}_K = \mathcal{O}_K \Big/ \prod_{j=1}^{g} \mathfrak{P}_j^{e_j} \cong \bigoplus_{j=1}^{g} \left(\mathcal{O}_K/\mathfrak{P}_j^{e_j}\right)$$

by the Chinese Remainder Theorem for ideals, so

$$\dim(\mathcal{O}_K/\mathfrak{p}\mathcal{O}_K) = \sum_{j=1}^{g} \dim\left(\mathcal{O}_K/\mathfrak{P}_j^{e_j}\right),$$

where the dimensions are over $\mathcal{O}_k/\mathfrak{p}$. From our discussion of the absolute norm we have

$$|\mathcal{O}_K/\mathfrak{P}_j^{e_j}| = |\mathcal{O}_K/\mathfrak{P}_j|^{e_j} = |\mathcal{O}_k/\mathfrak{p}|^{e_j f_j},$$

and thus

$$\dim\left(\mathcal{O}_K/\mathfrak{P}_j^{e_j}\right) = e_j f_j.$$

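We shall show that $\dim(\mathcal{O}_K/\mathfrak{p}\mathcal{O}_K) = n = n_{K/k}$, but this requires a little more work. Firstly any $n+1$ elements of $\mathcal{O}_K/\mathfrak{p}\mathcal{O}_K$ are linearly dependent over $\mathcal{O}_k/\mathfrak{p}$. For any $n+1$ elements $\beta_1, \ldots, \beta_{n+1} \in \mathcal{O}_K$ there are $\alpha_1, \ldots, \alpha_{n+1} \in \mathcal{O}_k$, not all zero, such that

$$\alpha_1\beta_1 + \cdots + \alpha_{n+1}\beta_{n+1} = 0.$$

The ideal $\mathfrak{a} = (\alpha_1, \ldots, \alpha_{n+1})$ in $\mathcal{O}_k$ is nonzero, so the inverse $\mathfrak{a}^{-1}$ exists and $\mathfrak{a}^{-1}\mathfrak{a} = \mathcal{O}_k$. Thus there exists some $\gamma \in \mathfrak{a}^{-1}$ with $\gamma\mathfrak{a} \nsubseteq \mathfrak{p}$, which implies that $\gamma\alpha_j \notin \mathfrak{p}$ for some $j$ with $1 \le j \le n+1$. Then

$$(\gamma\alpha_1 + \mathfrak{p})(\beta_1 + \mathfrak{p}\mathcal{O}_K) + \cdots + (\gamma\alpha_{n+1} + \mathfrak{p})(\beta_{n+1} + \mathfrak{p}\mathcal{O}_K) = \mathfrak{p}\mathcal{O}_K$$

with not all $\gamma\alpha_j + \mathfrak{p}$ zero in $\mathcal{O}_k/\mathfrak{p}\mathcal{O}_k$, and the linear dependence is proved.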

Next we show that if $\beta_1 + \mathfrak{p}\mathcal{O}_K, \ldots, \beta_m + \mathfrak{p}\mathcal{O}_K$ span $\mathcal{O}_K/\mathfrak{p}\mathcal{O}_K$ over $\mathcal{O}_k/\mathfrak{p}$, then $\beta_1, \ldots, \beta_m$ span $K$ over $k$. For this purpose it is convenient to make use of the concept of module. An $R$-module $M$ is an abelian group under addition acted on multiplicatively by a ring $R$ such that $r(a+b) = ra + rb$, $(r+s)a = ra + sa$, $(rs)a = r(sa)$ and $1 \cdot a = a$ for $a, b \in M$ and $r, s \in R$. We consider only the case where the ring $R$ is commutative with 1, though the module concept is also extremely important for noncommutative rings. From our point of view the most illuminating examples of modules over a ring are its ideals, i.e. the modules over the ring that are contained in the ring.

Define an $\mathcal{O}_k$-module $M$ by $M = \mathcal{O}_k\beta_1 + \cdots + \mathcal{O}_k\beta_m$, and a factor module $N = \mathcal{O}_K/M$, noting that $M$ is a submodule of the $\mathcal{O}_k$-module $\mathcal{O}_K$. We already know from the discussion leading up to unique factorization of ideals into prime ideals that $\mathcal{O}_K$ is finitely generated over $\mathbb{Z}$, so it is certainly finitely generated over $\mathcal{O}_k$. Any factor module of a finitely generated module is finitely generated, since the images of a set of generators under the quotient map are a set of generators, and thus $N$ is finitely generated over $\mathcal{O}_k$. We now make use of the assumption on $\beta_1, \ldots, \beta_m$, obtaining

$$\begin{aligned}
M + \mathfrak{p}\mathcal{O}_K &= \mathcal{O}_k\beta_1 + \cdots + \mathcal{O}_k\beta_m + \mathfrak{p}\mathcal{O}_K \\
&= (\mathcal{O}_k + \mathfrak{p})(\beta_1 + \mathfrak{p}\mathcal{O}_K) + \cdots + (\mathcal{O}_k + \mathfrak{p})(\beta_m + \mathfrak{p}\mathcal{O}_K) + \mathfrak{p}\mathcal{O}_K = \mathcal{O}_K
\end{aligned}$$

and thus $N = \mathfrak{p}N$. This implies that if $\alpha_1, \ldots, \alpha_l$ generate $N$, then

$$\alpha_i = \sum_{j=1}^{l} a_{ij}\alpha_j$$

with $a_{ij} \in \mathfrak{p}$. Defining a matrix $A = I - [a_{ij}]_{1 \le i,j \le l}$ we have $A[\alpha_1 \ldots \alpha_l]^t = 0$, and

$$0 = \mathrm{adj}(A)A[\alpha_1 \ldots \alpha_l]^t = \det(A)I[\alpha_1 \ldots \alpha_l]^t = [\det(A)\alpha_1 \ldots \det(A)\alpha_l]^t,$$

with $\mathrm{adj}(A)$ the adjugate matrix of $A$. Thus $\det(A)N = 0$ and $\det(A)\mathcal{O}_K \subseteq M$. Now

$$\det(A) = \det(I - [a_{ij}]_{1 \le i,j \le l}) \equiv 1 \pmod{\mathfrak{p}}$$

because all terms in the expansion of $\det(A)$ are in $\mathfrak{p}$ with the exception of the term corresponding to the entries on the main diagonal of the $l \times l$ matrix $I$, so $\det(A) \ne 0$. Then

$$K = \det(A)K = \det(A)\mathcal{O}_K k \subseteq (\mathcal{O}_k\beta_1 + \cdots + \mathcal{O}_k\beta_m)k = k\beta_1 + \cdots + k\beta_m,$$

so $\beta_1, \ldots, \beta_m$ span $K$ over $k$. Hence $\dim(\mathcal{O}_K/\mathfrak{p}\mathcal{O}_K) = n_{K/k}$ and the fundamental identity

$$n = e_1 f_1 + \cdots + e_g f_g$$

follows. This identity implies a very important bound: The number of prime ideals of $\mathcal{O}_K$ lying above any prime ideal of $\mathcal{O}_k$ is bounded by $n_{K/k}$. We could however have obtained this bound with less work if we had not sought the full identity.

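If $K/k$ is an extension of number fields, $\mathfrak{p}$ a prime ideal of $\mathcal{O}_k$ and $\mathfrak{P}$ a prime ideal of $\mathcal{O}_K$, we denote by $e(\mathfrak{P}|\mathfrak{p})$ and $f(\mathfrak{P}|\mathfrak{p})$ respectively the ramification index and residue class degree of $\mathfrak{P}$ in $K/k$. Suppose that $L/K/k$ is a tower of extensions of number fields, $\mathfrak{p}$ a prime ideal of $\mathcal{O}_k$, $\mathfrak{P}$ a prime ideal of $\mathcal{O}_K$ lying above $\mathfrak{p}$, and $\mathfrak{Q}$ a prime ideal of $\mathcal{O}_L$ lying above $\mathfrak{P}$. Then the tower laws

$$e(\mathfrak{Q}|\mathfrak{p}) = e(\mathfrak{Q}|\mathfrak{P})\,e(\mathfrak{P}|\mathfrak{p})$$

$$f(\mathfrak{Q}|\mathfrak{p}) = f(\mathfrak{Q}|\mathfrak{P})\,f(\mathfrak{P}|\mathfrak{p})$$

hold. For the first law, $\mathfrak{P}$ divides $\mathfrak{p}\mathcal{O}_K$ to the $e(\mathfrak{P}|\mathfrak{p})$-th power and $\mathfrak{Q}$ divides $\mathfrak{P}\mathcal{O}_L$ to the $e(\mathfrak{Q}|\mathfrak{P})$-th power, so $\mathfrak{Q}$ divides $\mathfrak{p}\mathcal{O}_L$ to at least the $e(\mathfrak{Q}|\mathfrak{P})e(\mathfrak{P}|\mathfrak{p})$-th power. Writing

$$\mathfrak{p}\mathcal{O}_K = \mathfrak{P}^{e(\mathfrak{P}|\mathfrak{p})}\mathfrak{N}$$

with $\mathfrak{P} \nmid \mathfrak{N}$, we see that

$$\mathfrak{Q} \mid \mathfrak{N}\mathcal{O}_L \implies \mathfrak{Q} \cap \mathcal{O}_K \supseteq \mathfrak{N}\mathcal{O}_L \cap \mathcal{O}_K \implies \mathfrak{P} \supseteq \mathfrak{N} \implies \mathfrak{P} \mid \mathfrak{N}.$$

Thus $\mathfrak{Q}$ divides $\mathfrak{p}\mathcal{O}_L$ to at most the $e(\mathfrak{Q}|\mathfrak{P})e(\mathfrak{P}|\mathfrak{p})$-th power. The second law follows from the multiplicativity of degree in towers of extensions, applied to $(L/\mathfrak{Q})/(K/\mathfrak{P})/(k/\mathfrak{p})$.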

For the rest of this section we make a standing assumption that $K/k$ is a normal extension of number fields. Then the decomposition theory of prime ideals simplifies a good deal. The key fact is that for a normal extension the Galois group acts transitively on the prime ideals lying above a fixed prime ideal.


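If $\mathfrak{A}$ is an ideal of $\mathcal{O}_K$ and $\sigma \in G = \mathrm{Gal}(K/k)$, then $\sigma\mathfrak{A}$ is also an ideal of $\mathcal{O}_K$, for $\sigma$ is an epimorphism. Moreover $\mathcal{O}_K/\sigma\mathfrak{A} = \sigma\mathcal{O}_K/\sigma\mathfrak{A} \cong \mathcal{O}_K/\mathfrak{A}$ since $\sigma$ is an isomorphism. So the elements of the Galois group take prime ideals to prime ideals, for $\mathfrak{A}$ is a prime ideal if and only if $\mathcal{O}_K/\mathfrak{A}$ is an integral domain.

We show that the Galois group of $K/k$ acts transitively on the prime ideals of $\mathcal{O}_K$ lying above a prime ideal in $\mathcal{O}_k$. If $\mathfrak{P}$ lies above $\mathfrak{p}$ and $\sigma \in G$, then $(\sigma\mathfrak{P}) \cap \mathcal{O}_k = \sigma(\mathfrak{P} \cap \mathcal{O}_k) = \sigma\mathfrak{p} = \mathfrak{p}$, for $\sigma$ restricts to the identity on $\mathcal{O}_k$. Thus the Galois group acts on the set of prime ideals lying above $\mathfrak{p}$. It remains to show that the action is transitive. Suppose $\mathfrak{P}_0$ and $\mathfrak{P}_1$ are distinct prime ideals lying above $\mathfrak{p}$ but that $\mathfrak{P}_0$ is not an image of $\mathfrak{P}_1$ under the action of the Galois group on prime ideals. By the Chinese Remainder Theorem for ideals, there exists some $\alpha \in \mathcal{O}_K$ such that $\alpha \equiv 0 \pmod{\mathfrak{P}_0}$ and $\alpha \equiv 1 \pmod{\sigma\mathfrak{P}_1}$ for $\sigma \in G$. Now

$$N_{K/k}(\alpha) = \prod_{\sigma \in G} \sigma(\alpha) \equiv 0 \pmod{\mathfrak{P}_0}$$

while $N_{K/k}(\alpha) \in \mathcal{O}_k$, so that $N_{K/k}(\alpha) \in \mathfrak{P}_0 \cap \mathcal{O}_k = \mathfrak{p}$. Then $N_{K/k}(\alpha) \in \mathfrak{P}_1$ since $\mathfrak{P}_1$ lies above $\mathfrak{p}$. But this implies that $\sigma(\alpha) \in \mathfrak{P}_1$ for some $\sigma \in G$ since $\mathfrak{P}_1$ is a prime ideal, which leads to a contradiction, for $\alpha \in \sigma^{-1}\mathfrak{P}_1$ while $\alpha \equiv 1 \pmod{\sigma^{-1}\mathfrak{P}_1}$.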

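Since the Galois group acts transitively on the prime ideals $\mathfrak{P}_j$ lying above $\mathfrak{p}$, the quotients $\mathcal{O}_K/\mathfrak{P}_j$ are isomorphic, thus the residue class degrees $f_j$ are equal, say $f_j = f$ for all $j$. Furthermore

$$\prod_{j=1}^{g} \mathfrak{P}_j^{e_j} = \mathfrak{p}\mathcal{O}_K = \sigma(\mathfrak{p})\mathcal{O}_K = \sigma(\mathfrak{p}\mathcal{O}_K) = \sigma\Big(\prod_{j=1}^{g} \mathfrak{P}_j^{e_j}\Big) = \prod_{j=1}^{g} \sigma(\mathfrak{P}_j)^{e_j}$$

for each $\sigma \in G$, since $\sigma$ restricts to the identity on $\mathcal{O}_k$. Then uniqueness of factorization into powers of prime ideals implies that the ramification indices $e_j$ are equal, say $e_j = e$, since $G$ acts transitively on the prime ideals lying above $\mathfrak{p}$. So finally we see that

$$n = efg$$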

when $K/k$ is a normal extension of number fields.

Consider a normal extension $K/k$ of number fields, with Galois group $G = \mathrm{Gal}(K/k)$, and a nonzero prime ideal $\mathfrak{P}$ of $\mathcal{O}_K$. Then

$$Z_{\mathfrak{P}} \overset{\mathrm{def}}{=} \{\sigma \in G \mid \sigma\mathfrak{P} = \mathfrak{P}\}$$

is the decomposition group of $\mathfrak{P}$ in the extension $K/k$. Considering the action of $G$ on the set of prime ideals lying above $\mathfrak{P} \cap \mathcal{O}_k$, the orbit-stabilizer theorem shows that $|Z_{\mathfrak{P}}| = ef$, for by the transitivity there is only a single orbit, which has $g$ elements. Moreover

$$\varphi \in Z_{\sigma\mathfrak{P}} \iff \varphi\sigma\mathfrak{P} = \sigma\mathfrak{P} \iff \sigma^{-1}\varphi\sigma\mathfrak{P} = \mathfrak{P} \iff \sigma^{-1}\varphi\sigma \in Z_{\mathfrak{P}},$$

so $Z_{\sigma\mathfrak{P}} = \sigma Z_{\mathfrak{P}}\sigma^{-1}$ for $\sigma \in G$. The ideal $\sigma\mathfrak{P}$ is said to be conjugate to the ideal $\mathfrak{P}$. Recall that $\mathcal{O}_K/\mathfrak{P}$ may be regarded as an extension of $\mathcal{O}_k/\mathfrak{p}$. Since each automorphism $\sigma$ in $Z_{\mathfrak{P}}$ preserves $\mathfrak{P}$, it induces an automorphism $\tilde\sigma$ of $\mathcal{O}_K/\mathfrak{P}$. This automorphism fixes $\mathcal{O}_k/\mathfrak{p}$ pointwise since $\sigma$ fixes $k$ pointwise. Thus $\tilde\sigma$ is an element of the Galois group $\mathrm{Gal}((\mathcal{O}_K/\mathfrak{P})/(\mathcal{O}_k/\mathfrak{p}))$.

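Theorem of Frobenius. The mapping

$$Z_{\mathfrak{P}} \to \mathrm{Gal}((\mathcal{O}_K/\mathfrak{P})/(\mathcal{O}_k/\mathfrak{p}))$$

given by $\sigma \mapsto \tilde\sigma$ is an epimorphism.

Proof. Since

$$\widetilde{(\sigma + \tau)}(\alpha + \mathfrak{P}) = (\sigma + \tau)\alpha + \mathfrak{P} = \sigma\alpha + \mathfrak{P} + \tau\alpha + \mathfrak{P} = \tilde\sigma(\alpha + \mathfrak{P}) + \tilde\tau(\alpha + \mathfrak{P})$$

and

$$\widetilde{(\sigma\tau)}(\alpha + \mathfrak{P}) = \sigma\tau\alpha + \mathfrak{P} = \sigma\tau\alpha + \sigma\mathfrak{P} + \mathfrak{P} = \sigma(\tau\alpha + \mathfrak{P}) + \mathfrak{P} = \tilde\sigma\tilde\tau(\alpha + \mathfrak{P}),$$

the mapping $\sigma \mapsto \tilde\sigma$ is a homomorphism. It remains to show that it is onto.

Finite extensions of finite fields are simple, so there exists some element $\beta + \mathfrak{P} \in \mathcal{O}_K/\mathfrak{P}$ so that $\mathcal{O}_K/\mathfrak{P} = (\mathcal{O}_k/\mathfrak{p})(\beta + \mathfrak{P})$. If $F$ is the fixed field of $G_{\mathfrak{P}}$, $K/F$ is normal since $K/k$ was assumed normal. Thus all the conjugates of $\beta$ over $F$ are in $K$, so the minimal polynomial $m(x)$ of $\beta$ over $F$ factors as

$$m(x) = \prod_{\sigma \in Z_{\mathfrak{P}}} (x - \sigma\beta).$$

Reducing this polynomial modulo $\mathfrak{P}$ we obtain

$$\bar m(x) = \prod_{\sigma \in Z_{\mathfrak{P}}} (x - \tilde\sigma(\beta + \mathfrak{P})),$$

and note that the coefficients of $\bar m(x)$ are in $F/(\mathfrak{P} \cap F)$.

Now $Z_{\mathfrak{P}}$ is transitive on the prime ideals above $\mathfrak{P} \cap F$ while the elements of $Z_{\mathfrak{P}}$ fix $\mathfrak{P}$, so $\mathfrak{P}$ is the only prime ideal of $\mathcal{O}_K$ extending $\mathfrak{P} \cap F$. Thus $n_{K/F} = e(\mathfrak{P}|\mathfrak{P} \cap F)\,f(\mathfrak{P}|\mathfrak{P} \cap F)$. Moreover $g$ equals the number of distinct prime ideals $\mathfrak{P}_j$ dividing $\mathfrak{p}\mathcal{O}_K$. If $\sigma, \tau \in G$ then

$$\sigma Z_{\mathfrak{P}_j} = \tau Z_{\mathfrak{P}_j} \iff \sigma^{-1}\tau Z_{\mathfrak{P}_j} = Z_{\mathfrak{P}_j} \iff \sigma^{-1}\tau\mathfrak{P}_j = \mathfrak{P}_j \iff \sigma\mathfrak{P}_j = \tau\mathfrak{P}_j$$

for each of these prime ideals $\mathfrak{P}_j$. So $g$ equals the index of $G_{\mathfrak{P}}$ in $G$ and thus $g = n_{F/k}$ by Galois theory. But then $n_{K/k} = n_{K/F}n_{F/k}$ and $n_{K/k} = efg$ implies that $n_{K/F} = ef$, so the tower laws show that $e(\mathfrak{P} \cap F|\mathfrak{p})\,f(\mathfrak{P} \cap F|\mathfrak{p}) = 1$. In particular $F/(\mathfrak{P} \cap F) = k/\mathfrak{p}$, and so $\bar m(x)$ has coefficients in $k/\mathfrak{p}$.

The minimal polynomial of $\beta + \mathfrak{P}$ over $k/\mathfrak{p}$ divides $\bar m(x)$, so each conjugate of $\beta + \mathfrak{P}$ over $k/\mathfrak{p}$ is of the form $\tilde\sigma(\beta + \mathfrak{P}) = \sigma\beta + \mathfrak{P}$ for some $\sigma \in Z_{\mathfrak{P}}$. But the elements of $\mathrm{Gal}((\mathcal{O}_K/\mathfrak{P})/(\mathcal{O}_k/\mathfrak{p}))$ are determined by their action on $\beta + \mathfrak{P}$. So each such element is of the form $\tilde\sigma$ for some $\sigma \in G_{\mathfrak{P}}$.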


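The kernel

$$T_{\mathfrak{P}} \overset{\mathrm{def}}{=} \ker(\sigma \mapsto \tilde\sigma)$$

of the epimorphism is called the inertia group of $\mathfrak{P}$ in the extension $K/k$. Reduction modulo $\mathfrak{P}$ gives a canonical isomorphism

$$Z_{\mathfrak{P}}/T_{\mathfrak{P}} \to \mathrm{Gal}((\mathcal{O}_K/\mathfrak{P})/(\mathcal{O}_k/\mathfrak{p})).$$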

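Consider a tower $L/K/k$ of normal extensions of number fields. Any element $\sigma \in \mathrm{Gal}(L/k)$ restricts to an element of $\mathrm{Gal}(K/k)$. For $\sigma(K) = K$ since $K/k$ is normal. Suppose that $\sigma \in Z_{\mathfrak{Q}}$ with $\mathfrak{Q}$ a prime ideal of $\mathcal{O}_L$ lying above a prime ideal $\mathfrak{P}$ of $\mathcal{O}_K$. Then $\mathfrak{P}\mathcal{O}_L \subseteq \mathfrak{Q}$, so $\sigma\mathfrak{P}\mathcal{O}_L \subseteq \sigma\mathfrak{Q} = \mathfrak{Q}$. But $\sigma\mathfrak{P}\mathcal{O}_L = \mathfrak{P}\mathcal{O}_L$ since $\mathfrak{P}$ is the only prime ideal lying under $\mathfrak{Q}$, so the restriction of $\sigma$ to $K$ fixes $\mathfrak{P}$. The restriction homomorphism $Z_{\mathfrak{Q}} \to Z_{\mathfrak{P}}$ for $\mathfrak{Q}$ a prime ideal lying above a prime ideal $\mathfrak{P}$ is an epimorphism. For if $\tau \in \mathrm{Gal}(K/k)$ with $\tau\mathfrak{P} = \mathfrak{P}$, choose $\sigma \in \mathrm{Gal}(L/k)$ as one of the automorphisms of $L$ over $k$ that extend $\tau$. Then $\sigma\mathfrak{Q} = \mathfrak{Q}'$ where $\mathfrak{Q}'$ is one of the prime ideals lying above $\tau\mathfrak{P} = \mathfrak{P}$. Furthermore $\mathrm{Gal}(L/K)$ is transitive on the prime ideals lying above $\mathfrak{P}$, so there is some $\omega \in \mathrm{Gal}(L/K)$ with $\omega\mathfrak{Q}' = \mathfrak{Q}$. Then $\omega\sigma\mathfrak{Q} = \omega\mathfrak{Q}' = \mathfrak{Q}$ so $\omega\sigma \in Z_{\mathfrak{Q}}$, while the restriction of $\omega\sigma$ to $K$ equals the restriction $\tau$ of $\sigma$ to $K$ since $\omega$ equals the identity on $K$.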

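Suppose that $\sigma \in T_{\mathfrak{Q}}$ with $\mathfrak{Q}$ a prime ideal of $\mathcal{O}_L$ lying above a prime ideal $\mathfrak{P}$ of $\mathcal{O}_K$. Then $\tilde\sigma$ is the identity on $\mathcal{O}_L/\mathfrak{Q}$, so $\sigma\alpha - \alpha \in \mathfrak{Q}$ for all $\alpha \in \mathcal{O}_L$. Now if $\beta \in \mathcal{O}_K$ then $\sigma\beta \in \mathcal{O}_K$, so $\sigma\beta - \beta \in \mathfrak{Q} \cap \mathcal{O}_K = \mathfrak{P}$. Thus the element $\sigma$ in $T_{\mathfrak{Q}}$ restricts to an element in $T_{\mathfrak{P}}$. The restriction homomorphism $T_{\mathfrak{Q}} \to T_{\mathfrak{P}}$ is moreover an epimorphism. For if $\tau \in T_{\mathfrak{P}}$, choose an $\omega\sigma \in Z_{\mathfrak{Q}}$ that extends $\tau$ as above. Then

$$I = \{\tau\alpha - \alpha \in \mathcal{O}_K \mid \alpha \in \mathcal{O}_K\} \subseteq \mathfrak{P}$$

and

$$I \subseteq J = \{\omega\sigma\beta - \beta \in \mathcal{O}_L \mid \beta \in \mathcal{O}_L\}.$$

Furthermore $I\mathcal{O}_L = J$, so $I = J\mathcal{O}_L \subseteq \mathfrak{P}\mathcal{O}_L \subseteq \mathfrak{Q}$. Then $\omega\sigma\beta - \beta \in \mathfrak{Q}$ for $\beta \in \mathcal{O}_L$, so $\widetilde{\omega\sigma}$ is the identity on $\mathcal{O}_L/\mathfrak{Q}$. This implies that the restriction homomorphism is an epimorphism, for $\tau$ is the restriction of $\omega\sigma$.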

This concludes our scanty account of Hilbert theory - the theory of the decomposition of prime ideals in finite normal extensions of number fields.


The different

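The Dedekind complement of a fractional ideal $\mathfrak{b}$ of $K$ relative to $\mathcal{O}_k$ is

$$\mathfrak{b}' = \{\alpha \in K \mid \mathrm{tr}_{K/k}(\alpha\beta) \in \mathcal{O}_k \text{ for } \beta \in \mathfrak{b}\}.$$

It is also often called the codifferent. We will show that it is again a fractional ideal. The fractional ideal $\mathfrak{b}$ has an ideal basis $\beta_1, \ldots, \beta_n$ over $\mathcal{O}_k$. Express each $\alpha \in \mathfrak{b}'$ as a linear combination

$$\alpha = b_1\beta_1 + \cdots + b_n\beta_n$$

in terms of the ideal basis of $\mathfrak{b}$, with coefficients $b_j$ in $k$. Then

$$\mathrm{tr}_{K/k}(\alpha\beta_j) = b_1\mathrm{tr}_{K/k}(\beta_1\beta_j) + \cdots + b_n\mathrm{tr}_{K/k}(\beta_n\beta_j),$$

and considered as a linear system of equations for $b_1, \ldots, b_n$ this has coefficient determinant

$$\delta = \det([\mathrm{tr}_{K/k}(\beta_i\beta_j)]_{1 \le i,j \le n}) = \Delta_{K/k}(\beta_1, \ldots, \beta_n) \ne 0.$$

Clearly the determinant of the system is an element of $\mathcal{O}_k$, and the $\mathrm{tr}_{K/k}(\alpha\beta_j)$ likewise, thus

$$\delta\alpha = \delta b_1\beta_1 + \cdots + \delta b_n\beta_n \in \mathcal{O}_K.$$

The Dedekind complement is closed under addition and under multiplication with elements of $\mathcal{O}_K$, so $\delta\mathfrak{b}'$ is an ideal of $\mathcal{O}_K$, which means that $\mathfrak{b}'$ is a fractional ideal.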

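Next we show that $\mathfrak{b}\mathfrak{b}' = \mathcal{O}_K'$. Suppose $\alpha \in \mathcal{O}_K$, $\beta \in \mathfrak{b}$ and $\gamma \in \mathfrak{b}'$ to be arbitrary, then we have $\alpha\beta \in \mathcal{O}_K$ and so $\mathrm{tr}_{K/k}(\alpha(\beta\gamma)) = \mathrm{tr}_{K/k}((\alpha\beta)\gamma) \in \mathcal{O}_k$. This implies that $\beta\gamma \in \mathcal{O}_K'$ and thus $\mathfrak{b}\mathfrak{b}' \subseteq \mathcal{O}_K'$. In the other direction, suppose $\alpha \in \mathcal{O}_K'$, $\beta \in \mathfrak{b}$ and $\gamma \in \mathfrak{b}^{-1}$ to be arbitrary, then we have $\beta\gamma \in \mathfrak{b}\mathfrak{b}^{-1} = \mathcal{O}_K$ and so $\mathrm{tr}_{K/k}(\beta(\gamma\alpha)) = \mathrm{tr}_{K/k}((\beta\gamma)\alpha) \in \mathcal{O}_k$. This implies that $\gamma\alpha \in \mathfrak{b}'$ and thus $\mathfrak{b}^{-1}\mathcal{O}_K' \subseteq \mathfrak{b}'$.

Since $\mathfrak{b}\mathfrak{b}' = \mathcal{O}_K' = \mathfrak{b}'\mathfrak{b}''$ we may cancel the common factor to conclude that $\mathfrak{b}'' = \mathfrak{b}$. This will come in useful when proving the functional equation of the Dedekind zeta function.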

The ideal

$$\mathfrak{d}_{K/k} \overset{\mathrm{def}}{=} (\mathcal{O}_K')^{-1},$$

where the Dedekind complement is taken with respect to $\mathcal{O}_k$, is called the different of $K/k$. Though by its definition it is merely a fractional ideal, it actually is an ideal of $\mathcal{O}_K$. For $1 \in \mathcal{O}_K'$ by the definition of the Dedekind complement, but the inverse of a fractional ideal containing 1 is an ideal, by the definition of the inverse. We may express the Dedekind complement in terms of the different by the formula

$$\mathfrak{b}' = \mathfrak{b}^{-1}\mathfrak{d}_{K/k}^{-1},$$

where $\mathfrak{b}$ is a fractional ideal of $K$ and $\mathfrak{b}'$ is taken with respect to $\mathrm{tr}_{K/k}$ and $\mathcal{O}_k$. This follows from the relationship $\mathfrak{b}\mathfrak{b}' = \mathcal{O}_K'$.


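The equivalences

$$\begin{aligned}
\alpha \in \mathfrak{d}_{L/k}^{-1} &\iff \mathrm{tr}_{L/k}(\alpha\mathcal{O}_L) \subseteq \mathcal{O}_k \iff \mathrm{tr}_{K/k}(\mathrm{tr}_{L/K}(\alpha\mathcal{O}_L)) \subseteq \mathcal{O}_k \\
&\iff \mathrm{tr}_{K/k}(\mathrm{tr}_{L/K}(\alpha\mathcal{O}_L)\mathcal{O}_K) \subseteq \mathcal{O}_k \iff \mathrm{tr}_{L/K}(\alpha\mathcal{O}_L) \subseteq \mathcal{O}_K' \\
&\iff \mathrm{tr}_{L/K}(\alpha\mathcal{O}_L)\mathfrak{d}_{K/k} \subseteq \mathcal{O}_K \iff \mathrm{tr}_{L/K}(\alpha\mathfrak{d}_{K/k}\mathcal{O}_L) \subseteq \mathcal{O}_K \\
&\iff \alpha\mathfrak{d}_{K/k} \subseteq \mathcal{O}_L'
\end{aligned}$$

hold for $L/K/k$ a tower of extensions of number fields, and they imply that $\mathfrak{d}_{L/k}^{-1}\mathfrak{d}_{K/k} = \mathfrak{d}_{L/K}^{-1}$. Thus $\mathfrak{d}_{L/k} = \mathfrak{d}_{L/K}\mathfrak{d}_{K/k}$, which is known as the tower different theorem. This may be expressed in terms of a product of ideals in $\mathcal{O}_K$ by interpreting $\mathfrak{d}_{K/k}$ as the extension $\mathfrak{d}_{K/k}\mathcal{O}_K$.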

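The trace form $\mathrm{tr}_{K/k}(\alpha\beta)$ is a nondegenerate bilinear form, so any basis $\omega_1, \ldots, \omega_n$ of $K$ over $k$ has a complementary basis $\omega_1', \ldots, \omega_n'$, satisfying

$$\mathrm{tr}_{K/k}(\omega_i\omega_j') = \begin{cases} 1 & \text{if } i = j \\ 0 & \text{otherwise,} \end{cases}$$

with respect to $\mathrm{tr}_{K/k}$. Considering an extension $K/\mathbb{Q}$, if $\omega_1, \ldots, \omega_n$ is an integral basis for $K$, then

$$\begin{aligned}
\Delta_{K/\mathbb{Q}}(\omega_1, \ldots, \omega_n)\,\Delta_{K/\mathbb{Q}}(\omega_1', \ldots, \omega_n')
&= \left(\det([\sigma_i(\omega_j)]_{1 \le i,j \le n}) \det([\sigma_l(\omega_m')]_{1 \le l,m \le n})\right)^2 \\
&= \left(\det([\sigma_j(\omega_i)]_{1 \le i,j \le n}) \det([\sigma_j(\omega_m')]_{1 \le j,m \le n})\right)^2 \\
&= \det([\sigma_1(\omega_i)\sigma_1(\omega_m') + \cdots + \sigma_n(\omega_i)\sigma_n(\omega_m')]_{1 \le i,m \le n})^2 \\
&= \det([\mathrm{tr}(\omega_i\omega_m')]_{1 \le i,m \le n})^2 = \det(I_{n \times n})^2 = 1.
\end{aligned}$$

We note that $\omega_1', \ldots, \omega_n'$ is an ideal basis over $\mathcal{O}_k$ for the fractional ideal $\mathcal{O}_K'$.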

Supposing that $\mathfrak{a}$ is an ideal of $\mathcal{O}_K$ with an ideal basis $\alpha_1, \ldots, \alpha_n$, and $\omega_1, \ldots, \omega_n$ an integral basis for $K$, there is a rational integer matrix $A$ such that

$$[\alpha_1 \ldots \alpha_n]^t = A[\omega_1 \ldots \omega_n]^t$$

Now repeat the same argument that was used to show that $N((\alpha)) = |N_{K/\mathbb{Q}}(\alpha)|$, to conclude that $N(\mathfrak{a}) = |\det(A)|$. Then

$$\Delta_{K/\mathbb{Q}}(\alpha_1, \ldots, \alpha_n) = \det(A)^2\,\Delta_{K/\mathbb{Q}}(\omega_1, \ldots, \omega_n) = N(\mathfrak{a})^2 d_K,$$

and this formula extends to ideal bases of fractional ideals by homogeneity. Applying it to the fractional ideal $\mathcal{O}_K'$ yields

$$\begin{aligned}
d_K^{-1} = \Delta_{K/\mathbb{Q}}(\omega_1, \ldots, \omega_n)^{-1} &= \Delta_{K/\mathbb{Q}}(\omega_1^*, \ldots, \omega_n^*) \\
&= N(\mathcal{O}_K')^2\,\Delta_{K/\mathbb{Q}}(\omega_1, \ldots, \omega_n) = N(\mathfrak{d}_{K/\mathbb{Q}}^{-1})^2 d_K = N(\mathfrak{d}_{K/\mathbb{Q}})^{-2} d_K
\end{aligned}$$

and so $|d_K| = N(\mathfrak{d}_{K/\mathbb{Q}})$. This formula is interesting because it expresses the discriminant, or at least its absolute value, in terms of something that does not depend on a choice of integral basis for $K$. At the moment we only have a definition of the discriminant in the case $K/\mathbb{Q}$ and not in the case $K/k$ of relative extensions. For the case of relative extensions, the analogue of an integral basis does not exist in general, and there are other problems in extending the earlier definition. So instead we define the discriminant $d_{K/k}$ of a relative extension $K/k$ as an ideal of $\mathcal{O}_k$ by the formula

$$d_{K/k} = N_{K/k}(\mathfrak{d}_{K/k}).$$

Note that if $k = \mathbb{Q}$, then $d_{K/\mathbb{Q}} = (d_K)$, and more generally we may view the discriminant as an element of $\mathcal{O}_k$ up to associates if $\mathcal{O}_k$ is a principal ideal domain.

The different $\mathfrak{d}_{K/k}$ gives quite precise information about the ramification of prime ideals of $\mathcal{O}_k$ in an extension $K/k$ of number fields: The Dedekind different theorem states that if $\mathfrak{P}$ is a prime ideal upstairs, $\mathfrak{p}$ is the prime ideal lying below $\mathfrak{P}$, and $\mathfrak{P}^e$ is the exact power of $\mathfrak{P}$ dividing $\mathfrak{p}\mathcal{O}_K$, then $\mathfrak{P}^{e-1} \mid \mathfrak{d}_{K/k}$, with $\mathfrak{P}^{e-1}$ the exact power dividing $\mathfrak{d}_{K/k}$ if and only if $e$ and $N(\mathfrak{P})$ are coprime. This very powerful theorem has the Dedekind discriminant theorem as an immediate corollary: A prime ideal $\mathfrak{p}$ in $\mathcal{O}_k$ ramifies in $K/k$ if and only if $\mathfrak{p} \mid d_{K/k}$. This result would be convenient to apply when discussing convergence of the Euler products that define the Artin L-functions, because it implies that in any extension only a finite number of prime ideals ramify. The factors in the Euler products are more complicated in the ramified case than in the unramified case. However, we can do without it, and a proof together with the necessary preparations seems excessively long for this summary, so we forgo it. We must however prove the absolute case $K/\mathbb{Q}$ of the Dedekind discriminant theorem, otherwise our proof of Minkowski's theorem would be incomplete.

An algebra $A$ is a vector space with an associative and distributive multiplication. The multiplication need not be commutative. An element $a \in A$ is nilpotent if $a^m = 0$ for some positive integer $m$.

Dedekind discriminant theorem - absolute case. A rational prime ramifies in $\mathcal{O}_K$ if and only if it divides the discriminant $d_K$.

Proof. Consider the finite dimensional algebra $A = \mathcal{O}_K/p\mathcal{O}_K$ over $\mathbb{F}_p$. We claim that $p$ ramifies in $\mathcal{O}_K$ if and only if $A$ has a nontrivial nilpotent. For if

$$p\mathcal{O}_K = \mathfrak{P}_1^{e_1} \cdots \mathfrak{P}_g^{e_g},$$

then

$$A \cong (\mathcal{O}_K/\mathfrak{P}_1^{e_1}) \times \cdots \times (\mathcal{O}_K/\mathfrak{P}_g^{e_g})$$

by the Chinese Remainder Theorem. If $e_1 = \cdots = e_g = 1$ then as a ring $A$ is isomorphic to a direct product of fields, but fields have no nontrivial nilpotents. While if $e_j > 1$ for some $j$ there is some $\alpha \in \mathfrak{P}_j$ with $\alpha \notin \mathfrak{P}_j^{e_j}$, and then $\alpha + \mathfrak{P}_j^{e_j}$ is a nontrivial nilpotent in $\mathcal{O}_K/\mathfrak{P}_j^{e_j}$. This gives a nontrivial nilpotent in $A$ by setting all other factors in the direct product equal to zero.


Let $(\omega_1, \ldots, \omega_n)$ be some integral basis for $\mathcal{O}_K$ and $(\bar\omega_1, \ldots, \bar\omega_n)$ its reduction modulo $p\mathcal{O}_K$. Then $(\bar\omega_1, \ldots, \bar\omega_n)$ is a basis for $A$ over $\mathbb{F}_p$. But the ordered basis $(\bar\omega_1, \ldots, \bar\omega_n)$ is related to any ordered basis $(a_1, \ldots, a_n)$ by a nonsingular matrix over $\mathbb{F}_p$, and thus the discriminants of these two bases differ by a factor that is a nonzero square in $\mathbb{F}_p$. So

$$d_K = \Delta(\omega_1, \ldots, \omega_n) \equiv \Delta(\bar\omega_1, \ldots, \bar\omega_n) \equiv D^2\Delta(a_1, \ldots, a_n) \pmod{p}$$

with $0 \ne D^2 \in \mathbb{F}_p$, since $\omega_j \equiv \bar\omega_j \pmod{p}$. Note that we are using the expression for the discriminant as the square of the determinant of a matrix of traces $\mathrm{tr}(a_i a_j)$.

Next we must relate nilpotents to the discriminant. Just as for field extensions, multiplication in an algebra $A$ yields for each fixed $a \in A$ a linear map $M_a : A \to A$ given by $b \mapsto ab$. We consider its trace $\mathrm{tr}(M_a)$, which is an element of $\mathbb{F}_p$. If $a$ is nilpotent, then $\mathrm{tr}(M_a)$ is zero, for when $a$ is nilpotent the characteristic polynomial of $M_a$ is $x^m$ where $m$ is the dimension of $A$ over $\mathbb{F}_p$. We write $\mathrm{tr}(a) = \mathrm{tr}(M_a)$. If $a_1$ is a nontrivial nilpotent of $A$ it can be extended to a basis $(a_1, \ldots, a_n)$ for $A$ over $\mathbb{F}_p$. Then each product $a_1 a_j$ is nilpotent by commutativity and so $\mathrm{tr}(a_1 a_j) = 0$ for $1 \le j \le n$. The first row of the trace matrix $[\mathrm{tr}(a_i a_j)]_{1 \le i,j \le n}$ is zero, so $\Delta(a_1, \ldots, a_n) = 0$.

Suppose that $p$ ramifies in $\mathcal{O}_K$. Then we may take $a_1$ to be a nontrivial nilpotent, which by the congruence for $d_K$ implies that $p \mid d_K$.

Suppose that $p$ does not ramify in $\mathcal{O}_K$. Then $A$ is a product of finite fields $F_j$, and we may choose an ordered basis $(a_1, \ldots, a_n)$ for $A$ over $\mathbb{F}_p$ which is a union of bases for these fields over $\mathbb{F}_p$. If $a_i$ and $a_j$ lie in different fields, then

$$\mathrm{tr}(a_i a_j) = \mathrm{tr}(M_{a_i a_j}) = \mathrm{tr}(M_{a_i}M_{a_j}) = \mathrm{tr}(0) = 0$$

because the image of the linear operator $M_{a_j}$ lies in the kernel of the linear operator $M_{a_i}$. If $a_i$ and $a_j$ lie in the same field $F_j$, the trace $\mathrm{tr}(a_i a_j)$ is the trace of the element $a_i a_j$ in $F_j$ over $\mathbb{F}_p$. This is a trace in a finite extension of finite fields, with a primitive element $\alpha$. Then we can calculate the determinant of the trace matrix in $F_j/\mathbb{F}_p$ by passing to the power basis generated by $\alpha$ and compute the trace matrix $[\mathrm{tr}(\alpha^{l-1}\alpha^{m-1})]$ by means of the formula for the Vandermonde determinant to see that it is nonzero in $\mathbb{F}_p$. Up to a nonzero factor in $\mathbb{F}_p$ the discriminant $\Delta(a_1, \ldots, a_n)$ equals the square of the product of these determinants of trace matrices for the various fields $F_j$, and is thus itself nonzero modulo $p$. Then $p \nmid d_K$ follows as above.

This proof was taken from lecture notes on Algebraic Numbers by Ehud de Shalit.

The law of decomposition of prime ideals in an extension $K/k$ is a complete description of how the extensions to $\mathcal{O}_K$ of the prime ideals in $\mathcal{O}_k$ factor into prime ideals, including the ramification indices and residue class degrees. We prove a theorem of J. W. R. Dedekind and E. E. Kummer that is very helpful in determining the law of decomposition of rational primes in number fields.


Dedekind-Kummer theorem. Let $K$ be a number field, $\mathcal{O}_K = \mathbb{Z}[\alpha]$, and $m(x)$ the minimal polynomial of $\alpha$ over $\mathbb{Z}$. Assume that

$$m(x) \equiv m_1(x)^{e_1} \cdots m_g(x)^{e_g}$$

modulo a prime $p$, where $m_1(x), \ldots, m_g(x)$ are monic polynomials over $\mathbb{Z}$, irreducible modulo $p$, and pairwise distinct over $\mathbb{Z}/(p)$. Then

$$p\mathcal{O}_K = \mathfrak{P}_1^{e_1} \cdots \mathfrak{P}_g^{e_g}$$

where $\mathfrak{P}_j = (p, m_j(\alpha))$ is a prime ideal of $\mathcal{O}_K$ with residue class degree $f_j = \deg(m_j)$ for $1 \le j \le g$.

Proof. Consider the homomorphisms

$$\mathbb{Z}[\alpha] \leftarrow \mathbb{Z}[x] \to \mathbb{Z}[x]/(m_j(x)) \to (\mathbb{Z}/(p))[x]/(\bar m_j(x))$$

given by evaluation, quotienting modulo an ideal, and reduction modulo $p$, respectively. Here $\bar m_j(x) \in (\mathbb{Z}/(p))[x]$ is the polynomial obtained by reducing the coefficients of $m_j(x)$ modulo $p$. If $\beta \in \mathcal{O}_K$ is represented as $\beta = f(\alpha) = g(\alpha)$ with $f(x), g(x) \in \mathbb{Z}[x]$, then $f(x) \equiv g(x) \pmod{m(x)}$ and thus $\bar f(x) \equiv \bar g(x) \pmod{\bar m_j(x)}$. This yields a well defined epimorphism $h_j : \mathcal{O}_K \to (\mathbb{Z}/(p))[x]/(\bar m_j(x))$. Putting $\mathfrak{P}_j = \ker(h_j)$ we obtain an isomorphism

$$\mathcal{O}_K/\mathfrak{P}_j \to (\mathbb{Z}/(p))[x]/(\bar m_j(x)),$$

so $\mathfrak{P}_j$ is a prime ideal, since the image is a field. Clearly this prime ideal lies above $(p)$, and the residue class degree is $f_j = [\mathcal{O}_K/\mathfrak{P}_j : \mathbb{Z}/(p)] = \deg(\bar m_j) = \deg(m_j)$.

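Next we determine the prime ideals $\mathfrak{P}_j$. Since

$$h_j(p) = p + (p) + (\bar m_j(x)) = (\bar m_j(x))$$

and

$$h_j(m_j(\alpha)) = \bar m_j(x) + (\bar m_j(x)) = (\bar m_j(x))$$

we see that $p \in \ker(h_j)$ and $m_j(\alpha) \in \ker(h_j)$, so $(p, m_j(\alpha)) \subseteq \mathfrak{P}_j$. If on the other hand $\beta \in \mathfrak{P}_j$ then $\beta = f(\alpha)$ with some $f(x) \in \mathbb{Z}[x]$. Reducing $f(x)$ modulo $p$ yields a polynomial $\bar f(x) \in (\mathbb{Z}/(p))[x]$ with $\bar f(x) \in (\bar m_j(x))$ since $f(\alpha) \in \mathfrak{P}_j$. Since $\bar f(x)$ is divisible by $\bar m_j(x)$ we have $\bar f(x) = \bar m_j(x)\bar g(x)$ with some polynomial $g(x) \in \mathbb{Z}[x]$. Then the coefficients of $f(x) - m_j(x)g(x)$ are divisible by $p$, so $f(\alpha) - m_j(\alpha)g(\alpha) \in p\mathbb{Z}[\alpha]$ and thus $\beta \in (p, m_j(\alpha))$ so that $\mathfrak{P}_j \subseteq (p, m_j(\alpha))$.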

The prime ideals $\mathfrak{P}_j$ are pairwise distinct, for the quotients $(\mathbb{Z}/(p))[x]/(\bar m_j(x))$ are pairwise distinct since the irreducible monic polynomials $\bar m_j(x)$ are pairwise distinct modulo $p$. Supposing that $\mathfrak{P}$ is a prime ideal of $\mathcal{O}_K$ with $\mathfrak{P} \mid p\mathcal{O}_K$, the finite field $\mathcal{O}_K/\mathfrak{P}$ is an extension of $\mathbb{Z}/(p)$, so there exists some monic polynomial $l(x) \in \mathbb{Z}[x]$ with irreducible reduction $\bar l(x)$ modulo $p$, for which there is an epimorphism $h : \mathcal{O}_K \to (\mathbb{Z}/(p))[x]/(\bar l(x))$ well defined by

$$\mathbb{Z}[\alpha] \leftarrow \mathbb{Z}[x] \to \mathbb{Z}[x]/(l(x)) \to (\mathbb{Z}/(p))[x]/(\bar l(x))$$

as above, with $\mathfrak{P} = \ker(h)$. Then $\mathfrak{P} = m(\alpha) + \mathfrak{P} \mapsto \bar m(x) + (\bar l(x))$, so $\bar m(x) \in (\bar l(x))$. Due to irreducibility modulo $p$ this implies that $\bar l(x) = \bar m_j(x)$ for some $1 \le j \le g$, so $\mathfrak{P} = \mathfrak{P}_j$. We conclude that

$$p\mathcal{O}_K = \mathfrak{P}_1^{d_1} \cdots \mathfrak{P}_g^{d_g}$$

where $d_1, \ldots, d_g$ are nonnegative integers. Substituting $x = \alpha$ into the congruence $m(x) \equiv m_1(x)^{e_1} \cdots m_g(x)^{e_g} \pmod{p}$ yields $m_1(\alpha)^{e_1} \cdots m_g(\alpha)^{e_g} \in p\mathcal{O}_K$. Furthermore $\mathfrak{P}_j = (p, m_j(\alpha))$ implies $\mathfrak{P}_j^{e_j} \subseteq (p, m_j(\alpha)^{e_j})$ so

$$\mathfrak{P}_1^{e_1} \cdots \mathfrak{P}_g^{e_g} \subseteq (p, m_1(\alpha)^{e_1} \cdots m_g(\alpha)^{e_g}) \subseteq p\mathcal{O}_K = \mathfrak{P}_1^{d_1} \cdots \mathfrak{P}_g^{d_g}.$$

But to contain is to divide, so $d_j \le e_j$ for $1 \le j \le g$. Now

$$d_1 f_1 + \cdots + d_g f_g = n_K = \deg(m) = e_1 f_1 + \cdots + e_g f_g$$

by the fundamental formula relating degree, ramification indices, and residue class degrees. Since all the residue class degrees $f_j$ are positive, we conclude that $d_j = e_j$ for $1 \le j \le g$.

This result has the limitation that the ring of integers of a number field is not always of the form $\mathbb{Z}[\alpha]$. The first counterexample was given by Dedekind.

We shall now find the law of decomposition of rational primes in quadratic number fields $K$. If $p \mid d_K$ then $p$ ramifies as the square of a prime ideal of $O_K$, by the Dedekind discriminant theorem and consideration of degree. This corresponds to $(d_K|p) = 0$ in terms of the Legendre symbol, or the Kronecker symbol if $p = 2$. If $p \nmid d_K$ and $d_K$ is even, $p$ must be odd. In this case we may use the Dedekind-Kummer theorem with $\alpha = \sqrt{d_K}/2$ and $m(x) = x^2 - d_K/4$. If $d_K/4$ is a quadratic residue modulo $p$, $m(x) \equiv m_1(x) m_2(x)$ modulo $p$ with $m_1(x)$ and $m_2(x)$ monic linear factors. Thus $p$ splits completely into two distinct prime ideals if $(d_K|p) = 1$. If $d_K/4$ is a quadratic nonresidue modulo $p$, $m(x)$ is an irreducible quadratic polynomial modulo $p$. Thus $p$ remains inert if $(d_K|p) = -1$. If $p \nmid d_K$ and $d_K$ is odd, we may use the theorem of Kummer with $\alpha = (1 + \sqrt{d_K})/2$ and $m(x) = x^2 - x + (1 - d_K)/4$. If $p$ is odd, 2 is invertible modulo $p$ so

$$m(x) \equiv 0 \iff (x - 1/2)^2 \equiv d_K/4$$

is solvable modulo $p$ if and only if $d_K$ is a quadratic residue modulo $p$. If it is a quadratic residue modulo $p$, $m(x) \equiv m_1(x) m_2(x)$ modulo $p$ with $m_1(x)$ and $m_2(x)$ monic linear factors. Thus $p$ splits completely into two distinct prime ideals if $(d_K|p) = 1$. If $d_K/4$ is a quadratic nonresidue modulo $p$, $m(x)$ is an irreducible quadratic polynomial modulo $p$. So $p$ remains inert if $(d_K|p) = -1$. If $p = 2$ then

$$m(x) \equiv 0 \iff \frac{1 - d_K}{4} \equiv 0$$

modulo 2. Thus $m(x) = x(x+1)$ if $(1 - d_K)/4$ is even, so 2 splits completely into two distinct prime ideals if $(d_K|2) = 1$, while $m(x)$ is an irreducible quadratic polynomial modulo 2 if $(1 - d_K)/4$ is odd, so 2 remains inert if $(d_K|2) = -1$. The criterion for $p = 2$ is formulated in terms of the Kronecker symbol modulo 2.

The conclusion is that $p$ ramifies, splits completely, or remains inert in the ring of integers of a quadratic number field $K$ according as to whether $(d_K|p) = 0$, $(d_K|p) = 1$ or $(d_K|p) = -1$ respectively.
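The decomposition law just stated can be checked numerically. The following Python sketch is an added example, not part of the original summary: it evaluates the symbol $(d_K|p)$ and, independently, counts the roots modulo $p$ of the polynomial $m(x)$ used in the Dedekind-Kummer argument, then compares the two verdicts. The function names and the sample list of fundamental discriminants are assumptions chosen for illustration.

```python
def symbol(d, p):
    """(d|p): Legendre symbol for an odd prime p (Euler's criterion),
    Kronecker symbol for p = 2."""
    if p == 2:
        if d % 2 == 0:
            return 0
        return 1 if d % 8 in (1, 7) else -1
    r = pow(d % p, (p - 1) // 2, p)      # r is 0, 1 or p - 1
    return -1 if r == p - 1 else r


def minimal_polynomial(dK):
    """Return (b, c) with m(x) = x^2 + b*x + c as in the text:
    x^2 - dK/4 for even dK, x^2 - x + (1 - dK)/4 for odd dK."""
    if dK % 4 == 0:
        return 0, -(dK // 4)
    if dK % 4 == 1:
        return -1, (1 - dK) // 4
    raise ValueError("not a fundamental discriminant")


def law_by_symbol(dK, p):
    """Decomposition type of p read off the symbol (dK|p)."""
    return {0: "ramifies", 1: "splits", -1: "inert"}[symbol(dK, p)]


def law_by_factoring(dK, p):
    """Decomposition type of p read off the factorization of m(x) mod p:
    two roots -> two distinct linear factors, one root -> a square,
    no root -> irreducible."""
    b, c = minimal_polynomial(dK)
    roots = [x for x in range(p) if (x * x + b * x + c) % p == 0]
    return {2: "splits", 1: "ramifies", 0: "inert"}[len(roots)]


def primes_below(n):
    return [q for q in range(2, n)
            if all(q % r for r in range(2, int(q ** 0.5) + 1))]


# Constructed sample: discriminants of Q(i), Q(sqrt 2), Q(sqrt -3),
# Q(sqrt 5), Q(sqrt -23) and Q(sqrt 7).
SAMPLE_DISCRIMINANTS = [-4, 8, -3, 5, -23, 28]


def mismatches(limit=100):
    """Pairs (dK, p) with p < limit where the two methods disagree."""
    return [(d, p) for d in SAMPLE_DISCRIMINANTS for p in primes_below(limit)
            if law_by_symbol(d, p) != law_by_factoring(d, p)]


if __name__ == "__main__":
    for d in SAMPLE_DISCRIMINANTS:
        print(d, [(p, law_by_symbol(d, p)) for p in primes_below(30)])
    print("disagreements:", mismatches())
```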

Frobenius coset and Artin map

Assume that $K/k$ is a normal extension of number fields. Recall that the Galois group of any extension of finite fields is cyclic and has a canonical generator $\sigma_p^m$ where $\sigma_p$ is the Frobenius endomorphism and $m$ is the degree of the ground field of the extension over $\mathbb{F}_p$. Pulling this generator in $\mathrm{Gal}((O_K/\mathfrak{P})/(O_k/\mathfrak{p}))$ back to $Z_{\mathfrak{P}}/T_{\mathfrak{P}}$ by the canonical isomorphism

$$Z_{\mathfrak{P}}/T_{\mathfrak{P}} \to \mathrm{Gal}((O_K/\mathfrak{P})/(O_k/\mathfrak{p}))$$

yields a uniquely determined coset of $T_{\mathfrak{P}}$ in $Z_{\mathfrak{P}}$. We fix some notation and terminology for this coset. It will be denoted $\mathrm{Frob}_{\mathfrak{P}}$ and called the Frobenius coset. Any element of this coset will be denoted by $\sigma_{\mathfrak{P}}$ and called a Frobenius element. When $T_{\mathfrak{P}}$ is trivial there is only a single Frobenius element, and in that situation we will denote by $\mathrm{Frob}_{\mathfrak{P}}$ or $\sigma_{\mathfrak{P}}$ the unique Frobenius element. When $T_{\mathfrak{P}}$ is trivial, the notation $\left[\frac{K/k}{\mathfrak{P}}\right]$ is commonly used for the Frobenius element, but we shall not use it.

The Frobenius coset is a generator of the cyclic group $Z_{\mathfrak{P}}/T_{\mathfrak{P}}$. We would prefer $\mathrm{Frob}_{\mathfrak{P}}$ to be a unique element in $Z_{\mathfrak{P}}$ (and thus in the Galois group), rather than a coset. So when is $T_{\mathfrak{P}}$ trivial? Since the order of $\mathrm{Gal}((O_K/\mathfrak{P})/(O_k/\mathfrak{p}))$ equals the residue class degree $f$ and the order of $Z_{\mathfrak{P}}$ equals $ef$, it is clear that the order of $T_{\mathfrak{P}}$ equals the ramification index $e$ of $\mathfrak{P}$ over $\mathfrak{p}$. Recalling that $K/k$ was assumed normal, so the ramification indices are equal, we see that $\mathrm{Frob}_{\mathfrak{P}}$ is an element rather than a coset in $Z_{\mathfrak{P}}$ if and only if $\mathfrak{p}$ does not ramify in the extension. But because we need the Frobenius coset when defining the factors corresponding to ramified prime ideals in the Euler products of Artin L-functions, we cannot limit ourselves to the case when $T_{\mathfrak{P}}$ is trivial.

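Since $N(\mathfrak{p}) = |O_k/\mathfrak{p}| = p^m$ any Frobenius element $\sigma_{\mathfrak{P}}$ satisfies the congruence

$$\sigma_{\mathfrak{P}}(\alpha) \equiv \alpha^{N(\mathfrak{p})} \pmod{\mathfrak{P}}$$

for all $\alpha \in O_K$. But if $\omega$ is an element of $\mathrm{Gal}(K/k)$ with

$$\omega(\alpha) \equiv \alpha^{N(\mathfrak{p})} \pmod{\mathfrak{P}}$$

for all $\alpha \in O_K$, then

$$\omega\mathfrak{P} \equiv \mathfrak{P}^{N(\mathfrak{p})} \equiv 0 \pmod{\mathfrak{P}},$$

and so $\omega\mathfrak{P} = \mathfrak{P}$ since $\omega$ takes prime ideals to prime ideals. Thus $\omega \in Z_{\mathfrak{P}}$, and so

$$\omega(\alpha + \mathfrak{P}) = \omega(\alpha) + \mathfrak{P} = \alpha^{N(\mathfrak{p})} + \mathfrak{P} = \sigma_{\mathfrak{P}}(\alpha) + \mathfrak{P} = \sigma_{\mathfrak{P}}(\alpha + \mathfrak{P})$$

for all $\alpha \in O_K$, for some Frobenius element $\sigma_{\mathfrak{P}}$. Thus $\omega = \sigma_{\mathfrak{P}}$ and so $\omega$ is also a Frobenius element. Thus the congruence

$$\sigma_{\mathfrak{P}}(\alpha) \equiv \alpha^{N(\mathfrak{p})} \pmod{\mathfrak{P}}$$

uniquely determines the Frobenius coset in the Galois group.

Again recalling that $K/k$ was supposed normal, we know that if $\mathfrak{P}_0$ and $\mathfrak{P}_1$ lie above $\mathfrak{p}$, there is some $\sigma \in \mathrm{Gal}(K/k)$ such that $\mathfrak{P}_0 = \sigma\mathfrak{P}_1$. Then

$$\sigma_{\mathfrak{P}_0}(\alpha) \equiv \alpha^{N(\mathfrak{p})} \pmod{\mathfrak{P}_0}$$

implies

$$\sigma^{-1}\sigma_{\mathfrak{P}_0}\sigma(\beta) \equiv \beta^{N(\mathfrak{p})} \pmod{\mathfrak{P}_1}$$

if $\alpha = \sigma\beta$. Thus $\mathrm{Frob}_{\mathfrak{P}_1} = \sigma^{-1}\mathrm{Frob}_{\mathfrak{P}_0}\sigma$ by the uniqueness of the Frobenius coset. So the two Frobenius cosets are conjugate in the Galois group.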

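Suppose that $L/K/k$ is a tower of extensions of number fields, with $L/k$ a normal extension, and $\mathfrak{Q}$ a prime ideal of $O_L$ lying over a prime ideal $\mathfrak{P}$ of $O_K$ lying above a prime ideal $\mathfrak{p}$ of $O_k$. If $\sigma_{\mathfrak{Q}}$ is a Frobenius element relative to the extension $L/k$, then

$$\sigma_{\mathfrak{Q}}^{f(\mathfrak{P}/\mathfrak{p})}$$

is a Frobenius element of $\mathfrak{Q}$ relative to the extension $L/K$. For

$$\sigma_{\mathfrak{Q}}^{f(\mathfrak{P}/\mathfrak{p})}(\alpha) \equiv \alpha^{N(\mathfrak{p})^{f(\mathfrak{P}/\mathfrak{p})}} \equiv \alpha^{N(\mathfrak{P})} \pmod{\mathfrak{Q}}$$

so the statement follows by the uniqueness of the Frobenius coset.

Let $L/K/k$ and $\mathfrak{Q}, \mathfrak{P}, \mathfrak{p}$ be as above, and assume in addition that $K/k$ is normal. Then the restriction to $K$ of any Frobenius element $\sigma_{\mathfrak{Q}}$ relative to $L/k$ is equal to some Frobenius element $\sigma_{\mathfrak{P}}$ relative to $K/k$. Denote the restriction by $\sigma$, which is an element of $\mathrm{Gal}(K/k)$ by the assumed normality. Now

$$\sigma(\alpha) \equiv \alpha^{N(\mathfrak{p})} \pmod{\mathfrak{Q}}$$

for all $\alpha \in O_K \subseteq O_L$. But this implies that

$$\sigma(\alpha) \equiv \alpha^{N(\mathfrak{p})} \pmod{\mathfrak{P}}$$

for all $\alpha \in O_K$, so the statement follows by the uniqueness of the Frobenius coset.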

The Frobenius coset carries information about the splitting of prime ideals in extensions. Suppose that $K/k$ is a normal extension of number fields and $\mathfrak{P}$ a prime ideal of $O_K$ lying above a prime ideal $\mathfrak{p}$ of $O_k$. The ramification index is $e = |\mathrm{Frob}(\mathfrak{P})|$ and the residue class degree $f$ is equal to the order of $\mathrm{Frob}_{\mathfrak{P}}$. Moreover $efg = n$ shows that $\mathrm{Frob}_{\mathfrak{P}}$ also determines $g$. In particular $\mathfrak{p}$ splits completely if and only if $\mathrm{Frob}_{\mathfrak{P}} = \{1\}$, while $\mathfrak{p}$ remains inert if and only if $\mathrm{Frob}_{\mathfrak{P}}$ has order equal to $n_{K/k}$.

From here on we limit ourselves to the unramified case. Consider two normal extensions $K/k$ and $L/k$ and their compositum $KL/k$. The extension $KL/k$ is normal, for any embedding $\sigma(KL)$ of the compositum $KL$ is the compositum $\sigma(K)\sigma(L)$ of the embeddings of $K$ and $L$ induced by restriction. The Galois group $\mathrm{Gal}(KL/k)$ injects into the direct product $\mathrm{Gal}(K/k) \times \mathrm{Gal}(L/k)$ by restriction, and we may identify $\mathrm{Gal}(KL/k)$ with its image in the direct product. Let $\mathfrak{R}$ be a prime ideal in $O_{KL}$ lying above the prime ideal $\mathfrak{P}$ of $O_K$ and the prime ideal $\mathfrak{Q}$ of $O_L$. Then $\mathrm{Frob}_{\mathfrak{R}} = \mathrm{Frob}_{\mathfrak{P}} \times \mathrm{Frob}_{\mathfrak{Q}}$, for the restriction of $\mathrm{Frob}_{\mathfrak{R}}$ to $K$ equals $\mathrm{Frob}_{\mathfrak{P}}$ and to $L$ equals $\mathrm{Frob}_{\mathfrak{Q}}$, as above.

A prime ideal $\mathfrak{p}$ splits completely in a normal extension if and only if the Frobenius element of any prime ideal lying above $\mathfrak{p}$ equals the identity. Thus the above result implies that if a prime ideal splits completely in two finite normal extensions of the same number field, then it splits completely in their compositum. This result proves useful for a rather remarkable application of the Dedekind zeta function.

We now consider how the Frobenius element relates to the prime ideal $\mathfrak{p}$ downstairs when the latter is unramified in $K/k$. We have already seen that in this case the Frobenius elements of prime ideals lying above $\mathfrak{p}$ form a conjugacy class in the Galois group of $K/k$. Since the conjugacy classes of an abelian group are singletons, the Frobenius element depends only on the prime ideal downstairs if the prime ideal does not ramify and the Galois group is abelian. In this case we denote the Frobenius element by

$$\left(\frac{K/k}{\mathfrak{p}}\right)$$

and call it the Artin symbol. The congruence

$$\left(\frac{K/k}{\mathfrak{p}}\right)(\alpha) \equiv \alpha^{N(\mathfrak{p})} \pmod{\mathfrak{P}}$$

holds for $\alpha \in O_K$ and each prime ideal $\mathfrak{P}$ lying above $\mathfrak{p}$. Thus

$$\left(\frac{K/k}{\mathfrak{p}}\right)(\alpha) \equiv \alpha^{N(\mathfrak{p})} \pmod{\mathfrak{p}O_K}$$

if $\mathfrak{p}$ is a prime ideal in $O_k$ that does not ramify in the abelian extension $K/k$.

A fractional ideal

$$\mathfrak{a} = \mathfrak{p}_1^{a_1} \cdots \mathfrak{p}_s^{a_s}$$

of $O_k$ factored into powers of distinct prime ideals is said to be coprime with a prime ideal $\mathfrak{p}$ of $O_k$ if $\mathfrak{p}$ does not occur in the factorization. Note that $\mathfrak{p}^{-1}$ is not coprime with $\mathfrak{p}$. This concept extends to $\mathfrak{a}$ being coprime with a set $S$ of prime ideals in the obvious way. A set $S$ of prime ideals in $O_k$ is called an exceptional set for the extension $K/k$ if all prime ideals of $O_k$ that ramify in the extension $K/k$ are contained in $S$. The Dedekind discriminant theorem implies that only a finite number of prime ideals ramify in an extension of number fields, so $S$ may be assumed finite. The set of fractional ideals of $O_k$ coprime with an exceptional set $S$ for the extension $K/k$ constitutes a subgroup $J_k^S$ of the group of fractional ideals $J_k$ of $O_k$. If a normal extension $K/k$ of number fields is abelian, i.e. the Galois group of the extension is commutative, the Artin symbol

$$\left(\frac{K/k}{\mathfrak{a}}\right) = \left(\frac{K/k}{\mathfrak{p}_1^{a_1} \cdots \mathfrak{p}_s^{a_s}}\right) = \left(\frac{K/k}{\mathfrak{p}_1}\right)^{a_1} \cdots \left(\frac{K/k}{\mathfrak{p}_s}\right)^{a_s}$$

on fractional ideals $\mathfrak{a}$ in $J_k^S$ is well-defined, with $\mathfrak{a}$ factored as above. This yields a homomorphism

$$\left(\frac{K/k}{\phantom{\mathfrak{a}}}\right) : J_k^S \to \mathrm{Gal}(K/k),$$

which is called the Artin map. The determination of the kernel and image of the Artin map is the content of a central theorem of algebraic number theory called the Artin Reciprocity Law. Unfortunately a complete proof requires intricate arguments with cyclotomic extensions, and is a good deal more demanding than anything we do in this Summary. The theorem plays an indispensable part for some results in the analytic theory of number fields.

For simple examples of Artin maps, consider quadratic extensions $K/\mathbb{Q}$. We know that if $p$ is a rational prime not contained in an exceptional set for the extension, there are only two cases: Either $(p)$ splits completely, if $(d_K|p) = 1$, or remains inert if $(d_K|p) = -1$. The Artin map is given by

$$(n) \mapsto \left(\frac{d_K}{|n|}\right)$$

on integral ideals in $J_K^S$. Here the Galois group of $K/\mathbb{Q}$ is identified with the multiplicative group $\pm 1$.

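Recall that the Galois group of the extension $\mathbb{Q}(\sqrt{2}, \sqrt{-3})/\mathbb{Q}$ is isomorphic to the direct product $(\mathbb{Z}/2\mathbb{Z}) \times (\mathbb{Z}/2\mathbb{Z})$. That $M = \mathbb{Q}(\sqrt{2}, \sqrt{-3})$ is the compositum of $K = \mathbb{Q}(\sqrt{2})$ and $L = \mathbb{Q}(\sqrt{-3})$ implies that

$$\left(\frac{M/\mathbb{Q}}{p}\right) = \left(\frac{d_K}{p}\right) \times \left(\frac{d_L}{p}\right) = \left(\frac{8}{p}\right) \times \left(\frac{-3}{p}\right)$$

for rational primes $p \ne 2, 3$.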

The cyclotomic extension $\mathbb{Q}(\zeta_5)/\mathbb{Q}$ affords another example. It has a cyclic Galois group of order four, and the discriminant equals 125. The value of the Artin map

$$\left(\frac{\mathbb{Q}(\zeta_5)/\mathbb{Q}}{n}\right)$$

for rational integers $n \not\equiv 0 \pmod 5$ is determined by the assignment $\zeta_5 \mapsto \zeta_5^n$. For the Artin symbol is determined by the congruence

$$\left(\frac{\mathbb{Q}(\zeta_5)/\mathbb{Q}}{p}\right)(\alpha) \equiv \alpha^p \pmod{pO_{\mathbb{Q}(\zeta_5)}}$$

for rational primes $p \ne 5$, and $\zeta_5$ generates the extension.
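The congruence that pins down the Artin symbol of $\mathbb{Q}(\zeta_5)/\mathbb{Q}$ can be verified by direct computation. The following Python sketch is an added example, not part of the original summary: it works in $\mathbb{Z}[\zeta_5]/(p)$, represented as $\mathbb{F}_p[x]/(\Phi_5)$ with elements stored as coefficient 4-tuples, finds the unique automorphism $\zeta_5 \mapsto \zeta_5^n$ agreeing with $\alpha \mapsto \alpha^p$ modulo $p$, and reads off the residue class degree as its order. It assumes the standard fact that the ring of integers of $\mathbb{Q}(\zeta_5)$ is $\mathbb{Z}[\zeta_5]$; all function names are chosen for illustration.

```python
ONE = (1, 0, 0, 0)    # the element 1 in the basis 1, zeta, zeta^2, zeta^3
ZETA = (0, 1, 0, 0)   # the element zeta_5


def reduce_mod(c, p):
    """c holds coefficients of 1, x, ..., x^4 (exponents already taken
    modulo 5, valid since Phi_5 divides x^5 - 1).  Eliminate x^4 with
    x^4 = -1 - x - x^2 - x^3 and reduce the coefficients modulo p."""
    return tuple((c[i] - c[4]) % p for i in range(4))


def mul(a, b, p):
    c = [0] * 5
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            c[(i + j) % 5] += ai * bj
    return reduce_mod(c, p)


def power(a, e, p):
    """a^e in Z[zeta_5]/(p) by square and multiply."""
    result = ONE
    while e:
        if e & 1:
            result = mul(result, a, p)
        a = mul(a, a, p)
        e >>= 1
    return result


def sigma(n, a, p):
    """Galois automorphism zeta -> zeta^n applied to a, reduced modulo p."""
    c = [0] * 5
    for i, ai in enumerate(a):
        c[(i * n) % 5] += ai
    return reduce_mod(c, p)


def artin_symbol(p):
    """The n in {1, 2, 3, 4} with sigma_n(zeta) = zeta^p modulo p."""
    if p == 5:
        raise ValueError("5 ramifies; the Artin symbol is not defined")
    target = power(ZETA, p, p)
    (n,) = [n for n in range(1, 5) if sigma(n, ZETA, p) == target]
    return n


def residue_degree(p):
    """Order f of the Artin symbol in the Galois group (Z/5Z)^*;
    p then has g = 4 // f prime ideals above it."""
    n = artin_symbol(p)
    f, m = 1, n
    while m != 1:
        m, f = m * n % 5, f + 1
    return f


def congruence_holds(alpha, p):
    """Check sigma_p(alpha) = alpha^p modulo p for an arbitrary alpha."""
    return sigma(artin_symbol(p), alpha, p) == power(alpha, p, p)


if __name__ == "__main__":
    for p in (2, 3, 7, 11, 19, 31):
        print(p, artin_symbol(p), residue_degree(p),
              congruence_holds((3, 1, 4, 1), p))   # constructed test element
```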


This concludes the summary of elementary and algebraic number theory. The reader may well have found the outline of elementary number theory too desiccated, as well as rather hurried and sparse.

The eighth edition of The Higher Arithmetic by H. Davenport, edited and with additional material by J. H. Davenport, is highly recommended as an introduction to the central topics of classical number theory. The standard comprehensive treatment is the sixth edition of An Introduction to the Theory of Numbers by G. H. Hardy and Edward M. Wright, revised by D. R. Heath-Brown and J. H. Silverman, and with a preface by Andrew Wiles and a new chapter by Silverman. Introduction to Number Theory by Hua Loo Keng, translated into English by Peter Shiu and supplemented with notes by Wang Yuan, is also very good and contains a wealth of material. The second edition of A Classical Introduction to Modern Number Theory by Kenneth Ireland and Michael Rosen is an excellent exposition of elementary number theory with a selection of further topics from algebraic number theory and Diophantine analysis. Unlike the other treatments of elementary number theory mentioned, this one requires some knowledge of abstract algebra.

The outline of algebraic number theory is very sketchy. It only covers background material for the chapter on the analytic theory of number fields in my A Course in Analytic Number Theory, and has scarcely any examples.

Algebraic number theory by A. Fröhlich and M. J. Taylor is a graduate-level introduction with a generous selection of examples. Number Fields by Daniel Marcus has many exercises. Algebraic Number Theory by Jürgen Neukirch, translated into English by Norbert Schappacher, is both more comprehensive and more demanding, and serves as a modern reference. It covers the ideal-theoretic and valuation-theoretic approaches to algebraic number theory in depth, and has extensive treatments of class field theory and of analytic methods. Algebraic Number Theory by S. Lang is another excellent reference.

Lectures on the Theory of Algebraic Numbers by Erich Hecke, translated into English by George U. Brauer and Jay R. Goldman with the assistance of R. Kotzen, is a classic treatise on algebraic number theory along ideal-theoretic lines that is well worth a few comments. Up until analytic methods appear in the last three chapters, only knowledge of polynomial algebra is required to read this book. Even the theory of finitely generated abelian groups is developed ab initio. Hecke's treatise has been commended by Atle Selberg, Harold M. Stark and André Weil as an excellent exposition. Even today, ninety years after it first appeared, it is still of interest, especially the last three chapters dealing with analytic methods. But it is not suitable as a reference, partly because there is no index.

The proceedings Algebraic Number Theory of the 1965 instructional conference at Brighton, edited by J. W. S. Cassels and A. Fröhlich, is a more modern classic. It is a collection of notes of lectures by distinguished algebraists and number theorists, mainly on topics related to the valuation-theoretic approach to algebraic number theory and class field theory. Also included is the thesis of Tate applying valuation theory and abstract harmonic analysis to the functional equations of L-functions.


List of Notations

$\mathfrak{a}$  conventional notation for an ideal, page 40

$\mathfrak{b}'$  Dedekind complement of a fractional ideal $\mathfrak{b}$, page 55

$\mathrm{char}(F)$  the characteristic of a field $F$, page 46

$\deg(\mathfrak{p})$  residue class degree of $\mathfrak{p}$ over $\mathbb{Q}$, page 49

$\mathfrak{d}_{K/k}$  the different ideal, page 55

$d$  conventional notation for a divisor, page 4

$e_j$  ramification index, page 49

$\mathbb{F}_p$  finite field with $p$ elements up to isomorphism, page 46

$\mathrm{Frob}_{\mathfrak{P}}$  Frobenius coset or element, page 61

$f_j$  residue class degree, page 49

$\mathrm{Gal}(K/k)$  Galois group of $K$ over $k$, page 29

$\gcd(a, b)$  greatest common divisor of $a$ and $b$, page 6

$g$  conventional notation for a primitive root, page 12

$\mathrm{ind}_g(a)$  index of $a$ to base $g$, page 14

$J_K$  the group of fractional ideals of $O_K$, page 43

$J_K^S$  the group of fractional ideals coprime with $S$, page 64

$N(\mathfrak{a})$  the norm of an ideal $\mathfrak{a}$, page 43

$k(\alpha)$  simple extension of $k$ by $\alpha$, page 25

$KL$  compositum of $K$ and $L$, page 25

$\mathrm{lcm}[a, b]$  least common multiple of $a$ and $b$, page 6

$L/K/k$  tower of field extensions, page 27

$K/k$  conventional notation for a field extension, page 25

$m$  conventional notation for a modulus in a congruence, page 9

$m(x)$  minimal polynomial of an algebraic element, page 25

$\mathbb{N}$  the set of positive integers $1, 2, \ldots$, page 1

$\mathbb{N}_0$  the set of nonnegative integers $0, 1, 2, \ldots$, page 1

$n_{K/k}$  degree of $K$ over $k$, page 25

$N_{K/k}(\alpha)$  the norm of $\alpha$ in $K$ over $k$, page 30

$n_K$  degree of $K$ over $\mathbb{Q}$, page 25

$N_K(\alpha)$  the norm of $\alpha$ in $K$ over $\mathbb{Q}$, page 30

$O_K$  the ring of algebraic integers in $K$, page 32

$\mathfrak{P}$  conventional notation for a prime ideal, page 41

$\mathfrak{p}$  conventional notation for a prime ideal, page 41

$p$  conventional notation for a prime, page 2

$P_K$  the group of principal fractional ideals of $O_K$, page 43

$q$  conventional notation for a modulus in a congruence, page 9

$r_1$  the number of real embeddings, page 27

$r_2$  the number of conjugate pairs of complex embeddings, page 27

$S$  an exceptional set of prime ideals, page 63

$s$  conventional notation for a squarefree integer, page 5

$\mathrm{tr}_{K/k}(\alpha)$  the trace of $\alpha$ in $K$ over $k$, page 31

$w_K$  the number of units of $O_K$ of finite order, page 37

$\mathbb{Z}$  the ring of integers $\ldots, -2, -1, 0, 1, 2, \ldots$, page 1

$T_{\mathfrak{P}}$  inertia group, page 54

$Z_{\mathfrak{P}}$  decomposition group, page 52

$\varphi(m)$  number of residue classes modulo $m$ coprime with $m$, page 10

$\Phi_q(x)$  the $q$-th cyclotomic polynomial, page 36

$\sigma_p$  the Frobenius endomorphism, page 46

$\sigma_{\mathfrak{P}}$  Frobenius element, page 61

$\varepsilon_d$  fundamental unit of the ring of integers of $\mathbb{Q}(\sqrt{d})$, page 38

$(a, b)$  abbreviated form for greatest common divisor of $a$ and $b$, page 6

$[a, b]$  abbreviated form for least common multiple of $a$ and $b$, page 6

$[K : k]$  degree of $K$ over $k$, page 25

$\equiv$  congruence relation $a \equiv b \pmod q$ meaning $q$ divides $a - b$, page 9

$\overline{a}$  residue class of $a$ modulo $m$, page 9
