48

Number
Theory

Róbert Freud
Edit Gyarmati
Number
Theory
UNDERGRADUATE TEXTS • 48

Number
Theory

Róbert Freud
Edit Gyarmati
 EDITORIAL COMMITTEE
Gerald B. Folland (Chair) Steven J. Miller
Jamie Pommersheim Maria Cristina Pereyra

2010 Mathematics Subject Classification. Primary 11-00,

11-01, 11A05, 11A07, 11A25, 11A41.

For additional information and updates on this book, visit

www.ams.org/bookpages/amstext-48

Library of Congress Cataloging-in-Publication Data

Names: Freud, Róbert, author.
Title: Number theory / Róbert Freud, Edit Gyarmati.
Description: Providence, Rhode Island: American Mathematical Society, [2020] | Series: Pure and
applied undergraduate texts, 1943-9334; volume 48 | Includes bibliographical references and
index.
Identifiers: LCCN 2020014015 | ISBN 9781470452759 (paperback) | ISBN 9781470456917 (ebook)
Subjects: LCSH: Number theory. | AMS: Number theory – General reference works (handbooks,
dictionaries, bibliographies, etc.). | Number theory – Instructional exposition (textbooks,
tutorial papers, etc.). | Number theory – Elementary number theory – Multiplicative structure;
Euclidean algorithm; greatest common divisors. | Number theory – Elementary number theory
– Congruences; primitive roots; residue systems. | Number theory – Elementary number theory
– Arithmetic functions; related numbers; inversion formulas. | Number theory – Elementary
number theory – Primes.
Classification: LCC QA241 .F74 2020 | DDC 512.7–dc23
LC record available at https://lccn.loc.gov/2020014015

Copying and reprinting. Individual readers of this publication, and nonprofit libraries acting
for them, are permitted to make fair use of the material, such as to copy select pages for use
in teaching or research. Permission is granted to quote brief passages from this publication in
reviews, provided the customary acknowledgment of the source is given.
Republication, systematic copying, or multiple reproduction of any material in this publication
is permitted only under license from the American Mathematical Society. Requests for permission
to reuse portions of AMS publication content are handled by the Copyright Clearance Center. For
more information, please visit www.ams.org/publications/pubpermissions.
Send requests for translation rights and licensed reprints to reprint-permission@ams.org.

c 2020 by the authors. All rights reserved.
Printed in the United States of America.

∞ The paper used in this book is acid-free and falls within the guidelines
established to ensure permanence and durability.
Visit the AMS home page at https://www.ams.org/
10 9 8 7 6 5 4 3 2 1 25 24 23 22 21 20
Contents

Introduction 1
Structure of the book 1
Exercises 2
Short overview of the individual chapters 2
Technical details 4
Commemoration 4
Acknowledgements 5

Chapter 1. Basic Notions 7

1.1. Divisibility 7
Exercises 1.1 9
1.2. Division Algorithm 11
Exercises 1.2 13
1.3. Greatest Common Divisor 15
Exercises 1.3 19
1.4. Irreducible and Prime Numbers 21
Exercises 1.4 23
1.5. The Fundamental Theorem of Arithmetic 24
Exercises 1.5 27
1.6. Standard Form 28
Exercises 1.6 33

Chapter 2. Congruences 37
2.1. Elementary Properties 37
Exercises 2.1 40

v
vi Contents

2.2. Residue Systems and Residue Classes 41

Exercises 2.2 44
2.3. Euler’s Function 𝜑 46
Exercises 2.3 49
2.4. The Euler–Fermat Theorem 50
Exercises 2.4 51
2.5. Linear Congruences 52
Exercises 2.5 57
2.6. Simultaneous Systems of Congruences 58
Exercises 2.6 64
2.7. Wilson’s Theorem 66
Exercises 2.7 67
2.8. Operations with Residue Classes 68
Exercises 2.8 70

Chapter 3. Congruences of Higher Degree 73

3.1. Number of Solutions and Reduction 73
Exercises 3.1 75
3.2. Order 76
Exercises 3.2 78
3.3. Primitive Roots 80
Exercises 3.3 84
3.4. Discrete Logarithm (Index) 86
Exercises 3.4 87
3.5. Binomial Congruences 88
Exercises 3.5 90
3.6. Chevalley’s Theorem, Kőnig–Rados Theorem 91
Exercises 3.6 95
3.7. Congruences with Prime Power Moduli 96
Exercises 3.7 98

Chapter 4. Legendre and Jacobi Symbols 101

4.1. Quadratic Congruences 101
Exercises 4.1 103
4.2. Quadratic Reciprocity 104
Exercises 4.2 108
4.3. Jacobi Symbol 109
Exercises 4.3 111
Contents vii

Chapter 5. Prime Numbers 113

5.1. Classical Problems 113
Exercises 5.1 117
5.2. Fermat and Mersenne Primes 118
Exercises 5.2 124
5.3. Primes in Arithmetic Progressions 125
Exercises 5.3 127
5.4. How Big Is 𝜋(𝑥)? 128
Exercises 5.4 133
5.5. Gaps between Consecutive Primes 134
Exercises 5.5 139
5.6. The Sum of Reciprocals of Primes 140
Exercises 5.6 147
5.7. Primality Tests 149
Exercises 5.7 157
5.8. Cryptography 160
Exercises 5.8 163

Chapter 6. Arithmetic Functions 165

6.1. Multiplicative and Additive Functions 165
Exercises 6.1 167
6.2. Some Important Functions 170
Exercises 6.2 173
6.3. Perfect Numbers 175
Exercises 6.3 177
6.4. Behavior of 𝑑(𝑛) 178
Exercises 6.4 185
6.5. Summation and Inversion Functions 186
Exercises 6.5 189
6.6. Convolution 190
Exercises 6.6 193
6.7. Mean Value 195
Exercises 6.7 206
6.8. Characterization of Additive Functions 207
Exercises 6.8 209

Chapter 7. Diophantine Equations 211

7.1. Linear Diophantine Equation 212
Exercises 7.1 214
viii Contents

7.2. Pythagorean Triples 215

Exercises 7.2 217
7.3. Some Elementary Methods 218
Exercises 7.3 221
7.4. Gaussian Integers 223
Exercises 7.4 229
7.5. Sums of Squares 230
Exercises 7.5 235
7.6. Waring’s Problem 236
Exercises 7.6 240
7.7. Fermat’s Last Theorem 241
Exercises 7.7 249
7.8. Pell’s Equation 251
Exercises 7.8 255
7.9. Partitions 256
Exercises 7.9 261

Chapter 8. Diophantine Approximation 263

8.1. Approximation of Irrational Numbers 263
Exercises 8.1 268
8.2. Minkowski’s Theorem 270
Exercises 8.2 274
8.3. Continued Fractions 275
Exercises 8.3 280
8.4. Distribution of Fractional Parts 281
Exercises 8.4 283

Chapter 9. Algebraic and Transcendental Numbers 285

9.1. Algebraic Numbers 285
Exercises 9.1 288
9.2. Minimal Polynomial and Degree 288
Exercises 9.2 290
9.3. Operations with Algebraic Numbers 291
Exercises 9.3 294
9.4. Approximation of Algebraic Numbers 296
Exercises 9.4 300
9.5. Transcendence of 𝑒 301
Exercises 9.5 306
9.6. Algebraic Integers 306
Contents ix

Exercises 9.6 308

Chapter 10. Algebraic Number Fields 311

10.1. Field Extensions 311
Exercises 10.1 314
10.2. Simple Algebraic Extensions 315
Exercises 10.2 319
10.3. Quadratic Fields 320
Exercises 10.3 330
10.4. Norm 331
Exercises 10.4 334
10.5. Integral Basis 335
Exercises 10.5 340

Chapter 11. Ideals 341

11.1. Ideals and Factor Rings 341
Exercises 11.1 345
11.2. Elementary Connections to Number Theory 347
Exercises 11.2 350
11.3. Unique Factorization, Principal Ideal Domains, and Euclidean Rings 350
Exercises 11.3 355
11.4. Divisibility of Ideals 357
Exercises 11.4 361
11.5. Dedekind Rings 363
Exercises 11.5 372
11.6. Class Number 373
Exercises 11.6 376

Chapter 12. Combinatorial Number Theory 377

12.1. All Sums Are Distinct 377
Exercises 12.1 384
12.2. Sidon Sets 386
Exercises 12.2 393
12.3. Sumsets 394
Exercises 12.3 402
12.4. Schur’s Theorem 403
Exercises 12.4 407
12.5. Covering Congruences 408
Exercises 12.5 412
x Contents

12.6. Additive Complements 412

Exercises 12.6 418

Answers and Hints 421

A.1. Basic Notions 421
A.2. Congruences 431
A.3. Congruences of Higher Degree 442
A.4. Legendre and Jacobi Symbols 452
A.5. Prime Numbers 455
A.6. Arithmetic Functions 467
A.7. Diophantine Equations 483
A.8. Diophantine Approximation 501
A.9. Algebraic and Transcendental Numbers 505
A.10. Algebraic Number Fields 510
A.11. Ideals 516
A.12. Combinatorial Number Theory 521

Historical Notes 531

Tables 537
Primes 2–1733 538
Primes 1741–3907 539
Prime Factorization 540
Mersenne Numbers 541
Fermat Numbers 542

Index 543
Introduction

The book is intended to serve several purposes; being a

(A) Theoretical textbook for teaching number theory at universities and colleges,
mostly for majors in mathematics, applied mathematics, mathematics education,
and computer science.

(B) Collection of exercises and problems for the above audience.

(C) Handbook for those interested in more detail in some chapters of number theory
beyond the compulsory and elective courses and/or writing a thesis in this subject.

(D) Manual summarizing the most important chapters of (elementary) number the-
ory for mathematicians and mathematics teachers.

Structure of the book

To achieve the above goals, the discussion starts at an absolutely basic level and the
first two chapters are based solely on high school mathematics. This part uses elemen-
tary and non-abstract tools, and instead of overly compact reasoning, detailed expla-
nations facilitate better understanding for beginners. On the other hand, we lay stress
on presenting theorems illustrating the deeper coherence of the material and on proofs
containing nice and difficult ideas.
The subsequent chapters enter more and more deeply into the discussion of vari-
ous topics in number theory. We strive to present a wide panorama of this extremely
multi-colored world (including many old but still unsolved problems) and to discuss
many methods elaborated through many centuries to treat these questions. Where pos-
sible, the newest results of number theory are inserted. Several parts apply some results
and methods from other fields of mathematics too, mostly from (classical, linear, and
abstract) algebra, analysis, and combinatorics.

1
2 Introduction

The book is structured to systemize the material and to provide a close relation
between the individual chapters as much as possible.
As a general guideline, the notions and statements are thoroughly illuminated
from various aspects beyond the formal phrasing, they are illustrated by examples and
connections to the previous material. Their essential features are strongly emphasized
pointing out the complications and analyzing the motives for introducing a given no-
tion. Careful attention is paid to start from the concrete where possible and to proceed
towards the general only afterwards. We try to give a broad perspective about the strong
and colorful relations of number theory to other branches of mathematics.

Exercises
Each section in every chapter is followed by exercises. They serve several purposes:
some of them check the comprehension of the notions, theorems, and methods, and
give a deeper understanding; others present new examples, relations, and applications;
again others study further problems related to the topic. They often include also theo-
rems disguised as exercises revealing some interesting aspects or more remote connec-
tions not treated in the text in detail.
Exercises vary in quantity and in difficulty within fairly large limits depending on
the topic, size, and depth of the material. The hard and extra-hard exercises (in our
judgement) are marked with one and two asterisks, resp. (The difficulty of an exercise
is always relative, of course: besides the abilities, interests, and preliminary general
knowledge of the solver, it depends strongly also on the exercises already solved.)
Answers and/or some hints to nearly all exercises can be found in the chapter An-
swers and Hints. To some (mostly harder) problems detailed solutions are presented
in an online chapter available at www.ams.org/bookpages/amstext-48. These exer-
cises are marked with a letter S in the text.
The reader is advised to consult a hint or solution only if an exercise turns out to
be absolutely unmanageable, or to return to the same problem later, or to solve first
some special case of it.
It is important to unravel the message and background of an exercise, its position
and role in the mathematical environment. Also a generalization or raising new prob-
lems are very useful (even if it is not clear how to solve them).

Short overview of the individual chapters

The first two chapters are introductory, discussing the divisibility of integers, the great-
est common divisor, unique prime factorization, and elementary facts about congru-
ences. A firm mastery of this material is indispensable for understanding the later
chapters.
In Chapters 3 and 4 we continue to develop the theory of congruences.
Short overview of the individual chapters 3

Chapter 5 deals with prime numbers. This simply defined set is one of the most
mysterious objects in mathematics. We discuss Euclid’s theorems (more than two thou-
sand years old) and the sensational discovery of the last decades, the public key cryp-
tosystems based on the contrast of quick primality testing and awfully slow prime fac-
torization. In this chapter we rely both on previously acquired knowledge in number
theory and the results and methods of elementary analysis.
In Chapter 6 we study arithmetic functions. Besides investigating some concrete
important functions, we present several general constructions and applications.
Chapter 7 is about Diophantine equations. After discussing the simplest types (lin-
ear equations, Pythagorean triples), we look at Waring’s problem and prove the special
cases of Fermat’s Last Theorem for exponents three and four. The methods require
the theory of Gaussian and Eulerian integers that will be generalized in Chapters 10
and 11.
The topic of Chapter 8 is Diophantine approximation that is important for certain
applications. We briefly consider also the connection with the geometry of numbers
and continued fractions.
Chapters 9–11 are closely related to each other. The basic properties of algebraic
numbers and algebraic integers from Chapter 9 are essential for understanding the next
two chapters. Chapter 10 studies field extensions, focusing on the arithmetic properties
of algebraic integers in a simple extension of the rational field by an algebraic number.
Here, an intensive use is made of the notions and theorems of elementary linear al-
gebra. Finally, in Chapter 11 the arithmetic aspects of ideals are investigated. On the
one hand, ideals constitute a fine tool for exhibiting some necessary and sufficient, or
useful sufficient, conditions for the validity of unique prime factorization in general
rings, and on the other hand, the validity of unique prime factorization for ideals of
algebraic integers (though in general not for the algebraic integers themselves) plays
an important role in studying algebraic number fields.
In Chapter 12 several interesting problems from combinatorial number theory are
presented. Some of these can be discussed even at a high school study circle, whereas
others require deeper methods from various branches of mathematics. We hope that
the selection gives an idea also about the fundamental role of Paul Erdős in the progress
of this field with thrilling questions and ingenious proofs.
Throughout the text, we often refer to interesting aspects of the history of number
theory and this purpose is served also by the short Historical Notes at the end of the
book.
As is clear also from the above description, the different subfields of number the-
ory are closely interrelated to each other and to other branches of mathematics. This
causes a serious difficulty since, on the one hand, it is important to emphasize this
tight connection during the discussion of the individual topics, but, on the other hand,
it is desirable that every chapter be self-contained and complete. We tried to achieve a
balance that makes it possible to get a gradually growing full picture of a mathematical
field rich in problems and ideas for continuous readers, but allows those who just pick
a few chapters to acquire interesting, substantial, and useful knowledge.
4 Introduction

Technical details
The chapters are divided into sections. Definitions, theorems, and formulas are num-
bered as 𝑘.𝑚.𝑛 where 𝑘 refers to the chapter, 𝑚 to the section, and 𝑛 is the serial num-
ber within the given section. Definitions and theorems have a common list, thus, for
example, Definition 6.2.1 is followed by Theorem 6.2.2. Examples, exercises, etc. are
numbered with a single number restarting in each section. The statement of a defini-
tion or theorem is closed by a ♣ sign and the end of a proof is denoted by .
The search for notations, notions, and theorems can be facilitated by the very de-
tailed Index at the end of the book.
We distinguish the floor and ceiling of (real) numbers, denoted by ⌊ ⌋ and ⌈ ⌉, resp.,
thus e.g. ⌊𝜋⌋ = 3, ⌈𝜋⌉ = 4 (we do not use the notation [𝜋]). The fractional part is de-
noted by { }, i.e. {𝑐} = 𝑐 − ⌊𝑐⌋. Divisibility, greatest common divisor, and least common
multiple are denoted as usual, so e.g. 7 ∣ 42, (9, 15) = 3, and [9, 15] = 45. Square brack-
ets [ ] can mean a least common multiple, a closed interval, or just a replacement for
(round) parentheses (this latter function occurs frequently in Chapter 11 where round
parentheses ( ) stand for an ideal; to avoid confusion, the greatest common divisor is
denoted here by gcd{𝑎, 𝑏}).
Polynomials and functions are denoted generally without indicating the argument:
𝑓, 𝑔, etc. but sometimes also 𝑓(𝑥), 𝑔(𝑥), etc. can occur. The degree of a polynomial is
denoted by “deg,” so e.g., deg(𝑥3 + 𝑥) = 3. As usual, 𝐐, 𝐑, and 𝐂 stand for the rational,
real, and complex numbers. 𝐙, 𝐙𝑚 , and 𝐹[𝑥] mean the integers, the modulo 𝑚 residue
classes, and the polynomials over 𝐹. At field extensions, 𝐐(𝜗) and 𝐼(𝜗) denote the
simple extension of the rationals by 𝜗 and (in case 𝜗 is algebraic) the ring of algebraic
integers in this extension. The letter 𝑝 denotes nearly exclusively a (positive) prime
and the log (without a lower index) stands for natural logarithm (of base 𝑒). For (finite
and infinite) products and sums we often use the signs ∏ and ∑, e.g.
𝑟
𝛼 1
∏ 𝑝𝑖 𝑖 , ∏ 𝑝, ∑
𝑖=1 𝑝≤𝑛 𝑝
𝑝2

𝛼 𝛼
mean the product 𝑝1 1 . . . 𝑝𝑟 𝑟 , the product of primes not greater than 𝑛, and the sum of
reciprocals of squares of primes.

Commemoration
The book is dedicated to the memory of Paul Turán, Paul Erdős, and Tibor Gallai (who
were close friends and collaborators).
Both authors enjoyed the privilege to be in touch with two giants of 20th century
number theory, Paul Turán and Paul Erdős.
We were educated in Paul Turán’s legendary seminars where we learned how to
explore, elaborate, and explain to others the essential components of a mathematical
problem. Turán taught us that connecting seemingly remote areas can often result in
new, efficient methods.
Acknowledgements 5

Edit Gyarmati wrote a number theory textbook (in Hungarian) some fifty years
ago using Turán’s lectures among several other sources that can be considered as a
predecessor of this book in a certain sense. The experiences of our lectures, the stu-
dents’ broadening preliminary knowledge (e.g. in linear algebra), and the new scien-
tific achievements in this field during the past decades necessitated the creation of a
new book instead of a long-due revision. The spirit and structure of the two books show
several similar features, of course.
Both of us were largely influenced by the mathematical and human greatness of
Paul Erdős sharing his enthusiastic devotion towards “nice” mathematical problems
and proofs, talking about these (and many more things) equally naturally and openly
with great scientists or just interested beginners. Róbert Freud owes many adventures
in doing joint mathematics and a great deal of his professional progress to Erdős.
Edit Gyarmati’s choosing mathematics as a profession is mostly due to her unfor-
gettable high school teacher, Tibor Gallai, who was a world-famous expert in graph
theory. Gallai was a brilliant personality whose wonderful classes both in high school
and at universities helped to start mathematical research for the best students, and
offered the joy of understanding and creation for all pupils.

Acknowledgements
We are very thankful for the great job the reviewers Imre Ruzsa (Chapter 12), András
Sárközy (Chapters 1–12), and Mihály Szalay (Chapters 1–11) did. All three of them
checked the manuscript with extreme thoroughness and suggested many general, con-
crete, and stylistic improvements nearly all of which were accepted by us. The concep-
tual remarks of András Sárközy helped us in unifying some notions, homogenizing the
structure, and mentioning several further results. Mihály Szalay checked every tiny de-
tail carefully, solved all the exercises without a solution given in the book, noted even
the smallest inaccuracies, and his concretely worded suggestions made it possible to
correct many lesser or greater errors and discrepancies. Imre Ruzsa added many valu-
able observations on Chapter 12.
In spite of all the efforts of the authors (and reviewers) there probably remain errors
and imperfections in the book. Any comments or suggestions are gratefully accepted.
The book in its present form is an English translation and an improved and cor-
rected version of the two Hungarian editions used by all universities of science in Hun-
gary. Edit Gyarmati, who was not only my coauthor but also my wonderful wife for
many decades, passed away in 2014, and could not participate in preparing this manu-
script. I devote this work to her memory.

Budapest, February 2019

Róbert Freud
Institute of Mathematics, University Eötvös Loránd
1117 Budapest, Pázmány Péter sétány 1c, Hungary
freud@caesar.elte.hu
 Chapter 1

Basic Notions

In this chapter, we survey some basic notions, theorems, and methods about the divisi-
bility of integers. When introducing the concepts, we mostly rely on general divisibility
properties only and keep the special features of the integers to a minimum. Using the
even numbers and some other examples, we point out that certain well known facts,
including the unique factorization into primes (the Fundamental Theorem of Arith-
metic), are by no means obvious.
To prove the Fundamental Theorem, we start from the division algorithm, then
describe the Euclidean algorithm yielding the special property of the greatest common
divisor, which is the key to verify the equivalence of the irreducible and prime elements
among the integers. We provide also a direct proof for the Fundamental Theorem us-
ing induction, that does not rely on the division algorithm. Finally, we discuss some
important consequences.

1.1. Divisibility
If 𝑎 and 𝑏 are rational numbers, where 𝑏 ≠ 0, then dividing 𝑎 by 𝑏, we get a rational
number again. A similar statement does not hold for integers, hence the following
definition makes sense:

Definition 1.1.1. An integer 𝑏 is called a divisor of an integer 𝑎 if there exists some

integer 𝑞 satisfying 𝑎 = 𝑏𝑞. ♣

Notation: 𝑏 ∣ 𝑎. This relation can be expressed also saying that 𝑎 is divisible by 𝑏,

or 𝑎 is a multiple of 𝑏. If there is no integer 𝑞 satisfying 𝑎 = 𝑏𝑞, then 𝑏 is not a divisor
of 𝑎, which is denoted by 𝑏 ∤ 𝑎.
In the following, we shall use the words “integer” and “number” as synonyms
unless stated otherwise.

7
8 1. Basic Notions

The number 0 is divisible by every integer (including 0 itself!) as 0 = 𝑏 ⋅ 0 for any

integer 𝑏. The other extreme contains those numbers which divide every integer:
Definition 1.1.2. A number dividing every integer is called a unit. Multiplying an
integer 𝑐 by a unit, we get an associate of 𝑐. ♣
Theorem 1.1.3. There are two units among the integers: 1 and −1. ♣

Proof. 1 and −1 are units, since for any integer 𝑎, we have 𝑎 = (±1)(±𝑎). Hence
±1 ∣ 𝑎.
Conversely, if 𝜀 is a unit, then 𝜀 divides 1, i.e. 1 = 𝜀𝑞 for some 𝑞. Since |𝜀| ≥ 1 and
|𝑞| ≥ 1, therefore only
|𝜀| = 1, i.e. 𝜀 = ±1
is possible. □

Remark: Divisibility can be introduced also in other sets of numbers (moreover, in any
integral domain, see Exercise 1.1.23). Consider, for example, the even numbers. Here
𝑏 ∣ 𝑎 means that there exists an even number 𝑞 satisfying 𝑎 = 𝑏𝑞. Hence, here 2 ∣ 20,
but 2 ∤ 10, and 10 has no divisors at all. This implies that there are no units among the
even numbers. On the other hand, there are infinitely many units among the (special
real) numbers 𝑐 + 𝑑√2 where 𝑐 and 𝑑 are arbitrary integers (see Exercise 1.1.22). This
means that the units may show very different forms and are related not (only) to the
sign changes as Theorem 1.1.3 could suggest falsely.
Theorem 1.1.4. If 𝜀 and 𝛿 are units and 𝑏 ∣ 𝑎, then also 𝜀𝑏 ∣ 𝛿𝑎 holds. ♣

Proof. As 𝜀 divides also 1, therefore 1 = 𝜀𝑟 with a suitable 𝑟. If 𝑎 = 𝑏𝑞, then 𝛿𝑎 =

(𝜀𝑏)(𝛿𝑞𝑟), hence 𝜀𝑏 ∣ 𝛿𝑎, as claimed. □

By Theorem 1.1.4, a number and its associates behave identically concerning divis-
ibility, i.e. the units “do not count” in this respect. This makes possible to deal (later)
only with non-negative or (after clarifying the special role of 0) with positive integers
in divisibility investigations.
The next theorem summarizes some simple but important properties of divisibility
of integers.
Theorem 1.1.5. (i) For every 𝑎, we have 𝑎 ∣ 𝑎.
(ii) If 𝑐 ∣ 𝑏 and 𝑏 ∣ 𝑎, then 𝑐 ∣ 𝑎.
(iii) Both 𝑎 ∣ 𝑏 and 𝑏 ∣ 𝑎 hold simultaneously if and only if 𝑎 is an associate of 𝑏.
(iv) If 𝑐 ∣ 𝑎 and 𝑐 ∣ 𝑏, then 𝑐 ∣ 𝑎 + 𝑏, 𝑐 ∣ 𝑎 − 𝑏, 𝑐 ∣ 𝑘𝑎 for any (integer) 𝑘, and 𝑐 ∣ 𝑟𝑎 + 𝑠𝑏
for any (integers) 𝑟 and 𝑠. ♣

Properties (i)–(iii) express that divisibility of integers is a reflexive and transitive

relation that is not symmetric (in fact, it is nearly antisymmetric). From (iv), we mostly
use the first three implications, each of which is a special case of the last one (𝑟 = 𝑠 = 1;
𝑟 = 1, 𝑠 = −1; and 𝑟 = 𝑘, 𝑠 = 0, respectively).
 Exercises 1.1 9

Proof. We verify only (iii). The others can be easily proven using just the definition of
divisibility.
If 𝑎 = 𝜀𝑏 where 𝜀 is a unit, then 𝑏 ∣ 𝑎 is straightforward. Also, 1 = 𝜀𝑟 implies
𝑟𝑎 = 𝑏, hence 𝑎 ∣ 𝑏 is valid as well.
Conversely, if 𝑎 ∣ 𝑏 and 𝑏 ∣ 𝑎, i.e. 𝑏 = 𝑎𝑞 and 𝑎 = 𝑏𝑠 with suitable integers 𝑞 and
𝑠, then 𝑏 = 𝑏(𝑞𝑠). If 𝑏 = 0, then necessarily 𝑎 = 0, thus 𝑎 = 𝜀𝑏. If 𝑏 ≠ 0, then 𝑞𝑠 = 1,
hence 𝑠 is a unit (and so is 𝑞), yielding 𝑎 = 𝜀𝑏. □

Exercises 1.1

(Unless stated otherwise, all numbers are integers, the exponents are non-negative in-
tegers, and the digits are understood to be in decimal representation.)
1. Write a three-digit number twice as one string. Show that the resulting six-digit
number is divisible by 91.
2. Verify that 8 always divides the difference of the squares of two odd numbers.

3. Assume that the three digit number 𝑎𝑏𝑐 (having digits 𝑎, 𝑏, and 𝑐 in this order) is
a multiple of 37. Prove that the number 𝑏𝑐𝑎 is also divisible by 37.
4. Show that if 5𝑎 + 9𝑏 is divisible by 23, then 3𝑎 + 10𝑏 is also divisible by 23.
5. True or false?
(a) 𝑐 ∣ 𝑎 + 𝑏 ⟹ 𝑐 ∣ 𝑎, 𝑐 ∣ 𝑏
(b) 𝑐 ∣ 𝑎 + 𝑏, 𝑐 ∣ 𝑎 ⟹ 𝑐 ∣ 𝑏
(c) 𝑐 ∣ 𝑎 + 𝑏, 𝑐 ∣ 𝑎 − 𝑏 ⟹ 𝑐 ∣ 𝑎, 𝑐 ∣ 𝑏
(d) 𝑐 ∣ 2𝑎 + 5𝑏, 𝑐 ∣ 3𝑎 + 7𝑏 ⟹ 𝑐 ∣ 𝑎, 𝑐 ∣ 𝑏
(e) 𝑐 ∣ 𝑎𝑏 ⟹ 𝑐 ∣ 𝑎 or 𝑐 ∣ 𝑏
(f) 𝑐 ∣ 𝑎, 𝑑 ∣ 𝑏 ⟹ 𝑐𝑑 ∣ 𝑎𝑏
(g) 𝑐 ∣ 𝑎, 𝑑 ∣ 𝑎 ⟹ 𝑐𝑑 ∣ 𝑎.
6. Verify the following:
(i) 𝑎 − 𝑏 ∣ 𝑎𝑛 − 𝑏𝑛
(ii) 𝑎 + 𝑏 ∣ 𝑎2𝑘+1 + 𝑏2𝑘+1
(iii) 𝑎 + 𝑏 ∣ 𝑎2𝑘 − 𝑏2𝑘 .
7. Determine all integers 𝑐 for which (𝑐6 − 3)/(𝑐2 + 2) is an integer.
8. Prove that 133 ∣ 11𝑛+2 + 122𝑛+1 for every 𝑛.
9. Find infinitely many 𝑛 satisfying 29 ∣ 2𝑛 + 5𝑛 .
10. Show that (𝑏 − 1)2 ∣ 𝑏𝑘 − 1 holds if and only if 𝑏 − 1 ∣ 𝑘.
* 11. Assume 2𝑏 − 1 ∣ 2𝑎 + 1. Prove that 𝑏 = 1 or 2.
 10 1. Basic Notions

12. Prove the following propositions.

(a) If 𝑏 ∣ 𝑎 and 𝑎 ≠ 0, then |𝑏| ≤ |𝑎|.
(b) Every non-zero integer has only finitely many divisors.
13. Which numbers are equal to the sum of their (a) two; (b) three (not necessarily
distinct) positive divisors?
14. Verify the following divisibility laws. A number is divisible by
(a) 3 or 9 if and only if the sum of its digits is divisible by 3 or 9, respectively;
(b) 4 or 25 if and only if the number formed of its last two digits is divisible by 4
or 25, respectively;
(c) 8 or 125 if and only if the number formed of its last three digits is divisible by
8 or 125, respectively;
(d) 11 if and only if the sum of its digits with alternating signs is divisible by 11.
15. Does there exist a power of 2 (with a positive integer exponent) containing all the
ten digits with the same multiplicity?
* 16. Does there exist a multiple of 21000 having only the digits 1 and 2?
17. Show that
(a) the product of any three consecutive integers is divisible by 6
* (b) the product of any 𝑘 consecutive integers is divisible by 𝑘!.
S 18. Let 𝑛 > 1 be an arbitrary integer. Romeo picks one of the positive divisors of 𝑛, let
it be 𝑑1 . Then Juliet chooses a positive divisor 𝑑2 that does not divide 𝑑1 . Again,
Romeo takes 𝑑3 that divides neither 𝑑1 , nor 𝑑2 , etc. Whoever must pick 𝑛 itself
loses the game. Who has a winning strategy if 𝑛 is
(a) 16
(b) 31111
(c) 10
(d) 50
** (e) 123456789101112131415?
* 19. Prove that taking any 𝑛 + 1 elements from 1, 2, . . . , 2𝑛, one of the numbers will
divide another one.
20. Though the divisibility 0 ∣ 0 holds, why does the division 0/0 make no sense?
21. Restricting ourselves to the set of even numbers, characterize those elements that
have
(a) no divisors at all
(b) exactly two (positive or negative) divisors?
22. We investigate divisibility relations among the (special real) numbers 𝑐 + 𝑑√2
where 𝑐 and 𝑑 are arbitrary integers.
(a) Determine whether or not 12 − 7√2 is divisible by 3 + 4√2.
1.2. Division Algorithm 11

(b) Verify that 1 + √2 is a unit.

(c) Demonstrate that there are infinitely many units.
(d) What is the number of divisors of any element?
(e) Prove that 𝑐 + 𝑑√2 is a unit if and only if |𝑐2 − 2𝑑 2 | = 1.
S* (f) Show that the units are exactly the elements ±(1+ √2)𝑘 where 𝑘 is an arbitrary
integer.
(g) How many times does it occur among the integers that the double of a square
number is bigger or smaller by one, than another square?
23. An integral domain is a commutative ring without zero divisors (containing at least
two elements), i.e. where addition and multiplication are commutative and asso-
ciative, there exists a zero element, every element has a negative (an additive in-
verse), the distributive law is valid, and the product of two non-zero elements is
never zero. (Roughly speaking, we have the usual “nice” properties seen in the in-
tegers.) We can define divisibility and unit according to Definitions 1.1.1 and 1.1.2.
Prove the following propositions (a)-(c).
S (a) There exists a unit if and only if multiplication has an identity element (i.e. an
element 𝑒 satisfying 𝑒𝑎 = 𝑎 for every 𝑎).
(b) The units are exactly the divisors of the identity element, or, stated otherwise,
the units are those elements that have a multiplicative inverse.
(c) Any divisor of a unit and the product or quotient of two units are units.
(d) Investigate the statements of Theorem 1.1.5.

1.2. Division Algorithm

Theorem 1.2.1. To any integers 𝑎 and 𝑏 ≠ 0, there exist some uniquely determined
integers 𝑞 and 𝑟 satisfying
𝑎 = 𝑏𝑞 + 𝑟 and 0 ≤ 𝑟 < |𝑏|. ♣

Proof. Assume first 𝑏 > 0. The condition

0 ≤ 𝑟 = 𝑎 − 𝑏𝑞 < 𝑏
holds if and only if
𝑏𝑞 ≤ 𝑎 < 𝑏(𝑞 + 1),
i.e.
𝑞 ≤ 𝑎/𝑏 < 𝑞 + 1.
Clearly, there exists exactly one such integer 𝑞 namely the floor (or lower integer part)
of 𝑎/𝑏, i.e. the biggest integer that is not greater than 𝑎/𝑏: 𝑞 = ⌊𝑎/𝑏⌋.
If 𝑏 < 0, then the condition
0 ≤ 𝑟 = 𝑎 − 𝑏𝑞 < |𝑏| = −𝑏
is equivalent to
𝑞 ≥ 𝑎/𝑏 > 𝑞 − 1
12 1. Basic Notions

which again holds for exactly one integer 𝑞 (then 𝑞 is the “ceiling” (or upper integer
part) of 𝑎/𝑏: 𝑞 = ⌈𝑎/𝑏⌉, i.e. the smallest integer that is still greater than or equal to
𝑎/𝑏). □

The number 𝑞 is called the quotient and 𝑟 is called the (least non-negative) remain-
der (or residue) of the division algorithm. The divisibility 𝑏 ∣ 𝑎 holds (for 𝑏 ≠ 0) if and
only if the remainder is 0.
It is often more convenient to allow also negative remainders. The following vari-
ant of Theorem 1.2.1 refers to this situation and can be proven similarly.
Theorem 1.2.1A. To any integers 𝑎 and 𝑏 ≠ 0, there exist some uniquely determined
integers 𝑞 and 𝑟 satisfying
|𝑏| |𝑏|
𝑎 = 𝑏𝑞 + 𝑟 and − <𝑟≤ . ♣
2 2
In this case 𝑟 is called the remainder of least absolute value.
Example. Take 𝑎 = 30, 𝑏 = −8, then
30 = (−8)(−3) + 6 = (−8)(−4) − 2,
thus the least non-negative remainder is 6 and the remainder of least absolute value
is −2.

The proof of the next theorem shows how the division algorithm provides the rep-
resentation of positive integers in a number system.
Theorem 1.2.2. Let 𝑡 > 1 be a fixed integer. Then any positive integer 𝐴 has a unique
representation as
𝐴 = 𝑎𝑛 𝑡𝑛 + 𝑎𝑛−1 𝑡𝑛−1 + ⋯ + 𝑎1 𝑡 + 𝑎0 , where 0 ≤ 𝑎𝑖 < 𝑡 and 𝑎𝑛 ≠ 0. ♣

Proof. From 0 ≤ 𝑎0 < 𝑡 and 𝑡 ∣ 𝐴 − 𝑎0 , we have that 𝑎0 is the least non-negative

remainder when 𝐴 is divided by 𝑡 in the division algorithm, hence there exists exactly
one appropriate 𝑎0 . Denoting the quotient by 𝑞0 , we get
𝐴 − 𝑎0
𝑞0 = = 𝑎𝑛 𝑡𝑛−1 + 𝑎𝑛−1 𝑡𝑛−2 + ⋯ + 𝑎2 𝑡 + 𝑎1 .
𝑡
As in the previous situation, we find 𝑎1 as the least non-negative remainder when 𝑞0 is
divided by 𝑡. Continuing the process, we obtain the existence and uniqueness of every
other 𝑎𝑖 , as well. □

In this representation
𝐴 = 𝑎𝑛 𝑡𝑛 + 𝑎𝑛−1 𝑡𝑛−1 + ⋯ + 𝑎1 𝑡 + 𝑎0 ,
the numbers 𝑎𝑖 are the digits of 𝐴 in the number system of base 𝑡 (if 𝑡 > 10, then we have
to extend 0, 1, . . . , 9 with further digits). The above representation is denoted by
𝐴 = 𝑎𝑛 𝑎𝑛−1 . . . 𝑎1 𝑎0 [𝑡] or 𝐴 = 𝑎𝑛 𝑎𝑛−1 . . . 𝑎1 𝑎0 [𝑡]
(the overline may be needed to avoid ambiguity, i.e. not to confuse the string of digits
with a product). If 𝑡 = 10, then we generally omit the notation of the base of the
number system.
Exercises 1.2 13

Example. 38 = 38 [10] = 123[5] since 38 = 1 ⋅ 52 + 2 ⋅ 5 + 3 ⋅ 1.

In everyday life, we generally use the decimal system, but e.g. the binary system
can often be more useful in computers, among others. In the binary system we have
only two digits, 0 and 1, and to perform addition and multiplication we need only the
following simple tables (however, the representation of a number requires many more
digits than in the decimal case):
⊕ 0 1 ⊙ 0 1
0 0 1 0 0 0
1 1 10 1 0 1
Despite its simplicity, the division algorithm (independently of the least non-
negative or least absolute value character of the remainder) has a great significance
both from the practical and theoretical points of view. It can be efficiently used for
divisibility problems since only “the remainder counts” in many cases. Its most impor-
tant application is perhaps the Euclidean algorithm, which consists of a sequence of
division algorithms and will be treated in the next section.

Exercises 1.2

(Unless stated otherwise, all numbers are in decimal representation.)

1. Dividing 10849 and 11873 by the same three digit positive integer, we obtain the
same (non-negative) remainder. What is this remainder?
2. Show that to every 𝑚, there exist infinitely many powers of 2 such that the differ-
ence of any two of them is divisible by 𝑚.
3. Prove that given 𝑛 integers, we can always select some of them (one, or more, or
all) so that their sum is divisible by 𝑛.
4. Show that every positive integer has a non-zero multiple consisting of digits 0 and 1
only.
* 5. The sequence of Fibonacci numbers is defined by the recursion
𝜑0 = 0, 𝜑1 = 1, 𝜑𝑗+1 = 𝜑𝑗 + 𝜑𝑗−1 , 𝑗 = 1, 2, . . . .
The first few elements are
0, 1, 1, 2, 3, 5, 8, 13, 21, 34, . . . .
Prove that every 𝑚 has infinitely many multiples among the Fibonacci numbers.
(Remark: Some books do not consider 0 as a Fibonacci number and define the se-
quence by the above recursion starting with 𝜑1 = 𝜑2 = 1. This causes no confusion
if we agree that by the “𝑛th Fibonacci number” we always mean 𝜑𝑛 .)
6. What are the possible remainders of a square when divided by (a) 3 (b) 4 (c) 5 and
(d) 8?
7. Show that the sum of squares of 12 consecutive integers is never a square.
 14 1. Basic Notions

8. (a) Can all digits of a square (greater than 9) be the same?

* (b) Find all squares greater than 81 having an even number of digits where all
digits of the first half are the same and also all digits of the second half are the
same.
9. Verify that the sum of three odd powers of an integer is always divisible by 3.
* 10. Take eight arbitrary distinct integers and form the product of their pairwise differ-
ences. What is the largest 𝑘 for which this product is divisible by 2𝑘 in any case?
11. How many positive integers with at most 10 digits are divisible by the floor of their
square root? (E.g. 12 has this property since ⌊√12⌋ = 3 divides 12, but 22 does not
because 22 is not a multiple of ⌊√22⌋ = 4.)
12. What is the connection between ⌊𝑎 + 𝑏⌋ and ⌊𝑎⌋ + ⌊𝑏⌋?
13. Can we perform the division algorithm among the even numbers (i.e. are the
analogs of Theorems 1.2.1–1.2.1A valid)?
14. Show that by rephrasing the rules in Exercise 1.1.14 suitably, we can determine
also the remainder (and not just check divisibility). How do these laws generalize
for number systems of other bases?
15. We find that 23 + 46 + 12 + 18 = 99 and 99 divides 23461218, obtained by joining
the above terms into a string. Is this just a fortunate coincidence?
16. Form the sum of digits of 12231001 , then the sum of digits of the number obtained,
etc. till we arrive at a one digit number. What is this final integer?
17. How can we transform quickly the representations of an integer between number
systems of base 3 and 9 into each other? Between which other pairs of number
systems can we establish similar quick conversions?
18. A positive integer 𝑛 has four digits in some number system and two digits in the
number system of base one larger. Determine 𝑛.
19. Converting 740 into a number system of base 𝑡, we obtain a four digit integer whose
last digit is 5. Determine 𝑡.
20. We want to devise ten weights by which a two-armed balance can measure all in-
teger grams up to a limit as large as possible. How should we choose these weights
if we can put them
(a) only onto one of the pans of the balance
* (b) onto both pans?
21. Examine roughly how many more digits are needed to represent a large integer in
base 2 than in base 10. The precise formulation of the problem is: Let 𝐵(𝑛) and
𝐷(𝑛) be the number of digits of 𝑛 in binary and decimal representations. Show
that the sequence 𝐵(𝑛)/𝐷(𝑛) tends to a limit as 𝑛 → ∞ and determine its value.
22. Number systems with varying base. Let 𝑡1 , 𝑡2 , . . . be arbitrary integers greater than 1.
Show that every positive integer 𝐴 has a unique representation as
𝐴 = 𝑎𝑛 𝑡𝑛 𝑡𝑛−1 . . . 𝑡1 + 𝑎𝑛−1 𝑡𝑛−1 . . . 𝑡1 + ⋯ + 𝑎1 𝑡1 + 𝑎0
where 0 ≤ 𝑎𝑖 < 𝑡 𝑖+1 and 𝑎𝑛 ≠ 0.
1.3. Greatest Common Divisor 15

23. Write a positive integer in base 𝑏1 = 2. Then subtract 1 and consider the string as
a number in a larger base 𝑏2 . Subtract 1 again (in base 𝑏2 ) and read the string as a
number in a base 𝑏3 > 𝑏2 , etc. For example, we start with 23[10] = 10111[2] , then
subtracting 1 and switching to 𝑏2 = 5, we obtain 10110[5] = 655[10] . Subtracting
1 again (in base 5) and introducing 𝑏3 = 9, we get 10104[9] = 6646[10] , etc. What
happens if we continue this process indefinitely?

1.3. Greatest Common Divisor

Definition 1.3.1. The greatest common divisor of 𝑎 and 𝑏 is 𝑑 if
(i) 𝑑 ∣ 𝑎, 𝑑 ∣ 𝑏
(ii) if 𝑐 satisfies 𝑐 ∣ 𝑎 and 𝑐 ∣ 𝑏, then 𝑐 ≤ 𝑑. ♣

We often abbreviate the expression greatest common divisor as gcd using its ini-
tials. The notation is: 𝑑 = (𝑎, 𝑏), or 𝑑 = gcd(𝑎, 𝑏), or 𝑑 = gcd{𝑎, 𝑏}.
There is no greatest common divisor of 0 and 0 since every integer is a common
divisor and there is no maximal number among these.
In any other case, however, exactly one 𝑑 satisfies Definition 1.3.1 (for given 𝑎
and 𝑏), namely the maximal element of the set 𝐷 of common divisors; 𝐷 is not empty
since 1 is always a common divisor and 𝐷 is finite since a non-zero integer has only
finitely many divisors (see Exercise 1.1.12b).
Definition 1.3.2. A special common divisor of 𝑎 and 𝑏 is 𝛿, if
(i′ ) 𝛿 ∣ 𝑎, 𝛿 ∣ 𝑏
(ii′ ) if 𝑐 satisfies 𝑐 ∣ 𝑎 and 𝑐 ∣ 𝑏, then 𝑐 ∣ 𝛿. ♣

Thus, a special common divisor is a common divisor which is a multiple of all

common divisors.
The definition implies that if two integers possess a special common divisor, then
it is unique apart from a unit factor. This means that on the one hand, any associate of a
special common divisor is a special common divisor again, and on the other hand, two
special common divisors must be associates. Exercise 1.3.10 requires the verification
of this fact.
For 𝑎 = 𝑏 = 0, the special common divisor is 0 by definition.
In what follows, we disregard this case and assume that at least one of 𝑎 and 𝑏
differs from zero.
Now we show that if there exists a special common divisor 𝛿, then it can only be
an associate of the greatest common divisor 𝑑. By (ii) we have
|𝛿| ≤ 𝑑,
but (ii′ ) implies 𝑑 ∣ 𝛿, hence
𝑑 ≤ |𝛿|.
Combining the two inequalities, we get 𝑑 = |𝛿|, so 𝛿 = ±𝑑.
16 1. Basic Notions

It is not at all straightforward, however, to show that the greatest common divi-
sor satisfies also the special property (ii′ ), i.e. that any two integers possess a special
common divisor.

Theorem 1.3.3. Any two integers have a special common divisor. ♣

Proof. We prove the existence of a special common divisor via the Euclidean algo-
rithm, which is one of the most ancient procedures in mathematics. We divide the first
number by the second one, then we divide the second number by the remainder, etc.,
and continue to divide the actual divisor by the actual remainder till we obtain 0 as a
remainder. We show that the procedure terminates and the last non-zero remainder is
a special common divisor of the two numbers.
Let us see the details. Assume that (e.g.) 𝑏 ≠ 0. If 𝑏 ∣ 𝑎, then 𝛿 = 𝑏.
If 𝑏 ∤ 𝑎, then we obtain for suitable integers 𝑞𝑖 and 𝑟 𝑖
𝑎 = 𝑏𝑞1 + 𝑟1 where 0 < 𝑟1 < |𝑏|
𝑏 = 𝑟1 𝑞2 + 𝑟2 where 0 < 𝑟2 < 𝑟1
𝑟1 = 𝑟2 𝑞3 + 𝑟3 where 0 < 𝑟3 < 𝑟2
⋯
𝑟𝑛−2 = 𝑟𝑛−1 𝑞𝑛 + 𝑟𝑛 where 0 < 𝑟𝑛 < 𝑟𝑛−1
𝑟𝑛−1 = 𝑟𝑛 𝑞𝑛+1 (𝑟𝑛+1 = 0).

The procedure terminates in finitely many steps since the remainders form a
strictly decreasing sequence of non-negative integers:
|𝑏| > 𝑟1 > 𝑟2 > . . . .
Now we verify that 𝑟𝑛 is a special common divisor of 𝑎 and 𝑏, indeed.
Proceeding through the equalities of the algorithm upwards, first we establish that
𝑟𝑛 is a common divisor of 𝑎 and 𝑏. The last equality implies 𝑟𝑛 ∣ 𝑟𝑛−1 . Using the next to
last equality, we get
𝑟𝑛 ∣ 𝑟𝑛−1 , 𝑟𝑛 ∣ 𝑟𝑛 ⟹ 𝑟𝑛 ∣ 𝑟𝑛−1 𝑞𝑛 + 𝑟𝑛 = 𝑟𝑛−2 .
Continuing upwards similarly, finally we arrive at 𝑟𝑛 ∣ 𝑏 and (from the first equality)
𝑟𝑛 ∣ 𝑎.
To show the special property, we proceed now downwards. Let 𝑐 ∣ 𝑎 and 𝑐 ∣ 𝑏,
then we have 𝑐 ∣ 𝑎 − 𝑏𝑞 = 𝑟1 from the first equality. Turning to the second equality, we
obtain
𝑐 ∣ 𝑏, 𝑐 ∣ 𝑟1 ⟹ 𝑐 ∣ 𝑏 − 𝑟1 𝑞2 = 𝑟2 .
Continuing downwards similarly, the next to last equality implies 𝑐 ∣ 𝑟𝑛 . □

Remarks: (1) Instead of least non-negative remainders, we can perform the Euclidean
algorithm also with remainders of least absolute value; then the absolute values
of the remainders form a strictly decreasing sequence of non-negative integers,
hence the procedure terminates in finitely many steps in this case, too.
1.3. Greatest Common Divisor 17

(2) As an integer and its negative behave equivalently concerning divisibility, we can
restrict ourselves to the positive value of the special common divisor which is (as
we have seen) equal to the greatest common divisor. Hence the notations (𝑎, 𝑏)
and gcd(𝑎, 𝑏) will mean this uniquely determined positive integer, and we shall
(generally) use the greatest common divisor name also for the special common
divisor.
(3) For a practical computation of the greatest common divisor, it is often more con-
venient to use the variant
(𝑎, 𝑏) = (𝑏, 𝑟1 ) = (𝑟1 , 𝑟2 ) = ⋯ = (𝑟𝑛−1 , 𝑟𝑛 ) = (𝑟𝑛 , 0) = 𝑟𝑛
of the Euclidean algorithm that is based on the simple relation (𝑎, 𝑏) = (𝑏, 𝑎−𝑘𝑏).
(4) At first sight, Definition 1.3.2, including the special property (ii′ ), might seem
artificial and unnecessary, but it is justified by the fact that it relies on divisibil-
ity relations only in contrast to Definition 1.3.1 which uses also ordering relations
(greater-smaller). Therefore, it is not surprising that—as it will soon turn out—we
can apply rather the special property (ii′ ) instead, both for theoretical and prac-
tical purposes. A further advantage of building the notion purely on divisibility
is that in certain sets of numbers (or more generally in most integral domains)
Definition 1.3.1 does not even make sense. An obvious reason for this is if we
cannot define an order (satisfying the usual “good” properties) in the set as, for
example, in certain subsets of the complex numbers. But we can run into a prob-
lem with Definition 1.3.1 also in sets that can be ordered, e.g., among the num-
bers 𝑐 + 𝑑√2 (where 𝑐 and 𝑑 are integers). Here we have infinitely many units
(see Exercise 1.1.22) and there is no maximal one among them. (If we consider
only common divisors where no two are associates, Definition 1.3.1 still makes
no sense since taking any two common divisors we can multiply the first one by a
unit so that the resulting associate will exceed the second one.) Therefore, in the
further chapters of number theory we shall always define the greatest common
divisor according to Definition 1.3.2.

Now we prove some important properties of the greatest common divisor (among
the integers).
Theorem 1.3.4. If 𝑐 > 0, then (𝑐𝑎, 𝑐𝑏) = 𝑐(𝑎, 𝑏). ♣

Proof. Consider the Euclidean algorithm determining (𝑎, 𝑏) and let 𝑟𝑛 = (𝑎, 𝑏) be the
last non-zero residue. Multiplying each equality by 𝑐, we obtain the Euclidean algo-
rithm producing (𝑐𝑎, 𝑐𝑏). Hence, here the last non-zero residue is (𝑐𝑎, 𝑐𝑏) = 𝑐𝑟𝑛 =
𝑐(𝑎, 𝑏). □

For another proof of Theorem 1.3.4, see Exercise 1.3.11.

Theorem 1.3.5. The greatest common divisor of integers 𝑎 and 𝑏 can be expressed as
(𝑎, 𝑏) = 𝑎𝑢 + 𝑏𝑣 with suitable integers 𝑢 and 𝑣. ♣

Proof. From the first equality of the Euclidean algorithm, we can express 𝑟1 as
𝑟1 = 𝑎 − 𝑏𝑞1 .
18 1. Basic Notions

This and the second equality imply

𝑟2 = 𝑏 − 𝑟1 𝑞2 = 𝑏 − (𝑎 − 𝑏𝑞1 )𝑞2 = 𝑎(−𝑞2 ) + 𝑏(1 + 𝑞1 𝑞2 ),
i.e. 𝑟2 can be written in the form 𝑎𝑈 + 𝑏𝑉. Proceeding similarly, the next to last in-
equality guarantees that (𝑎, 𝑏) = 𝑟𝑛 can be expressed as 𝑎𝑢 + 𝑏𝑣. □

An important consequence of Theorem 1.3.5 is the following theorem about the

solvability of a linear Diophantine equation 𝑎𝑥 + 𝑏𝑦 = 𝑐 in two variables. In general, al-
gebraic equations are called Diophantine when both the coefficients and the solutions
are among the integers. We shall study some important types in detail in Chapter 7.
Hence, in the equation 𝑎𝑥 + 𝑏𝑦 = 𝑐, the coefficients 𝑎, 𝑏, and 𝑐 are fixed integers and a
solution means a pair of integers 𝑥, 𝑦.
Theorem 1.3.6. Let 𝑎, 𝑏, and 𝑐 be fixed integers, where 𝑎 and 𝑏 are not both zero. The
Diophantine equation 𝑎𝑥 + 𝑏𝑦 = 𝑐 is solvable if and only if (𝑎, 𝑏) ∣ 𝑐. ♣

Proof. Assume first that there exists a solution 𝑥0 , 𝑦0 . Then (𝑎, 𝑏) ∣ 𝑎 and (𝑎, 𝑏) ∣ 𝑏
imply
(𝑎, 𝑏) ∣ 𝑎𝑥0 + 𝑏𝑦0 = 𝑐.
Conversely, assume (𝑎, 𝑏) ∣ 𝑐, i.e. (𝑎, 𝑏)𝑡 = 𝑐 for some integer 𝑡. By Theorem 1.3.5, we
have
(𝑎, 𝑏) = 𝑎𝑢 + 𝑏𝑣
with suitable integers 𝑢 and 𝑣. Multiplying this equality by 𝑡, we get
𝑐 = 𝑎(𝑢𝑡) + 𝑏(𝑣𝑡),
i.e. 𝑥 = 𝑢𝑡, 𝑦 = 𝑣𝑡 is a solution of the Diophantine equation 𝑎𝑥 + 𝑏𝑦 = 𝑐. □

Note that the Euclidean algorithm serves also as a procedure to find a solution of
a linear Diophantine equation.
We deal with further questions (the number of solutions, a survey of all solutions,
another method to find the solutions) concerning a linear Diophantine equation in
Section 7.1 and discuss its relation to congruences in Section 2.5.
We define the greatest common divisor of more than two integers by the special
property immediately as a common divisor that is a multiple of every common divi-
sor. We denote the positive greatest common divisor of 𝑎1 , 𝑎2 , . . . , 𝑎𝑘 (not all zero) by
(𝑎1 , 𝑎2 , . . . , 𝑎𝑘 ). Its existence can be proven simply, using that the set of all common di-
visors of two numbers is the same as the set of divisors of the greatest common divisor
of the two numbers. Hence

(𝑎1 , 𝑎2 , . . . , 𝑎𝑘 ) = ((. . . ((𝑎1 , 𝑎2 ), 𝑎3 ), . . . , 𝑎𝑘−1 ), 𝑎𝑘 ).

Definition 1.3.7. The integers 𝑎1 , 𝑎2 , . . . , 𝑎𝑘 are relatively prime or coprime if they have
no other common divisors than units, i.e. (𝑎1 , 𝑎2 , . . . , 𝑎𝑘 ) = 1. ♣
Definition 1.3.8. The integers 𝑎1 , 𝑎2 , . . . , 𝑎𝑘 are pairwise relatively prime or pairwise
coprime if no two have other common divisors than units, i.e. (𝑎𝑖 , 𝑎𝑗 ) = 1 for every
1 ≤ 𝑖 ≠ 𝑗 ≤ 𝑘. ♣
Exercises 1.3 19

Evidently, pairwise coprime integers are coprime as well, but the converse is false
(for 𝑘 > 2); see Exercise 1.3.5.
We saw already in Exercise 1.1.5e that if an integer divides a product and does not
divide one of the factors, then this does not imply that it divides the other factor. The
correct condition is contained in the following theorem, that occurs already in Euclid’s
Elements, and, besides its usefulness in divisibility problems, plays a key role in the
proof of the Fundamental Theorem of Arithmetic.
Theorem 1.3.9. If 𝑐 ∣ 𝑎𝑏 and (𝑐, 𝑎) = 1, then 𝑐 ∣ 𝑏. ♣

Proof. Clearly, we may assume that 𝑎, 𝑏, and 𝑐 are positive. Using the special property
of the greatest common divisor and Theorem 1.3.4, the divisibilities 𝑐 ∣ 𝑎𝑏 and 𝑐 ∣ 𝑐𝑏
imply
𝑐 ∣ (𝑎𝑏, 𝑐𝑏) = (𝑎, 𝑐)𝑏 = 𝑏. □

Exercises 1.3

(Using here the notation (𝑐, 𝑑), we assume automatically that 𝑐 and 𝑑 cannot be both
zero.)
1. Compute (3794, 2226) and write it in the form 3794𝑢 + 2226𝑣.
2. Show that the following fractions are in reduced form for every positive integer 𝑛:
3𝑛 + 5
(a)
7𝑛 + 12
3𝑛2 + 1
(b)
4𝑛2 + 3
𝑛! −1
(c)
(𝑛 + 1)! −1
7𝑛 − 2
(d) 𝑛+1 .
7 −5
3. Find all possible values of (𝑛2 + 2, 𝑛4 + 4) if 𝑛 assumes all positive integers.
4. What are the possible values of
(a) (𝑎 + 𝑏, 𝑎 − 𝑏)
(b) (𝑎 + 2𝑏, 4𝑎 − 𝑏)
if (𝑎, 𝑏) = 5?
5. Exhibit three coprime integers no two of which are coprime.
6. True or false?
𝑎 𝑏
(a) If (𝑎, 𝑏) = 𝑑, then ( 𝑑 , 𝑑 ) = 1.
𝑎 𝑏
(b) If (𝑎, 𝑏) = 𝑑, then at least one of ( 𝑑 , 𝑏) = 1 and (𝑎, 𝑑 ) = 1 holds.
𝑐
(c) 𝑐 ∣ 𝑎𝑏 if and only if (𝑐,𝑎)
∣ 𝑏.
(d) 𝑐 ∣ 𝑎𝑏, (𝑎, 𝑏) = 1 ⟹ 𝑐 ∣ 𝑎 or 𝑐 ∣ 𝑏.
 20 1. Basic Notions

7. Let 𝑎 and 𝑏 be positive integers. How many numbers are divisible by 𝑏 among the
integers 𝑎, 2𝑎, 3𝑎, . . . , 𝑏𝑎?
8. Let 𝑎 and 𝑏 be distinct positive integers. True or false?
(a) (𝑎 + 𝑛, 𝑏 + 𝑛) = 1 holds for infinitely many integers 𝑛.
(b) (𝑎 + 𝑛, 𝑏 + 𝑛) = (𝑏 + 𝑛, 𝑏𝑛) = 1 holds for infinitely many integers 𝑛.
(c) (𝑎 + 𝑛, 𝑏𝑛) = (𝑏 + 𝑛, 𝑏𝑛) = 1 holds for infinitely many integers 𝑛.
9. Let 𝑎 and 𝑏 be given integers.
(a) How many pairs of integers 𝑢, 𝑣 satisfy (𝑎, 𝑏) = 𝑎𝑢 + 𝑏𝑣?
(b) What is the greatest common divisor of 𝑢 and 𝑣 in the representation (𝑎, 𝑏) =
𝑎𝑢 + 𝑏𝑣?
(c) Let 𝐻 be the set of numbers 𝑎𝑢 + 𝑏𝑣 where 𝑢 and 𝑣 assume all integer values.
What is the smallest positive element of 𝐻?
10. Uniqueness of the special common divisor. Let 𝛿 be a special common divisor of
integers 𝑎 and 𝑏. Using the definition of the special common divisor, prove the
following propositions.
(a) For any unit 𝜀, 𝜀𝛿 is a special common divisor of 𝑎 and 𝑏.
(b) If 𝛿1 is another special common divisor of 𝑎 and 𝑏, then 𝛿1 = 𝜀𝛿 for some
unit 𝜀.
S 11. Give an alternative proof for Theorem 1.3.4 that uses only the notion (and exis-
tence) of the special common divisor and does not rely (directly) on the Euclidean
algorithm.
12. We call repunits those positive integers where every digit is 1 (in decimal represen-
tation).
(a) Which numbers have a repunit multiple?
(b) Which is the smallest repunit multiple of 31000 ?
S* 13. Show that
(𝑎𝑛 − 1, 𝑎𝑘 − 1) = 𝑎(𝑛,𝑘) − 1
holds for any integers 𝑛 > 0, 𝑘 > 0, and 𝑎 > 1.
14. Let 𝑎 be a positive integer.
(a) Verify that if 𝑛 and 𝑘 are distinct powers of two an 𝑎 is an even number, then
(𝑎𝑛 + 1, 𝑎𝑘 + 1) = 1.
* (b) Determine (𝑎𝑛 + 1, 𝑎𝑘 + 1) in general.
15. Prove that any two consecutive Fibonacci numbers (see Exercise 1.2.5) are co-
prime. What about the second neighbors? And the third neighbors?
** 16. Let 𝜑𝑚 be the 𝑚th Fibonacci number. Verify
𝑘 ∣ 𝑛 ⟺ 𝜑𝑘 ∣ 𝜑𝑛 , moreover, 𝜑(𝑘,𝑛) = (𝜑𝑘 , 𝜑𝑛 ).
1.4. Irreducible and Prime Numbers 21

17. Commensurability of segments. In his Elements, Euclid investigates also common

measures of segments besides the common divisors of integers. A common mea-
sure of two segments is a segment that can be measured an integer number of times
onto both segments (without remainders). Two segments are commensurable if
they have a common measure.
(a) Prove that two segments are commensurable if and only if the ratio of their
lengths is a rational number.
(b) How many common measures do two commensurable segments possess?
(c) Formulate the division algorithm for segments and show that the Euclidean
algorithm terminates in finitely many steps if and only if the two original seg-
ments are commensurable.
(d) Verify that commensurable segments have a greatest common measure and
any common measure can be measured an integer number of times onto this
greatest one (without remainder).
(e) Show that the side and the diagonal of a square are not commensurable (thus
giving a geometric proof for the irrationality of √2).

1.4. Irreducible and Prime Numbers

We have seen that 0 and the units play special roles in divisibility: every integer divides
0 and the units divide every integer. Consider now any integer 𝑎 different from 0 and
units. By the definition of units, 𝜀 ∣ 𝑎 and 𝜀𝑎 ∣ 𝑎 for every unit 𝜀. These are called
the trivial divisors of 𝑎. The numbers having only trivial divisors are of distinguished
importance:
Definition 1.4.1. An integer 𝑝 different from units (and zero) is called irreducible if it
can be factored into the product of two integers only so that one of the factors is a unit:
𝑝 = 𝑎𝑏 ⟹ 𝑎 or 𝑏 is a unit. ♣

We do not have to prescribe 𝑝 ≠ 0 because 0 has non-trivial factorizations too,

e.g. 0 = 5 ⋅ 0. We note further that in the product 𝑝 = 𝑎𝑏, both factors cannot be units
since then their product, i.e. 𝑝, would be a unit as well. (Hence, the word “or” occurs
at the end of Definition 1.4.1 in an “exclusive” sense.)
Thus, the irreducible numbers are those integers distinct from units that can be
factored into the product of two integers only trivially, or otherwise stated, are divisible
only by their associates and units. Such numbers are e.g. 2, 3, −17, etc. If a non-zero
integer has a non-trivial divisor, then it is called a composite number.
Before introducing the following notion, we recall that if an integer 𝑐 divides a
factor of a product, then 𝑐 necessarily divides also the product, but the converse is false:
e.g. for 𝑐 = 6 we have 6 ∣ 3 ⋅ 4, but 6 ∤ 3 and 6 ∤ 4. The numbers satisfying the converse
are of special significance:
Definition 1.4.2. An integer 𝑝 different from units and zero is called a prime number
(or shortly, just a prime) if it can divide the product of two integers only if it divides at
22 1. Basic Notions

least one of the factors:

𝑝 ∣ 𝑎𝑏 ⟹ 𝑝 ∣ 𝑎 or 𝑝 ∣ 𝑏. ♣

At the end of Definition 1.4.2, the word “or” occurs in an inclusive sense since it
can happen that 𝑝 divides both factors of the product. We also note that the restriction
𝑝 ≠ 0 was necessary here since 0 would otherwise satisfy the property required in
Definition 1.4.2:
0 ∣ 𝑎𝑏 ⟹ 𝑎𝑏 = 0 ⟹ 𝑎 = 0 or 𝑏 = 0 ⟹ 0 ∣ 𝑎 or 0 ∣ 𝑏.
Definition 1.4.2 implies that if a prime divides a product of more (than two) factors,
then it must divide at least one of them.

Theorem 1.4.3. Among the integers, 𝑝 is a prime if and only if it is irreducible. ♣

Proof. We may clearly assume that 𝑝 is not zero and not a unit.
I. First, we take a prime 𝑝 and prove that it is irreducible. Given a product 𝑝 = 𝑎𝑏,
we have to verify that 𝑎 or 𝑏 is a unit.
The equality 𝑝 = 𝑎𝑏 implies that 𝑝 ∣ 𝑎𝑏. Since 𝑝 is a prime, therefore we infer
that 𝑝 ∣ 𝑎 or 𝑝 ∣ 𝑏. The first case means that 𝑎𝑏 ∣ 𝑎 and hence 𝑏 ∣ 1 (since 𝑎 ≠ 0),
i.e. 𝑏 is a unit. The second case yields similarly that 𝑎 is a unit.
II. We assume now that 𝑝 is irreducible and prove that it is a prime. Given 𝑝 ∣ 𝑎𝑏,
we have to verify that at least one of 𝑝 ∣ 𝑎 and 𝑝 ∣ 𝑏 holds.
If 𝑝 ∣ 𝑎, then we are done. If 𝑝 ∤ 𝑎, then the irreducibility of 𝑝 and (𝑝, 𝑎) ∣ 𝑝 yield
(𝑝, 𝑎) = 1. The conditions 𝑝 ∣ 𝑎𝑏 and (𝑝, 𝑎) = 1 imply 𝑝 ∣ 𝑏 by Theorem 1.3.9. □

Thus we have shown that the irreducible and prime numbers coincide among the
integers. Therefore we can define the prime numbers as in high school by the irre-
ducible property and to use either of the two adjectives irreducible and prime for these
numbers. For brevity, we shall generally use the word prime except if we want to em-
phasize the irreducible property.
The two notions, however, are not equivalent in many other sets of numbers. E.g.
among the even numbers, 6 is irreducible since it cannot be written as the product of
two even numbers, but it is not a prime because it divides 18 ⋅ 2 without dividing either
of the factors. We shall see further examples in Chapter 10.
Among the integers, the study of prime numbers is one of the most important
areas in number theory. Euclid proved that there exist infinitely many primes (Theo-
rem 5.1.1), but on the other hand, there are many easily formulated and yet unsolved
problems concerning the prime numbers. We shall deal with these more in detail in
Chapter 5.
 Exercises 1.4 23

Exercises 1.4

According to the conventions, we shall use the word prime or prime number also for
the irreducible numbers among the integers. We note, however, that Exercises 1.4.1–
1.4.7 refer to irreducible numbers.
1. Determine all positive integers 𝑛 for which each of the following numbers is a
prime:
(a) 𝑛, 𝑛 + 2, and 𝑛 + 4
(b) 𝑛 and 𝑛2 + 8
(c) 𝑛, 𝑛 + 6, 𝑛 + 12, 𝑛 + 18, and 𝑛 + 24
(d) 𝑛, 𝑛3 − 6, and 𝑛3 + 6.
2. Does there exist an infinite arithmetic progression with a non-zero difference con-
sisting purely of primes?
3. Captain Immortal has three immortal grandchildren whose ages are three distinct
primes and the sum of the squares of their ages is a prime. How old is the captain’s
youngest grandchild? (Do not forget about the immortality of the grandchildren,
they can be several million years old!)
4. Let 𝑎 and 𝑘 be integers greater than one. Prove the following assertions.
(a) If 𝑎𝑘 − 1 is a prime, then 𝑎 = 2 and 𝑘 is a prime.
(b) If 𝑎𝑘 + 1 is a prime, then 𝑘 is a power of two.
Remark: The primes of the form 2𝑘 − 1 are called Mersenne primes and the primes
of the form 2𝑘 + 1 are called Fermat primes. We shall study them in detail in Sec-
tion 5.2.
S 5. Determine all integers 𝑡 > 1 and odd numbers 𝑘 > 0 for which 1𝑘 +2𝑘 +3𝑘 +⋯+𝑡𝑘
is a prime.
6. Find all positive integers 𝑛 for which
(a) 𝑛3 − 𝑛 + 3
(b) 𝑛3 − 27
(c) 𝑛8 + 𝑛7 + 𝑛6 + 𝑛5 + 𝑛4 + 𝑛3 + 𝑛2 + 𝑛 + 1
(d) 𝑛4 + 4
(e) 𝑛8 + 𝑛6 + 𝑛4 + 𝑛2 + 1
is a prime.
7. Let 𝑛 > 1. Prove the following assertions.
(a) If 𝑛 has no divisor 𝑡 satisfying 1 < 𝑡 ≤ √𝑛, then 𝑛 is a prime.
(b) The smallest divisor of 𝑛 greater than 1 is a prime.
3
(c) If 𝑛 is composite but has no divisor 𝑡 satisfying 1 < 𝑡 ≤ √𝑛, then 𝑛 is the
product of two primes.
24 1. Basic Notions

8. Prove that (𝑛 − 5)(𝑛 + 12) + 51 is never divisible by 289 if 𝑛 is an integer.

9. Which will be the irreducible and prime elements among the even numbers?
10. The notion of irreducible and prime elements can be defined in any integral do-
main 𝐼 (see Exercise 1.1.23). Prove the following propositions.
(a) If multiplication has no identity element in 𝐼, then there are no primes in 𝐼.
(b) If multiplication has an identity element in 𝐼, then every prime is irreducible
in 𝐼.

1.5. The Fundamental Theorem of Arithmetic

Theorem 1.5.1 (The Fundamental Theorem of Arithmetic). Every integer different
from 0 and units is the product of finitely many irreducible numbers and this decom-
position is unique apart from the order of the factors and associates. (Uniqueness means
that if
𝑎 = 𝑝1 𝑝2 . . . 𝑝𝑟 = 𝑞1 𝑞2 . . . 𝑞𝑠
where all 𝑝 𝑖 and 𝑞𝑗 are irreducible, then 𝑟 = 𝑠 and the numbers 𝑝 𝑖 and 𝑞𝑗 can be coupled
into associate pairs.) ♣
Remarks: (1) The units and 0 had to be excluded because these cannot be decomposed
into the product of irreducible numbers: the units can be written only as a product
of units, and writing 0 as a product at least one of the factors must be 0 (and then
this factor is not irreducible).
(2) To interpret the theorem for an irreducible number, it should be considered as a
product of a single factor.
(3) A few remarks concerning the uniqueness. Assume that the integer 𝑎 is the prod-
uct 𝑎 = 𝑝1 𝑝2 . . . 𝑝𝑟 of irreducible numbers. Then changing the order of the factors
we obtain the same product. Also, if 𝜀1 , . . . , 𝜀𝑟 are arbitrary units whose product
is 1, then 𝜀1 𝑝1 , . . . , 𝜀𝑟 𝑝𝑟 are irreducible as well and their product is 𝑎 again. The
uniqueness part of the theorem claims that apart from these trivial variants there
is no other way to write 𝑎 as the product of irreducible elements. Taking e.g. 12,
a few such decompositions are
12 = 2 ⋅ 2 ⋅ 3 = 2 ⋅ (−3) ⋅ (−2) = 3 ⋅ (−2) ⋅ (−2).

(4) When stating the theorem, we should definitely use the notion of irreducible
numbers since the theorem declares that (nearly) every integer can be assembled
essentially in a unique way from these bricks. For clarity, we shall strictly distin-
guish the notions irreducible and prime during the proof. We shall see that their
equivalence is crucial for the validity of the Fundamental Theorem.
(5) The Fundamental Theorem is false in many sets of numbers (and integral do-
mains). Taking e.g. the even numbers, 100 has two essentially different decom-
positions into the product of irreducible elements: 100 = 2 ⋅ 50 = 10 ⋅ 10. We shall
see further examples in Chapter 10.
1.5. The Fundamental Theorem of Arithmetic 25

Now we turn to the proof of the Fundamental Theorem. We shall give two proofs
for the uniqueness part.

Proof of decomposability. Consider an integer 𝑎 different from 0 and units. If 𝑎 is

irreducible, then we are done.
If 𝑎 is composite, then it has a non-trivial irreducible divisor since its smallest non-
trivial positive divisor must be irreducible (see Exercise 1.4.7b). Then 𝑎 = 𝑝1 𝑎1 where
𝑝1 is irreducible and 𝑎1 is not a unit.
If 𝑎1 is irreducible, then we are done; otherwise there exists an irreducible number
𝑝2 satisfying 𝑎1 = 𝑝2 𝑎2 where 𝑎2 is not a unit.
We proceed similarly with 𝑎2 , etc. Our algorithm must terminate in finitely many
steps since the integers |𝑎𝑖 | are positive and form a strictly decreasing sequence:
|𝑎| > |𝑎1 | > |𝑎2 | > . . . ,
hence some 𝑎𝑘 must be irreducible: 𝑎𝑘 = 𝑝 𝑘+1 .
Then we get the decomposition 𝑎 = 𝑝1 𝑝2 . . . 𝑝 𝑘+1 . □

First proof of uniqueness. Our main tool is that every irreducible number is a prime
(Theorem 1.4.3).
The proof is by contradiction. Assume that a certain 𝑎 has (at least) two essentially
different decompositions into the product of irreducible elements:
(1.5.1) 𝑎 = 𝑝1 𝑝2 . . . 𝑝𝑟 = 𝑞1 𝑞2 . . . 𝑞𝑠 .

If some 𝑝 𝑖 is an associate of a 𝑞𝑗 , e.g. 𝑝1 = 𝜀𝑞1 where 𝜀 is a unit, then cancellation

by 𝑞1 yields
𝑎
𝑎′ = = (𝜀𝑝2 )𝑝3 . . . 𝑝𝑟 = 𝑞2 𝑞3 . . . 𝑞𝑠 ,
𝑞1
hence also 𝑎′ has two essentially different decompositions into the product of irre-
ducible elements.
Continuing the process, we get finally an integer where the two decompositions
do not share associate factors. Without loss of generality, we may assume that this is
the case in (1.5.1), i.e. 𝑝 𝑖 ≠ 𝜀𝑞𝑗 .
Using (1.5.1), we have 𝑝1 ∣ 𝑞1 𝑞2 . . . 𝑞𝑠 . Since 𝑝1 is irreducible, therefore it is a prime
by Theorem 1.4.3; thus 𝑝1 must divide at least one of the factors 𝑞𝑗 .
If 𝑝1 ∣ 𝑞𝑗 , then the irreducibility of 𝑞𝑗 implies that 𝑝1 is a unit or it is an associate
of 𝑞𝑗 , and both are impossible. □

Second proof of uniqueness. This proof uses induction on |𝑎|.

Since associates behave equivalently in every divisibility relation, we may restrict
ourselves to the decompositions of positive integers into positive irreducible numbers.
For 𝑎 = 2, the uniqueness holds as 2 is irreducible.
Assuming now that every integer 1 < 𝑎 < 𝑛 has a unique decomposition into
the product of irreducible numbers, we show that then the decomposition of 𝑎 = 𝑛 is
26 1. Basic Notions

unique. If not, then 𝑛 has (at least) two essentially different decompositions into the
product of irreducible numbers:
(1.5.2) 𝑛 = 𝑝1 𝑝2 . . . 𝑝𝑟 = 𝑞1 𝑞2 . . . 𝑞𝑠 .

Clearly, 𝑟 ≥ 2, 𝑠 ≥ 2 and further 𝑝 𝑖 ≠ 𝑞𝑗 since if e.g. 𝑝1 = 𝑞1 , then also the number

1 < 𝑛/𝑝1 < 𝑛 would have two different decompositions contradicting the induction
hypothesis.
Suppose 𝑝1 < 𝑞1 and consider 𝑛1 = 𝑛 − 𝑝1 𝑞2 . . . 𝑞𝑠 . We show that
(1.5.3) 1 < 𝑛1 < 𝑛
and
(1.5.4) 𝑛1 has two different decompositions,
which is a contradiction.
By (1.5.2), the expression 𝑛1 = 𝑛 − 𝑝1 𝑞2 . . . 𝑞𝑠 can be rewritten as
(1.5.5) 𝑛1 = 𝑝1 (𝑝2 . . . 𝑝𝑟 − 𝑞2 . . . 𝑞𝑠 ) = 𝑞2 . . . 𝑞𝑠 (𝑞1 − 𝑝1 ).

Clearly 𝑛1 < 𝑛 and 𝑝1 < 𝑞1 implies

𝑛1 = 𝑞2 . . . 𝑞𝑠 (𝑞1 − 𝑝1 ) ≥ 𝑞2 ⋅ 1 = 𝑞2 > 1,
thus verifying (1.5.3).
Now, write the last factors in both decompositions in (1.5.5) as a product of irre-
ducible numbers:
𝑝2 . . . 𝑝𝑟 − 𝑞2 . . . 𝑞𝑠 = 𝑢1 . . . 𝑢𝑘 and 𝑞1 − 𝑝1 = 𝑣 1 . . . 𝑣 𝑚 .
Then 𝑛1 has the following representations as a product of irreducible elements:
(1.5.6) 𝑛1 = 𝑝1 𝑢1 . . . 𝑢𝑘 = 𝑞2 . . . 𝑞𝑠 𝑣 1 . . . 𝑣 𝑚 .

(If eventually 𝑞1 − 𝑝1 = 1, then the factors 𝑣 𝑖 are missing in which case the argu-
ment will be even more valid.)
We show that the two decompositions in (1.5.6) are essentially different. The first
one contains 𝑝1 . But 𝑝1 is missing from the second one, since on the one hand 𝑝1 ≠ 𝑞𝑗 ,
and on the other hand, if 𝑝1 = 𝑣 𝑖 for some 𝑖, then
𝑝1 ∣ 𝑣 1 . . . 𝑣 𝑚 = 𝑞1 − 𝑝1 ⟹ 𝑝1 ∣ 𝑞1 ,
which is impossible. Thus (1.5.4) is proven. □
Remarks: (1) Analyzing the first proof of uniqueness, we find that the division al-
gorithm served as its basis, after all. It made possible the Euclidean algorithm,
yielding the existence of a special common divisor based on which we showed
(via Theorem 1.3.9) that an irreducible number is always a prime, giving the key
step to the proof.
It is true also generally that if in some number sets (or integral domains) we can
perform the division algorithm, then the Fundamental Theorem of Arithmetic
holds there. Our proof of uniqueness remains valid literally also for the general
case, whereas the decomposability may require some more refined arguments in
Exercises 1.5 27

certain sets. We shall see such examples in Chapters 7 and 10. In Section 11.3,
using ideals, we shall give a unified proof for the general case that division al-
gorithm always implies the Fundamental Theorem (both decomposability and
uniqueness).
We note that the relation between the division algorithm and the Fundamental
Theorem is not symmetric; there exist sets of numbers where the Fundamental
Theorem is true but there do not exist division algorithms of any kind. We shall
see an example in Chapter 10.
(2) The second proof of uniqueness did not rely on the theorems of Sections 1.3 and
1.4. Thus we can give new proofs for some of those theorems using the Funda-
mental Theorem. We emphasize two important results: the existence of a special
common divisor (Theorem 1.3.3) and that every irreducible number is a prime
(the “harder” part of Theorem 1.4.3). To derive these from the Fundamental The-
orem, consult the proof of Theorem 1.6.4 for the first one, and Exercise 1.5.8 for
the second one.

Exercises 1.5

1. Verify that the number of irreducible factors in the decomposition of 𝑎 is at most

log2 |𝑎|.
2. Consider the set of even numbers.
(a) Which numbers have an essentially unique decomposition into the product
of irreducible elements?
(b) Find a number that has exactly 1000 essentially distinct decompositions.
3. Analyze the reason why our proofs of uniqueness fail for the even numbers.
4. Demonstrate that the Fundamental Theorem is false among the integers divisi-
ble by 10 and there exist elements with decompositions not even having the same
number of irreducible factors.
5. Consider the set 𝐹 of finite decimal fractions.
(a) Determine the units and the irreducible elements.
(b) Prove that the Fundamental Theorem is valid in 𝐹.
* (c) Verify that we can perform a division algorithm in 𝐹, i.e. we can assign to every
𝑐 ∈ 𝐹 a non-negative integer 𝑓(𝑐) where 𝑓(𝑐) = 0 if and only if 𝑐 = 0 and to
every 𝑎 and 𝑏 ∈ 𝐹, 𝑏 ≠ 0, there exist 𝑞 and 𝑟 ∈ 𝐹 satisfying 𝑎 = 𝑏𝑞 + 𝑟 and
𝑓(𝑟) < 𝑓(𝑏).
6. There are many variants of the second proof of uniqueness. Elaborate the argu-
ment if we work with 𝑛1 = 𝑛 − 𝑝1 𝑞2 .
7. Compute the number of decompositions of a given integer into the product of irre-
ducible elements if we count separately those that differ only in the order of factors
and/or in associates.
 28 1. Basic Notions

S 8. Derive from the Fundamental Theorem that every irreducible number is a prime.
9. Find all (not necessarily positive and not necessarily distinct) primes (among the
integers) satisfying
1 1 1
= + .
𝑝1 − 𝑝2 − 𝑝3 𝑝2 𝑝3
S* 10. Determine all positive primes (among the integers) a power of which (with positive
integer exponent) is the sum of the cubes of two positive integers.

1.6. Standard Form

In the sequel, we shall deal only with positive divisors of positive integers, and a prime
will always mean a positive irreducible number. Then the Fundamental Theorem
reads as follows: Every integer 𝑛 > 1 is the product of finitely many primes and this
decomposition is unique apart from the order of the factors. (Units play no role now
due to positivity.)
Combining the product of the same primes into a power, we can write 𝑛 as the
product of powers of distinct primes. This yields the following form of the Fundamen-
tal Theorem:
Theorem 1.6.1. Every integer 𝑛 > 1 can be decomposed as
𝑟
𝛼 𝛼 𝛼 𝛼
𝑛 = 𝑝1 1 𝑝2 2 . . . 𝑝𝑟 𝑟 = ∏ 𝑝𝑖 𝑖
𝑖=1

where 𝑝1 , . . . , 𝑝𝑟 are distinct (positive) primes and each 𝛼𝑖 > 0 is an integer. This form is
𝛼
unique apart from the order of the prime power factors 𝑝𝑖 𝑖 . ♣

We call this decomposition the standard form (or canonical representation) of 𝑛.

We shall see that sometimes (e.g. when studying more numbers simultaneously)
it is more convenient to allow 0 as an exponent for some primes. Then uniqueness is
understood apart from these (eventually fictitious) primes, of course. This allows us to
assign a standard form also to 1 (here all primes have exponent 0).
We shall always indicate when we need to allow exponent 0 in the standard form,
and in all other cases we shall assume automatically that each exponent is positive.
First, we describe how the standard form helps us to characterize the divisors of
an integer, the number of these divisors, and the greatest common divisor and the least
common multiple of two integers.
Theorem 1.6.2. A positive integer 𝑑 divides the number 𝑛 of standard form
𝛼 𝛼 𝛼
𝑛 = 𝑝1 1 𝑝2 2 . . . 𝑝𝑟 𝑟
if and only if 𝑑 has standard form
𝛽 𝛽 𝛽
𝑑 = 𝑝1 1 𝑝2 2 . . . 𝑝𝑟 𝑟 , where 0 ≤ 𝛽 𝑖 ≤ 𝛼𝑖 , 𝑖 = 1, 2, . . . , 𝑟. ♣

We used the modified standard form for the divisors.

We obtain the trivial divisors 1 and 𝑛 when 𝛽 𝑖 = 0 and 𝛽 𝑖 = 𝛼𝑖 , resp., for every 𝑖.
1.6. Standard Form 29

Proof. To verify sufficiency, assume that 𝑑 is of the above form. Then

𝛼 −𝛽1 𝛼2 −𝛽2 𝛼 −𝛽𝑟
𝑞 = 𝑝1 1 𝑝2 . . . 𝑝𝑟 𝑟
is an integer since 𝛼𝑖 ≥ 𝛽 𝑖 and 𝑛 = 𝑑𝑞, i.e 𝑑 ∣ 𝑛. (This part did not need the uniqueness
of the standard form, and we did not even use that the numbers 𝑝 𝑖 are primes.)
To prove the necessity, assume 𝑑 ∣ 𝑛, i.e. 𝑛 = 𝑑𝑞 for some (positive) integer 𝑞. Then
we obtain the standard form of 𝑛 by multiplying the standard forms of 𝑑 and 𝑞. This
means that every prime divisor of 𝑑 occurs in the standard form of 𝑛, moreover with
an exponent at least as big as in 𝑑, i.e. 𝛼𝑖 ≥ 𝛽 𝑖 . □

We denote the number of positive divisors of an integer 𝑛 > 0 by 𝑑(𝑛).

Example. 𝑑(1) = 1, 𝑑(10) = 4, 𝑑(𝑛) = 2 if and only if 𝑛 is a prime.
Theorem 1.6.3. The number of positive divisors of 𝑛 with standard form
𝛼 𝛼 𝛼
𝑛 = 𝑝1 1 𝑝2 2 . . . 𝑝𝑟 𝑟
is
𝑑(𝑛) = (𝛼1 + 1)(𝛼2 + 1) . . . (𝛼𝑟 + 1). ♣

Proof. By Theorem 1.6.2, we obtain all positive divisors of 𝑛 if the exponents 𝛽1 , 𝛽2 ,

. . . , 𝛽𝑟 in the standard form of
𝛽 𝛽 𝛽
𝑑 = 𝑝1 1 𝑝2 2 . . . 𝑝𝑟 𝑟
assume independently the values
𝛽1 = 0, 1, . . . , 𝛼1 , 𝛽2 = 0, 1, . . . , 𝛼2 , ... , 𝛽𝑟 = 0, 1, . . . , 𝛼𝑟 .
Hence, the exponent 𝛽 𝑖 can be chosen in 𝛼𝑖 + 1 ways and thus there are altogether
(1.6.1) (𝛼1 + 1)(𝛼2 + 1) . . . (𝛼𝑟 + 1)
options to choose the exponents 𝛽1 , . . . , 𝛽𝑟 independently. Since every positive divisor
has only one such decomposition (due to the uniqueness of its prime factorization),
(1.6.1) yields the number of positive divisors of 𝑛. □

Now, we turn to the standard form of the greatest common divisor of two inte-
gers. We use the modified standard form again: we include in the standard forms of
both numbers also those primes that divide only one of our integers (these occur with
exponent 0 in the standard form of the other integer, of course).
Theorem 1.6.4. Let the standard forms of the positive integers 𝑎 and 𝑏 be
𝛼 𝛼 𝛼 𝛽 𝛽 𝛽
𝑎 = 𝑝1 1 𝑝2 2 . . . 𝑝𝑟 𝑟 and 𝑏 = 𝑝1 1 𝑝2 2 . . . 𝑝𝑟 𝑟 where 𝛼𝑖 ≥ 0, 𝛽𝑗 ≥ 0.
Then
min(𝛼1 ,𝛽1 ) min(𝛼2 ,𝛽2 ) min(𝛼𝑟 ,𝛽𝑟 )
(𝑎, 𝑏) = 𝑝1 𝑝2 . . . 𝑝𝑟
(where min(𝛼𝑖 , 𝛽 𝑖 ) means the smaller number of 𝛼𝑖 and 𝛽 𝑖 if 𝛼𝑖 ≠ 𝛽 𝑖 , and their common
value if 𝛼𝑖 = 𝛽 𝑖 ). ♣
30 1. Basic Notions

Proof. Consider
𝑟
min(𝛼𝑖 ,𝛽𝑖 )
𝑑 = ∏ 𝑝𝑖 .
𝑖=1
We shall show that 𝑑 is a common divisor of 𝑎 and 𝑏 and is a multiple of every common
divisor. We shall rely on Theorem 1.6.2.
Since min(𝛼𝑖 , 𝛽 𝑖 ) ≤ 𝛼𝑖 and min(𝛼𝑖 , 𝛽 𝑖 ) ≤ 𝛽 𝑖 , 𝑑 ∣ 𝑎 and 𝑑 ∣ 𝑏, so 𝑑 is a common
divisor.
Let 𝑐 be an arbitrary common divisor of 𝑎 and 𝑏. Then
𝑟
𝛾
𝑐 = ∏ 𝑝𝑖 𝑖 where 𝛾 𝑖 ≤ 𝛼𝑖 , 𝛾 𝑖 ≤ 𝛽 𝑖 .
𝑖=1

This means that 𝛾 𝑖 ≤ min(𝛼𝑖 , 𝛽 𝑖 ), hence 𝑐 ∣ 𝑑. □

Example. Compute the greatest common divisor of 4840 and 2156.
The standard forms of the numbers are 4840 = 23 ⋅ 5 ⋅ 112 and 2156 = 22 ⋅ 72 ⋅ 11.
Thus (4840, 2156) = 22 ⋅ 50 ⋅ 70 ⋅ 11 = 44.
Remark: This method seems to be very convenient to compute the gcd, but unfortu-
nately it cannot be applied for large numbers, since we do not know a quick way to
exhibit their standard forms. On the other hand, the Euclidean algorithm determines
the gcd quickly even for very large integers. We shall investigate these problems (with
applications) in Sections 5.7 and 5.8.

We turn now to the least common multiple, or shortly lcm. According to its name,
this means the smallest positive element among the common multiples.
Definition 1.6.5. The least common multiple of integers 𝑎 and 𝑏 is the positive integer
𝑘 if
(i) 𝑎 ∣ 𝑘, 𝑏 ∣ 𝑘
(ii) if 𝑎 ∣ 𝑐 and 𝑏 ∣ 𝑐 for some 𝑐 > 0, then 𝑐 ≥ 𝑘. ♣

We denote the least common multiple of 𝑎 and 𝑏 by [𝑎, 𝑏] (or lcm(𝑎, 𝑏)).
Since the product 𝑎𝑏 is clearly a common multiple of 𝑎 and 𝑏, we can determine
[𝑎, 𝑏] by checking the finitely many positive integers not greater than 𝑎𝑏, seeing which
is the smallest among the common multiples of 𝑎 and 𝑏. Thus the existence and unique-
ness of the least common multiple are obvious.
Analogously to the greatest common divisor, we can replace the minimality of the
least common multiple by a more important special divisibility property: the least com-
mon multiple divides every common multiple (the lcm is often defined by this feature
directly). We summarize this and further basic facts concerning the lcm in the next
theorem.
Theorem 1.6.6. (I) If the standard forms of the positive integers 𝑎 and 𝑏 are
𝛼 𝛼 𝛼 𝛽 𝛽 𝛽
𝑎 = 𝑝1 1 𝑝2 2 . . . 𝑝𝑟 𝑟 and 𝑏 = 𝑝1 1 𝑝2 2 . . . 𝑝𝑟 𝑟 where 𝛼𝑖 ≥ 0, 𝛽𝑗 ≥ 0,
1.6. Standard Form 31

then
max(𝛼1 ,𝛽1 ) max(𝛼2 ,𝛽2 ) max(𝛼𝑟 ,𝛽𝑟 )
[𝑎, 𝑏] = 𝑝1 𝑝2 . . . 𝑝𝑟
(where max(𝛼𝑖 , 𝛽 𝑖 ) denotes the larger number of 𝛼𝑖 and 𝛽 𝑖 if 𝛼𝑖 ≠ 𝛽 𝑖 , and their
common value if 𝛼𝑖 = 𝛽 𝑖 ).
(II) 𝑎 ∣ 𝑐, 𝑏 ∣ 𝑐 if and only if [𝑎, 𝑏] ∣ 𝑐.
(III) (𝑎, 𝑏)[𝑎, 𝑏] = 𝑎𝑏. ♣

Proof. I and II. A positive integer 𝑐 is a common multiple of 𝑎 and 𝑏 if and only if both
𝑎 ∣ 𝑐 and 𝑏 ∣ 𝑐. This means that the exponent 𝛾 𝑖 of any prime 𝑝 𝑖 in the standard form
of 𝑐 satisfies 𝛾 𝑖 ≥ 𝛼𝑖 and 𝛾 𝑖 ≥ 𝛽 𝑖 , which is equivalent to 𝛾 𝑖 ≥ max(𝛼𝑖 , 𝛽 𝑖 ).
We obtain the smallest such 𝑐 when 𝛾 𝑖 = max(𝛼𝑖 , 𝛽 𝑖 ) (𝑖 = 1, 2, . . . , 𝑟) and 𝑐 is not
divisible by any other primes than the 𝑝 𝑖 . This proves I.
We also obtained that the exponents of the primes 𝑝 𝑖 in the standard forms of all
common multiples 𝑐 are greater than or equal to the exponent in [𝑎, 𝑏] and there may
also occur other primes in their standard forms. This means that the common multi-
ples 𝑐 are the same as the multiples of [𝑎, 𝑏]. This proves II.
III. We show that every prime 𝑝 𝑖 occurs with the same exponent in the standard
forms of (𝑎, 𝑏)[𝑎, 𝑏] and 𝑎𝑏, i.e.
min(𝛼𝑖 , 𝛽 𝑖 ) + max(𝛼𝑖 , 𝛽 𝑖 ) = 𝛼𝑖 + 𝛽 𝑖 , 𝑖 = 1, 2, . . . , 𝑟.
If e.g 𝛼𝑖 ≤ 𝛽 𝑖 , then the left-hand side is 𝛼𝑖 + 𝛽 𝑖 which is the same as the right-hand
side. □
Remarks: (1) An important consequence of III is that 𝑎𝑏 = [𝑎, 𝑏] if and only if (𝑎, 𝑏) =
1.
(2) Note that 𝑎 ∣ 𝑐 and 𝑏 ∣ 𝑐 do not imply 𝑎𝑏 ∣ 𝑐, e.g. 4 ∣ 36, and 6 ∣ 36, but 24 ∤ 36.
The correct implication is given by II:
𝑎 ∣ 𝑐, 𝑏 ∣ 𝑐 ⟹ [𝑎, 𝑏] ∣ 𝑐.
If 𝑎 and 𝑏 are coprime, then, according to the previous remark, we have [𝑎, 𝑏] =
𝑎𝑏, and obtain the following important special case:
𝑎 ∣ 𝑐, 𝑏 ∣ 𝑐, (𝑎, 𝑏) = 1 ⟹ 𝑎𝑏 ∣ 𝑐.
So, to prove 72 ∣ 𝑐, it suffices to verify that 𝑐 is divisible both by 8 and 9. Also in
general, any divisibility problem can be reduced to divisibilities by prime powers:
𝑟 𝛼
If the standard form of 𝑚 is 𝑚 = ∏𝑖=1 𝑝𝑖 𝑖 (𝛼𝑖 > 0), then
𝑚∣𝑐
if and only if
𝛼
𝑝𝑖 𝑖 ∣ 𝑐, 𝑖 = 1, 2, . . . , 𝑟.
(3) The notion and properties of the lcm can be generalized for more than two inte-
gers. We shall often use that the least common multiple of finitely many positive
integers equals their product if and only if the integers are pairwise coprime. We
also note that the equality in III has no simple direct generalization for more than
two numbers (see Exercise 1.6.15).
32 1. Basic Notions

We infer from the Fundamental Theorem that two integers are coprime if and only
if they share no common prime divisors. This implies the following theorem immedi-
ately:
Theorem 1.6.7.
(𝑐, 𝑎𝑏) = 1 ⟺ (𝑐, 𝑎) = 1 and (𝑐, 𝑏) = 1. ♣
Therefore, if two positive integers are coprime, then generally it is best to exhibit
their standard forms without common primes, as
𝑟 𝑠
𝛼 𝛽𝑗
𝑎 = ∏ 𝑝𝑖 𝑖 , 𝑏 = ∏ 𝑞𝑗 , 𝑝 𝑖 ≠ 𝑞𝑗 .
𝑖=1 𝑗=1

Finally, we describe the standard form of 𝑛!:

Theorem 1.6.8 (Legendre’s formula). The standard form of 𝑛! is
∞
𝑛
𝑛! = ∏ 𝑝𝛼𝑝 , where 𝛼𝑝 = ∑ ⌊ ⌋. ♣
𝑝≤𝑛 𝑘=1
𝑝𝑘

In the formula, ⌊𝑥⌋ is the floor or (lower) integer part of 𝑥 and 𝑝 under the product
sign means a (positive) prime, so we have to form the product for all primes 𝑝 satisfying
𝑝 ≤ 𝑛. We shall often meet similar notations later, as well,
1
∑ , ∏ 𝑝, ∑1
𝑝≤𝑛
𝑝 𝑝≤𝑛 𝑝∣𝑛

mean the sum of reciprocals of primes not greater than 𝑛, the product of primes not
greater than 𝑛, and the number of distinct prime divisors of 𝑛.
Observe that in Theorem 1.6.8, it is sufficient to consider only finitely many terms
in the sum defining 𝛼𝑝 since we have ⌊𝑛/𝑝𝑘 ⌋ = 0 for 𝑝𝑘 > 𝑛 (hence the number of
non-zero terms is ⌊log𝑝 𝑛⌋).

Proof. Since every factor in 𝑛! = 1 ⋅ 2 ⋅ ⋯ ⋅ 𝑛 is at most 𝑛, no primes greater than 𝑛 can

occur in the standard form of 𝑛!.
Let 𝑝 ≤ 𝑛 be a fixed prime and let 𝛼𝑝 be the exponent of 𝑝 in the standard form of
𝑛!. We have to verify
∞
𝑛
(1.6.2) 𝛼𝑝 = ∑ ⌊ ⌋.
𝑘=1
𝑝𝑘
To determine 𝛼𝑝 , we decompose the numbers 1, 2, . . . , 𝑛 into the product of primes
and count how many times 𝑝 will appear.
The multiples of 𝑝 contain at least one 𝑝; we consider these first. The following
numbers are divisible by 𝑝:
𝑝, 2𝑝, . . . , 𝑡𝑝 where 𝑡𝑝 ≤ 𝑛 < (𝑡 + 1)𝑝.
Hence
𝑛 𝑛
𝑡≤ < 𝑡 + 1, so 𝑡 = ⌊ ⌋ .
𝑝 𝑝
This means that there are ⌊𝑛/𝑝⌋ numbers divisible by 𝑝 among the integers 1, 2, . . . , 𝑛.
 Exercises 1.6 33

The multiples of 𝑝2 contain at least two copies of 𝑝, but we considered only one of
these so far. Thus every multiple of 𝑝2 yields a new 𝑝. The number of these newcomers
is ⌊𝑛/𝑝2 ⌋, similar to the previous case.
We can continue similarly. Every multiple of 𝑝3 gives rise to a new 𝑝 since there
are at least three factors of 𝑝 in them and we took only two of them into consideration
in the first two steps of our argument. This means a further ⌊𝑛/𝑝3 ⌋ copies of 𝑝, etc.
The procedure terminates in finitely many steps, since if 𝑝𝑘 > 𝑛, then none of the
numbers 1, 2, . . . , 𝑛 is divisible by 𝑝𝑘 .
This method counted every prime occurring in 𝑛! exactly once, hence 𝛼𝑝 is equal
to the sum in (1.6.2). □

Exercises 1.6

(We always mean a positive integer by number, divisor, prime, etc. in the exercises.)
1. How can we see from the standard form that a given integer is a square, a cube, or
in general, a 𝑘th power (of a positive integer)?
2. (a) Demonstrate that if the product of two coprime integers is a 𝑘th power, then
the factors are 𝑘th powers.
(b) How should we modify this assertion if we consider all integers (instead of
positive numbers)?
(c) How does the statement generalize for more factors?
S 3. Prove that the product of
(a) 2
(b) 3
* (c) 4
consecutive (positive) integers is never a power of an integer with exponent greater
than one.
Remark: It is true in general that the product of consecutive integers is never a
power. This long-standing conjecture of Catalan was proven by Paul Erdős and
John Selfridge in 1975.

S 4. For which primes 𝑝 is (2𝑝−1 − 1)/𝑝 a square?

5. (a) Prove that 𝑐 ∣ 𝑎𝑏 if and only if 𝑐 = 𝑎1 𝑏1 where 𝑎1 ∣ 𝑎 and 𝑏1 ∣ 𝑏.
(b) Show that if (𝑎, 𝑏) = 1, then the above 𝑎1 and 𝑏1 are unique.
(c) Verify that if (𝑎, 𝑏) ≠ 1, then there exists a divisor 𝑐 ∣ 𝑎𝑏 that can expressed in
more than one way as 𝑐 = 𝑎1 𝑏1 .
(d) Prove that any 𝑐 ∣ 𝑎𝑏 has at most 𝑑((𝑎, 𝑏)) representations in the form 𝑐 = 𝑎1 𝑏1 .
(e) Which divisors 𝑐 ∣ 𝑎𝑏 have 𝑑((𝑎, 𝑏)) representations as 𝑐 = 𝑎1 𝑏1 ?
6. Assume that 𝑎𝑘 ∣ 𝑏𝑘+100 holds for every 𝑘. Prove that 𝑎 ∣ 𝑏.
 34 1. Basic Notions

7. Which is the smallest positive integer having exactly

(a) 31
(b) 33
(c) 32
(positive) divisors?
8. For which values of 𝑛 is 𝑑(𝑛) odd?
9. A cruel lord keeps 400 prisoners in 400 separate dark cells. Turning the lock on the
door of a cell once, the door opens, and turning it once again, the door closes, etc.
At present, all doors are closed, of course. The lord decides to be generous on his
birthday and orders a guard to turn the locks on each door once. Then he changes
his mind and sends a second guard to turn the locks on each second door once.
This guard is followed by a third one who turns the locks on each third door once,
etc., and finally the four hundredth guard changes the position of the lock on the
four hundredth door. Those prisoners get free whose door is open now. How many
people were released by the lord?
S 10. A positive integer is squarefree if it has no square divisors greater than 1. E.g. 1
and 30 are squarefree, but 12 is not squarefree. Let 𝐴(𝑛) and 𝐵(𝑛) be the number
of (positive) squarefree divisors and the number of square divisors of 𝑛.
(a) Prove that 𝐴(𝑛)𝐵(𝑛) ≥ 𝑑(𝑛) for every 𝑛.
(b) When do we have equality?
11. Prove
(a) 𝑑(𝑛) ≤ 𝑛/2 + 1
(b) 𝑑(𝑛) ≤ 𝑛/3 + 2
(c) 𝑑(𝑛) ≤ 2√𝑛.
12. Exhibit a simple formula for the product of the (positive) divisors of 𝑛.
13. What is the maximal number of divisors of 10𝑛 where no one divides another one?
14. (a) For which pairs of integers 𝑎, 𝑏 can we find positive integers having 𝑎 as their
gcd and 𝑏 as their lcm?
(b) How many such pairs exist if 𝑎 = 5 and 𝑏 = 35000?
(c) Determine the number of such pairs in general for arbitrary 𝑎 and 𝑏.
15. Verify the following assertions.
(a) (𝑎, 𝑏, 𝑐)[𝑎, 𝑏, 𝑐] ∣ 𝑎𝑏𝑐 but equality does not hold in general.
(b) (𝑎, 𝑏, 𝑐)[𝑎, 𝑏, 𝑐] = 𝑎𝑏𝑐 if and only if 𝑎, 𝑏, 𝑐 are pairwise coprime.
(c) (𝑎, 𝑏, 𝑐)[𝑎𝑏, 𝑏𝑐, 𝑎𝑐] = 𝑎𝑏𝑐.
16. True or false?
(a) (𝑎, 𝑏) = (𝑎 + 𝑏, 𝑎𝑏).
(b) (𝑎, 𝑏) = 1 if and only if (𝑎 + 𝑏, 𝑎𝑏) = 1.
Exercises 1.6 35

(c) (𝑎, 𝑏𝑐) = (𝑎, 𝑏)(𝑎, 𝑐).

(d) (𝑎3 , 𝑏3 ) = (𝑎, 𝑏)3 .
17. Prove the following propositions.
(a) [𝑎, 𝑏] ∣ 𝑎 + 𝑏 if and only if 𝑎 = 𝑏.
(b) 𝑎 + 𝑏 ∣ [𝑎, 𝑏] never holds.
(c) There exist infinitely many pairs 𝑎, 𝑏, 𝑎 ≠ 𝑏, satisfying 𝑎 + 𝑏 ∣ 𝑎𝑏.
(d) 𝑎 + 𝑏 ∣ 𝑎𝑏 if and only if 𝑎 + 𝑏 ∣ (𝑎, 𝑏)2 .
18. Show that if (𝑎, 𝑏2 ) = (𝑎2 , 𝑏), then (𝑎7 , 𝑏1000 ) = (𝑎1000 , 𝑏7 ).
19. Verify the following distributive laws.
(a) [𝑎, (𝑏, 𝑐)] = ([𝑎, 𝑏], [𝑎, 𝑐]).
(b) (𝑎, [𝑏, 𝑐]) = [(𝑎, 𝑏), (𝑎, 𝑐)].
20. (a) Prove that for given positive integers 𝑎, 𝑏, and 𝑐, there exist integers 𝑥, 𝑦, and
𝑧 satisfying
(𝑥, 𝑦) = 𝑎, (𝑦, 𝑧) = 𝑏, and (𝑧, 𝑥) = 𝑐
if and only if (𝑎, 𝑏) = (𝑏, 𝑐) = (𝑐, 𝑎).
(b) Find the number of such triples 𝑥, 𝑦, 𝑧 (for given 𝑎, 𝑏, and 𝑐).
(c) Examine the dual problem for least common multiples instead of greatest
common divisors.
21. Verify the divisibility 240 ∣ 𝑝4 − 1 for every prime 𝑝 > 5.
22. Prove that 504 ∣ 𝑎6 − 𝑏6 if (𝑎𝑏, 42) = 1.
23. Show that 𝑎6 + 85𝑎4 + 994𝑎2 is divisible by 360 for any 𝑎.
24. Prove that 26101 − 33101 + 7101 is divisible by 606606.
25. How many digits 0 occur at the end of (a) 1111! (b) (125
60
)?
26. (a) Prove that 𝑐𝑛 ∤ 𝑛! for 𝑐 > 1.
(b) Find all values of 𝑛 > 1 and 𝑐 > 1 satisfying 𝑐𝑛−1 ∣ 𝑛!.
27. Let 𝑛 ≥ 2 and 1 ≤ 𝑘 ≤ 𝑛 − 1.
(a) Show that if 𝑘 and 𝑛 are coprime, then 𝑛 ∣ (𝑛𝑘).
(b) Is the converse also true?
(c) Determine all values of 𝑛 such that
𝑛 𝑛 𝑛
(c1) 𝑛 || ( ) (c2) ( ) is even (c3) ( ) is odd
𝑘 𝑘 𝑘
for every 1 ≤ 𝑘 ≤ 𝑛 − 1.
(d) Do there exist 𝑛 and 𝑘, 1 ≤ 𝑘 ≤ 𝑛 − 1, when 𝑛 and (𝑛𝑘) are coprime?
 36 1. Basic Notions

S* 28. Finitely many monkeys sit around a round table and play the following game. In
front of each monkey there is a dime on the table. At a command, each monkey
checks the coin of her right neighbor: if it shows head, then she turns her own coin;
if it shows tail, then she leaves her coin as it was. They repeat this procedure till
all coins show tails. What can the number of monkeys be if the game terminates
for every initial position of the coins?
S* 29. Show that each of the integers 𝑛! +1, . . . , 𝑛! +𝑛 has a prime divisor that divides
none of the other 𝑛 − 1 numbers.
S 30. Consider 5000 distinct positive integers where any ten of them have the same lcm.
At most how many of them can be pairwise coprime?
31. Which positive integers 𝑛 satisfy 𝑛 ∣ 𝑘2 ⟹ 𝑛 ∣ 𝑘 (i.e. 𝑛 can divide a square of a
number only if it divides the number itself)?
32. Show that the difference of two 𝑘th powers never divides their sum (for 𝑘 > 1).
5
33. Prove that (a) √100 (b) log6 18 are irrational numbers.
S* 34. Given a positive integer 𝑚, consider all sets of integers 𝑎1 < 𝑎2 < ⋯ < 𝑎𝑡 where
𝑎1 = 𝑚 and 𝑎1 𝑎2 . . . 𝑎𝑡 is a square (𝑡 = 1 is allowed). We denote the smallest
possible value of 𝑎𝑡 by 𝑆(𝑚). For example, 𝑆(1) = 1, 𝑆(2) = 6 since the product
2 ⋅ 3 ⋅ 6 is the best choice for 𝑚 = 2, 𝑆(3) = 8, 𝑆(4) = 4, etc.
Prove that the sequence 𝑆(2), 𝑆(3), 𝑆(4), . . . contains exactly the positive composite
numbers and each of them occurs exactly once.
S* 35. (a) Can distinct powers form an infinite arithmetic progression?
(b) Can distinct powers form finite arithmetic progressions of arbitrary length?
 Chapter 2

Congruences

We study the basic facts concerning congruences in this chapter. After introducing the
notion of congruence, we investigate residue classes, residue systems, and Euler’s func-
tion 𝜑. We prove the theorems of Euler–Fermat and Wilson, using linear congruences
for the latter one. Related to linear congruences, we treat also simultaneous systems
of congruences. We shall learn more about congruences in Chapters 3 and 4.

2.1. Elementary Properties

We often see in divisibility problems that only the remainder matters, i.e. two integers
behave identically if their remainders are the same. This (too) underlines the introduc-
tion of the notion below:

Definition 2.1.1. Let 𝑎 and 𝑏 be integers and 𝑚 a positive integer. We say that 𝑎 is
congruent to 𝑏 modulo 𝑚 if 𝑚 ∣ 𝑎 − 𝑏. ♣

Notation: 𝑎 ≡ 𝑏 (mod 𝑚) or just 𝑎 ≡ 𝑏 (𝑚). The number 𝑚 is called the modulus

and is kept fixed, in general. As 𝑚 ∣ 𝑎 − 𝑏 if and only if 𝑚 ∣ 𝑏 − 𝑎, therefore

𝑎 ≡ 𝑏 (mod 𝑚) ⟺ 𝑏 ≡ 𝑎 (mod 𝑚) ,

and so we may say also that “𝑎 and 𝑏 are congruent modulo 𝑚”. (Instead of “modulo 𝑚”,
we can use the expressions “mod 𝑚,” or “with respect to the modulus 𝑚,” or “related
to the modulus 𝑚,” as well.)
Clearly, 𝑎 and 𝑏 are congruent modulo 𝑚 if and only if 𝑎 and 𝑏 give the same
(least non-negative) remainder when they are divided by 𝑚. (The same holds for the
remainder of least absolute value.)
If 𝑎 and 𝑏 are not congruent modulo 𝑚, we write 𝑎 ≢ 𝑏 (mod 𝑚), and we say that
𝑎 and 𝑏 are incongruent modulo 𝑚 (or 𝑎 is incongruent to 𝑏 modulo 𝑚).

Example. 11 ≡ 5 (mod 3), 32 ≡ −1 (mod 11), 21 ≢ 6 (mod 10).

37
38 2. Congruences

Clearly, any two integers are congruent with respect to the modulus 𝑚 = 1.
The definition of congruence can trivially be extended for 𝑚 < 0, but we can ignore
it since 𝑚 ∣ 𝑎 − 𝑏 if and only if −𝑚 ∣ 𝑎 − 𝑏.
Theorem 2.1.2. (i) 𝑎 ≡ 𝑎 (mod 𝑚) for every 𝑎.
(ii) 𝑎 ≡ 𝑏 (mod 𝑚) ⟹ 𝑏 ≡ 𝑎 (mod 𝑚).
(iii) 𝑎 ≡ 𝑏 (mod 𝑚) and 𝑏 ≡ 𝑐 (mod 𝑚) ⟹ 𝑎 ≡ 𝑐 (mod 𝑚).
(iv) 𝑎 ≡ 𝑏 (mod 𝑚) and 𝑐 ≡ 𝑑 (mod 𝑚) ⟹ 𝑎 + 𝑐 ≡ 𝑏 + 𝑑 (mod 𝑚) and 𝑎 − 𝑐 ≡ 𝑏 − 𝑑
(mod 𝑚).
(v) 𝑎 ≡ 𝑏 (mod 𝑚) and 𝑐 ≡ 𝑑 (mod 𝑚) ⟹ 𝑎𝑐 ≡ 𝑏𝑑 (mod 𝑚). ♣

Proof. All the assertions follow easily from the definition of congruence and the ele-
mentary properties of divisibility, hence we verify only property (v) as an illustration.
We rewrite the assumptions as 𝑚 ∣ 𝑎 − 𝑏 and 𝑚 ∣ 𝑐 − 𝑑 which imply
𝑚 ∣ 𝑐(𝑎 − 𝑏) + 𝑏(𝑐 − 𝑑) = 𝑎𝑐 − 𝑏𝑑, so 𝑎𝑐 ≡ 𝑏𝑑 (mod 𝑚) . □

Properties (i), (ii), and (iii) express that congruence is reflexive, symmmetric, and
transitive, hence it is an equivalence relation. We can thus divide the integers into (pair-
wise) disjoint sets of numbers congruent to each other, i.e. those that give the same
remainder when divided by 𝑚. (Properties (i)–(iii) guarantee that the expression “con-
gruent to each other” makes sense.) These sets are called residue classes modulo 𝑚. We
shall study them in Section 2.2.
By (iv) and (v), congruences (with the same modulus) can be added, subtracted,
and multiplied. This implies immediately that we can add the same number to both
sides of a congruence, and this holds also for subtraction and multiplication. Further,
a congruence can be multiplied by itself arbitrarily many times, so we may raise a con-
gruence to a power with a positive integer exponent:
(vi) 𝑎 ≡ 𝑏 (mod 𝑚) ⟹ 𝑎 + 𝑐 ≡ 𝑏 + 𝑐 (mod 𝑚) and 𝑎 − 𝑐 ≡ 𝑏 − 𝑐 (mod 𝑚).
(vii) 𝑎 ≡ 𝑏 (mod 𝑚) ⟹ 𝑎𝑐 ≡ 𝑏𝑐 (mod 𝑚).
(viii) 𝑎 ≡ 𝑏 (mod 𝑚) ⟹ 𝑎𝑛 ≡ 𝑏𝑛 (mod 𝑚).
The repeated application of these relations yields the useful law:
(ix) Let 𝑓 be a polynomial with integer coefficients. Then
𝑎 ≡ 𝑏 (mod 𝑚) ⟹ 𝑓(𝑎) ≡ 𝑓(𝑏) (mod 𝑚) .

We illustrate the efficiency of the above rules with a few examples.

Examples. E1 Demonstrate that any natural number 𝑛 satisfies
17 ∣ 33𝑛+1 52𝑛+1 + 25𝑛+1 11𝑛 .
Solution: We have to show
33𝑛+1 52𝑛+1 + 25𝑛+1 11𝑛 ≡ 0 (mod 17) .
2.1. Elementary Properties 39

We replace the left-hand side with congruent expressions till we obtain 0:

33𝑛+1 52𝑛+1 + 25𝑛+1 11𝑛 = 3 ⋅ 27𝑛 ⋅ 5 ⋅ 25𝑛 + 2 ⋅ 32𝑛 ⋅ 11𝑛 ≡
≡ 15(−7)𝑛 8𝑛 + 2(−2)𝑛 (−6)𝑛 =
= 15(−56)𝑛 + 2(12)𝑛 ≡ 15(−5)𝑛 + 2(−5)𝑛 =
= 17(−5)𝑛 ≡ 0 (mod 17) .

E2 Give a new proof for the divisibility 𝑎 − 𝑏 ∣ 𝑎𝑛 − 𝑏𝑛 .

Solution: Clearly, we can restrict ourselves to the case 𝑎 − 𝑏 > 0. Applying (viii),
we have
𝑎 ≡ 𝑏 (mod 𝑎 − 𝑏) ⟹ 𝑎𝑛 ≡ 𝑏𝑛 (mod 𝑎 − 𝑏) .

E3 Verify that 232 +1 is a composite number. (Cf. with Exercise 1.4.4 and Section 5.2.)
Solution: We establish the divisibility 641 ∣ 232 + 1 relying on
641 = 54 + 24 = 5 ⋅ 27 + 1.
We infer
−1 ≡ 5 ⋅ 27 (mod 641) and 54 ≡ −24 (mod 641) .
Raising the first congruence to the fourth power and substituting the result into
the second one, we obtain
1 = (−1)4 ≡ 54 ⋅ 228 ≡ −24 ⋅ 228 = −232 (mod 641) ,
so 641 ∣ 232 + 1.

We have seen that concerning addition, subtraction, and multiplication, congru-

ences behave like equalities. There is a big difference for division, however; two con-
gruences must not be divided. First of all, the results of the divisions are not always
integers, and then the congruence between the fractional quotients makes no sense
since only integers can appear in congruences. But even if the quotients are integers,
the congruence obtained after the division will not necessarily be true. For example,
28 ≡ 46 (mod 6) and 2 ≡ 2 (mod 6) but 14 ≢ 23 (mod 6) .
Concerning division of congruences, we should be aware that also a fraction means a
division. Therefore we must not replace the numerator or denominator of a fraction
with an integer value even when the new fraction is an integer. E.g.
45 35
45 ≡ 35 (mod 10) and 15 ≡ 5 (mod 10) but 3= ≢ = 7 (mod 10) .
15 5
After clarifying what is forbidden, let us see what we are allowed to do. We shall deal
only with the special case when division is just cancellation. The following theorem
states that in performing the cancellation, we have to change the modulus:
𝑚
Theorem 2.1.3. Let 𝑑 = (𝑐, 𝑚). Then 𝑎𝑐 ≡ 𝑏𝑐 (mod 𝑚) if and only if 𝑎 ≡ 𝑏 (mod 𝑑
).
♣
40 2. Congruences

Proof. By the definition of congruence, we have

𝑎𝑐 ≡ 𝑏𝑐 (mod 𝑚) ⟺ 𝑚 ∣ (𝑎 − 𝑏)𝑐,

which is equivalent to the divisibility

𝑚| 𝑐
(2.1.1) (𝑎 − 𝑏) .
𝑑 | 𝑑
Since (𝑚/𝑑, 𝑐/𝑑) = 1, (2.1.1) holds if and only if
𝑚| 𝑚
𝑎 − 𝑏, i.e. 𝑎 ≡ 𝑏 (mod ). □
𝑑 | 𝑑

An important special case of Theorem 2.1.3 is when 𝑐 and the modulus are co-
prime. Then the congruence remains valid with the same modulus after cancellation
by 𝑐:

Theorem 2.1.3A.

𝑎𝑐 ≡ 𝑏𝑐 (mod 𝑚) , (𝑐, 𝑚) = 1 ⟹ 𝑎 ≡ 𝑏 (mod 𝑚) .

Exercises 2.1

1. Prove 23 ∣ 61𝑘+1 + 11𝑘 72𝑘 33𝑘 25𝑘+3 .

888
2. What are the last three digits of 999777 (in decimal representation)?

3. Give a new proof using congruences for the divisibility rules by 9 and 11 (Exer-
cise 1.1.14) and for their generalizations in other number systems (Exercise 1.2.14).

4. True or false?

(a) 𝑘 ∣ 𝑛, 𝑎 ≡ 𝑏 (mod 𝑛) ⟹ 𝑎 ≡ 𝑏 (mod 𝑘).

(b) 𝑘 ∣ 𝑛, 𝑎 ≡ 𝑏 (mod 𝑘) ⟹ 𝑎 ≡ 𝑏 (mod 𝑛).
(c) 𝑎 ≡ 𝑏 (mod 𝑛), 𝑎 ≡ 𝑏 (mod 𝑘) ⟺ 𝑎 ≡ 𝑏 (mod 𝑘𝑛).
(d) 𝑎 ≡ 𝑏 (mod 𝑛), 𝑎 ≡ 𝑏 (mod 𝑘) ⟺ 𝑎 ≡ 𝑏 (mod [𝑘, 𝑛]).
(e) 𝑎 ≡ 𝑏 (mod 𝑛) ⟺ 𝑘𝑎 ≡ 𝑘𝑏 (mod 𝑘𝑛).
(f) 𝑎 ≡ 𝑏 (mod 𝑛), 𝑐 ≡ 𝑑 (mod 𝑘) ⟹ 𝑎𝑐 ≡ 𝑏𝑑 (mod 𝑘𝑛).
(g) 𝑎2 ≡ 𝑏2 (mod 𝑛) ⟹ 𝑎 ≡ ±𝑏 (mod 𝑛).
(h) 𝑎2 ≡ 𝑏2 (mod 101) ⟹ 𝑎 ≡ ±𝑏 (mod 101).

5. There are several digits that can not be the last one in the decimal representation
of a square. How many such digits can be found in the number system of base 101?

6. Comment on the following “theorem” and “proof” of Professor Donkey Monkey:

“Theorem: For any integer 𝑛 > 3, we have (𝑛4) ≡ (𝑛+1
4
) (mod 4).
 2.2. Residue Systems and Residue Classes 41

Proof: Since 𝑛 + 1 ≡ 𝑛 − 3 (mod 4) holds for every 𝑛,

𝑛 𝑛(𝑛 − 1)(𝑛 − 2)(𝑛 − 3)
( )= ≡
4 1⋅2⋅3⋅4
𝑛(𝑛 − 1)(𝑛 − 2)(𝑛 + 1) 𝑛+1
≡ =( ) (mod 4) .”
1⋅2⋅3⋅4 4

7. Verify: 𝑚 ∣ 𝑎 − 𝑏 ⟹ 𝑚2 ∣ 𝑎𝑚 − 𝑏𝑚 .
8. Assuming 3 ∤ 𝑎 and (6, 𝑛) = 1, prove 𝑎𝑛 ≡ 𝑏𝑛 (mod 3𝑛 ) ⟹ 𝑎 ≡ 𝑏 (mod 3𝑛 ).
9. Let 𝑝 > 2 be a prime and 1 ≤ 𝑘 ≤ 𝑝−1. Verify the following congruences modulo 𝑝:
(a) (𝑘𝑝) ≡ 0
(b) (𝑝−1
𝑘
) ≡ (−1)𝑘
(c) (𝑝−2
𝑘
) ≡ (−1)𝑘 (𝑘 + 1).
10. Determine all primes 𝑝 for which the remainder of (3𝑝
𝑝
) when divided by 𝑝 is 𝑝 − 2.
* 11. Let 𝑝 be a prime. Prove the following congruences modulo 𝑝:
𝑛
(a) (𝑛𝑝) ≡ ⌊ 𝑝 ⌋
𝑛
(b) (𝑘𝑝) ≡ (⌊𝑛/𝑝⌋
𝑘
)
𝑛
(c) (𝑝𝑛𝑘 ) ≡ ⌊ 𝑝𝑘 ⌋.

2.2. Residue Systems and Residue Classes

We mentioned the notion of a residue class modulo 𝑚 after Theorem 2.1.2: it is the set
of all integers giving the same remainder when divided by 𝑚.
Definition 2.2.1. Given the modulus 𝑚, the set of integers congruent to 𝑎 is called the
residue class represented by 𝑎. ♣

Notation: (𝑎)𝑚 . If there is no ambiguity, we can omit the index 𝑚 referring to the
modulus.
Thus, the residue class (𝑎)𝑚 is an infinite arithmetic progression in both directions
with difference 𝑚 and 𝑎 being one of its elements. There are 𝑚 residue classes mod 𝑚,
and each contains infinitely many numbers. By the definition, (𝑎)𝑚 = (𝑐)𝑚 if and only
if 𝑎 ≡ 𝑐 (mod 𝑚).
Example. (23)7 = {. . . , −5, 2, 9, 16, 23, 30, . . . } = (100)7 .
Definition 2.2.2. Given the modulus 𝑚, choosing one element from each residue
class, we obtain a complete residue system modulo 𝑚. ♣
Example. {33, −5, 11, −11, −8} is a complete residue system modulo 5.

We use mostly the following complete residue systems:

(A) Least non-negative residues: 0, 1, . . . , 𝑚 − 1.
42 2. Congruences

(B) Residues of least absolute value:

𝑚−1
0, ±1, ±2, . . . , ± , for 𝑚 odd
2
and
𝑚−2 𝑚
0, ±1, ±2, . . . , ± , , for 𝑚 even
2 2
(in the latter, 𝑚/2 can be replaced by −𝑚/2).
We can apply the following simple criterion to check whether or not given numbers
form a complete residue system:
Theorem 2.2.3. A set of integers forms a complete residue system modulo 𝑚 if and only
if
(i) their number is 𝑚 and
(ii) they are pairwise incongruent modulo 𝑚. ♣

Proof. Let 𝐶𝑚 be a complete residue system modulo 𝑚. Since there are 𝑚 residue
classes and we picked one element from each class, 𝐶𝑚 contains exactly 𝑚 numbers.
Further, we took each number from a different residue class, hence the elements of 𝐶𝑚
are pairwise incongruent modulo 𝑚.
Conversely, consider 𝑚 integers pairwise incongruent modulo 𝑚. Then they be-
long to distinct residue classes. Since their number is 𝑚, they represent 𝑚 residue
classes, i.e. all classes are represented. Thus, these integers form a complete residue
system modulo 𝑚. □

Multiplying a complete residue system by an integer coprime to the modulus and

then adding an arbitrary integer yields a complete residue system again:
Theorem 2.2.4. If 𝑟1 , 𝑟2 , . . . , 𝑟𝑚 is a complete residue system modulo 𝑚, (𝑎, 𝑚) = 1, and
𝑏 is any integer, then
𝑎𝑟1 + 𝑏, 𝑎𝑟2 + 𝑏, . . . , 𝑎𝑟𝑚 + 𝑏
is a complete residue system modulo 𝑚. ♣

Proof. Since the new system has 𝑚 elements, it is enough to show, by Theorem 2.2.3,
that the elements are pairwise incongruent mod 𝑚. We have to prove that 𝑎𝑟 𝑖 + 𝑏 ≡
𝑎𝑟𝑗 + 𝑏 (mod 𝑚) implies 𝑖 = 𝑗. Subtracting 𝑏 from both sides, we obtain 𝑎𝑟 𝑖 ≡ 𝑎𝑟𝑗
(mod 𝑚). Since (𝑎, 𝑚) = 1, by Theorem 2.1.3A, we can cancel 𝑎: 𝑟 𝑖 ≡ 𝑟𝑗 (mod 𝑚), and
so 𝑖 = 𝑗, indeed. □

Note that for (𝑎, 𝑚) ≠ 1, the integers 𝑎𝑟 𝑖 +𝑏 never form a complete residue system;
see Exercise 2.2.11.
We examine now the distribution of the integers coprime to the modulus in the
residue classes. It turns out that in a residue class, either all elements, or no elements
are coprime to the modulus:
Let 𝑎 ≡ 𝑏 (mod 𝑚). Then (𝑎, 𝑚) = 1 if and only if (𝑏, 𝑚) = 1.
2.2. Residue Systems and Residue Classes 43

We prove a stronger assertion in the next theorem:

Theorem 2.2.5.
𝑎 ≡ 𝑏 (mod 𝑚) ⟹ (𝑎, 𝑚) = (𝑏, 𝑚). ♣
Proof. By the assumption, 𝑏 = 𝑎 + 𝑚𝑐 for some integer 𝑐.
On the right-hand side, both 𝑎 and 𝑚 are divisible by (𝑎, 𝑚), hence (𝑎, 𝑚) ∣ 𝑏. This
means that (𝑎, 𝑚) is a common divisor of 𝑏 and 𝑚, hence (𝑎, 𝑚) ∣ (𝑏, 𝑚).
We get the converse divisibility (𝑏, 𝑚) ∣ (𝑎, 𝑚) similarly, and so (𝑎, 𝑚) = (𝑏, 𝑚). □

The residue classes with elements coprime to the modulus play an important role
in the sequel:
Definition 2.2.6. A residue class (𝑎)𝑚 is called a reduced residue class (mod 𝑚) if
(𝑎, 𝑚) = 1. ♣

As mentioned previously, Theorem 2.2.5 implies that if some element of a residue

class is coprime to the modulus, then every element in the residue class has this prop-
erty. Therefore Definition 2.2.6 does not depend on which number was picked to rep-
resent the residue class (𝑎)𝑚 .
We introduce now one of the most important functions in number theory:
Definition 2.2.7 (Euler’s function 𝜑). For 𝑛 given, 𝜑(𝑛) counts how many integers of
1, 2, . . . , 𝑛 are coprime to 𝑛. ♣
Example. 𝜑(1) = 1, 𝜑(10) = 4, 𝜑(𝑛) = 𝑛 − 1 if and only if 𝑛 is a prime.

Clearly, 𝜑(𝑛) is also the number of reduced residue classes modulo 𝑛.

We can easily compute 𝜑(𝑛) from the standard form of 𝑛; we shall discuss this
formula in Section 2.3.
Next, we define the notion of a reduced residue system analogously to the complete
residue system:
Definition 2.2.8. Given the modulus 𝑚, choosing one element from each reduced
residue class, we obtain a reduced residue system modulo 𝑚. ♣
Example. {17, −5, 11, −11} is a reduced residue system modulo 12.

The simplest way to obtain a reduced residue system is to select the elements co-
prime to the modulus from the least non-negative remainders or from the remainders
of least absolute value.
Now, we prove the analogues of Theorems 2.2.3 and 2.2.4 for reduced residue sys-
tems.
Theorem 2.2.9. A set of integers forms a reduced residue system modulo 𝑚 if and only
if
(i) their number is 𝜑(𝑚)
(ii) they are pairwise incongruent modulo 𝑚 and
(iii) each of them is coprime to 𝑚. ♣
44 2. Congruences

Proof. Let 𝑅𝑚 be a reduced residue system modulo 𝑚. Since there are 𝜑(𝑚) reduced
residue classes and we picked one element from each, 𝑅𝑚 contains exactly 𝜑(𝑚) el-
ements. Further, because we took each element from a different residue class, the
elements of 𝑅𝑚 are pairwise incongruent modulo 𝑚. Finally, every element of 𝑅𝑚 is
coprime to 𝑚, since they were chosen from reduced residue classes.
Conversely, consider 𝜑(𝑚) pairwise incongruent integers modulo 𝑚 that are co-
prime to 𝑚. The pairwise incongruence and the relative primeness guarantee that they
belong to distinct reduced residue classes. Since their number is 𝜑(𝑚), they represent
𝜑(𝑚) reduced residue classes, i.e. all classes are represented. Thus, these integers form
a reduced residue system modulo 𝑚. □
Theorem 2.2.10. If 𝑟1 , 𝑟2 , . . . , 𝑟𝜑(𝑚) is a reduced residue system modulo 𝑚 and (𝑎, 𝑚) = 1,
then
𝑎𝑟1 , 𝑎𝑟2 , . . . , 𝑎𝑟𝑚
is also a reduced residue system modulo 𝑚. ♣

Proof. We check criteria (i)–(iii) of Theorem 2.2.9.

(i) The new system has 𝜑(𝑚) elements.
(ii) 𝑎𝑟 𝑖 ≡ 𝑎𝑟𝑗 (mod 𝑚), (𝑎, 𝑚) = 1 ⟹ 𝑟 𝑖 ≡ 𝑟𝑗 (mod 𝑚) ⟹ 𝑖 = 𝑗.
(iii) (𝑎, 𝑚) = 1, (𝑟 𝑖 , 𝑚) = 1 ⟹ (𝑎𝑟 𝑖 , 𝑚) = 1. □

Note that for (𝑎, 𝑚) ≠ 1, the integers 𝑎𝑟 𝑖 never form a reduced residue system, and
moreover none of them is coprime to 𝑚.
Adding an integer 𝑏 to the elements of a reduced residue system will not, in gen-
eral, yield a reduced residue system, a significant difference from the complete residue
systems. See Exercise 2.2.12.

Exercises 2.2

We assume everywhere that the modulus 𝑚 ≥ 2.

1. Determine the modulus 𝑚 knowing that the integers below are elements of a re-
duced residue system:
(a) 2 and 14
(b) 18, 78, and 178
(c) 𝑎 and −𝑎.
2. In how many (a) complete (b) reduced residue systems does every element 𝑎𝑖 sat-
isfy 0 ≤ 𝑎𝑖 ≤ 5𝑚 + 1?
3. Given 𝑚, characterize those arithmetic progressions that are infinite in both direc-
tions and contain modulo 𝑚
(a) a residue class
(b) a complete residue system?
 Exercises 2.2 45

4. For which 𝑚 ≥ 2 can we find a complete residue system consisting of

(a) odd numbers
(b) composite numbers
(c) squares
(d) integers ending with 1357 (in decimal representation)
(e) consecutive elements of a geometric series
S* (f) repunits (i.e. every digit is 1 in decimal system)
S* (g) powers?
5. For which 𝑚 ≥ 2 can we find a reduced residue system consisting of
(a) multiples of 15
(b) numbers not divisible by 15
(c) squares
(d) integers ending with 1357 (in decimal representation)
(e) powers?
6. True or false?
(a) If 𝑟1 , 𝑟2 , . . . , 𝑟 𝑘 is a reduced residue system modulo 7, then it is a reduced
residue system modulo 14.
(b) If 𝑟1 , 𝑟2 , . . . , 𝑟 𝑘 is a reduced residue system modulo 14, then it is a reduced
residue system modulo 7.
7. (a) What is the remainder of the sum of elements of a complete residue system
modulo 𝑚?
(b) Let 𝑚 be even, and 𝑎1 , 𝑎2 , . . . , 𝑎𝑚 and 𝑏1 , 𝑏2 , . . . , 𝑏𝑚 be two complete residue
systems modulo 𝑚. Prove that 𝑎1 +𝑏1 , . . . , 𝑎𝑚 +𝑏𝑚 never is a complete residue
system modulo 𝑚. What can we say for 𝑚 odd?
(c) Examine the analogous questions for reduced residue systems instead of com-
plete residue systems.
S 8. (a) There are 𝑚 trees around a circular clearing with a squirrel in each tree. The
squirrels want to get together in one tree, but they are allowed to move only
the following way: every minute, any two squirrels may jump to an adjacent
tree. For which values of 𝑚 can they gather in one tree?
(b) What happens if we modify the admissible step so that the two squirrels must
jump to the adjacent trees in opposite directions (i.e. one of them clockwise,
and the other counterclockwise).
* 9. (a) Determine all 𝑚 for which 0, 0 + 1, 0 + 1 + 2, . . . , 0 + 1 + 2 + ⋯ + (𝑚 − 1) form
a complete residue system mod 𝑚.
(b) For which 𝑚 does there exist a complete residue system 𝑎1 , . . . , 𝑎𝑚 mod 𝑚 so
that 𝑎1 , 𝑎1 + 𝑎2 , 𝑎1 + 𝑎2 + 𝑎3 , . . . , 𝑎1 + 𝑎2 + 𝑎3 + ⋯ + 𝑎𝑚 is also a complete
residue system mod 𝑚?
 46 2. Congruences

10. Let 𝑘 ∣ 𝑚. True or false?

(a) Every residue class mod 𝑘 is the union of residue classes mod 𝑚.
(b) Every reduced residue class mod 𝑘 is the union of reduced residue classes
mod 𝑚.
* (c) Every reduced residue class mod 𝑘 contains a subset that is a reduced residue
class mod 𝑚.
(d) Every reduced residue system mod 𝑘 can be extended to a reduced residue
system mod 𝑚.
* (e) Every reduced residue system mod 𝑚 contains a reduced residue system mod 𝑘.
11. Let 𝑟1 , 𝑟2 , . . . , 𝑟𝑚 be a complete residue system modulo 𝑚, (𝑎, 𝑚) ≠ 1, and 𝑏 arbitrary.
(a) Prove that 𝑎𝑟1 + 𝑏, . . . , 𝑎𝑟𝑚 + 𝑏 is never a complete residue system modulo 𝑚.
(b) How many residue classes modulo 𝑚 are represented by the elements 𝑎𝑟1 + 𝑏,
. . . , 𝑎𝑟𝑚 + 𝑏 altogether?
S* 12. Let 𝑟1 , 𝑟2 , . . . , 𝑟𝜑(𝑚) be a reduced residue system modulo 𝑚.
(a) Determine all integers 𝑎 such that the numbers 𝑎𝑟1 , . . . , 𝑎𝑟𝜑(𝑚) are pairwise
incongruent modulo 𝑚.
(b) Find all integers 𝑏 such that the numbers 𝑟1 + 𝑏, . . . , 𝑟𝜑(𝑚) + 𝑏 form a reduced
residue system modulo 𝑚.
S* 13. For which integers 𝑚 and 𝑘 do there exist a complete residue system 𝑎1 , . . . , 𝑎𝑚
modulo 𝑚 and a complete residue system 𝑏1 , . . . , 𝑏𝑘 modulo 𝑘 so that the numbers
𝑎𝑖 𝑏𝑗 form a complete residue system modulo 𝑚𝑘?
S 14. Let 𝑎 and 𝑏 be positive integers.
(a) Prove that
𝑇 = { 𝑖𝑏 + 𝑗𝑎 ∣ 𝑖 = 1, 2, . . . , 𝑎, 𝑗 = 1, 2, . . . , 𝑏 }
is a complete residue system modulo 𝑎𝑏 if and only if (𝑎, 𝑏) = 1.
(b) Let 𝑟1 , . . . , 𝑟𝜑(𝑎) and 𝑠1 , . . . , 𝑠𝜑(𝑏) be reduced residue systems modulo 𝑎 and
modulo 𝑏. Prove that
𝑅 = { 𝑟 𝑖 𝑏 + 𝑠𝑗 𝑎 ∣ 𝑖 = 1, 2, . . . , 𝜑(𝑎), 𝑗 = 1, 2, . . . , 𝜑(𝑏) }
is a reduced residue system modulo 𝑎𝑏 if and only if (𝑎, 𝑏) = 1.
(c) Demonstrate that if (𝑎, 𝑏) = 1, then 𝜑(𝑎𝑏) = 𝜑(𝑎)𝜑(𝑏).

2.3. Euler’s Function 𝜑

We introduced Euler’s function 𝜑 in Definition 2.2.7: If 𝑛 is a positive integer, then 𝜑(𝑛)
is the number of integers coprime to 𝑛 among the integers 1, 2, . . . , 𝑛.
This implies immediately that there are 𝜑(𝑚) reduced residue classes modulo 𝑚
and a reduced residue system consists of 𝜑(𝑚) integers.
2.3. Euler’s Function 𝜑 47

We prove now a formula for 𝜑(𝑛) from the standard form of 𝑛:

Theorem 2.3.1. Let the standard form of 𝑛 be

𝑟
𝛼 𝛼 𝛼 𝛼
𝑛 = 𝑝1 1 𝑝2 2 . . . 𝑝𝑟 𝑟 = ∏ 𝑝𝑖 𝑖 , where 𝛼𝑖 > 0.
𝑖=1

Then
𝑟
𝛼 𝛼 −1 𝛼 𝛼 −1 𝛼 𝛼 −1
𝜑(𝑛) = (𝑝1 1 − 𝑝1 1 ) . . . (𝑝𝑟 𝑟 − 𝑝𝑟 𝑟 ) = ∏ (𝑝𝑖 𝑖 − 𝑝𝑖 𝑖 ). ♣
𝑖=1

This formula for 𝜑(𝑛) is valid only if the exponents 𝛼𝑖 in the standard form of 𝑛
are positive (in contrast e.g. to the formula for 𝑑(𝑛) in Theorem 1.6.3 which remains
valid even if we allow 0 to occur among the exponents 𝛼𝑖 ). Some equivalent forms of
the formula are:
𝑟 𝑟
𝛼 −1 1 1
𝜑(𝑛) = ∏ 𝑝𝑖 𝑖 (𝑝 𝑖 − 1) = 𝑛 ∏ (1 − ) = 𝑛 ∏ (1 − ) .
𝑖=1 𝑖=1
𝑝𝑖 𝑝∣𝑛
𝑝
𝑝 prime

We give two proofs of Theorem 2.3.1. A third one can be derived from Exercise 6.5.4b.
Also, Exercises 2.2.14 and 2.6.10 contain two further verifications of assertion II which
is the key step in the first proof.

First proof. We infer the theorem from the two propositions below:

(I) If 𝑝 is a prime (and 𝛼 > 0), then 𝜑(𝑝𝛼 ) = 𝑝𝛼 − 𝑝𝛼−1 .

(II) If (𝑎, 𝑏) = 1, then 𝜑(𝑎𝑏) = 𝜑(𝑎)𝜑(𝑏).

These imply the theorem: It follows from II by induction on the number of factors
that if the integers 𝑎1 , . . . , 𝑎𝑟 are pairwise coprime, then 𝜑(𝑎1 . . . 𝑎𝑟 ) = 𝜑(𝑎1 ) . . . 𝜑(𝑎𝑟 ).
𝛼 𝛼
Applying this for 𝑎𝑖 = 𝑝𝑖 𝑖 and substituting the value for 𝜑(𝑝𝑖 𝑖 ) obtained in I, we arrive
at the desired formula.
We start with the verification of I. An integer is coprime to 𝑝𝛼 if and only if it is not
divisible by 𝑝. Hence, we obtain the coprime integers to 𝑝𝛼 among 1, 2, . . . , 𝑝𝛼 , if we
discard the multiples of 𝑝. We thus discard 𝑝, 2𝑝, . . . , 𝑝𝛼−1 𝑝, which are 𝑝𝛼 /𝑝 = 𝑝𝛼−1
numbers. This implies that 𝜑(𝑝𝛼 ) = 𝑝𝛼 − 𝑝𝛼−1 integers remain.
Now, we turn to the proof of II. (As indicated earlier, two other methods are avail-
able in Exercises 2.2.14 and 2.6.10.)
The number 𝜑(𝑎𝑏) is the number of positive integers not greater than 𝑎𝑏 that are
coprime to 𝑎𝑏, i.e. are relatively prime to both 𝑎 and 𝑏.
Denoting the smallest positive elements of the reduced residue classes modulo 𝑎
by 𝑟1 , 𝑟2 , . . . , 𝑟𝜑(𝑎) , we enumerate all positive integers not greater than 𝑎𝑏 and coprime
48 2. Congruences

to 𝑎:
𝑟1 𝑟2 ... 𝑟𝜑(𝑎)
𝑎 + 𝑟1 𝑎 + 𝑟2 ... 𝑎 + 𝑟𝜑(𝑎)
(2.3.1) 2𝑎 + 𝑟1 2𝑎 + 𝑟2 ... 2𝑎 + 𝑟𝜑(𝑎)
⋮ ⋮ ⋮
(𝑏 − 1)𝑎 + 𝑟1 (𝑏 − 1)𝑎 + 𝑟2 ... (𝑏 − 1)𝑎 + 𝑟𝜑(𝑎)

We have to select those numbers from (2.3.1) that are coprime also to 𝑏.
Consider an arbitrary column of the table. For example, the integers in column 𝑖
are

(2.3.2) 𝑟 𝑖 , 𝑎 + 𝑟 𝑖 , 2𝑎 + 𝑟 𝑖 , . . . , (𝑏 − 1)𝑎 + 𝑟 𝑖 .

These numbers were obtained from the complete residue system 0, 1, . . . , 𝑏 − 1

modulo 𝑏 by multiplying the elements by 𝑎 coprime to 𝑏 and then adding 𝑟 𝑖 . By The-
orem 2.2.4, (2.3.2) is a complete residue system modulo 𝑏, so every column of table
(2.3.1) is a complete residue system modulo 𝑏.
Since a complete residue system modulo 𝑏 contains 𝜑(𝑏) elements coprime to 𝑏,
there are 𝜑(𝑏) numbers relatively prime to 𝑏 in each column of (2.3.1).
The number of columns in (2.3.1) is 𝜑(𝑎), so the table has altogether 𝜑(𝑎)𝜑(𝑏) ele-
ments coprime to 𝑏.
This means that there are 𝜑(𝑎)𝜑(𝑏) numbers among the positive integers not
greater than 𝑎𝑏 that are coprime both to 𝑎 and 𝑏, i.e. to 𝑎𝑏. By definition, this value
equals 𝜑(𝑎𝑏), hence 𝜑(𝑎𝑏) = 𝜑(𝑎)𝜑(𝑏), indeed. □

Second proof. We use the Inclusion and Exclusion formula.

We have to determine, how many numbers are coprime to 𝑛 among 1, 2, . . . , 𝑛, that
is, how many are divisible by none of the primes 𝑝1 , 𝑝2 , . . . , 𝑝𝑟 .
Thus we have to delete those “bad” numbers from 1, 2, . . . , 𝑛 which are divisible
by one or more primes 𝑝𝑗 .
Consider first those elements that are multiples of a given 𝑝𝑗 (disregarding whether
or not they are divisible by some other prime factors of 𝑛). Clearly, there are 𝑛/𝑝𝑗 such
integers.
Now we count those numbers that are divisible by a given set of primes 𝑝𝑗 (not
caring again whether or not they are multiples of some other prime factors of 𝑛). An
integer is divisible by both of two (distinct) primes if and only if it is divisible by their
product. Hence, 𝑛/(𝑝1 𝑝2 ) elements are divisible by both 𝑝1 and 𝑝2 , 𝑛/(𝑝1 𝑝3 𝑝7 ) ele-
ments are divisible by each of 𝑝1 , 𝑝3 , and 𝑝7 , etc.
Thus, the Inclusion and Exclusion formula yields
𝑛 𝑛 𝑛 𝑛 𝑛 𝑛 𝑛
(2.3.3) 𝜑(𝑛) = 𝑛 − − −⋯− + + +⋯+ − − ...
𝑝1 𝑝2 𝑝𝑟 𝑝1 𝑝2 𝑝1 𝑝3 𝑝𝑟−1 𝑝𝑟 𝑝1 𝑝2 𝑝3
 Exercises 2.3 49

A simple direct calculation verifies that the right-hand side of (2.3.3) is equal to the
product
𝑟
1
𝑛 ∏ (1 − ) ,
𝑖=1
𝑝 𝑖

which is an alternative version of the formula in the theorem. □

Exercises 2.3

1. Verify that 𝜑(𝑛) is even for every 𝑛 > 2.

2. Find all values of 𝑛 for which 𝜑(𝑛) is (a) 2 (b) 4 (c) 14 (d) 60.
3. Which is the smallest 𝑛 for which 𝜑(𝑛) is divisible by
(a) 210
(b) 310 ?
4. Determine all possible values of 𝜑(100𝑛)/𝜑(𝑛) for 𝑛 a positive integer.
5. Prove the following propositions.
(a) 𝑘 ∣ 𝑛 ⟹ 𝜑(𝑘) ∣ 𝜑(𝑛).
(b) 𝜑((𝑎, 𝑏)) | (𝜑(𝑎), 𝜑(𝑏)) and [𝜑(𝑎), 𝜑(𝑏)] | 𝜑([𝑎, 𝑏]).
(c) 𝜑((𝑎, 𝑏)) = (𝜑(𝑎), 𝜑(𝑏)) ⟺ [𝜑(𝑎), 𝜑(𝑏)] = 𝜑([𝑎, 𝑏]).
6. Show that 𝜑(𝑎)/𝜑(𝑏) = 𝑎/𝑏 holds if and only if 𝑎 and 𝑏 have exactly the same prime
factors.
7. Let 𝑛 > 2. True or false?
(a) If (𝑛, 𝜑(𝑛)) = 1, then 𝑛 is an odd squarefree number.
(b) If 𝑛 is an odd squarefree number, then (𝑛, 𝜑(𝑛)) = 1.
* 8. Prove that for every positive integer 𝑘 there exists an 𝑛 satisfying (𝑛, 𝜑(𝑛)) = 𝑘.
9. Verify that 𝜑(𝑛) + 𝑑(𝑛) ≤ 𝑛 + 1 holds for every 𝑛. When do we have equality?
10. (a) Demonstrate that if (𝑎, 𝑏) ≠ 1, then 𝜑(𝑎𝑏) > 𝜑(𝑎)𝜑(𝑏) (thus equality is never
true in this case).
(b) In the first proof of Theorem 2.3.1, the key step was the verification of II, i.e. of
(𝑎, 𝑏) = 1 ⟹ 𝜑(𝑎𝑏) = 𝜑(𝑎)𝜑(𝑏). Where does the argument fail if 𝑎 and 𝑏 are
not coprime?
(c) Show that
𝜑(𝑎𝑏)𝜑((𝑎, 𝑏)) = (𝑎, 𝑏)𝜑(𝑎)𝜑(𝑏)
holds for every 𝑎 and 𝑏.
11. (a) Prove that 𝑛 − 𝜑(𝑛) ≥ √𝑛 if 𝑛 is composite. When is equality true?
(b) Find those 𝑛 for which 𝑛 − 𝜑(𝑛) is
(b1) 1
(b2) 6
 50 2. Congruences

(b3) 7
(b4) 10.
12. Which integers occur in the range of the function 𝑛/𝜑(𝑛)?
13. Prove that 𝜑(𝑛2 ) = 𝜑(𝑘2 ) holds only for 𝑛 = 𝑘.
14. Verify ∑𝑑∣𝑛 𝜑(𝑑) = 𝑛.
15. Show that 𝜑(𝑛) → ∞ if 𝑛 → ∞.
* 16. Demonstrate that for every positive integer 𝑘 there exists an 𝑛 satisfying 𝜑(𝑛) =
𝜑(𝑛 + 𝑘).
* 17. Exhibit 1000 distinct integers where the function 𝜑 assumes the same value.
S* 18. Determine all 𝑛 satisfying 𝜑(𝑛! ) = 𝑘! for some 𝑘.
S* 19. For which 𝑚 can a reduced residue system mod 𝑚 form an arithmetic progression?

2.4. The Euler–Fermat Theorem

Theorem 2.4.1 (Euler–Fermat Theorem).
(𝑎, 𝑚) = 1 ⟹ 𝑎𝜑(𝑚) ≡ 1 (mod 𝑚) . ♣

Proof. Let 𝑟1 , 𝑟2 , . . . , 𝑟𝜑(𝑚) be a reduced residue system modulo 𝑚.

Since (𝑎, 𝑚) = 1, 𝑎𝑟1 , . . . , 𝑎𝑟𝜑(𝑚) is also a reduced residue system modulo 𝑚.
This means that to every 1 ≤ 𝑖 ≤ 𝜑(𝑚), there exists exactly one 1 ≤ 𝑗 ≤ 𝜑(𝑚)
satisfying 𝑎𝑟 𝑖 ≡ 𝑟𝑗 (mod 𝑚). Denote this 𝑟𝑗 by 𝑠𝑖 :
𝑎𝑟1 ≡ 𝑠1 (mod 𝑚) ,
𝑎𝑟2 ≡ 𝑠2 (mod 𝑚) ,
(2.4.1)
⋮
𝑎𝑟𝜑(𝑚) ≡ 𝑠𝜑(𝑚) (mod 𝑚) .

Here 𝑠1 , . . . , 𝑠𝜑(𝑚) is a permutation of the numbers 𝑟1 , . . . , 𝑟𝜑(𝑚) .

Multiplying the congruences in (2.4.1), we obtain
𝑎𝜑(𝑚) 𝑟1 𝑟2 . . . 𝑟𝜑(𝑚) ≡ 𝑠1 𝑠2 . . . 𝑠𝜑(𝑚) (mod 𝑚) ,
or
(2.4.2) 𝑎𝜑(𝑚) 𝑟1 𝑟2 . . . 𝑟𝜑(𝑚) ≡ 𝑟1 𝑟2 . . . 𝑟𝜑(𝑚) (mod 𝑚) .
We can cancel every 𝑟 𝑖 in (2.4.2) , since (𝑟 𝑖 , 𝑚) = 1, which yields the desired congruence
𝑎𝜑(𝑚) ≡ 1 (mod 𝑚). □

An important special case is when the modulus is a prime 𝑝. Then 𝜑(𝑝) = 𝑝 − 1

and we obtain:
Theorem 2.4.1A (First form of Fermat’s Little Theorem). If 𝑝 is a prime and (𝑎, 𝑝) = 1,
then 𝑎𝑝−1 ≡ 1 (mod 𝑝).
Exercises 2.4 51

Note that for a prime 𝑝, the conditions (𝑎, 𝑝) = 1, 𝑝 ∤ 𝑎, and 𝑎 ≢ 0 (mod 𝑝) are
equivalent.
From Theorem 2.4.1A, it is easy to get a congruence valid for every 𝑎:
Theorem 2.4.1B (Second form of Fermat’s Little Theorem). If 𝑝 is a prime, then 𝑎𝑝 ≡ 𝑎
(mod 𝑝) holds for every 𝑎.

Proof. If 𝑝 ∤ 𝑎, then 𝑎𝑝−1 ≡ 1 (mod 𝑝) by Theorem 2.4.1A. Multiplying this congru-

ence by 𝑎, we obtain the desired 𝑎𝑝 ≡ 𝑎 (mod 𝑝).
If 𝑝 ∣ 𝑎, then 𝑎 ≡ 0 (mod 𝑝). Raising this to the 𝑝th power (or multiplying it by
𝑎𝑝−1 ), we get 𝑎𝑝 ≡ 0 (mod 𝑝), hence also 𝑎𝑝 ≡ 𝑎 (mod 𝑝) holds. □

Remarks: (1) The converse of the Euler–Fermat Theorem (Theorem 2.4.1) is also true,
i.e. (𝑎, 𝑚) = 1 is not only a sufficient, but also a necesssary condition for 𝑎𝜑(𝑚) ≡
1 (mod 𝑚). In fact, the following stronger proposition holds: There exists an
exponent 𝑘 > 0 such that 𝑎𝑘 ≡ 1 (mod 𝑚) only if 𝑎 and 𝑚 are coprime. Namely,
𝑎𝑘 ≡ 1 (mod 𝑚) implies (𝑎𝑘 , 𝑚) = (1, 𝑚) = 1 by Theorem 2.2.5, hence also
(𝑎, 𝑚) = 1 must hold.
(2) The second form of Fermat’s Little Theorem (Theorem 2.4.1B) has no natural gen-
eralization for arbitrary modulus 𝑚, i.e. there exists no simple variant of the gen-
eral Euler–Fermat Theorem that would be valid for every 𝑎 (see Exercise 2.4.15).
(3) As their names indicate, Theorems 2.4.1A and B are due to Fermat. Both variants
can be verified directly, without relying on Theorem 2.4.1. Form B can be proven
by induction (on 𝑎), and form A follows easily (see Exercise 2.4.16). Theorem 2.4.1
was found by Euler as a generalization of Fermat’s Little Theorem.
(4) The adjective “little” serves to distinguish this result from Fermat’s Last Theorem
which is a very famous and only recently solved problem of mathematics. We
shall treat this topic in Chapter 7.

Exercises 2.4

1. Prove 𝑛 ∣ 2𝑛! − 1 for any odd 𝑛.

2. Determine the last two digits of 17938642 (in decimal representation).
3. Verify that 𝑛20 + 4𝑛44 + 8𝑛80 is a multiple of 13 for every 𝑛.
4. Show that if 𝑛 is any integer, then at least one of 𝑛6 + 13 and 𝑛2 + 21 is a composite
number.
5. Prove 1703601900 ∣ 𝑎62 − 𝑎2 for every 𝑎.
6. Verify the following propositions:
(a) 11 ∣ 𝑎30 + 𝑏30 + 𝑐30 ⟹ 1130 ∣ 𝑎30 + 𝑏30 + 𝑐30 .
(b) 9 ∣ 𝑎30 + 𝑏30 + 𝑐30 ⟹ 915 ∣ 𝑎30 + 𝑏30 + 𝑐30 .
52 2. Congruences

7. Show that 𝑎88 − 𝑏88 is not divisible by 23 if and only if exactly one of 𝑎 and 𝑏 is
divisible by 23.
8. Let 𝑝 be a prime and 𝑟1 , . . . , 𝑟𝑝 be a complete residue system mod 𝑝. Prove that also
2𝑝−3 2𝑝−3
𝑟1 , . . . , 𝑟𝑝 is a complete residue system mod 𝑝.
9. (a) Let 𝑝 be a prime, 𝑎 an integer, and 𝑖 and 𝑗 positive integers satisfying 𝑖 ≡ 𝑗
(mod 𝑝 − 1). Prove 𝑎𝑖 ≡ 𝑎𝑗 (mod 𝑝).
(b) How can we generalize the assertion in (a) for arbitrary 𝑚 (instead of primes)?
10. True or false? (With decimal notation and powers with positive integer exponents.)
(a) Infinitely many powers of 133 terminate with the string 133.
(b) Infinitely many powers of 134 terminate with the string 134.
(c) Infinitely many powers of 136 terminate with the string 136.
11. Show that an infinite arithmetic progression of distinct positive integers 𝑎, 𝑎+𝑑, . . . ,
𝑎 + 𝑘𝑑, . . . contains infinitely many powers of 𝑎 (with positive integer exponents)
if and only if 𝑑/(𝑎, 𝑑) and 𝑎 are coprime.
12. Give a new solution to Exercise 1.3.12a using the Euler–Fermat Theorem.
13. Verify that every positive odd divisor of 𝑛2 + 1 is of the form 4𝑘 + 1.
14. Assume that 19 divides 𝑎40 + 𝑏40 . Show that then 19 must divide both 𝑎 and 𝑏, as
well.
15. Verify the following propositions and investigate their relation to Fermat’s Little
Theorem.
(a) 𝑎𝜑(𝑚)+1 ≡ 𝑎 (mod 𝑚) holds for every 𝑎 if and only if 𝑚 is squarefree.
(b) 𝑎𝑚 ≡ 𝑎𝑚−𝜑(𝑚) (mod 𝑚) holds for every 𝑚 and 𝑎.
(c) 𝑎1729 ≡ 𝑎 (mod 1729) holds for every 𝑎.
16. Give a direct proof of both versions of Fermat’s Little Theorem: First verify Theo-
rem 2.4.1B by induction and then deduce Theorem 2.4.1A.

2.5. Linear Congruences

This section deals with the simplest type of congruences with variables (or congruence
equations), the linear congruences.
Definition 2.5.1. Let 𝑎 and 𝑏 be integers and 𝑚 a positive integer. The congruence
𝑎𝑥 ≡ 𝑏 (mod 𝑚) is called a linear congruence, and by a solution of it we mean an
integer 𝑠 which substituted into 𝑥 makes the congruence valid. ♣

Clearly, if 𝑠 is a solution, then every other element of the residue class (𝑠)𝑚 is a
solution, too. Hence, to find all solutions, it is enough to check a complete residue
system to see which elements of it satisfy the congruence; then all solutions are the
integers congruent to them.
Therefore the number of solutions of a linear congruence is defined as how many
pairwise incongruent integers satisfy the congruence, i.e. what is the number of residue
2.5. Linear Congruences 53

classes the solutions come from, or (again in a slightly different formulation) how many
elements of a complete residue system make the congruence valid. The same applies
for congruences of higher degree as well, thus we define this convention immediately
for the general case.

Definition 2.5.2. Let 𝑓 be a polynomial with integer coefficients. The number of so-
lutions of the congruence 𝑓(𝑥) ≡ 0 (mod 𝑚) is how many elements 𝑠 of a complete
residue system modulo 𝑚 satisfy 𝑓(𝑠) ≡ 0 (mod 𝑚). ♣

Since 𝑢 ≡ 𝑣 (mod 𝑚) ⟹ 𝑓(𝑢) ≡ 𝑓(𝑣) (mod 𝑚), this notion does not depend on
which complete residue system modulo 𝑚 we considered.
Returning to linear congruences, we want to answer the following questions aris-
ing for equations in general:
(i) What is a necessary and sufficient condition for solvability?
(ii) How many solutions do we have?
(iii) How can we describe or characterize all solutions?
(iv) Which methods yield these solutions?
We discuss solvability first.

Theorem 2.5.3. The congruence 𝑎𝑥 ≡ 𝑏 (mod 𝑚) is solvable if and only if (𝑎, 𝑚) ∣ 𝑏. ♣

Proof. The solvability of 𝑎𝑥 ≡ 𝑏 (mod 𝑚) means that 𝑎𝑠 ≡ 𝑏 (mod 𝑚) for some 𝑠.

This is equivalent to the existence of an integer 𝑡 satisfying 𝑎𝑠 + 𝑚𝑡 = 𝑏, i.e. 𝑠 and
𝑡 are a solution of the linear Diophantine equation 𝑎𝑥 + 𝑚𝑦 = 𝑏.
Hence, the linear congruence 𝑎𝑥 ≡ 𝑏 (mod 𝑚) is solvable if and only if the linear
Diophantine equation 𝑎𝑥 + 𝑚𝑦 = 𝑏 is solvable.
The necessary and sufficient condition for the solvability of the latter is
(𝑎, 𝑚) ∣ 𝑏, by Theorem 1.3.6. Thus the same criterion applies for the solvability of
𝑎𝑥 ≡ 𝑏 (mod 𝑚). □

We see from the proof that the linear congruence 𝑎𝑥 ≡ 𝑏 (mod 𝑚) and the linear
Diophantine equation 𝑎𝑥 + 𝑚𝑦 = 𝑏 can be deduced from each other. (Moreover, the
linear Diophantine equation 𝑎𝑥 + 𝑚𝑦 = 𝑏 can also be transformed into the linear
congruence 𝑚𝑦 ≡ 𝑏 (mod |𝑎|) if 𝑎 ≠ 0.)
Based on this, every result obtained for linear congruences can be used also for
linear Diophantine equations and vice versa.
We should be aware, however, of the significant differences: The solutions of a lin-
ear congruence are integers (or rather residue classes), whereas the solutions of a linear
Diophantine equation are pairs of integers; the number of solutions of a congruence is
finite, but a linear Diophantine equation has infinitely many solutions, etc.
In the next theorem, we determine the number of solutions of a linear congruence,
and also see how we can get all solutions from a given one.
54 2. Congruences

Theorem 2.5.4. (I) If 𝑎𝑥 ≡ 𝑏 (mod 𝑚) is solvable, then there are (𝑎, 𝑚) solutions.
(II) Let (𝑎, 𝑚) = 𝑑, 𝑚 = 𝑑𝑚1 , and 𝑠 be a solution of 𝑎𝑥 ≡ 𝑏 (mod 𝑚). Then
(2.5.1) 𝑠, 𝑠 + 𝑚1 , 𝑠 + 2𝑚1 , ... , 𝑠 + (𝑑 − 1)𝑚1
are pairwise incongruent modulo 𝑚, satisfy the congruence, and every solution is
congruent to one of them modulo 𝑚. ♣

Proof. We verify the two assertions simultaneously.

We assumed that 𝑠 was a solution, so
(2.5.2) 𝑎𝑠 ≡ 𝑏 (mod 𝑚) .
An integer 𝑡 is a solution if and only if
(2.5.3) 𝑎𝑡 ≡ 𝑏 (mod 𝑚) .
Using (2.5.2), formula (2.5.3) is equivalent to
(2.5.4) 𝑎𝑡 ≡ 𝑎𝑠 (mod 𝑚) .
By Theorem 2.1.3, (2.5.4) is equivalent to
𝑚
𝑡 ≡ 𝑠 (mod ) or 𝑡 ≡ 𝑠 (mod 𝑚1 ) .
(𝑚, 𝑎)
We can rewrite this as
(2.5.5) 𝑡 = 𝑠 + 𝑘𝑚1 ,
with some integer 𝑘.
This means that the numbers 𝑡 in (2.5.5) give all solutions of 𝑎𝑥 ≡ 𝑏 (mod 𝑚).
Thus, we have to prove that these integers 𝑡 in (2.5.5) belong to 𝑑 distinct residue
classes and (2.5.1) lists a representative from each class.
When do two such 𝑡 fall into the same residue class modulo 𝑚? Let
𝑡 ′ = 𝑠 + 𝑘 ′ 𝑚1 and 𝑡 ″ = 𝑠 + 𝑘 ″ 𝑚1 .
Then
(2.5.6) 𝑡′ ≡ 𝑡″ (mod 𝑚) ⟺ 𝑘′ 𝑚1 ≡ 𝑘″ 𝑚1 (mod 𝑚) ⟺ 𝑘′ ≡ 𝑘″ (mod 𝑑) .
Here, we first subtracted 𝑠 from 𝑡′ ≡ 𝑡″ (mod 𝑚), then cancelled 𝑚1 and changed the
modulus to 𝑚/(𝑚1 , 𝑚) = 𝑚/𝑚1 = 𝑑, according to Theorem 2.1.3.
Implication (2.5.6) means that two integers 𝑡 fall into the same residue class mod-
ulo 𝑚 if and only if the relevant two integers 𝑘 are congruent modulo 𝑑.
Thus, if 𝑘 assumes the values 0, 1, . . . , 𝑑 − 1, then the integers
𝑡 = 𝑠 + 𝑘𝑚1 , or 𝑠, 𝑠 + 𝑚1 , . . . , 𝑠 + (𝑑 − 1)𝑚1
occurring in (2.5.1) are just the representatives of the relevant residue classes mod-
ulo 𝑚. □

The most important special case of the linear congruence 𝑎𝑥 ≡ 𝑏 (mod 𝑚) is when
(𝑎, 𝑚) = 1. Then (𝑎, 𝑚) ∣ 𝑏 holds automatically, so the congruence is solvable, by The-
orem 2.5.3, and it has (𝑎, 𝑚) = 1 (pairwise incongruent) solutions, by Theorem 2.5.4.
2.5. Linear Congruences 55

We state this important result as a theorem:

Theorem 2.5.5. If (𝑎, 𝑚) = 1, then the congruence 𝑎𝑥 ≡ 𝑏 (mod 𝑚) is solvable for every
𝑏 and the number of solutions is 1. ♣

We make some general preliminary remarks concerning methods for finding the
solutions.
(A) In general, it is advisable to check by the criterion of Theorem 2.5.3 whether the
congruence is solvable at all.
(B) If (𝑎, 𝑚) = 1, then the congruence is satisfied by the elements of just one residue
class, so if we find somehow a solution, then we are done. Also, in the general
case, it is sufficient to guess a single solution because we can easily obtain all
solutions by Theorem 2.5.4/II.
(C) In most cases, the best start is to reduce the original linear congruence to one
where the coefficient of 𝑥 and the modulus are coprime. We can do this as follows.
If 𝑎𝑥 ≡ 𝑏 (mod 𝑚) is solvable, then (𝑎, 𝑚) ∣ 𝑏. Let 𝑑 = (𝑎, 𝑚), then
𝑎 = 𝑑𝑎1 , 𝑚 = 𝑑𝑚1 , 𝑏 = 𝑑𝑏1 , and (𝑎1 , 𝑚1 ) = 1.
Hence, we can divide the congruence by 𝑑 (including also the modulus): 𝑎𝑥 ≡ 𝑏
(mod 𝑚) is equivalent to 𝑎1 𝑥 ≡ 𝑏1 (mod 𝑚1 ) and here (𝑎1 , 𝑚1 ) = 1. (Looking at
the corresponding Diophantine equations, this just means that 𝑎𝑥 + 𝑚𝑦 = 𝑏 is
divided by 𝑑 to yield 𝑎1 𝑥 + 𝑚1 𝑦 = 𝑏1 .)
The word “equivalent” in the previous paragraph should remind us that though
the two congruences are satisfied by the same integers, we have to group them into
residue classes of different moduli: mod 𝑚 at the first congruence and mod 𝑚1 at the
second one. As a consequence, the two congruences will differ also in the number of
solutions (for 𝑑 > 1).
We turn now to the detailed discussion of a few methods for finding the solutions
of a linear congruence. Each will be illustrated by an example.
M1 Trial. We check each element of a complete residue system modulo 𝑚 to see if it
satisfies the congruence. (This should be applied only for very small moduli.)
E1 23𝑥 ≡ 11 (mod 5). To make calculations simpler, it is worthwhile to replace the
coefficients with congruent numbers having smaller (absolute) value before substitut-
ing into 𝑥: 3𝑥 ≡ 1 (mod 5) or −2𝑥 ≡ 1 (mod 5). Testing the numbers 0, 1, 2, 3, 4 (or
0, ±1, ±2), we obtain that the residue class 𝑥 ≡ 2 (mod 5) is the only solution. (Since
(23, 5) = 1 implies that there is only one solution, after finding it we do not have to
check more numbers.)
M2 Diophantine equation. We reduce the linear congruence to a Diophantine equation
as seen in the proof of Theorem 2.5.3, and then reconstitute its solutions into solutions
of the congruence.
E2 18𝑥 ≡ 38 (mod 28). The corresponding Diophantine equation is 18𝑥 + 28𝑦 = 38.
Dividing by 2, we obtain 9𝑥 +14𝑦 = 19. Following the proof of Theorem 1.3.6, we write
the gcd of 9 and 14 in form 9𝑢+14𝑣. From the Euclidean algorithm or after a few trials,
56 2. Congruences

we have 9 ⋅ (−3) + 14 ⋅ 2 = 1. Multiplying by 19, we obtain 9 ⋅ (−57) + 14 ⋅ 38 = 19, so

𝑥 = −57, 𝑦 = 38 is a solution of the equation 9𝑥 + 14𝑦 = 19.
Returning to the congruence 18𝑥 ≡ 38 (mod 28), this means that 𝑥 = −57 is a
solution. We find all solutions by Theorem 2.5.4/II: 𝑥 ≡ −57 (mod 28) and 𝑥 ≡ −43
(mod 28). (The representatives −57 and −43 can be replaced by any others, e.g. by −1
and 13.)
Note that to solve a linear Diophantine equation, it is more convenient to apply
the procedure described in Section 7.1 that characterizes all solutions immediately in
a parametric form. (Actually, also this is a variant of the Euclidean algorithm.)
M3 Euler–Fermat Theorem. We reduce the congruence 𝑎𝑥 ≡ 𝑏 (mod 𝑚) to 𝑎1 𝑥 ≡ 𝑏1
𝜑(𝑚 )
(mod 𝑚1 ) where (𝑎1 , 𝑚1 ) = 1, as seen in remark (C). T hen 𝑎1 1 ≡ 1 (mod 𝑚1 ) by
𝜑(𝑚 )−1
the Euler–Fermat Theorem. Therefore 𝑥 = 𝑎1 1 𝑏1 is a solution:
𝜑(𝑚1 )−1 𝜑(𝑚1 )
𝑎1 ⋅ 𝑎1 𝑏 1 = 𝑎1 𝑏1 ≡ 𝑏1 (mod 𝑚1 ) .

𝜑(𝑚 )−1
Hence, 𝑥 = 𝑎1 1 𝑏1 is a solution of the original congruence, too. Finally, we can
obtain all solutions from Theorem 2.5.4/II.
E3 36𝑥 ≡ 81 (mod 21). Here (36, 21) = 3, hence we can reduce the problem to the
congruence 12𝑥 ≡ 27 (mod 7). Decreasing the coefficients, we obtain −2𝑥 ≡ −1
(mod 7). Its solution is 𝑥 = (−2)6−1 (−1) ≡ 4 (mod 7). Thus, all solutions of the
original congruence are 𝑥 ≡ 4, 11, 18 (mod 21).
Reducing the coefficients in the congruence 12𝑥 ≡ 27 (mod 7), we may choose
the least non-negative remainders instead of the ones with least absolute value. Then
we get 5𝑥 ≡ 6 (mod 7) and 𝑥 ≡ 55 ⋅ 6 (mod 7).
Since (12, 7) = 1, 12𝑥 ≡ 27 (mod 7) has a unique solution modulo 7, i.e. 55 ⋅ 6 ≡ 4
(mod 7) For a direct verification, one should not compute the actual value of 55 but
rather take the remainders modulo 7 while raising to powers:

52 = 25 ≡ 4 (mod 7) , 54 ≡ 42 ≡ 2 (mod 7) , 55 ≡ 5 ⋅ 2 ≡ 3 (mod 7) ,

hence 6 ⋅ 55 ≡ 6 ⋅ 3 ≡ 4 (mod 7).

M4 Tricks. Multiplying or dividing the congruence by well-chosen integers coprime
to the modulus, we get equivalent congruences till finally we can easily read the solu-
tion(s).
E4 Consider 80𝑥 ≡ 32 (mod 108). Here (80, 108) = 4, so we can reduce the problem
to solve 20𝑥 ≡ 8 (mod 27).
As (4, 27) = 1, cancelling 4 yields an equivalent congruence: 5𝑥 ≡ 2 (mod 27).
We show two methods of how to get rid of the coefficient 5 in 5𝑥 ≡ 2 (mod 27).
I. Division: We can replace 2 on the right-hand side by −25: 5𝑥 ≡ −25 (mod 27).
Since (5, 27) = 1, we can cancel the 5: 𝑥 ≡ −5 (mod 27).
II. Multiplication: We multiply by a suitable number to change the coefficient of 𝑥
into an integer congruent to 1 (or −1) modulo 27. (This multiplier is then automatically
coprime to 27 guaranteeing equivalence.) We can multiply our congruence 5𝑥 ≡ 2
 Exercises 2.5 57

(mod 27) by 11: 55𝑥 ≡ 22 (mod 27) and since 55 ≡ 1 (mod 27) we obtain 𝑥 ≡ 22(≡ −5)
(mod 27).
So the solutions of the original congruence are 𝑥 ≡ −5, 22, 49, 76 (mod 108).
Comparing the above methods, M3 or M4 could seem to be the easiest to apply at
first sight. It turns out, however, that only M2 works for large moduli. This will be
treated in Section 5.7.

Exercises 2.5

1. Solve Examples E1–E4 with every method M2–M4.

2. Solve the following congruences:
(a) 24𝑥 ≡ 60 (mod 51)
(b) 100𝑥 ≡ 88 (mod 116)
(c) 555𝑥 ≡ 5555 (mod 55555)
(d) (2𝑘 + 1)𝑥 ≡ 2𝑘+1 + 1 (mod 2𝑘+2 + 1)
(e) 10𝑥39 + 8𝑥20 + 9𝑥3 + 7𝑥 ≡ 0 (mod 19)
(f) 13𝑥41 ≡ 27 (mod 100).
3. Determine the two smallest positive integers which when multiplied by 13 will
have last digit 3 and next to last digit 4 in the number system of base seven.
4. Compute the last two digits of 3279 (in decimal representation).
5. Check (each of) the following conditions to see if they are sufficient for the solv-
ability of the congruence 𝑎𝑥 ≡ 𝑏 (mod 𝑚).
(a) (𝑎, 𝑚) ∣ (𝑎, 𝑏)
(b) (𝑎, 𝑏) ∣ (𝑎, 𝑚)
(c) 𝑎, 𝑚, 𝑏 is an arithmetic progression
(d) 𝑎, 𝑚, 𝑏 is a geometric series
(e) 𝑎, 𝑏, 𝑚 is an arithmetic progression
(f) 𝑎, 𝑏, 𝑚 is a geometric series.
6. True or false?
(a) The number of solutions of 𝑎𝑥 ≡ 𝑏 (mod 𝑚) is at most 𝑏 if 𝑏 > 0.
(b) If 𝑎𝑥 ≡ 𝑏 (mod 𝑚) is solvable, then 𝑎2 𝑥 ≡ 𝑏2 (mod 𝑚2 ) is solvable.
(c) If both 𝑎1 𝑥 ≡ 𝑏1 (mod 𝑚1 ) and 𝑎2 𝑥 ≡ 𝑏2 (mod 𝑚2 ) are solvable, then 𝑎1 𝑎2 𝑥 ≡
𝑏1 𝑏2 (mod 𝑚1 𝑚2 ) is solvable.
S 7. Let 𝑎 and 𝑚 be fixed and denote the number of solutions of 𝑎𝑥 ≡ 𝑏 (mod 𝑚) by
𝑚
𝑓(𝑏). Compute ∑𝑏=1 𝑓(𝑏).
58 2. Congruences

2.6. Simultaneous Systems of Congruences

A simultaneous system of congruences means that several congruence conditions with
different moduli are imposed on the same variable:
𝑓1 (𝑥) ≡ 0 (mod 𝑚1 ) , 𝑓2 (𝑥) ≡ 0 (mod 𝑚2 ) , ... , 𝑓𝑘 (𝑥) ≡ 0 (mod 𝑚𝑘 )
where 𝑓1 , . . . , 𝑓𝑘 are polynomials with integer coefficients.
Clearly, a necessary condition for the solvability of such a system is that each con-
gruence should be solvable. Thus, after solving the individual congruences, we have
to study only the (special linear) systems of the form
𝑥 ≡ 𝑐 1 (mod 𝑚1 ) , 𝑥 ≡ 𝑐 2 (mod 𝑚2 ) , ... , 𝑥 ≡ 𝑐 𝑘 (mod 𝑚𝑘 ) .
We consider first systems with two congruences.
Theorem 2.6.1. (I) The simultaneous system of congruences
𝑥 ≡ 𝑐 1 (mod 𝑚1 )
(2.6.1)
𝑥 ≡ 𝑐 2 (mod 𝑚2 )
is solvable if and only if
(𝑚1 , 𝑚2 ) ∣ 𝑐 1 − 𝑐 2 .
(II) If solvable, the solutions form a residue class modulo [𝑚1 , 𝑚2 ]. Or, putting it into
another form: if 𝑠 is a solution, then all solutions 𝑡 are given by
𝑡 ≡ 𝑠 (mod [𝑚1 , 𝑚2 ]) , or 𝑡 = 𝑠 + 𝑘[𝑚1 , 𝑚2 ], where 𝑘 is an integer. ♣

The proof will yield a method for finding the solutions; one has to solve a linear
Diophantine equation (or, equivalently, a linear congruence).

Proof. I. By the definition of congruences, (2.6.1) can be transformed into

(2.6.2) 𝑥 = 𝑐 1 + 𝑧 1 𝑚1 , 𝑥 = 𝑐 2 + 𝑧 2 𝑚2
where 𝑧1 and 𝑧2 are integers.
Condition (2.6.2) is equivalent to
(2.6.3) 𝑐 1 + 𝑧 1 𝑚1 = 𝑐 2 + 𝑧 2 𝑚2 .
Rearranging (2.6.3), we obtain
(2.6.4) 𝑐 1 − 𝑐 2 = 𝑧 2 𝑚2 − 𝑧 1 𝑚1 .

This means that the system of congruences (2.6.1) can be reduced to the linear
Diophantine equation (2.6.4).
By Theorem 1.3.6, it is solvable if and only if (𝑚1 , 𝑚2 ) ∣ 𝑐 1 − 𝑐 2 , hence the same
applies for (2.6.1).
As we indicated before the proof, we also obtained a method of finding the solu-
tions: we have to solve Diophantine equation (2.6.4) or a corresponding congruence.
II. Let 𝑠 be a solution so
𝑠 ≡ 𝑐 1 (mod 𝑚1 ) ,
(2.6.5)
𝑠 ≡ 𝑐 2 (mod 𝑚2 ) .
2.6. Simultaneous Systems of Congruences 59

An integer 𝑡 is a solution if and only if

𝑡 ≡ 𝑐 1 (mod 𝑚1 ) ,
(2.6.6)
𝑡 ≡ 𝑐 2 (mod 𝑚2 ) .
Using (2.6.5), condition (2.6.6) is equivalent to
𝑡 ≡ 𝑠 (mod 𝑚1 )
(2.6.7)
𝑡 ≡ 𝑠 (mod 𝑚2 ) .
Rewrite (2.6.7) as divisibilities and apply the properties of lcm (Theorem 1.6.6/II):
𝑚1 ∣ 𝑡 − 𝑠
} ⟺ [𝑚1 , 𝑚2 ] ∣ 𝑡 − 𝑠 ⟺ 𝑡 ≡ 𝑠 (mod [𝑚1 , 𝑚2 ]) . □
𝑚2 ∣ 𝑡 − 𝑠

The most importamt special case is when the moduli 𝑚1 and 𝑚2 in system (2.6.1)
are coprime. Then (𝑚1 , 𝑚2 ) ∣ 𝑐 1 − 𝑐 2 holds automatically, so the system of congruences
is solvable and the solutions form a unique residue class modulo 𝑚1 𝑚2 . We state this
important result as a theorem:
Theorem 2.6.1A. If (𝑚1 , 𝑚2 ) = 1, then the simultaneous system of congruences
𝑥 ≡ 𝑐 1 (mod 𝑚1 )
𝑥 ≡ 𝑐 2 (mod 𝑚2 )
is solvable for arbitrary 𝑐 1 and 𝑐 2 , and the solutions form a single residue class modulo
𝑚1 𝑚2 .

Theorem 2.6.1A implies that if 𝑚1 and 𝑚2 are coprime, then the remainder of a
number when divided by 𝑚1 is independent of its remainder mod 𝑚2 . For example, the
last digits of an integer give its remainder modulo a power of 10 and they provide no
information on the remainder, say, modulo 3, 7, or 13, since these moduli are coprime
to 10.
Turning to systems consisting of more than two congruences, we deal only with the
case when the moduli are pairwise coprime (see Exercise 2.6.13 for the general case).
This result was known by the Chinese mathematician Sun Tsu about 2000(!) years ago,
therefore it is generally referred to as the Chinese Remainder Theorem.
Theorem 2.6.2 (Chinese Remainder Theorem). Let 𝑚1 , . . . , 𝑚𝑘 be pairwise coprime.
Then the system of congruences
𝑥 ≡ 𝑐 1 (mod 𝑚1 )
𝑥 ≡ 𝑐 2 (mod 𝑚2 )
(2.6.8)
⋮
𝑥 ≡ 𝑐 𝑘 (mod 𝑚𝑘 )
is solvable for any integers 𝑐 1 , . . . , 𝑐 𝑘 , and the solutions form one residue class modulo
𝑚1 𝑚2 . . . 𝑚 𝑘 . ♣

First proof. We can easily obtain the result from Theorem 2.6.1A by induction on 𝑘.
The case 𝑘 = 2 is just Theorem 2.6.1A.
60 2. Congruences

Assume now that the statement is true for systems of 𝑘 − 1 congruences, and
consider the system (2.6.8) of 𝑘 congruences. The integers satsifying the first 𝑘 − 1
congruences constitute one residue class modulo 𝑚1 𝑚2 . . . 𝑚𝑘−1 by the induction hy-
pothesis, so we can replace the first 𝑘 − 1 congruences by the congruence 𝑥 ≡ 𝑐
(mod 𝑚1 𝑚2 . . . 𝑚𝑘−1 ) with a suitable integer 𝑐. Thus, (2.6.8) is equivalent to the system
𝑥 ≡ 𝑐 (mod 𝑚1 𝑚2 . . . 𝑚𝑘−1 )
(2.6.9)
𝑥 ≡ 𝑐 𝑘 (mod 𝑚𝑘 )
Applying Theorem 2.6.1A to (2.6.9), we obtain just the statement for 𝑘. □

Second proof. We show a new argument for solvability and we produce a solution in
an explicit form (in a certain sense).
The procedure reminds us somewhat of the construction of the interpolation poly-
nomials by Lagrange.
We consider first the special case of (2.6.8) when one 𝑐 𝑖 is 1 and all other 𝑐𝑗 are 0,
and then use this result to solve the general case.
Let us see the details. Let
𝑀
𝑀 = 𝑚1 . . . 𝑚𝑘 and 𝑀𝑖 = , 𝑖 = 1, 2, . . . , 𝑘.
𝑚𝑖
Since the moduli 𝑚1 , . . . , 𝑚𝑘 are pairwise coprime,
(2.6.10) (𝑀𝑖 , 𝑚𝑖 ) = 1, 𝑖 = 1, 2, . . . , 𝑘.
I. We fix an index 1 ≤ 𝑖 ≤ 𝑛 and solve the problem in the special case when 𝑐 𝑖 = 1 and
𝑐𝑗 = 0 for 𝑗 ≠ 𝑖 in (2.6.8).
The congruences 𝑥 ≡ 0 (mod 𝑚𝑗 ) mean that 𝑥 is a multiple of every 𝑚𝑗 with 𝑗 ≠ 𝑖.
The moduli 𝑚𝑗 are pairwise coprime, hence equivalently 𝑥 is a multiple of the product
𝑀𝑖 of the numbers 𝑚𝑗 : 𝑥 = 𝑀𝑖 𝑧.
Substituting this in the remaining congruence 𝑥 ≡ 1 (mod 𝑚𝑖 ), we obtain
(2.6.11) 𝑀𝑖 𝑧 ≡ 1 (mod 𝑚𝑖 ) .

This a linear congruence for 𝑧 that is solvable by (2.6.10).

Let 𝑏𝑖 be a solution of (2.6.11). Then 𝑥 = 𝑏𝑖 𝑀𝑖 is a solution of (2.6.8).
II. We consider now the general case with arbitrary 𝑐 𝑖 in (2.6.8). We show that
(2.6.12) 𝑥 = 𝑐 1 𝑏1 𝑀1 + ⋯ + 𝑐 𝑘 𝑏𝑘 𝑀𝑘 (where 𝑀𝑖 𝑏𝑖 ≡ 1 (mod 𝑚𝑖 ), 𝑖 = 1, . . . , 𝑘)
is a solution of (2.6.8).
Let us check for example the congruence 𝑥 ≡ 𝑐 3 (mod 𝑚3 ). Since 𝑏3 𝑀3 ≡ 1
(mod 𝑚3 ) and all the other 𝑀𝑗 are divisible by 𝑚3 , therefore the right-hand side of
(2.6.12)
𝑐 1 𝑏1 𝑀1 + ⋯ + 𝑐 𝑘 𝑏𝑘 𝑀𝑘 ≡ 𝑐 3 𝑏3 𝑀3 ≡ 𝑐 3 (mod 𝑚3 ) . □

An important corollary of Theorem 2.6.2 is that any congruence with a composite

modulus can be reduced to congruences with prime power moduli. If the standard
2.6. Simultaneous Systems of Congruences 61

𝛼 𝛼
form of 𝑚 is 𝑚 = 𝑝1 1 . . . 𝑝𝑟 𝑟 , then the congruence
(2.6.13) 𝑓(𝑥) ≡ 0 (mod 𝑚)
is equivalent to the system
𝛼
𝑓(𝑥) ≡ 0 (mod 𝑝1 1 )
𝛼
𝑓(𝑥) ≡ 0 (mod 𝑝2 2 )
(2.6.14)
⋮
𝛼
𝑓(𝑥) ≡ 0 (mod 𝑝𝑟 𝑟 ) .
We solve every congruence of (2.6.14) separately. If some of them are not solvable,
then (2.6.13) is not solvable either. If all of them are solvable, then consider a solution
of each, say ℎ1 , . . . , ℎ𝑟 . Now, solving the system
𝛼
𝑥 ≡ ℎ1 (mod 𝑝1 1 )
𝛼
𝑥 ≡ ℎ2 (mod 𝑝2 2 )
⋮
𝛼
𝑥 ≡ ℎ𝑟 (mod 𝑝𝑟 𝑟 ) ,
we get a solution of the original congruence (2.6.13). We obtain all solutions by con-
sidering all possible solution systems ℎ1 , . . . , ℎ𝑟 for the congruences (2.6.14).
Example E1. Solve the congruence
(2.6.15) 10𝑥84 + 3𝑥 + 7 ≡ 0 (mod 245) .
By the above, (2.6.15) is equivalent to the system
(2.6.16) 10𝑥84 + 3𝑥 + 7 ≡ 0 (mod 5)
(2.6.17) 10𝑥84 + 3𝑥 + 7 ≡ 0 (mod 49) .
(2.6.16) is identical to 3𝑥 + 7 ≡ 0 (mod 5) since 10 ≡ 0 (mod 5). The only solution of
this linear congruence is
(2.6.16a) 𝑥 ≡ 1 (mod 5) .

In looking for the solutions of (2.6.17), we distinguish two cases:

(i) (𝑥, 49) = 1
(ii) (𝑥, 49) ≠ 1.
In case (i),
𝑥84 = 𝑥2𝜑(49) ≡ 1 (mod 49) ,
by the Euler–Fermat Theorem. Thus (2.6.17) is equivalent to 3𝑥 + 17 ≡ 0 (mod 49) in
this case. This has one solution
(2.6.17a) 𝑥 ≡ −22 (mod 49) .

In case (ii), 7 ∣ 𝑥. Then 𝑥84 ≡ 0 (mod 49). Thus (2.6.17) is equivalent to 3𝑥 + 7 ≡ 0

(mod 49) in this case. The only solution (satisfying also the condition 7 ∣ 𝑥) is
(2.6.17b) 𝑥 ≡ 14 (mod 49) .
62 2. Congruences

Thus, the solutions of (2.6.15) are obtained from the systems

(2.6.16a) 𝑥≡1 (mod 5) .

(2.6.17a) 𝑥 ≡ −22 (mod 49) .

and

(2.6.16a) 𝑥 ≡ 1 (mod 5) .
(2.6.17b) 𝑥 ≡ 14 (mod 49) .

To determine the solutions, we can use the procedure in the proof of Theorem 2.6.1,
but it is often more convenient to apply the following method.
From the congruence (2.6.17a)—using the larger modulus—-we have:

(2.6.18) 𝑥 = 49𝑧 − 22.

Substituting (2.6.18) into (2.6.16a), we get

49𝑧 − 22 ≡ 1 (mod 5) .

We find that

(2.6.19) 𝑧 ≡ 2 (mod 5) so 𝑧 = 5𝑤 + 2.

Substituting (2.6.19) back into (2.6.18), we obtain 𝑥 = 245𝑤 + 76. Thus the solution of
the first system of congruences is 𝑥 ≡ 76 (mod 245).
Proceeding similarly, the solution of the second system is 𝑥 ≡ 161 (mod 245).
Thus all solutions of (2.6.15) are

𝑥 ≡ 76 (mod 245) and 𝑥 ≡ 161 (mod 245) .

Finally, we discuss an application of the Chinese Remainder Theorem in computer

science. Many operations in computers are composed of a sequence of additions, sub-
tractions, and multiplications of integers. Therefore, it is essential to know how quickly
these basic steps can be performed.
Consider e.g. addition. Using the usual representation in a number system, the
addition of digits cannot be done independently since overflows influence the result
significantly. In the so-called remainder number systems, however, we can perform the
operations with the “digits.” i.e. remainders, absolutely independently. This is mostly
used if there are many parallel processors available.
The main point of the method is the following. Assume that only integers with
absolute value less than 𝑁 can occur during the operations. (This is no restriction
since every computer can display and work with numbers only up to a given limit.)
Let 𝑚 = 𝑝1 . . . 𝑝𝑟 be the product of the first 𝑟 (positive) primes, and choose 𝑟 to satisfy
𝑚 > 2𝑁.
Then every integer with absolute value less than 𝑁 is equal to its remainder of least
absolute value modulo 𝑚. And this can be represented by the system of remainders
modulo 𝑝 𝑖 , which will be the digits in the remainder number system.
2.6. Simultaneous Systems of Congruences 63

The digits actually are a simultaneous system of congruences where the moduli 𝑝 𝑖
are pairwise coprime, hence the remainder modulo 𝑚, i.e. the original number itself,
can be uniquely reconstructed.
Adding or multiplying two numbers, we have to add or multiply the correspond-
ing remainders (i.e. digits), there is no overflow, and the operations can be performed
independently for the various moduli. From the system of the remainders modulo 𝑝 𝑖
thus obtained, we have to determine the remainder modulo 𝑚, i.e. the number itself.
Example E2. As an illustration, let 𝑁 = 1000, and we execute the multiplication 27⋅34
in the remainder number system.
We can take
𝑚 = 2 ⋅ 3 ⋅ 5 ⋅ 7 ⋅ 11 = 2310.
The remainders of 27 when divided by the primes 2, 3, 5, 7, and 11 are 1, 0, 2, 6, and 5,
so the representation of 27 in the remainder number system is
27 = (1, 0, 2, 6, 5).
Similarly,
34 = (0, 1, 4, 6, 1).
To do the multiplication 27 ⋅ 34, we multiply the corresponding digits (there is no over-
flow), reduce the products modulo 𝑝 𝑖 , and solve the resulting system of congruences:
27 ⋅ 34 = (1 ⋅ 0, 0 ⋅ 1, 2 ⋅ 4, 6 ⋅ 6, 5 ⋅ 1) = (0, 0, 3, 1, 5).
The solution of the system
𝑥 ≡ 0 (mod 2)
𝑥 ≡ 0 (mod 3)
𝑥 ≡ 3 (mod 5)
𝑥 ≡ 1 (mod 7)
𝑥 ≡ 5 (mod 11)
is
𝑥 ≡ 918 (mod 2310) .
Thus, 27 ⋅ 34 = 918.

If we perform more operations, we can keep working with the form in the remain-
der number system and convert only the final result into the usual representation of
numbers.
We mention that systems of congruences can similarly be applied also to solve
systems of linear equations (with rational coefficients). The main point of the method
is that the system of equations is handled modulo various prime moduli, and from
the solutions obtained we determine the solution modulo the product of these primes.
This yields the solution wanted if certain conditions are satisfied and sufficiently many
moduli are used. The advantage of the method in contrast with the traditional Gaussian
elimination is that no too large (or too small) numbers can occur here, and thus there
is no danger of overflow.
 64 2. Congruences

Exercises 2.6

(We use decimal representation unless stated otherwise.)

1. (a) A centipede wants to count its feet knowing that their number does not exceed
250. Counting them in elevens and in fifteens, 5 and 3 are left out. How many
feet has the centipede?
(b) Another centipede tries this method, too. It counts its feet by twelves and
fifteens and finds that 4 and 8 are left out. Prove that it made a miscalculation.
2. The last digit of an integer in number system with base 20 is “eleven”. What can
be its last digit with base (a) 9 (b) 8?
3. Solve the congruences:
(a) 2𝑥20 + 3𝑥 + 4 ≡ 0 (mod 176)
(b) 21𝑥66 + 16𝑥30 + 11𝑥 + 6 ≡ 0 (mod 333)
(c) 3𝑥9 + 5𝑥 + 7 ≡ 0 (mod 105).
4. Let 𝑎, 𝑏, and 𝑐 be pairwise coprime integers greater than 1. What is the remainder
(a) of 𝑎𝜑(𝑏) + 𝑏𝜑(𝑎) modulo 𝑎𝑏
(b) of 𝑎𝜑(𝑏𝑐) + 𝑏𝜑(𝑎𝑐) + 𝑐𝜑(𝑎𝑏) modulo 𝑎𝑏𝑐?
5. Determine the last three digits of 12349876 .
6. I thought of an integer between 200 and 2000. Adding its 501st and 201st power to
the original number, the sum will terminate in 998. Which number did I think of?
7. Which are those (a) two digit (b) three digit positive integers whose squares termi-
nate in the same two and three digits, respectively?
8. (a) How many 21-digit positive integers have the property that every power of
them terminates with the same 20 digits as the original number?
(b) How many 21-digit positive integers have the property that every odd power
of them terminates with the same 20 digits as the original number?
37
S 9. What will be the exact time (in hours and minutes) 3938 minutes after midnight?
10. (a) Let (𝑎, 𝑏) = 1, and 𝑟1 , . . . , 𝑟𝜑(𝑎) and 𝑠1 , . . . , 𝑠𝜑(𝑏) be reduced residue systems
modulo 𝑎 and modulo 𝑏. For 𝑖 = 1, . . . , 𝜑(𝑎), 𝑗 = 1, . . . , 𝜑(𝑏), denote by 𝑐 𝑖𝑗 a
solution of the system
𝑥 ≡ 𝑟 𝑖 (mod 𝑎)
𝑥 ≡ 𝑠𝑗 (mod 𝑏) .
Show that the 𝑐 𝑖𝑗 form a reduced residue system modulo 𝑎𝑏. Use only the
definition of the reduced residue system (Definition 2.2.8) during the proof,
and do not rely on Theorem 2.2.9 or on part (b) of this exercise.
(b) Give a new proof for (𝑎, 𝑏) = 1 ⟹ 𝜑(𝑎𝑏) = 𝜑(𝑎)𝜑(𝑏).
 Exercises 2.6 65

11. Verify that there are arbitrarily large gaps in the sequence of squarefree numbers.
That is, for any 𝐾, there exist 𝐾 consecutive positive integers none of which is
squarefree.

* 12. (a) Prove that the following two systems are solvable for any positive integers 𝑎,
𝑏, and 𝑐.
(a1) 𝑥 ≡ 𝑎 + 𝑏 (mod 𝑐)
𝑥 ≡ 𝑏 + 𝑐 (mod 𝑎)
𝑥 ≡ 𝑐 + 𝑎 (mod 𝑏)
(a2) 𝑥 ≡ 𝑎𝑏 (mod 𝑐)
𝑥 ≡ 𝑏𝑐 (mod 𝑎)
𝑥 ≡ 𝑐𝑎 (mod 𝑏) .
(b) Show that

𝑥 ≡ 𝑏 (mod 𝑐) , 𝑥 ≡ 𝑐 (mod 𝑎) , 𝑥 ≡ 𝑎 (mod 𝑏)

is solvable if and only if (𝑎, 𝑏) = (𝑏, 𝑐) = (𝑐, 𝑎).

* 13. Demonstrate that the system

𝑥 ≡ 𝑐 1 (mod 𝑚1 ) , 𝑥 ≡ 𝑐 2 (mod 𝑚2 ) , ... , 𝑥 ≡ 𝑐 𝑘 (mod 𝑚𝑘 )

(where the moduli 𝑚𝑖 are not necessarily pairwise coprime) is solvable if and only
if (𝑚𝑖 , 𝑚𝑗 ) ∣ 𝑐 𝑖 − 𝑐𝑗 for every 1 ≤ 𝑖 < 𝑗 ≤ 𝑘.

14. Does there exist a polynomial 𝑓(𝑥) with integer coefficients for which the congru-
ence 𝑓(𝑥) ≡ 0 (mod 30) has exactly 14 solutions?

15. (a) Prove that there exist integers forming both a complete residue system mod-
ulo 𝑛 and a reduced residue system modulo 𝑘 if and only if 𝜑(𝑘) = 𝑛 and
(𝑘, 𝑛) = 1.
** (b) Prove that there exist integers forming a reduced residue system both mod-
ulo 𝑛 and modulo 𝑘 if and only if 𝜑(𝑛) = 𝜑(𝑘).

16.* (a) Verify that for any distinct integers 𝑎1 , 𝑎2 , and 𝑎3 , there exist infinitely many
positive numbers 𝑛 such that 𝑎1 + 𝑛, 𝑎2 + 𝑛, and 𝑎3 + 𝑛 are pairwise coprime.
(b) Find distinct integers 𝑎1 , 𝑎2 , 𝑎3 , and 𝑎4 such that the numbers 𝑎𝑖 + 𝑛, 𝑖 =
1, 2, 3, 4 are not pairwise coprime for any 𝑛.
* (c) Demonstrate that for any distinct integers 𝑎1 , 𝑎2 , 𝑎3 , and 𝑎4 , there exist infin-
itely many positive numbers 𝑛 such that (𝑎𝑖 + 𝑛, 𝑎𝑗 + 𝑛) ≤ 2 for every 𝑖 ≠ 𝑗.
* (d) Verify that for any distinct integers 𝑎1 , 𝑎2 , 𝑎3 , and 𝑎4 , there exist infinitely
many positive numbers 𝑛 such that (𝑎𝑖 + 𝑛, 𝑎𝑗 + 𝑛, 𝑎𝑘 + 𝑛) = 1 for all 1 ≤ 𝑖 <
𝑗 < 𝑘 ≤ 4.
* (e) Do the statements in (c) and (d) remain valid if we increase the number of
integers 𝑎𝑖 from four to five or six?
66 2. Congruences

2.7. Wilson’s Theorem

Theorem 2.7.1 (Wilson’s Theorem). If 𝑝 is a (positive) prime, then (𝑝−1)! ≡ −1 (mod 𝑝).
♣

Since the numbers 1, 2, . . . , 𝑝 − 1 form a reduced residue system modulo 𝑝 and

the product of the elements of every reduced residue system gives the same remainder
modulo 𝑝, we can rewrite Wilson’s Theorem in the following form:
If 𝑝 is a (positive) prime, then the product of the elements of a reduced residue
system is congruent to −1 modulo 𝑝.
We discuss generalizations for composite moduli and connections with group the-
ory in Exercise 2.7.1 and in Section 2.8.

Proof. The theorem is clearly true for 𝑝 = 2 and 𝑝 = 3.

We show that for 𝑝 ≥ 5, the numbers 2, 3, . . . , 𝑝 − 2 can be paired so that the
product of the two elements in every pair is congruent to 1 modulo 𝑝. This implies the
theorem since then 2 ⋅ 3 ⋅ ⋯ ⋅ (𝑝 − 2) ≡ 1 (mod 𝑝), hence
(𝑝 − 1)! = 2 ⋅ 3 ⋅ ⋯ ⋅ (𝑝 − 2) ⋅ 1 ⋅ (𝑝 − 1) ≡ 1 ⋅ 1 ⋅ (𝑝 − 1) ≡ −1 (mod 𝑝) .
We illustrate the pairing first for 𝑝 = 11. The mate of 2 is obtained from the congruence
2𝑥 ≡ 1 (mod 11). Its only solution is 𝑥 ≡ 6 (mod 11), so 2 is matched with 6. Here, 2
and 6 correspond to each other mutually as 2 ⋅ 6 = 6 ⋅ 2 ≡ 1 (mod 11).
Continuing similarly, we obtain the pairs 3–4, 5–9, and 7–8. Thus
10! = (2 ⋅ 6) ⋅ (3 ⋅ 4) ⋅ (5 ⋅ 9) ⋅ (7 ⋅ 8) ⋅ 1 ⋅ 10 ≡ 1 ⋅ 1 ⋅ 1 ⋅ 1 ⋅ 1 ⋅ (−1) = −1 (mod 11) .
Let us see how this works in general. We have to verify the following facts to obtain a
perfect match:
(i) To every integer 2 ≤ 𝑎 ≤ 𝑝 − 2, there exists exactly one 𝑏 = 𝑓(𝑎) satisfying
𝑎𝑏 ≡ 1 (mod 𝑝) and 2 ≤ 𝑏 ≤ 𝑝 − 2.
(ii) If 𝑓(𝑎) = 𝑏, then 𝑓(𝑏) = 𝑎, so 𝑎 and 𝑏 are assigned mutually to each other.
(iii) 𝑓(𝑎) ≠ 𝑎, so no element is the partner of itself.
(i) Since (𝑎, 𝑝) = 1, the congruence 𝑎𝑥 ≡ 1 (mod 𝑝) is solvable and has exactly
one solution 𝑏 in the complete residue system 0, 1, 2, . . . , 𝑝 − 1. If 𝑥 = 0, 1, or 𝑝 − 1,
then 𝑎𝑥 ≡ 0, 𝑎, or −𝑎 (mod 𝑝), thus 𝑎𝑥 ≢ 1 (mod 𝑝) for these values of 𝑥. Hence, 𝑏
falls in the interval 2 ≤ 𝑏 ≤ 𝑝 − 2, as required.
(ii) The condition 𝑓(𝑎) = 𝑏 means 𝑎𝑏 ≡ 1 (mod 𝑝). The value of 𝑓(𝑏) is the solu-
tion of the congruence 𝑏𝑦 ≡ 1 (mod 𝑝). Clearly, 𝑦 = 𝑎 is a solution and we know from
(i) that there is exactly one solution in the interval 2 ≤ 𝑦 ≤ 𝑝 − 2. Hence, necessarily
𝑓(𝑏) = 𝑎.
(iii) The condition 𝑏 = 𝑎 would mean 𝑎2 ≡ 1 (mod 𝑝). Considering the corre-
sponding divisibility and using the prime property of 𝑝, we obtain
𝑝 ∣ (𝑎 − 1)(𝑎 + 1) ⟹ 𝑝 ∣ 𝑎 − 1 or 𝑝 ∣ 𝑎 + 1 ⟹ 𝑎 ≡ ±1 (mod 𝑝) .
This, however, contradicts the condition 2 ≤ 𝑎 ≤ 𝑝 − 2. □
 Exercises 2.7 67

For further proofs of Wilson’s Theorem, see the note after Theorem 3.1.2 and Ex-
ercise 3.3.6.

Exercises 2.7

(Primes are assumed to be positive.)

1. Generalizations of Wilson’s Theorem for composite moduli. Let 𝑚 be composite.
What is the remainder modulo 𝑚 of
(a) (𝑚 − 1)!
* (b) (𝜑(𝑚))!
* (c) the product of all elements of a reduced residue system?
2. Which integers 𝑚 > 6 satisfy (𝑚 − 6)! ≡ 1 (mod 𝑚)?
3. Let 𝑎1 , . . . , 𝑎𝑚 and 𝑏1 , . . . , 𝑏𝑚 be any two permutations of 1, 2, . . . , 𝑚.
(a) Show that if 𝑚 > 2 is a prime, then there exist 𝑖 and 𝑗, 𝑖 ≠ 𝑗 satisfying
𝑚 ∣ 𝑎𝑖 𝑏𝑖 − 𝑎𝑗 𝑏𝑗 .
* (b) Prove the same assertion if 𝑚 is composite.
4. Let 𝑝 be a prime of the form 4𝑘 − 1. Prove
𝑝−1
( )! ≡ ±1 (mod 𝑝) .
2
5. Verify
𝑝𝑝 ∣ (𝑝2 − 1)! −𝑝𝑝−1
for any prime 𝑝.
6. Let 𝑝 > 3 be a prime. What is the remainder of 3(𝑝 − 3)! modulo 𝑝?
7. What is the remainder of 99! when divided by 10100?
8. Compute the possible values of (𝑛! +3, (𝑛 + 2)! +6) if 𝑛 is a positive integer.
9. For which 𝑚 does there exist a (a) complete (b) reduced residue system of numbers
of the form 𝑘!?
10. Let 𝑎1 , . . . , 𝑎30 be a reduced residue system modulo 31. Prove
31 ∣ (𝑎1 𝑎2 𝑎3 )3 + (𝑎4 𝑎5 . . . 𝑎30 )27 .

11. Let 𝑝 > 2 be a prime and construct an arithmetic progression of 𝑝 − 1 integers.

What can the remainder of the product of its elements modulo 𝑝 be?
12. Solve the congruence 𝑥! (𝑧 − 𝑥)! ≡ 1 (mod 𝑧) where 0 < 𝑥 < 𝑧 are integers.
* 13. For which primes 𝑝 is (𝑝 − 1)! +1 a power of 𝑝 (with positive integer exponents)?
68 2. Congruences

2.8. Operations with Residue Classes

We define an addition and a multiplication for residue classes modulo 𝑚 and investi-
gate their properties. We assume throughout that the modulus 𝑚 > 1 is fixed.
Definition 2.8.1. The sum and product of the residue classes (𝑎)𝑚 and (𝑏)𝑚 are the
residue classes (𝑎 + 𝑏)𝑚 and (𝑎𝑏)𝑚 , i.e.
(𝑎)𝑚 + (𝑏)𝑚 = (𝑎 + 𝑏)𝑚 and (𝑎)𝑚 (𝑏)𝑚 = (𝑎𝑏)𝑚 . ♣

We have to verify that we have defined the operations so that both addition and
multiplication assign a unique residue class to any two given residue classes.
The difficulty is that addition and multiplication of residue classes were defined
using representatives, thus we have to clarify that the resulting residue classes do not
depend on which representatives in the initial two classes were chosen.
Consider addition. We have to show that if (𝑎)𝑚 = (𝑎′ )𝑚 and (𝑏)𝑚 = (𝑏′ )𝑚 , then
(𝑎 + 𝑏)𝑚 = (𝑎′ + 𝑏′ )𝑚 . This holds since
(𝑎)𝑚 = (𝑎′ )𝑚 ⟹ 𝑎 ≡ 𝑎′ (mod 𝑚)
} ⟹ 𝑎 + 𝑏 ≡ 𝑎′ + 𝑏′ (mod 𝑚)
(𝑏)𝑚 = (𝑏′ )𝑚 ⟹ 𝑏 ≡ 𝑏′ (mod 𝑚)
⟹ (𝑎 + 𝑏)𝑚 = (𝑎′ + 𝑏′ )𝑚 .
We can argue similarly about multiplication.
We must be aware that there are many operations on the integers that cannot be
defined for residue classes using representatives. We illustrate this by an example; for
some further examples see Exercise 2.8.6.
Let 𝑎 and 𝑏 be integers and denote by max(𝑎, 𝑏) the larger one (or their common
value if 𝑎 = 𝑏). This maximum assigns a unique integer to any two integers, so it is a
well defined operation on the integers.
Among the residue classes modulo 𝑚, however, the specification max((𝑎)𝑚 , (𝑏)𝑚 )
= (max(𝑎, 𝑏))𝑚 does not define an operation, since the right-hand side of the equality
(may) give different residue classes if we represent (𝑎)𝑚 and/or (𝑏)𝑚 with another el-
ement. For example, let the modulus be 𝑚 = 9 and consider the two residue classes
𝐴 = (3)9 = (12)9 and 𝐵 = (10)9 = (1)9 . Then max(𝐴, 𝐵) would be (max(3, 10))9 =
(10)9 on the one hand and (max(12, 1))9 = (12)9 on the other hand but (10)9 ≠ (12)9 .
We turn now to study the most important properties of addition and multiplication
defined on the residue classes.
We can easily derive that most properties valid among the integers hold also for
the residue classes:
Theorem 2.8.2. Among the residue classes modulo 𝑚,
• addition is associative and commutative
• (0)𝑚 is a zero element, i.e. (0)𝑚 + (𝑎)𝑚 = (𝑎)𝑚 + (0)𝑚 = (𝑎)𝑚 holds for every (𝑎)𝑚
• the negative of (𝑎)𝑚 is (−𝑎)𝑚 , i.e. (−𝑎)𝑚 + (𝑎)𝑚 = (𝑎)𝑚 + (−𝑎)𝑚 = (0)𝑚
• multiplication is associative and commutative
2.8. Operations with Residue Classes 69

• (1)𝑚 is an identity element, i.e. (1)𝑚 (𝑎)𝑚 = (𝑎)𝑚 (1)𝑚 = (𝑎)𝑚 holds for every (𝑎)𝑚
• the distributive law is valid. ♣

Proof. Each statement follows immediately from the definition of the operations and
from the corresponding property of the integers. We illustrate this for the commutative
law for addition:
(𝑎)𝑚 + (𝑏)𝑚 = (𝑎 + 𝑏)𝑚 = (𝑏 + 𝑎)𝑚 = (𝑏)𝑚 + (𝑎)𝑚
(we applied the definition of addition for residue classes in the first and third equalities
and the commutative law for the addition of integers in the second equality). □

Summarizing the properties listed in Theorem 2.8.2, the residue classes modulo 𝑚
form a commutative ring with identity element with respect to addition and multiplica-
tion.
We mention that—as in every ring—also subtraction can be performed for residue
classes, i.e. to any (𝑎)𝑚 and (𝑏)𝑚 , there exists exactly one (𝑐)𝑚 satisfying (𝑎)𝑚 = (𝑏)𝑚 +
(𝑐)𝑚 ; we obtain this (𝑐)𝑚 as (𝑎)𝑚 + (−𝑏)𝑚 . (We can verify the existence of subtraction
also by relying on subtraction among the integers; then we have (𝑐)𝑚 = (𝑎 − 𝑏)𝑚 .)
We examine now which residue classes have a multiplicative inverse (or “recipro-
cal”), i.e. for which (𝑎)𝑚 does there exist a residue class (𝑐)𝑚 satisfying
(2.8.1) (𝑐)𝑚 (𝑎)𝑚 = (𝑎)𝑚 (𝑐)𝑚 = (1)𝑚 ?
Condition (2.8.1) is equivalent to (𝑎𝑐)𝑚 = (1)𝑚 , i.e. to 𝑎𝑐 ≡ 1 (mod 𝑚) which means
that the linear congruence 𝑎𝑥 ≡ 1 (mod 𝑚) is solvable. By Theorem 2.5.3, this holds
if and only if (𝑎, 𝑚) ∣ 1, or (𝑎, 𝑚) = 1. This is exactly the case when (𝑎)𝑚 is a reduced
residue class. Thus, we have proved:
Theorem 2.8.3. Among the residue classes modulo 𝑚, exactly the reduced residue classes
have a multiplicative inverse. ♣

We note that for any associative operation, every element can have only one in-
verse. Thus, the inverse of a reduced residue class is unique, as well. (This follows also
from Theorem 2.5.5.)
A field is a commutative ring (with at least two elements) that has an identity ele-
ment and every non-zero element has an inverse. By Theorem 2.8.3, the residue classes
satisfy these requirements if and only if every non-zero residue class is reduced, i.e. 𝑚
is a prime. This gives the result:
Theorem 2.8.4. The residue classes modulo 𝑚 form a field if and only if 𝑚 is a prime. ♣

It can occur that the product of two non-zero residue classes is the zero residue
class, e.g. (5)10 (4)10 = (0)10 . A residue class (𝑎)𝑚 ≠ (0)𝑚 is called a zero divisor if
(2.8.2) there exists some (𝑏)𝑚 ≠ (0)𝑚 satisfying (𝑎)𝑚 (𝑏)𝑚 = (0)𝑚 .
Thus, (4)10 and (5)10 are zero divisors in the previous example.
Theorem 2.8.5. A residue class (𝑎)𝑚 ≠ (0)𝑚 is a zero divisor if and only if (𝑎)𝑚 is not a
reduced residue class, i.e. (𝑎, 𝑚) ≠ 1. ♣
70 2. Congruences

The condition (𝑎)𝑚 ≠ (0)𝑚 means 𝑚 ∤ 𝑎 or (𝑎, 𝑚) < 𝑚 for the representative 𝑎.

Proof. Rephrasing the definition in (2.8.2), the residue class (𝑎)𝑚 ≠ (0)𝑚 is a zero
divisor if and only if
(2.8.3) there exists some 𝑏 ≢ 0 (mod 𝑚) satisfying 𝑎𝑏 ≡ 0 (mod 𝑚).
Since 𝑥 ≡ 0 (mod 𝑚) is always a solution of 𝑎𝑥 ≡ 0 (mod 𝑚), (2.8.3) means that 𝑎𝑥 ≡ 0
(mod 𝑚) has more solutions. The number of solutions is (𝑎, 𝑚), hence (𝑎)𝑚 ≠ (0)𝑚 is
a zero divisor if and only if (𝑎, 𝑚) > 1. □

We see from Theorem 2.8.5 that residue classes modulo 𝑚 contain a zero divisor if
and only if 𝑚 is composite.
Finally, we touch briefly some group theoretic connections of the residue classes.
A set 𝐺 is called a group if an associative operation with an identity element is
defined on 𝐺 and every element has an inverse. If the operation is commutative we
have a commutative or Abelian group.
Thus, the residue classes modulo 𝑚 form a commutative group under addition,
and the same is true for the reduced residue classes with respect to multiplication (this
follows from the fact that the product of two reduced classes and the inverse of a re-
duced class is a reduced class again).
The Euler–Fermat Theorem can be considered as a special case of a general theo-
rem for groups: For any element 𝑎 of a finite group 𝐺, 𝑎|𝐺| is the identity element (where
|𝐺| denotes the number of elements in the group). This general result can be verified
similarly to the Euler–Fermat Theorem for commutative groups (see Exercise 2.8.7)
and follows from Lagrange’s Theorem for arbitrary 𝐺.
Generalizing Wilson’s theorem, we can ask which element of a finite commutative
group will be equal to the product of all its elements (see Exercise 2.8.8).

Exercises 2.8
1. For which 𝑚 does there exist a non-zero residue class that is the negative of itself?
2. Consider the ring of the residue classes modulo 100.
(a) What is the multiplicative inverse of the residue class (13)?
(b) What is the number of zero divisors?
(c) How many zero divisor pairs belong to (40), i.e. how many residue classes
(𝑏) ≠ (0) satisfy (40)(𝑏) = (0)?
(d) Does there exist a residue class (𝑐) satisfying (35)(𝑐) = (90)?
3. How many residue classes modulo 𝑚 are their own multiplicative inverses if 𝑚 is
(a) 47
(b) 30
(c) 800
* (d) arbitrary?
 Exercises 2.8 71

4. Consider the ring of residue classes modulo a composite 𝑚.

(a) Show that if (𝑎) is a zero divisor, then (𝑎)(𝑐) is a zero divisor or (0) for any (𝑐).
(b) Demonstrate that if (𝑎)(𝑐) is a zero divisor, then at least one of (𝑎) and (𝑐) is a
zero divisor.
(c) Determine all 𝑚 where the sum of any two zero divisors is a zero divisor or
(0).
(d) Compute the sum and product of all zero divisors.
(e) For which 𝑚 does there exist an (𝑎) ≠ (0) satisfying (𝑎)2 = (0)?
5. (a) Let 𝐻 be the set of those residue classes modulo 20 that are “divisible” by 4,
i.e.
𝐻 = {(0)20 , (4)20 , (8)20 , (12)20 , (16)20 }.
Prove that 𝐻 is a field under the addition and multiplication of residue classes.
(b) Let 𝐾 be the set of those residue classes modulo 40 that are divisible by 4, i.e.
𝐾 = {(0)40 , (4)40 , . . . , (36)40 }.
Verify that 𝐾 is a commutative ring under the addition and multiplication of
residue classes, but it is not a field, it has no identity element, and every non-
zero element is a zero divisor.
S* (c) Generalize the problem (as far as possible).
6. Examine in detail whether it is possible to define the following operations for
residue classes modulo 𝑚 using their positive representatives.
(a) Gcd: gcd((𝑎)𝑚 , (𝑏)𝑚 ) = (gcd(𝑎, 𝑏))𝑚
(b) Third power: (𝑎)3𝑚 = (𝑎3 )𝑚
3 3
(c) Cube root: √(𝑎)𝑚 = ( √𝑎)𝑚
(d) Arithmetic mean: ((𝑎)𝑚 + (𝑏)𝑚 )/2 = ((𝑎 + 𝑏)/2)𝑚
(𝑏)𝑚
(e) Exponentiation: (𝑎)𝑚 = (𝑎𝑏 )𝑚 .
7. Generalization of the Euler–Fermat Theorem. In a finite commutative group 𝐺, let
|𝐺| denote the number of elements and 𝑒 be the identity element. Prove that 𝑎|𝐺| =
𝑒 holds for any 𝑎 ∈ 𝐺.
* 8. Generalization of Wilson’s Theorem. In a finite commutative group 𝐺, let 𝑒 be the
identity element and 𝑃 the product of all elements. Show that if 𝐺 contains exactly
one element 𝑐 ≠ 𝑒 satisfying 𝑐2 = 𝑒, then 𝑃 = 𝑐, and 𝑃 = 𝑒 in all other cases.
 Chapter 3

Congruences of Higher
Degree

We start with a few general remarks concerning congruences modulo a prime. Next, we
discuss the most important properties of order, primitive roots, and discrete logarithms.
Applying these, we “take roots” modulo 𝑝, i.e. examine binomial congruences. We
will include an interesting theorem by Kőnig and Rados and another one by Chevalley.
Finally, we show how congruences with composite moduli can be reduced to those
with prime moduli.

3.1. Number of Solutions and Reduction

Let 𝑚 be a fixed positive integer and 𝑓 a polynomial with integer coefficients. We want
to find the solutions of the congruence 𝑓(𝑥) ≡ 0 (mod 𝑚).
As with linear congruences, by a solution we mean an integer 𝑠 which substituted
for 𝑥 makes the congruence valid. It is clear also in this general case that if an integer 𝑠
is a solution, then every element of the residue class (𝑠)𝑚 is a solution as well since 𝑠 ≡ 𝑟
(mod 𝑚) implies 𝑓(𝑠) ≡ 𝑓(𝑟) (mod 𝑚). Therefore the number of solutions is defined as
the number of the pairwise incongruent solutions, i.e. how many residue classes yield
the solutions (see Definition 2.5.2).
Obviously, also it is only the residue class of the coefficients of 𝑓 that matters.
By the above, it is often more convenient and more natural to handle both the
coefficients and the solutions as residue classes modulo 𝑚 (instead of integers). This
means that 𝑓 is considered as a polynomial over the ring 𝐙𝑚 of these residue classes
and the solutions of the congruence 𝑓(𝑥) ≡ 0 (mod 𝑚) are the roots of 𝑓 in 𝐙𝑚 . We
adopt this view also when defining the degree of a polynomial modulo 𝑚:

Definition 3.1.1. The degree of a polynomial 𝑓 = 𝑎0 + 𝑎1 𝑥 + ⋯ + 𝑎𝑛 𝑥𝑛 modulo 𝑚 is

𝑘 if 𝑎𝑘 ≢ 0 (mod 𝑚), but 𝑎𝑖 ≡ 0 (mod 𝑚) for every 𝑖 > 𝑘. If 𝑎𝑖 ≡ 0 (mod 𝑚) for every
𝑖, so every coefficient of 𝑓 is 0 (mod 𝑚), then 𝑓 has no degree modulo 𝑚. ♣

73
74 3. Congruences of Higher Degree

Example. The polynomial 𝑓 = 6 + 12𝑥 + 15𝑥2 + 21𝑥3 has degree 3 modulo 5, 2

modulo 7, and has no degree modulo 3.

The rest of this section deals with congruences with prime moduli.
Theorem 3.1.2. If 𝑝 is a prime and the degree of 𝑓 modulo 𝑝 is 𝑘, then the congruence
𝑓(𝑥) ≡ 0 (mod 𝑝) has at most 𝑘 solutions. ♣

Proof. According to the preliminary remarks, we consider 𝑓 as a polynomial over the

ring 𝐙𝑝 of the residue classes modulo 𝑝. Then the number of solutions is the number
of roots of 𝑓 in 𝐙𝑝 .
Since 𝐙𝑝 is a field by Theorem 2.8.4, Theorem 3.1.2 follows immediately from a
well-known basic result in classical algebra: If the degree of a polynomial over a field
𝐹 is 𝑘, then 𝑓 can have at most 𝑘 roots in 𝐹. □

The statement of Theorem 3.1.2 is false for composite moduli. For example, the
linear congruence
10𝑥 − 15 ≡ 0 (mod 25)
has 5 solutions, the congruence
𝑥(𝑥 − 1)(𝑥 − 2)(𝑥 − 3) ≡ 0 (mod 24)
of degree 4 has 24 solutions, etc.

Using Theorem 3.1.2, we can get a new proof for Wilson’s Theorem (Theorem 2.7.1):
If 𝑝 is a prime, then (𝑝 − 1)! ≡ −1 (mod 𝑝).
This is obvious for 𝑝 = 2. Let 𝑝 > 2 and consider the polynomial
𝑓 = 𝑥𝑝−1 − 1 − (𝑥 − 1)(𝑥 − 2) . . . (𝑥 − (𝑝 − 1)) = 𝑎0 + 𝑎1 𝑥 + ⋯ + 𝑎𝑝−2 𝑥𝑝−2 .
By Fermat’s Little Theorem, each of the (pairwise incongruent) numbers 𝑥 = 1, 2, . . . ,
𝑝 − 1 satisfies the congruence 𝑓(𝑥) ≡ 0 (mod 𝑝), hence the number of solutions is at
least 𝑝 − 1. If 𝑓 had a degree modulo 𝑝, then this degree could be at most 𝑝 − 2 contra-
dicting Theorem 3.1.2. Therefore 𝑓 has no degree modulo 𝑝, i.e. every coefficient 𝑎𝑖 is
0 (mod 𝑝). Hence,
𝑎0 = −1 − (−1)𝑝−1 (𝑝 − 1)! = −1 − (𝑝 − 1)! ≡ 0 (mod 𝑝) ,
thus proving Wilson’s Theorem. □

Since a congruence modulo 𝑚 can have at most 𝑚 solutions, the statement of The-
orem 3.1.2 becomes empty if the degree of 𝑓 modulo 𝑝 is 𝑝 or larger. In this case, we
can reduce the congruence 𝑓(𝑥) ≡ 0 (mod 𝑝) to a congruence of degree at most 𝑝 − 1,
in the following sense:
Theorem 3.1.3. To every prime 𝑝 and polynomial 𝑓 with integer coefficients, there exists
a polynomial 𝑔 with integer coefficients such that
(i) the degree of 𝑔 modulo 𝑝 is at most 𝑝 − 1 or every coefficient of 𝑔 is 0 (mod 𝑝)
(ii) 𝑓(𝑐) ≡ 𝑔(𝑐) (mod 𝑝) for every integer 𝑐. ♣
Exercises 3.1 75

In other words, Theorem 3.1.3 asserts that to every polynomial over the field 𝐙𝑝 ,
we can find a polynomial 𝑔 of degree at most 𝑝 − 1 (allowing also the zero polynomial)
such that the two polynomials define the same function.
The theorem clearly implies that the congruences 𝑓(𝑥) ≡ 0 (mod 𝑝) and 𝑔(𝑥) ≡ 0
(mod 𝑝) have exactly the same solutions, hence the number of solutions is at most the
degree of 𝑔 modulo 𝑝 by Theorem 3.1.2.

First proof. Replace 𝑥𝑝 by 𝑥 everywhere in 𝑓 as long as this is possible. We arrive at

a polynomial 𝑔 of degree at most 𝑝 − 1 modulo 𝑝 or with all coefficients 0 (mod 𝑝). By
Fermat’s Little Theorem, 𝑐𝑝 ≡ 𝑐 (mod 𝑝) for every 𝑐, hence also 𝑓(𝑐) ≡ 𝑔(𝑐) (mod 𝑝)
holds. □

Second proof. Divide 𝑓 by 𝑥𝑝 − 𝑥. Since the leading coefficient of 𝑥𝑝 − 𝑥 is 1, the

quotient and the remainder will have integer coefficients. We show that the remainder
serves as 𝑔. Indeed,
𝑓 = (𝑥𝑝 − 𝑥)ℎ + 𝑔,
where the degree of 𝑔 is at most 𝑝 − 1 or 𝑔 is the zero polynomial. Then
𝑓(𝑐) = (𝑐𝑝 − 𝑐)ℎ(𝑐) + 𝑔(𝑐) ≡ 0 + 𝑔(𝑐) = 𝑔(𝑐) (mod 𝑝)
for every integer 𝑐. □
Remarks: (1) In the second proof, we can divide the polynomials over the field 𝐙𝑝 , but
this is slightly more complicated.
(2) Both proofs yield also an algorithm to find 𝑔 (in fact, they are two interpretations
of the same procedure).
(3) A third proof is obtained using the interpolation polynomials, but this is not really
suitable for getting 𝑔 in an explicit form (see Exercise 3.1.9).
(4) Note that the polynomial 𝑔 meeting the requirements of Theorem 3.1.2 is unique
(modulo 𝑝, see Exercise 3.1.8).

Exercises 3.1

1. What is the number of solutions of the following congruences?

(a) 𝑥100 + 𝑥 ≡ 0 (mod 101)
(b) 𝑥100 + 𝑥 ≡ 0 (mod 100)
(c) 21𝑥9 + 18𝑥6 + 15 ≡ 0 (mod 77)
(d) 𝑥(𝑥2 − 1)(𝑥2 − 4) ≡ 0 (mod 60).
2. Prove that 𝑐 is a solution of the congruence 𝑓(𝑥) ≡ 0 (mod 𝑚) if and only if there
exists a polynomial ℎ with integer coefficients such that every coefficient of the
polynomial 𝑓 − (𝑥 − 𝑐)ℎ is a multiple of 𝑚.
3. Let 𝑁(𝑓, 𝑚) denote the number of solutions of the congruence 𝑓(𝑥) ≡ 0 (mod 𝑚).
True or false?
76 3. Congruences of Higher Degree

(a) 𝑁(𝑓𝑔, 𝑚) ≤ 𝑁(𝑓, 𝑚) + 𝑁(𝑔, 𝑚).

(b) 𝑁(𝑓𝑔, 𝑚) ≤ 𝑁(𝑓, 𝑚) + 𝑁(𝑔, 𝑚) + 1000.
(c) 𝑁(𝑓𝑔, 13) ≤ 𝑁(𝑓, 13) + 𝑁(𝑔, 13).
(d) 𝑁(𝑓𝑔, 13) = 𝑁(𝑓, 13) + 𝑁(𝑔, 13).
4. (a) Exhibit a polynomial 𝑓 of degree 13 modulo 37 such that the congruence
𝑓(𝑥) ≡ 0 (mod 37) has 12 solutions.
(b) How many 𝑓 satisfy the conditions in (a) if every coefficient is taken from the
numbers 1, 2, . . . , 37?
5. Let 𝑝 be a prime and denote the number of solutions of 𝑓(𝑥) ≡ 0 (mod 𝑝) by 𝑟.
Prove
𝑝
𝑟 ≡ − ∑ 𝑓(𝑖)𝑝−1 (mod 𝑝) .
𝑖=1

6. Let 𝑝 > 2 be a prime and 1 ≤ 𝑗 ≤ 𝑝 − 2. Show that the sum of all products with 𝑗
distinct factors taken from the numbers 1, 2, . . . , 𝑝 − 1 is divisible by 𝑝.
7. Let 𝑝 > 2 be a prime and
𝑓 = 𝑎 0 + 𝑎1 𝑥 + ⋯ + 𝑎 𝑛 𝑥 𝑛 where 𝑎0 ≢ 0 (mod 𝑝) .
Prove that 𝑓(𝑥) ≡ 0 (mod 𝑝) can be reduced to a congruence of degree at most
𝑝 − 2 in the following sense: We can find a polynomial ℎ of degree at most 𝑝 − 2
modulo 𝑝 or with all coefficients 0 (mod 𝑝) satisfying 𝑓(𝑐) ≡ ℎ(𝑐) (mod 𝑝) for
every (𝑐, 𝑝) = 1.
8. Prove the existence of a polynomial 𝑔 occurring in Theorem 3.1.3 using the inter-
polation polynomials by Lagrange or Newton.
9. Prove that the polynomial 𝑔 satisfying the requirements of Theorem 3.1.3 is unique
over 𝐙𝑝 , i.e. its coefficients are uniquely determined modulo 𝑝.
10. Demonstrate that Theorem 3.1.3 remains valid also for composite moduli.

3.2. Order
It follows from the Euler–Fermat Theorem that if (𝑎, 𝑚) = 1, then 𝑎𝑡 ≡ 1 (mod 𝑚) for
some positive integer 𝑡 and 𝜑(𝑚) or any multiple of it can be taken as 𝑡. The minimal
positive integer 𝑡 with this property plays a distinguished role in the further investiga-
tions:
Definition 3.2.1. Let (𝑎, 𝑚) = 1. The positive integer 𝑘 is called the order of 𝑎 mod-
ulo 𝑚, if 𝑎𝑘 ≡ 1 (mod 𝑚) and 𝑎𝑖 ≢ 1 (mod 𝑚) for every 0 < 𝑖 < 𝑘. ♣

We denote the order of 𝑎 by 𝑜𝑚 (𝑎). For example, 𝑜7 (2) = 3, 𝑜10 (3) = 4, etc. If there
is no ambiguity, we can omit the index referring to the modulus.
The Euler–Fermat Theorem implies that every 𝑎 coprime to 𝑚 has an order and
𝑜𝑚 (𝑎) ≤ 𝜑(𝑚).
The order can be defined only for (𝑎, 𝑚) = 1: If (𝑎, 𝑚) ≠ 1, then there is no 𝑘 > 0
satisfying 𝑎𝑘 ≡ 1 (mod 𝑚) (see the first remark after Theorem 2.4.1B).
3.2. Order 77

It is clear from the definition of the order that

𝑎 ≡ 𝑏 (mod 𝑚) ⟹ 𝑜𝑚 (𝑎) = 𝑜𝑚 (𝑏),
thus all elements of a reduced residue class have the same order.
The next theorem summarizes the most important properties of the order.

Theorem 3.2.2. Let 𝑡, 𝑢, and 𝑣 be non-negative integers and (𝑎, 𝑚) = 1.

(i) 𝑎𝑡 ≡ 1 (mod 𝑚) ⟺ 𝑜𝑚 (𝑎) ∣ 𝑡.
(ii) 𝑎ᵆ ≡ 𝑎𝑣 (mod 𝑚) ⟺ 𝑢 ≡ 𝑣 (mod )).
(iii) 𝑎 has 𝑜𝑚 (𝑎) pairwise incongruent powers with positive integer exponents modulo 𝑚.
(iv) 𝑜𝑚 (𝑎) ∣ 𝜑(𝑚). ♣

Proof. (i) If 𝑡 = 𝑞𝑜𝑚 (𝑎), then

𝑞
𝑎𝑡 = (𝑎𝑜𝑚 (𝑎) ) ≡ 1𝑞 = 1 (mod 𝑚) , .
For the converse, we apply the division algorithm for 𝑡 by 𝑜𝑚 (𝑎): 𝑡 = 𝑞𝑜𝑚 (𝑎) + 𝑟 where
0 ≤ 𝑟 < 𝑜𝑚 (𝑎). Then
𝑞
1 ≡ 𝑎𝑡 = (𝑎𝑜𝑚 (𝑎) ) ⋅ 𝑎𝑟 ≡ 1 ⋅ 𝑎𝑟 = 𝑎𝑟 (mod 𝑚) .
Since 𝑟 < 𝑜𝑚 (𝑎), only 𝑟 = 0 is possible by the definition of the order, so 𝑜𝑚 (𝑎) ∣ 𝑡.
(ii) Let 𝑢 ≥ 𝑣. Then, using (𝑎, 𝑚) = 1 and (i), we obtain
𝑎ᵆ ≡ 𝑎𝑣 (mod 𝑚) ⟺ 𝑎ᵆ−𝑣 ≡ 1 (mod 𝑚)
⟺ 𝑜𝑚 (𝑎) ∣ 𝑢 − 𝑣
⟺ 𝑢 ≡ 𝑣 (mod 𝑜𝑚 (𝑎)) .

(iii) This is a direct consequence of (ii).

(iv) By the Euler–Fermat Theorem, 𝑎𝜑(𝑚) ≡ 1 (mod 𝑚), hence (i) implies
𝑜𝑚 (𝑎) ∣ 𝜑(𝑚). □

Example. Compute the order of 13 modulo 59.

As 13 and 59 are coprime, 𝑜59 (13) makes sense. Since 𝑜59 (13) ∣ 𝜑(59) and
𝜑(59) = 58,
𝑜59 (13) = 1, 2, 29, or 58.
Clearly, 13 ≢ 1 (mod 59) and 132 ≢ 1 (mod 59), so 𝑜59 (13) can be only 29 or 58. This
means that if 1329 ≡ 1 (mod 59), then the order is 29, whereas if 1329 ≢ 1 (mod 59),
then the order is 58.
The remainder of 1329 modulo 59 can be determined using repeated squarings:
132 = 169 ≡ −8 (mod 59)
134 ≡ (−8)2 ≡ 5 (mod 59)
138 ≡ 52 = 25 (mod 59)
1316 ≡ 252 ≡ −24 (mod 59)
 78 3. Congruences of Higher Degree

thus
1329 = 1316 ⋅ 138 ⋅ 134 ⋅ 13
≡ (−24) ⋅ 25 ⋅ 5 ⋅ 13
= (−600) ⋅ 65
≡ (−10) ⋅ 6
≡ −1 (mod 59) .
Hence 𝑜59 (13) = 58. (There is no need to compute the remainder of 1358 modulo 59;
we know from the Euler–Fermat Theorem that it must be 1.)

Finally, we mention that Definition 3.2.1 is a special case of the order of an element
in a group, and also the analog of Theorem 3.2.2 is true in arbitrary groups.

Exercises 3.2

(The notation 𝑜(𝑎) without an index refers to an arbitrary modulus unless a modulus
𝑚 or 𝑝 was specified in the exercise.)
1. Compute:
(a) 𝑜77 (155)
(b) 𝑜100 (199)
(c) 𝑜65 (2)
(d) 𝑜47 (43).
2. Does there exist an 𝑎 with 𝑜𝑚 (𝑎) = 4 if 𝑚 is (a) 11 (b) 12 (c) 17?
3. Which moduli 𝑚 satisfy 𝑜𝑚 (2) = 6?
4. Let (𝑎, 𝑚) = 1, 𝑜𝑚 (𝑎) = 𝑘, and 𝑖 ≥ 0. Prove
(a) 𝑜𝑚 (𝑎𝑖 ) ∣ 𝑘
(b) 𝑜𝑚 (𝑎𝑖 ) = 𝑘 ⟺ (𝑖, 𝑘) = 1
(c) 𝑜𝑚 (𝑎𝑖 ) = 𝑘/(𝑖, 𝑘).
5. What are the possible values of 𝑜(𝑎) if 𝑜(𝑎3 ) is (a) 10 (b) 12?
S 6. Let 𝑝 > 2 be a prime. Verify 𝑜𝑝 (𝑎) = 𝑜𝑝 (−𝑎) ⟺ 4 ∣ 𝑜𝑝 (𝑎).
7. Assume that 𝑎5 , 𝑎13 , and 𝑎21 belong to exactly two reduced residue classes mod-
ulo 𝑚. Compute 𝑜𝑚 (𝑎).
8. Let 𝑝 be a prime and 𝑜𝑝 (𝑎) = 3.
(a) Show that 1 + 𝑎 + 𝑎2 ≡ 0 (mod 𝑝).
(b) Determine 𝑜𝑝 (1 + 𝑎).
S 9. Assume that 𝑝 > 5 is a prime and 𝑎2𝑝−10 ≡ −1 (mod 𝑝). Compute 𝑜𝑝 (𝑎).
 Exercises 3.2 79

10. (a) Show that both congruences 𝑎𝑛 ≡ 1 (mod 𝑚) and 𝑎𝑘 ≡ 1 (mod 𝑚) hold
simultaneously if and only if 𝑎(𝑛,𝑘) ≡ 1 (mod 𝑚).
(b) Using (a), find a new proof for Exercise 1.3.13.
11. Show that (𝑎𝑛 − 1, 𝑎𝑘 + 1) ≤ 2 if 𝑛 is odd.
12. Let 𝑝 > 2 be a prime and (𝑎, 𝑝) = 1. Verify that 𝑎𝑠 ≡ −1 (mod 𝑝) is true for some 𝑠
if and only if 𝑜𝑝 (𝑎) is even. What happens if we replace 𝑝 by a composite modulus
𝑚?
13. Prove
(a) (𝑎, 𝑚) = 1, 𝑑 ∣ 𝑚 ⟹ 𝑜 𝑑 (𝑎) ∣ 𝑜𝑚 (𝑎)
(b) (𝑎, 𝑚𝑛) = 1 ⟹ 𝑜 [𝑚,𝑛] (𝑎) = [𝑜𝑚 (𝑎), 𝑜𝑛 (𝑎)].
14. How many of the integers 1, 2, . . . , 999 have order 2 modulo 1000?
* 15. Let 𝑜(𝑎) = 𝑢 and 𝑜(𝑏) = 𝑣. Verify
(a) 𝑜(𝑎𝑏) = 𝑢𝑣 ⟺ (𝑢, 𝑣) = 1
[ᵆ,𝑣]
(b) | 𝑜(𝑎𝑏) and 𝑜(𝑎𝑏) ∣ [𝑢, 𝑣].
(ᵆ,𝑣)

* 16. Assume 𝑎𝑜(𝑏) ≡ 𝑏𝑜(𝑎) (mod 𝑚). Prove 𝑜(𝑎) = 𝑜(𝑏).

17. Show that 𝑛 ∣ 𝜑(𝑎𝑛 − 1) holds for every 𝑎 > 1 and 𝑛 > 0.
𝜑(𝑚)
* 18. Let 𝑎1 , . . . , 𝑎𝜑(𝑚) be a reduced residue system modulo 𝑚. Show that ∑𝑖=1 𝑜𝑚 (𝑎𝑖 )
is always an odd number.
19. Let 𝑝 be a prime and (𝑎, 𝑝) = 1. What is the remainder of the sum and product
below mod 𝑝?
(a) 𝑎 + 𝑎2 + ⋯ + 𝑎𝑜(𝑎)
(b) 𝑎 ⋅ 𝑎2 ⋅ ⋯ ⋅ 𝑎𝑜(𝑎) .
20. Decimal fractions. We deal only with the digits following the decimal point, hence
it is sufficient to consider numbers 𝛼 with 0 < 𝛼 < 1. We exclude those decimal
fractions that end with infinitely many 9s. A decimal fraction is finite if it has
only finitely many digits. We write these in their shortest form, so the last digit
is not zero. An infinite decimal fraction is periodic if the sequence of the digits is
eventually periodic. The periodicity is pure or mixed depending on whether or not
the first period starts immediately after the decimal point. For fractions 𝑎/𝑏 we
assume 𝑏 > 0 and (𝑎, 𝑏) = 1. Prove the following characterizations.
(a) The decimal fraction of a real number 𝛼 is finite or periodic if and only if 𝛼 is
rational.
(b) The decimal fraction of the rational number 𝑎/𝑏 is finite if and only if the
standard form of 𝑏 contains no other primes than 2 and 5: 𝑏 = 2𝑟 5𝑠 . In this
case, the number of digits after the decimal point is 𝑘 = max(𝑟, 𝑠), i.e. 𝑏 ∣ 10𝑘
but 𝑏 ∤ 10𝑘−1 .
(c) The decimal fraction of the rational number 𝑎/𝑏 has a pure periodicity if and
only if (𝑏, 10) = 1. In this case, the length of the (smallest) period is 𝑜 𝑏 (10).
80 3. Congruences of Higher Degree

(d) The decimal fraction of the rational number 𝑎/𝑏 has a mixed periodicity if
and only if (𝑏, 10) > 1 but 𝑏 has also a prime divisor different from 2 and 5:
𝑏 = 2𝑟 5𝑠 𝑡 where (𝑡, 10) = 1, 𝑡 > 1, and 𝑘 = max(𝑟, 𝑠) > 0. Then the (first)
period starts with the (𝑘 + 1)st digit after the decimal point and its length is
𝑜𝑡 (10).

3.3. Primitive Roots

We obtained from the Euler–Fermat Theorem that 𝑜𝑚 (𝑎) ≤ 𝜑(𝑚) for every (𝑎, 𝑚) = 1.
A special case is when this holds with equality.
Definition 3.3.1. A number 𝑔 is a primitive root modulo 𝑚 if 𝑜𝑚 (𝑔) = 𝜑(𝑚). ♣
It is clear from the definition that a primitive root must be coprime to the modulus
𝑚, and in a reduced residue class either all elements are primitive roots, or there are
no such elements at all.
Examples. E1 3 is a primitive root modulo 10 as 𝑜10 (3) = 𝜑(10) = 4.
E2 2 is not a primitive root modulo 31 since 𝑜31 (2) = 5 < 𝜑(31) = 30.
E3 There are no primitive roots modulo 12. It is enough to check the orders in the
reduced residue system {±1, ±5}: 1 has order 1 and all other elements have order
2, so every order is less than 𝜑(12) = 4.
To determine whether or not a number 𝑎 (coprime to 𝑚) is a primitive root mod-
ulo 𝑚, there is no need to check 𝑎𝜑(𝑚) ≡ 1 (mod 𝑚) since this follows from the Euler–
Fermat Theorem. Using 𝑜𝑚 (𝑎) ∣ 𝜑(𝑚), we have to test whether 𝑎𝑑 ≡ 1 (mod 𝑚) holds
for some divisor 𝑑 < 𝜑(𝑚) of 𝜑(𝑚); 𝑎 is a primitive root if and only if there is no such
𝑑. In fact, it is enough to consider the maximal proper divisors of 𝜑(𝑚), those of the
form 𝜑(𝑚)/𝑞 where 𝑞 is a prime.
The applications of primitive roots are mostly based on the following property:
Theorem 3.3.2. A number 𝑔 is a primitive root modulo 𝑚 if and only if 1, 𝑔, 𝑔2 , . . . ,
𝑔𝜑(𝑚)−1 form a reduced residue system modulo 𝑚. ♣

Proof. Assume that 𝑔 is a primitive root, so 𝑜𝑚 (𝑔) = 𝜑(𝑚). Then the 𝜑(𝑚) numbers
1, 𝑔, 𝑔2 , . . . , 𝑔𝜑(𝑚)−1 are pairwise incongruent modulo 𝑚 by part (ii) of Theorem 3.2.2,
and (𝑔, 𝑚) = 1 implies that they are all coprime to 𝑚. Thus they constitute a reduced
residue system mod 𝑚 by Theorem 2.2.9.
For the converse, assume that the powers of 𝑔 form a reduced residue system
mod 𝑚. Then (𝑔, 𝑚) = 1 implies that 𝑜𝑚 (𝑔) exists and 𝑜𝑚 (𝑔) ≤ 𝜑(𝑚) by the Euler–
Fermat Theorem. Further, the pairwise incongruence guarantees that none of 𝑔, 𝑔2 ,
. . . , 𝑔𝜑(𝑚)−1 can be congruent to the element 1 in this reduced residue system. Hence,
𝑜𝑚 (𝑔) = 𝜑(𝑚). □

Now we examine, for which moduli 𝑚 a primitive root exists. Or, in a group theo-
retic formulation, for which 𝑚 is the multiplicative group of the reduced residue classes
cyclic.
We prove first that all prime moduli have a primitive root.
3.3. Primitive Roots 81

Theorem 3.3.3. If 𝑝 is a prime, then there exists a primitive root modulo 𝑝. ♣

As a generalization of Theorem 3.3.3, it can be shown that any finite field contains
an element whose powers supply all non-zero elements in the field. Theorem 3.3.3 is
the special case for the field 𝐙𝑝 of the residue classes mod 𝑝.
We give two proofs for Theorem 3.3.3 and a third argument is sketched in Exer-
cise 3.3.14. All three proofs can be adapted with suitable modifications to verify the
more general proposition mentioned above.

First proof. If 𝑝 = 2, then 𝑔 = 1 (or any odd number) is a primitive root.

For 𝑝 > 2, let 𝑞1 , . . . , 𝑞𝑠 be the distinct prime divisors of 𝑝 − 1.
To prove by contradiction, assume that there is no primitive root, so 𝑜𝑝 (𝑖) = 𝑑𝑖 <
𝑝 − 1 for every 1 ≤ 𝑖 ≤ 𝑝 − 1. Since 𝑑𝑖 ∣ 𝑝 − 1, therefore 𝑑𝑖 ∣ (𝑝 − 1)/𝑞 for some
(𝑝−1)/𝑞
prime divisor 𝑞 of 𝑝 − 1. This implies 𝑑𝑖 ≡ 1 (mod 𝑝). Hence, every element of
a reduced residue system is a root of the congruence 𝑓(𝑥) ≡ 0 (mod 𝑝) where
(3.3.1) 𝑓 = (𝑥(𝑝−1)/𝑞1 − 1)(𝑥(𝑝−1)/𝑞2 − 1) . . . (𝑥(𝑝−1)/𝑞𝑠 − 1).
Further, 𝑓(0) = (−1)𝑠 ≢ 0 (mod 𝑝), thus the congruence has exactly 𝑝 − 1 solutions.
Performing the multiplications in (3.3.1), we obtain 𝑓 as a sum of monomials ±𝑥𝑘
where the exponent
(3.3.2) 𝑘 is the sum of (one or more) terms (𝑝 − 1)/𝑞𝑗 with distinct 𝑞𝑗
or 𝑘 = 0. Apply now the reduction in the first proof of Theorem 3.1.3: replace 𝑥𝑝
by 𝑥 as long as possible. The resulting polynomial 𝑔 has degree at most 𝑝 − 1 and
𝑓(𝑐) ≡ 𝑔(𝑐) (mod 𝑝) for every 𝑐. This means that the congruence 𝑔(𝑥) ≡ 0 (mod 𝑝)
has exactly 𝑝 − 1 solutions and therefore the degree of 𝑔 modulo 𝑝 must be equal to
𝑝 − 1 by Theorem 3.1.2.
Then 𝑔 must contain a term 𝑥𝑝−1 . During the reduction, this was obtained from
terms 𝑥𝑠 in 𝑓 where
(3.3.3) the exponent 𝑠 is of the form 𝑠 = (𝑝 − 1)𝑡 with 𝑡 > 0,
since the exponents (greater than 𝑝 − 1) were always decreased by 𝑝 − 1 in each step.
Combining (3.3.2) and (3.3.3), we have (say)
1 1 1
(3.3.4) 𝑡= + +⋯+ .
𝑞1 𝑞2 𝑞𝑟
Multiplying (3.3.4) by 𝑞2 . . . 𝑞𝑟 makes all terms integers except the first term on the
right-hand side. This is a contradiction. □

Second proof. Let ℎ(𝑑) be the number of those integers among 1, 2, . . . , 𝑝 − 1 that
have order 𝑑 modulo 𝑝. Clearly, ℎ(𝑑) = 0 if 𝑑 ∤ 𝑝 − 1 and
(3.3.5) ∑ ℎ(𝑑) = 𝑝 − 1.
𝑑∣𝑝−1

We show that
(3.3.6) ℎ(𝑑) ≤ 𝜑(𝑑)
holds for every 𝑑.
82 3. Congruences of Higher Degree

If there is no element of order 𝑑, then (3.3.6) is true trivially since 0 = ℎ(𝑑) < 𝜑(𝑑).
Thus, we can assume that 𝑜𝑝 (𝑎) = 𝑑 for some 𝑎. Then 𝑎, 𝑎2 , . . . , 𝑎𝑑 are pairwise
incongruent modulo 𝑝, and by (𝑎𝑡 )𝑑 = (𝑎𝑑 )𝑡 ≡ 1 (mod 𝑝), they are all solutions of the
congruence 𝑥𝑑 ≡ 1 (mod 𝑝).
Since this congruence cannot have more than 𝑑 solutions, every 𝑐 satisfying 𝑐𝑑 ≡ 1
(mod 𝑝) must be congruent to one of the numbers 𝑎, 𝑎2 , . . . , 𝑎𝑑 .
Every integer of order 𝑑 is a solution of 𝑥𝑑 ≡ 1 (mod 𝑝), hence it must be congruent
to one of 𝑎, 𝑎2 , . . . , 𝑎𝑑 . By Exercise 3.2.4b, 𝑜𝑝 (𝑎𝑗 ) = 𝑜𝑝 (𝑎) = 𝑑 holds if and only if
(𝑗, 𝑑) = 1. Therefore exactly 𝜑(𝑑) numbers will have order 𝑑 among 𝑎, 𝑎2 , . . . , 𝑎𝑑 ,
i.e. ℎ(𝑑) = 𝜑(𝑑). Thus we have verified (3.3.6).
Using (3.3.5), (3.3.6), and the equality ∑𝑑∣𝑝−1 𝜑(𝑑) = 𝑝 − 1 from Exercise 2.3.14,
we obtain
𝑝 − 1 = ∑ ℎ(𝑑) ≤ ∑ 𝜑(𝑑) = 𝑝 − 1.
𝑑∣𝑝−1 𝑑∣𝑝−1
This can hold only if ℎ(𝑑) = 𝜑(𝑑) for every 𝑑 ∣ 𝑝 − 1.
This proves that in a reduced residue system mod 𝑝, exactly 𝜑(𝑑) elements have
order 𝑑. For 𝑑 = 𝑝 − 1 this means that the number of primitive roots is 𝜑(𝑝 − 1)
(implying the existence of primitive roots). □
Remark: The second proof yielded a (seemingly) stronger result: Besides guarantee-
ing a primitive root, we obtained also the number of (pairwise incongruent) primitive
roots, and even more generally, the number of elements of order 𝑑 for every given
𝑑. This surplus, however, easily follows merely from the existence of a single primitive
root (whichever proof produced it) using Theorem 3.3.2 and Exercises 3.2.4b and 3.2.4c
(see Exercise 3.3.9).

We formulate these important results as a theorem:

Theorem 3.3.4. Let the modulus be a prime 𝑝.
(i) The 𝑖th power of a primitive root is a primitive root if and only if (𝑖, 𝑝 − 1) = 1.
(ii) The number of pairwise incongruent primitive roots is 𝜑(𝑝 − 1).
(iii) In general, the number of elements of order 𝑑 in a reduced residue system mod 𝑝 is
𝜑(𝑑) if 𝑑 ∣ 𝑝 − 1. ♣

In the next theorem we characterize the moduli that have primitive roots.
Theorem 3.3.5. There exists a primitive root modulo 𝑚 > 1 if and only if 𝑚 = 𝑝𝛼 , 2𝑝𝛼 , 2,
or 4 where 𝑝 > 2 is a prime and 𝛼 > 0. ♣

Proof. The cases 𝑚 = 𝑝 and 𝑚 = 2 were verified in Theorem 3.3.3. Also, 𝑔 = 3 is a

primitive root for 𝑚 = 4. For the other moduli, we perform the proof in the following
steps:
(Y1) Yes, there exists a primitive root modulo 𝑝2 .
(Y2) Yes, there exists a primitive root modulo 𝑝𝛼 for every 𝛼 > 2.
(Y3) Yes, there exists a primitive root modulo 2𝑝𝛼 for every 𝛼 > 0.
3.3. Primitive Roots 83

(N1) No, there is no primitive root modulo 𝑚 if 𝑚 has an odd prime divisor and is
divisible by 4, or it has at least two distinct odd prime divisors.
(N2) No, there is no primitive root modulo 2𝛼 with 𝛼 > 2.
(Y1) Let 𝑔 be a primitive root modulo 𝑝. We show that at least one of 𝑔 and 𝑔 + 𝑝 is a
primitive root modulo 𝑝2 .
We know that
𝑜𝑝2 (𝑔) ∣ 𝜑(𝑝2 )
and
𝑜𝑝 (𝑔) ∣ 𝑜𝑝2 (𝑔)
by Exercise 3.2.13a. Substituting 𝜑(𝑝2 ) = 𝑝(𝑝 − 1) and 𝑜𝑝 (𝑔) = 𝑝 − 1, we get
𝑝 − 1 ∣ 𝑜𝑝2 (𝑔) and 𝑜𝑝2 (𝑔) ∣ 𝑝(𝑝 − 1).
Hence, 𝑜𝑝2 (𝑔) = 𝑝 − 1 or 𝑜𝑝2 (𝑔) = 𝑝(𝑝 − 1).
In the second case, 𝑔 is a primitive root modulo 𝑝2 (by definition).
We show that if 𝑜𝑝2 (𝑔) = 𝑝 − 1, then 𝑔 + 𝑝 is a primitive root mod 𝑝2 .
Repeating the previous argument with 𝑔 + 𝑝 instead of 𝑔, we find that 𝑜𝑝2 (𝑔 + 𝑝)
can equal only 𝑝 − 1 or 𝑝(𝑝 − 1). Thus, it is sufficient to verify (𝑔 + 𝑝)𝑝−1 ≢ 1 (mod 𝑝2 ).
By the binomial theorem,
𝑝 − 1 2 𝑝−3
(𝑔 + 𝑝)𝑝−1 ≡ 𝑔𝑝−1 + (𝑝 − 1)𝑝𝑔𝑝−2 + ( )𝑝 𝑔 + ... .
2
The first term on the right-hand side is 1 (mod 𝑝2 ) by our assumption and every other
term is divisible by 𝑝2 except the second one. Hence,
(𝑔 + 𝑝)𝑝−1 ≡ 𝑔𝑝−1 + (𝑝 − 1)𝑝𝑔𝑝−2 ≡ 1 − 𝑝𝑔𝑝−2 ≢ 1 (mod 𝑝2 ) .
(Y2) We show that if 𝑔 is a primitive root modulo 𝑝2 , then it is a primitive root mod-
ulo 𝑝𝛼 for any 𝛼 > 2. As in (Y1), it is enough to check
𝛼−2 (𝑝−1)
𝑔𝑝 ≢ 1 (mod 𝑝𝛼 ) .
We shall verify this in the form
𝛼−2 (𝑝−1)
(3.3.7) 𝑔𝑝 = 1 + 𝑡𝛼 𝑝𝛼−1 where 𝑝 ∤ 𝑡𝛼 .

We prove (3.3.7) by induction on 𝛼.

For 𝛼 = 2, we have 𝑔𝑝−1 = 1 + 𝑡2 𝑝 by Fermat’s Little Theorem and here 𝑝 ∤ 𝑡2 as 𝑔
is a primitive root modulo 𝑝2 .
Assume now that (3.3.7) holds for some 𝛼(≥ 2). We show that it holds also for 𝛼+1
(instead of 𝛼). We raise (3.3.7) to the 𝑝th power:
𝛼−1 (𝑝−1) 𝑝 𝑝
(3.3.8) 𝑔𝑝 = (1 + 𝑡𝛼 𝑝𝛼−1 )𝑝 = 1 + ( )𝑡𝛼 𝑝𝛼−1 + ( )(𝑡𝛼 𝑝𝛼−1 )2 + . . . .
1 2
Here the exponent of 𝑝 in the third term is 1 + 2(𝛼 − 1) ≥ 𝛼 + 1 and later terms have
exponents at least that big. Therefore
𝛼−1 (𝑝−1)
𝑔𝑝 = 1 + 𝑡𝛼 𝑝𝛼 + 𝑠𝑝𝛼+1 = 1 + 𝑡𝛼+1 𝑝𝛼 where 𝑝 ∤ 𝑡𝛼+ 1 .
This means that (3.3.7) holds also for 𝛼 + 1.
84 3. Congruences of Higher Degree

(Y3) Let 𝑔 be a primitive root modulo 𝑝𝛼 . One of 𝑔 and 𝑔 + 𝑝𝛼 is odd; denoting it by ℎ,

we show that ℎ is a primitive root modulo 2𝑝𝛼 .
Since ℎ𝑖 ≡ 1 (mod 2) for every 𝑖,
ℎ𝑟 ≡ 1 (mod 𝑝𝛼 ) ⟺ ℎ𝑟 ≡ 1 (mod 2𝑝𝛼 ) .
This means that
𝑜2𝑝𝛼 (ℎ) = 𝑜𝑝𝛼 (ℎ) = 𝜑(𝑝𝛼 ) = 𝜑(2𝑝𝛼 ).
(N1) We show that if (𝑎, 𝑚) = 1, then 𝑎𝑟 ≡ 1 (mod 𝑚) for some 0 < 𝑟 < 𝜑(𝑚), hence
𝑎 cannot be a primitive root.
The moduli can be written as 𝑚 = 𝑢𝑣 with suitable 𝑢 > 2 and 𝑣 > 2 where
(𝑢, 𝑣) = 1. We claim that the exponent 𝑟 = [𝜑(𝑢), 𝜑(𝑣)] works.
Both 𝜑(𝑢) and 𝜑(𝑣) are even since 𝑢 > 2 and 𝑣 > 2 (see Exercise 2.3.1), thus
(𝜑(𝑢), 𝜑(𝑣)) ≥ 2. Hence,
𝜑(𝑢)𝜑(𝑣) 𝜑(𝑚)
𝑟 = [𝜑(𝑢), 𝜑(𝑣)] ≤ = .
2 2
Further, 𝜑(𝑢) ∣ 𝑟 implies 𝑎𝑟 ≡ 1 (mod 𝑢) and the same holds also mod 𝑣. Therefore,
𝑎𝑟 ≡ 1 (mod 𝑚) is true as well.
(N2) We show by induction on 𝛼 that
𝛼−2
(3.3.9) 𝑎2 ≡ 1 (mod 2𝛼 ) so 𝑜2𝛼 (𝑎) ≤ 2𝛼−2 < 𝜑(2𝛼 )
if 𝛼 ≥ 3 and 𝑎 is odd. For 𝛼 = 3,
23 = 8 ∣ 𝑎2 − 1 = (𝑎 − 1)(𝑎 + 1).
Assume now that (3.3.9) holds for some 𝛼; we prove that it is also true for 𝛼 + 1. Con-
sidering
𝛼−1 𝛼−2 𝛼−2
𝑎2 − 1 = (𝑎2 − 1)(𝑎2 + 1),
the first factor is divisible by 2𝛼 by the induction hypothesis and the second factor is
divisible by 2. Thus, the product is divisible by 2𝛼+1 . □

Exercises 3.3

1. Determine all primitive roots modulo (a) 7 (b) 10 (c) 18.

2. Exhibit a number that is a primitive root both modulo 11 and 14.
3. Exhibit
(a) a primitive root mod 625
(b) a primitive root mod 5 which is not a primitive root mod 625.
4. True or false?
(a) If 𝑔 is a primitive root mod 11, then 𝑔 is a primitive root mod 22.
(b) If 𝑔 is a primitive root mod 22, then 𝑔 is a primitive root mod 11.
(c) If 𝑔 is a primitive root mod 𝑚, then 𝑔3 is a primitive root mod 𝑚.
 Exercises 3.3 85

(d) If 𝑔3 is a primitive root mod 𝑚, then 𝑔 is a primitive root mod 𝑚.

(e) If 𝑔 is a primitive root mod 𝑚, then 𝑔2𝜑(𝑚)−1 is a primitive root mod 𝑚.
(f) If (𝑎, 34) = 1 and 𝑎8 ≢ 1 (mod 34), then 𝑎 is a primitive root mod 34.
(g) If (𝑎, 25) = 1 and 𝑎10 ≢ 1 (mod 25), then 𝑎 is a primitive root mod 25.
5. Let the modulus be an arbitrary but fixed prime 𝑝 > 2.
(a) Show that the product of two primitive roots is never a primitive root.
(b) Prove that there exist three primitive roots whose product is a primitive root.
(c) For which primes 𝑝 is the product of any three primitive roots a primitive root
again?
6. Give a new proof for Wilson’s Theorem using primitive roots.
7. Let 𝑝 > 2 be a prime. What is the remainder of 1𝑘 + 2𝑘 + ⋯ + (𝑝 − 1)𝑘 mod 𝑝?
8. Let 𝑝 > 2 be a prime. What is the remainder of the product of all (pairwise in-
congruent) primitive roots mod 𝑝? (For the sum of the primitive roots, see Exer-
cise 6.5.9c.)
9. (a) Let 𝑝 be a prime, 𝑑 ∣ 𝑝 − 1, 𝑔 a primitive root mod 𝑝, and (𝑎, 𝑝) = 1. Prove
𝑡(𝑝 − 1)
𝑜𝑝 (𝑎) = 𝑑 ⟺ 𝑎 ≡ 𝑔𝑗 (mod 𝑝) , where 𝑗 = and (𝑡, 𝑑) = 1.
𝑑
(b) Using (a), determine the number of elements of order 𝑑 in a reduced residue
system modulo 𝑝.
S* 10. Let 𝑝 > 2 be a prime and (𝑎, 𝑝) = (𝑏, 𝑝) = 1. Prove that 𝑜𝑝 (𝑎) = 𝑜𝑝 (𝑏) holds if and
only if 𝑎 ≡ 𝑏𝑟 (mod 𝑝) and 𝑏 ≡ 𝑎𝑠 (mod 𝑝) for some positive integers 𝑟 and 𝑠.
11. How can Theorem 3.3.4 be generalized for composite moduli possessing a primi-
tive root?
12. Let 𝑚 = 2𝛼 where 𝛼 ≥ 3. Verify:
(a) 𝑜𝑚 (5) = 2𝛼−2 .
(b) The congruence 5𝑥 ≡ −1 (mod 𝑚) is not solvable.
(c) The numbers ±5𝑘 , 0 ≤ 𝑘 < 𝜑(𝑚)/2 form a reduced residue system modulo 𝑚.
Remark: We know from Theorem 3.3.5 that there is no primitive root for 𝑚 =
2𝛼 if 𝛼 ≥ 3. We obtain from (c) that 5 is “nearly” a primitive root for these
moduli.
𝛼 𝛼
* 13. Let the standard form of the odd integer 𝑚 > 1 be 𝑚 = 𝑝1 1 . . . 𝑝𝑟 𝑟 . Show that for
suitable integers 𝑢1 , . . . , 𝑢𝑟 , the numbers
𝑘 𝑘 𝛼
𝑢1 1 . . . 𝑢 𝑟 𝑟 , 0 ≤ 𝑘𝑖 < 𝜑(𝑝𝑖 𝑖 ), 𝑖 = 1, 2, . . . , 𝑟
form a reduced residue system modulo 𝑚. Formulate and prove the analogous
statement for even integers 𝑚.
14. Let 𝑝 > 2 be a prime. Give a new proof for the existence of a primitive root mod-
ulo 𝑝 following the argument below.
86 3. Congruences of Higher Degree

(a) Show that if a polynomial 𝑓 with integer coefficients divides 𝑥𝑝−1 − 1, then
the number of solutions of 𝑓(𝑥) ≡ 0 (mod 𝑝) is equal to the degree of 𝑓.
(b) Assume that 𝑞𝛽 ∣ 𝑝 − 1 for some prime 𝑞 and 𝛽 > 0. Verify for the polynomials
𝛽 𝛽−1
𝑓1 = 𝑥𝑞 − 1 and 𝑓2 = 𝑥𝑞 −1
that the congruences 𝑓1 (𝑥) ≡ 0 (mod 𝑝) and 𝑓2 (𝑥) ≡ 0 (mod 𝑝) have exactly
𝑞𝛽 and 𝑞𝛽−1 solutions.
(c) Using the notations and result of (b), exhibit the existence of a 𝑐 satisfying
𝑜𝑝 (𝑐) = 𝑞𝛽 .
(d) Using (c) and Exercise 3.2.15a, verify the existence of elements of order 𝑑 for
every 𝑑 ∣ 𝑝 − 1.

3.4. Discrete Logarithm (Index)

In this and the next section, we assume that the modulus is a prime 𝑝. We note that
the notions and results can be generalized to every modulus that possesses a primitive
root.
Let 𝑔 be a primitive root mod 𝑝. By Theorem 3.3.2, the integers 1, 𝑔, . . . , 𝑔𝑝−2
form a reduced residue system mod 𝑝, thus to any 𝑎 coprime to 𝑝, there is a unique
exponent 0 ≤ 𝑘 ≤ 𝑝 − 2 satisfying 𝑎 ≡ 𝑔𝑘 (mod 𝑝). This makes possible to introduce
the logarithm.
Definition 3.4.1. Let 𝑔 be a primitive root mod 𝑝 and (𝑎, 𝑝) = 1. Then the discrete
logarithm or index of 𝑎 with base 𝑔 is the (unique) integer 0 ≤ 𝑘 ≤ 𝑝 − 2 satisfying
𝑎 ≡ 𝑔𝑘 (mod 𝑝). ♣

Notation: ind𝑝,𝑔 (𝑎). Since the modulus 𝑝 is fixed in most cases, we can write just
ind𝑔 𝑎 in general. If there is no ambiguity concerning the primitive root, then ind 𝑎 is
sufficient.
By the preliminary remark, ind𝑔 𝑎 exists and is unique for any (𝑎, 𝑝) = 1. Of course,
the discrete logarithm of a number 𝑎 depends on which primitive root 𝑔 was chosen as
base.
If 𝑎 ≡ 𝑏 (mod 𝑝), then clearly ind𝑔 𝑎 = ind𝑔 𝑏, thus all elements in a reduced
residue class have the same discrete logarithm (with 𝑔 fixed).
We shall often use the fact
𝑔𝑠 ≡ 𝑔𝑡 (mod 𝑝) ⟺ 𝑠 ≡ 𝑡 (mod 𝑝 − 1)
(which follows from assertion (ii) in Theorem 3.2.2 with 𝑚 = 𝑝, 𝑎 = 𝑔, and 𝑜𝑝 (𝑔) =
𝑝 − 1).
According to this, all integers 𝑗 ≥ 0 satisfying 𝑔𝑗 ≡ 𝑎 (mod 𝑝) are just the non-
negative elements of a residue class modulo 𝑝 − 1, i.e.
𝑔𝑗 ≡ 𝑎 (mod 𝑝) ⟺ 𝑗 ≡ ind𝑔 𝑎 (mod 𝑝 − 1) .
(Therefore, as an alternative definition, the discrete logarithm of 𝑎 with base 𝑔 could
mean this entire residue class mod 𝑝 − 1.)
 Exercises 3.4 87

The analogs of the logarithmic identities are valid also for the discrete log (see
Exercises 3.4.3 and 3.4.4).
The discrete logarithm will be the key for taking roots modulo 𝑝 in the next section.
An application in cryptography will be mentioned in Exercise 5.8.6.
As an illustration, we attach an exponential and a logarithmic table for the modu-
lus 𝑝 = 13 and the primitive root 𝑔 = 2.
𝑗 0 1 2 3 4 5 6 7 8 9 10 11
2𝑗 (mod 13) 1 2 4 8 3 6 12 11 9 5 10 7

𝑎 1 2 3 4 5 6 7 8 9 10 11 12
ind2 𝑎 0 1 4 2 9 5 11 3 8 10 7 6

Exercises 3.4

Throughout the exercises, 𝑔 and ℎ denote primitive roots modulo a prime 𝑝 > 2, 𝑎 and
𝑏 are coprime to 𝑝, and the index refers to base 𝑔 unless indicated otherwise.
1. For which primes 𝑝 is ind𝑝,7 (2) = 3?
2. Compute the discrete logarithms.
(a) ind𝑔 1
(b) ind𝑔 (−1)
(c) ind𝑔 (−𝑔).
3. Verify the logarithmic identities.
(a) ind(𝑎𝑏) ≡ ind 𝑎 + ind 𝑏 (mod 𝑝 − 1)
(b) ind(𝑎𝑘 ) ≡ 𝑘 ⋅ ind 𝑎 (mod 𝑝 − 1).
4. Demonstrate the law for switching between logarithms from base 𝑔 to base ℎ
(a) ind𝑔 ℎ ⋅ indℎ 𝑔 ≡ 1 (mod 𝑝 − 1)
(b) indℎ 𝑎 ≡ indℎ 𝑔 ⋅ ind𝑔 𝑎 (mod 𝑝 − 1).
5. Determine the smallest positive integer 𝑠 satisfying 𝑝 − 1 ∣ 𝑠 ⋅ ind 𝑎.
6. Prove that 𝑎 is a primitive root mod 𝑝 if and only if (ind𝑔 𝑎, 𝑝 − 1) = 1.
7. Verify the propositions.
(a) (ind𝑔 𝑎, 𝑝 − 1) = 1 ⟺ (indℎ 𝑎, 𝑝 − 1) = 1.
(b) (ind𝑔 𝑎, 𝑝 − 1) = (indℎ 𝑎, 𝑝 − 1).
8. Let 𝑎, 𝑏, and 𝑐 be arbitrary primitive roots modulo 𝑝. Show that
𝑎ind𝑏 𝑐
is a primitive root mod 𝑝.
S* 9. Show that 𝑜𝑝 (𝑎) = 𝑜𝑝 (𝑏) holds if and only if ind𝑔 𝑎 = indℎ 𝑏 for some primitive
roots 𝑔 and ℎ.
 88 3. Congruences of Higher Degree

10. Find the smallest positive primitive roots for the primes below and prepare the
corresponding tables of indices (a) 7 (b) 11 (c) 17.
* 11. Prove that for any prime 𝑝 and integer 𝑎, there are infinitely many positive integers
satisfying 𝑎 ≡ 𝑘𝑘 (mod 𝑝).

3.5. Binomial Congruences

To get the 𝑘th root of a positive real number, we divide its logarithm by 𝑘 and the quo-
tient yields the logarithm of the root (this is how calculators work). We can use the
discrete logarithm similarly to take roots modulo 𝑝, i.e. to solve the congruence 𝑥𝑘 ≡ 𝑎
(mod 𝑝) where 𝑝 is a prime. As it has just two terms, it is called a binomial congru-
ence. The general binomial congruence 𝑐𝑥𝑘 ≡ 𝑑 (mod 𝑝) with 𝑐 ≢ 0 (mod 𝑝) can be
reduced to 𝑥𝑘 ≡ 𝑎 (mod 𝑝) where 𝑎 is the unique solution of the linear congruence
𝑐𝑦 ≡ 𝑑 (mod 𝑝).
If (𝑎, 𝑝) ≠ 1, then 𝑎 ≡ 0 (mod 𝑝), i.e. we get the congruence 𝑥𝑘 ≡ 0 (mod 𝑝).
Using the prime property of 𝑝, it follows that 𝑥 ≡ 0 (mod 𝑝) is the only solution.
Thus, we assume (𝑎, 𝑝) = 1 from now on.
Theorem 3.5.1. Let 𝑝 be a prime and (𝑎, 𝑝) = 1. The congruence
(3.5.1) 𝑥𝑘 ≡ 𝑎 (mod 𝑝)
is solvable if and only if
𝑝−1
(3.5.2) 𝑎 (𝑘,𝑝−1) ≡ 1 (mod 𝑝) .
If it is solvable, then there are (𝑘, 𝑝 − 1) (pairwise incongruent) solutions.
Condition (3.5.2) is equivalent to
(3.5.3) (𝑘, 𝑝 − 1) ∣ ind𝑔 𝑎
where 𝑔 denotes an arbitrary primitive root modulo 𝑝. ♣

Proof. We use the discrete logarithm with base 𝑔.

We look for solutions in the form 𝑥 ≡ 𝑔ind 𝑥 (mod 𝑝). Then (3.5.1) can be written
as
(3.5.4) 𝑔𝑘⋅ind 𝑥 ≡ 𝑔ind 𝑎 (mod 𝑝) .
Applying 𝑔𝑠 ≡ 𝑔𝑡 (mod 𝑝) ⟺ 𝑠 ≡ 𝑡 (mod 𝑝 − 1), (3.5.4) is equivalent to
(3.5.5) 𝑘 ⋅ ind 𝑥 ≡ ind 𝑎 (mod 𝑝 − 1) .
(3.5.5) is a linear congruence for ind 𝑥. By Theorem 2.5.3, it is solvable if and only if
(3.5.3) holds, hence the same applies for the solvability of (3.5.1).
There is a one-to-one correspondence between the pairwise incongruent solutions
modulo 𝑝 − 1 of (3.5.5) and the pairwise incongruent solutions modulo 𝑝 of (3.5.1),
therefore the number of solutions of the two congruences is the same. By Theorem
2.5.4, it is (𝑘, 𝑝 − 1).
3.5. Binomial Congruences 89

We show the equivalence of (3.5.2) and (3.5.3). Since

𝑝−1 𝑝−1 ind 𝑎
(𝑝−1) (𝑘,𝑝−1)
(3.5.6) 𝑎 (𝑘,𝑝−1) ≡ (𝑔ind 𝑎 ) (𝑘,𝑝−1) = 𝑔 (mod 𝑝) ,
(𝑝−1)/(𝑘,𝑝−1)
𝑎 ≡ 1 (mod 𝑝) is true if and only if the exponent of 𝑔 in the last term of
(3.5.6) is a multiple of 𝑝 − 1, i.e. (𝑘, 𝑝 − 1) ∣ ind 𝑎. □
Remarks: (1) The proof provides a method for obtaining the solutions assuming that
we have a table of indices for some primitive root.
(2) The values of ind𝑔 𝑎 (may) vary depending on the choice of the primitive root 𝑔.
However, as the solvability of (3.5.1) does not depend on 𝑔, the condition in (3.5.3)
has to be independent of 𝑔; it holds either for all, or for none of the primitive roots.
(This follows from Exercise 3.4.7b.)
Example. Solve the congruence 5𝑥22 ≡ 6 (mod 13).
The (only) solution of 5𝑦 ≡ 6 (mod 13) is 𝑦 ≡ 9 (mod 13). This reduces our task
to solving the congruence 𝑥22 ≡ 9 (mod 13).
According to the proof of Theorem 3.5.1, this is equivalent to
22 ⋅ ind 𝑥 ≡ ind 9 (mod 12) .
Note that 2 is a primitive root modulo 13 and the relevant exponential and logarithmic
tables are at the end of Section 3.4. From the logarithmic table, we have ind 9 = 8.
The linear congruence
22 ⋅ ind 𝑥 ≡ 8 (mod 12)
is solvable since (22, 12) ∣ 8 and it has (22, 12) = 2 (pairwise incongruent) solutions
(mod 12). They are
ind 𝑥 ≡ 2 (mod 12) and ind 𝑥 ≡ 8 (mod 12) .
Using the exponential table, we obtain
𝑥 ≡ 4 (mod 13) and 𝑥 ≡ 9 (mod 13) .
We note that it is unnecessary to first solve the congruence 5𝑦 ≡ 6 (mod 13) as we can
switch immediately to the indices:
ind 5 + 22 ⋅ ind 𝑥 ≡ ind 6 (mod 12) or 9 + 22 ⋅ ind 𝑥 ≡ 5 (mod 12) .
Thus, we arrived in a single step at the linear congruence 22 ⋅ ind 𝑥 ≡ 8 (mod 12).
Definition 3.5.2. Let 𝑝 be a prime and (𝑎, 𝑝) = 1. The number 𝑎 is a 𝑘th power residue
mod 𝑝 if the congruence 𝑥𝑘 ≡ 𝑎 (mod 𝑝) is solvable and it is a 𝑘th power non-residue
mod 𝑝 if the congruence 𝑥𝑘 ≡ 𝑎 (mod 𝑝) is not solvable. ♣
Theorem 3.5.3. Let 𝑝 be a prime and (𝑎, 𝑝) = 1. The integer 𝑎 is a 𝑘th power residue
mod 𝑝 if and only if
𝑝−1
𝑎 (𝑘,𝑝−1) ≡ 1 (mod 𝑝) i.e. (𝑘, 𝑝 − 1) ∣ ind𝑔 𝑎
where 𝑔 is an arbitrary primitive root modulo 𝑝.
The number of (pairwise incongruent) 𝑘th power residues is (𝑝 − 1)/(𝑘, 𝑝 − 1). ♣
90 3. Congruences of Higher Degree

Proof. The first assertion is just a reformulation of (a part of) Theorem 3.5.1.
To prove the second assertion, note that by Theorem 3.5.1, the 𝑘th power residues
are exactly the solutions of the congruence
(𝑝−1)
𝑧 (𝑘,𝑝−1) ≡ 1 (mod 𝑝)
and the number of solutions is
𝑝−1 𝑝−1
( , 𝑝 − 1) = . □
(𝑘, 𝑝 − 1) (𝑘, 𝑝 − 1)

Exercises 3.5

In the exercises, the modulus is a prime 𝑝 > 2.

1. Solve the following congruences. (For moduli 11, 13, and 17 use the relevant tables
of indices at the end of Section 3.4 and the hint to Exercise 3.4.10.)
(a) 3𝑥50 ≡ 2 (mod 101).
(b) 𝑥99 ≡ 2 (mod 101).
(c) 𝑥46 ≡ 50 (mod 23).
(d) 5𝑥14 ≡ 14𝑥2 (mod 17).
(e) 4𝑥7 + 7𝑥4 ≡ 0 (mod 13).
(f) 4𝑥27 + 5𝑥20 + 7𝑥17 + 9𝑥8 + 3 ≡ 0 (mod 11).
2. Determine the number of solutions.
(a) (𝑥30 − 1)(𝑥45 − 1) ≡ 0 (mod 73).
(b) 1 + 𝑥 + 𝑥2 + ⋯ + 𝑥𝑘 ≡ 0 (mod 31).
3. For which 𝑎 is
1 + 𝑥 + ⋯ + 𝑥𝑝−2 ≡ 𝑎 (mod 𝑝)
solvable?
4. Show that if 𝑔 is a primitive root, then the congruence 𝑥𝑘 ≡ 𝑔 (mod 𝑝) can have at
most one solution.
5. Denote by 𝑏1 , . . . , 𝑏𝑟 the (pairwise incongruent) solutions of 𝑥𝑘 ≡ 1 (mod 𝑝). Let
(𝑎, 𝑝) = 1 and 𝑐 be a solution of 𝑥𝑘 ≡ 𝑎 (mod 𝑝). How can we describe all solutions
of 𝑥𝑘 ≡ 𝑎?
6. Determine the power residues of exponent
(a) 𝑝 − 1
(b) (𝑝 − 1)/2.
7. For which 𝑘 can we take unique 𝑘th roots mod 𝑝, i.e. when does the congruence
𝑥𝑘 ≡ 𝑎 (mod 𝑝) have exactly one solution for any 𝑎?
8. For which primes can we form a complete residue system purely from cubes?
9. Prove the following assertions.
 3.6. Chevalley’s Theorem, Kőnig–Rados Theorem 91

(a) The product of two 𝑘th power residues is always a 𝑘th power residue.
(b) The product of a 𝑘th power residue and a 𝑘th power non-residue is always a
𝑘th power non-residue.

10. How can we characterize in terms of 𝑝 and 𝑘 that there exist 𝑘th power residues
and the product of any two of them is again a 𝑘th power residue?

11. What is the remainder mod 𝑝 of (a) the sum (b) the product of all (pairwise incon-
gruent) 𝑘th power residues?

S 12. Prove that 𝑎 is both a 20th and 50th power residue modulo 𝑝 if and only if it is a
100th power residue. Investigate also the generalized problem.

3.6. Chevalley’s Theorem, Kőnig–Rados Theorem

We discuss two famous theorems concerning congruences with prime modulus. We
consider first a system of congruences

(3.6.1) 𝑓𝑖 (𝑥1 , 𝑥2 , . . . , 𝑥𝑡 ) ≡ 0 (mod 𝑝) , 𝑖 = 1, 2, . . . , 𝑘

where 𝑝 is a prime, 𝑘 ≥ 1, and

𝑓𝑖 (𝑥1 , 𝑥2 , . . . , 𝑥𝑡 ), 𝑖 = 1, 2, . . . , 𝑘

are polynomials in 𝑡 variables with integer coefficients and constant terms 0, i.e.

(3.6.2) 𝑓𝑖 (0, 0, . . . , 0) = 0, 𝑖 = 1, 2, . . . , 𝑘.

(3.6.2) implies that 𝑥1 ≡ 𝑥2 ≡ ⋯ ≡ 𝑥𝑡 ≡0 (mod 𝑝) satisfies (3.6.1). We call this a trivial

solution.
Chevalley’s Theorem asserts that with suitable requirements for the degrees of 𝑓𝑖 ,
𝑛 𝑛
(3.6.1) has a non-trivial solution, too. (The degree of a term 𝑥1 1 . . . 𝑥𝑡 𝑡 is 𝑛1 + ⋯ + 𝑛𝑡
and the degree of a polynomial is the maximal degree among its terms having non-zero
coefficient.)

Theorem 3.6.1 (Chevalley’s Theorem). If the polynomials 𝑓𝑖 in (3.6.1) satisfy (3.6.2)

and the sum of their degrees is less than the number of variables, i.e.
𝑘
(3.6.3) ∑ deg 𝑓𝑖 < 𝑡,
𝑖=1

then (3.6.1) has a non-trivial solution. ♣

Examples. The system of congruences

𝑥1 + 2𝑥2 + 3𝑥3 + 4𝑥4 + 5𝑥5 ≡ 0 (mod 23)
𝑥13 + 2𝑥1 𝑥2 + 3𝑥2 𝑥3 + 4𝑥3 𝑥42 + 5𝑥52 ≡ 0 (mod 23)

has a non-trivial solution with not all 𝑥𝑖 multiples of 23. (Here 𝑘 = 2 and 5 = 𝑡 >
1 + 3 = deg 𝑓1 + deg 𝑓2 .)
92 3. Congruences of Higher Degree

We can apply Theorem 3.6.1 also for 𝑘 = 1, just one polynomial. For example, the
divisibility
𝑝 ∣ 𝑥13 + 3𝑥23 + 5𝑥33 + 7𝑥43 + 9𝑥1 𝑥2 + 11𝑥3 𝑥4
can be satisfied for any prime 𝑝 so that not all 𝑥𝑖 are divisible by 𝑝. (Now 𝑡 = 4 and
deg 𝑓 = 3.)

Proof. Assuming that there is only a trivial solution, we shall force a contradiction.
We define two new polynomials in 𝑡 variables:
𝑘
𝑝−1
𝐹(𝑥1 , 𝑥2 , . . . , 𝑥𝑡 ) = ∏(1 − 𝑓𝑖 (𝑥1 , 𝑥2 , . . . , 𝑥𝑡 )) and
𝑖=1
𝑡
𝑝−1
𝐺(𝑥1 , 𝑥2 , . . . , 𝑥𝑡 ) = ∏(1 − 𝑥𝑗 ).
𝑗=1

By Fermat’s Little Theorem,

𝑝−1
𝑐𝑗 ≢ 0 (mod 𝑝) ⟹ 𝑐𝑗 ≡ 1 (mod 𝑝) .
This implies that substituting arbitrary integers 𝑐 1 , . . . , 𝑐 𝑡 into 𝐺, we get
1 (mod 𝑝) , if 𝑐 1 ≡ ⋯ ≡ 𝑐 𝑡 ≡ 0 (mod 𝑝)
(3.6.4) 𝐺(𝑐 1 , 𝑐 2 , . . . , 𝑐 𝑡 ) ≡ {
0 (mod 𝑝) , otherwise.
We show that the same holds also for 𝐹, i.e.
1 (mod 𝑝) , if 𝑐 1 ≡ ⋯ ≡ 𝑐 𝑡 ≡ 0 (mod 𝑝)
(3.6.5) 𝐹(𝑐 1 , 𝑐 2 , . . . , 𝑐 𝑡 ) ≡ {
0 (mod 𝑝) , otherwise.
We consider first
𝑐 1 ≡ ⋯ ≡ 𝑐 𝑡 ≡ 0 (mod 𝑝) .
By (3.6.2),
𝑓(𝑐 1 , . . . , 𝑐 𝑡 ) ≡ 0 (mod 𝑝)
for every 𝑖, so every factor of 𝐹(𝑐 1 , . . . , 𝑐 𝑡 ) and so 𝐹(𝑐 1 , . . . , 𝑐 𝑡 ) itself is congruent to 1
modulo 𝑝.
Now, we turn to the other case when at least one of the integers 𝑐 1 , . . . , 𝑐 𝑡 is not a
multiple of 𝑝. We assumed that (3.6.1) has only a trivial solution, hence 𝑐 1 , . . . , 𝑐 𝑡 is not
a solution, so
𝑓𝑖 (𝑐 1 , . . . , 𝑐 𝑡 ) ≢ 0 (mod 𝑝)
for at least one 𝑖. Applying Fermat’s Little Theorem again, this implies
𝑝−1
𝑓𝑖 (𝑐 1 , 𝑐 2 , . . . , 𝑐 𝑡 ) ≡ 1 (mod 𝑝) .
This means that a factor of 𝐹(𝑐 1 , . . . , 𝑐 𝑡 ) and so 𝐹(𝑐 1 , . . . , 𝑐 𝑡 ) itself is divisible by 𝑝. Here-
with we have proven (3.6.5).
By (3.6.4) and (3.6.5),
(3.6.6) 𝐹(𝑐 1 , . . . , 𝑐 𝑡 ) ≡ 𝐺(𝑐 1 , . . . , 𝑐 𝑡 ) (mod 𝑝)
for arbitrary integers 𝑐 1 , . . . , 𝑐 𝑡 .
3.6. Chevalley’s Theorem, Kőnig–Rados Theorem 93

From now on, we shall consider all polynomials as polynomials in 𝑡 variables over
the modulo 𝑝 field.
In this interpretation, (3.6.6) tells us that 𝐹 and 𝐺 assume the same values for every
substitution (the same polynomial functions belong to 𝐹 and 𝐺; however, this does not
imply in general the equality of the polynomials themselves, that is, the equality of the
coefficients in the case of a finite field).
𝑝
Let 𝐻 ∗ be the reduced form of the polynomial 𝐻 obtained by replacing every 𝑥𝑖
in 𝐻 with 𝑥𝑖 as long as possible. The exponents of 𝑥𝑖 in the terms of 𝐻 ∗ are at most
𝑝 − 1, and 𝐻 and 𝐻 ∗ assume the same values everywhere. It can be easily proven by
induction on the number of variables that if the polynomials 𝐻 and 𝐾 assume the same
values everywhere, then the (formal) polynomials 𝐻 ∗ and 𝐾 ∗ are equal (so they have
the same coefficients).
We saw that 𝐹 and 𝐺 assume the same values everywhere, therefore the polyno-
mials 𝐹 ∗ and 𝐺 ∗ are equal. Hence, deg 𝐺 ∗ = deg 𝐹 ∗ . However, by 𝐺 = 𝐺 ∗ and (3.6.3),
this leads to a contradiction:

𝑘
deg 𝐺 ∗ = deg 𝐺 = (𝑝 − 1)𝑡 > (𝑝 − 1) ( ∑ deg 𝑓𝑖 ) = deg 𝐹 ≥ deg 𝐹 ∗ . □
𝑖=1

In the second half of this section, we express the number of solutions of a con-
gruence 𝑓(𝑥) ≡ 0 (mod 𝑝) in an exact formula with the help of the coefficients. This
theorem by Kőnig and Rados is rather only of theoretical significance; it can be hardly
applied for computing the number of solutions in practice.

Theorem 3.6.2 (Kőnig–Rados Theorem). Let 𝑝 be a prime and 𝑓 = 𝑎0 + 𝑎1 𝑥 + ⋯ +

𝑎𝑝−2 𝑥𝑝−2 be a polynomial with integer coefficients having 𝑎0 ≢ 0 (mod 𝑝). Then the
number of solutions of the congruence 𝑓(𝑥) ≡ 0 (mod 𝑝) is 𝑝 − 1 − 𝑟 where 𝑟 = 𝑟(𝐴) is
the rank of the cyclic (𝑝 − 1) × (𝑝 − 1) matrix 𝐴 over the modulo 𝑝 field,

𝑎 𝑎1 ... 𝑎𝑝−2
⎛ 0 ⎞
𝑎𝑝−2 𝑎0 ... 𝑎𝑝−3
𝐴=⎜ ⎟. ♣
⎜ ⋮ ⋮ ⋱ ⋮ ⎟
⎝ 𝑎1 𝑎2 ... 𝑎0 ⎠

Remarks: (1) The theorem immediately implies that 𝑓(𝑥) ≡ 0 (mod 𝑝) is solvable if
and only if the rank of 𝐴 is less than 𝑝 − 1, i.e. det 𝐴 ≡ 0 (mod 𝑝).

(2) The requirements imposed on 𝑓 are not serious restrictions; we can obtain the
number of solutions for an arbitrary polynomial 𝑓 by a simple reduction to the
Kőnig–Rados Theorem, see Exercise 3.6.11.

Proof. We shall need the following elementary results from linear algebra. They all
refer to 𝑛 × 𝑛 matrices over a field 𝐹 where 𝑟(𝐵) denotes the rank of matrix 𝐵; in our
case, 𝑛 = 𝑝 − 1 and 𝐹 is the modulo 𝑝 field.
94 3. Congruences of Higher Degree

(i) Let 𝑡1 , 𝑡2 , . . . , 𝑡𝑛 be distinct elements in 𝐹. Then the Vandermonde matrix

1 1 1 ... 1
⎛ ⎞
⎜ 𝑡1 𝑡2 𝑡3 ... 𝑡𝑛 ⎟
𝑉 = 𝑉(𝑡1 , 𝑡2 , . . . , 𝑡𝑛 ) = ⎜ 𝑡12 𝑡22 𝑡32 ... 𝑡𝑛2 ⎟
⎜ ⎟
⋮ ⋮ ⋮ ⋱ ⋮
⎜ ⎟
𝑛−1
⎝𝑡1 𝑡2𝑛−1 𝑡3𝑛−1 ... 𝑡𝑛𝑛−1 ⎠
has rank 𝑟(𝑉) = 𝑛.
(ii) If 𝑟(𝐵) = 𝑛, so 𝐵 has an inverse, then 𝑟(𝐶𝐵) = 𝑟(𝐶) for an arbitrary 𝐶.
Assertion (ii) follows from the inequality
𝑟(𝑀𝑁) ≤ min(𝑟(𝑀), 𝑟(𝑁))
valid for arbitrary matrices 𝑀 and 𝑁. On the one hand, 𝑟(𝐶𝐵) ≤ 𝑟(𝐶), and on the other
hand, 𝑟(𝐶) = 𝑟((𝐶𝐵)𝐵 −1 ) ≤ 𝑟(𝐶𝐵).
Turning to the proof of Theorem 3.6.2, let 𝑠 denote the number of solutions of the
congruence 𝑓(𝑥) ≡ 0 (mod 𝑝). Consider the matrix 𝐷 = 𝐴𝑉 where 𝑉=𝑉(1, 2, . . . , 𝑝−1).
By (i) and (ii),
(3.6.7) 𝑟(𝐷) = 𝑟(𝐴) = 𝑟.
Performing the multiplication 𝐴𝑉, the 𝑗th element of the first row in 𝐷 is
𝑑1𝑗 = 𝑎0 + 𝑎1 𝑗 + 𝑎2 𝑗2 + ⋯ + 𝑎𝑝−2 𝑗𝑝−2 = 𝑓(𝑗).
For a simple form of the 𝑗th element in the second row, we use also 𝑗𝑝−1 ≡ 1 (mod 𝑝):
𝑑2𝑗 = 𝑎𝑝−2 + 𝑎0 𝑗 + 𝑎1 𝑗2 + ⋯ + 𝑎𝑝−3 𝑗𝑝−2 ≡
≡ 𝑎𝑝−2 𝑗𝑝−1 + 𝑎0 𝑗 + 𝑎1 𝑗2 + ⋯ + 𝑎𝑝−3 𝑗𝑝−2 = 𝑗𝑓(𝑗) (mod 𝑝) .
Similarly, for the 𝑗th element in the 𝑖th row, we obtain
𝑑𝑖𝑗 ≡ 𝑗𝑖−1 𝑓(𝑗) (mod 𝑝) .
This means that (working with equality in the modulo 𝑝 field instead of congruences)
𝑓(1) 𝑓(2) 𝑓(3) ... 𝑓(𝑝 − 1)
⎛ ⎞
⎜𝑓(1) 2𝑓(2) 3𝑓(3) ... (𝑝 − 1)𝑓(𝑝 − 1) ⎟
⎜
𝐷 = 𝐴𝑉 = 𝑓(1) 22 𝑓(2) 32 𝑓(3) ... (𝑝 − 1)2 𝑓(𝑝 − 1) ⎟
⎜ ⎟
⋮ ⋮ ⋮ ⋮
⎜ ⎟
𝑝−2
⎝𝑓(1) 2 𝑓(2) 3𝑝−2 𝑓(3) ... (𝑝 − 1)𝑝−2 𝑓(𝑝 − 1)⎠
In column 𝑗 of 𝐷 every element is 0 if and only if 𝑓(𝑗) ≡ 0 (mod 𝑝). Thus, 𝐷 has exactly
𝑠 columns with all 0s. The other columns are distinct columns of 𝑉 multiplied by a non-
zero scalar, so they are linearly independent according to (i). Hence, 𝑟(𝐷) = 𝑝 − 1 − 𝑠.
Combined with (3.6.7), this proves the theorem. □
 Exercises 3.6 95

Exercises 3.6

1. Which well-known theorem is obtained as a special case of Chevalley’s Theorem

when each polynomial 𝑓𝑖 has degree one?
2. Verify that the congruence 𝑎𝑥2 + 𝑏𝑦2 + 𝑐𝑧2 ≡ 0 (mod 𝑝) has a non-trivial solution
for every prime 𝑝 and any integers 𝑎, 𝑏, and 𝑐.
3. Prove.
(a) For any 𝑛 > 1, there exist three integers such that taking the sum 𝑠 of their
squares, 𝑛 ∣ 𝑠 but 𝑛2 ∤ 𝑠.
(b) Moreover, even (𝑛, 𝑠/𝑛) = 1 can be attained.
4. Show that every prime 𝑝 has a positive multiple less than 𝑝4 /4 that can be written
as the sum of at most five fourth powers.
* 5. (a) Let 𝑞1 , . . . , 𝑞𝑘 be distinct primes and 𝑐 1 , . . . , 𝑐 𝑡 distinct positive integers not
divisible by any other primes than the 𝑞𝑖 . Prove that if 𝑡 ≥ 2𝑘 + 1, then we can
select some distinct numbers from the 𝑐𝑗 (maybe just one, maybe all of them)
so that their product is a cube.
(b) Generalize (a) for 𝑝th powers where 𝑝 is an arbitrary prime.
Remark: The analogous result can be proven (using different methods) for
𝑚th powers where 𝑚 is a prime power, but it is not proved for any other values
of 𝑚.
* 6. Show that from any 2𝑛 − 1 integers, we can select 𝑛 whose sum is divisible by 𝑛.
7. Prove the following generalization of Chevalley’s Theorem. We omit the assump-
tion that the constant terms of the polynomials are 0 and leave the other conditions
unchanged. Then the following hold for the system of congruences in question:
(a) If it is solvable, then there are at least two solutions.
* (b) The number of solutions is divisible by 𝑝.
8. Let 𝑝 > 2 be a prime and (𝑎𝑏, 𝑝) = 1. As an illustration of the Kőnig–Rados
Theorem, determine the number of solutions of the congruence 𝑓(𝑥) ≡ 0 (mod 𝑝)
for the following polynomials 𝑓:
(a) 𝑎𝑥 − 𝑏
(b) 1 + 𝑥 + ⋯ + 𝑥𝑝−2
(c) 𝑥𝑝−2 − 𝑎.
9. Deduce the solvability of the following congruences from the Kőnig–Rados Theo-
rem:
(a) 𝑥𝑘 ≡ 1 (mod 𝑝) where 𝑝 is an odd prime and 1 ≤ 𝑘 ≤ 𝑝 − 2
(b) 𝑥2 ≡ −1 (mod 𝑝), where 𝑝 is a prime of the form 4𝑘 + 1.
96 3. Congruences of Higher Degree

10. Let 𝑝 > 3 be a prime, (𝑎0 , 𝑝) = (𝑎1 , 𝑝) = (𝑎𝑝−2 , 𝑝) = 1 and

𝑓 = 𝑎0 + 𝑎1 𝑥 + ⋯ + 𝑎𝑝−3 𝑥𝑝−3 + 𝑎𝑝−2 𝑥𝑝−2
𝑔 = 𝑎1 + 𝑎2 𝑥 + ⋯ + 𝑎𝑝−2 𝑥𝑝−3 + 𝑎0 𝑥𝑝−2
ℎ = 𝑎𝑝−2 + 𝑎𝑝−3 𝑥 + ⋯ + 𝑎1 𝑥𝑝−3 + 𝑎0 𝑥𝑝−2 .
Prove that the congruences
𝑓(𝑥) ≡ 0 (mod 𝑝) , 𝑔(𝑥) ≡ 0 (mod 𝑝) , and ℎ(𝑥) ≡ 0 (mod 𝑝)
have the same number of solutions.
11. Let 𝑔 = 𝑏0 +𝑏1 𝑥+⋯+𝑏𝑛 𝑥𝑛 be an arbitrary polynomial with integer coefficients. To
determine the number of solutions of 𝑔(𝑥) ≡ 0 (mod 𝑝) in the case 𝑛 > 𝑝−2 and/or
𝑏0 ≡ 0 (mod 𝑝), how can we reduce the problem to the Kőnig–Rados Theorem?

3.7. Congruences with Prime Power Moduli

We saw in Section 2.6 that a congruence with a composite modulus can be reduced to
congruences with prime power moduli by the Chinese Remainder Theorem. Now, we
examine how we can reduce the prime power modulus case to that of a prime modulus.
Let 𝑝 be a prime, 𝑘 a positive integer, 𝑓 a polynomial with integer coefficients, and
consider the congruence
(3.7.1) 𝑓(𝑥) ≡ 0 (mod 𝑝𝑘 ) .
If 𝑐 is a solution of (3.7.1), then 𝑐 also satisfies
(3.7.2) 𝑓(𝑥) ≡ 0 (mod 𝑝) .
Therefore, we shall start from the solutions of (3.7.2) to determine the solutions of
(3.7.1).
Theorem 3.7.1. Let 𝑐 be a solution of (3.7.2), and assume that 𝑓′ (𝑐) ≢ 0 (mod 𝑝) where
𝑓′ stands for the derivative of 𝑓. Then (3.7.1) has exactly one solution 𝑥 ≡ 𝑐 𝑘 (mod 𝑝𝑘 )
satisfying 𝑐 𝑘 ≡ 𝑐 (mod 𝑝). ♣

The proof yields a procedure to produce 𝑐 𝑘 and clarifies the situation in the case
𝑓′ (𝑐) ≡ 0 (mod 𝑝) as well.

Proof. We shall use the observation

(3.7.3) 𝑗 ≥ 1 ⟹ 𝑓(𝑎 + 𝑡𝑝𝑗 ) ≡ 𝑓(𝑎) + 𝑡𝑝𝑗 𝑓′ (𝑎) (mod 𝑝𝑗+1 ) .
To verify (3.7.3), consider the representation of 𝑓(𝑎 + 𝑡𝑝𝑗 ) by Taylor’s formula,
𝑓″ (𝑎) 𝑓(𝑛) (𝑎)
(3.7.4) 𝑓(𝑎 + 𝑡𝑝𝑗 ) = 𝑓(𝑎) + 𝑡𝑝𝑗 𝑓′ (𝑎) + 𝑡2 𝑝2𝑗 + ⋯ + 𝑡𝑛 𝑝𝑛𝑗
2! 𝑛!
(𝑟)
where 𝑛 is the degree of 𝑓. Every 𝑓 (𝑎)/(𝑟! ) is an integer, since the 𝑟th derivative of a
term 𝑥𝑠 is 𝑠(𝑠 − 1) . . . (𝑠 − 𝑟 + 1)𝑥𝑠−𝑟 (for 𝑠 ≥ 𝑟) and the product of 𝑟 consecutive integers
is always divisible by 𝑟! (see Exercise 1.1.17b). This implies that on the right-hand side
of (3.7.4), every term except the first two is divisible by 𝑝𝑗+1 , thus proving (3.7.3).
We prove Theorem 3.7.1 by induction on 𝑘. The case 𝑘 = 1 is obvious (even without
the assumption on the derivative).
3.7. Congruences with Prime Power Moduli 97

Assume now that the assertion is true for 𝑘 − 1. This means that the congruence
(3.7.5) 𝑓(𝑥) ≡ 0 (mod 𝑝𝑘−1 )
has exactly one solution 𝑥 ≡ 𝑐 𝑘−1 (mod 𝑝𝑘−1 ) with 𝑐 𝑘−1 ≡ 𝑐 (mod 𝑝).
We want to find a solution of (3.7.1) satisfying also 𝑐 𝑘 ≡ 𝑐 (mod 𝑝). Because (3.7.5)
holds for 𝑐 𝑘 , 𝑐 𝑘 ≡ 𝑐 𝑘−1 (mod 𝑝𝑘−1 ), so
(3.7.6) 𝑐 𝑘 = 𝑐 𝑘−1 + 𝑡𝑝𝑘−1 .

Substituting (3.7.6) into (3.7.1) and applying (3.7.3) (with 𝑎 = 𝑐 𝑘−1 and 𝑗 = 𝑘 − 1)
we obtain
(3.7.7) 𝑓(𝑐 𝑘 ) = 𝑓(𝑐 𝑘−1 + 𝑡𝑝𝑘−1 ) ≡ 𝑓(𝑐 𝑘−1 ) + 𝑡𝑝𝑘−1 𝑓′ (𝑐 𝑘−1 ) ≡ 0 (mod 𝑝𝑘 ) .
Here, 𝑝𝑘−1 ∣ 𝑓(𝑐 𝑘−1 ) by the induction hypothesis. Cancelling 𝑝𝑘−1 in (3.7.7) and using
𝑐 𝑘−1 ≡ 𝑐 (mod 𝑝), we obtain
𝑓(𝑐 𝑘−1 )
(3.7.8) + 𝑡𝑓′ (𝑐) ≡ 0 (mod 𝑝) .
𝑝𝑘−1
This is a linear congruence for 𝑡 that has exactly one solution 𝑡 ≡ 𝑡0 (mod 𝑝) due
to 𝑓′ (𝑐) ≢ 0 (mod 𝑝). Hence, 𝑡 = 𝑡0 + 𝑠𝑝. Substitution into (3.7.6) yields
𝑐 𝑘 = 𝑐 𝑘−1 + 𝑡0 𝑝𝑘−1 + 𝑠𝑝𝑘 so 𝑐 𝑘 ≡ 𝑐 𝑘−1 + 𝑡0 𝑝𝑘−1 (mod 𝑝𝑘 ) .
Thus we have proven that 𝑐 𝑘 exists and is unique mod 𝑝𝑘 . □

Following the proof, we can build up the values 𝑐 2 , . . . , 𝑐 𝑘 recursively starting from
𝑐 = 𝑐 1 . (We can even get a formula for 𝑐 𝑘 , see Exercise 3.7.4.)
If 𝑓′ (𝑐) ≡ 0 (mod 𝑝), then either every 𝑡, or no 𝑡 is a solution of (3.7.8) depending on
whether or not 𝑝𝑘 ∣ 𝑓(𝑐 𝑘−1 ). This means that a solution 𝑐 𝑘−1 of (3.7.5) either gives rise
to 𝑝 suitable 𝑐 𝑘 , or to none. In this case, the above recursion is much more complicated.
Example. Solve the congruence 𝑥3 + 2𝑥 ≡ 22 (mod 125).
We solve first
𝑓(𝑥) = 𝑥3 + 2𝑥 − 22 ≡ 0 (mod 5) .
Checking the elements of the complete residue system 0, ±1, ±2 modulo 5, we get two
solutions:
(i) 𝑥 ≡ 2 (mod 5), and
(ii) 𝑥 ≡ −1 (mod 5).
(i) If 𝑥 ≡ 2 (mod 5), then
𝑓′ (2) ≡ 3 ⋅ 22 + 2 ≡ −1 (mod 5) ,
hence we can apply Theorem 3.7.1.
Substituting 𝑥 = 2 + 5𝑡 into 𝑥3 + 2𝑥 − 22 ≡ 0 (mod 25), we obtain
−10 + (5𝑡) ⋅ 14 ≡ 0 (mod 25) so − 2 − 𝑡 ≡ 0 (mod 5) .
So 𝑡 ≡ −2 (mod 5) and 𝑡 = 5𝑠 − 2. Then
𝑥 = 2 + 5𝑡 = 2 + 5(5𝑠 − 2) = −8 + 25𝑠.
98 3. Congruences of Higher Degree

Thus 𝑥 ≡ −8 (mod 25) is the only solution of

𝑥3 + 2𝑥 − 22 ≡ 0 (mod 25)
satisfying 𝑥 ≡ 2 (mod 5).
We proceed similarly from modulus 52 to 53 . Writing 𝑥 = −8 + 25𝑠 in
𝑥3 + 2𝑥 − 22 ≡ 0 (mod 125)
we get
−50 + (25𝑠) ⋅ 194 ≡ 0 (mod 125) .
Thus 𝑠 ≡ −2 (mod 5), hence
𝑥 = −8 + 25𝑠 = −58 + 125𝑟 or 𝑥 ≡ −58 (mod 125) .
′
(ii) If 𝑥 ≡ −1 (mod 5), then 𝑓 (−1) ≡ 0 (mod 5). According to the remark after
the proof, we have to check in each step whether or not the value 𝑓(𝑐 𝑘−1 ) in (3.7.8) is
divisible by 𝑝𝑘 .
Since 𝑓(−1) ≡ 0 (mod 25), every 𝑥 ≡ −1 (mod 5) satisfies 𝑥3 + 2𝑥 − 22 ≡ 0
(mod 25). Hence, the solutions are
𝑥 ≡ −1, 4, 9, 14, and 19 (mod 25) .
Out of these, only the last two will make 𝑓(𝑥) a multiple of 125, so
𝑥 ≡ 14 (mod 25) and 𝑥 ≡ 19 (mod 25)
3
will be the solutions of 𝑥 + 2𝑥 − 22 ≡ 0 (mod 125) (these form 2 ⋅ 5 = 10 residue
classes modulo 125).
Summarizing, all solutions of the congruence 𝑥3 + 2𝑥 ≡ 22 (mod 125) are the
following eleven residue classes modulo 125:
−58, 14 + 25𝑗, and 19 + 25𝑗 where 0 ≤ 𝑗 ≤ 4.

Exercises 3.7

1. What is the number of solutions of the following congruences?

(a) 𝑥80 + 𝑥3 ≡ 8 (mod 320 )
(b) 𝑥99 + 𝑥3 ≡ 8 (mod 320 )
(c) 𝑥60 ≡ 1 (mod 7320 )
(d) 𝑥73 ≡ 1 (mod 7320 )
(e) 𝑥(𝑥 − 1)(𝑥 − 2) ≡ 0 (mod 1020 ).
2. Let 𝑝 be a prime and 𝑎 and 𝑛 positive integers not divisible by 𝑝. Prove that if
𝑥𝑛 ≡ 𝑎 (mod 𝑝) is solvable, then 𝑥𝑛 ≡ 𝑎 (mod 𝑝𝑘 ) is solvable for every 𝑘.
3. For which 𝑎 coprime to the modulus are the following congruences solvable? De-
termine the number of solutions, too.
(a) 𝑥10 ≡ 𝑎 (mod 1150 )
S* (b) 𝑥2 ≡ 𝑎 (mod 250 ).
Exercises 3.7 99

4. Assume that the conditions of Theorem 3.7.1 hold, and let 𝑢 satisfy 𝑢𝑓′ (𝑐) ≡ 1
(mod 𝑝). Prove that the values 𝑐 𝑘 obey the recursion
𝑐1 = 𝑐 and 𝑐 𝑘 = 𝑐 𝑘−1 − 𝑢𝑓(𝑐 𝑘−1 ) for 𝑘 > 1.
5. Solve 𝑥6 + 4𝑥 ≡ 𝑑 (mod 73 ) where 𝑑 is
(a) 3
(b) 2
(c) 72.
 Chapter 4

Legendre and Jacobi

Symbols

Legendre symbol is the principal tool for handling quadratic congruences. Besides its
basic properties, we shall prove Gauss’s Lemma and the celebrated Quadratic Reci-
procity Law, among other theorems. At the end of the chapter, we see that the Jacobi
symbol provides a useful generalization of the Legendre symbol.

4.1. Quadratic Congruences

We assume throughout this section that 𝑝 > 2 is a prime and (𝑎, 𝑝) = 1.
As a special case 𝑘 = 2 of Definition 3.5.2, we introduce the quadratic residues and
non-residues.
Definition 4.1.1. Let 𝑝 > 2 be a prime and (𝑎, 𝑝) = 1. An integer 𝑎 is a quadratic
residue or a quadratic non-residue modulo 𝑝 depending on whether the congruence
𝑥2 ≡ 𝑎 (mod 𝑝) is solvable or not. ♣

The numbers 𝑎 ≡ 0 (mod 𝑝) are neither quadratic residues nor quadratic non-
residues.
Theorem 4.1.2. (i) An integer 𝑎 is a quadratic residue mod 𝑝 if and only if 𝑎(𝑝−1)/2 ≡
1 (mod 𝑝). An equivalent condition is that the index (with base to any primitive
root) of 𝑎 is even.
(ii) An integer 𝑎 is a quadratic non-residue mod 𝑝 if and only if 𝑎(𝑝−1)/2 ≡ −1 (mod 𝑝).
An equivalent condition is that the index (with base to any primitive root) of 𝑎 is odd.
(iii) The number of (pairwise incongruent) quadratic residues is (𝑝 − 1)/2 and the same
holds for the number of non-residues.
(iv) If 𝑎 is a quadratic residue, then the congruence 𝑥2 ≡ 𝑎 (mod 𝑝) has two (pairwise
incongruent) solutions. ♣

101
102 4. Legendre and Jacobi Symbols

Proof. We obtain (i) and (iii) from Theorem 3.5.3 and (iv) from an assertion of Theo-
rem 3.5.1 as special cases of 𝑘 = 2.
By (i), 𝑎 is a quadratic non-residue if and only if 𝑎(𝑝−1)/2 ≢ 1 (mod 𝑝), or equiva-
lently, the index of 𝑎 is odd. Thus, to prove (ii), we need only the equivalence
𝑝−1 𝑝−1
(4.1.1) 𝑎 2 ≢ 1 (mod 𝑝) ⟺ 𝑎 2 ≡ −1 (mod 𝑝) .
Since (𝑎(𝑝−1)/2 )2 = 𝑎𝑝−1 ≡ 1 (mod 𝑝) and 𝑝 is a prime, only 𝑎(𝑝−1)/2 ≡ ±1 (mod 𝑝)
are possible. Also, 1 ≢ −1 (mod 𝑝) for 𝑝 > 2, therefore (4.1.1) holds. □
𝑎
Definition 4.1.3. The Legendre symbol ( 𝑝 ) is defined by

𝑎 1, if 𝑎 is a quadratic residue mod 𝑝

( )={ ♣
𝑝 −1, if 𝑎 is a quadratic non-residue mod 𝑝.
Remark: It is sometimes useful to extend the Legendre symbol to the case 𝑝 ∣ 𝑎 as
𝑎
( 𝑝 ) = 0 (see Exercise 4.1.15). We restrict ourselves, however, to the condition (𝑎, 𝑝) = 1
unless stated otherwise.
2
Example. ( 7 ) = 1 since 𝑥2 ≡ 2 (mod 7) is solvable: 𝑥 ≡ 3 (mod 7) is a solution. We
can verify the solvability also by checking
7−1
2 2 = 23 ≡ 1 (mod 7) .

Combining the definition of the Legendre symbol with Theorem 4.1.2, we obtain
𝑝−1 𝑎
(4.1.2) 𝑎 2 ≡ ( ) (mod 𝑝)
𝑝
for every 𝑎.
We summarize some basic properties of the Legendre symbol in the next theorem.
𝑎 𝑏
Theorem 4.1.4. (i) 𝑎 ≡ 𝑏 (mod 𝑝) ⟹ ( ) = ( ).
𝑝 𝑝
𝑎𝑏 𝑎 𝑏
(ii) ( ) = ( )( ).
𝑝 𝑝 𝑝
(iii)
−1 1, if 𝑝 ≡ 1 (mod 4)
( )={ ♣
𝑝 −1, if 𝑝 ≡ −1 (mod 4).

Proof. Each assertion follows from (4.1.2) immediately; we describe the details only
for (ii):
𝑎𝑏 𝑝−1 𝑝−1 𝑝−1 𝑎 𝑏
( ) ≡ (𝑎𝑏) 2 = 𝑎 2 𝑏 2 ≡ ( )( ) (mod 𝑝) .
𝑝 𝑝 𝑝
Thus
𝑎𝑏 𝑎 𝑏
𝐾 = ( ) − ( )( )
𝑝 𝑝 𝑝
is divisible by 𝑝 > 2. As 𝐾 can assume no other values than 0 and ±2, only 𝐾 = 0 is
possible. □
Exercises 4.1 103

By Theorem 4.1.4, we can reduce the calculation of a Legendre symbol to the de-
2 𝑞
termination of ( 𝑝 ) and ( 𝑝 ) where 𝑞 > 2 is a prime different from 𝑝. We discuss these
results in the next section.

Exercises 4.1

(The symbol 𝑝 always represents an odd prime.)

1. Verify by three different methods that 𝑐2 is a quadratic residue mod 𝑝 if (𝑐, 𝑝) = 1.
2. Compute the Legendre symbols
39
(a) ( )
19
37
(b) ( )
19
−100
(c) ( ).
19
3. Compute the sum and product of the Legendre symbols
1 2 𝑝−1
( ) , ( ) , ... , ( ).
𝑝 𝑝 𝑝
4. Demonstrate that every quadratic residue is congruent to exactly one of the num-
bers
𝑝−1 2
12 , 22 , . . . , ( ) .
2
5. Show that if 𝑎2 + 𝑏2 is a multiple of 77, then it is divisible by 5929.
6. Let 𝑝 be a prime of the form 4𝑘 + 1. Prove that the solutions of 𝑥2 ≡ −1 (mod 𝑝)
are 𝑝−1
𝑥 ≡ ±( )! (mod 𝑝) .
2
7. Let 𝑝 be a prime of the form 4𝑘 + 3 and 𝑎 a quadratic residue mod 𝑝. Verify that
the solutions of 𝑥2 ≡ 𝑎 (mod 𝑝) are
𝑝+1
𝑥 ≡ ±𝑎 4 (mod 𝑝) .
8. (a) Show that if 𝑜𝑝 (𝑎) is odd, then 𝑎 is a quadratic residue mod 𝑝.
(b) For which primes 𝑝 is the converse true?
9. (a) Prove that every primitive root is a quadratic non-residue modulo 𝑝.
* (b) For which primes 𝑝 is the converse true?
10. Assume that (𝑐, 97) = 1 and 𝑐 is neither a quadratic residue nor a primitive root
mod 97. Compute 𝑜97 (𝑐).
11. Prove that if
(a) 𝑝 = 4𝑘 − 1
(b) 𝑝 = 4𝑘 + 1,
then 𝑥2 ≡ 𝑘 (mod 𝑝) is solvable.
104 4. Legendre and Jacobi Symbols

12. Show that for every 𝑝, at least one of the congruences

𝑥2 ≡ 30, 𝑥2 ≡ 33, 𝑥2 ≡ 70, 𝑥2 ≡ 105, and 𝑥2 ≡ 165
has a solution mod 𝑝.
13. Solve the congruences
S (a) 3𝑥2 + 5𝑥 + 5 ≡ 0 (mod 13)
(b) 7𝑥2 + 8𝑥 ≡ 5 (mod 17)
(c) 6𝑥25 + 𝑥5 + 5𝑥 ≡ 0 (mod 23)
(d) 2𝑥17 + 5𝑥 + 1 ≡ 0 (mod 19).
14. Denote by 𝑛(𝑝) the smallest positive integer that is a quadratic non-residue mod 𝑝.
For example, 𝑛(5) = 2 and 𝑛(7) = 3. Prove that
(a) 𝑛(𝑝) is always a prime;
** (b) 𝑛(𝑝) < 1 + √𝑝.
𝑎
15. Extend the definition of the Legendre symbol for 𝑝 ∣ 𝑎 as ( 𝑝 ) = 0. Verify the
following assertions for
𝑝
𝑖(𝑖 + 𝑎)
𝑆(𝑎, 𝑝) = ∑ ( ).
𝑖=1
𝑝

(a) 𝑆(0, 𝑝) = 𝑝 − 1
* (b) (𝑎, 𝑝) = 1 ⟹ 𝑆(𝑎, 𝑝) = 𝑆(1, 𝑝)
𝑝−1
(c) ∑𝑎=0 𝑆(𝑎, 𝑝) = 0
(d) 𝑆(1, 𝑝) = −1.
16. Let 𝑀(𝑝) be the number of those integers 𝑎, 1 ≤ 𝑎 ≤ 𝑝 − 2, for which both 𝑎 and
𝑎 + 1 are quadratic residues mod 𝑝.
(a) Prove
𝑝−2
𝑎 𝑎+1
4𝑀(𝑝) = ∑ (( ) + 1)(( ) + 1).
𝑎=1
𝑝 𝑝
(b) Show that 𝑀(𝑝) is approximately 𝑝/4: if 𝑝 = 4𝑘 ± 1, then 𝑀(𝑝) = 𝑘 − 1.

4.2. Quadratic Reciprocity

We assume in this section too that 𝑝 > 2 is a prime. We shall discuss theorems con-
2 𝑞
cerning the Legendre symbols ( 𝑝 ) and ( 𝑝 ) where 𝑞 > 2 is a prime. Both results will
require the following lemma:
Theorem 4.2.1 (Gauss’s Lemma). Let (𝑎, 𝑝) = 1 and consider the least positive remain-
𝑝−1 𝑝
ders of 𝑎, 2𝑎, . . . , 2 𝑎 modulo 𝑝. Let 𝑣 denote how many of them are greater than 2 .
Then
𝑎
( ) = (−1)𝑣 . ♣
𝑝
4.2. Quadratic Reciprocity 105

𝑝−1
Proof. Taking the least positive remainders of the given 2
numbers, let 𝑟1 , . . . , 𝑟ᵆ be
𝑝 𝑝 𝑝−1
the ones smaller than 2 and 𝑝 − 𝑠1 , . . . , 𝑝 − 𝑠𝑣 the ones greater than 2
(𝑢 + 𝑣 = 2
).
𝑝−1
Then for every 1 ≤𝑡≤ 2
(4.2.1) 𝑡𝑎 ≡ 𝑟 𝑖 or 𝑡𝑎 ≡ 𝑝 − 𝑠𝑗 (mod 𝑝)
𝑝−1
with a suitable 𝑖 or 𝑗. Note that every 𝑟 𝑖 and 𝑠𝑗 is one of the integers 1, 2, . . . , 2
.
We show that 𝑟 𝑖 and 𝑠𝑗 are distinct, therefore they are the same as the numbers 1,
𝑝−1
2, . . . , 2 in some order.
Assuming 𝑟 𝑖 = 𝑟 𝑘 for some 𝑖 ≠ 𝑘, we have
𝜆𝑎 ≡ 𝑟 𝑖 = 𝑟 𝑘 ≡ 𝜇𝑎 (mod 𝑝)
𝑝−1
with suitable numbers 𝜆, 𝜇, 1 ≤ 𝜆 < 𝜇 ≤ 2
. Since (𝑎, 𝑝) = 1, cancelling 𝑎 gives 𝜆 ≡ 𝜇
(mod 𝑝), which is a contradiction.
We get a contradiction similarly assuming the equality of two 𝑠𝑗 .
Finally, if 𝑟 𝑖 = 𝑠𝑗 , then
𝜆𝑎 ≡ 𝑟 𝑖 = 𝑠𝑗 ≡ −𝜇𝑎 (mod 𝑝) ,
so 𝑝 ∣ 𝑎(𝜆 + 𝜇). However, (𝑎, 𝑝) = 1 and 0 < 𝜆 + 𝜇 < 𝑝, hence none of the factors is
divisible by 𝑝, which contradicts the prime property of 𝑝.
Multiplying the congruences (4.2.1) for 𝑡 = 1, 2, . . . , (𝑝 − 1)/2, we obtain
𝑝−1 𝑝−1
( )! 𝑎 2 ≡ 𝑟1 . . . 𝑟ᵆ (𝑝 − 𝑠1 ) . . . (𝑝 − 𝑠𝑣 ) ≡
(4.2.2) 2
𝑝−1
≡ (−1)𝑣 𝑟1 . . . 𝑟ᵆ 𝑠1 . . . 𝑠𝑣 = (−1)𝑣 ( )! (mod 𝑝) .
2
𝑝−1
Cancelling ( 2
)! in (4.2.2), we arrive at
𝑝−1 𝑎
𝑎 2 ≡ (−1)𝑣 (mod 𝑝) or ( ) = (−1)𝑣 . □
𝑝

As a simple application of Gauss’s Lemma, we determine which primes have 2 as

a quadratic residue.
Theorem 4.2.2.
2 1, if 𝑝 ≡ ±1 (mod 8)
( )={ ♣
𝑝 −1, if 𝑝 ≡ ±3 (mod 8).

Proof. To apply Gauss’s Lemma for 𝑎 = 2, we count how many of the numbers 2, 4,
𝑝
6, . . . , 𝑝 − 1 exceed 2 .
𝑝−1 𝑝−1 𝑝
There are altogether 2
numbers, ⌊ 4
⌋ of which are less than 2 , hence the 𝑣 to
be computed is
𝑝−1 𝑝−1
𝑣= −⌊ ⌋.
2 4
2
If 𝑝 = 8𝑘 + 1, then 𝑣 = 4𝑘 − 2𝑘 = 2𝑘, so ( 𝑝 ) = (−1)2𝑘 = 1.
We get the propositions for 𝑝 = 8𝑘 ± 3 and 8𝑘 − 1 similarly. □
106 4. Legendre and Jacobi Symbols

It is easy to check that an equivalent form of Theorem 4.2.2 is

2 2
( ) = (−1)(𝑝 −1)/8 .
𝑝
Now, we turn to the most important result concerning the Legendre symbol.

Theorem 4.2.3 (Quadratic Reciprocity Law). If 𝑝 > 2 and 𝑞 > 2 are two distinct primes,
then
𝑞 𝑝 𝑝−1 𝑞−1
(4.2.3) ( ) ( ) = (−1) 2 ⋅ 2 ,
𝑝 𝑞
or
𝑝
𝑞 −( ), if 𝑝 ≡ 𝑞 ≡ −1 (mod 4)
( ) = { 𝑝𝑞 ♣
𝑝 ( ), otherwise.
𝑞

Proof. We shall verify two claims:

(A) If (𝑎, 𝑝) = 1 and 𝑎 is odd, then
𝑝−1
2
𝑎 𝑡𝑎
(4.2.4) ( ) = (−1)𝑤 where 𝑤 = ∑⌊ ⌋.
𝑝 𝑡=1
𝑝

(B) If 𝑏 and 𝑐 are coprime odd numbers greater than 1, then

(𝑐−1)/2 (𝑏−1)/2
𝜇𝑏 𝜈𝑐 𝑏−1 𝑐−1
(4.2.5) ∑ ⌊ ⌋+ ∑ ⌊ ⌋= ⋅ .
𝜇=1
𝑐 𝜈=1
𝑏 2 2

These imply Theorem 4.2.3: by (4.2.4),

(𝑝−1)/2 (𝑞−1)/2
𝑞 𝑝 𝜇𝑞 𝜈𝑝
( )( ) = (−1)𝑧 where 𝑧= ∑ ⌊ ⌋ + ∑ ⌊ ⌋,
𝑝 𝑞 𝜇=1
𝑝 𝜈=1
𝑞

and since
𝑝−1 𝑞−1
𝑧= ⋅
2 2
by (4.2.5), (4.2.3) holds.
To prove (A), we apply Gauss’s Lemma (Theorem 4.2.1). Keeping the previous
notations, it is sufficient to show
(𝑝−1)/2
𝑡𝑎
(4.2.6) 𝑤= ∑ ⌊ ⌋ ≡ 𝑣 (mod 2) .
𝑡=1
𝑝

We rewrite the congruences in (4.2.1) as equalities obtained from the division al-
gorithm:

𝑡𝑎 either 𝑟 𝑖
(4.2.7) 𝑡𝑎 = ⌊ ⌋𝑝 + {
𝑝 or 𝑝 − 𝑠𝑗 .
4.2. Quadratic Reciprocity 107

𝑝−1
Taking the sum of the equalities (4.2.7) for 𝑡 = 1, 2, . . . , 2
, we obtain
(𝑝−1)/2 ᵆ 𝑣
𝑝−1 𝑡𝑎
(1 + 2 + ⋯ + )𝑎 = 𝑝 ∑ ⌊ ⌋ + ∑ 𝑟 𝑖 + ∑ (𝑝 − 𝑠𝑗 ).
2 𝑡=1
𝑝 𝑖=1 𝑗=1

𝑝−1
Since 𝑟1 , . . . , 𝑟ᵆ , 𝑠1 , . . . , 𝑠𝑣 is a permutation of 1, 2, . . . , 2
, we get, after ordering
𝑣 (𝑝−1)/2
𝑝−1 𝑡𝑎
(4.2.8) (1 + 2 + ⋯ + ) (𝑎 − 1) + 2 ∑ 𝑠𝑗 = 𝑝 ( ∑ ⌊ ⌋ + 𝑣) .
2 𝑗=1 𝑡=1
𝑝

As 𝑎 is odd, the left-hand side of (4.2.8) is even. Since 𝑝 > 2, (4.2.6) holds.
To verify (B), consider a rectangle 𝑅 in the plane with vertices
𝑏 𝑏 𝑐 𝑐
𝐴 = (0, 0),
𝐵 = ( , 0), 𝐶 = ( , ), and 𝐷 = (0, ).
2 2 2 2
The right-hand side of (4.2.5) is the number of points with integer coordinates (lattice
points) inside 𝑅.
We show that also the left-hand side of (4.2.5) is the number of these lattice points.
𝑐
We halve the rectangle 𝑅 along the diagonal 𝑦 = 𝑏 𝑥 connecting 𝐴 and 𝐶. The diagonal
itself does not contain lattice points since (𝑏, 𝑐) = 1.
Now, we count the number 𝑛 of lattice points inside the lower triangle 𝐴𝐵𝐶. Con-
sider such a lattice point on the vertical line 𝑥 = 𝜈. Its first coordinate is 𝜈 and its
𝑐 𝜈𝑐
second coordinate 𝑦 satisfies 1 ≤ 𝑦 < 𝑏 𝜈. Thus, there are ⌊ 𝑏 ⌋ lattice points on this
vertical segment. To obtain the total number of lattice points inside the triangle 𝐴𝐵𝐶,
𝜈𝑐 𝑏−1
we sum these values ⌊ 𝑏 ⌋ for 𝜈 = 1, 2, . . . , 2 :
(𝑏−1)/2
𝜈𝑐
𝑛= ∑ ⌊ ⌋.
𝜈=1
𝑏
This is just the second sum on the left-hand side of (4.2.5).
We can verify the same way that counting the lattice points inside the upper tri-
angle 𝐴𝐶𝐷 by the horizontal lines 𝑦 = 𝜇, we get the first sum on the left-hand side of
(4.2.5). Thus (4.2.5) is proven and so we have completed the proof of Theorem 4.2.3.
□

The next example illustrates how Theorems 4.1.4, 4.2.2, and 4.2.3 can be used to
compute a Legendre symbol.
Example. Is the congruence 𝑥2 ≡ 198 (mod 1997) solvable? (1997 is a prime.)
The standard form of 198 is 198 = 2 ⋅ 32 ⋅ 11, therefore
198 2 3 2 11
( )=( )( ) ( ).
1997 1997 1997 1997
2
1997 ≡ −3 (mod 8), thus ( 1997 ) = −1 by Theorem 4.2.2.
1997 ≡ 1 (mod 4), so using Theorem 4.2.3, then 1997 ≡ −5 (mod 11), etc.,
11 1997 −5 −1 5 11 1
( )=( ) = ( ) = ( )( ) = (−1)( ) = (−1)( ) = −1.
1997 11 11 11 11 5 5
 108 4. Legendre and Jacobi Symbols

Hence,
198
( ) = (−1) ⋅ 1 ⋅ (−1) = 1,
1997
so 𝑥2 ≡ 198 (mod 1997) is solvable.

For very large numbers, a problem arises. We have to factor the “numerators” of
the Legendre symbols and no fast algorithm is known for that. We shall see in the next
section how the Jacobi symbol eliminates this difficulty.

Exercises 4.2

1. Which congruences are solvable?

(a) 𝑥2 ≡ 66 (mod 191)
(b) 𝑥2 ≡ 7! (mod 83)
(c) 𝑥2 ≡ 94! (mod 101)
(d) 𝑥2 ≡ 30 (mod 77)
(e) 𝑥2 ≡ 38 (mod 187)
(f) 2𝑥2 + 3𝑥 + 5 ≡ 0 (mod 101).
2. For which primes 𝑝 > 2 are the following congruences solvable?
(a) 𝑥2 ≡ −2 (mod 𝑝)
(b) 𝑥2 ≡ 3 (mod 𝑝)
2
(c) 𝑥 ≡ −3 (mod 𝑝)
(d) 𝑥2 ≡ 5 (mod 𝑝)
4
(e) 𝑥 ≡ 4 (mod 𝑝)
* (f) 𝑥4 ≡ −4 (mod 𝑝)
* (g) 𝑥8 ≡ 16 (mod 𝑝)
* (h) 𝑥8 ≡ 81 (mod 𝑝).
3. Verify that if 1999 ∣ 𝑎2 + 2𝑏2 , then 1999 ∣ 𝑎 and 1999 ∣ 𝑏.
* 4. Prove that 43100 ∣ 2𝑐8 + 1 for some integer 𝑐.
5. Demonstrate the following propositions (𝑐 ≠ 0).
(a) Every prime divisor of 8𝑐2 − 1 is of the form 8𝑘 ± 1 and at least one of them is
of the form 8𝑘 − 1.
(b) Every prime divisor of 12𝑐2 − 1 is of the form 12𝑘 ± 1 and at least one of them
is of the form 12𝑘 − 1.
(c) An odd number 𝑐2 + 4 has a prime divisor of the form 8𝑘 + 5 and for 3 ∤ 𝑐 also
a prime divisor of the form 12𝑘 + 5 (these two prime divisors may coincide).
6. Let 𝑝1 , 𝑝2 , 𝑝3 , 𝑝4 , 𝑝5 be distinct odd primes, 𝑃 = 𝑝1 . . . 𝑝5 , and 𝑎𝑖 = 𝑃/𝑝 𝑖 , 𝑖 =
1, 2, 3, 4, 5.
 4.3. Jacobi Symbol 109

(a) Verify that among the congruences

𝑥𝑖2 ≡ 𝑎𝑖 (mod 𝑝 𝑖 ) , 𝑖 = 1, 2, 3, 4, 5,
an even number is solvable if and only if
5
−1
∑( ) = ±1.
𝑖=1
𝑝𝑖
(b) Assume that each congruence
𝑧2𝑖 ≡ 𝑝 𝑖 (mod 𝑎𝑖 ) , 𝑖 = 1, 2, 3, 4, 5
is solvable. Show that
5
−1
∑( ) ≥ 3.
𝑖=1
𝑝𝑖
7. (a) Prove that the sum of the squares of 19 consecutive integers is never a power.
* (b) Show that 19 can be replaced by any prime of the form 12𝑘 ± 5.
S** 8. Construct a polynomial 𝑓 with integer coefficients so that the equation 𝑓(𝑥) = 0
has no rational roots but the congruence 𝑓(𝑥) ≡ 0 (mod 𝑚) is solvable for every 𝑚.

4.3. Jacobi Symbol

Definition 4.3.1. Let the odd number 𝑚 > 1 have the factorization 𝑚 = 𝑝1 . . . 𝑝𝑟 into
(not necessarily distinct) positive primes. For (𝑎, 𝑚) = 1, we define the Jacobi symbol
𝑎 𝑎
( 𝑚 ) as the product of the Legendre symbols ( 𝑝 ):
𝑖

𝑎 𝑎 𝑎
( ) = ( ) . . . ( ). ♣
𝑚 𝑝1 𝑝𝑟
7 7 2 7 2
Example. ( ) = ( ) ( ) = ( ) = −1.
45 3 5 5
For 𝑚 prime, the Jacobi symbol equals the Legendre symbol. Therefore, no ambi-
guity can arise if we use the same notation for both.
In contrast to prime moduli, the solvability of 𝑥2 ≡ 𝑎 (mod 𝑚) cannot be charac-
𝑎
terized with the Jacobi symbol ( 𝑚 ) for composite 𝑚 (see Exercise 4.3.2).
On the other hand, the Jacobi symbol inherits the properties of the Legendre sym-
bol listed in Theorems 4.1.4, 4.2.2, and 4.2.3.
Theorem 4.3.2. Assume that the Jacobi symbols below make sense, i.e. every “denomi-
nator” is an odd number greater than 1 coprime to the “numerator” (thus e.g. in (v), 𝑚
and 𝑛 are coprime odd integers greater than 1).
𝑎 𝑏
(i) 𝑎 ≡ 𝑏 (mod 𝑚) ⟹ ( 𝑚 ) = ( 𝑚 ).
𝑎𝑏 𝑎 𝑏 𝑎 𝑎 𝑎
(ii) ( 𝑚 ) = ( 𝑚 )( 𝑚 ), ( 𝑚𝑛 ) = ( 𝑛 )( 𝑚 ).

−1 1, if 𝑚 ≡ 1 (mod 4)
(iii) ( 𝑚 ) = {
−1, if 𝑚 ≡ −1 (mod 4).
110 4. Legendre and Jacobi Symbols

2 1, if 𝑚 ≡ ±1 (mod 8)
(iv) ( 𝑚 ) = {
−1, if 𝑚 ≡ ±3 (mod 8).
𝑛
𝑚 − ( ) , if 𝑛 ≡ 𝑚 ≡ −1 (mod 4)
(v) ( 𝑛 ) = { 𝑚 𝑛 ♣
( 𝑚 ) , otherwise.

Proof. Each property follows from the definition of the Jacobi symbol and from the
corresponding property of the Legendre symbol. We verify this for (v) (i.e. for reci-
procity) in detail; the others can be proven similarly.
Let 𝑚 = 𝑝1 . . . 𝑝𝑟 and 𝑛 = 𝑞1 . . . 𝑞𝑠 (where 𝑝 𝑖 ≠ 𝑞𝑗 ). The definition of the Jacobi
symbol and the multiplicativity of the Legendre symbol (or properties (ii) of the present
theorem) imply
𝑚 𝑝 𝑛 𝑞𝑗
(4.3.1) ( ) = ∏ ( 𝑖) and ( ) = ∏ ( ).
𝑛 1≤𝑖≤𝑟
𝑞𝑗 𝑚 1≤𝑖≤𝑟
𝑝𝑖
1≤𝑗≤𝑠 1≤𝑗≤𝑠

Denote by 𝑢 and 𝑣 the number of primes of the form 4𝑘 − 1 among the 𝑝 𝑖 and the 𝑞𝑗 .
𝑝 𝑞 𝑝 𝑞
Then ( 𝑞 𝑖 ) = −( 𝑝𝑗 ) for these 𝑢𝑣 pairs 𝑝 𝑖 , 𝑞𝑗 , and ( 𝑞 𝑖 ) = ( 𝑝𝑗 ) for all other pairs. Hence,
𝑗 𝑖 𝑗 𝑖
by (4.3.1),
𝑚 𝑛
( ) = − ( ) ⟺ 𝑢𝑣 is odd
𝑛 𝑚
⟺ 𝑢 and 𝑣 are odd
⟺ 𝑚 ≡ 𝑛 ≡ −1 (mod 4) . □

Example. Is the congruence 𝑥2 ≡ 2342 (mod 11239) solvable? (11239 is a prime.)

2342
We compute the Legendre symbol ( ) as a Jacobi symbol using Theorem 4.3.2.
11239
We have to separate only the largest power of two from the actual numerator, and we
can apply the reciprocity directly for the remaining odd part without factoring it.
2342 2 1171 11239 −471
( )=( )( ) = 1(−1) ( ) = −( )=
11239 11239 11239 1171 1171
−1 471 1171 229
= −( )( ) = −(−1)(−1) ( ) = −( )=
1171 1171 471 471
471 13 229 8 2 3
= −( ) = −( ) = −( ) = − ( ) = − ( ) = 1.
229 229 13 13 13
Thus, the congruence has a solution.

The procedure is a variant of the Euclidean algorithm.

The Jacobi symbol plays an important role also in primality testing (see Theo-
rem 5.7.4).
Exercises 4.3 111

Exercises 4.3

1. Compute the following Jacobi symbols:

1234567
(a) ( )
225
31
(b) ( )
95
589
(c) ( )
1999
1113
(d) ( ).
11131
2. Let 𝑚 > 1 be an odd number and (𝑎, 𝑚) = 1.
𝑎
(a) Show that if 𝑥2 ≡ 𝑎 (mod 𝑚) is solvable, then ( 𝑚 ) = 1.
(b) Demonstrate with an example that the converse of (a) is false.
* (c) For which 𝑚 is the converse of (a) true?
3. Prove that if 𝑝 is a prime and 𝑝 = 𝑎2 + 𝑏2 , then at least one of the congruences
𝑥2 ≡ 𝑎 (mod 𝑝) and 𝑥2 ≡ 𝑏 (mod 𝑝)
is solvable.
4. Compute the sums of Jacobi symbols:
111
2
(a) ∑ ( )
𝑘=1
2𝑘 + 1
111
𝑘
(b) ∑ ( ).
𝑘=1
2𝑘 + 1
5. Let 𝑎, 𝑚, and 𝑛 be greater than 1, 𝑚 and 𝑛 odd, and (𝑎, 𝑚) = (𝑎, 𝑛) = 1.
(a) Prove that if 𝑎 ≡ 0 or 1 (mod 4), then
𝑎 𝑎
𝑚 ≡ 𝑛 (mod 𝑎) ⟹ () = ( ).
𝑚 𝑛
(b) Show that for 𝑎 ≡ 2 or 3 (mod 4) we can find 𝑚 and 𝑛 with
𝑎 𝑎
𝑚 ≡ 𝑛 (mod 𝑎) but ( ) ≠ ( ).
𝑚 𝑛
6. Let 𝑚 > 1 be odd. Compute the sum and product of Jacobi symbols:
𝑟
(a) ∑ ( )
1≤𝑟≤𝑚
𝑚
(𝑟,𝑚)=1
𝑟
(b) ∏ ( ).
1≤𝑟≤𝑚
𝑚
(𝑟,𝑚)=1
𝑎
7. (a) Determine all odd numbers 𝑚 > 1 satisfying ( 𝑚 ) = 1 for every 𝑎 coprime to 𝑚.
𝑎
S* (b) Determine all integers 𝑎 satisfying ( 𝑚 ) = 1 for every odd 𝑚 > 1 coprime to 𝑎.
 Chapter 5

Prime Numbers

The notion of primes is very simple, but they form perhaps the most mysterious se-
quence in mathematics. Euclid’s Elements contains a proof that there are infinitely
many of them, but we do not know whether the same holds for twin primes. After
introducing some other similar famous, innocent looking but hopelessly difficult un-
solved problems, we shall deal with primes of special forms such as Mersenne and
Fermat primes and with primes in arithmetic progressions. Concerning the distribu-
tion of primes, we shall establish lower and upper bounds for the number of primes
not exceeding 𝑥 and investigate the sum of reciprocals of the primes. Finally, we shall
study how we can determine practically whether a large number is prime or not (pri-
mality testing), and how we can factor a large composite number (prime factorization).
The amount of time needed to solve these two types of problems differ dramatically (at
least according to our present knowledge), and we shall discuss the RSA scheme, the
widely applied public key cryptosystem based on this discrepancy.

5.1. Classical Problems

Throughout this chapter, by prime we shall always mean a positive prime number (gen-
erally in the sense of a positive irreducible integer) and 𝑝 will always denote a (positive)
prime (so ∏ 𝑝 stands for the product of the primes in the interval (0, 𝑛]).
𝑝≤𝑛

First we discuss two remarkable results of ancient Greek mathematics.

Theorem 5.1.1. There are infinitely many primes. ♣

Proof. Assume the converse, i.e. there exist only finitely many primes, 𝑝1 (= 2), . . . ,
𝑝𝑟 . Consider the number 𝐴 = 𝑝1 . . . 𝑝𝑟 + 1.
Clearly, 𝐴 is not divisible by any of the primes 𝑝1 , . . . , 𝑝𝑟 .

113
114 5. Prime Numbers

As with every integer greater than 1, 𝐴 has a prime divisor. It must differ from the
primes 𝑝1 , . . . , 𝑝𝑟 , which contradicts the assumption that these were the only primes.
□

Remark: The proof yields also an upper bound

𝑛
𝑝𝑛 < 22 ,

where 𝑝𝑛 denotes the 𝑛th prime number (Exercise 5.1.9a). A much better upper bound
will be established in Section 5.4.
Now we present the sieve of Eratosthenes. This procedure generates all primes up
to a given limit 𝑁.

Theorem 5.1.2 (Sieve of Eratosthenes). We list all integers from 2 to 𝑁. In the first step
we mark the number 2 and delete all multiples of 2 greater than 2: 4, 6, 8, . . . Then we
mark the smallest integer not yet marked or deleted; this is the number 3, and then we
delete all its multiples greater than itself: 6, 9, . . . ( 6, 12, etc. are deleted the second time).
We repeat the above process always with the smallest integer not yet marked or deleted
as long as this number does not exceed √𝑁. If every number up to √𝑁 is either marked
or deleted, then we stop.
At this point, the remaining numbers (i.e. the marked and the unmarked but un-
deleted integers together) form all primes not greater than 𝑁 (the marked ones are the
primes not greater than √𝑁, whereas those unmarked but undeleted are the primes be-
tween √𝑁 and 𝑁). ♣

Proof. The deleted numbers are clearly composite since they have a proper divisor
greater than 1.
We show by induction that the marked numbers are primes. The first marked
number, 2 is irreducible. Let now 𝑠 ≤ √𝑁 be the 𝑘th marked integer, and assume that
the first 𝑘 − 1 marked integers constitute all irreducible elements less than 𝑠. None of
them divides 𝑠 (since 𝑠 was not deleted), i.e. 𝑠 is not divisible by any irreducible element
less than 𝑠, hence 𝑠 must be irreducible itself.
Finally, let 𝑡 be any other undeleted (and unmarked) integer (√𝑁 < 𝑡 ≤ 𝑁). If
𝑡 were composite, then (e.g. by Exercise 1.4.7a-b) 𝑡 would have an irreducible factor
𝑝 ≤ √𝑡 ≤ √𝑁. This is a contradiction, however, since 𝑡 was not divisible by any
marked number, i.e. by any irreducible integer up to √𝑁. □

Now we mention a few famous unsolved problems about prime numbers. We shall
deal with some of them more in detail in later sections of this chapter.

Twin primes. {3, 5}, {5, 7}, {11, 13}, {17, 19}, . . . : Does it occur infinitely often that
two consecutive odd integers are both primes?

Remarks: (1) As of Feb. 2019 the largest known twin primes are 2996863034895 ⋅
21290000 ± 1 (these numbers have 388342 digits in decimal system).
5.1. Classical Problems 115

(2) Replacing 2 by any other even number 2𝑘, it is unknown whether there exist
infinitely many pairs of primes with a difference of 2𝑘. It was a major break-
through, however, when, improving the recent results and ideas of Goldston,
Pintz, and Yildirim, Zhang proved in 2013 that there exists such a number 2𝑘 <
70000000. The Polymath8 group led by Terence Tao obtained the presently known
best bound 2𝑘 ≤ 246 in 2014.
(3) As further generalizations, one can investigate prime triples, quadruples, etc. It
is easy to check that each of 𝑛, 𝑛 + 2, and 𝑛 + 4 is prime only if 𝑛 = 3, but it is
conceivable that 𝑛, 𝑛 + 2, and 𝑛 + 6, or even 𝑛, 𝑛 + 2, 𝑛 + 6, and 𝑛 + 8 are all primes
for infinitely many 𝑛, etc. (Cf. with Exercises 1.4.1 and 5.1.1.)
(4) The twin prime problem asks whether the difference of two consecutive primes is
very small infinitely often. Another famous conjecture in the opposite direction
is that there is always a prime between any two consecutive squares, so the differ-
ence of consecutive primes cannot grow too fast. We investigate the gaps between
consecutive primes in more detail in Section 5.5.
(5) The twin primes (even if there are infinitely many of them) are very rare among
the primes. The sum of their reciprocals converges, whereas the sum of recipro-
cals of all primes diverges (see Section 5.6).
(6) Another interesting result is that there exist infinitely many primes 𝑝 where 𝑝 + 2
is either prime or the product of two primes (i.e. just one step is missing from the
solution of the twin prime problem).

Goldbach conjecture. Notice that 4 = 2 + 2, 6 = 3 + 3, 8 = 5 + 3, 10 = 7 + 3,

12 = 7 + 5, . . . . Is every even number greater than 2 the sum of two primes?
Remarks: (1) This problem is often called the even Goldbach conjecture to distinguish
it from the odd (or ternary or weak) Goldbach conjecture stating that every odd
integer greater than 5 is the sum of three primes. This latter statement immedi-
ately follows from the even conjecture (see Exercise 5.1.2), and in contrast to its
still unsolved even brother, has been settled completely. The first step was done
by Vinogradov in 1937 who showed that every sufficiently large odd integer is the
sum of three primes. The proof also yielded an upper bound from where this type
of representation holds for the odd numbers, so the remaining task was “just” to
check this property for the finitely many odd integers below the bound. Unfortu-
nately, the bound was so huge that the check could not be done till recently even
using computers and the newer results decreasing the bound. Finally, Helfgott
proved the odd Goldbach conjecture completely in 2013.
(2) Some partial results concerning the (even) Goldbach conjecture:
(A) Every even integer is the sum of at most four primes. This is a direct con-
sequence of the odd Goldbach conjecture: It clearly holds for 2𝑘 ≤ 8, and
otherwise 2𝑘 = 3 + (2𝑘 − 3) where 2𝑘 − 3 is the sum of three primes. (The
first result in this direction was obtained by Schnirelmann in 1930 with a few
thousand summands instead of four.)
116 5. Prime Numbers

(B) Every sufficiently large even integer can be written in the form 𝑝 + 𝑚 where
𝑝 is a prime and 𝑚 is either a prime, or the product of two primes. (The first
result in this direction where 𝑚 is the product of at most 𝑘 primes with some
fixed 𝑘 was found by Rényi in 1947.)
(C) The even integers possibly not representable as the sum of two primes occur
as very rare exceptions (in a precisely defined sense). Unfortunately “rare”
cannot be replaced yet by “finitely many”.

Long arithmetic progressions. {3, 5, 7}, {5, 11, 17, 23, 29}, {7, 37, 67, 97, 127, 157},
. . . : Are there arbitrarily long (nonconstant) arithmetic progressions consisting purely
of primes? It was a great surprise when Ben Green and Terence Tao proved in 2004
that the answer is yes.
Remarks: (1) It is very hard to exhibit such long arithmetic progressions explicitly.
The record length as of February 2019 is 26; one of the record-holders is
43142746595714191 + 23681770 ⋅ 223092870𝑘, 𝑘 = 0, 1, . . . , 25.
Here 223092870 is the product of all primes less than 26, which necessarily divides
the difference of any such arithmetic progression (see Exercise 5.1.5).
(2) An infinite arithmetic progression cannot consist purely of primes (see Exercise
1.4.2), but there are infinitely many primes in it if its first (or any other) term and
the difference are coprime (Dirichlet’s Theorem, see Section 5.3).

Primes of special form.

• Are there infinitely many primes of the form 2𝑘 − 1 and 2𝑘 + 1 (Mersenne and
Fermat primes, see Section 5.2)?
• Are there infinitely many primes of the form 𝑛2 + 1 (cf. Exercise 1.4.6)?
• Are there infinitely many primes among the repunits (having all digits 1 in deci-
mal system), among the integers of the form 333 . . . 31, among the Fibonacci num-
bers, etc.?

Formulas for primes. Can we establish a formula of practical value that yields
the 𝑛th prime for every 𝑛, or at least an effectively computable function defined on the
natural numbers that assumes only prime values (among its infinitely many values)?
Remarks: (1) It is generally agreed that there is no real hope of finding such a func-
tion. The formulas in Exercises 5.1.9b and 5.5.9b do not meet the requirement of
practical computability.
(2) As noticed by Euler, 𝑛2 +𝑛+41 is a prime for every 0 ≤ 𝑛 ≤ 39 (but it is composite
for 𝑛 = 40). This immediately implies that
(𝑛 − 40)2 + (𝑛 − 40) + 41 = 𝑛2 − 79𝑛 + 1601
is a prime for every 0 ≤ 𝑛 ≤ 79. If we allow polynomials with rational coefficients,
then we can construct arbitrarily long such sequences of primes (Exercise 5.1.7).
However, a (nonconstant) polynomial cannot yield a general formula for primes
since it cannot assume prime values at every integer (Exercise 5.1.8).
Exercises 5.1 117

(3) On the other hand, we have the following surprising result (also of theoretical
significance only): There are polynomials in several variables where on substitut-
ing all non-negative integers into the variables, the set of positive values is exactly
the set of all (positive) primes. (Such a polynomial may assume the same prime
values at different places and it assumes negative values as well.)
The existence of such a polynomial was first shown by Matiyasevich in 1970 as
a by-product when he (crowning the work of many other mathematicians) pro-
vided a negative answer to Hilbert’s tenth problem: he disproved the existence of
a general algorithm that could decide for every Diophantine equation whether or
not it has a(n integer) solution. The present records for such polynomials are the
following: (i) the minimal degree is 5 with 42 variables; (ii) the minimal number
of variables is 10, but then the degree is about 1.6 ⋅ 1045 .

Exercises 5.1

See also Exercises 1.4.1–1.4.7.

1. Consider integers 𝑟1 , . . . , 𝑟 𝑘 , and assume that 𝑛 + 𝑟1 , . . . , 𝑛 + 𝑟 𝑘 are all primes for
infinitely many integers 𝑛. Show that the numbers 𝑟1 , . . . , 𝑟 𝑘 cannot contain a
complete residue system modulo 𝑚 for any 𝑚 > 1.
2. Prove that
(a) the odd Goldbach conjecture follows from the even one; and
(b) the even Goldbach conjecture is equivalent to the proposition that every inte-
ger 𝑛 ≥ 6 is the sum of three primes.
3. Which even integers are the sums of two (positive) composite numbers? And of
two odd (positive) composite numbers?
4. Determine all prime pairs where both their sum and difference are primes.
5. Consider an arithmetic progression of primes with 𝑛 terms and difference 𝑑 > 0.
Verify that
(a) 𝑛 = 4 implies 6 ∣ 𝑑
(b) 𝑛 = 6 implies 30 ∣ 𝑑
S (c) in general, 𝑑 is divisible by all primes less than 𝑛.
6. Show that there are infinitely many composite numbers among each type of num-
bers listed above in “Primes of special form”.
7. Let 𝑘 be any positive integer. Prove that there exists a polynomial 𝑓 with rational
coefficients where 𝑓(𝑖) is the 𝑖th prime for every 1 ≤ 𝑖 ≤ 𝑘.
8. (a) Let 𝑓 be any nonconstant polynomial in one variable with integer coefficients.
Show that 𝑓(𝑛) cannot be a prime for every natural number 𝑛.
(b) Verify the same property also for polynomials
(i) with rational coefficients
118 5. Prime Numbers

(ii) with complex coefficients

(iii) of several variables.
9. Let 𝑝𝑛 denote the 𝑛th prime.
𝑛
(a) Prove 𝑝𝑛 < 22 .
(b) Consider
∞
𝑝𝑛
𝑐= ∑ = 0.000200000000000300 . . . ,
10 2 2𝑛
𝑛=1

where the digits in the decimal fraction 𝑐 are obtained from the decimal expan-
sions of the primes written one after the other and separated by sufficiently
many 0 digits to avoid collision. Show that
2𝑛 2𝑛 −22𝑛−1 2𝑛−1
𝑝𝑛 = ⌊102 𝑐⌋ − 102 ⋅ ⌊102 𝑐⌋.

(c) Why is the formula in (b) not suitable to determine 𝑝𝑛 effectively?

10. Find a number 𝐾 so that:
An integer 𝑐 in the range 104 ≤ 𝑐 ≤ 108 is prime if and only if (𝑐, 𝐾) = 1.

5.2. Fermat and Mersenne Primes

In this section we investigate the primes of the form 2𝑘 + 1 and 2𝑘 − 1; they are called
Fermat and Mersenne primes, respectively. As mentioned in the previous section, it is
unknown whether or not there exist infinitely many Fermat or Mersenne primes.
In Exercise 1.4.4 we have seen that if 2𝑘 +1 is a prime, then 𝑘 is necessarily a power
of two, whereas if 2𝑘 − 1 is a prime, then 𝑘 itself must be a prime. Thus it is enough to
𝑛
investigate the Fermat numbers 𝐹𝑛 = 22 + 1 and the Mersenne numbers 𝑀𝑝 = 2𝑝 − 1
(where 𝑝 is a prime).
We consider Fermat numbers first. Fermat believed that 𝐹𝑛 was always a prime
(this is not the famous Fermat’s Last Theorem to be discussed in Chapter 7). For 0 ≤
𝑛 ≤ 4 these are primes (3, 5, 17, 257, and 65537), but Euler showed that 𝐹5 = 232 + 1 is
composite, since it is divisible by 641.
As of February 2019 we know that 𝐹𝑛 is composite for 5 ≤ 𝑛 ≤ 32 and also for some
larger values of 𝑛. The record is 𝐹3329780 (with more than 101000000 decimal digits!)
having a factor 193 ⋅ 23329782 + 1. No other Fermat primes have been found other than
the 𝐹𝑛 with 𝑛 ≤ 4. We have no information about 𝐹33 . No factors of 𝐹20 or 𝐹24 are
known (though they are known to be composite). The factorization of 𝐹5 , 𝐹6 , and 𝐹7
can be found in the table of Fermat numbers at the end of this book (the complete
factorization of 𝐹𝑛 is known only for 𝑛 ≤ 11).
The Fermat primes play a central role in the Euclidean constructibility of regular
polygons: Gauss’s theorem states that a regular 𝑁-gon is constructible if and only if the
standard form of 𝑁, 𝑁 ≥ 3 is 𝑁 = 2𝛼 𝑝1 . . . 𝑝𝑟 where 𝛼 ≥ 0, 𝑟 ≥ 0, and the numbers 𝑝 𝑖
are distinct Fermat primes. The first few values are 𝑁 = 3, 4, 5, 6, 8, 10, 12, 15, 16, 17,
20, . . . .
5.2. Fermat and Mersenne Primes 119

The following two theorems give practical tools for investigating the Fermat num-
bers. Theorem 5.2.1 is an effective help in finding their prime divisors and Theo-
rem 5.2.2 yields a (relatively) fast algorithm to test whether a given Fermat number
is prime or composite.
Theorem 5.2.1. Any (positive) divisor of 𝐹𝑛 is of the form 𝑘2𝑛+1 + 1, and for 𝑛 ≥ 2 it is
of the form 𝑟2𝑛+2 + 1. ♣

Presumably Euler used this theorem for proving that 𝐹5 is composite: the prime
divisors of 𝐹5 can only be primes of form 128𝑘 + 1. The first two of these are 257 and
641, and the latter one divides 𝐹5 .

Proof. First we verify the statement if the divisor is a prime 𝑝. Then 𝑝 ∣ 𝐹𝑛 means
𝑛
(5.2.1) 22 ≡ −1 (mod 𝑝) .
Squaring both sides, we obtain
𝑛+1
(5.2.2) 22 ≡ 1 (mod 𝑝) .
By Theorem 3.2.2(i),
2𝑗 ≡ 1 (mod 𝑝) ⟺ 𝑜𝑝 (2) ∣ 𝑗.
Hence (5.2.2) implies
𝑜𝑝 (2) ∣ 2𝑛+1 ,
and by (5.2.1), we have
𝑜𝑝 (2) ∤ 2𝑛 ,
since clearly 𝑝 > 2, and thus −1 ≢ 1 (mod 𝑝). It follows that
𝑜𝑝 (2) = 2𝑛+1 .
Using 𝑜𝑝 (2) ∣ 𝑝 − 1, we obtain 2𝑛+1 ∣ 𝑝 − 1, so 𝑝 = 𝑘2𝑛+1 + 1 for a suitable integer 𝑘.
If 𝑛 ≥ 2, then this implies 𝑝 = 8𝑠 + 1, so
2 𝑝−1
( ) = 1, hence 2 2 ≡ 1 (mod 𝑝) .
𝑝
Therefore
𝑝−1
𝑜𝑝 (2) = 2𝑛+1 || ,
2
so 𝑝 = 𝑟2𝑛+2 + 1 for a suitable integer 𝑟.
These results can be written also as 𝑝 ≡ 1 (mod 2𝑛+1 ), and for 𝑛 ≥ 2, as 𝑝 ≡ 1
(mod 2𝑛+2 ).
Consider an arbitrary divisor 𝑑 ∣ 𝐹𝑛 . Write 𝑑 as the product of (not necessarily
distinct) primes (if 𝑑 > 1): 𝑑 = 𝑝1 . . . 𝑝𝑠 . We have just proven that 𝑝 𝑖 ≡ 1 (mod 2𝑛+1 )
for every 𝑖. Multiplying these congruences, we see that also 𝑑 ≡ 1 (mod 2𝑛+1 ) holds.
We can use the same argument also for the modulus 2𝑛+2 . □
Theorem 5.2.2 (Pepin’s test). Let 𝑛 ≥ 1. Then 𝐹𝑛 is prime if and only if
(5.2.3) 3(𝐹𝑛 −1)/2 ≡ −1 (mod 𝐹𝑛 ) . ♣
120 5. Prime Numbers

Proof. Assume first that 𝐹𝑛 is a prime. Then (5.2.3) means that 3 is a quadratic non-
residue modulo 𝐹𝑛 , i.e.
3
( ) = −1.
𝐹𝑛
𝑛
To verify this, we use that 𝑛 ≥ 1 yields 22 = 4𝑡 , hence
𝐹𝑛 ≡ 1 (mod 4) , and 𝐹𝑛 = 4𝑡 + 1 ≡ −1 (mod 3) .
Applying quadratic reciprocity, we obtain
3 𝐹 −1
( ) = ( 𝑛 ) = ( ) = −1.
𝐹𝑛 3 3
To prove the converse, assume that (5.2.3) holds. Squaring both sides, we get
(5.2.4) 3𝐹𝑛 −1 ≡ 1 (mod 𝐹𝑛 ) .

Congruences (5.2.4) and (5.2.3) imply

𝐹𝑛 − 1
𝑜𝐹𝑛 (3) ∣ 𝐹𝑛 − 1 and 𝑜𝐹𝑛 (3) ∤ .
2
Since 𝐹𝑛 − 1 is a power of two, we infer
𝑜𝐹𝑛 (3) = 𝐹𝑛 − 1.
Therefore 𝐹𝑛 − 1 ∣ 𝜑(𝐹𝑛 ) follows. Clearly 𝜑(𝐹𝑛 ) ≤ 𝐹𝑛 − 1, therefore 𝐹𝑛 − 1 = 𝜑(𝐹𝑛 ), or
equivalently, 𝐹𝑛 is a prime. □

Using Theorem 5.2.2, we can show the compositeness of 𝐹5 = 232 +1 by computing

31
the residue of 32 modulo 𝐹5 by 31 squarings and reducing modulo 𝐹5 in every step.
It turns out that this residue is not −1. Moreover, even Fermat’s Little Theorem is
sufficient for our purposes: 32 such steps of squaring and reduction reveal
32
3𝐹5 −1 = 32 ≢ 1 (mod 𝐹5 ) ,
hence 𝐹5 cannot be a prime. So Fermat could have disproved his conjecture about
Fermat primes with his own theorem (the computations would have been no obstacle
since even more lengthy calculations were regularly done in those times).
Theorem 5.2.2 is an efficient tool in general for determining whether a Fermat
number is prime or composite: we can check the validity of (5.2.3) quickly by repeated
squarings (and reducing modulo 𝐹𝑛 ); we need altogether 2𝑛−1 ≈ log2 𝐹𝑛 such steps.
Unfortunately, the practical application is limited by the fact that the Fermat numbers
2
grow with enormous speed, 𝐹𝑛 ≈ 𝐹𝑛−1 , therefore computers are unable to handle even
relatively small values of 𝑛.
Now we turn to study the Mersenne numbers 𝑀𝑝 = 2𝑝 − 1 (where 𝑝 is a prime). It
is easy to see that not all of them are primes; the smallest composite number is obtained
for 𝑝 = 11:
211 − 1 = 2047 = 23 ⋅ 89.
The significance of Mersenne primes lies, partly, in their connection with the even
perfect numbers (see Theorem 6.3.2). Mersenne was a superb scientific manager in
the seventeenth century, corresponding intensively with Fermat, Descartes, and other
5.2. Fermat and Mersenne Primes 121

leading scientists, and encouraged the search for such primes in the hope of finding
new perfect numbers.
Mersenne was aware of the difficulty of determining whether a large integer is
prime or composite. He wrote in his book in 1644: “To tell if a given number of 15 or
20 digits is prime or not, all time would not suffice for the test, whatever use is made of
what is already known.” A few pages later, however, we can read his claim that: 2𝑝 − 1
is a prime for 𝑝 = 2, 3, 5, 7, 13, 17, 19, 31, 67, 127, 257, but for no other values of 𝑝
below 257.
For more than two centuries, nobody knew whether Mersenne’s list was correct or
not. The first error was discovered in 1876(!) by another Frenchman, Édouard Lucas,
who proved that 267 − 1 is composite. It is interesting that Lucas proved the compos-
iteness of 267 − 1 without exhibiting any factors of it (based on Theorem 5.2.4 bearing
also his name). The factorization
193707721 ⋅ 761838257287
was found only in 1903(!) by the American mathematician F. N. Cole who spent three
years of Sunday afternoons wrestling with the problem (remember, he had to work by
hand without computers, since these were invented half a century later).
Later four other errors were discovered in Mersenne’s list: the missing 261 − 1,
289 − 1, and 2107 − 1 are primes and 2257 − 1 is composite.
The presently (as of February 2019) known 51 Mersenne primes are 2𝑝 − 1 where
𝑝 = 2, 3, 5, 7, 13, 17, 19, 31, 61, 89, 107, 127, 521, 607, 1279, 2203, 2281, 3217, 4253,
4423, 9689, 9941, 11213, 19937, 21701, 23209, 44497, 86243, 110503, 132049, 216091,
756839, 859433, 1257787, 1398269, 2976221, 3021377, 6972593, 13466917, 20996011,
24036583, 25964951, 30402457, 32582657, 37156667, 42643801, 43112609, 57885161,
74207281, 77232917, and 82589933. The last number, 282589933 − 1 is the largest known
prime—it has 24862048 decimal digits! It is a famous unsolved problem whether there
are infinitely many Mersenne primes.
In the table of Mersenne numbers at the end of this book you can find the prime
factorization of all composite Mersenne numbers for the (prime) exponents between
10 and 100.
Now we prove the analogues of Theorems 5.2.1 and 5.2.2 for Mersenne numbers.
Theorem 5.2.3. Let 𝑝 > 2 be a prime. Then any (positive) divisor of 𝑀𝑝 = 2𝑝 − 1 is of
the forms 2𝑘𝑝 + 1 and 8𝑟 ± 1. ♣
Example. Consider 𝑝 = 47. Then for any prime divisor 𝑞 of 𝑀47 = 247 − 1, we have
𝑞 = 94𝑘 + 1 = 8𝑟 ± 1. Solving the system of simultaneous congruences
𝑥 ≡ 1 (mod 94) , 𝑥 ≡ ±1 (mod 8)
we obtain
𝑥 ≡ 1 or 95 (mod 376) .
The primes satisfying these conditions are
𝑞 = 1129, 1223, 2351, . . .
We find that 2351 ∣ 𝑀47 , hence 𝑀47 is composite.
122 5. Prime Numbers

It is conceivable that also Mersenne found this divisor of 𝑀47 , and therefore he
did not include 𝑝 = 47 into his list (and the missing of this value is not just a lucky
coincidence).

Proof. Similar to the argument seen at the Fermat numbers, it is sufficient to prove
the statement for prime divisors.
Assume that a prime 𝑞 satisfies
𝑞 ∣ 2𝑝 − 1, i.e. 2𝑝 ≡ 1 (mod 𝑞) .
Then 𝑜𝑞 (2) ∣ 𝑝, and 𝑜𝑞 (2) ≠ 1, hence 𝑜𝑞 (2) = 𝑝.
We infer 𝑝 ∣ 𝑞 − 1, thus 𝑞 = 𝑡𝑝 + 1. Since 𝑞 and 𝑝 are odd, therefore 𝑡 is even, so
𝑞 = 2𝑘𝑝 + 1.
To verify 𝑞 = 8𝑟 ± 1, we have to show that 2 is a quadratic residue mod 𝑞. This
follows from the congruence 2𝑝 ≡ 1 (mod 𝑞) by the properties of the Legendre symbol
using that 𝑝 is odd:
𝑝
2 2 2𝑝 1
( ) = ( ) = ( ) = ( ) = 1. □
𝑞 𝑞 𝑞 𝑞
Theorem 5.2.4 (Lucas–Lehmer-test). Let 𝑝 > 2 be a prime, 𝑎1 = 4, and 𝑎𝑖+1 = 𝑎2𝑖 − 2
for 𝑖 ≥ 1. Then 𝑀𝑝 is a prime if and only if
(5.2.5) 𝑀𝑝 ∣ 𝑎𝑝−1 . ♣
Example. Put 𝑝 = 5. Then
𝑎1 = 4, 𝑎2 = 14, 𝑎3 = 194 ≡ 8 (mod 31) , and 𝑎4 ≡ 62 ≡ 0 (mod 31) ,
hence 𝑀5 = 31 is a prime.

When checking (5.2.5), we compute the modulo 𝑀𝑝 remainders of the 𝑎𝑖 , which

requires 𝑝 − 2 ≈ log2 𝑀𝑝 steps of squaring (plus subtracting and reducing).

Proof. The numbers 𝑎+𝑏√3 (where 𝑎, 𝑏 are integers) form a (commutative) ring (with
identity element and without zero divisors) for the usual operations; we denote this
ring by 𝐻. In our proof we shall rely on the elementary properties of divisibility, con-
gruences, and order in 𝐻 (which hold exactly the same way as for the integers). Unique
prime factorization is valid in 𝐻 (see Theorem 10.3.6 and Exercise 10.3.1), but we shall
not need this result in our argument.
I. We can easily verify by induction that
𝑘−1 𝑘−1
𝑎𝑘 = (2 + √3)2 + (2 − √3)2
holds for every 𝑘. Hence (5.2.5) is equivalent to the divisibility
𝑝−2 𝑝−2
(5.2.6) 𝑀𝑝 ∣ (2 + √3)2 + (2 − √3)2 .
Factoring the right-hand side in (5.2.6), we obtain
𝑝−2 𝑝−1
(5.2.7) 𝑀𝑝 ∣ (2 − √3)2 ((2 + √3)2 + 1).

We note that the divisibility in (5.2.7) holds among the integers if and only if it is
valid in 𝐻 (see Exercise 5.2.10), and (2 − √3)(2 + √3) = 1 implies that 2 ± √3 raised to
5.2. Fermat and Mersenne Primes 123

integer powers are units in 𝐻. Therefore (5.2.7) and thus (5.2.5) are equivalent to the
congruence
𝑝−1
(5.2.8) (2 + √3)2 ≡ −1 (mod 𝑀𝑝 ) .
We conclude that Theorem 5.2.4 can be reformulated as follows: 𝑀𝑝 is a prime if
and only if (5.2.8) holds.
II. We shall need the following lemma: For any prime 𝑞 > 3, we have
3
(5.2.9) (𝑎 + 𝑏√3)𝑞 ≡ 𝑎 + ( ) 𝑏√3 (mod 𝑞) .
𝑞
Proof of the lemma: Consider the binomial expansion
𝑞 𝑞
(5.2.10) (𝑎 + 𝑏√3)𝑞 = 𝑎𝑞 + ( )𝑎𝑞−1 𝑏√3 + ( )𝑎𝑞−2 3𝑏2 + ⋯ + 𝑏𝑞 3(𝑞−1)/2 √3.
1 2
By Fermat’s Little Theorem,
𝑎𝑞 ≡ 𝑎 (mod 𝑞) and 𝑏𝑞 ≡ 𝑏 (mod 𝑞) ,
further, each of
𝑞 𝑞 𝑞
( ), ( ), . . . , ( )
1 2 𝑞−1
is divisible by 𝑞, and
3
3(𝑞−1)/2 ≡ ( ) (mod 𝑞) .
𝑞
Substituting these into (5.2.10), we obtain (5.2.9) as stated.
III. Now we are in the position to show that (5.2.8) implies the primality of 𝑀𝑝 .
Squaring (5.2.8), we have
𝑝
(5.2.11) (2 + √3)2 ≡ 1 (mod 𝑀𝑝 ) .
Let 𝑞 be a prime divisor of 𝑀𝑝 (clearly 𝑞 > 3). Then (5.2.11) and (5.2.8) hold also
for the modulus 𝑞 instead of 𝑀𝑝 . This yields (similar to the argument used in the proofs
of Theorems 5.2.1 and 5.2.2) that 𝑜𝑞 (2 + √3) = 2𝑝 .
3
If ( 𝑞 ) = 1, then by (5.2.9) we obtain

(2 + √3)𝑞−1 = (2 − √3)(2 + √3)𝑞 ≡ (2 − √3)(2 + √3) = 1 (mod 𝑞) ,

hence
𝑜𝑞 (2 + √3) = 2𝑝 ≤ 𝑞 − 1.
But this is impossible since 𝑞 ≤ 𝑀𝑝 = 2𝑝 − 1.
3
If ( 𝑞 ) = −1, then similarly

(2 + √3)𝑞+1 ≡ (2 − √3)(2 + √3) = 1 (mod 𝑞) ,

thus
𝑜𝑞 (2 + √3) = 2𝑝 ≤ 𝑞 + 1.
Comparing this with 𝑞 ≤ 𝑀𝑝 = 2𝑝 − 1, we have 𝑞 = 𝑀𝑝 , i.e. 𝑀𝑝 is a prime.
IV. Finally, we prove that if 𝑀𝑝 is a prime, then (5.2.8) must hold.
124 5. Prime Numbers

We shall use that 𝑀𝑝 ≡ −1 (mod 8) implies

2
(5.2.12) ( ) = 1,
𝑀𝑝
further, using 𝑀𝑝 ≡ 1 (mod 3), 𝑀𝑝 ≡ −1 (mod 4), and the law of reciprocity we get
3 𝑀𝑝 1
(5.2.13) ( ) = −( ) = − ( ) = −1.
𝑀𝑝 3 3
Starting from the equality
2(2 + √3) = (1 + √3)2 ,
we raise both sides to the power (𝑀𝑝 + 1)/2 = 2𝑝−1 :
𝑝−1
(5.2.14) 2(𝑀𝑝 +1)/2 ⋅ (2 + √3)2 = (1 + √3)𝑀𝑝 +1 .
For the first factor on the left-hand side of (5.2.14), using (5.2.12), we obtain
2
(5.2.15) 2(𝑀𝑝 +1)/2 = 2 ⋅ 2(𝑀𝑝 −1)/2 ≡ 2 ( ) = 2 (mod 𝑀𝑝 ) .
𝑀𝑝
The right-hand side of (5.2.14) can be transformed as follows, applying (5.2.9) with
𝑎 + 𝑏√3 = 1 + √3 and 𝑞 = 𝑀𝑝 , and using (5.2.13):

(1 + √3)𝑀𝑝 +1 = (1 + √3)(1 + √3)𝑀𝑝

3
(5.2.16) ≡ (1 + √3)(1 + ( ) √3)
𝑀𝑝
= (1 + √3)(1 − √3) = −2 (mod 𝑀𝑝 ) .
Substituting (5.2.15) and (5.2.16) into (5.2.14), we infer
𝑝−1
(5.2.17) 2(2 + √3)2 ≡ −2 (mod 𝑀𝑝 ) .
Multiplying (5.2.17) by 2𝑝−1 and using 2𝑝 ≡ 1 (mod 𝑀𝑝 ), we obtain the desired con-
gruence (5.2.8). □

Exercises 5.2

1. (a) Verify 𝐹𝑛+1 = 𝐹0 𝐹1 . . . 𝐹𝑛 + 2.

(b) Demonstrate that the Fermat numbers are pairwise relatively prime (cf. Ex-
ercise 1.3.14).
(c) Use part (b) to devise a new proof for the existence of infinitely many primes.
(d) Give a new proof for the statement of Exercise 5.1.9a.
2. Show that Theorem 5.2.2 remains valid for 𝑛 ≥ 2 if 3 is replaced by 5 or 10 in
formula (5.2.3).
3. Let 𝑛 ≥ 2. Prove that 𝐾𝑛 = 5 ⋅ 2𝑛 + 1 is a prime if and only if
3(𝐾𝑛 −1)/2 ≡ −1 (mod 𝐾𝑛 ) .
 5.3. Primes in Arithmetic Progressions 125

4. Verify that 𝜑(𝑁) is a power of two if and only if 𝑁 = 2𝛼 𝑝1 . . . 𝑝𝑟 , where 𝛼 ≥ 0, 𝑟 ≥ 0

and 𝑝 𝑖 are distinct Fermat primes.
S 5. For how many values of 𝑘 can we construct a regular (2𝑘 − 1)-gon?
6. Find the smallest prime divisors of the numbers:
(a) 223 − 1
(b) 229 − 1
(c) 237 − 1
(d) 243 − 1.
S 7. Prove that 𝑀𝑝 is divisible by 2𝑝+1 if and only if 2𝑝+1 is a prime and 𝑝 ≡ 3 (mod 4).
(Illustration: 11 ≡ 3 (mod 4), 2 ⋅ 11 + 1 = 23 is a prime, and also 23 ∣ 211 − 1.)
8. Assume that for a prime 𝑞 its square 𝑞2 divides a Fermat number or a Mersenne
number. Prove
2𝑞−1 ≡ 1 (mod 𝑞2 ) .
Remark: It is an unsolved problem whether the assumption of the exercise can hold
at all; it may well happen that all Fermat and Mersenne numbers are squarefree.
It is also unknown, how many primes 𝑞 satisfy the above congruence; it is possible
that the only such primes 𝑞 are the presently known 1093 and 3511.
S 9. The pairs 8 and 9, 16 and 17, or 31 and 32 are adjacent prime powers (also primes
are considered to be prime powers). Characterize all such pairs 𝑛, 𝑛 + 1.
10. Let 𝐻 denote the ring of the numbers 𝑎 + 𝑏√3 (where 𝑎, 𝑏 are integers, see the
proof of Theorem 5.2.4), and let 𝑘 and 𝑛 be integers. Show that the divisibility 𝑘 ∣ 𝑛
holds in 𝐻 if and only if it is valid among the integers.
* 11. Another unsolved problem is whether there are infinitely many composite Fermat
numbers. Similarly, we do not know if there are infinitely many primes or com-
𝑛
posite numbers 𝐻𝑛 = 62 + 1. Prove, however, that there must occur infinitely
many composite numbers in at least one of the two sequences 𝐹𝑛 and 𝐻𝑛 .

5.3. Primes in Arithmetic Progressions

By arithmetic progression we mean an infinite arithmetic progression of integers with
a positive difference:
𝑎 + 𝑘𝑑, where 𝑑 > 0 and 𝑎 are integers, 𝑘 = 0, 1, 2, . . . .
We saw in Section 5.1 that such a sequence cannot consist purely of primes. Also, if
(𝑎, 𝑑) = 𝑡 > 1, then every element is divisible by 𝑡, thus the sequence can contain
one (positive) prime at most. For (𝑎, 𝑑) = 1, however, the sequence contains infinitely
many primes:
Theorem 5.3.1 (Dirichlet’s Theorem). If the integers 𝑑 > 0 and 𝑎 are coprime, then
there are infinitely many primes in the arithmetic progression 𝑎 + 𝑘𝑑, 𝑘 = 0, 1, 2, . . . . ♣

We do not prove this general theorem; we shall verify only a few special cases.
Theorem 5.3.2. There are infinitely many primes of the form 4𝑘 + 3. ♣
126 5. Prime Numbers

Proof. We follow the Euclidean ideas seen in Theorem 5.1.1. For a proof by contra-
diction, we assume that there exist only finitely many primes of the form 4𝑘 + 3. Let
them be 𝑝1 = 3, . . . , 𝑝𝑟 , and let 𝐴 = 4𝑝1 . . . 𝑝𝑟 − 1.
Clearly, no 𝑝 𝑖 divides 𝐴.
We write 𝐴 as a product of primes: 𝐴 = 𝑞1 . . . 𝑞𝑠 (possibly 𝑠 = 1 or 𝑞𝑖 = 𝑞𝑗 ). Every
𝑞𝑗 > 2, since 𝐴 is odd. Further, all factors 𝑞𝑗 cannot satisfy 𝑞𝑗 ≡ 1 (mod 4), because
multiplying these congruences would yield 𝐴 ≡ 1 (mod 4) which is false. Therefore
there must be a prime of the form 4𝑘 + 3 among the 𝑞𝑗 . This differs from the primes
𝑝1 , . . . , 𝑝𝑟 , providing thus a contradiction. □

Theorem 5.3.3. There are infinitely many primes of the form 4𝑘 + 1. ♣

Proof. We need a further refinement of the Euclidean ideas. Again, we assume that
there exist only finitely many such primes, 𝑝1 = 5, . . . , 𝑝𝑟 . We consider now 𝐴 =
(2𝑝1 . . . 𝑝𝑟 )2 + 1.
Clearly, no 𝑝 𝑖 divides 𝐴.
Let 𝑞 be any prime divisor of 𝐴. Obviously, 𝑞 > 2. We rewrite the divisibility 𝑞 ∣ 𝐴
as
(2𝑝1 . . . 𝑝𝑟 )2 ≡ −1 (mod 𝑞) .
It follows that the congruence 𝑥2 ≡ −1 (mod 𝑞) is solvable, i.e. 𝑞 ≡ 1 (mod 4). Thus
we found a new prime of the form 4𝑘 + 1 which is a contradiction. □

Using quadratic congruences, we can settle many other special cases of Dirichlet’s
Theorem, too, see Exercise 5.3.3.
Now we verify Dirichlet’s Theorem for any arithmetic progression having 1 as its
first term:

Theorem 5.3.4. For any 𝑚 > 0, there are infinitely many primes in the sequence 𝑚𝑘 + 1,
𝑘 = 0, 1, 2, . . . . ♣

Proof. We shall use the following facts about cyclotomic polynomials and multiple
roots of polynomials:
(i) The 𝑚th cyclotomic polynomial Φ𝑚 has leading coefficient 1 and its zeros are the
complex 𝑚th primitive roots of unity. Thus the degree of Φ𝑚 is 𝜑(𝑚). Examples:

Φ4 = 𝑥2 + 1, Φ11 = 𝑥10 + 𝑥9 + ⋯ + 1.

It can be shown that Φ𝑚 has integer coefficients, and

(5.3.1) Φ𝑚 ∣ 𝑥𝑚 − 1, moreover, 𝑥𝑚 − 1 = ∏ Φ𝑑 .
𝑑|𝑚

(ii) Let 𝐹 be any (commutative) field and let 𝑓 ∈ 𝐹[𝑥]. An element 𝛼 ∈ 𝐹 is called a
multiple root of 𝑓 if (𝑥 − 𝛼)2 ∣ 𝑓. This holds if and only if 𝑓(𝛼) = 𝑓′ (𝛼) = 0, where
𝑓′ is the (formal) derivative of 𝑓.
Exercises 5.3 127

Using the above notions and theorems, we prove first the following lemma of in-
dependent interest:
Let 𝑐 be an integer and 𝑞 a prime. Then

(5.3.2) 𝑜𝑞 (𝑐) = 𝑚 ⟺ 𝑞 ∣ Φ𝑚 (𝑐) and 𝑞 ∤ 𝑚.

Proof of the lemma. Assume first 𝑜𝑞 (𝑐) = 𝑚. Then 𝑚 ∣ 𝑞 − 1, hence 𝑞 ∤ 𝑚.

Substitute 𝑐 for 𝑥 in (5.3.1):

(5.3.3) 𝑐𝑚 − 1 = ∏ Φ𝑑 (𝑐).
𝑑|𝑚

Because 𝑜𝑞 (𝑐) = 𝑚 implies 𝑐𝑚 ≡ 1 (mod 𝑞), 𝑞 divides the left-hand side of (5.3.3).
Since 𝑞 is a prime, a factor Φ𝑑 (𝑐) on the right-hand side must be a multiple of 𝑞. Due
to Φ𝑑 (𝑐) ∣ 𝑐𝑑 − 1 we get 𝑐𝑑 ≡ 1 (mod 𝑞) for some 𝑑 ∣ 𝑚. But 𝑜𝑞 (𝑐) = 𝑚, therefore only
𝑑 = 𝑚 can occur, so 𝑞 ∣ Φ𝑚 (𝑐).
Turning to the converse, we assume 𝑞 ∣ Φ𝑚 (𝑐) and 𝑞 ∤ 𝑚. Then Φ𝑚 (𝑐) ∣ 𝑐𝑚 − 1
implies 𝑐𝑚 ≡ 1 (mod 𝑞). Assuming 𝑜𝑞 (𝑐) = 𝑡 < 𝑚, we shall arrive at a contradiction.
We have 𝑡 ∣ 𝑚 and 𝑐𝑡 ≡ 1 (mod 𝑞). Applying (5.3.3) for 𝑡 instead of 𝑚, we obtain
𝑞 ∣ Φ𝑑 (𝑐) for some 𝑑 ∣ 𝑡. This means that at least two factors are divisible by 𝑞 on the
right-hand side of the original (5.3.3).
We shall consider the identity 𝑥𝑚 − 1 = ∏𝑑|𝑚 Φ𝑑 in (5.3.1) over the modulo 𝑞 field
𝐙𝑞 . Then the last sentence of the previous paragraph can be interpreted so that 𝑐 (as an
element of 𝐙𝑞 ) is a root of at least two factors in ∏𝑑|𝑚 Φ𝑑 . This product equals 𝑥𝑚 − 1,
hence 𝑐 is a multiple root of the polynomial 𝑓 = 𝑥𝑚 − 1 ∈ 𝐙𝑞 [𝑥]. By (ii), we have
𝑓′ (𝑐) = 𝑚𝑐𝑚−1 = 0 (in 𝐙𝑞 ).
Since 𝑞 ∤ 𝑚 and 𝑞 ∤ 𝑐, i.e. 𝑚 ≠ 0 and 𝑐 ≠ 0 in the field 𝐙𝑞 , therefore 𝑚𝑐𝑚−1 cannot
be 0, which is a contradiction. This completes the proof of the lemma.
Turning to the proof of Theorem 5.3.4, we assume that there are only finitely many
primes (possibly none) of the form 𝑚𝑘+1, 𝑝1 , . . . , 𝑝𝑟 . Define 𝑐 as 𝑐 = 𝑣𝑚𝑝1 . . . 𝑝𝑟 , where
𝑣 is any positive integer (𝑐 = 𝑣𝑚 if 𝑟 = 0). If 𝑣 is large enough, Φ𝑚 (𝑐) > 1.
Let 𝑞 be any prime divisor of Φ𝑚 (𝑐). Here Φ𝑚 (𝑐) ∣ 𝑐𝑚 − 1 guarantees (𝑞, 𝑐) = 1,
hence 𝑞 ∤ 𝑚. Thus 𝑜𝑞 (𝑐) = 𝑚, by the lemma.
Therefore 𝑚 ∣ 𝑞 − 1, so 𝑞 is of the form 𝑞 = 𝑚𝑘 + 1. Finally, (𝑞, 𝑐) = 1 implies
𝑞 ≠ 𝑝 𝑖 , which contradicts our assumption that 𝑝1 , . . . , 𝑝𝑟 were all primes of the form
𝑚𝑘 + 1. □

Exercises 5.3

1. How many modulo 9999 residue classes contain a positive prime?

2. Why can one not apply the proof of Theorem 5.3.2 to Theorem 5.3.3 directly, taking
𝐴 = 4𝑝1 . . . 𝑝𝑟 + 1?
128 5. Prime Numbers

3. Prove without relying on the general form of Dirichlet’s Theorem that the arith-
metic progressions below contain infinitely many primes:
(a) 6𝑘 + 5
(b) 8𝑘 + 3
(c) 8𝑘 + 5
(d) 8𝑘 + 7
(e) 10𝑘 + 9
(f) 12𝑘 + 5
(g) 12𝑘 + 7
(h) 12𝑘 + 11.
4. How many primes have 4321 as last four digits in their decimal representation?
5. Write all primes one after the other following the decimal point. Show that the
resulting number 0.235711131719 . . . is irrational.
6. For which positive integers 𝑎, 𝑏, 𝑐 does the set of numbers 𝑎 + 𝑏𝑘 + 𝑐𝑛 contain
infinitely many primes, where 𝑘 = 0, 1, 2, . . . , 𝑛 = 0, 1, 2, . . . ?
7. (a) Show that every non-zero integer is a quadratic residue mod 𝑝 for some suit-
able prime 𝑝.
(b) Which integers are quadratic non-residues mod 𝑝 for some suitable prime 𝑝?
8. Prove that for any 𝑛 > 1, there exists a polynomial 𝑓 with integer coefficients of
degree 𝑛 reducible over the rational field such that 𝑓(𝑣 𝑖 ) is a positive prime for each
of the suitably chosen integers 𝑣 1 , . . . , 𝑣 𝑛 .
9. Show (without relying on the general form of Dirichlet’s Theorem), that if there ex-
ists a prime of the form 𝑎+𝑘𝑑 for every pair of coprime integers 𝑎 and 𝑑, then there
always exist infinitely many such primes. (This means that the main difficulty in
proving Dirichlet’s Theorem lies not in guaranteeing the infinitude of such primes
but in showing that there exist such primes at all in every suitable arithmetic pro-
gression.)

5.4. How Big Is 𝜋(𝑥)?

We denote the number of (positive) primes not exceeding 𝑥 by 𝜋(𝑥). For example,
𝜋(1) = 0, 𝜋(6.7) = 3, 𝜋(20) = 8. It is sufficient to investigate the values of 𝜋(𝑥) for
positive integers 𝑥.
Though the distribution of primes is very irregular, the asymptotic behavior of 𝜋(𝑥)
can be well characterized by the so-called Prime Number Theorem stated below with-
out proof:
Theorem 5.4.1 (Prime Number Theorem). Let log stand for the natural logarithm.
Then
𝜋(𝑥)
lim 𝑥 = 1,
𝑥→∞
log 𝑥
𝑥
i.e. 𝜋(𝑥) is asymptotically equal to log 𝑥
. ♣
5.4. How Big Is 𝜋(𝑥)? 129

Remarks: (1) The Prime Number Theorem refers to the ratio, and not to the difference
𝑥 𝑥
of 𝜋(𝑥) and log 𝑥 . In fact, lim𝑥→∞ 𝜋(𝑥) − log 𝑥 = ∞.
𝑥
(2) The Prime Number Theorem states that there are approximately log 𝑥 primes not
exceeding 𝑥. Whether this is much or few, depends on to which set it is compared.
Compared to all positive integers, the primes are very scarce as
𝑥
𝜋(𝑥) log 𝑥 1
lim = lim = lim = 0.
𝑥→∞ ⌊𝑥⌋ 𝑥→∞ 𝑥 𝑥→∞ log 𝑥

At the same time, the primes occur much more densely than, for example, the
squares since there are ⌊√𝑥⌋ squares up to 𝑥, and
𝑥
𝜋(𝑥) log 𝑥 √𝑥
lim = lim = lim = ∞.
𝑥→∞ ⌊√𝑥⌋ 𝑥→∞ √𝑥 𝑥→∞ log 𝑥

(3) The Prime Number Theorem was first conjectured at the end of the 18th century
by Legendre and Gauss independently. Gauss was just 15 years old, and 𝑥/ log 𝑥
is replaced by the logarithmic integral
𝑥
𝑑𝑡
Li(𝑥) = ∫
2
log 𝑡
in his conjecture. Later it turned out that this integral approximates 𝜋(𝑥) much
better than 𝑥/ log 𝑥. The way towards the proof of the Prime Number Theorem
was devised some 70 years later by Riemann, and the first proofs were achieved
in 1896 independently by de la Vallée Poussin and Hadamard. Erdős and Selberg
found a so-called elementary proof (not relying on deep theorems from analysis)
in 1949.

The Prime Number Theorem provides an asymptotic formula for the 𝑛th prime.

Theorem 5.4.2. Let 𝑝𝑛 be the 𝑛th prime. Then

𝑝𝑛
(5.4.1) lim = 1. ♣
𝑛→∞ 𝑛 log 𝑛

Proof. Since 𝜋(𝑝𝑛 ) = 𝑛, the Prime Number Theorem implies

𝜋(𝑝𝑛 ) 𝑛 log 𝑝𝑛
(5.4.2) lim 𝑝𝑛 = lim = 1.
𝑛→∞ 𝑛→∞ 𝑝𝑛
log 𝑝𝑛

The reciprocal of the sequence on the left-hand side of (5.4.1) can be written as
𝑛 log 𝑛 𝑛 log 𝑝𝑛 log 𝑛
(5.4.3) = ⋅ .
𝑝𝑛 𝑝𝑛 log 𝑝𝑛
By (5.4.2) and (5.4.3), to prove (5.4.1) we have to show that the limit of the second
fraction on the right-hand side of (5.4.3) is 1, i.e.
log 𝑛
(5.4.4) lim = 1.
𝑛→∞ log 𝑝𝑛
130 5. Prime Numbers

Taking the logarithm of (5.4.2) we obtain

𝑛 log 𝑝𝑛
(5.4.5) lim log( ) = lim (log 𝑛 + log log 𝑝𝑛 − log 𝑝𝑛 ) = 0.
𝑛→∞ 𝑝𝑛 𝑛→∞

As 1/(log 𝑝𝑛 ) is bounded, (5.4.5) implies

log 𝑛 log log 𝑝𝑛
(5.4.6) lim ( + − 1) = 0.
𝑛→∞ log 𝑝𝑛 log 𝑝𝑛
Here
log log 𝑝𝑛
lim = 0,
𝑛→∞ log 𝑝𝑛
hence (5.4.4) and thus also (5.4.1) follow from (5.4.6). □

In the remaining part of the section we prove a result weaker than the Prime Num-
ber Theorem:
Theorem 5.4.3. There exist positive constants 𝑐 1 and 𝑐 2 and an 𝑥0 such that every 𝑥 ≥ 𝑥0
satisfies
𝑥 𝑥
(5.4.7) 𝑐1 < 𝜋(𝑥) < 𝑐 2 . ♣
log 𝑥 log 𝑥
Remarks: (1) Theorem 5.4.3 means that the order of magnitude of 𝜋(𝑥) is the same
as that of 𝑥/ log 𝑥. This in itself is sufficient to answer several questions, e.g. the
density comparisons in Remark 2 after Theorem 5.4.1.
(2) To parallel Theorems 5.4.1 and 5.4.3, the quotient of 𝜋(𝑥) and 𝑥/ log 𝑥 tends to 1
by the Prime Number Theorem, and stays between two positive constants (for 𝑥
large enough) by Theorem 5.4.3. It immediately follows that (5.4.7) can hold only
with constants 𝑐 1 ≤ 1 and 𝑐 2 ≥ 1. The Prime Number Theorem means that the
estimates of Theorem 5.4.3 are valid for any constants 0 < 𝑐 1 < 1 and 𝑐 2 > 1,
i.e. there exists an 𝑥0 for any constants 0 < 𝑐 1 < 1 and 𝑐 2 > 1 so that (5.4.7)
holds for every 𝑥 ≥ 𝑥0 . (Moreover, even 𝑐 1 = 1 is possible; see Remark 1 after
Theorem 5.4.1.)
(3) In Theorem 5.4.3 even 𝑥0 = 2 is possible (at the price of obtaining worse values
for 𝑐 1 and 𝑐 2 ), see Exercise 5.4.2.
(4) Theorem 5.4.3 was first proven by Chebyshev in 1850. Below we present Erdős’s
proof for the lower bound and a joint proof by Erdős and Kalmár for the upper
bound.

Proof. I. Lower bound for 𝜋(𝑥).

We need the following lemma:
Lemma 5.4.4. Any prime power divisor of the binomial coefficient (𝑛𝑘) is less than or
equal to 𝑛. ♣

Proof. Using the standard form of

𝑛 𝑛!
(5.4.8) ( )= = ∏ 𝑝𝛽𝑝 ,
𝑘 𝑘! (𝑛 − 𝑘)! 𝑝≤𝑛

we have to show 𝑝𝛽𝑝 ≤ 𝑛, i.e. 𝛽𝑝 ≤ ⌊log𝑝 𝑛⌋.

5.4. How Big Is 𝜋(𝑥)? 131

Consider a prime 𝑝, and denote ⌊log𝑝 𝑛⌋ by 𝑡. We determine the exponent of 𝑝 in

𝑛!, 𝑘!, and (𝑛 − 𝑘)! by Legendre’s formula (Theorem 1.6.8). The exponent of 𝑝 in (𝑛𝑘) is
𝑛 𝑛 𝑛
𝛽𝑝 = ⌊ ⌋ + ⌊ 2⌋ + ⋯ + ⌊ 𝑡⌋ −
𝑝 𝑝 𝑝
𝑘 𝑘 𝑘
− ⌊ ⌋ − ⌊ 2⌋ − ⋯ − ⌊ 𝑡⌋ −
𝑝 𝑝 𝑝
𝑛−𝑘 𝑛−𝑘 𝑛−𝑘
−⌊ ⌋−⌊ 2 ⌋ − ⋯ − ⌊ 𝑡 ⌋ .
𝑝 𝑝 𝑝

The sum of terms in each of the 𝑡 columns is of the form ⌊𝑎 + 𝑏⌋ − ⌊𝑎⌋ − ⌊𝑏⌋. It follows
that each expression is always 0 or 1 (see Exercise 5.4.1), hence 𝛽𝑝 ≤ 𝑡. □

Now we turn to the proof of the lower bound for 𝜋(𝑥). The right-hand side of
(5.4.8) is the product of (at most) 𝜋(𝑛) prime powers, and each of these factors is less
than or equal to 𝑛, by Lemma 5.4.4. This immediately implies
𝑛
(5.4.9) ( ) = ∏ 𝑝𝛽𝑝 ≤ 𝑛𝜋(𝑛) .
𝑘 𝑝≤𝑛

Summing the inequalities (5.4.9) for 𝑘 = 0, 1, . . . , 𝑛, we get

𝑛
𝑛
2𝑛 = ∑ ( ) ≤ (𝑛 + 1)𝑛𝜋(𝑛) .
𝑘=0
𝑘
Taking the logarithm, we obtain
𝑛 log 2 ≤ log(𝑛 + 1) + 𝜋(𝑛) log 𝑛.
This yields
𝑛 log(𝑛 + 1)
(5.4.10) 𝜋(𝑛) ≥ log 2 ⋅ − .
log 𝑛 log 𝑛
The second term on the right-hand side of (5.4.10) is bounded, hence it is less than
(say) 0.01𝑛/ log 𝑛 for 𝑛 large enough, so
𝑛
𝜋(𝑛) > (log 2 − 0.01) .
log 𝑛
II. Upper bound for 𝜋(𝑥).
Here again we need a lemma that provides an upper bound for the product of
primes not exceeding 𝑛:
Lemma 5.4.5. For any positive integer 𝑛, we have
(5.4.11) ∏ 𝑝 < 4𝑛 . ♣
𝑝≤𝑛
(𝑝 prime)

Proof. We proceed by induction.

Clearly, (5.4.11) holds for 𝑛 = 1, 2, and 3.
We assume now that it holds for 𝑛 = 1, 2, . . . , 𝑚 (where 𝑚 ≥ 3), and show that it
is valid also for 𝑛 = 𝑚 + 1.
132 5. Prime Numbers

If 𝑚 is odd, then 𝑚 + 1 > 2 is even, so it is composite. Applying the induction

hypothesis for 𝑛 = 𝑚, we get
∏ 𝑝 = ∏ 𝑝 < 4𝑚 < 4𝑚+1 .
𝑝≤𝑚+1 𝑝≤𝑚

Let now 𝑚 be even, 𝑚 = 2𝑘, so 𝑚 + 1 = 2𝑘 + 1. We write our product as

(5.4.12) ∏ 𝑝= ∏𝑝⋅ ∏ 𝑝.
𝑝≤2𝑘+1 𝑝≤𝑘+1 𝑘+2≤𝑝≤2𝑘+1

We apply the induction hypothesis for 𝑛 = 𝑘 + 1 to the first product on the right-hand
side of (5.4.12):
(5.4.13) ∏ 𝑝 < 4𝑘+1 .
𝑝≤𝑘+1

We get an upper bound for the second product using the binomial coefficient
2𝑘 + 1 (2𝑘 + 1)(2𝑘) . . . (𝑘 + 2)
( )= .
𝑘 𝑘!
Every prime 𝑘 + 2 ≤ 𝑝 ≤ 2𝑘 + 1 occurs in the numerator, but none of them divides the
denominator, hence (the integer) (2𝑘+1
𝑘
) is divisible by each of them, so it is a multiple
of their product, as well:
| 2𝑘 + 1
∏ 𝑝|( ).
𝑘+2≤𝑝≤2𝑘+1 |
𝑘
Hence
2𝑘 + 1
(5.4.14) ∏ 𝑝≤( ).
𝑘+2≤𝑝≤2𝑘+1
𝑘

Further,
2𝑘 + 1 1 2𝑘 + 1 2𝑘 + 1 1
(5.4.15) ( ) = (( )+( )) < ⋅ 22𝑘+1 = 4𝑘 .
𝑘 2 𝑘 𝑘+1 2
(5.4.14) and (5.4.15) imply
(5.4.16) ∏ 𝑝 < 4𝑘 .
𝑘+2≤𝑝≤2𝑘+1

Finally, substituting (5.4.13) and (5.4.16) into (5.4.12), we obtain the desired inequality
∏ 𝑝 < 42𝑘+1 . □
𝑝≤2𝑘+1

Now we turn to the proof of the upper bound for 𝜋(𝑥). There are 𝜋(𝑛) factors on
the left-hand side of (5.4.11). To get an upper bound for 𝜋(𝑛), we try to replace every
factor by the smallest prime, i.e. by 2. Unfortunately, this gives only
2𝜋(𝑛) < ∏ 𝑝 < 4𝑛 ,
𝑝≤𝑛

yielding 𝜋(𝑛) < 2𝑛 which is worse than the trivial upper bound 𝑛.
 Exercises 5.4 133

We refine the method of reducing the product on the left-hand side of (5.4.11) so
that we omit the small primes and replace the other factors (roughly) by their mini-
mum:
𝜋(𝑛)−𝜋(√𝑛)
(5.4.17) ∏𝑝 ≥ ∏ 𝑝 ≥ √𝑛 .
𝑝≤𝑛 √𝑛<𝑝≤𝑛

Combining (5.4.17) and (5.4.11), we get

𝜋(𝑛)−𝜋(√𝑛)
√𝑛 < 4𝑛 .
Taking the logarithm gives
(𝜋(𝑛) − 𝜋(√𝑛)) log(√𝑛) < 𝑛 log 4.
Hence
𝑛
(5.4.18) 𝜋(𝑛) < 2 ⋅ log 4 ⋅ + 𝜋(√𝑛).
log 𝑛
Finally, using 𝜋(√𝑛) < √𝑛 and
√𝑛 log 𝑛
lim 𝑛 = lim = 0,
𝑛→∞ 𝑛→∞ √𝑛
log 𝑛

we obtain that 𝜋(√𝑛) is less than (say) 0.01𝑛/ log 𝑛 for 𝑛 large enough, thus (5.4.18)
implies
𝑛
𝜋(𝑛) < (2 log 4 + 0.01) . □
log 𝑛

Exercises 5.4

𝑝 always denotes a prime, 𝑝𝑛 stands for the 𝑛th prime, and 𝑢𝑛 ∼ 𝑣 𝑛 means 𝑢𝑛 is asymp-
totically equal to 𝑣 𝑛 , i.e. lim𝑛→∞ 𝑢𝑛 /𝑣 𝑛 = 1.
1. Verify that ⌊𝑎 + 𝑏⌋ − ⌊𝑎⌋ − ⌊𝑏⌋ equals 0 or 1 for any real numbers 𝑎 and 𝑏.
2. Show that Theorem 5.4.3 holds with 𝑥0 = 2, i.e. the corresponding inequalities
(5.4.7) are true with suitable positive constants 𝑐′1 and 𝑐′2 for every real number
𝑥 ≥ 2.
* 3. Which lower and upper bounds follow for 𝑝𝑛 if (instead of Theorem 5.4.1) we rely
on (the weaker) Theorem 5.4.3?
4. Verify the estimates below using the Prime Number Theorem.
(a) ∑𝑝≤𝑛 log 𝑝 ∼ 𝑛.
(b) The product of all primes not exceeding 𝑛 is approximately 𝑒𝑛 in the following
sense (cf. Lemma 5.4.5): To any 𝜀 > 0 there exists an 𝑛0 such that
𝑒(1−𝜀)𝑛 < ∏ 𝑝 < 𝑒(1+𝜀)𝑛
𝑝≤𝑛

holds for every 𝑛 > 𝑛0 .

 134 5. Prime Numbers

* 5. Let 1 ≤ 𝑎1 < 𝑎2 < . . . be an arbitrary subsequence of the positive integers and let
𝐴(𝑛) denote the number of its elements not greater than 𝑛, i.e. 𝐴(𝑛) = ∑𝑎 ≤𝑛 1.
𝑖
Prove the equivalence of the following four statements.
(i) 𝐴(𝑛) ∼ 𝑛/ log 𝑛.
(ii) 𝑎𝑛 ∼ 𝑛 log 𝑛.
(iii) ∑𝑎 ≤𝑛 log 𝑎𝑖 ∼ 𝑛.
𝑖
(iv) To any 𝜀 > 0 there exists an 𝑛0 such that
𝑒(1−𝜀)𝑛 < ∏ 𝑎𝑖 < 𝑒(1+𝜀)𝑛
𝑎𝑖 ≤𝑛

is valid for every 𝑛 > 𝑛0 .

Remark: This shows that the statements of Theorems 5.4.1 and 5.4.2, and of Exer-
cise 5.4.4 are strongly correlated for more general sequences than the sequence of
primes.
* 6. Let 𝑆(𝑛) denote the sum of primes not exceeding 𝑛, i.e. 𝑆(𝑛) = ∑𝑝≤𝑛 𝑝. Prove the
estimates for 𝑆(𝑛).
(a) There exist positive constants 𝑐 3 and 𝑐 4 such that
𝑛2 𝑛2
𝑐3 < 𝑆(𝑛) < 𝑐 4
log 𝑛 log 𝑛
is true for every 𝑛 > 1.
(b) 𝑆(𝑛) ∼ 𝑛2 /(2 log 𝑛).
7. (a) Show that to any 𝐾 there exists an even integer that has at least 𝐾 representa-
tions as the sum of two primes.
(b) Demonstrate the similar statement for differences instead of sums.
8. Verify
𝑛
(𝑗 − 1)! +1 (𝑗 − 1)!
𝜋(𝑛) = ∑ (⌊ ⌋−⌊ ⌋).
𝑗=2
𝑗 𝑗
Is this formula suitable for the practical computation of 𝜋(𝑛)?

5.5. Gaps between Consecutive Primes

We show first that there occur arbitrarily large gaps between consecutive primes:
Theorem 5.5.1. For any positive integer 𝐾 there exist 𝐾 consecutive composite numbers.
♣

Proof. Take any 𝑁 > 𝐾, and consider the integers 𝑎𝑖 = 𝑁! +𝑖, 𝑖 = 2, 3, . . . , 𝐾 + 1.

Clearly, 𝑖 ∣ 𝑎𝑖 and 𝑎𝑖 > 𝑖, hence every 𝑎𝑖 is composite. □
Remark: We can replace 𝑁! in the proof by the product of primes not exceeding 𝑁.

Generalizing Theorem 5.5.1, we prove now that even both of two consecutive gaps
can be arbitrarily large, i.e. there exist primes surrounded by many composite numbers
from both sides (these are called solitary primes).
5.5. Gaps between Consecutive Primes 135

Theorem 5.5.2. For any positive integer 𝐾 there exists a prime 𝑝 such that all numbers
𝑝 ± 1, 𝑝 ± 2, . . . , 𝑝 ± 𝐾 are composite. ♣

Proof. We choose a prime 𝑞 ≥ 𝐾 + 2, and consider

(2𝑞 − 2)!
𝑑 = 2 ⋅ 3 . . . (𝑞 − 2)(𝑞 − 1)(𝑞 + 1)(𝑞 + 2) . . . (2𝑞 − 2) = .
𝑞
Here (𝑞, 𝑑) = 1, thus there exist (infinitely many) 𝑘 > 0 for which 𝑝 = 𝑞 + 𝑑𝑘 is a
prime. We show that such a 𝑝 meets the requirements. For any 1 ≤ 𝑗 ≤ 𝑞 − 2 we have
𝑘(2𝑞 − 2)!
𝑝 ± 𝑗 = 𝑞 + 𝑘𝑑 ± 𝑗 = (𝑞 ± 𝑗) + = (𝑞 ± 𝑗)(1 + 𝑐𝑗 ),
𝑞
where 𝑐𝑗 is a positive integer. Thus every 𝑝 ± 𝑗 is composite. □

Now we prove Chebyshev’s Theorem stating that there must occur a prime be-
tween any number and its double.
Theorem 5.5.3 (Chebyshev’s Theorem). For any integer 𝑛 ≥ 1 there exists a prime 𝑝
satisfying 𝑛 < 𝑝 ≤ 2𝑛. ♣

This obviously implies that the theorem remains valid for any real numbers 𝑛 ≥ 1
(instead of integers).
Another name for this result is Bertrand’s postulate, because the conjecture was
first formulated in 1845 by Bertrand in a slightly stronger form: To every 𝑛 > 3 there
is a prime 𝑝 satisfying 𝑛 < 𝑝 ≤ 2𝑛 − 2. (This version is true as well, and even much
stronger results hold, see assertions (A) in Theorems 5.5.4 and 5.5.5.) Theorem 5.5.3
was proved by Chebyshev in 1852. The proof below was found by Erdős when he was
19 years old.

Proof. The basic idea is to observe that the product of primes between 𝑛 and 2𝑛 is
closely related to the binomial coefficient (2𝑛
𝑛
). We assume 𝑛 ≥ 5 from now on.
I. We write the standard form of (2𝑛
𝑛
) and break it into the product of three factors
according to the size of the primes the following way:
2𝑛
(5.5.1) ( ) = ∏ 𝑝𝜈𝑝 = ∏ 𝑝𝜈𝑝 ⋅ ∏ 𝑝𝜈𝑝 ⋅ ∏ 𝑝𝜈𝑝 .
𝑛 𝑝≤2𝑛 𝑛+1≤𝑝≤2𝑛
𝑝≤√2𝑛 √2𝑛<𝑝≤𝑛

We denote the three subproducts on the right-hand side of (5.5.1) by 𝐴, 𝐵, and

𝐶. It is sufficient to show 𝐶 > 1, since then there must exist a prime 𝑝 satisfying
𝑛 + 1 ≤ 𝑝 ≤ 2𝑛. (It can be easily shown that every exponent 𝜈𝑝 in 𝐶 is 1, so 𝐶 equals
the product of primes between 𝑛 and 2𝑛, see Exercise 5.5.7a.)
To verify 𝐶 > 1, we establish upper bounds for 𝐴 and 𝐵, and a lower bound for
(2𝑛
𝑛
).
II. Lower bound for (2𝑛
𝑛
): Since (2𝑛
𝑘
) ≤ (2𝑛
𝑛
) for every 0 ≤ 𝑘 ≤ 2𝑛 (see Exercise 5.5.5)
2𝑛
2𝑛 2𝑛
(2𝑛 + 1)( ) > ∑ ( ) = 22𝑛 ,
𝑛 𝑘=0
𝑘
136 5. Prime Numbers

So
2𝑛 4𝑛
(5.5.2) ( )> .
𝑛 2𝑛 + 1
III. Upper bound for 𝐴: By Lemma 5.4.4, we have 𝑝𝜈𝑝 ≤ 2𝑛, hence

(5.5.3) 𝐴 = ∏ 𝑝𝜈𝑝 ≤ (2𝑛)𝜋(√2𝑛) < (2𝑛)√2𝑛 .

𝑝≤√2𝑛

IV. Upper bound for 𝐵: Again, 𝑝𝜈𝑝 ≤ 2𝑛, by Lemma 5.4.4, and since 𝑝 > √2𝑛, this
implies 𝜈𝑝 ≤ 1.
We show that 𝜈𝑝 = 0 for (𝑝 > 2 and) 2𝑛/3 < 𝑝 ≤ 𝑛. Indeed, such a 𝑝 occurs exactly
to the first power both in the numerator and denominator of
2𝑛 2𝑛(2𝑛 − 1) . . . (𝑛 + 1)
( )= ,
𝑛 𝑛!
it appears only in the factor 2𝑝 in the numerator, and in the factor 𝑝 in the denominator.
Hence
(5.5.4) 𝐵= ∏ 𝑝𝜈𝑝 = ∏ 𝑝𝜈𝑝 ≤ ∏ 𝑝.
√2𝑛<𝑝≤𝑛 √2𝑛<𝑝≤2𝑛/3 √2𝑛<𝑝≤2𝑛/3

This and Lemma 5.4.5 imply

(5.5.5) 𝐵 < ∏ 𝑝 < 42𝑛/3 .
𝑝≤2𝑛/3

V. Substituting (5.5.2), (5.5.3), and (5.5.5) into (5.5.1), and expressing 𝐶, we get
4𝑛 4𝑛/3
(5.5.6) 𝐶> > .
(2𝑛 + 1)(2𝑛)√2𝑛 ⋅ 42𝑛/3 (2𝑛 + 1)1+√2𝑛
To prove 𝐶 > 1 it is sufficient to verify that the logarithm of the expression 𝑠𝑛 on the
right-hand side of (5.5.6) is positive. Since
𝑛 log 4
(5.5.7) log 𝑠𝑛 = − (1 + √2𝑛) log(2𝑛 + 1) → ∞ as 𝑛 → ∞,
3
log 𝑠𝑛 > 0 if 𝑛 is large enough. A calculation shows that 𝑛 > 511 guarantees positivity,
hence 𝐶 > 1 for 𝑛 > 511.
VI. Finally, we verify the statement directly for 𝑛 ≤ 511. This can be done by
generating a sequence of primes starting with 2 where every element is less than the
double of the previous element: 2, 3, 5, 7, 13, 23, 43, 83, 163, 317, 631 is such a sequence.
(It is Chebyshev’s Theorem which guarantees the existence of an infinite sequence with
this property.) □

Related to Chebyshev’s Theorem the following more general problem arises con-
cerning the “gap function”:
For which functions ℎ(𝑛) is it true that the open interval (𝑛, 𝑛 + ℎ(𝑛)) always con-
tains a prime if 𝑛 is large enough?
5.5. Gaps between Consecutive Primes 137

Chebyshev’s Theorem asserts that ℎ(𝑛) = 𝑛 works, but according to Theorem 5.5.1,
a constant ℎ(𝑛) is not suitable, as the interval (𝑛, 𝑛 + 𝐾) is primefree for infinitely many
𝑛 however we fix 𝐾.
The order of magnitude of the best ℎ(𝑛) is a famous unsolved problem. We state
the related strongest results without proof:
Theorem 5.5.4. (A) Let 𝜃 = 0.525. Then the interval (𝑛, 𝑛 + 𝑛𝜃 ) contains a prime for
every 𝑛 is large enough.
(B) There exists a constant 𝑐 > 0 such that the interval
𝑐 ⋅ log 𝑛 ⋅ log log 𝑛 ⋅ log log log log 𝑛
(𝑛, 𝑛 + )
log log log 𝑛
is primefree for infinitely many positive integers 𝑛. ♣

Both assertions in Theorem 5.5.4 are very deep results (they are much sharper
than the ones deducible from the Prime Number Theorem, see Theorem 5.5.5). There
is, however, an enormous gulf between them: ℎ(𝑛) can be chosen as 𝑛𝜃 , and cannot be
chosen as a function not much bigger than the logarithm. Some probabilistic consid-
erations suggest that the boundary should be around (log 𝑛)2 .
It is interesting to note that (A) does not imply even the innocent looking conjec-
ture mentioned in Section 5.1 claiming that every interval between two consecutive
squares contains a prime. To prove this conjecture one has to reduce the exponent 𝜃
to 1/2 which could not be verified even assuming the famous unproved Riemann Hy-
pothesis.
Another remarkable fact about the difficulties in this field is that the previous best
result concerning primefree intervals was achieved in 1936(!), which differed from (𝐵)
just in the denominator being squared, and there was no progress at all for nearly
80(!) years, in spite of all efforts and a prize of 10000(!) US dollars offered by Erdős.
The five authors of this slight improvement thus got the biggest prize ever given (now
with the contribution of Ron Graham) for the solution of an Erdős problem.
In what follows, we show how the results of Theorems 5.5.3 and 5.5.1 can be sharp-
ened using the Prime Number Theorem.
Theorem 5.5.5. (A) For any 𝜀 > 0 there exists an 𝑛0 (depending on 𝜀) such that the
interval (𝑛, (1 + 𝜀)𝑛) contains a prime for every 𝑛 > 𝑛0 .
(B) For any 0 < 𝜀 < 1 there exist infinitely many positive integers so that the interval
(𝑛, 𝑛 + (1 − 𝜀) log 𝑛) is primefree. ♣

Proof. To prove (A), we have to verify

(5.5.8) 𝜋((1 + 𝜀)𝑛) − 𝜋(𝑛) > 0
for every 𝑛 large enough. Using the Prime Number Theorem in two different directions,
we get
𝜀 𝑛
(5.5.9) 𝜋(𝑛) < (1 + ) ⋅
4 log 𝑛
138 5. Prime Numbers

on the one hand, and

𝜀 (1 + 𝜀)𝑛
(5.5.10) 𝜋((1 + 𝜀)𝑛) > (1 − ) ⋅
4 log((1 + 𝜀)𝑛)
on the other hand, if 𝑛 is sufficiently large. Further,
𝜀
(5.5.11) log((1 + 𝜀)𝑛) = log(1 + 𝜀) + log 𝑛 < (1 + ) log 𝑛.
4
From (5.5.9), (5.5.10), and (5.5.11) we get
𝜀
(1 − 4 )(1 + 𝜀) 𝜀 𝑛
(5.5.12) 𝜋((1 + 𝜀)𝑛) − 𝜋(𝑛) > ( 𝜀 − (1 + )) .
1+ 4 log 𝑛
4
The coefficient of 𝑛/ log 𝑛 on the right-hand side of (5.5.12) is
𝜀 𝜀 2 𝜀 5𝜀
(1 − 4 )(1 + 𝜀) − (1 + 4 ) 4
(1 − 4
)
𝜀 = 𝜀 >0
1+ 4
1+ 4
(since we may assume 𝜀 < 4/5), hence (5.5.8) follows from (5.5.12).
We apply a proof by contradiction for (B): we assume that the interval
(𝑛, 𝑛 + (1 − 𝜀) log 𝑛) contains a prime for every 𝑛 > 𝑛0 for some given 𝜀 > 0 and
𝑛0 .
We fix a large integer 𝑁 and consider all primes between 𝑛0 and 𝑁: 𝑛0 < 𝑝𝑟 <
𝑝𝑟+1 < ⋯ < 𝑝 𝑘 ≤ 𝑁. Using our assumption, we obtain the inequalities
𝑝𝑟+1 < 𝑝𝑟 + (1 − 𝜀) log 𝑝𝑟
𝑝𝑟+2 < 𝑝𝑟+1 + (1 − 𝜀) log 𝑝𝑟+1
(5.5.13)
⋮
𝑝 𝑘+1 < 𝑝𝑘 + (1 − 𝜀) log 𝑝 𝑘 .
Summing the inequalities in (5.5.13), the terms 𝑝𝑟+1 , . . . , 𝑝 𝑘 get cancelled, and we
obtain
𝑘
(5.5.14) 𝑝 𝑘+1 < 𝑝𝑟 + (1 − 𝜀) ∑ log 𝑝𝑗 .
𝑗=𝑟

By the definition of 𝑝 𝑘 , we have 𝑝 𝑘+1 > 𝑁, thus to get a contradiction it is sufficient

to show that the right-hand side of (5.5.14) is less than 𝑁.
To achieve this, we estimate the right-hand side of (5.5.14) from above the follow-
ing way:
𝑘
(5.5.15) 𝑝𝑟 + (1 − 𝜀) ∑ log 𝑝𝑗 < 𝑝𝑟 + (1 − 𝜀)𝜋(𝑁) log 𝑁.
𝑗=𝑟

If 𝑁 is large enough, then

𝜀 𝑁
(5.5.16) 𝜋(𝑁) < (1 + )
4 log 𝑁
by the Prime Number Theorem and
𝜀𝑁
(5.5.17) 𝑝𝑟 <
4
 Exercises 5.5 139

if 𝑁 is large enough. Substituting (5.5.16) and (5.5.17) into (5.5.15), we obtain that the
right-hand side of (5.5.14) is less than
𝜀 𝜀 𝜀
((1 − 𝜀)(1 + ) + ) 𝑁 < (1 − )𝑁 < 𝑁,
4 4 2
yielding the desired contradiction. □

Exercises 5.5

1. Prove that 𝑛! is not a perfect power if 𝑛 > 1.

2. Verify that at least one of any two consecutive integers is representable as the sum
of distinct primes (we allow sums consisting of a single term).
3. Demonstrate that infinitely many primes have
(a) 1 as first digit
(b) 4 as the first thousand digits in decimal system.
4. Prove that neither of the following sums is an integer for 1 ≤ 𝑘 < 𝑛:
𝑛
1
(a) ∑
𝑗=1
𝑗
𝑛
1
(b) ∑ .
𝑗=𝑘
𝑗

5. Show that (2𝑛

𝑛
) is the largest among the binomial coefficients (2𝑛
𝑘
), 0 ≤ 𝑘 ≤ 2𝑛.
6. Give another proof for Theorem 5.5.2 on the following lines: Choose 2𝐾 primes
greater than 𝐾, 𝑝1 , . . . , 𝑝𝐾 , 𝑞1 , . . . , 𝑞𝐾 , and consider the system of simultaneous
congruences
𝑥 ≡ 𝑗 (mod 𝑝𝑗 ) , 𝑥 ≡ −𝑗 (mod 𝑞𝑗 ) , 𝑗 = 1, 2, . . . , 𝐾.
Show that the solutions contain (infinitely many) primes 𝑝 and they meet the re-
quirements of the theorem.
7. (a) Prove that (2𝑛
𝑛
) is divisible by exactly the first power of every prime 𝑛 + 1 ≤
𝑝 ≤ 2𝑛.
(b) Show that if 𝑝 > 3 is a prime and 2𝑛/5 < 𝑝 ≤ 𝑛/2, then (2𝑛
𝑛
) is not divisible by
𝑝. How can we generalize this observation?
8. Show that the proof of Chebyshev’s Theorem yields the following stronger result
(for 𝑛 ≥ 2): There are more than 𝑐𝑛/ log 𝑛 primes between 𝑛 and 2𝑛 where 𝑐 is a
suitable positive constant.
S 9. (a) Using (A) in Theorem 5.5.4, verify that there is a prime between any two suf-
ficiently large consecutive cubes.
 140 5. Prime Numbers

𝑛
* (b) Prove the existence of a real number 𝛼 > 1 such that ⌊𝛼3 ⌋ is a prime for every
positive integer 𝑛.
(c) Why can one not generate large primes practically with the formula in (b)?
10. Establish results similar to (B) in Theorem 5.5.5 using the following facts or meth-
ods instead of the Prime Number Theorem:
(a) Theorem 5.4.3
(b) the proof of Theorem 5.5.1
(c) the Remark after the proof of Theorem 5.5.1.
* 11. (Cf. with Remark 2 on twin primes in Section 5.1.) Prove that for any 𝜀 > 0 there
exist infinitely many positive integers 𝑛 satisfying 𝑝𝑛+1 − 𝑝𝑛 < (1 + 𝜀) log 𝑛. (As
usual, 𝑝𝑛 denotes the 𝑛th prime.)

5.6. The Sum of Reciprocals of Primes

In this section we prove that the infinite series of the reciprocals of primes is divergent.
This means that the reciprocals of primes decrease slowly, i.e. the primes themselves
grow slowly, so they occur fairly densely among the positive integers. As a comparison,
the infinite series of the reciprocals of squares converges, i.e. the squares form a rare
subsequence of the natural numbers (cf. with Remark 2 after Theorem 5.4.1).
We present three proofs for the divergence of the sum of reciprocals of primes.
The first one shows that this follows from the Prime Number Theorem (or even from
the weaker Theorem 5.4.3). The second one is an ingenious proof by contradiction of
Erdős. The third one is due to Euler who was the first to state and prove this theorem.
Finally, we show that the sum of reciprocals of primes not exceeding 𝑥 can be
approximated extremely well by the function log log 𝑥.
Theorem 5.6.1. The infinite series of the reciprocals of primes diverges, i.e.
1
∑ = ∞. ♣
𝑝
𝑝

First proof. We have to show

𝑛
1
(5.6.1) lim ∑ = ∞,
𝑛→∞ 𝑝
𝑗=1 𝑗

where 𝑝𝑗 denotes the 𝑗th prime.

By Theorem 5.4.2 (or Exercise 5.4.3), there exist 𝑐 and 𝑛0 such that 𝑝𝑗 < 𝑐𝑗 log 𝑗
for every 𝑗 ≥ 𝑛0 . Hence
𝑛 𝑛
1 1 1
(5.6.2) ∑ > ∑ .
𝑝
𝑗=1 𝑗
𝑐 𝑗=𝑛
𝑗 log 𝑗
0

For every integer 𝑛0 ≤ 𝑗 ≤ 𝑛, we draw a rectangle so that its base is the segment
[𝑗, 𝑗 + 1] on the 𝑥-axis, and its height is 1/(𝑗 log 𝑗). Then the sum of the areas of the
rectangles is just the sum on the right-hand side of (5.6.2) (without the multiplier 1/𝑐).
5.6. The Sum of Reciprocals of Primes 141

As the function 1/(𝑥 log 𝑥) is strictly decreasing for 𝑥 > 1, in the interval [𝑛0 , 𝑛+1],
its graph lies in the region formed by the rectangles. Hence, the area below the graph
of the function is less than the total area of the rectangles, i.e.
𝑛 𝑛+1
1 𝑑𝑥
(5.6.3) ∑ >∫ .
𝑗=𝑛0
𝑗 log 𝑗 𝑛
𝑥 log 𝑥
0

Computing the integral on the right-hand side of (5.6.3), we obtain

𝑛+1
𝑑𝑥 𝑛+1
(5.6.4) ∫ = [log log 𝑥]𝑛 = log log(𝑛 + 1) − log log 𝑛0 .
𝑛0
𝑥 log 𝑥 0

Combining (5.6.2), (5.6.3), and (5.6.4), we get

𝑛
1 1
(5.6.5) ∑ > (log log(𝑛 + 1) − log log 𝑛0 ).
𝑗=1
𝑝𝑗 𝑐

Since
lim log log 𝑛 = ∞,
𝑛→∞

the right-hand side in (5.6.5) tends to infinity if 𝑛 → ∞. But then the same holds also
for the left-hand side, so (5.6.1) is true. □

Remark: The proof yields

1
(5.6.5a) ∑ > 𝑐′ log log 𝑛.
𝑝≤𝑛
𝑝

with a suitable positive constant 𝑐′ if 𝑛 is large enough. We can show similarly that
1
∑ < 𝑐″ log log 𝑛.
𝑝≤𝑛
𝑝

A slightly more refined use of the Prime Number Theorem (or equivalently, of Theo-
rem 5.4.2) gives
1
∑ ∼ log log 𝑛.
𝑝≤𝑛
𝑝

Much sharper estimates will be obtained in Theorem 5.6.2 (without relying on the
Prime Number Theorem). Even (5.6.13) in our third proof of Theorem 5.6.1 is much
better than (5.6.5a).

Second proof. For a proof by contradiction, assume that the sum of reciprocals of
primes converges. Then
∞
1 1
(5.6.6) ∑ <
𝑗=𝑘+1
𝑝𝑗 2

for some 𝑘. We fix 𝑘, and divide the positive integers into two groups: the first group
consists of the numbers with a prime divisor greater than 𝑝 𝑘 , and the second group is
formed by the numbers with all prime divisors less than or equal to 𝑝 𝑘 .
142 5. Prime Numbers

Let 𝑁 be a (large) natural number, and consider the set 𝐻 = {1, 2, . . . , 𝑁}. We show
that each of the two groups contains less than the half of the elements in 𝐻 for 𝑁 large
enough, which is a contradiction.
𝑁
We start with the first group. There are ⌊ 𝑝 ⌋ elements in 𝐻 divisible by a prime 𝑝.
This yields the following upper bound for the size of the first group:
∞
𝑁 𝑁 1 𝑁
∑ ⌊ ⌋≤ ∑ <𝑁 ∑ <
𝑝𝑘 <𝑝≤𝑁
𝑝 𝑝 <𝑝≤𝑁
𝑝 𝑝
𝑗=𝑘+1 𝑗
2
𝑘

(we used (5.6.6) in the last step). This means that fewer than half of the elements in 𝐻
belong to the first group.
To investigate the second group, we shall use the fact that every positive integer
has a (unique) representation as a product of a square and a squarefree number. This
is a direct consequence of unique prime factorization: separating the even and odd
exponents in the standard form of 𝑛,
2𝛽1 2𝛽 2𝛽 +1 2𝛽𝑠 +1
𝑛 = 𝑞1 . . . 𝑞𝑟 𝑟 𝑞𝑟+1𝑟+1 . . . 𝑞𝑠
(𝑟 = 0 or 𝑟 = 𝑠 may occur), we obtain the required representation as
2
𝛽 𝛽 𝑟+1 𝛽 𝛽
𝑛 = (𝑞1 1 . . . 𝑞𝑟 𝑟 𝑞𝑟+1 . . . 𝑞𝑠 𝑠 ) ⋅ (𝑞𝑟+1 . . . 𝑞𝑠 ).

We write the elements of the second group in 𝐻 in the form 𝑎2 𝑏 where 𝑏 is squarefree.
Then 1 ≤ 𝑎 ≤ ⌊√𝑁⌋, and 𝑏 is the product of some of the primes 𝑝1 , . . . , 𝑝 𝑘 (possibly of
all of them, or 𝑏 can be also the empty product when 𝑏 = 1).
Hence, 𝑎2 can assume ⌊√𝑁⌋ values, and 𝑏 can be chosen in 2𝑘 ways (this is the
number of subsets in the set {𝑝1 , . . . , 𝑝 𝑘 }). Thus there are at most √𝑁 ⋅ 2𝑘 such products
𝑎2 𝑏. Since 𝑘 is fixed, 2𝑘 < √𝑁/2 for 𝑁 large enough, so √𝑁 ⋅ 2𝑘 < 𝑁/2. This proves
that fewer than half of the elements in 𝐻 belong to the second group. □

Third proof. We shall use the following theorems from analysis:

𝑛 1
(i) ∑𝑗=1 𝑗
> log 𝑛
∞ 1
(ii) ∑𝑗=1 𝑗2
<2
1 𝑥2 𝑥3 1
(iii) log 1−𝑥 = 𝑥 + 2
+ 3
+ . . . ≤ 𝑥 + 𝑥2 if 0 ≤ 𝑥 ≤ 2 .
To prove our theorem, we consider the product
1 1 1
𝐴𝑛 = ∏ (1 + + + ⋯ + 𝜈𝑝 ) ,
𝑝≤𝑛
𝑝 𝑝2 𝑝

where 𝑛 > 1 is an integer and

𝑝𝜈𝑝 ≤ 𝑛 < 𝑝𝜈𝑝 +1 , so 𝜈𝑝 = ⌊log𝑝 𝑛⌋.
We claim that
𝑛
1
(5.6.7) 𝐴𝑛 ≥ ∑ .
𝑗=1
𝑗
5.6. The Sum of Reciprocals of Primes 143

To illustrate the idea, we consider first 𝑛 = 10, and write the factors of 𝐴10 in detail:
1 1 1 1 1 1 1
𝐴10 = (1 + + 2 + 3 ) (1 + + 2 ) (1 + ) (1 + ) .
2 2 2 3 3 5 7
For 𝑗 ≤ 10, the standard form of 𝑗 may contain only the primes 2, 3, 5, and 7 with
an exponent not greater than the ones in the corresponding factors of 𝐴10 . Therefore
𝑗 ≤ 10 is a (unique) product of these prime powers. This means that performing the
multiplication in 𝐴10 , we shall obtain the reciprocals of all integers 𝑗 ≤ 10 (and of some
10
others, too), thus 𝐴10 ≥ ∑𝑗=1 1/𝑗.
Applying the same argument for any 𝑛 instead of 10, we obtain (5.6.7). Using (i),
we infer
(5.6.8) 𝐴𝑛 > log 𝑛.
Now we establish an upper bound for 𝐴𝑛 . The summation of the geometric series in
the factors of 𝐴𝑛 gives
1 𝜈𝑝 +1
1 − (𝑝) 1
(5.6.9) 𝐴𝑛 = ∏ 1 <∏ 1 .
𝑝≤𝑛 1− 𝑝 𝑝≤𝑛 1− 𝑝

By (5.6.8) and (5.6.9), we have

1
(5.6.10) log 𝑛 < ∏ 1 .
𝑝≤𝑛 1− 𝑝

Taking the logarithm of (5.6.10), we get

1
(5.6.11) log log 𝑛 < ∑ log 1 .
𝑝≤𝑛 1− 𝑝

We estimate the right-hand side of (5.6.11) by (iii):

1 1
(5.6.12) log log 𝑛 < ∑ + ∑ 2 .
𝑝≤𝑛
𝑝 𝑝≤𝑛
𝑝

Finally, the second sum on the right-hand side of (5.6.12) is less than 2 by (ii), hence
1
(5.6.13) ∑ > log log 𝑛 − 2,
𝑝≤𝑛
𝑝

which implies the theorem. □

We observe from the third proof that the sum of reciprocals of primes not greater
than 𝑛 cannot be much less than log log 𝑛 (see (5.6.13)). We sharpen this result by
showing that the difference of this sum of reciprocals and of log log 𝑛 is bounded:
Theorem 5.6.2. There exists a constant 𝑐 such that
1
(5.6.14) | ∑ − log log 𝑛| < 𝑐
𝑝≤𝑛
𝑝

holds for every integer 𝑛 ≥ 3. ♣

Proof. We shall need an estimate for the sum ∑𝑝≤𝑛 (log 𝑝)/𝑝.
144 5. Prime Numbers

Theorem 5.6.3. There exists a constant 𝑐′ such that

log 𝑝
(5.6.15) |∑ − log 𝑛| < 𝑐′
𝑝≤𝑛
𝑝

holds for every integer 𝑛 ≥ 2. ♣

Proof. We take the logarithm of the standard form of 𝑛! (see Theorem 1.6.8):
𝑛 𝑛 𝑛
(5.6.16) log 𝑛! = ∑ log 𝑝 (⌊ ⌋ + ⌊ 2 ⌋ + ⌊ 3 ⌋ + . . . ) .
𝑝≤𝑛
𝑝 𝑝 𝑝

We shall show that the left-hand side of (5.6.16) is about 𝑛 log 𝑛, and we can omit
the floor in the multiplier of log 𝑝 on the right-hand side and only the first term counts,
i.e. the right-hand side is about 𝑛 ∑𝑝≤𝑛 (log 𝑝)/𝑝. Then dividing by 𝑛, we get (5.6.15).
Let us see the details. To estimate log 𝑛! on the left-hand side of (5.6.16), we use
𝑛 𝑛
( ) < 𝑛! < 𝑛𝑛
𝑒
for 𝑛 ≥ 2. The upper bound is obvious, and the lower bound can be easily verified by
induction. Taking the logarithm, we obtain
(5.6.17) 𝑛(log 𝑛 − 1) < log 𝑛! < 𝑛 log 𝑛.
2
The sum ⌊𝑛/𝑝⌋ + ⌊𝑛/𝑝 ⌋ + . . . can be estimated as follows:
𝑛 𝑛 𝑛 𝑛 𝑛 𝑛 𝑛
(5.6.18) − 1 < ⌊ ⌋ + ⌊ 2⌋ + ⋯ < + 2 + ⋯ = + .
𝑝 𝑝 𝑝 𝑝 𝑝 𝑝 𝑝(𝑝 − 1)
Denoting the right-hand side of (5.6.16) by 𝐽, we get the following bounds from (5.6.18):
log 𝑝 log 𝑝 log 𝑝
(5.6.19) 𝑛∑ − ∑ log 𝑝 < 𝐽 < 𝑛 ∑ +𝑛 ∑ .
𝑝≤𝑛
𝑝 𝑝≤𝑛 𝑝≤𝑛
𝑝 𝑝≤𝑛
𝑝(𝑝 − 1)

By Lemma 5.4.5,
(5.6.20) ∑ log 𝑝 = log ∏ 𝑝 < log 4𝑛 = 𝑛 log 4,
𝑝≤𝑛 𝑝≤𝑛

further
∞
log 𝑝 log 𝑘
(5.6.21) ∑ < ∑ ,
𝑝≤𝑛
𝑝(𝑝 − 1) 𝑘=2 𝑘(𝑘 − 1)

where the infinite series on the right-hand side of (5.6.21) is convergent and it can be
shown that its sum is less than 4. Using (5.6.20) and (5.6.21), we infer from (5.6.19)
that
|𝐽 |
(5.6.22) | − ∑ log 𝑝 | < 4.
|𝑛 𝑝 ||
| 𝑝≤𝑛

At the same time, 𝐽 = log 𝑛! by (5.6.16), hence (5.6.17) implies

(5.6.23) || 𝐽 − log 𝑛|| < 1.

|𝑛 |
Finally, (5.6.22) and (5.6.23) guarantee (5.6.15) (with 𝑐′ = 5). □
5.6. The Sum of Reciprocals of Primes 145

Turning to the proof of Theorem 5.6.2, it is more convenient to extend Theorem

5.6.3 from the integers to every real number 𝑥 ≥ 2. Observe that
log 𝑝 log 𝑝 𝑥 3
∑ = ∑ and |log 𝑥 − log⌊𝑥⌋| = log < log ,
𝑝≤𝑥
𝑝 𝑝≤⌊𝑥⌋
𝑝 ⌊𝑥⌋ 2

thus (5.6.15) implies

log 𝑝 log 𝑝 3
|∑ − log 𝑥| ≤ | ∑ − log⌊𝑥⌋| + |log⌊𝑥⌋ − log 𝑥| < 𝑐′ + log .
𝑝≤𝑥
𝑝 𝑝≤⌊𝑥⌋
𝑝 2

Thus we verified that

log 𝑝
(5.6.24) |∑ − log 𝑥| < 6
𝑝≤𝑥
𝑝

holds for every real number 𝑥 ≥ 2.

We define the following functions for every real number 𝑥 ≥ 2:
log 𝑝 1
(5.6.25) 𝑓(𝑥) = ∑ , 𝑔(𝑥) = , and ℎ(𝑥) = 𝑓(𝑥) − log 𝑥.
𝑝≤𝑥
𝑝 log 𝑥

Then 𝑓(2)𝑔(2) = 1/2, and for any integer 𝑘 ≥ 3 we have

1
, if 𝑘 is a prime
(𝑓(𝑘) − 𝑓(𝑘 − 1))𝑔(𝑘) = { 𝑘
0, if 𝑘 is not a prime.

This implies
𝑛
1
(5.6.26) ∑ = 𝑓(2)𝑔(2) + ∑ (𝑓(𝑘) − 𝑓(𝑘 − 1))𝑔(𝑘)
𝑝≤𝑛
𝑝 𝑘=3

for every integer 𝑛 ≥ 3. Rewriting the right-hand side of (5.6.26) by Abel’s partial
summation, we obtain
1
∑ =𝑓(2)(𝑔(2) − 𝑔(3)) + 𝑓(3)(𝑔(3) − 𝑔(4)) + . . .
𝑝
(5.6.27) 𝑝≤𝑛

⋯ + 𝑓(𝑛 − 1)(𝑔(𝑛 − 1) − 𝑔(𝑛)) + 𝑓(𝑛)𝑔(𝑛).

We show that a general term on the right-hand side of (5.6.27) (except the last one)
can be transformed into
𝑘+1
(5.6.28) 𝑓(𝑘)(𝑔(𝑘) − 𝑔(𝑘 + 1)) = − ∫ 𝑓(𝑡)𝑔′ (𝑡) 𝑑𝑡.
𝑘

Indeed, the function 𝑓(𝑡) assumes the constant value 𝑓(𝑘) on the interval [𝑘, 𝑘 + 1)
(closed from the left and open from the right), further
𝑘+1
∫ 𝑔′ (𝑡) 𝑑𝑡 = 𝑔(𝑘 + 1) − 𝑔(𝑘)
𝑘

by the Newton–Leibniz law.

146 5. Prime Numbers

Combining (5.6.27) and (5.6.28), we get

𝑛
1
(5.6.29) ∑ = 𝑓(𝑛)𝑔(𝑛) − ∫ 𝑓(𝑡)𝑔′ (𝑡) 𝑑𝑡.
𝑝≤𝑛
𝑝 2

Now we compute the integral on the right-hand side of (5.6.29). Using

′
1 −1
𝑓(𝑡) = log 𝑡 + ℎ(𝑡) and 𝑔′ (𝑡) = ( ) =
log 𝑡 𝑡(log 𝑡)2
we have
𝑛 𝑛 𝑛
𝑑𝑡 ℎ(𝑡) 𝑑𝑡
(5.6.30) − ∫ 𝑓(𝑡)𝑔′ (𝑡) 𝑑𝑡 = ∫ +∫ .
2 2
𝑡 log 𝑡 2
𝑡(log 𝑡)2

The first integral on the right-hand side of (5.6.30) is

𝑛
𝑑𝑡 𝑛
(5.6.31) ∫ = [log log 𝑡]2 = log log 𝑛 − log log 2.
2
𝑡 log 𝑡

To estimate the second integral on the right-hand side of (5.6.30), we rely on |ℎ(𝑡)| < 6
(which follows from (5.6.24) and (5.6.25)):

| 𝑛 ℎ(𝑡) 𝑑𝑡 | 𝑛
𝑑𝑡 −1
𝑛
6 6
(5.6.32) |∫ | < 6 ∫ = 6 [ ] = − .
| 2 𝑡(log 𝑡)2 | 2
𝑡(log 𝑡) 2 log 𝑡 2 log 2 log 𝑛

Substituting (5.6.32) and (5.6.31) into (5.6.30), we obtain

𝑛
(5.6.33) − ∫ 𝑓(𝑡)𝑔′ (𝑡) 𝑑𝑡 = log log 𝑛 + 𝑠(𝑛), where 𝑠(𝑛) is bounded.
2

Now we verify that the product 𝑓(𝑛)𝑔(𝑛) on the right-hand side of (5.6.29) is
bounded:
| log 𝑛 + ℎ(𝑛) | | ℎ(𝑛) |
(5.6.34) |𝑓(𝑛)𝑔(𝑛)| = | | = |1 + | < 1 + 6 = 7.
| log 𝑛 | | log 𝑛 |

Finally, combining (5.6.29), (5.6.33), and (5.6.34), we obtain the statement of The-
orem 5.6.2. □

Remark: Repeating the estimate in (5.6.32) for the interval [𝑛, 𝑁] instead of [2, 𝑛], it
turns out that the second integral on the right-hand side of (5.6.30) has a limit as 𝑛 →
∞, and the difference between the integral and the limit is at most 6/ log 𝑛 in absolute
value. The same is obvious for 𝑓(𝑛)𝑔(𝑛). This proves that with suitable constants 𝑐 1
and 𝑐 2 ,
| ∑ 1 − log log 𝑛 − 𝑐 | ≤ 𝑐 2
| 𝑝 1|
log 𝑛
𝑝≤𝑛

is valid for every integer 𝑛 ≥ 3.

 Exercises 5.6 147

Exercises 5.6

S 1. Let 𝐿 be a fixed positive integer. Consider the following sequences of positive inte-
gers and determine whether the series of the reciprocals of their elements converge
or diverge:
(a) the multiples of 𝐿
(b) the perfect powers
(c) the squarefree numbers
(d) the integers with no prime divisor greater than 𝐿
(e) the integers with no prime divisors less than 𝐿
(f) the squareful numbers, i.e. the ones where no prime has exponent 1 in the
standard form.
Examine in each case except for (c), about how many elements are in the sequence
up to some large 𝑛; more precisely, find asymptotics or good estimates for the
counting function 𝑈(𝑛) = ∑ᵆ ≤𝑛 1 of the sequence 𝑈 = {𝑢1 < 𝑢2 < . . . }. (For
𝑖
the squarefree numbers see Exercise 6.7.2.)
2. Using the integral criterion seen in the first proof of Theorem 5.6.1, determine
whether the following infinite series converge or diverge:
∞
1
(a) ∑ 1.01
𝑛=1
𝑛
∞
1
(b) ∑
𝑛=2
𝑛(log 𝑛)2
∞
1
(c) ∑ .
𝑛=2
𝑛 ⋅ log 𝑛 ⋅ log log 𝑛
3. In the infinite series below, the summation is over all primes. Investigate the ques-
tion of convergence or divergence:
1
(a) ∑
𝑝
𝑝 log 𝑝
1
(b) ∑ .
𝑝
𝑝 log log 𝑝

4. Consider sequences 𝑎1 < 𝑎2 < . . . of positive integers with the properties below.
What can be asserted about the convergence/divergence of the infinite series of
the reciprocals of their elements? (Possible answers: always convergent—always
divergent—can be convergent, but can be divergent, as well.)
(a) The elements 𝑎𝑛 are pairwise coprime composite numbers.
(b) The sum of exponents of primes in the standard form of 𝑎𝑛 is at least 2 log 𝑛
for every 𝑛.
(c) 𝑎𝑛+1 − 𝑎𝑛 < 101000 for every 𝑛.
 148 5. Prime Numbers

(d) 𝑎𝑛+1 /𝑎𝑛 < 1.00001 for every 𝑛.

(e) No two 𝑎𝑛 have the same number of divisors.
∞
5. If ∑𝑛=1 1/𝑎𝑛 < ∞ for the sequence 𝐴 = {𝑎1 < 𝑎2 < . . . } of positive integers, this
means that 𝐴 is a rare subsequence of the natural numbers. Is it worth refining the
∞
notion of rarity according to the value of ∑𝑛=1 1/𝑎𝑛 ?
S 6. The Riemann zeta function is defined as
∞
1
(5.6.35) 𝜁(𝑠) = ∑ 𝑠
𝑛=1
𝑛

for any real number 𝑠 > 1. It is well known (or can be proven similarly to Exer-
cise 5.6.2a) that the infinite series on the right-hand side of (5.6.35) converges for
𝑠 > 1. E.g. 𝜁(2) = 𝜋2 /6.
Now we define an infinite product (𝑝 ranges over the primes):
1 1
(5.6.36) ∏ 1 = lim ∏ 1 .
𝑝 1− 𝑝𝑠
𝑛→∞
𝑝≤𝑛 1− 𝑝𝑠

Verify for 𝑠 > 1 that the limit on the right-hand side of (5.6.36) exists and is equal
to 𝜁(𝑠).
7. Let 0 < 𝑎𝑗 < 1, 𝑗 = 1, 2, . . . , and define the infinite product
∞ 𝑛
∏(1 − 𝑎𝑗 ) = lim ∏(1 − 𝑎𝑗 ).
𝑛→∞
𝑗=1 𝑗=1

Prove
∞ ∞
∑ 𝑎𝑗 = ∞ ⟺ ∏(1 − 𝑎𝑗 ) = 0.
𝑗=1 𝑗=1

Remark: In general, an infinite product (with no zero elements) is called conver-

gent, if its partial products tend to a finite limit different from 0.
* 8. In the third proof of Theorem 5.6.1 we demonstrated
1
log 𝑛 < ∏ 1
𝑝≤𝑛 1− 𝑝

(see formula (5.6.10)). In the other direction, exhibit the following lower bound:
There exists a constant 𝑐 such that
1
𝑐 log 𝑛 > ∏ 1
𝑝≤𝑛 1 − 𝑝

for every 𝑛 ≥ 2.
9. For 𝑛 > 1, let 𝑝(𝑛) and 𝑃(𝑛) denote the smallest and largest prime divisor of 𝑛.
Determine whether the following infinite series converge or diverge:
∞
1
(a) ∑
𝑛=2
𝑛𝑝(𝑛)
5.7. Primality Tests 149

∞
1
** (b) ∑ .
𝑛=2
𝑛𝑃(𝑛)
10. Give a new proof for Exercise 5.3.5 based on the following observation: If writing
positive integers 𝑎1 < 𝑎2 < . . . one after the other following the decimal point, the
∞
resulting decimal fraction is rational, then ∑𝑖=1 1/𝑎𝑖 < ∞.

5.7. Primality Tests

Is it easy to find the prime factorization of an integer? Seemingly yes since we just
have to check whether it is divisible by 2, 3, 5, etc. If we find a (prime) divisor, then we
continue by factoring the quotient. And if there was no divisor up to the square root of
the number, then it must be a prime (see Exercise 1.4.7a).
This way we can factor e.g. 143(= 11 ⋅ 13), or can show that 197 is a prime (it is not
divisible by any prime up to 13).
For large numbers we cannot manage to just try the primes as potential divisors
since we do not have a list of them. We do not have to try all numbers, of course: we
divide our number in question repeatedly by 2 till we get an odd number, and then we
can restrict ourselves to divisibility by odd numbers. An improved version of this idea
is when besides 2 we do the same with the powers of (say) 3 and 5, and then look only
for divisors coprime to 30.
For really big numbers, however, trial division is absolutely useless: the time to
perform the huge amount of trial divisions would require many billions of years even
for the fastest computers. And the same holds for the improved versions of the method
or for other factorization algorithms invented so far; they are all hopeless from a practi-
cal point of view: A composite number with 500 digits with no special property cannot
be factored in the lifetime of Earth according to our present knowledge. (This might
change in the future if quantum computers can be implemented effectively.)
At the same time, there are algorithms that can decide quickly (with absolute or
nearly absolute certainty) whether a given large number is prime or composite (but
cannot find factors in the latter case). These procedures are called primality tests.
The existence of quick primality tests seems to be very surprising at first hearing,
especially compared to the task of detecting a non-trivial divisor which is harder than
finding a needle in a haystack. These algorithms, however, instead of looking for divi-
sors, check some quickly verifiable properties where the primes pass the test, but the
composite numbers practically fail on it. (Here “practically” means that most methods
run a minimal risk of error by allowing the possibility of some very rare exceptions.)
We have already proved primality tests for some special types of integers: see The-
orems 5.2.2 and 5.2.4 for the tests of Fermat and Mersenne numbers.
Before discussing general primality tests, we show that there exist quick algorithms
to solve some basic problems in number theory.
Theorem 5.7.1. Let 𝑎, 𝑏, 𝑐, and 𝑚 be integers where 𝑏 > 1 and 𝑚 > 0. Then we can
compute
I the remainder of 𝑎𝑏 modulo 𝑚
150 5. Prime Numbers

II the gcd of 𝑎 and 𝑏

𝑎
III the Jacobi symbol ( 𝑏 ) ( for 𝑏 odd and (𝑎, 𝑏) = 1)

IV the solutions of the linear Diophantine equation 𝑎𝑥 + 𝑏𝑦 = 𝑐 and

V the solutions of the linear congruence 𝑎𝑥 ≡ 𝑐 (mod 𝑏)

in at most 5 log2 𝑏 steps, where a step is an addition, subtraction, multiplication, or a
division algorithm of two integers. ♣

Thus, considering a large 𝑏 with 500 digits, these computations can be executed in

5 log2 𝑏 ≈ 2500 log2 10 < 9000

steps at most. They can be performed in a split second by a fast computer and the
procedures can even be speeded up and automated by a more efficient organization.

Proof. I. The remainder of 𝑎𝑏 modulo 𝑚 can be computed by repeated squarings and

reducing the result modulo 𝑚 after each step. (This method occurred in the Example
of Section 3.2 when we determined the residue of 1329 modulo 59, and in the test of the
Fermat numbers, see the remarks after the proof of Theorem 5.2.2.)
We write the exponent 𝑏 in binary system:

𝑏 = 2𝑖1 + 2𝑖2 + ⋯ + 2𝑖𝑠 , where 0 ≤ 𝑖1 < 𝑖2 < ⋯ < 𝑖𝑠 ≤ 𝑡 = ⌊log2 𝑏⌋.

Probably 𝑏 is stored in the computer in this form, but if necessary, the conversion from
another base can be done in not more than log2 𝑏 steps, since we obtain the digits from
a sequence of division algorithms, by Theorem 1.2.2.
Then we compute the remainder of
𝑡
𝑎2 , 𝑎 4 , 𝑎 8 , . . . , 𝑎 2

modulo 𝑚 by repeated squarings (and reducing always mod 𝑚). Finally,

𝑖 𝑖 𝑖
𝑎𝑏 = 𝑎2 1 𝑎2 2 . . . 𝑎2 𝑠

yields the desired residue.

For example, to determine 51000 modulo 𝑚, we compute first the remainders of

52 , 54 , 58 , . . . , 5512

modulo 𝑚, and then multiply the relevant ones (reducing modulo 𝑚 in each step):

51000 = 58 ⋅ 532 ⋅ 564 ⋅ 5128 ⋅ 5256 ⋅ 5512 .

To determine the remainder of 𝑎𝑏 modulo 𝑚, we do 𝑡 squarings and not more than 𝑡

further multiplications (and reductions modulo 𝑚). This requires at most 2𝑡 ≤ 2 log2 𝑏
multiplications and reductions, i.e. division algorithms. Counting the representation
of 𝑏 in the binary system, we needed altogether at most 5 log2 𝑏 steps (multiplications
or division algorithms) to get the remainder of 𝑎𝑏 modulo 𝑚.
5.7. Primality Tests 151

II. To compute a greatest common divisor, we apply the Euclidean algorithm with
remainders of least absolute value (i.e. allowing also negative remainders, but the ab-
solute value of a remainder is at most the half of the absolute value of the divisor, see
Theorem 1.2.1A):
𝑏
𝑎 = 𝑏𝑞1 + 𝑟1 where |𝑟1 | ≤
2
|𝑟1 | 𝑏
𝑏 = 𝑟1 𝑞2 + 𝑟2 where |𝑟2 | ≤ ≤
2 4
|𝑟2 | 𝑏
𝑟1 = 𝑟2 𝑞3 + 𝑟3 where |𝑟3 | ≤ ≤
2 8
⋮
|𝑟𝑛−1 | 𝑏
𝑟𝑛−2 = 𝑟𝑛−1 𝑞𝑛 + 𝑟𝑛 where |𝑟𝑛 | ≤ ≤ 𝑛
2 2
𝑟𝑛−1 = 𝑟𝑛 𝑞𝑛+1 (𝑟𝑛+1 = 0).

The Euclidean algorithm consists of 𝑛 + 1 steps in this case. Since

𝑏
1 ≤ |𝑟𝑛 | ≤ ,
2𝑛
therefore

2𝑛 ≤ 𝑏 or 𝑛 ≤ log2 𝑏.
This shows that the Euclidean algorithm requires 1 + log2 𝑏 steps at most (where each
step is a division algorithm).
We note that also the usual Euclidean algorithm with least non-negative residues
terminates in at most a constant times log 𝑏 steps, see Exercise 5.7.1.
III. By Theorem 4.3.2, we can compute a Jacobi symbol by the repeated application
of detaching the powers of two in the numerator (we call, in a mild abuse of language,
the top and bottom of Jacobi and Legendre symbols the numerator and the denomina-
tor) and using the law of reciprocity (which is just a variant of the Euclidean algorithm,
as in the Example after Theorem 4.3.2).
𝑎
Let us see the details. To compute ( 𝑏 ), we first perform the division algorithm of
𝑎 by 𝑏, and have
𝑎 𝑟 𝑏
( ) = ( ), where |𝑟| < .
𝑏 𝑏 2
−1
If necessary, we can achieve 𝑟 > 0 with the help of ( 𝑏 ). If 𝑟 is even, then we can halve
the numerator by separating a factor of 2. If 𝑟 is odd, then using the law of reciprocity,
𝑟 gets transferred into the denominator, and the new numerator is the remainder 𝑠 of 𝑏
when divided by 𝑟. Thus |𝑠| < 𝑟/2, and we can achieve 𝑠 > 0 now, as well. This means
that the numerator gets halved in each step, so no more than log2 𝑏 steps occur. To
−1 2
compute ( 𝑣 ) and ( 𝑣 ) we need the modulo 4 and modulo 8 residues of 𝑣, which can
be obtained by a division algorithm or can be seen directly from the two or three last
digits in the binary representation of 𝑣. It is likewise simple to check the parity for the
numerator and to halve it if it is even.
152 5. Prime Numbers

𝑎
The Jacobi symbol ( 𝑏 ) makes sense only for odd 𝑏 > 1 and (𝑎, 𝑏) = 1. This latter
condition can be checked in advance by the Euclidean algorithm, but there is no need
for that: If (𝑎, 𝑏) = 𝑑 > 1, then applying the procedure, we shall run into a situation
where the numerator is 𝑑, and the denominator is a multiple of 𝑑 (see Exercise 5.7.2).
𝑎
Thus we get stuck, and the Jacobi symbol ( 𝑏 ) does not exist. (This cannot occur for
±1 ±2
(𝑎, 𝑏) = 1 because the last step is to compute a Jacobi symbol ( 𝑣
) or ( 𝑣
).)
IV–V. We saw in Section 2.5 that the two tasks are equivalent. Further, by The-
orems 1.3.6 and 1.3.5 (or 7.1.1), we can find the solutions of a Diophantine equation
𝑎𝑥 + 𝑏𝑦 = 𝑐 from the Euclidean algorithm, which gives the desired bound for the
number of steps. □

Now we turn to the discussion of primality tests. The simplest general test is a
direct consequence of Fermat’s Little Theorem:
If 2𝑛−1 ≢ 1 (mod 𝑛) for some 𝑛 > 2, then 𝑛 is composite.
This condition can be checked quickly, by Theorem 5.7.1. But what can we say
about 𝑛 if 2𝑛−1 ≡ 1 (mod 𝑛)? Unfortunately, we cannot be absolutely certain that 𝑛 is
a prime, since infinitely many composite 𝑛 satisfy 2𝑛−1 ≡ 1 (mod 𝑛), as well. They are
called pseudoprimes of base 2 (the smallest one is 341).
It can be shown, however, that the pseudoprimes of base 2 occur very rarely com-
pared to the primes: the ratio of the number of pseudoprimes up to 𝑥 and 𝜋(𝑥) tends
(very strongly) to 0 when 𝑥 → ∞. (As an illustration, up to 1010 there are 14887 pseu-
doprimes of base 2 and 455052511 primes, their ratio is roughly one to thirty thousand.)
Thus if a large number 𝑛 satisfies 2𝑛−1 ≡ 1 (mod 𝑛), then we can declare that 𝑛 is
a prime with very high probability. This assertion means that if we execute the test for
many random integers 𝑛, then it will happen only very rarely (practically never) that
the remainder of 2𝑛−1 is 1, but 𝑛 is composite.
We summarize the above in a theorem.
Theorem 5.7.2. Let 𝑛 > 2. If 2𝑛−1 ≢ 1 (mod 𝑛), then 𝑛 is necessarily composite. If
2𝑛−1 ≡ 1 (mod 𝑛), then it is nearly sure that 𝑛 is a prime. ♣

The condition can be checked quickly if we compute the power by repeated squar-
ings. We can improve the test by checking the residue of 𝑎𝑛−1 modulo 𝑛 not just for
𝑎 = 2, but for (say) all primes less than 1000: if the residue is different from 1 for at
least one 𝑎 (and 𝑛 > 1000), then 𝑛 must be composite by Fermat’s Little Theorem. It is
even more efficient, if 𝑎 is chosen randomly from the numbers not divisible by 𝑛 (see
Exercise 5.7.13).
If 𝑎𝑛−1 ≡ 1 (mod 𝑛) for every tested 𝑎, then 𝑛 is even more probably prime, but
we can still not be absolutely sure because there exist composite numbers 𝑛 satisfying
𝑎𝑛−1 ≡ 1 (mod 𝑛) for every (𝑎, 𝑛) = 1. For example, 1729 has this property (see Exer-
cise 2.4.15c). These integers are called universal pseudoprimes or Carmichael numbers.
We summarize the types of pseudoprimes in the following definition:
Definition 5.7.3. If a composite integer 𝑛 satisfies 𝑎𝑛−1 ≡ 1 (mod 𝑛), then 𝑛 is a
pseudoprime of base 𝑎.
5.7. Primality Tests 153

If a composite integer 𝑛 satisfies the above congruence for every (𝑎, 𝑛) = 1, then 𝑛
is a universal pseudoprime or Carmichael number. ♣

For some equivalent characterizations of Carmichael numbers see Exercise 5.7.7.

It has long been known that there are infinitely many pseudoprimes for any base
𝑎 > 1 (see Exercise 5.7.5). In 1992 it was proved that the same holds for the universal
pseudoprimes.
We present now two primality tests that detect also the pseudoprimes. Both use
random numbers in the following sense: we consider a large but finite set of integers,
and select elements one after the other so that all numbers occur with the same prob-
ability (like drawing balls from a box). For example, to generate a random number of
2000 binary digits, we write 1 as a first digit and determine the other digits by tossing
a coin 1999 times. Of course, it is the computer who tosses the coin, or rather, it uses
some pseudorandom number generator that produces a pseudorandom sequence of
integers that is very similar to a truly random sequence.
Theorem 5.7.4 (Solovay–Strassen primality test). (A) Let 𝑛 > 1 be an odd integer and
consider the congruence
𝑛−1 𝑎
(5.7.1) 𝑎 2 ≡ ( ) (mod 𝑛)
𝑛
𝑎
where ( 𝑛 ) denotes the Jacobi symbol.
If 𝑛 is a prime, then every 𝑎 ≢ 0 (mod 𝑛) satisfies (5.7.1).
If 𝑛 is composite, then (5.7.1) is satisfied for fewer than half of the elements in a
complete residue system modulo 𝑛.
(B) Using criterion (A), we can decide whether a large odd 𝑛 is prime or composite as
follows. We select (say) 1000 random numbers 𝑎 ≢ 0 (mod 𝑛) and check (5.7.1)
for each of them. If (5.7.1) is not satisfied for at least one 𝑎, then 𝑛 is necessarily
composite. If every chosen 𝑎 satisfies (5.7.1), then the probability of 𝑛 being composite
is less than 2−1000 . ♣
𝑎
Remarks: (1) For (𝑎, 𝑛) > 1 the Jacobi symbol ( 𝑛 ) makes no sense, so (5.7.1) cannot
hold.
(2) Condition (5.7.1) can be checked quickly (even for 1000 values of 𝑎) by Theo-
rem 5.7.1.
(3) Even the Solovay–Strassen primality test cannot avoid the error of declaring a
composite number as a prime. However, it is a great advance over the test in
Theorem 5.7.2 from both the theoretical and the practical point of view.
The test in Theorem 5.7.2 is unable to detect the pseudoprimes of base 2, it fails
completely in this case. So we are wrong when we think that a pseudoprime is
a prime as suggested by the test (though this happens only very seldom as pseu-
doprimes are rare). Similarly, the improved version of checking (say) a million
values of 𝑎 is not suitable for detecting a large universal pseudoprime: we will
falsely think that this composite 𝑛 is a prime (except if some 𝑎 was not coprime
to 𝑛 but the probability of this is practically zero).
154 5. Prime Numbers

At the same time, no composite integer can hide from the Solovay–Strassen test,
there are no pseudoprimes related to it: there are lots of, so-called, witnesses who
certify the compositeness of 𝑛. This means that the probability of error can be
made arbitrarily small (independent of the tested integer) by checking sufficiently
many values of 𝑎. (The error probability of 2−1000 in the case of a thousand trials
provides a perfect practical security.)

Proof. (B) is a direct consequence of (A), thus it is sufficient to verify the latter.
For a prime 𝑛, we obtain (5.7.1) from Theorem 4.1.2 and the definition of the Le-
gendre symbol (see formula (4.1.2) after Definition 4.1.3).
Let now 𝑛 be composite. Since (5.7.1) can be valid only for 𝑎 coprime to 𝑛, it is
enough to show that (5.7.1) is satisfied by at most half of the elements in a reduced
residue system modulo 𝑛.
Let us call 𝑎 coprime to 𝑛 a witness (for compositeness) if (5.7.1) is false, and an
accomplice if (5.7.1) is true. Thus we have to prove that at least half of the elements in
a reduced residue system are witnesses.
We start by showing that there exists a witness for any odd 𝑛.
Consider first the case when 𝑛 is not squarefree, i.e. 𝑞2 ∣ 𝑛 for some prime 𝑞. Let
𝑞 = 𝑞1 , 𝑞2 , . . . , 𝑞𝑠 be the distinct prime divisors of 𝑛, let 𝑔 be a primitive root modulo
𝑞2 , and let 𝑣 be a solution of the system of congruences
𝑥 ≡ 𝑔 (mod 𝑞2 ) , 𝑥 ≡ 1 (mod 𝑞𝑖 ) , 2≤𝑖≤𝑠
(for 𝑠 = 1, take 𝑣 = 𝑔). We claim that 𝑣 is a witness.
Since (𝑣, 𝑞𝑖 ) = 1 for every 𝑖, (𝑣, 𝑛) = 1. For a proof by contradiction, assume
𝑛−1 𝑣
(5.7.2) 𝑣 2 ≡ ( ) (mod 𝑛) .
𝑛
Squaring (5.7.2), we obtain
𝑣 2
(5.7.3) 𝑣𝑛−1 ≡ ( ) = 1 (mod 𝑛) .
𝑛
Since 𝑞2 ∣ 𝑛, (5.7.3) remains valid if we replace the modulus 𝑛 by 𝑞2 . Using 𝑣 ≡ 𝑔
(mod 𝑞2 ), this gives
(5.7.4) 𝑔𝑛−1 ≡ 1 (mod 𝑞2 ) .
As 𝑔 is a primitive root mod 𝑞2 , its order is 𝜑(𝑞2 ) = 𝑞(𝑞 − 1), so (5.7.4) implies 𝑞(𝑞 − 1) ∣
𝑛 − 1. But 𝑞2 ∣ 𝑛 so 𝑞 divides both 𝑛 and 𝑛 − 1, which is a contradiction.
Now we turn to the case where 𝑛 is squarefree, 𝑛 = 𝑞1 . . . 𝑞𝑠 with distinct primes
𝑞𝑖 and 𝑠 ≥ 2.
Let ℎ be a quadratic non-residue modulo 𝑞1 , and let 𝑤 be a solution of the system
of congruences
(5.7.5) 𝑥 ≡ ℎ (mod 𝑞1 ) , 𝑥 ≡ 1 (mod 𝑞𝑖 ) , 2 ≤ 𝑖 ≤ 𝑠.
We claim that 𝑤 is a witness. Assume the converse, i.e. 𝑤 satisfies (5.7.1). Then (𝑤, 𝑛) =
1 and
𝑤 𝑤 𝑤 𝑤 ℎ 1 1
( ) = ( ) ( ) . . . ( ) = ( ) ( ) . . . ( ) = −1.
𝑛 𝑞1 𝑞2 𝑞𝑠 𝑞1 𝑞2 𝑞𝑠
5.7. Primality Tests 155

By (5.7.1), we have
𝑛−1
𝑤 2 ≡ −1 (mod 𝑛) .
Since 𝑞2 ∣ 𝑛 and 𝑤 ≡ 1 (mod 𝑞2 ) by (5.7.5), we infer
𝑛−1
(5.7.6) −1 ≡ 𝑤 2 ≡ 1 (mod 𝑞2 ) ,
which is a contradiction. Hence 𝑤 is a witness.
We have proved that there exists a witness for any odd composite 𝑛.
Finally, we show that at least half of the elements in a reduced residue system are
witnesses.
Let 𝑤 be an arbitrary witness and let 𝑎1 , 𝑎2 , . . . , 𝑎𝑘 be pairwise incongruent accom-
plices. We claim that 𝑤𝑐 1 , . . . , 𝑤𝑐 𝑘 are pairwise incongruent witnesses.
From (𝑤, 𝑛) = (𝑎𝑖 , 𝑛) = 1, (𝑤𝑎𝑖 , 𝑛) = 1 and 𝑤𝑎𝑖 are pairwise incongruent mod-
ulo 𝑛. For a proof by contradiction, assume that some 𝑤𝑎𝑖 is an accomplice, i.e.
𝑛−1 𝑤𝑎
(5.7.7) (𝑤𝑎𝑖 ) 2 ≡ ( 𝑖 ) (mod 𝑛) .
𝑛
Since 𝑎𝑖 is an accomplice,
𝑛−1
𝑎𝑖
(5.7.8) 𝑎𝑖 2 ≡ (
) (mod 𝑛) .
𝑛
Multiplying (5.7.7) and (5.7.8), we obtain
𝑛−1 𝑤 𝑎 2
(5.7.9) 𝑤 2 𝑎𝑛−1
𝑖 ≡ ( ) ( 𝑖 ) (mod 𝑛) .
𝑛 𝑛
Squaring (5.7.8), we have
𝑎𝑖 2
𝑎𝑛−1
𝑖 ≡( ) = 1 (mod 𝑛)
𝑛
which substituted into (5.7.9) yields
𝑤 𝑛−1
≡ ( ) (mod 𝑛) .
𝑤 2
𝑛
This means that 𝑤 is an accomplice, which is a contradiction.
Thus we verified that multiplying pairwise incongruent accomplices by a fixed wit-
ness gives pairwise incongruent accomplices. So the number of witnesses in a reduced
residue system is at least as big as the number of accomplices: at least half of the ele-
ments are witnesses. □

The next primality test is based on Fermat’s Little Theorem and on the fact that if
2
𝑢 ≡ 1 (mod 𝑝) for a prime 𝑝, then 𝑢 ≡ ±1 (mod 𝑝). This implies that for 𝑝 ∤ 𝑎, the
sequence of remainders of least absolute value of the numbers
𝑝−1 𝑝−1
𝑎𝑝−1 , 𝑎 2 ,𝑎 4 , ...
starts with 1 and either remains 1 to the very end, or the first remainder different from 1
must be −1. At the same time, replacing 𝑝 by a composite 𝑛, the sequence of remainders
will not obey this rule for many values of 𝑎. This gives the following primality test (for
technical reasons, we state the above condition in a modified form, essentially for the
inverted sequence):
156 5. Prime Numbers

Theorem 5.7.5 (Miller–Lenstra–Rabin primality test). Let 𝑛 > 1 be odd and 𝑛−1 = 2𝑘 𝑟
with 𝑟 odd. The numbers
𝑘−2 𝑟 𝑛−1 𝑘−1 𝑟 𝑛−1
(5.7.10) 𝑎𝑟 , 𝑎2𝑟 , 𝑎4𝑟 , . . . , 𝑎2 =𝑎 4 , 𝑎2 =𝑎 2

form a good sequence if either −1 occurs among their residues of least absolute value mod-
ulo 𝑛, or the residue of 𝑎𝑟 is 1.
For a prime 𝑛, (5.7.10) is a good sequence for every 𝑎 ≢ 0 (mod 𝑛).
For a composite 𝑛, (5.7.10) is a good sequence only for fewer than half of the elements
of a complete residue system modulo 𝑛. ♣

This criterion can be checked quickly: we compute the remainder of 𝑎𝑟 modulo 𝑛

by repeated squarings and then continued squarings give the other elements of the
sequence one by one.
Based on the criterion, we can formulate the concrete algorithm, similarly to
part (B) in Theorem 5.7.4.

Outline of proof. We follow the ideas and the usage of “witness” and “accomplice”
seen in Theorem 5.7.4 with suitable modifications.
If 𝑛 is a prime, then we sketched before stating Theorem 5.7.5 that every 𝑝 ∤ 𝑎
produces a good sequence.
If 𝑛 is composite and is not squarefree, then we can construct a witness exactly as
in the proof of Theorem 5.7.4.
If 𝑛 is composite and squarefree, then consider the largest 0 ≤ 𝑗 ≤ 𝑘 − 1 satisfying
𝑗𝑟
(5.7.11) 𝑎2 ≢ 1 (mod 𝑛)
for some 𝑎 coprime to 𝑛. Since (5.7.11) holds with some 𝑗 and 𝑎, e.g. with 𝑗 = 0 and
𝑎 = −1 (as (−1)𝑟 ≢ 1 (mod 𝑛)), therefore a maximal 𝑗 exists.
By (5.7.11),
𝑗
𝑎2 𝑟 ≢ 1 (mod 𝑞1 )
for some prime divisor 𝑞1 of 𝑛. Then 𝑤 obtained from the system of congruences (5.7.6)
in the proof of Theorem 5.7.4 is a witness, since similarly to the argument seen there,
𝑗𝑟
𝑤2 ≢ ±1 (mod 𝑛) ,
but
𝑗+1
𝑤2 𝑟 ≡ 1 (mod 𝑛)
by the maximal property of 𝑗 (for 𝑗 < 𝑘 − 1).
Finally, multiplying this 𝑤, or 𝑣 in the not squarefree case, by pairwise incongru-
ent accomplices we obtain pairwise incongruent witnesses as seen in the proof of The-
orem 5.7.4 (but 𝑤 cannot be replaced now by an arbitrary witness). Thus we proved
that if 𝑛 is composite, then at least half of the elements in a reduced residue system are
witnesses. □
Remarks: (1) The Miller–Lenstra-Rabin test is even more efficient than stated in The-
orem 5.7.5: it can be shown by more refined methods that more than 75% of ele-
ments in a reduced residue system are witnesses.
Exercises 5.7 157

(2) Comparing the Solovay–Strassen and Miller–Lenstra–Rabin tests, it turns out that
the latter is more efficient in detecting composite numbers (see Exercise 5.7.17).

Agrawal, Kayal, and Saxena devised a quick primality test in 2002 that determines
not with 99.99999999999% but 100% certainty whether 𝑛 is prime or composite. The
test starts with a polynomial version of Fermat’s Little Theorem. We sketch the basic
idea below.
For (𝑐, 𝑛) = 1, we consider the polynomials 𝑓𝑐 = 𝑥𝑛 − 𝑐 and 𝑔𝑐 = (𝑥 − 𝑐)𝑛 over
𝐙𝑛 . If 𝑛 is a prime, then 𝑓𝑐 = 𝑔𝑐 (i.e. their coefficients are equal, which is a stronger
statement than the equality of the corresponding values assumed by the functions).
For the constant terms −𝑐 and (−𝑐)𝑛 , this follows from Fermat’s Little Theorem, the
leading coefficients are 1, and the other coefficients (𝑛𝑘)(−𝑐)𝑘 in 𝑔𝑐 are divisible by 𝑛 as
𝑛 is prime (see Exercise 2.1.9a), hence they are 0 in 𝐙𝑛 . It is another simple observation
that (𝑛𝑘) is not divisible by 𝑛 for some 0 < 𝑘 < 𝑛 if 𝑛 is composite, and as (𝑐, 𝑛) = 1, the
coefficient of 𝑥𝑛−𝑘 is not 0 in 𝑔𝑐 implying 𝑓𝑐 ≠ 𝑔𝑐 . Thus this is a perfect primality test
(e.g. with 𝑐 = 1), but unfortunately it is awfully slow since computing the coefficients
of 𝑔 requires many steps even using repeated squarings, due to the huge number of
terms.
The ingenious idea of the AKS test is that instead of 𝑓𝑐 = 𝑔𝑐 we check just the
equality of remainders of 𝑓𝑐 and 𝑔𝑐 divided by a suitable polynomial ℎ ∈ 𝐙𝑛 [𝑥]. If ℎ is
of sufficiently small degree (compared to 𝑛), then the computation can be carried out if
during the repeated squarings we reduce also modulo ℎ. This reduction is particularly
simple if ℎ is of the form ℎ = 𝑥𝑟 − 1, since then we just have to reduce the exponents
in the powers of 𝑥 mod 𝑟 (i.e. we replace 𝑥𝑗 by 𝑥𝑗−𝑟 as long as possible).
If 𝑛 is a prime, then 𝑓𝑐 = 𝑔𝑐 implies that the remainders are equal modulo any ℎ.
The main point in the AKS test is that choosing 𝑟 appropriately, no composite integer
satisfies this, so to any composite 𝑛 there exists some 𝑐 ≤ 𝐾 (where 𝐾 is very small
compared to 𝑛), such that 𝑓𝑐 and 𝑔𝑐 do not yield the same remainder when divided by
𝑥𝑟 − 1.
The corresponding algorithm hence selects a suitable 𝑟 and then checks 𝑓𝑐 ≡ 𝑔𝑐
(mod 𝑥𝑟 − 1) for every 𝑐 = 1, 2, . . . , 𝐾. If this fails for some 𝑐, then 𝑛 is composite (this
follows from our initial considerations). On the other hand, if it holds for every 𝑐, then
𝑛 is a prime for sure (this is the hard part in the proof of the test).
We have to select 𝑟 as a not too big prime with some special properties, its existence
is guaranteed by a deep theorem in number theory. To prove that after fixing this 𝑟,
any composite number gets detected by checking a few values of 𝑐, we need some basic
results about finite fields.

Exercises 5.7

1. Consider the usual Euclidean algorithm for the integers 𝑎, 𝑏, 𝑎 > 𝑏 > 0, where the
remainders satisfy 𝑏 = 𝑟0 > 𝑟1 > 𝑟2 > . . . ≥ 0.
𝑟𝑘
(a) Verify 𝑟 𝑘+2 < 2
for every 𝑘.
 158 5. Prime Numbers

(b) Which upper bound follows from this for the number of steps in the algo-
rithm?
* (c) Prove that if the algorithm requires exactly 𝑠 steps, then the minimal possi-
ble value of 𝑏 is 𝜑𝑠+1 where 𝜑𝑗 denotes the 𝑗th Fibonacci number (defined in
Exercise 1.2.5).
Remark: By the explicit formula

1 1 + √5 𝑗 1 − √5 𝑗
𝜑𝑗 = (( ) −( ))
√5 2 2

for the Fibonacci numbers, (c) implies that the usual Euclidean algorithm re-
quires at most log𝛾 𝑏+𝛿 steps where 𝛾 = (1+√5)/2 and 𝛿 is a suitable constant,
and this bound is best possible.
2. Consider the procedure in part III of the proof of Theorem 5.7.1 for computing the
𝑎
Jacobi symbol ( 𝑏 ). Show that for (𝑎, 𝑏) = 𝑑 > 1, this leads to a situation when the
numerator is 𝑑 and the denominator is a multiple of 𝑑. (Thus the method reveals
that the Jacobi symbol makes no sense in this case, and there is no need to check
separately whether or not 𝑎 and 𝑏 are coprime.)
3. Show that 341 is a pseudoprime of base 2, but not of base 3.
S 4. Prove that if 𝑛 is a pseudoprime of base 2, then so is 2𝑛 − 1.
5. Let 𝑎 > 1. Show that if the prime 𝑝 > 2 does not divide 𝑎 ± 1, then
𝑎2𝑝 − 1
𝑛=
𝑎2 − 1
is a pseudoprime of base 𝑎. (For 𝑎 = 2 and 𝑝 = 5 we obtain 𝑛 = 341.)
6. Verify that 561 is a universal pseudoprime.
7. Prove the equivalence of the following conditions
(a) 𝑎𝑛−1 ≡ 1 (mod 𝑛) for any (𝑎, 𝑛) = 1.
(b) 𝑛 is squarefree and 𝑝 ∣ 𝑛 ⟹ 𝑝 − 1 ∣ 𝑛 − 1.
(c) 𝑎𝑛 ≡ 𝑎 (mod 𝑛) for any 𝑎.
Remark: This means that in Definition 5.7.3 of universal pseudoprimes we could
have chosen condition (c) (or (b)) instead of (a).
8. Show that a universal pseudoprime has at least three prime divisors.
9. (a) In the primality tests discussed, we check a condition, and there is no need to
compute in advance whether 𝑎 and 𝑛 are coprime. What advantage is there if
we compute (𝑎, 𝑛)?
(b) If 𝑛 is the product of two primes of hundred digits, then roughly what is the
chance that a random 𝑎 is not coprime to 𝑛?
10. Prove that if 𝑎2 ≡ 1 (mod 𝑛) but 𝑎 ≢ ±1 (mod 𝑛), then we can determine a non-
trivial divisor of 𝑛.
 Exercises 5.7 159

* 11. Verify that if we know a (non-zero) multiple of 𝜑(𝑛) besides 𝑛, then we can find
the standard form of 𝑛 quickly. (More precisely, there is a theoretical chance that
we still cannot factor 𝑛, but this occurs practically never.)

12. Analyze whether Wilson’s Theorem and its converse, i.e. checking whether or not
𝑛 divides (𝑛 − 1)! +1, are suitable or not as a primality test.

13. (a) Show that if a composite number 𝑛 is not a universal pseudoprime, then 𝑎𝑛−1
≡ 1 (mod 𝑛) holds for fewer than half of the elements in a complete residue
system modulo 𝑛.
(b) Describe the concrete primality test based on part (a).

14. Prove that the following primality test can be performed quickly, and its probability
of error can be reduced below an arbitrarily small bound (prescribed in advance).
We want to decide whether an odd integer 𝑛 > 1 is prime or composite. We check
the remainder of 𝑎(𝑛−1)/2 modulo 𝑛 for a fixed (but sufficiently large) amount of
random integers 𝑎 where 𝑛 ∤ 𝑎. We declare 𝑛 to be a prime if every such remainder
is ±1 with −1 occurring at least once among them.

15. Let 𝑛 = 2𝑘 𝑟 + 1 with 𝑘 ≥ 1, 𝑟 odd, and 0 < 𝑟 < 2𝑘 . Assume that

𝑛−1
𝑎 2 ≡ −1 (mod 𝑛)

holds for some integer 𝑎. Prove that 𝑛 is a prime.

16. Let 𝑛 > 2. Show that any of the following conditions imply that 𝑛 is a prime.

(a) There is an integer 𝑎 satisfying 𝑎𝑛−1 ≡ 1 (mod 𝑛) and

𝑛−1
𝑝𝑖
𝑎 ≢ 1 (mod 𝑛)

for every prime divisor 𝑝 𝑖 of 𝑛 − 1.

* (b) To any prime divisor 𝑝 𝑖 of 𝑛 − 1 there exists an integer 𝑎𝑖 satisfying
𝑛−1
𝑝𝑖
𝑎𝑛−1
𝑖 ≡ 1 (mod 𝑛) and 𝑎𝑖 ≢ 1 (mod 𝑛) .

* (c) There exists a divisor 𝑐 of 𝑛−1 greater than √𝑛 such that for any prime divisor
𝑝 𝑖 of 𝑐 there exists an integer 𝑎𝑖 satisfying
𝑛−1
𝑝𝑖
𝑎𝑛−1
𝑖 ≡ 1 (mod 𝑛) and (𝑎𝑖 − 1, 𝑛) = 1.

S 17. Show that the Miller–Lenstra–Rabin test is more efficient than the Solovay–
Strassen test in the following sense. If 𝑎 is a witness for 𝑛 in the Solovay–Strassen
test, then the same 𝑎 is a witness in the Miller–Lenstra–Rabin test; i.e. if condition
(5.7.1) of Theorem 5.7.4 is false for some 𝑎, then the set (5.7.10) in Theorem 5.7.5
cannot form a good sequence for this 𝑎.
160 5. Prime Numbers

5.8. Cryptography
In classical cryptography 𝐴 and 𝐵 agree in advance on an encoding key 𝐸 (e.g. to write
always the next letter instead of each letter in the alphabet). The inverse of 𝐸 is the
decoding key 𝐷 (in the example above, this means to write the preceding letter). When
communicating, (say) 𝐴 encodes the plain text by 𝐸 into a ciphertext and sends it to 𝐵
who can decode it by 𝐷.
The keys may refer not just to letters but also to sequences of characters, and can
be very complicated. In that case, computers do the encoding and decoding and the
messages are sent electronically instead of by a messenger.
These schemes meet two basic requirements, that only 𝐵 can understand the mes-
sage of 𝐴, and no third party can send a false message in the name of 𝐴. There are,
however, several disadvantages: the two parties have to agree on the keys in advance,
which may be a difficult (and dangerous) task; no disputes between 𝐴 and 𝐵 can be
resolved, since either party can falsify a message with the common keys in the other’s
name; and the bilateral communication of 𝐴 with several parties (e.g. in business) re-
quires a new pair of keys with each partner.
Diffie and Hellman suggested a cryptosystem based on a revolutionary new idea:
we make the key 𝐸 public and keep only 𝐷 secret.
This sounds absurd at the first hearing, since if we know the procedure in one
direction, then we can find it out in the opposite direction. Let the functions 𝐸 and
𝐷 be bijections of the set {1, 2, . . . , 𝑁} (we shall see that we can always assume this
without loss of generality). If we want to determine (say) 𝐷(5), then we compute 𝐸(1),
𝐸(2), . . . with the help of the public key 𝐸 till 𝐸(𝑘) = 5 occurs, providing 𝐷(5) = 𝑘.
This sounds good in principle, but if 𝑁 has (say) 500 digits, then it cannot be carried
out in practice. A computer could determine only a negligible fraction of the values
𝐸(1), 𝐸(2), . . . even in billions of years and so most probably would never find 𝐷(5).
(We illustrate the situation with an analogy. An English-French dictionary can be used
as a French-English dictionary in principle: if we want to find the English equivalent
of the French word “eau”, then we go through the English words of the English-French
dictionary (in alphabetic order) till we find “eau” among the French meanings. This
will occur at the English word “water”. So probably nobody would not also buy the
French-English dictionary.)
Hence it is not inconceivable that 𝐸 being public, 𝐷 can still remain secret. We
now discuss public key cryptosystems based on this idea.
Each party creates a pair of keys 𝐸 and 𝐷 which are inverses of each other, makes
𝐸 public, but keeps 𝐷 in secret. Let 𝐸𝐴 and 𝐷𝐴 be the keys of 𝐴, and 𝐸𝐵 and 𝐷𝐵 be the
keys of 𝐵. Then 𝐴 transforms the plain text 𝑢 into the ciphertext 𝑣 = 𝐸𝐵 (𝐷𝐴 (𝑢)) and
sends it to 𝐵 who can decode it as 𝑢 = 𝐸𝐴 (𝐷𝐵 (𝑣)):

𝐸𝐴 (𝐷𝐵 (𝑣)) = 𝐸𝐴 (𝐷𝐵 (𝐸𝐵 (𝐷𝐴 (𝑢)))) = 𝐸𝐴 (𝐷𝐴 (𝑢)) = 𝑢.

(To compute 𝑣, 𝐴 uses his own function 𝐷𝐴 and the public function 𝐸𝐵 , and 𝐵 can act
similarly.)
5.8. Cryptography 161

This scheme meets the two basic requirements discussed above: only 𝐵 can under-
stand A’s message, since no one else knows 𝐷𝐵 needed for the decoding, and a third
party cannot falsify a message in the name of 𝐴 since only 𝐴 knows 𝐷𝐴 necessary for
the encoding.
The method has several further important advantages. There is no need to agree
about the keys in advance, and everybody can use the same keys with each partner.
There cannot be any dispute about the message between 𝐴 and 𝐵, since 𝐷𝐴 cannot be
falsified even by 𝐵, it acts as an electronic signature for 𝐴.
To implement the system, we have to construct pairs of keys 𝐸 and 𝐷 where the
owner knows both keys but other persons cannot determine 𝐷 even using the publicly
accessible 𝐸.
We saw previously that the prime factorization of a large number can serve as such
a secret known only by the person who formed the product of these primes. Based on
this, Rivest, Shamir, and Adleman made a concrete realization of the Diffie–Hellman
principle. Their procedure is called the RSA scheme from the initials of the discoverers
(or inventors?).
Before discussing RSA, we show that any cryptosystem can be reduced to the case
where 𝐸 and 𝐷 are permutations, i.e. bijections of the set {1, 2, . . . , 𝑁} where 𝑁 is a
sufficiently large integer. To see this, we encode (in a publicly known standard way)
letters and other characters as numbers, thus transforming a message into a sequence
of integers. Then we cut it into blocks of a given size, and consider each block as one
(large) number with many digits. These numbers will constitute both the domain and
the range of the functions 𝐸 and 𝐷.
We can transform letters and other characters into numbers for example in the
following way: A ↦ 01, B ↦ 02, . . . , Z ↦ 26, comma ↦ 27, space ↦ 28, etc. and say
that four such two-digit numbers should form a block. Then any message is converted
into a sequence of integers between 1 and 108 − 1 so 𝑁 = 108 − 1.
Let us find the equivalent of the expression “number theory”. N is converted into
14, U into 21, M into 13, etc., so we get the sequence
14211302|05182820|08051518|25.
Hence the blocks are 14211302, 05182820, 08051518, and 25999999 (the last block was
completed with 9s). We apply the keys 𝐸 and 𝐷 to these four numbers. (We repeatedly
emphasize that this conversion of the text into numbers is publicly known and its only
purpose is to provide a unified and comfortable handling of the functions 𝐸 and 𝐷.)
Now we turn to the construction of the keys 𝐸 and 𝐷 in the RSA.
Let 𝑁 = 𝑝𝑞 where 𝑝 and 𝑞 are two large primes. The holder of the key keeps 𝑝
and 𝑞 secret, but makes 𝑁 public. Further, he/she chooses an integer 𝑒 > 1 coprime to
𝜑(𝑁), and declares publicly his/her key 𝐸:
(5.8.1) 𝐸(𝑟) = the least positive residue (mod 𝑁) of 𝑟𝑒 , 𝑟 = 1, 2, . . . , 𝑁.
How can we get 𝐷 = 𝐸 −1 ? We try to find it in a similar form:
(5.8.2) 𝐷(𝑠) = the least positive residue (mod 𝑁) of 𝑠𝑑 , 𝑟 = 1, 2, . . . , 𝑁.
162 5. Prime Numbers

This meets the requirements if and only if for every 𝑟 we have

𝑟 = 𝐸𝐷(𝑟) = 𝐷𝐸(𝑟) = the least positive residue (mod 𝑁) of 𝑟𝑒𝑑 ,
i.e. if and only if
(5.8.3) 𝑟𝑒𝑑 ≡ 𝑟 (mod 𝑁)
for every 𝑟. Using Fermat’s Little Theorem for the primes 𝑝 and 𝑞, we easily derive that
(5.8.4) 𝑟1+𝑘𝜑(𝑁) ≡ 𝑟 (mod 𝑁)
holds for any 𝑘 and 𝑟 (see Exercise 5.8.3a).
By (5.8.4), we obtain a suitable 𝑑 in (5.8.3) (and thus in (5.8.2), as well) if we solve
the linear Diophantine equation
(5.8.5) 𝑑𝑒 = 1 + 𝑘𝜑(𝑁)
for 𝑑 (and 𝑘). Since (𝑒, 𝜑(𝑁)) = 1, (5.8.5) is solvable and we can get a solution quickly
using the Euclidean algorithm.
But all this can be done only by the holder of the key, as nobody else can compute
𝜑(𝑁) for lack of the prime factors of 𝑁.
The holder of the key generates the primes 𝑝 and 𝑞 in the following way. He
chooses odd random numbers with (say) 400 and 500 digits and checks (e.g. with one
of the primality tests in Section 5.7) whether or not they are primes. He will get 𝑝 and
𝑞 fairly soon, since the primality tests are fast and there are many primes with 400 and
500 digits: according to the Prime Number Theorem, a random 500-digit odd number
is prime with probability 1/(log(10500 )/2) ≈ 1/576.
Both 𝐸(𝑟) in (5.8.1) and 𝑀(𝑠) in (5.8.2) can be computed quickly by repeated squar-
ings (of course, the latter can be done only by the holder of the key).
When selecting 𝑝, 𝑞, and 𝑒, a few safety measures have to be taken. If 𝑝 and 𝑞 are
too close to each other, then 𝑁 can be factored more easily, therefore we had to test
random numbers of different sizes for 𝑝 and 𝑞. Similar reasons require that 𝑝 − 1 and
𝑞 − 1 should have large prime factors. We do not discuss these and similar technical
details.
How safe is this procedure? Presently it seems that (following the precautionary
measures) we do not have to worry. It is not completely impossible, however, that
somebody finds a quick method for factoring integers, and then can get 𝐷, too. It is
also conceivable that one can exhibit 𝐷 in some different form. But these are highly
improbable.
We summarize the essential points of RSA in the the following theorem.
Theorem 5.8.1 (RSA scheme). Let 𝑝 and 𝑞 be two large primes, 𝑁 = 𝑝𝑞, and (𝑒, 𝜑(𝑁)) =
1. Define the pair of keys 𝐸 and 𝐷 by (5.8.1) and (5.8.2) where 𝑑 satisfies (5.8.5). 𝑁, 𝑒,
and 𝐸 are public, but 𝑝, 𝑞, 𝜑(𝑁), 𝑑, and 𝐷 are secret. Then 𝐷 = 𝐸 −1 , and 𝐷 cannot be
determined even knowing 𝐸.
The holder of the key generates the primes 𝑝 and 𝑞 by testing random numbers, and
can find 𝑑 quickly. The holder of the key can compute 𝐷(𝑠) quickly, and anyone can
compute 𝐸(𝑟) quickly. ♣
 Exercises 5.8 163

Exercises 5.8

1. What type of problem can occur if 𝐴 sends to 𝐵 just 𝑣′ = 𝐸𝐵 (𝑢) instead of 𝑣 =

𝐸𝐵 (𝐷𝐴 (𝑢)) in the Diffie–Hellman scheme?
2. Show that the function 𝐸 defined in (5.8.1) is invertible if and only if (𝑒, 𝜑(𝑁)) = 1.
3. Let 𝑁 = 𝑝𝑞 where 𝑝 and 𝑞 are distinct primes.
(a) Verify 𝑟1+𝑘𝜑(𝑁) ≡ 𝑟 (mod 𝑁) for every 𝑟.
(b) Find all integers 𝑣 > 0 satisfying 𝑟𝑣 ≡ 𝑟 (mod 𝑁) for every 𝑟.
4. Assume that (due to the imperfection of primality testing) we use a universal pseu-
doprime 𝑝 in RSA. Do we have to worry about this?
* 5. Show that RSA is not safe if the order of the exponent 𝑒 is small modulo 𝜑(𝑁).
6. Let 𝑝 be a large prime and 𝑔 a primitive root modulo 𝑝. At present we know no
quick algorithm for computing the discrete logarithm, so it is not possible to deter-
mine ind𝑔 𝑎. This means that we can compute the residue 𝑎 mod 𝑝 of 𝑔𝑘 , but no
one else can find 𝑘 from 𝑎.
𝐴 and 𝐵 choose exponents 𝑘𝐴 and 𝑘𝐵 , keeping them secret, but make the remain-
ders of 𝑔𝑘𝐴 and 𝑔𝑘𝐵 modulo 𝑝 public. Prove that both 𝐴 and 𝐵 can compute the
remainder of 𝑔𝑘𝐴 𝑘𝐵 modulo 𝑝, but (hopefully) no one else can do this. (This means
that 𝐴 and 𝐵 can find a common password without preliminary negotiations and
without revealing their secret exponents 𝑘𝐴 and 𝑘𝐵 to each other).
7. It seemed for a while that also the following scheme, the so-called modular knap-
sack or subset problem could be used for public key cryptosystems, but later it
turned out that it is not safe.
(a) A sequence of positive integers 𝐶 = {𝑐 0 , 𝑐 1 , . . . , 𝑐 𝑘−1 } is sum injective, if the
sums of arbitrarily many distinct 𝑐 𝑖 s are all distinct.
Prove that if 𝐶 is super-increasing, i.e.
𝑖−1
(5.8.6) 𝑐 𝑖 > ∑ 𝑐𝑗 , 𝑖 = 1, 2, . . . , 𝑘 − 1,
𝑗=0

then 𝐶 is sum injective.

𝑘−1
(b) Let 𝐶 be sum injective, 𝑚 > ∑𝑖=0 𝑐 𝑖 , (𝑟, 𝑚) = 1, and
(5.8.7) 𝑑𝑖 = the least positive remainder (mod 𝑚) of 𝑟𝑐 𝑖 , 0 ≤ 𝑖 ≤ 𝑘 − 1.
Verify that the sequence 𝑑0 , . . . , 𝑑𝑘−1 is sum injective.
(c) Let 0 ≤ 𝑢 < 2𝑘 , and write 𝑢 in binary system:
𝑘−1
𝑢 = ∑ 𝛿 𝑖 2𝑖 , where 𝛿 𝑖 = 0 or 1, 𝑖 = 0, 1, . . . , 𝑘 − 1.
𝑖=0
164 5. Prime Numbers

Show that if 𝐻 is sum injective, then 𝑢 can be determined in principle from

the number
𝑘−1
𝑣 = ∑ 𝛿 𝑖 ℎ𝑖 .
𝑖=0
(d) Prove that 𝑢 can be determined quickly also in practice for sequences of type
(5.8.6) and their derivatives of type (5.8.7).
Based on the above considerations, we take a sequence 𝐶 of type (5.8.6) and
convert it into a sequence 𝐷 of type (5.8.7). The sequence 𝐷 will be public, but
𝑐 𝑖 , 𝑚, and 𝑟 are kept secret. Then anybody can compute 𝑣 from 𝑢 quickly, and
we can do this also backwards using 𝐶, 𝑚, and 𝑟. Since it is very hard to get 𝑢
from 𝑣 in practice for general sum injective sequences, it seemed reasonable
that this should be the case also for sequences of type (5.8.7) without knowing
𝑐 𝑖 , 𝑚, and 𝑟. As mentioned earlier, this belief turned out to be false.
 Chapter 6

Arithmetic Functions

An arithmetic function is a complex-valued function defined on the positive integers.

We shall mostly deal with those reflecting some arithmetic properties of positive in-
tegers, such as 𝑑(𝑛), the number of positive divisors of 𝑛, or Euler’s function 𝜑(𝑛) in-
dispensable for congruences, which appeared in Chapters 1 and 2. Some further im-
portant examples are 𝜎(𝑛), the sum of positive divisors of 𝑛, related also to the perfect
numbers, and the Möbius function 𝜇(𝑛) that plays an important role in the summation
and inversion functions. Using 𝑑(𝑛) as an example, we illustrate how double-faced
many arithmetic functions behave, as they assume hectically oscillating values on the
one hand, but show a regular pattern if considered on average on the other hand. Ap-
plying convolution, we extend this type of investigation of mean values to 𝜎(𝑛) and
𝜑(𝑛). The latter result gives also the probability (in a precisely defined meaning) of
two numbers being relatively prime. (This probability turns out to be surprisingly big:
6/𝜋2 ≈ 0.61.) The study of 𝜔(𝑛), denoting the number of distinct (positive) prime divi-
sors of 𝑛, is of special interest, since (in contrast to 𝑑(𝑛)) it assumes mostly values close
to its mean value. We present Turán’s simple proof for this famous theorem of Hardy
and Ramanujan whose argument became the starting point of probabilistic number
theory. Finally, we give a glimpse into a topic initiated by Erdős, namely which condi-
tions can characterize the logarithm among the additive arithmetic functions.

6.1. Multiplicative and Additive Functions

Definition 6.1.1. An arithmetic function is a complex-valued function defined on the
positive integers. ♣

Examples. 𝑑(𝑛) is the number of positive divisors of 𝑛 (see Theorem 1.6.3)

Euler’s function 𝜑 (see Definition 2.2.7 and Theorem 2.3.1)
𝑓(𝑛) = (−1)𝑛 , 𝑔(𝑛) = √𝑛2 + 5 + 𝑖 sin 𝑛, etc.

We shall discuss some important arithmetic function in Section 6.2.

165
166 6. Arithmetic Functions

The following properties often play an important role:

Definition 6.1.2. An arithmetic function 𝑓 is multiplicative if 𝑓(𝑎𝑏) = 𝑓(𝑎)𝑓(𝑏) for
every coprime 𝑎 and 𝑏. ♣
Definition 6.1.3. An arithmetic function 𝑓 is completely multiplicative (or totally mul-
tiplicative), if 𝑓(𝑎𝑏) = 𝑓(𝑎)𝑓(𝑏) for every 𝑎 and 𝑏. ♣
Examples. Euler’s function 𝜑 is multiplicative (this was verified in the first proof of
Theorem 2.3.1), but it is not completely multiplicative, as 𝜑(8) ≠ 𝜑(2)𝜑(4). The same
holds for 𝑑(𝑛) (see Exercise 6.1.1).
If 𝛼 is a fixed real number, then 𝑓(𝑛) = 𝑛𝛼 is completely multiplicative (hence it is
multiplicative.
𝑔(𝑛) = 3𝑛 − 2 is not multiplicative, since (2, 3) = 1, but 𝑔(6) ≠ 𝑔(2)𝑔(3).

Requiring similar conditions for the sum of the values instead of their product, we
get the notion of additive and completely additive arithmetic functions, resp.:
Definition 6.1.4. An arithmetic function 𝑓 is additive if 𝑓(𝑎𝑏) = 𝑓(𝑎) + 𝑓(𝑏) for every
coprime 𝑎 and 𝑏. ♣
Definition 6.1.5. An arithmetic function 𝑓 is completely additive (or totally additive),
if 𝑓(𝑎𝑏) = 𝑓(𝑎) + 𝑓(𝑏) for every 𝑎 and 𝑏. ♣

The definitions both of additivity and complete additivity refer to the values of
𝑓(𝑎𝑏) (and not of 𝑓(𝑎 + 𝑏)).
Examples. The logarithm function (with any base) is completely additive.
𝑓(𝑛) = 1 + (−1)𝑛 is additive, but not completely additive.
𝑔(𝑛) = 1 + log2 𝑛 is not additive (hence it cannot be completely additive either).
The identically zero function 𝑓 = 0 is both completely multiplicative and com-
pletely additive, but no other function can be both multiplicative and additive (this
follows from Theorem 6.1.6).

We show first that additive and non-zero multiplicative functions can assume only
special values at 1:
Theorem 6.1.6. If 𝑓 is multiplicative and 𝑓 ≠ 0, then 𝑓(1) = 1.
If 𝑔 is additive, then 𝑔(1) = 0. ♣

Proof. Let 𝑎 be a positive integer satisfying 𝑓(𝑎) ≠ 0. Then (𝑎, 1) = 1 implies 𝑓(𝑎) =
𝑓(𝑎 ⋅ 1) = 𝑓(𝑎)𝑓(1), and dividing by 𝑓(𝑎) ≠ 0 we get 1 = 𝑓(1).
The other statement can be proved similarly. □

Theorem 6.1.6 gives a necessary (but not sufficient) condition for a function to be
additive or multiplicative.
The definitions of additivity and multiplicativity imply that additive and (≠ 0) mul-
tiplicative functions are uniquely determined by their values at prime powers:
Exercises 6.1 167

𝛼 𝛼
Theorem 6.1.7. Let 𝑓 be multiplicative, 𝑔 additive, and 𝑛 = 𝑝1 1 . . . 𝑝𝑟 𝑟 be the standard
form of 𝑛 > 1. Then
𝛼 𝛼 𝛼 𝛼
𝑓(𝑛) = 𝑓(𝑝1 1 ) . . . 𝑓(𝑝𝑟 𝑟 ) and 𝑔(𝑛) = 𝑔(𝑝1 1 ) + ⋯ + 𝑔(𝑝𝑟 𝑟 ). ♣

We used this fact deducing the formula for 𝜑(𝑛) (in the first proof of Theorem 2.3.1).
Similarly, completely additive and (≠ 0) completely multiplicative functions are
uniquely determined by their values at primes:
Theorem 6.1.8. Let 𝑓 be completely multiplicative, 𝑔 completely additive, and
𝛼 𝛼
𝑛 = 𝑝1 1 . . . 𝑝𝑟 𝑟 be the standard form of 𝑛 > 1. Then
𝑓(𝑛) = 𝑓(𝑝1 )𝛼1 . . . 𝑓(𝑝𝑟 )𝛼𝑟 and 𝑔(𝑛) = 𝛼1 𝑔(𝑝1 ) + ⋯ + 𝛼𝑟 𝑔(𝑝𝑟 ). ♣

We can add to Theorem 6.1.7 that additivity or multiplicativity does not impose
any restrictions on the values assumed at prime powers, these can be chosen freely.
This means that prescribing the values arbitrarily at prime powers, gives a multiplica-
tive/additive function. An analogous statement holds with primes instead of prime
powers for completely multiplicative/additive functions (see Exercise 6.1.4).

Exercises 6.1

1. Verify that 𝑑(𝑛) is multiplicative but not completely.

2. Which of the following functions are multiplicative, completely multiplicative, ad-
ditive, and completely additive?
0, if 6 ∣ 𝑛
(a) 𝑓(𝑛) = {
1, if 6 ∤ 𝑛.
0, if 3 ∣ 𝑛
(b) 𝑔(𝑛) = {
1, if 3 ∤ 𝑛.
0, if 3 ∣ 𝑛
(c) ℎ(𝑛) = {
2, if 3 ∤ 𝑛.
2, if 3 ∣ 𝑛
(d) 𝑘(𝑛) = {
0, if 3 ∤ 𝑛.
3. Does there exist an (a) additive (b) multiplicative function ℎ satisfying ℎ(6) = 0,
ℎ(10) = 1, and ℎ(15) = 3?
4. Consider the sequence of primes 𝑝1 , 𝑝2 , . . . = 2, 3, 5, 7, . . . , the sequence of prime
powers 𝑞1 , 𝑞2 , . . . = 2, 3, 4, 5, 7, 8, 9, 11, . . . , and let 𝑐 1 , 𝑐 2 , . . . be arbitrary complex
numbers.
(a) Prove that there exists exactly one multiplicative function 𝑓 ≠ 0 and exactly
one additive function 𝑔 satisfying
𝑓(𝑞𝑖 ) = 𝑔(𝑞𝑖 ) = 𝑐 𝑖 , 𝑖 = 1, 2, . . . .
 168 6. Arithmetic Functions

(b) Prove that there exists exactly one completely multiplicative function 𝑠 ≠ 0
and exactly one completely additive function 𝑡 satisfying
𝑠(𝑝 𝑖 ) = 𝑡(𝑝 𝑖 ) = 𝑐 𝑖 , 𝑖 = 1, 2, . . . .
5. If 𝑔 can assume only positive integer values, then we can define the composite
function ℎ(𝑛) = (𝑓 ∘ 𝑔)(𝑛) = 𝑓(𝑔(𝑛)) for any 𝑓. True or false?
(a) If 𝑓 and 𝑔 are completely multiplicative, then ℎ is completely multiplicative.
(b) If 𝑓 and 𝑔 are completely additive, then ℎ is completely additive.
(c) If 𝑓 is multiplicative and 𝑔 is completely multiplicative, then ℎ is multiplica-
tive.
(d) If 𝑓 is completely multiplicative and 𝑔 is multiplicative, then ℎ is multiplica-
tive.
6. (a) Let 𝑓 be completely additive. For which positive integers 𝑘 is the function
𝑔(𝑛) = 𝑓(𝑘𝑛) completely additive?
(b) Solve the problem for the case when we prescribe only additivity instead of
complete additivity (for both of 𝑓 and 𝑔).
(c) Investigate the variants for completely multiplicative and multiplicative func-
tions.
S 7. (a) Show that if 𝑓 is completely additive, then
(A.6.1) 𝑓(𝑎) + 𝑓(𝑏) = 𝑓((𝑎, 𝑏)) + 𝑓([𝑎, 𝑏]) holds for every 𝑎 and 𝑏.
(b) Prove (A.6.1) for any additive 𝑓.
* (c) Determine all functions 𝑓 satisfying (A.6.1).
* (d) Investigate also the corresponding equation 𝑓(𝑎)𝑓(𝑏) = 𝑓((𝑎, 𝑏))𝑓([𝑎, 𝑏]).
8. Let 𝑓 be real valued and 𝑔(𝑛) = 2𝑓(𝑛) . Demonstrate that 𝑔 is multiplicative if and
only if 𝑓 is additive.
Remark: This means that properties of additive functions assuming real values and
of multiplicative functions assuming positive values can be mutually deduced from
each other.
9. (a) Verify that both the sum and the difference of two additive functions are ad-
ditive, and the same holds if “additive” is replaced by “completely additive.”
(b) Prove that the product of two completely additive functions is never com-
pletely additive except in the trivial case when at least one of the factors is
the 0 function.
(c) Give examples when the product of two ≠ 0 additive functions is (c1) additive
(c2) not additive.
S* (d) Find all pairs of additive functions whose product is additive.
(e) Show that the product of two multiplicative functions is multiplicative, and
the same holds if “multiplicative” is replaced by “completely multiplicative.”
(f) Verify that neither the sum nor the difference of two distinct ≠ 0 multiplicative
functions can be multiplicative.
 Exercises 6.1 169

10. (a) Show that the arithmetic mean of two additive or completely additive func-
tions has the same property.
(b) Prove that if the arithmetic mean of two completely multiplicative functions
is completely multiplicative then the two functions are equal. What happens
if we require only multiplicativity instead of complete multiplicativity (for all
three functions)?
11. Assume that 𝑓 is multiplicative, 𝑔 is additive, and 𝑓 + 𝑔 is constant. Show that
𝑓1000 + 𝑔1000 is multiplicative and 𝑓1000 𝑔1000 is additive.
* 12. Let ℎ be an additive function.

(a) Prove that if ℎ is the difference of two multiplicative functions, then

ℎ(𝑎)ℎ(𝑏)ℎ(𝑐) = 0 for any pairwise coprime integers 𝑎, 𝑏, and 𝑐.
(b) If ℎ has only the trivial representation 1 ⋅ ℎ = ℎ as the product of a multiplica-
tive and an additive function, then ℎ(𝑎)ℎ(𝑏)ℎ(𝑐) = 0 for any pairwise coprime
integers 𝑎, 𝑏, and 𝑐.
S 13. (a) Assume that the range 𝑅(𝑓) of an additive function 𝑓 is finite. Show that every
𝑐 ∈ 𝑅(𝑓) occurs infinitely often, i.e., there are infinitely many positive integers
𝑏 satisfying 𝑓(𝑏) = 𝑐.
(b) Give an example that shows that the same does not necessarily hold for mul-
tiplicative functions.
(c) Assume that the range 𝑅(𝑓) of a multiplicative function 𝑓 is finite and some
𝑑 ∈ 𝑅(𝑓) occurs only finitely many times, i.e. 𝑓(𝑏) = 𝑑 holds only for finitely
many positive integers 𝑏. Prove that there exists a 𝐾 such that 𝑓(𝑛) = 0 for
every 𝑛 having a prime divisor greater than 𝐾.
14. True or false?
(a) If 𝑓 is additive and 𝑓(𝑎𝑏) = 𝑓(𝑎) + 𝑓(𝑏) for some 𝑎 and 𝑏 not coprime, then 𝑓
is completely additive.
(b) If 𝑓 is additive and 𝑓(𝑎𝑏) = 𝑓(𝑎) + 𝑓(𝑏) for some 𝑎 and 𝑏 not coprime, then
there exist infinitely many such 𝑎 and 𝑏.
(c) If 𝑓 is additive but not completely, then (𝑎, 𝑏) ≠ 1 implies 𝑓(𝑎𝑏) ≠ 𝑓(𝑎)+𝑓(𝑏).
(d) If 𝑓 is additive but not completely, then 𝑓(𝑎𝑏) ≠ 𝑓(𝑎) + 𝑓(𝑏) for infinitely
many 𝑎 and 𝑏.
(e) If 𝑓 is multiplicative but not completely, then 𝑓(𝑎𝑏) ≠ 𝑓(𝑎)𝑓(𝑏) for infinitely
many 𝑎 and 𝑏.
S* 15. Let 𝜑2 (𝑛) denote the number of integers 𝑖 ∈ {1, 2, . . . , 𝑛} satisfying (𝑖, 𝑛) =
(𝑖 + 1, 𝑛) = 1. Give a formula for 𝜑2 (𝑛) based on the standard form of 𝑛.
* 16. Prove
∑ (𝑘 − 1, 𝑛) = 𝜑(𝑛)𝑑(𝑛).
1≤𝑘≤𝑛
(𝑘,𝑛)=1
170 6. Arithmetic Functions

6.2. Some Important Functions

We introduce some basic functions in this section: 𝜎(𝑛), 𝜇(𝑛), 𝜔(𝑛), Ω(𝑛), and 𝑑𝑘 (𝑛).
Definition 6.2.1. 𝜎(𝑛) is the sum of positive divisors of 𝑛. ♣
Example. 𝜎(1) = 1, 𝜎(10) = 18; 𝜎(𝑛) = 𝑛 + 1 ⟺ 𝑛 is a prime.

A divisor will always mean a positive divisor in this chapter.

𝛼 𝛼
Theorem 6.2.2. If the standard form of 𝑛 is 𝑛 = 𝑝1 1 . . . 𝑝𝑟 𝑟 , then
𝑟 𝑟 𝛼 +1
𝛼 𝑝 𝑖 −1
𝜎(𝑛) = ∏(1 + 𝑝 𝑖 + 𝑝𝑖2 +⋯+ 𝑝𝑖 𝑖 ) =∏ 𝑖 . ♣
𝑖=1 𝑖=1
𝑝𝑖 − 1

Proof. We follow the argument applied for deducing the formula for 𝑑(𝑛) (Theorem
1.6.3).
By Theorem 1.6.2, all divisors 𝑑 of 𝑛 are
𝛽 𝛽 𝛽
(6.2.1) 𝑑 = 𝑝1 1 𝑝2 2 . . . 𝑝𝑟 𝑟
where the exponents 𝛽1 , 𝛽2 , . . . , 𝛽𝑟 assume the values
𝛽1 = 0, 1, . . . , 𝛼1 , 𝛽2 = 0, 1, . . . , 𝛼2 , ... , 𝛽𝑟 = 0, 1, . . . , 𝛼𝑟 ,
further, every divisor has a unique representation in that form. Accordingly, 𝜎(𝑛) is the
sum of all these values of 𝑑.
On the other hand, we get the same sum performing the multiplication
𝑟
𝛼
(6.2.2) ∏(1 + 𝑝 𝑖 + 𝑝𝑖2 + ⋯ + 𝑝𝑖 𝑖 ) ∶
𝑖=1

𝛽 𝛽
product (6.2.1) occurs if we multiply 𝑝1 1 from the first factor of (6.2.2), 𝑝2 2 from the
second factor, etc.
This proves the first equality stated in the theorem.
The second equality follows from the well-known summation formula for finite
geometric series. □

For another possible proof of Theorem 6.2.2, see Exercise 6.2.1.

Definition 6.2.3. The Möbius function 𝜇(𝑛) is defined by

⎧ 1, if 𝑛 = 1
𝜇(𝑛) = (−1)𝑟 , if 𝑛 = 𝑝1 . . . 𝑝𝑟 where 𝑝𝑗 are distinct primes ♣
⎨
⎩ 0, if 𝑝2 ∣ 𝑛 for some prime.

Example. 𝜇(10) = 1, 𝜇(20) = 0, 𝜇(30) = −1.

The following property is the key to the important applications of the Möbius func-
tion 𝜇:
6.2. Some Important Functions 171

Theorem 6.2.4.
1, if 𝑛 = 1
∑ 𝜇(𝑑) = { ♣
𝑑∣𝑛 0, if 𝑛 > 1.

Proof. If 𝑛 = 1, then ∑𝑑∣1 𝜇(𝑑) = 𝜇(1) = 1.

𝛼 𝛼
For 𝑛 > 1, let 𝑛 = 𝑝1 1 . . . 𝑝𝑟 𝑟 be the standard form of 𝑛. As 𝜇(𝑘) = 0 if 𝑘 is not
squarefree, it is sufficient to do the summation for the squarefree divisors of 𝑛. Hence,
∑ 𝜇(𝑑) = 𝜇(1) + 𝜇(𝑝1 ) + ⋯ + 𝜇(𝑝𝑟 )+
𝑑∣𝑛

+ 𝜇(𝑝1 𝑝2 ) + 𝜇(𝑝1 𝑝3 ) + ⋯ + 𝜇(𝑝𝑟−1 𝑝𝑟 ) + ⋯ + 𝜇(𝑝1 𝑝2 . . . 𝑝𝑟 ) =

𝑟 𝑟 𝑟
= 1 − 𝑟 + ( ) − ( ) + ⋯ + (−1)𝑟 ( ) = (1 − 1)𝑟 = 0. □
2 3 𝑟
Definition 6.2.5. 𝜔(𝑛) is the number of distinct (positive) prime divisors of 𝑛.
Ω(𝑛) is the total number of (positive) prime divisors of 𝑛, i.e. we count the primes
according to their multiplicity given by the exponent in the standard form of 𝑛.
So 𝜔(1) = Ω(1) = 0, and if the standard form of 𝑛 is
𝛼 𝛼
𝑛 = 𝑝1 1 . . . 𝑝𝑟 𝑟 (where every 𝛼𝑖 > 0),
then
𝜔(𝑛) = 𝑟 and Ω(𝑛) = 𝛼1 + ⋯ + 𝛼𝑟 . ♣
Example. 𝜔(500) = 2, Ω(500) = 5; 𝜔(𝑛) = Ω(𝑛) ⟺ 𝑛 is squarefree.
Definition 6.2.6. Let 𝑘 be a fixed positive integer. Then 𝑑𝑘 (𝑛) is the number of positive
integer solutions of the equation 𝑛 = 𝑥1 𝑥2 . . . 𝑥𝑘 where two solutions are considered as
distinct even if they differ only in the order of the factors. ♣

Clearly, 𝑑1 (𝑛) = 1, 𝑑𝑘 (1) = 1, and 𝑑2 (𝑛) = 𝑑(𝑛) (thus 𝑑𝑘 (𝑛) is a generalization of

𝑑(𝑛)).
𝛼 𝛼
Theorem 6.2.7. If the standard form of 𝑛 is 𝑛 = 𝑝1 1 . . . 𝑝𝑟 𝑟 , then
𝑟
𝛼𝑖 + 𝑘 − 1
𝑑𝑘 (𝑛) = ∏ ( ). ♣
𝑖=1
𝑘−1

Proof. No prime divisor can occur in 𝑥𝑖 other than 𝑝1 , . . . , 𝑝𝑟 , hence the standard form
of 𝑥𝑖 is
𝛽 𝛽 𝛽 𝛽
𝑥1 = 𝑝1 11 . . . 𝑝𝑟 𝑟1 , ... , 𝑥𝑘 = 𝑝1 1𝑘 . . . 𝑝𝑟 𝑟𝑘 ,
where
0 ≤ 𝛽 𝑖𝑗 ≤ 𝛼𝑖 , 𝑖 = 1, 2, . . . , 𝑟, 𝑗 = 1, 2, . . . 𝑘.
(The first index in the exponents refers to the prime, the second index refers to the
variable.)
Then 𝑛 = 𝑥1 𝑥2 . . . 𝑥𝑘 holds if and only if
(6.2.3) 𝛼1 = 𝛽11 + 𝛽12 + ⋯ + 𝛽1𝑘 , ... , 𝛼𝑟 = 𝛽𝑟1 + 𝛽𝑟2 + ⋯ + 𝛽𝑟𝑘 .
172 6. Arithmetic Functions

System (6.2.3) contains 𝑟 equations of the type

(6.2.4) 𝛼 = 𝑦1 + 𝑦2 + ⋯ + 𝑦 𝑘 , 𝑦 𝑖 is a non-negative integer.
We establish a formula for the number of solutions of (6.2.4). That is, we determine
in how many ways 𝛼 can be written as the sum of 𝑘 non-negative integers where the
order of the terms counts, so two representations are considered as distinct even if they
differ only in the order of the summands.
We take a segment of length 𝛼, and measure segments of length 𝑦1 , . . . , 𝑦 𝑘 (includ-
ing the ones of length 0) onto it in this order. We can encode this process by writing 𝑦1
pieces of 1s, then writing a sign ∗ to indicate the end of the first segment, then writing
𝑦2 pieces of 1s followed again by a delimiter ∗, etc., and finally 𝑦 𝑘 pieces of 1s close the
row.
E.g. if 𝛼 = 7 and 𝑘 = 4, then the representation 7 = 4 + 0 + 1 + 2 can be encoded as
1111 ∗ ∗1 ∗ 11. Conversely, ∗1111 ∗ 111∗ stands for the representation 7 = 0 + 4 + 3 + 0.
Thus the number of solutions of (6.2.4) is equal to the number of such sequences
composed of 1s and ∗s. A sequence consists of 𝛼 pieces of 1s and 𝑘 − 1 pieces of ∗s, in
arbitrary order. Hence the number of sequences is
𝛼+𝑘−1
(6.2.5) ( ).
𝑘−1
By (6.2.5), the equations in (6.2.3) have
𝛼 + 𝑘 − 1 𝛼2 + 𝑘 − 1 𝛼 +𝑘−1
(6.2.6) ( 1 ), ( ), . . . , ( 𝑟 )
𝑘−1 𝑘−1 𝑘−1
solutions. Since these equations are independent, the number of solutions of (6.2.3) is
the product of the number of solutions of the individual equations, i.e. of the binomial
coefficients listed in (6.2.6). □

We note that the formulas for 𝜎(𝑛), Ω(𝑛), and 𝑑𝑘 (𝑛) (hence also for 𝑑(𝑛)) remain
valid even if the standard form of 𝑛 may contain some exponents 𝛼𝑖 = 0, but the for-
mulas for 𝜑(𝑛) and 𝜔(𝑛) are valid only if every exponent in the standard form is strictly
positive.
Finally, we examine these functions from the point of view of multiplicativity and
additivity.
Theorem 6.2.8. 𝜑(𝑛), 𝜎(𝑛), 𝜇(𝑛), and 𝑑𝑘 (𝑛) are multiplicative, but not completely (apart
from the trivial case 𝑑1 (𝑛) = 1).
𝜔(𝑛) is additive, but not completely.
Ω(𝑛) is completely additive. ♣

Proof. The multiplicativity of 𝜑(𝑛) was shown in the first proof of Theorem 2.3.1 (and
also in Exercises 2.2.14 and 2.6.10). Further,
6 = 𝜑(9) ≠ 𝜑(3)𝜑(3) = 4,
thus 𝜑(𝑛) is not completely multiplicative. (Moreover, 𝜑(𝑎𝑏) = 𝜑(𝑎)𝜑(𝑏) never holds
if 𝑎 and 𝑏 are not coprime, see Exercise 2.3.10a.)
Exercises 6.2 173

To show that 𝜎(𝑛) is multiplicative, we use the formula in Theorem 6.2.2 (another
proof can be obtained based on Exercise 1.6.5a-b, see Exercise 6.2.1).
If 𝑎 = 1 or 𝑏 = 1, then 𝜎(1) = 1 guarantees 𝜎(𝑎𝑏) = 𝜎(𝑎)𝜎(𝑏).
If 𝑎 and 𝑏 are coprime and their standard forms are
𝛼 𝛼 𝛽 𝛽
𝑎 = 𝑝1 1 . . . 𝑝𝑟 𝑟 and 𝑏 = 𝑞1 1 . . . 𝑞 𝑠 𝑠 ,
where 𝑝 𝑖 ≠ 𝑞𝑗 (due to (𝑎, 𝑏) = 1), then the standard form of 𝑎𝑏 is
𝛼 𝛼 𝛽 𝛽
𝑎𝑏 = 𝑝1 1 . . . 𝑝𝑟 𝑟 𝑞1 1 . . . 𝑞𝑠 𝑠 .
Applying the formula of 𝜎 for 𝑎, 𝑏, and 𝑎𝑏, we obtain
𝛼 +1 𝛼 +1 𝛽 +1 𝛽 +1
𝑝1 1 − 1 𝑝𝑟 𝑟 − 1 𝑞1 1 − 1 𝑞𝑠 𝑠 − 1
𝜎(𝑎)𝜎(𝑏) = ⋅⋯⋅ ⋅ ⋅⋯⋅ = 𝜎(𝑎𝑏).
𝑝1 − 1 𝑝𝑟 − 1 𝑞1 − 1 𝑞𝑠 − 1
Because
36 = 𝜎(2)𝜎(6) ≠ 𝜎(12) = 28,
thus 𝜎(𝑛) is not completely multiplicative. (Moreover, 𝜎(𝑎𝑏) = 𝜎(𝑎)𝜎(𝑏) never holds if
𝑎 and 𝑏 are not coprime, see Exercise 6.2.2.)
We verify the multiplicativity of 𝜇(𝑛) using its Definition 6.2.3. If 𝑎 = 1 or 𝑏 = 1,
then 𝜇(𝑎𝑏) = 𝜇(𝑎)𝜇(𝑏) since 𝜇(1) = 1. If at least one of 𝑎 and 𝑏 is not squarefree, then
their product is not squarefree, so 𝜇(𝑎𝑏) = 𝜇(𝑎)𝜇(𝑏) = 0. Finally if both 𝑎 and 𝑏 are
squarefree and are coprime, then their product is squarefree:
𝑎 = 𝑝1 . . . 𝑝𝑟 , 𝑏 = 𝑞1 . . . 𝑞 𝑠 , 𝑎𝑏 = 𝑝1 . . . 𝑝𝑟 𝑞1 . . . 𝑞𝑠 ,
thus
𝜇(𝑎)𝜇(𝑏) = (−1)𝑟 (−1)𝑠 = (−1)𝑟+𝑠 = 𝜇(𝑎𝑏).
Because
−1 = 𝜇(5)𝜇(15) ≠ 𝜇(75) = 0,
hence 𝜇(𝑛) is not completely multiplicative.
(We note that—in contrast with the behavior of 𝑑(𝑛), 𝜑(𝑛), and 𝜎(𝑛)—there are
infinitely many pairs 𝑎 and 𝑏 with (𝑎, 𝑏) ≠ 1 for which 𝜇(𝑎)𝜇(𝑏) = 𝜇(𝑎𝑏); e.g. 𝑎 = 4
and 𝑏 is an arbitrary even number.)
For 𝑑𝑘 (𝑛), we can proceed similarly as seen at 𝜎(𝑛).
Finally, the statements for 𝜔(𝑛) and Ω(𝑛) follow directly from Definition 6.2.5. □

Exercises 6.2

1. Prove the multiplicativity of 𝜎(𝑛) via Exercise 1.6.5a-b, and deduce the formula for
𝜎(𝑛) from the multiplicative property.
2. Show that if (𝑎, 𝑏) ≠ 1, then 𝜎(𝑎𝑏) < 𝜎(𝑎)𝜎(𝑏) and 𝑑𝑘 (𝑎𝑏) < 𝑑𝑘 (𝑎)𝑑𝑘 (𝑏) for 𝑘 > 1.
3. Assume that 𝑛𝜑(𝑛)𝜎(𝑛) is not divisible by 3. Verify that 𝑛 must be a square.
4. Prove that to any 𝑛 there exist infinitely many 𝑘 satisfying 𝜎(𝑛) ∣ 𝜎(𝑛𝑘 ).
 174 6. Arithmetic Functions

5. We divide the sum of divisors of 𝑛 by the sum of reciprocals of the divisors of 𝑛.

What is the quotient?
6. For which values of 𝑛 is 𝜎(𝑛) (a) odd (b) a power of 2?
S* 7. Show that infinitely many positive integers are missing from the range of 𝜎(𝑛).
S* 8. Find all positive integers 𝑛 for which 𝜎(𝑛! ) = 𝑘! with a suitable 𝑘.
9. Prove 𝜎(𝑛) ≥ 𝑛 + √𝑛 + 1 for any composite 𝑛. When does equality hold?
10. Consider the equation 𝜎(𝑛) = 𝑛 + 𝑐 where 𝑛 is the variable and 𝑐 is a fixed positive
integer.
(a) Solve the equation if 𝑐 is (a1) 1; (a2) 5; (a3) 8; (a4) 11.
(b) For which 𝑐 are there infinitely many solutions?
(c) Assume that the even Goldbach conjecture holds in the following slightly
stronger form: Every even number greater than 6 is the sum of two distinct
primes. Show that the above equation has a solution for any odd number
𝑐 ≠ 5.
Remark: It was a long-standing unsolved problem whether the equation has no
solutions for infinitely many positive integers 𝑐. Finally, Erdős showed that there
exist infinitely many such (even) 𝑐.
11. Consider the equation 𝜎(𝑛) − 𝜑(𝑛) = 𝑐 where 𝑛 is the variable and 𝑐 is a fixed
positive integer.
(a) Solve the equation if 𝑐 is (a1) 2; (a2) 4; (a3) 5; (a4) 10.
(b) For which 𝑐 are there infinitely many solutions?
(c) Assume that the even Goldbach conjecture holds in the following slightly
stronger form: Every even number greater than 6 is the sum of two distinct
primes. Find infinitely many 𝑐 for which the equation has a solution.
12. How many pairs of composite integers 𝑎 ≠ 𝑏 satisfy
(a) 𝑎 + 𝜑(𝑏) = 𝑏 + 𝜑(𝑎)
* (b) 𝑎 + 𝜎(𝑏) = 𝑏 + 𝜎(𝑎)?
13. Show that the following inequalities hold for every 𝑛 and determine the cases of
equality.
(𝑛 + 1)𝑑(𝑛)
(a) 𝜎(𝑛) ≤
2
𝑛𝑑(𝑛)
(b) 𝜎(𝑛) ≤ +1
2
(c) 𝜎(𝑛) ≥ 𝑛 + 2𝑑(𝑛) − 3.
* 14. Solve the equation 2𝜎(𝑛) = 𝑛𝑑(𝑛).
15. (a) Show that the following inequalities hold for every 𝑛 and determine the cases
of equality.
(a1) 𝜎(𝑛)𝜑(𝑛) ≤ 𝑛2 − 1
(a2) 𝜎(𝑛) + 𝜑(𝑛) ≥ 2𝑛.
 6.3. Perfect Numbers 175

(b) Demonstrate
𝑛2
* (b1) 𝜎(𝑛)𝜑(𝑛) >
2
𝜍(𝑛)𝜑(𝑛) 6
(b2) inf 𝑛2
= .
𝜋2
* 16. Prove
𝜑(𝑛) ∣ 𝑛𝜎(𝑛) − 2 ⟺ 𝑛 is a prime or 𝑛 = 1, 4, 6, 22.
17. What is the range of the following functions?
(a) 𝑓(𝑛) = 𝜇(𝑛) + 𝜇(2𝑛) + 𝜇(5𝑛) + 𝜇(10𝑛)
S (b) 𝑔(𝑛) = ∑ 𝜇(𝑘𝑛).
𝑘∣100!

18. (a) How many consecutive integers are there such that 𝜇(𝑛) is zero for none of
them?
(b) How many consecutive integers are there such that 𝜇(𝑛) is zero for each of
them?
* 19. Show that the sum of the 𝑛th primitive complex roots of unity is 𝜇(𝑛).
20. Give a simpler form for the function 𝜇(𝑛)(Ω(𝑛) − 𝜔(𝑛)).
21. (a) Prove
2𝜔(𝑛) ≤ 𝑑(𝑛) ≤ 2Ω(𝑛)
for every 𝑛. When do we have equality?
(b) How can we generalize part (a) for 𝑑𝑘 (𝑛) instead of 𝑑(𝑛)?
22. True or false?
(a) If 𝑛 is a square, then 𝑑(𝑛) ∣ 𝑑3 (𝑛).
(b) If 𝑑(𝑛) ∣ 𝑑3 (𝑛), then 𝑛 is a square.
23. Let 𝜈 be an arbitrary real number and define 𝜎𝜈 (𝑛) to be the sum of 𝜈th powers of
the divisors of 𝑛:
𝜎𝜈 (𝑛) = ∑ 𝑑 𝜈 .
𝑑∣𝑛
In particular: 𝜎1 (𝑛) = 𝜎(𝑛) and 𝜎0 (𝑛) = 𝑑(𝑛).
Find a formula for 𝜎𝜈 (𝑛) and show that 𝜎𝜈 (𝑛) is multiplicative.

6.3. Perfect Numbers

Antique Greek numerology viewed the proper divisors of a number as parts of it (i.e. the
number itself was not regarded as a divisor), and called a number perfect if it can be
“assembled from its parts”. E.g. 6 = 1+2+3 and 28 = 1+2+4+7+14 have this property.
The famous book Elements by Euclid provides the following general construction (with
proof!):
If we form a geometric series of double proportion starting from the unity till the
sum will be a prime, and multiply the sum by the last term, then the product is a perfect
number.
176 6. Arithmetic Functions

In modern terminology, a number 𝑛 is perfect if and only if 𝜎(𝑛) = 2𝑛 (since we

count also 𝑛 itself as a divisor), and Euclid’s theorem claims that
(1 + 2 + 22 + ⋯ + 2𝑘 )2𝑘 = (2𝑘+1 − 1)2𝑘
is perfect if 2𝑘+1 − 1 is a prime. For 𝑘 = 1 and 𝑘 = 2 we obtain 6 and 28.
Primes of the form 2𝑠 − 1 are the Mersenne primes (see Section 5.2), and then 𝑠
is necessarily a prime, too. As mentioned in Section 5.2, Mersenne (and many other
contemporaries) investigated these primes in search of large perfect numbers.
Euler proved that every even perfect number is given by Euclid’s construction. This
means that there are exactly as many even perfect numbers as Mersenne primes. It is
unknown whether there exist infinitely many Mersenne primes, hence we do not know
whether there are infinitely many even perfect numbers. Another unsolved problem is
whether there are odd perfect numbers at all. These simply formulated questions, more
than 2000 years old, are perhaps the most ancient unsolved problems in mathematics.
Now we repeat the definition of perfect numbers and prove the theorems of Euclid
and Euler characterizing the even perfect numbers.
Definition 6.3.1. The positive integer 𝑛 is a perfect number if 𝜎(𝑛) = 2𝑛. ♣
Theorem 6.3.2. An even number 𝑛 is perfect if and only if 𝑛 = 2𝑝−1 (2𝑝 − 1) where 2𝑝 − 1
is a (Mersenne) prime (and thus also 𝑝 is a prime). ♣

Proof. First we show that these numbers are perfect. Since 2𝑝 − 1 is a prime, therefore
𝑛 is given in its standard form, and
𝜎(𝑛) = (1 + 2 + ⋯ + 2𝑝−1 )(1 + (2𝑝 − 1)) = (2𝑝 − 1)2𝑝 = 2𝑛,
by Theorem 6.2.2.
For the converse, assume that 𝑛 is even and perfect, i.e.
(6.3.1) 𝑛 = 2𝑘 𝑡, where 𝑘 ≥ 1 and 𝑡 is odd, and 𝜎(𝑛) = 2𝑛.
𝑘
Since (2 , 𝑡) = 1, we get
(6.3.2) 2𝑘+1 𝑡 = 2𝑛 = 𝜎(𝑛) = 𝜎(2𝑘 )𝜎(𝑡) = (2𝑘+1 − 1)𝜎(𝑡),
using the multiplicativity of 𝜎 and the formula for 𝜎(2𝑘 ).
Subtracting (2𝑘+1 − 1)𝑡 from the first and last terms in (6.3.2), we can factor 𝑡 as
(6.3.3) 𝑡 = (2𝑘+1 − 1)(𝜎(𝑡) − 𝑡).

We observe from (6.3.3) that 𝜎(𝑡)−𝑡 is a divisor of 𝑡. Also, 𝑘 ≥ 1 implies 2𝑘+1 −1 > 1,
thus 𝜎(𝑡) − 𝑡 ≠ 𝑡, by (6.3.3).
Since 𝜎(𝑡) − 𝑡 and 𝑡 are distinct divisors of 𝑡, with sum 𝜎(𝑡) which is the sum of all
divisors of 𝑡, 𝑡 has no other divisors. This means that 𝑡 is a prime, so 𝜎(𝑡) − 𝑡 = 1.
Substituting into (6.3.3) and (6.3.1), we obtain
𝑛 = 2𝑘 (2𝑘+1 − 1), where 2𝑘+1 − 1 is a prime,
which yields the desired form of 𝑛 (after replacing 𝑘 + 1 by 𝑝). □
 Exercises 6.3 177

Exercises 6.3

1. Show that the last digit of an even perfect number is 6 or 8 (in the decimal system).
2. Prove that if there exists an odd perfect number 𝑛, then
(a) 𝑛 = 𝑠2 𝑝 where 𝑝 is a prime of the form 4𝑘 + 1
(b) 𝑛 ≡ 1 (mod 12) or 𝑛 ≡ 9 (mod 36).
3. Following the ancient Greeks, we call a natural number deficient if it is greater
than the sum of its proper divisors (i.e. the total of its parts is less than the number
itself). A number is abundant if this sum is greater than the number (i.e. its parts
together surpass the number). For example, 10 is deficient since 1 + 2 + 5 < 10,
but 12 is abundant as 1 + 2 + 3 + 4 + 6 > 12.
Verify the following statements.
(a) Every prime power is deficient.
(b) If an odd number has only two distinct prime divisors, then it is deficient.
(c) For every 𝑘 ≥ 3 there are both infinitely many odd abundant numbers and
infinitely many odd deficient numbers with exactly 𝑘 distinct prime divisors.
(d) Every multiple of an abundant number is abundant.
(e) Every deficient number has both infinitely many abundant multiples and in-
finitely many deficient multiples.
* 4. If we disregard trivial divisors (1 and the number itself), and want to assemble a
number from its other divisors, then we get the condition 𝜎(𝑛) = 2𝑛 + 1. Prove
that 𝑛 must be the square of an odd integer.
Remark: These numbers are called quasiperfect. It is unknown whether there exist
any quasiperfect numbers.
S* 5. A positive integer 𝑛 is called superperfect if 𝜎(𝜎(𝑛)) = 2𝑛. Prove the following
assertions.
(a) An even number 𝑛 is superperfect if and only if 𝑛 = 2𝑝−1 where 2𝑝 − 1 is a
(Mersenne) prime.
(b) An odd superperfect number must be a square.
(c) An odd prime power cannot be superperfect.
Remark: By part (a), there are as many even superperfect numbers as
Mersenne primes, thus it is unknown whether there exist infinitely many even
superperfect numbers. It is also unknown whether there are any odd superperfect
numbers.
6. A positive integer 𝑛 is a harmonic number (or Ore number) if the harmonic mean
of its divisors is an integer. Verify the following propositions.
(a) 𝑛 is harmonic if and only if 𝜎(𝑛) ∣ 𝑛𝑑(𝑛).
(b) Every perfect number is harmonic.
178 6. Arithmetic Functions

(c) No prime powers are harmonic.

(d) 6 is the only squarefree harmonic number.

Remark: Numbers that are not perfect can be harmonic, e.g. 1 and 140 are har-
monic. It is unknown whether there are infinitely many harmonic numbers, and
whether there exists an odd harmonic number greater than 1.

7. The positive integers 𝑎 ≠ 𝑏 form an amicable pair if 𝜎(𝑎) = 𝜎(𝑏) = 𝑎 + 𝑏. E.g. 220
and 284 form an amicable pair.

(a) Show that every amicable pair consists of a deficient and an abundant number
(see the definitions in Exercise 6.3.3).
(b) Verify that a power of two cannot be a member of an amicable pair.

Remark: The origin of this notion is the ancient Greek numerology, as well: Each
of the two numbers can be assembled from the parts (i.e. from the proper divisors)
of the other. It is unknown whether there are infinitely many amicable pairs, and
whether there exists an amicable pair where the members are coprime or have
opposite parity.

6.4. Behavior of 𝑑(𝑛)

We show first that the values of 𝑑(𝑛) fluctuate capriciously, with arbitrarily deep
canyons and arbitrarily high peaks in the graph of the function.

Theorem 6.4.1 (Canyon theorem). Given any positive integer 𝐾, there are infinitely
many 𝑛 satisfying

(6.4.1) 𝑑(𝑛 − 1) − 𝑑(𝑛) > 𝐾 and 𝑑(𝑛 + 1) − 𝑑(𝑛) > 𝐾

simultaneously. ♣

Proof. We shall choose 𝑛 as a suitable prime number, so 𝑑(𝑛) = 2.

Then (6.4.1) requires that both 𝑛 − 1 and 𝑛 + 1 have at least 𝐾 + 3 divisors. This is
certainly true if e.g. 2𝐾+2 ∣ 𝑛 − 1 and 3𝐾+2 ∣ 𝑛 + 1, so 𝑛 is a solution of the system of
congruences

(6.4.2) 𝑥 ≡ 1 (mod 2𝐾+2 ) , 𝑥 ≡ −1 (mod 3𝐾+2 ) .

Since (2𝐾+2 , 3𝐾+2 ) = 1, (6.4.2) is solvable and all (positive) solutions are of the
form 𝑥 ≡ 𝑥0 (mod 6𝐾+2 ), or

(6.4.3) 𝑥 = 𝑥0 + 𝑡6𝐾+2 , 𝑡 = 0, 1, 2, . . . .

We have to show that the arithmetic progression (6.4.3) contains infinitely many
primes. By Dirichlet’s Theorem (Theorem 5.3.1), this holds if 𝑥0 and 6𝐾+2 are coprime.
Since 𝑥0 is a solution of (6.4.2), 𝑥0 is relatively prime to both 2 and 3, hence also to
6𝐾+2 . □
6.4. Behavior of 𝑑(𝑛) 179

Theorem 6.4.2 (Peak theorem). Given any positive integer 𝐾, there are infinitely many
𝑛 satisfying
(6.4.4) 𝑑(𝑛) − 𝑑(𝑛 − 1) > 𝐾 and 𝑑(𝑛) − 𝑑(𝑛 + 1) > 𝐾
simultaneously. ♣

Proof. We choose 𝑛 as the product of the first 𝑟 primes:

(6.4.5) 𝑛 = 𝑝1 . . . 𝑝𝑟 so 𝑑(𝑛) = 2𝑟 .
We shall show
(6.4.6) 𝑑(𝑛 − 1) ≤ 2𝑟−1 and 𝑑(𝑛 + 1) ≤ 2𝑟−1 .
From (6.4.5) and (6.4.6)
𝑑(𝑛) − 𝑑(𝑛 − 1) ≥ 2𝑟−1 and 𝑑(𝑛) − 𝑑(𝑛 + 1) ≥ 2𝑟−1 ,
so (6.4.4) is true if 2𝑟−1 > 𝐾.
We verify the second inequality in (6.4.6); the first one can be treated similarly.
Write 𝑛 + 1 as a product of primes: 𝑛 + 1 = 𝑞1 . . . 𝑞𝑠 (now 𝑞𝑖 = 𝑞𝑗 may occur, too).
Since 𝑛 is the product of the first 𝑟 primes and (𝑛 + 1, 𝑛) = 1, 𝑞𝑖 > 𝑝𝑟 for every 𝑖 (where
𝑝𝑟 is the 𝑟th prime).
Each divisor of 𝑛 + 1 is the product of some of its prime divisors (e.g. 1 and 𝑛 + 1
are obtained when no 𝑞𝑗 or every 𝑞𝑗 is taken). If the 𝑞𝑗 are not all distinct, then some
products may give the same divisor. Hence, 𝑑(𝑛 + 1) ≤ 2𝑠 .
Thus the second inequality 𝑑(𝑛 + 1) ≤ 2𝑟−1 in (6.4.6) follows if we show 𝑠 ≤ 𝑟 − 1.
For a proof by contradiction, assume 𝑠 ≥ 𝑟. Then we get a contradiction (for 𝑟 ≥ 2)
from the chain of inequalities
𝑛 + 1 = 𝑞1 . . . 𝑞𝑠 ≥ 𝑞1 . . . 𝑞𝑟 ≥ 𝑝𝑟𝑟 + 1 ≥ 𝑝1 . . . 𝑝𝑟 + 2 = 𝑛 + 2. □

The canyon and peak theorems illustrate that the behavior of 𝑑(𝑛) is very irregular.
Now we shall investigate the average of the first 𝑛 values of the function. It turns out
that this mean value function (or average value function) is already very nice.
Theorem 6.4.3. Let
𝑛
𝐷(𝑛) = ∑ 𝑑(𝑖).
𝑖=1
Then
(6.4.7) | 𝐷(𝑛) − log 𝑛| ≤ 1
| 𝑛 |
for every 𝑛. ♣

Proof. We shall use the fact that

𝑛
1
(6.4.8) log 𝑛 < ∑ ≤ 1 + log 𝑛
𝑗=1
𝑗

for every 𝑛. (Inequalities (6.4.8) can be proved by comparing suitable areas and inte-
grals similar to the method applied in the first proof of Theorem 5.6.1.)
180 6. Arithmetic Functions

We construct an 𝑛 × 𝑛 matrix where the 𝑗th element of the 𝑖th row 𝑎𝑖𝑗 is 1 or 0,
depending on whether 𝑗 divides 𝑖 or not:
1, if 𝑗 ∣ 𝑖
𝑎𝑖𝑗 = {
0, if 𝑗 ∤ 𝑖.
For example, we obtain the following matrix for 𝑛 = 6:
1 0 0 0 0 0
⎛ ⎞
1 1 0 0 0 0
⎜ ⎟
⎜1 0 1 0 0 0⎟
.
⎜1 1 0 1 0 0⎟
⎜1 0 0 0 1 0⎟
⎝1 1 1 0 0 1⎠
The key idea of the proof is to determine the sum of all elements in the matrix (i.e. the
number of 1s) in two different ways.
In row 𝑖 there are 1s whenever 𝑗 ∣ 𝑖, so the sum of elements in row 𝑖 is 𝑑(𝑖). Thus
summing by rows, we obtain that the sum of all elements in the matrix is
𝑛
(6.4.9) 𝐷(𝑛) = ∑ 𝑑(𝑖).
𝑖=1

In column 𝑗 there are 1s exactly in places

𝑛
𝑗, 2𝑗, . . . , ⌊ ⌋𝑗,
𝑗
thus the sum of elements in column 𝑗 is ⌊𝑛/𝑗⌋. Summing by columns, we get that the
sum of all elements in the matrix is
𝑛
𝑛
(6.4.10) ∑ ⌊ ⌋.
𝑗=1
𝑗

Both (6.4.9) and (6.4.10) provide the sum of elements in the matrix, so
𝑛
𝑛
(6.4.11) 𝐷(𝑛) = ∑ ⌊ ⌋.
𝑗=1
𝑗

Using the inequalities

𝑛 𝑛 𝑛
−1<⌊ ⌋≤
𝑗 𝑗 𝑗
and (6.4.8), we deduce from (6.4.11) that
𝑛 𝑛
𝑛 1
(6.4.12a) 𝐷(𝑛) ≤ ∑ = 𝑛 ∑ ≤ 𝑛(1 + log 𝑛)
𝑗=1
𝑗 𝑖=1
𝑗

and
𝑛 𝑛
𝑛 1
(6.4.12b) 𝐷(𝑛) > ∑ ( − 1) = (𝑛 ∑ ) − 𝑛 > 𝑛(−1 + log 𝑛).
𝑗=1
𝑗 𝑗=1
𝑗

Dividing inequalities (6.4.12a) and (6.4.12b) by 𝑛, we obtain (6.4.7). □

6.4. Behavior of 𝑑(𝑛) 181

Theorem 6.4.3 can be written also in the form |𝐷(𝑛) − 𝑛 log 𝑛| ≤ 𝑛. The next
theorem gives a better estimate for the difference of 𝐷(𝑛) and 𝑛 log 𝑛 (i.e. we obtain a
better bound for the error term).
𝑛
We shall need a more precise estimate of the sum ∑𝑗=1 1/𝑗 than that given by
𝑛
(6.4.8): The sequence ∑𝑗=1 1/𝑗−log 𝑛 converges, its limit is known as Euler’s constant,
𝛾 = 0.577 . . . , and
| 𝑛 1 |
(6.4.13) | ∑ − log 𝑛 − 𝛾| ≤ 10
| |
|𝑗=1 𝑗 | 𝑛

for every 𝑛.

Theorem 6.4.4. There exists a constant 𝑐 such that

(6.4.14) |𝐷(𝑛) − 𝑛 log 𝑛 − (2𝛾 − 1)𝑛| < 𝑐√𝑛

for every 𝑛. ♣

Proof. 𝑑(𝑖) is the number of pairs of positive integers 𝑥 and 𝑦 satisfying 𝑥𝑦 = 𝑖 (where
𝑛
the order of 𝑥 and 𝑦 counts). Therefore 𝐷(𝑛) = ∑𝑖=1 𝑑(𝑖) is the number of pairs of
positive integers 𝑥 and 𝑦 satisfying 𝑥𝑦 ≤ 𝑛.
This means that 𝐷(𝑛) is the number of lattice points (𝑥, 𝑦) (with integer coordi-
nates) in the region defined by the positive halves of the coordinate axes and the hy-
perbola 𝑥𝑦 = 𝑛, including the lattice points on the hyperbola but not the ones on the
axes. Now we count these lattice points.
Let 𝐴(𝑛) be the number of lattice points (𝑥, 𝑦) with 𝑥 ≤ √𝑛. As lattice points are
symmetric about the line 𝑦 = 𝑥, the number of lattice points with 𝑦 ≤ √𝑛 is also 𝐴(𝑛).
We took thus all lattice points into consideration, but counted twice the lattice
points satisfying both 𝑥 ≤ √𝑛 and 𝑦 ≤ √𝑛. These are the lattice points in the square
where one of the diagonals is the segment connecting the origin and (√𝑛, √𝑛), so there
are ⌊√𝑛⌋2 lattice points in this square.
Thus the total number of lattice points is

(6.4.15) 𝐷(𝑛) = 2𝐴(𝑛) − ⌊√𝑛⌋2 .

Now we determine 𝐴(𝑛). There are ⌊𝑛/𝑗⌋ lattice points with first coordinate 𝑗, so

⌊√𝑛⌋
𝑛
(6.4.16) 𝐴(𝑛) = ∑ ⌊ ⌋.
𝑗=1
𝑗

Estimating the sum on the right-hand side of (6.4.16) similar to the proof of Theo-
rem 6.4.3, we obtain
⌊√𝑛⌋
1
(6.4.17) 𝐴(𝑛) = 𝑛 ∑ + 𝑓(𝑛), where |𝑓(𝑛)| < √𝑛.
𝑗=1
𝑗
182 6. Arithmetic Functions

We apply (6.4.13) for the sum in (6.4.17):

⌊√𝑛⌋
1 10
(6.4.18) ∑ = log⌊√𝑛⌋ + 𝛾 + 𝑔(𝑛) where |𝑔(𝑛)| ≤ .
𝑗=1
𝑗 ⌊√𝑛⌋

Substituting back into (6.4.17), we get

(6.4.19a) 𝐴(𝑛) = 𝑛 log⌊√𝑛⌋ + 𝛾𝑛 + ℎ(𝑛)

where
10𝑛 10𝑛
(6.4.19b) |ℎ(𝑛)| = |𝑛𝑔(𝑛) + 𝑓(𝑛)| < + √𝑛 < + √𝑛 = 21√𝑛.
⌊√𝑛⌋ √𝑛
2
log 𝑛
To replace log⌊√𝑛⌋ in (6.4.19a) by log √𝑛 = 2
, we estimate the error term, the dif-
log 𝑛
ference 2
− log⌊√𝑛⌋.
Applying the mean value theorem of Lagrange and (log 𝑥)′ = 1/𝑥, to any 𝑎 > 1
there exists some 𝑢 satisfying 𝑎 − 1 < 𝑢 < 𝑎 and
log 𝑎 − log(𝑎 − 1) 1 1
log 𝑎 − log(𝑎 − 1) = = < .
𝑎 − (𝑎 − 1) 𝑢 𝑎−1
Therefore
log 𝑛 1 2
(6.4.20) 0≤ − log⌊√𝑛⌋ < log √𝑛 − log(√𝑛 − 1) < ≤
2 √𝑛 − 1 √𝑛
for any 𝑛 ≥ 4.
By (6.4.20), we can rewrite (6.4.19a) and (6.4.19b) as
𝑛 log 𝑛
(6.4.21) 𝐴(𝑛) = + 𝛾𝑛 + 𝑘(𝑛), where |𝑘(𝑛)| < 23√𝑛.
2
To eliminate the floor sign in (6.4.15) and to replace ⌊√𝑛⌋2 by 𝑛, we estimate 𝑛 − ⌊√𝑛⌋2 :

0 ≤ 𝑛 − ⌊√𝑛⌋2
= (√𝑛)2 − ⌊√𝑛⌋2
(6.4.22) = (√𝑛 − ⌊√𝑛⌋)(√𝑛 + ⌊√𝑛⌋)
< 1(√𝑛 + √𝑛)
= 2√𝑛.

Finally, substituting (6.4.21) and (6.4.22) into (6.4.15), we obtain

𝐷(𝑛) = 𝑛 log 𝑛 + (2𝛾 − 1)𝑛 + ℓ(𝑛) where |ℓ(𝑛)| < 48√𝑛. □

Remarks: (1) Improving the bound (6.4.14) for the error term in Theorem 6.4.4 is
called the divisor problem and has an extensive literature. It was shown that √𝑛
can be replaced by 𝑛0.32 , but not by 𝑛0.25 .
6.4. Behavior of 𝑑(𝑛) 183

(2) As
log 1 + log 2 + ⋯ + log 𝑛 ∼ 𝑛 log 𝑛
(the two functions are asymptotically equal, their ratio tends to 1), Theorem 6.4.3
(or 6.4.4) implies
(6.4.23) 𝑑(1) + 𝑑(2) + ⋯ + 𝑑(𝑛) ∼ log 1 + log 2 + ⋯ + log 𝑛.

Relation (6.4.23) expresses that the average order of magnitude of 𝑑(𝑛) is log 𝑛.
This does not mean, however, that a typical 𝑛 has about log 𝑛 divisors; we prove in
Section 6.7 (see Exercise 6.7.6), that the number of divisors is smaller in general:
𝑑(𝑛) is about
(log 𝑛)log 2 = (log 𝑛)0.69. . .
for most integers 𝑛. The bigger average log 𝑛 is due to those rarely occurring num-
bers that have extremely many divisors.

Finally, we examine a few further properties of the range of 𝑑(𝑛).

Note that 𝑑(𝑛) assumes every value 𝑘 ≥ 2 infinitely often, since 𝑑(𝑝𝑘−1 ) = 𝑘 for
any prime 𝑝.
As for upper bounds for 𝑑(𝑛) depending on 𝑛, we established some of them in
Exercise 1.6.11. The next theorem improves those results significantly:
Theorem 6.4.5. For any fixed 𝛿 > 0,
𝑑(𝑛)
lim = 0. ♣
𝑛→∞ 𝑛𝛿
The proof relies on the following fact of independent interest:
Theorem 6.4.6. Let
{𝑞1 < 𝑞2 < . . . } = {2, 3, 4, 5, 7, 8, 9, 11, . . . }
be the sequence of all prime powers and 𝑓 an arbitrary multiplicative function. Then
lim 𝑓(𝑞𝑗 ) = 0 ⟹ lim 𝑓(𝑛) = 0. ♣
𝑗→∞ 𝑛→∞

Proof. The condition implies

(6.4.24) |𝑓(𝑞𝑗 )| ≤ 𝐻 for every 𝑗 and |𝑓(𝑞𝑗 )| ≤ 1, for 𝑗 > 𝑘
with suitable values 𝐻 and 𝑘.
First we show
(6.4.25) |𝑓(𝑚)| ≤ 𝐻 𝑘
𝑟 𝛼
for every 𝑚. If the standard form of 𝑚 is 𝑚 = ∏𝑖=1 𝑝𝑖 𝑖 , then
𝑟
𝛼
(6.4.26) |𝑓(𝑚)| = ∏ |𝑓(𝑝𝑖 𝑖 )|
𝑖=1

since 𝑓 is multiplicative. By (6.4.24), at most 𝑘 factors on the right-hand side of (6.4.26)

are greater than 1, and each is less than or equal to 𝐻, thus (6.4.25) holds.
184 6. Arithmetic Functions

Let 𝜀 > 0 be arbitrary. We have to guarantee an 𝑛0 = 𝑛0 (𝜀) such that |𝑓(𝑛)| < 𝜀 for
every 𝑛 > 𝑛0 .
By the condition, there exists an 𝑠 = 𝑠(𝜀) such that
𝜀
(6.4.27) |𝑓(𝑞𝑗 )| < 𝑘 , for every 𝑗 > 𝑠.
𝐻
We claim that 𝑞1 . . . 𝑞𝑠 can be chosen as 𝑛0 .
If 𝑛 > 𝑞1 . . . 𝑞𝑠 , then there must occur a prime power 𝑞𝑗 greater than 𝑞𝑠 : 𝑛 = 𝑞𝑗 𝑚
where (𝑞𝑗 , 𝑚) = 1.
By (6.4.27), |𝑓(𝑞𝑗 )| < 𝜀/𝐻 𝑘 , and |𝑓(𝑚)| ≤ 𝐻 𝑘 , by (6.4.25), so
𝜀
|𝑓(𝑛)| = |𝑓(𝑞𝑗 )| ⋅ |𝑓(𝑚)| < 𝑘 ⋅ 𝐻 𝑘 = 𝜀. □
𝐻
Proof of Theorem 6.4.5. We apply Theorem 6.4.6 for the function
𝑑(𝑛)
𝑓(𝑛) = .
𝑛𝛿
To do this, we have to show
𝑑(𝑞𝑗 )
(6.4.28) lim = 0.
𝑗→∞ 𝑞𝑗𝛿
Let 𝑞𝑗 = 𝑝𝛼 (where 𝑝 is a prime). Then
2 log(𝑝𝛼 ) 2 log 𝑞𝑗
𝑑(𝑞𝑗 ) = 𝑑(𝑝𝛼 ) = 𝛼 + 1 ≤ 2𝛼 = ≤ ,
log 𝑝 log 2
hence
𝑑(𝑞𝑗 ) 2 log 𝑞𝑗
(6.4.29) ≤ ⋅ .
𝑞𝑗𝛿 log 2 𝑞𝑗𝛿
Since
log 𝑥
lim= 0,
𝑥𝛿
𝑥→∞
the right-hand side in (6.4.29) tends to 0, therefore this is true also for the left-hand
side. □
Remark: It can be shown that the maximal order of magnitude of 𝑑(𝑛) is approximately
log 2
𝑛 log log 𝑛 .
The precise formulation is:
(i) For any 𝜀 > 0, there exists an 𝑛0 = 𝑛0 (𝜀) such that
(1+𝜀) log 2
𝑑(𝑛) < 𝑛 log log 𝑛

for every 𝑛 > 𝑛0 .

(ii) For any 𝜀 > 0 there exist infinitely many 𝑛 satisfying
(1−𝜀) log 2
𝑑(𝑛) > 𝑛 log log 𝑛 .

The proof of (ii) is Exercise 6.4.3b.

 Exercises 6.4 185

Exercises 6.4

* 1. Show that the statements of Theorems 6.4.1 and 6.4.2 remain valid if 𝑑(𝑛) is re-
placed by 𝜎(𝑛), 𝜑(𝑛), Ω(𝑛), 𝜔(𝑛), or 𝑑𝑘 (𝑛) with 𝑘 > 1.
2. Prove
𝑑𝑘 (𝑛)
lim =0
𝑛→∞ 𝑛𝛿
for any fixed 𝛿 > 0 and positive integer 𝑘.
3. Let 𝜀 > 0 be arbitrary. Find infinitely many 𝑛 satisfying
(a) 𝑑(𝑛) > (log 𝑛)100
(1−𝜀) log 2
* (b) 𝑑(𝑛) > 𝑛 log log 𝑛 .
4. Prove Ω(𝑛) ≤ log2 𝑛 for every 𝑛. When do we get equality?
* 5. Let 𝜀 > 0 be arbitrary. Prove the following statements.
(a) If 𝑛 is sufficiently large, then
(1 + 𝜀) log 𝑛
𝜔(𝑛) < .
log log 𝑛
(b) There are infinitely many 𝑛 satisfying
(1 − 𝜀) log 𝑛
𝜔(𝑛) > .
log log 𝑛
6. Show that if 𝑛 is large enough, then
(a) 𝜑(𝑛) > 𝑛0.99
𝑛
(b) 𝜑(𝑛) >
2 log 𝑛
𝑛
* (c) 𝜑(𝑛) >
𝐶 log log 𝑛
(d) 𝜎(𝑛) < 𝑛1,01
(e) 𝜎(𝑛) < 2𝑛 log 𝑛
* (f) 𝜎(𝑛) < 𝐶𝑛 log log 𝑛
where 𝐶 is a suitable absolute constant in parts (c) and (f).
7. Verify.
(a) The range of 𝜑(𝑛)/𝑛 is everywhere dense in the interval [0, 1].
(b) The range of 𝜎(𝑛)/𝑛 is everywhere dense in [1, ∞].
* 8. Dirichlet’s Theorem (Theorem 5.3.1) states that if the positive integers 𝑎 and 𝑑 are
coprime, then the arithmetic progression 𝑎 + 𝑘𝑑, 𝑘 = 0, 1, 2, . . . contains infinitely
many primes. The following significantly stronger results hold as well:
(i) The sum of reciprocals of these primes is divergent.
 186 6. Arithmetic Functions

(ii) The number of such primes not greater than 𝑛 (with 𝑎 and 𝑑 fixed) is asymp-
totically
𝑛
𝜑(𝑑) log 𝑛
when 𝑛 → ∞.
(i) and (ii) are far-reaching generalizations of Theorems 5.6.1 and 5.4.1.
(a) Let 𝑘 be a fixed positive integer. Apply (i) to show that 𝑘 ∣ 𝜑(𝑛) holds for nearly
every 𝑛. More precisely, let 𝐹(𝑁) be the number of integers 𝑥 ≤ 𝑁 satisfying
𝑘 ∣ 𝜑(𝑥); then lim𝑁→∞ 𝐹(𝑁)/𝑁 = 1.
S (b) Prove that nearly all positive integers are missing from the range of 𝜑(𝑛). (Sim-
ilar to the previous interpretation, let 𝐺(𝑁) be the number of values 𝑦 ≤ 𝑁
occurring in the range of 𝜑(𝑛); then lim𝑁→∞ 𝐺(𝑁)/𝑁 = 0.)
* 9. Show that the statements of the previous exercise remain valid if 𝜑 is replaced by 𝜎.

6.5. Summation and Inversion Functions

Definition 6.5.1. The summation function with respect to divisors of the arithmetic
function 𝑓 is
𝑓+ (𝑛) = ∑ 𝑓(𝑑). ♣
𝑑∣𝑛

Examples. The summation function of 𝑓(𝑛) = 1 is 𝑓+ (𝑛) = 𝑑(𝑛), the one of 𝑔(𝑛) = 𝑛
is 𝑔+ (𝑛) = 𝜎(𝑛).
By Exercise 2.3.14, 𝜑+ (𝑛) = 𝑛, and by Theorem 6.2.4, 𝜇+ (𝑛) = 𝑒(𝑛) where
1, if 𝑛 = 1
(6.5.1) 𝑒(𝑛) = {
0, if 𝑛 > 1.
Theorem 6.5.2. To every arithmetic function 𝑓 there exists exactly one function having
𝑓 as its summation function. This uniquely determined function is called the inversion
function of 𝑓 and is denoted by 𝑓.̃ ♣

Proof. We write the equalities

̃
𝑓(𝑛) = ∑ 𝑓(𝑑)
𝑑∣𝑛

required from the inversion function for every 𝑛:

̃
𝑓(1) = 𝑓(1)
̃ + 𝑓(2)
𝑓(2) = 𝑓(1) ̃
̃ + 𝑓(3)
𝑓(3) = 𝑓(1) ̃
̃ + 𝑓(2)
𝑓(4) = 𝑓(1) ̃ + 𝑓(4)
̃
̃ + 𝑓(5)
𝑓(5) = 𝑓(1) ̃
̃ + 𝑓(2)
𝑓(6) = 𝑓(1) ̃ + 𝑓(3)
̃ + 𝑓(6)
̃
⋮
6.5. Summation and Inversion Functions 187

We have to show that this system consisting of infinitely many equations and contain-
̃
ing infinitely many variables 𝑓(1), ̃
𝑓(2), . . . has a unique solution.
The first equation is satisfied if and only if
̃ = 𝑓(1).
𝑓(1)
̃ is the value obtained from
Both of the first two equations are valid if and only if 𝑓(1)
the first equation and
̃ = 𝑓(2) − 𝑓(1).
𝑓(2) ̃
We can proceed similarly by induction. Assume that the system of the first 𝑚 − 1
equations has exactly one solution 𝑓(1),̃ . . . , 𝑓(𝑚̃ − 1), and consider the system of the
̃
first 𝑚 equations. Since the variable 𝑓(𝑚) occurs only in the 𝑚th equation, the first 𝑚
̃
equations are satisfied if and only if 𝑓(1), ̃ − 1) are the unique values obtained
. . . , 𝑓(𝑚
from the first 𝑚 − 1 equations (according to the induction hypothesis) and
(6.5.2) ̃
𝑓(𝑚) ̃
= 𝑓(𝑚) − ∑ 𝑓(𝑑).
𝑑∣𝑚
𝑑<𝑚

This proves the existence and uniqueness of the function 𝑓.̃ (Formula (6.5.2) serves as
a recursion for determining the values of 𝑓.)̃ □

Examples. Reading the examples after Definition 6.5.1 backwards (and keeping the
notation used there), we have
̃
𝑑(𝑛) =1 𝜎(𝑛)
̃ =𝑛 𝑔(𝑛)
̃ = 𝜑(𝑛) 𝑒(𝑛)
̃ = 𝜇(𝑛).

Now we establish a formula for the inversion function:

Theorem 6.5.3 (Möbius Inversion Formula).

(6.5.3) ̃ = ∑ 𝜇(𝑑)𝑓( 𝑛 ).
𝑓(𝑛)
𝑑∣𝑛
𝑑

Proof. Since 𝑓 ̃ is unique by Theorem 6.5.2, it is sufficient to verify that the summation
function ℎ+ (𝑛) of
𝑛
ℎ(𝑛) = ∑ 𝜇(𝑑)𝑓( ) = ∑ 𝜇(𝑑)𝑓(𝑐)
𝑑∣𝑛
𝑑 𝑐𝑑=𝑛

on the right-hand side of (6.5.3) is 𝑓(𝑛). We can do this by rearranging the sums and
applying (6.5.1):
ℎ+ (𝑛) = ∑ ℎ(𝑘) = ∑ ∑ 𝜇(𝑑)𝑓(𝑐) = ∑ 𝜇(𝑑)𝑓(𝑐)
𝑘∣𝑛 𝑘∣𝑛 𝑐𝑑=𝑘 𝑐𝑑∣𝑛
𝑛 𝑛
+
= ∑ 𝑓(𝑐)(∑ 𝜇(𝑑)) = ∑ 𝑓(𝑐)𝜇 ( ) = ∑ 𝑓(𝑐)𝑒( ) = 𝑓(𝑛). □
𝑐∣𝑛 𝑛 𝑐∣𝑛
𝑐 𝑐∣𝑛
𝑐
𝑑∣ 𝑐

Finally, we present the Smith determinant as an interesting application of the in-

version function:
188 6. Arithmetic Functions

Theorem 6.5.4. Let 𝑓 be an arithmetic function and construct the 𝑛 × 𝑛 matrix

𝑓((1, 1)) 𝑓((1, 2)) ... 𝑓((1, 𝑛))
⎛ ⎞
𝑓((2, 1)) 𝑓((2, 2)) ... 𝑓((2, 𝑛))
𝐴=⎜ ⎟
⎜ ⋮ ⋮ ⋱ ⋮ ⎟
⎝𝑓((𝑛, 1)) 𝑓((𝑛, 2)) ... 𝑓((𝑛, 𝑛))⎠
where (𝑖, 𝑗) denotes the gcd of 𝑖 and 𝑗. Then the determinant of 𝐴 is
̃ 𝑓(2)
det 𝐴 = 𝑓(1) ̃ . . . 𝑓(𝑛).
̃ ♣

Proof. Consider the 𝑛 × 𝑛 matrices 𝐵 and 𝐶 where the 𝑗th element in row 𝑖 is 𝑏𝑖𝑗 and
𝑐 𝑖𝑗 , defined as
1, if 𝑗 ∣ 𝑖
𝑏𝑖𝑗 = {
0, if 𝑗 ∤ 𝑖,
and
̃
𝑓(𝑗), if 𝑗 ∣ 𝑖;
̃
𝑐 𝑖𝑗 = 𝑏𝑖𝑗 𝑓(𝑗), i.e. 𝑐 𝑖𝑗 = {
0, if 𝑗 ∤ 𝑖.
Both matrices have only 0s above the main diagonal, hence each determinant is the
product of the elements on the main diagonal. The main diagonal of 𝐵 consists of 1s,
̃
whereas the elements on the main diagonal of 𝐶 are 𝑓(1), ̃
. . . , 𝑓(𝑛), hence
(6.5.4) det 𝐵 = 1 and ̃ 𝑓(2)
det 𝐶 = 𝑓(1) ̃ . . . 𝑓(𝑛).
̃

Now we examine the product 𝐷 = 𝐵𝐶 𝑇 where 𝐶 𝑇 means the transpose of 𝐶. The 𝑗th
element in row 𝑖 in 𝐷 is
𝑑𝑖𝑗 = 𝑏𝑖1 𝑐𝑗1 + 𝑏𝑖2 𝑐𝑗2 + ⋯ + 𝑏𝑖𝑛 𝑐𝑗𝑛 =
(6.5.5)
̃ + 𝑏𝑖2 𝑏𝑗2 𝑓(2)
= 𝑏𝑖1 𝑏𝑗1 𝑓(1) ̃ + ⋯ + 𝑏𝑖𝑛 𝑏𝑗𝑛 𝑓(𝑛).
̃

Here
̃
̃ = {𝑓(𝑘),
𝑏𝑖𝑘 𝑏𝑗𝑘 𝑓(𝑘)
if 𝑘 ∣ 𝑖 and 𝑘 ∣ 𝑗
0, otherwise,
so
̃
𝑓(𝑘), if 𝑘 ∣ (𝑖, 𝑗)
(6.5.6) ̃ ={
𝑏𝑖𝑘 𝑏𝑗𝑘 𝑓(𝑘)
0, if 𝑘 ∤ (𝑖, 𝑗).

Substituting (6.5.6) into (6.5.5) and applying the definition of 𝑓,̃ we obtain
̃ = 𝑓((𝑖, 𝑗)),
𝑑𝑖𝑗 = ∑ 𝑓(𝑘)
𝑘∣(𝑖,𝑗)

thus 𝐷 = 𝐴.
Finally, (6.5.4) and the product rule of determinants imply
̃ 𝑓(2)
det 𝐴 = det 𝐷 = (det 𝐵)(det 𝐶) = 𝑓(1) ̃ . . . 𝑓(𝑛).
̃ □
Exercises 6.5 189

Exercises 6.5

1. Demonstrate 𝑑𝑘+ (𝑛) = 𝑑𝑘+1 (𝑛).

2. Prove the assertions:
(a) 𝑓 is multiplicative ⟺ 𝑓+ is multiplicative.
(b) 𝑓 is multiplicative ⟺ 𝑓 ̃ is multiplicative.
Remark: Exercise 6.5.2 immediately implies that 𝑑(𝑛), 𝜎(𝑛), and 𝜑(𝑛) are multi-
plicative.
3. (a) Determine all completely multiplicative functions with a completely multi-
plicative summation function.
(b) Find all additive functions with an additive summation function.
𝛼 𝛼
4. Let 𝑛 = 𝑝1 1 . . . 𝑝𝑟 𝑟 be the standard form of 𝑛. Verify the following statements.
(a) If 𝑓 is multiplicative and 𝑓 ≠ 0, then
𝑟
𝛼
𝑓+ (𝑛) = ∏(1 + 𝑓(𝑝 𝑖 ) + 𝑓(𝑝𝑖2 ) + ⋯ + 𝑓(𝑝𝑖 𝑖 ))
𝑖=1
and
𝑟
̃ = ∏(𝑓(𝑝𝛼𝑖 ) − 𝑓(𝑝𝛼𝑖 −1 ).
𝑓(𝑛) 𝑖 𝑖
𝑖=1
(b) If 𝑓 is completely multiplicative and its values at primes are all different from
0 and 1, then
𝑟 𝑟
𝑓(𝑝 𝑖 )𝛼𝑖 +1 − 1 ̃ = 𝑓(𝑛) ∏(1 − 1
𝑓+ (𝑛) = ∏ and 𝑓(𝑛) ).
𝑖=1
𝑓(𝑝 𝑖 ) − 1 𝑖=1
𝑓(𝑝 𝑖 )
Which formulas do we obtain in the special case 𝑓(𝑛) = 𝑛?
5. Determine the inversion function of
(a) 𝑓(𝑛) = 𝑐 (a constant function)
(−1)𝑛 +1
(b) 𝑔(𝑛) = 2
(c) Ω(𝑛)
(d) 𝜔(𝑛).
̃ = 0.
6. Let 𝑓 be additive and 𝜔(𝑛) ≥ 2. Prove 𝑓(𝑛)
7. Find a simpler form for the sum
∑ 𝜎(𝑎)𝜇(𝑏).
𝑎𝑏=𝑛

8. Prove the identity

𝜇(𝑑) 𝜑(𝑛)
∑ = .
𝑑∣𝑛
𝑑 𝑛
190 6. Arithmetic Functions

9. Verify.
(a) The sum of all primitive complex 𝑛th roots of unity is 𝜇(𝑛).
* (b) The sum of the 𝑘th powers of all primitive complex 𝑛th roots of unity is
𝜇(𝑛′ )𝜑(𝑛) 𝑛
where 𝑛′ = .
𝜑(𝑛′ ) (𝑛, 𝑘)
(c) For any prime 𝑝, the sum of all pairwise incongruent primitive roots modulo 𝑝
is congruent to 𝜇(𝑝 − 1) modulo 𝑝.
10. Evaluate the determinants of 𝑛 × 𝑛 matrices whose 𝑗th element in row 𝑖 is
(a) (𝑖, 𝑗)
(b) 𝜎((𝑖, 𝑗))
(c) 𝑑((𝑖, 𝑗))
(d) 𝜔((𝑖, 𝑗)).
11. Let 𝑠1 , . . . , 𝑠𝑛 be arbitrary distinct integers such that every divisor of each 𝑠𝑖 occurs
among the numbers 𝑠𝑗 . Show that the analog of Theorem 6.5.4 remains valid if the
numbers 1, 2, . . . , 𝑛 are replaced by 𝑠1 , . . . , 𝑠𝑛 .

6.6. Convolution
Definition 6.6.1. The convolution of arithmetic functions 𝑓 and 𝑔 is
𝑛
(𝑓 ∗ 𝑔)(𝑛) = ∑ 𝑓(𝑑)𝑔( ) = ∑ 𝑓(𝑑)𝑔(𝑐). ♣
𝑑∣𝑛
𝑑 𝑐𝑑=𝑛

The summation and inversion functions are special cases of convolution: by def-
inition, 𝑓+ is the convolution of 𝑓 and the constant function 1, and by the Möbius
inversion formula, 𝑓 ̃ is the convolution of 𝑓 and 𝜇, i.e.
𝑓+ = 𝑓 ∗ 1 and 𝑓 ̃ = 𝑓 ∗ 𝜇.
Now we examine the properties of convolution as an operation.
Theorem 6.6.2. Convolution is associative and commutative, the identity element is
1, if 𝑛 = 1
𝑒(𝑛) = {
0, if 𝑛 > 1,
and 𝑓 has an inverse if and only if 𝑓(1) ≠ 0. ♣

Proof. The commutative law follows directly from the definition.

Associative law:
(𝑓 ∗ (𝑔 ∗ ℎ))(𝑛) = ∑ 𝑓(𝑏)( ∑ 𝑔(𝑐)ℎ(𝑑)) = ∑ 𝑓(𝑏)𝑔(𝑐)ℎ(𝑑),
𝑏𝑘=𝑛 𝑐𝑑=𝑘 𝑏𝑐𝑑=𝑛

and ((𝑓 ∗ 𝑔) ∗ ℎ)(𝑛) can be transformed into the same final form.
Identity element:
𝑛 𝑛
(𝑒 ∗ 𝑓)(𝑛) = ∑ 𝑒(𝑑)𝑓( ) = 1 ⋅ 𝑓(𝑛) + ∑ 0 ⋅ 𝑓( ) = 𝑓(𝑛).
𝑑∣𝑛
𝑑 1<𝑑∣𝑛
𝑑
6.6. Convolution 191

Inverse: We can argue similarly as in the proof of Theorem 6.5.2. The inverse 𝑔 of
𝑓 has to satisfy 𝑒 = 𝑓 ∗ 𝑔 so
1 = 𝑒(1) = 𝑓(1)𝑔(1)
0 = 𝑒(2) = 𝑓(1)𝑔(2) + 𝑓(2)𝑔(1)
0 = 𝑒(3) = 𝑓(1)𝑔(3) + 𝑓(3)𝑔(1)
0 = 𝑒(4) = 𝑓(1)𝑔(4) + 𝑓(2)𝑔(2) + 𝑓(4)𝑔(1)
0 = 𝑒(5) = 𝑓(1)𝑔(5) + 𝑓(5)𝑔(1)
0 = 𝑒(6) = 𝑓(1)𝑔(6) + 𝑓(2)𝑔(3) + 𝑓(3)𝑔(2) + 𝑓(6)𝑔(1)
⋮
In this system of infinitely many equations, 𝑔(1), 𝑔(2), . . . are the unknowns to be de-
termined. The first 𝑚 equations contain only the variables 𝑔(1), . . . , 𝑔(𝑚), and 𝑔(𝑚)
occurs first in the 𝑚th equation.
If 𝑓(1) = 0, then the first equation has no solution, hence 𝑓(1) ≠ 0 is a necessary
condition for the existence of the inverse. To prove its sufficiency, we have to show that
for 𝑓(1) ≠ 0 the system of equations has a (unique) solution.
The first equation holds if and only if
1
𝑔(1) = .
𝑓(1)
The first two equations hold simultaneously if and only if 𝑔(1) is the uniquely deter-
mined value obtained from the first equation and
−𝑓(2)𝑔(1)
𝑔(2) = .
𝑓(1)
We can proceed similarly by induction. Assume that the system consisting of the first
𝑚 − 1 equations has a unique solution 𝑔(1), . . . , 𝑔(𝑚 − 1), and consider now the system
of the first 𝑚 equations. As 𝑔(𝑚) occurs first in the 𝑚th equation, the first 𝑚 equations
are satisfied if and only if 𝑔(1), . . . , 𝑔(𝑚−1) are the uniquely determined values obtained
from the first 𝑚 − 1 equations and
−1 𝑚
𝑔(𝑚) = ∑ 𝑔(𝑑)𝑓( ).
𝑓(1) 𝑑∣𝑚 𝑑
𝑑<𝑚

This recursion defines the unique inverse 𝑔 of function 𝑓. □

Convolution gives a simple proof for the Möbius inversion formula and it will also
clarify why the function 𝜇 plays such a special role.
Using convolution, the inversion function can be written as
(6.6.1) 𝑓 ̃ ∗ 1 = 𝑓,
and we have to express 𝑓.̃ Let 𝑔 be the inverse of the constant function 1, and multiply
(6.6.1) by 𝑔, i.e. apply the convolution 𝑔 to both sides. Then, using also the properties
of convolution, we obtain
(6.6.2) 𝑓 ̃ = 𝑓 ∗ 𝑔.
192 6. Arithmetic Functions

Here 𝑔 is the inverse of 1, so 1∗𝑔 = 𝑒, i.e. 𝑔+ = 𝑒, or equivalently, 𝑔 = 𝑒 ̃ = 𝜇. Substituting

this into (6.5.2), we get
𝑓̃ = 𝑓 ∗ 𝜇
which is precisely the Möbius inversion formula.
In studying arithmetic functions, Dirichlet series play a very important role:
Definition 6.6.3. Let 𝑓 be an arithmetic function and 𝑆 the set of those real numbers
𝑠 for which the infinite series
∞
𝑓(𝑛)
(6.6.3) ∑
𝑛=1
𝑛𝑠
converges. Then the Dirichlet series belonging to 𝑓 is the function 𝐹 ∶ 𝑆 → 𝐂 defined
by
∞
𝑓(𝑛)
𝐹(𝑠) = ∑ 𝑠 . ♣
𝑛=1
𝑛

Thus the domain of 𝐹 is the set of those real numbers for which the infinite series
(6.5.3) converges.
It is easy to check (see Exercise 6.6.6) that if (6.5.3) converges for some 𝑠0 , then it
is absolutely convergent for every 𝑠 > 𝑠0 + 1. In the sequel, we shall consider function
𝐹(𝑠) only at places 𝑠 where the series (6.5.3) is absolutely convergent. This will have
the advantage that we can use theorems on absolutely convergent series that can be
roughly summarized as stating that the same rules of computation apply to absolutely
convergent series as to the sums with finitely many terms. This means, among other
things, that rearranging and grouping the terms of an absolutely convergent series arbi-
trarily gives an absolutely convergent series again having the same sum as the original
one, and multiplying two absolutely convergent series using the every term by every
term law (and rearranging and grouping the result in any fashion) yields an absolutely
convergent series whose sum is the product of the sums of the two original series.
We note that a Dirichlet series can be investigated as a function of a complex vari-
able, and also as formal series when convergence is not considered, but we do not deal
with these variants.
The most famous Dirichlet series is Riemann’s zeta function belonging to 𝑓 = 1:
∞
1
(6.6.4) 𝜁(𝑠) = ∑ 𝑠
,
𝑛=1
𝑛
defined already in Exercise 5.6.6. The series (6.6.4) is absolutely convergent for 𝑠 > 1,
and by Exercise 5.6.6, it can be represented as the infinite product
1 1
(6.6.5) 𝜁(𝑠) = ∏ lim ∏
1 = 𝑛→∞ 1 .
𝑝 1 − 𝑝𝑠 𝑝≤𝑛 1 − 𝑝𝑠

Formula (6.6.5) is due to Euler, and it reveals why the distribution of primes is closely
connected to the behavior of the 𝜁 function. Extremely important theorems concern-
ing the primes would follow from the Riemann Hypothesis which claims that all non-
real roots of the extended version of the zeta function to complex variables have real
part 1/2.
Exercises 6.6 193

The next theorem reveals the connection between Dirichlet series and convolution:
Theorem 6.6.4. Assume that the Dirichlet series 𝐹(𝑠), 𝐺(𝑠), and 𝐻(𝑠) belonging to the
arithmetic functions 𝑓, 𝑔, and ℎ, are absolutely convergent, and ℎ = 𝑓 ∗ 𝑔. Then 𝐻(𝑠) =
𝐹(𝑠)𝐺(𝑠). ♣

Proof. Using the properties of multiplication of absolutely convergent series, we get

∞ ∞
𝑓(𝑘) 𝑔(𝑚)
𝐹(𝑠)𝐺(𝑠) = ( ∑ 𝑠
)( ∑ )
𝑘=1
𝑘 𝑚=1
𝑚𝑠
∞ ∞
𝑓(𝑘)𝑔(𝑚)
= ∑ ∑
𝑘=1 𝑚=1
(𝑘𝑚)𝑠
∞
∑𝑘𝑚=𝑛 𝑓(𝑘)𝑔(𝑚)
= ∑
𝑛=1
𝑛𝑠
∞
ℎ(𝑛)
= ∑ = 𝐻(𝑠). □
𝑛=1
𝑛𝑠

Theorem 6.6.4 can be used to determine the Dirichlet series

∞
𝜇(𝑛)
𝑀(𝑠) = ∑
𝑛=1
𝑛𝑠

belonging to the Möbius function. By |𝜇(𝑛)| ≤ 1, this series is absolutely convergent

for 𝑠 > 1. Since 𝜇 ∗ 1 = 𝑒,
∞ ∞
𝑒(𝑛) 1 0
𝑀(𝑠)𝜁(𝑠) = ∑ 𝑠
= 𝑠 + ∑ 𝑠 = 1,
𝑛=1
𝑛 1 𝑛=2
𝑛

hence
∞
1 𝜇(𝑛) 1
(6.6.6) 𝑀(𝑠) = , i.e. ∑ 𝑠
= ∞ 1 .
𝜁(𝑠) 𝑛=1
𝑛 ∑𝑛=1 𝑛𝑠

Substituting 𝑠 = 2, we get the formula

∞
𝜇(𝑛) 6
(6.6.7) ∑ 2
= 2.
𝑛=1
𝑛 𝜋

Exercises 6.6

1. Which (well known) function will be the 𝑘th power by convolution of the function
𝑓 = 1 (i.e. the convolution 1 ∗ 1 ∗ ⋯ ∗ 1 of 𝑘 factors)?
2. Prove that the arithmetic functions form a commutative ring with identity element
and without zero divisors with respect to the operations of addition and convolu-
tion.
194 6. Arithmetic Functions

3. Let 𝑓 be a (complex-valued) arithmetic function satisfying 𝑓(1) ≠ 0. How many

𝑘th roots does 𝑓 possess with respect to convolution?

4. (a) Verify that the convolution of two multiplicative functions is multiplicative.

(b) Let 𝑓 and 𝑔 be completely multiplicative. Show that 𝑓 ∗ 𝑔 is completely mul-
tiplicative if and only if (𝑓𝑔)(𝑛) = 0 for every 𝑛 > 1.

5. Prove
𝑛
∑ 𝜎(𝑑)𝜑( ) = 𝑛𝑑(𝑛).
𝑑∣𝑛
𝑑

6. Demonstrate that if the infinite series

∞
𝑓(𝑛)
∑
𝑛=1
𝑛𝑠

is convergent for 𝑠 = 𝑠0 , then it is absolutely convergent for every 𝑠 > 𝑠0 + 1.

̃ be the Dirichlet series belonging to the functions 𝑓, 𝑓+ ,
7. Let 𝐹(𝑠), 𝐹 + (𝑠), and 𝐹(𝑠)
̃
and 𝑓. Prove that in the case of absolute convergence,

𝐹 + (𝑠) = 𝑓(𝑠)𝜁(𝑠) and ̃ = 𝐹(𝑠)

𝐹(𝑠)
𝜁(𝑠)
for every 𝑠 > 1.

8. Show that for 𝑠 > 1

∞
𝑑(𝑛)
(a) ∑ = 𝜁2 (𝑠)
𝑛=1
𝑛𝑠
∞
𝑑𝑘 (𝑛)
(b) ∑ 𝑠
= 𝜁𝑘 (𝑠).
𝑛=1
𝑛

9. Prove that if 𝑠 > 2, then

∞
𝜎(𝑛)
(a) ∑ = 𝜁(𝑠)𝜁(𝑠 − 1)
𝑛=1
𝑛𝑠
∞
𝜑(𝑛) 𝜁(𝑠 − 1)
(b) ∑ 𝑠
= .
𝑛=1
𝑛 𝜁(𝑠)

10. In this exercise we generalize the product form of 𝜁 for multiplicative and com-
pletely multiplicative functions. The infinite product taken for all primes is defined
as in Exercise 5.6.6 (and as in (6.6.5) of this section), and absolute convergence is
assumed for all infinite series.

(a) For a multiplicative 𝑓, show

∞ ∞
𝑓(𝑛) 𝑓(𝑝𝑘 )
∑ = ∏ ( ∑ ).
𝑛=1
𝑛𝑠 𝑝 𝑘=0
𝑝𝑘𝑠
 6.7. Mean Value 195

(b) Let 𝑓 ≠ 0, 𝑓 be completely multiplicative, and |𝑓(𝑝)| < 𝑝𝑠 for every prime 𝑝.
Prove
∞
𝑓(𝑛) 1
∑ 𝑠 =∏ .
𝑛=1
𝑛 𝑝 1−
𝑓(𝑝)
𝑝𝑠

11. Demonstrate
∞
𝜇(𝑛) 1
∑ 𝑠
= ∏(1 − 𝑠 )
𝑛=1
𝑛 𝑝
𝑝
for 𝑠 > 1.
S 12. Compute the sums
∞
𝑑(𝑛)
(a) ∑
𝑛=1
𝑛2
∞
𝑑(𝑛) 2
* (b) ∑ ( ) .
𝑛=1
𝑛
* 13. Determine the sum of squares of reciprocals of all squarefree numbers.
14. (a) Prove that if |𝑥| < 1 and both infinite series occurring in
∞ ∞
𝑓(𝑛)𝑥𝑛
∑ = ∑ 𝑓+ (𝑘)𝑥𝑘
𝑛=1
1 − 𝑥𝑛 𝑘=1

are convergent, then equality holds.

(b) Compute the sums
∞
𝜇(𝑛)
(b1) ∑ 𝑛−1
𝑛=1
2
∞
𝜑(𝑛)
(b2) ∑ 𝑛−1
.
𝑛=1
2

6.7. Mean Value

We proved in Section 6.4 that though the values of 𝑑(𝑛) oscillate, the average of the
values at the first 𝑛 integers behaves smoothly. In this section, we investigate the mean
value functions of 𝜎, 𝜑, and 𝜔.
Definition 6.7.1. Let 𝑓 be an arithmetic function and 𝐹(𝑛) = 𝑓(1) + 𝑓(2) + ⋯ + 𝑓(𝑛).
The mean value (or average value) function of 𝑓 is defined to be
𝐹(𝑛) (1) + 𝑓(2) + ⋯ + 𝑓(𝑛)
= . ♣
𝑛 𝑛
We shall often need the following theorem when computing mean value functions.
Theorem 6.7.2. If 𝑓 = 𝑔 ∗ ℎ, then
𝑛 𝑛 ⌊𝑛/𝑗⌋
(6.7.1) 𝐹(𝑛) = ∑ 𝑓(𝑖) = ∑ 𝑔(𝑗)( ∑ ℎ(𝑘)). ♣
𝑖=1 𝑗=1 𝑘=1
196 6. Arithmetic Functions

Proof. By the definition of convolution,

𝑛 𝑛 𝑛 ⌊𝑛/𝑗⌋
∑ 𝑓(𝑖) = ∑ ∑ 𝑔(𝑗)ℎ(𝑘) = ∑ 𝑔(𝑗)( ∑ ℎ(𝑘)). □
𝑖=1 𝑖=1 𝑗𝑘=𝑖 𝑗=1 𝑘=1

The simplest special case of Theorem 6.7.2 is 𝑓 = 𝑔+ = 𝑔 ∗ 1. Then

𝑛 𝑛 ⌊𝑛/𝑗⌋ 𝑛
𝑛
(6.7.2) ∑ 𝑓(𝑖) = ∑ 𝑔(𝑗)( ∑ 1) = ∑ 𝑔(𝑗)⌊ ⌋.
𝑖=1 𝑗=1 𝑘=1 𝑗=1
𝑗

For 𝑓(𝑛) = 𝑑(𝑛) we have 𝑔 = 1, thus (6.7.2) gives

𝑛
𝑛
𝐷(𝑛) = ∑ ⌊ ⌋
𝑗=1
𝑗

which is just equality (6.4.11) in the proof of Theorem 6.4.3.

We determine first the mean value of 𝜎.
Theorem 6.7.3. Let Σ(𝑛) = 𝜎(1) + 𝜎(2) + ⋯ + 𝜎(𝑛). Then
𝜋2 2
(6.7.3) Σ(𝑛) ∼ 𝑛
12
where ∼ stands for asymptotic equality.
Two equivalent forms of (6.7.3) are
Σ(𝑛) 𝜋2
(6.7.4) ∼ 𝑛
𝑛 12
and
𝜋2 𝜋2 𝜋2
(6.7.5) 𝜎(1) + 𝜎(2) + ⋯ + 𝜎(𝑛) ∼ ⋅1+ ⋅2+⋯+ 𝑛. ♣
6 6 6
Thus (6.7.4) states that the mean value of 𝜎 can be well approximated by 𝜋2 𝑛/12,
and (6.7.5) expresses that the average order of magnitude of 𝜎 is 𝜋2 𝑛/6.

Proof. We try first a suitable modification of the method used for 𝑑(𝑛), applying (6.7.2).
Let 𝑣(𝑛) = 𝑛, then 𝜎 = 𝑣+ = 𝑣 ∗ 1, so
𝑛 𝑛
𝑛
(6.7.6) Σ(𝑛) = ∑ 𝜎(𝑖) = ∑ 𝑗⌊ ⌋.
𝑖=1 𝑗=1
𝑗

Estimating the right-hand side of (6.7.6) by the usual inequalities 𝑎 − 1 < ⌊𝑎⌋ ≤ 𝑎, we
get
𝑛(𝑛 + 1)
𝑛2 − < Σ(𝑛) ≤ 𝑛2
2
which does not yield an asymptotic value for Σ(𝑛).
Therefore we interchange the roles of 1 and 𝑣(𝑛) = 𝑛, and apply Theorem 6.7.2
with 𝑔 = 1 and ℎ = 𝑣 for the convolution 𝜎 = 1 ∗ 𝑣:
𝑛 𝑛
𝑛 ⌊𝑛/𝑗⌋ 𝑛 ⌊ 𝑗 ⌋ (⌊ 𝑗 ⌋ + 1)
(6.7.7) Σ(𝑛) = ∑ ∑ 𝑘 = ∑ .
𝑗=1 𝑘=1 𝑗=1
2
6.7. Mean Value 197

We estimate the right-hand side of (6.7.7) using

𝑎2 − 𝑎 = (𝑎 − 1)𝑎 < ⌊𝑎⌋(⌊𝑎⌋ + 1) ≤ 𝑎(𝑎 + 1) = 𝑎2 + 𝑎
for 𝑎 > 0 which gives
(6.7.8) |⌊𝑎⌋(⌊𝑎⌋ + 1) − 𝑎2 | ≤ 𝑎.

Applying (6.7.8) with 𝑎 = 𝑛/𝑗 to (6.7.7), we obtain

𝑛 2 𝑛
|Σ(𝑛) − ∑ 𝑛 | ≤ ∑ 𝑛 ≤ 𝑛(1 + log 𝑛) ,
| 2𝑗2 | 𝑗=1 2𝑗 2
𝑗=1

so
𝑛
𝑛2 1
(6.7.9) Σ(𝑛) = ∑ + 𝑈(𝑛), where |𝑈(𝑛)| < 𝑛 log 𝑛 for 𝑛 ≥ 3.
2 𝑗=1 𝑗2

Dividing (6.7.9) by 𝑛2 , we get

𝑛
Σ(𝑛) 1 1 𝑈(𝑛)
(6.7.10) = ∑ 2+ 2 .
𝑛2 2 𝑗=1 𝑗 𝑛

If 𝑛 → ∞, then the limit of the first term on the right-hand side of (6.7.10) is
∞
1 1 𝜋2
∑ 2 = ,
2 𝑗=1 𝑗 12

whereas the second term tends to 0, thus

Σ(𝑛) 𝜋2
lim = .
𝑛→∞ 𝑛2 12
This is equivalent to (6.7.3). □

We can treat the mean value of 𝜑 with similar methods:

Theorem 6.7.4. Let Φ(𝑛) = 𝜑(1) + 𝜑(2) + ⋯ + 𝜑(𝑛). Then

3 2
(6.7.11) Φ(𝑛) ∼ 𝑛
𝜋2
where ∼ stands for asymptotic equality.
Two equivalent forms of (6.7.11) are
Φ(𝑛) 3
(6.7.12) ∼ 2𝑛
𝑛 𝜋
and
6 6 6
(6.7.13) 𝜑(1) + 𝜑(2) + ⋯ + 𝜑(𝑛) ∼ ⋅ 1 + 2 ⋅ 2 + ⋯ + 2 𝑛. ♣
𝜋2 𝜋 𝜋

Thus (6.7.12) states that the mean value of 𝜑 can be well approximated by 3𝑛/𝜋2 ,
and (6.7.13) expresses that the average order of magnitude of 𝜑 is 6𝑛/𝜋2 .
198 6. Arithmetic Functions

Proof. We apply Theorem 6.7.2 now for the convolution 𝜑 = 𝜇 ∗ 𝑣, i.e. with 𝑔 = 𝜇 and
ℎ = 𝑣 (where 𝑣(𝑛) = 𝑛):
𝑛 𝑛
𝑛 ⌊𝑛/𝑗⌋ 𝑛 ⌊ 𝑗 ⌋(⌊ 𝑗 ⌋ + 1)
(6.7.14) Φ(𝑛) = ∑ 𝜇(𝑗) ∑ 𝑘 = ∑ 𝜇(𝑗) .
𝑗=1 𝑘=1 𝑗=1
2

We can continue analogously to the proof of Theorem 6.7.3 (for estimating the error
term, we use |𝜇(𝑗)| ≤ 1). Finally we arrive at
𝑛
Φ(𝑛) 1 𝜇(𝑗) 𝑈(𝑛)
(6.7.15) = ∑ 2 + 2 ,
𝑛2 2 𝑗=1 𝑗 𝑛

which corresponds to (6.7.10). If 𝑛 → ∞, then the second term on the right-hand side
of (6.7.15) tends to 0, and the limit of the first term is
∞
1 𝜇(𝑗)
∑ .
2 𝑗=1 𝑗2

According to formula (6.6.7) after Theorem 6.6.4,

∞
𝜇(𝑗) 6
∑ 2
= 2,
𝑗=1
𝑗 𝜋

therefore
Φ(𝑛) 3
lim = 2. □
𝑛→∞ 𝑛2 𝜋

As a corollary of Theorem 6.7.4, we can determine the probability of two numbers

being coprime. In a more picturesque formulation, what is the probability that a lattice
point 𝑃 can be seen from the origin (since there are no further lattice points on the
segment connecting 𝑃 and the origin if and only if the coordinates of 𝑃 are coprime)?
We need first an exact definition of this probability. Let 𝑄𝑛 be the square of side
length 𝑛 with the origin as a vertex and two sides lying on the positive halves of the axes.
We consider the lattice points in 𝑄𝑛 (apart from the points on the axes), determine the
ratio of the ones visible from the origin (i.e. having coprime coordinates), and take the
limit of this ratio as the side length of 𝑄𝑛 tends to infinity:
𝐻(𝑛)
(6.7.16) lim , where 𝐻(𝑛) = ∑ 1.
𝑛→∞ 𝑛2 1≤𝑎≤𝑛,1≤𝑏≤𝑛
(𝑎,𝑏)=1

We show that this limit exists and will call it the probability in question.
Theorem 6.7.5. The probability of two numbers being relatively prime (in the sense of
(6.7.16)) is 6/𝜋2 . ♣

It is part of the theorem, of course, that this probability, the limit in (6.7.16), exists.
As indicated earlier, this probability is closely related to the mean value of 𝜑, so
Theorem 6.7.5 will follow immediately from Theorem 6.7.4. We shall present also a
second proof of Theorem 6.7.5 based on the Inclusion and Exclusion Principle (actually,
herewith we obtain another proof also of Theorem 6.7.4).
6.7. Mean Value 199

First proof. We verify that

𝑛
Φ(𝑛) = ∑ 𝜑(𝑖) and 𝐻(𝑛) = ∑ 1
𝑖=1 1≤𝑎≤𝑛,1≤𝑏≤𝑛
(𝑎,𝑏)=1

satisfy
(6.7.17) 𝐻(𝑛) = 2Φ(𝑛) − 1.
To prove (6.7.17), consider the square 𝑄𝑛 and cut it into two triangles along its diagonal,
starting from the origin. 𝐻(𝑛) is just the number of lattice points in 𝑄𝑛 with coprime
coordinates (disregarding the lattice points on the axes). These lattice points are sym-
metric about the diagonal starting from the origin. In the lower triangle, a lattice point
with first coordinate 𝑖 counts if and only if its second coordinate 𝑡 satisfies 1 ≤ 𝑡 ≤ 𝑖
and (𝑖, 𝑡) = 1. There are 𝜑(𝑖) such lattice points, hence there are altogether
𝑛
∑ 𝜑(𝑖) = Φ(𝑛)
𝑖=1

suitable lattice points in the lower triangle. By symmetry, the same holds for the upper
triangle. We counted twice the lattice points on the diagonal, but (1, 1) is the only
relevant point here. Accordingly, the number of lattice points visible from the origin is
2Φ(𝑛) − 1.
By Theorem 6.7.4, (6.7.17) implies
𝐻(𝑛) Φ(𝑛) 6
lim 2
= 2 lim 2
= 2. □
𝑛→∞ 𝑛 𝑛→∞ 𝑛 𝜋

Second proof. We compute 𝐻(𝑛) with the Inclusion and Exclusion Principle.
We have to find the number of ordered pairs { (𝑎, 𝑏) ∣ 1 ≤ 𝑎 ≤ 𝑛, 1 ≤ 𝑏 ≤ 𝑛} where
𝑎 and 𝑏 are coprime.
We exclude the wrong ones, i.e. those for which 𝑎 and 𝑏 share one or more prime
divisors.
Consider first those pairs where both coordinates are divisible by a prime 𝑝 (not
examining whether or not they have some other common prime divisors too). There
are ⌊𝑛/𝑝⌋2 such pairs.
Consider now those pairs where both coordinates are divisible by more than one
of the primes 𝑝𝑗 (again not caring whether or not they share further common prime
divisors). An integer is a multiple of each of them if and only if it is a multiple of their
product. Thus there are
𝑛 2
⌊ ⌋
𝑝1 𝑝2
pairs where both coordinates are divisible both by 𝑝1 and 𝑝2 where 𝑝1 < 𝑝2 are distinct
primes, etc.
Hence, by the Inclusion and Exclusion Principle,
𝑛 2 𝑛 2
(6.7.18) 𝐻(𝑛) = 𝑛2 − ∑ ⌊ ⌋ + ∑ ⌊ ⌋ ∓ ... .
𝑝≤𝑛
𝑝 𝑝 𝑝 ≤𝑛
𝑝1 𝑝2
1 2
200 6. Arithmetic Functions

The right-hand side of (6.7.18) is just the sum of terms

𝑛 2
𝜇(𝑗)⌊ ⌋ , 𝑗 = 1, 2, . . . , 𝑛
𝑗
so
𝑛
𝑛 2
(6.7.19) 𝐻(𝑛) = ∑ 𝜇(𝑗)⌊ ⌋ .
𝑗=1
𝑗

To estimate the right-hand side of (6.7.19) we use

0 ≤ 𝑎2 − ⌊𝑎⌋2 = (𝑎 − ⌊𝑎⌋)(𝑎 + ⌊𝑎⌋) < 2𝑎
for 𝑎 > 0, so
(6.7.20) |⌊𝑎⌋2 − 𝑎2 | < 2𝑎.
Applying |𝜇(𝑗)| ≤ 1 and (6.7.20) with 𝑎 = 𝑛/𝑗 to (6.7.19), we obtain
𝑛 𝑛
|𝐻(𝑛) − ∑ 𝜇(𝑗)( 𝑛 )2 | < 2 ∑ 𝑛 < 2𝑛(1 + log 𝑛),
| 𝑗 | 𝑗
𝑗=1 𝑗=1

i.e.
𝑛
𝜇(𝑗)
(6.7.21) 𝐻(𝑛) = 𝑛2 ∑ + 𝑉(𝑛) where |𝑉(𝑛)| < 4𝑛 log 𝑛
𝑗=1
𝑗2

if 𝑛 ≥ 3. Dividing (6.7.21) by 𝑛2 yields

𝑛
𝐻(𝑛) 𝜇(𝑗) 𝑉(𝑛)
2
=∑ 2 + 2
𝑛 𝑗=1
𝑗 𝑛

and we get
∞
𝐻(𝑛) 𝜇(𝑗) 6
lim =∑ 2 = 2
𝑛→∞ 𝑛2 𝑗 𝜋
𝑗=1
similar to the end of the proof of Theorem 6.7.4. □

Now we determine the mean value of 𝜔.

Theorem 6.7.6. The difference between the mean value function of 𝜔 and log log 𝑛 is
bounded. In other words, if 𝑧(𝑛) = 𝜔(1) + 𝜔(2) + ⋯ + 𝜔(𝑛), then there is a constant 𝐶
such that every integer 𝑛 ≥ 3 satisfies
| 𝑧(𝑛) − log log 𝑛| < 𝐶. ♣
| 𝑛 |

Proof. We apply Theorem 6.7.2 for the convolution 𝜔 = 𝜔̃ ∗ 1 (then 𝑔 = 𝜔̃ and ℎ = 1):
𝑛 𝑛
𝑛
(6.7.22) 𝑧(𝑛) = ∑ 𝜔(𝑖) = ∑ 𝜔(𝑗)⌊
̃ ⌋.
𝑖=1 𝑗=1
𝑗

It is easy to check (see e.g. Exercise 6.5.5d) that

1, if 𝑗 is a prime
(6.7.23) 𝜔(𝑗)
̃ ={
0, otherwise.
6.7. Mean Value 201

Substituting (6.7.23) into (6.7.22), we get

𝑛
(6.7.24) 𝑧(𝑛) = ∑ ⌊ ⌋.
𝑝≤𝑛
𝑝

Applying the inequality

𝑎 − 1 < ⌊𝑎⌋ ≤ 𝑎
with 𝑎 = 𝑛/𝑝, we can rewrite (6.7.24) as
1
𝑧(𝑛) = 𝑛 ∑ + 𝑊(𝑛) where |𝑊(𝑛)| ≤ 𝜋(𝑛) < 𝑛,
𝑝≤𝑛
𝑝

i.e.
(6.7.25) | 𝑧(𝑛) − ∑ 1 | < 1.
| 𝑛 𝑝|
𝑝≤𝑛

Since
1
∑ − log log 𝑛
𝑝≤𝑛
𝑝
is bounded (for 𝑛 ≥ 3) by Theorem 5.6.2, the desired assertion follows from (6.7.25).
□

It is easy to see that

𝑛
∑ log log 𝑖 ∼ 𝑛 log log 𝑛,
𝑖=2
therefore Theorem 6.7.6 implies
(6.7.26) 𝜔(2) + ⋯ + 𝜔(𝑛) ∼ log log 2 + log log 3 + ⋯ + log log 𝑛.
Relation (6.7.26) expresses that the average order of magnitude of 𝜔 is log log 𝑛.
It is not true in general that an arithmetic function assumes mostly values close to
its mean value or average order of magnitude. For example, consider
𝑛, if 𝑛 is a square
𝑓(𝑛) = {
0, otherwise.
Then
𝑛
𝑛3/2
𝐹(𝑛) = ∑ 𝑓(𝑖) = ∑ 𝑘2 ∼ ,
𝑖=1
3
𝑘≤√𝑛

which means that the mean value of 𝑓 is

𝐹(𝑛) √𝑛
∼ ,
𝑛 3
and we can easily deduce that the average order of magnitude of 𝑓(𝑛) is √𝑛/2. However,
𝑓(𝑛) = 0 for almost all 𝑛.
A famous theorem of Hardy and Ramanujan states that 𝜔 assumes mostly values
close to its mean value, i.e. most numbers 𝑛 have about log log 𝑛 distinct prime divisors.
We present the proof of Paul Turán which became the starting-point of applications of
probability theory in number theory.
202 6. Arithmetic Functions

Theorem 6.7.7 (Hardy–Ramanujan Theorem). Let 𝛿 > 1/2 be a fixed real number,
𝑛 ≥ 3, and 𝑘(𝑛) the number of integers 𝑖 satisfying 3 ≤ 𝑖 ≤ 𝑛 and
(6.7.27) |𝜔(𝑖) − log log 𝑖| < (log log 𝑖)𝛿 .
Then
𝑘(𝑛)
lim = 1. ♣
𝑛→∞ 𝑛
Since
(log log 𝑖)𝛿
lim =0
𝑖→∞ log log 𝑖
(for 𝛿 < 1), Theorem 6.7.7 implies that apart from a rare subsequence
𝜔(𝑖) ∼ log log 𝑖.
We shall deduce Theorem 6.7.7 from its finite variant.
Theorem 6.7.7A. For any 𝜀 > 0 there exists a 𝑇 (depending on 𝜀) such that for any 𝑛 ≥ 3
at least (1 − 𝜀)𝑛 integers 𝑖 among the integers 1, 2, . . . , 𝑛 satisfy
(6.7.28) |𝜔(𝑖) − log log 𝑛| < 𝑇√log log 𝑛.

We call the attention to the difference that the argument of log log is 𝑖 in (6.7.27)
and 𝑛 in (6.7.28). But as the function log log increases very slowly, this means only a
negligible difference for most values of 𝑖 (as shown in (6.7.41) later).
We prove Theorem 6.7.7A first, and then show how this implies Theorem 6.7.7.

Proof. The basic idea is to verify that the sum of squares

𝑛
2
(6.7.29) 𝑈 = ∑ (𝜔(𝑖) − log log 𝑛)
𝑖=1

is relatively small, hence the non-negative terms |𝜔(𝑖) − log log 𝑛| can be large only for
a few values of 𝑖.
Let us see the details. We show
𝑛
2
(6.7.30) 𝑈 = ∑ (𝜔(𝑖) − log log 𝑛) < 𝑐𝑛 log log 𝑛
𝑖=1

with a suitable constant 𝑐 for every 𝑛 ≥ 3. We use Theorems 6.7.6 and 5.6.2 stating (for
𝑛 ≥ 3)
𝑛
(6.7.31) 𝑧(𝑛) = ∑ 𝜔(𝑖) = 𝑛 log log 𝑛 + 𝑛𝐴(𝑛) where 𝐴(𝑛) is bounded,
𝑖=1

and
1
(6.7.32) ∑ = log log 𝑛 + 𝐵(𝑛) where 𝐵(𝑛) is bounded.
𝑝≤𝑛
𝑝

We expand the square in (6.7.29):

𝑛 𝑛
𝑈 = ∑ 𝜔2 (𝑖) − 2 log log 𝑛 ∑ 𝜔(𝑖) + 𝑛(log log 𝑛)2 .
𝑖=1 𝑖=1
6.7. Mean Value 203

By (6.7.31), we obtain

𝑛
𝑈 = ∑ 𝜔2 (𝑖) − 2 log log 𝑛(𝑛 log log 𝑛 + 𝑛𝐴(𝑛)) + 𝑛(log log 𝑛)2 =
𝑖=1
(6.7.33) 𝑛
= ∑ 𝜔2 (𝑖) − 𝑛(log log 𝑛)2 − 2𝑛𝐴(𝑛) log log 𝑛.
𝑖=1

To estimate 𝑈 from above, we will estimate

𝑛
(6.7.34) 𝑉 = ∑ 𝜔2 (𝑖)
𝑖=1

from above.
Substituting (partly) the definition of 𝜔(𝑖) and rearranging the sum, we get

𝑛 𝑛 ⌊𝑛/𝑝⌋
(6.7.35) 𝑉 = ∑ 𝜔2 (𝑖) = ∑ 𝜔(𝑖) ∑ 1 = ∑ ∑ 𝜔(𝑝𝑘).
𝑖=1 𝑖=1 𝑝∣𝑖 𝑝≤𝑛 𝑘=1

Since

𝜔(𝑘), if 𝑝 ∣ 𝑘
𝜔(𝑝𝑘) = {
1 + 𝜔(𝑘), if 𝑝 ∤ 𝑘,

(6.7.35) implies

⌊𝑛/𝑝⌋ ⌊𝑛/𝑝⌋
𝑛
(6.7.36) 𝑉 ≤ ∑ ∑ (1 + 𝜔(𝑘)) = ∑ ⌊ ⌋ + ∑ ∑ 𝜔(𝑘).
𝑝≤𝑛 𝑘=1 𝑝≤𝑛
𝑝 𝑝≤𝑛 𝑘=1

Let 𝐾 denote the first sum on the right-hand side of (6.7.36) and 𝐿 denote the second
double sum there.
By (6.7.32), we get an upper estimate for 𝐾:

𝑛 1
(6.7.37) 𝐾 = ∑ ⌊ ⌋ ≤ 𝑛 ∑ = 𝑛(log log 𝑛 + 𝐵(𝑛)).
𝑝≤𝑛
𝑝 𝑝≤𝑛
𝑝

To estimate 𝐿 from above, we substitute the definition of 𝜔(𝑘), rearrange the sum
as usual (here 𝑝′ indicates that the summation is performed for primes), and apply
204 6. Arithmetic Functions

(6.7.32):
⌊𝑛/𝑝⌋
𝐿 = ∑ ∑ 𝜔(𝑘)
𝑝≤𝑛 𝑘=1
⌊𝑛/𝑝⌋
= ∑ ∑ ∑1
𝑝≤𝑛 𝑘=1 𝑝′ ∣𝑘
𝑛
= ∑ ∑ ⌊ ⌋
(6.7.38) 𝑝≤𝑛 𝑝′ ≤𝑛/𝑝
𝑝𝑝′
1
≤𝑛 ∑ ′
𝑝𝑝′ ≤𝑛
𝑝𝑝
1 1
≤ 𝑛( ∑ )( ∑ ′ )
𝑝≤𝑛
𝑝 ′
𝑝 ≤𝑛
𝑝
2
= 𝑛(log log 𝑛 + 𝐵(𝑛)) .

Substituting (6.7.37) and (6.7.38) into (6.7.36), we obtain

2
(6.7.39) 𝑉 ≤ 𝑛(log log 𝑛 + 𝐵(𝑛)) + 𝑛(log log 𝑛 + 𝐵(𝑛)) .

Combining (6.7.39), (6.7.34), and (6.7.33), the terms 𝑛(log log 𝑛)2 get cancelled and we
have

𝑈 ≤ (1 + 2𝐵(𝑛) − 2𝐴(𝑛))𝑛 log log 𝑛 + (𝐵(𝑛) + 𝐵 2 (𝑛))𝑛 < 𝑐𝑛 log log 𝑛

thus proving (6.7.30).

Now we will elaborate the argument indicated at the beginning of the proof that if
the sum of squares (6.7.29) is small, then it can contain only few large terms.
Let 𝑠 denote the number of wrong integers 1 ≤ 𝑖 ≤ 𝑛, those that do not satisfy
(6.7.28). Then an equivalent formulation of the theorem is that for any 𝜀 > 0 there
exists a 𝑇 such that 𝑠 < 𝜀𝑛.
2
We reduce the left-hand side of (6.7.30) by replacing (𝜔(𝑖) − log log 𝑛) with
𝑇 2 log log 𝑛 at the 𝑠 wrong values of 𝑖 and with 0 at the other values of 𝑖. Then (6.7.30)
implies
𝑐
𝑠𝑇 2 log log 𝑛 < 𝑐𝑛 log log 𝑛 or 𝑠 < 2 𝑛.
𝑇
We get the required estimate 𝑠 < 𝜀𝑛 by choosing 𝑇 to satisfy
𝑐
(6.7.40) < 𝜀. □
𝑇2

Proof of Theorem 6.7.7. We will verify that for any 𝜀 > 0 there exists an 𝑛0 (depend-
ing on 𝜀) such that for every 𝑛 > 𝑛0 there are at most 𝜀𝑛 numbers 𝑖 among the integers
3, 4, . . . , 𝑛 that do not satisfy (6.7.27).
As noted earlier, Theorem 6.7.7A refers to log log 𝑛 in (6.7.28), whereas Theo-
rem 6.7.7 has log log 𝑖 in (6.7.27). The proof basically overcomes this discrepancy.
6.7. Mean Value 205

The main idea is the following observation: log log grows so slowly that it can be
considered as almost constant between √𝑛 and 𝑛, and there are so few values 𝑖 less
than √𝑛 that they can be included in the set of exceptions.
Let us see the details. We apply Theorem 6.7.7A with 𝜀/2 instead of 𝜀. Then there
are at most 𝜀𝑛/2 values 𝑖 among the integers between √𝑛 and 𝑛 that do not satisfy
(6.7.28). As √𝑛 ≤ 𝑖 ≤ 𝑛 implies

(6.7.41) log log 𝑛 − log 2 = log log √𝑛 ≤ log log 𝑖 ≤ log log 𝑛,

the previous sentence remains valid if we replace both occurrences of log log 𝑛
in (6.7.28) by log log 𝑖; we just have to make 𝑇 larger than prescribed in (6.7.40). If 𝑛 is
large enough, then the number of values 𝑖 smaller than √𝑛 is less than 𝜀𝑛/2. Summa-
rizing, we infer that with a suitable 𝑇 and for 𝑛 large enough, there are at least (1 − 𝜀)𝑛
values 𝑖 among the integers 3, 4, . . . , 𝑛 satisfying

(6.7.42) |𝜔(𝑖) − log log 𝑖| < 𝑇√log log 𝑖.

As 𝛿 > 1/2, therefore

𝑇√log log 𝑖 < (log log 𝑖)𝛿
if 𝑖 is sufficiently large depending on 𝑇 and 𝛿. Thus (6.7.42) implies the statement of
Theorem 6.7.7. □

Remark: The probabilistic background in the proof of Theorem 6.7.7A is the following.
Let 𝑛 be fixed, and consider 𝜔 as a random variable assuming each of the values 𝜔(1),
𝜔(2), . . . , 𝜔(𝑛) with the same probability 1/𝑛. The expectation 𝐸 of this random variable
is, by definition, the mean value of 𝜔 at 𝑛, which is about log log 𝑛. The expression 𝑈
in (6.7.29) is around 𝑛𝐷2 where 𝐷 is the standard deviation of 𝜔. Theorem 6.7.7A then
follows from the upper estimation of 𝐷 (see (6.7.30)) and Chebyshev’s inequality about
the small probability of the variable being far from its expectation:
1
(6.7.43) 𝑃(|𝜔 − 𝐸| > 𝑟𝐷) < .
𝑟2
Theorems 6.7.6, 6.7.7, and 6.7.7A remain valid also for Ω instead of 𝜔, see Exer-
cise 6.7.5b. Combining these with the inequality

2𝜔(𝑛) ≤ 𝑑(𝑛) ≤ 2Ω(𝑛) ,

we can verify the surprising fact mentioned in Section 6.4 that most 𝑛 have about

(log 𝑛)log 2 = (log 𝑛)0.69. . .

divisors, which is much less than the number log 𝑛 corresponding to the mean value
of 𝑑(𝑛) (see Exercise 6.7.6).
 206 6. Arithmetic Functions

Exercises 6.7

1. Compute
𝑛
𝑛
∑ 𝜇(𝑗)⌊ ⌋.
𝑗=1
𝑗

2. What is the probability that a positive integer is squarefree?

* 3. Prove the following asymptotic equalities for 𝑑3 (𝑛) and 𝜎𝜈 (𝑛) (with fixed 𝜈 > 0)
defined in Exercise 6.2.22:
2
𝐷3 (𝑛) 𝑑 (1) + 𝑑3 (2) + ⋯ + 𝑑3 (𝑛) log (𝑛)
(a) = 3 ∼
𝑛 𝑛 2
Σ𝜈 (𝑛) 𝜎𝜈 (1) + 𝜎𝜈 (2) + ⋯ + 𝜎𝜈 (𝑛) 𝑛𝜈 𝜁(𝜈 + 1)
(b) = ∼
𝑛 𝑛 𝜈+1
S* 4. Prove that for any 𝑘 there exist distinct integers 𝑛1 , . . . , 𝑛𝑘 satisfying 𝜎(𝑛1 ) = ⋯ =
𝜎(𝑛𝑘 ).
5. (a) Verify
𝑛
0 ≤ ∑ (Ω(𝑖) − 𝜔(𝑖)) < 𝑛.
𝑖=1
(b) Prove that Theorems 6.7.6, 6.7.7, and 6.7.7A remain valid if 𝜔 is replaced by
Ω.
6. Show that most integers 𝑛 have about
(log 𝑛)log 2
divisors in the following sense. Let 𝜀 > 0 be arbitrary and 𝑘(𝑛) denote the number
of integers 1 ≤ 𝑖 ≤ 𝑛 satisfying
(log 𝑛)log 2−𝜀 < 𝑑(𝑖) < (log 𝑛)log 2+𝜀 .
Then
𝑘(𝑛)
lim = 1.
𝑛→∞ 𝑛
* 7. Let ℎ(𝑛) denote the number of integers 1 ≤ 𝑖 ≤ 𝑛 that can be written as the product
of two factors each less than √𝑛. Compute the limit
ℎ(𝑛)
lim .
𝑛→∞ 𝑛

8. Formulate precisely and prove the following generalization of the Hardy–Ramanu-

jan Theorem:
Assume that the real-valued additive function 𝑓 meets the following requirements.
(i) There is a 𝐾 such that 0 ≤ 𝑓(𝑝) ≤ 𝐾 for all primes 𝑝.
(ii) 𝑓(𝑝𝛼 ) = 𝑓(𝑝) for every prime 𝑝 and 𝛼 > 0.
(iii) The infinite series ∑𝑝 𝑓(𝑝)/𝑝 is divergent.
6.8. Characterization of Additive Functions 207

Then
𝑓(𝑝)
𝑓(𝑛) ∼ ∑
𝑝≤𝑛
𝑝

for almost every 𝑛.

6.8. Characterization of Additive Functions

We saw that the oscillation of values is typical for most arithmetic functions. The next
theorem of Erdős shows that the only true exception among the additive functions is
the logarithm:

Theorem 6.8.1. Let 𝑓 be a real-valued additive function and assume that

(i) 𝑓(𝑛) is monotone, or

(ii) 𝑓(𝑛 + 1) − 𝑓(𝑛) → 0 if 𝑛 → ∞.

Then 𝑓(𝑛) = 𝑐 log 𝑛 with a suitable constant 𝑐. ♣

Proof. We shall prove a slightly stronger result: If a real-valued additive function 𝑓

satisfies

(6.8.1) lim inf(𝑓(𝑛 + 1) − 𝑓(𝑛)) ≥ 0,

𝑛→∞

then 𝑓(𝑛) = 𝑐 log 𝑛.

This implies Theorem 6.8.1: if 𝑓 satisfies (ii) or is monotone increasing, then (6.8.1)
holds, and if 𝑓 is monotone decreasing, then −𝑓 satisfies (6.8.1), so (−𝑓)(𝑛) = 𝑐 log 𝑛,
i.e. 𝑓(𝑛) = −𝑐 log 𝑛.
The basic idea of the proof is the following. Let 𝑘 > 1 be a fixed integer, and write
an arbitrary 𝑛 in number system of base 𝑘:

(6.8.2) 𝑛 = 𝑎𝑠 𝑘𝑠 + ⋯ + 𝑎2 𝑘2 + 𝑎1 𝑘 + 𝑎0 , 𝑠 = ⌊log𝑘 𝑛⌋.

Deleting the last digit of 𝑛 and modifying suitably the second-to-last digit, we find an
integer

(6.8.3) 𝑛′ = 𝑎𝑠 𝑘𝑠 + ⋯ + 𝑎2 𝑘2 + 𝑎′1 𝑘

fairly close to 𝑛 where (𝑎′1 , 𝑘) = 1. By the condition, 𝑓(𝑛) is not too far from

(6.8.4) 𝑓(𝑛′ ) = 𝑓(𝑘) + 𝑓(𝑎𝑠 𝑘𝑠−1 + ⋯ + 𝑎2 𝑘 + 𝑎′1 ).

We repeat the process for the second term on the right-hand side of (6.8.4), etc., and
finally we arrive at
𝑓(𝑘) log 𝑛 𝑓(𝑛) 𝑓(𝑘)
𝑓(𝑛) ∼ 𝑠𝑓(𝑘) ∼ , so lim = .
log 𝑘 𝑛→∞ log 𝑛 log 𝑘
Hence 𝑓(𝑘)/ log 𝑘 is equal to this limit independent of 𝑘, so 𝑓(𝑘)/ log 𝑘 is a constant.
208 6. Arithmetic Functions

Let us see the detailed and precise elaboration. Let 𝜀 > 0 be arbitrary. By (6.8.1),
there exists an 𝑛0 (depending on 𝜀) such that every 𝑛 > 𝑛0 satisfies
(6.8.5) 𝑓(𝑛 + 1) − 𝑓(𝑛) ≥ −𝜀, i.e. 𝑓(𝑛) ≤ 𝑓(𝑛 + 1) + 𝜀.
(For technical convenience we assume 𝑛0 > 𝑘2 .)
Replacing 𝑛 by 𝑛 + 1, 𝑛 + 2, . . . , 𝑛 + 𝑡 − 1 in (6.8.5), we obtain
𝑓(𝑛 + 1) ≤ 𝑓(𝑛 + 2) + 𝜀, 𝑓(𝑛 + 2) ≤ 𝑓(𝑛 + 3) + 𝜀, . . . , 𝑓(𝑛 + 𝑡 − 1) ≤ 𝑓(𝑛 + 𝑡) + 𝜀,
thus
(6.8.6) 𝑓(𝑛) ≤ 𝑓(𝑛 + 1) + 𝜀 ≤ 𝑓(𝑛 + 2) + 2𝜀 ≤ . . . ≤ 𝑓(𝑛 + 𝑡) + 𝑡𝜀.

Let now 𝑛 be much bigger than 𝑛0 , and consider the representation (6.8.2) (with
a fixed 𝑘 > 1). We select the smallest 𝑛′ according to (6.8.3) satisfying 𝑛′ > 𝑛 and
(𝑎′1 , 𝑘) = 1. This means that we delete the last digit 𝑎0 of 𝑛, and replace the last but one
digit 𝑎1 by a bigger number 𝑎′1 (𝑎′1 = 𝑘 + 1 is possible). We consider the difference 𝑡 of
𝑛′ and 𝑛:
(6.8.7) 𝑡 = 𝑛′ − 𝑛 = (𝑎′1 − 𝑎1 )𝑘 − 𝑎0 .
If 𝑎1 = 0, then 𝑎′1 = 1, and if 𝑎1 ≥ 1, then 1 ≤ 𝑎1 < 𝑎′1 ≤ 𝑘 + 1, therefore (6.8.7) implies
(6.8.8) 0 < 𝑡 ≤ 𝑘2 .
Applying (6.8.6), (6.8.7), (6.8.8), and (6.8.4) in this order for 𝑛 > 𝑛0 , we obtain
(6.8.9) 𝑓(𝑛) ≤ 𝑓(𝑛 + 𝑡) + 𝑡𝜀 ≤ 𝑓(𝑛′ ) + 𝑘2 𝜀 = 𝑓(𝑘) + 𝑓(𝑎𝑠 𝑘𝑠−1 + ⋯ + 𝑎2 𝑘 + 𝑎′1 ) + 𝑘2 𝜀.
Consider now the number
𝑛1 = 𝑎𝑠 𝑘𝑠−1 + ⋯ + 𝑎2 𝑘 + 𝑎′1
in the middle term of the right-hand side of (6.8.9). If here 𝑎′1 = 𝑘 + 1, then transform
𝑛1 into the usual representation in the number system (where the coefficient of each
power of 𝑘 is less than 𝑘; the last digit will be 1, the last but one digit increases by 1, or
if it was 𝑘 − 1, then further changes are possible, too).
Now we repeat the process for 𝑛1 instead of 𝑛. We obtain
𝑓(𝑎𝑠 𝑘𝑠−1 + ⋯ + 𝑎2 𝑘 + 𝑎′1 ) = 𝑓(𝑛1 ) ≤ 𝑓(𝑘) + 𝑓(𝑎𝑠 𝑘𝑠−2 + ⋯ + 𝑎2′ ) + 𝑘2 𝜀.
Substituting into (6.8.9), we get
𝑓(𝑛) ≤ 2𝑓(𝑘) + 𝑓(𝑎𝑠 𝑘𝑠−2 + ⋯ + 𝑎′2 ) + 2𝑘2 𝜀.
We proceed similarly as long as the values of the function are greater than 𝑛0 . Finally,
we have
(6.8.10) 𝑓(𝑛) ≤ (𝑠 − 𝑠0 )𝑓(𝑘) + (𝑠 − 𝑠0 )𝑘2 𝜀 + 𝑀0 ,
where 𝑠 − 𝑠0 is the number of steps and 𝑀0 is the maximum value of 𝑓 assumed at
integers up to 𝑛0 . Here 𝑀0 depends only on 𝜀, and 𝑠0 depends on 𝜀 and on (the fixed)
𝑘, thus (6.8.10) can be rewritten as
(6.8.11) 𝑓(𝑛) ≤ 𝑠𝑓(𝑘) + 𝑠𝑘2 𝜀 + 𝑀1
where 𝑀1 is a constant depending on 𝜀 and 𝑘.
Exercises 6.8 209

We can estimate 𝑓(𝑛) from below using a similar method. We choose 𝑛′ close to 𝑛
with (𝑎′1 , 𝑘) = 1, but instead of the minimal 𝑛′ > 𝑛 we take the maximal 𝑛′ < 𝑛 (now
𝑎′1 = −1 can happen). We have to modify the steps of the upper estimate by defining 𝑡
as 𝑛 − 𝑛′ and applying
𝑓(𝑛) ≥ 𝑓(𝑛 − 𝑡) − 𝑡𝜀
instead of (6.8.6). We get finally
(6.8.12) 𝑓(𝑛) ≥ 𝑠𝑓(𝑘) − 𝑠𝑘2 𝜀 − 𝑀2
where 𝑀2 is a suitable constant.
Dividing (6.8.11) and (6.8.12) by 𝑠 = ⌊log𝑘 𝑛⌋, we obtain
| 𝑓(𝑛) | 𝑀
(6.8.13) | − 𝑓(𝑘)| ≤ 𝑘2 𝜀 + .
| ⌊log𝑘 𝑛⌋ | ⌊log𝑘 𝑛⌋
If 𝑛 → ∞, then the right-hand side of (6.8.13) tends to 𝑘2 𝜀. But 𝜀 was arbitrary, hence
𝑓(𝑛)
(6.8.14) lim = 𝑓(𝑘).
𝑛→∞ ⌊log𝑘 𝑛⌋
This clearly implies
𝑓(𝑛)
lim = 𝑓(𝑘),
𝑛→∞ log𝑘 𝑛
so
𝑓(𝑛) 𝑓(𝑘)
(6.8.15) lim = .
𝑛→∞ log 𝑛 log 𝑘
Denote the limit in (6.8.15) by 𝑐; as 𝑐 is independent of 𝑘
𝑓(𝑘)
= 𝑐,
log 𝑘
i.e.
(6.8.16) 𝑓(𝑘) = 𝑐 log 𝑘
for any 𝑘 > 1. Finally, 𝑓(1) = log 1 = 0, thus (6.8.16) holds for 𝑘 = 1. □

Exercises 6.8

1. Prove that if a complex valued completely additive function 𝑓 is bounded, then

𝑓 = 0.
2. Show that if the sequence of values 𝑓(𝑛) of a complex-valued completely additive
function 𝑓 is convergent, then 𝑓 = 0.
3. Which are the real-valued monotone multiplicative functions?
4. Verify that if a real-valued additive function 𝑓 satisfies
lim sup(𝑓(𝑛) − 𝑓(𝑛 − 1)) ≤ 0,
𝑛→∞

then 𝑓(𝑛) = 𝑐 log 𝑛.

210 6. Arithmetic Functions

5. Prove that if a complex-valued additive function 𝑓 satisfies

lim (𝑓(𝑛) − 𝑓(𝑛 − 1)) = 0,
𝑛→∞

then 𝑓(𝑛) = 𝑐 log 𝑛 where 𝑐 is a suitable complex constant.

6. Verify the following assertions.
(a) There exists an arbitrary rare subsequence 𝑎𝑛 of the natural numbers such that
if 𝑓(𝑎𝑛 ) is monotone for a real-valued additive function 𝑓, then 𝑓(𝑛) = 𝑐 log 𝑛.
(b) There exists an arbitrary rare subsequence 𝑎𝑛 of the natural numbers such
that if
lim (𝑓(𝑎𝑛 ) − 𝑓(𝑎𝑛−1 )) = 0
𝑛→∞
for a real-valued additive function 𝑓, then 𝑓 = 0.
(Arbitrary rare means that to any sequence 𝑏𝑛 there is a sequence 𝑎𝑛 with the pre-
scribed property and 𝑎𝑛 > 𝑏𝑛 .)
 Chapter 7

Diophantine Equations

By a Diophantine equation, we generally mean an algebraic equation with integer co-

efficients where we are looking for integer (or sometimes for rational) solutions. The
Greek mathematician Diophantus lived in Alexandria in the 3rd century CE and inves-
tigated many types of such problems. (At that time, it was perfectly natural to search
only for integer or rational solutions, since irrational numbers were not really accepted
though their existence was proved by the Greeks.) The history of Diophantine equa-
tions is even older; clay tables show that nearly 4000 years ago the Babylonians were
familiar with Pythagorean triples.
The handling of Diophantine equations requires a large variety of methods, and
there exists no general procedure (as mentioned in Section 5.1, there is no universal
algorithm for answering the simpler question of whether or not an arbitrary Diophan-
tine equation has a solution at all). Also, it is often very hard to decide if an equation
is solvable, not to mention finding the number of solutions or determining them. The
topic is rich in unsolved problems.
After a detailed discussion of linear Diophantine equations, we deal with Pythag-
orean triples, and then present some useful general elementary methods. The equa-
tions of the later sections require seemingly remote mathematical tools: the Gaussian
integers give the key to the representation of integers as the sum of two squares, the
Eulerian integers help to settle the cubic case of Fermat’s Last Theorem, and Diophan-
tine approximation serves as a basis to handle Pell’s equation. The development of
these aids into independent branches was mainly due to their role played in Diophan-
tine equations. We discuss these areas in more detail in Chapters 8–11. The last section
of this chapter is devoted to partitions, where both the questions and the methods are
significantly different.

211
212 7. Diophantine Equations

7.1. Linear Diophantine Equation

We discuss first the linear Diophantine equation 𝑎𝑥 + 𝑏𝑦 = 𝑐 in two variables. Here 𝑎,
𝑏, and 𝑐 are fixed integers. We exclude the case 𝑎 = 𝑏 = 0, and a solution means a pair
of integers 𝑥 and 𝑦.
We proved the necessary and sufficient condition of solvability in Theorem 1.3.6,
and clarified the relation of the equation to linear congruences in the proof of Theo-
rem 2.5.3. We saw from the proof of Theorem 1.3.6 that the Euclidean algorithm pro-
vides a solution. By Theorem 5.7.1, this implied that we can obtain a solution quickly
even for large coefficients; we made use of this fact in the RSA scheme (Theorem 5.8.1).
Now we get the number of solutions and the description of all solutions. In the
next theorem, for the sake of completeness, we summarize also the statements proved
earlier concerning the condition of solvability and the method for solving the equation.
Theorem 7.1.1. Let 𝑎, 𝑏, and 𝑐 be fixed integers where at least one of 𝑎 and 𝑏 is not zero,
and consider the Diophantine equation 𝑎𝑥 + 𝑏𝑦 = 𝑐.
(i) There is a solution if and only if (𝑎, 𝑏) ∣ 𝑐.
(ii) If solvable, there are infinitely many solutions. Let 𝑥0 , 𝑦0 be a solution; then all
solutions 𝑥′ , 𝑦′ are given by
𝑏 𝑎
(7.1.1) 𝑥 ′ = 𝑥0 + 𝑡 , 𝑦′ = 𝑦 0 − 𝑡 , where 𝑡 = 0, ±1, ±2, . . .
(𝑎, 𝑏) (𝑎, 𝑏)
(iii) We can get a solution using the Euclidean algorithm. ♣

Proof. As mentioned previously, (i) and (iii) were proved in Theorem 1.3.6.
Turning to (ii), we show first that the integers 𝑥′ , 𝑦′ given in (7.1.1) give a solution
of the equation. Since 𝑥0 , 𝑦0 is a solution, 𝑎𝑥0 + 𝑏𝑦0 = 𝑐, so
𝑏 𝑎
𝑎𝑥′ + 𝑏𝑦′ = 𝑎 (𝑥0 + 𝑡 ) + 𝑏 (𝑦0 − 𝑡 ) = 𝑎𝑥0 + 𝑏𝑦0 = 𝑐.
(𝑎, 𝑏) (𝑎, 𝑏)
To prove the converse, we assume that 𝑥′ , 𝑦′ is an arbitrary solution, and show that 𝑥′
and 𝑦′ are in the prescribed form.
We know that
𝑎𝑥0 + 𝑏𝑦0 = 𝑐 and 𝑎𝑥′ + 𝑏𝑦′ = 𝑐.
Subtracting, we get
𝑎(𝑥′ − 𝑥0 ) + 𝑏(𝑦′ − 𝑦0 ) = 0.
After rearranging the terms and dividing by (𝑎, 𝑏), we obtain
𝑎 𝑏
(7.1.2) (𝑥′ − 𝑥0 ) = (𝑦 − 𝑦′ ).
(𝑎, 𝑏) (𝑎, 𝑏) 0
Since
𝑏 𝑎
( , ) = 1,
(𝑎, 𝑏) (𝑎, 𝑏)
(7.1.2) implies
𝑏
∣ 𝑥 ′ − 𝑥0 ,
(𝑎, 𝑏)
7.1. Linear Diophantine Equation 213

so
𝑏
(7.1.3) 𝑥 ′ = 𝑥0 + 𝑡
(𝑎, 𝑏)
with a suitable integer 𝑡. Substituting (7.1.3) into (7.1.2), we arrive at
𝑎
𝑦′ = 𝑦 0 − 𝑡 .
(𝑎, 𝑏)
Thus we have shown that 𝑥′ and 𝑦′ are of the form in (7.1.1). □

To solve a Diophantine equation, it is effective to apply a variant of the Euclidean

algorithm that yields all solutions immediately in a parametric form. We present this
procedure in an example:

Example. Solve the Diophantine equation 43𝑥 + 25𝑦 = 98.

We solve for the variable with coefficient of smaller absolute value and separate the
integer parts from the fraction so that the numbers in the numerator of the remaining
fraction have minimal absolute value:
98 − 43𝑥 7𝑥 − 2
(A1) 𝑦= = 4 − 2𝑥 + .
25 25
The fraction (7𝑥 − 2)/25 on the right-hand side of (A1) is an integer, we denote it by
𝑢. This gives 7𝑥 − 2 = 25𝑢 which is a similar Diophantine equation but the coefficient
of 𝑥 has smaller absolute value than the coefficient of 𝑦 had in the original equation.
We repeat the process for the equation 7𝑥 − 2 = 25𝑢: we solve for 𝑥
25𝑢 + 2 2 − 3𝑢
(A2) 𝑥= = 4𝑢 + .
7 7
The fraction (2 − 3𝑢)/7 on the right-hand side of (A2) is an integer, we denote it by 𝑣,
thus 2 − 3𝑢 = 7𝑣. Continuing similarly, we get
2 − 7𝑣 2−𝑣
(A3) 𝑢= = −2𝑣 + .
3 3
Denoting the integer (2 − 𝑣)/3 by 𝑤, we have 2 − 𝑣 = 3𝑤, i.e.
(A4) 𝑣 = 2 − 3𝑤.
Since (A4) contains no fractions, we turn and go backwards: we find 𝑢, 𝑥, and 𝑦 one
after the other from (A3), (A2), and (A1), using 𝑤 as a parameter:
(B3) 𝑢 = −2𝑣 + 𝑤 = −2(2 − 3𝑤) + 𝑤 = −4 + 7𝑤
(B2) 𝑥 = 4𝑢 + 𝑣 = 4(−4 + 7𝑤) + (2 − 3𝑤) = −14 + 25𝑤
(B1) 𝑦 = 4 − 2𝑥 + 𝑢 = 4 − 2(−14 + 25𝑤) + (−4 + 7𝑤) = 28 − 43𝑤.
It is clear from the procedure that formulas (B2)–(B1) provide all solutions of the Dio-
phantine equation 43𝑥 + 25𝑦 = 98 where the parameter 𝑤 is an arbitrary integer. If
a pair of integers 𝑥 and 𝑦 is a solution, then steps (A1)–(A3) lead to 𝑤, and then this
yields formulas (B2)–(B1) for 𝑥 and 𝑦 and, taking an arbitrary integer 𝑤, the numbers
𝑥 and 𝑦 expressed with it are integers and satisfy the equation.
214 7. Diophantine Equations

Remarks: (1) The following pairs of coordinates occur during the procedure:
{43, 25}; {25, 7}; {7, 3}; {3, 1}.
How did we get them? In the first step, the remainder (of least absolute value) on
division of 43 by 25 was −7, in the next step the remainder on division of 25 by
7 was −3, etc. Thus we used a variant of the Euclidean algorithm. This implies
that we can find the solutions of the equation quickly with this procedure.
(2) The essential point of the method is reducing the absolute values of the coeffi-
cients of the variables to eliminate the fractions completely. It is irrelevant from
this point of view whether or not we reduce the absolute values also of the con-
stant term; it does not influence the number of steps in the procedure, though it
may be slightly easier to work with smaller numbers.
(3) We do not have to check in advance whether the equation is solvable because the
procedure decides automatically if there is no solution: we arrive at a fraction that
contains no variables but its value is not an integer.
(4) Formulas (B2)–(B1) correspond to (7.1.1) describing all solutions in Theorem
7.1.1; now 𝑥0 = −14, 𝑦0 = 28, and 𝑤 plays the role of 𝑡. This is a useful tool
to detect calculation errors.

We have similar results for linear Diophantine equations with more than two vari-
ables. We summarize them in the next theorem, and ask for the proofs in Exercise 7.1.8.

Theorem 7.1.2. Let 𝑘 ≥ 2, 𝑎1 , . . . , 𝑎𝑘 integers not all 0, 𝑐 any integer, and consider the
Diophantine equation
𝑎1 𝑥1 + ⋯ + 𝑎𝑘 𝑥𝑘 = 𝑐
where a solution is a 𝑘-tuple of integers 𝑥1 , . . . , 𝑥𝑘 .
(i) The equation is solvable if and only if (𝑎1 , . . . , 𝑎𝑘 ) ∣ 𝑐.
(ii) If it is solvable, there are infinitely many solutions. We can describe all solutions with
𝑘 − 1 integer parameters. We can find the solutions with a suitable generalization of
the method used for two variables. ♣

Exercises 7.1

1. In Crazyland there exist banknotes only of 47 and 79 dollars. How many ways can
we pay exactly 10000 dollars?
2. An island is inhabited by dragons with 7 or 11 heads. How many dragons live on
the island if they have 118 heads altogether?
3. A shop sells three types of chocolate bars costing 70 cents, 1 dollar and 30 cents,
and a dollar and a half. How many ways can we buy (exactly) 50 bars for (exactly)
50 dollars?
 7.2. Pythagorean Triples 215

S 4. In a certain year of the twentieth century, Alice notes that her age in years equals
the sum of digits in the year of her birth date. Bob, who was born in a later year,
notes that his age has the same property. How much older is Alice than Bob, if
neither of them is older than 99 years?
5. Demonstrate that statement (ii) in Theorem 7.1.1 follows from the proof of Theo-
rem 2.5.4.
6. How many lattice points in the plane can lie on a line if its slope is (a) rational (b)
irrational?
7. Find all solutions of the Diophantine equation 6𝑥 + 10𝑦 + 15𝑧 = 7.
8. Verify the statements in Theorem 7.1.2.
9. Prove that the Diophantine equation 𝑎1 𝑥1 + ⋯ + 𝑎𝑘 𝑥𝑘 = 𝑐 is solvable if and only
if the congruence 𝑎1 𝑥1 + ⋯ + 𝑎𝑘 𝑥𝑘 ≡ 𝑐 (mod 𝑚) is solvable for every positive
integer 𝑚.
* 10. Characterize the integers 𝑎1 , . . . , 𝑎𝑘 for which the Diophantine equation 𝑎1 𝑥1 +
⋯ + 𝑎𝑘 𝑥𝑘 = 𝑐 is solvable in positive integers for every 𝑐 large enough.
* 11. Let 𝑎 and 𝑏 be fixed coprime integers greater than 1. We say that a positive integer
𝑐 is assemblable (from 𝑎 and 𝑏) if 𝑐 can be represented as 𝑐 = 𝑎𝑥 + 𝑏𝑦 with non-
negative integers 𝑥 and 𝑦.
(a) Show that every 𝑐 > 𝑎𝑏 − 𝑎 − 𝑏 is assemblable, but 𝑐 = 𝑎𝑏 − 𝑎 − 𝑏 is not
assemblable.
(b) How many positive integers are not assemblable?
Remark: We can generalize part (a) for more variables. Let 𝑎1 , . . . , 𝑎𝑘 be fixed
coprime integers greater than 1. Find the maximal integer 𝐹 = 𝐹(𝑎1 , . . . , 𝑎𝑘 ) for
which the Diophantine equation 𝑎1 𝑥1 + ⋯ + 𝑎𝑘 𝑥𝑘 = 𝐹 has no solutions in non-
negative integers. Intensive research has been done to answer this question, called
the problem of Frobenius for 𝑘 > 2, but we have no completely satisfactory answer
even in the case 𝑘 = 3.
* 12. (a) Show that for every sufficiently large 𝑛, there exist 𝑛 (not necessarily congru-
ent) cubes in space such that we can assemble a cube from them (using each
exactly once).
(b) Verify this for every 𝑛 ≥ 48.
(c) Find all 𝑛 for which there exist 𝑛 (not necessarily congruent) squares in the
plane such that we can assemble a square from them (using each exactly once).
Remark: It is unknown whether (b) is true for 𝑛 = 47.

7.2. Pythagorean Triples

Pythagorean triples are the positive integer solutions of equation 𝑥2 + 𝑦2 = 𝑧2 . Geo-
metrically, Pythagorean triples give the lengths of the three sides of a right triangle if
these lengths are integers.
216 7. Diophantine Equations

We immediately see that the equation is solvable (the triple 3, 4, 5 is a solution),

and, multiplying a solution 𝑥, 𝑦, 𝑧 by any positive integer 𝑑, the new triple 𝑑𝑥, 𝑑𝑦, 𝑑𝑧 is
a solution. Therefore it is worthwhile to investigate the solutions satisfying (𝑥, 𝑦, 𝑧) = 1
separately. These are called primitive Pythagorean triples.
We show that there are infinitely many primitive triples, we describe all of them,
and characterize all (primitive and non-primitive) triples with suitable parameters:
Theorem 7.2.1. (i) All primitive Pythagorean triples, i.e. all positive integer solutions of
equation
(7.2.1) 𝑥2 + 𝑦2 = 𝑧 2
satisfying
(7.2.2) (𝑥, 𝑦, 𝑧) = 1
are
(7.2.3) 𝑥 = 2𝑚𝑛, 𝑦 = 𝑚 2 − 𝑛2 , 𝑧 = 𝑚2 + 𝑛2
where the positive integer parameters
(7.2.4) 𝑚 and 𝑛 are of opposite parity, 𝑚 > 𝑛, and (𝑚, 𝑛) = 1.
We can interchange the roles of 𝑥 and 𝑦, of course.
(ii) All Pythagorean triples are multiples of the primitive triples, so
(7.2.5) 𝑥 = 2𝑚𝑛𝑑, 𝑦 = (𝑚2 − 𝑛2 )𝑑, 𝑧 = (𝑚2 + 𝑛2 )𝑑
where 𝑑 is any positive integer and positive integers 𝑚 and 𝑛 satisfy (7.2.4). ♣

Proof. All variables will be positive integers throughout the proof.

(i) We show first that if 𝑥, 𝑦, and 𝑧 form a primitive solution (they satisfy (7.2.1)
and (7.2.2)), then they are necessarily of the form described in (7.2.3) and (7.2.4).
We start by verifying that 𝑥, 𝑦, and 𝑧 are pairwise coprime. We show that (𝑥, 𝑧) = 1,
the other two pairs can be handled similarly. For a proof by contradiction, we assume
𝑝 ∣ 𝑥 and 𝑝 ∣ 𝑧 for some prime 𝑝. Then 𝑝 ∣ 𝑧2 − 𝑥2 = 𝑦2 , so 𝑝 ∣ 𝑦 since 𝑝 is a prime. But
then 𝑝 is a common divisor of 𝑥, 𝑦, and 𝑧, which contradicts (7.2.2).
Now we show that 𝑥 and 𝑦 are of opposite parity. Both cannot be even since
(𝑥, 𝑦) = 1. If both are odd, then their squares’ residues are 1 mod 4. Thus the left-
hand side of 𝑥2 + 𝑦2 = 𝑧2 is 2 mod 4, whereas the right-hand side is 0 or 1, which is a
contradiction.
We may assume that 𝑥 is even and 𝑦 is odd. Rearranging (7.2.1), dividing by 4, and
factoring, we get
𝑥 2 𝑧+𝑦 𝑧−𝑦
(7.2.6) ( ) = ⋅ .
2 2 2
We prove that the two factors on the right-hand side of (7.2.6) are coprime. Assume
that 𝑘 divides both (𝑧 + 𝑦)/2 and (𝑧 − 𝑦)/2. Then
𝑧+𝑦 𝑧−𝑦 𝑧+𝑦 𝑧−𝑦
𝑘∣ + = 𝑧 and 𝑘 ∣ − = 𝑦.
2 2 2 2
Exercises 7.2 217

But (𝑦, 𝑧) = 1, so 𝑘 ∣ 1, thus

𝑧+𝑦 𝑧−𝑦
(7.2.7) ( , ) = 1.
2 2
By Exercise 1.6.2a, (7.2.6) and (7.2.7) imply that each of the two (positive) factors
on the right-hand side of (7.2.6) is a square, so
𝑧+𝑦 𝑧−𝑦
(7.2.8) = 𝑚2 and = 𝑛2
2 2
with suitable positive integers 𝑚 and 𝑛. Adding and subtracting the equalities in (7.2.8)
and substituting into (7.2.6), we get the required forms (7.2.3) for 𝑧, 𝑦, and 𝑥.
The conditions in (7.2.4) hold, as well; these follow from 𝑧 (or 𝑦) being odd, 𝑦 > 0,
and (7.2.7).
Turning to the converse, we show that formulas (7.2.3)–(7.2.4) always define a
primitive Pythagorean triple.
The numbers 𝑥, 𝑦, and 𝑧 are positive integers due to 𝑚 > 𝑛 > 0, and a simple
substitution verifies that (7.2.1) is true.
We need to prove (𝑥, 𝑦, 𝑧) = 1. This follows if we check that (e.g.) 𝑦 and 𝑧 are
coprime.
For a proof by contradiction, we assume 𝑝 ∣ 𝑦 and 𝑝 ∣ 𝑧 for some prime 𝑝. Then
𝑝 ∣ 𝑧 + 𝑦 and 𝑝 ∣ 𝑧 − 𝑦, so
(7.2.9) 𝑝 ∣ (𝑚2 + 𝑛2 ) + (𝑚2 − 𝑛2 ) = 2𝑚2 and 𝑝 ∣ (𝑚2 + 𝑛2 ) − (𝑚2 − 𝑛2 ) = 2𝑛2 .

As 𝑝 is a prime, (7.2.9) implies that 𝑝 = 2 or 𝑝 ∣ 𝑚2 and 𝑝 ∣ 𝑛2 .

The case 𝑝 = 2 is impossible since 𝑧 = 𝑚2 + 𝑛2 is odd due to the opposite parity of
𝑚 and 𝑛.
In the other case (using again that 𝑝 is a prime), we have 𝑝 ∣ 𝑚 and 𝑝 ∣ 𝑛, which
contradicts the condition (𝑚, 𝑛) = 1.
(ii) As mentioned before, multiplying a primitive (or any) solution by 𝑑, gives a
solution again. Conversely, any solution 𝑥, 𝑦, 𝑧 can be obtained by multiplying the
primitive solution 𝑥/𝑑, 𝑦/𝑑, 𝑧/𝑑 by 𝑑 = (𝑥, 𝑦, 𝑧). □

Exercises 7.2

1. Show that if the side lengths of a right triangle are integers, then their product is a
multiple of 60.
2. Compute the side lengths of a right triangle of area 60 if these lengths are integers.
3. Find all right triangles with integer side lengths whose area and perimeter are
equal.
4. For which integers 𝑘 does there exist a right triangle with integer side lengths one
of them being 𝑘?
218 7. Diophantine Equations

5. Prove that there exist infinitely many three-term arithmetic progressions of co-
prime squares.

7.3. Some Elementary Methods

In this section we present a few typical methods for handling Diophantine equations.
I. A product is a constant
In each of the four hints to Exercises 7.2.2 and 7.2.3, the key was a Diophantine
equation with an integer 𝑐 ≠ 0 on one side, and a product on the other side:
𝑑 2 𝑚𝑛(𝑚 − 𝑛)(𝑚 + 𝑛) = 60, (𝑥 − 4)(𝑦 − 4) = 8, etc.
Using a similar type of factoring, we now determine which integers can be written as
the difference of two squares, and in how many ways.

Theorem 7.3.1. We consider the Diophantine equation 𝑥2 − 𝑦2 = 𝑛.

(i) The equation is solvable if and only if 𝑛 ≢ 2 (mod 4).
𝑛
(ii) The number of solutions is 2𝑑(𝑛) for 𝑛 odd and 2𝑑 ( 4 ) for 4 ∣ 𝑛 (where 𝑑(𝑘) means
the number of positive divisors of 𝑘). ♣

We count as distinct solutions that differ only in signs. From the theorem, we can
easily obtain the number of essentially distinct solutions, see Exercise 7.3.1.

Proof. Equality (𝑥 + 𝑦)(𝑥 − 𝑦) = 𝑛 holds if and only if 𝑥 + 𝑦 and 𝑥 − 𝑦 are two com-
plementary divisors of 𝑛, or
(7.3.1) 𝑥 + 𝑦 = 𝑑1 , 𝑥 − 𝑦 = 𝑑2 , where 𝑑1 𝑑2 = 𝑛.
Solving system (7.3.1), we get
𝑑1 + 𝑑 2 𝑑 − 𝑑2
𝑥= , 𝑦= 1 .
2 2
Here 𝑥 and 𝑦 are integers if and only if 𝑑1 and 𝑑2 have the same parity.
Accordingly, the Diophantine equation 𝑥2 − 𝑦2 = 𝑛 is solvable if and only if 𝑛 is
the product of two of its divisors of the same parity, and the number of solutions is the
number of such pairs of divisors (where also the signs and the order of the two divisors
count).
If 𝑛 is odd, then its divisors are odd. Therefore the equation is solvable and the
number of solutions is the number of all positive and negative divisors of 𝑛, i.e. 2𝑑(𝑛).
If 𝑛 is even but not a multiple of 4, then 𝑛 cannot be written as the product of
two divisors of the same parity, since the product of two odd numbers is odd, and the
product of two even numbers is divisible by 4. Thus the equation has no solutions for
such 𝑛.
If 4 ∣ 𝑛, then suitable pairs are 2𝑘1 , 2𝑘2 where: 𝑛 = (2𝑘1 )(2𝑘2 ). This is equivalent
to 𝑛/4 = 𝑘1 𝑘2 , so the equation is solvable and the number of solutions is the number
of all positive and negative divisors of 𝑛/4, i.e. 2𝑑(𝑛/4). □
7.3. Some Elementary Methods 219

II. A product is a power

The Fundamental Theorem of Arithmetic implies that if a 𝑘th power is the prod-
uct of two coprime factors, then each factor is a 𝑘th power, apart from units (see Ex-
ercise 1.6.2). This fact played an important role in the proof of Theorem 7.2.1 (see
formulas (7.2.6), (7.2.7), and (7.2.8) there), and also in solving Exercise 1.6.3. The next
example illustrates that similar arguments can be applied if the factors are not neces-
sarily coprime.
Example. Solve the Diophantine equation 𝑥3 + 7𝑥 = 𝑦3 .
Clearly, 𝑥 = 𝑦 = 0 is a solution, and if 𝑥, 𝑦 is a solution, then so is −𝑥, −𝑦. Therefore
we may assume 𝑥 (and thus 𝑦) is positive.
We factor the left-hand side of the equation:
(7.3.2) 𝑥(𝑥2 + 7) = 𝑦3
and check the possible values of the gcd of the two factors. Let 𝑑 = (𝑥, 𝑥2 + 7), then
𝑑 ∣ (𝑥2 + 7) − 𝑥 ⋅ 𝑥 = 7,
thus 𝑑 = 1 and 𝑑 = 7 are the only potential values.
If 𝑑 = 1, then both 𝑥 and 𝑥2 + 7 are cubes, so
(7.3.3) 𝑥 = 𝑢3 and 𝑥2 + 7 = 𝑣 3
for suitable (positive) integers 𝑢 and 𝑣. Replacing 𝑥 by 𝑢3 in the second equality, we get
(7.3.4) 𝑣3 − 𝑢6 = 7.
The difference of two positive cubes can be 7 only for the pair (8, 1): if 𝑎 > 𝑏 > 0, then
𝑎3 − 𝑏3 ≥ (𝑏 + 1)3 − 𝑏3 = 3𝑏2 + 3𝑏 + 1 ≥ 7,
and equality holds only for 𝑏 = 1 and 𝑎 = 𝑏 + 1 = 2. (Another justification: in the
product
7 = 𝑎3 − 𝑏3 = (𝑎 − 𝑏)(𝑎2 + 𝑎𝑏 + 𝑏2 ),
the factors can only be ±1 and ±7 in suitable pairings.)
By (7.3.3) and (7.3.4), we get the solution 𝑥 = 1, 𝑦 = 2.
Now we consider the case 𝑑 = 7. Then 7 ∣ 𝑥 and 𝑥 ∣ 𝑦3 imply 7 ∣ 𝑦3 , so 7 ∣ 𝑦
since 7 is a prime. We check the exponent of 7 on the right-hand side and in the two
factors on the left-hand side of (7.3.2). The right-hand side, 𝑦3 , is divisible by at least
73 , whereas the second factor of the left-hand side, 𝑥2 + 7 is not divisible by 72 since
72 ∣ 𝑥2 . Therefore the exponent of 7 in the first factor of the left-hand side is at least
3 − 1 = 2, so 72 ∣ 𝑥.
Substituting 𝑥 = 72 𝑟 and 𝑦 = 7𝑠 into (7.3.2) and cancelling 73 , we obtain
(7.3.5) 𝑟(73 𝑟2 + 1) = 𝑠3 .
The two factors on the left-hand side of (7.3.5) are coprime, hence each is a cube:
𝑟 = 𝑤3 and 7 3 𝑟2 + 1 = 7 3 𝑤 6 + 1 = 𝑧 3 .
The second equality says 𝑧3 − (7𝑤2 )3 = 1, but this is impossible for non-zero cubes.
Hence, the case 𝑑 = 7 cannot occur.
220 7. Diophantine Equations

Thus the equation has three solutions altogether:

𝑥=𝑦=0 𝑥 = 1, 𝑦 = 2 𝑥 = −1, 𝑦 = −2.
There is another way to treat this equation, see IV below.

III. Proving insolvability via congruences

If the two sides of a Diophantine equation are never congruent modulo a suitable
integer, then equality cannot hold. (The converse is false!)

Example. Solve the Diophantine equation 𝑥4 + 5𝑦4 = 4𝑧4 .

Clearly, 𝑥 = 𝑦 = 𝑧 = 0 is a solution. We claim that there are no other solutions.
For a proof by contradiction, we assume the existence of a solution where 𝑥, 𝑦, and
𝑧 are not all 0. We can assume also that 𝑥, 𝑦, and 𝑧 are coprime: If (𝑥, 𝑦, 𝑧) = 𝑑 > 1,
then dividing the equation by 𝑑 4 , we see that 𝑥/𝑑, 𝑦/𝑑, 𝑧/𝑑 is a solution and these three
numbers are coprime.
If 𝑥4 + 5𝑦4 = 4𝑧4 , then
(7.3.6) 𝑥4 + 5𝑦4 ≡ 4𝑧4 (mod 5) .
By Fermat’s Little Theorem,

1 (mod 5) , if 5 ∤ 𝑎
(7.3.7) 𝑎4 ≡ {
0 (mod 5) , if 5 ∣ 𝑎,
for any integer 𝑎. If 5 ∤ 𝑥, then the left-hand side of (7.3.6) is congruent to 1 and the
right-hand side is congruent to 0 or 4 modulo 5, by (7.3.7), which is impossible. The
case 5 ∤ 𝑧 leads to a contradiction similarly. Therefore 5 ∣ 𝑥 and 5 ∣ 𝑧.
Substituting 𝑥 = 5𝑥1 and 𝑧 = 5𝑧1 into the original equation, we get
54 𝑥14 + 5𝑦4 = 4 ⋅ 54 𝑧41 , i.e. 53 𝑥14 + 𝑦4 = 4 ⋅ 53 𝑧41 .
Thus 5 ∣ 𝑦4 , and so 5 ∣ 𝑦, as 5 is a prime. This, however, contradicts the condition
(𝑥, 𝑦, 𝑧) = 1.

Remarks: (1) We can arrive at a contradiction similarly modulo 16.

(2) In general, it is helpful to choose a modulus that divides some coefficient in the
equation, or one for which the powers in the equation fall into few residue classes.
For example, a square can be congruent only to 0, 1, or 4 modulo 8 and the possible
remainders of a fourth power modulo 16 are 0 and 1, thus it is often good to try 8
or 16 as a modulus.
(3) If we get no contradiction for a modulus, this means only the solvability of the
corresponding congruence but does not imply that the equation is solvable (and
does not imply, of course, that the equation has no solutions). For example, mod-
uli 𝑚 = 3 or 𝑚 = 7 would have not helped with the equation above, as the con-
gruence 𝑥4 + 5𝑦4 ≡ 4𝑧4 has a non-trivial solution both mod 3 and mod 7:
(±1)4 + 5(±1)4 ≡ 4 ⋅ 34 (mod 3) and (±1)4 + 5(±2)4 ≡ 4(±1)4 (mod 7) .
Exercises 7.3 221

(4) We emphasize repeatedly that this method (in itself) can be successful only if the
Diophantine equation has no solutions except perhaps a trivial one (as 𝑥 = 𝑦 =
𝑧 = 0 at the equation above). If the equation has a non-trivial solution, then it
satisfies also the corresponding congruence for every modulus 𝑚, so we cannot get
a contradiction for any modulus. (Of course, such arguments with congruences
can help to exclude solutions of certain types for any Diophantine equation.)
(5) This method is often not effective even if a Diophantine equation has no solu-
tions. It may be that we are not clever or lucky enough to find a suitable modulus
leading to a contradiction, but it is possible that no such modulus exists. We saw
an equation in Exercise 4.2.8 that had no integer or rational solutions, but the
corresponding congruence was solvable for every modulus 𝑚.

IV. Application of inequalities

Consider a Diophantine equation 𝑓(𝑥) = 𝑦𝑘 . Assume that for some 𝑐, every integer
𝑥 of absolute value greater than 𝑐 has the property that 𝑓(𝑥) is between two consecutive
𝑘th powers (not allowing equality). Then only solutions |𝑥| ≤ 𝑐 are possible. Checking
these finitely many values, we can obtain all solutions of the equation.
We illustrate the procedure for the Diophantine equation 𝑥3 + 7𝑥 = 𝑦3 (discussed
in II).
As observed previously, we can restrict ourselves to 𝑥 > 0, and we see that 𝑥 = 1,
𝑦 = 2 is a solution.
A simple calculation shows
𝑥3 < 𝑥3 + 7𝑥 < (𝑥 + 1)3
for 𝑥 > 1. Therefore 𝑥3 + 7𝑥 cannot be a cube for 𝑥 > 1.
Thus the three pairs given in II provide all solutions of the equation.

Exercises 7.3

1. Let 𝑛 be a fixed positive integer. In how many essentially distinct ways can 𝑛 be
represented as the difference of two squares, i.e. what is the number of solutions
of the equation 𝑥2 − 𝑦2 = 𝑛 in non-negative integers?
2. A housewife wants to slice up a rectangular cake (into uniform rectangular pieces)
so that she should get as many crispy pieces (that touched the tin’s wall) as soft
ones (that were away from the tin’s wall). How should she do the slicing?
3. Géza Ottlik was a famous Hungarian writer in the twentieth century who also stud-
ied mathematics. In his memoirs, he gives a vivid description how he succeeded
in defeating the problem:
Let 𝑝 > 2 be a prime. Verify that 2/𝑝 has exactly one representation as
a sum of reciprocals of two distinct positive integers. (The order of the
terms is irrelevant.)
 222 7. Diophantine Equations

Remark: The reciprocals of positive integers, i.e. the rational numbers having pos-
itive denominators and 1 as numerator, are called unit fractions or Egyptian frac-
tions since the ancient Egyptians generally expressed the rational numbers as the
sum of such fractions.
* 4. Which fractions with numerator 4 can be written as the sum of reciprocals of two
natural numbers?
5. Show that if 𝑛 is a positive integer not of the form 24𝑘 + 1, then 4/𝑛 can be written
as a sum of reciprocals of three natural numbers.
Remark: A long-standing unsolved conjecture of Erdős and Straus claims that ev-
ery positive integer 𝑛 has this property.
6. Prove that every positive rational number has infinitely many representations as a
sum of reciprocals of finitely many distinct positive integers.
7. Can a fourth power exceed a fifth power by 4?
S 8. Find all solutions of the system of equations
𝑡2 + (𝑠 + 𝑥)2 = 𝑠2 + 𝑦2 = (𝑦 + 𝑡)2 + 𝑥2
in rational numbers 𝑥, 𝑦, 𝑠, and 𝑡.
9. Prove that the sum of 99 consecutive squares cannot be a power.
S 10. Determine all integers whose cubes are the sum of eight consecutive cubes.
* 11. Show that 6 consecutive natural numbers cannot be partitioned into two (disjoint)
groups so that the product of the elements in the two groups is equal. Demonstrate
that this is true also if 6 is replaced by 106.
12. For a given positive integer 𝑚, find all positive integers 𝑛, 𝑥, and 𝑦 satisfying
(𝑛, 𝑚) = 1 and (𝑥2 + 𝑦2 )𝑚 = (𝑥𝑦)𝑛 .

13. Solve the Diophantine equations

(a) 𝑥𝑦 + 3𝑥 + 5𝑦 = 7
(b) 𝑥2 − 2𝑦2 + 363𝑧2 = 77
(c) 2𝑥2 + 3𝑦2 = 𝑧2
(d) 𝑥2 − 230𝑦2 = 7𝑧2
* (e) 𝑥5 + 3𝑦5 = 5𝑧5
(f) (𝑥2 − 2)(𝑥2 + 7) = 𝑧3
S* (g) 𝑥2 − 2𝑦4 = 1
S (h) 𝑥𝑦 = 𝑦𝑥 (where 𝑥 and 𝑦 are positive integers)
S* (i) 2𝑥 − 𝑦5 = 31.
14. In which number systems are the following numbers squares?
(a) 111
* (b) 11111
7.4. Gaussian Integers 223

(c) 111111.
(See Exercise 7.7.7 for the missing 1111.)

7.4. Gaussian Integers

Theorem 7.3.1 described completely which positive integers can be written as the dif-
ference of two squares and in how many ways. Now we raise the analogous question
for sums instead of differences, i.e. which positive integers can be represented as the
sum of two squares and in how many ways.
In solving 𝑥2 −𝑦2 = 𝑛, the key step was factoring the left-hand side. For 𝑥2 +𝑦2 = 𝑛,
we have no such factorization among the integers (or even among the real numbers),
but we can factor over the complex numbers: (𝑥 + 𝑦𝑖)(𝑥 − 𝑦𝑖) = 𝑛. Therefore it is
promising to develop number theory for complex numbers 𝑎 + 𝑏𝑖 where 𝑎 and 𝑏 are
integers. These complex numbers are called Gaussian integers.
Analogously to the integers, we define here the relevant notions (divisibility, unit,
greatest common divisor, irreducible, and prime), show that the Fundamental Theo-
rem of Arithmetic is true for the Gaussian integers and determine all Gaussian primes.
This makes it possible to handle our original problem, the Diophantine equation
𝑥2 + 𝑦2 = 𝑛, in the next section.
Definition 7.4.1. Gaussian integers are those complex numbers 𝛼 = 𝑎 + 𝑏𝑖 where both
𝑎 and 𝑏 are integers. ♣

To make a clear distinction, Roman letters will denote integers, and Greek letters
will denote Gaussian integers.
The Gaussian integers form a commutative ring without zero divisors (i.e. an inte-
gral domain) with an identity element under the addition and multiplication of com-
plex numbers.
The norm plays a central role in the number theory of Gaussian integers:
Definition 7.4.2. The norm 𝑁(𝛼) of a Gaussian integer 𝛼 = 𝑎 + 𝑏𝑖 is the square of the
absolute value of 𝛼:
𝑁(𝛼) = |𝛼|2 = 𝛼𝛼 = 𝑎2 + 𝑏2 . ♣

A few simple but important properties of the norm follow immediately from the
definition of Gaussian integers and from the properties of the absolute values of com-
plex numbers:
Theorem 7.4.3. (i) 𝑁(𝛼) is a non-negative integer.
(ii) 𝑁(𝛼) = 0 ⟺ 𝛼 = 0.
(iii) 𝑁(𝛼𝛽) = 𝑁(𝛼)𝑁(𝛽), for any Gaussian integers 𝛼 and 𝛽. ♣

To develop number theory for Gaussian integers, we follow the path for integers in
Chapter 1; we define the notions and prove the Fundamental Theorem of Arithmetic
according to that model. There is some difference in the form of the division algorithm
(Theorem 7.4.8), otherwise we just copy the structure for the integers.
224 7. Diophantine Equations

Definition 7.4.4. The Gaussian integer 𝛽 is a divisor of the Gaussian integer 𝛼 if there
exists a Gaussian integer 𝛾 satisfying 𝛼 = 𝛽𝛾. ♣

Similar to the integers, the expressions “𝛼 is divisible by 𝛽” and “𝛼 is a multiple of

𝛽” have the same meaning. We use the notation 𝛽 ∣ 𝛼 for Gaussian integers, too.
𝛼
If 𝛽 ≠ 0, then 𝛽 ∣ 𝛼 holds if and only if the complex number is a Gaussian integer.
𝛽
Examples.
7+𝑖
2 + 𝑖 ∣ 7 + 𝑖, as =3−𝑖
2+𝑖
4−𝑖 15 8
4 + 𝑖 ∤ 4 − 𝑖, since = − 𝑖.
4+𝑖 17 17
The following (one-way) bridge is an important connection between integers and
Gaussian integers:
Theorem 7.4.5. If 𝛽 ∣ 𝛼 (in the Gaussian integers), then 𝑁(𝛽) ∣ 𝑁(𝛼) (in the integers).
♣

Proof. The implication follows from Definition 7.4.4 and Theorem 7.4.3(iii). □

The converse of Theorem 7.4.5 is false, see e.g. the second example above the the-
orem.
Definition 7.4.6. A Gaussian integer dividing every Gaussian integer is called a unit.
Multiplying a Gaussian integer 𝛾 by a unit, we get an associate of 𝛾. ♣

Units have several characterizations.

Theorem 7.4.7. The following statements are equivalent:
(i) 𝜀 is a unit.
(ii) 𝜀 ∣ 1.
(iii) 𝑁(𝜀) = 1.
(iv) 𝜀 = 1, −1, 𝑖, or −𝑖. ♣

Proof. (i)⟹(ii): If 𝜀 divides every Gaussian integer, then it divides 1 in particular.

(ii)⟹(iii): This follows from Theorem 7.4.5.
(iii)⟹(iv): 𝑁(𝑎 + 𝑏𝑖) = 𝑎2 + 𝑏2 = 1 holds with integers 𝑎 and 𝑏 only in the cases
𝑎 = ±1, 𝑏 = 0, or 𝑎 = 0, 𝑏 = ±1.
(iv)⟹(i): For any Gaussian integer 𝛼,
𝛼 = 1𝛼 = (−1)(−𝛼) = 𝑖(−𝑖𝛼) = (−𝑖)(𝑖𝛼). □

Now we turn to the division algorithm for Gaussian integers.

Theorem 7.4.8. For any Gaussian integers 𝛼 and 𝛽 ≠ 0, there exist Gaussian integers 𝛾
and 𝜚 satisfying
(7.4.1) 𝛼 = 𝛽𝛾 + 𝜚 and 𝑁(𝜚) < 𝑁(𝛽). ♣
7.4. Gaussian Integers 225

Proof. Condition (7.4.1) is equivalent to

𝛼 𝜚 | 𝜚 | < 1.
−𝛾= and |𝜚| < |𝛽|, i.e. |𝛽|
𝛽 𝛽
Thus we have to find a Gaussian integer 𝛾 satisfying
(7.4.2) | 𝛼 − 𝛾| < 1.
|𝛽 |

The Gaussian integers form the usual unit square lattice in the complex plane.
Hence, (7.4.2) means that the point (with rational coordinates) in the plane correspond-
ing to 𝛼/𝛽 is closer to lattice point 𝛾 than 1, i.e. it falls inside the unit circle around 𝛾.
Consider a unit square in the lattice that contains 𝛼/𝛽 (inside or on its border; there
is more than one such unit square if and only if at least one of the coordinates of 𝛼/𝛽 is
an integer). If we draw unit circles around two opposite vertices, the interiors of these
circles cover this unit square entirely except the two other vertices. Thus for any point
in the plane, there is a lattice point whose distance from it is less than 1. So to any 𝛼/𝛽,
there is a suitable 𝛾.
The value of 𝜚 is determined then by 𝜚 = 𝛼 − 𝛽𝛾. □
Remarks: (1) We see from the proof that the quotient 𝛾 and the remainder 𝜚 are not
unique in general; uniqueness holds if and only if 𝛼/𝛽 itself is a lattice point, i.e.
𝛽 ∣ 𝛼 (and the remainder is 0). Otherwise there are two, three, or four suitable
pairs 𝛾, 𝜚, depending on the position of 𝛼/𝛽.
(2) The proof yields an algorithm to find 𝛾 and 𝜚: we can choose 𝛾 as the closest
lattice point to 𝛼/𝛽. (Choose one if there exists more than one.) Algebraically, if
𝛼/𝛽 = 𝑟 + 𝑠𝑖, then choose 𝛾 = 𝑢 + 𝑣𝑖 where 𝑢 and 𝑣 are the closest integers to the
rational numbers 𝑟 and 𝑠. (Again, just choose in the event of a tie.) Then
2 2 2
| 𝛼 − 𝛾| = (𝑟 − 𝑢)2 + (𝑠 − 𝑣)2 ≤ ( 1 ) + ( 1 ) = 1 .
|𝛽 | 2 2 2
For Gaussian integers, we define the greatest common divisor immediately with
the special common divisor property seen in Definition 1.3.2 at the integers: it is a
common divisor that is a multiple of all common divisors.
Definition 7.4.9. The greatest common divisor (or gcd) of Gaussian integers 𝛼 and 𝛽
is 𝛿 if
(i) 𝛿 ∣ 𝛼, 𝛿 ∣ 𝛽
(ii) if 𝛾 satisfies 𝛾 ∣ 𝛼 and 𝛾 ∣ 𝛽, then 𝛾 ∣ 𝛿. ♣

We assume now that at least one of 𝛼 and 𝛽 is not zero, and denote the greatest
common divisor by (𝛼, 𝛽) or gcd(𝛼, 𝛽).
The existence of a greatest common divisor follows from the Euclidean algorithm
as in the proof of Theorem 1.3.3 (the procedure terminates in finitely many steps also
for Gaussian integers since the norms of the remainders form a strictly decreasing se-
quence of non-negative integers). The Euclidean algorithm is suitable for the practical
computation of the greatest common divisor.
226 7. Diophantine Equations

The greatest common divisor is unique apart from a unit factor, i.e. if 𝛿 is a gcd of
the Gaussian integers 𝛼 and 𝛽, then all greatest common divisors are the associates of
𝛿. (This follows from the definition of gcd.)
There are four units, so any two Gaussian integers (not both zero) have exactly four
greatest common divisors. Since they are associates, they behave identically concern-
ing divisibility. Also, there is no natural principle to distinguish one of them, as we
chose the positive value among the integers. Therefore the notation (𝛼, 𝛽) can mean
any of the four values.
The relevant further theorems and definitions in Section 1.3 are equally valid for
Gaussian integers.
Now we define the notions of Gaussian irreducibles and Gaussian primes on the
model of Definitions 1.4.1 and 1.4.2.
Definition 7.4.10. A Gaussian integer 𝜋 different from units (and zero) is called a
Gaussian irreducible if it can be factored into the product of two integers only so that
one of the factors is a unit:
𝜋 = 𝛼𝛽 ⟹ 𝛼 or 𝛽 is a unit. ♣
Definition 7.4.11. A Gaussian integer 𝜋 different from units and zero is called a Gauss-
ian prime if it can divide the product of two integers only if it divides at least one of the
factors:
𝜋 ∣ 𝛼𝛽 ⟹ 𝜋 ∣ 𝛼 or 𝜋 ∣ 𝛽. ♣

The analog of Theorem 1.4.3 is valid for Gaussian integers, and the proof is literally
the same:
Theorem 7.4.12. A Gaussian integer is a Gaussian prime if and only if it is a Gaussian
irreducible. ♣

We shall generally use the shorter term Gaussian prime also for a Gaussian irre-
ducible.
We are ready now to state and prove the analog of Theorem 1.5.1:
Theorem 7.4.13 (The Fundamental Theorem of Arithmetic). Every Gaussian integer
different from 0 and units is the product of finitely many Gaussian irreducibles and this
decomposition is unique apart from associates and the order of factors. ♣

Proof. The first proof of uniqueness for integers remains valid literally for Gaussian
integers (see Exercise 7.4.11 for the analog of the second proof).
We can apply the same arguments as at the integers for the decomposability with
two minor modifications: instead of “minimal positive non-trivial divisor” we need
“a(ny) non-trivial divisor of minimal norm”, and |𝑎𝑖 | should be replaced by 𝑁(𝛼𝑖 ). We
leave the details to the reader. □
Remark: As a summary, we can state that we arrived at the Fundamental Theorem
of Arithmetic almost identically both for integers and Gaussian integers. We proved
decomposability in both cases directly (using similar ideas), and deduced uniqueness
with the following steps:
7.4. Gaussian Integers 227

Division algorithm ⇒ existence of a greatest common divisor (in the sense of a

special common divisor) ⇒ every irreducible is a prime ⇒ the uniqueness part of the
Fundamental Theorem of Arithmetic.
We shall show later that the existence of a division algorithm always implies the
Fundamental Theorem of Arithmetic but the converse is false (see Section 11.3).

Our next goal is to characterize all Gaussian primes. As a preparation, we establish

a relation between Gaussian primes and ordinary prime numbers in 𝐙:
Theorem 7.4.14. (i) For every Gaussian prime 𝜋, there exists exactly one positive
prime number 𝑝 satisfying 𝜋 ∣ 𝑝.
(ii) Every positive prime number 𝑝 is either a Gaussian prime, or it is the product of two
complex conjugate Gaussian primes having norm 𝑝. ♣

Proof. (i) As 𝜋 is different from 0 and units, we have 𝑁(𝜋) > 1, so 𝑁(𝜋) is the product
of positive prime numbers: 𝑁(𝜋) = 𝑝1 𝑝2 . . . 𝑝𝑟 . Then
𝜋 ∣ 𝜋𝜋 = 𝑁(𝜋) = 𝑝1 𝑝2 . . . 𝑝𝑟 ,
thus 𝜋 must divide some 𝑝 𝑖 , as well.
To prove uniqueness by contradiction, we assume 𝜋 ∣ 𝑝 and 𝜋 ∣ 𝑞 for some positive
prime numbers 𝑝 ≠ 𝑞. Since 𝑝 and 𝑞 are coprime (among the integers), we have 1 =
𝑝𝑢 + 𝑞𝑣 with suitable integers 𝑢 and 𝑣. Then 𝜋 ∣ 𝑝 and 𝜋 ∣ 𝑞 imply 𝜋 ∣ 𝑝𝑢 + 𝑞𝑣 = 1,
which is a contradiction.
(ii) If the prime number 𝑝 > 0 is not a Gaussian prime, then it is the product of at
least two Gaussian primes (by the Fundamental Theorem of Arithmetic):
(7.4.3) 𝑝 = 𝜋1 . . . 𝜋𝑟 , where 𝑟 ≥ 2.
Taking norms in (7.4.3), we obtain
(7.4.4) 𝑝2 = 𝑁(𝑝) = 𝑁(𝜋1 ) . . . 𝑁(𝜋𝑟 ).
Every 𝑁(𝜋𝑖 ) > 1 since 𝜋𝑖 is neither 0 nor a unit. The integer 𝑝2 has only one decompo-
sition into the product of two integers greater than 1: 𝑝2 = 𝑝 ⋅ 𝑝. Therefore, there are
only two factors on the right-hand side of (7.4.4), so the same is true for (7.4.3):
𝑝 = 𝜋 1 𝜋2 , where 𝑁(𝜋1 ) = 𝑁(𝜋2 ) = 𝑝.
Finally,
𝑝 = 𝜋1 𝜋2 and 𝑝 = 𝑁(𝜋1 ) = 𝜋1 𝜋1
imply 𝜋2 = 𝜋1 . □

And now, here is the list of Gaussian primes:

Theorem 7.4.15. The following Gaussian integers constitute all Gaussian primes (where
𝜀 denotes a unit):
(A) 𝜀(1 + 𝑖)
(B) 𝜀𝑞 where 𝑞 is a positive prime number of the form 4𝑘 − 1
228 7. Diophantine Equations

(C) 𝜋 where 𝑁(𝜋) is a positive prime number of the form 4𝑘 + 1; to each such prime
number, there belong two Gaussian primes (apart from unit factors) that are com-
plex conjugates but not associates. ♣
Examples. −1 + 𝑖 = 𝑖(1 + 𝑖) and −7𝑖 are Gaussian primes.
Also 2 − 5𝑖 is a Gaussian prime since (2 − 5𝑖)(2 + 5𝑖) = 29 and 29 is a positive prime
number of the form 4𝑘 + 1.
Also 2 + 5𝑖 is a Gaussian prime that is not an associate of 2 − 5𝑖.
The factors of the decomposition 29 = (5 − 2𝑖)(5 + 2𝑖) can only be associates of the
previous two Gaussian primes (by the Fundamental Theorem of Arithmetic): 5 − 2𝑖 =
(−𝑖)(2 + 5𝑖) and 5 + 2𝑖 = 𝑖(2 − 5𝑖).
−37 is not a Gaussian prime, as 37 is a prime number, but not of the form 4𝑘 − 1.
Also 9 + 2𝑖 is not a Gaussian prime because (9 + 2𝑖)(9 − 2𝑖) = 85 is not a prime
number.

Proof. By Theorem 7.4.14, we obtain all Gaussian primes from the factorization of
positive prime numbers into the product of Gaussian primes. We get different decom-
positions when the positive prime number is (A) 2, has the form (B) 4𝑘 − 1, or (C)
4𝑘 + 1.
(A) Since 2 = (1 + 𝑖)(1 − 𝑖) = (−𝑖)(1 + 𝑖)2 , the only Gaussian prime divisor of 2 is
1 + 𝑖, apart from associates.
(B) Let 𝑞 be a positive prime number of the form 4𝑘 − 1. For a proof by contradic-
tion, we assume that 𝑞 is not a Gaussian prime. Then, by (ii) in Theorem 7.4.14, there
exists a Gaussian prime 𝜋 = 𝑎 + 𝑏𝑖 satisfying 𝑞 = 𝑁(𝜋) = 𝑎2 + 𝑏2 . This is impossible,
however, as the sum of two squares cannot be of the form 4𝑘 − 1.
(C) Let 𝑝 be a positive prime number of the form 4𝑘 + 1. We show first that 𝑝 is
not a Gaussian prime.
By Theorem 4.1.4, the congruence 𝑥2 ≡ −1 (mod 𝑝) is solvable, so 𝑝 ∣ 𝑐2 + 1 for
some integer 𝑐. Hence, 𝑝 divides the product (𝑐 + 𝑖)(𝑐 − 𝑖) among the Gaussian integers.
But
𝑐±𝑖 𝑐 1
= ± 𝑖
𝑝 𝑝 𝑝
are not Gaussian integers because their imaginary parts are not integers, thus none of
the factors 𝑐 + 𝑖 and 𝑐 − 𝑖 are divisible by 𝑝. Therefore, by definition, 𝑝 is not a Gaussian
prime.
This means, according to Theorem 7.4.14, that 𝑝 = 𝜋𝜋 where 𝜋 and 𝜋 are Gaussian
primes. By the Fundamental Theorem of Arithmetic, this is the only decomposition of
𝑝 into the product of Gaussian primes, apart from associates.
Finally, we have to show 𝜋 ≠ 𝜀𝜋 for some unit 𝜀. We can verify this by a simple
calculation checking all cases 𝜀 = 1, −1, 𝑖, and −𝑖 for 𝑝 = 𝑎 + 𝑏𝑖. It follows also from
Exercise 7.4.3. □
Exercises 7.4 229

Exercises 7.4

(𝛼, 𝛽, and 𝑎 + 𝑏𝑖 denote Gaussian integers throughout.)

1. Which Gaussian integers are divisible by 1 + 𝑖?
2. Verify:
(a) 𝛾 ∣ 𝛼 ⟺ 𝛾 ∣ 𝛼
(b) (𝛼, 𝛾) = (𝛼, 𝛾)
(c) 𝛼 is a Gaussian prime ⟺ 𝛼 is a Gaussian prime.
3. Let 𝛼 = 𝑎 + 𝑏𝑖. Prove
𝛼 ∣ 𝛼 ⟺ |𝑎| = |𝑏| or 𝑎𝑏 = 0.
4. If 𝑎 and 𝑏 ≠ 0 are two integers, then the divisibility 𝑏 ∣ 𝑎 and gcd(𝑎, 𝑏) could depend
on whether 𝑎 and 𝑏 are considered as integers or as Gaussian integers. Show that
there is no need for such a distinction:
(a) 𝑏 ∣ 𝑎 holds among Gaussian integers if and only if it is true in 𝐙
(b) the greatest common divisor of 𝑎 and 𝑏 in 𝐙 is the same as their gcd among
the Gaussian integers, apart from associates.
5. True or false?
(a) (𝑁(𝛼), 𝑁(𝛽)) = 1 ⟹ (𝛼, 𝛽) = 1.
(b) (𝛼, 𝛽) = 1 ⟹ (𝑁(𝛼), 𝑁(𝛽)) = 1.
(c) (𝛼, 𝛽) = (𝛼, 𝛽) = 1 ⟹ (𝑁(𝛼), 𝑁(𝛽)) = 1.
6. Compute the gcd of 𝛼 and 𝛽 for
(a) 𝛼 = 8 + 𝑖 and 𝛽 = 11 − 3𝑖
(b) 𝛼 = 39(1 − 𝑖)3 and 𝛽 = 62(2 + 𝑖)3
(c) 𝛼 = (4 + 𝑖)10 + (2 + 𝑖)11 and 𝛽 = (4 + 𝑖)10 − (2 + 𝑖)11 .
7. Let 𝛼 = 𝑎 + 𝑏𝑖.
(a) True or false?
(a1) (𝛼, 𝛼) = 1 ⟹ (𝑎, 𝑏) = 1.
(a2) (𝑎, 𝑏) = 1 ⟹ (𝛼, 𝛼) = 1.
(b) What is the connection between (𝛼, 𝛼) and (𝑎, 𝑏), in general?
8. Let us call two Gaussian integers 𝛼 and 𝛽 friends if they are coprime and an ordinary
integer is a multiple of 𝛼 if and only if it is a multiple of 𝛽.
(a) Prove that 𝑎 + 𝑏𝑖 has a friend if and only if (𝑎, 𝑏) = 1 and 𝑎 ≢ 𝑏 (mod 2).
(b) How many friends belong to 𝑎 + 𝑏𝑖 in this case?
9. Decompose 270 + 2610𝑖 into a product of Gaussian primes.
10. True or false?
(a) If 𝛼 is a Gaussian prime, then 𝑁(𝛼) is a prime number.
 230 7. Diophantine Equations

(b) If 𝑁(𝛼) is a prime number, then 𝛼 is a Gaussian prime.

(c) If 𝛼 is the cube of a Gaussian integer, then 𝑁(𝛼) is the cube of a non-negative
integer.
(d) If 𝑁(𝛼) is the cube of a non-negative integer, then 𝛼 is the cube of a Gaussian
integer.
(e) If 𝛼 ∣ 𝛼, then 𝑁(𝛼) is a square or the double of a square.
(f) If 𝑁(𝛼) is a square or the double of a square, then 𝛼 ∣ 𝛼.
* 11. Prove the uniqueness part of the Fundamental Theorem of Arithmetic with a suit-
able modification of the second proof of Theorem 1.5.1.

7.5. Sums of Squares

In this section, we examine which positive integers can be represented as the sum of
two, three, or four squares (allowing also 0 as a summand).
Theorem 7.5.1 (Two Squares Theorem). Let the standard form of the positive integer 𝑛
be
𝛽 𝛽 𝛾 𝛾
(7.5.1) 𝑛 = 2𝛼 𝑝1 1 . . . 𝑝𝑟 𝑟 𝑞1 1 . . . 𝑞𝑠 𝑠
where the primes 𝑝𝜇 are of the form 4𝑘 + 1, the primes 𝑞𝜈 are of the form 4𝑘 − 1, and the
exponents 𝛼, 𝛽𝜇 , 𝛾𝜈 are non-negative integers.
The Diophantine equation
(7.5.2) 𝑥2 + 𝑦2 = 𝑛
is solvable if and only if every 𝛾𝜈 is even, and then the number of solutions is
𝑟
4 ∏(𝛽𝜇 + 1). ♣
𝜇=1

Similar to Theorem 7.3.1, we consider as distinct solutions differing only in signs

or in the order of terms. We can easily deduce from our result also the number of
essentially different solutions, see Exercise 7.5.1.
Example. Consider 𝑛 = 4050. Its standard form is 2 ⋅ 34 ⋅ 52 . The exponent of 3 is
even, thus we have a solution, and the number of solutions is 4(2 + 1) = 12 obtained
from the exponent of 5. The solutions are
4050 = (±45)2 + (±45)2 = (±9)2 + (±63)2 = (±63)2 + (±9)2 .

Proof. The equation 𝑥2 + 𝑦2 = 𝑛 can be rewritten as

(7.5.3) (𝑥 + 𝑦𝑖)(𝑥 − 𝑦𝑖) = 𝑛.
Thus we have to determine which integers 𝑛 can be factored and in how many ways as
a product of two conjugate Gaussian integers.
We determine first the standard form of 𝑛 among the Gaussian integers. By stan-
dard form, we mean a representation
𝜅 𝜅
𝜀𝜚1 1 . . . 𝜚𝑡 𝑡
7.5. Sums of Squares 231

where no two Gaussian primes 𝜚𝑗 are associates and 𝜀 is a unit. For example, a standard
form of 4 is (−1)(1 + 𝑖)4 or (−1)(−1 + 𝑖)4 , etc. (We need the extra factor of a unit also
among the integers if we want to extend the standard form to negative integers: e.g. −9
can be represented only in the form (−1)32 or (−1)(−3)2 .)
By Theorem 7.4.15, a standard form of 𝑛 among the Gaussian integers is
𝛽 𝛽1 𝛽 𝛽𝑟 𝛾 𝛾
(7.5.4) 𝑛 = (−𝑖)𝛼 (1 + 𝑖)2𝛼 𝜋1 1 𝜋1 . . . 𝜋𝑟 𝑟 𝜋𝑟 𝑞1 1 . . . 𝑞𝑠 𝑠 ,
where 𝜋𝜇 𝜋𝜇 = 𝑝𝜇 . (No two Gaussian primes on the right-hand side of (7.5.4) are
associates.)
As 𝑥 + 𝑦𝑖 ∣ 𝑛, the standard form of 𝑥 + 𝑦𝑖, according to the Fundamental Theorem
of Arithmetic, is
𝑟 ′ ″
𝑠
′ 𝛽𝜇 𝛽𝜇 𝛾′
(7.5.5) 𝑥 + 𝑦𝑖 = 𝜀(1 + 𝑖)𝛼 ∏ (𝜋𝜇 𝜋𝜇 ) ∏ 𝑞𝜈𝜈
𝜇=1 𝜈=1

where 𝜀 is a unit and each Gaussian prime occurs with an exponent not greater than
in (7.5.4).
We construct a standard form of 𝑥 − 𝑦𝑖 by conjugating (7.5.5) and using 1 − 𝑖 =
(−𝑖)(1 + 𝑖):
𝑟 ″ ′
𝑠
′ ′ 𝛽𝜇 𝛽𝜇 𝛾′
(7.5.6) 𝑥 − 𝑦𝑖 = (𝜀(−𝑖)𝛼 )(1 + 𝑖)𝛼 ∏ (𝜋𝜇 𝜋𝜇 ) ∏ 𝑞𝜈𝜈 .
𝜇=1 𝜈=1

By the Fundamental Theorem of Arithmetic, (7.5.3) holds if and only if the exponent
of each Gaussian prime in (7.5.4) is the sum of the corresponding exponents in (7.5.5)
and (7.5.6), and the extra unit factor in (7.5.4) equals the product of the unit factors in
(7.5.5) and (7.5.6).
This gives the following equalities:

(7.5.7a) exponent of 1 + 𝑖: 2𝛼 = 𝛼′ + 𝛼′
(7.5.7b) exponent of 𝜋𝜇 : 𝛽𝜇 = 𝛽𝜇′ + 𝛽𝜇″
(7.5.7c) exponent of 𝜋𝜇 : 𝛽𝜇 = 𝛽𝜇″ + 𝛽𝜇′
(7.5.7d) exponent of 𝑞𝜈 : 𝛾𝜈 = 𝛾𝜈′ + 𝛾𝜈′
′
(7.5.7e) unit: (−𝑖)𝛼 = 𝜀𝜀(−𝑖)𝛼 .
Equality (7.5.7a) implies 𝛼′ = 𝛼, and then (7.5.7e) is true automatically for any 𝜀.
(7.5.7b) and (7.5.7c) mean the same condition that holds if and only if
𝛽𝜇′ = 0, 1, . . . , 𝛽𝜇 and 𝛽𝜇″ = 𝛽𝜇 − 𝛽𝜇′ , 𝜇 = 1, 2, . . . , 𝑟.
Finally, (7.5.7d) is valid if and only if 𝛾𝜈 is even and 𝛾𝜈′ = 𝛾𝜈 /2.
The above imply that (7.5.2) is solvable if and only if every 𝛾𝜈 is even.
The number of solutions equals the number of possible choices of 𝜀, 𝛼′ , 𝛽𝜇′ , 𝛽𝜇″ , and
𝛾𝜇′ . We can select these five values independently in 4, 1, 𝛽𝜇 + 1, 1, and 1 ways, thus the
𝑟
number of solutions of (7.5.2) is the product of these numbers, 4 ∏𝜇=1 (𝛽𝜇 + 1). □
232 7. Diophantine Equations

Theorem 7.5.2 (Three Squares Theorem). A positive integer 𝑛 is not representable as

the sum of three squares if and only if 𝑛 is of the form
(7.5.8) 𝑛 = 4𝑘 (8𝑚 + 7). ♣

Proof. We verify only the easier direction that an integer of the form (7.5.8) cannot be
written as the sum of three squares. The proof of the converse is significantly harder.
We proceed by induction on 𝑘.
For 𝑘 = 0, we have to show that integers of the form 8𝑚 + 7 cannot be represented
as a sum of three squares. This holds since a square can have a residue of 0, 1, or 4
modulo 8, and the sum of three such remainders can never produce a remainder of 7.
We assume now that the assertion is true for some 𝑘 and deduce it for 𝑘 + 1. For a
proof by contradiction, let 𝑎, 𝑏, and 𝑐 be integers satisfying
(7.5.9) 4𝑘+1 (8𝑚 + 7) = 𝑎2 + 𝑏2 + 𝑐2 .

The left-hand side of (7.5.9) is divisible by 4. The remainder modulo 4 of an even

square is 0 and of an odd square is 1. Thus the right-hand side is divisible by 4 only if
each of 𝑎, 𝑏, and 𝑐 is even, and so 𝑎/2, 𝑏/2, and 𝑐/2 are integers. Dividing (7.5.9) by 4,
we obtain
𝑎 2 𝑏 2 𝑐 2
4𝑘 (8𝑚 + 7) = ( ) + ( ) + ( ) ,
2 2 2
which contradicts the induction hypothesis. □
Theorem 7.5.3 (Four Squares Theorem). Every positive integer is the sum of four
squares. ♣

Proof. We need the following two lemmas.

Lemma 7.5.4. If each of two integers is a sum of four squares, then so is their product:
(7.5.10)
(𝑎21 + 𝑎22 + 𝑎23 + 𝑎24 )(𝑏21 + 𝑏22 + 𝑏23 + 𝑏24 ) =
(𝑎1 𝑏1 + 𝑎2 𝑏2 + 𝑎3 𝑏3 + 𝑎4 𝑏4 )2 + (𝑎1 𝑏2 − 𝑎2 𝑏1 + 𝑎3 𝑏4 − 𝑎4 𝑏3 )2 +
+ (𝑎1 𝑏3 − 𝑎3 𝑏1 − 𝑎2 𝑏4 + 𝑎4 𝑏2 )2 + (𝑎1 𝑏4 − 𝑎4 𝑏1 + 𝑎2 𝑏3 − 𝑎3 𝑏2 )2 . ♣
Lemma 7.5.5. The congruence
(7.5.11) 1 + 𝑥2 + 𝑦2 ≡ 0 (mod 𝑝)
is solvable for any prime 𝑝. ♣

Proof of Lemma 7.5.4. We can justify identity (7.5.10) by a computation. □

We note that a natural proof of (7.5.10) arises by using quaternions: taking

𝛼 = 𝑎 1 + 𝑎2 𝑖 + 𝑎 3 𝑗 + 𝑎 4 𝑘 and 𝛽 = 𝑏1 + 𝑏2 𝑖 + 𝑏3 𝑗 + 𝑏4 𝑘,
(7.5.10) is the expanded version of the identity 𝑁(𝛼)𝑁(𝛽) = 𝑁(𝛽𝛼) for the norms of
quaternions. (Of course, the law 𝑁(𝛼)𝑁(𝛽) = 𝑁(𝛼𝛽) would also prove the first sentence
in Lemma 7.5.4 with another identity instead of (7.5.10), but we shall need (7.5.10)
explicitly in the proof of Theorem 7.5.3.)
7.5. Sums of Squares 233

Proof of Lemma 7.5.5. The statement is obvious for 𝑝 = 2.

For a proof by contradiction, we assume that (7.5.11) has no solution for some
prime 𝑝 > 2, i.e.
(7.5.12) 𝑥2 ≢ −1 − 𝑦2 (mod 𝑝)
for any integers 𝑥 and 𝑦.
If 𝑥 runs over a complete residue system modulo 𝑝, then the values of 𝑥2 are 0 and
the quadratic residues modulo 𝑝. This gives
𝑝−1 𝑝+1
+1=
2 2
pairwise incongruent values, by Theorem 4.1.2.
The same applies also for 𝑦2 , and thus for −1 − 𝑦2 . By (7.5.12), this would produce
𝑝+1
altogether 2 2 = 𝑝 + 1 pairwise incongruent numbers modulo 𝑝, which is clearly
nonsense. □

We note that Lemma 7.5.5 can also be easily deduced from Chevalley’s Theorem 3.6.1
or from Exercise 3.6.2 (see Exercise 7.5.19).

We turn to the proof of Theorem 7.5.3. For the sake of brevity, we call a positive integer
“nice” if it is the sum of four squares. Clearly, 1 and 2 are nice integers.
By Lemma 7.5.4, it is sufficient to show that every prime 𝑝 > 2 is nice.
There exists a nice multiple of 𝑝, e.g. 4𝑝2 . We take the smallest positive 𝑚 for which
𝑚𝑝 is nice, and let
(7.5.13) 𝑚𝑝 = 𝑎21 + 𝑎22 + 𝑎23 + 𝑎24 .
We have to prove 𝑚 = 1. We shall show that if 𝑚 > 1, then also 𝑚1 𝑝 is nice for
some 0 < 𝑚1 < 𝑚. This, however, contradicts the minimality of 𝑚, so 𝑚 = 1.
We verify first 𝑚 < 𝑝, so 𝑝 has a nice (positive) multiple less than 𝑝2 . By Lemma
7.5.5, (7.5.11) is solvable. Taking the system of residues of least absolute value mod-
𝑝 𝑝
ulo 𝑝, we get a solution 𝑥 and 𝑦 satisfying |𝑥| < 2 and |𝑦| < 2 . Then
𝑝 2
𝑣 = 12 + 𝑥2 + 𝑦2 + 02 is nice, 𝑝∣𝑣 0 < 𝑣 < 2( ) + 1 < 𝑝2 .
and
2
Next we show that 𝑚 must be odd. Otherwise, we can partition the four values 𝑎𝜈 into
two pairs whose elements have the same parity; say 𝑎1 and 𝑎2 are both odd or both
even, and the same holds for 𝑎3 and 𝑎4 . Then
𝑚 𝑎 + 𝑎2 2 𝑎 − 𝑎2 2 𝑎 + 𝑎4 2 𝑎 − 𝑎4 2
)𝑝 = ( 1
( ) +( 1 ) +( 3 ) +( 3 ) ,
2 2 2 2 2
which contradicts the minimality of 𝑚.
We shall consider now (7.5.13) modulo 𝑚. Let 𝑏1 , 𝑏2 , 𝑏3 , and 𝑏4 be the residues of
least absolute value modulo 𝑚 of 𝑎1 , 𝑎2 , 𝑎3 , and 𝑎4 , i.e.
𝑚−1
(7.5.14) 𝑏𝜈 ≡ 𝑎𝜈 (mod 𝑚) , |𝑏𝜈 | ≤ , 𝜈 = 1, 2, 3, 4.
2
Then
𝑏21 + 𝑏22 + 𝑏23 + 𝑏24 ≡ 𝑎21 + 𝑎22 + 𝑎23 + 𝑎24 ≡ 0 (mod 𝑚) ,
234 7. Diophantine Equations

thus

(7.5.15) 𝑚𝑚1 = 𝑏21 + 𝑏22 + 𝑏23 + 𝑏24

for some integer 𝑚1 . We show 0 < 𝑚1 < 𝑚 in (7.5.15).

If 𝑚1 = 0, then 𝑏𝜈 = 0, so every 𝑎𝜈 is divisible by 𝑚. This implies

𝑚2 ∣ 𝑎21 + 𝑎22 + 𝑎23 + 𝑎24 = 𝑚𝑝, thus 𝑚 ∣ 𝑝,

which contradicts 1 < 𝑚 < 𝑝.

The inequality 𝑚1 < 𝑚 follows from
4
𝑚−1 2 𝑚 2
𝑚𝑚1 = ∑ 𝑏2𝜈 ≤ 4( ) < 4( ) = 𝑚2 .
𝜈=1
2 2

Multiplying (7.5.13) and (7.5.15), we obtain

(7.5.16) 𝑚2 𝑚1 𝑝 = 𝑐21 + 𝑐22 + 𝑐23 + 𝑐24

where the integers 𝑐 𝜈 are determined by (7.5.10).

We show that every 𝑐 𝜈 is a multiple of 𝑚. Since 𝑏𝜈 ≡ 𝑎𝜈 (mod 𝑚), we obtain

𝑐 1 = 𝑎1 𝑏1 + 𝑎2 𝑏2 + 𝑎3 𝑏3 + 𝑎4 𝑏4 ≡ 𝑎21 + 𝑎22 + 𝑎23 + 𝑎24 = 𝑚𝑝 ≡ 0 (mod 𝑚) ,

and we derive the divisibility by 𝑚 for the other three values of 𝑐 𝜈 similarly.
Dividing (7.5.16) by 𝑚2 , we obtain that 𝑚1 𝑝 is the sum of four squares. But 0 <
𝑚1 < 𝑚 contradicts the minimality of 𝑚. □

Remark: The method used in the proof was a variant of infinite descent. The name
will be clearer from the following formulation of our argument: If 𝑝 itself is not nice,
then considering a nice (positive) multiple 𝑚𝑝 of 𝑝, we find another nice multiple 𝑚1 𝑝
where 0 < 𝑚1 < 𝑚, then we find similarly a nice multiple 𝑚2 𝑝 where 0 < 𝑚2 < 𝑚1 , etc.
We get a strictly decreasing infinite sequence 𝑚 > 𝑚1 > 𝑚2 > ⋯ of positive integers
so we perform an infinite descent among the positive integers, which is impossible.
The infinite descent for positive integers resembles an induction proof by contra-
diction. For example, the second proof for the uniqueness of prime factorization in
Theorem 1.5.1 was basically an infinite descent.
Despite its connection to induction, infinite descent is based on a different princi-
ple: it uses the well-ordering property, i.e. every subset has a minimal element, and so
we cannot form a sequence of infinite descent. Thus if some property gets inherited in
an infinite descent, then no element of a well-ordered set can have this property.
Since the axiom of choice implies that every set can be well-ordered, infinite descent
can be applied more widely than induction.
 Exercises 7.5 235

Exercises 7.5

1. Let 𝑛 be a fixed positive integer. In how many essentially different ways can a pos-
itive integer be represented as the sum of two squares? (For instance, the example
of 4050 after Theorem 7.5.1 has two such representations: 4050 = 452 + 452 =
92 + 632 .)
2. How many Gaussian integers have norm 98000?
3. Determine the largest 𝑟 such that there exist infinitely many sequences of 𝑟 con-
secutive integers each being the sum or difference of two squares.
4. Give a new proof to Exercise 4.1.5.
5. For which integers 𝑛 is the Diophantine equation 𝑥2 + 4𝑦2 = 𝑛 solvable, and what
is the number of solutions?
* 6. Which positive integers can be represented and in how many ways as the sum of
squares of two coprime integers?
* 7. (a) How many (pairwise incongruent) right triangles have integer side lengths
one of them being 𝑘?
(b) Solve the same problem if we assume that the side lengths are coprime.
8. Verify that the Diophantine equation 𝑥2 + 𝑦2 = 𝑛 has 4𝑑 ′ (𝑛) − 4𝑑 ″ (𝑛) solutions
where 𝑑 ′ (𝑛) and 𝑑 ″ (𝑛) are the numbers of positive divisors of the form 4𝑘 + 1 and
4𝑘 − 1, of the positive integer 𝑛.
* 9. How many representations has a positive integer as a sum of two squares, on aver-
age? In a precise formulation, we ask about the approximate behavior of the mean
value function
𝑟(1) + 𝑟(2) + ⋯ + 𝑟(𝑛)
𝑛
for large values of 𝑛, where 𝑟(𝑛) denotes the number of solutions of the Diophan-
tine equation 𝑥2 + 𝑦2 = 𝑛.
S* 10. Solve the Diophantine equation 𝑥2 + 4 = 𝑦3 .
S* 11. Which Gaussian integers are the sum of squares of two Gaussian integers?
12. In the proof of Theorem 7.5.1, we defined standard form for Gaussian integers, and
observed that a Gaussian integer can have several standard forms. Prove that the
number of standard forms of any Gaussian integer, different from 0 and units, is a
power of 4. (Two standard forms are considered the same if they differ only in the
order of factors, and we exclude the possibility that some Gaussian prime occurs
with exponent 0.)
13. True or false?
(a) If each of two positive integers is the sum of two squares, then so is their prod-
uct.
(b) If the product of two positive integers is the sum of two squares, then so is
each factor.
 236 7. Diophantine Equations

(c) If both the product of two positive integers and one of the factors are sums of
two squares, then so is the other factor.
(d) If each of two positive integers is the sum of three squares, then so is their
product.
* 14. What is the probability that a positive integer is a sum of three squares?
15. Determine the smallest 𝑟 such that every sufficiently large positive integer is the
sum of at most 𝑟 odd squares?
16. Deduce the Four Squares Theorem from the Three Squares Theorem.
S 17. Which positive integers can be represented as a sum of four squares so that at least
two summands are equal?
18. Is the Diophantine equation 𝑥2 + 9𝑦2 + 𝑧2 + 𝑤2 = 1011 + 23 solvable?
19. Give two new proofs for Lemma 7.5.5 based on Chevalley’s Theorem 3.6.1 and on
Exercise 3.6.2.
20. Theorem 7.5.1 implies that every positive prime of the form 4𝑘 + 1 is the sum of
two squares. Give a new proof following the lines of the proof of Theorem 7.5.3.
* 21. The goal of this exercise is to present another proof for the Four Squares Theorem.
We shall rely on Lemmas 7.5.4 and 7.5.5 but will establish the existence of a small
nice multiple of 𝑝 using part (a) below instead of infinite descent.
(a) Thue’s lemma. We call two 𝑘-dimensional vectors with integer coordinates
congruent modulo a prime 𝑝 if the corresponding coordinates are congruent
modulo 𝑝. Let 𝐶 be a 𝑘 × 𝑘 matrix with integer elements and 𝑢1 , . . . , 𝑢𝑘 , 𝑣 1 ,
. . . , 𝑣 𝑘 positive integers satisfying
𝑢1 . . . 𝑢 𝑘 𝑣 1 . . . 𝑣 𝑘 > 𝑝 𝑘 .
Then there exist vectors
𝑥1 𝑧1
𝐱 = ( ⋮ ) ≠ 𝟎 and 𝐳 = ( ⋮ )
𝑥𝑘 𝑧𝑘
with integer coordinates such that
𝐶𝐱 ≡ 𝐳 (mod 𝑝) and |𝑥𝑖 | < 𝑢𝑖 , |𝑧𝑖 | < 𝑣 𝑖 , 𝑖 = 1, 2, . . . , 𝑘.
(b) Using a special case with 𝑘 = 2 of part (a) and relying on Lemma 7.5.5, prove
that any prime 𝑝 has a nice multiple less than 4𝑝.
(c) Finally, verify that if 2𝑝 or 3𝑝 is nice for a prime 𝑝 > 3, then 𝑝 itself is nice.

7.6. Waring’s Problem

After sums of squares, we turn to representations as a sum of higher powers in general.
Throughout this section, 𝑘 denotes a positive integer greater than 1, and a 𝑘th power
means the 𝑘th power of a non-negative integer.
7.6. Waring’s Problem 237

Waring stated in 1770 that “every natural number is the sum of 4 squares, 9 cubes,
19 fourth powers, etc.” This self-confident declaration hides serious deficiencies, espe-
cially concerning the last innocent word “etc.” First of all, it is hard to observe any rule
for the continuation of the three numbers 4, 9, and 19 and it is absolutely not clear that
these numbers can be continued to infinity at all. This requires the proof of: To any 𝑘,
there exists an 𝑟, depending only on 𝑘, such that every positive integer is the sum of 𝑟
terms of 𝑘th powers. This was first proved by Hilbert in 1909(!).
Today we already know how to continue Waring’s numbers apart from a minimal
uncertainty to be specified later. It is interesting that the problem of the 19 fourth
powers defied the siege longest, it was proved only in 1986, 63 years after Waring’s
proclamation.
Since a sum of 𝑘th powers can always be extended by an arbitrary number of terms
0𝑘 , we are interested in the smallest number of 𝑘th powers sufficient for the represen-
tation of every positive integer:
Definition 7.6.1. Let 𝑘 > 1. Then 𝑔(𝑘) is the minimal 𝑟 such that every positive integer
is the sum of 𝑟 terms of 𝑘th powers of non-negative integers. ♣
Example. 𝑔(2) = 4, since every positive integer is the sum of four squares by the Four
Squares Theorem and there exists a number, e.g. 7, that cannot be written as the sum
of three squares.
Theorem 7.6.2.
3 𝑘
(7.6.1) 𝑔(𝑘) ≥ 2𝑘 + ⌊( ) ⌋ − 2. ♣
2
Proof. To get a lower bound for 𝑔(𝑘), it is sufficient to find just one positive integer 𝑛
that requires many 𝑘th powers.
Let 𝑛 be the greatest integer of the form 𝑡2𝑘 − 1 that is less than 3𝑘 . Then we can
only use terms 1𝑘 and 2𝑘 to represent 𝑛, and clearly
𝑛 = 𝑡2𝑘 − 1 = 2⏟⎵
𝑘⎵
+⎵⏟⎵
⋯⎵+⎵⏟ 𝑘⎵
2𝑘 + 1⏟⎵+⎵⏟⎵
⋯⎵ 1𝑘
+⎵⏟
𝑡 − 1 terms 2𝑘 − 1 terms

is the representation with the least number of summands. Hence,

𝑔(𝑘) ≥ 2𝑘 + 𝑡 − 2.
3 𝑘
We have to verify 𝑡 = ⌊( ) ⌋. This follows from
2
3 𝑘
(7.6.2) 𝑡2𝑘 − 1 < 3𝑘 ⟺ 𝑡2𝑘 ≤ 3𝑘 ⟺ 𝑡 ≤ ( ) ,
2
and 𝑡 is the largest integer satisfying (7.6.2). □

The most important result for 𝑔(𝑘) is that (7.6.1) holds with equality in general:
There may be only finitely many 𝑘 for which 𝑔(𝑘) is greater than the right-hand side
of (7.6.1), and then its value is obtained from the worst 𝑛 less than 4𝑘 (thus also the
term 3𝑘 can be used), similar to the proof of Theorem 7.6.2. This might occur only if
(3/2)𝑘 is abnormally close to its ceiling, satisfying some special inequality. No integer
238 7. Diophantine Equations

less than 471000000 meets this requirement and it is almost certain that there are no
such exceptions at all, so
3 𝑘
𝑔(𝑘) = 2𝑘 + ⌊( ) ⌋ − 2
2
for every 𝑘. Accordingly, the right-hand side of (7.6.1) is the continuation of Waring’s
numbers. When 𝑘 = 2, 3, and 4 we obtain the values 4, 9, and 19.
Theorem 7.6.2 shows that some small integers 𝑛 need extremely many 𝑘th powers
to be represented. Therefore, it is worthwhile to analyze how many 𝑘th powers are
necessary to represent every sufficiently large 𝑛:
Definition 7.6.3. Let 𝑘 > 1. Then 𝐺(𝑘) is the minimal 𝑠 such that every sufficiently
large positive integer is a sum of 𝑠 terms of 𝑘th powers of non-negative integers. ♣
Example. 𝐺(2) = 4, as obviously 𝐺(2) ≤ 𝑔(2) = 4, and by the Three Squares Theorem,
infinitely many integers are not representable as the sum of three squares.

The next table summarizes the best known results for 𝑔(𝑘) and 𝐺(𝑘) for some small
values of 𝑘:
𝑘 2 3 4 5 6 7 8
𝑔(𝑘) 4 9 19 37 73 143 279
𝐺(𝑘) 4 4–7 16 6–17 9–24 8–31 32–39
The table reflects the great uncertainty about the exact values of 𝐺(𝑘) even for small
integers 𝑘 (e.g. 4–7 at 𝐺(3) means that we know no better bounds than 4 ≤ 𝐺(3) ≤ 7).
The exact values of 𝐺(𝑘) were determined only for 𝑘 = 2 and 4 so far.
We know, however, that 𝐺(𝑘) is much smaller than 𝑔(𝑘) if 𝑘 is large: e.g. 𝐺(𝑘) <
6𝑘 log 𝑘 for every 𝑘 > 1. The best known result is that to any 𝜀 > 0, there exists a
𝑘0 = 𝑘0 (𝜀) such that 𝐺(𝑘) < (1 + 𝜀)𝑘 log 𝑘 for every 𝑘 > 𝑘0 . Thus 𝐺(𝑘) is almost linear
in contrast with 𝑔(𝑘), which has an exponential order.
Now we get some lower bounds for 𝐺(𝑘).
Theorem 7.6.4. 𝐺(𝑘) ≥ 𝑘 + 1 for every 𝑘 > 1. ♣

Proof. For a proof by contradiction, we assume 𝐺(𝑘) ≤ 𝑘 for some 𝑘. Then there exists
𝑛0 such that every integer 𝑛 > 𝑛0 is a 𝑘-term sum of 𝑘th powers, i.e.
(7.6.3) 𝑛 = 𝑥1𝑘 + 𝑥2𝑘 + ⋯ + 𝑥𝑘𝑘 .

We fix (temporarily) a large positive integer 𝑀, and let 𝑓(𝑀) denote the number of
integers 𝑛 that are representable as 𝑘-term sums of 𝑘th powers and
(7.6.4) 0 ≤ 𝑛 ≤ 𝑀.
By our assumption,
(7.6.5) 𝑓(𝑀) ≥ 𝑀 − 𝑛0 .

We establish now an upper bound for 𝑓(𝑀). Considering the representations

(7.6.3) of integers 𝑛 in (7.6.4), the numbers 𝑥𝑖 must satisfy
𝑘
0 ≤ 𝑥𝑖 ≤ 𝑘√𝑛 ≤ √𝑀, 𝑖 = 1, 2, . . . , 𝑘.
7.6. Waring’s Problem 239

This means that the values of an 𝑥𝑖 can only be

𝑘
(7.6.6) 0, 1, . . . , 𝑇 = ⌊ √𝑀⌋.

We count how many sums 𝑥1𝑘 + ⋯ + 𝑥𝑘𝑘 can be formed from the integers listed in
(7.6.6); some of these sums may coincide, and many of them exceed 𝑀, so the number of
such formal sums is ≥ 𝑓(𝑀). Such a formal sum is equivalent to selecting 𝑘 elements
from the list (7.6.6) so that any element can be chosen arbitrarily many times (since
there may be equal terms in (7.6.3)), and the order of selection is irrelevant as the sum
remains the same if we permute its terms. Such a selection is called a combination of 𝑘
elements out of 𝑇 + 1, allowing repetitions, and there are (𝑇+𝑘
𝑘
) such combinations. To
be self-contained, we give a proof of this formula.
To characterize a combination, assume that we choose 𝑚𝑗 pieces of 𝑗 for every
0 ≤ 𝑗 ≤ 𝑇. We write 𝑚0 small circles ∘ for the 𝑚0 pieces of 0s followed by a delimiter
bar |, then draw 𝑚1 small circles ∘ for the 𝑚1 pieces of 1s followed again by a delimiter
bar |, etc. Finally we draw the last 𝑚𝑇 small circles ∘ for the 𝑚𝑇 pieces of terms 𝑇. For
𝑘 = 5 and 𝑀 = 75 , the sum 05 +15 +15 +35 +75 corresponds to the sequence ∘|∘∘||∘||||∘.
We established a bijection between the formal sums and the sequences of 𝑘 circles
and 𝑇 = ⌊ 𝑘√𝑀⌋ bars. Hence, the number of formal sums is equal to the number of
⌊ 𝑘√𝑀⌋ + 𝑘
these sequences, which is ( ).
𝑘
Summarizing, we have proved
𝑘 + ⌊ 𝑘√𝑀⌋
(7.6.7) 𝑓(𝑀) ≤ ( ).
𝑘
Inequalities (7.6.5) and (7.6.7) imply
𝑘 + ⌊ 𝑘√𝑀⌋
(7.6.8) 𝑀 − 𝑛0 ≤ ( ).
𝑘
In the expanded form
1 𝑘 𝑘 𝑘
(𝑘 + ⌊ √𝑀⌋)(𝑘 − 1 + ⌊ √𝑀⌋) . . . (1 + ⌊ √𝑀⌋)
𝑘!
of the right-hand side in (7.6.8), we can omit the floor signs, which does not decrease
the right-hand side in (7.6.8). Dividing both sides by 𝑀 so that each factor 𝑖 + 𝑘√𝑀 is
divided by 𝑘√𝑀, we obtain
𝑛0 1 𝑘 𝑘−1 1
(7.6.9) 1− ≤ (1 + 𝑘 ) (1 + 𝑘 ) . . . (1 + 𝑘 ) .
𝑀 𝑘! √𝑀 √𝑀 √𝑀
For 𝑀 → ∞, the left-hand side of (7.6.9) tends to 1 and the right-hand side tends to
1/𝑘!, which is a contradiction, since 𝑘 > 1. □
Remark: The proof yields that many integers 𝑛 are not representable as a 𝑘-term sum
5! −1 119
of 𝑘th powers (e.g. for 𝑘 = 5, this happens with probability at least = which
5! 120
is more than 99 percent!). At the same time, this was not a constructive proof because
it did not exhibit any 𝑛 which is not representable.
 240 7. Diophantine Equations

We show now that the upper bound in Theorem 7.6.4 can be improved e.g. for
𝑘 = 6:
Theorem 7.6.5. 𝐺(6) ≥ 9. ♣

Proof. We use the fact that

1 (mod 9) , if 3 ∤ 𝑎
(7.6.10) 𝑎6 ≡ {
0 (mod 9) , if 3 ∣ 𝑎.
The case 3 ∤ 𝑎 follows from the Euler–Fermat Theorem, and if 3 ∣ 𝑎, then 𝑎6 is divisible
not only by 9, but also by 36 .
To prove Theorem 7.6.5, we will show that infinitely many 𝑛 cannot be written as
the sum of eight sixth powers. We claim that integers of the form 𝑛 = 27𝑡 + 9 have no
such representation.
For a proof by contradiction, assume
(7.6.11) 𝑛 = 𝑥16 + ⋯ + 𝑥86 .
Considering (7.6.11) modulo 9, (7.6.10) implies
(7.6.12) 0 ≡ 𝑢1 + ⋯ + 𝑢8 (mod 9) , where 𝑢𝑖 = 0 or 1, 𝑖 = 1, 2, . . . , 8,
which can hold only if 𝑢𝑖 = 0 for every 𝑖. Thus each 𝑥𝑖 is a multiple of 3. But then
(7.6.11) yields 36 ∣ 𝑛, which is a contradiction. □

Further lower bounds for 𝐺(𝑘) occur in Exercise 7.6.2.

Exercises 7.6

1. Verify 𝐺(200) ≤ 𝐺(600).

* 2. (a) Establish the lower bounds for 𝐺(𝑘):
(a1) 𝐺(4) ≥ 16
(a2) 𝐺(8) ≥ 32
(a3) 𝐺(24) ≥ 32
(a4) 𝐺(100) ≥ 125
(a5) 𝐺(250) ≥ 312.
(b) For which integers 𝑘 can we generalize the results in part (a)?
3. Let 𝑘 > 1 be arbitrary. Demonstrate the existence of a positive integer 𝑛 that has at
least 1000 essentially different representations as a (𝑘+1)-term sum of 𝑘th powers.
4. (a) Verify the identity
∑ ((𝑎𝑖 + 𝑎𝑗 )4 + (𝑎𝑖 − 𝑎𝑗 )4 ) = 6(𝑎21 + 𝑎22 + 𝑎23 + 𝑎24 )2
1≤𝑖<𝑗≤4

where 𝑎1 , 𝑎2 , 𝑎3 , 𝑎4 are arbitrary complex numbers.

(b) Prove 𝑔(4) ≤ 53.
7.7. Fermat’s Last Theorem 241

5. If we represent the integers as signed sums of 𝑘th powers, then generally fewer
terms are sufficient than 𝑔(𝑘) or even 𝐺(𝑘). Show that the minimal number of
terms is three for 𝑘 = 2 and, moreover, each of the Diophantine equations
𝑥2 + 𝑦2 − 𝑧2 = 𝑛 and 𝑥2 − 𝑦2 − 𝑧2 = 𝑛 has infinitely many solutions for every
positive integer 𝑛.

7.7. Fermat’s Last Theorem

In Section 7.2 we proved that the Pythagorean equation 𝑥2 + 𝑦2 = 𝑧2 has infinitely
many solutions in positive integers and all solutions can be described by three param-
eters. According to Fermat’s famous conjecture verified recently by Andrew Wiles, the
situation is completely different for higher powers:

Theorem 7.7.1 (Fermat’s Last Theorem). For integers 𝑘 > 2, the equation 𝑥𝑘 + 𝑦𝑘 = 𝑧𝑘
has no solutions in positive integers. ♣

The history of the conjecture started in 1637 when, reading a 1621 edition of Dio-
phantus’s book, Fermat added a note to the part about Pythagorean triples: “The sum
of two cubes is never a cube, the sum of two fourth powers is never a fourth power, etc.
I found a wonderful proof for this but the margin is too small to contain it.”
These few lines caused great excitement among both mathematicians and out-
siders for three and a half centuries. The problem seems innocent and can be under-
stood without any mathematical training; many amateurs tried to solve it, but in vain.
Professional mathematicians did not perform much better either.
It is easy to show (see Exercise 7.7.1) that if the conjecture is true for an exponent
𝑘, then it is true for every multiple of 𝑘. Hence, it is sufficient to settle the problem for
prime exponents 𝑘 and for 𝑘 = 4. Fermat did prove the case 𝑘 = 4, and more than 100
years later Euler succeeded with exponent 𝑘 = 3. This list was extended with a few
more values of 𝑘 in the first half of the nineteenth century.
The middle of the nineteenth century brought the first major breakthrough with
the introduction of “ideal numbers.” Today we call them ideals, and will discuss them
in Chapter 11. Several new criteria were developed that guaranteed that Fermat’s Last
Theorem is true if a prime exponent 𝑘 satisfies them. In principle, these criteria can
be numerically checked for any particular 𝑘, and many such computations were per-
formed, using computers in the last decades.
In spite of all these efforts and results, the conjecture was still verified only for
finitely many prime exponents as late as 1980. At the same time, many more general
conjectures were formulated, since it was expected that the solution for Fermat’s equa-
tion will follow from a theorem about a more general problem.
In 1983, Gerd Faltings achieved a sensational new result: For any fixed expo-
nent 𝑘, Fermat’s equation can have only finitely many primitive solutions, those with
(𝑥, 𝑦, 𝑧) = 1.
The true sensation, however, occurred in 1993 when Andrew Wiles published a
decisive solution after working for many years alone, in secret. It turned out that there
242 7. Diophantine Equations

was an error in the proof but Wiles, with the help of Richard Taylor, corrected it in
1994.
Thus today Fermat’s Last Theorem is no longer a famous unsolved problem but is
a valid theorem. The several hundred pages of Wiles’ proof are understandable only
by a very small group of top specialists, but we can hope for somewhat simpler proofs
later.
Fermat’s “wonderful proof” was probably either just a vague idea, or a wrong argu-
ment that assumed the validity of the Fundamental Theorem of Arithmetic in sets of
numbers where it is false (see Section 11.2 for more details). We can practically exclude
the possibility that somebody will find a genuinely elementary proof.
During the centuries of assiduous and intensive research on Fermat’s Last Theo-
rem, mathematicians elaborated many new, effective theories. Though they brought
only partial success in handling the original problem, they became indispensable in
some other fields of mathematics. This illustrates well that research on a given prob-
lem may help indirectly the development of the entirety of mathematics, too.
We shall prove below, following the historical order, the two easiest special cases
of Fermat’s Last Theorem for exponents 𝑘 = 4 and 3.
In both cases, we shall prove a slightly stronger result, since we can give an answer
to the original problem only by proving sharper theorems.
Fermat’s Last Theorem for 𝑘 = 4 follows from the following statement.

Theorem 7.7.2. The equation 𝑥4 + 𝑦2 = 𝑧4 has no solutions in positive integers. ♣

Proof. We shall use the following lemma of independent interest.

Lemma 7.7.3. The sum and difference of two non-zero squares cannot both be squares.
♣

Proof. We apply infinite descent (see the Remark after Theorem 7.5.3).
We want to show that the system of equations

(7.7.1a) 𝑥2 + 𝑦2 = 𝑧 2
(7.7.1b) 𝑥2 − 𝑦2 = 𝑤 2

has no solutions in positive integers. Assume the converse, and let 𝑥0 , 𝑦0 , 𝑧0 , 𝑤 0 be

a solution where 𝑧0 is minimal. We prove that then there is a solution 𝑥1 , 𝑦1 , 𝑧1 , 𝑤 1
where 0 < 𝑧1 < 𝑧0 , which contradicts the minimality of 𝑧0 . Hence no solution can
exist.
We may assume (𝑥0 , 𝑧0 ) = 1: if some prime 𝑝 divides 𝑥0 and 𝑧0 , then similar to the
Pythagorean triples, (7.7.1a) implies 𝑝 ∣ 𝑦0 , then we infer 𝑝 ∣ 𝑤 0 from (7.7.1b), and so
𝑥0 /𝑝, 𝑦0 /𝑝, 𝑧0 /𝑝, 𝑤 0 /𝑝 is a solution with 𝑧0 /𝑝 < 𝑧0 , which contradicts the minimality
of 𝑧0 .
7.7. Fermat’s Last Theorem 243

Substituting 𝑥0 , 𝑦0 , 𝑧0 , 𝑤 0 into (7.7.1a) and (7.7.1b), adding and subtracting the

two equalities, we obtain
(7.7.2a) 2𝑥02 = 𝑧20 + 𝑤20
(7.7.2b) 2𝑦20 = 𝑧20 − 𝑤20 .
By (7.7.2a), 𝑧0 and 𝑤 0 have the same parity. Therefore we can rewrite (7.7.2a) as
𝑧0 + 𝑤 0 2 𝑧 − 𝑤0 2
(7.7.3) 𝑥02 = ( ) +( 0 ) .
2 2
Here
𝑧0 + 𝑤 0 𝑧0 − 𝑤 0
(7.7.4) (𝑥0 , , )=1
2 2
since 𝑥0 is coprime to the sum of the other two numbers, which is 𝑧0 .
𝑧 +𝑤 𝑧 −𝑤
By (7.7.3) and (7.7.4), 0 2 0 , 0 2 0 , and 𝑥0 form a primitive Pythagorean triple.
Thus, by Theorem 7.2.1,
𝑧0 + 𝑤 0 𝑧0 − 𝑤 0
(7.7.5) = 2𝑚𝑛 and = 𝑚 2 − 𝑛2 ,
2 2
or vice versa, for some coprime integers of opposite parity with 𝑚 > 𝑛 > 0.
Using (7.7.5), we rewrite the right-hand side of
𝑦20 𝑧 + 𝑤 0 𝑧0 − 𝑤 0
= 0 ⋅ ,
2 2 2
equivalent to (7.7.2b), and divide by 2 to get
𝑦0 2
(7.7.6) ( ) = 𝑚𝑛(𝑚 + 𝑛)(𝑚 − 𝑛).
2
Since 𝑚 and 𝑛 are coprime and have opposite parity, the four positive integers on the
right-hand side of (7.7.6) are pairwise coprime. Therefore each of them is a square, so
(7.7.7) 𝑚 = 𝑥12 , 𝑛 = 𝑦21 , 𝑚 + 𝑛 = 𝑧21 , and 𝑚 − 𝑛 = 𝑤21 .
By (7.7.7), 𝑥1 , 𝑦1 , 𝑧1 , 𝑤 1 satisfy the system of equations (7.7.1a)–(7.7.1b) and
𝑧 ± 𝑤0
𝑧1 ≤ 𝑧21 = 𝑚 + 𝑛 ≤ (𝑚 + 𝑛)(𝑚 − 𝑛) = 0 < 𝑧0 ,
2
which contradicts the minimality of 𝑧0 . □

We turn now to the proof of Theorem 7.7.2. We assume

(7.7.8) 𝑐4 − 𝑎4 = 𝑏2
for some positive integers 𝑎, 𝑏, and 𝑐, and find a contradiction. If (𝑎, 𝑏, 𝑐) = 𝑑, then 𝑎/𝑑,
𝑏/𝑑 2 , 𝑐/𝑑 is also a solution of the equation, so we may assume (𝑎, 𝑏, 𝑐) = 1. This implies
that 𝑎, 𝑏, and 𝑐 are pairwise coprime as we have seen in several similar situations.
Factoring the left-hand side of (7.7.8), we get
(7.7.9) (𝑐2 + 𝑎2 )(𝑐2 − 𝑎2 ) = 𝑏2 .
Let ℎ denote the greatest common divisor of the two factors on the left-hand side of
(7.7.9): ℎ = (𝑐2 + 𝑎2 , 𝑐2 − 𝑎2 ). Since (𝑎2 , 𝑐2 ) = 1, ℎ can be only 1 or 2. By the Funda-
mental Theorem of Arithmetic, the factors on the left-hand side of (7.7.9) are squares
244 7. Diophantine Equations

themselves in the first case, and are the doubles of squares if the second condition
holds.
Thus if ℎ = 1, then 𝑐2 + 𝑎2 and 𝑐2 − 𝑎2 are squares, which contradicts Lemma 7.7.3.
If ℎ = 2, then
(7.7.10) 𝑐2 + 𝑎2 = 2𝑢2 and 𝑐2 − 𝑎2 = 2𝑣2
for some integers 𝑢 > 𝑣 > 0. Taking the sum and the difference of the equalities
(7.7.10) and cancelling the results by 2, we obtain
𝑐2 = 𝑢2 + 𝑣2 and 𝑎2 = 𝑢2 − 𝑣2 .
But this is impossible according to Lemma 7.7.3. □

To prove Fermat’s Last Theorem for the exponent 𝑘 = 3, we develop number theory
in the ring of Eulerian (or Eisenstein) integers, which behave similarly to Gaussian
integers.
Definition 7.7.4. By an Eulerian integer (or Eisenstein integer), we mean a complex
number 𝑎 + 𝑏𝜔 where 𝑎, 𝑏 are integers, and
2𝜋 2𝜋 1 √3
𝜔 = cos + 𝑖 sin =− +𝑖 . ♣
3 3 2 2
The complex numbers 𝜔 and 𝜔2 = −1 − 𝜔 are the primitive third roots of unity.
The factorization
(7.7.11) 𝑥3 = 𝑧3 − 𝑦3 = (𝑧 − 𝑦)(𝑧 − 𝑦𝜔)(𝑧 − 𝑦𝜔2 )
reveals the connection between Fermat’s equation 𝑥3 + 𝑦3 = 𝑧3 and the Eulerian in-
tegers. Our proof will be based on the investigation of an equation similar to (7.7.11)
and we shall rely heavily on the number theory of Eulerian integers.
Definition 7.7.5. The norm 𝑁(𝛼) of an Eulerian integer 𝛼 = 𝑎 + 𝑏𝜔 is the square of
the absolute value of 𝛼:
𝑁(𝛼) = |𝛼|2 = 𝛼𝛼 = (𝑎 + 𝑏𝜔)(𝑎 + 𝑏𝜔2 ) = 𝑎2 − 𝑎𝑏 + 𝑏2 . ♣

Clearly, 𝑁(𝛼) is a non-negative integer, and 𝑁(𝛼) = 0 ⟺ 𝛼 = 0. We note that

the form 𝑎2 − 𝑎𝑏 + 𝑏2 of the norm of the Eulerian integer 𝑎 + 𝑏𝜔 can be rewritten as
𝑐2 + 3𝑑 2 with suitable integers 𝑐 and 𝑑, see Exercise 7.7.10a.
The Eulerian integers form a parallelogram lattice in the complex plane consisting
of rhombuses with sides of unit length and with angles of 120 and 60 degrees.
We define divisibility, unit, greatest common divisor, irreducible, and prime ex-
actly as we did for Gaussian integers (see Definitions 7.4.4, 7.4.6, 7.4.9, 7.4.10, and
7.4.11, the adjective “Gaussian” is replaced everywhere by “Eulerian,” of course).
Apart from the description of Eulerian units and primes, the theorems and proofs
seen for Gaussian integers remain valid for Eulerian integers:
• properties of the norm (Theorems 7.4.3, 7.4.5)
• division algorithm (Theorem 7.4.8; in the proof, we have to consider the corre-
sponding lattice rhombus instead of a square)
7.7. Fermat’s Last Theorem 245

• equivalence of prime and irreducible (Theorem 7.4.12)

• the Fundamental Theorem of Arithmetic (Theorem 7.4.13)
• connection between Eulerian primes and positive prime numbers in 𝐙 (Theo-
rem 7.4.14).
Theorem 7.4.7 and its proof can be adapted to Eulerian integers if we modify the
explicit description in part (iv) as follows:
Theorem 7.7.6. There are six units among the Eulerian integers:
±1, ±𝜔, ±𝜔2 = ∓(1 + 𝜔),
which are just the complex sixth roots of unity. ♣

Finally, Eulerian primes are characterized by

Theorem 7.7.7. All Eulerian primes are (𝜀 denotes an arbitrary unit):
(A) 𝜀(𝑖√3) = 𝜀(1 + 2𝜔)
(B) 𝜀𝑞 where 𝑞 is a positive prime number of the form 3𝑡 − 1
(C) 𝜋 where 𝑁(𝜋) is a positive prime number of the form 3𝑡 + 1; to every such prime
number, there belong exactly two Eulerian primes (apart from unit factors) that are
conjugates but not associates. ♣

Proof. We have to modify the arguments used in Theorem 7.4.15 accordingly, thus we
indicate only the differences briefly.
By the analog of Theorem 7.4.14, we obtain all Eulerian primes from the factor-
ization of positive prime numbers. We get different types of decompositions when this
positive prime is (A) 3, (B) is of the form 3𝑡 − 1, or (C) is of the form 3𝑡 + 1.
(A) Since 3 = (−1)(𝑖√3)2 , the only Eulerian prime divisor of 3 is 𝑖√3, apart from
associates.
(B) The positive prime numbers of the form 3𝑡 − 1 are Eulerian primes: we have to
show that the norm of an Eulerian integer cannot be of this form, which can be justified
as seen at the Gaussian integers.
−3
(C) If 𝑝 is a positive prime number of the form 3𝑡 + 1, then ( 𝑝
) = 1 (see Exer-
2
cise 4.2.2c), thus 𝑝 ∣ 𝑐 + 3 for some integer 𝑐. We consider the factorization
𝑐2 + 3 = (𝑐 + 𝑖√3)(𝑐 − 𝑖√3) = (𝑐 + 1 + 2𝜔)(𝑐 − 1 − 2𝜔)
among the Eulerian integers, and follow the argument used for the Gaussian integers.
□

In the proof of Fermat’s Last Theorem for cubes, some important properties of the
Eulerian prime 𝑖√3 play an important role. For a convenient formulation, we introduce
congruences also among Eulerian integers:
Definition 7.7.8. Let 𝜇 ≠ 0, 𝛼, and 𝛽 Eulerian integers. We say that 𝛼 is congruent to
𝛽 modulo 𝜇, if 𝜇 ∣ 𝛼 − 𝛽. ♣
246 7. Diophantine Equations

We shall use the notation 𝛼 ≡ 𝛽 (mod 𝜇) or 𝛼 ≡ 𝛽 (𝜇) for short. The elementary
properties of congruences for integers are equally valid for Eulerian integers.
We summarize some important properties of the Eulerian prime 𝑖√3:

Theorem 7.7.9. Let 𝜆 = 𝑖√3 = 1 + 2𝜔.

(i) The associates of 𝜆 are ±(1 + 2𝜔), ±(2 + 𝜔), ±(1 − 𝜔).
(ii) Any Eulerian integer is congruent to exactly one of the three values 0 and ±1 mod-
ulo 𝜆.
(iii) 𝛼3 ≡ 𝛼 (mod 𝜆) for every Eulerian integer 𝛼.
(iv) 𝛼 ≡ ±1 (mod 𝜆) ⟹ 𝛼3 ≡ ±1 (mod 𝜆4 ). ♣

Proof. (i) By Theorem 7.7.6, the associates of 𝜆 are ±𝜆, ∓𝜔𝜆, and ±𝜔2 𝜆. Performing
the multiplications and applying the relations 𝜔2 = −1 − 𝜔 and 𝜔3 = 1, we obtain the
six Eulerian integers stated in the theorem.
(ii) The identity
𝑎 + 𝑏𝜔 = 𝑎 + 𝑏 − 𝑏(1 − 𝜔) = 𝑎 + 𝑏 − 𝑏𝜔2 𝜆
implies
𝑎 + 𝑏𝜔 ≡ 𝑎 + 𝑏 (mod 𝜆) .
Since 𝑎 + 𝑏 ≡ 0, 1, or −1 (mod 3) and 𝜆 ∣ 3,
𝑎 + 𝑏 ≡ 0, 1, or −1 (mod 𝜆).
This proves that any Eulerian integer 𝑎 + 𝑏𝜔 is congruent to 0, 1, or −1 modulo 𝜆.
We have to show that 0, 1, and −1 are pairwise incongruent modulo 𝜆, so 𝜆 does
not divide the difference ±1 or ±2 of any two of these three numbers. If 𝜆 ∣ ±1 or
𝜆 ∣ ±2, then 𝑁(𝜆) ∣ 1 or 𝑁(𝜆) ∣ 4, but this is impossible since 𝑁(𝜆) = 3.
(iii) This follows immediately from (ii) using the identity
𝛼3 − 𝛼 = 𝛼(𝛼 − 1)(𝛼 + 1).
(iv) If 𝛼 ≡ 1 (mod 𝜆), then 𝛼 = 1 + 𝛽𝜆 for a suitable Eulerian integer 𝛽. Cubing
both sides, we obtain
𝛼3 = 1 + 3𝛽𝜆 + 3𝛽 2 𝜆2 + 𝛽 3 𝜆3 .
2
From 3 = −𝜆 , we get
(7.7.12) 𝛼3 = 1 − 𝛽𝜆3 − 𝛽 2 𝜆4 + 𝛽 3 𝜆3 = 1 − 𝛽 2 𝜆4 + (𝛽 3 − 𝛽)𝜆3 .
Since 𝜆 ∣ 𝛽 3 − 𝛽 by (iii), (7.7.12) implies 𝛼3 ≡ 1 (mod 𝜆4 ).
We can proceed similarly in the case 𝛼 ≡ −1 (mod 𝜆) or deduce it by applying the
previous case to −𝛼 ≡ 1 (mod 𝜆). □
Remark: Several statements of Theorem 7.7.9 are valid for more general moduli instead
of 𝜆 (see Exercise 7.7.12):
(ii): The number of residue classes modulo any Eulerian integer 𝜇 ≠ 0 is 𝑁(𝜇).
Moreover, if 𝑁(𝜇) is a prime number 𝑝, then the integers in a complete residue system
in 𝐙 modulo 𝑝 form a complete residue system among the Eulerian integers modulo 𝜇.
(Theorem 7.7.9 contained the special case 𝜇 = 𝜆 and 𝑁(𝜆) = 3.)
7.7. Fermat’s Last Theorem 247

(iii): Any Eulerian integer 𝛼 and Eulerian prime 𝜋 satisfy

𝛼𝑁(𝜋) ≡ 𝛼 (mod 𝜋) .
(This is the analog of Fermat’s Little Theorem.)

After the preparations we are ready to prove Fermat’s Last Theorem for the expo-
nent 𝑘 = 3.
Theorem 7.7.10. The equation 𝑥3 + 𝑦3 = 𝑧3 has no solutions where 𝑥, 𝑦, and 𝑧 are
non-zero integers. ♣

Proof. We shall verify a more general statement, namely, the equation

(7.7.13) 𝜉 3 + 𝜂3 + 𝜓3 = 0
has no solutions where 𝜉, 𝜂, and 𝜓 are non-zero Eulerian integers.
For a proof by contradiction, we assume that there exists such a solution. As we
have seen several times, we can restrict ourselves to the case when 𝜉, 𝜂, and 𝜓 are
coprime, and moreover, pairwise coprime.
The outline of the proof follows. We show first that exactly one of 𝜉, 𝜂, and 𝜓 is a
multiple of 𝜆, say it is 𝜉. Factoring out the maximal power of 𝜆 from 𝜉 and replacing
−𝜂 by 𝜅, we transform (7.7.13) into
(7.7.14) 𝜀𝜆3𝑛 𝛾3 = 𝜅3 − 𝜓3
where
(7.7.15) 𝑛 ≥ 1, 𝜀 is a unit, and, 𝜆, 𝛾, 𝜅, and 𝜓 are pairwise coprime.
We show that 𝑛 ≠ 1, but on the other hand, if (7.7.14) and (7.7.15) hold for some 𝑛,
then they hold also for 𝑛 − 1 instead of 𝑛 with some other values of the variables 𝜀, 𝛾,
𝜅, and 𝜓. This infinite descent yields the contradiction.
The key step for the infinite descent is a factorization of (7.7.14) as in (7.7.11) where
the gcd of the three factors on the right-hand side is 𝜆, so after dividing the equation
by 𝜆3 , each of the remaining three pairwise coprime numbers is an associate of a cube
of an Eulerian integer, by the Fundamental Theorem of Arithmetic.
We turn now to details.
I. In (7.7.13), at most one of the pairwise coprime 𝜉, 𝜂, and 𝜓 can be divisible by 𝜆.
If none of them were a multiple of 𝜆, then
0 = 𝜉3 + 𝜂3 + 𝜓3 ≡ ±1 ± 1 ± 1 = ±1 or ±3 (mod 𝜆4 )
by (iv) in Theorem 7.7.9. This would imply 𝜆4 ∣ 3, or 9 ∣ 3 ,which is impossible.
II. We have thus verified that exactly one of 𝜉, 𝜂, and 𝜓 is a multiple of 𝜆, let it be,
say, 𝜉, so
(7.7.16) 𝜉 = 𝜆𝑛 𝛾, where 𝑛 > 0 and 𝜆 ∤ 𝛾.
Substituting (7.7.16) into (7.7.13), and denoting −𝜂 by 𝜅, we get just (7.7.14) and (7.7.15)
(now 𝜀 = 1).
So it suffices to prove that (7.7.14) and (7.7.15) cannot hold for any unit 𝜀.
248 7. Diophantine Equations

III. We show 𝑛 ≠ 1 in (7.7.14).

Considering (7.7.14) modulo 𝜆4 , we get
(7.7.17) 𝜀𝜆3𝑛 𝛾3 = 𝜅3 − 𝜓3 ≡ ±1 ± 1 = 0 or ±2 (mod 𝜆4 )
from (iv) in Theorem 7.7.9. The case ±2 is impossible as it would imply 𝜆 ∣ 2. Therefore
the right-hand side of (7.7.17) is 0, so
𝜆4 ∣ 𝜀𝜆3𝑛 𝛾3 .
As (𝜆, 𝜀𝛾) = 1, we get 𝜆4 ∣ 𝜆3𝑛 , implying 𝑛 ≥ 2.
IV. Now comes infinite descent as key step: If (7.7.14) and (7.7.15) hold for some
𝑛, then this can be realized also for 𝑛 − 1 instead of 𝑛 with some other values of the
variables 𝜀, 𝛾, 𝜅, and 𝜓.
Factoring the right-hand side of (7.7.14), we obtain
(7.7.18) 𝜀𝜆3𝑛 𝛾3 = (𝜅 − 𝜓)(𝜅 − 𝜓𝜔)(𝜅 − 𝜓𝜔2 ).

Since the Eulerian prime 𝜆 divides the left-hand side of (7.7.18), it must divide at
least one factor on the right-hand side, too. The pairwise differences of the three factors
are (𝜔 − 1)𝜓, (𝜔2 − 1)𝜓, and (𝜔2 − 𝜔)𝜓, which are all multiples of 𝜔 − 1 = 𝜀𝜆. This
implies that 𝜆 divides all three factors on the right-hand side of (7.7.18).
We verify now that the gcd of any two factors on the right-hand side of (7.7.18) is
𝜆. We check it for the first two factors; the other two pairs can be handled similarly.
Put 𝛿 = (𝜅 − 𝜓, 𝜅 − 𝜓𝜔). Then
𝛿 ∣ (𝜅 − 𝜓) − (𝜅 − 𝜓𝜔) = 𝜓(𝜔 − 1)
and
𝛿 ∣ 𝜔(𝜅 − 𝜓) − (𝜅 − 𝜓𝜔) = 𝜅(𝜔 − 1),
so
𝛿 ∣ (𝜓(𝜔 − 1), 𝜅(𝜔 − 1)) = (𝜔 − 1)(𝜅, 𝜓) = 𝜔 − 1 = 𝜀𝜆.
Combined with 𝜆 ∣ 𝛿, shown earlier, this gives 𝛿 = 𝜆.
Thus
𝜅−𝜓 𝜅 − 𝜓𝜔 𝜅 − 𝜓𝜔2
, , and
𝜆 𝜆 𝜆
are pairwise coprime. By the Fundamental Theorem of Arithmetic,
𝜅 − 𝜓 = 𝜀1 𝜆𝜈31
(7.7.19) 𝜅 − 𝜓𝜔 = 𝜀2 𝜆𝜈32
𝜅 − 𝜓𝜔2 = 𝜀3 𝜆𝜈33
where 𝜀1 , 𝜀2 , 𝜀3 are units and 𝜈1 , 𝜈2 , 𝜈3 are pairwise coprime Eulerian integers.
We check now the behavior of 𝜈 𝑖 concerning divisibility by 𝜆. Since 𝜈 𝑖 are pairwise
coprime, two of them, say 𝜈2 and 𝜈3 are not multiples of 𝜆. Let 𝑠 be the exponent of 𝜆
in the standard form of 𝜈1 . We claim that 𝑠 = 𝑛 − 1.
To verify it, we compare the exponents of 𝜆 on the two sides of (7.7.18). This ex-
ponent is 3𝑛 on the left-hand side. On the right-hand side, we know from (7.7.19) that
Exercises 7.7 249

each factor contains 𝜆 on the first power and 𝜈31 contains it with exponent 3𝑠. Hence,
3𝑛 = 3 + 3𝑠, so 𝑠 = 𝑛 − 1.
Thus
(7.7.20) 𝜈1 = 𝜆𝑛−1 𝛾1 where (𝛾1 , 𝜆) = 1.
Here 𝑛 − 1 ≥ 1 as 𝑛 ≥ 2.
In the next step we show that taking a suitable combination of the equations in
(7.7.19), we get an equality like (7.7.14) with 𝑛 − 1 instead 𝑛 and this completes the
proof.
We multiply the second equation in (7.7.19) by 𝜔 and the third equation by 𝜔2 , and
add to the first equation:
(7.7.21) (𝜅 − 𝜓) + 𝜔(𝜅 − 𝜓𝜔) + 𝜔2 (𝜅 − 𝜓𝜔2 ) = 𝜀1 𝜆𝜈31 + 𝜀4 𝜆𝜈32 + 𝜀5 𝜆𝜈33 ,
where 𝜀4 = 𝜀2 𝜔 and 𝜀5 = 𝜀3 𝜔2 are units. The left-hand side of (7.7.21) is
(7.7.22) (𝜅 − 𝜓) + 𝜔(𝜅 − 𝜓𝜔) + 𝜔2 (𝜅 − 𝜓𝜔2 ) = (1 + 𝜔 + 𝜔2 )(𝜅 − 𝜓) = 0.
By (7.7.20), (7.7.21), and (7.7.22) we obtain
0 = 𝜀1 𝜆3(𝑛−1)+1 𝛾13 + 𝜀4 𝜆𝜈32 + 𝜀5 𝜆𝜈33 .
Dividing by 𝜀5 𝜆 and rearranging the terms yields
(7.7.23) 𝜀6 𝜆3(𝑛−1) 𝛾13 = 𝜀7 𝜈32 − 𝜈33
where also 𝜀6 and 𝜀7 are units.
We claim 𝜀7 = ±1, so we can rewrite the term 𝜀7 𝜈32 as (±𝜈2 )3 . We consider (7.7.23)
modulo 𝜆3 . Since 𝑛 − 1 ≥ 1, 𝜆 ∤ 𝜈2 , and 𝜆 ∤ 𝜈3 , part (iv) of Theorem 7.7.9 implies
𝜀7 (±1) − (±1) ≡ 0 (mod 𝜆3 ) ,
so 𝜆3 divides 𝜀7 − 1 or 𝜀7 + 1. From
𝑁(𝜆3 ) ∣ 𝑁(𝜀7 ∓ 1), 𝑁(𝜆3 ) = 27, and 𝑁(𝜀7 ∓ 1) < 27,
we get 𝜀7 ∓ 1 = 0, thus 𝜀7 = ±1.
Therefore we can rewrite (7.7.23) as
𝜀6 𝜆3(𝑛−1) 𝛾13 = (±𝜈2 )3 − 𝜈33 .
This means that (7.7.14) holds with 𝑛 − 1 instead of 𝑛, and the conditions in (7.7.15)
are satisfied, with 𝜀, 𝛾, 𝜅, and 𝜓 replaced by 𝜀6 , 𝛾1 , ±𝜈2 , and 𝜈3 . □

Exercises 7.7

1. (a) Show that if 𝑘 ∣ 𝑚, and the sum of two positive 𝑘th powers is never a 𝑘th
power, then the sum of two positive 𝑚th powers cannot be an 𝑚th power.
(b) Explain why it is sufficient to prove Fermat’s Last Theorem for prime expo-
nents and for 𝑘 = 4.
2. How many solutions do the following equations have in positive integers?
 250 7. Diophantine Equations

(a) 𝑥20 + 𝑦24 = 𝑧28

(b) 𝑥3 + 𝑦4 = 𝑧5 .
3. Solve the exponential version 𝑘𝑥 + 𝑘𝑦 = 𝑘𝑧 of Fermat’s equation where 𝑘, 𝑥, 𝑦, and
𝑧 are positive integers.
4. We examine Fermat’s equation in some cases where the exponent is not a positive
integer. Find all solutions 𝑥, 𝑦, 𝑧 in positive integers.
1 1 1
(a) 𝑘 = −4: + = 4
𝑥4 𝑦4 𝑧
1 1 1
(b) 𝑘 = −2: + = 2
𝑥2 𝑦2 𝑧
(c) 𝑘 = 1/2: √𝑥 + √𝑦 = √𝑧
3 3 3
(d) 𝑘 = 1/3: √𝑥 + √𝑦 = √𝑧.
5. Prove the propositions.
(a) Both 𝑥4 + 𝑦2 = 𝑧2 and 𝑥2 + 𝑦2 = 𝑧4 have infinitely many solutions in positive
integers satisfying (𝑥, 𝑦, 𝑧) = 1.
S* (b) The equation 𝑥4 + 𝑦4 = 𝑧2 has no solutions in positive integers.
Remark: Part (b) yields another proof for the case 𝑘 = 4 of Fermat’s Last
Theorem.
* 6. Solve the Diophantine equation 𝑥4 − 2𝑦2 = −1.
S** 7. In which number systems is the integer 1111 a square?
8. Which Eulerian integers divide their conjugates?
9. Verify the identity
(𝑎2 − 𝑎𝑏 + 𝑏2 )(𝑐2 − 𝑐𝑑 + 𝑑 2 ) =
= (𝑎𝑐 − 𝑏𝑑)2 − (𝑎𝑐 − 𝑏𝑑)(𝑎𝑑 + 𝑏𝑐 − 𝑏𝑑) + (𝑎𝑑 + 𝑏𝑐 − 𝑏𝑑)2
for any real numbers 𝑎, 𝑏, 𝑐, and 𝑑.
10. S (a) Prove that the Diophantine equations 𝑥2 − 𝑥𝑦 + 𝑦2 = 𝑛 and 𝑥2 + 3𝑦2 = 𝑛 are
solvable for exactly the same positive integers 𝑛.
* (b) For which values of 𝑛 are the equations in part (a) solvable and what is the
number of solutions?
S* 11. Solve the Diophantine equation 𝑥2 + 243 = 𝑦3 .
12. Let 𝜇 ≠ 0 be an Eulerian integer. The Eulerian integers 𝜚1 , . . . , 𝜚𝑟 form a complete
residue system modulo 𝜇 if any Eulerian integer 𝛼 satisfies the congruence 𝛼 ≡ 𝜚𝑖
(mod 𝜇) for exactly one 𝜚𝑖 . Show:
* (a) There are 𝑁(𝜇) elements in a complete residue system modulo 𝜇.
(b) If 𝑁(𝜇) is a prime number 𝑝, then 0, 1, 2, . . . , 𝑁(𝜇) − 1 form a complete residue
system modulo 𝜇.
7.8. Pell’s Equation 251

(c) The analog of Fermat’s Little Theorem is true:

𝛼𝑁(𝜋) ≡ 𝛼 (mod 𝜋)
for any Eulerian integer 𝛼 and Eulerian prime 𝜋.
13. Solve the Diophantine equation
𝑢 𝑣 𝑤
+ = .
𝑣 𝑤 𝑢
14. (a) Show that if the side lengths of a right triangle are integers, then the area of
the triangle cannot be a square.
(b) Prove that if the side lengths of a right triangle are pairwise coprime integers,
then the area of the triangle cannot be a cube.
(c) Does there exist a right triangle with integer side lengths whose area is a cube?
(d) Generalize the problem for higher powers.

7.8. Pell’s Equation

Pell’s equation is a Diophantine equation of the form
(7.8.1) 𝑥2 − 𝑚𝑦2 = 1
where 𝑚 is a positive integer that is not a square. Equation (7.8.1) has two trivial solu-
tions 𝑥 = ±1, 𝑦 = 0; the other solutions (with 𝑦 ≠ 0) are called non-trivial solutions.
We can factor the left-hand side of (7.8.1):
(7.8.2) (𝑥 + 𝑦√𝑚)(𝑥 − 𝑦√𝑚) = 1.
So if the pair 𝑥, 𝑦 satisfies (7.8.1), then the (real) numbers 𝑥 + 𝑦√𝑚 and 𝑥 − 𝑦√𝑚 divide
1 in the ring of numbers of the form 𝑎 + 𝑏√𝑚 where 𝑎 and 𝑏 are integers, i.e. they
are units in this ring. We know that any integer power of a unit is a unit, thus if there
exists a unit 𝜀 ≠ ±1, then the powers of 𝜀 produce infinitely many units. Returning
to Pell’s equation, this shows that if (7.8.1) has a non-trivial solution, then there are
infinitely many solutions. The special cases 𝑚 = 2 and 𝑚 = 3 occurred essentially in
Exercise 1.1.22 and in the proof of Theorem 5.2.4.
Now we show that every Pell’s equation has infinitely many solutions (it would be
sufficient to prove the existence of at least one non-trivial solution, as discussed above).
Then we characterize how to obtain all solutions.
We note that (7.8.1) behaves entirely differently if 𝑚 ≤ 0 or 𝑚 = 𝑘2 , see Exer-
cise 7.8.1.
Theorem 7.8.1. Let 𝑚 be a positive integer that is not square. Then the Diophantine
equation (7.8.1) has infinitely many solutions. ♣

In the proof, we shall rely on Theorem 8.1.1 from the next chapter.

Proof. If 𝑦 ≠ 0, then the equivalent form (7.8.2) of (7.8.1) can be written as

𝑥 1
(7.8.3) − √𝑚 = .
𝑦 𝑦(𝑥 + 𝑦√𝑚)
252 7. Diophantine Equations

We see from (7.8.3) that a pair of positive integers 𝑥 and 𝑦 can give a solution only
if 𝑥/𝑦 is very close to √𝑚: (7.8.3) implies

(7.8.4) |√𝑚 − 𝑥 | < 1 .

| 𝑦 | 𝑦2

As √𝑚 is irrational, it follows from Theorem 8.1.1 that (7.8.4) holds for infinitely many
pairs of integers 𝑥, 𝑦. Based on this fact, we prove that (7.8.2) has infinitely many
solutions. (Conditions (7.8.4) and (7.8.2) are not equivalent; only a small number of 𝑥
and 𝑦 satisfying (7.8.4) will be solutions of (7.8.2)).
I. Our first step is to show that there exists an integer 𝑡 ≠ 0 such that the Diophan-
tine equation

(7.8.5) 𝑥2 − 𝑚𝑦2 = 𝑡

has infinitely many solutions.

Let 𝑐𝑗 , 𝑑𝑗 (𝑗 = 1, 2, . . . ) be infinitely many pairs of positive integers satisfying
(7.8.4), so
𝑐
|√𝑚 − 𝑗 | < 1 , 𝑗 = 1, 2, . . . .
| 𝑑𝑗 | 𝑑𝑗2
Then
𝑐𝑗 𝑐𝑗 𝑐𝑗
|𝑐𝑗2 − 𝑚𝑑𝑗2 | = 𝑑𝑗2 || − √𝑚|| ⋅ || + √𝑚|| < || + √𝑚|| =
𝑑𝑗 𝑑𝑗 𝑑𝑗
(7.8.6) 𝑐𝑗 1
= || − √𝑚 + 2√𝑚|| < 2 + 2√𝑚 ≤ 1 + 2√𝑚.
𝑑𝑗 𝑑𝑗

(7.8.6) implies that all values 𝑐𝑗2 −𝑚𝑑𝑗2 are integers in the interval (−1−2√𝑚, 1+2√𝑚),
and none of them is 0 as √𝑚 is irrational. By the pigeonhole principle, there must be
an integer 𝑡 ≠ 0 in this interval for which

𝑐𝑗2 − 𝑚𝑑𝑗2 = 𝑡

holds for infinitely many pairs 𝑐𝑗 , 𝑑𝑗 . This means that the Diophantine equation (7.8.5)
has infinitely many solutions.
II. Now we prove that the quotients of suitable solutions of (7.8.5) yield solutions
for equation (7.8.1).
Let 𝑥 = 𝑎1 , 𝑦 = 𝑏1 and 𝑥 = 𝑎2 , 𝑦 = 𝑏2 be two solutions of (7.8.5), so

(7.8.7a) 𝑎21 − 𝑚𝑏21 = (𝑎1 + 𝑏1 √𝑚)(𝑎1 − 𝑏1 √𝑚) = 𝑡

(7.8.7b) 𝑎22 − 𝑚𝑏22 = (𝑎2 + 𝑏2 √𝑚)(𝑎2 − 𝑏2 √𝑚) = 𝑡

and assume

(7.8.8) 𝑎1 ≡ 𝑎2 (mod |𝑡|) and 𝑏1 ≡ 𝑏2 (mod |𝑡|) .

If (7.8.7a), (7.8.7b), and (7.8.8) hold, then the pairs 𝑎1 , 𝑏1 and 𝑎2 , 𝑏2 are called modulo |𝑡|
congruent solutions of (7.8.5).
7.8. Pell’s Equation 253

Dividing (7.8.7a) by (7.8.7b), we obtain

𝑎1 + 𝑏1 √𝑚 𝑎1 − 𝑏1 √𝑚
(7.8.9) ⋅ = 1.
𝑎2 + 𝑏2 √𝑚 𝑎2 − 𝑏2 √𝑚
The first fraction on the left-hand side of (7.8.9) can be written as
𝑎1 + 𝑏1 √𝑚
= 𝑢 + 𝑣√𝑚
𝑎2 + 𝑏2 √𝑚
where 𝑢 and 𝑣 are rational numbers, and then the second fraction is necessarily
𝑎1 − 𝑏1 √𝑚
= 𝑢 − 𝑣√𝑚.
𝑎2 − 𝑏2 √𝑚
We show that 𝑢 and 𝑣 are integers if (7.8.8) holds, so 𝑢 and 𝑣 provide an integer solution
of (7.8.1).
By eliminating the square root in the denominator and using (7.8.7b), we obtain
𝑎1 + 𝑏1 √𝑚 (𝑎1 + 𝑏1 √𝑚)(𝑎2 − 𝑏2 √𝑚) (𝑎1 + 𝑏1 √𝑚)(𝑎2 − 𝑏2 √𝑚)
= = .
𝑎2 + 𝑏2 √𝑚 𝑎22 − 𝑚𝑏22 𝑡
Thus we have to verify that in
(𝑎1 + 𝑏1 √𝑚)(𝑎2 − 𝑏2 √𝑚) = 𝑟 + 𝑠√𝑚
𝑟 and 𝑠 are divisible by 𝑡. This follows from (7.8.8) and (7.8.7a):
𝑟 + 𝑠√𝑚 = (𝑎1 + 𝑏1 √𝑚)(𝑎2 − 𝑏2 √𝑚) ≡
≡ (𝑎1 + 𝑏1 √𝑚)(𝑎1 − 𝑏1 √𝑚) = 𝑡 ≡ 0 (mod |𝑡|) .
(Congruences for numbers 𝑎 + 𝑏√𝑚 are in the usual natural sense.)
III. Since there are |𝑡| possible remainders modulo |𝑡| for each of 𝑎 and 𝑏, the num-
ber of pairwise incongruent solutions of (7.8.5) is at most 𝑡2 . Applying the pigeonhole
principle again, we infer that among the infinitely many solutions of (7.8.5), there are
infinitely many such that any two of them are congruent modulo |𝑡|. Let 𝑥 = 𝑓𝑖 , 𝑦 = 𝑔𝑖 ,
𝑖 = 1, 2, . . . be such solutions.
Then, according to part II, the values 𝑟 𝑖 , 𝑠𝑖 arising as quotients of 𝑓𝑖 , 𝑔𝑖 and 𝑓1 , 𝑔1
will give infinitely many distinct integer solutions of (7.8.1). □
Theorem 7.8.2. Let 𝑚 be a positive integer which is not a square and 𝑥0 , 𝑦0 the uniquely
determined solution of the Diophantine equation (7.8.1) where 𝑥0 > 0, 𝑦0 > 0, and
𝑥0 + 𝑦0 √𝑚 is minimal. Then all solutions are the pairs of integers 𝑥, 𝑦 such that
(7.8.10) 𝑥 + 𝑦√𝑚 = ±(𝑥0 + 𝑦0 √𝑚)𝑛 , 𝑛 = 0, ±1, ±2, . . . ♣

By (7.8.2),
(7.8.11) (𝑥0 + 𝑦0 √𝑚)−𝑛 = (𝑥0 − 𝑦0 √𝑚)𝑛 ,
thus an equivalent form of (7.8.10) is
𝑥 + 𝑦√𝑚 = ±(𝑥0 ± 𝑦0 √𝑚)𝑛 , 𝑛 = 0, 1, 2, . . . .
For 𝑛 = 0, we obtain the two trivial solutions.
254 7. Diophantine Equations

Proof. We shall apply several times the fact that the product of two solutions gives a
solution.
Assume that both 𝑥1 , 𝑦1 , and 𝑥2 , 𝑦2 are solutions of (7.8.1), i.e.

(7.8.12a) (𝑥1 + 𝑦1 √𝑚)(𝑥1 − 𝑦1 √𝑚) = 1

(7.8.12b) (𝑥2 + 𝑦2 √𝑚)(𝑥2 − 𝑦2 √𝑚) = 1.

Multiplying (7.8.12a) and (7.8.12b), we get

(𝑥1 𝑥2 + 𝑚𝑦1 𝑦2 + (𝑥1 𝑦2 + 𝑦1 𝑥2 )√𝑚)(𝑥1 𝑥2 + 𝑚𝑦1 𝑦2 − (𝑥1 𝑦2 + 𝑦1 𝑥2 )√𝑚) = 1.

This means that

𝑥3 = 𝑥1 𝑥2 + 𝑚𝑦1 𝑦2 , 𝑦 3 = 𝑥 1 𝑦 2 + 𝑦 1 𝑥2
is also a solution of (7.8.1). (In the formulation for units indicated in the introduction,
this corresponds to the fact that the product of two units is a unit.)
The above and (7.8.11) imply that the pairs of integers 𝑥, 𝑦 defined by (7.8.10)
satisfy (7.8.1).
Now we show that there are no other solutions. Assume that 𝑥, 𝑦 is a solution not
of this type. Then also −𝑥, −𝑦 is a solution not listed in (7.8.10). Hence we may assume
𝑥 + 𝑦√𝑚 > 0.
Then

(7.8.13) (𝑥0 + 𝑦0 √𝑚)𝑘 < 𝑥 + 𝑦√𝑚 < (𝑥0 + 𝑦0 √𝑚)𝑘+1

for some integer 𝑘. Multiplying (7.8.13) by (𝑥0 − 𝑦0 √𝑚)𝑘 , we obtain

(7.8.14) 1 < (𝑥 + 𝑦√𝑚)(𝑥0 − 𝑦0 √𝑚)𝑘 < 𝑥0 + 𝑦0 √𝑚.

As we multiplied two solutions,

(𝑥 + 𝑦√𝑚)(𝑥0 − 𝑦0 √𝑚)𝑘 = 𝑥′ + 𝑦′ √𝑚,

𝑥′ , 𝑦′ is a solution too, so

(7.8.15) (𝑥′ + 𝑦′ √𝑚)(𝑥′ − 𝑦′ √𝑚) = 1.

By the first inequality in (7.8.14),

(7.8.16a) 𝑥′ + 𝑦′ √𝑚 > 1,

thus

(7.8.16b) 0 < 𝑥′ − 𝑦′ √𝑚 < 1,

by (7.8.15). According to (7.8.16b), the cases 𝑦′ = 0; 𝑥′ < 0, 𝑦′ > 0; and 𝑥′ > 0, 𝑦′ < 0
are impossible, and (7.8.16a) excludes 𝑥′ < 0, 𝑦′ < 0. Therefore 𝑥′ > 0, 𝑦′ > 0, but
then (7.8.14) contradicts the minimality of 𝑥0 + 𝑦0 √𝑚. □
 Exercises 7.8 255

Exercises 7.8

1. Determine all solutions of the Diophantine equation 𝑥2 − 𝑚𝑦2 = 1 if 𝑚 ≤ 0 or 𝑚

is a square.
2. In how many cases does it occur that writing a digit 1 after a square (in decimal
system), gives another square?
3. Let 𝑚 be a positive integer that is not a square, and 𝑟 be any integer different from
0. Prove that if the Diophantine equation 𝑥2 − 𝑚𝑦2 = 𝑟 is solvable, then it has
infinitely many solutions.
4. (a) How many squares are (a1) greater by 1 (a2) smaller by 1
than the double of a square?
(b) Investigate the question when double is replaced by triple.
5. For how many integers 𝑛 is (𝑛2) a square?
6. What is the number of pairwise incongruent right triangles whose leg lengths are
consecutive integers and the length of the hypotenuse is an integer?
7. Determine the number of solutions of the Diophantine equations
(a) 𝑥2 − 3𝑦2 = 2
(b) 𝑥2 − 3𝑦2 = 7
(c) 𝑥2 − 3𝑦2 = 13
(d) 𝑥2 − 3𝑦2 = 39
(e) 2𝑥2 − 3𝑦2 = 1
(f) 3𝑥2 − 2𝑦2 = 1.
* 8. For which primes 𝑝 > 0 is the Diophantine equation 𝑥2 − 𝑝𝑦2 = −1 solvable?
9. Let 𝑎, 𝑏, and 𝑐 pairwise coprime non-zero integers, and assume that the Diophan-
tine equation 𝑎𝑥2 + 𝑏𝑦2 + 𝑐𝑧2 = 0 has a non-trivial solution, one differing from
𝑥 = 𝑦 = 𝑧 = 0. Verify that the signs of 𝑎, 𝑏, and 𝑐 cannot be all the same and the
congruences
𝑢2 ≡ −𝑏𝑐 (mod |𝑎|) , 𝑣2 ≡ −𝑎𝑐 (mod |𝑏|) , 𝑤2 ≡ −𝑎𝑏 (mod |𝑐|)
are solvable.
Remark: It can be shown that these conditions are not only necessary but also
sufficient for the non-trivial solvability of the Diophantine equation 𝑎𝑥2 + 𝑏𝑦2 +
𝑐𝑧2 = 0.
10. For how many integers 𝑘 is 2 + 2√28𝑘2 + 1 a square?
* 11. Prove that Pell’s equation 𝑥2 − 2𝑦2 = 1 has no non-trivial solutions when 𝑥 or 𝑦 is
a square.
256 7. Diophantine Equations

7.9. Partitions
Definition 7.9.1. A partition of a positive integer 𝑛 is a representation of 𝑛 as a sum
of positive integers, allowing also a one-term sum. We consider only the essentially
different representations, where the order of the terms is irrelevant.
The number of partitions of 𝑛 is denoted by 𝑝(𝑛). ♣

Example. All partitions of 4 are

4 = 3 + 1 = 2 + 2 = 2 + 1 + 1 = 1 + 1 + 1 + 1,
so 𝑝(4) = 5.

We state without proof the asymptotic behavior of 𝑝(𝑛): as 𝑛 → ∞,

𝑐𝑒𝑑√𝑛 1 𝜋√6
𝑝(𝑛) ∼ where 𝑐 = and 𝑑= .
𝑛 4√3 3

We often investigate special partitions where there are some restrictions on the sum-
mands or on their number: e.g. we prescribe that each summand should be odd or the
terms should be all distinct, etc.
The basic tools for handling partitions are generating functions. As an illustration,
we consider the money changing problem: In how many ways can we pay 𝑛 dollars with
banknotes of denomination less than (say) 50 dollars, including the rare two dollar
bills? We want partitions of 𝑛 into summands 1, 2, 5, 10, and 20 only. Let us denote the
number of such partitions by 𝑓(𝑛).
We rewrite the problem. Let 𝑢1 , . . . , 𝑢5 denote the numbers of 1, 2, 5, 10, and 20
dollar bills, when paying 𝑛 dollars. Then 𝑓(𝑛) is the number of non-negative integer
solutions of the Diophantine equation
(7.9.1) 1𝑢1 + 2𝑢2 + 5𝑢3 + 10𝑢4 + 20𝑢5 = 𝑛.

The generating function of 𝑓(𝑛) is the power series

∞
(7.9.2) 𝐹(𝑥) = 1 + ∑ 𝑓(𝑛)𝑥𝑛 .
𝑛=1

We show first that the series is absolutely convergent for |𝑥| < 1/2.
Since 0 ≤ 𝑢𝑖 ≤ 𝑛 for every 𝑖 in (7.9.1),
0 ≤ 𝑓(𝑛) ≤ (𝑛 + 1)5 .
It is easy to see that (𝑛 + 1)5 < 2𝑛 for 𝑛 large enough, thus, for |𝑥| < 1/2, the convergent
infinite geometric series
∞
∑ (2|𝑥|)𝑛
𝑛=0

is a majorant of the infinite series (7.9.2). Therefore 𝐹(𝑥) is absolutely convergent for
|𝑥| < 1/2. It can also be proved that this holds for |𝑥| < 1.
7.9. Partitions 257

We write 𝐹(𝑥) as a product of convergent geometric series, still assuming |𝑥| < 1/2:

𝐹(𝑥) = (1 + 𝑥 + 𝑥2 + . . . )(1 + 𝑥2 + (𝑥2 )2 + . . . )(1 + 𝑥5 + (𝑥5 )2 + . . . )⋅

(7.9.3)
⋅ (1 + 𝑥10 + (𝑥10 )2 + . . . )(1 + 𝑥20 + (𝑥20 )2 + . . . ).

As the power series expansion of a function around 0 is unique, we have to show that
multiplying the finitely many absolutely convergent series on the right-hand side of
(7.9.3) we get 𝑓(𝑛) as the coefficient of 𝑥𝑛 . We map a representation (7.9.1) of 𝑛 into a
product of the terms

𝑥 ᵆ1 , (𝑥2 )ᵆ2 , (𝑥5 )ᵆ3 , (𝑥10 )ᵆ4 , (𝑥20 )ᵆ5

on the right-hand side of (7.9.3). This product is

𝑥ᵆ1 (𝑥2 )ᵆ2 (𝑥5 )ᵆ3 (𝑥10 )ᵆ4 (𝑥20 )ᵆ5 = 𝑥1ᵆ1 +2ᵆ2 +5ᵆ3 +10ᵆ4 +20ᵆ5 = 𝑥𝑛 .

Thus we established a bijection between the representations and the products, so after
performing the multiplication, the coefficient of 𝑥𝑛 is 𝑓(𝑛).
Using the summation formula for geometric series, we can write (7.9.3) into the
form
1
𝐹(𝑥) = (for |𝑥| < 1/2).
(1 − 𝑥)(1 − 𝑥2 )(1 − 𝑥5 )(1 − 𝑥10 )(1 − 𝑥20 )
We obtain the following more general result exactly the same way.

Theorem 7.9.2. Let 𝑎1 , 𝑎2 , . . . , 𝑎𝑟 be distinct positive integers, and let 𝑓(𝑛) denote the
number of partitions of the positive integer 𝑛 using no summands other than 𝑎1 , 𝑎2 , . . . ,
∞
𝑎𝑟 . Then the infinite series 1 + ∑𝑛=1 𝑓(𝑛)𝑥𝑛 is absolutely convergent for |𝑥| < 1/2, and
∞ 𝑟
1
1 + ∑ 𝑓(𝑛)𝑥𝑛 = ∏ . ♣
𝑛=1 𝑖=1
1 − 𝑥 𝑎𝑖

We obtain the generating function of 𝑝(𝑛) similarly.

Theorem 7.9.3.
∞ ∞
1
(7.9.4) 𝑃(𝑥) = 1 + ∑ 𝑝(𝑛)𝑥𝑛 = ∏ (for |𝑥| < 1). ♣
𝑛=1 𝑖=1
1 − 𝑥𝑖

The infinite product on the right-hand side of (7.9.4) is the limit (as seen in Exer-
cises 5.6.6 and 5.6.7)
∞ 𝑟
1 1
∏ = lim ∏ .
𝑖=1
1 − 𝑥𝑖 𝑟→∞ 𝑖=1 1 − 𝑥𝑖
To prove Theorem 7.9.3, we apply Theorem 7.9.2 with 𝑎𝑖 = 𝑖, and then take the limit
when 𝑟 → ∞. We leave the details to the reader.
Besides generating functions, combinatorial arguments can be applied to parti-
tions. We can plot a partition 𝑛 = 𝑎1 + 𝑎2 + ⋯ + 𝑎𝑟 satisfying 𝑎1 ≥ 𝑎2 ≥ . . . ≥ 𝑎𝑟 as a
258 7. Diophantine Equations

scheme with 𝑎1 points in the first row, 𝑎2 points in the second row, etc., as the scheme
• • • • •
• • •
(7.9.5)
• • •
•
corresponds to the partition 12 = 5 + 3 + 3 + 1. It is obvious from the definition that
no row can be longer than the row above it.
Thus the rows correspond to the terms of the partition. We can look at the scheme
also according to its columns. So scheme (7.9.5) gives the partition 12 = 4+3+3+1+1.
The two interpretations of the schemes yield the result:
Theorem 7.9.4. Let 𝑔𝑟 (𝑛) and ℎ𝑟 (𝑛), be the number of partitions of 𝑛 where the number
of terms and the largest term is 𝑟, resp. Then 𝑔𝑟 (𝑛) = ℎ𝑟 (𝑛). ♣

Proof. Consider the schemes of 𝑛 points with exactly 𝑟 rows. Counting the points in
the scheme by rows, we get a partition of 𝑛 into 𝑟 terms. Considering the scheme by
columns, we have a partition of 𝑛 where the largest term is 𝑟. Doing this for all schemes,
we infer 𝑔𝑟 (𝑛) = ℎ𝑟 (𝑛). □

Below we investigate partitions of 𝑛 into an even or odd number of pairwise distinct

terms. The next theorem of Euler shows that the difference between the numbers of
these two types of partitions is at most 1.
Theorem 7.9.5. Let 𝑒(𝑛) and 𝑜(𝑛), be the number of partitions of the positive integer 𝑛
where all terms are distinct and the number of summands is even or odd. Then
1
(−1)𝑘 , if 𝑛 = 2 (3𝑘2 ± 𝑘)
(7.9.6) 𝑒(𝑛) − 𝑜(𝑛) = { ♣
0, otherwise.
Example. The partitions of 𝑛 = 7 into distinct terms are
6+1=5+2=4+3 where the number of terms is even
7=4+2+1 where the number of terms is odd,
so 𝑒(7) = 3 and 𝑜(7) = 2. The equality 𝑒(7) − 𝑜(7) = 1 = (−1)2 agrees with (7.9.6) as
1
7 = 2 (3 ⋅ 22 + 2).

Proof. We shall establish an almost bijection between the partitions of 𝑛 into an even
or odd number of distinct summands.
Partitions into distinct terms correspond to schemes where the numbers of ele-
ments in the rows are strictly decreasing downwards, as the partition 23 = 7+6+5+3+2
is represented by
• • • • • • •
• • • • • •
(7.9.7) • • • • •
• • •
• •
7.9. Partitions 259

Let us call the edge of such a partition the longest line of points starting from the
upper-right corner and running 45 degrees from northeast to southwest. The edge of
scheme (7.9.7) consists of three points. The length of the edge depends on how long
the terms decrease one by one, and an edge may contain just a single point.
Let 𝑈 be the transformation that transfers the edge of a scheme under the last row,
creating a new last row provided that we again get a partition into distinct terms, so the
new scheme consists of rows with strictly decreasing numbers of points. Similarly, let
𝐸 be the transformation that transfers the last row of a scheme near the edge (obliquely,
as a new edge) provided this creates an appropriate new scheme. Applying 𝐸 to (7.9.7),
we obtain
• • • • • • • •
• • • • • • •
• • • • •
• • •
but 𝑈 cannot be applied.
We show that apart from a few exceptions, any scheme allows exactly one of 𝑈 and
𝐸 to be applied.
Let the number of points be 𝑢 in the last row and 𝑒 in the edge.
If 𝑢 ≤ 𝑒, then 𝑈 cannot be applied, but 𝐸 can, except if 𝑢 = 𝑒 and the last row and
the edge have a common point; in this case neither 𝑈, nor 𝐸 can be applied:

• • • • • • •
• • • • • •
(∗)
• • • • •
• • • •

If 𝑢 > 𝑒, then 𝐸 is impossible, but 𝑈 works, except if 𝑢 = 𝑒 + 1 and the last row
and the edge share a point; in this case neither 𝑈, nor 𝐸 can be applied:

• • • • • •
(∗∗) • • • • •
• • • •

Transformation 𝑈 increases the number of rows by 1, whereas 𝐸 reduces it by

1, so the numbers of terms in the original and new partitions have opposite parity.
Further, 𝑈 and 𝐸 are inverses of each other so their composition in any order restores
the original scheme. This means that the pair of transformations 𝑈 and 𝐸 establishes,
apart from partitions of type (∗ ) and (∗∗ ), a bijection between the partitions of 𝑛 into
distinct summands with an even and odd number of terms. This proves 𝑒(𝑛) = 𝑜(𝑛)
except if 𝑛 has a partition of type (∗ ) or (∗∗ ) when 𝑒(𝑛) − 𝑜(𝑛) is 1 or −1, depending
on whether the bad partition consists of an even or odd number of terms (we have to
verify that a given 𝑛 cannot have more than one bad partitions).
If the partition (∗ ) contains 𝑘 terms, i.e. the scheme has 𝑘 rows, then
(3𝑘 − 1)𝑘
(7.9.8) 𝑛 = (2𝑘 − 1) + (2𝑘 − 2) + ⋯ + 𝑘 = .
2
260 7. Diophantine Equations

We obtain similarly that if the partition (∗∗ ) consists of 𝑘 terms, then

(3𝑘 + 1)𝑘
(7.9.9) 𝑛 = 2𝑘 + (2𝑘 − 1) + ⋯ + (𝑘 + 1) = .
2
For a given 𝑛, neither (7.9.8) nor (7.9.9) can be true for more values of 𝑘 and 𝑛 cannot
be simultaneously of the form (7.9.8) and (7.9.9) as
(3𝑘 − 1)𝑘 (3𝑗 + 1)𝑗
= ⟺ (3𝑘 − 3𝑗 − 1)(𝑘 + 𝑗) = 0,
2 2
which is impossible for positive integers 𝑘 and 𝑗.
Thus (7.9.8) and (7.9.9) determine the exceptional integers 𝑛, and every such 𝑛 has
only one bad transformation. This verifies (7.9.6). □

As indicated before, Theorem 7.9.5 has important consequences concerning 𝑝(𝑛).

If 𝑣(𝑛) = 𝑒(𝑛) − 𝑜(𝑛), then the generating function of 𝑣(𝑛) is
∞ ∞
1 2 +𝑘) 1 2 −𝑘)
𝑉(𝑥) = 1 + ∑ 𝑣(𝑛)𝑥𝑛 = 1 + ∑ (−1)𝑘 (𝑥 2 (3𝑘 + 𝑥 2 (3𝑘 )=
(7.9.10) 𝑛=1 𝑘=1

= 1 − 𝑥 − 𝑥2 + 𝑥5 + 𝑥 − 𝑥 7 12
− 𝑥15 + . . . ,
by Theorem 7.9.5. This infinite series is absolutely convergent for |𝑥| < 1/2.
On the other hand, we can obtain 𝑉(𝑥) as an infinite product, convergent for |𝑥| <
1/2:
∞ 𝑟
(7.9.11) 𝑉(𝑥) = ∏(1 − 𝑥𝑖 ) = lim ∏(1 − 𝑥𝑖 ).
𝑟→∞
𝑖=1 𝑖=1

To verify (7.9.11), we consider the product

𝑟
(7.9.12) ∏(1 − 𝑥𝑖 ).
𝑖=1

Performing the multiplication, we get terms of the type

(7.9.13) (−𝑥𝑖1 )(−𝑥𝑖2 ) . . . (−𝑥𝑖𝑗 ) = (−1)𝑗 𝑥𝑖1 +𝑖2 +⋯+𝑖𝑗
where 0 ≤ 𝑗 ≤ 𝑟 and 𝑖1 , . . . , 𝑖𝑗 are distinct positive integers not greater than 𝑟. (For
𝑗 = 0, we obtain 1 corresponding to the empty product.)
We perform the multiplication in (7.9.12). By (7.9.13), every partition of 𝑛 with an
even or odd number of distinct summands not greater than 𝑟 generates a term 𝑥𝑛 with
coefficient +1 or −1. If 1 ≤ 𝑛 ≤ 𝑟, then any partition of 𝑛 can contain only terms not
greater than 𝑟. This means that for 𝑟 ≥ 𝑛, expanding (7.9.12) into a polynomial the
coefficient of 𝑥𝑛 is precisely 𝑒(𝑛) − 𝑜(𝑛) = 𝑣(𝑛).
Finally, we can deduce (7.9.11) taking the limit for 𝑟 → ∞. We leave the details to
the reader.
Theorem 7.9.3 and (7.9.11) imply that the generating functions of 𝑝(𝑛) and 𝑣(𝑛)
are reciprocals of each other:
∞ ∞
(7.9.14) (1 + ∑ 𝑝(𝑛)𝑥𝑛 )(1 + ∑ 𝑣(𝑛)𝑥𝑛 ) = 𝑃(𝑥)𝑉(𝑥) = 1.
𝑛=1 𝑛=1
 Exercises 7.9 261

Thus multiplying the two power series on the left-hand side of (7.9.14), the coefficient
of 𝑥𝑛 is 0 for every 𝑛 ≥ 1 so
(7.9.15) 𝑝(𝑛) + 𝑝(𝑛 − 1)𝑣(1) + 𝑝(𝑛 − 2)𝑣(2) + ⋯ + 𝑝(1)𝑣(𝑛 − 1) + 𝑣(𝑛) = 0.
Substituting the values 𝑣(𝑗) determined in Theorem 7.9.5 into (7.9.15), we obtain the
recursion
(7.9.16) 𝑝(𝑛) = 𝑝(𝑛 − 1) + 𝑝(𝑛 − 2) − 𝑝(𝑛 − 5) − 𝑝(𝑛 − 7) + 𝑝(𝑛 − 12) + . . .
We can observe from the right-hand side of (7.9.16) that the recursion contains only
about 2√2𝑛/3 terms, so we can use it to compute 𝑝(𝑛) effectively even for relatively
large values of 𝑛, e.g.
𝑝(200) = 3972999029388.

Exercises 7.9

1. Prove 𝑝(𝑛 + 1) ≤ 2𝑝(𝑛). When does equality hold?

2. Compute the limits
(a) lim (𝑝(𝑛 + 1) − 𝑝(𝑛))
𝑛→∞
(b) lim (𝑝(𝑛 + 1) − 2𝑝(𝑛)).
𝑛→∞

3. Which integers have an odd number of partitions into (pairwise) distinct terms?
4. What is the number of representations of 𝑛 as the sum of positive integers if we
consider two representations distinct if they differ in the order of terms?
5. Show that the number of partitions of 𝑛 into exactly 𝑟 terms is the same as the
number of partitions of 𝑛 − 𝑟 into at most 𝑟 terms.
6. Exhibit the generating function of ℎ𝑟 (𝑛) in Theorem 7.9.4.
7. (a) Let 𝑢(𝑛) be the number of partitions of 𝑛 into pairwise distinct positive inte-
gers, and 𝑤(𝑛) be the number of partitions into odd, but not necessarily dis-
tinct, positive integers. Prove 𝑢(𝑛) = 𝑤(𝑛).
(b) (Generalization of part (a).) Let 𝑢𝑘 (𝑛) be the number of partitions of 𝑛 where
no integer can occur 𝑘 times among the summands, and let 𝑤 𝑘 (𝑛) be the
number of partitions where none of the summands is a multiple of 𝑘. Then
𝑢𝑘 (𝑛) = 𝑤 𝑘 (𝑛).
8. Verify
∞ ∞
𝑥𝑟
∑ 𝑝(𝑛)𝑥𝑛 = ∑
𝑛=1 𝑟=1
(1 − 𝑥)(1 − 𝑥2 ) . . . (1 − 𝑥𝑟 )
for |𝑥| < 1/2.
** 9. Prove the identity
1
(−1)𝑘+1 𝑛, if 𝑛 = 2 (3𝑘2 ± 𝑘)
𝜎(𝑛) − 𝜎(𝑛 − 1) − 𝜎(𝑛 − 2) + 𝜎(𝑛 − 5) + 𝜎(𝑛 − 7) − ⋯ = {
0, otherwise.
 Chapter 8

Diophantine Approximation

In this chapter we investigate how close irrational numbers can be to rational num-
bers. The closeness is expressed in terms of the denominator 𝑠 of the approximating
fraction. It turns out that a typical irrational number can be best approximated to an
order of magnitude 1/𝑠2 . To handle the problem, we also use continued fractions and
Minkowski’s basic theorem in the geometry of numbers. Finally, we deal with the dis-
tribution of fractional parts of certain sequences. Diophantine approximation is related
to Pell’s equation (we used Theorem 8.1.1 in the proof of Theorem 7.8.1), and further
applications will appear in the next chapter.

8.1. Approximation of Irrational Numbers

The rational numbers are everywhere dense on the number line, so there are infinitely
many rational numbers in any arbitrarily small neighborhood of an irrational number.
In this chapter we deal with approximation in a stronger sense, when the difference
of the irrational number and the approximating fraction is small as a function of the
denominator of the fraction. We have the basic result:
Theorem 8.1.1. For any irrational number 𝛼, there exist infinitely many fractions 𝑟/𝑠
satisfying
|𝛼 − 𝑟| 1
(8.1.1) | < . ♣
𝑠 | 𝑠2
Remark: We always assume 𝑠 > 0 for the approximating rational number 𝑟/𝑠. It is
clear that if (8.1.1) holds for a fraction with (𝑟, 𝑠) > 1, then this is even more true for
the fraction 𝑟′ /𝑠′ in lowest terms obtained after cancellation (since 𝑠′ < 𝑠). On the
other hand, we can easily verify (see Exercise 8.1.2) that only finitely many forms 𝑟/𝑠
of the same rational number can satisfy (8.1.1). By the above, Theorem 8.1.1 and later
similar theorems remain equally valid whether we speak about infinitely many distinct
rational numbers 𝑟/𝑠, or infinitely many distinct fractional forms 𝑟/𝑠 (in the latter case
we count the different forms 𝑟/𝑠 of the same rational number as distinct). Similarly,

263
264 8. Diophantine Approximation

the assertion remains true also if we require (𝑟, 𝑠) = 1 for the approximating fractions
𝑟/𝑠.
To prove Theorem 8.1.1, we need
Theorem 8.1.2. Let 𝛼 be a real number and 𝑛 a positive integer. Then there exists at least
one fraction 𝑟/𝑠 satisfying
𝑟 1
(8.1.2) 1 ≤ 𝑠 ≤ 𝑛 and ||𝛼 − || < . ♣
𝑠 𝑛𝑠
Proof. The fractional part of a real number 𝑐 is {𝑐} = 𝑐 − ⌊𝑐⌋. For example, {3} = 0;
{2.9} = 0.9; {−2.9} = 0.1. Clearly, 0 ≤ {𝑐} < 1.
We consider the fractional parts
{𝛼}, {2𝛼}, . . . , {(𝑛 + 1)𝛼}.
They are in the interval [0, 1).
We partition the interval [0, 1) into 𝑛 subintervals of length 1/𝑛, each closed on the
left and open on the right. There are 𝑛 + 1 fractional parts {𝑗𝛼} and 𝑛 subintervals. By
the pigeonhole principle, there is a subinterval containing at least two fractional parts,
so the distance between them is less than 1/𝑛, so
1
(8.1.3) |{𝑗𝛼} − {𝑖𝛼}| <
𝑛
for some 1 ≤ 𝑖 < 𝑗 ≤ 𝑛 + 1. We can rewrite (8.1.3) as
1
(8.1.4) |(𝑗𝛼 − ⌊𝑗𝛼⌋) − (𝑖𝛼 − ⌊𝑖𝛼⌋)| = |(𝑗 − 𝑖)𝛼 − (⌊𝑗𝛼⌋ − ⌊𝑖𝛼⌋)| < .
𝑛
Let
𝑠 = 𝑗 − 𝑖 and 𝑟 = ⌊𝑗𝛼⌋ − ⌊𝑖𝛼⌋.
Then dividing (8.1.4) by 𝑠, we get the statement of the theorem. □

Proof of Theorem 8.1.1. Observe that 1 ≤ 𝑠 ≤ 𝑛 in (8.1.2) guarantees

|𝛼 − 𝑟 | < 1 ≤ 1 .
| 𝑠 | 𝑛𝑠 𝑠2
Applying Theorem 8.1.2 with 𝛼 and any positive integer 𝑛 = 𝑛1 , we get a fraction 𝑟1 /𝑠1
satisfying
|𝛼 − 𝑟1 | < 1 .
| 𝑠1 | 𝑠21
Now we repeat this step with a suitable 𝑛2 instead of 𝑛1 ; we obtain an approximating
fraction 𝑟2 /𝑠2 . We will show that 𝑟2 /𝑠2 is distinct from 𝑟1 /𝑠1 .
Since 𝛼 is irrational, 𝛼 − 𝑟1 /𝑠1 ≠ 0, thus we can choose 𝑛2 to satisfy
|𝛼 − 𝑟1 | > 1 .
| 𝑠1 | 𝑛2
By Theorem 8.1.2,
|𝛼 − 𝑟2 | < 1 ≤ 1 < |𝛼 − 𝑟1 |,
| 𝑠 2 | 𝑛2 𝑠 2 𝑛2 | 𝑠1 |
hence
𝑟2 𝑟
≠ 1.
𝑠2 𝑠1
Continuing the procedure, we get infinitely many distinct suitable fractions 𝑟 𝑖 /𝑠𝑖 . □
8.1. Approximation of Irrational Numbers 265

Remark: If 𝛼 is rational, then 𝛼 can be best approximated by itself, obviously. Despite

this, the question of approximation is not completely uninteresting even for rational
𝛼—e.g. we might need a good approximation with fractions having small denomina-
tors both for theoretical and practical purposes. In contrast with the order of magni-
tude 1/𝑠2 for irrational numbers, a rational 𝛼 can be best approximated, excluding 𝛼
itself from the approximating fractions, only with order of magnitude 𝑐/𝑠, where 𝑐 is a
constant depending on 𝛼 (see Exercise 8.1.1).

The next theorem is about the simultaneous approximation of more irrational

numbers with fractions having the same denominator:
Theorem 8.1.3. For any irrational numbers 𝛼1 , . . . , 𝛼𝑘 , there exist infinitely many ratio-
nal 𝑘-tuples with a common denominator
𝑟1𝑖 𝑟2𝑖 𝑟 𝑘𝑖
, , ... , , 𝑖 = 1, 2, . . .
𝑠𝑖 𝑠𝑖 𝑠𝑖
satisfying
𝑟𝑗𝑖 1
(8.1.5) |𝛼 − |< , 𝑗 = 1, 2, . . . , 𝑘, 𝑖 = 1, 2, . . . . ♣
| 𝑗 𝑠𝑖 | 1+
1
𝑠𝑖 𝑘

Theorem 8.1.3 can be verified similarly to the proof of Theorem 8.1.1; we require
now a 𝑘-dimensional version of Theorem 8.1.2:
Theorem 8.1.4. Let 𝛼1 , . . . , 𝛼𝑘 be real numbers and 𝑛 a positive integer. Then there exist
integers 𝑟1 , . . . , 𝑟 𝑘 , and 𝑠 satisfying
𝑟𝑗 1
1 ≤ 𝑠 ≤ 𝑛𝑘 and ||𝛼𝑗 − || < , 𝑗 = 1, 2, . . . , 𝑘. ♣
𝑠 𝑛𝑠
We leave the details of the proofs to the reader.
We state a sharper version of Theorem 8.1.1 without proof:
Theorem 8.1.5. For any irrational number 𝛼, there exist infinitely many fractions 𝑟/𝑠
satisfying
|𝛼 − 𝑟 | < 1 . ♣
| 𝑠 | √5𝑠2

We shall verify a slightly weaker statement with 2 instead of √5 by two different

methods in Sections 8.2 and 8.3.
Theorem 8.1.5 cannot be improved:

Theorem 8.1.6. Let 𝜀 > 0 be arbitrary and 𝛼 = (1 + √5)/2. Then only finitely many
fractions 𝑟/𝑠 can satisfy
|𝛼 − 𝑟| 1
(8.1.6) | < . ♣
𝑠 | (√5 + 𝜀)𝑠2

Proof. To achieve a contradiction, assume that (8.1.6) holds for infinitely many 𝑟/𝑠.
The distance between fractions with a given denominator 𝑠 is (at least) 1/𝑠, and 𝑠 ≥ 1
266 8. Diophantine Approximation

implies
1 2
> ,
𝑠 (√5 + 𝜀)𝑠2
so for a given 𝑠, (8.1.6) can be valid with at most one 𝑟.
Hence, there must occur arbitrarily large integers among the denominators of the
infinitely many fractions 𝑟/𝑠 satisfying (8.1.6).
As 𝛼 is a root of equation 𝑥2 − 𝑥 − 1 = 0, we have 𝛼(𝛼 − 1) = 1. This helps us to
eliminate the square root in 𝛼 on the left-hand side of (8.1.6):
𝑟 𝑟 𝑟 𝑟2 𝑟 𝑟2
(8.1.7) (𝛼 − )((𝛼 − 1) + ) = 𝛼(𝛼 − 1) + (𝛼 − (𝛼 − 1)) − 2 = 1 + − 2 .
𝑠 𝑠 𝑠 𝑠 𝑠 𝑠
The right-hand side of (8.1.7) is a fraction with denominator 𝑠2 which is not zero
as 𝛼 is irrational, so its absolute value is at least 1/𝑠2 . Then, by (8.1.7),
|𝛼 − 𝑟| | 𝑟| 1
(8.1.8) | ⋅ (𝛼 − 1) + ≥ .
𝑠| | 𝑠 | 𝑠2
By (8.1.6), 𝑟/𝑠 is close to 𝛼, thus the second factor on the left-hand side of (8.1.8) is
about 2𝛼 − 1 = √5, which contradicts (8.1.6). To see this precisely, we start with the
upper estimate
|(𝛼 − 1) + 𝑟| 𝑟 1
(8.1.9) | ≤ (2𝛼 − 1) + || − 𝛼|| < √5 + .
𝑠| 𝑠 √5𝑠2
For 𝑠 large enough,
1
< 𝜀,
√5𝑠2
thus (8.1.9) implies
|(𝛼 − 1) + 𝑟|
(8.1.10) | < √5 + 𝜀.
𝑠|
Combining (8.1.8) and (8.1.10), we get
|𝛼 − 𝑟| 1
| >
𝑠 | (√5 + 𝜀)𝑠2
for 𝑠 large enough, which contradicts (8.1.6). □

Theorem 8.1.6 shows that Theorems 8.1.5 and 8.1.1 express the right order of mag-
nitude of best approximation for irrational numbers, since some irrational numbers 𝛼
cannot be approximated substantially better than guaranteed by these theorems.
Now we show that Theorems 8.1.5 and 8.1.1 give the right order of magnitude of
best approximation for irrational numbers also in the following sense: only few irra-
tional numbers can be approximated much better. To get a precise meaning of “few”,
we introduce the notion of measure zero:
Definition 8.1.7. A subset 𝐻 of the real numbers has measure zero (or is of measure
zero), if to any 𝜀 > 0 there exist countably many intervals of total length less than 𝜀 so
that their union covers 𝐻. ♣
8.1. Approximation of Irrational Numbers 267

It is easy to see that the set of rational numbers and every countable set has measure
zero, but there exist also sets of measure zero that have the cardinality of the continuum
(see Exercise 8.1.9).
Theorem 8.1.8. Let 𝜅 > 0 be a real number and 𝐻 the set of real numbers 𝛼 to which
there are infinitely many 𝑟/𝑠 satisfying

(8.1.11) |𝛼 − 𝑟 | < 1 .
| 𝑠 | 𝑠2+𝜅
Then 𝐻 has measure zero. ♣

Proof. Let
𝐻𝑖 = 𝐻 ∩ [𝑖, 𝑖 + 1), 𝑖 = 0, ±1, ±2, . . . .
The approximation property (8.1.11) depends only on the fractional part of 𝛼, so any
two sets 𝐻𝑖 are congruent. Thus it is enough to show that 𝐻0 has measure zero, since
∞
𝐻= 𝐻𝑖 ,
⋃
𝑖=−∞

and the union of countably many sets of measure zero has measure zero (see Exer-
cise 8.1.10c).
For a given integer 𝑠 > 1, let 𝐴𝑠 be the set of real numbers 0 ≤ 𝛼 < 1 for which
(8.1.11) holds with some 𝑟. Clearly, 𝐴𝑠 consists of the points in [0, 1) belonging to the
open intervals of radius 1/𝑠2+𝜅 around the points
0 1 𝑠
, , ... , ,
𝑠 𝑠 𝑠
so
𝑠−1
𝑟 1 𝑟 1 1 1
(8.1.12) 𝐴𝑠 = ( ( − , + )) [0, ) (1 − 2+𝜅 , 1).
⋃ 𝑠 𝑠2+𝜅 𝑠 𝑠2+𝜅 ⋃ 𝑠2+𝜅 ⋃ 𝑠
𝑟=1

The total length of the intervals in 𝐴𝑠 is

2 1 2𝑠 2
(8.1.13) (𝑠 − 1) 2+𝜅 + 2 2+𝜅 = 2+𝜅 = 1+𝜅 .
𝑠 𝑠 𝑠 𝑠
If 𝛼 ∈ 𝐻0 , then, by the condition, 𝛼 ∈ 𝐴𝑠 for infinitely many 𝑠. This implies
∞
(8.1.14) 𝐻0 ⊆ 𝐴𝑠
⋃
𝑠=𝑚

for an arbitrary 𝑚. By (8.1.12), (8.1.13), and (8.1.14), 𝐻0 can be covered by countably

many intervals of total length
∞
2
(8.1.15) ∑ 1+𝜅
.
𝑠=𝑚
𝑠
The infinite series
∞
1
∑ 1+𝜅
𝑠=1
𝑠
is convergent, thus we can find for any 𝜀 > 0 an 𝑚 for which the sum in (8.1.15) is less
than 𝜀. Thus we have proved that 𝐻0 , and so 𝐻, have measure zero. □
268 8. Diophantine Approximation

Generalizing Theorem 8.1.8, we can examine the following question. Let 𝑓 be

a function defined on the positive integers assuming positive values so that 𝑓(𝑠)/𝑠 is
strictly increasing. Let 𝐻(𝑓) be the set of real numbers 𝛼 satisfying
|𝛼 − 𝑟 | < 1
| 𝑠 | 𝑠𝑓(𝑠)
for infinitely many 𝑟/𝑠. Similar to the proof of Theorem 8.1.8, it can be shown that if
∞
1
∑ <∞
𝑠=1
𝑓(𝑠)
then 𝐻(𝑓) has measure zero.
If, however,
∞
1
∑ =∞
𝑠=1
𝑓(𝑠)
then the situation turns upside down: 𝐻(𝑓) contains every real number apart from a
set of measure zero. The proof of this result is much more difficult.

Exercises 8.1

1. Let 𝛼 be a rational number 𝛼 = 𝑎/𝑏, where (𝑎, 𝑏) = 1 and 𝑏 > 0.

(a) Verify
𝑟 𝑎 𝑟 1
(8.1.16) ≠ ⟹ ||𝛼 − || ≥ .
𝑠 𝑏 𝑠 𝑏𝑠
(b) Show that the right-hand side of (8.1.16) holds with equality for infinitely
many fractions 𝑟/𝑠.
2. Equality (8.1.1) in Theorem 8.1.1 can be satisfied by more than one fractional form
𝑟/𝑠 of a rational number. Demonstrate that this cannot hold for infinitely many
forms 𝑟/𝑠 of the same rational number.
3. Let 𝛼 be an irrational number, and consider infinitely many fractions 𝑟 𝑖 /𝑠𝑖 satisfy-
ing
|𝛼 − 𝑟 𝑖 | < 1 , 𝑖 = 1, 2, . . . .
| 𝑠𝑖 | 𝑠2𝑖
Prove
(a) lim 𝑠𝑖 = ∞
𝑖→∞
𝑟𝑖
(b) lim = 𝛼.
𝑖→∞ 𝑠𝑖
4. Verify:
(a) For any real number 𝛼 there exist infinitely many integers 𝑟 and non-negative
integers 𝑘 satisfying
|𝛼 − 𝑟 | ≤ 1 .
| 2𝑘 | 3 ⋅ 2𝑘
Exercises 8.1 269

(b) There exits an 𝛼 such that

|𝛼 − 𝑟 | ≥ 1
| 2𝑘 | 3 ⋅ 2 𝑘
for every fraction 𝑟/2𝑘 .
(c) For any real number 𝛼 there exist infinitely many integers 𝑟 and non-negative
integers 𝑘 satisfying
|𝛼 − 𝑟 | ≤ 1 .
| 3𝑘 | 2 ⋅ 3𝑘
(d) There exists an 𝛼 such that
|𝛼 − 𝑟 | ≥ 1
| 3𝑘 | 2 ⋅ 3 𝑘
for every fraction 𝑟/3𝑘 .
(e) For any irrational 𝛼 > 0 there exist infinitely many fractions 𝑟2 /𝑠2 satisfying
2
|𝛼 − 𝑟 | < 𝑐(𝛼) ,
| 𝑠 |
2 𝑠2
where 𝑐(𝛼) is a constant depending on 𝛼.
(f) There exists an irrational 𝛼 > 0 and a constant 𝑐 > 0 such that
2
|𝛼 − 𝑟 | > 𝑐
| 𝑠2 | 𝑠2
for every fraction 𝑟2 /𝑠2 .
5. Prove that for any irrational number 𝛼 there exist infinitely many fractions 𝑟/𝑠 with
distinct numerators satisfying
𝑟 | 𝑐(𝛼)
|𝛼 −
| < 2 ,
𝑠| 𝑟
where 𝑐(𝛼) is a constant depending on 𝛼.
6. Find a constant 𝑐 > 0 such that
|√2 − 𝑟 | > 𝑐
| 𝑠 | 𝑠2
for every fraction 𝑟/𝑠.
7. Let 𝑡 > 1 be a real number. We say that a real number 𝛼 can be approximated to
exponential order 𝑡 if
|𝛼 − 𝑟 | < 𝑐(𝛼)
| 𝑠| 𝑠𝑡
holds for infinitely many fractions 𝑟/𝑠, where 𝑐(𝛼) is a constant depending on 𝛼.
Thus Theorem 8.1.1 implies that every irrational number can be approximated to
order 2, whereas real numbers that can be approximated to order greater than 2
form a set of measure zero.
Assume that the real number 𝛼 can be approximated to order 20.
Prove:
(a) The number 𝑎𝛼+𝑏 can be approximated to order 20 if 𝑎 ≠ 0 and 𝑏 are rational
numbers.
(b) The number 𝛼2 can be approximated to order 10.
270 8. Diophantine Approximation

8. Determine all possible values of the following expression as 𝛼 and 𝛽 assume all real
numbers independently:
(a) {𝛼} + {𝛽} − {𝛼 + 𝛽}
(b) {𝛼}{𝛽} − {𝛼𝛽}
S* (c) {𝛼}2 − {𝛼2 }.
9. (a) Show that every countable subset of the real numbers has measure zero.
* (b) Consider those real numbers between 0 and 1 that do not contain the digit 1 in
their ternary (base 3) representation (this is the so-called Cantor set). Verify
that this set has the cardinality of the continuum, but still has measure zero.
10. Prove:
(a) A subset of a set of measure zero has measure zero.
(b) The union of finitely many sets of measure zero has measure zero.
(c) The union of countably many sets of measure zero has measure zero.
(d) The union of more than countably many sets of measure zero may, but does
not necessarily, have measure zero.

8.2. Minkowski’s Theorem

We discuss an important theorem in the geometry of numbers and its applications.
Theorem 8.2.1 (Minkowski’s Theorem). Let 𝐿 be a parallelogram lattice in the plane
and let 𝐻 be a closed, convex region symmetric around a lattice point. Assume that the
area of 𝐻 is at least 4Δ, where Δ is the area of the fundamental parallelogram in the
lattice. Then 𝐻 contains a lattice point different from its center. ♣
Remarks: (1) It is easy to check that the conditions of the theorem are necessary.
(2) We may assume that 𝐻 is bounded. It can be shown that any unbounded convex
set can have area only zero or infinity. In the latter, intersecting 𝐻 by a (closed)
circle around its center and with a sufficiently large radius, we get a bounded,
closed, convex region symmetric around a lattice point with area at least 4Δ.
(3) For a generalization in higher dimensions and for sets of larger area, see Exercises
8.2.1 and 8.2.2.

We present two proofs of Minkowski’s theorem. We denote the center of symmetry

of 𝐻 by 𝑂, and the area of 𝐻 by ℎ.

First proof. We consider first the case when ℎ > 4Δ.

We shrink the lattice 𝐿 by the ratio 2/𝑘 from point 𝑂, where 𝑘 is a large integer. Let
𝑁(𝑘) be the number of lattice points in the resulting lattice 𝐿𝑘 that are elements of 𝐻.
The area of the fundamental parallelogram of 𝐿𝑘 is 4Δ/𝑘2 , so the area of 𝐻 is
4Δ
(8.2.1) ℎ = lim 𝑁(𝑘) 2 .
𝑘→∞ 𝑘
Since ℎ > 4Δ, we get from (8.2.1) that 𝑁(𝑘) > 𝑘2 for 𝑘 large enough.
8.2. Minkowski’s Theorem 271

Consider the generally skew coordinate system with origin 𝑂 and axes parallel to
the sides of the fundamental parallelogram. Then the lattice points in 𝐿 have coordi-
nates (𝑖𝑎, 𝑗𝑏), and the lattice points in 𝐿𝑘 have coordinates
2𝑖 2𝑗
𝑎, 𝑏),
(
𝑘 𝑘
where 𝑎 and 𝑏 are the side lengths of the fundamental parallelogram in 𝐿 and 𝑖 and 𝑗
are arbitrary integers.
Since the pairs (𝑖, 𝑗) can give 𝑘2 residues on division by 𝑘 and 𝑁(𝑘) > 𝑘2 , the pi-
geonhole principle guarantees the existence of two distinct lattice points
2𝑖1 2𝑗1 2𝑖2 2𝑗2
𝑄1 = ( 𝑎, 𝑏) and 𝑄2 = ( 𝑎, 𝑏),
𝑘 𝑘 𝑘 𝑘
in 𝐿𝑘 satisfying
(8.2.2) 𝑘 ∣ 𝑖 1 − 𝑖2 and 𝑘 ∣ 𝑗1 − 𝑗2 .
As 𝐻 is symmetric about 𝑂, the mirror image
−2𝑖2 −2𝑗2
𝑄′2 = ( 𝑎, 𝑏)
𝑘 𝑘
of 𝑄2 is in 𝐻, and by convexity, the midpoint
2𝑖1 − 2𝑖2 2𝑗1 − 2𝑗2
𝐹=( 𝑎, 𝑏)
2𝑘 2𝑘
of the segment 𝑄1 𝑄′2 belongs to 𝐻. The divisibilities (8.2.2) imply 𝐹 = (𝑟𝑎, 𝑠𝑏) with
some integers 𝑟 and 𝑠, so 𝐹 is a lattice point in the original 𝐿. Since 𝑄1 ≠ 𝑄2 , 𝐹 ≠ 𝑂.
Thus we have proved that 𝐻 contains a lattice point of 𝐿 different from 𝑂.
We still have to verify the case ℎ = 4Δ. For a proof by contradiction, we assume
that the center 𝑂 is the only lattice point of 𝐿 in 𝐻. Let 𝑚 be the minimum of the
distances of lattice points 𝑃 ≠ 𝑂 from 𝐻. Since 𝐻 is closed, we have 𝑚 > 0. Thus we
can magnify 𝐻 so that even the resulting 𝐻 ′ contains no lattice point besides 𝑂. But
this is impossible because the area of 𝐻 ′ is greater than 4Δ. □

Second proof. We verify first a lemma which expresses an intuitively obvious fact: If
translating a bounded set in the plane with all lattice vectors we obtain pairwise disjoint
copies, then the area of the set cannot be greater than the area of the fundamental
parallelogram in the lattice.
Lemma 8.2.2. Let Δ be the area of the fundamental parallelogram in the lattice 𝐿 and 𝑡
the area of a bounded set 𝐾 in the plane. For a fixed lattice point 𝑂 and an arbitrary lattice
point 𝑃, let 𝐾𝑃 denote the copy of 𝐾 translated by the vector 𝑂𝑃, so 𝐾𝑂 = 𝐾. Assume that
the sets 𝐾𝑃 are disjoint. Then 𝑡 ≤ Δ. ♣

Proof. The essence of the proof is the observation: We enlarge the fundamental par-
allelogram (in all directions) by a large 𝑟, and place the resulting parallelogram 𝑀 so
that 𝑂 should be approximately in the center of 𝑀. Then the translated copies of 𝐾
by lattice points in 𝑀 cannot go much beyond 𝑀, so the total area of the translated
copies, which is about 𝑟2 𝑡, cannot be much bigger than the area of 𝑀, which is 𝑟2 Δ.
The statement now follows by taking the limit for 𝑟 → ∞.
272 8. Diophantine Approximation

Let us see all this precisely and in detail. Consider the generally skew coordinate
system, used already in the first proof of Theorem 8.2.1, with origin 𝑂 and axes parallel
to the sides of the fundamental parallelogram. Then the coordinates of lattice points
in 𝐿 are (𝑖𝑎, 𝑗𝑏), where 𝑎 and 𝑏 are the side lengths of the fundamental parallelogram
and 𝑖 and 𝑗 are arbitrary integers.
Let 𝑛 be an arbitrary integer and consider the (2𝑛 + 1)2 lattice points 𝑃𝑖𝑗 = (𝑖𝑎, 𝑗𝑏)
with |𝑖| ≤ 𝑛 and |𝑗| ≤ 𝑛. Let 𝑈𝑛 denote the union of the sets 𝐾𝑃 belonging to these
points 𝑃𝑖𝑗 . Then the area of 𝑈𝑛 is (2𝑛 + 1)2 𝑡. As 𝐾 is bounded, the coordinates of every
point in 𝐾 are less in absolute value than 𝑐𝑎 and 𝑐𝑏, with a suitable constant 𝑐 > 0.
Then 𝑈𝑛 is contained in a parallelogram 𝐺𝑛 where the coordinates of vertices are
(±𝑎(𝑛 + 𝑐), ±𝑏(𝑛 + 𝑐)),
so the area of 𝐺𝑛 is (2𝑛 + 2𝑐)2 Δ. Being a subset, the area of 𝑈𝑛 is not greater than the
area of 𝐺𝑛 , so
(2𝑛 + 1)2 𝑡 ≤ (2𝑛 + 2𝑐)2 Δ.
This implies
2𝑐 − 1 2
𝑡 ≤ (1 + ) Δ.
2𝑛 + 1
Taking the limit as 𝑛 → ∞, we obtain the desired inequality 𝑡 ≤ Δ. □

Turning to the proof of Theorem 8.2.1, it is sufficient to consider the case ℎ > 4Δ.
We shrink 𝐻 from 𝑂 by half and denote the resulting set by 𝐾. By the condition, the
area of 𝐾 is 𝑡 = ℎ/4 > Δ, so by Lemma 8.2.2, there exist two distinct lattice points 𝑄 and
𝑅 for which 𝐾𝑄 and 𝐾𝑅 share a common point. A translation by the vector 𝑄𝑂 maps
this common point into a common point 𝐴 of 𝐾𝑂 = 𝐾 and 𝐾𝑃 with a suitable lattice
point 𝑃 other than 𝑂. We show that 𝑃 is an element of 𝐻, thus proving the statement
of the theorem.
Let 𝐵 be the translate of 𝐴 by the vector 𝑃𝑂, 𝐶 the reflected image of 𝐵 through 𝑂,
and 𝐷 the midpoint of segment 𝐴𝐶.
Since 𝐴 ∈ 𝐾𝑃 , 𝐵 ∈ 𝐾. By the symmetry of 𝐾, 𝐶 ∈ 𝐾. As both 𝐴 and 𝐶 are in 𝐾, by
convexity, their midpoint 𝐷 is in 𝐾.
By the construction, 𝑃𝐴𝑂𝐶 is a parallelogram, since sides 𝑂𝐶 and 𝐴𝑃 are parallel
and equal. Therefore 𝐷 is the midpoint of the diagonal 𝑂𝑃, and the twofold magnifica-
tion around 𝑂 maps 𝐷 into 𝑃. Since this magnification takes 𝐾 into 𝐻, and 𝐷 is in 𝐾, 𝑃
must be in 𝐻. Thus we have proved that 𝐻 contains the lattice point 𝑃 different from
𝑂. □

We apply Minkowski’s theorem in Diophantine approximation to improve Theo-

rem 8.1.1.

Theorem 8.2.3. For any irrational number 𝛼, there exist infinitely many fractions 𝑟/𝑠
satisfying

(8.2.3) |𝛼 − 𝑟 | < 1 . ♣
| 𝑠 | 2𝑠2
8.2. Minkowski’s Theorem 273

Proof. For 𝑠 ≠ 0, (8.2.3) is equivalent to

1
(8.2.4) 𝑠(𝑠𝛼 − 𝑟)| < .
2
We introduce the new variables
𝑥 = 𝑠𝛼 − 𝑟, 𝑦 = 𝑠.
If 𝑟 and 𝑠 assume integer values independently, then the points (𝑥, 𝑦) form a lattice
where the vertices of the fundamental parallelogram are
(8.2.5) (0, 0), (−1, 0), (𝛼, 1), (𝛼 − 1, 1).
For the new variables, (8.2.4) implies |𝑥𝑦| < 1/2. So we are looking for lattice points
(𝑥, 𝑦) in the region having the hyperbolas 𝑥𝑦 = 1/2 and 𝑥𝑦 = −1/2 as boundaries, and
containing the origin. The equality 𝑥𝑦 = ±1/2 cannot hold for a lattice point since 𝛼 is
irrational, hence we can replace < in (8.2.3) and (8.2.4) by ≤. Thus we can extend the
region with its boundary, and we shall deal with the arising closed set 𝑍 in the sequel.
The condition 𝑠 ≠ 0 means that we do not count the lattice points on the 𝑥-axis.
In the fundamental parallelogram (8.2.5) both the horizontal side and the height
have unit length, so the area of the fundamental parallelogram is Δ = 1.
As 𝑍 is not convex (and is not bounded either), we cannot apply Minkowski’s the-
orem directly to 𝑍. Instead, we shall consider suitable convex subsets of 𝑍, namely
rhombuses touching the four branches of the hyperbolas and with vertices on the axes
of the hyperbolas. These rhombuses are convex, closed sets symmetric around the ori-
gin.
We show that each such rhombus has area 4. If the rhombus touches the branch
of hyperbola in the first quadrant at (𝑎, 1/(2𝑎)), then the equation of the tangent line is
1 −1
𝑦− = 2 (𝑥 − 𝑎).
2𝑎 2𝑎
This line intersects the coordinate axes at points 𝑥 = 2𝑎 and 𝑦 = 1/𝑎. Thus the right
1
triangle with the origin and these two points as vertices has area 2 (2𝑎)(1/𝑎) = 1. The
rhombus consists of four such triangles, so its area is 4.
Since the area is 4 = 4Δ, by Minkowski’s theorem, every such rhombus contains a
lattice point besides the origin.
Choose the rhombuses to be narrower and narrower in the direction of the 𝑦-axis.
Thus we can require that each subsequent rhombus does not contain any of the non-
trivial lattice points in the previous ones, and it does not contain any lattice point on
the 𝑥-axis apart from the origin. Thus we obtain infinitely many suitable lattice points,
and the usual condition 𝑠 > 0 can be granted by central symmetry. □

As another application of Minkowski’s theorem, we present a new proof for the

part of Theorem 7.5.1 stating that every prime 𝑝 > 0 of the form 4𝑘 + 1 is the sum of
two squares.
Theorem 8.2.4. Every prime 𝑝 > 0 of the form 4𝑘 + 1 can be represented as a sum of
two squares. ♣
274 8. Diophantine Approximation

Proof. By Theorem 4.1.4, 𝑐2 ≡ −1 (mod 𝑝) with a suitable integer 𝑐.

Consider the points on the plane with coordinates
(8.2.6) 𝑥 = 𝑝𝑢 + 𝑐𝑣, 𝑦 = 𝑣,
where 𝑢 and 𝑣 assume integer values independently. These points form a lattice where
the area of the fundamental parallelogram is Δ = 𝑝.
For any lattice point,
𝑥2 + 𝑦2 = (𝑝𝑢 + 𝑐𝑣)2 + 𝑣2 = 𝑝(𝑝𝑢2 + 2𝑐𝑢𝑣) + 𝑣2 (𝑐2 + 1) ≡ 0 (mod 𝑝) ,
so 𝑝 ∣ 𝑥2 + 𝑦2 . This means that if 𝑥2 + 𝑦2 < 2𝑝 for some lattice point different from the
origin, then 𝑥2 + 𝑦2 = 𝑝.
We apply Minkowski’s theorem for the closed circle 𝑥2 + 𝑦2 ≤ 4𝑝/𝜋 around the
origin having area 4𝑝 = 4Δ. Thus this circle contains a lattice point (𝑥, 𝑦) different
from the origin. For this lattice point, we have
4𝑝
𝑥2 + 𝑦2 ≤ < 2𝑝. □
𝜋
We note that a similar but much more complex application of the three-dimension-
al version of Minkowski’s theorem (see Exercise 8.2.1a) leads to the proof of the hard
part of the Three Squares Theorem 7.5.2 stated there without proof (we have to rely
also on Dirichlet’s theorem about primes in arithmetic progressions).
For some further applications of Minkowski’s theorem, see Exercises 8.2.3–8.2.5.

Exercises 8.2
1. (a) Prove Minkowski’s theorem in space: Let 𝐿 be any parallelepiped lattice in the
space and 𝐻 a closed, convex set symmetric around a lattice point. Assume
that the volume of 𝐻 is at least 8Δ, where Δ is the volume of the fundamental
parallelepiped in the lattice. Then 𝐻 contains a lattice point different from its
center.
(b) Generalize the theorem for arbitrary dimensions.
2. Verify the following generalization of Minkowski’s theorem: If 𝐿 and 𝐻 meet the
requirements of Theorem 8.2.1 and the area of 𝐻 is at least 4𝑟Δ for some integer
𝑟 > 0, then 𝐻 contains at least 2𝑟 lattice points besides its center.
3. Prove that every positive prime of the form 3𝑘 + 1 can be written as 𝑥2 + 3𝑦2 with
suitable integers 𝑥 and 𝑦.
4. Let 𝑎11 , 𝑎12 , 𝑎21 , and 𝑎22 be integers satisfying
𝑎 𝑎12
𝐷 = [ 11 ] ≠ 0.
𝑎21 𝑎22
Prove that if 𝑏1 𝑏2 ≥ |𝐷| for the positive (real) numbers 𝑏1 and 𝑏2 , then the system
of inequalities
|𝑎11 𝑥1 + 𝑎12 𝑥2 | ≤ 𝑏1 , |𝑎21 𝑥1 + 𝑎22 𝑥2 | ≤ 𝑏2
has a non-trivial, i.e (𝑥1 , 𝑥2 ) ≠ (0, 0), solution in integers.
 8.3. Continued Fractions 275

* 5. Verify that for any irrational numbers 𝛼1 and 𝛼2 there exist infinitely many pairs
𝑟1 /𝑠, 𝑟2 /𝑠 of rational numbers with a common denominator satisfying

𝑟𝑗
|𝛼 − |< 2⋅ 1 , 𝑗 = 1, 2.
| 𝑗 𝑠 | 3 𝑠3/2

8.3. Continued Fractions

For any real number 𝛼, consider the following algorithm. Let

(8.3.1) 𝑐 0 = ⌊𝛼⌋ and 𝛼1 = {𝛼}, then 𝛼 = 𝑐 0 + 𝛼1 .

If 𝛼1 ≠ 0, then let

1 1 1
𝑐1 = ⌊ ⌋ and 𝛼2 = { }, then 𝛼 = 𝑐 0 + 𝛼1 = 𝑐 0 + .
𝛼1 𝛼1 𝑐 1 + 𝛼2

If 𝛼2 ≠ 0, then we form the floor and fractional part of 1/𝛼2 , etc. In general, if 𝑐 0 , 𝑐 1 ,
. . . , 𝑐𝑛 and 𝛼1 , . . . , 𝛼𝑛+1 have already been determined and 𝛼𝑛+1 ≠ 0, then let

1 1
(8.3.2) 𝑐𝑛+1 = ⌊ ⌋ and 𝛼𝑛+2 = { },
𝛼𝑛+1 𝛼𝑛+1

so

1
(8.3.3) 𝛼 = 𝑐0 + .
1
𝑐1 +
1
𝑐2 +
1
⋱ 𝑐𝑛 + 𝑐𝑛+1 +𝛼𝑛+2

We call the multiple-decked fraction on the right-hand side of (8.3.3) a (finite) con-
tinued fraction, and for convenience, we denote it by 𝐶(𝑐 0 , 𝑐 1 , . . . , 𝑐𝑛 , 𝑐𝑛+1 + 𝛼𝑛+2 ).
We shall sometimes apply this notation for the right-hand side of (8.3.3) even if the
numbers 𝑐 𝑖 are not integers.)
If 𝛼𝑛+1 = 0, the algorithm terminates.
The integers 𝑐 0 , 𝑐 1 , . . . are called the digits in the continued fraction expansion of 𝛼.

Definition 8.3.1. By the continued fraction digits of a real number 𝛼, we mean the
(finite or infinite) sequence 𝑐 0 , 𝑐 1 , . . . defined by (8.3.1) and (8.3.2). ♣

It is clear from the definition that the digits are uniquely determined integers and
𝑐 𝑖 > 0 for 𝑖 ≥ 1.
276 8. Diophantine Approximation

Examples. E1 Let 𝛼 = 111/25. Then

111 11
=4+ , 𝑐0 = 4
25 25
25 3
=2+ , 𝑐1 = 2
11 11
11 2
=3+ , 𝑐2 = 3
3 3
3 1
=1+ , 𝑐3 = 1
2 2
2
= 2 + 0, 𝑐 4 = 2.
1
Thus the digits in the continued fraction expansion of 111/25 are 4, 2, 3, 1, 2. This
means also
111 1
= 𝐶(4, 2, 3, 1, 2) = 4 + .
25 1
2+
1
3+
1
1+
2
E2 Let 𝛼 = √2. Then
√2 = =1 + (√2 − 1), 𝑐0 = 1
1
= √2 + 1=2 + (√2 − 1), 𝑐1 = 2
√2 − 1
1
= √2 + 1=2 + (√2 − 1), 𝑐2 = 2
√2 − 1
⋮

Hence the continued fraction digits of √2 are 1, 2, 2, 2, . . . We introduce the (so far
formal) notation √2 = 𝐶(1, 2, 2, . . . ) and call this an infinite continued fraction.

Theorem 8.3.2. The sequence of continued fraction digits of 𝛼 is finite if and only if 𝛼 is
a rational number. ♣

Proof. Let the sequence of continued fraction digits be finite, so 𝛼 = 𝐶(𝑐 0 , 𝑐 1 , . . . , 𝑐 𝑘 )

for suitable integers 𝑐 𝑖 . Then condensing the multiple-decked fraction, we get 𝛼 as the
quotient of two integers, so 𝛼 is rational.
Conversely, let 𝛼 = 𝑎/𝑏, where 𝑏 > 0 and 𝑎 are integers. We show that the steps
defining the continued fraction digits correspond to the steps of the Euclidean algo-
rithm for 𝑎 and 𝑏. This means that the algorithm yielding the continued fraction digits
terminates in finitely many steps.
The first step in the Euclidean algorithm is a division of 𝑎 by 𝑏:
𝑎 = 𝑏𝑞1 + 𝑟1 , 0 ≤ 𝑟1 < 𝑏.
8.3. Continued Fractions 277

We can rewrite it as
𝑎 𝑟 𝑎 𝑎
= 𝑞1 + 1 = ⌊ ⌋ + { }
𝑏 𝑏 𝑏 𝑏
so, using the notation of the continued fraction algorithm 𝑐 0 = 𝑞1 and 𝛼1 = 𝑟1 /𝑏.
If 𝑟1 ≠ 0, then the next step in the Euclidean algorithm is
𝑏 = 𝑟1 𝑞2 + 𝑟2 , 0 ≤ 𝑟2 < 𝑟1 ,
i.e.
1 𝑏 𝑟 𝑏 𝑏
= = 𝑞2 + 2 = ⌊ ⌋ + { },
𝛼1 𝑟1 𝑟1 𝑟1 𝑟1
thus 𝑐 1 = 𝑞2 and 𝛼2 = 𝑟2 /𝑟1 .
We obtain the same way that also the further continued fraction digits are the quo-
tients occurring in the Euclidean algorithm. □

In the sequel we assume that 𝛼 is irrational and use continued fractions to exhibit
rational numbers approximating 𝛼 well. They will be the initial finite sections of the in-
finite continued fraction expansion of 𝛼, i.e., the finite continued fractions formed from
the first 𝑛 + 1 continued fraction digits for 𝑛 ≥ 0. We denote these rational numbers
by 𝐶𝑛 (𝛼), so if 𝛼 = 𝐶(𝑐 0 , 𝑐 1 , . . . ), then
(8.3.4) 𝐶𝑛 (𝛼) = 𝐶(𝑐 0 , 𝑐 1 , . . . , 𝑐𝑛 ), 𝑛 = 0, 1, 2, . . . .
Theorem 8.3.3. Let 𝑐 0 , 𝑐 1 , . . . be the continued fraction digits of an irrational number
𝛼, and
𝑟
(8.3.5) 𝐶𝑛 (𝛼) = 𝐶(𝑐 0 , 𝑐 1 , . . . , 𝑐𝑛 ) = 𝑛 , where (𝑟𝑛 , 𝑠𝑛 ) = 1, 𝑠𝑛 > 0.
𝑠𝑛
Then
(8.3.6) |𝛼 − 𝑟𝑛 | < 1
| 𝑠𝑛 | 𝑠2𝑛
for any 𝑛. Moreover, if 𝑛 > 0, then at least one of the inequalities

(8.3.7) |𝛼 − 𝑟𝑛 | < 1 , |𝛼 − 𝑟𝑛+1 | < 1

| 𝑠𝑛 | 2 | 𝑠𝑛+1 | 2𝑠2𝑛+1
2𝑠𝑛
holds. ♣
Remarks: (1) Clearly, Theorem 8.3.3 contains the statements of Theorems 8.1.1 and
8.2.3. Besides showing the existence of good approximating fractions, it gives a
practical algorithm to find them.
(2) It can be shown that all rational numbers providing a really good approximation
are among the fractions 𝑟𝑛 /𝑠𝑛 in (8.3.5): If
|𝛼 − 𝑟 | < 1
| 𝑠 | 2𝑠2
(so 𝑟/𝑠 approximates 𝛼 to the order of magnitude in Theorem 8.2.3), then 𝑟/𝑠 must
be equal to some 𝑟𝑛 /𝑠𝑛 .
(3) We can use continued fractions to prove Theorem 8.1.5, stated there without proof.
By similar but more complex arguments than applied below to verify Theorem
8.3.3, it can be shown that at least one of any three consecutive continued frac-
tions 𝐶𝑛 (𝛼) satisfies the approximation in Theorem 8.1.5.
278 8. Diophantine Approximation

(4) Using Exercise 8.1.3a, Theorem 8.3.3 implies

lim 𝐶𝑛 (𝛼) = 𝛼, or lim 𝐶(𝑐 0 , . . . , 𝑐𝑛 ) = 𝐶(𝑐 0 , 𝑐 1 , . . . ).

𝑛→∞ 𝑛→∞

This gives a natural meaning to the (till now formal) expression “infinite contin-
ued fraction” 𝛼 = 𝐶(𝑐 0 , 𝑐 1 , . . . ).

To prove Theorem 8.3.3, we need

Lemma 8.3.4. Let 𝑐 0 , 𝑐 1 , 𝑐 2 , . . . be arbitrary real numbers, where 𝑐 𝑖 > 0 for 𝑖 ≥ 1, and
form the

(8.3.8a) 𝑟0 = 𝑐 0 , 𝑟1 = 𝑐 1 𝑐 0 + 1, 𝑟𝑛 = 𝑐𝑛 𝑟𝑛−1 + 𝑟𝑛−2 ,

(8.3.8b) 𝑠0 = 1, 𝑠1 = 𝑐 1 , 𝑠𝑛 = 𝑐𝑛 𝑠𝑛−1 + 𝑠𝑛−2 .

Then
𝑟𝑛
(8.3.9) 𝐶(𝑐 0 , 𝑐 1 , . . . , 𝑐𝑛 ) =
𝑠𝑛

and

𝑟𝑛 𝑟 (−1)𝑛−1
(8.3.10) − 𝑛−1 = (𝑛 ≥ 1).
𝑠𝑛 𝑠𝑛−1 𝑠𝑛−1 𝑠𝑛

If the numbers 𝑐𝑛 are integers, then so are also 𝑟𝑛 and 𝑠𝑛 , further (𝑟𝑛 , 𝑠𝑛 ) = 1, and 𝑠𝑛+1 >
𝑠𝑛 for 𝑛 > 0. ♣

Remark: It follows from Lemma 8.3.4 that the sequences 𝑟𝑛 and 𝑠𝑛 defined by (8.3.5)
in Theorem 8.3.3 satisfy recursion (8.3.8a)–(8.3.8b), so the notations 𝑐𝑛 , 𝑟𝑛 , and 𝑠𝑛 in
Lemma 8.3.4 and Theorem 8.3.3 are in harmony.

Proof. I. We prove (8.3.9) by induction on 𝑛.

In the cases 𝑛 = 0, 1, and 2,
𝑐0 𝑟0
𝐶(𝑐 0 ) = 𝑐0 = =
1 𝑠0
1 𝑐 𝑐 +1 𝑟
𝐶(𝑐 0 , 𝑐 1 ) = 𝑐0 + = 1 0 = 1
𝑐1 𝑐1 𝑠1
𝑐 𝑐 𝑐 + 𝑐2 + 𝑐0 𝑐 𝑟 + 𝑟0 𝑟
𝐶(𝑐 0 , 𝑐 1 , 𝑐 2 ) = 2 1 0 = 21 = 2
𝑐2𝑐1 + 1 𝑐 2 𝑠1 + 𝑠 0 𝑠2

So (8.3.9) holds.
Assume now that (8.3.9) is true for 𝑛 = 𝑚 ≥ 2, so
𝑟𝑚 𝑐 𝑟 +𝑟
𝐶(𝑐 0 , 𝑐 1 , . . . , 𝑐𝑚 ) = = 𝑚 𝑚−1 𝑚−2 ,
𝑠𝑚 𝑐𝑚 𝑠𝑚−1 + 𝑠𝑚−2
8.3. Continued Fractions 279

where 𝑟𝑚−1 , 𝑠𝑚−1 , 𝑟𝑚−2 , and 𝑠𝑚−2 depend only on 𝑐 0 , . . . , 𝑐𝑚−1 . Then
1
𝐶(𝑐 0 , . . . , 𝑐𝑚−1 , 𝑐𝑚 , 𝑐𝑚+1 ) = 𝐶(𝑐 0 , . . . , 𝑐𝑚−1 , 𝑐𝑚 + )
𝑐𝑚+1
1
(𝑐𝑚 + )𝑟
𝑐𝑚+1 𝑚−1
+ 𝑟𝑚−2
=
1
(𝑐𝑚 + )𝑠 + 𝑠𝑚−2
𝑐𝑚+1 𝑚−1
𝑐𝑚+1 (𝑐𝑚 𝑟𝑚−1 + 𝑟𝑚−2 ) + 𝑟𝑚−1
=
𝑐𝑚+1 (𝑐𝑚 𝑠𝑚−1 + 𝑠𝑚−2 ) + 𝑠𝑚−1
𝑐𝑚+1 𝑟𝑚 + 𝑟𝑚−1
=
𝑐𝑚+1 𝑠𝑚 + 𝑠𝑚−1
𝑟
= 𝑚+1
𝑠𝑚+1
so (8.3.9) holds also for 𝑛 = 𝑚 + 1.
II. We now verify (8.3.10). By (8.3.8a)–(8.3.8b),
𝑟𝑛 𝑠𝑛−1 − 𝑟𝑛−1 𝑠𝑛 = (𝑐𝑛 𝑟𝑛−1 + 𝑟𝑛−2 )𝑠𝑛−1 − 𝑟𝑛−1 (𝑐𝑛 𝑠𝑛−1 + 𝑠𝑛−2 )
= −(𝑟𝑛−1 𝑠𝑛−2 − 𝑟𝑛−2 𝑠𝑛−1 ).
Repeating this step for 𝑛 − 1, 𝑛 − 2, . . . , 2 instead of 𝑛, we obtain
(8.3.11) 𝑟𝑛 𝑠𝑛−1 − 𝑟𝑛−1 𝑠𝑛 = (−1)𝑛−1 (𝑟1 𝑠0 − 𝑟0 𝑠1 ) = (−1)𝑛−1 .
Dividing by 𝑠𝑛 𝑠𝑛−1 , we get (8.3.10).
III. In the case when every 𝑐 𝑖 is an integer, all but one of the statements are obvious
from the conditions, and (𝑟𝑛 , 𝑠𝑛 ) = 1 follows from (8.3.11). □

Proof of Theorem 8.3.3. As mentioned before, Lemma 8.3.4 implies that sequences
𝑟𝑛 and 𝑠𝑛 defined by (8.3.5) satisfy (8.3.8a)–(8.3.8b).
In the sequel we shall use that 𝛼 itself can be written as a finite continued fraction:
by (8.3.3),
(8.3.12) 𝛼 = 𝐶(𝑐 0 , 𝑐 1 , . . . , 𝑐𝑛 , 𝑐𝑛+1 + 𝛼𝑛+2 )
for any 𝑛, where 0 < 𝛼𝑛+2 < 1 by (8.3.2) and the irrationality of 𝛼.
To estimate the difference 𝛼 − 𝑟𝑛 /𝑠𝑛 , we shall apply Lemma 8.3.4 for 𝑐 0 , 𝑐 1 , . . . , 𝑐𝑛 ,
′
and 𝑐𝑛+1 = 𝑐𝑛+1 + 𝛼𝑛+2 (instead of 𝑐𝑛+1 ), and stop. Then we get
′
𝑟0 , 𝑟1 , . . . , 𝑟𝑛 , 𝑟𝑛+1 and 𝑠0 , 𝑠1 , . . . , 𝑠𝑛 , 𝑠′𝑛+1 ,
from (8.3.8a)–(8.3.8b), where
′ ′
𝑟𝑛+1 = 𝑐𝑛+1 𝑟𝑛 + 𝑟𝑛−1 = (𝑐𝑛+1 + 𝛼𝑛+2 )𝑟𝑛 + 𝑟𝑛−1 ,
𝑠′𝑛+1 = 𝑐𝑛+1
′
𝑠𝑛 + 𝑠𝑛−1 = (𝑐𝑛+1 + 𝛼𝑛+2 )𝑠𝑛 + 𝑠𝑛−1
280 8. Diophantine Approximation

for 𝑛 ≥ 1. By (8.3.12), (8.3.9), and (8.3.4),

′
𝑟𝑛+1 𝑟𝑛
𝛼= and 𝐶𝑛 (𝛼) = .
𝑠′𝑛+1 𝑠𝑛
Applying (8.3.10), we obtain
𝑟𝑛 𝑟′ 𝑟 (−1)𝑛
(8.3.13) 𝛼− = 𝑛+1
′ − 𝑛 = .
𝑠𝑛 𝑠𝑛+1 𝑠𝑛 𝑠𝑛 𝑠′𝑛+1
Since 𝑠′𝑛+1 > 𝑠𝑛 , (8.3.13) implies (8.3.6).
To verify (8.3.7) by contradiction, assume
|𝛼 − 𝑟𝑛 | ≥ 1 𝑟 1
(8.3.14) | and ||𝛼 − 𝑛+1 || ≥ 2 .
𝑠𝑛 | 2𝑠2𝑛 𝑠𝑛+1 2𝑠𝑛+1
By (8.3.13), the differences 𝛼 − 𝑟𝑛 /𝑠𝑛 and 𝛼 − 𝑟𝑛+1 /𝑠𝑛+1 have opposite signs, so 𝛼 is
between the fractions 𝑟𝑛 /𝑠𝑛 and 𝑟𝑛+1 /𝑠𝑛+1 . Accordingly,
(8.3.15) |𝛼 − 𝑟𝑛 | + |𝛼 − 𝑟𝑛+1 | = | 𝑟𝑛 − 𝑟𝑛+1 |.
| 𝑠𝑛 | | 𝑠𝑛+1 | | 𝑠𝑛 𝑠𝑛+1 |
We estimate the left-hand side of (8.3.15) using (8.3.14), and replace the right-hand side
by 1/(𝑠𝑛 𝑠𝑛+1 ) based on (8.3.10), so
1 1 1
(8.3.16) + ≤ so (𝑠𝑛+1 − 𝑠𝑛 )2 ≤ 0.
2𝑠2𝑛 2𝑠2𝑛+1 𝑠𝑛 𝑠𝑛+1
But (8.3.16) cannot hold since 𝑠𝑛+1 > 𝑠𝑛 for 𝑛 > 0, and we have reached a contradiction.
□

Exercises 8.3

1. Compute the continued fraction digits of the following numbers:

(a) 53/11
(b) √3
(c) √5
(d) (1 + √5)/2.
2. Which numbers have the continued fraction expansion
(a) 1, 2, 3, 4
(b) 1, 2, 1, 2, 1, 2, . . . ?
3. Prove that for any irrational 𝛼 there exist infinitely many fractions 𝑟/𝑠 with odd
denominators 𝑠 satisfying
|𝛼 − 𝑟 | < 1 .
| 𝑠 | 𝑠2
4. Prove
| 1 + √5 − 𝜑𝑛+1 | < 1
| 2 𝜑𝑛 | 𝜑2𝑛
for every 𝑛 ≥ 1, where 𝜑𝑛 is the 𝑛th Fibonacci number (see Exercise 1.2.5).
 8.4. Distribution of Fractional Parts 281

S 5. Prove that if the conditions of Lemma 8.3.4 hold, then

𝑟𝑛 𝑟 (−1)𝑛 𝑐𝑛
− 𝑛−2 =
𝑠𝑛 𝑠𝑛−2 𝑠𝑛−2 𝑠𝑛
for any 𝑛 ≥ 2.
S* 6. Assume that the continued fraction digits of an irrational 𝛼 form a periodic se-
quence (so there exist positive integers 𝑘 and 𝑀 such that 𝑐𝑛 = 𝑐𝑛−𝑘 for every
𝑛 > 𝑀). Prove that 𝛼 is a root of a quadratic polynomial with integer coefficients.
Remark: The converse of this statement is also true.

8.4. Distribution of Fractional Parts

We deal with the distribution of fractional parts of sequences of real numbers in this
section.

Theorem 8.4.1. The fractional parts of the multiples of any irrational number are ev-
erywhere dense in the interval [0, 1].
Formally, let 𝛼 be an irrational number and 𝑣 ∈ [0, 1]. Then for any 𝜀 > 0 there
exists an integer 𝑛 > 0 satisfying |{𝑛𝛼} − 𝑣| < 𝜀. ♣

Proof. By Theorem 8.1.1, there are infinitely many fractions 𝑟/𝑠 satisfying
|𝛼 − 𝑟 | < 1 , i.e. |𝑠𝛼 − 𝑟| <
1
.
| 𝑠 | 𝑠2 𝑠
Choose a fraction with 𝑠 > 1/𝜀 from them, so |𝑠𝛼 − 𝑟| < 𝜀. Let 𝑑 = |𝑠𝛼 − 𝑟| (thus 𝑑 < 𝜀),
and consider the fractional parts
(8.4.1) {𝑠𝛼}, {2𝑠𝛼}, {3𝑠𝛼}, . . . , {𝑚𝑠𝛼}
where 𝑚 = ⌊1/𝑑⌋ (we can obviously assume 𝜀 < 1, so 𝑚 ≥ 1).
Consider first the case 𝑠𝛼 − 𝑟 > 0. Then for every 1 ≤ 𝑖 ≤ 𝑚, we have
0 < 𝑖𝑠𝛼 − 𝑖𝑟 = 𝑖(𝑠𝛼 − 𝑟) = 𝑖𝑑 < 1, i.e. {𝑖𝑠𝛼} = 𝑖𝑑.
This means that the fractional parts listed in (8.4.1) form a monotone increasing se-
quence where the distance between consecutive elements is 𝑑 < 𝜀, and also the dis-
tances between the first element and 0, and between the last element and 1 are less
than 𝜀. This implies that there is an element in the sequence that is closer to 𝑣 than 𝜀
(in fact, closer than 𝜀/2).
We can handle the case 𝑠𝛼 − 𝑟 < 0 similarly: then {𝑖𝑠𝛼} = 1 − 𝑖𝑑 for 1 ≤ 𝑖 ≤ 𝑚, so
the fractional parts in (8.4.1) form a monotone decreasing sequence where the distance
between consecutive elements, between the first element and 1, and between the last
element and 0 are all less than 𝜀. □

Now we consider the variant of the problem of Theorem 8.4.1 for higher dimen-
sions. The simplest case is when 𝛼1 and 𝛼2 are irrational numbers and we investigate
the distribution of the points 𝑃𝑛 = ({𝑛𝛼1 }, {𝑛𝛼2 }) in the unit square.
282 8. Diophantine Approximation

Similar to the proof of Theorem 8.4.1, we obtain from Theorem 8.1.3 that for any
𝜀 > 0 there exist integers 𝑟1 , 𝑟2 , and 𝑠 > 0 satisfying
|𝑠𝛼1 − 𝑟1 | < 𝜀 and |𝑠𝛼2 − 𝑟2 | < 𝜀.
This means that 𝑃𝑠 = ({𝑠𝛼1 }, {𝑠𝛼2 }) is close to a vertex of the unit square. Similar to the
proof of Theorem 8.4.1, it follows that 𝑃𝑠 , 𝑃2𝑠 , 𝑃3𝑠 , . . . lie densely on the line connecting
𝑃𝑠 with this vertex.
It is not true, however, that the points 𝑃𝑛 are dense everywhere in the unit square
for every 𝛼1 and 𝛼2 . Take 𝛼2 = 𝛼1 + 1. Then {𝑛𝛼1 } = {𝑛𝛼2 } for every 𝑛, so each point 𝑃𝑛
is on the line 𝑦 = 𝑥.
The condition for everywhere dense distribution can be formulated with the help
of linear independence.
Theorem 8.4.2. For real numbers 𝛼1 , . . . , 𝛼𝑘 , the points
𝑃𝑛 = ({𝑛𝛼1 }, {𝑛𝛼2 }, . . . , {𝑛𝛼𝑘 }), 𝑛 = 1, 2, 3, . . .
are everywhere dense in the 𝑘-dimensional unit cube if and only if 1, 𝛼1 , . . . , 𝛼𝑘 are linearly
independent over the rational field. ♣

Linear independence means that 𝑐 0 + 𝑐 1 𝛼1 + ⋯ + 𝑐 𝑘 𝛼𝑘 = 0 can hold with rational

numbers 𝑐 𝑖 only in the trivial case 𝑐 0 = 𝑐 1 = ⋯ = 𝑐 𝑘 = 0. This implies that every 𝛼𝑖
must be irrational.
In the example 𝑘 = 2, 𝛼2 = 𝛼1 + 1, we saw that the points 𝑃𝑛 are not everywhere
dense in the unit circle, and 1, 𝛼1 , 𝛼2 are not linearly independent, as 1 ⋅ 1 + 1𝛼1 +
(−1)𝛼2 = 0.
We do not prove the sufficiency of the condition in Theorem 8.4.2, and have the
proof of necessity in Exercise 8.4.3.
Returning to the one-dimensional case, we examine now uniform distribution,
which is a much stronger requirement than being everywhere dense.
Uniform distribution means that the fractional parts of 𝑢1 , 𝑢2 , . . . can be found in
any subinterval 𝐼 of [0, 1] proportional to the length of 𝐼: for 𝑛 large, about 𝑑𝑛 from the
first 𝑛 fractional parts {𝑢𝑖 } are in 𝐼 where 𝑑 is the length of 𝐼. The precise definition is:
Definition 8.4.3. A sequence of real numbers 𝑢1 , 𝑢2 , . . . is uniformly distributed mod-
ulo 1 (or has uniform distribution), if for any subinterval 𝐼 in [0, 1],
𝑓𝑛 (𝐼)
lim = 𝑑,
𝑛→∞ 𝑛
where 𝑑 is the length of interval 𝐼 and 𝑓𝑛 (𝐼) is the number of those fractional parts
among {𝑢1 }, . . . , {𝑢𝑛 } that fall into 𝐼. ♣

We state Weyl’s basic result about uniform distribution without proof.

Theorem 8.4.4. A sequence of real numbers 𝑢1 , 𝑢2 , . . . is uniformly distributed if and
only if for every 𝑚 ≠ 0,
𝑛
1
lim ∑ 𝑒2𝜋𝑖𝑚𝑢𝑡 = 0. ♣
𝑛→∞ 𝑛
𝑡=1
 Exercises 8.4 283

The notion of uniform distribution and the criterion of Weyl can be extended to
higher dimensions.
Relying on Weyl’s condition, we show that the multiples of an irrational number
are uniformly distributed.
Theorem 8.4.5. If 𝛼 is an irrational number, then 𝛼, 2𝛼, . . . , 𝑛𝛼, . . . are uniformly dis-
tributed. ♣

Proof. By Theorem 8.4.4, we have to show

𝑛
1
(8.4.2) lim ∑ 𝑒2𝜋𝑖𝑚𝑡𝛼 = 0
𝑛→∞ 𝑛
𝑡=1

for any integer 𝑚 ≥ 0. The sum on the left-hand side of (8.4.2) is a geometric series of
𝑛 terms and with quotient 𝑒2𝜋𝑖𝑚𝛼 ≠ 1, as 𝛼 is irrational. Hence
𝑛 2𝜋𝑖𝑚𝛼
| 1 ∑ 𝑒2𝜋𝑖𝑚𝑡𝛼 | = |𝑒 | ⋅ |𝑒2𝜋𝑖𝑚𝑛𝛼 − 1| 1⋅2
|𝑛 | 2𝜋𝑖𝑚𝛼
≤ 2𝜋𝑖𝑚𝛼
→ 0,
𝑡=1
𝑛|𝑒 − 1| 𝑛|𝑒 − 1|
as 𝑛 → ∞. □

Exercises 8.4

S 1. Examine whether or not the fractional parts of the sequences below are everywhere
dense in the interval [0, 1]:
(a) (1 + √2)𝑛
(b) √𝑛
(c) √𝑛2 + 1
(d) √2𝑛2 + 1
(e) sin(𝑛𝜋/180)
(f) sin 𝑛
(g) log10 𝑛.
* 2. Show the existence of a real number 𝛼 such that the fractional parts of
𝛼, 𝛼2 , 𝛼3 , ... , 𝛼𝑛 , . . .
are everywhere dense in [0, 1].
S 3. Prove that the condition of linear independence given in Theorem 8.4.2 is neces-
sary for the points 𝑃𝑛 to be everywhere dense in the 𝑘-dimensional unit cube.
4. Verify the following statements.
(a) If the fractional parts of a sequence are everywhere dense in [0, 1], then we
can rearrange them into a uniformly distributed sequence.
(b) Any uniformly distributed sequence can be rearranged into one that is not
uniformly distributed.
284 8. Diophantine Approximation

5. True or false?
(a) Any subsequence of a uniformly distributed sequence has uniform distribu-
tion.
(b) If we add the same real number to every element of a uniformly distributed
sequence, the new sequence will have uniform distribution.
(c) If we multiply every element of a uniformly distributed sequence by the same
non-zero real number, the new sequence will have uniform distribution.
(d) The sum of two uniformly distributed sequences is uniformly distributed.
(e) The product of two uniformly distributed sequences is uniformly distributed.
(f) The square of a uniformly distributed sequence is uniformly distributed.
(g) The square of a uniformly distributed sequence can never be uniformly dis-
tributed.
6. Demonstrate that the following sequences are not uniformly distributed:
(a) log10 𝑛
(b) sin 𝑛.
7. Prove that if a natural number 𝑡 is not a power of 10, then there exists a positive
integer 𝑛 such that the first five digits of 𝑡𝑛 are 54321 in the decimal system.
 Chapter 9

Algebraic and
Transcendental Numbers

A complex number is algebraic if it is a root of some non-zero polynomial with rational

(or equivalently, integer) coefficients, otherwise it is transcendental. We show that
most complex numbers are transcendental. On the other hand, however, it is generally
very hard to determine, whether a given number is algebraic or transcendental. This
will be illustrated by the proof of the transcendence of 𝑒 and by a long list of unsolved
problems.
We discuss first the properties of minimal polynomials, degree, and operations
with algebraic numbers. Then we prove that algebraic numbers cannot be approxi-
mated well. As a consequence, we construct a transcendental number relatively easily,
and we infer that some types of Diophantine equations cannot have infinitely many so-
lutions. At the end of the chapter, we introduce algebraic integers as a generalization
of ordinary integers.
Algebraic numbers and algebraic integers also play an important role in the next
two chapters.

9.1. Algebraic Numbers

The rational numbers can be characterized among all complex numbers as roots of
linear polynomials with rational coefficients. Discarding the restriction on the degree
of the polynomial, we get the notion of algebraic numbers:

Definition 9.1.1. A complex number 𝛼 is an algebraic number (or, is algebraic), if

𝑓(𝛼) = 0 for some non-zero polynomial 𝑓 with rational coefficients. ♣

Remarks: (1) We had to exclude the polynomial 𝑓 = 0, since every complex number
is a root of it.

285
286 9. Algebraic and Transcendental Numbers

(2) If 𝛼 is a root of a polynomial with rational coefficients, than multiplying this poly-
nomial by the least common multiple of the denominators in the coefficients, we
get a polynomial with integer coefficients having 𝛼 as a root. Thus we arrive at
the same notion if in Definition 9.1.1 we replace “rational coefficients” by “integer
coefficients”.

(3) The situation changes dramatically, however, if we require real or complex coef-
ficients instead of rational or integer ones: Every complex number is a root of a
non-zero polynomial with real coefficients (which are thus complex coefficients),
see Exercise 9.1.7.

(4) Instead of “algebraic number” we can say also “algebraic number over the ra-
tionals” (or “algebraic element over the rational field”) as we can generalize the
notion to algebraic elements over other fields than the rationals (see Definition
10.1.4).

Examples. As mentioned before, every rational number is algebraic.

5
Among the irrational numbers, e.g. √2 or √ 13 are algebraic, as they are roots of
2 5
polynomials 𝑥 − 2 and 𝑥 − 13.
Every complex root of unity is algebraic, being a root of some polynomial 𝑥𝑛 − 1.

Further examples occur in Exercises 9.1.1 and 9.1.2. With the help of theorems in
Section 9.3, we will be able to construct many types of algebraic numbers. The non-
algebraic numbers are called transcendental.

Definition 9.1.2. A complex number is a transcendental number (or shortly, transcen-

dental) if it is not a root of any non-zero polynomial with rational coefficients. ♣

Theorem 9.1.3. There exist transcendental numbers, moreover almost all complex num-
bers are transcendental: the algebraic numbers are countable, whereas the cardinality of
transcendental numbers is continuum. ♣

Proof. Since the cardinality of complex numbers is that of the continuum, all state-
ments follow if we verify that the algebraic numbers are countable, so we can order the
algebraic numbers in a sequence.
The algebraic numbers are the roots of non-zero polynomials with integer coeffi-
cients, so first we put these polynomials into a sequence. Then we obtain a sequence of
all algebraic numbers by taking all (complex) roots of these polynomials that had not
yet been listed as roots of previous polynomials. Let 𝑓 = 𝑎0 + 𝑎1 𝑥 + ⋯ + 𝑎𝑛 𝑥𝑛 be an
arbitrary non-zero polynomial with integer coefficients where 𝑎𝑛 ≠ 0, and define 𝐻(𝑓)
as

𝐻(𝑓) = 𝑛 + |𝑎0 | + |𝑎1 | + ⋯ + |𝑎𝑛 |.

9.1. Algebraic Numbers 287

For example,
𝐻(𝑓) = 1 ⟺ 𝑓 = ±1
𝐻(𝑓) = 2 ⟺ 𝑓 = ±2, ±𝑥
(9.1.1) 𝐻(𝑓) = 3 ⟺ 𝑓 = ±3, ±𝑥 ± 1, ±2𝑥, ±𝑥2
𝐻(𝑓) = 4 ⟺ 𝑓 = ±4, ±𝑥 ± 2, ±2𝑥 ± 1, ±3𝑥,
± 𝑥2 ± 1, ±𝑥2 ± 𝑥, ±2𝑥2 , ±𝑥3 .

It is clear from the definition of 𝐻(𝑓) that for any 𝑘 there exist only finitely many 𝑓
satisfying 𝐻(𝑓) = 𝑘. Therefore we get a suitable sequence by taking one after another
the polynomials with 𝐻(𝑓) = 1, 2, 3, . . . From this we get a sequence of all algebraic
numbers. The first few elements are, using the order of polynomials in (9.1.1),
1 1
0, 1, −1, 2, −2, , − , 𝑖, −𝑖, . . .
2 2
The non-zero constant polynomials have no roots, 0 comes from 𝑥, ±1 comes from
𝑥 ∓ 1, etc., the constant multiples, products or divisors of previous polynomials provide
no new roots. Thus we can restrict ourselves to polynomials 𝑓 satisfying 𝑛 > 0, 𝑎𝑛 > 0,
(𝑎0 , 𝑎1 , . . . , 𝑎𝑛 ) = 1, and being irreducible over the rational field. □

In Theorem 9.1.3 we verified the existence of many transcendental numbers with-

out exhibiting a single one. In Section 9.4 we shall construct one, and in Section 9.5 we
shall prove that 𝑒 (the base of the natural logarithm) is transcendental.
Some other notable transcendental numbers are
• 𝜋
• sin 𝑛, where the angle 𝑛 is an integer measured in radians
• log10 𝑛, where 𝑛 is a positive integer, except the trivial case when 𝑛 is a power of
10 (with an integer exponent), see Exercise 9.3.7
• 2√2 , see Theorem 9.3.5
∞
1
• 𝜁(2) = ∑ 2
, see Exercise 9.1.3.
𝑘=1
𝑘

In general, it is difficult to determine whether a given number is algebraic or transcen-

dental; for each of the examples listed, the proof of transcendence is much beyond the
scope of this book (Theorem 9.3.5 is stated without proof, and the other two references
reduce the question to this theorem and to the transcendence of 𝜋).
It is unknown whether 𝑒 + 𝜋 is transcendental, or at least irrational. It is also
∞
unknown whether 𝜁(3) = ∑𝑘=1 𝑘−3 is transcendental; its irrationality was proved only
in 1975. About 𝜁(5) we do not even know whether it is irrational.
288 9. Algebraic and Transcendental Numbers

Exercises 9.1

1. Prove that the following numbers are algebraic.

(a) 20√7
(b) √2 + 3
(c) √2 + √3
3
(d) √2 + √ 4
3 3
(e) √ 2+√ 4
(f) √2 + √3 + √5
2. Prove that if 𝛼 is algebraic, then also
(a) −𝛼
(b) 𝛼
(c) 1/𝛼 (for 𝛼 ≠ 0)
(d) 𝑟 + 𝛼
(e) 𝑟𝛼
(f) 𝑘√𝛼
are algebraic, where 𝑟 is an arbitrary rational number and 𝑘 is a positive integer.
∞
3. Using the transcendence of 𝜋, verify that 𝜁(2) = ∑𝑘=1 𝑘−2 is transcendental.
4. Assume that 𝛼 is transcendental and 𝑓 ≠ 0 is a polynomial with integer coeffi-
cients. Show that also 𝑓(𝛼) is transcendental.
5. Let 𝑔 be a non-zero polynomial with complex coefficients. Prove that there exists a
non-zero polynomial ℎ with integer coefficients satisfying 𝑔 ∣ ℎ if and only if every
(complex) root of 𝑔 is an algebraic number.
6. Verify that a complex number 𝛼 is algebraic if and only if 1, 𝛼, . . . , 𝛼𝑛 are linearly
dependent over the rational field for some positive integer 𝑛.
7. Prove that every complex number is a root of some non-zero polynomial with
(a) complex (b) real coefficients.

9.2. Minimal Polynomial and Degree

Any algebraic number is a root of infinitely many polynomials with rational coeffi-
cients: if 𝑓 is such a non-zero polynomial, then 𝑓 multiplied by an arbitrary polyno-
mial (with rational coefficients) will have this property, too. Thus it is worthwhile to
distinguish those polynomials that have minimal degree:
Definition 9.2.1. The minimal polynomial of an algebraic number 𝛼 is a polynomial
with rational coefficients of minimal degree having 𝛼 as one of its roots. We denote the
minimal polynomial of 𝛼 by 𝑚𝛼 . ♣
9.2. Minimal Polynomial and Degree 289

The minimal polynomial is not completely unique: if 𝑓 is a minimal polynomial of

𝛼, then 𝑐𝑓 meets this requirement, where 𝑐 ≠ 0 is an arbitrary rational number. Apart
from this ambiguity, however, the minimal polynomial is unique:
Theorem 9.2.2. If 𝑓 and 𝑔 are minimal polynomials of the same algebraic number 𝛼,
then 𝑔 = 𝑐𝑓 for some rational number 𝑐 ≠ 0. ♣

Proof. Let
𝑓 = 𝑎 0 + 𝑎1 𝑥 + ⋯ + 𝑎 𝑛 𝑥 𝑛 , 𝑎𝑛 ≠ 0
𝑛
𝑔 = 𝑏0 + 𝑏1 𝑥 + ⋯ + 𝑏𝑛 𝑥 , 𝑏𝑛 ≠ 0.

Then 𝛼 is a root of the polynomial ℎ = 𝑏𝑛 𝑓 − 𝑎𝑛 𝑔 which is either the zero polynomial

or has degree at most 𝑛 − 1. By the definition of minimal polynomial, the second case
is impossible, so ℎ = 0. Therefore 𝑔 = 𝑐𝑓, where 𝑐 = 𝑏𝑛 /𝑎𝑛 . □

The notation 𝑚𝛼 can refer in the sequel to any minimal polynomial of 𝛼. This can
cause no problem by Theorem 9.2.2.
We summarize the most important properties of minimal polynomials in
Theorem 9.2.3. (i) Let 𝑔 ∈ 𝐐[𝑥]. Then 𝑔(𝛼) = 0 ⟺ 𝑚𝛼 ∣ 𝑔.
(ii) 𝑚𝛼 is irreducible over 𝐐.
(iii) If 𝑓 is irreducible over 𝐐 and 𝑓(𝛼) = 0, then 𝑓 is a minimal polynomial of 𝛼. ♣

Proof. (i) We first assume 𝑚𝛼 ∣ 𝑔, i.e. 𝑔 = ℎ𝑚𝛼 , for some ℎ ∈ 𝐐[𝑥]. Then
𝑔(𝛼) = ℎ(𝛼)𝑚𝛼 (𝛼) = ℎ(𝛼) ⋅ 0 = 0.
Conversely, we assume 𝑔(𝛼) = 0. Applying the division algorithm for 𝑔 and 𝑚𝛼 , we get
𝑔 = 𝑚𝛼 ℎ + 𝑟, where ℎ, 𝑟 ∈ 𝐐[𝑥], and deg 𝑟 < deg 𝑚𝛼 or 𝑟 = 0.
Then
0 = 𝑔(𝛼) = 𝑚𝛼 (𝛼)ℎ(𝛼) + 𝑟(𝛼) = 0 + 𝑟(𝛼) = 𝑟(𝛼).
The case deg 𝑟 < deg 𝑚𝛼 contradicts the definition of minimal polynomial, so only
𝑟 = 0 is possible, so 𝑚𝛼 ∣ 𝑔.
(ii) For a proof by contradiction, assume 𝑚𝛼 = 𝑔ℎ, where 𝑔 and ℎ are polynomials
with rational coefficients of smaller degree than 𝑚𝛼 . Then as there are no zero divisors
in the complex field,
0 = 𝑚𝛼 (𝛼) = 𝑔(𝛼)ℎ(𝛼) ⟹ 𝑔(𝛼) = 0 or ℎ(𝛼) = 0,
which contradicts the definition of minimal polynomial.
(iii) By part (i), 𝑚𝛼 ∣ 𝑓. This implies 𝑚𝛼 = 𝑐 or 𝑓 = 𝑐𝑚𝛼 for some constant 𝑐,
since 𝑓 is irreducible. The first case is impossible, and the second case says that 𝑓 is a
minimal polynomial. □
Definition 9.2.4. The degree of an algebraic number 𝛼 is the degree of its minimal
polynomial: deg 𝛼 = deg 𝑚𝛼 . ♣
290 9. Algebraic and Transcendental Numbers

Examples. E1 A minimal polynomial of 0 is 𝑚0 = 𝑥, that of 1 is 𝑚1 = 𝑥 − 1, and

in general, 𝑚𝑟 = 𝑥 − 𝑟 is a minimal polynomial of a rational number 𝑟. It is also
clear that exactly the rational numbers have degree 1, and there are no algebraic
numbers of degree 0.
E2 A minimal polynomial of 𝑖 is 𝑥2 + 1, so deg 𝑖 = 2.
5
E3 A minimal polynomial of √ 3 is 𝑥5 − 3, since this polynomial is irreducible over 𝐐
by the Schönemann–Eisenstein criterion.
E4 For any positive integer 𝑘, there exist infinitely many algebraic numbers of de-
gree 𝑘, as, using the Schönemann–Eisenstein criterion, there are infinitely many
irreducible polynomials over 𝐐 having degree 𝑘.
E5 A minimal polynomial of a primitive complex 𝑛th root of unity 𝜚 is the 𝑛th cy-
clotomic polynomial Φ𝑛 , since Φ𝑛 (𝜚) = 0 and Φ𝑛 is irreducible over 𝐐. Hence,
deg 𝜚 = deg Φ𝑛 = 𝜑(𝑛). (Example E2 was a special case 𝑛 = 4.)

Exercises 9.2

1. What is the connection between the degrees of the numbers in Exercise 9.1.2 and
the degree of 𝛼?
2. Determine the degree of the algebraic numbers
7
(a) √ 12
(b) cos 20∘
3 3
(c) √ 3−√ 9

(d) √7 − 4√3
4
(e) √ 2 + √2
4 4
(f) √ 2 + √2 + √ 8.
3. Prove that 𝛼 is an algebraic number of degree 2 if and only if 𝛼 = 𝑟 + √𝑠, where 𝑟
and 𝑠 are rational numbers and 𝑠 is not the square of a rational number.
4. Demonstrate that the algebraic numbers of degree 𝑛 are everywhere dense
(a) on the real number line for 𝑛 ≥ 1
(b) on the complex plane for 𝑛 ≥ 2.
5. Let 𝑓 be a polynomial with rational coefficients of degree 𝑛 ≥ 1 and 𝛼1 , . . . , 𝛼𝑛 its
(complex) roots, counted with multiplicity.
𝑛
(a) Verify ∑𝑖=1 deg 𝛼𝑖 ≤ 𝑛2 .
(b) When does (a) hold with equality?
𝑛
(c) Show that if (a) holds with strict inequality, then ∑𝑖=1 deg 𝛼𝑖 ≤ 𝑛2 − 2𝑛 + 2.
 9.3. Operations with Algebraic Numbers 291

6. We know that deg 𝛼 = 6 and 𝛼 is a root of the polynomial

𝑓 = 𝑥7 + 8𝑥6 + 15𝑥5 + 10𝑥3 + 35𝑥2 + 5𝑥 − 30.
Find a minimal polynomial of 𝛼.
7. Assume that the complex numbers 𝛼 and 𝛽 are roots of a non-zero polynomial 𝑓
with rational coefficients and deg 𝑓 < deg 𝛼 + deg 𝛽. Prove 𝑚𝛼 = 𝑚𝛽 .
S 8. Assume that polynomials with rational coefficients 𝑓 ≠ 0 and 𝑔, and complex
numbers 𝛼 and 𝛽 satisfy 𝑓(𝛼) = 𝑔(𝛼) = 𝑓(𝛽) = 0, 𝑔(𝛽) = 1. Show that 𝑓 is
reducible over 𝐐.

9.3. Operations with Algebraic Numbers

In this section we discuss the connection of algebraic numbers to the four basic arith-
metic operations and exponentiation.
Theorem 9.3.1. The algebraic numbers form a subfield of the complex numbers, so the
sum, difference, product, and (if the divisor is not zero, then) quotient of two algebraic
numbers are algebraic. ♣
We prove the theorem using symmetric polynomials. (For another proof, see Sec-
tion 10.2.)
A polynomial of 𝑘 variables 𝐹(𝑥1 , . . . , 𝑥𝑘 ) over a ring 𝑅 is called symmetric if per-
muting the variables 𝑥𝑖 gives the same polynomial. Such polynomials are e.g. the sum
or product of the variables, or more generally, the sum of all possible products of 𝑗
(distinct) variables:
(9.3.1)
𝜎𝑗 (𝑥1 , . . . , 𝑥𝑘 ) = ∑ 𝑥𝑖1 . . . 𝑥𝑖𝑗
1≤𝑖1 <⋯<𝑖𝑗 ≤𝑘

= 𝑥1 𝑥2 . . . 𝑥𝑗−1 𝑥𝑗 + 𝑥1 𝑥2 . . . 𝑥𝑗−1 𝑥𝑗+1 + ⋯ + 𝑥𝑘−𝑗+1 𝑥𝑘−𝑗+2 . . . 𝑥𝑘−1 𝑥𝑘 ,

𝑗 = 1, . . . , 𝑘.
The polynomials 𝜎𝑗 are called the elementary symmetric polynomials of variables
𝑥1 , . . . , 𝑥 𝑘 .
Since sums and products of symmetric polynomials are symmetric, thus 𝜎1 +𝜎23 , or
in general, any polynomials formed with coefficients from 𝑅 in variables 𝜎𝑗 are again
symmetric polynomials in variables 𝑥𝑖 .
The importance of elementary symmetric polynomials lies primarily in the fact
that the converse of the previous observation is true: Every symmetric polynomial can
be obtained as a polynomial of elementary symmetric polynomials.
Theorem 9.3.2 (The Fundamental Theorem of Symmetric Polynomials). Let
𝐹(𝑥1 , . . . , 𝑥𝑘 ) be a symmetric polynomial (of 𝑘 variables) over a ring 𝑅. Then there ex-
ists a polynomial 𝐺 of 𝑘 variables over 𝑅 such that
𝐹(𝑥1 , . . . , 𝑥𝑘 ) = 𝐺(𝜎1 , . . . , 𝜎 𝑘 ),
where 𝜎𝑗 = 𝜎𝑗 (𝑥1 , . . . , 𝑥𝑘 ) denote the elementary symmetric polynomials with variables
𝑥𝑖 defined by (9.3.1). ♣
292 9. Algebraic and Transcendental Numbers

Example. We can express the sum of squares of 𝑥𝑖 with elementary symmetric poly-
nomials 𝜎𝑗 as
𝑥12 + 𝑥22 + ⋯ + 𝑥𝑘2 = (𝑥1 + ⋯ + 𝑥𝑘 )2 − 2(𝑥1 𝑥2 + 𝑥1 𝑥3 + ⋯) = 𝜎12 − 2𝜎2 .

The proof of the Fundamental Theorem of Symmetric Polynomials can be found

in any introductory algebra textbook.
We can add to the theorem that 𝐺 is unique, and its coefficients are obtained from
the coefficients of 𝐹 using only addition and subtraction.
We shall apply the theorem mostly for the two cases where 𝑅 is the rational field
or the ring of integers. Thus if the coefficients of a symmetric polynomial 𝐹 are ratio-
nal numbers or integers, then the corresponding polynomial 𝐺 has rational or integer
coefficients, resp.

Proof of Theorem 9.3.1. We saw in Exercise 9.1.2 that the negative of an algebraic
number and the reciprocal of a non-zero algebraic number are algebraic. Thus it is
enough to verify that the sum and product of two algebraic numbers are algebraic.
Assume that the algebraic numbers 𝛼 and 𝛽 are roots of polynomials with rational
coefficients
𝑚 𝑛
𝑓 = ∏(𝑥 − 𝛼𝑖 ) and 𝑔 = ∏(𝑥 − 𝛽𝑗 ),
𝑖=1 𝑗=1

where 𝛼1 = 𝛼 and 𝛽1 = 𝛽. Then 𝛼 + 𝛽 is a root of the polynomial

𝑚 𝑛
ℎ = ∏ ∏(𝑥 − 𝛼𝑖 − 𝛽𝑗 ).
𝑖=1 𝑗=1

We show that ℎ = 𝑐 0 + 𝑐 1 𝑥 + ⋯ + 𝑐𝑛𝑚−1 𝑥𝑛𝑚−1 + 𝑥𝑛𝑚 has rational coefficients.

Rewrite ℎ as
𝑚
ℎ = ∏ 𝑔(𝑥 − 𝛼𝑖 ),
𝑖=1
and observe that any permutation of the numbers 𝛼𝑖 leaves ℎ, and so each coefficient
𝑐𝑟 , unchanged. This means that if we consider 𝛼1 , . . . , 𝛼𝑚 as variables, then every
coefficient 𝑐𝑟 is a symmetric polynomial in the 𝛼𝑖 :
𝑐𝑟 = 𝐹𝑟 (𝛼1 , . . . , 𝛼𝑚 ), 𝑟 = 0, 1, . . . , 𝑛𝑚 − 1,
where 𝐹𝑟 is a symmetric polynomial with rational coefficients (since these were ob-
tained from the coefficients of 𝑔). By Theorem 9.3.2, 𝐹𝑟 can be represented as a polyno-
mial in the elementary symmetric polynomials 𝜎𝑗 formed from the numbers 𝛼𝑖 , i.e.
𝑐𝑟 = 𝐹𝑟 (𝛼1 , . . . , 𝛼𝑚 ) = 𝐺𝑟 (𝜎1 , . . . , 𝜎𝑚 )
for a suitable polynomial 𝐺𝑟 with rational coefficients. By Viète’s formulas about the
relation between roots and coefficients, the elementary symmetric polynomials of 𝛼𝑖 s
are just the coefficients of 𝑓, possibly with a negative sign. Hence 𝑐𝑟 = 𝐺𝑟 (𝜎1 , . . . , 𝜎𝑚 )
is a rational number. We have thus proved that ℎ has rational coefficients, so 𝛼 + 𝛽 is
an algebraic number.
9.3. Operations with Algebraic Numbers 293

We can verify similarly that 𝛼𝛽 is algebraic: now we have to consider the polyno-
mial
𝑚 𝑛 𝑚
𝑥
∏ ∏(𝑥 − 𝛼𝑖 𝛽𝑗 ) = ∏ 𝛼𝑛𝑖 𝑔( ).
𝑖=1 𝑗=1 𝑖=1
𝛼𝑖
If 𝛼 ≠ 0, then we can assume that no 𝛼𝑖 is zero, and if 𝛼 = 0, then it is obvious that
𝛼𝛽 = 0 is algebraic. □

An important corollary of Theorem 9.3.1 is that the question whether a complex

number is algebraic or transcendental can be reduced to the similar question for real
numbers:
Theorem 9.3.3. A complex number is algebraic if and only if both its real and imaginary
parts are algebraic. ♣

Proof. Let 𝛼 = 𝑎 + 𝑏𝑖 where 𝑎 and 𝑏 are real numbers.

We assume first that 𝑎 and 𝑏 are algebraic. Since 𝑖 is algebraic as a root of the
polynomial 𝑥2 +1, and products and sums of algebraic numbers are algebraic, 𝛼 = 𝑎+𝑏𝑖
is algebraic.
Conversely, assume that 𝛼 = 𝑎 + 𝑏𝑖 is algebraic. Then 𝛼 = 𝑎 − 𝑏𝑖 is algebraic (see
Exercise 9.1.2b). Since sums, differences, and quotients of algebraic numbers, includ-
ing 2 and 2𝑖, are algebraic, hence
𝛼+𝛼 𝛼−𝛼
𝑎= and 𝑏=
2 2𝑖
are algebraic. □

Now we consider powers of algebraic numbers. Since we define the powers of 0

only for positive real exponents and they all are 0, in the sequel we can restrict our
investigation to powers of non-zero algebraic numbers.
Theorem 9.3.4. All powers of algebraic numbers with rational exponents are algebraic.
♣

Proof. Since products and reciprocals of algebraic numbers are algebraic and 1 is al-
gebraic, the statement holds for integer exponents. The statement for fractional expo-
nents follows from the fact that roots of algebraic numbers with integer exponents are
algebraic (see Exercise 9.1.2f). □

For non-rational exponents, the simplest question is whether 2√2 is transcenden-

tal, or at least irrational. This occurs among the famous Hilbert problems from the
year 1900, and Hilbert thought it to be more difficult than Fermat’s Last Theorem or
Riemann’s Hypothesis. This, however, did not discourage researchers, and Gelfond
and Schneider proved the following general result in 1934, independently and with
different methods, which we state without proof:
Theorem 9.3.5 (Gelfond–Schneider Theorem). If 𝛼 and 𝛽 are algebraic numbers, 𝛼 ≠ 0
or 1, and 𝛽 is not rational, then 𝛼𝛽 is transcendental. ♣
294 9. Algebraic and Transcendental Numbers

This implies that if an integer 𝑛 is not a power of 10 with an integer exponent, then
log10 𝑛 is transcendental (see Exercise 9.3.7).
Theorem 9.3.5 is true also for complex exponents 𝛽, when the power generally has
infinitely many values. This makes possible a simple verification of the transcendence
of 𝑒𝜋 (see Exercise 9.3.4b), whereas we cannot answer the weaker question of whether
𝑒+𝜋, 𝑒−𝜋, 𝑒𝜋, 𝑒/𝜋, and 𝜋𝑒 are irrational, though most of them must be transcendental,
see Exercise 9.3.4a.
We saw in Theorem 9.3.4 (and in Exercise 9.1.2f) that the algebraic numbers are
closed under taking roots with integer exponents. Another formulation of this fact is
that if 𝛼 is an algebraic number, then the roots of the polynomial 𝑥𝑘 −𝛼 having algebraic
coefficients are algebraic. This holds not only for such polynomials of special form, but
for any polynomials with algebraic coefficients.
Theorem 9.3.6. If the coefficients of a polynomial 𝑓 ≠ 0 are algebraic numbers, then all
(complex) roots of 𝑓 are algebraic, as well. ♣

Proof. We shall use again the Fundamental Theorem 9.3.2 of Symmetric Polynomials.
We shall see another proof in Section 10.2.
Let 𝑓 = 𝛼 + 𝛽𝑥 + ⋯ + 𝜉𝑥𝑛 , where 𝛼, 𝛽, . . . , 𝜉 are algebraic numbers, and let 𝛼𝑖 , 𝛽𝑗 ,
. . . , 𝜉𝑘 denote the other roots of the minimal polynomials of 𝛼, 𝛽, . . . , 𝜉, (𝛼1 = 𝛼, etc.).
Consider the polynomial
ℎ = ∏ (𝛼𝑖 + 𝛽𝑗 𝑥 + ⋯ + 𝜉𝑘 𝑥𝑛 ).
𝑖,𝑗,. . .,𝑘

Since 𝑓 is a factor of ℎ, all roots of 𝑓 are roots also of ℎ. Thus it is sufficient to verify
that ℎ has rational coefficients.
Let 𝑐𝑟 be a coefficient of ℎ. Similar to the arguments in the proof of Theorem 9.3.1,
𝑐𝑟 is a symmetric polynomial 𝐹𝑟 with variables 𝛼𝑖 , where the coefficients of 𝐹𝑟 are ob-
tained from the numbers 𝛽𝑗 , . . . , 𝜉𝑘 by addition, subtraction, and multiplication. By
Theorem 9.3.2, 𝐹𝑟 is a polynomial in elementary symmetric polynomials of variables
𝛼𝑖 . Using Viète’s formulas connecting the roots and coefficients of the minimal poly-
nomial 𝑚𝛼 , we get that these elementary symmetric polynomials are rational numbers.
Thus we eliminated the numbers 𝛼𝑖 from 𝑐𝑟 . Repeating the same argument for 𝛽𝑗 , etc.,
we obtain that 𝑐𝑟 is a rational number. □

Summarizing the statements of Theorems 9.3.1 and 9.3.6, the algebraic numbers
form an algebraically closed field.

Exercises 9.3

1. (a) Verify that the sum of an algebraic number and a transcendental number is
transcendental.
(b) Give examples of two transcendental numbers whose sum is (a) transcenden-
tal (b) algebraic.
(c) Investigate similar questions for products instead of sums.
 Exercises 9.3 295

2. What can we assert about 𝛼 and 𝛽 (from algebraic/transcendental aspect), if

(a) 𝛼 + 𝛽 and 𝛼 − 𝛽 are algebraic
(b) 𝛼 + 𝛽 is algebraic and 𝛼 − 𝛽 is transcendental
(c) 𝛼 + 𝛽 and 𝛼 − 𝛽 are transcendental
(d) 𝛼𝛽 and 𝛼/𝛽 are algebraic
(e) 𝛼 + 𝛽 is algebraic and 𝛼𝛽 is transcendental
(f) 𝛼 + 𝛽 is transcendental and 𝛼𝛽 is algebraic
(g) 𝛼 + 𝛽 and 𝛼𝛽 are transcendental
(h) 𝛼 + 𝛽 and 𝛼𝛽 are algebraic?
What are the changes if 𝛼 and 𝛽 are real numbers, and the words “algebraic” and
“transcendental” are replaced everywhere by “rational” and “irrational”, respec-
tively?
3. Assume that 𝛼 + 𝛽 and 𝛼 + 𝛾 are algebraic and 𝛽 + 𝛾 is transcendental. Determine
for each of the following numbers whether it is algebraic or transcendental
(a) 𝛼
(b) 2𝛼 + (1 − 𝑖)𝛽 + (1 + 𝑖)𝛾
(c) 3𝛼 + (2 − 𝑖)𝛽 + (2 + 𝑖)𝛾.
4. As mentioned before, the transcendence, or even the irrationality, of 𝑒 + 𝜋, 𝑒 − 𝜋,
𝑒𝜋, 𝑒/𝜋, and 𝜋𝑒 is a notorious unsolved problem.
(a) At most how many of 𝑒 + 𝜋, 𝑒 − 𝜋, 𝑒𝜋, and 𝑒/𝜋 can possibly be algebraic?
(b) Prove that (b1) 𝑒 + 𝑖𝜋 and (b2) 𝑒𝜋 are transcendental.
5. For each of the following numbers, determine whether it is algebraic or transcen-
dental
(a) sin 7∘
(b) 𝑖𝜋 + 𝜋/𝑖
(c) 𝜋7 + 𝑖𝜋5 + √2𝜋.
S 6. Let the trigonometric form of a complex number 𝛼 ≠ 0 be 𝛼 = 𝑟(cos 𝜑 + 𝑖 sin 𝜑).
Verify that 𝛼 is algebraic if and only if both 𝑟 and cos 𝜑 are algebraic.
7. Assume that the positive integer 𝑛 is not a power of 10 with an integer exponent.
Prove that log10 𝑛 is transcendental.
8. For complex numbers 𝛼 and 𝛽, form the sequence
𝐻 = (𝛼 + 𝛽, 𝛼2 + 𝛽 2 , . . . , 𝛼𝑘 + 𝛽 𝑘 , . . . ).
Show that if at least two elements of 𝐻 are algebraic and not both of them are 0,
then every element of 𝐻 is algebraic.
9. Consider the powers with real transcendental exponents of a positive algebraic
number different from 1. Prove that there are infinitely many algebraic and in-
finitely many transcendental numbers among them.
296 9. Algebraic and Transcendental Numbers

9.4. Approximation of Algebraic Numbers

In this section we discuss the approximation of algebraic numbers and its consequenc-
es. As a non-real complex number cannot be approximated well by rationals, we in-
vestigate only approximation of real algebraic numbers.
We saw in Exercise 8.1.1 that rational numbers can be approximated only very
poorly. We showed in Theorem 8.1.6 and Exercise 8.1.6, that the irrational numbers
(1 + √5)/2 and √2 satisfy only a pretty poor approximation. Liouville proved that it is
true in general that no algebraic number can be approximated well, in the following
sense:
Theorem 9.4.1. Let 𝑛 ≥ 2 and 𝛼 a (real) algebraic number of degree 𝑛. Then there exists
a real constant 𝑐 = 𝑐(𝛼) > 0 such that every rational number 𝑟/𝑠 satisfies

(9.4.1) |𝛼 − 𝑟 | > 𝑐(𝛼) . ♣

| 𝑠| 𝑠𝑛
Remarks: (1) Another formulation of Theorem 9.4.1 is: There exists a real constant
𝑐′ = 𝑐′ (𝛼) > 0 such that
′
|𝛼 − 𝑟 | < 𝑐 (𝛼)
| 𝑠 | 𝑠𝑛
is true only for finitely many rational numbers 𝑟/𝑠. This means that we allow
finitely many exceptions in (9.4.1). They can easily be eliminated by choosing 𝑐(𝛼)
so small that the finitely many exceptional fractions 𝑟/𝑠 satisfy (9.4.1). Thus the
two forms of the theorem are equivalent, and each implies the other immediately.
(2) Another corollary of Theorem 9.4.1 is that for any real numbers 𝑡 > 𝑛 and 𝑐∗ > 0,
∗
|𝛼 − 𝑟 | < 𝑐
| 𝑠 | 𝑠𝑡
can be valid only for finitely many rational number 𝑟/𝑠, since if 𝑠 is large enough
(depending on 𝑡 and 𝑐∗ ), then
𝑐∗ 𝑐(𝛼)
< 𝑛 .
𝑠𝑡 𝑠
This means that, using the term introduced in Exercise 8.1.7, an algebraic number
of degree 𝑛 cannot be approximated to a greater order than 𝑛, i.e. it cannot be
approximated to order 𝑡 for any 𝑡 > 𝑛. However, even a much stronger result
holds, see Theorem 9.4.4.
(3) By Exercise 8.1.1, Theorem 9.4.1 is valid also for 𝑛 = 1 if we exclude 𝛼 = 𝑟/𝑠.

Proof. For a proof by contradiction, we assume that for every 𝑐 > 0 there exists a
rational number 𝑟/𝑠 (with 𝑠 > 0) satisfying
|𝛼 − 𝑟 | < 𝑐 .
| 𝑠 | 𝑠𝑛
This means
𝑟
(9.4.2) lim 𝑠𝑛𝑖 (𝛼 − 𝑖 ) = 0
𝑖→∞ 𝑠𝑖
9.4. Approximation of Algebraic Numbers 297

for a suitable sequence of rational numbers 𝑟 𝑖 /𝑠𝑖 (where 𝑠𝑖 > 0). A direct consequence
is
𝑟 𝑟
(9.4.3) lim (𝛼 − 𝑖 ) = 0 or lim 𝑖 = 𝛼.
𝑖→∞ 𝑠𝑖 𝑖→∞ 𝑠𝑖

We consider a copy of 𝑚𝛼 with integer coefficients, and denote its complex roots
by 𝛼1 = 𝛼, 𝛼2 , . . . , 𝛼𝑛 . Then
𝑛
(9.4.4) 𝑚𝛼 = 𝑎0 + 𝑎1 𝑥 + ⋯ + 𝑎𝑛 𝑥𝑛 = 𝑎𝑛 ∏(𝑥 − 𝛼𝑗 ),
𝑗=1

where 𝑎0 , 𝑎1 , . . . , 𝑎𝑛 are integers and 𝑎𝑛 ≠ 0. Since 𝑚𝛼 is irreducible over 𝐐, it cannot

have multiple roots (see Exercise 9.4.4), so the numbers 𝛼𝑗 are distinct.
Substituting 𝑟 𝑖 /𝑠𝑖 into 𝑚𝛼 , we obtain by (9.4.4)
𝑛
𝑟𝑖 𝑟 𝑛 𝑟 𝑟
(9.4.5) 𝑎0 + 𝑎1 ( ) + ⋯ + 𝑎𝑛 ( 𝑖 ) = 𝑎𝑛 ( 𝑖 − 𝛼) ∏( 𝑖 − 𝛼𝑗 ).
𝑠𝑖 𝑠𝑖 𝑠𝑖 𝑠
𝑗=2 𝑖

The left-hand side of (9.4.5) is a rational number with denominator 𝑠𝑛𝑖 , and is not
0, as 𝑚𝛼 has no rational roots. Thus the absolute value of the left-hand side in (9.4.5)
is at least 1/𝑠𝑛𝑖 . Multiplying (9.4.5) by 𝑠𝑖𝑛 we get
𝑛
𝑟 𝑟
(9.4.6) 1 ≤ ||𝑠𝑖𝑛 𝑎𝑛 (𝛼 − 𝑖 ) ∏( 𝑖 − 𝛼𝑗 )||.
𝑠𝑖 𝑗=2 𝑠𝑖

From (9.4.3) we obtain

𝑛 𝑛
𝑟𝑖
lim ∏( − 𝛼𝑗 ) = ∏(𝛼 − 𝛼𝑗 ).
𝑖→∞
𝑗=2
𝑠𝑖 𝑗=2

Combining this with (9.4.2), we see that the right-hand side of (9.4.6) tends to 0 for
𝑖 → ∞, which is an obvious contradiction. □

Liouville used Theorem 9.4.1 to construct transcendental numbers: If a real num-

ber 𝛼 can be approximated extremely well, then it must be transcendental. We can
obtain such an 𝛼 as the sum of an infinite series where the partial sums converge ex-
tremely quickly. Below we present Liouville’s construction in detail.

Theorem 9.4.2. The number

∞
1
(9.4.7) 𝛼= ∑ 𝑘!
= 0.110001000000000000000001 . . .
𝑘=1
10

is transcendental. The decimal digits at places 𝑘! are 1, all other digits are 0. ♣

Equation (9.4.7) defines a real number, as we see from the decimal representa-
tion form, it also follows from the convergence of the infinite series since the infinite
∞
geometric series ∑𝑘=1 10−𝑘 is its majorant.
298 9. Algebraic and Transcendental Numbers

Proof. We show that the partial sums of the infinite series (9.4.7) approximate 𝛼 very
well.
We write the 𝑚th partial sum as 𝑟𝑚 /𝑠𝑚 , where (𝑟𝑚 , 𝑠𝑚 ) = 1 and 𝑠𝑚 > 0. The
common denominator is 10𝑚! , and
𝑚
1 10𝐴 + 1
∑ = ,
𝑘=1
10 𝑘! 10𝑚!

thus 𝑠𝑚 = 10𝑚! . Then

∞ ∞
𝑟𝑚 1 1 10 10
0<𝛼− = ∑ < ∑ = = 𝑚+1 .
𝑠𝑚 𝑘=𝑚+1 10𝑘! 𝑗=(𝑚+1)! 10𝑗 9 ⋅ 10(𝑚+1)! 9𝑠𝑚

This implies

(9.4.8) |𝛼 − 𝑟𝑚 | < 10 .
| 𝑠𝑚 | 9𝑠𝑚+1
𝑚

Assume now that 𝛼 is algebraic and its degree is 𝑛. Since 𝛼 is not a periodic decimal
fraction, 𝛼 is irrational, so 𝑛 ≥ 2. By Theorem 9.4.1 there is a constant 𝑐(𝛼) > 0 such
that (9.4.1) holds for every rational number 𝑟/𝑠. Then this is true also for 𝑟𝑚 /𝑠𝑚 , so

(9.4.9) |𝛼 − 𝑟𝑚 | > 𝑐(𝛼) .

| 𝑠𝑚 | 𝑠𝑛𝑚
Combining (9.4.8) and (9.4.9), we get
𝑐(𝛼) 10 10
< 𝑚+1 , i.e. 𝑠𝑚−𝑛+1
𝑚 < ,
𝑠𝑛𝑚 9𝑠𝑚 9𝑐(𝛼)
which is a contradiction if 𝑚 is large enough. □

Theorem 9.4.1 can be improved significantly, as we mentioned in Remark 2 after

the theorem. Thue and Roth proved the following results that we state without proof:

Theorem 9.4.3 (Thue’s Theorem). Let 𝛼 be a real algebraic number of degree 𝑛 ≥ 3 and
𝑐 an arbitrarily large constant. Then the inequality
|𝛼 − 𝑟| 𝑐
(9.4.10) | <
𝑠 | 𝑠𝑛
is satisfied only by finitely many rational numbers 𝑟/𝑠. ♣

Theorem 9.4.4 (Roth’s Theorem). Let 𝛼 be an algebraic number and 𝜅 > 0 arbitrary.
Then the inequality

(9.4.11) |𝛼 − 𝑟 | < 1
| 𝑠 | 𝑠2+𝜅
is satisfied only by finitely many rational numbers 𝑟/𝑠. ♣

Remarks: (1) Roth’s theorem is clearly much stronger than Thue’s, but Thue’s theo-
rem already has important consequences for Diophantine equations (see Theo-
rem 9.4.5).
9.4. Approximation of Algebraic Numbers 299

(2) By Roth’s theorem, the exceptional set 𝐻 in Theorem 8.1.8 consists purely of tran-
scendental numbers. But Theorem 8.1.8 also demonstrates that (besides all alge-
braic numbers) most transcendental numbers can be approximated very
badly.

Diophantine approximation is closely related to the behavior of certain Diophan-

tine equations. We saw in Section 7.8 that if a positive integer 𝑚 is not a square, then
Pell’s equation 𝑥2 − 𝑚𝑦2 = 1 has infinitely many solutions (Theorem 7.8.1); this was
based on the fact that the irrational number √𝑚 can be approximated to order 2. Now
we shall rely on the poor approximation of algebraic numbers to show that certain
Diophantine equations of higher degree can have at most finitely many solutions.
Theorem 9.4.5. Let 𝑓 = 𝑎0 + 𝑎1 𝑥 + ⋯ + 𝑎𝑛 𝑥𝑛 be a polynomial of degree 𝑛 with integer
coefficients, where 𝑛 ≥ 3 and 𝑓 is irreducible over 𝐐. Then for any ( fixed) integer 𝑏, the
Diophantine equation
𝑧
(9.4.12) 𝑔(𝑦, 𝑧) = 𝑦𝑛 𝑓 ( ) = 𝑎0 𝑦𝑛 + 𝑎1 𝑦𝑛−1 𝑧 + ⋯ + 𝑎𝑛 𝑧𝑛 = 𝑏
𝑦
can have at most finitely many solutions. ♣

Proof. Assume that infinitely many pairs of integers (𝑦 𝑖 , 𝑧𝑖 ) satisfy (9.4.12). Since for
a given 𝑦 there can be at most 𝑛 values of 𝑧,
(9.4.13) lim |𝑦 𝑖 | = ∞,
𝑖→∞

and we may assume that none of the values 𝑦 𝑖 is 0.

Substituting (𝑦 𝑖 , 𝑧𝑖 ) into (9.4.12) and dividing by 𝑦𝑛𝑖 , we obtain
𝑧𝑖 𝑏
(9.4.14) 𝑓( ) = 𝑛.
𝑦𝑖 𝑦𝑖
From (9.4.13) and (9.4.14) we infer
𝑧𝑖
(9.4.15) lim 𝑓( ) = 0.
𝑖→∞ 𝑦𝑖
Let 𝛼1 , . . . , 𝛼𝑛 be the roots of 𝑓, so
𝑛
(9.4.16) 𝑓 = 𝑎𝑛 ∏(𝑥 − 𝛼𝑗 ).
𝑗=1

Substituting 𝑧𝑖 /𝑦 𝑖 , we get
𝑛
𝑧𝑖 𝑧
(9.4.17) 𝑓( ) = 𝑎𝑛 ∏( 𝑖 − 𝛼𝑗 ).
𝑦𝑖 𝑗=1
𝑦𝑖

By (9.4.15), the left-hand side of (9.4.17) tends to 0 for 𝑖 → ∞, thus, taking a suitable
subsequence of the indices 𝑖, the limit of some factor on the right-hand side has to be
0. Suppose it is the first factor on the right-hand side, and for convenience we use the
notation of the original sequence for the subsequence. So
𝑧 𝑧
(9.4.18) lim ( 𝑖 − 𝛼1 ) = 0 or lim 𝑖 = 𝛼1 .
𝑖→∞ 𝑦 𝑖 𝑖→∞ 𝑦 𝑖
300 9. Algebraic and Transcendental Numbers

This implies that 𝛼1 is a real number. By (9.4.18),

𝑛 𝑛
𝑧𝑖
(9.4.19) lim 𝑎𝑛 ∏( − 𝛼𝑗 ) = 𝑎𝑛 ∏(𝛼1 − 𝛼𝑗 ).
𝑖→∞
𝑗=2
𝑦𝑖 𝑗=2

Let 𝑑 denote the limit in (9.4.19). Due to the irreducibility of 𝑓, the numbers 𝛼𝑗 are
distinct, hence 𝑑 ≠ 0. Then
𝑛
(9.4.20) |𝑎 ∏( 𝑧𝑖 − 𝛼 )| > | 𝑑 |
| 𝑛 𝑦𝑖 𝑗 | |2|
𝑗=2

for 𝑖 large enough. Finally, from (9.4.14), (9.4.17), and (9.4.20) we obtain
| 𝑏 | | 𝑧𝑖 |
| 𝑛 | = |𝑓 ( )|
| 𝑦𝑖 | | 𝑦 𝑖 |
| 𝑛
𝑧 |
= ||𝑎𝑛 ∏ ( 𝑖 − 𝛼𝑗 )||
| 𝑗=1 𝑦 𝑖 |
𝑧 | | |
𝑛
| 𝑧
= |𝛼1 − 𝑖 | ⋅ ||𝑎𝑛 ∏ ( 𝑖 − 𝛼𝑗 )||
| 𝑦 𝑖 | | 𝑗=2 𝑦 𝑖 |
| 𝑧 | |𝑑|
> |𝛼1 − 𝑖 | ⋅ || || ,
| 𝑦𝑖 | 2
if 𝑖 is sufficiently large, so
| 𝑧 | | 2𝑏 1 |
(9.4.21) |𝛼1 − 𝑖 | < | ⋅ 𝑛 | .
| 𝑦 𝑖 | | 𝑑 𝑦𝑖 |
Since 𝛼1 is an algebraic number of degree 𝑛, (9.4.21) contradicts Theorem 9.4.3. □

If instead of Theorem 9.4.3 we rely on Theorem 9.4.4, then we can prove by similar
arguments that a much wider class of Diophantine equations cannot have infinitely
many solutions (see Exercise 9.4.3).

Exercises 9.4

1. An irrational number 𝛼 is a Liouville number if for every positive integer 𝑛 there

exists a rational number 𝑟/𝑠 satisfying 𝑠 > 1 and
|𝛼 − 𝑟 | < 1 .
| 𝑠 | 𝑠𝑛
By Theorem 9.4.1, every Liouville number is transcendental.
S (a) Let 𝛼 be a Liouville number, ℎ ≠ 0 a rational number, and 𝑘 a positive integer.
Verify that the following numbers are Liouville numbers:
(i) ℎ + 𝛼
(ii) ℎ𝛼
 9.5. Transcendence of 𝑒 301

(iii) 𝛼𝑘
(iv) 1/𝛼.
(b) Prove that there are infinitely many Liouville numbers, moreover, they have
the cardinality of the continuum.
2. Demonstrate that the statement of Theorem 9.4.5 remains valid for a polynomial
𝑓 of degree at least three with integer coefficients if we replace irreducibility over
𝐐 with one of the weaker conditions:
(a) 𝑓 has no divisor of degree 1 or 2 among polynomials with rational coefficients.
(b) If 𝑏 = 0, then 𝑓 has no rational roots, and if 𝑏 ≠ 0, then 𝑓 has no multiple
(complex) roots.
3. Let 𝑔(𝑦, 𝑧) be the polynomial in two variables defined in Theorem 9.4.5, and ℎ(𝑦, 𝑧)
be any polynomial in two variables of degree at most 𝑛−3 with integer coefficients.
Using Theorem 9.4.4, prove that the Diophantine equation 𝑔(𝑦, 𝑧) = ℎ(𝑦, 𝑧) cannot
have infinitely many solutions.
S 4. Show that if a polynomial is irreducible over 𝐐, then it cannot have multiple (com-
plex) roots.

9.5. Transcendence of 𝑒
First we show that 𝑒 (the base of natural logarithm) and 𝜋 are irrational numbers, then
we prove that 𝑒 is transcendental. We note that an improvement of the method can
yield the transcendence of 𝜋. An important consequence of this is that we cannot get
by Euclidean constructions a square having the same area as a given circle.
Theorem 9.5.1. 𝑒 is an irrational number. ♣

Proof. We use the representation of 𝑒 as the sum of an infinite series:

1 1 1
(9.5.1) 𝑒=1+ + +⋯+ + ... .
1! 2! 𝑛!
For a proof by contradiction, assume 𝑒 = 𝑎/𝑏, where 𝑎 and 𝑏 are positive integers. Then
𝑏! 𝑒 is an integer. Multiplying (9.5.1) by 𝑏!, we obtain
1 1
𝑏! 𝑒 = 𝑛𝑏 + + + ...
𝑏 + 1 (𝑏 + 1)(𝑏 + 2)
where 𝑛𝑏 is an integer depending on 𝑏. We have the following lower and upper bounds
for the integer 𝑏! 𝑒 − 𝑛𝑏 :
0 < 𝑏! 𝑒 − 𝑛𝑏
1 1
= + + ...
𝑏 + 1 (𝑏 + 1)(𝑏 + 2)
1 1
< + + ...
𝑏 + 1 (𝑏 + 1)2
1 1 1
= ⋅ = .
𝑏+1 1− 1 𝑏
𝑏+1
302 9. Algebraic and Transcendental Numbers

This means that the integer 𝑏! 𝑒 − 𝑛𝑏 lies between 0 and 1/𝑏, which is an obvious con-
tradiction. □

Theorem 9.5.2. 𝜋 is an irrational number. ♣

Proof. For a proof by contradiction, we assume 𝜋 = 𝑎/𝑏, where 𝑎 and 𝑏 are positive
integers.
Let 𝑛 be a large positive integer and 𝑓 be the polynomial of degree 2𝑛
𝑥𝑛 (1 − 𝑥)𝑛
𝑓(𝑥) = .
𝑛!
We consider the integral
1
𝐼 = 𝑎2𝑛+1 ∫ sin(𝜋𝑥)𝑓(𝑥) 𝑑𝑥.
0

We get a contradiction by showing that, on the one hand,

(A) 𝐼 is an integer,
but, on the other hand,
(B) 0 < 𝐼 < 1 if 𝑛 is sufficiently large.
We verify (B) first. Since for 0 < 𝑥 < 1,
1
0 < sin(𝜋𝑥) ≤ 1 and 0 < 𝑓(𝑥) < ,
𝑛!
so
𝑎2𝑛+1
0<𝐼< .
𝑛!
If 𝑛 is large enough, then 𝑎2𝑛+1 /𝑛! < 1, verifying (B).
Turning to (A), we show first that 𝑓 and all its derivatives assume integer values at
0 and 1, i.e.

(9.5.2) 𝑓(𝑚) (0) and 𝑓(𝑚) (1) are integers, 𝑚 = 0, 1, 2, . . . .

Since 𝑓(𝑥) = 𝑓(1 − 𝑥), 𝑓(𝑚) (𝑥) = (−1)𝑚 𝑓(𝑚) (1 − 𝑥) for every 𝑚, thus 𝑓(𝑚) (0) =
(−1)𝑚 𝑓(𝑚) (1). Therefore it is sufficient to deal with 𝑥 = 0.
Another form of 𝑓 is
1
𝑓(𝑥) = (𝑐 𝑥𝑛 + 𝑐𝑛+1 𝑥𝑛+1 + ⋯ + 𝑐 2𝑛 𝑥2𝑛 )
𝑛! 𝑛
with integer coefficients 𝑐 𝑖 . Hence

0, if 0 ≤ 𝑚 < 𝑛 or 𝑚 > 2𝑛
𝑓(𝑚) (0) = { 𝑐𝑚 𝑚!
= 𝑐𝑚 (𝑛 + 1)(𝑛 + 2) . . . 𝑚, if 𝑛 ≤ 𝑚 ≤ 2𝑛
𝑛!
which proves (9.5.2).
9.5. Transcendence of 𝑒 303

We shall integrate by parts several times to show that 𝐼 is an integer. Assuming

𝜋 = 𝑎/𝑏, the first such integration yields
1
𝐼 = 𝑎2𝑛+1 ∫ sin(𝜋𝑥)𝑓(𝑥) 𝑑𝑥 =
0
1 1
(9.5.3) − cos(𝜋𝑥)𝑓(𝑥) 𝑎2𝑛+1
= 𝑎2𝑛+1 [ ] − ∫ − cos(𝜋𝑥)𝑓′ (𝑥) 𝑑𝑥 =
𝜋 0 𝜋 0

= −𝑎2𝑛 𝑏(𝑓(1) cos 𝜋 − 𝑓(0) cos 0) + 𝐼1

where
1
𝐼1 = 𝑎2𝑛 𝑏 ∫ cos(𝜋𝑥)𝑓′ (𝑥) 𝑑𝑥.
0
As 𝑎, 𝑏, 𝑓(1), 𝑓(0), cos 𝜋, and cos 0 are integers, so by (9.5.3), 𝐼 is an integer if and only
if 𝐼1 is an integer.
We integrate 𝐼1 by parts, using 𝜋 = 𝑎/𝑏 again:
1
𝐼1 = 𝑎2𝑛 𝑏 ∫ cos(𝜋𝑥)𝑓′ (𝑥) 𝑑𝑥 =
0
1 1
sin(𝜋𝑥)𝑓′ (𝑥) 𝑎2𝑛 𝑏
= 𝑎2𝑛 𝑏 [ ] − ∫ sin(𝜋𝑥)𝑓″ (𝑥) 𝑑𝑥
𝜋 0 𝜋 0
= 𝑎2𝑛−1 𝑏2 (𝑓′ (1) sin 𝜋 − 𝑓′ (0) sin 0) − 𝐼2
where
1
𝐼2 = 𝑎2𝑛−1 𝑏2 ∫ sin(𝜋𝑥)𝑓″ (𝑥) 𝑑𝑥.
0
Similar to the previous step, 𝐼1 is an integer if and only if 𝐼2 is an integer.
Continuing the process, we arrive at
1
𝐼2𝑛+1 = 𝑏2𝑛+1 ∫ cos(𝜋𝑥)𝑓(2𝑛+1) (𝑥) 𝑑𝑥
0

and we have to show that it is an integer. Since 𝑓 is a polynomial of degree 2𝑛, 𝑓(2𝑛+1) (𝑥)
= 0, thus 𝐼2𝑛+1 = 0. Hence 𝐼2𝑛+1 , and so 𝐼 are integers, proving (A). □
Theorem 9.5.3. 𝑒 is a transcendental number. ♣

Proof. Assume that 𝑒 is algebraic, i.e.

(9.5.4) 𝑎0 + 𝑎1 𝑒 + ⋯ + 𝑎𝑛 𝑒𝑛 = 0.
for some integers 𝑛 ≥ 1 and 𝑎0 ≠ 0, 𝑎1 , . . . , 𝑎𝑛 . Similar to the irrationality of 𝜋, a
suitable integral will provide the contradiction.
Let 𝑓 be a polynomial to be specified later, deg 𝑓 = 𝑘, and consider the integral
𝑠
(9.5.5) 𝐼(𝑠) = ∫ 𝑒−𝑥 𝑓(𝑥) 𝑑𝑥
0
304 9. Algebraic and Transcendental Numbers

for an integer 𝑠 ≥ 0. Integrating by parts, we obtain

𝑠
𝑠
(9.5.6) 𝐼(𝑠) = [−𝑒−𝑥 𝑓(𝑥)]0 + ∫ 𝑒−𝑥 𝑓′ (𝑥) 𝑑𝑥 = 𝑓(0) − 𝑓(𝑠)𝑒−𝑠 + 𝐼1 (𝑠)
0
where
𝑠
𝐼1 (𝑠) = ∫ 𝑒−𝑥 𝑓′ (𝑥) 𝑑𝑥.
0
Similarly, integrating 𝐼1 (𝑠) by parts yields
𝑠
𝑠
(9.5.7) 𝐼1 (𝑠) = [−𝑒−𝑥 𝑓′ (𝑥)]0 + ∫ 𝑒−𝑥 𝑓″ (𝑥) 𝑑𝑥 = 𝑓′ (0) − 𝑓′ (𝑠)𝑒−𝑠 + 𝐼2 (𝑠)
0
where
𝑠
𝐼2 (𝑠) = ∫ 𝑒−𝑥 𝑓″ (𝑥) 𝑑𝑥.
0
Thus, by (9.5.6) and (9.5.7) we have
𝐼(𝑠) = [𝑓(0) + 𝑓′ (0)] − [𝑓(𝑠) + 𝑓′ (𝑠)]𝑒−𝑠 + 𝐼2 (𝑠).
Continuing the process, and using 𝐼𝑘+1 = 0 due to 𝑓(𝑘+1) = 0, we get
𝑠
𝐼(𝑠) = ∫ 𝑒−𝑥 𝑓(𝑥) 𝑑𝑥
(9.5.8) 0
= [𝑓(0) + 𝑓′ (0) + ⋯ + 𝑓(𝑘) (0)] − [𝑓(𝑠) + 𝑓′ (𝑠) + ⋯ + 𝑓(𝑘) (𝑠)]𝑒−𝑠 .
We multiply (9.5.8) by 𝑎𝑠 𝑒𝑠 , and add the equalities for 𝑠 = 0, 1, . . . , 𝑛:
𝑛 𝑛 𝑠
∑ 𝑎𝑠 𝑒𝑠 𝐼(𝑠) = ∑ 𝑎𝑠 𝑒𝑠 ∫ 𝑒−𝑥 𝑓(𝑥) 𝑑𝑥
𝑠=0 𝑠=0 0
𝑛
(9.5.9) = ∑ 𝑎𝑠 𝑒𝑠 [𝑓(0) + 𝑓′ (0) + ⋯ + 𝑓(𝑘) (0)]
𝑠=0
𝑛
− ∑ 𝑎𝑠 [𝑓(𝑠) + 𝑓′ (𝑠) + ⋯ + 𝑓(𝑘) (𝑠)].
𝑠=0

The sum in the second line of (9.5.9) is 0 by (9.5.4), thus (9.5.9) is equivalent to
𝑛 𝑠 𝑛
(9.5.10) ∑ 𝑎𝑠 𝑒𝑠 ∫ 𝑒−𝑥 𝑓(𝑥) 𝑑𝑥 = − ∑ 𝑎𝑠 [𝑓(𝑠) + 𝑓′ (𝑠) + ⋯ + 𝑓(𝑘) (𝑠)].
𝑠=0 0 𝑠=0

We achieve a contradiction by showing for a suitable 𝑓 that the left-hand side of

(9.5.10) has absolute value less than 1, whereas the right-hand side is a non-zero integer.
Let 𝑝 > 𝑛|𝑎0 | a (large) prime and
𝑥𝑝−1 (𝑥 − 1)𝑝 . . . (𝑥 − 𝑛)𝑝
(9.5.11) 𝑓(𝑥) = .
(𝑝 − 1)!
As a generalization of (9.5.2) in the proof of Theorem 9.5.2, we now show: If 𝑡 ≥ 0 and
𝑗 are integers, and ℎ(𝑥) is a polynomial with integer coefficients, then the polynomial
(𝑥 − 𝑗)𝑡 ℎ(𝑥)
𝑔(𝑥) =
𝑡!
9.5. Transcendence of 𝑒 305

and all its derivatives assume integer values at 𝑗, so 𝑔(𝑚) (𝑗) is an integer for every inte-
ger 𝑚. Writing 𝑔(𝑥) as
𝑑𝑡 (𝑥 − 𝑗)𝑡 + 𝑑𝑡+1 (𝑥 − 𝑗)𝑡+1 + ⋯ + 𝑑𝑟 (𝑥 − 𝑗)𝑟
𝑔(𝑥) = ,
𝑡!
we obtain
0, if 0 ≤ 𝑚 < 𝑡 or 𝑚 > 𝑟
(9.5.12) 𝑔(𝑚) (𝑗) = { 𝑑𝑚 𝑚!
= 𝑑𝑚 (𝑡 + 1)(𝑡 + 2) . . . 𝑚, if 𝑡 ≤ 𝑚 ≤ 𝑟.
𝑡!
Since
(𝑥 − 1)𝑝 ℎ1 (𝑥)
𝑓(𝑥) = 𝑝 ⋅ ,
𝑝!
where the polynomial ℎ1 (𝑥) has integer coefficients, applying (9.5.12) for 𝑔(𝑥) = 𝑓(𝑥)/𝑝,
𝑡 = 𝑝, 𝑗 = 1, and ℎ(𝑥) = ℎ1 (𝑥), we obtain that 𝑓(𝑚) (1) is an integer divisible by 𝑝 for
every 𝑚. Similarly,
(9.5.13) 𝑝 ∣ 𝑓(𝑚) (𝑗), 𝑗 = 1, 2, . . . , 𝑛, 𝑚 = 0, 1, 2, . . . .
Finally, writing 𝑓(𝑥) as
𝑥𝑝−1 ℎ0 (𝑥)
𝑓(𝑥) = ,
(𝑝 − 1)!
where the polynomial ℎ0 (𝑥) has integer coefficients, and applying (9.5.12) for 𝑔(𝑥) =
𝑓(𝑥), 𝑡 = 𝑝 − 1, 𝑗 = 0 and ℎ(𝑥) = ℎ0 (𝑥), we obtain that also 𝑓(𝑚) (0) is an integer for
every 𝑚, and
(9.5.14) 𝑝 ∤ 𝑓(𝑝−1) (0) = (−1)𝑛𝑝 (𝑛! )𝑝 , but 𝑝 ∣ 𝑓(𝑚) (0), if 𝑚 ≠ 𝑝 − 1,
this holds because (9.5.12) implies 𝑓(𝑚) (0) = 0 for 𝑚 < 𝑝−1, and the product 𝑓(𝑚) (0) =
𝑑𝑚 𝑝 . . . 𝑚 contains a factor 𝑝 for 𝑚 ≥ 𝑝.
By (9.5.13) and (9.5.14), we see that every term of the sum on the right-hand side
of (9.5.10) is an integer, and each is divisible by 𝑝 except the term 𝑎0 𝑓(𝑝−1) (0). Thus
the right-hand side of (9.5.10) is an integer not divisible by 𝑝, so it cannot be 0.
Now we show that the left-hand side of (9.5.10) has absolute value less than 1 for
𝑝 large enough. If 0 < 𝑥 < 𝑛, then
| 𝑥𝑝−1 (𝑥 − 1)𝑝 . . . (𝑥 − 𝑛)𝑝 | 𝑛(𝑛+1)𝑝−1
|𝑒−𝑥 | < 1 and |𝑓(𝑥)| = | |< ,
| (𝑝 − 1)! | (𝑝 − 1)!
hence
𝑛 𝑠 𝑛 𝑝
𝑒𝑛 (∑𝑠=0 |𝑎𝑠 |)(𝑛𝑛+1 )
(9.5.15) | ∑ 𝑎 𝑒𝑠 ∫ 𝑒−𝑥 𝑓(𝑥) 𝑑𝑥| ≤ .
| 𝑠 | (𝑝 − 1)!
𝑠=0 0

The right-hand side of (9.5.15) is of the form 𝐴⋅𝐵 𝑝 /(𝑝−1)!, where 𝐴 and 𝐵 are constants.
This expression tends to 0 for 𝑝 → ∞, so it will be less than 1 if 𝑝 is large enough.
Thus we have verified that the left-hand side of (9.5.10) has absolute value less
than 1, whereas the right-hand side is a nonzero integer. Thus the assumption (9.5.4)
led to a contradiction, and so 𝑒 cannot be an algebraic number. □
 306 9. Algebraic and Transcendental Numbers

Exercises 9.5

1. Let 𝑎1 < 𝑎2 < ⋯ < 𝑎𝑛 < . . . be a sequence of positive integers where 𝑎𝑛 ∣ 𝑎𝑛+1 for
every 𝑛 and every positive integer 𝑘 is a divisor of at least one 𝑎𝑛 . Show that the
∞
infinite series ∑𝑛=1 1/𝑎𝑛 is convergent and its sum is an irrational number.
2. Let 𝑟 denote a rational number. Prove:
(a) sin 1 and cos 1 are irrational.
* (b) If 0 < 𝑟 ≤ 𝜋, then at least one of sin 𝑟 and cos 𝑟 is irrational.
(c) If 0 < 𝑟 < 𝜋/2, then tan 𝑟 is irrational.
(The angles are given in radians. Do not rely on the fact stated before without proof
that sin 𝑛 is transcendental if 𝑛 is an integer. For trigonometric functions of angles
being rational measured in degrees, see Exercise 9.6.11.)
* 3. Refining the proof of Theorem 9.5.2, show that 𝜋2 is irrational.

9.6. Algebraic Integers

Algebraic integers are special algebraic numbers that can be considered as generaliza-
tions of (ordinary) integers.
In preparation, we give a characterization of integers within the rationals that can
be then extended to algebraic numbers.
The rational numbers are exactly the algebraic numbers of degree one and a mini-
mal polynomial of a rational number 𝑟 is 𝑥 − 𝑟. This minimal polynomial with leading
coefficient 1 has integer coefficients if and only if 𝑟 is an integer. Thus we can distin-
guish the integers among the rational numbers by observing that they have a minimal
polynomial with integer coefficients and leading coefficient 1.
Extending this property to algebraic numbers, we get the notion of algebraic inte-
gers.
Definition 9.6.1. An algebraic number is an algebraic integer if it has a minimal poly-
nomial with integer coefficients and leading coefficient 1. ♣

For convenience, minimal polynomials will have leading coefficient 1 in this sec-
tion.
Examples. E1 A rational number 𝑟 is an algebraic integer if and only if 𝑟 is an integer
(this was our starting point in creating the definition of algebraic integers).
3 3
E2 √ 2 is an algebraic integer, but √ 1/2 is not, since their minimal polynomials are
𝑥3 − 2 and 𝑥3 − (1/2).
E3 The Gaussian integers discussed in Section 7.4 are algebraic integers. Moreover,
considering the Gaussian rationals, those complex numbers 𝑎 + 𝑏𝑖 where 𝑎 and 𝑏
are rational, exactly the Gaussian integers are algebraic integers among them (see
Exercise 9.6.3 a,f). A similar statement is true also for Eulerian integers and the
9.6. Algebraic Integers 307

corresponding Eulerian rationals investigated in Section 7.7. In Chapters 10 and

11 we shall develop number theory in detail for similar types of algebraic integers.

The following theorem makes it possible to verify that a number is an algebraic

integer without determining its minimal polynomial, but it cannot be applied to prove
that the number is not an algebraic integer.
Theorem 9.6.2. A complex number 𝛼 is an algebraic integer if and only if there exists a
polynomial 𝑓 with integer coefficients and leading coefficient 1 with 𝑓(𝛼) = 0. ♣

Proof. If 𝛼 is an algebraic integer, then an appropriate 𝑓 is its minimal polynomial 𝑚𝛼

which has leading coefficient 1.
For the converse, assume that 𝑓(𝛼) = 0 for some polynomial with integer coef-
ficients and leading coefficient 1. By Theorem 9.2.3, 𝑚𝛼 ∣ 𝑓, so 𝑓 = 𝑔𝑚𝛼 for some
polynomial 𝑔 with rational coefficients. The leading coefficients of 𝑓 and 𝑚𝛼 are 1,
so 𝑔 has leading coefficient 1. We use now a basic lemma of Gauss stating that if a
non-zero polynomial with integer coefficients is a product of two polynomials with ra-
tional coefficients, then it is the product of two polynomials with integer coefficients
obtained from the original factors by multiplying them with suitable constants. As 𝑓
has integer coefficients and 𝑓 = 𝑔𝑚𝛼 , there exists a rational number 𝑐 such that both
𝑐𝑔 and (1/𝑐)𝑚𝛼 have integer coefficients. Then their leading coefficients are 𝑐 and 1/𝑐,
which both are integers if and only if 𝑐 = ±1. This means that 𝑚𝛼 and 𝑔 have integer
coefficients, so 𝛼 is an algebraic integer by definition, indeed. □

Remarks: (1) We can use Theorem 9.6.2 to show that a complex root of unity is an
algebraic integer without referring to the cyclotomic polynomials: An 𝑛th root of
unity is a root of 𝑥𝑛 − 1 having integer coefficients and leading coefficient 1.
(2) As we mentioned, we cannot use Theorem 9.6.2 to prove that a given number is
not an algebraic integer. If 𝛼 is a root of even infinitely many polynomials with
rational coefficients where not all coefficients are integers and the leading co-
efficients are 1, we have no information about whether or not 𝛼 is an algebraic
integer. For example, 1 is an algebraic integer, but it is a root of polynomials
𝑓𝑛 = (𝑥 − 1)(𝑥 − 1/2)𝑛 (𝑛 = 1, 2, . . . ), each having rational coefficients not all of
which are integers and leading coefficient is 1. We can construct similar examples
for any algebraic integer. To verify that an algebraic number is not an algebraic
integer, we need its minimal polynomial.

Now we discuss the connection of algebraic integers to operations. The next theo-
rem summarizes the analogs of Theorems 9.3.1, 9.3.4, and 9.3.6 for algebraic integers.
Theorem 9.6.3. (i) The algebraic integers form a subring of the complex numbers, so
sums, differences, and products of algebraic integers are algebraic integers, as well,
(though this is not true for quotients in general).
(ii) Powers of algebraic integers with rational exponents are algebraic integers.
(iii) If the coefficients of a polynomial 𝑓 are algebraic integers and its leading coefficient
is 1, then its roots are algebraic integers. ♣
 308 9. Algebraic and Transcendental Numbers

Proof. We can adapt the proofs seen for algebraic numbers in Theorems 9.3.1, 9.3.4,
and 9.3.6: we just replace the phrases “algebraic number” with “algebraic integer”,
“rational number” with “integer”, and “with rational coefficients” with “with integer
coefficients and leading coefficient 1.” (Disregard, of course, the parts about recipro-
cals. In adapting the proof of Theorem 9.3.6 note that 𝜉 = 1, so we do not need the 𝜉𝑘 .)
We leave to the reader to check each step in detail. □

Exercises 9.6

1. Show that if 𝛼 is an algebraic integer, then so are 𝛼, 2Re(𝛼), 2Im(𝛼), and |𝛼|.
2. Which are algebraic integers?
5 7
(a) √ 5 + (√ 7/2)
(b) (1 + √3)/2
(c) (1 + 𝑖√3)/2
(d) cos 1∘ .
3. Let 𝛼 = 𝑎 + 𝑏𝑖 be a complex number, where 𝑎 and 𝑏 are real numbers. True or
false?
(a) If 𝑎 and 𝑏 are algebraic integers, then so is 𝛼.
(b) If 𝑎 is an algebraic integer, then so is 𝛼.
(c) If 𝑎 and |𝛼| are algebraic integers, then so is 𝛼.
(d) If 𝛼 is an algebraic integer, then so are 𝑎 and 𝑏.
(e) If 𝛼 and 𝑎 are algebraic integers, then so is 𝑏.
(f) If 𝛼 is an algebraic integer and 𝑎 and 𝑏 are rational numbers, then 𝑎 and 𝑏 are
integers.
(g) If 𝛼 + 3𝛽 and 5𝛼 + 7𝛽 are algebraic integers, then so are 𝛼 and 𝛽.
(h) If 𝛼 + 𝛽 and 𝛼𝛽 are algebraic integers, then so are 𝛼 and 𝛽.
4. Investigate the variant of Fermat’s Last Theorem for algebraic integers: For an ex-
ponent 𝑛 ≥ 3, is the equation 𝑥𝑛 + 𝑦𝑛 = 𝑧𝑛 solvable in non-zero algebraic integers?
S 5. Let 𝑓 be a polynomial with rational coefficients where not all coefficients are in-
tegers and the leading coefficient is 1, and consider its (complex) roots. True or
false?
(a) At least one root of 𝑓 is not an algebraic integer.
(b) No root of 𝑓 is an algebraic integer.
(c) If 𝑓 is irreducible over 𝐐, then no root of 𝑓 is an algebraic integer.
(d) If exactly one of the roots of 𝑓 is not an algebraic integer, then 𝑓 has a rational
root.
6. Prove that every algebraic number is the quotient of two algebraic integers, more-
over, we can require that either of them is an (ordinary) integer.
 Exercises 9.6 309

7. How can we see from the minimal polynomial of an algebraic integer 𝛼 that also
1/𝛼 is an algebraic integer?
8. Verify.
(a) For any algebraic integer 𝛼 there exist infinitely many algebraic integers 𝛽
such that 𝛼/𝛽 is an algebraic integer.
(b) For an algebraic integer 𝛼 ≠ 0 there exist infinitely many algebraic integers 𝛽
where 1/𝛽 is not, but 𝛼/𝛽 is, an algebraic integer if and only if 1/𝛼 is not an
algebraic integer.
(c) For any algebraic integer 𝛼 ≠ 0 there exist only finitely many integers 𝑏 for
which 𝛼/𝑏 is an algebraic integer.
9. Is there a complex number of absolute value one that is not a root of unity, but still
is (a) an algebraic number ∗ (b) an algebraic integer?
* 10. (a) Verify that if 𝑛 ≥ 2, then the real algebraic integers of degree 𝑛 are everywhere
dense in the real number line.
(b) Are the algebraic integers of degree 𝑛 everywhere dense on the complex plane
if (b1) 𝑛 = 2 (b2) 𝑛 = 4?
11. (a) Let 𝑟 be a real number. Prove that at least one of 𝑟 and cos 𝑟∘ is irrational,
except if 𝑟 is an integer divisible by 60 or 90.
(b) Formulate and prove similar statements for sine and tangent.
 Chapter 10

Algebraic Number Fields

The simple algebraic extensions of the rational field are called algebraic number fields.
In this chapter we deal with such extensions and with the arithmetic properties of al-
gebraic integers in them. We discuss algebraic integers of quadratic fields in detail. As
special cases, we have already seen Gaussian and Eulerian integers in Chapter 7, and
applied them to handle the Diophantine equations 𝑥2 + 𝑦2 = 𝑛 and 𝑥3 + 𝑦3 = 𝑧3 . We
continue studying algebraic number fields in the next chapter with the help of ideals.
The general introductory section about extensions is valid for any (commutative)
field, but we shall apply these notions and facts for subfields of the complex numbers
only. In this chapter we shall often rely on some basic notions and theorems from linear
algebra, mostly related to the dimension of vector spaces.

10.1. Field Extensions

Field will always mean a commutative field.
Definition 10.1.1. A field 𝑀 is an extension of the field 𝐿 if 𝐿 is a subfield of 𝑀, i.e.
𝐿 ⊆ 𝑀, and the operations in 𝐿 are the restrictions of the operations in 𝑀. ♣

The usual notation for this relation is 𝑀 ∣ 𝐿 or 𝑀/𝐿, but as this might be confused
with some other notion, we shall use the notation 𝑀 ∶ 𝐿.
If 𝑀 is an extension of 𝐿, then 𝑀 is also a vector space over 𝐿 under the naturally
arising operations. These vector space operations come from the field operations of 𝑀:
we add two vectors in 𝑀 as two elements of the field 𝑀, and multiply a vector in 𝑀 by
a scalar in 𝐿 so that we form the product of these two elements in the field 𝑀.
We have a special name and notation for the dimension of 𝑀 as a vector space over
the field 𝐿:
Definition 10.1.2. If 𝑀 is an extension of 𝐿, then the dimension of 𝑀 as a vector
space over 𝐿 is called the degree of the extension and is denoted by deg(𝑀 ∶ 𝐿). If this
dimension is finite, we say that the extension is finite (or has a finite degree). ♣

311
312 10. Algebraic Number Fields

Examples. deg(𝐂 ∶ 𝐑) = 2, deg(𝐑 ∶ 𝐐) = ∞.

An important fact is that the degree of a chain of extensions is the product of the
degrees of the links:
Theorem 10.1.3 (Tower Theorem). If deg(𝑁 ∶ 𝑀) < ∞ and deg(𝑀 ∶ 𝐿) < ∞ in the
chain of extensions 𝐿 ⊆ 𝑀 ⊆ 𝑁, then
(10.1.1) deg(𝑁 ∶ 𝐿) = deg(𝑁 ∶ 𝑀) ⋅ deg(𝑀 ∶ 𝐿). ♣

We note that the theorem can be extended to infinite degrees: If at least one of
deg(𝑁 ∶ 𝑀) and deg(𝑀 ∶ 𝐿) is infinite, then deg(𝑁 ∶ 𝐿) is infinite and (10.1.1) remains
valid in the more refined sense when the degrees mean the cardinalities of the bases.

Proof. We denote the elements of 𝐿, 𝑀, and 𝑁 with Greek letters, minuscules, and
capitals, respectively.
Let 𝑏1 , . . . , 𝑏𝑛 be a basis in the vector space 𝑀 ∶ 𝐿, and let 𝐶1 , . . . , 𝐶𝑘 be a basis in
𝑁 ∶ 𝑀. We are done if we verify that the 𝑘𝑛 vectors
(10.1.2) 𝑏𝑖 𝐶𝑗 , 𝑖 = 1, 2, . . . , 𝑛, 𝑗 = 1, 2, . . . , 𝑘
form a basis in 𝑁 ∶ 𝐿.
We show first that the vectors in (10.1.2) are linearly independent in 𝑁 ∶ 𝐿. Con-
sider a linear combination
𝑛 𝑘
(10.1.3) ∑ ∑ 𝜆𝑖𝑗 (𝑏𝑖 𝐶𝑗 ) = 0
𝑖=1 𝑗=1

with scalars 𝜆𝑖𝑗 ∈ 𝐿. Transforming the left-hand side of (10.1.3) using identities in the
field 𝑁, we obtain
𝑘 𝑛
(10.1.4) ∑ ( ∑ 𝜆𝑖𝑗 𝑏𝑖 )𝐶𝑗 = 0.
𝑗=1 𝑖=1

Since 𝐶1 , . . . , 𝐶𝑘 are linearly independent in 𝑁 ∶ 𝑀, (10.1.4) implies

𝑛
(10.1.5) ∑ 𝜆𝑖𝑗 𝑏𝑖 = 0, 𝑗 = 1, . . . , 𝑘.
𝑖=1

Now we apply the fact that 𝑏1 , . . . , 𝑏𝑛 are linearly independent in 𝑀 ∶ 𝐿. Then (10.1.5)
yields that every 𝜆𝑖𝑗 = 0. Thus we have proved that 𝑏𝑖 𝐶𝑗 are linearly independent in
𝑁 ∶ 𝐿.
Now we demonstrate that 𝑏𝑖 𝐶𝑗 span 𝑁 ∶ 𝐿. As 𝐶1 , . . . , 𝐶𝑘 span 𝑁 ∶ 𝑀, therefore
every 𝑈 ∈ 𝑁 has a representation
(10.1.6) 𝑈 = 𝑣 1 𝐶1 + ⋯ + 𝑣 𝑘 𝐶𝑘
with some 𝑣𝑗 ∈ 𝑀. Also, 𝑏1 , . . . , 𝑏𝑛 span 𝑀 ∶ 𝐿, thus every 𝑣𝑗 is a linear combination
of the vectors 𝑏𝑖 :
(10.1.7) 𝑣𝑗 = 𝛼1𝑗 𝑏1 + ⋯ + 𝛼𝑛𝑗 𝑏𝑛 , 𝛼𝑖𝑗 ∈ 𝐿, 1 ≤ 𝑖 ≤ 𝑛, 1 ≤ 𝑗 ≤ 𝑘.
10.1. Field Extensions 313

Substituting the representations in (10.1.7) into (10.1.6), we obtain

𝑛 𝑘
𝑈 = ∑ ∑ 𝛼𝑖𝑗 𝑏𝑖 𝐶𝑗 ,
𝑖=1 𝑗=1

which means that 𝑏𝑖 𝐶𝑗 span 𝑁 ∶ 𝐿. □

Now we generalize the notion of algebraic numbers.

Definition 10.1.4. Let 𝐿 be a subfield in 𝑀. An element 𝜗 ∈ 𝑀 is algebraic over the

field 𝐿 if 𝑓(𝜗) = 0 for some non-zero polynomial 𝑓 ∈ 𝐿[𝑥]. ♣

Examples. The algebraic numbers are the special case 𝐿 = 𝐐, 𝑀 = 𝐂.

Over the real or complex field every complex number is algebraic (see Exercise
9.1.7).

The minimal polynomial and degree of an algebraic element are defined analo-
gously to Definitions 9.2.1 and 9.2.4:

Definition 10.1.5. Let 𝐿 be a subfield in 𝑀. The minimal polynomial of an algebraic

element 𝜗 ∈ 𝑀 over 𝐿 is a polynomial in 𝐿[𝑥] of minimal degree having 𝜗 among its
roots. The degree of 𝜗 is the degree of its minimal polynomial. ♣

The minimal polynomial and the degree depend not only on 𝜗 but also on over
which field 𝐿 we consider 𝜗. For example the minimal polynomial of √2 over 𝐐 is
𝑥2 − 2, but over 𝐑 it is 𝑥 − √2. It can be shown that modifying 𝑀 does not influence
the minimal polynomial of 𝜗.
Accordingly, in the notation 𝑚𝜗,𝐿 and deg𝐿 𝜗 of the minimal polynomial and de-
gree we have to indicate also the field 𝐿 (in the case 𝐿 = 𝐐 of algebraic numbers we
keep the previous fieldless notations 𝑚𝜗 and deg 𝜗).
The analogues of Theorems 9.2.2 and 9.2.3 remain valid for minimal polynomials
of algebraic elements.

Theorem 10.1.6. Let 𝐿 be a subfield in 𝑀 and 𝜗 ∈ 𝑀 an algebraic element over 𝐿. Then

(i) the minimal polynomial 𝑚𝜗,𝐿 is unique apart from a constant factor in 𝐿
(ii) for polynomials 𝑓 ∈ 𝐿[𝑥], we have 𝑓(𝜗) = 0 if and only if 𝑚𝜗,𝐿 ∣ 𝑓
(iii) a polynomial 𝑔 ∈ 𝐿[𝑥] is a minimal polynomial of 𝜗 if and only if 𝑔(𝜗) = 0 and 𝑔 is
irreducible over 𝐿. ♣

The proofs are exactly the same as for Theorems 9.2.2 and 9.2.3.
The following fact is useful information about the structure of certain extensions.

Theorem 10.1.7. If deg(𝑀 ∶ 𝐿) < ∞, then every element of 𝑀 is algebraic over 𝐿. ♣

Proof. Let deg(𝑀 ∶ 𝐿) = 𝑛, and let 1 denote the common identity element of the
fields 𝐿 and 𝑀. Then for any 𝑣 ∈ 𝑀, the number of elements 1, 𝑣, 𝑣2 , . . . , 𝑣𝑛 is greater
314 10. Algebraic Number Fields

than the dimension of the vector space 𝑀 ∶ 𝐿, thus they are linearly dependent. This
means
𝛼0 + 𝛼 1 𝑣 + ⋯ + 𝛼 𝑛 𝑣 𝑛 = 0
for some scalars 𝛼0 , . . . , 𝛼𝑛 ∈ 𝐿 not all 0. So 𝑣 is a root of the non-zero polynomial
𝑓 = 𝛼0 + 𝛼1 𝑥 + ⋯ + 𝛼𝑛 𝑥𝑛 , i.e. 𝑣 is an algebraic element over 𝐿. □

Remarks: (1) We obtained also deg𝐿 𝑣 ≤ deg(𝑀 ∶ 𝐿) from the proof. We shall show a
stronger result, deg𝐿 𝑣 ∣ deg(𝑀 ∶ 𝐿), in Theorem 10.2.5.
(2) The converse of Theorem 10.1.7 is false. For example, let 𝐿 be the rational field and
𝑀 the field of all algebraic numbers (over 𝐐). Then every element in 𝑀 is algebraic
over 𝐿 (by definition), but deg(𝑀 ∶ 𝐿) = ∞, because deg(𝑀 ∶ 𝐿) = 𝑛 < ∞ would
imply by the previous remark that every algebraic number has degree at most 𝑛,
which contradicts the existence of algebraic numbers of arbitrarily large degrees
(Section 9.2, Example E4).

Exercises 10.1

1. Verify that if deg(𝑀 ∶ 𝐿) is a prime and a subfield 𝐹 in 𝑀 contains 𝐿, then 𝐹 = 𝑀

or 𝐹 = 𝐿.
2. Let 𝐺 = { 𝑎 + 𝑏𝑖 ∣ 𝑎, 𝑏 ∈ 𝐐 } be the field of Gaussian rationals and 𝐴 the field of
algebraic numbers. Compute
(a) deg(𝐺 ∶ 𝐐)
(b) deg(𝐂 ∶ 𝐴)
(c) deg(𝐴 ∶ 𝐺).
3. Let 𝐾 = { 𝑎 + 𝑏√2 ∣ 𝑎, 𝑏 ∈ 𝐐 }. Clearly, 𝐾 is a subfield in 𝐑.
(a) Prove that a complex number 𝛼 is algebraic over 𝐾 if and only if it is algebraic
over 𝐐 (i.e. it is an algebraic number).
(b) Determine the degrees of the complex numbers over 𝐾:
(b1) 3 + 7√2
(b2) √2 + 𝑖
4
(b3) √ 2
3
(b4) √ 2.
4. Consider the chain of extensions 𝐿 ⊆ 𝑀 ⊆ 𝑁, and let 𝜗 ∈ 𝑁.
(a) True or false?
(a1) If 𝜗 is algebraic over 𝐿, then it is algebraic over 𝑀.
(a2) If 𝜗 is algebraic over 𝑀, then it is algebraic over 𝐿.
(b) If 𝜗 is algebraic over both 𝑀 and 𝐿, what is the relation between 𝑚𝜗,𝑀 and
𝑚𝜗,𝐿 , and between deg𝑀 𝜗 and deg𝐿 𝜗?
10.2. Simple Algebraic Extensions 315

10.2. Simple Algebraic Extensions

The simplest and most important type of extension occurs when the extension is gen-
erated by a single element. For convenience, we discuss this notion only for the special
case 𝐐(𝜗), when we adjoin a complex number 𝜗 to the rational field, but everything
holds in general when 𝐐 is replaced by any field 𝐿 and instead of 𝜗 ∈ 𝐂 we consider
𝜗 ∈ 𝑀 where the field 𝑀 is an arbitrary extension of 𝐿.
By a simple extension of 𝐐 with a complex number 𝜗, we shall mean the set of com-
plex numbers obtained from rational numbers and 𝜗 by the four arithmetic operations
of the complex field. We consider all elements 𝑎0 + 𝑎1 𝜗 + ⋯ + 𝑎𝑛 𝜗𝑛 , where 𝑛 is an
arbitrary non-negative integer and the 𝑎𝑖 are rational numbers and form the quotients
of such expressions. The number 𝑎0 + 𝑎1 𝜗 + ⋯ + 𝑎𝑛 𝜗𝑛 is just the value 𝑔(𝜗) ∈ 𝐂 of
the polynomial 𝑔 = 𝑎0 + 𝑎1 𝑥 + ⋯ + 𝑎𝑛 𝑥𝑛 ∈ 𝐐[𝑥] at 𝜗. Thus the quotients are com-
plex numbers 𝑔(𝜗)/ℎ(𝜗), where 𝑔 and ℎ are arbitrary polynomials in 𝐐[𝑥] and ℎ(𝜗) ≠ 0.
These elements constitute the smallest subfield of 𝐂 containing 𝜗 and 𝐐. We formulate
all this precisely in the following definition and theorem.
Definition 10.2.1. For a complex number 𝜗, consider the set of complex numbers
𝑔(𝜗)
(10.2.1) , where 𝑔, ℎ ∈ 𝐐[𝑥], ℎ(𝜗) ≠ 0,
ℎ(𝜗)
or, written in detail,
𝑛 𝑘
∑𝑖=0 𝑎𝑖 𝜗𝑖
(10.2.2) 𝑘
, where 𝑎𝑖 , 𝑏𝑗 ∈ 𝐐, ∑ 𝑏𝑗 𝜗𝑗 ≠ 0, 𝑛, 𝑘 = 0, 1, 2, . . . .
∑𝑗=0 𝑏𝑗 𝜗𝑗 𝑗=0

This set is called a simple extension of the field 𝐐 with 𝜗, and is denoted by 𝐐(𝜗). If 𝜗
is an algebraic number, then we speak about a simple algebraic extension. ♣
Theorem 10.2.2. 𝐐(𝜗) is the smallest subfield in the complex field containing 𝜗 and the
rational field, so
(i) 𝐐(𝜗) is a subfield in 𝐂
(ii) 𝜗 ∈ 𝐐(𝜗), 𝐐 ⊆ 𝐐(𝜗)
(iii) if 𝐹 is a subfield in 𝐂 and 𝜗 ∈ 𝐹, 𝐐 ⊆ 𝐹, then 𝐐(𝜗) ⊆ 𝐹. ♣

Proof. (i) We have to show that sums, differences, products, and, if the divisor is not
0, quotients of elements in (10.2.1) are in (10.2.1). Clearly,
𝑔1 (𝜗) 𝑔2 (𝜗) 𝑔(𝜗)
+ = ,
ℎ1 (𝜗) ℎ2 (𝜗) ℎ(𝜗)
where 𝑔 = 𝑔1 ℎ2 + 𝑔2 ℎ1 and ℎ = ℎ1 ℎ2 are polynomials with rational coefficients and
ℎ(𝜗) = ℎ1 (𝜗)ℎ2 (𝜗) ≠ 0, since there are no zero divisors in the complex field. The
statements for differences, products, and quotients can be verified similarly.
(ii) If 𝑔 = 𝑥 and ℎ = 1, then 𝑔(𝜗)/ℎ(𝜗) = 𝜗, so 𝜗 ∈ 𝐐(𝜗). If 𝑟 is a rational number,
then choosing polynomials 𝑔 = 𝑟 and ℎ = 1, we have 𝑔(𝜗)/ℎ(𝜗) = 𝑟, thus 𝑟 ∈ 𝐐(𝜗).
(iii) If a subfield 𝐹 of the complex numbers contains 𝜗 and 𝐐, then the sums of
any products formed from 𝜗 and rational numbers and the quotients of such sums are
316 10. Algebraic Number Fields

in 𝐹. This means that every complex number in (10.2.2) is an element of 𝐹, hence

𝐐(𝜗) ⊆ 𝐹. □

We show that if 𝜗 is an algebraic number, then the elements of 𝐐(𝜗) have a simpler
representation.
As an example, consider the extension 𝐐(√2) of the rational field with √2. This
is the set 𝐹 of numbers 𝑎0 + 𝑎1 √2, where 𝑎𝑖 ∈ 𝐐, since 𝐹 is a field containing √2 and
the rational numbers, and it is obviously the smallest field having this property. This
means that compared to the form of elements in Definition 10.2.1, we need neither
division, nor powers of √2 with exponents greater than 1.
3 3
If instead of √2, we consider the extension 𝐐( √ 5) with √ 5, then we need only
3
powers of √ 5 with exponents at most 2, since the higher powers can be expressed by
these and with suitable rational numbers.
In the general case, we have:
Theorem 10.2.3. If 𝜗 is an algebraic number of degree 𝑛, then the elements of 𝐐(𝜗) can
be uniquely represented in the form
𝑎0 + 𝑎1 𝜗 + ⋯ + 𝑎𝑛−1 𝜗𝑛−1
with rational numbers 𝑎𝑖 . In other words, to every 𝛼 ∈ 𝐐(𝜗) there exists exactly one
polynomial 𝑓 ∈ 𝐐[𝑥] satisfying
𝛼 = 𝑓(𝜗) and deg 𝑓 ≤ 𝑛 − 1 or 𝑓 = 0. ♣

Proof. I. First we show that there is no need for denominators in (10.2.1), i.e. if 𝑔, ℎ ∈
𝐐[𝑥] and ℎ(𝜗) ≠ 0, then 𝑔(𝜗)/ℎ(𝜗) = 𝑡(𝜗) for some polynomial 𝑡 ∈ 𝐐[𝑥].
We perform the following equivalent transformations (relying on the condition
ℎ(𝜗) ≠ 0 and on Theorem 9.2.3(i)):
𝑔(𝜗)/ℎ(𝜗) = 𝑡(𝜗) ⟺ 𝑔(𝜗) = ℎ(𝜗)𝑡(𝜗) ⟺ (𝑔 − ℎ𝑡)(𝜗) = 0 ⟺
⟺ 𝑚𝜗 ∣ 𝑔 − ℎ𝑡 ⟺ 𝑔 = ℎ𝑡 + 𝑚𝜗 𝑠, where 𝑠 ∈ 𝐐[𝑥].
Thus we have to verify the existence of polynomials 𝑡 and 𝑠 with rational coefficients
satisfying
(10.2.3) 𝑔 = ℎ𝑡 + 𝑚𝜗 𝑠.
Equality (10.2.3) looks like a linear Diophantine equation, where 𝑡 and 𝑠 are the vari-
ables, with integers replaced here by polynomials with rational coefficients. The nec-
essary and sufficient condition for the solvability of a linear Diophantine equation was
discussed in Theorem 1.3.6, and in the proof we relied only on a consequence of the
Euclidean algorithm, i.e. we needed only the division algorithm. Since there is a divi-
sion algorithm for polynomials over a field, therefore the condition of solvability is the
same for Diophantine equations with polynomials. Thus we have to show (ℎ, 𝑚𝜗 ) ∣ 𝑔
for the solvability of (10.2.3).
The polynomial 𝑚𝜗 is irreducible over 𝐐, so (ℎ, 𝑚𝜗 ) = 1 or 𝑚𝜗 . But the latter
would imply ℎ(𝜗) = 0, so only (ℎ, 𝑚𝜗 ) = 1 is possible and (ℎ, 𝑚𝜗 ) ∣ 𝑔. This means, as
10.2. Simple Algebraic Extensions 317

we have seen before, that (10.2.3) is solvable and we obtain a polynomial 𝑡 satisfying
𝑡(𝜗) = 𝑔(𝜗)/ℎ(𝜗).
II. We have proved so far that every 𝛼 ∈ 𝐐(𝜗) can be written as 𝛼 = 𝑡(𝜗) with
a suitable polynomial 𝑡 ∈ 𝐐[𝑥]. Now we show that 𝛼 = 𝑓(𝜗) can be gotten with a
polynomial 𝑓 ∈ 𝐐[𝑥] where deg 𝑓 ≤ 𝑛 − 1 or 𝑓 = 0.
Apply the division algorithm to 𝑡 and 𝑚𝜗 . We claim that we can choose the re-
mainder as 𝑓. If
𝑡 = 𝑞𝑚𝜗 + 𝑓, where deg 𝑓 ≤ 𝑛 − 1 or 𝑓 = 0,
then
𝛼 = 𝑡(𝜗) = 𝑞(𝜗)𝑚𝜗 (𝜗) + 𝑓(𝜗) = 0 + 𝑓(𝜗) = 𝑓(𝜗).
III. We show that 𝑓 is unique. Assume that the polynomials 𝑓1 and 𝑓2 with rational
coefficients satisfy
𝑓1 (𝜗) = 𝑓2 (𝜗) and deg 𝑓𝑖 ≤ 𝑛 − 1 or 𝑓𝑖 = 0, 𝑖 = 1, 2.
Then the polynomial 𝑓3 = 𝑓1 − 𝑓2 has rational coefficients, 𝑓3 (𝜗) = 0, and deg 𝑓3 < 𝑛
or 𝑓3 = 0. Since deg 𝜗 = 𝑛, only 𝑓3 = 0 is possible. So 𝑓1 = 𝑓2 and the polynomial 𝑓 in
the theorem is unique. □

Theorem 10.2.3 expresses that the elements 1, 𝜗, . . . , 𝜗𝑛−1 form a basis in the vec-
tor space 𝐐(𝜗) over 𝐐. Thus the dimension of this vector space, i.e. the degree of the
extension 𝐐(𝜗) ∶ 𝐐 is equal to the degree of the algebraic number 𝜗. We restate this
important fact as a theorem:
Theorem 10.2.4. If 𝜗 is an algebraic number, then deg(𝐐(𝜗) ∶ 𝐐) = deg 𝜗. ♣

We can add to Theorems 10.2.3 and 10.2.4, that if 𝜗 is a transcendental number,

then there is no simpler form than given in Definition 10.2.1 for representing the ele-
ments of 𝐐(𝜗), and the degree of the extension 𝐐(𝜗) ∶ 𝐐 is infinite. In this case, the
field 𝐐(𝜗) is isomorphic to the field of formal quotients of polynomials with rational
coefficients, called the quotient field of 𝐐[𝑥] or the field of algebraic fractions over 𝐐
(see Exercise 10.2.13).
We also note that if 𝜗 is an algebraic number, then by Theorem 10.2.3, we can
think of the elements in 𝐐(𝜗) as remainders on division by the polynomial 𝑚𝜗 : in this
case the field 𝐐(𝜗) is isomorphic to the factor ring 𝐐[𝑥]/(𝑚𝜗 ) (see Theorem 11.1.6 and
Exercise 11.1.9a). This interpretation of simple algebraic extensions makes it possible,
for an arbitrary field 𝐿 instead of 𝐐, to construct 𝐿(𝜗) even if no field 𝑀 containing 𝐿
and no element 𝜗 are given, see Exercise 11.1.9b.
We mention without proof that every finite extension of 𝐐 can be obtained as 𝐐(𝜗)
with a suitable algebraic number 𝜗, so the finite extensions of 𝐐 are the same as the
simple algebraic extensions of 𝐐. This is true also if 𝐐 is replaced by any field in which
a sum 𝑎 + 𝑎 + ⋯ + 𝑎 can be 0 only for 𝑎 = 0.
Sharpening Theorem 10.1.7, we show that the degree of an element in a finite ex-
tension must divide the degree of the extension. We formulate the statement for exten-
sions of 𝐐, but it is equally valid for arbitrary fields.
318 10. Algebraic Number Fields

Theorem 10.2.5. If 𝑀 is a subfield in 𝐂 and deg(𝑀 ∶ 𝐐) = 𝑘 < ∞, then deg 𝛼 ∣ 𝑘 for

every 𝛼 ∈ 𝑀. ♣

Proof. The field 𝐐(𝛼) is contained in 𝑀 by Theorem 10.2.2, so

(10.2.4) 𝐐 ⊆ 𝐐(𝛼) ⊆ 𝑀.

The condition deg(𝑀 ∶ 𝐐) = 𝑘 < ∞ implies that both links in the chain of extensions
(10.2.4) are of finite degree, so we can apply the Tower Theorem 10.1.3. This yields
deg(𝐐(𝛼) ∶ 𝐐) ∣ 𝑘. By Theorem 10.1.7, 𝛼 is an algebraic number, so by Theorem 10.2.4,
we have deg(𝐐(𝛼) ∶ 𝐐) = deg 𝛼. Thus deg 𝛼 ∣ 𝑘. □

Now we give new proofs of Theorems 9.3.1 and 9.3.6. For convenience, we restate
them with new numbers.

Theorem 10.2.6. The algebraic numbers form a subfield in the complex field. ♣

Proof. Let 𝛼 and 𝛽 be two algebraic numbers. We have to show that 𝛼 + 𝛽, 𝛼 − 𝛽, 𝛼𝛽,
and 𝛼/𝛽 (𝛽 ≠ 0) are algebraic.
We extend 𝐐 with 𝛼, and then extend the resulting field 𝐾 = 𝐐(𝛼) with 𝛽. This
field 𝑁 = 𝐾(𝛽) contains both 𝛼 and 𝛽, thus it must contain also their sum, difference,
product, and quotient.
Consider the chain of extensions 𝐐 ⊆ 𝐾 ⊆ 𝑁 where 𝐾 = 𝐐(𝛼) and 𝑁 = 𝐾(𝛽).
Here
deg(𝐾 ∶ 𝐐) = deg 𝛼 and deg(𝑁 ∶ 𝐾) = deg𝐾 𝛽 ≤ deg 𝛽,
so deg(𝑁 ∶ 𝐾) < ∞ by the tower theorem. By Theorem 10.1.7, all elements in 𝑁, thus
𝛼 + 𝛽, 𝛼 − 𝛽, 𝛼𝛽, and 𝛼/𝛽 are algebraic numbers. □

Theorem 10.2.7. If the coefficients of a polynomial 𝑓 ≠ 0 are algebraic numbers, then

all (complex) roots of 𝑓 are algebraic numbers. ♣

Proof. Let 𝑓 = 𝛼0 + 𝛼1 𝑥 + ⋯ + 𝛼𝑛 𝑥𝑛 and let 𝛾 be an arbitrary root of 𝑓.

We define a sequence of fields 𝐾𝑖 by

𝐾0 = 𝐐(𝛼0 ), 𝐾𝑗 = 𝐾𝑗−1 (𝛼𝑗 ), 𝑗 = 1, 2, . . . , 𝑛, 𝐾𝑛+1 = 𝐾𝑛 (𝛾),

and consider the chain of extensions

𝐐 ⊆ 𝐾0 ⊆ 𝐾1 ⊆ ⋯ ⊆ 𝐾𝑛 ⊆ 𝐾𝑛+1 .

Every link is an extension with an algebraic number over the previous field, thus every
link has a finite degree. Thus by the tower theorem, the extension 𝐾𝑛+1 ∶ 𝐐 is finite,
so every element in 𝐾𝑛+1 , including 𝛾, is algebraic over 𝐐. □
Exercises 10.2 319

Exercises 10.2

1. Prove that for a complex number 𝜗 and rational number 𝑟 ≠ 0, the extension 𝐐(𝜗)
is equal to
(a) 𝐐(𝑟 + 𝜗)
(b) 𝐐(𝑟𝜗)
(c) 𝐐(1/𝜗) (if 𝜗 ≠ 0).
2. Let 𝛼 ∈ 𝐐(𝜗). Verify.
(a) 𝐐(𝛼) ⊆ 𝐐(𝜗).
(b) If 𝜗 is algebraic, then 𝐐(𝛼) = 𝐐(𝜗) if and only if deg 𝛼 = deg 𝜗.
* (c) If 𝜗 is transcendental, 𝐐(𝛼) = 𝐐(𝜗) if and only if
𝑎0 + 𝑎 1 𝜗
𝛼= , where 𝑎𝑖 , 𝑏𝑖 ∈ 𝐐 and 𝛼 ∉ 𝐐.
𝑏0 + 𝑏1 𝜗
3. True or false?
(a) 𝐐(𝜗) = 𝐐(𝜗).
(b) If |𝜗|2 is a rational number, then 𝐐(𝜗) = 𝐐(𝜗).
(c) If 𝐐(𝜗) = 𝐐(𝜗), then |𝜗|2 is a rational number.
(d) If 𝐐(𝜗) ⊆ 𝐐(𝜗), then 𝐐(𝜗) = 𝐐(𝜗).
(e) 𝐐(𝜗) = 𝐐(𝜗 + 𝜗2 ).
3 3
4. Represent the following numbers in the form 𝑎0 + 𝑎1 √ 2 + 𝑎2 √ 4 with rational
numbers 𝑎0 , 𝑎1 , and 𝑎2 :
3 3
(a) ( √ 4 + 3√ 2)2
1
(b)
3
√2
3
1+√ 2
(c) .
3
1 + 2√ 2
5. Determine the degree of the algebraic numbers
S (a) √7 + 3𝑖
5
(b) 𝑖 √ 3
7 7
(c) √ 3+√ 1/3
4
(d) √ 2 + √2.
6. Write in a simpler form:
3 3
(a) 𝐐( √ 54) ⧵ 𝐐( √ 16)
6 9
(b) 𝐐( √ 7) ∩ 𝐐( √ 7)
4 4
(c) 𝐐( √ 5) ∩ 𝐐(𝑖 √ 5).
 320 10. Algebraic Number Fields

S 7. Determine the real numbers in 𝐐(𝜗) if 𝜗 is

5
(a) √ 3(cos 144∘ + 𝑖 sin 144∘ )
6
(b) 𝑖 √ 3
(c) any value of √𝑖.
S* 8. Prove that if |𝜗| = 1, then 𝐐(𝜗) ∩ 𝐑 = 𝐐(Re 𝜗).
7 7 7
9. Let 𝛼 = 1 + 3√ 25 + 11√ 125 + 999√ 625. Prove the existence of a polynomial 𝑓
7
with rational coefficients satisfying 𝑓(𝛼) = √ 5.
10. Let 𝑘 be the degree of an algebraic number 𝛽. What are the possible values of
deg(𝛽 2 )?
S 11. Find all algebraic numbers of odd degree on the unit circle.
12. (a) Prove that if 𝛼 and 𝛽 are algebraic numbers, then the degrees of 𝛼 + 𝛽, 𝛼 − 𝛽,
𝛼𝛽, 𝛼/𝛽 (𝛽 ≠ 0) are less than or equal to (deg 𝛼) ⋅ (deg 𝛽).
(b) If the coefficients of a polynomial 𝑓 = 𝛼0 + 𝛼1 𝑥 + ⋯ + 𝛼𝑛 𝑥𝑛 are algebraic
𝑛
numbers and 𝑓(𝛾) = 0, then deg 𝛾 ≤ 𝑛 ∏𝑗=0 deg 𝛼𝑗 .
13. Let 𝑔1 , 𝑔2 , ℎ1 ≠ 0, ℎ2 ≠ 0 be polynomials with rational coefficients and 𝜗 a tran-
scendental number. Verify the following statements.
𝑔1 (𝜗) 𝑔 (𝜗)
(a) = 2 ⟺ 𝑔1 ℎ2 = 𝑔2 ℎ1 .
ℎ1 (𝜗) ℎ2 (𝜗)
(b) The field 𝐐(𝜗) is isomorphic to the field of formal quotients of polynomials
with rational coefficients, i.e. algebraic fractions over 𝐐.

10.3. Quadratic Fields

In this section we investigate the quadratic extensions of 𝐐 within the complex field
and the algebraic integers in them.

Theorem 10.3.1. All extensions of 𝐐 of degree 2 are of the form 𝐐(√𝑡), where 𝑡 is a
positive or negative squarefree integer and 𝑡 ≠ 1. Different values of 𝑡 induce different
extensions. ♣
Remark: We speak about real or imaginary quadratic extensions according to 𝑡 > 0 or
𝑡 < 0. In the imaginary case, we can take either of the two values of √𝑡 since these are
negatives of each other and 𝐐(𝜗) = 𝐐(−𝜗) for every 𝜗; in the sequel we let √𝑡 be the
value of the square root in the upper half plane: √𝑡 = 𝑖√|𝑡|.

Proof. Let 𝑀 be a subfield in 𝐂 with deg(𝑀 ∶ 𝐐) = 2. Then any non-rational element

𝛼 in 𝑀 satisfies deg 𝛼 = 2 and 𝑀 = 𝐐(𝛼). We verify that 𝐐(𝛼) can be given in the form
𝐐(√𝑡) with a suitable squarefree 𝑡 ≠ 1.
Let the minimal polynomial of 𝛼 be 𝑚𝛼 = 𝑎0 + 𝑎1 𝑥 + 𝑎2 𝑥2 , where 𝑎0 , 𝑎1 , 𝑎2 are
integers. Then the quadratic formula yields 𝛼 = 𝑟0 + 𝑟1 √𝑠, where 𝑟1 ≠ 0 and 𝑟0 are
rational numbers and 𝑠 ≠ 0 is an integer. Factoring out the largest possible square
10.3. Quadratic Fields 321

from 𝑠, we get 𝑠 = 𝑘2 𝑡, where 𝑡 is squarefree and 𝑡 ≠ 1. Thus 𝛼 = 𝑟0 + 𝑟1 𝑘√𝑡, and so

𝑀 = 𝐐(𝛼) = 𝐐(√𝑡) by Exercise 10.2.1.
We will show that 𝑡 is unique, so if 𝐐(√𝑡1 ) = 𝐐(√𝑡2 ), where 𝑡𝑗 are squarefree and
𝑡𝑗 ≠ 1, then 𝑡1 = 𝑡2 .
The conditions imply
√𝑡2 ∈ 𝐐(√𝑡1 ) so √𝑡2 = 𝑎 + 𝑏√𝑡1
with some rational 𝑎 and 𝑏. Squaring yields
𝑡2 = 𝑎2 + 𝑡1 𝑏2 + 2𝑎𝑏√𝑡1 .
Since √𝑡1 is irrational, 𝑏 = 0 or 𝑎 = 0. In the first case, √𝑡2 is rational, which is
impossible. In the second case, √𝑡2 /√𝑡1 is rational, and since 𝑡1 and 𝑡2 are squarefree,
we get 𝑡1 = 𝑡2 . □
Examples. E1 The Gaussian rationals are the elements of the extension 𝐐(𝑖); here
𝑡 = −1.
E2 The Eulerian rationals are the elements of the extension 𝐐(𝜔), where
2𝜋 2𝜋 −1 + 𝑖√3
𝜔 = cos + 𝑖 sin = .
3 3 2
Here 𝑡 = −3.

Now we investigate how to characterize the algebraic integers in a quadratic ex-

tension.
We consider first the Gaussian rationals, those complex numbers 𝑎 + 𝑖𝑏, where 𝑎
and 𝑏 are rational. We mentioned in Section 9.6 (Example E3, Exercise 9.6.3 a, f) that
a Gaussian rational is an algebraic integer if and only if it is a Gaussian integer, i.e. 𝑎
and 𝑏 are integers.
Now we look at the Eulerian rationals, i.e. numbers
−1 + 𝑖√3 2𝑐 − 𝑑 𝑑
(10.3.1) 𝛼 = 𝑐+𝑑𝜔 = 𝑐+𝑑 = + √−3 = 𝑎+𝑏√−3 (𝑎, 𝑏, 𝑐, 𝑑 ∈ 𝐐).
2 2 2
We indicated in Example E3 in Section 9.6 that an Eulerian rational is an algebraic
integer if and only if it is an Eulerian integer. This means that the Eulerian rational
𝛼 in (10.3.1) is an algebraic integer if and only if 𝑐 and 𝑑 are integers; that is, if either
both 𝑎 and 𝑏 are integers, or both of them are fractions with an odd numerator and a
denominator 2.
Our examples show that the results obtained for 𝑡 = −1 and 𝑡 = −3 are some-
what different. We have these two possibilities in the general case, depending on the
remainder modulo 4 of the integer 𝑡 characterizing the extension:
Theorem 10.3.2. Let 𝑡 ≠ 1 be a squarefree integer. Then the algebraic integers of the
extension 𝐐(√𝑡) are exactly those numbers 𝑐 + 𝑑𝜗 where 𝑐 and 𝑑 are integers and
√𝑡, if 𝑡 ≢ 1 (mod 4)
𝜗={
(1 + √𝑡)/2, if 𝑡 ≡ 1 (mod 4).
322 10. Algebraic Number Fields

In another formulation, a number 𝑎 + 𝑏√𝑡 (𝑎, 𝑏 ∈ 𝐐) in 𝐐(√𝑡) is an algebraic integer if

and only if
(1) 𝑎 and 𝑏 are integers for 𝑡 ≢ 1 (mod 4)
(2) 𝑎 = 𝑢/2, 𝑏 = 𝑣/2, where 𝑢 and 𝑣 are integers of the same parity for 𝑡 ≡ 1 (mod 4).
♣

The two formulations of the theorem are obviously equivalent.

Our results about Gaussian and Eulerian integers were special cases of this theo-
rem for 𝑡 = −1 ≢ 1 (mod 4) and 𝑡 = −3 ≡ 1 (mod 4).

Proof. Since a rational number is an algebraic integer if and only if it is an (ordinary)

integer, the statement of the theorem is straightforward for the rational elements of the
extension 𝐐(√𝑡).
Thus in the sequel we can restrict ourselves to the non-rational elements of the
extension. Any such 𝛼 ∈ 𝐐(√𝑡) has a unique representation 𝛼 = 𝑟0 + 𝑟1 √𝑡, where
𝑟1 ≠ 0 and 𝑟0 are rational numbers. With a common denominator, we obtain
𝑎 + 𝑏√𝑡
(10.3.2) 𝛼= , where 𝑎, 𝑏, 𝑐 are integers, (𝑎, 𝑏, 𝑐) = 1, 𝑐 > 0, 𝑏 ≠ 0.
𝑐
Squaring the equality
𝑎 𝑏√𝑡
𝛼− = ,
𝑐 𝑐
we get
2𝑎 𝑎2 − 𝑡𝑏2
(10.3.3) 𝛼2 − 𝛼+ = 0.
𝑐 𝑐2
Since deg 𝛼 = 2, (10.3.3) implies that the minimal polynomial of 𝛼 is
2𝑎 𝑎2 − 𝑡𝑏2
(10.3.4) 𝑚𝛼 = 𝑥 2 − 𝑥+ .
𝑐 𝑐2
Thus 𝛼 is an algebraic integer if and only if the minimal polynomial in (10.3.4) has
integer coefficients, or
(10.3.5) 𝑐 ∣ 2𝑎 and 𝑐2 ∣ 𝑎2 − 𝑡𝑏2 .
We have to verify that (10.3.5) is equivalent to
(10.3.6a) 𝑐 = 1, if 𝑡 ≢ 1 (mod 4)
(10.3.6b) 𝑐 = 2 and 𝑎 and 𝑏 are odd, or 𝑐 = 1, if 𝑡 ≡ 1 (mod 4).

We assume first that 𝑐 is odd. Then the first divisibility in (10.3.5) implies 𝑐 ∣ 𝑎, and
thus we get 𝑐2 ∣ 𝑎2 −(𝑎2 −𝑡𝑏2 ) = 𝑡𝑏2 . Since 𝑡 is squarefree, we infer by the Fundamental
Theorem of Arithmetic that 𝑐2 ∣ 𝑏2 , hence 𝑐 ∣ 𝑏. Therefore 𝑐 ∣ (𝑎, 𝑏, 𝑐) = 1, so 𝑐 = 1.
Conversely, it is obvious that 𝑐 = 1 satisfies (10.3.5) for any integers 𝑡, 𝑎, and 𝑏.
Now let 𝑐 be even, 𝑐 = 2𝑘. Then the first divisibility in (10.3.5) implies 𝑘 ∣ 𝑎,
so 𝑘2 ∣ 𝑎2 − (𝑎2 − 𝑡𝑏2 ) = 𝑡𝑏2 . Similar to the odd case, now 𝑘 ∣ 𝑏, and therefore
𝑘 ∣ (𝑎, 𝑏, 𝑐) = 1, so 𝑘 = 1, and 𝑐 = 2. So the second divisibility in (10.3.5) means
(*) 𝑎2 − 𝑡𝑏2 ≡ 0 (mod 4), where at least one of 𝑎 and 𝑏 is odd due to (𝑎, 𝑏, 𝑐) = 1,
10.3. Quadratic Fields 323

and 𝑡 ≢ 0 (mod 4) as 𝑡 is squarefree. From these conditions and using that modulo 4
a square is 0 or 1 depending on its parity, we see that the congruence (*) holds if and
only if both 𝑎 and 𝑏 are odd and 𝑡 ≡ 1 (mod 4).
Thus we have verified that conditions (10.3.5) and (10.3.6a))–(10.3.6b) are equiva-
lent, and have completed the proof of the theorem. □

We denote the set of algebraic integers in 𝐐(√𝑡) by 𝐼(√𝑡). Thus Theorem 10.3.2
states
(10.3.7a) 𝐼(√𝑡) = { 𝑐 + 𝑑√𝑡 ∣ 𝑐, 𝑑 ∈ 𝐙 } , if 𝑡 ≢ 1 (mod 4)

and

1 + √𝑡
(10.3.7b) 𝐼(√𝑡) = { 𝑐 + 𝑑 ∣ 𝑐, 𝑑 ∈ 𝐙 } , if 𝑡 ≡ 1 (mod 4).
2

As 𝐼(√𝑡) is the intersection of the ring of all algebraic integers and the field 𝐐(√𝑡),
𝐼(√𝑡) is a subring in the complex field. It is commutative, free of zero divisors, and
has an identity element, but is not a field since it contains only the integers among
the rational numbers. Thus—similarly to the Gaussian and Eulerian integers —it is
worthwhile to investigate some basic number theoretical questions in 𝐼(√𝑡).
The notions of divisibility, units, greatest common divisor, irreducible and prime
elements can be defined in 𝐼(√𝑡) exactly as we did for Gaussian integers (see Defini-
tions 7.4.4, 7.4.6, 7.4.9, 7.4.10, and 7.4.11, in which the adjective “Gaussian” should be
omitted).
The norm plays an important role in the number theory of 𝐼(√𝑡):

Definition 10.3.3. The norm of an element 𝛼 = 𝑎 + 𝑏√𝑡 ∈ 𝐼(√𝑡) is

𝑁(𝛼) = 𝑎2 − 𝑡𝑏2 = (𝑎 − 𝑏√𝑡)(𝑎 + 𝑏√𝑡). ♣

Theorem 10.3.2 implies that the norm of every 𝛼 ∈ 𝐸(√𝑡) is an integer.

We see immediately that Theorems 7.4.3 and 7.4.5 remain valid in every 𝐼(√𝑡) with
𝑡 < 0, and the only difference for 𝑡 > 0 is that 𝑁(𝛼) can be a negative integer, too (and,
if 𝑡 > 0 and 𝛼 is non-rational, then 𝑁(𝛼) is not the square of the absolute value of 𝛼).
In the general case, Theorems 7.4.7 and 7.7.6, about units, are modified as follows:

Theorem 10.3.4. (A) The following conditions are equivalent for an element 𝜀 ∈ 𝐼(√𝑡):
(i) 𝜀 is a unit
(ii) 𝜀 ∣ 1
(iii) |𝑁(𝜀)| = 1.

(B) If 𝑡 > 0, then there are infinitely many units in 𝐼(√𝑡).

(C) If 𝑡 < 0 and 𝑡 ≠ −1, −3, then 𝐼(√𝑡) has just two units, namely ±1. ♣
324 10. Algebraic Number Fields

Proof. (A): (i)⟹(ii): If 𝜀 divides every element in 𝐼(√𝑡), then in particular it must
divide 1.
(ii)⟹(i): If 𝜀 ∣ 1, so 𝜀𝛽 = 1 with some 𝛽 ∈ 𝐼(√𝑡), then 𝜀(𝛽𝛼) = 𝛼, so 𝜀 ∣ 𝛼 for any
𝛼 ∈ 𝐸(√𝑡), and 𝜀 is a unit.
(ii)⟹(iii): If 𝜀 ∣ 1, then 𝑁(𝜀) ∣ 𝑁(1) = 1, so 𝑁(𝜀) = ±1.
(iii)⟹(ii): If 𝜀 = 𝑎 + 𝑏√𝑡 and
𝑁(𝜀) = (𝑎 + 𝑏√𝑡)(𝑎 − 𝑏√𝑡) = ±1,
then 𝑎 − 𝑏√𝑡 ∈ 𝐼(√𝑡) implies 𝜀 ∣ 1.
(B) If 𝑡 > 0, then Pell’s equation 𝑥2 − 𝑡𝑦2 = 1 has infinitely many solutions in
integers 𝑥, 𝑦 (Theorem 7.8.1), so the corresponding elements 𝛼 = 𝑥 + 𝑦√𝑡 ∈ 𝐼(√𝑡)
have 𝑁(𝛼) = 1, and thus are units.
(C) If 𝑡 < 0, 𝑡 ≢ 1 (mod 4), then the elements of 𝐼(√𝑡) are of the form 𝛼 = 𝑎 + 𝑏√𝑡,
where 𝑎, 𝑏 are integers. For 𝑡 ≠ −1,
𝑁(𝛼) = 𝑎2 + |𝑡|𝑏2 = 1
can hold only with 𝑏 = 0 and 𝑎 = ±1, so 𝛼 = ±1.
If 𝑡 < 0, 𝑡 ≡ 1 (mod 4), then 𝛼 can have the form (𝑢/2) + (𝑣/2)√𝑡, too, where 𝑢 and
𝑣 are odd integers. Then we have to check
𝑢2 + |𝑡|𝑣2
(10.3.8) 𝑁(𝛼) = =1 or 𝑢2 + |𝑡|𝑣2 = 4.
4
If |𝑡| > 3 and 𝑢, 𝑣 are odd, then
𝑢2 + |𝑡|𝑣2 > 1 + 3 ⋅ 1 = 4,
thus (10.3.8) cannot hold. □

Remarks: (1) For many values of 𝑡, condition (A)(iii) in Theorem 10.3.4 means 𝑁(𝜀)
= 1, as 𝑁(𝜀) = −1 cannot occur. This is the case for every 𝑡 < 0, because the norm
of every element is non-negative. But we have this situation e.g. for all positive
𝑡 ≡ 3 (mod 4), since then every element in 𝐼(√𝑡) has the form 𝛼 = 𝑎 + 𝑏√𝑡 with
integer 𝑎, 𝑏, and 𝑁(𝛼) = 𝑎2 − 𝑡𝑏2 ≢ −1 (mod 4).
(2) Related to part (B) in Theorem 10.3.4, we can characterize the units of 𝐼(√𝑡) for
𝑡 > 0 as follows. If 𝑡 ≢ 1 (mod 4), then all units are the elements 𝑥 +𝑦√𝑡 obtained
from the integer solutions of equations 𝑥2 − 𝑡𝑦2 = ±1. If 𝑡 ≡ 1 (mod 4), then
besides these (𝑥 + 𝑦√𝑡)/2 are units, where 𝑥, 𝑦 are odd solutions of 𝑥2 − 𝑡𝑦2 = ±4.
We can describe these solutions relying on Theorem 7.8.2 (see also the hint to
Exercise 7.8.3).

Now we turn to the problem of unique prime factorization, i.e. what can be said
concerning the Fundamental Theorem of Arithmetic? The statement about decom-
posability is valid in all 𝐼(√𝑡): Every element in 𝐼(√𝑡) not 0 or a unit can be written as a
product of irreducible elements of 𝐼(√𝑡). This can be verified using the absolute value
of the norm as we saw in the proof of Theorem 7.4.13 for Gaussian integers.
10.3. Quadratic Fields 325

The situation is completely different for uniqueness of decomposition, which does

not hold in general. We shall investigate first a few concrete extensions, and then state
the results and unsolved problems in the general case.

Theorem 10.3.5. The Fundamental Theorem of Arithmetic is true in 𝐼(√2), but is false
in 𝐼(√−5) and in 𝐼(√10). ♣

Proof. As indicated before, decomposability holds in every 𝐼(√𝑡), so it suffices to check

uniqueness (or the lack of it).
𝐼(√2): We show that similar to the Gaussian and Eulerian integers, we have a
division algorithm here, too. As seen several times, this implies the uniqueness part of
the theorem.
The division algorithm for Gaussian and Eulerian integers used the norm: The
norm is a non-negative integer, only the zero element has norm 0, and we get that the
norm of the remainder is smaller than the norm of the divisor. (These properties guar-
antee that the Euclidean algorithm terminates; see Section 11.3 for a generalization.)
Since the norm of an element in 𝐼(√2) can be negative, we use the absolute value
of the norm, i.e. we verify the possibility of a division algorithm with respect to the
absolute value of the norm in 𝐼(√2).
It is clear that the absolute value of the norm in 𝐼(√2) is non-negative and only 0
has norm 0.
We have to show that to any 𝛽 ≠ 0 and 𝛼 in 𝐼(√2), we can find 𝛾 and 𝜚 satisfying
(10.3.9) 𝛼 = 𝛽𝛾 + 𝜚 and |𝑁(𝜚)| < |𝑁(𝛽)|.

We can extend the notion of norm to the elements of 𝐐(√2): for 𝑎, 𝑏 ∈ 𝐐 let
𝑁(𝑎 + 𝑏√2) = (𝑎 + 𝑏√2)(𝑎 − 𝑏√2) = 𝑎2 − 2𝑏2 .
Then clearly, 𝑁(𝜉)𝑁(𝜓) = 𝑁(𝜉𝜓) for any 𝜉, 𝜓 ∈ 𝐐(√2).
Thus, dividing (10.3.9) by 𝛽, we get an equivalent condition:
𝛼 𝜚 𝜚
(10.3.10) =𝛾+ and ||𝑁( )|| < 1.
𝛽 𝛽 𝛽
We can formulate (10.3.10) as follows: Given 𝛼/𝛽, we need a 𝛾 ∈ 𝐼(√2) satisfying
(10.3.11) |𝑁( 𝛼 − 𝛾)| < 1.
| 𝛽 |

Let 𝛼/𝛽 = 𝑢 + 𝑣√2, where 𝑢, 𝑣 ∈ 𝐐. We choose the number 𝑐 + 𝑑√2 ∈ 𝐼(√2) as 𝛾

where 𝑐 and 𝑑 are integers closest to 𝑢 and 𝑣. Then
𝛼
𝑁( − 𝛾) = (𝑢 − 𝑐)2 − 2(𝑣 − 𝑑)2 ,
𝛽
and 0 ≤ |𝑢 − 𝑐| ≤ 1/2, 0 ≤ |𝑣 − 𝑑| ≤ 1/2 imply
−1 1
≤ (𝑢 − 𝑐)2 − 2(𝑣 − 𝑑)2 ≤ ,
2 4
so (10.3.11) holds.
326 10. Algebraic Number Fields

𝐼(√−5): We show that 6 has two essentially distinct decompositions as a product

of irreducible elements in 𝐼(√−5):

6 = 2 ⋅ 3 = (1 + √−5)(1 − √−5).

We have to check that 2, 3, 1 + √−5, and 1 − √−5 are irreducible in 𝐼(√−5), and that
3, for example, is not an associate of 1 ± √−5.
The latter statement is obvious, since the only units in 𝐼(√−5) are ±1 by part (C)
of Theorem 10.3.4.
We verify the irreducibility of 2, we can proceed similarly for the other three num-
bers.
For a proof by contradiction, assume 2 = 𝛼𝛽, where neither 𝛼 nor 𝛽 is a unit in
𝐼(√−5). Then 4 = 𝑁(2) = 𝑁(𝛼)𝑁(𝛽), and 𝑁(𝛼) ≠ 1, 𝑁(𝛽) ≠ 1, so 𝑁(𝛼) = 𝑁(𝛽) = 2 (as
the norm is non-negative in 𝐼(√−5)).
Let 𝛼 = 𝑎 + 𝑏√−5. Now 𝑎 and 𝑏 are integers as −5 ≢ 1 (mod 4). Then clearly
𝑁(𝛼) = 𝑎2 + 5𝑏2 = 2 is impossible. This contradiction justifies that 2 is irreducible in
𝐼(√−5).
𝐼(√10): Note that −9 has two essentially distinct decompositions into the product
of irreducible elements:

(10.3.12) −9 = 3(−3) = (1 + √10)(1 − √10).

In (10.3.12), ±3 is not an associate of 1 ± √10, since

1 ± √10 ±1 ±1
= ± √10 ∉ 𝐼(√10).
±3 3 3

We have to show that all factors in (10.3.12) are irreducible. If ±3 or 1 ± √10 were
not irreducible, then similar to the argument seen at 𝐼(√−5), there would be an 𝛼 =
𝑎 + 𝑏√10 with integers 𝑎 and 𝑏 having 𝑁(𝛼) = 𝑎2 − 10𝑏2 = ±3. This is impossible,
however, as 𝑎2 ≢ ±3 (mod 5). □

The question of the validity of the Fundamental Theorem of Arithmetic is very

hard for general quadratic fields, and is unsolved in general.
We start with real quadratic fields:

R1 It is not known whether the Fundamental Theorem holds in infinitely many 𝐼(√𝑡)
with 𝑡 > 0.

R2 All values 𝑡 > 0 are known where we can perform the division algorithm in 𝐼(√𝑡)
using the absolute value of the norm (see part (iii) in Theorem 10.3.6 below). Thus
the Fundamental Theorem is true in 𝐼(√𝑡) for these values of 𝑡. There exist, how-
ever, other positive integers 𝑡, too, e.g. 𝑡 = 14, 22, 23, or 31, when the Fundamental
Theorem holds.
10.3. Quadratic Fields 327

We have had the complete answer for imaginary quadratic fields since 1968:
I1 The Fundamental Theorem is true in exactly nine 𝐼(√𝑡) with 𝑡 < 0, those listed in
part (i) of Theorem 10.3.6. Two of the nine cases are the Gaussian and Eulerian
integers discussed earlier.
I2 The division algorithm using the norm works in exactly five cases out of the nine
(see part (ii) of Theorem 10.3.6). It can be shown for the other four cases, that
there is no division algorithm with any conceivable measure instead of the norm.
We return to the precise meaning and proof of this statement in Section 11.3.
We summarize the results indicated in I1, I2, and R2 without proof in
Theorem 10.3.6. (i) If 𝑡 < 0, then the Fundamental Theorem of Arithmetic holds in
𝐼(√𝑡) if and only if
𝑡 = −1, −2, −3, −7, −11, −19, −43, −67, −163.

(ii) We can perform the division algorithm in 𝐼(√𝑡) with respect to the norm for exactly
the first five of the nine values 𝑡 < 0 listed in (i).
(iii) If 𝑡 > 0, we can perform the division algorithm in 𝐼(√𝑡) with respect to the absolute
value of the norm if and only if
𝑡 = 2, 3, 5, 6, 7, 11, 13, 17, 19, 21, 29, 33, 37, 41, 57, 73. ♣

We ask for the proof of statement (ii) of Theorem 10.3.6 in Exercise 10.3.4.
Finally, we present two theorems about irreducible and prime elements in 𝐼(√𝑡).
The first result is valid in any 𝐼(√𝑡) independent of the validity of the Fundamental
Theorem. Accordingly, we must be careful about the distinction between irreducible
and prime, since they are not equivalent due to the lack of the Fundamental Theorem.
The second result is about quadratic fields where the Fundamental Theorem is true,
so here the two types of elements coincide.
Theorem 10.3.7. Let 𝑝 > 2 be a prime number and (𝑝, 𝑡) = 1. Then 𝑝 is a prime in
𝑡
𝐼(√𝑡) if and only if ( 𝑝 ) = −1. ♣

𝑡
Proof. First we demonstrate that if ( 𝑝 ) = −1, then 𝑝 is a prime in 𝐼(√𝑡).
We assume 𝑝 ∣ 𝛼𝛽, and want to show that at least one of 𝑝 ∣ 𝛼 and 𝑝 ∣ 𝛽 must hold.
Divisibility 𝑝 ∣ 𝛼𝛽 implies
𝑝2 = 𝑁(𝑝) ∣ 𝑁(𝛼)𝑁(𝛽).
Since 𝑝 is a prime in 𝐙, 𝑝 divides at least one of the factors in the product 𝑁(𝛼)𝑁(𝛽),
𝑡
say 𝑝 ∣ 𝑁(𝛼). Using ( 𝑝 ) = −1, we shall infer 𝑝 ∣ 𝛼.

Let 𝛼 = 𝑎 + 𝑏√𝑡. We treat first the case 𝑡 ≢ 1 (mod 4). Then 𝑎 and 𝑏 are integers.
Thus 𝑝 ∣ 𝑁(𝛼) = 𝑎2 − 𝑡𝑏2 can be written as
(10.3.13) 𝑎2 ≡ 𝑡𝑏2 (mod 𝑝) .
328 10. Algebraic Number Fields

If (𝑎, 𝑝) = (𝑏, 𝑝) = 1, then (10.3.13) implies

2 2
𝑎 𝑡 𝑏 𝑡
1 = ( ) = ( )( ) = ( ),
𝑝 𝑏 𝑝 𝑝
𝑡
which contradicts ( 𝑝 ) = −1. If exactly one of 𝑎 and 𝑏 is a multiple of 𝑝, then exactly
one side of (10.3.13) is divisible by 𝑝, which is impossible. Thus (10.3.13) can hold only
with 𝑎 ≡ 𝑏 ≡ 0 (mod 𝑝). Then 𝑝 ∣ 𝑎 + 𝑏√𝑡 = 𝛼.
In the case 𝑡 ≡ 1 (mod 4) we have to consider the possibility of 𝑎 = 𝑢/2, 𝑏 = 𝑣/2,
too, with odd 𝑢 and 𝑣. Then we can work with the congruence 𝑢2 ≡ 𝑡𝑣2 (mod 𝑝)
instead of (10.3.13), and arrive at 𝑝 ∣ 𝛼 similarly.
𝑡
For the converse, assume ( 𝑝 ) = 1. Then 𝑐2 ≡ 𝑡 (mod 𝑝) for some integer 𝑐. Thus

𝑝 ∣ 𝑐2 − 𝑡 = (𝑐 + √𝑡)(𝑐 − √𝑡), but 𝑝 ∤ 𝑐 ± √𝑡.

This contradicts the prime property of 𝑝 in 𝐼(√𝑡). □

The following theorem is a generalization of Theorems 7.4.12, 7.4.14, 7.4.15, and

7.7.7 for Gaussian and Eulerian integers, if the Fundamental Theorem is true in 𝐼(√𝑡):
Theorem 10.3.8. Assume the validity of the Fundamental Theorem of Arithmetic in
𝐼(√𝑡). Then:
(i) An element in 𝐼(√𝑡) is irreducible if and only if it is prime. (Thus we shall use the
shorter word prime instead of irreducible.)

(ii) Every prime 𝜋 in 𝐼(√𝑡) has exactly one multiple 𝑝 among the positive prime numbers
(of 𝐙).

(iii) Every positive prime number 𝑝 is either a prime in 𝐼(√𝑡), or is a product of exactly
two primes having norm ±𝑝 and being conjugates in the following sense, (cf. Defini-
tion 10.4.1): Let 𝜋1 = 𝑎 + 𝑏√𝑡, then 𝜋2 = ±(𝑎 − 𝑏√𝑡).
𝑡
(iv) If 𝑝 > 2 is a prime number, (𝑝, 𝑡) = 1, and ( 𝑝 ) = −1, then 𝑝 is a prime in 𝐼(√𝑡).
𝑡
(v) If 𝑝 > 2 is a prime, (𝑝, 𝑡) = 1, and ( 𝑝 ) = 1, then 𝑝 is the product of two non-associate
primes in 𝐼(√𝑡).
(vi) If 𝑡 is odd, then the behavior of 2 is the following:
(a) If 𝑡 ≡ 3 (mod 4), then 2 is the product of two associate primes (i.e. 2 is an
associate of a prime square);
(b) If 𝑡 ≡ 1 (mod 8), then 2 is the product of two non-associate primes;
(c) If 𝑡 ≡ 5 (mod 8), then 2 is a prime.
(vii) If a prime number 𝑝 divides 𝑡, then 𝑝 is a product of two associate primes (i.e. 𝑝 is
an associate of a prime square).

(viii) The associates of primes listed in parts (iv)–(vii) provide all primes in 𝐼(√𝑡). ♣
10.3. Quadratic Fields 329

Proof. (i) A prime is necessarily irreducible—see the proof of Theorem 1.4.3. The
converse follows from the Fundamental Theorem of Arithmetic, see Exercise 1.5.8 (or
Theorem 11.3.1).
(ii) and (iii) can be verified in exactly the same way that Theorem 7.4.14 was proved.
(iv) follows from Theorem 10.3.7.
For (v)–(vii), we first determine whether or not 𝑝 and 2, are primes in 𝐼(√𝑡).
For (v), this follows from Theorem 10.3.7.
(vi) If 𝑡 ≡ 3 (mod 4), then
2 ∣ 𝑡2 − 𝑡 = (𝑡 + √𝑡)(𝑡 − √𝑡), but 2 ∤ 𝑡 ± √𝑡,
so 2 is not a prime.
If 𝑡 ≡ 1 (mod 8), then
1−𝑡 1 + √𝑡 1 − √𝑡 1 ± √𝑡
2∣ = ⋅ , but 2∤ ,
4 2 2 2
so 2 is not a prime.
If 𝑡 ≡ 5 (mod 8) and 2 were not a prime, then 2 would have a divisor
𝑢 + 𝑣√𝑡
𝛼= ∈ 𝐼(√𝑡),
2
where 𝑢 and 𝑣 are integers of the same parity, satisfying
𝑁(𝛼) = ±2, so 𝑢2 − 𝑡𝑣2 = ±8.
However, 𝑢2 − 𝑡𝑣2 cannot be of the form 16𝑘 + 8, a contradiction.
(vii) Since
𝑝 ∣ 𝑡 = √𝑡 ⋅ √𝑡, but 𝑝 ∤ √𝑡
(this holds also for 𝑝 = 2), 𝑝 cannot be a prime.
The previous observations imply that in cases (v), (vi)(a), (vi)(b), and (vii), 𝑝 and
2, are not primes. So by (iii), 𝑝 and 2, can be written as a product of two primes
𝜋1 = 𝑎 + 𝑏√𝑡 and 𝜋2 = ±(𝑎 − 𝑏√𝑡).
Here 𝑎 and 𝑏 are integers if 𝑡 ≢ 1 (mod 4), and 𝑎 = 𝑢/2, 𝑏 = 𝑣/2 for some integers 𝑢
and 𝑣 of the same parity if 𝑡 ≡ 1 (mod 4).
Since |𝑁(𝜋1 )| = |𝑁(𝜋2 )| = 𝑝 (or 2), |𝑁(𝜋1 /𝜋2 )| = 1. Thus 𝜋1 and 𝜋2 are associates
if and only if
𝜋1 𝑎 + 𝑏√𝑡 𝑎2 + 𝑡𝑏2 2𝑎𝑏
(10.3.14) = = + √𝑡 ∈ 𝐼(√𝑡).
𝜋2 ±(𝑎 − 𝑏√𝑡) 𝑝 𝑝

(10.3.14) is impossible for (v), as 2𝑎𝑏/𝑝 cannot be an integer or a fraction with

denominator 2, because |𝑁(𝜋1 )| = 𝑝.
For (vi)(a), we have 𝑝 = 2 in (10.3.14), and 𝑎 and 𝑏 are integers because 𝑡 ≡ 3
(mod 4), and 𝑎2 − 𝑡𝑏2 = ±2 implies that 𝑎 and 𝑏 are odd. Hence
𝑎2 + 𝑡𝑏2 2𝑎𝑏
and = 𝑎𝑏
2 2
are integers, so 𝜋1 and 𝜋2 are associates.
 330 10. Algebraic Number Fields

For (vi)(b), we again have 𝑝 = 2 in (10.3.14), but now

𝑎2 − 𝑡𝑏2 = ±2 and 𝑡 ≡ 1 (mod 4)
imply that 𝑎 and 𝑏 are not integers. Hence 𝑎 = 𝑢/2 and 𝑏 = 𝑣/2 for some odd 𝑢 and 𝑣.
Then 2𝑎𝑏/2 = 𝑢𝑣/4 in (10.3.14) is neither an integer nor a fraction with denominator 2,
so (10.3.14) is false. So 𝜋1 and 𝜋2 are not associates.
At (vii), we investigate first the case when 𝑎 and 𝑏 are integers. Then
𝑎2 − 𝑡𝑏2 = ±𝑝 and 𝑝∣𝑡
imply 𝑝 ∣ 𝑎, thus both
𝑎2 + 𝑡𝑏2 2𝑎𝑏
and
𝑝 𝑝
are integers in (10.3.14), so 𝜋1 and 𝜋2 are associates.
We can handle similarly the case when 𝑡 ≡ 1 (mod 4) and 𝑎 = 𝑢/2, 𝑏 = 𝑣/2 for
some odd 𝑢 and 𝑣.
Finally, (viii) follows immediately from (ii) and (iv)–(vii). □

Exercises 10.3

1. (a) Verify that the Fundamental Theorem of Arithmetic is true in 𝐼(√3).

(b) How can the following equalities be reconciled with the Fundamental Theo-
rem:
(b1) 7 + 3√3 = (1 + √3)(1 + 2√3) = (−4 + 3√3)(5 + 3√3)
(b2) 19 + 5√3 = (5 − √3)(5 + 2√3) = (−4 + 3√3)(11 + 7√3)?
(c) Determine all primes in 𝐼(√3).
* (d) For which positive integers 𝑛 is the Diophantine equation 𝑥2 − 3𝑦2 = 𝑛 solv-
able, and what is the number of solutions?
2. (a) Show that the Fundamental Theorem of Arithmetic holds in 𝐼(√−2).
(b) Determine all primes in 𝐼(√−2).
* (c) Solve the Diophantine equation 𝑥2 + 2 = 𝑦3 .
3. Demonstrate that the Fundamental Theorem of Arithmetic is false in 𝐼(√𝑡) if 𝑡 is
(a) 15
(b) 26
(c) −6
(d) −10.
* 4. Prove (ii) of Theorem 10.3.6: There is a division algorithm with respect to the norm
in an imaginary 𝐼(√𝑡) if and only if 𝑡 = −1, −2, −3, −7, or −11.
S* 5. Show that if 𝑡 is a squarefree composite negative integer, then the Fundamental
Theorem of Arithmetic is false in 𝐼(√𝑡).
 10.4. Norm 331

S* 6. Let 𝑘 > 1 be an integer and 𝑓 = 𝑥2 + 𝑥 + 𝑘. Show that if the Fundamental Theorem

of Arithmetic is true in 𝐼(√−4𝑘 + 1), then all integers
𝑓(0), 𝑓(1), . . . , 𝑓(𝑘 − 2)
are prime numbers.
Remark: It can be shown that the converse holds, too. Thus by Theorem 10.3.6(i),
the property in the exercise is true only for 𝑘 = 2, 3, 5, 11, 17, and 41. For 𝑘 = 41,
we obtain that 𝑛2 + 𝑛 + 41 is a prime number for 0 ≤ 𝑛 ≤ 39, as mentioned in
Section 5.1. By the above, there is no such sequence of primes for 𝑘 > 41.
7. Show that if |𝑁(𝛼)| is a prime number for some 𝛼 ∈ 𝐼(√𝑡), then 𝛼
(a) is irreducible
* (b) is a prime
in 𝐼(√𝑡) (independent of the validity of the Fundamental Theorem of Arithmetic
in 𝐼(√𝑡)).
8. Prove that if 𝛼2 ∣ 𝛽 2 for some 𝛼, 𝛽 ∈ 𝐼(√𝑡), then also 𝛼 ∣ 𝛽, whether or not the
Fundamental Theorem of Arithmetic holds in 𝐼(√𝑡).
9. We investigate which prime numbers 𝑝 > 0 are irreducible or prime elements in
𝐼(√−5).
(a) 5 is not irreducible and hence is not a prime.
(b) 2 is irreducible but is not a prime.
(c) If 𝑝 ≡ 11, 13, 17, or 19 (mod 20), then 𝑝 is a prime and thus irreducible.
(d) If 𝑝 ≡ 3 or 7 (mod 20), then 𝑝 is irreducible but is not a prime.
S* (e) If 𝑝 ≡ 1 or 9 (mod 20), then 𝑝 is not irreducible and so cannot be a prime.

10.4. Norm
In this section, we extend the notion of norm to every extension 𝐐(𝜗), where 𝜗 is an
algebraic number. First, for every element 𝛼 ∈ 𝐐(𝜗), we have to introduce the notions
of conjugates of 𝛼 over 𝐐 and of relative conjugates of 𝛼 with respect to 𝐐(𝜗).
Definition 10.4.1. The complex roots of a minimal polynomial of an algebraic number
𝛼 are called the conjugates of 𝛼 over 𝐐. ♣

Since 𝑚𝛼 is irreducible over 𝐐, and an irreducible polynomial has no multiple com-

plex roots (see Exercise 9.4.4), an algebraic number of degree 𝑛 has 𝑛 distinct conjugates
over 𝐐 including the number itself.
Also the complex conjugate 𝛼 of 𝛼 occurs among the conjugates of 𝛼 over 𝐐, as 𝛼
and 𝛼 have the same minimal polynomial.
In the sequel, we shall say just “conjugate” for brevity instead of “conjugate over
𝐐” in general, but we shall never omit the adjective for the complex conjugate.
Examples. E1 A rational number has a single conjugate, namely itself.
332 10. Algebraic Number Fields

E2 Let 𝛼 = 𝑎 + 𝑏𝑖 be a non-real Gaussian rational, 𝑎, 𝑏 ∈ 𝐐, 𝑏 ≠ 0. Then one of its

conjugates is 𝛼 itself, and the other is its complex conjugate 𝛼 = 𝑎 − 𝑏𝑖. The same
holds for non-real Eulerian rationals.
E3 Let 𝛼 = 𝑎 + 𝑏√2 be a non-rational element in 𝐐(√2), i.e. 𝑎, 𝑏 ∈ 𝐐, 𝑏 ≠ 0. Then
its two conjugates are itself and 𝑎 − 𝑏√2.
5
E4 The conjugates of 𝛼 = √ 2 are the numbers 𝜚𝛼, where 𝜚 is a fifth complex root of
unity.
Definition 10.4.2. Let
𝜗 (1) = 𝜗, 𝜗 (2) , ... , 𝜗 (𝑛)
be the conjugates of an algebraic number 𝜗 of degree 𝑛, and take 𝛼 ∈ 𝐐(𝜗). By Theo-
rem 10.2.3, there is a unique polynomial 𝑓 ∈ 𝐐[𝑥] satisfying
𝛼 = 𝑓(𝜗) and deg 𝑓 ≤ 𝑛 − 1 or 𝑓 = 0.
Then the numbers
𝑓(𝜗 (𝑗) ), 𝑗 = 1, 2, . . . , 𝑛
are called the relative conjugates of 𝛼 with respect to 𝐐(𝜗). ♣

Thus a relative conjugate 𝑓(𝜗 (𝑗) ) is an element in 𝐐(𝜗 (𝑗) ). The extension 𝐐(𝜗 (𝑗) )
does not coincide with 𝐐(𝜗) in general, so the relative conjugates of 𝛼 are mostly not
contained in 𝐐(𝜗).
In Definition 10.4.2 the relative conjugates 𝑓(𝜗 (𝑗) ) seem to depend not only on 𝛼
and the extension 𝐐(𝜗), but also on the choice of 𝜗, since a given extension can be
generated by many different elements. Theorem 10.4.3, however, will guarantee that
this is not the case: If 𝐐(𝜗) = 𝐐(𝜓), then the relative conjugates of 𝛼 will be the same
whether they were constructed using 𝜗 or 𝜓.
Examples. E5 All relative conjugates of a rational number 𝑟 are itself for any ex-
tension 𝐐(𝜗). The constant polynomial 𝑓 = 𝑟 meets the requirements 𝑓(𝜗) = 𝑟,
deg 𝑓 < deg 𝜗 or 𝑓 = 0, thus 𝑓(𝜗 (𝑗) ) = 𝑟 for every 𝑗.
E6 Let 𝜗 = 𝑖, then its conjugates are 𝜗 (1) = 𝑖 and 𝜗 (2) = −𝑖. Thus the relative
conjugates of an element 𝛼 = 𝑎 + 𝑏𝑖 (𝑎, 𝑏 ∈ 𝐐) of 𝐐(𝑖) are
𝑎 + 𝑏𝑖 = 𝛼 and 𝑎 + 𝑏(−𝑖) = 𝑎 − 𝑏𝑖 = 𝛼.
This means that if 𝛼 is not a rational number, then its relative conjugates are the
same as its conjugates over 𝐐. We have the same result also for 𝐐(√−3), 𝐐(√2),
and for quadratic fields in general.
4
E7 If 𝜗 = √ 3, then its conjugates are ±𝜗 and ±𝑖𝜗. The polynomial representing
𝛼 = √3 ∈ 𝐐(𝜗) according to Theorem 10.2.3 is 𝑓 = 𝑥2 , since √3 = (𝜗)2 . Thus
the relative conjugates of √3 are

(±𝜗)2 = √3 and (±𝑖𝜗)2 = −√3.

These four numbers are just the conjugates of √3 over 𝐐, each taken twice.
10.4. Norm 333

The examples indicate that the relative conjugates of 𝛼 ∈ 𝐐(𝜗) are the same as the
conjugates of 𝛼 over 𝐐, each counted with a suitable multiplicity:

Theorem 10.4.3. Let 𝛼 be an element of degree 𝑘 in the extension 𝐐(𝜗) of degree 𝑛. Then
we get the relative conjugates of 𝛼 by taking each conjugate of 𝛼 over 𝐐 with multiplicity
𝑛/𝑘. ♣

The theorem implies that the relative conjugates remain the same if we replace 𝜗
by another generating element of 𝐐(𝜗), so the relative conjugates depend only on 𝛼
and the extension itself.
Theorem 10.4.3 gives a new proof for deg 𝛼 being a divisor of the extension 𝐐(𝜗)
(cf. Theorem 10.2.5).

Proof. Let
𝑛 𝑘
𝑚𝜗 = ∏(𝑥 − 𝜗 (𝑗) ), where 𝜗 (1) = 𝜗, and 𝑚𝛼 = ∏(𝑥 − 𝛼(𝑠) ), where 𝛼(1) = 𝛼,
𝑗=1 𝑠=1

be the minimal polynomials of 𝜗 and 𝛼, and 𝑓 the polynomial representing 𝛼 according

to Theorem 10.2.3, so 𝑓(𝜗) = 𝛼.
I. We verify first that every relative conjugate 𝑓(𝜗 (𝑗) ) of 𝛼 coincides with a conjugate
𝛼𝑠 of 𝛼 over 𝐐 and disregard multiplicity temporarily.
Consider the polynomial 𝑔(𝑥) = 𝑚𝛼 (𝑓(𝑥)). Clearly, 𝑔 ∈ 𝐐[𝑥], and
𝑔(𝜗) = 𝑚𝛼 (𝑓(𝜗)) = 𝑚𝛼 (𝛼) = 0.
Hence 𝑚𝜗 ∣ 𝑔, so
0 = 𝑔(𝜗 (𝑗) ) = 𝑚𝛼 (𝑓(𝜗 (𝑗) ))
for every 𝑗. This means that 𝑓(𝜗 (𝑗) ) is a root of 𝑚𝛼 , so 𝑓(𝜗 (𝑗) ) is equal to some 𝛼𝑠 .
II. We still have to show that each 𝛼𝑠 occurs with the same multiplicity among the
numbers 𝑓(𝜗 (𝑗) ) (𝑗 = 1, 2, . . . , 𝑛). Consider the polynomial
𝑛
ℎ = ∏(𝑥 − 𝑓(𝜗 (𝑗) )).
𝑗=1

By the Fundamental Theorem 9.3.2 of Symmetric Polynomials, we obtain similar to the

proofs of Theorems 9.3.1 and 9.3.6 that ℎ has rational coefficients: Every coefficient 𝑐𝑟
of ℎ is a symmetric polynomial of the variables 𝜗 (𝑗) , so 𝑐𝑟 can be written as a polynomial
with rational coefficients of the elementary symmetric polynomials 𝜎𝑗 of the variables
𝜗 (𝑗) . By Viète’s formulas connecting roots and coefficients, the values ±𝜎𝑗 are just the
coefficients of 𝑚𝜗 , which are rational numbers, so 𝑐𝑟 is rational.
Decompose ℎ into a product of polynomials irreducible over 𝐐. Since the roots of
ℎ, i.e. the numbers 𝑓(𝜗 (𝑗) ), are roots of the irreducible polynomial 𝑚𝛼 , each factor in
the decomposition of ℎ is 𝑚𝛼 . Further, both ℎ and 𝑚𝛼 have leading coefficient 1, so ℎ
is a power of 𝑚𝛼 : ℎ = 𝑚𝑡𝛼 . Comparing the degrees, we have 𝑡 = 𝑛/𝑘 so each root 𝛼𝑠 of
𝑚𝛼 occurs 𝑛/𝑘 times among the numbers 𝑓(𝜗 (𝑗) ). □
334 10. Algebraic Number Fields

Now we are ready to give a general definition for the norm:

Definition 10.4.4. The norm of an element 𝛼 ∈ 𝐐(𝜗) is the product of its relative
conjugates: If the conjugates of 𝜗 are 𝜗 (1) = 𝜗, 𝜗 (2) , . . . , 𝜗 (𝑛) and 𝛼 = 𝑓(𝜗), then
𝑛
𝑁(𝛼) = ∏ 𝑓(𝜗 (𝑗) ). ♣
𝑗=1

The norm in quadratic number fields introduced in Definition 10.3.3 is a special

case of Definition 10.4.4.
We summarize the most important properties of the norm in
Theorem 10.4.5. (i) Let 𝛼 ∈ 𝐐(𝜗), deg 𝜗 = 𝑛, and deg 𝛼 = 𝑘. Then
𝑘 𝑛/𝑘
𝑁(𝛼) = (∏ 𝛼𝑠 ) = (−1)𝑛 𝑎𝑛/𝑘
0 ,
𝑠=1

where 𝛼(1) = 𝛼, 𝛼(2) , . . . , 𝛼(𝑘) are the conjugates of 𝛼 over 𝐐 and 𝑎0 is the constant
term in the minimal polynomial of 𝛼 with leading coefficient 1.
(ii) 𝛼, 𝛽 ∈ 𝐐(𝜗) ⟹ 𝑁(𝛼𝛽) = 𝑁(𝛼)𝑁(𝛽).
(iii) If 𝛼 is an algebraic integer, then 𝑁(𝛼) is an ordinary integer. ♣

Proof. The first equality in (i) follows immediately from Theorem 10.4.3, and the sec-
ond equality is a direct consequence of Viète’s formula about the product of roots of
the polynomial 𝑚𝛼 . This form of 𝑁(𝛼) in (i) implies (iii).
To verify (ii), let
𝛼 = 𝑓1 (𝜗), 𝛽 = 𝑓2 (𝜗), and 𝛼𝛽 = 𝑓3 (𝜗).
Then 𝜗 is a root of ℎ = 𝑓3 − 𝑓1 𝑓2 ∈ 𝐐[𝑥], so 𝑚𝜗 ∣ ℎ. This implies that all other roots of
𝑚𝜗 , i.e. all conjugates 𝜗 (𝑗) of 𝜗 are roots of ℎ too, so
0 = ℎ(𝜗 (𝑗) ) = 𝑓3 (𝜗 (𝑗) ) − 𝑓1 (𝜗 (𝑗) )𝑓2 (𝜗 (𝑗) ), 𝑗 = 1, 2, . . . , 𝑛.
Multiplying the equalities 𝑓3 (𝜗 (𝑗) ) = 𝑓1 (𝜗 (𝑗) )𝑓2 (𝜗 (𝑗) ), we obtain
𝑛 𝑛 𝑛
𝑁(𝛼𝛽) = ∏ 𝑓3 (𝜗 (𝑗) ) = (∏ 𝑓1 (𝜗 (𝑗) ))(∏ 𝑓2 (𝜗 (𝑗) )) = 𝑁(𝛼)𝑁(𝛽). □
𝑗=1 𝑗=1 𝑗=1

Exercises 10.4

1. Determine the conjugates of the algebraic numbers over 𝐐

(a) √2 + √3
(b) √2(1 + 𝑖)
(c) cos 20∘
(d) cos 1∘ + 𝑖 sin 1∘ .
10.5. Integral Basis 335

2. Let 𝜗 (1) = 𝜗, 𝜗 (2) , . . . , 𝜗 (𝑛) denote the conjugates of an algebraic number 𝜗 over 𝐐.
Verify.
(a) If deg 𝜗 = 2, then 𝐐(𝜗 (1) ) = 𝐐(𝜗 (2) ).
(b) If 𝜗 is a non-real complex number and deg 𝜗 is odd, then 𝐐(𝜗 (𝑗) ) ≠ 𝐐(𝜗 (𝑘) )
for some 𝑗 and 𝑘.
(c) If 𝜗 is a non-real complex number and deg 𝜗 = 3, then 𝑗 ≠ 𝑘 implies 𝐐(𝜗 (𝑗) ) ∩
𝐐(𝜗 (𝑘) ) = 𝐐.
4
3. Find the relative conjugates and norm of the elements in 𝐐( √ 2)
4
(a) 1 + √ 2
(b) 1 + √2
4 4
(c) 1 + √ 2 + √2 + √ 8.
4. Prove that an element 𝜀 is a unit in the ring 𝐼(𝜗) of all algebraic integers of 𝐐(𝜗) if
and only if 𝑁(𝜀) = ±1.
Remark: There are infinitely many units in 𝐼(𝜗) except when 𝐐(𝜗) is an imaginary
quadratic field or 𝐐(𝜗) = 𝐐.
5. Verify.
(a) There exists a Gaussian rational which is not a Gaussian integer, but its norm
is an integer.
(b) There exists an element 𝛼 in every quadratic field 𝐐(𝜗) that is not an algebraic
integer, but 𝑁(𝛼) is an integer.

10.5. Integral Basis

In this section, 𝜗 always denotes an algebraic number of degree 𝑛.
We know from Theorem 10.2.3 that every 𝛼 ∈ 𝐐(𝜗) has a unique representation
(10.5.1) 𝛼 = 𝑎0 + 𝑎1 𝜗 + ⋯ + 𝑎𝑛−1 𝜗𝑛−1 , 𝑎𝑗 ∈ 𝐐, 𝑗 = 0, 1, . . . , 𝑛 − 1,
so 1, 𝜗, . . . , 𝜗𝑛−1 form a basis in 𝐐(𝜗) considered as a vector space over 𝐐.
Representation (10.5.1) gives no information in general about whether or not 𝛼
is an algebraic integer. For a quadratic field, however, we proved in Theorems 10.3.1
and 10.3.2 the existence of a basis 𝜔1 , 𝜔2 that does: Every quadratic field can be written
as 𝐐(√𝑡), where 𝑡 is a squarefree integer different from 1, and taking
√𝑡, if 𝑡 ≢ 1 (mod 4)
𝜔1 = 1 and 𝜔2 = {
(1 + √𝑡)/2, if 𝑡 ≡ 1 (mod 4),

every 𝛼 ∈ 𝐐(√𝑡) has a unique representation as

𝛼 = 𝑟1 𝜔1 + 𝑟2 𝜔2 , 𝑟1 , 𝑟2 ∈ 𝐐,
and, 𝛼 is an algebraic integer if and only if both 𝑟1 and 𝑟2 are ordinary integers.
In general, a basis with this property is called an integral basis of 𝐐(𝜗).
336 10. Algebraic Number Fields

Definition 10.5.1. The elements 𝜔1 , . . . , 𝜔𝑛 of an extension 𝐐(𝜗) form an integral basis

in 𝐐(𝜗) if every 𝛼 ∈ 𝐐(𝜗) has a unique representation
(10.5.2) 𝛼 = 𝑟1 𝜔1 + 𝑟2 𝜔2 + ⋯ + 𝑟𝑛 𝜔𝑛 , 𝑟𝑗 ∈ 𝐐, 𝑗 = 1, 2, . . . , 𝑛,
and 𝛼 is an algebraic integer if and only if every 𝑟𝑗 is an ordinary integer. ♣

Our goal is to prove that every extension 𝐐(𝜗) possesses an integral basis.
Let 𝜗 be an algebraic number of degree 𝑛. We consider the extension 𝐐(𝜗). To
make a clear distinction, bases of the vector space 𝐐(𝜗) over 𝐐 will be called v-bases,
and the integral bases among them will be referred to as i-bases.
We examine first how to determine whether 𝑛 elements of 𝐐(𝜗) form a v-basis. Let
𝛼1 , . . . , 𝛼𝑛 ∈ 𝐐(𝜗),
(10.5.3a) 𝛼𝑖 = 𝑓𝑖 (𝜗), where 𝑓𝑖 ∈ 𝐐[𝑥], deg 𝑓𝑖 ≤ 𝑛 − 1 or 𝑓𝑖 = 0, 𝑖 = 1, . . . , 𝑛

so
(10.5.3b)
𝛼𝑖 = 𝑎0𝑖 + 𝑎1𝑖 𝜗 + ⋯ + 𝑎𝑛−1,𝑖 𝜗𝑛−1 , 𝑎𝑘𝑖 ∈ 𝐐, 0 ≤ 𝑘 ≤ 𝑛 − 1, 1 ≤ 𝑖 ≤ 𝑛.
Consider the linear transformation 𝒜 of the vector space 𝐐(𝜗) that maps the elements
1, 𝜗, . . . , 𝜗𝑛−1 of the v-basis to the vectors 𝛼1 , . . . , 𝛼𝑛 , in this order. Then the matrix of
the transformation 𝒜 in the v-basis 1, 𝜗, . . . , 𝜗𝑛−1 is
𝑎 𝑎02 ... 𝑎0𝑛
⎛ 01 ⎞
𝑎 𝑎12 ... 𝑎1𝑛
(10.5.4) 𝐴 = ⎜ 11 ⎟
⎜ ⋮ ⋮ ⋱ ⋮ ⎟
⎝𝑎𝑛−1,1 𝑎𝑛−1,2 ... 𝑎𝑛−1,𝑛 ⎠
where 𝑎𝑘𝑖 are the rational numbers in (10.5.3b).
We know from elementary linear algebra that the vectors 𝛼1 , . . . , 𝛼𝑛 form a v-basis
if and only if matrix 𝒜 has an inverse, or det 𝐴 ≠ 0.
Observe that the numbers 𝛼1 , . . . , 𝛼𝑛 can be expressed as
𝛼 1
⎛ 1⎞ ⎛ ⎞
𝛼2 𝜗
(10.5.3c) ⎜ ⎟ = 𝐴𝑇 ⎜ ⎟
⎜⋮⎟ ⎜ ⋮ ⎟
⎝𝛼𝑛 ⎠ ⎝𝜗𝑛−1 ⎠
where 𝐴𝑇 denotes the transpose of the matrix 𝐴.
To verify the existence of an i-basis, we shall use the discriminant which is the
square of the determinant of a matrix closely related to 𝐴.
Let 𝑉 be the Vandermonde matrix generated by the conjugates of 𝜗 over 𝐐:
1 1 1 ... 1
⎛ ⎞
𝜗
⎜ (1) 𝜗 (2) 𝜗 (3) ... 𝜗 (𝑛) ⎟
(10.5.5) 𝑉 = 𝑉(𝜗 (1) , 𝜗 (2) , . . . , 𝜗 (𝑛) ) = ⎜ 𝜗(1)
2 2
𝜗(2) 2
𝜗(3) ... 2 ⎟
𝜗(𝑛)
⎜ ⎟
⎜ ⋮ ⋮ ⋮ ⋱ ⋮ ⎟
𝑛−1 𝑛−1 𝑛−1 𝑛−1
⎝𝜗(1) 𝜗(2) 𝜗(3) ... 𝜗(𝑛) ⎠
10.5. Integral Basis 337

and
(10.5.6) 𝐴̃ = 𝐴𝑇 𝑉.
Then the 𝑗th element in row 𝑖 of the matrix 𝐴̃ is the inner product of row 𝑖 in 𝐴 and
column 𝑗 in 𝑉, or
𝑛−1
(10.5.7) 𝑎0𝑖 + 𝑎1𝑖 𝜗 (𝑗) + ⋯ + 𝑎𝑛−1,𝑖 𝜗(𝑗) .
By (10.5.3a)–(10.5.3b), the sum in (10.5.7) is just the 𝑗th relative conjugate 𝑓𝑖 (𝜗 (𝑗) ) of
𝛼𝑖 .
The discriminant Δ(𝛼1 , . . . , 𝛼𝑛 ) of the numbers 𝛼1 , . . . , 𝛼𝑛 is the square of the de-
terminant of matrix 𝐴:̃
Definition 10.5.2. Consider the extension 𝐐(𝜗), where deg 𝜗 = 𝑛, and let 𝜗 (1) = 𝜗,
𝜗 (2) , . . . , 𝜗 (𝑛) denote the conjugates of 𝜗. The discriminant Δ(𝛼1 , . . . , 𝛼𝑛 ) of the numbers
𝛼1 , . . . , 𝛼𝑛 is the square of the determinant of the matrix 𝐴,̃ i.e. using (10.5.3a)–(10.5.7),
2
|𝑓1 (𝜗 (1) ) 𝑓1 (𝜗 (2) ) . . . 𝑓1 (𝜗 (𝑛) )|
|𝑓 (𝜗 ) 𝑓2 (𝜗 (2) ) . . . 𝑓2 (𝜗 (𝑛) )||
Δ(𝛼1 , . . . , 𝛼𝑛 ) = (det(𝐴𝑇 𝑉))2 = || 2 (1) . ♣
| ⋮ ⋮ ⋱ ⋮ ||
|𝑓𝑛 (𝜗 (1) ) 𝑓𝑛 (𝜗 (2) ) . . . 𝑓𝑛 (𝜗 (𝑛) )|

We summarize the most important properties of the discriminant in

Theorem 10.5.3. (i) The discriminant Δ(𝛼1 , . . . , 𝛼𝑛 ) is a rational number, and for al-
gebraic integers 𝛼𝑖 , it is an integer.
(ii) 𝛼1 , . . . , 𝛼𝑛 is a v-basis if and only if Δ(𝛼1 , . . . , 𝛼𝑛 ) ≠ 0.
(iii) If 𝐶 is an 𝑛 × 𝑛 matrix with rational elements and
𝛽 𝛼
⎛ 1⎞ ⎛ 1⎞
𝛽2 𝛼2
⎜ ⎟ = 𝐶⎜ ⎟
⎜⋮⎟ ⎜⋮⎟
⎝𝛽𝑛 ⎠ ⎝𝛼𝑛 ⎠
then
Δ(𝛽1 , . . . , 𝛽𝑛 ) = (det 𝐶)2 Δ(𝛼1 , . . . , 𝛼𝑛 ). ♣

Proof. (i) The discriminant is a symmetric polynomial in the variables 𝜗 (𝑗) . Inter-
changing two 𝜗 (𝑗) means interchanging two columns in the determinant, which gives
a sign change for the determinant, so its square remains the same. This implies in the
usual way (as in the proofs of Theorems 9.3.1, 9.3.6, or 10.4.3) that the discriminant is
a rational number.
If every 𝛼𝑖 is an algebraic integer, then their conjugates, and so their relative conju-
gates, are algebraic integers. The discriminant is computed from the relative conjugates
using addition, subtraction, and multiplication. As the algebraic integers form a ring,
the discriminant is an algebraic integer, too. Hence the discriminant is both a rational
number and an algebraic integer, so it is necessarily an integer.
(ii) By the rule of multiplication of determinants,
Δ(𝛼1 , . . . , 𝛼𝑛 ) = (det 𝐴)2 (det 𝑉)2 .
338 10. Algebraic Number Fields

Since the generating elements 𝜗 (𝑗) of the Vandermonde determinant 𝑉 are all distinct,
det 𝑉 ≠ 0. Thus
Δ(𝛼1 , . . . , 𝛼𝑛 ) ≠ 0 ⟺ det 𝐴 ≠ 0.
And as we showed earlier, 𝛼1 , . . . , 𝛼𝑛 is a v-basis if and only if det 𝐴 ≠ 0.
(iii) By (10.5.3c),
𝛼 1 𝛽 1
⎛ 1⎞ ⎛ ⎞ ⎛ 1⎞ ⎛ ⎞
𝛼2 𝜗 𝛽2 𝜗
⎜ ⎟ = 𝐴𝑇 ⎜ ⎟ and ⎜ ⎟ = 𝐵𝑇 ⎜ ⎟
⎜⋮⎟ ⎜ ⋮ ⎟ ⎜⋮⎟ ⎜ ⋮ ⎟
⎝𝛼𝑛 ⎠ ⎝𝜗𝑛−1 ⎠ ⎝𝛽𝑛 ⎠ ⎝𝜗𝑛−1 .⎠
Thus
𝛽 𝛼 1
⎛ 1⎞ ⎛ 1⎞ ⎛ ⎞
𝛽2 𝛼2 𝜗
⎜ ⎟ = 𝐶 ⎜ ⎟ = 𝐶𝐴𝑇 ⎜ ⎟
⎜⋮⎟ ⎜⋮⎟ ⎜ ⋮ ⎟
⎝𝛽𝑛 ⎠ ⎝𝛼𝑛 ⎠ ⎝𝜗𝑛−1 ,⎠
so 𝐵𝑇 = 𝐶𝐴𝑇 by the uniqueness of matrix 𝐵 belonging to the numbers 𝛽 𝑖 . This implies
Δ(𝛽1 , . . . , 𝛽𝑛 ) = (det(𝐵 𝑇 𝑉))2 = (det(𝐶𝐴𝑇 𝑉))2
= (det 𝐶)2 (det(𝐴𝑇 𝑉))2 = (det 𝐶)2 Δ(𝛼1 , . . . , 𝛼𝑛 ). □

Now we are ready to prove the existence of an i-basis.

Theorem 10.5.4. There exists an integral basis in 𝐐(𝜗) for any algebraic number 𝜗. ♣

Proof. We establish first a few properties of i-bases that will help to find an i-basis
among the v-bases.
If 𝜔1 , . . . , 𝜔𝑛 is an i-basis, then every 𝜔𝑖 is an algebraic integer, since every coeffi-
cient is an integer in the representation
𝜔𝑖 = 0 ⋅ 𝜔1 + ⋯ + 1 ⋅ 𝜔𝑖 + ⋯ + 0 ⋅ 𝜔𝑛 .
If 𝜔1 , . . . , 𝜔𝑛 is an i-basis and 𝛽1 , . . . , 𝛽𝑛 is a v-basis of algebraic integers, then every 𝛽 𝑖
is a linear combination with integer coefficients of the basis vectors 𝜔𝑗 , so
𝛽 𝜔
⎛ 1⎞ ⎛ 1⎞
𝛽2 𝜔2
⎜ ⎟ = 𝐶⎜ ⎟
⎜⋮⎟ ⎜⋮⎟
⎝𝛽𝑛 ⎠ ⎝𝜔𝑛 ⎠
with a suitable invertible matrix 𝐶 with integer elements. Then Theorem 10.5.3(iii)
implies
Δ(𝛽1 , . . . , 𝛽𝑛 ) = Δ(𝜔1 , . . . , 𝜔𝑛 )(det 𝐶)2 .
Since det 𝐶 is a non-zero integer, (det 𝐶)2 ≥ 1, so
|Δ(𝛽1 , . . . , 𝛽𝑛 )| ≥ |Δ(𝜔1 , . . . , 𝜔𝑛 )|.
This says that the absolute value of the discriminant of an i-basis is less than or equal
to the absolute value of the discriminant of any v-basis consisting of algebraic integers.
Accordingly, a v-basis can be an i-basis only if its elements are algebraic integers
and the absolute value of its discriminant is minimal among all v-bases of this type.
10.5. Integral Basis 339

We verify that there exists a v-basis with this property, and it is also an i-basis.
We show first that there are v-bases consisting of algebraic integers. Let 𝛾1 , . . . , 𝛾𝑛
be an arbitrary v-basis. By Exercise 9.6.6, every 𝛾 𝑖 can be written as 𝛾 𝑖 = 𝛼𝑖 /𝑐 𝑖 , where
𝛼𝑖 is an algebraic integer and 𝑐 𝑖 ≠ 0 is an ordinary integer. Then clearly 𝛼1 , . . . , 𝛼𝑛 is a
v-basis.
Consider all v-bases of algebraic integers. The discriminant of each is a non-zero
integer, by Theorem 10.5.3(i)–(ii). Choose a v-basis 𝜔1 , . . . , 𝜔𝑛 that has a discriminant
of minimal absolute value. We prove that 𝜔1 , . . . , 𝜔𝑛 is an i-basis. Thus, we have to
verify that 𝛼 ∈ 𝐐(𝜗) is an algebraic integer if and only if every 𝑟𝑗 is an integer in repre-
sentation (10.5.2)
𝛼 = 𝑟1 𝜔1 + 𝑟2 𝜔2 + ⋯ + 𝑟𝑛 𝜔𝑛 , 𝑟𝑗 ∈ 𝐐, 𝑗 = 1, 2, . . . , 𝑛.
Assume first that 𝑟1 , . . . , 𝑟𝑛 are integers. Since every 𝜔𝑖 is an algebraic integer and the
𝑛
algebraic integers form a ring, 𝛼 = ∑𝑗=1 𝑟𝑗 𝜔𝑗 is an algebraic integer.
Conversely, let 𝛼 ∈ 𝐐(𝜗) be an algebraic integer. Assume that, say, 𝑟1 is not an
integer in representation (10.5.2)
𝛼 = 𝑟1 𝜔1 + 𝑟2 𝜔2 + ⋯ + 𝑟𝑛 𝜔𝑛 .
Let
𝛽1 = 𝛼 − ⌊𝑟1 ⌋𝜔1 = {𝑟1 }𝜔1 + 𝑟2 𝜔2 + ⋯ + 𝑟𝑛 𝜔𝑛 and 𝛽𝑗 = 𝜔𝑗 for 2 ≤ 𝑗 ≤ 𝑛.
Then the numbers 𝛽1 , . . . , 𝛽𝑛 are algebraic integers, and
𝛽 𝜔
⎛ 1⎞ ⎛ 1⎞
𝛽2 𝜔2
⎜ ⎟ = 𝐶⎜ ⎟
⎜⋮⎟ ⎜⋮⎟
⎝𝛽𝑛 ⎠ ⎝𝜔𝑛 ⎠
where
{𝑟 } 𝑟2 𝑟3 ... 𝑟𝑛
⎛ 1 ⎞
0 1 0 ... 0
⎜ ⎟
𝐶=⎜ 0 0 1 ... 0⎟
⎜ ⋮ ⋮ ⋮ ⋱ ⋮⎟
⎝ 0 0 0 ... 1⎠
By Theorem 10.5.3(iii),
Δ(𝛽1 , . . . , 𝛽𝑛 ) = Δ(𝜔1 , . . . , 𝜔𝑛 )(det 𝐶)2 = Δ(𝜔1 , . . . , 𝜔𝑛 ){𝑟1 }2 ,
and 0 < {𝑟1 } < 1 implies
0 < |Δ(𝛽1 , . . . , 𝛽𝑛 )| < |Δ(𝜔1 , . . . , 𝜔𝑛 )|,
which contradicts the minimality of |Δ(𝜔1 , . . . , 𝜔𝑛 )|. □
Remarks: (1) We see from the proof that the absolute values of the discriminants are
the same for any two integral bases in 𝐐(𝜗). It can be shown that the discrimi-
nants themselves are equal, see Exercise 10.5.2b. This common value is called the
discriminant of the extension 𝐐(𝜗).
(2) The proof above shows only the existence of an integral basis, and is not suitable
to construct one explicitly.
 340 10. Algebraic Number Fields

(3) We can exhibit an integral basis in a quadratic field by Theorem 10.3.2, but for
extensions of higher degree, it is hard to find an integral basis. It can be shown
that if 𝜗 is a 𝑝th primitive complex root of unity for a prime 𝑝 > 2, then 1, 𝜗, . . . ,
𝜗𝑝−2 form an integral basis in 𝐐(𝜗).

Exercises 10.5

1. Compute the discriminant Δ(1, 𝜗, . . . , 𝜗𝑛−1 ) in 𝐐(𝜗) if 𝜗 is

(a) 𝑖
(b) cos(2𝜋/3) + 𝑖 sin(2𝜋/3)
3
(c) √ 2;
* (d) 𝑛√2.
2. Consider an extension 𝐐(𝜗), where deg 𝜗 = 𝑛. Prove.
(a) If 𝜔1 , . . . , 𝜔𝑛 is an integral basis and 𝛽1 , . . . , 𝛽𝑛 ∈ 𝐐(𝜗) are algebraic integers,
then Δ(𝜔1 , . . . , 𝜔𝑛 ) ∣ Δ(𝛽1 , . . . , 𝛽𝑛 ).
(b) Any two integral bases have the same discriminant.
3. Determine the discriminant of an integral basis in a quadratic field.
4. Let deg 𝜗 = 𝑛 and 𝛼1 , . . . , 𝛼𝑛 algebraic integers in 𝐐(𝜗) such that Δ(𝛼1 , . . . , 𝛼𝑛 ) is
squarefree. Show that 𝛼1 , . . . , 𝛼𝑛 is an integral basis in 𝐐(𝜗).
5. (a) Find a necessary and sufficient condition for Gaussian rationals 𝑎 + 𝑏𝑖 and
𝑐 + 𝑑𝑖 to form an integral basis in 𝐐(𝑖).
(b) Answer the similar question for Eulerian rationals.
S 6. In which quadratic fields does there exist an integral basis 𝜔1 , 𝜔2 , where 𝜔2 is the
conjugate of 𝜔1 over 𝐐?
7. Let deg 𝜗 = 𝑛, and assume that the minimal polynomial 𝑚𝜗 has only real roots.
Then Δ(𝛽1 , . . . , 𝛽𝑛 ) ≥ 0 for any elements 𝛽1 , . . . , 𝛽𝑛 in 𝐐(𝜗).
8. (a) Exhibit an example showing that the discriminant Δ(𝛼1 , . . . , 𝛼𝑛 ) can be a non-
zero integer even if not all the 𝛼𝑖 are algebraic integers.
(b) Prove that if 𝐐(𝜗) ≠ 𝐐, then there exists a v-basis in 𝐐(𝜗) such that none of
its elements is an algebraic integer, but its discriminant is an integer.
 Chapter 11

Ideals

Ideals play a central role in ring theory, but we restrict ourselves to the number theo-
retic relations. We establish a necessary and sufficient condition for the validity of the
Fundamental Theorem of Arithmetic, and show that it always holds in principal ideal
domains and Euclidean rings. Then we build number theory for ideals, and prove that
unique prime factorization is true among the ideals of algebraic integers in an algebraic
number field. As an application, we illustrate through an example that ideals can help
to handle Diophantine equations even if the Fundamental Theorem of Arithmetic is
false for the algebraic integers of the corresponding extension.

11.1. Ideals and Factor Rings

“Ideal numbers” were introduced by Kummer in the middle of the 19th century for a
more efficient approach to Fermat’s Last Theorem. We shall discuss this in Section 11.2
in more detail. The notion of ideals, developed from ideal numbers, has become a fun-
damental tool in ring-theoretical investigations, independent of its impact on number
theory.

Definition 11.1.1. A non-empty subset 𝐼 of a ring 𝑅 is an ideal in 𝑅, if

(A) 𝐼 is closed for addition and taking negatives so
𝑖, 𝑗 ∈ 𝐼 ⟹ 𝑖 + 𝑗 ∈ 𝐼, −𝑖 ∈ 𝐼;

(B) Multiplying any element of 𝐼 by an arbitrary element of 𝑅 gives a product that is

in 𝐼:
𝑖 ∈ 𝐼, 𝑟 ∈ 𝑅 ⟹ 𝑟𝑖 ∈ 𝐼, 𝑖𝑟 ∈ 𝐼. ♣

In an equivalent formulation, an ideal 𝐼 is a special subring where also those prod-

ucts are in 𝐼 when one of the factors is in 𝐼 and the other factor is not.

Examples of Ideals. E1 The set of multiples of 𝑚 in the ring of integers.

341
342 11. Ideals

E2 The set of polynomials having a given complex number 𝛼 among their roots in
the ring of polynomials with rational coefficients.
E3 The set of polynomials having an even constant term in the ring of polynomials
with integer coefficients.
E4 In any ring, the ring itself and the one-element subset containing the zero alone.
These are called trivial ideals. A field has just the two trivial ideals (see Exer-
cise 11.1.3).

Since we investigate only number-theoretic connections of ideals, we shall restrict

ourselves in this chapter to rings 𝑅 that are commutative, free of zero divisors, and have
an identity element or identity, for short.
The first two properties mean that 𝑅 is an integral domain (see Exercise 1.1.23).
As we deal mostly with polynomial rings and subrings of the complex field, we shall
denote the identity element by 1.
The simplest, but also most important, ideals are the ones generated by a single
element. These are the principal ideals.
Definition 11.1.2. Let 𝑎 be an arbitrary element in an integral domain 𝑅 with identity.
The set { 𝑟𝑎 ∣ 𝑟 ∈ 𝑅 } is called a principal ideal generated by 𝑎 and is denoted by (𝑎). ♣

Thus the principal ideal (𝑎) consists of the multiples of 𝑎 formed by elements of 𝑅.
The phrases “generated by 𝑎” and “ideal” in the definition are justified by
Theorem 11.1.3. The principal ideal (𝑎) is the smallest ideal containing 𝑎, i.e.
(i) (𝑎) is an ideal in 𝑅
(ii) 𝑎 ∈ (𝑎)
(iii) if 𝐼 is an ideal in 𝑅 and 𝑎 ∈ 𝐼, then (𝑎) ⊆ 𝐼. ♣

Proof. (i) We verify that the non-empty set { 𝑟𝑎 ∣ 𝑟 ∈ 𝑅 } satisfies Definition 11.1.1.
To avoid ambiguity in the formulas, we use square brackets for the usual meaning of
parentheses, and keep round parentheses for denoting ideals.
𝑟1 𝑎 + 𝑟2 𝑎 = [𝑟1 + 𝑟2 ]𝑎, −[𝑟𝑎] = [−𝑟]𝑎, and [𝑟1 𝑎]𝑟2 = 𝑟2 [𝑟1 𝑎] = [𝑟2 𝑟1 ]𝑎.
(ii) 𝑎 = 1𝑎 ∈ { 𝑟𝑎 ∣ 𝑟 ∈ 𝑅 }.
(iii) If ideal 𝐼 contains 𝑎, then by (B) in Definition 11.1.1, it must also contain 𝑟𝑎
for every 𝑟 ∈ 𝑅, so (𝑎) ⊆ 𝐼. □

We used the identity element and the commutative law in verifying (ii) and (i), and
we did not need the lack of zero divisors.
Examples. The two trivial ideals (in Example E4) are principal ideals, generated by
the identity and zero: 𝑅 = (1) and {0} = (0).
The ideals in examples E1 and E2 are principal ideals: The multiples of 𝑚 in 𝐙
constitute the principal ideal (𝑚); the polynomials satisfying 𝑓(𝛼) = 0 in 𝐐[𝑥] consti-
tute (0) or (𝑚𝛼 ) according to 𝛼 being transcendental or algebraic (𝑚𝛼 is the minimal
polynomial of 𝛼).
11.1. Ideals and Factor Rings 343

The ideal in example E3, however, is not a principal ideal. Let 𝐼 denote this set
of polynomials with integer coefficients having an even constant term, and assume
𝐼 = (𝑓) for some 𝑓. Then 𝑓 is a divisor of every element in 𝐼, including 2. Therefore
only 𝑓 = ±1 or ±2 are possible. However, (±1) contains all polynomials with integer
coefficients, whereas (±2) is the polynomials where every coefficient is even. Hence
these principal ideals are not equal to 𝐼. This contradiction shows that 𝐼 is not a prin-
cipal ideal.

As a generalization of principal ideals, we introduce the notion of finitely gener-

ated ideals.
Definition 11.1.4. Let 𝑎1 , . . . , 𝑎𝑘 be elements of an integral domain 𝑅 with identity.
𝑘
Then the set { ∑𝑗=1 𝑟𝑗 𝑎𝑗 ∣ 𝑟𝑗 ∈ 𝑅 } is called the principal ideal generated by 𝑎1 , . . . , 𝑎𝑘
and is denoted by (𝑎1 , . . . , 𝑎𝑘 ).
An ideal 𝐼 is finitely generated if 𝐼 = (𝑎1 , . . . , 𝑎𝑘 ) for some suitable elements 𝑎1 , . . . , 𝑎𝑘 .
♣

The analog of Theorem 11.1.3 holds for finitely generated ideals:

Theorem 11.1.5. The ideal (𝑎1 , . . . , 𝑎𝑘 ) is the smallest ideal containing the elements 𝑎𝑗 :
(i) (𝑎1 , . . . , 𝑎𝑘 ) is an ideal in 𝑅
(ii) 𝑎𝑗 ∈ (𝑎1 , . . . , 𝑎𝑘 ), 𝑗 = 1, 2, . . . , 𝑘
(iii) if 𝐼 is any ideal in 𝑅 and 𝑎𝑗 ∈ 𝐼, 𝑗 = 1, 2, . . . , 𝑘, then (𝑎1 , . . . , 𝑎𝑘 ) ⊆ 𝐼. ♣

The proof of Theorem 11.1.5 is similar to that seen in Theorem 11.1.3, so we leave
the details to the reader.
Examples. Clearly, every principal ideal is a finitely generated ideal, generated by a
single element.
Also, the ideal 𝐼 in Example E3 is finitely generated: 𝐼 = (2, 𝑥).
In the ring 𝑈 of all algebraic integers,
𝑘
𝐾 = { 𝜉 √2 ∣ 𝜉 ∈ 𝑈, 𝑘 = 2, 3, 4, . . . }
is an ideal, but cannot be generated by finitely many elements (see Exercise 11.1.4).
If 𝜗 is an algebraic number, then every ideal in 𝐼(𝜗) is finitely generated (see Ex-
ercise 11.1.10). (As earlier, 𝐼(𝜗) denotes the ring of algebraic integers in the extension
𝐐(𝜗).)

Finally we present the construction of factor rings with respect to ideals (or, for
short, modulo ideals). This is a generalization of the ring of modulo 𝑚 residue classes
(see Section 2.8).
We saw in Example E1 after Definition 11.1.1 that the multiples of 𝑚 form an ideal 𝐼
in the ring 𝐙. The residue class modulo 𝑚 containing the integer 𝑎 (the one represented
by 𝑎) has the form
(11.1.1) 𝑎 + 𝐼 = { 𝑎 + 𝑖 ∣ 𝑖 ∈ 𝐼 }.
344 11. Ideals

We defined addition and multiplication for residue classes using their representatives.
Using (11.1.1), this means
(11.1.2) [𝑎 + 𝐼] + [𝑏 + 𝐼] = [𝑎 + 𝑏] + 𝐼 and [𝑎 + 𝐼][𝑏 + 𝐼] = 𝑎𝑏 + 𝐼.
We had to verify that (11.1.2) defines operations for the classes, i.e. the resulting class
is unique, it does not depend on the choice of the representatives taken from the two
classes. Analyzing the proof, it turns out that uniqueness is guaranteed by 𝐼 being an
ideal. Thus we arrive at the generalization:
Theorem 11.1.6. Let 𝐼 be an ideal in a ring 𝑅. Then the residue classes (11.1.1) modulo 𝐼
are disjoint subsets in 𝑅 and their union equals 𝑅. Further, they form a ring with respect
to the addition and multiplication defined by (11.1.2). This ring is called the factor ring
of 𝑅 modulo 𝐼, and is denoted by 𝑅/𝐼. ♣

Accordingly, the ring of residue classes modulo 𝑚 is the factor ring 𝐙/(𝑚) of the
integers modulo the principal ideal (𝑚).
We leave the proof of Theorem 11.1.6 to the reader. One has to use the ideal prop-
erties of 𝐼 to show that the classes (11.1.1) cover 𝑅, any two of them either coincide or
are distinct, and the operations in 𝑅/𝐼 are uniquely defined. The commutative, asso-
ciative, and distributive laws in 𝑅/𝐼 follow from the ones in 𝑅, the zero element of 𝑅/𝐼
is the residue class 0 + 𝐼, that is the ideal 𝐼 itself, and the negative of a residue class 𝑎 + 𝐼
is the residue class [−𝑎] + 𝐼.
Example. We analyze the factor ring 𝐐[𝑥]/(𝑥2 − 2) of the ring of polynomials with
rational coefficients modulo the principal ideal of polynomials divisible by 𝑥2 − 2.
We can apply similar considerations to those we used when we constructed the
ring of residue classes modulo 𝑚 at the integers, which is in fact the factor ring 𝐙/(𝑚).
Polynomials fall into the same residue class modulo the principal ideal (𝑥2 − 2) if they
give the same remainder on division by 𝑥2 − 2. Thus every residue class can be charac-
terized uniquely by a remainder, i.e. by a polynomial 𝑎 + 𝑏𝑥 (with rational coefficients)
of degree at most one (including the 0 polynomial representing the ideal itself).
Computations in the factor ring are actually done with these remainders, so to
multiply two residue classes we multiply the corresponding remainders and take the
remainder of the product on division by 𝑥2 −2 (just as the product of 7 and 6 modulo 15
is 12). Thus we perform addition as
[𝑎 + 𝑏𝑥] + [𝑐 + 𝑑𝑥] = [𝑎 + 𝑐] + [𝑏 + 𝑑]𝑥,
and the rule for multiplication is
𝑎 + 𝑏𝑥][𝑐 + 𝑑𝑥] = 𝑎𝑐 + [𝑎𝑑 + 𝑏𝑐]𝑥 + 𝑏𝑑𝑥2 =
= 𝑎𝑐 + [𝑎𝑑 + 𝑏𝑐]𝑥 + 2𝑏𝑑 + 𝑏𝑑[𝑥2 − 2] = [𝑎𝑐 + 2𝑏𝑑] + [𝑎𝑑 + 𝑏𝑐]𝑥,

exactly as in 𝐐(√2) (imagine everywhere √2 instead of the letter 𝑥).

This means that the factor ring 𝐐[𝑥]/(𝑥2 − 2) is isomorphic to (or, in literal trans-
lation, “is of the same form as”) the field 𝐐(√2).

Similar to this example, we can characterize 𝐐(𝜗) as a factor ring for any algebraic
number 𝜗, the field 𝐐(𝜗) is isomorphic to 𝐐[𝑥]/(𝑚𝜗 ). See Exercise 11.1.9.
Exercises 11.1 345

Exercises 11.1

1. Consider the sets of Gaussian integers 𝛼 = 𝑎 + 𝑏𝑖 with the properties:

(a) both 𝑎 and 𝑏 are even

(b) 𝑎 ≡ 𝑏 (mod 2)
(c) 𝑎 ≡ 𝑏 (mod 3)
(d) 2 ∣ 𝑁(𝛼)
(e) 5 ∣ 𝑁(𝛼)
(f) 7 ∣ 𝑁(𝛼).

Which of the sets form an ideal in the ring of Gaussian integers? Which of them
are principal ideals? Find a generating element for each of them.

2. Consider the sets of polynomials 𝑓 with integer coefficients having the properties:

(a) 𝑓(1/2) = 0
(b) 𝑓(√2) = 𝑓(√3) = 0
(c) 𝑓(√2) = 𝑓(√3)
(d) 𝑓(3) is even
(e) the leading coefficient of 𝑓 is even or 𝑓 = 0.

Which of the sets are ideals in the ring 𝐙[𝑥], and what is the minimal number of
generators?

3. Prove that a non-zero, commutative ring with identity element and no zero divisors
is a field if and only if it has only trivial ideals.

4. Let 𝑈 be the ring of all algebraic integers and

𝑘
𝐾 = { 𝜉 √2 ∣ 𝜉 ∈ 𝑈, 𝑘 = 2, 3, 4, . . . } .

Show that 𝐾 is an ideal in 𝑈, but cannot be generated by finitely many elements.

5. Let 𝛼1 , . . . , 𝛼𝑘 and 𝜉 arbitrary elements of an integral domain 𝑅 with identity. Verify

(𝛼1 , 𝛼2 , . . . , 𝛼𝑘 ) = (𝛼1 − 𝜉𝛼2 , 𝛼2 , . . . , 𝛼𝑘 ).

6. Let 𝐺 be the ring of Gaussian integers.

(a) How many elements are there in the factor rings modulo the ideals below, and
which of them are fields:
(a1): (2)
 346 11. Ideals

(a2): (3)
(a3): (2 + 𝑖)?
* (b) Answer these questions in general for an arbitrary principal ideal in 𝐺.

7. Consider the ring 𝐼(√−5).

(a) Show that the ideal (2, 1 + √−5) is not a principal ideal in 𝐼(√−5).
(b) How many elements are there in the factor rings modulo the ideals below, and
which of them are fields:
(b1): (2, 1 + √−5)
(b2): (1 + √−5)
(b3): (11)?

S 8. (a) Which of the factor rings are fields:

(a1): 𝐑[𝑥]/(𝑥2 − 2)
(a2): 𝐑[𝑥]/(𝑥2 + 1)
(a3): 𝐂[𝑥]/(𝑥2 + 1)?
(b) Let 𝐹 be an arbitrary commutative field and 𝑔 ∈ 𝐹[𝑥]. Find a necessary and
sufficient condition for the factor ring 𝐹[𝑥]/(𝑔) to be a field.
(c) Verify that the factor ring 𝐙[𝑥]/(2, 𝑥2 + 𝑥 + 1) is a field.

* 9. (a) Let 𝜗 be an algebraic number. Prove that the field 𝐐(𝜗) is isomorphic to the
factor ring 𝐐[𝑥]/(𝑚𝜗 ).
(b) Let 𝐿 be an arbitrary commutative field and 𝑓 an irreducible polynomial over
𝐿. Construct a field 𝑀 satisfying the properties:
(i) 𝑀 has a subfield 𝐿∗ isomorphic to 𝐿
(ii) If we obtain the coefficients of the polynomial 𝑓∗ ∈ 𝐿∗ [𝑥] from the co-
efficients of 𝑓 using the isomorphism 𝐿 → 𝐿∗ , then 𝑓∗ has a root 𝜗 ∈ 𝑀
(iii) 𝑀 = 𝐿∗ (𝜗).
Remark: This construction enables extending 𝐿 by a—not yet existing(!)—root
of an irreducible polynomial even if no field containing 𝐿 is given.

* 10. (a) Let 𝜗 be an algebraic number and 𝐾 ≠ 0 an ideal in 𝐼(𝜗). Show that the factor
ring 𝐼(𝜗)/𝐾 has finitely many elements.
(b) Verify that in 𝐼(𝜗) there is no infinite strictly increasing chain of ideals

𝐴1 ⊂ 𝐴2 ⊂ ⋯ ⊂ 𝐴𝑗 ⊂ . . . .

(c) Prove that every ideal in 𝐼(𝜗) is finitely generated.

Remark: We sharpen this result in Theorem 11.5.9 by proving that every ideal
in 𝐼(𝜗) can be generated by at most two elements.
11.2. Elementary Connections to Number Theory 347

11.2. Elementary Connections to Number Theory

In this section, we discuss how ideals are related to divisibility, units, and greatest com-
mon divisor.
Divisibility and units can be defined in any integral domain 𝑅 with identity the
usual way (as in Definitions 1.1.1 and 1.1.2), and the elementary properties listed in
Theorems 1.1.4 and 1.1.5 are valid in general, too.
We show first that divisibility and the role of units can be described simply using
principal ideals.
Theorem 11.2.1. In any integral domain 𝑅 with identity,
(i) 𝑎 ∣ 𝑏 ⟺ 𝑏 ∈ (𝑎) ⟺ (𝑏) ⊆ (𝑎)
(ii) 𝑎 and 𝑏 are associates if and only if (𝑎) = (𝑏). ♣

Proof. Using the definition of principal ideals, we can rewrite the three conditions in
(i) as
𝑎 is a divisor of 𝑏
𝑏 occurs among the multiples of 𝑎
all multiples of 𝑏 occur among the multiples of 𝑎,
so the three conditions are equivalent.
(ii) (𝑎) = (𝑏) means by part (i) that both 𝑎 ∣ 𝑏 and 𝑏 ∣ 𝑎 hold, or equivalently, that
𝑎 and 𝑏 are associates (see Theorem 1.1.5/(iii)). □

Now we turn to the connection of ideals to the greatest common divisor.

The greatest common divisor is a common divisor that is a multiple of all common
divisors according to Definitions 1.3.2 or 7.4.9.
In the rings of integers, Gaussian integers, or Eulerian integers, any two elements
have a greatest common divisor as guaranteed by the Euclidean algorithm.
Two elements can have a gcd even if there is no division algorithm in the ring. For
example, the polynomials with integer coefficients form such a ring. (We shall return
to this problem later.)
There are, however, rings where two elements do not necessarily possess a gcd,
e.g. 2 + 2√−5 and 6 have no greatest common divisor in the ring 𝐼(√−5) (see Exer-
cise 11.2.4).
It is true in any ring 𝑅 that if two elements have a gcd, then it is unique up to
associates; this follows from the definition of the greatest common divisor.
The greatest common divisor of two elements is closely related to the ideal gener-
ated by them. To avoid ambiguity in notation, the greatest common divisor of 𝑎 and 𝑏
will be denoted in this chapter by gcd{𝑎, 𝑏}, whereas (𝑎, 𝑏) stands for ideal generated
by 𝑎 and 𝑏.
Consider first the ring of integers. Here the ideal (6, 15) is the set of numbers 6𝑢 +
15𝑣, where 𝑢 and 𝑣 are arbitrary integers. By Theorem 1.3.6 about the solvability of
linear Diophantine equations, this set is equal to the set of all multiples of gcd{6, 15} = 3
348 11. Ideals

which set is just the principal ideal (3). It is true in general among the integers that if
𝑑 = gcd{𝑎, 𝑏}, then (𝑎, 𝑏) = (𝑑). In an arbitrary ring, the situation is slightly more
complicated.

Theorem 11.2.2. Let 𝑅 be an arbitrary integral domain with identity.

(i) If (𝑎, 𝑏) = (𝑑), then 𝑑 = gcd{𝑎, 𝑏}.
(ii) 𝑑 = gcd{𝑎, 𝑏} implies (𝑎, 𝑏) ⊆ (𝑑), but (𝑎, 𝑏) ≠ (𝑑) in general.
(iii) (𝑎, 𝑏) = (𝑑) if and only if 𝑑 = gcd{𝑎, 𝑏} and 𝑑 = 𝑎𝑢 + 𝑏𝑣 with suitable 𝑢, 𝑣 ∈ 𝑅. ♣

Proof. (i) From (𝑎, 𝑏) = (𝑑) we have 𝑎 ∈ (𝑎, 𝑏) = (𝑑), so 𝑑 ∣ 𝑎, and similarly 𝑑 ∣ 𝑏, so
𝑑 is a common divisor of 𝑎 and 𝑏.
Let now 𝑐 be an arbitrary common divisor, so 𝑐 ∣ 𝑎 and 𝑐 ∣ 𝑏. By Theorem 11.2.1,
𝑎 ∈ (𝑐) and 𝑏 ∈ (𝑐). Since (𝑎, 𝑏) is the smallest ideal containing 𝑎 and 𝑏, (𝑑) = (𝑎, 𝑏) ⊆
(𝑐), so, using Theorem 11.2.1 again, 𝑐 ∣ 𝑑.
(ii) If 𝑑 = gcd{𝑎, 𝑏}, then 𝑑 ∣ 𝑎 and 𝑑 ∣ 𝑏. This means that 𝑎 and 𝑏 are in the ideal
(𝑑), hence (𝑑) must be at least as large as the smallest ideal containing 𝑎 and 𝑏. So
(𝑎, 𝑏) ⊆ (𝑑).
The next example shows that equality does not necessarily hold. Among the poly-
nomials with integer coefficients, the greatest common divisor of 2 and 𝑥 is 1, but
(2, 𝑥) ≠ (1). We saw in the previous section that (2, 𝑥) is not even a principal ideal.
We shall give another type of counterexample in Exercise 11.2.4c.
(iii) If (𝑎, 𝑏) = (𝑑), then 𝑑 = gcd{𝑎, 𝑏} as was proved in (i) and we have 𝑑 ∈ (𝑎, 𝑏),
so 𝑑 = 𝑎𝑢 + 𝑏𝑣 with suitable elements of 𝑅, by definition.
For the converse, we assume 𝑑 = gcd{𝑎, 𝑏} and 𝑑 = 𝑎𝑢 + 𝑏𝑣. The first condition
implies (𝑎, 𝑏) ⊆ (𝑑) by (ii), the second condition means 𝑑 ∈ (𝑎, 𝑏), so (𝑑) ⊆ (𝑎, 𝑏), so
(𝑎, 𝑏) = (𝑑). □

Remark: There are many rings where Theorem 11.2.2 can be reduced to
(11.2.1) 𝑑 = gcd{𝑎, 𝑏} ⟺ (𝑎, 𝑏) = (𝑑).
For example, the ring of integers has this property, as we sketched before stating the
theorem. Similar considerations show that (11.2.1) holds in every ring with a division
algorithm.

As mentioned earlier, ideals appeared first in Kummer’s investigations of Fermat’s

Last Theorem. To understand the situation, consider Fermat’s equation
(11.2.2) 𝑥𝑝 + 𝑦𝑝 = 𝑧 𝑝
for a prime 𝑝 > 2. The factorization
𝑝−1
2𝜋 2𝜋
(11.2.3) 𝑥𝑝 + 𝑦𝑝 = ∏(𝑥 + 𝑦𝜚𝑗 ), 𝜚 = cos( ) + 𝑖 sin( )
𝑗=0
𝑝 𝑝

shows that (11.2.2) is closely related to the number theory of the ring 𝐼(𝜚).
11.2. Elementary Connections to Number Theory 349

Combining (11.2.2) and (11.2.3), we get

𝑝−1
(11.2.4) ∏(𝑥 + 𝑦𝜚𝑗 ) = 𝑧𝑝 .
𝑗=0

The product on the left-hand side is a 𝑝th power. We might try the tactics successful
many times earlier to show that each factor is itself a 𝑝th power in 𝐼(𝜚), and use the
𝑝
resulting 𝑝 equations 𝑥 + 𝑦𝜚𝑗 = 𝛼𝑗 to arrive at a contradiction (assuming a non-trivial
solution 𝑥, 𝑦, 𝑧).
We know in the integers that if the factors of a product are pairwise coprime and
the product is a 𝑝th power, then each factor is an associate of a 𝑝th power. The same
holds for Gaussian or Eulerian integers, and in general, in every ring where the Fun-
damental Theorem of Arithmetic is valid. However, this is no longer true in the lack
of the Fundamental Theorem: 32 = (2 + √−5)(2 − √−5) in 𝐼(√−5), and though the
factors on the right-hand side are coprime, they are not associates of squares (in fact,
they are irreducible).
Thus, our attempt above to prove Fermat’s Last Theorem can be promising only
if the Fundamental Theorem of Arithmetic is true in 𝐼(𝜚). It can be shown, however,
that this is not the case for 𝑝 > 19, and so other approaches have to be applied.
We mention as a historical curiosity that Lamé, a member of the French Academy,
gave an erroneous proof in 1847 of Fermat’s Last Theorem along the lines of the argu-
ment above, taking the Fundamental Theorem for granted for 𝐼(𝜚). (It is conceivable
that Fermat’s “wonderful proof”—if it existed at all—was based on a similar mistake.)
It was Liouville, who pointed out the gap in Lamé’s argument (at that time Liouville
was not yet aware in which cases the Fundamental Theorem holds). Lamé made an-
other mistake by not considering that even if the factors on the left-hand side of (11.2.4)
are pairwise coprime and the Fundamental Theorem is true, we cannot infer that they
are necessarily 𝑝th powers, only that they are associates of 𝑝th powers. And since there
are infinitely many units in 𝐼(𝜚) for 𝑝 > 3, this minor inattentiveness causes another
hardly repairable gap in Lamé’s argument.
At roughly the same time, the German Kummer followed a similar path, but he
realized the importance of the Fundamental Theorem in 𝐼(𝜚), and observed that it does
not always hold. He knew also that if any two elements have a greatest common divisor,
then one can deduce the Fundamental Theorem easily. This gave him the idea to adjoin
ideal numbers to the rings 𝐼(𝜚) where the Fundamental Theorem was false: these were
intended to make up the missing greatest common divisors in 𝐼(𝜚). Kummer hoped
that any two elements will have a gcd in this enlarged set and also the Fundamental
Theorem will hold.
Kummer based the construction of ideal numbers on the following property of
the greatest common divisor. We know in the integers that if gcd{𝑎, 𝑏} = 𝑑, then the
multiples of 𝑑 are just the numbers of the form 𝑎𝑢 + 𝑏𝑣, and as we indicated, the same
applies also for every 𝐼(𝜗). Thus, Kummer defined the ideal number belonging to a
fixed pair 𝛼 and 𝛽 as the set of numbers

{ 𝛼𝜉 + 𝛽𝜓 ∣ 𝜉, 𝜓 ∈ 𝐼(𝜗) }.
350 11. Ideals

In modern terminology, this is just the ideal (𝛼, 𝛽) generated by 𝛼 and 𝛽. If 𝛼 and 𝛽 have
a greatest common divisor 𝛿, then this set is the multiples of 𝛿, and so we can identify
it with 𝛿. If, however, gcd{𝛼, 𝛽} does not exist, then this ideal number can compensate
the lack of the greatest common divisor. Then Kummer built number theory among
the ideal numbers (i.e. ideals), and achieved significant progress concerning Fermat’s
Last Theorem. (We shall discuss number theory for ideals in Section 11.4.)

Exercises 11.2

1. Verify that the following subsets form a principal ideal in the ring of integers, and
exhibit a generating element for each of them.
(a) (30, 50, 75)
(b) (20) ∩ (30).
2. Consider the ring 𝐺 of Gaussian integers.
(a) In how many ways can we generate a given non-zero principal ideal with a
single element?
(b) How many principal ideals contain 22 + 6𝑖?
3. Let 𝑅 be an integral domain with identity and 𝑎, 𝑏 ∈ 𝑅. Demonstrate
𝑎 + 𝑏 ∈ (𝑎) ∩ (𝑏) ⟺ (𝑎) = (𝑏).

4. Consider the ring 𝐼(√−5).

(a) Show that 2 + 2√−5 and 6 have no greatest common divisor.
(b) Find all principal ideals containing the ideal (2 + 2√−5, 6).
(c) Exhibit an example where 𝛼 and 𝛽 have a greatest common divisor 𝛿, but
(𝛼, 𝛽) ≠ (𝛿).

11.3. Unique Factorization, Principal Ideal Domains, and Euclidean

Rings
This section is devoted to the Fundamental Theorem of Arithmetic.
The notions of irreducible and prime elements are defined in an arbitrary integral
domain 𝑅 with identity exactly as in the rings discussed earlier (see Definitions 1.4.1
and 1.4.2 for integers, or Definitions 7.4.10 and 7.4.11 for Gaussian integers).
Saying that the Fundamental Theorem of Arithmetic (or unique prime factoriza-
tion) holds in 𝑅 has the usual meaning that every element in 𝑅 different from 0 and
units is the product of finitely many irreducible elements, and this decomposition is
unique apart from associates and the order of factors (see e.g. Theorem 1.5.1).
As we have pointed out several times, one of the crucial questions of number the-
oretic investigations is (also from the point of view of applications) whether the Fun-
damental Theorem in a ring is true or false. Nearly every part of number theory for
integers uses the Fundamental Theorem in 𝐙. In handling the Diophantine equations
11.3. Unique Factorization, Principal Ideal Domains, and Euclidean Rings 351

𝑥2 + 𝑦2 = 𝑛 and 𝑥3 + 𝑦3 = 𝑧3 , we applied the Fundamental Theorem for Gaussian and

Eulerian integers. In Section 11.2 we indicated that the proof of Fermat’s Last Theorem
would have been much easier if the Fundamental Theorem were true for algebraic in-
tegers in certain algebraic number fields. The Fundamental Theorem for polynomials
with rational coefficients played an important role in the theory of algebraic numbers.
Below, we establish first a necessary and sufficient condition for the validity of the
Fundamental Theorem in a ring (Theorem 11.3.1). Then we demonstrate that the divi-
sion algorithm always implies the Fundamental Theorem. The proof will be somewhat
different from those seen for integers, Gaussian integers, etc.: We deduce from the di-
vision algorithm that every ideal is a principal ideal (Theorem 11.3.5) and show that
the Fundamental Theorem holds in rings with this property (Theorem 11.3.3).
In the proofs, several parts will be literally identical to the arguments seen for the
integers, so we shall just refer to them without repeating them in detail.
Before turning to the general theorems, we say a few words about the relation be-
tween irreducible and prime elements. In formulating the Fundamental Theorem, we
use only the naturally occurring notion of irreducible and we do not need the notion
of prime at all. The validity of the Fundamental Theorem, however, depends strongly
on the relation of primes and irreducibles.
A prime must be irreducible in every integral domain 𝑅 with identity, as we can
see from the first part of the proof for Theorem 1.4.3. The converse is false, however,
e.g. in 𝐼(√−5), where the Fundamental Theorem does not hold, the number 2 is irre-
ducible, but is not a prime. On the other hand, every irreducible is a prime in the rings
of integers, Gaussian integers, and Eulerian integers, and this was a decisive step in
proving uniqueness in the Fundamental Theorem. The result below shows that in the
general case, one of the essential conditions for the Fundamental Theorem to be true
is that every irreducible is a prime.
Theorem 11.3.1. The Fundamental Theorem of Arithmetic holds in an integral domain
𝑅 with identity if and only if
(i) a strictly increasing sequence
(𝑎1 ) ⊂ (𝑎2 ) ⊂ ⋯ ⊂ (𝑎𝑗 ) ⊂ . . .
of ideals cannot be infinite,
(ii) every irreducible element is a prime. ♣

Proof. We prove first the sufficiency of conditions (i) and (ii).

Uniqueness follows from (ii) exactly as in the first proof of uniqueness in Theo-
rem 1.5.1.
We shall use (i) to establish decomposability. Let 𝑎 be an arbitrary element in 𝑅
different from 0 and units. First we show that 𝑎 has an irreducible divisor.
If 𝑎 is irreducible, we are done. Otherwise, 𝑎 = 𝑎1 𝑏1 , where neither of 𝑎1 and 𝑏1 is
a unit. Then (𝑎) ⊂ (𝑎1 ) by Theorem 11.2.1 with strict containment, as 𝑏1 is not a unit.
If 𝑎1 is irreducible, then it is an irreducible divisor of 𝑎. Otherwise, 𝑎1 = 𝑎2 𝑏2 ,
where neither of 𝑎2 and 𝑏2 is a unit. Then (𝑎1 ) ⊂ (𝑎2 ) with strict containment.
352 11. Ideals

We show that continuing the procedure, some 𝑎𝑖 is necessarily irreducible. If this

were not the case, then
(𝑎) ⊂ (𝑎1 ) ⊂ ⋯ ⊂ (𝑎𝑗 ) ⊂ . . .
would be an infinite strictly ascending chain of principal ideals, contradicting thus (i).
Thus we have proved that 𝑎 has an irreducible divisor.
Now we show that 𝑎 can be written as a product of irreducible elements. If 𝑎 is
irreducible, then we are done. Otherwise, 𝑎 = 𝑝1 𝑐 1 , where 𝑝1 is irreducible and 𝑐 1 is
not a unit. Since 𝑝1 is not a unit either, (𝑎) ⊂ (𝑐 1 ) (with strict containment).
If 𝑐 1 is irreducible, then both factors in 𝑎 = 𝑝1 𝑐 1 are irreducible and we are done.
Otherwise, 𝑐 1 = 𝑝2 𝑐 2 , where 𝑝2 is irreducible and 𝑐 2 is not a unit. Thus (𝑐 1 ) ⊂ (𝑐 2 )
(with strict containment).
Continuing the procedure, some 𝑐 𝑖 is necessarily a unit, since otherwise the infinite
strictly ascending chain
(𝑎) ⊂ (𝑐 1 ) ⊂ ⋯ ⊂ (𝑐𝑗 ) ⊂ . . .
contradicts (i). This means that we arrived at a decomposition of 𝑎 into the product of
irreducible elements.
Turning to necessity, assume that the Fundamental Theorem holds in 𝑅. We can
prove (ii) exactly as in the solution of Exercise 1.5.8.
To prove (i) by contradiction, assume the existence of an infinite strictly increasing
chain
(𝑎1 ) ⊂ (𝑎2 ) ⊂ ⋯ ⊂ (𝑎𝑗 ) ⊂ . . .
of principal ideals. Here 𝑎2 ≠ 0, and 𝑎3 , 𝑎4 , . . . are infinitely many pairwise non-
associate divisors of 𝑎2 . But this is impossible, since if 𝑎2 = 𝑝1 . . . 𝑝 𝑘 where every 𝑝 𝑖 is
irreducible, then the Fundamental Theorem implies that every divisor of 𝑎2 is either a
unit or an associate of the product of some factors 𝑝 𝑖 (and if 𝑎2 is a unit, then so are all
its divisors, too). □

Remark: We saw several examples where the uniqueness part of the Fundamental The-
orem was false (see Theorems 10.3.5 and 10.3.6, and the paragraphs about Fermat’s Last
Theorem in Section 11.2). But we can easily find a ring where there is a problem with
decomposability: there are no irreducible elements at all in the ring 𝑈 of all algebraic
integers (see Exercise 11.3.1), so no element can be written as a product of irreducible
elements.

Now we show that if every ideal in 𝑅 is a principal ideal, then the Fundamental
Theorem of Arithmetic is valid in 𝑅.
Definition 11.3.2. An integral domain 𝑅 with identity is a principal ideal domain, if
every ideal in 𝑅 is a principal ideal. ♣
Theorem 11.3.3. The Fundamental Theorem of Arithmetic is true in every principal
ideal domain. ♣

Proof. We verify that a principal ideal domain satisfies conditions (i) and (ii) of The-
orem 11.3.1.
11.3. Unique Factorization, Principal Ideal Domains, and Euclidean Rings 353

(i) To achieve a contradiction, assume the existence of an infinite strictly increasing

chain
(𝑎1 ) ⊂ (𝑎2 ) ⊂ ⋯ ⊂ (𝑎𝑗 ) ⊂ . . .
∞
of principal ideals. A calculation shows that 𝐴 = ⋃𝑗=1 (𝑎𝑗 ) is an ideal (see Exer-
cise 11.3.4). As 𝑅 is a principal ideal domain, 𝐴 is a principal ideal, 𝐴 = (𝑏). Then
∞
𝑏∈𝐴= (𝑎 ),
⋃ 𝑗
𝑗=1

so 𝑏 ∈ (𝑎𝑘 ), and (𝑏) ⊆ (𝑎𝑘 ) for some 𝑘. Thus

∞
𝐴 = (𝑏) ⊆ (𝑎𝑘 ) ⊂ (𝑎𝑘+1 ) ⊂ (𝑎𝑗 ) = 𝐴,
⋃
𝑗=1

a contradiction.
(ii) We verify that any two elements 𝑎 and 𝑏 have a greatest common divisor.
Since (𝑎, 𝑏) is a principal ideal, we know (𝑎, 𝑏) = (𝑑) and Theorem 11.2.2 implies
𝑑 = gcd{𝑎, 𝑏}.
The existence of a greatest common divisor yields (ii): see the proof for Theo-
rem 1.3.4 given in the solution of Exercise 1.3.11, the proof of Theorem 1.3.9, and fi-
nally, part II in the proof of Theorem 1.4.3. □
Remarks: (1) There exist rings that are not principal ideal domains, but for which the
Fundamental Theorem still holds, the simplest example being 𝐙[𝑥]. On the one
hand, we saw in Section 11.1 that (2, 𝑥) is not a principal ideal in 𝐙[𝑥]. On the
other hand, the Fundamental Theorems in 𝐙 and in 𝐐[𝑥] imply its validity also in
𝐙[𝑥]: It follows from a basic lemma of Gauss used in the proof of Theorem 9.6.2
that a polynomial 𝑓 is irreducible over 𝐙 if and only if 𝑓 is either a constant that
is a prime number, or the coefficients of 𝑓 are coprime (not necessarily pairwise)
and 𝑓 is irreducible over 𝐐.
(2) Among the algebraic number fields, the principal ideal domains are exactly the
same as the ones where the Fundamental Theorem holds: A ring 𝐼(𝜗) is a princi-
ple ideal domain if and only if the Fundamental Theorem is true in it (see Exer-
cise 11.3.9b).

We turn to the general formulation of the division algorithm and prove that if
there is a division algorithm in 𝑅, then 𝑅 is a principal ideal domain, and so (by Theo-
rem 11.3.3,) the Fundamental Theorem of Arithmetic is true in 𝑅.
Definition 11.3.4. An integral domain 𝑅 with identity is a Euclidean ring, if we can
assign to every 𝑐 ∈ 𝑅 a non-negative integer 𝑓(𝑐) such that 𝑓(𝑐) = 0 ⟺ 𝑐 = 0 and to
every 𝑎, 𝑏 ∈ 𝑅, 𝑏 ≠ 0 there exist 𝑞, 𝑟 ∈ 𝑅 satisfying
(11.3.1) 𝑎 = 𝑏𝑞 + 𝑟 and 𝑓(𝑟) < 𝑓(𝑏). ♣
Remarks: (1) An equivalent definition of Euclidean rings is if we assign only to the
non-zero elements 𝑐 ∈ 𝑅 a non-negative integer 𝑓(𝑐), and in (11.3.1) we allow the
possibility that 𝑟 = 0 (besides 𝑓(𝑟) < 𝑓(𝑏)).
354 11. Ideals

(2) We do not have to assume in Definition 11.3.4 that 𝑅 has an identity because this
follows from the division algorithm (see Exercise 11.3.6).

(3) We investigated several rings with a division algorithm earlier; see most examples
below. In them, the function 𝑓 had further useful properties, such as 𝑓(𝑎𝑏) =
𝑓(𝑎)𝑓(𝑏) or at least 𝑓(𝑎) ≤ 𝑓(𝑎𝑏). However, we do not have to require such prop-
erties in the definition of Euclidean rings.

Examples. E1 For the integers, we can choose 𝑓(𝑐) = |𝑐|, i.e. we will have |𝑟| < |𝑏|.
We note that in this case, the quotient and the remainder are generally not unique,
as for 𝑎 = 33 and 𝑏 = 5, we can satisfy (11.3.1) in two ways:

33 = 6 ⋅ 5 + 3 = 7 ⋅ 5 + (−2).

In Theorems 1.2.1 and 1.2.1A, we required the stronger conditions 0 ≤ 𝑟 < |𝑏| and
−|𝑏|/2 < 𝑟 ≤ |𝑏|/2, instead of |𝑟| < |𝑏|, to guarantee the uniqueness of quotient
and remainder. This uniqueness, however, has no impact on the proof of the
Fundamental Theorem.

E2 For Gaussian or Eulerian integers, we can take 𝑓(𝑐) = 𝑁(𝑐). (We saw during the
proof of Theorem 7.4.8 that the quotient and the remainder are not unique in
general.)

E3 In 𝐼(√2), we may choose 𝑓(𝑐) = |𝑁(𝑐)|.

E4 In a polynomial ring over a field, we can perform a division algorithm with respect
to the degree. To satisfy Definition 11.3.4 formally, we define 𝑓(0) = 0 and 𝑓(𝑐) =
1 + deg 𝑐 for 𝑐 ≠ 0.

E5 Finite decimal fractions form a Euclidean ring, see Exercise 1.5.5c.

Theorem 11.3.5. If 𝑅 is a Euclidean ring, then 𝑅 is a principal ideal domain. ♣

Proof. We have to verify that every ideal 𝐼 of 𝑅 is a principal ideal.

If the only element in 𝐼 is 0, then 𝐼 = (0). Otherwise, consider the values 𝑓(𝑐) of the
non-zero elements of 𝐼. They are positive integers, so there must be a smallest among
them, let it be 𝑓(𝑏) (here 𝑏 is not unique in general). We prove 𝐼 = (𝑏).
As 𝑏 ∈ 𝐼, (𝑏) ⊆ 𝐼. Conversely, let 𝑎 be an element in 𝐼. We have to show 𝑎 ∈ (𝑏),
i.e. 𝑏 ∣ 𝑎.
We apply the division algorithm for 𝑎 and 𝑏: there exist 𝑞, 𝑟 ∈ 𝑅 satisfying (11.3.1).
Since 𝑎, 𝑏 ∈ 𝐼 and 𝐼 is an ideal, so 𝑟 = 𝑎 − 𝑏𝑞 ∈ 𝐼. Further, 𝑓(𝑏) was minimal and
𝑓(𝑟) < 𝑓(𝑏), hence only 𝑟 = 0 is possible and 𝑏 ∣ 𝑎. □

Remark: The converse of Theorem 11.3.5 is false as there exist principal ideal domains
which are not Euclidean rings. Some examples are

(11.3.2) 𝐼(√−19), 𝐼(√−43), 𝐼(√−67), and 𝐼(√−163)

(see Exercise 11.3.10).

Exercises 11.3 355

In general, it is difficult to determine whether or not a ring 𝑅 is Euclidean. Of

course, if we find a suitable 𝑓, then 𝑅 is Euclidean, and if the Fundamental Theorem
of Arithmetic is false in 𝑅 or 𝑅 is not a principal ideal domain, then it follows from
Theorems 11.3.3 and 11.3.5 that 𝑅 cannot be Euclidean either. However, we have ba-
sically no tools to show that some principal ideal domain is not a Euclidean ring. It is
not enough to verify that some given or naturally arising function 𝑓 does not meet the
requirements in Definition 11.3.4, but we have to do that for every posssible 𝑓.
Let us take a closer look at the rings of algebraic integers in algebraic number fields.
In Remark 2 after Theorem 11.3.3, we indicated that if the Fundamental Theorem holds
in 𝐼(𝜗), then 𝐼(𝜗) is a principal ideal domain (see Exercise 11.3.9b). As to the division
algorithm, we performed it in the previously discussed cases (Gaussian or Eulerian in-
tegers, 𝐼(√2), etc.) with respect to the absolute value of the norm. There were some
rings 𝐼(𝜗) where this failed though the Fundamental Theorem was true (see Theo-
rem 10.3.6). However, we cannot exclude the possibility that there still is a division
algorithm with respect to some other function 𝑓. Our present (lack of) knowledge is
slightly paradoxical:
(A) Some deep conjectures make probable that apart from the imaginary quadratic
fields, every 𝐼(𝜗) where the Fundamental Theorem holds is Euclidean, so it sat-
isfies Definition 11.3.4 for some function 𝑓 (even if |𝑁(𝛼)| is not suitable for this
purpose).
(B) For a long time, however, no ring 𝐼(𝜗) was known where the Fundamental The-
orem is true, the ring is not Euclidean with respect to the absolute value of the
norm, but there exists some other division algorithm. The first such proven ex-
ample was 𝐼(√69) in 1994, which opened new horizons: today we know that apart
from at most 2(!) exceptions, all real quadratic fields with unique factorization are
Euclidean.
For imaginary quadratic fields, it can be shown that if 𝐼(𝜗) is Euclidean, then the di-
vision algorithm can be performed with respect to |𝑁(𝛼)| (see Exercise 11.3.10). Thus
Theorem 10.3.6 implies that the four examples listed in (11.3.2) are principal ideal do-
mains but are not Euclidean rings.

Exercises 11.3

1. Let 𝑈 be the ring of all algebraic integers.

(a) Characterize the units in 𝑈 with the help of their minimal polynomials.
(b) Show that there are no irreducible elements in 𝑈, thus the Fundamental The-
orem of Arithmetic is false.
2. We can perform number theoretic investigations also in a (commutative) field 𝐹
(but it does not makes much sense, as we see below).
(a) Which 𝑎, 𝑏 ∈ 𝐹 satisfy 𝑎 ∣ 𝑏?
(b) Determine the units, irreducible, and prime elements in 𝐹.
 356 11. Ideals

(c) Show that the Fundamental Theorem of Arithmetic is true in 𝐹, that 𝐹 is a

principal ideal domain, and is a Euclidean ring.

3. Let 𝑊 be the set of rational numbers with odd denominators.

(a) Verify that that there is just one irreducible element in 𝑊 apart from asso-
ciates.
(b) If we try to adapt the argument for proving the existence of infinitely many
prime numbers in the integers (see Theorem 5.1.1), why does it not work in
𝑊?
(c) Show that 𝑊 is a Euclidean ring.
(d) Determine all ideals in 𝑊.
∞
4. Let 𝐼1 ⊆ 𝐼2 ⊆ . . . be arbitrary ideals in a ring 𝑅. Demonstrate that also ⋃𝑗=1 𝐼𝑗 is
an ideal in 𝑅.

S 5. Let 𝑅 be an integral domain with identity. Prove that the polynomial ring 𝑅[𝑥] is a
principal ideal domain if and only if 𝑅 is a field.

6. Show that there is no need to require in Definition 11.3.4 of Euclidean rings that 𝑅
has an identity, since this follows from the other conditions.

7. Let 𝑅 be a Euclidean ring, 𝑓 a function meeting the requirements in Definition

11.3.4, and 𝑘 the minimal positive value of 𝑓. True or false?

(a) If 𝑓(𝑐) = 𝑘, then 𝑐 is a unit.

(b) If 𝑐 is a unit, then 𝑓(𝑐) = 𝑘.

8. Verify that in the integers, the division algorithm can be performed not only with
respect to the absolute value, but also using the following function 𝑓:

1 + ⌊log2 |𝑐|⌋, if 𝑐 ≠ 0
𝑓(𝑐) = {
0, if 𝑐 = 0,
so

𝑓(0) = 0, 𝑓(±1) = 1, 𝑓(±2) = 𝑓(±3) = 2,

𝑓(±4) = 𝑓(±5) = 𝑓(±6) = 𝑓(±7) = 3, . . . .

9. S* (a) Assume that the Fundamental Theorem of Arithmetic holds in an integral

domain 𝑅 with identity and the factor ring 𝑅/𝐼 has finitely many elements
for every ideal 𝐼 ≠ 0. Prove that 𝑅 is a principal ideal domain.
(b) Verify that if 𝜗 is an algebraic number and the Fundamental Theorem of
Arithmetic holds in 𝐼(𝜗), then 𝐼(𝜗) is a principal ideal domain.

S* 10. Let 𝑡 be a negative squarefree integer. Show that the algebraic integers of the imag-
inary quadratic field 𝐐(√𝑡) form a Euclidean ring if and only if 𝑡 = −1, −2, −3,
−7, or −11.
11.4. Divisibility of Ideals 357

11.4. Divisibility of Ideals

In this section we define a multiplication for ideals in an integral domain 𝑅 with iden-
tity. This makes it possible to introduce divisibility of ideals and to study the greatest
common divisor, irreducible ideals, and prime ideals.
By developing number theory for ideals, our main goal is to get further information
about the rings 𝐼(𝜗). Therefore, when introducing the notions, we shall require further
restrictions that are satisfied by the ideals in 𝐼(𝜗), but do not hold in every ring 𝑅.
Definition 11.4.1. Let 𝐴 and 𝐵 be two ideals in an integral domain 𝑅 with identity.
We define the product of 𝐴 and 𝐵 by
𝑛
(11.4.1) 𝐴𝐵 = { ∑ 𝑎𝑖 𝑏𝑖 ∣ 𝑛 = 1, 2, . . . , 𝑎𝑖 ∈ 𝐴, 𝑏𝑖 ∈ 𝐵, 𝑖 = 1, . . . , 𝑛 } . ♣
𝑖=1

Thus the product of two ideals is the set of all possible sums (of arbitrarily many
terms) of products where the factors are taken from 𝐴 and 𝐵.
We summarize some important properties of multiplication of ideals in
Theorem 11.4.2. (i) The product 𝐴𝐵 of ideals 𝐴 and 𝐵 is the smallest ideal containing
all elements 𝑎𝑏, where 𝑎 ∈ 𝐴 and 𝑏 ∈ 𝐵.
(ii) The product of finitely generated ideals is finitely generated, as well.
(iii) The product of principal ideals is a principal ideal.
(iv) 𝐴𝐵 ⊆ 𝐴 ∩ 𝐵.
(v) The multiplication of ideals in a ring 𝑅 is a commutative and associative operation,
with identity element (1) = 𝑅:
(11.4.2) 𝐴𝐵 = 𝐵𝐴, (𝐴𝐵)𝐶 = 𝐴(𝐵𝐶), (1)𝐴 = 𝐴(1) = 𝐴.
Only the identity has an inverse and
𝐴𝐵 = (0) ⟺ 𝐴 = (0) or 𝐵 = (0). ♣

Proof. (i) We have to verify that

(a) 𝐴𝐵 is an ideal
(b) 𝑎 ∈ 𝐴, 𝑏 ∈ 𝐵 ⟹ 𝑎𝑏 ∈ 𝐴𝐵
(c) if an ideal 𝐼 contains all elements 𝑎𝑏, where 𝑎 ∈ 𝐴, 𝑏 ∈ 𝐵, then 𝐴𝐵 ⊆ 𝐼.
(a) We show that 𝐴𝐵 satisfies Definition 11.1.1. The elements of 𝐴𝐵 are of the form
𝑛
𝑢 = ∑𝑖=1 𝑎𝑖 𝑏𝑖 . The sum of two such elements has the same form. The negative
𝑛 𝑛
−𝑢 = − ∑ 𝑎𝑖 𝑏𝑖 = ∑ (−𝑎𝑖 )𝑏𝑖 ∈ 𝐴𝐵,
𝑖=1 𝑖=1

since −𝑎𝑖 ∈ 𝐴 as 𝐴 is an ideal. Similarly, for any 𝑟 ∈ 𝑅,

𝑛 𝑛
𝑢𝑟 = 𝑟𝑢 = 𝑟 ∑ 𝑎𝑖 𝑏𝑖 = ∑ (𝑟𝑎𝑖 )𝑏𝑖 ∈ 𝐴𝐵,
𝑖=1 𝑖=1
since 𝑟𝑎𝑖 ∈ 𝐴 because 𝐴 is an ideal.
358 11. Ideals

(b) For 𝑛 = 1, we get just the elements 𝑎𝑏 in (11.4.1).

(c) If an ideal 𝐼 contains the elements 𝑎𝑖 𝑏𝑖 , then the ideal property implies that 𝐼
𝑛
must contain also their sum, so every ∑𝑖=1 𝑎𝑖 𝑏𝑖 ∈ 𝐴𝐵 and 𝐴𝐵 ⊆ 𝐼.
(ii) We show that if
𝐴 = (𝛼1 , . . . , 𝛼𝑘 ) and 𝐵 = (𝛽1 , . . . , 𝛽𝑚 )
then
𝐴𝐵 = (𝛼1 𝛽1 , 𝛼1 𝛽2 , . . . , 𝛼𝑖 𝛽𝑗 , . . . , 𝛼𝑘 𝛽𝑚 ),
so the products of the generator elements of 𝐴 and 𝐵 form a (possible) generating sys-
tem of 𝐴𝐵.
The products 𝛼𝑖 𝛽𝑗 are in 𝐴𝐵 by definition, so the ideal generated by them is a subset
of 𝐴𝐵.
For the reverse containment, it is sufficient by (i) to verify that every 𝑎𝑏 with 𝑎 ∈ 𝐴,
𝑏 ∈ 𝐵 lies in the ideal generated by the elements 𝛼𝑖 𝛽𝑗 . This means that 𝑎𝑏 can be
expressed as a combination of the elements 𝛼𝑖 𝛽𝑗 with coefficients from 𝑅. This holds
as for suitable 𝑟 𝑖 , 𝑠𝑗 ∈ 𝑅, we have
𝑘 𝑚 𝑘 𝑚
𝑎𝑏 = ( ∑ 𝑟 𝑖 𝛼𝑖 )( ∑ 𝑠𝑗 𝛽𝑗 ) = ∑ ∑ (𝑟 𝑖 𝑠𝑗 )(𝛼𝑖 𝛽𝑗 ).
𝑖=1 𝑗=1 𝑖=1 𝑗=1

(iii) Applying the proof of (ii) for the special case 𝑘 = 𝑚 = 1, we get (𝛼)(𝛽) = (𝛼𝛽).
𝑛
(iv) Since 𝐴 is an ideal, 𝑎𝑖 𝑏𝑖 ∈ 𝐴 for any 𝑎𝑖 ∈ 𝐴 and 𝑏𝑖 ∈ 𝐵, and thus ∑𝑖=1 𝑎𝑖 𝑏𝑖 ∈ 𝐴,
so 𝐴𝐵 ⊆ 𝐴. We get 𝐴𝐵 ⊆ 𝐵 similarly.
(v) The properties in (11.4.2) follow immediately from the definition of multipli-
cation of ideals and from the ring properties of 𝑅.
The inverse of the identity 𝑅 = (1) is itself. Conversely, if the ideal 𝐼 has an inverse,
so 𝐽𝐼 = 𝑅 for some ideal 𝐽, then 𝑅 ⊆ 𝐼 by (iv) and so 𝐼 = 𝑅.
If 𝐴 = (0) or 𝐵 = (0), then every sum in the definition of 𝐴𝐵 is 0, thus 𝐴𝐵 = (0).
If, however, there exist non-zero elements 𝑎 ∈ 𝐴 and 𝑏 ∈ 𝐵, then 𝑎𝑏 ≠ 0 since 𝑅 is free
of zero divisors. As 𝑎𝑏 ∈ 𝐴𝐵, 𝐴𝐵 ≠ (0). □
Remarks: (1) The products 𝑎𝑏 with 𝑎 ∈ 𝐴 and 𝑏 ∈ 𝐵 do not form an ideal in general
(see Exercise 11.4.1a). This is the reason why we had to take sums of such products
in the definition of 𝐴𝐵.
(2) We defined only multiplication for ideals so far. Addition can be defined, see
Remark 4 after Theorem 11.4.5. Some of the usual nice properties do not hold for
it (only the zero element has a negative), and so the ideals in 𝑅 do not form a ring
for this addition and multiplication.
Examples. E1 Let 𝑅 = 𝐙[𝑥], and let 𝐴 and 𝐵 be the sets of polynomials having con-
stant terms divisible by 2 and 3. Then 𝐴𝐵 is the set of polynomials with constant
term divisible by 6:
𝐴𝐵 = (2, 𝑥)(3, 𝑥) = (6, 2𝑥, 3𝑥, 𝑥2 )
= (6, 2𝑥, 3𝑥 − 2𝑥, 𝑥2 ) = (6, 2𝑥, 𝑥, 𝑥2 ) = (6, 𝑥).
11.4. Divisibility of Ideals 359

E2 Let 𝑅 = 𝐸(√−5), 𝐴 = (3, 1+ √−5), and 𝐵 = (3, 1− √−5). Then 𝐴𝐵 is the principal
ideal (3):
𝐴𝐵 = (3, 1 + √−5)(3, 1 − √−5) = (9, 3 + 3√−5, 3 − 3√−5, 6)
= (9 − 6, 3 + 3√−5, 3 − 3√−5, 6) = (3).

Using multiplication, we can introduce divisibility among ideals of 𝑅:

Definition 11.4.3. An ideal 𝐵 is a divisor of an ideal 𝐴 if there is an ideal 𝐶 satisfying
𝐵𝐶 = 𝐴. We denote this relation by 𝐵 ∣ 𝐴, as usual. ♣
Remarks: (1) We can easily see that divisibility of principal ideals is equivalent to the
divisibility of their generators (in 𝑅):
(𝛽) ∣ (𝛼) ⟺ 𝛽 ∣ 𝛼.
Moreover, if 𝛽 ≠ 0 and (𝛼) = (𝛽)𝐶, then 𝐶 is a principal ideal, 𝐶 = (𝛾), where 𝛾
can be chosen to satisfy 𝛼 = 𝛽𝛾 (see Exercise 11.4.3). This means that divisibility
of ideals can be considered as a generalization of divisibility in 𝑅.
(2) We discuss some elementary properties of divisibility in Exercise 11.4.2. An im-
portant one is
(11.4.3) 𝐵 ∣ 𝐴 ⟹ 𝐴 ⊆ 𝐵.
The converse of (11.4.3) is true for principal ideals by the previous remark and
Theorem 11.2.1. It is false, however, in general for arbitrary ideals, see Exer-
cise 11.4.6.

In the sequel we deal only with rings 𝑅 where multiplication of ideals obeys the
cancellation law:
(11.4.4) 𝐴𝐵 = 𝐴𝐶, 𝐴 ≠ (0) ⟹ 𝐵 = 𝐶,
and the converse of (11.4.3) is true:
(11.4.5) 𝐵 ∣ 𝐴 ⟺ 𝐴 ⊆ 𝐵.
We shall show in Section 11.5 that the rings 𝐼(𝜗) constituting the main direction of our
investigation meet requirements (11.4.4) and (11.4.5).
Now we define the greatest common divisor of two ideals in the usual way as a
common divisor that is a multiple of every common divisor:
Definition 11.4.4. An ideal 𝐷 is the greatest common divisor of ideals 𝐴 and 𝐵 if
(i) 𝐷 ∣ 𝐴, 𝐷 ∣ 𝐵
(ii) if 𝐶 ∣ 𝐴 and 𝐶 ∣ 𝐵 for some ideal 𝐶, then 𝐶 ∣ 𝐷. ♣
Theorem 11.4.5. Any two ideals 𝐴 and 𝐵 have a unique greatest common divisor 𝐷 and
(11.4.6) 𝐷 = { 𝑎 + 𝑏 ∣ 𝑎 ∈ 𝐴, 𝑏 ∈ 𝐵 }. ♣

Proof. Based on (11.4.5), we can characterize the greatest common divisor by con-
tainment: it is the smallest ideal containing 𝐴 and 𝐵. We can verify easily (see Exer-
cise 11.4.4a) that 𝐷 defined by (11.4.6) is the unique ideal with this property. □
360 11. Ideals

Remarks: (1) We can consider 𝐷 as the ideal generated by 𝐴 and 𝐵. Thus the notation
𝐷 = (𝐴, 𝐵) agrees with the usual notation both for greatest common divisor and
generated ideal.
(2) If 𝐴 and 𝐵 are principal ideals, 𝐴 = (𝛼) and 𝐵 = (𝛽), then their greatest common
divisor by (11.4.6) is 𝐷 = { 𝑟𝛼 + 𝑠𝛽 ∣ 𝑟, 𝑠 ∈ 𝑅 }, which is just the ideal (𝛼, 𝛽).
This shows again that an ideal generated by two elements can be considered as a
generalization of the notion of greatest common divisor.
(3) If 𝐴 and 𝐵 are finitely generated ideals,
𝐴 = (𝛼1 , . . . , 𝛼𝑘 ) and 𝐵 = (𝛽1 , . . . , 𝛽𝑚 ),
then their greatest common divisor by (11.4.6) is
𝐷 = (𝛼1 , 𝛼2 , . . . , 𝛼𝑘 , 𝛽1 , 𝛽2 , . . . , 𝛽𝑚 ),
so the union of generators of 𝐴 and 𝐵 form a (possible) generating system of 𝐷.
(4) By (11.4.6), we can interpret 𝐷 also as the sum of ideals 𝐴 and 𝐵. We empha-
size once again that the ideals of 𝑅 do not form a ring for this addition and the
multiplication introduced in Definition 11.4.1 (see Exercise 11.4.4b).

Now we turn to the notion, properties, and relation of irreducible and prime ideals.
The definitions of irreducible and prime are analogous to the previous definitions
of irreducible and prime. The only unit among the ideals of 𝑅 is (1) = 𝑅, since this is
the only ideal dividing every ideal (see Exercise 11.4.2e).

Definition 11.4.6. An ideal 𝐼 of 𝑅 is irreducible if it is non-trivial (differs from (0)

and (1)), and it can be written as a product of two ideals only if one of the factors is (1),
so
(11.4.7) 𝐼 = 𝐴𝐵 ⟹ 𝐴 = (1) or 𝐵 = (1). ♣

By (11.4.4) and (11.4.5), irreducibility of a non-trivial ideal 𝐼 is equivalent to either

of the two conditions (here 𝐴 denotes an arbitrary ideal):
𝐼 has only trivial divisors:
(11.4.8) 𝐴 ∣ 𝐼 ⟹ 𝐴 = (1) or 𝐴 = 𝐼.
There is no non-trivial ideal containing 𝐼 as a proper subset:
(11.4.9) 𝐼 ⊆ 𝐴 ⊆ 𝑅 ⟹ 𝐴 = 𝑅 or 𝐴 = 𝐼.

Ideals satisfying (11.4.9) are called maximal ideals (also in rings where (11.4.5) is
not valid).

Definition 11.4.7. An ideal 𝑃 of 𝑅 is a prime ideal if it is non-trivial (differs from (0)

and (1)), and it can divide a product of two ideals only if it divides at least one of the
factors:
(11.4.10) 𝑃 ∣ 𝐴𝐵 ⟹ 𝑃 ∣ 𝐴 or 𝑃 ∣ 𝐵. ♣
Exercises 11.4 361

By (11.4.5), we can rephrase the definition of a prime ideal using containment: an

ideal different from (0) and (1) is a prime ideal if and only if
(11.4.11) 𝐴𝐵 ⊆ 𝑃 ⟹ 𝐴 ⊆ 𝑃 or 𝐵 ⊆ 𝑃.
Another equivalent condition is
(11.4.12) 𝑎𝑏 ∈ 𝑃 ⟹ 𝑎 ∈ 𝑃 or 𝑏 ∈ 𝑃.
The equivalence of (11.4.11) and (11.4.12) holds also in rings where (11.4.5) is not valid
(see Exercise 11.4.7), and in this case, (11.4.11) or (11.4.12) serves as a definition for
prime ideals.
If (11.4.4) and (11.4.5) hold, then prime ideals are the same as irreducible ideals:
Theorem 11.4.8. An ideal 𝑃 is a prime ideal if and only if it is an irreducible ideal. ♣

Proof. We follow the lines of the proof of Theorem 1.4.3. We can assume that 𝑃 is a
non-trivial ideal.
First we assume that 𝑃 is a prime ideal, and want to show that it is also irreducible.
Consider a product representation 𝑃 = 𝐴𝐵; we have to verify 𝐴 = (1) or 𝐵 = (1).
Since 𝑃 = 𝐴𝐵, so also 𝑃 ∣ 𝐴𝐵. As 𝑃 is a prime ideal, we infer 𝑃 ∣ 𝐴 or 𝑃 ∣ 𝐵.
If 𝑃 ∣ 𝐴, then 𝐴 = 𝑃𝐶 = 𝐴𝐵𝐶 with a suitable ideal 𝐶. Combining it with the
equality 𝐴 = 𝐴(1), we obtain 𝐴𝐵𝐶 = 𝐴(1). Cancelling by 𝐴 ≠ 0, we get 𝐵𝐶 = (1). This
implies 𝐵 = (1) (and 𝐶 = (1)).
If 𝑃 ∣ 𝐵, then we obtain 𝐴 = (1) similarly.
Now we assume that 𝑃 is irreducible, and show that it is a prime ideal. Starting
from divisibility 𝑃 ∣ 𝐴𝐵, we have to verify that at least one of 𝑃 ∣ 𝐴 and 𝑃 ∣ 𝐵 holds.
If 𝑃 ∣ 𝐴, we are done. If 𝑃 ∤ 𝐴, then (𝑃, 𝐴) = (1) since 𝑃 is irreducible.
Since 𝑃 ∣ 𝑃𝐵 and 𝑃 ∣ 𝐴𝐵, we infer 𝑃 ∣ (𝑃𝐵, 𝐴𝐵). By Exercise 11.4.4c, we obtain
(𝑃𝐵, 𝐴𝐵) = (𝑃, 𝐴)𝐵 = (1)𝐵 = 𝐵, and so 𝑃 ∣ 𝐵. □

Exercises 11.4

Throughout, 𝐴, 𝐵, and 𝐶 denote ideals in an integral domain 𝑅 with identity. In the

exercises related to greatest common divisor, irreducible ideals and prime ideals, we
assume, unless stated otherwise, the validity of (11.4.4) and (11.4.5), so the cancellation
law for ideals, and the equivalence of divisibility and (opposite) containment (these
hold in rings 𝐼(𝜗), as mentioned earlier).
1. Let 𝐻 be the set of products 𝑎𝑏 formed from elements of 𝐴 and 𝐵: 𝐻 = { 𝑎𝑏 ∣ 𝑎 ∈ 𝐴,
𝑏 ∈ 𝐵 }.
(a) Give an example where 𝐻 is not an ideal.
(b) Prove that if at least one of 𝐴 and 𝐵 is a principal ideal, then 𝐻 is an ideal (and
so 𝐻 = 𝐴𝐵).
362 11. Ideals

2. Verify the elementary properties of divisibility of ideals:

(a) 𝐴 ∣ 𝐴 for every 𝐴.
(b) 𝐶 ∣ 𝐵, 𝐵 ∣ 𝐴 ⟹ 𝐶 ∣ 𝐴.
(c) 𝐵 ∣ 𝐴 ⟹ 𝐴 ⊆ 𝐵.
(d) 𝐴 ∣ 𝐵, 𝐵 ∣ 𝐴 ⟹ 𝐴 = 𝐵.
(e) 𝐵 ∣ 𝐴 for every 𝐴 ⟺ 𝐵 = (1).
3. Verify the statements about divisibility of principal ideals:
(a) (𝛽) ∣ (𝛼) ⟺ 𝛽 ∣ 𝛼.
(b) If 𝛽 ≠ 0 and (𝛼) = (𝛽)𝐶, then 𝐶 is necessarily a principal ideal, as well, 𝐶 =
(𝛾), where 𝛾 can be chosen to satisfy 𝛼 = 𝛽𝛾.
4. Let 𝐷 = { 𝑎 + 𝑏 ∣ 𝑎 ∈ 𝐴, 𝑏 ∈ 𝐵 }.
(a) Prove that 𝐷 is the smallest ideal containing 𝐴 and 𝐵.
(b) Interpreting 𝐷 as the sum of 𝐴 and 𝐵, show that this addition of ideals is com-
mutative and associative, (0) is a zero element, but only (0) has a negative.
Remark: By part (a), we can consider 𝐷 as the ideal generated by 𝐴 and 𝐵, and
so 𝐷 is also the greatest common divisor of 𝐴 and 𝐵 by the connection between
containment and divisibility (see Theorem 11.4.5). Accordingly, we use the
notation 𝐷 = (𝐴, 𝐵). For part (b), however, it is better to write 𝐷 = 𝐴 + 𝐵.
(c) Demonstrate the distributive law 𝐴(𝐵, 𝐶) = (𝐴𝐵, 𝐴𝐶) (or, 𝐴(𝐵+𝐶) = 𝐴𝐵+𝐴𝐶,
by the other notation).
5. Define least common multiple for ideals, and show that if (11.4.4) and (11.4.5) are
valid, then two ideals 𝐴 and 𝐵 have a unique least common multiple 𝑀, namely
𝑀 = 𝐴 ∩ 𝐵.
6. Give an example of ideals 𝐴 and 𝐵, such that 𝐴 ⊆ 𝐵, but 𝐵 ∤ 𝐴.
7. Prove that (11.4.11) and (11.4.12) about prime ideals (after Definition 11.4.7) are
equivalent in any integral domain 𝑅 with identity (even if (11.4.4) or (11.4.5) is
false in 𝑅).
8. Consider the ring 𝐼(√−5).
S (a) Find all divisors of the ideals:
(a1): (2, 1 + √−5)
(a2): (2)
(a3): (1 + √−5).
(b) Compute the gcd of the ideals:
(b1): (2) and (1 + √−5)
(b2): (2, 1 + √−5) and (3, 1 − √−5).
(c) Determine which of the ideals are irreducible:
(c1): (2, 1 + √−5)
(c2): (2)
(c3): (11).
 11.5. Dedekind Rings 363

S 9. True or false?
(a) If 𝛼 is an irreducible element in 𝑅, then (𝛼) is an irreducible ideal.
(b) If (𝛼) is an irreducible ideal, then 𝛼 is an irreducible element in 𝑅.
(c) If 𝛼 is a prime element in 𝑅, then (𝛼) is a prime ideal.
(d) If (𝛼) is a prime ideal, then 𝛼 is a prime element in 𝑅.
10. (a) Show by an example that ideals of 𝐙[𝑥] do not obey the cancellation law
(11.4.4): 𝐴𝐵 = 𝐴𝐶, 𝐴 ≠ (0) ⇏ 𝐵 = 𝐶.
(b) Prove that we can cancel by a non-zero principal ideal in any integral domain
𝑅 with identity: If 𝐴 = (𝛼) ≠ (0), then 𝐴𝐵 = 𝐴𝐶 ⇒ 𝐵 = 𝐶.
11. Consider the ring 𝑅 of polynomials with non-negative rational exponents and real
coefficients (3 + 7𝑥4/7 + 11𝑥5/3 is such a polynomial).
(a) Verify that the elements without term 𝑥0 (i.e. having constant term 0) form an
ideal 𝐼 in 𝑅.
(b) Demonstrate that 𝐼 can be decomposed into the product of two ideals only as
𝐼 = (1)𝐼 = 𝐼(1) = 𝐼 ⋅ 𝐼.
Remark: The ideal 𝐼 meets the requirements (11.4.8) and (11.4.9) concerning
irreducible ideals, but it has also a non-trivial factorization 𝐼 = 𝐼 ⋅ 𝐼 (which
shows that 𝑅 does not obey the cancellation law (11.4.4)). Due to this and
similar singularities, we generally discuss irreducibility (and other number-
theoretic notions) only for ideals of rings where (11.4.4) and (11.4.5) are valid.
12. Let 𝑅 be an integral domain with identity (but we do not require (11.4.4) and
(11.4.5) now). Among the non-trivial ideals, we define maximal and prime ideals
by (11.4.9) and (11.4.12). We call a non-trivial ideal 𝑄 quasi-irreducible if 𝑄 = 𝐴𝐵
implies 𝐴 = 𝑄 or 𝐵 = 𝑄 (or both, cf. the previous exercise).
(a) Prove that every prime ideal is quasi-irreducible.
(b) Exhibit a quasi-irreducible ideal that is not a prime ideal.
(c) Verify that every maximal ideal is also a prime ideal and hence quasi-irreduc-
ible.
(d) Give an example of a prime ideal, that is not maximal.
(e) Demonstrate that 𝐼 is a maximal ideal if and only if the factor ring 𝑅/𝐼 is a
field, and 𝐼 is a prime ideal if and only if 𝑅/𝐼 contains no zero divisors.
Remark: We introduced quasi-irreducible ideals just for the exercise, but maximal
and prime ideals in this interpretation play an important role in arbitrary rings (as
is suggested by part (e)).

11.5. Dedekind Rings

In this section, 𝜗 denotes an algebraic number.
We show that the Fundamental Theorem of Arithmetic holds for the ideals of 𝐼(𝜗),
so every ideal different from (0) and (1) is the product of irreducible ideals, and this
364 11. Ideals

decomposition is unique apart from the order of factors. Rings with this property are
called Dedekind rings.
First we verify a result of independent interest about the product of polynomials
with algebraic integer coefficients (Theorem 11.5.1). It is a generalization of a basic
lemma of Gauss for polynomials with rational coefficients (see Exercise 11.5.9) that
occurred in the proof of Theorem 9.6.2 and was referred to in Remark 1 after the proof
of Theorem 11.3.3. We apply Theorem 11.5.1 to show that to every ideal 𝐴 ≠ (0) of
𝐼(𝜗) there exists an ideal 𝐵 ≠ (0) such that 𝐴𝐵 is a principal ideal (Theorem 11.5.5).
As a consequence, we obtain the cancellation law for ideals (Theorem 11.5.6), and the
equivalence of divisibility and the (opposite) containment of ideals (Theorem 11.5.7);
we required these properties in the previous section when discussing general number-
theoretic notions for ideals. Then we prove unique prime factorization for ideals (The-
orem 11.5.8). Finally, we establish the surprising result that every ideal of 𝐼(𝜗) can be
generated by at most two elements (Theorem 11.5.9).
Theorem 11.5.1. Let
𝑓(𝑥) = 𝛼0 + 𝛼1 𝑥 + ⋯ + 𝛼𝑚 𝑥𝑚 and 𝑔(𝑥) = 𝛽0 + 𝛽1 𝑥 + ⋯ + 𝛽𝑛 𝑥𝑛
be polynomials with algebraic integer coefficients and consider their product
𝑓(𝑥)𝑔(𝑥) = 𝛾0 + 𝛾1 𝑥 + ⋯ + 𝛾𝑚+𝑛 𝑥𝑚+𝑛 .
Assume that some algebraic integer 𝛿 divides all coefficients of the product:
(11.5.1) 𝛿 ∣ 𝛾𝑘, 𝑘 = 0, 1, . . . , 𝑚 + 𝑛.
Then
𝛿 ∣ 𝛼𝑖 𝛽𝑗 , 𝑖 = 0, 1, . . . , 𝑚, 𝑗 = 0, 1, . . . , 𝑛. ♣

Proof. We need a chain of three lemmas.

Lemma 11.5.2. The product of a root and the leading coefficient of a polynomial with
algebraic integer coefficients is an algebraic integer. ♣

Proof of Lemma 11.5.2. Let

𝑟
(11.5.2) ℎ(𝑥) = 𝜆0 + 𝜆1 𝑥 + ⋯ + 𝜆𝑟 𝑥𝑟 = 𝜆𝑟 ∏(𝑥 − 𝜉𝑖 ).
𝑖=1

We verify that 𝜆𝑟 𝜉1 is an algebraic integer. Multiplying

0 = 𝑓(𝜉1 ) = 𝜆0 + 𝜆1 𝜉1 + ⋯ + 𝜆𝑟 𝜉1𝑟
by 𝜆𝑟−1
𝑟 , we obtain

0 = 𝜆0 𝜆𝑟−1
𝑟 + 𝜆1 𝜆𝑟−2
𝑟 (𝜆𝑟 𝜉1 ) + ⋯ + 𝜆𝑟−1 (𝜆𝑟 𝜉1 )
𝑟−1
+ (𝜆𝑟 𝜉1 )𝑟 .
This means that 𝜆𝑟 𝜉1 is a root of the polynomial
𝜆0 𝜆𝑟−1
𝑟 + 𝜆1 𝜆𝑟−2
𝑟 𝑥 + ⋯ + 𝜆𝑟−1 𝑥
𝑟−1
+ 𝑥𝑟
with algebraic integer coefficients and leading coefficient one. Hence, 𝜆𝑟 𝜉1 is an alge-
braic integer by Theorem 9.6.3/(iii). □
11.5. Dedekind Rings 365

Lemma 11.5.3. Dividing a polynomial with algebraic integer coefficients by any of its
root factors, we obtain a polynomial with algebraic integer coefficients again. (A root
factor of a polynomial 𝑓 is a linear polynomial 𝑥 − 𝛼 where 𝑓(𝛼) = 0.) ♣

Proof of Lemma 11.5.3. Let ℎ be the polynomial in (11.5.2). We show that the coef-
ficients of
ℎ(𝑥)
ℎ1 (𝑥) =
𝑥 − 𝜉1
are algebraic integers.
We proceed by induction on the degree 𝑟 of ℎ.
The statement is true for 𝑟 = 1 because then ℎ1 (𝑥) is the constant polynomial 𝜆1 .
Assume now that the statement holds for every polynomial of degree not greater
than 𝑟 − 1. Consider the polynomial
𝑠(𝑥) = ℎ(𝑥) − 𝜆𝑟 (𝑥 − 𝜉1 )𝑥𝑟−1 .
Clearly, the degree of 𝑠(𝑥) is at most 𝑟 − 1, 𝑠(𝜉1 ) = 0, and 𝜆𝑟 𝜉1 is an algebraic integer by
Lemma 11.5.2, so the coefficients of 𝑠(𝑥) are algebraic integers.
By the induction hypothesis, the coefficients of
𝑠(𝑥) ℎ(𝑥)
𝑠1 (𝑥) = = − 𝜆𝑟 𝑥𝑟−1 = ℎ1 (𝑥) − 𝜆𝑟 𝑥𝑟−1
𝑥 − 𝜉1 𝑥 − 𝜉1
are algebraic integers. Since 𝜆𝑟 is an algebraic integer, we obtain that ℎ1 (𝑥) has alge-
braic integer coefficients. □

Lemma 11.5.4. The product of the leading coefficient and arbitrarily many roots of a
polynomial with algebraic integer coefficients is an algebraic integer. ♣

Proof of Lemma 11.5.4. Let ℎ be the polynomial in (11.5.2). We verify that 𝜆𝑟 𝜉1 . . . 𝜉𝑘

is an algebraic integer.
Dividing ℎ(𝑥) by the missing root factors, those with indices greater than 𝑘, we
obtain the polynomial
𝑘
𝑡(𝑥) = 𝜆𝑟 ∏(𝑥 − 𝜉𝑗 ),
𝑗=1

which has algebraic integer coefficients by repeated applications of Lemma 11.5.3.

Thus its constant term
(−1)𝑘 𝜆𝑟 𝜉1 . . . 𝜉𝑘
is an algebraic integer. □

Now we turn to the proof of Theorem 11.5.1.

Let the roots of the polynomials 𝑓 and 𝑔 be 𝜉1 , . . . , 𝜉𝑚 , and 𝜂1 , . . . , 𝜂𝑛 . Then
𝑚+𝑛 𝑚 𝑛
(11.5.3) 𝑓(𝑥)𝑔(𝑥) = ∑ 𝛾 𝑘 𝑥𝑘 = 𝛼𝑚 𝛽𝑛 ∏(𝑥 − 𝜉𝑖 ) ∏(𝑥 − 𝜂𝑗 ).
𝑘=0 𝑖=1 𝑗=1
366 11. Ideals

Dividing (11.5.3) by 𝛿 (appearing in the statement of Theorem 11.5.1), we get

𝑚+𝑛 𝑚 𝑛
𝛾 𝛼 𝛽
(11.5.4) ∑ 𝑘 𝑥𝑘 = 𝑚 𝑛 ∏(𝑥 − 𝜉𝑖 ) ∏(𝑥 − 𝜂𝑗 ).
𝑘=0
𝛿 𝛿 𝑖=1 𝑗=1

By (11.5.1), the polynomial on the left-hand side of (11.5.4) has algebraic integer coef-
ficients. Thus an arbitrary product
𝛼𝑚 𝛽𝑛
(11.5.5) 𝜉𝑖1 . . . 𝜉𝑖𝑟 𝜂𝑗1 . . . 𝜂𝑗𝑠
𝛿
is an algebraic integer by Lemma 11.5.4.
Using the root factor decomposition, we get any coefficient 𝛼𝑖 of 𝑓 by adding some
terms of the form ±𝛼𝑚 𝜉𝑖1 . . . 𝜉𝑖𝑟 , and we have a similar result for 𝑔. Therefore every
𝛼𝑖 𝛽𝑗 can be written as

𝛼𝑖 𝛽𝑗 = (∑ ±𝛼𝑚 𝜉𝑖1 . . . 𝜉𝑖𝑟 )(∑ ±𝛽𝑛 𝜂𝑗1 . . . 𝜂𝑗𝑠 ),

so
𝛼𝑖 𝛽𝑗 𝛼 𝛽
(11.5.6) = 𝑚 𝑛 (∑ ±𝜉𝑖1 . . . 𝜉𝑖𝑟 )(∑ ±𝜂𝑗1 . . . 𝜂𝑗𝑠 ).
𝛿 𝛿
The right-hand side of (11.5.6) is a sum with signs of algebraic integers of the form in
(11.5.5), so it is an algebraic integer. This proves that 𝛼𝑖 𝛽𝑗 /𝛿 on the left-hand side is an
algebraic integer. □

The following result of Kronecker plays a central role in studying ideals of 𝐼(𝜗):
It makes it possible to get at least partial answers for many questions by reducing the
problems to principal ideals, as these have a much more transparent structure.
Theorem 11.5.5. To every ideal 𝐴 ≠ (0) in 𝐼(𝜗) there exists an ideal 𝐵 ≠ (0) such that
𝐴𝐵 is a principal ideal. ♣
Remark: It turns out from the proof that we can choose 𝐵 ≠ (0) to yield 𝐴𝐵 = (𝑐) with
an integer 𝑐. This can also be easily deduced from the statement of the theorem (see
Exercises 11.5.1 and 11.5.2).

Proof. By Exercise 11.1.10c, the ideal 𝐴 is finitely generated:

𝐴 = (𝛼0 , 𝛼1 , . . . , , 𝛼𝑘 ).
Let 𝜗 (1) = 𝜗, 𝜗 (2) , . . . , 𝜗 (𝑛) be the conjugates of 𝜗 over 𝐐 (i.e. the roots of its minimal
polynomial), and let 𝑓𝜈 (𝜗 (𝑗) ) denote the 𝑗th relative conjugate of the generator 𝛼𝜈 (see
Section 10.4); in particular, 𝑓𝜈 (𝜗 (1) ) = 𝛼𝜈 .
Consider the polynomials
𝐹𝑗 (𝑥) = 𝑓0 (𝜗 (𝑗) ) + 𝑓1 (𝜗 (𝑗) )𝑥 + ⋯ + 𝑓𝑘 (𝜗 (𝑗) )𝑥𝑘 , 𝑗 = 1, 2, . . . , 𝑛.
(Thus the coefficient of 𝑥𝑖 in 𝐹𝑗 (𝑥) is the 𝑗th relative conjugate of the generator 𝛼𝑖 .) In
particular,
𝐹1 (𝑥) = 𝛼0 + 𝛼1 𝑥 + ⋯ + 𝛼𝑘 𝑥𝑘 .
𝑛
Let 𝐺(𝑥) = ∏𝑗=1 𝐹𝑗 (𝑥).
11.5. Dedekind Rings 367

𝐺(𝑥) is a symmetric polynomial in variables 𝜗𝑗 , so the same applies for its coeffi-
cients. By the fundamental theorem of symmetric polynomials and the Viète formulas
for the minimal polynomial of 𝜗, we infer (in the usual way we have seen several times)
that 𝐺(𝑥) has rational coefficients.
As the coefficients of 𝐺(𝑥) are obtained from the algebraic integers 𝛼𝜈 and their
algebraic integer relative conjugates with the help of addition and multiplication, the
coefficients of 𝐺(𝑥) are algebraic integers. Since they are also rational, they must be
integers,
𝐺(𝑥) = 𝑎0 + 𝑎1 𝑥 + ⋯ + 𝑎𝑘𝑛 𝑥𝑘𝑛 , 𝑎𝑠 ∈ 𝐙, 𝑠 = 0, 1, . . . , 𝑘𝑛.
Let
𝑛
𝐺(𝑥)
𝐻(𝑥) = = ∏ 𝐹 (𝑥).
𝐹1 (𝑥) 𝑗=2 𝑗
Since the coefficients of every 𝐹𝑗 (𝑥) are algebraic integers, 𝐻(𝑥) has algebraic integer
coefficients. Further, the coefficients of 𝐺(𝑥) and 𝐹1 (𝑥) are in 𝐐(𝜗), and the division
algorithm has terms that are in the field containing the coefficients, so the coefficients
of 𝐻(𝑥) belong to 𝐐(𝜗). Combining the two observations, we see that the coefficients
of 𝐻(𝑥) are in 𝐼(𝜗),
𝐻(𝑥) = 𝛽0 + 𝛽1 𝑥 + ⋯ + 𝛽 𝑘𝑛−𝑘 𝑥𝑘𝑛−𝑘 .
We show that
𝐵 = (𝛽0 , 𝛽1 , . . . , 𝛽 𝑘𝑛−𝑘 ) and 𝑐 = gcd{𝑎0 , 𝑎1 , . . . , 𝑎𝑘𝑛 }
satisfy 𝐴𝐵 = (𝑐).
As 𝑐 is the greatest common divisor of the coefficients of 𝐺 ≠ 0, 𝑐 ≠ 0 (and so
clearly 𝐵 ≠ (0)).
We verify first 𝐴𝐵 ⊆ (𝑐). By the definition of 𝑐, it divides every coefficient of the
polynomial 𝐺(𝑥) = 𝐹1 (𝑥)𝐻(𝑥). Then, by Theorem 11.5.1, 𝑐 divides every product 𝛼𝑖 𝛽𝑗 ,
so 𝛼𝑖 𝛽𝑗 ∈ (𝑐), hence 𝐴𝐵 ⊆ (𝑐).
To prove the reverse containment (𝑐) ⊆ 𝐴𝐵, observe that 𝐺(𝑥) = 𝐹1 (𝑥)𝐻(𝑥), so
𝑎0 + 𝑎1 𝑥 + ⋯ + 𝑎𝑘𝑛 𝑥𝑘𝑛 = (𝛼0 + 𝛼1 𝑥 + ⋯ + 𝛼𝑘 𝑥𝑘 )(𝛽0 + 𝛽1 𝑥 + ⋯ + 𝛽 𝑘𝑛−𝑘 𝑥𝑘𝑛−𝑘 )
implies
𝑎𝑠 = ∑ 𝛼𝑖 𝛽𝑗 ∈ 𝐴𝐵, 𝑠 = 0, 1, . . . , 𝑘𝑛.
𝑖+𝑗=𝑠
By Theorem 1.3.5, which refers to a property of the gcd for integers, we have
𝑘𝑛
𝑐 = ∑ 𝑎𝑠 𝑢𝑠
𝑠=0

with suitable integers 𝑢𝑠 , thus

𝑐 ∈ (𝑎0 , 𝑎1 , . . . , 𝑎𝑘𝑛 ) ⊆ 𝐴𝐵 so (𝑐) ⊆ 𝐴𝐵.
The mutual containment proves 𝐴𝐵 = (𝑐). □
Theorem 11.5.6. The cancellation law holds for ideals of 𝐼(𝜗):
𝐴𝐵 = 𝐴𝐶, 𝐴 ≠ (0) ⟹ 𝐵 = 𝐶. ♣
368 11. Ideals

Proof. By Theorem 11.5.5, given an ideal 𝐴 ≠ (0) there exists an ideal 𝐷 ≠ (0) such
that 𝐴𝐷 is a principal ideal, so 𝐴𝐷 = (𝜓) for some (0 ≠)𝜓 ∈ 𝐸(𝜗) (moreover, 𝜓 can be
chosen to be an integer).
Multiplying 𝐴𝐵 = 𝐴𝐶 by 𝐷, we obtain (𝜓)𝐵 = (𝜓)𝐶. Then 𝐵 = 𝐶 follows by
Exercise 11.4.10b. □
Theorem 11.5.7. For ideals of 𝐼(𝜗), 𝐵 ∣ 𝐴 ⟺ 𝐴 ⊆ 𝐵. ♣

Proof. We saw in Exercise 11.4.2c that the implication ⇒ holds in any integral domain
with identity.
For the converse, assume 𝐴 ⊆ 𝐵. We may clearly restrict ourselves to the case
𝐵 ≠ (0). By Theorem 11.5.5, multiplying 𝐵 ≠ (0) by a suitable ideal 𝐷 ≠ (0), the
product is a principal ideal: 𝐵𝐷 = (𝜓). Then 𝐴𝐷 ⊆ 𝐵𝐷 = (𝜓).
Every ideal in 𝐼(𝜗), including 𝐴𝐷, is finitely generated. By the condition 𝐴𝐷 ⊆ (𝜓),
every generator is divisible by 𝜓:
𝐴𝐷 = (𝜂1 𝜓, . . . , 𝜂𝑠 𝜓) = (𝜓)(𝜂1 , . . . , 𝜂𝑠 ).
Denoting the ideal (𝜂1 , . . . , 𝜂𝑠 ) by 𝐾, we obtain
𝐴𝐷 = (𝜓)𝐾 = 𝐵𝐷𝐾.
Cancelling 𝐷 ≠ (0), we get
𝐴 = 𝐵𝐾, so 𝐵 ∣ 𝐾. □

By Theorems 11.5.6 and 11.5.7, the ideals of 𝐼(𝜗) obey the cancellation law, and
divisibility is equivalent to containment (in the opposite direction). Accordingly, the
results of Section 11.4 depending on these properties are valid for ideals in 𝐼(𝜗). We
stress among them the equivalence of irreducible and prime ideals (Theorem 11.4.8).
This will have a crucial role in the proof of the next theorem: We show that the Fun-
damental Theorem of Arithmetic holds for the ideals of 𝐼(𝜗).
Theorem 11.5.8. Every ideal in 𝐼(𝜗) different from (0) and (1) is the product of finitely
many irreducible ideals, and the decomposition is unique apart from the order of factors.
♣

Proof. We follow closely the argument in the proof of sufficiency in Theorem 11.3.1.
Decomposability. Let 𝐴 be a non-trivial ideal. We show first that 𝐴 has a divisor
among the irreducible ideals.
If 𝐴 itself is irreducible, then we are done.
Otherwise, 𝐴 = 𝐴1 𝐵1 , where 𝐴1 ≠ (1), 𝐵1 ≠ (1). Then 𝐴 ⊂ 𝐴1 with strict contain-
ment, since if 𝐴 = 𝐴1 , then cancelling 𝐴 in 𝐴(1) = 𝐴 = 𝐴𝐵1 would imply (1) = 𝐵1 .
If 𝐴1 is irreducible, then it is an irreducible divisor of 𝐴. Otherwise, 𝐴1 = 𝐴2 𝐵2 ,
where 𝐴2 ≠ (1), 𝐵2 ≠ (1). Then 𝐴1 ⊂ 𝐴2 (with strict containment).
Continuing the procedure similarly, we get a strictly ascending chain of ideals
𝐴 ⊂ 𝐴1 ⊂ 𝐴2 ⊂ ⋯ ⊂ 𝐴𝑗 ⊂ . . . .
It cannot be infinite by Exercise 11.1.10b, so some 𝐴𝑖 must be irreducible.
11.5. Dedekind Rings 369

Now we verify that 𝐴 is a product of irreducible ideals. If 𝐴 is irreducible, then we

are done. Otherwise, 𝐴 = 𝑃1 𝐶1 , where 𝑃1 is irreducible and 𝐶1 ≠ (1). Since 𝑃1 ≠ (1), we
have 𝐴 ⊂ 𝐶1 (with strict containment).
If 𝐶1 is irreducible, then both factors are irreducible in the product 𝐴 = 𝑃1 𝐶1 , and
we are done. Otherwise, 𝐶1 = 𝑃2 𝐶2 , where 𝑃2 is irreducible and 𝐶2 ≠ (1). Therefore
𝐶1 ⊂ 𝐶2 (with strict containment).
Continuing the procedure, we get a strictly increasing chain of ideals
𝐴 ⊂ 𝐶1 ⊂ ⋯ ⊂ 𝐶𝑗 ⊂ . . . .
It cannot be infinite by Exercise 11.1.10b, so some 𝐶𝑖 = (1), and 𝐴 is a product of
irreducible ideals.
Uniqueness: Assume that some 𝐴 has at least two essentially distinct decomposi-
tions into the product of irreducible ideals:
(11.5.7) 𝐴 = 𝑃1 𝑃2 . . . 𝑃𝑟 = 𝑄1 𝑄2 . . . 𝑄𝑠 .
If a 𝑃𝑖 is equal to a 𝑄𝑗 , then we can cancel by the common factor. Thus we may assume
that 𝑃𝑖 ≠ 𝑄𝑗 in (11.5.7).
We have 𝑃1 ∣ 𝑄1 𝑄2 . . . 𝑄𝑠 . Since 𝑃1 is irreducible, it is a prime ideal by Theo-
rem 11.4.8. Therefore 𝑃1 divides at least one factor 𝑄𝑗 .
As 𝑄𝑗 is irreducible, 𝑃1 ∣ 𝑄𝑗 implies 𝑃1 = (1) or 𝑃1 = 𝑄𝑗 , but both are impossible. □

Example. Factor the principal ideal (6) in 𝐼(√−5) into a product of irreducible ideals.
We saw earlier that 6 has two essentially distinct representations as a product of
irreducible elements in 𝐼(√−5):
6 = 2 ⋅ 3 = [1 + √−5][1 − √−5].
Accordingly, the principal ideal (6) has two decompositions into the product of princi-
pal ideals:
(6) = (2)(3) = (1 + √−5)(1 − √−5).
Each factor can be written as a product of two irreducible ideals:
(2) = (2, 1 + √−5)(2, 1 − √−5) = (2, 1 + √−5)2
(3) = (3, 1 + √−5)(3, 1 − √−5)
(1 + √−5) = (2, 1 + √−5)(3, 1 + √−5)
(1 − √−5) = (2, 1 − √−5)(3, 1 − √−5).
Thus the principal ideal (6) has the following factorization into the product of irre-
ducible ideals:
(6) = (2, 1 + √−5)2 (3, 1 + √−5)(3, 1 − √−5).
The irreducible ideals arise from the two decompositions of 6 into irreducible factors:
we can interpret the ideal (3, 1 + √−5) as a “hiding common divisor ideal number” in
the factors 3 and 1 + √−5, and in fact, we refined the two distinct decompositions of 6
into a common decomposition of the principal ideal (6) with the help of these hidden
factors.
370 11. Ideals

Because of the equivalence of irreducible and prime ideals, we shall use the name
prime ideal for both notions in the sequel.
We can introduce the standard form of ideals by Theorem 11.5.8: If 𝐴 ≠ (0) and
𝐴 ≠ (1), then
𝑟
𝛼 𝛼𝑟 𝛼
𝐴 = 𝑃1 1 . . . 𝑃𝑟 = ∏ 𝑃𝑖 𝑖 ,
𝑖=1
where 𝑃1 , . . . , 𝑃𝑟 are distinct prime ideals and 𝛼1 , . . . , 𝛼𝑟 are positive integers.
The standard forms for the greatest common divisor (see Definition 11.4.4. and
Theorem 11.4.5) and the least common multiple (see Exercise 11.4.5) of ideals have the
same well-known formulas as for integers: Every prime ideal occurring in the ideals
has to be taken with the minimal or maximal exponent, respectively, and 𝑃 0 = (1). The
proof is the same as for integers.
As an application of Theorems 11.5.5 and 11.5.8, we prove that every ideal in 𝐼(𝜗)
is almost a principal ideal:
Theorem 11.5.9. Every ideal in 𝐼(𝜗) can be generated by at most two elements. ♣

Proof. We can assume 𝐴 ≠ (0) and 𝐴 ≠ (1).

By Theorem 11.5.5, 𝐴𝐵 = (𝜓) for some ideal 𝐵 ≠ (0). We want to find a principal
ideal (𝛾) such that the greatest common divisor of (𝛾) and 𝐴𝐵 = (𝜓) is 𝐴, since then
(11.5.8) 𝐴 = (𝜓, 𝛾)
by Remark 2 after Theorem 11.4.5.
Let 𝑃1 , . . . , 𝑃𝑟 be all prime ideals that divide at least one of 𝐴 and 𝐵 and let
𝑟
𝛼 𝛼𝑟 𝛼𝑖
𝐴 = 𝑃1 1 . . . 𝑃𝑟 = ∏ 𝑃𝑖
𝑖=1
0
be the standard form of 𝐴 where 𝛼𝑖 = 0, so 𝑃𝑖 = (1) may occur, if 𝑃𝑖 divides only 𝐵.
Consider the ideals:
𝑟
1+𝛼𝑖 𝛼𝑗 1+𝛼𝑖
𝐶 = ∏ 𝑃𝑖 , and 𝐶𝑗 = 𝑃𝑗 ∏ 𝑃𝑖 , 𝑗 = 1, 2, . . . , 𝑟.
𝑖=1 𝑖≠𝑗

Then
𝐶𝑗 ∣ 𝐶, so 𝐶 ⊂ 𝐶𝑗 , but 𝐶 ≠ 𝐶𝑗 .
Choose 𝛾1 , . . . , 𝛾𝑟 satisfying
𝛾𝑗 ∈ 𝐶𝑗 , but 𝛾𝑗 ∉ 𝐶, 𝑗 = 1, 2, . . . , 𝑟.
We prove
1+𝛼𝑖
(11.5.9a) 𝛾𝑗 ∈ 𝑃𝑖 if 𝑗 ≠ 𝑖
𝛼𝑖
(11.5.9b) 𝛾 𝑖 ∈ 𝑃𝑖
1+𝛼𝑖
(11.5.9c) 𝛾 𝑖 ∉ 𝑃𝑖 .
1+𝛼 1+𝛼 1+𝛼𝑖
If 𝑗 ≠ 𝑖, then 𝑃𝑖 𝑖 ∣ 𝐶𝑗 implies 𝐶𝑗 ⊆ 𝑃𝑖 𝑖 , and so 𝛾𝑗 ∈ 𝑃𝑖 , since 𝛾𝑗 ∈ 𝐶𝑗 . This
verifies (11.5.9a), and (11.5.9b) can be shown similarly.
11.5. Dedekind Rings 371

1+𝛼𝑖
We prove (11.5.9c) by contradiction. If 𝛾 𝑖 ∈ 𝑃𝑖 , then combining it with
(11.5.9a), we obtain
𝑟
1+𝛼𝑡
(11.5.10) 𝛾𝑖 ∈ 𝑃𝑡 .
⋂
𝑡=1

By Exercise 11.4.5, the intersection of ideals is their least common multiple, so

𝑟 𝑟
1+𝛼𝑡 1+𝛼1 1+𝛼𝑟 1+𝛼𝑡
(11.5.11) 𝑃𝑡 = lcm{𝑃1 , . . . , 𝑃𝑟 } = ∏ 𝑃𝑡 = 𝐶.
⋂
𝑡=1 𝑡=1

From (11.5.10) and (11.5.11) we get 𝛾 𝑖 ∈ 𝐶, which contradicts the selection of 𝛾 𝑖 .

We claim that for
𝛾 = 𝛾1 + ⋯ + 𝛾𝑟

the greatest common divisor of 𝐴𝐵 and (𝛾) is 𝐴, and so (11.5.8) holds.

We have to verify that in the standard form of the gcd of 𝐴𝐵 and (𝛾)

(i) only the prime ideals 𝑃𝑖 can occur

(ii) the exponent of 𝑃𝑖 is 𝛼𝑖 (𝑖 = 1, 2, . . . , 𝑟).

Condition (i) holds, as only the prime ideals 𝑃𝑖 appear also in the standard form of 𝐴𝐵.
Since 𝐴 ∣ 𝐴𝐵, the exponent of 𝑃𝑖 in the standard form of 𝐴𝐵 is at least 𝛼𝑖 . Thus to
show (ii), we have to verify that the exponent of 𝑃𝑖 in the standard form of (𝛾) is exactly
𝛼𝑖 , or
𝛼𝑖
(iii) 𝑃𝑖 ∣ (𝛾), but
1+𝛼𝑖
(iv) 𝑃𝑖 ∤ (𝛾).

(iii): By (11.5.9a) and (11.5.9b),

𝛼
𝛾𝑡 ∈ 𝑃𝑖 𝑖 , 𝑡 = 1, 2, . . . , 𝑟,
𝛼 𝛼𝑖 𝛼
so every term in the sum defining 𝛾 is an element of 𝑃𝑖 𝑖 . As 𝑃𝑖 is an ideal, 𝛾 ∈ 𝑃𝑖 𝑖 ,
and thus
𝛼 𝛼𝑖
(𝛾) ⊆ 𝑃𝑖 𝑖 , so 𝑃𝑖 ∣ (𝛾).

(iv): By (11.5.9a) and (11.5.9c),

1+𝛼𝑖 1+𝛼𝑖
𝛾𝑗 ∈ 𝑃𝑖 if 𝑗 ≠ 𝑖, but 𝛾 𝑖 ∉ 𝑃𝑖 ,
1+𝛼𝑖
so every term in the sum defining 𝛾 is an element of 𝑃𝑖 with the exception of exactly
1+𝛼 1+𝛼
one term. As 𝑃𝑖 𝑖 is an ideal, 𝛾 ∉ 𝑃𝑖 𝑖 , and so
1+𝛼𝑖 1+𝛼𝑖
(𝛾) ⊈ 𝑃𝑖 , i.e. 𝑃𝑖 ∤ (𝛾). □
 372 11. Ideals

Exercises 11.5

All exercises refer to ideals of 𝐼(𝜗).

1. Prove that to an element 𝛼 ∈ 𝐼(𝜗) and an ideal 𝐴 there exists an ideal 𝐵 satisfying
𝐴𝐵 = (𝛼) if and only if 𝛼 ∈ 𝐴.
2. (a) Demonstrate 𝛼 ∣ 𝑁(𝛼) for any 𝛼 ∈ 𝐼(𝜗).
(b) Show that every ideal 𝐴 ≠ (0) in 𝐼(𝜗) contains infinitely many integers that
form a principal ideal in 𝐙.
3. Verify that an ideal 𝐴 ≠ (0) has only finitely many divisors.
4. Consider the prime ideals in a given 𝐼(𝜗).
(a) Demonstrate that every prime ideal contains exactly one positive prime num-
ber.
(b) Prove that there are infinitely many prime ideals.
(c) Can a prime number be an element of two different prime ideals?
(d) Can a prime number be an element of infinitely many different prime ideals?
5. Prove that the product of any two ideals in 𝐼(𝜗) equals the product of their sum and
intersection.
6. Show 𝛼𝛽 ∈ (𝛼2 , 𝛽 2 ) for any 𝛼, 𝛽 ∈ 𝐼(𝜗).

7. Consider the ring 𝐼(√−5).

(a) Factor the principal ideal (21) into a product of prime ideals.
(b) For which primes 𝑝 > 0 is (𝑝, 1 + √−5) a prime ideal?
S* (c) For which primes 𝑝 > 0 is (𝑝, 𝑎 + √−5) a prime ideal for a suitable 𝑎?
8. Prove that the Fundamental Theorem of Arithmetic holds for the elements of 𝐼(𝜗)
if and only if every prime ideal is a principal ideal.
S 9. A non-constant polynomial with integer coefficients is called primitive if its coeffi-
cients are coprime. Deduce from Theorem 11.5.1:
(a) (First form of Gauss’s Lemma.) The product of two primitive polynomials is
primitive, too.
(b) (Second form of Gauss’s Lemma.) If a polynomial 𝐻 with integer coefficients is
the product of polynomials 𝐹 and 𝐺 with rational coefficients, 𝐻 = 𝐹𝐺, then
𝐻 = 𝐹1 𝐺 1 , where 𝐹1 and 𝐺 1 are polynomials with integer coefficients and are
constant multiples of 𝐹 and 𝐺.
Remark: Statements (a) and (b) can be deduced from each other easily, therefore
both are referred to as Gauss’s lemma. Some books, however, call only statement
(a) by this name.
11.6. Class Number 373

11.6. Class Number

We assume also in this section that 𝜗 is an algebraic number and introduce an equiva-
lence relation among the non-zero ideals of 𝐼(𝜗). The number of resulting equivalence
classes plays an important role in the number theory of 𝐼(𝜗). As an application of ideals,
we show that the Diophantine equation 𝑥2 + 17 = 𝑦3 has no solution.

Definition 11.6.1. The ideals 𝐴 ≠ (0) and 𝐵 ≠ (0) are equivalent if there exist principal
ideals (𝛼) ≠ (0) and (𝛽) ≠ (0) such that

(𝛼)𝐴 = (𝛽)𝐵. ♣

Notation: 𝐴 ∼ 𝐵.
In the sequel we always assume that ideals (including the principal ideals) are not
zero.
We summarize some simple but important properties of equivalence in

Theorem 11.6.2. (i) The relation ∼ in Definition 11.6.1 is reflexive, symmetric, and
transitive, so it is an equivalence relation.

(ii) 𝐴 ∼ 𝐵, 𝐶 ∼ 𝐷 ⟹ 𝐴𝐶 ∼ 𝐵𝐷.

(iii) 𝐴 ∼ 𝐵 ⟺ 𝐴𝐶 ∼ 𝐵𝐶.

(iv) 𝐴 ∼ (1) ⟺ 𝐴 is a principal ideal. ♣

Proof. (i) 𝐴 ∼ 𝐴, since (1)𝐴 = 𝐴. Symmetry is obvious from the definition. If 𝐴 ∼ 𝐵

and 𝐵 ∼ 𝐶, or
(𝛼)𝐴 = (𝛽)𝐵 and (𝛾)𝐵 = (𝛿)𝐶
with suitable non-zero principal ideals (𝛼), (𝛽), (𝛾), and (𝛿), then

(𝛼𝛾)𝐴 = (𝛽𝛾)𝐵 = (𝛽𝛿)𝐶.

(ii) If 𝐴 ∼ 𝐵 and 𝐶 ∼ 𝐷, or

(𝛼)𝐴 = (𝛽)𝐵 and (𝜚)𝐶 = (𝜉)𝐷,

then
(𝛼𝜚)𝐴𝐶 = (𝛽𝜉)𝐵𝐷.

(iii) As 𝐶 ≠ (0), so (𝛼)𝐴 = (𝛽)𝐵 ⟺ (𝛼)𝐴𝐶 = (𝛽)𝐵𝐶.

(iv) If 𝐴 = (𝜚), then (1)𝐴 = (1)(𝜚) = (𝜚)(1) guarantees 𝐴 ∼ (1). Conversely, if
𝐴 ∼ (1), so 𝐴(𝛼) = (1)(𝛽) = (𝛽), then 𝐴 is a principal ideal by Exercise 11.4.3b. □

The equivalence relation ∼ partitions the non-zero ideals of 𝐼(𝜗) into disjoint
classes. We state the following fundamental result without proof:

Theorem 11.6.3. There are finitely many ideal classes of 𝐼(𝜗). ♣

374 11. Ideals

We denote the number of ideal classes of 𝐼(𝜗) by ℎ(𝜗).

The following table contains the class number of 𝐼(√𝑡) for some negative integers 𝑡:
𝑡 −1 −3 −5 −17 −31 −35 −74
ℎ(√𝑡) 1 1 2 4 3 2 10

It is easy to verify that the Fundamental Theorem of Arithmetic holds for the ele-
ments of 𝐼(𝜗) if and only if ℎ(𝜗) = 1 (see Exercise 11.6.2).
We show now that any (non-zero) ideal in 𝐼(𝜗) raised to the power ℎ(𝜗) is always
a principal ideal:

Theorem 11.6.4. Let ℎ(𝜗) be the number of ideal classes of 𝐸(𝜗) and let 𝐴 ≠ (0) be an
ideal. Then 𝐴ℎ(𝜗) is a principal ideal. ♣

Proof. We follow the proof of the Euler–Fermat Theorem 2.4.1. Let ℎ(𝜗) = ℎ and

(11.6.1) 𝐴1 , 𝐴 2 , . . . , 𝐴 ℎ

be any representatives of the (distinct) ideal classes. We show that

(11.6.2) 𝐴𝐴1 , 𝐴𝐴2 , . . . , 𝐴𝐴ℎ

fall into different classes. If 𝐴𝐴𝑖 ∼ 𝐴𝐴𝑗 , or

(𝜚)𝐴𝐴𝑖 = (𝜏)𝐴𝐴𝑗 ,

then cancellation by 𝐴 ≠ (0) yields 𝐴𝑖 ∼ 𝐴𝑗 , so 𝑖 = 𝑗.

This means that the ideals listed in (11.6.2) are equivalent to the ideals in (11.6.1)
in some order. Thus to every 1 ≤ 𝑖 ≤ ℎ there exists exactly one𝑗, 1 ≤ 𝑗 ≤ ℎ, such that
𝐴𝐴𝑖 ∼ 𝐴𝑗 . We denote this 𝐴𝑗 by 𝐵𝑖 :
𝐴𝐴1 ∼ 𝐵1
𝐴𝐴2 ∼ 𝐵2
(11.6.3)
⋮
𝐴𝐴ℎ ∼ 𝐵ℎ .
The ideals 𝐵1 , . . . , 𝐵ℎ are a permutation of the ideals 𝐴1 , . . . , 𝐴ℎ .
Multiplying the equivalences in (11.6.3), we obtain

(11.6.4) 𝐴ℎ 𝐴1 𝐴2 . . . 𝐴ℎ ∼ 𝐵1 𝐵2 . . . 𝐵ℎ = 𝐴1 𝐴2 . . . 𝐴ℎ

by Theorem 11.6.3(ii). By Theorem 11.6.3(iii), we can cancel by every ideal 𝐴𝑖 ≠ (0)

yielding 𝐴ℎ ∼ (1). It follows from Theorem 11.6.3/(iv) that 𝐴ℎ is a principal ideal. □

We close the chapter with an illustration that shows that ideals may be suitable to
handle Diophantine equations even if the Fundamental Theorem of Arithmetic is false
for the algebraic integers of the corresponding number field.

Theorem 11.6.5. The Diophantine equation 𝑥2 + 17 = 𝑦3 has no solution. ♣

11.6. Class Number 375

Proof. We discussed similar Diophantine equations earlier: 𝑥2 + 4 = 𝑦3 (Exercise

7.5.10) and 𝑥2 + 243 = 𝑦3 (Exercise 7.7.11). We factored the left-hand side in the
Gaussian and Eulerian integers and showed by the Fundamental Theorem of Arith-
metic that each factor is an associate of a cube, which made it possible to determine
the solutions.
Now we have to overcome the difficulty that after the factorization

(11.6.5) [𝑥 + √−17][𝑥 − √−17] = 𝑦3

we cannot proceed similarly, since the Fundamental Theorem of Arithmetic is false in

𝐼(√−17). Therefore we have to switch from (11.6.5) involving numbers to the corre-
sponding equation with principal ideals:

(11.6.6) (𝑥 + √−17)(𝑥 − √−17) = (𝑦)3 .

We show that the ideals (𝑥 + √−17) and (𝑥 − √−17) are coprime. Assume that a prime
ideal 𝑃 is their common divisor. Then 𝑃 divides (𝑦)3 , and as 𝑃 is a prime ideal, it divides
(𝑦), as well. Switching to the corresponding inclusions,

𝑥 + √−17 ∈ 𝑃, 𝑥 − √−17 ∈ 𝑃, and 𝑦 ∈ 𝑃.

Then
√−17[[𝑥 − √−17] − [𝑥 + √−17]] = 2 ⋅ 17 = 34 ∈ 𝑃
holds.
We show that 𝑦 and 34 are coprime in the integers.
If 17 ∣ 𝑦, then we see from the original equation that 17 divides 𝑥. Then 𝑥2 + 17
and 𝑦3 are divisible by exactly the first and at least the third powers of 17, which is
impossible.
If 2 ∣ 𝑦, then 𝑥 is odd, and the residues of the two sides modulo 8 of the equation
are 2 and 0, which cannot hold.
Thus we have proved that 𝑦 and 34 are coprime. Then 1 = 𝑦𝑢 + 34𝑣 for some
integers 𝑢 and 𝑣. Since 34 and 𝑦 are elements of 𝑃, 1 lies in 𝑃, so 𝑃 = (1), which
contradicts the definition of a prime ideal.
Thus the two (principal) ideals on the left-hand side of (11.6.6) are coprime. It
follows from the unique prime factorization for ideals (Theorem 11.5.8) that both ideals
are cubes of ideals, and so

(11.6.7) (𝑥 + √−17) = 𝐴3 .

Since the number of ideal classes in 𝐼(√−17) is ℎ(√−17) = 4, therefore by Theo-

rem 11.6.4, 𝐴4 is a principal ideal, 𝐴4 = (𝛾). Multiplying (11.6.7) by 𝐴, we obtain

𝐴(𝑥 + √−17) = (𝛾).

By Exercise 11.4.3b, 𝐴 is a principal ideal, so 𝐴 = (𝛼). We can rewrite (11.6.7) as

(11.6.8) (𝑥 + √−17) = (𝛼3 ) or 𝑥 + √−17 = 𝜀𝛼3 ,

 376 11. Ideals

where 𝜀 is a unit in 𝐼(√−17). The only units in 𝐼(√−17) are ±1, which are cubes them-
selves and the elements of 𝐼(√−17) are of the form 𝑎 + 𝑏√−17 with integer 𝑎 and 𝑏,
since −17 ≡ −1 (mod 4). Therefore (11.6.8) is equivalent to
𝑥 + √−17 = 𝛽 3 = [𝑎 + 𝑏√−17]3 .
Cubing and comparing the imaginary parts gives
1 = 3𝑎2 𝑏 − 17𝑏3 = 𝑏[3𝑎2 − 17𝑏2 ].
This implies 𝑏 = ±1, but we get no integer values for 𝑎. Thus the Diophantine equation
𝑥2 + 17 = 𝑦3 has no solution. □

Exercises 11.6

1. Verify that the ideals (2, √−6) and (3, √−6) are equivalent in 𝐸(√−6).
2. Prove that the Fundamental Theorem of Arithmetic holds for the elements of 𝐼(𝜗)
if and only if ℎ(𝜗) = 1.
S 3. Assume that the integers 𝑘 > 0 and ℎ = ℎ(𝜗) are coprime. Prove:
(a) 𝐴𝑘 ∼ 𝐵 𝑘 ⟹ 𝐴 ∼ 𝐵.
(b) If 𝐴𝑘 is a principal ideal, then so is 𝐴.
4. Solve the Diophantine equations:
(a) 𝑥2 + 5 = 𝑦3
(b) 17𝑥2 + 1 = 𝑦3
(c) 𝑥2 + 74 = 𝑦3
S (d) 𝑥2 + 35 = 𝑦3 .
 Chapter 12

Combinatorial Number
Theory

The intersection of number theory and combinatorics is a relatively young area (at least
compared to other branches of number theory) as its classical results, the theorems of
Schur and Van der Waerden, are barely a century old. The field is extremely rich both
in content and methods and its far-reaching questions can be attacked by ingenious
elementary ideas combined with delicate arguments of analysis, algebra, and proba-
bility theory. Its continuous dynamic progress has been motivated greatly by the work
of Paul Erdős, and nearly all problems discussed in this chapter are connected to him.

12.1. All Sums Are Distinct

In 1993 University Eötvös Loránd (ELTE, Budapest) awarded an honorary doctoral de-
gree to the eighty-year-old Paul Erdős and asked him to give a talk on “The Actual
Problems of Mathematics.” The university’s largest auditorium was completely full on
this occasion. The lecture was recorded and quoting its start evokes the fascinating
personality of Erdős.
“Can you hear me well? Also in the back rows? If you cannot hear me, please
protest.
“Well, the title of the talk is a bit arrogant, but it was not my formulation; it cannot
be said that the questions I will talk about are the actual problems of mathematics. The
last such lecture was held by Hilbert at the Paris mathematical congress in 1900, and
it is not sure that now we could find a human being capable to perform such a talk.
Anyway, it would need years of preparations, and a mathematical congress would be
the suitable scene for it. I cannot undertake this task, partly because of my high age,
but also because I know nothing about many areas, for example I am not an expert in
algebraic topology, algebraic geometry, or logic. Thus a more suitable title of my talk is

377
378 12. Combinatorial Number Theory

“My favorite problems”, and since some people in the audience are not mathematicians,
I will speak about elementary geometry and number theory.
“Let us start with elementary number theory. I will tell you now two problems. I
raised the first one in 1931, so long ago, that I am not certain whether it was before or
after Christ. By the way, an old joke of mine is that I am two and a half billion years
old. To prove it, the age of Earth was two billion years when I was a child, and now it is
well known to be 4.6 billion years. Obviously, the difference is my age, and once I gave
a talk in Los Angeles with the title “My First Two Billion Years in Mathematics”, and
the students made a figure with a diagram “Earth born, Erdős born, dinosaur born”,
and drew a picture where I was riding a dinosaur.
“But putting the joke aside, the problem is the following, I pay 500 dollars for a
proof or disproof, maybe there is some chalk around, can I get some chalk please, be-
cause I am captured by the wire [of the microphone], thank you very much, thus here
is the problem:
“Let be given a sequence of integers: 𝑎1 < 𝑎2 < ⋯ < 𝑎𝑘 ≤ 𝑛, and assume that all
subset sums
𝑘
∑ 𝜀𝑗 𝑎𝑗 , 𝜀𝑗 = 0 or 1,
𝑗=1

are distinct. Such numbers are for example the powers of two: 1, 2, 4, 8, 16, . . . , since
every baby knows that each number has a unique representation as the sum of [dis-
tinct] powers of two. Now the 500 dollar problem is to determine max 𝑘, i.e. maximally
how many numbers can be given up to 𝑛 so that all these sums should be distinct.”

For powers of two (including 20 = 1), we have 𝑘 = 1 + ⌊log2 𝑛⌋, and at first glance
one could think that this gives the maximum. This is false, however: for 𝑛 = 221
Conway and Guy found a sequence that was denser by one element, for which 𝑘 = 2 +
⌊log2 𝑛⌋. This implies that such a sequence exists for every 𝑛 ≥ 221 , see Exercise 12.1.12.
It is unknown whether further improvements are possible or not.
On the other hand, Erdős proved that the maximum cannot be much bigger than
log2 𝑛:

Theorem 12.1.1. Assume that all sums formed from distinct integers 1 ≤ 𝑎1 < 𝑎2 <
⋯ < 𝑎𝑘 ≤ 𝑛 are distinct. Then
(12.1.1) 𝑘 ≤ log2 𝑛 + log2 log2 𝑛 + 1,
and ( for 𝑛 > 8)
log2 log2 𝑛
(12.1.2) 𝑘 ≤ log2 𝑛 + + 2. ♣
2
Combined with the lower bound max𝑘 > log2 𝑛, the estimates guarantee the as-
ymptotic equality max𝑘 ∼ log2 𝑛 with fairly good error terms. The sharper estimate
(12.1.2) is a joint result of Erdős and Leo Moser, and this is the best upper bound cur-
rently known (apart from the fact that the number 2 at the end of the formula can be
replaced by a slightly smaller constant, see Exercise 12.1.13).
12.1. All Sums Are Distinct 379

Thus the maximum wanted by Erdős falls between the two bounds
log2 log2 𝑛
(12.1.3) ⌊log2 𝑛⌋ + 2 ≤ max 𝑘 ≤ log2 𝑛 + + 2.
2
The 500 dollar prize was offered by Erdős to clarify whether or not the difference
max 𝑘 − log2 𝑛 remains bounded as 𝑛 grows to infinity. This problem is still unsolved.

𝑘
Proof. We can form 2𝑘 sums 𝑢𝑗 from the numbers 𝑎𝑖 (also 𝑍 = ∑𝑖=1 𝑎𝑖 and the empty
sum 0 appear among the integers 𝑢𝑗 ). Each 𝑢𝑗 falls into the interval [0, 𝑛𝑘 − 1] (if
𝑘 > 1). According to the assumption, the values 𝑢𝑗 are distinct, hence the number of
these sums must be less than or equal to the number of integers in the interval, i.e.
(12.1.4) 2𝑘 ≤ 𝑛𝑘.
Taking logarithms, we obtain
(12.1.5) 𝑘 ≤ log2 𝑛 + log2 𝑘.
Now we will establish an upper bound to the second term on the right-hand side of
(12.1.5) in terms of 𝑛. Since clearly 𝑘 ≤ 𝑛, therefore log2 𝑘 ≤ log2 𝑛, so (12.1.5) implies
(12.1.6) 𝑘 ≤ 2 log2 𝑛.
Taking logarithms again, we have
(12.1.7) log2 𝑘 ≤ 1 + log2 log2 𝑛,
and substituting this into (12.1.5) we arrive at (12.1.1).
To prove the stronger result, we shall make use of the fact that the sums 𝑢𝑗 are
not evenly distributed in the interval [0, 𝑛𝑘 − 1], but their major part clusters around
the mean. We shall get the precise formulation using elementary probability theory
(though everything could be discussed even without this, but the essential point will
be seen much better with a probabilistic view).
Consider the random variable 𝜂 that assumes each of the 2𝑘 sums 𝑢𝑗 with proba-
bility 2−𝑘 . Denoting expectation by 𝐸, standard deviation by 𝐷, and probability by 𝑃,
Chebyshev’s inequality
(12.1.8) 𝑃(|𝜂 − 𝐸(𝜂)| < 𝑐𝐷(𝜂)) > 1 − 𝑐−2
says that the number of sums 𝑢𝑗 in the interval with center 𝐸(𝜂) and length 2𝑐𝐷(𝜂) is
at least 1 − 𝑐−2 times the number of all values 𝑢𝑗 . We shall repeat the argument used
to verify (12.1.1) for this interval (with a suitable 𝑐).
Turning to the details, the expectation is 𝐸(𝜂) = 𝑍/2, since pairing the comple-
mentary sums 𝑢𝑗 , the sum of every pair is 𝑍. To compute the variance, we introduce
the random variables 𝜉𝑖 , 𝑖 = 1, 2, . . . , 𝑘, where 𝜉𝑖 assumes each of the values 𝑎𝑖 and 0
with probability 1/2. Then the variables 𝜉𝑖 are independent and their sum is 𝜂, so we
get
𝑘 𝑘
1 𝑘𝑛2
𝐷2 (𝜂) = ∑ 𝐷2 (𝜉𝑖 ) = ∑ 𝑎2𝑖 < .
𝑖=1
4 𝑖=1 4
380 12. Combinatorial Number Theory

We now apply Chebyshev’s inequality (12.1.8) with 𝑐 = 2 for 𝐸(𝜂) = 𝑍/2 and 𝐷(𝜂) <
𝑛√𝑘/2. We obtain that at least 75% of the 2𝑘 (distinct) sums 𝑢𝑗 are in the interval with
center 𝑍/2 and of length 2𝑛√𝑘. Therefore

3 ⋅ 2𝑘 8𝑛√𝑘
(12.1.9) ≤ 2𝑛√𝑘 or 2𝑘 ≤
4 3
(compared to the similar estimate in (12.1.4), the factor 𝑘 on the right-hand side has
changed to √𝑘).
Taking logarithms in (12.1.9), we obtain
log2 𝑘 8
(12.1.10) 𝑘 < log2 𝑛 + + log2 ( ) .
2 3
Inequality (12.1.10) clearly implies (12.1.6) (for 𝑛 > 8), thus also (12.1.7) is valid,
which substituted into (12.1.10) gives us (12.1.2). □

Sets with distinct subset sums give rise to another interesting problem of Erdős:
Theorem 12.1.2. If all sums formed from distinct integers 1 ≤ 𝑎1 < 𝑎2 < ⋯ < 𝑎𝑘 are
distinct, then
𝑘
1
(12.1.11) ∑ < 2. ♣
𝑎
𝑖=1 𝑗

The example of powers of two shows that 2 cannot be replaced by a smaller number
on the right-hand side of (12.1.11) (if there is no bound on 𝑘). For 𝑘 fixed, the maximal
sum of reciprocals is attained exactly if we take the first 𝑘 powers of 2 (1, 2, 4, . . . 2𝑘−1 );
this will be clear from the second and third proofs. If we allow also infinite sets then the
theorem remains valid in the form that the sum of reciprocals is less than or equal to 2,
and equality holds only in case we take all powers of two. This result can be verified
by a suitable modification of any of the proofs below.
The statement of Theorem 12.1.2 was conjectured by Erdős, and was first proved
by Ryavec using a series of ingenious tricks (see the first proof). This proof, however,
relies quite strongly on analysis, and it is hard to see why it works. Many years later
two further proofs were given that use only high school mathematics and their ideas
(differing also from each other) are very natural (see the second and third proofs created
by Bruen and Borwein, and Peter Frenkel; the third proof was found by Frenkel when
he was still a high school student). This example shows that in combinatorial number
theory it is sometimes possible to achieve new results using completely elementary
methods.
The first proof is the most difficult, but besides keeping the chronological order, it
is worth to wade through this argument first to enjoy the natural beauty of the second
and third proofs even better.

First proof. Consider the product

(12.1.12) (1 + 𝑥𝑎1 )(1 + 𝑥𝑎2 ) . . . (1 + 𝑥𝑎𝑘 ).
12.1. All Sums Are Distinct 381

Performing the multiplication, we obtain terms 𝑥𝑚 where 𝑚 is the sum of some distinct
exponents 𝑎𝑖 (here 1 = 𝑥0 represents the empty sum). According to the assumption,
all terms 𝑥𝑚 are distinct, hence for 0 < 𝑥 < 1 the product (12.1.12) is less than the sum
of the infinite geometric series
1
1 + 𝑥 + 𝑥2 + ⋯ + 𝑥𝑛 + ⋯ = ,
1−𝑥
so
1
(12.1.13) (1 + 𝑥𝑎1 )(1 + 𝑥𝑎2 ) . . . (1 + 𝑥𝑎𝑘 ) <
, if 0 < 𝑥 < 1.
1−𝑥
Now we apply the following trick: Take the (natural) log of both sides, divide by 𝑥, and
integrate from 0 to 1:
𝑘 1 1
log(1 + 𝑥𝑎𝑖 ) log(1 − 𝑥)
(12.1.14) ∑∫ 𝑑𝑥 < − ∫ 𝑑𝑥.
𝑖=1 0
𝑥 0
𝑥
We make a substitution in the integrals on the left-hand side:
𝑑𝑦
𝑥𝑎𝑖 = 𝑦, then 𝑑𝑦 = 𝑎𝑖 𝑥𝑎𝑖 −1 𝑑𝑥, hence 𝑑𝑥 = ,
𝑎𝑖 𝑥𝑎𝑖 −1
and thus
1 1 1
log(1 + 𝑥𝑎𝑖 ) log(1 + 𝑦) 1 log(1 + 𝑦)
(12.1.15) ∫ 𝑑𝑥 = ∫ 𝑎𝑖 −1
𝑑𝑦 = ∫ 𝑑𝑦.
0
𝑥 0 𝑥𝑎 𝑖 𝑥 𝑎𝑖 0 𝑦
Using (12.1.15), we can rewrite (12.1.14) as
𝑘 1 1
1 log(1 + 𝑦) log(1 − 𝑥)
(12.1.16) (∑ ) ∫ 𝑑𝑦 < − ∫ 𝑑𝑥.
𝑎
𝑖=1 𝑖 0
𝑦 0
𝑥
1 log(1+𝑥)
To complete the proof, we will show that the integral 𝐴 = ∫0 𝑥
𝑑𝑥 on the left-
1 log(1−𝑥)
hand side is half of 𝐵 = − ∫0 𝑥
𝑑𝑥 on the right-hand side. Taking
1 1
log(1 + 𝑥) log(1 − 𝑥) log(1 − 𝑥2 )
𝐴−𝐵 =∫ ( + ) 𝑑𝑥 = ∫ 𝑑𝑥,
0
𝑥 𝑥 0
𝑥
and substituting 𝑡 = 𝑥2 , 𝑑𝑡 = 2𝑥𝑑𝑥, we obtain
1 1
log(1 − 𝑡) 1 log(1 − 𝑡) 1 𝐵
𝐴−𝐵 =∫ 𝑑𝑡 = ∫ 𝑑𝑡 = − 𝐵, so 𝐴= . □
0
𝑥 ⋅ 2𝑥 2 0 𝑡 2 2
Remark: We can also finish the proof by computing the integrals in (12.1.16); we expand
the integrands into power series and integrate term by term (which is allowed given our
present conditions):
− log(1 − 𝑥) 𝑥 𝑥2 𝑥𝑗−1
=1+ + +⋯+ + ... ,
𝑥 2 3 𝑗
thus
1 ∞
log(1 − 𝑥) 𝑥2 𝑥3 𝑥𝑗 1 1 𝜋2
(12.1.17) 𝐵 = − ∫ 𝑑𝑥 = [𝑥 + + + ⋯ + 2 + ... ] = ∑ 2 = .
0
𝑥 4 9 𝑗 0
𝑗=1
𝑗 6
382 12. Combinatorial Number Theory

Similarly,
1
log(1 + 𝑥) 𝑥2 𝑥3 𝑥𝑗 1
𝐴=∫ 𝑑𝑥 = [𝑥 − + − ⋯ + (−1)𝑗+1 2 + . . . ] =
0
𝑥 4 9 𝑗 0
(12.1.18) ∞ ∞ ∞ ∞
1 1 1 2 1 𝜋2
= ∑ (−1)𝑗+1 = ∑ − 2 ∑ = (1 − ) ∑ = .
𝑗=1
𝑗2 𝑗=1 𝑗2 𝑡=1
(2𝑡)2 4 𝑗=1 𝑗2 12

So 𝐴 = 𝐵/2.

Second proof. According to the condition, the 2𝑖 − 1 non-empty sums formed from
the numbers 𝑎1 , 𝑎2 , . . . , 𝑎𝑖 give distinct positive integers for every 𝑖, 1 ≤ 𝑖 ≤ 𝑘, hence
the largest of these sums is at least 2𝑖 − 1, so

(12.1.19) 𝑎1 + 𝑎2 + ⋯ + 𝑎𝑖 ≥ 2𝑖 − 1, 𝑖 = 1, 2, . . . , 𝑘.

Introducing the notation

𝑏𝑖 = 2𝑖−1 , 𝑖 = 1, 2, . . . , 𝑘,

we can rewrite (12.1.19) as

(12.1.20) 𝑎1 + 𝑎2 + ⋯ + 𝑎𝑖 ≥ 𝑏1 + 𝑏2 + ⋯ + 𝑏𝑖 , 𝑖 = 1, 2, . . . , 𝑘.

To prove our theorem, it is sufficient to show that

1 1 1 1
(12.1.21) +⋯+ ≤ +⋯+
𝑎1 𝑎𝑘 𝑏1 𝑏𝑘

since the right-hand side of (12.1.21) is

1 1 1 1
1+ + + ⋯ + 𝑘−1 = 2 − 𝑘−1 < 2.
2 4 2 2
We shall prove the (stronger) statement that (12.1.21) holds with equality only if
𝑎𝑖 = 𝑏𝑖 , 𝑖 = 1, 2, . . . , 𝑘, hence the maximal sum of reciprocals is obtained for 𝑎𝑖 = 2𝑖−1 .
We show that (12.1.20) implies (12.1.21) for any real numbers

(12.1.22) 0 < 𝑎 1 < 𝑎 2 < ⋯ < 𝑎𝑘 , 0 < 𝑏1 < 𝑏2 < ⋯ < 𝑏𝑘 .

Rearranging (12.1.21) and (12.1.20), we have to verify the inequality

1 1 1 1 1 1
(12.1.21a) − + − +⋯+ − ≥0
𝑏1 𝑎1 𝑏2 𝑎2 𝑏 𝑘 𝑎𝑘

assuming (12.1.22) and

(12.1.20a) 𝑐 𝑖 = 𝑎1 − 𝑏1 + 𝑎2 − 𝑏2 + ⋯ + 𝑎𝑖 − 𝑏𝑖 ≥ 0, 𝑖 = 1, 2, . . . , 𝑘.
12.1. All Sums Are Distinct 383

We can transform the left-hand side of (12.1.21a) to get (in Steps 2 and 3 we apply the
so-called Abelian summation)
(12.1.23)
1 1 1 1 1 1 𝑎 − 𝑏1 𝑎2 − 𝑏2 𝑎 − 𝑏𝑘
− + − +⋯+ − = 1 + +⋯+ 𝑘
𝑏1 𝑎1 𝑏2 𝑎2 𝑏𝑘 𝑎𝑘 𝑎1 𝑏 1 𝑎2 𝑏2 𝑎𝑘 𝑏 𝑘
𝑐1 𝑐2 − 𝑐1 𝑐 𝑘 − 𝑐 𝑘−1
= + +⋯+
𝑎1 𝑏1 𝑎2 𝑏2 𝑎𝑘 𝑏𝑘
1 1 1 1
= 𝑐1 ( − ) + 𝑐2 ( − ) + ...
𝑎1 𝑏1 𝑎2 𝑏2 𝑎2 𝑏2 𝑎3 𝑏3
1 1 𝑐
+ 𝑐 𝑘−1 ( − )+ 𝑘 .
𝑎𝑘−1 𝑏𝑘−1 𝑎𝑘 𝑏𝑘 𝑎𝑘 𝑏𝑘
In the sum obtained at the end of (12.1.23), the numbers 𝑐 𝑖 ≥ 0 are multiplied by
positive numbers according to (12.1.20a) and (12.1.22), so this sum is non-negative, as
claimed.
We obtained also that we have equality in (12.1.21) if and only if every 𝑐 𝑖 = 0,
which implies by (12.1.20a) that 𝑎𝑖 = 𝑏𝑖 for every 𝑖. This means that if all sums are
distinct then the maximal sum of reciprocals is attained for 𝑎𝑖 = 2𝑖−1 , as indicated. □

Third proof. We shall use only (12.1.19), established in the beginning of the second
proof, and will show that if it holds for positive integers 𝑎1 < 𝑎2 < ⋯ < 𝑎𝑘 , then the
sum of reciprocals is less than 2.
If for every 𝑖 we have equality in (12.1.19), then 𝑎𝑖 = 2𝑖−1 , and the sum of recipro-
cals is 2 − 1/2𝑘−1 < 2.
If we do not have equality in (12.1.19) for every 𝑖, then modifying one or two values
of 𝑎𝑖 we shall increase the sum of reciprocals whereas (12.1.19) remains valid. It will be
clear from the process that in finitely many steps we shall have equality in (12.1.19) for
every 𝑖. This completes the proof that the sum of reciprocals is maximal for 𝑎𝑖 = 2𝑖−1
(which is somewhat stronger than the original assertion of the theorem).
Let 𝑟 be the smallest number for which we have strict inequality in (12.1.19) ( 𝑟 = 1
is possible), so
𝑎1 + 𝑎2 + ⋯ + 𝑎𝑖 = 2𝑖 − 1, 𝑖 = 1, 2, . . . , 𝑟 − 1, and
(12.1.24) 𝑟
𝑎1 + 𝑎2 + ⋯ + 𝑎𝑟 > 2 − 1.

We distinguish two cases: (A) We have strict inequality in (12.1.19) for every 𝑖 > 𝑟
and (B) There exists an 𝑖 > 𝑟, for which (12.1.19) holds with equality.
(A) We put 𝑎′𝑟 = 𝑎𝑟 − 1 and the other integers 𝑎𝑖 remain unchanged. The sum of
reciprocals is clearly larger (since 1/𝑎′𝑟 > 1/𝑎𝑟 ), but (12.1.19) remained valid, as the left-
hand side of (12.1.19) decreased by 1 for 𝑖 ≥ 𝑟, so the inequality is preserved (possibly
with ≥ instead of >).
We have to show that our new numbers form a positive increasing sequence. For
𝑟 = 1, we have 𝑎1 > 1 from (12.1.24), hence 𝑎′1 > 0. For 𝑟 > 1, we have to exhibit
𝑎′𝑟 = 𝑎𝑟 − 1 > 𝑎𝑟−1 , so 𝑎𝑟 ≥ 𝑎𝑟−1 + 2. Using (12.1.24) again,
𝑎𝑟 = (𝑎1 + ⋯ + 𝑎𝑟 ) − (𝑎1 + ⋯ + 𝑎𝑟−1 ) ≥ 2𝑟 − (2𝑟−1 − 1) = (2𝑟−1 − 1) + 2 = 𝑎𝑟−1 + 2.
 384 12. Combinatorial Number Theory

(B) Let 𝑠 be the smallest number greater than 𝑟 for which we have equality in
(12.1.19) (𝑠 = 𝑟 + 1 is possible), so
𝑎1 + 𝑎2 + ⋯ + 𝑎𝑖 > 2𝑖 − 1, 𝑖 = 𝑟, 𝑟 + 1, . . . , 𝑠 − 1, and
(12.1.25) 𝑠
𝑎1 + 𝑎2 + ⋯ + 𝑎𝑠 = 2 − 1.

Put 𝑎′𝑟 = 𝑎𝑟 − 1, 𝑎𝑠′ = 𝑎𝑠 + 1, and let the other integers 𝑎𝑖 be unchanged. Then
(12.1.19) is still valid, because for 𝑟 ≤ 𝑖 ≤ 𝑠 − 1 the left-hand side of (12.1.19) became
smaller by 1, hence the inequality still holds (some > may be replaced by ≥), and for
𝑖 ≥ 𝑠 (and also for 𝑖 < 𝑟) the left-hand side of (12.1.19) was not affected.
We show that the sum of reciprocals has increased, so
1 1 1 1
+ < ′ + ′,
𝑎𝑟 𝑎𝑠 𝑎𝑟 𝑎𝑠
or
𝑎𝑟 + 𝑎𝑠 (𝑎 − 1) + (𝑎𝑠 + 1)
< 𝑟 .
𝑎𝑟 𝑎𝑠 (𝑎𝑟 − 1)(𝑎𝑠 + 1)
As the numerators are equal, this is equivalent to the converse inequality for the de-
nominators (all occurring numbers are positive), and a calculation gives 𝑎𝑟 − 1 < 𝑎𝑠
which clearly holds.
Finally, we can show that our numbers form a positive, strictly increasing sequence
in a similar way as seen in case (A).
It is clear from the algorithm that applying the steps a finite number of times we
get that there should be equality in (12.1.19) also for 𝑖 = 𝑟. Then we repeat the whole
process with the first value 𝑖 > 𝑟 for which there is a strict inequality in (12.1.19) till
we get equality for this value 𝑖. This proves that in finitely many steps we arrive at the
state when we have equality everywhere in (12.1.19), as stated. □

Exercises 12.1

In the exercises 1 ≤ 𝑎1 < 𝑎2 < ⋯ < 𝑎𝑘 ≤ 𝑛 denote integers satisfying various condi-
tions.
1. (a) Find the maximum of 𝑘 (in terms of 𝑛), if no 𝑎𝑖 is the sum of (more than one)
distinct integers 𝑎𝑗 .
* (b) Let 𝑎1 < 𝑎2 < . . . be an infinite sequence of positive integers such that no 𝑎𝑖 is
the sum of (more than one) distinct integers 𝑎𝑗 . Let 𝐴(𝑛) denote the number
of elements in the sequence not exceeding 𝑛. Prove lim𝑛→∞ 𝐴(𝑛)/𝑛 = 0.
2. Assume that no 𝑎𝑖 can be written as 𝑎𝑗 + 𝑎𝑗+1 . Let 𝑓(𝑛) be the maximum of 𝑘 with
this condition. Show that lim𝑛→∞ 𝑓(𝑛)/𝑛 = 2/3.
S 3. We examine the number of representations of an integer 𝑡 as a sum of consecutive
elements 𝑎𝑖 , i.e in the form 𝑡 = 𝑎𝑖 + 𝑎𝑖+1 + ⋯ + 𝑎𝑗 (there is no restriction on the
number of terms and we allow 𝑖 = 𝑗). Let 𝐿(𝑘) be the maximal number of solutions
of the equation 𝑡 = 𝑎𝑖 + 𝑎𝑖+1 + ⋯ + 𝑎𝑗 taken for all possible systems 𝑎𝑖 and 𝑡 (also
𝑛 can be arbitrary). Verify 𝐿(𝑘) = ⌈𝑘/2⌉.
Exercises 12.1 385

4. Assume [𝑎𝑖 , 𝑎𝑗 ] > 𝑛 for every 𝑖 ≠ 𝑗 (where [ ] stands for the least common multi-
ple). Prove that the sum of reciprocals of the numbers 𝑎𝑖 is less than (a) 2 (b) 3/2.
Remark: Schinzel and Szekeres showed that the maximal sum of reciprocals is
31/30, and this occurs only for the numbers 2, 3, 5, and 𝑛 = 5.
𝑘−1
1
5. Show ∑ < 1 (for any integers 𝑎𝑖 ).
𝑖=1
[𝑎𝑖 , 𝑎𝑖+1 ]

6. Assume that 𝑎𝑖 + 𝑎𝑗 is never a square. Let 𝑔(𝑛) be the maximum of 𝑘 with this
condition.
(a) Verify
1 𝑔(𝑛) 𝑔(𝑛) 1
≤ lim inf and lim sup ≤ .
3 𝑛→∞ 𝑛 𝑛→∞ 𝑛 2
* (b) Improve the lower bound to 11/32 in the previous inequality.
Remark: In 2002 Endre Szemerédi proved that lim𝑛→∞ 𝑔(𝑛)/𝑛 = 11/32.
* 7. Assume that 𝑎𝑖 − 𝑎𝑗 is never a square (for 𝑖 ≠ 𝑗). Let ℎ(𝑛) be the maximum of 𝑘
with this condition. Verify ℎ(𝑛) ≥ 𝑛0.7 if 𝑛 is large enough.
Remark: This result is due to Ruzsa. Sárközy and Fürstenberg proved that (in con-
trast to the sum problem in the previous exercise) lim𝑛→∞ ℎ(𝑛)/𝑛 = 0, but the exact
order of magnitude of ℎ(𝑛) in not known.
* 8. Assume that the products formed from arbitrarily many (distinct) numbers 𝑎𝑖 are
distinct. Let 𝑠(𝑛) be the maximum of 𝑘 with this condition. Prove
|𝑠(𝑛) − 𝜋(𝑛)| < 2𝑛2/3 ,
where 𝜋(𝑛) is the number of primes not exceeding 𝑛.
Remark: Erdős proved that there exist positive constants 𝑐 1 and 𝑐 2 such that for
every 𝑛 large enough

√𝑛 √𝑛
𝜋(𝑛) + 𝑐 1 < 𝑠(𝑛) < 𝜋(𝑛) + 𝑐 2 .
log 𝑛 log 𝑛
A related question is a multiplicative variant of the (additive) Sidon problem (to be
investigated in the next section), when we require only products 𝑎𝑖 𝑎𝑗 composed of
two factors (𝑖 < 𝑗) to be distinct. Erdős showed that (for suitable positive constants
𝑐 3 and 𝑐 4 , and for every 𝑛 large enough)
𝑛3/4 𝑛3/4
𝜋(𝑛) + 𝑐 3 3/2
< max 𝑘 < 𝜋(𝑛) + 𝑐 4 .
(log 𝑛) (log 𝑛)3/2

9. Determine the maximum of 𝑘 (in terms of 𝑛) if no 𝑎𝑖 divides the product of some

other integers 𝑎𝑗 .
10. Assume 6 ∣ 𝑛. Find the maximum of 𝑘 (in terms of 𝑛) if among any three 𝑎𝑖 there
are two numbers that are not coprime.
386 12. Combinatorial Number Theory

𝑎𝑖
11. Show that if 𝑘 is a prime, then ≥ 𝑘 for some 𝑖 and 𝑗.
(𝑎𝑖 , 𝑎𝑗 )

Remark: The result is true also for every 𝑘. This long-standing unsolved conjecture
of R. L. Graham was proved (for 𝑘 large enough) by Mario Szegedy in 1985, when
he was still a university student.

12. Assume that for 𝑛 = 2𝑗 there exist 𝑘 = 2 + ⌊log2 𝑛⌋ integers 𝑎𝑖 between 1 and 𝑛 so
that all subset sums are distinct. Show that the same holds also for every 𝑛 ≥ 2𝑗 .

13. How far can be improve the upper bound (12.1.2) in Theorem 12.1.1 if we use an
optimal 𝑐 in Chebyshev’s inequality in the proof?

12.2. Sidon Sets

In this section we deal with Sidon sets, another favorite of Erdős. Sidon sets are finite
or infinite sequences 𝑎1 < 𝑎2 < ⋯ of positive integers where the sums 𝑎𝑖 + 𝑎𝑗 , 𝑖 ≤ 𝑗
(or equivalently, the differences 𝑎𝑖 − 𝑎𝑗 , 𝑖 ≠ 𝑗) are all distinct. These occurred first in
Simon Sidon’s investigations of Fourier series around 1930.
We consider finite Sidon sets first.
At most how many elements can a Sidon set have in the interval [1, 𝑛]? We shall
prove that the maximum is about √𝑛. This contains two statements: On the one hand,
there exists a Sidon set between 1 and 𝑛 that has about √𝑛 elements (a lower estimate
for the maximum), and on the other hand, no Sidon set can have substantially more
elements within these limits (an upper estimate for the maximum).
Erdős and Turán showed in 1941 that the maximum is at most 𝑛1/2 + 2𝑛1/4 . Later
Lindström improved this to 𝑛1/2 + 𝑛1/4 + 1 by a different method, but it also follows
from a more precise execution of the Erdős–Turán proof (Theorem 12.2.4). Relying on
a result of J. Singer, Erdős and S. Chowla proved independently in 1944 that there exists
a Sidon set of size 𝑛1/2 − 𝑛𝜚 for a suitable positive constant 𝜚 < 1/2 (Theorem 12.2.3).
These two theorems together mean that the maximal size of a Sidon set in the interval
[1, 𝑛] is asymptotically √𝑛 with very good (upper and lower) error terms. It is a much
stronger conjecture that the difference of the maximum and √𝑛 is bounded (indepen-
dently of 𝑛). For a proof or disproof Erdős offered 1000 US dollars, but there has been
no improvement in the last 70 years.
Let 𝑠 = 𝑠(𝑛) denote the maximal possible number of a Sidon set up to 𝑛. We first
establish some simple upper bound for 𝑠. There are (𝑠+1 2
) sums 𝑎𝑖 + 𝑎𝑗 that are distinct
and fall between 2 and 2𝑛, hence (𝑠+1 2
) < 2𝑛, and so 𝑠 < 2√𝑛. We get a better upper
bound by considering the differences 𝑎𝑖 − 𝑎𝑗 > 0; these (2𝑠) numbers are distinct and
they are less than 𝑛, hence (2𝑠) < 𝑛, and so 𝑠 < √2𝑛 + 1. Thus we attained immediately
the order of magnitude √𝑛, and only the coefficient √2 of √𝑛 has to be reduced to 1.
12.2. Sidon Sets 387

In the opposite direction, it is much less clear how we can get the order of magni-
tude √𝑛. The example of powers of two yields log2 𝑛, and the greedy algorithm guar-
3
antees only √𝑛 (see Exercise 12.2.1). But a nice elementary construction of Erdős pro-
vides √𝑛/2 elements (see Exercise 12.2.2), and as mentioned, we can lift the coefficient
of √𝑛 to 1.
Let us start constructing really big Sidon sets. We do this for some special 𝑛 first,
and then use the result to handle general 𝑛.
Theorem 12.2.1. Let 𝑝 be an arbitrary positive prime and 𝑛 = 𝑝2 + 𝑝 + 1. There exists
a Sidon set in the interval [1, 𝑛] that has ⌈√𝑛⌉ = 𝑝 + 1 elements. ♣

Theorem 12.2.1 is a consequence of a surprising and much sharper statement of

independent interest.
Theorem 12.2.2. Let 𝑝 be a positive prime. Then there exist 𝑝 + 1 integers 𝑎𝑖 such that
the differences 𝑎𝑖 − 𝑎𝑗 , 𝑖 ≠ 𝑗 are pairwise incongruent modulo 𝑝2 + 𝑝 + 1. ♣
Remark: The number of differences in Theorem 12.2.2 is 𝑝2 + 𝑝, and there are just that
many non-zero residues modulo 𝑝2 + 𝑝 + 1. This means that each non-zero residue
has exactly one representation as a difference 𝑎𝑖 − 𝑎𝑗 .
It is clear that the integers 𝑎𝑖 in Theorem 12.2.2 must be pairwise incongruent
themselves, so they can be chosen between 1 and 𝑛 = 𝑝2 + 𝑝 + 1. Thus Theorem 12.2.1
follows.

Proof. We use some basic facts about finite fields and a bit of linear algebra.
Consider the finite field 𝐹3 of 𝑝3 elements and its subfield 𝐹1 of 𝑝 elements. Let Δ
be a generator of the cyclic multiplicative group of 𝐹3 , so
3 −1
(12.2.1) 𝐹3 = {0, Δ, Δ2 , . . . , Δ𝑝 = 1}.
The non-zero elements of 𝐹1 form a subgroup of the multiplicative group of 𝐹3 . This
cyclic subgroup is generated by Δ𝑛 , where 𝑛 = (𝑝3 − 1)/(𝑝 − 1) = 𝑝2 + 𝑝 + 1. Thus
3 −1
𝐹1 = {0, Δ𝑛 , Δ2𝑛 , . . . , Δ(𝑝−1)𝑛 = Δ𝑝 = 1}.
Consider 𝐹3 as a vector space over 𝐹1 . By the above, Δ and Δ𝑗 in 𝐹3 are linearly depen-
𝑖

dent over 𝐹1 if and only if

(12.2.2) 𝑖 ≡ 𝑗 (mod 𝑛) .
We now construct the integers 𝑎𝑖 . We fix Θ ∈ 𝐹3 ⧵ 𝐹1 , and form the elements Θ + 𝛾 𝑖 ,
where 𝛾1 , . . . , 𝛾𝑝 are the elements of 𝐹1 . By (12.2.1), we can write
(12.2.3) Θ + 𝛾 𝑖 = Δ𝑎𝑖 ,
and so we obtained 𝑝 integers 𝑎𝑖 , 1 ≤ 𝑖 ≤ 𝑝. Let 𝑎𝑝+1 = 0.
We verify that these numbers meet the requirements, so the differences 𝑎𝑖 − 𝑎𝑗 , or
equivalently the sums 𝑎𝑖 + 𝑎𝑗 are pairwise incongruent modulo 𝑝2 + 𝑝 + 1.
Assume 𝑎𝑖 + 𝑎𝑗 ≡ 𝑎𝑘 + 𝑎𝑚 (mod 𝑝2 + 𝑝 + 1). If none of the four numbers is
𝑎𝑝+1 = 0, then by (12.2.2) and (12.2.3), this gives
Δ𝑎𝑖 Δ𝑎𝑗 = Δ𝑎𝑖 +𝑎𝑗 = 𝛾Δ𝑎𝑘 +𝑎𝑚 = 𝛾Δ𝑎𝑘 Δ𝑎𝑚 ,
388 12. Combinatorial Number Theory

so
(Θ + 𝛾 𝑖 )(Θ + 𝛾𝑗 ) − 𝛾(Θ + 𝛾 𝑘 )(Θ + 𝛾𝑚 ) = 0
for some 𝛾 ∈ 𝐹1 . Since the degree of Θ is 3 over 𝐹1 , it cannot be a root of a polynomial
of degree at most 2. Therefore only 𝛾 = 1 and {𝛾 𝑖 , 𝛾𝑗 } = {𝛾 𝑘 , 𝛾𝑚 } are possible which
means that the corresponding pairs of integers 𝑎𝑖 are the same, as stated.
The proof runs the same way if 𝑎𝑝+1 = 0 occurs among the four integers 𝑎𝑖 . □

Remark: Theorem 12.2.2 and its proof remain valid if 𝑝 is a prime power. All this is
closely related to finite projective planes.
Theorem 12.2.3. If 𝑛 is large enough, then the interval [1, 𝑛] contains a Sidon set having
at least 𝑛1/2 − 𝑛0.27 elements. ♣

Proof. Consider the biggest prime 𝑝 less than or equal to 𝑝2 + 𝑝 + 1 ≤ 𝑛 and perform
the previous construction of 𝑝 + 1 elements for 𝑝2 + 𝑝 + 1. By Theorem 5.5.4(A), there
is a prime between 𝑛1/2 − 𝑛0.27 and 𝑛1/2 if 𝑛 is large enough, so 𝑝 > 𝑛1/2 − 𝑛0.27 , thus
verifying the theorem for a general 𝑛. □

Remark: In the transition to an arbitrary 𝑛, we used that the primes occur densely. If
we know that there is a prime between 𝑁 and 𝑁 + 𝑁 𝑐 for 𝑁 large enough, then the
error term in our theorem can be reduced to 𝑛𝑐/2 . As we experienced in Section 5.5, the
question of the size of the gaps between consecutive primes is a very hard problem.

For other proofs of Theorem 12.2.3, see Exercises 12.2.3 and 12.2.4.
Now we turn to the sharp upper bound of the size of Sidon sets.
Theorem 12.2.4. A Sidon set in the interval [1, 𝑛] has at most 𝑛1/2 +𝑛1/4 +1 elements. ♣

First proof. Let 𝑡 be an integer to be specified later. We push a segment of length 𝑡 − 1

through the interval [0, 𝑛], i.e. we consider the intervals [−𝑡 + 1, 0], [−𝑡 + 2, 1], . . . ,
[𝑛, 𝑛 + 𝑡 − 1]. We take a Sidon set of size 𝑠 and denote the number of its elements in
these intervals by 𝐴1 , 𝐴2 , . . . , 𝐴𝑛+𝑡 . Then
𝑛+𝑡
(12.2.4) ∑ 𝐴𝑖 = 𝑡𝑠.
𝑖=1

We now count the pairs {𝑎𝑖 , 𝑎𝑗 }, 𝑖 > 𝑗 that fall into such an interval. We count them
with the suitable multiplicity, so each pair is counted as many times as the number of
intervals that contain it. Let 𝐷 be the total number of such pairs. Then
𝑛+𝑡 𝑛+𝑡 2 𝑛+𝑡
𝐴 𝐴 𝐴
(12.2.5) 𝐷 = ∑ ( 𝑖) = ∑ 𝑖 − ∑ 𝑖 .
𝑖=1
2 𝑖=1
2 𝑖=1
2

On the other hand, if the difference 𝑎𝑖 − 𝑎𝑗 in a pair is 𝑑, then it falls into exactly 𝑡 − 𝑑
intervals. By the Sidon property, every such 𝑑 can occur at most once, so
𝑡−1
𝑡(𝑡 − 1)
(12.2.6) 𝐷 ≤ ∑ (𝑡 − 𝑑) = .
𝑑=1
2
12.2. Sidon Sets 389

Combining (12.2.5) and (12.2.6), we obtain

𝑛+𝑡 𝑛+𝑡
(12.2.7) ∑ 𝐴2𝑖 − ∑ 𝐴𝑖 ≤ 𝑡(𝑡 − 1).
𝑖=1 𝑖=1

Using (12.2.4) and the inequality for arithmetic and quadratic means, we can estimate
the left-hand side of (12.2.7) from below:
𝑛+𝑡 2
𝑛+𝑡 𝑛+𝑡 (∑𝑖=1 𝐴𝑖 ) 𝑡 2 𝑠2
(12.2.8) ∑ 𝐴2𝑖 − ∑ 𝐴𝑖 ≥ − 𝑡𝑠 = − 𝑡𝑠.
𝑖=1 𝑖=1
𝑛+𝑡 𝑛+𝑡
From (12.2.7) and (12.2.8), we infer
𝑛 𝑛
𝑠2 − 𝑠 ( + 1) − ( + 1) (𝑡 − 1) ≤ 0.
𝑡 𝑡
Solving this quadratic inequality, we get
𝑛 1 𝑛2 𝑛 3
𝑠≤ + + √𝑛 + 𝑡 + 2 − − .
2𝑡 2 4𝑡 2𝑡 4
Choosing 𝑡 = ⌊𝑛3/4 ⌋ + 1, we arrive at the statement of the theorem. □

Second proof. We shall estimate the sum of certain differences 𝑎𝑖 −𝑎𝑗 from both sides.
Let
(12.2.9) 𝐾= ∑ (𝑎𝑖 − 𝑎𝑗 ),
0<𝑖−𝑗≤𝑟

where 𝑟 will be specified later. The sum in (12.2.9) contains

𝑟(𝑟 + 1)
(𝑠 − 1) + (𝑠 − 2) + ⋯ + (𝑠 − 𝑟) = 𝑟𝑠 − = 𝑟𝑤
2
terms, where
𝑟+1
(12.2.10) 𝑤 =𝑠− .
2
Each term is a difference 𝑎𝑖 − 𝑎𝑗 , and these are distinct by the Sidon property. Thus 𝐾
is not less than the sum of the first 𝑟𝑤 positive integers, so
𝑟𝑤(𝑟𝑤 + 1) 𝑟2 𝑤2
(12.2.11) 𝐾≥ > .
2 2
On the other hand, the sum in (12.2.9) contains e.g.
(𝑎𝑠 − 𝑎𝑠−1 ) + (𝑎𝑠−1 − 𝑎𝑠−2 ) + ⋯ + (𝑎2 − 𝑎1 ) < 𝑎𝑠 ≤ 𝑛,
and many other telescoping sums, which can be estimated from above similarly. Their
general form is
(𝑎𝑠−𝜈 − 𝑎𝑠−𝜈−𝜇 ) + (𝑎𝑠−𝜈−𝜇 − 𝑎𝑠−𝜈−2𝜇 ) + ⋯ < 𝑎𝑠−𝜈 ≤ 𝑛, 0 ≤ 𝜈 < 𝜇 ≤ 𝑟.
Moreover, the entire 𝐾 consists of such telescoping sums; the indices cover all maximal
arithmetic progressions between 1 and 𝑠 where the difference is at most 𝑟. There are
𝜇 arithmetic progressions with difference 𝜇, so there are 1 + 2 + ⋯ + 𝑟 = 𝑟(𝑟 + 1)/2
telescoping sums. Each such telescoping sum is not greater than 𝑛, hence
𝑛𝑟(𝑟 + 1)
(12.2.12) 𝐾≤ .
2
390 12. Combinatorial Number Theory

Combining (12.2.11) and (12.2.12) and multiplying by 2/𝑟2 , we obtain the inequality
𝑤2 < 𝑛 + 𝑛/𝑟. Taking a square root and substituting (12.2.10), we get

𝑟+1 𝑛
𝑠< + 𝑛+ .
2 √ 𝑟

Choosing 𝑟 = ⌊𝑛1/4 ⌋ + 1, we arrive at the statement of the theorem. □

Now we turn to infinite Sidon sets. Erdős showed in 1955 that an infinite Sidon
set is necessarily less dense; it cannot be of about the maximal finite size, i.e. √𝑛 in
interval [1, 𝑛] for every 𝑛:

Theorem 12.2.5. Let 𝐴(𝑛) denote the number of elements in an infinite sequence 𝐴 up
to 𝑛. If 𝐴 is an infinite Sidon set, then
𝐴(𝑛) 𝐴(𝑛)
lim inf = 0, moreover lim inf < ∞. ♣
𝑛→∞ √𝑛 𝑛→∞ √𝑛/ log 𝑛

Proof. Let 𝑁 be a large integer and 𝐴𝑖 the number of elements of 𝐴 in the interval
[(𝑖 − 1)𝑁 + 1, 𝑖𝑁], so

𝐴𝑖 = 𝐴(𝑖𝑁) − 𝐴((𝑖 − 1)𝑁), 𝑖 = 1, 2, . . . , 𝑁.

𝑁
There are altogether ∑𝑖=1 (𝐴2𝑖 ) pairs of points in the intervals and their differences are
all distinct and do not exceed the length 𝑁 − 1 of an interval, therefore
𝑁
𝐴
∑ ( 𝑖 ) < 𝑁.
𝑖=1
2

Hence
𝑁 𝑁
1
2𝑁 > ∑ 𝐴𝑖 (𝐴𝑖 − 1) ≥ ∑ (𝐴2 − 1),
𝑖=1
2 𝑖=1 𝑖
so
𝑁
(12.2.13) ∑ 𝐴2𝑖 < 5𝑁.
𝑖=1

We shall estimate
𝑁
𝐴𝑖
𝑆=∑
𝑖=1 √𝑖
from both directions. On the one hand, applying Cauchy’s inequality and (12.2.13), we
obtain
√
√ 𝑁 𝑁
1
(12.2.14) 𝑆 ≤ √( ∑ 𝐴2𝑖 ) ( ∑ ) ≈ √5𝑁 log 𝑁.
𝑖
√ 𝑖=1 𝑖=1
12.2. Sidon Sets 391

On the other hand, using Abelian summation, we can estimate 𝑆 as

𝑁
𝐴(𝑖𝑁) − 𝐴((𝑖 − 1)𝑁)
𝑆=∑ >
𝑖=1
𝑖
(12.2.15)
𝑁−1 𝑁−1
1 1 𝐴(𝑖𝑁)
> ∑ 𝐴(𝑖𝑁) ( − )> ∑ .
𝑖=1 √𝑖 √𝑖 + 1 𝑖=1 2(𝑖 + 1)√𝑖
Assuming now

𝑖𝑁
(12.2.16) 𝐴(𝑖𝑁) > 𝑐 , 𝑖 = 1, 2, . . . , 𝑁,
√ log(𝑖𝑁)
for some 𝑐 > 0, then (12.1.15) implies
𝑁−1 𝑁−1
√𝑖𝑁 𝑐√𝑁 1 𝑐
(12.2.17) 𝑆>𝑐 ∑ = ∑ ≈ √𝑁 log 𝑁.
𝑖=1 2(𝑖 + 1)√𝑖 log 𝑁 2 √8 log 𝑁 𝑖=1
𝑖 + 1 √8

Since (12.1.17) contradicts (12.1.14) for 𝑐 > √40, (12.1.16) cannot hold for 𝑐 > √40,
which proves the statement of the theorem. □

Theorem 12.2.5 does not assert that an infinite Sidon set could not be now and then
as dense as a finite one. In fact, Erdős and later Krückeberg constructed an infinite
Sidon set that has nearly √𝑛 elements in the interval [1, 𝑛] for infinitely many integers
𝑛 (see Exercise 12.2.5).
If we want to construct an infinite Sidon set that is sufficiently dense in every finite
3
initial segment, then the greedy algorithm provides one having always at least √𝑛 ele-
ments up to 𝑛 (see Exercise 12.2.1). It is surprising that it took a long time to surpass
this order of magnitude: Ajtai, Komlós, and Szemerédi proved in 1981 the existence
3
of an infinite Sidon set that has at least 𝑐 √𝑛 log 𝑛 elements up to every (sufficiently
3
large) 𝑛 with a suitable positive constant 𝑐. Even this was just slightly better than √𝑛
obtained by the greedy algorithm. In 1997 Ruzsa improved the bound significantly to
𝑐𝑛√2−1−𝜀 , though even this is far from the order of magnitude 𝑛1/2−𝜀 conjectured by
Erdős (where 𝜀 is an arbitrarily small positive number).
Finally, we consider infinite sequences where the Sidon property is replaced by
a weaker condition: the number of representations of positive integers as 𝑎𝑖 + 𝑎𝑗 is
bounded (this bound is 1 for Sidon sets). We show that we can achieve the order of
magnitude 𝑛1/2−𝜀 for such sequences:
Theorem 12.2.6. For every 𝜖 > 0 there exist an integer 𝑚 and an infinite sequence 𝐴 =
{1 ≤ 𝑎1 < 𝑎2 < ⋯} such that
𝐴(𝑛)
lim inf 1/2−𝜖 > 0,
𝑛→∞ 𝑛
and every positive integer has at most 𝑚 representations in the form 𝑎𝑖 + 𝑎𝑗 . ♣

Theorem 12.2.6 is due to Erdős and Rényi. Their proof was among the first prob-
abilistic constructions in number theory: Introducing a suitable probability space on
392 12. Combinatorial Number Theory

the set of sequences of positive integers, they verified that (with respect to this proba-
bility) almost all sequences meet the requirements. We shall use this type of argument
to prove Theorem 12.6.3.
The elementary proof below to Theorem 12.2.6 is due to Ruzsa.

Proof. We shall use a number system with varying bases, so we write integers in the
form
𝑐 0 + 𝑐 1 𝑘1 + 𝑐 2 𝑘1 𝑘2 + ⋯ + 𝑐 𝑖 𝑘1 . . . 𝑘𝑖 + ⋯ ,
where 𝑘1 , 𝑘2 , . . . are integers greater than 1 (these are the varying bases) and the digits
are 0 ≤ 𝑐 𝑖 < 𝑘𝑖+1 . We choose the bases as a slowly increasing sequence to satisfy

(12.2.18) 𝑘𝑖+1 ≈ 𝑘1+𝛿

𝑖

for some small positive 𝛿. We also fix a finite Sidon set 𝑆 𝑖 of maximal size between 0
and 𝑘𝑖 /2 for every 𝑖 (we may clearly assume that the smallest element is 0 in 𝑆 𝑖 ).
We can construct the required infinite set as follows. We take integers with digits
from the corresponding Sidon sets, i.e. 𝑐 𝑖 ∈ 𝑆 𝑖+1 , and at most 𝑡 digits can differ from 0.
Adding two such numbers, there occurs no carrying, so every integer can be writ-
ten as the sum of two such numbers in at most 2𝑡 ways (at every place the digits can be
interchanged between the two numbers), so 𝑚 = 2𝑡 . We shall guarantee the required
density by a suitable choice of 𝛿 and 𝑡.
For any 𝑛
(12.2.19) 𝑘1 𝑘2 . . . 𝑘𝑗 ≤ 𝑛 < 𝑘1 𝑘2 . . . 𝑘𝑗 𝑘𝑗+1
for some 𝑗. Our sequence definitely contains all the integers with digits
(12.2.20) 𝑐 0 = 𝑐 1 = ⋯ = 𝑐𝑗−𝑡−1 = 0 and 𝑐 𝑖 ∈ 𝑆 𝑖+1 , 𝑖 = 𝑗 − 𝑡, . . . , 𝑗 − 1.

We shall show that the number of these integers alone is greater than 𝑛1/2−𝜀 , if we
choose a sufficiently small 𝛿 and a sufficiently large 𝑡.
Let us see the details. Let 𝑘1 = 𝑟 and
𝑖−1
(12.2.21) 𝑘𝑖 = ⌊𝑟(1+𝛿) ⌋

according to (12.2.18). Then

𝑘𝑖 (1 + 𝛿)𝑖−1 − log𝑟 4
(12.2.22) |𝑆 𝑖 | > √ > 𝑟ℎ𝑖 , where ℎ𝑖 = .
3 2
Let 𝐾 denote the number of integers satisfying (12.2.20). Then it is enough to show
1
(12.2.23) 𝐾 > 𝑛1/2−𝜀 , or log𝑟 𝐾 > ( − 𝜀) log𝑟 𝑛
2
for every sufficiently large 𝑛. We estimate log𝑟 𝑛 from above with the help of (12.2.19)
and (12.2.21):
(1 + 𝛿)𝑗+1
(12.2.24) log𝑟 𝑛 < log𝑟 (𝑘1 𝑘2 . . . 𝑘𝑗+1 ) ≤ 1 + (1 + 𝛿) + ⋯ + (1 + 𝛿)𝑗 < .
𝛿
 Exercises 12.2 393

Now we estimate log𝑟 𝐾 from below. Since 𝐾 = |𝑆𝑗−𝑡+1 | ⋅ ⋯ ⋅ |𝑆𝑗 |, (12.2.22) yields
(1 + 𝛿)𝑗−𝑡 + ⋯ + (1 + 𝛿)𝑗−1 − 𝑡 log𝑟 4
log𝑟 𝐾 >
2
𝑗−𝑡 𝑡
(12.2.25) (1 + 𝛿) ((1 + 𝛿) − 1) 𝑡 log𝑟 4
= −
2𝛿 2
(1 + 𝛿)𝑗 𝑡 log 𝑟4
= (1 − (1 + 𝛿)−𝑡 ) − .
2𝛿 2
By (12.2.24) and (12.2.25),
2 log𝑟 𝐾 (1 + 𝛿)𝑗 (1 − (1 + 𝛿)−𝑡 ) − 𝑡𝛿 log𝑟 4
>
log𝑟 𝑛 (1 + 𝛿)𝑗+1
(12.2.26)
1 − (1 + 𝛿)−𝑡 𝑡𝛿 log𝑟 4
= − .
1+𝛿 (1 + 𝛿)𝑗+1
Now we choose a sufficiently small 𝛿, and then a sufficiently large 𝑡 so that the first term
in the last row of (12.2.26) is greater than 1−𝜀. As 𝛿 and 𝑡 are fixed, the numerator of the
second term is a constant whereas the denominator tends to infinity with 𝑗 → ∞, hence
the second term is less than 𝜀 if 𝑗 (i.e. if 𝑛) is large enough. So the entire expression is
greater than 1 − 2𝜀, which proves (12.2.23). □

Exercises 12.2
3
1. Show that the greedy algorithm yields a Sidon set between 1 and 𝑛 of at least √𝑛
elements.
2. Let 𝑝 > 0 be a prime and 𝑎𝑖 = 1 + 2𝑖𝑝 + ⟨𝑖2 mod 𝑝⟩, 𝑖 = 0, 1, . . . , 𝑝 − 1, where
⟨𝑖2 mod 𝑝⟩ denotes the least non-negative residue of 𝑖2 modulo 𝑝. Verify that this
is a Sidon set in [1, 𝑛] of size √𝑛/2 for 𝑛 = 2𝑝2 .
S* 3. Let 𝑝 > 0 be a prime. There exist 𝑝 integers 𝑎𝑖 such that the sums 𝑎𝑖 + 𝑎𝑗 , 𝑖 ≤ 𝑗,
are (not just distinct, but are) pairwise incongruent modulo 𝑝2 − 1.
Remark: An equivalent formulation is that the differences 𝑎𝑖 − 𝑎𝑗 , 𝑖 ≠ 𝑗, are (not
just distinct, but are) pairwise incongruent modulo 𝑝2 − 1. There are 𝑝2 − 𝑝 such
differences and 𝑝2 − 2 non-zero residues modulo 𝑝2 − 1. This means that nearly
all residues can be represented as a difference 𝑎𝑖 − 𝑎𝑗 . We can see from the proof
that the missing residues are the multiples of 𝑝+1. We can deduce Theorem 12.2.3
also from this exercise just as we did it from Theorem 12.2.2. (The same holds also
for the next exercise.)
S* 4. Let 𝑝 > 0 be prime. There exist 𝑝 − 1 integers 𝑎𝑖 such that the differences 𝑎𝑖 − 𝑎𝑗 ,
𝑖 ≠ 𝑗, are (not just distinct, but are) pairwise incongruent modulo 𝑝2 − 𝑝.
5. Construct a Sidon set satisfying 𝐴(𝑛) > (1/√2−𝜀)√𝑛 for every 𝜀 > 0 with infinitely
many 𝑛 (i.e. lim sup𝑛→∞ 𝐴(𝑛)/√𝑛 ≥ 1/√2).
Remark: It is unknown whether the same holds with 1 instead of 1/√2.
394 12. Combinatorial Number Theory

6. Sums of more terms. Let ℎ ≥ 2 be a fixed integer, and consider sequences in the
interval [1, 𝑛] such that the ℎ-fold sums are all distinct. (The Sidon sets are the
special case ℎ = 2.)
* (a) Prove the existence of a sequence having about 𝑛1/ℎ elements.
(b) Show that there is a constant 𝑐 = 𝑐(ℎ) depending only on ℎ such that every
sequence has at most 𝑐(ℎ)𝑛1/ℎ elements.
Remark: It is an unsolved problem whether, similar to the Sidon sets, we can reduce
𝑐(ℎ) to 1 + 𝜀, i.e. the maximal size is asymptotically 𝑛1/ℎ for ℎ > 2. The proof of
Theorem 12.2.4 does not work since we cannot switch sums to differences if ℎ ≠ 2.
7. Show that there exists an infinite sequence of integers 𝑎1 < 𝑎2 < ⋯ such that
every non-zero integer has a unique representation as 𝑎𝑖 − 𝑎𝑗 .
8. Two infinite sequences of positive integers 𝐴 and 𝐵 form a good pair if the sums
𝑎 + 𝑏 (𝑎 ∈ 𝐴, 𝑏 ∈ 𝐵) are distinct. We get a good pair if we cut a Sidon set into two
parts. Show that there exist denser good pairs, too: Construct a good pair such that
both 𝐴(𝑛) > 𝑐√𝑛 and 𝐵(𝑛) > 𝑐√𝑛 for every 𝑛 with a suitable constant 𝑐 > 0.

12.3. Sumsets
In this section we deal with sets of the type 𝐴 + 𝐴 = {𝑎𝑖 + 𝑎𝑗 ∣ 𝑎𝑖 , 𝑎𝑗 ∈ 𝐴}, where the
elements of 𝐴 are either integers in the interval [0, 𝑛 − 1] or residue classes modulo 𝑝
for some prime 𝑝. Let the number of elements in 𝐴 be |𝐴| = 𝑘.
𝑘+1
The size of 𝐴+𝐴 is maximal if 𝐴 is a Sidon set when |𝐴+𝐴| = ( ). We examine
2
now first the opposite extreme: What is the minimal value of |𝐴 + 𝐴|? If the elements
of 𝐴 are integers, then in conformity with expectations, the minimum occurs when 𝐴
consists of consecutive terms of an arithmetic progression, so min |𝐴 + 𝐴| = 2𝑘 − 1
(see Exercise 12.3.1). We get a similar result also if 𝐴 ⊆ 𝐙𝑝 (so the elements of 𝐴 are
modulo 𝑝 residue classes), we verify this (by no means obvious) fact in Theorem 12.3.1.
This result was found by Cauchy, but was rediscovered 120 years later independently by
Davenport and Chowla. We give two proofs and present several interesting applications
of the theorem and method in Exercises 12.3.3–12.3.8.
Our second topic concerning sumsets is a dual of the Sidon property in a certain
sense. For finite Sidon sets, the main goal was to find large sets 𝐴 such that every integer
has at most one representation in the form 𝑎𝑖 + 𝑎𝑗 . Now we are looking for small sets
𝐴 such that every integer in the interval [0, 𝑛 − 1] has at least one representation in
the form 𝑎𝑖 + 𝑎𝑗 . Sets 𝐴 with this property are called (additive) bases (of second order).
Theorem 12.3.3 provides lower and upper bounds for the minimal number of elements
in a basis.
Let us turn to determine the minimum of |𝐴 + 𝐴| if 𝐴 ⊆ 𝐙𝑝 . More generally, we
shall find the minimal number of elements in sets 𝐴 + 𝐵 = { 𝑎 + 𝑏 ∣ 𝑎 ∈ 𝐴, 𝑏 ∈ 𝐵 } as a
function of |𝐴| and |𝐵|. This is not just in order to have a more general result, but—as
so often in mathematics—this generalization gives the key to the proof of the original
statement.
12.3. Sumsets 395

Theorem 12.3.1 (Cauchy–Davenport–Chowla). If 𝑝 is a prime, 𝐴, 𝐵 ⊆ 𝐙𝑝 , |𝐴| = 𝑘(> 0),

|𝐵| = 𝑟(> 0), then
(12.3.1) |𝐴 + 𝐵| ≥ min(𝑝, 𝑘 + 𝑟 − 1). ♣

The upper bound 𝑝 in (12.3.1) cannot be omitted, as 𝐴+𝐵 ⊆ 𝐙𝑝 , and so |𝐴+𝐵| ≤ 𝑝.

The inequality is sharp: If 𝐴 = {0, 1, . . . , 𝑘 − 1} and 𝐵 = {0, 1, . . . , 𝑟 − 1}, then
(assuming 𝑘 + 𝑟 ≤ 𝑝 + 1) 𝐴 + 𝐵 = {0, 1, . . . , 𝑘 + 𝑟 − 2}, so |𝐴 + 𝐵| = 𝑘 + 𝑟 − 1 yielding
equality in (12.3.1).
In the special case 𝐴 = 𝐵, we obtain |𝐴 + 𝐴| ≥ min(𝑝, 2𝑘 − 1), and equality holds
if, for example, 𝐴 = {0, 1, . . . , 𝑘 − 1}.

First proof. To get a contradiction, we assume that for some 𝑝 there exist 𝐴 and 𝐵 for
which (12.3.1) is false. Let us call such a pair of sets ugly.
We consider an ugly pair 𝐴, 𝐵 with |𝐴| = 𝑘, |𝐵| = 𝑟, where 𝑟 is minimal. We shall
construct an ugly pair 𝐴′ , 𝐵 ′ with |𝐴′ | = 𝑘′ , |𝐵 ′ | = 𝑟′ , and 𝑟′ < 𝑟, which contradicts the
minimality of 𝑟. This means that there cannot be ugly pairs.
If 𝑘+𝑟−1 > 𝑝, then delete 𝑘+𝑟−1−𝑝(< 𝑟) elements from 𝐵, denote the remaining
set by 𝐵′ , and let 𝐴′ = 𝐴. Clearly,
|𝐴′ + 𝐵 ′ | ≤ |𝐴 + 𝐵| < min(𝑝, 𝑘 + 𝑟 − 1) = 𝑝 = min(𝑝, 𝑘′ + 𝑟′ − 1),
so 𝐴′ , 𝐵 ′ is an ugly pair and (0 <)𝑟′ < 𝑟, which is impossible. Therefore 𝑘 + 𝑟 − 1 ≤ 𝑝.
Clearly 𝑘 ≥ 𝑟 ≥ 2, since if 𝑘 < 𝑟, then interchanging the roles of 𝐴 and 𝐵 contradicts
the minimality of 𝑟, and if 𝑟 = 1, then (12.3.1) holds with equality, so 𝐴, 𝐵 is not an ugly
pair. As 𝑟 ≥ 2 and 𝑘 + 𝑟 − 1 ≤ 𝑝, 𝑘 < 𝑝.
We may assume 0 ∈ 𝐵, since adding the same value to every element in 𝐵 causes
no changes in |𝐴|, |𝐵|, and |𝐴 + 𝐵|.
We show that if 𝑏 ≠ 0 is any fixed element in 𝐵, then 𝐴 + 𝑏 = { 𝑎 + 𝑏 ∣ 𝑎 ∈ 𝐴 } ⊈ 𝐴.
Otherwise, we have 𝐴 + 𝑏 = 𝐴, and so the sums of elements on the two sides are the
same:
∑ 𝑎 = ∑ (𝑎 + 𝑏) = 𝑘𝑏 + ∑ 𝑎, so 𝑘𝑏 = 0,
𝑎∈𝐴 𝑎∈𝐴 𝑎∈𝐴
which is impossible as 𝑘 < 𝑝 and 𝑏 ≠ 0.
Thus there exist 𝑎1 ∈ 𝐴 and 𝑏1 ∈ 𝐵 such that 𝑎1 + 𝑏1 ∉ 𝐴. Let
𝐴′ = 𝐴 ∪ { 𝑎1 + 𝑏 ∣ 𝑏 ∈ 𝐵, 𝑎1 + 𝑏 ∉ 𝐴 } and 𝐵 ′ = { 𝑏 ∣ 𝑎1 + 𝑏 ∈ 𝐴 }.
Then clearly 𝑘′ + 𝑟′ = 𝑘 + 𝑟 and 0 < 𝑟′ < 𝑟 (since 0 ∈ 𝐵 ′ , but 𝑏1 ∉ 𝐵 ′ ). We show
𝐴′ + 𝐵 ′ ⊆ 𝐴 + 𝐵. Let 𝑎′ + 𝑏′ ∈ 𝐴′ + 𝐵′ . If 𝑎′ ∈ 𝐴, then 𝑎′ + 𝑏′ ∈ 𝐴 + 𝐵. If 𝑎′ = 𝑎1 + 𝑏,
then
𝑎′ + 𝑏′ = (𝑎1 + 𝑏) + 𝑏′ = (𝑎1 + 𝑏′ ) + 𝑏 ∈ 𝐴 + 𝐵,
since 𝑎1 + 𝑏′ ∈ 𝐴 by the definition of 𝐵′ . Therefore
|𝐴′ + 𝐵 ′ | ≤ |𝐴 + 𝐵| < min(𝑝, 𝑘 + 𝑟 − 1) = 𝑘 + 𝑟 − 1 = 𝑘′ + 𝑟′ − 1 = min(𝑝, 𝑘′ + 𝑟′ − 1),
so the pair 𝐴′ , 𝐵 ′ is ugly, and 𝑟′ < 𝑟, providing the contradiction. □

For a second proof of Theorem 12.3.1, we need a lemma.

396 12. Combinatorial Number Theory

Lemma 12.3.2. Let 𝐹 be a commutative field, 𝐴, 𝐵 ⊆ 𝐹, |𝐴| = 𝑘, |𝐵| = 𝑟, and 𝑓(𝑥, 𝑦) a

polynomial in two variables over 𝐹 such that its degrees with respect to 𝑥 and 𝑦 are less
than 𝑘 and 𝑟, (so 𝑓(𝑥, 𝑦) = ∑𝑖<𝑘,𝑗<𝑟 𝛼𝑖𝑗 𝑥𝑖 𝑦𝑗 ). Assume 𝑓(𝑎, 𝑏) = 0 for every 𝑎 ∈ 𝐴 and
𝑏 ∈ 𝐵. Then 𝑓 is the zero polynomial with every coefficient 0. ♣

Proof. We write 𝑓(𝑥, 𝑦) as a polynomial in 𝑦, so the coefficients are polynomials in 𝑥:

(12.3.2) 𝑓(𝑥, 𝑦) = ℎ0 (𝑥) + ℎ1 (𝑥)𝑦 + ⋯ + ℎ𝑟−1 (𝑥)𝑦𝑟−1 , deg ℎ𝑖 ≤ 𝑘 − 1.

For 𝑎 ∈ 𝐴, let

𝑔𝑎 (𝑦) = 𝑓(𝑎, 𝑦) = ℎ0 (𝑎) + ℎ1 (𝑎)𝑦 + ⋯ + ℎ𝑟−1 (𝑎)𝑦𝑟−1 .

Then deg 𝑔𝑎 ≤ 𝑟 − 1, but 𝑔𝑎 (𝑏) = 𝑓(𝑎, 𝑏) = 0 for every 𝑏 ∈ 𝐵, so 𝑔𝑎 has at least 𝑟 roots.
This is possible only if every coefficient of 𝑔𝑎 is 0. This means that every 𝑎 ∈ 𝐴 is a
root of each polynomial ℎ𝑖 of degree at most 𝑘 − 1, so each ℎ𝑖 has at least 𝑘 roots, which
implies ℎ𝑖 = 0 (i.e. every coefficient is 0). Therefore 𝑓 = 0 by (12.3.2). □

Second proof of Theorem 12.3.1. We assume that (12.3.1) is false for some 𝐴 and 𝐵.
As in the first proof, we may restrict ourselves to 𝑘 + 𝑟 − 1 ≤ 𝑝 (where |𝐴| = 𝑘 and
|𝐵| = 𝑟). Let 𝐶 = 𝐴 + 𝐵, so |𝐶| ≤ 𝑘 + 𝑟 − 2 < 𝑝. Let

(12.3.3) 𝑓1 (𝑥, 𝑦) = (𝑥 + 𝑦)𝑚 ∏(𝑥 + 𝑦 − 𝑐), where 𝑚 = 𝑘 + 𝑟 − 2 − |𝐶|.

𝑐∈𝐶

Then 𝑓1 (𝑎, 𝑏) = 0 for every 𝑎 ∈ 𝐴 and 𝑏 ∈ 𝐵.

We cannot apply Lemma 12.3.2 to 𝑓1 (𝑥, 𝑦) directly because it contains terms 𝑥𝑖 𝑦𝑗
with 𝑖 ≥ 𝑘 or 𝑗 ≥ 𝑟. Consider an 𝑥𝑖 where 𝑖 ≥ 𝑘, and replace it with a polynomial 𝑢𝑖 (𝑥)
of degree at most 𝑘 − 1 that has the same values as 𝑥𝑖 in 𝐴, i.e. 𝑢𝑖 (𝑎) = 𝑎𝑖 for every
𝑎 ∈ 𝐴. It is well known that such an interpolation polynomial 𝑢𝑖 (𝑥) always exists and
is unique. We proceed similarly if 𝑗 ≥ 𝑟. Then 𝑦𝑗 is replaced by a polynomial 𝑣𝑗 (𝑦) of
degree at most 𝑟 − 1 such that 𝑣𝑗 (𝑏) = 𝑏𝑗 for every 𝑏 ∈ 𝐵.
Thus we obtain a polynomial 𝑓(𝑥, 𝑦) satisfying 𝑓(𝑎, 𝑏) = 𝑓1 (𝑎, 𝑏) = 0 for every
𝑎 ∈ 𝐴 and 𝑏 ∈ 𝐵, that contains only terms 𝑥𝑖 𝑦𝑗 with 𝑖 ≤ 𝑘 − 1 and 𝑗 ≤ 𝑟 − 1. By
Lemma 12.3.2, every coefficient of 𝑓 is 0.
We now compute the coefficient of 𝑥𝑘−1 𝑦𝑟−1 in 𝑓 directly, and show that it is not
0, which gives the desired contradiction.
By (12.3.3), terms 𝑥𝑖 𝑦𝑗 in 𝑓1 with 𝑖 + 𝑗 = 𝑘 + 𝑟 − 2 arise only from (𝑥 + 𝑦)𝑘+𝑟−2 as we
have 𝑖 + 𝑗 < 𝑘 + 𝑟 − 2 for every other term. In reducing 𝑓1 to 𝑓, the terms 𝑥𝑖 and 𝑦𝑗 with
𝑖 ≥ 𝑘 and 𝑗 ≥ 𝑟, are replaced by polynomials of smaller degree. Therefore 𝑓 has exactly
one term 𝑥𝑘−1 𝑦𝑟−1 that is obtained from the expansion of (𝑥 + 𝑦)𝑘+𝑟−2 ; its coefficient
𝑘+𝑟−2
is ( ). Since 𝑘 + 𝑟 − 2 < 𝑝, this coefficient is not 0 (in 𝐙𝑝 ), as claimed. □
𝑘−1

Now we turn to the second topic of the section. Repeating the definition, an ad-
ditive basis of order 2 in [0, 𝑛 − 1] is a set 𝐴 of non-negative integers such that every
integer 0 ≤ 𝑟 ≤ 𝑛 − 1 is the sum of two elements in 𝐴, i.e. 𝑟 = 𝑎𝑖 + 𝑎𝑗 (𝑎𝑖 , 𝑎𝑗 ∈ 𝐴).
12.3. Sumsets 397

𝑘+1
If |𝐴| = 𝑘, then there are ( ) sums 𝑎𝑖 + 𝑎𝑗 , and if 𝐴 is a basis, then there are at
2
least 𝑛 distinct integers among them, so
𝑘+1 1
( ) ≥ 𝑛, hence 𝑘 > √2𝑛 − .
2 2
On the other hand, if 𝑛 is a square, 𝑛 = 𝑠2 , then the integers less than 𝑛 have (at most)
two digits in the number system with base 𝑠, so they can be written in the form 𝑖 + 𝑠𝑗,
where 0 ≤ 𝑖, 𝑗 ≤ 𝑠 − 1. This means that
𝐴 = {0, 1, . . . , 𝑠 − 1, 𝑠, 2𝑠, . . . , (𝑠 − 1)𝑠}
is a basis of second order having 2𝑠 = 2√𝑛 elements. If 𝑛 is not a square, then we do
the same for the smallest square greater than 𝑛, and so 𝑠 = ⌈√𝑛⌉.
These observations yield estimates for the minimal size of a basis:
1
(12.3.4) √2𝑛 − < min 𝑘 < 2√𝑛 + 2.
2
We show in the next theorem that the coefficients of √𝑛 can be slightly improved
in both bounds:
Theorem 12.3.3. Let 𝑓(𝑛) denote the minimal number of additive bases of second order
in [0, 𝑛 − 1]. Then
289
(12.3.5) √𝑛 − 2 < 𝑓(𝑛) < (√3.5 + 𝜀)√𝑛
√ 144
if 𝑛 is large enough, depending on 𝜀 > 0. ♣

This is the currently known best upper bound due to Katalin Fried. The lower
estimate comes from a simplified version of Moser’s method. Moser’s original bound
is somewhat better.

Proof. For the upper estimate, we observe that the construction using number systems
establishes the basis as the union of two arithmetic progressions. As a variant of this
idea, our basis will be the union of five arithmetic progressions.
Let 𝑡 be a positive integer, and consider the following five disjoint arithmetic pro-
gressions:
𝐵 = {𝑏0 , . . . , 𝑏𝑡 } = { 𝑗 ∣ 0 ≤ 𝑗 ≤ 𝑡 }
𝐶 = {𝑐 0 , . . . , 𝑐 3𝑡−1 } = { 2𝑡 + 1 + 𝑗(𝑡 + 1) ∣ 0 ≤ 𝑗 ≤ 3𝑡 − 1 }
𝐷 = {𝑑0 , . . . , 𝑑𝑡 } = { 3𝑡2 + 5𝑡 + 1 + 𝑗 ∣ 0 ≤ 𝑗 ≤ 𝑡 }
𝐸 = {𝑒 0 , . . . , 𝑒 𝑡 } = { 6𝑡2 + 12𝑡 + 3 + 𝑗𝑡 ∣ 0 ≤ 𝑗 ≤ 𝑡 }
𝐹 = {𝑓0 , . . . , 𝑓𝑡 } = { 10𝑡2 + 18𝑡 + 5 + 𝑗𝑡 ∣ 0 ≤ 𝑗 ≤ 𝑡 }
The differences of the progressions in order are 1, 𝑡 + 1, 1, 𝑡, and 𝑡, and they have 𝑡 + 1,
3𝑡, 𝑡 + 1, 𝑡 + 1, and 𝑡 + 1 elements.
Let 𝐴𝑡 be the union of the five sets, so |𝐴𝑡 | = 7𝑡 + 4. We verify that 𝐴𝑡 is a basis of
second order for 𝑛 = 14𝑡2 + 24𝑡 + 7, so every integer up to 14𝑡2 + 24𝑡 + 6 is the sum of
two elements in 𝐴𝑡 .
398 12. Combinatorial Number Theory

For an arbitrary 𝑛, we take the smallest 𝑡 satisfying 𝑛 ≤ 14𝑡2 + 24𝑡 + 7. Then 𝐴𝑡 is

a suitable basis for 𝑛, and |𝐴𝑡 | = 7𝑡 + 4 ∼ √3.5𝑛, as 𝑛 → ∞ (since 𝑡 ∼ √𝑛/14).
So we have to prove that every integer 0 ≤ 𝑟 ≤ 14𝑡2 + 24𝑡 + 6 is the sum of two
elements in 𝐴𝑡 . Let [[𝑥, 𝑦]] denote the set of integers in the interval [𝑥, 𝑦]. Clearly,
𝐵 + 𝐵 = [[0, 2𝑡]] and 𝐵 + 𝐶 = [[2𝑡 + 1, 3𝑡2 + 5𝑡]].
We obtain similarly
𝐵 + 𝐷 = [[3𝑡2 + 5𝑡 + 1, 3𝑡2 + 7𝑡 + 1]]
𝐶 + 𝐷 = [[3𝑡2 + 7𝑡 + 2, 6𝑡2 + 10𝑡 + 1]]
𝐷 + 𝐷 = [[6𝑡2 + 10𝑡 + 2, 6𝑡2 + 12𝑡 + 2]]
𝐵 + 𝐸 = [[6𝑡2 + 12𝑡 + 3, 7𝑡2 + 13𝑡 + 3]].

So far 𝐴𝑡 + 𝐴𝑡 ⊇ [[0, 7𝑡2 + 13𝑡 + 3]].

Now we show 𝐶 + 𝐸 ⊇ [[7𝑡2 + 13𝑡 + 4, 9𝑡2 + 17𝑡 + 3]]. We start with
𝑐 0 + 𝑒 𝑡−1 = (2𝑡 + 1) + (7𝑡2 + 11𝑡 + 3) = 7𝑡2 + 13𝑡 + 4.
As the differences in 𝐶 and 𝐸 are 𝑡 + 1 and 𝑡, therefore it is worthwhile to combine the
consecutive elements of 𝐶 with the corresponding earlier elements of 𝐸:
𝑐 1 + 𝑒 𝑡−2 = 𝑐 0 + 𝑒 𝑡−1 + 1
𝑐 2 + 𝑒 𝑡−3 = 𝑐 0 + 𝑒 𝑡−1 + 2
⋮
𝑐 𝑡−1 + 𝑒 0 = 𝑐 0 + 𝑒 𝑡−1 + (𝑡 − 1).
The next integer is obtained as the sum 𝑐 0 + 𝑒 𝑡 = 𝑐 0 + 𝑒 𝑡−1 + 𝑡, and we proceed forward
in 𝐶 and backward in 𝐸 to represent every integer in the form 𝑐 𝑖 + 𝑒 𝑡−𝑖 up to 𝑐 𝑡 + 𝑒 0 =
𝑐 0 + 𝑒 𝑡 + 𝑡. We jump now to 𝑐 1 + 𝑒 𝑡 = 𝑐 0 + 𝑒 𝑡 + (𝑡 + 1), and the sums 𝑐 1+𝑖 + 𝑒 𝑡−𝑖
give the next 𝑡 + 1 integers. Continuing the procedure similarly, we arrive at the sum
𝑐 3𝑡−1 + 𝑒 1 = 9𝑡2 + 17𝑡 + 3, so 𝐶 + 𝐸 ⊇ [[7𝑡2 + 13𝑡 + 4, 9𝑡2 + 17𝑡 + 3]].
The next observation is 𝐷 + 𝐸 = [[9𝑡2 + 17𝑡 + 4, 10𝑡2 + 18𝑡 + 4]].
Similar to the previous considerations, we can show
𝐵 + 𝐹 = [[10𝑡2 + 18𝑡 + 5, 11𝑡2 + 19𝑡 + 5]]
𝐶 + 𝐹 = [[11𝑡2 + 19𝑡 + 6, 13𝑡2 + 23𝑡 + 5]]
𝐷 + 𝐹 = [[13𝑡2 + 23𝑡 + 6, 11𝑡2 + 24𝑡 + 6]].

Thus we have verified 𝑟 ∈ 𝐴𝑡 + 𝐴𝑡 for every integer 0 ≤ 𝑟 ≤ 14𝑡2 + 24𝑡 + 6, which

completes the proof of the upper bound.
Turning to the lower estimate, we consider an arbitrary basis 𝐴 = {0 ≤ 𝑎1 < ⋯ <
𝑎𝑘 ≤ 𝑛 − 1} of second order in the interval [0, 𝑛 − 1]. Let
𝑘
(12.3.6) ℎ(𝑥) = ∑ 𝑥𝑎𝑖
𝑖=1
12.3. Sumsets 399

be the generating function belonging to 𝐴, so

𝑘 𝑘 𝑘 𝑘
ℎ2 (𝑥) = ( ∑ 𝑥𝑎𝑖 )( ∑ 𝑥𝑎𝑗 ) = ∑ 𝑥𝑎𝑖 +𝑎𝑗 = 2 ∑ 𝑥𝑎𝑖 +𝑎𝑗 + ∑ 𝑥2𝑎𝑖 =
𝑖=1 𝑗=1 𝑖,𝑗=1 1≤𝑖<𝑗≤𝑘 𝑖=1
𝑘
=2 ∑ 𝑥𝑎𝑖 +𝑎𝑗 − ∑ 𝑥2𝑎𝑖 = 2 ∑ 𝑥𝑎𝑖 +𝑎𝑗 − ℎ(𝑥2 ).
1≤𝑖≤𝑗≤𝑘 𝑖=1 1≤𝑖≤𝑗≤𝑘

Thus
ℎ2 (𝑥) + ℎ(𝑥2 )
(12.3.7) 𝑔(𝑥) = ∑ 𝑥𝑎𝑖 +𝑎𝑗 = .
1≤𝑖≤𝑗≤𝑘
2
𝑟
The coefficient of 𝑥 in 𝑔(𝑥) is the number of representations of 𝑟 in the form 𝑎𝑖 + 𝑎𝑗
where 𝑖 ≤ 𝑗. Since every 0 ≤ 𝑟 ≤ 𝑛 − 1 can be written as 𝑎𝑖 + 𝑎𝑗 , the coefficient of 𝑥𝑟 is
at least 1, so
2𝑛−2
(12.3.8) 𝑔(𝑥) = 1 + 𝑥 + ⋯ + 𝑥𝑛−1 + ∑ 𝑢𝑚 𝑥𝑚 , where 𝑢𝑚 ≥ 0.
𝑚=0

By (12.3.7) and (12.3.8),

2𝑛−2
ℎ2 (1) + ℎ(1) 𝑘2 + 𝑘
(12.3.9) 𝑔(1) = = = 𝑛 + ∑ 𝑢𝑚 .
2 2 𝑚=0

Since 𝑢𝑚 ≥ 0, (12.3.9) implies (𝑘2 + 𝑘)/2 ≥ 𝑛, which leads to the estimate 𝑘 ≥

√2𝑛 − (1/2) obtained before stating our theorem. To improve this bound, we replace
2𝑛−2
∑𝑚=0 𝑢𝑚 ≥ 0 by a significantly better lower estimate.
We show
2𝑛−2
(12.3.10) 𝑆 = ∑ 𝑢𝑚 > 𝜈𝑘2 ,
𝑚=0

where we shall determine the constant 𝜈 > 0 explicitly, which substituted back into
(12.3.9) will give the lower bound claimed in the theorem.
Let 𝐵 = 𝜏𝑘 and 𝐿 = (1 − 𝜏)𝑘 be the number of those elements in 𝐴 for which
𝑎𝑖 > (𝑛 − 1)/2 and 𝑎𝑖 ≤ (𝑛 − 1)/2, (so 𝐵 + 𝐿 = 𝑘 and 𝜏 is the ratio of the big elements
𝑎𝑖 in this basis).
2𝑛−2
Observe that 𝑆 ′ = ∑𝑚=𝑛 𝑢𝑚 is just the number of sums 𝑎𝑖 + 𝑎𝑗 , 𝑖 ≤ 𝑗, that are
greater than 𝑛 − 1. If both 𝑎𝑖 and 𝑎𝑗 are larger than (𝑛 − 1)/2, then 𝑎𝑖 + 𝑎𝑗 > 𝑛 − 1, so

(𝐵 + 1)𝐵 (𝜏𝑘 + 1)(𝜏𝑘) 𝜏2 2

(12.3.11) 𝑆 ≥ 𝑆′ ≥ = ≥ ⋅𝑘 .
2 2 2
(This means informally that if there are many elements 𝑎𝑖 greater than (𝑛 − 1)/2, then
many sums get wasted, and thus we need a larger basis to represent the integers up to
𝑛 − 1. To elaborate this idea precisely, we do not even need generating functions. But
we cannot get along without them if the small elements dominate 𝐴, see below.)
400 12. Combinatorial Number Theory

We now substitute a complex 𝑛th root of unity 𝜚 ≠ 1 into 𝑥 in (12.3.8). Then the
sum 1 + 𝜚 + ⋯ + 𝜚𝑛−1 in (12.3.8) is 0, so
2𝑛−2
𝑔(𝜚) = ∑ 𝑢𝑚 𝜚𝑚 .
𝑚=0

Taking the absolute value of both sides,

2𝑛−2 2𝑛−2 2𝑛−2
|𝑔(𝜚)| = || ∑ 𝑢𝑚 𝜚𝑚 || ≤ ∑ |𝑢𝑚 | ⋅ |𝜚|𝑚 = ∑ 𝑢𝑚 = 𝑆,
𝑚=0 𝑚=0 𝑚=0

since 𝑢𝑚 ≥ 0 and |𝜚| = 1. By (12.3.7),

|ℎ2 (𝜚) + ℎ(𝜚2 )| |ℎ2 (𝜚)| |ℎ(𝜚2 )|
(12.3.12) 𝑆 ≥ |𝑔(𝜚)| = ≥ − .
2 2 2
To continue this chain of inequalities, we need a lower bound for the difference at the
right of (12.3.12), so we estimate the subtrahend from above and the minuend from
below.
By definition (12.3.6) of the generating function ℎ(𝑥),
𝑘 𝑘
|ℎ(𝜚2 )| = || ∑ 𝜚2𝑎𝑖 || ≤ ∑ |𝜚|2𝑎𝑖 = 𝑘,
𝑖=1 𝑖=1

since |𝜚| = 1, so
|ℎ(𝜚2 )| 𝑘
(12.3.13) ≤ ,
2 2
which will be negligible compared to the minuend |ℎ2 (𝜚)|/2 having an order of magni-
tude 𝑘2 .
Thus we seek a lower bound for
𝑘
(12.3.14) |ℎ(𝜚)| = || ∑ 𝜚𝑎𝑖 ||.
𝑖=1

Recall that we have to cope basically with the case when the small elements are domi-
nant, i.e. 𝐿 = (1 − 𝜏)𝑘 is big. Accordingly, in (12.3.14) we separate the parts belonging
to the small and large elements 𝑎𝑖 :
𝐿 𝑘 𝐿 𝑘
|ℎ(𝜚)| = || ∑ 𝜚𝑎𝑖 + ∑ 𝜚𝑎𝑖 || ≥ || ∑ 𝜚𝑎𝑖 || − || ∑ 𝜚𝑎𝑖 || ≥
𝑖=1 𝑖=𝐿+1 𝑖=1 𝑖=𝐿+1
(12.3.15)
𝐿 𝑘 𝐿
≥ || ∑ 𝜚𝑎𝑖 || − ∑ |𝜚𝑎𝑖 | = || ∑ 𝜚𝑎𝑖 || − 𝐵.
𝑖=1 𝑖=𝐿+1 𝑖=1

Therefore, we have to find a good lower bound for

𝐿
(12.3.16) 𝑇(𝜚) = || ∑ 𝜚𝑎𝑖 ||.
𝑖=1
12.3. Sumsets 401

Let 𝜔 = cos(2𝜋/𝑛)+𝑖 sin(2𝜋/𝑛) and 𝑧𝑗 = 𝜔𝑎𝑗 , 𝑗 = 1, . . . , 𝐿. Since 0 ≤ 𝑎𝑗 ≤ (𝑛−1)/2,

every complex number 𝑧𝑗 has a non-negative imaginary part, and thus they all are in
the upper half-plane.
Let 𝛼 be an acute angle to be specified later, and let 𝑈 denote how many numbers
𝑧𝑗 have an angle 𝛽𝑗 satisfying 𝛼 ≤ 𝛽𝑗 ≤ 𝜋 − 𝛼. Let us call them upper numbers. Thus
the other 𝑆 − 𝑈 lower numbers 𝑧𝑗 have angles 0 ≤ 𝛽𝑗 < 𝛼 or 𝜋 − 𝛼 < 𝛽𝑗 < 𝜋.
Concerning the imaginary parts, Im(𝑧𝑗 ) ≥ sin 𝛼 for upper numbers, and Im(𝑧𝑗 ) ≥ 0
for lower ones, so
𝐿 𝐿
(12.3.17) | ∑ 𝑧 | ≥ Im( ∑ 𝑧 ) ≥ 𝑈 ⋅ sin 𝛼.
| 𝑗| 𝑗
𝑗=1 𝑗=1

If we choose 𝜚 = 𝜔, then 𝜚𝑎𝑗 = 𝑧𝑗 , so

(12.3.18) 𝑇(𝜔) ≥ 𝑈 ⋅ sin 𝛼
by (12.3.16) and (12.3.17).
We next choose 𝜚 = 𝜔2 , so 𝜚𝑎𝑗 = 𝑧𝑗2 . For lower numbers, the angle of 𝑧2 lies be-
tween −2𝛼 and 2𝛼, so Re(𝑧𝑗2 ) > cos(2𝛼), and Re(𝑧𝑗2 ) ≥ −1 for upper numbers, trivially.
Therefore
𝐿 𝐿
(12.3.19) 𝑇(𝜔2 ) = || ∑ 𝑧𝑗2 || ≥ Re( ∑ 𝑧𝑗2 ) ≥ (𝐿 − 𝑈) cos(2𝛼) − 𝑈.
𝑗=1 𝑗=1

Choosing 𝛼 = 𝜋/6, (12.3.18) and (12.3.19) yield

(12.3.20) 𝑇(𝜔) ≥ 𝑈/2 and 𝑇(𝜔2 ) ≥ (𝐿 − 3𝑈)/2.
Let
𝑀 = max(𝑇(𝜔), 𝑇(𝜔2 )).
Then (12.3.20) implies
3𝑇(𝜔) + 𝑇(𝜔2 ) 𝐿
𝑀≥ ≥ .
4 8
Thus we obtained that 𝑇(𝜚) in (12.3.16) satisfies 𝑇(𝜚) ≥ 𝐿/8 for a suitable 𝜚 (where
𝜚 = 𝜔 or 𝜚 = 𝜔2 ). Substituting into (12.3.15), we get
𝐿 1 − 9𝜏
(12.3.21) |ℎ(𝜚| ≥ − 𝐵 = 𝑘.
8 8
So
(1 − 9𝜏)2 2 𝑘
(12.3.22) 𝑆≥ 𝑘 −
128 2
by (12.3.12), (12.3.13), and (12.3.21). Taking (12.3.11) into consideration, we obtain
𝜏2 2 (1 − 9𝜏)2 2 𝑘
(12.3.23) 𝑆 ≥ max( 𝑘 , 𝑘 − ).
2 128 2
The worst case is if the coefficients of 𝑘2 are the same in the two expressions, i.e. 𝜏 =
1/17, and then
𝑘2 𝑘
(12.3.24) 𝑆≥ − ,
578 2
so (12.3.10) is satisfied with the constant 𝜈 = 1/578 (disregarding the error term 𝑘/2).
 402 12. Combinatorial Number Theory

Substituting (12.3.24) into (12.3.9), we get

𝑘2 + 𝑘 𝑘2 𝑘
≥𝑛+ − ,
2 578 2
so
144 2 289
𝑘 + 𝑘 ≥ 𝑛, and so (𝑘 + 2)2 > 𝑛,
289 144
which is just the lower bound claimed in the theorem. □

Exercises 12.3

1. Verify the following statements for sets of real numbers.

(a) If |𝐴| = 𝑘, then |𝐴 + 𝐴| ≥ 2𝑘 − 1, and equality holds if and only if the elements
of 𝐴 form an arithmetic progression.
(b) If |𝐴| = 𝑘, |𝐵| = 𝑟, then |𝐴 + 𝐵| ≥ 𝑘 + 𝑟 − 1, and equality holds if and only if
either 𝑘 = 1, or 𝑟 = 1, or 𝐴 and 𝐵 are arithmetic progressions with a common
difference.
(c) If |𝐴𝑖 | = 𝑘𝑖 , 𝑖 = 1, 2, . . . , 𝑡, then |𝐴1 + ⋯ + 𝐴𝑡 | ≥ 𝑘1 + ⋯ + 𝑘𝑡 + 1 − 𝑡, and if
𝑘𝑖 > 1, 𝑖 = 1, 2, . . . , 𝑡, then equality holds if and only if every 𝐴𝑖 is an arithmetic
progression with the same difference.
2. Prove the following generalization of Theorem 12.3.1 for an arbitrary modulus 𝑚:
Let 𝐴, 𝐵 ⊆ 𝐙𝑚 , 0 ∈ 𝐵. Then |𝐴 + 𝐵| ≥ min(𝑚, |𝐴| + 𝑠), where 𝑠 is the number of
elements in 𝐵 coprime to 𝑚. Show an example for a composite 𝑚 and 𝑠 < |𝐵| − 1
when we have equality.
3. Prove the statements.
(a) Let 𝐴, 𝐵 ⊆ 𝐙𝑚 , 0 ∈ 𝐴 ∩ 𝐵, and assume that 𝑎 + 𝑏 = 0 implies 𝑎 = 𝑏 = 0
for 𝑎 ∈ 𝐴, 𝑏 ∈ 𝐵. Then |𝐴 + 𝐵| ≥ |𝐴| + |𝐵| − 1. (The conditions guarantee
|𝐴| + |𝐵| − 1 ≤ 𝑚, so, in contrast with Theorem 12.3.1, there is no need for a
minimum in the formulation of the inequality.)
(b) The inequality in (a) is sharp.
(c) The statement in (a) remains valid if 𝐙𝑚 is replaced by finite subsets of an
abelian group.
̂ = { 𝑎 + 𝑎′ ∣ 𝑎, 𝑎′ ∈ 𝐴, 𝑎 ≠ 𝑎′ }, so we
* 4. Let 𝑝 be a prime, 𝐴 ⊆ 𝐙𝑝 , |𝐴| = 𝑘, and 𝐴+𝐴
consider now only the sums of different elements. Show |𝐴+𝐴| ̂ ≥ min(𝑝, 2𝑘 − 3).
Remarks: (1) This long-standing conjecture of Erdős and Heilbronn was first ver-
ified by Hamidoune and Da Silva. Later Alon, Ruzsa, and Nathanson found a
much simpler proof.
(2) The example 𝐴 = {0, 1, . . . , 𝑘 − 1} shows that this bound is best possible.

5. (a) Let 𝐹 be a commutative field, 𝐴, 𝐵 ⊆ 𝐹, |𝐴| = 𝑘, |𝐵| = 𝑟, and 𝐺(𝑥, 𝑦) a

polynomial over 𝐹 in two variables of degree 𝑘 + 𝑟 − 2 where the coefficient
of 𝑥𝑘−1 𝑦𝑟−1 is not zero. Prove 𝐺(𝑎, 𝑏) ≠ 0 for some 𝑎 ∈ 𝐴, 𝑏 ∈ 𝐵.
 12.4. Schur’s Theorem 403

(b) Generalize part (a) for 𝑛 subsets instead of two and for a polynomial 𝐺 in 𝑛
variables.
S* 6. Let 𝑝 > 2 be a prime, and let 𝐶 and 𝐷 be two subsets of the same size in 𝐙𝑝 . Show
that we can pair the elements of 𝐶 and 𝐷 so that the sums of the two elements in
the pairs are all distinct.
7. Formulate and prove the generalization of Theorem 12.3.1 for more than two sets.
8. We consider Exercise 3.6.6 and its generalizations in the plane and in higher di-
mensions.
* (a) Give a new proof to Exercise 3.6.6 based on Exercise 12.3.7.
(b) Verify that we can always find, among any five points of the usual square lat-
tice in the plane, two points such that their midpoint is a lattice point.
(c) Let 𝑓(𝑛) be the smallest integer such that among any 𝑓(𝑛) lattice points in the
plane, we can always find 𝑛 whose center of gravity is a lattice point. Show
𝑓(𝑛) ≥ 4𝑛 − 3.
Remark: The old conjecture 𝑓(𝑛) = 4𝑛 − 3 was proved in 2004.
(d) Let 𝑓(𝑛, 𝑑) be the smallest integer such that among any 𝑓(𝑛, 𝑑) points in the
usual 𝑑 dimensional lattice, we can always find 𝑛 whose center of gravity is a
lattice point. Prove
(i) 2𝑑 (𝑛 − 1) + 1 ≤ 𝑓(𝑛, 𝑑)) ≤ 𝑛𝑑 (𝑛 − 1) + 1
(ii) 𝑓(𝑛𝑚, 𝑑) ≤ 𝑓(𝑛, 𝑑) + 𝑛(𝑓(𝑚, 𝑑) − 1).
Remark: The upper bound in (i) can be greatly improved to 𝑐 𝑑 𝑛 where 𝑐 𝑑 is a
constant depending only on 𝑑. The lower bound is sharp for 𝑑 = 1 and 𝑑 = 2
(see part (a) and the remark after part (c)). However, the lower bound can be
improved for every 𝑑 > 2 if 𝑛 ≥ 3 is odd (the lower bound gives the right value
for every 𝑑 if 𝑛 = 2𝑘 , see below). The exact value of 𝑓(𝑛, 𝑑) is known for 𝑛 > 2
and 𝑑 > 2 only in the cases
𝑓(3, 3) = 19, 𝑓(3, 4) = 41, 𝑓(3, 5) = 91, and 𝑓(2𝑘 , 𝑑) = (2𝑘 −1)2𝑑 +1.
9. Let 𝑝 be a prime, 𝐴 ⊆ 𝐙𝑝 , and assume that the difference of two distinct elements
of 𝐴 is never a square in 𝐙𝑝 (so 𝑎𝑖 − 𝑎𝑗 , 𝑖 ≠ 𝑗, is always a quadratic non-residue
mod 𝑝). Prove |𝐴| < √𝑝.
10. A set 𝐴 of non-negative integers is called a basis of order ℎ for the interval [0, 𝑛 − 1]
if every integer 0 ≤ 𝑟 ≤ 𝑛 − 1 is the sum of ℎ elements of 𝐴. Let 𝑔(ℎ, 𝑛) denote the
minimal possible size of such a basis. Verify
√ℎ! 𝑛 − ℎ + 1 < 𝑔(ℎ, 𝑛) < ℎ√ℎℎ 𝑛 + ℎ.
ℎ

12.4. Schur’s Theorem

This classical result of combinatorial number theory has its strange origin in the seem-
ingly remote Fermat’s Last Theorem, and its proof requires methods from graph the-
ory. The topic has had intensive research ever since, but there still are many unsolved
problems.
404 12. Combinatorial Number Theory

We deal first with the graph theoretical background. We start with the following
well-known puzzle: Among any six people there are either three so that any two know
each other, or there are three where no two know each other (the acquaintance is sup-
posed to be mutual).
Rewording in terms of graph theory, we consider a complete graph (or clique) of
six nodes corresponding to the six people, and an edge is colored red if its endpoints
know each other, and is colored blue otherwise. Then the statement says that however
we color the edges of a complete graph of six nodes, there is a monochromatic triangle.
To prove this, we pick a node 𝐴. Considering the five edges starting from 𝐴, (at
least) three of them must be of the same color, say red. Let 𝐵, 𝐶, and 𝐷 be the other
endpoints of these edges. If there is a red edge between two of them, say edge 𝐵𝐶 is
red, then 𝐴𝐵𝐶 is a red triangle, otherwise 𝐵𝐶𝐷 is a blue triangle.
We can generalize this puzzle: We color the edges of a complete graph of 𝑛 nodes
with 𝑡 colors, and instead of a monochromatic triangle we want to find a complete
graph of 𝑘 nodes with edges of the same color (the original problem is a special case
𝑡 = 2, 𝑘 = 3). Ramsey’s fundamental theorem asserts that we always have such a
subgraph if 𝑛 (depending on 𝑘 and 𝑡) is large enough :

Theorem 12.4.1 (Ramsey’s Theorem). For any 𝑡 and 𝑘 there exists an integer 𝑅(𝑘, 𝑡)
such that if 𝑛 ≥ 𝑅(𝑘, 𝑡) and we color the edges of a complete graph of 𝑛 nodes with 𝑡
colors, then there is a complete subgraph of 𝑘 nodes with edges of the same color. ♣

In the sequel 𝑅(𝑘, 𝑡) will denote the minimal integer with this property.
Solving the puzzle, we verified 𝑅(3, 2) ≤ 6, and it is easy to check that we have
here equality (see Exercise 12.4.1). We can read from the proof that 𝑅(3, 𝑡) ≤ 3𝑡!, more-
over 𝑅(3, 𝑡) ≤ ⌈𝑒𝑡! ⌉, where 𝑒 = 2.71 . . . is the base of the natural logarithm (see Ex-
ercise 12.4.2). We can improve the constant multiplier to 𝑒 − 1/24 with more refined
methods, but probably this is very far from the actual value of 𝑅(3, 𝑡). We know the
exact values of Ramsey numbers 𝑅(𝑘, 𝑡) only in very few cases, e.g. 𝑅(3, 3) = 17, and
there is generally a large gap between the lower and upper estimates.

Proof. For a clearer exposition, we prove first the case 𝑘 = 3 by induction on 𝑡, and
turn to a general 𝑘 afterwards. (The proof of Schur’s Theorem will require only the case
𝑘 = 3.)
I. We can start the induction either with 𝑡 = 1 (clearly, 𝑅(3, 1) = 3), or with 𝑡 = 2,
as we verified 𝑅(3, 2) ≤ 6 earlier. The idea used to prove the latter can serve as a general
induction step.
Assume that 𝑛 = 𝑅(3, 𝑡 − 1) exists, and color the edges of a complete graph of 𝑁
nodes with 𝑡 colors. If 𝑁 ≥ 1 + 𝑡(𝑛 − 1) + 1, then considering 𝑡(𝑛 − 1) + 1 edges starting
from a node 𝐴, there will be at least 𝑛 among them of the same color, say red, by the
pigeonhole principle. If there is a red edge between two other endpoints of these edges,
e.g. between 𝐵 and 𝐶, then 𝐴𝐵𝐶 is a red triangle. Otherwise, the 𝑛 endpoints form a
complete graph whose edges are colored with 𝑡 − 1 colors, so it contains a monochro-
matic triangle by the induction hypothesis.
12.4. Schur’s Theorem 405

II. To prove the general case, it is worthwhile to formulate a more refined version
of the problem. For a simpler wording, the size of a graph is its number of nodes, the
colors are the integers 1, 2, . . . , 𝑡, and a graph of color 𝑗 is a complete graph where every
edge has color 𝑗. Then the modified statement is:
For any 𝑡 and 𝑘1 , . . . , 𝑘𝑡 , there exists an 𝑛 = 𝑅∗ (𝑘1 , 𝑘2 , . . . , 𝑘𝑡 ) such that if we color
the edges of a complete graph of 𝑛 nodes arbitrarily with colors 1, 2, . . . , 𝑡, then there
results a complete subgraph of size 𝑘𝑗 and of color 𝑗 for some 𝑗. (𝑅∗ (𝑘1 , 𝑘2 , . . . , 𝑘𝑡 ) is
the smallest 𝑛 with this property.)
The two problems can easily be deduced from each other: clearly, 𝑅(𝑘, 𝑡) =
𝑅∗ (𝑘, . . . , 𝑘), and on the other hand, 𝑅∗ (𝑘1 , . . . , 𝑘𝑡 ) ≤ 𝑅(𝑘, 𝑡), where 𝑘 = max(𝑘1 , . . . , 𝑘𝑡 ).
If every 𝑘𝑖 = 1 or 2, then the modified statement is trivial. We claim that induction
yields
𝑡
(12.4.1) 𝑅∗ (𝑘1 , . . . , 𝑘𝑡 ) ≤ 1 + ∑ [𝑅∗ (𝑘1 , . . . , 𝑘𝑗 − 1, . . . , 𝑘𝑡 ) − 1] + 1.
𝑗=1

Let us color the edges of a complete graph of size 𝑁 with 𝑡 colors, where 𝑁 is the value on
the right-hand side of (12.4.1). Considering the edges starting from a node 𝐴, there will
be at least 𝑅∗ (𝑘1 , . . . , 𝑘𝑗 − 1, . . . , 𝑘𝑡 ) among them of color 𝑗 for some 𝑗 by the pigeonhole
principle. The other endpoints of these edges form a complete graph that contains a
suitable monochromatic complete subgraph by the induction hypothesis. If the color
of the subgraph is 𝑖 ≠ 𝑗, then we have a complete graph of size 𝑘𝑖 and color 𝑖, so we are
done. If its color is 𝑗, then we have a graph of size 𝑘𝑗 − 1, and together with 𝐴 it forms
a complete graph of size 𝑘𝑗 and color 𝑗. □

Schur’s Theorem refers to colorings of positive integers.

Theorem 12.4.2 (Schur’s Theorem). For any 𝑡 there exists an 𝑛 = 𝑆(𝑡) with the property
that coloring the numbers 1, 2, . . . , 𝑛 + 1 with 𝑡 colors arbitrarily, there will be some 𝑎 and
𝑏 of the same color such that 𝑎 + 𝑏 has this color (we allow 𝑎 = 𝑏). ♣

In the sequel 𝑆(𝑡) will denote the smallest such 𝑛. That is, 𝑆(𝑡) is the biggest wrong
integer: 1, 2, . . . , 𝑆(𝑡) can still be colored with 𝑡 colors so that the equation 𝑥 + 𝑦 = 𝑧
has no monochromatic solution. (In Ramsey’s Theorem, 𝑅(𝑘, 𝑡) is the minimal good
integer; we keep the traditional notation in both cases.)
Clearly, 𝑆(1) = 1, and we easily infer 𝑆(2) = 4. Besides these, the only values
known exactly are 𝑆(3) = 13 and 𝑆(4) = 44. We discuss some lower and upper bounds
for Schur numbers 𝑆(𝑡) in Exercise 12.4.3.

Proof. We show 𝑆(𝑡) < 𝑅(3, 𝑡), so the required property holds for an arbitrary coloring
of 1, 2, . . . , 𝑅(3, 𝑡). Consider the complete graph having these numbers as nodes, and
the graph-color of edge (𝑖, 𝑗) is defined as the number-color of |𝑖 −𝑗|. Then by Ramsey’s
Theorem, there results a monochromatic triangle in the graph, so the edges (𝑖, 𝑗), (𝑗, 𝑚),
and (𝑖, 𝑚) have the same graph-color for some 𝑖 < 𝑗 < 𝑚. This means that the integers
𝑎 = 𝑗 − 𝑖, 𝑏 = 𝑚 − 𝑗, and 𝑎 + 𝑏 = 𝑚 − 𝑖 have the same number-color. □
406 12. Combinatorial Number Theory

Now we turn to the connection between Schur’s Theorem and Fermat’s Last The-
orem.
Consider the congruence 𝑥𝑡 +𝑦𝑡 ≡ 𝑧𝑡 (mod 𝑝). If it has only trivial solutions where
𝑥𝑦𝑧 ≡ 0 (mod 𝑝) for infinitely many primes 𝑝, then Fermat’s Last Theorem follows for
the exponent 𝑡. Indeed, if we have a counterexample of non-zero integers 𝑎, 𝑏, and
𝑐 satisfying 𝑎𝑡 + 𝑏𝑡 = 𝑐𝑡 , then they provide a non-trivial solution of the congruence
for every prime 𝑝 > max(|𝑎|, |𝑏|, |𝑐|). But this contradicts that there are only trivial
solutions for infinitely many primes.
It turns out, however, that this idea does not lead to a proof of Fermat’s Last The-
orem:
Theorem 12.4.3. The congruence 𝑥𝑡 + 𝑦𝑡 ≡ 𝑧𝑡 (mod 𝑝) has a non-trivial (i.e. 𝑥𝑦𝑧 ≢ 0
(mod 𝑝)) solution for every prime 𝑝 large enough (depending on 𝑡). ♣

Proof. Let 𝑝 − 1 > 𝑆(𝑡) and 𝑔 be a primitive root mod 𝑝. We color the integers 1, 2,
. . . , 𝑝 − 1 with colors 0, 1, . . . , 𝑡 − 1 as follows: An integer gets color 𝑟 if it is congruent
mod 𝑝 to one of the numbers 𝑔𝑟 , 𝑔𝑟+𝑡 , 𝑔𝑟+2𝑡 , . . . .
By Schur’s Theorem, there is a monochromatic triple 𝑎, 𝑏, 𝑎 + 𝑏, so
𝑎 ≡ 𝑔𝑠𝑡+𝑟 , 𝑏 ≡ 𝑔ᵆ𝑡+𝑟 , 𝑎 + 𝑏 ≡ 𝑔𝑣𝑡+𝑟 (mod 𝑝)
for some 𝑟, 𝑠, 𝑢, and 𝑣. Hence
𝑔𝑠𝑡+𝑟 + 𝑔ᵆ𝑡+𝑟 ≡ 𝑔𝑣𝑡+𝑟 (mod 𝑝) .
Cancelling 𝑔𝑟 (which is coprime to 𝑝), we obtain
(𝑔𝑠 )𝑡 + (𝑔ᵆ )𝑡 ≡ (𝑔𝑣 )𝑡 (mod 𝑝) ,
so 𝑥 = 𝑔𝑠 , 𝑦 = 𝑔ᵆ , 𝑧 = 𝑔𝑣 is a non-trivial solution of the congruence. □

Schur raised also another problem concerning colorings of natural numbers, that
was first solved by Van der Waerden. We state this result without proof:
Theorem 12.4.4 (Van der Waerden’s Theorem). Coloring the positive integers with two
colors, there are arbitrarily long ( finite) monochromatic arithmetic progressions. ♣

In fact, Van der Waerden proved the following finite variant involving more colors
with a very tricky induction:
Theorem 12.4.4A (Van der Waerden’s Theorem). For any 𝑡 and 𝑘 there exists an 𝑛 =
𝑤(𝑘, 𝑡) such that coloring the integers 1, 2, . . . , 𝑛 with 𝑡 colors arbitrarily, there is a mono-
chromatic arithmetic progression of 𝑘 terms.

Similar to the Ramsey numbers 𝑅(𝑘, 𝑡) and Schur numbers 𝑆(𝑡), there is a big gap
between the lower and upper estimates for the (minimal) Van der Waerden numbers
𝑤(𝑘, 𝑡). The only exact values known are
𝑤(3, 2) = 9 𝑤(4, 2) = 35 𝑤(5, 2) = 178 𝑤(6, 2) = 1132
𝑤(3, 3) = 27 𝑤(4, 3) = 293 𝑤(3, 4) = 76
and trivially 𝑤(𝑘, 1) = 𝑘 and 𝑤(2, 𝑡) = 𝑡 + 1. For two colors, lower estimates of 𝑤(𝑘) =
𝑤(𝑘, 2) are discussed in Exercise 12.4.11.
Exercises 12.4 407

On the other hand, we can color the positive integers with two colors so that no
infinite monochromatic arithmetic progression arises, moreover we can show that no
infinite red and not even a three-term blue arithmetic progression occurs (see Exer-
cise 12.4.7).
We conclude the section by mentioning a substantial generalization of Van der
Waerden’s Theorem. This famous conjecture of Erdős and Turán resisted all attempts
for many decades, and was solved finally by Szemerédi. He thus deserved the biggest
prize (1000 US dollars) offered and paid by Erdős for a solution of a mathematical prob-
lem. (Very recently, a $10000 problem of Erdős was solved, too, see the story after
Theorem 5.5.4.) Szemerédi got an Abel Prize, one of the most prestigious honors in
mathematics, in 2012 for his many fundamental contributions to number theory, com-
binatorics, and computer science.
Let us look at the conjecture of Erdős and Turán. Van der Waerden’s Theorem
states that coloring the natural numbers, or its sufficiently long initial segment, there
will occur a long monochromatic arithmetic progression, but provides no information
about its color. We feel, of course, that this should be the most frequent color, i.e. one
having the largest density. Erdős and Turán had the idea that, independent of any
coloring, if we take a sufficiently dense subsequence of the natural numbers, then it
will contain a long arithmetic progression. The precise formulation of their conjecture
is
Theorem 12.4.5 (Szemerédi’s Theorem). Consider a subset of {1, 2, . . . , 𝑛} of maximal
size that does not contain a 𝑘-term arithmetic progression, and denote the number of its
elements by 𝑟 𝑘 (𝑛). Then lim𝑛→∞ 𝑟 𝑘 (𝑛)/𝑛 = 0 for any fixed 𝑘. ♣

This implies Van der Waerden’s Theorem: Coloring the integers 1, 2, . . . , 𝑛 with 𝑡
colors, some color must occur at least 𝑛/𝑡 times. If 𝑛 is large enough, then 1/𝑡 is bigger
than 𝑟 𝑘 (𝑛)/𝑛 tending to 0, so 𝑛/𝑡 > 𝑟 𝑘 (𝑛), thus there must occur a 𝑘-term arithmetic
progression of that color.
Another formulation of Szemerédi’s Theorem is that any sequence of natural num-
bers having positive upper density must contain arbitrarily long (finite) arithmetic pro-
gressions. Erdős extended his conjecture for even less dense sequences, thinking that
it is sufficient that the sum of reciprocals of elements be divergent. It was a great sur-
prise in 2004 when the conjecture was verified for the sequence of primes (so there are
arbitrarily long arithmetic progressions among the primes, see also Section 5.1), but
the general conjecture is still open.

Exercises 12.4

1. Verify 𝑅(3, 2) = 6, 𝑅(𝑘, 1) = 𝑘, 𝑅(1, 𝑡) = 1, and 𝑅(2, 𝑡) = 2.

2. Show (a) 𝑅(3, 𝑡) ≤ 3𝑡! (b) 𝑅(3, 𝑡) ≤ ⌈𝑒𝑡! ⌉.
3. Prove the estimates for Schur numbers:
(a) 𝑆(𝑡) < 𝑒𝑡!
 408 12. Combinatorial Number Theory

(b) 𝑆(𝑡 + 1) ≥ 3𝑆(𝑡) + 1

(c) 𝑆(𝑡) ≥ (3𝑡 − 1)/2
* (d) 𝑆(𝑡 + 𝑣) ≥ 2𝑆(𝑡)𝑆(𝑣) + 𝑆(𝑡) + 𝑆(𝑣).
Remark: Part (b) is a special case of (d) for 𝑣 = 1. Using (d) and 𝑆(5) ≥ 157, we
can slightly improve the lower bound in (c).
4. For a given 𝑛, find the largest 𝑟 = 𝑓(𝑛) such that the integers 𝑛, 𝑛 + 1, . . . , 𝑟 can
be colored with two colors so that the equation 𝑥 + 𝑦 = 𝑧 has no monochromatic
solution.
5. Prove that for any 𝑡 there exists an 𝑛 such that coloring the integers 1, 2, . . . , 𝑛 + 1
with 𝑡 colors arbitrarily, there will be three (not necessarily distinct) integers of the
same color so that their sum has this color.
6. Let 𝑗 be fixed. Show that there exist two consecutive 𝑗th power residues modulo
every sufficiently large prime 𝑝, i.e. both 𝑥𝑗 ≡ 𝑎 − 1 and 𝑧𝑗 ≡ 𝑎 (mod 𝑝) are
solvable for some 𝑎 ≢ 0, 1 (mod 𝑝).
7. Verify that the positive integers can be colored red and blue avoiding
(a) infinitely long monochromatic arithmetic progressions
* (b) both infinite red and three-term blue arithmetic progressions.
8. Show that coloring the natural numbers with finitely many colors arbitrarily, for
every 𝑘 there will arise infinitely many 𝑘-term arithmetic progressions all having
the same color.
9. Demonstrate that coloring the natural numbers with finitely many colors arbitrar-
ily, there arise arbitrarily long (finite) monochromatic geometric progressions.
10. Verify 𝑤(3, 2) = 9.
** 11. Prove the lower estimates for 𝑤(𝑘) = 𝑤(𝑘, 2):
(a) 𝑤(𝑘) ≥ 2𝑘/2 √𝑘 − 1
S (b) 𝑤(𝑝 + 1) > 𝑝(2𝑝 − 1), if 𝑝 is a prime.
S** 12. Prove a lower bound for 𝑟3 (𝑛): For every sufficiently large 𝑛, there exist
𝑛/𝑒𝑐√log 𝑛 integers between 1 and 𝑛 (where 𝑐 > 0 is a suitable constant), that con-
tain no three-term arithmetic progression.

12.5. Covering Congruences

We deal with another favorite problem of Erdős: We represent the set of non-negative
integers as a union of finitely many arithmetic progressions with distinct differences
(greater than 1):
{0, 1, . . . , 𝑛, . . . }
(12.5.1) = {𝑎1 , 𝑎1 + 𝑚1 , 𝑎1 + 2𝑚1 , . . . } ∪ ⋯ ∪ {𝑎𝑘 , 𝑎𝑘 + 𝑚𝑘 , 𝑎𝑘 + 2𝑚𝑘 , . . . },
where 1 < 𝑚1 < ⋯ < 𝑚𝑘 .
12.5. Covering Congruences 409

An equivalent formulation is that we cover the integers with residue classes of distinct
moduli (greater than 1): Every integer 𝑡 is an element of at least one of the residue
classes
(12.5.2) 𝑎1 (mod 𝑚1 ) , . . . , 𝑎𝑘 (mod 𝑚𝑘 ) , 1 < 𝑚1 < ⋯ < 𝑚 𝑘 ,
so 𝑡 ≡ 𝑎𝑖 (mod 𝑚𝑖 ) for at least one 𝑖.
Such systems of arithmetic progressions or congruences are called covering con-
gruences.
A simple example is
(12.5.3) 0 (mod 2) , 0 (mod 3) , 1 (mod 4) , 1 (mod 6) , 11 (mod 12) .

This is the minimal number of moduli, and these are the only possible moduli for
five congruences (see Exercise 12.5.4).
Erdős invented covering congruences to solve a seemingly remote problem, see
Theorem 12.5.2. There arise many questions concerning covering congruences. The
two oldest and at the same time most interesting ones are:
• Can all moduli be odd? This problem is still unsolved.
• Can all moduli be arbitrarily large, i.e. does there exist for any 𝐿 covering con-
gruences whose moduli are greater than 𝐿?
This was verified for values of 𝐿 which reached 𝐿 = 40 in 2008. In an extremely
long and tricky construction by Nielsen, just explaining the notation took several pages.
It was a great surprise, however, when it turned out that the answer is negative,
and there is an upper bound for the smallest modulus in covering congruences. Hough
presented this result in 2013 at a conference in honor of the centennial of Erdős’ birth.
It is a natural question to investigate exact or disjoint covering when the arith-
metic progressions in (12.5.1), or equivalently, the residue classes in (12.5.2) are dis-
joint, i.e. every integer satisfies exactly one congruence in (12.5.2).
The next theorem shows that this is not possible:

Theorem 12.5.1. The set of non-negative integers cannot be obtained as the disjoint
union of finitely many arithmetic progressions with distinct differences greater than 1. ♣

We present two proofs. The first relies on elementary analysis with complex num-
bers. The second formulates an interesting equivalent statement about regular poly-
gons and verifies it using geometric arguments.

First proof. We use a generating function, where 𝑧 denotes a complex number of

|𝑧| < 1.
For a proof by contradiction, assume that (12.5.1) is a disjoint union. Then every
𝑛 ≥ 0 has a unique representation 𝑛 = 𝑎𝑖 + 𝑟𝑚𝑖 , where 1 ≤ 𝑖 ≤ 𝑘 and 𝑟 ≥ 0. Therefore

(𝑧𝑎1 + 𝑧𝑎1 +𝑚1 + 𝑧𝑎1 +2𝑚1 + . . . ) + ⋯ + (𝑧𝑎𝑘 + 𝑧𝑎𝑘 +𝑚𝑘 + 𝑧𝑎𝑘 +2𝑚𝑘 + . . . ) =
= 1 + 𝑧 + 𝑧2 + ⋯ + 𝑧𝑛 + . . . .
410 12. Combinatorial Number Theory

(We used the fact that the series can be rearranged arbitrarily because it is absolutely
convergent for |𝑧| < 1.)
Summing the infinite geometric series, we obtain
𝑘
1 1
(12.5.4) ∑ 𝑧 𝑎𝑖 = .
𝑖=1
1 − 𝑧 𝑚𝑖 1−𝑧

If the complex variable 𝑧 tends to an 𝑚𝑖 th complex root of unity (on a path in the region
|𝑧| < 1), then the corresponding term 𝑧𝑎𝑖 /(1 − 𝑧𝑚𝑖 ) on the left-hand side of (12.5.4) will
be unbounded. Thus, if 𝑧 → 𝑤 = cos(2𝜋/𝑚𝑘 ) + 𝑖 sin(2𝜋/𝑚𝑘 ), then the last term on
the left-hand side is unbounded, whereas the other terms and the right-hand side are
bounded, since 𝑤 is not an 𝑚𝑖 th root of unity for 𝑖 < 𝑘 due to the maximality of 𝑚𝑘 .
This yields the desired contradiction. □

Second proof. Assume again that (12.5.1) is a disjoint union. As the arithmetic pro-
gressions are periodic modulo the least common multiple 𝑀 = [𝑚1 , . . . , 𝑚𝑘 ] of their
differences, our assumption is equivalent to the condition that each of the integers 1,
2, . . . , 𝑀 is an element of exactly one arithmetic progression.
We draw a regular 𝑀-gon, and label its vertices 1, 2, . . . , 𝑀 in that order. We choose
distinct colors to the covering arithmetic progressions, and paint the vertices covered
by a given arithmetic progression with its color. For example, if 𝑀 = 12 and the color
of the arithmetic progression 1 (mod 4) is red, then the vertices 1, 5, and 9 will be red.
The vertices covered by the arithmetic progression 𝑎𝑖 (mod 𝑚𝑖 ) form a regular
polygon of 𝑛𝑖 = 𝑀/𝑚𝑖 sides (allowing for when the polygon degenerates into a segment
or a point for 𝑛𝑖 = 2 and 1, resp.). Clearly, 𝑛1 > 𝑛2 > ⋯ > 𝑛𝑘 .
In this geometric formulation, we assumed the existence of a regular 𝑀-gon where
the vertices can be colored with 𝑘 > 1 colors so that the monochromatic vertices form
regular (possibly degenerate) polygons of different numbers of sides.
We shall use a simple geometric fact, namely that the sum of vectors from the
center of a regular 𝑛-gon to its vertices is zero for 𝑛 > 1 (including the degenerate case
𝑛 = 2). Indeed, rotating the sum vector 𝐯 around the center by angle 2𝜋/𝑛does not
change, since the polygon was mapped onto itself. On the other hand, 𝐯 gets rotated
by the given angle, so it can be only the zero vector.
For a clearer exposition, assume first 𝑛𝑘 = 1. Let 𝐬 and 𝐬𝑖 , 𝑖 = 1, . . . , 𝑘 be the sums
of vectors leading from the center to the vertices of the 𝑀-gon and the 𝑛𝑖 -gons formed
𝑘
from the vertices of color 𝑖. Then obviously 𝐬 = ∑𝑖=1 𝐬𝑖 , but by the previous remark,
𝐬 = 𝐬𝟏 = ⋯ = 𝐬𝑘−1 = 𝟎, whereas 𝐬𝑘 ≠ 𝟎, which is a contradiction.
We can handle the general case with a refinement of the argument. Let 𝑡 be fixed,
and consider the transformation that maps vertex 𝑗 of the regular 𝑀-gon into the vertex
𝑡𝑗 (mod 𝑀), 𝑗 = 1, . . . , 𝑀. We show that the images of the originally monochromatic
vertices cover the vertices of a regular polygon with the same multiplicity. E.g. if 𝑀 =
12 and 𝑡 = 2, then the images of 1, 5, 9 corresponding to the arithmetic progression
1 (mod 4) will be 2, 10, 6 in this order, so we get the regular triangle 2, 6, 10; for 2
(mod 3), vertices 2, 5, 8, 11 are mapped into 4, 10, 4, 10, so the images cover the regular
12.5. Covering Congruences 411

2-gon 4, 10 twice; finally, for 4 (mod 6), vertices 4, 10 go to 8, 8, thus we have a 1-gon
with double multiplicity.
This is the case also in general. For 𝑎𝑖 (mod 𝑚𝑖 ), the vertices 𝑎𝑖 + 𝑗𝑚𝑖 , 𝑗 = 0, 1, . . . ,
𝑛𝑖 − 1, are mapped into 𝑡𝑎𝑖 + 𝑗𝑡𝑚𝑖 (mod 𝑀). Considering this arithmetic progression
with difference 𝑡𝑚𝑖 modulo 𝑚, and arranging its elements into a suitable order, we
see that starting from 𝑡𝑎𝑖 we get vertices of distance (𝑡𝑚𝑖 , 𝑀) = (𝑡, 𝑛𝑖 )𝑚𝑖 between the
neighbors, and each vertex occurs (𝑡, 𝑛𝑖 ) times. So the images cover the vertices of a
regular polygon with the same multiplicity, and we get a 1-gon if and only if 𝑛𝑖 ∣ 𝑡.
Based on this, we choose 𝑡 = 𝑛𝑘 . Repeating our argument about the sums of
vectors from the center to the vertices, we get that the sum vector is zero for the images
of the 𝑛𝑖 -gons for 𝑖 < 𝑘 and of the original 𝑀-gon, but it is not zero for the images of the
𝑛𝑘 -gon. Thus we arrived at the same contradiction as in the special case 𝑛𝑘 = 1. □

Now we turn to Romanoff’s problem which was solved by Erdős using covering
congruences.
Theorem 12.5.2. There are infinitely many odd numbers that cannot be written as a
sum of a power of two and an odd integer. ♣

Proof. We shall verify a stronger statement. We construct an infinite arithmetic pro-

gression of odd integers none of which has such a representation.
We start with the following covering congruences 𝑎𝑖 (mod 𝑚𝑖 ), 𝑖 = 1, 2, . . . , 6:
(12.5.5) 0 (mod 2) , 0 (mod 3) , 1 (mod 4) , 3 (mod 8) , 7 (mod 12) , 23 (mod 24) .
We use the fact that to every 𝑚𝑖 there exists a prime 𝑝 𝑖 such that the order of 2 mod 𝑝 𝑖
is 𝑚𝑖 , i.e. 𝑜𝑝𝑖 (2) = 𝑚𝑖 : the primes 3, 7, 5, 17, 13, and 241 have this property:
(12.5.6)
𝑜3 (2) = 2, 𝑜7 (2) = 3, 𝑜5 (2) = 4, 𝑜17 (2) = 8, 𝑜13 (2) = 12, 𝑜241 (2) = 24.
(To every 𝑚 ≠ 6 and 1, there exists a prime 𝑝 such that the order of 2 mod 𝑝 is just
𝑚. This means that we cannot use (12.5.3), but any covering congruences are suitable
that do not contain 6 among the moduli. It is clear that for different values of 𝑚 there
always belong different primes 𝑝.)
Consider the above values 𝑎𝑖 , 𝑚𝑖 , 𝑝 𝑖 , and choose 𝑠 to satisfy 2𝑠−1 > max𝑖 𝑝 𝑖 (for
covering congruences (12.5.5)–(12.5.6) we can take 𝑠 = 9).
We show that taking any solution 𝑥 = 𝑐 of the simultaneous system of congruences
(12.5.7) 𝑥 ≡ 2𝑎𝑖 (mod 𝑝 𝑖 ) , 𝑖 = 1, . . . , 𝑘, 𝑥 ≡ 1 (mod 2𝑠 ) ,
we cannot write 𝑐 as a sum of a power of two and an odd integer. The moduli in (12.5.7)
are pairwise coprime, thus the system is solvable and the solutions form an infinite
arithmetic progression of odd numbers, which proves the theorem.
Assume that for some solution 𝑐 = 2𝑛 + 𝑝, where 𝑝 is a prime. Since 𝑎𝑖 (mod 𝑚𝑖 )
are covering congruences, 𝑛 ≡ 𝑎𝑖 (mod 𝑚𝑖 ) for some 𝑖. We know that the order of 2
mod 𝑝 𝑖 is 𝑚𝑖 , and 𝑐 satisfies (12.5.7), thus
2𝑛 ≡ 2𝑎𝑖 ≡ 𝑐 (mod 𝑝 𝑖 ) .
This implies 𝑝 = 𝑐 − 2𝑛 ≡ 0 (mod 𝑝 𝑖 ), so only 𝑝 = 𝑝 𝑖 is possible.
412 12. Combinatorial Number Theory

To achieve a contradiction, we show that 𝑐 = 2𝑛 + 𝑝 𝑖 does not satisfy the last

congruence in (12.5.7), i.e. 2𝑛 + 𝑝 𝑖 ≢ 1 (mod 2𝑠 ). If 𝑛 ≤ 𝑠 − 1, then this is guaranteed
by 1 < 2𝑛 + 𝑝 𝑖 < 2𝑠−1 + 2𝑠−1 = 2𝑠 . If 𝑛 ≥ 𝑠, then clearly 2𝑛 + 𝑝 𝑖 ≡ 𝑝 𝑖 ≢ 1 (mod 2𝑠 ). □

Exercises 12.5

(We use the notation (12.5.1) and (12.5.2).)

𝑘
1. Verify ∑𝑖=1 1/𝑚𝑖 ≥ 1 for any covering congruences.

2. Show that replacing a modulus 𝑚𝑖 by one of its divisors (different from 1 and the
other moduli), the new congruences keep the covering property.

3. Consider minimal covering congruences, where deleting any congruence will de-
stroy the covering property. Demonstrate that each 𝑚𝑖 divides the least common
multiple of the other moduli 𝑚𝑗 .

4. Prove that two, three, or four residue classes cannot form covering congruences,
and for five residue classes only the moduli in (12.5.3) are possible.

5. Construct covering congruences where the minimal modulus is 3.

6. We can infuse life into the notion of disjoint covering congruences (DCC) if we
allow the repetition of moduli: 𝑎𝑖 (mod 𝑚𝑖 ), 𝑖 = 1, . . . , 𝑘, where 1 < 𝑚1 ≤ . . . ≤ 𝑚𝑘 ,
and every integer is an element of exactly one residue class. Verify the statements
about DCC:
𝑘
(a) ∑𝑖=1 1/𝑚𝑖 = 1
(b) 𝑚𝑘 = 𝑚𝑘−1
(c) to every 𝑘 there exist DCC satisfying 𝑚1 < 𝑚2 < ⋯ < 𝑚𝑘−1 .

7. Prove that infinitely many even numbers cannot be written as a sum of a power
of three and a prime. In general, to every odd number 𝑎 > 1 and to every even
number 𝑏 > 2 there exist infinitely many even and odd numbers, resp., that cannot
be written in the form 𝑎𝑛 + 𝑝 and 𝑏𝑛 + 𝑝, where 𝑝 is a prime.

12.6. Additive Complements

Two infinite sets 𝐴 and 𝐵 of non-negative integers are additive complements of each
other if every sufficiently large integer can be written as 𝑎 + 𝑏, where 𝑎 ∈ 𝐴, 𝑏 ∈ 𝐵.
Consider, for example, the unique decimal representation of a positive integer 𝑛 =
𝑐 0 + 10𝑐 1 + 102 𝑐 2 + ⋯ + 𝑐 𝑘 10𝑘 (where 0 ≤ 𝑐 𝑖 ≤ 9), and let 𝐴 consist of 0 and of positive
integers with 0 = 𝑐 0 = 𝑐 2 = 𝑐 4 = . . . , and let 𝐵 consist of 0 and of positive integers with
0 = 𝑐 1 = 𝑐 3 = 𝑐 5 = . . . (e.g. 3010 ∈ 𝐴, 70005 ∈ 𝐵). Then clearly every non-negative
integer has a unique representation 𝑎 + 𝑏, so 𝐴 and 𝐵 are additive complements of each
other. (We shall generally omit the phrases “additive” and “of each other” for brevity.)
12.6. Additive Complements 413

We establish first a simple density condition necessary for 𝐴 and 𝐵 to be comple-

ments, and check how sharp this condition is. Then we investigate for two important
special sets, the powers of two and the primes, how rare their complements can be.
Let 𝐴(𝑛) and 𝐵(𝑛) denote the number of elements not greater than 𝑛 in the sets
𝐴 and 𝐵. Let 𝑓(𝑛) denote how many integers 0 ≤ 𝑡 ≤ 𝑛 can be written as 𝑡 = 𝑎 + 𝑏.
Then 𝑓(𝑛) ≤ 𝐴(𝑛)𝐵(𝑛), since 𝑎 ≤ 𝑡 ≤ 𝑛 and 𝑏 ≤ 𝑡 ≤ 𝑛 in such representations
of 𝑡. (This estimate is crude from two points of view: some 𝑡 may have more than one
representation, and many sums 𝑎+𝑏 will be larger than 𝑛.) If 𝐴 and 𝐵 are complements,
then every 𝑡 > 𝑡0 can be written in the form 𝑡 = 𝑎 + 𝑏, so 𝑓(𝑛) ≥ 𝑛 − 𝑡0 . Combining the
lower and upper estimates for 𝑓(𝑛), we obtain 𝐴(𝑛)𝐵(𝑛) ≥ 𝑛 − 𝑡0 for every 𝑛. Dividing
by 𝑛 and letting 𝑛 → ∞, we obtain that additive complements satisfy
𝐴(𝑛)𝐵(𝑛)
(12.6.1) lim inf ≥ 1.
𝑛→∞ 𝑛
As our estimates were very generous, we might feel that (12.6.1) cannot hold with
equality and it would seem to be absurd that not only lim inf but even lim sup can
reach 1 (which means that the limit is 1). Therefore it is quite surprising that all this
occurs, and in fact there are lots of various constructions. We present the first such
example found by Danzer.
Theorem 12.6.1. There exist additive complements 𝐴 and 𝐵 satisfying
(12.6.2) lim 𝐴(𝑛)𝐵(𝑛)/𝑛 = 1. ♣
𝑛→∞

Proof. We choose 𝐴 as a rapidly growing sequence with certain divisibility properties:

(12.6.3) 𝑎𝑘 = (𝑘2 )! +𝑘.
Clearly 𝑎𝑘 ≡ 𝑘 (mod 𝑑) for 𝑑 ≤ 𝑘2 . It follows that
(12.6.4) 𝑎𝑘 , 𝑎𝑘−1 , . . . , 𝑎𝑘−𝑑𝑘 +1 is a complete residue system mod 𝑑𝑘
if 𝑑𝑘 ≤ (𝑘 − 𝑑𝑘 + 1)2 . For every 𝑘, we select a relatively large 𝑑𝑘 with this property such
that
(12.6.5) 𝑑𝑘 ≤ 𝑑𝑘+1
and
(12.6.6) lim 𝑑𝑘 /𝑘 = 1.
𝑘→∞

We can take, for example, 𝑑𝑘 = ⌊𝑘 − √𝑘⌋.

Let now 𝑛 be arbitrary and define 𝑘 by
(12.6.7) 𝑘𝑎𝑘 ≤ 𝑛 < (𝑘 + 1)𝑎𝑘+1 .
Then by (12.6.4), there exists 0 ≤ 𝑠 < 𝑑𝑘 satisfying 𝑛 ≡ 𝑎𝑘−𝑠 (mod 𝑑𝑘 ), so
(12.6.8) 𝑛 = 𝑎𝑘−𝑠 + 𝑟𝑑𝑘 .
From (12.6.7) and 0 < 𝑎𝑘−𝑠 ≤ 𝑎𝑘 , we obtain
(𝑘 − 1)𝑎𝑘 𝑛 − 𝑎𝑘−𝑠 (𝑘 + 1)𝑎𝑘+1
(12.6.9) ≤𝑟= < .
𝑑𝑘 𝑑𝑘 𝑑𝑘
414 12. Combinatorial Number Theory

Let 𝐵𝑘 be the set of integers 𝑟𝑑𝑘 where 𝑟 satisfies (12.6.9), and let
∞ ∞
(𝑘 − 1)𝑎𝑘 (𝑘 + 1)𝑎𝑘+1
(12.6.10) 𝐵= 𝐵𝑘 = { 𝑟𝑑𝑘 ∣ ≤𝑟< }.
⋃ ⋃ 𝑑𝑘 𝑑𝑘
𝑘=1 𝑘=1

Then 𝐴 and 𝐵 are complements by (12.6.8).

To verify (12.6.2), we estimate 𝐴(𝑛) and 𝐵(𝑛) from above.
Since 𝑛 < (𝑘 + 1)𝑎𝑘+1 < 𝑎𝑘+2 by (12.6.7) and (12.6.3), thus
(12.6.11) 𝐴(𝑛) ≤ 𝑘 + 1
(in fact, 𝐴(𝑛) = 𝑘 or 𝑘 + 1).
By (12.6.10), the smallest element in 𝐵𝑘+2 is at least (𝑘 + 1)𝑎𝑘+2 , which is greater
than 𝑛 by (12.6.7), therefore we do not have to consider 𝐵𝑘+2 when checking 𝐵(𝑛). So
𝑘−2
(12.6.12) 𝐵(𝑛) ≤ 𝐵𝑘+1 (𝑛) + 𝐵𝑘 (𝑛) + |𝐵𝑘−1 | + || 𝐵𝑖 ||.
⋃
𝑖=1

Let us examine the terms on the right-hand side of (12.6.12) one by one.
By (12.6.10), the smallest element in 𝐵𝑘+1 is at least 𝑘𝑎𝑘+1 , so 𝐵𝑘+1 has a role in
𝐵(𝑛) only if
𝑛
(12.6.13) 𝑘𝑎𝑘+1 ≤ 𝑛, or 𝑎𝑘+1 ≤ .
𝑘
Even in this case, 𝑛 < (𝑘 + 1)𝑎𝑘+1 by (12.6.7), hence at most the multiples of 𝑑𝑘+1
between 𝑘𝑎𝑘+1 and (𝑘 + 1)𝑎𝑘+1 count in 𝐵𝑘+1 (𝑛), so
(𝑘 + 1)𝑎𝑘+1 − 𝑘𝑎𝑘+1 𝑎 𝑛
(12.6.14) 𝐵𝑘+1 (𝑛) ≤ + 1 = 𝑘+1 + 1 ≤ +1
𝑑𝑘+1 𝑑𝑘+1 𝑘𝑑𝑘−1
(we used (12.6.5) and (12.6.13) for the last inequality).
Similarly, 𝐵𝑘 (𝑛) counts the multiples of 𝑑𝑘 between (𝑘 − 1)𝑎𝑘 and 𝑛, so
𝑛 − (𝑘 − 1)𝑎𝑘 𝑛 − (𝑘 − 1)𝑎𝑘
(12.6.15) 𝐵𝑘 (𝑛) ≤ +1≤ + 1.
𝑑𝑘 𝑑𝑘−1

Also,
𝑘𝑎𝑘 − (𝑘 − 2)𝑎𝑘−1 𝑘𝑎𝑘
(12.6.16) |𝐵𝑘−1 | ≤ +1≤ + 1.
𝑑𝑘−1 𝑑𝑘−1

Finally, for 𝑖 ≤ 𝑘 − 2, every element in 𝐵𝑖 is less than (𝑘 − 1)𝑎𝑘−1 , so

𝑘−2
(12.6.17) | |
| ⋃ 𝐵𝑖 | ≤ (𝑘 − 1)𝑎𝑘−1 − 1.
𝑖=1

From (12.6.12), (12.6.14), (12.6.15), (12.6.16), and (12.6.17), we get

𝑛
𝑘
+ 𝑛 + 𝑎𝑘
(12.6.18) 𝐵(𝑛) ≤ + (𝑘 − 1)𝑎𝑘−1 + 2.
𝑑𝑘−1
12.6. Additive Complements 415

By (12.6.7), 𝑎𝑘 ≤ 𝑛/𝑘, so (12.6.18) implies

2
1+ 𝑘 (𝑘 − 1)𝑎𝑘−1 + 2
(12.6.19) 𝐵(𝑛) ≤ 𝑛 ( + ).
𝑑𝑘−1 𝑛

Combining (12.6.11) and (12.6.19), we have

2
𝐴(𝑛)𝐵(𝑛) (𝑘 + 1)(1 + 𝑘 ) (𝑘 + 1)((𝑘 − 1)𝑎𝑘−1 + 2)
(12.6.20) ≤ + .
𝑛 𝑑𝑘−1 𝑛
If 𝑛, and thus also 𝑘, tends to infinity, then the first fraction on the right-hand side
of (12.6.20) tends to 1 by (12.6.6), and the second fraction tends to 0 by (12.6.7) and
(12.6.3), so
𝐴(𝑛)𝐵(𝑛)
(12.6.21) lim sup ≤ 1.
𝑛→∞ 𝑛
Since 𝐴 and 𝐵 are complements, (12.6.1) holds, thus, combining (12.6.1) and (12.6.21),
we get the desired formula (12.6.2). □

We say that 𝐵 is a completely economical complement (CEC) of 𝐴 if it is a comple-

ment of 𝐴 and (12.6.2) holds. By Theorem 12.6.1, 𝐴 = { (𝑘2 )! +𝑘 ∣ 𝑘 = 1, 2, . . . } has a
CEC. Ruzsa proved that every 𝐴 = {𝑎1 < 𝑎2 < ⋯} satisfying lim𝑘→∞ 𝑎𝑘+1 /(𝑘𝑎𝑘 ) = ∞
has a CEC (thus much denser sets than 𝐴 in Theorem 12.6.1 have this property even
without any divisibility requirements).
Next we examine how rare complements are for powers of two and for the primes.
Ruzsa proved that the powers of two have a CEC. We verify a slightly weaker result:
Theorem 12.6.2. The powers of two 𝑊 = {2, 4, 8, . . . } have a complement 𝑀 satisfying
(12.6.22) 𝑀(𝑛) < 𝑐𝑛/ log2 𝑛,
where 𝑐 is an effectively computable constant. ♣

As 𝑊(𝑛) = ⌊log2 𝑛⌋, 𝑊(𝑛)𝑀(𝑛)/𝑛 < 𝑐, which is just slightly worse than (12.6.2).
The set 𝑊𝑠 = {𝑠, 𝑠2 , 𝑠3 , . . . } consisting of the powers of any integer 𝑠 > 1 has a CEC.

Proof. Since 2 is a primitive root mod 9, it is a primitive root mod 3𝑟 for every 𝑟 (see
part Y2 in the proof of Theorem 3.3.5). This means that if (3, 𝑛) = 1, there exists 𝑘,
0 < 𝑘 ≤ 𝜑(3𝑟 ) < 3𝑟 , satisfying 𝑛 ≡ 2𝑘 (mod 3𝑟 ). If 3 ∣ 𝑛, then we have 𝑛 − 1 ≡ 2𝑘
(mod 3𝑟 ). Thus for every 𝑛 and 𝑟, there exist 𝑣 and 0 < 𝑘 < 3𝑟 satisfying
(12.6.23) 𝑛 = 2𝑘 + 3𝑟 𝑣 or 𝑛 = 2𝑘 + 3𝑟 𝑣 + 1.
Accordingly, the complement 𝑀 will consist of suitable integers of the form 3𝑟 𝑣 and
3𝑟 𝑣 + 1.
For a given 𝑛, we first choose 𝑟 and then check which values of 𝑣 are needed.
𝑟 𝑟
Since 𝑘 < 3𝑟 implies 2𝑘 < 23 , 𝑣 is positive in (12.6.23) if 23 ≤ 𝑛. Therefore we
choose 𝑟 to satisfy
𝑟 𝑟+1
(12.6.24) 23 ≤ 𝑛 < 23 .
416 12. Combinatorial Number Theory

Then by (12.6.23) and (12.6.24),

𝑟+1
𝑣 ≤ 3𝑟 𝑣 < 𝑛 < 23 ,

so let

∞
𝑟+1
(12.6.25) 𝑀= 𝑀𝑟 , where 𝑀𝑟 = { 3𝑟 𝑣, 3𝑟 𝑣 + 1 ∣ 0 < 𝑣 < 23 }.
⋃
𝑟=1

By the previous considerations, 𝑀 is a complement of 𝑊.

We show now that (12.6.22) holds.
Let

𝑟+1
(12.6.26) 𝐾 = { 3𝑟 𝑣 ∣ 0 < 𝑟, 0 < 𝑣 < 23 }.

Then

(12.6.27) 𝑀(𝑛) ≤ 2|𝐾|.

We divide 𝐾 into two parts 𝐾1 and 𝐾2 depending on 𝑣 ≤ 𝑇 and 𝑣 > 𝑇, resp., where
we choose a suitable 𝑇 later (as a function of 𝑛).
In 𝐾1 , there are 𝑇 possible values for 𝑣, and at most log3 𝑛 values for 𝑟, so

(12.6.28) |𝐾1 | ≤ 𝑇 log3 𝑛.

𝑟+1
By (12.6.26), 𝑇 < 𝑣 < 23 in 𝐾2 , so

(12.6.29) 3𝑟+1 > log2 𝑇.

At most ⌊𝑛/3𝑟 ⌋ values of 𝑣 belong to 3𝑟 , hence

𝑛 3 𝑛
|𝐾2 | < ∑ = ⋅ 𝑟 ,
𝑟≥𝑟0
3𝑟 2 30

where 𝑟0 is the smallest value of 𝑟 satisfying (12.6.29). This implies

9 𝑛
(12.6.30) |𝐾2 | < ⋅ .
2 log2 𝑇

By (12.6.27), (12.6.28), and (12.6.30), we have 𝑀(𝑛) < 2𝑇 log3 𝑛+9𝑛/ log2 𝑇. Choos-
ing 𝑇 = ⌊𝑛/(log2 𝑛)2 ⌋ for example, we arrive at (12.6.22). □
12.6. Additive Complements 417

Now we find a rare complement to the primes. The best known result is due to
Erdős:
Theorem 12.6.3. The set 𝑃 of the prime numbers has a complement 𝑅 satisfying
2
(12.6.31) 𝑅(𝑛) < 𝑐 log 𝑛
(where 𝑐 is an explicitly computable constant and log denotes the natural logarithm). ♣

Since 𝑃(𝑛) = 𝜋(𝑛) ∼ 𝑛/ log 𝑛, then 𝑃(𝑛)𝑅(𝑛)/𝑛 < 𝑐 log 𝑛, which is significantly
weaker than (12.6.2). Ruzsa verified that (12.6.2) is not attainable, so 𝑃 has no CEC.

The main line of the proof. We construct a probability space that consists of certain
sequences 𝑅 of positive integers, show that any sequence 𝑅 is a complement of 𝑃 with
2
probability 1, and 𝑅(𝑛) ∼ 𝑐 log 𝑛 holds with probability 1. This implies that there ex-
ists an 𝑅 meeting the requirements of the theorem. (This argument verifies only the
existence of a suitable sequence without explicitly constructing one. Moreover it guar-
antees that nearly all sequences are suitable, which should be understood, of course,
as a function of the probability in question.)
Let 0 ≤ 𝛼𝑖 ≤ 1, 𝑖 = 1, 2, . . . be real numbers. Then there exists a probability space
consisting of certain sequences 𝑅 of positive integers, where the probability of 𝑛 ∈ 𝑅
is 𝛼𝑛 for every positive integer 𝑛 and the events 𝑛 ∈ 𝑅 and 𝑚 ∈ 𝑅 are independent
for any 𝑛 ≠ 𝑚. We can imagine this as choosing the integers 1, 2, . . . in the sequences
independently with probabilities 𝛼1 , 𝛼2 , . . .
Let
(12.6.32) 𝛼𝑖 = min(1, 𝑑(log 𝑖)/𝑖),
where we will specify the constant 𝑑 > 0 later.
We sketch first a proof that a sequence 𝑅 is a complement of 𝑃 with probability 1.
Let 𝑄𝑛 be the event that 𝑛 cannot be written as 𝑛 = 𝑝 + 𝑟, where 𝑝 is a prime
and 𝑟 ∈ 𝑅, and we denote the probability of 𝑄𝑛 by 𝑞𝑛 . 𝑅 will be a complement of 𝑃 if
and only if only finitely many events 𝑄𝑛 occur. By the Borel–Cantelli lemma this has
probability 1 if the infinite series of probabilities 𝑞𝑛 is convergent, or
∞
(12.6.33) 𝑆 = ∑ 𝑞𝑛 < ∞.
𝑛=1

We compute 𝑞𝑛 . For a prime 𝑝, 𝑛 ≠ 𝑟 + 𝑝 is equivalent to 𝑛 − 𝑝 ∉ 𝑅, which has

probability 1 − 𝛼𝑛−𝑝 . The event 𝑄𝑛 means that 𝑛 cannot be written as 𝑛 = 𝑟 + 𝑝 with
any prime 𝑝, so
(12.6.34) 𝑞𝑛 = ∏(1 − 𝛼𝑛−𝑝 ).
𝑝<𝑛

−𝑥
By (12.6.34) and 1 − 𝑥 ≤ 𝑒 , the sum 𝑆 in (12.6.33) obeys
∞ ∞ ∞
− ∑𝑝<𝑛 𝛼𝑛−𝑝
(12.6.35) 𝑆 = ∑ 𝑞𝑛 = ∑ ∏(1 − 𝛼𝑛−𝑝 ) ≤ ∑ 𝑒 .
𝑛=1 𝑛=1 𝑝<𝑛 𝑛=1
418 12. Combinatorial Number Theory

The exponent of 𝑒 on the right-hand side of (12.6.35) is about

log(𝑛 − 𝑝)
(12.6.36) −𝑑 ∑
𝑝<𝑛
𝑛−𝑝

by (12.6.32). It can be proved that

log(𝑛 − 𝑝)
(12.6.37) ∑ > ℎ log 𝑛
𝑝<𝑛
𝑛−𝑝

with a suitable constant ℎ if 𝑛 is large enough. Hence the quantity in (12.6.36) is less
than −𝑑ℎ log 𝑛, so by (12.6.35),
∞ ∞
𝑆 < ∑ 𝑒−𝑑ℎ log 𝑛 = ∑ 𝑛−𝑑ℎ ,
𝑛=1 𝑛=1

which is convergent if 𝑑 is chosen to satisfy 𝑑ℎ > 1.

Seemingly, (12.6.37) is similar to the relation ∑𝑝<𝑛 (log 𝑝)/𝑝 ∼ log 𝑛 in Theo-
rem 5.6.3, as both contain terms of type (log 𝑘)/𝑘. However, due to the thinning of
the primes, the latter sum is dominated by larger terms (log 𝑘)/𝑘 belonging to small
values of 𝑘, whereas the situation is just the opposite in (12.6.37). To verify (12.6.37),
we need that the primes are sufficiently dense even in later relatively small intervals.
2
Now we turn to sketching the proof that 𝑅(𝑛) ∼ 𝑐 log 𝑛 holds with probability 1.
𝑛
We can write 𝑅(𝑛) = ∑𝑖=1 𝜉𝑖 where the random variable 𝜉𝑖 is 1 if 𝑖 ∈ 𝑅 and is 0 if 𝑖 ∉ 𝑅.
Then the expectation
𝑛 𝑛 𝑛 𝑛 2
log 𝑖 log 𝑥 𝑑 log 𝑛
∑ 𝐸(𝜉𝑖 ) = ∑ 𝛼𝑖 ∼ ∑ 𝑑 ∼ 𝑑∫ 𝑑𝑥 = .
𝑖=1 𝑖=1 𝑖=1
𝑖 1
𝑥 2
𝑛 𝑛
Thus it suffices to show that ∑𝑖=1 𝜉𝑖
∼ ∑𝑖=1 𝐸(𝜉𝑖 ) with probability 1. This is true in
general if 𝐸(𝜉𝑖 ) and the standard deviations 𝐷(𝜉𝑖 ) satisfy certain conditions which hold
in this case. □

Finally, we state Lorentz’s result about complements of general sets without proof:
Theorem 12.6.4. For any 𝐴, there exists a complement 𝐵 satisfying
𝑛
log 𝐴(𝑖)
𝐵(𝑛) < 10 ∑ . ♣
𝑖=𝑎1
𝐴(𝑖)

Exercises 12.6

1. Generalize the example at the beginning of this section to a number system with
an arbitrary base 𝑐 > 1 instead of 10 and for an arbitrary grouping of the places
instead of the even-odd distribution. Verify that these sets 𝐴 and 𝐵 are always
complements, and compute lim inf𝑛→∞ 𝐴(𝑛)𝐵(𝑛)/𝑛.
2. Let 𝑊 be the set of powers of 2 and 𝑃1 = { 𝑝, 𝑝 + 1 ∣ 𝑝 is a prime }, so we include
the numbers 𝑝 + 1 into 𝑃1 . Are 𝑊 and 𝑃1 complements?
 Exercises 12.6 419

3. Decide for each of the following conditions whether or not it is necessary or suf-
ficient for the set 𝐴 = {𝑎1 < 𝑎2 < . . . } to have a finite complement, so every
sufficiently large integer is the sum of an element in 𝐴 and an element in 𝐵 for
some suitable finite set 𝐵.
(a) 𝑎𝑖+1 − 𝑎𝑖 is bounded.
(b) 𝐴 contains an infinite arithmetic progression.
(c) lim inf𝑛→∞ 𝐴(𝑛)/𝑛 > 0.
(d) lim𝑛→∞ 𝐴(𝑛)/𝑛 = 1.
* 4. Let 𝐴 consist of the numbers 𝑎𝑘 = 6𝑘 + 𝑘, and 𝐵 consist of the multiples of 𝑑𝑘
between 6𝑘 (1 − 1/𝑘) and 6𝑘+1 , where 𝑑𝑘 is an integer of the form 2𝑖 3𝑗 satisfying
𝑑𝑘 < 𝑘−5 log6 𝑘, but also 𝑑𝑘 ∼ 𝑘 and 𝑑𝑘+1 ≥ 𝑑𝑘 . Verify that 𝐴 and 𝐵 are completely
economical complements.
5. Show that Theorem 12.6.4 guarantees a complement 𝑆 to the primes with 𝑆(𝑛) <
3
𝑐 log 𝑛 (which is thus weaker than Theorem 12.6.3).
6. Prove that any infinite set 𝐴 has a complement 𝐵 of density zero, i.e. 𝐵(𝑛)/𝑛 → 0,
as 𝑛 → ∞.
Answers and Hints

A.1. Basic Notions

1.1.

1. The six digit number is 1001 times the three digit number, and 1001 is divisible by
91.

2. Show that in the product 𝑎2 − 𝑏2 = (𝑎 − 𝑏)(𝑎 + 𝑏), both factors are even and exactly
one of them is divisible by 4.
Another option: (2𝑘 + 1)2 − (2𝑚 + 1)2 = 4𝑘(𝑘 + 1) − 4𝑚(𝑚 + 1), and both terms
are multiples of 8 on the right-hand side.

3. 𝑏𝑐𝑎 = 100𝑏 + 10𝑐 + 𝑎 = 10 ⋅ 𝑎𝑏𝑐 − 999𝑎.

4. Multiply 5𝑎 + 9𝑏 by a suitable integer so that adding an appropriate multiple of 23

we obtain just 3𝑎 + 10𝑏.

5. True: (b), (d), (f).

6. (i) Apply the identity 𝑎𝑛 − 𝑏𝑛 = (𝑎 − 𝑏)(𝑎𝑛−1 + 𝑎𝑛−2 𝑏 + ⋯ + 𝑏𝑛−1 ).

(ii)–(iii) Apply (i) replacing 𝑏 by −𝑏.

7. 𝑐 = ±3.

8. 11𝑛+2 + 122𝑛+1 = 12(144𝑛 − 11𝑛 ) + 133 ⋅ 11𝑛 .

We can also use induction.

9. 𝑛 = 4𝑘 + 2. (It can be shown that there are no other appropriate 𝑛.)

421
422 Answers and Hints

10. (𝑏 − 1)2 ∣ 𝑏𝑘 − 1 is equivalent to 𝑏 − 1 ∣ 𝑏𝑘−1 + 𝑏𝑘−2 + ⋯ + 1. Rewrite the right-hand

side as

(𝑏𝑘−1 − 1) + (𝑏𝑘−2 − 1) + ⋯ + (1 − 1) + 𝑘.
Here, the first 𝑘 terms are divisible by 𝑏 − 1.
11. If 𝑎 ≥ 𝑏, then 2𝑎 +1 = 2𝑎−𝑏 (2𝑏 −1)+2𝑎−𝑏 +1. Continuing, we obtain 2𝑏 −1 ∣ 2𝑑 +1
for some 𝑑 < 𝑎. Then 2𝑏 − 1 ≤ 2𝑑 + 1 ≤ 2𝑏−1 + 1 implying 𝑏 ≤ 2.
Another way: If 𝑏 has an odd prime divisor 𝑐 > 1, then 2𝑐 − 1 ∣ 2𝑎𝑐 − 1, and
2𝑐 − 1 ∣ 2𝑏 − 1 ∣ 2𝑎 + 1 ∣ 2𝑎𝑐 + 1, thus 2𝑐 − 1 ∣ 2, a contradiction. If 𝑏 is a multiple of
4, then 15 = 24 − 1 ∣ 2𝑏 − 1 ∣ 2𝑎 + 1, but this is impossible since 3 ∣ 2𝑎 + 1 ⟺ 𝑎
is odd, 5 ∣ 2𝑎 + 1 ⟺ 𝑎 = 4𝑘 + 2.
12. (a) If 𝑎 = 𝑏𝑞, then |𝑎| = |𝑏| ⋅ |𝑞| ≥ |𝑏| ⋅ 1 for 𝑞 ≠ 0.
(b) Part (a) implies that 𝑎 has 2 ⋅ |𝑎| divisors at most.
13. The largest and second largest proper divisors are less than or equal to the half and
the one third of the number. Answers:
(a) the positive even numbers
(b) the positive multiples of 3 and/or 4 (only 3𝑘 = 𝑘 + 𝑘 + 𝑘, 4𝑘 = 2𝑘 + 𝑘 + 𝑘, and
6𝑘 = 3𝑘 + 2𝑘 + 𝑘 are possible).
14. Denoting the digits backwards by 𝑎0 , . . . , 𝑎𝑠 ,
𝑎𝑠 𝑎𝑠−1 . . . 𝑎1 𝑎0 = 𝑎𝑠 10𝑠 + 𝑎𝑠−1 10𝑠−1 + ⋯ + 𝑎1 10 + 𝑎0 .
Observe:
(a) 10𝑘 − 1 is divisible by 9.
(b) 10𝑘 is divisible by 4 and 25 for 𝑘 ≥ 2.
(c) 10𝑘 is divisible by 8 and 125 for 𝑘 ≥ 3.
(d) 10𝑘 + 1 or 10𝑘 − 1 is divisible by 11 depending on whether 𝑘 is odd or even.
15. No, check the divisibility by 3.
16. Yes, prove by induction that to any 𝑘 there exists a 𝑘-digit number divisible by 2𝑘
and consisting only of digits 1 and 2.
17. (b) (𝑛𝑘) is an integer.
18. The first player has a winning strategy for every 𝑛 > 1.
19. Factor the numbers into the product of a power of two and an odd number and use
the pigeonhole principle. We can also use induction.
20. In 0 = 0 ⋅ 𝑞, the number 𝑞 is not unique.
21. (a) 𝑛 = 4𝑘 + 2. (b) 𝑛 = ±4.
22. (a) Divisible; the quotient is of the required form after eliminating the square root
in the denominator.
(b) 1 + √2 ∣ 1.
(c) The powers of 1 + √2 are units.
1.2. 423

(d) Infinitely many.

(e) If ±1 = 𝑐2 −2𝑑 2 = (𝑐+𝑑√2)(𝑐−𝑑√2), then 𝑐+𝑑√2 ∣ 1. To prove the converse,
show that if 𝑐 + 𝑑√2 ∣ 𝑟 + 𝑠√2, then 𝑐2 − 2𝑑 2 ∣ 𝑟2 − 2𝑠2 .
(f) If there were another unit, then multiplying it by a suitable ±(1 + √2)𝑘 we
obtain a unit 𝑢 + 𝑣√2 with
1 < 𝑢 + 𝑣√2 < 1 + √2.
Using (e), we get a contradiction in all the four cases of the signs of 𝑢 and 𝑣.
(g) Both occur infinitely often; this follows basically from (e).
23. (d) (ii) and (iv) are true in any integral domain, (i) and (iii) are true if and only if
there is an identity element. (If there is no identity, 𝑎 ∣ 𝑏, 𝑏 ∣ 𝑎 ⟺ 𝑎 = 𝑏 = 0.)

1.2.

1. Answer: 97. Hint: The three-digit number divides the difference of the two num-
bers.
2. There are only 𝑚 possible remainders, so there must be infinitely many powers of
two all giving the same remainder when divided by 𝑚.
3. Consider the remainders of 𝑐 1 , 𝑐 1 + 𝑐 2 , . . . , 𝑐 1 + 𝑐 2 + ⋯ + 𝑐𝑛 when divided by 𝑛.
4. Given 𝑚, consider the integers having as digits only 1s and having at most 𝑚 + 1
digits: 1, 11, 111, . . . There must occur two among them with the same remainder
when divided by 𝑚, hence their difference is of the required form and is a multiple
of 𝑚.
5. Let 𝑟 𝑘 be the remainder of 𝜑𝑘 on division by 𝑚. The pairs (𝑟 𝑘 , 𝑟 𝑘+1 ) can assume
only 𝑚2 distinct values, therefore (𝑟𝑡 , 𝑟𝑡+1 ) = (𝑟𝑠 , 𝑟𝑠+1 ) for some 𝑡 > 𝑠. Show that
(𝑟 𝑘 , 𝑟 𝑘+1 ) = (𝑟 𝑘+𝑡−𝑠 , 𝑟 𝑘+𝑡−𝑠+1 ) for every 𝑘, i.e. the sequence of the remainders 𝑟𝑛 is
periodic (with a period 𝑡 − 𝑠). As 𝑟0 = 0, also 𝑟𝑗(𝑡−𝑠) = 0 for every 𝑗, so 𝑚 ∣ 𝜑𝑗(𝑡−𝑠) .
6. (a) Every integer is of the form 3𝑘 or 3𝑘± 1, so its square is of the form 3𝑠 or 3𝑠 + 1.
This means that a square can have a remainder 0 or 1 on division by 3.
(b) 0, 1. (c) 0, ±1. (d) 0, 1, 4.
7. Examine the remainder of the sum on division by 3 or 4.
8. (a) No. Examine the remainders of divisions by 4 and 5.
(b) Similar to (a), one can show that there is no such square with eight or more
digits and a four- or six-digit number must terminate with 4. Finally, check
the divisibility by 11 and 111/3 = 37. Answer: 7744 is the only solution.
9. Verify that an odd power of a number gives the same remainder as the number
itself when divided by 3.
10. Answer: 16 (so the product is always a multiple of 216 but not of 217 in some cases).
424 Answers and Hints

11. ⌊√𝑛⌋ = 𝑘 holds exactly for 𝑘2 ≤ 𝑛 < (𝑘 + 1)2 . Of these, 𝑘2 , 𝑘2 + 𝑘, and 𝑘2 + 2𝑘 are
divisible by 𝑘. Answer: 3(105 − 1) = 299997.
12. ⌊𝑎 + 𝑏⌋ − (⌊𝑎⌋ + ⌊𝑏⌋) = 0 or 1.
13. No: e.g. |𝑟| ≥ 4 if 12 = 4𝑞 + 𝑟 .
14. Let 𝑡 be the base of the number system. If 𝑑 ∣ 𝑡 − 1, then the remainder on division
by 𝑑 equals the remainder of the sum of the digits. If 𝑑 ∣ 𝑡𝑘 , then the remainder
equals the remainder of the number composed from the last 𝑘 digits. If 𝑑 ∣ 𝑡 + 1,
then the remainder equals the remainder of the alternating sum of the digits (the
last digit has to be taken with a positive sign).
15. This is the special case 𝑡 = 100, 𝑑 = 99 of the previous exercise.
16. Consider the remainder on division by 9. Answer: 8.
17. We convert each digit in base 9 into a two-digit number in base 3 (with first digit 0
if necessary). We can apply a similar procedure if one base is a power of the other
(with positive integer exponent).
18. Answer: 𝑛 = 8. Hint: 𝑡3 ≤ 𝑛 ≤ (𝑡 + 1)2 − 1 implies 𝑡 = 2.
19. From 𝑡 ∣ 735, 𝑡 ≥ 6, and 𝑡 < 10 we get 𝑡 = 7.
20. (a) We can measure every integer gram up to 210 −1 = 1023 with weights of 1, 2, 4,
. . . , 29 grams. This is the maximum. When measuring, there are two options
for each weight: whether or not we put it onto the pan. Thus ten weights can
measure at most 210 − 1 values (we subtract 1 for the case when we put no
weight onto the pan).
(b) We can measure every integer gram up to (310 −1)/2 with weights of 1, 3, 9, . . . ,
39 grams: in base three representation we have to convert the digits 2 to −1.
There is no better stock of weights: when measuring, there are three options
for each weight (left pan, right pan, no pan) but the result has to be divided
by 2 due to the symmetry of the two pans.
21. The limit is log2 10 = 3.3219 . . . .
22. Apply a suitable modification of the proof of Theorem 1.2.2.
23. Though the numbers increase rapidly in the beginning, we will get 0 in finitely
many steps. The reason is that we gradually “lose” all digits.

1.3.

1. 14 = 3794 ⋅ (−44) + 2226 ⋅ 75.

2. (a) If (3𝑛 + 5, 7𝑛 + 12) = 𝑑, then 𝑑 ∣ −7(3𝑛 + 5) + 3(7𝑛 + 12) = 1, so 𝑑 = 1.
(b) If (3𝑛2 + 1, 4𝑛2 + 3) = 𝑑, then 𝑑 ∣ −4(3𝑛2 + 1) + 3(4𝑛2 + 3) = 5, but 5 ∤ 3𝑛2 + 1,
thus 𝑑 = 1.
(c) If (𝑛! −1, (𝑛 + 1)! −1) = 𝑑, then 𝑑 ∣ (𝑛 + 1)! −1 − (𝑛 + 1)(𝑛! −1) = 𝑛, hence
𝑑 ∣ 𝑛! −(𝑛! −1) = 1.
1.3. 425

(d) If (7𝑛 − 2, 7𝑛+1 − 5) = 𝑑, then 𝑑 ∣ (7𝑛+1 − 5) − 7(7𝑛 − 2) = 9, but 7𝑛 − 2 =

(2 ⋅ 3 + 1)𝑛 − 2 = 3𝑘 + 1 − 2 = 3𝑘 − 1, thus 𝑑 is not divisible by 3.
3. 1 if 𝑛 is odd, and 2 if 𝑛 is even.
4. (a) 5 or 10. (b) 5, 15, or 45.
5. 6, 10, 15, or 21, 66, 77, etc.
6. True: (a), (c).
𝑏
7. Answer: (𝑎, 𝑏). Hint: 𝑏 ∣ 𝑘𝑎 ⟺ (𝑎,𝑏)
∣ 𝑘.
8. (a) True: Since (𝑎+𝑛, 𝑏+𝑛) ∣ (𝑎+𝑛)−(𝑏+𝑛) = 𝑎−𝑏, 𝑛 works if 𝑎+𝑛 = 𝑘(𝑎−𝑏)+1.
(b) True. (c) False, 𝑎 = 1, 𝑏 = 4 is a counterexample.
9. (a) Infinitely many; if 𝑢, 𝑣 is appropriate, then the pair 𝑢 + 𝑡𝑏, 𝑣 − 𝑡𝑎 also works
for any integer 𝑡.
(b) 1.
(c) (𝑎, 𝑏).
10. (b) Use that 𝛿 and 𝛿1 divide each other.
11. Verify first 𝑐(𝑎, 𝑏) ∣ (𝑐𝑎, 𝑐𝑏). Then prove that 𝑞 is a unit in the equality 𝑐(𝑎, 𝑏)𝑞 =
(𝑐𝑎, 𝑐𝑏).
12. (a) These are exactly the numbers coprime to 10 (i.e. which are divisible neither
by 2 nor by 5). Hint: Apply the argument of Exercise 1.2.4 and then Theo-
rem 1.3.9.
(b) The smallest one is the repunit consisting of 31000 digits. Hint: Show by in-
duction on 𝑘 that the smallest repunit multiple of 3𝑘 has 3𝑘 digits.
13. Use 𝑟 ∣ 𝑠 ⇒ 𝑐𝑟 − 1 ∣ 𝑐𝑠 − 1 several times and the representation (𝑛, 𝑘) = 𝑛𝑢 + 𝑘𝑣.
14. (a) Show that if 𝑛 and 𝑘 are powers of two and 𝑘 < 𝑛, then 𝑎𝑘 + 1 ∣ 𝑎𝑛 − 1.
(b) 𝑎(𝑛,𝑘) + 1 if both 𝑛/(𝑛, 𝑘) and 𝑘/(𝑛, 𝑘) are odd, and 1 or 2 otherwise depending
on whether 𝑎 is even or odd.
15. The second neighbors are coprime. The third neighbors with indices divisible by 3
have gcd 2, the others are coprime.
16. Use the identity 𝜑𝑚+𝑛 = 𝜑𝑚−1 𝜑𝑛 + 𝜑𝑚 𝜑𝑛+1 . Based on this, we can prove 𝑘 ∣ 𝑛 ⟹
𝜑𝑘 ∣ 𝜑𝑛 by induction on 𝑛/𝑘. For the converse and the claim concerning the gcd,
verify that 𝑎 = 𝑏𝑞 + 𝑟 implies (𝜑𝑎 , 𝜑𝑏 ) = (𝜑𝑏 , 𝜑𝑟 ). An alternative method: Show
that for every 𝑚, the indices of the Fibonacci numbers divisible by 𝑚 are just the
multiples of the index of the smallest Fibonacci number with this property.
17. We denote the lengths of the two segments by 𝑎 and 𝑏, and 𝑘 and 𝑛 are suitable
positive integers.
(a) If 𝑎/𝑏 = 𝑘/𝑛, then 𝑎/𝑘 = 𝑏/𝑛 is a common measure. Conversely, if 𝑐 is a
common measure, 𝑎 = 𝑘𝑐 and 𝑏 = 𝑛𝑐, so 𝑎/𝑏 = 𝑘/𝑛.
(b) Infinitely many; dividing a common measure by any integer 𝑛, we get a com-
mon measure again.
426 Answers and Hints

(c) The analog of the division algorithm: We measure the smaller segment on the
larger one as many times as possible, so 𝑎 = 𝑏𝑞+𝑟 where 𝑞 is a positive integer,
𝑟 is a real number, and 0 ≤ 𝑟 < 𝑏. If two segments are commensurable, so
𝑎 = 𝑘𝑐 and 𝑏 = 𝑛𝑐 (with a common measure 𝑐), then the Euclidean algorithm
with 𝑎 and 𝑏 is essentially the same as the similar procedure with the integers
𝑘 and 𝑛, therefore it terminates. Conversely, if the Euclidean algorithm for the
segments terminates, then the last non-zero remainder is a common measure.
(d) The existence of such a special common measure follows from the Euclidean
algorithm.
(e) We start the Euclidean algorithm by measuring the side of length 𝑏 of the
square 𝐴𝐵𝐶𝐷 from 𝐴 on the diagonal 𝐴𝐶 of length 𝑎. We obtain an endpoint
𝐸 with 𝐴𝐸 = 𝑏 and 𝐸𝐶 = 𝑟. The perpendicular to the diagonal in 𝐸 intersects
side 𝐵𝐶 in 𝐹. Then 𝑟 = 𝐸𝐶 = 𝐸𝐹 = 𝐹𝐵. In the next step of the Euclidean
algorithm we divide 𝑏 by 𝑟 in the following way. We first measure 𝐵𝐹 on 𝐵𝐶
and then perform the division algorithm for the hypotenuse 𝐶𝐹 and the leg
𝐶𝐸 of the isosceles right triangle 𝐸𝐹𝐶. But this leads to the original state on
a smaller scale: we have to compare the diagonal and the side of a (smaller)
square. This shows that the Euclidean algorithm goes on for ever.

1.4.

1. Answer: (a) and (b) 3. (c) 5. (d) 7. Hint: Check the remainder on division by 3,
5, and 7.
2. No; if the difference 𝑑 is positive and 𝑐 > 1 is an arbitrary element in the arithmetic
progression, then e.g. 𝑐 + 𝑐𝑑 is composite.
3. Answer: 3 years old. Hint: Consider the remainders on division by 3.
Remark: We have no information about the ages of the two older grandchildren:
e.g. 3, 5, 7, or 3, 7, 11, or 3, 13, 17 are all triples satisfying the requirements. It is an
unsolved problem whether or not there are infinitely many such triples. However,
the smallest element of every such triple must be 3, as claimed in this exercise.
4. (a) 𝑎 − 1 ∣ 𝑎𝑘 − 1 and if 𝑘 = 𝑟𝑠, then 𝑎𝑟 − 1 ∣ 𝑎𝑘 − 1.
(b) If 𝑘 = 𝑟𝑠 with 𝑠 odd, then 𝑎𝑟 + 1 ∣ 𝑎𝑘 + 1.
5. Answer: 𝑡 = 2, 𝑘 = 1. Hint: Check the divisibility by 𝑡 + 1 or 𝑡.
6. Answer: (a), (d), (e) 𝑛 = 1. (b) 𝑛 = 2, 4. (c) There is no such 𝑛. Hint: Check the
divisibility by 3 for (a), and factor the other four expressions.
7. (a) If 𝑛 = 𝑎𝑏 with 0 < 𝑎 ≤ 𝑏, then 𝑎 ≤ √𝑛, thus only 𝑎 = 1 is possible.
(b) If this smallest divisor 𝑑 had a non-trivial positive divisor 𝑠, then 𝑠 ∣ 𝑛 and
1 < 𝑠 < 𝑑 yield a contradiction.
(c) If 𝑛 = 𝑑𝑘 where 𝑑 is the minimal divisor greater than 1, then 𝑑 is a prime by
(b) and 𝑘 is a prime by (a).
1.5. 427

8. Use the prime property of 17.

9. The irreducible elements are the numbers 4𝑘 + 2, and there are no primes.
10. (a) Consider the divisibility 𝑝 ∣ 𝑝2 (and use the argument seen at the solution of
Exercise 1.1.23a).
(b) Follow part I in the proof of Theorem 1.4.3.

1.5.

1. If 𝑎 = 𝑝1 . . . 𝑝𝑟 , then |𝑎| ≥ 2𝑟 since |𝑝 𝑖 | ≥ 2.

2. (a) 2𝑡, ±2𝑘 , and 2𝑘 𝑝 where 𝑡 is an odd number and 𝑝 is any odd integer irreducible
among the integers.
(b) E.g. 22 ⋅ 31998 .
3. First proof: An irreducible element is not necessarily prime (and there are no
primes at all).
Second proof: The implication 𝑝1 ∣ 𝑞1 − 𝑝1 ⇒ 𝑝1 ∣ 𝑞1 occurring in the last step is
false among the even numbers as here 𝑝1 ∤ 𝑝1 .
4. 1000 = 20 ⋅ 50 = 10 ⋅ 10 ⋅ 10.
5. We use the fact that the non-zero elements of 𝐹 have a unique decomposition as
2𝑘 5𝑚 𝑡 where the exponents 𝑘 and 𝑚 are integers and 𝑡 is coprime to 10.
(a) Units: ±2𝑘 5𝑚 . Irreducibles: 2𝑘 5𝑚 𝑝 where 𝑝 ≠ ±2, ±5 is irreducible in the
integers.
(b) The factorization of 2𝑘 5𝑚 𝑡 in 𝐹 is essentially the same as the decomposition
of 𝑡 among the integers.
(c) Let 𝑓(2𝑘 5𝑚 𝑡) = |𝑡| and 𝑓(0) = 0.
6. We obtain 𝑝1 ∣ 𝑞1 𝑞3 . . . 𝑞𝑠 in the last step. To show its impossibility, use the induc-
tion hypothesis again for 𝑎 = 𝑞1 𝑞3 . . . 𝑞𝑠 .
𝑘 𝑘
7. Let 𝑎 = ±𝑝1 1 . . . 𝑝𝑟 𝑟 where the 𝑝 𝑖 are pairwise distinct positive irreducibles, 𝑘𝑖 > 0,
and 𝑘 = 𝑘1 + ⋯ + 𝑘𝑟 . Then the number of decompositions is 2𝑘−1 𝑘! /(𝑘1 ! . . . 𝑘𝑟 ! ).
8. Assuming that 𝑝 is an irreducible element dividing 𝑎𝑏, establish the decomposition
of 𝑎𝑏 into a product of irreducible factors from the decompositions of 𝑎 and 𝑏.
Observe that an associate of 𝑝 must occur in the decomposition of 𝑎𝑏.
9. The appropriate triples 𝑝1 , 𝑝2 , 𝑝3 are 5, 2, 2; −5, −2, −2; 5, 2, −3; 5, −3, 2; −5, −2,
3; −5, 3, −2. Hint: After ordering, we obtain 𝑝2 𝑝3 = (𝑝1 − 𝑝2 − 𝑝3 )(𝑝2 + 𝑝3 ). By the
Fundamental Theorem, this can hold only if 𝑝2 + 𝑝3 = ±𝑝2 , ±𝑝3 , ±1, or ±𝑝2 𝑝3 .
10. Answer: 2 and 3. Hint: Writing 𝑥3 + 𝑦3 = 𝑝𝛼 , we can assume that 𝑥 and 𝑦 are
coprime. Factoring the left-hand side, both factors must be powers of 𝑝. Express
𝑥𝑦 from these two equalities.
428 Answers and Hints

1.6.

1. An integer 𝑛 is a 𝑘th power if and only if the exponents of all primes are multiples
of 𝑘 in the standard form of 𝑛.
2. (a) Let 𝑝 be an arbitrary prime divisor of the factor 𝑎 in the product 𝑎𝑏. Since
(𝑎, 𝑏) = 1, 𝑝 ∤ 𝑏, so 𝑝 occurs with the same exponents in the standard forms
of 𝑎 and 𝑎𝑏. Now apply Exercise 1.6.1.
(b) The two factors will be associates of 𝑘th powers except if the product is zero.
(c) We have to assume that the factors are pairwise coprime.
3. Rely on Exercise 1.6.2a.
4. Answer: 3 and 7. Hint: Factor the numerator and argue as in Exercise 1.6.2a.
5. (a) If 𝑎1 ∣ 𝑎 and 𝑏1 ∣ 𝑏, then 𝑎1 𝑏1 ∣ 𝑎𝑏 follows from the elementary properties of
divisibility. For the converse, use Theorem 1.6.2. Consider an arbitrary prime
divisor 𝑝 of 𝑎𝑏 and let the (possibly 0) exponents of 𝑝 be 𝛼, 𝛽, and 𝛾 in the
standard forms of 𝑎, 𝑏, and 𝑐. The condition 𝑐 ∣ 𝑎𝑏 implies 𝛾 ≤ 𝛼 + 𝛽. Thus,
we have to show that 𝛾 = 𝛼′ + 𝛽 ′ for some 0 ≤ 𝛼′ ≤ 𝛼 and 0 ≤ 𝛽 ′ ≤ 𝛽.
(b) Apply the argument of (a) knowing that either 𝛼, or 𝛽 is 0. An alternative way:
Assume 𝑎1 𝑏1 = 𝑎2 𝑏2 where 𝑎𝑖 ∣ 𝑎 and 𝑏𝑖 ∣ 𝑏. Then 𝑎1 ∣ 𝑎2 𝑏2 and (𝑎1 , 𝑏2 ) = 1,
thus 𝑎1 ∣ 𝑎2 . We obtain the converse divisibility similarly, therefore (using
positivity) 𝑎1 = 𝑎2 .
(c) For example, any common divisor 𝑐 > 1 of 𝑎 and 𝑏 can be represented as
𝑐 = 1 ⋅ 𝑐 = 𝑐 ⋅ 1.
(d) Use the arguments of (a) and (b).
(e) (𝑎, 𝑏) ∣ 𝑐 ∣ [𝑎, 𝑏].
6. Use Theorem 1.6.2.
7. (a) 230 . (b) 210 ⋅ 32 . (c) 23 ⋅ 3 ⋅ 5 ⋅ 7 = 840.
8. These are the squares. Hint: Use the formula for 𝑑(𝑛) and Exercise 1.6.1. Another
way: Form pairs of divisors matching every 𝑑 ∣ 𝑛 to its complementary divisor 𝑛/𝑑.
This match is not perfect if a divisor is equal to its complementary divisor.
9. Answer: 20. Hint: Examine which guards touched a lock and apply the previous
exercise.
10. (b) Equality holds if and only if the exponents of all primes are odd in the standard
form of 𝑛.
11. (a)–(b) Check how many divisors of 𝑛 can be larger than 𝑛/2 and 𝑛/3.
(c) Form pairs of divisors whose product is 𝑛. The smaller (more precisely, not
greater) element in each pair is at most √𝑛. Another possibility: Apply the argu-
ment in (a) and (b) for a general 𝑛/𝑘 and choose the optimal value of 𝑘.
12. Answer: 𝑛𝑑(𝑛)/2 . Hint: Form pairs of divisors.
1.6. 429

13. Answer: 𝑛+1. Hint: (i) 𝑛+1 such divisors are 2𝑖 5𝑛−𝑖 , 𝑖 = 0, 1, . . . , 𝑛. (ii) Among 𝑛+2
divisors two must contain 5 with the same exponent by the pigeonhole principle,
and so the larger divisor is a multiple of the smaller one.
14. (a) 𝑎 ∣ 𝑏.
(b) 8.
(c) 2𝑟 where 𝑟 is the number of distinct prime factors in 𝑏/𝑎.
(In (b) and (c), we considered the pairs 𝑥, 𝑦 and 𝑦, 𝑥 as different solutions for 𝑥 ≠ 𝑦.)
15. Use arguments similar to those in the proof of (𝑎, 𝑏)[𝑎, 𝑏] = 𝑎𝑏 (Theorem 1.6.6/III).
16. True: (b), (d).
17. (a) 𝑎 ∣ [𝑎, 𝑏] ∣ 𝑎 + 𝑏 ⟹ 𝑎 ∣ 𝑏, and 𝑏 ∣ 𝑎 follows by symmetry.
(b) and (d) Divide by (𝑎, 𝑏) and apply Exercise 1.6.16b.
(c) For example, 𝑎 = 10𝑘, 𝑏 = 15𝑘; or 𝑎 = 𝑢(𝑢 + 𝑣), 𝑏 = 𝑣(𝑢 + 𝑣).
18. Each equality holds if and only if every common prime divisor of 𝑎 and 𝑏 occurs
with the same exponent in the standard forms of 𝑎 and 𝑏.
19. Let 𝛼, 𝛽, and 𝛾 be (the possibly 0) exponents of a prime 𝑝 in the standard forms
of 𝑎, 𝑏, and 𝑐. To prove (a), we have to verify max(𝛼, min(𝛽, 𝛾)) = min(max(𝛼, 𝛽),
max(𝛼, 𝛾)). We can check this in the three cases separately when 𝛼 is the smallest,
middle, or largest among the three exponents. We can prove also (b) along similar
lines.
20. (a) Using the notation of the previous exercise, both conditions mean that two
exponents of 𝛼, 𝛽, and 𝛾 are equal and the third exponent is not smaller.
(b) Infinitely many.
(c) The analog of (a) remains valid if we replace gcd everywhere by lcm. This
means for the exponents that two of 𝛼, 𝛽, and 𝛾 are equal and the third one is
not larger. The number of solutions is the product of the values 𝛿 belonging
to the distinct prime divisors of 𝑎𝑏𝑐 where 𝛿 = 3𝛼 + 1 if 𝛼 = 𝛽 = 𝛾, and
𝛿 = 2 min(𝛼, 𝛽, 𝛾) + 1 otherwise. (There is a unique solution if and only if
(𝑎, 𝑏, 𝑐) = 1.)
21. Factor 𝑝4 − 1 as long as you can, and verify the divisibilities by 16, 3, and 5 sepa-
rately.
22. Factor 𝑎6 −𝑏6 as long as you can, and verify the divisibilities by 7, 8, and 9 separately.
23. Factor the expression, and show the divisibility for each of the prime power factors
of 360.
24. Verify the divisibility for each prime power factor in the standard form of the divi-
sor separately. Apply various forms of 𝑎 − 𝑏 ∣ 𝑎𝑚 − 𝑏𝑚 and the binomial theorem
for the divisibility by 101.
25. (a) 275. (b) The last digit is not zero.
430 Answers and Hints

26. (a) Every prime occurs in the standard form of 𝑛! with an exponent less than 𝑛: if
𝑝𝑠 ≤ 𝑛 < 𝑝𝑠+1 , then

∞ 𝑠 𝑠
𝑛 𝑛 𝑛 𝑛(𝑝𝑠 − 1) 𝑛
𝛼𝑝 = ∑ ⌊ ⌋ = ∑ ⌊ ⌋ ≤ ∑ = 𝑠 (𝑝 − 1)
< ≤ 𝑛.
𝑘=1
𝑝𝑘 𝑘=1
𝑝 𝑘
𝑘=1
𝑝𝑘 𝑝 𝑝 − 1

(b) 𝑐 = 2, 𝑛 = 2𝑗 .

27. (a) (𝑛𝑘) = (𝑛/𝑘)(𝑛−1

𝑘−1
). Thus 𝑘 ∣ 𝑛(𝑛−1
𝑘−1
) and (𝑘, 𝑛) = 1 implies 𝑘 ∣ (𝑛−1
𝑘−1
). This means
𝑛 𝑛−1
that (𝑘)/𝑛 = (𝑘−1)/𝑘 is an integer.

(b) False, (10

4
) is a counterexample.

(c) (c1) 𝑛 is a prime. (c2) 𝑛 = 2𝑗 . (c3) 𝑛 = 2𝑗 − 1.

(d) No: 𝑘(𝑛𝑘) = 𝑛(𝑛−1

𝑘−1
). Thus 𝑛 ∣ 𝑘(𝑛𝑘). If (𝑛, (𝑛𝑘)) = 1, then this implies 𝑛 ∣ 𝑘, a
contradiction.

28. Exactly the powers of two are appropriate.

29. First solution: Choose a prime that occurs in the standard form of 𝑛! +𝑘 with a
higher exponent than in 𝑘.

Second solution: Every integer has a prime divisor greater than 𝑛/2 and it divides
none of the other numbers.

30. 9.

31. The squarefree numbers (i.e. those that are not divisible by any square greater than
one).

32. Prove by contradiction. Reduce the problem to the case when the two 𝑘th powers
are coprime. Show that their difference divides the double of both 𝑘th powers.
Thus, it also divides 2 which is impossible.

33. (a) (𝑎/𝑏)5 = 100 ⇒ 𝑎5 = 100𝑏5 . Examine the exponent of 5 (or of 2) in the
standard forms of the two sides.

(b) 6𝑎/𝑏 = 18 ⇒ 6𝑎 = 18𝑏 . We may assume 𝑎, 𝑏 > 0. Check the exponents of 2

and 3 in the standard forms of the two sides.

35. (a) Yes. (b) No.

2.1. 431

A.2. Congruences

2.1.

1. Apply the method in Example E1.

2. Answer: 999. Hint: 999 ≡ −1 (mod 1000).

3. The proof of divisibility by 11:

10 ≡ −1 (mod 11) ⟹ 10𝑘 ≡ (−1)𝑘 (mod 11) ,

hence

𝑎𝑠 𝑎𝑠−1 . . . 𝑎1 𝑎0 = 𝑎𝑠 10𝑠 + 𝑎𝑠−1 10𝑠−1 + ⋯ + 𝑎1 10 + 𝑎0 ≡

≡ 𝑎0 − 𝑎1 + 𝑎2 ± ⋯ + (−1)𝑠 𝑎𝑠 (mod 11) .

4. True: (a), (d), (e), (h).

5. Answer: 50. Hint: We obtain the last digits of the squares by squaring the 101 dig-
its, i.e. all possible remainders modulo 101. To determine the pairwise incongruent
values, examine the coincidences induced by squaring. Use Exercise 2.1.4h.

6. The theorem is false, e.g. (47) ≢ (48). The proof violated the rule that you must not
replace the numerator of a fraction by a congruent value even if both the original
and the new fractions are integers.

7. Using 𝑎 ≡ 𝑏 (mod 𝑚), demonstrate that (𝑎𝑚 − 𝑏𝑚 )/(𝑎 − 𝑏) = 𝑎𝑚−1 + 𝑎𝑚−2 𝑏 + ⋯ +

𝑏𝑚−1 is divisible by 𝑚.

8. Show 𝑎 ≡ 𝑏 (mod 3) and use it to prove 3 ∤ (𝑎𝑛 − 𝑏𝑛 )/(𝑎 − 𝑏).

9. (b) Prove by induction on 𝑘, using (a) and (𝑛𝑘) = (𝑛−1 𝑘

) + (𝑛−1
𝑘−1
). Another option:
To avoid the difficulties with fractions, multiply by the denominator 𝑘!. Since
(𝑘! , 𝑝) = 1, we obtain an equivalent congruence with the same modulus. To prove
this fraction-free version, take the product of the congruences 𝑝 − 𝑗 ≡ −𝑗 (mod 𝑝).
(c) Apply a suitable modification of either method indicated in part (b).

10. Answer: 𝑝 = 5. Hint: Verify (3𝑝

𝑝
) ≡ 3 (mod 𝑝).

11. (a) Cancelling the left-hand side by 𝑝, the new denominator (𝑝 − 1)! is coprime
to 𝑝. Hence, multiplying by (𝑝 − 1)!, we get an equivalent congruence. This
can be proved as in the previous two exercises.
(b)–(c) Apply similar methods as in (a).
432 Answers and Hints

2.2.

1. (a) 3. (b) 5. (c) 2. Hint: The modulus is coprime to the given numbers and
divides their difference.
2. (a) 62 ⋅ 5𝑚−2 ⋅ 𝑚! (b) 6 ⋅ 5𝜑(𝑚)−1 ⋅ 𝜑(𝑚)!
(We considered two residue systems as distinct even if they differed only in the
order of the elements.)
3. Both properties depend only on the difference 𝑑 of the arithmetic progression:
(a) 𝑑 ∣ 𝑚. (b) (𝑑, 𝑚) = 1.
4. (a) 𝑚 is odd.
(b) Every 𝑚 is suitable.
(c) 𝑚 = 2.
(d) (𝑚, 10) = 1.
(e) 𝑚 = 2.
(f) 𝑚 = 3𝑘 .
(g) 𝑚 is squarefree.
(Parts (a) and (d) can be considered as special cases of Exercise 2.2.3b.)
5. (a) (𝑚, 15) = 1.
(b) Every 𝑚 is suitable.
(c) 𝑚 = 2.
(d) (𝑚, 20) ≤ 2.
(e) Every 𝑚 is suitable. This can be verified similar to the proof of 2.2.4g but by a
considerably simpler argument.
6. True: (b).
7. (a) The remainder is 0 for 𝑚 odd and 𝑚/2 for 𝑚 even. Hint: Demonstrate that the
result does not depend on which complete residue system we consider. Then
examine e.g. the least non-negative remainders or the ones of least absolute
value. Another way: Form suitable pairs from the elements of a complete
residue system.
(b) Use the result of (a). If 𝑚 is odd, then we can always exhibit examples both
for 𝑎𝑖 + 𝑏𝑖 forming and not forming a complete residue system.
(c) The remainder of the sum of elements in a reduced residue system is 0 for
𝑚 > 2. For the sums 𝑎𝑖 + 𝑏𝑖 , we have the same results as seen at the complete
residue systems.
8. (a) 𝑚 is either odd or is a multiple of 4. (b) 𝑚 is odd.
9. (a) 𝑚 = 2𝑘 . Hint: We get a complete residue system if and only if the given
numbers are pairwise incongruent, i.e. (𝑖+1)+(𝑖+2)+⋯+𝑗 = (𝑖+𝑗+1)(𝑗−𝑖)/2
is not divisible by 𝑚 for 0 ≤ 𝑖 < 𝑗 ≤ 𝑚 − 1. For 𝑚 = 2𝑘 , use the opposite parity
of the two factors to show the impossibility of such a divisibility. If 𝑚 is not a
2.3. 433

power of two, i.e. 𝑚 = 2𝑘 (2𝑠 + 1) with 𝑠 > 0 (the exponent 𝑘 may be 0), then
(2𝑘 − 𝑠) + (2𝑘 − 𝑠 + 1) + ⋯ + (2𝑘 + 𝑠) is divisible by (in fact, is equal to) 𝑚.
The largest term satisfies the condition 2𝑘 + 𝑠 < 𝑚, but for the smallest term,
2𝑘 − 𝑠 ≤ 0 may occur. In this case, deleting all negative terms, their negatives,
and 0, we obtain a forbidden sum within the given limits still divisible by 𝑚.
(b) 𝑚 is even.
10. True: (a), (c), (e). Hint for (c) and (e): Show that both assertions follow from the
claim:
If (𝑟, 𝑘) = 1, then there exists an 𝑠 satisfying 𝑠 ≡ 𝑟 (mod 𝑘) and (𝑠, 𝑚) = 1.
Proof of the claim: If every prime divisor of 𝑚 divides 𝑘, then (𝑟, 𝑘) = 1 ⇒ (𝑟, 𝑚) =
1, thus we can choose 𝑠 = 𝑟. Otherwise, let 𝑞1 , . . . , 𝑞𝑡 be those prime divisors of 𝑚
that do not divide 𝑘. Assume that 𝑞1 , . . . , 𝑞𝑗 are the ones among these that divide 𝑟
(also 𝑗 = 0 or 𝑗 = 𝑡 may occur). Then 𝑠 = 𝑟 + 𝑞𝑗+1 . . . 𝑞𝑡 𝑘 satisfies the requirements.
11. (b) Answer: 𝑚/(𝑎, 𝑚).
Hint: 𝑎𝑟 𝑖 + 𝑏 ≡ 𝑎𝑟𝑗 + 𝑏 (mod 𝑚) ⟺ 𝑟 𝑖 ≡ 𝑟𝑗 (mod 𝑚/(𝑎, 𝑚)).
12. (a) (𝑎, 𝑚) = 1 or 2 for 𝑚 = 4𝑘 + 2, and (𝑎, 𝑚) = 1 otherwise.
(b) 𝑝1 ⋅ ⋯ ⋅ 𝑝𝑠 ∣ 𝑏 where 𝑝1 , . . . , 𝑝𝑠 are the distinct prime divisors of 𝑚.
13. (𝑘, 𝑚) = 1.
14. (c) Use (b).

2.3.

1. Form pairs of the elements of a (cleverly chosen) reduced residue system or use
the formula for 𝜑(𝑛).
2. (a) 3, 4, 6.
(b) 5, 8, 10, 12.
(c) There is no such 𝑛.
(d) 61, 77, 93, 99, 122, 124, 154, 186, 198.
3. (a) 1285 = 5 ⋅ 257. Hint: 𝜑(211 ) = 210 shows that the minimal number is not
greater than 211 . A smaller suitable integer can only be the product of primes
of the form 2𝑘 + 1.
(b) 311 . Hint: Use the following: (i) 2 ⋅ 310 + 1 is composite (17 divides it); (ii) If
3𝑗 ∣ 𝑝 − 1 for a prime 𝑝(> 2), then 𝑝 ≥ 2 ⋅ 3𝑗 + 1.
4. 100, 80, 50, 40.
5. (a) Use the standard forms of 𝑘 and 𝑛 and the formula for 𝜑. Be careful that only
positive exponents should occur in each standard form.
(b) It follows from (a).
434 Answers and Hints

(c) For the least computation, verify the identity

𝜑((𝑎, 𝑏))𝜑([𝑎, 𝑏]) = (𝜑(𝑎), 𝜑(𝑏))[𝜑(𝑎), 𝜑(𝑏)].

6. Rewrite 𝜑(𝑎)/𝜑(𝑏) = 𝑎/𝑏 as

1 1
(A.2.1) ∏ (1 − ) = ∏ (1 − ) .
𝑝∣𝑎
𝑝 𝑞∣𝑏
𝑞
𝑝 prime 𝑞 prime

If 𝑎 and 𝑏 have the same prime divisors, then (A.2.1) clearly holds. To prove the
converse, assume that (A.2.1) is true in some other case, too. Delete the common
factors 1 − 1/𝑝 = 1 − 1/𝑞 and multiply by the common denominator (i.e. by the
product of all remaining primes 𝑝 and 𝑞). Then the largest prime will divide only
one side thus yielding a contradiction.
7. True: (a).
𝑟 𝛽
8. Let the standard form of 𝑘 be 𝑘 = ∏𝑖=1 𝑝𝑖 𝑖 , 𝛽 𝑖 > 0. Then an appropriate 𝑛 is
𝑟 𝑟
𝛼 𝛽 𝑖 , if 𝑝 𝑖 ∣ ∏𝑗=1 (𝑝𝑗 − 1)
𝑛 = ∏ 𝑝𝑖 𝑖 where 𝛼𝑖 = {
𝑖=1 𝛽 𝑖 + 1, otherwise.

9. Use that both 𝑟 ∣ 𝑛 and (𝑟, 𝑛) = 1 are true only for 𝑟 = 1. Equality holds if and only
if 𝑛 is 1, 4, or a prime. Hint: In every other case there exists a number 𝑟, 1 < 𝑟 < 𝑛,
neither coprime to 𝑛 nor dividing 𝑛; e.g. 𝑟 = 𝑛 − 𝑝 where 𝑝 is the smallest prime
divisor of 𝑛.
10. (a) and (c) Use the formula for 𝜑(𝑛).
(b) The columns in table 2.3.1 are not complete residue systems mod 𝑏.
11. (a) The multiples of the least prime divisor of 𝑛 are not coprime to 𝑛. Equality
holds if and only if 𝑛 is the square of a prime.
(b) (b1) 𝑛 is a prime. (b2) 10. (b3) 15, 49. (b4) There is no such 𝑛.
12. 1, 2, and 3. Hint: Verify 𝜑(𝑛) ∣ 𝑛 ⟺ 𝑛 = 2𝛼 3𝛽 where either 𝛼 ≥ 0 and 𝛽 = 0, or
𝛼 > 0 and 𝛽 > 0.
13. Prove by contradiction. Use the formula for 𝜑. The largest prime divisor remaining
after cancellation will divide only one side.
14. Write the fractions 1/𝑛, 2/𝑛, . . . , 𝑛/𝑛 in reduced form, and count how many times
a denominator occurs.
15. Using the formula for 𝜑(𝑛), prove 𝜑(𝑛) ≥ √𝑛/2.
Another option: All primes are coprime to 𝑛 except its prime divisors and there are
many primes up to 𝑛 (see Section 5.4).
16. Denote by 2 = 𝑝1 < 𝑝2 < . . . the sequence of (positive) primes and let 𝑝𝑗 be the
smallest prime not dividing 𝑘. Then 𝑛 = (𝑝𝑗 − 1)𝑘 works.
17. Let 2 = 𝑝1 < 𝑝2 < ⋯ < 𝑝1000 be the first 1000 primes and 𝑃 their product. Then
𝑛𝑖 = 𝑃(𝑝 𝑖 − 1)/𝑝 𝑖 satisfy the requirements.
2.4. 435

18. Answer: 𝑛 ≤ 3. Hint: Compare the exponents of 2 in the standard forms of 𝜑(𝑛! )
and 𝑘!.
19. 𝑚 = 2𝑘 , 𝑝, or 2𝑝 where 𝑝 > 2 is a prime.

2.4.

1. 𝜑(𝑛) ≤ 𝑛 implies 𝜑(𝑛) ∣ 𝑛!. We can solve the exercise without using the Euler–
Fermat Theorem. Among 1, 2, 22 , . . . , 2𝑛 there must be two numbers congruent
modulo 𝑛 by the pigeonhole principle: 2𝑖 ≡ 2𝑗 (mod 𝑛) with some 0 ≤ 𝑖 < 𝑗 ≤ 𝑛.
Since (2, 𝑛) = 1, we can cancel 2𝑖 to obtain 2𝑗−𝑖 ≡ 1 (mod 𝑛) with 1 ≤ 𝑗 − 𝑖 ≤ 𝑛.
Finally, 𝑗 − 𝑖 ∣ 𝑛! implies the assertion of the exercise.
2. Answer: 49. Hint: (1793, 102 ) = 1 implies 1793𝑘𝜑(100) ≡ 1 (mod 100). Compute
𝜑(100) and use 1793 ≡ −7 (mod 100).
3. Apply Fermat’s Little Theorem for 𝑝 = 13 several times.
4. Prove that one of the numbers is divisible by 7.
5. Exhibit the standard form of the divisor and verify the divisibility for each prime
power factor separately by the Euler–Fermat Theorem. Do not forget the cases
where the prime power is not coprime to 𝑎.
6. Demonstrate that the remainder of a 30th power can be only 0 or 1 modulo 11 and
modulo 9.
7. Show that the remainder of an 88th power is 0 or 1 modulo 23.
2𝑝−3 2𝑝−3
8. If neither of 𝑟 𝑖 and 𝑟𝑗 is divisible by 𝑝, then, multiplying 𝑟𝑖 ≡ 𝑟𝑗 (mod 𝑝) by
𝑟 𝑖 𝑟𝑗 , we infer 𝑟 𝑖 ≡ 𝑟𝑗 (mod 𝑝), i.e. 𝑖 = 𝑗 by Fermat’s Little Theorem.
9. (a) Examine the cases 𝑝 ∤ 𝑎 and 𝑝 ∣ 𝑎 separately as in the proof of Theorem 2.4.1B.
(b) Let 𝑘 be the maximum of the exponents in the standard form of 𝑚. Then
𝑖, 𝑗 ≥ 𝑘, 𝑖 ≡ 𝑗 (mod 𝜑(𝑚)) ⟹ 𝑎𝑖 ≡ 𝑎𝑗 (mod 𝑚). Hint: Verify 𝑎𝑖 ≡ 𝑎𝑗
(mod 𝑝𝛼 ) for every prime power factor 𝑝𝛼 in the standard form of 𝑚. Also
use 𝜑(𝑝𝛼 ) ∣ 𝜑(𝑚) (see Exercise 2.3.5a).
10. True: (a), (c).
(a) Use the Euler–Fermat Theorem (𝑎 = 133, 𝑚 = 1000), or modify the method
sketched at Exercise 2.4.1.
(b) Check the divisibility by 4.
(c) Start using 136𝑘 ≡ 136 (mod 1000) ⟺ 136𝑘−1 ≡ 1 (mod 125).
11. Hint: 𝑎𝑘 ≡ 𝑎 (mod 𝑑) ⟺ 𝑎𝑘−1 ≡ 1 (mod 𝑑/(𝑎, 𝑑)).
12. The repunits are the numbers (10𝑘 − 1)/9. Thus we have to determine the integers
𝑚 satisfying 10𝑘 ≡ 1 (mod 9𝑚) for some (positive) 𝑘.
436 Answers and Hints

13. It is sufficient to show that every odd positive prime divisor 𝑝 of 𝑛2 + 1 is of the
form 4𝑘 + 1. To do this, raise 𝑛2 ≡ −1 (mod 𝑝) to the power (𝑝 − 1)/2 and use
Fermat’s Little Theorem.
We can also solve the problem without Fermat’s Little Theorem. Assume that some
positive integer 𝑎 of the form 4𝑘−1 divides 𝑛2 +1 for some 𝑛. Consider the smallest
such 𝑎. We shall get a contradiction by finding a positive integer 𝑏 less than 𝑎 also
of the form 4𝑘 − 1 and dividing some integer 𝑠2 + 1.
As the divisibility 𝑎 ∣ 𝑛2 + 1 depends only on the remainder of 𝑛 on division by 𝑎,
we may assume 0 ≤ 𝑛 ≤ 𝑎 − 1 (or even |𝑛| ≤ 𝑎/2).
Let 𝑛2 + 1 = 𝑎𝑞. Then 𝑎𝑞 = 𝑛2 + 1 ≤ (𝑎 − 1)2 + 1 < 𝑎2 , so (0 <)𝑞 < 𝑎.
If 𝑛 is even, then 𝑛2 + 1 is of the form 4𝑘 + 1, hence 𝑞 is of the form 4𝑘 − 1.
If 𝑛 is odd, then 𝑛2 + 1 is of the form 8𝑘 + 2 = 2(4𝑘 + 1), hence 𝑞/2 is of the form
4𝑘 − 1.
We obtained that the positive number 𝑞 or 𝑞/2 of the form 4𝑘 − 1 and less than 𝑎
divides 𝑛2 + 1, contradicting the minimality of 𝑎.
14. By Fermat’s Little Theorem, 𝑛40 ≡ 𝑛4 (mod 19). Thus, the condition can be written
as 𝑎4 ≡ −𝑏4 (mod 19). Raise this congruence to the 9th power.
15. In the special case 𝑚 = 𝑝, assertions (a) and (b) are just the second form of Fermat’s
Little Theorem. Assertion (c) shows that 𝑎𝑚 ≡ 𝑎 (mod 𝑚) may hold for every 𝑎
even with a composite 𝑚. (These composite integers are called universal pseudo-
primes or Carmichael numbers. We discuss them more in detail in Section 5.7.)
Hints:
(a) In the case of a squarefree 𝑚, verify 𝑎𝜑(𝑚)+1 ≡ 𝑎 (mod 𝑝) for every prime
divisor 𝑝 of 𝑚. If 𝑚 is not squarefree, so the square of a prime 𝑝 divides 𝑚,
then the congruence does not hold e.g. for 𝑎 = 𝑝.
(b) Use the result of Exercise 2.4.9b.
(c) Check 𝑎1729 ≡ 𝑎 (mod 𝑘) for every prime (power) divisor 𝑘 of 1729.
16. 2.4.1B: It is sufficient to prove 𝑎𝑝 ≡ 𝑎 (mod 𝑝) for the elements of a complete
residue system, e.g. for 𝑎 = 1, 2, . . . , 𝑝. Using induction, assume that the congru-
ence is true for some 𝑎 = 𝑘. Expanding (𝑘 + 1)𝑝 by the binomial theorem, we
obtain that the congruence holds for 𝑎 = 𝑘 + 1.
2.4.1A: Let (𝑎, 𝑝) = 1. We may divide the congruence 𝑎𝑝 ≡ 𝑎 (mod 𝑝) (just proved)
by 𝑎, i.e. also 𝑎𝑝−1 ≡ 1 (mod 𝑝) is valid.

2.5.

2. (a) 𝑥 ≡ 11, 28, 45 (mod 51).

(b) 𝑥 ≡ 9, 38, 67, 96 (mod 116).
(c) 𝑥 ≡ 1011 + 11111𝑘 (mod 55555), 0 ≤ 𝑘 ≤ 4.
2.6. 437

(d) 𝑥 ≡ (2𝑘+3 + 4)/3 (mod 2𝑘+2 + 1) if 𝑘 is even and there is no solution if 𝑘 is

odd.
(e) 𝑥 ≡ 0, 11 (mod 19). Hint: By Fermat’s Little Theorem, we obtain the congru-
ence 𝑥(8𝑥 + 7) ≡ 0 (mod 19). Use again that 19 is a prime.
(f) 𝑥 ≡ 79 (mod 100). Hint: Since (27, 100) = 1, only solutions coprime to 100
are possible. Thus we can use the Euler–Fermat Theorem.
3. We get 25 and 74 from the congruence 13𝑥 ≡ 31 (mod 49).
4. Answer: 67. Hint: The Euler–Fermat Theorem implies 3280 ≡ 1 (mod 100), thus
we have to solve 3𝑥 ≡ 1 (mod 100).
5. Sufficient: (a), (c), (f).
6. True: (a), (b).
7. 𝑚.

2.6.

1. (a) 93.
(b) The system 𝑥 ≡ 4 (mod 12), 𝑥 ≡ 8 (mod 15) has no solution.
2. (a) Every digit can occur. (b) 3 or 7.
3. Apply the method shown in Example E1: Transform each congruence into a sys-
tem of congruences where the moduli are the prime powers in the standard form
of the original modulus. Handling a congruence with prime power modulus, we
generally have to distinguish two cases according to whether or not the solution is
coprime to the modulus. Answers:
(a) 𝑥 ≡ 20 (mod 176)
(b) 𝑥 ≡ 60 (mod 333) and 𝑥 ≡ 208 (mod 333)
(c) 𝑥 ≡ 91 (mod 105).
4. (a) 1. (b) 2.
5. Instead of the resulting congruence modulo 1000, investigate the simultaneous sys-
tem modulo 125 and modulo 8. Answer: 016.
6. 1166.
7. (a) 25, 76. (b) 376, 625.
8. (a) Answer: 36. Hint: Instead of 𝑥2 ≡ 𝑥 (mod 1020 ), consider the system of con-
gruences with the corresponding prime power moduli. Show that the congru-
ence 𝑥(𝑥 − 1) ≡ 0 has two solutions modulo a prime power.
(b) Answer: 135. Hint: Find the number of solutions of 𝑥3 ≡ 𝑥 (mod 1020 ) simi-
lar to (a).
438 Answers and Hints

37
9. There are 24 ⋅ 60 = 1440 minutes in a day, so we have 𝑥 ≡ 3938 (mod 1440).
Using 1440 = 25 ⋅ 32 ⋅ 5, consider the congruence for moduli 25 , 32 , and 5. Answer:
13 hours and 21 minutes.
10. Proceed as in the solution of Exercise 2.2.14b-c.
11. Let 𝑝1 , . . . , 𝑝𝐾 be distinct primes and consider the system 𝑥+𝑖 ≡ 0 (mod 𝑝𝑖2 ), 𝑖 = 1,
2, . . . , 𝐾.
12. (a) Solutions are 𝑥 = 𝑎 + 𝑏 + 𝑐 and 𝑥 = 𝑎𝑏 + 𝑏𝑐 + 𝑐𝑎.
(b) Necessity: Apply Theorem 2.6.1 for the subsystems consisting of two congru-
ences. Sufficiency: Let 𝑎 = 𝑑𝑎1 , 𝑏 = 𝑑𝑏1 , and 𝑐 = 𝑑𝑐 1 where 𝑎1 , 𝑏1 , and 𝑐 1
are pairwise coprime and 𝑥 = 𝑑𝑥1 . Divide the congruences by 𝑑 (including
the moduli). The variable in the resulting system is 𝑥1 and the moduli are 𝑎1 ,
𝑏1 , and 𝑐 1 . The moduli are pairwise coprime, therefore this system is solvable,
and thus so is the original system.
13. Necessity: Apply Theorem 2.6.1 for the subsystems consisting of two congruences.
Sufficiency: Prove by induction on 𝑘. The subsystem of the first 𝑘 − 1 congruences
is solvable by the induction hypothesis for 𝑘 − 1. Let 𝑐 be a solution. Thus we need
to verify the solvability of
𝑥 ≡ 𝑐 (mod [𝑚1 , . . . , 𝑚𝑘−1 ]) , 𝑥 ≡ 𝑐 𝑘 (mod 𝑚𝑘 ) .
To check the criterion of Theorem 2.6.1, apply the generalization of Exercise 1.6.19b
for more terms and use the conditions (𝑚𝑘 , 𝑚𝑖 ) ∣ 𝑐 𝑘 − 𝑐 𝑖 and 𝑚𝑖 ∣ 𝑐 𝑖 − 𝑐 for 1 ≤
𝑖 ≤ 𝑘 − 1.
14. No. Rewrite the congruence as a system of congruences with prime (power) mod-
uli. The product of the numbers of solutions of these congruences cannot be 14.
15. (a) Necessity: The number of elements has to be 𝜑(𝑘) = 𝑛. We have 𝑛 ∣ 𝑐 for the
number 𝑐 representing 0 (mod 𝑛), and (𝑐, 𝑘) = 1, so (𝑘, 𝑛) = 1. Sufficiency:
Let 𝑟1 , . . . , 𝑟𝑛 be a complete residue system modulo 𝑛 and 𝑠1 , . . . , 𝑠𝑛 a reduced
residue system modulo 𝑘 (by assumption, 𝜑(𝑘) = 𝑛). Then the systems
𝑥 ≡ 𝑟 𝑖 (mod 𝑛) , 𝑥 ≡ 𝑠𝑖 (mod 𝑘) , 𝑖 = 1, 2, . . . , 𝑛
are solvable due to (𝑘, 𝑛) = 1. Picking one solution for each, these integers
satisfy the requirements.
(b) Necessity is obvious. To verify sufficiency, we can apply the method in (a) di-
rectly if (𝑘, 𝑛) = 1. In the general case, however, we have to pair the elements
of the two reduced residue systems so that the resulting systems of congru-
ences are solvable. This can be guaranteed by proving the claim: If 𝑑 ∣ 𝑛, then
every reduced residue class modulo 𝑑 contains the same number of elements
as a reduced residue system modulo 𝑛.
16. (a) Verify first that (𝑎𝑖 +𝑛, 𝑎𝑗 +𝑛) must be a divisor of 𝑆 = (𝑎1 −𝑎2 )(𝑎1 −𝑎3 )(𝑎2 −𝑎3 )
for any 𝑛 and 𝑖 ≠ 𝑗. Let 𝑝 be a prime divisor of 𝑆 and choose 𝑛 modulo 𝑝 so
that at most one of 𝑎1 + 𝑛, 𝑎2 + 𝑛, and 𝑎3 + 𝑛 is divisible by 𝑝 (for 𝑝 > 3 we
can get that none of them is a multiple of 𝑝). The system composed of these
2.7. 439

congruences for the various prime divisors of 𝑆 is solvable since the moduli
are pairwise coprime.
(b) For example, 1, 2, 3 ,4.
(c) Refine the method of (a) by choosing the odd prime divisors of the product
𝑆 = ∏1≤𝑖<𝑗≤4 (𝑎𝑖 − 𝑎𝑗 ) and 4 as moduli.
(d) Now we have to choose 𝑛 so that for any prime divisor 𝑝 of 𝑆, at most two of
the numbers 𝑎𝑖 + 𝑛 should be multiples of 𝑝 .
(e) Both assertions are true for five numbers and both are false for six numbers.

2.7.

1. (a) Answer: 2 for 𝑚 = 4 and 0 for 𝑚 > 4. Hint: If 𝑚 is the product of two distinct
integers greater than 1, then both occur as factors in (𝑚 − 1)!, so 𝑚 ∣ (𝑚 − 1)!.
The remaining case is 𝑚 = 𝑝2 where 𝑝 is a prime. If 𝑝 > 2, then both 𝑝 and
2𝑝 are factors in (𝑚 − 1)!.
(b) Answer: 2 for 𝑚 = 4, 𝑝−1 for 𝑚 = 2𝑝 where 𝑝 > 2 is a prime, and 0 otherwise.
Hint: Verify first 𝜑(𝑚) ≥ 𝑝𝛼 for 𝑚 = 𝑝𝛼 𝑡 where 𝑝 ∤ 𝑡 and 𝑡 > 2. This implies
that the remainder is 0 unless 𝑚 = 2𝛼 , 𝑝𝛼 , or 2𝑝𝛼 (where 𝑝 > 2 is a prime).
If 𝑚 = 𝑝𝛼 or 2𝑝𝛼 with 𝛼 ≥ 2, then both 𝑝𝛼−1 and 2𝑝𝛼−1 occur in the product
(𝜑(𝑚))!, so 𝑚 ∣ (𝜑(𝑚))!. Similarly, if 𝑚 = 2𝛼 with 𝛼 ≥ 3, then both 2𝛼−1 and
2 appear as factors in (𝜑(𝑚))!. Finally, for 𝑚 = 2𝑝, investigate the remainders
of (𝜑(𝑚))! = (𝑝 − 1)! separately modulo 𝑝 and modulo 2.
(c) Answer: −1 for 𝑚 = 4, 𝑝𝛼 , and 2𝑝𝛼 where 𝑝 > 2 is a prime, and 1 in all other
cases. Hint: Form pairs as in the proof of Wilson’s Theorem. An element 𝑐 in
the reduced residue system causes a problem if it is the pair of itself, i.e. 𝑐2 ≡ 1
(mod 𝑚). Let 𝐻 denote the set of these wrong elements 𝑐. Then the remainder
𝑟 we are looking for equals the remainder of the product of the elements in
𝐻. The main difficulty is that 𝑐2 ≡ 1 (mod 𝑚) holds not only for 𝑐 ≡ ±1
(mod 𝑚) for most composite 𝑚. The exceptions are 𝑚 = 4, 𝑝𝛼 , and 2𝑝𝛼 . Then
𝐻 contains no other elements than 𝑐 ≡ ±1 (mod 𝑚), so 𝑟 ≡ −1 (mod 𝑚). For
all other moduli, show by the Chinese Remainder Theorem that 𝐻 has more
than two elements. Let 𝑑 ≢ 1 (mod 𝑚) be any element in 𝐻 and pair the
elements of 𝐻 by the rule 𝑐 ↦ 𝑐𝑑 (mod 𝑚). Show that this implies 𝑟 ≡ 𝑑 or 1
(mod 𝑚). Forming the pairs within 𝐻 by another element 𝑑 ′ ≢ 1 (mod 𝑚),
we infer that only 𝑟 ≡ 1 (mod 𝑚) is possible.
2. Answer: 7 and 17. Hint: Use Wilson’s Theorem for 𝑚 prime. For composite 𝑚,
observe that (𝑚 − 6)! is not coprime to 𝑚 if 𝑚 − 6 ≥ 𝑚/2.
3. We have to show that the products 𝑎1 𝑏1 , . . . , 𝑎𝑚 𝑏𝑚 do not form a complete residue
system modulo 𝑚.
(a) Let 𝑚 be a prime, 𝑚 = 𝑝. If 𝑝 = 𝑎𝑖 = 𝑏𝑗 holds with 𝑖 ≠ 𝑗, then 𝑎𝑖 𝑏𝑖 ≡ 𝑎𝑗 𝑏𝑗 ≡ 0
(mod 𝑝). If 𝑝 = 𝑎𝑖 = 𝑏𝑖 , then the remaining elements 𝑎𝑗 and 𝑏𝑗 , form two
440 Answers and Hints

reduced residue systems modulo 𝑝. By Wilson’s Theorem,

∏ 𝑎𝑗 𝑏𝑗 ≡ ∏ 𝑎𝑗 ∏ 𝑏𝑗 ≡ (−1)(−1) = 1 ≢ −1 (mod 𝑝) .
𝑗≠𝑖 𝑗≠𝑖 𝑗≠𝑖

Thus the products 𝑎𝑗 𝑏𝑗 (𝑗 ≠ 𝑖) cannot form a reduced residue system mod-

ulo 𝑝.
(b) Verify first that for any 𝑘, 𝑘 ∣ 𝑚, the multiples of 𝑘 among the elements 𝑎 and
𝑏 must be multiplied by each other. If 𝑚 is not squarefree, i.e. 𝑝2 ∣ 𝑚 for some
prime 𝑝, then each product 𝑎𝑖 𝑏𝑖 is either coprime to 𝑝, or is a multiple of 𝑝2
by the previous observation. Thus the residue class (𝑝)𝑚 is one that cannot be
represented. If 𝑚 is squarefree and 𝑝 is an odd prime divisor of 𝑚, then show
that the multiples of 𝑚/𝑝 among the elements 𝑎 and 𝑏 form two complete
residue systems modulo 𝑝. This reduces the problem to (a).
4. Replace the factors 𝑝 − 𝑐 > (𝑝 − 1)/2 in (𝑝 − 1)! ≡ −1 (mod 𝑝) by −𝑐 and take a
square root using the prime property of 𝑝.
5. Factoring 𝑝𝑝−1 from (𝑝2 − 1)!, the remaining part is the product of 𝑝 + 1 reduced
residue systems modulo 𝑝 (the (𝑝 + 1)-st system comes from the coefficients of the
numbers divisible by 𝑝).
6. (𝑝 − 3)/2.
7. Answer: 10000. Hint: Examine the remainders modulo 101 and modulo 100 sep-
arately and solve the resulting system of congruences.
8. Answer: 3, 4, 5, 9. Hint: First get rid of the factorial: subtracting an appropriate
multiple of the first number from the second one, we see that the required gcd 𝑑
divides 3𝑛(𝑛 + 3). Using that the remainder of (𝑛 + 2)! modulo 𝑛 + 3 is 0 or −1,
show 𝑑 = 3 for 𝑛 ≥ 4.
9. The answer for both questions is 𝑚 ≤ 3. Hint: Clearly, it is sufficient to prove that
there is no such reduced residue system for 𝑚 > 3. If 𝑚 = 𝑝 > 3 is a prime, then
only 1!, 2!, . . . , (𝑝 − 1)! could work, but (𝑝 − 2)! ≡ 1! by Wilson’s Theorem. If 𝑚 is
composite and 𝑝 is its smallest prime divisor, then (𝑘! , 𝑚) ≠ 1 for 𝑝 ≤ 𝑘. It is easy
to see that 𝑝 ≤ 𝜑(𝑚), thus there are less than 𝜑(𝑚) factorials coprime to 𝑚.
10. The divisibility by 31 is not affected by multiplying the sum by (𝑎1 𝑎2 𝑎3 )27 coprime
to 31. Now use Wilson’s Theorem and Fermat’s Little Theorem.
11. Answer: 0, ±1. Hint: Verify that if no element in the arithmetic progression is a
multiple of 𝑝, then the elements either form a reduced residue system modulo 𝑝, or
all have the same remainder on division by 𝑝. Use Wilson’s Theorem and Fermat’s
Little theorem, in the two cases.
12. Answer: 𝑥 = 1, 𝑧 = 2. Hint: Replace every factor 1 ≤ 𝑖 ≤ 𝑥 − 1 in 𝑥! by the
congruent number −(𝑧 − 𝑖). Then
𝑥! (𝑧 − 𝑥)! ≡ (−1)𝑥−1 𝑥(𝑧 − 1)! (mod 𝑧) .
Use Wilson’s Theorem and Exercise 2.7.1a.
2.8. 441

13. Answer: 𝑝 ≤ 5. Hint: For a proof by contradiction, assume (𝑝 − 1)! +1 = 𝑝𝑘 for

some prime 𝑝 > 5. After transformation, we obtain
𝑝𝑘 − 1
(A.2.2) (𝑝 − 2)! = = 𝑝𝑘−1 + 𝑝𝑘−2 + ⋯ + 1.
𝑝−1
Considering (A.2.2) modulo (𝑝 − 1), we obtain 0 ≡ 𝑘 (mod 𝑝 − 1) using Exer-
cise 2.7.1a and 𝑝 ≡ 1 (mod 𝑝 − 1). This yields 𝑘 ≥ 𝑝 − 1, implying 𝑝𝑘 ≥ 𝑝𝑝−1 >
(𝑝 − 1)! +1, a contradiction.

2.8.

1. For 𝑚 even.
2. (a) We have to solve the congruence 13𝑥 ≡ 1 (mod 100). Answer: (77).
(b) 100 − 𝜑(100) − 1 = 59.
(c) 19.
(d) Yes.
3. Answers: (a) 2. (b) 4. (c) 8. (d) Let 𝑚 = 2𝛼 𝑡 with 𝑡 odd and let 𝑡 have 𝑘 distinct
prime divisors. Then the answer is 2𝑘 for 𝛼 ≤ 1, 2𝑘+1 for 𝛼 = 2, and 2𝑘+2 for 𝛼 ≥ 3.
Hint: We have to determine the number of solutions of 𝑥2 ≡ 1 (mod 𝑚). First
examine the special cases where 𝑚 is a power of a prime (treat the odd primes and
2 separately). In the general case, convert the problem into a system of congruences
modulo the prime powers in the standard form of 𝑚.
4. (a)–(b) Apply the definition of zero divisor or Theorem 2.8.5.
(c) Prime powers.
(d) The sum is (0) for 𝑚 odd and (𝑚/2) for 𝑚 even. The product is (2) for 𝑚 = 4
and (0) for 𝑚 > 4.
(e) The integers not squarefree, i.e. which are divisible by the square of at least
one prime.
5. (a) We have to verify first of all that the operations are well defined, so the sum
and product of two such residue classes are again residue classes of this type.
The identities hold among all residue classes modulo 20, so they are valid au-
tomatically also in the subset 𝐻. The zero element is (0)20 , and the negative
of (4𝑠)20 is a (−4𝑠)20 = (20 − 4𝑠)20 . The identity element is (16)20 , the inverses
of (16)20 and (4)20 are themselves, whereas (8)20 and (12)20 are the inverses
of each other.
(b) (𝑎)40 (20)40 = (0)40 for every (𝑎) ∈ 𝐾, so every (non-zero) element is a zero
divisor. This implies that there is no identity element and thus 𝐾 is not a field.
(𝐾 is a commutative ring as can be verified similar to part (a).)
(c) Let 1 < 𝑘 < 𝑚 and 𝑘 ∣ 𝑚.
(i) The multiples of 𝑘 among the residue classes modulo 𝑚 form a commu-
tative ring 𝑅 under the addition and multiplication of residue classes.
442 Answers and Hints

(ii) If (𝑘, 𝑚/𝑘) = 1, then this ring 𝑅 has an identity element.

(iii) If (𝑘, 𝑚/𝑘) = 1 and 𝑚/𝑘 is a prime, then 𝑅 is a field.
(iv) If (𝑘, 𝑚/𝑘) ≠ 1, then every non-zero element in 𝑅 is a zero divisor, so
there is no identity element.
6. Only raising to a third power is okay. Details:
(a) Gcd: the residue class on the right-hand side generally depends on which el-
ements were chosen to represent the residue classes (𝑎)𝑚 and (𝑏)𝑚 .
(b) Third power: the definition makes sense.
(c) Cube root: the residue class on the right-hand side generally depends on which
element was chosen to represent the residue class (𝑎)𝑚 and that can depend
on the choice of the representative whether or not √ 3 𝑎 is an integer.

(d) Arithmetic mean: the situation is similar to (c). To make a more subtle anal-
ysis, we have to distinguish cases according to the parity of 𝑚. If 𝑚 is odd and
we represent the residue classes with elements providing an integer value for
(𝑎 + 𝑏)/2, then this determines the residue class ((𝑎 + 𝑏)/2)𝑚 uniquely. This
makes it possible to define (slightly artificially) the arithmetic mean of any
two residue classes. If 𝑚 is even, then picking arbitrary representatives from
the two residue classes, (𝑎 + 𝑏)/2 will be uniformly either always an integer,
or never an integer. However, ((𝑎 + 𝑏)/2)𝑚 will not be unique even in the first
case. This means that there is no way to define the arithmetic mean of two
residue classes if 𝑚 is even.
(e) Exponentiation: the residue class on the right-hand side generally depends on
which element was chosen to represent the residue class (𝑏)𝑚 .
7. Modify suitably the argument in the proof of Theorem 2.4.1. Let 𝑔1 , . . . , 𝑔𝑘 be
all elements in 𝐺. Show that 𝑎𝑔1 , . . . , 𝑎𝑔𝑘 enumerates all elements in 𝐺. This
implies (𝑎𝑔1 )(𝑎𝑔2 ) . . . (𝑎𝑔𝑘 ) = 𝑔1 𝑔2 . . . 𝑔𝑘 . Multiplying by the inverse of 𝑔1 𝑔2 . . . 𝑔𝑘 ,
we obtain the statement of the exercise.
8. Following the proof of Wilson’s Theorem, pair every element with its inverse. The
assertion follows if there are at most two elements (including the identity) whose
square is the identity. If there are more than two such elements, devise another
pairing among them, similar to the end of the hint of Exercise 2.7.1c.

A.3. Congruences of Higher Degree

3.1.

1. (a) 2. (b) 4. (c) 0. (d) 60.

2. To the ring 𝐙𝑚 , apply the theorem that a polynomial over a (commutative) ring
is divisible by 𝑥 − 𝛼 if and only if 𝛼 is a root of the (corresponding) polynomial
(function).
3.2. 443

3. Only (c) is true.

4. (a) E.g. 𝑓 = 𝑥2 (𝑥 − 1) . . . (𝑥 − 11). (b) 37 ⋅ 36 ⋅ (36
11
).
5. If 𝑖 is a solution, then 𝑓(𝑖)𝑝−1 ≡ 0 (mod 𝑝), whereas if 𝑖 is not a solution, then
𝑓(𝑖)𝑝−1 ≡ 1 (mod 𝑝) by Fermat’s Little Theorem.
6. Rely on the proof of Wilson’s Theorem in this section: the product is (−1)𝑗+1 𝑎𝑝−1−𝑗
where 𝑎𝑝−1−𝑗 is the relevant coefficient of the polynomial 𝑓 used in the proof.
7. Replace 𝑥𝑝−1 in 𝑓 by 1 as long as possible.
8. Treat the problem among polynomials over the field 𝐙𝑝 . The polynomial function
belonging to the polynomial 𝑓 is described by the values assumed at the 𝑝 elements
of the field. The interpolation by Lagrange or Newton guarantees a unique polyno-
mial 𝑔 of degree at most 𝑝−1 (or 𝑔 is the zero polynomial) that assumes the required
values at the given elements of the field. This means that now 𝑔 and 𝑓 assume the
same values at each place. There are several methods for the construction of the
interpolation polynomial but we always need all values of 𝑓. This means that we
have to know all the roots and thus also the number of solutions. Therefore, we
cannot use the interpolation polynomial for determining the number of solutions.
9. Assume that both polynomials 𝑔1 and 𝑔2 meet the requirements and consider ℎ =
𝑔1 −𝑔2 . The degree of ℎ modulo 𝑝 is at most 𝑝−1 by the conditions. However, every
𝑐 is a solution of ℎ(𝑥) ≡ 0 (mod 𝑝), so there are 𝑝 solutions. The only possibility
to avoid a contradiction is that ℎ has no degree modulo 𝑝, i.e. every coefficient of ℎ
is a multiple of 𝑝.
10. Modify the first proof of Theorem 3.1.3 using Exercise 2.4.15b.

3.2.

1. (a) 1. (b) 2. (c) 12. (d) 46. (We can exlude 23 as possible order even without
any computations using 43 ≡ −22 (mod 47) and Fermat’s Little Theorem.)
2. There is an appropriate 𝑎 only in (c).
3. 9, 21, and 63.
4. Use (𝑎𝑖 )𝑡 = 𝑎𝑖𝑡 and assertion (i) in Theorem 3.2.2. The most difficult part (c) (con-
taining (a) and (b) as special cases) can be verified as follows:
𝑘 | 𝑖 𝑘 |
1 ≡ (𝑎𝑖 )𝑡 = 𝑎𝑖𝑡 (mod 𝑚) ⟺ 𝑘 ∣ 𝑖𝑡 ⟺ |𝑡 ⟺ | 𝑡.
(𝑖, 𝑘) | (𝑖, 𝑘) (𝑖, 𝑘) |

5. (a) 10 and 30 (show examples that both really do occur).

(b) 36.
7. 16.
8. (a) 𝑝 ∣ 𝑎3 − 1 = (𝑎 − 1)(𝑎2 + 𝑎 + 1) but 𝑝 ∤ 𝑎 − 1.
(b) Answer: 6. Hint: (1 + 𝑎)2 ≡ 𝑎 (mod 𝑝) by (a).
444 Answers and Hints

9. 16.
10. (a) The modulus of the congruences is 𝑚:
𝑎𝑛 ≡ 1 ⟺ 𝑜𝑚 (𝑎) ∣ 𝑛
⟺ 𝑜𝑚 (𝑎) ∣ (𝑛, 𝑘) ⟺ 𝑎(𝑛,𝑘) ≡ 1.
𝑎𝑘 ≡ 1 ⟺ 𝑜𝑚 (𝑎) ∣ 𝑘
(b) By (a), the common divisors of 𝑎𝑛 − 1 and 𝑎𝑘 − 1 are the same as the divisors
of 𝑎(𝑛,𝑘) − 1.
11. For a proof by contradiction, assume that both 𝑎𝑛 ≡ 1 and 𝑎𝑘 ≡ −1 (mod 𝑚) hold
for some 𝑚 > 2. Then 𝑜𝑚 (𝑎) ∣ 𝑛 implies that 𝑜𝑚 (𝑎) is odd. Further, 𝑎2𝑘 ≡ 1
(mod 𝑚) yields 𝑜𝑚 (𝑎) ∣ 2𝑘. Hence, 𝑜𝑚 (𝑎) ∣ 𝑘, so 𝑎𝑘 ≡ 1 (mod 𝑚), a contradiction.
12. To prove 𝑎𝑠 ≡ −1 (mod 𝑝) ⟹ 𝑜𝑝 (𝑎) is even, follow the previous hint. This part
is true for any modulus 𝑚 > 2 instead of 𝑝. For the converse, let 𝑜𝑝 (𝑎) = 2𝑘,
then 𝑎𝑘 ≡ −1 (mod 𝑝). This is false in general for composite moduli, consider
e.g. 𝑚 = 15 and 𝑎 = 4.
13. (b) Use that 𝑎𝑘 ≡ 1 (mod [𝑚, 𝑛]) holds if and only if both congruences 𝑎𝑘 ≡ 1
(mod 𝑚) and 𝑎𝑘 ≡ 1 (mod 𝑛) are valid.
14. Answer: 7. Hint: We ask how many 𝑥 ≢ 1 (mod 1000) satisfy 𝑥2 ≡ 1 (mod 1000).
Instead of mod 1000, consider the system 𝑥2 ≡ 1 (mod 125), 𝑥2 ≡ 1 (mod 8).
15. (a) (𝑎𝑏)[ᵆ,𝑣] = 𝑎[ᵆ,𝑣] 𝑏[ᵆ,𝑣] ≡ 1 ⋅ 1 = 1 (mod 𝑚), so 𝑜(𝑎𝑏) ∣ [𝑢, 𝑣]. Thus 𝑜(𝑎𝑏) =
𝑢𝑣 can occur only for (𝑢, 𝑣) = 1. To prove the converse, assume (𝑎𝑏)𝑡 ≡ 1
(mod 𝑚); we have to show 𝑢𝑣 ∣ 𝑡. To eliminate 𝑎, raise the congruence to the
𝑢th power: 1 ≡ 𝑎𝑡ᵆ 𝑏𝑡ᵆ ≡ 𝑏𝑡ᵆ (mod 𝑚). This implies 𝑜(𝑏) = 𝑣 ∣ 𝑡𝑢. Since
(𝑢, 𝑣) = 1, we infer 𝑣 ∣ 𝑡. Similarly, 𝑢 ∣ 𝑡, thus 𝑢𝑣 = [𝑢, 𝑣] ∣ 𝑡.
(b) We proved 𝑜(𝑎𝑏) ∣ [𝑢, 𝑣] in (a). The other divisibility can be verified using the
ideas in the second part of (a).
16. Let 𝑑 = (𝑜(𝑎), 𝑜(𝑏)) and raise the congruence to powers of exponents 𝑜(𝑎)/𝑑 and
𝑜(𝑏)/𝑑, resp.
17. Observe that the order of 𝑎 modulo 𝑎𝑛 − 1 is just 𝑛.
18. Show that 𝑎𝑏 ≡ 1 (mod 𝑚) implies 𝑜𝑚 (𝑎) = 𝑜𝑚 (𝑏), and so 𝑜𝑚 (𝑎) + 𝑜𝑚 (𝑏) is even.
We have to treat separately the case of 𝑎 ≡ 𝑏 (mod 𝑚), i.e. 𝑎2 ≡ 1 (mod 𝑚). This
means 𝑜𝑚 (𝑎) = 2 (which is even) or 𝑎 ≡ 1 (mod 𝑚) (of order 1).
19. (a) The remainder is 1 for 𝑎 ≡ 1 (mod 𝑝) and 0 otherwise.
(b) The remainder is 1 if 𝑜(𝑎) is odd and −1 if 𝑜(𝑎) is even.
20. (a) Let 𝑎/𝑏 = 0.𝑐 1 𝑐 2 𝑐 3 . . . be the decimal representation of the rational number
𝑎/𝑏. We obtain the digits 𝑐 𝑖 from the following divisions:
10𝑎 = 𝑐 1 𝑏 + 𝑟1 where 0 ≤ 𝑟1 < 𝑏
10𝑟1 = 𝑐 2 𝑏 + 𝑟2 where 0 ≤ 𝑟2 < 𝑏
(A.3.1)
10𝑟2 = 𝑐 3 𝑏 + 𝑟3 where 0 ≤ 𝑟3 < 𝑏
⋮
3.3. 445

If some 𝑟 𝑖 = 0, then the algorithm terminates and we obtain a finite decimal

fraction. Otherwise we have 𝑟 ℎ = 𝑟𝑗 for some ℎ < 𝑗 since 𝑟 𝑖 can assume only
the values 1, 2, . . . , 𝑏 − 1. Then (A.3.1) implies 𝑐 ℎ+1 = 𝑐𝑗+1 , 𝑟 ℎ+1 = 𝑟𝑗+1 ,
so 𝑐 ℎ+2 = 𝑐𝑗+2 , 𝑟 ℎ+2 = 𝑟𝑗+2 , etc. This means that the decimal fraction is
periodic.
For the converse, assume that the decimal representation of the real number
0 < 𝛼 < 1 is finite
(A.3.2a) 𝛼 = 0, 𝑢1 𝑢2 . . . 𝑢𝑘 , 𝑢𝑘 ≠ 0,
or periodic
(A.3.2b) 𝛼 = 0, 𝑢1 𝑢2 . . . 𝑢𝑘 𝑣 1 . . . 𝑣 𝑛 𝑣 1 . . . 𝑣 𝑛 . . .
where 𝑢1 𝑢2 . . . 𝑢𝑘 is the non-periodic part (which is empty in the case of pure
periodicity, i.e. 𝑘 = 0) and 𝑣 1 . . . 𝑣 𝑛 is the (smallest) period. Then (A.3.2a)
means 𝛼 = 𝑢1 . . . 𝑢𝑘 /10𝑘 , and (A.3.2b) implies that 𝛼(10𝑛+𝑘 −10𝑘 ) is an integer.
(b) We verified this in (a) essentially.
(c) A purely periodic decimal representation can be transformed into a fraction
with denominator 10𝑛 − 1 by the procedure in (a). As 𝑏 is obtained from this
denominator after (eventual) cancellation, so (𝑏, 10) = 1.
For the converse, consider the algorithm in (A.3.1). Introducing 𝑟0 = 𝑎, we
have
𝑟0 ≡ 𝑎 (mod 𝑏)
𝑟1 ≡ 10𝑎 (mod 𝑏)
2
𝑟2 ≡ 10𝑟1 ≡ 10 𝑎 (mod 𝑏) ,
and similarly 𝑟 𝑖 ≡ 10𝑖 𝑎 (mod 𝑏) in general.
The equality 𝑟 ℎ = 𝑟𝑗 (ℎ < 𝑗) means 10ℎ 𝑎 ≡ 10𝑗 𝑎 (mod 𝑏). By (10𝑎, 𝑏) = 1,
this is equivalent to 10𝑗−ℎ ≡ 1 (mod 𝑏). Therefore, 𝑟 𝑖 = 𝑟0 = 𝑎 for some 𝑖 > 0,
so the period starts right after the decimal point and its length is equal to the
number of pairwise incongruent powers of 10 which is 𝑜 𝑏 (10).
(d) The equivalence follows from the previous parts as the rational numbers not
yet discussed must form the remaining mixed periodic case. The lengths of
the period and of the non-periodic part can be shown as in (c).

3.3.

1. All elements of the reduced residue classes represented by: (a) 3, 5. (b) 3, 7.
(c) 5, 11.
2. Take e.g. the solution of the system 𝑥 ≡ 2 (mod 11), 𝑥 ≡ 3 (mod 14), it is 𝑥 ≡ 101
(mod 154).
3. (a) Follow the arguments of (Y1) and (Y2) in the proof of Theorem 3.3.5. Find
first a primitive root modulo 5, e.g. 2 is suitable. Then test whether or not 2
is a primitive root modulo 25; it suffices to check 25−1 ≢ 1 (mod 25) which
446 Answers and Hints

holds. Since 2 is a primitive root modulo 52 , therefore it is a primitive root for

every power of 5, as well.
(b) We search for a number in the form 𝑎 = 2 + 5𝑡. It is not a primitive root
modulo 25 if and only if 1 ≡ (2 + 5𝑡)5−1 ≡ 24 + 4 ⋅ 8 ⋅ (5𝑡) (mod 25), so
𝑡 ≡ 1 (mod 5). This gives 𝑎 ≡ 7 (mod 25). We have to show that if 𝑎 is not a
primitive root modulo 25, then it cannot be a primitive root modulo 625 either;
this can be done using Theorem 3.3.2.
4. True: (b), (d), (e), (f).
5. (a) If 𝑔 is a primitive root, then 𝑔(𝑝−1)/2 ≡ −1 (mod 𝑝). So
(𝑔1 𝑔2 )(𝑝−1)/2 ≡ (−1)(−1) = 1 (mod 𝑝) .
(b) Show that if 𝑔 is a primitive root and 𝑔ℎ ≡ 1 (mod 𝑝), then ℎ is a primitive
root. Thus, such a pair 𝑔 and ℎ and a primitive root 𝑡 meet the requirements
as 𝑔ℎ𝑡 ≡ 𝑡 (mod 𝑝).
(c) These are the Fermat primes, those of the form 2𝑘 + 1 (the exponent 𝑘 must
be a power of two, see Exercise 1.4.4).
6. Let 𝑝 > 2 be a prime and 𝑔 a primitive root mod 𝑝. Then 1, 𝑔, . . . , 𝑔𝑝−2 form a
reduced residue system mod 𝑝, so
𝑝−2
(𝑝 − 1)! ≡ 1 ⋅ 𝑔 ⋅ ⋯ ⋅ 𝑔𝑝−2 = (𝑔(𝑝−1)/2 ) ≡ (−1)𝑝−2 = −1 (mod 𝑝) .
7. The remainder of the sum is 0 if 𝑝−1 ∤ 𝑘 and 𝑝−1 if 𝑝−1 ∣ 𝑘. Hint: The remainder
is the same if we consider another reduced residue system instead of 1, 2, . . . , 𝑝 − 1.
Thus, compute the sum 1𝑘 + 𝑔𝑘 + ⋯ + 𝑔(𝑝−2)𝑘 where 𝑔 is a primitive root mod 𝑝.
If 𝑔𝑘 ≡ 1 (mod 𝑝), the the remainder of the sum is clearly 𝑝 − 1. Otherwise apply
the formula for the sum of a (finite) geometric series.
8. Answer: 1 for 𝑝 > 3 and 2 for 𝑝 = 3. Hint: Form pairs of the primitive roots so
that the product of the elements in a pair is congruent to 1 mod 𝑝.
9. (a) Use Exercise 3.2.4c.
(b) Consider the values 𝑗 = 𝑡(𝑝 − 1)/𝑑 in (a) satisfying 0 ≤ 𝑗 < 𝑝 − 1. By 0 ≤ 𝑡 < 𝑑
and (𝑡, 𝑑) = 1, we have 𝜑(𝑑) such numbers.
10. One direction follows easily from Exercise 3.2.4a. For the other, write 𝑎 and 𝑏 as
powers of a primitive root 𝑔 and use Exercise 3.2.4c. Another option: For (𝑐, 𝑝) = 1,
the number of elements with order 𝑜𝑝 (𝑐) is the same as the number of powers of 𝑐
with order 𝑜𝑝 (𝑐).
11. Every proposition remains valid if we replace 𝑝 − 1 by 𝜑(𝑚).
12. (a) It is sufficient to verify
𝛼−3
52 = 1 + 𝑡2𝛼−1 where 𝑡 is odd (and 𝛼 ≥ 3).
We can prove this by induction on 𝛼.
(b) The congruence is false mod 4.
(c) The given 𝜑(𝑚) numbers are coprime to 𝑚 and we easily infer from (a) and
(b) that they are pairwise incongruent modulo 𝑚.
3.4. 447

𝛼
13. Let 𝑔𝑖 be primitive roots mod 𝑝𝑖 𝑖 , 𝑖 = 1, 2, . . . , 𝑟. Then 𝑢𝑖 can be chosen as the
𝛼 𝛼
solution of the system 𝑥 ≡ 𝑔𝑖 (mod 𝑝𝑖 𝑖 ), 𝑥 ≡ 1 (mod 𝑚/𝑝𝑖 𝑖 ). For 𝑚 even, use
Exercise 3.3.12c. Let 𝛼 be the exponent of 2 in the standard form of 𝑚. For 𝛼 = 1,
there is no need for any change in the formula. For 𝛼 = 2, we have to insert a
factor 𝑢𝑗 into the product of powers where 0 ≤ 𝑗 < 2 = 𝜑(4). For 𝛼 ≥ 3, we need
an extra factor 𝑢𝑗 𝑣𝑘 where 0 ≤ 𝑗 < 2 and 0 ≤ 𝑘 < 2𝛼−2 . The values of 𝑢 and 𝑣
are the solutions of the systems 𝑥 ≡ −1 (mod 2𝛼 ), 𝑥 ≡ 1 (mod 𝑚/2𝛼 ), and 𝑥 ≡ 5
(mod 2𝛼 ), 𝑥 ≡ 1 (mod 𝑚/2𝛼 ).
14. (a) For a polynomial 𝐹 with integer coefficients, let deg 𝐹 denote the degree of
𝐹 and 𝑁(𝐹) the number of solutions of 𝐹(𝑥) ≡ 0 (mod 𝑝). Theorem 3.1.2
implies 𝑁(𝐹) ≤ deg 𝐹. If 𝑥𝑝−1 − 1 = 𝑓ℎ, then every element of a reduced
residue system satisfies (at least) one of the congruences 𝑓(𝑥) ≡ 0 (mod 𝑝)
and ℎ(𝑥) ≡ 0 (mod 𝑝) by Fermat’s Little Theorem and the prime property of
𝑝. Hence
𝑝 − 1 ≤ 𝑁(𝑓) + 𝑁(ℎ) ≤ deg 𝑓 + deg ℎ = 𝑝 − 1.
Thus we have equality everywhere, so 𝑁(𝑓) = deg 𝑓.
(b) Apply (a) for the polynomials 𝑓𝑖 .
(c) 𝑜𝑝 (𝑐) = 𝑞𝛽 if and only if 𝑓1 (𝑐) ≡ 0 (mod 𝑝) but 𝑓2 (𝑐) ≢ 0 (mod 𝑝). The
existence of such a 𝑐 now follows from (b).
𝛽 𝛽
(d) Let 𝑑 = 𝑞1 1 . . . 𝑞𝑟 𝑟 be the standard form of 𝑑. By (c), there exist 𝑐 𝑖 with 𝑜𝑝 (𝑐 𝑖 ) =
𝛽
𝑞𝑖 𝑖 (𝑖 = 1, 2, . . . , 𝑟). Then 𝑜𝑝 (𝑐 1 . . . 𝑐𝑟 ) = 𝑑 by Exercise 3.2.15a.

3.4.

1. The condition implies 𝑝 ∣ 73 − 2 = 11 ⋅ 31. Thus, the only candidates are 𝑝 = 11

and 𝑝 = 31. Since 7 is a primitive root mod 11 but not mod 31, the only solution is
𝑝 = 11.
2. (a) 0. (b) (𝑝 − 1)/2. (c) (𝑝 + 1)/2.
3. (a) We exhibit powers of 𝑔 congruent to 𝑎𝑏 in two ways:
𝑔ind(𝑎𝑏) ≡ 𝑎𝑏 ≡ 𝑔ind 𝑎 ⋅ 𝑔ind 𝑏 = 𝑔ind 𝑎+ind 𝑏 (mod 𝑝) .
Hence, the exponents of 𝑔 in the first and last terms are congruent mod 𝑝 − 1.
(b) We argue as in (a):
𝑘) 𝑘
𝑔ind(𝑎 ≡ 𝑎𝑘 ≡ (𝑔ind 𝑎 ) = 𝑔𝑘⋅ind 𝑎 (mod 𝑝) .
4. Follow the method of the previous exercise.
5. 𝑜𝑝 (𝑎).
6. This is just a reformulation of asssertion (i) in Theorem 3.3.4.
7. (a) By the previous exercise, both conditions are equivalent to 𝑎 being a primitive
root mod 𝑝.
448 Answers and Hints

(b) By Exercise 3.2.4c, 𝑜𝑝 (𝑎) = (𝑝 − 1)/(ind 𝑎, 𝑝 − 1) independent of the choice of

the primitive root.
8. Use Exercise 3.4.6.
9. Start from the hint to Exercise 3.4.7b.
10. The upper row in each table lists the least positive representatives of the reduced
residue classes mod 𝑝 in increasing order and the lower row contains their indices
with base 𝑔.
(a) 𝑝 = 7, 𝑔 = 3:
1 2 3 4 5 6
0 2 1 4 5 3
(b) 𝑝 = 11, 𝑔 = 2:
1 2 3 4 5 6 7 8 9 10
0 1 8 2 4 9 7 3 6 5
(c) 𝑝 = 17, 𝑔 = 3:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
0 14 1 12 5 15 11 10 2 3 7 13 4 9 6 8
11. For 𝑝 ∣ 𝑎, the multiples of 𝑝 serve as 𝑘. For (𝑎, 𝑝) = 1, let 𝑔 be a primitive root
mod 𝑝. Then the solutions of the system 𝑥 ≡ 𝑔 (mod 𝑝), 𝑥 ≡ ind𝑔 𝑎 (mod 𝑝 − 1)
can be taken as 𝑘. The exercise can be solved also without primitive roots, relying
just on Fermat’s Little Theorem: Choose the solutions of the system 𝑥 ≡ 𝑎 (mod 𝑝),
𝑥 ≡ 1 (mod 𝑝 − 1) as 𝑘.

3.5.

1. (a) No solution.
(b) 𝑥 ≡ 51 (mod 101). Hint: Use Fermat’s Little Theorem.
(c) 𝑥 ≡ ±2 (mod 23). Hint: We get 𝑥2 ≡ 4 (mod 23) after the usual reduction.
(d) 𝑥 ≡ 0, ±6, ±7 (mod 17).
(e) 𝑥 ≡ 0, 2, 5, 6 (mod 13).
(f) 𝑥 ≡ ±5 (mod 11). Hint: As 𝑥 ≡ 0 (mod 11) is not a solution, we can replace
𝑥20 by 1 during the reduction.
2. (a) Answer: 12. Hint: Add the numbers of solutions of 𝑥30 ≡ 1 (mod 73) and
𝑥45 ≡ 1 (mod 73) and subtract the number of common solutions. The latter
are the solutions of 𝑥(30,45) ≡ 1 (mod 73).
(b) Answer: (𝑘 + 1, 30) if 31 ∣ 𝑘 + 1, and (𝑘 + 1, 30) − 1 otherwise. Hint: The left-
hand side can be written as (𝑥𝑘+1 −1)/(𝑥 −1). Thus the solutions are the same
as the solutions of 𝑥𝑘+1 ≡ 1 (mod 31) except perhaps for 𝑥 ≡ 1. Therefore, we
have to check separately for which 𝑘 does 𝑥 ≡ 1 (mod 31) satisfy the original
congruence.
3.6. 449

3. 𝑎 ≡ 0, ±1 (mod 𝑝).
4. The condition for solvability is (𝑘, 𝑝 − 1) ∣ ind𝑔 𝑔 = 1. The number of solutions is
(𝑘, 𝑝 − 1) = 1.
5. 𝑥 ≡ 𝑐𝑏𝑖 (mod 𝑝), 𝑖 = 1, . . . , 𝑟.
6. (a) 1. (b) ±1.
7. (𝑘, 𝑝 − 1) = 1.
8. For 3 and the primes of the form 3𝑡 − 1.
9. Use any of the two criteria in Theorem 3.5.3 or Definition 3.5.2 (in the latter case
we need Fermat’s Little Theorem for (b)).
10. (𝑘, 𝑝 − 1) = 2.
11. (a) Answer: 1 if 𝑝−1 ∣ 𝑘, and 0 otherwise. Hint: Put 𝑑 = (𝑘, 𝑝−1). The 𝑘th power
residues can be written as 𝑔𝑟𝑑 where 0 ≤ 𝑟 < (𝑝 − 1)/𝑑. Apply the formula for
the sum of a finite geometric series. Another way: In the sum of Exercise 3.3.7,
every 𝑘th power residue occurs (𝑘, 𝑝 − 1) times. A third possibility: Observe
that the 𝑘th power residues are just the roots (with multiplicity one) of the
𝑝−1
polynomial 𝑥 (𝑘,𝑝−1) − 1 over 𝐙𝑝 . Apply the law connecting the roots and the
coefficients (Viète’s formulas) for this polynomial.
𝑝−1
(b) Answer: −1 or 1 according as is even or odd. Hint: Form pairs
(𝑘, 𝑝 − 1)
from the 𝑘th power residues so that the product of the elements in each pair
is congruent to 1. Two other options: Write the 𝑘th power residues as in the
first hint to (a), or apply the third hint to (a).
12. See the hint to Exercise 3.5.9. Generalization: 𝑎 is both a 𝑘th and an 𝑛th power
residue if and only if it is a [𝑘, 𝑛]th power residue.

3.6.

1. A homogeneous system of linear equations always has a non-trivial solution if

there are more variables than equations. (This holds not just modulo 𝑝 but over
any field.)
2. Apply Chevalley’s Theorem.
3. (a) It suffices to solve the problem for a prime power modulus 𝑝𝛼 by the Chinese
Remainder Theorem. For 𝛼 > 1, take 𝑥1 = 𝑝⌈𝛼/2⌉ , 𝑥2 = 𝑥3 = 0. For 𝛼 = 1,
the congruence 𝑥12 + 𝑥22 + 𝑥32 ≡ 0 (mod 𝑝) has a non-trivial solution (e.g. by
Chevalley’s Theorem). We may assume |𝑥𝑖 | ≤ 𝑝/2, so 0 < 𝑥12 + 𝑥22 + 𝑥32 < 𝑝2 .
Thus, 𝑥12 + 𝑥22 + 𝑥32 is a multiple of 𝑝 but not of 𝑝2 .
(b) We have to refine the procedure in (a) only in one case: if 𝛼 > 1 is odd, then
let 𝑥𝑖 = 𝑝(𝛼−1)/2 𝑦 𝑖 and apply to 𝑦 𝑖 the previous argument used for 𝛼 = 1.
450 Answers and Hints

4. The case 𝑝 = 2 is obvious. For 𝑝 > 2, by Chevalley’s Theorem, there exist integers
5
𝑢𝑖 , 1 ≤ 𝑖 ≤ 5, yielding a non-trivial solution of ∑𝑖=1 𝑥𝑖4 ≡ 0 (mod 𝑝). If e.g. 𝑢1 ≢ 0
𝑝−2
(mod 𝑝), then 𝑣 𝑖 = 𝑢1 𝑢𝑖 is another solution with 𝑣 1 ≡ 1 (mod 𝑝). We may
5
assume |𝑣 𝑖 | ≤ (𝑝 − 1)/2 also for the other 𝑣 𝑖 . Thus ∑𝑖=1 𝑣4𝑖 is a multiple of 𝑝 and
5
𝑝 − 1 4 𝑝4
0 < ∑ 𝑣4𝑖 ≤ 1 + 4( ) < .
𝑖=1
2 4

5. (a) Let 𝛾 𝑖𝑗 be the exponent of the prime 𝑞𝑖 in 𝑐𝑗 (1 ≤ 𝑖 ≤ 𝑘, 1 ≤ 𝑗 ≤ 𝑡). Ap-

𝑡
ply Chevalley’s Theorem for the polynomials 𝑓𝑖 (𝑥1 , . . . , 𝑥𝑡 ) = ∑𝑗=1 𝛾 𝑖𝑗 𝑥𝑗2 and
𝑝 = 3.
(b) The corresponding condition is 𝑡 ≥ (𝑚 − 1)𝑘 + 1.
6. Verify first that if the proposition holds for 𝑛 = 𝑟 and 𝑛 = 𝑠, then it is true for 𝑛 = 𝑟𝑠.
Taking any 2𝑟 − 1 from the 2𝑟𝑠 − 1 numbers, we can select 𝑟 of them whose sum is
a multiple of 𝑟. We repeat this for 2𝑟 − 1 from the remaining 2𝑟𝑠 − 1 − 𝑟 numbers,
etc. Show that we obtain 2𝑠 − 1 groups of size 𝑟 where the sums 𝑈1 , 𝑈2 , . . . , 𝑈2𝑠−1 of
the elements in the groups are all multiples of 𝑟. Apply now the proposition about
𝑠 for 𝑈1 /𝑟, 𝑈2 /𝑟, . . . , 𝑈2𝑠−1 /𝑟.
2𝑝−1 𝑝−1
We thus reduced the problem to the case 𝑛 = 𝑝 = prime. Let 𝑓1 = ∑𝑗=1 𝑐𝑗 𝑥𝑗 ,
2𝑝−1 𝑝−1
𝑓2 = ∑𝑗=1 𝑥𝑗 and apply Chevalley’s Theorem.

7. (a) For a proof by contradiction, assume that 𝑥𝑗 = 𝑎𝑗 , 𝑗 = 1, 2, . . . , 𝑡, is the only

solution. We have to modify the polynomial 𝐺 in the proof of Chevalley’s
Theorem to
𝑡
𝐺(𝑥1 , . . . , 𝑥𝑡 ) = ∏(1 − (𝑥𝑗 − 𝑎𝑗 )𝑝−1 ).
𝑗=1

(b) Assume that there are 𝑠 solutions 𝑎1 , . . . , 𝑎𝑠 . Form the polynomials 𝐺𝑣 for ev-
𝑠
ery solution 𝑎𝑣 (𝑣 = 1, . . . , 𝑠) as described in (a). Let 𝐺 = ∑𝑣=1 𝐺𝑣 . Following
the proof of Chevalley’s Theorem, we obtain 𝐹 ∗ = 𝐺. Comparing the degrees
yields that the coefficient of the term (𝑥1 . . . 𝑥𝑡 )𝑝−1 in 𝐺 must be 0 modulo 𝑝,
i.e. 𝑠(−1)𝑡 ≡ 0 (mod 𝑝).
8. (a) The determinant of the matrix 𝐴 is
|−𝑏 𝑎 0 ... 0|
| 0 −𝑏 𝑎 ... 0 ||
|
|0 0 −𝑏 . . . 0 | = (−𝑏)𝑝−1 + (−1)𝑝−2 𝑎𝑝−1 ≡ 0 (mod 𝑝) ,
|⋮ ⋮ ⋮ ⋱ ⋮ ||
|
|𝑎 0 0 ... −𝑏|
so 𝑟(𝐴) ≤ 𝑝 − 2. On the other hand, the minor belonging to the upper left
corner is (−𝑏)𝑝−2 ≢ 0 (mod 𝑝), so 𝑟(𝐴) ≥ 𝑝 − 2. This implies 𝑟(𝐴) = 𝑝 − 2
and the number of solutions is 𝑝 − 1 − (𝑝 − 2) = 1. (Of course, the result is
well known from Theorem 2.5.5.)
3.7. 451

(b) Every element of the matrix is 1, hence its rank is 1, implying that there are
𝑝 − 2 solutions (cf. Exercise 3.5.3).
(c) Similar to (a), we get rank 𝑝−2, so there is one solution (this follows also from
Exercise 3.5.7). The solution is 𝑥 ≡ 𝑎𝑝−2 (mod 𝑝).

9. We have to prove that the determinant of the matrix is 0 (mod 𝑝).

(a) The sum of each row is 0.

(b) Denoting the 𝑖th row by 𝑟 𝑖 , we get 𝑟1 + 𝑟2 − 𝑟3 − 𝑟4 + 𝑟5 + ⋯ = 0.

10. Let 𝐴𝑓 , 𝐴𝑔 , and 𝐴ℎ be the matrices corresponding to the three polynomials. We get
𝐴𝑔 by putting the last row of 𝐴𝑓 above the other rows without changing the order
of the others. We obtain 𝐴ℎ by reflecting 𝐴𝑓 through the main diagonal and then
make a first row from the last one. These transformations do not affect the rank
of the matrix, so the numbers of solutions are the same for the three congruences.
We can easily solve the problem without the Kőnig–Rados Theorem, too. Since
𝑓(𝑗) ≡ 𝑗𝑔(𝑗) (mod 𝑝) for (𝑗, 𝑝) = 1, the first two congruences have the same
solutions. Similarly,

𝑓(𝑎) ≡ 0 (mod 𝑝) ⟺ ℎ(𝑎−1 ) ≡ 0 (mod 𝑝)

where 𝑎−1 is the multiplicative inverse of 𝑎, i.e. 𝑎𝑎−1 ≡ 1 (mod 𝑝).

11. We can eliminate the terms of degree higher than 𝑝−1 by the reduction described in
Theorem 3.1.3. Since it is easy to see whether or not 𝑥 ≡ 0 (mod 𝑝) is a solution, we
can concentrate on finding the solutions coprime to 𝑝. Thus we can replace 𝑥𝑝−1
by 1 by Fermat’s Little Theorem. If every coefficient 𝑑𝑗 in the resulting polynomial
ℎ = 𝑑0 + 𝑑1 𝑥 + ⋯ + 𝑑𝑝−2 𝑥𝑝−2 is a multiple of 𝑝, then ℎ(𝑥) ≡ 0 (mod 𝑝) is true for
every 𝑥. Finally, if 𝑑0 ≡ ⋯ ≡ 𝑑𝑖−1 ≡ 0 (mod 𝑝) but 𝑑𝑖 ≢ 0 (mod 𝑝), then we can
apply the Kőnig–Rados Theorem to the polynomial ℎ1 = ℎ/𝑥𝑖 . The congruences
ℎ(𝑥) ≡ 0 (mod 𝑝) and ℎ1 (𝑥) ≡ 0 (mod 𝑝) will have the same same reduced residue
classes as solutions.

3.7.

1. (a) 1. (b) 0. (c) 12. (d) 73. (e) 15.

2. Use Theorem 3.7.1.

3. (a) The condition of solvability is 𝑎 ≡ 1 (mod 11) and there are ten solutions.
Hint: Use Fermat’s Little Theorem and Theorem 3.7.1.
(b) It is solvable if and only if 𝑎 ≡ 1 (mod 8) and there are four solutions.

4. The proposition follows from the proof of Theorem 3.7.1.

5. (a) 𝑥 ≡ 32 (mod 73 ). (b) No solution. (c) 𝑥 ≡ 2 + 49𝑗 (mod 73 ).

452 Answers and Hints

A.4. Legendre and Jacobi Symbols

4.1.

1. First proof: The congruence 𝑥2 ≡ 𝑐2 (mod 𝑝) is solvable as 𝑥 ≡ 𝑐 (mod 𝑝) is a

solution.
Second proof: (𝑐2 )(𝑝−1)/2 = 𝑐𝑝−1 ≡ 1 (mod 𝑝).
2
𝑐2 𝑐
Third proof: ( 𝑝 ) = ( 𝑝 ) = 1.
2. (a) 1. (b) −1. (c) −1.
3. The sum is 0. The product is 1 for 𝑝 ≡ 1 (mod 4) and −1 for 𝑝 ≡ −1 (mod 4).
4. The solution of 𝑥2 ≡ 𝑎 (mod 𝑝) must be congruent to an element 𝑗 from the re-
𝑝−1
duced residue system ±1, ±2, . . . , ±( 2 ). So, 𝑎 ≡ |𝑗|2 (mod 𝑝). Further, there
are (𝑝 − 1)/2 quadratic residues, therefore no two of the given (𝑝 − 1)/2 num-
bers can be congruent. This can be verified directly, too. Assuming 𝑢2 ≡ 𝑣2
(mod 𝑝) for some 1 ≤ 𝑢 < 𝑣 ≤ (𝑝 − 1)/2, we have 𝑝 ∣ (𝑣 − 𝑢)(𝑣 + 𝑢). How-
ever, 1 ≤ 𝑣 − 𝑢 < 𝑣 + 𝑢 ≤ (𝑝 − 1), thus none of the factors is a multiple of 𝑝, which
contradicts the prime property of 𝑝.
5. We show 𝑎 ≡ 𝑏 ≡ 0 (mod 77), which implies 5929 = 772 ∣ 𝑎2 + 𝑏2 . For a proof
by contradiction, if e.g. 𝑎 is not a multiple of (say) 7, then 7 ∣ 𝑎2 + 𝑏2 and 7 being
a prime implies that 𝑏 is not divisible by 7 either. Using 𝑎2 ≡ −𝑏2 (mod 7) and
−1
( 7 ) = −1, we get a contradiction:
2 2
𝑎 𝑎2 −𝑏2 −1 𝑏
1=( ) =( )=( ) = ( )( ) = −1.
7 7 7 7 7
6. Apply Wilson’s Theorem.
7. (±𝑎(𝑝+1)/4 )2 = 𝑎(𝑝+1)/2 = 𝑎 ⋅ 𝑎(𝑝−1)/2 ≡ 𝑎 ⋅ 1 = 𝑎 (mod 𝑝).
8. (a) If 𝑜𝑝 (𝑎) = 2𝑡 − 1, then (𝑎𝑡 )2 ≡ 𝑎 (mod 𝑝). (b) 𝑝 = 4𝑘 + 3.
9. (a) If 𝑜𝑝 (𝑔) = 𝑝 − 1, then 𝑔(𝑝−1)/2 ≢ 1 (mod 𝑝).
(b) 𝑝 = 2𝑘 + 1 (i.e. the Fermat primes, see Exercise 1.4.4 and Section 5.2).
10. 32.
2
1 𝑝+1 4𝑘 2 𝑘 𝑘
11. (a) Since 𝑝 + 1 = 4𝑘, 1 = ( 𝑝 ) = ( 𝑝
) =( 𝑝
) = ( 𝑝 ) ( 𝑝 ) = ( 𝑝 ).
(b) Argue as in (a).
12. For 𝑝 ≤ 11, at least one of the congruences is of the type 𝑥2 ≡ 0 (mod 𝑝). Other-
wise, observe that the product of the five numbers is a square. Hence, the product
of the five corresponding Legendre symbols is 1.
13. (a) 𝑥 ≡ 1 and 6 (mod 13). Hint: Eliminate the linear term by completing the
square.
4.2. 453

(b) 𝑥 ≡ −3 (mod 17).

(c) 𝑥 ≡ 0, ±8 (mod 23). Hint: 𝑥25 can be replaced by 𝑥3 according to Fermat’s
Little Theorem. Factoring out 𝑥, we get a congruence of degree four that can
be reduced to a quadratic congruence by introducing a new variable.
(d) No solution. Hint: 𝑥 ≡ 0 (mod 19) is not a solution, so multiplying by 𝑥 and
replacing 𝑥18 by 1 is an equivalent transformation.
14. (a) Apply the multiplicative property of the Legendre symbol.
(b) Let 𝑛(𝑝) = 𝑛 and 𝑟 the smallest integer satisfying 𝑟𝑛 > 𝑝. Then 0 < 𝑟𝑛−𝑝 < 𝑛,
𝑟𝑛−𝑝 𝑟𝑛 𝑟
thus 1 = ( 𝑝 ) = ( 𝑝 ) = −( 𝑝 ) yielding 𝑟 ≥ 𝑛. The assertion now follows
from (𝑟 − 1)𝑛 < 𝑝.
𝑖2
15. (a) ( 𝑝 ) = 1 for (𝑖, 𝑝) = 1 and 0 for 𝑝 ∣ 𝑖.
(b) Verify that replacing 𝑖 by 𝑎𝑖 in 𝑆(𝑎, 𝑝) the sum remains the same, but is equal
𝑎2
to 𝑆(1, 𝑝) after factoring out ( 𝑝 ) = 1.
(c) For a fixed 𝑖, the values 𝑖 + 𝑎 form a complete residue system mod 𝑝, so the
sum of the corresponding Legendre symbols is 0 by Exercise 4.1.3.
(d) This follows from the previous three parts.
𝑐
16. (a) Observe that ( 𝑝 ) + 1 is 2, 0, or 1 according to 𝑐 being a quadratic residue, a
non-residue, or a multiple of 𝑝.
−1
(b) It follows from (a) using Exercises 4.1.3 and 4.1.15d and the formula for ( 𝑝
).

4.2.

1. Solvable: (c), (e), (f). Use Wilson’s Theorem for (c). A congruence with a composite
modulus is solvable if and only if there is a solution for every prime power divisor
of the modulus.
−2 −1 2
2. (a) 𝑝 = 8𝑘 + 1 or 8𝑘 + 3. Hint: ( 𝑝
) =( 𝑝
)( 𝑝 ).
(b) 𝑝 = 12𝑘 ± 1 or 𝑝 = 3. Hint: To apply reciprocity, we need the remainder of
𝑝 > 3 mod 4, and afterwards we need the remainder of 𝑝 mod 3. Therefore, it
is best to distinguish cases according to the remainder of 𝑝 mod 12.
(c) 𝑝 = 6𝑘 + 1 or 𝑝 = 3.
(d) 𝑝 = 5𝑘 ± 1 or 𝑝 = 5.
(e) 𝑝 = 8𝑘 ± 1 or 8𝑘 + 3. Hint: Factor 𝑥4 − 4.
(f) 𝑝 = 4𝑘 + 1. Hint: Apply Theorem 3.5.1. Distinguish cases according to the
−1 2
remainder of 𝑝 mod 8 and use the formulas of ( 𝑝 ) and ( 𝑝 ).
(g) Every 𝑝. Hint: Use (e) and (f) or apply Theorem 3.5.1.
(h) Every prime except the ones of the form 24𝑘 + 17.
−2
3. Follow the hint to Exercise 4.1.5, and apply that 1999 is a prime and ( 1999 ) = −1.
454 Answers and Hints

4. The condition is equivalent to (2𝑐)8 ≡ −27 (mod 43100 ). The solvability of 𝑥8 ≡

−2
−27 (mod 43) follows from Theorem 3.5.1 and ( 43 ) = 1. The conversion to mod-
ulus 43100 is based on Exercise 3.7.2 (or Theorem 3.7.1). Finally, a residue class
obtained as a solution must contain even elements as the modulus is odd.
5. (a) If 8𝑐2 ≡ 1 (mod 𝑝), then
3 2
1 8𝑐2 2 𝑐 2
1=( )=( ) = ( ) ( ) = ( ).
𝑝 𝑝 𝑝 𝑝 𝑝
We prove the second assertion by contradiction: If every prime factor of 8𝑐2 − 1
were of the form 8𝑘 + 1, then also their product (with the corresponding mul-
tiplicity), i.e. 8𝑐2 − 1 itself would be of the form 8𝑘 + 1.
3
(b) Argue as in (a) using ( 𝑝 ) = 1.
−1
(c) Working with ( we obtain that 𝑝 ≡ 1 (mod 4) for every odd prime divisor
𝑝
),
𝑝 of 𝑐2 + 4. This implies 𝑝 ≡ 1 or 5 (mod 8) and (mod 12). Since 𝑐2 + 4 ≡ 5
(mod 8) and (mod 12), we cannot have 𝑝 ≡ 1 (mod 8) and (mod 12), for every
prime divisor.
6. (a) By reciprocity,
5
𝑎𝑖
) = (−1)(2) ,
𝑟
∏(
𝑖=1
𝑝𝑖
where 𝑟 is the number of 𝑝 𝑖 of the form 4𝑘 − 1. Further, (2𝑟) is odd if and only
if 𝑟 = 2 or 3.
𝑝
(b) The condition implies ( 𝑝 𝑖 ) = 1 for every 𝑖 ≠ 𝑗. Hence, at most one of the
𝑗
primes 𝑝 𝑖 can be of the form 4𝑘 − 1.
7. (a) Denoting the middle number by 𝑐, the sum is
𝑆 = (𝑐 − 9)2 + (𝑐 − 8)2 + ⋯ + (𝑐 + 9)2 = 19(𝑐2 + 30).
−30
As ( 19
) = −1, only the first power of 19 divides 𝑆. So 𝑆 cannot be a power.
(b) As in (a), it suffices to show that 𝑎 = (1 − 𝑝2 )/12 is a quadratic non-residue
𝑎 36𝑎 3
mod 𝑝. Observe ( 𝑝 ) = ( 𝑝 ) = ( 𝑝 ).

8. For example, 𝑓 = (𝑥2 + 1)(𝑥2 − 17)(𝑥2 + 17) is suitable.

4.3.
1. (a) 1. (b) −1. (c) −1. (d) 1.
2. (a) Let 𝑚 = 𝑝1 . . . 𝑝𝑟 . If 𝑥2 ≡ 𝑎 (mod 𝑚) is solvable, then 𝑥2 ≡ 𝑎 (mod 𝑝 𝑖 ) is
𝑎 𝑎 𝑎 𝑎
solvable for every 𝑖. Thus ( 𝑝 ) = 1 for every 𝑖 implying ( 𝑚 ) = ( 𝑝 ) . . . ( 𝑝 ) = 1.
𝑖 1 𝑟

(b) For example, 𝑚 = 9, 𝑎 = 2; or 𝑚 = 15, 𝑎 = 8, etc.

(c) 𝑚 = 𝑝2𝑘+1 (where 𝑝 is a prime, 𝑘 ≥ 0).
5.1. 455

−1
3. The case 𝑝 = 2 is obvious. Otherwise 𝑝 ≡ 1 (mod 4), implying ( 𝑝
) = 1. So we
𝑎 𝑝 𝑎2 +𝑏2
can reduce the problem to 𝑎, 𝑏 > 0. Let (say) 𝑎 be odd, then ( 𝑝 ) = (𝑎) = ( 𝑎 ) =
𝑏2
( 𝑎 ) = 1 (for 𝑎 > 1).
4. Both sums equal −1.
𝑘 −2
Hint to (b): Verify ( 2𝑘+1 ) = ( 2𝑘+1 ).
𝑎 𝑚 𝑛 𝑎
5. (a) If 𝑎 ≡ 1 (mod 4), then ( 𝑚 ) = ( 𝑎 ) = ( 𝑎 ) = ( 𝑛 ). If 𝑎 = 2𝑘 𝑡 with 𝑘 ≥ 2 and 𝑡
odd, then 𝑚 ≡ 𝑛 (mod 4) guarantees that the pairs 𝑡, 𝑚 and 𝑡, 𝑛 behave alike
2 2
concerning reciprocity. Also, ( 𝑚 ) = ( 𝑛 ) if 𝑚 ≡ 𝑛 (mod 8), i.e. 𝑘 ≥ 3. If 𝑘 = 2
2 2
(or any even number), then ( 𝑚 ) and ( 𝑛 ) play no role.
(b) Any odd 𝑚 > 1 (coprime to 𝑎) and 𝑛 = 𝑚 + 2𝑎 are suitable in both cases.
𝑟
6. (a) 0 or 𝜑(𝑚). Hint: If every ( 𝑚 ) = 1, then the sum 𝑆 is clearly 𝜑(𝑚). Otherwise
𝑐
take any 𝑐 with ( 𝑚 ) = −1 and replace every 𝑟 by 𝑐𝑟. Verify that the resulting
sum equals both 𝑆 and −𝑆.
(b) −1 if 𝑚 is an odd power of a prime of the form 4𝑘 + 3, and 1 in every other
case.
7. (a) 𝑚 is a square. Hint: The squares clearly meet the requirement. If 𝑚 is not a
square, then there is a prime 𝑝 occuring at an odd exponent in the standard
form of 𝑚, i.e. 𝑚 = 𝑝𝑘 𝑡 with (𝑡, 𝑝) = 1 and 𝑘 odd. Let 𝑐 be a quadratic non-
𝑎
residue mod 𝑝. Then ( 𝑚 ) = −1 for a solution 𝑎 of the system 𝑥 ≡ 𝑐 (mod 𝑝),
𝑥 ≡ 1 (mod 𝑡).
(b) 𝑎 is a square. Hint: Argue as in (a) using reciprocity. Be careful to handle the
negative and/or even numbers 𝑎, as well.

A.5. Prime Numbers

5.1.

1. If (say) 𝑟1 , . . . , 𝑟𝑚 is a complete residue system modulo 𝑚 > 1, then 𝑛 + 𝑟1 , . . . , 𝑛 + 𝑟𝑚

also form a complete residue system modulo 𝑚 for any 𝑛, hence 𝑚 divides one of
these elements. If 𝑚 ∣ 𝑛 + 𝑟 𝑖 and 𝑛 + 𝑟 𝑖 > 𝑚, then 𝑛 + 𝑟 𝑖 cannot be a prime.
2. (a) Let 𝑛 ≥ 7 be odd. Then 𝑛−3 ≥ 4 is even, so 𝑛−3 = 𝑝1 +𝑝2 , i.e. 𝑛 = 3+𝑝1 +𝑝2 .
(b) If an even number is the sum of three primes, then one of the primes must be
2 and 𝑛 − 2 = 𝑝1 + 𝑝2 ⟺ 𝑛 = 2 + 𝑝1 + 𝑝2 .
3. Every 𝑛 ≥ 8. — Every 𝑛 ≥ 40 and 𝑛 = 18, 24, 30, 34, and 36.
4. Only the pair 5 and 2 has this property.
5. (c) Use that for (𝑝, 𝑑) = 1, the first 𝑝 terms of the arithmetic progression form a
complete residue system modulo 𝑝.
456 Answers and Hints

6. Mersenne and Fermat: We saw in Exercise 1.4.4 that 2𝑘 − 1 is composite if 𝑘 is

composite, and 2𝑘 + 1 is composite if 𝑘 is not a power of two.
𝑛2 + 1: If 𝑛 > 1 is odd, then 𝑛2 + 1 > 2 is even, and in general, if 𝑘 < 𝑛 ≡ 𝑘
(mod 𝑘2 + 1), then 𝑛2 + 1 ≡ 𝑘2 + 1 ≡ 0 (mod 𝑘2 + 1), hence 𝑛2 + 1 is composite.
Repunit: If 𝑘 is composite, then the repunit of 𝑘 digits is composite.
333 . . . 31: These numbers are of the form (10𝑘 − 7)/3 and are primes for 2 ≤ 𝑘 ≤ 8.
If, however, 𝑘 = 2 + 30𝑟, then, by Fermat’s Little Theorem, 10𝑘 − 7 ≡ 102 − 7
(mod 31), hence (3, 31) = 1 implies
10𝑘 − 7 102 − 7
≡ = 31 ≡ 0 (mod 31) ,
3 3
thus we obtain a multiple of 31. Similarly, infinitely many of them are divisible by
17: 10 is a primitive root modulo 17, thus 10𝑠 ≡ 7 (mod 17) for some 𝑠, and then
17 ∣ (10𝑘 − 7)/3 for 𝑘 = 𝑠 + 16𝑟.
Fibonacci: Every third element is even. For any 𝑚, there are infinitely many Fi-
bonacci numbers divisible by 𝑚 (see Exercise 1.2.5).
7. Apply the theorem about interpolation polynomials: Prescribing the values at 𝑘
places, there exists exactly one suitable polynomial of degree at most 𝑘 − 1 (with
coefficients from the given field).
8. (a) If 𝑎 ≡ 𝑏 (mod 𝑓(𝑏)), then 𝑓(𝑎) ≡ 0 (mod 𝑓(𝑏)).
(b) (i) Equivalently, for a polynomial 𝑔 with integer coefficients, 𝑔(𝑛) cannot be a
constant times a prime for every 𝑛. This can be shown as in (a).
(ii) If a polynomial with complex coefficients assumes rational values at more
places than its degree, then it must have rational coefficients. This can be
proved using the interpolation polynomials.
(iii) Fix integer values for all but one variable, thus reducing the problem to
the case of a single variable.
9. (a) It follows by induction on 𝑛 from the argument in the proof of Theorem 5.1.1.
2𝑗
(b) The last digits in the integer ⌊102 𝑐⌋ are 𝑝𝑗 .
(c) 𝑐 can be computed (probably) only if we know in advance the prime numbers.
10. E.g. 𝐾 = (104 )! is suitable.

5.2.

1. (a) Verify 𝐹𝑛+1 = 𝐹𝑛 (𝐹𝑛 − 2) + 2, then use induction.

(b) Use part (a).
(c) Every Fermat number has a prime factor that does not divide any other Fermat
number.
(d) The 𝑛th prime cannot be larger than 𝐹𝑛−1 .
5.3. 457

5 10
2. For a prime 𝐹𝑛 (≠ 5), show that both ( 𝐹 ) and ( 𝐹 ) are −1. The converse can be
𝑛 𝑛
proved exactly the same way as in Theorem 5.2.2.
3. The only if part follows exactly the same way as in Theorem 5.2.2. The converse
can be proved by contradiction: we can assume then that 𝐾𝑛 has a prime divisor
𝑞 ≤ √𝐾𝑛 . Show that 𝑜𝑞 (3) = 2𝑛 or 5 ⋅ 2𝑛 . This implies 2𝑛 ∣ 𝑞 − 1 which combined
with 𝑞 ≤ √𝐾𝑛 yields the desired contradiction.
4. Apply the formula for 𝜑(𝑁).
5. Answer: 5. Hint: Show first that 𝑘 must be a power of two. Then apply Exer-
cise 5.2.1a and the fact that 𝐹5 is divisible by 641.
6. By Theorem 5.2.3, the smallest possible primes are 47, 233, 223, and 431, and these
divide the given Mersenne numbers, as can be checked quickly by repeated squar-
ings.
𝑛
8. If 22 ≡ −1 (mod 𝑞2 ), then we obtain 𝑜𝑞2 (2) = 2𝑛+1 ∣ 𝜑(𝑞2 ) = 𝑞(𝑞 − 1) as in the
proof of Theorem 5.2.1. This implies 𝑜𝑞2 (2) ∣ 𝑞 − 1, so 2𝑞−1 ≡ 1 (mod 𝑞2 ). The
statement for the Mersenne numbers can be proved similarly.
9. Besides (8, 9) only those pairs work where one element is a Fermat or Mersenne
prime and the other element is a suitable power of two.

10. If 𝑘 ∣ 𝑛 holds in 𝐻, then 𝑛/𝑘 = 𝑎 + 𝑏√3 for suitable integers 𝑎 and 𝑏, and 𝑛/𝑘 is
also rational. Using the irrationality of √3, it follows that 𝑏 = 0 and 𝑎 is integer.
The converse is straightforward.
11. It is sufficient to show that if 𝐹𝑛 is a prime, then 𝐹𝑛 ∣ 𝐻𝑘 for a suitable 𝑘. Observe
that 𝑜𝐹𝑛 (6) ∣ 𝐹𝑛 − 1, so 𝑜𝐹𝑛 (6) = 2𝑗 for some 𝑗. Then 𝐹𝑛 ∣ 𝐻𝑗−1 .

5.3.

1. Answer: 6003. (There are infinitely many primes in the reduced residue classes
and each residue class represented by a prime divisor of 9999 contains a positive
prime.)
2. The integer 𝐴 = 4𝑝1 . . . 𝑝𝑟 + 1 does not necessarily have a prime divisor of the form
4𝑘 + 1, since it can be the product of an even number of primes of the form 4𝑘 + 3.
3. (a) Adapt the proof of Theorem 5.3.2.
(b)–(h) Argue as in the proof of Theorem 5.3.3. Examine the possible forms of
prime divisors of the following numbers (rely on Exercise 4.2.5 in parts (c),
(d), (f), and (h)):
(b) 𝑛2 + 2; (c) 𝑛2 + 4; (d) 𝑛2 − 2 or 8𝑛2 − 1; (e) 5𝑛2 − 1; (f) 𝑛2 + 4;
(g) (2𝑛)2 + 3; (h) 12𝑛2 − 1.
4. Infinitely many; the question refers to the arithmetic progression 10000𝑘 + 4321.
458 Answers and Hints

5. Prove by contradiction: assume that the decimal fraction is periodic with a period
of length 𝑘 starting after an initial aperiodic part of 𝑚 digits. We know that there
are infinitely many primes having 1s as their last 2𝑘 digits, and the same holds with
3s as the last 2𝑘 digits. Therefore the period must consist purely of 1s on the one
hand, and purely of 3s on the other hand, which is impossible.
6. The condition is (𝑎, 𝑏, 𝑐) = 1. Necessity is obvious. Hint for sufficiency: Put
(𝑎, 𝑏) = 𝑠, then (𝑠, 𝑐) = 1. By Dirichlet’s theorem, 𝑎 + 𝑏𝑘 = 𝑠𝑝 for some 𝑘, where 𝑝
is a prime greater than 𝑐. Apply again Dirichlet’s Theorem to the arithmetic pro-
gression 𝑠𝑝 + 𝑐𝑛, 𝑛 = 0, 1, . . . .
𝑐
7. (a) ( 𝑝 ) = 1 e.g. for primes of the form 𝑝 = 8 ⋅ |𝑐| ⋅ 𝑘 + 1. We can verify this by
using the standard form of |𝑐| and the properties of the Legendre (or Jacobi)
symbol. (We also have to consider the cases when 𝑐 is negative or even.)
(b) Answer: 𝑐 is not a square. Hint: Use Exercise 4.3.7b (or proceed along the
lines of the solution seen there).
8. For distinct primes 𝑝1 , . . . , 𝑝𝑛−1 , 𝑓 = 𝑥(1 + 𝑘(𝑥 − 𝑝1 ) . . . (𝑥 − 𝑝𝑛−1 )) meets the
requirement for some integer 𝑘: 𝑣 1 = 𝑝1 , . . . , 𝑣 𝑛−1 = 𝑝𝑛−1 , 𝑣 𝑛 = 1.
9. Let 𝑎 and 𝑑 be fixed positive coprime integers. Then 𝑎1 = 𝑎 + 𝑟𝑑 is composite
for some 𝑟 ≥ 0. Since (𝑎1 , 𝑑 𝑠 ) = 1 for every 𝑠, the assumption implies that 𝑝𝑠 =
𝑎1 + 𝑘𝑠 𝑑 𝑠 is a prime for some 𝑘𝑠 . These primes 𝑝𝑠 are also of the form 𝑎 + 𝑘𝑑, and
there are infinitely many distinct numbers among them since 𝑘𝑠 ≠ 0.

5.4.

1. Write 𝑎 and 𝑏 as 𝑎 = ⌊𝑎⌋ + {𝑎} and 𝑏 = ⌊𝑏⌋ + {𝑏}, where 0 ≤ {𝑎}, {𝑏} < 1. Then
𝑎 + 𝑏 = ⌊𝑎⌋ + ⌊𝑏⌋ + {𝑎} + {𝑏}. If the sum of the last two terms is less than 1, then
⌊𝑎 + 𝑏⌋ = ⌊𝑎⌋ + ⌊𝑏⌋, whereas if it falls between 1 and 2, then ⌊𝑎 + 𝑏⌋ = ⌊𝑎⌋ + ⌊𝑏⌋ + 1.
2. Show first that we can restrict ourselves to integer values of 𝑥 and then observe
that there are only finitely many positive integers less than the 𝑥0 guaranteed by
Theorem 5.4.3.
3. Proceed as in the proof of Theorem 5.4.2. Combine 𝜋(𝑝𝑛 ) = 𝑛 with the upper
bound for 𝜋(𝑥) to obtain 𝑝𝑛 > (1/𝑐 2 ) ⋅ 𝑛 ⋅ log 𝑛, if 𝑛 is large enough. The other
estimate is slightly more complicated. You need to verify log 𝑝𝑛 < (1 + 𝜀) log 𝑛.
This leads to 𝑝𝑛 < (1/𝑐 1 + 𝜀) ⋅ 𝑛 ⋅ log 𝑛 for any 𝜀 > 0 if 𝑛 is large enough (depending
on 𝜀).
4. Part (a) is the logarithmic version of (b), so we need to prove only (a). We can use
the inequalities
log 𝑛 ⋅ 𝜋(𝑛) ≥ ∑ log 𝑝 ≥ log 𝑓(𝑛) ⋅ (𝜋(𝑛) − 𝜋(𝑓(𝑛)))
𝑝≤𝑛

and choosing e.g. 𝑓(𝑛) = 𝑛/(log 𝑛)2 leads to the desired result.
5.5. 459

5. (iii) is the logarithmic form of (iv). The implications (i)⇒(ii) and (i)⇒(iii) can be
verified as in Theorem 5.4.2 and Exercise 5.4.4. The converses can be proven by
similar arguments.
6. (a) The upper bound follows immediately from 𝑆(𝑛) ≤ 𝑛⋅𝜋(𝑛) and from the upper
bound for 𝜋(𝑥). For the lower bound, start from 𝑆(𝑛) ≥ (𝜋(𝑛) − 𝜋(𝑐𝑛)) ⋅ (𝑐𝑛)
where 0 < 𝑐 < 1, and show, with the help of the Prime Number Theorem,
that 𝜋(𝑛) − 𝜋(𝑐𝑛) > 𝑐′ ⋅ 𝑛/ log 𝑛 for some 𝑐′ > 0. (We can use Theorem 5.4.3
instead. Then 𝑐 must be chosen sufficiently small to guarantee the existence
of a suitable 𝑐′ .)
(b) Using 𝑝 𝑘 ∼ 𝑘 log 𝑘, show
𝜋(𝑛) 𝜋(𝑛)
𝑆(𝑛) ∼ ∑ 𝑘 log 𝑘 ∼ ∫ 𝑡 log 𝑡 𝑑𝑡.
𝑘=2 2

To evaluate the integral, apply

2𝑡2 log 𝑡 − 𝑡2 𝑛
∫ 𝑡 log 𝑡 𝑑𝑡 = and 𝜋(𝑛) ∼ .
4 log 𝑛
7. The argument is based on the fact that there are many primes up to 𝑁, so they give
rise to many sums and differences, but these sums and differences can assume only
a few even values, hence, by the pigeonhole principle, some even integer must have
many representations as such a sum or difference.
Let us see this in detail for the sums; the differences can be handled similarly. The
sum of any two odd primes not exceeding 𝑁 is an even integer not greater than 2𝑁.
The number of such sums is
𝜋(𝑁) − 1 + 1 𝑁2
( )∼ ,
2 2(log 𝑁)2
the number of even integers up to 2𝑁 is 𝑁. Therefore, (for 𝑁 large enough) there
exists an even integer that has at least
𝑁
>𝐾
3(log 𝑁)2
representations as the sum of two primes.
8. The formula is based on Wilson’s Theorem and its converse: For 𝑗 > 1, we have
𝑗 ∣ (𝑗 −1)! +1 ⟺ 𝑗 is a prime. This cannot be used to determine 𝜋(𝑛) in practice,
since no quick methods are known to compute factorials or their remainders.

5.5.

1. Apply Chebyshev’s Theorem.

2. Write the larger number in the form 𝑛 = 𝑝 + (𝑛 − 𝑝) where 𝑝 is the largest prime
not exceeding 𝑛, then repeat the process for 𝑛−𝑝 instead of 𝑛, etc. till you get 0 or 1.
The primes thus representing 𝑛 or 𝑛 − 1 will be distinct by Chebyshev’s Theorem.
460 Answers and Hints

3. (a) The integers 𝑛 with 𝑘 + 1 digits and first digit 1 satisfy 10𝑘 ≤ 𝑛 < 2 ⋅ 10𝑘 , hence
there is a prime among them for every 𝑘 by Chebyshev’s Theorem.
(b) Use part (A) in Theorem 5.5.5 instead of Chebyshev’s Theorem.
4. (a) Let 𝑝 be a prime satisfying 𝑛/2 < 𝑝 ≤ 𝑛. Writing the fractions with a com-
mon denominator, the denominator and all but one numerators are divisible
by 𝑝. Therefore, the sum cannot be an integer (it will be a fraction with a de-
nominator divisible by 𝑝). The statement can be proved without Chebyshev’s
Theorem by examining the exponent of 2 in the least common denominator
lcm(1, 2, . . . , 𝑛) and in the numerator (of the sum).
(b) For 𝑛 ≥ 2𝑘 − 1, any proof of (a) works. For 𝑛 < 2𝑘 − 1, the sum is less than 1.
5. As (2𝑛
𝑘
2𝑛
) = (2𝑛−𝑘 ), we may assume 𝑘 < 𝑛. Then
2𝑛 2𝑛 (2𝑛 − 𝑘) . . . (𝑛 + 1)
( )=( )⋅ .
𝑛 𝑘 (𝑘 + 1) . . . 𝑛
Both the numerator and the denominator of the last fraction are products of 𝑛 − 𝑘
factors, and every factor in the numerator is bigger than any factor in the denomi-
nator. Hence this fraction is larger than 1.
6. The moduli are pairwise coprime, hence this system of congruences is solvable.
The solutions form a reduced residue class modulo 𝑚 = 𝑝1 . . . 𝑝𝐾 𝑞1 . . . 𝑞𝐾 that con-
tains (infinitely many) primes 𝑝 > 𝑚, by Dirichlet’s Theorem. By the construction
of the congruences, 𝑝 − 𝑗 is divisible by 𝑝𝑗 , and 𝑝 + 𝑗 is divisible by 𝑞𝑗 . Further,
𝑝 − 𝑗 > 𝑝𝑗 , 𝑝 + 𝑗 > 𝑞𝑗 , hence each 𝑝 ± 𝑗 is composite.
7. (a) The numerator of (2𝑛 𝑛
) contains 𝑝 as a factor, whereas the denominator and
the other factors of the numerator are not divisible by 𝑝.
(b) Both the numerator and the denominator are divisible by exactly the second
power of 𝑝 (the factors 3𝑝 and 4𝑝 in the numerator and the factors 𝑝 and 2𝑝
in the denominator contain 𝑝). Generalization: If 2𝑛/(2𝑘 + 1) < 𝑝 ≤ 𝑛/𝑘 and
𝑝 > 2𝑘, then (2𝑛
𝑛
) is not divisible by 𝑝.
8. Let 𝐿 be the number of primes between 𝑛 and 2𝑛. By Exercise 5.5.7a, the product
of these primes is the quantity 𝐶 defined in the proof of Theorem 5.5.3 after (5.5.1),
hence 𝐶 < (2𝑛)𝐿 . On the other hand, (5.5.6) in the same proof implies 𝐶 > 4𝑛/4
for 𝑛 large enough, since the second term on the right-hand side of (5.5.7) can
be neglected compared to the first term. The two inequalities thus obtained for
𝐶 imply 4𝑛/4 < (2𝑛)𝐿 , and, taking logarithms, we get the statement for 𝑛 large
enough. This can be extended to every 𝑛 ≥ 2 by the argument seen in the hint to
Exercise 5.4.2.
9. (a) Use the fact that the interval (𝑛, 𝑛 + 𝑛2/3 ) contains a prime if 𝑛 is large enough.
𝑛
(b) The condition 𝑞𝑛 = ⌊𝛼3 ⌋ is equivalent to
𝑛
3𝑛
(A.5.1) √𝑞𝑛 ≤ 𝛼 < 3 √𝑞𝑛 + 1.
Using (A.5.1), choose the primes 𝑞𝑛 so that that 𝛼 should be a common ele-
ment of a nested sequence of intervals. This can be done since nestedness is
equivalent to 𝑞3𝑛 ≤ 𝑞𝑛+1 < (𝑞𝑛 + 1)3 − 1.
5.6. 461

(c) The formula in (b) gives no exact value for 𝛼, so we could prove only the exis-
tence of such an 𝛼.
10. (a) Following the proof of part (B) in Theorem 5.5.5, we get that, choosing a suit-
able 𝑐 > 0, the intervals (𝑛, 𝑛 + 𝑐 log 𝑛) contain no primes for infinitely many
values of 𝑛.
(b) By the proof of Theorem 5.5.1, the interval (𝑛, 𝑛 + 𝐾) is primefree for 𝑛 =
(𝐾 + 1)! +1. We express 𝐾 in terms of 𝑛, using the following estimates for 𝑚!
𝑚 𝑚
( ) < 𝑚! ≤ 𝑚𝑚 .
𝑒
(The upper bound is obvious, and the lower bound can be easily verified by
induction.) Taking logarithms of the inequalities (or of Stirling’s formula),
we get log 𝑚! ∼ 𝑚 log 𝑚. In our case this means log 𝑛 ∼ 𝐾 log 𝐾, yielding
𝐾 ∼ log 𝑛/ log log 𝑛.
Thus we proved that for any 𝜀 > 0 there exist infinitely many positive integers
𝑛 such that the interval (𝑛, 𝑛 + (1 − 𝜀) log 𝑛/ log log 𝑛) contains no primes.
(c) By the Remark, the interval (𝑛, 𝑛 + 𝐾) is primefree if 𝑛 − 1 is the product
of primes not greater than 𝐾 + 1. By Lemma 5.4.5, 𝑛 ≤ 4𝐾+1 , and by Exer-
cise 5.4.4b, even 𝑛 < 𝑒(1+𝜀)(𝐾+1) holds (the latter inequality requires the Prime
Number Theorem). This gives 𝐾 > 𝑐 log 𝑛, which is the result in (a), or using
the sharper inequality, we get part (B) of Theorem 5.5.5.
11. Apply similar arguments as in the proof of part (B) of Theorem 5.5.5 (we need now
inequalities in the opposite direction, of course). The only essential difference is
that the inequality corresponding to (5.5.15) would need log 𝑝𝑗 > log 𝑁 which
is false since 𝑝𝑗 < 𝑁. We can overcome this difficulty as follows: If 𝑁 > 𝑝𝑗 >
𝑁/(log 𝑁)2 , then log 𝑝𝑗 > (1 − 𝜀′ ) log 𝑁 for sufficiently large 𝑁. Therefore it is
worthwhile to write and add the inequalities corresponding to (5.5.13) for these
primes.

5.6.

1. Divergent: (a), (c), (e).

Denote the sequences by 𝐴, 𝐵, . . . , 𝐹, and the number of elements not greater than
𝑛 in them by 𝐴(𝑛), 𝐵(𝑛), . . . , 𝐹(𝑛). Then
𝐴(𝑛) ∼ 𝑐 1 𝑛; 𝐵(𝑛) ∼ √𝑛; 𝐸(𝑛) ∼ 𝑐 2 𝑛; 𝐹(𝑛) ∼ 𝑐 3 √𝑛,
where the 𝑐 𝑖 s are suitable positive constants (depending on 𝐿 except for 𝑐 3 ). For
the sequence 𝐷 we have
𝐷(𝑛) ∼ 𝑐 4 (log 𝑛)𝑘
where 𝑘 is the number of primes less than 𝐿. Here it is much simpler to prove the
weaker result
𝑐 5 (log 𝑛)𝑘 < 𝐷(𝑛) < 𝑐 6 (log 𝑛)𝑘 .
462 Answers and Hints

2. Only (c) is divergent. The corresponding integrals are

𝑑𝑥 −100
(a) ∫ = 0.01
𝑥1.01 𝑥
𝑑𝑥 −1
(b) ∫ =
𝑥(log 𝑥)2 log 𝑥
𝑑𝑥
(c) ∫ = log log log 𝑥.
𝑥 ⋅ log 𝑥 ⋅ log log 𝑥
3. Divergent: (b). Use arguments similar to the first proof of Theorem 5.6.1.
4. (a) Convergent: Rearrange the numbers according to their smallest prime divi-
sors (these are distinct from the assumption). Then 𝑎𝑛 ≥ 𝑝𝑛2 , so
∞ ∞
1 1
∑ ≤ ∑ 2 < ∞.
𝑎
𝑛=1 𝑛 𝑛=1 𝑝𝑛

(b) Convergent: By assumption, 𝑎𝑛 ≥ 22 log 𝑛 = 𝑛2 log 2 . Since 𝛼 = 2 log 2 > 1,

∞ ∞
1 1
∑ ≤ ∑ 𝛼 < ∞.
𝑎
𝑛=1 𝑛 𝑛=1
𝑛

(c) Divergent: 𝑎𝑛 < 𝑐𝑛 with 𝑐 = 101001 , if 𝑛 is large enough.

(d) Both convergence and divergence are possible.
(e) Convergent: Rearrange the elements according to the number of their divi-
sors, so 𝑑(𝑎𝑛 ) ≥ 𝑛 by assumption. By Exercise 1.6.11c, this implies 𝑛 ≤ 2√𝑎𝑛 ,
i.e. 𝑎𝑛 ≥ 𝑛2 /4. Apply the fact that the sum of reciprocals of the squares is
convergent.
5. It makes no sense; the value of the sum is strongly influenced by the first few terms.
For example, adjoining 2 and 3 to the cubes, the sum of reciprocals will exceed the
sum of reciprocals of the squares, whereas the cubes grow much faster than the
squares. Thus the sequence of cubes (plus the numbers 2 and 3) is less dense than
the sequence of squares.
6. Argue as in the third proof of Theorem 5.6.1.
7. If the sequence 𝑎𝑗 does not tend to 0, then it is easy to see that the infinite series
diverges and the infinite product is 0. Hence, we may assume that the sequence 𝑎𝑗
tends to 0. Taking the logarithm of the infinite product, we have
∞ ∞
∏(1 − 𝑎𝑗 ) = 0 ⟺ ∑ − log(1 − 𝑎𝑗 ) = ∞.
𝑗=1 𝑗=1

Use the fact that 0 < 𝑎𝑗 < 1/2 implies 𝑎𝑗 < − log(1 − 𝑎𝑗 ) < 2𝑎𝑗 .
8. It is more convenient to prove the corresponding inequality for the logarithms of
the two sides. Use Theorem 5.6.2 and the fact that − log(1 − 𝑎) can be well approx-
imated by 𝑎 for 0 < 𝑎 ≤ 1/2.
9. (a) Divergent: For even numbers 𝑛 = 2𝑘 we have 𝑛𝑝(𝑛) = 4𝑘, and ∑𝑘 1/(4𝑘) is
divergent.
5.7. 463

(b) Convergent. Let 𝑞 be a fixed prime and 𝑆𝑞 the sum of reciprocals of the integers
𝑛 satisfying 𝑃(𝑛) = 𝑞. Verify
1 1
𝑆𝑞 = ∏ .
𝑞 𝑝≤𝑞 1 − 1
𝑝

This implies 𝑆𝑞 < 𝑐(log 𝑞)/𝑞, by Exercise 5.6.8. Hence,

∞
1 𝑆𝑞 log 𝑞
∑ =∑ < 𝑐 ∑ 2 < ∞.
𝑛=2
𝑛𝑃(𝑛) 𝑞
𝑞 𝑞
𝑞

10. To prove the observation, let 𝑠 be the period of the rational number and consider
only those 𝑖 > 𝑖0 for which 𝑎𝑖 falls into the periodic part. Show that there can be at
∞ ∞
most 𝑠 such 𝑎𝑖 with exactly 𝑡 digits (for any 𝑡). Hence, ∑𝑖>𝑖 1/𝑎𝑖 < 𝑠 ∑𝑡=1 1/10𝑡−1 <
0
∞.

5.7.

1. (a) Consider the step 𝑟 𝑘 = 𝑟 𝑘+1 𝑞𝑘+2 + 𝑟 𝑘+2 in the algorithm. If we decrease the
product after the equality sign using 𝑟 𝑘+1 > 𝑟 𝑘+2 and 𝑞𝑘+2 ≥ 1, we obtain the
desired inequality 𝑟 𝑘 > 2𝑟 𝑘+2 .
(b) 2 log2 𝑏.
(c) We get the smallest 𝑏, if (𝑎, 𝑏) = 𝑟𝑠−1 = 1 and the quotients 𝑞𝑖 are minimal,
i.e. 𝑞𝑠 = 2 and 𝑞𝑖 = 1 for 𝑖 < 𝑠. Then, starting from the end, the algorithm
gives
𝑟𝑠−1 = 1, 𝑟𝑠−2 = 2, 𝑟𝑠−3 = 𝑟𝑠−2 + 𝑟𝑠−1 , ... , 𝑏 = 𝑟1 + 𝑟2 ,
thus 𝑟𝑠−𝑗 = 𝜑𝑗+1 and 𝑏 = 𝜑𝑠+1 , by the recursion for the Fibonacci numbers.
2. The gcd of the numerator and the denominator does not change during the process
(even when halving the numerator, since the denominator is odd, hence so is the
gcd). As the procedure is a variant of the Euclidean algorithm, we reach finally
(𝑎, 𝑏) = 𝑑. This 𝑑 appears in the numerator, since the new numbers occur there
after each step. Then the denominator 𝑣 satisfies (𝑑, 𝑣) = (𝑎, 𝑏) = 𝑑, thus 𝑑 ∣ 𝑣.
3. 341 = 11 ⋅ 31. Note that
𝜑(11) ∣ 340 ⇒ 2340 ≡ 1 (mod 11) and
5 340
2 ≡ 1 (mod 31) ⇒ 2 ≡ 1 (mod 31) .
This implies 2340 ≡ 1 (mod 11 ⋅ 31), so 341 is a pseudoprime of base 2. But
3340 ≡ 310 ≢ 1 (mod 31) ⇒ 3340 ≢ 1 (mod 341) ,
so 341 is not a pseudoprime of base 3.
5. As 𝑝 is odd, we have
𝑎𝑝 − 1 𝑎𝑝 + 1
𝑛= ⋅ =
𝑎−1 𝑎+1
𝑝−1 𝑝−2
= (𝑎 +𝑎 + ⋯ + 1)(𝑎𝑝−1 − 𝑎𝑝−2 + ⋯ + 1),
464 Answers and Hints

implying that 𝑛 is odd and composite. The validity of 𝑎𝑛−1 ≡ 1 (mod 𝑛) follows
from 𝑎2𝑝 ≡ 1 (mod 𝑛) and 𝑛 ≡ 1 (mod 2𝑝); the latter can be verified by considering
𝑛(𝑎2 − 1) = 𝑎2𝑝 − 1 modulo 𝑝 and using that 𝑛 is odd.
6. 561 = 3 ⋅ 11 ⋅ 17. To prove (𝑎, 561) = 1 ⟹ 𝑎560 ≡ 1 (mod 561), it is sufficient to
verify this for the moduli 3, 11, and 17, which follow from Fermat’s Little Theorem.
7. (a) ⇒ (b): If 𝑛 is not squarefree, then we get a contradiction following the relevant
parts in the proof of Theorem 5.7.4 (but disregarding (5.7.2) there, of course). If
𝑝 ∣ 𝑛, then consider a primitive root 𝑔 mod 𝑝 coprime to 𝑛 (this can be guaranteed
by a suitable system of congruences as seen in the proof of Theorem 5.7.4). Then
(𝑔, 𝑛) = 1 ⟹ 𝑔𝑛−1 ≡ 1 (mod 𝑛)
⟹ 𝑔𝑛−1 ≡ 1 (mod 𝑝)
⟹ 𝑜𝑝 (𝑔) = 𝑝 − 1 ∣ 𝑛 − 1.
(b) ⇒ (c): Since 𝑛 is squarefree, it is sufficient to verify 𝑎𝑛 ≡ 𝑎 (mod 𝑝) for every
prime divisor 𝑝 of 𝑛. This is obvious for 𝑝 ∣ 𝑎. If (𝑝, 𝑎) = 1, then Fermat’s Little
Theorem and 𝑝 − 1 ∣ 𝑛 − 1 imply 𝑎𝑛−1 ≡ 1 (mod 𝑝), and multiplying by 𝑎 we get
the desired congruence.
(c) ⇒ (a): If (𝑎, 𝑛) = 1, then we can divide 𝑎𝑛 ≡ 𝑎 (mod 𝑛) by 𝑎 to get 𝑎𝑛−1 ≡ 1
(mod 𝑛).
8. Use condition (b) of Exercise 5.7.7.
9. (a) If luckily we get 1 < (𝑎, 𝑛) < 𝑛, then we verified not only the compositeness
of 𝑛, but also found a non-trivial divisor. (This has, however, a very small
probability, see part (b).)
(b) Roughly 10−100 .
10. (𝑎 − 1, 𝑛) (or (𝑎 + 1, 𝑛)) is a non-trivial divisor.
11. First we check whether or not 𝑛 is a prime. Then we can clearly restrict ourselves
to the case when 𝑛 is odd and composite.
We see, using a quick algorithm, if 𝑛 is a perfect power: we check whether 𝑘√𝑛 is
an integer for some 2 ≤ 𝑘 ≤ log2 𝑛. If 𝑛 = 𝑚𝑘 , then it suffices to factor 𝑚. The
initial condition also holds for 𝑚, since 𝜑(𝑚) ∣ 𝜑(𝑛), hence the given multiple of
𝜑(𝑛) is a multiple of 𝜑(𝑚). Thus we may assume that 𝑛 is not a perfect power.
We choose (say) 1000 random values 𝑛 ∤ 𝑎 and compute (𝑎, 𝑛). If (𝑎, 𝑛) > 1, then
we can decompose 𝑛 into the product of two non-trivial factors, by Exercise 5.7.9.
If (𝑎, 𝑛) = 1, then adapting the basic idea in Theorem 5.7.5 to our case, consider
the sequence
𝑒 𝑒
𝑎𝑒 , 𝑎 2 , 𝑎 4 , . . . ,
where we know that 𝑒 is a multiple of 𝜑(𝑛). The remainder modulo 𝑛 of the first
element is 1 from the Euler–Fermat Theorem. In the squarefree part of the proof of
Theorem 5.7.5, we only used that 𝑛 is not a prime power, and we can show the same
way that at least half of the elements in a reduced residue system modulo 𝑛 generate
a sequence of remainders where the 1s are followed by a remainder different from
±1, and so we can factor 𝑛, by Exercise 5.7.10.
5.7. 465

If 𝑛 = 𝑛1 𝑛2 with 𝑛𝑖 > 1, then we repeat the entire process for 𝑛1 and 𝑛2 (𝜑(𝑛𝑖 ) ∣ 𝜑(𝑛)
implies that we can use the same exponent 𝑒), and proceed similarly till we get the
prime factorization of 𝑛. Since the number of prime factors is at most log2 𝑛 and
each factorization requires at most 𝑐 log2 𝑛 steps, we get the complete factorization
in not more than 𝑐(log2 𝑛)2 steps with a suitable constant 𝑐.
12. This idea does not work in practice since no quick methods are known for com-
puting factorials or their remainders.
13. (a) Argue as in the part in the proof of Theorem 5.7.4 where we showed that there
are at least as many witnesses as accomplices, provided there are witnesses at
all.
(b) Let 𝑛 > 1 be odd. Choose (say) 1000 random values 𝑎 ≢ 0 (mod 𝑛) and check
the validity of 𝑎𝑛−1 ≡ 1 (mod 𝑛). If it is false in at least one case, then 𝑛 must
be composite. If it is true in all the 1000 cases, then the probability of 𝑛 not
being a prime or a universal pseudoprime is less than 2−1000 .
14. We check 𝑅 integers 𝑎. If 𝑛 is a prime, then we always obtain remainders ±1 and
the probability of pure 1s is 2−𝑅 . (Thus we can make an error also in the opposite
direction at this test by declaring a prime falsely to be a composite integer.) If 𝑛 is
composite, then we can proceed as in the proofs of Theorems 5.7.4 and 5.7.5.
15. Apply a suitable modification of the argument in the hint to Exercise 5.2.3.
16. (a) Verify 𝑜𝑛 (𝑎) = 𝑛 − 1.
(b) Let the standard form of 𝑛 − 1 be
𝛽 𝛽
𝑛 − 1 = 𝑝1 1 . . . 𝑝𝑟 𝑟 .
𝛽
By assumption, 𝑝𝑖 𝑖 ∣ 𝑜𝑛 (𝑎𝑖 ). Then (e.g. by Exercise 3.2.4c) there are integers 𝑏𝑖
𝛽
satisfying 𝑜𝑛 (𝑏𝑖 ) = 𝑝𝑖 𝑖 , which implies 𝑜𝑛 (𝑏1 . . . 𝑏𝑟 ) = 𝑛−1, by Exercise 3.2.15a.
(c) For a proof of contradiction, assume that 𝑛 is composite, hence it has a prime
divisor 𝑞 ≤ √𝑛. Repeat the argument of part (b) for the modulus 𝑞 instead of
𝑛. We obtain 𝑜𝑞 (𝑏) = 𝑐 > √𝑛 ≥ 𝑞 for some 𝑏, which is a contradiction.
17. We have to show that if 𝑎 generates a good sequence, then
𝑎
(A.5.2) 𝑎(𝑛−1)/2 ≡ ( ) (mod 𝑛)
𝑛
holds.
If 𝑎𝑟 ≡ 1 (mod 𝑛), deduce that both sides of (A.5.2) are 1.
𝑗
Turning to the case 𝑎2 𝑟 ≡ −1 (mod 𝑛), compute the remainder of 𝑎(𝑛−1)/2 . Then
show for any prime divisor 𝑞 of 𝑛, that 𝑜𝑞 (𝑎) is an odd multiple of 2𝑗+1 , thus 2𝑗+1 ∣
𝑎
𝑞−1. Based on that, prove that the value of ( 𝑞 ) depends on the parity of (𝑞−1)/2𝑗+1 ,
𝑎
and write ( 𝑛 ) using the standard form of 𝑛. Replace the primes 𝑞 in the standard
form of 𝑛 by the expressions obtained from 2𝑗+1 ∣ 𝑞−1, perform the multiplications
𝑎
and examine the divisibility by a suitable power of two to obtain that ( 𝑛 ) assumes
the value in (A.5.2).
466 Answers and Hints

5.8.

1. This would be an unsigned, anonymous letter that could have been falsified by a
third party in the name of 𝐴.
2. The invertibility of 𝐸 means that the congruence 𝑟𝑒 ≡ 𝑠 (mod 𝑁) has exactly one
solution in 𝑟 for any 𝑠. This congruence is equivalent to the system
(A.5.3) 𝑟𝑒 ≡ 𝑠 (mod 𝑝) , 𝑟𝑒 ≡ 𝑠 (mod 𝑞) .
By Exercise 3.5.7, each of the two congruences in (A.5.3) has exactly one solution
for every 𝑠 if and only if (𝑒, 𝑝 − 1) = (𝑒, 𝑞 − 1) = 1, i.e. (𝑒, 𝜑(𝑁)) = 1.
3. (a) It suffices to show that the congruence is valid both mod 𝑝 and mod 𝑞. Let us
see this mod 𝑝: For 𝑝 ∣ 𝑟, both sides are congruent to 0, and for (𝑝, 𝑟) = 1, we
have
𝑘(𝑞−1)
𝑟1+𝑘𝜑(𝑁) ≡ 𝑟(𝑟𝑝−1 ) ≡ 𝑟 ⋅ 1 = 𝑟 (mod 𝑝) .
(b) 𝑣 ≡ 1 (mod [𝑝 − 1, 𝑞 − 1]).
4. This causes no problem, since we use only the property that 𝑟𝑝 ≡ 𝑟 (mod 𝑝) holds
for every 𝑟 (see Exercise 5.8.3a). (In this case, however, the product (𝑝 − 1)(𝑞 − 1)
is not the same as 𝜑(𝑁), of course.)
5. Let 𝑠 ≡ 𝑟𝑒 (mod 𝑁), where 𝑠 and 𝑒 are known, and we want to find the value of 𝑟.
We raise 𝑠 to the 𝑒th power, and then raise the result to the 𝑒th power, etc., till we
get a number congruent to 𝑠:
𝑘
(A.5.4) 𝑠𝑒 ≡ 𝑠 (mod 𝑁) .
Since (𝑒, 𝜑(𝑁)) = 1, we can take 𝑒th roots in (A.5.4), by Exercise 5.8.2, so
𝑘−1
𝑠𝑒 ≡ 𝑟 (mod 𝑁) .
This means that if (A.5.4) occurs for a small 𝑘, then we can determine 𝑟. If 𝑒𝑘 ≡ 1
(mod 𝜑(𝑁)), then (A.5.4) holds by Exercise 5.8.3a, therefore the order of 𝑒 modulo
𝜑(𝑁) must not be small.
6. 𝐴 and 𝐵 can compute the value using the identities
𝑔𝑘𝐴 𝑘𝐵 = (𝑔𝑘𝐵 )𝑘𝐴 = (𝑔𝑘𝐴 )𝑘𝐵 .
Others cannot do this (hopefully) because they do not know 𝑘𝐴 or 𝑘𝐵 .
7. (a) For a proof by contradiction, assume that two subset sums are equal. Can-
celling the common terms, we get that all terms are distinct in the two sums.
By (5.8.6), the largest term is itself larger, than the complete other sum, yield-
ing a contradiction.
(b) For a proof by contradiction, assume ∑ 𝑑𝑖 = ∑ 𝑑𝑗 for some 𝑑𝑖 and 𝑑𝑗 . Then
∑ 𝑟𝑐 𝑖 ≡ ∑ 𝑟𝑐𝑗 (mod 𝑚), by (5.8.7). We can divide by 𝑟 because (𝑟, 𝑚) = 1,
𝑘−1
i.e. ∑ 𝑐 𝑖 ≡ ∑ 𝑐𝑗 (mod 𝑚). Since 𝑚 > ∑𝑖=0 𝑐 𝑖 , we can replace congruence by
equality which contradicts that 𝐶 is sum injective.
(c) It follows directly from the definition of sum injectivity.
6.1. 467

(d) To get 𝑢, we need the values 𝛿 𝑖 , i.e. which terms of the sum injective sequence
sum to the given 𝑣. For (5.8.6), we can obtain them by the greedy algorithm,
where we always take the largest possible 𝑐 𝑖 . For (5.8.7), we get the values 𝑐 𝑖
and the corresponding 𝑣′ as the smallest positive solutions of the congruences
𝑟𝑥 ≡ 𝑑𝑖 and 𝑟𝑥 ≡ 𝑣 (mod 𝑚). Then we apply the previous procedure.

A.6. Arithmetic Functions

6.1.

1. To verify multiplicativity, apply the formula for 𝑑(𝑛) (Theorem 1.6.3) or use Ex-
ercise 1.6.5a-b. To disprove complete multiplicativity, find a pair of integers 𝑎, 𝑏
satisfying 𝑑(𝑎𝑏) ≠ 𝑑(𝑎)𝑑(𝑏) (and (𝑎, 𝑏) ≠ 1).
2. (a), (c) 𝑓(𝑛) and ℎ(𝑛) are neither additive nor multiplicative.
(b) 𝑔(𝑛) is completely multiplicative.
(d) 𝑘(𝑛) is additive but not completely.
3. There is no such multiplicative ℎ: By the conditions,
0 = ℎ(6) = ℎ(2)ℎ(3) ⇒ ℎ(10)ℎ(15) = ℎ(2)ℎ(5)ℎ(3)ℎ(5) = 0 ≠ 3.
There are, however, infinitely many additive, in fact completely additive functions
ℎ. Solving the system of equations
0 = ℎ(2) + ℎ(3), 1 = ℎ(2) + ℎ(5), 3 = ℎ(3) + ℎ(5),
we obtain ℎ(2) = −1, ℎ(3) = 1, and ℎ(5) = 2. Let ℎ(7) be a parameter 𝑐, and let
ℎ(𝑝) = 0 for all other primes; there is exactly one completely additive function ℎ
satisfying these conditions: If
𝑛 = 2𝛼1 3𝛼2 5𝛼3 7𝛼4 𝑡, where (𝑡, 210) = 1 where 𝛼𝑖 ≥ 0, 𝑖 = 1, 2, 3, 4,
then
ℎ(𝑛) = −𝛼1 + 𝛼2 + 2𝛼3 + 𝑐𝛼4 .
4. If there exists such a multiplicative function 𝑓 ≠ 0, then 𝑓(1) = 1 by Theorem 6.1.6,
and if 𝑞𝑗 , . . . , 𝑞𝑤 are the prime powers in the standard form of 𝑛, then only 𝑓(𝑛) =
𝑐𝑗 . . . 𝑐𝑤 is possible by Theorem 6.1.7. Verify that the function defined this way is
multiplicative. We can proceed similarly for additive functions and in part (b).
5. True: (a), (d).
6. (a) A necessary and sufficient condition is 𝑓(𝑘) = 0.
(b) A necessary and sufficient condition is 𝑓(𝑘) = 0 in this case, too. To prove
sufficiency, consider the standard forms of 𝑎, 𝑏, and 𝑘, and compute 𝑔(𝑎) =
𝑓(𝑘𝑎), 𝑔(𝑏) = 𝑓(𝑘𝑏), and 𝑔(𝑎𝑏) = 𝑓(𝑘𝑎𝑏) by Theorem 6.1.7. Since (𝑎, 𝑏) = 1,
a prime divisor of 𝑘 cannot divide both 𝑎 and 𝑏.
468 Answers and Hints

(c) For completely multiplicative functions, a necessary and sufficient condition

is 𝑓(𝑘) = 1 or 0. In the multiplicative case, this condition is necessary but not
sufficient: consider
0, if 𝑛 ≡ 4 (mod 8) ;
𝑓(𝑛) = { for 𝑘 = 4,
1, otherwise,

then 𝑓(𝑘) = 0, but 𝑔 is not multiplicative, as 𝑔(3)𝑔(2) = 0 ≠ 1 = 𝑔(6). A

necessary and sufficient condition is 𝑓(𝑘) = 1 or 𝑓(𝑘𝑛) = 0 for every 𝑛 (we get
𝑔 = 0 in the latter case).

7. (a) Apply the relation 𝑎𝑏 = (𝑎, 𝑏)[𝑎, 𝑏].

(b) Use the standard forms of the numbers.
(c) Answer: 𝑓 is the sum of an additive and a constant function.
(d) The constant multiples of a multiplicative function always satisfy the equality.
If 𝑓(1) ≠ 0, then there are no other solutions. In the general case, all solutions
are given by the functions

0, if 𝐾 ∤ 𝑛
𝑓(𝑛) = { 𝑛
𝑐𝑔( 𝐾 ), if 𝐾 ∣ 𝑛

where 𝑔(𝑛) is multiplicative, 𝑐 is a constant, and 𝐾 is a fixed positive integer.

8. This follows directly from the definitions of multiplicativity and additivity.

9. (a), (e) These are direct consequences of the definitions.

(b)–(d) Demonstrate first that the product 𝑓𝑔 is completely additive or additive if
and only if 𝑓(𝑎)𝑔(𝑏) + 𝑓(𝑏)𝑔(𝑎) = 0 for every pair 𝑎, 𝑏 or for every coprime
pair 𝑎, 𝑏, respectively. Answer to (d): If 𝑓 ≠ 0 and 𝑔 ≠ 0, then 𝑓 and 𝑔
assume 0 at every prime power apart from the powers of one or two primes,
and in the last case, strict rules apply for the values assumed on the powers
of the two primes.
(f) It follows from Theorem 6.1.6.

10. (a) It follows directly from the definitions.

(b) We can transform the condition into (𝑓(𝑎) − 𝑔(𝑎))(𝑓(𝑏) − 𝑔(𝑏)) = 0. In the
multiplicative case, the two functions may have different values on the powers
of a single prime 𝑝, but must be equal on all other prime powers.

11. If 𝑓 = 0, then the condition implies 𝑔 = 0, so the assertion is true trivially. Oth-
erwise, looking at the values assumed at 1, we infer that only the constant 1 is
possible as the sum of the two functions. Writing the definition of multiplicativity
for 𝑓 = 1 − 𝑔 and using additivity of 𝑔, we obtain 𝑔(𝑎)𝑔(𝑏) = 0 for every (𝑎, 𝑏) = 1.
Hence 𝑔 assumes 0 and 𝑓 assumes 1 at every prime power except perhaps the pow-
ers of a single prime 𝑝. Therefore (𝑓1000 + 𝑔1000 )(𝑛) = 1 and (𝑓1000 𝑔1000 )(𝑛) = 0
if 𝑝 ∤ 𝑛. This makes it possible to check easily the desired multiplicativity and
additivity.
6.1. 469

12. We can argue as in the solution of Exercise 6.1.9d. We can start from the equalities:

(a) If ℎ = 𝑓 − 𝑔 where 𝑓 and 𝑔 are multiplicative, then

(𝑓(𝑎) − 1)(𝑓(𝑏) − 1) = (𝑔(𝑎) − 1)(𝑔(𝑏) − 1)

for any (𝑎, 𝑏) with (𝑎, 𝑏) = 1.

(b) If ℎ = 𝑓𝑔 where 𝑓 is multiplicative and 𝑔 is additive, then

𝑓(𝑎)𝑔(𝑎)(𝑓(𝑏) − 1) + 𝑓(𝑏)𝑔(𝑏)(𝑓(𝑎) − 1) = 0

for any (𝑎, 𝑏) with (𝑎, 𝑏) = 1.

13. (a) Show that the function has value 0 at infinitely many pairwise coprime inte-
gers.
(b) Let 𝑓(1) = 𝑓(2) = 1 and 𝑓(𝑛) = 0 for 𝑛 > 2.
(c) If 𝑓(𝑝𝜈𝑝 ) ≠ 0 for infinitely many primes 𝑝 with suitable exponents 𝜈𝑝 > 0,
then we infer as in part (a) that the function assumes every value of the range
infinitely often. Hence, there can be only finitely many such primes 𝑝 and we
can take 𝐾 as their maximum.

14. (a) False. A counterexample is 𝑓(𝑛) = 3 if 2 ∣ 𝑛 but 4 ∤ 𝑛, and 𝑓(𝑛) = 0 otherwise.

This 𝑓 is additive, and 𝑓(4) + 𝑓(8) = 𝑓(32), but 𝑓 is not completely additive
as 𝑓(2) + 𝑓(6) ≠ 𝑓(12).
(b) True. If (𝑐, 𝑎𝑏) = 1, then (𝑐𝑎, 𝑏) ≥ (𝑎, 𝑏) > 1, and

𝑓((𝑐𝑎)𝑏) = 𝑓(𝑐(𝑎𝑏)) = 𝑓(𝑐) + 𝑓(𝑎𝑏) = 𝑓(𝑐) + 𝑓(𝑎) + 𝑓(𝑏) = 𝑓(𝑐𝑎) + 𝑓(𝑏).

(c) False. This is another formulation of the statement in part (a).

(d) True. We can use similar arguments as in part (b).
(e) False. A counterexample is 𝑓(1) = 𝑓(2) = 1 and 𝑓(𝑛) = 0, for 𝑛 > 2.
It is worthwhile to analyze why we get different answers for parts (d) and (e):
Adding 𝑓(𝑐) to the inequality 𝑓(𝑎𝑏) ≠ 𝑓(𝑎) + 𝑓(𝑏) in (d), the inequality remains
valid, but multiplying the inequality 𝑓(𝑎𝑏) ≠ 𝑓(𝑎)𝑓(𝑏) by 𝑓(𝑐) = 0 in (e), we obtain
equality.

15. Answer: 𝜑2 (𝑛) = 𝑛 ∏𝑝∣𝑛 (1 − 2/𝑝) (where 𝑝 denotes a prime). Hint: Using si-
multaneous systems of congruences, prove that 𝜑2 (𝑛) is multiplicative. Then it is
sufficient to compute the values of the function at prime powers.

16. Verify that the functions on both sides are multiplicative; for the sum on the left-
hand side, we can argue similarly as in the previous exercise. By multiplicativity,
it is enough to check equality for prime powers.
470 Answers and Hints

6.2.

1. Let 𝑎1 , . . . , 𝑎𝑟 be all positive divisors of 𝑎, and 𝑏1 , . . . , 𝑏𝑠 be all positive divisors of

𝑏. If (𝑎, 𝑏) = 1, then 𝑎𝑖 𝑏𝑗 are all positive divisors of 𝑎𝑏, each occurring once, by
Exercise 1.6.5a-b. Thus
𝑟 𝑠 𝑟 𝑠
𝜎(𝑎𝑏) = ∑ ∑ 𝑎𝑖 𝑏𝑗 = ( ∑ 𝑎𝑖 )( ∑ 𝑏𝑗 ) = 𝜎(𝑎)𝜎(𝑏).
𝑖=1 𝑗=1 𝑖=1 𝑗=1

Then, by multiplicativity, it suffices to compute the values of 𝜎 for prime powers.

2. Use the formulas for the functions, or rely on Exercise 1.6.5a-c.
3. Since 3 ∤ 𝑛𝜑(𝑛), every prime divisor 𝑝 of 𝑛 is of the form 3𝑘 − 1. Let 𝛼 be the
exponent of such a prime 𝑝 in the standard form of 𝑛. If 𝛼 is odd, then 1 + 𝑝 is
a factor of 𝜎(𝑝𝛼 ), so 3 divides 𝜎(𝑛) which contradicts the assumption. Therefore
every 𝑝 occurs with an even exponent, thus 𝑛 is a square.
𝛼 𝛼
4. Let 𝑛 = 𝑝1 1 . . . 𝑝𝑟 𝑟 be the standard form of 𝑛. A sufficient condition for 𝑘 is
𝛼 +1 𝑘𝛼𝑖 +1
𝑝𝑖 𝑖 − 1 ∣ 𝑝𝑖 − 1, 𝑖 = 1, . . . , 𝑟.
This is definitely satisfied if
𝛼𝑖 + 1 ∣ 𝑘𝛼𝑖 + 1, or 𝛼𝑖 + 1 ∣ (𝑘 − 1)𝛼𝑖
for every 𝑖. Thus we can choose 𝑘−1 as any common multiple of the integers 𝛼𝑖 +1.
5. Answer: 𝑛. Hint: Write the sum of reciprocals using a common denominator, and
observe that if 𝑑 ranges over all divisors of 𝑛, then the same applies also for 𝑛/𝑑.
6. (a) Answer: The squares and the doubles of squares. Hint: Apply the fraction-
free form of the formula for 𝜎(𝑛). Another option: Write 𝑛 as 𝑛 = 2𝑘 𝑡 where 𝑡
is odd. Then only the number of odd divisors of 𝑛, i.e. the number of divisors
of 𝑡 is relevant to the problem. By Exercise 1.6.8, 𝑑(𝑡) is odd if and only if 𝑡 is
a square.
(b) Answer: The products of distinct Mersenne primes. Hint for necessity: Let
𝛼 𝛼
𝑛 = 𝑝1 1 . . . 𝑝𝑟 𝑟 be the standard form of 𝑛. Then
𝑟
𝛼
2𝑘 = 𝜎(𝑛) = ∏(1 + 𝑝 𝑖 + 𝑝𝑖2 + ⋯ + 𝑝𝑖 𝑖 ).
𝑖=1

Here every factor is a power of two, so it is even. Therefore 𝑝 𝑖 > 2 and 𝛼𝑖 is

odd for every 𝑖. Thus we can refine the factorization into
𝑟
𝛼 −1
2 = ∏(1 + 𝑝 𝑖 )(1 + 𝑝𝑖2 + 𝑝𝑖4 + ⋯ + 𝑝𝑖 𝑖
𝑘
).
𝑖=1

Every factor on the right-hand side is a power of two, hence 𝑝 𝑖 is a Mersenne

prime. We have to show 𝛼𝑖 = 1. For a proof by contradiction assume 𝛼𝑖 > 1.
𝛼 −1
Then 1 + 𝑝𝑖2 + 𝑝𝑖4 + ⋯ + 𝑝𝑖 𝑖 > 1 is a power of two, so it is even, hence it has
2
a factor 1 + 𝑝𝑖 which is a power of two. But this is impossible since 1 + 𝑝𝑖2 is
not even divisible by 4.
6.2. 471

7. First solution: 𝜎(𝑛) ≠ 2𝑝 where 𝑝 is an odd prime of the form 3𝑘 − 1.

Second solution: 𝜎(𝑛) ≠ 3𝑠 for 𝑠 > 1.
Third solution: Use the fact that 𝜎 assumes odd values rarely.
Fourth solution: If 𝜎(𝑥) ≤ 𝑁, then 𝑥 ≤ 𝑁. But 𝜎(𝑥) > 𝑁 also for many integers
𝑥 ≤ 𝑁, therefore at least that many values 𝑦 ≤ 𝑁 are missing from the range of 𝜎.
Fifth solution: Find many pairs 𝑥𝑖 ≠ 𝑥𝑗 for which 𝜎(𝑥𝑖 ) = 𝜎(𝑥𝑗 ), and apply similar
considerations as in the fourth solution.
8. Only 𝑛 = 1 has this property. Hint: Verify 𝑛! < 𝜎(𝑛! ) < (𝑛 + 1)! for every 𝑛 ≥ 2.
9. Observe that 𝑛 = 𝑎𝑏 implies that 𝑎 or 𝑏 is greater than or equal to √𝑛. Equality
holds if and only if 𝑛 is a prime square.
10. (a) (a1) 𝑛 is a prime. (a2) No solution. (a3) 𝑛 = 10, 49. (a4) 𝑛 = 21.
(b) Only for 𝑐 = 1.
(c) If 𝑐 = 2𝑘 + 1 > 7 and 2𝑘 = 𝑝 + 𝑞 where 𝑝 and 𝑞 are distinct primes, then
𝑛 = 𝑝𝑞 is a solution.
11. (a) (a1) 𝑛 is a prime. (a2) No solution. (a3) 𝑛 = 4. (a4) 𝑛 = 6.
(b) Only for 𝑐 = 2.
(c) 𝑐 = 4𝑘 where 𝑘 > 3.
12. (a) Infinitely many. If we find a suitable pair 𝑎0 , 𝑏0 and 𝑝 is a common prime
divisor of 𝑎0 and 𝑏0 , then 𝑎𝑘 = 𝑎0 𝑝𝑘 , 𝑏𝑘 = 𝑏0 𝑝𝑘 meet the requirement for any
𝑘. We can start with 𝑎0 = 6, 𝑏0 = 8 or 𝑎0 = 12, 𝑏0 = 14, etc.
(b) Infinitely many. If 𝑛 can be represented as 𝑛 = 𝑝1 + 𝑝2 = 𝑝3 + 𝑝4 with distinct
primes 𝑝 𝑖 , then 𝑎 = 𝑝1 𝑝2 , 𝑏 = 𝑝3 𝑝4 satisfy the equation. The existence of
infinitely many such 𝑛 (those that have at least two representations as the sum
of two distinct primes) can be proved as in Exercise 5.4.7. We note that the
same idea also works for part (a) but there we could use a simpler argument.
13. All non-trivial divisors 𝑑 of 𝑛 satisfy 2 ≤ 𝑑 ≤ 𝑛/2.
Equality: (a) 𝑛 is a prime or 𝑛 = 1, (b) and (c) 𝑛 is a prime or 𝑛 = 4.
14. Answer: 𝑛 = 6. Hint: We have to refine the method of the previous exercise.
15. (a) For (a1), use the formulas for the functions. For (a2), observe that 𝜑(𝑛) is the
signed sum of certain divisors of 𝑛. Equality holds in each case if and only if
𝑛 is a prime.
𝛼 𝛼
(b) If 𝑛 = 𝑝1 1 . . . 𝑝𝑟 𝑟 is the standard form of 𝑛, then
𝑟 𝑟
𝜎(𝑛)𝜑(𝑛) 1 1
2
= ∏(1 − 𝛼 +1 ) ≥ ∏(1 − 2 ).
𝑛 𝑖=1 𝑝𝑖 𝑖
𝑖=1 𝑝𝑖
This implies (b1) using 𝑝 𝑖 ≥ 𝑖 + 1.
To prove (b2), show
𝜎(𝑛)𝜑(𝑛) 1
inf = lim ∏ (1 − 2 )
𝑛2 𝑁→∞
𝑝≤𝑁
𝑝
and apply Exercise 5.6.6.
472 Answers and Hints

𝛼 𝛼
16. Let 𝑛 = 2𝛼 𝑝1 1 . . . 𝑝𝑟 𝑟 be the standard form of 𝑛 where 𝑝 𝑖 > 2 (𝛼 = 0 and/or 𝑟 = 0
is allowed). The condition implies 𝛼𝑖 = 1, 𝛼 ≤ 2, and 𝑟 ≤ 1, so 𝑛 = 1, 2, 4, 𝑝,
2𝑝, or 4𝑝 where 𝑝 is an odd prime. Checking these integers, we see that only the
specified four values of 𝑛 satisfy the condition.
17. Both functions assume only the values 0 and ±1.
18. (a) 3. Hint: There is a multiple of 4 among any four consecutive integers.
(b) Arbitrarily many. Hint: See Exercise 2.6.11.
19. Let 𝑆(𝑛) be the sum of the 𝑛th primitive complex roots of unity. It is sufficient to
show that 𝑆(𝑛) is multiplicative and 𝑆(𝑝𝛼 ) = 𝜇(𝑝𝛼 ) for every prime power 𝑝𝛼 . The
multiplicativity is a corollary of the observation: if (𝑘, 𝑚) = 1, then the product
of a 𝑘th and an 𝑚th primitive root of unity is a 𝑘𝑚th primitive root of unity, and
every 𝑘𝑚th primitive root of unity has a unique decomposition into such a prod-
uct. We can solve the exercise also using summation and inversion functions, see
Exercise 6.5.9a.
20. 0.
21. (a) Use the formulas for the functions, or the fact that the divisors of 𝑛 corre-
spond to certain subsets of prime divisors counted with multiplicity. If 𝑛 is
squarefree, then equality holds, otherwise we have strict inequalities.
(b) 𝑘𝜔(𝑛) ≤ 𝑑𝑘 (𝑛) ≤ 𝑘Ω(𝑛) .
22. True: (a).
23. We can proceed as for 𝜎. See the proofs of Theorem 6.2.2 and the part of Theo-
𝛼 𝛼
rem 6.2.8 concerning 𝜎, or Exercise 6.2.1. Answer: If 𝑛 = 𝑝1 1 . . . 𝑝𝑟 𝑟 is the standard
form of 𝑛 and 𝜈 ≠ 0, then
𝑟 𝑟 𝜈(𝛼𝑖 +1)
𝜈𝛼 𝑝𝑖 −1
𝜎𝜈 (𝑛) = ∏(1 + 𝑝𝑖𝜈 + 𝑝𝑖2𝜈 + ⋯ + 𝑝𝑖 𝑖 ) = ∏ .
𝑖=1 𝑖=1
𝑝𝑖𝜈 −1

6.3.

1. Use Theorem 6.3.2.

𝑟 𝛼
2. (a) If 𝑛 = ∏𝑖=1 𝑝𝑖 𝑖 is the standard form of 𝑛, then 2𝑛 = 𝜎(𝑛) is equivalent to
𝑟 𝑟
𝛼 𝛼
(A.6.1) 2 ∏ 𝑝𝑖 𝑖 = ∏(1 + 𝑝 𝑖 + ⋯ + 𝑝𝑖 𝑖 )
𝑖=1 𝑖=1

The left-hand side of (A.6.1) is divisible by exactly the first power of 2, so ex-
actly one factor on the right-hand side is even but is not a multiple of 4. There-
fore only one exponent 𝛼𝑖 is odd and the prime 𝑝 𝑖 belonging to it is necessarily
of the form 4𝑘 + 1, whereas the other exponents 𝛼𝑗 are even.
6.3. 473

(b) By part (a), 𝑛 = 𝑠2 𝑝 where 𝑝 is a prime of the form 4𝑘 + 1. This implies

immediately 𝑛 ≡ 1 (mod 4). If 3 ∣ 𝑠, then 9 ∣ 𝑛, thus 𝑛 ≡ 9 (mod 36). If 3 ∤ 𝑠,
then 3 ∤ 𝑛 as 𝑝 ≠ 3. The exponent of 𝑝 is odd in the standard form of 𝑛, so
1 + 𝑝 ∣ 𝜎(𝑛), therefore 3 ∤ 𝑝 + 1. Hence only 𝑝 ≡ 1 (mod 3) is possible, so
𝑛 = 𝑠2 𝑝 ≡ 1 (mod 3). Combining this with 𝑛 ≡ 1 (mod 4), we obtain 𝑛 ≡ 1
(mod 12).
3. (a) We have to prove 2𝑝𝛼 > 𝜎(𝑝𝛼 ) which is equivalent to 𝑝𝛼 (𝑝 − 2) > −1.
(b)
𝜎(𝑝𝛼 𝑞𝛽 ) 1 1 1 1
= (1 + + ⋯ + 𝛼 )(1 + + ⋯ + 𝛽 ) <
𝛼
𝑝 𝑞 𝛽 𝑝 𝑝 𝑞 𝑞
𝑝 𝑞 3 5
< ⋅ ≤ ⋅ < 2.
𝑝−1 𝑞−1 2 4
𝑘 𝛼
(c) Examples of abundant numbers: integers with standard form ∏𝑖=1 𝑝𝑖 𝑖 where
𝑝 𝑖 is the 𝑖th odd prime (𝑝1 = 3, 𝑝2 = 5, etc.), 𝛼1 ≥ 3, and the other exponents
𝛼𝑖 are positive integers.
Examples for deficient numbers: products of 𝑘 distinct primes 𝑞𝑖 satisfying
1 𝑘
1+ < √2.
𝑞𝑖
(d) If 𝑑1 , . . . , 𝑑𝑡 are all (positive) divisors of 𝑛, then the integers 𝑎𝑑𝑖 are distinct
divisors of 𝑎𝑛, so
𝜎(𝑎𝑛) 𝜎(𝑛)
(A.6.2) >
𝑎𝑛 𝑛
for any 𝑎 > 1. Other options to prove A.6.2 are to use the formula for 𝜎 or the
fact that 𝜎(𝑚)/𝑚 is the sum of reciprocals of the divisors of 𝑚.
(e) The product of a deficient and an abundant number is abundant, whereas
multiplying a deficient number by a sufficiently large prime, gives a deficient
number.
4. By Exercise 6.2.6a, such a number must be of the form 𝑛 = 2𝛼 𝑡2 with 𝑡 odd. We
have to show 𝛼 = 0. We can transform 𝜎(𝑛) = 2𝑛 + 1 into
(A.6.3) (2𝛼+1 − 1)(𝜎(𝑡2 ) − 𝑡2 ) = 𝑡2 + 1.
If 𝛼 ≥ 1, then the first factor on the left-hand side of (A.6.3) is of the form 4𝑘 − 1,
hence it has a prime factor of this type. But 𝑡2 + 1 cannot have such a prime divisor.
5. (a) We can apply an argument similar to the proof of Theorem 6.3.2.
(b) We have to show that 𝜎(𝑛) is odd. Write 𝜎(𝑛) = 2𝑣 𝑤 where 𝑤 is odd and get a
contradiction for 𝑣 ≥ 1.
(c) Assume that 𝑝𝛼 is superperfect, and express 𝜎(𝜎(𝑝𝛼 )) using the standard form
of 𝜎(𝑝𝛼 ).
6. (a) The harmonic mean of the divisors of 𝑛 is
𝑑(𝑛) 𝑛𝑑(𝑛)
1 = .
∑𝑑∣𝑛 𝑑 𝜎(𝑛)
474 Answers and Hints

(b) By part (a), it is enough to check that 𝑑(𝑛) is even for a perfect number 𝑛, so
𝑛 cannot be a square. This holds as 𝜎(𝑛) is odd if 𝑛 is a square, so 𝜎(𝑛) ≠ 2𝑛.
(c) For a proof by contradiction, assume 1 + 𝑝 + ⋯ + 𝑝𝛼 ∣ 𝑝𝛼 (𝛼 + 1). As (1 + 𝑝 +
⋯ + 𝑝𝛼 , 𝑝𝛼 ) = 1, we have 1 + 𝑝 + ⋯ + 𝑝𝛼 ∣ 𝛼 + 1. But this is impossible, since
1 + 𝑝 + ⋯ + 𝑝𝛼 > 𝛼 + 1.
(d) Let 𝑛 = 𝑝1 𝑝2 . . . 𝑝𝑟 where 𝑝1 < 𝑝2 < ⋯ < 𝑝𝑟 are primes. If every 𝑝 𝑖 is odd,
then
𝑝1 + 1 𝑝 +1
... 𝑟 ∣ 𝑝1 . . . 𝑝𝑟
2 2
cannot hold since (𝑝1 + 1)/2 is coprime to every factor of the right-hand side.
If 𝑝1 = 2, then necessarily 𝑝2 = 3. We see that 𝑛 = 6 is harmonic, but if 𝑛 has
further prime factors, we get a contradiction as in the previous argument.
7. (a) If 𝑎 < 𝑏 and 𝜎(𝑎) = 𝜎(𝑏) = 𝑎+𝑏, then 𝜎(𝑏) = 𝑎+𝑏 < 2𝑏 and 𝜎(𝑎) = 𝑎+𝑏 > 2𝑎.
(b) Assume that 𝑎 = 2𝑘 and 𝑏 are amicable. Then
𝜎(2𝑘 ) = 2𝑘+1 − 1 = 𝜎(𝑏) = 2𝑘 + 𝑏,
thus 𝑏 = 2𝑘 − 1, and because both 𝑏 and 𝜎(𝑏) are odd, 𝑏 = 𝑢2 . This yields
2𝑘 − 1 = 𝑢2 , which is already false modulo 4 for 𝑘 ≥ 2.

6.4.

1. We start with the canyon theorems. The proof for Ω(𝑛) is the same as for 𝑑(𝑛)
(Theorem 6.4.1), for 𝑑𝑘 (𝑛) we have to modify the moduli of the system of congru-
ences to 2𝐾+𝑘 and 3𝐾+𝑘 , and for 𝜔(𝑛) we choose two coprime moduli where each
is a product of 𝐾 + 2 distinct primes. For 𝜎(𝑛) we can take 𝑛 as a sufficiently large
prime since then 𝜎(𝑛) = 𝑛 + 1. Because 𝑛 + 1 are 𝑛 − 1 even,
𝑛−1 𝑛+1
𝜎(𝑛 − 1) > (𝑛 − 1) + and 𝜎(𝑛 + 1) > (𝑛 + 1) + .
2 2
This also gives a proof for the peak theorem for 𝜑(𝑛).
Turning to the other peak theorems and to the canyon theorem for 𝜑(𝑛), we choose
𝑛 as the product of the first 𝑟 primes as we did for 𝑑(𝑛) (Theorem 6.4.2).
The peak theorem for 𝑑𝑘 (𝑛) and 𝜎(𝑛), and the canyon theorem for 𝜑(𝑛) can be veri-
fied by a suitable modification of the proof of Theorem 6.4.2. Keeping the notation
there, for Ω(𝑛) and 𝜔(𝑛) we have to show 𝑟 − 𝑠 > 𝐾. This follows combining
𝑛 ≤ 𝑝1 . . . 𝑝𝐾+1 𝑝𝑟𝑟−𝐾−1 < 𝑝𝑟𝑟−𝐾
(for 𝑟 large enough), and
𝑛 + 1 = 𝑞1 . . . 𝑞𝑠 > 𝑝𝑟𝑠 .

2. Follow the proof of Theorem 6.4.5.

3. (a) We can take 𝑛 as a large power of the product of the first 101 primes.
6.4. 475

(b) Let 𝑛 be the product of the first 𝑟 primes. Then, using the results of Section 5.4,
we get
log 𝑛
log 𝑛 ∼ 𝑝𝑟 ∼ 𝑟 log 𝑟, and so 𝑟 ∼ .
log log 𝑛
By 𝑑(𝑛) = 2𝑟 , we get the estimate stated in the exercise.
4. Let Ω(𝑛) = 𝑠, so 𝑛 = 𝑞1 . . . 𝑞𝑠 where 𝑞𝑖 = 𝑞𝑗 may occur. Because 𝑞𝑖 ≥ 2 we get
𝑛 ≥ 2𝑠 . Equality holds if and only if 𝑛 is a power of two.
5. Show that for a fixed 𝑟, the product of the first 𝑟 primes is the smallest 𝑛 for which
𝜔(𝑛) = 𝑟. This means that 𝜔(𝑛) attains its maximal order of magnitude as a func-
tion of 𝑛 exactly on the products of that type. The desired estimates now follow as
in Exercise 6.4.3b.
6. (a) Apply Theorem 6.4.6 for 𝑛0,99 /𝜑(𝑛), or use 𝑑(𝑛)𝜑(𝑛) ≥ 𝑛 and Theorem 6.4.5.
(b) 𝜑(𝑛) ≥ 𝜋(𝑛) − 𝜔(𝑛).
(c) Let 𝑛 be any integer with 𝜔(𝑛) = 𝑟, and let 𝑛𝑟 be the product of the first 𝑟
primes. Show
𝜑(𝑛) 𝜑(𝑛𝑟 )
≥ and log log 𝑛 ≥ log log 𝑛𝑟 .
𝑛 𝑛𝑟
Hence, it suffices to prove the statement for the numbers 𝑛𝑟 . Using results on
the distribution of primes, we obtain
𝑟 𝑟
𝜑(𝑛𝑟 ) 1 1
log ( ) = log ∏(1 − ) = ∑ log(1 − ) ≥
𝑛𝑟 𝑖=1
𝑝 𝑖 𝑖=1
𝑝 𝑖
𝑟 𝑟
1 1 1
≥ −∑ −∑ 2 >− ∑ − 2 > − log log 𝑝𝑟 − 𝑐 − 2,
𝑝
𝑖=1 𝑖 𝑖=1 𝑝𝑖 𝑝≤𝑝
𝑝
𝑟

so
𝜑(𝑛𝑟 ) 1
> ′ .
𝑛𝑟 𝑐 log 𝑝𝑟
Finally, apply log log 𝑛𝑟 ∼ log 𝑝𝑟 (obtained by taking the logarithm of log 𝑛𝑟 ∼
𝑝𝑟 which is legal as both sides tend to infinity).
(d) Apply Theorem 6.4.6 for 𝜎(𝑛)/𝑛1.01 , or use 𝜎(𝑛) ≤ 𝑛𝑑(𝑛) and Theorem 6.4.5.
(e) 𝜎(𝑛)/𝑛 is the sum of reciprocals of divisors of 𝑛, thus
𝑛
𝜎(𝑛) 1
≤ ∑ ≤ 1 + log 𝑛.
𝑛 𝑗=1
𝑗

(f) Use arguments similar to those in part (c).

Remark: By Exercise 6.2.15a, the statements on 𝜎(𝑛) follow directly from the rele-
vant statements on 𝜑(𝑛) (and by Exercise 6.2.15b, this is almost true vice versa).
7. Use
1
(a) lim ∏ (1 − )=0
𝑛→∞
𝑝≤𝑛
𝑝
476 Answers and Hints

1
(b) lim ∏ (1 + ) = ∞.
𝑛→∞
𝑝≤𝑛
𝑝

8. (a) Let 𝑣 1 , 𝑣 2 , . . . be all primes satisfying 𝑘 ∣ 𝑣 𝑖 − 1, and let 𝐵𝑟 = 𝑣 1 . . . 𝑣 𝑟 .

If (𝑛, 𝐵𝑟 ) > 1, then some 𝑣 𝑖 divides 𝑛, so
𝑘 ∣ 𝑣 𝑖 − 1 ∣ 𝜑(𝑛).
Therefore 𝑘 ∤ 𝜑(𝑛) can occur only if 𝑛 is coprime to 𝐵𝑟 . The number of such
integers 𝑛 ≤ 𝑁 is about
𝜑(𝐵𝑟 )
𝑁
𝐵𝑟
for large 𝑁. Therefore it is enough to show that for any 𝜀 > 0 there is an 𝑟 such
that
𝑟
𝜑(𝐵𝑟 ) 1
= ∏(1 − ) < 𝜀.
𝐵𝑟 𝑖=1
𝑣𝑖
∞
This follows from the divergence of ∑𝑖=1 1/𝑣 𝑖 by Exercise 5.6.7.
(b) If 𝜔(𝑛) is large, then a large power of two divides 𝜑(𝑛), so there can be only
a few such values 𝜑(𝑛). If 𝜔(𝑛) is small, then 𝜑(𝑛) > 𝑐𝑛 with some (small
positive) constant 𝑐, thus 𝜑(𝑛) ≤ 𝑁 implies 𝑛 < 𝑁/𝑐. By part (a), it is also
true for these integers 𝑛 that 𝜑(𝑛) is nearly always a multiple of a fixed large
𝑘 (which can be e.g. the power of two used already), so again there can arise
only few values 𝜑(𝑛).
9. (a) We can follow the ideas used in Exercise 6.4.8a. Let 𝑤 1 , 𝑤 2 , . . . be all primes
satisfying 𝑘 ∣ 𝑤 𝑖 + 1, and 𝐶𝑟 = 𝑤 1 . . . 𝑤 𝑟 .
If 𝑛 is divisible by exactly the first power of some 𝑤 𝑖 , then
𝑘 ∣ 𝑤 𝑖 + 1 ∣ 𝜎(𝑛).
Thus 𝑘 ∤ 𝜎(𝑛) can occur if either 𝑛 is coprime to 𝐶𝑟 or the square of some
prime factor in 𝐶𝑟 divides 𝑛. These integers 𝑛 fall into certain residue classes
mod 𝐶𝑟2 . The ratio of the number of these residue classes to the number of all
residue classes modulo 𝐶𝑟2 is
𝑟
𝑤𝑖 − 1
∏(1 − ).
𝑖=1 𝑤2𝑖
Using the ideas seen in Exercise 6.4.8a, prove that this ratio can be arbitrarily
small if 𝑟 is large enough.
(b) The situation is simpler than it was for 𝜑(𝑛) since 𝜎(𝑛) ≤ 𝑁 implies 𝑛 ≤ 𝑁.
Therefore we need just the last step of the proof seen for 𝜑(𝑛): as 𝜎(𝑛) is nearly
always the multiple of a large fixed 𝑘, an integer can occur only rarely among
the values 𝜎(𝑛).
6.5. 477

6.5.

1. It follows from the definition of 𝑑𝑗 (𝑛).

2. (a) Assume that 𝑓 is multiplicative, and (𝑎, 𝑏) = 1. To prove the multiplicativ-
ity of 𝑓+ , we use that, by Exercise 1.6.5.a-b, the divisors of 𝑎𝑏 have a unique
representation as the product of a divisor of 𝑎 and a divisor of 𝑏 (which are
coprime). Hence
𝑓+ (𝑎𝑏) = ∑ 𝑓(𝑑) = ∑ 𝑓(𝑎1 𝑏1 ) =
𝑑∣𝑎𝑏 𝑎1 ∣𝑎,𝑏1 ∣𝑏

= ∑ 𝑓(𝑎1 )𝑓(𝑏1 ) = ( ∑ 𝑓(𝑎1 ))( ∑ 𝑓(𝑏1 )) = 𝑓+ (𝑎)𝑓+ (𝑏).

𝑎1 ∣𝑎,𝑏1 ∣𝑏 𝑎1 ∣𝑎 𝑏1 ∣𝑏

We can verify the converse similarly by induction on 𝑛 = 𝑎𝑏 or with the

Möbius Inversion Formula.
(b) Replacing 𝑓 by 𝑓+ , we just get the statement in (a).
3. (a) Answer: 𝑓 = 0 and 𝑒(𝑛) defined among the examples after Definition 6.5.1.
2
Hint: Verify that 𝑓+ (𝑝2 ) = (𝑓+ (𝑝)) can hold for a prime 𝑝 only if 𝑓(𝑝) = 0.
(b) Answer: 𝑓 = 0. Hint: Examine the values of 𝑓+ assumed at 𝑝1 𝑝2 , 𝑝1 𝑝3 ,
𝑝2 𝑝3 , 𝑝12 𝑝2 , 𝑝13 𝑝2 , etc. where 𝑝1 , 𝑝2 , and 𝑝3 are distinct primes, and deduce
𝑓(𝑝𝑘 ) = 0 for every prime power 𝑝𝑘 .
4. (a) Use Exercise 6.5.2.
(b) It follows from part (a) and the complete multiplicativity of 𝑓. For 𝑓(𝑛) = 𝑛,
we obtain the formulas for 𝜎(𝑛) and 𝜑(𝑛).

̃ = { 𝑐,
5. (a) 𝑓(𝑛)
if 𝑛 = 1
0, if 𝑛 > 1.
1, if 𝑛 = 2
(b) 𝑔(𝑛)
̃ ={
0, if 𝑛 ≠ 2.
1, if 𝑛 is a prime power
̃
(c) Ω(𝑛) ={
0, otherwise.
1, if 𝑛 is a prime
(d) 𝜔(𝑛)
̃ ={
0, otherwise.
𝑟 𝛼
6. Let 𝑛 = ∏𝑖=1 𝑝𝑖 𝑖 be the standard form of 𝑛. Then
𝑟 𝑟 𝛼𝑖
𝛼 ̃ 𝛽𝑖 ) = ∑ 𝑓(𝑝
̃ 𝛽 ).
𝑓(𝑛) = ∑ 𝑓(𝑝𝑖 𝑖 ) = ∑ ∑ 𝑓(𝑝𝑖
𝑖=1 𝑖=1 𝛽𝑖 =0 𝑝𝛽 ∣𝑛

The uniqueness of 𝑓 ̃ implies 𝑓(𝑘)

̃ = 0 if 𝑘 is not a prime power.

7. 𝑓(𝑛) = 𝑛, by the Möbius Inversion Formula.

478 Answers and Hints

8. By the Möbius Inversion Formula,

𝑛
𝜑(𝑛) = ∑ 𝜇(𝑑) .
𝑑∣𝑛
𝑑

9. (a) Let 𝑇(𝑛) be the sum of all 𝑛th roots of unity, and 𝑆(𝑛) the sum of the primitive
𝑛th roots of unity. Then 𝑆 + (𝑛) = 𝑇(𝑛) = 𝑒(𝑛) implies 𝑆(𝑛) = 𝜇(𝑛). (We
sketched another proof in Exercise 6.2.18.)
(b) Let 𝑇𝑘 (𝑛) be the sum of 𝑘th powers of all 𝑛th roots of unity, and 𝑆 𝑘 (𝑛) the
similar sum for primitive 𝑛th roots of unity. Then 𝑆 𝑘 (𝑛) = 𝑇𝑘̃ (𝑛) and

𝑛, if 𝑛 ∣ 𝑘
𝑇𝑘 (𝑛) = {
0, if 𝑛 ∤ 𝑘.
Exhibit 𝑆 𝑘 (𝑛) by the Möbius Inversion Formula, and also using Exercise 6.5.8.
Another option: Since 𝑆 𝑘 (𝑛) and the function given in the exercise are multi-
plicative, it is sufficient to verify their equality at prime power places.
(c) We convert the problem into the modulo 𝑝 field. Let 𝑉(𝑘) be the sum of the
solutions of the congruence 𝑥𝑘 ≡ 1 (mod 𝑝), and 𝑈(𝑘) the sum of the elements
of order 𝑘. Prove 𝑈 + (𝑛) = 𝑉(𝑛) and 𝑉(𝑑) = 𝑒(𝑑) for 𝑑 ∣ 𝑝 − 1. Deduce
𝑈(𝑑) = 𝜇(𝑑) for 𝑑 ∣ 𝑝 − 1, thus 𝑈(𝑝 − 1) = 𝜇(𝑝 − 1).
10. (a) 𝜑(1)𝜑(2) . . . 𝜑(𝑛). (b) 𝑛!. (c) 1. (d) 0.
11. The proof of Theorem 6.5.4 applies for this general case.

6.6.

1. 𝑑𝑘 (𝑛).
2. It is well known that addition satisfies all requirements. For convolution playing
the role of multiplication, the associative and commutative laws and the existence
of an identity element follow from Theorem 6.6.2. The distributive law
(𝑓 + 𝑔) ∗ ℎ = (𝑓 ∗ ℎ) + (𝑔 ∗ ℎ)
can be verified easily (it is enough to check one of the two distributive laws since
multiplication is commutative).
No zero divisors: Show that if 𝑘 and 𝑚 are the smallest positive integers satisfying
𝑓(𝑘) ≠ 0 and 𝑔(𝑚) ≠ 0, then (𝑓 ∗ 𝑔)(𝑘𝑚) ≠ 0.
3. Answer: 𝑘. Hint: List the equalities (𝑔 ∗ 𝑔 ∗ ⋯ ∗ 𝑔)(𝑛) = 𝑓(𝑛) for every 𝑛. If 𝑛 = 1,
then we get
𝑔(1) = 𝑘√𝑓(1).
Considering 𝑛 = 2, 3, . . . one after the other, we get unique values for 𝑔(2), 𝑔(3) ,. . .
4. (a) Apply an argument similar to that in the hint for Exercise 6.5.2.
6.6. 479

(b) The statement is true if 𝑓 = 0 or 𝑔 = 0, hence we may assume 𝑓(1) = 𝑔(1) = 1.

If 𝑓 ∗ 𝑔 is completely multiplicative, then
2
(𝑓 ∗ 𝑔)(𝑝2 ) = ((𝑓 ∗ 𝑔)(𝑝))
implies 𝑓(𝑝)𝑔(𝑝) = 0 for every prime 𝑝, and 𝑓(𝑛)𝑔(𝑛) = 0 for every 𝑛 > 1
follows from the complete multiplicativity of 𝑓 and 𝑔. To prove the converse,
show that 𝑓(𝑝)𝑔(𝑝) = 0 implies
𝑘
(𝑓 ∗ 𝑔)(𝑝𝑘 ) = 𝑓(𝑝𝑘 ) + 𝑔(𝑝𝑘 ) = ((𝑓 ∗ 𝑔)(𝑝)) .

5. Since the functions on both sides of the equality are multiplicative, it is enough to
prove equality for prime powers. But it is more elegant to rely on the properties of
convolution: Put 𝑔(𝑛) = 𝑛, then 𝜎 ∗ 𝜑 = (𝑔 ∗ 1) ∗ (𝜇 ∗ 𝑔) = 𝑔 ∗ 𝑔, thus
𝑛 𝑛
∑ 𝜎(𝑑)𝜑( ) = (𝜎 ∗ 𝜑)(𝑛) = (𝑔 ∗ 𝑔)(𝑛) = ∑ 𝑘 ⋅ = 𝑛𝑑(𝑛).
𝑑∣𝑛
𝑑 𝑘∣𝑛
𝑘

6.
∞ ∞ ∞
𝑓(𝑛) | 𝑓(𝑛) | 1 1
∑ || = ∑| ⋅ < 𝑐 ∑ 𝑠−𝑠 < ∞.
𝑛=1
𝑛𝑠 | 𝑛=1| 𝑛𝑠0 | 𝑛𝑠−𝑠0 𝑛=1
𝑛 0

7. Apply Theorem 6.6.4.

8. Use Exercise 6.6.1 and Theorem 6.6.4.
9. Write the functions 𝜎 and 𝜇 as summation and inversion functions, and apply Ex-
ercise 6.6.7.
10. (a) By definition, the right-hand side is the limit of
∞
𝑓(𝑝𝑘 )
(A.6.4) ∏( ∑ )
𝑝≤𝑁 𝑘=0
𝑝𝑘𝑠

when 𝑁 → ∞. Performing the multiplication of the finitely many absolutely

convergent series in (A.6.4), by unique prime factorization and multiplicativ-
ity of 𝑓 we obtain the infinite series 𝐹𝑁 (𝑠) consisting of terms 𝑓(𝑛)/𝑛𝑠 where
every prime divisor of 𝑛 is less than or equal to 𝑁. Since the series
∞
𝑓(𝑛)
𝐹(𝑠) = ∑
𝑛=1
𝑛𝑠

is absolutely convergent,
lim 𝐹𝑁 (𝑠) = 𝐹(𝑠).
𝑁→∞

(b) Since 𝑓 is completely multiplicative,

𝑓(𝑝𝑘 ) 𝑓(𝑝) 𝑘
= ( ) ,
𝑝𝑘𝑠 𝑝𝑠
hence we have infinite geometric series on the right-hand side of the formula
in part (a).
480 Answers and Hints

11. Take the product form of the 𝜁 function and note that the Dirichlet series 𝑀(𝑠) of
the function 𝜇 is the reciprocal of 𝜁. Another possibility: Apply Exercise 6.6.10a
for the function 𝑓 = 𝜇.
12. (a) Answer: 𝜋4 /36. Hint: Apply Exercise 6.6.8a.
(b) Answer: 5𝜋4 /72. Hint: Transform the Dirichlet series 𝑇(𝑠) belonging to the
function 𝑑 2 (𝑛) into an infinite product using Exercise 6.6.10a, then compute
the infinite series occuring in the factors of the product to establish
𝜁4 (𝑠)
𝑇(𝑠) = .
𝜁(2𝑠)
13. Answer: 15/𝜋2 . Hint: Apply Exercise 6.6.10a for 𝑓 = |𝜇|, and show that the infinite
product equals 𝜁(𝑠)/𝜁(2𝑠).
∞ ∞ ∞ ∞ ∞
𝑓(𝑛)𝑥𝑛
14. (a) ∑ 𝑛
= ∑ 𝑓(𝑛)( ∑ 𝑥𝑗𝑛 ) = ∑ 𝑥𝑘 (∑ 𝑓(𝑑)) = ∑ 𝑓+ (𝑘)𝑥𝑘 .
𝑛=1
1 − 𝑥 𝑛=1 𝑗=1 𝑘=1 𝑑∣𝑘 𝑘=1
(b) Apply part (a) for functions 𝜇 and 𝜑, taking 𝑥 = 1/2. Answer: (b1) 1/2; (b2) 2.

6.7.

1. Answer: 1. Hint: As in the second proof of Theorem 6.7.5, this sum is an applica-
tion of the Inclusion and Exclusion Principle for the number of integers among 1, 2,
. . . , 𝑛 that have no prime divisors at all. As 1 is the only integer with this property,
the sum equals 1. (The lesson of this story is that even a complicated argument
can be useful sometimes: we computed the obvious number of prime-free integers
with a complicated formula, and this made it possible to find a simple form for the
intricate sum.) Another option: After checking a few small values of 𝑛, we guess
the answer, and then prove it by induction.
2. Answer: 6/𝜋2 . Hint: Let 𝐾(𝑛) be the number of squarefree integers among 1, 2,
. . . , 𝑛. We have to determine
𝐾(𝑛)
lim .
𝑛→∞ 𝑛
As in the second proof of Theorem 6.7.5, use the Inclusion and Exclusion Principle
to establish
𝑛
𝐾(𝑛) = ∑ 𝜇(𝑗)⌊ 2 ⌋.
𝑗
𝑗≤√𝑛

Omitting the floors causes an error term not greater than √𝑛 that can be neglected
compared to the main term
𝜇(𝑗)
𝑛 ∑ .
𝑗2
𝑗≤√𝑛

3. (a) Applying Theorem 6.7.2 to the convolution 𝑑3 = 𝑑2 ∗ 1, we obtain

𝑛
𝑛
𝐷3 (𝑛) = ∑ 𝑑(𝑗)⌊ ⌋.
𝑗=1
𝑗
6.7. 481

After dividing by 𝑛 and deleting the floors, we have to estimate

𝑛
𝑑(𝑗)
(A.6.5) ∑
𝑗=1
𝑗

apart from an error term. We can do this using Theorem 6.4.3 about the mean
value of 𝑑(𝑛). Using the notation there, 𝑑(𝑗) = 𝐷(𝑗)−𝐷(𝑗 −1). We reorder the
sum in (A.6.5) accordingly and apply Theorem 6.4.3 for 𝐷(𝑗). Thus we obtain
𝑛 𝑛 2
log 𝑗 log 𝑡 log 𝑛
∑ ∼∫ 𝑑𝑡 ∼
𝑘=2
𝑗 2
𝑡 2

apart from error terms. We must also show that the error terms are negligible
compared to the main term.
(b) We follow the proof of Theorem 6.7.3. Let 𝑓𝜈 (𝑛) = 𝑛𝜈 and apply Theorem 6.7.2
to the convolution 𝜎𝜈 = 1 ∗ 𝑓𝜈 , then we obtain
𝑛
𝑛 ⌊𝑗⌋
Σ𝜈 (𝑛) = ∑ ∑ 𝑘𝜈 .
𝑗=1 𝑘=1

We can estimate the inner sum for 𝑘 on the right-hand side with the integral
criterion as usual (see the first proof of Theorem 5.6.1 or Exercise 5.6.2).
4. Since the mean value of 𝜎 is relatively small, there are many integers 𝑖 among 1, 2,
. . . , 𝑛 for which (say) 𝜎(𝑖) ≤ 2𝑛. There are few such values 𝜎(𝑖) by Exercise 6.4.9,
so there must be one that is assumed many times by the function.
5. (a) The lower bound is obvious as Ω(𝑖) ≥ 𝜔(𝑖). To establish the upper bound,
represent Ω(𝑖) and 𝜔(𝑖) with the help of their inversion functions (see Ex-
ercise 6.5.5c-d). After the usual rearrangement and omitting the floors, we
obtain
𝑛
′ 1
∑ (Ω(𝑖) − 𝜔(𝑖)) < 𝑛 ∑ ,
𝑖=1 𝑟≤𝑛
𝑟
′
where ∑ indicates that the sum is taken only for the prime power values 𝑟
with exponent greater than one. This sum is less than 1, see the solution of
Exercise 5.6.1b.
(b) This follows from part (a) and the theorems in question.
6. Use Exercise 6.2.20a and apply the Hardy–Ramanujan Theorem for 𝜔 and (relying
on Exercise 6.7.5b) for Ω.
7. The (surprising) answer is 0. Hint: We use that the Hardy–Ramanujan Theorem
is valid also for Ω (see Exercise 6.7.5b). Assume 𝑖 = 𝑎𝑏 where 𝑎 and 𝑏 are less than
√𝑛. Then in most cases both Ω(𝑎) and Ω(𝑏) are about
log log √𝑛 ∼ log log 𝑛,
thus Ω(𝑖) ∼ 2 log log 𝑛. But there are only few such integers 𝑖 (using Exercise 6.7.5b
again).
482 Answers and Hints

8. For a precise formulation, replace 𝜔 by 𝑓 (meeting the requirements) and modify

log log 𝑖 to
𝑓(𝑝)
∑
𝑝≤𝑖
𝑝

in Theorem 6.7.7. The proof is the same as for Theorems 6.7.7 and 6.7.7A.

6.8.

1. If for a fixed 𝑚, the sequence 𝑓(𝑚𝑘 ) = 𝑘𝑓(𝑚), 𝑘 = 1, 2, . . . , is bounded, then

𝑓(𝑚) = 0.
2. Let 𝑚 be fixed, and consider the positive integers 𝑘 coprime to 𝑚. Then 𝑓(𝑚) =
𝑓(𝑘𝑚) − 𝑓(𝑘). By Cauchy’s criterion for convergence, for any 𝜀 > 0 and 𝑘 large
enough, we have |𝑓(𝑘𝑚) − 𝑓(𝑘)| < 𝜀. Thus only 𝑓(𝑚) = 0 is possible.
3. Answer:
⎧1, if 𝑛 = 1
𝑐
𝑓 = 0; 𝑔𝑐 (𝑛) = 𝑛 ; ℎ𝑟 (𝑛) = 𝑟, if 𝑛 = 2
⎨
⎩ 0 if 𝑛 > 2,
where 𝑐 is any real number and 0 ≤ 𝑟 ≤ 1. Hint: If the function is positive every-
where, then we can apply Theorem 6.8.1 to its logarithm, and arrive at 𝑔𝑐 . If the
function has the value 0 somewhere than it must be 0 at every larger integer; show
that the first appearance of 0 cannot occur later than at 3. This yields 𝑓 = 0 and
ℎ𝑟 . It is easy to see that the function cannot assume negative values.
4. Then −𝑓 satisfies condition (6.8.1) in the proof of Theorem 6.8.1.
5. We can apply Theorem 6.8.1 to the real and imaginary parts of 𝑓 separately.
6. (a) We can take the sequence
𝑘1 , 2𝑘1 , 2𝑘2 , 3𝑘2 , 3𝑘3 , 4𝑘3 , . . . , 𝑗𝑘𝑗 , (𝑗 + 1)𝑘𝑗 , . . . ,
where (𝑘𝑗 , 𝑗(𝑗 + 1)) = 1 and the numbers 𝑘𝑗 are large enough (compared to
𝑏𝑛 ). If 𝑓 is monotone (say) increasing on the elements of the sequence, then
𝑓(𝑗) + 𝑓(𝑘𝑗 ) = 𝑓(𝑗𝑘𝑗 ) ≤ 𝑓((𝑗 + 1)𝑘𝑗 ) = 𝑓(𝑗 + 1) + 𝑓(𝑘𝑗 )
by additivity. Subtracting 𝑓(𝑘𝑗 ), we get 𝑓(𝑗) ≤ 𝑓(𝑗 + 1), so 𝑓 is monotone.
Theorem 6.8.1 guarantees 𝑓(𝑛) = 𝑐 log 𝑛.
(b) Consider the sequence
𝑐 1 , 𝑐 1 𝑑1 , 𝑐 2 , 𝑐 2 𝑑2 , 𝑐 3 , 𝑐 3 𝑑3 , . . . , 𝑐𝑗 , 𝑐𝑗 𝑑𝑗 , . . . ,
where every integer greater than 1 occurs infinitely often in the sequence 𝑑1 ,
𝑑2 , . . . , (𝑐𝑗 , 𝑑𝑗 ) = 1, and 𝑐𝑗 is sufficiently large (compared to 𝑏𝑛 ). Let 𝑚 > 1
be fixed and take 𝜀 > 0. Then using the construction of the sequence, the
7.1. 483

additivity of 𝑓, and the condition of the exercise, we can find a (large) 𝑗 such
that 𝑚 = 𝑑𝑗 and
|𝑓(𝑚)| = |𝑓(𝑐𝑗 𝑑𝑗 ) − 𝑓(𝑐𝑗 )| < 𝜀.
Hence, only 𝑓(𝑚) = 0 is possible.

A.7. Diophantine Equations

7.1.

1. 3. (10000 = 201 ⋅ 47 + 7 ⋅ 79 = 122 ⋅ 47 + 54 ⋅ 79 = 43 ⋅ 47 + 101 ⋅ 79.)

2. 14.
3. 7. Hint: Eliminating 𝑥 from the system of equations 7𝑥+13𝑦+15𝑧 = 500, 𝑥+𝑦+𝑧 =
50, we get 6𝑦 + 8𝑧 = 150. Dividing by 2, we need solutions of the Diophantine
equation 3𝑦 + 4𝑧 = 75 satisfying 𝑦 ≥ 0, 𝑧 ≥ 0, and 𝑦 + 𝑧 ≤ 50 (since 𝑥 ≥ 0).
4. 9.
5. A pair of integers 𝑥, 𝑦 satisfies the Diophantine equation 𝑎𝑥 + 𝑏𝑦 = 𝑐 with 𝑏 ≠ 0
if and only if 𝑥 is a solution of the linear congruence 𝑎𝑥 ≡ 𝑐 (mod 𝑏) (and then
𝑦 is determined uniquely from the equation). Observe that formula (2.5.5) in the
proof of Theorem 2.5.4 is the same as the description of 𝑥′ in formula (7.1.1) of
Theorem 7.1.1 (after converting the notation). (We do not have to use the proof. We
need only the statements of Theorem 2.5.4, though then the argument is slightly
clumsier.)
6. (a) 0 or ∞. (b) 0 or 1.
7. 𝑥 = −3−5𝑢−10𝑣, 𝑦 = 3𝑢+3𝑣 +1, 𝑧 = 2𝑣 +1. Hint: As in the case of two variables,
we solve for one of the variables, separate the integer part from the fraction, and
introduce a suitable new variable, reducing the absolute values of the coefficients
till we arrive at a fraction with denominator 1. Then, proceeding backwards, we
express the original variables with the help of the two integer parameters obtained
before.
8. A possible approach is to generalize the algorithm sketched after Theorem 7.1.1
(applied in the previous exercise), which also establishes the statement about solv-
ability. Another option is to use induction on 𝑘. We can reduce an equation
𝑎1 𝑥1 + ⋯ + 𝑎𝑘 𝑥𝑘 = 𝑐 with 𝑘 variables to an equation with 𝑘 − 1 variables: Let
𝑑 = (𝑎𝑘−1 , 𝑎𝑘 ), then the integers of the form 𝑎𝑘−1 𝑥𝑘−1 + 𝑎𝑘 𝑥𝑘 are exactly the
multiples of 𝑑, i.e. the numbers 𝑑𝑦. Thus we can reduce the original equation
to 𝑎1 𝑥1 + ⋯ + 𝑎𝑘−2 𝑥𝑘−2 + 𝑑𝑦 = 𝑐 with 𝑘 − 1 variables to which we can apply the
induction hypothesis.
9. If the equation is solvable, then obviously any solution also satisfies the congruence
for an arbitrary modulus 𝑚. If the equation has no solutions, then (𝑎1 , . . . , 𝑎𝑘 ) ∤ 𝑐,
so the congruence modulo 𝑚 = (𝑎1 , . . . , 𝑎𝑘 ) is not solvable either.
484 Answers and Hints

10. This is true if and only if the integers 𝑎𝑖 are coprime and at least one of them is
positive. Hint: Necessity is obvious. To prove sufficiency, assume (e.g.) 𝑎1 > 0.
If we can find a solution in positive integers for some 𝑐 0 , then increasing 𝑥1 and
keeping the other variables unaltered, we get a positive solution for every 𝑐 > 𝑐 0
in the residue class of 𝑐 0 modulo 𝑎1 . Thus it is enough to show that every residue
class modulo 𝑎1 contains an element 𝑐 for which there is a positive solution. We
rely on the equivalence (in the precisely defined meaning discussed in Section 2.5)
of the Diophantine equation
(A.7.1) 𝑎1 𝑥1 + ⋯ + 𝑎𝑘 𝑥𝑘 = 𝑐
and the congruence
(A.7.2) 𝑎2 𝑥2 + ⋯ + 𝑎𝑘 𝑥𝑘 ≡ 𝑐 (mod 𝑎1 ) .
We solve (A.7.2) for 𝑐 = 1, 2, . . . , 𝑎1 . (It is solvable, since (𝑎1 , . . . , 𝑎𝑘 ) = 1 guar-
antees its solvability for any 𝑐.) In congruences we can replace any integer by one
congruent to it, so we can assume that the values 𝑥2 , . . . , 𝑥𝑘 obtained in the 𝑎1
congruences are all positive.
11. (a) Let 𝑎 > 𝑏 and apply the key idea of the previous exercise: If 𝑐 is assem-
blable, then also 𝑐 + 𝑡𝑏 is assemblable for any positive 𝑡. Thus we have to
find the smallest assemblable element in every residue class modulo 𝑏. Since
(𝑎, 𝑏) = 1, the numbers 0𝑎, 1𝑎, 2𝑎, . . . , (𝑏−1)𝑎 form a complete residue system
modulo 𝑏, so the smallest assemblable elements in the residue classes are 𝑏, 𝑎,
2𝑎, . . . , (𝑏 − 1)𝑎. The residue class of (𝑏 − 1)𝑎 enters last, so the largest number
that is not assemblable is (𝑏 − 1)𝑎 − 𝑏 = 𝑎𝑏 − 𝑎 − 𝑏.
(b) Answer: (𝑎 − 1)(𝑏 − 1)/2. (This is an integer, since (𝑎, 𝑏) = 1 implies that at
least one of 𝑎 and 𝑏 is odd.) Hint: Show that if the sum of two positive integers
is 𝑎𝑏 − 𝑎 − 𝑏, then exactly one of them is assemblable.
12. It is more convenient to view the problem from an inverse perspective as cutting
to pieces instead of assembling. Thus we claim that a large cube can be cut into
exactly 𝑛 cubes if (a) 𝑛 is large enough; (b) 𝑛 ≥ 48, and we ask for the complete
answer in (c) for the analog for squares.
(a) We can easily cut a cube into 8 or 27 small (congruent) cubes, so with the
repeated application of these steps, we can cut a cube into 1 + 7𝑥 + 26𝑦 cubes,
where 𝑥 and 𝑦 are arbitrary non-negative integers. Since 7 and 26 are coprime,
every sufficiently large 𝑛 can be represented in this form.
(b) Cutting a cube into 8 cubes, we can always increase the number of small cubes
by 7. Hence it suffices to verify the statement for 48 ≤ 𝑛 ≤ 54.
48: 48 = 27 + 3 ⋅ 7. We cut the cube into 27 cubes, and then we cut each of
three small cubes into eight parts.
49: For brevity, let us write Cu𝑘 for a cube if the length of its edge is 𝑘. We cut
the lower half of Cu6 into four Cu3, the top row into thirty-six Cu1, and the
remaining two rows into nine Cu2.
50: 50 = 7 ⋅ 7 + 1.
51: In Cu6, we form five Cu3 from the lower half plus one quarter in the upper
half, select five Cu2 from the remaining part, and there are forty-one Cu1 left.
7.2. 485

52: We cut a Cu3 from Cu4, and partition two of the remaining thirty-seven
Cu1 into eight parts.
53: Using 53 = 1 + 2 ⋅ 19 + 2 ⋅ 7, it is enough to show a procedure that increases
the number of cubes by nineteen; we cut Cu3 into a Cu2 and nineteen Cu1.
54: We cut Cu8 into six Cu4, two Cu3, four Cu2, and forty-two Cu1.
(c) 𝑛 ≠ 2, 3, 5.

7.2.

1. Show that if 𝑥2 + 𝑦2 = 𝑧2 , then (at least) one of 𝑥, 𝑦, or 𝑧 must be divisible by 3,

4, and 5. We consider divisibility by 5. The remainder of a square mod 5 is 0, 1,
or −1. For a proof by contradiction, assume that none of 𝑥, 𝑦, and 𝑧 is a multiple
of 5, so the left-hand side of 𝑥2 + 𝑦2 = 𝑧2 is congruent to 0 or ±2, the right-hand
side is congruent to ±1 modulo 5, which is a contradiction. We can verify the
divisibility by 3 and 4 similarly. Alternatively, we can use the characterization in
Theorem 7.2.1 and apply similar arguments.

2. Answer: 8, 15, 17. Hint: The area is 𝑥𝑦/2, so 𝑥𝑦 = 120. Checking all possible
factorizations of 120, 𝑥2 + 𝑦2 is a square only for 8 ⋅ 15. Another option: By Theo-
rem 7.2.1, we have to solve the equation 60 = 𝑑 2 𝑚𝑛(𝑚 − 𝑛)(𝑚 + 𝑛) with respect to
conditions (7.2.4). Thus we get 𝑑 = 1, 𝑚 = 4, 𝑛 = 1.

3. Answer: 6, 8, 10 and 5, 12, 13. Hint: By Theorem 7.2.1, the area is

𝑑 2 𝑚𝑛(𝑚 − 𝑛)(𝑚 + 𝑛),

and the perimeter is

𝑑(2𝑚𝑛 + (𝑚2 − 𝑛2 ) + (𝑚2 + 𝑛2 )) = 2𝑚𝑑(𝑚 + 𝑛).

Equating them gives 𝑑𝑛(𝑚 − 𝑛) = 2 after cancellation. The solutions satisfying

also conditions (7.2.4) in Theorem 7.2.1 are 𝑑 = 𝑚 = 2, 𝑛 = 1, and 𝑑 = 1, 𝑛 = 2,
𝑚 = 3. Another option: We have to solve the system of Diophantine equations

𝑥𝑦
= 𝑥 + 𝑦 + 𝑧, 𝑥2 + 𝑦2 = 𝑧 2 .
2

Squaring the form (𝑥𝑦/2)−𝑧 = 𝑥+𝑦 of the first equation, combining the result with
the second equation, and dividing by 𝑥𝑦, we obtain 𝑧 = (𝑥𝑦/4) − 2. Substituting
into the first equation, reordering, and factoring gives (𝑥 − 4)(𝑦 − 4) = 8. Since 𝑥
and 𝑦 are positive, we have only the decompositions 1 ⋅ 8 and 2 ⋅ 4 (apart from the
order of factors).
486 Answers and Hints

4. Answer: Every 𝑘 ≥ 3. Hint: Use Theorem 7.2.1. Verify that 1 and 2 can be repre-
sented in none of the forms given there for 𝑥, 𝑦, and 𝑧. For integers greater than
2, it is sufficient to find a representation for 4 and the odd numbers, due to the
multiplier 𝑑 in the formula: 4 = 2 ⋅ 2 ⋅ 1, and 2𝑟 + 1 = (𝑟 + 1)2 − 𝑟2 .

5. If 𝑥, 𝑦, 𝑧 is a primitive Pythagorean triple, then (𝑦−𝑥)2 , 𝑧2 , and (𝑥+𝑦)2 are coprime

and form an arithmetic progression.

Remark: The solutions 0 < 𝑢 < 𝑤 < 𝑣 of the Diophantine equation 𝑢2 + 𝑣2 = 2𝑤2
and the solutions 0 < 𝑥 < 𝑦 < 𝑧 of the Pythagorean equation 𝑥2 + 𝑦2 = 𝑧2 can be
deduced from each other by the substitutions 𝑢 = 𝑦 − 𝑥, 𝑣 = 𝑥 + 𝑦, 𝑤 = 𝑧, and
𝑥 = (𝑣 − 𝑢)/2, 𝑦 = (𝑢 + 𝑣)/2, 𝑧 = 𝑤. (𝑥 and 𝑦 are integers as 𝑢 and 𝑣 must be of the
same parity). Therefore, we can characterize all solutions of 𝑢2 + 𝑣2 = 2𝑤2 with
three integer parameters.

7.3.

1. As the signs of 𝑥 and 𝑦 are irrelevant now, we can group the solutions in integers by
four to obtain the essentially distinct solutions, except for the case 𝑦 = 0 that occurs
if and only if 𝑛 is a square and then these two solutions form a group. Thus there
𝑓(𝑛)
are ⌈ ⌉ essentially distinct solutions, where 𝑓(𝑛) is the number of solutions
4
given in Theorem 7.3.1.

2. There are two solutions: we have to make 5 and 7, or 4 and 11 cuts parallel to the
walls of the tin (we get 6 ⋅ 8 = 48 and 5 ⋅ 12 = 60 pieces). Hint : If we make 𝑥 − 1
and 𝑦 −1 cuts parallel to the tin’s walls, then there are 𝑥𝑦/2 crispy and (𝑥 −2)(𝑦 −2)
soft pieces. Equating the two numbers, we obtain (𝑥 − 4)(𝑦 − 4) = 8 after ordering.
Another option: In the first row running around the inside of the tin’s walls, there
are by eight more pieces than in the second such row. This means that apart from
these two rows, there are altogether eight pieces inside that constitute a 2 × 4 or
1 × 8 rectangle.

3. The equation 2/𝑝 = 1/𝑥 + 1/𝑦 is equivalent to (2𝑥 − 𝑝)(2𝑦 − 𝑝) = 𝑝2 . Géza Ottlik’s
approach was different: Multiplying the original equation by 𝑥𝑦, we get that one
of the variables is divisible by 𝑝, say 𝑥 = 𝑘𝑝. Substituting it into the equation and
solving for 𝑦, we find 𝑝 = 2𝑘 − 1. This determines also 𝑥 and 𝑦 uniquely.

4. Answer: The denominator has a positive divisor not of the form 4𝑘 + 1.

5. Using
1 1 1
= +
𝑢 2𝑢 2𝑢
7.3. 487

it is enough to represent 4/𝑛 as a sum of two or three natural numbers for the given
values of 𝑛.
4 1 1
𝑛 = 2𝑠∶ = +
𝑛 𝑠 𝑠
4 1 1
𝑛 = 4𝑠 − 1∶ = +
𝑛 𝑠 𝑠(4𝑠 − 1)
4 1 1 1
𝑛 = 8𝑠 − 3∶ = + +
𝑛 2𝑠 𝑠(8𝑠 − 3) 2𝑠(8𝑠 − 3)
4 1 1
𝑛 = 24𝑠 − 15∶ = +
𝑛 8𝑠 − 5 24𝑠 − 15
4 1 1 1
𝑛 = 24𝑠 − 7∶ = + + .
𝑛 6𝑠 𝑠(24𝑠 − 7) 6𝑠(24𝑠 − 7)

6. Start with the wrong representation 𝑎/𝑏 = 1/𝑏 + 1/𝑏 + ⋯ + 1/𝑏, and apply the
identity
1 1 1
= +
𝑛 𝑛 + 1 𝑛(𝑛 + 1)
sufficiently many times.
7. Answer: No. Hint: Factoring the left-hand side of the Diophantine equation 𝑥4 −
4 = 𝑦5 , the two factors are coprime for 𝑥 odd, hence each is a fifth power. However,
their difference is 4, which is impossible. If 𝑥 is even, then the right-hand side of
the equation is a multiple of 8, which is false for the left-hand side.
8. The only solution is 𝑥 = 𝑦 = 𝑠 = 𝑡 = 0. Hint: Assuming a non-trivial rational solu-
tion, we can convert it into an integer solution, one with (𝑥, 𝑦, 𝑠, 𝑡) = 1. Examining
parity, we get a contradiction. Another approach: A non-trivial integer solution
leads to an equilateral triangle where all three vertices are lattice points. Show by
area considerations that no such triangle exists.
9. The sum is divisible by 3, but not by 9.
10. ±4, ±6.
11. An ugly solution: Let the six numbers be 𝑛, 𝑛 + 1, . . . , 𝑛 + 5, and partition them
into two groups in all possible ways. We have to show that none of the resulting
equations have integer solutions. Since we can easily find the integer (or even ra-
tional) roots of a polynomial with integer coefficients, the proof requires just some
patient (and tedious) computation. We do not have to do this for all groupings, of
course, for example, we immediately see by comparing the size of the factors that
𝑛(𝑛 + 1)(𝑛 + 4) is smaller than (𝑛 + 2)(𝑛 + 3)(𝑛 + 5) for every 𝑛 ≥ 0, and also further
similar considerations can speed up the work.
The following argument is much more elegant; Three of the six numbers are even,
one more is a multiple of 3, and at most one more can be divisible by 5. Hence,
one of the numbers must have a prime divisor greater than 5 for 𝑛 > 1. This prime
cannot divide any of the other five numbers, hence it divides only one of the two
products.
488 Answers and Hints

A third option: If one of the numbers is divisible by 7, then we are done, as seen
previously. Otherwise the six numbers form a reduced residue system mod 7. If
there exist two equal products, then the product of all the six numbers is a square.
However, the product of the six numbers is congruent to −1 mod 7, which is im-
possible for a square.
The third solution works also for 106 instead of 6, using Wilson’s Theorem and the
−1
Legendre symbol ( 𝑝 ) (as 107 is a prime of the form 4𝑘 − 1). Also the first solu-
tion works for 106 (or any other number) in principle (or even in practice with a
well-designed computer program). We can generalize the second solution, too: A
classical theorem by Sylvester and Schur states that among 𝑘 consecutive integers
greater than 𝑘 there always exists one having a prime divisor greater than 𝑘, hence
this prime can divide only one of the two products. In the remaining cases, Cheby-
shev’s Theorem guarantees such a prime that divides only one of the products.
Finally we note that the validity of the statement for any 𝑘 consecutive integers in-
stead of six follows from the hard theorem that the product of consecutive integers
is never a power (see the Remark after Exercise 1.6.3).
12. There is a solution only for even 𝑚: 𝑛 = 𝑚 + 1 and 𝑥 = 𝑦 = 2𝑚/2 . Hint: Rewrite
the equation with the help of (𝑥, 𝑦) and show 𝑥 = 𝑦. Then the equation is of the
form
(A.7.3) 2𝑚 = 𝑥2𝑛−2𝑚 .
Clearly, 𝑥 = 2𝑠 . Substituting it into (A.7.3), prove 𝑚 = 2𝑠 and 𝑛 = 𝑚 + 1.
13. (a) From the form (𝑥 + 5)(𝑦 + 3) = 22, we can obtain 2𝑑(22) = 8 solutions.
(b) No solution; consider the equation modulo 11.
(c)–(e) We have only the trivial solution 𝑥 = 𝑦 = 𝑧 = 0. The good moduli are 3 or
8 for (c); 5, 7, 8, or 23 for (d); 11 for (e).
(f) 𝑥 = ±1, 𝑧 = −2. Hint: The two factors on the left-hand side are coprime for
any integer 𝑥, thus both factors are cubes.
(g) 𝑥 = ±1, 𝑦 = 0. Hint: After simple transformations, we obtain that the product
of two consecutive integers is almost a fourth power. Continuing by congru-
ence considerations, we need one more factorization.
(h) Besides 𝑦 = 𝑥, the only solutions are 𝑥 = 2, 𝑦 = 4, and 𝑥 = 4, 𝑦 = 2. Hint:
Rewrite the equation with the help of (𝑥, 𝑦), or take the logarithm and examine
the behavior of the (real) function 𝑓(𝑧) = 𝑧/ log 𝑧.
(i) 𝑥 = 5, 𝑦 = 1. Hint: Consider the equation modulo 31, and apply the facts
about power residues.
14. (a) There is no such number system. Hint: 1 + 𝑥 + 𝑥2 is always between two
consecutive squares for 𝑥 > 1.
(b) Base 3 is the only solution. Hint: 4(1 + 𝑥 + 𝑥2 + 𝑥3 + 𝑥4 ) is between two
consecutive squares for 𝑥 > 3.
(c) There is no such number system. Hint: The expression can be decomposed
into two coprime factors where one of them cannot be a square.
7.4. 489

7.4.

1. 1 + 𝑖 ∣ 𝑎 + 𝑏𝑖 ⟺ 𝑎 ≡ 𝑏 (mod 2).
2. (a) 𝛼 = 𝛾𝜚 ⟺ 𝛼 = 𝛾 𝜚,
(b) It follows from part (a).
(c) Apply the definition either of a Gaussian irreducible, or of a Gaussian prime,
or use Theorem 7.4.15.
3. By Exercise 7.4.2a, 𝛼 ∣ 𝛼 ⟺ 𝛼 ∣ 𝛼, so 𝛼 = 𝜀𝛼 with a unit 𝜀. Check that the
absolute values of the two sides are always equal, and comparing the angles we get
arg(𝛼) = 𝑘 ⋅ 45∘ . This means that 𝛼 is on one of the coordinate axes or the lines
𝑦 = ±𝑥. (We can get the same result by substituting 𝜀 = ±1, ±𝑖 into 𝛼 = 𝜀𝛼 and
solving the four equations.)
4. (a) Observe that a rational number 𝑎/𝑏 is a Gaussian integer if and only if it is an
(ordinary) integer.
(b) If (𝑎, 𝑏) = 𝑑 in the integers, then we have to show that 𝑎1 = 𝑎/𝑑 and 𝑏1 = 𝑏/𝑑
are also coprime in the Gaussian integers. If a Gaussian integer 𝛾 is a common
divisor of 𝑎1 and 𝑏1 , then 𝑁(𝛾) is a common divisor in the integers of 𝑁(𝑎1 ) =
𝑎21 and 𝑁(𝑏1 ) = 𝑏21 , which implies 𝑁(𝛾) = 1, so 𝛾 is a unit. (Another option is
to establish 1 = 𝑎1 𝑢 + 𝑏1 𝑣 with suitable integers 𝑢 and 𝑣, so 𝛾 ∣ 𝑎1 and 𝛾 ∣ 𝑏1
imply 𝛾 ∣ 1.)
5. True: (a), (c).
6. (Of course, any associate of the results below is correct.)
(a) 2 − 𝑖. Hint: Apply the Euclidean algorithm.
(b) 2. Hint: Observe that 1 − 𝑖 and 2 + 𝑖 are Gaussian primes, 2 = 𝜀(1 − 𝑖)2 , and
2 + 𝑖 ∤ 39.
(c) 1 + 𝑖. Hint: The gcd 𝛿 also divides the sum and difference of the two numbers,
and since (4 + 𝑖, 2 + 𝑖) = 1, we obtain 𝛿 ∣ 2. Hence 𝛿 = 1, or 2, or 1 + 𝑖. Show
that the first two cases are not possible.
7. (a) True: (a1).
(b) (𝛼, 𝛼) = (𝑎, 𝑏) or (𝛼, 𝛼) = (1 + 𝑖)(𝑎, 𝑏).
8. Verify that 𝛽 is a friend of 𝛼 if and only if 𝛽 = 𝜀𝛼 and (𝛼, 𝛼) = 1. Thus 𝛼 has no or
four friends, and we can easily deduce the condition in (a).
9. 32 (2 + 𝑖)3 (2 − 𝑖)(1 + 𝑖)3 (−1 − 4𝑖). Hint: Decompose (270, 2610) = 90 into a product
of Gaussian primes by Theorem 7.4.15. To find the factorization of the remaining
part, 3 + 29𝑖 = 𝜋1 . . . 𝜋𝑟 , consider the norms: 850 = 𝑁(𝜋1 ) . . . 𝑁(𝜋𝑟 ). From the
standard form of 850 (in the integers), we obtain 𝑟 = 4, and the norms of the
Gaussian primes 𝜋𝑖 are 2, 5, 5, and 17. So 𝜋1 = 1 + 𝑖, 𝜋2 = 𝜋3 = 2 + 𝑖 or 2 − 𝑖
depending on whether or not (3 + 29𝑖)/(2 + 𝑖) is a Gaussian integer (𝜋3 = 𝜋2 is
impossible, why?), etc.
490 Answers and Hints

10. True: (b), (c), (e).

11. We can use induction on 𝑁(𝛼). The key step is: If 𝛼 has two distinct decompositions
into the product of Gaussian primes
𝛼 = 𝜋1 . . . 𝜋𝑟 = 𝜚 1 . . . 𝜚 𝑠 , where 𝜋𝑖 ≠ 𝜀𝜚𝑗 ,
and (say) 𝑁(𝜋1 ) ≤ 𝑁(𝜚1 ), then there is a unit 𝜀 such that
𝛼1 = 𝜀𝛼 − 𝜋1 𝜚2 . . . 𝜚𝑠
satisfies 𝑁(𝛼1 ) < 𝑁(𝛼), and also 𝛼1 has two distinct factorizations into the product
of Gaussian primes.

7.5.

𝑟(𝑛)
1. ⌈ ⌉, where 𝑟(𝑛) is the number of solutions given in Theorem 7.5.1 (𝑟(𝑛) = 0 if
8
there are no solutions). Hint: Interchanging 𝑥 and 𝑦, or modifying signs do not
yield essentially different solutions. These give eight possibilities except when 𝑥 or
𝑦 is 0, or |𝑥| = |𝑦| (these occur in the cases 𝑛 = 𝑘2 and 𝑛 = 2𝑘2 ).
2. 16.
3. Answer: 7. Hint: The integers of the form 8𝑘 + 6 cannot be represented as the
sum or difference of two squares, thus 𝑟 ≤ 7. We have to show that all the seven
numbers between two consecutive integers of the form 8𝑘 + 6 can be represented
as desired in infinitely many cases.
4. By Theorem 7.5.1, the exponents of primes 7 and 11 in the standard form of 𝑎2 + 𝑏2
are even, thus they must be at least 2. Another option: 7 and 11 are Gaussian
primes, hence
7 ∣ 𝑎2 + 𝑏2 = (𝑎 + 𝑏𝑖)(𝑎 − 𝑏𝑖) ⟹ 7 ∣ 𝑎 + 𝑏𝑖 or 7 ∣ 𝑎 − 𝑏𝑖
𝑎 + 𝑏𝑖 𝑎 − 𝑏𝑖
⟹ or is a Gaussian integer
7 7
⟹ 7 ∣ 𝑎 and 7 ∣ 𝑏,
and the same holds also for 11.
5. It is solvable if and only if the exponents of the primes of the form 4𝑘 − 1 are even
and the exponent of 2 is not one in the standard form of 𝑛. The number of solutions
is the same as in Theorem 7.5.1 if 𝑛 is a multiple of 4, and is half of that if 𝑛 is odd.
6. An integer has such a representation if and only if it is not a multiple of 4 and has
no prime divisors of the form 4𝑘 − 1. Then the number of representations is 2𝑟+2 ,
where 𝑟 is the number of its odd prime divisors (all are of the form 4𝑘 + 1).
7. (a) Depending on whether 𝑘 is the length of the hypothenuse or of a leg, we need
the number of essentially different solutions in positive integers 𝑥 and 𝑦 of
7.5. 491

the Diophantine equations 𝑥2 + 𝑦2 = 𝑘2 and 𝑥2 − 𝑦2 = 𝑘2 . We infer from

Theorem 7.5.1 (and Exercise 7.5.1), that for the first equation, this number is
(2𝛽1 + 1) . . . (2𝛽𝑟 + 1) − 1
,
2
where 𝛽1 , . . . , 𝛽𝑟 are the exponents of the primes of the form 4𝑡 + 1 in the
standard form of 𝑘. For the second equation, we use Theorem 7.3.1 (and Ex-
ercise 7.3.1) to obtain the answer
1
(𝑑(𝑘2 ) − 1) if 𝑘 is odd;
2
1 𝑘2
(𝑑 ( ) − 1) if 𝑘 is even.
2 4
(b) By Exercise 7.5.6, the length of a hypothenuse can be 𝑘 if and only if every
prime divisor of 𝑘 > 1 is of the form 4𝑡 + 1, and then the number of triangles
is 2𝜔(𝑘)−1 . We get by similar arguments that the length of a leg can be 𝑘 if and
only if 𝑘 > 1 is either odd, or 4 ∣ 𝑘, and there are 2𝜔(𝑘)−1 suitable triangles in
both cases.
Instead of the above considerations, we could apply Theorem 7.2.1 character-
izing the primitive Pythagorean triples.
8. Assume first that there is a prime 𝑞 of the form 4𝑘 − 1 occurring with an odd ex-
ponent 2𝑤 − 1 in the standard form of 𝑛. Then the equation has no solutions, so
we have to prove that 𝑛 has as many (positive) odd divisors of the form 4𝑘 + 1 as of
the form 4𝑘 − 1. Any odd divisor of 𝑛 has a (unique) decomposition as 𝑡𝑞ᵆ , where
(𝑡, 2𝑞) = 1 and 0 ≤ 𝑢 ≤ 2𝑤 − 1. Then one of the divisors 𝑡𝑞2𝑗 and 𝑡𝑞2𝑗+1 is of the
form 4𝑘 + 1, and the other is of the form 4𝑘 − 1 (for any 0 ≤ 𝑗 ≤ 𝑤 − 1).
Now we turn to the case when every prime 𝑞𝜈 of the form 4𝑘 − 1 occurs with an
even exponent 2𝑤 𝜈 in the standard form of 𝑛. By Theorem 7.5.1, we have to verify
𝑟
(A.7.4) 𝑑 ′ (𝑛) − 𝑑 ″ (𝑛) = ∏(𝛽𝜇 + 1),
𝜇=1

where 𝛽𝜇 are the exponents of primes of the form 4𝑘 + 1 in the standard form of 𝑛.
If we perform the previous pairing of divisors by 𝑞1 , then only those (odd positive)
divisors are left where the exponent of 𝑞1 is 2𝑤 1 . Now we repeat the procedure
by 𝑞2 for these divisors, etc. Thus finally only those (positive) odd divisors remain
unmatched where the exponent of every 𝑞𝜈 is 2𝑤 𝜈 . The number of such divisors
is clearly the product on the right-hand side of (A.7.4), on the one hand, and as
all these divisors are of the form 4𝑘 + 1, their number is just 𝑑 ′ (𝑛) − 𝑑 ″ (𝑛), on the
other hand.
We can prove the statement of the exercise also in a single step by writing the dif-
ference 𝐷 = 𝑑 ′ (𝑛) − 𝑑 ″ (𝑛) as
𝑟 𝑠
′ ′
𝐷= ∑ (−1)𝛾1 +⋯+𝛾𝑠 = ∏(𝛽𝜇 + 1) ∏(1 − 1 + ⋯ + (−1)𝛾𝜈 ).
′ ≤𝛽
0≤𝛽𝜇 𝜇=1 𝜈=1
𝜇
0≤𝛾′𝜈 ≤𝛾𝜈
492 Answers and Hints

𝑛
9. Answer: 𝜋. Hint: Observe that 1 + ∑𝑖=1 𝑟(𝑖) is just the number of lattice points
inside or on the border of a circle around the origin of radius √𝑛. Show that the
number of these lattice points is asymptotically equal to the area of the circle as
𝑛 → ∞.
10. All solutions are 𝑥 = ±2, 𝑦 = 2 and 𝑥 = ±11, 𝑦 = 5. Hint: Factor the left-hand side
of the equation in the Gaussian integers and find the possible values of the greatest
common divisor of the two factors. It turns out that each factor must be the cube
of a Gaussian integer. Finally, cube and compare the imaginary parts.
11. 𝛼 = 𝑎 + 𝑏𝑖 is not of this form if and only if 𝑏 is odd or 𝑎 ≡ 𝑏 ≡ 2 (mod 4). Hint:
Apply the argument in the proof of Theorem 7.3.1.
12. Each Gaussian prime in the standard form can be replaced by any of its associates
(which can be compensated by modifying the extra unit factor).
13. True: (a), (c).
14. Answer: 5/6. Hint: Let 𝐹(𝑁) be the number of integers among 1, 2, . . . , 𝑁 that
cannot be written as the sum of three squares. Prove
𝑁+1 𝑁+4 𝑁 + 42
𝐹(𝑁) = ⌊ ⌋+⌊ ⌋+⌊ ⌋ + ... ,
8 8⋅4 8 ⋅ 42
hence
∞
𝐹(𝑁) 1 1
lim = ∑ 𝑘.
𝑁→∞ 𝑁 8 𝑘=0 4
15. Answer: 10. Hint: Verify, using the Three Squares Theorem that at most ten odd
squares suffice, and relying on the Two Squares Theorem, show that infinitely
many integers of the form 8𝑘 + 2 cannot be represented as the sum of less than
ten squares.
16. If 𝑛 = 4𝑘 (8𝑚 + 7), then 𝑛 − (2𝑘 )2 is the sum of three squares.
17. Exactly the positive integers 𝑛 = 4𝑘 (16𝑚 + 14) have no such representation. Hint:
Show that 𝑛 can be written in the required form if and only if 2𝑛 is the sum of three
squares.
18. Yes, it is solvable. Hint: We have to show that the number can be written as the
sum of four squares with at least one of them divisible by 3.
19. It follows from Chevalley’s theorem (or from Exercise 3.6.2) that the congruence
𝑋 2 + 𝑌 2 + 𝑍 2 ≡ 0 (mod 𝑝) has a non-trivial solution 𝑋, 𝑌 , 𝑍. If 𝑍 ≢ 0 (mod 𝑝),
then multiplying the congruence by 𝑍 𝑝−3 (for 𝑝 > 2), we obtain
1 + 𝑐2 + 𝑑 2 ≡ 0 (mod 𝑝) , where 𝑐 = 𝑋𝑍 (𝑝−3)/2 and 𝑑 = 𝑌 𝑍 (𝑝−3)/2 .
20. We can use the solvability of 𝑥2 + 1 ≡ 0 (mod 𝑝) instead of Lemma 7.5.5, and use
the identity
(A.7.5) (𝑎21 + 𝑎22 )(𝑏21 + 𝑏22 ) = (𝑎1 𝑏1 + 𝑎2 𝑏2 )2 + (𝑎1 𝑏2 − 𝑎2 𝑏1 )2
instead of Lemma 7.5.4. We note that there is no need to prove that 𝑚 is odd
(though the argument is valid), and (A.7.5) is just an expanded form of the identity
𝑁(𝛼)𝑁(𝛽) = 𝑁(𝛽𝛼) for the norms of Gaussian integers.
7.6. 493

21. (a) Consider those vectors 𝐝 = 𝐶𝐬 − 𝐭, where the components of 𝐬 and 𝐭 satisfy
0 ≤ 𝑠𝑖 < 𝑢 𝑖 , 0 ≤ 𝑡𝑖 < 𝑣𝑖 , 𝑖 = 1, 2, . . . , 𝑘.
By the pigeonhole principle, there must be two of the 𝐝 that are congruent
modulo 𝑝. Then the difference of the vectors 𝐬 belonging to them can be taken
as 𝐱, and the difference of the relevant vectors 𝐭 plays the role of 𝐳.
(b) Apply part (a) for the case
𝑐 𝑑
𝑘 = 2, 𝑢1 = 𝑢2 = 𝑣 1 = 𝑣 2 = ⌈√𝑝⌉, 𝐶=( )
−𝑑 𝑐
where 1 + 𝑐2 + 𝑑 2 ≡ 0 (mod 𝑝). We obtain
0 < 𝑥12 + 𝑥22 + 𝑧21 + 𝑧22 < 4𝑝 and 𝑝 ∣ 𝑥12 + 𝑥22 + 𝑧21 + 𝑧22 .
(c) If 2𝑝 is nice, then we can proceed exactly as when we showed that 𝑚 is odd in
the proof of Theorem 7.5.3.
If 3𝑝 = 𝑎21 + 𝑎22 + 𝑎23 + 𝑎24 , then let 𝑏𝑖 be the residue of least absolute value
mod 3 of 𝑎𝑖 , and apply (7.5.10) in Lemma 7.5.4. Then 9𝑝 is the sum of four
squares where each is a multiple of 3, thus cancelling by 9 we get that also 𝑝
is nice. (In this step, we basically repeated the proof of Theorem 7.5.3 in the
special case 𝑚 = 3.)

7.6.

1. If 𝑛 is the sum of 𝑠 terms of 600th powers, then 𝑛 is the sum of the same number
of 200th powers as
𝑛 = 𝑥1600 + ⋯ + 𝑥𝑠600 = (𝑥13 )200 + ⋯ + (𝑥𝑠3 )200 .
2. As in the proof of Theorem 7.6.5, the keys are congruences with suitable moduli.
(a) (a1) Prove by induction on 𝑗 that 31 ⋅ 16𝑗 cannot be written as a sum of less
than 16 fourth powers.
(a2) The integers 64𝑡 + 32 are not the sums of 31 eighth powers.
(a3) 𝐺(24) ≥ 𝐺(8) follows as in Exercise 7.6.1.
(a4) The integers 625𝑡 + 125 require at least 125 hundredth powers.
(a5) Check the numbers 625𝑡 + 312.
(b) We can generalize parts (a1)–(a3) to the cases 𝑘 = 2𝑟 and 𝑘 = 3 ⋅ 2𝑟 with 𝑟 ≥ 2.
Prove that the remainder of 𝑎𝑘 modulo 2𝑟+2 can only be 0 or 1 as there is no
primitive root for this modulus.
Part (a4) can be generalized to 𝑘 = 𝜑(𝑝𝛼 ), where 𝑝 > 2 is a prime and 𝛼 ≥ 2.
Apply the Euler–Fermat Theorem (as in the proof of Theorem 7.6.5).
1
The generalization of part (a5) works for 𝑘 = 2 𝜑(𝑝𝛼 ), where 𝑝 > 2 is a prime
and 𝛼 ≥ 2. Verify
𝛼 )/2
𝑎𝜑(𝑝 ≡ 0 or ±1 (mod 𝑝𝛼 )
for any 𝑎.
494 Answers and Hints

We get the following lower bounds for 𝐺(𝑘) in the cases 𝑝 > 2 is a prime,
𝛼 ≥ 2, and 𝑟 ≥ 2:
𝐺(3 ⋅ 2𝑟 ) ≥ 𝐺(2𝑟 ) ≥ 2𝑟+2
𝐺(𝑝𝛼 − 𝑝𝛼−1 ) ≥ 𝑝𝛼
𝑝𝛼 − 𝑝𝛼−1 𝑝𝛼 − 1
𝐺( )≥ .
2 2
We note that these are the only known lower bounds for 𝐺(𝑘) besides those in
Theorem 7.6.4.
3. Let 𝑅 be a large number and form the sums
𝑥1𝑘 + ⋯ + 𝑥𝑘+1
𝑘
, 𝑥𝑖 are integers, 0 ≤ 𝑥𝑖 ≤ 𝑅, 𝑖 = 1, 2, . . . , 𝑘 + 1.
Demonstrate that there are many more sums than values they can have. Thus there
must be an 𝑛 that has many such representations.
4. (a) Performing the operations on the left-hand side, there remain only terms of
the type 𝑎4𝑖 and 𝑎2𝑖 𝑎𝑗2 (𝑖 < 𝑗) with coefficients 6 and 12. We obtain the same
result after squaring on the right-hand side.
(b) Let 𝑛 = 6𝑞 + 𝑟 where 0 ≤ 𝑟 ≤ 5. By Theorem 7.5.3, 𝑞 = 𝑥12 + 𝑥22 + 𝑥32 + 𝑥42 .
Write each 𝑥𝑖 as a sum of four squares. Applying the identity in part (a), we
can represent 6𝑞 as a sum of 48 fourth powers, and 𝑟 is the sum of at most five
terms 14 .
5. The integers 8𝑡 + 6 cannot be written as 𝑥2 ± 𝑦2 , thus two squares are not sufficient.
To verify the second part of the statement, transform the Diophantine equation
𝑥2 + 𝑦2 − 𝑧2 = 𝑛 into 𝑧2 − 𝑦2 = 𝑥2 − 𝑛, and select the value of 𝑥 arbitrarily with
the restriction that 𝑥2 − 𝑛 should not be of the form 4𝑡 + 2 (for any 𝑛, all even or all
odd integers can be taken as 𝑥, and occasionally both the odd and even numbers
are suitable). Apply Theorem 7.3.1 (and the fact that if an integer is the difference
of two squares, then so is its negative). We can proceed similarly for the other
equation.

7.7.

1. (a) If 𝑚 = 𝑞𝑘, then

𝑥𝑚 + 𝑦𝑚 = 𝑧𝑚 ⟹ (𝑥𝑞 )𝑘 + (𝑦𝑞 )𝑘 = (𝑧𝑞 )𝑘 .
(b) It follows from part (a), as any 𝑘 > 2 has an odd prime divisor or is a multiple
of 4.
2. (a) No solution, which follows from the case 𝑘 = 4 of Fermat’s Last Theorem.
(b) There are infinitely many solutions. Looking for solutions in the form 𝑥 = 2𝛼 ,
𝑦 = 2𝛽 , and 𝑧 = 2𝛾 , we get
23𝛼 + 24𝛽 = 25𝛾 .
Choosing 𝛼 = 4𝜈 and 𝛽 = 3𝜈, the condition 12𝜈 + 1 = 5𝛾 has to be satisfied.
7.7. 495

Remark: The arguments can be generalized to Diophantine equations of the type

𝑥𝑘 + 𝑦𝑚 = 𝑧 𝑛 :
(i) If (𝑘, 𝑚, 𝑛) ≥ 3, then there are no solutions in positive integers.
(ii) If (𝑘𝑚, 𝑛) = 1, then there are infinitely many solutions in positive integers.
Also, if two of the exponents are given arbitrarily, then we can find infinitely
many third exponents for which the equation is solvable in positive integers.
For example, let us fix 𝑘 and 𝑚, let 𝑎 and 𝑏 be positive integers, and define 𝑐 as
𝑐 = 𝑎𝑘 + 𝑏𝑚 . Multiplying this equality by 𝑐𝑠 where 𝑠 is any common multiple
of 𝑘 and 𝑚, we see that 𝑥 = 𝑎𝑐𝑠/𝑘 , 𝑦 = 𝑏𝑐𝑠/𝑚 , 𝑧 = 𝑐 is a positive integer solution
of 𝑥𝑘 + 𝑦𝑚 = 𝑧𝑠+1 .
3. All solutions are 𝑘 = 2, 𝑥 = 𝑦 = 𝑧 − 1.
4. (a) No solution; the equation obtained after multiplying by a common denomi-
nator contradicts the case 𝑘 = 4 of Fermat’s Last Theorem.
(b) All solutions are 𝑥 = 𝑣𝑤𝑑, 𝑦 = 𝑢𝑤𝑑, 𝑧 = 𝑢𝑣𝑑, where 𝑢, 𝑣, 𝑤 is a (primitive)
Pythagorean triple (with 𝑤 as hypotenuse) and 𝑑 is an arbitrary positive in-
teger. Hint: We can check by a simple substitution that these are solutions.
Conversely, assume that 𝑥, 𝑦, 𝑧 is a solution. We can restrict ourselves to the
case (𝑥, 𝑦, 𝑧) = 1. Let (𝑥, 𝑦) = 𝑤, (𝑥, 𝑧) = 𝑣, and (𝑦, 𝑧) = 𝑢. Verify that 𝑢,
𝑣, and 𝑤 are pairwise coprime, hence 𝑥 = 𝑣𝑤𝑥1 , 𝑦 = 𝑢𝑤𝑦1 , and 𝑧 = 𝑢𝑣𝑧1 ,
where 𝑥1 , 𝑦1 , and 𝑧1 are pairwise coprime. Substituting these values into the
equation, prove 𝑥1 = 𝑦1 = 𝑧1 = 1 and 𝑢2 + 𝑣2 = 𝑤2 .
(c) All solutions are 𝑥 = 𝑎2 𝑑, 𝑦 = 𝑏2 𝑑, 𝑧 = (𝑎 + 𝑏)2 𝑑, where 𝑎, 𝑏, 𝑑 are positive
integers and we can assume (𝑎, 𝑏) = 1 (this guarantees the uniqueness of
the parametric representation). Hint: This can also be reduced to the case
(𝑥, 𝑦, 𝑧) = 1. After two squarings, we obtain
𝑧−𝑥−𝑦 2
𝑥𝑦 = ( ) ,
2
where (𝑥, 𝑦) = 1, so 𝑥 and 𝑦 are (coprime) squares.
(d) All solutions are 𝑥 = 𝑎3 𝑑, 𝑦 = 𝑏3 𝑑, 𝑧 = (𝑎 + 𝑏)3 𝑑, where 𝑎, 𝑏, 𝑑 are positive
integers and (𝑎, 𝑏) = 1. Hint: The first cubing yields
3 3 3 3
𝑥 + 𝑦 + 3√ 𝑥√ y( √ 𝑥+√ y) = 𝑧.
3 3 3
Replace √𝑥 + √𝑦 by √𝑧, and cube again to get
𝑧−𝑥−𝑦 3
𝑥𝑦𝑧 = ( ) .
3
After dividing by (𝑥, 𝑦, 𝑧)3 , the three factors on the left-hand side are pairwise
coprime, so each is a cube.
5. Use the characterization of the primitive Pythagorean triples.
(a) For the equation 𝑥4 + 𝑦2 = 𝑧2 we need 𝑥2 = 2𝑚𝑛 or 𝑥2 = 𝑚2 − 𝑛2 , whereas
the equation 𝑥2 + 𝑦2 = 𝑧4 requires 𝑧2 = 𝑚2 + 𝑛2 . There are infinitely many
ways to choose 𝑚 and 𝑛 so that 2𝑚𝑛, 𝑚2 − 𝑛2 , and 𝑚2 + 𝑛2 , should resp. be
squares (and 𝑚 > 𝑛 > 0, (𝑚, 𝑛) = 1, and 𝑚 ≢ 𝑛 (mod 2) are valid).
496 Answers and Hints

(b) Prove by infinite descent.

6. All solutions are 𝑥 = ±1, 𝑦 = ±1. Hint: Transform the equation into 𝑥4 + (𝑦2 − 1)2 = 𝑦4 .
7. Only base 7 works. Hint: After several factorizations and applying the character-
ization of primitive Pythagorean triples, we can reduce the equation to Exercises
7.3.13g and 7.7.6.
8. We can proceed similarly as in Exercise 7.4.3. Answer: 0 and
𝑐, 𝑐𝜔, 𝑐(1 + 2𝜔), 𝑐(1 + 𝜔), 𝑐(1 − 𝜔), 𝑐(2 + 𝜔),
where 𝑐 is an integer. This formula characterizes Eulerian integers as complex
numbers with angles 𝑘𝜋/6 where 𝑘 is an integer.
9. If 𝛼 = 𝑎 + 𝑏𝜔, 𝛽 = 𝑐 + 𝑑𝜔, then the identity in the exercise is just an expanded form
of
|𝛼|2 ⋅ |𝛽|2 = |𝛼𝛽|2 .
(Of course, we can verify the identity by performing multiplications and comparing
the terms resulting on the two sides, but this would be an ugly solution and would
not reveal the background of the exercise.)
10. (a) The simplest demonstration of the relation between the two equations uses
norms of Eulerian integers.
(b) The equations are solvable if and only if every prime of the form 3𝑡 −1 appears
with an even exponent in the standard form (in 𝐙) of 𝑛.
Counting the number of solutions, we distinguish those that differ only in
signs or the order of terms. Assume that the equations are solvable and put
𝑟
𝐿 = ∏(𝛽𝜇 + 1),
𝜇=1

where 𝛽1 , . . . , 𝛽𝑟 are the exponents of the primes of the form 3𝑡 + 1 in the

standard form (in 𝐙) of 𝑛 (𝐿 = 1 if 𝑛 has no such prime divisor).
Then 𝑥2 − 𝑥𝑦 + 𝑦2 = 𝑛 has 6𝐿 solutions, and the equation 𝑥2 + 3𝑦2 = 𝑛 has
6𝐿 or 2𝐿 solution according as 𝑛 is divisible by 4 or is odd. (𝑛 = 4𝑠 + 2 is
not possible since 2 (as a prime of the form 3𝑡 − 1) must occur with an even
exponent in the standard form of 𝑛.)
We can verify the statement about the equation 𝑥2 − 𝑥𝑦 + 𝑦2 = 𝑛 as in the
proof of the Two Squares Theorem 7.5.1.
The second equation can be reduced to the first one by establishing a bijection
(as in part (a)) between the solutions of 𝑥2 + 3𝑦2 = 𝑛 and those solutions of
𝑥2 − 𝑥𝑦 + 𝑦2 = 𝑛 where 𝑥 is even. For 4 ∣ 𝑛, we have to show that 𝑥 is even in
all solutions of 𝑥2 − 𝑥𝑦 + 𝑦2 = 𝑛. If 𝑛 is odd, observe that the corresponding 𝑥
is even for exactly two of the six associates of an Eulerian integer with norm 𝑛.
11. All solutions are 𝑥 = ±10, 𝑦 = 7. Hint: Follow the ideas used in Exercise 7.5.11.
Start with factoring the left-hand side in the Eulerian integers, then both factors
are cubes apart from units and the Eulerian primes in their gcd.
7.7. 497

12. (a) Let 𝑘𝜇 denote the number of elements in a complete residue system modulo 𝜇,
and let 𝑅 be the rhombus lattice of the Eulerian integers. Multiplying 𝑅 by 𝜇,
we obtain the rhombus lattice 𝑅𝜇 consisting of the multiples of 𝜇. Thus the
vectors defining the sides of the fundamental rhombus in 𝑅𝜇 are 𝜇 and 𝜔𝜇.
The Eulerian integers in every such fundamental rhombus of 𝑅𝜇 form a com-
plete residue system modulo 𝜇. Therefore 𝑘𝜇 is roughly the ratio of the areas of
the fundamental rhombuses in 𝑅𝜇 and 𝑅, which ratio is |𝜇|2 = 𝑁(𝜇). We can
get rid of the word “roughly” by considering the number of points of the two
lattices in a large circle or square 𝐻. Let 𝐻 have area 𝐴, the number of points
of lattices 𝑅 and 𝑅𝜇 in 𝐻 be 𝑛 and 𝑛𝜇 , and the areas of the fundamental rhom-
buses be 𝑎 and 𝑎𝜇 . Since there are 𝑘𝜇 Eulerian integers in every fundamental
rhombus of 𝑅𝜇 ,
𝑛
(A.7.6) 𝑘𝜇 ∼
𝑛𝜇
if 𝐴 → ∞. On the other hand,
𝐴 𝐴 𝐴
𝑛∼ , 𝑛𝜇 ∼ = ,
𝑎 𝑎𝜇 𝑎𝑁(𝜇)
so
𝐴
𝑛 𝑎
𝑎𝜇
(A.7.7) ∼ 𝐴
= = 𝑁(𝜇).
𝑛𝜇 𝑎
𝑎𝜇

By (A.7.6) and (A.7.7), the constants 𝑘𝜇 and 𝑁(𝜇) are asymptotically equal, so
they must be equal.
(b) By part (a), the number of elements is all right. To show that the elements are
pairwise incongruent modulo 𝜇, use
𝜇 ∣ 𝑗 ⟹ 𝑝 = 𝑁(𝜇) ∣ 𝑗2 ⟹ 𝑝 ∣ 𝑗.
(c) Apply the argument in the proof of the Euler–Fermat Theorem 2.4.1.
13. No solution. Hint: Multiplying the equation by 𝑢𝑣𝑤, we obtain 𝑢2 𝑤 + 𝑣2 𝑢 = 𝑤2 𝑣.
Introducing 𝑢2 𝑤 = 𝑐 and 𝑣2 𝑢 = 𝑑, we get 𝑐𝑑(𝑐 + 𝑑) = (𝑢𝑣𝑤)3 . We can see in the
usual way that the factors on the left-hand side be pairwise coprime, thus 𝑐, 𝑑, and
𝑐 + 𝑑 are (non-zero) cubes, which contradicts Fermat’s Last Theorem for 𝑘 = 3.
14. By the formula for the Pythagorean triples, the area of the triangle is
𝑑 2 𝑚𝑛(𝑚 + 𝑛)(𝑚 − 𝑛),
where 𝑚 > 𝑛 > 0, (𝑚, 𝑛) = 1, and 𝑚 ≢ 𝑛 (mod 2).
(a) The area is (measured by) a square number if and only if 𝑚𝑛(𝑚+𝑛)(𝑚−𝑛) is a
square. The conditions imply that the four factors are (positive and) pairwise
coprime, thus each is a square. This, however, contradicts Lemma 7.7.3.
(b) 𝑑 = 1 by the assumption, thus we obtain as in the previous argument that 𝑚,
𝑛, 𝑚 + 𝑛 are cubes, which contradicts Theorem 7.7.10.
498 Answers and Hints

(c) There are infinitely many such triangles. For every Pythagorean triangle we
can find a similar triangle with this property: if 𝑚 and 𝑛 are given, choose
𝑑 = 𝑚𝑛(𝑚 + 𝑛)(𝑚 − 𝑛). We can express this also without the parametric
characterization: If the area of a triangle is 𝐴, then enlarging its size by 𝐴, the
new triangle has area 𝐴3 .
(d) For 𝑘 even, part (a) implies that the area cannot be a 𝑘th power. For 𝑘 odd,
we get by the arguments in parts (b) and (c) that in the case of coprime side
lengths the area cannot be a 𝑘th power, but for every Pythagorean triangle we
can find a similar one such that its area is a 𝑘th power.

7.8.

1. If 𝑚 = 0, then 𝑥 = ±1 and 𝑦 is arbitrary; if 𝑚 = −1, then 𝑥 = ±1, 𝑦 = 0, or 𝑥 = 0,

𝑦 = ±1; if 𝑚 ≤ −2 or 𝑚 = 𝑘2 > 0, then 𝑥 = ±1, 𝑦 = 0. Hint: For 𝑚 = 𝑘2 , the
factorization (𝑥 − 𝑘𝑦)(𝑥 + 𝑘𝑦) = 1 is in the integers, so either both factors are 1 or
both are −1.

2. This is Pell’s equation 10𝑦2 + 1 = 𝑥2 , so there are infinitely many such squares.

3. If we multiply a solution of 𝑥2 − 𝑚𝑦2 = 𝑟 by a solution of Pell’s equation 𝑥2 −

𝑚𝑦2 = 1 (as seen in the proof of Theorem 7.8.2), then we again get a solution of
𝑥2 − 𝑚𝑦2 = 𝑟.

4. Infinitely many solutions: (a1), (a2), (b1). No solution: (b2) (this follows from
considering 𝑥2 − 3𝑦2 = −1 modulo 3 or modulo 4).

5. Infinitely many. Hint: Multiplying 𝑛(𝑛 − 1) = 2𝑦2 by 4, we get Pell’s equation

𝑧2 − 8𝑦2 = 1 (the condition 𝑧 = 2𝑛 − 1 imposes no restriction since 𝑧 is odd in all
solutions of 𝑧2 − 8𝑦2 = 1). Another option: One of 𝑛 and 𝑛 − 1 is a square, the
other is the double of a square, and both resulting equations 𝑢2 − 2𝑣2 = ±1 have
infinitely many solutions.

6. Infinitely many. Hint: Multiplying 𝑥2 + (𝑥 + 1)2 = 𝑧2 by 2, we get (2𝑥 + 1)2 − 2𝑧2 =

−1. Another option: The parametric characterization of the primitive Pythagorean
triples leads to the equations 𝑢2 − 2𝑣2 = ±1.

7. No solution: (a), (b), (d), (e). Infinitely many solutions: (c), (f). Hint: The insolv-
ability can be shown by congruences with suitable moduli. Modulus 8 works in all
the four cases, but 3, 7, 9, and 3, can also be applied in the order of the list. In (c),
we easily see the solution 𝑥 = 4, 𝑦 = 1, thus there are infinitely many solutions
by Exercise 7.8.3. In (f), after multiplying by 3, we get 𝑧2 − 6𝑦2 = 3. As 𝑧 = 3,
𝑦 = 1 is a solution, there are infinitely many solutions. It is clear that 3 ∣ 𝑧 in every
solution, so also 𝑥 = 𝑧/3 is an integer.

8. The equation is solvable if and only if 𝑝 ≡ 1 (mod 4) or 𝑝 = 2. Hint: A congru-

ence modulo 4 implies necessity immediately. To prove sufficiency, consider the
7.9. 499

solution 𝑥 > 0, 𝑦 > 0 of 𝑥2 − 𝑝𝑦2 = 1 where 𝑥 is minimal. Show that 𝑥 must be

odd, and transform the equation into
𝑥+1 𝑥−1 𝑦 2
(A.7.8) ⋅ = 𝑝( ) .
2 2 2
One of the factors on the left-hand side of (A.7.8) is a square, and the other factor
is a square multiplied by 𝑝. Hence 𝑢2 − 𝑝𝑣2 = ±1, but the + sign is impossible, as
𝑥 was a minimal solution.
9. The statement about signs is obvious. To establish the congruences, consider a
non-trivial solution satisfying (𝑥, 𝑦, 𝑧) = 1, and derive (𝑧, 𝑎) = (𝑦, 𝑎) = 1. Multi-
plying the equation by 𝑏𝑧2(𝜑(|𝑎|)−1) , we obtain
(𝑏𝑦𝑧𝜑(|𝑎|)−1 )2 ≡ −𝑏𝑐 (mod |𝑎|) .
The other two congruences can be obtained the same way, or we can refer to sym-
metry.
10. Infinitely many. Hint: A necessary condition is that 28𝑘2 + 1 be a square and this
happens infinitely often. Show that then 2 + 2√28𝑘2 + 1 is a square. For the proof,
divide 𝑟2 − 1 = 28𝑘2 by 4, and factor the left-hand side. The factors are consecutive
integers, one of them a square, and the other one 7 times a square. Finally, verify
that the factor (𝑟 + 1)/2 has to be a square, thus the number 2𝑟 + 2 in the exercise
is a square.
11. If 𝑥 = 𝑢2 , then we can rewrite the equation as (𝑢2 − 1)(𝑢2 + 1) = 2𝑦2 . Verify that
𝑢2 − 1 is a square, which is impossible as 𝑢 ≠ ±1. (This equation also arose in the
solution of Exercise 7.7.7.) The case 𝑦 = 𝑣2 is the same as Exercise 7.3.13g.

7.9.

1. If a term 1 occurs in a partition of 𝑛 + 1, then delete one such term, otherwise

decrease the least term by one. Thus we get every partition of 𝑛 at most twice. The
second step produces only partitions with 1 occurring in them at most once, thus
we cannot get all partitions of 𝑛 if 𝑛 > 1. Hence, equality holds only for 𝑛 = 1.
2. (a) ∞. (b) −∞.
3. These integers are (3𝑘2 ± 𝑘)/2 by Theorem 7.9.5.
4. 2𝑛−1 . Hint: Consider a representation 𝑛 = 𝑥1 + 𝑥2 + ⋯ + 𝑥𝑟 (where 𝑟 and 𝑥1 , . . . , 𝑥𝑟
are positive integers), and, starting from the origin, draw segments of lengths 𝑥1 ,
. . . , 𝑥𝑟 in this order one after the other onto the interval [0, 𝑛]. Then the endpoints
of the segments different from 0 and 𝑛 form a subset of 𝐻 = {1, 2, . . . , 𝑛 − 1} in
the interval (the extreme cases are possible when all or none of these points are
marked). Thus we established a bijection between the representations of 𝑛 and the
subsets of 𝐻. So the number of representations is equal to the number of subsets
in a set of 𝑛 − 1 elements.
500 Answers and Hints

5. Subtracting 1 from each term in a partition of 𝑛 with 𝑟 terms, we get a partition of

𝑛 − 𝑟 with at most 𝑟 terms (there will be fewer than 𝑟 terms if and only if 1 occurred
in the original partition). Verify that this is a bijection between the two types of
partitions.
𝑥𝑟
6. 𝑟 .
∏𝑖=1 (1 − 𝑥𝑖 )
7. We can proceed either by establishing a suitable bijection, or by applying generat-
ing functions.
(a) Bijection: Consider a partition 𝑛 = 𝑥1 +⋯+𝑥𝑟 with distinct integers 𝑥𝑖 . Every
𝑥𝑖 has a unique decomposition as 2𝛼 𝑡, where 𝛼 ≥ 0 and 𝑡 is odd. Factoring out
the common values of 𝑡, we obtain 𝑛 = 1𝑢1 + 3𝑢2 + 5𝑢3 + . . . , where every 𝑢𝑗 is
a non-negative integer. This can be considered as a partition of 𝑛 containing
𝑢1 terms of 1, 𝑢2 terms of 3, etc.
To illustrate the procedure, consider the partition 23 = 10 + 6 + 4 + 3. Then

23 = 21 ⋅ 5 + 21 ⋅ 3 + 22 ⋅ 1 + 20 ⋅ 3
= 21 ⋅ 5 + (21 + 20 ) ⋅ 3 + 22 ⋅ 1 = 1 ⋅ 4 + 3 ⋅ 3 + 2 ⋅ 5
leads to the partition 23 = 5 + 5 + 3 + 3 + 3 + 1 + 1 + 1 + 1.
Verify that the above map is a bijection between the two types of partitions
of 𝑛.
Generating functions: The appropriate generating functions are
∞ ∞
1
𝑈(𝑥) = ∏(1 + 𝑥𝑖 ) and 𝑊(𝑥) = ∏ .
𝑖=1 𝑗=1
(1 − 𝑥2𝑗−1 )

Rewriting 𝑈(𝑥) using the identity

1 − 𝑥2𝑖
(1 + 𝑥𝑖 ) = ,
1 − 𝑥𝑖
we get 𝑊(𝑥) after cancellation. For a precise proof, one has to work either with
formal power series and formal infinite products, or has to manage properly
the limit process in the infinite products.
(b) To establish a bijection, write the terms as 𝑘𝛼 𝑡 with 𝑘 ∤ 𝑡.
The generating functions are
∞ ∞
1
𝑈 𝑘 (𝑥) = ∏(1 + 𝑥𝑖 + ⋯ + (𝑥𝑖 )𝑘−1 ) and 𝑊 𝑘 (𝑥) = ∏ .
𝑖=1 𝑡=1 (1 − 𝑥𝑡 )
𝑘∤𝑡

8. First proof : By Exercise 7.9.6, the coefficient of 𝑥𝑛 in the power series expansion of
𝑥𝑟
(1 − 𝑥)(1 − 𝑥2 ) . . . (1 − 𝑥𝑟 )
is the number of partitions of 𝑛 where the biggest term is 𝑟. Thus the sum of these
coefficients for all 𝑟 is just 𝑝(𝑛).
8.1. 501

Second proof : The coefficient of 𝑥𝑛 is influenced only by the first 𝑛 terms on the
right-hand side. Giving them a common denominator and adding, we obtain
1
−1 + .
(1 − 𝑥)(1 − 𝑥2 ) . . . (1 − 𝑥𝑛 )
By Theorem 7.9.2, the coefficient of 𝑥𝑛 equals the number of partitions of 𝑛 from
summands 1, 2, . . . , 𝑛, which is just 𝑝(𝑛).
∞
9. The derivative of the logarithm of 𝑉(𝑥) = ∏𝑖=1 (1 − 𝑥𝑖 ) is
∞
𝑉 ′ (𝑥) −𝑖𝑥𝑖−1
(A.7.9) =∑ .
𝑉(𝑥) 𝑖=1
1 − 𝑥𝑖
(Taking the logarithm and differentiating term by term are legal for |𝑥| < 1/2.)
Multiply (A.7.9) by −𝑥𝑉(𝑥), and apply
∞ ∞ ∞
𝑖𝑥𝑖
∑ = ∑ 𝑖(𝑥𝑖 + 𝑥2𝑖 + . . . ) = ∑ 𝜎(𝑗)𝑥𝑗 .
𝑖=1
1 − 𝑥𝑖 𝑖=1 𝑗=1

Then
∞
(A.7.10) −𝑥𝑉 ′ (𝑥) = 𝑉(𝑥) ∑ 𝜎(𝑗)𝑥𝑗 .
𝑗=1

Finally, substitute the formulas

𝑉(𝑥) = 1 − 𝑥 − 𝑥2 + 𝑥5 + 𝑥7 − 𝑥12 − 𝑥15 + . . .
𝑥𝑉 ′ (𝑥) = − 𝑥 − 2𝑥2 + 5𝑥5 + 7𝑥7 − 12𝑥12 − 15𝑥15 + . . .
into (A.7.10) and perform the multiplication of the two power series on the right-
hand side of (A.7.10).

A.8. Diophantine Approximation

8.1.

1. (a) With a common denominator, the numerator 𝑎𝑠 − 𝑏𝑟 ≠ 0, thus |𝑎𝑠 − 𝑏𝑟| ≥ 1.

(b) |𝑎𝑠 − 𝑏𝑟| = 1 holds infinitely often, since the Diophantine equations 𝑎𝑠 − 𝑏𝑟 =
±1 have infinitely many solutions.
2. Since 𝑑 = 𝛼 − 𝑟/𝑠 ≠ 0, so |𝑑| > 1/(𝑘𝑠)2 if 𝑘 is large enough.
3. (a) For any 𝑠 > 1, at most one suitable fraction with denominator 𝑠 can fit.
(b) It follows from part (a).
4. (a) For any 𝑘, a fraction with denominator either 2𝑘 or 2𝑘+1 meets the require-
ment.
(b) 𝛼 = 1/3.
(c) There is a fraction with denominator 3𝑘 for any 𝑘.
(d) 𝛼 = 1/2.
502 Answers and Hints

(e) The squares of fractions 𝑟/𝑠 approximating √𝛼 well have this property.
(f) 𝛼 = (1 + √5)2 /4.
5. Use that the fractions 𝑟/𝑠 approximating 𝛼 well satisfy 𝑟2 ∼ 𝛼𝑠2 .
6. We can argue similarly as in the proof of Theorem 8.1.6. To get rid of the square
root, multiply the difference by √2 + 𝑟/𝑠.
7. If 𝑟/𝑠 approximates 𝛼 well, then
(a) 𝑎(𝑟/𝑠) + 𝑏 approximates 𝑎𝛼 + 𝑏 well
(b) 𝑟2 /𝑠2 approximates 𝛼2 well.
8. (a) 0 and 1. (b) and (c) The complete interval (−1, 1).
9. (a) Draw an interval of length 𝜀/2𝑖 around the 𝑖th element.
(b) Cardinality: There is a bijection between these ternary fractions and all real
numbers in [0, 1) written as binary fractions (replace digit 2 by 1). Measure
zero: We obtain the Cantor set by deleting the middle third of the interval
[0, 1), then deleting the middle thirds of both remaining intervals, then delet-
ing the middle thirds of the four remaining intervals, etc. The total length of
the remaining intervals after 𝑚 steps is
𝑚 2
1 2 2𝑚−1 1 1 − (3)
1− − −⋯− 𝑚 =1− ⋅ 2
→ 0, if 𝑚 → ∞.
3 9 3 3 1− 3

10. (a) This is a direct consequence of the definition.

(b) Cover each of the 𝑘 sets with intervals of total length 𝜀/𝑘.
(c) Cover the 𝑖th set with intervals of total length 𝜀/2𝑖 (𝑖 = 1, 2, . . . ).
(d) Every set is the union of its one-element subsets, which are of measure zero.
This union has measure zero e.g. for the Cantor set, but not for the interval
[0, 1].

8.2.

1. (a) Both proofs of Theorem 8.2.1 can be adapted to the space; for the second proof,
we have to apply a three-dimensional variant of Lemma 8.2.2.
(b) In the 𝑛-dimensional case, we have to assume that the volume of 𝐻 is at least
2𝑛 Δ. (Here Δ is the absolute value of the determinant formed from the coor-
dinate vectors of the 𝑛 sides of the fundamental parallelepiped.)
2. Both proofs of Theorem 8.2.1 can be modified to verify this statement. For the
second proof, we need a generalization of Lemma 8.2.2 (we keep the notation used
there): If the intersection of any 𝑟 + 1 sets 𝐾𝑃 is empty, then 𝑡 ≤ 𝑟Δ. Following
the arguments of the first or second proof, we obtain 𝑟 non-trivial lattice points, no
two of which are symmetric about the center 𝑂. Their mirror images with respect
to 𝑂 yield another 𝑟 lattice points.
8.3. 503

3. Argue as in the proof of Theorem 8.2.4. For a prime 𝑝 = 3𝑘 + 1, we have 𝑐2 ≡ −3

(mod 𝑝) with a suitable 𝑐. Then 𝑝 ∣ 𝑥2 + 3𝑦2 for the lattice points (8.2.6) in the
proof of Theorem 8.2.4. Applying Minkowski’s theorem for a suitable ellipse, we
obtain a non-trivial lattice point satisfying 𝑥2 + 3𝑦2 < 3𝑝. Since 𝑥2 + 3𝑦2 = 2𝑝 is
impossible modulo 3, 𝑥2 + 3𝑦2 = 𝑝.
4. Using the notation in Theorem 8.2.1, now 𝐿 is the usual square lattice, Δ = 1, and
𝐻 is the parallelogram bounded by the lines
𝑎11 𝑥1 + 𝑎12 𝑥2 = ±𝑏1 , 𝑎21 𝑥1 + 𝑎22 𝑥2 = ±𝑏2 ,
its area is 4𝑏1 𝑏2 /|𝐷|. Thus the statement follows from Minkowski’s theorem.
5. Based on the three-dimensional variant of Minkowski’s theorem (see Exercise
8.2.1a), we can proceed as in the proof of Theorem 8.2.3. Consider the lattice
𝑥 = 𝑠𝛼1 − 𝑟1 , 𝑦 = 𝑠𝛼2 − 𝑟2 , 𝑧 = 𝑠.
The volume of the fundamental parallelepiped is Δ = 1. The approximation re-
quirement can be written as |𝑧𝑥2 | < 𝑐2 , |𝑧𝑦2 | < 𝑐2 , where 𝑐 = 2/3. This set in the
space is not convex (and is unbounded), so we should consider octahedrons
1 3 1 3
|𝑧| + 2𝑎|𝑥| ≤ √12, |𝑧| + 2𝑎|𝑦| ≤ √12
𝑎2 𝑎2
instead, with suitable values 𝑎 > 1, also using the inequality between arithmetic
and geometric means.

8.3.

1. (a) 4, 1, 4, 2
(b) 1, 1, 2, 1, 2, 1, 2, . . .
(c) 2, 4, 4, 4, . . .
(d) 1, 1, 1, 1, . . .
2. (a) 43/30. (b) (1 + √3)/2.
3. Use the good approximation of the fractions 𝑟𝑛 /𝑠𝑛 in Theorem 8.3.3, and observe
that (𝑠𝑛−1 , 𝑠𝑛 ) = 1 follows from (8.3.11).
4. By Exercise 8.3.1d, every digit in the continued fraction expansion of (1 + √5)/2 is
1. Hence, the fractions 𝑟𝑛 /𝑠𝑛 in Theorem 8.3.3 satisfy 𝑟𝑛 = 𝜑𝑛+2 and 𝑠𝑛 = 𝜑𝑛+1 by
recursion (8.3.8a)–(8.3.8b).
5. Use (8.3.8a), (8.3.8b), and (8.3.10) in Lemma 8.3.4.
6. Denoting the original number by 𝛼 and the one formed from the purely periodic
part by 𝛽, we obtain the finite continued fractions
𝛼 = 𝐶(𝑐 0 , 𝑐 1 , . . . , 𝑐 𝑀−𝑘 , 𝛽) and 𝛽 = 𝐶(𝑐 𝑀−𝑘+1 , . . . , 𝑐 𝑀 , 𝛽).
We obtain the statement by simplifying the multiple-decked fractions and perform-
ing some further rearrangements.
504 Answers and Hints

8.4.

1. Dense: (b), (d), (f), (g).

2. We draw countably many subintervals in [0, 1) of lengths tending to zero around
every rational point 0 < 𝑟 < 1, and arrange them in a single sequence of intervals 𝐽1 ,
𝐽2 , . . . . To verify that the fractional parts of a sequence of numbers 𝑢𝑖 is everywhere
dense, we have to show that every interval 𝐽𝑠 contains at least one {𝑢𝑖 }.
We shall obtain 𝛼 as a common point of nested closed intervals. We start (say)
with 𝐻0 = [2, 3]. If the interval 𝐻𝑘−1 is given, then we define 𝐻𝑘 as a subinterval
of 𝐻𝑘−1 : We choose an exponent 𝑛𝑘 such that the 𝑛𝑘 th powers of the elements
𝑥 in 𝐻𝑘−1 cover a complete interval 𝑇 between two consecutive integers, and 𝐻𝑘
consists of numbers 𝑥 satisfying
𝑥 ∈ 𝐻𝑘−1 , 𝑥𝑛𝑘 ∈ 𝑇, and {𝑥𝑛𝑘 } ∈ 𝐽𝑘 .
Then 𝛼 can be chosen as a common point of the intervals 𝐻𝑘 .
3. If a point 𝑃𝑛 is very close to a point 𝑄 = (𝑣 1 , . . . , 𝑣 𝑘 ) in the 𝑘-dimensional unit cube,
then {𝑛𝛼𝑗 } − 𝑣𝑗 has small absolute value for every 1 ≤ 𝑗 ≤ 𝑘, so the absolute value
of their linear combination is also small. If 1, 𝛼1 , . . . , 𝛼𝑘 are linearly dependent,
then we get a condition for a suitable linear combination of the coordinates 𝑣 𝑖 that
cannot hold for an arbitrary 𝑄.
4. (a) We build the new sequence by always taking the first element of the old one
that was not yet used and that falls into the following intervals in this order:
1 1 1 1 2 2 1
[0, ) , [ , 1) , [0, ) , [ , ) , [ , 1) , [0, ) , . . . .
2 2 3 3 3 3 4
(b) Every second element in the new sequence should have e.g. a very small frac-
tional part.
5. True: (b), (c).
6. (a) Let 𝑘 be an arbitrary positive integer. If 10𝑘 ≤ 𝑚 < 10𝑘+1 , then
1
{log10 𝑚} > ⟺ 𝑚 > 10𝑘 √10.
2
This means that many more than half of the fractional parts fall into the in-
terval (1/2, 1), if 𝑛 = 10𝑘+1 (and many less than half, if 𝑛 = ⌊10𝑘 √10⌋).
(b) The ratio 1/(2𝜋) is irrational, thus the angles 𝑛 (measured in radians) are uni-
formly distributed on the unit circle by Theorem 8.4.5. Therefore, the uniform
distribution of the values {sin 𝑛} would mean that the set of real numbers 𝑥 for
which {sin 𝑥} falls into a fixed subinterval 𝐼 in [0, 1] of length 𝑑 would occupy
a part on the unit circle of size 𝑑 times the perimeter. However, we can easily
check that this is false e.g. for the interval 𝐼 = [1/2, √3/2].
7. We have to show that 54321 ⋅ 10𝑣 ≤ 𝑡𝑛 < 54322 ⋅ 10𝑣 holds for suitable natural
numbers 𝑛 and 𝑣. Take the base-10 logarithm and apply Theorem 8.4.1 for 𝛼 =
log10 𝑡.
9.1. 505

A.9. Algebraic and Transcendental Numbers

9.1.

1. (a) A suitable polynomial is 𝑥20 − 7.

(b) Square 𝛼 − 3 = √2.
(c) Squaring 𝛼 − √3 = √2, rearranging the result, and squaring again, we get a
suitable polynomial with integer coefficients.
3
(d) Cube 𝛼 − √2 = √ 4, rearrange the result and square it.
3 3
(e) Cube 𝛼 = √ 2+√ 4, and rewrite the part including cube roots on the right-
hand side as
3 3 3 3
3 √2 √4( √2 + √4) = 3 ⋅ 2𝛼.
(f) We can eliminate the square roots by successive squarings.
2. Assume that 𝛼 is a root of a polynomial 𝑓(𝑥) = 𝑎0 + 𝑎1 𝑥 + ⋯ + 𝑎𝑛 𝑥𝑛 with rational
coefficients and 𝑎𝑛 ≠ 0. Then the given numbers are roots of the polynomials
(a) 𝑓(−𝑥) = 𝑎0 − 𝑎1 𝑥 + 𝑎2 𝑥2 + ⋯ + (−1)𝑛 𝑥𝑛
(b) 𝑓(𝑥) (if 𝛼 is a root of a polynomial with real coefficients, then also 𝛼 is a root
of the same polynomial)
(c) 𝑥𝑓(1/𝑥) = 𝑎𝑛 + 𝑎𝑛−1 𝑥 + ⋯ + 𝑎0 𝑥𝑛 (we can assume 𝑎0 ≠ 0, 𝛼 ≠ 0)
(d) 𝑓(𝑥 − 𝑟) = 𝑎0 + 𝑎1 (𝑥 − 𝑟) + ⋯ + 𝑎𝑛 (𝑥 − 𝑟)𝑛
(e) 𝑓(𝑥/𝑟) = 𝑎0 + 𝑎1 (𝑥/𝑟) + ⋯ + 𝑎𝑛 (𝑥/𝑟)𝑛 (we may clearly assume 𝑟 ≠ 0)
(f) 𝑓(𝑥𝑘 ) = 𝑎0 + 𝑎1 𝑥𝑘 + ⋯ + 𝑎𝑛 𝑥𝑘𝑛 .
3. If 𝜁(2) = 𝜋2 /6 were algebraic, then 𝜋 would be algebraic by parts (e) and (f) of the
previous exercise.
4. Assume that 𝑓(𝛼) = 𝑎0 + 𝑎1 𝛼 + ⋯ + 𝑎𝑛 𝛼𝑛 is algebraic, so
𝑏0 + 𝑏1 (𝑎0 + 𝑎1 𝛼 + ⋯ + 𝑎𝑛 𝛼𝑛 ) + ⋯ + 𝑏𝑠 (𝑎0 + 𝑎1 𝛼 + ⋯ + 𝑎𝑛 𝛼𝑛 )𝑠 = 0
for some rational numbers 𝑏0 , 𝑏1 , . . . , 𝑏𝑠 not all zero. Performing the operations,
we see that 𝛼 is a root of a non-zero polynomial with rational coefficients, which
is a contradiction.
5. If there is such an ℎ, then all its roots, including all roots of 𝑔, are algebraic. Con-
versely, if the roots of 𝑔 are the algebraic numbers 𝛼1 , . . . , 𝛼𝑟 (counted with multi-
plicity), and 𝛼𝑗 is a root of a non-zero polynomial 𝑓𝑗 with integer coefficients (𝑗 = 1,
. . . , 𝑟), then ℎ = 𝑓1 . . . 𝑓𝑟 meets the requirements.
6. The statement follows immediately from the definitions of algebraic numbers and
linear dependence.
7. A complex number 𝛼 is a root of the polynomials (a) 𝑥 − 𝛼; (b) (𝑥 − 𝛼)(𝑥 − 𝛼).
506 Answers and Hints

9.2.

1. (a)–(e) The degree equals deg 𝛼, except if 𝑟 = 0 in (e). For a proof, choose the
polynomial 𝑓 in the hint to Exercise 9.1.2 as 𝑚𝛼 , and verify that the poly-
nomials 𝑓(−𝑥), etc. given in the hint are irreducible over 𝐐.
(f) deg 𝑘√𝛼 ≤ 𝑘 deg 𝛼.
2. Find first a non-zero polynomial 𝑓 with rational coefficients such that 𝑓(𝛼) = 0,
and check the irreducibility of 𝑓 over 𝐐. If 𝑓 is irreducible, then 𝑓 = 𝑚𝛼 , thus
deg 𝛼 = deg 𝑓. If 𝑓 is reducible, then decompose it into the product of irreducible
factors, and determine which factor has 𝛼 among its roots. We can often verify
irreducibility using the Schönemann–Eisenstein criterion, and for polynomials of
degree two or three it is sufficient to check whether or not the polynomial has a
rational root.
(a) 7.
(b) 3. Express 1/2 = cos 60∘ using cos 20∘ .
(c) 3. See hint to Exercise 9.1.1e.
(d) 2. There is a perfect square under the big square root sign.
(e) 4.
(f) 4. Add 1 and apply the summation formula for this geometric series of four
terms.
3. If 𝛼 = 𝑟 + √𝑠, then 𝛼 is a root of the polynomial (𝑥 − 𝑟)2 − 𝑠 irreducible over 𝐐. For
the converse, use the quadratic formula.
4. (a) Apply that if 𝛼 is algebraic and 𝑟 is rational, then deg(𝛼 + 𝑟) = deg 𝛼 (see
Exercise 9.2.1d).
(b) If 𝛼 is a non-real complex number, then the numbers 𝑠(𝛼 + 𝑟) are everywhere
dense in the complex plane when 𝑟 and 𝑠 assume all rational numbers.
5. (a) deg 𝛼𝑖 ≤ deg 𝑓 for every 𝑖.
(b) Equality holds if and only if 𝑓 is irreducible over 𝐐.
(c) Write 𝑓 as a product of irreducible polynomials (over 𝐐): 𝑓 = 𝑓1 . . . 𝑓𝑘 , where
𝑘 ≥ 2 since 𝑓 is reducible. Let deg 𝑓𝑗 = 𝑛𝑗 . Then 𝑛1 + ⋯ + 𝑛𝑘 = 𝑛 and
𝑛 𝑘
(A.9.1) ∑ deg 𝛼𝑖 = ∑ 𝑛𝑗2 .
𝑖=1 𝑗=1

Show that the sum on the right-hand side of (A.9.1) is maximal if and only if
𝑘 = 2, one of 𝑛1 and 𝑛2 is 1, and the other is 𝑛 − 1.
6. 𝑚𝛼 = 𝑥6 + 5𝑥5 + 10𝑥2 + 5𝑥 − 10. Hint: The conditions imply 𝑓 = 𝑔𝑚𝛼 , where
deg 𝑔 = 1. Hence, 𝑓 has a rational root. Determine it by the rational root test,
and divide 𝑓 by the suitable root factor (the best way to do this is to apply Horner’s
scheme).
9.3. 507

7. We have [𝑚𝛼 , 𝑚𝛽 ] ∣ 𝑓, and if 𝑚𝛼 ≠ 𝑚𝛽 , then (𝑚𝛼 , 𝑚𝛽 ) = 1 due to the irreducibility

of minimal polynomials.
8. If 𝑓 were irreducible, then the conditions would imply 𝑓 = 𝑚𝛼 ∣ 𝑔.

9.3.

1. (a) Let 𝛼 be algebraic and 𝛽 transcendental. If 𝛼 + 𝛽 were algebraic, then 𝛽 =

(𝛼 + 𝛽) − 𝛼 would be algebraic, which is a contradiction.
(b) For example, 𝜋 + (1 − 𝜋) is algebraic, 𝜋 + (1 + 𝜋) is transcendental.
(c) The only difference compared to addition is that the product of an algebraic
and a transcendental number can be algebraic but only in the exceptional case
where the algebraic factor is 0.
2. (a) Both 𝛼 and 𝛽 are algebraic.
(b) Both 𝛼 and 𝛽 are transcendental.
(c) At least one of 𝛼 and 𝛽 is transcendental (find examples for each of the possible
cases).
(d) 𝛼 and 𝛽 are algebraic, or 𝛼 = 0 and 𝛽 is transcendental.
(e) Both 𝛼 and 𝛽 are transcendental.
(f) Both 𝛼 and 𝛽 are transcendental, or one of them is 0 and the other is transcen-
dental.
(g) At least one of 𝛼 and 𝛽 is transcendental.
(h) Both 𝛼 and 𝛽 are algebraic. Hint: Solving the system of equations 𝛼 + 𝛽 = 𝑐,
𝛼𝛽 = 𝑑, the quadratic formula (or Theorem 9.3.6) yields that 𝛼 and 𝛽 are
algebraic.
In the rational/irrational variant, there are changes only at (d) and (h):
(d) 𝛼 = 0 and 𝛽(≠ 0), or 𝛼 = √𝑟 and 𝛽 = 𝑠√𝑟(≠ 0)
(h) 𝛼 = 𝑠 + √𝑟 and 𝛽 = 𝑠 − √𝑟 where 𝑟 > 0 and 𝑠 are arbitrary rational numbers.
3. Algebraic: (b).
4. (a) At most one of them can be algebraic; use Exercise 9.3.2a,d,h.
(b) Apply Theorem 9.3.3 for (b1) and Theorem 9.3.5 for (b2) observing 𝑒𝑖𝜋 = −1.
5. Algebraic: (a), (b).
7. Show that log10 𝑛 is irrational, and apply Theorem 9.3.5.
8. Assume that for some positive integers 𝑘 and 𝑚, 𝑘 ≠ 𝑚, 𝛼𝑘 +𝛽 𝑘 = 𝑐 and 𝛼𝑚 +𝛽 𝑚 =
𝑑 are algebraic and not both are 0. Then
(𝑐 − 𝛽 𝑘 )𝑚 = (𝑑 − 𝛽 𝑚 )𝑘 .
So 𝛽 is a root of a non-zero polynomial with algebraic coefficients, hence 𝛽 itself
is algebraic by Theorem 9.3.6. We get similarly that 𝛼 is algebraic, and therefore
𝛼𝑛 + 𝛽 𝑛 is algebraic for every 𝑛.
508 Answers and Hints

9. Algebraic: Show that there exist infinitely many positive integers that are not ra-
tional powers of 𝛼. These must be powers of 𝛼 with transcendental exponents by
Theorem 9.3.5.
Transcendental: The number of powers of 𝛼 with transcendental exponents has
the cardinality of the continuum but only countably many of them can be algebraic
numbers.

9.4.

1. (b) The number 𝛼 defined in Theorem 9.4.2 is a Liouville number, so part (a) im-
plies that there are infinitely many Liouville numbers. Continuum: We obtain as
in the proof of Theorem 9.4.2 that the infinite series formed of any infinite subse-
quence of the sequence 10−𝑘! is a Liouville number.
2. (a) Let 𝑓 = 𝑓1 . . . 𝑓𝑘 be the decomposition of 𝑓 into the product of irreducible
polynomials over 𝐐. Then we can reduce the Diophantine equation (9.4.12)
to a system of equations
𝑧
𝑔𝑗 (𝑦, 𝑧) = 𝑦𝑛𝑗 𝑓𝑗 ( ) = 𝑏𝑗 , 𝑗 = 1, 2, . . . , 𝑘,
𝑦
𝑘
where ∏𝑗=1 𝑏𝑗 = 𝑏. If 𝑏 ≠ 0, then there are only finitely many possibilities
for (say) 𝑏1 , and for each 𝑏1 the first equation can have only finitely many
solutions by (the original) Theorem 9.4.5. If 𝑏 = 0, then at least one 𝑏𝑗 = 0,
and the 𝑗th equation (with 𝑏𝑗 = 0) can have only finitely many solutions for
every possible 𝑗.
(b) We used only these properties in the proof of Theorem 9.4.5.
3. Follow the proof of Theorem 9.4.5. If 𝑧𝑖 /𝑦 𝑖 has no bounded subsequence, then
interchange the roles of 𝑧𝑖 and 𝑦 𝑖 , and consider 𝑓(𝑦 𝑖 /𝑧𝑖 ) instead of 𝑓(𝑧𝑖 /𝑦 𝑖 ). It
suffices to apply Theorem 9.4.4 in the special case (say) 𝜅 = 0.99.
4. Use that if 𝛼 is a multiple root of a polynomial 𝑓, then 𝛼 is a root of the derivative
of 𝑓, too.

9.5.

1. Use ideas similar to those in the proof of Theorem 9.5.1.

2. (a) Using the power series of sin 𝑥 and cos 𝑥, expand sin 1 and cos 1, and argue as
in the proof of Theorem 9.5.1.
(b) Modify the proof of Theorem 9.5.2: replace sin(𝜋𝑥) by sin(𝑟𝑥) in the integral
𝐼, and let 𝑎 be a common denominator of the rational numbers 1/𝑟, cos 𝑟, and
sin 𝑟.
9.6. 509

(c) Express sin(2𝑥) and cos(2𝑥) using tan 𝑥. This implies that if tan 𝑟 is rational,
then both sin(2𝑟) and cos(2𝑟) are rational, which contradicts part (b).
3. In the proof of Theorem 9.5.2, the integral-free expression is 0 after every second
integration by parts since sin 𝜋 = sin 0 = 0. Thus considering two consecutive in-
tegrations by parts as a single step, there will arise always just one new integral-free
expression, and its denominator is 𝜋2 times the previous one. Hence, the assump-
tion 𝜋2 = 𝑎/𝑏 will lead to a contradiction by computing the integral
1
𝜋𝑎𝑛+1 ∫ sin(𝜋𝑥)𝑓(𝑥) 𝑑𝑥
0
following the ideas seen at Theorem 9.5.2.

9.6.

1. The numbers 𝛼 and 𝛼 share the same minimal polynomial. The other three num-
bers can be obtained from 𝛼 and 𝛼 by addition; subtraction and multiplication by
𝑖; multiplication and taking a square root.
2. Only (c) is an algebraic integer. Hint for (d): Assume that cos 1∘ is an algebraic
integer, and show that then so is sin 1∘ . The addition formulas show that cos 𝑘∘
and sin 𝑘∘ are algebraic integers for every integer 𝑘. This is, however, false e.g. for
𝑘 = 30.
3. True: (a), (c), (e), (f), (h).
4. Yes, it is solvable, e.g. 𝑥 = 𝑦 = 1, 𝑧 = 𝑛√2 is a non-trivial solution.
5. True: (a), (c), (d).
6. As 𝛼 is algebraic, it satisfies
𝑎0 + 𝑎1 𝛼 + ⋯ + 𝑎𝑛 𝛼𝑛 = 0
with suitable integers 𝑎𝑖 , where 𝑎𝑛 ≠ 0. Multiplying by 𝑎𝑛−1 𝑛 and arranging the
result by the powers of 𝑎𝑛 𝛼, we obtain that 𝑎𝑛 𝛼 is an algebraic integer, i.e. 𝛼 is a
quotient of an algebraic integer and the integer 𝑎𝑛 . Applying the procedure for 1/𝛼
instead of 𝛼, we get that 𝛼 is a quotient of an integer and an algebraic integer (and
if 𝛼 = 0, then this holds trivially).
7. The constant term is ±1 in the minimal polynomial of 𝛼 (with integer coefficients
and leading coefficient 1).
8. (a) For example, 𝛽𝑛 = (√2 − 1)𝑛 .
(b) If both 1/𝛼 and 𝛼/𝛽 are algebraic integers, then so is their product 1/𝛽. For
the converse, let 𝛽𝑛 = 𝑛√𝛼.
(c) Let 𝑎0 + 𝑎1 𝑥 + ⋯ + 𝑎𝑛−1 𝑥𝑛−1 + 𝑥𝑛 be the minimal polynomial of an algebraic
integer 𝛼 (where every 𝑎𝑖 is an integer). Then the minimal polynomial of 𝛼/𝑏 is
𝑎0 +𝑎1 𝑏𝑥+⋯+𝑎𝑛−1 𝑏𝑛−1 𝑥𝑛−1 +𝑏𝑛 𝑥𝑛 . Rewriting it with a leading coefficient 1,
510 Answers and Hints

the constant term can be an integer only if 𝑏𝑛 ∣ 𝑎0 , thus there exist only finitely
many such integers 𝑏 (since 𝛼 ≠ 0 implies 𝑎0 ≠ 0).
9. The answer is yes for both questions. Take e.g. cos 𝜑+𝑖 sin 𝜑, where (a) cos 𝜑 = 1/3;
(b) cos 𝜑 = √2 − 1.
10. (a) The numbers 𝑎 + 𝑏 𝑛√2, where 𝑎 and 𝑏 are integers, are everywhere dense on
the real line by Theorem 8.4.1.
(b) We obtain from the quadratic formula that the real part of a non-real algebraic
integer can only be a fraction with denominator 2. Hence the algebraic inte-
gers of degree 2 are not dense in the complex plane. The ones of degree 4 are,
however, dense: the numbers (𝑎 + 𝑏√2) + 𝑖(𝑐 + 𝑑√2) where 𝑎, 𝑏, 𝑐, and 𝑑 are
integers have mostly degree 4, and are dense in the plane.
11. (a) If 𝑟 is rational, then 𝛼 = cos 𝑟∘ +𝑖 sin 𝑟∘ is a complex root of unity, and so it is an
algebraic integer. Therefore 2 Re 𝛼 = 2 cos 𝑟∘ is an algebraic integer. If 2 cos 𝑟∘
is rational then it must be an integer. Hence cos 𝑟∘ is 0, ±1/2, or ±1. We can
solve the problem without referring to algebraic integers. If 𝑟 is rational, then
𝑛𝑟 is an integer multiple of 360 for some positive integer 𝑛, i.e. cos(𝑛𝑟∘ ) = 1.
Using
cos(𝑛𝛼) = 2 cos((𝑛 − 1)𝛼) cos 𝛼 − cos((𝑛 − 2)𝛼),
verify by induction that 2 cos(𝑛𝛼) is a polynomial in 2 cos 𝛼 with integer coef-
ficients and leading coefficient 1. Thus if cos(𝑛𝑟∘ ) = 1, then 2 cos 𝑟∘ is a root of
a polynomial with integer coefficients and leading coefficient 1. All rational
roots of such a polynomial can only be integers, so 2 cos 𝑟∘ must be an integer.
(b) At least one of 𝑟 and sin 𝑟∘ is irrational, except if 𝑟 is an odd multiple of 30 or
is divisible by 180.
Assume that tan 𝑟∘ is defined, so 𝑟 is not an odd multiple of 90. Then at least
one of 𝑟 and tan 𝑟∘ is irrational, except if 𝑟 is an odd multiple of 45 or is divisible
by 180.
The result for the sine follows immediately from part (a) because sin 𝑟∘ =
cos(90 − 𝑟)∘ . This implies the statement for the tangent by the hint to Ex-
ercise 9.5.2c.

A.10. Algebraic Number Fields

10.1.

1. In the chain of extensions 𝐿 ⊆ 𝐹 ⊆ 𝑀, one of the two links must have degree 1 by
the Tower Theorem 10.1.3.
2. (a) 2; (b) ∞; (c) ∞.
3. (a) One of the directions is obvious, and the other follows from Theorem 9.3.6.
(b) (b1) 1; (b2) 2; (b3) 2; (b4) 3.
10.2. 511

4. (a) True: (a1).

(b) 𝑚𝜗,𝑀 ∣ 𝑚𝜗,𝐿 and deg𝑀 𝜗 ≤ deg𝐿 𝜗.

10.2.

1. To establish 𝐐(𝛼) = 𝐐(𝛽), it suffices to verify 𝛼 ∈ 𝐐(𝛽) and 𝛽 ∈ 𝐐(𝛼) by Theo-

rem 10.2.2.
2. (a) It follows from Theorem 10.2.2.
(b) 𝐐(𝛼) is a subspace in the finite dimensional vector space 𝐐(𝜗) over 𝐐. In a
finite dimensional vector space 𝑉, a subspace 𝑈 satisfies 𝑈 = 𝑉 if and only if
dim 𝑈 = dim 𝑉.
(c) The numbers 𝜗 and 𝛼 can be mutually expressed in the form prescribed by
Definition 10.2.1 if and only if the given condition holds.
3. True: (b), (d). (When verifying these, do not forget that 𝜗 can be transcendental.)
3 3 13 9 1 3 2 3
4. (a) 12 + 2 √ 2 + 9√ 4; (b) √4; (c) − √2 + √4.
2 17 17 17
5. (a) 4; (b) 10; (c) 7; (d) 4. Hint: It is worthwhile to operate with the two obser-
vations: (i) If 𝛼 is an element of a finite extension, then deg 𝛼 divides the degree of
the extension and (ii) If 𝛼 is algebraic and a number of degree 𝑘 is an element of
𝐐(𝛼), then 𝑘 ∣ deg 𝛼.
3 3
6. (a) ∅; (b) 𝐐( √ 7); (c) 𝐐(√5). Hint to (b): Use that 𝐐( √ 7) is a subset of the inter-
section and the degree of the intersection (over 𝐐) divides the degrees of both ex-
tensions. An alternative approach: Write an element of the intersection both as an
6 9
element of 𝐐( √ 7) and as an element of 𝐐( √ 7) in the form given in Theorem 10.2.3.
The two representations can be considered as writing the same element of 𝐐( 18√7)
according to Theorem 10.2.3, and the answer follows from the uniqueness of the
representation.
3
7. (a) 𝐐; (b) 𝐐( √ 3); (c) 𝐐(√2).
8. Observe that |𝜗| = 1 implies

𝜗+𝜗 1 1
Re 𝜗 = = (𝜗 + ).
2 2 𝜗
(Be aware during the proof that 𝜗 can be transcendental.)
7
9. Comparing the extensions and their degrees, we obtain 𝐐(𝛼) = 𝐐(√ 5). (Use The-
orems 10.2.5 and 10.2.3 and Exercise 10.2.2.)
10. Answer: 𝑘 and 𝑘/2 (the latter can occur only for even 𝑘). Hint: Apply the Tower
Theorem for the chain 𝐐 ⊆ 𝐐(𝛽 2 ) ⊆ 𝐐(𝛽). (If 𝑘 is even, exhibit examples to demon-
strate that both values can occur.)
512 Answers and Hints

11. Answer: ±1. Hint: As in Exercise 10.2.8, consider the chain 𝐐 ⊆ 𝐐(Re 𝜗) ⊆ 𝐐(𝜗).
Another option: Show that 𝜗 and 1/𝜗 share the same minimal polynomial and 1
or −1 is a root of this minimal polynomial.
12. Parts (a) and (b) follow from the proofs of Theorem 10.2.6 (or 9.3.1) and Theo-
rem 10.2.7 (or 9.3.6).
13. (a) As 𝜗 is transcendental, (𝑔1 ℎ2 −𝑔2 ℎ1 )(𝜗) = 0 holds if and only if 𝑔1 ℎ2 −𝑔2 ℎ1 = 0.
(b) By part (a),
𝑔(𝑥) 𝑔(𝜗)
↦
ℎ(𝑥) ℎ(𝜗)
is a bijection between the algebraic fractions over 𝐐 and 𝐐(𝜗) that preserves
the operations.

10.3.

1. (a) Verify as in the proof for 𝐼(√2) in Theorem 10.3.5 that there is a division algo-
rithm with respect to the absolute value of the norm in 𝐼(√3).
(b1) The irreducible factors on the two sides are associates:
5 + 3√3 = (2 + √3)(1 + √3) and − 4 + 3√3 = (2 − √3)(1 + 2√3).
(b2) Each decomposition contains a reducible factor.
(c) Apply Theorem 10.3.8. We obtain all (non-associate) primes from the decom-
positions of the positive prime numbers:
(c1) 3 = (√3)2 ; 2 = 𝜀(1 + √3)2 , where 𝜀 = 2 − √3 is a unit.
(c2) If 𝑝 ≡ ±5 (mod 12), then 𝑝 is a prime.
(c3) If 𝑝 ≡ ±1 (mod 12), then 𝑝 is a product of two non-associate primes.
(d) If solvable, there are infinitely many solutions, see Exercise 7.8.3. The equa-
tion is solvable if and only if every prime number of the form 12𝑘 ± 5 occurs
with an even exponent in the standard form of 𝑛 and the sum of the expo-
nents of 2, 3, and the primes of the form 12𝑘 − 1 is even. Hint: Use the result
of part (c) and follow the proof of the Two Squares Theorem. Every unit has
norm +1. The reason why we have to examine the exponents of 2, 3, and the
prime numbers of the form 12𝑘 − 1 is that the primes in 𝐼(√3) occurring in
their decompositions have negative norms, therefore, if the sum of the expo-
nents is odd, then not 𝑛 but −𝑛 can be written in the form 𝑥2 − 3𝑦2 .
2. (a) We can verify as in the Gaussian integers that there is a division algorithm
with respect to the norm.
(b) It follows from Theorem 10.3.8 that all (non-associate) primes are obtained
from the decompositions of the positive prime numbers:
(b1) 2 = −(√−2)2 .
(b2) If 𝑝 ≡ 5 or 7 (mod 8), then 𝑝 is a prime.
(b3) If 𝑝 ≡ 1 or 3 (mod 8), then 𝑝 is a product of two non-associate primes.
10.3. 513

(c) Answer: 𝑥 = ±5, 𝑦 = 3. Hint: The two factors on the left-hand side of
(𝑥 + √−2)(𝑥 − √−2) = 𝑦3 can share only √−2 as a common prime fac-
tor, which implies that 𝑥 is even, but this is impossible by checking the orig-
inal equation modulo 4. Thus the two factors are coprime, and since the
only units are ±1, which are cubes themselves, each factor must be a cube
itself. So we can get the answer by comparing the coefficients of √−2 in
𝑥 + √−2 = (𝑎 + 𝑏√−2)3 .
3. Consider e.g. the decompositions
(a) (1 + √15)(1 − √15) = (−2) ⋅ 7
(b) (1 + √26)(1 − √26) = (−5) ⋅ 5
(c) (2 + √−6)(2 − √−6) = 2 ⋅ 5
(d) (2 + √−10)(2 − √−10) = 2 ⋅ 7.
4. We follow the pattern seen for the Gaussian and Eulerian integers (Theorem 7.4.8).
If 𝑡 ≢ 1 (mod 4), then the elements of 𝐼(√𝑡) form a rectangular lattice in the com-
plex plane, where the lengths of the horizontal and vertical sides of the fundamen-
tal rectangle are 1 and √|𝑡|. The division algorithm requires that every element of
𝐐(√𝑡) falls inside a unit circle around some lattice point. This is satisfied if the cir-
cles cover the entire plane, i.e. √|𝑡| < √3, which means 𝑡 = −1 or −2. Further, it
is definitely not satisfied if a segment on the vertical side bisector of a fundamental
rectangle remains uncovered, i.e. √|𝑡| > √3, which means 𝑡 < −3 (since −3 ≡ 1
(mod 4), so 𝑡 = −3 does not come up now). We can argue similarly also in the
case 𝑡 ≡ 1 (mod 4). Then we have a parallelogram lattice where the length of the
horizontal side of the fundamental parallelogram is 1, the corresponding altitude
1
is 2 √|𝑡|, and its foot is the midpoint of the horizontal base.
5. Use Theorem 10.3.8(vii).
6. Show 𝑛2 + 𝑛 + 𝑘 = 𝑁(𝛼𝑛 ) for every 0 ≤ 𝑛 ≤ 𝑘 − 2, where 𝛼𝑛 is irreducible
in 𝐼(√−4𝑘 + 1). Deduce that if 𝑁(𝛼𝑛 ) were a composite integer for some 𝑛, then
𝑁(𝛼𝑛 ) would have two essentially distinct decompositions into the product of irre-
ducible elements in 𝐼(√−4𝑘 + 1).
7. Irreducibility follows immediately from the properties of the norm. For (b), de-
duce from the condition that to every 𝛽 ∈ 𝐼(√𝑡) there exists an integer 𝑏 satisfying
𝛼 ∣ 𝛽 − 𝑏. Then the prime property of 𝛼 follows from
𝛼 ∣ 𝛽𝛾 ⟹ 𝛼 ∣ 𝑏𝑐
⟹ ±𝑝 = 𝑁(𝛼) ∣ 𝑏2 𝑐2
⟹ 𝑝 ∣ 𝑏 or 𝑝 ∣ 𝑐
⟹ 𝛼 ∣ 𝑏 or 𝛼 ∣ 𝑐
⟹ 𝛼 ∣ 𝛽 or 𝛼 ∣ 𝛾.

8. Since 𝛽 2 /𝛼2 is an algebraic integer, so is its square root 𝛽/𝛼. As 𝛽/𝛼 ∈ 𝐐(√𝑡),
𝛽/𝛼 ∈ 𝐼(√𝑡).
514 Answers and Hints

9. (a) 5 = −(√−5)2 .
(b) We saw in the proof of Theorem 10.3.5 that 2 is irreducible and

2 ∣ 6 = (1 + √−5)(1 − √−5), but 2 ∤ 1 ± √−5,

thus 2 is not a prime.
−5
(c) By Theorem 10.3.7, we have to check that ( 𝑝
) = −1 holds exactly for the
primes 𝑝 of the given forms.
(d) We see from (c) that these are not primes. They are irreducible since such a
𝑝 (and in general, any integer of the form 10𝑠 ± 3) cannot be the norm of an
element in 𝐼(√−5).
(e) Verify that these prime numbers 𝑝 are the norms of some elements in 𝐼(√−5),
𝑝 = 𝑎2 +5𝑏2 where 𝑎 and 𝑏 are integers, since then 𝑝 = (𝑎+𝑏√−5)(𝑎−𝑏√−5).
Using the solvability of the congruence 𝑥2 ≡ −5 (mod 𝑝) and following the
proof of Theorem 8.2.4 or applying Thue’s lemma in Exercise 7.5.21a, show
that a small multiple of 𝑝 can be written in the form 𝑎2 + 5𝑏2 , and deduce that
this holds also for 𝑝 itself.

10.4.

1. (a) ±√2 ± √3
(b) √2(±1 ± 𝑖)
(c) cos 20∘ , cos 140∘ , cos 260∘
(d) cos 𝑘∘ + 𝑖 sin 𝑘∘ , where 1 ≤ 𝑘 ≤ 360, 𝑘 is an integer and (𝑘, 360) = 1.
2. (a) Applying Viète’s formula for the sum of the roots of the minimal polynomial
of 𝜗, we obtain that 𝜗 (1) + 𝜗 (2) is rational, so 𝜗 (2) ∈ 𝐐(𝜗 (1) ).
(b) There exists a real 𝜗 (𝑗) , thus 𝐐(𝜗 (𝑗) ) ⊆ 𝐑, so 𝐐(𝜗 (𝑗) ) ≠ 𝐐(𝜗).
(c) In the chain 𝐐 ⊆ 𝐐(𝜗 (𝑗) )∩𝐐(𝜗 (𝑘) ) ⊆ 𝐐(𝜗 (𝑗) ), the product of the degrees of the
two links is 3. Therefore it suffices to prove that any two extensions 𝐐(𝜗 (𝑗) )
are distinct. Show that if two of the three extensions 𝐐(𝜗 (𝑗) ) coincide, then
the third must be equal to them. This, however, contradicts part (b).
3. (We abbreviate the relative conjugates by R.C.)
4 4
(a) R.C.: 1 ± √ 2, 1 ± 𝑖 √ 2, 𝑁(𝛼) = −1.
(b) R.C.: 1 ± √2 with double multiplicity, 𝑁(𝛽) = 1.
4 4
(c) R.C.: (1 ± √ 2)(1 + √2), (1 ± 𝑖 √ 2)(1 − √2), 𝑁(𝛾) = −1.
4. Adapt the proof of Theorem 10.3.4. (Be careful: the relative conjugates of 𝜀 are
generally outside 𝐐(𝜗), but their product divided by 𝜀 is inside.)
5. (a) For example, (3 + 4𝑖)/5 is suitable.
10.5. 515

(b) Let the quadratic field be of the form 𝐐(√𝑡), where 𝑡 ≠ 1 is a squarefree in-
𝑡
teger, and let 𝑝 > 2 be a prime satisfying ( 𝑝 ) = 1. Then the congruence
𝑥2 −𝑡 ≡ 0 (mod 𝑝) is solvable, and so the same is true for 𝑥2 − 𝑡 ≡ 0 (mod 𝑝2 ).
Let 𝑐 be a solution. Then (𝑐 + √𝑡)/𝑝 is not an algebraic integer, but its norm
is an integer.

10.5.

1. (a) −4; (b) −3; (c) −108; (d) 2𝑛−1 𝑛𝑛 (−1)(𝑛−1)(𝑛−2)/2 .

Hint for (d): The discriminant is the square of a Vandermonde determinant that
should be computed by the usual row-column multiplication of matrices.
2. (a) Then
𝛽 𝜔
⎛ 1⎞ ⎛ 1⎞
𝛽2 𝜔2
⎜ ⎟ = 𝐶⎜ ⎟
⎜⋮⎟ ⎜⋮⎟
⎝𝛽𝑛 ⎠ ⎝𝜔𝑛 ⎠
where the elements of matrix 𝐶 are integers, thus
Δ(𝛽1 , . . . , 𝛽𝑛 ) = Δ(𝜔1 , . . . , 𝜔𝑛 )(det 𝐶)2
by Theorem 10.5.3(iii).
(b) By part (a), we obtain each discriminant by multiplying the other one by a
positive integer.

3. The discriminant of 𝐐(√𝑡) (with a squarefree integer 𝑡 ≠ 1) is 4𝑡 if 𝑡 ≢ 1 (mod 4),

and 𝑡 if 𝑡 ≡ 1 (mod 4).
4. Argue as in Exercise 10.5.2.
5. (a) The condition is 𝑎, 𝑏, 𝑐, 𝑑 ∈ 𝐙 and
| 𝑎𝑐 𝑑𝑏 | = ±1
(b) Let 𝜔 = cos(2𝜋/3) + 𝑖 sin(2𝜋/3). The Eulerian rationals 𝑎 + 𝑏𝜔 and 𝑐 + 𝑑𝜔
form an integral basis if and only if 𝑎, 𝑏, 𝑐, 𝑑 satisfy the same condition as in
part (a).
6. These are the fields 𝐐(√𝑡), where (𝑡 ≠ 1 is a squarefree integer and) 𝑡 ≡ 1 (mod 4).
7. It follows directly from the definition of discriminant. Another option: Apply The-
orem 10.5.3(iii) for 𝛼𝑖 = 𝜗𝑖−1 , and note that Δ(1, 𝜗, . . . , 𝜗𝑛−1 ) is the square of a
Vandermonde determinant with real generators.
8. (a) Take, for example, 1/2 and 2𝑖 in 𝐐(𝑖).
(b) Δ(𝑟1 𝛼1 , . . . , 𝑟𝑛 𝛼𝑛 ) = Δ(𝛼1 , . . . , 𝛼𝑛 ) if the product of the rational numbers 𝑟1 , . . . ,
𝑟𝑛 is 1.
516 Answers and Hints

A.11. Ideals

11.1.

1. (a) (2)
(b) (1 + 𝑖)
(c) Not an ideal
(d) (1 + 𝑖)
(e) Not an ideal
(f) (7).
2. (a) (2𝑥 − 1)
(b) ([𝑥2 − 2][𝑥2 − 3])
(c) Not an ideal
(d) (𝑥 − 3, 2)
(e) Not an ideal.
3. Let 𝑅 be a field and 𝐼 ≠ 0 an ideal in 𝑅. We have to show 𝐼 = 𝑅. If 𝑎 ≠ 0 is an
element of 𝐼 and 𝑏 is an element of 𝑅, then 𝑐 = 𝑏/𝑎 ∈ 𝑅, so 𝑐𝑎 = 𝑏, 𝑏 ∈ 𝐼, thus
𝐼 = 𝑅. For the converse, pick an element 𝑎 ≠ 0 in 𝑅. Then, by the condition,
(𝑎) = 𝑅, thus 𝑏 ∈ (𝑎) for every 𝑏 ∈ 𝑅. This means 𝑐𝑎 = 𝑏 for some 𝑐 ∈ 𝑅, so
division works and 𝑅 is a field.
4. Let 𝐼 = (𝜉1 21/𝑘1 , . . . , 𝜉𝑛 21/𝑘𝑛 ), where 𝜉1 , . . . , 𝜉𝑛 ∈ 𝑈. Then every element in 𝐼 is of
the form 𝜉21/𝑚 , where 𝜉 ∈ 𝑈 and 𝑚 = lcm[𝑘1 , . . . , 𝑘𝑛 ]. Since 21/(𝑚+1) is not of this
form, 𝐼 ≠ 𝐾, and 𝐾 cannot be generated by finitely many elements.
5. Show that the generators of one of the ideals can be expressed with the help of
generators of the other ideal, and vice versa.
6. (a) (a1): 4 (a2): 9 (a3): 5.
Field: (a2), (a3).
(b) If 𝛼 ≠ 0, then 𝐺/(𝛼) has 𝑁(𝛼) elements, and 𝐺/(𝛼) is a field if and only if 𝛼 is a
Gaussian prime. Hint: To determine the number of residue classes modulo 𝛼,
see the hint for Exercise 7.7.12. To characterize the fields, argue as we proved
that 𝐙/(𝑚) is a field if and only if 𝑚 is a prime number (Theorem 2.8.4; we have
to check, of course, that all necessary preliminary theorems can be adapted
from integers to Gaussian integers).
7. (a) Proceed as in the proof that (2, 𝑥) is not a principal ideal in 𝐙[𝑥] (see the para-
graph about E3 before Definition 11.1.4).
(b) (b1): 2, it is a field. (b2): 6, it is not a field. (b3): 121, it is a field.
8. (a) Field: (a2).
(b) 𝐹[𝑥]/(𝑔) is a field if and only if 𝑔 is irreducible over 𝐹.
11.2. 517

(c) The factor ring has four elements (the residue classes can be represented by
the remainders 𝑎0 + 𝑎1 𝑥, where 𝑎𝑖 = 0 or 1), and we can easily check that
the three non-zero elements have inverses. Another option: The factor ring is
isomorphic to 𝑆 = 𝐙2 [𝑥]/(𝑥2 + 𝑥 + 1), where 𝐙2 is the field of residue classes
modulo 2, and 𝑆 is a field by part (b).

9. (a) Follow the proof of the special case 𝜗 = √2 seen in the Example after Theo-
rem 11.1.6. The key observation is that each residue class of 𝐐[𝑥] modulo the
principal ideal (𝑚𝜗 ) can be uniquely characterized by the common remainder
of the polynomials in the class on division by 𝑚𝜗 , and the only computational
rule for the remainders is that the multiples of 𝑚𝜗 do not count. This corre-
sponds perfectly to the usual representation of the elements in 𝐐(𝜗) and to
the computation method there that uses only 𝑚𝜗 (𝜗) = 0. An alternative ap-
proach: The map 𝑓 ↦ 𝑓(𝜗) from 𝐐[𝑥] onto 𝐐(𝜗) is a ring homomorphism
with image 𝐐(𝜗) and kernel (𝑚𝜗 ). Thus the statement follows from the ho-
momorphism theorem for rings.
(b) By part (a), let 𝑀 = 𝐿[𝑥]/(𝑓). The irreducibility of 𝑓 implies that 𝑀 is a field,
the set of residue classes constant+(𝑓) corresponds to 𝐿∗ , and the residue class
𝑥 + (𝑓) plays the role of 𝜗.
10. (a) It is sufficient to verify the statement for principal ideals since 𝛼 ∈ 𝐼 implies
(𝛼) ⊆ 𝐼, and so the number of residue classes modulo 𝐼 is less than or equal to
the number of residue classes modulo (𝛼). Let 𝛼 ≠ 0, and we show that there
are only finitely many remainders modulo 𝛼. Let 𝜔1 , . . . , 𝜔𝑛 be an integral
basis in 𝐼(𝜗). Then every 𝜉 ∈ 𝐼(𝜗) can be written as 𝜉 = 𝑘1 𝜔1 + ⋯ + 𝑘𝑛 𝜔𝑛 ,
where 𝑘𝑖 ∈ 𝐙, 𝑖 = 1, . . . , 𝑛. Since 𝛼 ∣ 𝑁(𝛼), every residue class modulo 𝛼 has a
representative 𝜉 satisfying 0 ≤ 𝑘𝑖 < |𝑁(𝛼)|, 𝑖 = 1, . . . , 𝑛.
(b) The numbers of elements of the factor rings 𝑅/𝐴𝑗 form a strictly decreasing
sequence. This is impossible, however, as 𝐴2 ≠ 0 and so 𝑅/𝐴2 has only finitely
many elements.
(c) If an ideal 𝐼 ≠ 0 were not finitely generated, then it would contain a strictly
increasing chain of ideals
(𝑎1 ) ⊂ (𝑎1 , 𝑎2 ) ⊂ (𝑎1 , 𝑎2 , 𝑎3 ) ⊂ . . . .

11.2.

1. (a) (5)
(b) (60).
2. (a) 4
(b) 16.
3. Rephrase the statement with divisibility according to Theorem 11.2.1.
518 Answers and Hints

4. (a) Both 2 and 1 + √−5 are common divisors, but there is no common multiple
of them among the common divisors.
(b) (2), (1 + √−5), (1).
(c) For example, 𝛼 = 2, 𝛽 = 1 + √−5.

11.3.

1. (a) They have minimal polynomials with integer coefficients, leading coefficient 1,
and constant term 1 or −1 (see Exercise 9.6.7).
(b) 𝛼 = √𝛼√𝛼.
2. (a) 𝑎 ≠ 0 and 𝑏 is arbitrary or 𝑎 = 𝑏 = 0.
(b) Every 𝑎 ≠ 0 is a unit, thus there are no irreducible or prime elements.
(c) Fundamental Theorem: It is an empty statement, as it refers to elements dif-
ferent from 0 and units. Principal ideal domain: A field contains only the
trivial ideals (0) and (1) (see Exercise 11.1.3), and these are principal ideals.
Euclidean ring: As division can be performed, we can always achieve a zero
remainder (and so any function can be chosen as 𝑓).
3. (a) Only 2 is irreducible.
(b) The procedure yields a unit that has no irreducible divisors.
(c) We can construct a suitable 𝑓 as in the hint to Exercise 1.5.5c.
(d) (0), (1), (2), (22 ), (23 ), . . . .
4. We have to check the requirements of Definition 11.1.1.
5. Hint for necessity: If 𝑅[𝑥] is a principal ideal domain, then (𝑎, 𝑥) is a principal ideal
for every (non-zero) constant polynomial 𝑎.
6. Show that if 𝑓(𝑐) is minimal for an element 𝑐 ≠ 0, then 𝑐 is a unit. So 𝑐 ∣ 𝑐, or 𝑒𝑐 = 𝑐
for some 𝑒. Applying the lack of zero divisors, show that 𝑒 is an identity element.
7. True: (a).
8. The division algorithm with remainders of least absolute value satisfies the condi-
tion. If (𝑏 ≠ 0 and) 𝑎 = 𝑏𝑞 + 𝑟, where |𝑟| ≤ |𝑏|/2, then 𝑓(𝑟) < 𝑓(𝑏).
9. (a) Prove first that every ideal in 𝑅 is finitely generated, and then show (𝑎, 𝑏) =
(𝑑), where 𝑑 = gcd{𝑎, 𝑏}.
(b) It follows from part (a) by Exercise 11.1.10a.
10. For sufficiency, see Exercise 10.3.4 and the hint for it. For necessity, assume that
𝐼(√𝑡) is a Euclidean ring for some 𝑡 < −3 and take an element 𝛽 ≠ 0, ±1 for which
𝑓(𝛽) is minimal. Verify 𝑁(𝛽) ≤ 3. This implies 𝑡 = −7 or 𝑡 = −11 (for 𝑡 < −3).
11.4. 519

11.4.

1. (a) 𝐻 is not an ideal if 𝐴 and 𝐵 are the ideals in Examples E1 or E2 before Defini-
tion 11.4.3: e.g. 2⋅3+[𝑥+3][𝑥−2] = 𝑥2 +𝑥 and 3⋅3−[1+ √−5][1− √−5] = 3,
are not of the form 𝑎𝑏.
(b) If 𝐴 = (𝛼), then
𝑛 𝑛 𝑛
∑ 𝑎𝑖 𝑏𝑖 = ∑ [𝑟 𝑖 𝛼]𝑏𝑖 = 𝛼 ∑ 𝑟 𝑖 𝑏𝑖 = 𝛼𝑏.
𝑖=1 𝑖=1 𝑖=1

2. (a), (b) The proof is the same as for integers.

(c) It follows from (iv) of Theorem 11.4.2.
(d) Apply part (c).
(e) To prove necessity, let 𝐴 = (1), and use part (c).
3. (a) If 𝛼 = 𝛽𝛾, then the proof of (iii) in Theorem 11.4.2 yields (𝛼) = (𝛽)(𝛾). Con-
versely, if (𝛽)𝐶 = (𝛼), then by the hint to Exercise 11.4.1b, every element of
(𝛽)𝐶, thus also 𝛼 is divisible by 𝛽.
(b) 𝛾 = 𝛼/𝛽 obtained in part (a) meets the requirements.
4. (a) We have to verify that 𝐷 is an ideal, 𝐷 contains 𝐴 and 𝐵, and if some ideal 𝐶
contains 𝐴 and 𝐵, then 𝐷 ⊆ 𝐶.
(b) Negative: 𝐴 ⊆ 𝐴 + 𝐵 = (0) ⟹ 𝐴 = (0).
𝑛
(c) The elements of the ideal 𝐴(𝐵, 𝐶) are of the form ∑𝑖=1 𝑎𝑖 [𝑏𝑖 + 𝑐 𝑖 ], so remov-
ing the brackets, we get elements of (𝐴𝐵, 𝐴𝐶). For the other inclusion, the
elements of (𝐴𝐵, 𝐴𝐶) can be written as
𝑛 𝑘 𝑛 𝑘
∑ 𝑎𝑖 𝑏𝑖 + ∑ 𝑎𝑗′ 𝑐𝑗 = ∑ 𝑎𝑖 [𝑏𝑖 + 0] + ∑ 𝑎𝑗′ [0 + 𝑐𝑗 ],
𝑖=1 𝑗=1 𝑖=1 𝑗=1

so they are in 𝐴(𝐵, 𝐶), too.

5. The least common multiple of 𝐴 and 𝐵 is a common multiple that divides all com-
mon multiples. We can rephrase this by (11.4.5) to inclusion: 𝑀 is the largest ideal
that is a subset of both 𝐴 and 𝐵, i.e. 𝑀 = 𝐴 ∩ 𝐵.
6. For example, 𝐴 = (𝑥) and 𝐵 = (2, 𝑥) in 𝐙[𝑥].
7. Prove (11.4.12)⇒(11.4.11) by contradiction. For the converse, apply (11.4.11) for
𝐴 = (𝑎) and 𝐵 = (𝑏).
8. (a) (a1): It has only the two trivial divisors.
(a2): The only non-trivial divisor is the ideal in (a1).
(a3): It has two non-trivial divisors: (2, 1 + √−5) and (3, 1 + √−5).
(b) (b1): (2, 1 + √−5)
(b2): (1).
(c) Irreducible: (c1), (c3).
520 Answers and Hints

9. True: (b), (c), (d).

10. (a) 𝐴 = (2, 𝑥), 𝐵 = (4, 𝑥2 ), 𝐶 = (4, 2𝑥, 𝑥2 ).
(b) By Exercise 11.4.1b, (𝛼)𝐵 = { 𝛼𝑏 ∣ 𝑏 ∈ 𝐵 }, (𝛼)𝐶 = { 𝛼𝑐 ∣ 𝑐 ∈ 𝐶 }, and since
𝛼 ≠ 0 and 𝑅 has no zero divisors, we have 𝛼𝑏 = 𝛼𝑐 ⇒ 𝑏 = 𝑐.
11. (a) Check the requirements in the definition of ideals.
(b) Verify that 𝐼 is a maximal ideal, i.e it satisfies (11.4.9). It follows that 𝐼 cannot
have other decompositions than the three listed in the exercise. To show 𝐼 ⋅𝐼 =
𝐼, use 𝑥𝛼 = 𝑥𝛼/2 𝑥𝛼/2 .
12. (a) If 𝑃 = 𝐴𝐵, then 𝑃 ⊆ 𝐴 and 𝑃 ⊆ 𝐵. Further (11.4.11), equivalent to (11.4.12),
implies 𝐴 ⊆ 𝑃 or 𝐵 ⊆ 𝑃. Therefore 𝑃 = 𝐴 or 𝑃 = 𝐵.
(b) For example, (4, 𝑥) in 𝐙[𝑥].
(c) Assume that 𝑀 is a maximal ideal, and there exist 𝑎 ∉ 𝑀 and 𝑏 ∉ 𝑀 satisfying
𝑎𝑏 ∈ 𝑀. Let (𝑎, 𝑀) and (𝑏, 𝑀) be the smallest ideals containing 𝑎 and 𝑏,
besides 𝑀. Since 𝑀 is maximal, we have (𝑎, 𝑀) = (𝑏, 𝑀) = 𝑅. Then
𝑅 = 𝑅𝑅 = (𝑎, 𝑀)(𝑏, 𝑀) ⊆ (𝑎𝑏, 𝑀) = 𝑀,
a contradiction.
(d) For example, (𝑥) in 𝐙[𝑥].
(e) Maximal ideals: Establish a bijection between the ideals of 𝑅 containing 𝐼
and the ideals of the factor ring 𝑅/𝐼, and apply Exercise 11.1.3. Prime ideals:
Rephrase condition (11.4.12) in the terms of the factor ring 𝑅/𝐼.

11.5.

1. Both conditions are equivalent to 𝐴 ∣ (𝛼).

2. (a) The quotient 𝑁(𝛼)/𝛼 is both an algebraic integer and an element in 𝐐(𝜗).
(b) By part (a) (or by Theorem 11.5.5) 𝐴 contains a non-zero integer, and so its
integer multiples are in 𝐴. All integers in 𝐴 are obtained as (integer) multiples
of the least such positive integer 𝑎, therefore 𝐴 = (𝑎).
3. It follows from Theorem 11.5.8.
4. (a) There is an integer 𝑐 > 1 in every prime ideal 𝑃 by Exercise 11.5.2. Factor 𝑐
into the product of prime numbers. Since 𝑃 is a prime ideal, it must contain
at least one of them. If 𝑃 contained two distinct positive prime numbers, then
also their combination by suitable integers giving 1 would be in 𝑃 which is
impossible.
(b) It follows from part (a).
(c) Yes.
(d) No, by Exercise 11.5.3.
5. Use the properties of greatest common divisors and least common multiples of
ideals.
12.1. 521

6. Express the greatest common divisor of ideals (𝛼)2 and (𝛽)2 in two different ways.

7. (a) (21) = (3, 4 + √−5)(3, 4 − √−5)(7, 4 + √−5)(7, 4 − √−5). (Of course, we can
describe these prime ideals with other generators, as well, e.g. (3, 4 + √−5) =
(3, 1 + √−5) = (3, 1 − 2√−5) = (2 − √−5, 1 + √−5), etc.)
(b) 𝑝 = 2 and 3.
(c) 𝑝 = 2, 5, and primes of the form 20𝑘 + 1, 20𝑘 + 3, 20𝑘 + 7, and 20𝑘 + 9.
8. Both properties are equivalent to the fact that every ideal in 𝐼(𝜗) is a principal ideal
(see Exercise 11.3.9b, and Theorems 11.4.2(iii) and 11.5.8).

11.6.

1. (2, √−6)(3 + √−6) = (3, √−6)(2 − √−6).

2. Both conditions are equivalent to 𝐼(𝜗) being a principal ideal domain (cf. Exer-
cise 11.3.9b).
3. Use the fact that 𝑘𝑢 = 1 + ℎ𝑣 with suitable integers 𝑢 and 𝑣.
4. (a) No solution.
(b) 𝑥 = 0, 𝑦 = 1.
(c) 𝑥 = ±985, 𝑦 = 99.
(d) 𝑥 = ±36, 𝑦 = 11. Note that −35 ≡ 1 (mod 4), so 𝑎 and 𝑏 are not necessarily
integers in 𝑎 + 𝑏√−35 ∈ 𝐼(√−35).

A.12. Combinatorial Number Theory

12.1.

1. (a) ⌊𝑛/2⌋ + 1, i.e. ℎ + 1, if 𝑛 = 2ℎ or 2ℎ + 1. Hint: The integers in the interval

[𝑛/2, 𝑛] form a suitable set. To prove that no bigger set exists, observe that if
𝑢 + 𝑣 = 𝑎𝑘 where 0 < 𝑢 < 𝑣, then at most one of 𝑢 and 𝑣 can occur among the
integers 𝑎𝑖 .
(b) Given 𝑟, let 𝐴𝑟 consist of the numbers 𝑎1 + 𝑎2 + ⋯ + 𝑎𝑟 + 𝑎𝑠 where 𝑠 = 𝑟 + 1,
𝑟 + 2, . . . (hence 𝐴0 is the original sequence), and let 𝐴𝑟 (𝑛) denote the number
of elements in 𝐴𝑟 not exceeding 𝑛. By the assumption, the sequences 𝐴𝑟 are
pairwise disjoint, hence
𝑡
𝑛 ≥ ∑ 𝐴𝑖 (𝑛) ≥ (𝑡 + 1)𝐴𝑡 (𝑛)
𝑖=0
522 Answers and Hints

for any 𝑛 and 𝑡. On the other hand,

𝑡 𝑡
𝐴𝑡 (𝑛) = 𝐴(𝑛 − ∑ 𝑎𝑖 ) − 𝑡 ≥ 𝐴(𝑛) − ∑ 𝑎𝑖 − 𝑡.
𝑖=1 𝑖=1

From the two inequalities we obtain

𝑡
𝑛
𝐴(𝑛) ≤ + ∑ 𝑎 + 𝑡.
𝑡 + 1 𝑖=1 𝑖
Dividing by 𝑛, the right-hand side tends to 1/(𝑡 + 1) as 𝑛 → ∞, and since 𝑡 was
arbitrary, this proves 𝐴(𝑛)/𝑛 → 0.
2. The integers not divisible by 3 form such a set of the desired density. To prove
that no larger density is possible, observe that any interval [𝑟, 4𝑟] can contain at
most 2𝑟 + 1 numbers 𝑎𝑖 , because the sums 𝑎𝑗 + 𝑎𝑗+1 where 𝑎𝑗 ≤ 2𝑟 fall into the
interval [2𝑟+1, 4𝑟], except perhaps the last one, and by assumption they differ from
the numbers 𝑎𝑖 in this interval. Thus we obtain the desired result by dividing the
interval [1, 𝑛] into subintervals of the type [𝑟, 4𝑟].
3. To construct a set of maximal size, take ⌈𝑘/2⌉ numbers and let 𝑡 be their sum. If we
delete the first two terms and insert the sum of the deleted terms as a new term,
then the sum does not change. Repeat the process as long as possible. To prove
that no larger number of representations can occur, apply that the last term and
the number of terms are different in every representation of 𝑡.
4. By the condition, an integer 1 ≤ 𝑗 ≤ 𝑛 is divisible by at most one 𝑎𝑖 , hence
𝑘 𝑘
∑𝑖=1 ⌊𝑛/𝑎𝑖 ⌋ ≤ 𝑛, and so 𝑛 ∑𝑖=1 1/𝑎𝑖 < 𝑛 + 𝑘.
1 (𝑎 , 𝑎 ) 𝑎 − 𝑎𝑖 1 1
5. = 𝑖 𝑖+1 ≤ 𝑖+1 = − .
[𝑎𝑖 , 𝑎𝑖+1 ] 𝑎𝑖 𝑎𝑖+1 𝑎𝑖 𝑎𝑖+1 𝑎𝑖 𝑎𝑖+1
6. (a) The integers of the form 3𝑗 + 1 satisfy the condition and this establishes the
lower bound. To verify the upper bound, observe that if 𝑡2 is the largest square
not exceeding 𝑛 and 𝑢 + 𝑣 = 𝑡2 , then at most one of 𝑢 and 𝑣 can occur among
the numbers 𝑎𝑖 .
(b) Find eleven residues modulo 32 such that the sum of no two of them is con-
gruent to a square mod 32.
7. Consider the numbers whose last and every second digit in base 5 are 0 or 2 (the
other digits are arbitrary), and prove that they satisfy the condition. Then 𝑘 is
approximately 𝑛𝑐 where 𝑐 = (1 + log5 2)/2 = 0.71 . . . .
8. The primes form a suitable set, hence 𝑠(𝑛) ≥ 𝜋(𝑛). To show 𝑠(𝑛) < 𝜋(𝑛) + 2𝑛2/3 ,
let 𝐶 be the set of integers between 1 and 𝑛2/3 and let 𝐷 be the union of 𝐶 and the
primes not exceeding 𝑛. First verify that every number up to 𝑛 can be represented
as 𝑛 = 𝑐𝑑 where 𝑐 ∈ 𝐶, 𝑑 ∈ 𝐷 (the representation is generally not unique). Then
fix such a representation 𝑎𝑖 = 𝑐 𝑖 𝑑𝑖 for every 𝑎𝑖 , and construct a bipartite graph
with |𝐶| + |𝐷| ≤ 𝜋(𝑛) + 2𝑛2/3 vertices where the two groups of vertices are 𝐶 and
𝐷, and the number 𝑎𝑖 is represented by the edge between vertices 𝑐 𝑖 and 𝑑𝑖 . If the
number of edges is not less than the number of vertices, then the graph contains a
12.1. 523

circuit. Since the graph is bipartite, the circuit has an even number of edges, and by
the construction, the product of numbers 𝑎𝑖 corresponding to every second edge is
equal to the product of numbers 𝑎𝑖 corresponding to the other edges in the circuit
(as both products are equal to the product of all numbers appearing in the vertices
of the circuit).
9. 𝜋(𝑛). Hint: The primes clearly satisfy the condition, hence the maximum is at
least 𝜋(𝑛). Assume that there are 𝜋(𝑛) + 1 such numbers 𝑎𝑖 . Then for every 𝑎𝑖
we can find a prime that occurs in the standard form of 𝑎𝑖 with a larger exponent
than in the standard form of all other numbers 𝑎𝑗 . By the pigeonhole principle,
there must be a prime that plays this role for two different numbers 𝑎𝑖 which is a
contradiction.
10. 2𝑛/3. Hint: The 2𝑛/3 numbers not relatively prime to 6 (that is, those that are
divisible by at least one of 2 and 3) satisfy the condition. If we pick more than 2𝑛/3
elements, then by the pigeonhole principle there must be an 𝑠 for which at least
five 𝑎𝑖 occur among the numbers 6𝑠 + 1, . . . , 6𝑠 + 6. Show that there must be three
of them that are pairwise relatively prime.
Remark: We can generalize the exercise, replacing three by 𝑟: Determine the max-
imum of 𝑘 if among any 𝑟 numbers 𝑎𝑖 there must be two that are not coprime. For
example, the numbers divisible by at least one of the first 𝑟 − 1 primes form such a
set. (Why?) Erdős conjectured that this set yields the maximum (for every 𝑛 large
enough compared to 𝑟). This long-standing unsolved problem was finally solved
by Ahlswede and Khachatrian in 1994.
11. Dividing by the gcd of the integers 𝑎𝑖 , we can assume that they are relatively prime.
𝑎𝑖
If some of them are divisible by 𝑘, e.g. 𝑘 ∣ 𝑎𝑖 and 𝑘 ∤ 𝑎𝑗 , then 𝑘 ∣ (since 𝑘 is
(𝑎𝑖 , 𝑎𝑗 )
𝑎𝑖
a prime) and ≥ 𝑘. If no 𝑎𝑖 is divisible by 𝑘, then there are two of them, say
(𝑎𝑖 , 𝑎𝑗 )
𝑎𝑖 𝑎𝑗
𝑎𝑖 and 𝑎𝑗 , that are congruent mod 𝑘. Hence ≡ (mod 𝑘), thus the
(𝑎𝑖 , 𝑎𝑗 ) (𝑎𝑖 , 𝑎𝑗 )
larger of the two quotients must be greater than 𝑘.
12. Let 𝑎1 , . . . , 𝑎𝑘 be a suitable set for 𝑛 = 2𝑗 . Then the set 1, 2, . . . , 2𝑡−1 , 2𝑡 𝑎1 , . . . , 2𝑡 𝑎𝑘
will work for 2𝑗+𝑡 ≤ 𝑛 < 2𝑗+𝑡+1 .
13. The optimal choice is 𝑐 = √3 in Chebyshev’s inequality. Then we can replace 8/3
in (12.1.9) and (12.1.10) by 3√3/2. A further improvement is possible if we replace
(12.1.6) by a better estimate: (12.1.10) implies 𝑘 ≤ (1 + 𝜀) log2 𝑛 with an arbitrarily
small 𝜀 > 0 for 𝑛 large enough, hence the term 1 on the right-hand side of (12.1.7)
can be nearly omitted. In total, this means that 2 at the end of (12.1.2) can be
replaced by any constant larger than log2 (3√3/2) = 1.377 . . . for 𝑛 large enough.
524 Answers and Hints

12.2.

1. We apply the greedy algorithm, and always pick the first element which does not
ruin the Sidon property. Assume that we have already chosen 𝑎1 < 𝑎2 < ⋯ < 𝑎𝑠 <
𝑛. We cannot choose 𝑑 as 𝑎𝑠+1 if 𝑑 + 𝑎𝑖 = 𝑎𝑗 + 𝑎𝑘 , or 𝑑 = 𝑎𝑗 + 𝑎𝑘 − 𝑎𝑖 for some 𝑖, 𝑗,
𝑘 ≤ 𝑠. (The case 𝑑 + 𝑑 = 𝑎𝑗 + 𝑎𝑘 cannot occur, since then 𝑑 < 𝑎𝑘 and so we would
have chosen 𝑑 in the sequence earlier, instead of 𝑎𝑘 .) This excludes at most 𝑠3 (in
fact, less than 𝑠3 /2) elements. This means that if 𝑠 < 𝑛1/3 , then we can still find a
new element 𝑎𝑠+1 ≤ 𝑛.
2. To verify the Sidon property, assume 𝑎𝑖 + 𝑎𝑗 = 𝑎𝑘 + 𝑎𝑙 , so
2𝑝(𝑖 + 𝑗 − 𝑘 − 𝑙) + (⟨𝑖2 mod 𝑝⟩ + ⟨𝑗2 mod 𝑝⟩ − ⟨𝑘2 mod 𝑝⟩ − ⟨𝑙2 mod 𝑝⟩) = 0.
The second term is divisible by 2𝑝 and has absolute value less than 2𝑝, so it must
be 0. Then the first term is also 0. This means 𝑖 − 𝑘 = 𝑙 − 𝑗 and 𝑖2 − 𝑘2 ≡ 𝑙2 − 𝑗2
(mod 𝑝). A calculation shows that either 𝑖 = 𝑘 and 𝑗 = 𝑙, or 𝑖 = 𝑙 and 𝑗 = 𝑘.
3. Apply a simplified version of the proof of Theorem 12.2.2 for the field of 𝑝2 ele-
ments and its subfield of 𝑝 elements.
4. Let 𝑔 be a primitive root modulo 𝑝, and let 𝑎𝑖 be the solution of the system of con-
gruences 𝑥 ≡ 𝑖 (mod 𝑝 − 1), 𝑥 ≡ 𝑔𝑖 (mod 𝑝) modulo 𝑝(𝑝 − 1), 𝑖 = 1, 2, . . . , 𝑝 − 1.
5. We can take a Sidon set 𝑆 1 between 1 and 𝑛1 having about √𝑛1 elements by The-
orem 12.2.1. Let 𝑛2 be much larger than 𝑛1 . We leave the interval (𝑛1 , 𝑛1 + 𝑛2 ]
empty, choose a Sidon set in the interval (𝑛1 + 𝑛2 , 𝑛1 + 2𝑛2 ] of about √𝑛2 elements,
delete (at least one member of) those pairs whose difference is less than < 𝑛1 , and
denote the remaining set by 𝑆 2 . By the Sidon property, we deleted fewer than 2𝑛1
elements. Therefore we selected about √𝑛2 + √𝑛1 − 2𝑛1 ≈ √𝑛2 elements up to
𝑛1 +2𝑛2 . Verify that 𝑆 1 ∪𝑆 2 is a Sidon set. Choose an 𝑛3 much bigger than 𝑛1 +2𝑛2 ,
place a Sidon set of size about √𝑛3 between 𝑛1 + 2𝑛2 + 𝑛3 and 𝑛1 + 2𝑛2 + 2𝑛3 , delete
the elements with differences less than 𝑛1 + 2𝑛2 , etc. Continuing the procedure we
obtain an infinite Sidon set meeting the requirements.
6. (a) Generalize the method of Exercise 12.2.3 to the field of 𝑝ℎ elements.
(b) The ℎ-fold sums are all distinct and fall between 1 and 𝑛ℎ.
7. It is sufficient to prove that every positive integer has a unique representation as
𝑎𝑖 −𝑎𝑗 with 𝑖 > 𝑗. We always define two new elements of the sequence. They should
be big enough to avoid that their differences with previously constructed elements
should coincide with differences of two previously constructed elements, and the
difference of these two elements should be the smallest positive integer that has
not yet appeared as a difference of two elements.
8. Let 𝐴 and 𝐵 consist of the numbers which have 0 digits at every odd or even place
in their binary representation counted backwards.
12.3. 525

12.3.

1. (a) Let 𝐴 = {𝑎1 < 𝑎2 < ⋯ < 𝑎𝑘 }. Then 𝑎1 + 𝑎1 < 𝑎1 + 𝑎2 < 𝑎2 + 𝑎2 < 𝑎2 + 𝑎3 <
⋯ < 𝑎𝑘 + 𝑎𝑘 are 2𝑘 − 1 distinct sums. If |𝐴 + 𝐴| = 2𝑘 − 1, then every 𝑎𝑖 + 𝑎𝑗 ,
thus 𝑎𝑖 + 𝑎𝑖+2 is among the above sums, and comparing magnitudes yields
that it can only equal 𝑎𝑖+1 + 𝑎𝑖+1 , so 𝑎𝑖+1 = (𝑎𝑖 + 𝑎𝑖+2 )/2.
(b) If 𝐴 = {𝑎1 < 𝑎2 < ⋯ < 𝑎𝑘 }, 𝐵 = {𝑏1 < 𝑏2 < ⋯ < 𝑏𝑟 }, and 𝑘 ≥ 𝑟, then
𝑎1 +𝑏1 < 𝑎1 +𝑏2 < 𝑎2 +𝑏2 < 𝑎2 +𝑏3 < ⋯ < 𝑎𝑟 +𝑏𝑟 < 𝑎𝑟+1 +𝑏𝑟 < ⋯ < 𝑎𝑘 +𝑏𝑟
are 𝑘 + 𝑟 − 1 distinct sums. In the case of equality, every other 𝑎𝑖 + 𝑏𝑗 coincides
with one of the above sums. By estimating magnitudes, we can easily identify
the sums 𝑎2 +𝑏1 , 𝑎1 +𝑏3 , 𝑎3 +𝑏2 , etc. We obtain that 𝐵 and the first 𝑟 elements
of 𝐴 form arithmetic progressions with the same difference. We can extend
this to any consecutive 𝑟 elements of 𝐴 by modifying the initial sequence of
𝑘 + 𝑟 − 1 sums suitably.
(c) Prove by induction on 𝑡.
2. Delete from 𝐵 all non-zero elements that are not coprime to 𝑚, and follow the first
proof of Theorem 12.3.1. To show that the estimate is sharp, consider e.g. 𝑚 = 𝑝2 ,
𝐴 = {0, 𝑝, 2𝑝, . . . , (𝑝 − 1)𝑝}, and 𝐵 = {0, 𝑝, 2𝑝, . . . , 1, 𝑝 + 1, 2𝑝 + 1, . . . , (𝑝 − 1)𝑝 + 1}.
3. (a) Follow the first proof of Theorem 12.3.1. We have to use the condition when
showing the impossibility of 𝐴 + 𝑏 = 𝐴 for 𝑏 ≠ 0.
(b) We have equality e.g. for 𝐴 = {0, 1, . . . , 𝑘 − 1} and 𝐵 = {0, 1, . . . , 𝑟 − 1} (where
𝑘 + 𝑟 ≤ 𝑚 + 1).
(c) The same proof applies also for the general case.
̂ and
4. We can argue as in the second proof of Theorem 12.3.1: let 𝐴 = 𝐵, 𝐶 = 𝐴+𝐴,
𝑓1 (𝑥, 𝑦) = (𝑥 + 𝑦)𝑚 (𝑥 − 𝑦)2 ∏(𝑥 + 𝑦 − 𝑐),
𝑐∈𝐶

where 𝑚 + |𝐶| = 2𝑘 − 4.
5. (a) As in the second proof of Theorem 12.3.1, reduce the terms 𝑥𝑖 𝑦𝑗 where 𝑖 ≥ 𝑘
or 𝑗 ≥ 𝑟, and apply Lemma 12.3.2.
(b) Let |𝐴𝑖 | = 𝑘𝑖 , 𝑖 = 1, . . . , 𝑛, and let 𝐺(𝑥1 , . . . , 𝑥𝑛 ) be a polynomial over 𝐹 in 𝑛
𝑛
variables and of degree ∑𝑖=1 (𝑘𝑖 − 1). Assume that the coefficient of the term
𝑛 𝑘 −1
∏𝑖=1 𝑥𝑖 𝑖 is not zero. Then 𝐺(𝑎1 , . . . , 𝑎𝑛 ) ≠ 0 for some 𝑎𝑖 ∈ 𝐴𝑖 , 𝑖 = 1, . . . , 𝑛.
6. If 𝐶 = 𝐷 = 𝐙𝑝 , then 𝑐 = 𝑑 works since 2𝑢 = 2𝑣 in 𝐙𝑝 implies 𝑢 = 𝑣 as 𝑝 is odd. If
|𝐶| = |𝐷| = 𝑛 < 𝑝, then apply Exercise 12.3.5b for 𝐴1 = ⋯ = 𝐴𝑛 = 𝐷 and
𝐺(𝑥1 , . . . , 𝑥𝑛 ) = ∏ (𝑥𝑖 − 𝑥𝑗 )(𝑥𝑖 + 𝑐 𝑖 − 𝑥𝑗 − 𝑐𝑗 ).
1≤𝑗<𝑖≤𝑛

7. Let 𝑝 be a prime and 𝐴𝑖 ⊆ 𝐙𝑝 , 𝑖 = 1, . . . , 𝑛. Then

|𝐴1 + ⋯ + 𝐴𝑛 | ≥ min(𝑝, |𝐴1 | + ⋯ + |𝐴𝑛 | + 1 − 𝑛).
This follows from Theorem 12.3.1 by induction on 𝑛.
526 Answers and Hints

8. (a) We have to show that among any 2𝑛 − 1 integers, there exist 𝑛 such that their
sum is a multiple of 𝑛. As seen in Exercise 3.6.6, it is sufficient to prove this
when 𝑛 is a prime 𝑝. We can assume 0 ≤ 𝑎1 ≤ 𝑎2 ≤ . . . ≤ 𝑎2𝑝−1 ≤ 𝑝 − 1.
If there are 𝑝 equal numbers 𝑎𝑖 , then their sum is divisible by 𝑝. Otherwise,
switching to 𝐙𝑝 , let 𝐴𝑖 = {𝑎𝑖 , 𝑎𝑖+𝑝−1 }, 𝑖 = 1, . . . , 𝑝 − 1, then |𝐴𝑖 | = 2. By
Exercise 12.3.7, |𝐴1 + ⋯ + 𝐴𝑝−1 | = 𝑝, so every element in 𝐙𝑝 , thus 𝑎2𝑝−1 , can
be written as 𝑎(1) + ⋯ + 𝑎(𝑝−1) , where 𝑎(𝑖) ∈ 𝐴𝑖 , so 𝑎(1) + ⋯ + 𝑎(𝑝−1) + 𝑎2𝑝−1
is a multiple of 𝑝.
(b) The midpoint of lattice points 𝑃 and 𝑄 is a lattice point if and only if both
the first and second coordinates of 𝑃 and 𝑄 have the same parity. By the pi-
geonhole principle, among any five lattice points there must be two with this
property.
(c) Take 𝑛−1 lattice points of each type where the coordinates modulo 𝑛 are (0, 0),
(0, 1), (1, 0), and (1, 1). We cannot select 𝑛 out of these 4𝑛 − 4 lattice points so
that the averages of both the first and second coordinates are integers.
(d) (i) The lower bound can be verified by generalizing the construction in (c).
The upper bound follows from the pigeonhole principle since among that
many lattice points there are always 𝑛 such that considering any coordinate
they are congruent modulo 𝑛. (ii) Argue similarly as we showed in Exer-
cise 3.6.6 that if the statement there is valid for two integers, then it is true
also for their product.
9. Let |𝐴| = 𝑘, 𝑐 a quadratic non-residue mod 𝑝, and consider the 𝑘2 sums 𝑎𝑖 + 𝑐𝑎𝑗 .
If 𝑘2 > 𝑝, then two sums must be equal, which yields 𝑎𝑖 − 𝑎𝑟 = 𝑐(𝑎𝑠 − 𝑎𝑗 ). Then
(exactly) one of 𝑎𝑖 − 𝑎𝑟 and 𝑎𝑠 − 𝑎𝑗 is a quadratic residue mod 𝑝.
10. Generalize the observations before Theorem 12.3.3.

12.4.

1. The last three equalities are obvious, and we have proved 𝑅(3, 2) ≤ 6. Thus we have
to show that we can color the edges of a complete graph of five vertices with two
colors so that no monochromatic triangle arises. Coloring the sides and diagonals
of a pentagon red and blue, resp., meets this requirement.
2. In part I of the proof of Theorem 12.4.1 we verified
(A.12.1) 𝑅(3, 𝑡) ≤ 𝑡(𝑅(3, 𝑡 − 1) − 1) + 2.
This implies 𝑅(3, 𝑡) ≤ 𝑡𝑅(3, 𝑡 − 1), and we get (a) by induction. We can prove also
the sharper statement (b) by induction if we use (A.12.1) and
1 1 1
⌈𝑒𝑡! ⌉ = 𝑡! (1 + + + ⋯ + ) + 1
1! 2! 𝑡!
obtained from the infinite series expansion of 𝑒.
3. (a) Combine 𝑆(𝑡) < 𝑅(3, 𝑡) (see the proof of Theorem 12.4.2) and part (b) in the
previous exercise.
12.4. 527

(b) Take a bad coloring of the integers 1, 2, . . . , 𝑛 = 𝑆(𝑡) with 𝑡 colors, one where
the equation 𝑥 + 𝑦 = 𝑧 has no monochromatic solution, color each of the
numbers 𝑛 + 1, . . . , 2𝑛 + 1 with the (𝑡 + 1)st color and repeat the coloring of
the first 𝑛 numbers for 2𝑛 + 2, . . . , 3𝑛 + 1 (i.e. 2𝑛 + 1 + 𝑖 has the same color as
𝑖). Show that this is a bad coloring of the integers 1, 2, . . . , 3𝑛 + 1 with 𝑡 + 1
colors.
(c) Prove by induction using part (b).
(d) We generalize the construction in (b). Let 𝜈 be a bad coloring of 1, . . . , 𝑛 = 𝑆(𝑡)
with 𝑡 colors, and 𝜚 a bad coloring of 1, . . . , 𝑟 = 𝑆(𝑣) with 𝑣 other colors. Then
we can obtain a bad coloring of 1 ≤ 𝑚 ≤ 2𝑛𝑟 + 𝑛 + 𝑟 with 𝑡 + 𝑣 colors: Write
𝑚 as 𝑚 = 𝑖(2𝑛 + 1) + 𝑗, where 1 ≤ 𝑗 ≤ 2𝑛 + 1, and let the color of 𝑚 be 𝜈(𝑗) or
𝜚(𝑖) according as 1 ≤ 𝑗 ≤ 𝑛 or 𝑛 + 1 ≤ 𝑗 ≤ 2𝑛 + 1 (i.e. we repeat the coloring
of 1, 2, . . . , 𝑛 defined by 𝜈 in the first halves of the intervals of length 2𝑛 + 1,
and the elements in the second halves of the intervals uniformly get the color
of the serial number of the interval in the coloring of 1, 2, . . . , 𝑟 defined by 𝜚).
4. 5𝑛 − 1.
5. Apply the proof of Theorem 12.4.2 with 𝑅(4, 𝑡) instead of 𝑅(3, 𝑡).
6. If 𝐵 𝑡 + 𝐶 𝑡 ≡ 𝐷𝑡 (mod 𝑝) for some 𝐵𝐶𝐷 ≢ 0 (mod 𝑝) and 𝐶𝐹 ≡ 1 (mod 𝑝), then
(𝐵𝐹)𝑡 + 1 ≡ (𝐷𝐹)𝑡 (mod 𝑝).
7. (a) Use longer and longer red and blue intervals.
(b) We order all arithmetic progressions into one sequence and color an element
blue in each progression one after the other so that the next blue number is at
least the double of the previous one. A more concrete construction: Just the
integers 𝑛! +𝑛 are blue. Then every arithmetic progression 𝑎 + 𝑚𝑑, 𝑚 = 1, 2,
. . . contains a blue number since for 𝑛 = 𝑎 + 𝑑 we have (𝑎 + 𝑑)! +𝑎 + 𝑑 ≡ 𝑎
(mod 𝑑). Therefore there result no infinite red arithmetic progressions, and
as the blue numbers grow very quickly, they cannot even form a three-term
arithmetic progression.
8. If 𝑚 = 𝑤(𝑘, 𝑡) + 1, then we get a 𝑘-term monochromatic arithmetic progression
(𝑘-MCAP) less than 𝑚. Consider the integers 𝑚, 2𝑚, . . . , (𝑚 − 1)𝑚 and apply
Theorem 12.4.4A again (in fact, we color the multipliers of 𝑚). Then we get a new
𝑘-MCAP of multiples of 𝑚 not exceeding (𝑚 − 1)𝑚, etc. Among these infinitely
many 𝑘-MCAP there are infinitely many of the same color since the number of
colors is finite.
9. Apply Van der Waerden’s Theorem for the exponents of powers of two.
10. RRBBRRBB shows that eight numbers do not suffice. To prove the sufficiency of
nine numbers, we must distinguish a few cases. It is worthwhile to rely on symme-
try (of numbers and colors): we may assume that 5 is red, 1 is blue, and 9 is either
red, or blue, then we consider the colors of 3 and 7, etc.
11. (a) There are 2𝑛 colorings of 1, 2, . . . , 𝑛 with two colors. We estimate the number
of colorings containing a 𝑘-term monochromatic arithmetic progression (𝑘-
MCAP). Counting by the first terms and differences, there are at most
528 Answers and Hints

𝑛2 /2(𝑘 − 1) such 𝑘-term arithmetic progressions, each can have two colors,
and we can color the other numbers in 2𝑛−𝑘 ways. Therefore, altogether at
most 𝑛2 2𝑛−𝑘 /(𝑘 − 1) colorings may contain a 𝑘-MCAP (we counted some
bad colorings several times, of course). Thus, if 𝑛2 2𝑛−𝑘 /(𝑘 − 1) < 2𝑛 , so
𝑛 < 2𝑘/2 √𝑘 − 1, then there must be a coloring without a 𝑘-MCAP.
(b) Consider a finite field 𝐹 with 2𝑝 elements, let Δ be a generator of its multi-
plicative group, and 𝑊 a (𝑝 − 1)-dimensional subspace in 𝐹 (considered as a
vector space over 𝐙2 ). We color 𝑘 red if and only if Δ𝑘 ∈ 𝑊. In this coloring
of 1, 2, . . . , 𝑝(2𝑝 − 1), there is no 𝑝 + 1-MCAP.
12. We use the number system with base 𝑑 where we shall specify 𝑑 later. Consider
those positive integers up to 𝑛 where every digit is less than 𝑑/2 and the sum of
the squares of digits is a given 𝑞. Show that such a set contains no three-term
arithmetic progression, and we can choose 𝑞 and 𝑑 so that the set should be as
large as required in the exercise.

12.5.

1. A residue class 𝑎𝑖 (mod 𝑚𝑖 ) contains 𝑀/𝑚𝑖 numbers from 1, 2, . . . , 𝑀 = [𝑚1 , . . . , 𝑚𝑘 ],

𝑘
and as every integer is contained in at least one residue class, we have ∑𝑖=1 𝑀/𝑚𝑖 ≥
𝑀.
2. The old residue class is a subset of the new one.
3. Let 𝑚𝑖 be arbitrary and let 𝐿 denote the least common multiple of the other moduli
𝑚𝑗 . By the condition, there is an integer 𝑐 contained in none of the residue classes
with 𝑗 ≠ 𝑖. Then this holds for 𝑐 + 𝐿, too. Therefore, both integers must be in the
residue class 𝑎𝑖 (mod 𝑚𝑖 ), so 𝑐 ≡ 𝑐 + 𝐿 (mod 𝑚𝑖 ) and 𝑚𝑖 ∣ 𝐿.
4. Rely on the previous three exercises.
5. For example, choose the divisors of 120 greater than 2 as moduli.
6. (a) Proceed similarly as in Exercise 12.5.1.
(b) It follows from either proof of Theorem 12.5.1.
(c) Let 𝑚𝑖 = 2𝑖 for 1 ≤ 𝑖 ≤ 𝑘 − 1 (and 𝑚𝑘 = 𝑚𝑘−1 ).
7. For example, the even multiples of 3 have no such representation except for the
numbers of the form 3𝑛 + 3. If we also consider 1 as a power of 3, then we have to
exclude the numbers of the form 1 + 𝑝, where 𝑝 is a prime (of the form 6𝑘 − 1),
but there still remain infinitely many non-representable numbers (as the primes
occur rarely). We can proceed similarly in the general case replacing 3 by 𝑎 and
𝑏/2. (This shows that 𝑏 = 2 was the only difficult case, see Theorem 12.5.2.)
12.6. 529

12.6.

1. The precise formulation: Decompose the set of non-negative integers into the dis-
joint union of two arbitrary infinite subsets 𝐼 and 𝐽, and write an integer 𝑛 > 0
𝑉
in the number system with base 𝑐: 𝑛 = ∑𝑣=0 𝛾𝑣 𝑐𝑣 , 0 ≤ 𝛾𝑣 < 𝑐. Let 𝐴 = { 𝑛 ∣
𝛾 𝑖 = 0 for 𝑖 ∈ 𝐼 } and 𝐵 = { 𝑛 ∣ 𝛾𝑗 = 0 for 𝑗 ∈ 𝐽 }. These are complements as ev-
ery positive integer has a representation in the number system with base 𝑐. Every
such construction satisfies lim inf𝑛→∞ 𝐴(𝑛)𝐵(𝑛)/𝑛 = 1 (but we can easily check
lim sup𝑛→∞ 𝐴(𝑛)𝐵(𝑛)/𝑛 > 1).
2. No, this follows from Theorem 12.5.2.
3. (a) Necessary and sufficient. (b) Sufficient, but not necessary, see e.g. the red set
in Exercise 12.4.7b. (c) Necessary, but not sufficient. (d) Neither necessary, nor
sufficient.
4. We can proceed as in the proof of Theorem 12.6.1. Since 𝑎𝑡 ≡ 𝑡 (mod 2𝑖 3𝑗 ) for
𝑖, 𝑗 ≤ 𝑡, the numbers 𝑎𝑘−𝑠 for log6 𝑘 + 1 ≤ 𝑠 ≤ log6 𝑘 + 𝑑𝑘 form a complete residue
system mod 𝑑𝑘 = 2𝑖 3𝑗 if 𝑑𝑘 < 𝑘 − 5 log6 𝑘. We can guarantee the conditions 𝑑𝑘 ∼ 𝑘
and 𝑑𝑘 ≤ 𝑑𝑘+1 (needed to estimate the number of elements), since if we order the
integer 2𝑖 3𝑗 into an increasing sequence, then the quotient of consecutive elements
tends to 1 because the fractional parts of the values log2 (2𝑖 3𝑗 ) are dense in [0, 1] by
Theorem 8.4.1.
If 𝑎𝑘 ≤ 𝑛 < 𝑎𝑘+1 , then 𝑛 = 𝑎𝑘−𝑠 + 𝑟𝑑𝑘 , where 6𝑘 (1 − 1/𝑘) < 𝑟𝑑𝑘 < 6𝑘+1 . Thus,
choosing these values 𝑟𝑑𝑘 into 𝐵, we get a complement of 𝐴. Here 𝐴(𝑛) = 𝑘. Con-
cerning 𝐵(𝑛), we have to find a good estimate for the number of integers 𝑟𝑑𝑗 satis-
fying 𝑘 ≥ 𝑗 ≥ 𝑣 = ⌊𝑘 − 2 log6 𝑘⌋, and use the common denominator 𝑑𝑣 . There are
at most 6𝑣 terms belonging to 𝑗 < 𝑣.
5. Now 𝐴(𝑛) = 𝜋(𝑛) ∼ 𝑛/ log 𝑛, so
𝑛 2 𝑛 2
log 𝑛 log 𝑥 10(log 𝑛)3
𝑆(𝑛) <∼ 10 ∑ ∼ 10 ∫ 𝑑𝑥 ∼ .
𝑖=2
𝑛 2
𝑥 3

6. Apply Theorem 12.6.4. Since (log 𝐴(𝑖))/𝐴(𝑖) → 0, for any 𝜀 > 0 there is an 𝑖0 such
that (log 𝐴(𝑖))/𝐴(𝑖) < 𝜀/20 for 𝑖 ≥ 𝑖0 . Then
𝑛 𝑛
log 𝐴(𝑖) log 𝐴(𝑖) 10𝑛𝜀
𝐵(𝑛) < 10 ∑ < 𝐶 + 10 ∑ <𝐶+ < 𝜀𝑛.
𝑖=𝑎1
𝐴(𝑖) 𝑖=𝑖
𝐴(𝑖) 20
0
Historical Notes

Continuing the historical comments in the text, we give the birth and death dates, na-
tionalities, and some results in number theory for those mathematicians from the past
whose names occurred in the book. This short summary is very subjective for two
reasons. First, it contains only mathematicians who played an important role in the
branches of number theory discussed in this book. Many great practitioners of num-
ber theory are missing. Second, what we mention or praise are not necessarily the most
important results of the mathematicians listed and we say nothing about their activ-
ities in other branches of mathematics. Thus, the summary below is by no means a
valuation of the mathematicians appearing in it, it is just a small supplement adding
some historical background to the number theory material discussed in the book.
Chebyshev, Pafnuti Lvovich, 1821–1894, Russian. He was the first to prove that
there is always a prime between (2 ≤)𝑛 and 2𝑛, and he determined the order of mag-
nitude of the number of primes up to 𝑥. His famous inequality plays an important
role in probability theory and is connected to Turán’s proof of the Hardy–Ramanujan
Theorem, which became a starting point of probabilistic number theory.

Chevalley, Claude, 1909–1984, French. He achieved important results in algebraic

number theory.

Dedekind, Richard, 1831–1916, German. He developed the notion of ideals intro-

duced by Kummer as a basic tool of investigating rings both from algebraic and number
theoretic aspects.

Diophantus of Alexandria, lived around 250 CE, Greek. His name is preserved in
algebraic equations with (generally) integer coefficients when also the solutions are
required to be integers (or occasionally, rational numbers), and also in Diophantine
approximation, which plays an important role in the theory of Diophantine equations.

531
532 Historical Notes

Dirichlet, Peter Lejeune, 1805–1859, German. He applied analytic methods in num-

ber theory effectively. He proved that if the first term and the difference of an arith-
metic progression are coprime, then the progression contains infinitely many primes.
Dirichlet series are important tools in the theory of arithmetic functions.

Eratosthenes, 276?–194? BCE, Greek. His name is preserved in a sieve method for
finding primes.

Erdős, Paul, 1913–1996, Hungarian. One of the most influential mathematicians of

the twentieth century, “traveling ambassador of mathematics, great master of problem
solving, and uncrowned monarch of problem posing”, as characterized by Ernst Straus
who was a close coworker of both Erdős and Einstein(!). He became internationally
known at the age of 18 with his simple proof of Chebyshev’s theorem. He initiated,
among other things, the probabilistic constructions, the characterization of arithmetic
functions, and several topics in combinatorial number theory.

Euclid, lived around 300 BCE, Greek. Mathematicians were educated using his mon-
umental work Elements for more than two thousand years. It contains thirteen books,
three of which deal with number theory and contain the formula for even perfect num-
bers and the proof of the infinitude of primes. We still use the Euclidean algorithm to
find the greatest common divisor of large integers.

Euler, Leonhard, 1707–1783, Swiss. Encyclopedist of great format, champion of ana-

lytic methods. In number theory, he introduced the function 𝜑, discovered the Euler–
Fermat Theorem as a generalization of Fermat’s Little Theorem, elaborated the theory
of quadratic congruences, solved the case for cubes of Fermat’s Last Theorem, proved
the divergence of the sum of reciprocals of primes, and achieved important results for
partitions.

Fermat, Pierre, 1601–1665, French. Founder of modern number theory (though his
official profession was in law). His famous Last Theorem remained a conjecture for
more than 350 years, during which the attempts to prove it enriched mathematics with
many effective, new methods. Andrew Wiles proved Fermat’s Last Theorem in 1994.
Fermat’s Little Theorem and its generalization by Euler are fundamental in the theory
of congruences. Fermat primes are related to the Euclidean constructibility of regu-
lar polygons. Fermat discovered which numbers can be represented as sums of two
squares and showed that Pell’s equation has infinitely many solutions.

Gauss, Carl Friedrich, 1777–1855, German. Perhaps the greatest and most versa-
tile mathematician of all times. He was just 15 when he conjectured (but could not
prove) the Prime Number Theorem. He published his book Disquisitiones Arithmeticae
in 1801 containing among other things the detailed theory of quadratic congruences.
Gauss introduced the standard notation for congruences and the Gaussian integers,
which served later as a base to the theory of algebraic number fields. He proved the
Three Squares Theorem and the criterion for constructibility of regular polygons.
Historical Notes 533

Gelfond, Alexander Osipovich, 1906–1968, Russian. He and Schneider verified (at

the same time, but independently) Hilbert’s conjecture stating that an algebraic num-
ber (different from 0 and 1) raised to an irrational algebraic exponent is always tran-
scendental.

Goldbach, Christian, 1690–1764, German. The famous Goldbach conjecture appears

in one of his letters to Euler.

Hadamard, Jacques, 1865–1963, French. He and de la Vallée Poussin proved first (at
the same time, but independently) the Prime Number Theorem.

Hardy, Geoffrey, 1877–1947, English. He achieved significant results in the theory of

primes and in additive number theory. He discovered and helped Ramanujan.

Hermite, Charles, 1822–1901, French. He was the first to prove the transcendence of
𝑒 in 1873.

Hilbert, David, 1862–1943, German. In his famous talk at the mathematical congress
in Paris in 1900, he sketched 23 problems of fundamental importance which exerted
a great influence on twentieth century mathematics. Several Hilbert problems are re-
lated to number theory. Hilbert was the first to prove the existence of 𝑔(𝑘) in Waring’s
problem.

Jacobi, Carl, 1804–1851, German. The Jacobi symbol obtained as a generalization of

Legendre symbol bears his name.

Kalmár, László, 1905–1976, Hungarian. His main area of research was mathematical
logic. In number theory, he and Erdős gave a simple proof for the upper bound on the
number of primes up to 𝑥.

Kőnig, Gyula, 1849–1913, Hungarian. His main area was set theory. In number the-
ory, he was the coauthor of the Kőnig–Rados theorem about the solvability and number
of solutions of congruences of higher degree modulo a prime.

Kronecker, Leopold, 1823–1891, German. He achieved important results about ideals

of algebraic number fields.

Kummer, Ernst, 1810–1893, German. By introducing ideals, he made significant

progress on Fermat’s Last Theorem.

Lagrange, Joseph Louis, 1736–1813, French. His proof of the Four Squares Theorem
was a nice contribution to number theory.

Lamé, Gabriel, 1795–1870, French. A good mathematician, but remembered mostly

for his erroneous proof to Fermat’s Last Theorem.

Legendre, Adrien-Marie, 1752–1833, French. We find his name in the Legendre

symbol and in Legendre’s formula for the standard form of 𝑛!.
534 Historical Notes

Lindemann, Ferdinand, 1852–1939, German. He proved in 1882 the transcendence

of 𝜋 settling thus the 2000-year-old problem of (the impossibility of) squaring the circle
(with Euclidean constructions).

Liouville, Joseph, 1809–1882, French. He was the first to construct a transcendental

number. He rendered a great service to mathematics by analyzing the mathematical
legacy of Galois who sketchily wrote his ideas in the last night before he was killed in
a duel at age 21. Liouville recognized and disseminated Galois’ revolutionary discov-
eries.

Lucas, Edouard, 1842–1891, French. He elaborated an efficient procedure to test

Mersenne numbers. Its improved version by Lehmer is used today in computer search-
es for large Mersenne primes.

Mersenne, Marin, 1588–1648, French. An excellent organizer who corresponded in-

tensively with Fermat, Descartes, and several other leading mathematicians of the era.
He was interested in the primes bearing his name mainly because of their connection
to perfect numbers. His list of them contains surprisingly few errors (we had to wait
more than 200 years for the mathematical and technical tools necessary to check it).

Minkowski, Hermann, 1864–1909, German. Founder of the geometry of numbers

with his famous theorem about lattice points.

Möbius, Ferdinand, 1790–1868, German. The function 𝜇 introduced by him plays

an important role for arithmetic functions and primes (and the Möbius strip occurs to
most people hearing his name).

Poussin, Charles de la Vallée, 1866–1962, Belgian. He and Hadamard verified first

(at the same time, but independently) the Prime Number Theorem.

Rados, Gusztáv, 1862–1942, Hungarian. In number theory, he was the coauthor of the
Kőnig–Rados theorem about the solvability and number of solutions of congruences of
higher degree modulo a prime.

Ramanujan, Srinivasa, 1887–1920, Indian. An uneducated mathematical genius

who did not explain his results with the usual steps of mathematical reasoning. Hardy
helped him to develop his intuitive mental gift at Cambridge University in England.
His diaries are still sources for new research.

Ramsey, Frank Plumpton, 1903–1930, English. During his short life, he was equally
excellent as economist, philosopher, and mathematician. He discovered his famous
theorem in graph theory while investigating mathematical logic.

Rényi, Alfréd, 1921–1970, Hungarian. A leading mathematician in probability theory,

founder and first director of the Mathematical Research Institute of the Hungarian
Academy of Sciences that now bears his name. In number theory, he found important
new results related to Goldbach’s conjecture.

Riemann, Bernhard, 1826–1866, German. He sketched the principles leading to the

Prime Number Theorem, which was proved using his ideas by Hadamard and de la
Historical Notes 535

Vallée Poussin independently in 1896. Improving Euler’s ideas, Riemann pointed out
the central significance of the zeta function (that bears his name) in examining the
distribution of primes. The celebrated Riemann Hypothesis about this function is still
unsolved.
Schneider, Theodor, 1911–1988, German. He and Gelfond solved (at the same time,
but independently) Hilbert’s problem about the powers of algebraic numbers with an
irrational algebraic exponent.
Schur, Issai, 1875–1941, German (forced to emigrate by the Nazis being a Jew). His
famous theorem states that coloring a sufficiently large initial segment of the natural
numbers using finitely many colors, the equation 𝑥 + 𝑦 = 𝑧 has a monochromatic
solution.
Schnirelmann, Lev Demidovich, 1905–1938, Russian. Introducing a special notion
for density, he achieved significant results about Goldbach’s conjecture.
Thue, Axel, 1863–1922, Norwegian. He has important achievements in Diophantine
approximation and in the theory of Diophantine equations.
Turán, Paul, 1910–1976, Hungarian. He gave a simple proof of the Hardy–Ramanujan
theorem which argument became a starting point for applications of probability theory
to number theory. He achieved outstanding results in analytic number theory and for
partitions.
Vinogradov, Ivan Matveyevich, 1891–1975, Russian. He proved a slightly weaker
version of the odd Goldbach conjecture that every sufficiently large odd integer is the
sum of three primes. He improved significantly the previous upper bounds on 𝐺(𝑘) in
Waring’s problem.
Waerden, Bartel Leendert van der, 1903–1996, Dutch. He proved that coloring the
natural numbers using finitely many colors there always arise arbitrarily long (finite)
monochromatic arithmetic progressions.
Waring, Edward, 1736–1798, English. He initiated the investigation of representing
integers as sums of 𝑘th powers. This area is called today Waring’s problem.
Wilson, John, 1741–1793, English. His name appears in the theorem about the
residue modulo 𝑝 of (𝑝 − 1)!.
Tables

537
538 Tables

Primes 2–1733
2 127 283 467 661 877 1087 1297 1523
3 131 293 479 673 881 1091 1301 1531
5 137 307 487 677 883 1093 1303 1543
7 139 311 491 683 887 1097 1307 1549
11 149 313 499 691 907 1103 1319 1553
13 151 317 503 701 911 1109 1321 1559
17 157 331 509 709 919 1117 1327 1567
19 163 337 521 719 929 1123 1361 1571
23 167 347 523 727 937 1129 1367 1579
29 173 349 541 733 941 1151 1373 1583

31 179 353 547 739 947 1153 1381 1597

37 181 359 557 743 953 1163 1399 1601
41 191 367 563 751 967 1171 1409 1607
43 193 373 569 757 971 1181 1423 1609
47 197 379 571 761 977 1187 1427 1613
53 199 383 577 769 983 1193 1429 1619
59 211 389 587 773 991 1201 1433 1621
61 223 397 593 787 997 1213 1439 1627
67 227 401 599 797 1009 1217 1447 1637
71 229 409 601 809 1013 1223 1451 1657

73 233 419 607 811 1019 1229 1453 1663

79 239 421 613 821 1021 1231 1459 1667
83 241 431 617 823 1031 1237 1471 1669
89 251 433 619 827 1033 1249 1481 1693
97 257 439 631 829 1039 1259 1483 1697
101 263 443 641 839 1049 1277 1487 1699
103 269 449 643 853 1051 1279 1489 1709
107 271 457 647 857 1061 1283 1493 1721
109 277 461 653 859 1063 1289 1499 1723
113 281 463 659 863 1069 1291 1511 1733
Primes 1741–3907 539

Primes 1741–3907
1741 1993 2221 2437 2689 2909 3187 3433 3659
1747 1997 2237 2441 2693 2917 3191 3449 3671
1753 1999 2239 2447 2699 2927 3203 3457 3673
1759 2003 2243 2459 2707 2939 3209 3461 3677
1777 2011 2251 2467 2711 2953 3217 3463 3691
1783 2017 2267 2473 2713 2957 3221 3467 3697
1787 2027 2269 2477 2719 2963 3229 3469 3701
1789 2029 2273 2503 2729 2969 3251 3491 3709
1801 2039 2281 2521 2731 2971 3253 3499 3719
1811 2053 2287 2531 2741 2999 3257 3511 3727

1823 2063 2293 2539 2749 3001 3259 3517 3733

1831 2069 2297 2543 2753 3011 3271 3527 3739
1847 2081 2309 2549 2767 3019 3299 3529 3761
1861 2083 2311 2551 2777 3023 3301 3533 3767
1867 2087 2333 2557 2789 3037 3307 3539 3769
1871 2089 2339 2579 2791 3041 3313 3541 3779
1873 2099 2341 2591 2797 3049 3319 3547 3793
1877 2111 2347 2593 2801 3061 3323 3557 3797
1879 2113 2351 2609 2803 3067 3329 3559 3803
1889 2129 2357 2617 2819 3079 3331 3571 3821

1901 2131 2371 2621 2833 3083 3343 3581 3823

1907 2137 2377 2633 2837 3089 3347 3583 3833
1913 2141 2381 2647 2843 3109 3359 3593 3847
1931 2143 2383 2657 2851 3119 3361 3607 3851
1933 2153 2389 2659 2857 3121 3371 3613 3853
1949 2161 2393 2663 2861 3137 3373 3617 3863
1951 2179 2399 2671 2879 3163 3389 3623 3877
1973 2203 2411 2677 2887 3167 3391 3631 3881
1979 2207 2417 2683 2897 3169 3407 3637 3889
1987 2213 2423 2687 2903 3181 3413 3643 3907
540 Tables

Prime Factorization
The table below contains the prime factorization of integers less than 1100 and not
divisible by 2, or 3, or 5.

49 = 72 377 = 13 ⋅ 29 637 = 72 ⋅ 13 871 = 13 ⋅ 67

77 = 7 ⋅ 11 391 = 17 ⋅ 23 649 = 11 ⋅ 59 889 = 7 ⋅ 127
91 = 7 ⋅ 13 403 = 13 ⋅ 31 667 = 23 ⋅ 29 893 = 19 ⋅ 47
119 = 7 ⋅ 17 407 = 11 ⋅ 37 671 = 11 ⋅ 61 899 = 29 ⋅ 31
2
121 = 11 413 = 7 ⋅ 59 679 = 7 ⋅ 97 901 = 17 ⋅ 53
133 = 7 ⋅ 19 427 = 7 ⋅ 61 689 = 13 ⋅ 53 913 = 11 ⋅ 83
143 = 11 ⋅ 13 437 = 19 ⋅ 23 697 = 17 ⋅ 41 917 = 7 ⋅ 131
161 = 7 ⋅ 23 451 = 11 ⋅ 41 703 = 19 ⋅ 37 923 = 13 ⋅ 71
2
169 = 13 469 = 7 ⋅ 67 707 = 7 ⋅ 101 931 = 72 ⋅ 19
187 = 11 ⋅ 17 473 = 11 ⋅ 43 713 = 23 ⋅ 31 943 = 23 ⋅ 41
203 = 7 ⋅ 29 481 = 13 ⋅ 37 721 = 7 ⋅ 103 949 = 13 ⋅ 73
209 = 11 ⋅ 19 493 = 17 ⋅ 29 731 = 17 ⋅ 43 959 = 7 ⋅ 137
217 = 7 ⋅ 31 497 = 7 ⋅ 71 737 = 11 ⋅ 67 961 = 312
221 = 13 ⋅ 17 511 = 7 ⋅ 73 749 = 7 ⋅ 107 973 = 7 ⋅ 139
247 = 13 ⋅ 19 517 = 11 ⋅ 47 763 = 7 ⋅ 109 979 = 11 ⋅ 89
253 = 11 ⋅ 23 527 = 17 ⋅ 31 767 = 13 ⋅ 59 989 = 23 ⋅ 43
2
259 = 7 ⋅ 37 529 = 23 779 = 19 ⋅ 41 1001 = 7 ⋅ 11 ⋅ 13
287 = 7 ⋅ 41 533 = 13 ⋅ 41 781 = 11 ⋅ 71 1003 = 17 ⋅ 59
2 2
289 = 17 539 = 7 ⋅ 11 791 = 7 ⋅ 113 1007 = 19 ⋅ 53
299 = 13 ⋅ 23 551 = 19 ⋅ 29 793 = 13 ⋅ 61 1027 = 13 ⋅ 79
301 = 7 ⋅ 43 553 = 7 ⋅ 79 799 = 17 ⋅ 47 1037 = 17 ⋅ 61
319 = 11 ⋅ 29 559 = 13 ⋅ 43 803 = 11 ⋅ 73 1043 = 7 ⋅ 149
323 = 17 ⋅ 19 581 = 7 ⋅ 83 817 = 19 ⋅ 43 1057 = 7 ⋅ 151
329 = 7 ⋅ 47 583 = 11 ⋅ 53 833 = 72 ⋅ 17 1067 = 11 ⋅ 97
2
341 = 11 ⋅ 31 589 = 19 ⋅ 31 841 = 29 1073 = 29 ⋅ 37
3 2
343 = 7 611 = 13 ⋅ 47 847 = 7 ⋅ 11 1079 = 13 ⋅ 83
2
361 = 19 623 = 7 ⋅ 89 851 = 23 ⋅ 37 1081 = 23 ⋅ 47
371 = 7 ⋅ 53 629 = 17 ⋅ 37 869 = 11 ⋅ 79 1099 = 7 ⋅ 157
Mersenne Numbers 541

Mersenne Numbers
Mersenne numbers are the integers 𝑀𝑝 = 2𝑝 − 1 where 𝑝 > 0 is a prime. We discuss
them in detail in Section 5.2 where we list the 51 primes of this form known in 2019.
The table contains the prime factorization of Mersenne numbers with exponents
between 10 and 100.
211 − 1 = 23 ⋅ 89
213 − 1 = 8191
217 − 1 = 131071
219 − 1 = 524287
223 − 1 = 47 ⋅ 178481
229 − 1 = 233 ⋅ 1103 ⋅ 2089
231 − 1 = 2147483647
237 − 1 = 223 ⋅ 616318177
241 − 1 = 13367 ⋅ 164511353
243 − 1 = 431 ⋅ 9719 ⋅ 2099863
247 − 1 = 2351 ⋅ 4513 ⋅ 13264529
253 − 1 = 6361 ⋅ 69431 ⋅ 20394401
259 − 1 = 179951 ⋅ 3203431780337
261 − 1 = 2305843009213693951
267 − 1 = 193707721 ⋅ 761838257287
271 − 1 = 228479 ⋅ 48544121 ⋅ 212885833
273 − 1 = 439 ⋅ 2298041 ⋅ 9361973132609
279 − 1 = 2687 ⋅ 202029703 ⋅ 1113491139767
283 − 1 = 167 ⋅ 57912614113275649087721
289 − 1 = 618970019642690137449562111
297 − 1 = 11447 ⋅ 13842607235828485645766393
542 Tables

Fermat Numbers
𝑛
Fermat numbers are the integers 𝐹𝑛 = 22 + 1, where 𝑛 ≥ 0 is an integer. We discuss
them in detail in Section 5.2.
𝐹𝑛 is a prime for 0 ≤ 𝑛 ≤ 4:
𝐹0 = 3, 𝐹1 = 5, 𝐹2 = 17, 𝐹3 = 257, 𝐹4 = 65537.
No primes are known among the Fermat numbers for 𝑛 ≥ 5.
The prime factorizations of 𝐹5 , 𝐹6 , and 𝐹7 are
𝐹5 = 641 ⋅ 6700417
𝐹6 = 274177 ⋅ 67280421310721
𝐹7 = 59649589127497217 ⋅ 5704689200685129054721.
The complete prime factorization of 𝐹𝑛 is known also for 8 ≤ 𝑛 ≤ 11, but for no
greater 𝑛.
𝐹𝑛 is known to be composite for 12 ≤ 𝑛 ≤ 32 and for some greater values of 𝑛.
No non-trivial divisor of 𝐹20 has been determined so far.
We do not know whether 𝐹33 is prime or composite.
Index

We generally indicate the first occurrence only. The data include the typical
notation (if it exists), the serial number of the definition, theorem, etc. ex-
plaining the notion or denomination, and finally the page number in paren-
theses.
D3.2.1 means Definition 3.2.1, and letters T, L, E instead of D refer to the theo-
rem, lemma, and exercise with the given number. P1.3.3 stands for the proof
of Theorem 1.3.3, 9.6.E3 denotes Example 3 in Section 9.6, and 5.8 means
Section 5.8. This latter can mean the entire section or a part of it. In some
cases, there is only a page number pointing directly to the occurence of the
expression in question, e.g. “Diffie–Hellman principle (160)”.
We add a sign “−” or “+” to the number of definition theorem, etc., if the
notion is introduced not in the given definition, theorem, etc., but just before
or after it, resp., without a new serial number. E.g. D1.4.1− indicates at “triv-
ial divisor” that this phrase is explained before Definition 1.4.1. Similarly,
T6.7.3+ shows that we find the meaning of “average order of magnitude” for
the function 𝜎(𝑛) after stating the theorem (still before the proof ), whereas
P9.3.6+ indicates that we can look up “algebraically closed field” after the
proof of Theorem 9.3.6.
We often include also important theorems besides the definition, e.g. for
“𝜎(𝑛)” we refer both to Definition 6.2.1 explaining this function and Theorem
6.2.2 establishing a formula for it. In some other cases, we list the related the-
orems in separate lines, e.g. at “mean value” we enumerate the mean value
theorems for several arithmetic functions.
If an important notion appears in various topics, we generally list all of them,
see e.g. at “unit” and “norm”. (If the notation is the same, we indicate it only
once.)
For information about notation used in the book, please consult part “Tech-
nical details” in the Introduction. We add that as mentioned in another part
of the Introduction, exercises marked with one or two asterisks are consid-
ered hard or extra hard, resp., by our judgement, and a letter S indicates
that a detailed solution can be found online at www.ams.org/bookpages/
amstext-48.

543
544 Index

abundant number, E6.3.3 (177) basis, integral, in 𝐐(𝜗), 𝜔1 , . . . , 𝜔𝑛 , D10.5.1

accomplice, (154) (336), T10.5.4 (338)
additive arithmetic function, D6.1.4 (166) Bertrand’s postulate (Chebyshev’s
(completely), D6.1.5 (166) theorem), T5.5.3+ (135)
characterization of, T6.8.1 (207) binomial congruence, T3.5.1 (88)
additive basis, T12.3.3− (397), E12.3.10
(403) 𝐂 = complex numbers
additive complement, 12.6 (412–419) canyon theorem, T6.4.1 (178)
Agrawal–Kayal–Saxena primality test Carmichael number, D5.7.3 (152)
(AKS), 157 Cauchy–Davenport–Chowla theorem,
algebraic element, D10.1.4 (313) T12.3.1 (395)
degree of, deg 𝜗, D10.1.5 (313) ceiling, ⌈ ⌉, P1.2.1 (11)
minimal polynomial of, 𝑚𝜗 , D10.1.5 characterization of additive arithmetic
(313) functions, T6.8.1 (207)
algebraic integer, D9.6.1 (306) Chebyshev’s inequality, P6.7.7+ (202),
algebraic number, D9.1.1 (285) P12.1.1 (378)
approximation of, T9.4.1 (296), T9.4.3 Chebyshev’s theorem, T5.5.3 (135)
(298), T9.4.4 (298) Chevalley’s theorem, T3.6.1 (91)
conjugate over 𝐐 of, 𝜗 (𝑗) , D10.4.1 (331) Chinese Remainder Theorem, T2.6.2 (59)
degree of, deg 𝛼, D9.2.4 (289) class number, T11.6.3 (373)
minimal polynomial of, 𝑚𝛼 , D9.2.1 (288) colorings, T12.4.2 (405), T12.4.4 (406),
norm (in 𝐐(𝜗)) of, 𝑁(𝛼), D10.4.4 (334), T12.4.4A (406)
T10.4.5 (334) commensurability of segments, E1.3.17
relative conjugate of, 𝑓(𝜗 (𝑗) ), D10.4.2 (21)
(332), T10.4.3 (333) common divisor, greatest, (𝑎, 𝑏), gcd{𝑎, 𝑏},
algebraic number field, 𝐐(𝜗), D10.2.1 D1.3.1 (15), D7.4.9 (225)
(315), T10.2.3 (316) common divisor, special, (𝑎, 𝑏), D1.3.2 (15)
algebraically closed field, P9.3.6+ (294) common multiple, least, [𝑎, 𝑏], lcm{𝑎, 𝑏},
amicable numbers, E6.3.7 (178) D1.6.5 (30)
approximation (Diophantine), 8.1 commutative field, 𝐹, T2.8.3+ (69)
(263–270) commutative group, P2.8.5+ (69)
of algebraic numbers, T9.4.1 (296), complement (additive), 12.6 (412–419)
T9.4.3 (298) completely economic (CEC), T12.6.2−
of irrational numbers, 8.1 (263–270) (415)
of rational numbers, E8.1.1 (268) complete residue system, D2.2.2 (41),
simultaneous, T8.1.3 (265), T8.1.4 (265) T2.2.3 (42)
arithmetic function, D6.1.1 (165) completely additive arithmetic function,
additive, D6.1.4 (166) D6.1.5 (166)
completely additive, D6.1.5 (166) completely economic complement (CEC),
completely multiplicative, D6.1.3 (166) T12.6.2− (415)
multiplicative, D6.1.2 (166) completely multiplicative arithmetic
arithmetic progressions, monochromatic, function, D6.1.3 (166)
T12.4.4 (406), T12.4.4A (406) congruence, 𝑎 ≡ 𝑏 (mod 𝑚), D2.1.1 (37)
primes in, (116), T5.3.1 (125) for Eulerian integers, D7.7.8 (245)
average order function = mean value for numbers 𝑎 + 𝑏√3, P5.2.4 (122)
function modulo prime powers, T3.7.1 (96)
average order of magnitude of 𝜑(𝑛), binomial, 𝑥𝑘 ≡ 𝑎 (mod 𝑝), T3.5.1 (88)
T6.7.4+ (197) linear, 𝑎𝑥 ≡ 𝑏 (mod 𝑚), D2.5.1 (52),
of 𝜎(𝑛), T6.7.3+ (196) T2.5.3 (53)–T2.5.5 (55)
number of solutions of, D2.5.2 (53)
basis (additive), T12.3.3− (397), E12.3.10 quadratic, 𝑥2 ≡ 𝑎 (mod 𝑝), D4.1.1 (101)
(403) conjugate over 𝐐, 𝜗 (𝑗) , D10.4.1 (331)
Index 545

relative, 𝑓(𝜗 (𝑗) ), D10.4.2 (332), T10.4.3 for Gaussian integers, T7.4.8 (224)
(333) divisors, number of, 𝑑(𝑛), T1.6.3 (29)
continued fraction, 8.3 (275–281) divisors, sum of, 𝜎(𝑛), D6.2.1 (170), T6.2.2
digit, D8.3.1 (275) (170)
convolution, 𝑓 ∗ 𝑔, D6.6.1 (190)
coprime = relatively prime, D1.3.7 (18) 𝑒 is irrational, T9.5.1 (301)
pairwise, D1.3.8 (18) 𝑒 is transcendental, T9.5.3 (303)
covering congruences, 12.5 (408–412) Egyptian fraction, E7.3.6 (222)
disjoint (DCC), E12.5.6 (412) elementary symmetric polynomial, 𝜎𝑗 ,
cryptography, 5.8 (160–165) T9.3.1+ (291)
cryptosystem, public key, 5.8 (160–165) equivalence relation, P2.1.2+ (38)
cyclotomic polynomial Φ𝑚 , P5.3.4 (126) equivalent ideals, D11.6.1 (373)
Eratosthenes, sieve of, T5.1.2 (114)
𝑑(𝑛) = number of (positive) divisors of 𝑛,
Euclidean algorithm, P1.3.3 (16)
T1.6.3 (29)
Euclidean ring, D11.3.4 (353), T11.3.5
𝑑𝑘 (𝑛), D6.2.6 (171), T6.2.7 (171)
(354)
decimal fraction, E3.2.20 (79)
Euler–Fermat Theorem, T2.4.1 (50)
deficient number, E6.3.3 (177)
Eulerian integer, 𝛼 = 𝑎 + 𝑏𝜔, D7.7.4 (244)
deg = degree
Eulerian prime, T7.7.7 (245)
degree of algebraic element, deg 𝜗, D10.1.5
Eulerian rational, 9.6.E3 (306)
(313)
Euler’s function 𝜑, 𝜑(𝑛), D2.2.7 (43), T2.3.1
of algebraic number, deg 𝛼, D9.2.4 (289)
(47)
of field extension, deg(𝑀 ∶ 𝐿), D10.1.2
Euler’s theorem for partitions, T7.9.5 (258)
(311)
even numbers, number theory of, P1.1.3+
of polynomial modulo 𝑚, deg 𝑓, D3.1.1
(8), P1.4.3+ (22), P1.5.1− (24)
(73)
extension = field extension
derivative of a polynomial, 𝑓′ , T3.7.1 (96),
P5.3.4 (126)
Diffie–Hellman principle, (160) 𝐹: denotes a commutative field in general
Diophantine approximation, 8.1 (263–270) 𝐹[𝑥] = ring of polynomials over the field 𝐹
Diophantine equation, T1.3.6− (18) 𝜑(𝑛) = Euler’s function 𝜑, D2.2.7 (43),
linear, T1.3.6 (18), T7.1.1 (212) T2.3.1 (47)
Dirichlet series, 𝐹(𝑠), D6.6.3 (192) factor ring, 𝑅/𝐼, T11.1.6 (344)
Dirichlet’s theorem (on primes in Fermat number, 𝐹𝑛 , 5.2 (118–125)
arithmetic progressions), T5.3.1 (125) primality test for, T5.2.2 (119)
discrete logarithm = index, ind 𝑎, ind𝑔 𝑎, (prime) divisors of, T5.2.1 (119)
D3.4.1 (86) Fermat prime, 𝐹𝑛 , E1.4.4 (23), 5.2
discriminant of 𝐐(𝜗), P10.5.4+ (338) (118–125)
of 𝑛-tuples in 𝐐(𝜗), Δ(𝛼1 , . . . , 𝛼𝑛 ), Fermat’s Last Theorem, T7.7.1 (241)
D10.5.2 (337) for exponent 3, T7.7.10 (247)
disjoint covering congruences (DCC), for exponent 4, T7.7.2 (242)
E12.5.6 (412) Fermat’s Little Theorem, T2.4.1A (50),
divisibility, divisor, 𝑏 ∣ 𝑎, D1.1.1 (7), D7.4.4 T2.4.1B (51)
(224) Fibonacci number, 𝜑𝑛 , E1.2.5 (13)
among Gaussian integers, 𝛽 ∣ 𝛼, D7.4.4 field, 𝐹, T2.8.3+ (69)
(224) algebraically closed, P9.3.6+ (294)
among ideals, 𝐵 ∣ 𝐴, D11.4.3 (359) field extension, 𝑀 ∶ 𝐿, D10.1.1 (311)
among integers, 𝑏 ∣ 𝑎, D1.1.1 (7) degree of, deg(𝑀 ∶ 𝐿), D10.1.2 (311)
divisibility laws, E1.1.14 (10) finite, D10.1.2 (311)
division algorithm (for integers), T1.2.1 quadratic, 𝐐(√𝑡), 10.3 (320–331)
(11), T1.2.1A (12) simple, 𝐐(𝜗), D10.2.1 (315), T10.2.2
in Euclidean rings, D11.3.4 (353) (315)
546 Index

simple algebraic, D10.2.1 (315), T10.2.3 harmonic number, E6.3.6 (177)

(316)
tower theorem, T10.1.3 (312) 𝐼(𝜗) = ring of algebraic integers in 𝐐(𝜗)
finite extension, D10.1.2 (311) Im = imaginary part (of complex numbers)
finitely generated ideal, (𝑎1 , . . . , 𝑎𝑘 ), ideal, 𝐼, D11.1.1 (341)
D11.1.4 (343) ideal class, T11.6.3− (373)
floor, ⌊ ⌋, P1.2.1 (11) ideal, finitely generated, (𝑎1 , . . . , 𝑎𝑘 ),
Four Squares Theorem, T7.5.3 (232) D11.1.4 (343)
fractional part, { }, P8.1.2 (264) generated, (𝑎), (𝑎1 , . . . , 𝑎𝑘 ), D11.1.2
Frobenius, problem of, E7.1.11 (215) (342), D11.1.4 (343)
fundamental parallelogram (of lattice), irreducible, D11.4.6 (360)
T8.2.1 (270) maximal, D11.4.6+ (360)
Fundamental Theorem of Arithmetic, prime, D11.4.7 (360)
T1.5.1 (24), T7.4.13 (226), 11.3 principal, (𝑎), D11.1.2 (342)
(350–356) smallest, T11.1.3 (342), T11.1.5 (343)
for Gaussian integers, T7.4.13 (226) trivial, 11.1.E4, (342)
for ideals, T11.5.8 (368) ideals, divisibility of, 𝐵 ∣ 𝐴, D11.4.3 (359)
for integers, T1.5.1 (24) equivalence of,, D11.6.1 (373)
in integral domains, 11.3 (350–356) greatest common divisor of, (𝐴, 𝐵),
in quadratic fields, T10.3.5 (325), T10.3.6 D11.4.4 (359), T11.4.5 (359)
(327) least common multiple of, E11.4.5 (362)
Fundamental Theorem of Symmetric product of, 𝐴𝐵, D11.4.1 (357), T11.4.2
Polynomials, T9.3.2 (291) (357)
sum of, 𝐴 + 𝐵, E11.4.4b (362)
𝑔(𝑘), D7.6.1 (237) identity, identity element (for
𝐺(𝑘), D7.6.3 (238) multiplication), 1, 𝑒, E1.1.23a (11)
gaps between consecutive primes, 5.5 imaginary quadratic field, T10.3.6− (327)
(134–140) incongruent = not congruent, ≢, D2.1.1+
Gauss’ lemma, for primitive polynomials, (37)
E11.5.9 (372) index, ind 𝑎, ind𝑔 𝑎, D3.4.1 (86) (119)
for quadratic congruences, T4.2.1 (104) infinite descent, P7.5.3+ (232)
Gaussian integer, 𝛼 = 𝑎 + 𝑏𝑖, D7.4.1 (223) infinite product, E5.6.6 (148), E5.6.7 (148)
irreducible, 𝜋, D7.4.10 (226) integer part (lower) = floor
prime, 𝜋, D7.4.11 (226), T7.4.15 (227) upper = ceiling
Gaussian rational, 9.6.E3, (306) integral basis (in 𝐐(𝜗)), 𝜔1 , . . . , 𝜔𝑛 , D10.5.1
Gelfond–Schneider theorem, T9.3.5 (293) (336), T10.5.4 (338)
generating function for partitions, 7.9 integral domain, E1.1.23 (11)
(256–263) inverse (multiplicative), T2.8.3− (69)
Goldbach conjecture, (115) inversion formula, T6.5.3 (187)
greatest common divisor, (𝑎, 𝑏), gcd{𝑎, 𝑏}, inversion function, 𝑓,̃ T6.5.2 (186)
D1.3.1 (15), D7.4.9 (225) irrational number, approximation of, 8.1
for Gaussian integers, (𝛼, 𝛽), D7.4.9 (263–270)
(225) irrationality of 𝑒, T9.5.1 (301)
for ideals, (𝐴, 𝐵), D11.4.4 (359), T11.4.5 of 𝑘√𝑛, E1.6.33a (36)
(359) of log𝑎 𝑏, E1.6.33b (36)
for integers, (𝑎, 𝑏), gcd{𝑎, 𝑏}, D1.3.1 (15) of 𝜋, T9.5.2 (302)
standard form of, T1.6.4 (29) of √2 (geometrically), E1.3.17e (21)
greatest common measure, E1.3.17d (21) irreducible, ideal, D11.4.6 (360)
group, P2.8.5+ (69) number, D1.4.1 (21)
isolated prime, T5.5.2 (135)
Hardy–Ramanujan theorem, T6.7.7 (202),
𝑎
T6.7.7A (202) Jacobi symbol, (𝑚), D4.3.1 (109)
Index 547

𝑘th power non-residue, D3.5.2 (89) Möbius function, 𝜇(𝑛), D6.2.3 (170)
residue, D3.5.2 (89), T3.5.3 (89) Möbius inversion formula, T6.5.3 (187)
Kőnig–Rados theorem, T3.6.2 (93) multiple, D1.1.1 (7), D7.4.4 (224)
Kronecker’s theorem (for ideals), T11.5.5 least common, [𝑎, 𝑏], lcm{𝑎, 𝑏}, D1.6.5
(366) (30)
multiple roots of polynomials, P5.3.4 (126)
lattice, T8.2.1 (270), L8.2.2 (271) multiplicative arithmetic function, D6.1.2
least absolute value, remainder of, 𝑟, (166)
T1.2.1A+ (12) (completely), D6.1.3 (166)
least common multiple, [𝑎, 𝑏], lcm{𝑎, 𝑏}, multiplicative inverse, T2.8.3− (69)
D1.6.5 (30)
standard form of, T1.6.6 (30) 𝑛!, standard form of (=
least non-negative remainder, 𝑟, P1.2.1+ Legendre’s-formula), T1.6.8 (32)
(11) norm in algebraic number fields, 𝑁(𝛼),
Legendre’s formula = standard form of 𝑛!, D10.4.4 (334)
T1.6.8 (32) in quadratic fields, D10.3.3 (323)
𝑎
Legendre symbol, (𝑝), D4.1.3 (102) of Eulerian integers, D7.7.5 (244)
linear Diophantine equation, 𝑎𝑥 + 𝑏𝑦 = 𝑐, of Gaussian integers, D7.4.2 (223),
T1.3.6 (18), T7.1.1 (212) T7.4.3 (223)
linear congruence, 𝑎𝑥 ≡ 𝑏 (mod 𝑚), of quaternions, P7.5.4+ (232)
D2.5.1 (52), T2.5.3 (53)–T2.5.5 (55) number of ideal classes, T11.6.3 (373)
Liouville’s approximation theorem, T9.4.1 number of solutions of congruences,
(296) D2.5.2 (53)
Liouville number, E9.4.1 (300) number systems, T1.2.2 (12)
lower integer part = floor
Lucas–Lehmer test (for Mersenne 𝜔(𝑛) = number of distinct (positive) prime
numbers), T5.2.4 (122) divisors of 𝑛, D6.2.5 (171)
Ω(𝑛) = number of “all” (positive) prime
𝜇(𝑛) = Möbius function, D6.2.3 (170) divisors of 𝑛
maximal ideal, D11.4.6+ (360) (counted with multiplicity), D6.2.5 (171)
mean value function( = mean value), order (modulo 𝑚), 𝑜(𝑎), 𝑜𝑚 (𝑎), D3.2.1 (76)
D6.7.1 (195) Ore number, E6.3.6 (177)
of 𝑑(𝑛), T6.4.3 (179), T6.4.4 (181)
of 𝜑(𝑛), T6.7.4 (197) 𝑝𝑛 : denotes the 𝑛th prime in general
of 𝜔(𝑛), T6.7.6 (200) 𝑝(𝑛) = number of partitions of 𝑛, D7.9.1
of Ω(𝑛), E6.7.5 (206) (256)
of 𝜎(𝑛), T6.7.3 (196) 𝜋 is irrational, T9.5.2 (302)
measure zero, D8.1.7 (266) 𝜋(𝑥) = number of primes not greater than
Mersenne number, 𝑀𝑝 , 5.2 (118–125) 𝑥, T5.4.1− (128)
primality test for, T5.2.4 (122) lower and upper bounds, T5.4.3 (130)
(prime) divisors of, T5.2.3 (121) pairwise coprime = pairwise relatively
Mersenne prime, 𝑀𝑝 , E1.4.4 (23), 5.2 prime, D1.3.8 (18)
(118–125) partition, D7.9.1 (256)
Miller–Lenstra–Rabin primality test, peak theorem, T6.4.2 (179)
T5.7.5 (156) Pell’s equation, T7.8.1 (251), T7.8.2 (253)
minimal polynomial of algebraic element, Pepin’s test = primality test for Fermat
𝑚𝜗 , D10.1.5 (313) numbers, T5.2.2 (119)
of algebraic number 𝑚𝛼 , D9.2.1 (288) perfect number, D6.3.1 (176), T6.3.2 (176)
Minkowski’s theorem, T8.2.1 (270) polynomial, cyclotomic, Φ𝑚 , P5.3.4 (126)
modulus of congruence,𝑚, D2.1.1+ (37) degree modulo 𝑚 of, D3.1.1 (73)
monochromatic arithmetic progressions, derivative of, 𝑓′ , T3.7.1 (96), P5.3.4 (126)
T12.4.4 (406), T12.4.4A (406) multiple roots of, P5.3.4 (126)
548 Index

primitive, E11.5.9 (372) 𝐑 = real numbers

power non-residue (𝑘th), D3.5.2 (89) Re = real part (of complex numbers)
residue (𝑘th), D3.5.2 (89),T3.5.3 (89) Ramsey number, T12.4.1+ (404)
primality test, Agrawal–Kayal–Saxena, Ramsey’s theorem, T12.4.1 (404)
(157) rational numbers, approximation of,
based on Fermat’s Little Theorem, E8.1.1 (268)
T5.7.2 (152) real quadratic field, T10.3.6− (327)
for Fermat numbers, T5.2.2 (119) reciprocity law, T4.2.3 (106)
for Mersenne numbers, T5.2.4 (122) reduced residue class, D2.2.6 (43)
Miller–Lenstra–Rabin, T5.7.5 (156) reduced residue system, D2.2.8 (43), T2.2.9
Solovay–Strassen, T5.7.4 (153) (43)
prime, prime number, 𝑝, D1.4.2 (21) relative conjugate in 𝐐(𝜗), 𝑓(𝜗 (𝑗) ), D10.4.2
prime divisors, number of all, Ω(𝑛), D6.2.5 (332), T10.4.3 (333)
(171) relatively prime, D1.3.7 (18)
prime divisors, number of distinct, 𝜔(𝑛), pairwise, D1.3.8 (18)
D6.2.5 (171) probability of, T6.7.5 (198)
prime formulas, (116) remainder (at division algorithm), 𝑟,
prime ideal, D11.4.7 (360) P1.2.1+ (11)
prime number theorem, T5.4.1 (128) of least absolute value, T1.2.1A+ (12)
prime power modulus, congruence of, least non-negative, P1.2.1+ (11)
T3.7.1 (96) remainder number system, P2.6.E2- (62)
primes in arithmetic progressions, (116), repeated squarings, (77), P5.7.1 (149)
T5.3.1 (125) repunit, E1.3.12 (20)
primitive polynomial, E11.5.9 (372) residue class, modulo an ideal in factor
primitive Pythagorean triple, T7.2.1 (216) rings 𝑎 + 𝐼, T11.1.6 (344)
primitive root (modulo 𝑚), 𝑔, D3.3.1 (80), modulo 𝑚 at congruences, (𝑎), (𝑎)𝑚 ,
T3.3.2 (80) D2.2.1 (41)
principal ideal, (𝑎), D11.1.2 (342) reduced, D2.2.6 (43)
principal ideal domain, D11.3.2 (352), residue, quadratic, D4.1.1 (101)
T11.3.3 (352) residue system, complete, D2.2.2 (41),
pseudoprime, of base 𝑎, D5.7.3 (152) T2.2.3 (42)
universal, D5.7.3 (152)
reduced, D2.2.8 (43), T2.2.9 (43)
public key cryptosystem, 5.8 (160–165)
Riemann Hypothesis, T6.6.4− (193)
Pythagorean triple, T7.2.1 (216)
Riemann zeta function, 𝜁(𝑠), E5.6.6 (148),
primitive, T7.2.1 (216)
T6.6.4− (193)
𝐐 = rational numbers ring, 𝑅, P2.8.2+ (68)
𝐐(𝜗) = simple extension of 𝐐, D10.2.1 Euclidean, D11.3.4 (353), T11.3.5 (354)
(315), T10.2.2 (315), T10.2.3 (316) with unique prime factorization, T11.3.1
quadratic congruence, 𝑥2 ≡ 𝑎 (mod 𝑝), (351)
D4.1.1 (101) Roth’s approximation theorem, T9.4.4
quadratic field, 𝐐(√𝑡), 10.3 (320–331) (298)
imaginary, T10.3.6− (327) RSA scheme, T5.8.1 (162)
real, T10.3.6− (327)
algebraic integers in, T10.3.2 (321) 𝜎(𝑛) = sum of (positive) divisors of 𝑛,
quadratic non-residue, D4.1.1 (101) D6.2.1 (170), T6.2.2 (170)
quadratic reciprocity law, T4.2.3 (106) Schur numbers, T12.4.2+ (405)
quadratic residue, D4.1.1 (101) Schur’s theorem, T12.4.2 (405)
quasiperfect number, E6.3.4 (177) Sidon set, 12.2 (386–394)
quick algorithms, T5.7.1 (149) Sieve of Eratosthenes, T5.1.2 (114)
quotient at division algorithm, 𝑞, P1.2.1+ simple algebraic extension of 𝐐 =
(11) algebraic number field
Index 549

simple extension, 𝐐(𝜗), D10.2.1 (315), (among Gaussian integers), D7.4.6

T10.2.2 (315) (224), T7.4.7 (224)
simultaneous approximation, T8.1.3 (265), (among integers), D1.1.2 (8), T1.1.3 (8)
T8.1.4 (265) (in quadratic fields), T10.3.4 (323)
simultaneous system of congruences, 2.6 universal pseudoprime, D5.7.3 (152)
(58–65) upper integer part = ceiling
smallest ideal, T11.1.3 (342), T11.1.5 (343)
smallest (sub)field, T10.2.2 (315) Van der Waerden numbers, T12.4.4A+
Smith determinant, T6.5.4 (188) (406)
Solovay–Strassen primality test, T5.7.4 Van der Waerden’s theorem, T12.4.4 (406),
(153) T12.4.4A (406)
special common divisor, (𝑎, 𝑏), D1.3.2 (15) Waring’s problem, 7.6 (236–241)
squarefree integer, E1.6.10 (34) Weyl’s theorem, T8.4.4 (282)
squareful number, E5.6.1f (147) Wiles’ theorem = Fermat’s Last Theorem,
standard form (of integers), T1.6.1 (28) T7.7.1 (241)
of divisor, T1.6.2 (28) Wilson’s theorem, T2.7.1 (66), P3.1.2+ (74)
of Gaussian integers, P7.5.1 (230) witness, (154)
of greatest common divisor, T1.6.4 (29)
of ideals, T11.5.9− (370) 𝐙 = integers
of least common multiple, T1.6.6 (30) 𝐙𝑚 = ring of modulo 𝑚 residue classes,
modified, T1.6.1+ (28) T2.8.2 (68)
of 𝑛!, T1.6.8 (32) zero divisor, T2.8.5− (69)
summation function, 𝑓+ , D6.5.1 (186) zeta function, 𝜁(𝑠), E5.6.6 (148), T6.6.4−
superperfect number, E6.3.5 (177) (193)
symmetric polynomial, T9.3.1+ (291)
elementary 𝜎𝑗 , T9.3.1+ (291)
symmetric polynomials, fundamental
theorem, T9.3.2 (291)
Szemerédi’s theorem, T12.4.5 (407)

Three Squares Theorem, T7.5.2 (232)

Thue’s approximation theorem, T9.4.3
(298)
Thue’s lemma, E7.5.21a (236)
totally additive/multiplicative =
completely additive/multiplicative
tower theorem, T10.1.3 (312)
transcendence of 𝑒, T9.5.3 (303)
of log 𝑛, E9.3.7 (295)
transcendental number, D9.1.2 (286)
existence of, T9.1.3 (286), T9.4.2 (297)
trivial divisor, D1.4.1- (21)
trivial ideal, 11.1.E4, (342)
twin primes, (114)
Two Squares Theorem, T7.5.1 (230)

uniform distribution, D8.4.3 (282), T8.4.4

(282)
unique prime factorization =
Fundamental Theorem of Arithmetic
unit, 𝜀, D1.1.2 (8), D7.4.6 (224)
(among Eulerian integers), T7.7.6 (245)
Selected Published Titles in This Series
48 Róbert Freud and Edit Gyarmati, Number Theory, 2020
47 Michael E. Taylor, Introduction to Analysis in One Variable, 2020
46 Michael E. Taylor, Introduction to Analysis in Several Variables, 2020
45 Michael E. Taylor, Linear Algebra, 2020
44 Alejandro Uribe A. and Daniel A. Visscher, Explorations in Analysis, Topology, and
Dynamics, 2020
43 Allan Bickle, Fundamentals of Graph Theory, 2020
42 Steven H. Weintraub, Linear Algebra for the Young Mathematician, 2019
41 William J. Terrell, A Passage to Modern Analysis, 2019
40 Heiko Knospe, A Course in Cryptography, 2019
39 Andrew D. Hwang, Sets, Groups, and Mappings, 2019
38 Mark Bridger, Real Analysis, 2019
37 Mike Mesterton-Gibbons, An Introduction to Game-Theoretic Modelling, Third
Edition, 2019
36 Cesar E. Silva, Invitation to Real Analysis, 2019
35 Álvaro Lozano-Robledo, Number Theory and Geometry, 2019
34 C. Herbert Clemens, Two-Dimensional Geometries, 2019
33 Brad G. Osgood, Lectures on the Fourier Transform and Its Applications, 2019
32 John M. Erdman, A Problems Based Course in Advanced Calculus, 2018
31 Benjamin Hutz, An Experimental Introduction to Number Theory, 2018
30 Steven J. Miller, Mathematics of Optimization: How to do Things Faster, 2017
29 Tom L. Lindstrøm, Spaces, 2017
28 Randall Pruim, Foundations and Applications of Statistics: An Introduction Using R,
Second Edition, 2018
27 Shahriar Shahriari, Algebra in Action, 2017
26 Tamara J. Lakins, The Tools of Mathematical Reasoning, 2016
25 Hossein Hosseini Giv, Mathematical Analysis and Its Inherent Nature, 2016
24 Helene Shapiro, Linear Algebra and Matrices, 2015
23 Sergei Ovchinnikov, Number Systems, 2015
22 Hugh L. Montgomery, Early Fourier Analysis, 2014
21 John M. Lee, Axiomatic Geometry, 2013
20 Paul J. Sally, Jr., Fundamentals of Mathematical Analysis, 2013
19 R. Clark Robinson, An Introduction to Dynamical Systems: Continuous and Discrete,
Second Edition, 2012
18 Joseph L. Taylor, Foundations of Analysis, 2012
17 Peter Duren, Invitation to Classical Analysis, 2012
16 Joseph L. Taylor, Complex Variables, 2011
15 Mark A. Pinsky, Partial Differential Equations and Boundary-Value Problems with
Applications, Third Edition, 1998
14 Michael E. Taylor, Introduction to Differential Equations, 2011
13 Randall Pruim, Foundations and Applications of Statistics, 2011
12 John P. D’Angelo, An Introduction to Complex Analysis and Geometry, 2010
11 Mark R. Sepanski, Algebra, 2010
10 Sue E. Goodman, Beginning Topology, 2005
9 Ronald Solomon, Abstract Algebra, 2003

For a complete list of titles in this series, visit the

AMS Bookstore at www.ams.org/bookstore/amstextseries/.
Number Theory is a newly translated and revised edition of the most popular
introductory textbook on the subject in Hungary. The book covers the usual
topics of introductory number theory: divisibility, primes, Diophantine
equations, arithmetic functions, and so on. It also introduces several more
advanced topics including congruences of higher degree, algebraic number
theory, combinatorial number theory, primality testing, and cryptography.
The development is carefully laid out with ample illustrative examples and a
treasure trove of beautiful and challenging problems. The exposition is both
clear and precise.

The book is suitable for both graduate and undergraduate courses with enough
material to fill two or more semesters and could be used as a source for inde-
pendent study and capstone projects. Freud and Gyarmati are well-known
mathematicians and mathematical educators in Hungary, and the Hungarian
version of this book is legendary there. The authors’ personal pedagogical
style as a facet of the rich Hungarian tradition shines clearly through. It will
inspire and exhilarate readers.

For additional information

and updates on this book, visit
www.ams.org/bookpages/amstext-48

AMSTEXT/48

This series was founded by the highly respected

mathematician and educator, Paul J. Sally, Jr.