Number Theory: A Contemporary Introduction

Pete L. Clark

Contents
Chapter 1. The Fundamental Theorem and Some Applications
1. Foundations
2. The Fundamental Theorem (in Z)
3. Some examples of failure of unique factorization
4. Consequences of the fundamental theorem
5. Some Irrational Numbers
6. Primitive Roots

7
7
11
14
16
23
26

Chapter 2. Pythagorean Triples

1. Parameterization of Pythagorean Triples
2. An Application: Fermats Last Theorem for N = 4
3. Rational Points on Conics

29
29
33
35

Chapter 3. Quadratic Rings

1. Quadratic Fields and Quadratic Rings
2. Fermats Two Squares Theorem
3. Fermats Two Squares Theorem Lost
4. Fermats Two Squares Theorem (and More!) Regained
5. Composites of the Form x2 Dy 2

39
39
39
42
43
46

Chapter 4. Quadratic Reciprocity

1. Statement of Quadratic Reciprocity
2. The Legendre Symbol
3. Motivating Quadratic Reciprocity I: Bonus Theorems
4. Motivating Quadratic Reciprocity II: Direct and Inverse Problems
5. The Jacobi Symbol
6. Preliminaries on Congruences in Cyclotomic Rings
7. Proof of the Second Supplement
8. Proof of the Quadratic Reciprocity Law Modulo. . .
9. . . . the Computation of the Gauss Sum
10. Comments

49
50
50
53
57
59
60
61
63
64
66

Chapter 5. More Quadratic Reciprocity: from Zolotarev to Duke-Hopkins

1. Quadratic Reciprocity in a Finite Quotient Domain
2. The Kronecker Symbol
3. The Duke-Hopkins Reciprocity Law
4. The Proof
5. In Fact...

67
67
69
69
71
73

Chapter 6. The Mordell Equation

1. The Coprime Powers Trick in Z

75
75
3

CONTENTS

2.
3.
4.
5.

The Mordell Equation

The Coprime Powers Trick in a UFD
Beyond UFDs
Remarks and Acknowledgements

76
77
80
83

Chapter 7. The Pell Equation

1. Introduction
2. Example: The equation x2 2y 2 = 1
3. A result of Dirichlet
4. Existence of Nontrivial Solutions
5. The Main Theorem
6. A Caveat
7. Some Further Comments

85
85
86
89
90
91
92
93

Chapter 8. Arithmetic Functions

1. Introduction
2. Multiplicative Functions
3. Divisor Sums, Convolution and Mobius Inversion
4. Some Applications of Mobius Inversion

95
95
96
101
104

Chapter 9. Asymptotics of Arithmetic Functions

1. Introduction
2. Lower bounds on Eulers totient function
3. Upper bounds on Eulers function
4. The Truth About Eulers Function
5. Other Functions
6. Average orders

107
107
108
110
111
113
114

Chapter 10. The Primes: Innitude, Density and Substance

1. The Innitude of the Primes
2. Bounds
3. The Density of the Primes
4. Substance

119
119
124
125
127

Chapter 11. The Prime Number Theorem and the Riemann Hypothesis
1. Some History of the Prime Number Theorem
2. Coin-Flipping and the Riemann Hypothesis

131
131
134

Chapter 12. The Gauss Circle Problem and the Lattice Point Enumerator
1. Introduction
2. Better Bounds
3. Connections to average values

139
139
142
144

Chapter 13. Minkowskis Convex Body Theorem

1. The Convex Body Theorem
2. Diophantine Applications

147
147
154

Chapter 14. The Chevalley-Warning Theorem

1. The Chevalley-Warning Theorem
2. Two proofs of Warnings theorem
3. Some Later Work

161
161
163
168

CONTENTS

Chapter 15. Additive Combinatorics

1. The Erdos-Ginzburg-Ziv Theorem
2. The Combinatorial Nullstellensatz
3. The Cauchy-Davenport Theorem

171
171
175
177

Chapter 16. Dirichlet Series

1. Introduction
2. Some Dirichlet Series Identities
3. Euler Products
4. Absolute Convergence of Dirichlet Series
5. Conditional Convergence of Dirichlet Series
6. Dirichlet Series with Nonnegative Coecients
7. Characters and L-Series
8. An Explicit Statement of the Riemann Hypothesis
9. General Dirichlet Series

179
179
183
184
186
189
190
191
194
195

Chapter 17. Dirichlets Theorem on Primes in Arithmetic Progressions

1. Statement of Dirichlets Theorem
2. The Main Part of the Proof of Dirichlets Theorem
3. Nonvanishing of L(, 1)

197
197
198
203

Chapter 18. Rational Quadratic Forms and the Local-Global Principle

1. Rational Quadratic Forms
2. Legendres Theorem
3. Hilberts Reciprocity Law
4. The Local-Global Principle
5. Local Conditions for Isotropy of Quadratic Forms

205
207
209
212
214
217

Chapter 19. Representations of Integers by Quadratic Forms

1. The Davenport-Cassels Lemma
2. The Three Squares Theorem
3. Approximate Local-Global Principle
4. The 15 and 290 Theorems

219
220
222
226
228

Appendix A. Rings, Fields and Groups

1. Rings
2. Ring Homomorphisms
3. Integral Domains
4. Polynomial Rings
5. Commutative Groups
6. Ideals and Quotients

231
231
233
234
236
237
240

Appendix B. More on Commutative Groups

1. Reminder on Quotient Groups
2. Cyclic Groups
3. Products of Elements of Finite Order in a Commutative Group
4. Character Theory of Finite Abelian Groups
5. Proof of the Fundamental Theorem on Finite Commutative Groups
6. Wilsons Theorem in a Finite Commutative Group

245
245
246
247
249
256
259

Appendix C.

263

More on Polynomials

CONTENTS

1. Polynomial Rings
2. Finite Fields
Appendix.

Bibliography

263
264
267

CHAPTER 1

The Fundamental Theorem and Some Applications

1. Foundations
What is number theory?
This is a dicult question: number theory is an area, or collection of areas, of
pure mathematics that has been studied for over two thousand years. As such, it
means dierent things to dierent people. Nevertheless the question is not nearly
as subjective as What is truth? or What is beauty?: all of the things various
people call number theory are related, in fact deeply and increasingly so over time.
If you think about it, it is hard to give a satisfactory denition of any area of
mathematics that would make much sense to someone who has not taken one or
more courses in it. One might say that analysis is the study of limiting processes,
especially summation, dierentiation and integration; that algebra is the study of
algebraic structures like groups, rings and elds; and that topology is the study
of topological spaces and continuous maps between them. But these descriptions
function more by way of dramatis personae than actual explanations; less pretentiously, they indicate (some of) the objects studied in each of these elds, but they
do not really tell us which properties of these objects are of most interest and which
questions we are trying to answer about them. Such motivation is hard to provide
in the abstract much easier, and more fruitful, is to give examples of the types of
problems that mathematicians in these areas are or were working on. For instance,
in algebra one can point to the classication of nite simple groups, and in topology
the Poincare conjecture. Both of these are problems that had been open for long
periods of time and have been solved relatively recently, so one may reasonably
infer that these topics have been central to their respective subjects for some time.
What are the objects of number theory analogous to the above description? A
good one sentence answer is that number theory is the study of the integers, i.e.,
the positive and negative whole numbers.
Of course this is not really satisfactory: astrology, accounting and computer science, for instance, could plausibly be described in the same way. What properties
of the integers are we interested in?
The most succinct response seems to be that we are interested in the integers as a
ring: namely, as endowed with the two fundamental operations of addition + and
multiplication and especially the interactions between these two operations.

1. THE FUNDAMENTAL THEOREM AND SOME APPLICATIONS

Let us elaborate. Consider rst the non-negative integers which, as is traditional, we will denote by N endowed with the operation +. This is a very simple
structure: we start with 0, the additive identity, and get every positive integer by
repeatedly adding 1.1 In some sense the natural numbers under addition are the
simplest nontrivial algebraic structure.
Note that subtraction is not in general dened on the natural numbers: we
would like to dene a b = c in case a = b + c, but of course there is not always
such a natural number c consider e.g. 3 5.
As you well know, there are two dierent responses to this: the rst is to formally extend the natural numbers so that additive inverses always exist. In other
words, for every positive integer n, we formally introduce a corresponding number
n with the property that n + (n) = 0. Although it is not a priori obvious that
such a construction works rather, the details and meaning of this construction
were a point of confusion even among leading mathematicians for a few thousand
years nowadays we understand that it works to give a consistent structure: the
integers Z, endowed with an associative addition operation +, which has an identity
0 and for which each integer n has a unique additive inverse n.
The second response is to record the relation between two natural numbers a
and b such that b a exists as a natural number. Of course this relation is just
that a b. This is quite a simple relation on N: indeed, for any pair of integers,
we have either a b or b a, and we have both exactly when a = b.2
Now for comparison consider the positive integers
Z+ = 1, 2, 3, . . .
under the operation of multiplication. This is a richer structure: whereas additively, there is a single building block 1 the multiplicative building blocks are
the prime numbers 2, 3, 5, 7, . . .. Of course the primes are familiar objects, but
the precise analogy with the additive case may not be as familiar, so let us spell
it out carefully: just as subtraction is not in general dened on N, division is not
in general dened on Z+ . On the one hand we can formally complete Z+ by
adjoining multiplicative inverses, getting this time the positive rational numbers
Q+ . However, again one can view the fact that a/b is not always a positive integer
as being intriguing rather than problematic, and we again consider the relation between two positive integers a and b that b/a be a positive integer: in other words,
that there exist a positive integer c such that b = a c. In such a circumstance
we say that a divides b, and write it as a|b.3 It is easy to see that the relation of
divisibility is more complicated than the relation since divisibility is not a total
ordering: e.g. 2 | 3 and also 3 | 2. What are we to make of this divisibility relation?
First, on a case-by-case basis, we do know how to determine whether a | b.
Proposition 1. (Division Theorem) For any positive integers n and d, there
exist unique non-negative integers q and r with 0 r < d and n = qd + r.
1Here I am alluding to the fact that in the natural numbers, addition can be dened in terms
of the successor operation s(n) = n + 1, as was done by the 19th century mathematical logician
Giuseppe Peano. No worries if you have never heard of the Peano axioms their importance lies
in the realm of mathematical logic rather than arithmetic itself.
2That is to say, the relation on N is a linear, or total, ordering.
3Careful: a|b b is an integer.
a

1. FOUNDATIONS

This is a very useful tool, but it does not tell us the structure of Z+ under the
divisibility relation. To address this, the primes inevitably come into play: there
is a unique minimal element of Z+ under divisibility, namely 1 (in other words, 1
divides every positive integer and is the only positive integer with this property): it
therefore plays the analogous role to 0 under on N. In N \ 0, the unique smallest
element is 1. In Z+ \ 1 the smallest elements are the primes p. Given that the
denition of a prime is precisely an integer greater than one divisible only by one
and itself, this is clear. The analogue to repeatedly adding 1 is taking repeated
powers of a single prime: e.g., 2, 22 , 23 , . . .. However, we certainly have more
than one prime in fact, as you probably know and we will recall soon enough,
there are innitely many primes and this makes things more complicated. This
suggests that maybe we should consider the divisibility relation one prime at a time.
So, for any prime p, let us dene a |p b to mean that ab is a rational number which,
when written in lowest terms, has denominator not divisible by p. For instance,
3 |2 5, since 35 , while not an integer, doesnt have a 2 in the denominator. For that
matter, 3 |p 5 for all primes p dierent from 3, and this suggests the following:
Proposition 2. For any a, b Z+ , a|b a |p b for all primes p.
Proof. Certainly if a|b, then a |p b for all primes p. For the converse, write
in lowest terms, say as B
A . Then a |p b i A is not divisible by p. But the only
positive integer which is not divisible by any primes is 1.

b
a

In summary, we nd that the multiplicative structure of Z+ is similar to the additive structure of N, except that instead of there being one generator, namely
1, such that every element can be obtained as some power of that generator, we
have innitely many generators the primes and every element can be obtained
(uniquely, as we shall see!) by taking each prime a non-negative integer number of
times (which must be zero for all but nitely many primes). This switch from one
generator to innitely many does not in itself cause much trouble: given
a = pa1 1 pann
and
b = pb11 pbnn
we nd that a | b i a |p b for all p i ai bi for all i. Similarly, it is no problem to
multiply the two integers: we just have
ab = pa1 1 +b1 pann +bn .
Thus we can treat positive integers under multiplication as vectors with innitely
many components, which are not fundamentally more complicated than vectors
with a single component.
The trouble begins when we mix the additive and multiplicative structures. If
we write integers in standard decimal notation, it is easy to add them, and if we
write integers in the above vector factored form, it is easy to multiply them.
But what is the prime factorization of 2137 + 3173 ? In practice, the problem of
given an integer n, nding its prime power factorization (1) is extremely computationally dicult, to the extent that most present-day security rests on this diculty.

10

1. THE FUNDAMENTAL THEOREM AND SOME APPLICATIONS

It is remarkable how quickly we can nd ourselves in very deep waters by asking apparently innocuous questions that mix additive and multiplicative structure.
For instance, although in the multiplicative structure, each of the primes just rests
on its own axis as a generator, in the additive structure we can ask where the
primes occur with respect to the relation . We do not have anything approaching
a formula for pn , and the task of describing the distribution of the pn s inside N is
a branch of number theory in and of itself (we will see a taste of it later on). For
instance, consider the quantity g(n) = pn+1 pn , the nth prime gap. For n > 1,
the primes are all odd, so g(n) 2. Computationally one nds lots of instances
when g(n) is exactly 2, e.g. 5, 7, 11, 13, and so forth: an instance of g(n) = 2
equivalently, of a prime p such that p + 2 is also a prime is called a twin prime
pair. The trouble is that knowing the factorization of p tells us nothing4 about the
factorization of p + 2. Whether or not there are innitely many twin primes is a
big open problem in number theory.
It goes on like this: suppose we ask to represent numbers as a sum of two odd
primes. Then such a number must be even and at least 6, and experimenting, one
soon is led to guess that every even number at least 6 is a sum of two odd primes:
this is known as Goldbachs Conjecture, and is about 400 years old. It remains
unsolved. There are many, many such easily stated unsolved problems which mix
primes and addition: for instance, how many primes p are of the form n2 +1? Again,
it is a standard conjecture that there are innitely many, and it is wide open. Note
that if we asked instead how many primes were of the form n2 , we would have no
trouble answering the innocent addition of 1 gives us terrible problems.
Lest you think we are just torturing ourselves by asking such questions, let me
mention three amazing positive results:
Theorem 3. (Fermat, 12/25/1640) A prime p > 2 is of the form x2 + y 2 i
it is of the form 4k + 1.
This is, to my mind, the rst beautiful theorem of number theory. It says that
to check whether an odd prime satises the very complicated condition of being a
sum of two (integer, of course!) squares, all we need to do is divide it by four: if
its remainder is 1, then it is a sum of two squares; otherwise its remainder will be
3 and it will not be a sum of two squares.
Theorem 4. (Lagrange, 1770) Every positive integer is of the form x2 + y 2 +
z + w2 .
2

Theorem 5. (Dirichlet, 1837) Suppose a and b are coprime positive integers

(i.e., they are not both divisible by any integer n > 1). Then there are innitely
many primes of the form an + b.
Remark: In particular, taking a = 4, b = 1, see that there are innitely many
primes of the form 4k + 1, so in particular there are innitely many primes which
are a sum of two squares.
We will see proofs of Theorems 3 and 4 in this course. To be more precise, we
will give two dierent proofs of Theorem 3. The rst theorem uses the observation
4Well, nothing except that p + 2 is not divisible by 2 for all p > 2.

2. THE FUNDAMENTAL THEOREM (IN Z)

11

that x2 + y 2 can be factored in the ring Z[i] of Gaussian integers as (x + iy)(x iy)
and will be our jumping o point to the use of algebraic methods. There is an analogous proof of Theorem 4 using a noncommutative ring of integral quaternions.
This proof however has some technical complications which make it less appealing
for in-class presentation, so we do not discuss it in these notes.5 On the other
hand, we will give parallel proofs of Theorems 3 and 4 using geometric methods.
The proof of Theorem 5 is of a dierent degree of sophistication than any other
proofs in this course. We do present a complete proof at the end of these notes,
but I have not managed to persuade myself that our treatment is appropriate for a
one-semester undergraduate course in the subject.
Admission: In fact there is a branch of number theory which studies only the
addition operation on subsets of N: if A and B are two subsets of natural numbers,
then by A+B we mean the set of all numbers of the form a+b for a A and b B.
For a positive integer h, by hA we mean the set of all h-fold sums a1 + . . . + ah
of elements of A (repetitions allowed). There are plenty of interesting theorems
concerning these operations, and this is a branch of mathematics called additive
number theory. In truth, though, it is much more closely related to other branches
of mathematics like combinatorics, Fourier analysis and ergodic theory than to the
sort of number theory we will be exploring in this course.
2. The Fundamental Theorem (in Z)
2.1. Existence of prime factorizations.
We had better pay our debts by giving a proof of the uniqueness of the prime
power factorization. This is justly called the Fundamental Theorem of Arithmetic.
Let us rst nail down the existence of a prime power factorization, although as
mentioned above this is almost obvious:
Proposition 6. Every positive integer n is a product of primes pa1 1 par r
(when n = 1 this is the empty product).
Proof. By induction on n, the case of n = 1 being trivial. Assume n > 1 and
the result holds for all m < n. Among all divisors d > 1 of n, the least is necessarily
a prime, say p. So n = pm and apply the result inductively to m.

Important Remark: Note that the result seemed obvious, and we proved it by
induction. Formally speaking, just about any statement about the integers contain
an appeal to induction at some point, since induction or equivalently, the wellordering principle that any nonempty subset of integers has a smallest element is
(along with a few much more straightforward axioms) their characteristic property.
But induction proofs can be straightforward, tedious, or both. Often I will let you
ll in such induction proofs; I will either just say by induction or, according to
taste, present the argument in less formal noninductive terms. To be sure, sometimes an induction argument is nontrivial, and those will be given in detail.
A factorization n = pa1 1 par r is in standard form if p1 < . . . < pr . Any factorization can be put in standard form by correctly ordering the prime divisors.
5It was, in fact, the subject of a student project in the 2007 course.

12

1. THE FUNDAMENTAL THEOREM AND SOME APPLICATIONS

2.2. The fundamental theorem and Euclids Lemma.

Theorem 7. The standard form factorization of a positive integer is unique.
This is just a mildly laundered version of the more common statement: the factorization of a positive integer into primes is unique up to the order of the factors.
Theorem 140 was rst stated and proved by Gauss in his Disquisitiones Arithmeticae. However, it is generally agreed that the result is essentially due to the
ancient (circa 300 BC) Greek mathematician Euclid of Alexandria. Euclid proved:
Theorem 8. Suppose p is prime and p | ab. Then p | a or p | b.
The point is that, assuming the very easy Proposition 6, Theorems 140 and 142 are
equivalent. From a strictly logical point of view two assertions are equivalent if they
are both true or both false or, if they range over a set of possible parameters then
they are true for exactly the same values of those parameters. Since a theorem in
mathematics is a true assertion, strictly speaking any two theorems are equivalent.
But in common use the statement Theorem A is equivalent to Theorem B carries
the connotation that it is much easier to deduce the truth of each theorem from
the other than to prove either theorem. This is the case here.
Theorem 140 = Theorem 142: Suppose for a contradiction that p | ab but

b
p does not divide either a or b. Writing out a = i pai i and b = j qj j , our as
a
sumptions are equivalent to pi = p = qj for all i, j. But then ab = pai i qj j , and
collecting this into standard form we get that no positive power of the prime p appears in the standard form factorization of ab. On the other hand, by assumption
p | ab so ab = p m, and then factoring m into primes we will get a standard form
factorization of ab in which p does apear to some positive power, contradicting the
uniqueness of the standard form prime factorization.
Theorem 142 = Theorem 140: Let us induct on the (minimal!) number r
of factors in a prime factorization of n. The case of r = 0 i.e., n = 1 is trivial.
Suppose the result holds for numbers with < r factors, and consider
n = pa1 1 par r = q1b1 qsbs .
b

Now p1 | n, so by Theorem 142, p1 divides some qj j , and this implies that p1 | qj .

Therefore we can cancel a common prime factor, reducing to the case where n has
a factorization with r 1 prime factors, and the induction hypothesis does the rest.
Therefore one way to prove Theorem 140 is to give Euclids proof of Theorem
142. Euclids proof goes by way of giving an explicit and ecient algorithm for
nding the greatest common divisor of a pair of positive integers. This Euclidean
algorithm can be put to a variety of uses in elementary number theory, so Euclids
proof is generally the one given in introductory courses. By making use of algebraic
ideas it is possible to streamline Euclids proof of Theorem 142 in a way which bypasses the algorithm: the idea is to show that the ring of integers has the property
of being a Principal Ideal Domain, which is for a general ring a stronger result
than the uniqueness of factorization into primes. In fact there is a third strategy,
which directly proves Theorem 140. This proof, due to Hasse [Has28], Lindemann

2. THE FUNDAMENTAL THEOREM (IN Z)

13

[Li33] and Zermelo [Z34], is not suciently widely known. It is an archetypical

instance of bypassing seemingly necessary machinery by sheer cleverness.
2.3. The HLZ proof of the uniqueness of factorization.
We claim that the standard form factorization of a positive integer is unique. Assume not; then the set of positive integers which have at least two dierent standard
form factorizations is nonempty, so has a least elment, say n, where:
(1)

n = p1 pr = q1 qs .

Here the pi s and qj s are prime numbers, not necessarily distinct from each other.
However,we must have p1 = qj for any j. Indeed, if we had such an equality, then
after relabelling the qj s we could assume p1 = q1 and then divide through by
p1 = q1 to get a smaller positive integer pn1 . By the assumed minimality of n, the
prime factorization of pn1 must be unique: i.e., r 1 = s 1 and pi = qi for all
2 i r. But then multiplying back by p1 = q1 we see that we didnt have two
dierent factorizations after all. (In fact this shows that for all i, j, pi = qj .)
In particular p1 = q1 . Without loss of generality, assume p1 < q1 . Then, if we
subtract p1 q2 qs from both sides of (1), we get
(2)

m := n p1 q2 qs = p1 (p2 pr q2 qs ) = (q1 p1 )(q2 qs ).

Evidently 0 < m < n, so by minimality of n, the prime factorization of m must be

unique. However, (2) gives two dierent factorizations of m, and we can use these
to get a contradiction. Specically, m = p1 (p2 pr q2 qs ) shows that p1 | m.
Therefore, when we factor m = (q1 p1 )(q2 qs ) into primes, at least one of the
prime factors must be p1 . But q2 , . . . , qj are already primes which are dierent from
p1 , so the only way we could get a p1 factor is if p1 | (q1 p1 ). But this implies
p1 | q1 , and since q1 is also prime this implies p1 = q1 . Contradiction!
2.4. Proof using ideals.
Now we turn things around by giving a direct proof of Euclids Lemma. We (still!)
do not follow Euclids original proof, which employs the Euclidean algorithm,
but rather a modernized version using ideals.
An ideal of Z is a nonempty subset I of Z such that a, b I implies a + b I and
a I, c Z implies ca I.6
For any integer d, the set (d) = {nd | n Z} of all multiples of d is an ideal.
Proposition 9. Any nonzero ideal I of Z is of the form (d), where d is the
least positive element of I.
Proof. Suppose not: then there exists an element n which is not a multiple
of d. Applying the Division Theorem (Proposition 264), we may write n = qd + r
with 0 < r < d. Since d I, qd I and hence r = n qd I. But r is positive
and smaller than d, a contradiction.

6We hope that the reader recognizes this as a special case of an ideal in a commutative ring.

14

1. THE FUNDAMENTAL THEOREM AND SOME APPLICATIONS

Existence of gcds: Let a and b be two nonzero integers. An integer d is said to be

a greatest common divisor of a and b if
(GCD1) d | a and d | b.
(GCD2) If e | a and e | b then e | d.
Note well that this is (at least apparently) dierent from the denition of greatest
common divisor one learns in school: in the set of all common divisors of a and b,
d is dened to be a divisor which is divisible by every other divisor, not a divisor
which is numerically largest. In particular, unlike the school denition, it is not
obvious that greatest common divisors exist! However:
Proposition 10. For a, b Z, not both zero, the set Ia,b = {xa+yb | x, y Z}
is a nonzero ideal. Its positive generator d has the following property:
(3)

e|a & e|b e|d,

and is therefore a greatest common divisor of a and b.

Proof. It is easy to see that the set Ia,b is closed under addition and under
multiplication by all integers, so it is an ideal. By the previous result, it is generated
by its smallest positive element, say d = Xa + Y b.
Now, suppose e|d. Then, since a (d), (a) (d) and thus d|a (to contain is to
divide) and by transitivity e|a; similarly e|b. (In fact we made a bigger production
of this than was necessary: we could have said that d is a multiple of e, and a
and b are multiples of d, so of course a and b are multiples of e. This is the easy
direction.) Conversely, suppose that e|a and e|b (so e is a common divisor of a and
b). Then e | Xa + Y b = d. (Since d could be smaller than a and b e.g. a = 17,
b = 1010 , d = 1, this is the nontrivial implication.)

Corollary 11. If a and b are integers, not both zero, then for any integer m
there exist integers x and y such that
xa + yb = m gcd(a, b).
Proof. This follows immediately from the equality of ideals Ia,b = (gcd(a, b)):
the left hand side is an arbitrary element of Ia,b and the right hand side is an
arbitrary element of (gcd(a, b)).

An important special case is when gcd(a, b) = 1 we say a and b are relatively
prime. The corollary then asserts that for any integer m, we can nd integers x
and y such that xa + yb = m.
Indeed we can use this to prove Euclids Lemma (Theorem 142): if p | ab and
p does not divide a, then the greatest common divisor of p and a must be 1. Thus
there are integers x and y such that xa + yp = 1. Multiplying through by b we get
xab + ypb = b. Since p | xab and p | ypb, we conclude p | b. This completes the
proof of the Fundamental Theorem of Arithmetic.
3. Some examples of failure of unique factorization
The train of thought involved in proving the fundamental theorem is quite subtle.
The rst time one sees it, it is hard to believe that such complications are necessary:
is it not obvious that the factorization of integers into primes is unique?

3. SOME EXAMPLES OF FAILURE OF UNIQUE FACTORIZATION

15

It is not obvious, but rather familiar and true. The best way to perceive the
non-obviousness is to consider new and dierent contexts.
Example: let E denote the set of even integers.7 Because this is otherwise known
as the ideal (2) = 2Z, it has a lot of structure: it forms a group under addition,
and there is a well-dened multiplication operation satisfying all the properties of
a ring except one: namely, there is no 1, or multiplicative identity. (A ring without identity is sometimes wryly called a rng, so the title of this section is not a typo.)
Let us consider factorization in E: in general, an element x of some structure should
be prime if every factorization x = yz is trivial in some sense. However, in E,
since there is no 1, there are no trivial factorizations, and we can dene an element
x of E to be prime if it cannot be written as the product of two other elements of E.
Of course this is a new notion of prime: 2 is a conventional prime and also a prime
of E, but clearly none of the other conventional primes are E-prime. Moreover there
are E-primes which are not prime in the usual sense: e.g., 6 is E-prime. Indeed, it is
not hard to see that an element of E is an E-prime i it is divisible by 2 but not by 4.
Now consider
36 = 2 18 = 6 6.
Since 2, 18 and 6 are all divisible by 2 and not 4, they are E-primes, so 36 has two
dierent factorizations into E-primes.
This example begins to arouse our skepticism about unique factorization: it is
not, for instance, inherent in the nature of factorization that factorization into
primes must be unique. On the other hand, the rng E is quite articial: it is an
inconveniently small substructure of a better behaved ring Z. Later we will see
more distressing examples.
Example 2: Let R = R[cos , sin ] be the ring of real trigonometric polynomials: i.e., the ring whose elements are polynomial expressions in sin and cos with
real coecients. We view the elements as functions from R to R and add and multiply them pointwise.
Of course this ring is not isomorphic to the polynomial ring R[x, y], since we
have the Pythagorean identity cos2 + sin2 = 1. It is certainly plausible and can
be shown to be true that all polynomial relations between the sine and cosine are
consequences of this one relation, in the sense that R is isomorphic to the quotient
ring R[x, y]/(x2 + y 2 1).
Now consider the basic trigonometric identity
(4)

(cos )(cos ) = (1 + sin )(1 sin ).

It turns out that cos , 1 + sin and 1 sin are all irreducible elements in the ring
R . Moreover, the only units in R are the nonzero real numbers, so all three of
these elements are nonassociate, and therefore (34) exhibits two dierent factorizations into irreducible elements! Thus, in a sense, the failure of unique factorization
7This example is taken from Silvermans book. In turn Silverman took it, I think, from
Harold Starks introductory number theory text. Maybe it is actually due to Stark...

16

1. THE FUNDAMENTAL THEOREM AND SOME APPLICATIONS

in R is the explanation for the subject of trigonometric identities!

To see how subtle the issue of unique factorization can be, consider now the ring
C = C[cos , sin ]
of trigonometric polynomials with complex coecients. But the classic Euler
identity
ei = cos + i sin
shows that ei is an element of C , and conversely, both the sine and cosine functions
are expressible in terms of ei :
(
)
1 i
1
cos =
e + i ,
2
e
(
)
1
1
sin =
ei i .
2i
e
i 1
it
Thus C = C[e , ei ]. Now the ring C[e ] is isomorphic to the polynomial ring
C[T ], so C is, up to isomorphism, obtained from C[T ] by adjoining T 1 . Recall
that C[t] is a principal ideal domain (PID). Finally, if R is any PID with fraction
eld K, and S is any ring such that R S K i.e., any ring obtained by
adjoining to R the multiplicative inverses of each of some set of nonzero elements
of R then it can be shown that S is also a PID, hence in particular a unique
factorization domain.
The foregoing discussion has been quite brief, with no pretense of presenting a
complete argument. For a more detailed discussion, I highly recommend [Tr88]. A
more sophisticated presentation can be found in [Cl09, Thm. 12].
4. Consequences of the fundamental theorem
The second proof of the fundamental theorem develops material which is very useful
in its own right. Let us look at some of it in more detail:
4.1. Applications of the prime power factorization.
There are certain functions of n which are most easily dened in terms of the
prime power factorization. This includes many so-called arithmetic functions
that we will discuss a bit later in the course. But here let us give some basic
examples. First, let us write the prime power factorization as

n=
pai i ,
i

where pi denotes the ith prime in sequence, and ai is a non-negative integer. This
looks like an innite product, but we impose the condition that ai = 0 for all but
nitely many i,8 so that past a certain point we are just multiplying by 1. The
convenience of this is that we do not need dierent notation for the primes dividing
some other integer.
Now suppose we have two such factored positive integers
8In fact, this representation is precisely analogous to the expression of (Z, ) = (N, +) of
problem G1).

4. CONSEQUENCES OF THE FUNDAMENTAL THEOREM

a=

17

pai i ,

b=

pbi i .

Then we can give a simple and useful formula for the gcd and the lcm. Namely,
the greatest common divisor of a and b is
min(a ,b )
i i
gcd(a, b) =
pi
,
i

where min(c, d) just gives the smaller of the two integers c and d (and, of course, the
common value c = d when they are equal). More generally, we have that, writing
out two integers a and b in factored form above, we have that a | b ai bi
for all i. In fact this is exactly the statement that a|b a|p b for all p that we
expressed earlier.
We often (e.g. now) nd ourselves wanting to make reference to the ai in the
prime power factorization of an integer a. The ai is the highest power of pi that
divides a. One often says that pai i exactly divides a, meaning that pai i |a and piai +1
does not. So let us dene, for any prime p, ordp (a) to be the highest power of p
that divides a: equivalently:
ordp (n)
n=
pi i .
i

Notice that ordp is reminiscent of a logarithm to the base p: in fact, thats exactly
what it is when n = pa is a power of p only: ordp (pa ) = a. However, for integers
n divisible by some prime q = p, logp (n) is nothing nice in fact, it is an irrational number whereas ordp (n) is by denition always a non-negative integer. In
some sense, the beauty of the functions ordp is that they allow us to localize our
attention at one prime at a time: every integer n can be written as pr m with
gcd(m, p) = 1, and the ordp just politely ignores the m: ordp (pr m) = ordp (pr ) = r.
This is really just notation, but it is quite useful: for instance, we can easily see
that for all p,
ordp (gcd(a, b)) = min(ordp (a), ordp (b));
this just says that the power of p which divides the gcd of a and b should be the
largest power of p which divides both a and b. And then a positive integer n is
determined by all of its ordp (n)s via the above equation.
Similarly, dene the least common multiple lcm(a, b) of positive integers a and
b to be a positive integer m with the property that a|e & b|e = m|e. Then
essentially the same reasoning gives us that
ordp (lcm(a, b)) = max(ordp (a), ordp (b)),
and then that
lcm(a, b) =

pmax(ordp (a),ordp (b)) .

We can equally well dene ordp on a negative integer n: it is again the largest
power i of p such that pi |n. Since multiplying by 1 doesnt change divisibility in

18

1. THE FUNDAMENTAL THEOREM AND SOME APPLICATIONS

any way, we have that ordp (n) = ordp (n). Note however that ordp (0) is slightly
problematic every pi divides 0: 0 pi = 0 so if we are going to dene this at all
it would make sense to put ordp (0) = .
We do lose something by extending the ord functions to negative integers: namely,
since for all p, ordp (n) = ordp (n), the ord functions do not allow us to distinguish
between n and n. From a more abstract algebraic perspective, this is because
n and n generate the same ideal (are associates; more on this later), and we
make peace with the fact that dierent generators of the same ideal are more or
less equivalent when it comes to divisibility. However, in Z we do have a remedy:
we could dene a map ord1 : Z \ {0} 1 such that ord1 (n) = +1 if n > 0 and
1 if n < 0. Then 1 acts as a prime of order 2, in contrast to the other innite
order primes, and we get a corresponding unique factorization statement.9 But
although there is some sense to this, we will not adopt it formally here.
Proposition 12. For p a prime and m and n integers, we have:
a) ordp (mn) = ordp (m) + ordp (n).
b) ordp (m + n) min(ordp (m), ordp (n)).
c) If ordp (m) = ordp (n), ordp (m + n) = min(ordp (m), ordp (n)).
We leave these as exercises: suitably decoded, they are familiar facts about divisibility. Note that part a) says that ordp is some sort of homomorphism from Z \ {0}
to Z. However, Z \ {0} under multiplication is not our favorite kind of algebraic
structure: it lacks inverses, so is a monoid rather than a group. This perhaps suggests that we should try to extend it to a map on the nonzero rational numbers
Q (which, if you did problem G1), you will recognize as the group completion of
Z \ {0}; if not, no matter), and this is no sooner said than done:
For a nonzero rational number

a
b,

we dene
a
ordp ( ) = ordp (a) ordp (b).
b
In other words, powers of p dividing the numerator count positively; powers of
p dividing the denominator count negatively. There is something to check here,
namely that the denition does not depend upon the choice of representative of ab .
But it clearly doesnt:
ac
ordp ( ) = ordp (ac) ordp (bc)
bc
a
= ordp (a) + ordp (c) ordp (b) ordp (c) = ordp (a) ordp (b) = ordp ( ).
b
So we get a map
ordp : Q Z
which has all sorts of uses: among other things, we can use it to recognize whether
a rational number x is an integer: it will be i ordp (x) 0 for all primes p.

Example: Let us look at the partial sums Si of the harmonic series n=1 n1 . The
rst partial sum S1 = 1 thats a whole number. The second one is S2 = 1 + 12 = 32
which is not. Then S3 = 1 + 21 + 13 = 11
6 is not an integer either; neither is
9This perspective is due to J.H. Conway.

4. CONSEQUENCES OF THE FUNDAMENTAL THEOREM

19

25
.
S4 = 1 + 21 + 13 + 14 = 12
It is natural to ask whether any partial sum Sn for n 1 is an integer. Indeed,
this is a standard question in honors math classes because...well, frankly, because
its rather hard.10 But using properties of the ord function we can give a simple
proof. The rst step is to look carefully at the data and see if we can nd a pattern.
(This is, of course, something to do whenever you are presented with a problem
whose solution you do not immediately know. Modern presentations of mathematics including, alas, these notes, to a large extent often hide this experimentation
and discovery process.) What we see in the small partial sums is that not only are
they not integers, they are all not integers for the same reason: there is always a
power of 2 in the denominator.
So what wed like to show is that for all n 1, ord2 (Sn ) < 0. It is true for
n = 2; moreover we dont have to do the calculation for n = 3: since ord2 ( 31 ) =
0 = ord2 (S2 ), we must have ord2 (S2 + 13 ) = min(ord2 (S2 ), ord2 (S3 )) = 1. And
then we get 41 , which 2-order 2, which is dierent from ord2 (S3 ), so again, using
that when we add two rational numbers with dierent 2-orders, the 2-order of the
sum is the smaller of the 2 2-orders, we get that ord2 (S4 ) = 2. Excitedly testing
1
a few more values, we see that this pattern continues: ord2 (Sn ) and ord2 ( n+1
) are
always dierent; if only we can show that this always holds, this will prove the
result. In fact one can say even more: one can precisely what ord2 (Sn ) is as a
function of n and thus see in particular that it is always negative. I will leave the
nal observation and proof to you why should I steal your fun?

4.2. Linear Diophantine equations.

Recall that one of the two main things we agreed that number theory is about
was solving Diophantine equations, i.e., looking for solutions over Z and/or over
Q to polynomial equations. Certainly we saw some primes in the previous section;
now we solve the simplest class of Diophantine equations, namely the linear ones.
Historical remark: as I said before, nowadays when someone says Diophantine
equation, they mean that we are interested either in solutions over Z or solutions
over Q, or both. Diophantus himself considered positive rational solutions. Nowadays the restriction to positive numbers seems quite articial (and I must wonder
whether Diophantus massaged his equations so as to get positive rather than negative solutions); it also makes things quite a bit more dicult: it stands to reason
that since equations become easier to solve if we allow ourselves to divide numbers,
correspondingly they become more dicult if we do not allow subtraction!
This also means that the term Linear Diophantine equation is, strictly speaking, an anachronism. If you want to solve any number of linear equations with
coecients in Q, then since Q is a eld you are just doing linear algebra, which
works equally well over Q as it does over R or C. For instance, suppose we want to
solve the equation
ax + by = c
10When I rst got assigned this problem (my very rst semester at college), I found or
looked up? some quite elaborate solution which used, in particular, Bertrands Postulate
that for n > 1 there is always a prime p with n < p < 2n. (This was proven in the latter half of
the 19th century by Cebyshev. One of Paul Erd
os early mathematical triumphs was an elegant
new proof of this result.)

20

1. THE FUNDAMENTAL THEOREM AND SOME APPLICATIONS

in rational numbers, where a and b are nonzero rational numbers and c is any
rational number. Well, its not much fun, is it? Let x be any rational number at
all, and solve for y:
c ax
y=
.
b
Speaking more geometrically, any line y = mx + b in the plane passing through one
rational point and with rational slope roughly speaking, with m and b rational
will have lots of rational solutions: one for every rational choice of x.
So for Diophantus, the rst interesting example was quadratic polynomial equations. Indeed, after this section, the quadratic case will occupy our interest for
perhaps the majority of the course.
However, over Z things are never so easy: for instance, the equation
3x + 3y = 1
clearly does not have an integer solution, since no matter what integers x and y we
choose, 3x + 3y will be divisible by y. More generally, if a and b have a common
divisor d > 1, then it is hopeless to try to solve
ax + by = 1.
But this is the only restriction, and indeed we saw this before: en route to proving
the fundamental theorem, we showed that for any integers a and b, not both zero,
then gcd(a, b) generates the ideal {xa + yb | x, y Z}, meaning that for any integer
m, the equation
ax + by = m gcd(a, b)
has solutions in x and y. In other words, we can solve
ax + by = n
if n is a multiple of the gcd of a and b. By the above, it is also true that we can only
solve the equation if n is a multiple of the gcd of x and y the succinct statement
is the equality of ideals Ia,b = (gcd(a, b)) so we have (and already had, really) the
following important result.
Theorem 13. For xed a, b Z, not both zero, and any m Z, the equation
ax + by = m
has a solution in integers (x, y) i gcd(a, b) | m.
In particular, if gcd(a, b) = 1, then we can solve the equation for any integer m.
The fundamental case is to solve
ax + by = 1,
because if we can nd such x and y, then just by multiplying through by m we can
solve the general equation.
This is a nice result, but it raises two further questions. First, we found one
solution. Now what can we say about all solutions?11 Second, given that we know
that solutions exist, how do we actually nd them?
11Diophantus was for the most part content with nding a single solution. The more penetrating inquiry into the set of all solutions was apparently rst made by Fermat.

4. CONSEQUENCES OF THE FUNDAMENTAL THEOREM

21

Example: We are claiming that 3x + 7y = 1 has an integer solution. What could it

be? Well, a little experimentation yields x = 2, y = 1. Is this the only solution?
Indeed not: we could add 7 to x and the sum would increase by 21, and then subtract 3 from y and the sum would decrease by 21. This leads us to write down the
family of solutions xn = 2 + 7n, yn = 1 3n. Are there any more? Well, we have
found one integral solutions whose x-coordinates are evenly spaced, 7 units apart
from each other. If there is any other solution 3X + 7Y = 1, there must be some
n such that 0 < X xn < 7. This would give a solution 3(X xn ) = 7(Y yn )
with 0 < X xn < 7. But this is absurd: the left hand side would therefore be
prime to 7, whereas the right hand side is divisible by 7. So we evidently found the
general solution.
The above argument does not, of course, use any special properties of 3 and 7:
with purely notational changes it carries over to a proof of the following result.
Theorem 14. For a and b coprime positive integers, the general integral solution to xa + yb = 1 is xn = x0 + nb, yn = y0 na, where x0 a + y0 b = 1 is any
particular solution guaranteed to exist by Theorem 13.
However, let us take the oppotunity to give a slightly dierent reformulation and
reproof of Theorem 14. We will work in slightly more generality: for xed, relatively
prime nonzero integers a and b and a variable integer N , consider all integral
solutions of the equation
(5)

ax + by = N

To borrow terminology from other areas of mathematics,12 (19) is linear and

inhomogeneous in x and y. What this means is that the left hand side is an
expression which is linear in x and y but the right-hand side is nonzero. There is
an associated homogeneous linear equation:
(6)

ax + by = 0

Here we are saying something quite basic in a fancy way: the real solutions of (6)
form a line through the origin in R2 , with slope m = a
b . But the set of integer
solutions to (6) also has a nice algebraic structure: if (x1 , y1 ), (x2 , y2 ) are any two
integer solutions and C is any integer, then since
a(x1 + x2 ) + b(y1 + y2 ) = (ax1 + by1 ) + (ax2 + by2 ) = 0 + 0 = 0,
a(Cx1 ) + b(Cy2 ) = C(ax1 + by1 ) = C 0 = 0,
both the sum (x1 , y1 ) + (x2 , y2 ) and the integer multiple C(x1 , y1 ) are solutions. To
be algebraically precise about it, the set of integer solutions to (6) forms a subgroup
of the additive group of the one-dimensional R-vector space of all real solutions.
Now we claim that it is easy to solve the homogeneous equation directly. The
Q-solutions are clearly {(x, a
b x) | x Q}. And, since a and b are relatively prime,
in order for x and a
x
to
both
be integers, it is necessary and sucient that x
b
itself be an integer and that it moreover be divisible by b. Therefore the general
integral solution to the homogeneous equation is {(nb, na) | n Z}.
12Especially, from the elementary theory of dierential equations.

22

1. THE FUNDAMENTAL THEOREM AND SOME APPLICATIONS

Now we make the fundamental observation about solving inhomogeneous linear

equations in terms of the associated homogeneous linear equation. We claim that
if (x0 , y0 ) is any one solution to the inhomogeneous equation (19) and (xn , yn ) =
(nb, na) is the general solution to the associated homogeneous equation (6), then
the general solution to the inhomogeneous equation is (x0 , y0 ) + (xn , yn ). Lets
check this. On the one hand, we have
a(x0 + xn ) + b(y0 + yn ) = (ax0 + by0 ) + (axn + byn ) = N + 0 = N,
so these are indeed solutions to the inhomogeneous equation. On the other hand,
if (x, y) and (x , y ) are any two solutions to the inhomogeneous equation, then,
by a very similar computation, their dierence (x x , y y ) is a solution to the
homogeneous equation.
In other words the set of all solutions to the inhomogeneous equation is simply
a translate of the abelian group of all solutions to the homogeneous equation.
Thus, since the solutions tothe homogeneous equation are simply a set of points
along the line with distance a2 + b2 between consecutive solutions, the same holds
for all the inhomogeneous equations, independent of N .
Remark aside: At the cost of introducing some further fancy terminology, the
discussion can be summarized by saying that the solution set to the inhomogeneous equation is a principal homogeneous space for the commutative group
of solutions to the homogeneous equation. The general meaning of this is in terms
of group actions on sets: let G be a group, X a set, and : G X X an action
of G on X. (We are assuming familiarity with this algebraic concept only to make
the present digression. It will not be needed in the rest of the course.) Then we say
that X is a principal homogeneous space for G if the action is simply transitivie:
for all x, y X, there exists a unique element g of G such that g x = y.
To look back this homogeneous/inohomogeneous argument, what it doesnt give
us is any particular solution to the inhomogeneous equation. (Indeed, so far as
this abtract reasoning goes, such a solution might not exist: according to the definition we gave for principal homogeneous space, taking X = gives a principal
homogeneous space under any group G!) To get this in any given case we can
use Euclids algorithm, but in thinking about things in general it is useful to acknowledge a certain amount of fuzziness in the picture: we can only say where
any

particular solution will be located on the line to within an accuracy of d = a2 + b2 .

What is interesting is that we can use these seemingly very primitive geometric
ideas to extract useful information about a more dicult problem. Namely, let us
now suppose that a, b, N are all positive integers, and we seek to solve the linear
Diophantine equation
ax + by = N
in positive integers (x, y). Then the geometric picture shows right away that we
are interested in the intersection of the innite family of all integral solutions with
the rst quadrant of R2 . More precisely, we have a line segment LN which joins
(0, Nb ) to ( Na , 0), and we are asking whether there are integer solutions on LN .

5. SOME IRRATIONAL NUMBERS

23

Notice that the length of LN is

( )

( )2
( )
2
N
1
a2 + b2
N
1
d
N =
+
=N
+
=
N
=
N.
a
b
a2
b2
ab
ab
Thus when N is small, LN is a very small line segment, and since consecutive
integral solutions on the line are spaced d units apart, it is by no means guaranteed
that there are any integral solutions on LN . For instance, since ax + by a + b 2,
there is no positive integral solution to ax + by = 1. But since LN grows linearly
with N and d is independent of N , when N is suciently large we must have some
integral points on LN . In fact this must happen as soon as N > d.13 By similar
N
reasoning, the number of solutions must be extremely close to dn = ab
. Precisely:
Theorem 15. Let a, b Z+ be relatively prime, and let N Z+ .
a) If N > ab, then there exist positive integers x, y such that ax + by = N .
b) Let NN be the number of positive integral solutions (x, y) to ax + by = N . Then

N
N
1 NN + 1.
ab
ab

We leave the details of the proof of Theorem 15 to the interested reader.

It turns out that the lower bound on N in part a) is of the right order of magnitude, but is never sharp: for instance, if a = 2, b = 3, then the theorem asserts
2x + 3y = N has a positive integral solution if N > 6, whereas pure thought shows
that it suces to take N 2. The sharp lower bound is known (in terms of a and
b, of course) and is a result of J.J. Sylvester [Sy84].
5. Some Irrational Numbers
Proposition 16. The square root of 2 is irrational.

Proof. Suppose not: then there exist integers a and b = 0 such that 2 = ab ,
2
meaning that 2 = ab2 . We may assume that a and b have no common divisor if
they do, divide it out and in particular that a and b are not both even.
Now clear denominators:
a2 = 2b2 .
So 2 | a2 . It follows that 2 | a. Notice that this is a direct consequence of Euclids
Lemma if p | a2 , p | a or p | a. On the other hand, we can simply prove the
contrapositive: if a is odd, then a2 is odd. By the Division Theorem, a number
is odd i we can represent it as a = 2k + 1, and then we just check: (2k + 1)2 =
4k 2 + 4k + 1 = 2(2k 2 + 2k) + 1 is indeed again odd. So a = 2A, say. Plugging this
into the equation we get
(2A)2 = 4A2 = 2b2 , b2 = 2A2 ,
so 2 | b2 and, as above, 2 | b. Thus 2 divides both a and b: contradiction.

13To understand the reasoning here, imagine that you know that a certain bus comes once
every hour at a xed time i.e., at a certain number of minutes past each hour but you dont
know exactly what that xed time is. Nevertheless, if you wait for any full hour, you will be able
to catch the bus.

24

1. THE FUNDAMENTAL THEOREM AND SOME APPLICATIONS

Comment: This is a truly classical proof. In G.H. Hardys A Mathematicians

Apology, an extended rumination on the nature and beauty of pure mathematics,
he gives just two examples of theorems: this theorem, and Euclids proof of the
innitude of primes. As he says, this is inevitably a proof by contradiction (unlike
Euclids proof, which constructs new primes in a perfectly explicit way). The original statement is logically more complicated than what
we actually prove in that
it takes for granted that there is some real number 2 characterized by being
positive and having square equal to 2 and then shows a property of this real
number, namely it not being a fraction. But the essence of the matter is that a
certain mathematical object does not exist namely a rational number ab such that
( ab )2 = 2. This was the rst impossibility proof in mathematics.
This is also one of the most historically important theorems in mathematics.
History tells us that the result was discovered by Pythagoras, or at least someone in
his school, and it was quite a shocking development (some sources say that the unnamed discoverer was feted, others that he was cast into the sea). It caused Greek
mathematicians to believe that geometric reasoning was more reliable than numerical, or quantitative reasoning, so that geometry became extremely well-developed
in Greek mathematics at the expense of algebra.

Can we prove that 3 is irrational in the same way(s)? The Euclids Lemma

argument gives the irrationality of p for any prime p: write p = ab in lowest

terms, square and simplify to get pb2 = a2 ; then p|a2 so p|a, so a = pA, and then
substituting we get pb2 = p2 A2 , b2 = pA2 , so p | b2 and nally p | b: contradiction.
It is interesting to notice that even without Euclids Lemma we can prove the
result by hand for any xed prime p. For instance, with p = 3 we would like to
prove: 3 | a2 = 3 | a. The contrapositive is that if a is not divisible by 3, neither
is a2 . Since any number which is not divisible by 3 is of the form 3k + 1 or 3k + 2,
we need only calculate:
(3k + 1)2 = 9k 2 + 6k + 1 = 3(3k 2 + 2k) + 1,
(3k + 2)2 = 9k 2 + 12k + 4 = 3(3k 2 + 4k + 1) + 1,
so in neither case did we get, upon squaring, a multiple of three. For any prime
p, then, we can show p|a2 = p|a by hand by squaring each of the expressions
pk + i, 0 < i < p and checking that we never get a multiple of p.
One can also look at this key step as a property of the ring Zp of integers modulo p:
if 0 = a Zp then 0 = a2 Zp . But aha! this is just saying that we dont want
any nonzero elements in our ring Zp which square to 0, so it will be true when Zp
is reduced (remember, this means that there are no nilpotent elements). When p is
prime Zp is an integral domain (even a eld) so there are not even any zero divisors,
but referring back to the algebra handout we proved more than this: for any n, Zn
is reduced i n is squarefree. Thus, although the full strength of p | ab = p | a
or p | b holds only for primes, the special case p | a2 = p | a is true not just for
primes but for any squarefree integer p. (Stop and think about this for a moment;
you can see it directly.) Thus the same argument in fact gives:

Proposition 17. For any squarefree integer n > 1, n is irrational.

What about the case of general n? Well, of course n2 is not only rational but is
an integer, namely n. Moreover, an arbitrary positive integer n can be factored to

5. SOME IRRATIONAL NUMBERS

25

get one of these two limiting cases: namely, any n can be uniquely decomposed as
n = sN 2 ,

2
where
s is squarefree. (Prove it!) Since sN = N s, we have that n is rational
i s is rational; by the above result, this only occurs if s = 1. Thus:

Theorem 18. For n Z+ , n is rational i n = N 2 is a perfect square.

Another way of stating this result is that n is either an integer or is irrational.

What about cube roots and

so forth? We can prove that 3 2 is irrational using
a similar argument: suppose 3 2 = ab , with gcd(a, b) = 1. Then we get
2b3 = a3 ,
so 2 | a3 , thus 2 | a. Put a = 2A, so b3 = 22 A3 and 2 | b3 . Thus 2 | b: contradiction.
Any integer can be written as the product
of a cube-free integer14 and a perfect

3
cube; with this one can prove that the n is irrational unless n = N 3 . For the sake
of variety, we prove the general result in a dierent way.

Theorem 19. Let k > 2 be a positive integer. Then k n is irrational unless

n = N k is a perfect kth power.
Proof. Suppose n is not a perfect kth power. Then there is a prime p | n such
that ordp (n) is not divisible by k. We use this prime to get a contradiction:
ak
= n, ak = nbk .
bk
Take ordp of both sides:
k ordp (a) = ordp (ak ) = ordp (nbk ) = k ordp (b) + ordp (n),
so ordp (n) = k(ordp (a) ordp (b)) and k | ordp (n): contradiction.

From a more algebraic perspective, there is yet a further generalization to be made.

A complex number is an algebraic number if there exists a polynomial
P (t) = an tn + . . . + a1 t + a0
with ai Z, an = 0, such that P () = 0. Similarly, is an algebraic integer if
there exists such a polynomial P with an = 1 (a monic polynomial). We write
Q for the set of algebraic numbers and Z for the set of algebraic integers.
Example: = 21 Q because satises the polynomial 2t 1; =
because satises the polynomial t5 2.

2 Z

Theorem 20. If Q Z, then Z.

Proof. Let = ab with gcd(a, b) = 1; suppose satises a monic polynomial:
( a )n
( a )n1
(a)
+ c0 = 0, ci Z.
+ cn1
+ . . . + c1
b
b
b
We can clear denominators by multiplying through by bn to get
an + bcn1 an1 + . . . + bn1 c1 a + bn c0 = 0,
14I.e., an integer n with ord (n) 2 for all primes p.
p

26

or
(7)

1. THE FUNDAMENTAL THEOREM AND SOME APPLICATIONS

(
)
an = b cn1 an1 . . . bn2 c1 a bn1 c0 .

If b > 1, then some prime p divides b and then, since p divides the right hand
side of (34), it must divide the left hand side: p | an , so p | a. But, as usual, this
contradicts the fact that a and b were chosen to be relatively prime.

Example: Is 12 Z? Well, the polynomial 2t 1 is not monic, but maybe 12 satises
some other monic polynomial? By Theorem 20, the answer is no: otherwise 12 Z.
We
can deduce Theorem 4 from Theorem 5 by noticing that for any k and n,

k
n
is a root of the polynomial tk n so lies in Z. On the other hand, evidently

k
n is an integer i n is a perfect kth power, so when n is not a perfect kth power,

k
n Z \ Z, so by Theorem 20, k n Q.
In fact Theorem 20 is a special case of a familiar result from high school algebra.
Theorem 21. (Rational Roots Theorem) If
P (x) = an X + . . . + a1 x + a0
is a polynomial with integral coecients, then the only possible rational roots are
those of the form dc , where c | a0 , d | an .
6. Primitive Roots
Let N be a positive integer. An integer g is said to be a primitive root modulo
N if every element x of (Z/N Z) is of the form g i for some positive integer i.
Equivalently, the nite group (Z/N Z) is cyclic and g (mod N ) is a generator.
Wed like to nd primitive roots mod N , if possible. There are really two problems:
Question 1. For which N does there exist a primitive root modulo N ?
Question 2. Assuming there does exist a primitive root modulo N , how do we
nd one? How do we nd all of them?
We can and shall give a complete answer to Question 1. We already know that the
group of units of a nite eld is nite, and we know that Z/N Z is a eld if (and
only if) N is prime. Thus primitive roots exist modulo N when N is prime.
When N is not prime we might as well ask a more general question: what is the
structure of the unit group (Z/N Z) ? From our work on the Chinese Remainder
theorem, we know that if N = pa1 1 par r , there is an isomorphism of unit groups
r

(Z/N Z) = Z/(pa1 1 par r Z)

(Z/pai i Z) .
=
i=1

Thus it is enough to gure out the group structure when N = pa is a prime power.
Theorem 22. The nite abelian group (Z/pa Z) is cyclic whenever p is an
odd prime, or when p = 2 and a is 1 or 2. For a 3, we have
(Z/2a Z)
= Z2 Z2a2 .
Before proving Theorem 22, let us nail down the answer it gives to Question 1.

6. PRIMITIVE ROOTS

27

Corollary 23. Primitive roots exist modulo N in precisely the following cases:
(i) N = 1, 2 or 4.
(ii) N = pa is an odd prime power.
(iii) N = 2pa is twice an odd prime power.
Proof. Theorem 22 gives primitive roots in cases (i) and (ii). If p is odd, then
(Z/2pa Z)
= (Z/2Z) (Z/pa Z)
= (Z/pa Z)
since (Z/2Z) is the trivial group. Conversely, if N is not of the form (i), (ii) or
(iii) then N is divisible either by 8 or by two distinct odd primes p and q. In the
rst case, write N = 2a M with (2, M ) = 1 and a 3. Then
(Z/N Z)
= (Z/2a Z) (Z/M Z) ,
and (Z/N Z) , having the noncylic subgroup (Z/2a Z) , cannot itself be cyclic
[Handout A2.5, Corollary 6]. In the second case write N = pa q b M ; then
(Z/N Z)
= (Z/pa Z) (Z/q b Z) (Z/M Z) .
Both (Z/pa Z) and (Z/q a Z) have even order, hence their orders are not relatively
prime and the product group cannot be cyclic [Handout A2.5, Corollary 10].

Proof of Theorem 22: The idea for odd p is as follows: if g is a primitive root
mod p, then [Handout A2.5, Corollary 2] the order of g mod pa is divisible by p 1,
k
hence of the form pk (p 1) for some k a 1. Therefore g = g p has order
p 1 [Handout A2.5, Proposition 7]. We claim z = 1 + p has order pa1 ; since
gcd(pa1 , p 1) = 1, g z has order pa1 (p 1) [Handout A2.5, Example 4].
Lemma 24. Let p be an odd prime and z Z, z 1 (mod p).
a) We have ordp (z p 1) = ordp (z 1) + 1.
k
b) For all k Z+ , ordp (z p 1) = ordp (z 1) + k.
Proof. Write z = 1 + xp for some x Z, so ordp (z 1) = 1 + ordp (x). Then
( )
( )
(
)
p
p
p
p
p
2
(8) z 1 = (1 + xp) 1 =
(xp) +
(xp) + . . . +
(xp)p1 + (xp)p .
1
2
p1
For the rst term on the right hand side of (8), we have
( )
p
ordp (
xp) = 2 + ordp (x) = ordp (z 1) + 1.
1
The remaining terms have larger p-orders, so the p-order of z p 1 is ordp (z 1) + 1,
k
k1
whence part a). Since z p 1 = (z p )p 1, part b) follows by induction.

k1

Applying Lemma 24 to z = 1 + p gives ordp (z p

1) = k for all k Z+ . So
pa2
a
pa1
a
z
= 1 (mod p ) and z
1 (mod p ): z has order exactly pa1 in (Z/pa Z) .
Therefore, with notation as above, g z has order pa1 (p 1) = #(Z/pa Z) , so is a
primitive root mod pa .
Now for p = 2. Note that (Z/2Z) and (Z/4Z) have orders 1 and 2 respectively so are certainly cyclic, and we may take a 3. We claim that the subgroup
of (Z/2a Z) generated by 5 has order 2a2 and is disjoint from the subgroup generated by 1, of order 2. It follows that the group is isomorphic to Z2 Z2a2 .
When p = 2, Lemma 24 breaks down because the right hand side of (8) becomes

28

1. THE FUNDAMENTAL THEOREM AND SOME APPLICATIONS

just 4x + 4x2 = 4x(x + 1), whose 2-order is at least 3 + ord2 (x) if x is odd. So
instead we take x even. In fact we may just take x = 2, so z = 1 + 2x = 5,
ord2 (z 2 1) = ord2 (z 1) + ord2 (z + 1) = ord2 (z 1) + ord2 (6) = ord2 (z 1) + 1.
Again, inductively, we get
k

ord2 (z 2 1) = ord2 (z 1) + k,
or ord2 (52 1) = k + 2. Thus for a 2, 5 has order 2a2 in (Z/2a Z) . Moreover
5k + 1 2 (mod 4) for all k, so 5k = 1 (mod 2a ), so the subgroups generated by
the classes of 5 and of 1 are disjoint. This completes the proof of Theorem 22.
k

Question 2 remains: when there is a primitive root, then (ZN Z) is a cyclic

group, so has (n) generators, where n is its order. Since the order of (Z/N Z)
is n = (N ), if there is one primitive root there are in fact exactly ((N )) of
them, which is interesting. When N = p is a prime, we get that there are (p 1)
primitive roots. But how many is that?? We will turn to questions like this shortly.
Suppose now that N = p is prime, so we know that there are a fair number of
primitive roots modulo p, but how do we nd one? This is a much deeper question. Suppose for instance we ask whether 2 is a primitive root modulo p. Well, it
depends on p. Among odd primes less than 100, 2 is a primitive root modulo
3, 5, 11, 13, 19, 29, 37, 53, 59, 61, 67, 83
and is not a primitive root modulo
7, 17, 23, 31, 41, 43, 47, 71, 73, 79, 89, 97.
Extending the list, one nds that the chance that 2 is a primitive root modulo p
seems to dip below 12 and approach a number closer to 37%. E. Artin conjectured
that for any prime number a, a is a primitive root modulo (100C)% of the primes,
with
)
(
1
C=
= 0.3739558136 . . . ,
1
p(p 1)
p
and in particular that a is a primitive root modulo innitely many primes.
Work of Gupta-Murty15 [GM84] and Heath-Brown16 [HB86], shows that there
are at most two bad prime numbers a such that a is a primitive root modulo
only nitely many primes p. So, for instance, if 2 is not a primitive root modulo
innitely many primes and 3 is not either, than we can be sure that 5 is a primitive
root modulo innitely many primes!
There are further concrete questions of great interest: for instance, what can be
said about the smallest primitive root mod p? Or, suppose we are given p and
want to nd a primitive root of p very quickly: what do we do? An extremely large
literature exists on such matters.
15Two people: Rajiv Gupta and M.(aruti) Ram Murty.
16One person: D.(avid) Roger Heath-Brown.

CHAPTER 2

Pythagorean Triples
1. Parameterization of Pythagorean Triples
1.1. Introduction to Pythagorean triples.
By a Pythagorean triple we mean an ordered triple (x, y, z) Z3 such that
x2 + y 2 = z 2 .
The name comes from elementary geometry: if a right triangle has leg lengths x
and y and hypotenuse length z, then x2 + y 2 = z 2 . Of course here x, y, z are posi2
2
tive real numbers. For most integer values of x and
y, the integer x + y will not
2
2
be a perfect square, sothe positive real number x + y will be irrational: e.g.
x = y = 1 = z = 2. However, a few integer solutions to x2 + y 2 = z 2 are
familiar from high school algebra (and the SATs): e.g. (3, 4, 5), (5, 12, 13).
Remark: As soon as we have one solution, like (3, 4, 5), we can nd innitely many
more, however in a somewhat unsatisfying way. Namely, if (x, y, z) is a Pythagorean
triple and a is any integer, then also (ax, ay, az) is a Pythagorean triple:
(ax)2 + (ay)2 = a2 (x2 + y 2 ) = a2 z 2 = (az)2 .
This property of invariance under scaling is a characteristic feature of solutions
(x1 , . . . , xn ) to homogeneous polynomials P (t1 , . . . , tn ) in n-variables. We recall
what this means: a monomial is an expression of the form cta1 1 tann , and the degree
of the monomial is dened to be a1 + . . . + +an , i.e., the sum of the exponents. A
polynomial is said to be homogeneous of degree d if each of its monomial terms
has degree d, and simply homogeneous if it is homogeneous of some degree d. For
instance, the polynomial P (x, y, z) = x2 + y 2 z 2 is homogeneous of degree 2, and
indeed for any N the Fermat polynomial
PN (x, y, z) = xN + y N z N
is homogeneous of degree N . Moreover, every (nonconstant) homogeneous polynomial P (t1 , . . . , tn ) has zero constant term, hence P (0, . . . , 0) = 0. So (0, . . . , 0) is a
solution to any homogeneous polynomial, called the trivial solution.
Coming back to Pythagorean triples, these considerations show that for all a Z,
(3a, 4a, 5a) is a Pythagorean triple (again, familiar to anyone who has studied for
the SATs). For many purposes it is convenient to regard these rescaled solutions as
being equivalent to each other. To this end we dene a Pythagorean triple (a, b, c)
to be primitive if gcd(a, b, c) = 1. Then every nontrivial triple (a, b, c) is a positive
integer multiple of a unique primitive triple, namely ( ad , db , dc ) where d = gcd(a, b, c).
29

30

2. PYTHAGOREAN TRIPLES

Our goal is to nd all primitive Pythagorean triples. There are many ways to
do so. We prefer the following method, both for its simplicity and because it motivates the study of not just integral but rational solutions of polynomial equations.
Namely, consider the algebraic curve x2 + y 2 = 1 in R2 : i.e., the unit circle. Why?
Well, suppose (a, b, c) is a nontrivial Pythagorean triple, so a2 + b2 = c2 with c = 0
(if c = 0, then a2 + b2 = 0 = a = b = 0). So we may divide through by c, getting
( a )2 ( b ) 2
+
= 1.
c
c
Thus ( ac , cb ) is a rational point on the unit circle. Moreover, the process can be
essentially reversed: suppose that (r, s) Q2 is such that r2 + s2 = 1. Then,
writing r = ac and s = db (so cd = 0), we have
( a )2 ( b )2
+
= 1.
c
d
Multiplying through by (cd)2 , we get
(da)2 + (bc)2 = (bd)2 ,
so that (da, bc, bd) is a nontrivial Pythagorean triple. If we start with a primitive
Pythagorean triple (a, b, c), pass to the rational solution ( ac , cb ) and then clear denominators using the above formula, we get (ca, cb, c2 ). This is not the primitive
triple that we started with, but it is simply a rescaling: no big deal. At the end we
will nd the correct scaling that gives primitive triples on the nose.
1.2. Rational parameterization of the unit circle.
Fix any one rational point P = (x , y ) on the unit circle. The argument that
we are about to make works for any choice of P e.g. ( 35 , 45 ) but let me pass
along the wisdom of hindsight: the computations will be especially simple and clean
if we take P = (1, 0). So let us do so.
Now suppose P = (xP , yP ) is any other rational point on the unit circle. Then
there is a unique line joining P to P , which of course has rational coecients:
yP y
: y yP =
(x xP ) .
xP x
In particular, the slope of this line
yP y
mP =
,
xP x
is a rational number. This already places a limitation on the rational solutions,
since most lines passing through the xed point P have irrational slope. More
interesting is the converse: for any m Q, let
m : y = (y y ) = m(x x ) = m(x + 1),
be the line passing through P = (1, 0) with slope m. We claim that this line
intersects the unit circle in precisely one additional point Pm , and that this point
Pm also has rational coordinates. That is, we claim that the rational points on the
unit circle are precisely the point P = (1, 0) together with the set of points Pm
as m ranges through the rational numbers.

1. PARAMETERIZATION OF PYTHAGOREAN TRIPLES

31

Why is this so? With a bit of thought, we can argue for this in advance. Briey,
we plug the linear equation m into the quadratic x2 + y 2 = 1 thereby getting a
quadratic equation in x with rational coecients. Because we know that this equation has at least one rational solution namely 1, the coordinate of P the other
solution must be rational as well, as follows from contemplation of the quadratic
formula. On the other hand, such forethought is not really necessary in this case,
because we want to nd the solutions explicitly anyway. In other words, lets do it!
We have the system of equations
(9)

x2 + y 2 = 1

(10)

y = m(x + 1).

Substituting (35) into (34) gives

x2 + m2 (x + 1)2 = 1,
or
(1 + m2 )x2 + 2m2 x + m2 1 = 0.
Applying the quadratic formula, we get
x=

2m2

4m4 4(1 + m2 )(m2 1)

.
2(1 + m2 )

Under the radical sign we have

4m4 4(m2 + 1)(m2 1) = 4(m4 (m4 1)) = 4,

so that luckily1 4m2 4(1 + m2 )(m2 1) = 2, and

x=

2m2 2
m2 1
=
.
2
2(1 + m )
1 + m2

1
Notice that by taking the minus sign, we get the solution x = m
1+m2 = 1. Thats
great, because 1 is the x-coordinate of P , so that it had better be a solution.
The other solution is the one we really want:
2

xm =
and then we get
ym

1 m2
,
1 + m2

)
(
2m
1 m2
= 2
,
= m(1 + xm ) = m 1 +
1 + m2
m +1

so that nally

(
Pm =

1 m2
2m
,
1 + m2 1 + m2

1Not really, of course: see the last paragraph above.

)
.

32

2. PYTHAGOREAN TRIPLES

This is exactly what we wanted. Before returning to the problem of Pythagorean

triples, however, let us make one further observation:
(
)
1 m2
2m
= (1, 0) = P .
lim Pm =
lim
, lim
m
m 1 + m2 m 1 + m2
The geometric interpretation of this is simple: the tangent line to the unit circle
at (1, 0) is vertical, so as the slope of the line m approaches either + or ,
the second intersection point Pm approaches P and the secant lines approach
the tangent line. So in fact it is true that the rational points on the unit circle
correspond precisely to the set of all rational lines through P : here we get P itself
as the double intersection point of the tangent line. Thus, instead of P , a more
appropriate name would be P , although we do not insist on this in the sequel.
1.3. Scaling to get primitive solutions.
We wish to explicitly write down all primitive Pythagorean triples (a, b, c). As
above, this is accomplished up to scaling by clearing denominators in the general
rational solution Pm = (xm , ym ). Namely, put m = uv with gcd(u, v) = 1, so
(
) ( 2
)
1 u2 /v 2
2u/v
v u2
2uv
Pm =
,
=
,
.
1 + u2 /v 2 1 + u2 /v 2
v 2 + u2 v 2 + u2
Thus, multiplying through by v 2 + u2 , we get a family of integral solutions
(v 2 u2 , 2uv, v 2 + u2 ).
Are these solutions primitive? In other words, is gcd(v 2 u2 , 2uv, v 2 + u2 ) = 1?
Suppose that an odd prime p divides v 2 u2 and v 2 + u2 . Then p also divides
(v 2 u2 ) + (v 2 + u2 ) = 2v 2 and (v 2 + u2 ) (v 2 u2 ) = 2u2 . Since p is odd, we get
p | u2 and p | v 2 which implies p | u and p | v, contradiction. Similarly, if 4 | v 2 u2
and 4 | v 2 + u2 , then 4 | 2v 2 and 4 | 2u2 , so 2 | v 2 and 2 | u2 , so 2 divides both u
and v. Thus gcd(v 2 u2 , 2uv, v 2 + u2 ) is either 1 or 2.
Case 1: v and u have opposite parity. Then v 2 u2 is odd, so the gcd is 1. Notice
that in this case, the rst coordinate v 2 u2 is odd and the second coordinate 2uv
is even, so this cant be the complete list of all primitive Pythagorean triples: that
set is symmetric under interchanging x and y!
Case 2: u and v are both odd. Then v 2 u2 , 2uv, v 2 + u2 are all even, so the gcd
2
2
2
2
is 2. In this case ( v u
, uv, v +u
) is the primitive integral solution we seek.
2
2
This is the answer,2 but lets touch it up a bit. If x = 2k + 1 is odd, then
x2 = 4k 2 + 4k + 1 1 (mod 4). Thus, if u and v are both odd, not only is
2
2
is even and
v 2 u2 even, it is congruent to v 2 u2 1 1 = 0 (mod 4), so v u
2
uv is odd. Thus all the primitive triples arising in Case 2 are obtained by switching
the rst and second coordinates of a primitive triple in Case 1. To sum up:
Theorem 25. (Classication of Pythagorean Triples)
(
)
2
2m
a) The rational solutions to x2 + y 2 = 1 are {(1, 0) 1m
,
| m Q}.
2
2
1+m
1+m
b) (0, 0, 0) is a Pythagorean triple, called trivial. Every nontrivial Pythagorean
2Note that there is no Case 3: we assumed gcd(u, v) = 1, so they cant both be even.

2. AN APPLICATION: FERMATS LAST THEOREM FOR N = 4

33

triple is of the form (da, db, dc) for some d Z+ , where (a, b, c) is a Pythagorean
triple with gcd(a, b, c) = 1, called primitive.
c) In every primitive Pythagorean triple (a, b, c), exactly one of a and b are even
integers. Every primitive triple with a odd is of the form (v 2 u2 , 2uv, v 2 + u2 )
where u, v Z are relatively prime integers of opposite parity. Conversely, all such
pairs u, v yield a primitive Pythagorean triple with rst coordinate odd.
2. An Application: Fermats Last Theorem for N = 4
In this section we will prove Fermats Last Theorem for N = 4. In fact, following
Fermat, we establish something stronger, from which FLT(4) immediately follows.
Theorem 26. (Fermat) X 4 + Y 4 = Z 2 has no solutions with X, Y, Z Z \ {0}.
Proof. Step 1: Let (x, y, z) be a positive integral solution to X 4 + Y 4 = Z 2 .
We claim there is a positive integral solution (x , y , z ) with gcd(x , y ) = 1 and
z z. Indeed, if x and y are not relatively prime, they are both divisible by some
prime number p. Then p4 | X 4 + Y 4 = Z 2 , so p2 | Z. Therefore xp , yp , pz2 Z+ and
( )4 ( )4
( )2
x
y
1
1
z
+
= 4 (x4 + y 4 ) = 4 (z 2 ) =
,
p
p
p
p
p2
so ( xp , yp , pz2 ) is another positive integral solution, with z-coordinate smaller than
the one we started with. Therefore the process can be repeated, and since the
z-coordinate gets strictly smaller each time, it must eventually terminate with a
solution (x , y , z ) as in the statement.
Step 2: Given a positive integral solution (x, y, z) to X 4 +Y 4 = Z 2 with gcd(x, y) =
1, we will produce another positive integral solution (u, v, w) with w < z.
First, we may assume without loss of generality that x is odd and y is even.
They cannot both be even, since they are relatively prime; if instead x is even and
y is odd, then we can switch x and y; so what we need to check is that x and y
cannot both be odd. But then considering x4 + y 4 = z 2 modulo 4, we nd 2
= z2
2
2
2
2
(mod 4), which is impossible: 0 2 0 (mod 4), 1 3 1 (mod 4).
Now we bring in our complete solution of Pythagorean triples: since (x2 )2 +
2 2
(y ) = z 2 and x and y are relatively prime, (x, y, z 2 ) is a primitive Pythagorean
triple with rst coordinate odd. Therefore by Theorem 25 there exist relatively
prime integers m and n of opposite parity such that
(11)

x2 = m2 n2

y 2 = 2mn
z = m2 + n2 .
2
2
2
Now rewrite (27) as n + x = m . Since gcd(m, n) = 1, this is again a primitive
Pythagorean triple. Moreover, since x is odd, n must be even. So we can use our
parameterization again (!!) to write
x = r2 s2 ,
n = 2rs,
m = r2 + s2 ,
for coprime integers r, s of oposite parity. Now observe
( n ) 2mn
( y )2
y2
m
=
=
=
.
2
4
4
2

34

2. PYTHAGOREAN TRIPLES

Since m and n2 are coprime integers whose product is a perfect square, they must
both be perfect squares. Similarly,
2rs
n
rs =
= = ,
2
2
so r and s must both be squares. Let us put r = u2 , s = v 2 , m = w2 , and substitute
these quantities into m = r2 + s2 to get
u4 + v 4 = w 2 .
Here w 1, so

w w4 < w4 + n2 = m2 + n2 = z,
so that as promised, we found a new positive integral solution (u, v, w) with w < z.
Step 3: Steps 1 and 2 together lead to a contradiction, as follows: if we have any
positive integral solution (x, y, z) to X 4 + Y 4 = Z 2 , then by Step 1 we have one
(x , y , z ) with z z with gcd(x , y ) = 1. Then by Step 2 we have another positive
integral solution (u, v, w) with w < z z. Then by Step 1 we have another positive
integral solution (u , v , w ) with w w < z z with gcd(u , v ) = 1, and then
by Step 2 we get another solution whose nal coordinate is strictly smaller than
w. And so on. In other words, the assumption that there are any positive integer
solutions at all leads to the construction of an innite sequence of positive integer
solutions (xn , yn , zn ) with zn+1 < zn for all n. But thats impossible: there are no
innite strictly decreasing sequences of positive integers. Contradiction!

Lemma 27. Let A and B be coprime integers. Then:
a) If A and B have the same parity, gcd(A + B, A B) = 2.
b) If A and B have opposite parity, gcd(A + B, A B) = 1.
Exercise: Prove Lemma 27.
Here is a second proof, communicated to us by Barry Powell.
Proof. Seeking a contradiction, suppose the equation X 4 + Y 4 = Z 2 has
solutions (x, y, z) with z = 0. Among all such solutions, choose one with z 2 minimal.
For such a minimal solution we must have gcd(x, y) = 1: indeed, if a prime p divided
both x and y, then p4 | z 2 so p2 |z and we may take x = px , y = py , z = p2 z
to get a solution (x , y , z ) with (z )2 < z 2 . Moreover x and y must have opposite
parity: being coprime they cannot both be even; if both were odd then reducing
modulo 4 gives a contradiction. It is no loss of generality to assume that x is odd
and y is even, and it follows that z is odd.
We claim that gcd(z +y 2 , zy 2 ) = 1. Indeed, let d = gcd(z +y 2 , z y 2 ). Since y
is even and z is odd, z+y 2 is odd, hence d is odd. Suppose p is an odd prime dividing
d. Then p | (z + y 2 ) + (z y 2 ) = 2z, so p | z; moreover, p | (z + y 2 ) (z y 2 ) = 2y 2 ,
so p | y. Since x4 = z 2 y 4 , it follows that p | x, contradicting gcd(x, y) = 1.
By uniqueness of factorization there are coprime integers r and s such that
(12)

z y 2 = r4 , z + y 2 = s4 .

So (s2 + r2 )(s2 r2 ) = s4 r4 = 2y 2 with y even, hence r and s are both odd. Since
s2 , r2 are coprime integers of the same parity, by Lemma 27, gcd(s2 +r2 , s2 r2 ) = 2.
2
2
s2 +r 2
2
2
Since r, s are odd, so is s +r
2 , so gcd( 2 , s r ) = 1, and then by uniqueness
of factorization there are coprime integers a, b with
r2 + s2 = 2b2 , (r + s)(r s) = r2 s2 = a2 .

3. RATIONAL POINTS ON CONICS

35

rs
Again by Lemma 27, gcd(r + s, r s) = 2, so gcd( r+s
2 , 2 ) = 1 and thus there are
coprime integers u, v with

s r = 2u2 , s + r = 2v 2 .
It follows that
4(u4 + v 4 ) = (s r)2 + (s + r)2 = 2(s2 + r2 ) = 4b2 ,
and thus
u4 + v 4 = b2 .
Since x is odd, hence nonzero, and x4 + y 4 = z 2 , y 2 y 4 < z 2 , so
2b2 = s2 + r2 (s2 + r2 )(s2 r2 ) = 2y 2 < 2z 2 .
Note also that b = 0, since otherwise u = v = 0, contradicting the fact that they
are coprime. Therefore we have found a solution (u, v, b) to X 4 + Y 4 = Z 2 with
0 < b2 < z 2 , contradicting the minimality of z 2 .

Corollary 28. X 4 + Y 4 = Z 4 has no solutions with X, Y, Z Z \ {0}.
Proof. Suppose there are x, y, z Z \ {0} such that x4 + y 4 = z 4 . We may
assume x, y, z are all positive. Then, since Z 4 = (Z 2 )2 , the triple (x, y, z 2 ) is a
positive integer solution to X 4 + Y 4 = Z 2 , contradicting Theorem 26.

The strategy of the above proof is known as innite descent. Over the centuries
it has been rened and developed, and the modern theory of descent is one of
the mainstays of contemporary Diophantine geometry.
3. Rational Points on Conics
The method of drawing lines that we used to nd all rational points on the unit
circle has further applicability. Namely, we consider an arbitrary conic curve
aX 2 + bY 2 = cZ 2 ,

(13)
for a, b, c Q \ {0}.

Remark: More generally, one calls a plane conic any curve given by an equation
aX 2 + bXY + cXZ + dY 2 + eY Z + f Z 2 = 0.
for a, b, c, d, e, f Q, not all zero. But as one learns in linear algebra, by making
a linear change of variables, new coordinates can be found in which the equation
is diagonal, i.e., in the form (13), and one can easily relate integral/rational points
on one curve to those on the other. So by considering only diagonalized conics, we
are not losing out on any generality.
Now, as in the case a = b = c = 1, we have a bijective correspondence between
primitive integral solutions to aX 2 + bY 2 = cZ 2 and rational points on
(14)

ax2 + by 2 = c.

If we can nd any one rational point P = (x , y ) on (14) then our previous method
works: taking the set of all lines through P with rational slope, together with the
vertical line x = x and intersecting with the conic (14), we get all rational solutions.
In the exercises the reader is invited to try this in certain cases where there are

36

2. PYTHAGOREAN TRIPLES

obvious rational solutions. For instance, if a = c then an obvious rational solution is (1, 0). The reader is asked to carry this out in a particular case and also
to investigate the structure of the primitive integral solutions in the exercises.
But there need not be any rational solutions at all! An easy example of this is
x2 + y 2 = 1,
where indeed there are clearly no R-solutions. But this is not the only obstruction.
Consider for instance
3x2 + 3y 2 = 1,
whose real solutions form a circle of radius 13 . We claim that there are however
no rational points on this circle. Equivalently, there are no integral solutions to
3X 2 + 3Y 2 = Z 2 with gcd(x, y, z) = 1. For suppose there is such a primitive
integral solution (x, y, z). Then, since 3 | 3x2 + 3y 2 = z 2 , we have 3 | z. So we may
put z = 3z , getting 3x2 + 3y 2 = 9(z )2 , or
x2 + y 2 = 3z 2 .
Now reducing mod 3, we get
x2 + y 2 0 (mod 3).
Since the squares mod 3 are 0 and 1, the only solution mod 3 is x y 0 (mod 3),
but this means 3 | x, 3 | y, so that the solution (x, y, z) is not primitive after all: 3
is a common divisor.
This argument can be made to go through with 3 replaced by any prime p with p 3
(mod 4). Arguing as above, it suces to show that the congruence x2 + y 2 = 0
(mod p) has only the zero solution. But if it has a solution with, say, x = 0,
( )2
then x is a unit modulo p and then xy = 1 (mod p). We will see later that
for an odd prime p, the equation a2 1 (mod p) has a solution i p 1 (mod 4).
In fact, for an odd prime p 1 (mod 4), the curve
px2 + py 2 = 1
does always have rational solutions, although this is certainly not obvious. Overall
we need a method to decide whether the conic aX 2 + bY 2 = cZ 2 has any nontrivial
integral solutions. This is provided by the following elegant theorem of Legendre.
Theorem 29. Let a, b, c be nonzero integers, square, relatively prime in pairs,
and neither all positive nor all negative. Then
ax2 + by 2 + cz 2 = 0
has a solution in nonzero integers (x, y, z)
(i) There exists x Z such that ab x2
(ii) There exists y Z such that bc y 2
(iii) there exists z Z such that ca z 2

i all of the following hold:

(mod |c|).
(mod |a|).
(mod |b|).

In particular, since we can compute all of the squares modulo any integer n by a
direct, nite calculation, we can easily program a computer to determine whether
or not the equation has any nonzero integer solutions. Once we know whether
there are any integral solutions, we can search by brute force until we nd one.
The following result of Holzer puts an explicit upper bound on our search:

3. RATIONAL POINTS ON CONICS

37

Theorem 30. If the equation ax2 + by 2 + cz 2 =

0 has anysolutions in
nonzero
integers, it has such a solution (x, y, z) with |x| bc, |y| ac, |z| ab.
A short and elementary proof of Theorem 30 was given by L.J. Mordell [Mo69].
Mordells proof was somewhat terse in places, leading to certain claims of a gap in
his argument. In her nal project for the 2009 course, Laura Nunley closely examined [Mo69] and found that it is complete and correct. A more discursive writeup
of the argument appears in her 2010 UGA masters thesis [Nu10]. Nunleys thesis
also contains a detailed treatment of a beautiful generalization of Theorem 30 due
to Cochrane and Mitchell, which we will discuss later on.
Thus the study of homogeneous quadratic equations over Z (or, what comes to
the same, over Q) is admirably complete. The same cannot be said for polynomial
equations of higher degree, as we will soon see.

CHAPTER 3

Quadratic Rings
1. Quadratic Fields and Quadratic Rings

LetD be a squarefree integer not equal to 0 or

1. Then D is irrational, and
Q[ D], the subring of C obtained by adjoining D to Q, is a eld.
From an abstract
algebraic perspective, an explanation for this can be given as
follows: since D is irrational, the polynomial t2 D is irreducible over Q. Since
the ring Q[t] is a PID, the irreducible element t2 D generates a maximal
ideal
(t2 D), so that the quotient Q[t]/(t2 D) is a eld. Moreover, the map Q[ D]
Q[t]/(t2 D)
which is the identity on Q and sends D 7 t is anisomorphism of
rings, so Q[ D] is also
a eld. We may write Q[ D]
= {a + b D | a, b Q},
so that a basis for Q[ D] as a Q-vector space is 1, D. In particular Q[ D] is
two-dimensional as a Q-vector space: we accordingly say it is a quadratic eld.

It is also easy to check by hand that the ring Q[ D] is a eld. For this and
for many other things to come, the key identity is

(a + b D)(a b D) = a2 Db2 .
For rational numbers a and b which are not both zero, the rational number a2
Db2
a2
is also nonzero: equivalently there are no solutions to D = b2 , because D is
irrational. It follows that again, for a, b not both 0 we have
(
)
(
)

a
b
a+b D

D
= 1,
a2 Db2
a2 Db2

which gives a multiplicative inverse for a + b D in Q[ D].

We wish also to consider quadratic
rings, certain integral domains whose frac
tion eld is a quadratic eld Q( D). Eventually
we will want
a more precise and
inclusive denition, but for now we consider Z[ D] = {a + b D | a, b Z}.1

2. Fermats Two Squares Theorem

The rings Z[ D] occur naturally when we study Diophantine equations. E.g:

1This equality is a fact which is not dicult to check; it is not the denition of Z[

By way of comparison, we recommend that the reader check that the ring Z[
form Z + Z for any two xed elements , of Z[
generated as an abelian group.
39

D
].
2

D
]
2

D].
is not of the

In fact its additive group is not nitely

40

3. QUADRATIC RINGS

Question 3. Which prime numbers p can be expressed as a sum of two squares?

More precisely, for for which prime numbers p are there integers x and y such that
(15)

x2 + y 2 = p?

Evidently 2 is a sum of squares: 12 + 12 = 2. Henceforth we assume p > 2.

At the moment we have exactly one general technique2 for studying Diophantine
equations: congruences. So lets try to apply it here.
If we reduce x2 + y 2 = p modulo 4, we get that p is a sum of two squares
modulo 4. Since 02 22 0 (mod 4) and 12 32 1 (mod 4), the squares
modulo 4 are {0, 1}, and thus please stop and do the calculation yourself! the
sums of two squares modulo 4 are {0, 1, 2}. Especially, 3 is not a sum of two squares
modulo 4. We deduce:
Lemma 31. If an odd prime p is a sum of two squares, then p 1 (mod 4).
If we reduce the equation x2 + y 2 = p modulo p, we get x2 + y 2 0 (mod p).
Suppose (x, y) Z2 is a solution to (34). It cannot be that p | x, because then
we would also have p | y, and then p2 | x2 + y 2 = p, a contradiction. So both x
and y are nonzero modulo p (hence invertible in Z/pZ) and the congruence can be
rewritten as
( )2
x
1 (mod p).
y
That is, a necessary condition for (34) to have solutions is that 1 be a square
modulo p. It turns out though that this is not new information.
Proposition 32. Let p be an odd prime, and let x U (p) = (Z/pZ) . Then:
p1
a) x is a square in U (p) i x 2 = 1.
b) In particular, 1 is a square modulo p i p 1 (mod 4).
Proof. a) Write U (p) = (Z/pZ) , and consider the map
p1
: U (p) U (p), x 7 (
)x.
2
Let U (p)2 = {x2 | x U (p)} be the subgroup of squares. The assertion of part
a) is equivalent to: Ker = U (p)2 . We now demonstrate this: since x 7 x2 is a
homomorphism from the group U (p) of order p 1 to itself with kernel {1} of
2 p1
2
order 2, we have #U (p)2 = p1
= xp1 = 1 by
2 . Further, for x U (p), (x )
2
Lagranges Little Theorem, so U (p) Ker . On the other hand, every x Ker
p1
satises x 2 1 = 0, and a polynomial over a eld cannot have more roots than
2
its degree, so # Ker p1
2 . Therefore U (p) = Ker .
p1
b) Take x = 1 in part a): (1) 2 1 (mod p) i p1
2 is even i p 1 (mod 4).

Most of the point of the above proof is that it does not use the cyclicity of U (p);
however it still uses a good working familiarity with basic group theory.
2By a general technique, we mean a technique that can always be applied, not one that is
guaranteed always to succeed. In that stronger sense there are provably no general technique for
Diophantine equations!

2. FERMATS TWO SQUARES THEOREM

41

Exercise: Use the cyclicity of U (p) to give a quick proof of Proposition 32.
As it happens, in order to determine which primes are a sum of 2 squares we
only need half of the above result, and that half has a more elementary proof.
Lemma 33. (Fermats Lemma) For a prime p 1 (mod 4), there is an integer
x such that p | x2 + 1. Equivalently, 1 is a square modulo p.
Proof. A reduced residue system modulo p is a set S of p 1 integers

such that the reduction S of S modulo p is precisely the set (Z/pZ)

of nonzero
residues. By Wilsons Theorem, for any reduced residue system S, xS x 1
(mod p). The most obvious choice of a reduced residue system modulo p is of
course {1, . . . , p 1}. To prove this result we will use the second most obvious
choice, namely
S={

(p 1) (p 1)
(p 1)
,
+ 1, . . . , 1, 1, . . . ,
}.
2
2
2

Then
1

x (1)

p1
2

xS

If p 1 (mod 4), then

p1
2

is even, (1)

)
p1
(
!)2
2
p1
2

(mod p).

= 1, and 1 is a square modulo p. 

It follows from Fermats Lemma that (34) has no Z-solutions unless p 1 (mod 4).
What about the converse: if p 1 (mod 4), must p be a sum of two squares?
By Fermats Lemma, there is x Z such that x2 1 (mod p), i.e.,
there exists n Z such that pn = x2 + 1. Now factor the right hand side over Z[ 1]:

pn = (x + 1)(x 1).

Suppose that p is prime as an element of Z[ 1]. Thenit satises Euclids Lemma:

if p | , then p | or p | . Here, if p is prime in Z[ 1], then we get p | x i.
x
1
But this is absurd: what this means is that the quotient xi
p = p p i is an element

of Z[ 1], i.e., that both xp and p1 are integers. But obviously p1 is not an integer.
Therefore p is not prime, so3 there exists a nontrivial factorization
(16)

p = ,

where = a + b 1, = c + d 1 Z[ 1] are nonunit elements. Taking

complex conjugates of the above equation, we get
(17)

p = p = = .

Multiplying (35) and (27) we get

(18)

p2 = ()() = (a2 + b2 )(c2 + d2 ).

Now, since and are evidently nonzero, we have a2 + b2 , c2

+ d2 > 0. We
2
2
2
2
claim that indeed a + b = 1 and c + d = 1. Indeed,
if a + b 1 Z[

1]
a
b
with a2 + b2 = 1, then its multiplicative inverse in Q[ 1] is a2 +b
1 =
2 a2 +b2

2
2
a b 1 which again lies in Z[ 1]. In other words, a + b = 1 implies that
3A gap occurs in the argument here. It has been deliberately inserted for pedagogical reasons.
Please keep reading at least until the beginning of the next section!

42

3. QUADRATIC RINGS

a + b 1 is a unit in Z[ 1], contrary to our assumption. Having ruled out that

either a2 + b2 = 1 or c2 + d2 = 1, (28) now immediately implies
a2 + b2 = c2 + d2 = p.
But that is what we wanted: p is a sum of two squares! Thus we have (apparently...please read on!) proved the following theorem.
Theorem 34. (Fermats Two Squares Theorem) A prime number p can be
expressed as the sum of two integer squares if and only if p = 2 or p 1 (mod 4).
3. Fermats Two Squares Theorem Lost
The above proof of Theorem 34 was surprisingly quick and easy, especially compared to Fermats original one: not having the notion of factorization in domains
other than the integers, Fermats uses (as is typical of him) a more intricate argument by descent. In fact, the way we have presented the above argument, it is too
easy: there is a gap in the proof. The gap is rather subtle, and is analogous to a
notorious mistake made by the early 19th century mathematician Lame. Rather
than expose it directly, let us try to squeeze more out of it and see what goes wrong.
2
2
Namely,
instead of just working with x + y = p and the corresponding quadratic
ring Z[ 1], let consider the equation

(19)

x2 + Dy 2 = p,

where p is still a prime and D is a squarefree integer dierent from 0 or 1. We can

mimic the above argument in two steps as follows:
Step 1: By reducing modulo p, we get exactly as before that the existence of
an integral solution to (19) implies that D is a square modulo p.
Step 2: Conversely, assume that D is a square modulo p, i.e., there exists x Z
such that D x2 (mod p). Again this leads means there exists n Z such that
pn = x2 + D,

and thus leads to a factorization in Z[ D], namely

pn = (x + D)(x D).

Now if p were a prime element in Z[ D]

it would satisfy
Euclids Lemma, and
therefore since it divides
the
product
(x
+
D)(x

D), it must

divide one
of the factors: p | x D. But since xp p1 D is still not in Z[ D], this is

absurd: p is not a prime

element in Z[ D]. So it factors nontrivially:
p =
, for

, nonunits
in
Z[
D].
Let
us
now
dene,
for
any

=
a
+
b
D

Q(
D),

= a b D. When D < 0 this is the usual complex conjugation. When

D > 0 it is the conjugate in the sense of high school algebra (and also in Galois
theory). It is entirely straightforward to verify the identity
=
in either case, so that again by taking conjugates we get also
p = p = ,

4. FERMATS TWO SQUARES THEOREM (AND MORE!) REGAINED

43

and multiplying the two equations we get

p2 = ()() = (a2 Db2 )(c2 Db2 ).

Asabove, if a2 Db2 = 1, then the inverse of lies in Z[ D], so is a unit in

Z[ D], which we assumed it not to be. This time, the conclusion we get is
p = (a2 Db2 ).
In particular, if D < 0, the conclusion we get is that p is of the form a2 + |D|b2 if
and only if D is a square mod p.
Unfortunately we can easily see that this conclusion is very often wrong. Namely,
suppose D 3 and take p = 2.4 Then the condition that D is a square modulo
2 is quite vacuous: the only elements of Z/2Z are 0 = 02 and 1 = 12 , so every
integer is congruent to a square modulo 2. Thus the above argument implies there
are integers x and y such that
2 = x2 + |D|y 2 .
But this is absurd: if y = 0 it tells us that 2 is a square; whereas if y 1,
x2 + |D|y 2 |D| 3. In other words, 2 is certainly not of the form x2 + |D|y 2 .
So what went wrong?!?
4. Fermats Two Squares Theorem (and More!) Regained
It is time to come clean. We have been equivocating over the denition of a prime
element in an integral domain. Recall that we did not actually dene such a thing.
Rather, we dened an irreducible element in R to be a nonzero nonunit f such
that f = xy implies x or y is a unit. Then in the integers we proved Euclids
Lemma: if an irreducible element f of Z divides ab, then either f divides a or f
divides b. Of course this was not obvious: rather, it was all but equivalent to the
fundamental theorem of arithmetic.
Let us now review how this is the case. By denition, a domain R is a unique
factorization domain if it satises two properties: rst, that every nonzero nonunit
factor into irreducible elements, and second that this factorization be unique, up
to ordering of factors and associate elements.
Suppose R is a UFD. We claim that if f is an irreducible element of R, and f | ab,
then f | a or f | b. We already proved this for R = Z and the general argument
is the same: we leave to the reader the very important exercise of looking back at
the argument for R = Z and adapting it to the context of R a UFD.
We dene a prime element in a domain R to be a nonzero nonunit p which
satises the conclusion of Euclids Lemma: if p | ab, then p | a or p | b.
Proposition 35. Let R be an integral domain.
a) Any prime element is irreducible.
4Taking p = 2 should always raise alarm bells in your head: it is often said that 2 is the
oddest prime. In this case, please do look back the above argument to see that p = 2 was not
and did not need to be excluded from consideration.

44

3. QUADRATIC RINGS

b) R is a UFD if and only if it is a factorization domain in which every irreducible

element is prime.
Because this is pure algebra, we prefer to not discuss the proof here. It is a good
exercise for the reader. See also
http://www.math.uga.edu/pete/factorization.pdf
for a careful treatment of the theory of factorization in integral domains.
We can now recast the results of the previous two sections as follows.
First, the
proof which we gave assumed that either p is a prime element of Z[ D] or that p
is not
an irreducible element: i.e., it factors as p = with , nonunit elements of
Z[D]. What was missing was the third possibility: p is an irreducible element of
Z[ D] which
is not prime. Because of Proposition 35, this third possibility cannot
occur if Z[ D] is a UFD, so what we actually proved was:
Theorem 36. LetD be a squarefree integer dierent from 0 and 1. We assume that the ring Z[ D] is a UFD. Then, for a prime number p, TFAE:
(i) There exist x, y Z such that p = |x2 Dy 2 |.
(ii) There exists x Z such that D x2 (mod p).
Moreover, simply by noticing that for D < 2 we had that D is a square mod 2
but 2 is not of the form |x2 Dy 2 |, we also deduce:

Corollary 37. For no D < 2 is the ring Z[ D] a UFD.

To complete the proof of Theorem 34 it suces to show that at least Z[ 1] is a

UFD. Fortunately for us, it is. We show this in a way which is again a generalization
of one of our proofs of the fundamental theorem of arithmetic: namely, by showing
that
we can perform, in a certain appropriate sense, division with remainder in
Z[ 1]. The formalism for this is developed in the next section.
4.1. Euclidean norms.
A norm N : R N is called Euclidean if it satises the following property:
for all a R, b R \{0}, there exist q, r R such that a = qb + r and N (r) < N (b).
First let us see that this suces: we claim that any domain R endowed with a
Euclidean norm function is a principal ideal domain. Indeed, let I be any nonzero
ideal of such a domain R, and let a be any element of minimal nonzero norm. We
claim that in fact I = (b) = {rb | r R}. The proof is the same as for integers:
suppose that a I and apply the Euclidean property: there exist q, r R such
that a = qb + r with N (r) < N (b). But r = a qb and a, b I, so r I. If
r = 0 then N (r) = 0 and we have found an element with nonzero norm smaller
than N (a), contradiction. So we must have r = 0, i.e., a = qb (b).
Side remark: Note that in our terminology a norm N : R N is multiplicative,
and indeed in our present application we are working with such norms. However,
the multiplicativity property was not used in the proof. If R is a domain, let us
dene a generalized Euclidean norm on R to be a function N : R N such
that N (r) = 0 r = 0 and such that for all a R, b R \ {0}, there exist

4. FERMATS TWO SQUARES THEOREM (AND MORE!) REGAINED

45

q, r R with a = qb + r and N (r) < N (b). Then what we have actually shown is
that any domain which admits a generalized Euclidean norm is a PID.5
4.2. PIDs and UFDs.
One also knows that any PID is a UFD. This is true in general, but in the general case it is somewhat tricky to establish the existence of a factorization into
irreducibles. In the presence of a multiplicative norm function N : R N
i.e., a function such that N (x) = 0 x = 0, N (x) = 1 x R ,
N (xy) = N (x)N (y)x, y R this part of the argument becomes much easier to
establish, since for any nontrivial factorization x = yz we have N (y), N (z) < N (x).
Complete details are available in loc. cit.
4.3. Some Euclidean quadratic rings.

Finally, we will show that our norm function on Z[ 1] is Euclidean. At this

point it costs nothing
extra, and indeed is rather enlightening, toconsider the more
general case of Z[ D] endowed with the norm function N (a + b D) = |a2 Db2 |.
According to the characterization of (multiplicative) Euclidean
norms in the previ

ous subsection, what we must show is: for all Q( D), thereexists Z[ D]
with N ( ) < 1. A general element of is of the form
r + s D with r, s Q,
and we are trying to approximate it by an element x + y D with x, y Z.
Let us try something easy: take x (resp. y) to be an integer nearest to r (resp. s).
If z is any real number, there exists an integer n with |z n| 12 , and this bound
is sharp, attained for all real numbers with fractional part 12 .6 So let x, y Z be

such that |r x|, |s y| 12 . Is then = x + y D a good enough approximation

to = r + s D? Consider the following quick and dirty estimate:

(20)

N ( ) = |(r x)2 D(s y)2 | |r x|2 + |D||s y|2

Evidently

|D|+1
4

|D| + 1
.
4

< 1 i |D| < 3.

So D = 1 works i.e., the norm N on Z[ 1] is Euclidean, so Z[ 1] is a

UFD, which lls in the gap in our proof of Theorem 34.

Also D = 2 and D = 2 work: the rings Z[ 2] and Z[ 2] are UFDs.

It is natural to wonder whether the quick and dirty estimate can be improved.
We have already
seen that it cannot be for D < 2, since we already know that
for suchD, Z[ D] is not a UFD.This can be conrmed as follows: when D < 0,
N (a + b D) = a2 + Dy 2 = ||a + |D|i||2 ; that is, our norm function is simply the
square of the usual Euclidean length function evaluated on the complex number
5In fact further generalization is possible: in order for this simple argument to go through
it is not necessary for the codomain of the norm function to be the natural numbers, but only a
well-ordered set!
6Moreover when |z n| < 1 , the nearest integer is unique, whereas for half-integral real
2
numbers there are evidently two nearest integers. This does not matter to us: in this case take
either nearest integer, i.e., either z 12 or z + 12 .

46

3. QUADRATIC RINGS

a + |D|i. Moreover, in this case the ring Z[ D] lives naturally inside C as

a
lattice, whose fundamental parallelogram is simply a rectangle with sides 1 and
D. The problem now is to nd, for a given point z = a + bi C with a, b Q,
the closest lattice point. But it is geometrically clear that the points which are
furthest away from lattice points are precisely those which lie at the center of the
corresponding rectangles, e.g. 12 + 12 |D|i. This shows that nothing was lost in our
quick and dirty estimate.
The situation D <0 is quite dierent, most of all because the geometric picture is dierent: Z[ D] now lives inside R, but unlike in the previous case, it is
not discrete. Rather, (Exercise
X.X) it is dense: any interval (a, b) in R with a < b
contains some point Z[ D]. So it is not clear that the above coordinatewise
nearest integer approximation is the best possible approximation.
But even keeping the same approximating element as above, we lose ground
D+1
1
D
in the estimate |( 21 )2 D( 12 )2 | = | 14 D
4 | 4 . Rather, we want | 4 4 | < 1, or
|D 1| < 4, so D = 3 also works. Thus, Z[ 3] has a Euclidean norm, hence is a
UFD. In summary, we get the following bonus theorem:
Theorem 38. a) A prime p is of the form x2 + 2y 2 i 2 is a square modulo
p.
b) A prime p is of the form |x2 2y 2 | i 2 is a square modulo p.
c) A prime p is of the ofrm |x2 3y 2 | i 3 is a square modulo p.
Of course this brings attention to the fact that for an integer D, we do not know
how to characterize the set of primes p such that D is a square mod p, except in the
(easiest) case D = 1. The desire to answer this question is an excellent motivation
for the quadratic reciprocity law, coming up shortly.
5. Composites of the Form x2 Dy 2
Now that we have determined which primes are of the form x2 + y 2 , it is natural
to attempt to determine all nonzero integers which are sums of two squares.
An honest approach to this problem would begin by accumulating data and considering various special cases. Here we must unfortunately be somewhat more succinct.
Somewhat more generally, x D a squarefree integer as before, and put
SD = {n Z \ {0} | x, y Z, n = x2 Dy 2 },
the set of all nonzero integers of the form x2 Dy 2 . Becauseof the multiplicativity
of the norm function or more precisely, the function x + y D 7 x2 Dy 2 , which
takes on negative values when D > 0 the subset SD is closed under multiplication.
Remark: Certainly 1 SD : 1 = 12 D 02 . Therefore the multiplicative property can be rephrased by saying that SD is a submonoid of the monoid (Z \ {0}, ).
Now we know that the following positive integers are all sums of two squares:
1, 2, and prime p 1 (mod 4), and n2 for any integer n: n2 = (n)2 + 02 . Now let
n be any positive integer, and write p1 , . . . , pr for the distinct prime divisors of n

5. COMPOSITES OF THE FORM x2 Dy 2

47

which are congruent to 1 modulo 4, and q1 , . . . , qs for the distinct prime divisors of
n which are congruent to 1 modulo 4, so that
ns
mr n1
1
n = 2a pm
1 p r q1 qs ,

for a, m1 , . . . , mr , n1 , . . . , ns N. It follows that so long as n1 , . . . , ns are all even,

n is a product of sums of two squares and therefore itself a sum of two squares.
Finally, we wish to show that we have found all positive integers which are a sum
of two squares.7 Specically, what we wish to show is that if n Z+ is a sum of
two squares, then for any prime number p 1 (mod 4), then ordp (n) is even. For
this it suces to show the following
Lemma 39. Let p 1 (mod 4) be a prime number, and suppose that there
exist x, y Z such that p | x2 + y 2 , then p | x and p | y.
Before proving Lemma 39 let us show how it helps us. Indeed, suppose that a positive integer n is a sum of two squares: n = x2 +y 2 . Let p be any prime congruent to
1 (mod 4), and assume that p | n (otherwise ordp (n) = 0, which is even). Then
by Lemma 39 p | x and p | y, so that pn2 = ( xp )2 + ( yp )2 expresses pn2 as a sum of
two integral squares. But now we can repeat this process of repeated division by
p2 until we get an integer pn2k which is not divisible by p. Thus ordp (n) = 2k is even.
Proof of Lemma 39: It follows from the proof of the Two Squares Theorem
that if

p 1 (mod 4) is a prime number, then it remains irreducible in Z[ 1]. Let us

recall why: otherwise p = with N (), N () > 1, and then taking norms gives
p2 = N (p) = N () = N ()N (),

and thus N () = N () = p. Writing = a + b 1, we get p = N () = a2 + b2 ,

so p is a sumof two squares, contrary to Fermats Lemma.
Since Z[ 1] is a UFD, the irreducible element p
is a prime element,
hence

Euclids
Lemma applies.
We have p | x2 + y 2 = (x + y 1)(x y 1), so that
p | x + y 1 or p | x y 1. This implies that xp , yp Z, i.e., p | x and p | y.
In summary, we have shown:
Theorem 40. (Full Two Squares Theorem) A positive integer n is a sum of
two squares i ordp (n) is even for all primes p 1 (mod 4).

In that Lemma 39 uses (only) that

Z[ 1] is a UFD, similar reasoning applies to
other Euclidean quadratic rings Z[ D]. In particular, there is a direct analogue
of Theorem 40 for x2 + 2y 2 , which we will postpone until we determine for which
primes p 2 is a square modulo p. When D is positive, the distinction between
= a2 Db2 and N () = |a2 Db2 | becomes important: for instance as above
we obviously have 1 SD , but whether 1 SD is a surprisingly dicult problem:
to this day there is not a completely satisfactory solution.

In contrast, if Z[ D] is not a UFD, then even if we know which primes are of

the form x2 Dy 2 , we cannot use the above considerations to determine the set
SD . For example take D = 5. Certainly 2 = x2 + 5y 2 and 3 = x2 + 5y 2 , but
2 3 = 12 + 5 12 .
7Why would we think this? Again, trial and error experimentation is the honest answer.

CHAPTER 4

Quadratic Reciprocity
We now come to the most important result in our course: the law of quadratic
reciprocity, or, as Gauss called it, the aureum theorema (golden theorem).
Many beginning students of number theory have a hard time appreciating this
golden theorem. I nd this quite understandable, as many rst courses do not
properly prepare for the result by discussing enough of the earlier work which makes
quadratic reciprocity an inevitable discovery and its proof a cause for celebration.
Happily, our study of quadratic rings and the quadratic form x2 Dy 2 has provided
excellent motivation. There are also other motivations, involving (what we call here)
the direct and inverse problems regarding the Legendre symbol.
A faithful historical description of the QR law is especially complicated and
will not be attempted here; we conne ourselves to the following remarks. The
rst traces of QR can be found in Fermats Lemma that 1 is a square modulo
an odd prime p i p 1 (mod 4), so date back to the mid 1600s. Euler was
the rst to make conjectures equivalent to the QR law, in 1744. He was unable
to prove most of his conjectures despite a steady eort over a period of about 40
years. Adrien-Marie Legendre was the rst to make a serious attempt at a proof
of the QR law, in the late 1700s. His proofs are incomplete but contain much
valuable mathematics. He also introduced the Legendre symbol in 1798, which as
we will see, is a magical piece of notation with advantages akin to Leibnizs dx in
the study of dierential calculus and its generalizations. Karl Friedrich Gauss gave
the rst complete proof of the QR law in 1797, at the age of 19(!). His argument
used mathematical induction(!!). The proof appears in his groundbreaking work
Disquisitiones Arithmeticae which was written in 1798 and rst published in 1801.
The circle of ideas surrounding quadratic reciprocity is so rich that I have
found it dicult to linearize it into one written presentation. (In any classroom
presentation I have found it useful to begin each class on the subject with an
inscription of the QR Law on a side board.) In the present notes, the ordering is
as follows. In 1 we give a statement of the quadratic reciprocity law and its two
supplements in elementary language. Then in 2 we discuss the Legendre symbol,
restate QR in terms of it, and discuss (with proof) some algebraic properties of the
Legendre symbol which are so important that they should be considered part of the
quadratic reciprocity package. In 3 we return to our
unnished theorems about
representation of primes by |x2 Dy 2 | when Z[ D] is a PID: using quadratic
reciprocity, we can state and prove three bonus theorems which complement
Fermats Two Squares Theorem. In 4 we dene and discuss the direct and inverse
problems for the Legendre symbol and show how quadratic reciprocity is useful
for both of these, in particular for rapid computation of Legendre symbols. More
precisely, the computation would be rapid if we could somehow avoid having to

49

50

4. QUADRATIC RECIPROCITY

factor numbers quickly, and 5 explains how we can indeed avoid this by using an
extension of the Legendre symbol due to Jacobi.
1. Statement of Quadratic Reciprocity
Notational comment: when we write something like p a, b, c (mod n), what we
mean is that p a (mod n) or p b (mod n) or p c (mod n). (I dont see any
other vaguely plausible interpretation, but it doesnt hurt to be careful.)
Theorem 41. (Quadratic Reciprocity Law) Let p = q be odd primes. Then:
(i) If p 1 (mod 4) or q 1 (mod 4), p is a square mod q i q is a square mod p.
(ii) If p q 3 (mod 4), p is a square mod q i q is not a square mod p.
Theorem 42. (First Supplement to the Quadratic Reciprocity Law) If p is an
odd prime, then 1 is a square modulo p i p 1 (mod 4).
Theorem 43. (Second Supplement to the Quadratic Reciprocity Law) If p is
an odd prime, then 2 is a square modulo p i p 1, 7 (mod 8).
2. The Legendre Symbol
2.1. Dening the Legendre Symbol.
We now introduce a piece of notation created by Adrien-Marie Legendre in 1798.
There is no new idea here; it is merely notation, but is an example of how incredibly useful well-chosen notation can be.
For n an integer and p an odd prime, we dene the Legendre symbol

( )
0, if n 0 (mod p)
n
1, if n mod p is a nonzero square
:=

p
1, if n mod p is nonzero and not a square
( )
We must of course distinguish the Legendre symbol np from the rational number
n
p.

To help with this, I recommend that ( np ) be read n on p.1

Example 1: To compute ( 12
5 ), we must rst observe that 5 does not divide 12 and
then determine whether 12 is a nonzero square modulo 5. Since 12 2 (mod 5)
and the squares modulo 5 are 1, 4, the answer to the question Is 12 a nonzero
square modulo 5? is negative, so ( 12
5 ) = 1.
Example 2: To compute ( 101
97 ) note that 97 is prime! we observe that 97
does not divide 101. Since 101 4 22 (mod 97), the answer to the question Is
101 a nonzero square modulo 97? is positive, so ( 101
97 ) = 1.
97
Example 3: To compute ( 101
) note that 101 is prime! we observe that 101 certainly does not divide 97. However, at the moment we do not have a very ecient
way to determine whether 97 is a square modulo 101: our only method is to compute
all of the squares modulo 101. Some calculation reveals that 400 = 202 = 3101+7,
97
) = 1.
so 202 97 (mod 101). Thus 97 is indeed a square modulo 101, so ( 101
1There is in fact some relationship with n divided by p: if we divide n by p, getting
n = qp + r with 0 r < p, then the Legendre symbols ( n
) and ( pr ) are equal.
p

2. THE LEGENDRE SYMBOL

51

2.2. Restatement of Quadratic Reciprocity.

44. (Quadratic Reciprocity) Let p and q be distinct odd primes.
(Theorem
)( )
(p1)(q1)
p
q
4
=
(1)
.
(q ) p
p1
b) 1
= (1) 2 .
p
( )
p2 1
c) p2 = (1) 8 .

a)

2.3. Some elementary group theory related to the Legendre symbol.

Let p be an odd prime, and consider the group U (p) = (Z/pZ) ; since p is prime,
this is precisely the multiplicative group of nonzero elements of Z/pZ under multiplication: in particular, it is a nite commutative group of even order p 1.
In fact U (p) is a cyclic group: there exists some element g U (p) such that
every element x U (p) is of the form g i for a unique 0 i < p. In classical
number-theoretic language the element g (often viewed as an integer, 0 < g < p)
is a primitive root modulo p. This is nontrivial to prove. We do in fact give
the proof elsewhere in these notes, but in at least one version of the course, we are
covering quadratic reciprocity before the material on the Euler function which we
use in our proof of this fact. So we would like to give a more elementary discussion
of some weaker properties of U (p) that suce for our needs here.
Let (G, ) be a commutative group, and let n be a positive integer. The map
[n] : G G, x 7 xn
which sends each element to its nth power, is a homomorphism. We denote the
kernel of the map by G[n]; this is the subgroup of all elements of order dividing
n, often called the n-torsion subgroup of G. We put Gn = [n](G), the image of
the homomorphism, which is the subgroup of elements of G which are nth powers.
There is thus a canonical isomorphism

[n] : G/G[n] Gn .
Now further suppose that G is nite. Then
#Gn =

#G
.
#G[n]

Consider for a moment the case gcd(n, #G) = 1. Suppose g G[n]. Then the
order of g divides n, whereas by Lagranges theorem, the order of g divides #G, so
the order of G divides gcd(n, #G) = 1: so g = 1 and G[n] = {1}. Thus #Gn = #G
so Gn = G. So in this case every element of G is an nth power.
We remark in passing that the converse is also true: if gcd(n, #G) > 1, then
G[n] is nontrivial, so the subgroup Gn of nth powers is proper in G. We do not
need this general result, so we do not prove it here, but mention only that it can
be deduce from the classication theorem for nite commutative groups.
Now we specialize to the case G = U (p) = (Z/pZ) and n = 2. Then
G[2] = {x Z/pZ \ {0} | x2 = 1}.

52

4. QUADRATIC RECIPROCITY

We claim that G[2] = {1}. First, note that since p is odd, 1 1 (mod p), i.e.,
+1 and 1 are distinct elements in Z/pZ, and they clearly both square to 1, so
that G[2] contains at least the two element subgroup {1}. Conversely, as above
every element of G[2] is a root of the quadratic polynomial t2 1 in the eld Z/pZ.
But a polynomial of degree d over any eld (or integral domain) can have at most d
distinct roots: whenever p(a) = 0, applying the division algorithm to p(t) and t a
gives p(t) = q(t)(t a) + c, where c is a constant, and plugging in t = a gives c = 0.
Thus we can factor out t a and the degree decreases by 1. Therefore #G[2] 2,
and since we have already found two elements, we must have G[2] = {1}.
So G2 is an index two subgroup of G and the quotient G/G2 has order two. Like any
group of order 2, it is uniquely isomorphic to the group {1} under multiplication.
Thus we have dened a surjective group homomorphism
L : U (p) {1},
namely we take x U (p) to the coset xU (p)2 . So, L(x) = 1 if x is a square in
(Z/pZ) and L(x) = 1 otherwise. But this means that for all x Z/pZ \ {0},
L(x) = ( xp ). Thus we have recovered the Legendre symbol in terms of purely
algebraic considerations and also shown that
( ) ( )( )
xy
x
y
x, y U (p),
=
.
p
p
p
In fact we can give a (useful!) second description of the Legendre symbol using
power maps. (This discussion repeats the proof of Proposition 32, but we are
happy to do so.) To see this, consider the map
p1
[
] : U (p) U (p).
2
We claim that the kernel of this map is again the subgroup U (p)2 of squares, of order
p1
p1
2
2 p1
2
= xp1 = 1
2 . On the one hand, observe that U (p) U (p)[ 2 ]: indeed (x )
p1
by Lagranges Theorem. Conversely, the elements of U (p)[ 2 ] are roots of the
p1
polynomial t 2 1 in the eld Z/pZ, so there are at most p1
of them. Thus
2
p1
p1
2
2
U (p) = U (p)[ 2 ]. By similar reasoning we have U (p)
{1}, hence we can
view [ p1
]
as
a
homomorphism
2
p1
] : U (p) {1}.
2
Since the kernel of L is precisely the subgroup U (p)2 and there are only two possible values, it must be the case that L (x) = 1 for all x U (p) \ U (p)2 . In other
words, we have L (x) = ( xp ).
L = [

The following result is essentially a summary of the above work. We strongly

recommend that the reader take time out to convince herself of this.
45. The following hold for any a, b Z and any odd prime p.
)
(Proposition
a
a) p depends only on the residue class of a modulo p.
( )
p1
b) (Euler) ap a 2 (mod p).
( ) ( )( )
b
= ap
c) ab
p
p .

3. MOTIVATING QUADRATIC RECIPROCITY I: BONUS THEOREMS

53

Note that by taking a = 1 in Proposition 45b), we get

(
)
p1
1
= (1) 2 .
p
This is precisely the First Supplement to the quadratic reciprocity law, which we
have now proved twice (in the handout on Pythagorean triples we called it Fermats Lemma and proved it using Wilsons theorem).
2.4. A faster proof using the cyclicity of U (p).
If we happen to know that the unit group U (p) = (Z/pZ) is cyclic, we can give a
much more streamlined proof of Proposition 45. First note that part a) is obvious
from the denition. Moreover, if we assume part b), part c) follows immediately:
( )
( )( )
p1
p1 p1
a
ab
b
= (ab) 2 = a 2 b 2 =
.
p
p
p
So it remains to prove part b). But now suppose that g is a generator for the group
i(p1)
p1
U (p), so that we can write a = g i . Then a 2 = g 2 .
i
Case i: i is even. Then on the one hand a = (g 2 )2 is a square in U (p). On the
i(p1)
2
= 1 by Lagranges theorem.
other hand p 1 | i p1
2 , so that g
Case 2: i is odd. Then on the on the one hand a = g i is not a square in U (p): for
instance, we know that the subgroup of squares has exactly p1
2 elements, and we
p1
2k
found 2 distinct elements in Case 1 above: {g | 0 k < p1
2 }. On the other
hand, since i is odd, p 1 - i p1
2 , so that a
it must therefore be equal to 1.

p1
2

=g

i(p1)
2

= 1. Since its square is 1,

3. Motivating Quadratic Reciprocity I: Bonus Theorems

3.1. Some unnished theorems.
An excellent motivation for the quadratic reciprocity law is provided by our previous
study of the equation x2 Dy 2 = p. Recall we have proved:
Theorem
46. Let D be squarefree integer dierent from 0 and 1. Assume that
the ring Z[ D] is a UFD. Then, for a prime number p, TFAE:
(i) There exist x, y Z such that p = |x2 Dy 2 |.
(ii) There exists x Z such that D x2 (mod p).

Moreover we know that Z[ D] is a UFD when D {1, 2, 3}. The case D = 1

yielded Fermats two squares theorem given the additional knowledge that 1 is a
square modulo an odd prime p i p 1 (mod 4). To complete our bonus theorems we need answers to the following questions:
For which odd primes p is it the case that 2 is a square modulo p?
For which odd primes p is it the case that 2 is a square modulo p?
For which odd primes p is it the case that 3 is a square modulo p?
Comparing with the answer for D = 1, one might hope that the answer is in
terms of some congruence condition on p. Lets look at some data:

54

4. QUADRATIC RECIPROCITY

The odd primes p < 200 for which 2 is a square modulo p are:
3, 11, 17, 19, 41, 43, 59, 67, 73, 83, 89, 97, 107, 113, 131, 137, 139, 163, 179, 193.
Notice that these are precisely the primes p < 200 with p 1, 3 (mod 8).
For D = 2, 3 we will give some data and allow you a chance to nd the pattern.
The odd primes p < 200 for which 2 is a square modulo p are:
7, 17, 23, 31, 41, 47, 71, 73, 79, 89, 97, 103, 113, 127, 137, 151, 167, 191, 193, 199.
The odd primes p < 200 for which 3 is a square modulo p are:
3, 11, 13, 23, 37, 47, 59, 61, 71, 73, 83, 97, 107, 109, 131, 157, 167, 179, 181, 191, 193.
While we are at it, why not a bit more data?
The odd primes p < 200 for which 5 is a square modulo p are:
5, 11, 19, 29, 31, 41, 59, 61, 71, 79, 89, 101, 109, 131, 139, 149, 151, 179, 181, 191, 199.
The odd primes p < 200 for which 7 is a square modulo p are:
3, 7, 19, 29, 31, 37, 47, 53, 59, 83, 103, 109, 113, 131, 137, 139, 149, 167, 193, 197, 199.
3.2. With the help of quadratic reciprocity.
We already know that a prime p is of the form |x2 2y 2 | i ( p2 ) = 1, and the
second supplement tells us that this latter conditions holds i p 1,
7 (mod 8).
While we are here, lets deal with the
absolute value: it happens that Z[ 2] contains
an element of norm 1, namely 1 2:

N (1 2) = (1 2)(1 + 2) = 12 2 12 = 1.
From this and the multiplicaitivity of the norm map, it follows that if we can represent any integer n in the form x2 2y 2 , we can also represent it in the form
(x2 2y 2 ), and conversely. From this it follows that the absolute value is superuous and we get the following result.
Theorem 47. (First Bonus Theorem) A prime number p is of the form x2 2y 2
i p = 2 of p 1, 7 (mod 8).
Now lets look at the case of D = 2, i.e., the form x2 + 2y 2 . Since 2 = 02 + 2 12 , 2
is of of the form x2 + 2y 2 . Now assume that p is odd. We know that an odd prime
p is of the form x2 + 2y 2 i ( 2
p ) = 1. We dont have a single law for this, but the
multiplicativity of the Legendre symbol comes to our rescue. Indeed,
(
) (
)( )
2
1
2
=
,
p
p
p
so
(
)
(
) ( )
2
1
2
= 1
=
.
p
p
p
2
Case 1: ( 1
p ) = ( p ) = 1. By the rst and second supplements, this occurs i p 1
(mod 4) and p 1, 7 (mod 8), so i p 1 (mod 8).

3. MOTIVATING QUADRATIC RECIPROCITY I: BONUS THEOREMS

55

2
Case 2: ( 1
p ) = ( p ) = 1. By the rst and second supplements, this occurs i
p 3 (mod 4) and p 3, 5 (mod 8), so i p 3 (mod 8). Thus:

Theorem 48. (Second Bonus Theorem) A prime number p is of the form

x2 + 2y 2 i p = 2 or p 1, 3 (mod 8).
Now lets look at the case of D = 3, i.e., the form |x2 3y 2 |. We know that a prime
p is of this form i ( p3 ) = 1. Now we use QR itself, and there are two cases:
Case 1: If p 1 (mod 4), then ( p3 ) = 1 i p 1 (mod 3).
Case 2: If p 3 (mod 4), then ( p3 ) = 1 i p 1 (mod 3).
The congruence conditions can be consolidated by going mod 12. We get that
( p3 ) = 1 i p 1, 11 (mod 12). Again we can ask what happens when we try to
remove the absolute value. This time things work out somewhat dierently.
Theorem 49. (Third Bonus Theorem) For a prime p, the equation x2 3y 2 = p
has an integral solution i p 1 (mod 12). The equation 3y 2 x2 = p has an
integral solution i p = 2, p = 3 or p 11 (mod 12).
Proof. First we deal with the two exceptional cases. Suppose p = 2: reducing
x2 3y 2 = 2 modulo 3, we get x2 2 (mod 3), which we know has no solution.
Note that on the other hand 3(1)2 12 = 2, so 2 is of the form 3y 2 x2 . Now
suppose p = 3: reducing x2 3y 2 = 3 modulo 4, we get x2 3y 2 x2 + y 2 3
(mod 4), which (as we have seen before) has no integral solution. On the other
2
2
hand, 3 = 3(1)2 02 , so 3 is of the form
3y x .
Now suppose that p > 3. Since Z[ 3] is a PID, we know that p is of the form
p = |x2 3y 2 | i 3 is a square modulo p, i.e., i p = 3 or ( p3 ) = 1. By quadratic
reciprocity, this last condition can be expressed as a congruence modulo 4 3 = 12,
specically p 1 (mod 12). So if p 1, 11 (mod 12) then at least one of the
following holds:
(21)

p = x2 3y 2

or
(22)

p = 3y 2 x2 .

It turns out that for any prime p, exactly one of the two equations (21), (22) holds,
which is extremely convenient: it means that we can always show that one of the
equations holds by showing that the other one does not hold!
Indeed, if we reduce the equation p = x2 3y 2 modulo 3: we get p x2
(mod 3), i.e., ( p3 ) = 1, so p 1 (mod 3). So if p 11 (mod 12) then p is not of the
form x2 3y 2 so must be of the form 3y 2 x2 . Simiarly, if we reduce the equation
p = 3y 2 x2 modulo 3, we get p x2 1 (mod 3), so if p 1 (mod 3) then
22 has no solution, so it must be that p = x2 3y 2 does have a solution.

A very similar argument establishes the following more general result.

Theorem 50. Suppose q 3 (mod 4) is a prime such that Z[ q] is a PID.

Then the equation x2 qy 2 = p has a solution i p 1 (mod 4) and ( pq ) = 1.

56

4. QUADRATIC RECIPROCITY

3.3. Auxiliary congruences.

The restriction to q 3 (mod 4) in Theorem 50 may appear articial. But those

who have done their homework know better: in fact if Z[ q] is a PID, then we must

have q = 2 (which we have already discussed) or q 3 (mod 4). (Otherwise Z[ q]

is not integrally closed.) A closer look reveals that the distinction between primes
which are 1 (mod 4) and primes which are 3 (mod 4) is a central, albeit somewhat
mysterious part, of the natural behavior of quadratic forms.
One way to see this is in terms of what I shall call auxiliary congruences. Namely,
in our initial study of the equation |x2 Dy 2 | = p, we did not consider all possible
congruence obstructions (as e.g. in Legendres Theorem) but only condition that
we got upon reducing modulo p: namely that D is a square modulo p. Notice that
we could also reduce modulo D to get some further conditions: more on this in
a moment. But why didnt we reduce modulo D before? The simple
but strange
answer is that we simply didnt need to: it happened that when Z[ D] is a PID,
we were able to prove that the necessary condition that D be a square modulo p
was also sucient for p to be of the form |x2 Dy 2 | = p.
But this is rather surprising. Lets look closer, and to x ideas let us take p and q
distinct odd primes, and look at the equation
x2 + qy 2 = p.
p
Then reducing modulo p gives ( q
p ) = 1, whereas reducing modulo q gives ( q ) = 1.
How do these two conditions interact with each other? Lets examine the cases:
q
p
1 q
Case 1: p 1 (mod 4). Then ( q
p ) = ( p )( p ) = ( p ) = ( q ). So the conditions are redundant.

Example: Take q = 5. Then the congruence conditions tell us that if p 1

(mod 4) is of the form x2 + 5y 2 , we must have ( p5 ) = 1, i.e., p 1, 4 (mod 5).
Thus, every prime p 1 (mod 4) which is represented by x2
+ 5y 2 lies in one of the
two congruence classes p 1, 9 (mod 2)0. As we know, Z[ 5] is not a PID, so
nothing we have proved tells us anything about the converse, but the examples in
section X.X above show that for all p < 200, p 1, 9 (mod 20) = p = x2 +5y 2 .
It is easy to extend the compuations to check this for all primes up to say 106 . In
fact it is true, although we do not have the right techniques to prove it.
Example: Take q = 3. Then the congruence conditions tell us that if p 1
(mod 4) is of the form x2 + 3y 2 , then p 1 (mod 3). Again computations support
that every prime p 1 (mod 1)2 is of the form x2 + 3y 2 .
q
1 q
Case 2: p 3 (mod 4). Then ( q
p ) = ( p )( p ) = ( p ). To compare this to
p
the condition ( q ) = 1, we need to consider further cases.
q
p
Case 2a) Suppose also q 1 (mod 4). Then 1 = ( q
p ) = ( p ) = ( q ), i.e.,
p
p
( q ) = 1. This is inconsistent with ( q ) = 1, so we deduce that when q 1
(mod 4), p = x2 + qy 2 = p 1 (mod 4).

4. MOTIVATING QUADRATIC RECIPROCITY II: DIRECT AND INVERSE PROBLEMS 57

This is a new phenomenon for us. Note that when q = 5, in conjunction with
the above (unproved) result, we get the following
Theorem 51. An odd prime p is of the form x2 + 5y 2 i p 1, 9 (mod 2)0.
q
p
Case 2b): Suppose also q 3 (mod 4). Then 1 = ( q
p ) = ( p ) = ( q ). Thus the
two congruence conditions are consistent in this case.

Example: Lets reconsider q = 3. Nothing in our analysis ruled out a prime p 3

(mod 4) (except p = 3) being of the form x2 + 3y 2 : the only congruence condition
p
we found is the main one 1 = ( 3
p ) = 3 , i.e., p 1 (mod 3). In this case computations suggest that an odd prime p is of the form x2 + 3y 2 ip 1 (mod 3).
Note that this is exactly the result that we would have gotten if Z[ 3] were a UFD
except that then 2
would also be of the form x2 + 3y 2 , which was exactly what we
used to see that Z[ 3] isnt a UFD! It turns out that we can prove this result with
the techniques we have: an argument is sketched in the exercises.
These considerations have turned up more questions than answers. Our point is
that the distinction between primes p 1 (mod 4) and p 3 (mod 4) is something
that is embedded quite deeply into the behavior of quadratic rings and quadratic
equations. A proper understanding of this phenomenon goes under the heading
genus theory, which was treated by Gauss in his Disquisitiones Arithmeticae and
is intimately related to contemporary issues in number theory.
4. Motivating Quadratic Reciprocity II: Direct and Inverse Problems
4.1. The direct and inverse problems.
We wish to discuss reciprocal problems concerning quadratic residues,
which can
( )
n
be phrased in terms of whether we regard the Legendre symbol p as a function
of its numerator or as a function of its denominator.
Direct problems: Fix an odd prime p.
direct problem A: Determine all integers which are squares modulo p.
direct problm B: Determine whether a given integer n is a square modulo p.
By Proposition 45a), the answer only depends upon n modulo p, so for xed p
it is a nite problem: we know that exactly half of the elements of F
p are squares,
2 2
so for instance to compute all of them we could simply calculate 1 , 2 , . . . , (p 1)2
modulo p.2 However if p is large this will take a long
( ) time, and it is natural to
wonder whether there is a faster way of computing np for some specic n.
( )
inverse problem: Fix n Z. For which odd primes p is np = 1?
Example: The case n = 1 was needed to prove the two squares theorem. We
found that ( 1
p ) = 1 i p 1 (mod 4). Note that, although our original proof was
2In fact this gives every square twice; we will get every square once by computing the squares
)2 , as we saw in the Handout on Sums of Two Squares.
up to ( p1
2

58

4. QUADRATIC RECIPROCITY

more elementary, this follows immediately from Proposition 45b): ( 1

p ) = (1)

p1
2

In contrast to the direct problems, the inverse problem is apparently an innite

problem. Moreover, the inverse problem comes up naturally in applications: indeed solving the inverse problem for n = 2, 3 was exactly what we did in the last
section in order to complete our study of the forms x2 ny 2 .
4.2. With the help of quadratic reciprocity.
We now make two key observations. First: The Quadratic Reciprocity Law
allows us to reduce the inverse problem to the direct problem A.
Example: Take n = 5. For which odd primes p is 5 a square modulo p?
( )
( )
Answer: Since 5 is 1 (mod 4), p5 = p5 , and we know what the squares are
mod 5: 1. Thus the answer is that 5 is a square modulo p i p 1 (mod 5).
Example: Take n = 7. For which odd primes p is 7 a square modulo p?
Answer: Since 7 is 3 (mod 4), we need to distinguish
cases: p 1 (mod 4)
( ) ( two
)
p
7
and p 1 (mod 4). If p 1 (mod 4), then p = 7 , so we just want p to be
a square modulo 7. The squares mod 7 are 12 1, 22 4 and 32 2. We now
have both a congruence condition mod 7 and a congruence condition mod 4: by
the Chinese Remainder theorem, these conditions can be expressed by congruence
conditions mod 28: namely we want p 1, 9, 25 (mod 28).
Next we consider the case
4). This time since p and 7 are both
( p) 1 (mod
(p)
7
1 mod 4, QR tells us that p = 1 7 , so we want the nonsquares modulo 7,
or 3, 5, 6. Again we may combine these with the congruence p 1 (mod 4) by
going mod 28, to get p 3, 19, 27. So 7 is a square modulo p i
p 1, 3, 9, 19, 25, or 27

(mod 28).

The QR law leads to the following general solution of the inverse problem:
Corollary 52. Let q(be)any odd prime.
a) If q 1 (mod 4), then pq = 1 i p is congruent to a square modulo q (so lies
in one of

q1
2

residue classes( modulo

q).
)
q
b) If q 1 (mod 4), then p = 1 i p x2 (mod 4q) (so lies in one of q 1

out of the 2(q 1) reduced residue classes modulo 4q).

Corollary 52 was rst conjectured by Euler and is in fact equivalent to the QR law.
As we will not be using Corollary 52 in the sequel, we leave the proof as an exercise.
So much for the rst observation. Here is the second:
The QR law yields an efficient algorithm for Direct Problem B.
This is best explained by way of examples.

5. THE JACOBI SYMBOL

59

(7)
. Using QR we can invert the
Example: Suppose we want to compute 19
Legendre symbol, tacking on an extra factor of 1 because 7 19 1 (mod 4):
( )
( )
( )
( )
( )
7
19
5
7
2
=
=
=
=
.
19
7
7
5
5
We( have
) reduced to a problem we know: 2 is not a square mod 5, so the nal answer
7
is 19
= (1) = 1.
Example:

Example:

41
103

(
=

) ( )( ) ( )( )
21
3
7
41
41
=
=
=
41
41
41
3
7
(
)(
)
1
1
=
= 1 1 = 1.
3
7

103
41

) (
) ( ) ( )( )
79
101
22
2
11
=
=
=
=
101
79
79
79
79
( )
( )
( )
11
79
2
1
=
=
= (1) = 1.
79
11
11

Let us now stop and make an important observation: the quadratic reciprocity
law along with its rst and second supplements, together with parts
( ) a) and c) of

Proposition 45, allows for a computation of the Legendre symbol np in all cases.
Indeed, it is multiplicative in the numerator, so we may factor n as follows:
n = (1) 2a pb p1 pr m2 ,

where = 1, the primes p1 , . . . , pr are distinct and prime to p, and m is prime to

p. If b > 0 then the symbol evaluates to 0. Otherwise we have
( ) (
) ( )a ( )
n
pi
1
2
=
.
p
p
p
p
i
5. The Jacobi Symbol
Computing Legendre symbols via the method of the previous section is, for moderately small values of n and p, much faster and more pleasant to do by hand than
computing the list of all p1
2 quadratic residues mod p. However, when the numbers get larger a hidden cost of the previous calculation becomes important: the
calculation requires us to do several factorizations, and factorization is the ne plus
ultra of time-consuming number-theoretic calculations.
In fact it is not necessary to do any factorization at all, except to factor out the
largest power of 2, which is computationally trivial (especially if the number is
stored in binary form!). One can use a generalization of the Legendre symbol introduced in 1837 by Carl Gustav Jacob Jacobi (1804-1851).
For a an integer and b an odd positive integer, we dene the Jacobi symbol
( )
(a) ( a )
a
=

,
b
p1
pr

60

4. QUADRATIC RECIPROCITY

where b = p1 pr is the factorization of b into (not necessarily distinct!) primes.

( )
Warning: If a is a square modulo b, then ab = 1, but the converse does not
hold (you are asked to supply a counterexample in the homework). The Jacobi
symbol is instead a formal generalization of the Legendre symbol, as is summarized by the following two results:
53. Let a, a1 , a2 be integers and b, b1 , b2 be odd positive integers.
) ( a2 )
( Proposition
if
a
a) ( ab1 =
) (b ) ( 1 ) a2 (mod b).
b) (a1ba2 ) = (ab1 ) (ab2 ).
a
c) b1ab2 = ba1
b2 .
Theorem 54. (QR Law for the Jacobi Symbol) Let a be an integer and b an
odd positive integer.
( )
b1
a) 1
= (1) 2 .
b
( )
b2 1
b) 2b = (1) 8 .
c) If a is also odd and positive then
(a) ( b )
a1 b1
= (1) 2 2 .
b
a
The point is that the Jacobi symbol equals the Legendre symbol when the denominator is a prime, and is moreover completely determined by Proposition 53a) and
Theorem 54. Therefore one can compute Legendre symbols by a process of repeated inversion and reduction of the numerator modulo the denominator, without
worrying about whether the numerator or denominator is prime.
If
(aa
) and b each have no more than k digits, then computing the2 Jacobi symbol
b using the QR law requires no more than a constant times k steps, or more
succinctly, can be done in time O(k 2 ).3 In particular, when b = p is prime, the
algorithm takes O(log2 p) steps so is polynomial time (in the number of digits of
p), whereas computing all p1
2 quadratic residues takes time O(p).
p1

Using the Euler relation ( ap ) a 2 (mod p) to compute ( ap ) is also rather ecient, as one can takie advantage of a powering algorithm to rapidly compute
p1
exponents modulo p (the basic idea being simply to not compute the integer a 2
at all but rather to alternate raising a to successively larger powers and reducing
the result modulo p): this can be done in time O(log3 p). For more information on
this and many other topics related to number-theoretic algorithms, we recommend
Henri Cohens A Course in Computational Algebraic Number Theory.
6. Preliminaries on Congruences in Cyclotomic Rings
For a positive integer n, let n = e

2i
n

be a primitive nth root of unity, and let

Rn = Z[n ] = {a0 + a1 n + . . . + an1 nn1 | ai Z}.

3The notation O(f (x)) is used in algorithmic complexity theory and also in analytic number
theory to indicate a quantity which is bounded above by a constant times f (x).

7. PROOF OF THE SECOND SUPPLEMENT

61

Recall that an algebraic integer is a complex number which satises a monic

polynomial relation with Z-coecients: there exist n and a0 , . . . , an1 such that
n + an1 n1 + . . . + a1 + a0 .
We need the following purely algebraic fact:
Proposition 55. a) Every element of Rn is an algebraic integer.
b) Rn Q = Z.
Proof. a) [F, Prop. 7.2] Let z Rn . For 0 i n 1, zni is an element of
Rn hence may be written as
n1

zni =
aij nj
j=0

for some aij Z. Altogether we get an n n matrix A = (aij )0i,jn1 with

integer coecients. Let P (t) = det(tI A) be the characteristic polynomial of
A. Since A has integer entries, P (t) is monic with Z-coecients. Now, if we put
v = (1, n , n2 , . . . , nn1 )T i.e., we are viewing v as an n 1 matrix, or column
vector then the above equations are equivalent to the one matrix equation
Av = zv.
Thus the complex number z is an eigenvalue of the integer matrix A. Hence, by
basic linear algebra, P (z) = 0, so z is an algebraic integer.
b) By Theorem 20, an algebraic integer which is also a rational number is an
ordinary integer.

Let p be a prime number; for x, y Rn , we will write x y (mod p) to mean that
there exists a z Rn such that x y = pz. Otherwise put, this is congruence
modulo the principal ideal pRn of Rn .
Since Z Rn , if x and y are ordinary integers, the notation x y (mod p)
is ambiguous: interpreting it as a usual congruence in the integers, it means that
there exists an integer n such that x y = pn; and interpreting it as a congruence
in Rn , it means that x y = pz for some z Rn . The key technical point is that
these two notions of congruence are in fact the same:
Corollary 56. If x, y Z and z Rn are such that x y = pz, then z Z.
Proof. Indeed z =

xy
p

Rn Q = Z.

To prove the second supplement we will take n = 8. To prove the QR law we will
take n = p an odd prime. These choices will be constant throughout each of the
proofs so we will abbreviate = 8 (resp. p ) and R = R8 (resp. Rp ).
7. Proof of the Second Supplement
Put = 8 , a primitive eighth root of unity and R = R8 = Z[8 ]. We have:
0 = 8 1 = ( 4 + 1)( 4 1).
Since 4 = 1 (primitivity), we must have 4 + 1 = 0. Multiplying by 2 we get
2 + 2 = 0.
So

( + 1 )2 = 2 + 2 + 2 = 2.

62

4. QUADRATIC RECIPROCITY

Putting = + 1 , we have 2 = 2. Now we calculate

( )
p1
2
p1
2 p1
2
2
=2

= ( )
(mod pR).
p
The is by Eulers relation. Multiplying through by , we get:
( )
2
(23)
p
(mod p).
p
Lemma 57. (Schoolboy binomial theorem)
Let R be a commutative ring, p a prime number and x, y R. We have
(x + y)p xp + y p

(mod pR).

Proof. The binomial formula asserts that

( )
( )
(
)
p p1
p p2 2
p
p
p
(x + y) = x +
x y+
x y + ... +
x1 y p1 + y p ,
1
2
p1
( )
p!
where pi = i!(pi)!
. Now suppose 0 < i < p. Since p is prime, p! is divisible by p
and i! and (p i)!, being a product of positive integers all less than p, are not. So
each of the binomial coecients is divisible by p except the rst and the last. 
Therefore
p = ( + 1 )p p + p

(mod pR).

Case 1: p 1 (mod 8). Then p = , and hence p = 1 , so

p p + p + 1 =

(mod pR)

so (23) becomes

( )
2

(mod pR).
p
It is tempting to cancel the s, but we must be careful: pR need not be a prime
ideal of the ring R.4 But, sneakily, instead of dividing we multiply by , getting
( )
2
2
2 2
(mod pR),
p
which by Lemma 2 means that
22

( )
2
p

(mod p)

in the usual sense. Since 2 is a unit in Z/pZ, dividing both sides by 2 is permissible.
We do so, getting the desired conclusion in this case:
( )
2
1 (mod p).
p
Case 2: p 1 (mod 8) is very similar: this time p = 1 , but still p
p + p 1 + = (mod
( )pR). The remainder of the argument is the same, in
particular the conclusion: p2 1 (mod p).
4In fact, it can be shown not to be prime in the case p 1 (mod 8).

8. PROOF OF THE QUADRATIC RECIPROCITY LAW MODULO. . .

63

Case 3: p 3 (mod 8). Now we have

p p + p 3 + 3 4 1 + 4 ( + 1 )

(mod pR).

Thus we get this time

( )
2
(mod pR),
p
and again we multiply by to get a congruence modulo p and conclude
( )
2
= 1.
p

Case 4: p 5 (mod 8): Exercise (Case 4 is to Case 3 as Case 2 is to Case 1.)

8. Proof of the Quadratic Reciprocity Law Modulo. . .
The above proof is due in spirit to Euler. It is very ingenious, but how do we adapt
it to prove the Quadratic Reciprocity Law: e.g., what should play the role of ?
2i

Let us now take p to be an odd prime, = e p to be a primitive pth root of unity,

and R = Z[]. A good start would be to nd an explicit element of R with 2 = p.

This would mean in particular that Q( p) Q(), which is far from obvious.

2i
Indeed, it need not even be quite true. Take p = 3: since 3 = e 3 = ( 1 2 3 ), the

cyclotomic eld Q(3 ) is the same as the imaginary quadratic eld Q( 3). There
is an element Z[3 ] with 2 = 3 but not one with 2 = 3.
But take heart: nding a square root of p in Q(p ) isnt exactly what we wanted
anyway. Recall that a strange factor of 1 according to whether p 1 (mod 4)
is the hallmark of quadratic reiciprocity. So actually we are on the right track.
Now, like a deus ex machina comes the Gauss sum:5
p1 ( )

t
:=
t.
p
t=0
In other words, we sum up all the pth roots of unity, but we insert 1 signs in front
of them according to a very particular recipe. This looks a bit like a random walk
in the complex plane with p steps of unit length. A probabilist would guess that

the magnitude of the complex number is roughly p.6 Well, it is our lucky day:
Theorem 58. (Gauss)
2 = (1)

p1
2

p.
p1

That is, | | = p on the nose! The extra factor of (1) 2 is more than welcome,
p1
since it appears in the quadratic reciprocity law. In fact, we dene p = (1) 2 p,
and then it is entirely straightforward to check the following
5We make the convention that from now until the end of the handout, all sums extend over
0 i p 1.
6Much more on this, the philosophy of almost square root error, can be found in the
analytic number theory part of these notes.

64

4. QUADRATIC RECIPROCITY

Lemma 59. The quadratic reciprocity law is equivalent to the fact that for
distinct odd primes p and q, we have
( ) ( )
q
p
=
.
p
q


Proof. Exercise.
Remarkably, we can now push through a proof as in the last section:
( )
p
q1
2 q1
q1
2
2

= ( )
= (p )

(mod q),
q
and suddenly our way is clear: multiply by to get
( )
p
(24)
q
(mod q).
q
On the other hand, we have
(
)q
(t)
(t)
q
t

qt

p
p
t
t

(mod q).

Now, since q is prime to p and hence to the order of , the elements qt still run
through all distinct pth roots of unity as t runs from 0 to p 1. In other words, we
can make the change of variable t 7 q 1 t and then the sum becomes
( 1 ) ( )
( )
( q 1 t )
q
t
q
t
t
=
=
.
p
p
p
p
t
t
So we win: substituting this into (24) we get
( )
( )
q
p

(mod q),
p
q
and multiplying through by we get an ordinary congruence
( )
( )
q
p

p
p (mod q);
p
q
since p is prime to q, we may cancel to get
( ) ( )
q
p

(mod q),
p
q
and nally that

( ) ( )
q
p
=
.
p
q
9. . . . the Computation of the Gauss Sum

Of course, it remains to prove Theorem 58. We wish to show that if

(t)
t,
=
p
t
then
2 = p = (1)

p1
2

p.

9. . . . THE COMPUTATION OF THE GAUSS SUM

65

We do this by introducing a slightly more general sum: for any integer a, we dene
(t)
a :=
at .
p
t
If a 0 (mod p), then
a =

(t)
p

ap

(t)
p

Notice that q came up in the proof of the quadratic reciprocity law and we quickly
rewrote it in terms of . That argument still works here, to give:
( )
a
a =
.
p

Now we will evaluate the sum a a a in two dierent ways. First, if a = 0, then
)
(
)
( )(
p1
a
a
1
2
a a =
=
2 = (1) 2 2 .
p
p
p
On the other hand
0 =

(t)
p

0t

(t)

= 0,

since each nonzero quadratic residue mod p contributes +1, each quadratic nonresidue contributes 1, and we have an equal number of each. It follows that

p1
a a = (1) 2 (p 1) 2 .
a

We also have
a a =

(x) (y )
x

a(xy) .

Lemma 60.

a) If a 0 (mod
then t at = p;
p),
b) Otherwise t at = 0.
The proof is easy. So interchanging the summations we get

(x) (y )
a a =
a(xy) .
p
p
a
x
y
a
The inner sum is 0 for all x = y, and the outer sum is 0 when x = y = 0. For each
of the remaining p 1 values of x = y, we get a contribution to the sum of p, so

a a = (p 1)p.
a

Equating our two expressions for

a a a

(p 1)p = (1)

gives

p1
2

(p 1) 2 ,

which gives the desired result:

2 = (1)

p1
2

p = p .

66

4. QUADRATIC RECIPROCITY

10. Comments
Working through this proof feels a little bit like being an accountant who has been
assigned to carefully document a miracle. Nevertheless, every proof of QR I know
feels this way, sometimes to an even greater extent. At least in this proof the miracle can be bottled: there are many fruitful generalizations of Gauss sums, which
can be used to prove an amazing variety of results in mathematics, from number
theory to partial dierential equations (really!).
The proof just given is a modern formulation of Gauss sixth and last proof, in
which his polynomial identities have been replaced by more explicit reference to
algebraic integers. In particular I took the proof from the wonderful text of Ireland
and Rosen, with only very minor expository modications. In addition to being no
harder than any other proof of QR that I have ever seen, it has other merits:
rst,
it shows that the cyclotomic eld Q(p ) contains the quadratic eld Q( p ) in
fact, Galois theory shows that this is the unique quadratic eld contained in Q a
fact which comes up again and again in algebraic number theory. Second, the proof
can be adapted with relative ease to prove certain generalizations of the quadratic
reciprocity law to cubic and biquadratic residues (for this see Ireland and Rosen
again). These higher reciprocity laws were much sought by Gauss but found only
by his student Eisenstein (not the lmmaker).
Finally, the Gauss sum can be rewritten to look more like the Gaussians one
studies in continuous mathematics: you are asked in the homework to show that
2it2
=
e p .
t

CHAPTER 5

More Quadratic Reciprocity: from Zolotarev to

Duke-Hopkins
1. Quadratic Reciprocity in a Finite Quotient Domain
An FQ-domain is a commutative domain R with the property that for every
x R , R/(x) is nite. Evidently any eld is an FQ-domain, and conversely any nite domain is a eld. Here we will be interested in FQ-domains which are not elds.
Let R be a nite quotient domain, and let x R . We dene the norm |x| :=
#R/(x), and put |0| = 0. We claim that for x, y R , |xy| = |x||y|: indeed, this
follows from the short exact sequence
0

(x)
R/(xy) R/(x) 0
(xy)

and the fact that multiplication by x gives an isomorphism R/(y) (x)/(xy).

Example: If R is a domain with additive group isomorphic to Zn for some n 1,
then R is an FQ-domain. In particular, for any number eld K, the ring of integers
ZK is an FQ-domain.
Example: Let C/Fq be an integral, normal ane algebraic curve. Then the coordinate ring Fq [C] is an FQ-domain. In particular, the univariate polynomial ring
Fq [t] is an FQ-domain.
As usual, a prime (or prime element) in R is a nonzero element p such that
pR is a prime ideal. In a nite quotient domain, if p is a prime element, then R/(p)
is a nite eld: in particular the ideal (p) is maximal.
Remark: A theorem of Kaplansky states that a domain R is a UFD i every
nonzero prime ideal p of R contains a prime element. It is also known that a domain is a PID i every prime ideal is principal. From these two results it follows
that an FQ-domain is a UFD i it is a PID.
We say that a nonzero, nonunit x R is factorable if there exist primes p1 , , pr
such that x = p1 pr . An FQ-domain is a UFD i every nonzero nonunit is factorable, but even if R is not a UFD, then factorization of an element into primes
(as opposed to merely irreducibles) is necessarily unique up to associates.
We say x R is odd if |x| is an odd integer. Note that if 2 R then every nonzero x is odd, whereas if 2 = 0 in R then no element of x is odd.
67

68

5. MORE QUADRATIC RECIPROCITY: FROM ZOLOTAREV TO DUKE-HOPKINS

Let I be a nonzero ideal of the FQ-domain R. Then I contains a nonzero element x, we have a natural surjection R/(x) R/I, and since R/(x) is nite, so is
R/I. We may therefore extend the norm map to nonzero ideals by |I| = #R/I
and also put |(0)| = 0. Note that this generalizes the previous norm map in that
for all x R we have |(x)| = |x|. As above, we say an ideal I is odd if |I| is odd.
A nonzero proper ideal
r b of R is factorable if there exist prime ideals p1 , . . . , pr
of R such that b = i=1 pi . Note that if the element b is factorable, then so is
the principal ideal (b), but in general the converse does not hold. Because of this
we say that an element b is I-factorable if the ideal (p) factors into a product of
prime ideals.
( )
For a R and an odd prime ideal p, we dene the Legendre symbol ap :
it is 0 if a p, 1 if a
/ p and a x2 (mod p), and 1 if a
/ p and a x2 (mod p).
For an odd factorable ideal b = p1 pr of R we dene the Jacobi symbol
r ( )
(a)
a
=
.
b
b
i=1
Let r be a ring, and let a r . Then the map ma : r r by x 7 xa is a bijection
(its inverse is a1 ).
Now suppose moreover r is nite, of order n, so upon choosing a bijection of R
with {1, . . . , n}, we may identify a with an element of the symmetric group Sn , and
in particular a has a well-dened sign [ ar ] {1} The sign map : Sn {1} is
a homorphism into a commutative group, so for all , Sn , ( 1 ) = (). In

particular [ ar ] is independent of the choice of bijection r {1, . . . , n}.)

These two constructions are related, as follows: let R be an FQ-domain, b = p1 pr
a nonzero, proper factorable odd ideal of R, and a an element of R which is relatively prime to b in the sense [that ](a) + b = R. Then (the image of) a is a unit
in the nite ring R/(b) so that

a
R/b

is well-dened.

Theorem 61. (Zolotarevs First Lemma) Let R be an abstract number ring, b

an odd factorable ideal of R, and a an element of R which is relatively prime to b.
Then
[
] ( )
a
a
=
.
R/b
b
Proof. . . .

1.1. The Zolotarev Symbol.

Now let a and b be two relatively prime odd elements of the FQ-domain R. We will
dene three permutations , , of the nite set R/(a) R/(b).
Lemma)
Theorem 62. (Zolotarevs
] ( Second
[
)
a
= ab .
a) We have () = R/(b)
] ( )
[
b
= ab .
b) We have () = R/(a)
c) We have () = () ().

3. THE DUKE-HOPKINS RECIPROCITY LAW

69

For coprime odd a, b R, we dene the Zolotarev symbol

Z(a, b) = () {1}.
Theorem 63. (Abstract Quadratic Reciprocity) Let a, b be relatively prime, odd
I-factorable elements of an FQ-domain R. Then
(a) ( b )
= Z(a, b).
b
a
2. The Kronecker Symbol
( na )

The Jacobi symbol

is an extension of the Legendre symbol ( ap ) which is
r
dened for any positive odd integer n by ( a1 ) = 1 for all a Z; if n = i=1 pi , then
)
r (
(a)
a
=
.
n
pi
i=1
For an integer a, dene

a 0 (mod 2)
a 1, 7 (mod 8)
,

2
a 3, 5 (mod 8)

) 0 a=0
(
a
1 a>0
,
=

1
1 a < 0
}
(a) {
0 a = 1
=
.
1 a=1
0
With these additional rules there is a unique extension of the Jacobi symbol to
a symbol ( na ) dened for any n, a Z such that for all integers n, a, b, we have
n
a
b
( ab
) = ( na )( nb ). One also has ( ab
n ) = ( n )( n ), i.e., the symbol is bi-multiplicative.
This extension of the Jacobi symbol is known as the Kronecker symbol.
(a)

0
1
=

When n is not odd and positive, some authors (e.g. [DH05]) dene ( na ) only
when a 0, 1 (mod 4). It is not worth our time to discuss these two conventions,
but we note that all of our results involve only thisrestricted Kronecker symbol.
For odd n Z+ , dene n = (1) 2 n. Full quadratic reciprocity i.e.,
the usual QR law together with its First and Second Supplements is equivalent
to one elegant identity: for a Z and an odd positive n Z,
n1

(25)

(a)
n

(
=

n
a

)
.

3. The Duke-Hopkins Reciprocity Law

Let G be a nite commutative group (written multiplicatively) of order n. We
dene an action of (Z/nZ) on G, by
(a mod n) g := g a .

By Lagranges Theorem, g n = 1, so that g a = g a if a a (mod n) and a is

well dened. It is immediate that each a gives a homomorphism from G to G;

70

5. MORE QUADRATIC RECIPROCITY: FROM ZOLOTAREV TO DUKE-HOPKINS

moreover, since a (Z/nZ) , there exists b (Z/nZ) such that ab 1 (mod n),
and then a b = b a = IdG , so that each a is an automorphism of G.
As for any group action on a set, this determines a homomorphism from (Z/nZ)
to the group Sym(G) of permutations of G, the latter group being isomorphic to Sn ,
the symmetric group on n elements. Recall that there is a unique homomorphism
from Sn to the cyclic group Z2 given by the sign of the permutation. Therefore we
have a composite homomorphism
(Z/nZ) Sym(G) Z2
which we will denote by
a (mod n) 7

(a)

.
G
Example 2.1 (Zolotarev): Let p be an odd prime and G( = Z
) p is the cyclic group
a

of order p. The mapping (Z/pZ) Z2 given by a 7 Zp is nothing else than

the usual Legendre symbol a 7 ( ap ). Indeed, the group (Z/pZ) is cyclic of even
order, so admits a unique surjective homomorphism to the group Z2 = {1}: if
g is a primitive root mod p, we send g to 1 and hence every odd power of g to
1 and every even power of g to +1. This precisely describes the Legendre
( )symbol
a

a 7 ( p ). Thus it suces to see that for some a (Z/pZ) we have Zap = 1,

i.e., the sign of the permutation n Zp 7 na is 1. To see this, switch to additive
notation, viewing Zp as the isomorphic group (Z/pZ, +); the action in question is
now just multiplication by a nonzero element a. If g is a primitive root modulo p,
multiplication by g xes 0 and cyclically permutes all p 1 nonzero elements, so is
a cycle of even order and hence an odd permutation: thus ( Zgp ) = 1.
a
) is also bi-multiplicative.
The next result shows that the symbol ( G

Proposition 64. For i = 1, 2 let Gi be a nite commutative group of order ni

and a (Z/n1 n2 Z) . Then
) (
)(
)
(
a (mod n1 )
a (mod n2 )
a
=
.
G1 G2
G1
G2
Proof. If a (Z/n1 n2 Z) , then
a

a (g1 , g2 ) = (g1a , g2a ) = (g1

(mod n1 )

, g2

(mod n2 )

).

After identifying G1 (resp. G2 ) with the subset G1 eG2 (resp. eG1 G2 ) of G1 G2 ,

the permutation that a induces on G1 G2 is the product of the permutation that a
(mod n)1 induces on G1 with the permutation that a (mod n)2 induces on G2 . 
Let us now consider the action of 1 on Sym(G). Let r1 be the number of xed
points of 1. More concretely, 1 g = g 1 = g i g has order 1 or 2. Note
that r1 1 because of the identity element. The n r1 other elements of G are all
distinct from their multiplicative inverses, so there exists a positive integer r2 such
that n r1 = 2r2 .
Denition: We put G = (1)r2 |G|r1 = (1)r2 nr1 .
Lemma 65. For any nite commutative group G, we have G 0 or 1 (mod 4).

4. THE PROOF

71

Proof. Let n = |G|. If n is odd, then by Lagrange the only g with g 1 = g is

n1

2 n 1
the identity, so that r1 = 1 and r2 = n1
2 . In this case G = |G| = (1)
(mod 4). If n is even, then n r1 = 2r2 0 (mod 2), so r1 is even and hence is at
least 2, so G = (1)r2 nr1 0 (mod 4).

( )
So the Kronecker symbol Ga is always dened (even in the restricted sense).
Theorem 66. (Duke-Hopkins Reciprocity Law) For a nite commutative group
G and an integer a, we have
( a ) ( G )
=
.
G
a
The proof will be given in the next section.
Corollary 67. a) Suppose G has odd order n. Then for any a (Z/nZ) ,
we have
( a ) ( n )
=
.
G
a
b) Taking G = Zn we recover (34).
a
c) We have ( G
) = 1 for all a (Z/nZ) i n is a square.
Proof of Corollary 67: In the proof of Lemma 65 we saw that G = n ; part a)
a
then follows immediately from the reciprocity law. By part a), the symbol ( G
) can
be computed using any group of order n, so factor n into a product
p

p
of
not
1
r
r
a
necessarily distinct primes and apply Example 2.1: we get ( G
) = i=1 ( pai ) = ( na ).
This gives part b). Finally, using the Chinese Remainder Theorem it is easy to see
that there is some a such that ( na ) = 1 i n is not a square.
4. The Proof
Enumerate the elements of G as g1 , . . . , gn and the characters of G as 1 , . . . , n .
Let M be the n n matrix whose (i, j) entry is i (gj ).
Since any character X(G) has values on the unit circle in C, we have 1 = .
Therefore the number r1 of xed points of 1 on G is the same as the number
of characters such that = , i.e., real-valued characters. Thus the eect of
complex conjugation on the character matrix M is to x each row corresponding to
a real-valued character and to otherwise swap the ith row with the jth row where
j = i . In all r2 pairs of rows get swapped, so
det(M ) = det(M ) (1)r2 .
Moreover, with M = (M )t , we have
M M = nIn ,
so that
det(M ) det(M ) = nn ,
so
(26)

det(M )2 = (1)r2 nn = (1)r2 nr1 n2r2 = 2 G ,

72

5. MORE QUADRATIC RECIPROCITY: FROM ZOLOTAREV TO DUKE-HOPKINS

where =nr2 . (In particular det(M )2 is a positive integer. Note that det(M ) itself
lies in Q( G ), and is not rational if n is odd.) So for any a Z, we have
(
) ( )
det(M )2
G
(27)
=
.
a
a
The character matrix M has values in the cyclotomic eld Q(n ), which is a Galois
extension of Q, with Galois group isomorphic to (what a concidence!) (Z/nZ) , an
explicit isomorphism being given by making a (Z/nZ) correspond to the unique
automorphism a of Q(n ) satisfying a (n ) = na . (All of this is elementary Galois
theory except for the more number-theoretic fact that the cyclotomic polynomial n
is irreducible over Q.) In particular the group (Z/nZ) also acts by permutations
on the character group X(G), and indeed in exactly the same way it acts on G:
g G, (a )(g) = (g a ) = ((g))a = a (g),
so a = a . This has the following beautiful consequence:
For a (Z/nZ) , applying the Galois automorphism a to the character matrix
M induces a permutation of the rows which is the same as the permutation a
of G. In particular the signs are the same, so
(a)
(28)
det(a M ) = det(M )
.
G
Combining (35) and (28), we get that for all a (Z/nZ) ,
( a )

a ( G ) =
G .
G
Now, by the multiplicativity on both sides it is enough to prove Theorem 66 when
a = p is a prime not dividing n and when a = 1.
Proposition

68. Let p be a prime not dividing n. TFAE:

a) p ( G ) =
G .
b) p splits in Q( G ).

c) ( Gp ) = 1.
The proof of this a standard result in algebraic number theory is omitted for now.
We deduce that

G
p

)
=

(p)
G

Finally, when a = 1, 1 is simply complex conjugation, so

(
)
{
} ( )

1
G
G > 0
G
G = 1 ( G ) =
=
G ,

G G <0
G
1
so

1
G

(
=

This completes the proof of Theorem 66.

G
1

)
.

5. IN FACT...

73

5. In Fact...
...the real Duke-Hopkins reciprocity law is an assertion about a group G of order
n which is not necessarily commutative. In this case, the map g 7 g a need not be
an automorphism of G, so a more sophisticated approach is needed. Rather, one
considers the action of (Z/nZ) on the conjugacy classes {C1 , . . . , Cm } of G: if
g = xhx1 then g a = xha x1 , so this makes sense. We further dene r1 to be the
number of real conjugacy classes C = C 1 and assume that in our labelling
C1 , . . . , Cr1 are all real and dene r2 by the equation m = r1 + 2r2 . Then in place
of our G (notation which is not used in [DH05]), one has the discriminant
r1

d(G) = (1)r2 nr1

|Cj |1 .
j=1

The Duke-Hopkins reciprocity law asserts that for a (Z/nZ) ,

( a ) ( d(G) )
=
.
G
a
The proof is very similar, except the group X(G) of one-dimensional characters
gets replaced by the set {1 , . . . , m } of characters (i.e., trace functions) of the
irreducible complex representations of G. Perhaps surprisingly, the only part of
the proof which looks truly deeper is the claim that d(G) 0, 1 (mod 4) which is
required, according to the conventions of [DH05], for the Kronecker symbol ( d(G)
a )
can be dened. Duke and Hopkins suggest this as an analogue of Stickelbergers
theorem in algebraic number theory which asserts that the discriminant of any
number eld is an integer which is 0 or 1 modulo 4; moreover they adapt a 1928
proof of that theorem due to Issai Schur.

CHAPTER 6

The Mordell Equation

1. The Coprime Powers Trick in Z
We have by now seen several ways in which the fundamental theorem of arithmetic
can be used to solve Diophantine equations, and that suitably generalized, these
techniques often apply to more general unique factorization domains.
We will now consider another such technique, the coprime powers trick. In
the interest of linear exposition, we present the technique rst and then give an
application. However, the reader might prefer to skip ahead and see how it is used.
Proposition 69. (Coprime Powers Trick, v. 1)
Let n Z+ , let x, y, z Z be such that gcd(x, y) = 1 and xy = z n .
a) There exist a, b Z such that x = an , y = bn .
b) If n is odd, then there exist a, b Z such that x = an , y = bn .
Proof. If x, y Z, then x = y i ordp (x) = ordp (y) for all prime numbers
p. We exploit this as follows: for any prime p, take ordp of both sides of xy = z n
to get
ordp (x) + ordp (y) = n ordp (z).
Since x and y are relatively prime, at least one of ordp (x), ordp (y) is equal to 0,
and therefore they are both divisible by n. Now dene a, b Z+ as follows:
ordp (y)
ordp (x)
a=
p n .
p n , b=
p

Then for all primes p, ordp (a ) = n ordp (a) = ordp (x) and ordp (bn ) = n ordp (b) =
ordp (y). We conclude x = an , y = bn , establishing part a). Part b) follows upon
noticing that if n is odd, (1)n = 1, so we may write x = (a)n , y = (b)n . 
1.1. An application.
Theorem 70. The only integral solutions to
y 2 y = x3

(29)
are (0, 0) and (0, 1).

Proof. Suppose (x, y) Z2 satisfy equation (29), i.e., y(y 1) = x3 . As for

any two consecutive integers, y and y 1 are relatively prime. We can therefore
apply Proposition 69b) to conclude that there exist a, b Z such that
y = a3 , y 1 = b3 .
This gives
1 = y (y 1) = a3 b3 = (a b)(a2 + ab + b2 ),
75

76

6. THE MORDELL EQUATION

and the only way this can happen is for

a b = a2 + ab + b2 = 1.
Suppose rst that a b = 1, so b = a 1; then
1 = a2 + ab + b2 = a2 + a(a 1) + (a 1)2 = 3a2 3a + 1,
or
3a2 3a = 0.
The solutions of this quadratic are a = 0 and a = 1. If a = 0, then y = a3 = 0, and
x3 = 02 0 = 0: we get the solution (x, y) = (0, 0) to (29). If a = 1, then y = 1
and x3 = 12 1 = 0: we get the solution (x, y) = (0, 1).
Next suppose that a b = 1, so b = a + 1; then
1 = a2 + ab + b2 = a2 + a(a + 1) + (a + 1)2 = 3a2 + 3a + 1,
or
3a2 + 3a + 2 = 0,
a quadratic equation with discriminant 32 4 3 2 = 13 < 0; thus there are no
real solutions.

2. The Mordell Equation
We now turn to a family of Diophantine equations which has received persistent
attention over the centuries and remains of interest to this day. Namely, x an
integer k and consider
y 2 + k = x3 .

(30)

We wish to nd all integral solutions. If k = 0 we get the degenerate equation

y 2 = x3 . A moments thought shows that this equation has solution set {(x, y) =
(a2 , a3 ) | a N}. In particular there are innitely many solutions. The great
Philadelphian mathematician Louis J. Mordell showed that conversely, for each
nonzero k, (30) has only nitely many integer solutions. Because of this and other
results over the course of his long career, (30) is often called the Mordell Equation,
despite the fact that other distinguished mathematicians also worked on it. In
particular, the case of k = 2 was considered by Claude-Gaspar Bachet and Fermat
in the seventeenth century, and the following result is attributed to Fermat.
Theorem 71. (Fermat) The only integral solutions to
(31)

y 2 + 2 = x3

are (3, 5) and (3, 5).

Proof. We wish to argue similarly to the previous result,
but here the only

factorization in sight takes place over the quadratic ring Z[ 2], namely:

x3 = (y + 2)(y 2).
Looking back at the previous argument,
it seems
that whatwe would like to say is

that there are elements = a + b 2, = c + d 2 Z[ 2] such that

y + 2 = 3 , y 2 = 3 .
The
justication for this will be a version of the coprime powers trick in the ring
Z[ 2], but let us assume it just for a moment and see what comes of it.

3. THE COPRIME POWERS TRICK IN A UFD

77

By expanding out 3 we get

y + 2 = (a + b 2)3 = (a3 6ab2 ) + (3a2 b 2b3 ) 2,

and this means that
y = a3 6ab2 = a(a3 6b2 ),
1 = 3a2 b 2b3 = b(3a2 2b2 ).
Again this very much limits our options: we must have
b = 3a2 2b2 = 1
or
b = 3a2 2b2 = 1.
Taking the rst option b = 1 gives 3a2 = 2b2 + 1 = 3, so a = 1. Taking
(a, b) = (1, 1) leads to y = 1(13 6 12 ) = 5, so x3 = y 2 + 2 = 52 + 2 = 27,
so x = 3: we get the solution (x, y) = (3, 5). Taking (a, b) = (1, 1) leads to
y = 1((1)3 6 12 ) = 7, so x3 = y 2 + 2 = 72 + 2 = 51, which has no integral
solutions since 51 is not a perfect cube.
The second option b = 1 gives 3a2 = 2b2 + 1 = 3, so again a = 1.
Taking (a, b) = (1, 1) leads to y = 1(13 6 (1)2 ) = 5, and as above we
get x = 3 and the solution (x, y) = (3, 5). Taking (a, b) = (1, 1) leads to
y = 1((1)3 6 (1)2 ) = 7, which as above yields no solution.

The time has come to justify our assumption that there exist elements , as
above. The justication is in two parts:
rst, we need a version of the coprime
powers trick that applies to the domain Z[ 2]; and second we need to verify that
the hypotheses

are justied in our particular case: in particular, that the elements

y 2 of Z[ 2] are indeed coprime!
3. The Coprime Powers Trick in a UFD
3.1. Ord functions and coprime powers.
Let R be a UFD and x, y R. We say x, y are coprime if z | x, | z | y implies z R : equivalently, there is no prime element which divides both of them.
Proposition 72. (Coprime powers trick, v. 2) Let R be a UFD, n Z+ , and
let x, y, z R be coprime elements such that xy = z n .
a) There exist , R and units u, v R such that
x = un , y = v n .
b) If every unit in R is an nth power, then there exist , R such that
x = n , y = n .
In other words, if in a UFD the product of two relatively prime elements is a perfect
nth power, then each of them is a perfect nth power, up to a unit.
Before giving the proof, we set up a more general notion of ord functions. We
work in the context of an integral domain R which satises the ascending chain
condition on principal ideals (ACCP). In plainer terms we assume that there is no

78

6. THE MORDELL EQUATION

1
innite sequence {xi }
i=1 of elements of R such that xi+1 properly divides xi for
all i. This is a very mild condition: it is satised by any Noetherian ring and by
any UFD: c.f. [Factorization in Integral Domains].

Now let be a nonzero prime element of R, and let x R \ {0}. (ACCP) ensures
that there exists a largest non-negative integer n such that n | x, for otherwise
n | x for all n and { xn } is an innite sequence in which each element properly
divides the previous one. We put ord (x) to be this largest integer n. In other
words, ord (x) = n i n | x and n+1 - x. We formally set ord (0) = +, and
we extend ord to a function on the fraction eld K of R by multiplicativity:
( )
x
ord
:= ord (x) ord (y).
y
This generalizes the functions ordp on Z and Q, and the same properties hold.
Proposition 73. Let R be an (ACCP) domain with fraction eld K. Let be
a nonzero prime element of R and x, y K \ {0}. Then:
a) ord (xy) = ord (x) + ord (y).
b) ord (x + y) min(ord (x), ord (y)).
c) Equality holds in part b) if ord (x) = ord (y).
Proof. We will suppose for simplicity that x, y R \ {0}. The general case
follows by clearing denominators as usual. Put a = ord (x), b = ord (y). By
hypothesis, there exists x , y such that x = a x , y = b y and - x , y .
a) xy = a+b (x y ). Thus ord (xy) a + b. Conversely, suppose that a+b+1 | xy.
Then | x y , and, since is a prime element, this implis | x or | y , contradiction. Thus ord (xy) = a + b = ord (x) + ord (y).
b) Let c = min a, b, so x + y = c ( ac x + bc y , and thus c | x + y and
ord (x + y) c = min(ord (x), ord (y)).
c) Suppose without loss of generality that a < b, and write x + y = a (x + ba y ).
If a+1 | x + y = a x + b y , then | x + ba y . Since b a > 0, we have
| (x + ba y ) ( ba y ) = x , contradiction.

Suppose that and are associate nonzero prime elements, i.e., there exists a unit
u R such that = u. Then a moments thought shows that the ord functions
ord and ord coincide. This means that ord depends only on the principal ideal
p = () that the prime element generates. We could therefore redene the ord
function as ordp for a nonzero principal prime ideal p = () of R, but for our purposes it is convenient to just choose one generator of each such ideal p. Let P
be a maximal set of mutually nonassociate nonzero prime elements, i.e., such that
each nonzero prime ideal p contains exactly one element of P.
Now suppose that R is a UFD, and x R \ {0} is an element such that ord (x) = 0
for all P. Then x is not divisible by any irreducible elements, so is necessarily
a unit. In fact the same holds for elements x K \ {0}, since we can express x = ab
with a and b not both divisible by any prime element. (In other words, in a UFD we
can reduce fractions to lowest terms!) It follows that any x K \ {0} is determined
1We say that a properly divides b if a | b but a is not associate to b.

3. THE COPRIME POWERS TRICK IN A UFD

79

up to a unit by the integers ord (x) as ranges over elements of P. Indeed, put

y=
ord x .
P

Then we have

ord ( xy )

= 0 for all P, so that

x
y

= u is a unit in R, and x = yu.

After these preparations, the proof of Proposition 72 is straightforward: we have

xy = z n . For any prime element p, take ordp of both sides to get
ordp (x) + ordp (y) = n ordp (z).
But since x and y are assumed coprime, for any xed prime p, we have either
ordp (x) = 0 or ordp (y) = 0. Either way we get that n | ordp (x) and n | ordp (y)
(since n | 0 for all n). So the following are well-dened elements of R:
ordp (x)
x =
p n ,
pP

y =

ordp (y)
n

pP

where the product extends over a maximal set of pairwise nonassociate nonzero
ord (x)
prime elements of R. By construction, we have ordp ((x )n ) = n ordp (x ) = n np
=
n
ordp (x) for all p P, so the elements x and (x ) are associate: i.e., there exists
a unit u in R such that x = u(x )n . Exactly the same applies to y and y : there
exists a unit v R such that y = v(y )n .
3.2. Application to the Bachet-Fermat Equation.
To complete the proof of Theorem 71 we need to verify
that the hypotheses of
Proposition 72b)
apply:
namely,
that
every
unit
in
Z[
2] is a cube and that the

elements y + 2, y 2 are indeed relatively prime.

For the former, we are

fortunate in that, as for Z, the only units in R = Z[ 2] are 1, both of which

are indeed cubes in R.

For the latter, we suppose

that d Ris a common

divisor of y + 2 and
y 2. Then
also d | (y + 2) (y 2) = 2 2, i.e., there exists d R
with dd = 2 2. Taking norms of both sides we get

N (d)N (d ) = N (2 2) = 8,

so N (d) | 8. Moreover, there exists R such that d = y + 2, hence

N (d)N () = N (d) = N (y + 2) = y 2 + 2 = x3 ,
so N (d) | x3 . We claim that x must be odd. For if not, then reducing the equation
x3 = y 2 + 2 mod 8 gives y 2 6 (mod 8), but the only squares mod 8 are 0, 1, 4.
Thus x3 is odd and N (d) | gcd(x3 , 8) = 1 so d = 1 is a unit in R.
3.3. Application to the Mordell Equation with k = 1.
Theorem 74. The only integer solution to y 2 + 1 = x3 is (1, 0).

Proof. This time we factor the left hand side over the UFD R = Z[ 1]:

(y + 1)(y 1) = x3 .

80

6. THE MORDELL EQUATION

If a nonunit
d in
R divides bothy +
1 and y 1, then it divides
(y + 1)

(y
1) = 2 1 = (1 + 1)2 1. The element 1 + 1, having norm
N (1 + 1) = 2 a prime number, must be an irreducible (hence prime) element of
R. So 1 + i is the only possible common prime divisor. We compute

y 1 1 1
y 1 + (y 1) 1

=
2
1 + 1 1 1
which is an element of R i y is odd. But consider the equation y 2 + 1 = x3 modulo
4: if y is odd, then y 2 + 1 2 (mod 4),
but 2 is not a cube modulo 4. Therefore we
although
must have that y is even, so that y 1 are indeed coprime. Moreover,

the unit group of R is slightly larger in this case it is {1, 1} it is easily

checked that every unit is a cube in R. So Proposition 72b) applies here, giving
, R such that

y + 1 = 3 , y 1 = 3 .

Again we will put = a + b 1 and expand out 3 , getting

y + 1 = a3 3b2 a + (3a2 b b3 ) 1,
or
y = a(a2 3b2 ), 1 = b(3a2 b2 ).
So we have either 1 = b = 3a2 b2 , which leads to 3a2 = 2, which has
no integral
2
2
solution,
or
1
=
b
=
3a

b
,
which
leads
to
a
=
0,
so

1, y =

( 1)3 1 = 0, x = 1 and thus to (x, y) = (1, 0).


4. Beyond UFDs
The situation here is somewhat analogous to ourstudy of the equations x2 +Dy = p,
where the assumption that he quadratic ring Z[ D] is a UFD leads to a complete
solution of the problem. However there are also some dierences.
First, whereas in

the present situation we are using the assumption that Z[ k] is a UFD in order
to showthat y 2 + k = x3 has very few solutions, earlier we used the assumption
that Z[ D] is a UFD to show that the family of equations x2 + Dy 2 = p had
many solutions, namely for all primes p for which D is a
square mod p.
A more signicant dierence is that the assumption Z[ D] was necessary as
well as sucient for our argument to go through: we saw
that whenever D < 3 2
is not of the form x2 +Dy 2 . On the other hand, suppose Z[ k] is not a UFD: must
the coprime powers trick fail? It is not obvious, so let us study it more carefully.
We would like to axiomatize the coprime powers trick. There is an agreed upon
denition of coprimality of two elements x and y in a general domain R: if d | x
and d | y then d is a unit. However it turns out to be convenient to require a
stronger property than this, namely that the ideal x, y = {rx + sy | r, s R}
generated by x and y be the unit ideal R. More generally, for two ideals I, J of a
ring, the sum I + J = {i + j | i I, j J} is an ideal, and we say that I and J
are comaximal if I + J = R; equivalently, the only ideal which contains both I
and J is the improper ideal R. Since every proper ideal in a ring is contained in
a maximal, hence prime, ideal, the comaximality can be further reexpressed as the
property that there is no prime ideal p containing both I and J. (This will be the
formulation which is most convenient for our application.)
Notice that the condition that x and y be coprime can be rephrased as saying

4. BEYOND UFDS

81

that the only principal ideal (d) containing both x and y is the improper ideal
R = (1). So the notions of coprime and comaximal elements coincide in a principal
domain, but not in general.
Now, for a positive positive integer n, say that an integral domain R has property CM(n) if the comaximal powers trick is valid in degree n: namely, for all
x, y, z R with x, y = R and xy = z n , then there exist elements a, b R and
units u, v R such that x = uan , y = vbn . Exactly as above, if we also have
(R )n = (R ) i.e., every unit in R is an nth power then the units u and v can
be omitted. Now consider the following
+
Theorem
75. Let k Z be squarefree with k 1, 2 (mod 4). Suppose that
the ring Z[ k] has property CM(3). Then:
a) If there exists an integer a such that k = 3a2 1, then the only integer solutions
to the Mordell equation y 2 + k = x3 are (a2 + k, a(a2 3k)).
b) If there is no integer a as in part a), the Mordell equation y 2 + k = x3 has no
integral solutions.

Proof. [IR, Prop. 17.10.2] Suppose (x, y) is an integral solution to y 2 +k = x3 .

Reduction mod 4 shows that x is odd. Also gcd(k, x) = 1: otherwise there exists a
prime p dividing both k and x, so p |x3 k = y 2 and p | y 2 = p2 | x3 y 2 = k,
contradicting the squarefreeness of k. Now consider

(y + k)(y k) = x3 .

We wish to show
that y + k, y k
= R. If not,
there exists
a prime ideal
k

p.
Then
(y
+
k)

(y

k)
=
2
k p, hence
p of R with
y

also (2 k)2 = 4k p. Moreover p contains y 2 + k = x3 and since it is prime,

it contains x. But since x is odd and gcd(x, k) = 1, also gcd(x, 4k) = 1, so that
there exist m, n Z with 1 = xm + 4kn and thus 1 p. Moreover, either
k=1
(a case which we have already treated)
or
k
>
1
and
the
only
units
of
Z[
k] are

1. Therefore there exists = a + b k R such that

y + k = 3 = (a + b k)3 = a(a2 3kb2 ) + b(3a2 kb2 ) k.

So b = 1 and k = db2 = 3a2 1. The integer a determined by this equation is
unique up to sign. So y = a(a2 3k), and one easily computes x = a2 + k.


Since property CM(3) holds in the PIDs Z[ 1] and Z[ 2], whatever else Theorem 75 may be good for, it immediately implies Theorems 71 and 74. Moreover
its proof was shorter than the proofs of either of these theorems! The economy was
gained by consideration of not necessarily principal ideals.
Thus, if for a given k as in the statement of Theorem 75 we can nd more solutions to the Mordell Equation
than the ones enumerated in the conclusion of the

theorem we know that Z[ k] does not satisfy property CM(3). In the following
examples we simply made a brute force search over all x and y with |x| 106 .
(There is, of course, no guarantee that we will nd all solutions this way!)
Example:
The equation y 2 + 26 = x3 has solutions (x, y) = (3, 1), (35, 207), so

Z[ 26] does not have property CM(3).

82

6. THE MORDELL EQUATION

Example:
The equation y 2 + 53 = x3 has solutions (x, y) = (9, 26), (29, 156),

so Z[ 53] does not have CM(3).

Example: The equation y 2 + 109 = x3 has solutions (x, y) = (5, 4), (145, 1746).
It is not trivial to nd the solution (145, 1746)
to
by hand, so perhaps it is easier

observe that 5 is not of the form a2 + 109, Z[ 109], so by Theorem 75, Z[ 109]
does not have property CM(3).

In fact, whether a ring

Z[ k] (here we keep the assumptions on k of Theorem 75,
so
in particular Z[ k] is the full ring of algebraic integers of the quadratic eld
Q( k); this would not be the case if k 3 (mod 4)) has property CM(k) can
be determined algorithmically.
It depends on an all-important numerical invariant
called the class number of Z[ k].
For any integral domain R, we can dene an equivalence relation on the nonzero
ideals of R. Namely, we decree that I J i there exist a, b R \ {0} such that
(a)I = (b)J. Roughly speaking, we regard two ideals as being principal if and only
if they dier multiplicatively from a principal ideal. When there are only nitely
many equivalence classes, we dene the class number of R to be the number of
equivalence classes.2 For example, if every ideal of R is principal, then the class
number is equal to 1. Conversely, if the class number of R is equal to 1 and I is any
nonzero ideal of R, then there exist a, b such that aI = bR. Then b = b 1 aI, so
for some x I, ax = b. In particular a | b, and it is then easy to see that I = ( ab )R.
Thus the domains with class number one are precisely the principal ideal domains.
Now let K be a number
eld, and let ZK be the ring of integers in K. In particular this includes Z[ k] for k as above.
Theorem 76. Let ZK be the ring of integers in a number eld K. Then:
a) There are only nitely many equivalence classes of ideals of ZK , so there is a
well-dened class number, denoted h(K).
b) The ring ZK is a PID i it is a UFD i h(K) = 1.
c) Let n Z+ . If gcd(n, h(K)) = 1, then ZK has property CM(n).
At several points in this course we have irted with crossing the border into the
land of algebraic number theory, but that no such passport is required is one of our
ground rules. Because of this it is simply not possible to prove Theorem 76 here.
We can only say that the study of such properties of the ring ZK is a central topic
in the classical theory of algebraic numbers.
Moreover, algorithms for computing the class number have been a very active part
of algebraic number theory for more than one hundred years. Such algorithms are
available indeed, they have been implemented in many software packages the
question is only of the speed and memory needed to do the job. The case of (imaginary) quadratic elds is especially classical and relates to (positive
denite) binary
quadratic forms. So the following table of class numbers of Q( k) for squarefree
2As we have stated it, the denition makes sense for arbitrary domains and is equivalent to
the usual denition for number rings ZK . For more general domains and even some quadratic
rings there is another (less elementary) denition which is more useful.

5. REMARKS AND ACKNOWLEDGEMENTS

83

k, 1 k 200 is more than two hundred years old:

h(Q( k)) =
1 for k = 1, 2, 3, 7, 11, 19, 43, 67, 163
2 for k = 5, 6, 10, 13, 15, 22, 35, 37, 51, 58, 91, 115, 123, 187
3 for k = 23, 31, 59, 83, 107, 139
4 for k = 14, 17, 21, 30, 33, 34, 39, 42, 46, 55, 57, 70, 73, 78, 82, 85, 93, 97, 102, 130,
133, 142, 155, 177, 190, 193, 195
5 for k = 47, 79, 103, 127, 131, 179
6 for k = 26, 29, 38, 53, 61, 87, 106, 109, 118, 157
7 for k = 71, 151
8 for k = 41, 62, 65, 66, 69, 77, 94, 98, 105, 113, 114, 137, 138, 141, 145, 154, 158, 165, 178
9 for k = 199
10 for k = 74, 86, 122, 166, 181, 197 11 for k = 167
12 for k = 89, 110, 129, 170, 174, 182, 186
13 for k = 191
14 for k = 101, 134, 149, 173
16 for k = 146, 161, 185
20 for k = 194
So Theorem 75 applies to give a complete solution to the Mordell equation y 2 + k =
x3 for the following values of k:
1, 2, 5, 6, 10, 13, 14, 17, 21, 22, 30, 33, 34, 37, 41, 42, 46, 57, 58, 62, 65, 69, 70, 73, 74, 77, 78,
82, 85, 86, 93, 94, 97, 98, 101, 102, 106, 113, 114, 122, 130, 133, 134, 137, 138,
141, 142, 145, 146, 149, 154, 158, 161, 165, 166, 177, 178, 181, 185, 190, 193, 194, 197.
2
3
Example: The equation
y +47 = x has solutions (x, y) = (6, 13), (12, 41), (63, 500).
On the other hand Z[ 47] has class number 5 so does have property CM(3). Note
that 47 3 (mod 4).

Example: Z[ 29] has class number 6, but nevertheless y 2 + 29 = x3 has no integral solutions.3 Thus there is (much) more to this story than the coprime powers
trick. For more details, we can do no better than recommend [M, Ch. 26].
5. Remarks and Acknowledgements
Our rst inspiration for this material was the expository note [Conr-A]. Conrad
proves Theorems 70 and 71 as an application of unique factorization in Z and
Z[ 2]. Many more examples of successful (and one unsuccessful!) solution of
Mordells equation for various values of k are given in [Conr-B]. A range of techniques is showcased, including the coprime powers trick but also: elementary (but
somewhat intricate) congruence arguments and quadratic reciprocity.
Also useful for us were lecture notes of P. Stevenhagen [St-ANT]. Stevenhagens
treatment is analogous our discussion of quadratic rings. In particular, he rst
3How do we know? For instance, we can look it up on the internet:

http://www.research.att.com/njas/sequences/A054504

84

6. THE MORDELL EQUATION

proves Theorem 74. He then assumes that Z[ 19] satises CM(3) and deduces
that y 2 +19 = x3 has no integral solutions; nally he points out (x, y) = (18, 7). We
did not discuss this example in the text because it depends critically on the fact
that

Z[ 19] is not the full ring of integers in K = Q( 19): rather ZK = Z[ 1+ 219 ].

For rings like Z[ 19] the denition we gave of the class number is not the correct
one: we should count only equivalence classes of invertible ideals i.e., nonzero
ideals I for which there
exists J such that IJ is principal. In this amended sense
the class number of Z[ 19] is 3.
A generalization of Theorem 75 appears in 5.3 of lecture notes of Franz Lemmermeyer:
http://www.fen.bilkent.edu.tr/franz/ant/ant1-7.pdf
Lemmermeyer
nds all integer solutions to the equation y 2 + k = x3 whenever

3 - h(Q( k) and k 7 (mod 8).Again we have avoided this case so as not to

have to deal with the case where Z[ k]is not the full ring of integers.
It is interesting to look at the work which has been done on the Mordell equation since Mordells death in 1972. In 1973, London and Finkelstein [LF73] found
all solutions to Mordells equation for |k| 102 . The current state of the art is
another story entirely: a 1998 work of Gebel, Petho and Zimmer [GPZ] solves the
Mordell equation for |k| 104 and for about 90% of integers k with |k| 105 .

CHAPTER 7

The Pell Equation

1. Introduction
Let d be a nonzero integer. We wish to nd all integer solutions (x, y) to
x2 dy 2 = 1.

(32)
1.1. History.

Leonhard Euler called (32) Pells Equation after the English mathematician John
Pell (1611-1685). This terminology has persisted to the present day, despite the
fact that it is well known to be mistaken: Pells only contribution to the subject
was the publication of some partial results of Wallis and Brouncker. In fact the
correct names are the usual ones: the problem of solving the equation was rst
considered by Fermat, and a complete solution was given by Lagrange.
By any name, the equation is an important one for several reasons only some
of which will be touched upon here and its solution furnishes an ideal introduction to a whole branch of number theory, Diophantine Approximation.
1.2. First remarks on Pells equation.
We call a solution (x, y) to (32) trivial if xy = 0. We always have at least two
trivial solutions: (x, y) = (1, 0), which we shall call trivial. As for any plane
conic curve, as soon as there is one solution there are innitely many rational solutions (x, y) Q2 , and all arise as follows: draw all lines through a single point, say
(1, 0), with rational slope r, and calculate the second intersection point (xr , yr )
of this line with the quadratic equation (32).
The above procedure generates all rational solutions and thus contains all integer solutions, but guring out which of the rational solutions are integral is not
straightforward. This is a case where the question of integral solutions is essentially
dierent, and more interesting, than the question of rational solutions. Henceforth
when we speak of solutions (x, y) to (32) we shall mean integral solutions.
Let us quickly dispose of some uninteresting cases.
Proposition 77. If the Pell equation x2 dy 2 = 1 has nontrivial solutions,
then d is a positive integer which is not a perfect square.
Proof. (d = 1): The equation x2 + y 2 = 1 has four trivial solutions:
(1, 0), (0, 1).
(d < 1): Then x =
0 = x2 dy 2 2, so (32) has only the solutions (1, 0).
85

86

7. THE PELL EQUATION

(d = N 2 ): Then x2 dy 2 = (x + N y)(x N y) = 1, and this necessitates either:

x + Ny = x Ny = 1
in which case x = 1, y = 0; or
x + N y = x N y = 1,
in which case x = 1, y = 0: there are only trivial solutions.

From now on we assume that d is a positive integer which is not a square.

Any nontrivial solution must have xy = 0. Such solutions come in quadruples:
if (x, y) is any one solution, so is (x, y), (x, y) and (x, y). Let us therefore
agree to restrict our attention to positive solutions: x, y Z+ .
2. Example: The equation x2 2y 2 = 1
Let us take d = 2. The equation x2 2y 2 = 1 can be rewritten as
y2 =

x2 1
.
2

In other words, we are looking for positive integers x for which x 21 is an integer
square. First of all x2 1 must be even, so x must be odd. Trying x = 1 gives, of
course, the trivial solution (1, 0). Trying x = 3 we get
2

32 1
= 4 = 22 ,
2
so (3, 2) is a nontrivial solution. Trying successively x = 5, 7, 9 and so forth we nd
2
that it is rare for x 21 to be a square: the rst few values are 12, 24, 40, 60, 69, 112
and then nally with x = 17 we are in luck:
172 1
= 144 = 122 ,
2
so (17, 12) is another positive solution. Searching for further solutions is a task more
suitable for a computer. My laptop has no trouble nding some more solutions:
the next few are (99, 70), (577, 408), and (3363, 2378). Further study suggests that
(i) the equation x2 2y 2 has innitely many integral solutions, and (ii) the size of
the solutions is growing rapidly, perhaps even exponentially.
2.1. Return of abstract algebra. If weve been paying attention, there are
some clues here that we should be considering things from an algebraic perspective.
Namely, (i) we see that factorization of the left-hand side of the equation x2 dy 2 =
1 leads only to trivial solutions; and (ii) when d < 0, we reduce to a problem that
we have already solved: namely, nding all the units in the quadratic ring

Z[ d] = {a + b d | a, b Z}.

We brought up the problem of determining the units in real quadratic rings Z[ d],
but we did not solve it. We are coming to grips with this same problem here.

Namely, let = r + s d Q( d). We put

= r s d,

2. EXAMPLE: THE EQUATION x2 2y 2 = 1

87

and refer to as the conjugate

of . We may view conjugation as giving
a
homomorphism of elds from Q( d) to itself, that is an automorphism of Q( d).
A consequence
of this is that if P (t) is any polynomial with rational coecients
and Q( d), then P ( ) = P () .
We also dene a norm map

N : Q( d) Q, N () = ;

more explicitly, N (r + s d) = (r + s d)(r s d) =r2 ds2 . From this description

it is immediate that the norm maps elements of Z[ d] to integers.

Lemma 78. The norm map is multiplicative: for any , Q( d), we have
N () = N ()N ().
Proof. This is a straightforward, familiar computation. Alternately, we get a
more conceptual proof by using the homomorphism property of conjugation (which
is itself veried by a simple computation!):
N () = () = = ( )( ) = N ()N ().

Thus Z-solutions (x, y) to (32) correspond to norm one elements x+y d Z[ d]:

N (x + y d) = x2 dy 2 = 1.

Moreover, every norm one element Z[ d] is a unit: the equation = 1 shows

that the inverse of is the integral element .
2.2. The solution for d = 2.
Recall that the units of any ring form a group under multiplication. In our context
this means that if (x1 , y1 ) and (x2 , y2 ) are two solutions
to x2 dy 2 = 1, then we

can get another solution by multiplication in Z[ d]:

N ((x1 +y1 d)(x2 +y2 d)) = N (x1 +y1 d)N (x2 +y2 d) = (x21 dy12 )(x22 dy22 ) = 11 = 1;

multiplying out (x1 +y1 d)(x2 +y2 d) and collecting rational and irrational parts,
we get a new solution (x1 x2 + dy1 y2 , x1 y2 + x2 y1 ).
Let us try out this formula in the case d = 2 for (x1 , y1 ) = (x2 , y2 ) = (3, 2).
Our new solution is (3 3 + 2 2 2, 2 3 + 3 2) = (17, 12), nothing else than the second smallest positive solution! If we now apply the formula with (x1 , y1 ) = (17, 12)
and (x2 , y2 ) = (3, 2), we get the next smallest solution (99, 70).

Indeed,
for any positive integer n, we may write the nth power (3 + 2 2)n as
xn + yn d and know that (xn , yn ) is a solution to the Pell equation. One can
see from the formula for the product that it is a positivesolution. Moreover, the
solutions are all dierent because the real numbers (3 + 2 2)n are all distinct: the
only complex numbers z for which z n = z m for some m < n are the roots of unity,
and the only real roots of unity
are 1. Indeed, we get
(1, 0)
the trivial solution

by taking the 0th power of 3 + 2 2. Moreover, (3 + 2 2)1 =3 2 2 is a halfpositive solution, and taking negative integral powers of 3 + 2 2 we get innitely
many more such solutions.

88

7. THE PELL EQUATION

In total, every
solution to x2 dy 2 = 1 that we have found is of the form (xn , yn )
where xn + yn d = (3 + 2 2)n for some n Z.
Let us try to prove that these are all the integral solutions. It is enough to
show that every positive solution is
of the form (xn , yn ) for some positive integer n,
since every norm one element x + y d is obtained from an element with x, y Z+
by multiplying by 1 and/or taking the reciprocal.
a)
b)
c)
d)

2
2
Lemma 79. Let (x, y) be a nontrivial
integral solution to x dy = 1.
x and y are both positive x+ y d > 1.
d < 1.
x > 0 and y < 0 0 < x + y
x < 0 and y > 0 1 < x + y d
< 0.
x and y are both negative x + y d < 1.

Proof. Exercise.

We now observe that 3 + 2 2 is the

smallestpositive integral solution. Note that
for any positive integers x, y, x + y
d 1 + d. In fact, as x and y range over all
positive integers, we may view x + y d as a double sequence of real numbers, and
this double sequence tends to inthe sense that for any real number M there
are only nitely many terms x + y d M : indeed, since the inequality implies
2
x, y M there are at most
In the present case, one checks
that
M solutions.

among the elements x + y d < 3 + 2 2 < 6 with x, y Z+ , only 2 + 3 2 satises

x2 dy 2 = 1, so it is indeed the smallest positive solution.
not of the form (3 +
Now suppose we had a positive solution (x, y)which was
2 2)n . Choose the largest n N such that x + y d > (3 + 2 2)n ; then

= (x + y d) (3 + 2 2)n = (x + y d) (3 2 2)n .

Write = x + y d; then by multiplicativity (x , y ) is an integral solution of

the Pell equation. Moreover, by construction we have > 1, so by the Lemma
this meansthat (x , y ) is a positive solution. On
the other hand
we have that
< 3 + 2 2, since otherwise we would have x +
y 2 > (3 + 2 2)n+1 . But this
is a contradiction, since we noted above that 3 + 2 2 is the smallest solution with
x, y > 0. This completes the proof.
Thus we have solved the Pell equation for d = 2. To add icing, we can give
explicit formulas for the solutions. Namely, we know that every positive integral
solution (x, y) is of the form

xn + yn d = (3 + 2 2)n
for n Z+ . If we apply conjugation to this equation, then using the fact that it is
a eld homomorphism, we get

xn yn d = (3 2 2)n .

Let us put u = 3 + 2 2 and u = u1 = 3 2 2. Then, adding the two equations

and dividing by 2 we get
1
xn = (un + (u )n ),
2

3. A RESULT OF DIRICHLET

89

and similarly we can solve for yn to get

1
yn = (un (u )n ).
2 d
In fact, we can do even better: u = 0.17157 . . ., so that for all n Z+ , 21 (u )n
1
(u )n are less than 12 . Since xn and yn are integers (even though the
and 2
d
formula does not make this apparent!), this means that we can neglect the (u )n
term entirely and just round to the nearest integer. For a real number such that
12 is not an integer, there is a unique integer nearest to which we shall denote
by . We have proved:
Theorem 80. Every positive integer solution to x2 2y 2 = 1 is of the form

(3 + 2 2)n
xn =
,
2

(3 + 2 2)n

yn =
2 2
for some positive integer n.
Among other things, this explains why it was not so easy to nd solutions by hand:
the size of both the x and y coordinates grow exponentially! The reader is invited
to plug in a value of n for herself: for
e.g. n = 17 it is remarkable how close the
irrational numbers u17 /2 and u17 /(2 2) are to integers:
u17 /2 = 5168247530882.999999999999949;

u17 /(2 2) = 3654502875938.000000000000032.

A bit of reection reveals that this has a lot to do with the fact that xynn is necessarily

very close to 2. Indeed, by turning this observation on its head we shall solve the
Pell equation for general nonsquare d.
3. A result of Dirichlet
Lemma 81. (Dirichlet) For any irrational (real) number , there are innitely
many rational numbers xy (with gcd(x, y) = 1) such that
|x/y | <

1
.
y2

Proof. Since the lowest-term denominator of any rational number xy is unchanged by subtracting any integer n, by subtracting the integer part [] of we
may assume [0, 1). Now divide the half-open interval [0, 1) into n equal pieces:
[0, n1 ) [ n1 , n2 ) . . . [ n1
n , 1). Consider the fractional parts of 0, , 2, . . . , n. Since
we have n + 1 numbers in [0, 1) and only n subintervals, by the pigeonhole principle some two of them must lie in the same subinterval. That is, there exist
0 j < k n such that
1
|j [j] (k [k])| < .
n
Now take y = j k, x = [k] [j], so that the previous inequality becomes
|x y| <

1
.
n

90

7. THE PELL EQUATION

We may assume that gcd(x, y) = 1, since were there a common factor, we could
divide through by it and that would only improve the inequality. Moreover, since
0 < y < n, we have
x
1
1
| | <
< 2.
y
ny
y
This exhibits one solution. To see that there are innitely many, observe that
since is irrational, | xy | is always strictly greater than 0. But by choosing n
suciently large we can apply the argument to nd a rational number
|

x
y

such that

x
x
| < | |,

y
y

and hence there are innitely many.

Remark: The preceding argument is perhaps the single most famous application of
the pigeonhole principle. Indeed, in certain circles, the pigeonhole principle goes
by the name Dirichlets box principle because of its use in this argument.
4. Existence of Nontrivial Solutions
We are not ready to prove that for all positive nonsquare integers d, the Pell equation x2 dy 2 = 1 has a nontrivial solution. Well, almost. First we prove an
approximation to this result and then use it to prove the result itself.
Proposition 82. For some real number M , there exist innitely many pairs
of coprime positive integers (x, y) such that |x2 dy 2 | < M .

Proof. We will apply the Lemma of the preceding

section to = d: we get

an innite
sequence of coprime positive (since d is positive) integers (x, y) with

| xy d| < y12 . Multiplying through by y, the inequality is equivalent to

1
|x y d| < .
y
Since

|x2 dy 2 | = |x y d||x + y d|,

in order to bound the left-hand side we also need a bound on |x + y d|. There is
no reason to expect that it is especially small, but using the triangle inequality we
can get the following:

1
|x + dy| = |x dy + 2 dy| |x dy| + 2 dy < + 2 dy.
y
Thus

1
1 1
|x2 dy 2 | < ( )( + 2 dy) = 2 + 2 d 1 + 2 d = M.
y y
y


Theorem 83. For any positive nonsquare integer d, the equation x2 dy 2 = 1

has a nontrivial integral solution (x, y).

5. THE MAIN THEOREM

91

Proof. We begin by further exploiting the pigeonhole principle. Namely, since

we have innitely many solutions (x, y) to |x2 dy 2 | < M , there must exist some
integer m, |m| < M for which we have innitely many solutions to the equality
x2 dy 2 = m. And once again: we must have two dierent solutions, say (X1 , Y1 )
and (X2 , Y2 ) with X1 X2 (mod |m|) and Y1 Y2 (mod |m|) (since there are
only m2 dierent options altogether for (x (mod |m|), y (mod |m|)) and innitely
many solutions). Let us write

= X1 + Y1 d
and

= X2 + Y2 d;
we have N () = N () = m. Arst thought is to divide by to get an element
of norm 1; however, / Q( d) but does not necessarily have integral x and y
coordinates. However, it works after a small trick: consider instead

= X + Y d.
I claim that both X and Y are divisible by m. Indeed we just calculate, keeping in
mind that modulo m we can replace X2 with X1 and Y2 with Y1 :
X = X1 X2 dY1 Y2 X12 dY12 0

(mod |m|),

Y = X1 Y2 X2 Y1 X1 Y1 X1 Y1 0 (mod |m|).

Thus = m(x + y d) with x, y Z. Taking norms we get

m2 = N ()N ( ) = N ( ) = N (m(x + y d)) = m2 (x2 dy 2 ).

Since m = 0 (why?), this gives

x2 dy 2 = 1.
Moreover y = 0: if y = 0 then the irrational part of Y , namely X1 Y2 X2 Y1 , would
X2
1
be zero, i.e., X
Y1 = Y2 , but this is impossible since (X1 , Y1 ) = (X2 , Y2 ) are both
coprime pairs: they cannot dene the same rational number. We are done.

5. The Main Theorem
Now we nd all solutions of the Pell equation.
Theorem 84. Let d be a positive, nonsquare integer.
a) There exists a positive integral solution (x, y) to x2 dy 2 = 1.

b) There exists aunique positive integral solution (x1 , y1 ) with x1 + y1 d minimal.

Put u = x1 + y1 d. Then every positive integral solution is of the form
)
( n
) ( n
u
un
u + (u )n un (u )n

,
= ,
2
2
2 d
2 d
+
for a unique n Z .
c) Every solution to the Pell equation is of the form (xn , yn ) for n Z.
Proof. Above we showed the existence of a positive solution (x, y). It is easy
to see that for
any M > 0 there are only nitely many pairs of positive integers
such that
x
+
y
d M , so among all positive solutions, there must exist one with

x+y
d least. By taking positive integral powers of this fundamental solution
x1 + y1 d we get innitely many positive solutions, whose x and y coordinates can
be found explicitly as in 2. Moreover, the argument of 2 given there for d = 2

92

7. THE PELL EQUATION

works generally to show that every positive solution is of this form. The reader
is invited to look back over the details.

6. A Caveat
It is time to admit that solving the Pell equation
is generally taken to mean
explicitly nding the fundamental solution x1 + y1 d. As usual in this course, we
have concentrated on existence and not considered the question of how dicult it
would be in practice to nd the solution. Knowing that it exists
we can, in principle, nd it by trying all pairs (x, y) in order of increasing x + y d until we nd
one. When d = 2 this is immediate. If we try other values of d we will see that
sometimes it is no trouble at all:
For d = 3, the fundamental solution is (2, 1). For d = 6, it is (5, 2). Similarly
the fundamental solution can be found by hand for d 12; it is no worse than
(19, 6) for d = 10. However, for d = 13 it is (649, 180): a big jump!
If we continue to search we nd that the size of the fundamental solution seems to
obey no reasonable law: it does not grow in a steady way with d e.g. for d = 42
it is the tiny (13, 2) but sometimes it is very large: for d = 46 it is (24335, 3588),
and hold on to your hat! for d = 61 the fundamental solution is
(1766319049, 226153980).
And things get worse from here on in: one cannot count on a brute-force search for
d even of modest size (e.g. ve digits).
There are known algorithms which nd the fundamental solution relatively eciently. The most famous and elementary of them is as follows: one can nd
the
fundamental solution as a convergent in the continued fraction expansion of d,
and this is relatively fast it depends upon the period length. Alas, we shall not
touch the theory of continued fractions in this course.
Continued fractions are not the last word on solving the Pell Equation, however.
When d is truly large, other methods are required. Amazingly, a test case for this
can be found in the mathematics of antiquity: the so-called cattle problem of
Archimedes. Archimedes composed a lengthy poem (twenty-two Greek elegiac
distichs) which is in essence the hardest word problem in human history. The rst
part, upon careful study, reduces to solving a linear Diophantine equation (in several variables), which is essentially just linear algebra, and it turns out that there
is a positive integer solution. However, to get this far is merely competent, according to Archimedes. The second part of the problem poses a further constraint
which boils down to solving a Pell equation with d = 410286423278424. In 1867
C.F. Meyer set out to solve the problem using continued
fractions. However, he
computed 240 steps of the continued fraction expansion of d, whereas the period
length is in fact 203254. Only in 1880 was the problem solved, by A. Amthor. (The
gap between the problem and the solution 2000 years and change makes the
case of Fermats Last Theorem look fast!) Amthor used a dierent method. All of
this and much more is discussed in a recent article by Hendrik Lenstra [Le02].

7. SOME FURTHER COMMENTS

93

7. Some Further Comments

There is much more to be said on the subject. Just to further scratch the surface:
It is a purely
algebraic consequence of our main result that the unit group of
the ring Z[ d] (for d positive and nonsquare, as usual) is isomorphic to Z Z/2Z.
Indeed, in solving the Pell equation, we found that the group of all norm one units
is of this form, and it remains to account for units of norm 1. Sometimes there
are none e.g. when d is a prime which
is 3 (mod 4) and in this case the result is
clear. But in any case the map N : Z[ d] {1} has as its kernel the solutions
to the Pell equation, so if there are also units of norm 1 the units of norm 1 form
an index 2 subgroup. On the other hand units of nite order are necessarily
roots

of unity, of which there are no more than 1 in all of R, let alone Q( d). The result follows from these considerations; the proof of this is left as an optional exercise.
This is a special case of an extremely important and general result in algebraic
number theory. Namely, one can consider any algebraic number eld a nite degree eld extension K of Q and then the ring OK of all algebraic integers of K
that is, elements of K which satisfy
a monic polynomial with Z coecients. We
have been looking at the case K = Q( d), a real quadratic eld. Other relatively
familiar examples are the cyclotomic elds Q(N ) obtained by adjoining an N th
root of unity: one can show that this eld has degree (N ) over Q (equivalently,
the cyclotomic polynomial N is irreducible over Q).

Dirichlets unit theorem asserts that the units OK

form a nitely generated abelian
a
group, i.e., are isomorphic to Z F , where F is a nite group (which is in fact
the group of roots of unity of F ). Noting that the unit group is nite for imaginary
quadratic elds and innite for real quadratic elds, one sees that the rank a must
depend upon more than just the degree d = [K : Q] of the number eld: somehow
it depends upon how real the eld is. More precisely, let r be the number of eld
homomorphisms from K into R. Alternately, one can show that K is obtained by
adjoining a single algebraic number , i.e., K = Q[t]/(P (t)), where P is a polynomial of degree d = [K : Q]. Then r is nothing else than the number of real
roots of the dening (minimal) polynomial P (t). In particular r d, and d r,
the number of complex roots, is even. Then the precise form of Dirichlets Unit
Theorem asserts that a = r + dr
2 1, a quantity which is positive in every case
except for K = Q and K an imaginary quadratic eld! However the proof in the
general case requires dierent techniques.

However, the argument that we used to nd the general solution to the Pell equation is fascinating and important. On the face of it, it is very hard to believe that
the problem of nding good rational approximations to an irrational number (a
problem which is, lets face it, not initially so fascinating) can be used to solve
Diophantine equations: we managed to use a result involving real numbers and
inequalities to prove a result involving equalities and integers! This is nothing less
than an entirely new tool, lying close to the border between algebraic and analytic
number theory (and therefore helping to ensure a steady commerce between them).

94

7. THE PELL EQUATION

This subject is notoriously dicult but here is one easy result. Dene

10k! .
L=
n=0

We have a decimal expansion in which each lonely 1 is followed by a very long

N
=
succession of zeros. The rational numbers aorded by the partial sums pqN
N
k!
give excellent approximations: for any A, B > 0, one has
n=0 10
|L

pN
A
|< B
qN
qN

for all suciently large N . On the other hand, Liouville proved the following:
Theorem 85. Suppose satises a polynomial equation ad xd + . . . + a1 x + a0
with Z-coecients. Then there is A > 0 such that for all integers p and 0 = q,
p
A
| | > d .
q
q
That is, being algebraic of degree d imposes an upper limit on the goodness of
the approximation by rational numbers. An immediate and striking consequence is
that Liouvilles number L cannot satisfy an algebraic equation of any degree: that
is, it is a transcendental number. In fact, by this argument Liouville established
the existence of transcendental numbers for the rst time!
Liouvilles theorem was improved by many mathematicians, including Thue and
Siegel, and culminating in the following theorem of Klaus Roth:
Theorem 86. (Roth, 1955) Let be an algebraic real number (of any degree),
and let > 0 be given. Then there are at most nitely many rational numbers pq
satisfying
p
1
| | < 2+ .
q
q
For this result Roth won the Fields Medal in 1958.

CHAPTER 8

Arithmetic Functions
1. Introduction
Denition: An arithmetic function is a function f : Z+ C.
Truth be told, this denition is a bit embarrassing. It would mean that taking any
function from calculus whose domain contains [1, +) and restricting it to positive
e3x
integer values, we get an arithmetic function. For instance, cos2 x+(17
log(x+1)) is
an arithmetic function according to this denition, although it is, at best, dubious
whether this function holds any signicance in number theory.
If we were honest, the denition we would like to make is that an arithmetic function
is a real or complex-valued function dened for positive integer arguments which is
of some arithmetic signicance, but of course this is not a formal denition at all.
Probably it is best to give examples:
Example A: The prime counting function n 7 (n), the number of prime numbers p, 1 p n.
This is the example par excellence of an arithmetic function: approximately half
of number theory is devoted to understanding its behavior. This function really
deserves a whole unit all to itself, and it will get one: we put it aside for now and
consider some other examples.
Example 1: The function (n), which counts the number of distinct prime divisors of n.
Example 2: The function (n), which counts the number of integers k, 1 k n,
with gcd(k, n) = 1. Properly speaking this function is called the totient function, but its fame inevitably precedes it and modern times it is usually called just
the phi function or Eulers phi function. Since a congruence class k modulo
n is invertible in the ring Z/nZ i its representative k is relatively prime to n, an
equivalent denition is
(n) := #(Z/nZ) ,
the cardinality of the unit group of the nite ring Z/nZ.
Example 3: The function n 7 d(n), the number of positive divisors of n.
95

96

8. ARITHMETIC FUNCTIONS

Example 4: For any integer k, the function k (n), dened as

k (n) =
dk ,
d | n

the sum of the kth powers of the positive divisors of n. Note that 0 (n) = d(n).
Example 5: The Mobius function (n), dened as follows: (1) = 1, (n) = 0
if n is not squarefree; (p1 pr ) = (1)r , when p1 , . . . , pr are distinct primes.
Example 6: For a positive integer k, the function rk (n) which counts the number of representations of n as a sum of k integral squares:
rk (n) = #{(a1 , . . . , ak ) | a21 + . . . + a2k = n}.
These examples already suggest many others. Notably, all our examples but Example 5 are special cases of the following general construction: if we have on hand,
for any positive integer n, a nite set Sn of arithmetic objects, then we can dene
an arithmetic function by dening n 7 #Sn . This shows the link between number
theory and combinatorics. In fact the Mobius function is a yet more purely combinatorial gadget, whose purpose we shall learn presently. In general we have lots
of choices as to what sets Sn we want to count: the rst few examples are elementary in the sense that the sets counted are dened directly in terms of such things
as divisibility, primality, and coprimality: as we shall, see, they are also elementary in the sense that we can write down exact formulas for them. The example
rk (n) is more fundamentally Diophantine in character: we have a polynomial in
several variables here P (x1 , . . . , xk ) = x21 + . . . + x2k , and the sets we are conunting
are just the number of times the value n is taken by this polynomial. This could
clearly be much generalized, with the obvious proviso that there should be some
suitable restrictions so as to make the number of solutions nite in number (e.g.
we would not want to count the number of integer solutions to ax + by = N , for
that is innite; however we could restrict x and y to taking non-negative values).
Ideally we would like to express these Diophantine arithmetic functions like rk
in terms of more elementary arithmetic functions like the divisor sum functions k .
Very roughly, this is the arithmetic analogue of the analytical problem expressing
a real-valued function f (x) as a combination of simple functions like xk or cos(nx),
sin(nx). Of course in analysis most interesting functions are not just polynomials
(or trigonometric polynomials), at least not exactly: rather, one either needs to
consider approximations to f by elementary functions, or to express f as some sort
of limit (e.g. an innite sum) of elementary functions (or both, of course). A similar
philosophy applies here, with a notable exception: even the elementary functions
like d(n) and (n) are not really so elementary as they rst appear!
2. Multiplicative Functions
2.1. Denition and basic properties.
An important property shared by many arithmetically signicant functions is
multiplicativity.
Denition: An arithmetic function f is said to be multiplicative if:

2. MULTIPLICATIVE FUNCTIONS

97

(M1) f (1) = 0.
(M2) For all relatively prime positive integers n1 , n2 , f (n1 n2 ) = f (n1 ) f (n2 ).
Lemma 87. If f is multiplicative, then f (1) = 1.
Proof. Taking n1 = n2 = 1, we have, using (M2)
f (1) = f (1 1) = f (1) f (1) = f (1)2 .
Now by (M1), f (1) = 0, so that we may cancel f (1)s to get f (1) = 1.

Exercise: Suppose an arithmetic function f satises (M2) but not (M1). Show that
f 0: i.e., f (n) = 0 for all n Z+ .
The following is a nice characterization of multiplicative functions:
Proposition 88. For an arithmetic function f , the following are equivalent:
a) f is multiplicative;
b) f is not identically zero, and for all n = pa1 1 pakk (the standard form factork
ization of n), we have f (n) = i=1 f (pai i ).
Remark: Here we are using the convention that for n = 1, k = 0, and a product
extending over zero terms is automatically equal to 1 (just as a sum extending over
zero terms is automatically equal to 0). (If this is not to your taste, just insert in
part b) the condition that f (1) = 1!)
Proof. Exercise.

In other words, a multiplicative function f is completely determined by the values

it takes on all prime powers pk . Thus, in trying to understand a function known
to be multiplicative, one needs only to see what it is on prime power values of
n. Note that, conversely, any function f dened only on prime powers pk and
satisfying f (1) = 1 extends to a unique multiplicative function.
2.2. Completely multiplicative functions. If you have never seen this definition before, then something has been bothering you the whole time, and I will
now respond to this worry. Namely, wouldnt it make more sense to say that a
function f is multiplicative if f (n1 n2 ) = f (n1 ) f (n2 ) for all integers n1 and
n2 ?
In a purely algebraic sense the answer is yes: the stronger condition (together with
f (1) = 0) says precisely that f is a homomorphism from the monoid Z+ to the
monoid C . This is certainly a very nice property for f to have, and it has a name
as well: complete multiplicativity. But in practice complete multiplicativity is
too nice: only very special functions satisfy this property, whereas the class of multiplicative functions is large enough to contain many of our arithmeticly signicant
functions. For instance, neither k (for any k) nor is completely multiplicative,
but, as we are about to see, all of these functions are multiplicative.
2.3. Multiplicativity of the k s.
Theorem 89. The functions k (for all k N) are multiplicative.

98

8. ARITHMETIC FUNCTIONS

Proof. It is almost obvious that the Mobius function is multiplicative. Indeed

its value at a prime power pa is: 1 if a = 0, 1 if a = 1, and 0 if a 2. Now there
is a unique multiplicative function with these values, and it is easy to see that is
that function: we have (pa1 1 pakk ) = 0 unless ai = 1 for all i as we should and
otherwise (p1 pk ) = (1)k = (p1 ) (pk ). In other words, is essentially
multiplicative by construction.
Now let us see that k is multiplicative. Observe that since gcd(n1 , n2 ) = 1!
every divisor d of n1 n2 can be expressed uniquely as a product d1 d2 with
di | ni . So

k (n1 n2 ) =
dk =
dk2 ) = k (n1 )k (n2 ).
(d1 d2 )k = (
dk1 )(
d | n1 n2

d1 | n1 , d2 | n2

d1 | n 1

d2 | n 2


2.4. CRT and the multiplicativity of the totient. The multiplicativity
of is closely connected to the Chinese Remainder Theorem, as we now review.
Namely, for coprime n1 and n2 , consider the map : Z/(n1 n2 ) Z/(n1 ) Z/(n2 )
given by
k (mod n1 n2 ) 7 (k (mod n1 ), k (mod n2 )).
This map is a well-dened homomorphism of rings, since if k1 k2 (mod n)i ,
then k1 k2 (mod n)1 n2 . Because the source and target have the same, nite,
cardinality n1 n2 , in order for it to be an isomorphism it suces to show either
that it is injective or that it is surjective. Note that the standard, elementary
form of the Chinese Remainder Theorem addresses the surjectivity: given any pair
of congruence classes i (mod n1 )and j (mod n2 ) the standard proof provides an
explicit formula for a class p(i, j) (mod n1 n2 ) which maps via onto this pair of
classes. However, writing down this formula requires at least a certain amount of
cleverness, whereas it is trivial to show the injectivity: as usual, we need only show
that the kernel is 0. Well, if (k) = 0, then k is 0 mod n1 and 0 mod n2 , meaning
that n1 | k and n2 | k. In other words, k is a common multiple of n1 and n2 , so, as
weve shown, k is a multiple of the least common multiple of n1 and n2 . Since n1
and n2 are coprime, this means that n1 n2 | k, i.e., that k 0 (mod n1 n2 )!
Theorem 90. There is a canonical isomorphism of groups
(Z/(n1 n2 )) (Z/(n1 )) (Z/(n2 )) .
Proof. This follows from the isomorphism of rings discussed above, together
with two almost immediate facts of pure algebra. First, if : R S is an
isomorphism of rings, then the restriction of to the unit group R of R is an
isomorphism onto the unit group S of S. Second, if S = S1 S2 is a product of
rings, then S = S1 S2 , i.e., the units of the product is the product of the units.
We leave it to the reader to verify these two facts.

Corollary 91. The function is multiplicative.
Proof. Since (n) = #(Z/(n)) , this follows immediately.

Now let us use the philosophy of multiplicativity to give exact formulas for k (n)
and (n). In other words, we have reduced to the case of evaluating at prime
power values of n, but this is much easier. Indeed, the positive divisors of pa are

2. MULTIPLICATIVE FUNCTIONS

99

1, p, . . . , pa , so the sum of the kth powers of these divisors is a + 1 when k = 0

and is otherwise
k (pa ) = 1 + pk + p2k + . . . + pak =

1 (pk )a+1
1 p(a+1)k
=
.
1 pk
1 pk

Similarly, the only numbers 1 i pa which are not coprime to pa are the multiples
of p, of which there are pa1 : 1 p, 2 p, . . . pa1 p = pa . So
1
(pa ) = pa pa1 = pa1 (p 1) = pa (1 ).
p
Corollary 92. Suppose n = pa1 1 pakk . Then:
k
a) d(n) = i=1 (ai + 1).
k
(a+1)k
b) For k > 0, k (n) = i=1 1p
.
1pk
k
c) (n) = i=1 pa1 (p 1).
The last formula is often rewritten as

(n)
1
(33)
=
(1 ).
n
p
p | n

While we are here, we quote the following more general form of the CRT, which is
often useful:
Theorem 93. (Generalized Chinese Remainder Theorem) Let n1 , . . . , nr be
any r positive integers. Consider the natural map
: Z Z/n1 Z Z/n2 Z . . . Z/nr Z
which sends an integer k to (k (mod n1 ), . . . , k (mod nr )).
a) The kernel of is the ideal (lcm(n1 , . . . , nr )).
b) The following are equivalent:
(i) is surjective;
(ii) lcm(n1 , . . . , nr ) = n1 nr .
(iii) The integers n1 , . . . , nr are pairwise relatively prime.
The proof is a good exercise. In fact the result holds essentially verbatim for
elements x1 , . . . , xr in a PID R, and, in some form, in more general commutative
rings.
2.5. Additive functions. The function is not multiplicative: e.g. (1) = 0
and (2) = 1. However it satises a property which is just as good as multiplicativity: (n1 n2 ) = (n1 ) + (n2 ) when gcd(n1 , n2 ) = 1. Such functions are
called additive. Finally, we have the notion of complete additivity: f (n1 n2 ) =
f (n1 ) + f (n2 ) for all n1 , n2 Z+ ; i.e., f is a homomorphism from the positive
integers under multiplication to the complex numbers under addition. We have
seen some completely additive functions, namely, ordp for a prime p.
Proposition 94. Fix any real number a > 1 (e.g. a = e, a = 2). A function
f is additive (respectively, completely additive) i af is multiplicative (respectively,
completely multiplicative).
Proof. Exercise.

100

8. ARITHMETIC FUNCTIONS

2.6. Sums of squares. The functions rk are not multiplicative: to represent

1 as a sum of k squares we must take all but one of the xi equal to 0 and the other
equal to 1. This amounts to rk (1) = 2k > 1. However, we should not give up so
rk
easily! Put rk = 2k
. We can now quote a beautiful theorem, parts of which may
be proved later.
Theorem 95. The function rk is multiplicative i k = 1, 2, 4 or 8.
2.7. Perfect numbers. The ancient Greeks regarded a positive integer n
as perfect if it is equal to the sum of its proper divisors (aliquot parts). They
knew some examples, e.g. 6, 28, 496, 8128.
In modern language a perfect number is a solution n of the equation (n) n = n,
or (n) = 2n. Aha, but we have an exact formula for the function: perhaps we
can use it to write down all perfect numbers? The answer is a resounding sort of.
Best, as usual, is to examine some data to try to gure out what is going on.
Since our formula for takes into account the standard form factorization of n, we
should probably look at these factorizations of our sample perfect numbers. We
nd:
6=23
28 = 22 7
496 = 24 31
8128 = 26 127.
As exercises in pattern recognition go, this is a pretty easy one. We have a power of
2 multiplied by an odd prime. But not just any odd prime, mind you, an odd prime
which happens to be exactly one less than a power of 2. And not just any power of
2...anyway, we soon guess the pattern 2n1 2n 1. But were still not done: in our
rst four examples, n was 2, 3, 5, 7, all primes. Finally we have a precise conjecture
that our knowledge of can help us prove:
Proposition 96. (Euclid) Let p be a prime such that 2p 1 is also prime.
Then Np = 2p1 (2p 1) is a perfect number.
Proof. Since 2p 1 is odd, it is coprime to 2p1 . So
(Np ) = (2p1 (2p 1)) = (2p1 )(2p 1).
But these are both prime power arguments, so are easy to evaluate, as above. We
get (2p1 ) = 2p 1 and (2p 1) = 2p , so overall (Np ) = 2p (2p 1) = 2Np . 
This is a nice little calculation, but it raises more questions than it answers. The
rst question is: are there innitely many primes p such that 2p 1 is prime? Such
primes are called Mersenne primes after Father Marin Mersenne, a penpal of
Fermat. It would be appropriate to make any number of historical remarks about
Mersenne and/or his primes, but we refer the reader to Wikipedia for this. Suce it
to say that, in theory, it is a wide open problem to show that there exist innitely
many Mersenne primes, but in practice, we do keep nding successively larger
Mersenne primes (at a rate of several a year), meaning that new and ridiculously
large perfect numbers are being discovered all the time.
Ah, but the second question: is every perfect number of the form Np for a
Mersenne prime p? Euler was able to show that every even perfect number is of


3. DIVISOR SUMS, CONVOLUTION AND MOBIUS
INVERSION

101

this form. The argument is a well-known one (and is found in Silvermans book) so
we omit it here. Whether or not there exist any odd perfect numbers is one of the
notorious open problems of number theory. At least you should not go searching for
odd perfect numbers by hand: it is known that there are no odd perfect numbers
N < 10300 , and that any odd perfect number must satisfy a slew of restrictive
conditions (e.g. on the shape of its standard form factorization).
3. Divisor Sums, Convolution and M
obius Inversion
The proof of the multiplicativity of the functions k , easy though it was, actually establishes a more general result. Namely,
suppose that f is a multiplicative

function, and dene a new function F = d f as

F (n) =
F (d).
d | n

For instance, if we start with the function f (n) = nk , then F = k . Note that
f (n) = nk is (in fact completely) multiplicative. The generalization of the proof is
then the following

Proposition 97. If f is a multiplicative function, then so is F (n) = d | n f (d).

Proof. If n1 and n2 are coprime, then F (n1 n2 ) = d|n1 n2 F (d) =

f (d2 )) = F (n1 )F (n2 ).

f (d1 ))(
f (d1 )f (d2 ) = (
f (d1 d2 ) =
d1 |n1 , d2 |n2

d1 |n1 , d2 |n2

d1 |n1

d2 |n2


Exercise: Show by example that f completely multiplicative need not imply F
completely multiplicative.
It turns out that the operation f 7 F is of general interest; it gives rise to a
certain kind of duality among arithmetic functions. Slightly less vaguely, sometimes f is simple and F is more complicated, but sometimes the reverse takes place.
Denition: Dene the function by (1) = 1 and (n) = 0 for all n > 1. Note that
is multiplicative. Also write for the function n 7 n.

Proposition 98. a) For all n > 1, d | n (d) = 0.

b) For all n Z+ , d | n (n) = n.

In other words, the sum over the divisors of the Mobius function is , and the sum
over the divisors of is .

Proof. a) Write n = pa1 1 par r . Then d | (n) = (1 ,...,r ) (p11 prr ),

where the i are 0 or 1. Thus
( ) ( )
( )

r
r
r r
(d) = 1 r +

+ . . . + (1)
= (1 1)r = 0.
2
3
r
d | n

For part b) we take advantage of the fact that since is multiplicative, so is the
sum over its divisors. Therefore it is enough to verify the identity for a prime power

102

8. ARITHMETIC FUNCTIONS

pa , and as usual this is signicantly easier:

d |

(pa ) =

pa

i=0

(pi ) = 1 +

(pi pi1 ) = 1 + (pa 1) = pa ,

i=1

where we have cancelled out a telescoping sum.

This indicates that the Mobius function is

of some interest. We can go further by
asking the question: suppose that F = d f is multiplicative; must f be multiplicative?
Well, the rstquestion
is to what extent f is determined by its divisor sum function: if F = d f = d g = G, must f = g? If so, is there a nice formula which
gives f in terms of F ?
Some calculations:
f (1) = F (1);
for any prime p, F (p) = f (1) + f (p), so f (p) = F (p) F (1);
F (p2 ) = f (1) + f (p) + f (p2 ) = F (p) + f (p2 ), so f (p) = F (p2 ) F (p); indeed
f (pn ) = F (pn ) F (pn1 ).
For distinct primes p1 , p2 , we have F (p1 p2 ) = f (1) + f (p1 ) + f (p2 ) + f (p1 p2 )
= F (1) + F (p1 ) F (1) + F (p2 ) F (1) + f (p1 p2 ), so
f (p1 p2 ) = F (p1 p2 ) F (p1 ) F (p2 ) + F (1).
This is an enlightening calculation on several accounts; on the one hand, there is
some sort of inclusion-exclusion principle at work. On the other hand, and easier
to enunciate, we are recovering f in terms of F and :
Theorem
99. (M
obius Inversion Formula) For any arithmetic function f , let

F (n) = d|n f (d). Then for all n,

F (d)(n/d).
f (n) =
d|n

It is a good exercise to give a direct proof of this. However, playing on a familiar

theme, we will introduce a little more algebra
to get an easier proof. Namely, we
can usefully generalize the construction f 7 d f = F as follows:
Denition: For arithmetic functions f and g, we dene their convolution, or
Dirichlet product, as

n
(f g)(n) =
f (d)g( ).
d
d | n


3. DIVISOR SUMS, CONVOLUTION AND MOBIUS
INVERSION

103

Why is this relevant? Well, dene 1 as the function 1(n) = 1 for all n;1 then
F = f 1. We have also seen that
1 = ,

(34)

and the inversion formula we want is

(f 1) = f.
Thus we see that if only it is permissible to rewrite (f 1) = f (1 ), then the
inversion formula is an immediate consequence of Equation (34). In other words,
we need to show that convolution is associative. In fact we can prove more:
Proposition 100. The arithmetic functions form a commutative ring under
pointwise addition i.e., (f + g)(n) = f (n) + g(n) and convolution. The multiplicative identity is the function .
Proof. In other words, we are making the following assertions: for all arithmetic functions f , g, h:
(i) f g = g f .
(ii) (f g) h = f (g h).
(iii) f = f .
(iv) f (g + h) = f g + f h.
To show both (i) and (ii) it is convenient to rewrite the convolution in symmetric
form:

f g(n) =
f (d1 )g(d2 ).
d1 d2 =n

The sum extends over all pairs of positive integers d1 , d2 whose product is n. This
already makes the commutativity clear. As for the associativity, writing things out
one nds that both (f g) h and f (g h) are equal to

f (d1 )g(d2 )h(d3 ),

d1 d2 d3 =n

and hence they are equal to each other! For (iii), we have

f (d1 )(d2 );
(f )(n) =
d1 d2 =n

(d2 ) = 0 unless d2 = 1, so the sum reduces to f (n)(1) = f (n). The distributivity

is easy and left to the reader.


We can now show that F = d f multiplicative implies f is multiplicative. Indeed,

this follows from f = F , the multiplicativity of and the following:
Proposition 101. If f and g are multiplicative, so is f g.
Proof. Just do it: for coprime m and n, (f g)(m)(f g)(n) =

f (a1 )g(a2 ))(

f (b1 )g(b2 )) =
f (a1 )f (b1 )g(a2 )g(b2 ) =
(
a1 a2 =m

b1 b2 =n

a1 a2 b1 b2 =mn

f (x)g(y) = (f g)(mn).

xy=mn
1We now have three similar-looking but dierent functions oating around: , and 1. It may
help the reader to keep on hand a short cheat sheet with the denitions of all three functions.

104

8. ARITHMETIC FUNCTIONS


4. Some Applications of M
obius Inversion
4.1. Application: another proof of the multiplicativity of the totient.
Our rst application of Mobius inversion is to give a proof of the multiplicativity
of which is independent of the Chinese
Remainder Theorem. To do this, we will

give a direct proof of the identity d|n (d) = n. Note that it is equivalent to write
the left hand side as
n
( ),
d
d|n

since as d runs through all the divisors of n, so does nd .2 Now let us classify elements
of {1, . . . , n} according to their greatest common divisor with n. The greatest common divisor of any such element k is a divisor d of n, and these are exactly the
elements k such that kd is relatively prime to nd , or, in yet other words, the elements
dl with 1 l nd and gcd(l, nd ) = 1, of which there are ( nd ). This proves the identity! Now, we can apply Mobius inversion to conclude that = is multiplicative.
Here is a closely related approach. Consider the additive group of Z/nZ, a cyclic
group of order n. For a given positive integer d, how many order d elements does it
have? Well, by Lagranges Theorem we need d|n. An easier question is how many
elements there are of order dividing a given d (itself a divisor of n): these are just the
elements x Z/nZ for which dx = 0, i.e., the multiples of n/d, of which there are
clearly d. But Mobius Inversion lets us pass from the easier question to the harder
question:indeed, dene f (k) to be the number of elements of order k in Z/nZ; then
F (k) = d|k f (d) is the number of elements of order dividing k, so we just saw
that F (k) = k. Applying Mobius inversion, we get that f (k) = (I )(k) = (k).
On the other hand, it is not hard to see directly that f (k) = 0 if k does not divide
n and otherwise equals (k) e.g., using the fact that there is a unique subgroup
of order k for all k | n and this gives another proof that 1 = .
4.2. A formula for the cyclotomic polynomials. For a positive integer d,
let d (x) be the monic polynomial whose roots are the primitive dth roots of unity,
i.e., those complex numbers which have exact order d in the multiplicative group
C (meaning that z d = 1 and z n = 1 for any integer 0 < n < d). These primitive
roots are contained in the group of all dth roots of unity, which is cyclic of order
d, so by the above discussion there are exactly (d) of them: in other words, the
degree of the polynomial d is (d).3 It turns out that these important polynomials
have entirely integer coecients, although without a somewhat more sophisticated
algebraic background this may well not be so obvious. One might think that to
write down formulas for the d one would have to do a lot of arithmetic with
complex numbers, but that is not
at all the case. Very much in the spirit of the
group-theoretical interpretation of d|n (d) = n, we have

d (x) = xn 1,
d|n
2Alternately, this just says that f 1 = 1 f .
3For once, the ancients who xed the notation have planned ahead!


4. SOME APPLICATIONS OF MOBIUS
INVERSION

105

since, both the left and right-hand sides are monic polynomials whose roots consist
of each nth root of unity exactly once.
In fact it follows from this formula, by induction, that the d s have integral
coecients. But Mobius inversion gives us an explicit formula. The trick here is to
convert the divisor product into a divisor sum by taking logarithms:

log
d (x) =
log d (x) = log(xn 1).
d|n

d|n

Now applying Mobius inversion, we get

n
log n (x) =
log(xd 1)( )
d
d|n

= log (xd 1)(n/d) ,

d|n

so exponentiating back we get a formula which at rst looks too good to be true:

(xd 1)(n/d) .
n (x) =
d|n

But it is absolutely correct, and, as advertised, reduces the computation of the

cyclotomic polynomials to arithmetic (including division!) of polynomials with integer coecients.
Remark: Our trick of taking logs was done without much worry about rigor. It is
not literally true that log(xn 1) is an arithmetic function, since it is not dened for
x = 1. We can justify what we have done as follows: for xed n, since the d s and
xn 1 are a nite set of monic polynomials with integer coecients, there exists a
large positive integer N such that for all d dividing n and all x Z+ , d (x+N ) 1,
so that log(d (x + N )) and log(x + N )d 1 are well-dened arithmetic functions,
to which we apply MIF. This gives us the desired identity with x + N in place of
x, but being an identity of polynomials, we can substitute x N for x to get back
to the desired identity.
On the other hand, such ad hockery is not so aesthetically pleasing. The formula
we obtained suggests that MIF may be valid for functions f dened on Z+ but
with more general codomains than C. If R is a commutative ring, then the statement and proof of MIF go through verbatim for R-valued arithmetic functions
f : Z+ R. But this is not the right generalization for the present example: we
want a MIF for functions with values in the multiplicative group C(x) of nonzero
rational functions. In fact, for any commutative group A whose group law we
will write as addition, even though in our application it is called multiplication if
one considers A-valued arithmetic functions f : Z+ A, then there is in general
no convolution
product (since we cant multiply
elements of A), but nevertheless

F (n) = d|n f (d) makes sense, as does d|n F (d)(n/d), where for a A we interpret 0 a as being the additive identity element
0A , 1 a as a and 1 a as the
additive inverse a of a. Then one can check that d|n F (d)(n/d) = f (n) for all
f , just as before. We leave the proof as an exercise.

106

8. ARITHMETIC FUNCTIONS

4.3. Finite subgroups of unit groups of elds are cyclic.

Theorem 102. Let F be a eld and G F a nite subgroup of the multiplicative group of units of F . Then G is cyclic.
Proof. Suppose G has order n. Then, by Lagranges theorem, we at least
know that every element of G has order dividing n, and what we would like to
know is that it has an element of order exactly n. We recognize this as an MIF
situation, but this time MIF serves more as inspiration than a tool.
Namely, for any divisor d of n, let us dene Gd to be the set of elements of
G of order dividing d. Gd is easily seen to be a subgroup of G, and subgroups of
cyclic groups are cyclic, so if what we are trying to prove is true then Gd is a cyclic
group of order d. Certainly this is true for d = 1! So assume by induction that this
is true for all proper divisors d of n.
Now let f (d) be the number of elements of order d in G. We know f (d) = 0
unless d is a divisor of n. We also know that for any d there are at most d elements
in all of F of order d: the polynomial xd 1 can have at most d roots. Now
suppose d is a proper divisor of n: our induction hypothesis implies that there
are exactly d roots, namely the elements of Gd ; moreover, since we are assuming
that Gd is cyclic, of these d elements, exactly (d) of them have exact order d.
So f (d) = (d) for all proper divisors d of n. But this
means that the number of
elements of G whose order is a proper divisor of n is d|n (d) (n) = n (n),
which leaves us with n (n (n)) = (n) of elements of a group of order n whose
order is not any proper divisor of n. The only possibility is that these elements all
have order n, which is what we wanted to show.

4.4. Counting irreducible polynomials.
Here is a truly classic application of Mobius Inversion.
Theorem 103. For any prime number p and any n Z+ , the number of
polynomials P (x) Z/pZ[x] which are irreducible of degree n is

1 d ( n )
I(Z/pZ, n) =
p
.
n
d
d|n

The proof of Theorem 103 requires some preliminaries on polynomials over nite
elds. We give a complete treatment in Appendix C.

CHAPTER 9

Asymptotics of Arithmetic Functions

1. Introduction
Having entertained ourselves with some of the more elementary and then the more
combinatorial/algebraic aspects of arithmetic functions, we now grapple with what
is fundamentally an analytic number theory problem: for a given arithmetic function f , approximately how large is f (n) as a function of n?
It may at rst be surprising that this is a reasonable and, in fact, vital question to ask even for the elementary functions f for which we have found exact
formulas, e.g. d(n), (n), (n), (n) (and also r2 (n), which we have not yet taken
the time to write down a formula for but could have based upon our study of the
Gaussian integers). What we are running up against is nothing less than the multiplicative/additive dichotomy that we introduced at the beginning of the course: for
simple multiplicative functions f like d and , we found exact formulas. But these
formulas were not directly in terms of n, but rather made reference to the standard
form factorization pa1 1 par r . It is easy to see that the behavior of, say, (n) as a
function of n alone cannot be so simple. For instance, suppose N = 2p 1 is a
Mersenne prime. Then
(N ) = N 1.
But
N +1
(N + 1) = (2p ) = 2p 2p1 = 2p1 =
.
2
This is a bit disconcerting: N + 1 is the tiniest bit larger than N , but (N + 1) is
half the size of (N )!
Still we would like to say something about the size of (N ) for large N . For
instance, we saw that for a prime p there are precisely (p 1) primitive roots
modulo p, and we would like to know something about how many this is.
Ideal in such a situation would be to have an asymptotic formula for : that is, a
simple function g : Z+ (0, ) such that limn (n)
g(n) = 1. (In such a situation
we would write g.) But it is easy to see that this is too much to ask. Indeed,
as above we have (p) = p 1, so that restricted to prime values (p) p; on the
other hand, restricted to even values of n, (n) n2 , so there is too much variation
in for there to be a simple asymptotic expression.
This is typical for the classical arithmetic functions; indeed, some of them, like
the divisor function, have even worse behavior than . In other words, has more
than one kind of limiting behavior, and there is more than one relevant question to
ask. We may begin with the following:
107

108

9. ASYMPTOTICS OF ARITHMETIC FUNCTIONS

Question 4. a) Does (n) grow arbitrarily large as n does?

b) How small can (n)/n be for large n?
Part a) asks about the size of in an absolute sense, whereas part b) is asking
about in a relative sense. In particular, since there are (p) = p 1 elements of
(Z/pZ) , the quantity (p1)
p1 measures the chance that a randomly chosen nonzero
residue class is a primitive root modulo p. Note we ask how small because we
know how large (n)
n can be: arbitrarily close to 1, when n is a large prime.
2. Lower bounds on Eulers totient function
Anyone who works long enough with the function (for instance, in computing all
n such that (n) 10) will guess the following result:
Proposition 104. We have limn (n) = .
Equivalently: for any L Z+ , there are only nitely many n such that (n) L.
The idea of the proof is a simple and sensible one: if a positive integer n is large,
it is either divisible by a large prime p, or it is divisible by a large power a of a prime,
or both. To formalize this a bit, consider the set S(A, B) of positive integers n which
are divisible only by primes p A and such that ordp (n) B for all primes p. Then
S(A, B) is a nite
set: indeed it has at most (B + 1)A elements. (Also its largest
element is at most pA pB (A!)B , which is, unfortunately, pretty darned large.)
So if we assume that n is suciently large say larger than (L!)L then n is
divisible either by a prime p > L or by pL+1 for some prime p. It is easy to show
that if m | n, (m)|(n) and thus (m) (n). So in the rst case we have
(n) (p) = p 1 L,
and in the second case we have
(n) (pL+1 ) = pL (p 1) pL > L.
So weve shown that if n > (L!)L , then (n) L, which proves the result.
It was nice to get an explicit lower bound on , but the bound we got is completely useless in practice: to compute all n for which (n) 5 above argument
tells us that it suces to look at n up to 1205 = 24883200000. But this is ridiculous:
ad hoc arguments do much better. For instance, if n is divisible by a prime p 7,
then (n) is divisible by p 1 6, so we must have n = 2a 3b 5c . If c 2, then
25 | n so 20 = (25) (n). Similarly, if b 2, then 9 | n so 6 = (9) (n), and
if a 4, then 16 | n so 8 = (16) (n). So, if n = 5m, then (n) = 4(m) so
(m) = 1 and thus m = 1 or 2. If n = 3m, then (n) = 2(m), so (m) = 1 or 2,
so n = 3 1, 3 2, 3 4. Otherwise n is not divisible by 9 or by any prime p 5, so
that b 1 and a 3. This yields the possibilities n = 1, 2, 4, 8, 3, 6. In summary,
(n) 5 i
n = 1, 2, 3, 4, 5, 6, 8, 10, 12.
More practical lower bounds are coming up later.
However, it is interesting to note that essentially the same idea allows us to give
us a much better asymptotic lower bound on . Namely, we have the following

2. LOWER BOUNDS ON EULERS TOTIENT FUNCTION

109

pretty result which once again underscores the importance of keeping an eye out
for multiplicativity:
Theorem 105. Suppose f is a multiplicative arithmetic function such that
f (pa ) 0 as pa . Then f (n) 0 as n .
In other words if f is a multiplicative function such that for every > 0, |f (pm )| <
for all suciently large prime powers, it follows that |f (n)| < for all suciently
large n, prime power or otherwise.
Remark: As long as our multiplicative function f is never 0, an equivalent statement is that if f (pn ) for all prime powers than f (n) for all n. (Just
apply the theorem to g = f1 , which is multiplicative i f is.) So assuming the
theorem, we can just look at
(pa ) = pa1 (p 1) max(p 1, a 1),
and if pa is large, at least one of p and a is large. But actually we get more:
Corollary 106. For any xed , 0 < < 1, we have (n)/n .

n
Proof. We wish to show that f (n) := (n)
0 as n . Since both n
and (n) are multiplicative, so is their quotient f , so by the theorem it suces to
show that f approaches zero along prime powers. No problem:

f (pn ) =

pn
p
=
(p1 )n .
n1
p
(p 1)
p1

Here 1 < 0, so as p the rst factor approaches 1 and the second factor
approaches 0 (just as x 0 as x for negative ). On the other hand, if p
stays bounded and n then the expression tends to 0 exponentially fast.

Now let us prove Theorem 105. We again use the idea that for any L > 0, there
exists N = N (L) such that n > N implies N is divisible by a prime power pa > L.
First lets set things up: since f (pm ) 0 we have that f is bounded on prime
powers, say |f (pm )| C. Moreover, there exists a b such that |f (pm )| 1 for all
pm b; and nally, for every > 0 there exists L() such that pm > L() implies
|f (pm )| < . Now write n = pa1 1 par r , so that
f (n) = f (pa1 1 ) f (par r ).
Since there are at most b indices i such that pai i B, there are at most b factors in
the product which are at least 1 in absolute value, so that the product over these
bad indices has absolute value at most C b . Every other factor has absolute value
at most 1. Moreover, if n is suciently large with respect to L() (explicitly, if
n > L()!L() , as above), then the largest prime power divisor par r of n is greater
than L() and hence |f (par r )| < . This gives
|f (n)| = |f (pa1 1 par r )| C b .
Since C and b are xed and is arbitrary, this shows that f (n) 0 as n .
A nice feature of Theorem 105 is that it can be applied to other multiplicative
functions. For instance, it allows for a quick proof of the following useful upper
bound on the divisor function:

110

9. ASYMPTOTICS OF ARITHMETIC FUNCTIONS

Theorem 107. For every xed > 0, we have

lim

d(n)
= 0.
n


Proof. Exercise.

Note that Corollary 106 is equivalent to the following statement: for every 0 < <
1, there exists a positive constant C() such that for all n,
(n) C()n .
Still equivalent would be to have such a statement for all n N0 . This would
be very useful provided we actually knew an acceptable value of C() for some ,
possibly with an explicitly given and reasonably small N0 () of excluded values.
We quote without proof the following convenient result for = 21 :

Theorem 108. For all n > 6, (n) n.

So in other words, to nd all n for which (n) 10, according to this result we need
only look at n up to 100, which is fairly reasonable. Of course if you are interested
in very large values of you will want even stronger bounds. The truth is coming
up later: there is a remarkable explicit lower bound on (n).
3. Upper bounds on Eulers function
Proposition 109. For any > 0, there is an n such that (n)/n .
Proof. Recall that one of our formulas for (n), or rather for (pa1 1 par r ),
is really a formula for (n)/n:
(n)/n =

i=1

(1

1
).
pi

Just for fun, lets ip this over:

n
1
=
(1 );
(n) i=1
pi
r

now what
we need to show is that for any L > 0, we can choose primes p1 , . . . , pr
r
such that i=1 ( pip1
)1 > L.
i
Well, at the moment we (sadly for us) dont know much more about the sequence
of primes except that it is innite, so why dont we just take n to be the product
of the rst r primes p1 = 2, . . . , pr ? And time for a dirty trick: for any i, 1 i r,
we can view 11 1 as the sum of a geometric series with ratio r = p1i . This gives
pi

n
1
2
=
(1 )1 =
(1 + p1
i + pi + . . .).
(n) i=1
pi
i=1
r

The point here is that if we formally extended this product over all primes:

2
3
(1 + p1
i + pi + pi + . . .)
i=1

and multiplied it all out, what would we get? A moments reection reveals a
beautiful surprise: the uniqueness of the prime power factorization is precisely

4. THE TRUTH ABOUT EULERS FUNCTION

111

equivalent to the
statement that multiplying out this innite product we get the
innite series n=1 n1 , i.e., the harmonic series! Well, except that the harmonic
series is divergent. Thats actually a good
r thing; but rst lets just realize that
if we multiply out the nite product i= (1 p1i )1 we get exactly the sum of
the reciprocals of the integers n which are divisible only by the rst r primes. In
particular since of course pr r, this sum contains the reciprocal of the rst r
integers, so: with n = p1 pr ,
r

n
1

.
(n) n=1 n

But now were done, since as we said before the harmonic series diverges recall that a very good approximation to the rth partial sum is log r, and certainly
limr log r = . This proves the result.

To summarize, if we want to make (n)/n arbitrarily small, we can do so by taking
n to be divisible by suciently many primes. On the other hand (n)/n doesnt
1
have to be small: (p)/p = p1
p = 1 p , and of course this quantity approaches 1
as p . Thus the relative size of (n) compared to n depends quite a lot on the
shape of the prime power factorization of n.
Contemplation of this proof shows that we had to take n to be pretty darned
large in order for (n) to be signicantly smaller than n. In fact this is not far from
the truth.
4. The Truth About Eulers Function
It is the following:
Theorem 110. a) For any > 0 and all suciently large n, one has
(n) log log n
e .
n
b) There exists a sequence of distinct positive integers nk such that
lim

(nk ) log log nk

= e .
nj

Comments: (a) Here is our friend the Euler-Mascheroni constant, i.e.,

n

1
( ) log n 0.5772.
n
k

lim

k=1

(b) What the result is really saying is that n/(n) can be, for arbitrarily large n,
as large as a constant times log log n, but no larger.
In stating the result in two parts we have just spelled out a fundamental concept
from real analysis (which however is notoriously dicult for beginning students to
understand): namely, if for any function f : Z+ R we have a number L with the
property: for every > 0, then
(i) for all suciently large n one has
f (n) > L ,

112

9. ASYMPTOTICS OF ARITHMETIC FUNCTIONS

and (ii) for all L < L there are only nitely many n such that f (n) < L , then one
says that L is the lower limit (or limit inferior) of f (n), written
lim inf f (n) = L.
n

There is a similar denition of the upper limit (or limit superior) of a function:
it is the largest L such that for any > 0, for all but nitely many n we have
f (n) < L + . A function which is unbounded below (i.e., takes arbitrarily small
values) has no lower limit according to our denition, so instead one generally says
that lim inf f = , and similarly we put lim sup f = + when f is unbounded
above. With these provisos, the merit of the upper and lower limits is that they
always exist; moreover one has
lim inf f lim sup f
always, and equality occurs i limn f exists (or is ). Using this terminology
we can summarize the previous results much more crisply:
Since (p) = p 1, we certainly have
lim sup (n)/n = 1,
so we are only interested in how small (n) can be for large n. We rst showed
that limn (n) = +, and indeed that for any < 1,
lim (n)/n = .

However, for = 1,
lim inf (n)/n = 0.
n

Thus the lower order of (n) lies somewhere between n for < 1 (i.e., is larger
than this for all suciently large n) and n (i.e., is smaller than this for innitely
many n). In general, one might say that an arithmetic function f has lower order
g : Z+ (0, ) (where g is presumably some relatively simple function) if
lim inf
n

f
= 1.
g

So the truth is that the lower order of is

e n
log log n .

We will not prove this here.

Remark: all statements about limits, lim infs lim sups and so on of a function
f , by their nature are independent of the behavior of f on any xed nite set of
values: if we took any arithmetic function and dened it completely randomly for
10
the rst 1010 values, then we would not change its lower/upper order. However in
practice we would like inequalities which are true for all values of the function, or
at least are true for an explicitly excluded and reasonably small nite set of values.
In the jargon of the subject one describes the latter, better, sort of estimate as an
eective bound. You can always ask the question Is it eective? at the end of
any analytic number theory talk and the speaker will either get very happy or very
defensive according to the answer. So here we can ask if there is an eective lower
bound for of the right order of magnitude, and the answer is a resounding yes.
Here is a nuclear-powered lower bound for the totient function:

5. OTHER FUNCTIONS

113

Theorem 111. For all n > 2 we have

(n) >

n
log log n +

3
log log n

.


Proof. See [RS62, Thm. 15].

5. Other Functions

5.1. The sum of divisors function . The story for the function is quite
similar to that of . In fact there is a very close relationship between the size of
and the size of coming from the following beautiful double inequality.
Proposition 112. For all n, we have
(n)(n)
1
<
< 1.
(2)
n2

Proof. Indeed, if n = i pai i , then

pai +1 1
1 pai 1
i
,
(n) =
=n
pi 1
1 p1
i
i
i
whereas
(n) = n

(1 p1
i ),
i

so

(n)(n)
i 1
=
(1 pa
).
i
n2
i

We have a product of terms in which each factor is less than one; therefore the
product is at most 1. Conversely, each of the exponents
is less than or equal to 2,

so the product is at least as large as the product p (1 p2 ). Now in general, for

s > 1 we have

1
(1 ps )1 =
(1 + ps + p2s + . . .) =
= (s),
ns
p
p
n=1
so the last product is equal to
Remark: Recall that (2) =

1
(2) .

2
6 ,

so that

1
(2)

6
2 .

From this result and the corresponding results for we immediately deduce:
Theorem 113. For every > 0,

(n)
n1+

0.

In fact we can prove this directly, the same way as for the function.
The truth about the lower order of dualizes to give the true upper order of ,
up to an ambiguity in the multiplicative constant, which will be somewhere between
(2)1 e and e . In fact the latter is correct:
Theorem 114.

e (n)
= 1.
n n log log n

lim sup

And again, because (p) = p + 1 p for primes, we nd that the lower order of
(n) is just n.

114

9. ASYMPTOTICS OF ARITHMETIC FUNCTIONS

5.2. The divisor function. The divisor function d(n) is yet more irregularly
behaved than and , as is clear because d(p) = 2 for all primes 2, but of course
d takes on arbitrarily large values. In particular the lower order of d is just the
constant function 2. As regards the upper order, we limit ourselves to the following
two estimates, which you are asked to establish in the homework:
Theorem 115. For any > 0, limn

d(n)
n

= 0.

In other words, for large n, the number of divisors of n is less than any prearranged
power of n. This makes us wonder whether its upper order is logarithmic or smaller,
but in fact this is not the case either.
Proposition 116. For any k Z+ and any real number C, there exists an n
such that d(n) > C(log n)k .
Thus the upper order of d(n) is something greater than logarithmic and something
less than any power function. We leave the matter there, although much more
could be said.
6. Average orders
If we take the perspective that we are interested in the distribution of values of an
arithmetic function like (or d or or . . .) in a statistical sense, then we ought
to worry that just knowing the upper and lower orders is telling us a very small
piece of the story. As a very rough comparison, suppose we tried to study the
American educational system by looking at its best and worst students, not in the
sense of best or worst ever, but were concerned with what sort of education the top
0.1% and the bottom 0.1% of Americans get, durably over time. The rst task is
certainly of some interest for instance, we all wonder how our upper echelon compares to the creme de la creme of the educational systems of other nations and other
times; are we producing more or less scientic geniuses and so forth and the latter
task is profoundly depressing, but probably no one will be deluded into believing
that we are studying anything like what the typical or average American learns.
It may interest you to know that the rich range of statistical techniques that can
be so fruitfully applied to studying distributions of real-world populations can be
equally well applied to study the distribution of values of arithmetic functions. Indeed, this is a ourishing subbranch of analytic number theory: statistical number theory. Here we have time only to sample some of the main developments
of analytic number theory. And, what is yet more sad, we cannot assume that we
know enough about these statistical tools to apply them in all their glory.1 But
probably we are all familiar with the notion of an average.
The idea here is that if f (n) is irregularly behaved, we can smooth it out by
considering its successive averages, say
1
fa (n) =
f (k).
n
n

k=1

1This is one case where by we I mean me; maybe your knowledge of statistics is equal
to the task, but I must confess that mine is not.

6. AVERAGE ORDERS

115

We have every right to expect for fa to be better behaved than f itself, and we
say that the average order of f is some (presumably simpler) function g if fa g.
As a sample we give the following classic result:
Theorem 117. The average order of the totient function is g(n) =

1
2(2) n

3
2 n.

Thus in some sense the typical value of (n)/n is about .304. It would be nice to
interpret this as saying that if we pick an n at random, then with large probability
(n)/n is close to .304, but of course we well know that the average i.e., the
arithmetic mean does not work that way. Just because the average score on an
exam is 78 does not mean that most students got a grade close to 78. (Perhaps
2/3 of the course got A grades and the other third failed; these things do happen.)
Nevertheless it is an interesting result, and to prove it we will derive a very interesting consequence.
First however it is nice to have a harder analysis
n analogue of Theorem 117. That
is, the theorem at the moment asserts that n1 k=1 (k) 32 n, or equivalently
n
k=1 (k)
lim
= 1.
3 2
n
2 n
n
This in turn means that if we dene the error term E(n) = k=1 (k) ( 32 )n2 ,
n
so that k=1 (k) = 32 n2 + E(n), then the error term is small compared to the
main term: namely it is equivalent to
lim

E(n)
= 0.
(3/ 2 )n2

So far we are just pushing around the denitions. But a fundamentally better
thing to do would be to give an upper bound on the error E(n), i.e., to nd a
h(n)
nice, simple function h(n) such that E(n) h(n) and (3/
2 )n2 0 In fact we do
not need E(n) h(n) quite: if E(n) were less than 100h(n) that would be just as
good, because if h(n) divided by (3/ 2 )n2 approaches zero, the same would hold
for 100h(n). This motivates the following notation:
We say that f (n) = O(g(n)) if there exists a constant C such that for all n,
f (n) Cg(n). So it would be enough to show that E(n) = O(h(n)) for some function h which approaches zero when divided by 32 n2 , or in more colloquial language,
for any function grows less than quadratically. So for instance a stronger statement
would be that E(n) = O(n ) for any < 2. In fact one can do a bit better than
this:
Theorem 118.

k=1

(k) =

3 2
n + O(n log n).
2

Or again, dividing through by n, this theorem asserts that that the average over the
rst n values of the function is very nearly 32 n, and the precise sense in which
this is true is that the dierence between the two is bounded by a constant times
log n. Note that it would be best of all to know an actual acceptable value of such

116

9. ASYMPTOTICS OF ARITHMETIC FUNCTIONS

a constant that would be a completely eective version of the statement, but

we do not go into this here (or need to).
Now we can give a very nice application, which we can rst state in geometric
language. It concerns the lattice points in the plane, i.e., the numbers (x, y) R2
with both x and y integers (so, if you like, the Gaussian integers, although this extra structure is not relevant here). Suppose we are some lord of the lattice points,
sitting at the origin (0, 0) and surveying our entire domain. What do we see? Well
assuming a truly 2-dimensional situation we can see some of our loyal subjects
but not others. For instance we can certainly see the point (1, 1), but we cannot
see (2, 2), (3, 3) or any n(1, 1) with n > 1 since the point (1, 1) itself obscures our
view.
Thus we can dene a lattice point (x, y) to be visible (from the origin) if the
line segment from (0, 0) to (x, y) contains no lattice points on its interior. Supppose we start coloring the lattice, coloring a lattice point red if we can see it and
black if we cannot see it. Try it yourself: this gives a very interesting pattern. It is
natural to ask: how many of the lattice points can we see?
Well, the rst observation is that a lattice point (x, y) is visible i gcd(x, y) = 1:
an obstructed view comes precisely from a nontrivial common divisor of x and y.
From this it follows that the answer is innitely many: for instance we can see
(1, n) for all integers n, and many more besides. Well, let us change our question
a bit. Suppose that each of the lattice points is supposed to pay a at tax to our
lordship, and if we see a lattice point then we can see whether or not it has paid
its taxes. What percentage of our revenue are we collecting if we only worry about
the lattice points we can see?
Now to formalize the question. If we ask about the entire lattice at once, the
answer to most of our questions is always going to be innity, and moreover an
actual king (even a two-dimensional one) probably rules over a nite kingdom. So
for a positive integer N , let us write L(N ) for the number of lattice points (x, y)
with |x|, |y| N that is, the lattice points lying in the square centered at the
origin with length (and width) equal to 2N . Well, this number is (2N + 1)2 : there
are 2N + 1 possible values for both x and y. But now dene V (N ) to be the number of visible lattice points, and our question is: when N is large, what can we say
(N )
about VL(N
)?
Theorem 119. We have limN

V (N )
L(N )

6
2 .

Before we prove the result, we can state it in a slightly dierent but equally striking
way. We are asking after all for the number of ordered pairs of integers (x, y) each
of absolute value at most N , with x and y relatively prime. So, with a bit of poetic
license perhaps, we are asking: what is the probability that two randomly chosen
integers are relatively prime? If we lay down the ground rules that we are randomly choosing x and y among all integers of size at most N , then the astonishing
answer is that we can make the probability as close to 62 as we wish by taking N
suciently large.

6. AVERAGE ORDERS

117

Now let us prove the result, or at any rate deduce it from Theorem 117. First
we observe that the eight lattice points immediately nearest the origin i.e., those
with max(|x|, |y|) 1 are all visible. Indeed there is an eightfold symmetry in
the situation: the total number of visible lattice points in the square |x|, |y| N
will then be these 8 plus 8 times the number of lattice points with 2 x N ,
1 y x (i.e., the ones whose angular coordinate satisfy 0 < 2 . But now
we have

V (N ) = 8 +
1=8
(N ).
Aha: we know that

2nN 1mn,(m,n)=1

1nN

(N ) =

3
2
2 N

1nN

+ O(N log N ), so

V (N ) 242 N 2
N log N
|C
.
L(N )
L(N )

log N
0 as N , so we nd that
But now L(N ) = (2N + 1)2 , and C N N
2

V (N ) 242 N 2
,
N
(2N + 1)2

0 = lim
or

24
V (N )
6
2
= lim
= 2.
N L(N )
N (2 + 1 )2

lim

Having given a formal proof of this result based upon the unproved Theorem 117
(trust me that this theorem is not especially dicult to prove; it just requires a
bit more patience than we have at the moment), let us now give a proof which
is not rigorous but is extremely interesting and enlightening. Namely, what does
it really mean for two integers x and y to be relatively prime? It means that
there is no prime number p which simultaneously divides both x and y. Remarkably, this observation leads directly to the result. Namely, the chance that x is
divisible by a prime p is evidently p1 , so the chance that x and y are both divisible
by p is p12 . Therefore the chance that x and y are not both divisible by a prime
p is (1 p2 ). Now we think of being divisible by dierent primes as being independent events: if I tell you that an integer is divisible by 3, not divisible by
5 and divisible by 7, and ask you what are the odds its divisible by 11, then we
1
still think the chance is 11
. Now the probability that each of a set of independent
events all occur is the product of the probabilities that each of them occur, so the
probability that x and y are not simultaneously divisible by any prime p ought to
be (1 22 ) (1 32 . . . (1 p2 )
, but we saw earlier that this innite product

is nothing else than the reciprocal of n=1 n12 = (2). Thus the answer should be
1
6
(2) = 2 !
The argument was not rigorous because the integers are not really a probability
space: there is nothing random about whether, say, 4509814091046 is divisible by
103; either it is or it isnt. Instead of probability one should rather work with the
notion of the density of a set of integers (or of a set of pairs of integers) a notion
which we shall introduce rather soon and then all is well until we pass from sets
dened by divisibility conditions on nitely many primes to divisibility conditions
on all (innitely many) primes. This is not to say that such a probability-inspired
proof cannot be pushed through it absolutely can. Moreover, the fact that the

118

9. ASYMPTOTICS OF ARITHMETIC FUNCTIONS

probabilistic argument gives an answer which can be proven to be the correct answer via conventional means is perhaps most interesting of all.
Finally, we note that probabilistic reasoning gives the same answer to a closely
related question: what is the probability that a large positive integer n is squarefree? This time we want, for each prime p independently, n not to be divisible
by p2 , of which 1 p2 percent of all integers are. Therefore we predict that the
probability that n is squarefree is also 62 , and this too can be proved by similar
(although not identical) means to the proof of Theorem 117.
6.1. The average order of the M
obius function. We are interested in the
behavior of
n
1
a (n) =
(k).
n
k=1

This is a horse of a completely dierent color, as we are summing up the values

0 and 1. We just saw that is nonzero a positive proportion, namely 6 , of the
time. Looking at values of the Mobius function on squarefree integers one nds
that it is indeed +1 about as often as it is 1, which means that there ought to
be a lot of cancellation in the sum. If every single term in the sum were 1 then
a (n) would still only be equal to 1, and similarly if every single term were 1 the
average order would be 1, so the answer (if the limit exists!) is clearly somewhere
in between. The only sensible guess turns out to be true:
Theorem 120. The average order of the M
obius function is zero:
n
k=1 (k)
= 0.
lim
n
n
However, this turns out to be a formidably deep result. Namely, it has been known
for almost two hundred years that this statement is logically equivalent to the single
greatest result in analytic number theory: the prime number theorem (coming up!).
However the prime number theorem has only been known to be true for a bit over
one hundred years.
In fact one can ask for more: the statementthat the average order of is zero
n
is equivalent to the statement that the sum k=1 (k) is of smaller order than n
itself, i.e., we need just enough cancellation to beat the trivial bound. But if you
do some computations you will see that these partial sums seem in practice to be
quite a bit smaller than n, and to say exactly how large they should be turns out
to be a much deeper problem yet: it is equivalent to the Riemann hypothesis. I
hope to return to this later, but for now I leave you with the question: suppose you
believed that the nonzero values of the Mobius function were truly random: i.e.,
for every n we ip a coin and bet on heads: if we win, we add 1 to the sum, and if
we lose, we subtract 1 from the sum. It is then clearly ridiculous to expect to win
or lose all the games or anything close to this: after n games we should indeed be
much closer to even than to having won or lost n dollars. But how close to even
should we expect to be?

CHAPTER 10

The Primes: Infinitude, Density and Substance

1. The Innitude of the Primes
The title of this section is surely, along with the uniqueness of factorization, the
most basic and important fact in number theory. The rst recorded proof was
by Euclid, and we gave it at the beginning of the course. There have since been
(very!) many other proofs, many of which have their own merits and drawbacks. It
is entirely natural to look for further proofs: in terms of the arithmetical function
(n) which counts the number of primes p n, Euclids proof gives that
lim (n) = .

After the previous section we well know that one can ask for more, namely for
the asymptotic behavior (if any) of (n). The asymptotic behavior is known the
celebrated Prime Number Theorem, coming up soon but it admits no proof
simple enough to be included in this course. So it is of interest to see what kind of
bounds (if any!) we get from some of the proofs of the innitude of primes we shall
discuss.
1.1. Euclids proof. We recall Euclids proof. There is at least one prime,
namely p1 = 2, and if p1 , . . . , pn are any n primes, then consider
Nn = p1 pn + 1.
This number Nn may or may not be prime, but being at least 3 it is divisible by
some prime number q, and we cannot have q = pi for any i: if so pi |p1 pn and
pi |Nn implies pi |1. Thus q is a new prime, which means that given any set of n
distinct primes we can always nd a new prime not in our set: therefore there are
innitely many primes.
Comments: (i) Euclids proof is often said to be indirect or by contradiction,
but this is unwarranted: given any nite set of primes p1 , . . . , pn , it gives a perfectly
denite procedure for constructing a new prime.
(ii) Indeed, if we dene E1 = 2, and having dened E1 , . . . , En , we dene En+1 to
be the smallest prime divisor of E1 En + 1, we get a sequence of distinct prime
numbers, nowadays called the Euclid sequence (of course we could get a dierent
sequence by taking p1 to be a prime dierent from 2). The Euclid sequence begins
2, 3, 7, 43, 13, 53, 5, . . .
Many more terms can be found on the online handbook of integer sequences. The
obvious question does every prime occur eventually in the Euclid sequence with
p1 = 2 (or in any Euclid sequence?) remains unanswered.
119

120

10. THE PRIMES: INFINITUDE, DENSITY AND SUBSTANCE

(iii) It is certainly a classic proof, but it is not aesthetically perfect (whatever that may mean). Namely, there is a moment when the reader wonders hey,
why are we multiplying together the known primes and adding one? One can address this by pointing out in advance the key fact that gcd(n, n + 1) = 1 for all n.
Therefore if there were only nitely many primes p1 , . . . , pr , there would be an integer divisible by all of them, N = p1 pr , and then the fact that gcd(N, N + 1) = 1
leads to a contradiction. I do like this latter version better, but it is really just a
rewording of Euclids proof.1
(iv) Euclids proof can be used to prove some further results. For instance:
Theorem 121. Fix a positive integer N > 2. Then there are innitely many
primes p which are not congruent to 1 (mod N ).
Proof. Take p1 = 2, which is not congruent to 1 (mod N ). Assume that
p1 , . . . , pn is a list of n primes, none of which are 1 (mod N ). Now consider the
product
Pn := N p1 . . . pn 1.
Pn N 1 2, so it has a prime divisor. Also Pn 1 (mod N ). So if every
prime divisor q of Pn were 1 mod N , then so would Pn be 1 (mod N ) which it
isnt therefore Pn has at least one prime divisor q which is not 1 (mod N ). As
above, clearly q = pi for any i, which completes the proof.

In fact this argument can be adapted to prove the following generalization.
Theorem 122. Fix a positive integer N > 2, and let H be a proper subgroup of
U (N ) = (Z/N Z) . There are innitely many primes p such that p (mod N ) H.
The proof is left as an exercise. (Suggestion: x a Z+ , 1
< a < N , such that a
n
(mod N ) H. Take P0 = 2N + a and for n 1, Pn = (2N i=1 pi ) + a.)
Remark: If (N ) = 2 that is, for N = 3, 4, or 6 then 1 gives a reduced
residue system modulo N , so that any prime p > N 1 which is not 1 (mod N ) is
necessarily 1 (mod N ). Thus the argument shows that there are innitely many
primes p which are 1 (mod 3), 1 (mod 4) or 1 (mod 6).
Remark: Interestingly, one can also prove without too much trouble that there
are innitely many primes p 1 (mod N ): the proof uses cyclotomic polynomials.
Theorem 123. For any eld F , there are innitely many irreducible polynomials over F , i.e., innitely many irreducible elements in F [T ].
Proof. Euclids argument works here: take e.g. p1 (t) = t, and having produced p1 (t), . . . , pr (t), consider the irreducible factors of p1 (t) pr (t) + 1.

Note that one can even conclude that there are innitely many prime ideals in
F [t] equivalently, there are innitely many monic irreducible polynomials. When
F is innite, the monic polynomials t a for a F do the trick. When F is
1I have heard this argument attributed to the great 19th century algebraist E. Kummer. For
what little its worth, I believe I came up with it myself as an undergraduate. Surely many others
have had similar thoughts.

1. THE INFINITUDE OF THE PRIMES

121

nite, we showed there are innitely many irreducible polynomials, but there are
only #F 1 dierent leading coecients, so there must be innitely many monic
irreducible polynomials. It is interesting to think about why this argument does
not work in an arbitrary PID.2
1.2. Fermat numbers. Another way to construe Euclids proof is that it
suces to nd an innite sequence ni of pairwise coprime positive integers, because
these integers must be divisible by dierent primes. The Euclid sequence is such a
sequence. A more natural looking sequence is the following.
n

Theorem 124. The Fermat numbers Fn = 22 + 1 are pairwise coprime.

Proof. We claim that for all n 1 we have
Fn =

n1

Fd + 2.

d=0

This certainly suces, since if p is some common prime divisor of Fd (for any d < n)
and Fn then p | Fn 2, hence p | 2, but all the Fermat numbers are odd. The claim
itself can be established by induction; we leave it to the reader.

1.3. Mersenne numbers. Recall that Fermat believed that all the Fermat
numbers were prime, and this is not true, since e.g.
5

F5 = 22 + 1 = 641 6700417,
and in fact there are no larger known prime Fermat numbers. Nevertheless the
previous proof shows that there is something to Fermats idea: namely, they are
almost prime in the sense that no two of them have a common divisor. One then
wonders whether one can devise a proof of the innitude of the primes using the
Mersenne numbers 2p 1, despite the fact that it is unknown whether there are
innitely many Mersenne primes. This can indeed be done:
Let p be a prime (e.g. p = 2, as usual) and q a prime divisor of 2p 1. Then
2p 1 (mod q). In other words, p is a multiple of the order of 2 in the cyclic group
(Z/qZ) . Since p is prime the order of 2 must be exactly p. But by Lagranges theorem, the order of an element divides the order of the group, which is (q) = q 1,
so p | q 1 and hence p < q. Thus we have produced a prime larger than the one
we started with.
1.4. Eulers rst proof. It is a remarkable fact that the formal identity

1
1
(1 )1 =
p
n
p
n
which amounts to unique factorization immediately implies the innitude of
primes. Indeed, on the left hand side we have a possibly innite product, and on
the right-hand side we have an innite sum. But the innite sum is well-known to
be divergent, hence the product must be divergent as well, but if it were a nite
product it would certainly be convergent!
2For there are PIDs with only nitely many prime ideals: e.g. the set of rational numbers
whose reduced denominator is prime to 42 is a PID with exactly three prime ideals.

122

10. THE PRIMES: INFINITUDE, DENSITY AND SUBSTANCE

Many times in the course we have seen a rather unassuming bit of abstract algebra turned into a mighty number-theoretic weapon. This example shows that
the same can be true of analysis.
1.5. Chaitins proof. In his most recent book3 the computer scientist Gregory Chaitin announces an algorithmic information theory proof of the innitude
of primes. He says: if there were only nitely many primes p1 , . . . , pk then every
positive integer N could be written as
N = pa1 1 pakk ,
which is too ecient a way of representing all large integers N . Chaitin compares
his proof with Euclids proof and Eulers proof (with a grandiosity that I confess
I nd unjustied and unbecoming). But criticism is cheaper than understanding:
can we at least make sense of his argument?
Let us try to estimate how many integers n, 1 n N , could possibly be expressed in the form pa1 1 pakk , i.e., as powers of a xed set of k primes. In order for
this expression to be at most N , every exponent has to be much smaller than N :
precisely we need 0 ai logpi N ; the latter quantity is at most log2 N , so there
are at most log2 N + 1 choices for each exponent, or (log2 N + 1)k choices overall.
But aha this latter quantity is much smaller than N when N is itself large: it is
indeed the case that the percentage of integers up to N which we can express as a
product of any k primes tends to 0 as N approaches innity.
So Chaitins proof is indeed correct and has a certain admirable directness to it.
1.6. Another important proof. However, the novelty of Chaitins proof is
less clear. Indeed, in many standard texts (including Hardy and Wright, which
was rst written in 1938), one nds the following argument, which is really a more
sophisticated version of Chaitins proof.
Again, we will x k and estimate the number of integers 1 n N which are
divisible only by the rst k primes p1 , . . . , pk , but this time we use a clever trick:
recall that n can be written uniquely as uv 2 where u is squarefree. The number of
squarefree us however large! which are divisible only by the rst k primes is 2k
(for each pi , we either choose to include it or not). On the other hand, n = uv 2 N
1
implies that v 2 N and hence v N 2 . Hence the number of n N divisible only
by the rst k primes is at most 2k N . If there are k primes less than or equal to
N , we therefore have

2k N N
or
k

log2 (N )
.
2

3Its title is Meta Math! The Quest for Omega.

1. THE INFINITUDE OF THE PRIMES

123

1.7. An algebraic number theory proof. We now sketch a proof due to

Lawrence Washington.
Let R be a PID, with eld of fractions F . Suppose K is a nite-degree eld
extension of F in other words, there exists some positive integer d and elements
x1 , . . . , xd of K such that every element x of K can be written as 1 x1 + . . . + d xd
for i F . In such a situation we can dene a subset RL of L, which is the set of
all elements x of L which satisfy a monic polynomial relation with coecients in
R: that is, for some n Z+ ,
xn + rn1 xn1 + . . . + r1 x + r0 = 0,
and ri R for all i. It can be shown that RL is a subring of L, called the integral
closure of R in L. As an example, when R = Z and D is asquarefree integer not
congruent to 1 (mod 4), then taking K = Q andL = Q( D), then the integral
closure of Z in L is our friend the quadratic ring Z[ D]. Anyway, here is the result:
Theorem 125. Suppose that a PID R, with quotient eld K, has only nitely
many prime ideals. Then for any nite-degree eld extension L of K, the integral
closure S of R in L is again a PID.

This shows the innitude of the primes in Z, since we saw that Z[ 5] is not a PID!
The proof of Theorem 125 lies further up and further in the realm of algebraic
number theory than we dare to tread in this course. But here is a sketch of a proof
for the slummers4: the ring S is a Dedekind domain, so for any nonzero prime
ideal p of R, pS is a nontrivial nite product of powers of prime ideals. The distinct prime ideals Pi appearing in this factorization are precisely the prime ideals
P lying over p, i.e., such that P R = p. This shows that the restriction map
P 7 P R from prime ideals of S to prime ideals of R has nite bers. Thus, since
by assumption there are only nitely many prime ideals of R, there are only nitely
many prime ideals of S. Finally, a Dedekind domain with only nitely many prime
ideals is necessarily a PID, as can be shown using the Chinese Remainder Theorem.
This is a proof with a moral: we need to have innitely many primes in order
for number theory to be as complicated as it is.
1.8. Furstenbergs proof. The last proof we will give is perhaps the most
remarkable one. In the 1955 issue of the American Mathematical Monthly there
appeared the following article by Hillel Furstenberg, which we quote in its entirety:
In this note we would like to oer an elementary topological proof of the innitude of the prime numbers. We introduce a topology into the space of integers
S, by using the arithmetic progressions (from to +) as a basis. It is not
dicult to verify that this actually yields a topological space. In fact under this
topology S may be shown to be normal and hence metrizable. Each arithmetic
progression is closed as well as open, since its complement is the union of other
arithmetic progressions (having the same dierence). As a result the union of any
nite number of arithmetic progressions is closed. Consider now the set A = Ap ,
where Ap consists of all multiples of p, and p runs though the set of primes 2.
4i.e., more advanced readers who are reading these notes

124

10. THE PRIMES: INFINITUDE, DENSITY AND SUBSTANCE

The only numbers not belonging to A are 1 and 1, and since the set {1, 1} is
clearly not an open set, A cannot be closed. Hence A is not a nite union of closed
sets which proves that there are an innity of primes.
Remarks: Furstenberg was born in 1935, so this ranks as one of the leading instances of undergraduate mathematics in the 20th century. He is now one of the
leading mathematicians of our day. What is all the more remarkable is that this
little argument serves as a preview of the rest of his mathematical career, which has
concentrated on applying topological and dynamical methods (ergodic theory) to
the study of problems in number theory and combinatorics.
2. Bounds
Let us now go through some of these proofs and see what further information, if
any, they yield on the function (n).
1. From Euclids proof one can deduce that (n) C log log n. We omit the
argument, especially since the same bound follows more readily from the Fermat
numbers proof. Of course this is a horrible bound.
2. The Mersenne numbers proof gives, I believe, an even worse (iterated logarithmic) bound. I leave it to the reader to check this.
3. Eulers rst proof does not immediately come with a bound attached to it.
However, as we saw earlier in our study of the function, it really shows that
r
r

1
1
C log r.
(1 )1 >
pi
r
i=1
i=1
After some work, one can deduce from this that
n

1
C log log n,
p
i=1 i
whence the divergence of the prime reciprocals. We will not enter into the details.
4. Chatins proof gives a lower bound on (n) which is between log log n and
log n (but much closer to log n).
5. As we saw, one of the merits of the proof of 1.6 is that one easily deduces
the bound (n) log22 n . (Of course, this is still almost a full exponential away
from the truth.)
6. As we mentioned, knowing that the prime reciprocals diverge suggests that (n)
is at worst only slightly smaller than n itself. It shows that (n) is not bounded
above by any power function Cn for < 1.
7. The last two proofs give no bounds whatsoever, not even implicitly. This seems
to make them the worst, but there are situations in which one wants to separate
out the problem of proving the innitude of a set of numbers from the problem of
estimating its size, the latter problem being either not of interest or (more often)

3. THE DENSITY OF THE PRIMES

125

hopelessly out of current reach. In some sense all of the arguments except the
last two are implicitly trying to prove too much in that they give lower bounds on
(n). Trying to prove more than what you really want is often a very good technique in mathematics, but sometimes, when the problem is really hard, making
sure that you are concentrating your eorts solely on the problem at hand is also a
key idea. At any rate, there are many problems in analytic combinatorics for which
Furstenberg-type existence proofs either were derived long before the explicit lower
bounds (which require much more complicated machinery) or are, at present, the
only proofs which are known.
3. The Density of the Primes
All of the results of the previous section were lower bounds on (x). It is also of
interest to give an upper bound on (x) beyond the trivial bound (x) x. The
following gives such a result.
Theorem 126. As n , we have

(n)
n

0.

If you like, this result expresses that the probability that a randomly chosen positive
integer is prime is 0. We will come back to this idea after the proof, replacing
probability by the more precise term density.
Proof. Let us rst observe that there are at most N2 primes in the interval
[1, N ] since all but one of them must be odd. Similarly, since only one prime is
divisible by 3, every prime p > 6 must be of the form 6k + 1 or 6k + 5, i.e., only
2 of the 6 residue classes mod 6 can contain more than one prime (in fact some of
them, like 4, cannot contain any primes, but we dont need to worry about this),
so that of the integers n N , at most 26 N + 6 + 2 are primes.
In fact this simple reasoning can be carried much farther, using what we know
about the function. Namely, for any positive integer d, if gcd(a, d) > 1 there is
at most one prime p a (mod d).5 In other words, only (d) out of d congruence
classes mod d can contain more than one prime, so at most ( (d)
d )N + d + (d)
of the integers 1 n N can possibly be prime. (Here we are adding d once to
take care of the one prime that might exist in each congruence class and adding
d a second time to take care of the fact that since N need not be a multiple of
d, so the partial congruence class at the end may contain a higher frequency of
primes than (d)/d, but of course no more than (d) of primes overall.) But we
know, thank goodness, that for every > 0, there exists a d such that (d)
< ,
d
and choosing this d we nd that the number of primes n N is at most
(N )
N + d + (d)
d + (d)

=+
.
N
N
N
This approaches as N , so is, say, less than 2 for all suciently large N . 
Remark: Reecting on the proof, something slightly strange has happened: we
showed that (d)/d got arbitrarily small by evaluating at d = p1 pr , the product
of the rst r primes. Thus, in order to show that the primes are relatively sparse,
we used the fact that there are innitely many of them!
5Recall this is true because if x a (mod d), gcd(a, d) | d | x a, and gcd(a, d) | a, so
gcd(a, d)|x.)

126

10. THE PRIMES: INFINITUDE, DENSITY AND SUBSTANCE

In fact, by similarly elementary reasoning, one can prove a more explicit result,
that (n) logCn
log n . Before moving on to discuss some similar and stronger statements about the order of magnitude of (n), let us digress a bit on the notion of
density of a set of integers.
Denition: A subset A of the positive integers is said to have density (A) = if
#{1 n N | n A}
= .
N
N
lim

We have encountered this notion before: recently we claimed (based on something

less than a rigorous proof) that the density of squarefree integers is 62 . Notice
that we have just shown that the primes have density zero. Here are some further
examples:
Example 1: For any positive integers a and N , the density of the set of positive integers x a (mod N ) is N1 . In particular, the set of all positive integers
1
whose last decimal digit is 1 has density 10
.
Example 2: Any nite set has density zero.
Example 3: For any k > 1, the set of kth powers nk has density 0.
Example 4: In fact the set of all proper powers, i.e., positive integers of the form
nk with k > 1, has density zero.
Example 5: The set A of all positive integers whose rst decimal digit is 1 does
not have a density: that is, the limit does not exist. To see this, let C(N ) be
the number of positive integers 1 n N with rst digit 1. For any k 1,
C(2 10k 1) 21 (2 10k 1), since all of the integers from 10k to 2 10k 1 begin
with 1, and this is half of all integers less than 2 10k 1. On the other hand, none
8
of the integers from 2 10k to 10k+1 1 begin with 1, and this is 10
of the integers
2
k+1
k+1
k+1
1). Thus C(N )/N
less than or equal to 10
1, so C(10
1) 10 (10
does not tend to any limiting value.
Because of this denition it is common to discuss also the upper density (A)
and the lower density (A): in the above denition replace lim by lim inf (resp.
lim sup), the point being that these two quantities exist for any set, and a set A has
a density if = . Note that if (A) = 0, then necessarily (A) exists and equals 0.
Example 6: If A1 , . . . , Ak are nitely many sets having densities 1 , . . . , k , respectively, then the upper density of A1 . . . Ak is at most 1 + . . . + k . If
A1 , . . . , Ak are pairwise disjoint, then the density of A1 . . . Ak exists and is
exactly 1 + . . . + k . (In fact it is enough if the pairwise intersections Ai Aj all
have density zero.)
Density versus probability: Why have we backed o from using the word probability? Because ever since the work of the great early twentieth century Russian

4. SUBSTANCE

127

mathematician Kolmogorov, mathematicians have been trained to use the word

probability only in the measure-theoretic sense, or, in plainer language, for the
following situation: we have a set S (the sample space) and a function which associates to each reasonable subset E (an event) a number P (E), 0 P (E) 1,
and satisfying the axiom of countable additivity: if {Ei }
i=1 is a sequence of
events which are strongly mutually exclusive (i.e., Ei Ej = for all i = j), then
P(

Ei ) =

P (Ei ).

i=1

Our density function satises nite additivity but not countable additivity: indeed, if we took Ai to be the singleton set {i}, then certainly (Ai ) = 0 for all i
but the union of all the Ai s are the positive integers themselves, so have density
1. This is the problem: for a probability measure we cannot have (countably!)
innitely many sets of measure zero adding up to a set of positive measure, but
this happens for densities.
A similar problem occurs in our proof that the squarefree integers have density 62 . The set Sp2 of integers which are not multiples of p2 has density 1 p12 ,
and it is indeed true that these sets are nitely independent in the sense that the
intersection of any nite number of them has density equal to the product of the
densities of the component sets:
(Sp1 . . . Spn ) =

(1

i=1

1
).
p2

4. Substance
Let us dene a subset S of the positive integers to be substantial if

1
nS n

= .

Example 0: Obviously a nite set is not substantial.

Example 1: The set Z+ is substantial: the harmonic series diverges.
Example 2: If S and T are two sets with nite symmetric dierence that is,
there are only nitely many elements that are in S and not T or in T but not S
then S is substantial i T is substantial.
Example 3: For any subset S of Z+ , at least one of S and its complementary
subset S = Z+ \ S is substantial, since
1
1
1
+
=
= .
n
n
n

+
nS

nS

nZ

So there are plenty of substantial subsets. It is certainly possible for both S and
S to be substantial: take, e.g. the set of even numbers (or any S with 0 < (S) < 1:
see below).
Example 4: For any xed k > 1, the
set of all perfect kth powers is not substantial: by (e.g.) the Integral Test, n=1 n1k < .
Example 5: The set of integers whose rst decimal digit is 1 is substantial.

128

10. THE PRIMES: INFINITUDE, DENSITY AND SUBSTANCE

Example 6: Indeed any set S with positive upper density is substantial. This
is elementary but rather tricky to show, and is left as a (harder) exercise.
The converse does not hold. Indeed, we saw above that the primes have zero
density, but we will now establish the following:

Theorem 127. The sum p p1 of the prime reciprocals is innite.

Proof. (Erd
os) Seeking a contradiction, we suppose that the series converges:
then there exists an k such that
1
1
< .
p
2
p>p
k

However, the number of integers 1 n N which are divisible by pk+1 is at most

N
pk+1 ; similarly for pk+2 , pk+3 , so that overall the number of integers which are
divisible by any p > pk is at most
1
N
N
N
+
+ ... = N
= .
pk+1
pk+2
p
2
p>p
k

But this says that for any N , at least half of all positive integers are divisible by
one of the rst k primes, which the argument of 1.6 showed not to be the case. 
Remarks: Maybe this is the best elementary proof of the innitude of the primes.
Aside from being an elegant and interesting argument,
it is a quantum leap beyond
1
the previous results: since for any k 2,
converges,
it shows that there
n nk
are, in some sense, many more primes than perfect squares. In fact it implies that
there is no < 1 and constant C such that (n) Cn for all n, so that if (n)
is well-behaved enough to have a true order of magnitude than its true order is
rather close to n itself.
A striking substance-theoretic result that we will not be able to prove here:
Theorem 128. (Brun) The set T of twin primes i.e., primes p for which
at least one of p 2 and p + 2 is prime is insubstantial.
In a sense, this is disappointing, because we do not know whether T is innite,
whereas if T had turned out to be substantial we would immediately know that
innitely many twin primes exist! Nevertheless a fair amount of work has been
devoted (for some reason) to calculating Bruns sum
1
1.902 . . . .
n
nT

In particular Tom Nicely has done extensive computations of Bruns sum. His work
got some unexpected publicity in the mid 1990s when his calculations led to the
recognition of the infamous Pentium bug, a design aw in many of the Intel microprocessors.6
6The PC I bought in 1994 (my freshman year of college) had such a bug. The Intel corporation
reassured consumers that the bug would be of no practical consequence unless they were doing
substantial oating point arithmetic. Wonderful. . .

4. SUBSTANCE

129

The last word on density versus substance: In 1972 Endre Szemeredi proved
by elementary combinatorial means the sensational result that any subset S of
positive upper density contains arbitrarily long arithmetic progressions, a vast generalization of a famous theorem of van der Waerden (on colorings) which was
conjectured by Erdos and Turan in 1936.7 Unfortunately this great theorem does
not apply to the primes, which have zero density.
However, Erdos and Turan made the much more ambitious conjecture that any
substantial subset should contain arbitrarily long arithmetic progressions. Thus,
when Green and Tao proved in 2002 that there are arbitrarily long arithmetic progressions in the primes, they veried a very special case of this conjecture. Doubtless many mathematicians are now reconsidering the Erdos-Turan conjecture with
renewed seriousness.

7Several other mathematicians have devoted major parts of their career to bringing more

sophisticated technology to bear on this problem, obtaining quantitative improvements of Szemer

edis theorem. Notably Timothy Gowers received the Fields Medal in 1998 for his work in
this area. One must wonder whether the fact that Szemer
edi did not receive the Fields Medal
for his spectacular result is an instance of the prejudice against combinatorial mathematics in the
mainstream mathematical community. (The extent of this prejudice also renders the plot of the
movie Good Will Hunting somewhat implausible.)

CHAPTER 11

The Prime Number Theorem and the Riemann

Hypothesis
1. Some History of the Prime Number Theorem
Recall we have dened, for positive real x,
(x) = # {primes p x}.
The following is probably the single most important result in number theory.
Theorem 129. (Prime Number Theorem) We have (x)
lim

x
log x ;

i.e.,

(x) log x
= 1.
x

1.1. Gauss at 15. The prime number theorem (aectionately called PNT)
was apparently rst conjectured in the late 18th century, by Legendre and Gauss
(independently). In particular, Gauss conjectured an equivalent but more appealing form of the PNT in 1792, at the age of 15 (!!!).
Namely, he looked at the frequency of primes in intervals of lengths 1000:
(x) (x 1000)
.
1000
Computing by hand, Gauss observed that (x) seemed to tend to 0, however very
slowly. To see how slowly he computed the reciprocal, and found
1
log x,
(x)
(x) =

meaning that
1
.
log x
Evidently 15 year old Gauss knew both dierential and integral calculus, because
he realized that (x) was a slope of the secant line to the graph of y = (x). When
x is large, this suggests that the slope of the tangent line to (x) is close to log1 x ,
and hence he guessed that the function
x
dt
Li(x) :=
log
t
2
(x)

was a good approximation to (x).

Proposition 130. We have
Li(x)
131

x
.
log x

132

11. THE PRIME NUMBER THEOREM AND THE RIEMANN HYPOTHESIS

Proof. A calculus exercise (LHopitals rule!).

Thus PNT is equivalent to (x) Li(x). The function Li(x) called the logarithmic integral is not elementary, but has a simple enough power series expansion
(see for yourself). Nowadays we have lots of data, and one can see that the error
|(x) Li(x)| is in general much smaller than |(x) logx x |, so the dilogarithm gives
a better asymptotic expansion. (How good? Read on.)
1.2. A partial result. As far as I know, there was no real progress for more
than fty years, until the Russian mathematician Pafnuty Chebyshev proved the
following two impressive results.
Theorem 131. (Chebyshev, 1848, 1850)
a) There exist explicitly computable positive constants C1 , C2 such that for all x,
C2 x
C1 x
< (x) <
.
log x
log x
b) If limx

(x)
x/(log x)

exists, it necessarily equals 1.

Remarks:
(i) For instance, one version of the proof gives C1 = 0.92 and C2 = 1.7.
(But I dont know what values Chebyshev himself derived.)
(ii) The rst part shows that (x) is of order of magnitude logx x , and the second
shows that if it is regular enough to have an asymptotic value at all, then it must
be asymptotic to logx x . Thus the additional trouble in proving PNT is establishing
this regularity in the distribution of the primes, a quite subtle matter. (We have
seen that other arithmetical functions, like and d are far less regular than this
their upper and lower orders dier by more than a multiplicative constant, so the
fact that this regularity should exist for (x) is by no means assured.)
(iii) Chebyshevs proof is quite elementary: it uses less machinery than some of
the other topics in this course. However we will not give the time to prove it here:
blame it on your instructors failure to understand the proof.
1.3. A complex approach.
The next step was taken by Riemann in 1859. We have seen the zeta function
)1

(
1
1
(s) =
=
1

ns
ps
p
n=1
and its relation to the primes (e.g. obtaining a proof that (x) by the
above factorization). However, Riemann considered (s) as a function of a complex
variable: s = + it (indeed he used these rather strange names for the real and
imaginary parts in his 1859 paper, and we have kept them ever since), so
ns = n+it = n nit .
Here n is a real number and nit = ei(log n)t is a point on the unit circle, so in
modulus we have |ns | = n . From this we get that (s) is absolutely convergent for
= (s) > 1. Using standard results from analysis, one sees that it indeed denes

1. SOME HISTORY OF THE PRIME NUMBER THEOREM

133

an analytic function in the half-plane > 1. Riemann got the zeta function named
after him by observing the following:
Fact: (s) extends (meromorphically) to the entire complex plane and is analytic everywhere except for a simple pole at s = 1.
We recall in passing, for those with some familiarity with complex variable theory, that the extension of an analytic function dened in one (connected) domain
in the complex plane to a larger (connected) domain is unique if it exists at all: this
is the principle of analytic continuation. So the zeta function is well-dened. The
continuation can be shown to exist via an integral representation valid for > 0
and a functional equation relating the values of (s) to that of (1 s). (Note
that the line = 12 is xed under the s 7 1 s.) Riemann conjectured, but could
not prove, certain simple (to state!) analytic properties of (s), which he saw had
profound implications on the distribution of the primes.
1.4. A nonvanishing theorem.
It is a testament to the diculty of the subject that even after this epochal paper
the proof of PNT did not come for almost 40 years. In 1896, Jacques Hadamard
and Charles de la Vallee-Poussin proved PNT, independently, but by rather similar
methods. The key point in both of their proofs (which Riemann could not establish) was that (s) = 0 for any s = 1 + it, i.e., along the line with = 1.
Their proof does come with an explicit error estimate, albeit an ugly one.
Theorem 132. There exist positive constants C and a such that
|(x) Li(x)| Cxea

log x

It is not completely obvious that this is indeed an error bound, i.e., that

ea log x
lim
= 0.
x
Li(x)
This is left as another calculus exercise.
1.5. An elementary proof is prized.
Much was made of the fact that the proof of PNT, a theorem of number theory,
used nontrivial results from complex analysis (which by the end of the 19th century
had been developed to a large degree of sophistication). Many people speculated on
the existence of an elementary proof, a yearning that to my knowledge was never
formalized precisely. Roughly speaking it means a proof that uses no extraneous
concepts from higher analysis (such as complex analytic functions) but only the
notion of a limit and the denition of a prime. It thus caused quite a stir when Atle
Selberg and Paul Erdos (not independently, but not quite collaboratively either
the story is a controversial one!) gave what all agreed to be an elementary proof of
PNT in 1949. In 1950 Selberg (but not Erdos) received the Fields Medal.
In recent times the excitement about the elementary proof has dimmed: most
experts agree that it is less illuminating and less natural than the proof via Riemanns zeta function. Moreover the elementary proof remains quite intricate: ironically, more so than the analytic proof for those with some familiarity with functions

134

11. THE PRIME NUMBER THEOREM AND THE RIEMANN HYPOTHESIS

of a complex variable. For those who do not, the time taken to learn some complex
analysis will probably turn out to be time well spent.
1.6. Equivalents of PNT.
Many statements are equivalent to PNT: i.e., it is much easier to show that
they imply and are implied by PNT than to prove them. Heres one:
Theorem 133. Let pn be the nth prime. Then
pn n log n.

Note that this result implies (by the integral test) that pn
this consequence is much easier to prove than PNT itself.

1
p

log log n; strangely

Far more intriguing is that that PNT is equivalent to an asymptotic formula for
the average value of the Mobius function:
Theorem 134.

N
lim

n=1

(n)

= 0.

Recall that the Mobius function is 0 if n is not squarefree (which we know occurs
with density 1 62 ) and is (1)r if n is a product of r distinct primes. We also
saw that the set of all positive integers divisible by only a bounded number, say
k, of primes is equal to zero, so most integers 1 n N are divisible by lots of
primes, and by adding up the values of we are recording +1 if this large number
is even and 1 if this large number is odd. It is very tempting to view this parity
as being essentially random, similar to what would happen if we ipped a coin for
each (squarefree) n and gave ourselves +1 if we got heads and 1 if we got tails.
With this randomness idea planted in our mind, the above theorem seems to
assert that if we ip a large number N of coins then (with large probability) the
number of heads minus the number of tails is small compared to the total number
of coin ips. But now it seems absolutely crazy that this result is equivalent to
PNT since under the (as yet completely unjustied) assumption of randomness
it is far too weak: doesnt probability theory tell us that the running total of heads
minus tails will be likely to be on the order of the square root of the number of
coin ips? Almost, but not quite. And is this probabilistic model justied? Well,
that is the $ 1 million dollar question.
2. Coin-Flipping and the Riemann Hypothesis
Let us dene the Mertens function
M (N ) =

(n).

n=1

The goal of this lecture is to discuss the following seemingly innocuous question.
Question 5. What is the upper order of M (N )?
Among other incentives for studying this question there is a large nancial one: if
the answer is close to what we think it is, then proving it will earn you $ 1 million!

2. COIN-FLIPPING AND THE RIEMANN HYPOTHESIS

135

Recall (n) takes on only the values 1 and 0, so the trivial bound is
M (N ) N.
In fact we can do better, since we know that (n) = 0 i n is not squarefree, and
we know, asymptotically, how often this happens. This leads to an asymptotic
expression for the absolute sum:
N

|(n)| = #{squarefree n N }

n=1

6
N.
2

(N )
However, in the last lecture we asserted that MN
0, which we interpreted
as saying that the average order of is asymptotically 0. Thus the problem is
one of cancellation in a series whose terms are sometimes positive and sometimes
negative. Stop for a second and recall how much more complicated the theory of
conditional convergence of such series is than the theory of convergence of series
with positive terms. It turns out that the problem of how much cancellation to
expect in a series whose terms are sometimes positive and sometimes negative (or
a complex series in which the arguments of the terms are spread around on the
unit circle) is absolutely a fundamental one in analysis and number theory. Indeed
in such matters we can draw fundamental inspiration (if not proofs, directly) from
probability theory, and to do so i.e., to make heuristic probabilistic reasoning
even in apparently deterministic situations is an important theme in modern
mathematics ever since the work of Erdos and Kac in the mid 20th century.

But our story starts before the 20th century. In the 1890s Mertens1 conjectured:
(MC1) M (N )

N for all suciently large N .

This is quite bold. As we have seen, in studying orders of magnitude, it is safer to

hedge ones bets by at least allowing a multiplicative constant, leading to the weaker

(MC2) M (N ) C N for all N .

The noted Dutch mathematician Stieltjes claimed a proof of (MC2) in 1885. But
his proof was never published and was not found among his papers after his death.
It would be interesting to know why Mertens believed (MC1). He did check the
inequality for all N up to N = 104 : this is an amusingly small search by contemporary standards. The problem is not as computationally tractable as one might
wish, because computing the Mobius function requires factorization of n: thats
hard! Nevertheless we now know that (MC1) holds for all N 1014 .
These are hard problems: while experts have been dubious about (MC1) and
(MC2) for over a century, (MC1) was disproved only in 1985.
Theorem 135. (Odlyzko-te Riele [OlR85]) There are explicit constants C1 >
1, C2 < 1 such that
M (N )
lim sup
C1 ,
N
N
1Franz Mertens, 18401927

136

11. THE PRIME NUMBER THEOREM AND THE RIEMANN HYPOTHESIS

M (N )
lim inf
C2 .
N
N
In plainer terms, each of the inequalities N M (N ) and M (N ) N fails for
innitely many N .
The Odlyzko-te Riele proof doesnot supply a concrete value
of N
for which M (N ) > N , but soon after J. Pintz showed [Pi87] that M (N ) > N for
64
64
some N < e3.2110 101.410 (note the double exponential: this is an enormous
number!). Recent work of Saouter and te Riele [SatR14] shows that this inequality
33
holds for some N < e1.00410 . Yet more recently Best and Trudgian have shown
that in Theorem 135 one may take C1 = 1.6383 C2 = 1.6383 [BTxx].

Remark 136. An earlier draft contained the claim that M (N ) > N for some
N < 10154 . I thank Tim Trudgian for bringing this to my attention. Not only is
a counterexample to (MC1) for such a small value of N not known, in fact it
seems quite unlikely that there is a counterexample at anything close to this order
of magnitude. Trudgian recommends a work of Kotnik and van de Lune [KvdL04]
which contains experimental data and conjectures on M (N ). In particular they give
a conjecture which suggests that the rst counterexample to (MC1) should occur at
23
roughly N 102.310 : i.e., much smaller than the known counterexamples and
much larger than 10154 . It should be emphasized that such conjectures are rather
speculative, and the literature contains several incompatible such conjectures.
We still do not know whether (MC2) holds so conceivably Stieltjes was right all
along and the victim of some terrible mix up although I am about to spin a tale
to try to persuade you that (MC2) should be almost, but not quite, true.
But rst, what about the million dollars?
In the last section we mentioned two interesting equivalents of PNT. The following theorem takes things to another level:
Theorem 137. The following (unknown!) assertions are equivalent:
1

a) For all > 0, there exists a constant C such that |M (N )| C N 2 + .

b) |(x) Li(x)|

1
8 x log x

for all x 2657.

c) Suppose (s0 ) = 0 for some s0 with real part 0 < (s0 ) < 1. Then (s0 ) = 21 .
We note that the somewhat abstruse part c) which refers to the behavior of the
zeta function in a region which it is not obvious how it is dened is the Riemann
hypothesis (RH). Thus we care about RH (for instance) because it is equivalent
to a wonderful error bound in the Prime Number Theorem.
In 2000 the Clay Math Institute set the Riemann Hypothesis as one of seven $ 1
million prize problems. If you dont know complex analysis, no problem: just prove
part a) about the order of magnitude of the partial sums of the Mobius function.
Note that (MC1) (which is false!) = (MC2) = condition a) of the theorem, so in announcing a proof of (MC2) Stieltjes was announcing a stronger result
than the Riemann hypothesis, which did not have a million dollar purse in his day
but was no less a mathematical holy grail then than now. (So you can decide how

2. COIN-FLIPPING AND THE RIEMANN HYPOTHESIS

137

likely it is that Stieltjess paper got lost in the mail and never found.)
But why should we believe in the Riemann hypothesis anyway? There is some
experimental evidence for it in any rectangle |t| N , 0 < < 1 the zeta function
can have only nitely many zeros (this holds for any function meromorphic on C),
so one can nd all the zeros up to a certain imaginary part, and the fact that all of
these zeros lie on the critical line i.e., have real part 21 has been experimentally
conrmed in a certain range of t. It is also known that there are innitely many
zeros lying on the critical line (Hardy) and that even a positive proportion of them
as we go up lie on the critical line (Selberg as I said, a great mathematician). For
various reasons this evidence is rather less than completely convincing.
So let us go back to randomness suppose really were a random variable. What
would it do, in all probability?
We can consider instead the random walk on the integers, where we start at 0
and at time i, step to the right with probability 12 and step to the left with probability 12 . Formally speaking, our walk is given by an innite sequence {i }
i=1 ,
each i = 1. The set of all such sign sequences, {1} forms in a natural way a
probability space (meaning it has a natural measure but dont worry about the
details; just hold on for the ride). Then we dene a random variable
S(N ) = 1 + . . . + n ,
meaning a function that we can evaluate on any sign sequence, and it tells us where
we end up on the integers after N steps. Now the miracle of modern probability
theory is that it makes perfect sense to ask what the lim sup of SN is.
If youve had a course in probability theory (good
for you. . .) you will probably

remember that SN should be no larger than N , more or less. But this seems
disappointing, because that is (MC1) (or maybe (MC2)), which feels quite dubious
for the partial sums of the Mobius function. But in between
Mertens day and ours

probability theory grew up, and we now know that N is not exactly the correct
upper bound. Rather, it is given by the following spectacular theorem:
Theorem 138. (Kolmogorov) With probability 1, we have
SN
lim sup
= 1.
2N log log N
N
Thus if you ip a fair coin N times, then in all probability there will be innitely
many moments in time when your running tally of heads minus tails is larger than
any constant times the square root of the number of ips. (Similarly, and symmetrically, the limit inmum is 1.) So true randomness predicts that (MC2) is false.
On the other hand, it predicts that the RiemannHypothesis is true, since indeed
for all > 0 there exists a constant C such that 2 log log N < C N .
So if we believed in the true randomness of , we would believe the following
Conjecture 139. (Good-Churchhouse [GC68])
lim sup
N

M (N )
< .
N log log N

138

11. THE PRIME NUMBER THEOREM AND THE RIEMANN HYPOTHESIS

lim inf
N

M (N )
> .
N log log N

Later mathematicians have extended these calculations and suggested renements

of Conjecture 139. Based in part on numerical experimentation, Kotnik and van
de Lune [KvdL04] instead conjecture
M (N )
(0, ).
N log log log N
This slower growth informs their estimate of the smallest counterexample to (MC1)).
lim sup
N

Just to make sure, this conjecture is still signicantly more precise than the |M (N )|
1
C N 2 + which is equivalent to the Riemann Hypothesis, making it unclear exactly
how much we should pay the person who can prove it: $ 2 million? Or more??
Kolmogorovs law of the iterated logarithm, and hence Conjecture 139, does
not seem to be very well-known outside of probabilistic circles.2 In searching the
literature I found a paper from the 1960s predicting such a logarithm law for
M (N
). More recently I haveseen another paper suggesting that perhaps it should
be log log log N instead of log log N . To be sure, the Mobius function is clearly
not random, so one should certainly be provisional in ones beliefs about the precise form of the upper bounds on M (N ). The game is really to decide whether the
Mobius function is random enough to make the Riemann hypothesis true.
Nevertheless the philosophy expressed here is a surprisingly broad and deep one:
whenever one meets a sum SN of N things, each of absolute value 1, and varying
in sign (or in argument in the case of complex numbers), one wants to know how
much cancellation there is, i.e., how far one can improve upon the trivial bound
of |SN | N . The mantra here is that if there is really no extrastructure in
the summands i.e., randomness then one should expect SN N , more or
less! More accurately the philosophy has
two parts, and the part that expresses
that |SN | should be no smaller than N unless there is hidden structure is an
2i
extremely reliable one. An example of hidden structure is an = e N , when in fact
n

an = 0.
n=1

But here we have chosen to sum over all of the N th roots of unity in the complex
plane, a special situation. The second
part of the philosophy allows
us tohope that

SN is not too much larger than N . In various contexts, any of C N , N log N ,

1
N 2 + , or even N 1 for some > 0, may count as being not too much larger. So
in truth our philosophy of almost squareroot error is a little bit vague. But
it can be, and has been, a shining light in a dark place,3 and we will see further
instances of such illumination.

2I learned about Kolmogorovs theorem from a talk at Harvard given by W. Russell Mann.
3When all other lights go out?

CHAPTER 12

The Gauss Circle Problem and the Lattice Point

Enumerator
1. Introduction
We wish to study a very classical problem: how many lattice points lie on or inside
the circle x2 + y 2 = r2 ? Equivalently, for how many pairs (x, y) Z2 do we have
x2 + y 2 r2 ? Let L(r) denote the number of such pairs.
Upon gathering a bit of data, it becomes apparent that L(r) grows quadratically
with r, which leads to consideration of L(r)
r 2 . Now:
L(10)/102 = 3.17.
L(100)/1002 = 3.1417.
L(1000)/10002 = 3.141549.
L(104 )/108 = 3.14159053.
The pattern is pretty clear!
Theorem 140. As r , we have L(r) r2 . Explicitly,
L(r)
= 1.
r2
Once stated, this result is quite plausible geometrically: suppose that you have to
tile an enormous circular bathroom with square tiles of side length 1 cm. The total
number of tiles required is going to be very close to the area of the oor in square
centimeters. Indeed, starting somewhere in the middle you can do the vast majority of the job without even worrying about the shape of the oor. Only when you
come within 1 cm of the boundary do you have to worry about pieces of tiles and
so forth. But the number of tiles required to cover the boundary is something like a
constant times the perimeter of the region in centimeters so something like Cr
whereas the number of tiles in the interior is close to r2 . Thus the contribution to
the boundary is neglible: precisely, when divided by r2 , b it approaches 0 as r .
lim

I myself nd this heuristic convincing but not quite rigorous. More precisely, I
believe it for a circular region and become more concerned as the boundary of the
region becomes more irregularly shaped, but the heuristic doesnt single out exactly
what nice properties of the circle are being used. Moreover the error bound is
fuzzy: it would be useful to know an explicit value of C.
To be more quantitative about it, we dene the error
E(r) = |L(r) r2 |,
139

140

12. THE GAUSS CIRCLE PROBLEM AND THE LATTICE POINT ENUMERATOR

so that Theorem 140 is equivalent to the statement

E(r)
= 0.
r2
The above heuristic suggests that E(r) should be bounded above by a linear function of r. The following elementary result was proved by Gauss in 1837.
lim

Theorem 141. For all r 7, E(r) 10r.

Proof. Let P = (x, y) Z2 be such that x2 + y 2 r2 . To P we associate the
square S(P ) = [x, x + 1] [y, y + 1], i.e., the unit square in the plane which has P
as its lower left corner. Note that thediameter of S(P ) i.e., the greatest distance
between any two points of S(P ) is 2. So, while P lies within the circle
of radius
r, S(P ) may not, but it certainly lies within the circle of radius r + 2. It follows
that the total area of all the squares S(P ) which is nothing else thanthe number
L(r) of lattice points is at most the area of the circle of radius r + 2, i.e.,

L(r) (r + 2)2 = r2 + 2 2r + 2.
A similar argument gives a lower bound forL(r). Namely, if (x, y) is any point
with distance from the origin at most r 2, then the entire square (x, x +
1) (y, y + 1) lies within the circle of radius r. Thus the union of all the unit
2
2
squares S(P
) attached to lattice points on or inside x + y = r covers the circle of
radius r 2, giving

L(r) (r 2)2 = r2 2 2r + 2.
Thus

E(r) = |L(r) r2 | 2 + 2 2r 7 + 9r 10r,

the last inequality holding for all r 7.

This argument skillfully exploits the geometry of the circle. I would like to present
an alternate argument with a much dierent emphasis.
The rst step is to notice that instead of counting lattice points in an expanding sequence of closed disks, it is equivalent to x the plane region once and for all
here, the unit disk D : x2 +y 2 1 and consider the number of points (x, y) Q2
with rx, ry Z. That is, instead of dividing the plane into squares of side length
one, we divide it into squares of side length 1r . If we now count these 1r -lattice
points inside D, a moments thought shows that this number is precisely L(r).
What sort of thing is an area? In calculus we learn that areas are associated to integrals. Here we wish to consider the area of the unit disk as a double integral over
the square [1, 1]2 . In order to do this, we need to integrate the characteristic
function D of the unit disk: that is, (P ) evaluates to 1 if P D and (P ) = 0
otherwise. The division of the square [1, 1]2 into 4r2 subsquares of side length 1r
is exactly the sort of sequence of partitions that we need to dene aRiemann sum:
that is, the maximum diameter of a subrectangle in the partition is r2 , which tends

to 0 as r . Therefore if we choose any point Pi,j

in each subsquare, then

r := 2
(Pi,j
)
r i,j

1. INTRODUCTION

141

is a sequence of Riemann sums for D , and thus

lim r =
D = Area(D) = .
r

[1,1]2

But we observe that r is very close to the quantity L(r). Namely, if we take each
sample point to be the lower left corner of corner of the corresponding square, then
r2 r = L(r) 2, because every such sample point is a lattice point (which gets
multiplied by 1 i the point lies inside the unit circle) and the converse is true
except that the points (1, 0) and (0, 1) are not chosen as sample points. So
L(r)
L(r) 2 + 2
= lim
= lim r + 0 = .
r
r
r2
r2
The above argument is less elementary than Gausss and gives a weaker result: no
explicit upper bound on E(r) is obtained. So why have we bothered with it? The
answer lies in the generality of this latter argument. We can replace the circle by
any plane region R [1, 1]2 . For any r R>0 , we dene the r-dilate of R,
lim

rR = {rP | P R}.
This is a plane region which is similar to R in the usual sense of Euclidean
geometry. Note that if R = D is the closed unit disk then rD = {(x, y) R2 | x2 +
y 2 r2 } is the closed disk of radius r. Therefore a direct generalization of the
counting function L(r) is
LR (r) = #{(x, y) Z2 rR}.

As above, we can essentially view LRr2(r) as a sequence of Riemann sums for [1,1]2 R
essentially because any lattice points with x or y coordinate equal to 1 exactly
will contribute to LR (r) but not to the Riemann sum. But since the total number
of 1r -squares which touch the top and/or right sides of the square [1, 1]2 is 4r + 1,
this discrepancy goes to 0 when divided by r2 . (Another approach is just to assume
that R is contained in the interior (1, 1)2 of the unit square. It should be clear
that this is no real loss of generality.) We get the following result:
Theorem 142. Let R [1, 1]2 be a planar region. Then
LR (r)
= Area(R).
r2
There remains a technical issue: what do we mean by a plane region? Any subset
of [1, 1]2 ? A Lebesgue measurable subset? Neither of these is correct: take

(35)

lim

I = {(x, y) [1, 1]2 | x, y R \ Q},

i.e., the subset of the square [1, 1]2 consisting of points both of whose coordinates
2
are irrational. Then I is obtained by removing from
[1, 1] a set of Lebesgue measure zero, so I has Lebesgue measure 4 and thus [1,1]2 I exists in the Lebesgue
sense and is equal to 4. On the other hand, I contains no rational points whatsoever, so for all r Z+ , LR (r) = 0. Thus, if we restrict r to positive integral values,
then both sides of (35) are well-dened, but they are unequal: 0 = 4.
Looking back at the argument, what is needed is precisely the Riemann integrability of the characteristic function D of the region D. It is a basic fact that
a bounded function on a bounded domain is Riemann integrable if and only if it
is continuous except on a set of measure zero. The characteristic function D is

142

12. THE GAUSS CIRCLE PROBLEM AND THE LATTICE POINT ENUMERATOR

discontinuous precisely along the boundary of D, so the necessary condition on D

is that its boundary have measure zero. (Explicitly, this means that for any > 0,
there exists an innite sequence Ri of open rectangles whose union covers D and
such that the sum of the areas of the rectangles is less than or equal to .) In
geometric measure theory, such regions are called Jordan measurable, and this
is the condition we need on our planar region.
Jordan measurability is a relatively mild condition: for instance any region bounded
by a piecewise smooth curve (a circle, ellipse, polygon. . .) is Jordan measurable. In
fact a large collection of regions with fractal boundaries are Jordan measurable:
for instance Theorem 142 applies with R a copy of the Koch snowake, whose
boundary is a nowhere dierentiable curve.
2. Better Bounds
2.1. The soft/hard dichotomy. As in the previous section, suppose we have
a plane region R [1, 1]2 , and consider the function LR (r) which counts the
number of lattice points in the dilate rR of R. The main qualitative, or soft, result
of the last section was
LR (r) Area(R)r2 .
But if we take a more quantitative, or hard, view, this is only the beginning.
Namely, as before, we dene
ER (r) = |LR (r) Area(R)r2 |.
Theorem 142 tells us that limr ER (r) = 0: this is a fundamentally soft-analytic
result. A hard-analytic result would give an explicit upper bound on ER (r). Theorem 140 does just this, albeit in the special case where R is the closed unit disk:
ER (r) 10r.
Here are some natural questions:
Question 6. (Gausss Circle Problem) In the case of R = D, how much can
one improve on Gausss bound ED (r) 10r? Can we nd nontrivial lower bounds?
What is the truth about ED (r)?
Question 7. Can one give an explicit upper bound on ER (r) for an arbitrary
plane region R? Could we have, for instance, that Er (R) is always bounded by a
linear function of r? Or by an even smaller power of r?
Question 6 has received much attention over the years. Lets look again at the data:
r = 10 : L(r) = 317, r2 314, E(r) = 2.8407 . . .
r = 100 : L(r) = 31417, r2 31415.926, E(r) = 1.0734 . . .
r = 1000 : L(r) = 3141549, r2 3141592.653, E(r) = 43.653 . . .
r = 10000 : L(r) = 314159053, r2 314159265.358, E(r) = 212.3589 . . .
We now attempt to describe E(r) by a power law: i.e., to nd a real number
such that E(r) grows like r . If E(r) r , then log E(r) log r, so that to test
for a power law we should consider the ratio P (r) := loglogE(r)
and see whether it
r

2. BETTER BOUNDS

143

tends towards some constant as r . We have at the moment only four values
of r, so this is quite rough, but nevertheless lets try it:
r = 10 : P (r) = .453 . . . ,
r = 100 : P (r) = .01538 . . . ,
r = 1000 : P (r) = .54667 . . . ,
r = 10000 : P (r) = .5817 . . . .
Whatever is happening is happening quite slowly, but it certainly seems like E(r)
Cr for some which is safely less than 1.
The rst theoretical progress was made in 1904 by a Polish undergraduate, in
competition for a prize essay sponsored by the departments of mathematics and
physics at the University of Warsaw. The student showed that there exists a con2
stant C such that ED (r) Cr 3 . His name was Waclaw Sierpinski, and this was
the beginning of a glorious mathematical career.1
On the other hand, in 1916 G.H. Hardy and E. Landau, independently, proved
1
that there does not exist a constant C such that E(r) Cr 2 . The conventional
1
wisdom however says that r 2 is very close to the truth: namely, it is believed that
for every real number > 0, there exists a constant C such that
(36)

E(r) C r 2 + .

Remark: It is not hard to show that this conjecture implies that

1
log E(r)
lim P (r) = lim
= .
r
r
log r
2
(Note that the calculations above certainly are not sucient to suggest this result.
It would therefore be interesting to extend these calculations and see if convergence
to 12 becomes more apparent.)
Note that Theorem 140 above tells us we can take = 12 and C = 10, whereas
Sierpinski showed that we can take = 16 .2 The best current bound was proven by
Huxley in 1993: he showed that (36) holds for every > 19/146 = 0.13 . . .. In early
2007 a preprint of Cappell and Shaneson appeared on the arxiv, which claims to
establish (36) for every > 0. As of this writing (Spring of 2009) the paper has not
been published, nor do I know any expert opinion on its correctness.
As for Question 7, we begin with the following simple but enlightening example.
Example: Let R = [1, 1]2 be the square of sidelength 2 centered at the origin.
Then Area(R) = 4, so that for any r R+ we have Area(rR) = 4r2 . On the other
hand, for r Z+ , we can determine LR (r), the number of lattice points in [r, r]2
exactly: there are 2r + 1 possible values for the x coordinate and the same number
1Sierpinski (1882-1969) may well be the greatest Polish mathematician of all time, and Poland

is a country with an especially distinguished mathematical tradition. Sierpinski is most remembered nowadays for the fractal triangle pattern that bears his name. I have encountered his work
several times over the years, and the work on the Gauss Circle Problem is typical of his style: his
theorems have elementary but striking statements and dicult, intricate proofs.
2I dont know what value he had for C or even whether his proof gave an explicit value.
1
3

144

12. THE GAUSS CIRCLE PROBLEM AND THE LATTICE POINT ENUMERATOR

of possible values for the y-coordinate, so that Lr (R) = (2r + 1)2 = 4r2 + 4r + 1.
In this case we have
ER (r) = |Lr (R) Area(rR)| = 4r + 1,
so that the true error is a linear function of r. This makes us appreciate Sierpinskis
result more: to get a bound of ED (r) Cr for some < 1 one does need to use
properties specic to the circle: in the roughest possible terms, there cannot be as
many lattice points on the boundary of a curved region as on a straight line segment.
More formally, in his 1919 thesis van der Corput proved the following result:
Theorem 143. Let R R2 be a bounded planar region whose boundary is
C -smooth and with nowhere vanishing curvature. Then there exists a constant C
(depending on R) such that for all suciently large r R>0 ,

|LR (r) Area(R)r2 | Cr 3 .

It is also known that this result is best possible there are examples of regions with
very nice boundaries in which the power 23 cannot be lowered. (Thus again, the
circle is very special!) There are many results which study how the behavior of the
error term depends on the assumptions one makes about the boundary of R. To go
to the other extreme, a 1997 result of L. Colzani shows that for any bounded region
R whose boundary has fractal dimension at most (this has a technical meaning
particular to Colzanis paper; we do not give an explicit denition here), then
|Lr (R) Area(R)r2 | Cr2 .
As far as I know, it is an open problem to give corresponding lower bounds: for
instance, to construct, for any > 0, a region R such that
|Lr (R) Area(R)r2 | > r2 for innitely many positive integers r. (I myself do not
know how to construct such a region for any < 1.)
3. Connections to average values
The reader may well be wondering why the Gauss Circle Problem counts as number theory. On the one hand, as we will see later on, number theory is very much
concerned with counting lattice points in certain planar and spatial reasons. But
more specically, Gauss Circle Problem has to do with the average value of an
arithmetical function.
Namely, dene r2 (n) to be the function which counts the number of (x, y) Z2
such that n = x2 + y 2 . The Full Two Squares Theorem says that r2 (n) > 0 i
2 | ordp (n) for every p 3 (mod 4). As you have seen in the homework, in practice this condition behaves quite erratically. Certainly the function r2 (n) does not
have any nice limiting behavior at n : on the one hand it is 0 innitely often,
and on the other hand it assumes arbitrarily large values.
Much more regularity is displayed by the function r2 (n) on average. Namely,
for any function f : Z+ C, we dene a new function
fave : n 7

1
(f (1) + . . . + f (n)) .
n

3. CONNECTIONS TO AVERAGE VALUES

145

As its name suggests, fave (n) is the average of the rst n values of f .
It is also convenient to work also with the summatory function F (n) :=
The relation between them is simple:

n
k=1

f (k).

F (n) = n fave (n).

Theorem 144. For f (n) = r2 (n), F (n) n and fave (n) .
Proof. Indeed, F (n) = r2 (1) + . . . + r2 (n) counts the number of lattice points
on or inside the circle x2 + y 2 n, excepting the origin. Therefore

F (n) = LD ( n) 1 ( n)2 1 n.

In this context, the Gauss Circle Problem is equivalent to studying the error between
F (n) and n. Studying errors in asymptotic expansions for arithmetic functions is
one of the core topics of analytic number theory.
We remark with amusement that the average value of r2 (n) is asymptotically constant and equal to the irrational number : there is no n for which r2 (n) = !
In fact there is a phenomenon here that we should take seriously. A natural question is how often is r2 (n) = 0? We know that r2 (n) = 0 for all n = 4k + 3, so it is
equal to zero at least 41 of the time. But the average value computation allows us
to do better. Suppose that there exists a number 0 < 1 such that r2 (n) = 0 at
most proportion of the time. Then r2 (n) > 0 at least 1 of the time, so the
average value of r2 (n) is at least 8(1 ). Then 8(1 ), or
1 /8 .607.
That is, weve shown that r2 (n) = 0 more than 60% of the time.3
In fact this only hints at the truth. In reality, r2 (n) is equal to zero with probability one. In other words, if we pick a large number N and choose at random an
elment 1 n N , then the probability that n is a sum of two squares approaches
0 as N . This exposes one of the weaknesses of the arithmetic mean (one
that those who compose and grade exams become well aware of): without further
assumptions it is unwarranted to assume that the mean value is a typical value
in any reasonable sense. To better capture the notion of typicality one can import
further statistical methods and study the normal order of an arithmetic function.
With regret, we shall have to pass this concept over entirely as being too delicate
for our course. See for instance G. Tenenbaums text [T] for an excellent treatment.
The lattice point counting argument generalizes straightforwardly (but fruitfully)
to higher-dimensional Euclidean space RN . For instance, the analogous argument
involving lattice points on or inside the sphere of radius r in R3 gives:
Theorem 145. The number R3 (r) of integer solutions (x, y, z) to x2 +y 2 +z 2
r is asymptotic to 43 r3 , with error being bounded by a constant times r2 .
2

3This argument was not intended to be completely rigorous, and it isnt. What it really
shows is that it is not the case that r2 (n) = 0 on a set of density at least = 1 /8. But this
is morally the right conclusion: see below.

146

12. THE GAUSS CIRCLE PROBLEM AND THE LATTICE POINT ENUMERATOR

Corollary 146. The average value of the function r3 (n), whichcounts representations of n by sums of three integer squares, is asymptotic to 34 n.
We can similarly give asymptotic expressions for the average value of rk (n) the
number of representations of n as a sum of k squares for any k, given a formula for
the volume of the unit ball in Rk . We leave it to the reader to nd such a formula
and thereby compute an asymptotic for the average value of e.g. r4 (n).

CHAPTER 13

Minkowskis Convex Body Theorem

1. The Convex Body Theorem
1.1. Introduction.
We have already considered instances of the following type of problem: given a
bounded subset of Euclidean space RN , to determine #( ZN ), the number
of integral points in . It is clear however that there is no answer to the problem
in this level of generality: an arbitrary can have any number of lattice points
whatsoever, including none at all.
In [Gausss Circle Problem], we counted lattice points not just on itself but
on dilates r of by positive integers r. We found that for any reasonable ,
(37)

L (r) := #(r ZN ) rN Vol().

More precisely, we showed that this holds for all bounded sets which are Jordan
measurable, meaning that the characteristic function 1 is Riemann integrable.
It is also natural to ask for sucient conditions on a bounded subset for it
to have lattice points at all. One of the rst results of this kind is a theorem of
Minkowski, which is both beautiful in its own right and indispensably useful in the
development of modern number theory (in several dierent ways).
Before stating the theorem, we need a bit of terminology. Recall that a subset
RN is convex if for all pairs of points P, Q , also the entire line segment
P Q = {(1 t)P + tQ | 0 t 1}
is contained in . A subset RN is centrally symmetric if whenever it contains a point v RN it also contains v, the reection of v through the origin.
A convex body is a nonempty, bounded, centrally symmetric convex set.
Some simple observations and examples:
i) A subset of R is convex i it is an interval.
ii) A regular polygon together with its interior is a convex subset of R2 .
iii) An open or closed disk is a convex subset of R2 .
iv) Similarly, an open or closed ball is a convex subset of RN .
v) If is a convex body, then P ; then P and 0 = 21 P + 12 (P ) .
vi) The open and closed balls of radius r with center P are convex bodies i P = 0.
147

148

13. MINKOWSKIS CONVEX BODY THEOREM

Warning: The term convex body often has a similar but slightly dierent meaning: e.g., according to Wikipedia, a convex body is a closed, bounded convex subset
of RN which has nonempty interior (i.e., there exists at least one point P of
such that for suciently small > 0 the entire open ball B (P ) of points of RN of
distance less than from P is contained in ). Our denition of convex body is
chosen so as to make the statement of Minkowskis Theorem as clean as possible.
First we record a purely technical result, without proof:
Lemma 147. (Minkowski) A bounded convex set RN is Jordan measurable:
that is, the function
1 : x 7 1, x ; 0, x
is Riemann integrable. Therefore we can dene the volume of as

1 .
Vol() =
RN

Remark: We are using volume as a generic term independent of dimensions.

When N = 1 it would be more properly called length; when N = 2, area; and,
perhaps, hyper-volume when N > 3.
Intuitively speaking, this just says that the boundary of a convex set is not pathologically rugged. In our applications, our bodies will be things like polyhedra and
spheres, which are evidently not pathological in this way.
We will also need the following simple result, which ought to be familiar from
a course in geometry, multi-variable calculus and/or linear algebra. The reader
might try to prove it for herself, but we will not assign it as a formal exercise
because we will discuss a more general result in 1.4.
Lemma 148. (Dilation Lemma) Recall that for a subset of RN and a positive
real number we dene the dilate of
:= { P = (x1 , . . . , xn ) | P = (x1 , . . . , xn ) }.
Then:
a) is nonempty is nonempty.
b) is bounded is bounded.
c) is Jordan measurable is Jordan measurable, and if so,
Vol() = N Vol().
d) is convex is convex.
e) is centrally symmetric is centrally symmetric.
An immediate consequence is:
Corollary 149. If RN is a convex body of volume V , then for any
positive real number , is a convex body of volume N V .
We saw above that any convex body RN contains the origin. In particular,
such a set contains at least one point in ZN . Must it contain any more?
Of course not. Take in the plane the disk of radius r centered at the origin. This
is a convex body which, if r < 1, does not intersect any other lattice point besides

1. THE CONVEX BODY THEOREM

149

0. If r = 1, it meets the four closest points to 0 if the disk is closed but not if it is
open; for r > 1 it necessarily meets other lattice points.
Can we nd a convex body in R2 which contains no nonzero lattice points but
has larger area than the open unit disk, i.e., area larger than ? Of course we can:
the open square
(1, 1)2 = {(x, y) R2 | |x|, |y| < 1}
has area 4 but meets no nonzero lattice points. As in the case of circles, this is
certainly the limiting case of its kind : any centrally symmetric i.e., with vertices
(a, b) for positive real numbers a, b will contain the lattice point (1, 0) if a > 1
and the lattice point (0, 1) if b > 1, so if it does not contain any nonzero lattice
points we have max(a, b) 1 and thus its area is at most 4. But what if we rotated
the rectangle? Or took a more elaborate convex body?
One way (not infallible by any means, but a place to start) to gain intuition in
a multi-dimensional geometric problem is to examine the problem in a lower dimension. A symmetric convex subset of the real line R1 is just an interval, either of
the form (a, a) or [a, a]. Thus by reasoning similar to, but even easier than, the
above we see that a centrally symmetric convex subset of R must have a nontrivial lattice point if its one dimensional volume is greater than 2, and a centrally
symmetric convex body (i.e., closed) must have a nontrivial lattice point if its onedimensional volume is at least 2.
Now passing to higher dimensions, we see that the open cube (1, 1)N is a symmetric convex subset of volume 2N which meets no nontrivial lattice point, whereas for
1/N
1/N
any 0 < V < 2N the convex body [ V 2 , V 2 ]N meets no nontrivial lattice point
and has volume V . After some further experimentation, it is natural to suspect the
following result.
Theorem 150. (Minkowskis Convex Body Theorem) Suppose RN is a
convex body with Vol() > 2N . Then there exist integers x1 , . . . , xN , not all zero,
such that P = (x1 , . . . , xN ) .
1.2. First Proof of Minkowksis Convex Body Theorem.
Step 0: By Corollary 149, 12 is also a convex body of volume
1
1
Vol( ) = N Vol() > 1.
2
2
Moreover contains a nonzero integral point P ZN i 12 contains a nonzero
half-integral point a nonzero P such that 2P ZN . So it suces to show:
for any convex body RN with volume greater than one, there exist integers
x1 , . . . , xN , not all zero, such that P = ( x21 , . . . , x2N ) lies in .
Step 1: Observe that if contains P and Q, by central symmetry it contains
Q and then by convexity it contains 12 P + 12 (Q) = 12 P 21 Q.
Step 2: For a positive integer r, let L(r) be the number of 1r -lattice points of ,
i.e., points P RN such that rP ZN . By Lemma 147, is Jordan measurable, and then by [Theorem 3, Gausss Circle Problem], limr L(r)
= Vol().
rN

150

13. MINKOWSKIS CONVEX BODY THEOREM

Since Vol() > 1, for suciently large r we must have L(r) > rN . Because
#(Z/rZ)N = rN , by the pigeonhole principle there exist distinct integral points
P = (x1 , . . . , xN ) = Q = (y1 , . . . , yN )
such that

and xi yi (mod r) for all i. By Step 1 contains

(
)
(
)
(
)
1 1
1 x1 y 1
xN yN
1 1
R :=
P
Q =
,...,
.
2 r
2 r
2
r
r

1
1
r P, r Q

1
N
But xi yi (mod r) for all i and therefore 1r (P Q) = ( x1 y
, . . . , xN y
) ZN
r
r
1 1
and thus R = 2 ( r (P Q)) is a half integral point lying in : QED!

1.3. Second Proof of Minkowskis Convex Body Theorem.

We rst introduce some further terminology.
Let RN be a bounded Jordan measurable set. Consider the following set

P () :=
x + ;
xZN

that is, P () is the union of the translates of by all integer points x. We say
that is packable if the translates are pairwise disjoint, i.e., if for all x = y ZN ,
(x + ) (y + ) = .
Example: Let = B0 (r) be the open disk in RN centered at the origin with
radius r. Then is packable i r 12 .
Example: For r > 0, let = [0, r]N be the cube with side length r and one
vertex on the origin. Then if packable i r < 1, i.e., i Vol() < 1. Also the
open cube (0, 1)N is packable and of volume one.
These examples serve to motivate the following result.
Theorem 151. (Blichfeldts Theorem) If a bounded, Jordan measurable subset
RN is packable, then Vol() 1.
Proof. Suppose that is packable, i.e., that the translates {x + | x ZN }
are pairwise disjoint. Let d be a positive real number such that every point of
lies at a distance at most d from the origin (the boundedness of is equivalent to
d < ).
Let B r (0) be the closed ball of radius r centered at the origin. It has volume
c(N )rN where c(N ) depends only on N .1 By our work on Gausss Circle Problem,
we know that the number of lattice points inside B r (0) is asymptotic to c(N )rN .
Therefore the number of lattice points inside B rd (0) is asymptotic, as r ,
to c(N )(r d)N c(N )rN . Therefore for any xed > 0, there exists R such
that r R implies that the number of lattice points inside B rd (0) is at least
(1 )c(N )rN .
Now note that if x ZN is such that ||x|| r d, then the triangle inequality
1The values of c(N ) are known of course c(2) = and c(3) = 4 are familiar from our
3
2

mathematical childhood, and later on you will be asked to compute c(4) = 2 . But as you will
shortly see, it would be pointless to substitute in the exact value of c(N ) here.

1. THE CONVEX BODY THEOREM

151

gives x + B 0 (r). Then, if is packable, then we have at least (1 )c(N )rN

pairwise disjoint translates of contained inside B 0 (r). Therefore we have
c(N )rN = Vol(B r (0)) Vol(P () B r (0)) (1 )c(N )rN Vol(),
and therefore
1
.
1
Since this holds for all > 0, we conclude Vol() 1.
Vol()

Remark: The reader who knows about such things will see that the proof works
verbatim if is merely assumed to be bounded and Lebesgue measurable.
Now we use Blichfeldts Theorem to give a shorter proof of Minkowksis Theorem. As in the rst proof, after the rescaling 7 12 , our hypothesis is that is
a convex body with Vol() > 1 and we want to prove that contains a nonzero
point with half-integral coordinates. Applying Blichfeldts Lemma to , we get
x, y ZN such that (x + ) (y + ) is nonempty. In other words, there exist
P, Q such that x + P = y + Q, or P Q = y x ZN . But as we saw
above, any convex body which contains two points P and Q also contains Q and
therefore 12 P 12 Q = 12 (P Q), which is a half-integral point.
1.4. Minkowskis Theorem Mark II.
Let RN . In the last section we considered the eect of a dilation on :
we got another subset , which was convex i was, centrally symmetric i
was, and whose area was related to in a predictable way.
Note that dilation by R>0 can be viewed as a linear automorphism of
RN : that is, the map (x1 , . . . , xn ) 7 (x1 , . . . , xn ) is an invertible linear map.
Its action on the standard basis e1 , . . . , eN of RN is simply ei 7 ei , so its matrix
representation is

0 0 ... 0
0 0 ... 0

: RN RN , (x1 , . . . , xn )t 7 .
(x1 , . . . , xn )t .
..

...

Now consider a more general linear automorphism M : RN RN , which we may

identify with its dening matrix M GLN (R) (i.e., M = (mij ) is an N N real
matrix with nonzero determinant). We will now state and prove the following
generalization of the dilation lemma to arbitrary linear automorphisms:
Lemma 152. Let be a subset of RN and M : RN RN be an invertible
linear map. Consider the image
M () = {M (x1 , . . . , xn )t | (x1 , . . . , xn ) }.
a) is nonempty M () is nonempty.
b) is bounded M () is bounded.
c) is convex M () is convex.

152

13. MINKOWSKIS CONVEX BODY THEOREM

d) is centrally symmetric M () is centrally symmetric.

e) is Jordan measurable M () is Jordan measurable, and if so,
Vol(M ()) = | det(M )| Vol().
Proof. Part a) is quite obvious. Part b) holds with M replaced by any homeomorphism of RN : i.e., a continuous map from RN to itself with continuous inverse,
because a subset of RN is bounded i it is contained in a compact subset, and
the image of a compact subset under a continuous function is bounded. Part c)
is true because the image of a line segment under a linear map is a line segment.
Part d) follows because of the property M (v) = M v of linear maps. As for
part e), the preservation of Jordan measurability follows from the fact that an
image of a set of measure zero under a linear map has measure zero. The statement about areas is precisely what one gets by applying the
change of variables
(x1 , . . . , xN ) 7 (y1 , . . . , yN ) = M (x1 , . . . , xN ) in the integral RN 1dx1 dxN . 
Corollary 153. If RN is a convex body and M : RN RN is an invertible linear map, then M () is a convex body, and Vol(M ()) = | det(M )| Vol().
Recall that the lattice points inside r are precisely the 1r -lattice points inside .
This generalizes to arbitrary transformations as follows: for M GLN (R), put
:= M ZN = {M (x1 , . . . , xN )t | (x1 , . . . , xN ) ZN .
The map : ZN AZN is an isomorphism of groups, so AZN is, abstractly,
simply another copy of ZN . However, it is embedded inside RN dierently. A nice
geometric way to look at it is that ZN is the vertex set of a tiling of RN by unit
(hyper)cubes, whereas is the vertex set of a tiling of RN by (hyper)parallelopipeds.
A single parallelopiped is called a fundamental domain for , and the volume of
a fundamental domain is given by | det(M )|.2 We sometimes refer to the volume of
the fundamental domain as simply the volume of and write
Vol() = | det(M )|.
Now the fundamental fact a sort of gure-ground observation is the following:
Proposition 154. Let RN and let M : RN RN be an invertible linear
map. Then M induces a bijection between M 1 (ZN ) and ZN M ().
If the statement is understood, the proof is immediate!
Applying this (with M 1 in place of M ) gives the following: if we have a lattice = M ZN , and a convex body , the number of points of is the same
as the number of points of ZN M 1 (). Since
Vol(M 1 ()) = | det(M 1 )| Vol() =

Vol()
Vol()
=
,
det(M )
Vol(M )

we immediately deduce a more general version of Minkowksis theorem.

2This is the very important geometric interpretation of determinants, which we would like to
assume is familiar from linear algebra. Although we have some concerns as to the validity of this
assumption, we will stick with it nonetheless.

1. THE CONVEX BODY THEOREM

153

Theorem 155. (Minkowksis Theorem Mark II) Let RN be a convex body.

Let M : RN RN be an invertible linear map, and put M = M (ZN ). Suppose
that
Vol() > 2N Vol(M ) = 2N | det(M )|.
Then there exists x (M \ (0, . . . , 0)).
1.5. Comments and complements.
Theorem 150 was rst proved in an 1896 paper of H. Minkowksi, and is treated
at further length in Minkowskis 1910 text Geometrie der Zahlen [?, pp. 73-76].
Another proof is given in his 1927 Diophantische Approximationen [?, pp. 28-30].
Theorem 151 appears in a 1914 paper of H.F. Blichfeldt [?], and the connection
to Minkowksis theorem is noted therein. Our rst proof of Theorem 150 which
seems to me to be the most direct is due to Louis Joel Mordell [?].
Blichfeldts theorem is equivalent to the following result:
Theorem 156. Let RN be a bounded (Jordan or Lebesgue) measurable
subset of volume greater than one. Then there exists x RN such that the translate
x + contains at least two integral points.
We leave the proof as an exercise.
There is also a rotational analogue of Blichfeldts theorem:
Theorem 157. (J. Hammer [?]) Let RN be a convex body. If the volume
of is greater than c(N ), the volume of the unit ball in RN , then there exists an
orthogonal matrix M O(N ) such that M contains a nonzero lattice point.
The proof is not so hard, but it uses some further facts about convex bodies.
Minkowskis theorem is often regarded as the fundamental theorem upon which
an entire eld, the geometry of numbers, is based. Because of this, it is not surprising that many mathematicians including Minkowksi himself and C.L. Siegel
have given various renements over the years. Below we describe one such renement which can be proved along similar lines.
First, we may allow the nonempty, centrally symmetric convex set RN to be
unbounded. In order to do this, we need to make sense of Jordan measurability
and
volume for an unbounded subset . Since we still want to dene Vol() = RN 1 ,
it comes down to dening what it means for a function dened on an unbounded
subset of RN to be Riemann integrable. Evidently what we want is an improper
multivariable Riemann integral. Recall that for improper integrals over the real
line, if the function f is allowed to take both positive and negative values then we
need to be extremely precise about the sense in which the limits are taken, but if f
is a non-negative function all roads lead to the same answer. Note that characteristic functions are non-negative. So the following denition is simple and reasonable:
Let f : RN [0, ) be a function such that the restriction of f to any rectangle

154

13. MINKOWSKIS CONVEX BODY THEOREM

[a, b] =

i=1 [ai , bi ]

is Riemann integrable. Then we dene

f = sup
f,
RN

[a,b]

where the supremum ranges all integrals over all rectangles. Note that such an
improper integral is always dened although it may be : for instance it will be if
we integrate the constant function 1 over RN .
Theorem 158. (Rened Minkowski Theorem) Let RN be a nonempty
centrally symmetric convex subset.
a) Then #( ZN ) 2( Vol()
1) + 1.
2N
) + 1.
b) If is closed and bounded, then #( ZN ) 2( Vol()
2N
In other words, part a) says that if for some positive integer k we have Vol() is
strictly greater than k 2N , then contains at least 2k nonzero lattice points (which
necessarily come in k antipodal pairs P , P ). Part b) says that the same conclusion holds in the limiting case Vol() = k 2N provided is closed and bounded.
There are analogous renements of Blichfeldts theorem; moreover, by a linear
change of variables we can get a Rened Mark II Minkowski Theorem with the
standard integral lattice ZN replaced by any lattice = M ZN , with a suitable
correction factor of Vol() thrown in.
We leave the proof of Theorem 158 and the statements and proofs of these other
renements as exercises for the interested reader.
2. Diophantine Applications
2.1. The Two Squares Theorem Again.
Suppose p = 4k + 1 is a prime number.
By Fermats Lemma (Lemma 2 of Handout 4), there exists u Z such that u2 1
(mod p): equivalently, u has order 4 in (Z/pZ) . Dene
[
]
1 0
M :=
.
u p
We have det(M ) = p2 , so := M Z2 denes a lattice in R2 with
Vol() = det(M ) Vol(Z2 ) = p.
If (t1 , t2 ) Z2 and (x1 , x2 )t = M (t1 , t2 )t , then
x21 + x22 = t21 + (ut1 + pt2 )2 (1 + u2 )t21 0 (mod p).
Now let

= B0 ( 2p) = {(x, y) R2 | x2 + y 2 < 2p}

be the open ball of radius 2 p about the origin in R2 . We have

Vol = ( 2p)2 = 2p > 4p = 22 Vol ,

so by Minkowskis Theorem Mark II there exists (x1 , x2 ) with
0 < x21 + x22 < 2p.

2. DIOPHANTINE APPLICATIONS

155

Since p | x21 + x22 , the only possible conclusion is

x21 + x22 = p.
2.2. The Four Squares Theorem.
Lemma 159. (Eulers Identity) For any integers a1 , . . . , a4 , b1 , . . . , b4 , we have
(a21 + a22 + a23 + a24 )(b21 + b22 + b23 + b24 ) = (a1 b1 a2 b2 a3 b3 a4 b4 )2 +
(a1 b2 +a2 b1 +a3 b4 a4 b3 )2 +(a1 b3 a2 b4 +a3 b1 +a4 b2 )2 +(a1 b4 +a2 b3 a3 b2 +a4 b1 )2 .


Proof. Exercise!

Thus the set of sums of four integer squares is closed under multiplication. Since
1 = 12 + 02 + 02 + 02 is a sum of four squares, it suces to show that each prime p
is a sum of four squares. Since 2 = 12 + 12 + 02 + 02 , we may assume p > 2.
Lemma 160. The (four-dimensional) volume of a ball of radius r in R4 is

2 4
2 r .

Proof. Exercise!
Lemma 161. For a prime p > 2 and a Z, there exist r, s Z such that
r2 + s2 a (mod p).

p1
p+1
Proof. There are p1
2 nonzero squares mod p and hence 2 +1 = 2 squares
2
2
mod p. Rewrite the congruence as r a s (mod p). Since the map Fp Fp
given by t 7 a t is an injection, as x ranges over all elements of Fp both the left
p+1
p+1
and right hand sides take p+1
2 distinct values. Since 2 + 2 > p, these subsets
cannot be disjoint, and any common value gives a solution to the congruence. 

Theorem 162. (Lagrange) Every positive integer is a sum of four integral

squares.
Proof. By Lemma 161, there are
Dene

p
0
M =
0
0

r, s Z such that r2 + s2 + 1 0 (mod p).

0 r
p s
0 1
0 0

s
r
.
0
1

We have det(M ) = p2 , so := M Z4 denes a lattice in R4 with

Vol() = det(M ) Vol(Z4 ) = p2 .
If (t1 , t2 , t3 , t4 ) Z4 and (x1 , x2 , x3 , x4 ) := M (t1 , t2 , t3 , t4 ) then
x21 + x22 + x23 + x24 = (pt1 + rt3 + st4 )2 + (pt2 + st3 rt4 )2 + t23 + t24
t23 (r2 + s2 + 1) + t24 (r2 + s2 + 1) 0 (mod p).
Now let

= B0 ( 2p) = {(x1 , x2 , x3 , x4 ) R4 | x21 + x22 + x23 + x24 < 2p}

be the open ball of radius 2p about the origin in R4 . Using Lemma 160 we have
2 4
( 2p) = 2 2 p2 > 16p2 = 24 Vol ,
Vol() =
2

156

13. MINKOWSKIS CONVEX BODY THEOREM

so by Minkowskis Theorem Mark II there exists (x1 , . . . , x4 ) with

0 < x21 + x22 + x23 + x24 < 2p.
Since p | x21 + x22 + x23 + x24 , the only possible conclusion is
x21 + x22 + x23 + x24 = p.

2.3. Vista: Testing for a PID.
The preceding applications were very pretty, but in that they give new proofs of
old theorems do not really serve to illustrate the power and utility of Minkowksis
Convex Body Theorem. A much deeper application is to the computation of the
class number of a number eld K. Although it will be beyond us to give proofs,
we feel the concept is so important that we should at least sketch out the statement.
Let K be any number eld, i.e., a eld which contains Q as a subeld and is
nite-dimensional as a Q-vector space, say of dimension d. To a number eld we
attach its ring of integers ZK . This is the set of all elements in K which
satisfy a monic polynomial with integral coecients: i.e., for which there exist
a0 , . . . , an1 Z such that
n + an1 n1 + . . . + a1 + a0 = 0.
It is not hard to show that ZK is indeed a subring of K: this is shown in Handout A3.
But more is true: if d is the degree of K over Q, then there exist 1 , . . . , d ZK
such that every element ZK can uniquely be expressed as a Z-linear combination of the i s:
= a1 1 + . . . + ad d , ai Z.
Such a d-tuple (1 , . . . , d ) of elements of ZK is called an integral basis.
Example: Let K = Q. Then ZK = Z, and 1 = 1 is an integral basis.
Example: Let K/Q be a quadratic
extension, so that
there exists a squarefree integer d = 0, 1 such that K = Q( d). Observe that d, satisfying
the monic
polyno

mial t2 d, is an element of ZK , as is the entire subring Z[ d] = {a+b d | a, b Z}

that it generates. With d = 1, thisis just the ring of Gaussian integers, which is
indeed the full ring of integers of Q( 1).
In general things are more subtle: it turns out that if d 2, 3 (mod
4) then

ZK = Z[ d]; however if d 1 (mod 4) then the element d := 1+2 d may not

look like an algebraic integer but it satsies the monic polynomial t2 + t + 1d
4
(which has Z-coecients
since
d

1
(mod
4))
so
in
fact
it
is,
and
in
this
case

ZK = Z[d ] = {a + b( 1+2 d ) | a, b Z}.

Example: LetK = Q(n ) obtained by adjoining to Q a primitive nth root of unity.
Then it is easy to see that n is an algebraic integer, and in this case it can be
shown that ZK = Z[n ] is the full ring of integers.
It is rare to be able to write down an integral basis by pure thought; however,
there exists a straighforward algorithm which, given any single number eld K,

2. DIOPHANTINE APPLICATIONS

157

computes an integral basis for K (the key word here is discriminant, but no more
about that!).
Question 8. For which number elds K is ZK a principal ideal domain?
This is absolutely one of the deepest and most fundamental number-theoretic questions because, as we have seen, in trying to solve a Diophantine equation we are
often naturally led to consider arithmetic in aring of integers ZK e.g., in studying
the equation x2 dy 2 = n we take K = Q( d) and in studying xn + y n = z n we
take K = Q(n ). If ZK turns out to be a PID, we can use Euclids Lemma, a
formidable weapon. Indeed, it turns out that a common explanation of each of the
classical success stories regarding these two families of equations (i.e., theorems of
Fermat, Euler and others) is that the ring ZK is a PID.
Gauss conjectured that there are innitely many squarefree
d > 0 such that the

ring of integers of the real quadratic eld K = Q( d) is a PID. This is still unknown; in fact, for all we can prove there are only nitely many number elds K (of
any and all degrees!) such that ZK is a PID. In this regard two important goals are:
(i) To give an algorithm that will decide, for any given K, whether ZK is a PID;
(ii) When it isnt, to quantify the failure of uniqueness of factorization in ZK .
For this we dene the concept of class number. If R is any integral domain,
we dene an equivalence relation on the set I(R) of nonzero ideals of R. Namely
we put I J i there exist nonzero elements a, b R such that (a)I = (b)J.
This partitions all the nonzero ideals into equivalence classes, simply called ideal
classes.3 The class number of R is indeed the number of classes of ideals. For
an arbitrary domain R, the class number may well be innite.
The point here is that there is one distinguished class of ideals: an ideal I is
equivalent to the unit ideal R = (1) i it is principal. It follows that R is a PID
i its class number is equal to one. Therefore both (i) and (ii) above would be
addressed if we can compute the class number of an arbitrary ring of integers ZK .
This is exactly what Minkowski did:
Theorem 163. (Minkowski) Let K be any number eld.
a) The ideals of the ring ZK of integers of K fall into nitely many equivalence
classes; therefore K has a well-dened class number h(K) < .
b) There is an explicit upper bound on h(K) in terms of invariants of K which can
be easily computed if an integral basis is known.
c) There is an algorithm to compute h(K).
The proof is not easy; apart from the expected ingredients of more basic algebraic
number theory, it also uses, crucially, Theorem 150!
As an example of the usefulness of the class number in quantifying failure of
3In fact, the use of the term class in mathematics in the context of equivalence relations
can be traced back to this very construction in the case of R = ZK the ring of integers of an
imaginary quadratic eld K, which was considered by Gauss in his Disquisitones Arithmeticae.

158

13. MINKOWSKIS CONVEX BODY THEOREM

factorization even when ZK is not a UFD, we note that Lame erroneously believed
he could prove FLT for all odd primes p because he assumed (implicitly, since the
concept was not yet clearly understood) that Z[p ] was always a PID. Lames proof
is essentially correct when the class number of Q(p ) is equal to one, which is some
progress from the previous work on FLT, but unforunately this happens i p 19.
Kummer on the other hand found a sucient condition for FLT(p) to hold which
turns out to be equivalent to: the class number of Q(p ) is not divisible by p.
This condition, in turn, is satised for all p < 200 except for 37, 59, 67, 101, 103,
131, 149, and 157; and conjecturally for a subset of the primes of relative density
1
e 2 0.61. Note nally that this remains conjectural to this day while FLT has
been proven: the study of class numbers really is among the deepest and most
dicult of arithmetic questions.
2.4. Comments and complements.
As is the case for many of the results we have presented, one of the attractions
of Theorem 162 is its simple statement. Anyone who is inquisitive enough to wonder which integers can be written as a sum of four squares will eventually conjecture
the result, but the proof is of course another matter. Apparently the rst recorded
statement without proof is in the Arithmetica of Diophantus of Alexandria,
some time in the third century AD. Diophantus text entered into the mathematical consciousness of Renaissance Europe through Gaspard Bachets 1620 Latin
translation of the Arithmetica.
Famously, Fermat was an ardent reader of Bachets book, and he saw and
claimed a proof of the Four Squares Theorem. As we have already mentioned, with
one exception (FLT for n = 4) Fermat never published proofs, making the question
of exactly which of his theorems he had actually proved a subject of perhaps eternal debate. In this case the consensus among mathematical historians seems to be
skepticism that Fermat actually had a proof. In any case, the proof was still much
sought after Fermats death in 1665. Euler, one of the greatest mathematicians of
the 18th century, labored for 40 years without nding a proof. Finally the theorem
was proved and published in 1770 by the younger and equally great4 Italian-French
mathematician Joseph-Louis Lagrange.
There are many quite dierent looking proofs of the Four Squares Theorem. It
There are proofs which are completely elementary, i.e., which neither require nor
introduce any extraneous concepts like lattices. The most pedestrian proof begins as ours did with Eulers identity and Lemma 161. From this we know that it
suces to represent any prime as a sum of four squares and also that for any prime
p, some positive integer multiple mp is of the form r2 + s2 + 12 and in particular a
sum of four squares, and the general strategy is to let m0 be the smallest integral
multiple of p which is a sum of four squares and to show, through a descent
argument, that m0 = 1. Lagranges original proof followed this strategy, and many
elementary number theory texts contain such a proof, including Hardy and Wright.
Another proof, which has the virtue of explaining the mysterious identity of Lemma
4In quality at least. No one has ever equalled Euler for quantity, not even the famously
prolic and relatively long-lived twentieth century mathematician Paul Erd
os, although there are
one or two living mathematicians that might eventually challenge Euler.

2. DIOPHANTINE APPLICATIONS

159

159 proceeds in analogy to our rst proof of the two squares theorem: it works in
a certain (non-commutative!) ring of integral quaternions. Quaternions play
a vital role modern number theory, but although it is not too hard to introduce
enough quaternionic theory to prove the Four Squares Theorem (again see Hardy
and Wright), one has to dig deeper to begin to appreciate what is really going on.
Yet another proof uses the arithmetic properties of theta series; this leads to an
exact formula for r4 (n), the number of representations of a positive integer as a
sum of four squares. In this case, to understand what is really going on involves
discussion of the arithmetic theory of modular forms, which is again too rich for
our blood (but we will mention that modular forms and quaternions are themselves
quite closely linked!); and again Hardy and Wright manage to give a proof using
only purely formal power series manipulations, which succeeds in deriving the formula for r4 (n).
Regarding generalizations of Theorem 162, we will only mention one: a few months
before Lagranges proof, Edward Waring asserted that every number is a sum of
four squares, nine cubes, nineteen biquadrates [i.e., fourth powers] and so on. In
other words, Waring believed that for every positive integer k there exists a number
n depending only on k such that every positive integer is a sum of n non-negative
kth powers. If so, we can dene g(k) to be the least such integer k. Evidently the
Four Squares Theorem together with the observation that 7 is not a sum of three
squares, give us g(2) = 4. That g(k) actually exists for all k is by no means obvious,
and indeed was rst proven by David Hilbert in 1909. We now know the exact value
of g(k) for all k; that g(3) = 9 was established relatively early on (Wieferich, 1912),
but g(4) was the last value to be established, by Balasubramanian in 1986: indeed
g(4) = 19, so all of Warings conjectures turned out to be correct.
Of more enduring interest is the quantity G(k), dened to be the least positive
integer n such that every suciently large positive integer can be written as a sum
of n non-negative kth powers: i.e., we allow nitely many exceptions. Since for all
k, 8k + 7 is not even a sum of three squares modulo 8, none of these innitely many
integers are sums of three squares, so g(2) = G(2) = 4. On the other hand it is
known that G(3) 7 < 9 = g(3), and it morever suspected that g(3) = 4, but this
is far from being proven. Indeed only one other value of G is known.
Theorem 164. (Davenport, 1939) G(4) = 16.
Getting better bounds on G(k) is an active topic in contemporary number theory.

CHAPTER 14

The Chevalley-Warning Theorem

1. The Chevalley-Warning Theorem
In this chapter we shall discuss a result that was conjectured by Emil Artin in
1935 and proved shortly thereafter by Claude Chevalley. A renement was given
by Artins student Ewald Warning, who, as the story goes, was the one whom
Artin had intended to prove the theorem before Chevalley came visiting Gottingen
and got Artin to say a little too much about the problem his student was working on.
One of the charms of the Chevalley-Warning theorem is that it can be stated and
appreciated without much motivational preamble. So lets just jump right in.
1.1. Statement of the theorem(s).
Let q = pa be a prime power, and let Fq be a nite eld of order q. We saw
earlier in the course that there exists a nite eld of each prime power cardinality.1
For the reader who is unfamiliar with nite elds, it may be a good idea to just
replace Fq with Fp = Z/pZ on a rst reading, and then afterwards look back and
see that the assumption of an arbitrary nite eld changes nothing.
Theorem 165. (Chevalleys Theorem) Let n, d1 , . . . , r be positive integers such
that d1 + . . . + dr < n. For each 1 i r, let Pi (t1 , . . . , tn ) Fq [t1 , . . . , tn ] be a
polynomial of total degree di with zero constant term: Pi (0, . . . , 0) = 0. Then there
exists 0 = x = (x1 , . . . , xn ) Fnq such that
P1 (x) = . . . = Pr (x) = 0.
Exercise 1: Suppose we are
given any system of polynomials P1 (t), . . . , Pr (t) in n
variables t1 , . . . , tn with i deg(Pi ) < n. Deduce from Chevalleys that if there
exists at least one x Fnq such that P1 (x) = . . . = Pr (x), then there exists y = x
such that P1 (y) = . . . = Pr (y).
(Hint: Make a change of variables to reduce to Chevalleys theorem.)
In other words, Exercise 1 asserts that a system of polynomials in n variables
over Fq cannot have exactly one common solution, provided the sum of the degrees
is less than n. Warnings theorem gives a generalization:
Theorem 166. (Warnings Theorem) Let n, d1 , . . . , r be positive integers such
that d1 + . . . + dr < n. For each 1 i r, let Pi (t1 , . . . , tn ) Fq [t1 , . . . , tn ] be a
polynomial of total degree di . Let
Z = #{(x1 , . . . , xn ) Fnq | P1 (x1 , . . . , xn ) = . . . = Pr (x1 , . . . , xn ) = 0.}
1It can be shown that any two nite elds of the same order are isomorphic see any text
on eld theory but we dont need this uniqueness statement here.
161

162

14. THE CHEVALLEY-WARNING THEOREM

Then Z 0 (mod p).

Arin had conjectured the following special case:
Corollary 167. Let P (t1 , . . . , tn ) F[t1 , . . . , tn ] be a homogeneous polynomial
of degree d in n variables over a nite eld F. If n > d then there exists (0, . . . , 0) =
(x1 , . . . , xn ) Fn such that P (x1 , . . . , xn ) = 0.
In in the sequel, we will refer to any of Theorem 165, Theorem 166 or Corollary
167 as the Chevalley-Warning theorem.
1.2. Applications to Quadratic Forms.
Taking d = 1 Corollary 167 asserts that any homogenous linear equation at1 +bt2 =
0 (with a and b not both 0) over a nite eld has a nonzero solution. Of course linear
algebra tells us that the solution set to such an equation is a one-dimensional vector space, and this holds over any eld, innite or otherwise. So this is a trivial case.
Already the case d = 2 is much more interesting. A homogeneous polynomial
of degree 2 is called a quadratic form. For simplicity, we shall for the most part
consider here only nondegenerate diagonal forms over a eld F ,2 i.e.,
q(x) = q(x1 , . . . , xn ) = a1 x21 + . . . + an x2n , x1 , . . . , xn F, x1 xn = 0.
For some elds F , no matter how large we take n to be, we can still choose the
coecients so that q(x) = 0 has no nontrivial solution. For instance, consider the
sum of squares form
qn (x) = x21 + . . . + x2n .
This has no nontrivial solution over the real numbers, or over any subeld of R.
Proposition 168. Let F be any eld, and consider the form qa (x) = x21 + ax22 .
a) The form q2,a has a nontrivial solution i there exists F such that 2 = a.
b) Therefore if F = Fq , q = pa , then q2,1 (x) = x21 + x22 has a nontrivial solution i
p = 2, p 1 (mod 4) or a is even.
Exercise 2: Prove Proposition 168.
Exercise 3: a) Suppose F is a eld (of
characteristic dierent from 2) which admits
a quadratic eld extension K = F ( ). Deduce that there exists a binary quadratic form q2,a (x) over F which has no nontrivial solution.
b) For any odd q = pa , show that there exists a binary quadratic form q over Fq
with only the trivial solution. Can you write one down explicitly?
c)* Show that the conclusion of part b) still holds when q is even, although in this
case one has to take a nondiagonal form q(x, y) = ax2 + bxy + cy 2 = 0.
According to Corollary 167, any quadratic form in at least three variables over
a nite eld has a nontrivial solution. This is quite dierent from the situation for
F = R or F = Q. And it has many useful consequences, e.g.:
2When the characteristic of F is not 2, one can diagonalize every quadratic form by making
a linear change of variables, so no generality is lost by restricting to the diagonal case.

2. TWO PROOFS OF WARNINGS THEOREM

163

Proposition 169. Let F be a eld of characteristic dierent from 2 in which

each quadratic form in three variables has a nontrivial solution. Then, for any
a, b, c F , there exist x, y F such that
ax2 + by 2 = c.
Proof. In other words, we are claiming that the inhomogeneous equation
ax2 + by 2 = c has a solution over F . To see this, we homogenize: introduce a
third variable z and consider the equation: ax2 + by 2 cz 2 = 0. By Corollary 167
there are x0 , y0 , z0 K, not all zero, such that ax20 + by02 = cz02 . If z0 = 0, then
we can divide through, getting
( )2
( )2
x0
y0
a
+b
= c.
z0
z0
If z0 = 0, this doesnt work; rather, we get a nontrivial solution (x0 , y0 ) to ax20 +
by02 = 0. Dividing by a we get x20 + ( ab )y02 = 0. But as above this can only happen if
b
2
2
2 2
a = t is a square in K, and then we can factor q(x) = x t y = (x+ty)(xty).
This gives us a lot more leeway in solving the equation. For instance, we could factor
c as c 1 and give ourselves the linear system
x + ty = c
x ty = 1
c1
which has a solution (x, y) = ( c+1
2 , 2 ). Note that it is here that we use the
hypothesis that the characteristic of K is not 2.

In particular this gives an alternate (much more sophisticated!) proof of [Minkowskis
Theorem Handout, Lemma 15].
2. Two proofs of Warnings theorem
2.1. Polynomials and polynomial functions.
We begin with a discussion about polynomials as ring elements versus polynomials as functions which is of interest in its own right. (In fact, it is because of the
interest of these auxiliary results that we have chosen to include this proof.)
Let R be an integral domain and R[t1 , . . . , tn ] be the polynomial ring in n indeterminates over R. An element P (t) = P (t1 , . . . , tn ) R[t1 , . . . , tn ] is a purely
formal object: it is a nite R-linear combination of monomial terms, which are
added and multiplied according to simple formal rules.
Note that this is not the perspective on polynomials one encounters in calculus and
analysis. For instance a univariate polynomial P (t) = an tn + . . . + a1 t + a0 R[t]
is regarded as a function from R to R, given of course by x 7 P (x). Similarly for
multivariable polynomials: P (t1 , . . . , tn ) R[t1 , . . . , tn ] may be dened by the same
formal R-linear combination of monomial terms as above but that is just notation:
what matters is the function Rn R given by (x1 , . . . , xn ) 7 P (x1 , . . . , xn ). In
other words, a polynomial in n variables can be evaluated at any point of Rn .
Can these two perspectives be reconciled? A moments thought makes it clear

164

14. THE CHEVALLEY-WARNING THEOREM

that the evaluation of a polynomial is a perfectly algebraic operation: in other

words, given any domain R and element P (t) of the polynomial ring R[t1 , . . . , tn ],
we can evaluate P at any point (x1 , . . . , xn ) Rn , getting an element P (x1 , . . . , xn ).
To be formal about it, we have an evaluation map:
: R[t1 , . . . , tn ] 7 Map(Rn , R),
where by Map(Rn , R) we just mean the set of all functions f : Rn R. In fact this
map has some nice algebraic structure. The set Map(Rn , R) of all functions from
Rn to R can be made into a commutative ring in which addition and multiplication
are just dened pointwise:
(f + g)(x1 , . . . , xn ) = f (x1 , . . . , xn ) + g(x1 , . . . , xn ),
(f g)(x1 , . . . , xn ) = f (x1 , . . . , xn ) g(x1 , . . . , xn ).
It is straightforward to see that the evaluation map is then a homomorphism of
rings. Let us put
Pn := (R[t1 , . . . , tn ]) Map(Rn , R),
so that Pn is the ring of polynomial functions in n variables on R.
We are interested in the following question: if P (t), Q(t) R[t1 , . . . , tn ] are such
that for all (x1 , . . . , xn ) Rn we have P (x1 , . . . , xn ) = P (x1 , . . . , xn ) so that P
and Q give the same function from Rn to R must P (t) = Q(t) as elements of
R[t1 , . . . , tn ]? In other words, is injective?
I hope you know that in the familiar case of n = 1, R = R the answer is yes: two
real univariate polynomials which give the same function are term-by-term equal.
The proof is as follows: dene R(t) := P (t) Q(t). We are given that R(x) = 0
for all x R. But if R(x) were not the zero polynomial, it would have some degree
d 0 and basic (high school!) algebra shows that a polynomial over a eld of
degree d cannot have more than d roots. But R(x) has innitely many roots, so it
must be the identically zero polynomial.
Evidently this argument works for univariate polynomials over any innite eld.
The following is a stronger result:
Proposition 170. Let R be an innite integral domain and n Z+ . Then the
evaluation map
: R[t1 , . . . , tn ] Pn Map(Rn , R)
is a homomorphism of rings.
a) Moreover is injective.
b) However, is not surjective: not every function f : Rn R is given by a
polynomial.
Proof. a) Again it suces to show that if (P (t)) = 0, then P (t) is the zero
polynomial. If n = 1, we just showed this when R was a eld. But that argument
easily carries over, since every integral domain R can be embedded into a eld F
(namely its eld of fractions). If there existed a nonzero polynomial P (t) R[t]
such that there were innitely x R such that P (x) = 0, then since R F , there
are also innitely many x F such that P (x) = 0, contradiction. Assume now

2. TWO PROOFS OF WARNINGS THEOREM

165

that n > 1. In general the theory of polynomials of several variables is signcantly

harder than that of univariate polynomials, but here we can use a dirty trick:
R[t1 , . . . , tn1 , tn ] = R[t1 , . . . , tn1 ][tn ].
In other words, a polynomial P (t1 , . . . , tn ) in n variables over the integral domain
R may be viewed as a polynomial Q(tn ) := (P (t1 , . . . , tn1 ))(tn ) in one variable
over the integral domain Rn1 := R[t1 , . . . , tn1 ]. If P (x1 , . . . , xn ) = 0 for all
(x1 , . . . , xn ) Rn then, since R Rn1 , the univariate polynomial Q(tn ) has
innitely many roots in Rn1 and thus is identically zero by the above argument.
As for part b), for instance the function 10 : Rn R which maps 0 Rn to
1 and every other element of Rn to 0 is not a polynomial function. You are asked
to show this in Exercise 4 below. Another argument is by counting: for innite R,
the cardinality of R[t1 , . . . , tn ] is equal to the cardinality of R, whereas the total
n
number of functions from Rn to R has cardinality |R||R | = 2|R| > |R|, so most
functions are not polynomials.

Exercise 4: Let R be an innite integral domain and n Z+ . Show that the characteristic function 10 of the origin i.e., the function which maps 0 = (0, . . . , 0)
to 1 and every other element of Rn to zero is not a polynomial function. (Hint:
restrict the function 10 to a line passing through the origin, and thereby reduce to
the case n = 1.)
We shall not need Proposition 170 later on, but it is interesting to contrast the
innite case with the nite case. First of all:
Lemma 171. Let R = Fq be a nite integral domain (necessarily a eld). Then
every function f : Fnq Fq is given by a polynomial.
Proof. We rst express the function 10 , which takes 0 to 1 and every other
q1
= 0, we
element to 0, as a polynomial. Indeed, since xq1 = 1 for x F
q and 0
n
have for all x = (x1 , . . . , xn ) Fq that
10 (x) =

(1 xq1
).
i

i=1

For an arbitrary function f :

(38)

Fnq

Pf (t) :=

F, dene

yFn
q

f (y)

(1 (ti yi )q1 ).

i=1

Every term in the sum with y = x yields zero, and the term y = x yields f (x).

On the other hand, over a nite eld Fq , a nonzero polynomial may evaluate to the
zero function: indeed tq t is a basic one variable example. There is no contradiction here because a nonzero
polynomial over a domain cannot have more roots
than its degree, but tq t = aFq (t a) has exactly as many roots as its degree.
Moreover, no nonzero polynomial of degree less than q could lie in the kernel of
the evaluation map, so tq t is a minimal degree nonzero element of Ker(). But,
since Fq [t] is a PID, every nonzero ideal I is generated by its unique monic element
of least degree, so Ker() = tq t.
We would like to compute Ker() in the multivariable case. Reasoning as above it

166

14. THE CHEVALLEY-WARNING THEOREM

is clear that for all 1 i n the polynomials tqi ti must lie in the kernel of the
evaluation map, so at least we have J = tq1 t1 , . . . , tqn tn Ker(). We will
see that in fact J = Ker(). We can even do better: for each polynomial P (t) we
can nd a canonical element P of the coset P (t) + Ker().
The key idea is that of a reduced polynomial. We say that a monomial cta1 1 tann
is reduced if ai < q for all i. A polynomial P Fq [t] is reduced if each of its
nonzero monomial terms is reduced. Equivalently, a reduced polynomial is one for
which the total degree in each variable is less than q.
Example: The polynomial Pf (t) above is a sum of polynomials each having degree q 1 in each variable, so is reduced.
Exercise 5: The reduced polynomials form an Fq -subspace of Fq [t1 , . . . , tn ], with a
basis being given by the reduced monomials.
The idea behind the denition is that if in a monomial term we had an exponent tai i with ai q, then from the perspective of the associated function this is
just wasteful: we have
q+(ai q)

xai i = xi

a (q1)

= xqi xai i q = xi xai i q = xi i

Thus by a sequence of elementary reductions of this type we can convert any

polynomial P into a reduced polynomial P . Moreover, a little reection makes
clear that P P J.
Is it possible for a given polynomial P to be congruent modulo Ker() to more
than one reduced polynomial? Well, the reduced polynomials form an Fq -vector
subspace of the space of all polynomials with basis given by the reduced monomials,
n
of which there are q n , so the total number of reduced polynomials is q q . In fact this
n
is also the total number of functions from Fq to Fq . Since we know that every function is given by some reduced polynomial, it must be that evaluation map restricted
to reduced polynomials is a bijection. Finally, since we showed that every polynon
mial was equivalent modulo J to a reduced polynomial, so that #Fq [t]/J q q .
n
qn
By surjectivity of we know #Fq [t]/ Ker() = # Map(Fq , Fq ) = q . Therefore
the quotient map Fq [t]/J Fq [t]/ Ker() is a bijection and hence J = Ker().
Remark: More standard is to prove that a nonzero reduced polynomial does not
induce the zero function by induction on the number of variables. Then the surjectivity of can be deduced from the injectivity on reduced polynomials by noticing,
as we did, that the domain and codomain are nite sets with the same cardinality.
Our treatment here is undeniably more complicated than this, but also seems more
interesting. It will also smooth the way for our rst proof of Warnings theorem.
Let us summarize all the preceding results:
Theorem 172. (Polynomial evaluation theorem) Let R be an integral domain
and n Z+ . Let : R[t] = R[t1 , . . . , tn ] Map(Rn , R) be the homomorphism
of rings obtained by associating to each polynomial the corresponding polynomial
function x = (x1 , . . . , xn ) 7 P (x).

2. TWO PROOFS OF WARNINGS THEOREM

167

a) If R is innite, then is injective but not surjective: every function f : Rn R

is represented by at most one polynomial, and there exist functions not represented
by any polynomial.
b) If R is nite, then is surjective but not injective: its kernel is the ideal tq1
t1 , . . . , tqn tn . Thus every function f : Rn R is represented by innitely
many polynomials. Moreover, for each f there exists a unique reduced polynomial
representative, given explicitly as the polynomial Pf (t) of (38) above.
If f : Fnq Fq is any function, we dene its reduced degree in ti to be the degree
in ti of the associated reduced polynomial, and similarly its reduced total degree
to be the total degree of the associated reduced polynomial.
Exercise 6: Show that if P is any polynomial, the total degree deg(P ) of P is
less than or equal to the total degree deg(P ) of P .
2.2. First proof of Warnings Theorem.
We have polynomials P1 (t), . . . , Pr (t) in n variables with
(39)

r
i=1

deg(Pi ) < n. Put

Z = {(x1 , . . . , xn ) Fnq | P1 (x) = . . . = Pr (x) = 0.}

We want to show that #Z 0 (mod p). Let 1Z : Fnq Fq be the (Fq -valued)
characteristic function of the subset Z, i.e., the function which maps x to 1 if
x Z and x to 0 otherwise. Now one polynomial representative 1Z is
(40)

P (t) :=

)
1 Pi (t)q1 ;

i=1

whereas essentially by (38) above the reduced polynomial representative is

QZ (t) =

)
1 (ti xi )q1 .

xZ i=1

Now comes the devilry: the total degree of P (t) is (q 1) i di < (q 1)n.
in
On the other hand, consider the coecient of the monomial tq1
tq1
n
1
n
QZ (t): it is (1) #Z. If we assume that #Z is not divisible by p, then this term
is nonzero and QZ (t) has total degree at least (q 1)n. By Exercise X.X, we have
deg(P ) deg(P ) < (q 1)n deg(QZ ).
Therefore P = deg(QZ ), whereas we ought to have P = QZ , since each is the
reduced polynomial representative of 1Z . Evidently we assumed something we
shouldnt have: rather, we must have p | #Z, qed.
2.3. Axs proof of Warnings theorem.
The following book proof of Warnings Theorem is due to James Ax [Ax64].
We maintain the notation of the previous section, especially the polynomial P (t)
of (40) and the subset Z of (39). Because P (x) = 1Z (x) for all x Fnq , we have

P (x) (mod p).

#Z
x Fn
q

168

14. THE CHEVALLEY-WARNING THEOREM

So we just need to evaluate the sum. Since every polynomial is an Fq -linear combination
of monomial terms, it is reasonable to start by looking for a formula for

a1
an
x
n
xFq 1 xn for non-negative integers a1 , . . . , an . It is often the case that if
f : G C is a nice
function from an abelian group to the complex numbers,
then the complete sum xG f (x) has a simple expression. Case in point:
Lemma 173. Let a1 , . . . , an be non-negative integers.

a) If for 1 i n, ai is a positive multiple of q1, then xFnq xa1 1 xann = (1)n .

b) In every other case i.e.,
for at least one i, 1 i n, ai is not a positive integer
multiple of q 1 we have xFnq xa1 1 xann = 0.
Proof. Part a) is not needed in the sequel and is just stated for completeness;
we leave the proof as an exercise.
As for part b), we have

xa1 1 xann =
xai i .
x Fn
q

i=1

xi Fq

By assumption there exists at least one i, 1 i n, such

either 0 or
that ai is
is positive but not a multiple of q 1. If ai = 0, then xi Fq xai i = xi Fq 1 =
q 0 Fq , so assume that ai is positive but not divisible by q 1. Let be a
ai
generator for the cyclic group F
q , and put = . Then

xi Fq

xai i = 0ai +

xi F
q

xai i = 0 +

q2

(N )ai =

N =0

q2

N =

N =0

1 q1
11
=
= 0.
1
1


Finally, the polynomial P (t) has degree i=1 di (q 1) = (q 1) i=1 di < (q 1)n.
Thus in each monomial term cta1 1 tanr in P (t) must have a1 +. . .+ar < (q1)n,
so
it cant be the case that each ai q 1. Therefore Lemma 173 applies, and xFnq
is an Fq -linear combination of sums each of which evaluates to 0 in Fq and therefore
the entire sum is 0. This completes our second proof of Warnings Theorem.
3. Some Later Work
Under the hypotheses of Warnings theorem we can certainly have 0 solutions.
For instance, we could take P1 (t) to be any polynomial with deg(P1 ) < n2 and
P2 (t) = P1 (t) + 1. Or, when q is odd, let a Fq be a quadratic nonresidue, let
P1 (t) be a polynomial of degree less than n2 and put P (t) = P1 (t)2 a.
On the other hand, it is natural to wonder: in Warnings theorem, we might actually have #Z 0 mod q? The answer is now known, but it took 46 years.
First consider the case of r = 1, i.e., a single polynomial P of degree less than
n. In [Wa36], Warning proved that #Z, if positive, is at least q nd . And in the
same paper [Ax64], Ax showed that q b | #Z for all b < nd . By hypothesis we can
take b = 1, so the aforementioned question has an armative answer in this case.

3. SOME LATER WORK

169

For the case of multiple polynomials P1 , . . . , Pr of degrees d1 , . . . , dr , in a celebrated

1971 paper N. Katz showed that q b | #Z for all positive integers b satisfying
n (d1 + . . . + dr )
+ 1.
d1
Since the above fraction is by hypothesis strictly positive, we can take b = 1 getting
indeed #Z 0 (mod q) in all cases.
b<

These divisibilities are called estimates of Ax-Katz type. It is known that there
are examples in which the Ax-Katz divisibilities are best possible, but rening these
estimates in various cases is a topic of active research: for instance there is a 2007
paper by W. Cao and Q. Sun, Improvements upon the Chevalley-Warning-Ax-Katztype estimates, J. Number Theory 122 (2007), no. 1, 135141.
Notice that the work since Warning has focused on the problem of getting best
possible p-adic estimates for the number of solutions: that is, instead of bounds of
the form #Z N , we look for bounds of the form ordp (#Z) N . Such estimates
are closely linked to the p-adic cohomology of algebraic varieties, a beautiful (if
technically dicult) eld founded by Pierre Deligne in his landmark paper Weil II.
The hypotheses of the Chevalley-Warning theorem are also immediately suggestive to algebraic geometers: (quite) roughly speaking there is a geometric division
of algebraic varieties into three classes: Fano, Calabi-Yau, and general type. The
degree conditions in Warnings theorem are precisely those which give, among the
class of algebraic varieties represented nicely by r equations in n variables (smooth
complete intersections), the Fano varieties. A recent result of Hel`ene Esnault gives
the geometrically natural generalization: any Fano variety over Fq has a rational
point. There are similar results for other Fano-like varieties.

CHAPTER 15

Additive Combinatorics
1. The Erd
os-Ginzburg-Ziv Theorem
1.1. A Mathematical Card Game.
Consider the following game. One starts with a deck of one hundred cards (or
N cards, for some arbitrary positive integer N ). Any number of players may play;
one of them is the dealer. The dealer shues the deck, and the player to the dealers
left selects a card (any card) from the deck and shows it to everyone. The player
to the dealers right writes down the numerical value of the card, say n, and keeps
this in a place where everyone can see it. The card numbered n is reinserted into
the deck, which is reshued. The dealer then deals cards face up on the table, one
at a time, at one minute intervals, or sooner by unanimous consent (i.e., if everyone
wants the next card, including the dealer, then it is dealt; otherwise the dealer waits
for a full minute). A player wins this round of the game by correctly selecting any
k > 0 of the cards on the table such that the sum of their numerical values is divisible by n. When all the cards are dealt, the players have as much time as they wish.
For example, suppose that n = 5 and the rst card dealt is 16. 16 is not divisible by 5, so the players all immediately ask for another card: suppose it is 92.
92 is not divisible by 5 and neither is 92 + 16 = 118, so if the players are good,
they will swiftly ask for the next card. Suppose the next card is 64. Then someone can win by collecting the 64 and the 16 and calling attention to the fact that
64 + 16 = 80 is divisible by 5.
Heres the question: is it always possible to win the game, or can all the cards
be dealt with no solution?
We claim that it is never necessary to deal more than n cards before a solution
exists. Moreover, if the number N of cards in the deck is suciently large compared
to the selected modulus n, it is possible for fewer than n cards to be insucient.
To see the latter, note that if n = 1 we obviously need n cards, and if n = 2
we will need n cards i the rst card dealt is odd. If n = 3 we may need n cards i
N 4, since if 1 and 4 are the rst two cards dealt there is no solution. In general,
if the cards dealt are 1, 1+n, 1+2n, . . . , 1+(n2)n, then these are n1 cards which
are all 1 (mod n) and clearly we cannot obtain 0 (mod n) by adding up the values
of any 0 < k n1 of these. This is possible provided N n2 2n+1 = (n1)2 .1
1We neglect the issue of guring out exactly how many card are necessary if n is moderately
large compared to N . It seems interesting but does not segue into our ultimate goal.
171

172

15. ADDITIVE COMBINATORICS

But why are n cards always sucient? We can give an explicit algorithm for
nding a solution: for each 1 k n, let Sk = a1 + . . . + ak be the sum of the
values of the rst k cards. If for some k, Sk is divisible by n, we are done: we
can at some point select all the cards. Otherwise, we have a sequence S1 , . . . , Sn
of elements in Z/nZ, none of which are 0 (mod n). By the pigeonhole principle,
there must exist k1 < k2 such that Sk1 Sk2 (mod n), and therefore
0 Sk2 Sk1 = ak1 +1 + . . . + ak2

(mod n).

In other words, not only does a solution exist, for some k n a solution exists
which we can scoop up quite eciently, by picking up a consecutive run of cards
from right to left starting with the rightmost card.
Notice that this is not always the only way to win the game, so if this is the
only pattern you look for you will often lose to more skillful players. For instance,
in our example of n = 5, the sequence (which we will now reduce mod 5) 1, 2, 4
already has a solution but no consecutively numbered solution.
An interesting question that we will leave the reader with is the following: x
n and assume that N is much larger than n: this is eectively the same as drawing with replacement (because after we a draw any one card ai , the change in the
proportion of the cards in the deck which are congruent to ai (mod n) is negligible
if N is suciently large, and we will never deal more than n cards). Suppose then
that we deal 1 k n cards. What is the probability that a solution exists?
Anyway, we have proven the following amusing mathematical fact:
Theorem 174. Let a
1 , . . . , an be any integers. There exists a nonempty subset
I {1, . . . , n} such that iI ai 0 (mod n).
1.2. The Erd
os-Ginzburg-Ziv Theorem.
After a while it is tempting to change the rules of any game. Suppose we make
things more interesting by imposing the following additional requirement: we deal
cards in sequence as before with a predetermined modulus n Z+ . But this time,
instead of winning by picking up any (positive!) number of cards which sum to 0
modulo n, we must select precisely n cards ai1 , . . . , ain such that ai1 + . . . + ain 0
(mod n). Now (again assuming that N gn, or equivalently, dealing with replacement), is it always possible to win eventually? If so, how many cards must be dealt?
Well, certainly at least n: since the problem is more stringent than before, again
if the rst n 1 congruence classes are all 1 (mod n) then no solution exists. If
we have at least n instances of 1 mod n then we can take them and win. On the
other hand, if the rst n 1 cards are all 1s, then by adding up any k n 1 of
them we will get something strictly less than n, so if the next few cards all come
out to be 0 (mod n), then we will not be able to succeed either. More precisely, if
in the rst 2n 2 cards we get n 1 instances of 1 (mod n) and n 1 instances
of 0 (mod n), then there is no way to select precisely n of them that add up to 0
(mod n). Thus at least 2n 1 cards may be required. Conversely:


1. THE ERDOS-GINZBURG-ZIV
THEOREM

173

os-Ginzburg-Ziv, 1961) Let n Z+ and a1 , . . . , a2n1 Z.

Theorem 175. (Erd
There exists a subset I {1, . . . , 2n 1} such that:
(i) #I
= n.
(ii) iI ai 0 (mod n).
Proof. (C. Bailey and R.B. Richter) The rst step is to deduce the theorem
for n = p a prime using Chevalley-Warning. The second step is to show that if the
theorem holds for n1 and for n2 , it holds also for n1 n2 .
Step 1: Suppose n = p is a prime number. Let a1 , . . . , a2p1 Z. Consider
the following elements of the polynomial ring Fp [t1 , . . . , t2p1 ]:
P1 (t1 , . . . , t2p1 ) =

2p1

ai tp1
,
i

i=1

P2 (t1 , . . . , t2p1 ) =

2p1

tp1
.
i

i=1

Since P1 (0) = P2 (0) = 0 and deg(P1 ) + deg(P2 ) = 2p 2 < 2p 1, by Chevalleysuch that

Warning there exists 0 = x = (x1 , . . . , x2p1 ) F2p1
p
2p1

(41)

ai xp1
= 0,
i

i=1
2p1

(42)

xip1 = 0.

i=1

Put
I = {1 i 2p 1 | xi = 0}.
p1

Since (as usual!) x

is equal to 1 if x = 0 and 0 if x = 0, (41) and (42) yield:

ai 0 (mod p),
iI

10

(mod p).

iI

But we have 0 < #I < 2p, and therefore #I = p, completing the proof of Step 1.
Step 2: Because we know the theorem is true for all primes n, by induction we
may assume that n = km for 1 < k, m < n (i.e., n is composite) and, by induction,
that the theorem holds for k and m.
By an easy induction on r, one sees that if for any r 2 we have rk 1 integers a1 , . . . , ark1 , then there are r 1 pairwise disjoint subsets of I1
, . . . , Ir1 of
{1, . . . , rk 1}, each of size k, such that for all 1 j r 1 we have lIj ai 0
(mod k). Apply this with r = 2m to our given set of 2n 1 = (2mk) 1 integers:
this gives 2m 1 pairwise disjoint subsets I1 , . . . , I2m1 {1, . . . , 2n 1}, each of
size k, such that for all 1 j 2m 1 we have

ai 0 (mod k).
iIj

174

15. ADDITIVE COMBINATORICS

Now, for each j as above, put

bj =

ai , bj =

iIj

bj
.
k

b1 , . . . , b2m1 .

We thus have 2m 1 integers

Again using our
inductive hypothesis,
there exists J {1, . . . , 2m 1} such that #J = m and jJ bj 0 (mod m).

Let I = j Ij . Then #I = km = n and

ai
ai
kbj 0 (mod km).
iI

jJ iIj

jJ


1.3. EGZ theorems in nite groups.
This application of Chevalley-Warning one which makes good use of our ability to
choose multiple polynomials is apparently well-known to combinatorial number
theorists. But I didnt know about it until Patrick Corn brought it to my attention.
As with the Chevalley-Warning theorem itself, the EGZ theorem is sort of a prototype for a whole class of problems in combinatorial algebra. In any group G
(which, somewhat unusually, we will write additively even if it is not commutative)
a zero sum sequence is a nite sequence x1 , . . . , xn of elements of G such that
(guess what?) x1 + . . . + xn = 0. By a zero sum subsequence we shall mean
the sequence xi1 , . . . , xik associated to a nonempty subset I {1, . . . , n}. In this
language, our Theorem 174 says that any sequence of n elements in Z/nZ has a
zero sum subsequence. The same argument proves the following result:
Theorem 176. Let G be a nite group (not necessarily commutative), of order
n. Then any sequence x1 , . . . , xn in G has a zero sum subsequence.
Some EGZ-type theorems in this context are collected in the following result.
Theorem 177. (EGZ for nite groups)
a) (Erd
os-Ginzburg-Ziv, 1961) Let G be a nite solvable group of order n and
x1 , . . . , x2n1 G. Then there exist distinct indices i1 , . . . , in (not necessarily in
increasing order) such that xi1 + . . . + xin = 0.
b) [Ol76] Same as part a) but for any nite group.
c) [Su99] Same as part a) but the indices can be chosen in increasing order:
i1 < . . . < in .
d) [Su99] The conclusion of part c) holds for a nite group G provided it holds for
all of its Jordan-H
older factors.
We draw the readers attention to the distinction between the results of parts a)
and b) and those of c) and d): in the rst two parts, we are allowed to reorder
the terms of the subsequence, whereas in the latter two we are not. In a commutative group it makes no dierence thus, the generalization to all nite abelian
groups is already contained in the original paper of EGZ but in a noncommutative group the desire to preserve the order makes the problem signicantly harder.
The inductive argument in Step 2 of Theorem 175 is common to all the proofs,
and is most cleanly expressed in Surys paper as the fact that the class of nite

2. THE COMBINATORIAL NULLSTELLENSATZ

175

groups for which EGZ holds is closed under extensions. Thus the case in which G
is cyclic of prime order is seen to be crucial. In 1961 Erdos, Ginzburg and Ziv gave
an elementary proof avoiding Chevalley-Warning. Nowadays there are several
proofs available; a 1993 paper of Alon and Dubiner presented at Erdos 80th birthday conference gives ve dierent proofs. Olsons proof also uses only elementary
group theory, but is not easy. In contrast, Surys paper makes full use of ChevalleyWarning and is the simplest to read: it is only three pages long.
Surys result has the intriguing implication that it would suce to prove the EGZ
theorem for all nite simple groups (which are now completely classied. . .). To
my knowledge no one has followed up on this.
There is another possible generalization of the EGZ theorem to nite abelian, but
non-cyclic, groups. Consider for instance G(n, 2) := Zn Zn , which of course
has order n2 . Rather than asking for the maximal length of a sequence without
an n2 -term zero sum subsequence, one might ask for the maximal length of a sequence without an n-term zero sum subsequence. (One might ask many other such
questions, of course, but in some sense this is the most reasonable vector-valued
analogue of the EGZ situation.) A bit of thought shows that the analogous lower
bound is given by the sequence consisting of n 1 instances each of (0, 0), (0, 1),
(1, 0) and (1, 1): in other words, this is the obvious sequence with no n-term
zero-sum subsequence, of length 4(n 1). It was conjectured by A. Kemnitz in
1983 that indeed any sequence in G(n, 2) of length at least 4n 3 has an n-term
zero sum subsequence. Kemnitzs conjecture was proved in 2003 independently by
Christian Reiher [Re07] (an undergraduate!) and Carlos di Fiore (a high school
student!!). Both proofs use the Chevalley-Warning theorem, but in quite intricate
and ingenious ways.
For any positive integer k, dene G(n, d) = (Zn )d , the product of d copies of
the cyclic group of order n, and consider lengths of sequences without an n-term
zero sum subsequence: let us put f (n, d) for the maximal length of such a sequence.
Analogues of the above sequences with {0, 1}-coordinates give
f (n, d) 2d (n 1).
In 1973 Heiko Harborth established the (much larger) upper bound
f (n, d) nd (n 1).
Harborth also computed G(3, 3) = 18 > 23 (3 1): i.e., in this case the obvious
examples do not have maximal length! It seems that the computation of G(n, 3)
for all n or still more, of G(n, d) for all d would be a signicant achievement.
2. The Combinatorial Nullstellensatz
In this section we describe a celebrated result of Noga Alon that has served as
a powerful technical tool and organizing principle in combinatorics and additive
number theory. Recall that in 2 we considered the evaluation map
: k[t1 , . . . , tn ] Map(k n , k)
and showed that when k is a nite eld of order q, Ker is the ideal I0 generated
by tq1 t1 , . . . , tqn tn . We showed this in a somewhat unorthodox way: rst, by an
explicit construction we saw that is surjective. Further, clearly Ker contains

176

15. ADDITIVE COMBINATORICS

I0 , and thus by a counting argument Ker = I0 . At the time we remarked that a

more standard approach is to show that no nonzero reduced polynomial evaluates
to the zero function by an induction on the number of variables. We are now in a
position to want that argument, and in fact the following (mild) generalization.
Lemma 178. (Alon-Tarsi [AT92]) Let k be a eld, n Z+ , and f (t) k[t] =
k[t1 , . . . , tn ]; for 1 i
let di be the ti -degree of f , let Si be a subset of k with
n,
n
#Si > di , and let S = i=1 Si . If f (x) = 0 for all x S, then f = 0.
Proof. We go by induction on n. The case n = 1 is truly basic: a nonzero
univariate polynomial over a eld has no more roots than its degree. Now suppose
n 2 and that the result holds for polynomials in n 1 variables. The basic idea
is the identity k[t1 , . . . , tn1 , tn ] = k[t1 , . . . , tn1 ][tn ]: thus we write
f=

dn

fi (t1 , . . . , tn1 )tin

i=0

with fi k[t1 , . . . , tn1 ]. If (x1 , . . . , xn1 ) k n1 , the polynomial f (x1 , . . . , xn1 , tn )

k[tn ] has degree at most dn and vanishes for all #Sn > dn elements xn Sn , so it
is identically zero, i.e., fi (x1 , . . . , xn1 ) = 0 for all 0 i tn . By induction, each
fi (t1 , . . . , tn1 ) is the zero polynomial and thus f is the zero polynomial.

And now the main attraction.
Theorem 179. (Combinatorial Nullstellensatz)
Let k be a eld, S1 , . . . , Sn be
n
nonempty nite subsets of k, and put S = i=1 Si . For 1 i n, put

gi (ti ) =
(ti si ) k[t] = k[t1 , . . . , tn ].
si Si

Suppose that for all s = (s1 , . . . , sn ) S we have f (s) = 0. Then there are
polynomials h1 (t1 , . . . , tn ), . . . , hn (t1 , . . . , tn ) such that
f=

hi gi .

i=1

Proof. For 1 i n, put di = #Si 1; we may write

gi (ti ) =

tdi i +1

di

gij tji .

j=0

Observe that if si Si , then gi (xi ) = 0, i.e.,

(43)

xdi i +1 =

di

gij xji .

j=0

Let f be the polynomial obtained from f by writing f as a sum of monomials and

repeatedly substituting each instance of tei i with ei > di with a k-linear combination
of smaller powers of ti using (43). Then
nthe reduced polynomial f has degree at
most di in ti and f f is of the form i=1 hi gi . Further, for all s = (s1 , . . . , sn )
S, f (s) = f (s) = 0. Thus Lemma 178 applies to give f = 0 and thus f =

n

i=1 hi gi .

3. THE CAUCHY-DAVENPORT THEOREM

177

We hope the reader has noticed that the proof of Theorem 179 bears more than a
passing resemblance to our rst proof of Warnings Theorem.
Example: Let k = Fq be a nite eld, and take S1 = . . . = Sn = Fq . Then
for 1 i n, gi = tqi ti . Applying the Combinatorial Nullstellensatz, we
see that a polynomial f which vanishes at every point in Fnq lies in the ideal
I0 = tq1 t1 , . . . , tqn tn . That is, we have yet again computed the kernel of
the evaluation map .
Exercise: a) Show that, in the notation of the proof of Theorem 179, the polynomials h1 , . . . , hn satisfy deg hi deg f deg gi for all 1 i n.
b) Show that the coecients of h1 , . . . , hn lie in the subring of k generated by the
coecients of f, g1 , . . . , gn .
Corollary 180. (Polynomial Method) Let k be a eld, n Z+ , a1 , . . . , an
N, and let f k[t] = k[t1 , . . . , tn ]. We suppose:
(i) deg f = a1 + . . . + an .
(ii) The coecient of ta1 1 tann in f is nonzero.
Then, for any subsets
S1 , . . . , Sn of k with #Si > ai for 1 i n, there is
n
s = (s1 , . . . , sn ) S = i=1 Si such that f (s) = 0.
Proof. It is no loss of generality to assume that #Si = ai + 1 for all i, and
we do so. We will show that if (i) holds and f |S 0, then (ii) does not hold, i.e.,
the coecient of ta1 1 tann in f is 0.

Dene, for all 1 i n, gi (ti ) = si Si ti si . By Theorem 179 and the

preceding exercise, there are h1 , . . . , hn k[t] such that
f=

hi gi

i=1

and
deg hi (a1 + . . . + an ) deg gi , 1 i n,
so
(44)

deg hi gi deg f.

Thus if hi gi contains any monomial

of degree deg f , such a monomial would be

of maximal degree in hi gi = hi si Si (ti si ) and thus be divisible by tiai +1 . It

follows that for all i, the coecient of ta1 1 tann in hi gi is zero, hence the coecient
of ta1 1 tann in f is zero.

3. The Cauchy-Davenport Theorem
For nonempty subsets A, B of a group (G, +),2 we dene the sumset
A + B = {a + b | a A, b B}.
Exercise: Establish the trivial bound
(45)

#(A + B) max #A, #B.

2In additive combinatorics, it is standard to write even non-commutative groups additively.

178

15. ADDITIVE COMBINATORICS

Theorem 181. (Cauchy-Davenport) Let p be a prime number. For nonempty

subsets A, B of Z/pZ, we have
#(A + B) min(p, #A + #B 1).
Proof. Case 0: We may assume #A + #B > 2.
Case 1: Suppose #A+#B > p. Then for all x Z/pZ we must have A(xB) =
,
hence x A + B. Thus A + B = Z/pZ and #(A + B) = p.
Case 2: Suppose #A+#B p and, seeking a contradiction, that #(A+B) #A+
#B 2. Let C Z/pZ be such that A + B C Z/pZ and #C = #A + #B 2.
The polynomial

f (t1 , t2 ) =
(t1 + t2 c) Fp [t1 , t2 ]
cC

vanishes identically on A B. Let d1 =( #A 1, d)2 = #B 1; then the coecient

of td11 td22 in f is the binomial coecient #A+#B2
, which is nonzero in Z/pZ since
#A1
#A + #B 2 < p. This contradicts Corollary ??.

Exercise: Show that the Cauchy-Davenport Theorem is sharp, in the following
sense: for any prime p and integers a, b with 1 a, b, p, there are subsets
A, B Z/pZ with #A = a, #B = b and #A + B = min(p, #A + #B 1).
G. Karolyi and (slightly later, but independently) J.P. Wheeler gave the following
interesting generalization: for a (not necessarily abelian) group (G, +), we dene
p(G) to be the least order of a nonzero element of G, or if G has no nonzero
elements of nite order.
Exercise: a) Show that p(Z/pZ) = p.
b) If G is nite, show that p(G) is the least prime divisor of #G.
c) Show that in any group G, if p(G) < , then p(G) is a prime number.
Theorem 182. (K
arolyi-Wheeler [K
a05], [Wh12]) For nonempty subsets A, B
of a nite group G,
#(A + B) min(p(G), #A + #B 1).
Here is a very rough sketch of Wheelers proof of Theorem 182: if #G is even then
p(G) = 2 and the trivial bound (45) is sucient. If #G is odd, then by the FeitThompson Theorem G is solvable (!!). Thus there is a normal subgroup H of G
of prime index, whence an isomorphism G/H
= Z/pZ. By an inductive argument
(it takes about a page), one reduces to the Cauchy-Davenport Theorem.

CHAPTER 16

Dirichlet Series
1. Introduction
In considering the arithmetical functions f : N C as a ring under pointwise
addition and convolution:

f g(n) =
f (d1 )g(d2 ),
d1 d2 =n

we employed that old dirty trick of abstract algebra. Namely, we introduced an

algebraic structure without any motivation and patiently explored its consequences
until we got to a result that we found useful (Mobius Inversion), which gave a sort
of retroactive motivation for the denition of convolution.
This denition could have been given to an 18th or early 19th century mathematical audience, but it would not have been very popular: probably they would
not have been comfortable with the Humpty Dumpty-esque redenition of multiplication.1 Mathematics at that time did have commutative rings: rings of numbers,
of matrices, of functions, but not rings with a funny multiplication operation
dened for no better reason than mathematical pragmatism.
So despite the fact that we have shown that the convolution product is a useful operation on arithmetical functions, one can still ask what f g really is.
There are (at least) two possible kinds of answers to this question: one would be to
create a general theory of convolution products of which this product is an example
and there are other familiar examples. Another would be to show how f g is
somehow a more familiar multiplication operation, albeit in disguise.
To try to take the rst approach, consider a more general setup: let (M, ) be a
commutative monoid. Recall from the rst homework assignment that this means
that M is a set endowed with a binary operation which is associative, commutative, and has an identity element, say e: e m = m e = m for all m M . Now
consider the set of all functions f : M C. We can add functions in the obvious
pointwise way:
(f + g)(m) := f (m) + g(m).
We could also multiply them pointwise, but we choose to do something else, dening

(f g)(m) :=
f (d1 )g(d2 ).
d1 d2 =m

But not so fast! For this denition to make sense, we either need some assurance
that for all m M the set of all pairs d1 , d2 such that d1 d2 = m is nite (so
1Recall that Lewis Carroll or rather Charles L. Dodgson (1832-1898) was a mathematician.
179

180

16. DIRICHLET SERIES

the sum is a nite sum), or else some analytical means of making sense of the sum
when it is innite. But let us just give three examples:
Example 1: (M, ) = (Z+ , ). This is the example we started with and of course
the set of pairs of positive integers whose product is a given positive integer is nite.
Example 2: (M, ) = (N, +). This is the additive version of the previous example:

(f g)(n) =
f (i)g(j).
i+j=n

Of course this sum is nite: indeed, for n N it has exactly n+1 terms. As we shall
see shortly, this additive convolution is closely related to the Cauchy product of
innite series.
Example 3: (M, ) = (R, +). Here we have seem to have a problem, because
for functions f, g : R C, we are dening

(f g)(x) =
f (x y)g(y),
f (d1 )g(d2 ) =
yR

d1 +d2 =x

and although it is possible to dene a sum over all real numbers, it turns out never
to converge unless f and g are zero for the vast majority of their values.2 However,
there is a well-known replacement for a sum over all real numbers: the integral.
So one should probably dene

(f g)(x) =
f (x y)g(y)dy.

Here still one needs some conditions on f and g to ensure convergence of this
improper integral. It is a basic result of analysis that if


|f | < ,
|g| < ,

then the convolution product is well-dened. The convolution is an all-important

operation in harmonic analysis: roughly speaking, it provides a way of mixing
together two functions. Like any averaging process, it often happens that f g
has nicer properties than its component functions: for instance, when f and g are
absolutely integrable in the above sense, then f g is not only absolutely integrable
but also continuous.
The most important property of this convolution is its behavior with respect
to the Fourier transform: for a function f : R C and y R, one denes

f(x) =
f (y)e2ix dy.

Then one has the following identity:

f[
g = f g.
2More precisely, if S is an arbitrary set of real numbers, it makes sense to dene
xi S = x

if for all > 0, there exists a nite subset T S such that for all nite subsets T T we have

| xi T xi x| < . (This is a special case of a Moore-Smith limit.) It can be shown that such
a sum can only converge if the set of indices i such that xi = 0 is nite or countably innite.

1. INTRODUCTION

181

In other words, there is a natural type of transform f 7 f under which the

convolution becomes the more usual pointwise product.
Now the question becomes: is there some similar type of transform f 7 f which
carries functions f : M C to some other space of functions and under which the
convolution product becomes the pointwise product?
The answer is well-known to be yes if M is a locally compact abelian group
(e.g. Z, Z/N Z, Rn , . . .), and the construction is in fact rather similar to the above:
this is the setting of abstract Fourier analysis. But our Examples 1 and 2 involve
monoids that are not groups, so what we are looking for is not exactly a Fourier
transform. So let us come back to earth by looking again at Examples 1 and 2.
In the case of Example 2, the construction we are looking for is just:
f {f (n)}
n=0 7 F (x) =

f (n)xn .

n=0

That is,to the sequence {f (n)} we associate the corresponding power series
F (x) = n f (n)xn . One can look at this construction both formally and analytically.
The formal construction is purely algebraic:
the ring of formal power series C[[t]]

consists of all expressions of the form n=0 an xn where the an s are complex numbers. We dene addition and multiplication in the obvious ways:

an xn +

n=0

n=0

an xn )(

bn xn :=

n=0

n=0

bn xn ) :=

(an + bn )xn ,

n=0

(a0 bn + a1 bn1 + . . . + an b0 )xn .

n=0

The latter denition seems obvious because it is consistent with the way we multiply
polynomials, and indeed
then polynomials C[t] sit inside C[[t]] as the subring of all
formal expressions
n an x with an = 0 for all suciently large n. Now note
that this denition of multiplication is just the convolution product in the additive
monoid (N, +):
a0 bn + . . . + an b0 = (a b)(n).
It is not immediately clear that anything has been gained. For instance, it is,
technically, not for free that this multiplication law of formal power series is associative (although of course this is easy to check). Nevertheless, one should not
underestimate the value of this purely formal approach. Famously, there are many
nontrivial results about sequences fn which can be proved
just by simple algebraic

manipulations of the generating function F (x) = n fn xn . For example:

Theorem 183. Let a1 , . . . , ak be a coprime set of positive integers, and dene
r(N ) to be the number of solutions to the equation
x1 a1 + . . . + xk ak = N

182

16. DIRICHLET SERIES

in non-negative integers x1 , . . . , xk . Then as N ,

r(N )

N k1
.
(k 1)!(a1 ak )

Nevertheless we also have andneed an analytic theory of power series, i.e., of the
study of properties of F (x) = n an xn viewed as a function of the complex variable
x. This theory famously works out very nicely, and can be summarized as follows:

Theorem 184. (Theory of power series) Let n an xn be a power series with

1
complex coecients. Let R = (lim supn |an | n )1 . Then:
a) The series converges absolutely for all x C with |x| < R, and diverges indeed,
the general term tends to innity in modulus for all x with |x| > R.
b) The convergence is uniform on compact subsets of the open disk of radius R
(about 0), from which it follows that F (x) is a complex analytic function on this
disk.

c) If two power series F (x) = n an xn , G(x) = n bn xn are dened and equal for
all x in some open disk of radius R > 0, then an = bn for all n.
In particular, it follows
of products of absolutely convergent
from Cauchys theory
series that if F (x) = n an xn and G(x) = n bn xn are two power series convergent on some disk of radius R > 0, then on this disk the function
F G the product

of F and G in the usual sense is given by the power series n (ab)(n)xn . In other
words, with suitable growth conditions on the sequences, we get that the product
of the transforms is the transform of the convolutions, as advertised.
Now we return to the case of interest: (M, ) = (Z+ , ). The transform that does
the trick is f 7 D(f, s), where D(f, s) is the formal Dirichlet series
D(f, s) =

f (n)
.
ns
n=1

To justify this, suppose we try to formally multiply out

(
)(
)
f (m)
g(n)
D(f, s)D(g, s) =
.
ms
ns
m=1
n=1
We will get one term for each pair (m, n) of non-negative integers, so the product
is (at least formally) equal to
f (m)g(n)
f (m)g(n)
=
,
ms ns
(mn)s

(m,n)

(m,n)

where in both sums m and n range over over all positive integers. To make a Dirichlet series out of this, we need to collect all the terms with a given denominator, say
N s . The only way to get 1 in the denominator is to have m = n = 1, so the rst
. Now to get a 2 in the denominator we could have m = 1, n = 2
term is f (1)g(1)
1s
giving the term f (1)g(2)
or also m = 2, n = 1 giving the term f (2)g(1)
, so all in
2s
2s
all the numerator of the 2s -term is f (1)g(2) + f (2)g(1).
Aha. In general, to collect all the terms with a given denominator N s in the

2. SOME DIRICHLET SERIES IDENTITIES

183

product involves summing over all expressions f (m)g(n) with mn = N . In other

words, we have the following formal identity:

f (n) g(n)
d|n f (d)g(n/d)
D(f, s) D(g, s) = (
)(
)=
= D(f g, s).
s
s
n
n
ns
n=1
n=1
n=1
Thus we have attained our goal: under the transformation which associates to
an arithmetical function its Dirichlet series D(f, s), Dirichlet convolution of arithmetical functions becomes the usual multiplication of functions!
There are now several stages in the theory of Dirichlet series:
Step 1: Explore the purely formal consequences: that is, that identities involving
convolution and inversion of arithmetical functions come out much more cleanly on
the Dirichlet series side.
Step 2: Develop the theory of D(f, s) as a function of a complex variable s. It
is rather easy to tell when the series D(f, s) is absolutely convergent. In particular,
with suitable growth conditions on f (n) and g(n), we can see that
D(f, s)D(g, s) = D(f g, s)
holds not just formally but also as an equality of functions of a complex variable.
In particular, this leads to an analytic proof of the Mobius Inversion Formula.
On the other hand, unlike power series there can be a region of the complex
plane with nonempty interior in which the Dirichlet series D(f, s) is only conditionally convergent (that is, convergent but not absolutely convergent). We will
present, without proofs, the basic results on this more delicate convergence theory.
In basic analysis we learn to abjure conditionally convergent series, but they lie
at the heart of analytic number theory. In particular, in order to prove Dirichlets
theorem on arithmetic progressions one studies the Dirichlet series L(, s) attached
to a Dirichlet character (a special kind of arithmetical function we will dene
later on), and it is extremely important that for all = 1, there is a critical strip
in the complex plane for which L(, s) is only conditionally convergent. We will
derive this using the assumed results about conditional convergence of Dirichlet
series and a convergence test, Dirichlets test, from advanced calculus.3 Finally,
as an example of how much more content and subtlety lies in conditionally convergent series, we will use Dirichlet series to give an analytic continuation of the zeta
function to the right half-plane (complex numbers with positive real part), which
allows for a rigorous and concrete statement of the Riemann hypothesis.
2. Some Dirichlet Series Identities
Example 1: If f = 1 is the constant function 1, then by denition D(1, s) is what is
probably the most single important function in all of mathematics, the Riemann
zeta function:

1
.
(s) = D(1, s) =
s
n
n=1
3P.G.L. Dirichlet propounded his convergence test with this application in mind.

184

16. DIRICHLET SERIES

Example 2: Let f (n) = d(n), the divisor function, so D(d, s) = n d(n)

ns . But we
also know that d = 1 1. On Dirichlet series this means that we multiply: so that
D(d, s) = D(1, s)D(1, s), and we get that
D(d, s) = (s) (s) = 2 (s).
Example
3: 0Since (1) = 1 and (n) = 0 for all n > 1, we have D(, s) =
1
+
n=2 ns = 1. Thus the Dirichlet series of the the multiplicative iden1s
tity for convolution is just the constant function 1, the multiplicative identity in
the usual sense of multiplication functions.
Example 4: What is D(, s)? Since 1 = , we must have
1 = D(, s) = D(, s)D(1, s) = D(, s)(s),
so
D(, s) =

1
.
(s)

Probably this is the most important such identity: it relates combinatorial methods (the Mobius function is closely related to the inclusion-exclusion principle) to
analytical methods. More on this later.
We record without proof the following further identities, whose derivations are
similarly straightforward. Some notational reminders: we write for the function
n 7 n; k for the function n 7 nk ; and for the function n 7 (1)(n) , where
(n) is the number of prime divisors of n counted with multiplicity.
D(, s) = (s 1).
D(k , s) = (s k).
D(, s) = (s)(s 1).
D(k , s) = (s)(s k).
D(, s) =

(s 1)
.
(s)

D(, s) =

(2s)
.
(s)

3. Euler Products
Our rst task is to make formal sense of an innite product of innite series, which
is unfortunately somewhat technical. Suppose that we have an innite indexing set
P and for each element of p of P an innite series whose rst term is 1:

n=0

ap,n = 1 + ap,1 + ap,2 + . . . .

Then by the innite product pP n ap,n we mean an innite series whose terms

are indexed by the innite direct sum T =

pP N. Otherwise put, an element

3. EULER PRODUCTS

185

t T is just afunction
t : P N such that t(p) = 0 for all but nitely many p in
P .4 Then by pP n ap,n we mean the formal innite series

ap,t(p) .
tT pP

Note well that for eacht, since t(p) = 0 except for nitely many p and since ap,0 = 1
for all p, the product pP ap,t(p) is really a nite product. Thus the series is welldened formally that is, merely in order to write it down, no notion of limit of
an innite process is involved.
Let us informally summarize the preceding: to make sense of a formal innite
product of the form

(1 + ap,1 + ap,2 + . . . + ap,n + . . .) ,

p

we give ourselves one term for each possible product of one term from the rst
series, one term from the second series, and so forth, but we are only allowed to
choose a term which is dierent from the ap,0 = 1 term nitely many times.
With that out of the way, recall that when developing the theory of arithmetical functions, we found ourselves in much better shape under the hypothesis of
multiplicativity. It is natural to ask what purchase we gain on D(f, s) by assuming the multiplicativity of f . The answer is that multiplicativity of f is equivalent
to the following formal identity:
(
)

f (n)
f (p) f (p2 )
(46)
D(f, s) =
=
1 + s + 2s + . . . .
ns
p
p
p
n=1
Here the product extends over all primes. The fact that this identity holds (as an
identity of formal series) follows from the uniqueness of the prime power factorization of positive integers.
An expression as in (46) is called an Euler product expansion. If f is moreover
k
k
completely multiplicative, then fp(pks ) = ( fp(p)
s ) , and each factor in the product is a
geometric series with ratio

f (p)
ps ,

so we get
)1
(
f (p)
D(f, s) =
1 s
.
p
p

In particular f = 1 is certainly completely multiplicative, so we get the identity

)1
(
1
1 s
(s) =
,
p
p
which we used in our study of the primes. We also get
)

(
1
(n)
1
1

(47)
=
=
,
ns
(s)
ps
p
n=1
4The property that t(p) = 0 except on a nite set is, by denition, what distinguishes the
innite direct sum from the innite direct product.

186

16. DIRICHLET SERIES

and, plugging in s = 2,
(
)

6
1
(n)
1
=
=
=
1

.
2
(2) n=1 n2
p2
p
But not so fast! We changed the game here: so far (47) expresses a formal identity
of Dirichlet series. In order to be able to plug in a value of s, we need to discuss the
convergence properties of Dirichlet series and Euler products. In particular, since
we did not put any particular ordering on our formal innite product, in order for
the sum to be meaningful we need the series involved to be absolutely convergent.
It is therefore to this topic that we now turn.
4. Absolute Convergence of Dirichlet Series

Let us rst study the absolute convergence of Dirichlet series n anns . That is, we

will look instead at the series n |ann | , where s = + it.5

Theorem 185. Suppose a Dirichlet series D(s) = n anns is absolutely convergent at some complex number s0 = 0 + it0 . Then it is also absolutely convergent
at all complex numbers s with = (s) > s0 .
Proof. If = (s) > 0 = (s0 ), then n > n0 for all n Z+ , so

an
|an | |an | an
| s| =

=
| s0 | < .
n
n
n 0
n
n=1
n=1
n=1
n=1

It follows that the domain of absolute convergence of a Dirichlet series D(f, s)
is one of the following:
(i) The empty set. (I.e., for no s does the series absolutely converge.)
(ii) (, ).
(iii) A half-innite interval of the form (S, ).
(iv) A half-innite interval of the form [S, ).
Notice that in all cases, there is a unique ac [, ] such that:
(AAC1) For all s with (s) > ac , D(s) is absolutely convergent.
(AAC2) For all s with (s) < ac , D(s) is not absolutely convergent.
This unique ac is called the abscissa of absolute convergence of D(s).
n
Example 1 (Type i): D(s) = n 2ns .
This series does not converge (absolutely or otherwise) for any s C: no matter
what s is, |2n ns | : exponentials grow faster than power functions. So
ac = .
Example 2 (Type ii): A trivial example is the zero series an = 0 for all n, or
5In other words, for a complex number s we write for its real part and t for its imaginary
part. This seemingly unlikely notation was introduced in a fundamental paper of Riemann, and
remains standard to this day.

4. ABSOLUTE CONVERGENCE OF DIRICHLET SERIES

187

for that matter, any series with an = 0 for all suciently large n: these give nite
sums. Or we could take an = 2n and now the series converges absolutely independent of s. So ac = .
Example 3 (Type iii): (s) =

1
ns

is absolutely convergent for s (1, ). So ac = 1.

Example 4 (Type iv): For an =

[1, ).

1
(log n)2 ,

the domain of absolute convergence is

The following result gives a sucient condition for ac = 1:

Proposition 186. Let D(s) = n=1 anns be a Dirichlet series.

a) Suppose that there exists M R such that |an | M for all n. Then ac 1.
b) suppose that the sequence an does not tend to 0. then ac 1.
c) In particular if the sequence an is bounded but not convergent to 0, then ac = 1.
Proof. a) Suppose |an | M for all n and also that = (s) > 1. Then
an
1
| s| M
= M () < .
n
n
n
n

b) The Dirichlet series at 0 is n ann0 = n an . Of course this series can only be

convergent (absolutely or otherwise) if an 0. Part c) follows immediately from
a) and b).

Denition: We say that an arithmetic function an : Z+ C has polynomial
growth of order N if there exist positive real numbers C and N such that |an |
CnN for all n Z+ . We say that a function has polynomial growth if it has
polynomial growth of order N for some N R+ .
Proposition 187. Suppose {an } has polynomial growth of order N . Then the
associated Dirichlet series D(s) = anns has ac N + 1.
Proof. By hypothesis, there exists C such that |an | CnN for all n Z+ . If
= (s) > N + 1, then there exists > 0 such that > N + 1 + . Then
an
|an |
nN
1
| |

C
=
C
< .
n
nN +1+
nN +1+
n1+
n
n
n
n

Corollary 188. Let f (n), g(n) be arithmetical functions with polynomial
growth of order N . Then
D(f, s)D(g, s) = D(f g, s)
is an equality of functions dened on (N + 1, ).
This follows easily from the theory of absolute convergence and the Cauchy product.
Theorem 189. (Uniqueness Theorem) Let f (n), g(n) be arithmetical functions
whose Dirichlet series are both absolutely convergent in the halfplane = (s) > 0 .
Suppose there exists an innite sequence sk of complex numbers, with k = (sk ) >
0 for all k and k such that D(f, sk ) = D(g, sk ) for all k. Then f (n) = g(n)
for all n.

188

16. DIRICHLET SERIES

Proof. First we put h(n) := f (n) g(n), so that D(h, s) = D(f, s) D(g, s).
Then our assumption is that D(h, sk ) = 0 for all k, and we wish to show that
h(n) = 0 for all n.
So suppose not, and let N be the least n for which h(n) = 0. Then

h(n)
h(N )
h(n)
D(h, s) =
=
+
,
ns
Ns
ns
n=N

n=N +1

so

h(n)
.
ns

h(N ) = N s D(h, s) N s

n=N +1

Taking now s = sk we have that for all k Z ,

+

h(N ) = N sk

n=N +1

h(n)
.
nsk

Fix a > 0 , and choose a k such that k > . Then

|h(N )| N

n=N +1

|h(n)|n

N k

(N + 1)k c

n=N +1

|h(n)|n

(
C

N
N +1

)k
,

for some constant C independent of n and k. Since N is a constant, letting k

the right hand side approaches 0, thus h(N ) = 0, a contradiction.

an
Corollary 190. Let D(s) =
n ns be a Dirichlet series with abscissca of
absolute convergence ac . Suppose that for some s with (s) > ac we have D(s) =
0. Then there exists a halfplane in which D(s) is absolutely convergent and never
zero.
Proof. If not, we have an innite sequence {sk } of complex numbers, with
real parts tending to innity, such that D(sk ) = 0 for all k. By the Uniqueness
Theorem this implies that an = 0 for all n and thus D(s) is identically zero in its
halfplane of absolute convergence, contrary to our assumption.

Corollary 191. (MIF for polynomially growing functions)
If f (n) is an arith
metical function with polynomial growth and F (n) =
f
(n),
then f (n) =
d|n

F
(d)(n/d).
d|n
Surely this was the rst known version of the Mobius inversion formula. Of course
as Hardy and Wright remark in their classic text, the real proof of MIF is the
purely algebraic one we gave earlier, but viewing things in terms of honest functions has a certain appeal.
Moreover, the theory of absolute convergence of innite products (see e.g. [A1,
11.5]) allows us to justify our formal Euler product expansions:

Theorem 192. (Theorem 11.7 of [A1]) Suppose that D(f, s) = n fn(n)

cons
verges absolutely for > ac . If f is multiplicative we have an equality of functions
)
(
f (p) f (p2 )
1 + s + 2s + . . . ,
D(f, s) =
p
p
p

5. CONDITIONAL CONVERGENCE OF DIRICHLET SERIES

189

valid for all s with (s) > ac . If f is completely multiplicative, this simplies to
)1
(
f (p)
D(f, s) =
1 s
.
p
p
Euler products are ubiquitous in modern number theory: they play a prominent
role in (e.g.!) the proof of Fermats Last Theorem.
5. Conditional Convergence of Dirichlet Series
an
Let D(f, s) =
n=1 ns be a Dirichlet series. We assume that the abscissa of
absolute convergence ac is nite.
Theorem 193. There exists a real number c with the following properties:
(i) If (s) > c , then D(f, s) converges (not necessarily absolutely).
(ii) If (s) < c , then D(f, s) diverges.
Because the proof of this result is already somewhat technical, we defer it until
X.X on general Dirichlet series, where we will state and prove a yet stronger result.
Denition: c is called the abscissa of convergence.
Contrary to the case of absolute convergence we make no claims about the convergence or divergence of D(f, s) along the line (s) = : this is quite complicated.
Proposition 194. We have
0 ac c 1.
Proof. Since absolutely convergent series are convergent, we evidently must
have
a complex number such that
aacn . On the other hand, let s = + it abe
n
converges.
Of
course
this
implies
that

0 as n , and that in
n=1 ns
ns
turn implies that there exists an N such that n N implies | anns | = |ann | 1. Now
let s be any complex number with real part + 1 + for any > 0. Then for all
n N,
an
|an |
1
1
| s | = 1+ 1+ ,
n
n
n
n
so by comparison to a p-series with p = 1 + > 1, D(f, s ) is absolutely convergent.

It can be a delicate matter to show that a series is convergent but not absolutely
convergent: there are comparatively few results that give criteria for this. The
following one sometimes encountered in an advanced calculus class will serve us
well.
Proposition 195. (Dirichlets Test) Let {an } be a sequnece of complex numbers and {bn } a sequence of real numbers. Suppose both of the following hold:
N
(i) There exists a xed M such that for all N Z+ , | n=1 an | M (bounded
partial sums);
(ii) b1
b2 . . . bn . . . and limn bn = 0.

Then n=1 an bn is convergent.

190

16. DIRICHLET SERIES

N
Proof. Write SN for n=1 , so that by (i) we have |SN | M for all N . Fix
1
> 0, and choose N such that bN < 2M
. Then, for all m, n N :
|

ak bk | =
n

k=m

=|

n1

(Sk Sk1 )bk |

k=m

k=m

=|

Sk b k

n1

Sk bk+1 |

k=m1

Sk (bk bk+1 ) + Sn bn Sm1 bm |

k=m

n1

|Sk ||bk bk+1 | + |Sn ||bn | + |Sm1 ||bm |

k=m

( n1

|bk bk+1 | + |bn | + |bm |

)
= 2M bm 2M bN < .

k=m

Therefore the series satises the Cauchy criterion and hence converges.6

{an }
n=1

be a complex sequence.
Theorem 196. Let
N
a)
Suppose
that
the
partial
sums
n=1 an are bounded. Then the Dirichlet series
an
has

0.
c
n=1 ns
b) Assume in addition that an does not converge to 0. Then ac = 1, c = 0.
Proof. By Proposition 186, ac = 1. For any real number > 0, by
taking
bn = n1 the hypotheses of Proposition 195 are satised, so that D() = n nan
converges. The smallest right open half-plane which contains all positive real numbers is of course (s) > 0, so 0. By Proposition 194 we have 1 = ac 1 + ,
so we conclude that = 0.

Theorem 197. (Theorem 11.11 of [A1]) A Dirichlet series D(f, s) converges
uniformly on compact subsets of the half-plane of convergence (s) > .
Suce it to say that, in the theory of sequences of functions, uniform convergence on compact subsets is the magic incantation. As a consequence, we may
dierentiate and integrate Dirichlet series term-by-term. Also:
f (n)
Corollary 198. The function D(f, s) =
n=1 ns dened by a Dirichlet
series in its half-plane (s) > of convergence is complex analytic.
6. Dirichlet Series with Nonnegative Coecients

Suppose we are given a Dirichlet series D(s) = n anns with the property that for
all n, an is real and non-negative. There is more to say about the analytic theory
of such series. First, the non-negativity hypothesis ensures that for any real s, D(s)
is a series with non-negative terms, so its absolute convergence is equivalent to its
convergence. Thus:
Lemma 199. For a Dirichlet series with non-negative real coecients, the abscissae of convergence and absolute convergence coincide.
6This type of argument is known as summation by parts.

7. CHARACTERS AND L-SERIES

191

Thus one of the major dierences from the the theory of power series is eliminated
for Dirichlet series with non-negative real coecients. Another critical property of
all complex power series is that the radius of convergence R is as large as conceivably possible, in that the function necessarily has a singularity somewhere on the
boundary of the disk |z z0 | < R of convergence. This property need not be true
for an arbitrary Dirichlet series. Indeed the series

(1)n+1
1
1
D(s) =
= 1 s + s ...,
s
(2n + 1)
3
5
n=1
has = 0 but extends to an analytic function on the entire complex plane.7 However:

Theorem 200. (Landau) Let D(s) = n anns be a Dirichlet series, with an real
and non-negative for all n. Suppose that for a real number , D(s) converges in the
half-plane (s) > , and that D(s) extends to an analytic function in a neigborhood
of . Then strictly exceeds the abscissa of convergence c .
Proof (Kedlaya): Suppose on the contrary that D(s) extends to an analytic function
on the disk |s | < , for some > 0 but = c . Choose c (, + /2), and
write

D(s) =
an nc ncs =
an nc e(cs) log n
n

an nc (log n)k
n=1 k=0

k!

(c s)k .

Here we have a double series with all coecients non-negative, so it must converge
absolutely on the disk |s c| < 2 . In particular, viewed as a Taylor series in (c s),
this must be the Taylor series expansion of D(s) at s = c. Since D(s) is assumed
to be holomorphic in the disk |s c| < 2 , this Taylor series is convergent there.
In particular, choosing any real number with 2 < < , we have that
D( ) is absolutely convergent. But this implies that the original Dirichlet series is
convergent at , contradiction!
For example,
it follows from Landaus theorem that the Riemann zeta function

(s) = n n1s must have a singularity at s = 1, since otherwise there would exist
some < 1 such that the series converges in the entire half-plane (s) > .
Of course this is a horrible illustration of the depth of Landaus theorem, since
we used the fact that (1) = in order to compute the abscissa of convergence
of the zeta function! We will see a much deeper application of Landaus theorem
during the proof of Dirichlets theorem on primes in arithmetic progressions.
7. Characters and L-Series
Let f : Z+ C be an arithmetic function.
Recall that f is said to be completely mutliplicative if f (1) = 0 and for all
a, b Z, f (ab) = f (a)f (b). The conditions imply f (1) = 1.
7We will see a proof of the former statement shortly, but not the latter. More generally, it is
true for the L-function associated to any primitive Dirichlet character.

192

16. DIRICHLET SERIES

For N Z+ , we say a function f is N -periodic if it satises:

(PN ) For all n Z+ , f (n + N ) = f (n).
An arithmetic function is periodic if it is N -periodic for some N Z+ .
Remark: A function f : Z C is said to be N -periodic if for all n Z,
f (n + N ) = f (n). It is easy to see that any N -periodic arithmetic function admits
a unique extension to an N -periodic function with domain Z.
Note that if f is N -periodic it is also kN -periodic for every k Z+ . Conversely, we
dene the period P of a periodic function to be the least positive integer N such
that f is N -periodic, then it is easy to see that f is N -periodic i P | N .
Now we are ready to meet the object of our aections:
A Dirichlet character is a periodic completely multiplicative arithmetic function.8
Example: For an odd prime p, dene Lp : Z+ C by Lp (n) = ( np ) (Legendre
symbol). The period of Lp is p. Notice that Lp (n) = 1 if n is prime to p, whereas
Lp (n) = 0 if gcd(n, p) > 1. This generalizes as follows:
Theorem 201. Let f be a Dirichlet character of period N .
a) If gcd(n, N ) = 1, then f (n) is a (N )th root of unity in C (hence f (n) = 0).
b) If gcd(n, N ) > 1, then f (n) = 0.
Proof. Put d = gcd(n, N ). Assume rst that gcd(n, N ) = 1, so by Lagranges
Theorem n(N ) 1 (mod N ). Then:
f (n)(N ) = f (n(N ) ) = f (1) = 1.
Next assume d > 1, and write n = dn1 , N = dN1 . By assumption N1 properly
divides N , so is strictly less than N . Then f is not N1 -periodic, so there exists
m Z+ such that
f (m + N1 ) f (m) = 0.
On the other hand
f (d) (f (m + N1 ) f (m)) = f (dm + N ) f (dm) = f (dm) f (dm) = 0,
so
f (n) = f (dn1 ) = f (d)f (n1 ) = 0 f (n1 ) = 0.

7.1. Period N Dirichlet characters and characters on U (N ).
A fruitful perspective on the Legendre character L(p) is that it is obtained from a
certain homomorphism from the multiplicative group (Z/pZ) into the multiplicative group C of complex numbers by extending to L(0 (mod p)) := 0. In fact all
Dirichlet characters of a given period can be constructed in this way.
8Recall that by denition a multiplicative function is not identically zero, whence f (1) = 1.

7. CHARACTERS AND L-SERIES

193

We introduce some further notation: for N Z+ , let U (N ) = (Z/N Z) be the

unit group, a nite commutative group of order (N ). Let X(N ) be the group of
characters of U (N ), i.e., the group homomorphisms U (N ) C . We recall from
[Algebra Handout 2.5, 4] that X(N ) is a nite commutative group whose order is
is also (N ).9
Proposition 202. Let N be a positive integer. There is a bijective correspondence between Dirichlet characters with period N and elements of X(N ) =
Hom(U (N ), C ).
Proof. If f : U (N ) C is a homomorphism, we extend it to a function from
f : Z/N Z C by dening f (0) = 0 on all residue classes which are not prime to
N , and then dene
f(n) := f (n mod N ).
In other words, if qN : Z Z/N Z is the quotient map, then f := f qN .
Conversely, if f : Z+ C is a Dirichlet character mod N , then its extension
to Z is N -periodic and therefore factors through f : Z/N Z C.
It is easy to see that these two constructions are mutually inverse.

For example, the function 1 : n 1 for all n is the unique Dirichlet character of
period 1. The character 1 is said to be trivial; all other Dirichlet characters are
said to be nontrivial. Under the correspondence of Proposition 202 it corresponds
to the unique homomorphism from the trivial group Z/1Z C.
7.2. Examples.
Example (Principal character): For any N Z+ , dene N : Z+ C by
N (n) = 1, gcd(n, N ) = 1,
N (n) = 0, gcd(n, N ) > 1.
This is evidently a Dirichlet character mod N , called the principal character. It
corresponds to the trivial homomorphism U (N ) C , i.e., the one which maps
every element to 1 C.
Example: N = 1: Since (1) = 1, the principal character 1 coincides with the
trivial character 1: this is the unique Dirichlet character modulo 1.
Example: N = 2: Since (2) = 1, the principal character 2 , which maps odd
numbers to 1 and even integers to 0, is the unique Dirichlet character modulo 2.
Example: N = 3: Since (3) = 2, there are two Dirichlet characters mod 3, the
principal one 3 and a nonprincipal character, say 3 . One checks that 3 (n) must
[
be 1 if n = 3k+1, 1 if n = 3k+2, and 0 if n is divisible by 3. Thus U
(3) = {3 , 3 }.
Example: N = 4: Since (4) = 2, there is exactly one nonprincipal Dirichlet
n1
character mod 4, 4 . We must dene 4 (n) to be 0 if n is even and (1) 2 if n is
[
odd. Thus U
(4) = {4 , 4 }. Note that 4 = 2 .
9In fact, X(N ) and U (N ) are isomorphic groups: Theorem 15, ibid., but this is actually not
needed here.

194

16. DIRICHLET SERIES

7.3. Conductors and primitive characters.

7.4. Dirichlet L-series.
By denition, a Dirichlet L-series is the Dirchlet series associated to a Dirichlet
character:

(n)
L(, s) = D(, s) =
.
ns
n=1
In particular, taking = 1 = 1, we get L(1 , s) = (s), which has ac = c = 1.
But this is the exception:
Theorem 203. Let be a nontrivial Dirichlet character. Then for the Dirichlet
L-series L(, s) = D(, s), we have ac = 1, c = 0.
Proof. It follows from the orthogonality relations [Handout A2.5, Theorem
17] that since is nonprincipal, the partial sums of L(, s) are bounded. Indeed
since |(n)| 1 for each n and the sum over any N consecutive values is zero, the
partial sums are bounded by N . Also we clearly have (n) = 1 for innitely many
n, e.g. for all n 1 (mod N ). So the result follows directly from Theorem 196. 
We remark that most of the proof of the Dirichlets theorem specically, that
every congruence class n (Z/N Z) contains innitely many primes involves
showing that for every nontrivial character , L(, 1 + it) is nonzero for all t R.
This turns out to be much harder if takes on only real values.
8. An Explicit Statement of the Riemann Hypothesis
Let g be the arithmetical function g(n) = (1)n+1 . Then:
D(g, s) =

(1)n+1
1
1
=

2
= (s)(1 21s ).
s
s
s
n
n
(2k)
n=1
n=1
n=1

This formal manipulation holds analytically on the region on which all series are
absolutely convergent, namely on (s) > 1. On the other hand, by Example XX
above we know that D(g, s) is convergent for (s) > 0. So consider the function
D(g, s)
.
1 21s
By Corollary 198 the numerator is complex analytic for (s)
inator is dened and analytic on the entire complex plane,
21s = e(1s) log 2 = 1, or when 1 s = 2ni
log 2 for n Z, so when
But by construction Z(s) = (s) for (s) > 1, so Z(s) is what
morphic continuation of the zeta function.
Z(s) =

> 0. The denomand is zero when

2n
s = sn = 1 log
2 i.
is called an mero-

Remark: All of the zeroes of 21s are simple (i.e., are not also zeroes for the
derivative). It follows that for n = 0, Z(s) is holomorphic at sn i D(g, sn ) = 0.
We will see in the course of the proof of Dirichlets theorem that this indeed the
case, and thus Z(s) = (s) is analytic in (s) > 0 with the single exception of a
simple pole at s = 1.
However, our above analysis already shows that 21s is dened and nonzero in
the critical strip 0 < (s) < 1, so that for such an s, Z(s) = 0 D(g, s) = 0.

9. GENERAL DIRICHLET SERIES

195

We can therefore give a precise statement of the Riemann hypothesis in the following (misleadingly, of course) innocuous form:
Conjecture 204. (Riemann Hypothesis) Suppose s is a zero of the function
D(g, s) =

(1)n
ns
n=1

with 0 < (s) < 1. Then (s) = 12 .

This serves to show once again how the deepest facts (and conjectures!) in analytic
number theory turn on cancellation in innite series.
9. General Dirichlet Series
Let = {n }
n=1 be a sequence of real numbers which is strictly increasing and
with limn n = . Given a complex sequence (or arithmetical function)
a = {an }
n=1 , we may consider the series
D (a, s) =

an esn ,

n=1

called the general Dirichlet series associated to the sequence of exponents .

The theory we have developed for Dirichlet series can equally well be expressed
in this more general context. Why one might want to do this is probably not yet
clear, but bear with us for a moment.
In particular, if we dene
ac (resp. c ) to be the inmum of all
as before
n
real numbers such that
|a
|e
converges (resp. such that D (a, )
n
n=1
converges), one can prove that (s) > ac (resp. (s) > ) is the largest open
half-plane in which D (a, s) is absolutely convergent (resp. convergent). Moreover,
there are explicit formulas for these abscissae, at
least when c 0 (which holds
in all applications we know of). For instance if n an diverges then c 0.
Theorem 205. ([A2, 8.2]) Let D (a, s) be a general Dirichlet series, and
assume that c 0. Then:
n
log k=1 |ak |
(48)
ac = lim sup
.
n
n
(49)

c = lim sup
n

Remark: If lim supn

if lim supn

log |

k=1

n
k=1

ak |

= 0 and n an diverges, then c = 0;

= 0 and n an converges, then

log |

ak |

log |

k=1

ak |

c = lim sup
n

1
ln |
ai |.
n
i=1

These formulae are highly reminiscent of Hadamards

formula (lim supn |an | n )1

for the radius of convergence of a power series n=0 an xn .

1

196

16. DIRICHLET SERIES

But in fact it is no coincidence: just as general Dirichlet series generalize ordinary Dirichlet series which we recover by taking n = log n, they also generalize
power series which we essentially recover by taking n = n. Indeed,

an ens =
an xn ,
n=1

n=1

with x = es . This change of variables takes right half-planes to disks around the
origin: indeed the open disk |x| < R corresponds to
|x| = |es | = |eit | = e < R,
or > log R, a right half-plane. Under the change of variables x = es the origin
x = 0 corresponds to some ideal complex number with innitely large real part.
At rst the fact that we have a theory which simultaneously encompasses Dirichlet
series and power series seems hard to believe, since the open disks of convergence
and of absolute convergence for a power series are identical. However, the analogue
of Proposition 194 for general Dirichlet series is
Proposition 206. Let D (a, s) be a general Dirichlet series. Then the abscissae of absolute convergence and of convergence are related by:
log n
0 ac c lim sup
.
n
n
In the case n = n we have

log n
n

0, and Proposition 206 conrms that ac = c .

We leave it as an exercise for the interested reader to compare the formulae (48)
1
and (49) with Hadamards formula R1 = lim supn |an | n for the radius of convergence of power series. (After making the change of variables x = es they are not
identical formulae, but it is not too hard to show that they are equivalent in the
sense that any of them can be derived from the others without too much trouble.)

CHAPTER 17

Dirichlets Theorem on Primes in Arithmetic

Progressions
1. Statement of Dirichlets Theorem
The aim of this section is to give a complete proof of the following result:
Theorem 207. (Dirichlet, 1837) Let a, N Z+ be such that gcd(a, N ) = 1.
Then there are innitely many prime numbers p such that p a (mod N ).
We remark that the proof gives more, that the set of primes p a (mod N ) is
substantial in the sense of [Handout 12].1
One of the amazing things about the proof of Dirichlets theorem is how modern
it feels. It is literally amazing to compare the scope of the proof to the arguments
we used to prove some of the other theorems in the course, which historically came
much later. Dirichlets theorem comes 60 years before Minkowksis work on the
geometry of numbers and 99 years before the Chevalley-Warning theorem!
Let us be honest that the proof of Dirichlets theorem is of a diculty beyond
that of anything else we have attempted in this course. On the algebraic side, it
requires the theory of characters on the nite abelian groups U (N ) = (Z/N Z) .
From the perspective of the 21st century mathematics undergraduate with a background in abstract algebra, these are not particularly deep waters. More serious
demands come from the analytic side: the main strategy is, as in Eulers proof of
the innitude of primes, to consider the function

Pa (s) =
pa

(mod N )

1
,
ps

which is dened say for real numbers s > 1, and to show that lims1+ Pa (s) = +.
Of course this suces, because a divergent series must have innitely many terms!
The function Pa (s) will in turn be related to a nite linear combination of logarithms
of Dirichlet L-series, and the diering behavior of the Dirichlet series for principal
and non-principal characters is a key aspect of the proof. Indeed, the fuel for the
entire proof is the following surprisingly deep fact:
Theorem 208. (Dirichlets Nonvanishing Theorem) For any non-principal Dirichlet character of period N , we have L(, 1) = 0.
1In fact, with relatively little additional work, one can show that the primes are, in a certain
precise sense, equidistributed among the (N ) possible congruence classes.
197

198

17. DIRICHLETS THEOREM ON PRIMES IN ARITHMETIC PROGRESSIONS

There are many possible routes to Theorem 208. We have chosen (following Serre)
to present a proof which exploits the theory of Dirichlet series which we have developed in the previous handout in loving detail. As in our treatment of Dirichlet
series, we do nd it convenient to draw upon a small amount of complex function
theory. These result are summarized in Appendix C, which may be most useful
for a reader who has not yet been exposed to complex analysis but has a good
command of the theory of sequences and series of real functions.
I hope that readers who are unable or unwilling to check carefully through all
the analytic details of the proof will still gain an appreciation for the sometimes
dicult but also quite beautiful ideas which are on display here. It may be appropriate for me to end this introduction with a personal statement. I believe
that I rst encountered the proof of Dirichlets theorem during a reading course in
(mostly analytic) number theory that I took as an undergraduate with Professor R.
Narasimhan, but in truth I have little memory of it. For my entire graduate career
I neglected analysis in general and analytic number theory in particular, to the extent that I came to regard the study of conditionally convergent series as a sort of
idle amusement. As a postdoc in Montreal I found myself in an environment where
analytic and algebraic number theory were regarded with roughly equal importance
(and better yet, often practiced simultaneously). Eventually the limitations of my
overly algebraic bias became clear to me, and since my arrival at UGA I have made
some progress working my way back towards a more balanced perspective.
Dirichlets theorem points the way towards modern analytic number theory
more than any other single result (even more than the Prime Number Theorem,
in my opinion, whose analytic proof is harder but less immediately enlightening).
Thus I came to the desire to dicsuss the proof of Dirichlets theorem in the course
(which was not done the rst time I taught it).
The proof that I am about to present is not substantively dierent from what
can be found in many other texts (and especially, to the proof given in [Se73]).
Nevertheless, in order to both follow every detail of the proof and also to get a
sense of what was going on in the proof as a whole took me dozens of hours of
work, much more so than any other topic in this course. But to nally be able to
present the proof feels wonderful, like coming home again. So although I have done
what I can to present this material as transparently as possible, not only will I be
sympathetic if you nd parts of it confusing the rst time around, I will even be a
little jealous if you dont! But do try to enjoy the ride.
2. The Main Part of the Proof of Dirichlets Theorem
2.1. Prelude on complex logarithms.
We begin rather inauspiciously by discussing logarithms. By a complex logarithm,
we mean a holomorphic function L(z) such that eL(z) = z. As compared to the
usual real logarithm, there are two subtleties. First, there are multiple such functions: since ez+2in = ez for all z, if L(z) is any complex logarithm, so is L(z)+2in
for any integer n. More seriously, no complex logarithm can be dened on the entire complex plane. Clearly we cannot have a logarithm dened at 0, since 0 is not
in the image of the complex exponential function. In complex analysis one learns
that if one removes from the complex line any ray passing through the origin

2. THE MAIN PART OF THE PROOF OF DIRICHLETS THEOREM

199

the real interval (, 0] being the most standard choice then one can dene a
complex logarithm on this restricted domain. In particular, given any open disk in
the complex plane which does not contain the origin, there is a complex logarithm
dened on that disk.
For the moment though, let us proceed exactly as in calculus: we dene a function
log(1 z) for |z| < 1 by the following convergent Taylor series expansion:
(50)

log(1 z) =

zn
.
n
n=1

In our analysis, we will come to a point where we have an analytic function, say
f (z), and we will want initially want to interpret log f (z) in a rather formal way,
i.e., simply as the series expansion

(1 f (z))n
.
log(1 (1 f (z))) =
n
n=1
It will be clear for our particular f (z) that the series converges to an analytic
function, say g, of z. The subtle point is whether g really is a logarithm of f
in the above sense, i.e., whether and for which values of z we have eg(z) = f (z).
Our expository choice here is to state carefully the claims we are making about
logarithms during the course of the proof and then come back to explain them at
the end. Readers with less familiarity with complex analysis may skip these nal
justications without fear of losing any essential part of the argument.
2.2. The proof. To begin the proof proper, we let X(N ) denote the group
of Dirichlet characters modulo N . Fix a with gcd(a, N ) = 1 as in the statement of
Dirichlets theorem.
Write Pa for the set of prime numbers p a (mod N ), so our task is of course
to show that Pa is innite. For this we consider the function
1
Pa (s) :=
,
ps
pPa

dened for s with (s) > 1. Our goal is to show that Pa (s) approaches innity as s
approaches 1. (It would be enough to show this for real i.e., lim1+ Pa () =
but nevertheless for the proof it is useful to consider complex s.)
Remark: Notice that this gives more than just the innitude of Pa : it shows that
it is substantial in the sense of Handout X.X.
The overarching idea of the proof is to express Pa (s) in terms of some Dirichlet
L-series for characters X(N ), and thus to reduce the unboundedness of Pa (s)
as s 1 from some corresponding analytic properties of L-series near s = 1.
Why should Pa (s) have anything to do with Dirichlet L-series? First, dene 1a
be the characteristic function of the congruence class a (mod N ): i.e., 1a (n) is 1
if n a (mod N ) and is 0 otherwise. Then Pa (s) is reminiscent of the Dirichlet
series for the arithmetical function 1a , except it is a sum only over primes. Note
that since 1a is not a multiplicative function, it would be unfruitful to consider

200

17. DIRICHLETS THEOREM ON PRIMES IN ARITHMETIC PROGRESSIONS

its Dirichlet series D(1a , s) it does not have an Euler product expansion. Nevertheless 1a has some character-like properties: it is N -periodic and it is 0 when
gcd(n, N ) > 1. Therefore 1a is entirely determined by the corresponding function
U (N ) C, n (mod N ) 7 1a (n).
Now recall from [Handout A2.5, 4.3] that any function f : U (N ) C can
be uniquely expressed as a C-linear combination of characters; [Ibid, Corollary 18]
even gives an explicit formula.
With all this in mind, it is easy to discover the following result (which we may
as well prove directly):
Lemma 209. For all n Z, we have

1a (n) =
X(N )

(a)1
(n).
(N )

Proof: By the complete multiplicativity of the s, the right hand side equals

1
(a1 n) ,
(N )
X(N )

and now by orthogonality the parenthesized sum evaluates to (N ) if a1 n 1

(mod N ) i.e., if n a (mod N ) and 0 otherwise. The result follows.
The corresponding identity for Pa (s) is:
(a)1 (p)
.
(51)
Pa (s) =
(N ) p ps
X(N )

The terms

(p)
ps

are clearly reminiscent of Dirichlet L-series. Starting with

)1
(
(p)
L(, s) =
1 s
.
p
p

and taking logarithms we get

log L(, s) =

log(1

(p)
).
ps

Expanding out this logarithm using the series (50) as advertised above, we get
(p)
(52)
log(L(, s)) =
( s )n /n.
p
p
n
But we regard the above as just being motivational; let us now be a little more
precise. The right hand side of (52) is absolutely convergent for (s) > 1 and
uniformly convergent on closed half-planes (s) 1 + . So if we simply dene
( (p) )n
(, s) :=
/n,
ps
p
n
then, whatever else it may be, (, s) is an analytic function on the half-plane
(s) > 1. Of course we know what the whatever else should be:

2. THE MAIN PART OF THE PROOF OF DIRICHLETS THEOREM

201

First Claim on Logarithms: In the halfplane (s) > 1, we have e(,s) = L(, s).
As stated above, we postpone justication of this claim until the next section.
Notice that the n = 1 contribution to (, s) alone gives precisely the sums appearing in (51); there are also all the n 2 terms, which we dont want. So lets
separate out these two parts of the series: denining
(p)
1 (, s) =
ps
p
and
R(, s) =

(p)n
n2 p

npns

we have
(, s) = 1 (, s) + R(, s)
and also
Pa (s) =

X(N )

(a1 )
1 (, s).
(N )

But recall what were trying to show: that Pa (s) is unbounded as s 1. If were
trying to show that something is bounded, any terms which do remain bounded as
s 1 can be ignored. But
1
( 1 )n
|R(, 1)|

npn
p
p
p
n2

n2

1 p
1

2
< .
2 p1
2
2
p
p
n
p
p
n=1

So R(, s) is absolutely convergent at s = 1 hence remains bounded as s 1, and

thus we can safely ignore the terms R(, s). The following notation expresses this:
Pa (s) =

X(N )

(a)1
(, s) + O(1);
(N )

here the O(1) denotes anything which is uniformly bounded as s 1. Separating

the term corresponding to the principal character N from the other terms, we get

1 s
Pa (s) =
p +
(, s) + O(1).
(N )
p-N

=N

Now p-N ps , is up to a nite number of terms, just the sum p ps . We know

1

well that p p = , and by the Positivity Lemma this implies lims1+ p ps =

+. So the rst term is unbounded near innity. Therefore it would suce to show
that for each nontrivial character , (, s) is bounded as s 1.
Recall that for every nonprincipal we know that the Dirichlet series for L(, s)
is convergent on all of (s) > 0; in particular, L(, s) is a well-dened analytic

202

17. DIRICHLETS THEOREM ON PRIMES IN ARITHMETIC PROGRESSIONS

function at s = 1. Finally, we see the relevance of Theorem 208: if we know that

for each nonprincipal X(N ), L(, 1) = 0, then
L(, 1) = lim L(, s) = lim e(,s) .
s1

s1

Second claim on logarithms: Therefore (, s) is bounded as s 1.

Now, modulo these two claims and the proof of Theorem 208 were done: since
the contribution to Pa (s) from the nonprincipal Dirichlet L-series remains bounded
as s 1 whereas the contribution from the principal Dirichlet L-series does not,
it follows that Pa (s) itself is unbounded as s approaches 1: more precisely, as s
approaches 1 through real values of s > 1, we get

1
lim+ Pa (s) =
= +,
ps
s1
pa

(mod N )

hence there must be innitely many primes p a (mod N ).

2.3. Tidying up the logarithms.
Let us now deal with our two claims on logarithms. For the rst one, we know
from calculus that for a real number s with |s| < 1, the Taylor series expansion
log(1 s) =

sn
n
n=1

is valid: in other words, we do have the identity

e

sn
n=1 n

=1s

for all such s. By the principle of analytic continuation, the corresponding complex
power series gives a well-dened logarithm whenever it is dened, which is at least
for complex s with |s| < 1. We have
lim

(s)+

L(, s) = 1,

so that there exists a 0 such that (s) > 0 implies |1 L(, s)| < 1. Thus in this
halfplane we do have e(,s) = L(, s). By the principle of analytic continuation,
this identity will continue to hold so long as both sides are well-dened analytic
functions, which is the case for all (s) > 1, justifying the rst claim on logarithms.
Similar reasoning establishes the second claim: since L(, s) is analytic and nonzero
at s = 1, there exists some small open disk about L(, 1) which does not contain the
origin, and therefore we can choose a branch of the logarithm such that log L(, s)
is well-dened on the preimage of that disk, so in particular on some small open
disk D about s = 1. Then log L(, 1) is a well-dened complex number. It may not
be equal to our (, 1), but since any two logarithms of the same analytic function
dier by a constant integer multiple of 2i, by the principle of analytic continuation
there exists some n Z such that (, s) 2n = log(, s) on the disk D, and no
matter what n is, this means that (, s) remains bounded as s 1.

3. NONVANISHING OF L(, 1)

203

3. Nonvanishing of L(, 1)
We claim that L(, 1) = 0 for all nonprincipal characters X(N ). Our argument
is as follows: consider the behavior of the Dedekind zeta function

N (s) =
L(, s).
X(N )

near s = 1. We know that for each nonprincipal , L(, s) is holomorphic at s = 1,

whereas for principal we get essentially the Riemann zeta function, which we have
seen has a simple pole at s = 1: we have seen that
(s 1)(s) 1
as s 1. It follows from basic function theory that N (s) has at most a simple pole at s = 1, and indeed has a pole i L(, 1) = 0 for all nontrivial . Thus
our goal is to show that the Dedekind zeta function N (s) has a singularity at s = 1.
The key
we need
order of
theorem

is that the Dirichlet series N (s) has a very particular form. To see this,
just a little notation: for a prime p not dividing N , let f (p) denote the
)
p in the unit group U (N ), and put g(p) = (N
f (p) , which is by Lagranges
a positive integer. Now:

Proposition 210. a) We have

N (s) =
(
p-N

1
1

)g(p) .

pf (p)s

b) Therefore N (s) is a Dirichlet series with non-negative integral coecients, converging absolutely in the half-plane (s) > 1.
Proof. Let f (p) be the group of f (p)th roots of unity. Then for all p - N we
have the polynomial identity

(1 wT ) = 1 T f (p) .
wf (p)

Indeed, both sides have the f (p)th roots of unity as roots (with multiplicity one),
so they dier at most by a multiplicative constant; but both sides evaluate to 1 at
T = 0. Now by the Character Extension Lemma [Lemma 13, Handout A2.5], for
all w f (p) there are precisely g(p) elements X(N ) such that (p) = w. This
establishes part a), and part b) follows from the explicit formula of part a).

Now for a deus ex machina. We are given that N (s) is a Dirichlet series with nonnegative real coecients. Therefore we can apply Landaus Theorem: if is the
abscissca of convergence of the Dirichlet series, then the function N (s) has a singulariety at . Clearly 1, so, contrapositively, if N (s) does not have a singularity
at s = 1, then not only does N (s) extend analytically to some larger halfplane
(s) > 1 , but it extends until it meets a singularity on the real line. But we
have already seen that each Dirichlet L-series is holomorphic for 0 < (s) < 1, so
Landaus theorem tells us that 0.
If you think about it for a minute, it is exceedingly unlikely that a Dirichlet series
with non-negative integral coecients has absissca of convergence 0, and in

204

17. DIRICHLETS THEOREM ON PRIMES IN ARITHMETIC PROGRESSIONS

our case it is quite straightforward to see that this is not the case: take s to be in
the real interval (0, 1). Expanding out the pth Euler factor we get
(
)
1
1
1
(
)g(p) = 1 + pf (p)s + p2f (p)s + . . . .
1
1 pf (p)s
Ignoring all the crossterms gives a crude upper bound: this quantity is at least
1
1
1 + (N )s + 2(N )s + . . . .
p
p
Multiplying this over all p, it follows that

1
N (s)
.
(N
)s
n
n | (n,N )=1

When we evaluate at s =

1
(N )

we get

(n,N )=1

1
.
n

Since the set of integers prime to N has positive density, it is substantial. More
concretely, since every n of the form N k + 1 is coprime to N , this last sum is at
least as large as

1
= .
Nk + 1
k=1

QED!

CHAPTER 18

Rational Quadratic Forms and the Local-Global

Principle
A form of degree k is a polynomial P (x1 , . . . , xn ) which is homogeneous of degree
k: in each monomial term cxi11 xinn , the total degree i1 + . . . + in is k. E.g.
Fn (x, y, z) = xn + y n z n
is a form of degree n, such that the study of solutions to Fn (x, y, z) = 0 is equivalent
to Fermats Last Theorem.
For the most part we will concentrate here on quadratic forms (k = 2):

aij xi xj ,
1ijn

where the coecients aij are usually either integers or rational numbers (although
we shall also be interested in quadratic forms with coecients in Z/nZ and R). For
instance, a binary quadratic form is any expression of the form
q(x, y) = ax2 + bxy + cy 2 .
As for most Diophantine equations, quadratic forms were rst studied over the
integers, meaning that the coecients aij are integers and only integer values of
x1 , . . . , xn are allowed to be plugged in. At the end of the 19th century it was
realized that by allowing the variables x1 , . . . , xn to take rational values, one gets
a much more satisfactory theory. (In fact one can study quadratic forms with coecients and values in any eld F . This point of view was developed by Witt in
the 1930s, expanded in the middle years of this century by, among others, Pster
and Milnor, and has in the last decade become especially closely linked to one of
the deepest and most abstract branches of contemporary mathematics: homotopy
K-theory.) However, a wide array of repower has been constructed over the years
to deal with the complications presented by the integral case, culminating recently
in some spectacular results. Here we will concentrate on what can be done over the
rational numbers, and also on what statements about integral quadratic forms can
be directly deduced from the theory of rational quadratic forms.
Let us distinguish two types of problems concerning a quadratic form q(x1 , . . . , xn ),
which we will allow to have either integral or rational coecients aij .
Homogeneous problem (or isotropy problem): Determine whether there exist
integers, x1 , . . . , xn , not all zero, such that q(x1 , . . . , xn ) = 0. A quadratic form
such that q(x) = 0 has a nontrivial integral solution is said to be isotropic; if there
is no nontrivial solution it is said to be anisotropic.
205

206

18. RATIONAL QUADRATIC FORMS AND THE LOCAL-GLOBAL PRINCIPLE

Example 0: The sum of squares forms x21 + . . . + x2n are all anisotropic. Indeed,
for any real numbers x1 , . . . , xn , not all zero, x21 + . . . + x2n > 0: a form with this
property is said to be positive denite.
Example 1: The Z-quadratic form x2 ny 2 is isotropic i n is a perfect square.
Inhomogeneous problem: For a given integer n, determine whether the equation
q(x1 , . . . , xn ) = n has an integer solution (if so, we say q represents n). More
generally, for xed q, determine all integers n represented by q.
Example 2: We determined all integers n represented by a x21 + x22 , and stated
without proof the results for the quadratic forms x21 + x22 + x23 and x21 + x22 + x23 + x24 ;
in the latter case, all positive integers are represented.
In general the inhomogeneous problem is substantially more dicult than the homogeneous problem. One reason why the homogeneous problem is easier is that,
even if we originally state it in terms of the integers, it can be solved using rational
numbers instead:
Proposition 211. (Principle of homogeneous equivalence) Let P (x1 , . . . , xn )
be a homogeneous polynomial with integral coecients. Then P (x1 , . . . , xn ) has a
nontrivial solution with x1 , . . . , xn Z i it has a nontrivial solution with x1 , . . . , xN
Q.
Proof. Of course a nontrivial integral solution is in particular a nontrivial
rational solution. For the converse, assume there exist pq11 , . . . , pqnn , not all 0, such
that P ( pq11 , . . . , pqnn ) = 0. Suppose P is homogeneous of degree k. Then for any
R , we have
P (x1 , . . . , xn ) = k P (x1 , . . . , xn ),
since we can factor out k s from every term. So let N = lcm(q1 , . . . , qn ). Then
P (N

p1
pn
p1
pn
, . . . , N ) = N k P ( , . . . , ) = N k 0 = 0,
q1
qn
q1
qn

so that (N pq11 , . . . , N pqnn ) is a nontrivial integral solution.

Thus the homogeneous problem for integral forms (of any degree) is really a problem about rational forms.
Remark: The inhomogeneous problem still makes sense for forms of higher degree, but to solve it even for rational forms is generally extremely dicult. For
instance, Selmer conjectured in 1951 that a prime p 4, 7, 8 (mod 9) is of the
form x3 + y 3 for two rational numbers x and y. A proof of this in the rst two
cases was announced (but not published) by Noam Elkies in 1994; more recently,
Dasgupta and Voight have carefully written down a proof of a slightly weaker result
[DV09]. The case of p 8 (mod 9) remains open. In this case (i.e., that of binary
cubic forms) the rich theory of rational points on elliptic curves can be fruitfully
applied. Even less is known about (say) binary forms of higher degree.

1. RATIONAL QUADRATIC FORMS

207

1. Rational Quadratic Forms

In this section, we work with quadratic forms q with coecients aij lying in Q.
(In fact, everything we say works over an arbitrary eld F whose characteristic is
dierent from 2.) This gives many advantages, which we state mostly without proof:
Fact 1: Every rational quadratic form can be diagonalized.
In general, two quadratic forms q and q should be regarded as equivalent if there
is an invertible linear change of variables (x1 , . . . , xn ) = A(x1 , . . . , xn ) carrying one
to the other. In particular, equivalent quadratic forms represent the same values,
and equivalence preserve an/isotropy.
Any quadratic form q(x1 , . . . , xn ) can be represented by a symmetric matrix
Q, such that
q(x1 , . . . , xn ) = xQxT ,
where x = (x1 , . . . , xn ). However, there is a slight annoyance here which is seen by
calculating the quadratic form associated to the symmetric matrix
[
]
a b
b d
; it is
q(x1 , x2 ) = ax21 + 2bx1 x2 + bx.2
So to get the general binary quadratic form of XX, we need to use the matrix
[
]
a 2b
b
d,
2
and
the symmetric matrix M corresponding to the quadratic form
in general,
i j
a
X
X
is
ij ij
mij = aij , i = j,
a
mij = 2ij , i = j,
so the representing matrix M of an integral quadratic form q will in general have
only half-integral entries.
Now the matrix interpretation of equivalence is as follows: the form with representing matrix M is equivalent to the quadratic form with representing matrix
AM AT for any invertible matrix A. If we are working with rational quadratic
forms, then M and A can have rational entries and the condition for invertibility is
that det(A) = 0. However, if we are working with integral quadratic forms, then A
must have integral entries and its inverse must have integral entries, which means
that det(A) = 1.
Recall from linear algebra that every real symmetric matrix M is similar to a
diagonal matrix via a matrix A which is orthogonal: A1 = AT . In fact, for every
symmetric matrix M with entries in a subeld F of C, there exists an invertible
matrix A such that AM AT is diagonal: this amounts to saying that we can rationally diagonalize a symmetric matrix by performing simultaneous row and column
operations. We omit the proof.

208

18. RATIONAL QUADRATIC FORMS AND THE LOCAL-GLOBAL PRINCIPLE

In particular, every rational quadratic form is equivalent to a quadratic form of

the shape
a1 , . . . , an = a1 x21 + . . . + an x2n .
Example:
the integral quadratic form q(x, y) = xy, with associated matrix
[ Consider
]
0 21
M =
. Note that we have det(M ) = 14 . If there exists an integrally
1
0
2
invertible matrix A with AM AT = D diagonal, then
1
det(D) = det(A) det(M ) det(AT ) = det(M ) det(A)2 = det(M ) = .
4
But the diagonal entries of the matrix dening an integral quadratic form must be
integers, so the determinant of any integrally diagonalizable quadratic form must
be an integer. So q(x, y) = xy is not integrally diagonalizable.
Fact 2: Every isotropic rational quadratic form is universal.
There is a special quadratic form
H = 1, 1 = x21 x22 ,
called the hyperbolic plane. By diagonalizing the form q(x, y) = xy, one sees
that it is equivalent, over Q, to H. In particular the hyperbolic plane H is isotropic
indeed take x1 = x2 and moreover it represents every nonzero scalar x Q :
take y = 1. One can show that if q is any isotropic rational quadratic form, then
q
= x21 x22 + q (x3 , . . . , xn ),
so that every isotropic form contains the hyperbolic plane. In particular, every
quadratic form which is isotropic rationally represents every rational number.
This is not true over Z: the isotropic quadratic form x2 y 2 does not represent
every integer. Indeed, x2 y 2 2 (mod 4) has no solution, so x2 y 2 does not
represent any integer which is 2 (mod 4).
Fact 3: Over Q, the representation problem can be reduced to the isotropy problem.
More precisely, one has the following result:
Theorem 212. Let q(x1 , . . . , xn ) be a quadratic form over Q (or over any eld
F of characteristic dierent from 2), and let a Q (or a F ). The following
are equivalent:
a) The quadratic form q(x1 , . . . , xn ) + (a)x2n+1 is isotropic.
b) The quadratic form q rationally represents a.
Proof. If q represents a, then there exist x1 , . . . , xn Q, not all 0, such that
q(x1 , . . . , xn ) = a, but then rewriting gives
q(x1 , . . . , xn ) + (a)(1)2 = 0.
Conversely, suppose there are x1 , . . . , xn , xn+1 in Q, not all 0, such that q(x1 , . . . , xn )+
(a)x2n+1 = 0. If xn+1 = 0, then we can move it to the other side and divide by it

2. LEGENDRES THEOREM

209

(thank goodness we are over Q!) to get

x1
xn
,...,
) = a.
q(
xn+1
xn+1
Otherwise, we have q(x1 , . . . , xn ) = 0, for x1 , . . . , xn not all zero, which means
that q is isotropic, and we averred above that this implies that q contains the
hyperbolic plane H and therefore represents every element of Q , in particular
a.

Thus, if we had an algorithm for deciding whether a given rational quadratic form
is isotropic, then applying it to the form q + (a)x2n+1 , we can equally well decide
whether it rationally represents any given number a.
Remark: There is, to the best of my knowledge, absolutely nothing like Fact
3 for forms of higher degree.
2. Legendres Theorem
We can now give a complete solution to a problem we rst considered early on in
the course: given a, b, c Z, how do we know whether the (quadratic) form
ax2 + by 2 + cz 2 = 0
has a nontrivial solution?
Note that, by the discussion of the last section, if we can solve this problem we
can completely solve the homogeneous problem for ternary integral quadratic forms
q(x, y, z) = 0. Indeed, by Proposition 211 it is enough to decide whether or not
q(x, y, z) = 0 has a nontrivial rational solution, and working rationally we can diagonalize q to get an equation of the above form.
The answer is given by the following beautiful theorem of Legendre. To state
it, we will employ some ad hoc notation: for nonzero integers a and b, we will write
a b to mean that a is a square (possibly
( ) zero) modulo |b|. Note that, if b is odd,
a b implies that the Jacobi symbol ab = 1, but not conversely. A small lemma:
Lemma 213. Let b, c Z \ {0}, with gcd(b, c) = 1. Then a bc a b and
a c.
If there exists an integer x such that a x2 (mod bc), then certainly a x2
(mod b) and a x2 (mod c), giving the forward implication. Conversely, if a x2
(mod b) and a y 2 (mod c), then since b and c are relatively prime, by CRT there
exists a z (mod bc) such that z x (mod b) and z y (mod c), hence a z 2
(mod b) and a z 2 (mod c), so a z 2 (mod bc).
Theorem 214. (Legendre) Let a, b, c be nonzero integers, squarefree, relatively
prime in pairs, and neither all positive nor all negative. Then
ax2 + by 2 + cz 2 = 0
has a nontrivial integral solution i all of the following hold:
(i) ab c.
(ii) bc a.
(iii) ca b.

210

18. RATIONAL QUADRATIC FORMS AND THE LOCAL-GLOBAL PRINCIPLE

Some remarks on the conditions: if a, b and c are all positive or all negative, the
quadratic form is denite over R and has no nontrivial real solutions. Because
integral isotropy is equivalent to rational isotropy, we may adjust a, b and c by any
rational square, and therefore we may assume that they are squarefree integers.
Moreover, if two of them are divisible by a prime p, then they are both exactly divisible by p, and by a simple ordp argument the equation certainly has no solutions
unless p divides c. But then we may divide through a, b and c by p.
Let us prove the easy half of this theorem now, namely showing that these conditions are necessary. In fact, let us show that they are precisely the conditions
obtained by postulating a primitive integral solution (x, y, z) and going modulo a,
b and c. Indeed, go modulo c: we get
ax2 by 2

(mod c);

multiplying by b, which is coprime to c, we get the equivalent condition

abx2 (by)2

(mod c).

Suppose rst that there exists some prime p | c such that p | x. Then since
gcd(b, c) = 1, we get p | y, and that implies p2 | ax2 by 2 = cz 2 . Since c
is squarefree, this implies p | z, contradicting primitivity. Therefore x is nonzero
modulo every prime p dividing c, so x is a unit modulo c, and we can divide, getting
ab (byx1 )2

(mod c),

which is condition (i). By symmetry, reducing modulo a we get (ii) and reducing
modulo b we get (iii).
Following Ireland and Rosen, to prove the suciency we will state the theorem
in an equivalent form, as follows:
Theorem 215. (Legendres theorem restated) For a and b positive squarefree
integers, the equation
ax2 + by 2 = z 2
has a nontrivial integral solution i all of the following hold:
(i) a b.
(ii) b a.
(iii) dab2  d, where d = gcd(a, b).
We leave it as a (not dicult, but somewhat tedious) exercise to the reader to check
that Theorem 215 is equivalent to Theorem 214.
Now we prove the suciency of the conditions of Theorem 215.
The result is obvious if a = 1.
Case 1: a = b. The theorem asserts that ax2 + ay 2 = z 2 has a solution i 1
is a square modulo a. By the rst supplement to QR, this is last condition is equivalent to: no prime p 3 (mod 4) divides a. If this condition holds then by the two
squares theorem we have a = r2 +s2 , and then we can take x = r, y = s, z = r2 +s2 .
On the other hand, if there exists p | a, p 3 (mod 4), then taking ordp of both sides
of the equation z 2 = a(x2 + y 2 ) gives a contradiction, since ordp (z 2 ) = 2 ordp (z) is

2. LEGENDRES THEOREM

211

even, and ordp (a(x2 + y 2 )) = ordp (a) + ordp (x2 + y 2 ) = 1 + ordp (x2 + y 2 ) implies
ordp (x2 + y 2 ) is odd, contradicting the Two Squares Theeorem.
If b > a, we can interchange a and b, so we may now assume that a > b.
We will now prove the theorem by a descent-type argument, as follows: assuming
the hypotheses of Theorem 215 we will construct a new form Ax2 +by 2 = z 2 satisfying the same hypotheses, with 0 < A < a, and such that if this latter equation has a
nontrivial solution then so does ax2 + by 2 = z 2 . We perform this reduction process
repeatedly, interchanging A and b if A < b. Since each step reduces max(A, b),
eventually we will be in the case A = 1 or A = b, in which we have just shown
the equation has a solution. Reversing our sequence of reductions shows that the
original equation has a solution.
Now, since b a, there exist T and c such that
(53)

c2 b = aT,

for T Z. Applying the square/squarefree decomposition, we may write T = Am2

with A squarefree. Choosing c minimally, we may assume that |c| a2 .
Claim: 0 < A < a.
Proof: Since 0 c2 = aAm2 + b < a(Am2 + 1) and a > 0, Am2 > 1; since
b is squarefree, T = am2 = 0, hence Am2 1 and thus A > 0. Also
aAm2 < c2
so
A Am2 <

a2
,
4

a
< a.
4

Claim: A b.
Recalling d = gcd(a, b), write a = a1 d, b = b1 d, so that gcd(a1 , b1 ) = 1; since
a and b are squarefree, this implies gcd(a1 , d) = gcd(b1 , d) = 1. Then (53) reads
c2 b1 d = a1 dAm2 = aAm2 .
So d | c2 , and since d is squarefree, d | c. Put c = c1 d and cancel:
(54)

dc21 b1 = Aa1 m2 .

So Aa1 m2 b1 (mod d); multiplying through by a1 , we get

(55)

Aa21 m2 a1 b1

(mod d).

Now, any common prime factor p of m and d would divide both b1 and d, a contradiction; so gcd(m, d) = 1. Since ab
d2 = a1 b1 is a square modulo d by (iii)
and a1 and m are units modulo d, (55) implies that A d. Moreover, c2 aAm2
(mod b1 ). Since a b, a b1 . Also gcd(a, b1 ) = 1 a common divisor would divide
d, but gcd(b1 , d) = 1 and similarly gcd(m, b1 ) = 1. So
A c2 (am2 )1

(mod b1 ),

and hence A b1 . Since A b1 and A d, by Lemma 213 A b.

212

18. RATIONAL QUADRATIC FORMS AND THE LOCAL-GLOBAL PRINCIPLE

Next, put r = gcd(A, b) and A = rA1 , b = rb2 , so that gcd(A1 , b2 ) = gcd(r, b2 ) = 1.

We claim that A1 b2  r. Using (53) we have
(56)

c2 rb2 = c2 rb = aAm2 = arA1 m2 .

Since b is squarefree, so is r, hence r | c. So if a prime p divides both am and r,

then p2 | c2 aAm2 = rb2 = p2 | r, a contradiction. So gcd(am, r) = 1. Putting
c = rc1 ,
arA1 m2 rb2 (mod r2 ),
so
aA1 m2 b2 (mod r).
Since a b and r | b, a r. Multiplying through by b2 , we get
aA1 b2 m2 b22

(mod r),

and since gcd(am, r) = 1, we conclude A1 b2  r.

Now assume that AX 2 + bY 2 = Z 2 has a nontrivial solution. Then
(57)

AX 2 = Z 2 bY 2 .

Multiplying (57) by (53), we have

a(AXm)2 = (Z 2 bY 2 )(c2 b) = (Zc + bY )2 b(cY + Z)2 .
Note that this unlikely-looking identity can be interpreted as

N (Z + Y b)N (c + b) = N (Zc + bY + (cY + Z) b).

Putting x = AXm, y = cY +Z, z = Zc+bY , this gives a solution to ax2 +by 2 = z 2 ,
which is nontrivial since x = 0. Thus we have completed our descent argument,
which proves that the equation has a solution.
3. Hilberts Reciprocity Law
As we mentioned, Legendres theorem has the following consequence: a ternary
quadratic form
qa,b : aX 2 + bY 2 Z 2
has a nontrivial integral solution i there is a real solution and for every prime p
and every positive integer a the congruence
(58)

aX 2 + bY 2 Z 2

(mod pa )

has a nontrivial solution. As a increases, each of these congruences is stronger

than the last, so it makes some sense to bundle up the innitely many questions
of whether any of these p-power congruences has a solution into a single question.
Let us introduce the following terminology:
An integral quadratic form q(x1 , . . . , xn ) is p-isotropic if for all a Z+ , the congruence q(x1 , . . . , xn ) 0 (mod pa ) has a nontrivial solution. Otherwise we will say
that it is p-anisotropic. We will say that q is -isotropic if it has a real solution.1
Considering the case of qa,b , for each prime p and for we are asking a yes/no
1Dont ask why we have introduced the symbol to describe the real solutions. It is just
traditional to do so. Moreover, we will eventually get tired of saying (and ) and start writing
p . There is no need to read anything deep into this, at least not today.

3. HILBERTS RECIPROCITY LAW

213

question Is qa,b p-isotropic? so it makes some vague sense to denote yes by

+1 and no by 1, so we dene symbols a, bp for all primes p and a, b in
this way: i.e., +1 if qa,b is p-isotropic and 1 if it is p-anisotropic (and the same
for ). So Legendres theorem can be rephrased by saying that qa,b is istropic i
a, bp = 1 for all p .
But now that weve dened the notation, a further question occurs to us: if qa,b is
isotropic, the answers to our questions are always yes; but if it isnt, at least some
of the answers are no. So which combinations of yes and no are possible?
Theorem 216. (Hilbert) a) For every pair of nonzero integers a, b, the symbol
a, bp is equal to +1 except possibly for nitely many values of p .
b) Two integral ternary quadratic forms qa,b and qc,d are rationally equivalent
i.e., one can be obtained from the other by a 3 3 invertible matrix A with rational
entries i a, bp = c, dp for all p .
c) The nite set of p for which a, bp = 1 has an even number of elements.
d) For every subset S of the primes union which is nite and of even order,
there exist a and b such that a, bp = 1 i p S.
We admit that this is a mouthful. In particular parts b) and d) solve yet a third
problem on rational quadratic forms: their classication up to equivalence. We
advise the reader to concentrate on the following
consequence: for any qa,b , by

part a) we can consider the innite product p a, bp (since it equals 1 except

possible nitely many times), and by part c) we get the following relation, the
Hilbert reciprocity law:

(59)
a, bp = 1
p

This has the extremely useful upshot that instead of having to check congruences
modulo all powers of all primes and a sign condition, it suces to omit any one
p from these checks. In particular, we could omit p = from the checking
and get the following result which looks hard to believe based upon the proof we
gave: if ax2 + by 2 = z 2 has a solution modulo pa for all p and a, then it necessarily has an integral solution: in particular the condition that a and b are not
both positive follows automatically from all the congruence conditions, although it
is certainly independent of any nite number of them!
In fact, with a bit of hindsight one can see that the condition of whether or not
there is going to be a solution modulo all powers of 2 is the most complicated one.
This is taken into account in the statement of Legendres theorem: the congruence
conditions on their own would not imply that a, b2 = +1 without the sign conditions (conditions at ), so somehow Legendres clean conditions exploit this
slight redundancy. To see this, consider the case of a = b = 1, which has solutions
modulo every power of an odd prime, but no nontrivial solutions modulo 4 (and
also no real solutions).
Hilbert also found explicit formulae for a, bp in terms of Legendre symbols. For
the sake of concision we do not state it here. However, we cannot help but mentioning that if one knows these formulae (which are not so hard to prove), then
the relation (59) is equivalent to knowing quadratic reciprocity together with its
rst and second supplements! It turns out that all aspects of the theory rational

214

18. RATIONAL QUADRATIC FORMS AND THE LOCAL-GLOBAL PRINCIPLE

quadratic forms can be generalized to the case where the coecients lie not in
Q but in an arbitrary algebraic number eld K. In particular, a suitable version
of Hilberts reciprocity law holds over K, and this is a very clean way to phrase
quadratic reciprocity over number elds.
4. The Local-Global Principle
We are now in a position to state what is surely one of the most important and
inuential results in all of number theory.
Theorem 217. (Hasse-Minkowski) Let q(x1 , . . . , xn ) be an integral quadratic
form. The following are equivalent:
a) q is isotropic (over Z over Q).
b) q is isotropic over R, and for all n Z+ , there are nontrivial solutions to the
congruence q(x1 , . . . , xn ) 0 (mod n).
It is clear that a) = b). Indeed, in contrapositive form, this has been our favorite easy method for showing that an equation does not have a solution: any
integral solution also gives a real solution and a solution to every possible congruence. The matter of it is in the converse, which asserts that if a quadratic form
q(x1 , . . . , xn ) = 0 does not have an integral solution, we can always detect it via
congruences and/or over the real numbers.
This turns out to be the master theorem in the area of rational quadratic forms. It
is not (yet) stated in a form as explicit as Legendres theorem for ternary quadratic
forms which, recall, did not just assert that isotropy modulo n for all n implied
isotropy over Z (or equivalently, over Q) but actually said explicitly, in terms of
the coecients, a nite list of congruence conditions to check. Indeed one knows
such explicit conditions in all cases, and we will return to mention them in the next
section, but for now let us take a broader approach.
First, even in its qualitative form the theorem gives an algorithm for determining
whether any quadratic form is isotropic. Namely, we just have to search in parallel
for one of the two things:
(i) Integers x1 , . . . , xn , not all 0, such that q(x1 , . . . , xn ) = 0.
(ii) An integer N such that the congruence q(x1 , . . . , xn ) 0 (mod N ) has only
the all-zero solution.
For any given N , (ii) is a nite problem: we have exactly N n 1 values to plug
in and see whether we get 0. Similarly, if we wanted to check all tuples of integers
(x1 , . . . , xn ) with maxi |xi | M , then that too is obviously a nite problem. Conceivably we could search forever and never nd either a value of M as in (i) or a
value of N as in (ii) for sure we will never nd both! but the Hasse-Minkowksi
theorem asserts that if we search long enough we will nd either one or the other.
This then is our algorithm!
In point of fact the situation is better for part (ii): it can be shown that for any
degree k form P (x1 , . . . , xn ) with integer coecients, there is a recipe (algorithm!)
for computing a single value of N such that if P (x1 , . . . , xn ) 0 (mod N ) has a

4. THE LOCAL-GLOBAL PRINCIPLE

215

nontrivial solution, then for all N the congruence has a solution. Moreover, one
can determine whether or not there are any real solutions (using methods from
calculus). For this the two essential tools are:
(i) The Weil bounds for points on curves over Z/pZ, which allows one to compute a nite set of primes S such that for all p > S the congruence P 0 (mod p)
automatically has nontrivial solutions (in fact, a number of solutions which tends
to with p).
This is a serious piece of mathematics dating from around the 1940s.
(ii) Hensels Lemma, which gives sucient conditions for lifting a solution (x1 , . . . , xn )
to P 0 (mod p) to solutions modulo all higher powers pa of p.
This turns out to be surprisingly similar to Newtons method for nding roots
of equations, and the proof is relatively elementary.
Alas, we do not have time to say more about either one.
So in nite time we can determine whether or not there is any value of N for
which P (x1 , . . . , xn ) 0 has only the trivial solution, and we can also tell whether
there are real solutions. Of course, if P = 0 fails to have congruential solutions
and/or real solutions, then we know it cannot have nontrivial integral (equivalently, rational) solutions. But suppose we nd that our form P passes all these
tests? Can we then assert that it has a nontrivial integral solution?
As we have just seen (or heard), the answer is a resounding yes when P is a
quadratic form. In general, whenever the answer to this question is yes, one
says that the local-global principle, or Hasse principle, holds for P . Of course
the big question is: does the Hasse principle hold for all forms of higher degree?
One can also ask whether the Hasse principle holds for not-necessarily homogeneous polynomials, like x2 + y 3 + z 7 = 13. The following remarkable result shows
that it could not possibly hold for all polynomials in several variables over the
integers.
Theorem 218. (Davis-Matijasevic-Putnam-Robinson) There is no algorithm
that will accept as input a polynomial P (x1 , . . . , xn ) with integral coecients and
output 1 if P (x1 , . . . , xn ) = 0 has an integral solution, and 0 otherwise.
Since we just said that there is an algorithm which determines if a polynomial (not
necessarily homogeneous, in fact) has congruential solutions and real solutions,
there must therefore be some polynomials which pass these tests and yet still have
no solutions.
Remark: It is unknown whether there exists an algorithm to decide if a polynomial with rational coecients has a rational solution.
One might think that such counterexamples to the Hasse principle might be in
some sense nonconstructive, but this is not at all the case:

216

18. RATIONAL QUADRATIC FORMS AND THE LOCAL-GLOBAL PRINCIPLE

Theorem 219. The following equations have congruential solutions and real
solutions, but no nontrivial integral solutions:
a) (Selmer) 3X 3 + 4Y 3 + 5Z 3 = 0;
b) (Bremner) 5w3 + 9x3 + 10y 3 + 12z 3 = 0.
These are just especially nice examples. It is known (if not well-known) that for
every k > 2 there is a form P (x, y, z) = 0 of degree k which violates the local-global
principle. In fact some of my own work has been devoted to constructing large (in
particular, innite) sets of counterexamples to the local-global principle.
There are however some further positive results, the most famous and important
being the following:
Theorem 220. (Birch) Let k be a positive integer. Then there exists an n0 (k)
with the following property:
a) If k is odd, then every degree k form P (x1 , . . . , xn ) = 0 in n n0 variables has
a nontrivial integral solution.
b) If k is odd and P (x1 , . . . , xn ) is a degree k form in n n0 variables with lowdimensional singularities, then P has a nontrivial integral solution i it has a
nontrivial real solution.
Remark: The condition of low-dimensional singularities is a bit technical. Let us
rather dene what it means for an equation to have no singularities at all, which
is a special case. A nontrivial complex solution (x1 , . . . , xn ) to P (x1 , . . . , xn ) at
P
which all the partial derivatives x
vanish is called a singular point. (Perhaps
i
you remember from multivariable calculus these are the points at which a curve or
surface can be not so nice: i.e., have self-intersections, cusps, or other pathologies.) P is said to be nonsingular if there are no singular points. In particular,
one immediately checks that a diagonal form P (x1 , . . . , xn ) = a1 xk1 + . . . + ak xkn
is nonsingular, so Birchs theorem applies to diagonal forms, and in particular to
quadratic forms. (As far as I know it is an open problem whether the theorem
holds for forms of even degree without any additional hypotheses.)
Thus morally, if only there are enough variables compared to the degree, then
all congruence conditions are automatically satised and moreover th. However, in
the proof n0 does indeed have to be very large compared to k, and it is quite an
active branch of analytic number theory to improve upon these bounds.
Another idea, which we shall be able to express only vaguely and see an example of in the case of the inhomogeneous problem for integral quadratic forms, is
that if one asks as a yes/no question whether or not the existence of congruential
solutions and real solutions is enough to ensure the existence of integral solutions,
then one has to take rather drastic measures e.g., enormously many variables
compared to the degree, as above to ensure that the answer is yes rather than
no most of the time. However, if one can somehow quantify the failure of a
local-global phenomenon, then one can hope that in any given situation it fails
only to a nite extent.

5. LOCAL CONDITIONS FOR ISOTROPY OF QUADRATIC FORMS

217

5. Local Conditions for Isotropy of Quadratic Forms

(ii) Although the result is not phrased in explicit form, part of the point is
that one can easily determine whether the condition of part b) holds. For instance,
there will be real solutions unless, when the quadratic form is diagonalized (over
Q), all of the diagonal entries have the same sign. It is less obvious but still true
that given any equation P (x1 , . . . , xn ), there is an algorithm to check in a nite
amount of time whether for all N , P (x1 , . . . , xn ) 0 (mod N ) has nontrivial solutions. Explicit conditions will be given in the case of ternary quadratic forms
(n = 3), coming up soon. Such conditions are known for all n (for n = 2, they are
the restrictions coming from quadratic reciprocity that we have already seen).
(iii) In fact as the number of variables increases it becomes much easier to satisfy
the congruence conditions, until we get to n = 5: every quadratic form q(x1 , . . . , xn )
in 5 or more variables has nontrivial solutions modulo every integer N ! This has a
remarkable corollary:
Theorem 221.
a) Let q(x1 , . . . , xn ) be an integral quadratic form in at least 5 variables. Then
q(x) = 0 has a nontrivial integral solution i it has a nontrivial real solution, i.e.,
unless q is positive or negative denite.
b) Let q be a quadratic form in at least 4 variables which is not negative (resp.
positive) denite i.e., over R it takes on some positive (resp. negative) values.
Then q rationally represents all positive (resp. negative) rational numbers.
Proof. Part a) follows immediately from the Hasse-Minkowksi theorem and
the assertion that there are no congruential obstructions to a quadratic form in
at least 5 variables being isotropic. Part b) follows morally by applying Theorem
212, although to see it one needs to know that there is a eld Qp of characteristic
0 with the property that q is isotropic over Qp i q is isotropic modulo pa for all
a.

We deduce in particular that every positive rational number is a sum of four rational
squares. This is of course weaker than Lagranges Theorem, and it must be, because
the theorem also applies e.g. to 2x21 + 3x22 + 4x23 + 5x24 , which visibly does not
represent 1 over Z.

CHAPTER 19

Representations of Integers by Quadratic Forms

As we have seen, if
P (x1 , . . . , xn ) = d
is an inhomogeneous polynomial equation (i.e., d = 0), then the determination of
whether it has an integer solution is considerably more subtle than whether it has
a rational solution. Perhaps the best single example of this is the proven nonexistence of an algorithm to determine whether a polynomial equation has an integral
solution. In contrast, the question of whether a homogeneous polynomial equation
must have a nontrivial solution is equivalent to the issue of whether polynomial
equations must have rational solutions, and this is a wide open problem (although
some experts think that it too will turn out to be algorithmically undecidable).
We have just surveyed the complete theory of homogeneous quadratic equations
in any number of variables. One of the great miracles of the quadratic case is that,
over Q, the inhomogeneous problem reduces to the homogeneous problem, so that
given a quadratic form q(x1 , . . . , xn ), we now know how to determine the set of all
integers (or even rational numbers) d such that
q(x1 , . . . , xn ) = d
has a rational solution. Two of the more striking consequences we derived from
this Hasse-Minkowski theory were the following:
Fact 1: A quaternary quadratic form q = ax21 + bx22 + cx23 + dx24 rationally represents all integers allowed by sign considerations:
(i) if a, b, c, d are all positive, q represents all d Q>0 ;
(ii) if a, b, c, d are all negative, q represents all d Q<0 ;
(iii) otherwise q represents all d Q .
Fact 2: The three squares form x2 + y 2 + z 2 rationally represents an integer d
i d > 0 and d = 4a (8k + 7).
These are strongly reminiscent of two results we stated but not did prove for integral quadratic forms, namely that x21 + x22 + x23 + x24 integrally represents all positive
integers and x21 + x22 + x23 + x24 integrally represents all positive integers except precisely those of the form 4a (8k + 7).
It seems clear that we cannot hope to recover general integral representability results from the Hasse-Minkowski theory. For instance, Fact 1 does not distinguish
between the Four Squares form and a form in which a, b, c, d are all at least 2: such
a form clearly cannot represent 1 integrally! Morally speaking, local conditions
219

220

19. REPRESENTATIONS OF INTEGERS BY QUADRATIC FORMS

of congruence and sign do not take into account the size of the coecients of the
quadratic form, whereas one clearly wants some or all of the coecients to be small
in order for a positive denite quadratic form to have a ghting chance at representing small positive integers.
So what to do?
Let us describe some of the ways that various mathematicians have reacted to
this question over the years.
1. The Davenport-Cassels Lemma
Here is a beautiful observation which allows us to solve the representation problem
for x2 + y 2 + z 2 :
n
Lemma 222. (Davenport-Cassels) Let q(x) = f (x1 , . . . , xn ) = i,j=1 aij xi xj
be a quadratic form with aij = aji Z. We suppose condition (DC): that for any
y = (y1 , . . . , yn ) Qn \ Zn , there exists x = (x1 , . . . , xn ) Zn such that
0 < |q(x y)| < 1.
Then, for any integer d, q represents d rationally i q represents d integrally.
Proof. For x, y Qn , put xy := 12 (q(x+y)q(x)q(x)). Then (x, y) 7 xy
is bilinear and x x = q(x). Note that for x, y Zn , we need not have x y Z,
but certainly we have 2(x y) Z. Our computations below are parenthesized so
as to emphasize this integrality property.
Let d Z, and suppose that there exists x Qn such that q(x) = d. Equivalently,
there exists t Z and x Zn such that t2 d = x x . We choose x and t such that
|t| is minimal, and it is enough to show that |t| = 1.

Applying the hypothesis (DC) x = xd , there exists a y Zn such that if

z = x y we have
0 < |q(z)| < 1.
Now put
a = y y d,
b = 2(dt x y),
T = at + b,
X = ax + by.
Then a, b, T Z, and X Zn .
Claim: X X = T 2 d.
Indeed,
X X = a2 (x x ) + ab(2x y) = b2 (y y) = a2 t2 d + ab(2dt b) + b2 (d + a)
= d(a2 t2 + 2abt + b2 ) = T 2 d.
Claim: T = t(z z).
Indeed,
tT = at2 + bt = t2 (y y) dt2 + 2dt2 t(2x y)
= t2 (y y) t(2x y) + x x = (ty x ) (ty x ) = (tz) (tz) = t2 (z z).
Since 0 < |z z| < 1, we have 0 < |T | < |t|, contradicting the minimality of |t|. 

1. THE DAVENPORT-CASSELS LEMMA

221

Remark 1: Suppose that the quadratic form q is anisotropic. Then condition (DC)
is equivalent to the following more easily veried one: for all x Qn , there exists
y Zn such that |q(x y)| < 1. Indeed, since x Zn and y Zn , x y Zn . In
particular x y = (0, . . . , 0), so since q is anistropic, necessarily |q(x y)| > 0.
Remark 2: Lemma 222 has a curious history. So far as I know there is no paper of Davenport and Cassels (two eminent 20th century number theorists) which
contains it: it is more folkloric. The attribution of this result seems to be due to
J.-P. Serre in his inuential text [Se73]. Later, Andre Weil pointed out [W] that
in the special case of f (x) = x21 + x22 + x23 , the result goes back to a 1912 paper of
the amateur mathematician L. Aubry [Au12].
There is also more than the usual amount of variation in the hypotheses of this
result. Serres text makes the additional hypothesis that f is positive denite
i.e., x = 0 = f (x) > 0. Many of the authors of more recent number theory
texts that include this result follow Serre and include the hypothesis of positive
deniteness. Indeed, when I rst wrote these notes in 2006, I did so myself (and included a place-holder remark that I belived that this hypothesis was superuous).1
To get from Serres proof to ours requires only (i) inserting absolute values where
appropriate, and (ii) noting that whenever we need x y to be integral, we have
an extra factor of 2 in the expression to make it so. The result is also stated and
proved (in a mildly dierent way) in Weils text.
Remark 3: In the isotropic case, the stronger hypothesis 0 < |q(x y)| < 1 is
truly necessary. Consider for instance q(x, y) = x2 y 2 : we ask the reader to show
that 2 is represented rationally but not integrally.
One might call a quadratic form Euclidean if it satises (DC). For example, the
quadratic form q(x, y) = x2 dy 2 is Euclidean i given rational numbers rx , ry , we
can nd integers nx , ny such that
(60)

|(rx nx )2 d(ry ny )2 | < 1

Since we know that we can nd an integer within 12 of any rational number (and
that this estimate is best possible!), the quantity in question is at most ( 21 )2 +|d|( 12 )
if d < 0 and at most d4 when d > 0. So the values of d for which (60) holds are precisely d = 1, 2, 2, 3. This should
be a familiar list: these are
precisely the values
of d for which you proved that Z[ d] is a PID. Whenever Z[ d] is a PID, one can
use Euclids Lemma to solve the problem of which primes (and in fact which integers, with more care) are integrally represented by x2 dy 2 . The Davenport-Cassels
Lemma allows for a slightly dierent approach: for these values of d, x2 dy 2 = N
has an integral solution i it has a rational solution i x2 dy 2 N z 2 = 0 is
isotropic, which we can answer using Legendres Theorem.
Also x2 + y 2 + z 2 satises the hypotheses of the Davenport-Cassels lemma: given
rational numbers x, y, z, nd integers n1 , n2 , n3 at most 21 a unit away, and then
(x n1 )2 + (x n2 )2 + (x n3 )2

1 1 1
+ + < 1.
4 4 4

1A notable exception is Lams 2005 text on quadratic forms, which states the result for
anisotropic forms, simplied as in Remark 1.

222

19. REPRESENTATIONS OF INTEGERS BY QUADRATIC FORMS

2. The Three Squares Theorem

Our goal in this section is to prove the following celebrated result.
Theorem 223. (Legendre-Gauss) For n Z+ , the following are equivalent:
(i) n is not of the form 4a (8k + 7) for any a N and k Z.
(ii) n is a sum of three integer squares: there are x, y, z Z with x2 + y 2 + z 2 = n.
2.1. Proof of the Three Squares Theorem.
The strategy of proof is as follows: the quadratic form q(x, y, z) = x2 +y 2 +z 2 satises the hypotheses of the Davenport-Cassels Lemma (Lemma 222) of the previous
section. Therefore, to show that an integer n is a sum of three integer squares
it suces to show the a priori much weaker assertion that it is a sum of three
rational squares. It is traditional to establish the latter assertion using the HasseMinkowski theory of quadratic forms over Q in terms of quadratic forms over the
p-adic numbers. But since in these notes we have not even ocially introduced the
p-adic numbers, we need to do something more elementary. Instead we follow the
second half of a short and clever argument of J. Wojcik [W
o72], which succeeds in
replacing the Hasse-Minkowski Theory with an appeal to (i) Fermats Two Squares
Theorem, (ii) Legendres Theorem on homogeneous ternary quadratic equations
and (iii) Dirichlets Theorem on Primes in Arithmetic Progressions.2
Let us rst dispose of the (easy!) direction (i) = (ii) of Theorem 223.
Lemma 224. Let n be an integer of the form 4a (8k + 7) for some a N, k Z.
Then n is not the sum of three rational squares.
Proof. Step 0: Suppose on the contrary that 4a (8k + 7) is a sum of three
rational squares. We may take our rational numbers to have a common deminator
d > 0 and thus
( x )2 ( y )2 ( z )2
+
+
= 4a (8k + 7).
d
d
d
Clearing denominators, we get
x2 + y 2 + z 2 = d2 4a (8k + 7).
Write d = 2b d with d odd. Since 12 , 32 , 52 , 72 1 (mod 8), we nd that d2 1
(mod 8) and thus
d2 4a (8k + 7) = (2b )2 (d2 )4a (8k + 7) = 4a+b (8k + 7).
In other words, to show that no integer of the form 4a (8k + 7) is a sum of 3 rational
squares, it suces to show that no integer of the form 4a (8k + 7) is a sum of three
integral squares. So let us now show this.
Step 1: We observe that x2 + y 2 + z 2 7 (mod 8) has no solutions. Indeed, since
the squares mod 8 are 0, 1, 4, this is a quick mental calculation. (In particular this
disposes of the a = 0 case.)
Step 2: we observe that if n 0, 4 (mod 8) then the congruence
x2 + y 2 + z 2 n (mod 8)
2That we have given complete proofs of all of these theorems previously is a happy coincidence: I did not learn about W
ojciks argument until 2011, more than four years after these notes
were rst written.

2. THE THREE SQUARES THEOREM

223

has no primitive solutions, i.e., no solutions in which at least one of x, y, z is odd.

Indeed, since the squares mod 8 are 0, 1, 4, so in particular the only odd square is 1.
Since 4 and 0 are both even, if x, y, z are not all even, then exactly one two of them
must be odd, say x and y, so x2 y 2 1 (mod 8) and thus z 2 4 2 (mod 8) or
z 2 8 2 (mod 8), and neither 2 nor 6 is a square modulo 8.
Step 3: Now suppose that there are integers x, y, z such that x2 +y 2 +z 2 = 4a (8k+7).
If a = 0 then by Step 1 reducing modulo 8 gives a contradiction. If a = 1, then
4a (8k + 7) 4 (mod 8), so by Step 2 any representation x2 + y 2 + z 2 = 4(8k + 7)
must have x, y, z all even, and then dividing by 4 gives ( x2 )2 +( y2 )2 +( z2 )2 = (8k +7),
a contradiction. If a 2, then 4a (8k + 7) 0 (mod 8), and again by Step 2 in
any representation x2 + y 2 + z 2 = 4a (8k + 7) we must have x, y, z all even. Thus
writing x = 2X, y = 2Y , z = 2Z we get an integer representation X 2 + Y 2 + Z 2 =
4a1 (8k +7). We may continue in this way until we get a representation of 4(8k +7)
as a sum of three integral squares, which we have just seen is impossible.

Lemma 225. Suppose that every squarefree positive integer n 7 (mod 8) is a
sum of three integral squares. Then every positive integer n = 4a (8k + 7) is a sum
of three integral squares.
Proof. Let n be a positive integer which is not of the form 4a (8k + 7). As for
any positive integer, we may write n as n = 2a n21 n2 , where a 0, n1 is odd and n2
is odd and squarefree.
Case 1: 0 a 1, n2 7 (mod 8). Then 2a n2 is squarefree and not 7 (mod 8),
so by assumption there exist x, y, z Z such that x2 + y 2 + z 2 = 2a n2 , and thus
(n1 x)2 + (n1 y)2 + (n1 z)2 = 2a n21 n2 = n.
Case 2: n2 7 (mod 8). In such a case n is of the form (2b )2 times an integer n of
the type considered in Case 1. Since such an integer n is a sum of three integreal
squares, so is any square times n.
Case 3: n2 7 (mod 8). For n not to be of the form 4a (8k + 7), the power of a
must be odd; in other words, we may write n as a square times 2n2 where n2 is
squarefree and of the form 8k+ 7. Thus 2n2 is squarefree and not of the form 8k + 7,
so by assumption 2n2 is a sum of three squares, hence so is n.

Lemma 226. Let m Z+ , n 3 (mod 8), and write m = p1 pr . Then the
number of i such that pi 3, 5 (mod 8) is even.
( )
Exercise: Prove Lemma 226. (Suggestion: use the Jacobi symbol 2
m .)
Since x2 + y 2 + z 2 rationally represents an integer n i it integrally represents
an integer n, the following result completes the proof of Theorem 223.
Proposition 227. Let n be a squarefree integer, n 7 (mod 8). Then n is a
sum of three rational squares.
Proof. To x ideas we will rst give the argument under certain additional
congruence conditions and then explain how to modify it to deal with the other
cases. Filling in the details for these latters cases would be a good exercise for the
interested reader.
Case 1: Let us suppose that m = p1 pr is squarefree and m 1 (mod 4). Thus
each pi is odd and the number of pi 3 (mod 4) is even. By Dirichlets Theorem
on Primes in Arithmetic Progressions, there is a prime number q such that

224

19. REPRESENTATIONS OF INTEGERS BY QUADRATIC FORMS

( ) ( )
for all 1 i pi and
pqi = 1
pi
q 1 (mod 4).
(Indeed, each of the rst conditions restricts q to a nonempty set of congruence
classes modulo the distinct odd primes pi , whereas the last condition is a condition
modulo a power of 2. By the Chinese Remainder Theorem this amounts to a set of
congruence conditions modulo 4p1 pr and all of the resulting congruence classes
are relatively prime to 4p1 pr , so Dirichlets Theorem applies.)
It follows that for all 1 i r,
(
) (
)( )
q
1
q
=
= 1,
pi
pi
pi
and

m
q

(
=

p1
q

pr
q

(
=

q
p1

q
pr

(
=

1
p1

1
pr

)
= 1.

The last equality holds because the number of factors of 1 is the number of primes
pi 3 (mod 4), which as observed above is an even number.
since q is a square modulo each of the distinct primes pi , by the Chinese Remainder Theorem it is also a square modulo m = p1 pr . Therefore by the Chinese
Remainder Theorem there is an integer x such that
x2 q

(mod m)

x2 m (mod q).
But according to Legendres Theorem, these are precisely the congruence conditions
necessary and sucient for the homogeneous equation
qu2 + z 2 mt2 = 0
to have a solution in integers (u, z, t), not all zero. Indeed, we must have t = 0,
for otherwise qu2 + z 2 = 0 = u = z = 0. Moreover, since q 1 (mod 4),
by Fermats Two Squares Theorem there are x, y Z such that qu2 = x2 + y 2 .
Therefore
mt2 z 2 = qu2 = x2 + y 2 ,
so
m=

( x )2

( y )2

( z )2

t
t
t
and m is a sum of three rational squares, completing the proof in this case.
Case 2: Suppose m = 2m1 = 2p1 pr with m1 = p1 pr squarefree and odd. In
this case we may proceed exactly as above, except that we require q 1 (mod 8).
Case 3: Suppose m = p1 pr is squarefree and m 3 (mod 8). By Lemma 226,
the number of prime divisors pi of m which are either 5 or 7 modulo 8 is even. By
Dirichlets
there exists a prime q such that
)
( ) (Theorem
q
2
pi = pi for all 1 i pi and
q 5 (mod 8).
It follows that for all 1 i r,
(
) (
)( )
2q
2
q
=
= 1,
pi
pi
pi

2. THE THREE SQUARES THEOREM

and

m
q

(
=

p1
q

pr
q

(
=

q
p1

q
pr

(
=

2
p1

225

2
pr

)
= 1.

The last equality holds because the number of factors of 1 is the number of primes
pi 5, 7 (mod 8), which as observed above is an even number.
Therefore there is an integer x such that
x2 2q

(mod m)

x m (mod q),
so by Legendres Theorem the equation
2

2qu2 + z 2 mt2 = 0
has a solution in integers (u, z, t) with t = 0. Since q 1 (mod 4), there are
x, y Z such that 2qu2 = x2 + y 2 , so
mt2 z 2 = 2qu2 = x2 + y 2 ,
and thus once again
m=

( x )2
t

( y )2
t

( z )2
t

.


2.2. Some applications of the Three Squares Theorem.

Knowing exactly which integers are represented by x2 + y 2 + z 2 turns out to be
a powerful weapon for analyzing representation of integers by certain quaternary
quadratic forms.
Proposition 228. The three squares theorem implies the four squares theorem.
Proof. In order to show the Four Squares Theorem it suces to show that
every squarefree positive integer m is a sum of four integer squares. By the Three
Squares Theorem, m is even a sum of three integer squares unless m = 8k + 7. But
if m = 8k + 7, then m 1 = 8k + 6. Now ord2 (8k + 6) = 1, so 8k + 6 is not of the
form 4a (8k + 7), hence 8k + 6 = x2 + y 2 + z 2 and m = 8k + 7 = x2 + y 2 + z 2 + 12 . 
More generally:
Theorem 229. For any 1 d 7, the quadratic form q = x2 + y 2 + z 2 + dw2
integrally represents all positive integers.
Proof. As above it is enough to show that q represents all squarefree positive
integers. Moreover, if m = 8k + 7 is a squarefree positive integer then m is represented already by x2 +y 2 +z 2 so certainly by q. It remains to dispose of m = 8k +7.
Case 1: Suppose d = 1, 2, 4, 6. Then m d 12 = m d is:
m 1 = 8k + 6, if d = 1. This is a sum of 3 squares.
m 2 = 8k + 5, if d = 2. This is a sum of 3 squares.
m 4 = 8k + 3, if d = 3. This is a sum of 3 squares.
m 5 = 8k + 2, if d = 5. This is a sum of 3 squares.
m 6 = 8k + 1, if d = 6. This is a sum of 3 squares.
Case 2: If d = 3, then
m d 22 = m 12 = 8k 5 = 8(k 1) + 3.

226

19. REPRESENTATIONS OF INTEGERS BY QUADRATIC FORMS

Thus, so long as m 12 is positive, it is a sum of three squares. We need to check

separately that positive integers less than 12 are still represented by q, but this is
easy: the only one which is not already a sum of 3 squares is 7 = 22 + 02 + 02 + 3 12 .
Case 3: If d = 7, then
m d 22 = m 28 = 8(k 3) + 5.
Thus, so long as m 28 is positive, it is a sum of three squares. Again we must
separately check that positive integers less than 28 are represented by q, and again
this comes down to checking 7: 7 = 02 + 02 + 02 + 7 12 .

If we are looking for quaternary quadratic forms q = x2 + y 2 + z 2 + dw2 which
represent all positive integers, then we have just found all of them: if d > 7, then
such a q cannot integrally represent 7. Nevertheless we can still use the GaussLegendre Theorem to analyze these forms. For instance.
Proposition 230. For a positive integer n, TFAE:
(i) There are integers x, y, z, w such that n = x2 + y 2 + z 2 + 8w2 .
(ii) n 7 (mod 8).
Proof. (i) = (ii): For any integers x, y, z, w, reducing n = x2 +y 2 +z 2 +8w2
modulo 8 gives n x2 + y 2 + z 2 (mod 8), and we already know that this has no
solutions when n 7 (mod 8).
(ii) = (i): Write n = 2a m with m odd. If m is not of the form 8k + 7 then
both m and 2m are sums of three integer squares, and since n is an even power
of 2 times either m or 2m, n must be a sum of three intege squares. So we are
reduced to the case n = 2a (8k + 7) with a 1. If a = 1 then ord2 (n) = 1 and
again n is a sum of three integer squares. Suppose a = 2, so n = 32k + 28 and
thus n 8 12 = 32k + 20 = 4(8k + 5) is of the form x2 + y 2 + z 2 and thus
n = x2 + y 2 + z 2 + 8w2 . If a 3 is odd, then n is a sum of three squares. If a 4
a2
is even, then n = (2 2 )2 (4 (8k + 7)) is a square times an integer represented by
q, so n is also represented by q.

Exercise: Prove or disprove the following claims:
a) If d is a positive integer which is not divisible by 8, then the quadratic form
x2 + y 2 + z 2 + dw2 integrally represents all suciently large positive integers.
v) If d = 8d is a positive integer, then the quadratic form x2 + y 2 + z 2 + dw2
integrally represents all suciently large positive integers which are not 7 (mod 8).
3. Approximate Local-Global Principle
From now on we restrict to the case of positive-denite integral quadratic forms
q(x1 , . . . , xn ). For such a form, the equation
q(x1 , . . . , xn ) = N
can have at most nitely many integral solutions. Indeed, if we dene rq (N ) to be
the number of solutions, then the summatory function
Rq (N ) =

i=1

rq (i)

3. APPROXIMATE LOCAL-GLOBAL PRINCIPLE

227

is counting lattice points lying on or inside the ellipsoid q(x1 , . . . , xn ) = N in ndimensional Euclidean space. Recalling our previous study of this sort of problem,
we know that there exists a constant V such that
Rq (N ) V N n/2 ,
so that the average value of rq (N ) is asymptotically N 2 1 .
n

To say that q(x1 , . . . , xn ) = N has an integral solution is to say that rq (N ) > 0.

It turns out to be a good strategy to exchange our problem for a seemingly harder
problem: what can one say about the order of magnitude of rq (N )?
One has the following theorem, thanks to the combined work of many leading
mathematicians over a period of about 50 years:
Theorem 231. (Hecke, Eichler, Tartakowsky, Kloosterman, Deligne, . . .) Suppose q(x1 , . . . , xn ) is positive denite and n 4. There exists a decomposition
rq (N ) = rE (N ) + rC (N )
with the following properties:
a) rE (N ) > 0 i the equation q(x1 , . . . , xn ) = N has solutions everywhere locally.
b) There exist eectively computable positive constants C1 , C2 (depending on q)
such that:
rE (N ) > 0 = rE (N ) C1 N n/21 .
|rC (N )| C2 d(N )N 4 2 .
n

Here d(N ) is the divisor function, which recall, grows slower than any positive
power of N . One can interpret this result as saying that a local-global principle for
rq (N ) holds asymptotically, with almost square root error!
The proof of this theorem requires lots of techniques from 20th century number
theory, and in particular the introduction of objects which are a lot less elementary
and quaint than quadratic polynomials with integer coecients. Notably the proof
rst associates to a quadratic form a modular form a certain especially nice
kind of function of a complex variable and the result follows from a bound on
the coecients of a power series expansion of this function. In particular, one uses
results on the number of solutions to much more general systems of equations over
nite elds established by fundamental work of Pierre Deligne in the 1970s (work
that justly landed him the Fields Medal).
Corollary 232. Let q be a positive-denite quadratic form in n 4 variables.
Then there exists N0 such that if N N0 , q(x1 , . . . , xn ) = N satises the localglobal principle (has integral solutions i it has congruential solutions).
Again, the theory of congruential solutions is suciently well-developed so as to
enable one to determine (with some work, to be sure) precise conditions on N such
that solutions exist everywhere locally. Therefore the corollary gives a method
for solving the representation problem for integral quadratic forms in at least four
variables: (i) explicitly compute the value of N0 in the Corollary; (ii) explicitly
compute the local conditions for solvability; (iii) check each of the nitely many
values of N , 1 N N0 to see whether q(x1 , . . . , xn ) = N has a solution.

228

19. REPRESENTATIONS OF INTEGERS BY QUADRATIC FORMS

Thus the representation problem is reduced to a nite calculation. Of course not

all nite problems can be solved in a reasonable (or even unreasonable) amount of
time in practice, so quite a lot of technique and ingenuity is necessary to apply this
method. Here is a success story:
Theorem 233. (Hanke [Han04]) The quadratic form x3 + 3y 2 + 5z 2 + 7w2
integrally represents all positive integers except 2 and 22.
This result had been conjectured by M. Kneser in 1961.
Note that in Theorem 231 the number of variables has to be at least 4. When
n = 2 or 3, the above corollary is false: we already mentioned this in the case of 2
variables, which is in some sense the hardest but also the best understood in terms
of pure algebraic number theory. The case of ternary quadratic forms brings several
new features and remains fascinatingly open. If you want to hear more, you will
have to wait until 2008 and ask Prof. Hanke about it.
4. The 15 and 290 Theorems
The constants in Theorem 231 most denitely depend on the quadratic form q in
question. A greater challenge is to prove results about integral representability
that are in some sense independent of the particular quadratic form. For instance,
a positive-denite quadratic form is said to be universal if it integrally represents
every positive integer. (So the four squares form is universal.) The preceding section asserts the existence of a complicated procedure that can determine whether a
given form is universal. Is there some easy way to determine whether a quadratic
form is universal?
Yes. In the early 1990s, Conway and Schneeburger proved the following result.
Theorem 234. (15 Theorem [Con00]) A positive denite quadratic form with
integral dening matrix integrally represents every positive integer i it integrally
represents the integers 1 through 15.
Example: We will determine all positive integers d for which the form
x2 + y 2 + z 2 + dw2
is universal. We know that by taking w = 0 we can get every positive integer except
those of the form 4a (8k + 7); but since we need only go up to 15 it suces to check
whether we can represent 7. Lets check:
d = 1:
d = 2:
d = 3:
d = 4:
d = 5:
d = 6:
d = 7:

12 + 12 + 12 + 1 22
22 + 12 + 02 + 2 12
22 + 12 + 12 + 3 12
12 + 12 + 12 + 4 12
12 + 12 + 02 + 5 12
12 + 02 + 02 + 6 12
02 + 02 + 02 + 7 12

= 7.
= 7.
= 7.
= 7.
= 7.
= 7.
= 7.

We cannot represent 7 if d 8: taking w = 0 would make the form too large.

4. THE 15 AND 290 THEOREMS

229

In fact, let us consider the problem of which quadratic forms

q(x1 , x2 , x3 , x4 ) = ax21 + bx22 + cx23 + dx24
with a b c d represent all positive integers. A case-by-case analysis shows
that in order for the integers 1, 2, 3 and 5 to all be represented, we need (a, b, c)
to be one of: (1, 1, 1), (1, 1, 2), (1, 1, 3), (1, 2, 2), (1, 2, 3), (1, 2, 4), (1, 2, 5). As it
happens, no ternary quadratic form can represent all positive integers. In the cases
at hand, the smallest exceptions are (as you can readily check):
x2 + y 2 + z 2 does not represent 7.
x2 + y 2 + 2z 2 does not represent 14.
x2 + y 2 + 3z 2 does not represent 6.
x2 + 2y 2 + 2z 2 does not represent 7.
x2 + 2y 2 + 3z 2 does not represent 10.
x2 + 2y 2 + 4z 2 does not represent 14.
x2 + 2y 2 + 5z 2 does not represent 10.
Now one can go through a similar analysis for the other 6 cases as we did for the
rst case, and determine a complete list of diagonal positive denite quaternary
universal quadratic forms: there are precisely 54 of them.3 In fact this investigation was originally done by S. Ramanujan in 1917, except that not having the
15 theorem he was forced to come up with empirical (i.e., conjectural) rules for
which integers are represented by the above ternary quadratic forms, so that he did
not supply proofs for his results.
Remark 4: Given the stories that have been told about Ramanujan and his unearthly intuition, it is interesting to remark that his paper lists a 55th universal
quadratic form: x2 + 2y 2 + 5z 2 + 5w2 . Ironically, this form does not represent 15,
as Dickson observed ten years later.
The 15 theorem was discovered in a graduate seminar that Conway was teaching at Princeton, in which Schneeburger was an attending student. The original
proof was quite computationally onerous, and it was never written down. Indeed,
by the time Manjul Bhargava became a graduate student at Princeton and heard
about the theorem, some of the details of the proof had been forgotten.
Bhargava was doubly stunned by this: that such a wonderful theorem could have
been discovered, and also that it had met such a disappointing fate. He found a
new proof of the 15 theorem which is, truly, one of the most beautiful mathematical arguments I have ever seen. It quite cleverly manages to avoid any unwieldy
computations. In fact he proved the following generalization:
Theorem 235. (Bhargavas Master Theorem) Let S Z+ . There exists a
nite subset S0 of S such that a positive denite integer-matrix quadratic form
represents all integers in S i it represents all integers in S0 .
3It can now be told that I put this as an extra credit problem on the nal exam. Moreover,
I hinted that I might do so, and in fact there was a student who practiced this type of calculation
and was able to give the complete solution!

230

19. REPRESENTATIONS OF INTEGERS BY QUADRATIC FORMS

Example: Taking S to be the prime numbers, Bhargava showed that one may take
S0 to be the primes less than or equal to 73.
The proof gives an algorithm for determining S0 , but whether or not it is practical seems to depend very much on the choice of S: it gets much harder if S does
not contain several very small integers.
Indeed, we have been saying integer matrix quadratic forms for the last few
results, but a quadratic form is represented by a polynomial with integer coecients i its dening matrix satises the slightly weaker condition that its diagonal
entries are integers and its o-diagonal entries are half-integers (e.g. q(x, y) = xy).
However, if q is any integral quadratic form, then the matrix entries of 2q are certainly integers, and q represents an integer N i 2q represents 2N . Thus, applying
Bhargavas Master Theorem to the subset of positive even integers, one deduces the
existence of an integer N0 such that if a positive-denite integral matrix represents
every N {1, . . . , N0 } then it represents every positive integer.
Already in Conways course it was suggested that N0 could be taken to be 290.
However, the calculations necessary to establish this result were Herculean: one
needs to show that each of 6, 436 quaternary quadratic forms is universal. Some
of these forms can be proven universal in relatively slick and easy ways, but about
1, 000 of them are seriously hard. So Bhargava enlisted the help of Jonathan Hanke,
and after several years of intense work (including extremely intensive and carefully
checked computer calculations), they were able to show the following result.
Theorem 236. (290 Theorem [BHxx]) If a positive-denite integral quadratic
form represents each of:
1, 2, 3, 5, 6, 7, 10, 13, 14, 15, 17, 19, 21, 22, 23, 26, 29, 30, 31, 34, 35, 37, 42, 58, 93, 110, 145, 203, 290,
then it represents all positive integers.

APPENDIX A

Rings, Fields and Groups

1. Rings
Recall that a binary operation on a set S is just a function : S S S: in other
words, given any two elements s1 , s2 of S, there is a well-dened element s1 s2 of S.
A ring is a set R endowed with two binary operations + and , called addition
and multiplication, respectively, which are required to satisfy a rather long list of
familiar-looking conditions in all the conditions below, a, b, c denote arbitrary
elements of R
(A1) a + b = b + a (commutativity of addition);
(A2) (a + b) + c = a + (b + c) (associativity of addition);
(A3) There exists an element, called 0, such that 0 + a = a. (additive identity)
(A4) For x R, there is a y R such that x+y = 0 (existence of additive inverses).
(M1) (a b) c = a (b c) (associativity of multiplication).
(M2) There exists an element, called 1, such that 1 a = a 1 = a.
(D) a (b + c) = a b + a c; (a + b) c = a c + b c.
Comments:
(i) The additive inverse required to exist in (A4) is unique, and the additive inverse
of a is typically denoted a. (It is easy to check that a = (1) a.)
(ii) Note that we require the existence of a multiplicative identity (or a unity).
Every once in a while one meets a structure which satises all the axioms except
does not have a multiplicative identity, and one does not eject it from the club just
because of this. But all of our rings will have a multiplicative identity.
(iii) There are two further reasonable axioms on the multiplication operation that
we have not required; our rings will sometimes satisfy them and sometimes not:
(M ) a b = b a (commutativity of multiplication).
(M ) For all a = 0, there exists b R such that ab = 1.
A ring which satises (M ) is called sensibly enough a commutative ring.
Example 1.0: The integers Z form a ring under addition and multiplication. Indeed
they are the universal ring in a sense to be made precise later.

231

232

A. RINGS, FIELDS AND GROUPS

Example 1.1: There is a unique ring in which 1 = 0. Indeed, if r is any element of

such a ring, then
r = 1 r = 0 r = (0 + 0) r = 0 r + 0 r = 1 r + 1 r = r + r;
subtracting r from both sides, we get r = 0. In other words, the only element of the
ring is 0 and the addition laws are just 0 + 0 = 0 = 0 0; this satises all the axioms
for a commutative ring. We call this the zero ring. Truth be told, it is a bit of annoyance: often in statements of theorems one encounters except for the zero ring.
Example 1.n: For any positive integer, let Zn denote the set {0, 1, . . . , n 1}.
There is a function modn from the positive integers to Zn : given any integer m,
modn (m) returns the remainder of m upon division by n, i.e., the unique integer r
satisfying m = qn + r, 0 r < n. We then dene operations of + and on Zn by
viewing it as a subset of the positive integers, employing the standard operations
of + and , and then applying the function modn to force the answer back in the
range 0 r < n. That is, we dene
a +n b := modn (a + b),
a n b := modn (a b).
The addition operation is familiar from clock arithmetic: with n = 12 this is how
we tell time, except that we use 1, 2, . . . , 12 instead of 0, . . . , 11. (However, military
time does indeed go from 0 to 23.)
The (commutative!) rings Zn are basic and important in all of mathematics, especially number theory. The denition we have given the most naive possible one
is not quite satisfactory: how do we know that +n and n satisfy the axioms for a
ring? Intuitively, we want to say that the integers Z form a ring, and the Zn s are
constructed from Z in some way so that the ring axioms become automatic. This
leads us to the quotient construction, which we will present later.
Modern mathematics has tended to explore the theory of commutative rings
much more deeply and systematically than the theory of (arbitrary) non-commutative
rings. Nevertheless noncommutative rings are important and fundamental: the basic example is the ring of n n matrices (say, with real entries) for any n 2.
A ring (except the zero ring!) which satises (M ) is called a division ring (or
division algebra). Best of all is a ring which satises (M ) and (M ): a eld.1
I hope you have some passing familiarity with the elds Q (of rational numbers), R
(of real numbers) and C (of complex numbers), and perhaps also with the existence
of nite elds of prime order (more on these later). In some sense a eld is the richest possible purely algebraic structure, and it is tempting to think of the elements
1A very long time ago, some people used the term eld as a synonym for division ring and
therefore spoke of commutative elds when necessary. The analogous practice in French took
longer to die out, and in relatively recent literature it was not standardized whether corps meant
any division ring or a commutative division ring. (One has to keep this in mind when reading
certain books written by Francophone authors and less-than-carefully translated into English, e.g.
Serres Corps Locaux.) However, the Bourbakistic linguistic philosophy that the more widely used
terminology should get the simpler name seems to have at last persuaded the French that corps
means (commutative!) eld.

2. RING HOMOMORPHISMS

233

of eld as numbers in some suitably generalized sense. Conversely, elements of

arbitrary rings can have some strange properties that we would, at least initially,
not want numbers to have.
2. Ring Homomorphisms
Generally speaking, a homomorphism between two algebraic objects is a map f
between the underlying sets which preserves all the relevant algebraic structure.
So a ring homomorphism f : R S is a map such that f (0) = 0, f (1) = 1 and
for all r1 , r2 R, f (r1 + r2 ) = f (r1 ) + f (r2 ), f (r1 r2 ) = f (r1 )f (r2 ).
In fact it follows from the preservation of addition that f (0) = 0. Indeed, 0 = 0 + 0,
so f (0) = f (0 + 0) = f (0) + f (0); now subtract f (0) from both sides. But in general it seems better to postulate that a homomorphism preserve every structure in
sight and then worry later about whether any of the preservation properties are
redundant. Note well that the property f (1) = 1 unitality is not redundant.
Otherwise every ring R would admit a homomorphism to the zero ring, which would
turn out to be a bit of a pain.
Example 2.1: For any ring R, there exists a unique homomorphism c : Z R.
Namely, any homomorphism must send 1 to 1R , 2 to 1R + 1R , 3 to 1R + 1R + 1R ,
1 to 1R , 2 to 1R + 1R and so forth. (And it is not hard to see that this
necessarily gives a homomorphism.)
Recall that a function f : X Y is an injection if x1 = x2 = f (x1 ) = f (x2 ).
To see whether a homomorphism of rings f : R S is an injection, it suces to look
at the set K(f ) = {x R | f (x) = 0}, the kernel of f . This set contains 0, and if
it contains any other element then f is certainly not injective. The converse is also
true: suppose K(f ) = 0 and f (x1 ) = f (x2 ). Then 0 = f (x2 ) f (x1 ) = f (x2 x1 ),
so x2 x1 K(f ), so by our assumption x2 x1 = 0, and x1 = x2 .
An important case is when R is a ring and S is a subset of R containing 0
and 1 and which is itself a ring under the operations of + and it inherits from
R. (In this case what needs to be checked are the closure of S under +, and :
i.e., for all s1 , s2 S, s1 +s2 , s1 s2 , s1 s2 S.) We say that S is a subring of R.
Suppose R and S are division rings and f : R S is a homomorphism between
them. Suppose that r is in the kernel of f , i.e., f (r) = 0. If r = 0, then it has
a (left and right) multiplicative inverse, denoted r1 , i.e., an element such that
rr1 = r1 r = 1. But then
1 = f (1) = f (rr1 ) = f (r)f (r1 ) = 0 f (r1 ) = 0,
a contradiction. So any homomorphism of division rings is an injection: it is especially common to speak of eld extensions. For example, the natural inclusions
Q , R and R , C are both eld extensions.
Example 2.1, continued: recall we have a unique homomorphism c : Z R. If
c is injective, then we nd a copy of the integers naturally as a subring of R. E.g.
this is the case when R = Q. If not, there exists a least positive integer n such that

234

A. RINGS, FIELDS AND GROUPS

c(n) = 0, and one can check that Ker(c) consists of all integer multiples of n, a set
which we will denote by nZ or by (n). This integer n is called the characteristic
of R, and if no such n exists we say that R is of characteristic 0 (yes, it would seem
to make more sense to say that n has innite characteristic). As an important
example, the homomorphism c : Z Zn is an extension of the map modn to all of
Z; in particular the characteristic of Zn is n.
3. Integral Domains
A commutative ring R (which is not the zero ring!) is said to be an integral domain if it satises either of the following equivalent properties:2
(ID1) If x, y R and xy = 0 then x = 0 or y = 0.
(ID2) If a, b, c R, ab = ac and a = 0, then b = c.
(Suppose R satises (ID1) and ab = ac with a = 0. Then a(b c) = 0, so b c = 0
and b = c; so R satises (ID2). The converse is similar.)
(ID2) is often called the cancellation property and it is extremely useful when
solving equations. Indeed, when dealing with equations in a ring which is not an
integral domain, one must remember not to apply cancellation without further justication! (ID1) expresses the nonexistence of zero divisors: a nonzero element
x of a ring R is called a zero divisor if there exists y in R such that xy = 0.
An especially distressing kind of zero divisor is an element 0 = a R such that
an = 0 for some positive integer n. (If N is the least positive integer N such that
aN = 0 we have a, aN 1 = 0 and a aN 1 = 0, so a is a zero divisor.) Such an
element is called nilpotent, and a ring is reduced if it has no nilpotent elements.
One of the diculties in learning ring theory is that the examples have to run
very fast to keep up with all the denitions and implications among denitions.
But, look, here come some now:
Example 3.1: Let us consider the rings Zn for the rst few n.
The rings Z2 and Z3 are easily seen to be elds: indeed, in Z2 the only nonzero
element, 1 is its own multiplicative inverse, and in Z3 1 = 11 and 2 = (2)1 .
In the ring Z4 22 = 0, so 2 is nilpotent and Z4 is nonreduced.
In Z5 one nds after some trial and error that 11 = 1, 21 = 3, 31 =
1
2, 4 = 4 so that Z5 is a eld.
In Z6 we have 2 3 = 0 so there are zero-divisors, but a bit of calculation shows
there are no nilpotent elements. (We take enough powers of every element until we
get the same element twice; if we never get zero then no power of that element will
be zero. For instance 21 = 2, 22 = 4, 23 = 2, so 2n will equal either 2 or 4 in Z6 :
never 0.)
2The terminology integral domain is completely standardized but a bit awkward: on the
one hand, the term domain has no meaning by itself. On the other hand there is also a notion
of an integral extension of rings. And, alas, it may well be the case that an extension of integral
domains is not an integral extension! But there is no clear remedy here, and proposed changes
in the terminology e.g. Langs attempted use of entire for integral domain have not been
well received.

3. INTEGRAL DOMAINS

235

Similarly we nd that Z7 is a eld, 2 is a nilpotent in Z8 , 3 is a nilpotent in Z9 ,

Z10 is reduced but not an integral domain, and so forth. Eventually it will strike
us that it appears to be the case that Zn is a eld exactly when n is prime. This
realization makes us pay closer attention to the prime factorization of n, and given
this clue, one soon guesses that Zn is reduced i n is squarefree, i.e., not divisible
by the square of any prime. Moreover, it seems that whenever Zn is an integral
domain, it is also a eld. All of these observations are true in general but nontrivial
to prove. The last fact is the easiest:
Proposition 237. Any integral domain R with nitely many elements is a
eld.
Proof. Consider any 0 = a R; we want to nd a multiplicative inverse.
Consider the various powers a1 , a2 , . . . of a. They are, obviously, elements of R, and
since R is nite we must eventually get the same element via distinct powers: there
exist positive integers i and j such that ai+j = ai = 0. But then ai = ai+j = ai aj ,
and applying (ID2) we get aj = 1, so that aj1 is the multiplicative inverse to
a.

Theorem 238. a) The ring Zn is a eld i n is a prime.
b) The ring Zn is reduced i n is squarefree.
Proof. In each case one direction is rather easy. Namely, if n is not prime,
then n = ab for integers 1 < a, b < n, and then a b = 0 in Zn . If n is not
squarefree, then for some prime p we can write n = p2 m, and then the element
mp is nilpotent: (mp)2 = mp2 m = mn = 0 in Zn .
However, in both cases the other direction requires Euclids Lemma: if a prime
p divides ab then p|a or p|b. (We will encounter and prove this result early on in
the course.) Indeed, this says precisely that if ab = 0 in Zn then either a = 0 or
b = 0, so Zp is an integral domain, and, being nite, by Proposition 237 it is then
necessarily a eld. Finally, if n = p1 pn is squarefree, and m < n, then m is not
divisible by some prime divisor of n, say pi , and by the Euclid Lemma neither is
any power ma of m, so for no positive integer a is ma = 0 in Zn .

Example 3.2: Of course, the integers Z form an integral domain. How do we know?
Well, if a = 0 and ab = ac, we can multiply both sides by a1 to get b = c. This
may at rst seem like cheating since a1 is generally not an integer: however it
exists as a rational number and the computation makes perfect sense in Q. Since
Z Q, having b = c in Q means that b = c in Z.
It turns out that for any commutative ring R, if R is an integral domain we can
prove it by the above argument of exhibiting a eld that contains it:
Theorem 239. A ring R is an integral domain i it is a subring of some eld.
Proof. The above argument (i.e., just multiply by a1 in the ambient eld)
shows that any subring of a eld is an integral domain. The converse uses the
observation that given an integral domain R, one can formally build a eld F (R)
whose elements are represented by formal fractions of the form ab with a R, b
R \ {0}, subject to the rule that ab = dc i ad = bc in R. There are many little
checks to make to see that this construction actually works. On the other hand,
this is a direct generalization of the construction of the eld Q from the integral
domain Z, so we feel relatively sanguine about omitting the details here.


236

A. RINGS, FIELDS AND GROUPS

Remark: The eld F (R) is called the eld of fractions3 of the integral domain R.
Example 3.3 (Subrings of Q): There are in general many dierent integral domains
with a given quotient eld. For instance, let us consider the integral domains with
quotient eld Q, i.e., the subrings of Q. The two obvious ones are Z and Q, and
it is easy to see that they are the extremes: i.e., for any subring R of Q we have
Z R Q. But there are many others: for instance, let p be any prime number,
and consider the subset Rp of Q consisting of rational numbers of the form ab where
b is not divisible by any prime except p (so, taking the convention that b > 0, we
are saying that b = pk for some k). A little checking reveals that Rp is a subring
of Q. In fact, this construction can be vastly generalized: let S be any subset of
the prime numbers (possibly innite!), and let RS be the rational numbers ab such
that b is divisible only by primes in S. It is not too hard to check that: (i) RS is a
subring of Q, (ii) if S = S , RS = RS , and (iii) every subring of Q is of the form
RS for some set of primes S. Thus there are uncountably many subrings in all!
4. Polynomial Rings
Let R be a commutative ring. One can consider the ring R[T ] of polynomials with
coecients in T : that
n is, the union over all natural numbers n of the set of all
formal expressions i=0 ai T i (T 0 = 1). (If an = 0, this polynomial is said to have
degree n. By convention, we take the zero polynomial to have degree .) There
are natural addition and multiplication laws which reduce to addition in R, the law
T i T j = T i+j and distributivity. (Formally speaking we should write down these
laws precisely and verify the axioms, but this is not very enlightening.) One gets a
commutative ring R[T ].
One can also consider polynomial rings in more than one variable: R[T1 , . . . , Tn ].
These are what they sound like; among various possible formal denitions, the most
technically convenient is an inductive one: R[T1 , . . . , Tn ] := R[T1 , . . . , Tn1 ][Tn ], so
e.g. the polynomial ring R[X, Y ] is just a polynomial ring in one variable (called
Y ) over the polynomial ring R[X].
Proposition 240. R[T ] is an integral domain i R is an integral domain.
Proof. R is naturally a subring of R[T ] the polynomials rT 0 for r R and
any subring of an integral domain is a domain; this shows necessity. Conversely,
suppose R is an integral domain; then any two nonzero polynomials have the form
an T n + an1 T n1 + . . . + a0 and bm T m + . . . + b0 with an , bm = 0. When we
multiply these two polynomials, the leading term is an bm T n+m ; since R is a domain,
an bm = 0, so the product polynomial has nonzero leading term and is therefore
nonzero.

Corollary 241. A polynomial ring in any number of variables over an integral
domain is an integral domain.
This construction gives us many new integral domains and hence many new elds.
For instance, starting with a eld F , the fraction eld of F [T ] is the set of all formal
3The term quotient eld is also used, even by me until rather recently. But since there is
already a quotient construction in ring theory, it seems best to use a dierent term for the fraction
construction.

5. COMMUTATIVE GROUPS

237

P (T )
quotients Q(T
) of polynomials; this is denoted F (T ) and called the eld of rational
functions over F . (One can equally well consider elds of rational functions in several variables, but we shall not do so here.)

The polynomial ring F [T ], where F is a eld, has many nice properties; in some
ways it is strongly reminiscent of the ring Z of integers. The most important common property is the ability to divide:
Theorem 242. (Division theorem for polynomials) Given any two polynomials
a(T ), b(T ) in F [T ], there exist unique polynomials q(T ) and r(T ) such that
b(T ) = q(T )a(T ) + r(T )
and deg(r(T )) < deg(a(T )).
A more concrete form of this result should be familiar from high school algebra:
instead of formally proving that such polynomials exist, one learns an algorithm for
actually nding q(T ) and r(T ). Of course this is as good or better: all one needs
to do is to give a rigorous proof that the algorithm works, a task we leave to the
reader. (Hint: induct on the degree of b.)
Corollary 243. (Factor theorem) For a(T ) F [T ] and c F , the following
are equivalent:
a) a(c) = 0.
b) a(T ) = q(T ) (T c).
Proof. We apply the division theorem with b(T ) = (T c), getting a(T ) =
q(T )(T c) + r(T ). The degree of r must be less than the degree of T c, i.e.,
zero so r is a constant. Now plug in T = c: we get that a(c) = r. So if a(c) = 0,
a(T ) = q(T )(T c). The converse is obvious.

Corollary 244. A nonzero polynomial p(T ) F [T ] has at most deg(p(T ))
roots.
Remark: The same result holds for polynomials with coecients in an integral domain R, since every root of p in R is also a root of p in the fraction eld F (R).
This may sound innocuous, but do not underestimate its power a judicious application of this Remark (often in the case R = Z/pZ) can and will lead to substantial
simplications of classical arguments in elementary number theory.
Example 4.1: Corollary 244 does not hold for polynomials with coecients in an
arbitrary commutative ring: for instance, the polynomial T 2 1 Z8 [T ] has degree
2 and 4 roots: 1, 3, 5, 7.
5. Commutative Groups
A group is a set G endowed with a single binary operation : GG G, required
to satisfy the following axioms:
(G1) for all a, b, c G, (a b) c = a (b c) (associativity)
(G2) There exists e G such that for all a G, e a = a e = a.
(G3) For all a G, there exists b G such that ab = ba = e.

238

A. RINGS, FIELDS AND GROUPS

Example: Take an arbitrary set S and put G = Sym(S), the set of all bijections
f : S S. When S = {1, . . . , n}, this is called the symmetric group of order n,
otherwise known as the group of all permutations on n elements: it has order n!.
We have notions of subgroups and group homomorphisms that are completely
analogous to the corresponding ones for rings: a subgroup H G is a subset which
is nonempty, and is closed under the group law and inversion: i.e., if g, h H
then also g h and g 1 are in H. (Since there exists some h H, also h1 and
e = h h1 H; so subgroups necessarily contain the identity.)4 And a homomorphism f : G1 G2 is a map of groups which satises f (g1 g2 ) = f (g1 ) f (g2 ) (as
mentioned above, that f (eG1 ) = eG2 is then automatic). Again we get many examples just by taking a homomorphism of rings and forgetting about multiplication.
Example 5.1: Let F be a eld. Recall that for any positive integer n, the n n
matrices with coecients in F form a ring under the operations of matrix addition
and matrix multiplication, denoted Mn (F ). Consider the subset of invertible matrices, GLn (F ). It is easy to check that the invertible matrices form a group under
matrix multiplication (the unit group of the ring Mn (F ), coming up soon). No
matter what F is, this is an interesting and important group, and is not commutative if n 2 (when n = 1 it is just the group of nonzero elements of F under
multiplication). The determinant is a map
det : GLn (F ) F \ {0};
a well-known property of the determinant is that det(AB) = det(A) det(B). In
other words, the determinant is a homomorphism of groups. Moreover, just as
for a homomorphism of rings, for any group homomorphism f : G1 G2 we can
consider the subset Kf = {g G1 | f (g) = eG2 } of elements mapping to the identity
element of G2 , again called the kernel of f . It is easy to check that Kf is always a
subgroup of G1 , and that f is injective i Kf = 1. The kernel of the determinant
map is denoted SLn (F ); by denition, it is the collection
matrices
[ of all n n ]
cos
sin
5
with determinant 1. For instance, the rotation matrices
form a
sin cos
subset (indeed, a subgroup) of the group SL2 (R).
Theorem 245. (Lagrange) For a subgroup H of the nite group G, we have
#H | #G.
The proof6 is combinatorial: we exhibit a partition of G into a union of subsets
Hi , such that #Hi = #H for all i. Then, the order of G is #H n, where n is the
number of subsets.
The Hi s will be the left cosets of H, namely the subsets of the form
gH = {gh | h H}.
4Indeed there is something called the one step subgroup test: a nonempty subset H G
is a subgroup i whenever g and h are in H, then g h1 H. But this is a bit like saying you
can put on your pants in one step if you hold them steady and jump into them: its true but
not really much of a time saver.
5The GL stands for general linear and the SL stands for special linear.
6This proof may be too brief if you have not seen the material before; feel free to look in any
algebra text for more detail, or just accept the result on faith for now.

5. COMMUTATIVE GROUPS

239

Here g ranges over all elements of G; the key is that for g1 , g2 G, the two cosets
g1 H and g2 H are either equal or disjoint i.e., what is not possible is for them to
share some but not all elements. To see this: suppose x g1 H and is also in g2 H.
This means that there exist h1 , h2 H such that x = g1 h1 and also x = g2 h2 ,
1
so g1 h1 = g2 h2 . But then g2 = g1 h1 h1
is
2 , and since h1 , h2 H, h3 := h1 h2
also an element of H, meaning that g2 = g1 h3 is in the coset g1 H. Moreover, for
any h H, this implies that g2 h = g1 h3 h = g1 h4 g1 H, so that g2 H g1 H.
Interchanging the roles of g2 and g1 , we can equally well show that g1 H g2 H, so
that g1 H = g2 H. Thus overlapping cosets are equal, which was to be shown.
Remark: In the proof that G is partitioned into cosets of H, we did not use the
niteness anywhere; this is true for all groups. Indeed, for any subgroup H of any
group G, we showed that there is a set S namely the set of distinct left cosets
{gH} such that the elements of G can be put in bijection with S H. If you know
about such things (no matter if you dont), this means precisely that #H divides
#G even if one or more of these cardinalities is innite.
Corollary 246. If G has order n, and g G, then the order of g i.e., the
least positive integer k such that g k = 1 divides n.
Proof. The set of all positive powers of an element of a nite group forms a
subgroup, denoted g, and it is easily checked that the distinct elements of this
group are 1, g, g 2 , . . . , g k1 , so the order of g is also #g. Thus the order of g
divides the order of G by Lagranges Theorem.

Example 5.2: For any ring R, (R, +) is a commutative group. Indeed, there is
nothing to check: a ring is simply more structure than a group. For instance, we
get for each n a commutative group Zn just by taking the ring Zn and forgetting
about the multiplicative structure.
A group G is called cyclic if it has an element g such that every element x in
G is of the form 1 = g 0 , g n := g g . . . g or g n = g 1 g 1 . . . g 1 for some
positive integer n. The group (Z, +) forms an innite cyclic group; for every positive integer n, the group (Zn , +) is cyclic of order n. It is not hard to show that
these are the only cyclic groups, up to isomorphism.
An element u of a ring R is a unit if there exists v R such that uv = vu = 1.
Example 5.3: 1 is always a unit; 0 is never a unit (except in the zero ring, in
which 0 = 1). The units in Z are 1.
A nonzero ring is a division ring i every nonzero element is a unit.
The set of all units in a ring is denoted R . It is not hard to see that the units
form a group under multiplication: for instance, if u and v are units, then they
have two-sided inverses denoted u1 and v 1 , and then
uv (v 1 u1 ) = (v 1 u1 )uv = 1,
so uv is also a unit. Similarly, the (unique) inverse u1 of a unit is a unit. In
general, R is not commutative, but of course it will be if R is commutative.

240

A. RINGS, FIELDS AND GROUPS

6. Ideals and Quotients

In this section all groups and rings will be commutative.
Let R be a (commutative!) ring. An ideal of R is a subset I of R satisfying:
(IR1) I is a subgroup of the additive group of R.
(IR2) For any r R and any i I, ri I.
We often employ notation like rI = {ri | i I} and then (IR2) can be stated
more succinctly as: for all r R, rI I. In other words, an ideal is a subset
of a ring R which is a subgroup under addition (in particular it contains 0 so is
nonempty) and is not only closed under multiplication but satises the stronger
property that it absorbs all elements of the ring under multiplication.
Remark (Ideals versus subrings): It is worthwhile to compare these two notions;
they are related, but with subtle and important dierences. Both an ideal I and
a subring S of a ring R are subsets of R which are subgroups under addition and
are stable under multiplication. However, each has an additional property: for an
ideal it is the absorption property (IR2). For instance, the integers Z are a subring
of the rational numbers Q, but are clearly not an ideal, since 12 1 = 12 , which is not
an integer. On the other hand a subring has a property that an ideal usually lacks,
namely it must contain the unity 1 of R. For instance, the subset 2Z = {2n | n Z}
is an ideal of Z but is not a subring.
Example (trivial ideals): Any ring R (which is not the zero ring!) contains at
least two ideals: the ideal {0}, and the ideal R itself. These are however not very
interesting examples, and often need to be ignored in a discussion. (The convention that ideal should stand for non-zero ideal whenever convenient is a fairly
common and useful one in the subject.) An ideal I is said to be proper if it is not
R, and again most interesting statements about ideals should really be applied to
proper ideals. Note well that an ideal is proper i it does not contain the unity 1.
Indeed, an ideal lacking 1 is certainly proper, and conversely, if 1 I and r R,
then r 1 = r is in R.

Proposition 247. The following are equivalent for a nonzero commutative

ring R:
a) R has only the trivial ideals {0} and R.
b) R is a eld.
Proof. b) = a): Suppose I is a nonzero ideal of a eld R, so I contains
some 0 = a. Then since a is a eld, a1 exists and 1 = a1 a R I I, so I
contains 1 and is hence all of R.
a) = b): Suppose R is not a eld; then some nonzero element a does not
have an inverse. Then the set aR = {ar | r R} is a proper, nonzero ideal.

The preceding argument shows a general construction of ideals: for any element a
of R, the set of elements {ra | r R} is an ideal of R. (Just to check: r1 a + r2 a =
(r1 + r2 )a, ra = (r)a and r (ra) = (r r)a.) We denote such ideals as either Ra

6. IDEALS AND QUOTIENTS

241

or (a); they are simple and easy to understand and are called principal ideals and
a is called a generator.
Proposition 248. (To contain is to divide) Let a and b be elements of R. The
following are equivalent:
a) (a) (b).
b) a | b; i.e., b = ac for some c in R.
Proof. Exercise!

Proposition 249. Let a and b be elements of an integral domain R. The

following are equivalent:
a) (a) = (b).
b) a = bu for some unit u R .
Proof. Since (a) (b), b = c1 a for some c1 R. Since (b) (a), a = c2 b
for some c2 R. Combining this information we get b = c1 c2 b. If b = 0, then also
a = 0, a trivial case; otherwise, we can cancel b to get c1 c2 = 1, meaning that c1
and c2 are units, so a = c2 b shows what we want.

The notion of generators for ideals can be generalized: for any a1 , . . . , an , there is
an ideal, denoted (a1 , . . . , an ), and dened as the set of all elements of the form
a1 r1 + . . . + an rn as r1 , . . . , rn range over all elements of R. This is called the ideal
generated by a1 , . . . , an , and it is not hard to see that any ideal I which contains
the elements a1 , . . . , an must contain the ideal (a1 , . . . , an ).
Example: In particular, taking R = Z, for any n Z we have an ideal (n) consisting of all integer multiples of n. Taking n = 0 we get the zero ideal; otherwise
(n) = (n), so that the same principal ideal may well have more than one generator. (However, in this case we are quite fortunate and every nonzero principal
ideal has a standard generator, namely the positive one.) Consider the ideal
generated by 4 and 7; is there some simpler way of writing it? Indeed yes: since
1 = 37+(5)4, the ideal (4, 7) contains 1, so it is in fact all of Z: (4, 7) = (1) = Z.
If you play around a bit with ideals generated by two dierent integers, you will
soon come around to the idea that (a, b) is always principal, and is generated by
the greatest common divisor of a and b. (Note that we are all of a sudden doing
number theory!) However, this turns out to be quite nontrivial to prove; it is the
essential content of the fundamental theorem of arithmetic.
Example: Let R = Z[T ], and consider the ideal (2, T ): it consists of all polynomials of the form 2P (T ) + T Q(T ). Is this ideal principal? If so, there would exist
a single magic polynomial M (T ) such that 2 = p1 (T )M (T ) and T = p2 (T )M (T ).
But since the degree of the product polynomial is the sum of the degrees of the
two polynomials, we get that p1 (T ) and M (T ) are both constants, i.e., both integers. Replacing M (T ) by M (T ) if necessary, we see that the only possibilities
are M (T ) = 1 or M (T ) = 2. But if M (T ) = 2, then T = 2p2 (T ) which is impossible, because 2 divides the leading term of 2p2 (T ). So the only possibility is that
M (T ) = 1, i.e., perhaps the ideal (2, T ) is all of R? No, this isnt right either: it is
not possible that 1 = 2P (T ) + T Q(T ): plugging in T = 0 we get that 1 = 2P (0),
and again, 1 is not divisible by 2. The ideal (2, T ) is not principal too bad!

242

A. RINGS, FIELDS AND GROUPS

Denition: A ring R is called principal if every ideal is principal. This property

interacts especially nicely with integral domains: a domain in which each ideal is
principal is called a principal ideal domain, or PID. Such are the rings whose
arithmetic most closely parallels the arithmetic of the integers, so are especially
prized.
6.1. Prime and maximal ideals. A proper ideal I in a ring is prime if
whenever xy I, x I or y I. A proper ideal is maximal if it is not strictly
contained in any larger proper ideal.
The rst denition requires some justication. At the moment, we ask the reader to
consider which of the ideals (n) of the integers are prime. It will turn out that they
are the ones in which are generated by a prime number n = p, and this amounts to
the fundamental property of prime numbers: if a prime p divides xy, then p divides
x or p divides y (Euclids Lemma).
The following two observations are good to keep in mind; their proofs just involve
matching up various denitions, so are left as exercises.
Proposition 250. A ring is an integral domain i the zero ideal is prime.
Proposition 251. A ring is a eld i the zero ideal is maximal.
Proposition 252. In a principal ideal domain, every nonzero prime ideal is
maximal.
Proof. Suppose (a) is a prime ideal which is not maximal: then we have a
proper containment of ideals (a) ( (b), with (b) a proper ideal. By Proposition
248, this means that a = bc for some c R. Since (a) is prime, we get that either
b (a) or c (a). The former implies that (a) = (b), contradicting the strictness
of the containment. So c (a); say c = da. Then a = b(d)a = bda. Since a = 0,
we can cancel, getting bd = 1. Thus b is a unit, so (b) is not a proper ideal, a
contradiction.

Example: In Z[T ], the ideal (T ) is prime: a polynomial is divisible by T i its
constant term is zero. And if P1 (T ) has constant term c1 and P2 (T ) has constant
term c2 , then P2 (T ) has constant term c1 c2 , so if P1 (T )P2 (T ) has constant term
zero, so does at least one of P1 and P2 . On the other hand it is not maximal, since
it is strictly contained in the proper ideal (2, T ).
6.2. Quotient rings.
The most important use of ideals is the quotient construction: if I is an ideal in a
(still assumed commutative) ring R, then we can form a ring R/I endowed with a
canonical homomorphism R R/I, as follows:
The elements of R/I are the cosets r + I of the subgroup I of R. The addition and
multiplication laws are derived from those on R:
(r1 + I) + (r2 + I) = (r1 + r2 + I).
(r1 + I) (r2 + I) = (r1 r2 + I).
One must check that these denitions actually make sense (are well-dened):
namely, that the sum and product of cosets does not depend upon the choice of

6. IDEALS AND QUOTIENTS

243

representative we chose. After all, r1 + I is the same coset as r1 + i1 + I, for any

i1 I. Now we just check that the properties of I are exactly such as to ensure
that the nal answer tolerates such ambiguity: suppose we chose r1 + i1 and r2 + i2
instead. Then we would have dened the sum to be
r1 + i1 + r2 + i2 + I = r1 + r2 + (i1 + i2 + I).
But since i1 , i2 I, so is i1 +i2 , which means that i1 +i2 +I = I, so its okay: we get
the same coset no matter what i1 and i2 we pick. And similarly for multiplication:
(r1 + i1 + I)(r2 + i2 + I) = (r1 + i1 )(r2 + i2 ) + I = r1 r2 + r1 i2 + r2 i1 + i1 i2 .
But again by the absorption property (IR2) of ideals, r1 i2 , r2 i1 , and i1 i2 are all
elements of I, and hence so is their sum. (This shows why a mere subring wouldnt
do!) Thus R/I is indeed a ring. Moreover, the map R R/I is just r 7 r + I. It
is essentially tautological that it is a homomorphism of rings.
When two elements r1 and r2 determine the same coset r1 + I = r2 + I, their
images in R/I are equal (and conversely). In this situation, it is useful to say that
r1 and r2 are equal modulo I.
Basic example: Consider the ideal (n) in Z, where n is some positive integer. Then
a choice of representative for each coset Z + (n) is obtained by taking 0, 1, . . . , n 1.
In other words, for any two distinct integers 0 i, j < n, i j is not a multiple
of n, so i + (n) and j + (n) are distinct cosets. Moreover, for any larger integer k,
the coset k + (n) will be equal to a unique coset i + (n), where i is the remainder
upon dividing k by n.
Note that the ring Z/(n) is nothing else than the nite ring we denoted Zn , and
the way in which the fact that taking usual addition and multiplication and then
taking the remainder upon division by n endow Zn with the structure of a ring is
made rigorous by the quotient construction: it is a systematization of the process of
throwing away multiples of n. I highly recommend thinking about the quotient
construction in this case, since all the abstract ideas are there and it is relatively
easy to understand what it means for two integers a and b to determine the same
cosets.
Many properties of ideals I are equivalent to certain properties of the quotient
ring R/I. Here are two very important examples:
Proposition 253. Let I be an ideal in a ring R.
a) I is prime i R/I is an integral domain.
b) I is maximal i R/I is a eld.
Proof. To say that I is prime is to say that when xy I, either x I or
y I. Now an element x lies in I i its image in R/I is zero, so an ideal I is prime
if whenever a product of two elements x + I and y + I is zero in R/I, at least one
of x + I and y + I is zero. This is exactly the denition of an integral domain!
If R/I is a eld, then whenever x is not an element of I, there exists an element
y R such that (x + I)(y + I) = (xy + I) = (1 + I), i.e., xy 1 = i I. If I is
not maximal, there exists some element x R \ I and a proper ideal J containing
I and x. But 1 = xy i, so any ideal which contains both I and x also contains xy

244

A. RINGS, FIELDS AND GROUPS

and i, hence contains 1, so is not proper. Similarly, if I is maximal and x is any

element of R \ I, then the set Ix = {i + rx | i I, r R} is an ideal containing I
and x, hence Ix strictly contains I so must contain 1. That is, 1 = i + yx for some
i I, y R, and this means that (x + I)(y + I) = 1 + I, so that x + I is invertible
in R/I.

Example: Let R = F [X, Y ] for any eld F . It is easy to check that R/(X)
= F [Y ]:
we are considering polynomials P (X, Y ) modulo multiples of X, and this is amounts
to evaluating X = 0 and considering the corresponding polynomials P (0, Y ), which
form the ring F [Y ]. Since the quotient ring F [Y ] is an integral domain, (X) is
a prime ideal. Since it is not a eld, (X) is not maximal. Therefore R is not a
PID. Note that we showed this without exhibiting any particular nonprincipal ideal.
Tracking through the preceding proofs, we see that there must be a nonprincipal
ideal which contains (X); can you nd one?

APPENDIX B

More on Commutative Groups

1. Reminder on Quotient Groups
Let G be a group and H a subgroup of G. We have seen that the left cosets xH
of H in G give a partition of G. Motivated by the case of quotients of rings by
ideals, it is natural to consider the product operation on cosets. Recall that for any
subsets S, T of G, by ST we mean {st | s S, t T }.
If G is commutative, the product of two left cosets is another left coset:
(xH)(yH) = xyHH = xyH.
In fact, what we really used was that for all y G, yH = Hy. For an arbitrary
group G, this is a property of the subgroup H, called normality. But it is clear
and will be good enough for us that if G is commutative, all subgroups are normal.
If G is a group and H is a normal subgroup, then the set of left cosets, denoted
G/H, itself forms a group under the above product operation, called the quotient
group of G by H. The map which assigns x G to its coset xH G/H is in fact
a surjective group homomorphism q : G G/H, called the quotient map (or in
common jargon, the natural map), and its kernel is precisely the subgroup H.
Theorem 254. (Isomorphism theorem) Let f : G G be a surjective homomorphism of groups, with kernel K. Then G/K is isomorphic to G .
Proof. We dene the isomorphism q(f ) : G/K G in terms of f : map the
coset xK to f (x) G . This is well-dened, because if xK = x K, then x = xk
for some k K, and then
f (x ) = f (x)f (k) = f (x) e = f (x),
since k is in the kernel of f . It is immediate to check that q(f ) is a homomorphism
of groups. Because f is surjective, for y G there exists x G such that f (x) = y
and then q(f )(xK) = y, so q(f ) is surjective. Finally, if q(f )(xK) = e, then
f (x) = e and x K, so xK = K is the identity element of G/K.


In other words, a group G is (isomorphic to) a quotient of a group G i there

exists a surjective group homomorphism from G to G .
Corollary 255. If G and G are nite groups such that there exists a surjective group homomorphism f : G G , then #G | #G.
Proof. G
= G/ ker f , so #G #(ker f ) = #G.
245

246

B. MORE ON COMMUTATIVE GROUPS

Remark: Suitably interepreted, this remains true for innite groups.

Corollary 256. If G is isomorphic to a quotient group of G and G is
isomorphic to a quotient group of G , then G is isomorphic to a quotient group of
G.
Proof. We have surjective homomorphisms q1 : G G and q2 : G G ,
so the composition q2 q1 is a surjective homomorphism from G to G .

2. Cyclic Groups
Recall that a group G is cyclic if there exists some element g in G such that every
x in g is of the form g n for some integer n. (Here we are using the conventions that
g 0 = e is the identity element of G and that g n = (g 1 )n .) Such an element g is
called a generator. In general, a cyclic group will have more than one generator,
and it is a number-theoretic problem to determine how many generators there are.
Example 1: The integers Z under addition are a cyclic group, because 1 is a generator. The only other generator is 1.
Example 2: We denote by Zn the additive group of the ring (Z/nZ). It is also
a cyclic group, because it is generated by the class of 1 (mod n).
We claim that these are the only cyclic groups, up to isomorphism. One (comparatively sophisticated) way to see this is as follows: let G be a cyclic group, with
generator g. Then there is a unique homomorphism f from the additive group of
the integers to G which maps 1 to g. The map f is surjective because, by assumption, every y in G is of the form g n for some n Z, i.e., y = g n = f (n). Let K be
the kernel of this homomorphism. Then it is a subgroup of (Z, +), and since every
additive subgroup of (Z, +) is an ideal, we have K = nZ for some n N. Therefore
by the isomorphism theorem, we have that G is isomorphic to the additive group
of the quotient ring Z/nZ, i.e., to Zn .
Corollary 257. Every quotient group of a cyclic group is cyclic.
Proof. We saw that a group is cyclic i it is isomorphic to a quotient of
(Z, +). Therefore a quotient G of a cyclic group is a group that is isomorphic to a
quotient of a quotient of (Z, +), and by Corollary 256 this simply means that G is
isomorphic to a quotient of (Z, +) and hence is itself cyclic.

Proposition 258. Let n Z+ . For every positive divisor k of n, there is a
unique subgroup of Zn of order k, and these are the only subgroups of Zn .
Proof. For any divisor k of n, the subgroup generated by k (mod n) of
(Z/nZ, +) has order nk , and as k runs through the positive divisors of n so does nk .
So there is at least one cyclic subgroup of Zn of order any divisor of n. Conversely,
let H be a subgroup of (Z/nZ, +) and let k be the least positive integer such that
the class of k mod n lies in H. I leave it to you to show that H is the subgroup
generated by k (mod n).

Remark: Here is a slicker proof: the subgroups of Zn correspond to the ideals in
Z/nZ which by a general principle on ideals in quotient rings correspond to the
ideals of Z containing (nZ), which correspond to the positive divisors of n.

3. PRODUCTS OF ELEMENTS OF FINITE ORDER IN A COMMUTATIVE GROUP

247

Corollary 259. Subgroups of cyclic groups are cyclic.

Proposition 260. For a Z+ , the order of a (Z/nZ, +) is

n
gcd(a,n) .

Proof. Let d = gcd(a, n) and write a = da . The (additive) order of a

(mod n) is the least positive integer k such that n | ka. We have n | ka = kda
n
n
n


d | ka , and since gcd( d , a) = 1, the least such k is d .
Corollary 261. Let a Z, n Z+ .
a) The class of a Zn is a generator if and only if gcd(a, n) = 1. In particular
there are (n) generators.
b) For any d | n,
there are precisely (d) elements of Zn of order d.
c) It follows that d | n (d) = n.
Proof. Part a) is immediate from Proposition 260. For any d | n, each element
of order d generates a cyclic subgroup of order d, and we know that there is exactly
one such subgroup of Zn , so the elements of order d are precisely the (d) generators
of this cyclic group. Part c) follows: the left hand side gives the number of elements
of order d for each d | n and the right hand side is #Zn .

This leads to a very useful result:
Theorem 262. (Cyclicity criterion) Let G be a nite group, not assumed to be
commutative. Suppose that for each n Z+ , there are at most n elements x in G
with xn = e. Then G is cyclic.
Proof. Suppose G has order N , and for all 1 d N , let f (d) be the number
of elements
of G of order d. By Lagranges Theorem, f (d) = 0 unless d | N , so
N = #G = d | N f (d). Now, if f (d) = 0 then there exists at least one element of
order d, which therefore generates a cyclic group of order d, whose elements give
d solutions to the equation xd = e. By our assumption there cannot be any more
solutions to this equation, hence all the elements of order d are precisely the (d)
generators of this cyclic group. In other words, for all d |n we have either f (d) = 0
or f (d) = (d), so in any case we have

N=
f (d)
(d) = N.
d | N

d | N

Therefore we must have f (d) = (d) for all d | N , including d = N , i.e., there exists
an element of G whose order is the order of G: G is cyclic.

Corollary 263. Let F be a eld, and let G F be a nite subgroup of the
group of nonzero elements of F under multiplication. Then G is cyclic.
Proof. By basic eld theory, for any d Z+ the degree d polynomial td 1
can have at most d solutions, so the hypotheses of Theorem 262 apply to G.

3. Products of Elements of Finite Order in a Commutative Group
Let G be a commutative group, and let x, y G be two elements of nite order, say
of orders m and n respectively. There is a unique smallest subgroup H = H(x, y) of
G containing both x and y, called the subgroup generated by x and y. H(x, y)
is the set of all elements of the form xa y b for a, b Z. Moreover, since x has order
m and y has order n, we may write every element of H as xa y b with 0 a < m,
0 b < n, so that #H mn. In particular the subgroup of an abelian group

248

B. MORE ON COMMUTATIVE GROUPS

generated by two elements of nite order is itself nite.

It is very useful to have some information about both the size of H(x, y) and
the order of the element xy in terms of m and n alone. However we cannot expect
a complete answer:
Example 3: Suppose that m = n = N . We could take G to be the additive
group of Z/N Z Z/N Z, x = (1, 0), y = (0, 1). Then the subgroup generated by x
and y is all of G, so has order N 2 , and the order of x + y is N . On the other hand,
we could take G = ZN and x = y = g some generator. Then H(x, y) = G has order
N and #xy is N if N is odd and N2 is N is even. Or we could have taken y = x1
so that the xy = e and has order 1. And there are yet other possibilities.
Example 4: Suppose that gcd(m, n) = 1. We can show that xy has order mn,
and hence is a generator for H(x, y). Indeed, let a Z+ be such that (xy)a = e,
i.e., xa = y a . But the order of xa divides m and the order of y a divides n; since
gcd(m, n) = 1, xa = y a = 1, so that a | m, a | n. Since, again, gcd(m, n) = 1,
this implies a | mn.
The general case is as follows:
Theorem 264. Let x and y be elements of nite order m and n in a commutative group G. Denote by H(x, y) the subgroup generated by x and y.
a) lcm(m, n) | #H(x, y) | mn.
b) lcm(m,n)
gcd(m,n) | #(xy) | lcm(m, n).
Proof. Step 1: Dene a surjective homomorphism of groups : Zm Zn
H(x, y) by (c, d) 7 xc y d , so by #H(x, y) | #(Zm Zn ) by Corollary 255.
Step 2: Let K be the kernel of . By the Isomorphism theorem, #H(x, y) =
mn
#(Zm Zn )/#K = #K
, so #H(x, y) | mn. Moreover, the kernel K consists of
c
pairs (c, d) such that x = y d . Let f = gcd(m, n). Let o be the order of xc = y d .
Since the order of xc divides m and the order of y d divides n, o | gcd(m, n) = f .
There are f values of c (mod m) for which xc has order dividing f , and for each of
these values, there is at most one value of d (mod n) such that xc = y d (because
the elements y i for 0 i < n are distinct elements of G). This shows that the
kernel can be viewed as a subset of Zf , and it is easily checked to be a subgroup.
So #K | f and hence
mn mn
lcm(m, n) =
|
= #H(x, y).
f
#K
Step 3: (xy)lcm(m,n) = xlcm(m,n) y lcm(m,n) = 1, so the order of xy divides lcm(m, n).
Step 4: Finally, suppose that a Z+ is such that (xy)a = xa y a = 1, so xa = y a .
n
m
is equal to the order of y a , which is gcd(a,n)
.
So the order of xa , which is gcd(a,m)
In other words, we have
m gcd(a, n) = n gcd(a, m).
Since

gcd( m
f , n)

= 1,

m
f

| gcd(a, m), or
m | f gcd(a, m) | f a.

4. CHARACTER THEORY OF FINITE ABELIAN GROUPS

249

Similarly
n | f gcd(a, n) | f a.
Therefore lcm(m, n) | f a, or

lcm(m,n)
gcd(m,n)

| a, completing the proof of the theorem. 

Remark: The divisibilities in Theorem 264 are best possible: if h and o are positive
integers such that lcm(m, n) | h | mn and lcm(m,n)
gcd(m,n) | o | lcm(m, n), then there exist
elements x, y Zm Zn such that #H(x, y) = h, #xy = o.
Remark: The situation is profoundly dierent for noncommutative groups: for
every m, n 2 and 2 r there exists a group G containing elements x of
order m, y of order n whose product xy has order r. Moreover, if r < then one
can nd a nite group G with these properties, whereas one can nd an innite
1
group with these properties i m
+ n1 + 1r 1.
The following is a consequence of Theorem 264 (but is much simpler to prove):
Corollary 265. Let m, n Z+ . Then Zm Zn is cyclic i gcd(m, n) = 1.
Proof. The order of any element (c, d) divides lcm(m, n), and the order of
(1, 1) is lcm(m, n). So the group is cyclic i mn = lcm(m, n) i gcd(m, n) = 1. 
4. Character Theory of Finite Abelian Groups
4.1. Introduction.
In this section our goal is to present the theory of characters of nite abelian
groups. Although this is an easy theory in that we can present it in its entirety
here, it nevertheless of the highest impotance, being the jumping o point for at
least two entire disciplines of mathematics: the general theory of linear representations of groups, and Fourier analysis. The special case of characters of the unit
groups U (N ) = (Z/N Z) will be used as one of the essential ingredients in the
proof of Dirichlets theorem on primes in arithmetic progessions.
Let G be a nite commutative group. A character : G C of G is a homomorphism from G to the group C of nonzero complex numbers under multiplication.
Suppose N = #G. By Lagranges theorem we have, for any g G, that g N = e
(the identity element), and thus for any character on G we have
(g)N = (g N ) = (e) = 1.
Thus (g) is itself a complex N th root of unity. Recall that the set of all complex
N th roots of unity forms a cyclic group of order N , say N . In other words, every
character on a group G of order N is really just a homomorphism from G to N ,
or equally well, from G into any xed order N cyclic group.
We write X(G) for the set of all characters of G. We can endow X(G) with the
structure of a group: given 1 , 2 X(G), we dene their product pointwise:
g G, (1 2 )(g) := 1 (g)2 (g).

250

B. MORE ON COMMUTATIVE GROUPS

The identity element is the trivial character g 7 1 for all g, and the inverse of
1
is the function 1 : g 7 (g)
. Because for any z C we have zz = |z|2 , if if z is a
root of unity, then the inverse of z is given by its complex conjugate z. It follows
that the inverse of a character is also given by taking complex conjugates:
1
(g) = (g) =
= 1 (g).
(g)
4.2. The Character Extension Lemma.
Most of the content of the entire theory resides in the following result.
Lemma 266. (Character Extension Lemma) Let H be a subgroup of a nite
commutative group G. For any character : H C , there are precisely [G : H]
characters : G C such that |H = .
Proof. The result is clear if H = G, so we may assume there is g G \ H.
Let Hg = g, H be the subgroup generated by H and g. Now we may or may not
have Hg = G, but suppose that we can establish the result for the group Hg and
its subgroup H. Then the general case follows by induction, since for any H G
choose g1 , . . . , gn such that G = H, g1 , . . . , gn . Then we can dene G0 = H and
for 1 i n, Gi = Gi1 , gi . Applying the Lemma in turn to Gi1 as a subgroup
of Gi gives that in all the number of ways to extend the character of H = G0 is
[G1 : G0 ][G2 : G1 ] [Gn : Gn1 ] = [G : G0 ] = [G : H].
So let us now prove that the number of ways to extend from H to Hg = H, g
:= H g. The
is [Hg : H]. For this, let d be the order of g in G, and consider G
is equal to
number of ways to extend a character of H to a character of G
#g = d: such a homomorphism is uniquely specied by the image of (1, g) in
d C , and all d such choices give rise to homomorphisms.
Moreover, there is a surjective homomorphism : H g to Hg : we just take
(h, g i ) 7 hg i . The kernel of is the set of all pairs (h, g i ) such that g i = h. In
other words it is precisely the intersection H g, which has cardinality a divisor
of d, say e. It follows that
#Hg =

#H g
d
= #H,
#H g
e

so
d
.
e
But a homomorphism f : H g C descends to a homomorhpism on the
quotient Hg i it is trivial on the kernel of the quotient map, i.e., is trivial on H g.
In other words, the extensions of to a character of Hg correspond precisely to the
d
number of ways to map the order d element g into C such that g e gets mapped to
d
1. Thus we must map g to a ( e )th root of unity, and conversely all such mappings
induce extensions of . Thus the number of extensions is de = [Hg : H].

[Hg : H] =

Corollary 267. For any nite commutative group G, X(G) is nite and
#X(G) = #G.
Proof. Apply Lemma 266 with H = 1.

4. CHARACTER THEORY OF FINITE ABELIAN GROUPS

251

Corollary 268. For G a nite commmutative group and g G, TFAE:

(i) For every X(G), (g) = 1.
(ii) g is the identity element e of G.
Proof. Certainly (ii) = (i). Conversely, if g = e, then H := g is a
nontrivial cyclic group. By Corollary 267, there exists a nontrivial character of
H. Since g generates H, this implies (g) = 1. Now apply Lemma 266 to extend
to a character of G.

From these results one can deduce that the character group construction behaves
nicely under homomorphisms: suppose f : G H is a homomorphism of nite
commutative groups. Then we can dene a map X(f ) : X(H) X(G) note
well: in the opposite direction! just by taking a character : H C and
precomposing it with f to get a character f : G C .
Proposition 269. Let f : G H be a homomorphism of nite commutative
groups.
a) The induced map X(f ) : X(H) X(G) is a group homomorphism.
b) The homomorphism f is injective the homomorphism X(f ) is surjective.
c) The homomorphism f is surjective the homomorphism X(f ) is injective.
Proof. Part a) is a straightforward verication which we leave to the reader.
b) Assume rst that f is injective. We may as well assume then that G is a
subgroup of H and f = is the inclusion map. Then the induced homomorphism
X() : X(H) X(G) is nothing else than the map which restricts a character of
H to a character of the subgroup G; that this restriction map is surjective is an
immediate consequence of Lemma 266. Inversely, assume that f is not injective,
so that there exists e = g G such that f (g) = e H. By Corollary 268, there
exists a character : G C such that (g) = 1. But then for any character
: H C , we have
( f )(g) = (e) = 1,
which shows that f = , i.e., is not in the image of X(f ).
c) By the Character Extension Lemma, there are precisely [H : f (G)] characters
on H which are trivial on f (G). Therefore f is surjective i a character on H
for which f is trivial is necessarily itself trivial.

4.3. Orthogonality relations.
Theorem 270. Let G be a nite abelian group,
with character group G.
a) For any nontrivial character X(G), we have gG (g) = 0.

b) For any nontrivial element g of G, we have X(G) (g) = 0.

Proof. a) Put
(61)

S=

(g).

gG

Since is nontrivial, there exists g0 G such that (g0 ) = 1. Multiplying both

sides of (61) by (g0 ), we get

(g0 )S =
(g)(g0 ) =
(gg0 ) =
(g) = S;
gG

gG

gG

252

B. MORE ON COMMUTATIVE GROUPS

the penultimate equality holds because, as g runs through all elements of G, so

does g0 . Therefore we have
((g0 ) 1) S = 0.
Since (g0 ) = 1, we must have S = 0.
b) If g = e, then by Corollary 268 there is a character such that (g) = 1, and
then the argument is identical to part a).1

Let us explain why these are called orthogonality relations. Consider the set CG of
all functions f : G C. Under pointwise addition and scalar multiplication, CG is
a C-vector space of dimension #G. We dene a Hermitian inner product on CG by
1
f (x)g(x).
f, g :=
#G
xG

Now let 1 and 2 be characters of G. If 1 = 2 , then we have

1
1 , 1 =
|1 (x)|2 = 1,
#G
xG

whereas if 1 = 2 , then

1 1
2

is nontrivial, and then Theorem 270 gives

1
1 , 2 =
(1 1
2 )(x) = 0.
#G
xG

In other words, the set X(G) of characters of G is orthonormal with respect to the
given inner product. In particular, the subset X(G) of CG is linearly independent.
Since its cardinality, #G, is equal to the dimension of CG , we conclude:
Corollary 271. Let G be a nite commutative group, and let CG be the Cvector space of all functions from G to C, endowed with the inner product
1
f, g =
f (x)g(x).
#G
xG

Then the set of characters of G forms an orthonormal basis with respect to , .

Therefore, any function f : G C can be expressed as a unique linear combination
of characters. Explicitly:

f=
f, .
X(G)

This can be viewed as the simplest possible case of a Fourier inversion formula.
4.4. The canonical and illicit isomorphism theorems; Pontrjagin duality.
In the course of study of nite commutative groups, one sees that subgroups and
quotient groups have many similar properties. For instance, subgroups of cyclic
groups are cyclic, and also quotients of cyclic groups are cyclic. Moreover, a cyclic
group of order n has a unique subgroup of every order dividing n and no other
subgroups, and the same is true for its quotients. If one plays around for a bit with
nite commutative groups, one eventually suspects the following result:
1Alternately, using the canonical isomorphism G X(X(G)) described in the next section,
=
one can literally deduce part b) from part a).

4. CHARACTER THEORY OF FINITE ABELIAN GROUPS

253

Theorem 272. Let G and H be nite commutative groups. Then TFAE:

(i) H can be realized as a subgroup of G: an injective homomorphism H G.
(ii) H can be realized as a quotient of G: a surjective homomorphism G H.
There is a certain resemblance between Theorem 272 and Proposition 269, but
they are not the same. Proposition 269 asserts that if there is an injection H G,
there is a surjection X(G) X(H) (and similarly with injection and surjection interchanged). To deduce Theorem 272 from Proposition 269, one needs the
following:
Theorem 273. (Illicit Isomorphism Theorem) Any nite commutative group
G is isomorphic to its chracter group X(G).
Some cases of Theorem 273 are easy to establish. For instance, since G and X(G)
have the same order, they must be isomorphic whenever #G is prime. Further, to
give a character on a cyclic group of order N it suces to send a xed generator
to any N th root of unity in C. More precisely, choosing a generator of an abstract
cyclic group G order N amounts to choosing an isomorphism of G with Z/N Z (we
send the generator to 1 (mod N )). And the characters on Z/N Z are all obtained
by exponentiation: for any c Z/N Z, there is a unique character a such that
c (1) = e2ic/N
and therefore for any b Z/N Z
c (b) = e2icb/N .
It is immediate to check that c c = c+c , where addition is taken mod N . Thus

we get a canonical isomorphism X(Z/N Z) Z/N Z.

Moreover, if G1 and G2 are nite commutative groups, then in a natural way
X(G1 G2 ) = X(G1 ) X(G2 );
again we leave the details to the interested reader. Of course the analogous identity
for products of any nite number of groups follows by induction.
Combining these observations, it follows that G
= X(G) for any nite commutative group G of the form Zn1 . . . Znk , i.e., for any direct product of cyclic
groups. Is this enough to prove Theorem 273? Indeed it is, because of the following:
Theorem 274. (Fundamental theorem on nite commutative groups) Let G be
a nite commutative group.
a) There exist prime powers pa1 1 , . . . , par r (we allow pi = pj for i = j) such that
G
= Zpa1 1 . . . Zpar r ,
i.e., G is a direct product of nite cyclic groups of prime power order.
b) Moreover, this decomposition is essentially unique in the following (familiar)
sense: if also we have
G
= Zqb1 . . . Zqsbs ,
1

then r = s and there exists a bijection : {1, . . . , r} {1 . . . s} such that for all
1 i r, q(i) = pi and b(i) = ai .

254

B. MORE ON COMMUTATIVE GROUPS

Now please bear with me while I make a few possibly confusing remarks about why
I have labelled Theorem 273 the illicit isomorphism theorem. In some sense it is
lucky that G
= X(G), in that it is not part of the general meaning of duality
that an object be isomorphic to its dual object. Rather, what one has in much
more generality is a canonical injection from an object to its double dual. Here,
this means the following: we can construct a canonical map G X(X(G)). In
other words, given an element g in G, we want to dene a character, say g, on the
character group, i.e., a homomorphism X(G) C . This may sound complicated
at rst, but in fact there is a very easy way to do this: dene g := (g)! It is no
problem to check that the association g 7 g is a homomorphism of nite abelian
groups. Moreover, suppose that for any xed g G the map g were trivial: that
means that for all X(G), (g) = 1. Applying Corollary 268, we get that g = 1.
Therefore this map
: G X(X(G))
is an injective homomorphism between nite abelian groups. Moreover,
#X(X(G)) = #X(G) = #G,
so it is an injective homomorphism between nite groups of the same order, and
therefore it must be an isomorphism.
In order to write down the isomorphism , we did not have to make any choices.
There is a precise sense in which the isomorphism to the double dual is canonical
and any isomorphism between G and X(G) is noncanonical, but explanining this
involves the use of category theory so is not appropriate here. More interesting is to
remark that there is a vastly more general class of commutative groups G for which
X(G) is dened in such a way as to render true all of the results we have proved here
except the illicit isomorphism theorem: we need not have G
= X(G). For this we
take G to be a commutative group endowed with a topology which makes it locally
compact Hausdor. Any commutative group G can be endowed with the discrete
topology, which gives many examples. For a nite group the discrete topology is the
only Hausdor topology, so this is certainly the right choice, but an innite group
may or may not carry other interesting locally compact topologies. Some examples:
Example 1: The integers Z: here we do want the discrete topology.
Example 2: The additive group (R, +) with its usual Euclidean topology: this
is a locally compact group which is neither discrete nor compact. More generally, one can take (Rn , +) (and in fact, if G1 and G2 are any two locally compact
commutative groups, then so is G1 G2 when endowed with the product topology).
Example 3: The multiplicative group C of the complex numbers is again locally compact but neither discrete nor compact, but it is closer to being compact
then the additive group C
= R2 . In fact, considering polar coordinates gives an
isomorphism of topological groups C
= R>0 S 1 , where S 1 is the unit circle.
Moreover, the logarithm function shows that R>0 is isomorphic as a topological
group to (R, +), so all in all C
= (R, +) S 1 . Note that S 1 , the circle group, is
itself a very interesting example.

4. CHARACTER THEORY OF FINITE ABELIAN GROUPS

255

Now, given any locally compact commutative group G, one denes the Pontrjagin
dual group X(G), which is the group of all continuous group homomorphisms
from G to the circle group S 1 . Moreover, X(G) can be endowed with a natural
topology.2 Again, one has a natural map G X(X(G)) which turns out to be an
isomorphism in all cases.
If G is a nite, discrete commutative group, then as we saw, any homomorphism
to C lands in S 1 (and indeed, the countable subgroup of S 1 consisting of all roots
of unity) anyway; moreover, by discreteness every homomorphism is continuous.
Thus X(G) in this new sense agrees with the character group we have dened. But
for innite groups Pontrjagin duality is much more interesting: it turns out that
G is compact i X(G) is discrete.3 Since a topological space is both compact and
discrete i it is nite, we conclude that a topological group G which is innite and
either discrete or compact cannot be isomorphic to its Pontrjagin dual.
It is easy to see that Hom(Z, S 1 ) = S 1 , which according to the general theory
implies Hom(S 1 , S 1 ) = Z: the discrete group Z and the compact circle group S 1
are mutually dual. This is the theoretical underpinning of Fourier series.
However, if G is neither discrete nor compact, then the same holds for X(G),
so there is at least a ghting chance for G to be isomorphic to X(G). Indeed this
happens for R: Hom(R, S 1 ) = R, where we send x R to the character t 7 e2itx .
This is the theoretical underpinning of the Fourier transform.
Another sense in which the isomorphism between G and X(G) for a nite commutative group G is illicit is that turns out not to be necessary in the standard
number-theoretic applications. A perusal of elementary number theory texts reveals that careful authors take it as a sort of badge of honor to avoid using the
illicit isomorphism, even if it makes the proofs a bit longer. For example, the most
natural analysis of the group structure of (Z/2a Z) for a 3 would consist in
showing: (i) the group has order 2a1 ; (ii) it has a cyclic subgroup of order 2a2 ;
(iii) it has a noncyclic quotient so is itself not cyclic. Applying Theorem 274 one
can immediately conclude that it must be isomorphic to Z2a2 Z2 . In our work
in Handout 9.5, however, we show the isomorphism by direct means.
This was rst drawn to my attention by a close reading of J.-P. Serres text
[Se73] in which the illicit isomorphism is never used. Following Serre, our main
application of character groups namely the proof of Dirichlets theorem on primes
in arihtmetic progressions uses only #X(G) = #G, but not X(G)
= G.
However, to my mind, avoiding the proof of Theorem 274 gives a misleading impression of the diculty of the result.4 On the other hand, Theorem 274 evidently
has some commonalities with the fundamental theorem of arithmetic, which makes
2If you happen to know something about topologies on spaces of functions, then you know

that there is one particular topology that always has nice properties, namely the compact-open
topology. That is indeed the correct topology here.
3Similarly, G is discrete i X(G) is compact; this follows from the previous statement together
with G
= X(X(G)).
4The real reason it is often omitted in such treatments is that the authors know that they
will be giving a more general treatment of the structure theory nitely generated modules over a
principal ideal domain, of which the theory of nite commutative groups is a very special case.

256

B. MORE ON COMMUTATIVE GROUPS

it somewhat desirable to see the proof. In the next section we provide such a proof,
which is not in any sense required reading.
5. Proof of the Fundamental Theorem on Finite Commutative Groups
First some terminology: Let G be a commutative group, written multiplicatively.
If #G = pa is a prime power, we say G is a p-group.
For n Z+ , we put G[n] = {x G | xn = 1}. This is a subgroup of G.
We say that two H1 , H2 subgroups of G are complementary if H1 H2 = {1},
H1 H2 = G. In other words, every element g of G can be uniquely expressed in
the form h1 h2 , with hi Hi . In yet other (equivalent) words, this means precisely
that the homomorphism H1 H2 G, (h1 , h2 ) 7 h1 h2 is an isomorphism. We
say that a subgroup H is a direct factor of G if there exists H such that H, H
are complementary subgroups. Thus, in order to prove part a) it suces to show
that every nite commutative group has a nontrivial direct factor which is cyclic of
prime power order; and in order to prove part b) it suces (but is much harder!)
to show that if G
= H .
= H H then H
= H H
More generally if we have a nite set {H1 , . . . , Hr } of subgroups of G such that
Hi Hj = {1} for all i = j and G = H1 Hr , we say that the Hi s form a set of
complementary subgroups and that each Hi is a direct factor. In such a circumstance we have G
= H1 . . . Hr .
We now begin the proof of Theorem 274.
Step 1 (primary decomposition): For any commutative group G, let Gp be the

set of elements of G whose order is a power of p. Also let Gp be the set of elements

of G whose order is prime to p. It follows from Theorem 264b) that Gp and Gp are

both subgroups of G. We claim that Gp and Gp are complementary subgroups.

Certainly Gp Gp = {e}, since any element of the intersection would have both
order a power of p and relatively prime to p and thus have order 1 and be the
identity. On the other hand, let x be any element of G, and write its order as pk b
with gcd(p, b) = 1. Thus we can choose i and j such that ipk + jb = 1, and then
k
k
k
x = x1 = xip +jb = (xp )i (xb )j , and by Proposition 260 the order of (xp )i divides
b (so is prime to p) and the order of (xb )j divides pk . This proves the claim. Now
a simple induction argument gives the following:
Proposition 275. Let G be a nite abelian group, of order n = pa1 1 par r .
Then {Gpi }ri=1 forms a set of complementary subgroups, and the canonical map
H1 . . . Hr G, (h1 , . . . , hr ) 7 h1 hr is an isomorphism.
Thus any nite commutative group can be decomposed, in a unique way, into a direct product of nite commutative groups of prime power order. We may therefore
assume that G is a commutative p-group from now on.
Step 2: We prove a renement of Theorem 262 for commutative p-groups.

5. PROOF OF THE FUNDAMENTAL THEOREM ON FINITE COMMUTATIVE GROUPS257

Proposition 276. Let p be a prime and G be a nite commutative group of

order pa for some a Z+ . TFAE:
(i) G has exactly p elements of order p.
(ii) G is cyclic.
Proof. We already know that (ii) = (i), of course. Assume (i); the natural
strategy is to appeal to our cyclicity criterion Theorem 262. In this case we wish to
show that for any 0 < k a, there are at most pk elements of G of order dividing
pk . We accomplish this by induction (!); the case of k = 1 is our hypothesis, so
assume that for all 1 < k the number of elements of order dividing p in G is
at most p and we wish to show that the number of element of order dividing pk is
at most pk . For this, consider the endomorphism
: G[pk ] G[pk ], x 7 xp

k1

k1

Now the kernel of is precisely G[p

], which we have inductively assumed has
order at most pk1 . If the order of G[pk ] exceeds pk , then since
G[pk ]/ Ker(),
(G[pk ]) =
we would have #(G[pk ]) > p. But by Proposition 260 the image of consists
entirely of elements of order dividing p, contradiction.

Step 3:
Proposition 277. Let G be a nite commutative p-group, and let pa be the
maximum order of an element of G. Then every cyclic subgroup C of order pa is a
direct factor of G: there exists a complementary subgroup H, giving an isomorphism
G
= C H.
Proof. The result holds vacuously for commutative groups of order p. Assume
that it holds for all commutative groups of order pk for k < a, and suppose we have
G = pa , x an element of maximal order in G and C = x If the order of x is
pa , then G = C is cyclic and the conclusion again holds trivially. Otherwise, by
Proposition 276, there exists an order p subgroup K of G not contained in C, so
C K = {e}. Then the cyclic subgroup (C + K)/K has maximal order in G/K;
by induction there exists a complementary subgroup H of G/K, i.e., a subgroup
H containing K such that (C + K) H = K, (C + K) H = G. It follows that
H C K C = {e} and C H = G, so C and H are complementary subgroups. 
We may now deduce Theorem 274a) from Proposition 277. Indeed, given any nite
p-group G we choose an element x of maximum order pa , which generates a cyclic
subgroup C of maximum order, which according to Proposition 277 has a complementary subgroup H and thus G
= Zpr
= H. Applying the same procedure to
H, eventually we will express G as a product of nite cyclic groups of p-power order.
Step 4: Finally we address the uniqueness of the decomposition of a commutative p-group into a direct product of cyclic groups.5 Suppose we have
G
= Zpa1 . . . Zpar
= Zpb1 . . . Zpbs .
We may assume that a1 . . . ar and b1 . . . bs , and we wish to prove
that r = s and ai = bi for all i. We may also inductively assume the uniqueness
5This part of the proof follows [Su95].

258

B. MORE ON COMMUTATIVE GROUPS

statement for commutative p-groups of smaller order than G. Now let : G G

be x 7 xp . Then we have
(G)
= Zpa1 1 . . . Zpar 1
= Zpb1 1 . . . Zpbs 1 .
Since #(G) < #G, by induction the two decompositions are unique, the only
proviso being that if an exponent ci is equal to 1, then Zpci 1 is the trivial group,
which we do not allow in a direct factor decomposition. Therefore suppose that k
is such that ai = 1 for all i > k and l is such that bj = 1 for all j > l. Then we get
k = l and ai = bi for all 1 i k. But now we have
prk =

#G
#G
= b1 +...+b = psk ,
k
pa1 +...+ak
p

so we conclude r = s and thus ai = bi for 1 i r.

It is interesting to ask which of the steps go through for a group which is innite, non-commutative or both.
Step 1 fails in a non-commutative group: the elements of p-power order need not
form a subgroup. For instance, the symmetric group Sn is generated by transpositions. In any commutative group one can dene the subgroups Gp for primes p, and
they are always pairwise disjoint. The subgroup they generate is called the torsion
subgroup of G and often denoted G[tors]: it consists of all elements of nite order.
Step 2 fails for noncommutative nite p-groups: The quaternion group Q8 =
{1, i, j, k} is a noncyclic group of order 8 = 23 = p3 which has exactly
p = 2 elements of order dividing p. It is false for all innite abelian groups, since
an innite group can only be cyclic if its torsion subgroup is trivial.
Step 3 fails for nite noncommutative groups: again Q8 is a counterexample.
As for Step 4, one may ask the following
Question 9. Suppose we have three groups H, G1 , G2 such that H G1
=
H G2 . Must it then be the case that G1
= G2 ?
Without any restrictions the answer to this question is negative. For instance, one
can take H = G1 = (R, +), G2 = 0, and note that R R
= R as Q-vector spaces,
hence as commutative groups. On the other hand:
Theorem 278. (Remak-Krull-Schmidt) If H, G1 and G2 are all nite groups,
then indeed H G1
= H G2 implies G1
= G2 .
A group G is indecomposable if it is not isomorphic to H1 H2 with H1 and H2
both nonzero. By Theorem 274, a nite commutative group is indecomposable i
it is cyclic of prime power order. Any nite group can be written as a product of
indecomposable groups. Using Theorem 278 it can be shown that if
G
= H1 . . . Hr = K 1 . . . K s ,
where each Hi and Kj are indecomposable (nontrivial) groups, then r = s and there
exists a bijection : {1, . . . , r} {1, . . . , r} such that Ki
= H(i) for 1 i r.

6. WILSONS THEOREM IN A FINITE COMMUTATIVE GROUP

259

6. Wilsons Theorem in a Finite Commutative Group

Here is one of the classic theorems of elementary number theory.
Theorem 279. (Wilsons Theorem) For an odd prime p, (p1)! 1 (mod p).
Remark: The converse of Wilsons Theorem also holds: if for some integer n > 1
we have (n 1)! 1 (mod n), then n is prime. In fact it can be shown that for all
composite n > 4, n | (n 1)! (exercise).
Most of the standard proofs involve starting with an elementary group-theoretic
fact and then recasting it to avoid group-theoretic language to a greater or lesser
extent. Since this handout is meant to be a comprehensive guide to nite commutative groups, we may as well give the argument in its proper language.
For a nite group G, let d2 (G) be the number of order 2 elements in G.
Theorem 280. (Wilsons Theorem in a Finite Commutative
Group)

Let (G, +) be a nite commutative group, and let S = xG x. Then:

a) If d2 (G) = 1, then S = 0.
b) If d2 (G) = 1 so that G has a unique element, say t, of order 2 then d2 (G) = t.
Proof. We set

G[2] = {x G | 2x = 0}.
Every nonzero element of G[2] has order 2, so by Theorem 274, G[2]
= Z2 . . .
Z2 = Z2k , a direct product of copies of the cyclic group of order 2.6
Consider the involution : G G given by x 7 x. The xed points of
i.e., the elements x G such that (x) = x are precisely the elements of
G[2].
Thus the elements of G \ G[2]
occur inpairs of distinct elements x, x, so

xG[2] x, and we are reduced to the

xG x =
xG\G[2] x = 0. In other words,
case G[2]
= Z2k .
Case 1: k = 0, i.e., G[2] = 0. Then

x = 0.
x=
xG[2]

x{0}

Moreover, in this case d2 (G) = 0, in agreement with the statement of the theorem.
Case 2: k = 1, i.e., G[2] = Z2 . Then

x=
x = 0 + 1 = 1,
xG[2]

xZ2

where 1 is the unique element of order 2 in Z2

= G[2] (and thus also the unique
element of order 2 in G). Again, this agrees with the statement
of the theorem.
Case 3: k 2. Then d2 (G) 3, so we wish to show S = xZ k x = 0. For each
2
1 i k, half of the elements of Z2k have ith coordinate 0 Z2 ; the other half
have ith coordinate 1 Z2 . So the sum of the ith coordinates of the elements of Z2k
is 2k /2 = 2k1 = 0 Z2 , since k 2: every coordinate of S equals 0, so S = 0. 
6Invocation of Theorem 274 is overkill here: any 2-torsion commutative group admits the
unique structure of a vector space over the eld F2 with 2 elements. Being nite, G[2] is certainly
nite-dimensional over F2 , so is isomorphic as a vector space hence a fortiori as an additive
group to Fn
2.

260

B. MORE ON COMMUTATIVE GROUPS

Lemma 281. a) Let G1 , . . . , Gr be commutative groups. Then

)
( r
r

Gi [2].
Gi [2] =
i=1

i=1

r
r
b) If G1 , . . . , Gr are nite, then d2 ( i=1 Gi ) = i=1 d2 (Gi ).

r
Proof. a) More generally, consider any x = (x1 , . . . , xn ) i=1 Gi . Then
the order of x is the lcm of the orders of the components xi . Further, the lcm of a
nite set of numbers divides 2 i each number in the set divides 2.
b) This follows immediately from part a).


We now show that Theorem 280 implies Theorem 279. Let F be a nite eld.
We take G = F , the multiplicative group of nonzero elements of F.7 Now x
G[2] x2 = 1, and the polynomial t2 1 has exactly two roots in any eld of
characteristic dierent from 2 and exactly one root in any eld of characteristic 2.
So d2 (F ) is equal to 1 if #F is odd and equal to 0 if #F is even. Thus:

Corollary 282. Let F be a nite eld, put P = xF x. Then:

a) If #F is even, then P = 1.
b) If #F is odd, then P is the unique element of order 2 in F , namely 1.
So for any odd prime p, the second case holds for the eld Z/pZ: Wilsons Theorem.
As we mentioned above, Wilsons Theorem construed as a statement about the
product of all residue classes from 1 up to n 1 modulo n holds exactly when n is
prime. On the other hand, for composite n we may still apply Theorem 280 to the
nite commutative group U (n) = (Z/nZ) .
Theorem 283. (Gauss) Let n > 2 be an integer, and
let U (n) be the multiplicative group of units of the nite ring Z/nZ. Put P = xU (n) x. Then:
a) We always have P = 1 (mod n).
b) More precisely: P = 1 (mod n) if and only if n is 4, an odd prime power pb ,
or twice an odd prime power 2pb .
Proof. a) For n > 2, 1 (mod n) is an element of order 2 in U (n); applying
Theorem 280 to G = U (n), we get P = 1: further, P = 1 if 1 is the only order
2 element of U (n), and P = 1 if there is a further element of order 2.
b) Let n = 2a pb11 pbrr with p1 < . . . < pr odd prime numbers, a N and
b1 , . . . , br Z+ . By the Chinese Remainder Theorem,
U (n)
= U (2a )

U (pbi i ).

i=1

Case 1: r = 0, a = 2. Then U (4) is cyclic of order 2, so d2 (U (4)) = 1 and P = 1.

Case 2: a 3. Then U (2a ) U (n), and U (n) = U (2a )
= Z2a2 Z2 , so by Lemma
281, d2 (U (2a )) = 4. Thus d2 (U (n)) 4 and P = 1.
Case 3: a 1 and r = 1, i.e., n = pb or n = 2pb for an odd prime power pb . The
groups U (1) and U (2) are trivial, so U (n)
= U (pn ). By Theorem 22, U (pn ) is cyclic
7We are now talking about multiplicative groups rather than additive groups. It makes no
mathematical dierence, of course, but the reader may wish to pause to reorient to the new
notation.

6. WILSONS THEOREM IN A FINITE COMMUTATIVE GROUP

261

of even order, so d2 (U (n)) = 1 and P = 1.

Case 4: Suppose r 2. Then U (pb1 ) U (pb2 ) U (n), so
d2 (U (n)) d2 (U (pb1 ) U (pb2 )) = d2 (U (pb1 )) d2 (U (pb2 )) = 4.
Thus P = 1.

After this section was rst written, I found a closely related paper of the early
American group theorist George Abram Miller [Mi03]. In particular Miller proves
Theorem 280 (with a very similar proof) and applies it to prove Theorem 283. That
this result was rst stated and proved by Gauss is not mentioned in Millers paper,
but its title suggests that he may have been aware of this.

APPENDIX C

More on Polynomials
1. Polynomial Rings
Let k be a eld, and consider the univariate polynomial ring k[t].
Theorem 284. The ring k[t] is a PID and hence a UFD.
Proof. In fact the argument is very close to the one we used to show that Z
is a PID. Namely, let I be an ideal of k[t]: we may assume that I = 0. Let b be a
nonzero element of I of minimal degree: we claim that I = a. Indeed, let a be
any element of I. By polynomial division (this is the key!), there are q, r k[t] such
that a = qb + r and deg r < deg b. Since a, b I, r = a qb I. Since deg r < deg b
and b has minimal degree among nonzero elements of I, we must have r = 0, and
thus a = qb and a b. Thus k[t] is a PID and hence also a UFD.

Polynomial dierentiation: When k = R, every polyomial f R[t] can be
viewed as a dierentiable function f : R R, and indeed the derivative f is again
a polynomial. Although the derivative is dened by a limiting process, when restricted to polynomials it is characterized by the following two properties:
(P1): f 7 f is an R-linear map: for all , R and all polynomials f, g,
(f + g) = f + g .
(P2): 1 = 0, and for all n Z+ , (tn ) = ntn1 .
Indeed, the set {1, tn | n Z+ } is a basis for the R-vector space R[t], and since
dierentiation is linear, it is entirely determined by its action on this basis.
Now let k be any eld. It is still true that {1, tn | n Z+ } is a k-basis for k[t], so
there is a unique k-linear endomorphism of k[t] dened by 1 = 0 and (tn ) = ntn1 .
We continue to call the operator f 7 f dierentiation and refer to f as the derivative of f , despite the fact that there are no limits here: it is purely algebraic.
Exercise: Show that for any eld k, polynomial dierentiation satises the product rule: for all f, g k[t], (f g) = f g + f g .
Exercise: Compute the kernel of dierentiation as a linear endomorphism of k[t].
In more concrete terms, nd all polynomials f k[t] such that f = 0. (Hint: the
answer strongly depends on the characteristic of k.)
We say a polynomial f k[t] is separable if gcd(f, f ) = 1.
Proposition 285. A separable polynomial is squarefree.
263

264

C. MORE ON POLYNOMIALS

Proof. By contraposition: suppose f = gh2 for a polynomial h of positive

degree. Then f = (gh2 ) = g h2 + g(2hh ) = h(g h + 2gh ). It follows that h is a
common divisor of f and f , so f is not separable.

Exercise: Let k be a eld of characteristic p > 0, and let K = k(x) be the eld of
rational functions with coecients in k. Consider the polynomial f = tp x K[t].
a) Show that f is squarefree.
b) Show that f is not separable.
As the previous exercise shows, the converse of Proposition 285 is not generally
valid: a squarefree polynomial need not be separable. Of course the counterexample took place over a rather exotic eld. In fact for most of the elds one meets in
undergraduate mathematics (and, in particular, in this text) it turns out that all
squarefree polynomials are separable. Technically speaking, this holds for polynomials over a eld k i k is perfect. The class of perfect elds includes all elds of
characteristic zero and all nite elds.
2. Finite Fields
Proposition 286. Let F be a nite eld. Then #F = pa for some prime
number p and some positive integer a.
Proof. Since F is nite, the elements, 1, 1 + 1, 1 + 1 + 1, . . . , 1 + + 1 cannot
all be distinct. Thus the characteristic of F must be positive and then necessarily
a prime number p. That is, the subeld of F generated by 1 may be identied with
Fp = Z/pZ. Then F is a nite-dimensional vector space over Fp . Let e1 , . . . , ea be
a basis for F over Fp . Then every element of F has a unique expression of the form
1 e1 + . . . + a ea with 1 , . . . , a Fp , and it follows that #F = pa .

Exercise: Let p be a prime number, and let R be a commutative ring with #R = p.
Show that R
= Z/pZ.
The fundamental result on nite elds is the following one.
Theorem 287. Let p be a prime number, a a positive integer, and put q = pa .
a) There is a nite eld F with #F = q.
b) Any two nite elds with the same cardinality are isomorphic.
In view of Theorem 287, for any prime power q we may speak of the nite eld
Fq of order q.1
The proof of Theorem 287 is relatively easy if one has at hand a basic concept
in eld theory, that of a splitting eld for a polynomial f . Then the existence of
a
Fpa follows from the existence of a splitting eld for the polynomial f (t) = tp t
over the eld Fp , and the fact that any two nite elds of the same order are isomorphic follows from the uniqueness of splitting elds. Here we will give a more
concrete proof of Theorem 287a). In fact we will do better: given any nite eld
F, we will give a formula for the number of degree a monic irreducible polynomials
with coecients in F. This argument is done in two steps. The rst step is a piece
of pure eld theory; in the second step we apply Mobius Inversion.
1To be honest it is slightly sloppy to speak in this way, since F is only unique up to isomorq
phism. But this sloppiness is very standard, and, especially for our purposes, absolutely harmless.

2. FINITE FIELDS

265

Lemma 288. Let a, b, x Z+ with x > 1. The following are equivalent:

(i) a | b.
(ii) xa 1 | xb 1.
Proof. Write b = qa + r with 0 r < a.
(i) = (ii): If a | b, then r = 0 and
xb 1 = (xa )q 1 = (xa 1)(1 + xa + . . . + (xa )q1 ).
(ii) = (i): We have
xb 1 = xb xr + xr 1 = xr (xaq 1) + xr 1.
By (i) = (ii) we know that xa 1 | xaq 1. By assumption xa 1 | xb 1, so
we conclude xa 1 | xr 1. Since r < a, if r > 0 wed have xa 1 > xr 1 > 0,
contradiction. So r = 0 and a | b.

Theorem 289. Let F be a nite eld of order q, let a Z+ , and consider
a
f = tq t F[t]. Then f is squarefree, and its factors are precisely the monic
irreducible polynomials P F[t] of degree dividing a.
Proof. Step 1: We have f = q a tq 1 1 = 1, since F has characteristic p.
By Proposition 285, f is squarefree. Since f is monic, it is therefore a product of
distinct monic irreducible polynomials, and our task is now to show that a monic
a
irreducible polynomial P divides f = tq t i deg P | a.
Step 2: For an irreducible polynomial P , put FP = F[t]/(P ), a eld extension of
a
degree d = deg P . Then P | f tq t = 0 FP . Since t generates FP over
a
a
F, if tq = t, then every element x FP satises xq = x, or equivalently every
a
d
nonzero element of FP has order dividing q 1. Since F
p is cyclic of order q 1,
this holds i q d 1 | q a 1 i (by Lemma 288) d | a.

a

Theorem 290. Let F be a nite eld of order q, and let n Z+ . The number
of monic irreducible polynomials of degree n with coecients in Fq is
1 d (n)
q
(62)
I(F, n) =
.
n
d
d|n

Proof. For any d Z , let I(F, d) be the number of monic irreducible degree
n
d polynomials with F-coecients. Let n Z+ . Then since tq t is the squarefree
product of all monic irreducible polynomials of degrees d | n, equating degrees gives

dI(F, d) = q n .
+

d|n

Applying Mobius Inversion, we get

nI(F, n) =

d|n

Dividing both sides by n we get (62).

qd

(n)
d

.


Corollary 291. a) For any nite eld F and any n Z+ , there is at least
one irreducible polynomial of degree n with F-coecients.
b) For every prime power q = pa , there is a nite eld F of order q.

266

C. MORE ON POLYNOMIALS

Proof. a) Theorem 290 gives us an expression for the number of monic irreducible polynomials of degree n with F-coecients. By making some very crude
estimates we can quickly see that this quantity is always positive. Indeed:
1 d (n)
1
I(F, n) =
q
(q n (q n1 + . . . + q + 1))
n
d
n
d|n
(
)
1
qn 1
1
1
=
qn
(q n (q n 1)) = > 0.
n
q1
n
n
b) By part a), there is a degree a irreducible polynomial f with Fp -coecients.
Then Fp [t]/(f ) is a nite eld of order pa .

Exercise: Try to extract from (62) more realistic estimates on the size of I(F, n).

Bibliography
[A1]
[A2]
[AD93]

[Al99]
[An57]
[AT92]
[Au12]
[Ax64]
[BR89]
[Ba11]
[BC12]
[Bh00]

[BHxx]
[Bl14]
[BR51]
[BTxx]
[CaGN]
[CaQF]
[CE59]
[Ch36]
[Cl94]
[Cl09]
[Cl21]
[CM98]
[Cox]

Apostol, Tom M. Introduction to analytic number theory. Undergraduate Texts in

Mathematics. Springer-Verlag, New York-Heidelberg, 1976.
Apostol, Tom M. Modular functions and Dirichlet series in number theory. Second
edition. Graduate Texts in Mathematics, 41. Springer-Verlag, New York, 1990.
N. Alon and M. Dubiner, Zero-sum sets of prescribed size. Combinatorics, Paul Erd
os
is eighty, Vol. 1, 33-50, Bolyai Soc. Math. Stud., Jnos Bolyai Math. Soc., Budapest,
1993.
N. Alon, Combinatorial Nullstellensatz. Recent trends in combinatorics (M
atrah
aza,
1995). Combin. Probab. Comput. 8 (1999), 7-29.
N.C. Ankeny, Sums of three squares. Proc. Amer. Math. Soc. 8 (1957), 316-319.
N. Alon and M. Tarsi Colorings and orientations of graphs. Combinatorica 12 (1992),
125134.
L. Aubry, Sphinx-dipe 7 (1912), 8184.
J. Ax, Zeroes of polynomials over nite elds. Amer. J. Math. 86 (1964), 255-261.
C. Bailey and R.B. Richter, Sum zero (mod n), size n subsets of integers. Amer. Math.
Monthly 96 (1989), 2400-242.
M. Baker, Zolotarevs magical proof of the law of quadratic reciprocity. 2011
A. Brunyate and P.L. Clark, Quadratic reciprocity in abstract number rings, submitted
for publication.
M. Bhargava, On the Conway-Schneeberger fteen theorem. Quadratic forms and their
applications (Dublin, 1999), 2737, Contemp. Math., 272, Amer. Math. Soc., Providence,
RI, 2000.
M. Bhargava and J.P. Hanke, Universal quadratic forms and the 290-theorem, to appear
in Invent. Math.
H.F. Blichfeldt, A new principle in the geometry of numbers, with some applications.
Trans. Amer. Math. Soc. 15 (1914), 227-235.
A. Brauer and R.L. Reynolds, On a theorem of Aubry-Thue. Canadian J. Math. 3
(1951), 367-374.
D.G. Best and T.S. Trudgian, Linear relations of zeroes of the zeta-function. To appear
in Mathematics of Computation.
J.W.S. Cassels, An introduction to the geometry of numbers [corrected reprint of the
1971 edition]. Classics in Mathematics. Berlin: Springer-Verlag; 1997.
J.W.S. Cassels, Rational quadratic forms. London: Academic Press; 1978.
E.D. Cashwell and C.J. Everett, The ring of number-theoretic functions. Pacic J.
Math. 9 (1959) 975985.
C. Chevalley, D
emonstration dune hypoth`
ese de M. Artin. Abh. Math. Sem. Univ.
Hamburg 11 (1936), 73-75.
D.A. Clark, A quadratic eld which is Euclidean but not norm-Euclidean. Manuscripta
Math. 83 (1994), no. 3-4, 327330.
P.L. Clark, Elliptic Dedekind domains revisited. Enseignement Math. 55 (2009), 213
225.
P.L. Clark, Euclidean Quadratic Forms and ADC-forms I. Acta Arithmetica 154 (2012),
137159.
T. Cochrane and P. Mitchell, Small solutions of the Legendre equation. J. Number
Theory 70 (1998), 6266. 1998; 70(1):62-66.
D.A. Cox, Primes of the form x2 + ny 2 : Fermat, class eld theory and complex multiplication. New York: John Wiley & Sons, Inc.; 1989.
267

268

BIBLIOGRAPHY

[Coh73] P.M. Cohn, Unique factorization domains. Amer. Math. Monthly 80 (1973), 118.
[Conr-A] K.
Conrad,
Two
applications
of
unique
factorization.
http://www.math.uconn.edu/kconrad/blurbs/ringtheory/ufdapp.pdf
[Conr-B] K. Conrad, Examples of Mordells Equation.
http://www.math.uconn.edu/kconrad/blurbs/gradnumthy/mordelleqn1.pdf
[Con97] J.H. Conway, The sensual (quadratic) form. With the assistance of Francis Y. C. Fung.
Carus Mathematical Monographs, 26. Mathematical Association of America, Washington, DC, 1997.
[Con00] J.H. Conway, Universal quadratic forms and the fteen theorem. Quadratic forms and
their applications (Dublin, 1999), 23-26, Contemp. Math., 272, Amer. Math. Soc., Providence, RI, 2000.
[CS07]
W. Cao and Q. Sun, Improvements upon the Chevalley-Warning-Ax-Katz-type estimates. J. Number Theory 122 (2007), 135-141.
[Dic27]
L.E. Dickson, Integers represented by positive ternary quadratic forms. Bull. Amer.
Math. Soc. 33 (1927), 63-70.
[DH05] W. Duke and K. Hopkins, Quadratic reciprocity in a nite group. Amer. Math. Monthly
112 (2005), no. 3, 251256.
[DV09]
S. Dasgupta and J. Voight, Heegner points and Sylvesters conjecture. Arithmetic geometry, 91102, Clay Math. Proc., 8, Amer. Math. Soc., Providence, RI, 2009.
E. Ehrhrart, Une g
en
eralisation du th
eor`
eme de Minkowski. C. R. Acad. Sci. Paris 240
[Eh55]
(1955), 483-485.
Euclid, The thirteen books of Euclids Elements translated from the text of Heiberg.
[Euc]
Vol. I: Introduction and Books I, II. Vol. II: Books IIIIX. Vol. III: Books XXIII and
Appendix. Translated with introduction and commentary by Thomas L. Heath. 2nd ed.
Dover Publications, Inc., New York, 1956.
[EGZ61] P. Erd
os, A. Ginzburg and A. Ziv, Theorem in the additive number theory. Bull. Research Council Israel 10F (1961), 4143.
[F]
D.E. Flath, Introduction to Number Theory. Wiley-Interscience Publications, 1989.
H. Furstenberg, On the innitude of primes. Amer. Math. Monthly 62 (1955), 353.
[Fu55]
[Go59]
S.W. Golomb, A Connected Topology for the Integers. Amer. Math. Monthly 66 (1959),
663665.
[GC68] I.J. Good and R.F. Churchhouse, The Riemann hypothesis and pseudorandom features
of the M
obius sequence. Math. Comp. 22 (1968), 857861.
[GM84] R. Gupta and M.R. Murty, A remark on Artins conjecture. Invent. Math. 78 (1984),
127-130.
[GPZ]
J. Gebel, A. Peth
o and H.G. Zimmer, On Mordells equation. Compositio Math. 110
(1998), 335-367.
[Hag11] T. Hagedorn, Primes of the form x2 + ny 2 and the geometry of (convenient) numbers,
preprint.
[Ham68] J. Hammer, On some analogies to a theorem of Blichfeldt in the geomety of numbers.
Amer. Math. Monthly 75 (1968), 157160.
[Han04] J.P. Hanke, Local densities and explicit bounds for representability by a quadratric form.
Duke Math. J. 124 (2004), 351-388.
[Har73] H. Harborth, Ein Extremalproblem f
ur Gitterpunkte. Collection of articles dedicated
to Helmut Hasse on his seventy-fth birthday. J. Reine Angew. Math. 262/263 (1973),
356-360.

[Has28] H. Hasse, Uber

eindeutige Zerlegung in Primelemente oder in Primhauptideale in Integrit?tsbereichen. J. reine Angew. Math. 159 (1928), 312.
D.R. Heath-Brown, Artins conjecture for primitive roots. Quart. J. Math. Oxford Ser.
[HB86]
(2) 37 (1986), 27-38.
L. Holzer, Minimal solutions of Diophantine equations. Canadian J. Math. 2 (1950),
[Ho50]
238-244.
[Hu00]
M.N. Huxley, Integer points in plane regions and exponential sums. Number theory,
157-166, Trends Math., Birkh
auser, Basel, 2000.
K. Ireland and M. Rosen, A classical introduction to modern number theory. 2nd ed.
[IR]
New York: Springer-Verlag; 1990.
N.M. Katz, On a theorem of Ax. Amer. J. Math. 93 (1971), 485-499.
[Ka71]

BIBLIOGRAPHY

269

G. K
arolyi, Cauchy-Davenport theorem in group extensions. Enseign. Math. (2) 51
(2005), 239-254.
[Ke83]
A. Kemnitz, On a lattice point problem. Ars Combin. 16 (1983), B, 151-160.
[KvdL04] T. Kotnik and J. van de Lune, On the order of the Mertens function. Experiment.
Math. 13 (2004), 473-481.
H.W. Lenstra, Solving the Pell equation. Notices Amer. Math. Soc. 49 (2002), 182-192.
[Le02]
[Li33]
F.A Lindemann, The Unique Factorization of a Positive Integer. Quart. J. Math. 4,
319-320, 1933.
H. London and R. Finkelstein, On Mordells equation y 2 k = x3 . Bowling Green State
[LF73]
University, Bowling Green, Ohio, 1973.
[Le96]
M. Lerch, Sur un th
eor`
eme de Zolotarev. Bull. Intern. de lAcad. Francois Joseph 3
(1896), 34-37.
[Mar71] C.F. Martin, Unique factorization of arithmetic functions. Aequationes Math. 7 (1971),
211.
[Me09]
I.D. Mercer, On Furstenbergs proof of the innitude of primes. Amer. Math. Monthly
116 (2009), 355-356.
G.A. Miller, A new proof of the generalized Wilsons theorem. Ann. of Math. (2) 4
[Mi03]
(1903), 188190.
[M]
L.J. Mordell, Diophantine equations. Pure and Applied Mathematics, Vol. 30 Academic
Press, London-New York, 1969.
[Mo69]
L.J. Mordell, On the magnitude of the integer solutions of the equation ax2 +by 2 +cz 2 =
0. J. Number Theory 1 (1969), 13.
[Mo79]
P. Morton, A generalization of Zolotarevs theorem. Amer. Math. Monthly 86 (1979),
374-375.
[MT06] M.R. Murty and N. Thain, Prime numbers in certain arithmetic progressions. Funct.
Approx. Comment. Math. 35 (2006), 249-259.
[MT07] M.R. Murty and N. Thain, Picks theorem via Minkowskis theorem. Amer. Math.
Monthly 114 (2007), 732-736.
T. Nagell, Introduction to number theory. 2nd ed. New York: Chelsea Publishing Com[Nag]
pany; 1964.
[Nar]
W. Narkiewicz. Elementary and analytic theory of algebraic numbers. Third edition.
Springer Monographs in Mathematics. Springer-Verlag, Berlin, 2004.
[NZM]
I. Niven, H.S. Zuckerman and H.L. Montgomery. An introduction to the theory of numbers. 5th ed. New York: John Wiley & Sons, Inc.; 1991.
[Nu10]
L.M. Nunley, Geometry of Numbers Approach to Small Solutions of the Extended Legendre Equation. UGA Masters thesis, 2010.
[Ol76]
J.E. Olson, On a combinatorial problem of Erd
os, Ginzburg, and Ziv. J. Number Theory
8 (1976), 52-57.
[OlR85] A.M. Odlyzko and H.J.J. te Riele Disproof of the Mertens conjecture. J. Reine Angew.
Math. 357 (1985), 138-160.
[Pi87]
J. Pintz. An eective disproof of the Mertens conjecture. Ast
erisque 147148 (1987),
325-333.
[Ra17]
Ramanujan, On the expression of a number in the form ax2 + by 2 + cz 2 + du2 ,
Proceedings of the Cambridge Philosophical Society 19(1917), 1121. See also
http://en.wikisource.org/wiki/Proceedings of the Cambridge Philosophical Society
[Re07]
C. Reiher, On Kemnitz conjecture concerning lattice-points in the plane. Ramanujan
J. 13 (2007), 333-337.
[Ro63]
K. Rogers, Classroom notes: Unique Factorization. Amer. Math. Monthly 70 (1963),
547548.
[RS62]
J.B. Rosser and L. Schoenfeld, Approximate formulas for some functions of prime
numbers. Illinois J. Math. 6 (1962), 64-94.
P. Samuel, Unique factorization. Amer. Math. Monthly 75 (1968), 945952.
[Sa68]
[SatR14] Yannick Saouter and H. te Riele, Improved results on the Mertens conjecture. Math.
Comp. 83 (2014), 421-433.
J.-P. Serre, A course in arithmetic. Translated from the French. Graduate Texts in
[Se73]
Mathematics, No. 7. Springer-Verlag, New York-Heidelberg, 1973.
C.L. Siegel, Lectures on the geometry of numbers. Berlin: Springer-Verlag; 1989.
[SiGN]
[K
a05]

270

BIBLIOGRAPHY

H.M. Stark, A complete determination of the complex quadratic elds of class-number

one. Michigan Math. J. 14 1967 127.
[St-ANT] P.
Stevenhagen,
Number
Rings.
Course
notes
available
at
http://websites.math.leidenuniv.nl/algebra/ant.pdf.
[Su95]
D.B. Surowski, The Uniqueness Aspect of the Fundamental Theorem of Finite Abelian
Groups. Amer. Math. Monthly, 102 (1995), 162163.
[Su99]
B. Sury, The Chevalley-Warning theorem and a combinatorial question on nite groups.
Proc. Amer. Math. Soc. 127 (1999), 951-953.
J. J. Sylvester. Mathematical Questions, with their solutions, Educational Times 41
[Sy84]
(1884), 21.
[T]
G. Tenenbaum, Introduction to analytic and probabilistic number theory. Translated
from the second French edition (1995) by C. B. Thomas. Cambridge Studies in Advanced
Mathematics, 46. Cambridge University Press, Cambridge, 1995.
[Tr88]
H.F. Trotter, An overlooked example of nonunique factorization. Amer. Math. Monthly
95 (1988), no. 4, 339342.
[Vi27]
I.M. Vinogradov, On a general theorem concerning the distribution of the residues and
non-residues of powers. Trans. Amer. Math. Soc. 29 (1927), 209217.
[Wa36]
E. Warning, Bemerkung zur vorstehenden Arbeit von Herrn Chevalley. Abh. Math.
Sem. Hamburg 11 (1936), 76-83.
A. Weil, Number theory. An approach through history from Hammurapi to Legendre.
[W]
Reprint of the 1984 edition. Modern Birkh
auser Classics, Boston, MA, 2007.
[Wh12] J.P. Wheeler, The Cauchy-Davenport Theorem for Finite Groups. Preprint available at
http://arxiv.org/abs/1202.1816.
[W
o72] J. W
ojcik, On sums of three squares. Colloq. Math. 24 (1971/72), 117-119.
E. Zermelo, Elementare Betrachtungen zur Theorie der Primzahlen. Nachr. Gesellsch.
[Z34]
Wissensch. G
ottingen 1 (1934), 4346.
[Zo72]
G. Zolotarev, Nouvelle d
emonstration de la loi de r
eciprocit
e de Legendre. Nouvelles
Ann. Math. (2) 11 (1872), 354362.
[St67]