Chapter 1

The Fundamental Theorem of Arithmetic

1.1 Prime numbers

If $a, b \in \mathbb{Z}$ we say that $a$ divides $b$ (or is a divisor of $b$), and we write $a \mid b$, if
$$b = ac$$
for some $c \in \mathbb{Z}$.

Thus $2 \mid 0$ but $0 \nmid 2$.

Definition 1.1 The number $p \in \mathbb{N}$ is said to be prime if $p$ has just 2 divisors in $\mathbb{N}$, namely 1 and itself.

Note that our definition excludes 0 (which has an infinity of divisors in $\mathbb{N}$) and 1 (which has just one).

Writing out the prime numbers in increasing order, we obtain the sequence of primes
$$2, 3, 5, 7, 11, 13, 17, 19, \dots$$
which has fascinated mathematicians since the ancient Greeks, and which is the main object of our study.

Definition 1.2 We denote the $n$th prime by $p_n$.

Thus $p_5 = 11$, $p_{100} = 541$.

It is convenient to introduce a kind of inverse function to $p_n$.

Definition 1.3 If $x \in \mathbb{R}$ we denote by $\pi(x)$ the number of primes $\le x$:
$$\pi(x) = |\{p \le x : p \text{ prime}\}|.$$

Thus
$$\pi(1.3) = 0,\quad \pi(3.7) = 2.$$

Evidently $\pi(x)$ is monotone increasing, but discontinuous with jumps at each prime $x = p$.
Theorem 1.1 (Euclid's First Theorem) The number of primes is infinite.

Proof Suppose there were only a finite number of primes, say
$$p_1, p_2, \dots, p_n.$$
Let
$$N = p_1 p_2 \cdots p_n + 1.$$
Evidently none of the primes $p_1, \dots, p_n$ divides $N$.

Lemma 1.1 Every natural number $n > 1$ has at least one prime divisor.

Proof of Lemma The smallest divisor $d > 1$ of $n$ must be prime. For otherwise $d$ would have a divisor $e$ with $1 < e < d$; and $e$ would be a divisor of $n$ smaller than $d$.

By the lemma, $N$ has a prime factor $p$, which differs from $p_1, \dots, p_n$.

Our argument not only shows that there are an infinity of primes; it shows that
$$p_n < 2^{2^n};$$
a very feeble bound, but our own. To see this, we argue by induction. Our proof shows that
$$p_{n+1} \le p_1 p_2 \cdots p_n + 1.$$
But now, by our inductive hypothesis,
$$p_1 < 2^{2^1},\quad p_2 < 2^{2^2},\quad \dots,\quad p_n < 2^{2^n}.$$
It follows that
$$p_{n+1} \le 2^{2^1 + 2^2 + \cdots + 2^n}.$$
But
$$2^1 + 2^2 + \cdots + 2^n = 2^{n+1} - 1 < 2^{n+1}.$$
Hence
$$p_{n+1} < 2^{2^{n+1}}.$$
It follows by induction that
$$p_n < 2^{2^n},$$
for all $n \ge 1$, the result being trivial for $n = 1$.

This is not a very strong result, as we said. It shows, for example, that the 5th prime, in fact 11, is
$$< 2^{2^5} = 2^{32} = 4294967296.$$

In general, any bound for $p_n$ gives a bound for $\pi(x)$ in the opposite direction, and vice versa; for
$$p_n \le x \iff \pi(x) \ge n.$$

In the present case, for example, we deduce that
$$\pi(2^{2^y}) \ge [y] > y - 1$$
and so, setting $x = 2^{2^y}$,
$$\pi(x) \ge \log_2 \log_2 x - 1 > \log \log x - 1$$
for $x > 1$. (We follow the usual convention that if no base is given then $\log x$ denotes the logarithm of $x$ to base $e$.)
The Prime Number Theorem (which we shall make no attempt to prove) asserts that
$$p_n \sim n \log n,$$
or, equivalently,
$$\pi(x) \sim \frac{x}{\log x}.$$
This states, roughly speaking, that the probability of $n$ being prime is about $1/\log n$. Note that this includes even numbers; the probability of an odd number $n$ being prime is about $2/\log n$. Thus roughly 1 in 6 odd numbers around $10^6$ are prime; while roughly 1 in 12 around $10^{12}$ are prime.

(The Prime Number Theorem is the central result of analytic number theory, since its proof involves complex function theory. Our concerns, by contrast, lie within algebraic number theory.)

There are several alternative proofs of Euclid's Theorem. We shall give one below. But first we must establish the Fundamental Theorem of Arithmetic (the Unique Factorisation Theorem) which gives prime numbers their central rôle in number theory; and for that we need Euclid's Algorithm.
1.2 Euclid's Algorithm

Proposition 1.1 Suppose $m, n \in \mathbb{N}$, $m \ne 0$. Then there exist unique $q, r \in \mathbb{N}$ such that
$$n = qm + r,\quad 0 \le r < m.$$

Proof For uniqueness, suppose
$$n = qm + r = q'm + r',$$
where $r < r'$, say. Then
$$(q - q')m = r' - r.$$
The number on the right is $< m$, while the number on the left has absolute value $\ge m$, unless $q' = q$, and so also $r' = r$.

We prove existence by induction on $n$. The result is trivial if $n < m$, with $q = 0$, $r = n$. Suppose $n \ge m$. By our inductive hypothesis, since $n - m < n$,
$$n - m = q'm + r,$$
where $0 \le r < m$. But then
$$n = qm + r,$$
with $q = q' + 1$.

Remark: One might ask why we feel the need to justify division with remainder (as above), while accepting, for example, proof by induction. This is not an easy question to answer.

Kronecker said, "God gave the integers. The rest is Man's." Virtually all number theorists agree with Kronecker in practice, even if they do not accept his theology. In other words, they believe that the integers exist, and have certain obvious properties.

Certainly, if pressed, one might go back to Peano's Axioms, which are a standard formalisation of the natural numbers. (These axioms include, incidentally, proof by induction.) Certainly any properties of the integers that we assume could easily be derived from Peano's Axioms.

However, as I heard an eminent mathematician (Louis Mordell) once say, "If you deduced from Peano's Axioms that $1 + 1 = 3$, which would you consider most likely, that Peano's Axioms were wrong, or that you were mistaken in believing that $1 + 1 = 2$?"
Proposition 1.2 Suppose $m, n \in \mathbb{N}$. Then there exists a unique number $d \in \mathbb{N}$ such that
$$d \mid m,\quad d \mid n,$$
and furthermore, if $e \in \mathbb{N}$ then
$$e \mid m,\ e \mid n \implies e \mid d.$$

Definition 1.4 We call this number $d$ the greatest common divisor of $m$ and $n$, and we write
$$d = \gcd(m, n).$$

Proof Euclid's Algorithm is a simple technique for determining the greatest common divisor $\gcd(m, n)$ of two natural numbers $m, n \in \mathbb{N}$. It proves incidentally, as the Proposition asserts, that any two numbers do indeed have a greatest common divisor (or highest common factor).

First we divide the larger, say $n$, by the smaller. Let the quotient be $q_1$ and let the remainder (all we are really interested in) be $r_1$:
$$n = mq_1 + r_1.$$
Now divide $m$ by $r_1$ (which must be less than $m$):
$$m = r_1 q_2 + r_2.$$
We continue in this way until the remainder becomes 0:
$$\begin{aligned}
n &= mq_1 + r_1,\\
m &= r_1 q_2 + r_2,\\
r_1 &= r_2 q_3 + r_3,\\
&\dots\\
r_{t-2} &= r_{t-1} q_t + r_t,\\
r_{t-1} &= r_t q_{t+1}.
\end{aligned}$$
The remainder must vanish after at most $m$ steps, for each remainder is strictly smaller than the previous one:
$$m > r_1 > r_2 > \cdots$$
Now we claim that the last non-zero remainder, $d = r_t$ say, has the required property:
$$d = \gcd(m, n) = r_t.$$
In the first place, working up from the bottom,
$$\begin{aligned}
d = r_t &\mid r_{t-1},\\
d \mid r_t \text{ and } d \mid r_{t-1} &\implies d \mid r_{t-2},\\
d \mid r_{t-1} \text{ and } d \mid r_{t-2} &\implies d \mid r_{t-3},\\
&\dots\\
d \mid r_3 \text{ and } d \mid r_2 &\implies d \mid r_1,\\
d \mid r_2 \text{ and } d \mid r_1 &\implies d \mid m,\\
d \mid r_1 \text{ and } d \mid m &\implies d \mid n.
\end{aligned}$$
Thus
$$d \mid m, n;$$
so $d$ is certainly a divisor of $m$ and $n$.

On the other hand, suppose $e$ is a divisor of $m$ and $n$:
$$e \mid m, n.$$
Then, working downwards, we find successively that
$$\begin{aligned}
e \mid m \text{ and } e \mid n &\implies e \mid r_1,\\
e \mid r_1 \text{ and } e \mid m &\implies e \mid r_2,\\
e \mid r_2 \text{ and } e \mid r_1 &\implies e \mid r_3,\\
&\dots\\
e \mid r_{t-2} \text{ and } e \mid r_{t-1} &\implies e \mid r_t.
\end{aligned}$$
Thus
$$e \mid r_t = d.$$
We conclude that our last non-zero remainder $r_t$ is the number we are looking for:
$$\gcd(m, n) = r_t.$$

It is easy to overlook the power and subtlety of the Euclidean Algorithm. The algorithm also gives us the following result.
Theorem 1.2 Suppose $m, n \in \mathbb{N}$. Let
$$\gcd(m, n) = d.$$
Then there exist integers $x, y \in \mathbb{Z}$ such that
$$mx + ny = d.$$

Proof The Proposition asserts that $d$ can be expressed as a linear combination (with integer coefficients) of $m$ and $n$. We shall prove the result by working backwards from the end of the algorithm, showing successively that $d$ is a linear combination of $r_s$ and $r_{s+1}$, and so, since $r_{s+1}$ is a linear combination of $r_{s-1}$ and $r_s$, $d$ is also a linear combination of $r_{s-1}$ and $r_s$.

To start with,
$$d = r_t.$$
From the previous line in the Algorithm,
$$r_{t-2} = q_t r_{t-1} + r_t.$$
Thus
$$d = r_t = r_{t-2} - q_t r_{t-1}.$$
But now, from the previous line,
$$r_{t-3} = q_{t-1} r_{t-2} + r_{t-1}.$$
Thus
$$r_{t-1} = r_{t-3} - q_{t-1} r_{t-2}.$$
Hence
$$\begin{aligned}
d &= r_{t-2} - q_t r_{t-1}\\
&= r_{t-2} - q_t (r_{t-3} - q_{t-1} r_{t-2})\\
&= -q_t r_{t-3} + (1 + q_t q_{t-1}) r_{t-2}.
\end{aligned}$$
Continuing in this way, suppose we have shown that
$$d = a_s r_s + b_s r_{s+1}.$$
Since
$$r_{s-1} = q_{s+1} r_s + r_{s+1},$$
it follows that
$$\begin{aligned}
d &= a_s r_s + b_s (r_{s-1} - q_{s+1} r_s)\\
&= b_s r_{s-1} + (a_s - b_s q_{s+1}) r_s.
\end{aligned}$$
Thus
$$d = a_{s-1} r_{s-1} + b_{s-1} r_s,$$
with
$$a_{s-1} = b_s,\quad b_{s-1} = a_s - b_s q_{s+1}.$$
Finally, at the top of the algorithm,
$$\begin{aligned}
d &= a_0 r_0 + b_0 r_1\\
&= a_0 r_0 + b_0 (m - q_1 r_0)\\
&= b_0 m + (a_0 - b_0 q_1) r_0\\
&= b_0 m + (a_0 - b_0 q_1)(n - q_0 m)\\
&= (b_0 - a_0 q_0 + b_0 q_0 q_1) m + (a_0 - b_0 q_1) n,
\end{aligned}$$
which is of the required form.

Example: Suppose $m = 39$, $n = 99$. Following Euclid's Algorithm,
$$\begin{aligned}
99 &= 2 \cdot 39 + 21,\\
39 &= 1 \cdot 21 + 18,\\
21 &= 1 \cdot 18 + 3,\\
18 &= 6 \cdot 3.
\end{aligned}$$
Thus
$$\gcd(39, 99) = 3.$$
Also
$$\begin{aligned}
3 &= 21 - 18\\
&= 21 - (39 - 21)\\
&= -39 + 2 \cdot 21\\
&= -39 + 2(99 - 2 \cdot 39)\\
&= 2 \cdot 99 - 5 \cdot 39.
\end{aligned}$$
Thus the Diophantine equation
$$99x + 39y = 3$$
has the solution
$$x = 2,\quad y = -5.$$
(By a Diophantine equation we simply mean a polynomial equation to which we are seeking integer solutions.)
This solution is not unique; we could, for example, add 39 to $x$ and subtract 99 from $y$. We can find the general solution by subtracting the particular solution we have just found to give a homogeneous linear equation. Thus if $x', y' \in \mathbb{Z}$ also satisfies the equation then $X = x' - x$, $Y = y' - y$ satisfies the homogeneous equation
$$99X + 39Y = 0,$$
ie
$$33X + 13Y = 0,$$
the general solution to which is
$$X = 13t,\quad Y = -33t$$
for $t \in \mathbb{Z}$. The general solution to this diophantine equation is therefore
$$x = 2 + 13t,\quad y = -5 - 33t\quad (t \in \mathbb{Z}).$$

It is clear that the Euclidean Algorithm gives a complete solution to the general linear diophantine equation
$$ax + by = c.$$
This equation has no solution unless
$$\gcd(a, b) \mid c,$$
in which case it has an infinity of solutions. For if $(x, y)$ is a solution to the equation
$$ax + by = d,$$
and $c = dc'$ then $(c'x, c'y)$ satisfies
$$ax + by = c,$$
and we can find the general solution as before.

Corollary 1.1 Suppose $m, n \in \mathbb{Z}$. Then the equation
$$mx + ny = 1$$
has a solution $x, y \in \mathbb{Z}$ if and only if $\gcd(m, n) = 1$.

It is worth noting that we can improve the efficiency of Euclid's Algorithm by allowing negative remainders. For then we can divide with remainder $\le m/2$ in absolute value, ie
$$n = qm + r,$$
with $-m/2 \le r < m/2$. The Algorithm proceeds as before; but now we have
$$|r_0| \le m/2,\quad |r_1| \le |r_0|/2 \le m/2^2,\quad \dots,$$
so the Algorithm concludes after at most $\log_2 m$ steps.

This shows that the algorithm is in class P, ie it can be completed in polynomial (in fact linear) time in terms of the lengths of the input numbers $m, n$, the length of $n$, ie the number of bits required to express $n$ in binary form, being $[\log_2 n] + 1$.

Algorithms in class P (or polynomial time algorithms) are considered easy or tractable, while problems which cannot be solved in polynomial time are considered hard or intractable. RSA encryption, the standard technique for encrypting confidential information, rests on the belief (and it should be emphasized that this is a belief and not a proof) that factorisation of a large number is intractable.

Example: Taking $m = 39$, $n = 99$, as before, the Algorithm now goes
$$\begin{aligned}
99 &= 3 \cdot 39 - 18,\\
39 &= 2 \cdot 18 + 3,\\
18 &= 6 \cdot 3,
\end{aligned}$$
giving (of course)
$$\gcd(39, 99) = 3,$$
as before.
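As an added example (not code from the original notes), here is the Euclidean Algorithm of Theorem 1.2 run backwards in Python, together with the general solution of a linear Diophantine equation and the signed-remainder variant just described; the function names are my own, and the inputs are assumed to be natural numbers not both zero.

```python
def extended_gcd(m, n):
    """Euclid's Algorithm run backwards (Theorem 1.2).

    Returns (d, x, y, quotients) with d = gcd(m, n), m*x + n*y = d, and the
    list of quotients q_1, q_2, ... produced by the successive divisions.
    """
    # Invariants kept throughout: r0 == m*x0 + n*y0 and r1 == m*x1 + n*y1,
    # so when r1 reaches 0, r0 is the last non-zero remainder, i.e. the gcd.
    r0, x0, y0 = m, 1, 0
    r1, x1, y1 = n, 0, 1
    quotients = []
    while r1 != 0:
        q, r = divmod(r0, r1)      # r0 = q*r1 + r with 0 <= r < r1 (Proposition 1.1)
        quotients.append(q)
        r0, r1 = r1, r
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return r0, x0, y0, quotients


def solve_linear_diophantine(a, b, c):
    """General integer solution of a*x + b*y = c (Section 1.2).

    Returns None when gcd(a, b) does not divide c. Otherwise returns
    ((x0, y0), (dx, dy)): every solution is x = x0 + dx*t, y = y0 + dy*t, t in Z.
    """
    d, x, y, _ = extended_gcd(a, b)
    if c % d != 0:
        return None
    k = c // d                      # c = d*k, so (k*x, k*y) solves a*x + b*y = c
    # The homogeneous equation a*X + b*Y = 0 is (a/d)*X + (b/d)*Y = 0 with
    # coprime coefficients, whose solutions are X = (b/d)*t, Y = -(a/d)*t.
    return (k * x, k * y), (b // d, -(a // d))


def gcd_signed_remainders(m, n):
    """Euclid's Algorithm with remainders of least absolute value.

    Each division is a = q*b + r with -b/2 <= r < b/2, so |r| <= b/2 and the
    remainders at least halve at every step. Returns (gcd, number of divisions).
    """
    a, b = max(m, n), min(m, n)
    steps = 0
    while b != 0:
        q, r = divmod(a, b)
        if 2 * r >= b:              # move r from [0, b) into [-b/2, b/2)
            q, r = q + 1, r - b
        steps += 1
        a, b = b, abs(r)            # gcd(b, r) = gcd(b, |r|)
    return a, steps


if __name__ == "__main__":
    # The worked example from the notes: m = 39, n = 99.
    d, x, y, qs = extended_gcd(99, 39)
    print(f"gcd(39, 99) = {d}; 99*({x}) + 39*({y}) = {99 * x + 39 * y}; quotients {qs}")
    (x0, y0), (dx, dy) = solve_linear_diophantine(99, 39, 3)
    print(f"99x + 39y = 3: x = {x0} + {dx}t, y = {y0} {dy:+d}t")
    print("signed remainders (gcd, divisions):", gcd_signed_remainders(39, 99))
```

The signed variant needs 3 divisions for (39, 99) against 4 for the plain algorithm, within the $\log_2 39 \approx 5.3$ bound stated above.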
1.3 Ideals

We used the Euclidean Algorithm above to show that if $\gcd(a, b) = 1$ then we can find $u, v \in \mathbb{Z}$ such that
$$au + bv = 1.$$
There is a much quicker way of proving that such $u, v$ exist, without explicitly computing them.

Recall that an ideal in a commutative ring $A$ is a non-empty subset $\mathfrak{a} \subseteq A$ such that
1. $a, b \in \mathfrak{a} \implies a + b \in \mathfrak{a}$;
2. $a \in \mathfrak{a},\ c \in A \implies ac \in \mathfrak{a}$.

As an example, the multiples of an element $a \in A$ form an ideal
$$\langle a \rangle = \{ac : c \in A\}.$$
Such an ideal is said to be principal.

Proposition 1.3 Every ideal $\mathfrak{a} \subseteq \mathbb{Z}$ is principal.

Proof If $\mathfrak{a} = \{0\}$ (by convention we denote the ideal $\{0\}$ by 0) the result is trivial: $\mathfrak{a} = \langle 0 \rangle$. We may suppose therefore that $\mathfrak{a} \ne 0$.

Then $\mathfrak{a}$ must contain integers $n > 0$ (since $n \in \mathfrak{a} \implies -n \in \mathfrak{a}$). Let $d$ be the least such integer. Then
$$\mathfrak{a} = \langle d \rangle.$$
For suppose $a \in \mathfrak{a}$. Dividing $a$ by $d$,
$$a = qd + r,$$
where
$$0 \le r < d.$$
But
$$r = a + (-q)d \in \mathfrak{a}.$$
Hence $r = 0$; for otherwise $r$ would contradict the minimality of $d$. Thus
$$a = qd,$$
ie every element $a \in \mathfrak{a}$ is a multiple of $d$.

Now suppose $a, b \in \mathbb{Z}$. Consider the set of integers
$$I = \{au + bv : u, v \in \mathbb{Z}\}.$$
It is readily verified that $I$ is an ideal.

According to the Proposition above, this ideal is principal, say
$$I = \langle d \rangle.$$
But now
$$a \in I \implies d \mid a,\quad b \in I \implies d \mid b.$$
On the other hand,
$$e \mid a,\ e \mid b \implies e \mid au + bv \implies e \mid d.$$
It follows that
$$d = \gcd(a, b);$$
and we have shown that the diophantine equation
$$au + bv = d$$
always has a solution.

In particular, if $\gcd(a, b) = 1$ we can find $u, v \in \mathbb{Z}$ such that
$$au + bv = 1.$$

This proof is much shorter than the one using the Euclidean Algorithm; but it suffers from the disadvantage that it provides no way of computing
$$d = \gcd(a, b),$$
and no way of solving the equation
$$au + bv = d.$$
In effect, we have taken $d$ as the least of an infinite set of positive integers, using the fact that the natural numbers $\mathbb{N}$ are well-ordered, ie every subset $S \subseteq \mathbb{N}$ has a least element.
1.4 The Fundamental Theorem of Arithmetic

Proposition 1.4 (Euclid's Lemma) Suppose $p \in \mathbb{N}$ is a prime number; and suppose $a, b \in \mathbb{Z}$. Then
$$p \mid ab \implies p \mid a \text{ or } p \mid b.$$

Proof Suppose $p \mid ab$, $p \nmid a$. We must show that $p \mid b$. Evidently
$$\gcd(p, a) = 1.$$
Hence, by Corollary 1.1, there exist $x, y \in \mathbb{Z}$ such that
$$px + ay = 1.$$
Multiplying this equation by $b$,
$$pxb + aby = b.$$
But $p \mid pxb$ and $p \mid aby$ (since $p \mid ab$). Hence
$$p \mid b.$$

Theorem 1.3 Suppose $n \in \mathbb{N}$, $n > 0$. Then $n$ is expressible as a product of prime numbers,
$$n = p_1 p_2 \cdots p_r,$$
and this expression is unique up to order.

Remark: We follow the convention that an empty product has value 1, just as an empty sum has value 0. Thus the theorem holds for $n = 1$ as the product of no primes.

Proof We prove existence by induction on $n$, the result being trivial (by the remark above) when $n = 1$. We know that $n$ has at least one prime factor $p$, by Lemma 1.1, say
$$n = pm.$$
Since $m = n/p < n$, we may apply our inductive hypothesis to $m$,
$$m = q_1 q_2 \cdots q_s.$$
Hence
$$n = p q_1 q_2 \cdots q_s.$$

Now suppose
$$n = p_1 p_2 \cdots p_r = q_1 q_2 \cdots q_s.$$
Since $p_1 \mid n$, it follows by repeated application of Euclid's Lemma that
$$p_1 \mid q_j$$
for some $j$. But then it follows from the definition of a prime number that
$$p_1 = q_j.$$
Again, we argue by induction on $n$. Since
$$n/p_1 = p_2 \cdots p_r = q_1 \cdots \hat{q}_j \cdots q_s$$
(where the hat indicates that the factor is omitted), and since $n/p_1 < n$, we deduce that the factors $p_2, \dots, p_r$ are the same as $q_1, \dots, \hat{q}_j, \dots, q_s$, in some order. Hence $r = s$, and the primes $p_1, \dots, p_r$ and $q_1, \dots, q_s$ are the same in some order.
We can base another proof of Euclid's Theorem (that there exist an infinity of primes) on the fact that if there were only a finite number of primes there would not be enough products to go round.

Thus suppose there were just $m$ primes
$$p_1, \dots, p_m.$$
Let $N \in \mathbb{N}$. By the Fundamental Theorem, each $n \le N$ would be expressible in the form
$$n = p_1^{e_1} \cdots p_m^{e_m}.$$
(Actually, we are only using the existence part of the Fundamental Theorem; we do not need the uniqueness part.)

For each $i$ ($1 \le i \le m$),
$$p_i^{e_i} \mid n \implies p_i^{e_i} \le n \implies p_i^{e_i} \le N \implies 2^{e_i} \le N \implies e_i \le \log_2 N.$$
Thus there are at most $\log_2 N + 1$ choices for each exponent $e_i$, and so the number of numbers $n \le N$ expressible in this form is
$$\le (\log_2 N + 1)^m.$$
So our hypothesis implies that
$$(\log_2 N + 1)^m \ge N$$
for all $N$.

But in fact, to the contrary,
$$X > (\log_2 X + 1)^m = \left(\frac{\log X}{\log 2} + 1\right)^m$$
for all sufficiently large $X$. To see this, set $X = e^x$. We have to show that
$$e^x > \left(\frac{x}{\log 2} + 1\right)^m.$$
Since
$$\frac{x}{\log 2} + 1 < 2x$$
if $x \ge 3$, it is sufficient to show that
$$e^x > (2x)^m$$
for sufficiently large $x$. But
$$e^x > \frac{x^{m+1}}{(m+1)!}$$
if $x > 0$, since the expression on the right is one of the terms in the power-series expansion of $e^x$. Thus the inequality holds if
$$\frac{x^{m+1}}{(m+1)!} > (2x)^m,$$
ie if
$$x > 2^m (m+1)!.$$
We have shown therefore that $m$ primes are insufficient to express all $n \le N$ if
$$N \ge e^{2^m (m+1)!}.$$
Thus our hypothesis is untenable; and Euclid's theorem is proved.

Our proof gives the bound
$$p_n \le e^{2^m (m+1)!},$$
which is even worse than the bound we derived from Euclid's proof. (For it is easy to see by induction that
$$(m+1)! > e^m$$
for $m \ge 2$. Thus our bound is worse than $e^{e^n}$, compared with $2^{2^n}$ by Euclid's method.)
We can improve the bound considerably by taking out the square factor in $n$. Thus each number $n \in \mathbb{N}$ ($n > 0$) is uniquely expressible in the form
$$n = d^2 p_1 \cdots p_r,$$
where the primes $p_1, \dots, p_r$ are distinct. In particular, if there are only $m$ primes then each $n$ is expressible in the form
$$n = d^2 p_1^{e_1} \cdots p_m^{e_m},$$
where now each exponent $e_i$ is either 0 or 1.

Consider the numbers $n \le N$. Since
$$d \le \sqrt{N},$$
the number of numbers of the above form is
$$\le \sqrt{N}\, 2^m.$$
Thus we shall reach a contradiction when
$$\sqrt{N}\, 2^m < N,$$
ie
$$N > 2^{2m}.$$
This gives us the bound
$$p_n \le 2^{2n},$$
better than $2^{2^n}$, but still a long way from the truth.
1.5 The Fundamental Theorem, recast

We suppose throughout this section that $A$ is an integral domain. (Recall that an integral domain is a commutative ring with 1 having no zero divisors, ie if $a, b \in A$ then
$$ab = 0 \implies a = 0 \text{ or } b = 0.)$$
We want to examine whether or not the Fundamental Theorem holds in $A$; we shall find that it holds in some commutative rings and not in others. But to make sense of the question we need to re-cast our definition of a prime.

Looking back at $\mathbb{Z}$, we see that we could have defined primality in two ways (excluding $p = 1$ in both cases):
1. $p$ is prime if it has no proper factors, ie
$$p = ab \implies a = 1 \text{ or } b = 1.$$
2. $p$ is prime if
$$p \mid ab \implies p \mid a \text{ or } p \mid b.$$

The two definitions are of course equivalent in the ring $\mathbb{Z}$. However, in a general ring the second definition is stronger: that is, an element satisfying it must satisfy the first definition, but the converse is not necessarily true. We shall take the second definition as our starting-point.

But first we must deal with one other point. In defining primality in $\mathbb{Z}$ we actually restricted ourselves to the semi-ring $\mathbb{N}$, defined by the order in $\mathbb{Z}$:
$$\mathbb{N} = \{n \in \mathbb{Z} : n \ge 0\}.$$
However, a general ring $A$ has no natural order, and no such semi-ring, so we must consider all elements $a \in A$.

In the case of $\mathbb{Z}$ this would mean considering $-p$ as a prime on the same footing as $p$. But now, for the Fundamental Theorem to make sense, we would have to regard the primes $\pm p$ as essentially the same.

The solution in the general ring is to regard two primes as equivalent if each is a multiple of the other, the two multiples necessarily being units.

Definition 1.5 An element $\epsilon \in A$ is said to be a unit if it is invertible, ie if there is an element $\eta \in A$ such that
$$\epsilon \eta = 1.$$
We denote the set of units in $A$ by $A^\times$.

For example,
$$\mathbb{Z}^\times = \{\pm 1\}.$$

Proposition 1.5 The units in $A$ form a multiplicative group $A^\times$.

Proof This is immediate. Multiplication is associative, from the definition of a ring; and $\eta = \epsilon^{-1}$ is a unit, since it has inverse $\epsilon$.

Now we can define primality.

Definition 1.6 Suppose $a \in A$ is not a unit, and $a \ne 0$. Then
1. $a$ is said to be irreducible if
$$a = bc \implies b \text{ or } c \text{ is a unit}.$$
2. $a$ is said to be prime if
$$a \mid bc \implies a \mid b \text{ or } a \mid c.$$

Proposition 1.6 If $a \in A$ is prime then it is irreducible.

Proof Suppose
$$a = bc.$$
Then
$$a \mid b \text{ or } a \mid c.$$
We may suppose without loss of generality that $a \mid b$. Then
$$a \mid b,\ b \mid a \implies a = \epsilon b,$$
where $\epsilon$ is a unit; and
$$a = bc = \epsilon b \implies c = \epsilon.$$

Definition 1.7 The elements $a, b \in A$ are said to be equivalent, written
$$a \sim b,$$
if
$$b = \epsilon a$$
for some unit $\epsilon$.

In effect, the group of units $A^\times$ acts on $A$, and two elements are equivalent if each is a transform of the other under this action.

Now we can re-state the Fundamental Theorem in terms which make sense in any integral domain.

Definition 1.8 The integral domain $A$ is said to be a unique factorisation domain if each non-unit $a \in A$, $a \ne 0$ is expressible in the form
$$a = p_1 \cdots p_r,$$
where $p_1, \dots, p_r$ are prime, and if this expression is unique up to order and equivalence of primes.

In other words, if
$$a = q_1 \cdots q_s$$
is another expression of the same form, then $r = s$ and we can find a permutation $\pi$ of $\{1, 2, \dots, r\}$ and units $\epsilon_1, \epsilon_2, \dots, \epsilon_r$ such that
$$q_i = \epsilon_i p_{\pi(i)}$$
for $i = 1, 2, \dots, r$.

Thus a unique factorisation domain (UFD) is an integral domain in which the Fundamental Theorem of Arithmetic is valid.
1.6 Principal ideal domains

Definition 1.9 The integral domain $A$ is said to be a principal ideal domain if every ideal $\mathfrak{a} \subseteq A$ is principal, ie
$$\mathfrak{a} = \langle a \rangle = \{ac : c \in A\}$$
for some $a \in A$.

Example: By Proposition 1.3, $\mathbb{Z}$ is a principal ideal domain.

Our proof of the Fundamental Theorem can be divided into two steps (this is clearer in the alternative version outlined in Section 1.3): first we showed that $\mathbb{Z}$ is a principal ideal domain, and then we deduced from this that $\mathbb{Z}$ is a unique factorisation domain.

As our next result shows, this argument is generally available; it is the technique we shall apply to show that the Fundamental Theorem holds in a variety of integral domains.

Proposition 1.7 A principal ideal domain is a unique factorisation domain.

Proof Suppose $A$ is a principal ideal domain.

Lemma 1.2 A non-unit $a \in A$, $a \ne 0$ is prime if and only if it is irreducible, ie
$$a = bc \implies b \text{ is a unit or } c \text{ is a unit}.$$

Proof of Lemma By Proposition 1.6, a prime is always irreducible.

The converse is in effect Euclid's Lemma. Thus suppose
$$p \mid ab \text{ but } p \nmid a.$$
Consider the ideal $\langle p, a \rangle$ generated by $p$ and $a$. By hypothesis this is principal, say
$$\langle p, a \rangle = \langle d \rangle.$$
Since $p$ is irreducible,
$$d \mid p \implies d = \epsilon \text{ or } d = \epsilon p,$$
where $\epsilon$ is a unit. But
$$d = \epsilon p,\ d \mid a \implies p \mid a,$$
contrary to hypothesis. Thus $d$ is a unit, ie
$$\langle p, a \rangle = A.$$
In particular we can find $u, v \in A$ such that
$$pu + av = 1.$$
Multiplying by $b$,
$$pub + abv = b.$$
But now
$$p \mid ab \implies p \mid b.$$

Now suppose $a$ is neither a unit nor 0; and suppose that $a$ is not expressible as a product of primes. Then $a$ is reducible, by the Lemma above: say
$$a = a_1 b_1,$$
where $a_1, b_1$ are non-units. One at least of $a_1, b_1$ is not expressible as a product of primes; we may assume without loss of generality that this is true of $a_1$.

It follows by the same argument that
$$a_1 = a_2 b_2,$$
where $a_2, b_2$ are non-units, and $a_2$ is not expressible as a product of primes.

Continuing in this way,
$$a = a_1 b_1,\quad a_1 = a_2 b_2,\quad a_2 = a_3 b_3,\quad \dots.$$
Now consider the ideal
$$\mathfrak{a} = \langle a_1, a_2, a_3, \dots \rangle.$$
By hypothesis this ideal is principal, say
$$\mathfrak{a} = \langle d \rangle.$$
Since $d \in \mathfrak{a}$,
$$d \in \langle a_1, \dots, a_r \rangle = \langle a_r \rangle$$
for some $r$. But then
$$a_{r+1} \in \langle d \rangle = \langle a_r \rangle.$$
Thus
$$a_r \mid a_{r+1},\ a_{r+1} \mid a_r \implies a_r = \epsilon a_{r+1} \implies b_{r+1} = \epsilon,$$
where $\epsilon$ is a unit, contrary to construction.

Thus the assumption that $a$ is not expressible as a product of primes is untenable;
$$a = p_1 \cdots p_r.$$

To prove uniqueness, we argue by induction on $r$, where $r$ is the smallest number such that $a$ is expressible as a product of $r$ primes.

Suppose
$$a = p_1 \cdots p_r = q_1 \cdots q_s.$$
Then
$$p_1 \mid q_1 \cdots q_s \implies p_1 \mid q_j$$
for some $j$. Since $q_j$ is irreducible, by Proposition 1.6, it follows that
$$q_j = \epsilon p_1,$$
where $\epsilon$ is a unit.

We may suppose, after re-ordering the $q$'s, that $j = 1$. Thus
$$p_1 \sim q_1.$$
If $r = 1$ then
$$a = p_1 = \epsilon p_1 q_2 \cdots q_s \implies 1 = \epsilon q_2 \cdots q_s.$$
If $s > 1$ this implies that $q_2, \dots, q_s$ are all units, which is absurd. Hence $s = 1$, and we are done.

If $r > 1$ then
$$q_1 = \epsilon p_1 \implies p_2 p_3 \cdots p_r = (\epsilon q_2) q_3 \cdots q_s$$
(absorbing the unit into $q_2$). The result now follows by our inductive hypothesis.
1.7 Polynomial rings

If $A$ is a commutative ring (with 1) then we denote by $A[x]$ the ring of polynomials
$$p(x) = a_n x^n + \cdots + a_0\quad (a_0, \dots, a_n \in A).$$
Note that these polynomials should be regarded as formal expressions rather than maps $p : A \to A$; for if $A$ is finite two different polynomials may well define the same map.

We identify $a \in A$ with the constant polynomial $f(x) = a$. Thus
$$A \subseteq A[x].$$

Proposition 1.8 If $A$ is an integral domain then so is $A[x]$.

Proof Suppose
$$f(x) = a_m x^m + \cdots + a_0,\quad g(x) = b_n x^n + \cdots + b_0,$$
where $a_m \ne 0$, $b_n \ne 0$. Then
$$f(x)g(x) = (a_m b_n) x^{m+n} + \cdots + a_0 b_0;$$
and the leading coefficient $a_m b_n \ne 0$.
Proposition 1.9 The units in $A[x]$ are just the units of $A$:
$$(A[x])^\times = A^\times.$$

Proof It is clear that $a \in A$ is a unit (ie invertible) in $A[x]$ if and only if it is a unit in $A$.

On the other hand, no non-constant polynomial $F(x) \in A[x]$ can be invertible, since
$$\deg F(x)G(x) \ge \deg F(x)$$
if $G(x) \ne 0$.

If $A$ is a field then we can divide one polynomial by another, obtaining a remainder with lower degree than the divisor. Thus degree plays the rôle in $k[x]$ played by size in $\mathbb{Z}$.

Proposition 1.10 Suppose $k$ is a field; and suppose $f(x), g(x) \in k[x]$, with $g(x) \ne 0$. Then there exist unique polynomials $q(x), r(x) \in k[x]$ such that
$$f(x) = g(x)q(x) + r(x),$$
where
$$\deg r(x) < \deg g(x).$$

Proof We prove the existence of $q(x), r(x)$ by induction on $\deg f(x)$.

Suppose
$$f(x) = a_m x^m + \cdots + a_0,\quad g(x) = b_n x^n + \cdots + b_0,$$
where $a_m \ne 0$, $b_n \ne 0$.

If $m < n$ then we can take $q(x) = 0$, $r(x) = f(x)$. We may suppose therefore that $m \ge n$. In that case, let
$$f_1(x) = f(x) - (a_m/b_n) x^{m-n} g(x).$$
Then
$$\deg f_1(x) < \deg f(x).$$
Hence, by the inductive hypothesis,
$$f_1(x) = g(x) q_1(x) + r(x),$$
where
$$\deg r(x) < \deg g(x);$$
and then
$$f(x) = g(x)q(x) + r(x),$$
with
$$q(x) = (a_m/b_n) x^{m-n} + q_1(x).$$

For uniqueness, suppose
$$f(x) = g(x) q_1(x) + r_1(x) = g(x) q_2(x) + r_2(x).$$
On subtraction,
$$g(x)q(x) = r(x),$$
where
$$q(x) = q_2(x) - q_1(x),\quad r(x) = r_1(x) - r_2(x).$$
But now, if $q(x) \ne 0$,
$$\deg(g(x)q(x)) \ge \deg g(x),\quad \deg r(x) < \deg g(x).$$
This is a contradiction. Hence
$$q(x) = 0,$$
ie
$$q_1(x) = q_2(x),\quad r_1(x) = r_2(x).$$
Proposition 1.11 If $k$ is a field then $k[x]$ is a principal ideal domain.

Proof As with $\mathbb{Z}$ we can prove this result in two ways: constructively, using the Euclidean Algorithm; or non-constructively, using ideals. This time we take the second approach.

Suppose
$$\mathfrak{a} \subseteq k[x]$$
is an ideal. If $\mathfrak{a} = 0$ the result is trivial; so we may assume that $\mathfrak{a} \ne 0$.

Let
$$d(x) \in \mathfrak{a}$$
be a polynomial in $\mathfrak{a}$ of minimal degree. Then
$$\mathfrak{a} = \langle d(x) \rangle.$$
For suppose $f(x) \in \mathfrak{a}$. Divide $f(x)$ by $d(x)$:
$$f(x) = d(x)q(x) + r(x),$$
where $\deg r(x) < \deg d(x)$. Then
$$r(x) = f(x) - d(x)q(x) \in \mathfrak{a}$$
since $f(x), d(x) \in \mathfrak{a}$. Hence, by the minimality of $\deg d(x)$,
$$r(x) = 0,$$
ie
$$f(x) = d(x)q(x).$$
By Proposition 1.7 this gives the result we really want.

Corollary 1.2 If $k$ is a field then $k[x]$ is a unique factorisation domain.

Every non-zero polynomial $f(x) \in k[x]$ is equivalent to a unique monic polynomial, namely that obtained by dividing by its leading term. Thus each prime, or irreducible, polynomial $p(x) \in k[x]$ has a unique monic representative; and we can restate the above Corollary in a simpler form.

Corollary 1.3 Each monic polynomial
$$f(x) = x^n + a_{n-1} x^{n-1} + \cdots + a_0$$
can be uniquely expressed (up to order) as a product of irreducible monic polynomials:
$$f(x) = p_1(x) \cdots p_r(x).$$
1.8 Postscript

We end this Chapter with a result that we don't really need, but which we have come so close to it would be a pity to omit.

Suppose $A$ is an integral domain. Let $K$ be the field of fractions of $A$. (Recall that $K$ consists of the formal expressions
$$\frac{a}{b},$$
with $a, b \in A$, $b \ne 0$; where we set
$$\frac{a}{b} = \frac{c}{d}$$
if $ad = bc$. The map
$$a \mapsto \frac{a}{1} : A \to K$$
is injective, allowing us to identify $A$ with a subring of $K$.)

The canonical injection
$$A \to K$$
evidently extends to an injection
$$A[x] \to K[x].$$
Thus we can regard $f(x) \in A[x]$ as a polynomial over $K$.

Proposition 1.12 If $A$ is a unique factorisation domain then so is $A[x]$.

Proof First we must determine the primes in $A[x]$.

Lemma 1.3 The element $p \in A$ is prime in $A[x]$ if and only if it is prime in $A$.

Proof of Lemma It is evident that
$$p \text{ prime in } A[x] \implies p \text{ prime in } A.$$
Conversely, suppose $p$ is prime in $A$; we must show that if $F(x), G(x) \in A[x]$ then
$$p \mid F(x)G(x) \implies p \mid F(x) \text{ or } p \mid G(x).$$
In other words,
$$p \nmid F(x),\ p \nmid G(x) \implies p \nmid F(x)G(x).$$
Suppose
$$F(x) = a_m x^m + \cdots + a_0,\quad G(x) = b_n x^n + \cdots + b_0;$$
and suppose
$$p \nmid F(x),\ p \nmid G(x).$$
Let $a_r, b_s$ be the highest coefficients of $F(x), G(x)$ not divisible by $p$. Then the coefficient of $x^{r+s}$ in $F(x)G(x)$ is
$$a_0 b_{r+s} + a_1 b_{r+s-1} + \cdots + a_r b_s + \cdots + a_{r+s} b_0 \equiv a_r b_s \bmod p,$$
since all the terms except $a_r b_s$ are divisible by $p$. Hence
$$p \mid a_r b_s \implies p \mid a_r \text{ or } p \mid b_s,$$
contrary to hypothesis. In other words,
$$p \nmid F(x)G(x).$$
Lemma 1.4 Suppose $f(x) \in K[x]$. Then $f(x)$ is expressible in the form
$$f(x) = \lambda F(x),$$
where $\lambda \in K$ and
$$F(x) = a_n x^n + \cdots + a_0 \in A[x]$$
with
$$\gcd(a_0, \dots, a_n) = 1;$$
and the expression is unique up to multiplication by a unit, ie if
$$f(x) = \lambda F(x) = \mu G(x),$$
where $G(x)$ has the same property, then
$$G(x) = \epsilon F(x),\quad \lambda = \epsilon \mu$$
for some unit $\epsilon \in A$.

Proof of Lemma Suppose
$$f(x) = \lambda_n x^n + \cdots + \lambda_0.$$
Let
$$\lambda_i = \frac{a_i}{b_i},$$
where $a_i, b_i \in A$; and let
$$b = \prod b_i.$$
Then
$$b f(x) = b_n x^n + \cdots + b_0 \in A[x].$$
Now let
$$d = \gcd(b_0, \dots, b_n).$$
Then
$$f(x) = (d/b)(c_n x^n + \cdots + c_0)$$
is of the required form, since
$$\gcd(c_0, \dots, c_n) = 1.$$

To prove uniqueness, suppose
$$f(x) = \lambda F(x) = \mu G(x).$$
Then
$$G(x) = \kappa F(x),$$
where $\kappa = \lambda/\mu$.

In a unique factorisation domain $A$ we can express any $\kappa \in K$ in the form
$$\kappa = \frac{a}{b},$$
with $\gcd(a, b) = 1$, since we can divide $a$ and $b$ by any common factor.

Thus
$$aF(x) = bG(x).$$
Let $p$ be a prime factor of $b$. Then
$$p \mid aF(x) \implies p \mid F(x),$$
contrary to our hypothesis on the coefficients of $F(x)$. Thus $b$ has no prime factors, ie $b$ is a unit; and similarly $a$ is a unit, and so $\kappa$ is a unit.
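Lemmas 1.3 and 1.4 in the case $A = \mathbb{Z}$, $K = \mathbb{Q}$, as an added Python example (not from the original notes): `primitive_form` follows the proof of Lemma 1.4 step by step (clear the denominators with $b = \prod b_i$, take $d = \gcd$ of the resulting coefficients, fix the unit $\pm 1$ by a sign convention), and `is_primitive` lets one check the content of Lemma 1.3, that a product of two polynomials with coprime coefficients again has coprime coefficients. Function names and the sample polynomials are mine.

```python
from fractions import Fraction
from functools import reduce
from math import gcd


def content(ints):
    """gcd of the integer coefficients (0 for the zero polynomial)."""
    return reduce(gcd, (abs(c) for c in ints), 0)


def is_primitive(ints):
    """True when the coefficients have no common prime factor (Lemma 1.4's F)."""
    return content(ints) == 1


def primitive_form(coeffs):
    """Lemma 1.4 for A = Z, K = Q: write f(x) = lam * F(x).

    coeffs are the coefficients of f in Q[x] from x^0 upwards (ints, strings
    such as "9/4", or Fractions). Returns (lam, F) with lam a Fraction and F a
    list of integers with gcd 1. The unit is fixed by making the leading
    coefficient of F positive, so F is unique, not merely unique up to sign.
    """
    lams = [Fraction(c) for c in coeffs]
    if all(c == 0 for c in lams):
        return Fraction(0), []
    b = 1
    for c in lams:
        b *= c.denominator                  # b = product of the b_i, as in the proof
    ints = [int(c * b) for c in lams]       # b f(x) lies in Z[x]
    d = content(ints)                       # d = gcd(b_0, ..., b_n)
    F = [c // d for c in ints]              # f(x) = (d/b) F(x) with F primitive
    if F[-1] < 0:                           # absorb the unit -1
        F, d = [-c for c in F], -d
    return Fraction(d, b), F


def poly_mul_int(f, g):
    """Product in Z[x], coefficients from x^0 upwards."""
    out = [0] * (len(f) + len(g) - 1)
    for i, a in enumerate(f):
        for j, c in enumerate(g):
            out[i + j] += a * c
    return out


if __name__ == "__main__":
    # Constructed sample: f(x) = -3 + (9/4) x + (3/2) x^2 in Q[x].
    lam, F = primitive_form(["-3", "9/4", "3/2"])
    print(f"f = ({lam}) * {F}")              # (3/4) * [-4, 3, 2]
    # Lemma 1.3 in action: a product of primitive polynomials is primitive.
    print(is_primitive(poly_mul_int(F, [5, 0, 7])))
```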
Lemma 1.5 A non-constant polynomial
$$F(x) = a_n x^n + \cdots + a_0 \in A[x]$$
is prime in $A[x]$ if and only if
1. $F(x)$ is prime (ie irreducible) in $K[x]$; and
2. $\gcd(a_0, \dots, a_n) = 1$.

Proof of Lemma Suppose $F(x)$ is prime in $A[x]$. Then certainly
$$\gcd(a_0, \dots, a_n) = 1,$$
otherwise $F(x)$ would be reducible.

Suppose $F(x)$ factors in $K[x]$; say
$$F(x) = g(x)h(x).$$
By Proposition 1.4,
$$g(x) = \lambda G(x),\quad h(x) = \mu H(x),$$
where $G(x), H(x)$ have no factors in $A$. Thus
$$F(x) = \kappa G(x)H(x),$$
where $\kappa \in K$. Let $\kappa = a/b$, where $a, b \in A$ and $\gcd(a, b) = 1$. Then
$$bF(x) = aG(x)H(x).$$
Suppose $p$ is a prime factor of $b$. Then
$$p \mid G(x) \text{ or } p \mid H(x),$$
neither of which is tenable. Hence $b$ has no prime factors, ie $b$ is a unit. But now
$$F(x) = ab^{-1} G(x)H(x);$$
and so $F(x)$ factors in $A[x]$.

Conversely, suppose $F(x)$ has the two given properties. We have to show that $F(x)$ is prime in $A[x]$.

Suppose
$$F(x) \mid G(x)H(x)$$
in $A[x]$.

If $F(x)$ is constant then
$$F(x) = a \sim 1$$
by the second property, so
$$F(x) \mid G(x) \text{ and } F(x) \mid H(x).$$
We may suppose therefore that $\deg F(x) \ge 1$. Since $K[x]$ is a unique factorisation domain (Corollary to Proposition 1.11),
$$F(x) \mid G(x) \text{ or } F(x) \mid H(x)$$
in $K[x]$. We may suppose without loss of generality that
$$F(x) \mid G(x)$$
in $K[x]$, say
$$G(x) = F(x)h(x),$$
where $h(x) \in K[x]$.

By Lemma 1.4 we can express $h(x)$ in the form
$$h(x) = \lambda H(x),$$
where the coefficients of $H(x)$ are factor-free. Writing
$$\lambda = \frac{a}{b},$$
with $\gcd(a, b) = 1$, we have
$$bG(x) = aF(x)H(x).$$
Suppose $p$ is a prime factor of $b$. Then
$$p \mid a \text{ or } p \mid F(x) \text{ or } p \mid H(x),$$
none of which is tenable. Hence $b$ has no prime factors, ie $b$ is a unit. Thus
$$F(x) \mid G(x)$$
in $A[x]$.
Now suppose
$$F(x) = a_n x^n + \cdots + a_0 \in A[x]$$
is not a unit in $A[x]$.

If $F(x)$ is constant, say $F(x) = a$, then the factorisation of $a$ into primes in $A$ is a factorisation into primes in $A[x]$, by Lemma 1.3. Thus we may assume that $\deg F(x) \ge 1$.

Since $K[x]$ is a unique factorisation domain (Corollary to Proposition 1.11), $F(x)$ can be factorised in $K[x]$:
$$F(x) = a_n p_1(x) \cdots p_s(x),$$
where $p_1(x), \dots, p_s(x)$ are irreducible monic polynomials in $K[x]$. By Lemmas 1.4 and 1.5 each $p_i(x)$ is expressible in the form
$$p_i(x) = \lambda_i P_i(x),$$
where $P_i(x)$ is prime in $A[x]$.

Thus
$$F(x) = \lambda P_1(x) \cdots P_r(x),$$
where
$$\lambda = a_n \lambda_1 \cdots \lambda_r \in K.$$
Let
$$\lambda = \frac{a}{b},$$
where $\gcd(a, b) = 1$. Then
$$bF(x) = a P_1(x) \cdots P_r(x).$$
Let $p$ be a prime factor of $b$. Then
$$p \mid P_i(x)$$
for some $i$, contrary to the definition of $P_i(x)$. Hence $b$ has no prime factors, ie $b$ is a unit.

If $a$ is a unit then we can absorb $\lambda = a/b$ into $P_1(x)$:
$$F(x) = Q(x) P_2(x) \cdots P_r(x),$$
where $Q(x) = (a/b) P_1(x)$.

If $a$ is not a unit then
$$ab^{-1} = p_1 \cdots p_s,$$
where $p_1, \dots, p_s$ are prime in $A$ (and so in $A[x]$ by Lemma 1.3); and
$$F(x) = p_1 \cdots p_s P_1(x) \cdots P_r(x),$$
as required.
Finally, to prove uniqueness, we may suppose that $\deg F(x) \ge 1$, since the result is immediate if $F(x) = a$ is constant.

Suppose
$$F(x) = p_1 \cdots p_s P_1(x) \cdots P_r(x) = q_1 \cdots q_{s'} Q_1(x) \cdots Q_{r'}(x).$$
Each $P_i(x), Q_j(x)$ is prime in $K[x]$ by Lemma 1.5. Since $K[x]$ is a unique factorisation domain (Corollary to Proposition 1.11) it follows that $r = r'$ and that after re-ordering,
$$Q_i(x) = \lambda P_i(x),$$
where $\lambda \in K^\times$. Let
$$\lambda = a/b$$
with $\gcd(a, b) = 1$. Then
$$a P_i(x) = b Q_i(x).$$
If $p$ is a prime factor of $b$ then
$$p \mid bQ_i(x) \implies p \mid Q_i(x),$$
contrary to the definition of $Q_i(x)$. Thus $b$ has no prime factors, and is therefore a unit. Similarly $a$ is a unit. Hence
$$Q_i(x) = \epsilon_i P_i(x),$$
where $\epsilon_i \in A$ is a unit.

Setting
$$\epsilon = \prod \epsilon_i,$$
we have
$$p_1 \cdots p_s = \epsilon q_1 \cdots q_{s'}.$$
Since $A$ is a unique factorisation domain, $s = s'$ and after re-ordering,
$$q_j = \eta_j p_j,$$
where $\eta_j \in A$ is a unit.

We conclude that the prime factors of $F(x)$ are unique up to order and equivalence (multiplication by units), ie $A[x]$ is a unique factorisation domain.

Example: There is unique factorisation in $\mathbb{Z}[x]$, since $\mathbb{Z}$ is a principal ideal domain by Proposition 1.3 and so a unique factorisation domain by Proposition 1.7.

Note that $\mathbb{Z}[x]$ is not a principal ideal domain, since eg the ideal
$$\mathfrak{a} = \langle 2, x \rangle,$$
consisting of all polynomials
$$F(x) = a_n x^n + \cdots + a_0$$
with $a_0$ even, is not principal:
$$\mathfrak{a} \ne \langle G(x) \rangle.$$
For if it were, its generator $G(x)$ would have to be constant, since $\mathfrak{a}$ contains non-zero constants, and
$$\deg G(x)H(x) \ge \deg G(x)$$
if $H(x) \ne 0$. But if $G(x) = d$ then
$$\mathfrak{a} \cap \mathbb{Z} = \langle 2 \rangle \implies d = \pm 2,$$
ie $\mathfrak{a}$ consists of all polynomials with even coefficients. Since $x \in \mathfrak{a}$ is not of this form we conclude that $\mathfrak{a}$ is not principal.
Chapter 2
Number fields
2.1 Algebraic numbers
Definition 2.1 A number α ∈ C is said to be algebraic if it satisfies a polynomial equation
f(x) = x^n + a_1 x^{n−1} + ··· + a_n = 0
with rational coefficients a_i ∈ Q.
For example, √2 and i/2 are algebraic.
A complex number is said to be transcendental if it is not algebraic. Both e and π are transcendental. It is in general extremely difficult to prove a number transcendental, and there are many open problems in this area, eg it is not known
if
e
is transcendental.
Proposition 2.1 The algebraic numbers form a field
Q̄ ⊂ C.
Proof If α satisfies the equation f(x) = 0 then −α satisfies f(−x) = 0, while 1/α satisfies x^n f(1/x) = 0 (where n is the degree of f(x)). It follows that −α and 1/α are both algebraic. Thus it is sufficient to show that if α, β are algebraic then so are α + β, αβ.
Suppose α satisfies the equation
f(x) ≡ x^m + a_1 x^{m−1} + ··· + a_m = 0,
and β the equation
g(x) ≡ x^n + b_1 x^{n−1} + ··· + b_n = 0.
Consider the vector space
V = ⟨α^i β^j : 0 ≤ i < m, 0 ≤ j < n⟩
over Q spanned by the mn elements α^i β^j. Evidently
α + β, αβ ∈ V.
But if γ ∈ V then the mn + 1 elements
1, γ, γ^2, ..., γ^{mn}
are necessarily linearly dependent (over Q), since dim V ≤ mn. In other words γ satisfies a polynomial equation of degree ≤ mn. Thus each element γ ∈ V is algebraic. In particular α + β and αβ are algebraic.
2.2 Minimal polynomials and conjugates
Recall that a polynomial p(x) is said to be monic if its leading coefficient (the coefficient of the highest power of x) is 1:
p(x) = x^n + a_1 x^{n−1} + ··· + a_n.
Proposition 2.2 Each algebraic number α ∈ Q̄ satisfies a unique monic polynomial m(x) of minimal degree.
Proof Suppose α satisfies two monic polynomials m_1(x), m_2(x) of minimal degree d. Then α also satisfies the polynomial
p(x) = m_1(x) − m_2(x)
of degree < d; and if p(x) ≠ 0 then we can make it monic by dividing by its leading coefficient. This would contradict the minimality of m_1(x). Hence
m_1(x) = m_2(x).
Definition 2.2 The monic polynomial m(x) satisfied by α ∈ Q̄ is called the minimal polynomial of α. The degree of the algebraic number α is the degree of its minimal polynomial m(x).
Proposition 2.3 The minimal polynomial m(x) of α ∈ Q̄ is irreducible.
Proof Suppose to the contrary
m(x) = f(x)g(x)
where f(x), g(x) are of lower degrees than m(x). But then α must be a root of one of f(x), g(x).
Definition 2.3 Two algebraic numbers α, β are said to be conjugate if they have the same minimal polynomial.
Proposition 2.4 An algebraic number α of degree d has just d conjugates.
Proof If the minimal polynomial of α is
m(x) = x^d + a_1 x^{d−1} + ··· + a_d,
then by definition the conjugates of α are the d roots
α_1 = α, α_2, ..., α_d
of m(x):
m(x) = (x − α_1)(x − α_2) ··· (x − α_d).
These conjugates are distinct, since an irreducible polynomial m(x) over Q is necessarily separable, ie it cannot have a repeated root. For if α were a repeated root of m(x), ie
(x − α)^2 | m(x)
then
(x − α) | m′(x),
and so
(x − α) | d(x) = gcd(m(x), m′(x)).
But
d(x) | m(x)
and
1 ≤ deg(d(x)) ≤ d − 1,
contradicting the irreducibility of m(x).
2.3 Algebraic number fields
Proposition 2.5 Every subfield K ⊂ C contains the rationals Q:
Q ⊂ K ⊂ C.
Proof By definition, 1 ∈ K. Hence
n = 1 + ··· + 1 ∈ K
for each integer n > 0.
By definition, K is an additive subgroup of C. Hence −1 ∈ K; and so
−n = (−1)n ∈ K
for each integer n > 0. Thus
Z ⊂ K.
Finally, since K is a field, each rational number
r = n/d ∈ K
where n, d ∈ Z with d ≠ 0.
We can consider any subfield K ⊂ C as a vector space over Q.
Definition 2.4 A number field (or more precisely, an algebraic number field) is a subfield K ⊂ C which is of finite dimension as a vector space over Q. If
dim_Q K = d
then K is said to be a number field of degree d.
Proposition 2.6 There is a smallest number field K containing the algebraic numbers α_1, ..., α_r.
Proof Every intersection (finite or infinite) of subfields of C is a subfield of C; so there is a smallest subfield K containing the given algebraic numbers, namely the intersection of all subfields containing these numbers. We have to show that this field is a number field, ie of finite dimension over Q.
Lemma 2.1 Suppose V ⊂ C is a finite-dimensional vector space over Q. Then V is a number field if and only if it is closed under multiplication.
Proof of Lemma If V is a number field then it is certainly closed under multiplication.
Conversely, if this is so then V is closed under addition and multiplication; so we only have to show that it is closed under division by non-zero elements.
Suppose α ∈ V, α ≠ 0. Consider the map
x ↦ αx : V → V.
This is a linear map over Q; and it is injective since
αx = 0 ⇒ x = 0.
Since V is finite-dimensional it follows that the map is surjective; in particular,
αx = α
for some x ∈ V, ie
x = 1 ∈ V.
Moreover
αx = 1
for some x ∈ V, ie α is invertible. Hence V is a field.
Now suppose α_i is of degree d_i (ie satisfies a polynomial equation of degree d_i over Q). Consider the vector space (over Q)
V = ⟨α_1^{i_1} ··· α_r^{i_r} : 0 ≤ i_1 < d_1, ..., 0 ≤ i_r < d_r⟩.
It is readily verified that
α_i V ⊂ V,
and so
V V ⊂ V,
ie V is closed under multiplication.
It follows that V is a field; and since any field containing α_1, ..., α_r must contain these products, V is the smallest field containing α_1, ..., α_r. Moreover V is a number field since
dim_Q V ≤ d_1 ··· d_r.
Definition 2.5 We denote the smallest field containing α_1, ..., α_r ∈ C by Q(α_1, ..., α_r).
Proposition 2.7 If α is an algebraic number of degree d then each element of Q(α) is uniquely expressible in the form
a_0 + a_1 α + ··· + a_{d−1} α^{d−1} (a_0, a_1, ..., a_{d−1} ∈ Q).
Proof It follows as in the proof of Proposition 2.6 that these elements do constitute the field Q(α). And if two of the elements were equal then α would satisfy an equation of degree < d, which could be made monic by dividing by the leading coefficient.
A number field of the form K = Q(α), ie generated by a single algebraic number α, is said to be simple. Our next result shows that, surprisingly, every number field is simple. The proof is more subtle than might appear at first sight.
Proposition 2.8 Every number field K can be generated by a single algebraic number:
K = Q(θ).
Proof It is evident that
K = Q(α_1, ..., α_r);
for if we successively adjoin algebraic numbers
α_{i+1} ∈ K \ Q(α_1, ..., α_i)
then
dim Q(α_1) < dim Q(α_1, α_2) < dim Q(α_1, α_2, α_3) < ···
and so K must be attained after at most dim_Q K adjunctions.
Thus it is sufficient to prove the result when r = 2, ie to show that, for any two algebraic numbers α, β,
Q(α, β) = Q(θ).
Let p(x) be the minimal polynomial of α, and q(x) the minimal polynomial of β. Suppose α_1 = α, ..., α_m are the conjugates of α and β_1 = β, ..., β_n the conjugates of β. Let
θ = α + aβ,
where a ∈ Q is chosen so that the mn numbers
α_i + aβ_j
are all distinct. This is certainly possible, since
α_i + aβ_j = α_{i′} + aβ_{j′} ⇒ a = (α_{i′} − α_i)/(β_j − β_{j′}).
Thus a has to avoid at most mn(mn − 1)/2 values.
Since
α = θ − aβ,
and
p(α) = 0,
β satisfies the equation
p(θ − ax) = 0.
This is a polynomial equation over the field k = Q(θ).
But β also satisfies the equation
q(x) = 0.
It follows that β satisfies the equation
d(x) = gcd(p(θ − ax), q(x)) = 0.
Now
(x − β) | d(x)
since β is a root of both polynomials. Also, since
d(x) | q(x) = (x − β_1) ··· (x − β_n),
d(x) must be the product of certain of the factors (x − β_j). Suppose (x − β_j) is one such factor. Then β_j is a root of p(θ − ax), ie
p(θ − aβ_j) = 0.
Thus
θ − aβ_j = α_i
for some i. Hence
θ = α_i + aβ_j.
But this implies that i = 1, j = 1, since we chose a so that the elements α_i + aβ_j were all distinct.
Thus
d(x) = (x − β).
But if u(x), v(x) ∈ k[x] then we can compute gcd(u(x), v(x)) by the euclidean algorithm without leaving the field k, ie
u(x), v(x) ∈ k[x] ⇒ gcd(u(x), v(x)) ∈ k[x].
In particular, in our case
x − β ∈ k = Q(θ).
But this means that
β ∈ Q(θ);
and so also
α = θ − aβ ∈ Q(θ).
Thus
α, β ∈ Q(θ) ⇒ Q(α, β) ⊂ Q(θ) ⊂ Q(α, β).
Hence
Q(α, β) = Q(θ).
2.4 Algebraic integers
Definition 2.6 A number α ∈ C is said to be an algebraic integer if it satisfies a polynomial equation
f(x) = x^n + a_1 x^{n−1} + ··· + a_n = 0
with integral coefficients a_i ∈ Z. We denote the set of algebraic integers by Z̄.
Proposition 2.9 The algebraic integers form a ring Z̄ with
Z ⊂ Z̄ ⊂ Q̄.
Proof Evidently
Z ⊂ Z̄,
since n ∈ Z satisfies the equation
x − n = 0.
We have to show that
α, β ∈ Z̄ ⇒ α + β, αβ ∈ Z̄.
Lemma 2.2 The number α ∈ C is an algebraic integer if and only if there exists a finitely-generated (but non-zero) additive subgroup S ⊂ C such that
αS ⊂ S.
Proof of Lemma Suppose α ∈ Z̄; and suppose the minimal polynomial of α is
m(x) = x^d + a_1 x^{d−1} + ··· + a_d,
where a_1, ..., a_d ∈ Z. Let S be the abelian group generated by 1, α, ..., α^{d−1}:
S = ⟨1, α, ..., α^{d−1}⟩.
Then it is readily verified that
αS ⊂ S.
Conversely, suppose S is such a subgroup.
If α is a root of the monic polynomial f(x) then −α is a root of the monic polynomial ±f(−x). It follows that if α is an algebraic integer then so is −α. Thus it is sufficient to show that if α, β are algebraic integers then so are α + β, αβ.
Suppose α satisfies the equation
f(x) ≡ x^m + a_1 x^{m−1} + ··· + a_m = 0 (a_1, ..., a_m ∈ Z),
and β the equation
g(x) ≡ x^n + b_1 x^{n−1} + ··· + b_n = 0 (b_1, ..., b_n ∈ Z).
Consider the abelian group (or Z-module)
M = ⟨α^i β^j : 0 ≤ i < m, 0 ≤ j < n⟩
generated by the mn elements α^i β^j. Evidently
α + β, αβ ∈ M.
As a finitely-generated torsion-free abelian group, M is isomorphic to Z^d for some d. Moreover M is noetherian, ie every increasing sequence of subgroups of M is stationary: if
S_1 ⊂ S_2 ⊂ S_3 ⊂ ··· ⊂ M
then for some N,
S_N = S_{N+1} = S_{N+2} = ···.
Suppose γM ⊂ M. Consider the increasing sequence of subgroups
⟨1⟩ ⊂ ⟨1, γ⟩ ⊂ ⟨1, γ, γ^2⟩ ⊂ ···.
This sequence must become stationary; that is to say, for some N
γ^N ∈ ⟨1, γ, ..., γ^{N−1}⟩.
In other words, γ satisfies an equation of the form
γ^N = a_1 γ^{N−1} + a_2 γ^{N−2} + ···.
Thus every γ ∈ M is an algebraic integer. In particular α + β and αβ are algebraic integers.
Proposition 2.10 A rational number c ∈ Q is an algebraic integer if and only if it is a rational integer:
Z̄ ∩ Q = Z.
Proof Suppose c = m/n, where gcd(m, n) = 1; and suppose c satisfies the equation
x^d + a_1 x^{d−1} + ··· + a_d = 0 (a_i ∈ Z).
Then
m^d + a_1 m^{d−1} n + ··· + a_d n^d = 0.
Since n divides every term after the first, it follows that n | m^d. But that is incompatible with gcd(m, n) = 1, unless n = ±1, ie c ∈ Z.
Proposition 2.11 Every algebraic number α is expressible in the form
α = β/n,
where β is an algebraic integer, and n ∈ Z.
Proof Let the minimal polynomial of α be
m(x) = x^d + a_1 x^{d−1} + ··· + a_d,
where a_1, ..., a_d ∈ Q. Let the lcm of the denominators of the a_i be n. Then
b_i = na_i ∈ Z (1 ≤ i ≤ d).
Now α satisfies the equation
nx^d + b_1 x^{d−1} + ··· + b_d = 0.
It follows that
β = nα
satisfies the equation
x^d + b_1 x^{d−1} + (nb_2)x^{d−2} + ··· + (n^{d−1} b_d) = 0.
Thus β is an integer, as required.
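The scaling in the proof of Proposition 2.11 is entirely mechanical, so here it is as an added Python example (not part of the original notes): from the rational coefficients of a monic minimal polynomial it computes n and the integer coefficients of the monic polynomial satisfied by β = nα. The sample polynomial x² − x − 7/4 (minimal polynomial of (1 + 2√2)/2) is constructed for illustration; the function names are mine.

```python
from fractions import Fraction
from math import lcm

def integral_scaling(coeffs):
    """coeffs = [a_1, ..., a_d] are the rational coefficients of the monic
    minimal polynomial m(x) = x^d + a_1 x^(d-1) + ... + a_d of alpha.
    Returns (n, B): n is the lcm of the denominators and B = [1, B_1, ..., B_d]
    are the integer coefficients of the monic polynomial satisfied by
    beta = n*alpha, namely B_i = n^(i-1) * (n a_i) as in the proof."""
    coeffs = [Fraction(a) for a in coeffs]
    n = lcm(*(a.denominator for a in coeffs)) if coeffs else 1
    b = [n * a for a in coeffs]                     # b_i = n a_i, all integers now
    assert all(x.denominator == 1 for x in b)
    B = [1] + [int(b[i] * n ** i) for i in range(len(b))]   # n^i * b_(i+1)
    return n, B

def eval_poly(B, x):
    """Horner evaluation of B[0] x^d + B[1] x^(d-1) + ... + B[d] at x."""
    acc = Fraction(0)
    for c in B:
        acc = acc * x + c
    return acc

if __name__ == "__main__":
    # constructed sample: alpha = (1 + 2*sqrt 2)/2 has minimal polynomial x^2 - x - 7/4
    n, B = integral_scaling([Fraction(-1), Fraction(-7, 4)])
    print(n, B)          # 4 [1, -4, -28]: beta = 2 + 4*sqrt 2 satisfies x^2 - 4x - 28 = 0
```

Running the block prints the scaled polynomial; the float check below confirms that β = 2 + 4√2 is a root of it to rounding error.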
The following result goes in the opposite direction.
Proposition 2.12 Suppose α is an algebraic integer. Then we can find an algebraic integer β ≠ 0 such that
αβ ∈ Z.
Proof Let the minimal polynomial of α be
m(x) = x^d + a_1 x^{d−1} + ··· + a_d,
where a_1, ..., a_d ∈ Z. Recall that the conjugates of α,
α_1 = α, ..., α_d
are the roots of the minimal equation.
Each of these conjugates is an algebraic integer, since its minimal equation m(x) has integer coefficients. Hence
β = α_2 ··· α_d
is an algebraic integer; and
αβ = α_1 α_2 ··· α_d = ±a_d ∈ Z.
2.5 Units
Definition 2.7 A number ε ∈ C is said to be a unit if both ε and 1/ε are algebraic integers.
Any root of unity, ie any number satisfying x^n = 1 for some n, is a unit. But these are not the only units; for example, √2 − 1 is a unit.
The units form a multiplicative subgroup of Q̄^×.
2.6 The Integral Basis Theorem
Proposition 2.13 Suppose A is a number ring. Then we can find α_1, ..., α_d ∈ A such that each α ∈ A is uniquely expressible in the form
α = c_1 α_1 + ··· + c_d α_d
with c_1, ..., c_d ∈ Z.
In other words, as an additive group
A ≅ Z^d.
We may say that α_1, ..., α_d is a Z-basis for A.
Proof Suppose A is the ring of integers in the number field K. By Proposition 2.8,
K = Q(θ).
By Proposition 2.12,
θ = β/m,
where β ∈ Z̄, m ∈ Z. Since
Q(θ) = Q(β),
we may suppose that θ is an integer.
Let
m(x) = x^d + a_1 x^{d−1} + ··· + a_d
be the minimal polynomial of θ; and let
θ_1 = θ, ..., θ_d
be the roots of this polynomial, ie the conjugates of θ.
Note that these conjugates satisfy exactly the same set of polynomials over Q; for
p(θ) = 0 ⟺ m(x) | p(x) ⟺ p(θ_i) = 0.
Now suppose α ∈ A. Then
α = b_0 + b_1 θ + ··· + b_{d−1} θ^{d−1},
where b_0, ..., b_{d−1} ∈ Q, say
α = f(θ)
with f(x) ∈ Q[x].
Let
α_i = b_0 + b_1 θ_i + ··· + b_{d−1} θ_i^{d−1}
for i = 1, ..., d.
Each α_i satisfies the same set of polynomials over Q as α; for
p(α) = 0 ⟺ p(f(θ)) = 0 ⟺ p(f(θ_i)) = 0 ⟺ p(α_i) = 0.
In particular, each α_i has the same minimal polynomial as α, and so each α_i is an integer.
We may regard the formulae for the α_i as linear equations for the coefficients b_0, ..., b_{d−1}:
b_0 + θ_1 b_1 + ··· + θ_1^{d−1} b_{d−1} = α_1,
...
b_0 + θ_d b_1 + ··· + θ_d^{d−1} b_{d−1} = α_d.
We can write this as a matrix equation
D (b_0, ..., b_{d−1})^T = (α_1, ..., α_d)^T,
where D is the matrix
D = [ 1 θ_1 ... θ_1^{d−1} ; ... ; 1 θ_d ... θ_d^{d−1} ].
By a familiar argument,
det [ 1 x_1 ... x_1^{d−1} ; ... ; 1 x_d ... x_d^{d−1} ] = ∏_{i<j} (x_i − x_j).
(The determinant vanishes whenever x_i = x_j since then two rows are equal. Hence (x_i − x_j) is a factor for each pair i, j; from which the result follows on comparing degrees and leading coefficients.)
Thus
det D = ∏_{i<j} (θ_i − θ_j).
In particular, det D is an integer.
On solving the equations for b_0, ..., b_{d−1} by Cramer's rule, we deduce that
b_i = D_i / det D,
where D_i is a co-factor of the matrix D, and so a polynomial in θ_1, ..., θ_d with coefficients in Z, and therefore an algebraic integer.
By Proposition 2.12, we can find an integer γ such that
γ det D = n ∈ Z,
where we may suppose that n > 0. Thus each b_i is expressible in the form
b_i = β_i / n,
where
β_i ∈ Z̄ ∩ Q = Z.
In other words, each α ∈ A is expressible in the form
α = c_0 ω_0 + ··· + c_{d−1} ω_{d−1},
where
ω_i = θ^i / n
and
c_i ∈ Z (0 ≤ i < d).
The elements
c_0 ω_0 + ··· + c_{d−1} ω_{d−1} (c_i ∈ Z)
form a finitely-generated and torsion-free abelian group C, of rank d; and A is a subgroup of C of finite index. We need the following standard result from the theory of finitely-generated abelian groups.
Lemma 2.3 If
S ⊂ Z^d
is a subgroup of finite index then
S ≅ Z^d.
Proof of Lemma We have to construct a Z-basis for S. We argue by induction on d.
Choose an element
e = (e_1, ..., e_d) ∈ S
with least positive last coordinate e_d. Suppose
s = (s_1, ..., s_d) ∈ S.
Then
s_d = qe_d,
or we could find an element of S with smaller last coordinate. Thus
s − qe = (t_1, ..., t_{d−1}, 0).
Hence
S = Ze ⊕ T,
where
T = S ∩ Z^{d−1}
(identifying Z^{d−1} with the subgroup of Z^d formed by the d-tuples with last coordinate 0).
The result follows on applying the inductive hypothesis to T.
The Proposition follows on applying the Lemma to
A ⊂ C ≅ Z^d.
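The induction in the proof of Lemma 2.3 is an algorithm: reduce the last coordinates by Euclid's algorithm until one generator has the least positive last coordinate, split off the Z-multiple of that generator, and recurse on the sublattice with last coordinate 0. The following Python example, added here and not part of the original notes, carries it out on generator lists; the sample sublattices of Z² and Z³ are constructed for illustration, and the function names are mine.

```python
def z_basis(gens):
    """Constructive Lemma 2.3: given integer vectors generating a subgroup S
    of Z^d, return a Z-basis of S in lower-triangular form.  Mirrors the proof:
    find e in S with least positive last coordinate (Euclid on the last
    coordinates), split off Z e, recurse on T = S intersect Z^(d-1)."""
    vecs = [list(v) for v in gens if any(v)]
    if not vecs:
        return []
    d = len(vecs[0])
    while True:
        nz = [v for v in vecs if v[-1] != 0]
        if len(nz) <= 1:
            break
        nz.sort(key=lambda v: abs(v[-1]))
        e = nz[0]
        for v in nz[1:]:                     # reduce the other last coordinates mod e[-1]
            q = v[-1] // e[-1]
            for k in range(d):
                v[k] -= q * e[k]
    e = next((v for v in vecs if v[-1] != 0), None)
    rest = [v[:-1] for v in vecs if v is not e]   # all remaining vectors end in 0
    basis = [t + [0] for t in z_basis(rest)]      # basis of T, re-embedded in Z^d
    if e is not None:
        if e[-1] < 0:
            e = [-x for x in e]
        basis.append(e)
    return basis

def lattice_index(basis, d):
    """|Z^d / S| for a triangular basis from z_basis (product of the diagonal);
    0 when S has infinite index, ie fewer than d basis vectors."""
    if len(basis) < d:
        return 0
    prod = 1
    for i, v in enumerate(basis):
        prod *= abs(v[i])
    return prod

if __name__ == "__main__":
    # constructed sample: the subgroup of Z^2 generated by (2,0), (0,2), (1,1) has index 2
    b = z_basis([[2, 0], [0, 2], [1, 1]])
    print(b, lattice_index(b, 2))    # [[2, 0], [1, 1]] 2
```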
2.7 Unique factorisation in number rings
As we saw in Chapter 1, a principal ideal domain is a unique factorisation domain. The converse is not true; there is unique factorisation in Z[x], but the ideal ⟨2, x⟩ is not principal. Our main aim in this Section is to show that the converse does hold for number rings A:
A principal ideal domain ⟺ A unique factorisation domain.
We suppose throughout the Section that A is a number ring, ie the ring of integers in a number field K.
Proposition 2.14 Suppose 𝔞 ⊂ A is a non-zero ideal. Then the quotient-ring
A/𝔞
is finite.
Proof Take α ∈ 𝔞, α ≠ 0. By Proposition 1.8, we can find β ∈ A, β ≠ 0 such that
αβ = a ∈ Z.
We may suppose that a > 0. Then
⟨a⟩ ⊂ ⟨α⟩ ⊂ 𝔞.
Thus
γ ≡ γ′ mod a ⇒ γ ≡ γ′ mod 𝔞.
By Proposition 2.13, A has an integral basis α_1, ..., α_d, ie each γ ∈ A is (uniquely) expressible in the form
γ = c_1 α_1 + ··· + c_d α_d
with c_1, ..., c_d ∈ Z. It follows that γ is congruent mod a to one of the numbers
r_1 α_1 + ··· + r_d α_d (0 ≤ r_i < a).
Thus
|A/⟨a⟩| = a^d.
Hence
|A/𝔞| ≤ a^d.
Proposition 2.15 The number ring A is a unique factorisation domain if and only if it is a principal ideal domain.
Proof We know from Chapter 1 that
A principal ideal domain ⇒ A unique factorisation domain.
We have to prove the converse.
Let us suppose therefore that the number ring A is a unique factorisation domain.
Lemma 2.4 Suppose
=
e
1
1

e
r
r
, =

f
1
1

f
r
r
.
Let
=
min(e
1
,f
1
)
1

min(e
r
,f
r
)
r
.
Then
= gcd(, )
in the sense that
[ , [ and

[ , [ =

[ .
Proof of Lemma This follows at once from unique factorisation.
Lemma 2.5 If

1

2
mod
then
gcd(,
1
) = gcd(,
2
).
Proof of Lemma It is readily veried that if

1
=
2
+
then
[ ,
1
[ ,
2
.

We say that , are coprime if


gcd(, ) = 1.
It follows from the Lemma that we may speak of a congruence class

mod
being coprime to .
Lemma 2.6 The congruence classes mod coprime to form a multiplicative
group
(A/))

.
Proof of Lemma We have
gcd(,
1

2
) = 1 gcd(,
1
) = 1, gcd(,
2
) = 1.
Thus (A/))

is closed under multiplication; and if is coprime to then the


map


: (A/))

(A/))

is injective, and so surjective since A/) is nite. Hence (A/))

is a group.

Lemma 2.7 Suppose
gcd(α, β) = δ.
Then we can find u, v ∈ A such that
uα + vβ = δ.
Proof of Lemma We may suppose, on dividing by δ, that
gcd(α, β) = 1,
and so
α ∈ (A/⟨β⟩)^×.
Since this group is finite,
α^n = 1
for some n > 0. In other words,
α^n ≡ 1 mod β,
ie
α^n = 1 + γβ,
ie
uα + vβ = 1
with u = α^{n−1}, v = −γ.
We can extend the definition of gcd to any set (finite or infinite) of numbers
α_i ∈ A (i ∈ I),
and by repeated application of the last Lemma we can find λ_i (all but a finite number equal to 0) such that
∑_{i∈I} λ_i α_i = gcd_{i∈I}(α_i).
Applying this to the ideal 𝔞, let
δ = gcd_{α∈𝔞}(α).
Then
δ = ∑ λ_i α_i ∈ 𝔞;
and so
𝔞 = ⟨δ⟩.
Chapter 3
Quadratic Number Fields
3.1 The fields Q(√m)
Definition 3.1 A quadratic field is a number field of degree 2.
Recall that this means the field k has dimension 2 as a vector space over Q:
dim_Q k = 2.
Definition 3.2 The integer m ∈ Z is said to be square-free if
m = r^2 s ⇒ r = ±1.
Thus
1, 2, 3, 5, 6, 7, 10, 11, 13, ...
are square-free.
Proposition 3.1 Each quadratic field is of the form Q(√m) for a unique square-free integer m ≠ 1.
Recall that Q(√m) consists of the numbers
x + y√m (x, y ∈ Q).
Proof Suppose k is a quadratic field. Let α ∈ k \ Q. Then α^2, α, 1 are linearly dependent over Q, since dim_Q k = 2. In other words, α satisfies a quadratic equation
a_0 α^2 + a_1 α + a_2 = 0
with a_0, a_1, a_2 ∈ Q. We may assume that a_0, a_1, a_2 ∈ Z. Then
α = (−a_1 ± √(a_1^2 − 4a_0 a_2)) / (2a_0).
Thus
√(a_1^2 − 4a_0 a_2) = ±(2a_0 α + a_1) ∈ k.
Let
a_1^2 − 4a_0 a_2 = r^2 m
where m is square-free. Then
√m = (1/r) √(a_1^2 − 4a_0 a_2) ∈ k.
Thus
Q ⊂ Q(√m) ⊂ k.
Since dim_Q k = 2,
k = Q(√m).
To see that different square-free integers m_1, m_2 give rise to different quadratic fields, suppose
√m_1 ∈ Q(√m_2),
say
√m_1 = x + y√m_2 (x, y ∈ Q).
Squaring,
m_1 = x^2 + m_2 y^2 + 2xy√m_2.
Thus either x = 0 or y = 0 or
√m_2 ∈ Q,
all of which are absurd.
When we speak of the quadratic field Q(√m) it is understood that m is a square-free integer ≠ 1.
Definition 3.3 The quadratic field Q(√m) is said to be real if m > 0, and imaginary if m < 0.
This is a natural definition since it means that Q(√m) is real if and only if
Q(√m) ⊂ R.
3.2 Conjugates and norms
Proposition 3.2 The map
x + y√m ↦ x − y√m
is an automorphism of Q(√m); and it is the only such automorphism apart from the identity map.
Proof The map clearly preserves addition. It also preserves multiplication, since
(x + y√m)(u + v√m) = (xu + yvm) + (xv + yu)√m,
and so
(x − y√m)(u − v√m) = (xu + yvm) − (xv + yu)√m.
Since the map is evidently bijective, it is an automorphism.
Conversely, if σ is an automorphism of Q(√m) then σ preserves the elements of Q; in fact if α ∈ Q then
σ(α) = α.
Thus
σ(√m)^2 = σ(m) = m ⇒ σ(√m) = ±√m,
giving the identity automorphism and the automorphism above.
Definition 3.4 If
α = x + y√m (x, y ∈ Q)
then we write
ᾱ = x − y√m
and we call ᾱ the conjugate of α.
Note that if Q(√m) is imaginary (ie m < 0) then the conjugate coincides with the usual complex conjugate.
Definition 3.5 We define the norm ‖α‖ of α ∈ Q(√m) by
‖α‖ = αᾱ.
Thus if
α = x + y√m (x, y ∈ Q)
then
‖α‖ = (x + y√m)(x − y√m) = x^2 − my^2.
Proposition 3.3
1. ‖α‖ ∈ Q;
2. ‖α‖ = 0 ⟺ α = 0;
3. ‖αβ‖ = ‖α‖‖β‖;
4. If a ∈ Q then ‖a‖ = a^2;
5. If m < 0 then ‖α‖ ≥ 0.
Proof All is clear except perhaps the third part, where
‖αβ‖ = (αβ)(αβ)‾ = (αβ)(ᾱβ̄) = (αᾱ)(ββ̄) = ‖α‖‖β‖.
3.3 Integers
Proposition 3.4 Suppose k = Q(√m), where m ≠ 1 is square-free.
1. If m ≢ 1 mod 4 then the integers in k are the numbers
a + b√m,
where a, b ∈ Z.
2. If m ≡ 1 mod 4 then the integers in k are the numbers
a/2 + (b/2)√m,
where a, b ∈ Z and
a ≡ b mod 2,
ie a, b are either both even or both odd.
Proof Suppose
α = a + b√m (a, b ∈ Q)
is an integer. Recall that an algebraic number is an integer if and only if its minimal polynomial has integer coefficients. If b = 0 the minimal polynomial of α is x − a. Thus α = a is an integer if and only if a ∈ Z (as we know of course since Z̄ ∩ Q = Z).
If b ≠ 0 then the minimal polynomial of α is
(x − a)^2 − mb^2 = x^2 − 2ax + (a^2 − mb^2).
Thus α is an integer if and only if
2a ∈ Z and a^2 − mb^2 ∈ Z.
Suppose 2a = A, ie
a = A/2.
Then
4a^2 ∈ Z, a^2 − mb^2 ∈ Z ⇒ 4mb^2 ∈ Z
⇒ 4b^2 ∈ Z
⇒ 2b ∈ Z
since m is square-free. Thus
b = B/2,
where B ∈ Z.
Now
a^2 − mb^2 = (A^2 − mB^2)/4 ∈ Z,
ie
A^2 − mB^2 ≡ 0 mod 4.
If A is even then
2 | A ⇒ 4 | A^2 ⇒ 4 | mB^2 ⇒ 2 | B^2 ⇒ 2 | B;
and similarly
2 | B ⇒ 4 | B^2 ⇒ 4 | A^2 ⇒ 2 | A.
Thus A, B are either both even, in which case a, b ∈ Z, or both odd, in which case
A^2, B^2 ≡ 1 mod 4,
so that
1 − m ≡ 0 mod 4,
ie
m ≡ 1 mod 4.
Conversely if m ≡ 1 mod 4 then
A, B odd ⇒ A^2 − mB^2 ≡ 0 mod 4 ⇒ a^2 − mb^2 ∈ Z.
It is sometimes convenient to express the result in the following form.
Corollary 3.1 Let
ω = √m if m ≢ 1 mod 4,
ω = (1 + √m)/2 if m ≡ 1 mod 4.
Then the integers in Q(√m) form the ring Z[ω].
Examples:
1. The integers in the gaussian field Q(i) are the gaussian integers
a + bi (a, b ∈ Z).
2. The integers in Q(√2) are the numbers
a + b√2 (a, b ∈ Z).
3. The integers in Q(√−3) are the numbers
a + bω (a, b ∈ Z)
where
ω = (1 + √−3)/2.
Proposition 3.5 If α ∈ Q(√m) is an integer then
‖α‖ ∈ Z.
Proof If α is an integer then so is its conjugate ᾱ (since α, ᾱ satisfy the same polynomial equations over Q). Hence
‖α‖ = αᾱ ∈ Z̄ ∩ Q = Z.
3.4 Units
Proposition 3.6 An integer ε ∈ Q(√m) is a unit if and only if
‖ε‖ = ±1.
Proof Suppose ε is a unit, say
εη = 1.
Then
‖ε‖‖η‖ = ‖1‖ = 1.
Hence
‖ε‖ = ±1.
Conversely, suppose
‖ε‖ = ±1,
ie
εε̄ = ±1.
Then
ε^{−1} = ±ε̄
is an integer, ie ε is a unit.
Proposition 3.7 An imaginary quadratic number field contains only a finite number of units.
1. The units in Q(i) are ±1, ±i;
2. The units in Q(√−3) are ±1, ±ω, ±ω^2, where ω = (1 + √−3)/2.
3. In all other cases the imaginary quadratic number field Q(√m) (where m < 0) has just two units, ±1.
Proof We know of course that ±1 are always units.
Suppose
ε = a + b√m
is a unit. Then
‖ε‖ = a^2 + (−m)b^2 = 1
by Proposition 3.6. In particular
(−m)b^2 ≤ 1.
If m ≡ 3 mod 4 then a, b ∈ Z; and so b = 0 unless m = −1, in which case b = ±1 is a solution, giving a = 0, ie ε = ±i.
If m ≡ 1 mod 4 then b may be a half-integer, ie b = B/2, and
(−m)b^2 = (−m)B^2/4 > 1
if B ≠ 0, unless m = −3 and B = ±1, in which case A = ±1. Thus we get four additional units in Q(√−3), namely ±ω, ±ω^2.
Proposition 3.8 Every real quadratic number field Q(√m) (where m > 0) contains an infinity of units. More precisely, there is a unique unit ε > 1 such that the units are the numbers
±ε^n (n ∈ Z).
Proof The following exercise in the pigeon-hole principle is due to Kronecker.
Lemma 3.1 Suppose α ∈ R. There are an infinity of integers m, n with m > 0 such that
|mα − n| < 1/m.
Proof of Lemma Let {x} denote the fractional part of x ∈ R. Thus
{x} = x − [x],
where [x] is the integer part of x.
Suppose N is a positive integer. Let us divide [0, 1) into N equal parts:
[0, 1/N), [1/N, 2/N), ..., [(N − 1)/N, 1).
Consider how the N + 1 fractional parts
{0}, {α}, {2α}, ..., {Nα}
fall into these N divisions.
Two of the fractional parts (say {rα} and {sα}, where r < s) must fall into the same division. But then
|{sα} − {rα}| < 1/N,
ie
|(sα − [sα]) − (rα − [rα])| < 1/N.
Let
m = s − r, n = [sα] − [rα].
Then
|mα − n| < 1/N ≤ 1/m.
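Kronecker's pigeon-hole argument is constructive, and the following Python example (added here; not from the original notes) runs it exactly as the proof does: drop the N + 1 fractional parts {0}, {α}, ..., {Nα} into N boxes and take the first collision. A second function feeds α = √m into it, which is the step Lemma 3.2 below relies on. The inputs α = √2, √3 and the values of N are constructed for illustration; the function names are mine.

```python
import math

def kronecker_approx(alpha, N):
    """Lemma 3.1 by pigeon-hole: return (m, n) with m > 0 and
    |m*alpha - n| < 1/N <= 1/m.  The N+1 fractional parts {r*alpha},
    r = 0..N, go into the N boxes [k/N, (k+1)/N); the first collision
    (r0, r) gives m = r - r0 and n = [r alpha] - [r0 alpha]."""
    boxes = {}
    for r in range(N + 1):
        whole = math.floor(r * alpha)
        k = min(int((r * alpha - whole) * N), N - 1)   # box index of {r alpha}
        if k in boxes:
            r0, whole0 = boxes[k]
            return r - r0, whole - whole0
        boxes[k] = (r, whole)
    raise RuntimeError("unreachable: N+1 items in N boxes must collide")

def small_norm_pairs(m, Ns):
    """Lemma 3.2: apply kronecker_approx to alpha = sqrt(m) for each N in Ns and
    return (a, b, a^2 - m b^2); the proof gives |a^2 - m b^2| < 2 sqrt(m) + 1."""
    out = []
    for N in Ns:
        b, a = kronecker_approx(math.sqrt(m), N)   # |b sqrt(m) - a| < 1/b
        out.append((a, b, a * a - m * b * b))
    return out

if __name__ == "__main__":
    print(kronecker_approx(math.sqrt(2), 10))   # (5, 7): |5 sqrt2 - 7| ~ 0.071 < 1/10
    print(small_norm_pairs(2, [10]))            # [(7, 5, -1)]
```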
Lemma 3.2 There are an infinity of a, b ∈ Z such that
|a^2 − b^2 m| < 2√m + 1.
Proof of Lemma We apply Kronecker's Lemma above with α = √m. There are an infinity of integers a, b > 0 such that
|a − b√m| < 1/b.
But then
a < b√m + 1,
and so
a + b√m < 2b√m + 1.
Hence
|a^2 − b^2 m| = (a + b√m)|a − b√m|
< (2b√m + 1)/b
≤ 2√m + 1.
It follows from this lemma that there are an infinity of integer solutions of
a^2 − b^2 m = d
for some
d < 2√m + 1.
But then there must be an infinity of these solutions (a, b) with the same remainders mod d.
Lemma 3.3 Suppose
ε_1 = a_1 + b_1√m, ε_2 = a_2 + b_2√m,
where
a_1^2 − b_1^2 m = d = a_2^2 − b_2^2 m
and
a_1 ≡ a_2 mod d, b_1 ≡ b_2 mod d.
Then
ε_2/ε_1
is an algebraic integer.
Proof of Lemma Suppose
a_2 = a_1 + dr, b_2 = b_1 + ds.
Then
ε_2 = ε_1 + dη,
where
η = r + s√m.
Hence
ε_2/ε_1 = ε_2 ε̄_1 / (ε_1 ε̄_1)
= ε_2 ε̄_1 / d
= (ε_1 + dη) ε̄_1 / d
= ε_1 ε̄_1 / d + η ε̄_1
= d/d + η ε̄_1
= 1 + η ε̄_1,
which is an integer.
Now suppose (a_1, b_1), (a_2, b_2) are two such solutions. Then
ε = ε_2/ε_1
is an integer, and
‖ε‖ = ‖ε_2‖/‖ε_1‖ = d/d = 1.
Hence ε is a unit, by Proposition 3.6.
Since there are an infinity of integers satisfying these conditions, we obtain an infinity of units if we fix ε_1 and let ε_2 vary. In particular there must be a unit
ε ≠ ±1.
Just one of the four units
±ε, ±ε^{−1}
must lie in the range (1, ∞). (The others are distributed one each in the ranges (−∞, −1), (−1, 0) and (0, 1).)
Suppose then that
ε = a + b√m > 1.
Then
|ε^{−1}| < 1,
and so
ε̄ = ±ε^{−1} ∈ (−1, 1),
ie
−1 < a − b√m < 1.
Adding these two inequalities,
0 < 2a,
ie
a > 0.
On the other hand,
ε > ε̄ ⇒ b > 0.
It follows that there can only be a finite number of units in any range
1 < ε ≤ c.
In particular, if η > 1 is a unit, then there is a smallest unit ε in the range
1 < ε ≤ η.
Evidently ε is the least unit in the range
1 < ε.
Now suppose η is a unit ≠ ±1. As we observed, one of the four units ±η, ±η^{−1} must lie in the range (1, ∞). We can take this in place of η, ie we may assume that
η > 1.
Since ε^n → ∞,
ε^r ≤ η < ε^{r+1}
for some r ≥ 1. Hence
1 ≤ ηε^{−r} < ε.
Since ε is the smallest unit > 1, this implies that
ηε^{−r} = 1,
ie
η = ε^r.
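The proof of Proposition 3.8 shows that the fundamental unit ε > 1 has a, b > 0 and a² − mb² = ±1, so ε grows with b and can be found by searching b = 1, 2, ... for the first value that makes mb² ∓ 1 a square. The Python example below, added here and not part of the original notes, does that search in the half-coordinates of Proposition 3.4 (ε = (A + B√m)/2) so that m ≡ 1 mod 4 is handled too, and multiplies units to show that the powers ε^n are again units of norm (±1)^n. The sample values of m are constructed for illustration; the function names are mine.

```python
from math import isqrt

def fundamental_unit(m):
    """Prop 3.8: the least unit eps > 1 of Q(sqrt m) for square-free m > 1, as
    (A, B, norm) with eps = (A + B sqrt m)/2.  A, B must be even unless m = 1 mod 4
    (Prop 3.4).  Norm -1 (A^2 = m B^2 - 4) is tried before norm +1 because for the
    same B it gives the smaller A, hence the smaller unit."""
    B = 0
    while True:
        B += 1
        if m % 4 != 1 and B % 2:
            continue                            # only integer coordinates allowed
        for sign in (-1, 1):                    # A^2 = m B^2 + 4*sign
            t = m * B * B + 4 * sign
            if t < 0:
                continue
            A = isqrt(t)
            if A * A == t and (A - B) % 2 == 0:
                return A, B, sign

def mul(u, v, m):
    """Product of (A1 + B1 sqrt m)/2 and (A2 + B2 sqrt m)/2 in the same coordinates."""
    A1, B1 = u
    A2, B2 = v
    return (A1 * A2 + m * B1 * B2) // 2, (A1 * B2 + A2 * B1) // 2

def norm(u, m):
    A, B = u
    return (A * A - m * B * B) // 4

def unit_powers(m, k):
    """eps, eps^2, ..., eps^k: every unit > 1 is one of these by Prop 3.8."""
    A, B, _ = fundamental_unit(m)
    out, cur = [], (A, B)
    for _ in range(k):
        out.append(cur)
        cur = mul(cur, (A, B), m)
    return out

if __name__ == "__main__":
    for m in (2, 3, 5, 7, 13):
        print(m, fundamental_unit(m))   # 2 (2,2,-1) is 1+sqrt2; 5 (1,1,-1) is (1+sqrt5)/2
    print(unit_powers(2, 3))            # [(2, 2), (6, 4), (14, 10)]: 1+sqrt2, 3+2sqrt2, 7+5sqrt2
```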
3.5 Unique factorisation
Suppose A is an integral domain. Recall that if A is a principal ideal domain, ie each ideal 𝔞 ⊂ A can be generated by a single element a,
𝔞 = ⟨a⟩,
then A is a unique factorisation domain, ie each a ∈ A is uniquely expressible (up to order, and equivalence of primes) in the form
a = επ_1^{e_1} ··· π_r^{e_r},
where ε is a unit, and π_1, ..., π_r are inequivalent primes.
We also showed that if A is the ring of integers in an algebraic number field k then the converse is also true, ie
A principal ideal domain ⟺ A unique factorisation domain.
Proposition 3.9 The ring of integers Z[ω] in the quadratic field Q(√m) is a principal ideal domain (and so a unique factorisation domain) if
m = −11, −7, −3, −2, −1, 2, 3, 5, 13.
Proof We take
|‖α‖|
as a measure of the size of α ∈ Z[ω].
Lemma 3.4 Suppose α, β ∈ Z[ω], with β ≠ 0. Then there exist γ, ρ ∈ Z[ω] such that
α = γβ + ρ
with
|‖ρ‖| < |‖β‖|.
In other words, we can divide α by β, and get a remainder smaller than β.
Proof of Lemma Let
α/β = x + y√m
where x, y ∈ Q.
Suppose first that m ≢ 1 mod 4. We can find integers a, b such that
|x − a|, |y − b| ≤ 1/2.
Let
γ = a + b√m.
Then γ ∈ Z[ω]; and
α/β − γ = (x − a) + (y − b)√m.
Thus
‖α/β − γ‖ = (x − a)^2 − m(y − b)^2.
If now m < 0 then
0 ≤ ‖α/β − γ‖ ≤ (1 − m)/4,
yielding
|‖α/β − γ‖| < 1
if m = −2 or −1; while if m > 0 then
−m/4 ≤ ‖α/β − γ‖ ≤ 1/4,
yielding
|‖α/β − γ‖| < 1
if m = 2 or 3.
On the other hand, if m ≡ 1 mod 4 then we can choose a, b to be integers or half-integers. Thus we can choose b so that
|y − b| ≤ 1/4;
and then we can choose a so that
|x − a| ≤ 1/2.
(Note that a must be an integer or half-integer according as b is an integer or half-integer; so we can only choose a to within an integer.)
If m < 0 this gives
0 ≤ ‖α/β − γ‖ ≤ (4 − m)/16,
yielding
|‖α/β − γ‖| < 1
if m = −11, −7 or −3; while if m > 0 then
−m/16 ≤ ‖α/β − γ‖ ≤ 1/4,
yielding
|‖α/β − γ‖| < 1
if m = 5 or 13.
Thus in all the cases listed we can find γ ∈ Z[ω] such that
|‖α/β − γ‖| < 1.
Multiplying by ‖β‖,
|‖α − γβ‖| < |‖β‖|,
which gives the required result on setting
ρ = α − γβ,
ie
α = γβ + ρ.
Now suppose 𝔞 ≠ 0 is an ideal in Z[ω]. Let β ∈ 𝔞 (β ≠ 0) be an element minimising |‖β‖|. (Such an element certainly exists, since |‖β‖| is a positive integer.)
Now suppose α ∈ 𝔞. By the lemma we can find γ, ρ ∈ Z[ω] such that
α = γβ + ρ
with
|‖ρ‖| < |‖β‖|.
But
ρ = α − γβ ∈ 𝔞.
Thus by the minimality of |‖β‖|,
‖ρ‖ = 0 ⇒ ρ = 0 ⇒ α = γβ ⇒ α ∈ ⟨β⟩.
Hence
𝔞 = ⟨β⟩.
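The following Python example, added here and not part of the original notes, gathers Sections 3.2 to 3.5 into running code: exact arithmetic in Q(√m) with conjugate and norm (Definitions 3.4, 3.5), the integrality test that the proof of Proposition 3.4 reduces to (2x ∈ Z and x² − my² ∈ Z), the unit test of Proposition 3.6, and the division with small remainder of Lemma 3.4, with γ chosen by exactly the rounding rule of the proof (nearest integers when m ≢ 1 mod 4, a half-integer b within 1/4 and a matching a when m ≡ 1 mod 4). Euclid's algorithm on top of it computes a gcd, which is the principal generator the proof of Proposition 3.9 is about. The class and function names, and the sample elements of Z[i] and Z[(1+√5)/2], are mine.

```python
from fractions import Fraction as Fr
import math

class QuadNum:
    """x + y*sqrt(m) with x, y exact rationals; m a square-free integer != 1."""
    def __init__(self, m, x, y=0):
        self.m, self.x, self.y = m, Fr(x), Fr(y)
    def __add__(self, o): return QuadNum(self.m, self.x + o.x, self.y + o.y)
    def __sub__(self, o): return QuadNum(self.m, self.x - o.x, self.y - o.y)
    def __mul__(self, o):   # (x + y sqrt m)(u + v sqrt m) = (xu + m yv) + (xv + yu) sqrt m
        return QuadNum(self.m, self.x * o.x + self.m * self.y * o.y, self.x * o.y + self.y * o.x)
    def conj(self): return QuadNum(self.m, self.x, -self.y)            # Definition 3.4
    def norm(self): return self.x * self.x - self.m * self.y * self.y  # Definition 3.5
    def __truediv__(self, o):  # alpha/beta = alpha * conj(beta) / norm(beta)
        p, n = self * o.conj(), o.norm()
        return QuadNum(self.m, p.x / n, p.y / n)
    def __eq__(self, o): return (self.m, self.x, self.y) == (o.m, o.x, o.y)
    def is_zero(self): return self.x == 0 and self.y == 0
    def __repr__(self): return f"{self.x} + {self.y}*sqrt({self.m})"

def is_integer(a):
    """Prop 3.4, as its proof states it: integer iff 2x in Z and x^2 - m y^2 in Z."""
    return (2 * a.x).denominator == 1 and a.norm().denominator == 1

def is_unit(a):
    """Prop 3.6: an integer is a unit iff its norm is +-1."""
    return is_integer(a) and abs(a.norm()) == 1

def nearest_int(q):
    return math.floor(q + Fr(1, 2))

def euclid_div(a, b):
    """Lemma 3.4 for the m of Prop 3.9: (gamma, rho) with a = gamma*b + rho and
    |norm(rho)| < |norm(b)|; gamma is chosen exactly as in the proof."""
    m, q = a.m, a / b
    if m % 4 != 1:                                    # round both coordinates
        g = QuadNum(m, nearest_int(q.x), nearest_int(q.y))
    else:                                             # half-integers allowed, same parity
        B = nearest_int(2 * q.y)                      # |y - B/2| <= 1/4
        A = 2 * nearest_int(q.x - Fr(B, 2)) + B       # |x - A/2| <= 1/2, A = B mod 2
        g = QuadNum(m, Fr(A, 2), Fr(B, 2))
    return g, a - g * b

def gcd(a, b):
    """Euclid's algorithm; |norm| is a non-negative integer that strictly drops."""
    while not b.is_zero():
        a, b = b, euclid_div(a, b)[1]
    return a

if __name__ == "__main__":
    # constructed samples: in Z[i], gcd(5, 3+i) is an associate of 2-i (norm 5)
    print(gcd(QuadNum(-1, 5), QuadNum(-1, 3, 1)))
    # in Z[(1+sqrt5)/2], (3+sqrt5)/2 ... dividing by the unit 2+sqrt5 leaves remainder 0
    print(euclid_div(QuadNum(5, 7, 2), QuadNum(5, 2, 1)))
```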
Remarks:
1. We do not claim that these are the only cases in which Q(√m) (or rather the ring of integers in this field) is a unique factorisation domain. There are certainly other m for which it is known to hold; and in fact it is not known if the number of such m is finite or infinite. But the result is easily established for the m listed above.
2. On the other hand, unique factorisation fails in many quadratic fields. For example, if m = −5 then
6 = 2 · 3 = (1 + √−5)(1 − √−5).
Now 2 is irreducible in Z[√−5], since
a^2 + 5b^2 = 2
has no solution in integers. Thus if there were unique factorisation then
2 | 1 + √−5 or 2 | 1 − √−5,
both of which are absurd.
As an example of a real quadratic field in which unique factorisation fails, consider m = 10. We have
6 = 2 · 3 = (4 + √10)(4 − √10).
The prime 2 is again irreducible; for
a^2 − 10b^2 = ±2
has no solution in integers, since neither ±2 is a quadratic residue mod 10. (The quadratic residues mod 10 are 0, 1, 4, 5.) Thus if there were unique factorisation we would have
2 | 4 + √10 or 2 | 4 − √10,
both of which are absurd.
3.6 The splitting of rational primes
Throughout this section we shall assume that the integers Z[ω] in Q(√m) form a principal ideal domain (and so a unique factorisation domain).
Proposition 3.10 Let p ∈ N be a rational prime. Then p either remains a prime in Z[ω], or else
p = ±ππ̄,
where π is a prime in Z[ω]. In other words, p has either one or two prime factors; and if it has two then these are conjugate.
Proof Suppose
p = π_1 ··· π_r.
Then
‖π_1‖ ··· ‖π_r‖ = ‖p‖ = p^2.
Since ‖π_i‖ is an integer ≠ ±1, it follows that either r = 1, ie p remains a prime, or else r = 2 with
‖π_1‖ = ±p, ‖π_2‖ = ±p.
In this case, writing π for π_1,
p = ±‖π‖ = ±ππ̄.
We say that p splits in Q(√m) in the latter case, ie if p divides into two prime factors in Z[ω]. We say that p ramifies if these two prime factors are equal, ie if
p = ±π^2.
Corollary 3.2 The rational prime p ∈ N splits if and only if there is an integer π ∈ Z[ω] with
‖π‖ = ±p.
Proposition 3.11 Suppose p ∈ N is an odd prime with p ∤ m. Then p splits in Q(√m) if and only if m is a quadratic residue mod p, ie if and only if
x^2 ≡ m mod p
for some x ∈ Z.
Proof Suppose
x^2 ≡ m mod p.
Then
(x − √m)(x + √m) = pq
for some q ∈ Z.
If now p is prime in Z[ω] (where it is assumed, we recall, that there is unique factorisation), then
p | x − √m or p | x + √m,
both of which are absurd, since for example
p | x − √m ⇒ x − √m = p(a + b√m) ⇒ pb = −1,
where b is (at worst) a half-integer.
It remains to consider two cases, p | m and p = 2.
Proposition 3.12 If the rational prime p | m then p ramifies in Q(√m).
Proof We have
(√m)^2 = m = pq,
for some q ∈ Z. If p remains prime then
p | √m ⇒ ‖p‖ | ‖√m‖ ⇒ p^2 | m,
which is impossible, since m is square-free.
Hence
p = ±ππ̄,
and
√m = πγ
for some γ ∈ Z[ω]. Note that γ cannot contain π̄ as a factor, since this would imply that
p = ±ππ̄ | √m,
which as we have seen is impossible.
Taking conjugates
−√m = π̄γ̄.
Thus
π̄ | √m.
Since the factorisation of √m is (by assumption) unique,
π̄ ~ π,
ie p ramifies.
Proposition 3.13 The rational prime 2 remains prime in Z[ω] if and only if
m ≡ 5 mod 8.
Moreover, 2 ramifies unless
m ≡ 1 mod 4.
Proof We have dealt with the case where 2 | m, so we may assume that m is odd.
Suppose first that
m ≡ 3 mod 4.
In this case
(1 − √m)(1 + √m) = 1 − m = 2q.
If 2 does not split then
2 | 1 − √m or 2 | 1 + √m,
both of which are absurd.
Thus
2 = ±ππ̄,
where
π = a + b√m (a, b ∈ Z),
say. But then
π̄ = a − b√m = π − 2b√m.
Since π | 2 it follows that
π | π̄;
and similarly
π̄ | π.
Thus
π̄ = επ,
where ε is a unit; and so 2 ramifies.
Now suppose
m ≡ 1 mod 4.
Suppose 2 splits, say
a^2 − mb^2 = ±2,
where a, b are integers or half-integers. If a, b ∈ Z then
a^2 − mb^2 ≡ 0, ±1 mod 4,
since a^2, b^2 ≡ 0 or 1 mod 4.
Thus a, b must be half-integers, say a = A/2, b = B/2, where A, B are odd integers. In this case,
A^2 − mB^2 = ±8.
Hence
A^2 − mB^2 ≡ 0 mod 8.
But
A^2 ≡ B^2 ≡ 1 mod 8,
and so
A^2 − mB^2 ≡ 1 − m mod 8.
Thus the equation is insoluble if
m ≡ 5 mod 8,
ie 2 remains prime in this case.
Finally, if
m ≡ 1 mod 8
then
((1 − √m)/2) · ((1 + √m)/2) = (1 − m)/4 = 2q.
If 2 does not split then
2 | (1 − √m)/2 or 2 | (1 + √m)/2,
both of which are absurd.
Suppose
2 = ±ππ̄,
where
π = (A + B√m)/2,
with A, B odd; and
π̄ = (A − B√m)/2 = π − B√m.
Thus
π | π̄ ⇒ π | B√m ⇒ ‖π‖ | ‖B√m‖ ⇒ 2 | B^2 m,
which is impossible since B, m are both odd. Hence 2 is unramified in this case.
3.7 Quadratic residues

Definition 3.6 Suppose $p$ is an odd rational prime; and suppose $a \in \mathbb Z$. Then the Legendre symbol is defined by
$$\left(\frac{a}{p}\right) = \begin{cases} 0 & \text{if } p \mid a, \\ 1 & \text{if } p \nmid a \text{ and } a \text{ is a quadratic residue mod } p, \\ -1 & \text{if } a \text{ is a quadratic non-residue mod } p. \end{cases}$$

Proposition 3.14 Suppose $p$ is an odd rational prime; and suppose $a, b \in \mathbb Z$. Then
$$\left(\frac{a}{p}\right)\left(\frac{b}{p}\right) = \left(\frac{ab}{p}\right).$$

Proof The result is trivial if $p \mid a$ or $p \mid b$; so we may suppose that $p \nmid a, b$.

Consider the group-homomorphism
$$\theta : (\mathbb Z/p)^\times \to (\mathbb Z/p)^\times : x \mapsto x^2.$$
Since
$$\ker\theta = \{\pm 1\}$$
it follows from the First Isomorphism Theorem that
$$|\operatorname{im}\theta| = \frac{p - 1}{2},$$
and so
$$(\mathbb Z/p)^\times / \operatorname{im}\theta \cong C_2 = \{\pm 1\}.$$
The result follows, since
$$\operatorname{im}\theta = \left\{a \in (\mathbb Z/p)^\times : \left(\frac{a}{p}\right) = 1\right\}.$$

Proposition 3.15 Suppose $p$ is an odd rational prime; and suppose $a \in \mathbb Z$. Then
$$a^{\frac{p-1}{2}} \equiv \left(\frac{a}{p}\right) \bmod p.$$

Proof The result is trivial if $p \mid a$; so we may suppose that $p \nmid a$.

By Lagrange's Theorem (or Fermat's Little Theorem)
$$a^{p-1} \equiv 1 \bmod p.$$
Thus
$$\left(a^{\frac{p-1}{2}}\right)^2 \equiv 1 \bmod p;$$
and so
$$a^{\frac{p-1}{2}} \equiv \pm 1 \bmod p.$$
Suppose $a$ is a quadratic residue, say $a \equiv b^2 \bmod p$. Then
$$a^{\frac{p-1}{2}} \equiv b^{p-1} \equiv 1 \bmod p.$$
Thus
$$\left(\frac{a}{p}\right) = 1 \implies a^{\frac{p-1}{2}} \equiv 1 \bmod p.$$
As we saw in the proof of Proposition 3.14, exactly half, ie $\frac{p-1}{2}$, of the numbers $1, 2, \dots, p - 1$ are quadratic residues. On the other hand, the equation
$$x^{\frac{p-1}{2}} - 1 = 0$$
over the field $\mathbb F_p = \mathbb Z/(p)$ has at most $\frac{p-1}{2}$ roots. It follows that
$$\left(\frac{a}{p}\right) = 1 \iff a^{\frac{p-1}{2}} \equiv 1 \bmod p;$$
and so
$$\left(\frac{a}{p}\right) \equiv a^{\frac{p-1}{2}} \bmod p.$$

Corollary 3.3 If $p \in \mathbb N$ is an odd rational prime then
$$\left(\frac{-1}{p}\right) = \begin{cases} 1 & \text{if } p \equiv 1 \bmod 4, \\ -1 & \text{if } p \equiv 3 \bmod 4. \end{cases}$$

Proof By the Proposition,
$$\left(\frac{-1}{p}\right) \equiv (-1)^{\frac{p-1}{2}} \bmod p.$$
If $p \equiv 1 \bmod 4$, say $p = 4m + 1$, then
$$\frac{p - 1}{2} = 2m;$$
while if $p \equiv 3 \bmod 4$, say $p = 4m + 3$, then
$$\frac{p - 1}{2} = 2m + 1.$$

It is sometimes convenient to take the remainder $r \equiv a \bmod p$ in the range
$$-\frac p2 < r < \frac p2.$$
We may say that $a$ has negative remainder mod $p$ if
$$-\frac p2 < r < 0.$$
Thus 13 has negative remainder mod 7, since $13 \equiv -1 \bmod 7$.

Proposition 3.16 Suppose $p \in \mathbb N$ is an odd rational prime; and suppose $p \nmid a$. Then
$$\left(\frac{a}{p}\right) = (-1)^\mu,$$
where $\mu$ is the number of numbers among
$$a, 2a, \dots, \frac{p - 1}{2}a$$
with negative remainders.

Suppose, for example, $p = 11$, $a = 7$. Then
$$7 \equiv -4,\quad 14 \equiv 3,\quad 21 \equiv -1,\quad 28 \equiv -5,\quad 35 \equiv 2 \bmod 11.$$
Thus $\mu = 3$.

Proof Suppose $1 \le r \le \frac{p-1}{2}$. Then just one of the numbers $a, 2a, \dots, \frac{p-1}{2}a$ has remainder $\pm r$.

For suppose
$$ia \equiv r \bmod p,\quad ja \equiv -r \bmod p.$$
Then
$$(i + j)a \equiv 0 \bmod p \implies p \mid i + j,$$
which is impossible since $1 \le i + j \le p - 1$.

It follows (by the Pigeon-Hole Principle) that just one of the congruences
$$ia \equiv \pm r \bmod p \quad (1 \le i \le \tfrac{p-1}{2})$$
is soluble for each $r$.

Multiplying together these congruences,
$$a \cdot 2a \cdots \frac{p-1}{2}a \equiv (-1)^\mu\, 1 \cdot 2 \cdots \frac{p-1}{2} \bmod p,$$
ie
$$a^{\frac{p-1}{2}}\, 1 \cdot 2 \cdots \frac{p-1}{2} \equiv (-1)^\mu\, 1 \cdot 2 \cdots \frac{p-1}{2} \bmod p,$$
and so
$$a^{\frac{p-1}{2}} \equiv (-1)^\mu \bmod p.$$
Since
$$\left(\frac{a}{p}\right) \equiv a^{\frac{p-1}{2}} \bmod p$$
by Proposition 3.15, we conclude that
$$\left(\frac{a}{p}\right) \equiv (-1)^\mu \bmod p.$$

Proposition 3.17 If $p \in \mathbb N$ is an odd rational prime then
$$\left(\frac{2}{p}\right) = \begin{cases} 1 & \text{if } p \equiv \pm 1 \bmod 8, \\ -1 & \text{if } p \equiv \pm 3 \bmod 8. \end{cases}$$

Proof Consider the numbers $2, 4, \dots, p - 1$. The number $2i$ will have negative remainder if
$$\frac p2 < 2i < p,$$
ie
$$\frac p4 < i < \frac p2.$$
Thus the $\mu$ in Proposition 3.16 is given by
$$\mu = \left\lfloor \frac p2 \right\rfloor - \left\lfloor \frac p4 \right\rfloor.$$
We consider $p \bmod 8$. If $p \equiv 1 \bmod 8$, say $p = 8m + 1$, then
$$\left\lfloor \frac p2 \right\rfloor = 4m,\quad \left\lfloor \frac p4 \right\rfloor = 2m,$$
and so $\mu = 2m$.

If $p \equiv 3 \bmod 8$, say $p = 8m + 3$, then
$$\left\lfloor \frac p2 \right\rfloor = 4m + 1,\quad \left\lfloor \frac p4 \right\rfloor = 2m,$$
and so $\mu = 2m + 1$.

If $p \equiv 5 \bmod 8$, say $p = 8m + 5$, then
$$\left\lfloor \frac p2 \right\rfloor = 4m + 2,\quad \left\lfloor \frac p4 \right\rfloor = 2m + 1,$$
and so $\mu = 2m + 1$.

If $p \equiv 7 \bmod 8$, say $p = 8m + 7$, then
$$\left\lfloor \frac p2 \right\rfloor = 4m + 3,\quad \left\lfloor \frac p4 \right\rfloor = 2m + 1,$$
and so $\mu = 2m + 2$.

Corollary 3.4 If $p \in \mathbb N$ is an odd rational prime then
$$\left(\frac{-2}{p}\right) = \begin{cases} 1 & \text{if } p \equiv 1 \text{ or } 3 \bmod 8, \\ -1 & \text{if } p \equiv 5 \text{ or } 7 \bmod 8. \end{cases}$$

Proof This follows from the Proposition and the Corollary to Proposition 3.15, since
$$\left(\frac{-2}{p}\right) = \left(\frac{-1}{p}\right)\left(\frac{2}{p}\right),$$
by Proposition 3.14.
Proposition 3.18 If $p \in \mathbb N$ is an odd rational prime then
$$\left(\frac{3}{p}\right) = \begin{cases} 1 & \text{if } p \equiv \pm 1 \bmod 12, \\ -1 & \text{if } p \equiv \pm 5 \bmod 12. \end{cases}$$

Proof If
$$0 < i < \frac p2$$
then
$$0 < 3i < \frac{3p}{2}.$$
Thus $3i$ has negative remainder if
$$\frac p2 < 3i < p,$$
ie
$$\frac p6 < i < \frac p3.$$
Thus
$$\mu = \left\lfloor \frac p3 \right\rfloor - \left\lfloor \frac p6 \right\rfloor.$$
If $p \equiv 1 \bmod 6$, say $p = 6m + 1$, then
$$\left\lfloor \frac p3 \right\rfloor = 2m,\quad \left\lfloor \frac p6 \right\rfloor = m,$$
and so $\mu = m$.

If $p \equiv 5 \bmod 6$, say $p = 6m + 5$, then
$$\left\lfloor \frac p3 \right\rfloor = 2m + 1,\quad \left\lfloor \frac p6 \right\rfloor = m,$$
and so $\mu = m + 1$.

The result follows.
Corollary 3.5 If $p \in \mathbb N$ is an odd rational prime then
$$\left(\frac{-3}{p}\right) = \begin{cases} 1 & \text{if } p \equiv 1 \bmod 6, \\ -1 & \text{if } p \equiv 5 \bmod 6. \end{cases}$$

Proof This follows from the Proposition and the Corollary to Proposition 3.15, since
$$\left(\frac{-3}{p}\right) = \left(\frac{-1}{p}\right)\left(\frac{3}{p}\right),$$
by Proposition 3.14.
Proposition 3.19 If $p \in \mathbb N$ is an odd rational prime then
$$\left(\frac{5}{p}\right) = \begin{cases} 1 & \text{if } p \equiv \pm 1 \bmod 10, \\ -1 & \text{if } p \equiv \pm 3 \bmod 10. \end{cases}$$

Proof If
$$0 < i < \frac p2$$
then
$$0 < 5i < \frac{5p}{2}.$$
Thus $5i$ has negative remainder if
$$\frac p2 < 5i < p \quad\text{or}\quad \frac{3p}{2} < 5i < 2p,$$
ie
$$\frac{p}{10} < i < \frac p5 \quad\text{or}\quad \frac{3p}{10} < i < \frac{2p}{5}.$$
Thus
$$\mu = \left\lfloor \frac p5 \right\rfloor - \left\lfloor \frac{p}{10} \right\rfloor + \left\lfloor \frac{2p}{5} \right\rfloor - \left\lfloor \frac{3p}{10} \right\rfloor.$$
If $p \equiv 1 \bmod 10$, say $p = 10m + 1$, then
$$\left\lfloor \frac p5 \right\rfloor = 2m,\quad \left\lfloor \frac{p}{10} \right\rfloor = m,\quad \left\lfloor \frac{2p}{5} \right\rfloor = 4m,\quad \left\lfloor \frac{3p}{10} \right\rfloor = 3m,$$
and so $\mu = 2m$.

The other cases are left to the reader.
3.8 Gauss' Law of Quadratic Reciprocity

Proposition 3.16 provides an algorithm for computing the Legendre symbol, as illustrated in Propositions 3.17–3.19, perfectly adequate for our purposes. However, Euler discovered and Gauss proved a remarkable result which makes computation of the symbol childishly simple. This result, the Law of Quadratic Reciprocity, has been called the most beautiful result in Number Theory, so it would be a pity not to mention it, even though, as we said, we do not really need it.

Proposition 3.20 Suppose $p, q \in \mathbb N$ are two distinct odd rational primes. Then
$$\left(\frac{q}{p}\right)\left(\frac{p}{q}\right) = \begin{cases} -1 & \text{if } p \equiv q \equiv 3 \bmod 4, \\ 1 & \text{otherwise.} \end{cases}$$
Another way of putting this is to say that
$$\left(\frac{q}{p}\right)\left(\frac{p}{q}\right) = (-1)^{\frac{p-1}{2} \cdot \frac{q-1}{2}}.$$

Proof Let
$$S = \{1, 2, \dots, \tfrac{p-1}{2}\},\quad T = \{1, 2, \dots, \tfrac{q-1}{2}\}.$$
We shall choose remainders mod $p$ from the set
$$\{-\tfrac p2 < i < \tfrac p2\} = -S \cup \{0\} \cup S,$$
and remainders mod $q$ from the set
$$\{-\tfrac q2 < i < \tfrac q2\} = -T \cup \{0\} \cup T.$$
By Gauss' Lemma (Proposition 3.16),
$$\left(\frac{q}{p}\right) = (-1)^\mu,\quad \left(\frac{p}{q}\right) = (-1)^\nu,$$
where
$$\mu = |\{i \in S : qi \bmod p \in -S\}|,\quad \nu = |\{i \in T : pi \bmod q \in -T\}|.$$
By $qi \bmod p \in -S$ we mean that there exists a $j$ (necessarily unique) such that
$$qi - pj \in -S.$$
But now we observe that, in this last formula,
$$0 < i < \frac p2 \implies 0 < j < \frac q2.$$

Figure 3.1: p = 11, q = 7
The basic idea of the proof is to associate to each such contribution to $\mu$ the point $(i, j) \in S \times T$. Thus
$$\mu = |\{(i, j) \in S \times T : -\tfrac p2 < qi - pj < 0\}|;$$
and similarly
$$\nu = |\{(i, j) \in S \times T : 0 < qi - pj < \tfrac q2\}|,$$
where we have reversed the order of the inequality on the right so that both formulae are expressed in terms of $(qi - pj)$.

Let us write $[R]$ for the number of integer points in the region $R \subset \mathbb R^2$. Then
$$\mu = [R_1],\quad \nu = [R_2],$$
where
$$R_1 = \{(x, y) \in R : -\tfrac p2 < qx - py < 0\},\quad R_2 = \{(x, y) \in R : 0 < qx - py < \tfrac q2\},$$
and $R$ denotes the rectangle
$$R = \{(x, y) : 0 < x < \tfrac p2,\ 0 < y < \tfrac q2\}.$$
The line
$$qx - py = 0$$
is a diagonal of the rectangle $R$, and $R_1, R_2$ are strips above and below the diagonal (Fig 3.8).

This leaves two triangular regions in $R$,
$$R_3 = \{(x, y) \in R : qx - py < -\tfrac p2\},\quad R_4 = \{(x, y) \in R : qx - py > \tfrac q2\}.$$
We shall show that, surprisingly perhaps, reflection in a central point sends the integer points in these two regions into each other, so that
$$[R_3] = [R_4].$$
Since
$$R = R_1 \cup R_2 \cup R_3 \cup R_4,$$
it will follow that
$$[R_1] + [R_2] + [R_3] + [R_4] = [R] = \frac{p-1}{2} \cdot \frac{q-1}{2},$$
ie
$$\mu + \nu + [R_3] + [R_4] = \frac{p-1}{2} \cdot \frac{q-1}{2}.$$
But if now $[R_3] = [R_4]$ then it will follow that
$$\mu + \nu \equiv \frac{p-1}{2} \cdot \frac{q-1}{2} \bmod 2,$$
which is exactly what we have to prove.

It remains to define our central reflection. Note that reflection in the centre $(\frac p4, \frac q4)$ of the rectangle $R$ will not serve, since this does not send integer points into integer points. For that, we must reflect in a point whose coordinates are integers or half-integers.

We choose this point by shrinking the rectangle $R$ to a rectangle bounded by integer points, ie the rectangle
$$R' = \{1 \le x \le \tfrac{p-1}{2},\ 1 \le y \le \tfrac{q-1}{2}\}.$$
Now we take $P$ to be the centre of this rectangle, ie
$$P = \left(\frac{p + 1}{4}, \frac{q + 1}{4}\right).$$
The reflection is then given by
$$(x, y) \mapsto (X, Y) = \left(\frac{p + 1}{2} - x,\ \frac{q + 1}{2} - y\right).$$
It is clear that reflection in $P$ will send the integer points of $R$ into themselves. But it is not clear that it will send the integer points in $R_3$ into those in $R_4$, and vice versa. To see that, let us shrink these triangles as we shrank the rectangle. If $x, y \in \mathbb Z$ then
$$qx - py < -\frac p2 \implies qx - py \le -\frac{p + 1}{2};$$
and similarly
$$qx - py > \frac q2 \implies qx - py \ge \frac{q + 1}{2}.$$
Now reflection in $P$ does send the two lines
$$qx - py = -\frac{p + 1}{2},\quad qx - py = \frac{q + 1}{2}$$
into each other; for
$$qX - pY = q\left(\frac{p + 1}{2} - x\right) - p\left(\frac{q + 1}{2} - y\right) = \frac{q - p}{2} - (qx - py),$$
and so
$$qx - py = -\frac{p + 1}{2} \implies qX - pY = \frac{q - p}{2} + \frac{p + 1}{2} = \frac{q + 1}{2}.$$
We conclude that
$$[R_3] = [R_4].$$
Hence
$$[R] = [R_1] + [R_2] + [R_3] + [R_4] \equiv \mu + \nu \bmod 2,$$
and so
$$\mu + \nu \equiv [R] = \frac{p-1}{2} \cdot \frac{q-1}{2} \bmod 2.$$

Example: Take $p = 37$, $q = 47$. Then
$$\left(\frac{37}{47}\right) = \left(\frac{47}{37}\right) \quad\text{since } 37 \equiv 1 \bmod 4$$
$$= \left(\frac{10}{37}\right) = \left(\frac{2}{37}\right)\left(\frac{5}{37}\right)$$
$$= -\left(\frac{5}{37}\right) \quad\text{since } 37 \equiv -3 \bmod 8$$
$$= -\left(\frac{37}{5}\right) \quad\text{since } 5 \equiv 1 \bmod 4$$
$$= -\left(\frac{2}{5}\right) = -(-1) = 1.$$
Thus 37 is a quadratic residue mod 47.

We could have avoided using the result for $\left(\frac{2}{p}\right)$:
$$\left(\frac{10}{37}\right) = \left(\frac{-27}{37}\right) = \left(\frac{-1}{37}\right)\left(\frac{3}{37}\right)^3 = (-1)^{18}\left(\frac{37}{3}\right) = \left(\frac{1}{3}\right) = 1.$$
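The three ways of evaluating the Legendre symbol met in this chapter, Euler's criterion (Proposition 3.15), Gauss' Lemma (Proposition 3.16) and the reduce-and-swap recursion just illustrated, as an added Python example; this is not code from the notes, and the function names are mine. One assumption goes slightly beyond the text: the recursion applies the swap step to a composite numerator as well (the Jacobi-symbol form of reciprocity, which holds for odd coprime arguments), so that 10 in the example above need not be factored first.

```python
# Added example (not from the notes): the Legendre symbol (a/p) three ways.
# Assumptions: p is an odd prime throughout; the reciprocity routine uses the
# Jacobi-symbol form of the law so a composite numerator need not be factored.

def legendre_euler(a, p):
    """Euler's criterion (Proposition 3.15): (a/p) ≡ a^((p-1)/2) mod p."""
    a %= p
    if a == 0:
        return 0
    return 1 if pow(a, (p - 1) // 2, p) == 1 else -1


def gauss_mu(a, p):
    """The mu of Gauss' Lemma (Proposition 3.16): how many of a, 2a, ...,
    ((p-1)/2)a have a negative remainder, i.e. a remainder in (p/2, p)."""
    return sum(1 for i in range(1, (p - 1) // 2 + 1) if (i * a) % p > p // 2)


def legendre_gauss(a, p):
    """Gauss' Lemma: (a/p) = (-1)^mu when p does not divide a."""
    if a % p == 0:
        return 0
    return -1 if gauss_mu(a, p) % 2 else 1


def legendre_reciprocity(a, p):
    """(a/p) by quadratic reciprocity (Proposition 3.20) with the supplementary
    laws for 2 (Proposition 3.17) and for -1 (Corollary 3.3). The numerator is
    reduced mod the denominator and the two are swapped, as in the example."""
    a %= p
    result = 1
    while a != 0:
        while a % 2 == 0:               # (2/p) = -1 iff p ≡ ±3 mod 8
            a //= 2
            if p % 8 in (3, 5):
                result = -result
        if a == 1:
            return result
        if a % 4 == 3 and p % 4 == 3:   # (a/p) = -(p/a) iff both ≡ 3 mod 4
            result = -result
        a, p = p % a, a                 # swap, then reduce
    return 0                            # only reached when p | a


def small_primes(limit):
    """Odd primes below limit (sieve of Eratosthenes)."""
    sieve = bytearray([1]) * limit
    for i in range(2, int(limit ** 0.5) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytearray(len(sieve[i * i::i]))
    return [n for n in range(3, limit) if sieve[n]]


def methods_agree(limit=200):
    """True if all three methods coincide for every a and every odd prime p < limit."""
    return all(legendre_euler(a, p) == legendre_gauss(a, p) == legendre_reciprocity(a, p)
               for p in small_primes(limit) for a in range(p))


def supplementary_laws_hold(limit=500):
    """Corollary 3.3 and Propositions 3.17-3.19 checked against Euler's criterion."""
    for p in small_primes(limit):
        if legendre_euler(-1, p) != (1 if p % 4 == 1 else -1):
            return False
        if legendre_euler(2, p) != (1 if p % 8 in (1, 7) else -1):
            return False
        if p != 3 and legendre_euler(3, p) != (1 if p % 12 in (1, 11) else -1):
            return False
        if p != 5 and legendre_euler(5, p) != (1 if p % 10 in (1, 9) else -1):
            return False
    return True


def worked_example():
    """The steps of the example (37/47): returns ((37/47), (10/37), (2/37), (5/37))."""
    return (legendre_reciprocity(37, 47), legendre_euler(10, 37),
            legendre_euler(2, 37), legendre_euler(5, 37))


if __name__ == "__main__":
    print("mu for p = 11, a = 7:", gauss_mu(7, 11))      # 3, as in the text
    print("(37/47), (10/37), (2/37), (5/37):", worked_example())
    print("methods agree:", methods_agree(), "laws hold:", supplementary_laws_hold())
```

Euler's criterion is the one a practitioner normally uses in code, since `pow` with a modulus runs in time linear in the bit length of $p$; Gauss' Lemma costs $O(p)$ and is included only because it is the page's own proof device.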
3.9 Some quadratic fields

We end by applying the results we have established to a small number of quadratic fields.

3.9.1 The gaussian field $\mathbb Q(i)$

Proposition 3.21 1. The integers in $\mathbb Q(i)$ are the gaussian integers
$$a + bi \quad (a, b \in \mathbb Z).$$
2. The units in $\mathbb Z[i]$ are the numbers
$$\pm 1, \pm i.$$
3. The ring of integers $\mathbb Z[i]$ is a principal ideal domain (and so a unique factorisation domain).
4. The prime 2 ramifies in $\mathbb Z[i]$:
$$2 = -i(1 + i)^2.$$
The odd prime $p$ splits in $\mathbb Z[i]$ if and only if
$$p \equiv 1 \bmod 4,$$
in which case it splits into two conjugate but inequivalent primes:
$$p = \pi\bar\pi.$$

Proof This follows from Propositions 3.4, 3.7, 3.9, 3.11–3.13, and the Corollary to Proposition 3.15.
Factorisation in the gaussian field $\mathbb Q(i)$ gives interesting information on the expression of a number as a sum of two squares.

Proposition 3.22 An integer $n > 0$ is expressible as a sum of two squares,
$$n = a^2 + b^2 \quad (a, b \in \mathbb Z)$$
if and only if each prime $p \equiv 3 \bmod 4$ occurs to an even power in $n$.

Proof Suppose
$$n = a^2 + b^2 = (a + bi)(a - bi).$$
Let
$$a + bi = \pi_1^{e_1} \cdots \pi_r^{e_r}.$$
Taking norms,
$$n = |a + bi| = |\pi_1|^{e_1} \cdots |\pi_r|^{e_r}.$$
Suppose $p \equiv 3 \bmod 4$. Then $p$ remains prime in $\mathbb Z[i]$, by Proposition 3.21.

Suppose
$$p^e \parallel a + ib,$$
ie
$$p^e \mid a + ib \text{ but } p^{e+1} \nmid a + ib.$$
Then
$$p^e \parallel a - ib,$$
since
$$a + ib = p^e\alpha \implies a - ib = p^e\bar\alpha,$$
on taking conjugates. Hence
$$p^{2e} \parallel n = (a + ib)(a - ib),$$
ie $p$ appears in $n$ with even exponent.

We have shown, incidentally, that if $p \equiv 3 \bmod 4$ then
$$p^{2e} \parallel n = a^2 + b^2 \implies p^e \mid a,\ p^e \mid b.$$
In other words, each expression of $n$ as a sum of two squares
$$n = a^2 + b^2$$
is of the form
$$n = (p^e a')^2 + (p^e b')^2,$$
where
$$\frac{n}{p^{2e}} = a'^2 + b'^2.$$
We have shown that each prime $p \equiv 3 \bmod 4$ must occur with even exponent in $n$. Conversely, suppose that this is so.

Each prime $p \equiv 1 \bmod 4$ splits in $\mathbb Z[i]$, by Proposition 3.21, say
$$p = \pi_p\bar\pi_p.$$
Also, 2 ramifies in $\mathbb Z[i]$:
$$2 = -i(1 + i)^2.$$
Now suppose
$$n = 2^{e_2}\, 3^{e_3}\, 5^{e_5} \cdots,$$
where $e_3, e_7, e_{11}, e_{19}, \dots$ are all even, say
$$p \equiv 3 \bmod 4 \implies e_p = 2f_p.$$
Let
$$\alpha = \alpha_2\alpha_3\alpha_5 \cdots,$$
where
$$\alpha_p = \begin{cases} (1 + i)^{e_2} & \text{if } p = 2, \\ \pi_p^{e_p} & \text{if } p \equiv 1 \bmod 4, \\ p^{f_p} & \text{if } p \equiv 3 \bmod 4. \end{cases}$$
Then
$$|\alpha_p| = p^{e_p}$$
in all cases, and so
$$|\alpha| = \prod_p |\alpha_p| = \prod_p p^{e_p} = n.$$
Thus if
$$\alpha = a + bi$$
then
$$n = a^2 + b^2.$$

It's worth noting that this argument actually gives the number of ways of expressing $n$ as a sum of two squares, ie the number of solutions of
$$n = a^2 + b^2 \quad (a, b \in \mathbb Z).$$
For the number of solutions is the number of integers $\alpha \in \mathbb Z[i]$ such that
$$n = |\alpha| = \alpha\bar\alpha.$$
Observe that when $p \equiv 1 \bmod 4$ in the argument above we could equally well have taken
$$\alpha_p = \pi_p^r\bar\pi_p^s$$
for any $r, s \ge 0$ with
$$r + s = e_p.$$
There are just
$$e_p + 1$$
ways of choosing $\alpha_p$ in this way.

It follows from unique factorisation that the choice of the $\alpha_p$ for $p \equiv 1 \bmod 4$ determines $\alpha$ up to a unit, ie the general solution is
$$\alpha = \epsilon\,(1 + i)^{e_2} \prod_{p \equiv 1 \bmod 4} \pi_p^{r_p}\bar\pi_p^{s_p} \prod_{p \equiv 3 \bmod 4} p^{f_p}.$$
Since there are four units, $\pm 1, \pm i$, we conclude that the number of ways of expressing $n$ as a sum of two squares is
$$4 \prod_{p \equiv 1 \bmod 4} (e_p + 1).$$

Note that in this calculation, each solution
$$n = a^2 + b^2$$
with
$$0 < a < b$$
gives rise to 8 solutions:
$$n = (\pm a)^2 + (\pm b)^2,\quad n = (\pm b)^2 + (\pm a)^2.$$
To these must be added solutions with $a = 0$ or with $a = b$. The former occurs only if $n = m^2$, giving 4 additional solutions:
$$n = 0^2 + (\pm m)^2 = (\pm m)^2 + 0^2;$$
while the latter occurs only if $n = 2m^2$, again giving 4 additional solutions:
$$n = (\pm m)^2 + (\pm m)^2.$$
We conclude that the number of solutions with $0 \le a \le b$ is
$$\begin{cases} \dfrac12 \prod_{p \equiv 1 \bmod 4} (e_p + 1) & \text{if } n \ne m^2, 2m^2, \\[1ex] \dfrac12 \Big( \prod_{p \equiv 1 \bmod 4} (e_p + 1) + 1 \Big) & \text{if } n = m^2 \text{ or } 2m^2. \end{cases}$$
This is of course assuming that
$$p \equiv 3 \bmod 4 \implies 2 \mid e_p,$$
without which there are no solutions.

In particular, each prime $p \equiv 1 \bmod 4$ is uniquely expressible as a sum of two squares
$$p = a^2 + b^2 \quad (0 < a < b),$$
eg
$$53 = 2^2 + 7^2.$$
As another example,
$$108 = 2^2 \cdot 3^3$$
cannot be expressed as a sum of two squares, since $e_3 = 3$ is odd.
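The counting formulae of this subsection, checked by exhaustive enumeration, as an added Python example that is not code from the notes. It takes the prime factorisation by trial division (adequate for the small $n$ involved) and reproduces the two examples above, $53 = 2^2 + 7^2$ and the non-representable $108$; all function names are mine.

```python
# Added example (not from the notes): counting representations n = a^2 + b^2
# by the formulae of Section 3.9.1 and checking them against enumeration.
from math import isqrt


def factorise(n):
    """Prime factorisation of n > 0 by trial division, as {p: e}."""
    factors, d = {}, 2
    while d * d <= n:
        while n % d == 0:
            factors[d] = factors.get(d, 0) + 1
            n //= d
        d += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors


def two_square_count(n):
    """Number of (a, b) in Z x Z with a^2 + b^2 = n: 0 if some p ≡ 3 mod 4 has an
    odd exponent, otherwise 4 * prod_{p ≡ 1 mod 4} (e_p + 1)."""
    count = 4
    for p, e in factorise(n).items():
        if p % 4 == 3 and e % 2 == 1:
            return 0
        if p % 4 == 1:
            count *= e + 1
    return count


def two_square_count_brute(n):
    """The same count by enumerating a and testing whether n - a^2 is a square."""
    count = 0
    for a in range(-isqrt(n), isqrt(n) + 1):
        b = isqrt(n - a * a)
        if b * b == n - a * a:
            count += 1 if b == 0 else 2      # b and -b, unless b == 0
    return count


def representations(n):
    """All (a, b) with 0 <= a <= b and a^2 + b^2 = n."""
    reps = []
    for a in range(isqrt(n // 2) + 1):       # a <= b forces a^2 <= n/2
        b = isqrt(n - a * a)
        if b * b == n - a * a and a <= b:
            reps.append((a, b))
    return reps


def ordered_count(n):
    """Number of solutions with 0 <= a <= b by the case formula above: half the
    product, plus one half more when n is a square or twice a square."""
    prod = 1
    for p, e in factorise(n).items():
        if p % 4 == 3 and e % 2 == 1:
            return 0
        if p % 4 == 1:
            prod *= e + 1
    m = isqrt(n)
    is_square = m * m == n
    k = isqrt(n // 2)
    is_twice_square = 2 * k * k == n
    return (prod + 1) // 2 if (is_square or is_twice_square) else prod // 2


def counts_agree(limit=2000):
    """True if both formulae match enumeration for all 1 <= n < limit."""
    return all(two_square_count(n) == two_square_count_brute(n)
               and ordered_count(n) == len(representations(n))
               for n in range(1, limit))


if __name__ == "__main__":
    print("53:", representations(53), two_square_count(53))      # [(2, 7)] 8
    print("108:", representations(108), two_square_count(108))   # [] 0
    print("formulae match enumeration:", counts_agree())
```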
3.9.2 The field $\mathbb Q(\sqrt 3)$

Proposition 3.23 1. The integers in $\mathbb Q(\sqrt 3)$ are the numbers
$$a + b\sqrt 3 \quad (a, b \in \mathbb Z).$$
2. The units in $\mathbb Z[\sqrt 3]$ are the numbers
$$\pm\epsilon^n \quad (n \in \mathbb Z),$$
where
$$\epsilon = 2 + \sqrt 3.$$
3. The ring of integers $\mathbb Z[\sqrt 3]$ is a principal ideal domain (and so a unique factorisation domain).
4. The primes 2 and 3 ramify in $\mathbb Z[\sqrt 3]$:
$$2 = \epsilon^{-1}(1 + \sqrt 3)^2,\quad 3 = (\sqrt 3)^2.$$
The odd prime $p \ne 3$ splits in $\mathbb Z[\sqrt 3]$ if and only if
$$p \equiv \pm 1 \bmod 12,$$
in which case it splits into two conjugate but inequivalent primes:
$$p = \pi\bar\pi.$$

Proof This follows from Propositions 3.4, 3.8, 3.9, 3.11–3.13, and Proposition 3.18.

3.9.3 The field $\mathbb Q(\sqrt 5)$

Proposition 3.24 1. The integers in $\mathbb Q(\sqrt 5)$ are the numbers
$$a + b\phi \quad (a, b \in \mathbb Z),$$
where
$$\phi = \frac{1 + \sqrt 5}{2}.$$
2. The units in $\mathbb Z[\phi]$ are the numbers
$$\pm\phi^n \quad (n \in \mathbb Z).$$
3. The ring of integers $\mathbb Z[\phi]$ is a principal ideal domain (and so a unique factorisation domain).
4. The prime 5 ramifies in $\mathbb Z[\phi]$:
$$5 = (\sqrt 5)^2.$$
The prime $p \ne 5$ splits in $\mathbb Z[\phi]$ if and only if
$$p \equiv \pm 1 \bmod 10,$$
in which case it splits into two conjugate but inequivalent primes:
$$p = \pi\bar\pi.$$

Proof This follows from Propositions 3.4, 3.8, 3.9, 3.11–3.13, and Proposition 3.19.
Chapter 4

Mersenne and Fermat numbers

4.1 Mersenne numbers

Proposition 4.1 If
$$n = a^m - 1 \quad (a, m > 1)$$
is prime then
1. $a = 2$;
2. $m$ is prime.

Proof In the first place,
$$(a - 1) \mid (a^m - 1);$$
so if $a > 2$ then $n$ is certainly not prime.

Suppose $m = rs$, where $r, s > 1$. Evidently
$$(x - 1) \mid (x^s - 1)$$
in $\mathbb Z[x]$; explicitly
$$x^s - 1 = (x - 1)(x^{s-1} + x^{s-2} + x^{s-3} + \dots + 1).$$
Substituting $x = a^r$,
$$(a^r - 1) \mid (a^{rs} - 1) = a^m - 1.$$
Thus if $a^m - 1$ is prime then $m$ has no proper factors, ie $m$ is prime.

Definition 4.1 The numbers
$$M_p = 2^p - 1,$$
where $p$ is prime, are called Mersenne numbers.

The numbers
$$M_2 = 3,\quad M_3 = 7,\quad M_5 = 31,\quad M_7 = 127$$
are all prime. However,
$$M_{11} = 2047 = 23 \cdot 89.$$
(It should be emphasized that Mersenne never claimed the Mersenne numbers were all prime. He listed the numbers $M_p$ for $p \le 257$, indicating which were prime, in his view. His list contained several errors.)

The following heuristic argument suggests that there are probably an infinity of Mersenne primes. (Webster's Dictionary defines heuristic as: providing aid or direction in the solution of a problem but otherwise unjustified or incapable of justification.)

By the Prime Number Theorem, the probability that a large number $n$ is prime is
$$\approx \frac{1}{\log n}.$$
In this estimate we are including even numbers. Thus the probability that an odd number $n$ is prime is
$$\approx \frac{2}{\log n}.$$
Thus the probability that $M_p$ is prime is
$$\approx \frac{2}{p \log 2}.$$
So the expected number of Mersenne primes is
$$\approx \frac{2}{\log 2} \sum \frac{1}{p_n},$$
where $p_n$ is the $n$th prime.

But again by the Prime Number Theorem
$$p_n \sim n \log n.$$
Thus the expected number of Mersenne primes is
$$\approx \frac{2}{\log 2} \sum \frac{1}{n \log n} = \infty,$$
since
$$\sum \frac{1}{n \log n}$$
diverges, eg by comparison with
$$\int^X \frac{dx}{x \log x} = \log\log X + C.$$
4.1.1 The Lucas-Lehmer test

Mersenne numbers are important because there is a simple test, announced by Lucas and proved rigorously by Lehmer, for determining whether or not $M_p$ is prime. (There are many necessary tests for primality, eg if $p$ is prime then
$$2^p \equiv 2 \bmod p.$$
What is rare is to find a necessary and sufficient test for the primality of numbers in a given class, and one which is moreover relatively easy to implement.) For this reason, all recent record primes have been Mersenne primes.

We shall give two slightly different versions of the Lucas-Lehmer test. The first is only valid if $p \equiv 3 \bmod 4$, while the second applies to all Mersenne numbers. The two tests are very similar, and equally easy to implement. We are giving the first only because the proof of its validity is rather simpler. So it should be viewed as an introduction to the second, and true, Lucas-Lehmer test.

Both proofs are based on arithmetic in quadratic fields: the first in $\mathbb Q(\sqrt 5)$, and the second in $\mathbb Q(\sqrt 3)$; and both are based on the following result.

Proposition 4.2 Suppose $\alpha$ is an integer in the field $\mathbb Q(\sqrt m)$; and suppose $P$ is an odd prime with $P \nmid m$. Then
$$\alpha^P \equiv \begin{cases} \alpha & \text{if } \left(\frac{m}{P}\right) = 1, \\ \bar\alpha & \text{if } \left(\frac{m}{P}\right) = -1. \end{cases}$$

Proof Suppose
$$\alpha = a + b\sqrt m,$$
where $a, b$ are integers if $m \not\equiv 1 \bmod 4$, and half-integers if $m \equiv 1 \bmod 4$. In fact these cases do not really differ; for 2 is invertible mod $P$, so we may consider $a$ as an integer mod $P$ if $2a \in \mathbb Z$. Thus
$$\alpha^P \equiv a^P + \binom{P}{1} a^{P-1} b\sqrt m + \binom{P}{2} a^{P-2} b^2 m + \dots + b^P m^{\frac{P-1}{2}}\sqrt m \bmod P.$$
Now
$$P \mid \binom{P}{r}$$
if $1 \le r \le P - 1$. Hence
$$\alpha^P \equiv a^P + b^P m^{\frac{P-1}{2}}\sqrt m \bmod P.$$
By Fermat's Little Theorem,
$$a^P \equiv a \bmod P,\quad b^P \equiv b \bmod P.$$
Also
$$m^{\frac{P-1}{2}} \equiv \left(\frac{m}{P}\right) \bmod P,$$
by Proposition 3.15. Thus
$$\alpha^P \equiv a + b\left(\frac{m}{P}\right)\sqrt m \bmod P,$$
ie
$$\left(\frac{m}{P}\right) = 1 \implies \alpha^P \equiv \alpha \bmod P,\qquad \left(\frac{m}{P}\right) = -1 \implies \alpha^P \equiv \bar\alpha \bmod P.$$

Corollary 4.1 For all integers $\alpha$ in $\mathbb Q(\sqrt m)$,
$$\alpha^{P^2} \equiv \alpha \bmod P.$$
We may regard this as the analogue of Fermat's Little Theorem
$$a^P \equiv a \bmod P$$
for quadratic fields.
There is another way of establishing this result, which we shall sketch briefly. It depends on considering the ring
$$A = \mathbb Z[\theta]/(P)$$
formed by the remainders
$$\alpha \bmod P$$
of integers $\alpha$ in $\mathbb Q(\sqrt m)$.

There are $P^2$ elements in this ring, since each $\alpha \in \mathbb Z[\theta]$ is congruent mod $P$ to just one of the numbers
$$a + b\sqrt m$$
where $a, b \in \mathbb Z$ and
$$0 \le a, b < P.$$
There are no nilpotent elements in the ring $A$ if $P \nmid m$; for if $\alpha = a + b\sqrt m$ then
$$P \mid \alpha^2 \implies P \mid 2ab,\ P \mid a^2 + b^2 m \implies P \mid a, b.$$
Thus
$$\alpha^2 \equiv 0 \bmod P \implies \alpha \equiv 0 \bmod P,$$
from which it follows that, if $n > 0$,
$$\alpha^n \equiv 0 \bmod P \implies \alpha \equiv 0 \bmod P.$$
A ring without non-zero nilpotent elements is said to be semi-simple. It is not hard to show that a finite semi-simple commutative ring is a direct sum of fields.

Now there is just one field (up to isomorphism) containing $p^e$ elements for each prime power $p^e$, namely the galois field $GF(p^e)$. It follows that either
1. $\mathbb Z[\theta]/(P) \cong GF(P^2)$; or
2. $\mathbb Z[\theta]/(P) \cong GF(P) \oplus GF(P)$.

The non-zero elements in $GF(p^e)$ form a multiplicative group $GF(p^e)^\times$ with $p^e - 1$ elements. It follows from Lagrange's Theorem that
$$a \ne 0 \implies a^{p^e - 1} = 1$$
in $GF(p^e)$. Hence
$$a^{p^e} = a$$
for all $a \in GF(p^e)$.

Thus in the first case,
$$\alpha^{P^2} \equiv \alpha$$
for all $\alpha \in \mathbb Z[\theta]/(P)$; while in the second case we even have
$$\alpha^P \equiv \alpha$$
for all $\alpha \in \mathbb Z[\theta]/(P)$, since this holds in each of the constituent fields.

In the first case we can go further. The galois field $GF(p^e)$ is of characteristic $p$, ie
$$pa = a + \dots + a = 0,$$
for all $a \in GF(p^e)$. Also, the map
$$a \mapsto a^p$$
is an automorphism of $GF(p^e)$. (This follows by essentially the same argument that we used above to show that $\alpha^P \equiv \alpha$ or $\bar\alpha$.)

In particular, the map
$$\alpha \mapsto \alpha^P \bmod P$$
is an automorphism of our field
$$\mathbb Z[\theta]/(P).$$
On the other hand, the map
$$\alpha \mapsto \bar\alpha$$
is also an automorphism of $\mathbb Z[\theta]/(P)$, since
$$P \mid \alpha \implies P \mid \bar\alpha.$$
Moreover, this is the only automorphism of $\mathbb Z[\theta]/(P)$ apart from the identity map, since any automorphism must send
$$\sqrt m \bmod P \mapsto \pm\sqrt m \bmod P.$$
The automorphism
$$\alpha \mapsto \alpha^P \bmod P$$
is not the identity map, since the equation
$$x^P - x = 0$$
has at most $P$ solutions in the field $\mathbb Z[\theta]/(P)$. We conclude that
$$\alpha^P \equiv \bar\alpha \bmod P.$$
If $\mathbb Z[\theta]$ is a principal ideal domain the second case arises if and only if $P$ splits, which by Proposition 3.14 occurs when
$$\left(\frac{m}{P}\right) = 1.$$
Explicitly, if
$$P = \pi_1\pi_2,$$
then
$$\mathbb Z[\theta]/(P) \cong \mathbb Z[\theta]/(\pi_1) \oplus \mathbb Z[\theta]/(\pi_2) \cong GF(P) \oplus GF(P).$$
Proposition 4.3 Suppose $p \equiv 3 \bmod 4$. Let the sequence $r_n$ be defined by
$$r_1 = 3,\quad r_{n+1} = r_n^2 - 2.$$
Then $M_p$ is prime if and only if
$$M_p \mid r_{p-1}.$$

Proof We work in the field $\mathbb Q(\sqrt 5)$. By Proposition 3.4, the integers in this field are the numbers
$$a + b\phi \quad (a, b \in \mathbb Z)$$
where
$$\phi = \frac{1 + \sqrt 5}{2}.$$
By Proposition 3.9, there is unique factorisation in the ring of integers $\mathbb Z[\phi]$.

Lemma 4.1 If $r_n$ is the sequence defined in the Proposition then
$$r_n = \phi^{2^n} + \bar\phi^{2^n}$$
for each $n \ge 1$.

Proof of Lemma Let us set
$$s_n = \phi^{2^n} + \phi^{-2^n}$$
for $n \ge 0$. Then
$$s_n^2 = \left(\phi^{2^n} + \phi^{-2^n}\right)^2 = \phi^{2^{n+1}} + 2 + \phi^{-2^{n+1}} = s_{n+1} + 2,$$
ie
$$s_{n+1} = s_n^2 - 2.$$
Also
$$s_0 = \phi + \phi^{-1} = \phi - \bar\phi = \sqrt 5,$$
and so
$$s_1 = s_0^2 - 2 = 3.$$
We conclude that
$$r_n = s_n = \phi^{2^n} + \bar\phi^{2^n}$$
for all $n \ge 1$ (since $\phi^{-1} = -\bar\phi$, the even power $\phi^{-2^n}$ equals $\bar\phi^{2^n}$).

Let us suppose first that $M_p$ is prime. Let us write $P = M_p$.

Lemma 4.2 We have
$$\left(\frac{5}{P}\right) = -1.$$

Proof of Lemma Since
$$2^4 \equiv 1 \bmod 5$$
it follows that
$$2^p \equiv 2^3 \bmod 5 \equiv 3 \bmod 5.$$
Hence
$$P = 2^p - 1 \equiv 2 \bmod 5;$$
and so, by Proposition 3.19,
$$\left(\frac{5}{P}\right) = -1.$$

It follows from this Lemma and Proposition 4.2 that
$$\alpha^P \equiv \bar\alpha \bmod P$$
for all $\alpha \in \mathbb Z[\phi]$. In particular,
$$\phi^P \equiv \bar\phi \bmod P.$$
Hence
$$\phi^{P+1} \equiv \phi\bar\phi \bmod P \equiv |\phi| \bmod P \equiv -1 \bmod P.$$
In other words,
$$\phi^{2^p} \equiv -1 \bmod P.$$
Thus
$$\phi^{2^p} + 1 \equiv 0 \bmod P.$$
Dividing by $\phi^{2^{p-1}}$,
$$\phi^{2^{p-1}} + \phi^{-2^{p-1}} \equiv 0 \bmod P,$$
ie
$$r_{p-1} \equiv 0 \bmod P.$$
Conversely, suppose $P$ is a prime factor of $M_p$. Then
$$M_p \mid r_{p-1} \implies r_{p-1} \equiv 0 \bmod P \implies \phi^{2^{p-1}} + \phi^{-2^{p-1}} \equiv 0 \bmod P \implies \phi^{2^p} + 1 \equiv 0 \bmod P \implies \phi^{2^p} \equiv -1 \bmod P.$$
But this implies that the order of $\phi \bmod P$ is $2^{p+1}$. For
$$\phi^{2^{p+1}} = \left(\phi^{2^p}\right)^2 \equiv 1 \bmod P,$$
so if the order of $\phi \bmod P$ is $d$ then
$$d \mid 2^{p+1} \implies d = 2^e$$
for some $e \le p + 1$; and if $e \le p$ then
$$\phi^{2^p} \equiv 1 \bmod P.$$
On the other hand, by the Corollary to Proposition 4.2,
$$\phi^{P^2} \equiv \phi \bmod P \implies \phi^{P^2 - 1} \equiv 1 \bmod P.$$
Hence
$$2^{p+1} \mid P^2 - 1 = (P + 1)(P - 1).$$
Now
$$\gcd(P + 1, P - 1) = 2.$$
It follows that
$$2^p \mid P + 1 \quad\text{or}\quad 2^p \mid P - 1.$$
The latter is impossible since
$$2^p > M_p \ge P > P - 1;$$
while
$$2^p \mid P + 1 \implies 2^p \le P + 1 \implies M_p = 2^p - 1 \le P \implies P = M_p.$$

Now for the true Lucas-Lehmer test. As we shall see, the proof is a little harder, which is why we gave the earlier version.

Proposition 4.4 Let the sequence $r_n$ be defined by
$$r_1 = 4,\quad r_{n+1} = r_n^2 - 2.$$
Then $M_p$ is prime if and only if
$$M_p \mid r_{p-1}.$$

Proof We work in the field $\mathbb Q(\sqrt 3)$. By Proposition 3.4, the integers in this field are the numbers
$$a + b\sqrt 3 \quad (a, b \in \mathbb Z).$$
By Proposition 3.9, there is unique factorisation in the ring of integers $\mathbb Z[\sqrt 3]$.

We set
$$\tau = 1 + \sqrt 3,\quad \epsilon = 2 + \sqrt 3.$$

Lemma 4.3 The units in $\mathbb Z[\sqrt 3]$ are the numbers
$$\pm\epsilon^n \quad (n \in \mathbb N).$$

Proof of Lemma It is sufficient, by Proposition 3.8, to show that $\epsilon$ is the smallest unit $> 1$. And from the proof of that Proposition, we need only consider units of the form
$$a + b\sqrt 3$$
with $a, b \ge 0$.

Thus the only possible units in the range $(1, \epsilon)$ are $\sqrt 3$ and $1 + \sqrt 3 = \tau$, neither of which is in fact a unit, since
$$|\sqrt 3| = -3,\quad |\tau| = -2,$$
whereas a unit must have norm $\pm 1$, by Proposition 3.6.

Lemma 4.4 If $r_n$ is the sequence defined in the Proposition then
$$r_n = \epsilon^{2^{n-1}} + \bar\epsilon^{2^{n-1}}$$
for each $n \ge 1$.

Proof of Lemma Let us set
$$s_n = \epsilon^{2^{n-1}} + \bar\epsilon^{2^{n-1}}$$
for $n \ge 1$. Then
$$s_n^2 = \left(\epsilon^{2^{n-1}} + \bar\epsilon^{2^{n-1}}\right)^2 = \epsilon^{2^n} + 2 + \bar\epsilon^{2^n} = s_{n+1} + 2,$$
ie
$$s_{n+1} = s_n^2 - 2.$$
Also
$$s_1 = \epsilon + \epsilon^{-1} = \epsilon + \bar\epsilon = 4.$$
We conclude that
$$r_n = s_n = \epsilon^{2^{n-1}} + \bar\epsilon^{2^{n-1}}$$
for all $n \ge 1$.

Suppose first that $P = M_p$ is prime.

Lemma 4.5 We have
$$\left(\frac{3}{P}\right) = -1.$$

Proof of Lemma We have
$$M_p = 2^p - 1 \equiv (-1)^p - 1 \bmod 3 \equiv -1 - 1 \bmod 3 \equiv 1 \bmod 3;$$
while
$$M_p \equiv -1 \bmod 4.$$
By the Chinese Remainder Theorem there is just one remainder mod 12 with these remainders mod 3 and mod 4; and that is $7 \equiv -5 \bmod 12$. For any odd prime $p$,
$$M_p \equiv 7 \bmod 12.$$
Hence
$$\left(\frac{3}{P}\right) = -1$$
by Proposition 3.18.

It follows from this Lemma and Proposition 4.2 that
$$\alpha^P \equiv \bar\alpha \bmod P$$
for all $\alpha \in \mathbb Z[\sqrt 3]$. In particular,
$$\epsilon^P \equiv \bar\epsilon \bmod P.$$
Hence
$$\epsilon^{P+1} \equiv \epsilon\bar\epsilon \bmod P \equiv |\epsilon| \bmod P \equiv 1 \bmod P.$$
In other words,
$$\epsilon^{2^p} \equiv 1 \bmod P.$$
It follows that
$$\epsilon^{2^{p-1}} \equiv \pm 1 \bmod P.$$
We want to show that in fact
$$\epsilon^{2^{p-1}} \equiv -1 \bmod P.$$
This is where things get a little trickier than in the first version of the Lucas-Lehmer test. In effect, we need a number with negative norm. To this end we introduce
$$\tau = 1 + \sqrt 3.$$

Lemma 4.6 1. $|\tau| = -2$.
2. $\tau^2 = 2\epsilon$.

Proof of Lemma This is a matter of simple verification:
$$|\tau| = 1 - 3 = -2,$$
while
$$\tau^2 = (1 + \sqrt 3)^2 = 4 + 2\sqrt 3 = 2\epsilon.$$

By Proposition 4.2,
$$\tau^P \equiv \bar\tau \bmod P,$$
and so
$$\tau^{P+1} \equiv -2 \bmod P,$$
ie
$$\tau^{2^p} \equiv -2 \bmod P.$$
By the Lemma, this can be written
$$(2\epsilon)^{2^{p-1}} \equiv -2 \bmod P,$$
ie
$$2^{2^{p-1}}\epsilon^{2^{p-1}} \equiv -2 \bmod P.$$
But by Proposition 3.14,
$$2^{\frac{P-1}{2}} = 2^{2^{p-1} - 1} \equiv \left(\frac{2}{P}\right) \bmod P \equiv 1 \bmod P,$$
by Proposition 3.17, since
$$P = 2^p - 1 \equiv -1 \bmod 8.$$
Thus
$$2^{2^{p-1}} \equiv 2 \bmod P$$
and so
$$2\epsilon^{2^{p-1}} \equiv -2 \bmod P.$$
Hence
$$\epsilon^{2^{p-1}} \equiv -1 \bmod P.$$
Thus
$$\epsilon^{2^{p-1}} + 1 \equiv 0 \bmod P.$$
Dividing by $\epsilon^{2^{p-2}}$,
$$\epsilon^{2^{p-2}} + \epsilon^{-2^{p-2}} \equiv 0 \bmod P,$$
ie
$$r_{p-1} \equiv 0 \bmod P.$$
Conversely, suppose $P$ is a prime factor of $M_p$. Then
$$M_p \mid r_{p-1} \implies r_{p-1} \equiv 0 \bmod P \implies \epsilon^{2^{p-2}} + \epsilon^{-2^{p-2}} \equiv 0 \bmod P \implies \epsilon^{2^{p-1}} + 1 \equiv 0 \bmod P \implies \epsilon^{2^{p-1}} \equiv -1 \bmod P.$$
But (by the argument we used in the proof of the first Lucas-Lehmer test) this implies that the order of $\epsilon \bmod P$ is $2^p$.

On the other hand, by the Corollary to Proposition 4.2,
$$\epsilon^{P^2} \equiv \epsilon \bmod P \implies \epsilon^{P^2 - 1} \equiv 1 \bmod P.$$
Hence
$$2^p \mid P^2 - 1 = (P + 1)(P - 1).$$
Now
$$\gcd(P + 1, P - 1) = 2.$$
It follows that
$$2^{p-1} \mid P + 1 \quad\text{or}\quad 2^{p-1} \mid P - 1.$$
In either case,
$$2^{p-1} \le P + 1 \implies P \ge 2^{p-1} - 1 = \frac{M_p - 1}{2} \implies P > \frac{M_p}{3} \implies \frac{M_p}{P} < 3.$$
Since $M_p$ is odd, this implies that
$$P = M_p,$$
ie $M_p$ is prime.

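Both versions of the Lucas-Lehmer test, run on every Mersenne number with prime exponent below a bound and compared with trial division, as an added Python example that is not code from the notes. It also evaluates $\phi^{2^n} + \bar\phi^{2^n}$ and $\epsilon^{2^{n-1}} + \bar\epsilon^{2^{n-1}}$ by exact arithmetic in $\mathbb Z[\phi]$ and $\mathbb Z[\sqrt 3]$, confirming Lemmas 4.1 and 4.4 for small $n$; the function names and the bounds are mine, and the special-casing of $p = 2$ is an assumption the propositions leave implicit (their proofs use that $p$ is odd).

```python
# Added example (not from the notes): both Lucas-Lehmer tests of this section,
# plus exact arithmetic in Z[phi] and Z[sqrt 3] confirming Lemmas 4.1 and 4.4.

def mersenne(p):
    return (1 << p) - 1


def lucas_lehmer(p, r1=4):
    """M_p is prime iff M_p | r_{p-1}, where r_1 = r1 and r_{n+1} = r_n^2 - 2.
    r1 = 4 is the true test (Proposition 4.4); r1 = 3 is the first version
    (Proposition 4.3), valid only when p ≡ 3 mod 4. Both propositions assume
    p odd, so p = 2 (M_2 = 3, prime) is handled separately here."""
    if p == 2:
        return True
    modulus = mersenne(p)
    r = r1 % modulus
    for _ in range(p - 2):          # p - 2 steps take r_1 to r_{p-1}
        r = (r * r - 2) % modulus
    return r == 0


def is_prime(n):
    """Trial division; fine for the small numbers used here."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


def mersenne_prime_exponents(limit):
    """Primes p < limit for which the Lucas-Lehmer test declares M_p prime."""
    return [p for p in range(2, limit) if is_prime(p) and lucas_lehmer(p)]


def tests_agree(limit=40):
    """Both versions agree with trial division (the first only where it applies)."""
    for p in range(3, limit):
        if not is_prime(p):
            continue
        if lucas_lehmer(p) != is_prime(mersenne(p)):
            return False
        if p % 4 == 3 and lucas_lehmer(p, 3) != lucas_lehmer(p):
            return False
    return True


def r_sequence(n, r1):
    """r_n as an exact integer."""
    r = r1
    for _ in range(n - 1):
        r = r * r - 2
    return r


def phi_trace(n):
    """phi^(2^n) + phibar^(2^n) with phi = (1 + sqrt 5)/2, computed in Z[phi]
    using phi^2 = phi + 1: Lemma 4.1 says this equals r_n with r_1 = 3."""
    a, b = 0, 1                          # a + b*phi, starting from phi
    for _ in range(n):
        a, b = a * a + b * b, 2 * a * b + b * b      # (a + b phi)^2
    return 2 * a + b                     # trace of a + b*phi is 2a + b


def epsilon_trace(n):
    """eps^(2^(n-1)) + epsbar^(2^(n-1)) with eps = 2 + sqrt 3, computed in
    Z[sqrt 3]: Lemma 4.4 says this equals r_n with r_1 = 4."""
    a, b = 2, 1                          # a + b*sqrt3, starting from eps
    for _ in range(n - 1):
        a, b = a * a + 3 * b * b, 2 * a * b          # (a + b sqrt3)^2
    return 2 * a                         # trace of a + b*sqrt3 is 2a


def lemmas_hold(upto=8):
    return all(phi_trace(n) == r_sequence(n, 3) and epsilon_trace(n) == r_sequence(n, 4)
               for n in range(1, upto + 1))


if __name__ == "__main__":
    print("Mersenne prime exponents below 130:", mersenne_prime_exponents(130))
    print("tests agree:", tests_agree(), "lemmas hold:", lemmas_hold())
```

The reduction mod $M_p$ at every step keeps the numbers to $p$ bits; without it $r_{p-1}$ has about $2^{p-1}$ bits, which is why the sequence is always run modulo $M_p$ in practice.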
4.1.2 Perfect numbers

Mersenne numbers are also of interest because of their intimate connection with perfect numbers.

Definition 4.2 For $n \in \mathbb N$, $n > 0$ we denote the number of divisors of $n$ by $d(n)$, and the sum of these divisors by $\sigma(n)$.

Example: Since 12 has divisors $1, 2, 3, 4, 6, 12$,
$$d(12) = 6,\quad \sigma(12) = 28.$$

Definition 4.3 The number $n \in \mathbb N$ is said to be perfect if
$$\sigma(n) = 2n,$$
ie if $n$ is the sum of its proper divisors.

Example: The number 6 is perfect, since
$$6 = 1 + 2 + 3.$$

Proposition 4.5 If
$$M_p = 2^p - 1$$
is a Mersenne prime then
$$2^{p-1}(2^p - 1)$$
is perfect. Conversely, every even perfect number is of this form.

Proof In number theory, a function $f(n)$ defined on $\{n \in \mathbb N : n > 0\}$ is said to be multiplicative if
$$\gcd(m, n) = 1 \implies f(mn) = f(m)f(n).$$
If the function $f(n)$ is multiplicative, and
$$n = p_1^{e_1} \cdots p_r^{e_r}$$
then
$$f(n) = f(p_1^{e_1}) \cdots f(p_r^{e_r}).$$
Thus the function $f(n)$ is completely determined by its value $f(p^e)$ for prime powers.

Lemma 4.7 The functions $d(n)$ and $\sigma(n)$ are both multiplicative.

Proof of Lemma Suppose $\gcd(m, n) = 1$; and suppose
$$d \mid mn.$$
Then $d$ is uniquely expressible in the form
$$d = d_1 d_2 \quad (d_1 \mid m,\ d_2 \mid n).$$
In fact
$$d_1 = \gcd(d, m),\quad d_2 = \gcd(d, n).$$
It follows that
$$d(mn) = d(m)d(n);$$
and
$$\sigma(mn) = \sum_{d \mid mn} d = \sum_{d_1 \mid m} d_1 \sum_{d_2 \mid n} d_2 = \sigma(m)\sigma(n).$$

Now suppose
$$n = 2^{p-1} M_p$$
where $M_p$ is prime. Since $M_p$ is odd,
$$\gcd(2^{p-1}, M_p) = 1.$$
Hence
$$\sigma(n) = \sigma(2^{p-1})\sigma(M_p).$$
If $P$ is prime then evidently
$$\sigma(P) = 1 + P.$$
On the other hand,
$$\sigma(P^e) = 1 + P + P^2 + \dots + P^e = \frac{P^{e+1} - 1}{P - 1}.$$
In particular,
$$\sigma(2^e) = 2^{e+1} - 1.$$
Thus
$$\sigma(2^{p-1}) = 2^p - 1 = M_p,$$
while
$$\sigma(M_p) = M_p + 1 = 2^p.$$
We conclude that
$$\sigma(n) = 2^p M_p = 2n.$$
Conversely, suppose $n$ is an even perfect number. We can write $n$ (uniquely) in the form
$$n = 2^e m$$
where $m$ is odd. Since $2^e$ and $m$ are coprime,
$$\sigma(n) = \sigma(2^e)\sigma(m) = (2^{e+1} - 1)\sigma(m).$$
On the other hand, if $n$ is perfect then
$$\sigma(n) = 2n = 2^{e+1} m.$$
Thus
$$\frac{2^{e+1} - 1}{2^{e+1}} = \frac{m}{\sigma(m)}.$$
The numerator and denominator on the left are coprime. Hence
$$m = d(2^{e+1} - 1),\quad \sigma(m) = d\,2^{e+1},$$
for some $d \in \mathbb N$ (here $d$ is an integer, not the divisor function).

If $d > 1$ then $m$ has at least the factors $1, d, m$. Thus
$$\sigma(m) \ge 1 + d + m = 1 + d\,2^{e+1},$$
contradicting the value for $\sigma(m)$ we derived earlier.

It follows that $d = 1$. But then
$$\sigma(m) = 2^{e+1} = m + 1.$$
Thus the only factors of $m$ are 1 and $m$, ie
$$m = 2^{e+1} - 1 = M_{e+1}$$
is prime. Setting $e + 1 = p$, we conclude that
$$n = 2^{p-1} M_p,$$
where $M_p$ is prime.

It is an unsolved problem whether or not there are any odd perfect numbers. The first 4 even perfect numbers are
$$2^1 M_2 = 6,\quad 2^2 M_3 = 28,\quad 2^4 M_5 = 496,\quad 2^6 M_7 = 8128.$$
(In fact these are the first 4 perfect numbers, since it is known that any odd perfect number must have at least 300 digits!)
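The divisor functions computed from their prime-power values via multiplicativity (Lemma 4.7), and Proposition 4.5 checked in both directions on the perfect numbers below a bound, as an added Python example that is not code from the notes; the function names and the bound 10000 are mine.

```python
# Added example (not from the notes): d(n) and sigma(n) by multiplicativity,
# the perfect numbers below a bound, and the Euclid-Euler form of Proposition 4.5.

def divisor_functions(n):
    """Return (d(n), sigma(n)) from d(p^e) = e + 1 and
    sigma(p^e) = (p^(e+1) - 1)/(p - 1), multiplied over the prime powers of n."""
    d, s, p = 1, 1, 2
    while p * p <= n:
        if n % p == 0:
            e = 0
            while n % p == 0:
                n //= p
                e += 1
            d *= e + 1
            s *= (p ** (e + 1) - 1) // (p - 1)
        p += 1
    if n > 1:                      # a remaining prime factor to the first power
        d *= 2
        s *= n + 1
    return d, s


def sigma(n):
    return divisor_functions(n)[1]


def is_perfect(n):
    """Definition 4.3: sigma(n) = 2n."""
    return n > 0 and sigma(n) == 2 * n


def perfect_numbers_below(limit):
    return [n for n in range(1, limit) if is_perfect(n)]


def is_prime(n):
    if n < 2:
        return False
    q = 2
    while q * q <= n:
        if n % q == 0:
            return False
        q += 1
    return True


def euclid_euler_form(n):
    """For even n, write n = 2^(p-1) * m with m odd. Return (p, m) when m = M_p
    is prime, the shape Proposition 4.5 forces on every even perfect number;
    otherwise return None."""
    if n <= 0 or n % 2:
        return None
    e, m = 0, n
    while m % 2 == 0:
        m //= 2
        e += 1
    p = e + 1
    if m == (1 << p) - 1 and is_prime(m):
        return p, m
    return None


def proposition_holds(limit=10000):
    """Every even perfect number below limit has the Euclid-Euler form, and every
    2^(p-1) M_p below limit with M_p prime is perfect."""
    evens = [n for n in perfect_numbers_below(limit) if n % 2 == 0]
    if any(euclid_euler_form(n) is None for n in evens):
        return False
    p = 2
    while (1 << (p - 1)) * ((1 << p) - 1) < limit:
        candidate = (1 << (p - 1)) * ((1 << p) - 1)
        if is_prime((1 << p) - 1) and not is_perfect(candidate):
            return False
        p += 1
    return True


if __name__ == "__main__":
    print("d(12), sigma(12):", divisor_functions(12))        # (6, 28)
    print("perfect numbers below 10000:", perfect_numbers_below(10000))
    print("8128 =", euclid_euler_form(8128))                  # (7, 127)
```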
4.2 Fermat numbers

Proposition 4.6 If
$$n = a^m + 1 \quad (a, m > 1)$$
is prime then
1. $a$ is even;
2. $m = 2^e$.

Proof If $a$ is odd then $n$ is even and $> 2$, and so not prime.

Suppose $m$ has an odd factor, say
$$m = rs,$$
where $r$ is odd. Since $x^r + 1 = 0$ when $x = -1$, it follows by the Remainder Theorem that
$$(x + 1) \mid (x^r + 1).$$
Explicitly,
$$x^r + 1 = (x + 1)(x^{r-1} - x^{r-2} + \dots - x + 1).$$
Substituting $x = y^s$,
$$(y^s + 1) \mid (y^m + 1)$$
in $\mathbb Z[y]$. Setting $y = a$,
$$(a^s + 1) \mid (a^{rs} + 1) = (a^m + 1).$$
In particular, $a^m + 1$ is not prime.

Thus if $a^m + 1$ is prime then $m$ cannot have any odd factors. In other words,
$$m = 2^e.$$

Definition 4.4 The numbers
$$F_n = 2^{2^n} + 1 \quad (n = 0, 1, 2, \dots)$$
are called Fermat numbers.

Fermat hypothesized (he didn't claim to have a proof) that all the numbers
$$F_0, F_1, F_2, \dots$$
are prime. In fact this is true for
$$F_0 = 3,\quad F_1 = 5,\quad F_2 = 17,\quad F_3 = 257,\quad F_4 = 65537.$$
However, Euler showed in 1747 that
$$F_5 = 2^{32} + 1 = 4294967297$$
is composite. In fact, no Fermat prime beyond $F_4$ has been found.

The heuristic argument we used above to suggest that the number of Mersenne primes is probably infinite now suggests that the number of Fermat primes is probably finite.

For by the Prime Number Theorem, the probability of $F_n$ being prime is
$$\approx 2/\log F_n \approx 2 \cdot 2^{-n}.$$
Thus the expected number of Fermat primes is
$$\approx 2 \sum 2^{-n} = 4 < \infty.$$
This argument assumes that the Fermat numbers are independent, as far as primality is concerned. It might be argued that our next result shows that this is not so. However, the Fermat numbers are so sparse that this does not really affect our heuristic argument.

Proposition 4.7 The Fermat numbers are coprime, ie
$$\gcd(F_m, F_n) = 1$$
if $m \ne n$.

Proof Suppose
$$\gcd(F_m, F_n) > 1.$$
Then we can find a prime $p$ (which must be odd) such that
$$p \mid F_m,\quad p \mid F_n.$$
Now the numbers $1, 2, \dots, p - 1$ form a group $(\mathbb Z/p)^\times$ under multiplication mod $p$. Since $p \mid F_m$,
$$2^{2^m} \equiv -1 \bmod p.$$
It follows that the order of $2 \bmod p$ (ie the order of 2 in $(\mathbb Z/p)^\times$) is exactly $2^{m+1}$. For certainly
$$2^{2^{m+1}} = \left(2^{2^m}\right)^2 \equiv 1 \bmod p;$$
and so the order of 2 divides $2^{m+1}$, ie it is $2^e$ for some $e \le m + 1$. But if $e \le m$ then
$$2^{2^m} \equiv 1 \bmod p,$$
whereas we just saw that the left hand side was $\equiv -1 \bmod p$. We conclude that the order must be $2^{m+1}$.

But by the same token, the order is also $2^{n+1}$. This is a contradiction, unless $m = n$.

We can use this result to give a second proof of Euclid's Theorem that there are an infinity of primes.

Proof Each Fermat number $F_n$ has at least one prime divisor, say $q_n$. But by the last Proposition, the primes
$$q_0, q_1, q_2, \dots$$
are all distinct.
We end with a kind of pale imitation of the Lucas-Lehmer test, but now applied to Fermat numbers.

Proposition 4.8 The Fermat number
$$F_n = 2^{2^n} + 1$$
is prime if and only if
$$3^{\frac{F_n - 1}{2}} \equiv -1 \bmod F_n.$$

Proof Suppose $P = F_n$ is prime.

Lemma 4.8 We have
$$F_n \equiv 5 \bmod 12.$$

Proof of Lemma Evidently
$$F_n \equiv 1 \bmod 4;$$
while
$$F_n \equiv (-1)^{2^n} + 1 \bmod 3 \equiv 2 \bmod 3.$$
By the Chinese Remainder Theorem these two congruences determine $F_n \bmod 12$; and observation shows that
$$F_n \equiv 5 \bmod 12.$$

It follows from this Lemma, and Proposition 3.18, that
$$\left(\frac{3}{P}\right) = -1.$$
Hence
$$3^{\frac{P-1}{2}} \equiv -1 \bmod P$$
by Proposition 3.14.

Conversely, suppose
$$3^{\frac{F_n - 1}{2}} \equiv -1 \bmod F_n;$$
and suppose $P$ is a prime factor of $F_n$. Then
$$3^{\frac{F_n - 1}{2}} \equiv -1 \bmod P,$$
ie
$$3^{2^{2^n - 1}} \equiv -1 \bmod P.$$
It follows (as in the proof of the Lucas-Lehmer theorems) that the order of $3 \bmod P$ is
$$2^{2^n}.$$
But by Fermat's Little Theorem,
$$3^{P-1} \equiv 1 \bmod P.$$
Hence
$$2^{2^n} \mid P - 1,$$
ie
$$F_n - 1 \mid P - 1.$$
Since $P \mid F_n$ this implies that
$$F_n = P,$$
ie $F_n$ is prime.

This test is more-or-less useless, even for quite small $n$, since it will take an inordinate time to compute the power, even working modulo $F_n$. However, it does give a short proof (which we leave to the reader) that $F_5$ is composite.

It may be worth noting why this test is simpler than its Mersenne analogue. In the case of Mersenne primes $P = M_p$ we had to introduce quadratic fields because the analogue of Fermat's Little Theorem,
$$\alpha^{P^2 - 1} \equiv 1 \bmod P,$$
then allowed us to find elements of order $P + 1 = 2^p$. In the case of Fermat primes $P = F_n$ Fermat's Little Theorem
$$a^{P-1} = a^{2^{2^n}} \equiv 1 \bmod P$$
suffices.
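Proposition 4.8 (Pépin's test) run on $F_1, \dots, F_5$, the pairwise coprimality of Proposition 4.7, and the order-of-3 step from the proof, as an added Python example that is not code from the notes. The power is taken by square-and-multiply modular exponentiation (Python's `pow` with a modulus), which makes the exponent $2^{31}$ of the $F_5$ case immediate on a machine; the text's remark about the cost refers to hand computation. The function names are mine, and $n \ge 1$ is assumed because $F_0 = 3$ is the base itself.

```python
# Added example (not from the notes): Fermat numbers, Pepin's test
# (Proposition 4.8), the coprimality of Proposition 4.7, and the order of 3.
from math import gcd


def fermat_number(n):
    return (1 << (1 << n)) + 1


def pepin_test(n):
    """F_n is prime iff 3^((F_n - 1)/2) ≡ -1 mod F_n. Assumes n >= 1: F_0 = 3 is
    the base itself, and Lemma 4.8 (F_n ≡ 5 mod 12) already fails for it."""
    if n == 0:
        raise ValueError("Pepin's test applies to F_n with n >= 1")
    f = fermat_number(n)
    return pow(3, (f - 1) // 2, f) == f - 1


def smallest_prime_factor(n):
    """Trial division up to sqrt(n); returns n itself when n is prime."""
    d = 2
    while d * d <= n:
        if n % d == 0:
            return d
        d += 1
    return n


def fermat_numbers_coprime(k):
    """Proposition 4.7 checked on F_0, ..., F_(k-1)."""
    fs = [fermat_number(i) for i in range(k)]
    return all(gcd(fs[i], fs[j]) == 1 for i in range(k) for j in range(i + 1, k))


def multiplicative_order(a, n):
    """Least t > 0 with a^t ≡ 1 mod n (gcd(a, n) = 1 assumed)."""
    t, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        t += 1
    return t


def order_of_three_is_f_minus_one(n):
    """In the proof of Proposition 4.8 the order of 3 mod a prime F_n is 2^(2^n) = F_n - 1."""
    f = fermat_number(n)
    return multiplicative_order(3, f) == f - 1


if __name__ == "__main__":
    print([pepin_test(n) for n in range(1, 6)])            # F_1..F_4 prime, F_5 not
    print("smallest prime factor of F_5 =", smallest_prime_factor(fermat_number(5)))
    print("F_0..F_6 pairwise coprime:", fermat_numbers_coprime(7))
```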
Chapter 5
Primality
5.1 The Fermat test
Suppose p is an odd prime; and suppose gcd(a, p) = 1, ie p a. Then
a
p1
1 mod p
by Fermats Little Theorem.
Denition 5.1 Suppose n is an odd number > 1. Then we say that n is a pseudo-
prime to base a (or an a-pseudoprime) if
a
n1
1 mod n.
Fermats Little Theorem can be restated as
Proposition 5.1 If n is an odd prime then it is a pseudoprime to all bases a co-
prime to n.
This provides a necessary test for primality, which we may call the Fermat
test.
It is reasonable to suppose that if we perform the test repeatedly with coprime
bases then the results will be independent; so each success will increase the prob-
ability that n is prime while a failure of course will prove that n is composite.
Unfortunately, there is a aw in this argument. The test may succeed for all
bases coprime to n even if n is composite.
5.2 Carmichael numbers
Definition 5.2 Suppose $n$ is an odd number $> 1$. Then we say that $n$ is a Carmichael number if $n$ is not a prime, but is a pseudoprime to all bases $a$ coprime to $n$, ie
$$\gcd(a, n) = 1 \implies a^{n-1} \equiv 1 \bmod n.$$
Recall the definition of Euler's function $\varphi(n)$: for $n \ge 1$,
$$\varphi(n) = |\{1 \le i \le n : \gcd(i, n) = 1\}|,$$
ie $\varphi(n)$ is the number of congruence classes mod $n$ coprime to $n$. Thus
$$\varphi(1) = 1,\ \varphi(2) = 1,\ \varphi(3) = 2,\ \varphi(4) = 2,\ \varphi(5) = 4,\ \varphi(6) = 2,\ \ldots.$$
Euler's function is multiplicative in the number-theoretic sense:
$$\gcd(m, n) = 1 \implies \varphi(mn) = \varphi(m)\varphi(n).$$
For according to the Chinese Remainder Theorem, each pair of remainders $a \bmod m$, $b \bmod n$ determines a unique remainder $c \bmod mn$; and it is easy to see that
$$\gcd(c, mn) = 1 \iff \gcd(a, m) = 1 \text{ and } \gcd(b, n) = 1.$$
If $p$ is a prime then
$$\varphi(p^e) = p^{e-1}(p - 1).$$
For $i$ is coprime to $p^e$ unless $p \mid i$. Thus all the numbers $i \in [1, p^e]$ are coprime to $p^e$ except for the $p^{e-1}$ multiples of $p$. Hence
$$\varphi(p^e) = p^e - p^{e-1} = p^{e-1}(p - 1).$$
Putting together these results, we see that if
$$n = p_1^{e_1} \cdots p_r^{e_r}$$
then
$$\varphi(n) = p_1^{e_1 - 1}(p_1 - 1) \cdots p_r^{e_r - 1}(p_r - 1).$$
The congruence classes mod $n$ form a ring $\mathbb{Z}/(n)$ with $n$ elements
$$\bar{0}, \bar{1}, \ldots, \overline{n-1}.$$
The invertible elements (or units) in this ring form a multiplicative group $(\mathbb{Z}/n)^\times$.
The importance of Euler's function for us is that this group contains $\varphi(n)$ elements:
$$|(\mathbb{Z}/n)^\times| = \varphi(n).$$
This follows from the fact that $a$ is invertible mod $n$ if and only if $\gcd(a, n) = 1$.
For certainly $a$ cannot be invertible if $\gcd(a, n) = d > 1$: if
$$ab \equiv 1 \bmod n$$
then
$$d \mid a,\ d \mid n \implies d \mid 1.$$
Conversely, suppose $\gcd(a, n) = 1$. Consider the map
$$x \mapsto ax : \mathbb{Z}/(n) \to \mathbb{Z}/(n).$$
This map is injective, since
$$ax = 0 \implies n \mid ax \implies n \mid x \implies x = 0.$$
It is therefore surjective; and in particular
$$ax = 1$$
for some $x$, ie $a$ is invertible.
But now it follows from Lagrange's Theorem on the order of elements in finite groups that
$$a^{\varphi(n)} \equiv 1 \bmod n$$
for all $a$ coprime to $n$. (We may regard this as an extension of Fermat's Little Theorem to composite moduli.)
Proposition 5.2 The integer $n > 1$ is a Carmichael number if and only if
1. $n$ is square-free, ie
$$n = p_1 \cdots p_r$$
where $p_1, \ldots, p_r$ are distinct primes; and
2. For each $i$ ($1 \le i \le r$),
$$p_i - 1 \mid n - 1.$$
Proof Suppose first that $n$ has these properties; and suppose that $\gcd(a, n) = 1$. Then $\gcd(a, p_i) = 1$ for each $i$, and so
$$a^{p_i - 1} \equiv 1 \bmod p_i,$$
by Fermat's Little Theorem. Hence
$$a^{n-1} \equiv 1 \bmod p_i$$
since $p_i - 1 \mid n - 1$. Since this holds for all $i$,
$$a^{n-1} \equiv 1 \bmod n.$$
Thus $n$ is a Carmichael number.
Suppose conversely that $n$ is a Carmichael number. First we show that $n$ is square-free.
Lemma 5.1 Suppose $A$ is an abelian group; and suppose $p \mid |A|$, where $p$ is a prime. Then $A$ contains an element of order $p$.
Proof of Lemma We argue by induction on $|A|$. The result follows by Lagrange's Theorem if $|A| = p$.
If $|A| > p$, take any element $a \in A$, $a \ne 0$. Suppose $a$ is of order $e$. If $p \mid e$, say
$$e = pr$$
then $a^r$ is of order $p$.
If $p \nmid e$, let $B$ be the quotient-group
$$B = A/\langle a \rangle.$$
Since
$$p \mid |B| = |A|/e$$
it follows from the inductive hypothesis that $B$ has an element, $\bar{b}$ say, of order $p$. Then the order of $b$ is a multiple of $p$, say $pr$, and $b^r$ has order $p$, as before.
Remark: In fact this result holds for any finite group $G$: if $p \mid |G|$ then $G$ contains an element of order $p$. This follows from Sylow's Theorem.
In the abelian case the result also follows immediately from the Structure Theorem for Finite Abelian Groups, which states that such a group $A$ is a product of cyclic groups of prime-power order:
$$A = \mathbb{Z}/(p_1^{e_1}) \times \cdots \times \mathbb{Z}/(p_r^{e_r}).$$
If $p \mid |A|$ then $p = p_i$ for some $i$; and $p^{e-1}$ is an element of order $p$ in $\mathbb{Z}/(p^e)$.
Returning to the proof of the Proposition, if a prime, say $p = p_1$, occurs as a square or higher power in $n$, then
$$p \mid \varphi(n).$$
Hence, by the Lemma, there is an element $a$ of order $p$ in $(\mathbb{Z}/n)^\times$. Since
$$a^{n-1} \equiv 1 \bmod n,$$
it follows that
$$p \mid n - 1,$$
which cannot be true since $p \mid n$.
Thus
$$n = p_1 \cdots p_r,$$
where $p_1, \ldots, p_r$ are distinct primes.
Recall that the exponent $e$ of a finite group $G$ is the smallest number $e > 0$ such that
$$g^e = 1$$
for all $g \in G$. By Lagrange's Theorem,
$$e \mid |G|.$$
Lemma 5.2 If $p$ is a prime then the exponent of the group $(\mathbb{Z}/p)^\times$ is $p - 1$.
Proof of Lemma Suppose $G = (\mathbb{Z}/p)^\times$ has exponent $e$. Then the $p - 1$ elements $a \in G$ are all roots of the polynomial equation
$$x^e - 1 = 0$$
over the field
$$\mathbb{F}_p = \mathbb{Z}/(p).$$
But a polynomial equation of degree $d$ has at most $d$ roots. Hence
$$p - 1 \le e.$$
Since $e \mid p - 1$ it follows that
$$e = p - 1.$$
□
Remark: It is not hard to show that an abelian group of exponent $e$ must contain an element of order $e$. It follows that the group $(\mathbb{Z}/p)^\times$ is cyclic. (The generators of this group are called primitive roots mod $p$.) However, the Lemma above is sufficient for our purposes.
Returning to the proof of the Proposition, suppose $a$ is coprime to $p_i$. By the Chinese Remainder Theorem we can find $b$ such that
$$b \equiv a \bmod p_i, \quad b \equiv 1 \bmod p_j \ (j \ne i).$$
Then $b$ is coprime to $n$. Hence
$$b^{n-1} \equiv 1 \bmod n,$$
since $n$ is a Carmichael number. Thus
$$a^{n-1} \equiv b^{n-1} \equiv 1 \bmod p_i$$
so if $e$ is the exponent of the group $(\mathbb{Z}/p_i)^\times$ then
$$e \mid n - 1.$$
Hence, by the Lemma,
$$p_i - 1 \mid n - 1.$$
□
Example: Let
$$n = 3 \cdot 11 \cdot 17 = 561.$$
Then
$$n - 1 = 560 = 2^4 \cdot 5 \cdot 7.$$
Since
$$3 - 1,\ 11 - 1,\ 17 - 1 \mid n - 1 = 560,$$
$n = 561$ is a Carmichael number.
It was generally believed that there were only a finite number of Carmichael numbers, until Pomerance et al proved in 1993 that there are in fact an infinite number.
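The Fermat test of Section 5.1, Euler's function and the criterion of Proposition 5.2, carried out in Python on $n = 561$; this is an added example, not code from the lecture notes, and the function names are my own.

```python
# Added example (not code from the lecture notes): the Fermat test of Section 5.1,
# Euler's function, and the Carmichael criterion of Proposition 5.2, run on n = 561.
from math import gcd


def is_fermat_pseudoprime(n, a):
    """Definition 5.1: n is a pseudoprime to base a if a^(n-1) = 1 (mod n)."""
    return pow(a, n - 1, n) == 1


def fermat_test(n, bases):
    """The Fermat test: False (n is certainly composite) on the first failing
    base, True if n is a pseudoprime to every base tried."""
    for a in bases:
        if gcd(a, n) != 1:       # a common factor already shows n is composite
            return False
        if not is_fermat_pseudoprime(n, a):
            return False
    return True


def factor(n):
    """Trial-division factorisation of n as a list of (prime, exponent) pairs."""
    fs, p = [], 2
    while p * p <= n:
        e = 0
        while n % p == 0:
            n //= p
            e += 1
        if e:
            fs.append((p, e))
        p += 1
    if n > 1:
        fs.append((n, 1))
    return fs


def euler_phi(n):
    """phi(n) = product of p^(e-1) (p - 1) over the prime-power factors of n."""
    result = 1
    for p, e in factor(n):
        result *= p ** (e - 1) * (p - 1)
    return result


def fermat_liars(n):
    """Bases 1 <= a < n coprime to n that the Fermat test passes; for a
    Carmichael number this is all of (Z/n)^x, so it has phi(n) elements."""
    return [a for a in range(1, n) if gcd(a, n) == 1 and is_fermat_pseudoprime(n, a)]


def is_carmichael(n):
    """Proposition 5.2: odd composite n is a Carmichael number iff it is
    square-free and p - 1 divides n - 1 for every prime p dividing n."""
    if n < 3 or n % 2 == 0:
        return False
    fs = factor(n)
    if len(fs) < 2:              # a prime or a prime power is never Carmichael
        return False
    return all(e == 1 and (n - 1) % (p - 1) == 0 for p, e in fs)
```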
5.3 The Miller-Rabin test
Proposition 5.3 Suppose $p$ is an odd prime. Let
$$p - 1 = 2^e m,$$
where $m$ is odd. Suppose $\gcd(a, p) = 1$. Then either
$$a^m \equiv 1 \bmod p$$
or else
$$a^{2^i m} \equiv -1 \bmod p$$
for some $i$ with $0 \le i \le e - 1$.
Proof By Fermat's Little Theorem,
$$a^{p-1} \equiv 1 \bmod p.$$
Thus
$$\left(a^{\frac{p-1}{2}}\right)^2 \equiv 1 \bmod p.$$
Hence
$$a^{\frac{p-1}{2}} \equiv \pm 1 \bmod p.$$
We know how to distinguish these two cases:
$$a^{\frac{p-1}{2}} \equiv \left(\frac{a}{p}\right) \bmod p,$$
by Proposition 3.15.
But now suppose
$$a^{\frac{p-1}{2}} \equiv 1 \bmod p,$$
which as we have seen is the case if $a$ is a quadratic residue mod $p$; and suppose $p \equiv 1 \bmod 4$. Then
$$\left(a^{\frac{p-1}{4}}\right)^2 \equiv 1 \bmod p;$$
and so
$$a^{\frac{p-1}{4}} \equiv \pm 1 \bmod p.$$
Repeating this argument, we either reach a point where we cannot divide the exponent by 2, ie the exponent has been reduced to $m$ and
$$a^m \equiv 1 \bmod p;$$
or else
$$a^{2^i m} \equiv -1 \bmod p$$
for some $i \in [0, e - 1]$.
Definition 5.3 Suppose $n$ is an odd integer $> 1$. Let
$$n - 1 = 2^e m,$$
where $m$ is odd. Suppose $\gcd(a, n) = 1$. Then $n$ is said to be a strong pseudoprime to base $a$ if either
$$a^m \equiv 1 \bmod n$$
or else
$$a^{2^i m} \equiv -1 \bmod n$$
for some $i$ with $0 \le i \le e - 1$.
We can re-state the last Proposition as
Proposition 5.4 An odd prime p is a strong pseudoprime to each base a with
gcd(a, p) = 1.
Proposition 5.5 Suppose n is an odd integer > 1. If n is a strong pseudoprime to
each base a with gcd(a, n) = 1 then n is prime.
Proof Suppose $n$ is composite. Then either $n$ is a prime-power,
$$n = p^e \quad (e > 1),$$
or else $n$ has two distinct prime factors, $p$ and $q$.
Let us deal with the second case first. Suppose $\gcd(a, n) = 1$. Let the orders of $a$ modulo $p, q, n$ be $r, s, t$, respectively. Then
$$r \mid t, \quad s \mid t,$$
since $p \mid n$, $q \mid n$.
We are actually interested only in the powers of 2 dividing these orders. Let us set
$$v_2(u) = e$$
if
$$2^e \| u,$$
ie $2^e$ is the highest power of 2 dividing $u$. Then
$$v_2(r) \le v_2(t), \quad v_2(s) \le v_2(t),$$
since $r \mid t$, $s \mid t$.
Lemma 5.3 Suppose $n$ is a pseudoprime to base $a$, ie
$$a^{n-1} \equiv 1 \bmod n.$$
Then
$$v_2(t) \le v_2(n - 1).$$
Proof of Lemma We have
$$a^{n-1} \equiv 1 \bmod n \implies t \mid n - 1 \implies v_2(t) \le v_2(n - 1).$$
□
Lemma 5.4 Suppose $p$ is an odd prime; and suppose $\gcd(a, p) = 1$. Let the order of $a$ mod $p$ be $r$. Then
$$v_2(r) \begin{cases} < v_2(p - 1) & \text{if } \left(\frac{a}{p}\right) = 1, \\ = v_2(p - 1) & \text{if } \left(\frac{a}{p}\right) = -1. \end{cases}$$
Proof of Lemma By Proposition 3.14,
$$a^{\frac{p-1}{2}} \equiv \left(\frac{a}{p}\right) \bmod p.$$
Thus if
$$\left(\frac{a}{p}\right) = 1$$
then
$$r \mid \frac{p-1}{2} \implies v_2(r) \le v_2\left(\frac{p-1}{2}\right) = v_2(p - 1) - 1.$$
On the other hand if
$$\left(\frac{a}{p}\right) = -1$$
then
$$a^{p-1} \equiv 1 \bmod p, \quad a^{\frac{p-1}{2}} \not\equiv 1 \bmod p.$$
Thus
$$r \mid p - 1, \quad r \nmid \frac{p-1}{2}.$$
It follows that
$$v_2(r) = v_2(p - 1).$$
□
By the Chinese Remainder Theorem we can find $a$ coprime to $n$ such that
$$\left(\frac{a}{p}\right) = -1, \quad \left(\frac{a}{q}\right) = 1,$$
ie $a$ is a quadratic residue mod $q$, and a quadratic non-residue mod $p$. (We label the two primes so that $v_2(q - 1) \le v_2(p - 1)$.)
By the last Lemma,
$$0 \le v_2(s) < v_2(r) = v_2(p - 1) \le v_2(t).$$
Now suppose $n$ is a strong pseudoprime to base $a$. Let
$$n - 1 = 2^e m,$$
where $m$ is odd. If
$$a^m \equiv 1 \bmod n$$
then $a$ has odd order mod $n$, ie
$$v_2(t) = 0.$$
Hence $a$ has odd order mod $p$, ie
$$v_2(r) = 0.$$
But that is impossible, since
$$v_2(r) = v_2(p - 1) > 0.$$
Thus
$$a^{2^i m} \equiv -1 \bmod n$$
for some $i \in [0, e)$. Hence
$$a^{2^i m} \equiv -1 \bmod p, \quad a^{2^i m} \equiv -1 \bmod q.$$
Lemma 5.5 Suppose
$$a^{2^i m} \equiv -1 \bmod n,$$
where $m$ is odd. Let the order of $a$ mod $n$ be $t$. Then
$$v_2(t) = i + 1.$$
Proof of Lemma We have
$$a^{2^{i+1} m} = \left(a^{2^i m}\right)^2 \equiv 1 \bmod n.$$
Hence
$$t \mid 2^{i+1} m, \quad t \nmid 2^i m.$$
It follows that
$$v_2(t) = i + 1.$$
□
Applying this Lemma with moduli $p, q, n$,
$$v_2(r) = v_2(s) = v_2(t) = i + 1.$$
But that is a contradiction, since
$$v_2(s) < v_2(p - 1) = v_2(r).$$
We conclude that $n$ is not a strong pseudoprime to base $a$.
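The strong-pseudoprime test of Definition 5.3, together with the $v_2$ bookkeeping of the proof above, as an added Python example (not code from the notes; the function names are my own). It shows that 561, which fools the Fermat test for every coprime base, is exposed by the Miller-Rabin test with base 2, and that a single base is not enough in general.

```python
# Added example (not code from the lecture notes): the strong-pseudoprime test of
# Definition 5.3, the v_2 bookkeeping used in the proof of Proposition 5.5, and a
# Miller-Rabin run on the Carmichael number 561, which the Fermat test cannot catch.
from math import gcd

def split_power_of_two(u):
    """Write u = 2^e * m with m odd and return (e, m); e is v_2(u) as defined above."""
    e = 0
    while u % 2 == 0:
        u //= 2
        e += 1
    return e, u

def is_strong_pseudoprime(n, a):
    """Definition 5.3, for odd n > 1 and gcd(a, n) = 1: a^m = 1 (mod n), or
    a^(2^i m) = -1 (mod n) for some 0 <= i <= e - 1, where n - 1 = 2^e m."""
    e, m = split_power_of_two(n - 1)
    x = pow(a, m, n)                  # x = a^m mod n
    if x == 1 or x == n - 1:
        return True
    for _ in range(e - 1):            # square through i = 1, ..., e - 1
        x = x * x % n
        if x == n - 1:
            return True
    return False

def multiplicative_order(a, n):
    """Order t of a in (Z/n)^x by brute force; fine for the small n used here."""
    t, x = 1, a % n
    while x != 1:
        x = x * a % n
        t += 1
    return t

def v2_of_order(a, n):
    """v_2 of the order of a mod n; Lemma 5.5 says this is i + 1 when a^(2^i m) = -1."""
    return split_power_of_two(multiplicative_order(a, n))[0]

def miller_rabin(n, bases):
    """False as soon as some base witnesses that n is composite; True if n is a
    strong pseudoprime to every base tried (a probable prime, not a proof)."""
    if n < 3 or n % 2 == 0:
        return n == 2
    for a in bases:
        a %= n
        if a == 0:
            continue
        if gcd(a, n) != 1 or not is_strong_pseudoprime(n, a):
            return False
    return True
```

For 561 and base 2 the successive powers $2^{35}, 2^{70}, 2^{140}, 2^{280}$ are $263, 166, 67, 1$ mod 561, so $-1$ never appears and base 2 is a witness; 2047 $= 23 \cdot 89$ is a strong pseudoprime to base 2 but is caught by base 3.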
5.4 The Jacobi symbol
If $p$ is an odd prime and $\gcd(a, p) = 1$ then
$$a^{\frac{p-1}{2}} \equiv \left(\frac{a}{p}\right) \bmod p,$$
by Proposition 3.15.
We cannot use this as a test of primality as it stands, since the Legendre symbol has only been defined when $p$ is prime. Jacobi's extension of the Legendre symbol overcomes this problem.
Definition 5.4 Suppose $n \in \mathbb{N}$ is odd. Let
$$n = p_1 \cdots p_r,$$
where $p_1, \ldots, p_r$ are primes (not necessarily distinct). Then we set
$$\left(\frac{a}{n}\right) = \left(\frac{a}{p_1}\right) \cdots \left(\frac{a}{p_r}\right).$$
Remarks:
1. Note that Jacobi's symbol does extend the Legendre symbol; if $n$ is prime the two coincide.
2. Note too that
$$\left(\frac{a}{n}\right) = 0$$
if $a, n$ are not coprime.
3. Suppose
$$n = p_1^{e_1} \cdots p_r^{e_r}.$$
Then $a$ is a quadratic residue mod $n$ if and only if it is a quadratic residue mod $p_i^{e_i}$ for $i = 1, \ldots, r$.
This implies that $a$ is a quadratic residue mod $p_i$ for each $i$; and so
$$\left(\frac{a}{n}\right) = 1.$$
But the converse does not hold;
$$\left(\frac{a}{n}\right) = 1$$
does not imply that $a$ is a quadratic residue mod $n$.
For example,
$$\left(\frac{8}{15}\right) = \left(\frac{8}{3}\right)\left(\frac{8}{5}\right) = \left(\frac{2}{3}\right)\left(\frac{3}{5}\right) = (-1)(-1) = 1,$$
while 8 is not a quadratic residue mod 15 since it is not a quadratic residue mod 3.
Many of the basic properties of the Legendre symbol carry over to the Jacobi
symbol, as the next few Propositions show.
Proposition 5.6 1. If $m, n \in \mathbb{N}$ are both odd then
$$\left(\frac{a}{mn}\right) = \left(\frac{a}{m}\right)\left(\frac{a}{n}\right).$$
2. For all $a, b$,
$$\left(\frac{ab}{n}\right) = \left(\frac{a}{n}\right)\left(\frac{b}{n}\right).$$
Proof The first result follows at once from the definition. The second follows from the corresponding result for the Legendre symbol.
Proposition 5.7 If
$$a \equiv b \bmod n$$
then
$$\left(\frac{a}{n}\right) = \left(\frac{b}{n}\right).$$
Proof This follows from the corresponding result for the Legendre symbol, since
$$a \equiv b \bmod n \implies a \equiv b \bmod p_i$$
for each $p_i \mid n$.
Proposition 5.8 Suppose $m, n \in \mathbb{N}$ are odd. Then
$$\left(\frac{n}{m}\right) = \begin{cases} \left(\frac{m}{n}\right) & \text{if } m \equiv 1 \bmod 4 \text{ or } n \equiv 1 \bmod 4, \\ -\left(\frac{m}{n}\right) & \text{if } m \equiv n \equiv 3 \bmod 4. \end{cases}$$
Proof If $m, n$ are not coprime then both sides are 0; so we may assume that $\gcd(m, n) = 1$. We have to show that
$$\left(\frac{m}{n}\right)\left(\frac{n}{m}\right) = (-1)^{\frac{m-1}{2} \cdot \frac{n-1}{2}}.$$
Suppose
$$m = p_1 \cdots p_r, \quad n = q_1 \cdots q_s$$
(where the primes in each case are not necessarily distinct). By Proposition 5.6,
$$\left(\frac{m}{n}\right)\left(\frac{n}{m}\right) = \prod_{i,j} \left(\frac{p_i}{q_j}\right)\left(\frac{q_j}{p_i}\right) = \prod_{i,j} (-1)^{\frac{p_i - 1}{2} \cdot \frac{q_j - 1}{2}},$$
by the Quadratic Reciprocity Theorem (Proposition 3.20).
Thus we have to prove that
$$\frac{m-1}{2} \cdot \frac{n-1}{2} \equiv \sum_{i,j} \frac{p_i - 1}{2} \cdot \frac{q_j - 1}{2} \bmod 2,$$
ie
$$(m-1)(n-1) \equiv \sum_{i,j} (p_i - 1)(q_j - 1) \bmod 8.$$
Lemma 5.6 If $a, b \in \mathbb{Z}$ are odd then
$$ab - 1 \equiv (a - 1) + (b - 1) \bmod 4.$$
Proof of Lemma Since $a, b$ are odd,
$$(a - 1)(b - 1) \equiv 0 \bmod 4,$$
ie
$$ab + 1 \equiv a + b \bmod 4,$$
from which the result follows.
It follows by repeated application of the Lemma that
$$a_1 \cdots a_t - 1 \equiv \sum_i (a_i - 1) \bmod 4.$$
In particular,
$$m - 1 \equiv (p_1 - 1) + \cdots + (p_r - 1) \bmod 4.$$
Since $n - 1$ is even, this implies that
$$(m-1)(n-1) \equiv (p_1 - 1)(n-1) + \cdots + (p_r - 1)(n-1) \bmod 8.$$
Again, by the Lemma,
$$n - 1 \equiv (q_1 - 1) + \cdots + (q_s - 1) \bmod 4;$$
and therefore, since $p_i - 1$ is even,
$$(p_i - 1)(n-1) \equiv (p_i - 1)(q_1 - 1) + \cdots + (p_i - 1)(q_s - 1) \bmod 8.$$
Putting these results together,
$$(m-1)(n-1) \equiv \sum_{i,j} (p_i - 1)(q_j - 1) \bmod 8,$$
as required.
Proposition 5.9 Suppose $n \in \mathbb{N}$ is odd. Then
$$\left(\frac{-1}{n}\right) = \begin{cases} 1 & \text{if } n \equiv 1 \bmod 4, \\ -1 & \text{if } n \equiv 3 \bmod 4. \end{cases}$$
Proof Suppose
$$n = p_1 \cdots p_r q_1 \cdots q_s,$$
where
$$p_i \equiv 1 \bmod 4, \quad q_j \equiv 3 \bmod 4.$$
Then
$$\left(\frac{-1}{p_i}\right) = 1, \quad \left(\frac{-1}{q_j}\right) = -1,$$
and so
$$\left(\frac{-1}{n}\right) = (-1)^s.$$
On the other hand,
$$n \equiv 1^r 3^s \bmod 4 \equiv \begin{cases} 1 \bmod 4 & \text{if } s \text{ is even}, \\ 3 \bmod 4 & \text{if } s \text{ is odd}. \end{cases}$$
□
Proposition 5.10 Suppose $n \in \mathbb{N}$ is odd. Then
$$\left(\frac{2}{n}\right) = \begin{cases} 1 & \text{if } n \equiv \pm 1 \bmod 8, \\ -1 & \text{if } n \equiv \pm 3 \bmod 8. \end{cases}$$
Proof Suppose
$$n = p_1 \cdots p_r q_1 \cdots q_s,$$
where
$$p_i \equiv \pm 1 \bmod 8, \quad q_j \equiv \pm 3 \bmod 8.$$
Then
$$\left(\frac{2}{p_i}\right) = 1, \quad \left(\frac{2}{q_j}\right) = -1,$$
and so
$$\left(\frac{2}{n}\right) = (-1)^s.$$
On the other hand,
$$n \equiv (\pm 1)^r (\pm 3)^s \bmod 8 \equiv \begin{cases} \pm 1 \bmod 8 & \text{if } s \text{ is even}, \\ \pm 3 \bmod 8 & \text{if } s \text{ is odd}. \end{cases}$$
□
5.5 A weaker test
Recall that if $p$ is prime then
$$a^{\frac{1}{2}(p-1)} \equiv \left(\frac{a}{p}\right) \bmod p.$$
We are now in a position to convert this into a test for primality.
Proposition 5.11 Suppose $n \in \mathbb{N}$ is odd. Then $n$ is prime if and only if
$$a^{\frac{1}{2}(n-1)} \equiv \left(\frac{a}{n}\right) \bmod n$$
for all $a$ coprime to $n$.
Proof If $n$ is prime then it certainly has the given property.
Suppose conversely that $n$ has this property. We show first that $n$ must be square-free. For suppose
$$p^2 \mid n,$$
where $p$ is an odd prime.
Let the exponent of $(\mathbb{Z}/n)^\times$ be $e$. Then
$$p \mid \varphi(n);$$
and so
$$p \mid e$$
by Lemma 5.1 to Proposition 5.2. On the other hand,
$$e \mid n - 1$$
since
$$a^{n-1} = \left(a^{\frac{n-1}{2}}\right)^2 \equiv 1 \bmod n.$$
Thus $p \mid n - 1$ and $p \mid n$, which is absurd.
Thus $n$ is square-free, say
$$n = p_1 \cdots p_r,$$
where $p_1, \ldots, p_r$ are distinct odd primes.
Our argument runs along the same lines as the proof of Proposition 5.4. Let
$$n - 1 = 2^e m, \quad p_i - 1 = 2^{e_i} m_i;$$
and let us re-arrange the $p_i$ so that
$$e_1 = \max(e_1, \ldots, e_r),$$
ie
$$v_2(p_1 - 1) \ge v_2(p_i - 1)$$
for $1 \le i \le r$.
By the Chinese Remainder Theorem, we can find $a$ coprime to $n$ such that
$$\left(\frac{a}{p_1}\right) = -1, \quad \left(\frac{a}{p_2}\right) = 1, \ \ldots, \ \left(\frac{a}{p_r}\right) = 1.$$
Thus
$$\left(\frac{a}{n}\right) = \left(\frac{a}{p_1}\right) \cdots \left(\frac{a}{p_r}\right) = -1;$$
and so
$$a^{\frac{n-1}{2}} \equiv -1 \bmod n.$$
Hence
$$a^{\frac{n-1}{2}} \equiv -1 \bmod p_i$$
for $1 \le i \le r$.
Let the order of $a$ mod $n$ be $d$; and let the orders of $a$ mod $p_i$ be $d_i$. Then
$$v_2(d) = v_2(d_1) = \cdots = v_2(d_r) = v_2(n - 1),$$
by Lemma 5.5 to Proposition 5.4.
On the other hand,
$$\left(\frac{a}{p_1}\right) = -1 \implies v_2(d_1) = e_1,$$
by Lemma 5.4 to Proposition 5.4; while by the same Lemma,
$$\left(\frac{a}{p_i}\right) = 1 \implies v_2(d_i) < e_i$$
for $2 \le i \le r$.
But this is a contradiction, since eg
$$e_1 \ge e_2 \implies v_2(d_1) > v_2(d_2).$$
□
At first sight this seems to offer an additional test for primality, which could be incorporated into the Miller-Rabin test at the first stage; having determined whether
$$a^{\frac{n-1}{2}} \equiv \pm 1 \bmod n,$$
we could compute
$$\left(\frac{a}{n}\right)$$
and see if this gives the same value.
However, the following result shows that this would be a waste of time; the two values are certain to coincide.
Proposition 5.12 Suppose $n$ is an odd integer $> 1$. If $n$ is a strong pseudoprime to base $a$ then
$$a^{\frac{1}{2}(n-1)} \equiv \left(\frac{a}{n}\right) \bmod n.$$
Proof Let
$$n - 1 = 2^e m,$$
where $m$ is odd.
Suppose first that
$$a^m \equiv 1 \bmod n.$$
Then
$$a^m \equiv 1 \bmod n \implies a^{\frac{1}{2}(n-1)} = a^{2^{e-1} m} = (a^m)^{2^{e-1}} \equiv 1 \bmod n.$$
On the other hand, $a$ has odd order mod $n$. Hence $a$ has odd order mod $p$ for each prime $p \mid n$. It follows from Lemma 5.4 to Proposition 5.4 that
$$\left(\frac{a}{p}\right) = 1.$$
Since that is true for all $p \mid n$,
$$\left(\frac{a}{n}\right) = \prod_p \left(\frac{a}{p}\right) = 1.$$
Now suppose that
$$a^{2^i m} \equiv -1 \bmod n,$$
where $0 \le i \le e - 1$. Then
$$a^{\frac{1}{2}(n-1)} = a^{2^{e-1} m} \equiv \begin{cases} 1 & \text{if } i < e - 1, \\ -1 & \text{if } i = e - 1. \end{cases}$$
Now
$$a^{2^i m} \equiv -1 \bmod n \implies a^{2^i m} \equiv -1 \bmod p$$
for each $p \mid n$. Let the order of $a$ mod $p$ be $r$. Then
$$v_2(r) = i + 1$$
by Lemma 5.5 to Proposition 5.4.
Suppose first that $i < e - 1$. In that case
$$v_2(r) = i + 1 < e = v_2(p - 1).$$
Hence
$$\left(\frac{a}{p}\right) = 1$$
by Lemma 5.4 to Proposition 5.4. Since this holds for all $p \mid n$,
$$\left(\frac{a}{n}\right) = 1.$$
Thus the result holds in this case.
Finally, suppose $i = e - 1$. Then
$$a^{\frac{1}{2}(n-1)} = a^{2^{e-1} m} = a^{2^i m} \equiv -1 \bmod n.$$
If
$$\left(\frac{a}{p}\right) = -1$$
then by Lemma 5.4 to Proposition 5.4
$$v_2(p - 1) = i + 1 = e \implies p \equiv 1 \bmod 2^e,\ p \not\equiv 1 \bmod 2^{e+1} \implies p \equiv 1 + 2^e \bmod 2^{e+1}.$$
On the other hand, if
$$\left(\frac{a}{p}\right) = 1$$
then by the same Lemma
$$v_2(p - 1) > i + 1 = e \implies p \equiv 1 \bmod 2^{e+1}.$$
Suppose $n$ has $r$ prime factors $p$ with
$$\left(\frac{a}{p}\right) = -1.$$
Then
$$n \equiv (1 + 2^e)^r \bmod 2^{e+1} \equiv \begin{cases} 1 \bmod 2^{e+1} & \text{if } r \text{ is even}, \\ 1 + 2^e \bmod 2^{e+1} & \text{if } r \text{ is odd}. \end{cases}$$
But
$$2^e \| n - 1,$$
and so
$$n \not\equiv 1 \bmod 2^{e+1}.$$
Thus $r$ is odd, and so
$$\left(\frac{a}{n}\right) = (-1)^r = -1.$$
So the result holds also in this last case.
However, although the weaker test is of no practical value, it does have some theoretical significance because of the following result.
Proposition 5.13 Suppose $n$ is an odd integer $> 1$. Then the congruence classes
$$\left\{ a \in (\mathbb{Z}/n)^\times : a^{\frac{n-1}{2}} = \left(\frac{a}{n}\right) \right\}$$
form a subgroup of $(\mathbb{Z}/n)^\times$.
Proof This follows at once from the multiplicative property of the Jacobi symbol, as spelled out in Proposition 5.6(ii).
By Proposition 5.11, this subgroup is proper if and only if $n$ is composite. But it has been shown (by E. Bach) that if the Extended Riemann Hypothesis (ERH) holds, and
$$S \subset (\mathbb{Z}/n)^\times$$
is a proper subgroup then there is an $a \notin S$ with
$$0 < a < 2(\log n)^2.$$
This implies that if the ERH holds then our weaker test, and so a fortiori the Miller-Rabin test, must complete in polynomial time; for we need only determine whether $n$ is a strong $a$-pseudoprime for $a$ in the above range.
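The Jacobi symbol of Section 5.4, the weaker test of Proposition 5.11 and the subgroup of Proposition 5.13, as an added Python example that is not part of the lecture notes (the function names are my own). The symbol is computed without factorising $n$, using Propositions 5.7, 5.8 and 5.10, and checked against Definition 5.4; the smallest witness for $n = 561$ is then compared with Bach's bound.

```python
# Added example (not code from the lecture notes): the Jacobi symbol computed by
# the rules of Propositions 5.7-5.10 and checked against Definition 5.4, the weaker
# test of Proposition 5.11, and the subgroup of Proposition 5.13 for n = 561.
from math import gcd, log

def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0, without factorising n: strip factors
    of 2 (Prop. 5.10), swap with the reciprocity sign (Prop. 5.8), reduce (Prop. 5.7)."""
    assert n > 0 and n % 2 == 1
    a %= n
    result = 1
    while a != 0:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):          # (2/n) = -1 exactly when n = +-3 mod 8
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:    # both = 3 mod 4: the sign flips
            result = -result
        a %= n
    return result if n == 1 else 0       # n > 1 here means gcd(a, n) > 1 (Remark 2)

def jacobi_from_definition(a, n):
    """Definition 5.4: the product of Legendre symbols, each by Euler's criterion."""
    result, p = 1, 3
    while n > 1:
        while n % p == 0:
            n //= p
            s = pow(a, (p - 1) // 2, p)  # 0, 1 or p - 1
            result *= -1 if s == p - 1 else s
        p += 2
    return result

def passes_weaker_test(n, a):
    """Proposition 5.11's condition for one base: a^((n-1)/2) = (a/n) (mod n)."""
    return pow(a, (n - 1) // 2, n) == jacobi(a, n) % n

def liars(n):
    """The set of Proposition 5.13: bases in (Z/n)^x that cannot expose n."""
    return {a for a in range(1, n) if gcd(a, n) == 1 and passes_weaker_test(n, a)}

def is_subgroup(s, n):
    """Closure under multiplication mod n (a finite subset of a group that is
    closed under the operation is a subgroup)."""
    return 1 in s and all(x * y % n in s for x in s for y in s)

def smallest_witness(n):
    """Least a > 1 coprime to composite n lying outside the subgroup, to compare
    with Bach's ERH bound 2 (log n)^2 quoted above; None if n is prime."""
    return next((a for a in range(2, n) if gcd(a, n) == 1 and not passes_weaker_test(n, a)), None)
```

For 561 the bases 2 and 4 lie in the subgroup, 3 is excluded by the gcd, and 5 is the first witness, well inside Bach's bound of about 80.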