Theorema Aureum

Shivam Kumar

B. Math. Hons. IIIrd year Indian Statistical Institute, Bangalore – 560 059

§I. Historical setting

Historically, one of the important reasons for studying algebra has been for finding good ways of solving polynomial equations. Linear and quadratic equations were mastered long back, and attempts to solve the cubic equation brought mathematicians into contact for the first time with the strange world of complex numbers. By the seventeenth century, cubic equations and quartic equations had been mastered, and attention then turned to the quintic (degree 5) equation. The resolution of this problem (in the negative, as it turned out, by Ruffini, Abel and Galois; each one showed, independently, that equations of degree 5 and higher cannot be solved in the same way that we solve equations of degree less than 5, i.e., using methods of school algebra such as “completing the square” and so on) is an extremely important stage in the development of algebra, for it brought forth group theory, the theory of finite fields, Galois theory, and most importantly, the AXIOMATIC APPROACH in algebra.

In the last decade of the eighteenth century, Carl Gauss opened the field hugely by expanding the domain over which we may seek solutions to equations. He introduced the notion of a CONGRUENCE among integers, denoted by the symbol ‘ ’. Let a, b and m ≡ be integers, with m = 0; we call m the MODULUS, and say that a and b are congruent 6 modulo m if they leave the same remainder on division by m; we write this compactly as a b (mod m); e.g., 17 12 (mod 5) and 37 13 (mod 8). The word ‘congruence’ ≡ ≡ ≡ is used here in much the same was as it is in geometry, where we say that two shapes are congruent to each other if they ‘look the same’. The idea is that when the modulus is m, then the universe of available numbers is (in effect) the finite set 0, 1, 2, . . . , m 1 , { − } and the numbers 1, m + 1, 2m + 1, 3m + 1, . . . ‘look’ the same in this world, as do the numbers 2, m+2, 2m+2, 3m+2, . . . (we may picture the numbers as ‘cycling back’ to 0 after reaching m 1). The algebra of congruences is easy to construct, as the congruence − symbol ‘ ’ obeys practically all the rules of the more familiar equality symbol, ‘=’. Only ≡ division could pose some difficulty, and even this is not the case if the modulus is a prime

1 number; e.g., if m = 7, then 2 4 1, so 2 and 4 may be called reciprocals of each other, × ≡ and this shows how division can be done; e.g., 3/4 3 2 6 (mod 7). ≡ × ≡ Once this idea has been conceived, the possibility of solving equations over these finite domains immediately suggests itself. E.g, the linear equation 2x + 3 4 (mod 7) has ≡ the unique solution x 4 (mod 7), and the quadratic equation x2 +2x 3 (mod 7) has ≡ ≡ the two solutions x 1 (mod 7) and x 4 (mod 7). On the other hand, the equation ≡ ≡ x2 +2x 4 (mod 7) has no solutions. The intricacy of algebra in this finite domain soon ≡ emerges, posing numerous questions of great appeal to the mathematician.

For further studying the algebra of congruences, the reader may consult any book on number theory; e.g., the well known one by Hardy and Wright.

§II. Quadratic reciprocity

Quadratic reciprocity concerns congruences of the kind x2 a (mod p), where a is ≡ an integer and p is a prime number, and x is an integer to be found. Depending on the values of a and p, this congruence may or may not have any solutions. For example, the congruences x2 2 (mod 3) and x2 5 (mod 7) have no solutions, as may be ≡ ≡ verified simply by computing the squares of the first positive few integers and checking their residues modulo 3 and modulo 7, respectively. On the other hand, the congruences x2 1 (mod 3) and x2 2 (mod 7) do possess solutions; the former congruence has ≡ ≡ solutions x 1 (mod 3), the latter one x 3 (mod 7). ≡ ± ≡ ± The more general quadratic congruence ax2 + bx + c 0 (mod m) where a, b, c, ≡ m are integers and x is an integer to be found, may always be reduced to a finite set of congruences of the type x2 a (mod p), so the study of such congruences takes care of ≡ all such congruences. But this simple looking congruence possesses vast depths!

Let p denote an odd prime number, and let a be any integer not divisible by p. If the congruence x2 a (mod p) possesses a solution, then a is called a QUADRATIC ≡ RESIDUE modulo p; if not, it is a QUADRATIC NON-RESIDUE modulo p. For example, in the set 1, 2, 3,..., 10 , the quadratic residues modulo 11 are 1, 3, 4, 5, 9 and the { } quadratic non-residues are 2, 6, 7, 8, 10. Among the many attractive properties of these sets of numbers are the following: (I) There are as many quadratic residues modulo p as non-residues modulo p. (II) The product of any two quadratic residues or of any two non-residues modulo p is a quadratic residue modulo p; e.g., 4 5 9 or 6 8 4 for × ≡ × ≡ the case p = 11. (III) The product of a quadratic residues and a non-residue modulo p is a quadratic non-residue modulo p; e.g., 3 7 10. × ≡ Properties (II), (III) remind us of the relations “plus plus = plus”, “minus minus = × × plus”, “plus minus = minus”; and indeed, there is a group theoretic connection. ×

2 Box I. Quadratic residues, cryptography, coin tossing and primality testing Studying quadratic residues modulo a prime is not only a natural and important prob- lem in mathematics, it proves useful in several other places like cryptography. Here is one way of seeing the connection. We stated above that the quadratic residues modulo 11 are 1, 3, 4, 5, 9 and the quadratic non-residues are 2, 6, 7, 8, 10. So the numbers from 1 to 10 have been placed in two sets, but they give the impression of being randomly distributed. This fact may be made use of in devising codes and in “tossing a coin over a telephone” (i.e., tossing a coin electronically) and conveying the result in a believable and verifiable way. In primality testing, there is an efficient test called the Miller-Rabin primality test which is not known to be deterministic, but it can be proved to be deterministic if one could guarantee the existence of ‘small’ quadratic non-residues modulo any prime. Such a guarantee can be given if one assumes one of the deepest open problems of mathematics — the Generalized Riemann Hypothesis. We describe the Miller-Rabin test at the end of this article.

A convenient way of denoting the quadratic character of a modulo p is through the use of the following symbol first introduced by Legendre:

a +1, if a is a quadratic residue modulo p, = p ( 1, if a is a quadratic non-residue modulo p. ² ³ − For example, 2 = +1, whereas 2 = 1. If a is a multiple of p, we write a = 0. 7 5 − p A convenient ¡ and easily proved property¡ of the Legendre symbol is its multiplicative° ± property: we have a b = ab for all integers a, b and all primes p. p · p p ° ± ° ± ° ± a Is there a quick way of computing p for a given integer a and a prime number p? Following the remark made above, we may° ± focus on the cases when the numerator a is a 101 prime number; e.g., one may ask for the value of 1999 . In the resolution of this question p q lies a startling fact connecting the values of q and ¡p for pairs of distinct odd primes p and q. This connection was first found empirically° ± ° by± Euler and Legendre, and proved rigorously only by Gauss, but the seeds of its discovery lie in discoveries made much earlier by Fermat. Today this connection is called QUADRATIC RECIPROCITY. The famous law of quadratic reciprocity may thus be said to have had more than one birth!

§III. First movement: Fermat, circa 1640; Euler, circa 1749

Fermat’s discovery is the following, which he expressed in a letter to Mersenne in 1540:

Every prime number which surpasses by one a multiple of four is composed

3 of two squares . . . .

In other words, a prime number p 1 (mod 4) is a sum of two squares. In a letter to ≡ Pascal in 1654, he also wrote that a prime number p 1 (mod 3) is of the form x2 +3y2, ≡ and that a prime number p 1 or 3 (mod 8) is of the form x2 +2y2. Of course, as is well- ≡ known, Fermat usually mentioned various results without writing proofs in his letters. The prolific Euler learnt of many of Fermat’s assertions through his correspondence with Goldbach and it became a life-long passion for him to prove Fermat’s many assertions. For instance, Euler proved the first assertion on the sum of two squares by reducing it into two steps. The first step is descent which asserts in this case that if p is a prime number which divides a number of the form x2 + y2 with gcd(x, y) = 1, then p is itself a sum of two squares. The second is the reciprocity step to show that a prime number of the form p 1 (mod 4) does divide a number of the form x2 + y2 with gcd(x, y) = 1. Using the ≡ same method, Euler also proved the other two above mentioned assertions of Fermat. He spent a number of years in proving the reciprocity steps. Indeed, the reason we have called it the ‘reciprocity’ step is because, in modern terminology, the two reciprocity statements:

A prime p divides x2 + y2 for some (x, y) = 1 if and only if p 1 mod 4, • ≡ A prime p divides x2 + 2y2 for some (x, y) = 1 if and only if p 1 or 3 mod 8, • ≡ are equivalent, respectively, to the assertions

1 (p 1)/2 2 (p2 1)/8 − = ( 1) − , = ( 1) − . p − p − ² ³ ² ³ After discovering several similar such results, for example, that

7 = 1 if and only if p 1, 3, 9 (mod 28), p ≡ ± ± ± ² ³ Euler finally made the following conjecture around 1749:

q Euler’s conjecture. Let p, q denote distinct odd primes; then p = 1 if and only if p α2 (mod 4q) for some odd integer α. ° ± ≡ ±

It is easy to see that this conjecture is equivalent to the usual formulation of the

Law of Quadratic Reciprocity. Let p, q denote distinct odd primes; then

p q (p 1)(q 1)/4 = ( 1) − − . q · p − ² ³ ² ³

4 §IV. Second movement: Gauss, circa 1795

The second ‘independent birth’ (as one might say) of the reciprocity law occurred in Gauss’s work in March 1795; he was not yet 18 then! In April 1796 Gauss found the first complete proof of the quadratic reciprocity law (later he wrote, “For a whole year this theorem tormented me and absorbed my greatest efforts . . . ”). Apparently, he became aware of Euler’s and Legendre’s work only later. Following his first proof, Gauss found a number of other proofs. The second proof involves the deep genus theory of binary quadratic forms which he himself pioneered. One reason he gave many proofs may be that he considered it a very fundamental result — he called it the theorema aureum (the golden theorem). Several people have given proofs subsequently, and a somewhat tongue- in-cheek title of a paper by Gerstenhaber suggests his proof to be the 152nd! However, many of these proofs are similar to others. In this article I single out three proofs which use different ideas and which I enjoyed learning about. They are all very pretty and do not seem to be well-known; none of them appears in any textbook.

We resisted the temptation to include the elegant geometric proof given by Gauss’s phenomenal but tragically short lived student G Eisenstein, as it appears in one form in the famous book by Hardy & Wright. (Eisenstein was very pleased with his own proof and wrote, “How lucky good Euler would have considered himself, had he possessed these lines about seventy years ago.”) It must be remarked that not all the beautiful features of Eisenstein’s proof seem to have been well-understood as pointed out in their engaging article in MATHEMATICAL INTELLIGENCER by Professors Laubenbacher and Pengelley.

Remark. There have been vast generalizations of quadratic reciprocity; we have cubic reciprocity (Gauss & Eisenstein), quartic reciprocity (Gauss), general p-adic reciprocity (Eisenstein), Artin’s general abelian reciprocity law, the Hilbert-Takagi class field theory, and its nonabelian generalizations (in the ‘Langlands program’).

Notation. Throughout, p, q denote distinct odd primes; x, y denote integers; m denotes an arbitrary modulus, not necessarily prime; Z/mZ denotes the set 0, 1, 2, . . . , m 1 , { − } which forms a ring under addition and multiplication modulo m; (Z/pZ)∗ denotes the set of non-zero elements in Z/pZ, i.e., the set 1, 2, . . . , p 1 . Note that Z/pZ forms { − } a field under addition and multiplication modulo p, and (Z/pZ)∗ forms a group under multiplication modulo p.

Euler’s criterion. Before proceeding with the proofs, we recall an important criterion used to check quadratic reciprocity. First note that the congruence

(p 1)/2 2 x − 1 (mod p) ≡ ¡ 5 (p 1)/2 2 implies that x − = 1 for any x Z/pZ. But if x = y , then ± ∈ (p 1)/2 p 1 x − = y − 1 (mod p), ≡ (p 1)/2 so the quadratic residues are all roots of the polynomial t − 1. Since this polynomial − cannot have more than 1 (p 1) roots in the field Z/pZ, we conclude that its roots are 2 − exactly the quadratic residues. This yields the criterion due to Euler:

x (p 1)/2 x − (mod p). p ≡ ² ³

§V. First proof — counting cosets

We begin with a computational group theoretic proof suggested by G Rousseau.

Recall the Chinese Remainder Theorem (CRT) which gives a ring isomorphism of Z/pqZ with Z/pZ Z/qZ, where p, q are distinct odd primes, the map being c (a, b) × 7→ such that c a (mod p) and c b (mod q). So, in particular, the groups of units (i.e., ≡ ≡ the invertible elements) on both sides must be isomorphic. It is easy to see that the units in a direct product of rings are the elements that have units in each of the coordinates. Thus, we have a group isomorphism of (Z/pqZ)∗ with (Z/pZ)∗ (Z/qZ)∗. Now, the subgroup × (of order 2) generated by 1 in (Z/pqZ)∗ gives a subgroup of (Z/pZ)∗ (Z/qZ)∗ under − × the above identification. The products of the coset representatives of this subgroup under the two representations account for the same element of the quotient group. Comparing the expressions for the product, we get the reciprocity law. The details are as follows.

We consider the group G = (Z/pZ)∗ (Z/qZ)∗ and its subgroup H of order 2 × specified by H = (1, 1), ( 1, 1) . { − − } Let S be the set (i, j) : 1 i p 1, 1 j 1 (q 1) . For any element of G { ≤ ≤ − ≤ ≤ 2 − } with j > 1 (q 1), we have the congruence ( i, j) (p i, q j) (mod H). We also 2 − − − ≡ − − have #S = 1 (p 1)(q 1) = #G/H. It follows that elements of S are distinct coset 2 − − representatives of H in G.

Let θ be the isomorphism mentioned above, (Z/pZ)∗ (Z/qZ)∗ ∼= (Z/pqZ)∗; then θ 1× maps H to 1, 1 . We claim that T = k : 1 k 2 (pq 1), gcd(k, pq) = 1 is a { − } { ≤ ≤ −1 } set of coset representatives in (Z/pqZ)∗ for θ(H). For, if k > (pq 1), we can find its 2 − coset representative using the CRT as

(k (mod p), k (mod q)) ((pq k) (mod p), (pq k) (mod q) θ(H). ≡ − − 1 ¡ The representatives are distinct, because k k k k− θ(H) = 1 k = k . 1 ∼ 2 ⇔ 1 2 ∈ ± ⇔ 1 ± 2 But k = k , as both are less than 1 (pq 1). Therefore, k = k . This proves the claim. 1 6 − 2 2 − 1 2

6 Now, we calculate the products of the coset representatives S and T . For the group G = (Z/pZ)∗ (Z/qZ)∗, we have: ×

(q 1)/2 q 1 p 1 gH = s = (p 1)! − , − ! − H. (1) − 2 gH G/H s S ² ² ³ ³ Y∈ Y∈ For the group (Z/pqZ)∗, we have, working modulo p:

gθ(H) = t gθ(H) θ(G)/θ(H) t T ∈Y Y∈ p 1 p 1 p 1 q 3 (p 1)/2 q 1 − − − − i=1 i i=1 (p + i) i=1 ( −2 )p + i) i=1 ( −2 )p + i) ··· p 1 ≡ q 2q − q Q ¡ Q ¡ ×Q × · · · × 2 ¡ Q ¡ (q 1)/2 p 1 (q 1)/2 (p 1)! − ( −2 )! (p 1)! − (q 1)/2 q − · − (p 1)! − (mod p). (p 1)/2 p 1 q ≡ q − ( − )! ≡ ≡ − · p · 2 p ² ³ ° ± In the same way, we get:

(p 1)/2 p t (q 1)! − (mod q). ≡ − · q t T ² ³ Y∈

Therefore, by the CRT, t T t maps to ∈ Q (q 1)/2 q (p 1)/2 p (p 1)! − , (q 1)! − H G/H. (2) − · p − · q ∈ ² ² ³ ² ³³ Now, using the following relation:

2 q 1 (q 1)/2 (q 1)! − ! ( 1) − (mod q), − ≡ 2 × − ²² ³ ³ we get:

p 1 q 1 − (p 1)/2 (p 1)(q 1)/4 − ! (q 1)! − ( 1) − − (mod q). (3) 2 ≡ − · − ²² ³ ³ Since expressions (1) and (2) represent the same element in G/H, comparing them and using (3) we get p q (p 1)(q 1)/4 = ( 1) − − , q · p − ² ³ ² ³ which is nothing but the Law of Quadratic Reciprocity!

7 Worked example. Let us work through the case p = 3, q = 5. We know that 3 is not a square in Z/5Z, nor is 5 a square in Z/3Z. So, 3 = 1, 5 = 1, and 3 5 = 1. 5 − 3 − 5 · 3 Let us now check this against the above computations. Using the same symbols, we have: ¡ ¡ ¡ ¡

G = (Z/3Z)∗ (Z/5Z)∗ ,S = (1, 1), (1, 2), (2, 1), (2, 2) ,T = 1, 2, 4, 7 , × { } { } s = (4, 4) = 22, 2!2 H, s S Y∈ ¡ 5 3 t 4 (mod 3), t 24 (mod 5). ≡ 3 ≡ 5 t T ² ³ t T ² ³ Y∈ Y∈ Now, 24 = 4! 2!2( 1)2 (mod 5), that is, 24 4 (mod 5). Therefore, ≡ − ≡

3 5 (2 4)/4 = ( 1) × = 1. 5 · 3 − ² ³ ² ³

§VI. Second proof — using linear algebra

We now examine a proof due to F Keune which uses linear algebra and the following well known theorem (first proved by Evaristé Galois himself!) dealing with the nature of the multiplicative group of a finite field:

Theorem (Galois). The multiplicative group formed by the non-zero elements of any finite field is cyclic.

Let p be any prime number, and let r be any positive integer; then the theorem implies that the multiplicative group of non-zero elements of the field Fpr is cyclic, i.e., it has an element of order pr 1. (In the particular case of the field Z/pZ, this simply amounts to − stating that a primitive root modulo p exists; but this is a known result in number theory.) The proof of the theorem may be found in any text on algebra.

We now give Keune’s proof. As earlier, p and q denote distinct odd primes. If n is the order of p in Fq∗, there exists an element ρ of order q in Fp∗n . We now work with the q q (i 1)(j 1) × matrix A Mq (Fpn ) with elements aij = ρ − − . The details are as follows. ∈ Let n be the order of p modulo q; then pn 1 (mod q), and so q (pn 1). This ≡ | − implies that q #Fp∗n . As the group Fp∗n is cyclic, there exists an element ρ Fp∗n such | ∈ that ρ has order q.

(i 1)(j 1) Consider the q q matrix A Mq(Fpn ) with entries aij = ρ − − . Let B = 2 × q ∈ q (i+j 2)(k 1) ((bij)) = A . Then bij = k=1 aikakj = k=1 ρ − − . Now, if q (i + j 2) then q q (k| 1) − b = 1 = q, and for other pairs i, j we have b = ρ(i+j 2) − . ij k=1 P P ij k=1 − P P 8 Using the fact that the order of ρ equals q, we get q 0 .... 0 0 .... 0 q   .... 0 q 0 q 1 q − 2   2 2 B = A = ... 0 q 0 . , det B = (det A) = q ( 1) .   − .. 0 q 0 ..   . 0 q 0 ...   0 q 0 ... 0  q q   × It follows that

q 1 q 1 q − − det A Fp q ( 1) 2 is a square mod p q( 1) 2 is a square mod p ∈ ⇔ − ⇔ − q 1 q( 1) −2 ( − ) = 1. (4) ⇔ p Next, det A = d = (sgn σ)a a a 1,σ(1) 2,σ(2) ··· q,σ(q) σ Sq X∈ dp = (sgn σ)ap ap ap (characteristic p field!) ∴ 1,σ(1) 2,σ(2) ··· q,σ(q) σ Sq X∈ q p(i 1)(σ(i) 1) = (sgn σ)ρ i=1 − − . (5) P σ Sq X∈

Consider the permutation map θ : Z/qZ Z/qZ defined by θ(x) = px x Zq. → ∀ ∈ Since the order of p in Zq∗ is n, it follows that θ is a product of disjoint cycles of the form n 1 (i, pi, , p − i). If the number of such cycles is t, then tn = q 1. Therefore, ··· − q 1 n 1 t t(n 1) q 1 t ( 1) − t sgn (θ) = (( 1) − ) = ( 1) − = ( 1) − − = − = ( 1) . − − − ( 1)t − − Next,

p p p p d = (sgn σ)a 1 a 1 a 1 1σθ− (1) 2σθ− (2) ··· qσθ− (q) σ Sq X∈ = (sgn αθ)ap ap ap 1α(1) 2α(2) ··· qα(q) α Sq X∈ = (sgn θ) d (as ‘sgn’ is a multiplicative homomorphism). (6) Therefore,

p (q 1)/n d = d sgn θ = 1 ( 1) − = 1 ⇔ ⇔ − q 1 q 1 p − is even − 0 (mod n) = 1. (7) ⇔ n ⇔ 2 ≡ ⇔ q ² ³

9 From equations (4) and (7) we get:

(q 1)/2 p q ( 1) − = · − q p ² ³ ² ³ (q 1)/2 p q ( 1) − q (p 1)(q 1)/4 = − = ( 1) − − , (8) ⇒ q p · p p · − ² ³ ² ³ ² ³ ² ³ by Euler’s criterion. This is just the quadratic reciprocity law!

Worked example. Let us consider the same case as above, p = 3, q = 5. We use the same notation as in the proof above.

The order of 3 in F5∗ is 4, so n = 4. Therefore, there exists an element ρ of order q = 5 in F3∗4 . Note that F34 can be realized as

F3[x] F3(α) (1 + x + x2 + x3 + x4) ≡ where α satisfies the relation α4 = (1 + α + α2 + α3). One possible value of ρ can be α. − Now we construct the matrices A and B as above. We find that det B = (det A)2 = 55. Next, 5 5 det A F3 5 is a square 5 is a square in F3 = 1. ∈ ⇔ ⇔ ⇔ 3 ² ³ 5 But 5 is not a square in F3. Therefore, = 1. 3 −

As above, we consider the permutation ¡ map θ : Z5 Z5 given by θ(x) = 3x x → 3 ∀ ∈ Z5. In cycle form, θ = (1, 3, 4, 2) and sgn (θ) = 1. Also, d = d. − − But d3 = d 3 = 1; therefore, 3 = 1. Hence, 3 5 = 1. ⇔ 5 5 − 5 · 3 ¡ ¡ ¡ ¡ §VII. Third proof — computing norms from a field extension

Next, we present a proof due to R. Swan which is more sophisticated than the previous two proofs. The proof is based on calculations of NORMS of certain field extensions and rests on finding a certain ‘natural’ element in a cyclotomic field whose norm is the quadratic symbol of p (mod q). In fact, the norm of this element turns out to be expressible in terms of sine values, and the very same expression appears in another proof of the quadratic reciprocity law (as given in J-P Serre’s A COURSEIN ARITHMETIC). Before going into the details, we first recall the basic notions of field extension and norm.

Let us start with a familiar example — that of GAUSSIANINTEGERS, first introduced by Carl F Gauss in 1829–1831 while studying generalizations of quadratic reciprocity law.

10 Q(i) = x + yi : x, y Q (dimension = 2), { ∈ } Q(21/2) = x + y 21/2 : x, y Q (dimension = 2), ∈ Q(21/3) = ¨x + y 21/3 + z 22/3 : ©x, y, z Q (dimension = 3). ∈ ¨ © Table 1: Some examples of finite field extensions

A Gaussian integer is a complex number a + bi where a, b Z. The Gaussian integers ∈ are members of the imaginary quadratic field Q(i) and form a ring denoted by Z[i]. The norm of a Gaussian integer a + bi is simply (a + ib)(a ib) = a2 + b2, i.e., the square of − its magnitude. So, it is an indication of the ‘size’ of the element, as the norm is the square of the distance of the element from the origin in the complex plane. A similar result holds true for arbitrary quadratic extensions Q(√d) where d is a squarefree integer. The field Q(√d) can be realized as the quotient

Q[x] , (x2 d) − where (x2 d) denotes the ideal generated by the monic polynomial x2 d in the ring − − Q[x]. (The ideal generated by a polynomial g(x) Q[x] is the set of all multiples of g(x), ∈ i.e, all elements of the form f(x) g(x) where f(x) Q[x].) The elements of this field · ∈ can also be represented by the remainders of polynomials in Q[x] when divided by x2 d. − For example, in Q(√2), x represents √2. The norm of an arbitrary element a + b√d is a + b√d a b√d = a2 db2. − − ° The concept± ° of norm± is very useful in algebraic number theory. Algebraic numbers are the roots of non-zero polynomials with integer coefficients. An algebraic integer is an algebraic number which is a root of a polynomial with integer coefficients and with leading coefficient 1. An algebraic number field is obtained by taking any algebraic number α Q and forming all the numbers that can be produced from α and the rational 6∈ numbers using addition, subtraction, multiplication and division by non-zero numbers; the field is denoted by Q(α), and it is called a finite dimensional field extension of Q, its dimension being the degree of the polynomial with integer coefficients and least degree of which α is a root. Examples are given in Table 1.

If K is an algebraic number field, we denote by RK the subring containing all the algebraic integers of K. One abuses notation to say that a ‘unit of RK ’ is a ‘unit element of K’. The norm of an algebraic integer α is now defined to be the product of all the roots of its monic minimal polynomial p(x). (Considering the examples mentioned above, this is a natural definition.) The absolute value of the norm is also equal to the number of RK elements in the finite quotient ring (α) .

11 The above discussion can be generalized for any extension L/K of number fields, as we now show. Let K be a field of characteristic zero; that is,

1 + 1 + 1 + + 1 = 0 ··· 6 n times for all n N. Let E be a finite extension| {z of K. Let} σi 1 i r be the distinct embeddings ∈ { } ≤ ≤ (that is, injective homomorphisms) of E in Ka (the algebraic closure of K) over K (that is, the restriction of the above injective map is the identity map on K). For any α E, ∈ we define the norm of α in K by

k E NK (α) = σi(α); i=1 Y E then N (α) K∗. The norm function is a multiplicative map, and if K E F, K ∈ ⊂ ⊂ then one has the transitivity property NF = NE NF , where embeddings of E over K K ◦ E K are extended to maps from Ka to Ka (which is possible since all extensions under E consideration are algebraic) and then NK is considered. Also, if E = K(α), and the n n 1 least degree polynomial over K of which α is a root is x + an 1x − + + a0, then − ··· NE (α) = ( 1)na . K − 0 The following is true: An element α R is a unit if and only if NK(α) = 1. ∈ K Q ± For, let α be a unit; then there exists β R such that αβ = 1. Then, 1 = NK(1) = ∈ K Q NK(αβ) = NK(α) NK(β) Z. But, as the only units of Z are 1, we get NK(α) = 1. Q Q Q ∈ ± Q ± Next, suppose for some α R , we have NK(α) = 1. We know that there exists ∈ K Q ± β K∗ such that αβ = 1. Now α satisfies a monic integer polynomial of the form n ∈ n 1 x + an 1x − + + a0, where ai Z, 0 i n 1. Also, a0 = 1. Therefore, β − ··· n ∈ n ≤1 ≤ − ± satisfies the monic polynomial x + a x − + + 1. So, β R . Therefore, α is a ± 1 ··· ∈ K unit in RK. Thus this characterization of units is proved.

Swan’s song. With these preliminaries covered, we now give Swan’s proof. Let p be an th a odd prime and let ςp be a primitive p root of unity in Q . The minimal polynomial of ςp over Q is the cyclotomic polynomial

p 1 − r 2 p 1 Φ (x) = x ς = 1 + x + x + + x − . p − p ··· r=1 Y ¡ r The p 1 embeddings of Q(ςp) over Q are those which send ςp to ςp as r varies from 1 to − p 1. So the norm NQ(ςp)(1 ς ) = Φ (1) = p. − Q − p p 1 Now consider the field Kp = R Q(ςp) = Q(ςp + ςp− ). Let πp be defined as follows: ∩ Q(ςp) 1 πp = N (1 ςp) = (1 ςp) 1 ς− . Kp − − − p ¡ 12 Kp Kp Q(ςp) Note that πp is a real number, and N (πp) = N N (1 ςp) = p by virtue of Q Q ◦ Kp − transitivity of the norm.

Let q be another odd prime. We similarly consider the field Kq and the element πq. Finally, we look at the field L = KpKq and the element

1 1 1 1 η = π π = ς + ς− ς ς− = ς− (1 ς ς ) 1 ς− ς . p − q q q − p − p q − p q − p q This element is going to be our candidate for a unit whose norm is equal to¡ the quadratic symbol of p (mod q); we claim that η is a unit in RL.

To prove this, we need to show only that η is a unit in RQ(ςpq) where we have written th ςpq for ςpςq; this is a primitive pq root of unity. We have:

Q(ςpq) Q(ςpq) 1 Q(ςpq) Q(ςpq) 1 N (η) = N ς− N (1 ς ς ) N 1 ς− ς . Q Q q Q − p q Q − p q

Q(ςpq) 1 r 1 ¡ r i 1 ¡ th Now, NQ ςq− = i=1 σi ςq− = i=1 ςq = 1 (since ςq− is also a primitive q root of unity). Next, ¡ Q ¡ Q pq 1 i − 1 ς pq Q(ςpq) i=1 − pq NQ (1 ςpςq) = q 1 p 1 = = 1. − − 1 ςi − 1 ςi p q i=1 Q− q i=1 ¡ − p ×

Q(ςpq) Q1 ¡ Q ¡Q(ςpq) Similarly, we get NQ 1 ςp− ςq = 1. It follows that NQ (η) = 1, and so η is a − 1 unit in Q(ςpq). Since η R (the set of real numbers), it follows that η− RQ(ςpq) R ∈ ¡ ∈ ∩ and hence to RL. Therefore, η is a unit in RL.

L p We now claim that NQ(η) = q . ° ± For, η πp (mod πq), and any embedding of L over Q must take πp to πp times a ≡ r unit in RL. This is because any conjugate of ζp is ζp for some 1 r p 1, and the r ≤ ≤ − element 1 ζp is 1 ζp times a unit in Q(ζp). In other words, both πp and πq are moved − − by an embedding of L to themselves times units in RL. Hence, we have

NL(η) = (σ(π ) σ(π )) NL(π ) (mod π )R . Q p − q ≡ Q p q L σ Y L L But then N (η) N (πp) πqRL Z. Q − Q ∈ ∩ Kq Now, as q = NQ (πq) πqRKq πqRL, and as qZ is a maximal ideal, it follows ∈ L ⊂ L that qZ = πqRL Z. Hence, N (η) N (πp) qZ. ∩ Q − Q ∈ L Kp L Kp (q 1)/2 (q 1)/2 On the other hand, N (π ) = N N (π ) = N (π ) − = p − , because Q p Q ◦ Kp p Q p [L : K ] = 1 (q 1). p 2 − L (q 1)/2 p p So N (η) p − (mod q). As the left side is 1, and so is ( ), they Q ≡ ≡ q ± q must be equal, and the claim follows.° ±

13 Interchanging p and q, we get ( 1)[L:Q]NL(η) = q . Therefore, − Q p ° ± (p 1)(q 1)/4 p q ( 1) − − = . − q p ² ³ ² ³ This is the reciprocity law for odd p and q. A modification will prove it for p = 2 also.

2πir/p Remarks. It is interesting to note that η can be rewritten as follows. Writing ςp = e for some 1 r p 1, we get ≤ ≤ − πr π = 4 sin2 . p p ² ³ Thus, the norm πs πt NL(η) = 4[L:Q] sin2 sin2 . Q p − q s,t Y ² ³ This is exactly the expression in the trigonometric proof given in Serre’s book. So this in some sense provides a conceptual way of viewing the trigonometric proof, which is otherwise quite mysterious and scarcely believable.

Acknowledgements. I would like to thank Professor B. Sury, under whose supervision I did this work during the summer break of 2006. I would also like to thank also Dr. Shailesh Shirali for reading through earlier versions and making key suggestions to make the exposition readable.

References

Hardy, G. H., Wright, E. M., Introduction to the Theory of Numbers, Oxford Uni- • versity Press. Keune F., Quadratic reciprocity and finite fields, Nieuw Archief voor Wiskunde • (4), 9 (1991), 263-266, Lang S., Algebra, Springer Verlag, 2002. Laubenbacher R. C., Pengelley D. J., Eisenstein’s misunderstood geometric proof of • the quadratic reciprocity theorem, College Mathematics Journal 25 (1994), 29-34. Laubenbacher R. C., Pengelley D. J., Gauss, Eisenstein, and the third proof of the • quadratic reciprocity theorem, Ein kleines Schauspiel, Mathematical Intelligencer 16, No. 2 (1994) 67-72. Serre J-P., A Course in Arithmetic, Springer Verlag, 1973. • Sury B., Group Theory – Selected Problems, Universities Press, 2004. • Swan R. G., Another proof of the quadratic reciprocity law?, American Mathemat- • ical Monthly 97 (1990), 138-139.

14 Box II. The Miller-Rabin primality test This is in wide usage especially for the RSA cryptosystem. Let n be an odd prime; write n 1 = r 2s with r odd. For (a, n) = 1, we have s 1 − · a2 − r 1 mod n. Thus, a satisfies at least one of the following conditions : ≡ ± ar 1 mod n; • ≡ i a2 r 1 for some 0 i < s. • ≡ − ≤ A composite n which satisfies this last-mentioned property is called a strong pseudo- prime to the base a. One also calls such a base a strong liar for n. When n is not a strong pseudoprime to some base a (that is, if each of the s + 1 congruences fails), then evidently n is composite, and a is known as a strong witness to the composite- ness of n. For example, the Carmichael number 561 has 2 as a strong witness. This is so because 560 = 16 35 and 235 263, 22 35 166, and 24 35 67 mod 561. Also × ≡ × ≡ × ≡ 28 35 1 mod 561. × ≡ The Miller-Rabin test starts by picking a random a < n 1 and checking whether ar − (mod n) is 1. If it is, then n “passes the test” and we conclude that n is a “probable ± prime”; we then move to the next a. If it is not 1, we keep squaring (upto s 1 ± − times) and checking until we reach 1. If it does, then again n passes the test and − is a probable prime; we move to the next a. If 1 is never reached, then n must be − composite. It turns out that at the most 1 of the numbers 1, 2,..., n 1 can be strong liars 4 − for a composite n. Thus, after d iterations, the probability that the Miller-Rabin test concludes primality of a composite is at the most 1 ; this is the probability of a n 4d wrong conclusion. It may be shown that the Miller-Rabin test is deterministic if we assume the Generalized Riemann hypothesis or GRH. A consequence of GRH is that for any prime p 3, the least quadratic nonresidue is ≥ strictly less than 2(log p)2. So if the Miller-Rabin test is performed for all a less than 2(log n)2, then it finds a strong witness for n. This makes it a deterministic test.

15