
MA3A6 Algebraic Theory

David Loeffler

Term 2, 2014–15

Chapter 0

Lecture 1

0.1 What is this about?

This is a module about fields. An algebraic number field is a special kind of field, which contains the rational numbers Q, but is a little bit bigger. We’ll give a formal definition soon enough, but a good example to bear in mind is the Gaussian field

Q(i) = {a + bi : a, b ∈ Q}, which comes with its of Gaussian

Z[i] = {a + bi : a, b ∈ Z}.

Exercise. Why is the Gaussian field a field? (Most of the axioms are straightforward, but why is it closed under inverses?)

In Algebra 2 you saw that Z[i] was a unique factorisation domain, and you used this to show that any prime p = 1 mod 4 could be written as the sum of two squares,

$$p = x^2 + y^2.$$

So rings like Z[i] have some interesting structure; and they tell us new things about Z.

0.2 Logistics

• There will be 4 problem sheets, which will be distributed as we go along. These count for 15% of your grade. The deadlines will be
  – Sheet 1: distributed Thursday, week 2; deadline 3pm Monday, week 4.
  – Sheet 2: distributed Thursday, week 4; deadline 3pm Monday, week 6.
  – Sheet 3: distributed Thursday, week 6; deadline 3pm Monday, week 8.
  – Sheet 4: distributed Thursday, week 8; deadline 3pm Monday, week 10.
• Weekly office hour: Tuesdays 13.30–14.30, Zeeman B1.25.
• Support classes with Heline Deconinck: Fridays 11–12, MS.04, from week 2 onwards.
• Books: see list on Undergraduate Handbook page. The main reference is Stewart & Tall, which is also probably the friendliest of the books on the list; Swinnerton-Dyer’s book is harder going, but was the book which inspired me to become a number theorist.
• Most of you have done , and about half of you are doing .

Chapter 1

Algebraic number fields

1.1 Extensions of fields

Notation 1.1.1. Let K and L be fields. If K is a subfield of L, we say L is a field extension of K, and we write L | K.

For instance, C | Q is a field extension, as is C | R.

Definition 1.1.2. Let L | K be a field extension, and let α ∈ L. We say α is algebraic over K if there exists a nonzero g ∈ K[X] such that g(α) = 0.

Example 1.1.3. In the extension C | R, the element iπ is algebraic over R (it’s a root of $X^2 + \pi^2$). However, it is not algebraic over Q.

Proposition 1.1.4. Let α be algebraic over K. Then there is a unique polynomial f ∈ K[X] such that f(α) = 0 and f is irreducible and monic (its leading coefficient is 1). We call this the minimal polynomial of α over K.

Proof. Recall from Algebra 2 the concept of an ideal and a principal ideal domain. The set I ⊂ K[X] of g such that g(α) = 0 is an ideal of K[X]; the ring K[X] is a principal ideal domain, so every ideal of this ring is principal, i.e. consists of the multiples of some polynomial f (which we can assume is monic, by multiplying it by an element of $K^\times$ if necessary). To see that f is irreducible, we suppose that we can write f = gh. Then g(α)h(α) = 0; since L is a field, we must have either g(α) = 0 or h(α) = 0, and thus at least one of g and h is in I. So f divides one of g and h, WLOG g. Since g also divides f, we have deg(g) = deg(f) and hence h is constant. Thus f is irreducible.

Remark. For Commutative Algebra students: a slightly posher way of stating the last part is that I is the kernel of the homomorphism K[X] → L, g ↦ g(α). L is an integral domain (being a field); the kernel of a homomorphism to an integral domain is a prime ideal; and a generator of a principal prime ideal is a prime element, and hence must be irreducible.

Definition 1.1.5. Let L | K be an extension. We say L | K is algebraic if every α ∈ L is algebraic over K. We say L | K is finite if L has finite dimension as a K-vector space.

Example 1.1.6. The extension C | R is finite (of degree 2), since {1, i} is a basis of C over R. It is also algebraic, because every a + bi ∈ C satisfies the polynomial $(X - a)^2 + b^2 = X^2 - 2aX + (a^2 + b^2)$ ∈ R[X].

Notation 1.1.7. If L | K is finite, we define the degree [L : K] to be the dimension of L as a K-vector space.

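Example 1.1.8. Let α = i + √2 ∈ C. But α is also algebraic over Q: we have

$$\begin{aligned}
\alpha - \sqrt{2} = i &\Rightarrow \alpha^2 - 2\sqrt{2}\,\alpha + 2 = -1 \\
&\Rightarrow \alpha^2 + 3 = 2\sqrt{2}\,\alpha \\
&\Rightarrow (\alpha^2 + 3)^2 = 8\alpha^2 \\
&\Rightarrow \alpha^4 - 2\alpha^2 + 9 = 0.
\end{aligned}$$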

We’ll see later that $X^4 - 2X^2 + 9$ is irreducible in Q[X], so it is the minimal polynomial of α over Q.

Lecture 2

On the other hand, the minimal polynomial of α over R is $X^2 - 2\sqrt{2}X + 3$, by the previous example. This shows that the minimal polynomial of α over K really depends on which K we use!

Remark. I forgot to point out in the last lecture that in Proposition 1.1.4, the minimal polynomial f of α over K has the property that any polynomial g ∈ K[X] such that g(α) = 0 is necessarily a multiple of f. This is clear from the proof. We’ll use this fact a lot, so make sure it’s in your notes!

Proposition 1.1.9. Let L | K be a field extension. An element α ∈ L is algebraic over K if and only if there exists a finite extension of K inside L which contains α.

(In particular, any finite extension is algebraic, and any algebraic extension is a union of finite extensions. There are algebraic extensions which aren’t finite, as we’ll see later.)

Proof. Firstly, let’s prove the “if” part. It suffices to show that if L | K is a finite extension and α ∈ L, then α is algebraic. Suppose [L : K] = d < ∞. Then the powers $1, \alpha, \alpha^2, \dots, \alpha^d$ are d + 1 elements of a d-dimensional vector space over K, so they must be linearly dependent: that is, we can find elements $c_0, \dots, c_d$ of K, not all zero, such that

$$c_0 + c_1\alpha + \dots + c_d\alpha^d = 0.$$

Thus α satisfies the non-zero polynomial $g(X) = \sum c_i X^i$ ∈ K[X] of degree ≤ d. Thus α is algebraic over K.

The “only if” part is a little harder. Let f be the minimal polynomial of α over K, and d its degree. We will show that the K-subspace M of L spanned by the powers of α is d-dimensional over K, with basis $S = \{1, \dots, \alpha^{d-1}\}$, and is a subfield of L. Since S is a finite set, this shows that M is a finite field extension of K inside L which contains α.

Claim 1: M is a subring of L. By definition, M is exactly the elements of L which are of the form $a_0 + a_1\alpha + \dots + a_N\alpha^N$ for some $a_0, \dots, a_N$ ∈ K; that is, M is the image of the homomorphism K[X] → L given by mapping g to g(α). But the image of a ring homomorphism is always a subring (Algebra 2).

Claim 2: M is spanned by S. By the division algorithm for polynomials, for each g ∈ K[X] we can write g(X) = a(X) f(X) + b(X) where a, b ∈ K[X] and deg(b) ≤ d − 1. But this implies that

g(α) = a(α) f (α) + b(α) = b(α),

since f(α) = 0. As b has degree ≤ d − 1, b(α) is a K-linear combination of the elements of S.

Claim 3: M is closed under taking inverses of nonzero elements. This is the most difficult bit! There are many possible proofs, but here’s one. We know by this stage that M is finite-dimensional over K. Let x ∈ M be non-zero, and consider the map $m_x$ : M → M given by $m_x(y) = xy$. (This is called the “multiplication-by-x map”).

I claim that $m_x$ is injective. If not, there would be some nonzero y such that xy = 0; but this equality takes place inside L, which is a field, so either x = 0 or y = 0, which is a contradiction.

By the rank–nullity theorem, it follows that $m_x$ is surjective. In particular, 1 ∈ image($m_x$), which shows that 1/x ∈ M. This concludes the proof that M is a field.

As a by-product of the proof of the “only if” part, we get two interesting pieces of information.

Corollary 1.1.10. (i) An element α ∈ L is algebraic over K if and only if the powers of α span a finite-dimensional K-subspace of L.

(ii) If α is algebraic over K, then there is a unique smallest extension of K in L which contains α, namely the K-subspace spanned by the powers of α; and this has a K-basis $1, \alpha, \dots, \alpha^{d-1}$, where d is the degree of α over K.

Proof. The only thing we have left to check is that if α has degree d over K, the set $S = \{1, \dots, \alpha^{d-1}\}$ is linearly independent over K. Suppose S is linearly dependent. Then there are $c_0, \dots, c_{d-1}$ ∈ K, not all zero, such that $c_0 + c_1\alpha + \dots + c_{d-1}\alpha^{d-1} = 0$; in other words, g(α) = 0 where g is the polynomial $\sum c_i X^i$, whose degree is ≤ d − 1. But this implies g must be divisible by the minimal polynomial f of α over K, which is impossible, since f has degree d.

Example 1.1.11. It’s clear that √2 is algebraic over Q, and its minimal polynomial is $X^2 - 2$. Thus the smallest extension of Q containing √2 is the field

$$\{a + b\sqrt{2} : a, b \in \mathbf{Q}\}.$$

Fact 1.1.12. For any extension L | K and α ∈ L, there’s always a unique smallest extension of K inside L containing α (whether or not α is algebraic). We denote this smallest extension by K(α). So Proposition 1.1.9 shows that α is algebraic over K if and only if [K(α) : K] < ∞.

We’ll occasionally have to consider stacking field extensions on top of each other: if we have three fields K, L, M with K ⊆ L ⊆ M, then we have three field extensions, L | K, M | L, and M | K.

Proposition 1.1.13 (Tower law). The extension M | K is finite if and only if L | K and M | L are both finite, and in this case, we have [M : K] = [M : L][L : K].

Proof. Suppose [M : L] = r and [L : K] = s are finite. Then let $\ell_1, \dots, \ell_r$ be a K-basis of L and let $m_1, \dots, m_s$ be an L-basis of M. It’s easy to see that $\{\ell_i m_j : 1 \le i \le r, 1 \le j \le s\}$ is a K-basis of M, so [M : K] = rs and in particular M | K is a finite extension. Conversely, if [M : K] is finite, then L is a K-vector subspace of a finite-dimensional K-vector space, hence is itself finite-dimensional over K, so L | K is finite; and any set spanning M as a K-vector space certainly spans M as an L-vector space, so M | L is also finite.

Example 1.1.14. Consider the field Q(α), where α = √2 + i, as in Example 1.1.8. We know that [Q(α) : Q] ≤ 4, since we have written down a polynomial of degree 4 that α satisfies.

On the other hand, $\frac{\alpha^2 + 3}{2\alpha} = \sqrt{2}$, so Q(√2) is a subfield of Q(α). We know that Q(α) must be bigger than Q(√2) (since α isn’t in R), and thus both [Q(α) : Q(√2)] and [Q(√2) : Q] are ≥ 2. Hence

$$[\mathbf{Q}(\alpha) : \mathbf{Q}] = [\mathbf{Q}(\alpha) : \mathbf{Q}(\sqrt{2})]\,[\mathbf{Q}(\sqrt{2}) : \mathbf{Q}] \ge 4$$

by the tower law. So the degree is exactly 4.

Moreover, by Proposition 1.1.9, we know that {1, √2} is a basis of Q(√2) over Q, and {1, i} is a basis of Q(α) over Q(√2) (since i = α − √2 is in Q(α) but not in Q(√2)). So, by the proof of the tower law, we see that {1, √2, i, i√2} is a basis of Q(α) over Q.

1.2 Algebraic numbers and number fields

Lecture 3

Definition 1.2.1. An algebraic number is a complex number α ∈ C which is algebraic over Q: that is, there exists a non-zero polynomial g ∈ Q[X] such that g(α) = 0. We write A for the set of all algebraic numbers (so A ⊂ C).

Example 1.2.2. Any rational number α is algebraic (it’s a root of f(X) = X − α). The numbers i, √3, etc are algebraic; and we saw above that √2 + i was algebraic, although this took a bit of work to show.

Remark. We’ll see in the next section that A is a field, so in particular the sum of any two algebraic numbers is always algebraic; but we’ll need to develop a bit more theory first.

Definition 1.2.3. An algebraic number field, or just a number field, is a subfield of C which is finite as an extension of Q.

Exercise. Can you see why every subfield of C must automatically contain Q?

As a special case of Proposition 1.1.9, we see that α ∈ C is algebraic if and only if Q(α) is a number field. This gives us a massive supply of number fields: if we take any f ∈ Q[X], then we can find a root α of f in C (by the Fundamental Theorem of Algebra), and then Q(α) will be a number field.

Example 1.2.4 (Quadratic fields). Let d be a non-square in Q. Then there are exactly two square roots of d in C; choose one of them and call it √d (it doesn’t matter which we choose). Then the field

$$\mathbf{Q}(\sqrt{d}) = \{a + b\sqrt{d} : a, b \in \mathbf{Q}\}$$

is a number field, of degree 2 over Q.

These are called quadratic fields and they’re some of the simplest number fields; we’ll use them as one of our main sources of examples.

Of course there is some redundancy here: the fields Q(√2), Q(√8) and Q(√18) are the same. Let’s say an integer d is square-free if it is not divisible by $m^2$ for any integer m > 1. (Thus 1 is squarefree, but 0 is not.)

Proposition 1.2.5. Any number field K such that [K : Q] = 2 is equal to Q(√d) for a unique square-free integer d ≠ 1.

Proof. Let K be a number field of degree 2, and let α ∈ K be such that α ∉ Q. Then {1, α} must be a basis of K, so we have $\alpha^2 = x\alpha + y$ for some x, y ∈ Q. Replacing α with α − x/2, which doesn’t change the field generated by α, we can assume that $\alpha^2 = y$; so K is the field Q(√y) for some rational number y.

Let us factorize y into prime powers, $y = \pm p_1^{n_1} \cdots p_r^{n_r}$ (where some of the $n_r$ may be negative). Replacing α with $p_1^{-n_1/2}\alpha$ if $n_1$ is even, and with $p_1^{(1-n_1)/2}$ if $n_1$ is odd, and similarly for the other factors, we may arrange that y is a square-free integer d. If we end up with d = 1 then this is a contradiction, since this forces α to be ±1, contradicting the assumption that α ∉ Q.

We still need to check that the fields $\mathbf{Q}(\sqrt{d_1})$ and $\mathbf{Q}(\sqrt{d_2})$ are different if $d_1$ and $d_2$ are distinct squarefree integers. This is left as an exercise (see coursework #1).

1.3 Extensions of number fields

We defined number fields as finite extensions of Q, and this gave us a bunch of new and interesting fields. We might expect to get even more new fields by taking finite extensions of number fields; but we don’t get anything new if we do this.

Proposition 1.3.1. Let K be a number field, and let α ∈ C. Suppose α is algebraic over K. Then K(α) is a number field, and in particular α ∈ A.

Proof. Applying Proposition 1.1.9, we see that K(α) is a finite extension of K; but K is also finite as an extension of Q. The tower law now shows that K(α) | Q is a finite extension. Thus K(α) is a number field.

Notation 1.3.2. Let L | K be a field extension. For a finite set $S = \{a_1, a_2, \dots, a_n\}$ ⊂ L, we denote by $K(S) = K(a_1, a_2, \dots, a_n)$ the smallest extension of K inside L that contains S.

Example 1.3.3. The field Q(√2, i) is the smallest extension of Q inside C that contains i and √2. The field Q(α) from Example 1.1.14 contains i and √2, so Q(α) ⊇ Q(i, √2); on the other hand, any field containing i and √2 must contain α = √2 + i, so Q(α) = Q(i, √2).

Corollary 1.3.4. If S is any finite set of algebraic numbers, then Q(S) is a number field.

Proof. We will show, by induction on n, that if S is any set of algebraic numbers with #S = n, then Q(S) is a number field. For n = 0 this is trivial (Q is a number field). So let us assume it is true for n − 1. Write $S = \{a_1, \dots, a_n\}$. We have $\mathbf{Q}(S) = \mathbf{Q}(a_1, \dots, a_n) = K(a_n)$, where K is the field $\mathbf{Q}(a_1, \dots, a_{n-1})$. By the induction hypothesis, K is a number field. Since $a_n$ is algebraic over Q it is certainly algebraic over K, so, by the previous proposition, $K(a_n) = \mathbf{Q}(S)$ is a number field. So the induction hypothesis holds for n and we are done.

We can now show that all the hard work we had to do in Example 1.1.8, to prove that √2 + i was algebraic, has been washed away by the rising sea of theory!

Theorem 1.3.5. The set A of algebraic numbers is a field.

Proof. We need to show that A contains 0 and 1 (easy), and is closed under addition, multiplication, and inversion of non-zero elements. If α ∈ A is nonzero, then Q(α) is a number field and 1/α ∈ Q(α), so 1/α ∈ A.

(Exercise: If $f_\alpha(X) = \sum_{i=0}^{d} c_i X^i$ is the minimal polynomial of α over Q, write down explicitly a nonzero polynomial over Q satisfied by 1/α.)

Now let α, β ∈ A. By the previous corollary, Q(α, β) is a number field, so Q(α, β) ⊂ A. However, Q(α, β) obviously contains α + β and αβ so we are done.

Remark. Note that A is not itself a number field (why?)

Lecture 4

1.4 Interlude: Number fields and matrices

Recall from the proof of Proposition 1.1.9 that if K is a number field, and α ∈ K, then we can associate to α a linear operator $m_\alpha$ : K → K.

If we choose a basis of K as a Q-vector space, we can write $m_\alpha$ as a matrix.

Example 1.4.1. Let K = Q(√d) be a quadratic field. Then {1, √d} is a basis of K. If we take α = a + b√d, then we have

$$\begin{aligned}
m_\alpha(1) &= a + b\sqrt{d} \\
m_\alpha(\sqrt{d}) &= bd + a\sqrt{d}
\end{aligned}$$

so the matrix of $m_\alpha$ is $\begin{pmatrix} a & bd \\ b & a \end{pmatrix}$.

It turns out that lots of useful algebraic information about α is encapsulated in the operator $m_\alpha$.

Proposition 1.4.2. Let K be a number field.

(i) The map $\alpha \mapsto m_\alpha$ is an injective Q-linear map, and a ring homomorphism, from K to the ring of Q-linear operators on K.

(ii) If g is the characteristic polynomial of $m_\alpha$, then g(α) = 0.

Proof. Part (i) is obvious, so we give the proof of part (ii).

We know that $g(m_\alpha)$ is the zero matrix by the Cayley–Hamilton theorem. However, for any polynomial h ∈ Q[X], we have $h(m_\alpha) = m_{h(\alpha)}$ by part (i). So $m_{g(\alpha)}$ is the zero linear operator; but by injectivity this forces g(α) = 0.

Example 1.4.3. Let K = Q(θ) where θ is the unique real root of $f(X) = X^3 + X + 1$. Then $\{1, \theta, \theta^2\}$ is a basis of K over Q. Let’s let $\alpha = 1 + 3\theta^2$ and calculate the matrix of α. We have

$$\begin{aligned}
\alpha \cdot 1 &= 1 + 3\theta^2 \\
\alpha \cdot \theta &= \theta + 3\theta^3 = -3 - 2\theta \\
\alpha \cdot \theta^2 &= -3\theta - 2\theta^2
\end{aligned}$$

so the matrix of $m_\alpha$ in this basis is

$$\begin{pmatrix} 1 & -3 & 0 \\ 0 & -2 & -3 \\ 3 & 0 & -2 \end{pmatrix}.$$

Hence α satisfies the characteristic polynomial of this matrix, which is $X^3 + 3X^2 - 31$. We can also use this method to calculate $\frac{1}{\alpha}$: we have

$$m_{1/\alpha} = 1/m_\alpha = \frac{1}{31}\begin{pmatrix} 4 & -6 & 9 \\ -9 & -2 & 3 \\ 6 & -9 & -2 \end{pmatrix}$$

and the first column of this shows that $1/\alpha = m_{1/\alpha}(1) = \frac{1}{31}(4 - 9\theta + 6\theta^2)$.

Remark. Some textbooks refer to the characteristic polynomial of $m_\alpha$ as the field polynomial of α. Notice that unlike the minimal polynomial, it really depends on the field K, e.g. the field polynomials of √2 as an element of Q(√2) and as an element of Q(√2, i) aren’t the same.
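The calculation in Example 1.4.3 can be carried out mechanically with exact rational arithmetic. The Python code below is an added example, not part of the original notes; the function names are hypothetical, and it assumes K = Q(θ) with θ a root of a monic irreducible polynomial f (here the cubic from the example). It builds the matrix of multiplication by α, computes its characteristic polynomial by the Faddeev–LeVerrier recursion, and reads off 1/α from the first column of the inverse matrix.

```python
from fractions import Fraction

# Added example (not from the notes). K = Q(theta), f(theta) = 0 with f monic.
# An element c0 + c1*theta + ... is stored as the list [c0, c1, ...].
F = [1, 1, 0, 1]  # f(X) = 1 + X + X^3 from Example 1.4.3, lowest degree first


def reduce_mod_f(coeffs, f=F):
    """Rewrite a polynomial in theta in the basis 1, theta, ..., theta^(d-1)."""
    d = len(f) - 1
    c = [Fraction(x) for x in coeffs]
    for k in range(len(c) - 1, d - 1, -1):
        top = c[k]
        for j in range(d + 1):          # subtract top * X^(k-d) * f
            c[k - d + j] -= top * f[j]
    c = c[:d]
    return c + [Fraction(0)] * (d - len(c))


def multiply(a, b, f=F):
    """Product of two elements of K."""
    prod = [Fraction(0)] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            prod[i + j] += Fraction(x) * y
    return reduce_mod_f(prod, f)


def mult_matrix(alpha, f=F):
    """Matrix of m_alpha; column j holds the coordinates of alpha * theta^j."""
    d = len(f) - 1
    cols = [reduce_mod_f([0] * j + list(alpha), f) for j in range(d)]
    return [[cols[j][i] for j in range(d)] for i in range(d)]


def matmul(A, B):
    n = len(A)
    return [[sum(A[i][k] * B[k][j] for k in range(n)) for j in range(n)]
            for i in range(n)]


def char_poly(A):
    """Faddeev-LeVerrier recursion. Returns the coefficients of det(X*I - A),
    highest degree first, and the last auxiliary matrix M, for which
    A*M = -c0*I (c0 = constant coefficient) by Cayley-Hamilton."""
    n = len(A)
    coeffs = [Fraction(1)]
    M = [[Fraction(0)] * n for _ in range(n)]
    for k in range(1, n + 1):
        AM = matmul(A, M)
        M = [[AM[i][j] + (coeffs[-1] if i == j else 0) for j in range(n)]
             for i in range(n)]
        AM = matmul(A, M)
        coeffs.append(-sum(AM[i][i] for i in range(n)) / k)
    return coeffs, M


def trace_and_norm(alpha, f=F):
    """Trace and determinant of m_alpha, read off the characteristic polynomial."""
    coeffs, _ = char_poly(mult_matrix(alpha, f))
    d = len(f) - 1
    return -coeffs[1], (-1) ** d * coeffs[-1]


def inverse(alpha, f=F):
    """1/alpha = m_{1/alpha}(1): the first column of the inverse of m_alpha."""
    coeffs, M = char_poly(mult_matrix(alpha, f))
    if coeffs[-1] == 0:
        raise ZeroDivisionError("m_alpha is singular, so alpha is not invertible")
    return [-row[0] / coeffs[-1] for row in M]


if __name__ == "__main__":
    alpha = [1, 0, 3]                         # alpha = 1 + 3*theta^2
    print(mult_matrix(alpha))
    print(char_poly(mult_matrix(alpha))[0])   # coefficients of X^3 + 3X^2 - 31
    print(inverse(alpha), multiply(alpha, inverse(alpha)))
```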


Definition 1.5.1. An embedding of a number field K is a ring homomorphism ϕ : K → C.

Any such homomorphism is necessarily injective, and satisfies ϕ(x) = x for all x ∈ Q. Note that K is by definition a subfield of C, so there is a distinguished identity embedding (sending x to x for all x); but there might be more.

For instance, we can embed Q(√3) into C by sending a + b√3 ∈ K to a − b√3 ∈ C. If L | K is an extension of number fields, then any embedding of L restricts to an embedding of K; but different embeddings L → C can give the same embedding K → C.

Example 1.5.2. Let K be the field Q(√2). Let ϕ : K → C be the embedding a + b√2 ↦ a − b√2. Let L be the extension Q(i, √2) of K; as in Example 1.1.14, every element of L can be written uniquely as

$$a + b\sqrt{2} + ci + di\sqrt{2}$$

for some a, b, c, d ∈ Q.

There are two embeddings $\Phi_1, \Phi_2$ of L which restrict to ϕ, given by

$$\begin{aligned}
\Phi_1(a + b\sqrt{2} + ci + di\sqrt{2}) &= a - b\sqrt{2} + ci - di\sqrt{2}, \\
\Phi_2(a + b\sqrt{2} + ci + di\sqrt{2}) &= a - b\sqrt{2} - ci + di\sqrt{2}.
\end{aligned}$$

There’s a close link between embeddings of K, and roots of the minimal polynomials of elements of K. We’ll need a preliminary lemma:

Lemma 1.5.3 (Separability Lemma). Let K be a number field, let f ∈ K[X] be an irreducible polynomial of degree d ≥ 1, and let ϕ be an embedding of K. Let ϕ(f) ∈ C[X] be the polynomial obtained by applying ϕ to the coefficients of f. Then ϕ(f) has d distinct roots in C.

Proof. Replacing K with its image under ϕ, which is also a number field, we can assume that ϕ is the identity embedding. The Fundamental Theorem of Algebra tells us that any complex polynomial of degree d has d roots in C counted with multiplicity; so we need to show that f cannot have repeated roots. Let $f'$ be the derivative of f, which is also in K[X] and is non-zero. Let h ∈ K[X] be the GCD of f and $f'$. Then h has degree ≤ d − 1, but divides f, so h must be a constant. So f cannot have roots in common with $f'$. But any repeated root of f is a common root of f and $f'$.

Remark. We call this the Separability Lemma because it’s related to the concept of “separable extensions” in Galois theory (but we won’t need to know that here).

This now gives us a pretty good handle on embeddings:

Proposition 1.5.4. (i) Let L | K be an extension of number fields. For any embedding ϕ of K, there are exactly [L : K] distinct embeddings of L extending ϕ.

(ii) Any number field K has [K : Q] embeddings.

Proof. For (i), let us suppose first that L = K(α) for a single element α. Let f be the minimal polynomial of α over K. I claim that the extensions of ϕ to an embedding Φ of L biject with the roots of ϕ(f) in C.

By Proposition 1.1.9, we know that every ℓ ∈ L can be written uniquely in the form $\ell = k_0 + k_1\alpha + \dots + k_{d-1}\alpha^{d-1}$, for some $k_i$ ∈ K, where d = [L : K]. Thus, if Φ is an embedding of L extending ϕ, we must have $\Phi(\ell) = \sum \phi(k_i)\Phi(\alpha)^i$; thus Φ is uniquely determined by where it sends α. Moreover, we have

$$(\phi(f))(\Phi(\alpha)) = \Phi(f(\alpha)) = \Phi(0) = 0,$$

so Φ(α) must be a root of ϕ(f).

Lecture 5

It remains to show that, for every root ρ of ϕ(f), there is an embedding sending α to ρ. We define a map Φ by sending $\ell = \sum_{i=0}^{d-1} k_i\alpha^i$ to $\sum \phi(k_i)\rho^i$. This is obviously compatible with addition, but we need to show it is compatible with multiplication.

Let $\ell = \sum a_i\alpha^i$ and $m = \sum b_i\alpha^i$ be elements of L. We can write ℓ = r(α) and m = s(α) where $r = \sum a_i X^i$ and $s = \sum b_i X^i$ are polynomials in K[X] of degree ≤ d − 1. Then ℓm = t(α) where t is the remainder of rs divided by f. Under the map Φ, we have ℓ ↦ ϕ(r)(ρ) and m ↦ ϕ(s)(ρ). Hence we have

$$\Phi(\ell)\Phi(m) = \phi(r)(\rho)\,\phi(s)(\rho) = \phi(rs)(\rho),$$

but Φ(ℓm) = ϕ(t)(ρ). Since ϕ(t) differs from ϕ(rs) by a multiple of ϕ(f), and ϕ(f)(ρ) = 0, we have ϕ(rs)(ρ) = ϕ(t)(ρ) as required. This proves (i) when L = K(α).

Now let’s prove the general case. It’s clear that we can find a finite set $\alpha_1, \dots, \alpha_n$ such that $L = K(\alpha_1, \dots, \alpha_n)$ (for example, any basis of L as a K-vector space will do). Let $K_i = K(\alpha_1, \dots, \alpha_i)$. Then each embedding of K extends to $[K_1 : K]$ embeddings of $K_1$, and these extend to $[K_2 : K_1]$ embeddings of $K_2$, etc; so the number of embeddings of $K_n = L$ is

$$[L : K_{n-1}][K_{n-1} : K_{n-2}] \cdots [K_1 : K] = [L : K]$$

by the tower law. To prove (ii), we simply apply (i) to the extension K/Q.

Remark. Note that the image of an embedding of K doesn’t always land in K. For instance, there is an embedding of $K = \mathbf{Q}(\sqrt[3]{2})$ mapping $\sqrt[3]{2}$ to $\omega\sqrt[3]{2}$, where $\omega = e^{2\pi i/3}$; this isn’t in K, since K is contained in R (and ω isn’t).

From the proof of (i), we see that if α ∈ A, the embeddings of Q(α) biject with the roots in C of the minimal polynomial of α (over Q). These have a special name:

Definition 1.5.5. Let α be an algebraic number, and let $f_\alpha$ be its minimal polynomial. Then the roots of $f_\alpha$ in C are called the conjugates of α. If $\phi_1, \dots, \phi_d$ are the embeddings of Q(α) in C, then the conjugates of α are $\alpha_1 = \phi_1(\alpha), \dots, \alpha_d = \phi_d(\alpha)$.

Proposition 1.5.6. Let α ∈ A, and let $\alpha_1 = \alpha, \alpha_2, \dots, \alpha_d$ be the conjugates of α and f its minimal polynomial. Then

$$f(X) = \prod_{i=1}^{d}(X - \alpha_i).$$

Proof. We know that f is monic of degree d and the $\alpha_i$ are its roots, and the same is true of $\prod_{i=1}^{d}(X - \alpha_i)$, so the two polynomials must coincide.

Example 1.5.7. Let K = Q(√2 + √5), so [K : Q] = 4. The conjugates of √2 + √5 are ±√2 ± √5 and we calculate that

$$\begin{aligned}
&(X - \sqrt{2} - \sqrt{5})(X - \sqrt{2} + \sqrt{5})(X + \sqrt{2} - \sqrt{5})(X + \sqrt{2} + \sqrt{5}) \\
&\quad = ((X - \sqrt{2})^2 - 5)((X + \sqrt{2})^2 - 5) \\
&\quad = (X^2 - 2\sqrt{2}X - 3)(X^2 + 2\sqrt{2}X - 3) \\
&\quad = (X^2 - 3)^2 - (2\sqrt{2}X)^2 = X^4 - 14X^2 + 9,
\end{aligned}$$

which is the minimal polynomial of √2 + √5.

Remark. If K is a number field and α ∈ K, and $\phi_1, \dots, \phi_d$ are the embeddings of K, then

$$\prod_{i=1}^{d}(X - \alpha_i) = f_\alpha(X)^r$$

where r = [K : Q(α)]. This follows easily from Prop 1.5.4 and Prop 1.5.6.

1.6 Primitive elements

Corollary 1.3.4 gives us lots of examples of number fields, like Q(√2, i), which aren’t given to us in the form Q(α) for a single α. However, sometimes these fields are “secretly” of this form: for instance, we saw above that

$$\mathbf{Q}(\sqrt{2}, i) = \mathbf{Q}(\sqrt{2} + i).$$

This is an instance of a more general fact:

Theorem 1.6.1 (Primitive element theorem). For any number field K, we can find an element α ∈ K such that K = Q(α) (a “primitive element” for K over Q).

The proof is a little technical but the idea is fairly simple: if we let α be any “sufficiently random” element of K, then α will be a primitive element. We’ll need a lemma first.

Lemma 1.6.2. Let K be a number field, and let α ∈ K. If the only embedding ϕ of K such that ϕ(α) = α is the identity embedding, then α is a primitive element (i.e. K = Q(α)).

Proof. Suppose α is not a primitive element. Then Q(α) is a proper subfield of K, and thus e = [Q(α) : Q] is < d. By Proposition 1.5.4, the identity embedding of Q(α) extends to more than one embedding of K, and these all satisfy ϕ(α) = α.

Proof of Theorem 1.6.1. We can certainly find a finite set S such that K = Q(S) (any Q-basis of K will do). So, by induction on the size of S, it is sufficient to show that in any field extension of the form K = Q(α, β) there is a primitive element.

Let f(t), g(t) ∈ Q[t] be the minimal polynomials of α and β over Q, respectively. Let $\phi_1, \dots, \phi_r$ be the embeddings of Q(α), and $\psi_1, \dots, \psi_s$ the embeddings of Q(β), and write $\alpha_i = \phi_i(\alpha)$, $\beta_j = \psi_j(\beta)$. WLOG, $\alpha_1 = \alpha$ and $\beta_1 = \beta$. Choose c ∈ Q so that

$$\alpha + c\beta \ne \alpha_i + c\beta_j \text{ unless } i = j = 1. \tag{1.1}$$

This is possible since Q is infinite and each of the equations

$$\alpha + c\beta = \alpha_i + c\beta_j$$

has at most one solution for c. Now let θ = α + cβ; we will show that Q(α, β) = Q(θ). Let ϕ be an embedding of K, and suppose that ϕ(θ) = θ. We know that ϕ(α) must be one of the $\alpha_i$, and ϕ(β) must be one of the $\beta_j$. By the condition (1.1), this implies that ϕ(α) = α and ϕ(β) = β, so ϕ is the identity on Q(α, β). By the lemma, it follows that Q(α, β) = Q(θ).
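The choice of c in this proof can be checked numerically. The Python code below is an added example, not part of the original notes, and its function names are hypothetical. It assumes that α and β are algebraic integers given as floating-point lists of all their conjugates (α and β themselves first), that [Q(α, β) : Q] = rs so that every pair $(\alpha_i, \beta_j)$ comes from an embedding of Q(α, β), and that c is searched among small non-negative integers; under these assumptions the product over all pairs is the minimal polynomial of θ = α + cβ.

```python
import itertools

SQRT2 = 2 ** 0.5
SQRT5 = 5 ** 0.5


def condition_holds(alphas, betas, c, tol=1e-9):
    """Condition (1.1): alpha + c*beta != alpha_i + c*beta_j unless i = j = 1.
    alphas[0] and betas[0] are alpha and beta themselves."""
    theta = alphas[0] + c * betas[0]
    for i, j in itertools.product(range(len(alphas)), range(len(betas))):
        if (i, j) != (0, 0) and abs(theta - (alphas[i] + c * betas[j])) < tol:
            return False
    return True


def choose_c(alphas, betas, candidates=range(0, 10)):
    """First candidate c (assumed search range) that satisfies (1.1)."""
    for c in candidates:
        if condition_holds(alphas, betas, c):
            return c
    raise ValueError("no candidate c satisfies condition (1.1)")


def conjugate_product(alphas, betas, c):
    """Integer coefficients, highest degree first, of
    prod over all (i, j) of (X - (alpha_i + c*beta_j))."""
    coeffs = [complex(1)]
    for a, b in itertools.product(alphas, betas):
        r = a + c * b
        # multiply the running polynomial by (X - r)
        coeffs = [x - r * y for x, y in zip(coeffs + [0], [0] + coeffs)]
    rounded = [round(z.real) for z in coeffs]
    if any(abs(z - n) > 1e-6 for z, n in zip(coeffs, rounded)):
        raise ValueError("coefficients are not integers: the inputs are not "
                         "full sets of conjugates of algebraic integers")
    return rounded


def primitive_element(alphas, betas):
    """Return (c, polynomial) for theta = alpha + c*beta."""
    c = choose_c(alphas, betas)
    return c, conjugate_product(alphas, betas, c)


if __name__ == "__main__":
    # Q(sqrt2, sqrt5) as in Example 1.5.7, and Q(sqrt2, i) as in Example 1.1.8
    print(primitive_element([SQRT2, -SQRT2], [SQRT5, -SQRT5]))
    print(primitive_element([SQRT2, -SQRT2], [1j, -1j]))
```

In both sample fields c = 0 is rejected, because θ = α is fixed by the embeddings that move only β, and c = 1 is accepted.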

1.7 Trace and norm

Lecture 6

The last purely field-theoretic topic we’ll cover is to do with ways of passing between elements of K and elements of Q. Recall that if K is a number field and α ∈ K, then multiplication by α defines a linear map $m_\alpha$ : K → K.

Definition 1.7.1. We define the trace of α by

$$\mathrm{Tr}_{K/\mathbf{Q}}(\alpha) = \mathrm{Tr}(m_\alpha) \in \mathbf{Q}$$

and the norm of α by

$$\mathrm{Nm}_{K/\mathbf{Q}}(\alpha) = \mathrm{Det}(m_\alpha) \in \mathbf{Q}.$$

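(We sometimes omit the subscripts if it’s clear what field K we are talking about.)

So in Example 1.4.1 we have $\mathrm{Tr}_{\mathbf{Q}(\sqrt{d})/\mathbf{Q}}(a + b\sqrt{d}) = 2a$ and $\mathrm{Nm}_{\mathbf{Q}(\sqrt{d})/\mathbf{Q}}(a + b\sqrt{d}) = a^2 - db^2$. In Example 1.4.3 we have $\mathrm{Tr}_{K/\mathbf{Q}}(\alpha) = -3$, and

$$\mathrm{Nm}_{K/\mathbf{Q}}(\alpha) = \begin{vmatrix} 1 & -3 & 0 \\ 0 & -2 & -3 \\ 3 & 0 & -2 \end{vmatrix} = 31.$$

Proposition 1.7.2. The trace is additive, and the norm is multiplicative; for any α, β in K we have

$$\begin{aligned}
\mathrm{Tr}_{K/\mathbf{Q}}(\alpha + \beta) &= \mathrm{Tr}_{K/\mathbf{Q}}(\alpha) + \mathrm{Tr}_{K/\mathbf{Q}}(\beta), \\
\mathrm{Nm}_{K/\mathbf{Q}}(\alpha\beta) &= \mathrm{Nm}_{K/\mathbf{Q}}(\alpha)\,\mathrm{Nm}_{K/\mathbf{Q}}(\beta).
\end{aligned}$$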

Proof. This follows immediately from the equalities of linear operators

$$\begin{aligned}
m_{\alpha+\beta} &= m_\alpha + m_\beta, \\
m_{\alpha\beta} &= m_\alpha m_\beta,
\end{aligned}$$

which are just the associativity of addition and multiplication.

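Theorem 1.7.3. Let $\phi_1, \dots, \phi_d$ be the embeddings K → C, and let α ∈ K. Then the characteristic polynomial of $m_\alpha$ is given by

$$\prod_{i=1}^{d}(X - \phi_i(\alpha)),$$

so in particular we have

$$\begin{aligned}
\mathrm{Tr}_{K/\mathbf{Q}}(\alpha) &= \sum_{i=1}^{d} \phi_i(\alpha), \\
\mathrm{Nm}_{K/\mathbf{Q}}(\alpha) &= \prod_{i=1}^{d} \phi_i(\alpha).
\end{aligned}$$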

Proof. We first prove the theorem assuming that K = Q(α). Consider the linear map $m_\alpha$, and let $g_\alpha$ be its characteristic polynomial. By vector-space theory, we have

$$g_\alpha(X) = X^d - \mathrm{Tr}_{K/\mathbf{Q}}(\alpha)X^{d-1} + \dots + (-1)^d\,\mathrm{Nm}_{K/\mathbf{Q}}(\alpha).$$

On the other hand, α must be a root of the characteristic polynomial $g_\alpha$ of $m_\alpha$, by the Cayley–Hamilton theorem. Since $g_\alpha$ is of degree d and is monic, we must have

$$g_\alpha(X) = f_\alpha(X) = \prod_i (X - \alpha_i).$$

We can then compare coefficients to conclude.

This deals with “almost all” α. To clinch the result in general, choose a primitive element β of the extension K | Q. The result above shows that the matrix of $m_\beta$ (with respect to any choice of Q-basis of K) is diagonalizable over C, with distinct eigenvalues; so there exists an invertible matrix T over C such that

$$m_\beta = T D_\beta T^{-1},$$

where $D_\beta$ is the diagonal matrix with entries $\beta_1 = \phi_1(\beta), \dots, \beta_d = \phi_d(\beta)$. Now an arbitrary element α of K can be written in the form $\sum_i c_i\beta^i$, and exploiting associativity and distributivity again, we get

$$\begin{aligned}
M_\alpha &= \sum_{i=0}^{d-1} c_i M_\beta^i \\
&= \sum_{i=0}^{d-1} c_i (T D_\beta T^{-1})^i \\
&= T\Big(\sum_{i=0}^{d-1} c_i D_\beta^i\Big)T^{-1}.
\end{aligned}$$

But since the $\phi_i$ are ring homomorphisms, the matrix $\sum_{i=0}^{d-1} c_i D_\beta^i$ is diagonal with its j-th diagonal entry being $\sum_{i=0}^{d-1} c_i \phi_j(\beta)^i = \phi_j\big(\sum_{i=0}^{d-1} c_i\beta^i\big) = \phi_j(\alpha)$. The result once again follows by taking trace and determinant.

Chapter 2

Algebraic integers

2.1 Motivation and definitions

We now understand the purely field-theoretic structure of number fields pretty thoroughly. But there’s a limit to the interesting things you can say about a field. For instance, Q is a pretty boring ring: there are no nontrivial ideals (only the zero ideal), and every nonzero element divides every other element, so there is no interesting theory of factorisation, etc. On the other hand, the ring Z of integers is a much richer object – we can factor integers into primes, for instance, and this is a genuinely subtle and interesting process. The aim of this chapter is to show that inside the field A of algebraic numbers, there’s a of “nice” elements R, with R sitting inside A in the same nice way that Z sits inside Q. Here are some natural things we might ask for:

• R should be a subring of A (the sum and product of algebraic integers should be an integer).

• We know what it means for a rational number to be integral, so it should be true that R ∩ Q = Z.

• If α ∈ R, then all the conjugates of α should be in R.

Proposition 2.1.1. Suppose that a subring R ⊂ A exists with these properties. Then for any α ∈ R, the minimal polynomial $f_\alpha(X)$ has integer coefficients.

Proof. Let $\alpha = \alpha_1, \dots, \alpha_d$ be the conjugates of α. Then we have

$$f_\alpha(X) = \prod_{i=1}^{d}(X - \alpha_i) \in R[X],$$

so the coefficients of $f_\alpha$ are in R. But they are also in Q, and we’re assuming that R ∩ Q = Z.

Warning: we haven’t yet proven that a ring R satisfying our wishlist actually exists, or that it is unique. But this gives us a strong hint what R should be!

Definition 2.1.2. We define the algebraic integers as the subset B ⊂ A given by

{α ∈ C : the minimal polynomial of α over Q lies in Z[X]} .

We’ll see shortly that B satisfies our wishlist above; and it’s clear that any other subset R satisfying our wishlist must be contained in B, so B is somehow the “best choice”. First, we give a slightly more useful criterion for identifying elements of B.

Proposition 2.1.3. Let α ∈ A be such that g(α) = 0 for some g ∈ Z[X]. Then α ∈ B.

Proof. Recall “Gauss’ Lemma” from Algebra 2, which states that if f, g ∈ Q[X] are monic polynomials with f | g, and g ∈ Z[X], then f ∈ Z[X] as well. We apply this with g as in the statement, and f equal to the minimal polynomial of α. We know that f must divide g, so by Gauss’ Lemma we have f ∈ Z[X].

Lecture 7

Example 2.1.4. Clearly √2 ∈ B, since its minimal polynomial is $X^2 - 2$. A more subtle example is $\frac{1+\sqrt{5}}{2}$ (the “golden ratio”). This has minimal polynomial $X^2 - X - 1 = 0$, so it’s in B, even though it might not look integral at first sight!

We’ll now give a version of Proposition 1.1.9 (and Corollary 1.1.10) for algebraic integers.

Proposition 2.1.5. Let α ∈ C. Then α ∈ B iff there is a subring of C containing α which is finitely-generated as an abelian group. Moreover, for any α ∈ C there is a unique smallest subring of C containing α, denoted by Z[α], which is generated as an abelian group by the powers of α; so α ∈ B iff Z[α] is finitely-generated as an abelian group.

Proof. Define Z[α] to be the subgroup of C generated by {1, α, ... } under addition. This is a subring, since it is the image of the ring Z[X] under the evaluation-at-α homomorphism. Moreover, any subring of C containing α must contain Z[α] so it’s the unique smallest such subring.

Now, suppose α ∈ B. Let the minimal polynomial of α be f ∈ Z[X]. Take any x ∈ Z[α]; then we have x = g(α) for some polynomial g ∈ Z[X]. By polynomial division, we can write g = a f + b for some polynomials a, b with b of degree < deg(f); and since f is monic, we have a, b in Z[X]. Thus x = g(α) = b(α) is in the group generated by $1, \alpha, \dots, \alpha^{d-1}$. So Z[α] is finitely-generated as an abelian group, as required.

Conversely, suppose α lies in a subring R ⊆ C which is finitely-generated as an abelian group. Then R ⊇ Z[α], so Z[α] is itself finitely-generated. Hence there must be some N such that $\{1, \alpha, \dots, \alpha^{N-1}\}$ is a generating set. So $\alpha^N$ is a Z-linear combination of $\{1, \dots, \alpha^{N-1}\}$, which shows that α is a root of a monic polynomial (of degree N) with coefficients in Z. Hence α ∈ B by Proposition 2.1.3.

Remark. Whenever you see two theorems with virtually identical proofs, you should be thinking “Can I formulate a single theorem of which both of these are special cases?”. It is indeed possible to formulate a theorem of which Proposition 1.1.9 and Proposition 2.1.5 are special cases, but you need to use the notion of a module over a ring – this is a concept which you’ll meet if you’re doing Commutative Algebra.

Proposition 2.1.6. The set B satisfies our wishlist above.

Proof. It is clear that B ∩ Q = Z, since the minimal polynomial of α ∈ Q is X − α, which is in Z[X] iff α ∈ Z. Moreover, if α ∈ B then the conjugates of α are in B, since they have the same minimal polynomial as α. So let’s show that B is a ring.

Let α, β ∈ B. I claim that the abelian group generated by the expressions {$\alpha^i \beta^j$ : i, j ≥ 0} is finitely-generated. If α has degree r and β has degree s, then one sees by induction on max(i, j) that any term $\alpha^i \beta^j$ can be written as a linear combination of $\alpha^p \beta^q$ with 0 ≤ p < r, 0 ≤ q < s, and there are finitely many of these, which proves the claim. But this group is a ring (it’s the image of Z[X, Y] under the map f(X, Y) ↦ f(α, β)) and it contains α and β, so it contains αβ and α ± β. Thus αβ and α ± β are contained in a subring that’s a finitely-generated abelian group; so they’re both in B by the previous proposition.

We also have another property of B, which shows that B is “big enough” in some sense.

Proposition 2.1.7. Let α ∈ A. Then there is an integer n ≥ 1 such that nα ∈ B.

Proof. Suppose the minimal polynomial of α is $f_\alpha(X) = \sum_i c_i X^i$, with $c_d = 1$ and $c_i \in \mathbb{Q}$. Let $d_i \ge 1$ be the denominator of $c_i$ (as a fraction in lowest terms); and let n be the lowest common multiple of the $d_i$. Then

$$n^d f_\alpha(X/n) = X^d + n c_{d-1} X^{d-1} + n^2 c_{d-2} X^{d-2} + \cdots + n^d c_0 \in \mathbb{Z}[X]$$

is a monic polynomial satisfied by nα, so nα ∈ B.

Remark. This certainly implies that any element of A can be written as α/β with α, β ∈ B; so A is the field of fractions of B, in the sense of Commutative Algebra.

2.2 Rings of integers and integral bases

Definition 2.2.1. If K is a number field, the ring of integers of K, denoted OK, is the ring K ∩ B.

Proposition 2.2.2 (Integers of quadratic fields). Let d ≠ 1 be a square-free integer and K = Q(√d). I claim that

$$O_K = \begin{cases} \mathbb{Z}[\sqrt{d}] & \text{if } d \ne 1 \bmod 4, \\ \mathbb{Z}\left[\frac{1+\sqrt{d}}{2}\right] & \text{if } d = 1 \bmod 4. \end{cases}$$

Proof. It is clear that Z[√d] ⊆ OK (for any value of d). Conversely, if α = a + b√d ∈ OK, then either b = 0, in which case α ∈ OK ∩ Q = Z; or the minimal polynomial of α is $X^2 - 2aX + (a^2 - db^2)$, so 2a ∈ Z and $4db^2$ ∈ Z. Since d is square-free, the last condition implies that 2b is also in Z.

Hence α differs by an element of Z[√d] from one of the elements $\{0, \frac{1}{2}, \frac{\sqrt{d}}{2}, \frac{1+\sqrt{d}}{2}\}$. Clearly $\frac{1}{2}$ is not in OK, and nor is $\frac{\sqrt{d}}{2}$. The minimal polynomial of $\frac{1+\sqrt{d}}{2}$ is $X^2 - X + \frac{1-d}{4}$, so it is integral if and only if d = 1 mod 4.

Lecture 8

Definition 2.2.3. An integral basis of a number field K is a set of elements b1, ..., bn ∈ OK which are a Z-basis for OK; that is, a set such that every x ∈ OK can be written uniquely in the form n1b1 + ··· + ndbd with ni ∈ Z.

So {1, √d} is an integral basis of Q(√d) if d ≠ 1 mod 4, and $\{1, \frac{1+\sqrt{d}}{2}\}$ is an integral basis if d = 1 mod 4. Note that we haven’t shown, yet, that every number field actually has an integral basis! We’ll prove this in the next section.

Notice that any integral basis of K must in particular be a basis of K as a Q-vector space (use Proposition 2.1.7 to see that it spans).

Remark. Not every basis of K consisting of algebraic integers is an integral basis – for instance, if K = Q(√5), then {1, √5} is a basis of K contained in OK, but not an integral basis of K.

2.3 The trace pairing and the

In chapter 1 we thought a lot about number fields K | Q as vector spaces over Q. There is some more Q-linear structure on K, which comes from a special Q- on K, namely

$$(\alpha, \beta) \mapsto \mathrm{Tr}_{K/\mathbb{Q}}(\alpha\beta).$$

We call this pairing the trace pairing. It’s a symmetric bilinear form.

Proposition 2.3.1. This pairing is perfect: if α is an element of K, and $\mathrm{Tr}_{K/\mathbb{Q}}(\alpha\beta) = 0$ for all β ∈ K, then α = 0.

Proof. If α ≠ 0, then $\alpha^{-1}$ ∈ K and $\mathrm{Tr}_{K/\mathbb{Q}}(\alpha\alpha^{-1}) = [K : \mathbb{Q}]$ is non-zero.

We’ll use the trace pairing to study bases of K, and in particular determine which bases are integral bases. Let b1, ... , bd be a basis of K. The matrix of the trace pairing with respect to B is the d × d matrix TB given by

$$(T_B)_{ij} = \mathrm{Tr}(b_i b_j).$$

The determinant of the trace-pairing matrix is rather important, and it has a special name:

Definition 2.3.2. The discriminant of K relative to the basis B, denoted by ∆K(B) or ∆K(b1, ... , bd), is the determinant of the matrix TB.

(Notations vary: Stewart–Tall write ∆[b1,..., bd].)

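Remark. One can define ∆K(b1, ..., bd) for any d elements of K as the determinant of the matrix with (i, j)-entry Tr(bibj), whether or not b1, ..., bd is a basis. In fact ∆K(b1, ..., bd) is non-zero if and only if b1, ..., bd is a basis – can you see how to prove this?

Example 2.3.3. Let K = Q(√d) for d ≠ 1 squarefree. Then B = {1, √d} is a basis of K and we have

$$T_B = \begin{pmatrix} \mathrm{Tr}(1) & \mathrm{Tr}(\sqrt{d}) \\ \mathrm{Tr}(\sqrt{d}) & \mathrm{Tr}(d) \end{pmatrix} = \begin{pmatrix} 2 & 0 \\ 0 & 2d \end{pmatrix}$$

so ∆K(B) = 4d.

If we use instead $B = \{1, \frac{1+\sqrt{d}}{2}\}$, then we have $\mathrm{Tr}\left(\frac{1+\sqrt{d}}{2}\right) = 1$ and $\mathrm{Tr}\left(\left(\frac{1+\sqrt{d}}{2}\right)^2\right) = \mathrm{Tr}\left(\frac{1+d+2\sqrt{d}}{4}\right) = \frac{1+d}{2}$, so

$$T_B = \begin{pmatrix} 2 & 1 \\ 1 & \frac{1+d}{2} \end{pmatrix}$$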

so ∆K(B) = d.

Proposition 2.3.4. Let B and C be bases of K, and let S be the change-of-basis matrix (so S = (Sij), where $c_i = \sum_j S_{ji} b_j$). Then

$$\Delta_K(C) = \mathrm{Det}(S)^2 \, \Delta_K(B).$$

Proof. By Algebra 1, the matrix of the trace pairing with respect to the basis C is given by $T_C = S^t T_B S$ where $S^t$ is the transpose of S. Hence $\mathrm{Det}\, T_C = \mathrm{Det}(S^t)\,\mathrm{Det}(T_B)\,\mathrm{Det}(S) = \mathrm{Det}(S)^2\,\mathrm{Det}(T_B)$.

Proposition 2.3.5. If the bi are in OK, then ∆(b1,..., bd) ∈ Z.

Proof. This is clear since bibj is an algebraic integer, so $\mathrm{Tr}_{K/\mathbb{Q}}(b_i b_j)$ is in Z. Thus TB is a matrix of integers, so its determinant is an integer.

Fact 2.3.6. In fact one can show that if the bi are in OK then ∆(b1, ... , bd) is always congruent to 0 or 1 modulo 4. See Swinnerton-Dyer’s book for the proof.

Theorem 2.3.7. Let B = {b1, ... , bd} be a basis of K contained in OK, and such that |∆K(B)| is as small as possible among bases of K contained in OK. Then B is an integral basis of K. In particular, every number field admits integral bases.

Proof. For the first part, it suffices to prove the following: if B = {b1, ..., bd} is any basis of K contained in OK, and there exists an element α ∈ OK that is not in the Z-span of B, then we can find a new basis B′ ⊂ OK such that |∆K(B′)| < |∆K(B)|.

Let H be the abelian group generated by the bi, and let G be the larger abelian group generated by the bi and α. Note that both G and H are subgroups of OK, and by assumption G is strictly bigger than H. It is clear that G is finitely-generated, and G has no nonzero elements of finite order (because it’s a subgroup of C). By the classification of finitely-generated abelian groups, we must have $G \cong \mathbb{Z}^r$ for some r. We must have r ≥ d, because G contains H which is itself isomorphic to $\mathbb{Z}^d$; on the other hand, we must have r ≤ d, since any d + 1 elements of G are linearly dependent over Q and hence linearly dependent over Z. Thus $G \cong \mathbb{Z}^d$, so we can pick a set of elements C = {c1, ..., cd} which are a basis of G as an abelian group, and the ci are also a basis for K as a Q-vector space.

If we let S be the matrix whose columns are the coefficients of the bi in the basis ci, then we have Det(S) = [G : H] > 1 (by the Smith normal form theorem from Algebra 1). Hence $\Delta_K(B) = \mathrm{Det}(S)^2 \, \Delta_K(C)$, and so |∆K(C)| < |∆K(B)|, as required.

Now, we show existence. Any number field has some basis B as a Q-vector space, and by Proposition 2.1.7 we may scale B so it is contained in OK. Hence the set

{|∆K(B)| : B ⊂ OK basis of K}

is a non-empty set of positive integers and hence has a smallest element. By the first part, this implies that K has integral bases.

Lecture 9

Corollary 2.3.8. Let B ⊂ OK be a basis of K. If ∆K(B) is a square-free integer, then B is an integral basis.

Proof. Let C be an integral basis of K and let S be the change-of-basis matrix. Then we have $\Delta_K(B) = \mathrm{Det}(S)^2 \, \Delta_K(C)$, but ∆K(B) is squarefree, so we must have Det(S) = ±1. Thus ∆K(B) = ∆K(C), so B is itself an integral basis.

Example 2.3.9. Let Q(θ) be the cubic field from Example 1.4.3, where $\theta^3 + \theta + 1 = 0$. We compute that

$$\mathrm{Tr}(1) = 3, \quad \mathrm{Tr}(\theta) = 0, \quad \mathrm{Tr}(\theta^2) = -2, \quad \mathrm{Tr}(\theta^3) = \mathrm{Tr}(-1 - \theta) = -3, \quad \mathrm{Tr}(\theta^4) = \mathrm{Tr}(-\theta - \theta^2) = 2.$$

Hence the discriminant of K in the basis $\{1, \theta, \theta^2\}$ is given by

$$\begin{vmatrix} 3 & 0 & -2 \\ 0 & -2 & -3 \\ -2 & -3 & 2 \end{vmatrix} = -31.$$

Since −31 is squarefree, it follows that OK = Z[θ]. Note that Corollary 2.3.8 is not an “if and only if” criterion!

Example 2.3.10. Recall that if K = Q(i), then we know that {1, i} is an integral basis. However, ∆K(1, i) = −4, which is certainly not square-free.

Definition 2.3.11. We define the discriminant of K, denoted ∆K, to be the discriminant ∆K(B), where B is an integral basis.

Notice that any two integral bases have the same discriminant, because if B and C are integral bases, the basis-change matrix S in Proposition 2.3.4 has determinant ±1, so $\Delta_K(C) = \mathrm{Det}(S)^2 \, \Delta_K(B) = \Delta_K(B)$. Thus ∆K is well-defined. By Theorem 2.3.7, |∆K| is the smallest value of |∆K(B)| as B varies over bases of K contained in OK.

2.4 Interlude: formulae for

There are lots of rather pretty formulae for discriminants. The first one is elegant, but not particularly useful in practice:

Proposition 2.4.1. Let ϕ1,..., ϕd be the embeddings of K into C. Then

$$\Delta_K(B) = \mathrm{Det}(T'_B)^2$$

where $T'_B$ is the matrix with (i, j) entry ϕi(bj).

Proof. We know that $\mathrm{Tr}(b_i b_j) = \sum_k \varphi_k(b_i)\varphi_k(b_j)$; but this is exactly the (i, j) entry of the matrix $(T'_B)^t \, T'_B$. Thus we have

$$\mathrm{Det}\, T_B = \mathrm{Det}\left((T'_B)^t \, T'_B\right) = \mathrm{Det}(T'_B)^2.$$

Remark. The problem with using this in practice is that the entries of the matrix TB are in Q, but the entries of $T'_B$ aren’t even in K (they’re in the subfield of C generated by all the images ϕi(K), which is a number field, but typically has much bigger degree than K does). It works quite well on a computer, though.

The bases that come up most often tend to be ones of the form {1, α, ..., $\alpha^{d-1}$} for some primitive element α ∈ K (“power bases”), so we have some special formulae for these.

Proposition 2.4.2. Suppose B = (1, α, ..., $\alpha^{d-1}$) for some α ∈ K. Then

$$\Delta_K(B) = \prod_{i<j} \left(\varphi_i(\alpha) - \varphi_j(\alpha)\right)^2.$$

Proof. It’s a general fact that for any complex numbers x1, ..., xn, the determinant of the n × n matrix

$$\begin{pmatrix} 1 & x_1 & x_1^2 & \cdots & x_1^{n-1} \\ \vdots & & & & \vdots \\ 1 & x_n & x_n^2 & \cdots & x_n^{n-1} \end{pmatrix}$$

(a ) is equal to ∏i

Again, this formula suffers from the fact that the ϕi(α) aren’t in Q or even in K, so doing arithmetic with them is a bit fiddly. But our last, and weirdest, formula doesn’t have this problem:

Proposition 2.4.3. Suppose K = Q(α), and let B = (1, α, ..., $\alpha^{d-1}$) again. Then

$$\Delta_K(B) = (-1)^{d(d-1)/2} \, \mathrm{Nm}_{K/\mathbb{Q}}\left(f'(\alpha)\right)$$

where f is the minimal polynomial of α.

Proof. Let’s define $g(X) = \frac{1}{X-\alpha} f(X)$, which is in K[X]. Then we see easily that $g(\alpha) = f'(\alpha)$. Let ϕ1, ..., ϕd be the embeddings of K, and write αi = ϕi(α). For each i, we have

$$\varphi_i(g)(X) = \frac{f(X)}{X - \alpha_i} = \prod_{j \ne i} (X - \alpha_j) \in \mathbb{C}[X],$$

so that

$$\varphi_i(g(\alpha)) = (\varphi_i(g))(\alpha_i) = \prod_{j \ne i} (\alpha_i - \alpha_j).$$

Multiplying all these together we have

$$\prod_{i=1}^{d} \varphi_i(g(\alpha)) = \prod_{i=1}^{d} \Big( \prod_{j \ne i} (\alpha_i - \alpha_j) \Big) = \prod_{i<j} (\alpha_j - \alpha_i)(\alpha_i - \alpha_j)$$

$$\prod_{i=1}^{d} \varphi_i(g(\alpha)) = \mathrm{Nm}_{K/\mathbb{Q}}(g(\alpha))$$

by a formula from Chapter 1.

Example 2.4.4. Let’s do Example 2.3.9 again: K = Q(θ) where $\theta^3 + \theta + 1 = 0$, and $B = \{1, \theta, \theta^2\}$. We have $f'(X) = 3X^2 + 1$, so we just need to calculate $N_{K/\mathbb{Q}}(3\alpha^2 + 1)$. We did this already in Example 1.4.3 (what a handy coincidence!): it’s 31. So $\Delta_K(1, \theta, \theta^2) = -31$. (Notice that −31 = 1 mod 4.)

Exactly the same method works for any cubic field (i.e. any K with [K : Q] = 3). Here’s a handy special case.

Corollary 2.4.5. Let K be a cubic field, and let θ be a primitive element of K whose minimal polynomial over Q is of the form $f(X) = X^3 + bX + c$. Then

$$\Delta_K(1, \theta, \theta^2) = -27c^2 - 4b^3.$$

For the proof, just put together Examples 1.4.3 and 2.4.4. See Coursework # 2 for the general formula.

Lecture 10

2.5 An algorithm for finding OK

The proof of Theorem 2.3.7 can be extended to give an explicit recipe – an algorithm – for finding an integral basis.

Proposition 2.5.1. Suppose b1, ..., bd is a basis of K consisting of algebraic integers. If B is not an integral basis, then there exists a prime p such that $p^2 \mid \Delta_K(B)$, and integers λ1, ..., λd with 0 ≤ λi < p and not all λi zero, such that

$$u = \frac{1}{p} \sum_{i=1}^{d} \lambda_i b_i$$

is in OK.

Proof. Let H be the additive subgroup generated by the bi as before. Then Q = OK/H is a finite group, and $|Q|^2$ divides ∆K(B) by Proposition 2.3.4.

If Q is non-trivial, then there is some prime p dividing its order, so $p^2 \mid \Delta_K(B)$. Moreover, Q must have an element of order p, so we can find an algebraic integer u ∈ OK such that u ∉ H but g = pu ∈ H.

We can write $g = \sum \lambda_i b_i$ with λi ∈ Z, so $u = \frac{1}{p} \sum \lambda_i b_i$; and if we change the λi by multiples of p, then we don’t change the class of u in Q, so we can assume 0 ≤ λi < p. Since u isn’t the identity in Q, the λi aren’t all zero.

With this in hand, we can give the following algorithm:

1. Start with any Q-basis B = b1,..., bn of K consisting of algebraic integers.

2. Calculate ∆K(B).

3. List all primes p such that $p^2 \mid \Delta_K(B)$.

4. For each p in the list, and each number of the form

$$u = \frac{1}{p} \sum_{i=1}^{d} \lambda_i b_i$$

with λi ∈ {0, . . . , p − 1} not all zero, check whether u ∈ OK.

5. If you find a u that’s in OK, then compute a basis for the abelian group generated by B and u and go back to step 2 with B replaced by this new basis. (In fact the new basis will have discriminant $\frac{1}{p^2} \Delta_K(B)$, so we can skip straight to step 3.)

6. If no such u was found, then B is an integral basis by Prop 2.5.1, so we can stop.

Notice that it might well happen that the list in step 3 is empty – this is exactly the situation of Corollary 2.3.8 where there are no primes whose squares divide ∆K(B). Since |∆K(B)| decreases each time we go around from Step 5 back to Step 3, the algorithm will always finish after a finite number of steps.

Example 2.5.2. Let θ be a root of the polynomial $f(X) = X^3 + 11X + 4$. Note that f is irreducible in Z[X] (any root would have to divide 4 by comparing constant terms, and none of ±1, ±2, ±4 are roots) and hence irreducible in Q[X] by Gauss’ Lemma. So if we let K = Q(θ), then [K : Q] = 3, and $B = \{1, \theta, \theta^2\}$ is a Q-basis of K. Corollary 2.4.5 implies that

$$\Delta_K(B) = -1439 \cdot 2^2.$$

As 1439 is prime, the only prime we need to worry about is p = 2. So we need to check whether any of the following seven elements of K are algebraic integers:

$$\left\{ \frac{1}{2}, \frac{\theta}{2}, \frac{\theta^2}{2}, \frac{1+\theta}{2}, \frac{1+\theta^2}{2}, \frac{\theta+\theta^2}{2}, \frac{1+\theta+\theta^2}{2} \right\}.$$

We can rule out a lot of these already: clearly $\frac{1}{2} \notin O_K$; and $\frac{\theta}{2}$ isn’t in OK either as its norm would be $\mathrm{Nm}_{K/\mathbb{Q}}(\theta) / \mathrm{Nm}_{K/\mathbb{Q}}(2) = \frac{4}{8} = \frac{1}{2}$. Similarly, $\frac{1+\theta}{2}$ is ruled out because Tr(θ) = 0 and so $\mathrm{Tr}\left(\frac{1+\theta}{2}\right) = \frac{3}{2}$. That leaves us with four candidates u to test. For each of these, we can compute a cubic polynomial that kills it by taking the characteristic polynomial of its 3 × 3 matrix (in the basis B); and this must be the minimal polynomial (since otherwise u would have to be in Q).

Some later, we find that $u = \frac{1}{2}(\theta + \theta^2)$ gives us the matrix

$$\frac{1}{2} \begin{pmatrix} 0 & 0 & -4 \\ 1 & 0 & -11 \\ 0 & 1 & 0 \end{pmatrix} + \frac{1}{2} \begin{pmatrix} 0 & 0 & -4 \\ 1 & 0 & -11 \\ 0 & 1 & 0 \end{pmatrix}^2 = \begin{pmatrix} 0 & -2 & -2 \\ \frac{1}{2} & -\frac{11}{2} & -\frac{15}{2} \\ \frac{1}{2} & \frac{1}{2} & -\frac{11}{2} \end{pmatrix}.$$

The characteristic polynomial of this matrix is $X^3 + 11X^2 + 36X + 4$, so we conclude that $\frac{1}{2}(\theta + \theta^2)$ is in OK. The subgroup of K generated by B and $\frac{\theta+\theta^2}{2}$ has basis $\left\{1, \theta, \frac{\theta+\theta^2}{2}\right\}$, and it contains Z[θ] with index 2; so

$$\Delta_K\left(1, \theta, \frac{\theta+\theta^2}{2}\right) = -1439$$

which is squarefree, and thus $\left\{1, \theta, \frac{\theta+\theta^2}{2}\right\}$ is an integral basis.

Remark. It can be shown that for this field K there is no α ∈ OK such that OK = Z[α]; so there is no analogue of the primitive element theorem (Theorem 1.6.1) for OK in place of K.
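The recipe of Section 2.5, run on Example 2.5.2, as an added example in Python (not part of the original notes). It assumes K = Q(θ) with θ a root of a monic irreducible f ∈ Z[X] and starts from the power basis; the function names, the encoding of f as the list [c_0, ..., c_(d-1)] of its non-leading coefficients, and the particular way step 5 swaps one basis vector for u are choices made here.

```python
from fractions import Fraction
from itertools import product

def mul(a, b, f):
    """Product of a, b in Q(theta); elements are coefficient lists in the basis
    1, theta, ..., theta^(d-1); f = [c_0, ..., c_(d-1)] encodes X^d + ... + c_0."""
    d = len(f)
    out = [Fraction(0)] * (2 * d - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] += x * y
    for k in range(2 * d - 2, d - 1, -1):      # theta^d = -(c_0 + ... + c_(d-1) theta^(d-1))
        c, out[k] = out[k], Fraction(0)
        for i in range(d):
            out[k - d + i] -= c * f[i]
    return out[:d]

def mult_matrix(u, f):
    """Matrix of multiplication by u in the power basis (column j is u * theta^j)."""
    d = len(f)
    cols = [mul(u, [Fraction(int(i == j)) for i in range(d)], f) for j in range(d)]
    return [[cols[j][i] for j in range(d)] for i in range(d)]

def charpoly(M):
    """Coefficients [1, c_(n-1), ..., c_0] of det(X - M), by Faddeev-LeVerrier."""
    n = len(M)
    coeffs = [Fraction(1)]
    N = [[Fraction(int(i == j)) for j in range(n)] for i in range(n)]
    for k in range(1, n + 1):
        MN = [[sum(M[i][t] * N[t][j] for t in range(n)) for j in range(n)] for i in range(n)]
        c = -sum(MN[i][i] for i in range(n)) / k
        coeffs.append(c)
        N = [[MN[i][j] + (c if i == j else 0) for j in range(n)] for i in range(n)]
    return coeffs

def trace(u, f):
    M = mult_matrix(u, f)
    return sum(M[i][i] for i in range(len(f)))

def discriminant(basis, f):
    """Determinant of the trace-pairing matrix (Tr(b_i b_j)), Definition 2.3.2."""
    T = [[trace(mul(a, b, f), f) for b in basis] for a in basis]
    return (-1) ** len(T) * charpoly(T)[-1]    # det(T) from the constant term

def is_integral(u, f):
    """u is an algebraic integer iff its characteristic polynomial (a power of
    its minimal polynomial) has integer coefficients."""
    return all(c.denominator == 1 for c in charpoly(mult_matrix(u, f)))

def primes_with_square_dividing(n):
    n, p, found = abs(n), 2, []
    while p * p <= n:
        if n % (p * p) == 0:
            found.append(p)
        while n % p == 0:
            n //= p
        p += 1
    return found

def combo(coeffs, p, basis):
    """(1/p) * sum coeffs[i] * basis[i], as a coefficient list."""
    d = len(basis)
    return [sum(Fraction(c, p) * b[i] for c, b in zip(coeffs, basis)) for i in range(d)]

def integral_basis(f):
    d = len(f)
    basis = [[Fraction(int(i == j)) for i in range(d)] for j in range(d)]   # step 1
    while True:
        disc = int(discriminant(basis, f))                                  # step 2
        hit = None
        for p in primes_with_square_dividing(disc):                         # step 3
            for lam in product(range(p), repeat=d):                         # step 4
                if any(lam) and is_integral(combo(lam, p, basis), f):
                    hit = (p, lam)
                    break
            if hit:
                break
        if hit is None:
            return basis, disc                                              # step 6
        # Step 5.  Scale lam so its last non-zero entry is 1 mod p; the scaled u
        # generates the same subgroup modulo H, and b_k = p*u - (other terms),
        # so swapping b_k for u gives a Z-basis of the group generated by B and u.
        p, lam = hit
        k = max(i for i in range(d) if lam[i])
        m = pow(lam[k], -1, p)
        basis[k] = combo([(m * l) % p for l in lam], p, basis)

if __name__ == "__main__":
    print(integral_basis([4, 11, 0]))   # f = X^3 + 11X + 4 from Example 2.5.2
```

The same call with [1, 1, 0] (Example 2.3.9) or [-2, 0, 0] (Example 2.6.3) returns the power basis unchanged, since step 4 finds no integral candidate.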

2.6 Shortcuts for calculating integral bases

Recall the following result from Algebra 2:

Proposition 2.6.1 (Eisenstein’s Criterion). Let f(X) ∈ Z[X] be monic, and write

$$f(X) = X^d + a_{d-1} X^{d-1} + \cdots + a_0.$$

If there is a prime p such that $p \mid a_i$ for all 0 ≤ i ≤ d − 1, but $p^2 \nmid a_0$, then f is irreducible in Z[X] (and hence also irreducible in Q[X] by Gauss’ Lemma).

There is a shortcut for computing integral bases when this criterion applies:

Lemma 2.6.2. Suppose that f ∈ Z[X] satisfies Eisenstein’s criterion for the prime p, and d = deg(f) > 1. Let K = Q(θ) where θ is a root of f. Then

(i) $p \mid \Delta_K(1, \theta, \ldots, \theta^{d-1})$;

(ii) but no element of K of the form

$$\frac{1}{p} \sum_{i=0}^{d-1} \lambda_i \theta^i, \quad 0 \le \lambda_i < p \text{ not all zero}$$

is in OK.

Lecture 11

Remark. In fact more is true: we always have $p^{d-1} \mid \Delta_K(1, \theta, \ldots, \theta^{d-1})$, but this requires a bit more work to prove.

Proof. For (i) we use Proposition 2.4.3. By assumption, $f(X) \equiv X^d \pmod{p\mathbb{Z}[X]}$, so we have $f'(X) \equiv dX^{d-1} \pmod{p\mathbb{Z}[X]}$. This implies that the matrices of $f'(\theta)$ and of $d\theta^{d-1}$, relative to the basis $\{1, \theta, \ldots, \theta^{d-1}\}$ of K, have entries in Z and are congruent to each other modulo p. Hence their determinants are congruent modulo p; that is, $\mathrm{Nm}(f'(\theta)) = \mathrm{Nm}(d\theta^{d-1}) = d^d \, \mathrm{Nm}(\theta)^{d-1} \pmod{p}$. Since Nm(θ) is the constant term of f (up to sign), it is zero modulo p. This finishes the proof.

For (ii), let’s suppose we have some non-zero element

$$u = \frac{1}{p} \sum \lambda_i \theta^i \in O_K$$

with 0 ≤ λi < p. Let j be the smallest index such that λj ≠ 0. Then we can write this as

$$u = \frac{1}{p}\left(\lambda_j \theta^j + \theta^{j+1} \delta\right), \quad \delta \in \mathbb{Z}[\theta] \subseteq O_K.$$

Multiplying u by $\theta^{d-1-j}$ we still have an element of OK:

$$\theta^{d-1-j} u = \frac{\lambda_j \theta^{d-1}}{p} + \frac{\theta^d \delta}{p} \in O_K.$$

On the one hand, since f(t) satisfies Eisenstein’s criterion we have

$$\theta^d \in p\mathbb{Z}[\theta] \subseteq pO_K.$$

So we must have

$$\frac{\lambda_j \theta^{d-1}}{p} \in O_K.$$

We shall calculate the norm of this to get a contradiction:

$$\mathrm{Nm}\left(\frac{\lambda_j \theta^{d-1}}{p}\right) = \frac{\lambda_j^d \, \mathrm{Nm}(\theta)^{d-1}}{p^d}.$$

Since θ is a root of an Eisenstein polynomial, we have Nm(θ) = pr, where p ∤ r. Hence we have

$$\mathrm{Nm}\left(\frac{\lambda_j \theta^{d-1}}{p}\right) = \frac{\lambda_j^d \, p^{d-1} r^{d-1}}{p^d} = \frac{\lambda_j^d \, r^{d-1}}{p}.$$

However this cannot be an integer, since neither λj nor r is a multiple of p. This gives the contradiction.

Example 2.6.3. Let us determine an integral basis of the number field $\mathbb{Q}(\sqrt[3]{2})$. Let $\alpha = \sqrt[3]{2}$. The minimal polynomial of α over Q is $f(t) = t^3 - 2$, which is obviously Eisenstein for the prime p = 2. Corollary 2.4.5 implies that

$$\Delta_K(1, \alpha, \alpha^2) = -4 \cdot 3^3.$$

Thus the primes p we need to worry about are p = 2 and p = 3. But we can ignore p = 2, so we only need to worry about p = 3.

In fact we can be even cleverer than this: let β = α − 2, so clearly K = Q(β); and moreover Z[α] = Z[β], so $\Delta_K(1, \beta, \beta^2)$ is also equal to $-4 \cdot 3^3$. Now the minimal polynomial of β over Q is $g(t) = t^3 + 6t^2 + 12t + 6$, which is Eisenstein for p = 3 as well. Hence Lemma 2.6.2 implies that we can’t have 3 appearing in the denominators either, so OK = Z[α − 2] = Z[α].

2.7 Example: cyclotomic fields

In this section, we will use Proposition 2.6.2 to determine an integral basis of cyclotomic fields.

Definition 2.7.1. A cyclotomic field is a field of the form K = Q(ζ), where $\zeta = e^{2\pi i/m}$ is a primitive m-th root of unity for some m.

Remark. Much of algebraic number theory was first developed for this special class of fields in an attempt to attack Fermat’s last theorem. If OK had unique factorization for every cyclotomic field K (or even just for m prime) we could use this to prove Fermat’s last theorem without too much difficulty. Sadly, this fails for m = 23. There were several wrong “proofs” of Fermat’s theorem in the 19th century, based on assuming that cyclotomic integer rings had unique factorization; and some historians think that Fermat himself may have made a similar mistake.

We will specialize to the case where m = p is an odd prime. You saw in Algebra 2 that the minimal polynomial of ζ over Q is the cyclotomic polynomial

$$f(X) = X^{p-1} + \cdots + X + 1,$$

and the roots of this are exactly the powers $\zeta^j$ for $j \in (\mathbb{Z}/p\mathbb{Z})^\times$ (i.e. all the primitive p-th roots of unity). The reason that f is irreducible is that the polynomial $g(X) = f(X+1) = X^{p-1} + \binom{p}{1} X^{p-2} + \cdots + \binom{p}{p-1}$ is Eisenstein at p.

Lemma 2.7.2. We have Nm(ζ) = 1 and Nm(ζ − 1) = p.

Proof. Clear from the minimal polynomials.

Theorem 2.7.3. We have

$$\Delta_K(1, \zeta, \ldots, \zeta^{p-2}) = (-1)^{\frac{p-1}{2}} p^{p-2},$$

and $\{1, \zeta, \ldots, \zeta^{p-2}\}$ is an integral basis in K.

Proof. Let λ = ζ − 1. It is clear that $\{1, \zeta, \ldots, \zeta^{p-2}\}$ is an integral basis if and only if $\{1, \lambda, \ldots, \lambda^{p-2}\}$ is an integral basis, and these two bases have the same discriminant. By Proposition 2.4.3 we have

$$\Delta_K(1, \lambda, \ldots, \lambda^{p-2}) = (-1)^{\frac{(p-1)(p-2)}{2}} \, \mathrm{Nm}(g'(\lambda)).$$

To calculate $\mathrm{Nm}(g'(\lambda))$, we use a trick: recall that $g(t) = \frac{(t+1)^p - 1}{t}$. By the quotient rule, we have

$$g'(t) = \frac{p(t+1)^{p-1} t - \left((t+1)^p - 1\right)}{t^2},$$

so $g'(\lambda) = \frac{p \zeta^{p-1}}{\lambda}$. We deduce that

$$\mathrm{Nm}(g'(\lambda)) = \mathrm{Nm}(p) \, \mathrm{Nm}(\zeta)^{p-1} \, \mathrm{Nm}(\lambda)^{-1} = p^{p-2}$$

by Lemma 2.7.2. Since p is odd, we have $(-1)^{\frac{(p-1)(p-2)}{2}} = (-1)^{\frac{p-1}{2}}$. Hence

$$\Delta[1, \lambda, \ldots, \lambda^{p-2}] = (-1)^{\frac{p-1}{2}} p^{p-2}$$

as claimed. The only prime whose square divides this is p. However g(t) satisfies Eisenstein’s criterion at p, so we conclude by Lemma 2.6.2.

Remark. If m is not prime and K = Q(ζ) where ζ is a primitive m-th root of unity, then it is still true that OK = Z[ζ], but the proof is harder. If $m = p^a$ for some prime p, then the minimal polynomial of ζ − 1 still satisfies Eisenstein’s criterion for the prime p, and we can argue as above to prove that $\{(\zeta - 1)^i\}$ is an integral basis. If n is not a power of a prime then Eisenstein’s criterion isn’t satisfied, so the proof is quite different in this case.

Chapter 3

Factorisation and ideals

Notation 3.0.4. All rings in this chapter are assumed to be commutative.

3.1 Units, irreducible elements, and prime elements

Let R be a (commutative!) ring, and r ∈ R. Recall that we say r is

• a unit if there exists an inverse $r^{-1}$ ∈ R;
• irreducible if it isn’t a unit, and whenever we have r = xy with x, y ∈ R, then one of x and y is a unit;
• prime if it’s not a unit and whenever we have r | xy with x, y ∈ R, then either r | x or r | y (or possibly both!)

Lecture 12

Units

Notation 3.1.1. The group of units of a ring R is denoted by $R^\times$.

Proposition 3.1.2. If K is a number field, then $O_K^\times = \{x \in O_K : \mathrm{Nm}_{K/\mathbb{Q}}(x) = \pm 1\}$.

Proof. If $x^{-1}$ ∈ OK, then $\mathrm{Nm}(x)\,\mathrm{Nm}(x^{-1}) = \mathrm{Nm}(1) = 1$, so Nm(x) is a unit in Z and hence must be ±1.

Conversely, suppose Nm(x) = ±1 and let σ1, ..., σd be the embeddings of K, with σ1(x) = x. Then we have

$$x \left( \prod_{i=2}^{d} \sigma_i(x) \right) = \pm 1$$

so that $x^{-1} = \pm \prod_{i=2}^{d} \sigma_i(x)$, and since all the σi(x) are in B, this shows that $x^{-1}$ ∈ B ∩ K = OK.

Example 3.1.3. Let K = Q(√d), with d < 0 squarefree.

If d ≠ 1 mod 4 then OK = Z[√d] and a + b√d is a unit if and only if $a^2 + |d| b^2 = 1$. For d ≠ −1 this forces b = 0 and a = ±1.

If d = 1 mod 4 then any unit is of the form $\frac{1}{2}(a + b\sqrt{d})$ for a, b ∈ Z and hence $a^2 + |d| b^2 = 4$, and unless d = −3 this forces b = 0 so a = ±2.

This shows that $O_K^\times = \{\pm 1\}$ unless d = −1 or d = −3. For these d a case-by-case check gives us

• {±1, ±i} if d = −1;
• $\{\pm 1, \pm\omega, \pm\omega^2\}$ if d = −3, where $\omega = \frac{1+\sqrt{-3}}{2}$ is a primitive 6th root of unity;

Note that these are all finite cyclic groups – any finite subgroup of the multiplicative group of a field must be cyclic. On the other hand, if d > 1 there are lots of units which don’t have finite order, e.g. 1 + √2 is a unit in Z[√2], and since it is real and > 1 it can’t be a root of unity, so the unit group of Z[√2] is infinite. (We’ll see later that the ring of integers of Q(√d) has infinite unit group for any squarefree d > 1.)

Irreducible and prime elements

Now, irreducibility and primality. Notice that irreducibility is about things dividing r, while primality is about r dividing other things. Nonetheless, there’s a relation between the two: you saw in Algebra 2 that if the ring R is an integral domain, any nonzero prime element is irreducible. But sometimes irreducible elements can fail to be prime, and this really does happen for the rings OK that we care about in this course. You saw in Algebra 2 that in a PID, any non-zero element has a factorisation into irreducibles, and this is unique up to re-ordering the factors and multiplying them by units. The existence of such a factorisation works very generally:

Proposition 3.1.4. Let K be a number field, and let x ∈ OK be a non-unit. Then there are irreducible elements x1,..., xn such that x = ∏ xi.

Proof. Let’s say x is factorisable if it can be written in this way. We prove by induction on N that every non-unit element r ∈ OK with | Nm(r)| = N is factorisable. The result is trivial for N = 1 (there are no non-unit r); so assume it is true for all N′ < N, and suppose r ∈ OK has | Nm(r)| = N. If r is irreducible it is trivially factorisable. If r is not irreducible, we can write r = xy where both x and y are non-units. Since x and y are non-units and Nm(x) Nm(y) = Nm(r), we must have | Nm(x)| < | Nm(r)| and | Nm(y)| < | Nm(r)|; thus both x and y are factorisable. Multiplying together factorisations of x and y gives a factorisation of r.

Remark. You can replace OK by any ring with reasonable finiteness properties (any in the sense of Commutative Algebra). It doesn’t work in R = B, though!

What fails when we go from Z to general OK is uniqueness of the factorisation; and this is connected with the fact that in OK, irreducible elements aren’t necessarily prime, and ideals aren’t necessarily principal.

Example 3.1.5. Let K = Q(√−5). Then OK = Z[√−5]. Then 2 is an irreducible element in OK, because if we have 2 = xy with x, y ∈ OK, then Nm(x) Nm(y) = Nm(2) = 4. Thus one of x and y (WLOG x) has norm 1 or 2. However, there are no solutions in integers to $a^2 + 5b^2 = 2$, and $a^2 + 5b^2 = 1$ has only the trivial solutions a = ±1, b = 0. So x = ±1 is a unit in OK. Thus 2 is irreducible.

On the other hand, 2 divides (1 + √−5)(1 − √−5) = 6, but 2 doesn’t divide either of the factors. So 2 isn’t a prime element in OK. This means that 6 has two essentially different factorisations into irreducibles, as (2)(3) and (1 + √−5)(1 − √−5).

So OK cannot be a PID, and there must be an ideal that isn’t principal. Consider the set

I = {a + b√−5 : a = b mod 2}.

I claim I is an ideal. Obviously I is an abelian group, so we just need to check that xI ⊆ I for any x ∈ OK. It suffices to check this for x = 1 (obvious) and x = √−5, and if y = a + b√−5 ∈ I, then xy = −5b + a√−5, and −5b has the same parity as b.

We clearly have 2 ∈ I. If I were principal, with some generator d, we’d have to have d | 2, but 2 is irreducible, so d would have to be 1 or 2 times a unit, and thus we’d have either I = OK or I = 2OK, neither of which are true. So I is not principal.

We’re now going to see a really rather radical idea: we’ll embrace the fact that non-principal ideals exist, and rather than factorising elements into irreducible elements, we’ll factorise ideals into irreducible ideals!

Lecture 13

3.2 Arithmetic with ideals

What do ideals in a number field look like?

Notation 3.2.1. If R is a ring and x1, ..., xn ∈ R we write ⟨x1, ..., xn⟩ for the ideal generated by the xi, which is the set of all finite sums of the form r1x1 + ··· + rnxn : ri ∈ R.

(If R isn’t clear from context we sometimes write $\langle x_1, \ldots, x_n \rangle_R$.)

So the ideal I of Example 3.1.5 is ⟨2, 1 + √−5⟩.

Exercise. Show that any ideal in OK is generated by a finite set. Fact 3.2.2. One can actually show the stronger fact that any ideal in the ring of integers of a number field can be generated by at most 2 elements. We won’t prove this or use it explicitly, but you might find it helpful to bear it in mind as a guide when doing calculations, much like Fact 2.3.6. We’ll need to use the following fact:

Proposition 3.2.3. Let I be a non-zero ideal of OK. Then I contains some positive integer, and the quotient OK/I is finite.

Proof. Firstly, suppose I is a non-zero ideal. Then I contains some non-zero element x ∈ OK. Let $N = |\mathrm{Nm}_{K/\mathbb{Q}}(x)|$. We know that N/x ∈ K, but $N/x = \pm \prod_j \varphi_j(x)$ where the ϕj are the non-identity embeddings of K, so N/x ∈ B. Thus N/x ∈ OK; so N is a multiple of x in OK and hence x ∈ I ⇒ N ∈ I.

The ideal ⟨N⟩ = NOK is contained in I, so OK/⟨N⟩ surjects onto OK/I. But $O_K \cong \mathbb{Z}^d$ as an abelian group and hence $O_K/NO_K \cong (\mathbb{Z}/N\mathbb{Z})^d$ is finite and thus OK/I is also finite.

Now we explain what’s meant by multiplying ideals.

Definition 3.2.4. Let I, J be ideals in a ring R. We define an ideal IJ as the ideal consisting of all finite sums of the form $i_1 j_1 + \cdots + i_N j_N$ where $i_m$ ∈ I and $j_m$ ∈ J.

Remark. It’s important to note that not every element of IJ is necessarily of the form ij with i ∈ I and j ∈ J. However, IJ is the smallest ideal containing all such elements.

Clearly if I = ⟨x1, ..., xr⟩ and J = ⟨y1, ..., ys⟩, then IJ is exactly the ideal generated by the pairwise products xiyj.

Example 3.2.5. Let R = Z[√−5], I = ⟨2, 1 + √−5⟩ as before. What is $I^2$?

Evidently $I^2 = \langle 4, \; 2 + 2\sqrt{-5}, \; (1 + \sqrt{-5})^2 \rangle = \langle 4, \; 2 + 2\sqrt{-5}, \; -4 + 2\sqrt{-5} \rangle$.

Can we give a simpler generating set? Clearly the ideal $\langle 4, \; 2 + 2\sqrt{-5}, \; -4 + 2\sqrt{-5} \rangle$ contains $(2 + 2\sqrt{-5}) - (-4 + 2\sqrt{-5}) = 6$. So it contains both 4 and 6, so it must contain 2. On the other hand, all the generators of $I^2$ are multiples of 2. So we have $I^2 = \langle 2 \rangle$.

Definition 3.2.6. An ideal I in a ring R is prime if I ≠ R and the following relation holds: if x, y are elements of R, and xy ∈ I, then either x ∈ I or y ∈ I.

Clearly the principal ideal ⟨r⟩ is prime if and only if r is a prime element (or zero; it’s a historical quirk that ⟨0⟩ is considered prime but 0 itself is not).

Notice that x ∈ I if and only if the principal ideal ⟨x⟩ is a subset of I, so the definition of “prime” is that whenever ⟨x⟩⟨y⟩ ⊂ I then either ⟨x⟩ ⊂ I or ⟨y⟩ ⊂ I. The following shows that we can do the same with more general ideals:

Lemma 3.2.7. If I is a prime ideal in a ring R, and we have AB ⊂ I, for A, B ideals, then A ⊂ I or B ⊂ I.

Proof. If neither A nor B is a subset of I, then we can find elements a ∈ A and b ∈ B, neither of which are in I. Then ab ∈ AB, so ab ∈ I (since AB is contained in I), but by assumption neither a nor b is in I. This contradicts the assumption that I is prime.

Prime ideals are related to maximal ideals: recall that an ideal I is maximal if there is no ideal J ≠ R such that J ⊋ I, and I is maximal iff the quotient R/I is a field.

Proposition 3.2.8. Let R be any ring.

(i) I is prime iff R/I is an integral domain. (ii) Maximal ideals are prime.

(iii) If R is the ring of integers of a number field, any non-zero prime ideal is maximal.

Proof. (i) Let I be prime and x¯, y¯ ∈ R/I. Choose representatives x, y ∈ R. If x¯y¯ = 0, then xy ∈ I, so we must have x ∈ I or y ∈ I, which implies that one of x¯ and y¯ is 0. So R/I is an integral domain. The converse implication is similar. (ii) A field is an integral domain, so I maximal ⇒ R/I a field ⇒ R/I an integral domain ⇒ I prime.

(iii) I claim that if I is a non-zero ideal of OK, not necessarily prime, then OK/I is finite. Let x ∈ I be nonzero; then N = | Nm(x)| is a multiple of x in OK, so I contains N, which is a positive integer. Hence OK/I is a quotient of OK/⟨N⟩, but $O_K \cong \mathbb{Z}^d$ as an abelian group, so $O_K/\langle N \rangle \cong (\mathbb{Z}/N\mathbb{Z})^d$ is finite.

Now, if I is prime, this shows that OK/I is a finite integral domain; but a finite integral domain must be a field, because multiplication by any non-zero element is an injective map from a finite set to itself and must therefore also be surjective. So OK/I is a field, and therefore I is maximal.

Notice that (iii) is not true in more general rings; for instance, in Q[X, Y] the prime ideal ⟨X⟩ is properly contained in the prime ideal ⟨X, Y⟩.

3.3 Fractional ideals and unique factorization

In this section we’ll prove the following rather hard theorem:

Theorem 3.3.1. Let K be a number field and a any non-zero ideal in OK. Then there are prime ideals p1, ... , pn such that a = p1 ... pn,

and the pi are unique up to re-ordering.

In order to do this we’ll introduce a certain technical convenience called a fractional ideal. A fractional ideal in K is like an ideal of OK, except that it isn’t necessarily contained in OK:

Definition 3.3.2. A fractional ideal of OK is a subset a ⊂ K such that

• a is an abelian group under addition,

• xa ⊆ a for every x ∈ OK,

• there exists some x ∈ OK such that xa ⊆ OK.

Note that the first two conditions say that a is an OK-submodule of K. The last condition says that a isn’t too large – for instance, K itself is not a fractional ideal of OK.

Lecture 14

Notice that a subset of K contained in OK is a fractional ideal if and only if it’s an honest ideal. Thus fractional ideals are somehow “ideals of OK divided by things” – hence the name.

Notation 3.3.3. Given x1, ..., xn ∈ K we write

$$\langle x_1, \ldots, x_n \rangle = \left\{ \sum r_i x_i : r_i \in O_K \right\}.$$

We can multiply fractional ideals in the same way we multiply usual ideals: if a and b are ideals, then ab is the set {a1b1 + ··· + anbn : ai ∈ a, bi ∈ b} which is also a fractional ideal, and we can find a generating set for the product by multiplying generators of a and b as before. The reason we care about these objects is that we’ll prove Theorem 3.3.1 together with a second theorem:

Theorem 3.3.4. The non-zero fractional ideals of OK form a group under multiplication.

In these two theorems, it’s really essential to use all the properties of OK. Before we start on the proofs, I want to explain why if we use the wrong ring, then it definitely fails.

Definition 3.3.5. An order in a number field K is a subring R ⊆ OK such that the abelian group OK/R is finite.

For example, Z[√−3] is an order in Q(√−3), with index 2 in the ring of integers Z[(1 + √−3)/2]. Finding any old order is much easier than finding OK; in Chapter 2 we started by writing down an arbitrary order and then gradually enlarged it to find OK. One can define fractional ideals of R for any order R exactly as above: they are the R-submodules of K of the form x⁻¹I where x ∈ R is nonzero and I is an ideal of R.

It’s a confusing, but true, statement that if R is any order, then OK is a fractional ideal of R! This shows immediately that the fractional ideals of an order R ≠ OK can’t be a group: it would have to have two identities R and OK (as RR = R and OKOK = OK) and a group has to have exactly one identity.

Now let’s start on the proof of Theorems 3.3.1 and 3.3.4. Following Stewart and Tall, we’ll do it in 9 steps, of which steps 1-3 work for any order R, and steps 4 onwards require us to use OK.

Step 1: Every nonzero ideal of an order R contains a product of prime ideals. This is almost identical to Proposition 3.1.4. Let a be a nonzero ideal in R. Let’s say a is good if there exist primes p1, ... , pr such that p1 ... pr ⊆ a, and bad otherwise.

Let a be a bad ideal. Since a is a non-zero ideal of R, the index R/a is finite (we saw this above for R = OK, but the proof works for any order R). Let us assume WLOG that a has the smallest possible index among all bad ideals, so in particular any ideal strictly containing a is good.

Since it’s bad, a cannot be prime. So there exist elements x1, x2 ∈ R such that x1x2 ∈ a but x1 ∉ a, x2 ∉ a. Let a1 be the ideal generated by a and x1, and similarly a2 generated by a and x2. Since these are both strictly bigger than a, they must both be good, so we can find primes p1, ... , ps and ps+1, ... , pr such that p1 ... ps ⊆ a1 and ps+1 ... pr ⊆ a2.

Consider the product p1 ... pr. This is contained in a1a2; but a1a2 is contained in a, since x1x2 ∈ a. So this gives a product of prime ideals which is contained in a, contradicting the assumption that a was bad.

Step 2: Definition of (what will turn out to be) the inverse of a fractional ideal.

Definition 3.3.6. Let a be a fractional ideal of R. We define

a⁻¹ = {x ∈ K : xa ⊆ R}.

This is evidently an R-submodule of K. If a is an ideal of R, then a⁻¹ ⊇ R. If a is not zero, then it contains some non-zero element c, and we have ca⁻¹ ⊆ OK, so in this case a⁻¹ is also a fractional ideal. (If a = 0 then a⁻¹ = K, which is not a fractional ideal!)

Exercise. Check that for c ∈ K we have ⟨c⟩⁻¹ = ⟨c⁻¹⟩.

From the definition, we have aa⁻¹ ⊆ R. The goal of the next two steps is to show that if R = OK then aa⁻¹ is actually equal to OK.

Step 3: If a is a proper ideal of R, then a⁻¹ ⊋ R. Any proper ideal a is contained in a maximal ideal p, and if a ⊆ p then p⁻¹ ⊆ a⁻¹, so it suffices to assume a = p is maximal (or, equivalently, prime). We will use Step 1 to do this. Take any nonzero element a ∈ p. Using step 1 we can write

p1 ... pr ⊆ ⟨a⟩

for some prime ideals p1, ... , pr. Since ⟨a⟩ ⊆ p, this shows that

p1 ... pr ⊆ p

so p must contain one of the pi by Lemma 3.2.7. Without loss of generality, we can assume that p1 ⊆ p; but non-zero prime ideals of R are maximal, so we must have p1 = p.

If p2 ... pr ⊆ p then we can repeat the argument again to show that p2 = p etc, so we can assume that

p2 ... pr ⊄ ⟨a⟩.

So there is some b ∈ p2 ... pr which isn’t in ⟨a⟩, but such that bp ⊆ ⟨a⟩. So x = b/a ∉ R. But (b/a)p ⊆ R. This shows that x ∈ p⁻¹ and thus p⁻¹ is strictly bigger than R.

Step 4: If a is a non-zero fractional ideal of OK, and θ ∈ K is such that θa ⊆ a, then θ ∈ OK. Since a is a fractional ideal, it is isomorphic as an abelian group to an ideal of OK, and hence it’s finitely-generated (since OK is). It’s also torsion-free, so it must be isomorphic to Z^m for some integer m ≤ d. Let a1, ... , am be a basis of a as an abelian group.

If θa ⊆ a then we must be able to write θai as a Z-linear combination of the aj for all i. So we can write

θai = ∑_{j=1}^{m} bji aj

for some m × m matrix B = (bij) with integer entries. This shows that θ is an eigenvalue of B considered as a complex matrix. So θ is a root of the characteristic polynomial of B. But that shows that θ is an algebraic integer, so θ ∈ OK.

Remark. This step goes horribly wrong if we work with subrings of OK rather than the whole of OK, and that’s why these non-maximal orders don’t have a nice factorization theory.

Lecture 15

Step 5: If p is prime then pp⁻¹ = OK. We’ll get this by playing the two previous steps off against each other. Since p⁻¹ ⊇ OK we must have pp⁻¹ ⊇ pOK = p; and p is maximal, so we must have either pp⁻¹ = OK or pp⁻¹ = p. Step 4 says that pp⁻¹ = p could only happen if we had p⁻¹ = OK; but Step 3 says precisely that p⁻¹ is not contained in OK, which is a contradiction. So pp⁻¹ must be OK.

Remark. There is a small but crucial typographical error in Stewart & Tall (3rd edition) at this point: they accidentally claim that pp⁻¹ = OK leads to a contradiction!

Step 6: For any nonzero ideal a we have aa⁻¹ = OK. Suppose a is a nonzero ideal such that aa⁻¹ ≠ OK. By induction on the size of the quotient |OK/a| (as in Step 1), we can assume that bb⁻¹ = OK for all ideals b which strictly contain a.

We obviously cannot have a = OK, so there is a maximal ideal p containing a. Let b = ap⁻¹. Firstly, b is indeed an ideal of OK, because p⁻¹ ⊆ a⁻¹ and so ap⁻¹ ⊂ aa⁻¹ ⊂ OK. Clearly we have b ⊇ a. If b = a then Step 4 would imply p⁻¹ = OK, contradicting Step 3. So b is strictly larger than a; hence, by our assumption on a, we must have bb⁻¹ = OK. We now have:

bb⁻¹ = OK
⇒ ap⁻¹b⁻¹ ⊆ OK (definition of b)
⇒ p⁻¹b⁻¹ ⊆ a⁻¹ (definition of the set a⁻¹)
⇒ ap⁻¹b⁻¹ ⊆ aa⁻¹ (multiply everything by a)
⇒ bb⁻¹ ⊆ aa⁻¹.

Since bb⁻¹ = OK, we must have aa⁻¹ = OK as well.

Step 7: Nonzero fractional ideals are a group under multiplication (Theorem 3.3.4). All the axioms are obvious except for existence of inverses. Let a be a fractional ideal; then we have a = c⁻¹b for some genuine ideal b and some nonzero c ∈ OK, and hence a⁻¹ = cb⁻¹. We have aa⁻¹ = cc⁻¹bb⁻¹ = bb⁻¹, and Step 6 shows that bb⁻¹ = OK. So a⁻¹ is genuinely the inverse of a under multiplication, as the notation suggests.

Step 8: Every non-zero ideal is a product of prime ideals. Let a be a nonzero ideal that’s not the product of prime ideals. If such an a exists, then there is one of smallest index, so we may assume without loss of generality that every ideal b strictly containing a is a product of prime ideals. Clearly a ≠ OK so we can find some prime p such that a ⊆ p. Then ap⁻¹ is strictly bigger than a (by Step 4) so ap⁻¹ = p1 ... pr for some primes pi. But then a = ap⁻¹p = p1 ... pr p, so a is a product of primes itself.

Step 9: Prime factorization is unique up to ordering. Suppose we have a nonzero ideal a such that a = p1 ... pr = q1 ... qs for prime ideals p1, ... , pr and q1, ... , qs. We want to show that r = s and we can re-order the qi such that qi = pi for all i. WLOG r ≥ s ≥ 0. If r = s = 0 there is nothing to prove; so assume that r ≥ 1 and that the claim is true for r − 1. The product q1 ... qs is contained in p1, so one of the qi is contained in p1 by primality; without loss of generality, q1 ⊆ p1. But q1 is maximal, so q1 = p1. Then we have p1⁻¹a = p2 ... pr = q2 ... qs. By the induction hypothesis we are done.

Remark. Note that this is exactly the same argument as you used to prove existence of unique factorization into prime elements in a PID, but it is now even simpler, because there is no messing around with units and associates.

This completes the proof of Theorems 3.3.1 and 3.3.4.

Remark. Let’s just take stock for a minute. What did we use about OK here? The key ingredients were:

1. OK is an integral domain.

2. Any non-empty set of non-zero ideals of OK must contain a minimal element (used for the WLOG’ing in Steps 1, 6 and 8).

3. Every nonzero prime ideal of OK is maximal.

4. If θ ∈ K satisfies a monic polynomial in Z[X], then θ ∈ OK.

Rings satisfying (2) are said to be Noetherian, and rings satisfying (3) are said to be of Krull dimension one. For step 4, one can check that this is equivalent to the (apparently) stronger statement

4’. If θ ∈ K = Frac OK satisfies a monic polynomial in OK[X], then θ ∈ OK.

Rings satisfying 4’ are said to be integrally closed in their field of fractions. So Theorems 3.3.1 and 3.3.4 work for any ring R which is an integral domain, is Noetherian, has Krull dimension one, and is integrally closed in its field of fractions. Such rings are often called Dedekind Domains.

Other than the rings OK, another vital example of a Dedekind domain is K[X] for any field K. We’ll conclude this section by isolating two useful ideas that come up in the course of the proof:

Proposition 3.3.7 (“To contain is to divide”). Let a, b be fractional ideals of OK. If a ⊇ b then there is an ideal c such that b = ac.

Proof. We can assume a, b are both non-zero (the other cases are trivial). If a ⊇ b then a⁻¹ ⊆ b⁻¹, so a⁻¹b ⊆ b⁻¹b = OK. Thus c = a⁻¹b is a fractional ideal contained in OK, so it’s an ideal of OK, and it clearly satisfies ac = aa⁻¹b = OKb = b.

Exercise. This is not true for all rings, or even all orders of number fields. Can you find a counterexample in the ring Z[√−3]?

We now define norms for ideals.

Definition 3.3.8. If a is a non-zero ideal of OK, then we define Nm_{K/Q}(a) = |OK/a|.

By abelian- from Algebra 1, we have Nm(⟨x⟩) = |Nm(x)| for any nonzero element x, so this notation is reasonably consistent with the definition for elements.

Lecture 16

Proposition 3.3.9. If 𝔞, 𝔟 are non-zero ideals of OK then we have Nm(𝔞𝔟) = Nm(𝔞) Nm(𝔟).

Proof. By induction we can suppose 𝔟 = 𝔭 is prime. It’s clear that

Nm(𝔞𝔭) = |OK/𝔞𝔭| = |OK/𝔞| |𝔞/𝔞𝔭|.

So it suffices to show that |𝔞/𝔞𝔭| = |OK/𝔭|.

Since 𝔭 ≠ OK and fractional ideals are a group, 𝔞𝔭 ≠ 𝔞, so we can pick a ∈ 𝔞 \ 𝔞𝔭. Then x ↦ ax + 𝔞𝔭 is a map OK → 𝔞/𝔞𝔭 whose kernel contains 𝔭. It is not the zero map, since a ∉ 𝔞𝔭. So its kernel is a proper ideal of OK containing 𝔭. Since prime ideals are maximal, it must be an injection OK/𝔭 → 𝔞/𝔞𝔭. It is also surjective, because there are no ideals strictly between 𝔞𝔭 and 𝔞 by unique factorisation; so we are done.

Example 3.3.10. The first part of the proposition does not work for orders R ≠ OK. We can still define Nm(a) = |R/a|, and this still agrees with the definition for elements, but the relation Nm(ab) = Nm(a) Nm(b) stops working.

For instance, in the order Z[√−3], the ideal a = ⟨2, 1 + √−3⟩ clearly has Nm(a) = 2. But it satisfies

a² = ⟨4, 2 + 2√−3, −2 + 2√−3⟩ = ⟨4, 2 + 2√−3⟩

and hence a² = ⟨2⟩a. So if Nm were multiplicative on ideals of R, we’d have 2² = 4 × 2, which is a contradiction.
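The failure in Example 3.3.10 can be checked by direct computation. The following is an added example, not part of the original notes: it computes |R/a| for ideals of R = Z[√−n] and compares the order Z[√−3] with the full ring of integers Z[√−5]. The function names are my own, and it relies on the standard fact (not proved in these notes) that the index of a full-rank subgroup of Z² is the gcd of the 2×2 minors of any spanning set.

```python
from itertools import combinations
from math import gcd

# An element x + y*sqrt(-n) of R = Z[sqrt(-n)] is stored as the pair (x, y).

def mul(u, v, n):
    """Product of two elements of Z[sqrt(-n)]."""
    (x1, y1), (x2, y2) = u, v
    return (x1 * x2 - n * y1 * y2, x1 * y2 + x2 * y1)

def ideal_norm(gens, n):
    """|R/a| for the ideal a of R = Z[sqrt(-n)] generated by gens.

    As an abelian group, a is spanned by g and g*sqrt(-n) for each generator
    g. The index of that span in R = Z^2 is the gcd of its 2x2 minors
    (standard fact, assumed here).
    """
    span = []
    for g in gens:
        span += [g, mul(g, (0, 1), n)]
    index = 0
    for (a, b), (c, d) in combinations(span, 2):
        index = gcd(index, a * d - b * c)
    return index

def ideal_product(gens_a, gens_b, n):
    """Generators of the product ideal: all pairwise products of generators."""
    return [mul(g, h, n) for g in gens_a for h in gens_b]

def norms_of_a_and_a_squared(n):
    """Return (Nm(a), Nm(a^2)) for a = <2, 1 + sqrt(-n)> in Z[sqrt(-n)]."""
    a = [(2, 0), (1, 1)]
    return ideal_norm(a, n), ideal_norm(ideal_product(a, a, n), n)

if __name__ == "__main__":
    # Order Z[sqrt(-3)], not the full ring of integers: 2^2 != 8.
    print("Z[sqrt(-3)]:", norms_of_a_and_a_squared(3))
    # Z[sqrt(-5)] is the full ring of integers: 2^2 == 4.
    print("Z[sqrt(-5)]:", norms_of_a_and_a_squared(5))
```

In Z[√−3] the result is Nm(a) = 2 but Nm(a²) = 8 = Nm(⟨2⟩) Nm(a), while in Z[√−5] the same ideal satisfies Nm(a²) = 4 = Nm(a)².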

Proposition 3.3.11. For any integer N ≥ 1, any number field K, and any order R ⊆ OK, the ring R has only finitely many ideals of norm N.

Proof. If a is an ideal of norm N, then |R/a| = N, so multiplication by N kills the group R/a and hence ⟨N⟩ ⊆ a. So it suffices to prove that there are only finitely many ideals containing ⟨N⟩. By the theorems, the ideals of R containing ⟨N⟩ biject with the ideals of the quotient ring R/⟨N⟩. This ring is finite, of size N^[K:Q], so it only has finitely many ideals.

3.4 Prime ideals

The big theorems of the previous chapter show that you can build up all ideals in the ring of integers of a number field from the prime ideals. So let’s find out a bit more about prime ideals of rings of integers. From Proposition 3.3.9 it’s clear that if Nm(a) is a prime integer then a is a prime ideal. The converse is false (the ideal ⟨3⟩ is prime in Z[i], but its norm is 9), but something weaker is true:

Proposition 3.4.1. If 𝔭 is a prime ideal of OK, then there is a unique prime integer p such that 𝔭 ⊇ ⟨p⟩, and Nm(𝔭) = p^n for some integer n ≥ 1.

Proof. The intersection P = 𝔭 ∩ Z is an ideal of Z, and we get an injective map Z/P → OK/𝔭. Since OK/𝔭 is a finite integral domain, and a subring of a finite integral domain is also a finite integral domain, we conclude that Z/P is a finite integral domain. Hence P is a nonzero prime ideal of Z, meaning that P = pZ for some prime integer p, and p is the only prime integer contained in 𝔭.

It remains to show that Nm(𝔭) is a power of p. Since p ∈ 𝔭, every element of the finite group OK/𝔭 is killed by multiplication by p. Thus OK/𝔭 must be a finite product of copies of Z/pZ, by the classification of finitely-generated abelian groups, so |OK/𝔭| must be a power of p as required.

We say 𝔭 lies over p. The integer n such that Nm(𝔭) = p^n is the degree of the field extension [OK/𝔭 : Fp]; it’s sometimes called the degree of the prime 𝔭.

Proposition 3.4.2. For any prime integer p, there are only finitely many distinct primes 𝔭1, ... , 𝔭g of OK lying over the prime p, and we have a factorization

𝔭1^{e1} ... 𝔭g^{eg} = ⟨p⟩

where ei ≥ 1 are integers. If ni is the degree of 𝔭i, then we have ∑_{i=1}^{g} ei ni = [K : Q].

Proof. The first part is immediate from the unique factorization theorem, and the second follows by taking norms of both sides.

Definition 3.4.3. We give names to some of the possibilities as follows:

• If all the ei’s and ni’s are 1 (so ⟨p⟩ is a product of distinct degree 1 primes), we say p is split in OK.

• If g = 1 and e1 = 1 (so ⟨p⟩ is prime), we say p is inert in OK.

• If one of the ei is > 1, we say p is ramified in OK.

Ramified primes are quite special. For instance, ⟨2⟩ is a ramified prime in Z[√−5], since we saw that ⟨2⟩ = ⟨2, 1 + √−5⟩². The next theorem will tell us how to completely determine the factorisation of ⟨p⟩:

Theorem 3.4.4 (Dedekind–Kummer). Let α ∈ OK be a primitive element of K, and suppose that p is a prime integer not dividing the index [OK : Z[α]].

Let f be the minimal polynomial of α, and let f̄ ∈ Fp[X] be the reduction of f modulo p. Write f̄ as a product of powers of irreducible polynomials

f̄(X) = f̄1(X)^{e1} f̄2(X)^{e2} ... f̄r(X)^{er}.

For each i, pick a polynomial fi ∈ Z[X] whose mod p reduction is f̄i, and let Pi be the ideal ⟨p, fi(α)⟩ of OK. Then:

• The ideals Pi are independent of the choice of fi.

• The ideals Pi are distinct, and they are precisely the prime ideals of OK lying above p.

• We have ⟨p⟩ = ∏_{i=1}^{r} Pi^{ei}.

We’ll do the proof next time; first let’s do some examples. We’ll usually be interested in the case when OK = Z[α] (so we can take p to be any prime).

Example 3.4.5. Let K = Q(√−41), so OK = Z[√−41]. We take α = √−41, so f(X) = X² + 41.

Modulo 2, we have X² + 41 = X² + 1 = (X + 1)². So ⟨2⟩ = P² where P is the ideal ⟨2, √−41 + 1⟩. Notice that P has norm 2, but there are no solutions to a² + 41b² = 2 with a, b ∈ Z, so P is not principal.

Modulo 3, we have X² + 41 = X² − 1 = (X − 1)(X + 1), so ⟨3⟩ = ⟨3, 1 + √−41⟩⟨3, −1 + √−41⟩. Again, these two primes are not principal. Something similar to this happens modulo 5, 7 and 11 as well – in each case ⟨p⟩ is the product of two distinct prime ideals of norm p.

Modulo 13 we have X² + 41 = X² + 2 which is irreducible (because −2 is not a square modulo 13), so ⟨13⟩ is a prime ideal of OK.

Lecture 17

Proof of Dedekind–Kummer. Although it may look scary, the proof is actually not that difficult (far easier than the unique factorization theorem). The key to the proof is that there is an isomorphism of rings

OK/pOK ≅ Fp[X]/f̄(X). (⋆)

Once we have this, virtually everything else will be easy. We’ll build up (⋆) by using the ring Z[α]/pZ[α] as a stepping stone. We’ll show that we have

Z[α]/pZ[α] ≅ OK/pOK, (†)

Z[α]/pZ[α] ≅ Fp[X]/f̄(X). (‡)

Let’s do (†) first. The second isomorphism theorem tells us that

Z[α]/(Z[α] ∩ pOK) ≅ (Z[α] + pOK)/pOK,

so we need to check that pOK + Z[α] = OK, and that pOK ∩ Z[α] = pZ[α]. We only know one thing about Z[α], which is that its index is coprime to p, so let’s use this: the index of Z[α] + pOK in OK must divide [OK : pOK], which is a power of p, and it must divide [OK : Z[α]], which is coprime to p, so it cannot be anything but 1. That means that the right-hand side of the above isomorphism must have order p^[K:Q], so Z[α] ∩ pOK is a subgroup of Z[α] containing pZ[α] and having the same index as pZ[α], and hence they’re equal.

Now let’s do (‡). Here we use the third isomorphism theorem. We have Z[α] = R/⟨f(X)⟩_R where R = Z[X], so we have

Z[α]/pZ[α] ≅ (R/⟨f⟩_R) / (⟨p, f⟩_R/⟨f⟩_R)
≅ R/⟨p, f⟩_R
≅ (R/⟨p⟩_R) / (⟨p, f⟩_R/⟨p⟩_R)
≅ Fp[X]/⟨f̄⟩.

Putting these together gives us (⋆).

Now we’re more or less home and dry. The ideals of OK containing ⟨p⟩ are precisely the ideals of OK/pOK, but this is the same ring as Fp[X]/⟨f̄⟩; and the prime ideals of the latter are just the ideals ⟨f̄i⟩. Unwinding the isomorphisms, we see that these correspond to the ideals Pi above, and in particular it comes for free that the Pi are independent of the choice of fi lifting f̄i.

Since ∏i ⟨f̄i⟩^{ei} is the zero ideal of Fp[X]/⟨f̄⟩, the product ∏i Pi^{ei} is contained in the ideal ⟨p⟩. To check it’s an equality, we compute norms: each Pi has norm |OK/Pi| = |Fp[X]/f̄i| = p^{ni}, where ni = deg fi, so that ∏i Nm(Pi)^{ei} = p^{deg(f)} = Nm(⟨p⟩).

For the final statement, let us suppose that p ∤ ∆K. Then the determinant of multiplication by f′(α) is coprime to p, so f′(α) is a unit in OK/p. Running through our isomorphisms above, this shows that f̄′(X) is a unit in Fp[X]/f̄(X). If any of the ei are > 1, then f̄i(X) divides f̄′(X) in this quotient, which is a contradiction; so all the ei must be 1 in this case.

Remark. 1. For any number field K, we can always find some primitive element α lying in OK. Then ∆K(1, ... , α^{d−1}) is a non-zero integer, so there are only finitely many primes which divide it. If p is not in this set, then p ∤ [OK : Z[α]] and we can use Dedekind–Kummer to factorise p in OK, without having to know exactly what OK looks like.

2. If you choose a prime p, it may happen that there is no α such that [OK : Z[α]] is coprime to p, so there is no way to apply the Dedekind–Kummer theorem to factorise p. Such a prime is called an “essential discriminant divisor”.
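The recipe of Theorem 3.4.4 is mechanical enough to run. The following is an added example, not part of the original notes: it factors f mod p by trial division (adequate for the small primes and degrees used here) and reads off the pairs (ei, ni) and the generators ⟨p, fi(α)⟩. Function names are my own, and the code assumes, as the theorem does, that p does not divide [OK : Z[α]].

```python
from itertools import product

# Polynomials over F_p are coefficient lists, constant term first:
# X^2 + 41 is [41, 0, 1].

def trim(coeffs):
    """Return the coefficients as a list with top-degree zeros removed."""
    a = list(coeffs)
    while a and a[-1] == 0:
        a.pop()
    return a

def poly_divmod(a, b, p):
    """Divide a by the monic polynomial b over F_p: (quotient, remainder)."""
    a = trim(c % p for c in a)
    q = [0] * max(len(a) - len(b) + 1, 1)
    while len(a) >= len(b):
        shift, lead = len(a) - len(b), a[-1]
        q[shift] = lead
        for i, c in enumerate(b):
            a[shift + i] = (a[shift + i] - lead * c) % p
        a = trim(a)
    return trim(q), a

def factor_mod_p(f, p):
    """Factor the monic polynomial f over F_p as [(irreducible, exponent)].

    Monic candidates are tried in increasing degree and divided out fully,
    so every divisor that is found is irreducible.
    """
    rest = trim(c % p for c in f)
    factors = []
    d = 1
    while len(rest) - 1 >= 2 * d:
        for tail in product(range(p), repeat=d):
            g = list(tail) + [1]          # monic candidate of degree d
            e = 0
            while len(rest) > d:          # i.e. deg(rest) >= d
                q, r = poly_divmod(rest, g, p)
                if r:
                    break
                rest, e = q, e + 1
            if e:
                factors.append((g, e))
        d += 1
    if len(rest) > 1:                     # no factor of degree <= deg/2 left
        factors.append((rest, 1))
    return factors

def dedekind_kummer(f, p):
    """Primes above p: list of (f_i, e_i, n_i) with P_i = <p, f_i(alpha)>.

    f_i is a lift of the i-th irreducible factor of f mod p, with
    coefficients in 0..p-1; n_i = deg f_i, so Nm(P_i) = p^n_i.
    Assumes p does not divide [O_K : Z[alpha]].
    """
    return [(g, e, len(g) - 1) for g, e in factor_mod_p(f, p)]

def splitting_type(f, p):
    """Name the behaviour of p as in Definition 3.4.3."""
    primes = dedekind_kummer(f, p)
    if any(e > 1 for _, e, _ in primes):
        return "ramified"
    if len(primes) == 1:
        return "inert"
    if all(n == 1 for _, _, n in primes):
        return "split"
    return "unramified, mixed degrees"    # none of the three names applies

if __name__ == "__main__":
    f = [41, 0, 1]                        # X^2 + 41, as in Example 3.4.5
    for p in (2, 3, 5, 7, 11, 13):
        print(p, splitting_type(f, p), dedekind_kummer(f, p))
```

For X² + 41 this reproduces Example 3.4.5 (2 ramified; 3, 5, 7, 11 split; 13 inert), and in every case ∑ ei ni equals the degree of f, as Proposition 3.4.2 requires.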

We can also get a new light on Eisenstein’s criterion using this:

Proposition 3.4.6. If α ∈ OK is a primitive element whose minimal polynomial satisfies Eisenstein’s criterion at p, then we have ⟨p⟩ = P^[K:Q], where P = ⟨p, α⟩.

(In other words, p ramifies “as badly as possible” – we say p is totally ramified.)

Proof. If α has Eisenstein minimal polynomial at p, then [OK : Z[α]] has no element of order p by Lemma 2.6.2, so its order is coprime to p. Hence we may apply the Dedekind–Kummer theorem. Since all coefficients of f except the leading one are divisible by p, we have f̄(X) = X^[K:Q], so ⟨p⟩ = ⟨p, α⟩^[K:Q].

Exercise. Can you see how to show the following converse statement? If p is a prime which is totally ramified, so ⟨p⟩ = P^[K:Q] for some prime P of OK, then there exists α ∈ OK such that α is a primitive element for K and the minimal polynomial of α is Eisenstein at p.

Proposition 3.4.7. The prime p ramifies in K if and only if p | ∆K.

Proof (sketch). (The proof I gave in the lectures was incorrect; here’s a better one.)

Suppose (for simplicity) that there exists an α such that [OK : Z[α]] is coprime to p. Then each of the following statements is equivalent to the next:

• p | ∆K.

• p | ∆K(1, ... , α^{d−1}) (since [OK : Z[α]] is coprime to p).

• p | Nm(f′(α)) (by our discriminant formulae).

• Some prime Pi above p occurs in the factorisation of ⟨f′(α)⟩ in OK (because the primes not dividing p have norm coprime to p).

• f̄′(X) is divisible by one of the factors f̄i of f̄ mod p.

• Some factor f̄i divides f̄ to a power ei > 1.

• p is ramified in K.

Remark. This proof actually shows that a prime P divides p more than once if and only if P | ⟨f′(α)⟩, so the ideal d = ⟨f′(α)⟩ encodes more subtle information about ramification in K than the crude information provided by ∆K. This ideal d is called the different. It can be defined for arbitrary number fields by writing

d⁻¹ := {x ∈ K : Tr(xy) ∈ Z for all y ∈ OK}

and d := (d⁻¹)⁻¹.

3.5 The Class Group

Let K be a number field. We’ve shown that the non-zero fractional ideals of OK are an abelian group under multiplication. Sitting inside this group there is a natural subgroup: the principal fractional ideals hai for a ∈ K×.

Definition 3.5.1. The class group of OK is the quotient

Cl(K) = {non-zero fractional ideals of OK} / {principal ones}.

The elements of Cl(K) are called ideal classes.

Lecture 18

Notice that Cl(K) is the trivial group if and only if OK is a PID, and a Dedekind domain is a PID if and only if it’s a UFD; so Cl(K) = {1} if and only if we have unique factorisation (of elements) in OK. Thus Cl(K) “measures” how badly unique factorisation fails in OK. The second main theorem of this course is the following one:

Theorem 3.5.2. The class group of OK is finite for any number field K.

We define the class number of K to be the order of this finite group. We’ll deduce Theorem 3.5.2 from another theorem, whose proof will come in the next chapter. This one depends on the embeddings of K. If ϕ is an embedding, we say ϕ is real if ϕ(K) ⊆ R. If ϕ is an embedding which isn’t real, then its complex conjugate ϕ̄ is another embedding different from ϕ, so the non-real embeddings come in conjugate pairs.

Theorem 3.5.3. Suppose K has s real embeddings and t conjugate pairs of non-real embeddings, and let d = [K : Q] = s + 2t. Let a be an ideal of OK. Then there is an element x ∈ a such that

|Nm(x)| ≤ (d!/d^d) (4/π)^t √|∆K| Nm(a).

The quantity (d!/d^d) (4/π)^t √|∆K| is sometimes called the Minkowski constant for K, and written µK, so the theorem says that we can find an x with |Nm(x)| ≤ µK Nm(a).

Proposition 3.5.4. Let C be an ideal class in K. Then C contains an ideal a of OK such that

Nm(a) ≤ µK.

Proof. Let C be an ideal class. Then C has an inverse C⁻¹, and C⁻¹ has a representative which is an ideal of OK, say b. By part (a), there is an x ∈ b such that |Nm(x)| ≤ µK Nm(b). We set a = b⁻¹ · ⟨x⟩. This is in the class C, since it differs from b⁻¹ by a principal ideal. Moreover, it is a genuine ideal (not just fractional), since x ∈ b; and its norm is

Nm(a) = |Nm(x)| / Nm(b) ≤ µK.

Proof of Theorem 3.5.2. By the preceding proposition, every ideal class C ∈ Cl(K) must contain an ideal of norm at most µK. But we saw in Proposition 3.3.11 that there are only finitely many such ideals, so there are only finitely many possible C.

3.6 Lots of Examples

We can determine the class group of a number field by using Dedekind–Kummer to factor all the ideals of norm ≤ µK. The only difficult bit is recognising which ideals are principal; but for imaginary quadratic fields this is easy (because we can easily see whether or not an equation of the form x² + |d|y² = n has solutions or not).

Example 3.6.1. We already know that Z[i] is a PID (it’s a Euclidean domain) but let’s prove this again using Minkowski’s theorem. The discriminant is −4 and we have s = 0, t = 1, so

µK = (2!/2²) (4/π) √4 = 4/π ≈ 1.273.

So every ideal class contains an ideal of norm ≤ 1. However, the only ideal with norm 1 is the trivial ideal, so there is only one ideal class, and thus Z[i] is a PID.

Example 3.6.2. Consider the field K = Q(√−19). As −19 ≡ 1 (mod 4), an integral basis of K is 1, τ, where τ = (1 + √−19)/2 is a root of the polynomial f(X) = X² − X + 5. As before, we have s = 0 and t = 1 so every ideal class contains an ideal of norm

≤ 2√19/π ≈ 2.775,

i.e. of norm ≤ 2. Suppose now that a has norm 2. Then a must be prime, and must lie above 2. But the polynomial

f(t) ≡ t² + t + 1 (mod 2)

is irreducible mod 2, so by Dedekind–Kummer the only prime above 2 is ⟨2⟩ which has norm 4, so there are no ideals of norm 2. Hence OK is a PID.

Example 3.6.3. Let K = Q(√6). Then K has 2 real embeddings and no non-real ones, so s = 2 and t = 0, and ∆K = 24, so the Minkowski constant is

(2!/2²) √24 = √6 ≈ 2.449.

The only rational prime ≤ √6 is 2. Using Dedekind’s criterion, we see that (2) = p2², where p2 = ⟨2, √6⟩ is the unique ideal of norm 2 in OK. Hence Cl(K) is generated by C = [p2], and C² is the identity class, so Cl(K) is either trivial or cyclic of order 2.

In fact, after some experimentation we spot that there is an element of norm −2, namely 2 + √6. So this must generate p2, and hence p2 is trivial and K has class number 1.

Remark. It is an open problem to determine if there are infinitely many real quadratic fields with class number 1. There are known to be exactly nine imaginary quadratic fields of class number 1, by a theorem of Heegner, Baker and Stark from the 1950’s.

Example 3.6.4. Let K = Q(√−10), so OK = Z[α] where α is a root of X² + 10. We compute

µK = 4√10/π ≈ 4.026.

The only rational primes ≤ µK are 2 and 3. To study their factorisation, use Dedekind’s criterion:

prime   f(t) (mod p)   factorisation   norm
2       t²             (2) = p2²       N(p2) = 2
3       irred.         prime           N((3)) = 9

Hence Cl(K) is generated by [p2]. Is p2 principal? Suppose that there exist a, b ∈ Z such that p2 = ⟨a + b√−10⟩. Then

2 = N(p2) = N(a + b√−10) = a² + 10b².

However, there are no integers a, b which satisfy this equation, so p2 is not principal. We deduce that [p2] has order 2 and hence Cl(K) ≅ Z/2Z.

Lecture 19

Example 3.6.5. Let’s do K = Q(√−14). The ring of integers is Z[√−14] and the Minkowski constant is

µK = 4√14/π < 5,

so the class group is generated by primes dividing (2) and (3). We factorise (2) and (3) using Dedekind’s criterion:

prime   f(X) (mod p)      factorisation   norm
2       X²                (2) = p²        N(p) = 2
3       (X − 1)(X + 1)    qq′             N(q) = N(q′) = 3

where p = ⟨2, √−14⟩, q = ⟨3, 1 − √−14⟩ and q′ = ⟨3, 1 + √−14⟩. Note that p² ∼ 1 (notation: this means p² is in the same ideal class as 1) and q′ ∼ (q)⁻¹, so the class group is generated by p and q.

To find relations between these, we look around for elements whose norms are smallish powers of 2 and 3. We spot that 18 = 2² + 14 · 1² = Nm(2 + √−14). The element 2 + √−14 is in both p and q. Since p and q are distinct prime ideals, by unique factorisation there exists an ideal r such that

⟨2 + √−14⟩ = pqr.

Taking norms, we deduce that N(r) = 3, so r = q or r = q′. If r = q′, then qq′ = ⟨3⟩ | ⟨2 + √−14⟩, which is impossible. Hence

⟨2 + √−14⟩ = pq²,

so

q² ∼ p⁻¹ ∼ p, q³ ∼ pq ∼ q⁻¹.

Hence 1, [q], [q²], [q³] are all the ideal classes, and q⁴ ∼ 1. To show that these classes are distinct, it is sufficient to show that q² ≁ 1. But q² ∼ p, and p cannot be principal (as there is obviously no element of norm 2), so we conclude that Cl(K) ≅ C4, generated by the class of q.
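The first stage of these class group computations (Minkowski constant, primes up to it, their factorisation and whether the resulting ideals are principal) can be automated for imaginary quadratic fields. The following is an added example, not part of the original notes; the function names are my own, and the tabulation assumes n is squarefree with n ≡ 1 or 2 (mod 4), so that OK = Z[√−n] and ∆K = −4n.

```python
from math import factorial, isqrt, pi, sqrt

def minkowski_constant(s, t, disc):
    """mu_K = (d!/d^d) (4/pi)^t sqrt|disc|, with d = s + 2t (Theorem 3.5.3)."""
    d = s + 2 * t
    return factorial(d) / d**d * (4 / pi) ** t * sqrt(abs(disc))

def primes_up_to(bound):
    """All prime integers <= bound, by trial division."""
    return [p for p in range(2, int(bound) + 1)
            if all(p % q for q in range(2, isqrt(p) + 1))]

def is_norm(n, m):
    """True if m = a^2 + n*b^2 has a solution in integers a, b, i.e. if some
    element a + b*sqrt(-n) of Z[sqrt(-n)] has norm m."""
    for b in range(isqrt(m // n) + 1):
        a2 = m - n * b * b
        if isqrt(a2) ** 2 == a2:
            return True
    return False

def primes_above(n, p):
    """Prime ideals of Z[sqrt(-n)] above p, from the roots of X^2 + n mod p.

    Each entry is (c, e, norm): c is None for the inert prime <p>, and
    otherwise the ideal is <p, c + sqrt(-n)> with ramification index e.
    """
    roots = [r for r in range(p) if (r * r + n) % p == 0]
    if not roots:                         # X^2 + n irreducible mod p
        return [(None, 1, p * p)]
    e = 2 if len(roots) == 1 else 1       # a single root means a double root
    return [((-r) % p, e, p) for r in roots]

def class_group_candidates(n):
    """For K = Q(sqrt(-n)), return mu_K and one row per prime p <= mu_K:
    (p, type, [(ideal, norm, principal?)]), listing only the prime ideals of
    norm <= mu_K, which are the ones that can be needed to generate Cl(K)."""
    assert n % 4 in (1, 2), "assumes O_K = Z[sqrt(-n)]"
    mu = minkowski_constant(0, 1, -4 * n)
    rows = []
    for p in primes_up_to(mu):
        above = primes_above(n, p)
        kind = ("inert" if above[0][0] is None
                else "ramified" if above[0][1] == 2 else "split")
        ideals = [(f"<{p}, {c} + sqrt(-{n})>", norm, is_norm(n, norm))
                  for c, e, norm in above if norm <= mu]
        rows.append((p, kind, ideals))
    return mu, rows

if __name__ == "__main__":
    for n in (1, 10, 14):                 # Examples 3.6.1, 3.6.4, 3.6.5
        mu, rows = class_group_candidates(n)
        print(f"n = {n}: mu_K = {mu:.3f}")
        for row in rows:
            print("   ", row)
```

A prime ideal of prime norm p is reported as principal exactly when a² + nb² = p is solvable, which is the test used by hand in Examples 3.6.4 and 3.6.5; finding relations between the non-principal classes, as in Example 3.6.5, still has to be done separately.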

Chapter 4

Geometry of Numbers

In this section we’ll prove Theorem 3.5.3, and hence complete the proof of the finiteness of the class group. Perhaps surprisingly, the methods involved are geometrical, not algebraic.

4.1 Blichfeldt’s theorem

Theorem 4.1.1 (Blichfeldt). Let S be a subset of R^n which is compact (i.e. closed and bounded), and has volume¹ strictly greater than 1. Then S contains two distinct points whose difference lies in Z^n.

[pictures not transcribed]

Proof. Let the standard tile in R^n be the set

T = {(x1, ... , xn) : 0 ≤ xi < 1}.

We call a tile any set of the form T + ℓ, where ℓ = (m1, ... , mn) ∈ Z^n. Notice that every point in R^n lies in exactly one tile. Moreover, any bounded subset of R^n is contained in a union of finitely many tiles.

Let S be a compact subset of volume > 1, and let ℓ1, ... , ℓN be the finite set of vectors ℓ ∈ Z^n such that S ∩ (T + ℓ) ≠ ∅.

For each i, let Si be the set S ∩ (T + ℓi). Since each tile T + ℓi has well-defined volume, so does Si; and we have

S = ⊔i Si ⇒ vol(S) = ∑_{i=1}^{N} vol(Si).

We set Si′ = Si − ℓi ⊆ T. Then vol(Si′) = vol(Si). [picture]

¹ Strictly speaking, by “volume” I mean “Lebesgue measure”; but this is not a real analysis course, so you can safely assume that there’s a well-defined notion of volume for sufficiently nice subsets of R^n that has the properties you’d expect.

If the Si′ were pairwise disjoint, then we’d have to have

vol(⋃i Si′) = ∑i vol(Si′) = ∑i vol(Si) = vol(S) > 1.

This is impossible since ⋃i Si′ ⊆ T, and T has volume 1. Hence the Si′ cannot be pairwise disjoint: there must exist i, j such that Si′ ∩ Sj′ ≠ ∅.

Let x ∈ Si′ ∩ Sj′. Then xi = x + ℓi and xj = x + ℓj are two distinct points of S, and their difference is ℓi − ℓj ∈ Z^n, as required.

Remark. Answer to an audience question: One can weaken the assumption that S be compact; it suffices to assume that S is Lebesgue measurable.

4.2 Minkowski’s Lattice Theorem

We’re now going to take Blichfeldt’s theorem and dress it up in a rather trivial way to make it seem more clever.

Definition 4.2.1. A subset S ⊆ R^n is called

• convex if whenever x, y ∈ S, the line segment joining x to y is contained in S.

• centrally symmetric if whenever x ∈ S, then −x ∈ S.

Note that a non-empty convex centrally-symmetric set must contain 0.

Proposition 4.2.2. Let S be a compact convex centrally-symmetric subset of R^n such that vol(S) ≥ 2^n. Then S contains a non-zero point of Z^n.

Proof. First suppose that we have a strict inequality vol(S) > 2^n. Consider the “shrunken” set ½S = {½x : x ∈ S}. Then vol(½S) > 1. By Blichfeldt’s theorem, there are two distinct points in ½S whose difference lies in Z^n, say x and y = x + ℓ with ℓ ∈ Z^n non-zero. Since y ∈ ½S and S is centrally-symmetric, we have −y ∈ ½S. By convexity, the midpoint of the line segment joining x and −y, which is ½(x − y), lies in ½S. But ½(x − y) = ½ℓ ∈ ½Z^n; that is, ℓ is a non-zero point of S ∩ Z^n.

If the volume of S is exactly 2^n we have to grub around a bit! We need to use the assumption that S is closed (it’s clearly false otherwise) so we have to do some analysis. Consider the sets (1 + ε)S for 0 < ε < 1. Note that (1 + ε)S ⊇ S by convexity. If ε > 0, then vol((1 + ε)S) = (1 + ε)^n vol(S) > 2^n, so (1 + ε)S contains a non-zero point of Z^n for every ε > 0. But there can be only finitely many points of Z^n in (1 + ε)S for any ε < 1, since S is bounded; so there must be some non-zero point of Z^n which is in (1 + ε)S for every 0 < ε < 1. Because S is closed, this point is actually in S.

Lecture 20

Remark. If we assume vol(S) > 2^n then we can drop the assumption that S is compact (we don’t even need to assume it’s measurable, because it can be shown that every convex set is automatically measurable). For the case vol(S) = 2^n, compactness is really needed.

Let’s now dress this up even further.

Definition 4.2.3. A lattice in R^n is a subgroup of R^n (under addition) which is generated as a group by a set e1, ... , en which is a basis of R^n as an R-vector space.

Remark. Notice that any lattice in R^n is isomorphic as a group to Z^n, but not every subgroup isomorphic to Z^n is a lattice, because it’s harder for vectors to be R-linearly independent than Z-linearly independent; for instance, the subgroup of R² generated by (1, 0) and (√2, 0) is isomorphic to Z² but it is not a lattice in R².

Definition 4.2.4. Let L be a lattice in R^n generated by n linearly independent vectors v1, ... , vn. We define the covolume of L to be the volume of the set

TL = {∑ λi vi : 0 ≤ λi < 1}.

Note that this set is a “parallelepiped” (a sort of n-dimensional analogue of a parallelogram). In particular its volume is well-defined, finite, and non-zero. As we’ve defined it, this depends on the generating set we’ve chosen, but in fact it doesn’t:

Proposition 4.2.5. The covolume of L is given by |det A| where A is the matrix with the v’s as columns. In particular, any two generating sets for L give the same covolume.

Proof. We’ll start by giving a different interpretation of the covolume. By hypothesis, v1, ... , vn is a basis of R^n, so there is an invertible linear map R^n → R^n which sends the standard basis {e1, ... , en} to {v1, ... , vn}. This is precisely the map given by the matrix A. It maps Z^n to L, and the standard tile T to TL. This linear map won’t preserve volumes, though: it scales all volumes by |det A|. So we conclude that

vol(TL) = |det A| · vol(T) = |det A|.

Any other basis of L is given by multiplying the v’s by a matrix with integer entries and determinant ±1, so it doesn’t change the covolume. Theorem 4.2.6. Let L be a lattice in Rn, and let S be a compact convex centrally-symmetric subset of Rn such that

vol(S) ≥ 2n covol(L).

Then S contains a non-zero point of L.

Proof. We do a basis-change mapping L back onto the standard lattice Zn. This sends S to a new set S0 of vol(S) 0 n ∩ 0 volume covol(L) . Applying Proposition 4.2.2 to the set S gives a nonzero point of Z S , and hence of L ∩ S.

4.3 The Canonical Embedding

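Now let’s go back to the world of number fields. Let $K$ be a number field, and let $\varphi_1, \dots, \varphi_d$ be its embeddings. Let’s suppose that $K$ has $s$ real embeddings and $t$ conjugate pairs of non-real ones, and we number them so that $\varphi_1, \dots, \varphi_s$ are the real ones, $\varphi_{s+1}$ is the first non-real one and $\varphi_{s+2k} = \overline{\varphi_{s+2k-1}}$ for $k = 1, \dots, t$.

Definition 4.3.1. The canonical embedding is the map
$$\Phi : K \to \mathbb{R}^n, \qquad x \mapsto \begin{pmatrix} \varphi_1(x) \\ \vdots \\ \varphi_s(x) \\ \operatorname{Re} \varphi_{s+1}(x) \\ \operatorname{Im} \varphi_{s+1}(x) \\ \operatorname{Re} \varphi_{s+3}(x) \\ \vdots \\ \operatorname{Re} \varphi_{s+2t-1}(x) \\ \operatorname{Im} \varphi_{s+2t-1}(x) \end{pmatrix}.$$

Example 4.3.2. If $K = \mathbb{Q}(\sqrt6)$ then there are two embeddings $a + b\sqrt6 \mapsto a \pm b\sqrt6$, and the canonical embedding is given by
$$a + b\sqrt6 \mapsto \begin{pmatrix} a + b\sqrt6 \\ a - b\sqrt6 \end{pmatrix} = a \begin{pmatrix} 1 \\ 1 \end{pmatrix} + b \begin{pmatrix} \sqrt6 \\ -\sqrt6 \end{pmatrix}.$$

On the other hand, if $K = \mathbb{Q}(i)$ then the canonical embedding is just

$$a + bi \mapsto \begin{pmatrix} a \\ b \end{pmatrix} = a \begin{pmatrix} 1 \\ 0 \end{pmatrix} + b \begin{pmatrix} 0 \\ 1 \end{pmatrix}.$$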

Proposition 4.3.3. Let $B = \{b_1, \dots, b_d\}$ be a basis of $K$ as a $\mathbb{Q}$-vector space. Then the image of $B$ under $\Phi$ is a basis of $\mathbb{R}^n$, and $\Phi$ sends the subgroup of $K$ generated by the $b_i$ to a lattice of covolume $\frac{1}{2^t}\sqrt{|\Delta_K(B)|}$. In particular an ideal $\mathfrak{a} \subseteq \mathcal{O}_K$ maps to a lattice of covolume $\frac{1}{2^t}\sqrt{|\Delta_K|}\,\mathrm{Nm}(\mathfrak{a})$.

Proof. Concretely, what we have to show is that the determinant of the matrix with columns $\Phi(b_i)$ is equal to $\frac{1}{2^t}\sqrt{|\Delta_K(B)|}$. Since this is always non-zero, it follows that the columns of the matrix generate a lattice, and that the covolume of this lattice is equal to this determinant by Proposition 4.2.5.

First suppose $K$ is totally real (i.e. $t = 0$). Then $\Phi$ maps the $b$’s to the matrix with $(i, j)$ entry $\varphi_i(b_j)$, which is precisely the matrix we called $T'_B$ in Proposition 2.4.1. We saw there that $\Delta_K(B) = (\operatorname{Det} T'_B)^2$, so $|\operatorname{Det} T'_B| = \sqrt{|\Delta_K(B)|}$ (and in particular the $b_j$ do map to a lattice).

When there are complex embeddings, this doesn’t quite work because $T'_B$ doesn’t have real entries. But one checks that the matrix with columns $\Phi(b_j)$ is just $T'_B$ multiplied on the left by a matrix looking like
$$\begin{pmatrix} 1 \\ & \ddots \\ && 1 \\ &&& 1/2 & 1/2 \\ &&& -i/2 & i/2 \\ &&&&& \ddots \\ &&&&&& 1/2 & 1/2 \\ &&&&&& -i/2 & i/2 \end{pmatrix}$$

with $s$ ones and $t$ two-by-two blocks, and the determinant of this matrix is $(\tfrac{i}{2})^t$, so $|\operatorname{Det} (\Phi(b_j))_{j=1\dots d}| = |(\tfrac{i}{2})^t \operatorname{Det} T'_B| = \frac{1}{2^t}\sqrt{|\Delta_K(B)|}$.

In particular, taking $B$ to be an integral basis, $\mathcal{O}_K$ maps to a lattice of covolume $2^{-t}\sqrt{|\Delta_K|}$; and an ideal $\mathfrak{a} \subseteq \mathcal{O}_K$ is a subgroup of index $\mathrm{Nm}(\mathfrak{a})$ in $\mathcal{O}_K$, so it maps to a lattice of covolume $\mathrm{Nm}(\mathfrak{a})$ times as large.

We want to use this to find elements of ideals having smallish norm, so let’s work out how to see the norm of an element on the $\mathbb{R}^n$ side. We define a function $\mathbb{R}^n \to \mathbb{R}$ by
$$\left\| \begin{pmatrix} x_1 \\ \vdots \\ x_n \end{pmatrix} \right\|_{s,t} = |x_1 x_2 \dots x_s| \, (x_{s+1}^2 + x_{s+2}^2)(x_{s+3}^2 + x_{s+4}^2) \dots (x_{s+2t-1}^2 + x_{s+2t}^2),$$

so that $\|\Phi(x)\|_{s,t} = |\mathrm{Nm}_{K/\mathbb{Q}}(x)|$ for $x \in K$.

Exercise. Check this.

We’d like to use Minkowski theory to find points in the sets $\{y \in \mathbb{R}^n : \|y\|_{s,t} \le c\}$. Sadly these aren’t convex in general, but we’ll put convex sets inside them:

Lecture 21

Corollary 4.3.4. Suppose that $X$ is a compact, convex, centrally-symmetric subset of $\mathbb{R}^n$ such that $\mathrm{vol}(X) > 0$ and $\|x\|_{s,t} \le 1$ for all $x \in X$. Then for any number field $K$ with $s$ real embeddings and $t$ pairs of complex embeddings, with $s + 2t = n$, and any basis $B$ of $K$, the subgroup generated by $B$ contains a non-zero $y$ such that
$$|\mathrm{Nm}(y)| \le \frac{2^{n-t}\sqrt{|\Delta_K(B)|}}{\mathrm{vol}(X)}.$$

Proof. Consider the set $\lambda X$, where $\lambda$ is any positive real number. Then the volume of $\lambda X$ is $\lambda^n \mathrm{vol}(X)$. So if $L$ is a lattice, and
$$\lambda^n \mathrm{vol}(X) \ge 2^n \,\mathrm{covol}(L), \qquad (\dagger)$$
then $L$ contains a non-zero point of $\lambda X$, so $L$ contains a non-zero element $x$ such that $\|x\|_{s,t} \le \lambda^n$. Choosing $\lambda$ as small as possible, so that $(\dagger)$ is an equality, we deduce that any lattice $L$ must contain a non-zero element $x$ such that
$$\|x\|_{s,t} \le \frac{2^n \,\mathrm{covol}(L)}{\mathrm{vol}(X)}.$$

Applying this to the lattice spanned by $\Phi(B)$ we deduce that the subgroup generated by $B$ contains a non-zero element of norm at most
$$\frac{2^{n-t}\sqrt{|\Delta_K(B)|}}{\mathrm{vol}(X)}$$
as required.

It’s clear that an $X$ with $\mathrm{vol}(X) > 0$ exists, and this is already enough to prove the finiteness of the class group. To get the exact Minkowski bound we need to choose the best possible $X$:

Proposition 4.3.5. For any integers $s, t \ge 0$ such that $n = s + 2t$, there exists a compact, convex, centrally symmetric subset $X_{s,t} \subseteq \mathbb{R}^n$ with the property that $\|x\|_{s,t} \le 1$ for all $x \in X_{s,t}$ and

$$\mathrm{vol}(X_{s,t}) = 2^s \left(\frac{\pi}{2}\right)^t \frac{n^n}{n!}.$$

We won’t give a full proof of this, because in order to prove the finiteness of the class group it suffices just to know that the set $\{\|x\|_{s,t} \le 1\}$ contains some compact convex centrally-symmetric subset of non-zero volume, which is obvious.

Example 4.3.6. When $s = 2$ and $t = 0$ (the case of a real quadratic field), $\left\|\begin{pmatrix} x \\ y \end{pmatrix}\right\|_{2,0} = |xy|$, so we want to find the largest possible convex centrally-symmetric set contained in the star-shape $|xy| \le 1$. We choose the tilted square with vertices at $(\pm 2, 0)$ and $(0, \pm 2)$, whose area is 8. [draw picture]

When $s = 0$ and $t = 1$ (the case of an imaginary quadratic field), the set $\{x : \|x\|_{0,1} \le 1\}$ is itself convex (it’s the unit circle, of area $\pi$) so we’d be crazy to use anything other than the whole of that set.

Partial proof. We define $X_{s,t}$ to be the following set:

$$\left\{ \begin{pmatrix} x_1 \\ \vdots \\ x_n \end{pmatrix} : |x_1| + \dots + |x_s| + 2\sqrt{x_{s+1}^2 + x_{s+2}^2} + \dots + 2\sqrt{x_{s+2t-1}^2 + x_{s+2t}^2} \le n \right\}.$$

This is obviously compact and centrally-symmetric. It’s also convex (exercise). Moreover, for any $n$ positive real numbers $z_1, \dots, z_n$, we have
$$(z_1 \dots z_n)^{1/n} \le \frac{1}{n} \sum z_i$$

(the Arithmetic-Geometric Mean inequality); applying this with $z_1, \dots, z_n$ taken to be the real numbers $|x_1|, \dots, |x_s|, \sqrt{x_{s+1}^2 + x_{s+2}^2}, \dots, \sqrt{x_{s+2t-1}^2 + x_{s+2t}^2}$ with the latter taken twice each, we get that $\|x\|_{s,t} \le 1$ for every $x \in X_{s,t}$.

Computing the volume of Xs,t is an exercise in volume integrals; see Lang’s book, or Brian Osserman’s online notes (http://www.math.uiuc.edu/~r-ash/Ant/AntChapter5.pdf).

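Proof of Theorem 3.5.3. We compute that

$$\frac{2^{n-t}\sqrt{|\Delta_K(B)|}}{\mathrm{vol}(X_{s,t})} = \frac{n!}{n^n} \left(\frac{4}{\pi}\right)^t \sqrt{|\Delta_K(B)|}.$$

Applying this with $B$ a basis for a non-zero ideal $\mathfrak{a}$, we have $|\Delta_K(B)| = \mathrm{Nm}(\mathfrak{a})^2 |\Delta_K|$, so we obtain the theorem.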

4.4 Discriminants are Nontrivial

Here’s a pretty consequence due to Minkowski:

Theorem 4.4.1. Let $K$ be a number field. If $K \ne \mathbb{Q}$, then $|\Delta_K| \ne 1$. In particular, some prime ramifies in $K$.

Proof. We’ll show that if we assume $|\Delta_K| = 1$ then Minkowski’s bound for the trivial ideal is nonsense. The bound would be: $\mathcal{O}_K$ contains a non-zero element of norm at most

$$\left(\frac{4}{\pi}\right)^t \frac{n!}{n^n} \le \left(\frac{4}{\pi}\right)^{n/2} \frac{n!}{n^n}$$
which is easily seen to be strictly decreasing as a function of $n$, and is $\approx 0.637 < 1$ for $n = 2$. Since $\mathcal{O}_K$ cannot contain a non-zero element with $|\mathrm{Nm}(x)| < 1$ this is absurd.

Chapter 5

Dirichlet’s Unit Theorem

Week 8, Lecture 22

The goal of this chapter is to use a bit more lattice theory to attack another important aspect of number fields: their unit groups $\mathcal{O}_K^\times$.

5.1 Roots of Unity

Proposition 5.1.1. Let K be a number field and let R < ∞ be a real number. Then the set

{x ∈ OK : |ϕ(x)| ≤ R for all embeddings ϕ} is finite.

Proof. This follows from the fact that $\Phi(\mathcal{O}_K)$ is a lattice in $\mathbb{R}^n$, so it has finite intersection with any bounded set.

Theorem 5.1.2. Let $K$ be a number field. Then the set
$$W_K = \{x \in K^\times : x^n = 1 \text{ for some } n \ge 1\}$$
of roots of unity in $K$ is a finite cyclic group, contained in $\mathcal{O}_K^\times$; and if $x \in \mathcal{O}_K$, then

$$x \in W_K \iff |\varphi(x)| = 1 \text{ for all embeddings } \varphi.$$

Proof. It is clear that $W_K$ is a group, and that it is contained in $\mathcal{O}_K^\times$ (because $x^n - 1$ is a monic integral polynomial). If $x \in K$ is a root of unity, then it is clear that $|\varphi(x)|$ must be 1 for every $\varphi$. In particular, there are only finitely many $x \in \mathcal{O}_K$ with this property, by Proposition 5.1.1. This shows that $W_K$ is finite. It is a standard result that any finite subgroup of $K^\times$, for any field $K$, is cyclic.

Now suppose $x \in \mathcal{O}_K$ is such that $|\varphi(x)| = 1$ for all $\varphi$. Then the same is true of $x^n$ for every $n$; hence the powers $x^n$ all lie in a finite set (by Proposition 5.1.1, again) and hence some two of them must be equal, i.e. we must have $x^m = x^{m+n}$ for some $m, n > 0$. Thus $x \in W_K$.

Remark. The finiteness of WK can also be seen without lattice theory: there are only finitely many roots of unity in C of any given order, and the degrees of the cyclotomic fields Q(ζN) tend to infinity with N (exercise).

It is not true that every x ∈ K such that |ϕ(x)| = 1 ∀ϕ must be in WK; can you find a counterexample?

5.2 Logarithmic Space

We’ll now consider a new embedding which is good for studying units. Let K be a number field with s real embeddings and t conjugate pairs of complex ones, as usual.

Definition 5.2.1. The logarithmic embedding of $K$ is the map $L : \mathcal{O}_K^\times \to \mathbb{R}^{s+t}$ given by
$$x \mapsto \begin{pmatrix} \log |\varphi_1(x)| \\ \vdots \\ \log |\varphi_s(x)| \\ \log |\varphi_{s+1}(x)|^2 \\ \log |\varphi_{s+3}(x)|^2 \\ \vdots \\ \log |\varphi_{s+2t-1}(x)|^2 \end{pmatrix}.$$

Notice that $\log |x|^2$ means $\log(|x|^2)$, not $(\log x)^2$, here!

Proposition 5.2.2. The logarithmic embedding is a group homomorphism. Its kernel is the finite group $W_K$, and its image is a discrete subgroup of $\mathbb{R}^{s+t}$ contained in the subspace

$$\left\{ \begin{pmatrix} x_1 \\ \vdots \\ x_{s+t} \end{pmatrix} : \sum_{i=1}^{s+t} x_i = 0 \right\}.$$

Proof. The group homomorphism property is obvious from $\log(xy) = \log(x) + \log(y)$; and the fact that the kernel of $L$ is $W_K$ is part of Theorem 5.1.2. The sum of the coordinates of $L(x)$ is given by

$$\log\left( \prod_{i=1}^{n} |\varphi_i(x)| \right) = \log |\mathrm{Nm}(x)| = \log 1 = 0,$$
since every unit has norm $\pm 1$. It remains to show that the image of $L$ is discrete. To see this, we use Proposition 5.1.1 again to show that the image of $L$ has finite intersection with any bounded set.

Lemma 5.2.3. Let $\Gamma$ be a discrete subgroup of $\mathbb{R}^n$. Then $\Gamma \cong \mathbb{Z}^r$ for some $r \le n$, where $r$ is the dimension of the $\mathbb{R}$-subspace of $\mathbb{R}^n$ spanned by $\Gamma$.

Proof. Let $V$ be the subspace of $\mathbb{R}^n$ spanned by the elements of $\Gamma$, and fix a basis $b_1, \dots, b_r$ of $V$ contained in $\Gamma$. Then these generate a subgroup $\Gamma'$ of $\Gamma$, and $\Gamma' \cong \mathbb{Z}^r$.

Let’s define $T' = \{\sum \lambda_i b_i : 0 \le \lambda_i < 1\}$ as usual. Then every element of $V$ can be written in the form $t' + \gamma'$ where $\gamma' \in \Gamma'$ and $t' \in T'$ (just chop off the integral parts of the coordinates). Since $T'$ is bounded and $\Gamma$ is discrete, it follows that $\Gamma/\Gamma'$ is finite, so $\Gamma$ is also isomorphic to $\mathbb{Z}^r$.

Corollary 5.2.4 (Dirichlet’s Unit Theorem, weak form). The group $\mathcal{O}_K^\times$ is isomorphic to $W_K \times \mathbb{Z}^r$ for an integer $r$ such that $0 \le r \le s + t - 1$.

Proof. The lemma shows that $\mathrm{Image}(L)$ must be isomorphic to $\mathbb{Z}^r$ for some $r \le s + t - 1$, so $\mathcal{O}_K^\times / W_K \cong \mathbb{Z}^r$. The result now follows by the classification of finitely-generated abelian groups.

5.3 Proof of the strong Unit Theorem

Lecture 23

Theorem 5.3.1. The group $\mathcal{O}_K^\times$ is isomorphic to $W_K \times \mathbb{Z}^{s+t-1}$.

The statement of this theorem is examinable knowledge, but the proof is not. Here it is anyway.

Idea of the proof. The ring OK has lots of elements of small norm (because of lattice theory), but not very many ideals (it has finitely many ideals of each norm, because of Proposition 3.3.11). Since two elements generate the same ideal if and only if they differ by a unit, this means there must be lots of units.

Proof. Let $\Gamma$ be the image of $\mathcal{O}_K^\times$ under the logarithmic embedding $L$, and let $V$ be the subspace

$$\left\{ \begin{pmatrix} x_1 \\ \vdots \\ x_{s+t} \end{pmatrix} : \sum_{i=1}^{s+t} x_i = 0 \right\}.$$

We want to show that $\Gamma$ is a lattice in $V$. To do this, it suffices to show that there is a bounded subset $T \subseteq V$ such that $\Gamma + T = V$. To concoct $T$ we’ll go back to “additive” space and use Minkowski theory, again. If $x \in \mathbb{R}^n$ we define
$$\ell(x) = \begin{pmatrix} \log |x_1| \\ \vdots \\ \log |x_s| \\ \log |x_{s+1}^2 + x_{s+2}^2| \\ \vdots \\ \log |x_{s+2t-1}^2 + x_{s+2t}^2| \end{pmatrix},$$
wherever this makes sense (i.e. when the things we’re taking logarithms of aren’t zero). Then $\ell(\Phi(x))$ is defined for any $x \in K^\times$, and coincides with $L(x)$.

Set $S = \{y \in \mathbb{R}^n : \|y\|_{s,t} = 1\}$; then $\ell$ sends $S$ to $V$. It’s easy to see that the restriction of $\ell$ to $S$ is well-defined and continuous, so it sends compact subsets to compact subsets. Hence it suffices to find a compact subset $S_0$ of $S$ such that every $y \in S$ can be written as $\Phi(u)s_0$ with $u \in \mathcal{O}_K^\times$ and $s_0 \in S_0$.

We define a ring structure on $\mathbb{R}^n$ in such a way that the canonical embedding $\Phi$ is a ring homomorphism (that is, we identify $\mathbb{R}^n$ with $\mathbb{R}^s \times \mathbb{C}^t$, and we multiply coordinate-wise). Then for any $y \in \mathbb{R}^n$ we have a linear operator $m_y$ on $\mathbb{R}^n$, the multiplication-by-$y$ operator. It’s easy to see that $|\det m_y| = \|y\|_{s,t}$, so that $|\det m_y| = 1$ if $y \in S$.

Fix some compact convex centrally-symmetric subset $X$ of $\mathbb{R}^n$. Then for any $y \in \mathbb{R}^n$ we can consider $m_y(X) = yX$. If $y \in S$ then $y$ is certainly invertible, so we can also consider $y^{-1}X$, and it has the same volume as $X$.

If we choose $X$ big enough, then it follows that $y^{-1}X \cap \Phi(\mathcal{O}_K)$ is non-zero. So we have $x = y\Phi(\alpha)$ for some $x \in X$ and $\alpha \in \mathcal{O}_K$. Since $X$ is compact, there is some $Q$ such that $\|x\|_{s,t} \le Q$ for all $x \in X$, and hence $\mathrm{Nm}(\alpha) \le Q$.

There are only finitely many ideals of $\mathcal{O}_K$ of norm $\le Q$, so we can pick a finite set $\alpha_1, \dots, \alpha_m$ such that every $\alpha$ with norm $\le Q$ can be written as $\alpha_i u$ with $u \in \mathcal{O}_K^\times$.

Let’s take stock. We’ve shown that there is a compact set $X$, and a finite set $\alpha_1, \dots, \alpha_m$, such that for every $y \in \mathbb{R}^n$ with $\|y\|_{s,t} = 1$, we can find $x \in X$, $u \in \mathcal{O}_K^\times$ and $i \in \{1, \dots, m\}$ such that

$$y = \Phi(\alpha_i)^{-1} \Phi(u)^{-1} x.$$

Let $S_0 = S \cap \left( \bigcup_{i=1}^{m} \Phi(\alpha_i)^{-1} X \right)$, which is clearly a compact subset of $S$. Then every element $y \in S$ can be written as $\Phi(u)s_0$ with $s_0 \in S_0$ and $u \in \mathcal{O}_K^\times$, as required.

5.4 Real Quadratic Fields and Pell’s Equation

We’ll now use some of these ideas to study a classical topic: the Pell equation, which is the equation $x^2 - dy^2 = 1$ (for a given square-free integer $d > 1$), or more generally $x^2 - dy^2 = n$ for an integer $n$. This is clearly closely related to unit groups of fields $\mathbb{Q}(\sqrt d)$.

Proposition 5.4.1. Let $K = \mathbb{Q}(\sqrt d)$, where $d > 1$ is squarefree. Then $\mathcal{O}_K^\times$ is isomorphic to $\mathbb{Z} \times \{\pm 1\}$, and there is a unique unit $u \in \mathcal{O}_K^\times$ such that $u$ generates $\mathcal{O}_K^\times / \pm 1$ and $u > 1$ (in the standard embedding).

(This unit is called the fundamental unit of K.)

Proof. We have $s = 2$ and $t = 0$ so the unit group has rank 1, and since $K$ is a subfield of $\mathbb{R}$, it has no roots of unity except $\pm 1$.

It’s easy to see that if $u$ is any unit mapping to a generator of $\mathcal{O}_K^\times / \pm 1$, then the other units with this property are precisely the set $\{u, u^{-1}, -u, -u^{-1}\}$, and this set contains one element from each of the four intervals $\{(-\infty, -1), (-1, 0), (0, 1), (1, \infty)\}$. So there is a unique $u > 1$ with this property.

Remark. Fundamental units can be quite large, e.g. the fundamental unit of $\mathbb{Q}(\sqrt{19})$ is $170 + 39\sqrt{19}$, and the fundamental unit of $\mathbb{Q}(\sqrt{46})$ is $24335 + 3588\sqrt{46}$.

Lecture 24

Proposition 5.4.2. The fundamental unit is given by $a + b\sqrt d$, where $(a, b)$ is the solution to

$$a^2 - db^2 = \pm 1$$

with $a, b$ positive integers (if $d \ne 1 \bmod 4$) or half-integers (if $d = 1 \bmod 4$) having the smallest possible value of $a$.

Proof. If $u$ is the fundamental unit, then any other unit $v > 1$ must be $u^n$ for some $n > 1$, so in particular $v > u$. Thus $u$ is the smallest unit $> 1$. We now have to check that “smallest $u$” means “smallest $a$”.

If $\mathrm{Nm}(u) = +1$, then any other unit $v > 1$ also has $\mathrm{Nm}(v) = +1$ and by definition we have $v > u$. If we write $v = x + y\sqrt d$, we want to show that $x > a$. If $x \le a$, then $x^2 \le a^2$ and hence $y^2 = \frac{x^2 - 1}{d} \le b^2 = \frac{a^2 - 1}{d}$. Thus $y \le b$. So $x + y\sqrt d \le a + b\sqrt d$, a contradiction. Thus $x > a$ as required.

If $\mathrm{Nm}(u) = -1$, then the same argument shows that any other unit $x + y\sqrt d$ of norm $-1$ must have $x > a$. Moreover, $u^2$ is the smallest unit of norm $+1$, so running the same argument on units of norm $+1$ shows that $u^2$ gives the solution to $x^2 - dy^2 = +1$ with the smallest value of $x$. So it suffices to check that if $x + y\sqrt d = (a + b\sqrt d)^2$ then $x > a$. But we have $x = a^2 + db^2 = 2a^2 + 1$ and this is always $> a$.

Example 5.4.3. Consider the field $\mathbb{Q}(\sqrt 6)$. Since $6 \ne 1 \bmod 4$, we must look for solutions to $a^2 - 6b^2 = \pm 1$ with $a, b$ positive integers.

If $a = 1$, then $6b^2 = 1 \pm 1$, which gives only the trivial solution $a = 1$, $b = 0$ (which doesn’t count, because we’re looking for positive $b$).

If $a = 2$ then $6b^2 = 2^2 \pm 1 = 3$ or $5$, which doesn’t work.

If $a = 3$ then $6b^2 = 3^2 \pm 1 = 8$ or $10$,

If $a = 4$ then $6b^2 = 4^2 \pm 1 = 15$ or $17$,

If $a = 5$, then $6b^2 = 24$ or $26$, and $24 = 6 \times 2^2$, so we’ve found a solution, and it’s the smallest solution with $a, b > 0$. Thus $5 + 2\sqrt 6$ is the fundamental unit.

So the units $u > 1$ of $\mathbb{Z}[\sqrt 6]$ are precisely the elements $(5 + 2\sqrt 6)^n$ for $n \ge 1$. Since $5 + 2\sqrt 6$ has norm 1, we conclude that every unit of $\mathbb{Z}[\sqrt 6]$ has norm 1. That is:

• The solutions to the Pell equation $x^2 - 6y^2 = 1$ with $x, y \in \mathbb{N}$ are given by $x + y\sqrt 6 = (5 + 2\sqrt 6)^n$ for $n \in \mathbb{N}$;
• The negative Pell equation $x^2 - 6y^2 = -1$ has no solutions.
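The smallest-a search of Proposition 5.4.2, carried out by machine. This is an added example, not code from the notes; it goes slightly beyond Example 5.4.3 by also handling the half-integer case d = 1 mod 4 and by finding the smallest power of the fundamental unit that lies in Z[√d]. The function names and the (A + B√d)/2 representation are choices made for this example.

```python
from math import isqrt

def is_squarefree(d):
    """True if no square > 1 divides d (trial division; fine for small d)."""
    return all(d % (p * p) for p in range(2, isqrt(d) + 1))

def fundamental_unit(d, max_a=10**7):
    """Smallest-a search of Proposition 5.4.2.

    Returns (A, B, norm) with u = (A + B*sqrt(d))/2, so that integers and
    half-integers share one representation: A and B are both even unless
    d = 1 mod 4, where they only need to have the same parity.
    """
    if d <= 1 or not is_squarefree(d):
        raise ValueError("d must be a square-free integer > 1")
    step = 1 if d % 4 == 1 else 2          # A = 2a; a is an integer unless d = 1 mod 4
    for A in range(step, 2 * max_a + 1, step):
        for norm in (1, -1):
            # (A/2)^2 - d*(B/2)^2 = norm  <=>  A^2 - 4*norm = d*B^2
            m = A * A - 4 * norm
            if m <= 0 or m % d:
                continue
            B = isqrt(m // d)
            if B * B == m // d and B % step == 0:
                return A, B, norm
    raise ArithmeticError("no unit found below max_a")

def mul(u, v, d):
    """Multiply (A1 + B1*sqrt(d))/2 by (A2 + B2*sqrt(d))/2, same representation."""
    (a1, b1), (a2, b2) = u, v
    return (a1 * a2 + d * b1 * b2) // 2, (a1 * b2 + a2 * b1) // 2

def pell_generator(d):
    """Smallest power u^k of the fundamental unit that lies in Z[sqrt(d)].

    Returns (x, y, norm, k) with u^k = x + y*sqrt(d).
    """
    A, B, norm = fundamental_unit(d)
    u, w, k, n = (A, B), (A, B), 1, norm
    while w[0] % 2 or w[1] % 2:            # still has a genuine half-integer part
        w, k, n = mul(w, u, d), k + 1, n * norm
    return w[0] // 2, w[1] // 2, n, k

def pell_solutions(d, rhs, count):
    """First `count` positive integer solutions (x, y) of x^2 - d*y^2 = rhs (rhs = +1 or -1)."""
    if rhs not in (1, -1):
        raise ValueError("rhs must be +1 or -1")
    x0, y0, norm, _ = pell_generator(d)
    if rhs == -1 and norm == 1:
        return []                          # every unit has norm +1
    g = (2 * x0, 2 * y0)
    out, w, n = [], g, norm
    while len(out) < count:
        if n == rhs:
            out.append((w[0] // 2, w[1] // 2))
        w, n = mul(w, g, d), n * norm
    return out

if __name__ == "__main__":
    for d in (2, 6, 10, 13, 19, 34, 46, 79):
        print(d, fundamental_unit(d), pell_generator(d))
```
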

Remark. We could have been a bit more clever in finding the fundamental unit: if $a^2 - 6b^2 = \pm 1$ then $a^2 = \pm 1 \bmod 6$, so $a$ is odd and not divisible by 3, which immediately rules out $a = 2, 3, 4$. But “chalk is cheaper than grey matter”, as the saying goes.

Example 5.4.4. Consider the field $\mathbb{Q}(\sqrt{13})$. Since $13 = 1 \bmod 4$, we need to look for solutions to $a^2 - 13b^2 = \pm 1$ with $a, b$ half-integers, or $a^2 - 13b^2 = \pm 4$ with $a, b$ integers.

$a = 1 \Rightarrow 13b^2 = 1 \pm 4 = -3$ or $5$

$a = 2 \Rightarrow 13b^2 = 4 \pm 4 = 0$ or $8$

$a = 3 \Rightarrow 13b^2 = 9 \pm 4 = 5$ or $13 \Rightarrow (a, b) = (3, 1)$

So $u = \frac{3 + \sqrt{13}}{2}$ is the fundamental unit (and its norm is $-1$).

As the previous example shows, if $d = 1 \bmod 4$ the fundamental unit might not be in $\mathbb{Z}[\sqrt d]$ and hence won’t give an integer solution to the Pell equation. But we can get around this:

Proposition 5.4.5. If $d = 1 \bmod 4$ and $R = \mathbb{Z}[\sqrt d] \subset \mathcal{O}_K$, then $R^\times$ is a subgroup of $\mathcal{O}_K^\times$ of index either 1 or 3.

Proof. Consider the finite ring $Q = \mathcal{O}_K / 2\mathcal{O}_K$. By Dedekind–Kummer we know that this is isomorphic to

$$\mathbb{F}_2[X] \Big/ \left( X^2 - X + \frac{1 - d}{4} \right).$$

There are now two cases to consider. If $d = 1 \bmod 8$, the polynomial is $X^2 + X = X(X + 1) \bmod 2$, so 2 splits in $K$ and $Q$ is isomorphic to $\mathbb{F}_2 \times \mathbb{F}_2$. If $d = 5 \bmod 8$, the polynomial is $X^2 + X + 1 \bmod 2$, which is irreducible, so 2 is inert in $K$ and $Q$ is the finite field $\mathbb{F}_4$.

So $Q^\times$ has order either 1 or 3; and hence the kernel of the reduction map $\mathcal{O}_K^\times \to Q^\times$ has index either 1 or 3 in $\mathcal{O}_K^\times$. But anything in the kernel is in $1 + 2\mathcal{O}_K$, so in particular it’s in $\mathbb{Z} + 2\mathcal{O}_K = R$. So the index of $R^\times$ in $\mathcal{O}_K^\times$ is 1 or 3.

Example 5.4.4, continued: In our example above, we calculate that $u^3 = 18 + 5\sqrt{13}$ is the fundamental unit of $\mathbb{Z}[\sqrt{13}]$. This has norm $-1$, so the solutions of the positive and negative Pell equations for $d = 13$ are given by $x + y\sqrt{13} = (18 + 5\sqrt{13})^n$ for even (respectively, odd) $n \in \mathbb{N}$.

Remark. The negative Pell equation has solutions if, and only if, the fundamental unit has norm $-1$. Sometimes this is obviously impossible because of congruences: if $p$ is a prime dividing $d$, then $x^2 - dy^2 = -1$ implies that $x^2 \equiv -1 \bmod p$, which is impossible when $p = 3 \bmod 4$. So the example of $\mathbb{Q}(\sqrt 6)$ is not very surprising. But this isn’t the whole story: the fundamental unit of $\mathbb{Q}(\sqrt{34})$ is $35 + 6\sqrt{34}$ which has norm 1, so the negative Pell equation for $d = 34$ is not solvable in $\mathbb{Z}$, although it has solutions in $\mathbb{Q}$ and in $\mathbb{Z}/N\mathbb{Z}$ for every integer $N$.

It has been conjectured by Stevenhagen that if $d$ is a randomly chosen square-free integer $> 1$ with no prime factor that is 3 mod 4, then the probability that the fundamental unit of $\mathbb{Q}(\sqrt d)$ has norm 1 is

$$\prod_{n=0}^{\infty} \left( 1 - \frac{1}{2^{2n+1}} \right) \approx 0.41.$$

5.5 Class Groups of Real Quadratic Fields

We want to use this theory to study class groups. The key issue is to understand whether a given ideal is principal or not; equivalently, for each integer $n$, we want to find coset representatives for the elements of $\mathcal{O}_K$ of norm $\pm n$, up to multiplication by units.

Lecture 25

Sometimes one can rule out the existence of elements of norm $\pm n$ by congruences:

Example 5.5.1. Consider the field $K = \mathbb{Q}(\sqrt{10})$. The prime 2 is ramified in $K$: we have $2 = \mathfrak{p}^2$ where $\mathfrak{p} = \langle 2, \sqrt{10} \rangle$. We’d like to know if $\mathfrak{p}$ is principal. Equivalently, does $\mathbb{Z}[\sqrt{10}]$ contain an element of norm $\pm 2$? In fact it doesn’t: we can’t have $x^2 - 10y^2 = \pm 2$, because if this happened, we’d have $x^2 = \pm 2 \bmod 5$ and these are not quadratic residues mod 5.

The Minkowski bound is $\sqrt{10} \approx 3.16$, and 3 splits, $3 = \langle 3, 1 + \sqrt{10} \rangle \langle 3, 2 + \sqrt{10} \rangle$. The element $2 + \sqrt{10}$ has norm $-6$, so as usual we deduce that the primes above 3 are in the same ideal class as $\mathfrak{p}$ and thus the class group is cyclic of order 2.

Once you have determined the class group of $\mathbb{Q}(\sqrt d)$ and its fundamental unit, you know everything there is to know about equations of the form $x^2 - dy^2 = n$ (for any $n$).

Example 5.5.2 (Example 5.5.1, continued). For which $n$ is the Pell equation $x^2 - 10y^2 = n$ solvable in $\mathbb{N}$, and what can we say about the solutions?

Since the fundamental unit is $3 + \sqrt{10}$, which has norm $-1$, the equation for $n$ is solvable if and only if the equation for $-n$ is solvable. So let’s restrict to the case of $n \ge 1$.

• $n = 1$: we know how to do this. The smallest norm 1 unit is $(3 + \sqrt{10})^2 = 19 + 6\sqrt{10}$, so the solutions to $x^2 - 10y^2 = 1$ are $x + y\sqrt{10} = (19 + 6\sqrt{10})^n$, $n \ge 1$.

• $n = 2$: there’s a unique ideal of norm 2 and it’s not principal, so $x^2 - 10y^2 = 2$ is not solvable.

• $n = 3$: we’ve just shown that the ideals of norm 3 are not principal, so $x^2 - 10y^2 = 3$ is not solvable.

• $n = 4$: since $\langle 2 \rangle$ is the only ideal of norm 4, the solutions are just twice the solutions for $n = 1$, namely $x + y\sqrt{10} = 2 \cdot (19 + 6\sqrt{10})^n$, $n \ge 1$.

• $n = 5$: there is a unique prime ideal of norm 5, since $\langle 5 \rangle = \mathfrak{p}_5^2$ where $\mathfrak{p}_5 = \langle 5, \sqrt{10} \rangle$; but there is an element of norm $-10$, namely $\sqrt{10}$, so $\mathfrak{p}_5$ must be in the same ideal class as the prime above 2 and thus $x^2 - 10y^2 = 5$ has no solutions.

• $n = 6$: there are exactly two ideals of norm 6 (because there is one ideal of norm 2 and two of norm 3). We’ve seen that they’re both principal: one has generator $4 + \sqrt{10}$ and the other $4 - \sqrt{10}$. The latter isn’t $> 1$, so we multiply it by our minimal norm 1 unit to make it so, which gives us $(4 - \sqrt{10})(19 + 6\sqrt{10}) = 16 + 5\sqrt{10}$.

We conclude that the positive integer solutions to $x^2 - 10y^2 = 6$ are given by
$$x + y\sqrt{10} \in \left\{ (4 + \sqrt{10})(19 + 6\sqrt{10})^n : n \ge 0 \right\} \cup \left\{ (16 + 5\sqrt{10})(19 + 6\sqrt{10})^n : n \ge 0 \right\},$$

and these two sets of solutions are disjoint.

In the above example, we got lucky: we found a way to prove the ideal above 2 wasn’t principal by using congruences. But this doesn’t always work. Here’s an example where one has to be a bit craftier:

Example 5.5.3. Consider the quadratic field $K = \mathbb{Q}(\sqrt{79})$. In this field, 2 is ramified, and the prime above 2 is principal (it’s generated by the norm 2 element $9 + \sqrt{79}$). The prime 3 is split,
$$3 = \langle 3, 1 + \sqrt{79} \rangle \langle 3, 2 + \sqrt{79} \rangle.$$

We want to know if these primes are principal; equivalently, whether there’s a solution to $x^2 - 79y^2 = \pm 3$. There’s no solution to $x^2 - 79y^2 = +3$ modulo 4, but we can’t rule out solutions to $x^2 - 79y^2 = -3$ so easily.¹

So we use Dirichlet unit theory. The fundamental unit is $u = 80 + 9\sqrt{79}$ (which has norm $+1$). So if there’s any element $x = a + b\sqrt{79}$ of norm $-3$, there’s one with $1 < x < u$.

Since $x$ has norm $-3$, we have $3/x = -a + b\sqrt{79}$, so that $3/u < -a + b\sqrt{79} < 3$. Combining these inequalities we have $1 + 3/u < 2b\sqrt{79} < 3 + u$, or $0.057 < b < 9.169$. As $b$ must be an integer, this reduces us to $1 \le b \le 9$, and none of these nine possibilities for $b$ actually work. Thus the primes above 3 are really not principal.

Remark. This approach is guaranteed to work: you do a finite amount of computation and it’ll either produce an element of norm $n$, or prove that none exists. Notice that the size of the “search space” – the number of possible $a$’s and $b$’s we have to check – depends on how large the fundamental unit $u$ is. If $u$ is very large, then there are lots of $a$’s and $b$’s, so it’s more plausible that one of them should work. Hence large fundamental units mean that it’s easier for ideals to be principal, and hence that the class group is likely to be smaller.
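The finite search described in Example 5.5.3 and the Remark, written out for Z[√d] with d ≠ 1 mod 4. This is an added example, not code from the notes; the function names are choices made here, the norm +1 unit is passed in by the caller (the values used in the test are the ones quoted in Examples 5.5.2 and 5.5.3), and all comparisons with 1 and with the unit are done in exact integer arithmetic.

```python
from math import isqrt

def sign(p, q, d):
    """Exact sign of p + q*sqrt(d) for integers p, q and a non-square d > 0."""
    if p >= 0 and q >= 0:
        return 1 if (p or q) else 0
    if p <= 0 and q <= 0:
        return -1
    # p and q have opposite signs: compare |p| with |q|*sqrt(d) by squaring
    rational_part_wins = p * p > d * q * q
    return 1 if (p > 0) == rational_part_wins else -1

def norm_representatives(d, n, eps):
    """All x = a + b*sqrt(d) with a^2 - d*b^2 = n and 1 <= x < eps.

    eps = (e1, e2) stands for a unit e1 + e2*sqrt(d) > 1 of norm +1.  Every
    element of norm n is +/- one of the returned values times a power of eps,
    so an empty list proves that no element of norm n exists.
    """
    e1, e2 = eps
    if e1 < 1 or e2 < 1 or e1 * e1 - d * e2 * e2 != 1:
        raise ValueError("eps must be a norm +1 unit greater than 1")
    # 2*b*sqrt(d) = x - n/x and 1 <= x < eps give |2b*sqrt(d)| < eps + |n|;
    # eps + 1/eps = 2*e1, so eps < 2*e1 and the bound below is safe.
    b_max = isqrt((2 * e1 + abs(n)) ** 2 // (4 * d))
    found = []
    for b in range(-b_max, b_max + 1):
        a_squared = n + d * b * b
        if a_squared < 0:
            continue
        a = isqrt(a_squared)
        if a * a != a_squared:
            continue
        for a_signed in {a, -a}:
            at_least_one = sign(a_signed - 1, b, d) >= 0
            below_eps = sign(e1 - a_signed, e2 - b, d) > 0
            if at_least_one and below_eps:
                found.append((a_signed, b))
    return sorted(found)

if __name__ == "__main__":
    # Example 5.5.3: no element of norm -3 or +3 in Z[sqrt(79)], one of norm 2
    print(norm_representatives(79, -3, (80, 9)))
    print(norm_representatives(79, 2, (80, 9)))
    # Example 5.5.2: the two families of solutions of x^2 - 10*y^2 = 6
    print(norm_representatives(10, 6, (19, 6)))
```
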

¹ In fact the equation $x^2 - 79y^2 = -3$ has solutions modulo $N$ for every $N$, because it has two different rational solutions $(x, y) = (2/5, 1/5)$ and $(x, y) = (17/3, 2/3)$ with coprime denominators.

5.6 Unit groups modulo primes

If $K$ is a number field and $\mathfrak{p}$ is a prime ideal of $\mathcal{O}_K$, then the homomorphism of rings

$$\mathcal{O}_K \to \mathcal{O}_K / \mathfrak{p}$$
gives a homomorphism of groups
$$\mathcal{O}_K^\times \to (\mathcal{O}_K / \mathfrak{p})^\times.$$

Because $\mathcal{O}_K / \mathfrak{p}$ is a field, $(\mathcal{O}_K / \mathfrak{p})^\times$ is just the non-zero elements of $\mathcal{O}_K / \mathfrak{p}$, so it has order $|\mathcal{O}_K / \mathfrak{p}| - 1 = p^f - 1$ (where $f$ is the degree of $\mathfrak{p}$). It’s always a cyclic group (you’ve seen this before for $K = \mathbb{Q}$, but the same proof works for any finite field).

Example 5.6.1. Let $K = \mathbb{Q}(\sqrt 2)$. Then $\langle 3 \rangle$ is a prime ideal of $K$ of norm 8.

We’ll show that the fundamental unit $u = 1 + \sqrt 2$ is a primitive root modulo 3. We have
$$\begin{aligned}
u &= 1 + \sqrt 2 &&\equiv 1 + \sqrt 2 \\
u^2 &= 3 + 2\sqrt 2 &&\equiv 2\sqrt 2 \\
u^3 &= 7 + 5\sqrt 2 &&\equiv 1 + 2\sqrt 2 \\
u^4 &= 17 + 12\sqrt 2 &&\equiv 2 \\
u^5 &= 41 + 29\sqrt 2 &&\equiv 2 + 2\sqrt 2 \\
u^6 &= 99 + 70\sqrt 2 &&\equiv 0 + \sqrt 2 \\
u^7 &= 239 + 169\sqrt 2 &&\equiv 2 + \sqrt 2 \\
u^8 &= 577 + 408\sqrt 2 &&\equiv 1.
\end{aligned}$$

Sometimes, we can use reduction modulo primes to find out things about the unit group:

Proposition 5.6.2. Suppose $u \in \mathcal{O}_K^\times$ and $\mathfrak{p}$ is a prime of $K$. If $n \ge 1$ is an integer such that $u$ is not an $n$-th power in $(\mathcal{O}_K / \mathfrak{p})^\times$, then $u$ is not an $n$-th power in $\mathcal{O}_K^\times$.

Proof. This is trivial: if $u = v^n$, then $u \bmod \mathfrak{p} = v^n \bmod \mathfrak{p}$.

Although this is trivial, it can be rather useful in practice. We’ll see in the next chapter that one can often use number fields to solve equations in the integers. When doing this, one needs to know something about the units; but one usually doesn’t need to know generators for $\mathcal{O}_K^\times$, just generators for the quotient $\mathcal{O}_K^\times / n\mathcal{O}_K^\times$ for some integer $n$, and one can often find these quickly by reducing modulo $\mathfrak{p}$.

Lecture 26

Example 5.6.3. Suppose we didn’t know that $u = 1 + \sqrt 2$ was the fundamental unit of $\mathbb{Q}(\sqrt 2)$, and we just wanted to know what $\mathcal{O}_K^\times / 3\mathcal{O}_K^\times$ looked like.

We know (by Dirichlet’s unit theorem) that $\mathcal{O}_K^\times / 3\mathcal{O}_K^\times$ must be cyclic of order 3, and it’s generated by any unit that isn’t a cube. So we want to know that $1 + \sqrt 2$ is not a cube of a unit.

The first thing that comes to mind is: reduce modulo a prime. We probably want the norm of this prime to be 1 mod 3, so that not everything is a cube mod $\mathfrak{p}$. Working mod a prime above 7 sounds like a good idea; there are two, and one of them is $\mathfrak{p} = \langle 7, 3 + \sqrt 2 \rangle$ whose residue field is $\mathbb{F}_7$. Modulo $\mathfrak{p}$, we have $\sqrt 2 = -3$ so $u = -2 = 5$, which is not a cube in $\mathbb{F}_7^\times$ (it’s even a primitive root mod 7).

So $u$ generates $\mathcal{O}_K^\times / 3\mathcal{O}_K^\times$.

Remark. Of course, we knew this would work because $u$ is the fundamental unit. The advantage of this method is that it works, with no fuss, for pretty much any number field, while finding generators for $\mathcal{O}_K^\times$ when $K$ has degree $\ge 3$ is much harder.

Chapter 6

Diophantine Equations

A Diophantine equation is an equation in some finite set of variables a, b, c, ... that we want to solve for integer values of the variables. Some examples are

• The Fermat equation $x^n + y^n = z^n$.
• Pell’s equation $x^2 - dy^2 = n$ (solving for $x, y$, with $d$ and $n$ being given).
• The Ramanujan–Nagell equation $2^n - 7 = x^2$.

In this last chapter, we’ll use number fields to solve some Diophantine equations.

6.1 Factorisation and n-th powers

Here’s an easy lemma about integers:

Lemma 6.1.1. If $r$ and $s$ are coprime integers, and $rs$ is an $n$-th power (for some $n \ge 1$), then $r$ and $s$ are both of the form $\pm x^n$.

To prove this, just think about the prime factorisations of $r$ and $s$. If $n$ is odd, then we can ignore the signs, because $-x^n = (-x)^n$. This little lemma is surprisingly useful in solving Diophantine equations:

Example 6.1.2. Suppose we want to find all integer solutions to $y^2 = x^3 + 16$. There’s one obvious pair of solutions $(x, y) = (0, \pm 4)$; are there any others?

We can rewrite the equation as $y^2 - 16 = x^3$, or $(y - 4)(y + 4) = x^3$. Now $y$ must be either even or odd. If $y$ is odd, then $y - 4$ and $y + 4$ have no common factors; so, by the lemma, they must both be cubes. But cubes get further and further apart, so there aren’t very many pairs of cubes that differ by 8, and in fact there are none where the cubes are odd.

If $y$ is even, then $x$ is even; so $x^3 + 16$ is divisible by 8, hence $y = 4y'$ for some $y'$. But then $x^3 = 16y'^2 - 16$ is divisible by 16, so $x$ is also a multiple of 4, say $x = 4x'$. Then we have

$$16y'^2 = 64x'^3 + 16 \Rightarrow y'^2 = 4x'^3 + 1,$$

so that $y'$ is odd. Finally, writing $y' = 2y'' + 1$ we end up at

$$x'^3 = y''(y'' + 1)$$

so $y''$ and $y'' + 1$ are cubes that differ by 1, which means that $y''$ is 0 or $-1$. Thus $y' = \pm 1$ and hence $y = \pm 4$ as required.

Now suppose we want to solve $y^2 = x^3 + k$ for some other value of $k$. This class of equation is called a Mordell equation. If $k$ is a square, then we can argue as above: we factorise $y^2 - k$, and either $y$ is coprime to $k$, in which case $y \pm k$ are both cubes, and there are not many possibilities; or we can divide out by some common factor and reduce to another equation (which we can often reduce to another Mordell equation, as above).

If $k$ isn’t a square, then what? With the training that we have by this point, the obvious thing to do is to factorise $y^2 - k$ in the ring of integers of $\mathbb{Q}(\sqrt k)$. But does the lemma still hold? Sadly no, because its proof relies on unique factorisation:

Example 6.1.3. In the field $K = \mathbb{Q}(\sqrt{-26})$, we have $(1 + \sqrt{-26})(1 - \sqrt{-26}) = 27 = 3^3$. I claim that $1 + \sqrt{-26}$ is not a cube.

If we had $1 + \sqrt{-26} = (a + b\sqrt{-26})^3$ then we’d have
$$\begin{cases} a^3 - 78ab^2 = 1 \\ 3a^2 b - 26b^3 = 1 \end{cases}$$

and the first factorises as $a(a^2 - 78b^2) = 1$, which implies that $a = \pm 1$ and $78b^2 = (\pm 1)^2 \pm 1$, which is obviously impossible.

So non-trivial class groups can really screw things up. Kummer’s fantastic insight was that one can rescue something from this mess:

Theorem 6.1.4. Let $K$ be a number field, $n \ge 1$, and $r, s \in \mathcal{O}_K$ such that $rs$ is a nonzero $n$-th power in $\mathcal{O}_K$ and $r$ and $s$ are coprime (i.e. $\langle r, s \rangle$ is the unit ideal). If $n$ is coprime to the class number of $K$, then $r = ux^n$, $s = vy^n$ where $x, y \in \mathcal{O}_K$ and $u, v$ are units.

Proof. Because we do have unique factorisation for ideals of $\mathcal{O}_K$, the same argument as in the proof of the lemma shows that the ideals $\langle r \rangle$ and $\langle s \rangle$ are both $n$-th powers of ideals; that is, we have $\langle r \rangle = \mathfrak{a}^n$, $\langle s \rangle = \mathfrak{b}^n$ for some ideals $\mathfrak{a}, \mathfrak{b}$.

Since $\mathfrak{a}^n$ is principal, the order of $[\mathfrak{a}]$ in $\mathrm{Cl}(K)$ must divide $n$. But it also divides the class number of $K$, and since these two numbers are coprime, $[\mathfrak{a}]$ must be the trivial class, so $\mathfrak{a} = \langle x \rangle$ for some $x$. Hence $\langle r \rangle = \langle x^n \rangle$, i.e. $r = ux^n$ for some unit $u$, and similarly for $s$.

Remark. Kummer famously used this to prove that $x^p + y^p = z^p$ has no integer solutions if $p \ge 3$ is prime and $p$ doesn’t divide the class number of $\mathbb{Q}(\zeta_p)$, which happens for all $p \le 100$ except 37, 59, and 67. You can probably see now how he did this: he factored $x^p + y^p$ in $\mathbb{Q}(\zeta_p)$, and then used the theorem to conclude that $x + \zeta_p y$ was a $p$-th power times a unit, which puts a pretty strong constraint on $x$ and $y$. There’s a (nearly) full description of Kummer’s proof in Stewart and Tall.

6.2 Some Examples

Example 6.2.1. Here’s an easy example of a Mordell equation:

y2 = x3 − 2. √ There’s an obvious solution, namely 52 = 33 − 2. The class group of Q( −2) is trivial, so we should be able to get some mileage out of the factorisation √ √ (y − −2)(y + −2) = x3.

55 First we√ check whether the factors on the left-hand√ side are coprime. Any common factor would have to divide 2 −2 and thus be a power of the prime h 2i above 2. This would force y to be even; but if y is even, then x is also even and hence x3 − 2 is 2 mod 4, which is a contradiction. × √ Since OK = {±1} and −1 is a cube, we conclude that y + −2 must be a cube, and that gives us the equations ( √ √ a3 − 6ab2 = y y + −2 = (a + b −2)3 ⇒ . 3a2b − 2b3 = 1

The last equation factors as b(3a2 − 2b2) = 1. So b must be ±1. If b = +1 then 3a2 − 2b2 = 1 ⇒ 3a2 = 3, so a = ±1. If b = −1 then 3a2 − 2b2 = −1, so 3a2 = 1 which is impossible. So (a, b) = (±1, 1), and thus y = ±5. So the solution we spotted is the only one, up to signs. Remark. Apparently, some British mathematicians sent this problem to Fermat as a challenge, to see if he could solve it. In typical Fermat style, he responded that he could prove that (3, ±5) were the only solutions but didn’t say how! Lecture Example 6.2.2. Consider the Mordell equation for k = +2, that is y2 = x3 + 2. 27 √ √ 3 As before, we see by reducing√ mod 4 that y must be odd, so (y +√ 2)(y − 2√) = x is a factorisation of a cube into coprime factors in Z[ 2]. If we set up the equation y + 2 = (a + b 2)3 and expand out, we get ( a(a2 + 6b2) = y b(3a2 + 2b2) = 1

so $3a^2 + 2b^2 = \pm 1$, which is obviously impossible. But something has gone wrong here, because it's easy to see that $x = -1$, $y = 1$ is a solution! The reason is that we've forgotten the unit group: because $\mathbb{Q}(\sqrt{2})$ is a real quadratic field, its unit group is $\{\pm 1\} \times \mathbb{Z}$. Thus $\mathcal{O}_K^\times / 3\mathcal{O}_K^\times$ is nontrivial, generated by the fundamental unit $u = 1 + \sqrt{2}$, so we have to consider multiple cases: $y + \sqrt{2}$ must be of the form $(1 + \sqrt{2})^i z^3$ for some $z \in \mathbb{Z}[\sqrt{2}]$ and $0 \le i < 3$. We've shown that $i = 0$ doesn't work. Let's see what happens for $i = 1$: we need to solve

$$y + \sqrt{2} = (1 + \sqrt{2})(a + b\sqrt{2})^3$$

and this does have a solution, with a = 1, b = 0, which gives the solution (x, y) = (−1, 1) we saw above. (In fact this is the only possibility for i = 1, and i = 2 just gives (−1, −1), but this takes a bit more work to prove.)
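The case analysis of Examples 6.2.1 and 6.2.2 can be checked by machine. The following Python sketch is an added illustration, not part of the original notes: the function names, the pair `(p, q)` standing for $p + q\sqrt{d}$ and the search bound are assumptions, and a bounded search over $|a|, |b| \le 30$ proves nothing by itself.

```python
def mul(u, v, d):
    """(p + q*sqrt(d)) * (r + s*sqrt(d)), elements stored as integer pairs."""
    (p, q), (r, s) = u, v
    return (p * r + d * q * s, p * s + q * r)


def norm(u, d):
    """Field norm of p + q*sqrt(d)."""
    p, q = u
    return p * p - d * q * q


def power(u, e, d):
    out = (1, 0)
    for _ in range(e):
        out = mul(out, u, d)
    return out


def cube_solutions(d, unit, classes, bound=30):
    """Solve y + sqrt(d) = unit^i * (a + b*sqrt(d))^3 for 0 <= i < classes.

    Returns {i: sorted list of (x, y)} with y^2 = x^3 + d. Taking norms gives
    y^2 - d = N(unit)^i * N(z)^3, and N(unit) = +-1 is its own cube, so
    x = N(unit^i) * N(z).
    """
    found = {}
    for i in range(classes):
        ui = power(unit, i, d)
        hits = set()
        for a in range(-bound, bound + 1):
            for b in range(-bound, bound + 1):
                z = (a, b)
                y, coeff = mul(ui, power(z, 3, d), d)
                if coeff != 1:          # need the sqrt(d)-coefficient to be 1
                    continue
                x = norm(ui, d) * norm(z, d)
                if y * y != x ** 3 + d:
                    raise ArithmeticError("norm identity violated")
                hits.add((x, y))
        found[i] = sorted(hits)
    return found


if __name__ == "__main__":
    # d = -2: units are +-1, all cubes, so one class suffices.
    print(cube_solutions(-2, (1, 0), 1))
    # d = 2: fundamental unit 1 + sqrt(2), three classes modulo cubes.
    print(cube_solutions(2, (1, 1), 3))
```

For $d = 2$ the class $i = 0$ comes back empty, which is exactly the failure seen when the unit group is forgotten; the solutions only appear for $i = 1$ and $i = 2$.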

6.3 The Ramanujan–Nagell Equation

This section is just for fun, and not examinable.

Theorem 6.3.1 (Nagell; conjectured by Ramanujan). The only solutions to the equation

$$2^n = x^2 + 7$$

with $n, x \in \mathbb{N}$ are $(n, x) \in \{(3, 1), (4, 3), (5, 5), (7, 11), (15, 181)\}$.

The proof below is due to . I think it’s rather elegant.

Proof. First, let's suppose $n = 2m$ is even, and $x \ge 0$. Then we can factor $2^n - x^2 = (2^m - x)(2^m + x)$. Since $x > 0$, $2^m + x$ is obviously positive, and since 7 is prime, we must have $2^m + x = 7$ and $2^m - x = 1$. Thus $2x = (2^m + x) - (2^m - x) = 6$, so $x = 3$ and $2^m = 4$. This gives the solution $(n, x) = (4, 3)$.

Now we come to the more difficult case of $n$ odd. We use the factorisation

$$2^n = (x + \sqrt{-7})(x - \sqrt{-7})$$

in the ring of integers of $K = \mathbb{Q}(\sqrt{-7})$. Since $2^n$ is even, $x$ must be odd; hence $\frac{x + \sqrt{-7}}{2}$ is in $\mathcal{O}_K$ and we have

$$2^{n-2} = \left(\frac{x + \sqrt{-7}}{2}\right)\left(\frac{x - \sqrt{-7}}{2}\right).$$

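Let's write $m = n - 2$; note that we must have $m \ge 0$ (since $n = 1$ obviously doesn't give a solution). So

$$\left(\frac{x + \sqrt{-7}}{2}\right)\left(\frac{x - \sqrt{-7}}{2}\right) = \left(\frac{1 + \sqrt{-7}}{2}\right)^m \left(\frac{1 - \sqrt{-7}}{2}\right)^m.$$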

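The factors on the left-hand side are coprime (since otherwise they'd have to be in $2\mathcal{O}_K$, which they clearly aren't). So we must have either

$$\frac{x + \sqrt{-7}}{2} = \pm\left(\frac{1 + \sqrt{-7}}{2}\right)^m, \qquad \frac{x - \sqrt{-7}}{2} = \pm\left(\frac{1 - \sqrt{-7}}{2}\right)^m$$

or

$$\frac{x + \sqrt{-7}}{2} = \pm\left(\frac{1 - \sqrt{-7}}{2}\right)^m, \qquad \frac{x - \sqrt{-7}}{2} = \pm\left(\frac{1 + \sqrt{-7}}{2}\right)^m.$$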

Subtracting the two equations, we see that in both cases we get the equation

$$\left(\frac{1 + \sqrt{-7}}{2}\right)^m - \left(\frac{1 - \sqrt{-7}}{2}\right)^m = \pm\sqrt{-7}.$$

(Notice that x has disappeared completely from consideration here: any solution to this one-variable equation gives a solution (n, x) to the original two-variable equation.)

For $m = 1$ we obviously get a solution (with the plus sign), and this corresponds to $(n, x) = (3, 1)$ above. We claim that the plus sign cannot occur for $m > 1$. Suppose it does; let us write $a = \frac{1 + \sqrt{-7}}{2}$, $b = \frac{1 - \sqrt{-7}}{2}$. Then we have $a^m - b^m = a - b$. We shall obtain a contradiction by reducing modulo $b^2$. Since $ab = 2$ and $a + b = 1$ we have

$$a^2 = (1 - b)^2 = 1 - (ab)b + b^2 = 1 + b^2(1 - a) \equiv 1 \bmod b^2,$$

so that (as $m$ is odd and $m > 1$, whence $a^m = a$ and $b^m = 0 \bmod b^2$) we obtain $a = a - b \bmod b^2$, which is impossible since $b \ne 0 \bmod b^2$.

Thus we must have $a^m - b^m = b - a$. Expanding the LHS using the binomial theorem and comparing coefficients, we have

$$-2^{m-1} = \binom{m}{1} - 7\binom{m}{3} + \dots$$

so $-2^{m-1} = m \bmod 7$. This implies that $m$ must be 3, 5, or 13 modulo 42; and $m = 3$, $m = 5$, $m = 13$ do all work!

We conclude by showing that there cannot be two solutions that are congruent modulo 42. Suppose $m_1 < m_2$ are two solutions, and suppose $\ell \ge 1$ is such that $7^\ell$ exactly divides $m_2 - m_1$.

Lemma 6.3.2. If $6 \times 7^\ell$ divides $h$, then $a^h = 1 + h\sqrt{-7} \bmod 7^{\ell+1}\mathcal{O}_K$.

Proof of Lemma. First suppose $\ell = 0$. We have $a^{6k} = \frac{(1 + \sqrt{-7})^{6k}}{2^{6k}}$. By Fermat's little theorem we have $2^6 = 1 \bmod 7$, so the denominator is no problem, and the numerator is

$$1 + 6k\sqrt{-7} + \binom{6k}{2}(\sqrt{-7})^2 + \dots = 1 + 6k\sqrt{-7} \bmod 7\mathcal{O}_K.$$

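Now suppose $\ell \ge 1$ and the result holds for $\ell - 1$. Then for some $A \in \mathcal{O}_K$ we have

$$\begin{aligned} a^h &= \left(1 + \tfrac{h}{7}\sqrt{-7} + 7^\ell A\right)^7 \\ &= \left(1 + \tfrac{h}{7}\sqrt{-7}\right)^7 \bmod 7^{\ell+1} \\ &= 1 + h\sqrt{-7} + \dots \bmod 7^{\ell+1} \end{aligned}$$

and all the neglected terms are divisible by $7^{\ell+1}$.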

Now, back to the main proof: using the lemma with $h = m_2 - m_1$, we have

$$a^{m_2} = a^{m_1}\left(1 + (m_2 - m_1)\sqrt{-7}\right) \bmod 7^{\ell+1}\mathcal{O}_K$$

and similarly

$$b^{m_2} = b^{m_1}\left(1 - (m_2 - m_1)\sqrt{-7}\right) \bmod 7^{\ell+1}\mathcal{O}_K,$$

and since by assumption $a^{m_2} - b^{m_2} = a^{m_1} - b^{m_1} = -\sqrt{-7}$, subtracting the two equations gives

$$(m_2 - m_1)\sqrt{-7}\,(a^{m_1} + b^{m_1}) = 0 \bmod 7^{\ell+1}\mathcal{O}_K.$$

Since $a^{m_1} + b^{m_1} = a^{m_1} - b^{m_1} + 2b^{m_1} = -\sqrt{-7} + 2b^{m_1} \ne 0 \bmod 7\mathcal{O}_K$, we have

$$(m_2 - m_1)\sqrt{-7} = 0 \bmod 7^{\ell+1}\mathcal{O}_K$$

and since $m_1, m_2$ are integers, this actually forces $m_2 = m_1 \bmod 7^{\ell+1}$, which contradicts the definition of $\ell$. Hence there is at most one solution for each congruence class modulo 42, and thus the solutions we have found are all the solutions.
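The reduction used in the proof can be checked numerically. The following Python sketch is an added illustration, not part of the original notes: it introduces the notation $D_m = (a^m - b^m)/(a - b)$ and $V_m = a^m + b^m$ (not used in the notes), so that the one-variable equation $a^m - b^m = \pm\sqrt{-7}$ becomes $D_m = \pm 1$ and $x = |V_m|$; the function names and the search limit are assumptions.

```python
def lucas_pair(limit):
    """Yield (m, D_m, V_m) for 1 <= m <= limit.

    With a + b = 1 and ab = 2, both D_m = (a^m - b^m)/(a - b) and
    V_m = a^m + b^m satisfy s_{m+1} = s_m - 2*s_{m-1}.
    """
    d_prev, d_cur = 0, 1    # D_0, D_1
    v_prev, v_cur = 2, 1    # V_0, V_1
    for m in range(1, limit + 1):
        yield m, d_cur, v_cur
        d_prev, d_cur = d_cur, d_cur - 2 * d_prev
        v_prev, v_cur = v_cur, v_cur - 2 * v_prev


def ramanujan_nagell(limit=2000):
    """Return [(n, x, sign)] for each m <= limit with a^m - b^m = sign*sqrt(-7).

    Here n = m + 2 and x = |V_m|; the identity V_m^2 + 7*D_m^2 = 2^(m+2)
    turns D_m = +-1 into 2^n = x^2 + 7. Even m are scanned too, so the
    even case n = 4 of the proof shows up as m = 2.
    """
    out = []
    for m, d, v in lucas_pair(limit):
        if abs(d) == 1:
            n, x = m + 2, abs(v)
            if 2 ** n != x * x + 7:
                raise ArithmeticError("identity V^2 + 7 D^2 = 2^(m+2) violated")
            out.append((n, x, d))
    return out


def odd_residues_mod_42():
    """Odd residues r mod 42 satisfying -2^(r-1) = r mod 7."""
    return [r for r in range(1, 42, 2) if (-pow(2, r - 1, 7) - r) % 7 == 0]


if __name__ == "__main__":
    print(ramanujan_nagell())
    print(odd_residues_mod_42())
```

The sign in each triple is $+1$ only for $m = 1$ and the even case $m = 2$, matching the claim that the plus sign cannot occur for odd $m > 1$.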

The End